> On Dec 11, 2017, at 5:40 PM, J Doe <gene...@nativemethods.com> wrote:
> 
> I have a question regarding specifying where the list of trusted CAs are in 
> regards to the smtp client.

The recommended set of trusted CAs for the Postfix SMTP client is
*empty*.  TLS in SMTP is opportunistic, and email is sent whether or
not the peer appears to be authenticated.  So any trusted CAs you
might configure are largely just wasted memory and CPU.

> In man 5 postconf, I can see there are two configuration parameters regarding 
> this:
> 
>    smtp_tls_CAfile
>    smtp_tls_CApath
> 
> The documentation (as I understand it), notes that:
> 
> 1. smtp_tls_CAfile

Generally avoid this entirely.  It does however work "better"
with chroot jails, since the file is loaded into memory before
chroot.

> 2. smtp_tls_CApath
> 
> — Specifies directory with PEM format CA certs that smtp client uses to 
> verify remote SMTP server certificate
> — Preferred over smtp_tls_CAfile when the number of trusted roots is large

Let's say that "large" is 5 or more.  By the time you have more
CAs than you've carefully curated after thinking about each one,
you're probably better off with CApath, to the extent that you
bother to configure either.

> On one of my installations of Postfix 3.1.0 on Ubuntu 16.04 LTS, I use CAfile 
> to specify the file that stores all the CA certs:
> 
>    smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

The recommended setting is empty.

> My questions are:
> 
> 1. Is that correct ?

What are you using the certificates for?  Have you configured
any destinations with a "security level" of "verify" or "secure"?

> 2. Is there any other guidance on when to prefer smtp_tls_CApath over 
> smtp_tls_CAfile ?

Set both empty.

-- 
        Viktor.
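An added configuration example, not taken from the reply above or from the Postfix documentation, showing the split the reply describes: the global trust store stays empty under opportunistic TLS, and only one destination (the placeholder domain example.com) is given a "secure" policy, which is the one place a set of trust anchors is actually consulted.

```ini
# /etc/postfix/main.cf (added example; all hostnames are placeholders)
# Opportunistic TLS for every destination: encrypt when the server
# offers STARTTLS, deliver in the clear when it does not.
smtp_tls_security_level = may
# No global trust store. At level "may" the server certificate is never
# verified, so any CAs loaded here would only cost memory and CPU.
smtp_tls_CAfile =
smtp_tls_CApath =
# Per-destination overrides live in the policy table below.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# Log one summary line per TLS handshake to see which level was applied.
smtp_tls_loglevel = 1

# /etc/postfix/tls_policy (rebuild with: postmap /etc/postfix/tls_policy)
# Only this destination is authenticated. Mail to it is deferred, not
# sent in the clear, when the server chain does not validate against
# the trust anchors in "tafile" or when no certificate name matches.
# The CA file path is an assumed location for this example.
example.com   secure match=mail.example.com:.example.com tafile=/etc/postfix/example-com-ca.pem
```

Because the trust anchors are scoped to the one "secure" destination, the rest of outbound mail keeps the empty global CA settings the reply recommends.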
