> On Feb 1, 2018, at 11:45 AM, Danny Horne <da...@trisect.uk> wrote:
>
> # openssl version -d
> OPENSSLDIR: "/etc/pki/tls"
>
> # ls -al /etc/pki/tls
> lrwxrwxrwx. 1 root root    49 Nov 27 21:00 cert.pem -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
> drwxr-xr-x. 2 root root    97 Dec 21 17:31 certs
> drwxr-xr-x. 2 root root     6 Nov  6 08:24 misc
> -rw-r--r--. 1 root root 10841 Nov  6 08:20 openssl.cnf
Here we see that /etc/pki/tls is not only reported by "openssl version -d",
but also has a "cert.pem" file, a "certs" sub-directory, and an openssl.cnf
file. This matches the layout expected by OpenSSL.

Given this, I'd expect to find the hashed symlinks in:

    /etc/pki/tls/certs

Look there, and if all is as expected, your CApath would be:

    smtpd_tls_CApath = /etc/pki/tls/certs

All this to get client certs to show as "Trusted", perhaps it would have been
easier to just not bother requesting client certs :-)

A simpler way to achieve the same goal would have been:

    http://www.postfix.org/postconf.5.html#tls_append_default_CA
    tls_append_default_CA = yes

bearing in mind the caution in the documentation, when enabling the panoply
of WebPKI trust-anchors (root CAs) DO NOT make the mistake of also using
"permit_tls_all_clientcerts", lest your server become an open relay for every
man and his dog who can get a Let's Encrypt certificate...

-- 
Viktor.
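The reply above hinges on one detail: a CApath directory is only useful to OpenSSL (and so to Postfix's smtpd_tls_CApath) if it holds symlinks named <subject_hash>.<n> that point at the CA certificates. The script below is an added example, not part of this thread or of the Postfix project; it populates such a directory from PEM files and then checks that every hashed link really resolves to a certificate whose subject hash matches its name, which is exactly the check to run on /etc/pki/tls/certs before pointing smtpd_tls_CApath at it. The function names and the throwaway "Example Test CA" certificate are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): build and sanity-check an OpenSSL
# CApath directory in the hashed-symlink layout that smtpd_tls_CApath needs.
set -eu

# Create a throwaway self-signed CA certificate so the demo runs offline.
# (constructed test data; in practice copy your real CA certs instead)
make_test_ca() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
}

# Populate a CApath directory: for each PEM certificate create a
# <subject_hash>.<n> symlink, the naming OpenSSL's hash_dir lookup expects.
# Equivalent in spirit to running c_rehash / "openssl rehash" on the dir.
rehash_capath() {
    capath="$1"; shift
    for cert in "$@"; do
        hash=$(openssl x509 -in "$cert" -noout -subject_hash)
        abs="$(cd "$(dirname "$cert")" && pwd)/$(basename "$cert")"
        n=0
        while [ -e "$capath/$hash.$n" ]; do n=$((n + 1)); done
        ln -s "$abs" "$capath/$hash.$n"
    done
}

# Diagnose a candidate CApath: it must contain at least one hashed link, and
# each link must resolve to a parseable certificate whose subject hash equals
# the link's name (a stale link left over from a renewed CA would not).
# Prints one line of diagnosis; returns 0 only when the directory is usable.
check_capath() {
    capath="$1"
    found=0
    for link in "$capath"/*.[0-9]*; do
        [ -e "$link" ] || continue
        name=$(basename "$link")
        expect=${name%%.*}
        actual=$(openssl x509 -in "$link" -noout -subject_hash 2>/dev/null) || {
            echo "NOT A CERT: $link"; return 1; }
        if [ "$expect" != "$actual" ]; then
            echo "STALE LINK: $link (certificate hash is $actual)"; return 1
        fi
        found=$((found + 1))
    done
    [ "$found" -gt 0 ] || { echo "NO HASHED LINKS in $capath"; return 1; }
    echo "OK: $found hashed link(s) in $capath"
}

# Confirm OpenSSL itself can use the directory to validate a certificate,
# the same lookup Postfix performs when verifying a client certificate.
verify_with_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Demo when run directly: build a CApath in a temp dir and check it.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    mkdir "$tmp/certs"
    make_test_ca "$tmp"
    rehash_capath "$tmp/certs" "$tmp/ca.pem"
    check_capath "$tmp/certs"
    verify_with_capath "$tmp/certs" "$tmp/ca.pem" && echo "openssl verify: OK"
fi
```

Run it with `--demo` to see the OK path; against a real system, call check_capath on the directory you intend to use, then verify_with_capath with one of the client CA certificates, before committing the path to main.cf. A directory that passes both but still leaves clients "Untrusted" usually means the CA chain is incomplete rather than the layout being wrong.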