> On Feb 1, 2018, at 1:44 PM, Danny Horne <da...@trisect.uk> wrote:
>
> Possibly, do I understand right that I'm going to have to separate all
> cacerts from the bundle files before using rehash?
Yes, but if your OS distribution does not provide a package that handles all
this, perhaps you should just stick with:

    tls_append_default_CA = no
    smtpd_tls_CApath = /etc/pki/tls/certs

which will include the CA bundle, but in a way that won't also leak it to each
client as the list of preferred CAs, which you'd get with explicitly setting
smtpd_tls_CAfile. The point is that the list of trusted CAs may change from
time to time, and you probably don't want to be stuck with stale copies...

Or just don't ask for client certs! Is it painful enough yet? :-)

-- 
Viktor.
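The bundle-splitting step Danny asks about, as an added example that is not from the thread or from Postfix itself: it copies each certificate of a PEM bundle into its own file so the directory can then be hashed for smtpd_tls_CApath. The bundle path, output directory, and the two placeholder certificate bodies are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): split a PEM CA bundle into one file per
# certificate so the directory can be hashed and used as smtpd_tls_CApath.
# Paths and the sample bundle contents below are assumptions/constructed.

# split_ca_bundle BUNDLE OUTDIR
# Copies each BEGIN/END CERTIFICATE block to OUTDIR/ca-NNNN.pem, skipping any
# comment text between blocks, and prints the number of certificates written.
split_ca_bundle() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /^-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/ca-%04d.pem", dir, n); inside = 1 }
    inside { print > f }
    /^-----END CERTIFICATE-----/   { inside = 0; close(f) }
    END { print n + 0 }
  ' "$1"
}

# rehash_ca_dir OUTDIR
# Creates the <subject-hash>.N symlinks that OpenSSL's CApath lookup requires.
# Only meaningful on real certificates, so it is not run on the sample below.
rehash_ca_dir() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
  openssl rehash "$1"
}

# Constructed two-certificate bundle with placeholder bodies (not real certificates).
write_sample_bundle() {
  cat > "$1" <<'EOF'
# Example Root CA 1 (constructed placeholder)
-----BEGIN CERTIFICATE-----
PLACEHOLDERBODYONE
-----END CERTIFICATE-----
# Example Root CA 2 (constructed placeholder)
-----BEGIN CERTIFICATE-----
PLACEHOLDERBODYTWO
-----END CERTIFICATE-----
EOF
}

workdir=$(mktemp -d)
write_sample_bundle "$workdir/bundle.pem"
split_ca_bundle "$workdir/bundle.pem" "$workdir/certs"   # prints 2
ls "$workdir/certs"                                      # ca-0001.pem ca-0002.pem
```

On a real bundle, follow the split with `rehash_ca_dir "$workdir/certs"` and point smtpd_tls_CApath at that directory; re-run both steps whenever the distribution updates the bundle.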