On 11.02.21 14:51, bitozoid wrote:
As of today, doc says for 'smtp_tls_CAfile':

"A file containing CA certificates of root CAs trusted to sign either
remote SMTP server certificates or intermediate CA certificates."

and for 'smtp_tls_CApath':

"Directory with PEM format Certification Authority certificates that
the Postfix SMTP client uses to verify a remote SMTP server
certificate."

On one hand, it looks like a remote server intermediate CA certificate
(think about a remote server that does not send its intermediate CA
certificate) does not fit in 'smtp_tls_CAfile' but in
'smtp_tls_CApath'.

huh?

On the other hand, it looks like both variables do the same job, but
one of them from a file and the other from a directory. Moreover, I
have appended an intermediate CA certificate to 'smtp_tls_CAfile' and
it seems to work for a remote server that does not provide it.

Am I misunderstanding the documentation? Is there a right place to
drop the intermediate CA certificate?

Both smtp_tls_CAfile and smtp_tls_CApath are designed to contain
a list of trusted CAs for SSL-based authentication.

However, smtp_tls_CAfile can be used for providing an intermediate certificate,
which should not be a problem if you don't use SSL authentication.

Postfix >= 3.4 supports the directive smtpd_tls_chain_files, which contains a list
of files containing private key, certificate and intermediate authorities
(concatenated).

Postfix <= 3.3 supports multiple directives smtpd_tls_cert_file, smtpd_tls_key_file, smtpd_tls_eccert_file, smtpd_tls_eckey_file

supposed to contain certificates and keys. Certificates can be
concatenated in cert files, which can also include private keys.

http://www.postfix.org/TLS_README.html

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*
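
The situation from the question (a server that sends only its own certificate, and an intermediate appended to the CA file), reproduced with the openssl command line as an added example that is not part of the original thread. It assumes `openssl verify` as a stand-in for the client's chain check (Postfix itself is not run), and the CA names, host name and file names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: throwaway root -> intermediate -> leaf chain; all names are made up.
# Assumes the openssl CLI (1.1.1 or later) is on PATH. $d is the scratch directory.

req()      { openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes "$@" >/dev/null 2>&1; }
sign()     { openssl x509 -req -days 2 -CAcreateserial "$@" >/dev/null 2>&1; }
verifies() { openssl verify "$@" >/dev/null 2>&1; }

build_chain() {
    # Private config so the result does not depend on the system openssl.cnf.
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    req -x509 -days 2 -subj "/CN=Demo Root CA" -keyout "$d/root.key" -out "$d/root.pem" &&
    req -new -subj "/CN=Demo Intermediate CA" -keyout "$d/inter.key" -out "$d/inter.csr" &&
    sign -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
         -extfile "$d/ca.cnf" -extensions v3_ca -out "$d/inter.pem" &&
    req -new -subj "/CN=mail.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" &&
    sign -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" -out "$d/leaf.pem"
}

demo() {
    d=$(mktemp -d) || return 1
    build_chain || { rm -rf "$d"; return 1; }
    # 1. Only the root is trusted and the peer presented just its leaf: no chain.
    verifies -CAfile "$d/root.pem" "$d/leaf.pem" && r1=ok || r1=fail
    # 2. Intermediate appended to the single CA file (what the question tried).
    cat "$d/root.pem" "$d/inter.pem" > "$d/bundle.pem"
    verifies -CAfile "$d/bundle.pem" "$d/leaf.pem" && r2=ok || r2=fail
    # 3. Intermediate in a CA directory; OpenSSL looks it up as <subject-hash>.0
    mkdir "$d/capath"
    h=$(openssl x509 -noout -subject_hash -in "$d/inter.pem")
    cp "$d/inter.pem" "$d/capath/$h.0"
    verifies -CAfile "$d/root.pem" -CApath "$d/capath" "$d/leaf.pem" && r3=ok || r3=fail
    rm -rf "$d"
    echo "$r1 $r2 $r3"
}

demo   # prints: fail ok ok
```

Either location completes the chain. Every certificate placed in the file or the directory is treated as trusted, so an intermediate added there is trusted for all peers, not only the one that omitted it.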
