On Thu, Feb 11, 2021 at 3:11 PM Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
> On 11.02.21 14:51, bitozoid wrote:
> >As of today, doc says for 'smtp_tls_CAfile':
> >
> >"A file containing CA certificates of root CAs trusted to sign either
> >remote SMTP server certificates or intermediate CA certificates."
> >
> >and for 'smtp_tls_CApath':
> >
> >"Directory with PEM format Certification Authority certificates that
> >the Postfix SMTP client uses to verify a remote SMTP server
> >certificate."
> >
> >On one hand, it looks that a remote server intermediate CA certificate
> >(think about a remote server that does not send its intermediate CA
> >certificate) does not fit in 'smtp_tls_CAfile' but in
> >'smtp_tls_CApath'.
>
> huh?
> 'smtp_tls_CAfile' doc just mentions "root CAs" for the content of the file.
>
> >On the other hand, it looks that both variables do the same job, but
> >one of them from a file and the other from a directory. Moreover, I
> >have appended an intermediate CA certificate to 'smtp_tls_CAfile' and
> >it seems to work for a remote server that does not provide it.
> >
> >Am I misunderstanding the documentation? Is there a right place to
> >drop the intermediate CA certificate?
>
> both smtp_tls_CAfile and smtp_tls_CApath are designed to contain
> list of trusted CAs for SSL-based authentication.
>
> However, smtp_tls_CAfile can be used for providing intermediate
> certificate,
> which could not be a problem if you don't use SSL authentication.

I don't understand what you mean in your last sentence.

> Postfix >= 3.4 supports directive smtpd_tls_chain_files, which contains
> list
> of files containing private key, certificate and intermediate authorities
> (concatenated).
>
> Postfix <= 3.3 supports multiple directives smtpd_tls_cert_file
> smtpd_tls_key_file, smtpd_tls_eccert_file, smtpd_tls_eckey_file
>
> supposed to contain certificates and keys. Certificates can be
> concatenated in cert files, which can also include private keys.

I guess those are for postfix as an SMTP server.
My question is for postfix as an SMTP client. Thanks a lot for your answer.
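An added example, not code from the thread or from Postfix: it builds a throwaway root -> intermediate -> leaf chain with openssl and uses `openssl verify` as a stand-in for the SMTP client's chain check, to show why appending the intermediate to the smtp_tls_CAfile bundle (or to a rehashed smtp_tls_CApath directory) lets a server that omits its intermediate verify. All names and paths are made up, and it assumes an `openssl` binary is on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: throwaway CA chain plus trust-store checks.
# Made-up names; the "server" is simulated by verifying leaf.pem with no intermediate.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }
WORK=$(mktemp -d)

mk_chain() {
    # self-signed root; openssl's default req config marks a -x509 cert CA:TRUE
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    # intermediate signed by the root, with the CA extensions a chain builder requires
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
    # server (leaf) certificate signed by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mx.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 2 -out "$WORK/leaf.pem" 2>/dev/null
}

# Verify the leaf alone (peer sent no intermediate) against a PEM bundle,
# the shape of file smtp_tls_CAfile loads. Returns 0 when the chain verifies.
verify_with_file() { openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1; }

# Same check against a directory of hash-named links, as smtp_tls_CApath expects.
verify_with_path() { openssl verify -CApath "$1" "$WORK/leaf.pem" >/dev/null 2>&1; }

mk_chain
cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/bundle.pem"   # root with the intermediate appended
mkdir "$WORK/cadir"
cp "$WORK/root.pem" "$WORK/int.pem" "$WORK/cadir/"
# a CApath directory is ignored by the lookup until the hash links exist
openssl rehash "$WORK/cadir" 2>/dev/null || c_rehash "$WORK/cadir" >/dev/null

verify_with_file "$WORK/root.pem"   && echo "root only: verified"   || echo "root only: FAILED (chain incomplete)"
verify_with_file "$WORK/int.pem"    && echo "intermediate only: verified" || echo "intermediate only: FAILED (no self-signed anchor)"
verify_with_file "$WORK/bundle.pem" && echo "root+intermediate file: verified" || echo "root+intermediate file: FAILED"
verify_with_path "$WORK/cadir"      && echo "hashed CApath: verified" || echo "hashed CApath: FAILED"
```

The intermediate-only case fails because, without partial-chain verification, OpenSSL only accepts a chain that ends in a self-signed certificate from the store, so the intermediate in the bundle completes the chain rather than acting as a trust anchor on its own.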