On 11.02.21 14:51, bitozoid wrote:
>As of today, doc says for 'smtp_tls_CAfile':
>
>"A file containing CA certificates of root CAs trusted to sign either
>remote SMTP server certificates or intermediate CA certificates."
>
>and for 'smtp_tls_CApath':
>
>"Directory with PEM format Certification Authority certificates that
>the Postfix SMTP client uses to verify a remote SMTP server
>certificate."
>
>On one hand, it looks that a remote server intermediate CA certificate
>(think about a remote server that does not send its intermediate CA
>certificate) does not fit in 'smtp_tls_CAfile' but in
>'smtp_tls_CApath'.

>On Thu, Feb 11, 2021 at 3:11 PM Matus UHLAR - fantomas <uh...@fantomas.sk>
>wrote:
>>huh?

On 11.02.21 16:01, bitozoid wrote:
>'smtp_tls_CAfile' doc just mentions "root CAs" for the content of the file.

yes. smtp_tls_CAfile and smtp_tls_CApath are for the same usage, but
smtp_tls_CAfile is expected to be a file, while smtp_tls_CApath is a path in
which multiple files may be located.

it's easier to maintain a path, however, Debian and derivatives generate the
file when you run update-ca-certificates.

>On the other hand, it looks that both variables do the same job, but
>one of them from a file and the other from a directory. Moreover, I
>have appended an intermediate CA certificate to 'smtp_tls_CAfile' and
>it seems to work for a remote server that does not provide it.
>
>Am I misunderstanding the documentation? Is there a right place to
>drop the intermediate CA certificate?

both smtp_tls_CAfile and smtp_tls_CApath are designed to contain a
list of trusted CAs for SSL-based authentication.

However, smtp_tls_CAfile can be used for providing an intermediate certificate,
which should not be a problem if you don't use SSL authentication.

I don't understand what you mean in your last sentence.

if you put your server's certificate into smtpd_tls_cert_file and
intermediate certificate to smtp_tls_CAfile, the intermediate certificate
will be provided to clients.

smtp_tls_CAfile will still be used as a list of authorities trusted to sign
clients' certificates, which may be a problem if you use SSL-based
authentication.


Postfix >= 3.4 supports the directive smtpd_tls_chain_files, which contains a
list of files containing private key, certificate and intermediate authorities
(concatenated).

Postfix <= 3.3 supports multiple directives smtpd_tls_cert_file,
smtpd_tls_key_file, smtpd_tls_eccert_file, smtpd_tls_eckey_file, which are
supposed to contain certificates and keys. Certificates can be
concatenated in cert files, which can also include private keys.


>I guess those are for postfix as an SMTP server. My question is for
>postfix as an SMTP client.

smtpd_tls_* are for postfix as smtp server, smtp_tls_* are for postfix as smtp client.

does your postfix authenticate to other servers using SSL certificate?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
My mind is like a steel trap - rusty and illegal in 37 states.
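As an added example (not from this thread or from Postfix), the following script shows with openssl what the thread is discussing: a server that sends only its own certificate verifies against a CA file only once the intermediate is appended to it, and a CA directory is only consulted through hash-named files. The chain, the subject names and mx.example.test are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway root -> intermediate ->
# server chain with openssl, then verify the server certificate the way a TLS
# client must when the peer sends only its own certificate, once with a CA file
# and once with a CA directory. Names such as mx.example.test are constructed.
set -eu

make_chain() {                        # $1 = work dir; all keys are P-256, certs last 2 days
    d=$1; new="-new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' >"$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mx.example.test\n' >"$d/leaf.ext"
    for n in root int leaf; do
        openssl req $new -keyout "$d/$n.key" -out "$d/$n.csr" -subj "/CN=example $n"
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -out "$d/root.pem" \
        -days 2 -extfile "$d/ca.ext"                                   # self-signed root CA
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -out "$d/int.pem" -days 2 -extfile "$d/ca.ext"     # intermediate CA
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/leaf.pem" -days 2 -extfile "$d/leaf.ext"  # server cert
}

# Verify $2 against a CA file only / a CA directory only; print verified|rejected.
verify_cafile() { openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1 && echo verified || echo rejected; }
verify_capath() { openssl verify -no-CAfile -CApath "$1" "$2" >/dev/null 2>&1 && echo verified || echo rejected; }

# CApath lookups are by subject hash, so install $1 into $2 under <hash>.<n>
# (what c_rehash / "openssl rehash" do); plain file names are never found.
capath_add() {
    h=$(openssl x509 -noout -subject_hash -in "$1"); n=0
    while [ -e "$2/$h.$n" ]; do n=$((n + 1)); done
    ln -s "$1" "$2/$h.$n"
}

CH=$(mktemp -d); trap 'rm -rf "$CH"' EXIT
make_chain "$CH" 2>/dev/null
cat "$CH/root.pem" "$CH/int.pem" >"$CH/root+int.pem"        # appending the intermediate to the CA file
mkdir "$CH/capath" "$CH/capath.unhashed"
cp "$CH/root.pem" "$CH/int.pem" "$CH/capath.unhashed/"     # present, but not hash-named
capath_add "$CH/root.pem" "$CH/capath"; capath_add "$CH/int.pem" "$CH/capath"

echo "CAfile root only:           $(verify_cafile "$CH/root.pem" "$CH/leaf.pem")"         # rejected
echo "CAfile root + intermediate: $(verify_cafile "$CH/root+int.pem" "$CH/leaf.pem")"     # verified
echo "CApath unhashed names:      $(verify_capath "$CH/capath.unhashed" "$CH/leaf.pem")"  # rejected
echo "CApath hashed names:        $(verify_capath "$CH/capath" "$CH/leaf.pem")"           # verified
```

Postfix applies the same OpenSSL store rules, so an intermediate dropped into the smtp_tls_CApath directory is only found after rehashing, while anything appended to smtp_tls_CAfile is loaded as-is.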
