On Thu, Feb 11, 2021 at 4:49 PM Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>
> On Thu, Feb 11, 2021 at 02:51:02PM +0000, bitozoid wrote:
>
> > As of today, doc says for 'smtp_tls_CAfile':
> >
> > "A file containing CA certificates of root CAs trusted to sign either
> > remote SMTP server certificates or intermediate CA certificates."
>
> It can also contain intermediate CA certificates. Storing non-root CAs
> carries a risk that they may expire before you remove them, and then
> they may take precedence over non-expired intermediate CA certs that the
> remote peer provides in the TLS handshake.
>
> TLS servers or clients that fail to send the required list of
> intermediate certificates are in violation of various RFCs, and poor
> interoperability is to be expected. Perhaps a better fix is to request
> that the problem be fixed on the remote end.
>
That is really insightful. That would also be nice to be found in the doc. Thanks a lot.
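The risk Viktor describes (an intermediate parked in smtp_tls_CAfile outliving its usefulness and then shadowing the fresh one a peer sends) is easy to check for, since every certificate in the bundle is either self-issued (issuer equals subject, the normal shape of a root) or not. The script below is an added example, not part of this thread and not Postfix code: it walks the PEM bundle with a minimal standard-library DER reader, classifies each certificate as root or intermediate by comparing issuer and subject (a heuristic; it does not verify signatures), and lists intermediates that are already expired. The three certificates it runs on are constructed in the script itself with dummy keys and signatures, purely to exercise the parser; the "as of" date is the date of this thread.

```python
"""Audit a smtp_tls_CAfile-style PEM bundle: flag non-root (intermediate) CA
certificates and any that have expired. Standard library only; the DER walk
reads just issuer, validity and subject and does NOT verify signatures, so
"root" below means issuer == subject, which is a heuristic."""
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split the content of a SEQUENCE/SET into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def _parse_time(tag, val):
    """RFC 5280 Time: UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def parse_cert(der):
    """Return issuer DER, subject DER and notAfter for one X.509 certificate."""
    _, cert, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)          # tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                # optional EXPLICIT [0] version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    issuer, validity, subject = fields[2][1], _children(fields[3][1]), fields[4][1]
    return {"issuer": issuer, "subject": subject, "not_after": _parse_time(*validity[1])}

def audit_cafile(pem_text, now=None):
    """Classify every certificate in a PEM bundle as root/intermediate and expired or not."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for i, m in enumerate(PEM_RE.finditer(pem_text)):
        c = parse_cert(base64.b64decode("".join(m.group(1).split())))
        findings.append({"index": i,
                         "kind": "root" if c["issuer"] == c["subject"] else "intermediate",
                         "expired": c["not_after"] < now,
                         "not_after": c["not_after"]})
    return findings

def stale_intermediates(findings):
    """Expired non-root CAs: the entries that can take precedence over a
    non-expired intermediate the peer sends in the handshake."""
    return [f for f in findings if f["kind"] == "intermediate" and f["expired"]]

# ---- constructed test data (not real certificates) ---------------------------
def _tlv(tag, value):
    n = len(value)
    nbytes = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + value

def _name(cn):      # Name ::= SEQUENCE OF SET OF { OID 2.5.4.3 (commonName), UTF8String }
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))))

def make_test_cert(subject_cn, issuer_cn, not_after):
    """Syntactically valid certificate shell with a dummy key and dummy signature,
    enough to exercise the parser above; it would fail any real signature check."""
    alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _tlv(0x05, b""))  # sha256WithRSA
    validity = _tlv(0x30, _tlv(0x17, b"200101000000Z") + _tlv(0x18, not_after.encode()))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00\x00"))                      # placeholder key
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
               + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    b64 = base64.b64encode(_tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 9))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

AS_OF = datetime(2021, 2, 11, tzinfo=timezone.utc)   # date of the thread above
SAMPLE_CAFILE = (make_test_cert("Test Root CA", "Test Root CA", "20400101000000Z")
                 + make_test_cert("Test Intermediate 2035", "Test Root CA", "20350101000000Z")
                 + make_test_cert("Test Intermediate 2019", "Test Root CA", "20190601000000Z"))

if __name__ == "__main__":
    findings = audit_cafile(SAMPLE_CAFILE, now=AS_OF)
    for f in findings:
        print(f"#{f['index']}: {f['kind']:12} notAfter={f['not_after']:%Y-%m-%d} expired={f['expired']}")
    print("stale intermediates:", [f["index"] for f in stale_intermediates(findings)])
```

To run it against a real bundle, read the file named by smtp_tls_CAfile into a string and pass it to audit_cafile with no date argument; any entry reported by stale_intermediates is a candidate for removal, and any non-expired intermediate is worth a note in the calendar for the same reason.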