On Fri, Sep 17, 2021 at 01:38:43PM -0300, Fabio S. Schmidt wrote:
> Hello David and Gerald,
> 
> Thank you for the answers. I'm reading the documentation and we need to
> adjust the smtp_tls_CAfile indeed. I will adjust this as soon as
> possible and I will report the result here.

I am curious why, with opportunistic TLS (security level may), you're
bothering to take any action to tweak the entirely cosmetic certificate
path validation status.

    * Whether the certificate was signed by a trusted CA or not, makes
      no difference. Email delivery proceeds either way.

    * The name in the certificate is ignored, it could have been a
      certificate for mitm.p0wn3d.net.

    * Postfix is likely willing to negotiate TLS 1.2 and by default
      offers aNULL ciphers, and if the server obliges, there are no
      certificates to check at all (Anonymous).

So what difference does it actually make whether it is "Trusted",
"Untrusted" or "Anonymous"?  Feels like a waste of CPU to me...

-- 
    Viktor.

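[Editor's note, added example; this code is not from the thread or from
Postfix itself.] The four labels Viktor lists are exactly the first word of
the line smtp(8) logs for each outbound TLS handshake: "Anonymous",
"Untrusted", "Trusted" or "Verified". Only "Verified" means Postfix checked
both the certificate chain and the server name, and that label is only
produced at security levels that enforce verification (verify, secure, dane,
fingerprint), typically set per destination in smtp_tls_policy_maps. At
level "may" you will only ever see the other three, and delivery proceeds
regardless. The script below parses such log lines and reports which
destinations were merely encrypted versus actually authenticated. The log
lines are constructed for the example, and the regular expression is an
assumption about the smtp(8) log format rather than anything Postfix ships.

```python
"""Classify Postfix smtp(8) TLS handshake log lines by trust status.

Added example, not code from the postfix-users thread or from Postfix.
Assumption: the smtp(8) log line format is
  "... postfix/smtp[PID]: <Status> TLS connection established to
   host[addr]:port: TLSvX.Y with cipher NAME (n/m bits)"
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches the handshake line smtp(8) writes; the trailing "(n/m bits)" is ignored.
TLS_LINE = re.compile(
    r"postfix/smtp\[\d+\]: "
    r"(?P<status>Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
    r"(?P<host>[^\[\s]+)\[(?P<addr>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+)"
)

# OpenSSL names for anonymous (aNULL) key exchange: no server certificate at all.
ANON_CIPHER = re.compile(r"^(ADH|AECDH)-")


@dataclass(frozen=True)
class TlsEvent:
    status: str
    host: str
    addr: str
    port: int
    proto: str
    cipher: str

    @property
    def authenticated(self) -> bool:
        """True only when Postfix verified both the chain and the name."""
        return self.status == "Verified"

    @property
    def anonymous_kex(self) -> bool:
        """True when the negotiated suite involves no certificate (aNULL)."""
        return ANON_CIPHER.match(self.cipher) is not None


def parse_tls_line(line: str) -> Optional[TlsEvent]:
    """Return a TlsEvent for a handshake line, None for any other log line."""
    m = TLS_LINE.search(line)
    if m is None:
        return None
    return TlsEvent(
        status=m["status"], host=m["host"], addr=m["addr"],
        port=int(m["port"]), proto=m["proto"], cipher=m["cipher"],
    )


def audit(lines: List[str]) -> Dict[str, object]:
    """Summarise which destinations were merely encrypted vs. authenticated."""
    by_status: Counter = Counter()
    authed, unauthed, anon = set(), set(), set()
    for line in lines:
        ev = parse_tls_line(line)
        if ev is None:
            continue
        by_status[ev.status] += 1
        (authed if ev.authenticated else unauthed).add(ev.host)
        if ev.anonymous_kex:
            anon.add(ev.host)
    return {
        "by_status": dict(by_status),
        "authenticated_hosts": sorted(authed),
        "unauthenticated_hosts": sorted(unauthed),
        "anonymous_kex_hosts": sorted(anon),
    }


# Constructed sample log in the smtp(8) format; not real traffic.
SAMPLE_LOG = [
    "Sep 17 13:38:43 mta postfix/smtp[2101]: Untrusted TLS connection established to "
    "mx.example.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Sep 17 13:39:02 mta postfix/smtp[2102]: Anonymous TLS connection established to "
    "mx.example.org[192.0.2.20]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)",
    "Sep 17 13:40:15 mta postfix/smtp[2103]: Trusted TLS connection established to "
    "mx.example.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Sep 17 13:41:30 mta postfix/smtp[2104]: Verified TLS connection established to "
    "mail.example.com[198.51.100.5]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)",
    "Sep 17 13:42:00 mta postfix/smtp[2105]: connect to mx.example.org[192.0.2.20]:25: Connection refused",
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real mail log, "Trusted" entries tell you a CA you configured
in smtp_tls_CAfile happened to sign the peer's certificate, but nothing about
whether the name was right; the audit counts them with "Untrusted" and
"Anonymous" as unauthenticated, which is the point of the message above.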