Re: smtp_tls_CAfile and smtp_tls_CApath doc

2021-02-11 Thread Viktor Dukhovni
On Thu, Feb 11, 2021 at 05:04:24PM +, bitozoid wrote: > > It can also contain intermediate CA certificates. Storing non-root CAs > > carries a risk that they may expire before you remove them, and then > > they may take precedence over non-expired intermediate CA certs that the > > remote pee

Re: smtp_tls_CAfile and smtp_tls_CApath doc

2021-02-11 Thread bitozoid
On Thu, Feb 11, 2021 at 4:49 PM Viktor Dukhovni wrote: > > On Thu, Feb 11, 2021 at 02:51:02PM +, bitozoid wrote: > > > As of today, doc says for 'smtp_tls_CAfile': > > > > "A file containing CA certificates of root CAs trusted to sign either > > remote SMTP server certificates or intermediate

Re: smtp_tls_CAfile and smtp_tls_CApath doc

2021-02-11 Thread Viktor Dukhovni
On Thu, Feb 11, 2021 at 02:51:02PM +, bitozoid wrote: > As of today, doc says for 'smtp_tls_CAfile': > > "A file containing CA certificates of root CAs trusted to sign either > remote SMTP server certificates or intermediate CA certificates." It can also contain intermediate CA certificates.

Re: smtp_tls_CAfile and smtp_tls_CApath doc

2021-02-11 Thread Matus UHLAR - fantomas
On 11.02.21 14:51, bitozoid wrote: >As of today, doc says for 'smtp_tls_CAfile': > >"A file containing CA certificates of root CAs trusted to sign either >remote SMTP server certificates or intermediate CA certificates." > >and for 'smtp_tls_CApath': > >"Directory with PEM format Certification Aut

Re: smtp_tls_CAfile and smtp_tls_CApath doc

2021-02-11 Thread bitozoid
On Thu, Feb 11, 2021 at 3:11 PM Matus UHLAR - fantomas wrote: > On 11.02.21 14:51, bitozoid wrote: > >As of today, doc says for 'smtp_tls_CAfile': > > > >"A file containing CA certificates of root CAs trusted to sign either > >remote SMTP server certificates or intermediate CA certificates." > >

Re: smtp_tls_CAfile and smtp_tls_CApath doc

2021-02-11 Thread Matus UHLAR - fantomas
On 11.02.21 14:51, bitozoid wrote: As of today, doc says for 'smtp_tls_CAfile': "A file containing CA certificates of root CAs trusted to sign either remote SMTP server certificates or intermediate CA certificates." and for 'smtp_tls_CApath': "Directory with PEM format Certification Authority

Re: smtp_tls_CAfile

2009-02-25 Thread Manuel Pégourié-Gonnard
Victor Duchovni wrote: >> I don't think it is. I would otherwise not be able to find the file >> indicated by smtp_tls_CAfile. > > No, this file is loaded into memory before smtp(8) enters the chroot > jail, while smtp_tls_CApath is accessed post-jail. > Ok, I didn't know. I can see you made i

Re: smtp_tls_CAfile

2009-02-25 Thread Victor Duchovni
On Wed, Feb 25, 2009 at 05:19:48PM +0100, Manuel Pégourié-Gonnard wrote: > >> OTOH, server certificate verification should be done against > >> certificates in the directory indicated by smtp_tls_CApath. For some > >> reason, I didn't manage to get it working (and yes, I ran c_rehash on > >> this

Re: smtp_tls_CAfile

2009-02-25 Thread Wietse Venema
We're still taking documentation fixes for Postfix 2.6... Wietse

Re: smtp_tls_CAfile

2009-02-25 Thread Manuel Pégourié-Gonnard
Victor Duchovni wrote: >> So this should not be used to verify a server's certificate. In >> practice, if the file pointed to by smtp_tls_CAfile is a concatenation >> of CA's certificates, then they are all used to verify the server's >> certificate. > > Yes, smtp_tls_CAfile is used to verify s

Re: smtp_tls_CAfile

2009-02-25 Thread Victor Duchovni
On Wed, Feb 25, 2009 at 02:14:40PM +0100, Manuel Pégourié-Gonnard wrote: > I'm afraid I don't understand what the directive smtp_tls_CAfile does > exactly. According to postconf(5), > > > smtp_tls_CAfile (default: empty) > > The file with the certificate of the certification authority (CA) tha

Re: smtp_tls_CAfile

2009-02-25 Thread Wietse Venema
Manuel Pégourié-Gonnard: > Hi, > > I'm afraid I don't understand what the directive smtp_tls_CAfile does > exactly. According to postconf(5), > > > smtp_tls_CAfile (default: empty) > > The file with the certificate of the certification authority (CA) that > > issued the Postfix SMTP client