Jan C.:
> Did you just add this config option in Postfix 2.8
> http://www.postfix.org/postconf.5.html#tls_append_default_CA
Yes.
Wietse
Did you just add this config option in Postfix 2.8
http://www.postfix.org/postconf.5.html#tls_append_default_CA
?
On Wed, Jun 09, 2010 at 07:41:51PM -0400, Wietse Venema wrote:
> Victor Duchovni:
> > I guess our documentation has never promised the use of system CAs when
> > CApath or CAfile are set, failing to override the system settings is
> > counter-intuitive, so I can support this change. We'll also hav
Victor Duchovni:
> I guess our documentation has never promised the use of system CAs when
> CApath or CAfile are set, failing to override the system settings is
> counter-intuitive, so I can support this change. We'll also have to
> document the semantics of "CAfile == CApath == ".
Why do we have
On Wed, Jun 09, 2010 at 01:34:53PM -0400, Wietse Venema wrote:
> > I guess our documentation has never promised the use of system CAs when
> > CApath or CAfile are set, failing to override the system settings is
> > counter-intuitive, so I can support this change. We'll also have to
> > document t
Victor Duchovni:
> On Wed, Jun 09, 2010 at 11:25:50AM -0400, Wietse Venema wrote:
>
> > > to sum it up, when smtp_tls_CApath is not empty, CAs from
> > > /etc/ssl/certs are trusted regardless of the value of smtp_tls_CApath.
>
> This is done primarily by OpenSSL, but as Wietse observes:
>
> > Victo
On Wed, Jun 09, 2010 at 06:39:26PM +0200, Jan C. wrote:
> On Wed, Jun 9, 2010 at 6:35 PM, Victor Duchovni
> wrote:
> > Probably, although I don't think we've reached a final decision yet...
> > My preference is to not trust some random list of CAs that came with the
> > O/S OpenSSL package when t
On Wed, Jun 9, 2010 at 6:35 PM, Victor Duchovni
wrote:
> Probably, although I don't think we've reached a final decision yet...
> My preference is to not trust some random list of CAs that came with the
> O/S OpenSSL package when the user specifies an explicit CAfile/CApath,
> but this would be an
On Wed, Jun 09, 2010 at 06:30:59PM +0200, Jan C. wrote:
> Hello,
> ok then at least I know what's the origin of the behavior I had.
>
> On Wed, Jun 9, 2010 at 6:12 PM, Victor Duchovni
> wrote:
> > I guess our documentation has never promised the use of system CAs when
> > CApath or CAfile are set
Hello,
ok then at least I know what's the origin of the behavior I had.
On Wed, Jun 9, 2010 at 6:12 PM, Victor Duchovni
wrote:
> I guess our documentation has never promised the use of system CAs when
> CApath or CAfile are set, failing to override the system settings is
> counter-intuitive, so I
On Wed, Jun 09, 2010 at 11:25:50AM -0400, Wietse Venema wrote:
> > to sum it up, when smtp_tls_CApath is not empty, CAs from
> > /etc/ssl/certs are trusted regardless of the value of smtp_tls_CApath.
This is done primarily by OpenSSL, but as Wietse observes:
> Victor will have to confirm or deny th
Jan C.:
> Actually, this step is not needed to reproduce it:
> > Now I set:
> > ~ $ postconf -e smtp_tls_CApath=/etc/ssl/certs/
> > and reload postfix
> >
>
> to sum it up, when smtp_tls_CApath is not empty, CAs from
> /etc/ssl/certs are trusted regardless of the value of smtp_tls_CApath.
Victor wi
Actually, this step is not needed to reproduce it:
> Now I set:
> ~ $ postconf -e smtp_tls_CApath=/etc/ssl/certs/
> and reload postfix
>
to sum it up, when smtp_tls_CApath is not empty, CAs from
/etc/ssl/certs are trusted regardless of the value of smtp_tls_CApath.
regards,
Jan
Hi,
> Um, no. By default Postfix is not going to use TLS at all. When
> activated, by default, no certificate verification is done at all.
> Consult your distributor's package documentation if they have set
> different defaults.
If I set smtp_tls_CApath to /etc/ssl/certs and then again to somethin
Please do not top-post your replies. Thank you.
On Wed, Jun 09, 2010 at 10:22:16AM +0200, Jan C. wrote:
> thanks for your answer but that does not answer my question. Is the
> /etc/ssl/certs directory loaded also by default? I did the test:
Postfix postconf(5) defaults can be shown with the post
Hi Viktor,
thanks for your answer but that does not answer my question. Is the
/etc/ssl/certs directory loaded also by default? I did the test:
smtp_tls_CApath = /foo/bar
I added/hashed some certs in /foo/bar
When postfix connects to a smtp server (tls verify), certificates
issued by CAs from /et
On Tue, Jun 08, 2010 at 09:31:46AM +0200, Jan C. wrote:
> I have my postfix set up as a TLS client to other smtp servers. I
> point smtp_tls_CApath to a directory where I store my own imported
> trusted CAs. My question is whether or not Postfix will also load the
> Root CAs stored in /etc/ssl/cer
Hello,
I have my postfix set up as a TLS client to other smtp servers. I
point smtp_tls_CApath to a directory where I store my own imported
trusted CAs. My question is whether or not Postfix will also load the
Root CAs stored in /etc/ssl/certs. If not, does it mean that I have to
set smtp_tls_CApat