ided by a properly
+configured peer as part of the TLS handshake, this may result in failure
+to validate the peer's certificate chain.
+
+ The choice between $smtp_tls_CAfile and $smtp_tls_CApath is a
+space/time tradeoff. If there are many trusted CAs, the cost of
+preloading them all into memo
On Thu, Feb 11, 2021 at 4:49 PM Viktor Dukhovni
wrote:
>
> On Thu, Feb 11, 2021 at 02:51:02PM +, bitozoid wrote:
>
> > As of today, doc says for 'smtp_tls_CAfile':
> >
> > "A file containing CA certificates of root CAs trusted to sign either
> >
On Thu, Feb 11, 2021 at 02:51:02PM +, bitozoid wrote:
> As of today, doc says for 'smtp_tls_CAfile':
>
> "A file containing CA certificates of root CAs trusted to sign either
> remote SMTP server certificates or intermediate CA certificates."
It can also cont
On 11.02.21 14:51, bitozoid wrote:
>As of today, doc says for 'smtp_tls_CAfile':
>
>"A file containing CA certificates of root CAs trusted to sign either
>remote SMTP server certificates or intermediate CA certificates."
>
>and for 'smtp_tls_CApath
On Thu, Feb 11, 2021 at 3:11 PM Matus UHLAR - fantomas
wrote:
> On 11.02.21 14:51, bitozoid wrote:
> >As of today, doc says for 'smtp_tls_CAfile':
> >
> >"A file containing CA certificates of root CAs trusted to sign either
> >remote SMTP server ce
On 11.02.21 14:51, bitozoid wrote:
As of today, doc says for 'smtp_tls_CAfile':
"A file containing CA certificates of root CAs trusted to sign either
remote SMTP server certificates or intermediate CA certificates."
and for 'smtp_tls_CApath':
"Directory with
As of today, doc says for 'smtp_tls_CAfile':
"A file containing CA certificates of root CAs trusted to sign either
remote SMTP server certificates or intermediate CA certificates."
and for 'smtp_tls_CApath':
"Directory with PEM format Certification Authority
> That's nearly seven years old. When you enable the Web PKI by
> setting smtp_tls_CAfile, that version of Postfix will also drag
> in all the default system certificate files.
For the record, in case you have not yet stumbled across this:
http://www.postfix.org/postconf.5.html#tls_
On Fri, Sep 25, 2015 at 07:56:15PM +0300, Michael Peter wrote:
> Just for info, How can i know the default locations for default system
> certificates which postfix drag when setting smtp_tls_CAfile ?
This is system-dependent:
$ openssl version -d
OPENSSLDIR: "/usr/pkg/
> On Fri, Sep 25, 2015 at 07:21:32PM +0300, Michael Peter wrote:
>
>> > What version of Postfix are you using?
>>
>> postfix/master[7500]: reload -- version 2.6.6, configuration
>> /etc/postfix
>
> That's nearly seven years old. When you enable th
On Fri, Sep 25, 2015 at 07:21:32PM +0300, Michael Peter wrote:
> > What version of Postfix are you using?
>
> postfix/master[7500]: reload -- version 2.6.6, configuration /etc/postfix
That's nearly seven years old. When you enable the Web PKI by
setting smtp_tls_CAfile, that v
> On Fri, Sep 25, 2015 at 06:16:10PM +0300, Michael Peter wrote:
>
>> I have configured postfix to check CAfile which contains only Godaddy
>> root
>> certificate as follow for outgoing emails.
>>
>> smtp_tls_CAfile = /etc/certs/go-daddy-root-ca.crt
>
> Wh
On Fri, Sep 25, 2015 at 03:40:17PM +, Viktor Dukhovni wrote:
> What version of Postfix are you using?
Note that in Postfix prior to 2.8, setting a non-empty CAfile causes
the default system certificate store to also be enabled.
--
Viktor.
On Fri, Sep 25, 2015 at 06:16:10PM +0300, Michael Peter wrote:
> I have configured postfix to check CAfile which contains only Godaddy root
> certificate as follow for outgoing emails.
>
> smtp_tls_CAfile = /etc/certs/go-daddy-root-ca.crt
Which certificates are in that file? Repor
configured postfix to check CAfile which contains only Godaddy root
certificate as follow for outgoing emails.
smtp_tls_CAfile = /etc/certs/go-daddy-root-ca.crt
my surprise that still postfix trust the server certificates when email is
sent to Yahoo or Gmail.. (although they are using diffe
Michael Peter:
> This makes me more confused..
>
> Please advise your opinion..
Please post your configuration as requested in the welcome message.
wietse
TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html
Thank
Hello,
I have configured postfix to check CAfile which contains only Godaddy root
certificate as follow
smtp_tls_CAfile = /etc/certs/go-daddy-root-ca.crt
my surprise that still postfix trust the server certificates when email is
sent to Yahoo or Gmail.. although the CAfile contains only the
certificates or intermediate CA
! certificates. Do not forget to create the necessary "hash" links with,
! for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". To use
! smtpd_tls_CApath in chroot mode, this directory (or a copy) must be
! inside the chroot jail.
Victor Duchovni wrote:
>> I don't think it is. I would otherwise not be able to find the file
>> indicated by smtp_tls_CAfile.
>
> No, this file is loaded into memory before smtp(8) enters the chroot
> jail, while smtp_tls_CApath is accessed post-jail.
>
Ok, I di
ersions of it)?
> --- 8927,8940
>
> %PARAM smtp_tls_CAfile
>
> ! A file containing CA certificates of root CAs trusted to sign
> ! either remote SMTP server certificates or intermediate CA certificates.
> ! These are loaded into memory before the smtp(8) client enters th
rder).
! Example: the certificate for "client.example.com" was issued by
! "intermediate CA" which itself has a certificate issued by "root CA".
Create the client.pem file with "cat client_cert.pem intermediate_CA.pem
root_CA.pem > client.pem"
yes, I ran c_rehash on
> >> this directory).
> >
> > Perhaps your smtp(8) client is chrooted.
> >
> I don't think it is. I would otherwise not be able to find the file
> indicated by smtp_tls_CAfile.
No, this file is loaded into memory before smtp(
We're still taking documentation fixes for Postfix 2.6...
Wietse
Victor Duchovni wrote:
>> So this should not be used to verify a server's certificate. In
>> practice, if the file pointed to by smtp_tls_CAfile is a concatenation
>> of CA's certificates, then they are all used to verify the server's
>> certificate.
>
On Wed, Feb 25, 2009 at 02:14:40PM +0100, Manuel Pégourié-Gonnard wrote:
> I'm afraid I don't understand what the directive smtp_tls_CAfile does
> exactly. According to postconf(5),
>
> > smtp_tls_CAfile (default: empty)
> > The file with the certificate of
Manuel Pégourié-Gonnard:
> Hi,
>
> I'm afraid I don't understand what the directive smtp_tls_CAfile does
> exactly. According to postconf(5),
>
> > smtp_tls_CAfile (default: empty)
> > The file with the certificate of the certification authority (CA)
Hi,
I'm afraid I don't understand what the directive smtp_tls_CAfile does
exactly. According to postconf(5),
> smtp_tls_CAfile (default: empty)
> The file with the certificate of the certification authority (CA) that
> issued the Postfix SMTP client certificate. This
27 matches