Manuel Pégourié-Gonnard:
> Hi,
>
> I'm afraid I don't understand what the directive smtp_tls_CAfile does
> exactly. According to postconf(5),
>
> > smtp_tls_CAfile (default: empty)
> > The file with the certificate of the certification authority (CA) that
> > issued the Postfix SMTP client certificate. This is needed only when
> > the CA certificate is not already present in the client certificate
> > file.
>
> So this should not be used to verify a server's certificate. In
> practice, if the file pointed to by smtp_tls_CAfile is a concatenation
> of CA's certificates, then they are all used to verify the server's
> certificate.
>
> OTOH, server certificate verification should be done against
> certificates in the directory indicated by smtp_tls_CApath. For some

That is smtpd_tls_CApath (or smtpd_tls_CAfile).

Wietse

> reason, I didn't manage to get it working (and yes, I ran c_rehash on
> this directory).
>
> Has someone any idea why I can't get this directive working?
>
> My servers are finally working as I want wrt TLS, but I feel very
> uncomfortable with this situation: the directive which should do the job
> according to the manual doesn't work, and the directive which shouldn't do
> it, does it.
>
> Did I misunderstand something in the manual? If not, may I suggest
> updating either the manual or the code so that they match?
>
> Thanks,
> Manuel.