On Fri, Sep 25, 2015 at 04:53:22PM +0000, Viktor Dukhovni wrote: > On Fri, Sep 25, 2015 at 07:21:32PM +0300, Michael Peter wrote: > > > > What version of Postfix are you using? > > > > postfix/master[7500]: reload -- version 2.6.6, configuration /etc/postfix > > That's nearly seven years old. When you enable the Web PKI by > setting smtp_tls_CAfile, that version of Postfix will also drag > in all the default system certificate files.
For the record, in case you have not yet stumbled across this: http://www.postfix.org/postconf.5.html#tls_append_default_CA tls_append_default_CA (default: no) This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8, 2.7.2 and later versions. This parameter controls the use of legacy default CAs in Postfix >= 2.8 and sufficiently high patch levels of the previous four releases. -- Viktor.