On Fri, Sep 25, 2015 at 04:53:22PM +0000, Viktor Dukhovni wrote:
> On Fri, Sep 25, 2015 at 07:21:32PM +0300, Michael Peter wrote:
>
> > > What version of Postfix are you using?
> >
> > postfix/master[7500]: reload -- version 2.6.6, configuration /etc/postfix
>
> That's nearly seven years old. When you enable the Web PKI by
> setting smtp_tls_CAfile, that version of Postfix will also drag
> in all the default system certificate files.

For the record, in case you have not yet stumbled across this:

    http://www.postfix.org/postconf.5.html#tls_append_default_CA

    tls_append_default_CA (default: no)

    This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8, 2.7.2
    and later versions.

This parameter controls the use of legacy default CAs in Postfix >= 2.8
and sufficiently high patch levels of the previous four releases.

--
Viktor.