> > I'm wondering about the usefulness of smtp(d)_tls_CAfile(path) when using
> > opportunistic encryption in both incoming and outgoing connections. The
> > TLS_README suggests that certificate and key files be left empty for
> > opportunistic smtp processes, but it doesn't talk specifically about
> > smtp_tls_CAfile(path).
>
> For the SMTP server, you should NOT leave the cert file empty, as many
> clients won't support aNULL ciphers.

Oops, sincere apologies. I meant the docs suggest empty cert and key for
SMTP *client* only. I was originally asking only about the client, then
changed my inquiry but forgot to change this. Anyway, sorry.

> Rather, you need to set a self-signed
> cert, if one of the usual CAs is not suitable.

Right. Check.

> For the SMTP server, since you probably won't ask for client certs, you
> never need a CAfile or CApath.

OK, got it.

> For the SMTP client, indeed, generally, your key and cert should be set
> empty. On the other hand, it is a good idea in most cases to have a CAfile
> and/or CApath with a few trusted roots.
>
> > Am I correct to infer that both smtp(d)_tls_CAfile settings only serve
> > a purpose when you want to verify client/server certificates?
> > If that's the case, why does the example at the bottom of TLS_README
> > use both the CAfile settings with only opportunistic encryption?
>
> This reduces log noise, and improves the audit trail.

Hmm, OK, not to imply these things are not important, but are these the
only reasons you'd have a CAfile or CApath?

> > Our system seems to work without any CAfile/CApath settings under
> > opportunistic encryption both incoming and outgoing. Is there a
> > performance or security difference between using them or not?
>
> You should probably throw in a few trusted root CAs.

1) Is there a place to get a file with the usual suspects already in it?
2) Does postfix add new CAs to it when it sees a new one from a client?
3) Does it make much difference between CApath or CAfile? I suppose using
   CApath only makes sense if the answer to question 2 is "yes"?
   (File probably sufficient if it is static and not that big)
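The main.cf fragment below is an added illustration of the settings discussed in this thread; it is not taken from the thread or from the Postfix TLS_README, and every file path in it is a placeholder. It pairs the two halves of the advice above: the server side keeps a certificate and key but no CAfile/CApath (no client certificates are requested), and the client side leaves certificate and key empty but points at a trust store so that server certificates can be verified and logged. Postfix only reads the CAfile or CApath; it never adds certificates to either, so the store is maintained by the administrator (typically a distribution CA bundle), and a CApath directory must contain the OpenSSL hashed filenames produced by c_rehash or "openssl rehash". Comments are on their own lines because Postfix does not support trailing comments after a value.

```ini
# Added example (not from the thread or the Postfix docs); paths are placeholders.

# --- SMTP server (smtpd): opportunistic TLS, certificate and key are required
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/ssl/server-cert.pem
smtpd_tls_key_file = /etc/postfix/ssl/server-key.pem
# No client certificates are requested, so smtpd_tls_CAfile and
# smtpd_tls_CApath are intentionally left unset.
smtpd_tls_ask_ccert = no

# --- SMTP client (smtp): opportunistic TLS, no client certificate
smtp_tls_security_level = may
smtp_tls_cert_file =
smtp_tls_key_file =
# Trusted roots: with security level "may", a failed verification does not
# block delivery, but the connection is logged as "Untrusted" instead of
# "Trusted", which is the log-noise / audit-trail point made above.
# Option A: a single static bundle file (placeholder path).
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# Option B: a hashed directory instead of, or in addition to, the bundle.
# The directory must contain <hash>.N links created by c_rehash.
# smtp_tls_CApath = /etc/ssl/certs
# Log one line per TLS handshake so the Trusted/Untrusted outcome is visible.
smtp_tls_loglevel = 1
```

After applying the fragment, "postfix reload" picks up the change, and "postconf -n" shows the resulting non-default settings for review.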