> On 4/12/2011 2:17 AM, email builder wrote:
>
> >>> Am I correct to infer that both smtp(d)_tls_CAfile settings only serve
> >>> a purpose when you want to verify client/server certificates?
> >>> If that's the case, why does the example at the bottom of TLS_README
> >>> use both the CAfile settings with only opportunistic encryption?
> >>
> >> This reduces log noise, and improves the audit trail.
> >
> > Hmm, OK, not to imply these things are not important, but are these the
> > only reasons you'd have a CAfile or CApath?
>
> With opportunistic TLS you don't gain any extra security by
> verifying the remote cert. This is what makes self-signed
> certificates adequate for opportunistic TLS.
>
> >>> Our system seems to work without any CAfile/CApath settings under
> >>> opportunistic encryption both incoming and outgoing. Is there a
> >>> performance or security difference between using them or not?
> >>
> >> You should probably throw in a few trusted root CAs.
> >
> > 1) Is there a place to get a file with the usual suspects already in it?
>
> Most OS's have a package of common root certs available. For
> example, FreeBSD provides the security/ca_root_nss port.
>
> > 2) Does postfix add new CAs to it when it sees a new one from a client?
>
> No. The CA file/path is a trust list. It would be
> inappropriate for a program to add trust automatically.
>
> > 3) Does it make much difference between CApath or CAfile? I suppose
> > using CApath only makes sense if the answer to question 2 is "yes"? (File
> > probably sufficient if it is static and not that big)
>
> Performance may be better with CApath for a large number of
> certificates, but mostly this is about how the certs are
> bundled for you.
Thank you and Victor.
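As an added example (not part of the thread and not taken from Postfix's own TLS_README), here is a main.cf fragment that puts the advice above into practice: opportunistic TLS in both directions, a self-signed server certificate, and a root CA bundle that is only used to classify the peer's certificate in the log. All file paths are assumptions; the bundle path is what the FreeBSD security/ca_root_nss port installs (also an assumption, check your system). Postfix main.cf does not allow comments after a value, so every comment sits on its own line.

```ini
# /etc/postfix/main.cf fragment (added example, paths are assumptions)

# Inbound: offer STARTTLS, never require it.
smtpd_tls_security_level = may
# A self-signed certificate is sufficient at level "may".
smtpd_tls_cert_file = /etc/postfix/mail.example.com.crt
smtpd_tls_key_file  = /etc/postfix/mail.example.com.key
# Ask connecting clients for a certificate; without this the server never
# sees one, so there is nothing to compare against the trust list.
smtpd_tls_ask_ccert = yes
# Trust list. With "may" it only decides whether the log says
# "Trusted TLS connection established" or "Untrusted ...";
# Postfix never appends certificates to it.
# (FreeBSD ca_root_nss bundle path assumed.)
smtpd_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
smtpd_tls_loglevel = 1

# Outbound: use STARTTLS when the remote offers it, else deliver in clear.
smtp_tls_security_level = may
# Same trust list; at "may" an untrusted server certificate is logged,
# delivery still proceeds.
smtp_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
# Alternative for a large or frequently changing store: a hashed directory
# (one file per CA, named by subject hash) instead of a single bundle file.
# smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 1
```

After `postfix reload`, loglevel 1 is enough to see the effect of the trust list: sessions with a peer certificate that chains to the bundle are logged as "Trusted TLS connection established", all others as "Untrusted" (or "Anonymous" when no certificate was presented), and in neither case does a "may" level refuse the connection. Switching to a hashed `CApath` changes only where the CAs are read from, not what they are used for.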