Wietse Venema wrote:
> Michael Ströder:
>> Well, I have read the docs (see quote from postfix web site above). But the
>> statement in the docs is pretty broad/imprecise:
>>
>> "followed by an optional list of whitespace and/or comma separated name=value
>> attributes that override related main.cf settings."
>
> In the TLS_README document, the section "TLS policy table" presents
> security levels and applicable attributes for those security levels.
>
> The postconf(5) manpage section for "smtp_tls_policy_maps" says
> "See TLS_README for a more detailed discussion of TLS security
> levels" in the first paragraph. We did not want to repeat all of
> TLS_README (2000 lines) in the postconf(5) manpage (12000 lines).
Sorry for nitpicking - not meant as personal offense: Actually in my former posting I've indeed cited
http://www.postfix.org/TLS_README.html#client_tls_policy

I've now looked more closely at this:
http://www.postfix.org/TLS_README.html#client_tls_verify

And it seems to describe what I was looking for:

"With Postfix ≥ 2.11 the "smtp_tls_trust_anchor_file" parameter or more typically the corresponding per-destination "tafile" attribute optionally modifies trust chain verification. If the parameter is not empty the root CAs in CAfile and CApath are no longer trusted. Rather, the Postfix SMTP client will only trust certificate-chains signed by one of the trust-anchors contained in the chosen files."

Ciao, Michael.
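The per-destination "tafile" attribute discussed in this thread, shown as a configuration fragment added here for illustration (it is not taken from the posts or from the Postfix documentation). The destination names and file paths are assumptions; the parameter and attribute names are the ones quoted above plus the standard smtp_tls_CAfile setting.

```cfg
# /etc/postfix/main.cf
# Default trust store: used for destinations whose policy entry has no tafile.
# (path is a constructed example)
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# /etc/postfix/tls_policy   (run "postmap /etc/postfix/tls_policy" after editing)
# Format: destination, security level, then optional name=value attributes.

# partner.example (hypothetical): only certificate chains signed by a trust
# anchor in partner-ta.pem are accepted. The root CAs from CAfile/CApath are
# not trusted for this destination.
partner.example    verify tafile=/etc/postfix/partner-ta.pem

# other.example (hypothetical): no tafile, so the CAfile/CApath roots from
# main.cf are used for chain verification.
other.example      verify
```

Setting smtp_tls_trust_anchor_file in main.cf would apply the same restriction globally; the policy-table attribute limits it to the named destination.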
