> On Feb 1, 2018, at 12:10 PM, Danny Horne <da...@trisect.uk> wrote:
> 
>> A simpler way to achieve the same goal would have been:
>>      http://www.postfix.org/postconf.5.html#tls_append_default_CA
>> 
>>      tls_append_default_CA = yes
>> 
>> bearing in mind the caution in the documentation, when enabling the
>> panoply of WebPKI trust-anchors (root CAs) DO NOT make the mistake
>> of also using "permit_tls_all_clientcerts", lest your server become
>> an open relay for every man and his dog who can get a Let's Encrypt
>> certificate...
>> 
> Ok, adding tls_append_default_CA = yes has finally given me trusted TLS
> connections, but I do wonder if it was worth it in the end!!
> 
> I am not using permit_tls_all_clientcerts

This both loads the default CAfile and sets up the default CApath, so
we don't yet know whether your CApath directory is fully prepared or
not...  So now you could try reverting to:

        tls_append_default_CA = no
        smtpd_tls_CApath = /etc/pki/tls/certs

which should work if the above directory has the expected symlinks.
Otherwise, you could run "c_rehash" to make it so.  That'll save
each smtpd(8) process the (probably small) cost of loading all the
CAs at startup.

-- 
        Viktor.
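The check Viktor suggests above, as an added example that is not code from this thread or from Postfix: a POSIX shell script that verifies whether a directory you intend to use as smtpd_tls_CApath already has the OpenSSL subject-hash symlinks (<hash>.N) that Postfix's CApath lookup depends on, and creates any missing ones itself, which is what c_rehash (or "openssl rehash") does. It assumes openssl(1) is on PATH and that the CA files end in .pem or .crt; the directory is whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the thread or from Postfix.
# Assumes openssl(1) is on PATH and CA certs are PEM files named *.pem/*.crt.

# Return 0 if every CA cert in DIR is reachable through a <subject_hash>.N
# symlink (what OpenSSL's hash-dir lookup, and therefore smtpd_tls_CApath,
# actually reads); otherwise print the unlinked files and return 1.
capath_check() {
    dir=$1
    missing=0
    for f in "$dir"/*.pem "$dir"/*.crt; do
        # Skip non-files and the hash links themselves.
        if [ ! -f "$f" ] || [ -L "$f" ]; then continue; fi
        hash=$(openssl x509 -noout -subject_hash -in "$f") || return 2
        found=0
        for link in "$dir/$hash".*; do
            [ -L "$link" ] || continue
            case "$link" in
                "$dir/$hash".[0-9]*) ;;
                *) continue ;;
            esac
            target=$(readlink "$link")
            if [ "$target" = "$(basename "$f")" ] || [ "$target" = "$f" ]; then
                found=1
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "no hash symlink for $f (expected $dir/$hash.N)"
            missing=1
        fi
    done
    return "$missing"
}

# Create the missing <subject_hash>.N links, picking the lowest unused N so
# that two CAs whose subjects collide on the 32-bit hash can coexist.
# Re-running it on an already prepared directory changes nothing.
capath_rehash() {
    dir=$1
    for f in "$dir"/*.pem "$dir"/*.crt; do
        if [ ! -f "$f" ] || [ -L "$f" ]; then continue; fi
        hash=$(openssl x509 -noout -subject_hash -in "$f") || return 2
        n=0
        while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do
            # Already linked to this very file: nothing to do for it.
            if [ "$(readlink "$dir/$hash.$n")" = "$(basename "$f")" ]; then
                continue 2
            fi
            n=$((n + 1))
        done
        ln -s "$(basename "$f")" "$dir/$hash.$n"
    done
}

# Usage (hypothetical path, matching the one discussed above):
#   capath_check /etc/pki/tls/certs || capath_rehash /etc/pki/tls/certs
```

Once capath_check passes, "tls_append_default_CA = no" with "smtpd_tls_CApath" pointing at that directory will find the same CAs without each smtpd(8) process loading the whole bundle at startup; the caution quoted above still applies, so do not combine it with "permit_tls_all_clientcerts".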
