Did you just add this config option in Postfix 2.8
http://www.postfix.org/postconf.5.html#tls_append_default_CA
?
Jan C.:
Did you just add this config option in Postfix 2.8
http://www.postfix.org/postconf.5.html#tls_append_default_CA
Yes.
Wietse
On Wed, Jun 09, 2010 at 07:41:51PM -0400, Wietse Venema wrote:
Victor Duchovni:
I guess our documentation has never promised the use of system CAs when
CApath or CAfile are set, failing to override the system settings is
counter-intuitive, so I can support this change. We'll also have to
Hi Viktor,
thanks for your answer but that does not answer my question. Is the
/etc/ssl/certs directory loaded also by default? I did the test:
smtp_tls_CApath = /foo/bar
I added/hashed some certs in /foo/bar
When postfix connects to a smtp server (tls verify), certificates
issued by CAs from
Please do not top-post your replies. Thank you.
On Wed, Jun 09, 2010 at 10:22:16AM +0200, Jan C. wrote:
thanks for your answer but that does not answer my question. Is the
/etc/ssl/certs directory loaded also by default? I did the test:
Postfix postconf(5) defaults can be shown with the
Hi,
Um, no. By default Postfix is not going to use TLS at all. When
activated, by default, no certificate verification is done at all.
Consult your distributor's package documentation if they have set
different defaults.
If I set smtp_tls_CApath to /etc/ssl/certs and then again to something
Actually, this step is not needed to reproduce it:
Now I set:
~ $ postconf -e smtp_tls_CApath=/etc/ssl/certs/
and reload postfix
to sum it up, when smtp_tls_CApath is not empty, CAs from
/etc/ssl/certs are trusted regardless of the value of smtp_tls_CApath.
regards,
Jan
Jan C.:
Actually, this step is not needed to reproduce it:
Now I set:
~ $ postconf -e smtp_tls_CApath=/etc/ssl/certs/
and reload postfix
to sum it up, when smtp_tls_CApath is not empty, CAs from
/etc/ssl/certs are trusted regardless of the value of smtp_tls_CApath.
Victor will have to
On Wed, Jun 09, 2010 at 11:25:50AM -0400, Wietse Venema wrote:
to sum it up, when smtp_tls_CApath is not empty, CAs from
/etc/ssl/certs are trusted regardless of the value of smtp_tls_CApath.
This is done primarily by OpenSSL, but as Wietse observes:
Victor will have to confirm or deny this,
Hello,
ok then at least I know what's the origin of the behavior I had.
On Wed, Jun 9, 2010 at 6:12 PM, Victor Duchovni
victor.ducho...@morganstanley.com wrote:
I guess our documentation has never promised the use of system CAs when
CApath or CAfile are set, failing to override the system
On Wed, Jun 09, 2010 at 06:30:59PM +0200, Jan C. wrote:
Hello,
ok then at least I know what's the origin of the behavior I had.
On Wed, Jun 9, 2010 at 6:12 PM, Victor Duchovni
victor.ducho...@morganstanley.com wrote:
I guess our documentation has never promised the use of system CAs when
On Wed, Jun 9, 2010 at 6:35 PM, Victor Duchovni
victor.ducho...@morganstanley.com wrote:
Probably, although I don't think we've reached a final decision yet...
My preference is to not trust some random list of CAs that came with the
O/S OpenSSL package when the user specifies an explicit
On Wed, Jun 09, 2010 at 06:39:26PM +0200, Jan C. wrote:
On Wed, Jun 9, 2010 at 6:35 PM, Victor Duchovni
victor.ducho...@morganstanley.com wrote:
Probably, although I don't think we've reached a final decision yet...
My preference is to not trust some random list of CAs that came with the
Victor Duchovni:
On Wed, Jun 09, 2010 at 11:25:50AM -0400, Wietse Venema wrote:
to sum it up, when smtp_tls_CApath is not empty, CAs from
/etc/ssl/certs are trusted regardless of the value of smtp_tls_CApath.
This is done primarily by OpenSSL, but as Wietse observes:
Victor will have
On Wed, Jun 09, 2010 at 01:34:53PM -0400, Wietse Venema wrote:
I guess our documentation has never promised the use of system CAs when
CApath or CAfile are set, failing to override the system settings is
counter-intuitive, so I can support this change. We'll also have to
document the
Victor Duchovni:
I guess our documentation has never promised the use of system CAs when
CApath or CAfile are set, failing to override the system settings is
counter-intuitive, so I can support this change. We'll also have to
document the semantics of CAfile == CApath == empty.
Why do we have
On Tue, Jun 08, 2010 at 09:31:46AM +0200, Jan C. wrote:
I have my postfix set up as a TLS client to other smtp servers. I
point smtp_tls_CApath to a directory where I store my own imported
trusted CAs. My question is whether or not Postfix will also load the
Root CAs stored in /etc/ssl/certs.