On 1/9/2011 4:39 PM, IT geek 31 wrote:
> My understanding is to prevent these errors, you obtain the root
> certificate for each server mail certificate your Postfix server
> connects to, append it to a pem file and reference it with
> smtp_tls_CAfile in main.conf.
> This could obviously take a while. On a Windows installation you can
> refer to a certificates store in the registry.
> Is there an easier way to do this on a *nix box?

You obtain a list of common root certificates and point
postfix to that. Your system probably already has such a list
if you have a web browser installed.

Some OS vendors make common certificates available as a
separate package. See your favorite web search engine for
more information.

However, verifying certificates for email is of little value
if you are willing to accept unencrypted connections, and
you'll also find that *many* legit organizations use
self-signed, outdated, or otherwise unverifiable certificates.

If you require verified encrypted connections, you should read
http://www.postfix.org/TLS_README.html
paying particular attention to the various "secure"
discussions and warnings, and you should obtain the required
certificates manually.

-- Noel Jones
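
The two setups discussed in this thread, sketched as a Postfix client configuration. This is an added example, not part of either message. The bundle path, the policy table location and the domain `example.com` are assumptions; substitute the CA bundle your OS vendor ships and the destinations you actually need to verify.

```conf
# --- /etc/postfix/main.cf (added example; paths are assumptions) ---

# Opportunistic TLS: encrypt when the peer offers STARTTLS, fall back to
# plaintext otherwise. At this level an unverifiable certificate does not
# stop delivery, so the CA list below only affects how sessions are logged.
smtp_tls_security_level = may

# One file holding the common root CAs supplied by the OS, instead of
# appending roots one destination at a time.
# Debian/Ubuntu location shown as an assumption; other systems differ.
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Log a one-line summary of each TLS session.
smtp_tls_loglevel = 1

# Per-destination overrides for the domains that must be verified.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# --- /etc/postfix/tls_policy (added example; placeholder domain) ---
# "secure" requires encryption and a certificate that chains to a trusted
# CA and matches the configured next-hop name; mail is deferred instead of
# being sent over an unverified or plaintext session.
# Run "postmap /etc/postfix/tls_policy" after editing this table.
example.com    secure
```

Keeping the global level at `may` and listing only the strict destinations in the policy table avoids deferring mail to the many sites with self-signed or expired certificates.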