On 20.12.2011 10:24, lst_ho...@kwsoft.de wrote:

Hello,

>> Any idea how to allow all certificates issued by specific Sub-CAs,
>> without trusting everyone?
> 
> As far as I understand you have to list the complete chain but only your
> sub-CA to get it working. So create a smtpd_tls_CAfile with the Telekom
> root and your sub-CA and nothing else. This would allow relaying for any
> certificate your sub-CA or the Telekom root CA has issued, but not for
> certificates issued by any sub-CA of the Telekom besides yours. Be aware
> that you should not do this on a public facing port 25.

Unfortunately no-go, the full chain needs to be in smtpd_tls_CApath,
otherwise I get the "unable to get issuer certificate". And doing that
would blow the purpose, since we would be an open relay for everyone
having a DTAG certificate.

Bernhard
