On Sun, Nov 30, 2014 at 06:30:51PM -0500, Robert Moskowitz wrote:

> On 11/30/2014 04:55 PM, Wietse Venema wrote:
> >Robert Moskowitz:
> >>Where does Postfix get its list of trusted certificate issuers?
> >You decide:
> >http://www.postfix.org/postconf.5.html#tls_append_default_CA
> 
> Thanks.  Now I just have to get a CA list onto the server.  As well as what
> format the list is to be in.  Or are they just multiple files in a
> directory?  Got some searching to do.

Sufficiently recent versions of Postfix (yours predates at least
2.9) don't bother to pollute the logs with uninteresting verification
"failures" when delivery proceeds whether the peer chain was trusted
or not:

    http://www.postfix.org/TLS_README.html#client_logging

You don't have to do anything, your protection against active
attacks is not noticeably improved when your logs sometimes happen
to record that the certificate chain was issued by a trusted root
for a few destinations.

Even if you configure a "complete" (whatever that means) CA-bundle,
opportunistic TLS in Postfix still does not check the certificate
hostname, so all you'd know is that the peer certificate was issued by
some trusted CA to some domain or other, possibly completely
unrelated to the target SMTP server.

If you're dead set on going through the motions anyway, you can
put one trusted root CA certificate per file in some directory,
run the OpenSSL c_rehash(1) utility on that directory, and then
configure the directory as your smtp_tls_CApath.  If your master.cf
file does not specify chroot=n for the smtp delivery agent, you'll need
to clone the CApath directory into the chroot jail ($queue_directory).

I am not suggesting you do this, but since you asked...

-- 
        Viktor.
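As an added example, not part of Viktor's reply or of Postfix itself: a POSIX shell script that carries out the steps he lists (split a CA bundle into one-certificate-per-file, hash the directory, mirror it into the chroot jail). The function names, the default bundle location and the /etc/postfix/certs CApath are assumptions.

```shell
#!/bin/sh
# Build a Postfix smtp_tls_CApath directory from a PEM bundle: one
# certificate per file, OpenSSL hash links, then a copy into the chroot.
# Function names and default paths below are assumptions, not Postfix's.
set -eu

# Split a PEM bundle ($1) into ca-NNNN.pem files under $2; prints the count.
split_ca_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/ca-%04d.pem", dir, n) }
        f { print > f }
        /^-----END CERTIFICATE-----/   { close(f); f = "" }
        END { print n + 0 }
    ' "$bundle"
}

# Create the <hash>.N symlinks OpenSSL's by-directory lookup requires.
# "openssl rehash" exists from OpenSSL 1.1.0; older installs ship c_rehash.
rehash_capath() {
    dir=$1
    openssl rehash "$dir" 2>/dev/null || c_rehash "$dir"
}

# Mirror the CApath into the chroot jail at the same relative path, so a
# chrooted smtp(8) finds it under $queue_directory. Prints the target dir.
sync_capath_to_chroot() {
    capath=$1; queue_dir=$2
    target="$queue_dir/${capath#/}"
    mkdir -p "$target"
    cp -RPp "$capath"/. "$target"/
    printf '%s\n' "$target"
}

if [ "${1-}" = "build" ]; then
    bundle=${2:-/etc/pki/tls/certs/ca-bundle.crt}   # assumed bundle location
    capath=${3:-/etc/postfix/certs}                 # assumed smtp_tls_CApath
    split_ca_bundle "$bundle" "$capath"
    rehash_capath "$capath"
    sync_capath_to_chroot "$capath" "$(postconf -h queue_directory)"
    echo "now run: postconf -e smtp_tls_CApath=$capath && postfix reload"
fi
```

Re-run the script after every bundle update, since the chroot copy does not track the original directory.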
