On 11/30/2014 06:50 PM, Viktor Dukhovni wrote:
On Sun, Nov 30, 2014 at 06:30:51PM -0500, Robert Moskowitz wrote:

On 11/30/2014 04:55 PM, Wietse Venema wrote:
Robert Moskowitz:
Where does Postfix get its list of trusted certificate issuers?
You decide:
http://www.postfix.org/postconf.5.html#tls_append_default_CA
Thanks.  Now I just have to get a CA list onto the server.  As well as what
format the list is to be in.  Or are they just multiple files in a
directory.  Got some searching to do.
Sufficiently recent versions of Postfix (yours predates at least
2.9) don't bother to pollute the logs with uninteresting verification
"failures" when delivery proceeds whether the peer chain was trusted
or not:

     http://www.postfix.org/TLS_README.html#client_logging

You don't have to do anything, your protection against active
attacks is not noticeably improved when your logs sometimes happen
to record that the certificate chain was issued by a trusted root
for a few destinations.

Even if you configure a "complete" (whatever that means) CA-bundle,
opportunistic TLS in Postfix still does not check the certificate
hostname, so all you'd know is that the peer certificate was issued by
some trusted CA to some domain or other, possibly completely
unrelated to the target SMTP server.

If you're dead set on going through the motions anyway, you can
put one trusted root CA certificate per file in some directory,
run the OpenSSL c_rehash(1) utility on that directory, and then
configure the directory as your smtp_tls_CApath.  If your master.cf
file does not specify chroot=n for the smtp delivery agent, you'll
have to clone the CApath directory into the chroot jail ($queue_directory).

I am not suggesting you do this, but since you asked...

As so often, Viktor, you get right to the 'key' point. Yes, why bother. Is it any faster if it has a lot of root CA files to check against? Probably not! And we want opportunistic, in this case, to protect against listeners between the MTAs. (But considering all I do in secure communications I will not go down the pro/con debate; it does not belong here.)

So leave it alone. Just another interesting message happening. Nothing REALLY interesting, move along...

Ah, for the days of X.400 mail when every mail handler HAD to be trusted. :)
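The "going through the motions" procedure Viktor lists above (one root CA certificate per file, c_rehash, smtp_tls_CApath, and a copy into the chroot jail when the smtp delivery agent is chrooted), written out as an added shell example. It is not code from the thread or from Postfix; the function names (split_pem_bundle, rehash_capath, install_capath, make_sample_bundle) and the sample bundle are this example's own. It assumes POSIX sh and awk; the hashing and install steps additionally assume openssl and postconf on PATH, and the chroot check uses `postconf -M`, which needs Postfix 2.11 or later. None of this changes Viktor's point: opportunistic TLS in Postfix still does not match the certificate against the server name.

```shell
#!/bin/sh
# Added example, not from the thread or from Postfix: build a Postfix
# smtp_tls_CApath directory from a PEM bundle, hash it, and install it.
# Assumed: POSIX sh and awk; openssl and postconf (Postfix >= 2.11) only
# for the rehash/install steps.
set -eu

# Step 1: split a PEM bundle into one certificate per file under DIR.
# Usage: split_pem_bundle BUNDLE DIR  -> prints the number of files written.
# One cert per file matters: c_rehash / openssl rehash skip files that do
# not contain exactly one certificate or CRL.
split_pem_bundle() {
    bundle=$1 dir=$2
    mkdir -p "$dir"
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/ca-%04d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$bundle"
}

# Step 2: create the <subject-hash>.N symlinks OpenSSL (and so Postfix)
# uses to look up issuers in a CApath directory.
rehash_capath() {
    dir=$1
    if command -v c_rehash >/dev/null 2>&1; then
        c_rehash "$dir" >/dev/null
    else
        openssl rehash "$dir"      # OpenSSL >= 1.1.0 built-in equivalent
    fi
}

# Step 3: point Postfix at the directory and, unless master.cf says
# chroot=n for the smtp delivery agent, mirror it into $queue_directory.
# master.cf field 5 is the chroot column; "-" takes the built-in default,
# which master(5) documents as "y" before Postfix 3.0 and "n" from 3.0 on,
# so anything other than an explicit "n" is treated as chrooted here.
install_capath() {
    dir=$1
    postconf -e "smtp_tls_CApath = $dir"
    chroot_field=$(postconf -M smtp/unix | awk '{ print $5 }')
    if [ "$chroot_field" != "n" ]; then
        qdir=$(postconf -h queue_directory)
        mkdir -p "$qdir$dir"
        cp -pR "$dir"/. "$qdir$dir/"
        echo "copied $dir into chroot at $qdir$dir"
    fi
}

# Constructed sample input for offline runs: the PEM bodies are placeholder
# text, NOT real certificates, so only the splitting step can be exercised
# on them; rehash/install need real CA certificates.
make_sample_bundle() {
    cat > "$1" <<'EOF'
# Example Root CA 1 (placeholder body)
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgLSBOT1QgQSBSRUFMIENFUlRJRklDQVRF
-----END CERTIFICATE-----
# Example Root CA 2 (placeholder body)
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgLSBOT1QgQSBSRUFMIENFUlRJRklDQVRF
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgLSBOT1QgQSBSRUFMIENFUlRJRklDQVRF
-----END CERTIFICATE-----
EOF
}

# Full run (needs real certificates, openssl, postconf and root):
#   sh capath.sh --install /path/to/bundle.pem /etc/postfix/capath
# Nothing below runs when the file is sourced or run without arguments.
if [ "${1:-}" = "--install" ]; then
    src=${2:?bundle.pem}; capath=${3:-/etc/postfix/capath}
    echo "$(split_pem_bundle "$src" "$capath") certificates written to $capath"
    rehash_capath "$capath"
    install_capath "$capath"
fi
```

The split step is the part most often got wrong when people feed a distribution bundle to c_rehash: a single multi-certificate file is skipped, the directory ends up with no hash links, and verification silently finds no trusted issuer, which with opportunistic TLS still delivers the mail, exactly the "uninteresting failure" Viktor mentions.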

