Hi,
I have a question regarding specifying where the list of trusted CAs is, with
regard to the SMTP client.
In man 5 postconf, I can see there are two configuration parameters regarding
this:
smtp_tls_CAfile
smtp_tls_CApath
The documentation (as I understand it), notes that:
1. smtp_tls_CAfile
   - Specifies file that contains CA certs of root CAs trusted to sign either
     remote SMTP server certificates or intermediate CA certificates
2. smtp_tls_CApath
   - Specifies directory with PEM format CA certs that smtp client uses to verify
     remote SMTP server certificate
   - Preferred over smtp_tls_CAfile when the number of trusted roots is large
On one of my installations of Postfix 3.1.0 on Ubuntu 16.04 LTS, I use CAfile
to specify the file that stores all the CA certs:
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
My questions are:
1. Is that correct?
2. Is there any other guidance on when to prefer smtp_tls_CApath over
   smtp_tls_CAfile?
Thanks,
- J
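
An added illustration, not part of the original post: smtp_tls_CAfile takes a single PEM bundle, while a smtp_tls_CApath directory is searched by OpenSSL subject-hash file names (the links that c_rehash creates), so a directory of plain .pem files is not usable as-is. The sketch below counts what each form exposes; the function names, paths, placeholder PEM bodies and the hash name are all constructed for the example.

```shell
#!/bin/sh
# Added example; every path and file below is constructed sample data.

# Number of PEM certificates in a bundle file (the smtp_tls_CAfile form).
count_bundle_certs() {
    n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || n=0
    echo "${n:-0}"
}

# Number of entries named <8 hex digits>.<n>, the subject-hash names OpenSSL
# looks up in a CApath directory (the smtp_tls_CApath form).
count_hashed_entries() {
    n=0
    for f in "$1"/*; do
        [ -e "$f" ] || continue            # skips dangling links and empty dirs
        case "${f##*/}" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Print one summary line for a trust store; return 1 if it exposes no CA.
describe_trust_store() {
    if [ -d "$1" ]; then
        n=$(count_hashed_entries "$1")
        echo "CApath $1: $n hashed entries"
    else
        n=$(count_bundle_certs "$1")
        echo "CAfile $1: $n certificates"
    fi
    [ "$n" -gt 0 ]
}

# Constructed sample stores: placeholder PEM bodies, not real certificates.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
fake_pem() { printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----'; }
{ fake_pem; fake_pem; } > "$demo_dir/bundle.crt"
mkdir "$demo_dir/hashed" "$demo_dir/unhashed"
fake_pem > "$demo_dir/unhashed/Example_Root.pem"
fake_pem > "$demo_dir/hashed/Example_Root.pem"
ln -s Example_Root.pem "$demo_dir/hashed/0a1b2c3d.0"   # constructed hash name

describe_trust_store "$demo_dir/bundle.crt"
describe_trust_store "$demo_dir/hashed"
describe_trust_store "$demo_dir/unhashed" || echo "-> needs c_rehash before use as CApath"
```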