Hi Victor,
> On Dec 11, 2017, at 6:13 PM, Viktor Dukhovni <[email protected]>
> wrote:
>
>> On Dec 11, 2017, at 5:40 PM, J Doe <[email protected]> wrote:
>>
>> I have a question regarding specifying where the list of trusted CA’s are in
>> regards to the smtp client.
>
> The recommended set of trusted CAs for the Postfix SMTP client is
> *empty*. TLS in SMTP is opportunistic, and email sent whether or
> not the peer appears to be authenticated. So any trusted CAs you
> might configure are largely just wasted memory and CPU.
Ok. If I am understanding you correctly, you are saying that if the SMTP
client is configured to use opportunistic TLS, the mail will be delivered
regardless of whether the remote peer is *authenticated* ?
In my case, I use opportunistic TLS for the SMTP client:
/etc/postfix/main.cf
smtp_tls_security_level = may
I then had the CA list set up:
/etc/postfix/main.cf
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
I did not have any per-destination rules set up - all mail via the SMTP client
used these settings. When I send a test message in to my server and the SMTP
client sends it out to my test Gmail address, I note that the TLS log line in
mail.log is:
Dec 11 20:40:44 server postfix/smtp[2559]: Trusted TLS connection . . .
But when I remove the CA list the log line is:
Dec 11 20:40:44 server postfix/smtp[2559]: Untrusted TLS connection . . .
*HOWEVER* you are saying that the authentication status (“Trusted” /
“Untrusted”), is actually irrelevant as the mail will still be delivered to
Gmail regardless. The fact that I receive successful authentication
(“trusted”), is irrelevant compared to no authentication (“untrusted”), because
the mail goes through either way so in effect all I am doing is wasting compute
resources ?
Apologies if this is a basic question - I do appreciate your help.
After Postfix configuration ins and outs, I have a book ready on cryptography
that I am going to read to get a better handle on this.
- J
