
On Sat, Jul 27, 2013 at 11:13:38AM +0200, Ruediger Meier wrote:
On Saturday 27 July 2013, Freek de Kruijf wrote:
On Saturday 27 July 2013 02:40:58, Ruediger Meier wrote:
I've also thought about it already. Actually there are 3 *CApath vars:
  lmtp_tls_CApath
  smtp_tls_CApath
  smtpd_tls_CApath

Just noticed that maybe this might be enough:
  tls_append_default_CA = yes
man 5 postconf
As per http://tech.groups.yahoo.com/group/postfix-users/message/283845 it is necessary to specify at least xxx_CApath or xxx_CAfile for "tls_append_default_CA = yes" to be effective. So at least some more or less dummy xxx_CAfile is needed.
Hehe, I've read the same thread yesterday after posting. It's a pity that he doesn't want to let us use SSL_CTX_set_default_verify_paths() without specifying fixed CApaths already.
But I've tested that it works if you specify "non-existing paths" like this:
  tls_append_default_CA = yes
  smtp_tls_CApath = default-only
  smtpd_tls_CApath = default-only
.. and postfix doesn't even warn about the non-existing path "default-only".
However, we could try to convince him to introduce a new config value like tls_append_default_CA = always to achieve the same more nicely and without changing current behavior.
We can of course patch postfix...

Ciao, Marcus
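An added example, not part of the original message and not Postfix code: a small Python check that reads main.cf text and reports, for each of the three services, whether "tls_append_default_CA = yes" would take effect under the rule described in this thread (a non-empty xxx_CApath or xxx_CAfile must be set). The sample main.cf is constructed, the function names are hypothetical, and $name expansion is not handled.

```python
import re

PREFIXES = ("smtp", "smtpd", "lmtp")

# Constructed sample main.cf, not taken from a real system.
SAMPLE_MAIN_CF = """\
# TLS trust settings
tls_append_default_CA = yes
smtp_tls_CApath = default-only
smtpd_tls_CAfile =
lmtp_tls_security_level = may
"""

def parse_main_cf(text):
    """Return {name: value}; handles comments, continuation lines, overrides."""
    logical = []
    for line in text.splitlines():
        # Blank lines and lines whose first non-blank char is '#' are ignored.
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        # A line starting with whitespace continues the previous logical line.
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    params = {}
    for entry in logical:
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)$", entry)
        if m:
            params[m.group(1)] = m.group(2).strip()  # later entries win
    return params

def default_ca_status(text):
    """Per service: True if default CAs get appended (rule as stated in the thread)."""
    params = parse_main_cf(text)
    append = params.get("tls_append_default_CA", "no").lower() == "yes"
    status = {}
    for p in PREFIXES:
        # Any non-empty value counts, even a non-existing path like "default-only".
        has_ca = bool(params.get(f"{p}_tls_CApath") or params.get(f"{p}_tls_CAfile"))
        status[p] = append and has_ca
    return status

if __name__ == "__main__":
    for prefix, ok in default_ca_status(SAMPLE_MAIN_CF).items():
        print(f"{prefix}: default CAs {'appended' if ok else 'NOT appended'}")
```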