On Saturday 27 July 2013, Freek de Kruijf wrote:
On Friday 26 July 2013 09:09:02 Ludwig Nussel wrote:
I'm currently working on that for 13.1¹. Applications are expected to call SSL_CTX_set_default_verify_paths() resp. gnutls_x509_trust_list_add_system_trust() to make them use the system certificate store. No package should hardcode /etc/ssl/certs or any bundle file anymore. NSS applications like Firefox need no change. Just install p11-kit-nss-trust instead of mozilla-nss-certs.
Postfix used to have two parameters in main.cf with CApath in them, pointing to these certs. Now these parameters do not have a value. Should these parameters be replaced by new parameters to indicate the use of the above routine in Postfix?
I've also thought about it already. Actually there are 3 *CApath vars:

lmtp_tls_CApath
smtp_tls_CApath
smtpd_tls_CApath

Setting them by default might be a good idea, but I see a few possible problems, especially for the update case. Could it break advanced existing setups? How does it conflict with existing *_CAfile settings? For example, in the past I had set custom *_CAfile vars which only contained my own CA certificate. I only wanted to trust my own postfix servers, and I wouldn't have liked it if upgrading suse added all common CAs without asking me.

BTW, TLS is disabled in postfix by default anyway. So it's not worth risking these update problems.

On the other hand I would support enabling TLS by default. If we do this, then we have to set *_CApath of course. My preferred default config would be like this:

diff --git a/postfix/main.cf b/postfix/main.cf index a11775e..2a25522 100644 --- a/postfix/main.cf +++ b/postfix/main.cf @@ -726,9 +726,13 @@ strict_rfc821_envelopes = no smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination smtp_sasl_auth_enable = no smtpd_sasl_auth_enable = no -smtpd_use_tls = no -smtp_use_tls = no -smtp_enforce_tls = no +smtp_tls_note_starttls_offer = yes +smtp_tls_security_level = may +smtp_tls_CApath = /etc/ssl/certs +smtp_tls_loglevel = 1 +smtp_tls_security_level = none +smtpd_tls_CApath = /etc/ssl/certs +smtpd_tls_loglevel = 1 alias_maps = hash:/etc/aliases mailbox_size_limit = 0 message_size_limit = 0 diff --git a/postfix/master.cf b/postfix/master.cf index 2eadaf5..2939b04 100644 --- a/postfix/master.cf +++ b/postfix/master.cf
@@ -25,7 +25,7 @@ pickup fifo n - n 60 1 pickup cleanup unix n - n - 0 cleanup qmgr fifo n - n 300 1 qmgr #qmgr fifo n - n 300 1 oqmgr -#tlsmgr unix - - n 1000? 1 tlsmgr +tlsmgr unix - - n 1000? 1 tlsmgr rewrite unix - - n - - trivial-rewrite bounce unix - - n - 0 bounce defer unix - - n - 0 bounce

Notes

1. The 3 removed vars are deprecated and should be replaced by *_tls_security_level in any case.
2. If we could generate default keys somehow then we could also enable TLS for incoming smtp:
   +smtpd_tls_security_level = may
   +smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
   +smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
3. lmtp could be handled similarly, although AFAIK it's usually only used in the LAN for performance reasons, so maybe TLS is usually not wanted.
4. Instead of changing the default main.cf we should consider changing the default compile-time settings. The update case could be easier to handle this way.

cu,
Rudi
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
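Review bot: in the main.cf hunk, smtp_tls_security_level is set twice, first "+smtp_tls_security_level = may" and then "+smtp_tls_security_level = none"; Postfix applies the last definition (postconf warns about "overriding earlier entry"), so the client side ends up with TLS off and the new smtp_tls_note_starttls_offer, smtp_tls_CApath and smtp_tls_loglevel lines have no effect. The second line was presumably meant to be smtpd_tls_security_level = none, which matches the adjacent smtpd_tls_CApath and smtpd_tls_loglevel lines and note 2. Separately, "+smtp_tls_CApath = /etc/ssl/certs" and "+smtpd_tls_CApath = /etc/ssl/certs" hardcode exactly the bundle directory that the quoted mail says no package should hardcode anymore, and at level "may" certificate verification is not enforced anyway, so the CApath only changes what the loglevel 1 messages report. Either verify that Postfix falls back to the system trust store when both *_CAfile and *_CApath are empty and drop the two lines, or document in the hunk why the explicit path is still needed for 13.1.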
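Review bot: the master.cf hunk only changes the packaged default; if an installed master.cf is kept on update, as the mail expects for main.cf, an upgraded system gets the new main.cf TLS defaults without the uncommented "tlsmgr unix - - n 1000? 1 tlsmgr" line, and the session cache tlsmgr maintains is then unavailable. Either document that tlsmgr must be enabled by hand, or handle it in the package update together with the main.cf defaults; note 4's compile-time route does not cover master.cf either.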
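A check for the configuration pitfalls this thread raises: the repeated smtp_tls_security_level in the proposed main.cf hunk, the deprecated smtpd_use_tls / smtp_use_tls / smtp_enforce_tls switches from note 1, and *_CApath pointing at the hardcoded /etc/ssl/certs that the quoted mail says packages should stop using. This is an added example written for this page, not code from the thread, from Postfix or from openSUSE. It assumes Postfix's main.cf syntax (name = value, # comments, continuation lines that start with whitespace) and that when a parameter is defined twice the last definition wins, which is what postconf's "overriding earlier entry" warning describes; the sample main.cf at the bottom is constructed to mirror the proposed hunk.

```python
"""Lint a Postfix main.cf for the TLS settings discussed in the thread.

Added example, not part of the mailing-list thread, Postfix or openSUSE.
Assumptions (not taken from the page): main.cf lines are 'name = value',
'#' starts a comment, a line beginning with whitespace continues the
previous value, and when a parameter is defined twice the later definition
wins (postconf reports this as "overriding earlier entry").
"""
import re

# Legacy switches that note 1 of the mail says are replaced by *_tls_security_level
DEPRECATED = {
    "smtpd_use_tls": "smtpd_tls_security_level",
    "smtp_use_tls": "smtp_tls_security_level",
    "smtp_enforce_tls": "smtp_tls_security_level",
}

# Bundle directory that the quoted 13.1 guidance says packages should not hardcode
HARDCODED_BUNDLE = "/etc/ssl/certs"

PARAM_RE = re.compile(r"([A-Za-z0-9_]+)\s*=\s*(.*)$")


def parse_main_cf(text):
    """Return (name, value, lineno) tuples in file order, keeping repeats."""
    entries = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            # continuation line: append to the value of the previous parameter
            if current is None:
                raise ValueError(f"line {lineno}: continuation without a parameter")
            name, value, start = current
            current = (name, (value + " " + line.strip()).strip(), start)
            continue
        if current is not None:
            entries.append(current)
        m = PARAM_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        current = (m.group(1), m.group(2).strip(), lineno)
    if current is not None:
        entries.append(current)
    return entries


def effective(entries):
    """Collapse repeats the way Postfix does: the last definition wins."""
    result = {}
    for name, value, _ in entries:
        result[name] = value
    return result


def lint(text):
    """Return a list of human-readable findings for the given main.cf text."""
    entries = parse_main_cf(text)
    findings = []
    first_seen = {}
    for name, value, lineno in entries:
        if name in first_seen:
            findings.append(
                f"line {lineno}: {name} overrides earlier entry at line {first_seen[name]}"
            )
        else:
            first_seen[name] = lineno
        if name in DEPRECATED:
            findings.append(f"line {lineno}: {name} is deprecated, use {DEPRECATED[name]}")
        if name.endswith("_CApath") and value.rstrip("/") == HARDCODED_BUNDLE:
            findings.append(f"line {lineno}: {name} hardcodes {HARDCODED_BUNDLE}")
    conf = effective(entries)
    # An empty or "none" level means TLS is off for that side (unless a deprecated
    # switch turns it on), so a CApath next to it is dead configuration.
    for side in ("lmtp", "smtp", "smtpd"):
        level = conf.get(f"{side}_tls_security_level", "")
        if level in ("", "none") and conf.get(f"{side}_tls_CApath"):
            findings.append(
                f"{side}_tls_CApath is set but {side}_tls_security_level is "
                f"{level or 'unset'}: TLS is off for {side}"
            )
    return findings


# Constructed sample mirroring the net effect of the proposed main.cf hunk.
SAMPLE_MAIN_CF = """\
# constructed sample, not a real main.cf
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 1
smtp_tls_security_level = none
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_loglevel = 1
smtpd_use_tls = no
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_MAIN_CF):
        print(finding)
```

Run against the constructed sample it reports the override of line 3 by line 6, the two hardcoded CApath lines, the deprecated smtpd_use_tls, and that both CApath settings are dead because the effective security level leaves TLS off on each side; changing the second smtp_tls_security_level line to smtpd_tls_security_level removes the override finding and makes the smtp-side CApath live.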