Subject: openssl CA certs
To: None <>
From: Wolfgang S. Rupprecht <>
List: tech-crypto
Date: 07/19/2003 10:46:23
I just installed the postfix w. tls from pkgsrc.  What a nice hack.
Thanks to the folks that put in the work!

One thing that NetBSD's postfix and/or openssl is missing out of the
box is a comprehensive set of CA certificates to validate the
host-level certs that postfix will get handed from the remote host.

I've started to put together a bundle of CA certs to feed to postfix.
Most of them came from "curl", but I've appended a few other CA certs
that I needed.  The file is in a format that postfix can use via:

    smtpd_tls_CAfile = /etc/openssl/certs/all-cacert.pem
    smtp_tls_CAfile = /etc/openssl/certs/all-cacert.pem

Is there enough interest to include something like this with NetBSD?

Yes, I know it is another file to maintain, but without it openssl
just can't validate the remote certifications.  Thoughts?

Wolfgang S. Rupprecht
(NOTE: The email address above is valid.  Edit it at your own peril.)
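
A CA file built by appending certificates from several sources, as the message above describes, is worth checking before the two CAfile settings point at it. The following is an added example, not part of the original post and not code from Postfix or OpenSSL: it reports duplicate and structurally broken PEM blocks in a concatenated bundle. It checks only base64 and the outer DER length, not X.509 fields or expiry; the function names and the sample bundle are constructed for illustration.

```python
import base64
import binascii
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_length_ok(der):
    """True if der is one DER SEQUENCE whose length field spans the whole blob."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first == len(der)
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return False
    return 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)

def audit_bundle(text):
    """Return (unique SHA-256 fingerprints, duplicate positions, malformed positions)."""
    unique, duplicates, malformed = [], [], []
    # Text between blocks (labels, comments) is ignored; positions are 1-based.
    for pos, m in enumerate(PEM_BLOCK.finditer(text), start=1):
        try:
            der = base64.b64decode("".join(m.group(1).split()), validate=True)
        except (binascii.Error, ValueError):
            der = b""                     # bad base64 is reported as malformed
        if not der_length_ok(der):
            malformed.append(pos)
            continue
        fp = hashlib.sha256(der).hexdigest()
        if fp in unique:
            duplicates.append(pos)        # same certificate appended twice
        else:
            unique.append(fp)
    return unique, duplicates, malformed

def _pem(der):
    body = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"

# Constructed sample: tiny DER stand-ins, not real CA certificates.
CERT_A = _pem(b"\x30\x03\x02\x01\x01")
CERT_B = _pem(b"\x30\x03\x02\x01\x02")
TRUNCATED = _pem(b"\x30\x05\x02\x01\x03")  # header claims 5 bytes, only 3 follow
SAMPLE_BUNDLE = "label text\n" + CERT_A + CERT_B + "appended later\n" + CERT_A + TRUNCATED
```

To audit a real file, pass its contents to `audit_bundle()`; any position listed as a duplicate or malformed identifies the Nth `BEGIN CERTIFICATE` block in the file.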