On Wed, 19 Jan 2022 15:54:03 +0100 Thomas Fargeix <thomas.farg...@burzmali.com>
wrote:
> On 2022-01-18 23:19, Scott Kitterman wrote:
>> According to postconf(5) it's not needed. It says, "These are loaded into
>> memory before the smtp(8) client enters the chroot jail". Why do you need it
>> in the chroot?
> Then there is a different behavior between smtp(d)_tls_CAfile and
> tls_ca_cert_file from the postfix-ldap module (and maybe other TLS options
> from other modules?).
For postfix smtp and smtpd TLS support, you can use smtp[d]_tls_CAfile.
smtp[d] will open it at startup.

For all network map types, including ldap, etc, please use proxy:ldap:
instead of trying to copy half a system into chroot, because the maps
are opened on demand (postfix should not keep your ldap server busy all
the time), while smtp[d] initializes TLS at startup.

There's no need to increase complexity of this further. Just use proxy:
map. ca-certificates.crt should not be in chroot.

The workaround for extra_chroot_CAfile is wrong from this PoV: it
just creates a wrong precedent. Instead, the solution should've been
to use proxy: map type, which is especially designed for this task.
Alternatively, un-chroot whatever service uses ldap map, in master.cf.

Please don't make simple things endlessly complex.
/mjt
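The two approaches discussed in the thread, side by side, as an added configuration example (not from any of the posters, nor from the Debian postfix package): an LDAP table whose TLS verification needs a CA bundle, first looked up directly by a chrooted smtpd (the setup that would require copying ca-certificates.crt into the jail) and then via proxy:ldap: so that the unchrooted proxymap(8) opens the table and the CA file from the real filesystem. Hostname, base DN, attribute name and table path are assumptions for illustration; the parameter names are the documented ones from ldap_table(5), postconf(5) and master(5). Postfix does not accept trailing comments on a parameter line, so every comment is on its own line.

```ini
# Added example, not from the thread. Hostname, base DN, attribute and
# table path are assumptions; parameter names are the documented ones.

# --- /etc/postfix/ldap-aliases.cf (assumed path), ldap_table(5) syntax ---
# Assumed LDAP server; an ldaps:// URL makes the connection TLS from the start.
server_host = ldaps://ldap.example.com
# Assumed base DN and result attribute.
search_base = ou=mail,dc=example,dc=com
query_filter = (mail=%s)
result_attribute = mailDrop
# Verify the LDAP server certificate against the system CA bundle.
# Whichever process opens this table must be able to read this path.
tls_require_cert = yes
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt

# --- main.cf, the setup the thread argues against ---
# With a plain ldap: table, the chrooted smtpd opens the table itself, so
# tls_ca_cert_file resolves inside the jail (on Debian, under
# /var/spool/postfix) and the lookup fails unless the CA bundle is copied
# into the chroot, the workaround the thread rejects.
#virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf

# --- main.cf, the setup the thread recommends ---
# proxymap(8) runs unchrooted and opens the table (and therefore the CA
# file) on demand from the real filesystem; smtpd only talks to it over
# a local socket, so nothing needs to be copied into the chroot and the
# LDAP server is not kept busy by every smtpd instance.
virtual_alias_maps = proxy:ldap:/etc/postfix/ldap-aliases.cf

# smtp[d]_tls_CAfile is a different case: postconf(5) documents that it
# is loaded into memory before the daemon enters the chroot, so the
# system bundle can stay where it is.
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# --- master.cf, the alternative the thread mentions ---
# Columns: service type private unpriv chroot wakeup maxproc command.
# Setting the chroot column to "n" runs smtpd unchrooted, so a plain
# ldap: table would also work; the Debian default for this column is "y".
smtp      inet  n       -       n       -       -       smtpd
```

proxymap(8) only serves tables named in proxy_read_maps; the default value already lists $virtual_alias_maps, so the example above needs no further change, but a proxy:ldap: table referenced from a parameter that is not in that list has to be added there. After the change, `postmap -q user@example.com proxy:ldap:/etc/postfix/ldap-aliases.cf` (run as root) exercises the lookup through the same path smtpd will use, which is the check to run before assuming the chroot problem is solved.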