On Thu, Apr 14, 2016 at 12:46:06PM -0400, Chris Siebenmann wrote:
> It would be convenient if you could directly put copies of self-signed
> certificates in some location in order to have them pass validation, but
> as far as I know this is not supported by anything.
For a self-signed (subject == issuer == signer) certificate, it is
not that uncommon to verify its fingerprint:
http://www.postfix.org/TLS_README.html#client_tls_fprint
Private trust-anchor (homebrew CA) support is also not unheard of:
http://www.postfix.org/TLS_README.html#client_tls_secure
With Postfix >= 2.11 the "smtp_tls_trust_anchor_file" parameter
or more typically the corresponding per-destination "tafile"
attribute optionally modifies trust chain verification. If the
parameter is not empty the root CAs in CAfile and CApath are
no longer trusted. Rather, the Postfix SMTP client will only
trust certificate-chains signed by one of the trust-anchors
contained in the chosen files. The specified trust-anchor
certificates and public keys are not subject to expiration,
and need not be (self-signed) root CAs. They may, if desired,
be intermediate certificates. Therefore, these certificates
also may be found "in the middle" of the trust chain presented
by the remote SMTP server, and any untrusted issuing parent
certificates will be ignored.
--
Viktor.
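As an added illustration (not part of Viktor's message or of the Postfix documentation he links), here is a main.cf and tls_policy fragment that puts both mechanisms side by side: fingerprint pinning for a self-signed peer, and a per-destination "tafile" trust anchor for a homebrew CA. The hostnames, file paths and the fingerprint value are placeholders; the real fingerprint must be taken from the peer's actual certificate with the openssl command shown in the comments.

```text
# /etc/postfix/main.cf  (placeholders throughout)
#
# Postfix treats "#" as a comment only at the start of a line, so keep
# comments on their own lines; a trailing "# ..." becomes part of the value.
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# Older releases default smtp_tls_fingerprint_digest to md5; set it explicitly.
smtp_tls_fingerprint_digest = sha256
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# /etc/postfix/tls_policy  (run "postmap /etc/postfix/tls_policy" after editing)
#
# Self-signed peer: pin the certificate fingerprint instead of building a
# chain. The value below is a placeholder; obtain the real one with
#   openssl x509 -in peer.pem -noout -fingerprint -sha256
# More than one fingerprint may be listed, separated by "|", so the old and
# new certificate can both be accepted during a rollover.
mail.example.org    fingerprint match=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
#
# Homebrew CA: for this destination only, trust chains anchored in (or
# passing through) the certificate(s) in tafile; smtp_tls_CAfile/CApath are
# not consulted, and the trust anchor itself is not subject to expiration.
# The match= list is the usual name check at the "secure" level.
example.net         secure tafile=/etc/postfix/example-net-ca.pem match=example.net:.example.net
```

The "tafile" attribute is the per-destination form of smtp_tls_trust_anchor_file and, as the message says, needs Postfix 2.11 or later. Because the trust anchor may be an intermediate, the file can hold the homebrew CA's issuing certificate rather than its root; the server's chain then only needs to contain a certificate signed by that anchor, and anything above it in the presented chain is ignored.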