From: "Matthias Andree" on
Greetings,

I haven't checked if it's a flaw in my configuration, but anyway, for the
record:

openSUSE 11.3 does not seem to automatically set up the TLS certs for the
chroot if you have smtp_tls_CApath set, but not smtpd_tls_CApath (note the
d in smtp vs. smtpd).

I needed to do this to get my SMTP client to work again:

sudo c_rehash /etc/ssl/certs/ # just to be on the safe side
sudo rsync -av /etc/ssl/certs/ /var/spool/postfix/etc/ssl/certs --del --copy-unsafe-links -H

Note that smtpd_tls_CApath would call rsync -avH, which would copy
symlinks verbatim into the chroot, which get broken along the way because
there is no /usr/share/ca-certificates inside the Postfix chroot (this is
a fault in SuSEconfig.postfix).

Note that SUSE /etc/ssl/certs .pem files are actually symlinks to
/usr/share/ca-certificates/mozilla/... managed by update-ca-certificates,
hence the copy-unsafe-links.

I don't currently have time to do a formal bug report against
SuSEconfig.postfix, and I'm unsure if they or I care enough. Perhaps
Carsten Höger reads this?

Best

--
Matthias Andree
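
A check for the failure described in this message, added here as an example that is not part of the original thread: a link inside the chroot that points at an absolute path still resolves when tested from the host, so each target has to be re-rooted under the chroot before testing it. The function names are hypothetical, the paths in the usage comment are the ones from the message, and the sketch assumes the directories along each path are real directories and that relative targets do not climb above the chroot root.

```shell
#!/bin/sh
# Added example: list CA links that dangle when seen from inside a chroot.

# resolves_in_chroot CHROOT PATH
# PATH is absolute as seen from inside the chroot. Exit status 0 if following
# symlinks relative to CHROOT ends at a regular file, 1 otherwise.
resolves_in_chroot() {
    root=$1 path=$2 depth=0
    while [ "$depth" -lt 16 ]; do
        if [ -L "$root$path" ]; then
            target=$(readlink "$root$path")
            case $target in
                /*) path=$target ;;                     # absolute: re-root under chroot
                *)  path=$(dirname "$path")/$target ;;  # relative: beside the link
            esac
            depth=$((depth + 1))
        else
            [ -f "$root$path" ]
            return
        fi
    done
    return 1  # too many levels of symlinks
}

# dangling_ca_links CHROOT CAPATH
# Prints the name of every symlink in CAPATH that is broken inside CHROOT,
# including c_rehash hash links that point at a broken .pem link.
dangling_ca_links() {
    chroot_dir=$1 capath=$2
    for entry in "$chroot_dir$capath"/*; do
        [ -L "$entry" ] || continue
        resolves_in_chroot "$chroot_dir" "$capath/$(basename "$entry")" ||
            printf '%s\n' "$(basename "$entry")"
    done
}

# Usage: sh check.sh /var/spool/postfix /etc/ssl/certs
if [ "$#" -eq 2 ]; then
    dangling_ca_links "$1" "$2"
fi
```

Empty output means every link in the chroot's CA directory ends at a file the chrooted process can read.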

From: Carsten Hoeger on
On Fri, Jul 23, Matthias Andree wrote:

> Greetings,
>
> I haven't checked if it's a flaw in my configuration, but anyway,
> for the record:
>
> openSUSE 11.3 does not seem to automatically set up the TLS certs
> for the chroot if you have smtp_tls_CApath set, but not
> smtpd_tls_CApath (note the d in smtp vs. smtpd).
>
> I needed to do this to get my SMTP client to work again:
>
> sudo c_rehash /etc/ssl/certs/ # just to be on the safe side
> sudo rsync -av /etc/ssl/certs/ /var/spool/postfix/etc/ssl/certs --del --copy-unsafe-links -H
>
> Note that smtpd_tls_CApath would call rsync -avH, which would copy
> symlinks verbatim into the chroot, which get broken along the way
> because there is no /usr/share/ca-certificates inside the Postfix
> chroot (this is a fault in SuSEconfig.postfix).
>
> Note that SUSE /etc/ssl/certs .pem files are actually symlinks to
> /usr/share/ca-certificates/mozilla/... managed by
> update-ca-certificates, hence the copy-unsafe-links.
>
> I don't currently have time to do a formal bug report against
> SuSEconfig.postfix, and I'm unsure if they or I care enough. Perhaps
> Carsten Höger reads this?

Although I am reading this, I am sorry to say that this is no longer my
business. I suggest opening a bug at https://bugzilla.novell.com


--
With best regards,

Carsten Hoeger