From 18022f6941ee1dc14042b47d0e42a3e40d76847f Mon Sep 17 00:00:00 2001
From: Antoine Nguyen
Date: Fri, 9 Mar 2018 13:19:21 +0100
Subject: [PATCH] Use CA certs to identify TLS peers.

see https://github.com/modoboa/modoboa/issues/1428
---
 modoboa_installer/scripts/files/postfix/main.cf.tpl | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/modoboa_installer/scripts/files/postfix/main.cf.tpl b/modoboa_installer/scripts/files/postfix/main.cf.tpl
index 093137a..ae57d3c 100644
--- a/modoboa_installer/scripts/files/postfix/main.cf.tpl
+++ b/modoboa_installer/scripts/files/postfix/main.cf.tpl
@@ -39,6 +39,7 @@ proxy_read_maps =
 #
 smtpd_use_tls = yes
 smtpd_tls_auth_only = no
+smtpd_tls_CApath = /etc/ssl/certs
 smtpd_tls_key_file = %tls_key_file
 smtpd_tls_cert_file = %tls_cert_file
 smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
@@ -58,6 +59,7 @@ smtpd_tls_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
 smtpd_tls_eecdh_grade = strong
 # Use TLS if this is supported by the remote SMTP server, otherwise use plaintext.
+smtp_tls_CApath = /etc/ssl/certs
 smtp_tls_security_level = may
 smtp_tls_loglevel = 1
 smtp_tls_exclude_ciphers = EXPORT, LOW
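Review bot: `smtpd_tls_CApath = /etc/ssl/certs` is hard-coded although the key and certificate paths next to it are template variables (`%tls_key_file`, `%tls_cert_file`); the same holds for `smtp_tls_CApath` in the second hunk. Postfix treats a CApath as a hashed certificate directory, so on a host where that directory holds only a bundle file, or where smtpd runs chrooted without a copy of it, no CA would be found and verification would fail without any obvious error. A template variable (placeholder name: `%tls_ca_path`) or the `smtpd_tls_CAfile` / `smtp_tls_CAfile` form would cover those layouts. On the smtpd side the CA store is only consulted when client certificates are requested, and no `smtpd_tls_ask_ccert` line is visible in this hunk, so confirm it is set elsewhere in the template; if it is, note that trusting every system CA for client-certificate decisions is broad.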
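Review bot: The added `smtp_tls_CApath` sits directly above `smtp_tls_security_level = may`, and at that level Postfix delivers whether or not the peer certificate verifies. The CA store therefore changes only how the session is logged (Trusted versus Untrusted); it does not authenticate the peer or stop a downgrade to plaintext. The existing comment covers only the plaintext fallback, so I would add `# CA store only affects Trusted/Untrusted logging at level "may"; peers are not authenticated.` above the new line. Enforcing verification for selected destinations would need `smtp_tls_policy_maps` or a stricter security level, which this commit does not introduce.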