Description of problem:
/etc/pki/tls/certs/ca-bundle.crt is being removed in Fedora 44 and as such this line in the default config causes outbound mail to disable tls:
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
I believe smtp_tls_CAfile can be removed altogether as the existing smtp_tls_CApath directive should search the CA certs directory already.
Version-Release number of selected component (if applicable):
3.10.7
How reproducible:
Always
Steps to Reproduce:
1. Install postfix on Fedora 44
Actual results:
Outbound mail either fails altogether or disables tls
Expected results:
Mail should send with tls enabled
For reference: https://fedoraproject.org/wiki/Changes/droppingOfCertPemFile#List_of_affected_Packages
As Dominic proposed, going with the dir option is preferred. It should also be possible to leave this to openssl completely using `SSL_CTX_set_default_verify_paths`, which would be even more preferable if applicable.
Thanks for the info.
FEDORA-2026-6a0a28f481 (postfix-3.11.1-2.fc45) has been submitted as an update to Fedora 45. https://bodhi.fedoraproject.org/updates/FEDORA-2026-6a0a28f481
Please correct me if I'm wrong, but the ca-bundle does not seem to be removed but moved under /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
smtp_tls_CAfile = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
smtp_tls_CApath = /etc/pki/ca-trust/extracted/pem/
Using a single cert bundle file is now considered legacy behaviour for performance reasons. Since smtp_tls_CApath already gives access to all required certificates, there's no advantage and some disadvantage to setting smtp_tls_CAfile to a new path. More details: https://fedoraproject.org/wiki/Changes/droppingOfCertPemFile
Understood! In existing installations, the "smtp_tls_CAfile" option should be set to empty, what about "smtp_tls_CApath", what is the new CA path? Thank you.
smtp_tls_CAfile directive should be removed, smtp_tls_CApath directive remains unchanged from default ( smtp_tls_CApath = /etc/pki/tls/certs )
Thank you for the details. Is it OK if we update existing installations with older Fedora releases (F42, F43) to match this change? Just to be ready?
I'd be surprised if any action is necessary for previous versions of Fedora, unless /etc/pki/tls/certs/ca-bundle.crt is deleted during the upgrade. Perhaps someone else can confirm.
And by that I mean, I think this bug is only relevant to clean installs of Fedora 44.
OK, no worries. I'm managing lots of EL8, EL9, EL10 and Fedora systems, so I'm trying to see how this will affect me in the future. For example, if this change passes down to EL10.xx or if it becomes the default for an EL11 release.
smtp_tls_CAfile is in the process of being removed from future installations of the postfix package. But yeah, check if /etc/pki/tls/certs exists and point smtp_tls_CApath to it if you want to be ahead of the curve.
... and then delete the smtp_tls_CAfile directive.
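The check suggested in the two comments above, as an added example that is not part of the original thread: it reads a main.cf, reports whether smtp_tls_CAfile names a file that no longer exists, and whether smtp_tls_CApath is a usable directory. The function names, the ROOT prefix argument and the sample tree are assumptions made for illustration, and an unset parameter is treated as empty.

```shell
#!/bin/sh
# Added example; the sample tree below is constructed, not a real system.

# Print the last value assigned to a parameter in a main.cf file.
# Simplification: continuation lines and $name expansion are not handled.
main_cf_get() (
    sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1 |
        sed 's/[[:space:]]*$//'
)

# audit_postfix_ca MAIN_CF [ROOT]  (ROOT: hypothetical prefix for test trees)
# Prints one verdict:
#   stale-cafile  smtp_tls_CAfile names a file that is missing or unreadable
#   no-capath     no CAfile, and smtp_tls_CApath is unset or not a directory
#   ok            the configured trust anchors are reachable
audit_postfix_ca() (
    cf=$1 root=${2:-}
    cafile=$(main_cf_get smtp_tls_CAfile "$cf")
    capath=$(main_cf_get smtp_tls_CApath "$cf")
    if [ -n "$cafile" ] && [ ! -r "$root$cafile" ]; then
        echo stale-cafile
    elif [ -z "$cafile" ] && { [ -z "$capath" ] || [ ! -d "$root$capath" ]; }; then
        echo no-capath
    else
        echo ok
    fi
)

# Constructed sample: the bundle file is gone, the CA directory remains.
make_sample_tree() (
    t=$(mktemp -d)
    mkdir -p "$t/etc/pki/tls/certs" "$t/etc/postfix"
    printf '%s\n' 'smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt' \
        'smtp_tls_CApath = /etc/pki/tls/certs' > "$t/etc/postfix/before.cf"
    printf '%s\n' '#smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt' \
        'smtp_tls_CApath = /etc/pki/tls/certs' > "$t/etc/postfix/after.cf"
    echo "$t"
)

tree=$(make_sample_tree)
audit_postfix_ca "$tree/etc/postfix/before.cf" "$tree"   # directive still set
audit_postfix_ca "$tree/etc/postfix/after.cf" "$tree"    # directive removed
rm -rf "$tree"
```

On a live host the values Postfix actually uses can be read with `postconf -h smtp_tls_CAfile smtp_tls_CApath` instead of parsing the file.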
Very clear! Thank you.
FEDORA-2026-79429423df (postfix-3.11.2-1.fc45) has been submitted as an update to Fedora 45. https://bodhi.fedoraproject.org/updates/FEDORA-2026-79429423df
(In reply to Dominic from comment #9)
> I'd be surprised if any action is necessary for previous versions of Fedora,
> unless /etc/pki/tls/certs/ca-bundle.crt is deleted during the upgrade.
>
> Perhaps someone else can confirm.
I upgraded two F43 systems to F44 (using dnf) and /etc/pki/tls/certs/ca-bundle.crt is gone afterwards. At first I changed smtp_tls_CAfile to /etc/ssl/certs/ca-bundle.crt, but just disabling this option also works, as smtp_tls_CApath is set to /etc/pki/tls/certs by default.
It's been almost a month since the maintainer submitted an update to remove smtp_tls_CAfile from the postfix config, but it's not even in Rawhide yet.
Checking where it got stuck, probably some CI failure.
It seems the CI failed due to bug in ncat :)
(In reply to Jaroslav Škarvada from comment #19)
> It seems the CI failed due to bug in ncat :)
https://bugzilla.redhat.com/show_bug.cgi?id=2466767
I waived the CI and pushed the F45 update manually in: https://bodhi.fedoraproject.org/updates/FEDORA-2026-79429423df
I will also handle F44.
FEDORA-2026-79429423df (postfix-3.11.2-1.fc45) has been pushed to the Fedora 45 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2026-d5eecc1ad3 (postfix-3.10.7-4.fc44) has been submitted as an update to Fedora 44. https://bodhi.fedoraproject.org/updates/FEDORA-2026-d5eecc1ad3
FEDORA-2026-d5eecc1ad3 has been pushed to the Fedora 44 testing repository. Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-d5eecc1ad3`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-d5eecc1ad3
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2026-d5eecc1ad3 (postfix-3.10.7-4.fc44) has been pushed to the Fedora 44 stable repository. If problem still persists, please make note of it in this bug report.