On Tue, May 03, 2016 at 02:42:41AM +0200, [email protected] wrote:
> >Synopsis: smtpd.conf man page does not mention "listen [..] ca"
> >Category: system
> >Environment:
>     System      : OpenBSD 5.9
>     Details     : OpenBSD 5.9 (GENERIC) #1761: Fri Feb 26 01:15:04 MST 2016
>
>                   [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC
>
>     Architecture: OpenBSD.amd64
>     Machine     : amd64
> >Description:
>     With the upgrade from 5.8 to 5.9 the way to configure smtpd to
>     use client certificates for authentication has changed. The old
>     way with "pki [..] ca" no longer works, instead it seems that
>     adding a "ca" parameter to the listen directive gets the job done.
>
>     I could not find this documented anywhere in the smtpd.conf man
>     page (the page does not appear to mention the "ca" parameter on
>     "listen" directives at all); adding that information would probably
>     make it easier for others to figure out how to update their old
>     configuration.
> >How-To-Repeat:
>     With 5.8 I had a configuration like:
>
>     pki mypki certificate "/etc/mail/my.crt"
>     pki mypki key "/etc/mail/my.key"
>     pki mypki ca "/etc/mail/ca.crt"
>     listen on all port 587 tls-require verify pki mypki auth-optional tag auth
>
>     This configuration is no longer valid with version 5.9
> >Fix:
>     With version 5.9 I had to adjust the configuration to look like this:
>
>     pki mypki certificate "/etc/mail/my.crt"
>     pki mypki key "/etc/mail/my.key"
>     ca myca certificate "/etc/mail/ca.crt"
>     listen on all port 587 tls-require verify pki mypki auth-optional tag auth \
>         ca myca
>
will take care of this today

--
Gilles Chehade
https://www.poolp.org
@poolpOrg
