Hi,

After upgrading from
        OpenBSD 7.0-current (GENERIC.MP) #133: Sat Feb  5 12:11:10 CET 2022
  to    OpenBSD 7.0-current (GENERIC.MP) #335: Sun Feb 13 16:41:43 MST 2022

I am seeing smtpd report the smarthost connection (when my local user is sending
a mail) with:
  Feb 14 16:58:42 quade smtpd[14803]: 48abc0eafe1f6d7d mta cert-check result="unverified" fingerprint="SHA256:abcxyz"
Previously, it was:
  Feb 14 10:31:16 quade smtpd[84045]: 2a0974f82839e80c mta cert-check result="valid" fingerprint="SHA256:abcxyz"

As it is a smarthost connection (connection with smtps:// to send a
mail), I am expecting the connection to be verified before sending
my credentials on the wire.

In that timeframe, there are two commits:
- 2022-02-12 3abbdc76 eric     use new libtls signer api
- 2022-02-10 89818320 millert  Do not verify the cert or CA for a relay using opportunistic TLS.

If I back out 3abbdc76, I still have result="unverified", and if I
back out both commits (there are conflicts when backing out only 89818320),
I get the verified connection back.

        commit 89818320f51ce9b89c144087357e3182ba7f3dda
        from: millert <[email protected]>
        date: Thu Feb 10 14:59:35 2022 UTC

        Do not verify the cert or CA for a relay using opportunistic TLS.
        If a relay is not explicitly configured to use TLS but the remote
        side supports STARTTLS, we will try to use it.  However, in this
        case we should not verify the cert or CA (which may be self-signed).
        This restores the relay behavior before the switch to libtls was made.
        There is no change if the relay is explicitly configured to use TLS.
        OK eric@


The smtpd daemon doesn't accept mail from the internet, only on
localhost. The sender mail address is used to choose the smarthost.

My config is:

table aliases file:/etc/mail/aliases
table secrets file:/etc/mail/secrets
table senders-free      file:/etc/mail/senders-free
table senders-o2switch  file:/etc/mail/senders-o2switch

bounce warn-interval 1d

# listens
listen on lo0

# actions
action "local" mbox alias <aliases>
action "relay-o2switch" relay host "smtps://[email protected]" auth <secrets>
action "relay-free"     relay host "smtps://[email protected]" auth <secrets>

# matches
match from local for local action "local"
match from local mail-from <senders-free> for any action "relay-free"
match from local mail-from <senders-o2switch> for any action "relay-o2switch"
match for domain "xyz.fr" action "relay-o2switch"

Thanks.
-- 
Sebastien Marie
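The concern in the report is that credentials for a smtps:// smarthost go out over a session whose certificate smtpd logged as "unverified". An operator can watch for exactly that from the logs. The following is an added example, not part of the report or of OpenSMTPD: it parses the `mta cert-check result="..." fingerprint="..."` line shape shown above and flags sessions whose result is not "valid" or whose fingerprint is not one pinned for a known smarthost. The sample log lines, the session ids, the `SHA256:abcxyz` fingerprint and the `PINNED` table are constructed placeholders.

```python
#!/usr/bin/env python3
"""Audit OpenSMTPD 'mta cert-check' log lines for unverified smarthost sessions.

Added example; the line format follows the report above. All sample data,
session ids and fingerprints below are constructed placeholders.
"""
import re
from typing import Dict, List

# Matches e.g.:
#   Feb 14 16:58:42 quade smtpd[14803]: 48abc0eafe1f6d7d mta cert-check result="unverified" fingerprint="SHA256:abcxyz"
CERT_CHECK_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) smtpd\[(?P<pid>\d+)\]: '
    r'(?P<session>[0-9a-f]{16}) mta cert-check '
    r'result="(?P<result>[^"]*)" fingerprint="(?P<fp>[^"]*)"$'
)

# Constructed sample: a verified session, an unverified one, and a session that
# was verified by the CA chain but presents a fingerprint we never pinned.
SAMPLE_LOG = """\
Feb 14 10:31:16 quade smtpd[84045]: 2a0974f82839e80c mta cert-check result="valid" fingerprint="SHA256:abcxyz"
Feb 14 10:31:16 quade smtpd[84045]: 2a0974f82839e80c mta connected
Feb 14 16:58:42 quade smtpd[14803]: 48abc0eafe1f6d7d mta cert-check result="unverified" fingerprint="SHA256:abcxyz"
Feb 14 17:02:09 quade smtpd[14803]: 0123456789abcdef mta cert-check result="valid" fingerprint="SHA256:zzzzzz"
"""

# Constructed pin table: fingerprint as smtpd prints it -> label of the relay
# action it belongs to (hypothetical values).
PINNED: Dict[str, str] = {"SHA256:abcxyz": "relay-free"}


def parse_cert_checks(log_text: str) -> List[Dict[str, str]]:
    """Return one dict per cert-check line; unrelated smtpd lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = CERT_CHECK_RE.match(line.rstrip())
        if m:
            records.append(m.groupdict())
    return records


def audit(log_text: str, pinned: Dict[str, str]) -> List[Dict[str, str]]:
    """Flag sessions that should not have carried smarthost credentials.

    A session is reported when the certificate was not verified against the
    CA chain (result != "valid"), or when the presented fingerprint is not in
    the pin table. Either one deserves a look before trusting the relay.
    """
    findings = []
    for rec in parse_cert_checks(log_text):
        reasons = []
        if rec["result"] != "valid":
            reasons.append("result=" + rec["result"])
        if rec["fp"] not in pinned:
            reasons.append("fingerprint not pinned")
        if reasons:
            findings.append({
                "ts": rec["ts"],
                "session": rec["session"],
                "fingerprint": rec["fp"],
                "reasons": "; ".join(reasons),
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, PINNED):
        print(f'{f["ts"]} session={f["session"]} fp={f["fingerprint"]}: {f["reasons"]}')
```

Run against `/var/log/maillog` in place of `SAMPLE_LOG`; on the report's second build it would flag the `48abc0eafe1f6d7d` session even though the fingerprint is the expected one, which is the condition the reporter wants surfaced before credentials are sent.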
