Hi,

It seems I need to explicitly add "tls" on the action line to enforce
the tls verification now.

- action "relay-free"     relay host "smtps://[email protected]" auth <secrets>
+ action "relay-free"     relay host "smtps://[email protected]" auth <secrets> tls

I am unsure if the behaviour change was intended or not. If it
persists, it might need some documentation (a current.html entry) for
users to update their configuration (as the TLS session might not be
checked anymore, whereas it was previously).

Thanks.
-- 
Sebastien Marie


On Mon, Feb 14, 2022 at 05:30:41PM +0100, Sebastien Marie wrote:
> Hi,
> 
> After upgrading from
>       OpenBSD 7.0-current (GENERIC.MP) #133: Sat Feb  5 12:11:10 CET 2022
>   to  OpenBSD 7.0-current (GENERIC.MP) #335: Sun Feb 13 16:41:43 MST 2022
> 
> I am seeing smtpd report the smarthost connection (when my local user is
> sending a mail) with:
>   Feb 14 16:58:42 quade smtpd[14803]: 48abc0eafe1f6d7d mta cert-check result="unverified" fingerprint="SHA256:abcxyz"
> Previously, it was:
>   Feb 14 10:31:16 quade smtpd[84045]: 2a0974f82839e80c mta cert-check result="valid" fingerprint="SHA256:abcxyz"
> 
> As it is a smarthost connection (connection with smtps:// to send a
> mail), I am expecting the connection to be verified before sending
> my credentials on the wire.
> 
> In the timeframe, there are two commits:
> - 2022-02-12 3abbdc76 eric     use new libtls signer api
> - 2022-02-10 89818320 millert  Do not verify the cert or CA for a relay using opportunistic TLS.
> 
> If I back out 3abbdc76, I still have result="unverified", and if I
> back out the 2 commits (there are conflicts with only the 89818320 backout),
> I get back a verified connection.
> 
>       commit 89818320f51ce9b89c144087357e3182ba7f3dda
>       from: millert <[email protected]>
>       date: Thu Feb 10 14:59:35 2022 UTC
> 
>       Do not verify the cert or CA for a relay using opportunistic TLS.
>       If a relay is not explicitly configured to use TLS but the remote
>       side supports STARTTLS, we will try to use it.  However, in this
>       case we should not verify the cert or CA (which may be self-signed).
>       This restores the relay behavior before the switch to libtls was made.
>       There is no change if the relay is explicitly configured to use TLS.
>       OK eric@
> 
> 
> The smtpd daemon doesn't accept mail from the internet, but only on
> localhost. The sender mail is used to choose the smarthost used.
> 
> My config is:
> 
> 
> table aliases file:/etc/mail/aliases
> table secrets file:/etc/mail/secrets
> table senders-free      file:/etc/mail/senders-free
> table senders-o2switch  file:/etc/mail/senders-o2switch
> 
> bounce warn-interval 1d
> 
> # listens
> listen on lo0
> 
> # actions
> action "local" mbox alias <aliases>
> action "relay-o2switch" relay host "smtps://[email protected]" auth <secrets>
> action "relay-free"     relay host "smtps://[email protected]" auth <secrets>
> 
> # matches
> match from local for local action "local"
> match from local mail-from <senders-free> for any action "relay-free"
> match from local mail-from <senders-o2switch> for any action "relay-o2switch"
> match for domain "xyz.fr" action "relay-o2switch"
> 
> Thanks.
> -- 
> Sebastien Marie
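
As an added example (not part of the original report and not OpenSMTPD code), a small Python checker that runs over smtpd log lines in the "mta cert-check" format quoted above and lists the sessions whose smarthost certificate check did not come back "valid". The sample lines are constructed from the report's format; session ids and the fingerprint are placeholders.

```python
import re

# Constructed sample lines modelled on the "mta cert-check" output quoted in
# the report. Not a real capture: session ids and fingerprint are placeholders.
SAMPLE_LOG = """\
Feb 14 10:31:16 quade smtpd[84045]: 2a0974f82839e80c mta cert-check result="valid" fingerprint="SHA256:abcxyz"
Feb 14 16:58:42 quade smtpd[14803]: 48abc0eafe1f6d7d mta cert-check result="unverified" fingerprint="SHA256:abcxyz"
Feb 14 16:58:43 quade smtpd[14803]: 48abc0eafe1f6d7d mta tls ciphers=TLSv1.3:TLS_AES_256_GCM_SHA384:256
"""

# syslog timestamp, host, smtpd[pid], 16-hex session id, then the cert-check fields
CERT_CHECK = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) smtpd\[\d+\]: '
    r'(?P<session>[0-9a-f]{16}) mta cert-check '
    r'result="(?P<result>[^"]*)" fingerprint="(?P<fp>[^"]*)"'
)


def parse_cert_checks(log_text):
    """Return one dict per 'mta cert-check' line; other lines are ignored."""
    rows = []
    for line in log_text.splitlines():
        m = CERT_CHECK.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def unverified_sessions(log_text):
    """Sorted session ids whose certificate check was anything but "valid".

    A result such as "unverified" means smtpd continued with the smarthost
    (and the configured auth) without a verified certificate chain, which is
    the condition the report describes for a relay action missing 'tls'.
    """
    return sorted({r["session"] for r in parse_cert_checks(log_text)
                   if r["result"] != "valid"})


if __name__ == "__main__":
    for sid in unverified_sessions(SAMPLE_LOG):
        print(f"session {sid}: smarthost certificate was not verified")
```

Running it against the real /var/log/maillog after the upgrade would show whether every smtps:// relay session still reports result="valid".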
