That worked. I spent quite a bit of time trying to get it working.
Thank you both for your replies!
On 3/10/2018 10:20 AM, Robert Cameron wrote:
> On Sat, 2018-03-10 at 09:13 -0600, g p wrote:
>> I have three domains and have created my own certificates for them but I
>> cannot get OpenSMTPD to work with all of them, just one.
>
> I too use OpenSMTPd with 3 different certificates, so perhaps portions
> of my config might work.
>> # pki setup
>> pki mail.garybainbridge.email certificate "/etc/ssl/mail.garybainbridge.email.crt"
>> pki mail.garybainbridge.email key "/etc/ssl/private/mail.garybainbridge.email.key"
>> pki mail.domain2.com certificate "/etc/ssl/mail.domain2.com.crt"
>> pki mail.domain2.com key "/etc/ssl/private/mail.domain2.com.key"
>> pki mail.domain3.com certificate "/etc/ssl/mail.domain3.com.crt"
>> pki mail.domain3.com key "/etc/ssl/private/mail.domain3.com.key"
> Mine is set up the same way (although my domains are different ;-)
>
>> # listen ports setup
>> listen on lo0
>> listen on egress port 25
>> listen on egress port 587 tls-require pki mail.garybainbridge.email auth <secrets>
> I think this is where we diverge.
>
> listen on egress port 25 tls auth-optional <credentials> hostname mail.domain.com
> listen on egress port 587 tls-require auth <credentials> hostname mail.domain.com
>
> Originally I had problems with figuring out how to serve multiple
> certificates. I believe that using the 'hostname' keyword sends that
> particular domain's certificates by default. However, if the client
> connects using a different hostname, smtpd will present the certificate
> for the specified domain.
>> Everything works great like this, except if I try to connect with
>> Thunderbird without a pki.
>>
>> For example, if I try to retrieve emails via IMAP with Thunderbird it
>> works for garybainbridge.mail, but not for domain2.com and user info. In
>> /var/log/maillog it shows "reason=ca-failure" and I can't add another
>> line such as: "listen on egress port 587 tls-require pki
>> mail.domain2.com auth <secrets>" because it doesn't work.
>>
>> If I just use "listen on egress port 587 tls-require" then I can't get
>> Thunderbird to work because I get "reason=ca-failure".
>>
>> How can I get it working with multiple domains and certificates?
>
> This is what works for me, but your mileage may vary. (Also, the
> default domain I have specified with the 'hostname' keyword is not the
> domain most frequently used by users connecting to this host.)
>
> --
> Robert Cameron
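The thread turns on two consistency requirements in smtpd.conf: every `pki` name needs both a certificate and a key, and every TLS listener's `pki` or `hostname` keyword must name a `pki` entry that actually exists, otherwise smtpd has no certificate to present for that name and the client sees a TLS failure like the "reason=ca-failure" above. The following is an added example, not code from the thread or from the OpenSMTPD project: a small Python lint that parses those two directive types and reports mismatches. The sample configuration embedded in it is constructed for the example (it reuses the domain names from the thread and deliberately omits one key line and references one undefined pki name); the listener keywords it recognises (`tls`, `tls-require`, `smtps`, `pki`, `hostname`) are the ones that appear in smtpd.conf(5).

```python
"""Added example (not from the mailing-list thread): lint the pki / listen
lines of an OpenSMTPD smtpd.conf for the two mistakes discussed there.

  1. a `pki NAME` that lacks a certificate or a key
  2. a TLS listener whose `pki NAME` / `hostname NAME` refers to a pki
     name that is never defined
The configuration text below is constructed for this example.
"""
import shlex
from collections import defaultdict

# Constructed sample: one pki entry is missing its key, and the smtps
# listener references a pki name that is never defined.
SAMPLE_CONF = """\
# pki setup
pki mail.garybainbridge.email certificate "/etc/ssl/mail.garybainbridge.email.crt"
pki mail.garybainbridge.email key "/etc/ssl/private/mail.garybainbridge.email.key"
pki mail.domain2.com certificate "/etc/ssl/mail.domain2.com.crt"
pki mail.domain2.com key "/etc/ssl/private/mail.domain2.com.key"
pki mail.domain3.com certificate "/etc/ssl/mail.domain3.com.crt"
# (constructed defect) no key line for mail.domain3.com

# listen ports setup
listen on lo0
listen on egress port 25 tls auth-optional <credentials> hostname mail.domain2.com
listen on egress port 587 tls-require auth <credentials> hostname mail.domain2.com
listen on egress port 465 smtps pki mail.domain4.com auth <credentials>
"""

# Constructed sample mirroring the working layout from the thread: every
# listener's hostname matches a fully defined pki entry.
WORKING_CONF = """\
pki mail.domain2.com certificate "/etc/ssl/mail.domain2.com.crt"
pki mail.domain2.com key "/etc/ssl/private/mail.domain2.com.key"
listen on lo0
listen on egress port 25 tls auth-optional <credentials> hostname mail.domain2.com
listen on egress port 587 tls-require auth <credentials> hostname mail.domain2.com
"""

TLS_KEYWORDS = ("tls", "tls-require", "smtps")


def parse_conf(text):
    """Return (pki, listens): pki maps name -> {'certificate': path, 'key': path},
    listens is the token list of every `listen` line."""
    pki = defaultdict(dict)
    listens = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = shlex.split(line)  # honours the quoted file paths
        if tokens[0] == "pki" and len(tokens) >= 4:
            name, field, value = tokens[1], tokens[2], tokens[3]
            pki[name][field] = value
        elif tokens[0] == "listen":
            listens.append(tokens)
    return dict(pki), listens


def lint(text):
    """Return a list of findings; an empty list means the config is consistent."""
    pki, listens = parse_conf(text)
    findings = []
    for name, fields in pki.items():
        for field in ("certificate", "key"):
            if field not in fields:
                findings.append(f"pki {name}: missing {field}")
    for tokens in listens:
        # Only listeners that offer TLS need a certificate.
        if not any(t in TLS_KEYWORDS for t in tokens):
            continue
        ref = None
        for keyword in ("pki", "hostname"):
            if keyword in tokens and tokens.index(keyword) + 1 < len(tokens):
                ref = tokens[tokens.index(keyword) + 1]
                break
        if ref is None:
            findings.append("listen " + " ".join(tokens[1:]) +
                            ": TLS listener without an explicit pki or hostname")
        elif ref not in pki:
            findings.append(f"listen: references undefined pki '{ref}'")
    return findings


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_CONF), ("working", WORKING_CONF)):
        print(f"{label}: {lint(conf) or 'no findings'}")
```

Run against the constructed sample the lint reports the missing key for mail.domain3.com and the undefined pki on the port 465 listener, and reports nothing for the layout that works in the thread. After fixing the file, the certificate actually presented per name can be confirmed from a client with `openssl s_client -connect host:587 -starttls smtp -servername mail.domain2.com` and comparing the subject of the returned certificate with the expected one.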
--
You received this mail because you are subscribed to [email protected]
To unsubscribe, send a mail to: [email protected]