On Sun, Feb 16, 2014 at 10:44:39AM +0100, Remco wrote:
> From smtpd.conf(5) on OpenBSD 5.4:
> (You seem to run CURRENT, which I didn't check, so things might be different
> in your case)
Yes I do. Sorry, running -current comes so naturally to me that I didn't
think about mentioning it.
> You seem to want it the other way around, you want clients that set up an
> encrypted connection to your server to be verified (authenticated) by means
> of their certificate. I'm not aware if this is possible with smtpd, but I've
> never looked into it either.
I am not talking about clients either:
INET --> relay.example.tld --> mail.example.tld
So when relay receives mail for example.tld it will relay the mail via
TLS to mail.example.tld. What I want is to only relay if
mail.example.tld provided me a certificate that I verified to be the one
in question.
So thinking about it I'd say I need the certificate I assume the box
will provide and the CA that signed the certificate but not the key of
the certificate, right? But if I omit the key part I get the
following:
# smtpd -nf /etc/mail/smtpd.conf
fatal: load_pki_tree: missing key file
While this is the corresponding smtpd.conf file:
# $OpenBSD: smtpd.conf,v 1.6 2013/01/26 09:38:25 gilles Exp $
# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.
# To accept external mail, replace with: listen on all
#
pki relay.example.tld certificate "/etc/ssl/relay.example.tld.pem" \
key "/etc/ssl/private/relay.example.tld.key" \
ca "/etc/ssl/sbde-ca.pem"
pki mcs certificate "/etc/ssl/mcs.example.tld.pem"
pki mcs ca "/etc/ssl/sbde-ca.pem"
table aliases db:/etc/mail/aliases.db
table sat db:/etc/mail/sender_access_table.db
listen on lo0
listen on egress tls hostname relay.example.tld
listen on egress port msa tls-require auth <sat> hostname relay.example.tld
accept for local alias <aliases> deliver to mbox
accept from any for domain example.tld relay via tls://mail.example.tld \
hostname relay.example.tld pki mcs verify
accept from local for any relay
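The reasoning above (the relaying side needs the CA certificate that signed the peer's certificate, but not the peer's private key) can be checked outside smtpd with the openssl command-line tool. The script below is an added example and is not part of the original thread or of OpenSMTPD; it builds a throwaway CA in a temporary directory (standing in for /etc/ssl/sbde-ca.pem), issues a leaf certificate for the hostname mail.example.tld, and then verifies that leaf with nothing but the CA certificate and the expected hostname. A second verification against an unrelated CA shows the check failing. The CA names trusted-ca and other-ca are made up for the example; it assumes an openssl binary with -verify_hostname support and does not answer whether smtpd's pki directive itself can be declared without a key.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a throwaway CA and a leaf
# certificate for the hypothetical host mail.example.tld, then shows that the
# relying side needs only the CA certificate (no private key) to verify it.
# Requires the openssl command-line tool.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA; $1 is the output basename (constructed name).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Issue a leaf certificate for hostname $1, signed by CA basename $2, with a
# subjectAltName so that hostname verification can succeed.
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/$1.ext"
    openssl x509 -req -days 1 -in "$WORK/$1.csr" \
        -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
        -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Verify the leaf for hostname $1 against CA basename $2 only. This is all the
# relaying side holds: the CA certificate and the name it expects.
# Prints "ok" or "fail" and returns 0 or 1 accordingly.
verify_peer() {
    if openssl verify -CAfile "$WORK/$2.pem" -verify_hostname "$1" \
            "$WORK/$1.pem" >/dev/null 2>&1; then
        echo ok; return 0
    else
        echo fail; return 1
    fi
}

make_ca trusted-ca
make_ca other-ca
make_leaf mail.example.tld trusted-ca

# Chains to the CA we trust and carries the expected name: succeeds.
verify_peer mail.example.tld trusted-ca
# Same certificate checked against a CA that did not sign it: fails.
verify_peer mail.example.tld other-ca || true
```

Note that the leaf's private key is written only because the CA has to sign a request for it; verify_peer never reads it, which is the point of the exercise.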