Hm, funny. I wasn't able to reproduce it on my side either:

# touch /etc/ssl/foo{pem,key}
# chmod 0600 /etc/ssl/foo{pem,key}
# grep foo /etc/mail/smtpd.conf
pki foo certificate "/etc/ssl/foo.pem"
pki foo key "/etc/ssl/foo.key"
pki foo ca "/etc/ssl/sbde-ca.pem"
# smtpd -nf /etc/mail/smtpd.conf
fatal: load_pki_tree: failed to load certificate file
# vim /etc/mail/smtpd.conf
# smtpd -nf /etc/mail/smtpd.conf
fatal: load_pki_tree: failed to load certificate file
#

Looks like I had something fishy in my config other than the empty
certs. But I am still wondering about how the verify works and I
wasn't able to get the info from the mta.c code so far.

I have the following accept rule:

  accept from any for domain example.tld \
      relay via tls://mail.example.tld \
      hostname relay.example.tld pki mail verify

AFAICT this means that I have to setup a pki mail:

  pki mail certificate "/etc/ssl/cert.pem" \
        key "/etc/ssl/private/key.pem" \
        ca "/etc/ssl/ca.pem"

Because with just the ca smtpd will complain about the missing
certificate and without the key it will complain about the missing key.
Shouldn't it be enough to have the certificate and the CA?

I also tested with a different certificate in my "mail" pki than what
is actually being provided by mail.example.tld itself:

  # openssl x509 -noout -fingerprint -in /etc/ssl/cert.pem
  SHA1 Fingerprint=35:F2:EE:4C:E7:01:FC:FD:42:7A:5C:7C:A7:06:60:FE:C2:8F:37:F6

compared to:

  # openssl s_client -connect mail.example.tld:25 -starttls smtp </dev/null |\
      openssl x509 -noout -fingerprint
  SHA1 Fingerprint=D4:B8:5B:A0:32:70:A6:CB:B6:6B:05:2D:83:79:41:43:32:C3:C5:E3

but I still got a:

smtp-out: Server certificate verification succeeded on session 1cc9cff7599dd0f3

I expected that the verify would fail. Gilles, can you go into more detail
on how the verify works and what it needs to do the job?

Thanks,
    Frank.

-- 
Frank Brodbeck <[email protected]>
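Independently of smtpd, the two properties the mail above is comparing, whether the certificate a server presents after STARTTLS chains to the CA named in the pki block and whether it matches a local copy, can be checked with openssl. The following is an added example (not code from the thread or from OpenSMTPD); it assumes openssl(1) is installed, and `make_demo_certs` builds constructed throwaway certificates so the check runs offline.

```shell
#!/bin/sh
# sha256 fingerprint of a PEM certificate, value only
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# check_server_cert CA_PEM EXPECTED_PEM SERVED_PEM
# Prints one line per check and returns 0 only if the served certificate
# chains to CA_PEM and has the same fingerprint as EXPECTED_PEM.
check_server_cert() {
    ca=$1; expected=$2; served=$3
    rc=0
    if openssl verify -CAfile "$ca" "$served" >/dev/null 2>&1; then
        echo chain-ok
    else
        echo chain-fail; rc=1
    fi
    if [ "$(fingerprint "$expected")" = "$(fingerprint "$served")" ]; then
        echo fp-match
    else
        echo fp-mismatch; rc=1
    fi
    return $rc
}

# fetch_smtp_cert HOST [PORT]: capture the certificate presented after
# STARTTLS, the same way the mail above does it (needs network access).
fetch_smtp_cert() {
    openssl s_client -connect "$1:${2:-25}" -starttls smtp </dev/null 2>/dev/null \
        | openssl x509
}

# Constructed test material (hypothetical names): one throwaway CA and two
# distinct leaf certificates for the same CN, both signed by that CA.
make_demo_certs() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=demo-ca" -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    for name in local served; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.tld" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" \
            -CAkey "$dir/ca.key" -CAcreateserial -days 1 \
            -out "$dir/$name.pem" >/dev/null 2>&1
    done
}
```

With real files, `fetch_smtp_cert mail.example.tld > served.pem` followed by `check_server_cert /etc/ssl/ca.pem /etc/ssl/cert.pem served.pem` separates the "chains to the CA" question from the "is the same certificate" question, which the single fingerprint comparison above does not.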
