Helo
I am switching from postfix to OpenSMTPD (on OpenBSD 5.4).
As asked by Gilles Chehade, here are some remarks.
First test (succeeded): Relay mail for authenticated user with TLS
Here is my smtpd.conf
-------------
table mycreds { monUtilisateur = monUtilisayeur:xxxxx-encrypt-passwd-yyyy }
pki smtp.mondomaine.fr certificate "/etc/ssl/startssl/smtp.mondomaine.fr.crt"
pki smtp.mondomaine.fr key "/etc/ssl/private/server.key"
pki smtp.mondomaine.fr ca "/etc/ssl/startssl/sub.class1.server.ca.pem"
listen on egress port submission tls-require auth <mycreds> tag AUTH hostname smtp.mondomaine.fr pki smtp.mondomaine.fr
table aliases db:/etc/mail/aliases.db
accept for local alias <aliases> deliver to maildir
accept for any relay
--------------
Some remarks from my test:
-1- pki smtp.mondomaine.fr is required (as I discovered before putting it in,
thanks to /usr/sbin/smtpd -n, which replied "smtpd: invalid listen option:
tls/smtps requires pki").
BUT the man page doesn't mention this requirement. I (mis?)understood that
hostname was enough and that pki was used only when using a name different
from the one supplied by hostname.
The man page is very clear about this issue, but for the accept directive,
not the listen!
When relaying, STARTTLS is always attempted if available on remote host and
OpenSMTPD will try to present a certificate matching the outgoing hostname
if one is registered in the pki. If *pki* is specified, the certificate
registered for /pkiname/ is used instead.
-2- On the MUA client side (Thunderbird), I had to choose STARTTLS. A
little bit confusing, because on the server side I chose TLS-REQUIRE, but
on the client side I can't choose SSL/TLS. The rejection message is:
smtp-in: Bad input on session 76aea37c703909c7: 500 Pipelining not supported
-3- I have an S/MIME certificate in my UA, but the CA file is lacking, so I get:
debug: lka: X509 verify: unable to get local issuer certificate
smtp-in: Client certificate verification failed on session 76aea37b26a4f2e2
debug: lka: authenticating for mycreds:phl
smtp-in: Accepted authentication for user phl on session 76aea37b26a4f2e2
Hence, it seems that OpenSMTPD has this undocumented feature that it is
able to authenticate using an X509 certificate. Will give it a try.
BTW I successfully use the undocumented feature auth <mycreds>, a must
for me.
---------------------
I have some little remarks on the man page.
-1-
from [!]*source table*
The rule matches if the connection is made from a client whose address is
declared in the table /table/.
When the word "table" is not a literal, it should be in italics.
-2-
*sender* [*!*]*senders*
If specified, the rule will only be matched if the sender email address is
found in the table /senders/. The table may contain complete email addresses
or apply to an entire domain if prefixed with @.
The same for "senders".
-3-
*deliver to* maildir /path/
Should be
*deliver to* maildir [/path/]
-4- The two relay forms (relay mx and relay via) have most in common. It
should be nice not to have to read the long common explanations twice.
Also the maintainer of the man page did a copy and paste, corrected the
first but not the second:
From relay mx:
If the *source* parameter is specified, smtpd(8) will explicitly bind to an
address found in the table referenced by /source/ when connecting to the
relay. If the table contains more than one address, they are picked in turn
each time a new connection is opened.
GOOD
From relay via:
If the *source* parameter is specified, smtpd(8) will explicitly bind to an
address found in the table referenced by /table/ when connecting to the
relay. If the table contains more than one address, they are picked in turn
each time a new connection is opened.
BAD
--------
Furthermore, I don't understand the discrepancy between "listen" and
"accept ... relay".
In the first you say: "listen ... tls ... pki ... hostname ..."
In the second "accept ... relay ... hostname ... pki ... hostname ..."
--------
BTW my test was forwarding to gmail and I observed 10 messages like this
debug: mta: 0x94b77d35000: no task for relay [relay:gmail.com] mta:
debug: last connection: hanging on for 6s
mta: timeout for session hangon
before the message is successfully sent to gmail. I am probably greylisted!
Ph. Le.
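As an added example (not part of the post above nor OpenSMTPD's own code), a small offline check in OpenSMTPD 5.4 syntax for the pitfall from remark -1-: a listen directive using tls, tls-require or smtps must name a pki entry whose certificate and key are declared, which is what "smtpd -n" complained about. Hostnames and paths in the sample configs are constructed.

```python
# Added example: offline sanity check of smtpd.conf (OpenSMTPD 5.4 syntax) for
# TLS listen directives that omit pki, the mistake the post describes.
import re

TLS_KEYWORDS = {"tls", "tls-require", "smtps"}

def declared_pki(lines):
    """Names of pki entries that declare both a certificate and a key."""
    parts = {}
    for line in lines:
        m = re.match(r"pki\s+(\S+)\s+(certificate|key|ca)\b", line)
        if m:
            parts.setdefault(m.group(1), set()).add(m.group(2))
    return {name for name, p in parts.items() if {"certificate", "key"} <= p}

def check_listen(config):
    """Return one problem string per listen line that 'smtpd -n' would reject."""
    lines = [l.split("#", 1)[0].strip() for l in config.splitlines()]
    complete = declared_pki(lines)
    problems = []
    for line in lines:
        tokens = line.split()
        if not tokens or tokens[0] != "listen" or not TLS_KEYWORDS & set(tokens):
            continue                      # not a TLS listener: pki not required
        if "pki" not in tokens or tokens.index("pki") + 1 == len(tokens):
            problems.append(f"{line}: tls/smtps requires pki")
            continue
        name = tokens[tokens.index("pki") + 1]
        if name not in complete:
            problems.append(f"{line}: pki {name} lacks certificate or key")
    return problems

# Constructed configs: the first reproduces the mistake (hostname given, pki
# omitted); the second is the working form with a complete pki declaration.
BROKEN_CONF = """\
table mycreds { user = user:xxxxx-encrypt-passwd-yyyy }
listen on egress port submission tls-require auth <mycreds> tag AUTH hostname smtp.example.net
accept for any relay
"""
FIXED_CONF = """\
pki smtp.example.net certificate "/etc/ssl/smtp.example.net.crt"
pki smtp.example.net key "/etc/ssl/private/smtp.example.net.key"
listen on egress port submission tls-require auth <mycreds> tag AUTH hostname smtp.example.net pki smtp.example.net
listen on lo0   # plain-text loopback listener, no pki needed
accept for any relay
"""

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, check_listen(conf) or "ok")
```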