On Sat, 09 May 2015 07:37:13 -0700, Gilles Chehade <[email protected]> wrote:
Hi,
We are preparing the upcoming major release and there have been some invasive
updates since the latest snapshot.
In particular these 3 parts require HEAVY testing:
- smtp and mta TLS setup can never be concurrent anymore, simplify lka
- turn the lka certificate verification into an async operation
The TLS code used to be duplicated between the incoming and outgoing paths; I
have factored it so the same code is used to validate the client certificate
in the incoming path and the server certificate in the outgoing path.
I have been running with this for a while but we could use some feedback
that you don't observe regressions when accepting mail over TLS, or when
relaying over TLS.
I installed the latest snapshot and restarted the service, and now relay
connections from my public server to my local LAN server are failing with
"SSL certificate check failed" errors.
I can provide the smtpd -dv output off-list on request.
/etc/mail/smtpd.conf
--------------------------------------------------------------------------------------------------
pki mx.sysfu.com certificate "/etc/mail/tls/mx_sysfu_com.crt"
pki mx.sysfu.com key "/etc/mail/tls/mx_sysfu_com.key"
limit mta inet4
listen on lo0 inet4
listen on egress inet4 tls-require pki mx.sysfu.com auth-optional hostname mx.sysfu.com mask-source
listen on egress inet4 port 587 tls-require pki mx.sysfu.com auth-optional tag SYSFU_OUT
bounce-warn 1d
table trusted-relays "/etc/mail/trusted-relays"
table enforce-tls "/etc/mail/enforce-tls"
# incoming mail destined for users is relayed back to home mail server
accept from any for domain { sysfu.com mx.sysfu.com } relay via tls://mail.dvllc.co verify
accept from source <trusted-relays> for domain <enforce-tls> relay tls verify # require STARTTLS
accept from source <trusted-relays> for any relay
accept from local for any relay
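Both relay rules that carry the verify keyword ask smtpd to validate the remote server's certificate (trusted CA chain plus a name that matches the host it connected to), so a self-signed or mismatched certificate on the LAN server is the usual cause of "SSL certificate check failed". The script below is an added diagnostic, not part of this thread or of OpenSMTPD: it picks out the accept rules that verify, using a rejoined copy of the smtpd.conf above as constructed sample input, and then performs an equivalent STARTTLS check with Python's default verifying SSL context (system CA bundle unless cafile is given) so the failure can be reproduced and explained outside the daemon. The function and variable names are this example's own.

```python
import re
import smtplib
import ssl
import sys

# Constructed sample input: the relay rules from the smtpd.conf in this thread
# with the mail-wrapped lines rejoined.
SAMPLE_CONF = """\
accept from any for domain { sysfu.com mx.sysfu.com } relay via tls://mail.dvllc.co verify
accept from source <trusted-relays> for domain <enforce-tls> relay tls verify # require STARTTLS
accept from source <trusted-relays> for any relay
accept from local for any relay
"""

# Matches "relay", an optional "via <url>", an optional "tls", and an optional
# trailing "verify" keyword.
RELAY_RE = re.compile(
    r"\brelay\b(?:\s+via\s+(?P<via>\S+))?(?:\s+tls\b)?(?P<verify>\s+verify\b)?"
)


def verifying_relay_rules(conf_text):
    """Return [(rule, relay_host)] for every accept rule that relays with
    `verify`, i.e. every rule for which the server certificate is checked.

    relay_host is taken from `relay via <scheme>://[label@]host[:port]`,
    or None when the rule relays to the destination's MX (`relay tls verify`).
    """
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line.startswith("accept"):
            continue
        m = RELAY_RE.search(line)
        if not m or not m.group("verify"):
            continue
        host = None
        via = m.group("via")
        if via:
            host = re.sub(r"^[a-z+]+://", "", via)  # strip tls:// etc.
            host = host.split("@")[-1].split(":")[0]  # drop label@ and :port
        rules.append((line, host))
    return rules


def check_relay_certificate(host, port=25, cafile=None, timeout=10):
    """Open a STARTTLS session to host and report whether its certificate
    chains to a trusted CA and matches the hostname, as a verifying relay
    requires.  Needs network access, so the offline test does not call it.
    """
    # CERT_REQUIRED and check_hostname are both on in the default context.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)  # raises if chain or name check fails
            cert = smtp.sock.getpeercert()
            subject = dict(rdn[0] for rdn in cert.get("subject", ()))
            return {"ok": True, "subject": subject,
                    "notAfter": cert.get("notAfter")}
    except ssl.SSLCertVerificationError as exc:
        # e.g. "self signed certificate" or "Hostname mismatch"
        return {"ok": False, "error": exc.verify_message}
    except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    # usage: python check_relay_tls.py [/path/to/smtpd.conf] [cafile]
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    cafile = sys.argv[2] if len(sys.argv) > 2 else None
    for rule, host in verifying_relay_rules(conf):
        print("rule:", rule)
        if host is None:
            print("  -> verifies the destination MX certificate (no fixed host)")
            continue
        result = check_relay_certificate(host, cafile=cafile)
        print("  ->", host, "OK" if result["ok"] else "FAILED:", result)
```

Run it against the real smtpd.conf to see which rules verify, and pass the CA file that signed the LAN server's certificate as the second argument; if the check only succeeds with that file, the public server's system CA bundle is missing that CA, and if it fails with a hostname mismatch, the certificate on mail.dvllc.co does not carry that name.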