On Sun, May 10, 2015 at 07:34:43PM +0200, Gilles Chehade wrote:
> On Sat, May 09, 2015 at 11:21:55AM -0700, Seth wrote:
> >
> > I installed the latest snapshot and restarted the service and now relay
> > connections from my public server to local LAN server are failing with "SSL
> > certificate check failed" errors.
> >
> > I can provide the smtpd -dv output off-list on request.
> >
>
> Yes please, send me -dv output.
>
I have spotted a logic error which explains your issue.
Without this, you cannot fall back to the default CA, you have to declare
your CA explicitly.
Can you apply the following diff?

diff --git a/smtpd/lka.c b/smtpd/lka.c
index 31b7176..b621e10 100644
--- a/smtpd/lka.c
+++ b/smtpd/lka.c
@@ -689,7 +689,10 @@ lka_certificate_verify_resume(enum imsg_type type, struct
ca_vrfy_req_msg *req)
if (req->fallback)
sca = dict_get(env->sc_ca_dict, "*");
cafile = sca ? sca->ca_cert_file : CA_FILE;
- if (sca == NULL || ! lka_X509_verify(req, cafile, NULL))
+
+ if (sca == NULL && !req->fallback)
+ resp.status = CA_FAIL;
+ else if (! lka_X509_verify(req, cafile, NULL))
resp.status = CA_FAIL;
else
resp.status = CA_OK;
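
Review bot: the new `if (sca == NULL && !req->fallback)` branch and the `else if (! lka_X509_verify(req, cafile, NULL))` branch both assign `resp.status = CA_FAIL`, so they can be folded into one condition, `(sca == NULL && !req->fallback) || !lka_X509_verify(req, cafile, NULL)`, which keeps a single failure path. The added lines also deserve a short comment stating that when `req->fallback` is set and `dict_get(env->sc_ca_dict, "*")` returns NULL, verification proceeds against `CA_FILE`. That choice of trust anchor is the whole point of the change and is only implied by the `cafile = sca ? sca->ca_cert_file : CA_FILE;` line above it.
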
--
Gilles Chehade
https://www.poolp.org @poolpOrg