>There is a CA Option in smtpd.conf, for example (CA-ubuntu path)
>
>ca NAME certificate "/etc/ssl/certs/ca-certificates.crt"
Yes - but what I want is the verification of "random" senders (I don't want to reject them - I just want the trace in the headers like I used to get previously). ca doesn't obviously do that - quoting the man page:

    ca hostname certificate cafile
        Associate a custom CA certificate located in cafile with hostname.

If we were using that syntax then what I want would be hostname = * (and I do use the ca keyword for my custom routes). CApath / CAfile (and CRLfile) would normally be where to look up everything non-custom, as used in sendmail & openssl.

Either way - this used to work and it doesn't now. I'm perfectly happy to believe that I need a config file change to get it to work again, but what is wanted isn't obvious to me.

Regards

JC

>
>Regards,
>
>Marcel
>
>
>On 17.05.2016 at 09:47, John Cox wrote:
>> Hi
>>
>> Since I upgraded to OpenBSD 5.9 (I think) I've been getting TLS validation errors in the headers:
>>
>> TLS version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO
>>
>> Prior to the upgrade I would get verify=YES. (I think it was the upgrade to OpenBSD 5.9 and whichever OpenSMTPD that comes with it that did it - it was certainly about that time.)
>>
>> I have now upgraded OpenSMTPD to the current 5.9.2 release and that makes no difference.
>>
>> All logging suggests that cert validation is OK (though I note that I only ever get that message on outgoing lines, and never on incoming).
>>
>> What does OpenSMTPD use as its default cert store - as far as I can tell the .conf lacks CAfile or CApath options?
>>
>> Testing with openssl s_client suggests that my certs are generally in order.
>>
>> Any clues?
>>
>> Many thanks
>>
>> John Cox
>>
>>
>> Log file:
>>
>>
>> May 17 08:26:58 azathoth smtpd[18872]: info: OpenSMTPD 5.9.2 starting
>> May 17 08:27:47 azathoth smtpd[10532]: smtp-in: New session 31086515f45c2260 from host smtp31.cix.co.uk [77.92.64.18]
>> May 17 08:27:48 azathoth smtpd[10532]: smtp-in: Started TLS on session 31086515f45c2260: version=TLSv1, cipher=DHE-RSA-AES256-SHA, bits=256
>> May 17 08:27:48 azathoth smtpd[10532]: smtp-in: Accepted message daa12d76 on session 31086515f45c2260: from=<[email protected]>, to=<[email protected]>, size=793, ndest=1, proto=ESMTP
>> May 17 08:27:48 azathoth smtpd[10532]: smtp-out: Connecting to tls://10.44.0.3:25 (yidhra.outer.uphall.net) on session 3108651f4a1f0980...
>> May 17 08:27:48 azathoth smtpd[10532]: smtp-in: Closing session 31086515f45c2260
>> May 17 08:27:48 azathoth smtpd[10532]: smtp-out: Connected on session 3108651f4a1f0980
>> May 17 08:27:48 azathoth smtpd[10532]: smtp-out: Started TLS on session 3108651f4a1f0980: version=TLSv1.2, cipher=ECDHE-RSA-CHACHA20-POLY1305, bits=256
>> May 17 08:27:48 azathoth smtpd[10532]: smtp-out: Server certificate verification succeeded on session 3108651f4a1f0980
>> May 17 08:27:48 azathoth smtpd[10532]: relay: Ok for daa12d76fa78afb9: session=3108651f4a1f0980, from=<[email protected]>, to=<[email protected]>, rcpt=<->, source=46.235.226.138, relay=10.44.0.3 (yidhra.outer.uphall.net), delay=0s, stat=250 2.0.0: f8f2d286 Message accepted for delivery
>> May 17 08:27:58 azathoth smtpd[10532]: smtp-out: Closing session 3108651f4a1f0980: 1 message sent.
>> #
>>
>>
>> Headers:
>>
>> Return-Path: [email protected]
>> Delivered-To: [email protected]
>> Received: from azathoth.uphall.net (azathoth.uphall.net [46.235.226.138])
>>         by yidhra.outer.uphall.net (OpenSMTPD) with ESMTPS id f8f2d286
>>         TLS version=TLSv1.2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256 verify=NO
>>         for <[email protected]>;
>>         Tue, 17 May 2016 08:27:48 +0100 (BST)
>> Received: from smtp1.cix.co.uk (smtp31.cix.co.uk [77.92.64.18])
>>         by azathoth.uphall.net (OpenSMTPD) with ESMTPS id daa12d76
>>         TLS version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO
>>         for <[email protected]>;
>>         Tue, 17 May 2016 08:27:48 +0100 (BST)
>> Received: (qmail 22491 invoked from network); 17 May 2016 07:27:47 -0000
>> Received: from unknown (HELO Ithaqua.outer.uphall.net) (86.21.189.18)
>>         by smtp1.cix.co.uk with ESMTPS (AES256-SHA encrypted); 17 May 2016 07:27:47 -0000
>> From: John Cox <[email protected]>
>> To: John home Cox <[email protected]>
>> Subject: Incoming 2
>> Date: Tue, 17 May 2016 08:27:47 +0100
>> Message-ID: <[email protected]>
>> User-Agent: ForteAgent/7.10.32.1212
>> MIME-Version: 1.0
>> Content-Type: text/plain; charset=us-ascii
>> Content-Transfer-Encoding: 7bit
>>
>>

--
You received this mail because you are subscribed to [email protected]
To unsubscribe, send a mail to: [email protected]
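The symptom in this thread is a verify=NO trace in the Received: headers rather than a rejected message, so the practical first check is to walk the Received: chain of a delivered mail and list which hops the receiving smtpd recorded as unverified, and which ones negotiated an old protocol version. The Python below is an added example, not code from the thread or from the OpenSMTPD project. The header sample is copied from the message quoted above; the clause it matches (TLS version=... cipher=... bits=... verify=YES|NO) is assumed to be exactly the form those quoted headers show, and hops written by other software (the qmail and cix lines) are reported as carrying no such clause rather than guessed at.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Received: headers copied from the message quoted in this thread (folded
# continuation lines indented, as a mail client would deliver them). The
# Return-Path/Subject lines are kept so the parser has non-Received fields
# to skip over.
SAMPLE_HEADERS = """\
Return-Path: [email protected]
Delivered-To: [email protected]
Received: from azathoth.uphall.net (azathoth.uphall.net [46.235.226.138])
    by yidhra.outer.uphall.net (OpenSMTPD) with ESMTPS id f8f2d286
    TLS version=TLSv1.2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256 verify=NO
    for <[email protected]>;
    Tue, 17 May 2016 08:27:48 +0100 (BST)
Received: from smtp1.cix.co.uk (smtp31.cix.co.uk [77.92.64.18])
    by azathoth.uphall.net (OpenSMTPD) with ESMTPS id daa12d76
    TLS version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO
    for <[email protected]>;
    Tue, 17 May 2016 08:27:48 +0100 (BST)
Received: (qmail 22491 invoked from network); 17 May 2016 07:27:47 -0000
Received: from unknown (HELO Ithaqua.outer.uphall.net) (86.21.189.18)
    by smtp1.cix.co.uk with ESMTPS (AES256-SHA encrypted); 17 May 2016 07:27:47 -0000
Subject: Incoming 2
"""

# The clause OpenSMTPD writes into Received:, in the form the quoted headers
# show. Assumption: the four tokens always appear in this order.
TLS_RE = re.compile(
    r"TLS version=(?P<version>\S+)\s+cipher=(?P<cipher>\S+)"
    r"\s+bits=(?P<bits>\d+)\s+verify=(?P<verify>YES|NO)"
)
FROM_RE = re.compile(r"^from\s+(?P<host>\S+)")
BY_RE = re.compile(r"\bby\s+(?P<host>\S+)")


@dataclass
class Hop:
    received_from: Optional[str]
    received_by: Optional[str]
    tls_version: Optional[str]
    cipher: Optional[str]
    bits: Optional[int]
    verified: Optional[bool]  # None: hop carries no OpenSMTPD TLS clause

    def label(self) -> str:
        return f"{self.received_from} -> {self.received_by}"


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a header block into (name, value) pairs, joining folded lines."""
    fields: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def parse_hops(raw: str) -> List[Hop]:
    """One Hop per Received: header, topmost (most recent) first."""
    hops = []
    for name, value in unfold_headers(raw):
        if name.lower() != "received":
            continue
        tls = TLS_RE.search(value)
        frm = FROM_RE.match(value)
        by = BY_RE.search(value)
        hops.append(Hop(
            received_from=frm.group("host") if frm else None,
            received_by=by.group("host") if by else None,
            tls_version=tls.group("version") if tls else None,
            cipher=tls.group("cipher") if tls else None,
            bits=int(tls.group("bits")) if tls else None,
            verified=(tls.group("verify") == "YES") if tls else None,
        ))
    return hops


def unverified_hops(raw: str) -> List[str]:
    """Hops where the receiving smtpd recorded verify=NO for the connecting peer."""
    return [h.label() for h in parse_hops(raw) if h.verified is False]


def legacy_tls_hops(raw: str) -> List[str]:
    """Hops that negotiated a pre-1.2 protocol version."""
    return [h.label() for h in parse_hops(raw) if h.tls_version in ("TLSv1", "TLSv1.1")]


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE_HEADERS):
        if hop.verified is None:
            print(f"{hop.label()}: no OpenSMTPD TLS clause")
        else:
            status = "verified" if hop.verified else "UNVERIFIED"
            print(f"{hop.label()}: {hop.tls_version} {hop.cipher} ({hop.bits} bits) {status}")
```

Two things worth keeping in mind when reading the output. The Received: line is written by the receiving MTA (the host after "by"), so verify=NO on the yidhra hop is yidhra's verdict on the certificate azathoth presented when it connected; that is a different check from the "smtp-out: Server certificate verification succeeded" line azathoth logged as a client, which is azathoth's verdict on yidhra's server certificate. And the azathoth-from-cix hop shows both verify=NO and TLSv1, so the same walk surfaces which peers are worth chasing for protocol reasons as well as for certificate reasons.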
