On Sat, 2018-03-10 at 09:13 -0600, g p wrote:
> I have three domains and have created my own certificates for them but I
> cannot get OpenSMTPD to work with all of them, just one.

I too use OpenSMTPd with 3 different certificates, so perhaps portions
of my config might work.

> # pki setup
> pki mail.garybainbridge.email certificate "/etc/ssl/mail.garybainbridge.email.crt"
> pki mail.garybainbridge.email key "/etc/ssl/private/mail.garybainbridge.email.key"
> pki mail.domain2.com certificate "/etc/ssl/mail.domain2.com.crt"
> pki mail.domain2.com key "/etc/ssl/private/mail.domain2.com.key"
> pki mail.domain3.com certificate "/etc/ssl/mail.domain3.com.crt"
> pki mail.domain3.com key "/etc/ssl/private/mail.domain3.com.key"

Mine is set up the same way (although my domains are different ;-)

> # listen ports setup
> listen on lo0
> listen on egress port 25
> listen on egress port 587 tls-require pki mail.garybainbridge.email auth <secrets>

I think this is where we diverge.

listen on egress port 25 tls auth-optional <credentials> hostname mail.domain.com
listen on egress port 587 tls-require auth <credentials> hostname mail.domain.com

Originally I had problems with figuring out how to serve multiple
certificates. I believe that using the 'hostname' keyword sends that
particular domain's certificates by default. However, if the client
connects using a different hostname, smtpd will present the certificate
for the specified domain.

> Everything works great like this, except if I try to connect with
> Thunderbird without a pki.
> 
> For example, if I try to retrieve emails via IMAP with Thunderbird it
> works for garybainbridge.mail, but not for domain2.com and user info. In
> /var/log/maillog it shows "reason=ca-failure" and I can't add another
> line such as: "listen on egress port 587 tls-require pki
> mail.domain2.com auth <secrets>" because it doesn't work.
> 
> If I just use "listen on egress port 587 tls-require" then I can't get
> Thunderbird to work because I get "reason=ca-failure".
> 
> How can I get it working with multiple domains and certificates?

This is what works for me, but your mileage may vary. (Also, the
default domain I have specified with the 'hostname' keyword is not the
domain most frequently used by users connecting to this host.)

-- Robert Cameron
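A check for the behaviour described above, added here as an example and not part of either poster's message: it asks the submission port for each name via SNI and compares the CN of the certificate actually served with the name requested, which is the quickest way to see whether a "reason=ca-failure" comes from the wrong certificate being presented. The host, port and names are placeholders; openssl(1) is assumed to be installed.

```shell
#!/bin/sh
# Added example: verify which certificate OpenSMTPD presents per SNI name.
# Requires openssl(1); host/port/names passed to check_names are placeholders.

# Print the "subject=" line of the leaf certificate served when a client
# asks for name "$3" via SNI on "$1:$2" (STARTTLS on the submission port).
sni_cert_subject() {
    host=$1; port=$2; name=$3
    openssl s_client -connect "$host:$port" -starttls smtp \
        -servername "$name" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject
}

# Extract the CN from an openssl "subject=" line. Handles both the older
# "subject= /C=US/CN=x" style and the newer "subject=C = US, CN = x" style.
subject_cn() {
    printf '%s\n' "$1" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p' | sed 's/ *$//'
}

# Succeed only if the CN in the subject line equals the expected hostname.
cn_matches() {
    [ "$(subject_cn "$1")" = "$2" ]
}

# Query every name given and report which ones get the matching certificate.
check_names() {
    host=$1; port=$2; shift 2
    rc=0
    for name in "$@"; do
        subj=$(sni_cert_subject "$host" "$port" "$name")
        if cn_matches "$subj" "$name"; then
            echo "OK   $name -> $subj"
        else
            echo "FAIL $name -> ${subj:-no certificate returned}"
            rc=1
        fi
    done
    return $rc
}

# Usage with placeholder names:
# check_names mail.example.org 587 mail.example.org mail.domain2.com mail.domain3.com
```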

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org