That worked.  I spent quite a bit of time trying to get it working.  Thank you both for your replies!

On 3/10/2018 10:20 AM, Robert Cameron wrote:
On Sat, 2018-03-10 at 09:13 -0600, g p wrote:
I have three domains and have created my own certificates for them but I
cannot get OpenSMTPD to work with all of them, just one.
I too use OpenSMTPd with 3 different certificates, so perhaps portions
of my config might work.

# pki setup
pki certificate
pki key
pki certificate "/etc/ssl/"
pki key "/etc/ssl/private/"
pki certificate "/etc/ssl/"
pki key "/etc/ssl/private/"
Mine is set up the same way (although my domains are different ;-)

# listen ports setup
listen on lo0
listen on egress port 25
listen on egress port 587 tls-require pki  auth <secrets>
I think this is where we diverge.

listen on egress port 25 tls auth-optional <credentials> hostname
listen on egress port 587 tls-require auth <credentials> hostname

Originally I had problems with figuring out how to serve multiple
certificates. I believe that using the 'hostname' keyword sends that
particular domain's certificates by default. However, if the client
connects using a different hostname, smtpd will present the certificate
for the specified domain.

Everything works great like this, except if I try to connect with
Thunderbird without a pki.

For example, if I try to retrieve emails via IMAP with Thunderbird it
works for garybainbridge.mail, but not for and user info.
/var/log/maillog it shows "reason=ca-failure" and I can't add a
line such as: "listen on egress port 587 tls-require pki  auth <secrets>" because it doesn't work.

If I just use "listen on egress port 587 tls-require" then I can't get
Thunderbird to work because I get "reason=ca-failure"

How can I get it working with multiple domains and certificates?
This is what works for me, but your mileage may vary. (Also, the
default domain I have specified with the 'hostname' keyword is not the
domain most frequently used by users connecting to this host.)

-- Robert Cameron
