That worked.  I spent quite a bit of time trying to get it working.  Thank you both for your replies!

On 3/10/2018 10:20 AM, Robert Cameron wrote:
> On Sat, 2018-03-10 at 09:13 -0600, g p wrote:
>> I have three domains and have created my own certificates for them but I
>> cannot get OpenSMTPD to work with all of them, just one.
>
> I too use OpenSMTPD with 3 different certificates, so perhaps portions
> of my config might work.
>
>> # pki setup
>> pki mail.garybainbridge.email certificate "/etc/ssl/mail.garybainbridge.email.crt"
>> pki mail.garybainbridge.email key "/etc/ssl/private/mail.garybainbridge.email.key"
>> pki mail.domain2.com certificate "/etc/ssl/mail.domain2.com.crt"
>> pki mail.domain2.com key "/etc/ssl/private/mail.domain2.com.key"
>> pki mail.domain3.com certificate "/etc/ssl/mail.domain3.com.crt"
>> pki mail.domain3.com key "/etc/ssl/private/mail.domain3.com.key"
>
> Mine is set up the same way (although my domains are different ;-)
>
>> # listen ports setup
>> listen on lo0
>> listen on egress port 25
>> listen on egress port 587 tls-require pki mail.garybainbridge.email auth <secrets>
>
> I think this is where we diverge.
>
> listen on egress port 25 tls auth-optional <credentials> hostname mail.domain.com
> listen on egress port 587 tls-require auth <credentials> hostname mail.domain.com
>
> Originally I had problems with figuring out how to serve multiple
> certificates. I believe that using the 'hostname' keyword sends that
> particular domain's certificates by default. However, if the client
> connects using a different hostname, smtpd will present the certificate
> for the specified domain.
>
>> Everything works great like this, except if I try to connect with
>> Thunderbird without a pki.
>>
>> For example, if I try to retrieve emails via IMAP with Thunderbird it
>> works for garybainbridge.mail, but not for domain2.com and user info. In
>> /var/log/maillog it shows "reason=ca-failure" and I can't add another
>> line such as: "listen on egress port 587 tls-require pki
>> mail.domain2.com auth <secrets>" because it doesn't work.
>>
>> If I just use "listen on egress port 587 tls-require" then I can't get
>> Thunderbird to work because I get "reason=ca-failure".
>>
>> How can I get it working with multiple domains and certificates?
>
> This is what works for me, but your mileage may vary. (Also, the
> default domain I have specified with the 'hostname' keyword is not the
> domain most frequently used by users connecting to this host.)
>
> -- Robert Cameron
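A practical way to confirm that a listener like the one discussed above really hands out the right certificate for each name is to connect with STARTTLS and a specific SNI name, then compare the presented subject against the name asked for. The script below is an added example and is not part of this thread or of the OpenSMTPD project; it assumes `openssl s_client` is available, takes the target host and port from the `SMTP_HOST` and `SMTP_PORT` environment variables (assumptions), and reuses the three pki names from the quoted config as the SNI names to test.

```sh
#!/bin/sh
# Added example (not from the thread): for each SNI name, open a STARTTLS
# session to the submission port and report which certificate the server
# presented and how the chain verified. A mismatch here is the usual cause
# of a client-side "reason=ca-failure" when several pki entries are in play.
# SMTP_HOST / SMTP_PORT are caller-supplied assumptions.

# Extract the CN from an "openssl x509 -noout -subject" line. Handles both
# the newer "subject=CN = host" and the older "subject= /CN=host" layouts.
subject_cn() {
    sed -n 's|.*CN *= *\([^,/]*\).*|\1|p' | sed 's/ *$//'
}

# Extract the numeric result from "Verify return code: N (text)" in s_client output.
verify_code() {
    sed -n 's|.*Verify return code: *\([0-9]*\).*|\1|p' | head -n 1
}

# Connect with STARTTLS and the given SNI name; print "name -> CN (verify=N)".
# Returns success only when the presented CN equals the requested name.
check_sni() {
    host=$1 port=$2 name=$3
    out=$(printf 'QUIT\r\n' | openssl s_client -connect "$host:$port" \
            -starttls smtp -servername "$name" 2>/dev/null)
    cn=$(printf '%s\n' "$out" | openssl x509 -noout -subject 2>/dev/null | subject_cn)
    code=$(printf '%s\n' "$out" | verify_code)
    printf '%s -> %s (verify=%s)\n' "$name" "${cn:-<no certificate>}" "${code:-?}"
    [ "$cn" = "$name" ]
}

# Usage: SMTP_HOST=mail.example.invalid SMTP_PORT=587 sh check_sni.sh
# The network part only runs when SMTP_HOST is set, so the helper functions
# can be sourced and exercised offline.
if [ -n "${SMTP_HOST:-}" ]; then
    rc=0
    for n in mail.garybainbridge.email mail.domain2.com mail.domain3.com; do
        check_sni "$SMTP_HOST" "${SMTP_PORT:-587}" "$n" || rc=1
    done
    exit $rc
fi
```

If every name comes back with its own CN and `verify=0`, the server side is selecting certificates correctly and any remaining failure is the client's trust store (self-signed certificates still need to be imported into Thunderbird); if a name comes back with a different CN, the listener is not serving that pki entry for that SNI name.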


--
You received this mail because you are subscribed to misc@opensmtpd.org