I've recently found a reason [1] to use different certificates for
relaying than those that are used for submitting mails. 

Reading smtpd.conf(5) I learned that "relay" did not list "pki" as an

Feeling adventurous I just added the "pki pubpki" directive:
  "action rlay relay src <outbound> helo $hname pki pubpki"

"smtpd -n -v" did not complain.

There's a patch for smtpd.conf(5), at the end of this message.

But I'm having a hard time testing. Here's a trace from a receiving end, 
when contacted _by_ the server in question. 

        smtp: 0x17e7eea48000: <<< STARTTLS
        smtp: 0x17e7eea48000: >>> 220 2.0.0 Ready to start TLS
        smtp: 0x17e7eea48000: STATE_HELO -> STATE_TLS
        160f48d2b4ce36f0 smtp tls
        smtp: 0x17e7eea48000: STATE_TLS -> STATE_HELO

How can I check which certificate was used? 
I control both ends, which are OpenBSD 6.6 with OpenSMTPd.

Or, asking differently: if I have more than one "pki" defined, which
one is used for "relay" actions?

[1] there's an "internal" domain name that is used for mail submission
    access, which has an acme certificate.
    But, when relaying, it goes out with the "official" name, which is not
    contained in the acme certificate for the "internal" domain.

Thanks for reading that far, Marcus

Index: smtpd.conf.5
RCS file: /cvs/src/usr.sbin/smtpd/smtpd.conf.5,v
retrieving revision 1.249
diff -u -p -u -r1.249 smtpd.conf.5
--- smtpd.conf.5        12 Feb 2020 14:46:36 -0000      1.249
+++ smtpd.conf.5        2 Apr 2020 09:14:01 -0000
@@ -274,6 +274,14 @@ and
 .Dq smtps
 protocols for authentication.
 Server certificates for those protocols are verified by default.
+.It Cm pki Ar pkiname
+For secure connections,
+use the certificate associated with
+.Ar pkiname
+(declared in a
+.Ic pki
+to prove a mail server's identity.
 .It Cm srs
 When relaying a mail resulting from a forward,
 use the Sender Rewriting Scheme to rewrite sender address.
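Review bot: the parenthetical opened at "(declared in a" / ".Ic pki" is never closed; the text runs straight into "to prove a mail server's identity." Suggest closing it, for example ".Ic pki" followed by a line such as "section)". The hunk header "@@ -274,6 +274,14 @@" also announces eight added lines while only seven "+" lines appear, so one line seems to have been lost between the diff and this message; regenerating the diff with cvs diff -up before resending would settle it. Since the question in the message is which pki a relay action uses when none is named, the new paragraph would be more useful if it also stated the behaviour for the omitted case.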

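Added example (not part of Marcus's message or of OpenSMTPD): a stdlib-only check for the concern in [1], whether a certificate actually covers the "official" name. fetch_starttls_cert() opens an SMTP session to a listener, does STARTTLS and returns the server certificate as a dict; cert_covers() then tests a hostname against the SAN dNSName entries and the subject CN. This inspects the certificate a listener presents (the submission side); the client certificate an outbound relay action offers is only observable from the receiving server, so the host, port and names below are assumed placeholders.

```python
import smtplib
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# an acme certificate for the "internal" name only, as described in [1].
SAMPLE_CERT = {
    "subject": ((("commonName", "internal.example"),),),
    "subjectAltName": (("DNS", "internal.example"), ("DNS", "*.internal.example")),
}


def cert_names(cert):
    """Return the DNS names a getpeercert()-style dict is valid for: SAN dNSName
    entries first, then the subject commonName (still checked by some clients)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, a wildcard is only allowed
    as the whole left-most label and matches exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and labels[1:] == pattern[2:].split(".")
    return False


def cert_covers(cert, hostname):
    """True if any name in the certificate matches hostname."""
    return any(name_matches(name, hostname) for name in cert_names(cert))


def fetch_starttls_cert(host, port=25, local_hostname=None):
    """Connect, upgrade with STARTTLS and return the presented certificate dict.
    Chain validation against the system CA store stays on so getpeercert()
    is populated (it returns {} for unverified peers); only the hostname check
    is disabled, so a certificate with the wrong name can still be inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with smtplib.SMTP(host, port, local_hostname=local_hostname, timeout=10) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert()


if __name__ == "__main__":
    # Assumed placeholders: a listener on mail.internal.example, official name official.example.
    cert = fetch_starttls_cert("mail.internal.example", 587, local_hostname="official.example")
    print(cert_names(cert), "covers official.example:", cert_covers(cert, "official.example"))
```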