just a friendly ping...

mcmer-opensm...@tor.at (Marcus MERIGHI), 2020.04.02 (Thu) 12:00 (CEST):
> Hello!
> I've recently found a reason [1] to use different certificates for
> relaying than those that are used for submitting mails. 
> Reading smtpd.conf(5) I learned that "relay" did not list "pki" as an
> option. 
> Feeling adventurous I just added the "pki pubpki" directive:
>   "action rlay relay src <outbound> helo $hname pki pubpki"
> "smtpd -n -v' did not complain.
> There's a patch for smtpd.conf(5), at the end of this message.
> But I'm having a hard time testing. Here's a trace from a receiving end, 
> when contacted _by_ the server in question. 
>         smtp: 0x17e7eea48000: <<< STARTTLS
>         smtp: 0x17e7eea48000: >>> 220 2.0.0 Ready to start TLS
>         smtp: 0x17e7eea48000: STATE_HELO -> STATE_TLS
>         160f48d2b4ce36f0 smtp tls
>                 ciphers=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
>         smtp: 0x17e7eea48000: STATE_TLS -> STATE_HELO
> How can I check which certificate was used? 
> I control both ends, which are OpenBSD 6.6 with OpenSMTPd.
> Or, asking differently: if I have more than one "pki" defined, which
> one is used for "relay" actions?
> [1] there's an "internal" domain name that is used for mail submission
>     access, which has a acme certificate.
>     but, when relaying, it goes out with the "official" name, which is not
>     contained in the acme certificate for the "internal" domain.
> Thanks for reading that far, Marcus

Index: smtpd.conf.5
RCS file: /cvs/src/usr.sbin/smtpd/smtpd.conf.5,v
retrieving revision 1.249
diff -u -p -u -r1.249 smtpd.conf.5
--- smtpd.conf.5        12 Feb 2020 14:46:36 -0000      1.249
+++ smtpd.conf.5        2 Apr 2020 09:14:01 -0000
@@ -274,6 +274,14 @@ and
 .Dq smtps
 protocols for authentication.
 Server certificates for those protocols are verified by default.
+.It Cm pki Ar pkiname
+For secure connections,
+use the certificate associated with
+.Ar pkiname
+(declared in a
+.Ic pki
+to prove a mail server's identity.
 .It Cm srs
 When relaying a mail resulting from a forward,
 use the Sender Rewriting Scheme to rewrite sender address.

Reply via email to