On 09.05.21 at 10:17 [email protected] wrote:
Do I need to be concerned about these log messages in /var/log/maillog?
smtpd[43176]: ecd860f40cdb2d36 smtp cert-check result="no certificate presented"
It depends. Based on the amount of information you gave, there are two 
possibilities. A connection from an MUA (i.e. Thunderbird) to the MTA 
(opensmtpd) is not encrypted, or the connection to another MTA, because it 
didn't present a certificate. You can further inspect with smtpctl log verbose 
or smtpctl trace smtp/mta. With show message or show envelope you can display 
the contents of the concerning message. (https://man.openbsd.org/smtpctl)

On my server (OpenBSD 6.9 + OpenSMTPD 6.9.0) this message appears since I have upgraded to OpenBSD 6.9.

MTA <-> MTA connection:
May  9 11:52:41 odin smtpd[31816]: 20d5d49592a856dc smtp connected address=199.185.178.25 host=mail.openbsd.org
May  9 11:52:48 odin smtpd[31816]: 20d5d49592a856dc smtp tls ciphers=TLSv1.3:AEAD-AES256-GCM-SHA384:256
May  9 11:52:48 odin smtpd[31816]: 20d5d49592a856dc smtp cert-check result="no certificate presented"
May  9 11:52:53 odin smtpd[31816]: 20d5d49592a856dc smtp message msgid=4da82d9d size=3039 nrcpt=1 proto=ESMTP

When I test the server connection manually with the OpenSSL command line utility, both certificates will
be shown.

My Mailserver:
$ openssl s_client -connect mail.krottmayer.com:25 -starttls smtp -servername mail.krottmayer.com
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.krottmayer.com
verify return:1
---
Certificate chain
 0 s:CN = mail.krottmayer.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
[REMOVED]
-----END CERTIFICATE-----
subject=CN = mail.krottmayer.com

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3780 bytes and written 434 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
250 HELP
quit
221 2.0.0 Bye
read:errno=0
$

OpenBSD Mailserver:
openssl s_client -connect mail.openbsd.org:25 -starttls smtp -servername mail.openbsd.org
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.openbsd.org
verify return:1
---
Certificate chain
 0 s:CN = mail.openbsd.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
[REMOVED]
-----END CERTIFICATE-----
subject=CN = mail.openbsd.org

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3710 bytes and written 431 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
250 STARTTLS
quit
221 mail.openbsd.org
closed
$
--

Kind regards,

Johannes K.
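The log excerpt above shows that a single inbound session can carry both a "tls ciphers=" line and a "cert-check" line, so grouping smtpd's lines by the 16-hex-digit session id tells an operator whether a session was encrypted at all, and separately whether the connecting peer presented a certificate. The following Python script is an added example, written for this thread and not code from OpenSMTPD or from any participant: it parses inbound "smtp" lines, joins them per session id, and classifies each session as plaintext, encrypted without a peer certificate, or encrypted with a peer certificate. The sample log is constructed; its first four lines follow the excerpt quoted in the thread, the remaining session ids, addresses and hosts are invented, and the result="verified" value in the last session is an assumed stand-in for a successful check, not a string taken from OpenSMTPD's source.

```python
import re

# Constructed sample log. Lines 1-4 mirror the excerpt quoted in the thread;
# the other sessions are invented, and result="verified" is an ASSUMED value
# standing in for whatever smtpd logs when a peer certificate checks out.
SAMPLE_LOG = """\
May  9 11:52:41 odin smtpd[31816]: 20d5d49592a856dc smtp connected address=199.185.178.25 host=mail.openbsd.org
May  9 11:52:48 odin smtpd[31816]: 20d5d49592a856dc smtp tls ciphers=TLSv1.3:AEAD-AES256-GCM-SHA384:256
May  9 11:52:48 odin smtpd[31816]: 20d5d49592a856dc smtp cert-check result="no certificate presented"
May  9 11:52:53 odin smtpd[31816]: 20d5d49592a856dc smtp message msgid=4da82d9d size=3039 nrcpt=1 proto=ESMTP
May  9 12:03:10 odin smtpd[31816]: 1111aaaa2222bbbb smtp connected address=192.0.2.10 host=plain.example.net
May  9 12:03:11 odin smtpd[31816]: 1111aaaa2222bbbb smtp message msgid=0badc0de size=512 nrcpt=1 proto=ESMTP
May  9 12:10:00 odin smtpd[31816]: 3333cccc4444dddd smtp connected address=198.51.100.7 host=relay.example.org
May  9 12:10:01 odin smtpd[31816]: 3333cccc4444dddd smtp tls ciphers=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
May  9 12:10:01 odin smtpd[31816]: 3333cccc4444dddd smtp cert-check result="verified"
"""

# One inbound smtpd line: syslog timestamp, host, smtpd[pid], session id, "smtp", event, key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"smtpd\[\d+\]: (?P<sid>[0-9a-f]{16}) smtp (?P<event>\S+)(?: (?P<rest>.*))?$"
)
# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return a dict for an inbound 'smtp' line, or None for anything else."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = {}
    for key, quoted, bare in KV_RE.findall(m.group("rest") or ""):
        fields[key] = quoted if quoted else bare
    return {"ts": m.group("ts"), "sid": m.group("sid"),
            "event": m.group("event"), "fields": fields}


def summarize(log_text):
    """Group parsed lines by session id and keep the TLS/cert state per session."""
    sessions = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = sessions.setdefault(rec["sid"], {"address": None, "host": None,
                                             "tls": None, "cert": None, "messages": 0})
        ev, f = rec["event"], rec["fields"]
        if ev == "connected":
            s["address"] = f.get("address")
            s["host"] = f.get("host")
        elif ev == "tls":              # only logged once STARTTLS succeeded
            s["tls"] = f.get("ciphers")
        elif ev == "cert-check":       # result of checking the peer's certificate
            s["cert"] = f.get("result")
        elif ev == "message":
            s["messages"] += 1
    return sessions


def classify(session):
    """Distinguish an unencrypted session from an encrypted one lacking a peer cert."""
    if session["tls"] is None:
        return "plaintext"
    if session["cert"] in (None, "no certificate presented"):
        return "encrypted, no peer certificate"
    return "encrypted, peer certificate: " + session["cert"]


def report(log_text):
    """One summary line per session, in log order."""
    return [f"{sid} {s['host']} ({s['address']}) msgs={s['messages']} -> {classify(s)}"
            for sid, s in summarize(log_text).items()]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against a real /var/log/maillog (for example `report(open("/var/log/maillog").read())`) the plaintext sessions stand out from the encrypted ones. Note that the "cert-check" line on an inbound smtp session refers to the certificate the connecting peer did or did not present, while `openssl s_client` prints the certificate the server presents to its client; a server can therefore show a valid chain in s_client and still log "no certificate presented" for a peer that connected without one.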

