Hi,

I do have multiple domains but only have a single certificate that accepts mail 
from my multiple domains. Reading the upgrade guide I did not think I needed to 
change anything in my smtpd.conf. Though to be sure I have provided here my 
configuration;


pki mx1.stonyrange.com cert "/etc/ssl/stonyrange.com.fullchain.pem"
pki mx1.stonyrange.com key "/etc/ssl/private/stonyrange.com.key"

table aliases file:/etc/mail/aliases
table passwd passwd:/etc/mail/passwd
table vusers file:/etc/mail/vusers
table vdomains file:/etc/mail/vdomains
table vaddr file:/etc/mail/vaddr

filter f01 phase connect match !rdns disconnect "550 no rDNS, you need proper DNS"
filter f02 phase connect match !fcrdns disconnect "550 no FCrDNS, you need proper DNS"
filter f03 proc-exec "filter-senderscore -blockBelow 10 -junkBelow 70 -slowFactor 5000"
filter f04 proc-exec "filter-rspamd"
filter c01 chain { f01, f02, f03, f04 }

listen on socket
listen on lo0
listen on egress tls pki mx1.stonyrange.com \
        hostname "mx1.stonyrange.com" filter c01
listen on egress port submission tls-require pki mx1.stonyrange.com \
        hostname "mx1.stonyrange.com" auth <passwd> filter f04

action a01 lmtp "/var/dovecot/lmtp" rcpt-to alias <aliases>
action a02 lmtp "/var/dovecot/lmtp" rcpt-to virtual <vusers>
action a03 relay helo mx1.stonyrange.com

match from local for local action a01
match from any for domain <vdomains> rcpt-to <vaddr> action a02 
match from local for any action a03
match auth from any for any action a03 

I can verify the connection using "openssl" as noted by Johannes K and 
everything verifies OK with no errors. I am not sure what to think now.

Thanks for your feedback
Nino

> On 10 May 2021, at 12:58 am, [email protected] wrote:
> 
>> On my server (OpenBSD 6.9 + OpenSMTPD 6.9.0) this message appears since 
>> I have upgraded to OpenBSD 6.9.
>> 
>> ...
>> 
>> When I test the server connection manually with the OpenSSL command line 
>> utility, both certificates will
>> be shown.
> 
> Are there multiple domains involved in your configuration? As smtpd was 
> ported to libtls, there were major configuration changes concerning the pki 
> listener option. Also, are there any more detailed tls options in your 
> listener config? Because looking at the source code [1] it seems that 
> tls_peer_cert_provided is returning 0.
> 
> [1] 
> https://github.com/OpenSMTPD/OpenSMTPD/blob/9e195177ab8354f188d156a82b11e7d38e517bc7/usr.sbin/smtpd/mta_session.c#L1606
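Since the thread turns on one certificate serving several domains, a scripted version of the "openssl s_client" check is useful: it performs STARTTLS with Python's ssl module (which verifies the chain and the hostname the same way), then compares the leaf certificate's subjectAltName against every name the server is expected to answer for. This is an added example, not code from the thread or from OpenSMTPD; the host, port and domain names are assumptions, and the sample certificate dictionary used for the offline check is constructed to mirror what getpeercert() returns.

```python
"""Check which hostnames a STARTTLS SMTP certificate actually covers.

Added example (not from the mailing-list thread): the network part does the
same verification as 'openssl s_client -starttls smtp', and the matching
helpers work offline on the dictionary that ssl.SSLSocket.getpeercert()
returns, so you can also test them against a constructed certificate.
"""
import smtplib
import ssl
import sys


def san_dns_names(cert):
    """Return the DNS entries of subjectAltName from a getpeercert() dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """RFC 6125-style match: exact, or a single wildcard as the leftmost label.

    The wildcard covers exactly one label and is not accepted for a bare
    public suffix such as '*.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    return (
        len(p_labels) == len(h_labels)
        and len(p_labels) >= 3
        and p_labels[1:] == h_labels[1:]
    )


def uncovered_names(cert, hostnames):
    """Hostnames from the list that no SAN entry of the certificate matches."""
    sans = san_dns_names(cert)
    return [h for h in hostnames if not any(name_matches(s, h) for s in sans)]


def fetch_starttls_cert(host, port=25, cafile=None):
    """EHLO, STARTTLS, verify chain and hostname, return the peer certificate.

    smtplib sends the connection host as SNI and verifies the certificate
    against it; ssl.SSLCertVerificationError is raised on any mismatch.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert()


# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "mx1.example.org"),),),
    "subjectAltName": (
        ("DNS", "mx1.example.org"),
        ("DNS", "example.org"),
        ("DNS", "*.example.net"),
    ),
}


if __name__ == "__main__":
    # Usage: python check_starttls.py mx1.example.org example.org example.net
    # (assumed invocation; the first argument is the MX to connect to, the
    # rest are the domains the single certificate is expected to cover)
    mx, expected = sys.argv[1], sys.argv[2:]
    cert = fetch_starttls_cert(mx)
    missing = uncovered_names(cert, [mx] + expected)
    print("SAN:", ", ".join(san_dns_names(cert)))
    print("not covered:", ", ".join(missing) if missing else "none")
```

Run it against each MX with every domain the certificate is supposed to serve; a verified connection (the openssl check passing) only proves the name you connected to is covered, while the SAN comparison shows whether the other domains are.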

