On Tue, Mar 15, 2022 at 05:11:14PM +0100, Marcus MERIGHI wrote:
> Hello,
>
> [email protected] ([email protected]), 2022.03.15 (Tue) 00:27 (CET):
>> On Tue, Mar 15, 2022 at 09:40:34AM +1100, Dipesh Sharma wrote:
>> > Did you try the 'tls no-verify' option described here:
>> > https://man.openbsd.org/smtpd.conf#tls ? If you are sure that some host
>> > under example.com is talking to the correct mail.example.com host, it is OK
>> > to skip the certificate verification.
>>
>> I did not as that is not what I'm hoping to do.
>>
>> Instead I'd like to verify the server's certificate is signed by a CA
>> whose certificate is on the client machine.
>
> IIUC the client server needs the CA Certificate that was used to
> generate the SMTP-server Certificate in its /etc/ssl/cert.pem (on
> OpenBSD).
Thanks. I did try this but it's still not working out. My configuration:

client# cat /etc/mail/smtpd.conf
table aliases file:/etc/mail/aliases

listen on socket
listen on lo0

action "local_mail" maildir alias <aliases>
action "outbound" relay host smtp://relay-server.example.org

match for local action "local_mail"
match for any action "outbound"

Download the server certificate and append it to our /etc/ssl/certs.pem:

client# scp relay-server:/etc/ssl/server.crt /tmp/
client# file /tmp/server.crt
/tmp/server.crt: PEM certificate
client# cat /tmp/server.crt >> /etc/ssl/certs.pem

Restart smtpd, then send a test message:

client# rcctl restart smtpd
client# echo "test" | mail -s Test [email protected]

Logs show smtp becomes smtp+notls:

client# tail -f /var/log/maillog
[..]
Mar 15 15:54:08 client smtpd[87731]: 329936c19282523c mta connecting address=smtp://192.168.1.1:25 host=relay-server.example.org
Mar 15 15:54:08 client smtpd[87731]: 329936c19282523c mta connected
Mar 15 15:54:08 client smtpd[87731]: smtp-out: Error on session 329936c19282523c: opportunistic TLS failed, downgrading to plain
Mar 15 15:54:08 client smtpd[87731]: 329936c19282523c mta connecting address=smtp+notls://192.168.1.1:25 host=relay-server.example.org
Mar 15 15:54:08 client smtpd[87731]: 329936c19282523c mta connected
Mar 15 15:54:09 client smtpd[87731]: 329936c19282523c mta delivery evpid=5141efe410221a1f from=<[email protected]> to=<[email protected]> rcpt=<-> source="192.168.1.9" relay="192.168.1.1 (relay-server.example.org)" delay=1s result="Ok" stat="250 2.0.0 e6ec7840 Message accepted for delivery"
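A check for the situation in this thread, added here as an example (it is not code from the thread or from OpenSMTPD): it runs openssl s_client with STARTTLS against the relay and reports whether the presented certificate chains to a CA in /etc/ssl/cert.pem, the bundle smtpd verifies against on OpenBSD, and which relay URL that result justifies. The host relay-server.example.org, port 25 and /tmp/server.crt come from the thread; the script name and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): ask the relay for STARTTLS and report
# whether the certificate it presents chains to a CA in the bundle smtpd
# verifies against.  On OpenBSD that bundle is /etc/ssl/cert.pem; a cert
# appended to a differently named file such as /etc/ssl/certs.pem is never read.
# Usage: sh check_relay_tls.sh [relay-host] [port] [cafile]  (names assumed)

RELAY="${1:-relay-server.example.org}"   # relay host from the thread
PORT="${2:-25}"
CAFILE="${3:-/etc/ssl/cert.pem}"

# Read openssl s_client output on stdin, print the numeric "Verify return code";
# 0 means the chain validated against CAFILE, anything else names the failure.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Print the leaf certificate subject so the operator can confirm it names the
# relay: s_client validates the chain here, not the hostname.
leaf_subject() {
    sed -n 's/^subject=//p' | head -n 1
}

# Map a verify code to the relay URL worth configuring.  smtp+tls:// makes
# STARTTLS mandatory, so a failed handshake becomes a visible delivery failure
# in maillog instead of the silent smtp+notls:// downgrade seen in the log above.
relay_url_for() {
    if [ "$1" = "0" ]; then
        printf 'smtp+tls://%s\n' "$RELAY"
    else
        printf 'smtp://%s (verification failed, code %s: keep investigating)\n' "$RELAY" "$1"
    fi
}

# Probe the live relay; QUIT is piped in so the session closes cleanly.
probe_relay() {
    out=$(printf 'QUIT\r\n' | openssl s_client -connect "$RELAY:$PORT" \
              -starttls smtp -servername "$RELAY" -CAfile "$CAFILE" 2>/dev/null)
    code=$(printf '%s\n' "$out" | verify_code)
    printf 'leaf subject : %s\n' "$(printf '%s\n' "$out" | leaf_subject)"
    printf 'verify code  : %s\n' "${code:-none (no TLS handshake; is STARTTLS offered?)}"
    printf 'relay url    : %s\n' "$(relay_url_for "${code:-none}")"
    # The copy fetched in the thread can be checked the same way against CAFILE.
    if [ -r /tmp/server.crt ]; then openssl verify -CAfile "$CAFILE" /tmp/server.crt; fi
}

# Only touch the network when a relay host is given on the command line.
if [ "$#" -gt 0 ]; then
    probe_relay
fi
```

Run it as `sh check_relay_tls.sh relay-server.example.org` from the client; a non-zero verify code with the server certificate appended to cert.pem usually means the file holds the leaf rather than the issuing CA certificate, which is what the chain check needs.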
