Hello,
I'd like to pick y'all's brains about a TLS-enabled multi-relay-host
setup, where I'm not sure what is right, or what should maybe be
possible.
The setup in question is an OpenSMTPD box that is configured to relay to
multiple, explicitly specified, redundant hosts; the crucial config line
is:
action "relay_out" relay host smtps://mailrelays.domain
(note: whether it's using smtps or smtp w/ starttls, etc. isn't
important, it comes down to the same thing)
Multiple A records are entered for the domain mailrelays.domain, so it
resolves to multiple IPs.
This DNS-based multi-A-record setup is the only way I found to tell
OpenSMTPD to use a list of relay hosts, and this works nicely. I
verified from the logs and traces that it keeps a list of them all,
selects what it thinks the best connector is, handles a connector
becoming unavailable gracefully, etc. Great!
However, this DNS based multi-host setup complicates matters when
verifying certificates. Imagine that mailrelays.domain points to 1.2.3.1
and 1.2.3.2. Also, let's say there are specific A records pointing to
those IPs, as well as their respective PTR records, so the full list is:
mailrelays.domain. 1.2.3.1
mailrelays.domain. 1.2.3.2
mailrelay01.domain. 1.2.3.1
mailrelay02.domain. 1.2.3.2
1.3.2.1.in-addr.arpa. mailrelay01.domain.
2.3.2.1.in-addr.arpa. mailrelay02.domain.
Also, let's say both relay hosts present certificates which only have
their own respective DNS names listed, but *not* "mailrelays.domain".
In this case the cert verification fails when relaying mail, because
OpenSMTPD checks whether the cert of each box has mailrelays.domain
listed, which they do not; they only list their specific,
number-suffixed domains.
By itself, one could argue that this is to be expected, and I kinda
agree. However, one could also argue that maybe it should do a PTR
lookup first, and use that DNS name for verification.
Taking a step back, I think the question essentially boils down to: how
to specify multiple relay hosts (e.g. for redundancy) *by DNS name*, so
the cert verification would work per relay host?
The problems I encountered to get this set up are:
- multiple CNAME records for a domain aren't possible in DNS
- one cannot make use of MX records, either, as the relay host line
seems to only resolve A records in this case
- there is seemingly no way to list multiple relay hosts in smtpd.conf,
explicitly, but maybe I'm missing something
Thoughts? I'm not sure what's right or wrong here; in some ways it
behaves like it should, but then again it also makes it hard to specify
multiple relay hosts conveniently. I obviously might also be totally
missing something, in which case I would be grateful to get some feedback.
Thanks!
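The name check described in the post, as an added example that is not code from the original post, from OpenSMTPD, or a description of OpenSMTPD's internals. The DNS records and certificate SAN lists are constructed to mirror the scenario above, and the helpers hostname_matches_san, ptr_is_forward_confirmed and verify_relays are hypothetical names chosen for this illustration. It walks the A records of the configured relay name, compares each relay's certificate against the configured name (the failing case) and against the PTR name of the IP, and adds the forward-confirmed reverse DNS check a practitioner would want before letting a PTR answer pick the name a certificate is verified against.

```python
"""Simulate the certificate name check in the multi-A-record relay setup.

Added example, not code from the original post or from OpenSMTPD. All DNS
data and certificate contents below are constructed to mirror the post.
"""
from __future__ import annotations

# Constructed forward and reverse DNS data (not a real zone).
A_RECORDS: dict[str, list[str]] = {
    "mailrelays.domain": ["1.2.3.1", "1.2.3.2"],
    "mailrelay01.domain": ["1.2.3.1"],
    "mailrelay02.domain": ["1.2.3.2"],
}
PTR_RECORDS: dict[str, str] = {
    "1.2.3.1": "mailrelay01.domain",
    "1.2.3.2": "mailrelay02.domain",
}
# Constructed certificate contents: the subjectAltName dNSName entries
# each relay presents (only its own name, as in the post).
RELAY_CERT_SANS: dict[str, list[str]] = {
    "1.2.3.1": ["mailrelay01.domain"],
    "1.2.3.2": ["mailrelay02.domain"],
}


def hostname_matches_san(hostname: str, san_names: list[str]) -> bool:
    """RFC 6125 style dNSName matching.

    Comparison is case-insensitive and label by label. A single leading
    '*' matches exactly one left-most label, and is only honoured when the
    SAN entry has at least three labels (so '*.domain' is refused).
    """
    host_labels = hostname.rstrip(".").lower().split(".")
    for san in san_names:
        san_labels = san.rstrip(".").lower().split(".")
        if len(san_labels) != len(host_labels):
            continue
        if san_labels[0] == "*":
            if len(san_labels) < 3:
                continue
            first_ok = True
        else:
            first_ok = san_labels[0] == host_labels[0]
        if first_ok and san_labels[1:] == host_labels[1:]:
            return True
    return False


def ptr_is_forward_confirmed(ip: str) -> bool:
    """Forward-confirmed reverse DNS: the PTR name must resolve back to ip."""
    name = PTR_RECORDS.get(ip)
    return name is not None and ip in A_RECORDS.get(name, [])


def verify_relays(relay_name: str, use_ptr: bool) -> dict[str, tuple[str, bool]]:
    """Walk every A record of relay_name and check each relay's cert.

    With use_ptr=False the configured name is compared against the cert,
    which is the failing case the post observes. With use_ptr=True the PTR
    name of the IP is used instead, but only if it is forward-confirmed;
    otherwise the configured name is kept. Returns ip -> (name checked, matched).
    """
    results: dict[str, tuple[str, bool]] = {}
    for ip in A_RECORDS[relay_name]:
        name = relay_name
        if use_ptr and ptr_is_forward_confirmed(ip):
            name = PTR_RECORDS[ip]
        results[ip] = (name, hostname_matches_san(name, RELAY_CERT_SANS[ip]))
    return results


if __name__ == "__main__":
    for use_ptr in (False, True):
        print(f"verify by {'PTR name' if use_ptr else 'configured name'}:")
        for ip, (name, ok) in verify_relays("mailrelays.domain", use_ptr).items():
            print(f"  {ip}: checked {name!r} -> {'match' if ok else 'MISMATCH'}")
```

Run stand-alone, the first pass reports a mismatch for both IPs and the second pass a match for both, which is the difference the post describes. One caveat from my side, not from the post: a plain PTR answer is unauthenticated, so letting it choose the name a certificate is verified against hands that choice to whoever can answer the reverse lookup; the forward-confirmation step narrows that, but does not replace verifying against a name the administrator configured.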