This is what we're doing, but it's not directly under our control, so there is some back and forth, etc., possible, yes, but the question still remains. I personally lean more and more towards thinking it would be nice to be able to specify multiple relay hosts, explicitly.

On Thu, Sep 08, 2022 at 12:35:04AM +0200, Tobias Fiebig wrote:
Why don't you add mailrelays.domain as a DNSAltName to the certs of these 
hosts? Or are they not under your control?

With best regards,

-----Original Message-----
From: Tassilo Philipp <>
Sent: Wednesday, 7 September 2022 11:31
Subject: certificate verification when using multiple relay hosts


I'd like to pick y'all's brains about a TLS enabled multi-relay-host setup, 
where I'm not sure about what is right, or should maybe be possible.

The setup in question is an OpenSMTPd box that is configured to relay to multiple, explicitly specified, redundant hosts, the crucial config line is:

 action "relay_out" relay host smtps://mailrelays.domain

(note: whether it's using smtps or smtp w/ starttls, etc. isn't important, it 
comes down to the same)

Multiple A records are entered for the domain mailrelays.domain, so it resolves 
to multiple IPs.

This DNS-based multi-A-record setup is the only way I found to tell OpenSMTPd 
to use a list of relay hosts, and this works nicely. I verified given the logs 
and traces that it keeps a list of them all, selects what it thinks the best 
connector is, handles a connector becoming unavailable gracefully, etc. Great!

However, this DNS based multi-host setup complicates matters when verifying 
certificates. Imagine that mailrelays.domain points to and 
Also, let's say there are specific A records pointing to those IPs, as well as 
their respective PTR records, so the full list is:


mailrelay02.domain.    mailrelay01.domain.    mailrelay02.domain.

Also, let's say both relay hosts present certificates which only have their own 
respective DNS names listed, but *not* "mailrelays.domain".

In this case the cert verification fails when relaying mail, because 
OpenSMTPd checks whether the cert of each box has mailrelays.domain listed, 
which they do not; they only list their specific, number-suffixed domains.

By itself one could argue that this is to be expected, and I kinda agree. 
However, one could also argue that maybe it should do a PTR lookup, first, and 
use that DNS name for verification.

Taking a step back, I think the question essentially boils down to: how to 
specify multiple relay hosts (e.g. for redundancy) *by DNS name*, so the cert 
verification would work per relay host?

The problems I encountered to get this set up are:

- multiple CNAME records for a domain aren't possible in DNS

- one cannot make use of MX records, either, as the relay host line
  seems to only resolve A records in this case

- there is seemingly no way to list multiple relay hosts in smtpd.conf,
  explicitly, but maybe I'm missing something

Thoughts? I'm not sure what's right or wrong here; in some ways it behaves like 
it should, but then again it also makes it hard to specify multiple relay 
hosts conveniently. I obviously might also be totally missing something, in which 
case I would be grateful to get some feedback.
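The verification behaviour discussed in this thread, modelled as an added example (this is not OpenSMTPd code and does not reproduce its libtls-based verification; it is a simplified RFC 6125-style name match over a constructed DNS zone and constructed subjectAltName lists). The hostnames follow the thread, the IP addresses are RFC 5737 documentation addresses chosen here, and the attacker name and spoofed PTR table are invented for the last scenario. It shows why every attempt fails as deployed, why adding the pool name to each certificate's SANs (the fix suggested in the reply) makes all attempts verify, and why verifying against a PTR-derived name is weaker than it looks: that name comes from an unauthenticated lookup keyed on the peer's address, so an on-path attacker who can answer the PTR query and holds a certificate for whatever name it answered with passes the check without owning anything under the relay's domain.

```python
"""Model of what an MTA that relays to a multi-A-record name checks when it
verifies the relay's certificate. Added example, not OpenSMTPd code.

Everything below is constructed for the example: the hostnames follow the
thread (mailrelays.domain, mailrelay01.domain, mailrelay02.domain), the IP
addresses are RFC 5737 documentation addresses chosen here, and the SAN
lists stand in for real certificates.
"""

# Constructed forward zone: the pool name has two A records, each box its own.
A_RECORDS = {
    "mailrelays.domain": ["192.0.2.11", "192.0.2.12"],
    "mailrelay01.domain": ["192.0.2.11"],
    "mailrelay02.domain": ["192.0.2.12"],
}

# Constructed reverse zone, as the legitimate operator publishes it.
PTR_RECORDS = {
    "192.0.2.11": "mailrelay01.domain",
    "192.0.2.12": "mailrelay02.domain",
}

# Constructed subjectAltName dNSName lists, keyed by the IP the cert is served from.
# As described in the thread: each box only carries its own name.
SAN_AS_DEPLOYED = {
    "192.0.2.11": ["mailrelay01.domain"],
    "192.0.2.12": ["mailrelay02.domain"],
}
# The fix proposed in the reply: also put the pool name on both certs.
SAN_WITH_POOL_NAME = {
    "192.0.2.11": ["mailrelay01.domain", "mailrelays.domain"],
    "192.0.2.12": ["mailrelay02.domain", "mailrelays.domain"],
}

# Constructed on-path attacker: answers PTR queries for both relay IPs with a
# name it controls and presents a cert issued for that name.
SPOOFED_PTR = {
    "192.0.2.11": "relay.attacker.example",
    "192.0.2.12": "relay.attacker.example",
}
SAN_ATTACKER = {
    "192.0.2.11": ["relay.attacker.example"],
    "192.0.2.12": ["relay.attacker.example"],
}


def dns_name_matches(pattern, hostname):
    """RFC 6125-style dNSName comparison: case-insensitive, trailing dot
    ignored, wildcard allowed only as the whole leftmost label and matching
    exactly one label ("*.domain" covers "a.domain" but not "a.b.domain").
    Partial-label wildcards such as "mail*.domain" never match."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if p[0] != "*":
        return p == h
    return len(p) >= 2 and len(p) == len(h) and p[1:] == h[1:]


def cert_matches(san_names, expected_name):
    """True if any SAN dNSName on the presented certificate covers expected_name."""
    return any(dns_name_matches(san, expected_name) for san in san_names)


def relay_attempts(relay_name, san_table, ptr_table, verify_by="configured"):
    """Simulate one delivery attempt per A record of relay_name.

    verify_by="configured": compare the cert against the name written in
    smtpd.conf, i.e. the behaviour the thread observes.
    verify_by="ptr": compare it against the PTR of the peer IP instead, the
    alternative the thread floats.
    Returns a list of (ip, name_checked, verified) tuples.
    """
    attempts = []
    for ip in A_RECORDS[relay_name]:
        if verify_by == "configured":
            expected = relay_name
        elif verify_by == "ptr":
            expected = ptr_table.get(ip, "")
        else:
            raise ValueError("unknown verification mode: %r" % verify_by)
        verified = bool(expected) and cert_matches(san_table[ip], expected)
        attempts.append((ip, expected, verified))
    return attempts


def all_verified(attempts):
    """True only if every A record of the pool verified."""
    return all(ok for _, _, ok in attempts)


if __name__ == "__main__":
    scenarios = [
        ("as deployed, checked against configured name", SAN_AS_DEPLOYED, PTR_RECORDS, "configured"),
        ("pool name added to SANs, configured name", SAN_WITH_POOL_NAME, PTR_RECORDS, "configured"),
        ("as deployed, checked against PTR name", SAN_AS_DEPLOYED, PTR_RECORDS, "ptr"),
        ("attacker-chosen PTR, checked against PTR name", SAN_ATTACKER, SPOOFED_PTR, "ptr"),
    ]
    for label, sans, ptrs, mode in scenarios:
        print(label)
        for ip, name, ok in relay_attempts("mailrelays.domain", sans, ptrs, mode):
            print("  %-12s checked %-24s %s" % (ip, name, "OK" if ok else "FAIL"))
```

The first two scenarios are the thread's situation and the suggested fix; the third is the PTR idea working as hoped; the fourth is the same PTR logic accepting a certificate that has nothing to do with the relay domain, which is the reason an operator should bind verification to a name taken from their own configuration (or to a record they publish, such as an MX or TLSA record) rather than to whatever the peer's reverse zone returns.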

