Hi,
Thanks for the tip.
It worked.
Took a bit longer to figure out,
because somehow I was running 2 entities of smtpd, one with rcctl and one
with the smtpd -T option.
Thanks for the great and fast response.
Kind Regards,
Wim Stockman
On 23-09-2022 at 14:32, Tobias Fiebig wrote:
Heho,
Can you try:
# pki "*" ...
# pki "*" ...
# pki "*" ...
# pki "*" ...
pki "mail.thinkerwim.org" cert "/etc/ssl/mail.thinkerwim.org.fullchain.pem"
pki "mail.thinkerwim.org" key "/etc/ssl/private/mail.thinkerwim.org.key"
pki "mail.batterijland.com" cert "/etc/ssl/mail.batterijland.com.fullchain.pem"
pki "mail.batterijland.com" key "/etc/ssl/private/mail.batterijland.com.key"
...
listen on all tls pki "mail.thinkerwim.org" pki "mail.batterijland.com"
...
At least that is how I read 'man smtpd.conf', i.e.:
pki pkiname
For secure connections, use the certificate associated
with pkiname (declared in a pki directive) to prove a
mail server's identity. This option can be used multiple
times to provide alternate certificates for SNI.
With best regards,
Tobias
-----Original Message-----
From: wim <[email protected]>
Sent: Friday, 23 September 2022 14:20
To: Tobias Fiebig <[email protected]>
Subject: Re: SNI seems not working
I'm testing with openssl.
openssl s_client -connect mail.batterijland.com:25 -starttls smtp -servername mail.batterijland.com
On 23-09-2022 at 13:41, Tobias Fiebig wrote:
Heho,
How are you testing this? libressl connect? Are you signalling SNI there?
With best regards,
Tobias
-----Original Message-----
From: wim <[email protected]>
Sent: Friday, 23 September 2022 13:26
To: [email protected]
Subject: SNI seems not working
Hi, I'm trying to configure SNI,
but it always returns the first pki from my smtp.conf
Here is what my conf looks like for the moment:
# $OpenBSD: smtpd.conf,v 1.14 2019/11/26 20:14:38 gilles Exp $
# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

pki "*" cert "/etc/ssl/mail.thinkerwim.org.fullchain.pem"
pki "*" key "/etc/ssl/private/mail.thinkerwim.org.key"
pki "*" cert "/etc/ssl/mail.batterijland.com.fullchain.pem"
pki "*" key "/etc/ssl/private/mail.batterijland.com.key"
pki "mail.thinkerwim.org" cert "/etc/ssl/mail.thinkerwim.org.fullchain.pem"
pki "mail.thinkerwim.org" key "/etc/ssl/private/mail.thinkerwim.org.key"
pki "mail.batterijland.com" cert "/etc/ssl/mail.batterijland.com.fullchain.pem"
pki "mail.batterijland.com" key "/etc/ssl/private/mail.batterijland.com.key"

filter dkimsign_rsa proc-exec "filter-dkimsign -d thinkerwim.org -s 20220705 -k /etc/mail/dkim/private.rsa.key" user _dkimsign group _dkimsign
#filter "rdns" phase connect match !rdns disconnect "550 DNS ERROR"
#filter "fcrdns" phase connect match !fcrdns disconnect "550 DNS ERROR"

table aliases file:/etc/mail/aliases
table batalias file:/etc/mail/batalias
#table virtuals file:/etc/mail/virtuals

#listen directives
listen on all tls pki "*"
#listen on all port 25 tls pki "*"
#listen on all port 587 tls pki hostname mail.thinkerwim.org tls pki mail.thinkerwim.org auth
#listen on all port 587 tls-require pki hostname auth hostname
listen on all port 587 tls-require pki mail.thinkerwim.org auth hostname mail.thinkerwim.org
listen on all port 588 tls-require pki mail.batterijland.com auth hostname mail.batterijland.com
#listen on all port 465 tls-require pki mail.thinkerwim.org auth hostname mail.thinkerwim.org
listen on lo0 port 10028 tag DKIM

# send mail to maildir ~/.mail for local accounts in alias table
#action "local" maildir "%{user.directory}/.mail" alias <aliases>
action "local" lmtp "/var/dovecot/lmtp" alias <aliases>
action "batlocal" lmtp "/var/dovecot/lmtp" rcpt-to virtual <batalias>
action "relay" relay helo mail.thinkerwim.org
action "relay_dkim" relay host smtp://127.0.0.1:10027

# thinkerwim.org
match from any for domain "thinkerwim.org" action "local"
match from any for domain "batterijland.com" action "batlocal"
#match from any for domain {"thinkerwim.org","batterijland.com"} action "local"

# local
match for local action "local"

# dkim
match tag DKIM for any action "relay"
##match auth from any for any action "relay"
match auth from any for any action "relay_dkim"
Thanks
Wim Stockman
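Putting the two halves of this thread together, here is a small probe script, added as an example and not part of the thread or of OpenSMTPD. It runs the same openssl s_client -starttls smtp -servername test Wim used, once per hostname, and checks that the subjectAltName of the certificate that came back actually covers the name that was requested, which is what the listen on all tls pki "mail.thinkerwim.org" pki "mail.batterijland.com" line from Tobias' reply should produce once the duplicate pki "*" entries are gone. The two hostnames are the ones from the thread; the listener being on port 25, the script name check_sni.sh and openssl(1) being in PATH are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or OpenSMTPD): confirm that an smtpd
# listener returns the certificate that matches the SNI name the client sends.
#
# Assumed listener, as in Tobias' suggestion (the pki "*" lines removed):
#   listen on all tls pki "mail.thinkerwim.org" pki "mail.batterijland.com"
#
# Requires openssl(1) in PATH (LibreSSL on OpenBSD works the same way).
# Usage (assumed script name and port):
#   sh check_sni.sh mail.batterijland.com 25 mail.thinkerwim.org mail.batterijland.com

# san_matches NAME SAN_TEXT
# SAN_TEXT is the "DNS:a, DNS:b, ..." line that `openssl x509 -text` prints
# under "X509v3 Subject Alternative Name". Returns 0 when NAME is covered by
# an exact DNS entry or by a single-label wildcard (*.parent), else 1.
san_matches() {
    name=$1
    # normalise to ",a,b,c," so every entry is comma-delimited on both sides
    list=",$(printf '%s' "$2" | tr -d '[:space:]' | sed 's/DNS://g'),"
    parent=${name#*.}
    case $list in
        *",$name,"*) return 0 ;;
    esac
    # a wildcard covers exactly one label and never the bare parent domain
    if [ "$parent" != "$name" ]; then
        case $list in
            *",*.$parent,"*) return 0 ;;
        esac
    fi
    return 1
}

# served_san HOST PORT SNI_NAME
# Runs the STARTTLS probe from the thread and prints the SAN line of the
# certificate the server actually presented for that SNI name.
served_san() {
    openssl s_client -connect "$1:$2" -starttls smtp -servername "$3" </dev/null 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null \
        | sed -n '/Subject Alternative Name/{n;p;}'
}

# check_sni HOST PORT SNI_NAME...
# Probes each name and reports whether the served certificate covers it.
# Returns 1 if any name got the wrong (or no) certificate.
check_sni() {
    host=$1
    port=$2
    shift 2
    rc=0
    for sni in "$@"; do
        served=$(served_san "$host" "$port" "$sni" | tr -d '[:space:]')
        if san_matches "$sni" "$served"; then
            printf 'OK   %s -> %s\n' "$sni" "$served"
        else
            printf 'FAIL %s -> %s\n' "$sni" "${served:-<no certificate>}"
            rc=1
        fi
    done
    return $rc
}

if [ $# -gt 0 ]; then
    check_sni "$@"
else
    echo "usage: $0 host port sni-name..." >&2
fi
```

The check is done on the subjectAltName only, since that is what mail clients and MTAs verify; a wildcard entry is treated as covering a single label, as RFC 6125 requires. If every name still comes back with the first certificate after the config change, make sure only one smtpd is actually answering on the port, which turned out to be the remaining problem in this thread.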