My question is pretty simple: Is it possible to have OpenSMTPD listen on a single socket (smtps or submission) and authenticate both "real" users (i.e., /etc/passwd) and virtual users from a credentials table (without adding the real users to the table)? I think the answer is "no" (and that is a fine answer, if that is the answer).
There were talks in the past about making auth as flexible/programmable as filters are. So maybe that becomes possible in the future.
For context, I'm setting up some relaying from an internal set of hosts. The internal relay needs to relay mail to my external mail server. I currently have this working by having my internal relay connect on the submission port (port 25 is firmly blocked) and authenticate as a user from /etc/passwd. Internally, I have provided self-signed certs for all the machines to authenticate with to the internal relay. I can't do this on the external relay because adding a new CA on a listen command *adds* the CA, it doesn't *replace* the CA (thus allowing any host with a legitimately signed cert to relay).
I'm not sure if I understand you 100%. But maybe you could add multiple OpenSMTPD sockets with different authentication and have the firewall forward connections, depending on the source IP, to the right internal port. So technically the mail server is only reachable on a single port, but depending on who asks, it supports different authentication types.
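One way to lay out the setup suggested in the reply above, as an added example that is not part of the thread and not configuration from the OpenSMTPD project itself: two loopback-only OpenSMTPD listeners, one authenticating against a credentials table and one against the system password database, with a pf rule that rewrites the destination port of inbound submission connections by source address. The pki name "mail.example.com", the table name "creds", the ports 10587/10588, the tags, and the internal network 192.0.2.0/24 are all assumed placeholders.

```conf
# --- /etc/mail/smtpd.conf (added example; names and ports are assumptions) ---
pki mail.example.com cert "/etc/ssl/mail.example.com.crt"
pki mail.example.com key  "/etc/ssl/private/mail.example.com.key"

# Virtual users only. One "username<TAB>hash" line per user; hashes
# come from `smtpctl encrypt`. System users are NOT listed here.
table creds file:/etc/mail/credentials

# Listener A: virtual users from the credentials table.
# Bound to lo0 only, so the pf rdr-to below is the only way in.
listen on lo0 port 10587 tls-require pki mail.example.com auth <creds> tag VIRTUAL

# Listener B: plain "auth" with no table means system users
# (/etc/passwd via bsd_auth or PAM). Also loopback-only.
listen on lo0 port 10588 tls-require pki mail.example.com auth tag SYSTEM

action "outbound" relay

# Relaying requires a successful SMTP AUTH on either listener;
# unauthenticated sessions on both ports match nothing and are rejected.
match auth from any for any action "outbound"

# --- /etc/pf.conf (added example; network and ports are assumptions) ---
# The specific rule comes first with "quick" so the internal relay
# network is steered to the system-user listener; every other client
# hitting port 587 lands on the virtual-user listener. rdr-to only
# rewrites the destination, so OpenSMTPD still sees the real client IP.
pass in quick on egress inet proto tcp from 192.0.2.0/24 \
    to (egress) port submission rdr-to 127.0.0.1 port 10588
pass in quick on egress inet proto tcp \
    to (egress) port submission rdr-to 127.0.0.1 port 10587
```

The security property of this arrangement rests entirely on the two listeners binding to lo0 and on pf being the only path to them: if either internal port were reachable directly, the source-address check would be bypassed. It also does not change OpenSMTPD's one-auth-backend-per-listener behaviour; it just pairs each backend with a distinct set of clients at the firewall.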
