On 2023/06/04 11:40:34 +0200, Frank de Bruijn <smtpd-...@aconet.nl> wrote:
> I built 7.3.0p0 rc2 on Debian Bookworm and it seems to work ok so far.
> Just one thing: I had to change my smtpd.conf, because starting
> initially failed with:
>
> smtpd: invalid listen option: pki required for tls/smtps
>
> My smtpd.conf has four pki sets, because the server serves several
> domains. Up to now, I never needed to use pki in a listen directive, as
> OpenSMTPD would pick the correct pki depending on the hostname.
>
> It appears this no longer works. Is that a bug or a deliberate change?
This was changed in OpenBSD 6.9, from the changelog:

: Change the way SNI works in smtpd.conf(5). TLS listeners may be
: configured with multiple certificates. The matching is based on the
: names included in these certificates.

I forgot to go thru the various releases and mention the changes in the
changelog. Will try to remember to do that for the release's changelog.

> If the latter, what to do now? For the tests, I used one of the pkis in
> the listen directive, but I really need all four of them. Would
> specifying them all work?

Yes, it's possible to specify more than one `pki' per `listen' directive.

Thanks for testing!

Omar Polo
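The following smtpd.conf fragment is an added illustration of the answer above, not configuration from the thread or from the OpenSMTPD project: it puts the pre-6.9 listener (the one that now fails with the error Frank quoted) beside a listener that names all four pki entries. Hostnames, certificate paths and the address 192.0.2.10 are placeholders.

```conf
# Constructed example: one server that fronts four mail hostnames.
# Each hostname gets its own pki entry, exactly as before 6.9.
pki mail.example.org cert "/etc/ssl/mail.example.org.crt"
pki mail.example.org key  "/etc/ssl/private/mail.example.org.key"
pki mail.example.net cert "/etc/ssl/mail.example.net.crt"
pki mail.example.net key  "/etc/ssl/private/mail.example.net.key"
pki mail.example.com cert "/etc/ssl/mail.example.com.crt"
pki mail.example.com key  "/etc/ssl/private/mail.example.com.key"
pki mail.example.edu cert "/etc/ssl/mail.example.edu.crt"
pki mail.example.edu key  "/etc/ssl/private/mail.example.edu.key"

# Pre-6.9 style: no pki on the listener, smtpd chose one by hostname.
# On 6.9 and later this is rejected at startup with
#   smtpd: invalid listen option: pki required for tls/smtps
# listen on 192.0.2.10 tls
# listen on 192.0.2.10 smtps port 465

# 6.9 and later: list every pki the listener may present. smtpd matches
# the SNI name the client sends against the names in these certificates,
# so all four hostnames are still served from the same listener.
listen on 192.0.2.10 tls pki mail.example.org pki mail.example.net pki mail.example.com pki mail.example.edu
listen on 192.0.2.10 smtps port 465 pki mail.example.org pki mail.example.net pki mail.example.com pki mail.example.edu
```

Run `smtpd -n -f <file>` to check the rewritten file before restarting, since this is exactly the class of error that only surfaces at startup.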