On Wed, Dec 10, 2025 at 04:22:06PM +0100, Stéphane Guedon wrote:
> I have this conf' in host blackblock :
>
> ip6 = "2a05:f6c7:de1::2"
> listen on $ip6 tag SAFE tls-require pki blackblock port 10027
>
> Blackblock listens on the proper port :
>
> debug: smtp: listen on [2a05:f6c7:de1::2] port 10027 flags 0x421
>
>
> And this in host dina :
>
> action "relay" relay host smtp+tls://[2a05:f6c7:de1::2]:10027 pki dina tls
> protocols secure src 2603:c026:306:9211:f:10d:c:9f55

The action directive on dina includes a 'pki' option, so you are presenting a client certificate to blackblock. But the listen directive on blackblock only specifies tls-require, without 'verify', so the client certificate is not required. Although this is not the cause of the error, it might not be the configuration you want.

Apart from that, your configuration essentially matches what we use on various setups here, so it should be expected to work.

> And yet I can do telnet from Dina to Blackblock :
>
> dina$ telnet -6 blackblock.22decembre.eu 10027
> Trying 2a05:f6c7:de1::2...
> Connected to blackblock.22decembre.eu.
> Escape character is '^]'.
> 220 blackblock.22decembre.eu ESMTP OpenSMTPD

Are you connecting from the same source address (2603:c026:306:9211:f:10d:c:9f55)?

What happens if you try connecting using:

# openssl s_client -host 2a05:f6c7:de1::2 -starttls smtp -port 10027

Also, if this listener on blackblock is purely for receiving mail from another smtpd instance on dina and not exposed to the wider internet, why not run smtps instead of smtp with forced starttls? It's somewhat easier to debug...
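The point about 'pki' on dina's relay action being pointless without 'verify' on blackblock's listener, shown as an added smtpd.conf fragment for the blackblock side. This is an illustration written for this thread, not the poster's actual file; the pki/ca file paths and the CA name dina-ca are assumptions.

```conf
# blackblock: /etc/mail/smtpd.conf (added illustration, not the poster's config)
# Certificate paths and the CA name "dina-ca" are assumed, not from the thread.

pki blackblock cert "/etc/ssl/blackblock.crt"
pki blackblock key  "/etc/ssl/private/blackblock.key"

# CA that issued the client certificate dina presents via "pki dina" (assumed)
ca dina-ca cert "/etc/ssl/dina-ca.crt"

ip6 = "2a05:f6c7:de1::2"

# As posted: STARTTLS is mandatory, but the listener never asks the client
# for a certificate, so "pki dina" on the relay action is not checked here.
#listen on $ip6 tag SAFE tls-require pki blackblock port 10027

# With "verify": the listener requests the client certificate and refuses
# the session unless it validates against the named CA, so only a peer
# holding a certificate issued by dina-ca reaches the SAFE-tagged listener.
listen on $ip6 tag SAFE tls-require verify pki blackblock ca dina-ca port 10027
```

After changing the listener, `smtpd -n` checks the syntax, and the `openssl s_client -starttls smtp` check from the reply shows whether the server now sends a certificate request during the handshake.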
