On 10.12.2025 19.38, Crystal Kolipe wrote:
> The action directive on dina includes a 'pki' option, so you are presenting a
> client certificate to blackblock.
>
> But the listen directive on blackblock only specifies tls-require, without
> 'verify', so the client certificate is not required.

Well, I added "verify" in the last hours during tests because I want the
connection between the two acting like a safe tunnel. Still not working,
as it's not the root cause of the trouble.

I am still just as perplexed.

> Although this is not the cause of the error, it might not be the configuration
> you want.
>
> Apart from that, your configuration essentially matches what we use on various
> setups here, so it should be expected to work.

And yet I can do telnet from Dina to Blackblock:

dina$ telnet -6 blackblock.22decembre.eu 10027
Trying 2a05:f6c7:de1::2...
Connected to blackblock.22decembre.eu.
Escape character is '^]'.
220 blackblock.22decembre.eu ESMTP OpenSMTPD

> Are you connecting from the same source address,
> (2603:c026:306:9211:f:10d:c:9f55)?

Yes.

> What happens if you try connecting using:
>
> # openssl s_client -host 2a05:f6c7:de1::2 -starttls smtp -port 10027

I get a full certified connection (same as on ports 25 and 587).

dina$ openssl s_client -host 2a05:f6c7:de1::2 -starttls smtp -port 10027
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R13
verify return:1
depth=0 CN = blackblock.22decembre.eu
verify return:1
---
Certificate chain
 0 s:/CN=blackblock.22decembre.eu
   i:/C=US/O=Let's Encrypt/CN=R13
 1 s:/C=US/O=Let's Encrypt/CN=R13
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGWjCCBUKgAwIBAgISBXUNFcNS3Bl5qnvnCkR+A0Y9MA0GCSqGSIb3DQEBCwUA
..
hE18gaOiexG5vjI6qWsGIvEgee6Np7/ClbP/N2PVwEcAGo/wfqcJNcKiu2ai2g==
-----END CERTIFICATE-----
subject=/CN=blackblock.22decembre.eu
issuer=/C=US/O=Let's Encrypt/CN=R13
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 4050 bytes and written 406 bytes
---
New, TLSv1/SSLv3, Cipher is TLS_CHACHA20_POLY1305_SHA256
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_CHACHA20_POLY1305_SHA256
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Start Time: 1765397399
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
250 HELP
16373541939144:error:1404C45C:SSL routines:ST_OK:tlsv13 alert certificate required:/usr/src/lib/libssl/tls13_lib.c:167:SSL alert number 116
dina$

I don't know if the last line is normal though.

> Also, if this listener on blackblock is purely for receiving mail from another
> smtpd instance on dina and not exposed to the wider internet, why not run
> smtps instead of smtp with forced starttls? It's somewhat easier to debug...

Ok, I did not know that. I can totally switch to smtps. I will make an
attempt.
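For readers following this thread, an added example (not taken from the message above or from the OpenSMTPD project) of the two smtpd.conf halves the discussion is converging on: an `smtps verify` listener on blackblock that only accepts a client presenting a certificate signed by a CA it knows, and a relay action on dina that presents its own certificate via `pki`. Interface names, pki and ca names, file paths and the tag are assumed.

```conf
# --- blackblock: /etc/mail/smtpd.conf (path assumed) ---
# Server certificate and key for the listener (names and paths assumed).
pki blackblock.22decembre.eu cert "/etc/ssl/blackblock.22decembre.eu.fullchain.pem"
pki blackblock.22decembre.eu key  "/etc/ssl/private/blackblock.22decembre.eu.key"

# CA used to verify the client certificate dina presents (name and path assumed).
ca relay-ca cert "/etc/ssl/relay-ca.pem"

# Implicit TLS on 10027; "verify" rejects any client that presents no
# certificate chaining to relay-ca. A plain telnet still sees the 220 banner
# on a STARTTLS listener because no certificate is checked before STARTTLS.
listen on vio0 port 10027 smtps verify pki blackblock.22decembre.eu ca relay-ca tag RELAY

action "local_mail" mbox
match tag RELAY for domain "22decembre.eu" action "local_mail"

# --- dina: /etc/mail/smtpd.conf (path assumed) ---
# Client certificate dina presents to blackblock (names and paths assumed).
pki dina.22decembre.eu cert "/etc/ssl/dina.22decembre.eu.fullchain.pem"
pki dina.22decembre.eu key  "/etc/ssl/private/dina.22decembre.eu.key"

# smtps:// negotiates TLS from the first byte (no STARTTLS), so a problem
# with the client certificate fails the handshake instead of surfacing as an
# alert after "250 HELP" as in the s_client session above.
action "to_blackblock" relay host smtps://blackblock.22decembre.eu:10027 pki dina.22decembre.eu

match from local for any action "to_blackblock"
```

To check the listener by hand, present a client certificate with `openssl s_client -connect blackblock.22decembre.eu:10027 -cert <cert> -key <key>`; without `-cert`, alert 116 (certificate required) is exactly what `verify` is supposed to produce.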