On Wed, Dec 10, 2025 at 10:51:00PM +0100, Stphane Guedon wrote: > 16373541939144:error:1404C45C:SSL routines:ST_OK:tlsv13 alert certificate > required:/usr/src/lib/libssl/tls13_lib.c:167:SSL alert number 116 > dina$ > > I don't know if the last line is normal though.
Presumably this was after you added 'verify' to the listener, because this error is caused by the client not providing a client cert when the server expects one. You can provide it using the -cert and -key options to openssl s_client, if you want to test further. However, you are using the IP address directly in the action directive instead of using a hostname: > action "relay" relay host smtp+tls://[2a05:f6c7:de1::2]:10027 pki dina tls > protocols secure src 2603:c026:306:9211:f:10d:c:9f55 .. but the server certificate doesn't have this IP address in it's SAN field. Have you tried using the hostname here? I.E. action "relay" relay host smtp+tls://blackblock.22decembre.eu:10027 pki dina tls protocols secure src 2603:c026:306:9211:f:10d:c:9f55
