Hi.
I take on debugging again on that. Thanks for previous participants.
For reminders : I cannot connect to my main mail server from the backup.
The main mail server (blackblock) is listening on on ipv6 on a dedicated
port and I can see that a connection is possible (no blockage from
firewalls).
And yet, I got this :
debug: mta-routing: skipping host 89.150.157.50: AF mismatch
debug: mta-routing: skipping route [2603:c026:306:9211::300] <->
[2a05:f6c7:de1::2] (blackblock): not validated yet
debug: mta: hit route limit
debug: mta-routing: no route available for
[connector:[2603:c026:306:9211::300]->[relay:blackblock.22decembre.eu,port=10027,smtps,pki_name=dina,mx,sourcetable=<dynamic:2>],0x0]:
limits reached
debug: mta: retrying to connect on
[connector:[2603:c026:306:9211::300]->[relay:blackblock.22decembre.eu,port=10027,smtps,pki_name=dina,mx,sourcetable=<dynamic:2>],0x0]
in 5s...
debug: mta: draining
[relay:blackblock.22decembre.eu,port=10027,smtps,pki_name=dina,mx,sourcetable=<dynamic:2>]
refcount=2, ntask=17, nconnector=1, nconn=1
debug: mta: scheduling relay
[relay:blackblock.22decembre.eu,port=10027,smtps,pki_name=dina,mx,sourcetable=<dynamic:2>]
in 10s...
debug: mta: ... timeout for
[connector:[2603:c026:306:9211::300]->[relay:blackblock.22decembre.eu,port=10027,smtps,pki_name=dina,mx,sourcetable=<dynamic:2>],0x20000]
debug: mta: connecting with
[connector:[2603:c026:306:9211::300]->[relay:blackblock.22decembre.eu,port=10027,smtps,pki_name=dina,mx,sourcetable=<dynamic:2>],0x0]
This was when trying to send mail from dina (backup server) to blackblock.
I tried to do this in smtps, smtp+tls (eg starttls) or even smtp
(without tls security) and it still fails.
Any more suggestions ?
On 10.12.2025 23.45, Crystal Kolipe wrote:
On Wed, Dec 10, 2025 at 10:51:00PM +0100, Stphane Guedon wrote:
16373541939144:error:1404C45C:SSL routines:ST_OK:tlsv13 alert certificate
required:/usr/src/lib/libssl/tls13_lib.c:167:SSL alert number 116
dina$
I don't know if the last line is normal though.
Presumably this was after you added 'verify' to the listener, because this
error is caused by the client not providing a client cert when the server
expects one.
I guessed so, so I was not so worried
You can provide it using the -cert and -key options to openssl s_client, if
you want to test further.
However, you are using the IP address directly in the action directive instead
of using a hostname:
action "relay" relay host smtp+tls://[2a05:f6c7:de1::2]:10027 pki dina tls
protocols secure src 2603:c026:306:9211:f:10d:c:9f55
... but the server certificate doesn't have this IP address in it's SAN field.
Have you tried using the hostname here?
I.E.
action "relay" relay host smtp+tls://blackblock.22decembre.eu:10027 pki dina tls
protocols secure src 2603:c026:306:9211:f:10d:c:9f55
Yes
