On 15.12.2025 10.21, Crystal Kolipe wrote:
On Mon, Dec 15, 2025 at 03:24:07AM +0100, Thomas Bohl wrote:
Too bad that OpenBSD's "openssl s_client" doesn't have the -bind option or I
would have asked for the output of
openssl s_client -connect blackblock.22decembre.eu:10027 -bind [2603:c026:306:9211::300]
Can't you use /usr/bin/nc instead now, since you've switched the listener to
smtps?
I did not think of it. But we have now a change of behaviour (cf. bottom
of mail).
That is a clear text connection only. Try
listen on $ip6 port 10027 smtps \
^^^^^
hostname blackblock.22decembre.eu \
pki blackblock
# nc -cv blackblock.22decembre.eu 10027
The -s and -p options allow selecting the source address and port.
I assume you block connections to 10027 from the internet? Because I tried and
can't connect.
I also tested just now, and see no response from port 10027 on either IPv6 or
IPv4. Connection to port 25 succeeds. But the OP says in another mail that
10027 has now been opened to the internet for debugging, so I was expecting to
get a connection. Maybe it was just opened temporarily?
No, I opened the port on pf, but I had forgotten on the router. Now
it's opened worldwide there too. I apologize.
Separately, I wonder if there are any firewall rules on the relay host that
prevent an outgoing connection based on UID or GID. That would explain why
connecting as an arbitrary user works, but smtpd fails.
Actually, right now, it works. These are the lines running on the servers:
action "relay" relay host smtps://blackblock.22decembre.eu:10027 src 2603:c026:306:9211::300
listen on $ip6 port 10027 smtps hostname blackblock.22decembre.eu pki blackblock
I see only two differences: I am not requiring tls on either side, and
I am explicit on the hostname in the listen clause.
For example, this was one of the lines that failed before:
action "relay" relay host smtp+tls://blackblock.22decembre.eu:10027 tls pki dina protocols secure src 2603:c026:306:9211::300
Why is it a problem that I require tls validation? I wanted to be safe,
and I felt like this was possible as I control both ends of the connection.
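The thread turns on two things: whether the listener speaks implicit TLS (smtps, what `nc -c` talks to) or clear-text SMTP followed by STARTTLS (smtp+tls), and whether the relay's outgoing connection, bound to a particular source address, can validate the listener's certificate for the configured hostname. The following is an added example, not code from the thread or from OpenSMTPD: a small Python probe that connects from a chosen source address (the `-bind` / `-s` idea OpenBSD's openssl s_client lacks, per the thread), negotiates TLS in the mode the relay URL implies, and verifies the certificate against the URL's host name with the system CA store. The scheme meanings and default ports are my reading of smtpd.conf(5) and are assumptions to check against the man page; host names other than the one in the thread are placeholders.

```python
"""Probe an OpenSMTPD relay target the way a relay action would reach it.

Added example for the thread above; it is not code from the thread or from
OpenSMTPD. Scheme meanings and default ports are my reading of smtpd.conf(5)
(an assumption to verify against the man page).
"""
import socket
import ssl
import smtplib
from urllib.parse import urlsplit

# relay URL scheme -> how the session is expected to be secured (assumed)
MODES = {
    "smtps": "implicit-tls",           # TLS from the first byte; what `nc -c` speaks
    "smtp+tls": "starttls-required",   # clear-text greeting, then STARTTLS must succeed
    "smtp": "starttls-opportunistic",  # STARTTLS used only if the server offers it
}
DEFAULT_PORT = {"smtps": 465, "smtp+tls": 25, "smtp": 25}  # assumed defaults


def classify_relay_url(url):
    """Split an smtpd relay URL into host, port and expected TLS mode."""
    parts = urlsplit(url)
    if parts.scheme not in MODES:
        raise ValueError("unsupported relay scheme: %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("relay URL has no host: %r" % url)
    return {
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORT[parts.scheme],
        "mode": MODES[parts.scheme],
    }


def probe_relay(url, src=None, timeout=10):
    """Connect like the relay would (optionally from source address `src`),
    verify the peer certificate against the URL host name and report what
    the listener actually speaks.  Returns a dict; raises on TLS failure."""
    info = classify_relay_url(url)
    host, port, mode = info["host"], info["port"], info["mode"]
    ctx = ssl.create_default_context()  # system CA store, host name check on
    source = (src, 0) if src else None  # same idea as nc -s / s_client -bind

    if mode == "implicit-tls":
        raw = socket.create_connection((host, port), timeout=timeout,
                                       source_address=source)
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            banner = tls.recv(512).decode("ascii", "replace").strip()
            subject = dict(x[0] for x in tls.getpeercert()["subject"])
        return {**info, "tls": True, "banner": banner,
                "peer_cn": subject.get("commonName")}

    # STARTTLS paths: the greeting is clear text, TLS is negotiated afterwards
    with smtplib.SMTP(host, port, timeout=timeout, source_address=source) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            if mode == "starttls-required":
                raise RuntimeError("%s:%d does not offer STARTTLS" % (host, port))
            return {**info, "tls": False, "peer_cn": None}
        smtp.starttls(context=ctx)  # chain and host name verified via ctx
        subject = dict(x[0] for x in smtp.sock.getpeercert()["subject"])
        return {**info, "tls": True, "peer_cn": subject.get("commonName")}


if __name__ == "__main__":
    import sys
    # usage: probe.py smtps://host:port [source-address]
    target = sys.argv[1] if len(sys.argv) > 1 else "smtps://mail.example.invalid:10027"
    print(probe_relay(target, src=sys.argv[2] if len(sys.argv) > 2 else None))
```

Run it against the relay URL exactly as it appears in the `action "relay"` line, with the `src` address as the second argument. A handshake failure here (hostname mismatch, unknown issuer for the `pki` certificate on the listener) is the same check the relay performs when `tls` verification is required, while a clean `peer_cn` and banner confirm that the listener really is implicit TLS on that port.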