On 15.12.2025 14.28, Crystal Kolipe wrote:
On Mon, Dec 15, 2025 at 02:19:59PM +0100, Stéphane Guedon wrote:
Actually, right now, it works. These are the lines running on the servers:

action "relay" relay host smtps://blackblock.22decembre.eu:10027 src 2603:c026:306:9211::300

listen on $ip6 port 10027 smtps hostname blackblock.22decembre.eu pki blackblock

I see only two differences: I am not requiring tls on either side, and I am
explicit on the hostname in the listen clause.

The connection is using tls, smtps is by definition always over an encrypted
channel.

The syntax of smtpd.conf uses 'tls' in various places to mean starttls, which
may have caused a bit of confusion.

Why is it a problem that I require tls validation? I wanted to be safe, and
I felt like this was possible as I control both ends of the connection.

Using smtps, the connection is encrypted.

Yes, I know. The thing that troubles me now is that I don't get why I could place tls after the host declaration.

action "relay" relay host smtp+tls://blackblock.22decembre.eu:10027 tls pki dina protocols secure src 2603:c026:306:9211::300

I thought that I was initiating a starttls connection to blackblock, and provided dina's tls cert, so both hosts were authenticated, and the connection could not be any more secure.

Was it not possible? Was it actually undesirable?


If you want to verify the client cert for full validation, that's also
possible using 'verify'.
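An added smtpd.conf sketch, not written by anyone in this thread, pairing the two ends the way Crystal describes: smtps on both sides (implicit TLS, no STARTTLS step) and 'verify' on the listener so blackblock also checks dina's client certificate. Hostnames, pki names and the relay source address are the ones quoted above; the listener address and the certificate paths are constructed placeholders.

```conf
# Added example, not from the thread. Both machines run OpenSMTPD.

# --- blackblock (receiving side) ---
ip6 = "2001:db8::1"        # constructed placeholder for the real listener address

pki blackblock cert "/etc/ssl/blackblock.crt"          # assumed path
pki blackblock key  "/etc/ssl/private/blackblock.key"  # assumed path

# smtps: the TLS handshake happens before any SMTP dialogue, so there is no
# STARTTLS step to downgrade. 'verify' additionally requires the client to
# present a valid certificate, so only a peer holding dina's key is accepted.
listen on $ip6 port 10027 smtps verify pki blackblock hostname blackblock.22decembre.eu

# --- dina (sending side) ---
pki dina cert "/etc/ssl/dina.crt"          # assumed path
pki dina key  "/etc/ssl/private/dina.key"  # assumed path

# smtps:// in the URL already means the connection is encrypted; 'pki dina'
# presents the client certificate that the listener's 'verify' checks.
# The 'tls' keyword elsewhere in smtpd.conf refers to STARTTLS, a different
# mechanism, so it is not used here.
action "relay" relay host smtps://blackblock.22decembre.eu:10027 pki dina src 2603:c026:306:9211::300
```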
