On 15.12.25 at 15:03, Stéphane Guedon wrote:
On 15.12.2025 14.28, Crystal Kolipe wrote:
On Mon, Dec 15, 2025 at 02:19:59PM +0100, Stéphane Guedon wrote:
Actually, right now, it works. These are the lines running in the
servers:
action "relay" relay host smtps://blackblock.22decembre.eu:10027 src
2603:c026:306:9211::300
listen on $ip6 port 10027 smtps hostname blackblock.22decembre.eu pki
blackblock
I see only two differences: I am not requiring tls on either side,
But smtp_s_ is tls from the start. "SMTP session with forced TLS on
connection." It is the opposite of not requiring tls.
and I am
explicit on the hostname in the listen clause.
You also force smtp_s_. Being explicit with the hostname is IMHO better
than relying on RDNS.
Using smtps, the connection is encrypted.
Yes, I know. The thing that troubles me now is that I don't get why I
could place tls after the host declaration.
action "relay" relay host smtp+tls://blackblock.22decembre.eu:10027 tls
pki dina protocols secure src 2603:c026:306:9211::300
I thought that I was initiating a starttls connection to blackblock, and
According to https://pastebin.com/nAKFADH9 (listen on $ip6 inet6 port
10027) blackblock only accepted connections _without_ encryption.
provided dina's tls cert, so both hosts were authenticated, and the
connection could not be any more secure.
Warning: You don't have authentication between blackblock and dina!
(That is why you need 2603:c026:306:9211::300 in your <localnet> table.)
Even with "verify". All that does is: "Yep, I know and trust that CA."
Authentication is a different "beast". Whether you want or need to
introduce it is another topic. Just remember for now, that the
transactions are not authenticated.
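For readers who want to see what "introducing authentication" on this hop would look like, here is an added smtpd.conf sketch that is not part of the thread or of either correspondent's configuration. It keeps the working smtps/pki lines quoted above (host names, pki names and the IPv6 source address are taken from the thread) and adds SMTP AUTH on top of the already-encrypted link, so that blackblock relays for dina because dina proved it holds a credential, not because its address sits in the <localnet> table. The table names, file paths, the user name, the match rule and the action name "outbound" are assumptions.

```conf
# Added example, not the configuration from the thread.
# Goal: authenticate the dina -> blackblock relay hop with SMTP AUTH over smtps.

## On blackblock (receiving side)
# Credentials file (assumed path); one line per user:
#   relayuser <password hash produced by "smtpctl encrypt">
table creds file:/etc/mail/creds

# Same listener as in the thread, now requiring authentication on the session.
listen on $ip6 port 10027 smtps hostname blackblock.22decembre.eu pki blackblock auth <creds>

# Relay only for authenticated sessions, instead of a source-address rule that
# needs 2603:c026:306:9211::300 in <localnet>. Action name "outbound" is assumed.
match auth from any for any action "outbound"

## On dina (sending side)
# Secrets file (assumed path); one line per label:
#   blackblock relayuser:<cleartext password>
table secrets file:/etc/mail/secrets

# The "blackblock@" label selects the credentials from <secrets>; the rest of the
# line matches the thread's working relay action.
action "relay" relay host smtps://blackblock@blackblock.22decembre.eu:10027 auth <secrets> pki dina src 2603:c026:306:9211::300
```

With this in place the TLS layer still only tells dina that it reached a host with a certificate it trusts; it is the AUTH exchange that tells blackblock which peer is relaying through it, which is the property the paragraph above says the current setup lacks. Keep the credentials files readable only by root and the smtpd user, and check both sides with `smtpd -n` before reloading.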