On 15.12.2025 21.37, Thomas Bohl wrote:
> On 15.12.25 at 15:03, Stéphane Guedon wrote:
>> On 15.12.2025 14.28, Crystal Kolipe wrote:
>>> On Mon, Dec 15, 2025 at 02:19:59PM +0100, Stéphane Guedon wrote:
>>>> and I am
>>>> explicit on the hostname in the listen clause.
>>> Being explicit with the hostname is IMHO better
>>> than relying on RDNS.
>> Ok, that I understand.
>>> Using smtps, the connection is encrypted.
>> Yes, I know. The thing that troubles me now is that I don't get why I
>> could place tls after the host declaration.
>> action "relay" relay host smtp+tls://blackblock.22decembre.eu:10027
>> tls pki dina protocols secure src 2603:c026:306:9211::300
>> I thought that I was initiating a starttls connection to blackblock, and
> According to https://pastebin.com/nAKFADH9 (listen on $ip6 inet6 port
> 10027) blackblock only accepted connections _without_ encryption.
>> provided dina's tls cert, so both hosts were authenticated, and the
>> connection could not be any more secure.
> Warning: You don't have authentication between blackblock and dina!
> (That is why you need 2603:c026:306:9211::300 in your <localnet> table.)
> Even with "verify". All that does is: "Yep, I know and trust that CA."
> Authentication is a different "beast". Whether you want or need to
> introduce it is another topic. Just remember for now, that the
> transactions are not authenticated.
Well, now I think I got it running like I want, and in the next days, I
will tighten again the firewalls.
I will maybe document that setup on my blog, as much to help others as
myself.
I wish to thank you.
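A constructed smtpd.conf fragment, added here and not taken from either host's real configuration, showing the distinction Thomas draws between encryption and authentication: the listener on blackblock requires a client certificate issued by a named private CA instead of trusting the source address via <localnet>, and the relay action on dina presents dina's certificate and verifies blackblock's against that same CA. The CA name "mail-ca" and all file paths are placeholders; keyword grammar follows smtpd.conf(5) and should be checked against the installed OpenSMTPD version.

```conf
# Constructed example, not the configuration from the thread.
# Private CA that issued both hosts' certificates (placeholder path).
ca "mail-ca" cert "/etc/ssl/mail-ca.pem"

# --- on blackblock (receiving side) ---
pki "blackblock" cert "/etc/ssl/blackblock.crt"
pki "blackblock" key  "/etc/ssl/private/blackblock.key"

# Weak: STARTTLS is offered, but any client may connect without proving
# who it is, so the sender's address has to be whitelisted in <localnet>.
# listen on $ip6 inet6 port 10027 tls pki "blackblock"

# Authenticated: TLS is mandatory and the client must present a certificate
# that chains to "mail-ca"; a client without one is rejected.
# ($ip6 is the macro used in the original listen line.)
listen on $ip6 inet6 port 10027 tls-require verify pki "blackblock" ca "mail-ca"

# --- on dina (relaying side) ---
pki "dina" cert "/etc/ssl/dina.crt"
pki "dina" key  "/etc/ssl/private/dina.key"

# smtp+tls:// means: open a plain SMTP session, then STARTTLS is mandatory.
# smtps:// would instead mean implicit TLS from the first byte.
# "pki dina" presents dina's certificate as the client certificate;
# "ca mail-ca" verifies blackblock's server certificate against the private CA
# rather than against the system CA bundle.
action "relay" relay host smtp+tls://blackblock.22decembre.eu:10027 tls pki "dina" ca "mail-ca"
```

With the listener configured this way the <localnet> entry for dina's source address is no longer what grants relay rights; the client certificate is.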