On 18.12.25 at 20:00 Stuart D Gathman wrote:
> On Mon, 15 Dec 2025, Thomas Bohl wrote:
>>> provided dina's tls cert, so both hosts were authenticated, and the
>>> connection could not be any more secure.
>> Warning: You don't have authentication between blackblock and dina!
>> (That is why you need 2603:c026:306:9211::300 in your <localnet>
>> table.) Even with "verify". All that does is: "Yep, I know and trust
>> that CA."
>> Authentication is a different "beast". Whether you want or need to
>> introduce it is another topic. Just remember for now, that the
>> transactions are not authenticated.
> Here's what I do with opensmtpd for peer to peer email: use a
> "crypto-mesh" IPv6 VPN like cjdns or yggdrasil. The raw IPs are
> authenticated,
I'm only talking about smtpd's understanding of authentication. Nothing
else. Like "match auth" inside smtpd.conf will not match because you
used a VPN or forced TLS. I'm also not implying something is insecure
with the solution presented in this thread.
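To make the distinction in this thread concrete, here is an added smtpd.conf fragment for blackblock's side (example config written for this thread, not posted by any participant). It assumes hypothetical certificate paths, a hypothetical CA name "mesh" that signed dina's certificate, a hypothetical credentials table for SMTP AUTH, and the domain example.org; dina's IPv6 address is the one quoted above. It shows that "tls-require verify" only checks the peer's certificate against the named CA, that "match auth" only matches sessions that completed SMTP AUTH, and that accepting dina's mail therefore rests on the source-address rule:

```conf
# Example smtpd.conf fragment for blackblock (added example, not from the thread).
# Certificate paths, the CA name "mesh", the creds table and example.org are
# hypothetical; 2603:c026:306:9211::300 is dina's address from the thread.

table localnet { 127.0.0.1/8, ::1/128, 2603:c026:306:9211::300 }
table creds file:/etc/mail/creds          # SMTP AUTH users (hypothetical)

pki blackblock cert "/etc/ssl/blackblock.crt"
pki blackblock key  "/etc/ssl/private/blackblock.key"
ca  mesh cert "/etc/ssl/mesh-ca.crt"      # CA that issued dina's client cert

# Port 25: TLS is mandatory and the client cert must chain to <ca mesh>.
# "verify" only answers "is this cert signed by a CA I trust?"; it does
# not mark the session as authenticated, so "match auth" will not fire.
listen on egress port 25 tls-require verify ca mesh pki blackblock

# Port 587: SMTP AUTH over mandatory TLS. Only sessions that log in here
# are "authenticated" in smtpd's sense.
listen on egress port 587 tls-require auth <creds> pki blackblock

action "deliver" maildir
action "relay"   relay

# Matches only sessions that completed SMTP AUTH (port 587 above).
match auth from any for any action "relay"

# This is what actually accepts dina's mail today: the source address.
# Remove dina from <localnet> and a verified-TLS session from dina is
# still treated as an anonymous remote host.
match from src <localnet> for any action "relay"

match from any for domain "example.org" action "deliver"
```

Rules are evaluated in order, first match wins, so a session from dina on port 25 never reaches "match auth" as a match; it is accepted by the "from src <localnet>" rule, which is exactly the point made above about needing dina's address in the table.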