Re: Validating certificate chain of SMTP TLS connections using privately-issued CA certs

On Wed, Mar 16, 2022 at 02:06:53AM +0100, Thomas Bohl wrote:
>>>> client# cat /tmp/server.crt >> /etc/ssl/certs.pem
>
> BTW it's /etc/ssl/cert.pem not /etc/ssl/certs.pem

Yeah, typo in the email on my part.

>>> Just go with free "ACME certificate".)
>>
>> Not possible.
>
> ...or do not have control over mail.example.org?

It's an air-gapped environment.
Re: Validating certificate chain of SMTP TLS connections using privately-issued CA certs

>>> client# cat /tmp/server.crt >> /etc/ssl/certs.pem

BTW it's /etc/ssl/cert.pem not /etc/ssl/certs.pem

>> Not the cert of the server but, like he said, the CACert.pem
>
> The certificate is self-signed. Sorry, I should have mentioned that.

Especially since you started by saying "A private CA has issued server certs to mail.example.org." :-)
You could just create your own CA...

>> Just go with free "ACME certificate".)
>
> Not possible.

...or do not have control over mail.example.org?
Re: Validating certificate chain of SMTP TLS connections using privately-issued CA certs

On Wed, Mar 16, 2022 at 12:16:23AM +0100, Thomas Bohl wrote:
>>> IIUC the client server needs the CA Certificate that was used to
>>> generate the SMTP-server Certificate in its /etc/ssl/cert.pem (on
>>> OpenBSD).
>>
>> Thanks. I did try this but it's still not working out.
>>
>> Download the server certificate and append it to our /etc/ssl/certs.pem
>>
>> client# scp relay-server:/etc/ssl/server.crt /tmp/
>> client# file /tmp/server.crt
>> /tmp/server.crt: PEM certificate
>> client# cat /tmp/server.crt >> /etc/ssl/certs.pem
>
> Not the cert of the server but, like he said, the CACert.pem

The certificate is self-signed. Sorry, I should have mentioned that.

> (And now you have to do that every time you update the system.

sysmerge works wonders on OpenBSD.

> Just go with free "ACME certificate".)

Not possible.
Re: Validating certificate chain of SMTP TLS connections using privately-issued CA certs

On 3/15/22 19:16, Thomas Bohl wrote:
>>> IIUC the client server needs the CA Certificate that was used to
>>> generate the SMTP-server Certificate in its /etc/ssl/cert.pem (on
>>> OpenBSD).
>>
>> Thanks. I did try this but it's still not working out.
>>
>> Download the server certificate and append it to our /etc/ssl/certs.pem
>>
>> client# scp relay-server:/etc/ssl/server.crt /tmp/
>> client# file /tmp/server.crt
>> /tmp/server.crt: PEM certificate
>> client# cat /tmp/server.crt >> /etc/ssl/certs.pem
>
> Not the cert of the server but, like he said, the CACert.pem
>
> (And now you have to do that every time you update the system. Just go
> with free "ACME certificate".)

OpenSMTPD should provide a way to specify the CA bundle used to validate an individual connection.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Re: Validating certificate chain of SMTP TLS connections using privately-issued CA certs

>> IIUC the client server needs the CA Certificate that was used to
>> generate the SMTP-server Certificate in its /etc/ssl/cert.pem (on
>> OpenBSD).
>
> Thanks. I did try this but it's still not working out.
>
> Download the server certificate and append it to our /etc/ssl/certs.pem
>
> client# scp relay-server:/etc/ssl/server.crt /tmp/
> client# file /tmp/server.crt
> /tmp/server.crt: PEM certificate
> client# cat /tmp/server.crt >> /etc/ssl/certs.pem

Not the cert of the server but, like he said, the CACert.pem

(And now you have to do that every time you update the system. Just go
with free "ACME certificate".)
Re: Validating certificate chain of SMTP TLS connections using privately-issued CA certs

On Tue, Mar 15, 2022 at 05:11:14PM +0100, Marcus MERIGHI wrote:
> Hello,
>
> rea...@catastrophe.net (rea...@catastrophe.net), 2022.03.15 (Tue) 00:27 (CET):
>> On Tue, Mar 15, 2022 at 09:40:34AM +1100, Dipesh Sharma wrote:
>>> Did you try the 'tls no-verify' option described here:
>>> https://man.openbsd.org/smtpd.conf#tls ? If you are sure that some host
>>> under example.com is talking to the correct mail.example.com host, it is OK
>>> to skip the certificate verification.
>>
>> I did not as that is not what I'm hoping to do.
>>
>> Instead I'd like to verify the servers certificate is signed by a CA
>> whose certificate is on the client machine.
>
> IIUC the client server needs the CA Certificate that was used to
> generate the SMTP-server Certificate in its /etc/ssl/cert.pem (on
> OpenBSD).

Thanks. I did try this but it's still not working out.

My configuration:

client# cat /etc/mail/smtpd.conf
table aliases file:/etc/mail/aliases
listen on socket
listen on lo0
action "local_mail" maildir alias
action "outbound" relay host smtp://relay-server.example.org
match for local action "local_mail"
match for any action "outbound"

Download the server certificate and append it to our /etc/ssl/certs.pem

client# scp relay-server:/etc/ssl/server.crt /tmp/
client# file /tmp/server.crt
/tmp/server.crt: PEM certificate
client# cat /tmp/server.crt >> /etc/ssl/certs.pem

Restart smtpd then send a test message

client# rcctl restart smtpd
client# echo "test" | mail -s Test recipi...@example.org

Logs show smtp becomes smtp+notls

client# tail -f /var/log/maillog
[..]
Mar 15 15:54:08 client smtpd[87731]: 329936c19282523c mta connecting address=smtp://192.168.1.1:25 host=relay-server.example.org
Mar 15 15:54:08 client smtpd[87731]: 329936c19282523c mta connected
Mar 15 15:54:08 client smtpd[87731]: smtp-out: Error on session 329936c19282523c: opportunistic TLS failed, downgrading to plain
Mar 15 15:54:08 client smtpd[87731]: 329936c19282523c mta connecting address=smtp+notls://192.168.1.1:25 host=relay-server.example.org
Mar 15 15:54:08 client smtpd[87731]: 329936c19282523c mta connected
Mar 15 15:54:09 client smtpd[87731]: 329936c19282523c mta delivery evpid=5141efe410221a1f from= to= rcpt=<-> source="192.168.1.9" relay="192.168.1.1 (relay-server.example.org)" delay=1s result="Ok" stat="250 2.0.0 e6ec7840 Message accepted for delivery"
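The thread hinges on which certificate belongs in the trust file that /etc/ssl/cert.pem provides to OpenSMTPD. As an added example that is not part of this thread, the script below uses the openssl(1) CLI to act out three cases: a CA-issued relay certificate checked against the CA, the same certificate checked against a trust file holding only the leaf (the poster's first attempt), and a self-signed certificate checked against itself (the poster's actual setup). Every name, key and certificate is constructed on the fly.

```shell
#!/bin/sh
# Added example, not from the thread. Shows which certificate must sit in the trust
# file (the role /etc/ssl/cert.pem plays for OpenSMTPD) for chain validation to pass.
# Needs only the openssl(1) CLI; all names and keys below are constructed.
set -eu

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
cd "$workdir"

# Case A: a private CA issues the relay's certificate (the subject line's scenario).
make_ca_issued() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Example Private CA' \
        -keyout ca.key -out ca.pem 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=relay-server.example.org' \
        -keyout server.key -out server.csr 2>/dev/null
    printf 'subjectAltName=DNS:relay-server.example.org\n' > san.ext
    openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 1 -extfile san.ext -out server.crt 2>/dev/null
}

# Case B: the relay's certificate is self-signed (what the poster actually had).
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=relay-server.example.org' \
        -addext 'subjectAltName=DNS:relay-server.example.org' \
        -keyout self.key -out self.crt 2>/dev/null
}

# verify_with TRUSTFILE CERT: prints "ok" or "fail", behaving like a TLS client that
# trusts only TRUSTFILE. Without -partial_chain only a self-signed root is an anchor,
# so a CA-issued leaf appended to the trust file does not make itself trusted.
verify_with() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

make_ca_issued
make_self_signed
R_CA=$(verify_with ca.pem server.crt)        # trust file holds the CA        -> ok
R_LEAF=$(verify_with server.crt server.crt)  # trust file holds the leaf only -> fail
R_SELF=$(verify_with self.crt self.crt)      # self-signed leaf is its own CA -> ok
printf 'CA-issued leaf, trust file holds the CA:   %s\n' "$R_CA"
printf 'CA-issued leaf, trust file holds the leaf: %s\n' "$R_LEAF"
printf 'self-signed leaf, trust file holds itself: %s\n' "$R_SELF"
```

The maillog above also explains why the failure was silent: a `smtp://` relay URL requests opportunistic STARTTLS, so a verification failure falls back to `smtp+notls://`, whereas smtpd.conf(5) documents `smtp+tls://` as the form that makes STARTTLS mandatory.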
Re: Validating certificate chain of SMTP TLS connections using privately-issued CA certs

Hello,

rea...@catastrophe.net (rea...@catastrophe.net), 2022.03.15 (Tue) 00:27 (CET):
> On Tue, Mar 15, 2022 at 09:40:34AM +1100, Dipesh Sharma wrote:
>> Did you try the 'tls no-verify' option described here:
>> https://man.openbsd.org/smtpd.conf#tls ? If you are sure that some host
>> under example.com is talking to the correct mail.example.com host, it is OK
>> to skip the certificate verification.
>
> I did not as that is not what I'm hoping to do.
>
> Instead I'd like to verify the servers certificate is signed by a CA
> whose certificate is on the client machine.

IIUC the client server needs the CA Certificate that was used to
generate the SMTP-server Certificate in its /etc/ssl/cert.pem (on
OpenBSD).

Marcus