Re: a few more questions
On 01/30/15 02:28, Gilles Chehade wrote:
> Hi,
>
> I had somehow missed this thread...
>
> On Sun, Jan 18, 2015 at 04:25:20PM -0600, Edgar Pettijohn wrote:
> > I added another host and test user and everything seems to be working. Reread smtpd.conf(5) and feel good about this setup. A few questions remain.
> >
> > When I connect from my home pc with:
> >
> > $ mutt -f imap://t...@test.pettijohn-web.com@test.pettijohn-web.com
> >
> > and send an email to myself the from address is t...@test.my.domain instead of what it should be. However, when using thunderbird it works as expected.
>
> That is because you didn't configure your From in mutt, which will therefore not append a domain and let OpenSMTPD do it.
>
> In my ~/.muttrc I have:
>
> set realname=Gilles Chehade
> set from=gil...@poolp.org
>
> You don't need to do that with Thunderbird, it does it automatically.
>
> > It also does not present the proper cert for the new domain. From the man page:
> >
> > #pki listen context
> > The *hostnames* parameter overrides the server name for specific addresses. Table /names/ contains a mapping of IP addresses to hostnames and smtpd(8) http://www.openbsd.org/cgi-bin/man.cgi?query=smtpd&sec=8 will use the hostname that matches the address on which the connection arrives if it is found in the mapping.
> >
> > If all virtual domains map to the same ip then this names table won't work.
>
> Yes, this is right, `hostnames` is a mechanism to map an IP to a hostname like I mentioned in the ticket you opened. When you connect, before you even start TLS, OpenSMTPD will greet you and needs to know which hostname it will run under. The mapping can't be that an IP resolves to several hostnames, otherwise it can't know.
>
> SNI happens later in the chain, after it has greeted you, you have EHLOed, it has told you it supports STARTTLS and you have started to negotiate.
>
> > #pki relay context
> > When relaying, STARTTLS is always attempted if available on remote host and OpenSMTPD will try to present a certificate matching the outgoing hostname if one is registered in the pki. If pki is specified, the certificate registered for pkiname is used instead.
> >
> > Is there a way to make the listen work like the relay and just use the matching cert?
>
> It should work automatically. If your client supports SNI, during the TLS negotiation it will ask for the specific virtual domain and OpenSMTPD will try to find a pki that is registered for that domain and pick it up. This has nothing to do with the `hostnames` table.
>
> Are you sure your version of mutt has SNI support ?

Thanks for the reply. It all makes sense to me now.

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
Re: a few more questions
Hi,

I had somehow missed this thread...

On Sun, Jan 18, 2015 at 04:25:20PM -0600, Edgar Pettijohn wrote:
> I added another host and test user and everything seems to be working. Reread smtpd.conf(5) and feel good about this setup. A few questions remain.
>
> When I connect from my home pc with:
>
> $ mutt -f imap://t...@test.pettijohn-web.com@test.pettijohn-web.com
>
> and send an email to myself the from address is t...@test.my.domain instead of what it should be. However, when using thunderbird it works as expected.

That is because you didn't configure your From in mutt, which will therefore not append a domain and let OpenSMTPD do it.

In my ~/.muttrc I have:

set realname=Gilles Chehade
set from=gil...@poolp.org

You don't need to do that with Thunderbird, it does it automatically.

> It also does not present the proper cert for the new domain. From the man page:
>
> #pki listen context
> The *hostnames* parameter overrides the server name for specific addresses. Table /names/ contains a mapping of IP addresses to hostnames and smtpd(8) http://www.openbsd.org/cgi-bin/man.cgi?query=smtpd&sec=8 will use the hostname that matches the address on which the connection arrives if it is found in the mapping.
>
> If all virtual domains map to the same ip then this names table won't work.

Yes, this is right, `hostnames` is a mechanism to map an IP to a hostname like I mentioned in the ticket you opened. When you connect, before you even start TLS, OpenSMTPD will greet you and needs to know which hostname it will run under. The mapping can't be that an IP resolves to several hostnames, otherwise it can't know.

SNI happens later in the chain, after it has greeted you, you have EHLOed, it has told you it supports STARTTLS and you have started to negotiate.

> #pki relay context
> When relaying, STARTTLS is always attempted if available on remote host and OpenSMTPD will try to present a certificate matching the outgoing hostname if one is registered in the pki. If pki is specified, the certificate registered for pkiname is used instead.
>
> Is there a way to make the listen work like the relay and just use the matching cert?

It should work automatically. If your client supports SNI, during the TLS negotiation it will ask for the specific virtual domain and OpenSMTPD will try to find a pki that is registered for that domain and pick it up. This has nothing to do with the `hostnames` table.

Are you sure your version of mutt has SNI support ?

--
Gilles Chehade

https://www.poolp.org @poolpOrg
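The sequence Gilles describes (greeting, EHLO, STARTTLS, and only then the server name inside the TLS handshake) is easy to verify from the outside. The script below is an added example for this thread, not code from OpenSMTPD or from any poster: it speaks just enough SMTP to reach STARTTLS, negotiates TLS with a chosen SNI name, and reports whether the certificate that came back actually covers that name. The host name, the domain list and the CA file path are assumptions to replace with your own; the matching helpers are plain standard library and work on the dict shape that ssl's getpeercert() returns, so they run without a network.

```python
"""Probe which certificate an SMTP server presents for each SNI name.

Added example for the OpenSMTPD misc thread; not project code.
"""
import socket
import ssl

# Constructed sample values (assumptions): the host all virtual domains
# resolve to, the names to probe, and a CA bundle or the server's own cert
# so that self-signed certificates can still be validated.
MAIL_HOST = "openbsd.pettijohn-web.com"
VIRTUAL_DOMAINS = ["openbsd.pettijohn-web.com", "test.pettijohn-web.com"]
CA_FILE = None


def cert_names(cert):
    """DNS names a getpeercert() dict claims: SAN entries first, CN only as a fallback."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def name_matches(pattern, hostname):
    """Case-insensitive match; a leading '*.' covers exactly one label, never the bare domain."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return (hostname.count(".") == pattern.count(".")
                and hostname.endswith(pattern[1:]))
    return pattern == hostname


def cert_covers(cert, hostname):
    """True if any name in the certificate matches the requested hostname."""
    return any(name_matches(name, hostname) for name in cert_names(cert))


def _read_reply(sock):
    """Collect one SMTP reply, honouring multi-line '250-' continuations."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        data += chunk
        lines = data.split(b"\r\n")
        # The final line of a reply has a space after the three-digit code.
        if len(lines) >= 2 and lines[-2][3:4] == b" ":
            return data.decode("utf-8", "replace")


def probe(host, sni_name, port=25, cafile=None, timeout=10):
    """Do greeting/EHLO/STARTTLS, then TLS with the given SNI; return the peer cert dict."""
    ctx = ssl.create_default_context(cafile=cafile)
    # Verify the chain, but do the hostname comparison ourselves so a
    # mismatch is reported instead of aborting the handshake.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        _read_reply(sock)                      # 220 greeting: the hostnames table picks this name
        sock.sendall(b"EHLO probe.invalid\r\n")
        ehlo = _read_reply(sock)
        if "STARTTLS" not in ehlo.upper():
            raise RuntimeError("server did not advertise STARTTLS")
        sock.sendall(b"STARTTLS\r\n")
        reply = _read_reply(sock)
        if not reply.startswith("220"):
            raise RuntimeError("STARTTLS refused: " + reply.strip())
        # Only now does the server name travel, in the ClientHello.
        with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
            cert = tls.getpeercert()
            tls.sendall(b"QUIT\r\n")
    return cert


if __name__ == "__main__":
    for domain in VIRTUAL_DOMAINS:
        served = probe(MAIL_HOST, domain, cafile=CA_FILE)
        status = "OK" if cert_covers(served, domain) else "MISMATCH"
        print(f"{domain:32} {status:8} cert names: {', '.join(cert_names(served))}")
```

If every probed name comes back with the same certificate, the server found no pki entry matching that SNI name; if the probe gets the right certificate but a given mail client does not, that client is most likely not sending SNI at all.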
Re: a few more questions
On Mon, 19 Jan 2015 15:14:14 -0800, Edgar Pettijohn ed...@pettijohn-web.com wrote:
> > http://www.mail-archive.com/misc%40opensmtpd.org/msg01427.html
>
> That gives the following error:
>
> # /usr/sbin/smtpd -d
> /etc/mail/smtpd.conf:16: invalid use of table dynamic:0 as HOSTNAMES parameter

Looks like you're getting the same error as posted in the 2nd mailing list thread I linked to above ^^.

Might be prudent to file a bug report on github.

https://github.com/OpenSMTPD/OpenSMTPD/issues
Re: a few more questions
On Sun, 18 Jan 2015 20:20:19 -0800, Seth l...@sysfu.com wrote:

https://github.com/OpenSMTPD/OpenSMTPD/issues/376

Related email threads

http://www.mail-archive.com/misc%40opensmtpd.org/msg00625.html

    Declare your listener with a hostnames table and declare a pki entry
    for every domain that should be supported by SNI:

    pki foo.bar ...
    pki bar.baz ...
    listen on [...] tls hostnames { foo.bar, bar.baz }

http://www.mail-archive.com/misc%40opensmtpd.org/msg01427.html
Re: a few more questions
On 01/18/15 17:20, Seth wrote:
> On Sun, 18 Jan 2015 14:25:20 -0800, Edgar Pettijohn ed...@pettijohn-web.com wrote:
> > I added another host and test user and everything seems to be working. Reread smtpd.conf(5) and feel good about this setup. A few questions remain.
> >
> > When I connect from my home pc with:
> >
> > $ mutt -f imap://t...@test.pettijohn-web.com@test.pettijohn-web.com
> >
> > and send an email to myself the from address is t...@test.my.domain instead of what it should be. However, when using thunderbird it works as expected.
>
> I believe that is a mutt configuration issue.

Just tried on my postfix server and I think you're right. I just never noticed it before.

> > Is there a way to make the listen work like the relay and just use the matching cert?
>
> I don't think so. I think you'd have to configure an additional IP address for the 2nd domain, and then create a dedicated listen rule in smtpd.conf for each IP, one per domain.

That's what I was planning to try next.

Thanks
a few more questions
I added another host and test user and everything seems to be working. Reread smtpd.conf(5) and feel good about this setup. A few questions remain.

When I connect from my home pc with:

$ mutt -f imap://t...@test.pettijohn-web.com@test.pettijohn-web.com

and send an email to myself the from address is t...@test.my.domain instead of what it should be. However, when using thunderbird it works as expected.

It also does not present the proper cert for the new domain. From the man page:

#pki listen context
The *hostnames* parameter overrides the server name for specific addresses. Table /names/ contains a mapping of IP addresses to hostnames and smtpd(8) http://www.openbsd.org/cgi-bin/man.cgi?query=smtpd&sec=8 will use the hostname that matches the address on which the connection arrives if it is found in the mapping.

If all virtual domains map to the same ip then this names table won't work.

#pki relay context
When relaying, STARTTLS is always attempted if available on remote host and OpenSMTPD will try to present a certificate matching the outgoing hostname if one is registered in the pki. If pki is specified, the certificate registered for pkiname is used instead.

Is there a way to make the listen work like the relay and just use the matching cert?

# cat /etc/mail/smtpd.conf
# $OpenBSD: smtpd.conf,v 1.7 2014/03/12 18:21:34 tedu Exp $

# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

table aliases db:/etc/mail/aliases.db
table vdomains db:/etc/mail/vdomains.db
table vusers db:/etc/mail/vusers.db

pki test.pettijohn-web.com certificate /etc/ssl/test.pettijohn-web.com.crt
pki test.pettijohn-web.com key /etc/ssl/private/test.pettijohn-web.com.key
pki openbsd.pettijohn-web.com certificate /etc/ssl/openbsd.pettijohn-web.com.crt
pki openbsd.pettijohn-web.com key /etc/ssl/private/openbsd.pettijohn-web.com.key

listen on egress tls
listen on lo0

queue compression
queue encryption key f61de1a07fba7ccd57af89df8c28fc1f

accept from any for domain vdomains virtual vusers deliver to mda \
    /usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{rcpt}
accept for local alias aliases deliver to maildir
accept from any for any relay

Thanks,

Edgar