Re: a few more questions

2015-02-01 Thread Edgar Pettijohn


On 01/30/15 02:28, Gilles Chehade wrote:

Hi,

I had somehow missed this thread...


On Sun, Jan 18, 2015 at 04:25:20PM -0600, Edgar Pettijohn wrote:

I added another host and test user and everything seems to be working.
Reread smtpd.conf(5) and feel good about this setup.  A few questions
remain.  When I connect from my home pc with:

$ mutt -f imap://t...@test.pettijohn-web.com@test.pettijohn-web.com

and send an email to myself the from address is t...@test.my.domain instead
of what it should be.  However, when using thunderbird it works as expected.


That is because you didn't configure your From in mutt which will therefore
not append a domain and let OpenSMTPD do it. In my ~/.muttrc I have:

set realname="Gilles Chehade"
set from=gil...@poolp.org

You don't need to do that with Thunderbird, it does it automatically.



It also does not present the proper cert for the new domain.  From the man
page:

#pki listen context
The hostnames parameter overrides the server name for specific addresses.
Table names contains a mapping of IP addresses to hostnames and smtpd(8)
http://www.openbsd.org/cgi-bin/man.cgi?query=smtpd&sec=8 will use the
hostname that matches the address on which the connection arrives if it is
found in the mapping.




If all virtual domains map to the same ip then this names table won't
work.


Yes, this is right, `hostnames` is a mechanism to map an IP to a hostname
like I mentioned in the ticket you opened.

When you connect, before you even start TLS, OpenSMTPD will greet you and
needs to know which hostname it will run under. The mapping can't be that
an IP resolves to several hostnames, otherwise it can't know.

SNI happens later in the chain, after it has greeted you, you have EHLOed,
it has told you it supports STARTTLS and you have started to negotiate.



#pki relay context
When relaying, STARTTLS is always attempted if available on remote host and
OpenSMTPD will try to present a certificate matching the outgoing hostname
if one is registered in the pki. If pki is specified, the certificate
registered for pkiname is used instead.

Is there a way to make the listen work like the relay and just use the
matching cert?


It should work automatically.

If your client supports SNI, during the TLS negotiation, it will ask for
the specific virtual domain and OpenSMTPD will try to find a pki that is
registered for that domain and pick it up.

This has nothing to do with the `hostnames` table.

Are you sure your version of mutt has SNI support?


Thanks for the reply.  It all makes sense to me now.

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org



Re: a few more questions

2015-01-30 Thread Gilles Chehade
Hi,

I had somehow missed this thread...


On Sun, Jan 18, 2015 at 04:25:20PM -0600, Edgar Pettijohn wrote:
 I added another host and test user and everything seems to be working.
 Reread smtpd.conf(5) and feel good about this setup.  A few questions
 remain.  When I connect from my home pc with:
 
 $ mutt -f imap://t...@test.pettijohn-web.com@test.pettijohn-web.com
 
 and send an email to myself the from address is t...@test.my.domain instead
 of what it should be.  However, when using thunderbird it works as expected.


That is because you didn't configure your From in mutt which will therefore
not append a domain and let OpenSMTPD do it. In my ~/.muttrc I have:

set realname="Gilles Chehade"
set from=gil...@poolp.org

You don't need to do that with Thunderbird, it does it automatically.


 It also does not present the proper cert for the new domain.  From the man
 page:
 
 #pki listen context
 The hostnames parameter overrides the server name for specific addresses.
 Table names contains a mapping of IP addresses to hostnames and smtpd(8)
 http://www.openbsd.org/cgi-bin/man.cgi?query=smtpd&sec=8 will use the
 hostname that matches the address on which the connection arrives if it is
 found in the mapping.
 


 If all virtual domains map to the same ip then this names table won't
 work.
 

Yes, this is right, `hostnames` is a mechanism to map an IP to a hostname
like I mentioned in the ticket you opened.

When you connect, before you even start TLS, OpenSMTPD will greet you and
needs to know which hostname it will run under. The mapping can't be that
an IP resolves to several hostnames, otherwise it can't know.

SNI happens later in the chain, after it has greeted you, you have EHLOed,
it has told you it supports STARTTLS and you have started to negotiate.


 #pki relay context
 When relaying, STARTTLS is always attempted if available on remote host and
 OpenSMTPD will try to present a certificate matching the outgoing hostname
 if one is registered in the pki. If pki is specified, the certificate
 registered for pkiname is used instead.
 
 Is there a way to make the listen work like the relay and just use the
 matching cert?


It should work automatically.

If your client supports SNI, during the TLS negotiation, it will ask for
the specific virtual domain and OpenSMTPD will try to find a pki that is
registered for that domain and pick it up.

This has nothing to do with the `hostnames` table.

Are you sure your version of mutt has SNI support?

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg




Re: a few more questions

2015-01-19 Thread Seth
On Mon, 19 Jan 2015 15:14:14 -0800, Edgar Pettijohn  
ed...@pettijohn-web.com wrote:

http://www.mail-archive.com/misc%40opensmtpd.org/msg01427.html


That gives the following error:
# /usr/sbin/smtpd -d
/etc/mail/smtpd.conf:16: invalid use of table dynamic:0 as HOSTNAMES parameter


Looks like you're getting the same error as posted in the 2nd mailing list
thread I linked to above ^^.


Might be prudent to file a bug report on github.  
https://github.com/OpenSMTPD/OpenSMTPD/issues





Re: a few more questions

2015-01-18 Thread Seth

On Sun, 18 Jan 2015 20:20:19 -0800, Seth l...@sysfu.com wrote:

https://github.com/OpenSMTPD/OpenSMTPD/issues/376


Related email threads

http://www.mail-archive.com/misc%40opensmtpd.org/msg00625.html

Declare your listener with a hostnames table and declare a pki entry for
every domain that should be supported by SNI:

pki foo.bar ...
pki bar.baz ...

listen on [...] tls hostnames { foo.bar, bar.baz }


http://www.mail-archive.com/misc%40opensmtpd.org/msg01427.html




Re: a few more questions

2015-01-18 Thread Edgar Pettijohn


On 01/18/15 17:20, Seth wrote:
On Sun, 18 Jan 2015 14:25:20 -0800, Edgar Pettijohn 
ed...@pettijohn-web.com wrote:



I added another host and test user and everything seems to be working.
Reread smtpd.conf(5) and feel good about this setup.  A few questions
remain.  When I connect from my home pc with:

$ mutt -f imap://t...@test.pettijohn-web.com@test.pettijohn-web.com

and send an email to myself the from address is t...@test.my.domain
instead of what it should be.  However, when using thunderbird it works
as expected.


I believe that is a mutt configuration issue.


Just tried on my postfix server and I think you're right; I just never
noticed it before.



Is there a way to make the listen work like the relay and just use the
matching cert?


I don't think so. I think you'd have to configure an additional IP
address for the 2nd domain, and then create a dedicated listen rule in
smtpd.conf for each IP, one per domain.



That's what I was planning to try next.

Thanks




a few more questions

2015-01-18 Thread Edgar Pettijohn
I added another host and test user and everything seems to be working.  
Reread smtpd.conf(5) and feel good about this setup.  A few questions 
remain.  When I connect from my home pc with:


$ mutt -f imap://t...@test.pettijohn-web.com@test.pettijohn-web.com

and send an email to myself the from address is t...@test.my.domain 
instead of what it should be.  However, when using thunderbird it works 
as expected.  It also does not present the proper cert for the new 
domain.  From the man page:


#pki listen context
The hostnames parameter overrides the server name for specific
addresses. Table names contains a mapping of IP addresses to hostnames
and smtpd(8) http://www.openbsd.org/cgi-bin/man.cgi?query=smtpd&sec=8
will use the hostname that matches the address on which the connection
arrives if it is found in the mapping.


If all virtual domains map to the same ip then this names table won't 
work.


#pki relay context
When relaying, STARTTLS is always attempted if available on remote host 
and OpenSMTPD will try to present a certificate matching the outgoing 
hostname if one is registered in the pki. If pki is specified, the 
certificate registered for pkiname is used instead.


Is there a way to make the listen work like the relay and just use the 
matching cert?


# cat /etc/mail/smtpd.conf
#   $OpenBSD: smtpd.conf,v 1.7 2014/03/12 18:21:34 tedu Exp $

# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

table aliases db:/etc/mail/aliases.db
table vdomains db:/etc/mail/vdomains.db
table vusers db:/etc/mail/vusers.db

# one pki entry (certificate + key) per name the server should answer for
pki test.pettijohn-web.com certificate /etc/ssl/test.pettijohn-web.com.crt
pki test.pettijohn-web.com key /etc/ssl/private/test.pettijohn-web.com.key
pki openbsd.pettijohn-web.com certificate /etc/ssl/openbsd.pettijohn-web.com.crt
pki openbsd.pettijohn-web.com key /etc/ssl/private/openbsd.pettijohn-web.com.key

# STARTTLS offered on the public interface, no authentication required
listen on egress tls
listen on lo0

queue compression
queue encryption key f61de1a07fba7ccd57af89df8c28fc1f

# table references are written <name>
accept from any for domain <vdomains> virtual <vusers> deliver to mda \
	"/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{rcpt}"
accept for local alias <aliases> deliver to maildir
# "from any" combined with "for any relay" on a listener that has no "auth"
# relays for anyone who can reach port 25, i.e. this is an open relay;
# relaying should be limited to local or authenticated clients
accept from any for any relay


Thanks,

Edgar
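The configuration below is an added example; it is not the file Edgar posted and not anything shipped by the OpenSMTPD project. It puts Gilles's two points into one file (a separate pki entry per name, which the client's SNI selects on its own, and `hostnames` as an IP-to-hostname mapping, which is why the list form `hostnames { foo.bar, bar.baz }` quoted by Seth ends in the "invalid use of table ... as HOSTNAMES parameter" error), and it replaces the `accept from any for any relay` rule from the posted config with one that relays only for authenticated submission clients. It assumes the 5.4-era smtpd.conf(5) grammar the thread is using; the addresses 192.0.2.10 and 192.0.2.11, the SUBMISSION tag name and the `tagged` rule form are my assumptions, not taken from the thread. The queue lines from the posted file are unchanged and omitted here.

```conf
# /etc/mail/smtpd.conf -- added example, not the poster's file

table aliases  db:/etc/mail/aliases.db
table vdomains db:/etc/mail/vdomains.db
table vusers   db:/etc/mail/vusers.db

# One pki entry per virtual domain.  On a single listener the name sent in
# the client's TLS SNI extension picks the matching entry; the `hostnames`
# table below has no part in that.
pki test.pettijohn-web.com    certificate /etc/ssl/test.pettijohn-web.com.crt
pki test.pettijohn-web.com    key         /etc/ssl/private/test.pettijohn-web.com.key
pki openbsd.pettijohn-web.com certificate /etc/ssl/openbsd.pettijohn-web.com.crt
pki openbsd.pettijohn-web.com key         /etc/ssl/private/openbsd.pettijohn-web.com.key

# `hostnames` wants a key/value table: listening IP -> name to greet with,
# decided before STARTTLS, so one IP can only ever map to one name.
# A plain list ({ a, b }) is not a mapping, hence the HOSTNAMES parameter
# error.  Only useful once each domain has its own address (assumed here).
table names { 192.0.2.10 = test.pettijohn-web.com, 192.0.2.11 = openbsd.pettijohn-web.com }

# Port 25: inbound mail from other MTAs.  STARTTLS offered, no auth, so
# nothing that arrives here may be relayed off-host.  `pki` names the
# certificate used when a client sends no SNI at all.
listen on egress tls pki test.pettijohn-web.com hostnames <names>
listen on lo0

# Port 587: client submission.  TLS and SMTP AUTH both mandatory, tagged so
# the relay rule can tell these sessions apart from port 25 sessions.
listen on egress port submission tls-require pki test.pettijohn-web.com \
	auth hostnames <names> tag SUBMISSION

# Local virtual domains: deliverable from anywhere.
accept from any for domain <vdomains> virtual <vusers> deliver to mda \
	"/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{rcpt}"
accept for local alias <aliases> deliver to maildir

# Relay only sessions that came in through the authenticated listener.
# (The posted "accept from any for any relay" relays for anyone who can
# reach port 25.)  Anything else from outside for a non-local domain
# matches no rule and is rejected.
accept tagged SUBMISSION from any for any relay
```

Check the syntax with `smtpd -n` before restarting, then confirm which certificate each name gets with `openssl s_client -connect <host>:25 -starttls smtp -servername openbsd.pettijohn-web.com` and look at the subject of the certificate it prints; a client that sends no SNI, which is what Gilles suspects of Edgar's mutt, gets the listener's `pki` default instead. Finally, from an outside address, try `MAIL FROM`/`RCPT TO` for a foreign domain on port 25 and make sure it is refused.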