RE: certificate verification when using multiple relay hosts

2022-09-08 Thread Tobias Fiebig
Heho,
Might be a nice feature request; you could write a ticket, or shoot that at 
m...@openbsd.org; I see a lot more engagement for OpenSMTPD-related messages 
there.

With best regards,
Tobias

-Original Message-
From: Tassilo Philipp  
Sent: Thursday, 8 September 2022 08:48
To: Tobias Fiebig 
Cc: misc@opensmtpd.org
Subject: Re: certificate verification when using multiple relay hosts

This is what we're doing, but it's not directly under our control, so there is 
some back and forth, etc., possible, yes, but the question still remains.
I personally lean more and more towards thinking it would be nice to be able to 
specify multiple relay hosts, explicitly.


On Thu, Sep 08, 2022 at 12:35:04AM +0200, Tobias Fiebig wrote:
> Heho,
> Why don't you add mailrelays.domain as a DNSAltName to the certs of these 
> hosts? Or are they not under your control?
>
> With best regards,
> Tobias
>
>
> -Original Message-
> From: Tassilo Philipp 
> Sent: Wednesday, 7 September 2022 11:31
> To: misc@opensmtpd.org
> Subject: certificate verification when using multiple relay hosts
>
> Hello,
>
> I'd like to pick y'all's brains about a TLS enabled multi-relay-host setup, 
> where I'm not sure about what is right, or should maybe be possible.
>
> The setup in question is an OpenSMTPd box that is configured to relay 
> to multiple, explicitly specified, redundant hosts, the crucial config 
> line
> is:
>
>  action "relay_out" relay host smtps://mailrelays.domain
>
> (note: whether it's using smtps or smtp w/ starttls, etc. isn't 
> important, it comes down to the same)
>
> Multiple A records are entered for the domain mailrelays.domain, so it 
> resolves to multiple IPs.
>
> This DNS-based multi-A-records setup is the only way I found to tell 
> OpenSMTPd to use a list of relay hosts, and this works nicely. I verified 
> given the logs and traces, that it keeps a list of them all, selects what it 
> thinks the best connector is, handles a connector becoming unavailable, 
> gracefully, etc.. Great!
>
> However, this DNS based multi-host setup complicates matters when verifying 
> certificates. Imagine that mailrelays.domain points to 1.2.3.1 and 1.2.3.2. 
> Also, let's say there are specific A records pointing to those IPs, as well 
> as their respective PTR records, so the full list is:
>
> mailrelays.domain.   1.2.3.1
> mailrelays.domain.   1.2.3.2
>
> mailrelay01.domain.  1.2.3.1
> mailrelay02.domain.  1.2.3.2
>
> 1.3.2.1.in-addr.arpa.   mailrelay01.domain.
> 2.3.2.1.in-addr.arpa.   mailrelay02.domain.
>
>
> Also, let's say both relay hosts present certificates which only have their 
> own respective DNS names listed, but *not* "mailrelays.domain".
>
> In this case the cert verification fails when relaying mail, b/c 
> OpenSMTPd checks whether the cert of each box has mailrelays.domain listed, 
> which they do not; they only list their specific, number-suffixed domains.
>
>
> By itself one could argue that this is to be expected, and I kinda agree. 
> However, one could also argue that maybe it should do a PTR lookup, first, 
> and use that DNS name for verification.
>
>
> Taking a step back, I think the question essentially boils down to: how to 
> specify multiple relay hosts (e.g. for redundancy) *by DNS name*, so the cert 
> verification would work per relay host?
>
> The problems I encountered to get this set up are:
>
> - multiple CNAME records for a domain aren't possible in DNS
>
> - one cannot make use of MX records, either, as the relay host line
>   seems to only resolve A records in this case
>
> - there is seemingly no way to list multiple relay hosts in smtpd.conf,
>   explicitly, but maybe I'm missing something
>
>
> Thoughts? I'm not sure what's right or wrong here, in some ways it behaves 
> like it should, but then again it also makes it hard to specify multiple 
> relay hosts, conveniently. I obviously might also totally miss something, in 
> which case I would be grateful to get some feedback.
>
> Thanks!
Re: certificate verification when using multiple relay hosts

2022-09-08 Thread Tassilo Philipp
This is what we're doing, but it's not directly under our control, so 
there is some back and forth, etc., possible, yes, but the question 
still remains.
I personally lean more and more towards thinking it would be nice to be 
able to specify multiple relay hosts, explicitly.



On Thu, Sep 08, 2022 at 12:35:04AM +0200, Tobias Fiebig wrote:

Heho,
Why don't you add mailrelays.domain as a DNSAltName to the certs of these 
hosts? Or are they not under your control?

With best regards,
Tobias


-Original Message-
From: Tassilo Philipp 
Sent: Wednesday, 7 September 2022 11:31
To: misc@opensmtpd.org
Subject: certificate verification when using multiple relay hosts

Hello,

I'd like to pick y'all's brains about a TLS enabled multi-relay-host setup, 
where I'm not sure about what is right, or should maybe be possible.

The setup in question is an OpenSMTPd box that is configured to relay to multiple, explicitly specified, redundant hosts, the crucial config line 
is:


 action "relay_out" relay host smtps://mailrelays.domain

(note: whether it's using smtps or smtp w/ starttls, etc. isn't important, it 
comes down to the same)

Multiple A records are entered for the domain mailrelays.domain, so it resolves 
to multiple IPs.

This DNS-based multi-A-records setup is the only way I found to tell OpenSMTPd 
to use a list of relay hosts, and this works nicely. I verified given the logs 
and traces, that it keeps a list of them all, selects what it thinks the best 
connector is, handles a connector becoming unavailable, gracefully, etc.. Great!

However, this DNS based multi-host setup complicates matters when verifying 
certificates. Imagine that mailrelays.domain points to 1.2.3.1 and 1.2.3.2. 
Also, let's say there are specific A records pointing to those IPs, as well as 
their respective PTR records, so the full list is:

mailrelays.domain.   1.2.3.1
mailrelays.domain.   1.2.3.2

mailrelay01.domain.  1.2.3.1
mailrelay02.domain.  1.2.3.2

1.3.2.1.in-addr.arpa.   mailrelay01.domain.
2.3.2.1.in-addr.arpa.   mailrelay02.domain.


Also, let's say both relay hosts present certificates which only have their own 
respective DNS names listed, but *not* "mailrelays.domain".

In this case the cert verification fails when relaying mail, b/c 
OpenSMTPd checks whether the cert of each box has mailrelays.domain listed, 
which they do not; they only list their specific, number-suffixed domains.


By itself one could argue that this is to be expected, and I kinda agree. 
However, one could also argue that maybe it should do a PTR lookup, first, and 
use that DNS name for verification.


Taking a step back, I think the question essentially boils down to: how to 
specify multiple relay hosts (e.g. for redundancy) *by DNS name*, so the cert 
verification would work per relay host?

The problems I encountered to get this set up are:

- multiple CNAME records for a domain aren't possible in DNS

- one cannot make use of MX records, either, as the relay host line
  seems to only resolve A records in this case

- there is seemingly no way to list multiple relay hosts in smtpd.conf,
  explicitly, but maybe I'm missing something


Thoughts? I'm not sure what's right or wrong here, in some ways it behaves like 
it should, but then again it also makes it hard to specify multiple relay 
hosts, conveniently. I obviously might also totally miss something, in which 
case I would be grateful to get some feedback.

Thanks!
RE: certificate verification when using multiple relay hosts

2022-09-07 Thread Tobias Fiebig
Heho,
Why don't you add mailrelays.domain as a DNSAltName to the certs of these 
hosts? Or are they not under your control?

With best regards,
Tobias


-Original Message-
From: Tassilo Philipp  
Sent: Wednesday, 7 September 2022 11:31
To: misc@opensmtpd.org
Subject: certificate verification when using multiple relay hosts

Hello,

I'd like to pick y'all's brains about a TLS enabled multi-relay-host setup, 
where I'm not sure about what is right, or should maybe be possible.

The setup in question is an OpenSMTPd box that is configured to relay to 
multiple, explicitly specified, redundant hosts, the crucial config line
is:

  action "relay_out" relay host smtps://mailrelays.domain

(note: whether it's using smtps or smtp w/ starttls, etc. isn't important, it 
comes down to the same)

Multiple A records are entered for the domain mailrelays.domain, so it resolves 
to multiple IPs.

This DNS-based multi-A-records setup is the only way I found to tell OpenSMTPd 
to use a list of relay hosts, and this works nicely. I verified given the logs 
and traces, that it keeps a list of them all, selects what it thinks the best 
connector is, handles a connector becoming unavailable, gracefully, etc.. Great!

However, this DNS based multi-host setup complicates matters when verifying 
certificates. Imagine that mailrelays.domain points to 1.2.3.1 and 1.2.3.2. 
Also, let's say there are specific A records pointing to those IPs, as well as 
their respective PTR records, so the full list is:

mailrelays.domain.   1.2.3.1 
mailrelays.domain.   1.2.3.2

mailrelay01.domain.  1.2.3.1 
mailrelay02.domain.  1.2.3.2

1.3.2.1.in-addr.arpa.   mailrelay01.domain.
2.3.2.1.in-addr.arpa.   mailrelay02.domain.


Also, let's say both relay hosts present certificates which only have their own 
respective DNS names listed, but *not* "mailrelays.domain".

In this case the cert verification fails when relaying mail, b/c 
OpenSMTPd checks whether the cert of each box has mailrelays.domain listed, 
which they do not; they only list their specific, number-suffixed domains.


By itself one could argue that this is to be expected, and I kinda agree. 
However, one could also argue that maybe it should do a PTR lookup, first, and 
use that DNS name for verification.


Taking a step back, I think the question essentially boils down to: how to 
specify multiple relay hosts (e.g. for redundancy) *by DNS name*, so the cert 
verification would work per relay host?

The problems I encountered to get this set up are:

- multiple CNAME records for a domain aren't possible in DNS

- one cannot make use of MX records, either, as the relay host line
   seems to only resolve A records in this case

- there is seemingly no way to list multiple relay hosts in smtpd.conf,
   explicitly, but maybe I'm missing something


Thoughts? I'm not sure what's right or wrong here, in some ways it behaves like 
it should, but then again it also makes it hard to specify multiple relay 
hosts, conveniently. I obviously might also totally miss something, in which 
case I would be grateful to get some feedback.

Thanks!
certificate verification when using multiple relay hosts

2022-09-07 Thread Tassilo Philipp

Hello,

I'd like to pick y'all's brains about a TLS enabled multi-relay-host 
setup, where I'm not sure about what is right, or should maybe be 
possible.


The setup in question is an OpenSMTPd box that is configured to relay to 
multiple, explicitly specified, redundant hosts, the crucial config line 
is:


 action "relay_out" relay host smtps://mailrelays.domain

(note: whether it's using smtps or smtp w/ starttls, etc. isn't 
important, it comes down to the same)


Multiple A records are entered for the domain mailrelays.domain, so it 
resolves to multiple IPs.


This DNS-based multi-A-records setup is the only way I found to tell 
OpenSMTPd to use a list of relay hosts, and this works nicely. I 
verified given the logs and traces, that it keeps a list of them all, 
selects what it thinks the best connector is, handles a connector 
becoming unavailable, gracefully, etc.. Great!


However, this DNS based multi-host setup complicates matters when 
verifying certificates. Imagine that mailrelays.domain points to 1.2.3.1 
and 1.2.3.2. Also, let's say there are specific A records pointing to 
those IPs, as well as their respective PTR records, so the full list is:


mailrelays.domain.   1.2.3.1 
mailrelays.domain.   1.2.3.2


mailrelay01.domain.  1.2.3.1 
mailrelay02.domain.  1.2.3.2


1.3.2.1.in-addr.arpa.   mailrelay01.domain.
2.3.2.1.in-addr.arpa.   mailrelay02.domain.



Also, let's say both relay hosts present certificates which only have 
their own respective DNS names listed, but *not* "mailrelays.domain".


In this case the cert verification fails when relaying mail, b/c 
OpenSMTPd checks whether the cert of each box has mailrelays.domain 
listed, which they do not; they only list their specific, 
number-suffixed domains.



By itself one could argue that this is to be expected, and I kinda 
agree. However, one could also argue that maybe it should do a PTR 
lookup, first, and use that DNS name for verification.



Taking a step back, I think the question essentially boils down to: how 
to specify multiple relay hosts (e.g. for redundancy) *by DNS name*, so 
the cert verification would work per relay host?


The problems I encountered to get this set up are:

- multiple CNAME records for a domain aren't possible in DNS

- one cannot make use of MX records, either, as the relay host line
  seems to only resolve A records in this case

- there is seemingly no way to list multiple relay hosts in smtpd.conf,
  explicitly, but maybe I'm missing something


Thoughts? I'm not sure what's right or wrong here, in some ways it 
behaves like it should, but then again it also makes it hard to specify 
multiple relay hosts, conveniently. I obviously might also totally miss 
something, in which case I would be grateful to get some feedback.


Thanks!
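As an added example, not code from this thread or from OpenSMTPD, the following Python models the verification step the original post describes and the fix Tobias proposes: the client matches the certificate's dNSName SANs against the relay host it was configured with, not against anything derived from the peer address. The DNS records, addresses and SAN lists are constructed to mirror the post; the RFC 6125-style matcher and the `verify_relays_via_ptr` variant (the PTR-based check the post wonders about) are the example's own.

```python
"""Model of outbound TLS name verification against a relay's certificate
SANs. Added example; not OpenSMTPD code. All DNS data, addresses and SAN
lists below are constructed to mirror the setup described in the thread."""

# Constructed forward and reverse DNS, as listed in the post.
DNS_A = {
    "mailrelays.domain": ["1.2.3.1", "1.2.3.2"],
    "mailrelay01.domain": ["1.2.3.1"],
    "mailrelay02.domain": ["1.2.3.2"],
}
DNS_PTR = {"1.2.3.1": "mailrelay01.domain", "1.2.3.2": "mailrelay02.domain"}

# Constructed dNSName SAN lists standing in for each relay's certificate,
# before and after adding the shared name Tobias suggests.
CERT_SANS_BEFORE = {
    "1.2.3.1": ["mailrelay01.domain"],
    "1.2.3.2": ["mailrelay02.domain"],
}
CERT_SANS_AFTER = {
    "1.2.3.1": ["mailrelay01.domain", "mailrelays.domain"],
    "1.2.3.2": ["mailrelay02.domain", "mailrelays.domain"],
}


def dnsname_matches(pattern: str, name: str) -> bool:
    """RFC 6125-style dNSName comparison: case-insensitive, trailing dot
    ignored, and a wildcard only as the entire leftmost label, matching
    exactly one label, with at least two fixed labels to its right."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p_labels = pattern.split(".")
    n_labels = name.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(n_labels):
        return False
    return p_labels[1:] == n_labels[1:]


def cert_matches(sans: list[str], expected: str) -> bool:
    """A certificate is acceptable for `expected` if any SAN matches it."""
    return any(dnsname_matches(san, expected) for san in sans)


def verify_relays(relay_host: str, certs: dict[str, list[str]]) -> dict[str, bool]:
    """What the post observes: every address relay_host resolves to is
    verified against relay_host itself, the name the admin configured."""
    return {ip: cert_matches(certs[ip], relay_host) for ip in DNS_A[relay_host]}


def verify_relays_via_ptr(relay_host: str, certs: dict[str, list[str]]) -> dict[str, bool]:
    """The PTR variant the post asks about. It passes on the constructed
    data, but the name being verified now comes from the reverse zone,
    which is published by whoever controls the address block, not from the
    client's own configuration. The check then pins the peer to a name the
    admin never chose, so it is only as trustworthy as that reverse zone."""
    result = {}
    for ip in DNS_A[relay_host]:
        reverse_name = DNS_PTR[ip]
        result[ip] = cert_matches(certs[ip], reverse_name)
    return result


if __name__ == "__main__":
    print("before:", verify_relays("mailrelays.domain", CERT_SANS_BEFORE))
    print("after: ", verify_relays("mailrelays.domain", CERT_SANS_AFTER))
    print("ptr:   ", verify_relays_via_ptr("mailrelays.domain", CERT_SANS_BEFORE))
```

The `before` case reproduces the failure in the post (neither certificate carries `mailrelays.domain`), and `after` shows that adding the shared name as a SAN on each relay makes every resolved address verify without changing the `relay host` line. To see what a real relay presents, `openssl s_client -connect mailrelay01.domain:465 </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName` lists its SANs.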