Re: OpenBSD 5.7-stable/OpenSMTPD 5.4.4 error: client did not present certificate

2015-11-26 Thread David Dahlberg
On Wednesday, 25.11.2015, at 18:51 +0100, Gianluca D.Muscelli wrote:
> Hi, if I use verify in /etc/smtpd.conf sometimes I receive errors like
> this:
[..]
> Nov 25 16:33:05 server smtpd[12808]: smtp-in: Disconnecting session
> 95548f7f974b7523: client did not present certificate
> 
> Any suggestion to fix this problem?

There ain't any fix, because this behaviour is exactly the one that you
requested:

>listen on egress pki mail.example.it tls-require verify 

smtpd.conf(5)
| If tls-require verify is specified, the client must provide a valid 
| certificate to be able to establish an SMTP session.

If you don't want this, don't use it.

BTW, you have other problems as well (found out while trying to PM):

$ dig gianlucamuscelli.it MX
gianlucamuscelli.it. 85780   IN  MX  0 mail.gianlucamuscelli.it.
$ dig mail.gianlucamuscelli.it A
mail.gianlucamuscelli.it has address 192.168.1.30
$ dig mail.gianlucamuscelli.it 
;; connection timed out; no servers could be reached

$ dig gianlucamuscelli.it NS
gianlucamuscelli.it. 85923   IN  NS  ns1.gianlucamuscelli.it.
gianlucamuscelli.it. 85923   IN  NS  ns2.gianlucamuscelli.it.
$ dig ns1.gianlucamuscelli.it A
ns1.gianlucamuscelli.it. 85923  IN  A   192.168.1.30
$ dig ns2.gianlucamuscelli.it 
;; connection timed out; no servers could be reached
$ dig ns2.gianlucamuscelli.it A
ns2.gianlucamuscelli.it. 85923  IN  A   192.168.1.30
$ dig ns2.gianlucamuscelli.it 
;; connection timed out; no servers could be reached



OpenBSD 5.7-stable/OpenSMTPD 5.4.4 error: client did not present certificate

2015-11-25 Thread Gianluca D.Muscelli
Hi, if I use verify in /etc/smtpd.conf sometimes I receive errors like this:

Nov 25 16:33:04 server smtpd[12808]: smtp-in: New session 95548f7f974b7523 from host example.com [x.x.x.x]
Nov 25 16:33:05 server smtpd[12808]: smtp-in: Started TLS on session 95548f7f974b7523: version=TLSv1/SSLv3, cipher=DHE-RSA-AES128-GCM-SHA256, bits=128
Nov 25 16:33:05 server smtpd[12808]: smtp-in: Disconnecting session 95548f7f974b7523: client did not present certificate

Any suggestion to fix this problem?
Thank you!

OpenBSD 5.7-stable
OpenSMTPD 5.4.4

$ cat /etc/mail/smtpd.conf
queue compression
queue encryption key 5fd06dd95d86ebb57144e516b42799cf

table aliases db:/etc/mail/aliases.db
table domains file:/etc/mail/domains
table users file:/etc/mail/users
table blacklist-recipients file:/etc/mail/blacklist-recipients

pki mail.example.it key "/etc/ssl/private/mail.example.it.key"
pki mail.example.it certificate "/etc/ssl/mail.example.it.crt"

max-message-size 50M

listen on egress pki mail.example.it smtps auth hostname example.it
listen on egress pki mail.example.it tls-require verify hostname example.it mask-source

accept from any \
recipient ! \
for domain  \
virtual  \
deliver to maildir "/var/mail/%{user.username}/Inbox"
accept \
recipient ! \
for local alias  \
deliver to maildir "/var/mail/%{user.username}/Inbox"

listen on lo0 hostname example.it
listen on lo0 port 10028 tag DKIM hostname example.it

accept tagged DKIM \
for any \
relay \
hostname example.it
accept from local \
for any \
relay via smtp://127.0.0.1:10027

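
To see which sending hosts a `tls-require verify` listener is turning away, the smtpd log lines can be correlated by session id. This is an added example, not part of the original thread: the patterns follow the three log lines quoted above, and the sample log, host names, addresses and session ids are constructed.

```python
import re
from collections import defaultdict

# Line shapes copied from the smtpd log excerpt in this thread.
NEW = re.compile(r"smtp-in: New session (\w+) from host (\S+) \[([^\]]+)\]")
TLS = re.compile(r"smtp-in: Started TLS on session (\w+): (.+)")
DROP = re.compile(r"smtp-in: Disconnecting session (\w+): "
                  r"client did not present certificate")

def rejected_peers(lines):
    """Map (host, ip) -> TLS parameters of each session dropped for lacking
    a client certificate; also return session ids that could not be traced."""
    sessions = {}                  # session id -> [peer, tls parameters]
    rejected = defaultdict(list)
    orphans = []                   # "New session" line missing, e.g. rotated log
    for line in lines:
        if m := NEW.search(line):
            sessions[m.group(1)] = [(m.group(2), m.group(3)), None]
        elif m := TLS.search(line):
            if m.group(1) in sessions:
                sessions[m.group(1)][1] = m.group(2)
        elif m := DROP.search(line):
            entry = sessions.pop(m.group(1), None)
            if entry is None:
                orphans.append(m.group(1))
            else:
                rejected[entry[0]].append(entry[1])
    return dict(rejected), orphans

# Constructed sample log (documentation addresses, made-up session ids).
P = "Nov 25 16:33:05 server smtpd[12808]: smtp-in: "
T = ": version=TLSv1/SSLv3, cipher=DHE-RSA-AES128-GCM-SHA256, bits=128"
NOCERT = ": client did not present certificate"
SAMPLE = [
    P + "New session aaaa000000000001 from host mx.example.com [192.0.2.10]",
    P + "Started TLS on session aaaa000000000001" + T,
    P + "Disconnecting session aaaa000000000001" + NOCERT,
    P + "New session aaaa000000000002 from host mx.example.net [198.51.100.7]",
    P + "Started TLS on session aaaa000000000002" + T,
    P + "New session aaaa000000000003 from host mx.example.com [192.0.2.10]",
    P + "Started TLS on session aaaa000000000003" + T,
    P + "Disconnecting session aaaa000000000003" + NOCERT,
    P + "Disconnecting session aaaa000000000004" + NOCERT,
]

if __name__ == "__main__":
    peers, orphans = rejected_peers(SAMPLE)
    for (host, ip), tls in sorted(peers.items()):
        print(f"{host} [{ip}]: {len(tls)} session(s) dropped, TLS: {tls[0]}")
    print("untraced sessions:", orphans)
```

Each peer it reports completed the TLS handshake and was disconnected only because it sent no client certificate, which is the behaviour `tls-require verify` asks for.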