Did you try the 'tls no-verify' option described here:
https://man.openbsd.org/smtpd.conf#tls ? If you are sure that some host
under example.com is talking to the correct mail.example.com host, it is OK
to skip the certificate verification.

Thanks,
Dipesh
On Tue, Mar 15, 2022 at 7:18 AM <rea...@catastrophe.net> wrote:

> A private CA has issued server certs to mail.example.org. However, when
> smtpd from another server in the example.org domain connects to
> mail.example.org, TLS validation fails and the message exchange falls back
> to smtp+notls.
>
> Is there a way to add a cert chain somewhere that smtpd will do a chain
> lookup in order to trust the TLS connection?
>
> The following log messages show the error:
>
> Mar 14 15:00:32 server smtpd[73240]: e415a0d39ccaa8a6 mta connected
> Mar 14 15:00:32 server smtpd[73240]: smtp-out: Error on session e415a0d39ccaa8a6: opportunistic TLS failed, downgrading to plain
> Mar 14 15:00:32 server smtpd[73240]: e415a0d39ccaa8a6 mta connecting address=smtp+notls://100.64.10.1:25 host=mail.example.org
> Mar 14 15:00:32 server smtpd[73240]: e415a0d39ccaa8a6 mta connected
> Mar 14 15:00:32 server smtpd[73240]: e415a0d39ccaa8a6 mta delivery evpid=6ad1c44d48964de8 from=<sen...@example.com> to=<recipi...@example.org> rcpt=<-> source="100.64.10.9" relay="100.64.10.1 (mail.example.org)" delay=42s result="Ok" stat="250 2.0.0 180e8af2 Message accepted for delivery"
>
> Thanks in advance.
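As an added illustration (not part of either message in the thread), here is how the two approaches look side by side in smtpd.conf: the `tls no-verify` relay option suggested in the reply keeps TLS on the wire but accepts any certificate, so it gives up the protection against an impersonated mail.example.org that verification exists to provide, whereas declaring the private CA with a `ca` directive and referencing it from the relay action keeps verification intact. This assumes an OpenSMTPD release whose smtpd.conf supports the `ca caname file` directive and the relay `ca` option (check the man page linked above for your version); the action names, CA file path and hostnames are placeholders.

```conf
# Added example, not from the thread. Names and paths are placeholders.

# Option A (the reply's suggestion): TLS is negotiated, but the remote
# certificate is never checked, so any host answering as mail.example.org
# with any certificate is accepted. Only appropriate on a network segment
# where you already trust every hop between the two servers.
action "relay_noverify" relay host smtp+tls://mail.example.org tls no-verify

# Option B (what the question asked for): trust the private CA that issued
# mail.example.org's certificate, so verification still succeeds and a
# certificate from anyone else is rejected. The PEM file holds the CA chain.
ca "privateca" file "/etc/ssl/private-ca-chain.pem"   # placeholder path
action "relay_verified" relay host smtp+tls://mail.example.org ca "privateca"

# Route mail for the internal domain through the verified relay action.
match from local for domain "example.org" action "relay_verified"
```

If verification still fails with Option B, the usual causes are a chain file missing an intermediate or a server certificate whose subject alternative name does not match the hostname given in the relay action.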
