Hello, in order to prevent man in the middle attacks between my servers, I want to use my own CA. But I have trouble verifying that the destination is really using it.
# uname -a
OpenBSD c7.example.com 6.1 GENERIC#21 amd64
# smtpd -h
version: OpenSMTPD 6.0.0
# cat /etc/mail/smtpd.conf
table pwdauth file:/etc/mail/pwdauth
ca brief.example.com certificate "/etc/mail/example.com_CACert.pem"
listen on lo0
accept for domain c7.example.com relay via \
smtps+auth://e_local...@brief.example.com \
source 0.1.2.3 hostname mx.example.com \
auth <pwdauth> verify
# sendmail fdsa
fdsa
That leads to "mta event=error reason=SSL certificate check failed",
unless I add /etc/mail/example.com_CACert.pem to /etc/ssl/cert.pem.
But that means I have to trust all of /etc/ssl/cert.pem. Some nation
states could capture my juicy status emails ;-)
Have I misunderstood the ca option?
To rephrase: What I'm trying to achieve is, that the certificate of
brief.example.com is checked against the CA from
/etc/mail/example.com_CACert.pem and not from /etc/ssl/cert.pem.
smime.p7s
Description: S/MIME Cryptographic Signature
