Hello, in order to prevent man-in-the-middle attacks between my servers, I want to use my own CA. But I have trouble verifying that the destination is really using it.
    # uname -a
    OpenBSD c7.example.com 6.1 GENERIC#21 amd64
    # smtpd -h
    version: OpenSMTPD 6.0.0
    # cat /etc/mail/smtpd.conf
    table pwdauth file:/etc/mail/pwdauth
    ca brief.example.com certificate "/etc/mail/example.com_CACert.pem"
    listen on lo0
    accept for domain c7.example.com relay via \
        smtps+auth://e_local...@brief.example.com \
        source 0.1.2.3 hostname mx.example.com \
        auth <pwdauth> verify
    # sendmail fdsa fdsa

That leads to "mta event=error reason=SSL certificate check failed", unless I add /etc/mail/example.com_CACert.pem to /etc/ssl/cert.pem. But that means I have to trust all of /etc/ssl/cert.pem. Some nation states could capture my juicy status emails ;-)

Have I misunderstood the ca option? To rephrase: what I'm trying to achieve is that the certificate of brief.example.com is checked against the CA from /etc/mail/example.com_CACert.pem and not against /etc/ssl/cert.pem.
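One way to check, independently of smtpd, which CA file a server certificate actually chains to, as an added example that is not part of the original post or of OpenSMTPD: it builds a throwaway CA plus a leaf for brief.example.com (all constructed), validates the leaf against that CA file and against an unrelated one, and includes a live variant that fetches the chain the relay serves on the smtps port.

```shell
#!/bin/sh
# Added example (not from the original post): check whether a server
# certificate chains to ONE specific CA file, as opposed to the system
# bundle in /etc/ssl/cert.pem. All file names and the toy CA are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed CA: writes "$1.pem"/"$1.key" with CN "$2" (constructed for the demo).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# Leaf certificate "$1.pem" for host "$2", signed by CA "$3".
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" \
    -CAcreateserial -days 2 -out "$1.pem" >/dev/null 2>&1
}

# Does certificate "$2" validate against CA file "$1"? Prints ok / FAIL.
# Note: "openssl verify" also consults the default trust store, so a cert
# from a publicly trusted CA would pass here too; a private CA like the one
# in the question is only accepted when its file is passed with -CAfile.
verify_against_ca() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo FAIL
  fi
}

# Live variant (not run here, needs network): validate the chain the relay
# really serves. $1 = host, $2 = port (465 for smtps), $3 = CA file.
live_check() {
  if openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" \
       -verify_return_error </dev/null >/dev/null 2>&1; then
    echo ok
  else
    echo FAIL
  fi
}

make_ca mailca "Example Mail CA"          # stands in for example.com_CACert.pem
make_ca otherca "Unrelated CA"
make_leaf brief brief.example.com mailca  # stands in for the relay's certificate
echo "own CA:   $(verify_against_ca mailca.pem brief.pem)"   # ok
echo "other CA: $(verify_against_ca otherca.pem brief.pem)"  # FAIL
```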