just a friendly ping...

mcmer-opensm...@tor.at (Marcus MERIGHI), 2020.04.02 (Thu) 12:00 (CEST):
> Hello!
>
> I've recently found a reason [1] to use different certificates for
> relaying than those that are used for submitting mails.
>
> Reading smtpd.conf(5) I learned that "relay" did not list "pki" as an
> option.
>
> Feeling adventurous I just added the "pki pubpki" directive:
> "action rlay relay src <outbound> helo $hname pki pubpki"
>
> "smtpd -n -v" did not complain.
>
> There's a patch for smtpd.conf(5), at the end of this message.
>
> But I'm having a hard time testing. Here's a trace from a receiving end,
> when contacted _by_ the server in question.
>
> smtp: 0x17e7eea48000: <<< STARTTLS
> smtp: 0x17e7eea48000: >>> 220 2.0.0 Ready to start TLS
> smtp: 0x17e7eea48000: STATE_HELO -> STATE_TLS
> 160f48d2b4ce36f0 smtp tls
> ciphers=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
> smtp: 0x17e7eea48000: STATE_TLS -> STATE_HELO
>
> How can I check which certificate was used?
> I control both ends, which are OpenBSD 6.6 with OpenSMTPd.
>
> Or, asking differently: if I have more than one "pki" defined, which
> one is used for "relay" actions?
>
> [1] there's an "internal" domain name that is used for mail submission
> access, which has an acme certificate.
> but, when relaying, it goes out with the "official" name, which is not
> contained in the acme certificate for the "internal" domain.
>
> Thanks for reading that far, Marcus
Index: smtpd.conf.5 =================================================================== RCS file: /cvs/src/usr.sbin/smtpd/smtpd.conf.5,v retrieving revision 1.249 diff -u -p -u -r1.249 smtpd.conf.5 --- smtpd.conf.5 12 Feb 2020 14:46:36 -0000 1.249 +++ smtpd.conf.5 2 Apr 2020 09:14:01 -0000 @@ -274,6 +274,14 @@ and .Dq smtps protocols for authentication. Server certificates for those protocols are verified by default. +.It Cm pki Ar pkiname +For secure connections, +use the certificate associated with +.Ar pkiname +(declared in a +.Ic pki +directive) +to prove a mail server's identity. .It Cm srs When relaying a mail resulting from a forward, use the Sender Rewriting Scheme to rewrite sender address.
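Review bot: the new `.It Cm pki Ar pkiname` entry says the certificate is used "to prove a mail server's identity", which is ambiguous for a relay action, where smtpd is the TLS client and presents this certificate to the remote server; consider "to prove this host's identity to the remote mail server" so the option is not confused with the server-side `listen on ... pki` use. The entry also leaves open which `pki` is used when the option is omitted, the very question asked in the mail; if that default is known, one sentence stating it here would make the option self-explanatory. Inserting the item between the authentication text and `.It Cm srs` keeps the option list alphabetical, which is fine.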
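A local check for the situation footnote [1] describes, added here and not part of Marcus's mail or of OpenSMTPD: before pointing a relay action at "pki pubpki", confirm that the certificate file behind that pki name actually lists the helo host in its subjectAltName. It assumes the openssl(1) command-line tool and a certificate path of your own.

```shell
#!/bin/sh
# Added example (not from the original mail): check that a certificate's
# subjectAltName covers a hostname, e.g. the helo name of a relay action
# that uses "pki pubpki". Assumes the openssl(1) command-line tool.
# Usage: cert_covers_name /path/to/cert.pem mail.example.org

cert_covers_name() {
    cert=$1
    name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    # Take the SAN line from the textual dump, split the comma-separated
    # entries and keep only the DNS: names, lower-cased (IP: entries dropped).
    sans=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p' \
        | tr 'A-Z' 'a-z')
    [ -n "$sans" ] || return 1        # no SAN at all: not covered
    # A here-document keeps the loop in the current shell, so "return" works.
    while read -r san; do
        case "$san" in
            "$name")
                return 0 ;;           # exact match
            \*.*)
                # A wildcard covers exactly one leading label: *.b.c matches
                # a.b.c but neither b.c nor x.a.b.c.
                suffix=${san#\*.}
                rest=${name#*.}
                if [ "$rest" = "$suffix" ] && [ "$rest" != "$name" ]; then
                    return 0
                fi ;;
        esac
    done <<EOF
$sans
EOF
    return 1
}

# Run as a script: exit 0 if the certificate covers the name, 1 otherwise.
if [ $# -eq 2 ]; then
    if cert_covers_name "$1" "$2"; then
        echo "$2 is covered by $1"
    else
        echo "$2 is NOT covered by $1" >&2
        exit 1
    fi
fi
```

Run it against the file named in the pki directive with the host that the helo option will announce; a non-zero exit means the remote side will see a name mismatch if it verifies the presented certificate.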