On 6/21/21 12:52 PM, n...@xn--bimann-cta.de wrote:
since the upgrade to 6.9 at the weekend opensmtpd complains
        smtp cert-check result="no certificate presented"
for incoming EMails. opensmtpd.conf and the certificate chain

Hello.
This is because clients are not providing a tls client certificate
for authentication. See:
https://www.mail-archive.com/misc@opensmtpd.org/msg05280.html


Looking at my certificate I see

        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:0F:80:61:1C:82:31:61:D5:2F:28:E7:8D:46:38:B4:2C:E1:C6:D9:E2

            X509v3 Subject Key Identifier:
                F7:5D:C6:13:97:9B:F8:D4:49:9E:EC:36:E1:B3:26:C2:12:BD:D2:8C

            X509v3 Subject Alternative Name:
                DNS:*.example.de, DNS:example.de, DNS:mail.example.de
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
        :

Looks fine to me. Not to mention that it did work for OpenBSD 6.8, using
the same certificate chain and looking at the same 2 MTAs. OpenBSD 6.8:

:
Jun 13 07:28:31 gate5a smtpd[28825]: 5b12b1c3d9362d18 smtp connected address=199.185.178.25 host=mail.openbsd.org
Jun 13 07:28:32 gate5a smtpd[28825]: 5b12b1c3d9362d18 smtp tls ciphers=TLSv1.3:AEAD-AES256-GCM-SHA384:256
Jun 13 07:28:33 gate5a smtpd[28825]: 5b12b1c3d9362d18 smtp message msgid=b493cde6 size=5248 nrcpt=1 proto=ESMTP
Jun 13 07:28:33 gate5a smtpd[28825]: 5b12b1c3d9362d18 smtp envelope evpid=b493cde6b4306880 from=<owner-bugs+M35148=harald.dunkel=example....@openbsd.org> to=<harald.dun...@example.com>
Jun 13 07:28:43 gate5a smtpd[28825]: 5b12b1c3d9362d18 smtp disconnected reason=quit
:

OpenBSD 6.9:
:
Jun 21 15:08:29 gate5a smtpd[5083]: dd4992e9e4b2a33d smtp connected address=199.185.178.25 host=mail.openbsd.org
Jun 21 15:08:30 gate5a smtpd[5083]: dd4992e9e4b2a33d smtp tls ciphers=TLSv1.3:AEAD-AES256-GCM-SHA384:256
Jun 21 15:08:30 gate5a smtpd[5083]: dd4992e9e4b2a33d smtp cert-check result="no certificate presented"
Jun 21 15:08:31 gate5a smtpd[5083]: dd4992e9e4b2a33d smtp message msgid=acf4c26b size=2087 nrcpt=1 proto=ESMTP
Jun 21 15:08:31 gate5a smtpd[5083]: dd4992e9e4b2a33d smtp envelope evpid=acf4c26b733f72fa from=<owner-misc+M189705=harald.dunkel=example....@openbsd.org> to=<harald.dun...@example.com>
Jun 21 15:08:41 gate5a smtpd[5083]: dd4992e9e4b2a33d smtp disconnected reason=quit
:


?


Every helpful comment is highly appreciated

Harri
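
One way to check from the logs whether sessions that log "no certificate presented" still go on to accept mail, as an added example that is not part of the original thread: it groups smtpd log lines by session id and lists the sessions that logged that cert-check result and also logged a message. The sample lines are constructed in the log format quoted above, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample lines in the smtpd log format quoted in the thread;
# session ids, addresses and msgids are made up for this example.
SAMPLE_LOG = """\
Jun 21 15:08:29 gate5a smtpd[5083]: aaaa000000000001 smtp connected address=192.0.2.25 host=mx.example.org
Jun 21 15:08:30 gate5a smtpd[5083]: aaaa000000000001 smtp tls ciphers=TLSv1.3:AEAD-AES256-GCM-SHA384:256
Jun 21 15:08:30 gate5a smtpd[5083]: aaaa000000000001 smtp cert-check result="no certificate presented"
Jun 21 15:08:31 gate5a smtpd[5083]: aaaa000000000001 smtp message msgid=0badcafe size=2087 nrcpt=1 proto=ESMTP
Jun 21 15:08:41 gate5a smtpd[5083]: aaaa000000000001 smtp disconnected reason=quit
Jun 21 15:09:02 gate5a smtpd[5083]: aaaa000000000002 smtp connected address=192.0.2.26 host=mx2.example.org
Jun 21 15:09:03 gate5a smtpd[5083]: aaaa000000000002 smtp tls ciphers=TLSv1.3:AEAD-AES256-GCM-SHA384:256
Jun 21 15:09:04 gate5a smtpd[5083]: aaaa000000000002 smtp message msgid=0badbeef size=5248 nrcpt=1 proto=ESMTP
Jun 21 15:09:14 gate5a smtpd[5083]: aaaa000000000002 smtp disconnected reason=quit
"""

LINE = re.compile(r'smtpd\[\d+\]: (?P<sid>[0-9a-f]{16}) smtp (?P<event>[\w-]+)(?: (?P<rest>.*))?$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def summarize(log_text):
    """Group smtp events by session id and return {session_id: summary}."""
    sessions = defaultdict(lambda: {"host": None, "tls": None, "cert_check": None, "msgids": []})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an "smtp" session line
        fields = {k: v.strip('"') for k, v in FIELD.findall(m["rest"] or "")}
        s = sessions[m["sid"]]
        if m["event"] == "connected":
            s["host"] = fields.get("host")
        elif m["event"] == "tls":
            s["tls"] = fields.get("ciphers")
        elif m["event"] == "cert-check":
            s["cert_check"] = fields.get("result")  # stays None if never logged
        elif m["event"] == "message":
            s["msgids"].append(fields.get("msgid"))
    return dict(sessions)

def accepted_without_client_cert(sessions):
    """Session ids that logged 'no certificate presented' and still logged a message."""
    return sorted(sid for sid, s in sessions.items()
                  if s["cert_check"] == "no certificate presented" and s["msgids"])

if __name__ == "__main__":
    for sid in accepted_without_client_cert(summarize(SAMPLE_LOG)):
        print(sid)
```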
