On Mon, May 09, 2016 at 11:07:40AM +0200, Gilles Chehade wrote:
> On Tue, May 03, 2016 at 02:42:41AM +0200, [email protected] wrote:
> > >Synopsis:	smtpd.conf man page does not mention "listen [..] ca"
> > >Category:	system
> > >Environment:
> > 	System      : OpenBSD 5.9
> > 	Details     : OpenBSD 5.9 (GENERIC) #1761: Fri Feb 26 01:15:04 MST 2016
> > 			 [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC
> > 
> > 	Architecture: OpenBSD.amd64
> > 	Machine     : amd64
> > >Description:
> > 	With the upgrade from 5.8 to 5.9 the way to configure smtpd to
> > 	use client certificates for authentication has changed. The old
> > 	way with "pki [..] ca" no longer works; instead it seems that
> > 	adding a "ca" parameter to the listen directive gets the job done.
> > 
> > 	I could not find this documented anywhere in the smtpd.conf man
> > 	page (the page does not appear to mention the "ca" parameter on
> > 	"listen" directives at all); adding that information would probably
> > 	make it easier for others to figure out how to update their old
> > 	configuration.
> > >How-To-Repeat:
> > 	With 5.8 I had a configuration like:
> > 
> > 	pki mypki certificate "/etc/mail/my.crt"
> > 	pki mypki key "/etc/mail/my.key"
> > 	pki mypki ca "/etc/mail/ca.crt"
> > 	listen on all port 587 tls-require verify pki mypki auth-optional tag auth
> > 
> > 	This configuration is no longer valid with version 5.9.
> > >Fix:
> > 	With version 5.9 I had to adjust the configuration to look like this:
> > 
> > 	pki mypki certificate "/etc/mail/my.crt"
> > 	pki mypki key "/etc/mail/my.key"
> > 	ca myca certificate "/etc/mail/ca.crt"
> > 	listen on all port 587 tls-require verify pki mypki auth-optional tag auth \
> > 		ca myca
> > 
> 
> will take care of this today
I had the diff below already in my tree. ok?

Index: smtpd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/smtpd.conf.5,v
retrieving revision 1.159
diff -u -p -r1.159 smtpd.conf.5
--- smtpd.conf.5	3 May 2016 18:43:45 -0000	1.159
+++ smtpd.conf.5	10 May 2016 18:35:32 -0000
@@ -664,6 +664,7 @@ Changing the default value might degrade
 .Op Ic filter Ar name
 .Op Ic tls | tls-require | tls-require verify | smtps | secure
 .Op Ic pki Ar pkiname
+.Op Ic ca Ar caname
 .Op Ic auth | auth-optional Op < Ns Ar authtable Ns >
 .Op Ic tag Ar tag
 .Op Ic hostname Ar hostname
@@ -742,6 +743,9 @@ is specified, a certificate matching
 .Ic name
 is searched for.
+Moreover, a previously declared
+.Ic ca
+directive maybe specified to use a custom CA certificate.
 .Pp
 If the
 .Ic auth
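Review bot: in the second hunk, the third added line reads "directive maybe specified"; that should be "may be specified". While touching that sentence, "to use a custom CA certificate" does not tell the reader what the CA is used for; the report above only needed it together with "tls-require verify" to authenticate clients by certificate, so something like ".Ic ca" / "directive may be specified to verify client certificates against a custom CA certificate." would let a reader migrating from "pki ... ca" find the right option.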
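One check a practitioner would want after making the change described in the report above, as an added example that is not part of this thread or of OpenSMTPD: write the 5.9-style configuration, syntax-check it with smtpd -n, and then confirm from the outside that the port 587 listener actually asks connecting clients for a certificate. Host name, port, CA subject and the certificate file names are assumptions, and the two s_client transcripts embedded at the end are constructed so the classifier can be exercised without a running server.

```shell
#!/bin/sh
# Added example (not from the bug report or from OpenSMTPD itself):
# after moving the CA from "pki mypki ca" to a top-level "ca" declaration
# plus "listen ... ca myca", check that the listener really asks clients
# for a certificate. Host, port, CA subject and file names are assumptions.
set -u

HOST=${HOST:-mail.example.org}
PORT=${PORT:-587}
CA_SUBJECT=${CA_SUBJECT:-"CN = Example CA"}

# The 5.9-style configuration from the report, ready for "smtpd -n -f".
# (The paths under /etc/mail are assumed to hold the usual PEM files.)
write_conf() {
    cat > "$1" <<'EOF'
pki mypki certificate "/etc/mail/my.crt"
pki mypki key "/etc/mail/my.key"
ca myca certificate "/etc/mail/ca.crt"
listen on all port 587 tls-require verify pki mypki auth-optional tag auth \
    ca myca
EOF
}

# Classify the handshake output of "openssl s_client". A server that
# verifies client certificates sends a CertificateRequest; s_client lists
# the CA names it carried under "Acceptable client certificate CA names".
# A listener configured without "ca" makes s_client print "No client
# certificate CA names sent" instead. Returns 0 when the expected CA
# subject was requested, 1 otherwise. (The subject format depends on the
# OpenSSL/LibreSSL version: "CN = Example CA" or "/CN=Example CA".)
ca_requested() {
    out=$1      # captured s_client output
    subj=$2     # CA subject string to look for
    case $out in
    *"No client certificate CA names sent"*) return 1 ;;
    esac
    printf '%s\n' "$out" | awk -v subj="$subj" '
        /^Acceptable client certificate CA names/ { in_list = 1; next }
        in_list && /^(Client Certificate Types|Requested Signature|---)/ { in_list = 0 }
        in_list && index($0, subj) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Live probe (needs a reachable listener, so it is not run below):
#   write_conf /tmp/smtpd.conf.new && smtpd -n -f /tmp/smtpd.conf.new
#   out=$(openssl s_client -connect "$HOST:$PORT" -starttls smtp \
#             -cert client.crt -key client.key -CAfile ca.crt </dev/null 2>&1)
#   ca_requested "$out" "$CA_SUBJECT" && echo "listener requests client certs"

# Constructed s_client transcripts (not captured from a real server) so
# the classifier can be exercised without a listener.
SAMPLE_WITH_CA='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = mail.example.org
   i:CN = Example CA
---
Acceptable client certificate CA names
CN = Example CA
Client Certificate Types: RSA sign, ECDSA sign
---
SSL handshake has read 2048 bytes and written 400 bytes'
SAMPLE_NO_CA='CONNECTED(00000003)
---
No client certificate CA names sent
---
SSL handshake has read 2048 bytes and written 400 bytes'

if ca_requested "$SAMPLE_WITH_CA" "$CA_SUBJECT"; then
    echo "sample 1: listener requests certificates issued by $CA_SUBJECT"
fi
if ! ca_requested "$SAMPLE_NO_CA" "$CA_SUBJECT"; then
    echo "sample 2: no client CA names sent (listen line missing 'ca'?)"
fi
```

The probe deliberately looks at the CertificateRequest rather than at whether the session succeeds: with auth-optional a client without a certificate still gets a TLS session, so "the connection worked" proves nothing about whether the CA from the listen line is in effect.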
