On Tue, May 10, 2016 at 08:37:56PM +0200, Joerg Jung wrote:
> On Mon, May 09, 2016 at 11:07:40AM +0200, Gilles Chehade wrote:
> > On Tue, May 03, 2016 at 02:42:41AM +0200, [email protected] wrote:
> > > >Synopsis: smtpd.conf man page does not mention "listen [..] ca"
> > > >Category: system
> > > >Environment:
> > > System : OpenBSD 5.9
> > > Details : OpenBSD 5.9 (GENERIC) #1761: Fri Feb 26 01:15:04 MST 2016
> > >
> > > [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC
> > >
> > > Architecture: OpenBSD.amd64
> > > Machine : amd64
> > > >Description:
> > > With the upgrade from 5.8 to 5.9 the way to configure smtpd to
> > > use client certificates for authentication has changed. The old
> > > way with "pki [..] ca" no longer works; instead it seems that
> > > adding a "ca" parameter to the listen directive gets the job done.
> > >
> > > I could not find this documented anywhere in the smtpd.conf man
> > > page (the page does not appear to mention the "ca" parameter on
> > > "listen" directives at all); adding that information would probably
> > > make it easier for others to figure out how to update their old
> > > configuration.
> > > >How-To-Repeat:
> > > With 5.8 I had a configuration like:
> > >
> > > pki mypki certificate "/etc/mail/my.crt"
> > > pki mypki key "/etc/mail/my.key"
> > > pki mypki ca "/etc/mail/ca.crt"
> > > listen on all port 587 tls-require verify pki mypki auth-optional tag auth
> > >
> > > This configuration is no longer valid with version 5.9.
> > > >Fix:
> > > With version 5.9 I had to adjust the configuration to look like this:
> > >
> > > pki mypki certificate "/etc/mail/my.crt"
> > > pki mypki key "/etc/mail/my.key"
> > > ca myca certificate "/etc/mail/ca.crt"
> > > listen on all port 587 tls-require verify pki mypki auth-optional tag auth \
> > >     ca myca
> > >
> >
> > will take care of this today
>
> I had the diff below already in my tree.
>
> ok?
one comment inlined, then ok > Index: smtpd.conf.5 > =================================================================== > RCS file: /cvs/src/usr.sbin/smtpd/smtpd.conf.5,v > retrieving revision 1.159 > diff -u -p -r1.159 smtpd.conf.5 > --- smtpd.conf.5 3 May 2016 18:43:45 -0000 1.159 > +++ smtpd.conf.5 10 May 2016 18:35:32 -0000 > @@ -664,6 +664,7 @@ Changing the default value might degrade > .Op Ic filter Ar name > .Op Ic tls | tls-require | tls-require verify | smtps | secure > .Op Ic pki Ar pkiname > +.Op Ic ca Ar caname > .Op Ic auth | auth-optional Op < Ns Ar authtable Ns > > .Op Ic tag Ar tag > .Op Ic hostname Ar hostname > @@ -742,6 +743,9 @@ is specified, > a certificate matching > .Ic name > is searched for. > +Moreover, a previously declared > +.Ic ca > +directive maybe specified to use a custom CA certificate. may be > .Pp > If the > .Ic auth > -- Gilles Chehade https://www.poolp.org @poolpOrg
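Review bot: in the synopsis hunk (the listen directive around line 664), the new `.Op Ic ca Ar caname` is listed as a free-standing option with nothing indicating when it takes effect; the report shows it being used to verify client certificates together with `tls-require verify`, so consider stating that dependency where `verify` is described, otherwise a reader may expect `ca` to do something on a plain `tls` listener.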
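Review bot: in the description hunk (around line 742), "maybe specified" must read "may be specified", as already noted inline; beyond the typo, "to use a custom CA certificate" does not say what the CA is used for, and the report shows the new `listen ... ca` replacing the old `pki ... ca` that verified client certificates, so suggest "may be specified to verify client certificates against a custom CA certificate" and, since that removal is exactly what the reporter tripped over, a short note that `pki ... ca` is no longer accepted.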
