Hello Bruno, Edgar,

I'm coming back to this topic because I couldn't make it work.
Depending on the FQDN, I need OpenSMTPD to reply with the right certificate.

My configuration:

 pki domain1.com certificate "/etc/smtpd/tls/domain1.com.crt"
 pki domain1.com key "/etc/smtpd/tls/domain1.com.key"
 pki domain2.com certificate "/etc/smtpd/tls/domain2.com.crt"
 pki domain2.com key "/etc/smtpd/tls/domain2.com.key"
 listen on 1.1.1.1 port 25 tls auth-optional <passwords>

My problem: regardless of the FQDN that is accessed, smtpd always sends the
same certificate. But I have only ONE IP/interface; SMTPD doesn't select the
appropriate certificate.
Regards

    On Tuesday, 16 May 2017 at 8:27, Mik J <mikyde...@yahoo.fr> wrote:

 Hello Bruno,
 Thank you for these explanations.

    On Monday, 15 May 2017 at 16:11, Bruno Pagani <bruno.pag...@ens-lyon.org>
wrote:

  Hi,
 
 On 15/05/2017 at 15:46, Mik J wrote:
  
     Hello Bruno, Edgar,
     Thank you for sharing.
     You wrote domain1.com and domain2.com but you don't use them thereafter:

     pki domain1.com certificate "/etc/smtpd/tls/domain1.com.crt"
     pki domain1.com key "/etc/smtpd/tls/domain1.com.key"
     pki domain2.com certificate "/etc/smtpd/tls/domain2.com.crt"
     pki domain2.com key "/etc/smtpd/tls/domain2.com.key"
 
 Yes, that’s the point, SMTPd auto-selects the correct pki based on the asked 
hostname.
 
 
      listen on <IP/dev> hostname <defaulthostname> port 25 tls 
     Also, could you repeat what <defaulthostname> is, a table of IP addresses?
  
 
 No, if you use `hostname`, it’s just one hostname to use as default (when the 
client does not specify the required hostname).
 
 But if you use `hostnames`, then it implies you're listening on a device with
multiple IPs, and in this case indeed this is a table of IP address/hostname
associations.
 
 
     Could you post your complete configuration because I don't understand it
right now.

 I can’t show you one with `hostnames` because that’s not my use case, but here 
is my (M)WE: smtpd.conf:
 ============
 # AES-CBC and DES-CBC3-SHA ciphers because they are the only ones available on some servers
 ciphers ECDHE+CHACHA20:ECDHE+AES:RSA+AES:DES-CBC3-SHA
 
 pki mydefault.host.name certificate "/etc/smtpd/tls/mydefault.host.name.crt"
 pki mydefault.host.name key "/etc/smtpd/tls/mydefault.host.name.key"
 pki mail.another.host.name1 certificate 
"/etc/smtpd/tls/mail.another.host.name1.crt"
 pki mail.another.host.name1 key "/etc/smtpd/tls/mail.another.host.name1.key"
 pki mail.yetanother.host.name2 certificate 
"/etc/smtpd/tls/mail.yetanother.host.name2.crt"
 pki mail.yetanother.host.name2 key 
"/etc/smtpd/tls/mail.yetanother.host.name2.key"
 
 # List of aliases for system users
 table aliases       file:/etc/smtpd/aliases
 # Passwd file for users credentials
 table passwd        passwd:/etc/smtpd/passwd
 # List of domains for which to accept emails
 table vdoms         file:/etc/smtpd/vdoms
 # List of existing email addresses and their aliases
 table vusers        file:/etc/smtpd/vusers
 
 # Accept connections from outside for delivering emails to local users (no 
tls-require [verify] because some servers fail those)
 listen on enp1s0f0 port 25 hostname mydefault.host.name tls
 # Accept connections from local users to send emails
 listen on enp1s0f0 port 587 hostname mydefault.host.name tls-require auth 
<passwd> mask-source
 
 # Deliver local messages
 accept from local for local alias <aliases> deliver to lmtp 
"/var/run/dovecot/lmtp" rcpt-to
 # Deliver incoming emails for local users
 accept from any for domain <vdoms> virtual <vusers> deliver to lmtp 
"/var/run/dovecot/lmtp" rcpt-to
 
 # Send emails to the world (no tls [verify] because some servers fail this)
 accept from local for any relay hostname mydefault.host.name
 ============

 vdoms:
 ============
 host.name
 another.host.name1
 yetanother.host.name2
 ============

 vusers (extract/example):
 ============
 postmas...@host.name    bruno
 postmas...@another.host.name1    bruno
 postmas...@yetanother.host.name2    bruno
 ============

 aliases:
 ============
 vmail: /dev/null
 root: bruno
 ============

 The `passwd` table holds… a passwd table of local users. Note
that I use `mail.` subdomains for my MXs.
 Regards,
 Bruno
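To see from the outside which certificate the listener actually hands out for each SNI name, here is an added diagnostic script; it is not from this thread and not part of OpenSMTPD. It assumes the single IP and the `pki` names and certificate paths from the configuration at the top of the thread (`1.1.1.1`, `domain1.com`, `domain2.com`), speaks the STARTTLS dialogue by hand so the SNI name can differ from the address dialled, and compares the SHA-256 fingerprint of the served leaf certificate with the local `.crt` file for that name.

```python
import base64
import hashlib
import socket
import ssl

SERVER_IP = "1.1.1.1"                      # taken from the listen line in the thread
EXPECTED = {                               # pki name -> certificate file, from the thread's config
    "domain1.com": "/etc/smtpd/tls/domain1.com.crt",
    "domain2.com": "/etc/smtpd/tls/domain2.com.crt",
}

def read_reply(rfile):
    """Consume one SMTP reply (multi-line aware) and return its 3-digit code."""
    while True:
        line = rfile.readline()
        if not line:
            raise ConnectionError("peer closed the connection mid-dialogue")
        if len(line) >= 4 and line[3:4] == b" ":   # "250 " ends a reply, "250-" continues it
            return line[:3].decode("ascii", "replace")

def served_fingerprint(server_ip, sni_name, port=25, timeout=10):
    """STARTTLS against server_ip, offering sni_name in the ClientHello; return SHA-256 of the leaf cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # we inspect the server's choice rather than enforce it
    ctx.verify_mode = ssl.CERT_NONE   # so a self-signed or mis-issued cert is still reported
    with socket.create_connection((server_ip, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        for cmd, want in ((None, "220"), (b"EHLO probe.invalid\r\n", "250"), (b"STARTTLS\r\n", "220")):
            if cmd:
                sock.sendall(cmd)
            if read_reply(rfile) != want:
                raise RuntimeError(f"unexpected SMTP reply before TLS (wanted {want})")
        with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()

def file_fingerprint(pem_text):
    """SHA-256 of the first certificate in a PEM string (for a chain file that is the leaf)."""
    begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    start = pem_text.index(begin) + len(begin)
    der = base64.b64decode(pem_text[start:pem_text.index(end, start)])
    return hashlib.sha256(der).hexdigest()

def check_selection(server_ip, expected):
    """Return {sni_name: True if the served cert is byte-identical to the configured file}."""
    results = {}
    for sni, path in expected.items():
        with open(path) as f:
            results[sni] = served_fingerprint(server_ip, sni) == file_fingerprint(f.read())
    return results

if __name__ == "__main__":
    for sni, ok in check_selection(SERVER_IP, EXPECTED).items():
        print(f"{sni}: {'matches' if ok else 'MISMATCH'}")
```

If every name comes back as a mismatch with the same served fingerprint, compare the names real clients present in SNI (typically the MX hostnames, e.g. `mail.` subdomains as Bruno notes) with the `pki` labels, since selection keys on the exact name offered in the ClientHello.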