2019-01-06 16:21 John Cox wrote:
Hi

I'm using OpenSMTPD 6.4.0

I'm (at least) a little confused as to which sort of certs I should
put in the pki cert and ca conf file entries (I can cope with the key
entry!)

I have an apparently functional ACME setup using the default
acme-client supplied with openbsd. This gives me 3 sorts of cert:

1) Bare cert
2) Chain cert
3) Full chain cert

I have pki cert set to the bare cert, and ca set to the chain cert -
is that correct? or should I use the full chain cert for the pki cert?

I ask because whilst the setup mostly works I do get odd logging like
this:

Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta connecting
address=smtp://212.54.58.11:25 host=mx.mnd.ukmail.iss.as9143.net
Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta connected
Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta starttls
ciphers=version=TLSv1.2, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
Jan  6 14:35:05 azathoth smtpd[87479]: smtp-out: Server certificate
verification succeeded on session 92975635cb3d86a4
Jan  6 14:35:05 azathoth smtpd[87479]: 92975635cb3d86a4 mta delivery
evpid=00fe7e3a0bda75cf from=<[email protected]>
to=<[email protected]> rcpt=<[email protected]>
source="46.235.226.138" relay="212.54.58.11
(mx.mnd.ukmail.iss.as9143.net)" delay=1s result="Ok" stat="250 2.0.0
MXIN650 mail accepted for delivery
;id=g9W5guLw5a6xRg9W5gmZtD;sid=g9W5guLw5a6xR;mta=mx4.mnd;d=20190106;t=153505[CET];ipsrc=46.235.226.138;"
Jan  6 14:35:16 azathoth smtpd[87479]: smtp-out: Error on session
92975635cb3d86a4: opportunistic TLS failed, downgrading to plain
Jan  6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta connecting
address=smtp+notls://212.54.58.11:25 host=mx.mnd.ukmail.iss.as9143.net
Jan  6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta connected
Jan  6 14:35:16 azathoth smtpd[87479]: 92975635cb3d86a4 mta
disconnected reason=quit messages=1

Where it seems to succeed with TLS and then says that it has failed.
What is going on?

Thanks

John Cox

You should use the full chain, so that any connecting computers can
verify the full certificate chain. :)

This is a snippet from my configuration:

pki mx.helloworld.online cert "/etc/ssl/acme/mx.helloworld.online.fullchain.pem"
pki mx.helloworld.online key "/etc/ssl/acme/private/mx.helloworld.online.key"

Hope that helps in some way.


--
Oscar

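An added example, not code from this thread or from OpenSMTPD: a small shell check for the bare/chain/fullchain distinction the question raises. It counts the certificate blocks in the file a "pki ... cert" line points at (a bare leaf has one, a fullchain has the leaf followed by its intermediate(s)), dumps the subject/issuer of each block so the chain order can be eyeballed, and shows the openssl s_client invocation a connecting MTA's view can be checked with. The sample PEM files are constructed with fake bodies, and the host name mx.example.net in the usage note is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or OpenSMTPD): classify the PEM file
# named in an OpenSMTPD "pki <name> cert ..." entry and show what a remote
# MTA receives over STARTTLS. Paths and host names here are hypothetical.

# Number of PEM certificate blocks in a file. grep -c exits 1 when the count
# is 0, so "|| true" keeps the printed "0" without aborting under set -e.
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# "bare": leaf only, so a peer that trusts only root CAs cannot build the
# chain; "fullchain": leaf plus intermediate(s), which is what the pki cert
# entry should point at; "none": no certificate block at all.
pem_kind() {
    case "$(pem_cert_count "$1")" in
        0) echo none ;;
        1) echo bare ;;
        *) echo fullchain ;;
    esac
}

# Print subject= and issuer= for every certificate in the bundle, in file
# order, so block N's issuer can be compared with block N+1's subject.
# Needs openssl; wraps the bundle in a PKCS#7 structure purely to get
# -print_certs to walk all of them.
pem_chain_dump() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not available" >&2; return 1; }
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# What a connecting MTA sees: the chain the server sends (-showcerts) and
# whether it verifies against the local trust store. "Verify return code:
# 0 (ok)" is the goal; "21 (unable to verify the first certificate)" is the
# usual symptom of serving a bare leaf without its intermediate.
smtp_starttls_check() {
    openssl s_client -starttls smtp -connect "$1:25" -servername "$1" -showcerts </dev/null 2>/dev/null |
        grep -E '^ *[0-9]+ s:|^ *i:|Verify return code'
}

# Constructed sample input (fake base64 bodies, not real certificates),
# mirroring the three files acme-client produces: cert (leaf), chain
# (intermediate), fullchain (cert followed by chain).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'TEVBRg==' '-----END CERTIFICATE-----' > "$demo_dir/cert.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'SU5URVI=' '-----END CERTIFICATE-----' > "$demo_dir/chain.pem"
cat "$demo_dir/cert.pem" "$demo_dir/chain.pem" > "$demo_dir/fullchain.pem"

for f in cert.pem chain.pem fullchain.pem; do
    echo "$f: $(pem_cert_count "$demo_dir/$f") certificate block(s) -> $(pem_kind "$demo_dir/$f")"
done
rm -rf "$demo_dir"
```

Run it as-is for the classification demo; for a real file use `pem_kind /etc/ssl/acme/mx.helloworld.online.fullchain.pem` and `pem_chain_dump` on the same path, then `smtp_starttls_check mx.example.net` (hypothetical host) from another machine to confirm the served chain verifies as a remote MTA would see it.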
--
You received this mail because you are subscribed to [email protected]
To unsubscribe, send a mail to: [email protected]
