Hi all

Can anyone help me with how to get custom certificate verification to
work in opensmtpd?

I have two opensmtpd machines - yidhra & azathoth - and I want to
deliver mail from azathoth to yidhra.

On yidhra:

I have generated a local self-signed CA cert
I have generated a machine cert and signed it with my CA cert
I can verify the machine cert against the CA cert with openssl
I have the certs set in smtpd.conf with

pki yidhra.outer.uphall.net cert "/etc/ssl/local_certs/yidhra.outer.uphall.net.crt"
pki yidhra.outer.uphall.net key "/etc/ssl/private/yidhra.outer.uphall.net.key"
ca yidhra.outer.uphall.net cert "/etc/ssl/local_certs/ca_uphall.net.crt"

and I believe that all works.

When azathoth attempts to deliver mail I get

Mar  4 15:25:04 azathoth smtpd[85072]: 45f2eb8c98e80a78 mta connecting address=smtp://10.44.0.3:25 host=yidhra.outer.uphall.net
Mar  4 15:25:04 azathoth smtpd[85072]: 45f2eb89e3a43fb8 smtp disconnected reason=quit
Mar  4 15:25:04 azathoth smtpd[85072]: 45f2eb8c98e80a78 mta connected
Mar  4 15:25:04 azathoth smtpd[85072]: 45f2eb8c98e80a78 mta tls ciphers=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
Mar  4 15:25:04 azathoth smtpd[85072]: 45f2eb8c98e80a78 mta server-cert-check result="failure"

My questions are:
Where should I have put the local CA cert on azathoth in order to get
cert check success?

Do I need a certificate with purposes set - my current one doesn't?  

Can I get enhanced debug on the cert verification process so I know
what is failing?

I had this working (with verify required) until my certs timed out
recently & I have clearly cocked up something when updating
everything.

Many Thanks

John Cox
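The offline checks behind the questions above (does the machine cert chain to the local CA, does it carry a usable purpose, has it expired, does the name match the host), as an added example that is not part of the original post and is not OpenSMTPD's own code. It builds a throwaway CA and two leaf certificates for the post's hostname in a temp directory, so it does not touch the real files under /etc/ssl; the config sections, extension files and the `ca_uphall.net.crt` path in the final comment are assumptions, and it needs an openssl or LibreSSL CLI that supports `-verify_hostname`.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenSMTPD: build a
# throwaway CA and two leaf certs for the post's mail host, then run the
# offline checks a TLS client-side verifier cares about (chain, purpose,
# hostname, expiry). Assumes an openssl/LibreSSL CLI with -verify_hostname.
set -eu

MAIL_HOST=yidhra.outer.uphall.net        # hostname from the post
WORK=$(mktemp -d)                        # throwaway key material only
trap 'rm -rf "$WORK"' EXIT

# Self-contained openssl config so nothing depends on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = uphall.net local CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Leaf extensions for an SMTP server certificate: serverAuth purpose plus a SAN.
cat > "$WORK/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$MAIL_HOST
EOF

# Same leaf, but marked for the wrong purpose (clientAuth only).
cat > "$WORK/client.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectAltName = DNS:$MAIL_HOST
EOF

make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -config "$WORK/ca.cnf" -extensions v3_ca \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# make_leaf NAME EXTFILE: key + CSR for $MAIL_HOST, signed by the local CA.
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -subj "/CN=$MAIL_HOST" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/$1.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$2" -out "$WORK/$1.crt" 2>/dev/null
}

# chain_ok CERT: signature chain to the local CA, nothing else.
chain_ok() { openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; }

# server_ok CERT: chain plus what a TLS client checks on a server cert:
# sslserver purpose (EKU/keyUsage/basicConstraints) and a matching name.
server_ok() {
    openssl verify -CAfile "$WORK/ca.crt" -purpose sslserver \
        -verify_hostname "$MAIL_HOST" "$1" >/dev/null 2>&1
}

# not_expired CERT: exit 0 unless notAfter is already in the past.
not_expired() { openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1; }

# eku CERT: print the Extended Key Usage, or "none" when the cert has no EKU.
eku() {
    openssl x509 -noout -text -in "$1" | awk '
        /Extended Key Usage/ { getline; sub(/^ +/, ""); print; found = 1 }
        END { if (!found) print "none" }'
}

make_ca
make_leaf server "$WORK/server.ext"
make_leaf client "$WORK/client.ext"

for name in server client; do
    crt="$WORK/$name.crt"
    printf '%s: chain=%s sslserver=%s expired=%s eku="%s"\n' "$name" \
        "$(chain_ok "$crt" && echo ok || echo FAIL)" \
        "$(server_ok "$crt" && echo ok || echo FAIL)" \
        "$(not_expired "$crt" && echo no || echo yes)" \
        "$(eku "$crt")"
done

# Against the live server (address from the post) the same checks end to end;
# the CA file path is assumed:
#   openssl s_client -connect 10.44.0.3:25 -starttls smtp \
#       -CAfile /etc/ssl/local_certs/ca_uphall.net.crt \
#       -verify_hostname yidhra.outer.uphall.net -verify_return_error </dev/null
```

The point of the second leaf is that a plain `openssl verify -CAfile` accepts it (it does chain to the CA), while `-purpose sslserver` rejects it because its EKU does not allow server authentication; a cert with no EKU at all passes the purpose check, since an absent EKU imposes no restriction. `-checkend 0` is the quick way to rule out the expiry case mentioned in the post before digging further.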
