Hi folks,

since the upgrade to OpenBSD 6.9 at the weekend opensmtpd complains

        smtp cert-check result="no certificate presented"

for incoming emails. opensmtpd.conf and the certificate chain
haven't changed. There is only a single MX defined in DNS (for
both "example.com" and "example.de"), matching the certificate.

The FAQs for the OpenBSD upgrade state for opensmtpd

        Configurations that use only a single certificate do not need updating.

Did I miss something here? Every helpful comment is highly appreciated.

Harri

# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

# https://man.openbsd.org/OpenBSD-6.9/smtpd.conf.5

xname = "mail.example.de"

pki $xname cert "/etc/ssl/public/mail.example.de.chain.pem"
pki $xname key "/etc/ssl/private/smtpd.key.pem"
pki $xname dhe auto
#
# ca can be used to introduce another root CA authority. Intermediate
# certs should be appended to the client certificate, instead.
#
# ca $xname cert "/etc/ssl/public/DigiCertCA.crt"

listen on lo0           tls pki $xname
listen on internal      tls pki $xname
listen on external      tls pki $xname

smtp max-message-size 128M

table aliases db:/etc/mail/aliases.db

#
# permitted hosts: srvvm01, gate4a/b
table trusted_mta {192.168.96.11 192.168.96.22 192.168.98.246 192.168.98.248 }

table at_example                        {"@example.de", "@example.com"}
table example                           {"example.de", "example.com"}
table spf_protection_outlook_com        file:/etc/mail/spf_protection_outlook_com
table external_mta                      file:/etc/mail/external_mta

action "local"                  mbox alias <aliases>
action "relay_example"          relay host smtp://mailhost.ac.example.de helo "mail.example.de"
action "relay_external"         relay src { 10.145.142.10 2001:db8:13b0:ffff::60 } helo "mail.example.de"

#
# first match wins, default is to reject.
#
# "from local" and "for local" are the defaults, but it is good practice to not
# omit these statements.
#
match from local                                        for local               action "local"
match from local                                        for domain <example>    action "relay_example"
match from local                                        for any                 action "relay_external"

match from src <trusted_mta>                            for domain <example>    action "relay_example"
match from src <spf_protection_outlook_com>             for domain <example>    action "relay_example"
match from src <external_mta>                           for domain <example>    action "relay_example"
match from src <trusted_mta>                            for any                 action "relay_external"

match from any mail-from <at_example>                   for any                 reject
match from any                                          for domain <example>    action "relay_example"

# the rest is rejected by default
match from any for any reject
