Hi.

My question is pretty simple: Is it possible to have OpenSMTPD listen on a 
single socket (smtps or submission) and authenticate both “real” users (i.e., 
/etc/passwd) and virtual users from a credentials table (without adding the 
real users to the table)?  I think the answer is ‘no’ (and that is a fine 
answer, if that is the answer).

For context, I’m setting up some relaying from an internal set of hosts.  The 
internal relay needs to relay mail to my external mail server.  I currently 
have this working by having my internal relay connecting on the submission port 
(port 25 is firmly blocked) and authenticating as a user from /etc/passwd.

Internally, I have provided self-signed certs for all the machines to 
authenticate with to the internal relay.  I can’t do this on the external relay 
because adding a new CA on a listen command *adds* the CA, it doesn’t *replace* 
the CA (thus allowing any host with a legitimately signed cert to relay).  
See https://github.com/OpenSMTPD/OpenSMTPD/issues/926.

So, according to a comment on this post 
(https://misc.opensmtpd.narkive.com/2puCGKoq/client-certificate-verification-prompt), 
my choices for relaying are basically either allow a cert or authenticate a 
user, and since I can’t use a cert (because I can’t replace CAs), I was hoping 
to add a virtual user instead of creating another login user.

Another possibility might be to make the “default” CA file empty, but then who 
knows what all will break on the system. :-(

Sean
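For readers unfamiliar with the two authentication forms Sean is weighing, here is an added illustration (not part of Sean's post, and not an answer to his question) of how each side of the relaying setup he describes is expressed in smtpd.conf. It shows the external server's submission listener using system (/etc/passwd) credentials, the same listener using a credentials table instead, and the internal relay's outbound action authenticating against that server. The host name mail.example.com, the table names, the user names and every file path are assumptions chosen for the example; the password hash is a placeholder produced with `smtpctl encrypt`.

```shell
#!/bin/sh
# Added example, not from the original post. Writes two assumed
# smtpd.conf fragments plus the table files they reference, then
# checks them with smtpd's own parser. Paths are assumptions.
set -e
OUT="${OUT:-/tmp/opensmtpd-example}"
mkdir -p "$OUT"

# --- External mail server: submission listener --------------------------
# Form 1: "auth" with no table authenticates against the system's
# account database (the /etc/passwd users mentioned in the post).
# Form 2: "auth <creds>" authenticates against a credentials table.
# Each listen directive takes exactly one auth argument; the two
# lines below are alternatives, shown together for comparison.
cat > "$OUT/smtpd.conf.external" <<'EOF'
pki mail.example.com cert "/etc/ssl/mail.example.com.crt"
pki mail.example.com key  "/etc/ssl/private/mail.example.com.key"

# Virtual users: "name<TAB>hash" lines, hash made with `smtpctl encrypt`
table creds file:/etc/mail/creds

# Form 1: system credentials (assumed hostname)
listen on egress port submission tls-require pki mail.example.com auth

# Form 2: credentials table (alternative to the line above, not additive)
# listen on egress port submission tls-require pki mail.example.com auth <creds>

action "outbound" relay
match auth from any for any action "outbound"
EOF

# Credentials table: user name, a tab, then the hash. Placeholder hash.
printf 'relayuser\t$2b$PLACEHOLDER-REPLACE-WITH-smtpctl-encrypt-OUTPUT\n' \
    > "$OUT/creds"

# --- Internal relay: authenticate to the external server ----------------
# The secrets table maps a label to "user:password"; the relay action
# refers to the label in the URL and to the table with "auth <secrets>".
cat > "$OUT/smtpd.conf.internal" <<'EOF'
table secrets file:/etc/mail/secrets

action "to_external" relay host smtp+tls://external@mail.example.com:587 \
    auth <secrets>
match from local for any action "to_external"
EOF
printf 'external\trelayuser:PLACEHOLDER-PASSWORD\n' > "$OUT/secrets"

# Syntax-check each fragment when smtpd is installed; otherwise report
# where the files were written so they can be inspected by hand.
check_config() {
    # Returns 0 when the file is non-empty and names a listen/action.
    f="$1"
    [ -s "$f" ] || return 1
    grep -Eq '^(listen on|action ")' "$f" || return 1
    if command -v smtpd >/dev/null 2>&1; then
        smtpd -n -f "$f" || return 1
    fi
    return 0
}

for f in "$OUT/smtpd.conf.external" "$OUT/smtpd.conf.internal"; do
    check_config "$f" && echo "ok: $f"
done
```

Running the script writes the fragments under $OUT (default /tmp/opensmtpd-example) and, if `smtpd` is on the PATH, runs `smtpd -n -f` against each so a syntax mistake is caught before the real /etc/mail/smtpd.conf is touched. The secrets and creds files hold authentication material and should be readable only by root and the _smtpd group.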
