> On Mar 6, 2023, at 14:28, Thomas Bohl <opensmtpd-misc-64...@aloof.de> wrote:
>
>> My question is pretty simple: Is it possible to have OpenSMTPD listen on a
>> single socket (smtps or submission) and authenticate both "real" users
>> (i.e., /etc/passwd) and virtual users from a credentials table (without
>> adding the real users to the table). I think the answer is 'no' (and that
>> is a fine answer, if that is the answer).
>
> There were talks in the past about making auth as flexible/programmable as
> filters are. So maybe that becomes possible in the future.

I keep hoping. :-)

>> For context, I'm setting up some relaying from an internal set of hosts.
>> The internal relay needs to relay mail to my external mail server. I
>> currently have this working by having my internal relay connecting on the
>> submission port (port 25 is firmly blocked) and authenticating as a user
>> from /etc/passwd.
>>
>> Internally, I have provided self-signed certs for all the machines to
>> authenticate with to the internal relay. I can't do this on the external
>> relay because adding a new CA on a listen command *adds* the CA, it doesn't
>> *replace* the CA (thus allowing any host with a legitimately signed cert
>> to relay).
>
> I'm not sure if I understand you 100%. But maybe you could add multiple
> OpenSMTPD sockets with different authentication and have the firewall forward
> connections, depending on the source IP, to the right internal port. So
> technically the mail server is only reachable on a single port. But depending
> on who asks, it supports different authentication types.

Yeah, I debated setting up 465 as smtps only for relaying from my small fleet
of Alix machines, and 587 for submission from rando devices I use. There are a
number of "solutions", I was just hoping for something "simple". Really just
want a way to authenticate with a cert or a username/password, all over a
single listener. I.e., if the connection isn't using a "known cert" (and by
"known", I don't mean "trusted", I mean "from this set of certs") then it has
to supply username/password.

If anyone feels like implementing this, contact me off list and we can discuss
a possible sponsorship. Possibly a little in the future. :-)

Sean
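One way to wire up the two-listener idea from the thread (one external port, the firewall picks the internal listener by source IP), as an added example that is not code from the thread or from the OpenSMTPD project; hostnames, file paths, the 192.0.2.0/24 relay addresses and the 10465/10587 internal ports are assumptions, and the pf fragment assumes OpenBSD pf syntax.

```conf
# /etc/mail/smtpd.conf (assumed layout; names, paths and ports are illustrative)

pki mail.example.org cert "/etc/ssl/mail.example.org.crt"
pki mail.example.org key  "/etc/ssl/private/mail.example.org.key"

# Private CA that signed the client certs of the relay fleet (assumed path).
ca fleet cert "/etc/ssl/fleet-ca.crt"

# Virtual users that submit with a username/password (assumed path).
table creds file:/etc/mail/credentials

# Listener A: only reachable through the pf rdr-to rule below, from the
# relay fleet. "verify" forces the client to present a certificate that
# chains to a trusted CA. Because "ca" adds to the trust store instead of
# replacing it (the problem raised in the thread), the source-IP restriction
# in pf is what keeps this listener from accepting any publicly signed cert.
listen on lo0 port 10465 tls-require verify pki mail.example.org ca fleet tag RELAYS

# Listener B: everyone else, password auth, STARTTLS mandatory before AUTH.
listen on lo0 port 10587 tls-require pki mail.example.org auth <creds> tag USERS

action "relay" relay
action "deliver" mbox

# Sessions tagged RELAYS already proved a fleet cert on listener A.
match tag RELAYS from any for any action "relay"
# Sessions on listener B may relay only after a successful AUTH.
match auth from any for any action "relay"
match from any for local action "deliver"

# Matching /etc/pf.conf fragment (assumed OpenBSD pf syntax). Only port 587
# is exposed; pf's last-match-wins semantics are why the fleet rule carries
# "quick": without it the generic rule below would override it.
#   table <relays> { 192.0.2.10, 192.0.2.11 }
#   pass in quick on egress proto tcp from <relays> to port 587 \
#       rdr-to 127.0.0.1 port 10465
#   pass in on egress proto tcp to port 587 \
#       rdr-to 127.0.0.1 port 10587
```

Verify the split with `smtpd -n` and `pfctl -nf /etc/pf.conf` before loading, and confirm from a non-fleet address that port 587 lands on the password listener and rejects relaying without AUTH.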