You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We can technically support authenticating clients using certificates not
issued by your CA if we introduced a new kind of table lookups where the
client certificate is looked up in a store. It's trivial work that could
be wrapped within a couple hours but no one expressed interest in it. It
is therefore not ranged high in my priority list.
As I understand it today, whatever OpenSMTPD is configured with for a list of CAs, the cert needs be issued from that list of CAs, and is the only necessary "verification" for a cert. Further, if running a public SMTP server, and wanting to accept TLS traffic from the internet, one must use a "real" CA for all connections. Thus, it is impossible to limit a connection based on certificate only.
If we could generate certs using a private CA, we could add that private CA to other legit CAs, and then pin a set of certs to allow relaying using the table lookup suggested in Gilles comment. I could be wrong, since the man page says:
The ca entry can be referenced in listener rules and relay actions
However, I only see ca/caname referenced in the listen directive.
With the immense popularity of LetsEncrypt, it's trivial to set up "real" certs, and it would be nice to use these for per-certificate relaying, as well.
The text was updated successfully, but these errors were encountered:
9 years ago, Gilles Chehade wrote this:
(a comment on this post: https://misc.opensmtpd.narkive.com/2puCGKoq/client-certificate-verification-prompt)
As I understand it today, whatever OpenSMTPD is configured with for a list of CAs, the cert needs be issued from that list of CAs, and is the only necessary "verification" for a cert. Further, if running a public SMTP server, and wanting to accept TLS traffic from the internet, one must use a "real" CA for all connections. Thus, it is impossible to limit a connection based on certificate only.
If we could generate certs using a private CA, we could add that private CA to other legit CAs, and then pin a set of certs to allow relaying using the table lookup suggested in Gilles comment. I could be wrong, since the man page says:
However, I only see ca/caname referenced in the listen directive.
With the immense popularity of LetsEncrypt, it's trivial to set up "real" certs, and it would be nice to use these for per-certificate relaying, as well.
The text was updated successfully, but these errors were encountered: