smtpd accept client certificate only from a specific CA #926
Comments
Hi, I investigated this and I understand what happens; I misunderstood your initial issue. Indeed, this adds your CA to the system's list of CAs, it doesn't replace them. There's no way currently in OpenSMTPD to only use your CA unless you tweak the stock certs, and we're too close to the release to change that. We're not making changes to the TLS layer at this point unless there's something critical, as we're also preparing the move to the libtls branch. I'll keep this ticket open so we add this in the next release.
Oh, gotcha! Thanks for digging into this and the information! Dani
I'm assuming since this feature request is still open it was never implemented. It would be nice to be able to override CAs per-port. |
This might be a separate feature request, but I was also looking for a way to verify client certificates against a specific CA, but with SMTPS instead of STARTTLS. Either would work with my use case though :) |
Having this on my relay host running OpenBSD 6.5-stable:
smtpd.conf:

    ca myCA cert "/path/to/myCA.pem"
    listen on egress port submission \
        tls-require verify \
        ca myCA
It seems that this also accepts any certificate that is trusted based on the default /etc/ssl/certs.pem file, along with a certificate signed by myCA.
(Re)moving the stock certs file "fixes" this (although with a warning in the logs).
I guess this should only accept certs that were signed by myCA?
--
Dani