smtpd accept client certificate only from a specific CA #926

Open
levaidaniel opened this issue Jul 26, 2019 · 4 comments
@levaidaniel
Having this on my relay host running OpenBSD 6.5-stable:

smtpd.conf:
ca myCA cert "/path/to/myCA.pem"

listen on egress port submission
tls-require verify
ca myCA

It seems that this also accepts any certificate that is trusted based on the default /etc/ssl/certs.pem file, along with a certificate signed by myCA.
(Re)moving the stock certs file "fixes" this (although with a warning in the logs).

I guess this should only accept certs that were signed by myCA?

--
Dani

@poolpOrg poolpOrg self-assigned this Aug 20, 2019
@poolpOrg
Member

Hi,

I investigated this and I understand what happens; I misunderstood your initial issue.

Indeed, this adds your CA to the system's list of CAs; it doesn't replace them.

There's no way currently in OpenSMTPD to only use your CA unless you tweak the stock certs, and we're too close to the release to change that.

We're not making changes to the TLS layer at this point unless there's something critical, as we're also preparing the move to the libtls branch.

I'll keep this ticket open so we add this in the next release.
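The "adds, doesn't replace" behaviour described above can be reproduced outside smtpd with the openssl CLI. The script below is an added example, not OpenSMTPD code and not from anyone in this thread. It generates a throwaway myCA and an unrelated "other" CA, simulates the stock trust store with a hashed CApath directory containing the other CA, and then verifies client certificates two ways: once with myCA added on top of that store (the behaviour reported in this issue, where the other CA's client is accepted too) and once against myCA alone. The `-no-CAfile`/`-no-CApath` flags need OpenSSL 1.1.0 or later; on OpenSSL 3 a default "store" lookup is also consulted unless `-no-CAstore` is given, which is why SSL_CERT_DIR and SSL_CERT_FILE are additionally pointed at an empty directory. All file names and the scratch directory are assumptions of this example.

```shell
#!/bin/sh
# Added example (not OpenSMTPD code): demonstrates "CA added to the system
# store" versus "verify only against myCA" with plain openssl(1).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl.cnf so the demo does not depend on the system config.
# v3_ca marks issuers as CAs; v3_leaf marks end-entity client certificates.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# make_ca NAME: self-signed CA in $WORK/NAME.pem with key $WORK/NAME.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/openssl.cnf" -extensions v3_ca \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_client NAME CA: client certificate $WORK/NAME.pem signed by CA
make_client() {
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$WORK/openssl.cnf" \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$1.csr" \
        -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
        -extfile "$WORK/openssl.cnf" -extensions v3_leaf \
        -out "$WORK/$1.pem" 2>/dev/null
}

# setup_demo: myCA, an unrelated otherCA, one client from each, and a
# hashed CApath directory standing in for the stock certs bundle.
setup_demo() {
    make_ca myCA
    make_ca otherCA
    make_client good myCA
    make_client rogue otherCA
    mkdir -p "$WORK/system" "$WORK/empty"
    hash=$(openssl x509 -noout -subject_hash -in "$WORK/otherCA.pem")
    cp "$WORK/otherCA.pem" "$WORK/system/$hash.0"
}

# verify_with_system_store CLIENT: myCA *added* to the simulated system
# store, i.e. what the issue reports. Prints accepted or rejected.
verify_with_system_store() {
    if openssl verify -CAfile "$WORK/myCA.pem" -CApath "$WORK/system" \
        "$WORK/$1.pem" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# verify_only_myca CLIENT: trust myCA and nothing else. The -no-* flags
# disable the default file/dir lookups; the SSL_CERT_* variables also
# neutralise the default store lookup that OpenSSL 3 adds.
verify_only_myca() {
    if SSL_CERT_DIR="$WORK/empty" SSL_CERT_FILE="$WORK/empty/none.pem" \
        openssl verify -no-CAfile -no-CApath -CAfile "$WORK/myCA.pem" \
        "$WORK/$1.pem" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

setup_demo
echo "myCA added to system store: good=$(verify_with_system_store good) rogue=$(verify_with_system_store rogue)"
echo "myCA only:                  good=$(verify_only_myca good) rogue=$(verify_only_myca rogue)"
```

The first line of output shows both clients accepted, which is the behaviour reported for `ca myCA` in smtpd.conf; the second shows the rogue client rejected, which is what "only accept certs signed by myCA" would look like. Until OpenSMTPD grows a per-listener override, the only equivalent on the smtpd side is the workaround already mentioned in this thread: trimming the stock certs bundle.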

@levaidaniel
Author

Oh, gotcha! Thanks for digging into this and the information!

Dani

@kamat1z

kamat1z commented Feb 14, 2023

I'm assuming since this feature request is still open it was never implemented. It would be nice to be able to override CAs per-port.

@lnikkila

This might be a separate feature request, but I was also looking for a way to verify client certificates against a specific CA, but with SMTPS instead of STARTTLS. Either would work with my use case though :)
