Yes, this is "expected". Initially there were very few parameters and we started building upon them and ended up with non-swappable parameters.

I recently started to work on making the parameters swappable, but I started with "relay" rules, which was the worst case ever. I will start dealing with "listen" starting tomorrow and hopefully they'll be swappable by the time we release 5.4.1.

Gilles

2013/9/15 Hugo Osvaldo Barrera <[email protected]>

> On 2013-09-09 12:10, Gilles Chehade wrote:
> >
> > Hi,
> >
> > The latest snapshot has some very experimental code that needs HEAVY
> > testing, in particular the following:
> >
> > - complete rework of SSL setup in smtpd.conf
> > - introduce mandatory client certificate verification
> > - introduce mandatory server certificate verification
> > - introduce mandatory TLS relaying for "relay" rules
> >
> > This will BREAK your existing configuration.
> > From now on, to set up TLS/SMTPS you will have to prepare your
> > certificate information as follows:
> >
> >     # first we set up certificate information for a hostname
> >     #
> >     pki mx.opensmtpd.org certificate "/path/to/certificate"
> >     pki mx.opensmtpd.org key "/path/to/key"
> >
> >     # then we reference it
> >     #
> >     listen on all tls pki mx.opensmtpd.org
>
> Looks like this works:
>
>     listen on egress port 25 tls pki mx1.ubertech.com.ar hostname "mx1.ubertech.com.ar"
>
> While this doesn't:
>
>     listen on egress port 25 tls hostname "mx1.ubertech.com.ar" pki mx1.ubertech.com.ar
>
> (Syntax error on line N)
>
> >     accept for any relay via tls://my.hub pki mx.opensmtpd.org
> >
> > In addition, you can turn on STRICT checking of peer certificates:
> >
> >     # refuse clients that do not provide a VALID certificate
> >     listen on all tls-require verify [...]
> >
> >     # do not relay if my.hub did not provide a VALID certificate
> >     accept for any relay via tls://my.hub verify [...]
> >
> > And finally, you can decide to break your email experience
> > by refusing to relay to ANY MX that doesn't support TLS:
> >
> >     accept for any relay tls
> >
> > or that doesn't also provide a VALID certificate:
> >
> >     accept for any relay tls verify
> >
> > PLEASE TEEEEEEEST THIS SNAPSHOT !
> > PLEASE TEEEEEEEST THIS SNAPSHOT !
> > PLEASE TEEEEEEEST THIS SNAPSHOT !
> > PLEASE TEEEEEEEST THIS SNAPSHOT !
> > PLEASE TEEEEEEEST THIS SNAPSHOT !
> > PLEASE TEEEEEEEST THIS SNAPSHOT !
> > PLEASE TEEEEEEEST THIS SNAPSHOT !
> > PLEASE TEEEEEEEST THIS SNAPSHOT !
> >
> > Thanks ;-)
>
> --
> Hugo Osvaldo Barrera
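Putting the snapshot syntax from the thread together in one file, as an added example that is not a configuration from the original mails or from the OpenSMTPD project: the hostname, the certificate paths, the port numbers and the hub name are placeholders, the keyword order on the listen line is the one Hugo reported as working, and the grammar is assumed to match the snapshot described above rather than any later release.

```conf
# Constructed example for the TLS syntax of the snapshot discussed in the
# thread (not the project's shipped smtpd.conf). Hostnames, paths, ports and
# the hub name are placeholders; check the snapshot's smtpd.conf(5) grammar.

# 1. Certificate material is declared once per hostname under "pki".
pki mx.example.org certificate "/etc/ssl/mx.example.org.crt"
pki mx.example.org key "/etc/ssl/private/mx.example.org.key"

# 2. Public MX: offer STARTTLS with that pki entry. Keep "tls pki <name>"
#    before "hostname", the order Hugo reported as working; the reverse
#    produced a syntax error on the snapshot.
listen on egress port 25 tls pki mx.example.org hostname "mx.example.org"

# 3. Strict listener: TLS is mandatory and the client must present a
#    certificate that verifies, otherwise it is refused. Keep this off the
#    public MX port, since remote MTAs generally carry no client certificate.
listen on egress port 587 tls-require verify pki mx.example.org

# 4. Outbound: relay only over TLS to the hub, present our pki entry, and
#    refuse to relay unless the hub's certificate verifies.
accept for any relay via tls://hub.example.org pki mx.example.org verify

# Alternative to 4 for direct MX delivery: refuse any MX without TLS, or
# without a verifiable certificate. As the announcement warns, this makes
# mail to TLS-less MXes undeliverable, so enable it knowingly.
# accept for any relay tls
# accept for any relay tls verify
```

The split between a plain `tls` listener on the MX port and a `tls-require verify` listener on a separate port is the practical way to use the new strict option: inbound mail from arbitrary MTAs keeps working, while the clients you control are held to a verified certificate. The same logic applies outbound, where `verify` on a fixed hub is safe because you know the hub has a valid certificate, whereas `accept for any relay tls verify` depends on every remote MX having one.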
