Does the hostname in the pki directive correspond to the hostname in
/etc/mail/mailname? If so, can I omit the pki parameter in the "listen
on" directive?
For example, if I have "mail.example.com" in /etc/mail/mailname and the
following pki directives in smtpd.conf:
pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"
pki mail.example.com key "/etc/ssl/private/mail.example.com.key"
can I safely change:
listen on mail port smtp tls pki mail.example.com auth-optional <passwd>
listen on mail port submission tls-require pki mail.example.com auth <passwd>
to:
listen on mail port smtp tls auth-optional <passwd>
listen on mail port submission tls-require auth <passwd>
What if mail is accepted from local for domains other than
"example.com"? Will secure connections still be used?
I did some tests and logs indicate the pki can be omitted. But I just
want to confirm with an expert and make sure there are not gotchas or
caveats.
Here is my log from a mail submission with "pki <hostname>" omitted.
Mar 7 04:10:18 hercules smtpd[8551]: smtp-in: New session
33f2a1d1995aac8c from host neo.mokaz.com [10.0.9.13]
Mar 7 04:10:18 hercules smtpd[8551]: smtp-in: Started TLS on session
33f2a1d1995aac8c: version=TLSv1/SSLv3,
cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128
Mar 7 04:10:18 hercules smtpd[8551]: smtp-in: Client certificate
verification failed on session 33f2a1d1995aac8c
Mar 7 04:10:18 hercules smtpd[8551]: smtp-in: Accepted authentication
for user [email protected] on session 33f2a1d1995aac8c
Mar 7 04:10:18 hercules smtpd[8551]: smtp-in: Accepted message e8c5a335
on session 33f2a1d1995aac8c: from=<[email protected]>, to=<[email protected]>,
size=494, ndest=1, proto=ESMTP
Mar 7 04:10:18 hercules smtpd[8551]: smtp-in: Closing session
33f2a1d1995aac8c
Mar 7 04:10:18 hercules smtpd[8551]: delivery: Ok for e8c5a335e26b07fa:
from=<[email protected]>, to=<[email protected]>, user=vmail, method=maildir,
delay=0s, stat=Delivered
The following are my real-life configs:
/etc/mail/smtpd.conf
==========
table users "/etc/mail/users"
table passwd "/etc/mail/passwd"
table aliases "/etc/mail/aliases"
table domains "/etc/mail/domains"
pki mail.targetmeister.com certificate "/etc/ssl/mail.targetmeister.com.crt"
pki mail.targetmeister.com key "/etc/ssl/private/mail.targetmeister.com.key"
listen on localhost
#listen on mail port smtp tls pki mail.targetmeister.com auth-optional <passwd>
#listen on mail port submission tls-require pki mail.targetmeister.com auth <passwd>
listen on mail port smtp tls auth-optional <passwd>
listen on mail port submission tls-require auth <passwd>
accept from local for local alias <aliases> deliver to mbox
accept from any for domain <domains> virtual <users> deliver to maildir \
"/var/spool/vmail/%{dest.domain:lowercase}/%{dest.user:lowercase|strip}"
accept from local for any relay
/etc/mail/domains
==========
ecentryx.com
mokaz.com
targetmeister.com
/etc/mail/mailname
==========
mail.targetmeister.com
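As an added example (not part of the original post and not OpenSMTPD's own code), here is a small Python check that applies the rule the question is about: a listener with tls, tls-require or smtps and no explicit pki is taken to use the pki entry named after the listener's hostname, which defaults to the server hostname (/etc/mail/mailname in this setup). That fallback rule is an assumption about how smtpd resolves the name and should be confirmed against smtpd.conf(5) for the version in use. The embedded config and mailname are constructed copies of the post's, with two extra listeners added: one that sets hostname explicitly, and one that names an undeclared pki so the check has something to catch. The dual-stack check of what the server actually presents (openssl s_client -starttls smtp against port 25 and 587) is not performed here, since it needs a live host.

```python
import shlex

# Constructed from the post's /etc/mail/mailname.
MAILNAME = "mail.targetmeister.com"

# Constructed from the post's smtpd.conf; the "port 465" and "port 2525"
# listeners are added for illustration and are not in the original file.
SMTPD_CONF = """\
table passwd "/etc/mail/passwd"
pki mail.targetmeister.com certificate "/etc/ssl/mail.targetmeister.com.crt"
pki mail.targetmeister.com key "/etc/ssl/private/mail.targetmeister.com.key"
listen on localhost
listen on mail port smtp tls auth-optional <passwd>
listen on mail port submission tls-require auth <passwd>
listen on mail port 465 smtps hostname mail.targetmeister.com auth <passwd>
listen on mail port 2525 tls pki mx.other.example auth-optional <passwd>
"""

TLS_KEYWORDS = {"tls", "tls-require", "smtps"}


def _tokens(conf):
    """Yield the tokens of each non-empty, non-comment line (quotes handled by shlex)."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line, shlex.split(line)


def parse_pki(conf):
    """Map each pki name to the set of parts declared for it (certificate, key, ...)."""
    pki = {}
    for _, tokens in _tokens(conf):
        if tokens[0] == "pki" and len(tokens) >= 3:
            pki.setdefault(tokens[1], set()).add(tokens[2])
    return pki


def parse_listeners(conf):
    """Extract 'listen on' lines with their TLS flag, explicit pki and hostname."""
    listeners = []
    for line, tokens in _tokens(conf):
        if tokens[:2] != ["listen", "on"]:
            continue
        entry = {"line": line, "tls": False, "pki": None, "hostname": None}
        for i, tok in enumerate(tokens):
            if tok in TLS_KEYWORDS:
                entry["tls"] = True
            elif tok == "pki" and i + 1 < len(tokens):
                entry["pki"] = tokens[i + 1]
            elif tok == "hostname" and i + 1 < len(tokens):
                entry["hostname"] = tokens[i + 1]
        listeners.append(entry)
    return listeners


def effective_pki(listener, mailname):
    """Assumed resolution order: explicit pki, then listener hostname, then mailname."""
    return listener["pki"] or listener["hostname"] or mailname


def check_tls_listeners(conf, mailname):
    """Return (line, pki name, missing parts) for every TLS listener whose
    resolved pki entry lacks a certificate or a key."""
    pki = parse_pki(conf)
    problems = []
    for listener in parse_listeners(conf):
        if not listener["tls"]:
            continue
        name = effective_pki(listener, mailname)
        missing = {"certificate", "key"} - pki.get(name, set())
        if missing:
            problems.append((listener["line"], name, sorted(missing)))
    return problems


if __name__ == "__main__":
    for line, name, missing in check_tls_listeners(SMTPD_CONF, MAILNAME):
        print(f"{line}\n  -> pki '{name}' is missing: {', '.join(missing)}")
```

Run it against a copy of the real smtpd.conf and mailname; an empty result means every TLS listener resolves to a pki entry that has both a certificate and a key. Renaming the host without updating the pki name is the case the check is meant to catch.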