There is a CA option in smtpd.conf, for example (CA-ubuntu path):

ca NAME certificate "/etc/ssl/certs/ca-certificates.crt"


Regards,

Marcel


On 17.05.2016 at 09:47, John Cox wrote:
> Hi
>
> Since I upgraded to OpenBSD 5.9 (I think) I've been getting TLS
> validation errors in the headers:
>
>       TLS version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384
> bits=256 verify=NO
>
> Prior to the upgrade I would get verify=YES. (I think it was the
> upgrade to OpenBSD 5.9 and whichever OpenSMTPD that comes with it that
> did it - it was certainly about that time)
>
> I have now upgraded OpenSMTPD to the current 5.9.2 release and that
> makes no difference.
>
> All logging suggests that cert validation is OK (though I note that I
> only ever get that message on outgoing lines, and never on incoming)
>
> What does OpenSMTPD use as its default cert store - as far as I can
> tell the .conf lacks CAfile or CApath options?
>
> Testing with openssl s_client suggests that my certs are generally in
> order
>
> Any clues?
>
> Many thanks
>
> John Cox
>
>
> Log file:
>
>
> May 17 08:26:58 azathoth smtpd[18872]: info: OpenSMTPD 5.9.2 starting
> May 17 08:27:47 azathoth smtpd[10532]: smtp-in: New session
> 31086515f45c2260 from host smtp31.cix.co.uk [77.92.64.18]
> May 17 08:27:48 azathoth smtpd[10532]: smtp-in: Started TLS on session
> 31086515f45c2260: version=TLSv1, cipher=DHE-RSA-AES256-SHA, bits=256
> May 17 08:27:48 azathoth smtpd[10532]: smtp-in: Accepted message
> daa12d76 on session 31086515f45c2260: from=<[email protected]>,
> to=<[email protected]>, size=793, ndest=1, proto=ESMTP
> May 17 08:27:48 azathoth smtpd[10532]: smtp-out: Connecting to
> tls://10.44.0.3:25 (yidhra.outer.uphall.net) on session
> 3108651f4a1f0980...
> May 17 08:27:48 azathoth smtpd[10532]: smtp-in: Closing session
> 31086515f45c2260
> May 17 08:27:48 azathoth smtpd[10532]: smtp-out: Connected on session
> 3108651f4a1f0980
> May 17 08:27:48 azathoth smtpd[10532]: smtp-out: Started TLS on
> session 3108651f4a1f0980: version=TLSv1.2,
> cipher=ECDHE-RSA-CHACHA20-POLY1305, bits=256
> May 17 08:27:48 azathoth smtpd[10532]: smtp-out: Server certificate
> verification succeeded on session 3108651f4a1f0980
> May 17 08:27:48 azathoth smtpd[10532]: relay: Ok for daa12d76fa78afb9:
> session=3108651f4a1f0980, from=<[email protected]>, to=<[email protected]>,
> rcpt=<->, source=46.235.226.138, relay=10.44.0.3
> (yidhra.outer.uphall.net), delay=0s, stat=250 2.0.0: f8f2d286 Message
> accepted for delivery
> May 17 08:27:58 azathoth smtpd[10532]: smtp-out: Closing session
> 3108651f4a1f0980: 1 message sent.
> #
>
>
> Headers:
>
> Return-Path: [email protected]
> Delivered-To: [email protected]
> Received: from azathoth.uphall.net (azathoth.uphall.net
> [46.235.226.138])
>       by yidhra.outer.uphall.net (OpenSMTPD) with ESMTPS id f8f2d286
>       TLS version=TLSv1.2 cipher=ECDHE-RSA-CHACHA20-POLY1305
> bits=256 verify=NO
>       for <[email protected]>;
>       Tue, 17 May 2016 08:27:48 +0100 (BST)
> Received: from smtp1.cix.co.uk (smtp31.cix.co.uk [77.92.64.18])
>       by azathoth.uphall.net (OpenSMTPD) with ESMTPS id daa12d76
>       TLS version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO
>       for <[email protected]>;
>       Tue, 17 May 2016 08:27:48 +0100 (BST)
> Received: (qmail 22491 invoked from network); 17 May 2016 07:27:47
> -0000
> Received: from unknown (HELO Ithaqua.outer.uphall.net) (86.21.189.18)
>   by smtp1.cix.co.uk with ESMTPS (AES256-SHA encrypted); 17 May 2016
> 07:27:47 -0000
> From: John Cox <[email protected]>
> To: John home Cox <[email protected]>
> Subject: Incoming 2
> Date: Tue, 17 May 2016 08:27:47 +0100
> Message-ID: <[email protected]>
> User-Agent: ForteAgent/7.10.32.1212
> MIME-Version: 1.0
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
>
>
>
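
An added example, not part of the original thread: a small Python parser that unfolds the Received headers of a message and reports, per hop, the TLS fields written in the format shown in the quoted headers, so hops recorded with verify=NO can be listed. The sample message, hostnames and ids are constructed placeholders, and the function names are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample: Received headers in the shape shown in the thread
# (hostnames, addresses and ids are placeholders, not from a real message).
SAMPLE = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby mx2.example.net (OpenSMTPD) with ESMTPS id 0a1b2c3d
\tTLS version=TLSv1.2 cipher=ECDHE-RSA-CHACHA20-POLY1305
 bits=256 verify=NO
\tfor <user@example.net>;
\tTue, 17 May 2016 08:27:48 +0100 (BST)
Received: from relay.example.org (relay.example.org [198.51.100.7])
\tby mx1.example.net (OpenSMTPD) with ESMTPS id 4e5f6a7b
\tTLS version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=YES
\tfor <user@example.net>;
\tTue, 17 May 2016 08:27:47 +0100 (BST)
Received: (qmail 22491 invoked from network); 17 May 2016 07:27:47 -0000
Subject: test

body
"""

TLS_RE = re.compile(r"TLS\s+version=(\S+)\s+cipher=(\S+)\s+bits=(\d+)\s+verify=(\w+)")
BY_RE = re.compile(r"\bby\s+(\S+)")

def tls_hops(raw_message):
    """Return one dict per Received header, newest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        by = BY_RE.search(flat)
        tls = TLS_RE.search(flat)
        hop = {"by": by.group(1) if by else None, "tls": bool(tls)}
        if tls:
            hop.update(version=tls.group(1), cipher=tls.group(2),
                       bits=int(tls.group(3)), verified=tls.group(4) == "YES")
        hops.append(hop)
    return hops

def unverified(raw_message):
    """Hops that recorded TLS fields with a verify value other than YES."""
    return [h for h in tls_hops(raw_message) if h["tls"] and not h["verified"]]

if __name__ == "__main__":
    for h in unverified(SAMPLE):
        print(h["by"], h["version"], h["cipher"], "verify=NO")
```

Hops whose Received header carries no TLS fields at all (the qmail line in the sample) are returned by `tls_hops` with `tls` set to False and are left out of `unverified`.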

