> > Relevant lines from smtpd.conf
> > ------------------------------
> >
> > I think the only relevant bit is that I set "relay tls" and not "relay
> > tls no-verify" - the latter config would pass mail outbound despite
> > the remote certificate validation failure.
> >
> > ===
> > pki ersa.daemonic.life cert "/etc/ssl/ersa.daemonic.life.fullchain.pem"
> > pki ersa.daemonic.life key "/etc/ssl/private/ersa.daemonic.life.key"
> > action "outbound" relay tls pki ersa.daemonic.life
> > match from local for any action outbound
> > ===
I'm not sure quite what you're trying to do here; that 'action "outbound" relay'
line doesn't match examples in smtpd.conf(5) etc.
On 2020/04/10 10:48, Bob Beck wrote:
>
> What makes you believe your certificate failure is due to the wildcard DNSname
> and not due to some other reason (like the certificate not being trusted, or
> failing a critical extension, etc.)
>
> A quick scan of the wildcard matching code in smtpd looks correct to me, but
> it won't get in there if the certificate doesn't validate in the first place.
>
> I can't connect to that host from where I am; obviously it does some
> sort of port 25 filtering or I would look at the certificate myself.
> Instead of grepping strings, it might be helpful to show the entire
> certificate.
I can connect, server and chain certs look alright to me ..
$ openssl s_client -connect mx.hostedemail.com:25 -starttls smtp -showcerts -CAfile /etc/ssl/cert.pem
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust RSA CA 2018
verify return:1
depth=0 C = CA, ST = Ontario, L = Toronto, O = Tucows Inc, OU = Operations, CN = *.hostedemail.com
verify return:1
write W BLOCK
---
Certificate chain
0 s:/C=CA/ST=Ontario/L=Toronto/O=Tucows Inc/OU=Operations/CN=*.hostedemail.com
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
subject=/C=CA/ST=Ontario/L=Toronto/O=Tucows Inc/OU=Operations/CN=*.hostedemail.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3443 bytes and written 446 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 41AD1BBE05A17FD309D40EC84F4807B8E2ABD6865A20D0A3A092A3A8DD98178A
Session-ID-ctx:
Master-Key: E3A023E45BD66C7ECD74E69A19789FBA8D79E16222286720598345E78931F3B2BBB061DBFE28ED6CC4843995ACB9FDCA
Start Time: 1586538537
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
250 CHUNKING
Q
DONE
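As an added illustration (not code from this thread, from OpenSMTPD or from libtls), here is the wildcard-name matching a libtls-style verifier applies to the leaf certificate once the chain has validated, written in Python. The rules are my reading of RFC 6125 and are an assumption: the wildcard must be the entire leftmost label, it matches exactly one label, "*.tld" is rejected, and dNSName SANs take precedence over the CN; the SAN list in the sample is constructed, not taken from the real mx.hostedemail.com certificate.

```python
# Added example: RFC 6125-style wildcard matching as applied by libtls-based
# clients such as smtpd's "relay tls".  Reimplementation for illustration,
# not smtpd's own code; the exact rules are an assumption drawn from RFC 6125.
# A verifier only reaches this step after the chain has validated against the
# CA bundle (the "Verify return code: 0 (ok)" in the s_client output above).

def match_name(cert_name: str, host: str) -> bool:
    """True if one certificate DNS name matches the connected host name.
    A wildcard must be the entire leftmost label, matches exactly one label,
    and needs at least two labels after it (so "*.com" never matches)."""
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name == host:
        return True                      # plain, case-insensitive match
    labels = cert_name.split(".")
    if labels[0] != "*":                 # "m*.example" or no wildcard at all
        return False
    if len(labels) < 3 or "" in labels:  # "*", "*.tld", "*..", "*.a..b"
        return False
    host_labels = host.split(".")
    if len(host_labels) < 2 or "" in host_labels:
        return False                     # no host part, no domain, or trailing dot
    # "*.hostedemail.com" matches "mx.hostedemail.com" but not
    # "hostedemail.com" or "a.mx.hostedemail.com".
    return host_labels[1:] == labels[1:]


def cert_matches_host(host: str, san_dns_names: list, common_name) -> bool:
    """Check a leaf certificate's names against the host the client dialled.
    If the certificate carries any dNSName SANs, only those are consulted;
    the subject CN is a legacy fallback for certificates without SANs."""
    if san_dns_names:
        return any(match_name(n, host) for n in san_dns_names)
    return common_name is not None and match_name(common_name, host)


if __name__ == "__main__":
    # Constructed sample: a leaf like the one above (CN=*.hostedemail.com)
    # with an assumed SAN list, checked against names a relay might dial.
    leaf_sans = ["*.hostedemail.com", "hostedemail.com"]
    for target in ("mx.hostedemail.com", "hostedemail.com", "a.mx.hostedemail.com"):
        print(target, "->", cert_matches_host(target, leaf_sans, "*.hostedemail.com"))
```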