On Mon, Feb 17, 2014 at 11:43:50PM +0100, Frank Brodbeck wrote:
> Hm, funny. I wasn't able to reproduce it on my side either:
>
> # touch /etc/ssl/foo{pem,key}
> # chmod 0600 /etc/ssl/foo{pem,key}
> # grep foo /etc/mail/smtpd.conf
> pki foo certificate "/etc/ssl/foo.pem"
> pki foo key "/etc/ssl/foo.key"
> pki foo ca "/etc/ssl/sbde-ca.pem"
> # smtpd -nf /etc/mail/smtpd.conf
> fatal: load_pki_tree: failed to load certificate file
> # vim /etc/mail/smtpd.conf
> # smtpd -nf /etc/mail/smtpd.conf
> fatal: load_pki_tree: failed to load certificate file
> #
>

strange, it would be nice to figure out what caused it though :-/

> Looks like I had something fishy in my config other than the empty
> certs. But I am still wondering about how verify works and I
> wasn't able to get the info from the mta.c code so far.
>
> I have the following accept rule:
>
> accept from any for domain example.tld \
> relay via tls://mail.example.tld \
> hostname relay.example.tld pki mail verify
>
> AFAICT this means that I have to set up a pki mail:
>
> pki mail certificate "/etc/ssl/cert.pem" \
> key "/etc/ssl/private/key.pem" \
> ca "/etc/ssl/ca.pem"
>
> Because with just the ca smtpd will complain about the missing
> certificate and without the key it will complain about the missing key.
> Shouldn't it be enough to have the certificate and the CA?
>
> [...]
>

It should, yes, but it's not doable at the moment.

Long story short, I did a lot of rework to privsep the ssl tree so that it would no longer be in the memory of processes facing the network. It led me to factor some code which allowed verify to work when sending peers a certificate, but not yet in the general case ...

It's coming next, no worries, I just want to avoid touching SSL related code so close to a lock ;-)

-- 
Gilles Chehade

https://www.poolp.org @poolpOrg