
I'm currently setting up a somewhat unique personal email server using OpenSMTPd. I have a local server (Raspberry Pi) and a remote server (VPS). Emails sent to me are sent to the remote server and are then relayed to my local server. When I send an email it goes from my local server to the remote server, and is then relayed to its recipient. Currently I'm only testing inbound mail, and it mostly works, with just one issue: TLS.

If I have "tls-require" set on my local server, my remote server seems to be able to connect, but then disconnects and tries downgrading to plain (smtp+notls), which of course fails. If I just use "tls" instead of "tls-require" the same thing happens, but the smtp+notls attempt works.

The error messages don't seem that helpful. On the remote server I just get "opportunistic TLS failed, downgrading to plain". As I said before, on the local server it looks like the connection WAS successful (at least I think so), but then disconnects:

smtp connected address=redacted.remote.ip.address host=mx1.mydomain.tld
smtp tls ciphers=TLSv1.3:TLS_AES_256_GCM_SHA384:256
smtp disconnected reason=disconnect

I get a somewhat more informative error message if I try to send the email using openssl (from the remote server).

openssl s_client -debug -starttls smtp -crlf -connect redacted.local.ip.address:25

On the remote server everything goes fine until I enter a recipient, at which point I get an SSL error:

RCPT TO:<test@mydomain2.tld>
RENEGOTIATING
17412933263728:error:1404C042:SSL routines:ST_OK:called a function you should not call:/usr/src/lib/libssl/ssl_lib.c:2529:

That error seems to tell me more, but I can't find anything relevant about it. The local server shows exactly the same error as before.


I know a lot of people don't use enforced TLS with email, but for this use case I'd really like to get it working.

My local server is running "Raspberry Pi OS 11 bullseye 64-bit" and OpenSMTPD 6.8.0p2 (the latest version on apt).

My remote server is running "OpenBSD 7.0 GENERIC#224 amd64" and OpenSMTPD 7.0.0.

Any advice would be greatly appreciated. Please let me know if you need any more information.


Here are my configs:

LOCAL SERVER smtpd.conf:

table aliases "/etc/smtpd/aliases"
table domains "/etc/smtpd/domains"
table passwds "/etc/smtpd/passwds"
table remote-servers "/etc/smtpd/remote-servers"

pki "mydomain.tld" cert "/etc/letsencrypt/live/mydomain.tld/fullchain.pem"
pki "mydomain.tld" key "/etc/letsencrypt/live/mydomain.tld/privkey.pem"

# Do I want srs here, on the remote, or both?
srs key "redacted key"

filter   "rdns" phase connect match   !rdns disconnect "550 DNS error"
filter "fcrdns" phase connect match !fcrdns disconnect "550 DNS error"
filter "rspamd" proc-exec "/etc/smtpd/filter-rspamd"

# Inbound
listen on eth0 port 25 tls-require pki "mydomain.tld" filter { "rdns", "fcrdns", "rspamd" }
#listen on eth0 port 25 tls pki "mydomain.tld" filter { "rdns", "fcrdns", "rspamd" }
action "RECV" lmtp "/var/run/dovecot/lmtp" rcpt-to virtual <aliases>
match from src <remote-servers> for domain <domains> action "RECV"
match !from src <remote-servers> for domain <domains> reject

# Outbound
listen on eth0 port 465 smtps       pki "mydomain.tld" auth <passwds> filter "rspamd" mask-src
listen on eth0 port 587 tls-require pki "mydomain.tld" auth <passwds> filter "rspamd" mask-src
action "SEND" relay host mx1.mydomain.tld:465
match from any auth for any action "SEND"

REMOTE SERVER smtpd.conf:

table aliases "/etc/smtpd/aliases"
table domains "/etc/smtpd/domains"

pki "mydomain.tld" cert "/etc/letsencrypt/live/mydomain.tld/fullchain.pem"
pki "mydomain.tld" key "/etc/letsencrypt/live/mydomain.tld/privkey.pem"

# Do I want srs here, on the remote, or both?
srs key "same redacted key"

filter   "rdns" phase connect match   !rdns disconnect "550 DNS error"
filter "fcrdns" phase connect match !fcrdns disconnect "550 DNS error"

# Inbound
listen on eth0 port 25 tls pki "mydomain.tld" filter { "rdns", "fcrdns" }
action "RECV" relay host redacted.local.ip.address:25
match from any for domain <domains> action "RECV"

# Outbound
listen on eth0 port 465 smtps pki "mydomain.tld" mask-src
action "SEND" relay srs
match from src redacted.local.ip.address for any action "SEND"
match !from src redacted.local.ip.address for any reject

Here are the maillogs if I have "tls-require" set:

LOCAL SERVER maillog:

Apr  3 11:57:26 LocalHostname smtpd[3614276]: 3c3d3943d2bc7134 smtp connected address=redacted.remote.ip.address host=mx1.mydomain.tld
Apr  3 11:57:26 LocalHostname smtpd[3614276]: 3c3d3943d2bc7134 smtp tls ciphers=TLSv1.3:TLS_AES_256_GCM_SHA384:256
Apr  3 11:57:26 LocalHostname smtpd[3614276]: 3c3d3943d2bc7134 smtp disconnected reason=disconnect
Apr  3 11:57:26 LocalHostname smtpd[3614276]: 3c3d39441db05cc1 smtp connected address=redacted.remote.ip.address host=mx1.mydomain.tld
Apr  3 11:57:26 LocalHostname smtpd[3614276]: 3c3d39441db05cc1 smtp failed-command command="MAIL FROM:<redacted.email.address@googlemail.com>" result="530 5.5.1 Invalid command: Must issue a STARTTLS command first"
Apr  3 11:57:43 LocalHostname smtpd[3614276]: 3c3d39441db05cc1 smtp disconnected reason=quit

REMOTE SERVER maillog:

Apr  3 11:57:19 RemoteHostname smtpd[94758]: 7349563019b45aeb smtp connected address=209.85.128.178 host=mail-yw1-f178.google.com
Apr  3 11:57:19 RemoteHostname smtpd[94758]: 7349563019b45aeb smtp tls ciphers=TLSv1.3:AEAD-AES256-GCM-SHA384:256
Apr  3 11:57:20 RemoteHostname smtpd[94758]: 7349563019b45aeb smtp message msgid=f8226363 size=2682 nrcpt=1 proto=ESMTP
Apr  3 11:57:20 RemoteHostname smtpd[94758]: 7349563019b45aeb smtp envelope evpid=f822636342a8821f from=<redacted.email.address@googlemail.com> to=<test@mydomain2.tld>
Apr  3 11:57:20 RemoteHostname smtpd[94758]: 734956336de69e03 mta connecting address=smtp://redacted.local.ip.address:25 host=redacted-local-ip-address.isp.tld
Apr  3 11:57:20 RemoteHostname smtpd[94758]: 734956336de69e03 mta connected
Apr  3 11:57:20 RemoteHostname smtpd[94758]: 7349563019b45aeb smtp disconnected reason=quit
Apr  3 11:57:20 RemoteHostname smtpd[94758]: smtp-out: Error on session 734956336de69e03: opportunistic TLS failed, downgrading to plain
Apr  3 11:57:20 RemoteHostname smtpd[94758]: 734956336de69e03 mta connecting address=smtp+notls://redacted.local.ip.address:25 host=redacted-local-ip-address.isp.tld
Apr  3 11:57:20 RemoteHostname smtpd[94758]: 734956336de69e03 mta connected
Apr  3 11:57:20 RemoteHostname smtpd[94758]: 734956336de69e03 mta delivery evpid=f822636342a8821f from=<redacted.email.address@googlemail.com> to=<test@mydomain2.tld> rcpt=<-> source="redacted.remote.ip.address" relay="redacted.local.ip.address (redacted-local-ip-address.isp.tld)" delay=1s result="PermFail" stat="530 5.5.1 Invalid command: Must issue a STARTTLS command first"
Apr  3 11:57:22 RemoteHostname smtpd[94758]: 73495634e55adfe9 smtp connected address=local host=mx1.mydomain.tld
Apr  3 11:57:22 RemoteHostname smtpd[94758]: 73495634e55adfe9 smtp failed-command command="RCPT TO: <redacted.email.address@googlemail.com>" result="550 Invalid recipient: <redacted.email.address@googlemail.com>"
Apr  3 11:57:22 RemoteHostname smtpd[11238]: warn: PermFail injecting failure report on message f8226363 to <redacted.email.address@googlemail.com> for 1 envelope: 550 Invalid recipient: <redacted.email.address@googlemail.com>
Apr  3 11:57:22 RemoteHostname smtpd[94758]: 73495634e55adfe9 smtp disconnected reason=quit
Apr  3 11:57:37 RemoteHostname smtpd[94758]: 734956336de69e03 mta disconnected reason=quit messages=0

And these are the maillogs if I just have "tls" set:

LOCAL SERVER maillog:

Apr  3 12:07:09 LocalHostname smtpd[3849290]: b981307e92d2eeac smtp connected address=redacted.remote.ip.address host=mx1.mydomain.tld
Apr  3 12:07:09 LocalHostname smtpd[3849290]: b981307e92d2eeac smtp tls ciphers=TLSv1.3:TLS_AES_256_GCM_SHA384:256
Apr  3 12:07:09 LocalHostname smtpd[3849290]: b981307e92d2eeac smtp disconnected reason=disconnect
Apr  3 12:07:09 LocalHostname smtpd[3849290]: b981307ff6e18ae3 smtp connected address=redacted.remote.ip.address host=mx1.mydomain.tld
Apr  3 12:07:10 LocalHostname smtpd[3849290]: b981307ff6e18ae3 smtp message msgid=082c7a5e size=2850 nrcpt=1 proto=ESMTP
Apr  3 12:07:10 LocalHostname smtpd[3849290]: b981307ff6e18ae3 smtp envelope evpid=082c7a5e9dec905f from=<redacted.email.address@googlemail.com> to=<test@mydomain2.tld>
Apr  3 12:07:11 LocalHostname dovecot: lmtp(3967460): Connect from local
Apr  3 12:07:11 LocalHostname dovecot: lmtp(test@mydomain2.tld)<3967460><hmVpIN9/SWLkiTwAmV7YnQ>: msgid=<CACebY1Hm4jdhjFKoZ2374zbEq1MZV-yTxsUauV4gzxXqNBVeaQ@mail.gmail.com>: saved mail to INBOX
Apr  3 12:07:11 LocalHostname dovecot: lmtp(3967460): Disconnect from local: Client has quit the connection (state=READY)
Apr  3 12:07:11 LocalHostname smtpd[3849290]: b981308066da2115 mda delivery evpid=082c7a5e9dec905f from=<redacted.email.address@googlemail.com> to=<test@mydomain2.tld> rcpt=<test@mydomain2.tld> user=vmail delay=2s result=Ok stat=Delivered
Apr  3 12:07:27 LocalHostname smtpd[3849290]: b981307ff6e18ae3 smtp disconnected reason=quit

REMOTE SERVER maillog:

Apr  3 12:06:59 RemoteHostname smtpd[94758]: 73495635c8c7456b smtp connected address=209.85.219.174 host=mail-yb1-f174.google.com
Apr  3 12:06:59 RemoteHostname smtpd[94758]: 73495635c8c7456b smtp tls ciphers=TLSv1.3:AEAD-AES256-GCM-SHA384:256
Apr  3 12:07:00 RemoteHostname smtpd[94758]: 73495635c8c7456b smtp message msgid=b912e335 size=2670 nrcpt=1 proto=ESMTP
Apr  3 12:07:00 RemoteHostname smtpd[94758]: 73495635c8c7456b smtp envelope evpid=b912e33501250790 from=<redacted.email.address@googlemail.com> to=<test@mydomain2.tld>
Apr  3 12:07:00 RemoteHostname smtpd[94758]: 7349563834c66e1a mta connecting address=smtp://redacted.local.ip.address:25 host=redacted-local-ip-address.isp.tld
Apr  3 12:07:00 RemoteHostname smtpd[94758]: 7349563834c66e1a mta connected
Apr  3 12:07:00 RemoteHostname smtpd[94758]: 73495635c8c7456b smtp disconnected reason=quit
Apr  3 12:07:00 RemoteHostname smtpd[94758]: smtp-out: Error on session 7349563834c66e1a: opportunistic TLS failed, downgrading to plain
Apr  3 12:07:00 RemoteHostname smtpd[94758]: 7349563834c66e1a mta connecting address=smtp+notls://redacted.local.ip.address:25 host=redacted-local-ip-address.isp.tld
Apr  3 12:07:00 RemoteHostname smtpd[94758]: 7349563834c66e1a mta connected
Apr  3 12:07:02 RemoteHostname smtpd[94758]: 7349563834c66e1a mta delivery evpid=b912e33501250790 from=<redacted.email.address@googlemail.com> to=<test@mydomain2.tld> rcpt=<-> source="redacted.remote.ip.address" relay="redacted.local.ip.address (redacted-local-ip-address.isp.tld)" delay=2s result="Ok" stat="250 2.0.0 082c7a5e Message accepted for delivery"
Apr  3 12:07:19 RemoteHostname smtpd[94758]: 7349563834c66e1a mta disconnected reason=quit messages=1

REMOTE SERVER pf.conf:

#       $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

set skip on lo

block return    # block stateless traffic
pass            # establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild
Josey
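As an added example (not part of the question and not OpenSMTPD's own tooling), a small Python script that correlates the relaying server's maillog by session id and reports every mta session that fell back from smtp:// to smtp+notls://, together with how the cleartext attempt ended. The log lines embedded in it are constructed in the same format as the ones above, with placeholder hosts and documentation IPs.

```python
import re
from collections import defaultdict

# Constructed sample in OpenSMTPD's maillog format (placeholder hosts and
# documentation IPs); modelled on the relay's log above, not copied from it.
SAMPLE_LOG = """\
Apr  3 11:57:20 relay smtpd[94758]: 734956336de69e03 mta connecting address=smtp://192.0.2.10:25 host=pi.example.net
Apr  3 11:57:20 relay smtpd[94758]: 734956336de69e03 mta connected
Apr  3 11:57:20 relay smtpd[94758]: smtp-out: Error on session 734956336de69e03: opportunistic TLS failed, downgrading to plain
Apr  3 11:57:20 relay smtpd[94758]: 734956336de69e03 mta connecting address=smtp+notls://192.0.2.10:25 host=pi.example.net
Apr  3 11:57:20 relay smtpd[94758]: 734956336de69e03 mta delivery evpid=f822636342a8821f from=<a@example.org> to=<b@example.net> rcpt=<-> delay=1s result="PermFail" stat="530 5.5.1 Invalid command: Must issue a STARTTLS command first"
Apr  3 12:07:00 relay smtpd[94758]: 7349563834c66e1a mta connecting address=smtp://192.0.2.10:25 host=pi.example.net
Apr  3 12:07:00 relay smtpd[94758]: smtp-out: Error on session 7349563834c66e1a: opportunistic TLS failed, downgrading to plain
Apr  3 12:07:00 relay smtpd[94758]: 7349563834c66e1a mta connecting address=smtp+notls://192.0.2.10:25 host=pi.example.net
Apr  3 12:07:02 relay smtpd[94758]: 7349563834c66e1a mta delivery evpid=b912e33501250790 from=<a@example.org> to=<b@example.net> rcpt=<-> delay=2s result="Ok" stat="250 2.0.0 Message accepted for delivery"
Apr  3 12:10:00 relay smtpd[94758]: 73495639aa00bb11 mta connecting address=smtp+tls://192.0.2.20:25 host=mx.example.com
Apr  3 12:10:00 relay smtpd[94758]: 73495639aa00bb11 mta tls ciphers=TLSv1.3:AEAD-AES256-GCM-SHA384:256
Apr  3 12:10:01 relay smtpd[94758]: 73495639aa00bb11 mta delivery evpid=aa11bb22cc33dd44 from=<a@example.org> to=<c@example.com> rcpt=<-> delay=1s result="Ok" stat="250 ok"
"""

# syslog timestamp, hostname and "smtpd[pid]: " prefix shared by every line
PREFIX = r"\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ smtpd\[\d+\]: "
RE_CONNECT = re.compile(PREFIX + r"(?P<sid>[0-9a-f]{16}) mta connecting address=(?P<scheme>[a-z+]+)://(?P<addr>\S+) host=(?P<host>\S+)")
RE_DOWNGRADE = re.compile(PREFIX + r"smtp-out: Error on session (?P<sid>[0-9a-f]{16}): opportunistic TLS failed, downgrading to plain")
RE_DELIVERY = re.compile(PREFIX + r'(?P<sid>[0-9a-f]{16}) mta delivery .*result="(?P<result>[^"]+)"')


def find_tls_downgrades(log_text):
    """Return one record per mta session that fell back to cleartext SMTP.

    A session counts as downgraded when smtpd logs the 'opportunistic TLS
    failed' error for it and then reconnects with the smtp+notls scheme.
    Sessions relayed with smtp+tls (tls-require) never appear: they fail instead."""
    sessions = defaultdict(lambda: {"schemes": [], "downgraded": False,
                                    "result": None, "relay": None, "host": None})
    for line in log_text.splitlines():
        m = RE_CONNECT.match(line)
        if m:
            s = sessions[m["sid"]]
            s["schemes"].append(m["scheme"])
            s["relay"], s["host"] = m["addr"], m["host"]
            continue
        m = RE_DOWNGRADE.match(line)
        if m:
            sessions[m["sid"]]["downgraded"] = True
            continue
        m = RE_DELIVERY.match(line)
        if m:
            sessions[m["sid"]]["result"] = m["result"]
    # Report only sessions that actually reconnected without TLS, in log order.
    return [{"session": sid, "relay": s["relay"], "host": s["host"], "plain_result": s["result"]}
            for sid, s in sessions.items() if s["downgraded"] and "smtp+notls" in s["schemes"]]
```

Running `find_tls_downgrades(open("/var/log/maillog").read())` on the real relay log lists which peers are being reached in cleartext and whether the message got through that way (result "Ok") or was refused by a tls-require listener ("PermFail").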
  • Please provide operating system and versions. – Paul Apr 03 '22 at 13:02
  • @Paul - I've updated the question with the operating system and OpenSMTPD versions. My local server is running "Raspberry Pi OS 11 bullseye 64-bit" and OpenSMTPD 6.8.0p2 (the latest version on apt). My remote server is running "OpenBSD 7.0 GENERIC#224 amd64" and OpenSMTPD 7.0.0. – Josey Apr 03 '22 at 14:01
  • What are your port configurations in `pf.conf`? - post the full config, if possible. – Paul Apr 03 '22 at 14:18
  • The remote server is using an LE cert - are you connecting to this server on a globally reachable IP address? – Paul Apr 03 '22 at 14:21
  • @Paul The local server doesn't have pf.conf. The remote server does, but I haven't made any changes. I've added the config to the question. Both the local server and the remote server use the same LE cert (copied from local server to remote server using scp). Yes, it's a globally reachable IP address. – Josey Apr 03 '22 at 15:10
