On 2023-11-30 15:03, Bill Cole via Postfix-users wrote:
> On 2023-11-30 at 08:03:09 UTC-0500 (Thu, 30 Nov 2023 14:03:09 +0100) Alexander Leidinger via Postfix-users <alexan...@leidinger.net> is rumored to have said:
>> My main.cf contains the same certs-path for smtp and smtpd TLS connections:
>>
>> ---snip---
>> # grep CApath main.cf
>> smtp_tls_CApath = /etc/ssl/certs
>> smtpd_tls_CApath = /etc/ssl/certs
>> ---snip---
>>
>> What I see in the failure case is:
>>
>> ---snip---
>> Nov 30 11:18:40 mailgate postfix/tlsproxy[98300]: CONNECT to [140.82.112.31]:25
>> Nov 30 11:18:40 mailgate postfix/tlsproxy[98300]: server certificate verification failed for in-9.smtp.github.com[140.82.112.31]:25: num=62:hostname mismatch
>
> That is the error.
>
> The hostname your TLS configuration is probably expecting for that connection is reply.github.com, but that's apparently just a mail domain, not a hostname, and the machines acting as MXs for it don't use a certificate with that name.
Why should it expect reply.github.com? The MX record lists in-9.smtp.github.com as an MX, postfix is connecting to it, the cert has *.smtp.github.com, and as such it should match the hostname. This has nothing to do with the email address I want to deliver to this server. I can point the MX of leidinger.net to generic.imaginary.mail.provider.com, and as long as this provider has a valid cert for itself, the TLS connection should verify, no matter if this mail server accepts mail for leidinger.net or not.

The same is true for the working connection to freebsd.org. It is connecting to mx1.freebsd.org, which is not at all the same as the mail domain @freebsd.org I used, and it doesn't fail.
> You can probably make it work for this case with suitable special-casing in your configuration, but your configuration is a total mystery to us... Also, I wouldn't consider it a worthwhile effort for most systems, but that's your call for your environment.
You removed the part where posttls-finger is able to verify the connection if I add -P /etc/ssl/cert, but postfix isn't, and it is using the same cert store. So there is a mismatch between postfix and posttls-finger on a TLS connection level, which to my understanding shall not happen.
The config:

---snip---
# postconf -n | grep tls
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_chain_files = $smtpd_tls_chain_files
smtp_tls_connection_reuse = yes
smtp_tls_fingerprint_digest = sha256
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = !SSLv2 , !SSLv3 , !TLSv1 , !TLSv1.1
smtp_tls_note_starttls_offer = yes
smtp_tls_policy_maps = hash:/my/tls_policy, mysql:/my/tls-policy.cf
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:$data_directory/smtp_scache
smtp_tls_session_cache_timeout = 36000s
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_chain_files = /my/keys_and_chain_files
smtpd_tls_dh1024_param_file = /my/dh_2048.pem
smtpd_tls_dh512_param_file = /my/dh_512.pem
smtpd_tls_eecdh_grade = auto
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = export, weak, medium, low, SEED, RSA, CAMELIA, aNULL, eNULL, 3DES, MD5, EXP, PSK, SRP, DSS, RC4, SHA1
smtpd_tls_mandatory_protocols = !SSLv2 , !SSLv3 , !TLSv1 , !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3 , !TLSv1 , !TLSv1.1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/my/smtpd_scache
smtpd_tls_session_cache_timeout = 36000s
tls_high_cipherlist = ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384;
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
tls_ssl_options = NO_COMPRESSION
---snip---

And the tls policy map contains nothing for github. This is with postfix 3.8.3.

Bye,
Alexander.

--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netch...@freebsd.org : PGP 0x8F31830F9F2772BF
_______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
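The disagreement in the thread is about which name Postfix compares the server certificate against. The following is an added example, not code from the thread and not Postfix's own implementation: a small model of the names checked at the "verify" and "secure" client TLS levels, run against a constructed SAN list modelled on the wildcard certificate quoted above. It assumes the documented defaults smtp_tls_verify_cert_match = hostname (the MX host name) and smtp_tls_secure_cert_match = nexthop, dot-nexthop (the next-hop domain or any sub-domain of it), that a wildcard is honoured only as the entire leftmost label and covers exactly one label, and that a ".domain" pattern never accepts a wildcard name; the exact corner cases of Postfix's matcher may differ. At smtp_tls_security_level = may, the level in the quoted config, no name match is required at all, so that level is left out.

```python
from __future__ import annotations

# Added example, not Postfix's code. Default match lists assumed per the lead-in.
DEFAULT_MATCH = {
    "verify": ["hostname"],
    "secure": ["nexthop", "dot-nexthop"],
}


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def cert_name_matches(cert_name: str, pattern: str) -> bool:
    """Does one certificate name (CN or dNSName SAN) satisfy one pattern?

    pattern is either a host name ("in-9.smtp.github.com") or a leading-dot
    sub-domain pattern (".reply.github.com", i.e. anything below that domain).
    """
    cert = _labels(cert_name)
    if pattern.startswith("."):
        parent = _labels(pattern[1:])
        if "*" in cert_name:          # assumption: no wildcard under ".domain"
            return False
        return len(cert) > len(parent) and cert[-len(parent):] == parent
    host = _labels(pattern)
    if cert[0] == "*":
        # Wildcard only as the whole leftmost label, matching exactly one
        # label, and never as broad as "*.com" (conservative assumption).
        if len(cert) < 3 or any("*" in lbl for lbl in cert[1:]):
            return False
        return len(host) == len(cert) and host[1:] == cert[1:]
    return cert == host


def expected_patterns(level: str, mx_hostname: str, nexthop: str) -> list[str]:
    """Expand the default match list for a level into concrete patterns."""
    patterns = []
    for item in DEFAULT_MATCH[level]:
        if item == "hostname":
            patterns.append(mx_hostname)
        elif item == "nexthop":
            patterns.append(nexthop)
        elif item == "dot-nexthop":
            patterns.append("." + nexthop)
    return patterns


def first_match(level: str, san_names: list[str], mx_hostname: str, nexthop: str):
    """Return (san, pattern) for the first satisfied pattern, else None."""
    for pattern in expected_patterns(level, mx_hostname, nexthop):
        for san in san_names:
            if cert_name_matches(san, pattern):
                return san, pattern
    return None


# Constructed sample input mirroring the thread: the MX presents a
# "*.smtp.github.com" wildcard, the recipient domain is reply.github.com.
GITHUB_SANS = ["*.smtp.github.com", "smtp.github.com"]
MX_HOST = "in-9.smtp.github.com"
NEXTHOP = "reply.github.com"

if __name__ == "__main__":
    for level in ("verify", "secure"):
        print(level, expected_patterns(level, MX_HOST, NEXTHOP),
              "->", first_match(level, GITHUB_SANS, MX_HOST, NEXTHOP))
```

With these assumptions "verify" accepts the wildcard against the MX host name, while "secure" looks for reply.github.com or a sub-domain of it and finds neither, which is the mismatch Bill describes. Note that when a tool such as posttls-finger is given the MX host name itself as the destination, the next-hop and the host name coincide, so even the "secure" patterns are satisfied; posttls-finger's -l option selects the level it tests with.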