On Mon, Mar 25, 2024 at 10:08:59AM +0800, Cowbay via Postfix-users wrote:

> On 2024/3/25 01:12, Viktor Dukhovni via Postfix-users wrote:
> > > If the "posttls-finger" has the identical behavior as postfix, then I
> > > could write a simple cronjob script to "finger" the
> > > smtp.gmail.com:465.
> >
> > Not necessarily 100% identical, but quite close.
>
> It seems not perfect. :(

But close enough that it should be used instead of "openssl s_client".
You can also specify the "-C" option to report the remote chain, which
you can then examine if verification failed.

> I checked posttls-finger on another container of mine, which is Ubuntu
> 22.04.4; posttls-finger still doesn't support ipv6, weird.

It isn't posttls-finger that does not support "ipv6", but rather your
network stack.

> > Certificate verification should be identical, but if the presented chain
> > subtly depends on the client's TLS HELLO message, there could perhaps be
> > a difference if main.cf has "smtp_tls_..." settings that cause the HELLO
> > message to differ between smtp(8) and posttls-finger(1).
>
> Since they are different, my idea to use posttls-finger seems
> unnecessary. I have decided to cancel this idea, but to modify my script
> to monitor the postfix log for the keyword "self-signed" every minute. I
> can expect that we will not see any result in a short time.

You read too much into my caveats; the differences should be minor, and
quite likely the issue was a brief configuration blip in Google's
front-end TLS load-balancers.

> It seems that we prefer to believe postfix really got a self-signed
> certificate from smtp.gmail.com last time, and maybe one of the causes
> is that no SNI name was sent.

That's one possible explanation.

> I still decide to add the "servername" attribute to my tls_policy
> while also monitoring the postfix log with my modified script. Maybe I
> will never have a result. :)

Good luck, whatever that might be.

-- 
    Viktor.
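As an added example that is not part of the thread, here is a POSIX shell version of the log check Cowbay describes: it scans a Postfix log for certificate verification failures and Untrusted sessions to one relay, alongside a count of Verified/Trusted ones. The log lines are constructed, and their format is assumed to match Postfix's usual smtp(8) TLS logging.

```shell
#!/bin/sh
# Added example, not code from the thread: check a Postfix smtp(8) log for
# failed certificate verification against one relay, the way Cowbay's cron
# script does. The sample log lines below are constructed; the message
# formats follow Postfix's usual TLS logging and are assumed, not captured.

SAMPLE_LOG='Mar 25 10:00:01 mx postfix/smtp[1234]: Verified TLS connection established to smtp.gmail.com[142.250.0.1]:465: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar 25 10:05:02 mx postfix/smtp[1235]: certificate verification failed for smtp.gmail.com[142.250.0.2]:465: self-signed certificate
Mar 25 10:05:02 mx postfix/smtp[1235]: Untrusted TLS connection established to smtp.gmail.com[142.250.0.2]:465: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar 25 10:06:03 mx postfix/smtp[1236]: Trusted TLS connection established to smtp.example.net[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)'

# Escape the dots in a hostname so "smtp.gmail.com" matches literally.
relay_re() {
    printf '%s' "$1" | sed 's/[.]/\\./g'
}

# Print log lines for RELAY that record a failed verification or a session
# Postfix rated only Untrusted/Anonymous; exit status 1 when there are none.
tls_verify_failures() {
    grep -E "postfix/smtp\[[0-9]+\]: (certificate verification failed for|(Untrusted|Anonymous) TLS connection established to) $(relay_re "$1")\[" "$2"
}

# Count sessions to RELAY that Postfix rated Verified or Trusted.
tls_verified_count() {
    grep -Ec "postfix/smtp\[[0-9]+\]: (Verified|Trusted) TLS connection established to $(relay_re "$1")\[" "$2" || true
}

# Demo: write the sample to a temporary file and report on smtp.gmail.com.
# On a real host point the functions at /var/log/mail.log (or the journal).
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    relay=smtp.gmail.com
    echo "verified sessions to $relay: $(tls_verified_count "$relay" "$tmp")"
    if tls_verify_failures "$relay" "$tmp"; then
        echo "ALERT: verification problems for $relay"
    else
        echo "no verification problems for $relay"
    fi
    rm -f "$tmp"
}

demo
```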