Hello,

** Wietse Venema <wie...@porcupine.org> [2020-04-16 10:31:56 -0400]:

> With the minimal patch below, it looks like Postfix DANE support
> will continue to work after a breaking change in Glibc 2.31. Tested
> on Fedora 32 beta.
>
> This patch also deals with the 'multiple definition' errors caused
> by a breaking change in GCC 10. Also tested on Fedora 32 beta.
>
> Plan is to release this in Postfix 3.6 (development release)
> and then update the stable releases.
>
> Demo:
>
> ./posttls-finger dukhovni.org
> posttls-finger: using DANE RR: _25._tcp.smtp.dukhovni.org IN TLSA 3 1 1
> 5E:07:8B:31:60:56:9F:16:5A:69:EB:86:03:95:BB:BD:C7:57:6C:36:03:C3:45:2B:07:13:9C:27:6B:26:D0:1C
> posttls-finger: Connected to smtp.dukhovni.org[100.2.39.101]:25
> posttls-finger: < 220 straasha.imrryr.org ESMTP Postfix
> posttls-finger: > EHLO localhost.localdomain
> posttls-finger: < 250-straasha.imrryr.org
> posttls-finger: < 250-PIPELINING
> posttls-finger: < 250-SIZE 104857600
> posttls-finger: < 250-VRFY
> posttls-finger: < 250-ETRN
> posttls-finger: < 250-STARTTLS
> posttls-finger: < 250-ENHANCEDSTATUSCODES
> posttls-finger: < 250-8BITMIME
> posttls-finger: < 250-SMTPUTF8
> posttls-finger: < 250 CHUNKING
> posttls-finger: > STARTTLS
> posttls-finger: < 220 2.0.0 Ready to start TLS
> posttls-finger: smtp.dukhovni.org[100.2.39.101]:25: depth=0 matched end
> entity public-key sha256
> digest=5E:07:8B:31:60:56:9F:16:5A:69:EB:86:03:95:BB:BD:C7:57:6C:36:03:C3:45:2B:07:13:9C:27:6B:26:D0:1C
> posttls-finger: smtp.dukhovni.org[100.2.39.101]:25 CommonName
> mournblade.imrryr.org
> posttls-finger: smtp.dukhovni.org[100.2.39.101]:25:
> subject_CN=mournblade.imrryr.org, issuer_CN=mournblade.imrryr.org,
> fingerprint=DF:53:67:E7:87:D8:4E:9A:FF:34:A2:92:36:F8:15:1F:2F:15:82:1B,
> pkey_fingerprint=98:40:01:98:0F:75:58:35:92:3B:07:94:CF:58:B9:FA:99:C5:06:F5
> posttls-finger: Verified TLS connection established to
> smtp.dukhovni.org[100.2.39.101]:25: TLSv1.3 with cipher
> TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature
> RSA-PSS (2048 bits) server-digest SHA256
> posttls-finger: > EHLO localhost.localdomain
> posttls-finger: < 250-straasha.imrryr.org
> posttls-finger: < 250-PIPELINING
> posttls-finger: < 250-SIZE 104857600
> posttls-finger: < 250-VRFY
> posttls-finger: < 250-ETRN
> posttls-finger: < 250-ENHANCEDSTATUSCODES
> posttls-finger: < 250-8BITMIME
> posttls-finger: < 250-SMTPUTF8
> posttls-finger: < 250 CHUNKING
> posttls-finger: > QUIT
> posttls-finger: < 221 2.0.0 Bye

I'm a newbie, but I'm using Archlinux, which has glibc 2.31 and postfix 3.5.0.
After reading the thread "Outgoing DANE not working"
(http://postfix.1071664.n5.nabble.com/Outgoing-DANE-not-working-td105397.html)
about DANE, I added 'trust-ad' to /etc/resolv.conf, ran the command that Viktor
Dukhovni showed and got the same output as Viktor showed.

Now I run the above command and get the same output for my system:

posttls-finger: using DANE RR: _25._tcp.smtp.dukhovni.org IN TLSA 3 1 1 5E:07:8B:31:60:56:9F:16:5A:69:EB:86:03:95:BB:BD:C7:57:6C:36:03:C3:45:2B:07:13:9C:27:6B:26:D0:1C
posttls-finger: Connected to smtp.dukhovni.org[100.2.39.101]:25
posttls-finger: < 220 straasha.imrryr.org ESMTP Postfix
posttls-finger: > EHLO smoon.bkoty.ru
posttls-finger: < 250-straasha.imrryr.org
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 104857600
posttls-finger: < 250-VRFY
posttls-finger: < 250-ETRN
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-SMTPUTF8
posttls-finger: < 250 CHUNKING
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: smtp.dukhovni.org[100.2.39.101]:25: depth=0 matched end entity public-key sha256 digest=5E:07:8B:31:60:56:9F:16:5A:69:EB:86:03:95:BB:BD:C7:57:6C:36:03:C3:45:2B:07:13:9C:27:6B:26:D0:1C
posttls-finger: smtp.dukhovni.org[100.2.39.101]:25 CommonName mournblade.imrryr.org
posttls-finger: smtp.dukhovni.org[100.2.39.101]:25: subject_CN=mournblade.imrryr.org, issuer_CN=mournblade.imrryr.org, fingerprint=DF:53:67:E7:87:D8:4E:9A:FF:34:A2:92:36:F8:15:1F:2F:15:82:1B, pkey_fingerprint=98:40:01:98:0F:75:58:35:92:3B:07:94:CF:58:B9:FA:99:C5:06:F5
posttls-finger: Verified TLS connection established to smtp.dukhovni.org[100.2.39.101]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
posttls-finger: > EHLO smoon.bkoty.ru
posttls-finger: < 250-straasha.imrryr.org
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 104857600
posttls-finger: < 250-VRFY
posttls-finger: < 250-ETRN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-SMTPUTF8
posttls-finger: < 250 CHUNKING
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye

I'm a bit bewildered. Does this mean that all is OK with glibc 2.31 with
'options trust-ad' and postfix 3.5.0, or does it depend strongly on the
'options' used?

I might have a bit extraordinary DNS configuration (dnscrypt-proxy on some
systems and dnscrypt-proxy+dnsmasq on others), but all have the same resolv.conf
options:

options edns0
options trust-ad

> Patch follows after the signature.
>
> Wietse

[...]

---
WBR, Vladimir Lomov

-- 
Competence, like truth, beauty, and contact lenses, is in the eye of the
beholder.
		-- Dr. Laurence J. Peter
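A check for the resolv.conf setup discussed in this message, as an added example that is not part of the original post or of Postfix: per resolv.conf(5), glibc 2.31 and later remove the AD bit from responses unless `trust-ad` is set, and relying on the AD bit requires trusting both the validating resolver and the path to it. The function name `check_trust_ad` and its exit codes are this example's own conventions.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Exit status (this script's own convention):
#   0  trust-ad set and every nameserver is a loopback address
#   1  trust-ad not set: glibc >= 2.31 removes the AD bit from responses,
#      so the application cannot see that TLSA records were validated
#   2  trust-ad set but a nameserver is not loopback: the AD bit is being
#      trusted across a network path
#   3  file not readable
check_trust_ad() (
    conf=$1
    [ -r "$conf" ] || { echo "$conf: not readable"; exit 3; }
    set -f    # no pathname expansion while splitting option words
    trust=0
    remote=""
    while read -r key rest || [ -n "$key" ]; do
        case $key in
            options)
                # every "options" line is processed, so flags accumulate
                for opt in $rest; do
                    if [ "$opt" = "trust-ad" ]; then trust=1; fi
                done ;;
            nameserver)
                addr=${rest%%[[:space:]]*}
                case $addr in
                    ""|127.*|::1) ;;
                    *) remote="$remote $addr" ;;
                esac ;;
        esac
    done < "$conf"
    if [ "$trust" -eq 0 ]; then
        echo "$conf: trust-ad missing, AD bit will be stripped"
        exit 1
    fi
    if [ -n "$remote" ]; then
        echo "$conf: trust-ad set with non-loopback resolver(s):$remote"
        exit 2
    fi
    echo "$conf: trust-ad set, all nameservers are loopback"
)

# Run against a file given on the command line, e.g. /etc/resolv.conf
if [ "$#" -gt 0 ]; then check_trust_ad "$1"; fi
```

A status of 0 only says the stub resolver will pass the AD bit through from a local resolver; whether that resolver (dnscrypt-proxy or dnsmasq in the setup above) actually performs DNSSEC validation has to be checked separately.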