Hi all,

just for info: a new Postfix MTA-STS resolver package was released:
https://github.com/Snawoot/postfix-mta-sts-resolver/pull/64
(quoting the author: "I guess Debian packages will be available within a week in backports repo"),
so SNI will now also work with MTA-STS-enabled servers (as required by the RFC) :-)
... Viktor, thanks for your help!


My last question is whether it is possible to include the Postfix TLSv1.3 patch
in older versions of Postfix (as a minor bug-fix release). The problem is that with
SNI enabled in the MTA-STS package there will be a lot of bug reports, because it
looks like I am not the only person who used "smtpd_tls_eecdh_grade = ultra".

Check Google for "smtpd_tls_eecdh_grade = ultra" and you will find a ton of 
"tuning security" manuals that recommend this setting :-))) 


Cheers,


JM


> On 13 Jun 2020, at 20:29, Ján Máté <jan.m...@uniqsys.eu> wrote:
> 
> Tested and confirmed ... it looks like there is a lot of untested software 
> today, or I use all the special edge cases :-)
> 
> I will report the bug to the postfix-mta-sts-resolver developer; the patch is
> rather simple:
> 
> root@collegemate:/usr/lib/python3/dist-packages/postfix_mta_sts_resolver# 
> diff -u responder.py-orig responder.py 
> --- responder.py-orig 2020-04-11 22:40:55.000000000 +0200
> +++ responder.py      2020-06-13 20:15:00.377112967 +0200
> @@ -219,7 +219,7 @@
>              else:
>                  assert cached.pol_body['mx'], "Empty MX list for restrictive 
> policy!"
>                  mxlist = [mx.lstrip('*') for mx in 
> set(cached.pol_body['mx'])]
> -                resp = "OK secure match=" + ":".join(mxlist)
> +                resp = "OK secure servername=hostname match=" + 
> ":".join(mxlist)
>                  return netstring.encode(resp.encode('utf-8'))
>          else:
>              return netstring.encode(b'NOTFOUND ')
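Review bot: the `servername=hostname` attribute on the `+` line is emitted unconditionally, but Postfix only understands the `servername` policy attribute from release 3.4 onwards; an older Postfix treats an unknown attribute in an smtp_tls_policy_maps value as an invalid policy, so every lookup for an enforce-mode domain would fail and defer mail instead of just sending without SNI. Gate the attribute behind a configuration option (or a documented minimum Postfix version) rather than hard-coding it, and note the 3.4+ requirement in the README. Also worth a comment in the code: `hostname` here is a literal Postfix keyword meaning "send the MX hostname as SNI", not a placeholder to be filled in, so a later reader does not "fix" it into a variable.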
> 

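For readers who want to see what the resolver's reply actually looks like on the wire and why an unknown attribute matters, here is an added example that is not part of postfix-mta-sts-resolver or of Postfix. It encodes and decodes the netstring-framed socketmap exchange Postfix uses for smtp_tls_policy_maps (reply syntax per socketmap_table(5): "OK <data>", "NOTFOUND ", "TEMP/TIMEOUT/PERM <reason>"), renders the policy value for an enforce-mode MTA-STS policy the same way the quoted patch does (wildcard MX entries become leading-dot parent-domain matches, `servername=hostname` is added for SNI), and parses such a value back, rejecting attribute names Postfix does not document. The version gate on `servername` (Postfix 3.4 or later) and all MX names are assumptions made for the example; the MX list is constructed sample input.

```python
"""Added example (not project code): Postfix socketmap TLS-policy exchange.

Reply syntax follows socketmap_table(5); attribute names follow the
smtp_tls_policy_maps documentation.  Sample MX patterns are constructed.
"""

TLS_LEVELS = {"none", "may", "encrypt", "dane", "dane-only",
              "fingerprint", "verify", "secure"}
# Attributes documented for smtp_tls_policy_maps.  "servername" is the
# one the quoted patch adds; it is assumed here to need Postfix >= 3.4.
POLICY_ATTRS = {"ciphers", "protocols", "match", "exclude",
                "servername", "tafile"}
SOCKETMAP_STATUSES = {"OK", "NOTFOUND", "TEMP", "TIMEOUT", "PERM"}


def netstring_encode(payload: bytes) -> bytes:
    """Frame payload as "<len>:<payload>," (the socketmap wire format)."""
    return b"%d:%s," % (len(payload), payload)


def netstring_decode(buf: bytes):
    """Return (payload, remainder) for the netstring at the start of buf."""
    length_bytes, sep, rest = buf.partition(b":")
    if not sep or not length_bytes.isdigit():
        raise ValueError("bad netstring length")
    length = int(length_bytes)
    if len(rest) < length + 1 or rest[length:length + 1] != b",":
        raise ValueError("truncated netstring")
    return rest[:length], rest[length + 1:]


def socketmap_request(table: str, nexthop: str) -> bytes:
    """Postfix sends "<table name> <lookup key>" as a single netstring."""
    return netstring_encode(f"{table} {nexthop}".encode("utf-8"))


def mta_sts_policy_value(mx_patterns, with_sni=True) -> str:
    """Render the policy value for an enforce-mode MTA-STS policy.

    A leading "*." in an MX pattern becomes a leading ".", which match=
    treats as a parent-domain match.  servername=hostname asks Postfix to
    send the MX hostname as SNI, which RFC 8461 requires for MTA-STS.
    """
    if not mx_patterns:
        raise ValueError("Empty MX list for restrictive policy")
    matches = sorted({mx[1:] if mx.startswith("*.") else mx
                      for mx in mx_patterns})
    parts = ["secure"]
    if with_sni:
        parts.append("servername=hostname")
    parts.append("match=" + ":".join(matches))
    return " ".join(parts)


def parse_socketmap_reply(raw: bytes):
    """Decode one socketmap reply into (status, data)."""
    payload, rest = netstring_decode(raw)
    if rest:
        raise ValueError("trailing bytes after reply")
    status, _, data = payload.decode("utf-8").partition(" ")
    if status not in SOCKETMAP_STATUSES:
        raise ValueError(f"unknown socketmap status {status!r}")
    return status, data


def parse_policy_value(value: str, postfix_version=(3, 4)) -> dict:
    """Split "level attr=value ..." and reject what Postfix would reject.

    The postfix_version check models (assumption) that releases before
    3.4 do not know the servername attribute and fail the lookup.
    """
    tokens = value.split()
    if not tokens or tokens[0] not in TLS_LEVELS:
        raise ValueError("missing or unknown TLS security level")
    policy = {"level": tokens[0]}
    for tok in tokens[1:]:
        name, sep, val = tok.partition("=")
        if not sep or name not in POLICY_ATTRS:
            raise ValueError(f"invalid policy attribute {tok!r}")
        if name == "servername" and postfix_version < (3, 4):
            raise ValueError("servername= requires Postfix 3.4 or later")
        policy[name] = val.split(":") if name == "match" else val
    return policy


if __name__ == "__main__":
    # Constructed sample: one wildcard MX pattern and one plain MX host.
    value = mta_sts_policy_value(["*.mail.example.com", "mx1.example.com"])
    reply = netstring_encode(("OK " + value).encode("utf-8"))
    print(socketmap_request("postfix", "example.com"))
    print(reply)
    print(parse_policy_value(parse_socketmap_reply(reply)[1]))
```

Running the script shows the request Postfix would send for `example.com`, the netstring the resolver answers with, and the parsed policy; calling `parse_policy_value` with `postfix_version=(3, 3)` raises, which is the failure mode an unconditional `servername=` attribute would trigger on an older Postfix.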