On Sat, Jun 13, 2020 at 01:19:44AM +1000, Nikolai Lusan wrote:

> Thank you very much for finding that.

The OP provided a system on which I could compare:

    - Vendor Postfix vs. Postfix built from source
    - stock configs vs. OP's actual config.

It turned out that the configuration was what mattered, and then it was
just a matter of adding one setting at a time, until the SNI chain
failed to load.  After that a bunch of head-scratching as to why the
EECDH grade would matter, but no longer requiring a remote system to
find how to reproduce.

> I had the "smtpd_tls_eecdh_grade" set to "strong", after removing it from
> the main.cf file and letting it default I can verify that the starttls sni
> all works on my servers.

That's of course a good idea, with or without the bug, for which the
real fix is one of the upcoming releases, even with the EECDH grade
set to "auto", HRR might happen anyway, just far less likely.  So
upgrade when a patch release is available for your system.

-- 
    Viktor.