Hi Chris,

> I can imagine that it's a lot of work.

Yeah, it is. I'm also a lot more comfortable with Sendmail as far as configuring it goes and there were many aspects of Postfix that I wasn't aware of. I think I'm still only scratching the surface of it. When done, I certainly need someone to take a long hard look at our Postfix configuration to check if there is something we could do better or if there is something I shouldn't have done this or that way.

As far as the integration into the GUI goes: That was surprisingly simple. I started at the premise that I didn't want to duplicate every Sendmail handler for Postfix. So instead I wrote a parser that parses the sendmail.mc (and other parts of its config) to populate an existing Postfix config with just the required settings. Such as max_message_size and others. This is now done entirely on the fly on "systemctl restart postfix". Which is kind of neat.

The most complicated part so far was actually getting the AV-SPAM to work with both Sendmail and Postfix depending on what's active. That required some extensive changes. Postfix does understand Sendmail Milters and can handle them well enough. However, ownerships and permissions of the milter sockets (and sometimes their location) were preventing Postfix from using them. But I have that sorted as well by now.

> One of the most common support calls we get are for "Certificate Failure"
> reports when a user sets up email on a desktop or mobile device.

Yeah, we *really* need SNI. Not just for Dovecot, but also for the MTA. And in that regard I have some good news:

https://centos.pkgs.org/8/ghettoforge-plus-x86_64/postfix3-3.5.2-1.gf.el8.x86_64.rpm.html

That's the latest Postfix v3.5.2 for CentOS 8. Ghettoforge.com? Never heard of them, but I was more than happy to fully embrace what they're offering. After some digging it was clear that whoever did that Postfix (S)RPM clearly knows what he's been doing and he's been offering updated Postfix RPMs for EL6 and EL7 for many years.

So I grabbed their SRPM and with some extras that make the integration easier I repackaged it as "blueonyx-postfix". After some fiddling with the configs I then got SNI working:

root@beast-smd-net:~# openssl s_client -connect jarvis.smd.net:25 -servername www.kinofreak.com -starttls smtp|grep -E "CN =|Verification:"
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www.kinofreak.com
verify return:1
250 CHUNKING
 0 s:CN = www.kinofreak.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
subject=CN = www.kinofreak.com
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Verification: OK

That's an "on foot" TLS connection to the MTA of 'jarvis.smd.net' and we're requesting to talk to 'www.kinofreak.com' (one of the Vsites with an LE SSL cert). We get the cert for www.kinofreak.com presented and the TLS verification of the Cert finishes with "Verification: OK".

Even if we skip the roundabout and connect directly to port 25 on kinofreak.com it checks out:

root@beast-smd-net:~# openssl s_client -connect kinofreak.com:25 -starttls smtp|grep -E "CN =|Verification:"
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www.kinofreak.com
verify return:1
250 CHUNKING
 0 s:CN = www.kinofreak.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
subject=CN = www.kinofreak.com
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Verification: OK

So ... that's a 5210R with working SNI on the MTA. \o/

What's left is committing everything to SVN, building RPMs (and a PKG for the AV-SPAM) and then testing, testing, testing. In the next few days I'll have it in the "5210R-testing" YUM repository so that we can play around with it.

-- 
With best regards

Michael Stauber

_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
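The SNI check in the message above is done by eye on `openssl s_client` output. As an added example that is not part of the original post or of the BlueOnyx project, the script below automates the same check two ways: `parse_s_client()` reads the grep-filtered `s_client` output and confirms that the depth=0 certificate's CN is the name that was requested and that verification finished with `OK`, and `starttls_leaf_cn()` performs the STARTTLS handshake itself with the SNI name set explicitly and full chain plus hostname verification from the system trust store. The sample outputs, the hostname `mail.example.invalid` and the function and parameter names are constructed for this example; `jarvis.smd.net` and `www.kinofreak.com` come from the message. Note that the live check verifies against subjectAltName (as clients do), while the parser only sees the CN that the grep filter leaves behind; filter with `grep -E "CN =|Verification"` (no trailing colon) so that `Verification error:` lines also survive.

```python
import re
import socket
import ssl

# Constructed sample: grep-filtered s_client output for a host that served the
# certificate we asked for via SNI (same shape as the output in the message).
SAMPLE_OK = """\
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www.kinofreak.com
verify return:1
subject=CN = www.kinofreak.com
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Verification: OK
"""

# Constructed sample: an MTA without SNI hands out its default (here
# self-signed, hypothetical) certificate regardless of the requested name.
SAMPLE_MISMATCH = """\
depth=0 CN = mail.example.invalid
verify return:1
subject=CN = mail.example.invalid
issuer=CN = Example Local CA
Verification error: unable to get local issuer certificate
"""


def parse_s_client(output):
    """Return (leaf_cn, verification_status) from s_client output that was
    filtered with grep -E "CN =|Verification".  Either value is None when
    the corresponding line is absent."""
    leaf_cn = None
    status = None
    for line in output.splitlines():
        line = line.strip()
        m = re.match(r"depth=0\b.*?\bCN = ([^,]+)", line)
        if m:
            leaf_cn = m.group(1).strip()
        # s_client prints either "Verification: OK" or "Verification error: ..."
        m = re.match(r"Verification(?: error)?: (.+)", line)
        if m:
            status = m.group(1).strip()
    return leaf_cn, status


def sni_matches(output, servername):
    """True only if the leaf CN equals the SNI name we asked for AND the
    chain verified; a default cert with a valid chain still fails here."""
    cn, status = parse_s_client(output)
    return cn is not None and cn.lower() == servername.lower() and status == "OK"


def _read_reply(reader):
    """Read one possibly multi-line SMTP reply (lines 'NNN-' continue)."""
    lines = []
    while True:
        line = reader.readline().decode("latin-1")
        if not line:
            raise ConnectionError("connection closed during SMTP dialogue")
        lines.append(line.rstrip("\r\n"))
        if len(line) < 4 or line[3] != "-":
            return lines


def starttls_leaf_cn(connect_host, servername, port=25, timeout=10):
    """Connect to connect_host:port, issue EHLO/STARTTLS, then negotiate TLS
    with SNI=servername, verifying the chain and hostname against the system
    trust store.  Returns (leaf_cn, None) on success, (None, error) otherwise."""
    ctx = ssl.create_default_context()  # check_hostname=True, CERT_REQUIRED
    with socket.create_connection((connect_host, port), timeout=timeout) as raw:
        reader = raw.makefile("rb")
        _read_reply(reader)  # 220 banner
        raw.sendall(b"EHLO sni-check.invalid\r\n")
        if not any("STARTTLS" in l.upper() for l in _read_reply(reader)):
            return None, "server does not advertise STARTTLS"
        raw.sendall(b"STARTTLS\r\n")
        if not _read_reply(reader)[-1].startswith("220"):
            return None, "STARTTLS refused"
        reader.close()  # the server now waits for ClientHello; nothing is buffered
        try:
            with ctx.wrap_socket(raw, server_hostname=servername) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                tls.sendall(b"QUIT\r\n")
                return subject.get("commonName"), None
        except ssl.SSLError as exc:  # includes SSLCertVerificationError
            return None, str(exc)


if __name__ == "__main__":
    print("sample ok      :", sni_matches(SAMPLE_OK, "www.kinofreak.com"))
    print("sample mismatch:", sni_matches(SAMPLE_MISMATCH, "www.kinofreak.com"))
    # Live check, equivalent to the first s_client command in the message:
    # print(starttls_leaf_cn("jarvis.smd.net", "www.kinofreak.com"))
```

Run it against a list of Vsite names after a Postfix restart and any `(None, error)` result points at a name whose certificate was not picked up by the SNI map; the parser variant is handy for checking output pasted from a support ticket.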