On 2023-11-30 16:53, Wietse Venema via Postfix-users wrote:
Alexander Leidinger via Postfix-users:
What is wrong here that [tlsproxy] doesn't establish a trusted connection to the github mailservers when posttls-finger is able to do that with the same cert store?
Because there are differences between tlsproxy and posttls-finger.
1) Different executable files may be subject to different SELinux, AppArmor etc. policies.
This is FreeBSD, no different policies.
2) Different privileges: tlsproxy runs as the "postfix" user, posttls-finger as "root".
Ok. The cert store permissions are OK. Any ordinary user is able to read it. posttls-finger as any other user (incl. postfix) produces the same output. With -P it verifies the cert, without it it doesn't.
So still the question why the same configured cert store (posttls-finger + postfix + @FreeBSD.org + @reply.github.com) works for sending mail to FreeBSD.org but not to github.com.
3) Different certificate stores, when tlsproxy may run chrooted, and posttls-finger does not.
No chroot-difference between both. This runs in a FreeBSD jail (like a container or a Solaris zone) and I was logged into this container, so both have seen the same filesystem content.
Bye,
Alexander.

--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netch...@freebsd.org : PGP 0x8F31830F9F2772BF
_______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org