Am 2023-12-01 09:34, schrieb Tom Hendrikx via Postfix-users:
On 01-12-2023 08:59, Alexander Leidinger via Postfix-users wrote:
Am 2023-11-30 16:53, schrieb Wietse Venema via Postfix-users:
Alexander Leidinger via Postfix-users:
What is wrong here that [tlsproxy] doesn't establish a trusted connection to the github mailservers when posttls-finger is able to do that with
the same cert store?

Because there are differences between tlsproxy and posttls-finger.

1) Different executable files may be subject to different SELinux,
AppArmor etc. policies.

This is FreeBSD, no different policies.

2) Different privileges: tlsproxy runs as the "postfix" user,
posttls-finger as "root".

Ok.
The cert store permissions are OK. Any ordinary user is able to read it. posttls-finger as any other user (incl. postfix) produces the same output. With -P it verifies the cert, without it it doesn't.

So still the question why the same configured cert store (posttls-finger + postfix + @FreeBSD.org + @reply.github.com) works for sending mail to FreeBSD.org but not to github.com.

3) Different certificate stores, when tlsproxy may run chrooted,
and posttls-finger does not.

No chroot-difference between both. This runs in a FreeBSD jail (like a container or a Solaris zone) and I was logged into this container, so both have seen the same filesystem content.


There still seems to be a disconnect in communication here, as you didn't quote Viktor's response on 'smtp_tls_policy_maps', which seems to be the key issue here. The policy in your connection to github seems to be 'verify' or higher.

I was simply not fast enough for you to answer his mail. :) I just answered. In short: no, this is not the key issue here. I don't care right now if my mail to github is delivered. My point right now is the TLS communication only. See my answer to his mail for the details.

Maybe you could test again with an empty 'smtp_tls_policy_maps' parameter in postfix config, or show all values in your policy map explicitly (which might be difficult due to mysql usage)?

Short: I overlooked a line in the DB. But right now the delivery is not my concern. I could easily change the DB but will leave it as it is, so I don't need to change something somewhere to test the TLS part against github. More in my other answer.

Bye,
Alexander.

--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netch...@freebsd.org  : PGP 0x8F31830F9F2772BF


_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
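For readers following the policy-map discussion above, here is an added example (not the poster's configuration, and not taken from the thread) of the Postfix settings that decide whether tlsproxy's client side must verify a destination's certificate, with the table written as a hash: file instead of the mysql: table used in the thread. The file paths, the CApath directory and the destination names are assumptions chosen for illustration.

```conf
# main.cf fragment (added example; paths are assumptions)
# Default policy for destinations not listed in the policy map.
smtp_tls_security_level = may
# Trust store used for "verify"/"secure" checks. A CApath directory must
# contain OpenSSL hash-named links (openssl rehash / c_rehash), or lookups
# silently find nothing and every chain is "Untrusted".
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_policy_maps = hash:/usr/local/etc/postfix/tls_policy
# tlsproxy(8) acting as a client takes its trust store and policy from the
# tlsproxy_client_* parameters, which default to the smtp_tls_* values; shown
# explicitly here so both daemons demonstrably use the same store.
tlsproxy_client_CApath = $smtp_tls_CApath
tlsproxy_client_CAfile = $smtp_tls_CAfile
tlsproxy_client_policy_maps = $smtp_tls_policy_maps
smtp_tls_loglevel = 1

# /usr/local/etc/postfix/tls_policy (hash: table; run "postmap" after editing)
# Lookup key is the next-hop destination, not the MX host name. "verify" and
# "secure" defer delivery unless the server certificate chains to the store
# above and matches the expected name; "may" only logs the result.
freebsd.org          verify
reply.github.com     verify
github.com           may
```

To see which level a destination actually gets, query the table the same way Postfix does, e.g. `postmap -q reply.github.com hash:/usr/local/etc/postfix/tls_policy`; for the mysql: table in the thread, pass the mysql: map instead. To reproduce tlsproxy's verification outside Postfix with the same store, run posttls-finger with the matching level and trust store, e.g. `posttls-finger -l verify -P /etc/ssl/certs reply.github.com` (`-F` instead of `-P` for a CAfile). Omitting `-P`/`-F` runs without any trust anchors, so an "Untrusted" result in that mode says nothing about the store.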