On 2023-12-01 13:44, Wietse Venema wrote:
Alexander Leidinger:
On 2023-11-30 16:53, Wietse Venema via Postfix-users wrote:
> Alexander Leidinger via Postfix-users:
>> What is wrong here that [tlsproxy] doesn't establish a trusted
>> connection
>> to the github mailservers when posttls-finger is able to do that with
>> the same cert store?
>
> Because there are differences between tlsproxy and posttls-finger.
>
> 1) Different executable files may be subject to different SeLinux,
> AppArmor etc. policies.

This is FreeBSD, no different policies.

> 2) Different privileges: tlsproxy runs as the "postfix" user,
> posttls-finger as "root".

...
> 3) Different certificate stores, when tlsproxy may run chrooted,
> and posttls-finger does not.

As Viktor pointed out:

4) Different certificate match expectations.

May I suggest adding a note or two to the man page of posttls-finger, in the sense that posttls-finger doesn't look at the Postfix config and is standalone, and that if configured with TLS support the default is (as documented) "-l dane", but that this falls back to "-l verify" (at least according to my experiment) if the domain is not DNSSEC enabled?

I also suggest adding a note to the TLS readme that if the policy is secure and the chain validates, but the hostname doesn't match what Postfix expects (it would also be good if it printed the hostname it expects at the default log level), it prints the hostname mismatch error. It would also be nice if it were documented what it prints when the certificate chain doesn't validate in that case.

Bye,
Alexander.

--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netch...@freebsd.org  : PGP 0x8F31830F9F2772BF

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
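Since posttls-finger does not read main.cf, a manual probe can silently use a different security level, trust store and name-matching patterns than tlsproxy does (points 3 and 4 above). The sh script below is an added example, not code from the thread or from Postfix: it pulls those settings out of main.cf with postconf and builds the matching posttls-finger command line. build_finger_cmd and finger_like_postfix are hypothetical names, and the fallback paths and values are constructed samples.

```shell
#!/bin/sh
# Build a posttls-finger command line from Postfix's own TLS settings so that a
# manual probe checks the same thing tlsproxy/smtp(8) will check.
# Arguments: level CAfile CApath "match patterns" destination
# Empty level/CAfile/CApath are skipped; patterns are split on commas and spaces.
build_finger_cmd() {
    level="$1"; cafile="$2"; capath="$3"; matches="$4"; dest="$5"
    cmd="posttls-finger"
    [ -n "$level" ] && cmd="$cmd -l $level"
    [ -n "$cafile" ] && cmd="$cmd -F $cafile"
    [ -n "$capath" ] && cmd="$cmd -P $capath"
    cmd="$cmd $dest"
    # Certificate name matching patterns follow the destination on the command line.
    for m in $(printf '%s' "$matches" | tr ',' ' '); do
        cmd="$cmd $m"
    done
    printf '%s\n' "$cmd"
}

# Take the values from main.cf when postconf is available (the normal case on a
# Postfix host); otherwise fall back to constructed sample values for illustration.
# The match list depends on the level: secure and verify use different parameters.
finger_like_postfix() {
    dest="$1"
    if command -v postconf >/dev/null 2>&1; then
        level=$(postconf -h smtp_tls_security_level)
        cafile=$(postconf -h smtp_tls_CAfile)
        capath=$(postconf -h smtp_tls_CApath)
        case "$level" in
            secure) matches=$(postconf -h smtp_tls_secure_cert_match) ;;
            verify) matches=$(postconf -h smtp_tls_verify_cert_match) ;;
            *)      matches="" ;;
        esac
    else
        level="secure"; cafile="/etc/ssl/cert.pem"; capath=""   # constructed sample
        matches="nexthop, dot-nexthop"                          # Postfix default for secure
    fi
    # Remember: a chrooted tlsproxy only sees a trust store that lives under
    # queue_directory, so an absolute path that works here may still not work for it.
    build_finger_cmd "$level" "$cafile" "$capath" "$matches" "$dest"
}

finger_like_postfix github.com
```

Run the printed command as the postfix user to also remove the privilege difference (point 2) from the comparison.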