Wietse Venema via Postfix-users:
> As people rely more on posttls-finger to troubleshoot TLS issues,
> it is clear that posttls-finger needs to become an officially
> supported tool.
Just to be clear, current posttls-finger documentation says "Note:
this is an unsupported test program." The text is there because
supported programs are held to a different standard with respect
to documentation (how it can be used) and compatibility (a promise
that features' won't randomly change or disappear).
> For that, we need to document how posttls-finger expecatations
> differ from Postfix SMTP client expectations (some of which the
> SMTP client delegates to tlsproxy), doing a beter job than I did
> in this week's email thread.
>
> Perhaps the posttls-finger(1) manpage can summarize the differences
> in default behaviors with the SMTP client (and features available
> in only one of the two, such as client certificates).
Turns out that posttls-finger does have client certificate support.
> A full mapping between posttls-finger and SMTP client settings may
> be too much for a manpage (and manpages do not support tables if I
> recall correctly). A full mapping may be more appropriate for a
> "troubleshooting" section in the TLS_README.
Taking one step back, should/could we make it easier to simulate
Postfix SMTP client behavior with posttls-finger?
- We can't keep duplicating SMTP client code into the posttls-finger
command, that would be unsustainable. Instead we'd have to make
most of the SMTP client code embeddable into posttls-finger. That
would be a lot of work.
- We can already do realistic tests with "sendmail -C /test/directory
-bv <address>". This requires a dedicated Postfix test instance.
Otherwise, I see the work items that I alluded to:
- Document differences in default behavior between posttls-finger
and SMTP client. I can do a stab at an updated posttls-finger
manpage and Viktor can fix that.
- Document the correspondence between SMTP client settings and
posttls-finger settings. A feature matrix of sorts.
Wietse
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
