On 2024/3/24 00:49, Viktor Dukhovni via Postfix-users wrote:
> and also "posttls-finger" as in the example I posted.
> You might not get to observe the problem for quite some time (if ever again).
I quite seldom send mail through gmail via my postfix server. If "posttls-finger" has the identical behavior as postfix, then I could write a simple cronjob script to "finger" smtp.gmail.com:465.

OT: I just tried it and found that my version of "posttls-finger" has no IPv6 support, though the man page says it does. And it always returns 0 even when it failed.

----------------8<---------------------8<-----------------
$ host smtp.gmail.com
smtp.gmail.com has address 142.251.8.109
smtp.gmail.com has IPv6 address 2404:6800:4008:c15::6d

$ posttls-finger -wc -F /etc/ssl/certs/ca-certificates.crt -a ipv6 [smtp.gmail.com]:465
posttls-finger: smtp.gmail.com[142.251.8.109]:465: matched peername: smtp.gmail.com
posttls-finger: smtp.gmail.com[142.251.8.109]:465: subject_CN=smtp.gmail.com, issuer_CN=GTS CA 1C3, fingerprint=F7:5F:AA:8D:B5:7A:A7:A4:8A:34:0C:C3:12:18:D8:77:3B:A9:F7:75:E1:EC:76:25:76:79:41:B2:AB:46:34:E1, pkey_fingerprint=E9:BB:66:2D:A5:7C:05:FD:C4:EE:2D:CD:33:9C:32:6D:F7:99:7E:66:29:1F:F0:A4:5E:42:05:57:32:10:7C:96
posttls-finger: Verified TLS connection established to smtp.gmail.com[142.251.8.109]:465: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256

$ posttls-finger -wc -F /etc/ssl/certs/ca-certificates.crt "[ipv6:2404:6800:4008:c15::6d]:465" smtp.gmail.com
posttls-finger: Destination address lookup failed: Name service error for 2404:6800:4008:c15::6d: invalid host or domain name
----------------8<---------------------8<-----------------

But this is no problem. It's enough to use IPv4. I plan to run the script below once per hour.
----------------8<---------------------8<-----------------
#!/bin/bash
FGR_SMTP_HOST="smtp.gmail.com"
FGR_SMTP_PORT=465
FGR_SMTP_IP=""
FGR_ERR_FOUND=0
# mktemp instead of predictable /tmp/...-$$ names (avoids symlink races on shared /tmp)
FGR_FINGER_TMP="$(mktemp /tmp/posttls-finger-output.XXXXXX)"
FGR_OPENSSL_TMP="$(mktemp /tmp/openssl-s-client-output.XXXXXX)"
FGR_REPORT_EMAIL="b...@domain.tld"

# posttls-finger exits 0 even on failure, so the verdict has to come from its output
posttls-finger -wc -F /etc/ssl/certs/ca-certificates.crt "[${FGR_SMTP_HOST}]:$FGR_SMTP_PORT" > "$FGR_FINGER_TMP"
grep -q -i fail "$FGR_FINGER_TMP" && FGR_ERR_FOUND=1

if [ $FGR_ERR_FOUND -eq 1 ]; then
    # first IPv4 address that posttls-finger reported (GNU sed: T = branch if no substitution)
    FGR_SMTP_IP="$(sed -n -E 's/^posttls-finger:.+\[([0-9.]+)\].*$/\1/p; T; q' "$FGR_FINGER_TMP")"
    # fixed: the original used "${FGR_SMTP_IP}:$FGR_SMTP_IP", i.e. the IP as the port;
    # 2>&1 so the verify errors s_client writes to stderr end up in the report
    openssl s_client -servername "$FGR_SMTP_HOST" -connect "${FGR_SMTP_IP}:$FGR_SMTP_PORT" < /dev/null > "$FGR_OPENSSL_TMP" 2>&1
    {
        echo "From: worker <worker@localhost>"
        echo "To: boss <${FGR_REPORT_EMAIL}>"
        echo "Date: $(date -R)"
        echo "Subject: [posttls-finger] bad finger to $FGR_SMTP_HOST"
        echo "MIME-Version: 1.0"
        echo "Content-Type: text/plain; charset=utf-8"
        echo "Content-Transfer-Encoding: 8bit"
        echo "Message-Id: <$(date +%s)-${RANDOM}${RANDOM}@domain.tld>"
        echo
        echo "===> $FGR_FINGER_TMP"
        cat "$FGR_FINGER_TMP"
        echo
        echo "===> $FGR_OPENSSL_TMP"
        cat "$FGR_OPENSSL_TMP"
        echo
    } | sendmail -i "$FGR_REPORT_EMAIL"
fi
rm -f "$FGR_FINGER_TMP" "$FGR_OPENSSL_TMP"
----------------8<---------------------8<-----------------

If "posttls-finger" has identical behavior to postfix when verifying the certificate, then I can start this cronjob.

Postfix-users mailing list -- postfix-users@postfix.org
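Since the thread notes that posttls-finger returns 0 even when it fails, a monitoring script has to derive its verdict from the tool's output. The function below does that (an added example, not code from the poster or from Postfix): it keys on the "Verified TLS connection established" line instead of the word "fail", so a session that came up Untrusted or Anonymous, or did not come up at all, is reported as a problem too. The message strings follow Postfix's TLS log wording; the "Verified" and "lookup failed" lines are taken from the post, the untrusted sample is constructed with RFC 5737 addresses, and the host "smtp.example.net" is made up.

```bash
#!/bin/bash
# finger_verdict: read posttls-finger output on stdin, print one word and return
#   0  Verified TLS connection (chain and peer name matched)
#   1  TLS came up but was not verified, or an explicit verification failure
#   2  no TLS session at all (lookup/connect failure, empty output)
finger_verdict() {
    local out
    out="$(cat)"
    # failure patterns first: "Trusted" (chain ok, name not matched),
    # "Untrusted", "Anonymous", or the explicit verification error line
    if printf '%s\n' "$out" | grep -Eq 'certificate verification failed|(Trusted|Untrusted|Anonymous) TLS connection established'; then
        echo unverified; return 1
    fi
    if printf '%s\n' "$out" | grep -q 'Verified TLS connection established'; then
        echo verified; return 0
    fi
    echo no-tls; return 2
}

# Constructed sample outputs: SAMPLE_OK and SAMPLE_NONE are lines from the post,
# SAMPLE_BAD is made up (RFC 5737 address, fictitious CA name).
SAMPLE_OK='posttls-finger: smtp.gmail.com[142.251.8.109]:465: matched peername: smtp.gmail.com
posttls-finger: Verified TLS connection established to smtp.gmail.com[142.251.8.109]:465: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)'
SAMPLE_BAD='posttls-finger: certificate verification failed for smtp.example.net[192.0.2.10]:465: untrusted issuer /CN=Example Test CA
posttls-finger: Untrusted TLS connection established to smtp.example.net[192.0.2.10]:465: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)'
SAMPLE_NONE='posttls-finger: Destination address lookup failed: Name service error for 2404:6800:4008:c15::6d: invalid host or domain name'

# Stand-alone demonstration on the constructed samples (no network needed).
for s in "$SAMPLE_OK" "$SAMPLE_BAD" "$SAMPLE_NONE"; do
    rc=0
    verdict=$(printf '%s\n' "$s" | finger_verdict) || rc=$?
    echo "verdict=$verdict rc=$rc"
done
# In the hourly cron job the samples are replaced by the live run, e.g.
#   posttls-finger -wc -F /etc/ssl/certs/ca-certificates.crt "[smtp.gmail.com]:465" 2>&1 \
#       | tee "$tmp" | finger_verdict >/dev/null || sendmail -i "$report_addr" < "$tmp"
```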