On Sun, Mar 24, 2024 at 11:34:35PM +0800, Cowbay via Postfix-users wrote:

> > You might not get to observe the problem for quite some time (if ever
> > again).
>
> I'm quite seldom sending mail by gmail via my postfix server.
>
> If the "posttls-finger" has the identical behavior as postfix, then I
> could write a simple cronjob script to "finger" the
> smtp.gmail.com:465.
Not necessarily 100% identical, but quite close.

> OT: I just tried that my version of "posttls-finger" has no ipv6 support
> though the man page says it does. And it always returns 0 even when it failed.
> ----------------8<---------------------8<-----------------
> $ host smtp.gmail.com
> smtp.gmail.com has address 142.251.8.109
> smtp.gmail.com has IPv6 address 2404:6800:4008:c15::6d
>
> $ posttls-finger -wc -F /etc/ssl/certs/ca-certificates.crt -a ipv6
> [smtp.gmail.com]:465

You neglected to specify "-lsecure", and just in case an explicit match
pattern:

$ posttls-finger -wc -lsecure -F /etc/ssl/cert.pem -a ipv6 "[smtp.gmail.com]:465" smt.gmail.com
posttls-finger: smtp.gmail.com[2607:f8b0:4004:c1d::6c]:465: matched peername: smtp.gmail.com
posttls-finger: smtp.gmail.com[2607:f8b0:4004:c1d::6c]:465: subject_CN=smtp.gmail.com, issuer=GTS CA 1C3, cert fingerprint=F7:5F:AA:8D:B5:7A:A7:A4:8A:34:0C:C3:12:18:D8:77:3B:A9:F7:75:E1:EC:76:25:76:79:41:B2:AB:46:34:E1, pkey fingerprint=E9:BB:66:2D:A5:7C:05:FD:C4:EE:2D:CD:33:9C:32:6D:F7:99:7E:66:29:1F:F0:A4:5E:42:05:57:32:10:7C:96
posttls-finger: Verified TLS connection established to smtp.gmail.com[2607:f8b0:4004:c1d::6c]:465: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256

> posttls-finger: Verified TLS connection established to
> smtp.gmail.com[142.251.8.109]:465: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384
> (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)
> server-digest SHA256

It does indeed look like IPv6 is not available on your end.

> $ posttls-finger -wc -F /etc/ssl/certs/ca-certificates.crt
> "[ipv6:2404:6800:4008:c15::6d]:465" smtp.gmail.com

The "[ipv6:addr]" syntax can be simplified to "[addr]". You still should
specify "-lsecure".

> If the "posttls-finger" has the identical behavior as postfix about
> verifying the certificate, then I can start to launch this cronjob.
Certificate verification should be identical, but if the presented chain
subtly depends on the client's TLS HELLO message, there could perhaps be a
difference if main.cf has "smtp_tls_..." settings that cause the HELLO
message to differ between smtp(8) and posttls-finger(1). The cipher grade
will default to "medium", and (as in the Postfix smtp(8) client) an SNI name
won't be sent unless you specify one ("-s smtp.gmail.com").

I am sceptical that monitoring smtp.gmail.com:465 is likely to be
productive, but if you're motivated, this is surely harmless.

-- 
    Viktor.

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
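A cron wrapper of the kind discussed in this thread, added here as an example and not taken from the thread or from Postfix itself. It assumes posttls-finger is installed and the CA bundle path is right for the host; since Cowbay observed that the tool exits 0 even on failure, it classifies the tool's output ("Verified" / "Trusted" / "Untrusted" / "Anonymous TLS connection established") rather than trusting the exit status, and passes the "-lsecure" and "-s" options Viktor recommends.

```shell
#!/bin/sh
# Added example, not from the thread. Cron wrapper around posttls-finger(1):
# runs a secure-level verification against smtp.gmail.com:465 and alerts on
# anything other than a "Verified" result.
# Assumptions: posttls-finger is on PATH; CAFILE points at a valid CA bundle.

DEST="[smtp.gmail.com]:465"
SNI="smtp.gmail.com"
CAFILE="${CAFILE:-/etc/ssl/certs/ca-certificates.crt}"

# classify_finger_output: read posttls-finger output on stdin and print one of
# verified, trusted, untrusted, anonymous or none. The tool's own exit status
# is not consulted, because (per the thread) it is 0 even on failure.
classify_finger_output() {
    out=$(cat)
    case "$out" in
        *"Verified TLS connection established"*)  echo verified ;;
        *"Trusted TLS connection established"*)   echo trusted ;;
        *"Untrusted TLS connection established"*) echo untrusted ;;
        *"Anonymous TLS connection established"*) echo anonymous ;;
        *)                                        echo none ;;
    esac
}

# run_check: -w (wrappermode, implicit TLS on 465), -c (no SMTP chat log),
# -lsecure (require a verified chain and name match), -s (send SNI), plus an
# explicit match pattern after the destination. Returns 0 only on "verified".
run_check() {
    finger_out=$(posttls-finger -wc -lsecure -F "$CAFILE" -s "$SNI" \
                     "$DEST" "$SNI" 2>&1)
    status=$(printf '%s\n' "$finger_out" | classify_finger_output)
    if [ "$status" != verified ]; then
        printf 'TLS check FAILED for %s (%s):\n%s\n' \
            "$DEST" "$status" "$finger_out" >&2
        return 1
    fi
    return 0
}

# Only perform the network check when invoked as "sh script.sh run", so the
# functions can also be sourced and tested without touching the network.
if [ "${1:-}" = run ]; then
    run_check
fi
```

From cron, invoke it as `sh check-gmail-tls.sh run`; cron then mails you the captured output only when the check fails.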