On 2024/3/25 01:12, Viktor Dukhovni via Postfix-users wrote:
>> If the "posttls-finger" has the identical behavior as postfix, then I
>> could write a simple cronjob script to "finger" the
>> smtp.gmail.com:465.
>
> Not necessarily 100% identical, but quite close.
It seems it is not perfect. :(

>> $ posttls-finger -wc -F /etc/ssl/certs/ca-certificates.crt -a ipv6 [smtp.gmail.com]:465
>
> You neglected to specify "-lsecure", and just in case an explicit match
> pattern:
My bad, I will add this "-lsecure" to "posttls-finger" and add "-CAfile" to the
openssl command.

>> posttls-finger: Verified TLS connection established to smtp.gmail.com[142.251.8.109]:465: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
>
> It does indeed look like IPv6 is not available on your end.
Actually, I was afraid that my postfix was too old to have this problem, or that
it was a build mistake in old Debian. I checked posttls-finger on another
container of mine, which is Ubuntu 22.04.4; posttls-finger still doesn't support
IPv6 there either, weird.

>> If the "posttls-finger" has identical behavior to postfix in
>> verifying the certificate, then I can start to launch this cronjob.
>
> Certificate verification should be identical, but if the presented chain
> subtly depends on the client's TLS HELLO message, there could perhaps be
> a difference if main.cf has "smtp_tls_..." settings that cause the HELLO
> message to differ between smtp(8) and posttls-finger(1).
Since they are different, my idea of using posttls-finger seems unnecessary. I
have decided to drop this idea, and instead to modify my script to monitor the
postfix log for the keyword "self-signed" every minute. I expect that we will
not see any result in a short time.


> The cipher grade will default to "medium", and (as in the Postfix
> smtp(8) client) an SNI name won't be sent unless you specify one ("-s
> smtp.gmail.com").
Thanks for reminding me. I will add another posttls-finger run with "-s" and
another openssl run with "-noservername" to my modified script.

On 2024/3/24 00:49, Viktor Dukhovni via Postfix-users wrote:
> One possible factor is the handling of TLS connections that don't set
> the SNI name (Postfix default, see
> <http://www.postfix.org/postconf.5.html#smtp_tls_servername>).
I recall your reminder above. I didn't use "smtp_tls_servername" in my postfix.
For debugging purposes, I should not modify my postfix configuration.
For production use, I should use DANE or specify the "servername" attribute in
the tls_policy.

Hmm... it seems that we prefer to believe postfix really got a self-signed
certificate from smtp.gmail.com last time, and maybe one of the causes is that
no SNI name was sent.

I still decide to add the "servername" attribute to my tls_policy while also
monitoring the postfix log with my modified script. Maybe I will never get a
result. :)

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
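The log-monitoring approach discussed in the thread (a cron job that greps the smtp(8) log for "self-signed") can be made a little stricter: under a "secure" policy, every session to that destination should be logged as "Verified TLS connection established", so any other grade ("Untrusted", "Anonymous", "Trusted") for that host is worth an alert, not only the lines that mention "self-signed". The following is an added example of such a check, not code from the thread or from Postfix. The log lines it runs on are constructed samples in the shape Postfix smtp(8) logs at smtp_tls_loglevel=1 (the host name, PIDs and addresses are made up for the example), and the name `scan_tls_log` is an assumption of this example.

```python
import re
from collections import Counter

# Constructed sample log lines (not taken from the poster's server). The
# message shapes follow what Postfix smtp(8) logs at smtp_tls_loglevel=1:
# a "certificate verification failed for ...: <reason>" line, followed by
# the "<grade> TLS connection established to ..." line for the session.
SAMPLE_LOG = """\
Mar 25 01:10:02 mx postfix/smtp[2211]: Verified TLS connection established to smtp.gmail.com[142.251.8.109]:465: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Mar 25 01:11:05 mx postfix/smtp[2212]: certificate verification failed for smtp.gmail.com[142.251.8.109]:465: self-signed certificate
Mar 25 01:11:05 mx postfix/smtp[2212]: Untrusted TLS connection established to smtp.gmail.com[142.251.8.109]:465: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Mar 25 01:12:00 mx postfix/smtp[2213]: Verified TLS connection established to mail.example.org[203.0.113.5]:25: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (prime256v1) server-digest SHA256
Mar 25 01:13:10 mx postfix/smtp[2214]: Anonymous TLS connection established to smtp.gmail.com[142.251.8.109]:465: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
"""

# syslog timestamp, host, and the smtp(8) process tag
_PREFIX = r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ postfix/smtp\[(?P<pid>\d+)\]: "
_DEST = r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "

TLS_ESTABLISHED = re.compile(
    _PREFIX
    + r"(?P<grade>Verified|Trusted|Untrusted|Anonymous) TLS connection established to "
    + _DEST + r"(?P<params>.*)$")
VERIFY_FAILED = re.compile(
    _PREFIX + r"certificate verification failed for " + _DEST + r"(?P<reason>.*)$")

# Older OpenSSL spells it "self signed", newer releases "self-signed".
SELF_SIGNED = re.compile(r"self[- ]signed", re.IGNORECASE)


def scan_tls_log(text, host, port=465):
    """Check smtp(8) log text for sessions to host:port that a working
    'secure' policy should never produce.

    Returns (alerts, grades): alerts is a list of dicts, one per
    verification-failure line (with its reason) and one per session whose
    grade is anything other than Verified; grades counts the grades seen
    for that destination, so a long run of only Verified sessions can be
    reported as such.
    """
    alerts = []
    grades = Counter()
    for line in text.splitlines():
        m = VERIFY_FAILED.match(line)
        if m and m.group("host") == host and int(m.group("port")) == port:
            reason = m.group("reason")
            alerts.append({
                "ts": m.group("ts"), "pid": m.group("pid"), "ip": m.group("ip"),
                "kind": "verify-failed", "detail": reason,
                "self_signed": bool(SELF_SIGNED.search(reason)),
            })
            continue
        m = TLS_ESTABLISHED.match(line)
        if m and m.group("host") == host and int(m.group("port")) == port:
            grade = m.group("grade")
            grades[grade] += 1
            if grade != "Verified":
                alerts.append({
                    "ts": m.group("ts"), "pid": m.group("pid"), "ip": m.group("ip"),
                    "kind": "unverified-session", "detail": grade,
                    "self_signed": False,
                })
    return alerts, grades


def format_report(alerts, grades):
    """Render the scan result as the lines a cron job would mail out."""
    lines = ["grades: " + ", ".join(f"{g}={n}" for g, n in sorted(grades.items()))]
    for a in alerts:
        flag = " (SELF-SIGNED)" if a["self_signed"] else ""
        lines.append(f"{a['ts']} pid={a['pid']} {a['ip']} {a['kind']}: {a['detail']}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    found, seen = scan_tls_log(SAMPLE_LOG, "smtp.gmail.com", 465)
    print(format_report(found, seen))
```

In a real cron job, replace `SAMPLE_LOG` with the last minute of the mail log (for example the output of `journalctl -u postfix --since -1min`, or a tail of /var/log/mail.log), and treat a non-empty alert list as the trigger. Keying on the "<grade> TLS connection established" line rather than on the word "self-signed" alone also catches the case where verification fails for another reason (an untrusted issuer, a name mismatch) and the case where the SNI-dependent chain mentioned earlier in the thread changes from one delivery to the next.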