On Sat, Dec 02, 2023 at 11:37:55AM -0500, pgnd wrote:
> > - dane:Same as "may" in the absence of DNSSEC MX and TLSA
>
> iiuc, this functions as
>
> dane, with DNSSEC MX and TLSA
> may, without DNSSEC MX and TLSA
>
> is there an equivalent single form that functions as
>
>
tly:
case TLS_LEV_DANE:
case TLS_LEV_DANE_ONLY:
state->match = argv_alloc(2);
argv_add(state->match, "nexthop", "hostname", ARGV_END);
break;
}
configures matching of either the "nexthop" or the MX "
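The match list in the snippet above (the DANE levels match the certificate against both the next-hop domain and the MX hostname; the "secure" level defaults to "nexthop, dot-nexthop" and "verify" to "hostname") is what decides whether a server certificate is accepted or logged as a hostname mismatch. The Python below is an added example, not Postfix code: it reimplements an approximation of the Postfix name-matching strategies ("nexthop", "dot-nexthop", "hostname", plus literal patterns such as ".example.net") and runs them over a constructed destination and certificate, so the same certificate can be seen passing one match list and failing another. The domains and SAN names are constructed, and the exact wildcard and parent-domain rules are my reading; the authoritative rules are in Postfix's tls_verify.c.

```python
"""Added example (not Postfix code): approximate the Postfix SMTP client's
certificate name matching for the 'secure', 'verify' and 'dane' levels.

Strategies: 'nexthop'     -> the next-hop destination domain, exact match
            'dot-nexthop' -> '.' + next-hop, i.e. any proper sub-domain of it
            'hostname'    -> the MX hostname, exact match
            anything else -> a literal pattern ('example.net' or '.example.net')
A '*' in a certificate name is accepted only as the entire leftmost label and
stands for exactly one label.  Postfix's real rules live in tls_verify.c; this
is a readable approximation for illustration.
"""


def labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def pattern_matches(cert_name, pattern):
    """Match one certificate DNS name (SAN dNSName) against one policy pattern."""
    c = labels(cert_name)
    wildcard = c[0] == "*"
    # Reject '*' anywhere but as a whole leftmost label, and '*.tld' style names.
    if any("*" in lab for lab in c[1:]) or ("*" in c[0] and not wildcard):
        return False
    if wildcard and len(c) < 3:
        return False
    if pattern.startswith("."):
        # Parent-domain pattern: the name must be a proper sub-domain of the
        # parent.  A '*.suffix' name only covers '<label>.suffix', so it is
        # enough that the suffix ends with (or equals) the parent.
        parent = labels(pattern[1:])
        suffix = c[1:] if wildcard else c
        tail_ok = len(suffix) >= len(parent) and suffix[-len(parent):] == parent
        return tail_ok and (wildcard or len(suffix) > len(parent))
    w = labels(pattern)
    if wildcard:
        return len(c) == len(w) and c[1:] == w[1:]
    return c == w


def expand_match_list(match_list, nexthop, hostname):
    """Turn a Postfix match list into concrete patterns for one delivery."""
    table = {"nexthop": nexthop, "dot-nexthop": "." + nexthop, "hostname": hostname}
    return [table.get(item, item) for item in match_list]


def cert_matches_policy(san_names, match_list, nexthop, hostname):
    """Return the (certificate name, pattern) pair that satisfied the policy,
    or None, the case the SMTP client logs as 'hostname mismatch'."""
    for pattern in expand_match_list(match_list, nexthop, hostname):
        for name in san_names:
            if pattern_matches(name, pattern):
                return name, pattern
    return None


# Constructed scenario (not real hosts): mail for example.com is routed to an
# MX in another domain whose certificate only names that other domain.
NEXTHOP = "example.com"
MX_HOST = "in-8.mail.example.net"
SAN_NAMES = ["*.mail.example.net", "mail.example.net"]

SECURE_DEFAULT = ["nexthop", "dot-nexthop"]   # smtp_tls_secure_cert_match default
VERIFY_DEFAULT = ["hostname"]                 # smtp_tls_verify_cert_match default
DANE_MATCH = ["nexthop", "hostname"]          # what the snippet sets for TLS_LEV_DANE*

if __name__ == "__main__":
    for level, ml in (("secure", SECURE_DEFAULT), ("verify", VERIFY_DEFAULT),
                      ("dane", DANE_MATCH), ("secure + .example.net", [".example.net"])):
        print(f"{level:22s} {ml} -> {cert_matches_policy(SAN_NAMES, ml, NEXTHOP, MX_HOST)}")
```

With the default "secure" list the certificate is rejected because neither name is example.com or under it, while "verify" and the DANE list accept the wildcard name through the MX hostname; adding an explicit ".example.net" pattern to a per-destination policy entry makes "secure" pass too, which is the kind of policy-table line the thread is about.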
On Sat, Dec 02, 2023 at 09:55:44PM +0900, Byung-Hee HWANG via Postfix-users wrote:
> > No, it's a pure security policy thing and an overlooked line in the mysql
> > tls
> > policy table.
> >
> > The policy "secure" (and I assume "dane-only") doesn't work, as github is
> > not
> > using DNSSEC. V
> No, it's a pure security policy thing and an overlooked line in the mysql tls
> policy table.
>
> The policy "secure" (and I assume "dane-only") doesn't work, as github is not
> using DNSSEC. Valid policies which make this work are "verify", "may" and I
> assume "dane" (if you have "smtp_tls_secu
ain.
github is not DNSSEC protected, as such - if I understand the TLS readme
correctly, postfix will not use DANE. As such I assume, posttls-finger will
not use DANE too.
Correct. Therefore "posttls-finger" will use the "secure" level, and
its matching policy:
This doesn't
chain.
>
> github is not DNSSEC protected, as such - if I understand the TLS readme
> correctly, postfix will not use DANE. As such I assume, posttls-finger will
> not use DANE too.
Correct. Therefore "posttls-finger" will use the "secure" level, and
its matching po
Wietse Venema via Postfix-users:
> As people rely more on posttls-finger to troubleshoot TLS issues,
> it is clear that posttls-finger needs to become an officially
> supported tool.
Just to be clear, current posttls-finger documentation says "Note:
this is an unsupported test prog
As people rely more on posttls-finger to troubleshoot TLS issues,
it is clear that posttls-finger needs to become an officially
supported tool.
For that, we need to document how posttls-finger expectations
differ from Postfix SMTP client expectations (some of which the
SMTP client delegates to
b mailservers when posttls-finger is able to do that with
>> the same cert store?
>
> Because there are differences between tlsproxy and posttls-finger.
>
> 1) Different executable files may be subject to different SELinux,
> AppArmor etc. policies.
This is FreeBSD, no different poli
On 2023-12-01 12:40, Byung-Hee HWANG via Postfix-users wrote:
Alexander Leidinger via Postfix-users writes:
On 2023-12-01 12:08, Byung-Hee HWANG via Postfix-users wrote:
...
Nov 30 11:31:48 mailgate postfix/tlsproxy[175]: server certificate
verification failed for in-8.smtp.github.com[140
ficate.
You can go through the motions if you want, but it won't achieve any
security goals.
Not with github. I fully agree. With github it was about the technical
issues I wanted to understand and solve (and it is solved now, see
below).
The technical problem I have is that postfix seems
Alexander Leidinger:
> On 2023-11-30 16:53, Wietse Venema via Postfix-users wrote:
> > Alexander Leidinger via Postfix-users:
> >> What is wrong here that [tlsproxy] doesn't establish a trusted connection
> >> to the github mailservers when posttl
Alexander Leidinger via Postfix-users writes:
> On 2023-12-01 12:08, Byung-Hee HWANG via Postfix-users wrote:
>>> ...
>>> Nov 30 11:31:48 mailgate postfix/tlsproxy[175]: server certificate
>>> verification failed for in-8.smtp.github.com[140.82.114.32]:25:
>>> num=62:hostname mismatch
>>> ...
>
On 2023-12-01 12:08, Byung-Hee HWANG via Postfix-users wrote:
...
Nov 30 11:31:48 mailgate postfix/tlsproxy[175]: server certificate
verification failed for in-8.smtp.github.com[140.82.114.32]:25:
num=62:hostname mismatch
...
Maybe you check?
root@yw-1204:/etc/postfix# postconf -n | grep CA
> ...
> Nov 30 11:31:48 mailgate postfix/tlsproxy[175]: server certificate
> verification failed for in-8.smtp.github.com[140.82.114.32]:25:
> num=62:hostname mismatch
> ...
Maybe you check?
root@yw-1204:/etc/postfix# postconf -n | grep CAfile
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.cr
ons if you want, but it won't achieve any
security goals.
> The technical problem I have is that postfix seems to use parts of the cert
> store (it validates the MX of FreeBSD, but not the MX of github), whereas
> posttls-finger uses the complete cert store.
No. The problem you'
usted connection
to the github mailservers when posttls-finger is able to do that with
the same cert store?
Because there are differences between tlsproxy and posttls-finger.
1) Different executable files may be subject to different SELinux,
AppArmor etc. policies.
This is FreeBSD, no diff
st is orthogonal to
this. I agree with all what is written in the link and what you said
about insecure (if no DNSSEC is used), but this is trust, not technical
validation.
The technical problem I have is that postfix seems to use parts of the
cert store (it validates the MX of FreeBSD, but not
On 01-12-2023 08:59, Alexander Leidinger via Postfix-users wrote:
On 2023-11-30 16:53, Wietse Venema via Postfix-users wrote:
Alexander Leidinger via Postfix-users:
What is wrong here that [tlsproxy] doesn't establish a trusted connection
to the github mailservers when posttls-fing
On 2023-11-30 16:53, Wietse Venema via Postfix-users wrote:
Alexander Leidinger via Postfix-users:
What is wrong here that [tlsproxy] doesn't establish a trusted connection
to the github mailservers when posttls-finger is able to do that with
the same cert store?
Because ther
email address I want to deliver to
> this server.
See above. You're missing the point.
> So there is a mismatch between postfix and posttls-finger on a TLS
> connection level which to my understanding shall not happen.
No, there's a mismatch between the configuration of y
Alexander Leidinger via Postfix-users:
> What is wrong here that [tlsproxy] doesn't establish a trusted connection
> to the github mailservers when posttls-finger is able to do that with
> the same cert store?
Because there are differences between tlsproxy and posttls-finger.
y to us... Also, I wouldn't consider it a worthwhile effort for
most systems, but that's your call for your environment.
You removed the part where posttls-finger is able to verify the
connection if I add -P /etc/ssl/cert, but postfix isn't, and it is using
the same cert store.
On 2023-11-30 at 08:03:09 UTC-0500 (Thu, 30 Nov 2023 14:03:09 +0100)
Alexander Leidinger via Postfix-users is rumored to have said:
Hi,
There is something strange with delivering mail from my mailserver to
github, it complains about the github server certificate not verified
on an outgoing T
two times.
If I now use posttls-finger I'm able to get a verified connection if I
specify -P to the cert-store:
---snip---
# posttls-finger -c reply.github.com
posttls-finger: certificate verification failed for
in-10.smtp.github.com[140.82.112.32]:25: untrusted issuer
/C=US/O=DigiCert Inc/O
On Mon, Sep 06, 2021 at 06:39:32PM +0200, Miriam Espana Acebal wrote:
> recently we were working on this bug:
> https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/1885403.
> [...]
> posttls-finger: warning: connect to private/tlsmgr: No such file or directory
> posttls-
Hi all,
recently we were working on this bug:
https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/1885403.
For summarizing, when running posttls-finger, it attempts to connect
through private/tlsmgr, and unless the program is being run from
/var/spool/postfix, this fails and posttls-finger
Paul Menzel:
> Dear Postfix users,
>
>
> I couldn't find a Make rule to install `posttls-finger`? Did I overlook
> something, or would I need to copy it manually?
There is no such rule, because Postfix test programs are not supported.
Supported programs are protected by backwar
Dear Postfix users,
I couldn’t find a Make rule to install `posttls-finger`? Did I overlook
something, or would I need to copy it manually?
Kind regards,
Paul
On 2021/01/26 19:49 PM, Viktor Dukhovni wrote:
On Tue, Jan 26, 2021 at 07:25:45PM -0500, vi...@vheuser.com wrote:
posttls-finger -c -lmay "[example.com]"
returns "posttls-finger: Server is anonymous"
What should the server return?
How is it configured?
You can tr
On Tue, Jan 26, 2021 at 07:25:45PM -0500, vi...@vheuser.com wrote:
> posttls-finger -c -lmay "[example.com]"
> returns "posttls-finger: Server is anonymous"
>
> What should the server return?
> How is it configured?
You can try "-lsecure"
posttls-finger -c -lmay "[example.com]"
returns "posttls-finger: Server is anonymous"
What should the server return?
How is it configured?
k sent elsewhere. Dane
record returning perfectly now, on posttls-finger, for that domain.
>> dnssec-lookaside auto;
>
> This is obsolete, the ISC DLV zone is now empty, so this should be set
> to "no" in all recursive BIND servers.
>
I deleted this guy.
Thanks Viktor.
Mal
> On Oct 17, 2017, at 5:58 AM, Mal wrote:
>
> Bingo. That information certainly explains the behavior observed.
>
> Does this therefore require DNSSEC-validation to be set to "no" (for the
> authoritative NS):
> dnssec-enable yes;
This must stay "yes" or else you DoS your domain.
> dnss
On 18/10/2017 1:17 AM, /dev/rob0 wrote:
> Um, validation is exclusively done on NON-authoritative lookup
> results. I'm not sure what you are thinking. In order:
This was pointed out previously.
> 1. dnssec-enable no; would prevent your BIND server from serving
> required records from a si
On Tue, Oct 17, 2017 at 08:28:02PM +1030, Mal wrote:
> On 17/10/2017 7:14 PM, Viktor Dukhovni wrote:
>
> > So it seems that the machine in question has the authoritative
> > server for the zone as its recursive server. Such mixing of
> > authoritative and recursive workloads is discouraged thes
On 17/10/2017 7:14 PM, Viktor Dukhovni wrote:
> So it seems that the machine in question has the authoritative
> server for the zone as its recursive server. Such mixing of
> authoritative and recursive workloads is discouraged these days,
> and critically, it breaks DANE in Postfix for any aut
> On Oct 17, 2017, at 3:58 AM, Mal wrote:
>
>> There's no such thing as "AD records".
>
> Was just a shortcut for 'Authoritative domain record'.
I've never seen that phrase before.
> The zone exists on that resolver and is queried directly.
> Will avoid lo[o]se english in future.
So it seem
On 17/10/2017 5:11 PM, Viktor Dukhovni wrote:
> The only way to find out they don't exist is to ask.
Very good.
> No TLSA records were found, perhaps because the "A" records were
> reported insecure, or because the TLSA records don't exist.
TLSA record is present. The sys4 Dane SMTP validato
d by posttls-finger.
The only way to find out they don't exist is to ask.
> The remote site has only
> IPv4 records in the zone, except for the zone NS records, which come
> from dual stack resolvers (which are auth).
Still not clear how this is relevant.
> me@mta:/#posttls-fi
Hello
This MTA is a dual stack postfix machine, which also has a dual stack
resolver running.
When testing DANE to a remote IPv4 only MTA, i see an attempt to lookup
a non-existent record by posttls-finger. The remote site has only
IPv4 records in the zone, except for the zone NS records
ty (runs into more bugs). It
is suitable for personal machines, but may not yet be wise for
servers.
FWIW, The resolver I'm using at the moment is not configured for
query minimization, and so:
$ posttls-finger -c -l dane sushi-circle.de
posttls-finger: using DANE RR: _25._tcp.login.ente
ed files just be c_rehashed in core certs ?
to show my problem:
posttls-finger fido.dk
i will add dane later, just want to solve tls first
On 2014-11-21 09:50, Patrik Båt wrote:
> On 2014-11-20 18:21, Viktor Dukhovni wrote:
>> On Thu, Nov 20, 2014 at 10:42:20AM +0100, Patrik Båt wrote:
>>
>>>> Ah thanks for the heads up, posttls-finger returned sha1, probably
>>>> because it runs OpenSSL 1.0.x.
On 2014-11-20 18:21, Viktor Dukhovni wrote:
> On Thu, Nov 20, 2014 at 10:42:20AM +0100, Patrik Båt wrote:
>
>>> Ah thanks for the heads up, posttls-finger returned sha1, probably
>>> because it runs OpenSSL 1.0.x.
>> "The best practice algorithm is now sha1"
On Thu, Nov 20, 2014 at 10:42:20AM +0100, Patrik Båt wrote:
> > Ah thanks for the heads up, posttls-finger returned sha1, probably
> > because it runs OpenSSL 1.0.x.
>
> "The best practice algorithm is now sha1", maybe thats why it is default
> in posttls-fi
On Thu, Nov 20, 2014 at 10:07:26AM +0100, Patrik Båt wrote:
> The fingerprint that posttls-finger is returning, what fingerprint is
> this? it doesn't match the one I'm getting from the certificate using:
From the manpage for posttls-finger(1):
$ tar zxf postfix-2.11.3.t
On 2014-11-20 10:27, Patrik Båt wrote:
> On 2014-11-20 10:18, Matthias Schneider wrote:
>> On 20.11.2014 at 10:07, Patrik Båt wrote:
>>> Hello!
>>>
>>> The fingerprint that posttls-finger is returning, what fingerprint is
>>> this? it doesn’t match t
On 2014-11-20 10:18, Matthias Schneider wrote:
> On 20.11.2014 at 10:07, Patrik Båt wrote:
>> Hello!
>>
>> The fingerprint that posttls-finger is returning, what fingerprint is
>> this? it doesn’t match the one I'm getting from the certificate using:
>>
On 20.11.2014 at 10:07, Patrik Båt wrote:
Hello!
The fingerprint that posttls-finger is returning, what fingerprint is
this? it doesn’t match the one I'm getting from the certificate using:
openssl x509 -in cert.pem -noout -pubkey | openssl rsa -pubin -outform DER | openssl dgst -md5 -c
Hello!
The fingerprint that posttls-finger is returning, what fingerprint is
this? it doesn’t match the one I'm getting from the certificate using:
openssl x509 -in cert.pem -noout -pubkey | openssl rsa -pubin -outform DER | openssl dgst -md5 -c
Best regards, Patrik.
signatur
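Patrik's pipeline above digests the public key with MD5, while the replies in this thread note that the posttls-finger build in question reported a SHA-1 fingerprint, so the two values could never compare equal. The Python below is an added example, not Postfix or OpenSSL code: it reproduces both fingerprints posttls-finger prints for a server certificate (the certificate fingerprint over the whole DER certificate and the public key fingerprint over the DER SubjectPublicKeyInfo) from a PEM certificate using only the standard library, with a selectable digest, and it extracts the SubjectPublicKeyInfo by hand so it works for any key type; the `openssl rsa -pubin -outform DER` step only does that for RSA keys. The certificate it digests is a constructed, unsigned placeholder so the code runs offline, and all function names are my own.

```python
"""Added example (not Postfix or OpenSSL code): compute the two fingerprints
posttls-finger reports for a server certificate, standard library only.
  certificate fingerprint = digest over the whole DER-encoded certificate
  public key fingerprint  = digest over the DER SubjectPublicKeyInfo (SPKI)
Both depend on the digest algorithm (posttls-finger -d; for the Postfix SMTP
client smtp_tls_fingerprint_digest), so an md5 value never equals a sha1 or
sha256 one.  The certificate built by build_test_cert() is a constructed,
unsigned placeholder for offline use, not a real certificate.
"""
import base64
import hashlib
import re


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the certificate body."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def der_tlv(data, pos):
    """Decode the DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:                                  # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + ln


def spki_from_cert(der):
    """Walk Certificate -> tbsCertificate and return the SubjectPublicKeyInfo TLV.
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, pos, _ = der_tlv(der, 0)                  # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = der_tlv(der, pos)                # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, end = der_tlv(der, pos)
    if tag == 0xA0:                                # explicit [0] version is optional
        pos = end
    for _ in range(5):                             # serial, sigalg, issuer, validity, subject
        pos = der_tlv(der, pos)[2]
    tag, _, end = der_tlv(der, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return der[pos:end]


def fingerprint(blob, mdalg="sha256"):
    """Colon-separated upper-case hex, the form posttls-finger prints and that
    smtp_tls_fingerprint_cert_match / check_ccert_access tables are written in."""
    hexdigest = hashlib.new(mdalg, blob).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprints(pem, mdalg="sha256"):
    """Both fingerprints for a PEM certificate.  Shell equivalents:
       openssl x509 -in cert.pem -outform DER | openssl dgst -<mdalg> -c          (cert)
       openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER
           | openssl dgst -<mdalg> -c                                             (pkey)"""
    der = pem_to_der(pem)
    return {"cert": fingerprint(der, mdalg), "pkey": fingerprint(spki_from_cert(der), mdalg)}


def der_encode(tag, content):
    """Minimal DER TLV encoder, used only to build the placeholder certificate."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def build_test_cert():
    """Constructed placeholder (NOT a real certificate): structurally valid DER with
    empty issuer/subject, a bogus RSA key and a zero signature.  Returns (pem, der, spki)."""
    seq = lambda *parts: der_encode(0x30, b"".join(parts))
    null = b"\x05\x00"
    rsa_oid = der_encode(0x06, bytes.fromhex("2A864886F70D010101"))        # rsaEncryption
    sha256_rsa_oid = der_encode(0x06, bytes.fromhex("2A864886F70D01010B"))  # sha256WithRSA
    rsa_pub = seq(der_encode(0x02, b"\x03"), der_encode(0x02, b"\x03"))    # RSAPublicKey{3,3}
    spki = seq(seq(rsa_oid, null), der_encode(0x03, b"\x00" + rsa_pub))
    tbs = seq(der_encode(0xA0, der_encode(0x02, b"\x02")),                 # [0] version v3
              der_encode(0x02, b"\x01"),                                   # serialNumber
              seq(sha256_rsa_oid, null),                                   # signature algorithm
              seq(),                                                       # issuer (empty Name)
              seq(der_encode(0x17, b"240101000000Z"), der_encode(0x17, b"250101000000Z")),
              seq(),                                                       # subject (empty Name)
              spki)
    cert = seq(tbs, seq(sha256_rsa_oid, null), der_encode(0x03, b"\x00" * 5))
    pem = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(cert).decode()
           + "\n-----END CERTIFICATE-----\n")
    return pem, cert, spki


if __name__ == "__main__":
    pem, _, _ = build_test_cert()
    for alg in ("md5", "sha1", "sha256"):
        print(alg, fingerprints(pem, alg))
```

Run the same PEM through it once per digest and compare against what posttls-finger printed with the matching `-d`; if only the algorithm differs, the lengths of the two strings (16, 20 or 32 byte pairs) already give the mismatch away.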
On Mon, Dec 30, 2013 at 12:08:30PM +0100, sca wrote:
> I find posttls-finger very useful. But it isn't installed by default.
> Do I need some special parameters to install binary+manpage when
> building postfix from source?
> (2.11-$latest)
Add the relevant entries to c
Hello,
I find posttls-finger very useful. But it isn't installed by default.
Do I need some special parameters to install binary+manpage when
building postfix from source?
(2.11-$latest)
Andreas
On 15.12.2013 22:08, Patrick Ben Koetter wrote:
> % unbound-control flush
I prefer "unbound-control flush_zone " because "flush" doesn't flush TXT
Andreas
* Viktor Dukhovni :
> On Sun, Dec 15, 2013 at 09:33:25PM +0100, Patrick Ben Koetter wrote:
>
> > I am looking for a switch in posttls-finger to tell it where (read:
> > nameserver)
> > to lookup TLSA RRs.
> >
> > Problem is: I've updated my zone,
On Sun, Dec 15, 2013 at 09:33:25PM +0100, Patrick Ben Koetter wrote:
> I am looking for a switch in posttls-finger to tell it where (read: nameserver)
> to lookup TLSA RRs.
>
> Problem is: I've updated my zone, but posttls-finger doesn't seem to 'see'
>
Viktor,
I am looking for a switch in posttls-finger to tell it where (read: nameserver)
to lookup TLSA RRs.
Problem is: I've updated my zone, but posttls-finger doesn't seem to 'see'
that because my local resolver has cached the DNS zones information.
Is there an option I