Public bug reported: When running posttls-finger on focal, it attempts to connect to private/tlsmgr, and unless the program is being run from /var/spool/postfix as root, this fails and posttls-finger disables TLS in the subsequent connection that it makes to the specified SMTP server.
If the user doesn't notice the "disabling TLS support" message in the output, they might infer that the test has successfully verified their TLS configuration, when in fact all it has verified is that it can connect to the SMTP server without TLS.

The following command shows the problem:

root@maimbo:/# posttls-finger mx.dmz.tait.net.nz
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: problem talking to server private/tlsmgr: No such file or directory
posttls-finger: warning: no entropy for TLS key generation: disabling TLS support
posttls-finger: using DANE RR: _25._tcp.mx.dmz.tait.net.nz -> mx.dane.tait.net.nz IN TLSA 3 1 1 19:D6:84:A7:45:FF:A1:46:0E:09:1B:10:CE:B8:4D:68:BF:EA:A9:C4:EA:51:2D:0F:30:A4:1D:D4:41:DE:0F:AC
posttls-finger: Connected to mx.dmz.tait.net.nz[192.168.20.196]:25
posttls-finger: < 220 mx.tait.net.nz ESMTP Postfix (Ubuntu)
posttls-finger: > EHLO maimbo.tait.net.nz
posttls-finger: < 250-mx.tait.net.nz
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 20480000
posttls-finger: < 250-ETRN
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250 SMTPUTF8
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye

In contrast, if the same command is run from /var/spool/postfix as root, the output is as follows:

root@maimbo:/var/spool/postfix# posttls-finger mx.dmz.tait.net.nz
posttls-finger: using DANE RR: _25._tcp.mx.dmz.tait.net.nz -> mx.dane.tait.net.nz IN TLSA 3 1 1 19:D6:84:A7:45:FF:A1:46:0E:09:1B:10:CE:B8:4D:68:BF:EA:A9:C4:EA:51:2D:0F:30:A4:1D:D4:41:DE:0F:AC
posttls-finger: Connected to mx.dmz.tait.net.nz[192.168.20.196]:25
posttls-finger: < 220 mx.tait.net.nz ESMTP Postfix (Ubuntu)
posttls-finger: > EHLO maimbo.tait.net.nz
posttls-finger: < 250-mx.tait.net.nz
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 20480000
posttls-finger: < 250-ETRN
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250 SMTPUTF8
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: mx.dmz.tait.net.nz[192.168.20.196]:25: depth=0 matched end entity public-key sha256 digest=19:D6:84:A7:45:FF:A1:46:0E:09:1B:10:CE:B8:4D:68:BF:EA:A9:C4:EA:51:2D:0F:30:A4:1D:D4:41:DE:0F:AC
posttls-finger: mx.dmz.tait.net.nz[192.168.20.196]:25: subjectAltName: mx.tait.net.nz
posttls-finger: mx.dmz.tait.net.nz[192.168.20.196]:25 CommonName mx.tait.net.nz
posttls-finger: mx.dmz.tait.net.nz[192.168.20.196]:25: subject_CN=mx.tait.net.nz, issuer_CN=Nick's Domain CA, fingerprint=FD:88:18:3D:9D:33:4C:0B:B8:F9:E8:64:4B:23:D6:05:F1:DB:8D:21, pkey_fingerprint=03:6B:E4:D3:73:82:D5:B4:EB:98:96:BB:56:77:A2:48:C2:73:A0:03
posttls-finger: Verified TLS connection established to mx.dmz.tait.net.nz[192.168.20.196]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
posttls-finger: > EHLO maimbo.tait.net.nz
posttls-finger: < 250-mx.tait.net.nz
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 20480000
posttls-finger: < 250-ETRN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250 SMTPUTF8
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye

Which of course now includes the "Verified TLS connection established..." line.

** Affects: postfix (Ubuntu)
     Importance: Undecided
         Status: New
https://bugs.launchpad.net/bugs/1885403

Title:
  posttls-finger fails to connect to private/tlsmgr
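The practical hazard in the report is that posttls-finger exits cleanly after "disabling TLS support", so a script that only checks its exit status treats a plaintext-only session as a passed TLS check. The wrapper below is an added example, not code from the bug report or from Postfix: it runs posttls-finger from the Postfix queue directory (taken from postconf, defaulting to /var/spool/postfix as in the report), then grades the transcript so that a locally disabled handshake is an explicit failure. The function names check_smtp_tls and classify_tls_output are my own; the two sample transcripts are constructed from the runs quoted above so the classifier can be exercised offline. It assumes postconf and posttls-finger are on PATH and that the caller can enter the queue directory, i.e. runs as root, as the report does.

```shell
#!/bin/sh
# Added example (not from the bug report or Postfix): fail loudly when
# posttls-finger silently falls back to plaintext.

# Sample transcripts, constructed from the two runs in the bug report.
# Nothing here touches the network; they exist to exercise the classifier.
TLS_DISABLED_SAMPLE='posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: no entropy for TLS key generation: disabling TLS support
posttls-finger: Connected to mx.dmz.tait.net.nz[192.168.20.196]:25
posttls-finger: < 250-STARTTLS
posttls-finger: > QUIT'

TLS_VERIFIED_SAMPLE='posttls-finger: Connected to mx.dmz.tait.net.nz[192.168.20.196]:25
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: Verified TLS connection established to mx.dmz.tait.net.nz[192.168.20.196]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
posttls-finger: > QUIT'

# Read a posttls-finger transcript on stdin and print one word:
#   disabled     TLS was switched off locally (the tlsmgr failure from the report);
#                the run proves nothing about the server's TLS
#   verified     handshake completed and the peer certificate/DANE record matched
#   established  handshake completed but not "Verified" (posttls-finger reports
#                Untrusted, Anonymous or Trusted on that line in those cases)
#   unknown      no recognisable TLS outcome (connect failure, timeout, ...)
# The "disabling" check comes first so a fallback run can never be graded as a pass.
classify_tls_output() {
    transcript=$(cat)
    if printf '%s\n' "$transcript" | grep -q 'disabling TLS support'; then
        echo disabled
    elif printf '%s\n' "$transcript" | grep -q 'Verified TLS connection established'; then
        echo verified
    elif printf '%s\n' "$transcript" | grep -q 'TLS connection established'; then
        echo established
    else
        echo unknown
    fi
}

# Run posttls-finger from the queue directory, where private/tlsmgr lives,
# and map the transcript to an exit status a monitoring job can act on.
# Usage: check_smtp_tls HOST[:PORT] [extra posttls-finger options]
check_smtp_tls() {
    host=$1; shift
    # postconf -h prints the bare value; fall back to the Debian/Ubuntu default.
    qdir=$(postconf -h queue_directory 2>/dev/null || echo /var/spool/postfix)
    transcript=$(cd "$qdir" && posttls-finger "$@" "$host" 2>&1)
    printf '%s\n' "$transcript"
    case $(printf '%s\n' "$transcript" | classify_tls_output) in
        verified)    return 0 ;;
        disabled)    echo "check_smtp_tls: TLS disabled locally; nothing was verified" >&2; return 2 ;;
        established) echo "check_smtp_tls: TLS established but peer not verified" >&2; return 3 ;;
        *)           echo "check_smtp_tls: no TLS outcome in transcript" >&2; return 1 ;;
    esac
}

# When invoked as a script with arguments, run the live check.
if [ $# -gt 0 ]; then
    check_smtp_tls "$@"
fi
```

Run it as root, e.g. `sh check_tls.sh mx.dmz.tait.net.nz`, and use the exit status rather than the mere presence of a 250 banner; status 2 is exactly the situation in the report, where the tool connected but never issued STARTTLS.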