Public bug reported:

When running posttls-finger on focal, it attempts to connect to
private/tlsmgr, and unless the program is being run from
/var/spool/postfix as root, this fails and posttls-finger disables TLS
in the subsequent connection that it makes to the specified SMTP server.

If the user doesn't notice the "disabling TLS support" message in the
output, they might infer that the test has successfully verified their
TLS configuration, when in fact all it has verified is that it can
connect to the SMTP server without TLS.

The following command shows the problem:

root@maimbo:/# posttls-finger mx.dmz.tait.net.nz
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: problem talking to server private/tlsmgr: No such file or directory
posttls-finger: warning: no entropy for TLS key generation: disabling TLS support
posttls-finger: using DANE RR: _25._tcp.mx.dmz.tait.net.nz -> mx.dane.tait.net.nz IN TLSA 3 1 1 19:D6:84:A7:45:FF:A1:46:0E:09:1B:10:CE:B8:4D:68:BF:EA:A9:C4:EA:51:2D:0F:30:A4:1D:D4:41:DE:0F:AC
posttls-finger: Connected to mx.dmz.tait.net.nz[192.168.20.196]:25
posttls-finger: < 220 mx.tait.net.nz ESMTP Postfix (Ubuntu)
posttls-finger: > EHLO maimbo.tait.net.nz
posttls-finger: < 250-mx.tait.net.nz
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 20480000
posttls-finger: < 250-ETRN
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250 SMTPUTF8
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye

In contrast, if the same command is run from /var/spool/postfix as root,
the output is as follows:

root@maimbo:/var/spool/postfix# posttls-finger mx.dmz.tait.net.nz
posttls-finger: using DANE RR: _25._tcp.mx.dmz.tait.net.nz -> mx.dane.tait.net.nz IN TLSA 3 1 1 19:D6:84:A7:45:FF:A1:46:0E:09:1B:10:CE:B8:4D:68:BF:EA:A9:C4:EA:51:2D:0F:30:A4:1D:D4:41:DE:0F:AC
posttls-finger: Connected to mx.dmz.tait.net.nz[192.168.20.196]:25
posttls-finger: < 220 mx.tait.net.nz ESMTP Postfix (Ubuntu)
posttls-finger: > EHLO maimbo.tait.net.nz
posttls-finger: < 250-mx.tait.net.nz
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 20480000
posttls-finger: < 250-ETRN
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250 SMTPUTF8
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: mx.dmz.tait.net.nz[192.168.20.196]:25: depth=0 matched end entity public-key sha256 digest=19:D6:84:A7:45:FF:A1:46:0E:09:1B:10:CE:B8:4D:68:BF:EA:A9:C4:EA:51:2D:0F:30:A4:1D:D4:41:DE:0F:AC
posttls-finger: mx.dmz.tait.net.nz[192.168.20.196]:25: subjectAltName: mx.tait.net.nz
posttls-finger: mx.dmz.tait.net.nz[192.168.20.196]:25 CommonName mx.tait.net.nz
posttls-finger: mx.dmz.tait.net.nz[192.168.20.196]:25: subject_CN=mx.tait.net.nz, issuer_CN=Nick's Domain CA, fingerprint=FD:88:18:3D:9D:33:4C:0B:B8:F9:E8:64:4B:23:D6:05:F1:DB:8D:21, pkey_fingerprint=03:6B:E4:D3:73:82:D5:B4:EB:98:96:BB:56:77:A2:48:C2:73:A0:03
posttls-finger: Verified TLS connection established to mx.dmz.tait.net.nz[192.168.20.196]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
posttls-finger: > EHLO maimbo.tait.net.nz
posttls-finger: < 250-mx.tait.net.nz
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 20480000
posttls-finger: < 250-ETRN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250 SMTPUTF8
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye

This output, of course, now includes the "Verified TLS connection
established..." line.

** Affects: postfix (Ubuntu)
     Importance: Undecided
         Status: New
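The failure mode described in the report is that posttls-finger keeps going after "disabling TLS support", so a plaintext session that ends with "221 Bye" can be mistaken for a passed TLS check. The following shell wrapper is an added example (not part of the bug report, of Ubuntu, or of Postfix): it runs posttls-finger from the Postfix queue directory, so that the relative path private/tlsmgr resolves as it does in the working run above, and then refuses to report success unless the transcript actually contains a "Verified TLS connection established" line. The three embedded transcripts are constructed samples modelled on the output in the report (hostnames and addresses are documentation values, not the reporter's hosts); the use of `postconf -h queue_directory` to locate the queue directory and the exit-code scheme are this example's own choices.

```bash
#!/usr/bin/env bash
# Added example, not from the bug report or from Postfix.
# Goal: never let "posttls-finger ran and exited" be read as "TLS verified".

# Classify one posttls-finger transcript read from stdin.
# Exit status:
#   0  a Verified TLS connection was established
#   2  posttls-finger disabled TLS itself (the tlsmgr / entropy problem above),
#      so nothing about TLS was tested at all
#   3  TLS was negotiated but not Verified (Untrusted/Trusted/Anonymous),
#      or no TLS negotiation appears in the transcript
classify_posttls_output() {
    local out
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'disabling TLS support'; then
        echo "FAIL: posttls-finger disabled TLS before connecting; the session was plaintext"
        return 2
    fi
    if printf '%s\n' "$out" | grep -q 'Verified TLS connection established'; then
        echo "OK: Verified TLS connection established"
        return 0
    fi
    if printf '%s\n' "$out" | grep -q '^posttls-finger: > STARTTLS'; then
        echo "FAIL: STARTTLS was issued but the connection is not Verified"
        return 3
    fi
    echo "FAIL: no TLS negotiation seen in transcript"
    return 3
}

# Run posttls-finger against one host from the queue directory, so that the
# relative path private/tlsmgr exists, then classify the result. The queue
# directory is taken from postconf (assumption: postconf is on PATH; the
# fallback is the path shown in the report).
check_mx_tls() {
    local host=$1 qdir
    qdir=$(postconf -h queue_directory 2>/dev/null || echo /var/spool/postfix)
    ( cd "$qdir" && posttls-finger "$host" 2>&1 ) | classify_posttls_output
}

# Constructed sample transcripts (documentation hostnames/addresses), each
# reduced to the lines the classifier cares about.
SAMPLE_PLAINTEXT='posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: no entropy for TLS key generation: disabling TLS support
posttls-finger: Connected to mx.example.test[192.0.2.10]:25
posttls-finger: < 220 mx.example.test ESMTP Postfix
posttls-finger: > EHLO client.example.test
posttls-finger: < 250-STARTTLS
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye'

SAMPLE_VERIFIED='posttls-finger: Connected to mx.example.test[192.0.2.10]:25
posttls-finger: < 250-STARTTLS
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: Verified TLS connection established to mx.example.test[192.0.2.10]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye'

SAMPLE_UNTRUSTED='posttls-finger: Connected to mx.example.test[192.0.2.10]:25
posttls-finger: < 250-STARTTLS
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: Untrusted TLS connection established to mx.example.test[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye'

# Offline demonstration on the constructed samples.
demo() {
    local name rc
    for name in SAMPLE_PLAINTEXT SAMPLE_VERIFIED SAMPLE_UNTRUSTED; do
        rc=0
        printf '%s\n' "${!name}" | classify_posttls_output || rc=$?
        echo "$name -> exit $rc"
    done
}

demo
```

To check a real MX, call `check_mx_tls mx.example.test` and branch on the exit status; in a monitoring job, anything other than 0 should page, since exit 2 in particular means the tool silently fell back to plaintext exactly as the report describes.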

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1885403

Title:
  posttls-finger fails to connect to private/tlsmgr


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
