On Tue, Nov 14, 2023 at 03:56:25PM +0100, Patrick Ben Koetter via Postfix-users 
<postfix-users@postfix.org> wrote:

> * Viktor Dukhovni via Postfix-users <postfix-users@postfix.org>:
> > On Mon, Sep 25, 2023 at 04:24:55PM +0200, Patrick Ben Koetter via 
> > Postfix-users wrote:
> > 
> > > > Do you have SMTP client TLS connection reuse enabled?  If so, TLS
> > > > connections are made via tlsproxy(8), with the smtp(8) client
> > > > unaware of any initialisation issues until STARTTLS.
> > > 
> > > Well spotted and that was the reason Postfix failed. We've added a SELinux
> > > policy to let tlsproxy do what it wants and things went back to normal.
> > 
> > Thanks for the confirmation.  I feel some pride in intuiting the cause
> > in this case, the link with the reported symptoms was fairly subtle.
> 
> After some more investigation and testing…
> 
> It turned out that RedHat's SELinux policy does not cover Postfix' tlsproxy
> and whenever tlsproxy takes out to do what Postfix wants it to do SELinux will
> interfere and prohibit it from doing that. That in consequence made the SMTP
> service throttle and so it came to a standstill.
> 
> For the moment we decided to do without TLS session caching in Postfix
> smtp-client *and* sending client side x509 certificates on demand in favor of
> running a more secure platform.
> 
> Our long-term goal is to re-enable the Postfix features *and* use SELinux.
> (RedHat if you're on this list and following this thread ping me offlist and
> I'll be happy to share all information we can provide.)
> 
> Regards
> 
> p@rick

This might be because tlsproxy is not active by default. Perhaps the default
selinux policy for postfix is based only on the default configuration of
postfix, when really, the default selinux policy for postfix should probably
be based on all possible postfix behaviour. Talk to redhat about that.

It must be possible to adapt the selinux policy to allow tlsproxy (but I can't
help you with that).

cheers,
raf
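The thread above establishes the mechanism (tlsproxy(8) is used by the smtp(8) client when TLS connection reuse is on, and a policy written for the default configuration does not cover it) but stops short of showing how to confirm that SELinux is what is blocking tlsproxy. The following is an added example, not code from the thread or from Postfix or Red Hat: it parses audit-log AVC records, keeps only denials attributed to a given process name, and merges them into the allow-rule shape that `audit2allow` would produce. The log lines are constructed for the example, and the SELinux type names in them (`postfix_smtp_t`, `cert_t`, `smtp_port_t`) are placeholders; the domain tlsproxy actually runs in on a given host must be read from that host's own audit log.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the thread). The contexts are
# placeholders: check `ausearch -m AVC -c tlsproxy` on the real host instead.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { name_connect } for  pid=4242 comm="tlsproxy" dest=25 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { read } for  pid=4242 comm="tlsproxy" name="client.key" dev="dm-0" ino=9001 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { open } for  pid=4242 comm="tlsproxy" path="/etc/postfix/client.key" dev="dm-0" ino=9001 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.104:204): avc:  denied  { write } for  pid=777 comm="unrelated" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=42 success=no exit=-13
"""

# One AVC denial record: the permission set, the process name, the source and
# target security contexts, the object class and (on recent kernels) whether
# the domain was permissive (logged only) or enforcing (actually blocked).
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)


def parse_avc_denials(log_text):
    """Return one dict per AVC denial line; SYSCALL and other records are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["perms"] = sorted(d["perms"].split())
        # permissive=1 means the access was logged but allowed; anything else
        # (0, or the field missing on old kernels) is treated as enforced.
        d["enforced"] = d.pop("permissive") != "1"
        denials.append(d)
    return denials


def type_of(context):
    """Extract the type field: system_u:system_r:postfix_smtp_t:s0 -> postfix_smtp_t."""
    return context.split(":")[2]


def summarise(denials, comm):
    """Merge the denials of one process name by (source type, target type, class).

    That triple plus the union of permissions is exactly the shape of an SELinux
    allow rule, which is what audit2allow generates from the same records.
    """
    merged = defaultdict(set)
    for d in denials:
        if d["comm"] != comm:
            continue
        key = (type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"])
        merged[key].update(d["perms"])
    return {k: sorted(v) for k, v in merged.items()}


def allow_rules(summary):
    """Render the merged summary as policy-language allow rules, one per triple."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"
        for (src, tgt, cls), perms in sorted(summary.items())
    ]


if __name__ == "__main__":
    denials = parse_avc_denials(SAMPLE_AUDIT_LOG)
    blocked = [d for d in denials if d["comm"] == "tlsproxy" and d["enforced"]]
    print(f"{len(blocked)} enforced denials for tlsproxy")
    for rule in allow_rules(summarise(denials, "tlsproxy")):
        print(rule)
```

Two things the output makes visible that the raw log does not: whether the denials were actually enforced (a `permissive=1` record explains nothing about a hang), and how few distinct rules the noise boils down to. On a real host the equivalent steps are `ausearch -m AVC -c tlsproxy` to collect the records, `audit2allow -M <module-name>` to turn them into a local policy module, and `semodule -i <module-name>.pp` to load it; review the generated rules before loading, since the point of keeping SELinux is to grant tlsproxy only the accesses it actually needs.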
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org