On 01-12-2023 08:59, Alexander Leidinger via Postfix-users wrote:
> On 2023-11-30 16:53, Wietse Venema via Postfix-users wrote:
>> Alexander Leidinger via Postfix-users:
>>> What is wrong here that [tlsproxy] doesn't establish a trusted
>>> connection to the github mailservers when posttls-finger is able to
>>> do that with the same cert store?
>>
>> Because there are differences between tlsproxy and posttls-finger.
>>
>> 1) Different executable files may be subject to different SELinux,
>> AppArmor etc. policies.
>
> This is FreeBSD, no different policies.
>
>> 2) Different privileges: tlsproxy runs as the "postfix" user,
>> posttls-finger as "root".
>
> Ok.
>
> The cert store permissions are OK. Any ordinary user is able to read it.
> posttls-finger as any other user (incl. postfix) produces the same
> output. With -P it verifies the cert, without it it doesn't.
>
> So still the question why the same configured cert store (posttls-finger
> + postfix + @FreeBSD.org + @reply.github.com) works for sending mail to
> FreeBSD.org but not to github.com.
>
>> 3) Different certificate stores, when tlsproxy may run chrooted,
>> and posttls-finger does not.
>
> No chroot difference between both. This runs in a FreeBSD jail (like a
> container or a Solaris zone) and I was logged into this container, so
> both have seen the same filesystem content.

There still seems to be a disconnect in communication here, as you
didn't quote Viktor's response on 'smtp_tls_policy_maps', which seems to
be the key issue here. The policy in your connection to github seems to
be 'verify' or higher.

Maybe you could test again with an empty 'smtp_tls_policy_maps'
parameter in postfix config, or show all values in your policy map
explicitly (which might be difficult due to mysql usage)?

Kind regards,
Tom
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
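The comparison Tom asks for only means something when posttls-finger is run at the same security level, with the same CA store and the same match names that the policy table gives the SMTP client for that destination. The script below is an added example, not code from the thread or from Postfix: it resolves the effective policy for a next-hop destination from a constructed policy table and constructed main.cf values (placeholder paths and entries), then prints the matching posttls-finger command line. It assumes a plain exact-key lookup in the table, which is a simplification of what Postfix does.

```shell
# Constructed sample inputs (not from the thread): a tiny smtp_tls_policy_maps
# table and two main.cf TLS settings, written to temp files so this runs stand-alone.
POLICY_MAP=$(mktemp); MAIN_CF=$(mktemp)
trap 'rm -f "$POLICY_MAP" "$MAIN_CF"' EXIT
cat > "$POLICY_MAP" <<'EOF'
# next-hop destination   level [attributes]
FreeBSD.org              verify match=mx1.freebsd.org:mx2.freebsd.org
reply.github.com         verify
example.net              encrypt
EOF
cat > "$MAIN_CF" <<'EOF'
smtp_tls_security_level = may
smtp_tls_CApath = /usr/local/etc/ssl/certs
EOF

main_cf_value() {   # print the value of one main.cf parameter
  sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" "$MAIN_CF"
}

# Effective TLS policy for a next-hop destination: an exact, case-insensitive
# match in the policy table, otherwise the global smtp_tls_security_level.
# Assumption: exact-key lookup only; the real table accepts other key forms too.
effective_policy() {
  dest=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  hit=$(awk -v d="$dest" '
    /^[[:space:]]*#/ || NF == 0 { next }
    tolower($1) == d { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }' "$POLICY_MAP")
  if [ -n "$hit" ]; then printf '%s\n' "$hit"; else main_cf_value smtp_tls_security_level; fi
}

# Build the posttls-finger invocation that applies the same checks the SMTP
# client (via tlsproxy) would apply: same level via -l, same CA store via -P,
# and any match= names as trailing positional arguments.
finger_command() {
  policy=$(effective_policy "$1")
  level=${policy%% *}
  capath=$(main_cf_value smtp_tls_CApath)
  cmd="posttls-finger -l $level"
  if [ -n "$capath" ]; then cmd="$cmd -P $capath"; fi
  cmd="$cmd $1"
  case "$policy" in
    *match=*) names=${policy#*match=}; names=${names%% *}
              cmd="$cmd $(printf '%s' "$names" | tr ':' ' ')" ;;
  esac
  printf '%s\n' "$cmd"
}

finger_command reply.github.com   # destination from the thread; table says verify
finger_command example.org        # not in the table: falls back to the global level
```

Running the printed command as the postfix user reproduces the check the client makes; if it verifies there but the SMTP client still logs an untrusted connection, the difference lies outside the policy and CA store (for example in how tlsproxy is configured), not in the certificates.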