Hi Michael,

> Christian Rößner wrote:
>> I use OpenLDAP with Postfix. Today I tried to make OpenLDAP more secure by
>> requiring TLSv1.2. At this point Postfix stopped working.
> 
> I set TLSProtocolMin 3.3 (requires TLS 1.2) in my slapd.conf and ldap table of
> postfix 2.11.7 still works (both running on openSUSE Factory:ARM on rpi1b).
> 
>> I miss something like tls_protocols in ldap_table(5)
>> 
>> It would be nice to add this feature.
> 
> Since this would be a client side option it would IMHO not help with the interop
> issue you experienced before.
> 
> Note that the TLS interop of ldap table is influenced by the various build(s) of
> libldap and crypto libs on your OS platform(s). Which one? If it's Debian then
> note that libldap is linked against GnuTLS which has caused some trouble for
> others in the past.

I run OpenLDAP and Postfix both on Gentoo Linux linked against OpenSSL.

I also figured out that Ubuntu (my SOGo server) does not even work with any 
kind of encryption. So I have to rebuild the whole machine on another OS basis. 
GnuTLS is really broken!

Maybe my feature request depends on the way I bind Postfix to OpenLDAP. I do a 
SASL/EXTERNAL with a proxy user on LDAP (authz-to regex). I played around with 
SSF, ACLs and TLS (reading carefully through the man pages).

At the moment it works with all components, but only with:

TLSProtocolMin 3.1

which is TLSv1 I think. So it seems Postfix only does TLSv1 for LDAP client 
requests here. That is the reason for my feature request :-)

Kind regards

Christian
—
Christian Rößner B.Sc.
Erlenwiese 14, 36304 Alsfeld
T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345
USt-IdNr.: DE225643613, http://www.roessner-network-solutions.com
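
One way to confirm what a given TLSProtocolMin value actually enforces on the slapd side, independent of whichever client library Postfix was built against, is to send a StartTLS request and then attempt a handshake pinned to one TLS version at a time. The script below is an added example, not code from this thread or from the Postfix or OpenLDAP projects; it assumes a slapd listening for plain LDAP with StartTLS on port 389, uses only the Python standard library, and deliberately skips certificate verification because it audits protocol versions rather than trust (TLSProtocolMin 3.3 corresponds to TLS 1.2 and 3.1 to TLS 1.0, so `scan("ldap.example.com")` should report every version below the configured minimum as rejected).

```python
import socket
import ssl
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation, RFC 4511/4513

def ber_tlv(tag, content):
    """Encode one BER TLV; short length form only, enough for the tiny request we send."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content

def read_tlv(buf, pos=0):
    """Decode the TLV at pos (short or long length form); return (tag, content, next pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long form: n & 0x7F bytes of length follow
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))
    return ber_tlv(0x30, ber_tlv(0x02, bytes([msg_id])) + ext)

def starttls_result_code(reply):
    """resultCode of the ExtendedResponse [APPLICATION 24]; 0 means StartTLS was accepted."""
    tag, msg, _ = read_tlv(reply)
    _, _, pos = read_tlv(msg)                      # skip messageID
    ext_tag, ext, _ = read_tlv(msg, pos)
    code_tag, code, _ = read_tlv(ext)              # resultCode ENUMERATED comes first
    if (tag, ext_tag, code_tag) != (0x30, 0x78, 0x0A):
        raise ValueError("not an LDAP ExtendedResponse")
    return int.from_bytes(code, "big")

def probe(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to exactly `version` after StartTLS."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # auditing versions, not trust
        ctx.minimum_version = ctx.maximum_version = version  # ValueError if this client build forbids it
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(starttls_request())
            if starttls_result_code(s.recv(4096)) != 0:
                raise RuntimeError("server refused StartTLS")  # not a version issue, so propagate
            with ctx.wrap_socket(s, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, ValueError, OSError):
        return False

def scan(host, port=389):
    """Map each TLS version name to whether the server accepted it (e.g. to verify TLSProtocolMin)."""
    return {v.name: probe(host, port, v) for v in ssl.TLSVersion if v.name.startswith("TLSv1")}
```

A version the client's own OpenSSL build no longer permits (often TLS 1.0 and 1.1 at default security levels) also shows up as rejected, so compare against a second client or the slapd log before concluding the server enforced it.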
