On Tue, Jun 09, 2020 at 08:31:27PM +0200, Ján Máté wrote:

> Thanks for the explanation of what's happening in the internals of
> Postfix, but the problem is still a mystery for me ...
> 
> I use the default Debian (Buster) /etc/ssl/openssl.cnf without any
> modifications, so I don't think that there is any default certificate
> chain that might be preloaded into each new SSL_CTX.

Have you looked at that file?  Any mention of any default certificate
chain files there?

> It looks like SNI works for you, but I cannot get it working - and
> tried really hard for more than a week (I read everything I found on
> Google and it looks like there are few people with a working setup, and
> the remaining say that it does not work) :-/
> 
> Any idea how to debug it myself? ... or even better - I can allow you
> root access to the test server to check it yourself (just send me a
> private e-mail with your ssh public key).

Can you strace the SMTP server process?  Add a "-D" flag to the
smtpd(8) entry in master.cf after setting:

    debugger_command =
        PATH=/usr/bin:/bin:/usr/sbin:/sbin
        strace -o /tmp/tr.$process_name.$process_id -p $process_id & sleep 1

Then 'grep open' in the trace file, looking for unexpected reads of
certificate chain files.

To get closer to your config, I just built Postfix 3.4.12, against
OpenSSL 1.1.1, which also works:

    # postfix start
    postfix/postfix-script: starting the Postfix mail system

    # openssl s_client -CAfile rootcert.pem -servername mx1.example.com -starttls smtp -connect localhost:25 -brief
    CONNECTION ESTABLISHED
    Protocol version: TLSv1.3
    Ciphersuite: TLS_AES_256_GCM_SHA384
    Peer certificate: CN = mx1.example.com
    Hash used: SHA256
    Signature type: RSA-PSS
    Verification: OK
    Server Temp Key: X25519, 253 bits
    250 CHUNKING
    quit
    221 2.0.0 Bye

    # openssl s_client -CAfile rootcert.pem -servername mx2.example.com -starttls smtp -connect localhost:25 -brief
    CONNECTION ESTABLISHED
    Protocol version: TLSv1.3
    Ciphersuite: TLS_AES_256_GCM_SHA384
    Peer certificate: CN = mx2.example.com
    Hash used: SHA256
    Signature type: RSA-PSS
    Verification: OK
    Server Temp Key: X25519, 253 bits
    250 CHUNKING
    quit
    221 2.0.0 Bye

    # openssl s_client -CAfile rootcert.pem -servername mx1.example.com -starttls smtp -connect localhost:25 -brief
    CONNECTION ESTABLISHED
    Protocol version: TLSv1.3
    Ciphersuite: TLS_AES_256_GCM_SHA384
    Peer certificate: CN = mx1.example.com
    Hash used: SHA256
    Signature type: RSA-PSS
    Verification: OK
    Server Temp Key: X25519, 253 bits
    250 CHUNKING
    quit
    221 2.0.0 Bye

    # openssl s_client -CAfile rootcert.pem -servername mx2.example.com -starttls smtp -connect localhost:25 -brief
    CONNECTION ESTABLISHED
    Protocol version: TLSv1.3
    Ciphersuite: TLS_AES_256_GCM_SHA384
    Peer certificate: CN = mx2.example.com
    Hash used: SHA256
    Signature type: RSA-PSS
    Verification: OK
    Server Temp Key: X25519, 253 bits
    250 CHUNKING
    quit
    221 2.0.0 Bye

    # cat ../log/maillog
    Jun 09 15:35:23 vpro postfix/postfix-script[2294]: starting the Postfix mail system
    Jun 09 15:35:23 vpro postfix/master[2296]: daemon started -- version 3.4.12, configuration /var/tmp/postfix/etc
    Jun 09 15:35:28 vpro postfix/smtpd[2301]: connect from localhost[127.0.0.1]
    Jun 09 15:35:28 vpro postfix/smtpd[2301]: Anonymous TLS connection established from localhost[127.0.0.1] to mx1.example.com: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
    Jun 09 15:35:30 vpro postfix/smtpd[2301]: disconnect from localhost[127.0.0.1] ehlo=1 starttls=1 quit=1 commands=3
    Jun 09 15:35:31 vpro postfix/smtpd[2301]: connect from localhost[127.0.0.1]
    Jun 09 15:35:31 vpro postfix/smtpd[2301]: Anonymous TLS connection established from localhost[127.0.0.1] to mx2.example.com: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
    Jun 09 15:35:33 vpro postfix/smtpd[2301]: disconnect from localhost[127.0.0.1] ehlo=1 starttls=1 quit=1 commands=3
    Jun 09 15:35:34 vpro postfix/smtpd[2301]: connect from localhost[127.0.0.1]
    Jun 09 15:35:34 vpro postfix/smtpd[2301]: Anonymous TLS connection established from localhost[127.0.0.1] to mx1.example.com: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
    Jun 09 15:35:35 vpro postfix/smtpd[2301]: disconnect from localhost[127.0.0.1] ehlo=1 starttls=1 quit=1 commands=3
    Jun 09 15:35:37 vpro postfix/smtpd[2301]: connect from localhost[127.0.0.1]
    Jun 09 15:35:37 vpro postfix/smtpd[2301]: Anonymous TLS connection established from localhost[127.0.0.1] to mx2.example.com: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
    Jun 09 15:35:38 vpro postfix/smtpd[2301]: disconnect from localhost[127.0.0.1] ehlo=1 starttls=1 quit=1 commands=3

The main.cf file is the stock one I get from an install from source
plus:

    inet_interfaces = loopback-only

    local_recipient_maps =
    mydestination =
    alias_database =
    alias_maps = $alias_database
    local_transport = error:5.1.2:Mailbox unavailable

    smtpd_tls_loglevel = 1
    smtpd_tls_security_level = may
    smtpd_tls_chain_files =
            ${config_directory}/ee1pkey.pem
            ${config_directory}/ee1cert.pem
            ${config_directory}/cacert.pem

    tls_server_sni_maps = hash:${config_directory}/sni
    maillog_file = /var/tmp/postfix/log/maillog

My laptop OpenSSL dev library is a slightly dated 1.1.1c snapshot:

    # postconf -T compile-version
    OpenSSL 1.1.1c-dev  xx XXX xxxx
    # postconf -T run-version
    OpenSSL 1.1.1c-dev  xx XXX xxxx

but that won't differ materially from 1.1.1g, also a stock upstream
(from OpenSSL.org) openssl.cnf file, no Debian special-sauce.

-- 
    Viktor.
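The two checks Viktor describes above (confirming which certificate smtpd serves per SNI name, and grepping the strace output for unexpected certificate file reads) as an added shell example; this is not code from the thread, and it assumes rootcert.pem as the trust anchor and a Postfix smtpd on localhost:25 exactly as in the message.

```shell
#!/bin/sh
# Added example (not Viktor's code): a small SNI checker and strace-log filter
# for the debugging steps in the message above. Assumes rootcert.pem is the
# local trust anchor and the Postfix smtpd listens on localhost:25, as in the post.

# Read one "openssl s_client -brief" transcript from stdin and confirm that the
# presented certificate CN equals the SNI name we asked for and that chain
# verification succeeded. Returns 0 on success, 1 on CN mismatch, 2 otherwise.
check_brief_output() {
    name="$1"
    out=$(cat)
    cn=$(printf '%s\n' "$out" | sed -n 's/^ *Peer certificate: CN = //p' | head -n 1)
    verify=$(printf '%s\n' "$out" | sed -n 's/^ *Verification: //p' | head -n 1)
    if [ "$verify" != "OK" ]; then
        echo "$name: verification failed (${verify:-no result})" >&2
        return 2
    fi
    if [ "$cn" != "$name" ]; then
        echo "$name: server presented CN=$cn instead" >&2
        return 1
    fi
    echo "$name: ok (CN=$cn)"
}

# Live check: connect once per SNI name given on the command line.
# s_client -brief reports on stderr, hence the 2>&1.
check_sni() {
    rc=0
    for name in "$@"; do
        printf 'quit\n' | openssl s_client -CAfile rootcert.pem -servername "$name" \
            -starttls smtp -connect localhost:25 -brief 2>&1 \
            | check_brief_output "$name" || rc=1
    done
    return "$rc"
}

# Given an strace log written via debugger_command, list every certificate,
# key or OpenSSL config file the smtpd opened, so an unexpected default chain
# file stands out next to the configured smtpd_tls_chain_files.
cert_files_opened() {
    sed -n -E 's/.*open(at)?\([^"]*"([^"]*)".*/\2/p' "$1" \
        | grep -E '\.(pem|crt|cer|key|cnf)$' | sort -u
}

# Usage when run directly, e.g.:  ./sni-check.sh mx1.example.com mx2.example.com
if [ "$#" -gt 0 ]; then check_sni "$@"; fi
```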
