In terms of version comparison (call the example not in /var/spool/postfix to have tls support) is:
Ubuntu:
bionic   3.3.0-1ubuntu0.4    working
focal    3.4.13-0ubuntu1.1   failing
hirsute  3.5.6-1             failing
impish   3.5.6-1ubuntu1      failing

Fedora:
32       2:3.5.10-2.fc34     working
34       2:3.5.10-2.fc34     working

So there is also a chance to do good/bad comparison with different code levels running outside of /var/spool/postfix and see where their behavior starts to differ.

Since https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/1868955/comments/21 was around tlsmgr being a red herring and later about some flags one might want to rebuild these other postfix versions into e.g. Focal.
There the question is "if bionic is rebuilt for focal does it work still" or vice versa "if focal's postfix is rebuilt for bionic does it then work".
If it does it might indicate that here again some other part of the configuration might be responsible and that the herring that is "private/tlsmgr" has again got us.

P.S. even if it is a red herring it annoys me

TL;DR there are many things to prove before we can even be sure which direction this should be approached.

In that mindset I was forcing the postfix of bionic into focal the most ugly (not recommended) way to see how it would behave.

$ wget https://launchpad.net/ubuntu/+source/postfix/3.3.0-1ubuntu0.4/+build/21989327/+files/postfix_3.3.0-1ubuntu0.4_amd64.deb
$ dpkg -x postfix_3.3.0-1ubuntu0.4_amd64.deb postfix_3.3.0-1ubuntu0.4_amd64
$ wget https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/18845669/+files/libicu60_60.2-3ubuntu3.1_amd64.deb
$ dpkg -x libicu60_60.2-3ubuntu3.1_amd64.deb libicu60_60.2-3ubuntu3.1_amd64
$ cd postfix_3.3.0-1ubuntu0.4_amd64/
$ export LD_LIBRARY_PATH="/root/postfix_3.3.0-1ubuntu0.4_amd64/usr/lib/postfix/:/root/libicu60_60.2-3ubuntu3.1_amd64/usr/lib/x86_64-linux-gnu/:$LD_LIBRARY_PATH"
$ usr/sbin/posttls-finger mx.dmz.tait.net.nz

And I can confirm the bionic code executed as-is in the otherwise failing focal environment does work.
Thereby this case might not (again) be some missing flag in the other bits of the setup. But we might have something better to compare here.

root@f:~/postfix_3.3.0-1ubuntu0.4_amd64# usr/sbin/posttls-finger mx.dmz.tait.net.nz
posttls-finger: Connected to mx.dmz.tait.net.nz[114.23.142.178]:25
posttls-finger: < 220 mx.tait.net.nz ESMTP Postfix (Ubuntu)
posttls-finger: > EHLO f.lxd
posttls-finger: < 250-mx.tait.net.nz
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 20480000
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250 SMTPUTF8
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: mx.dmz.tait.net.nz[114.23.142.178]:25: subjectAltName: mx.tait.net.nz
posttls-finger: mx.dmz.tait.net.nz[114.23.142.178]:25 CommonName mx.tait.net.nz
posttls-finger: certificate verification failed for mx.dmz.tait.net.nz[114.23.142.178]:25: untrusted issuer /CN=Nick's Domain CA
posttls-finger: mx.dmz.tait.net.nz[114.23.142.178]:25: subject_CN=mx.tait.net.nz, issuer_CN=Nick's Domain CA, fingerprint=FD:88:18:3D:9D:33:4C:0B:B8:F9:E8:64:4B:23:D6:05:F1:DB:8D:21, pkey_fingerprint=03:6B:E4:D3:73:82:D5:B4:EB:98:96:BB:56:77:A2:48:C2:73:A0:03
posttls-finger: Untrusted TLS connection established to mx.dmz.tait.net.nz[114.23.142.178]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
posttls-finger: > EHLO f.lxd
posttls-finger: < 250-mx.tait.net.nz
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 20480000
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250 SMTPUTF8
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye

Next I cloned https://github.com/vdukhovni/postfix.git (and got apt build-dep postfix) and tried to see how posttls-finger from git behaves comparing 3.3.0 to later versions.
Can be built like this:
$ make AUXLIBS="-lssl -lcrypto -lpthread" CCARGS="-DDEBIAN -DHAS_SSL -I/usr/include/openssl" pie=yes

3.6.5
build worked => Behaves like our package
- from the build dir /root/postfix/postfix it fails the same way
  - ./bin/posttls-finger mx.dmz.tait.net.nz
- problem - it still doesn't work in /var/spool/postfix when called like
  /root/postfix/postfix/bin/posttls-finger mx.dmz.tait.net.nz
  - but that might be a mismatch.

3.3.0
Unfortunately older versions complain about the kernel being too new - needs some patching to build for this debugging.
For now in makedefs change in line 503
  Linux.3*) SYSTYPE=LINUX3
to
  Linux.5*) SYSTYPE=LINUX3

But even 3.3.0 in this case behaves like the new code. But then I might have forced its build too much.

If we take back a step, debugging in gdb through Bionic vs Focal builds might be a good start. I'd recommend building them both with -O0 on focal.
As I've shown above extracting the bionic version works on focal and gives a good result. If rebuilding it breaks it that is an insight, and if rebuilding works then we'd have a good/bad case to compare in the very same focal environment that fails for the native postfix that is there.

--
https://bugs.launchpad.net/bugs/1885403

Title:
  posttls-finger fails to connect to private/tlsmgr
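
Added example, not part of the original comment or of Postfix: a small helper for the good/bad comparison proposed above. It reduces a saved posttls-finger transcript to a few key=value facts so that runs from different builds can be compared directly. The function names are hypothetical, and the parsing assumes the line formats shown in the transcript quoted above.

```sh
#!/bin/sh
# Constructed input: lines copied from the working transcript quoted above.
sample_transcript() {
cat <<'EOF'
posttls-finger: Connected to mx.dmz.tait.net.nz[114.23.142.178]:25
posttls-finger: < 250-STARTTLS
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: certificate verification failed for mx.dmz.tait.net.nz[114.23.142.178]:25: untrusted issuer /CN=Nick's Domain CA
posttls-finger: Untrusted TLS connection established to mx.dmz.tait.net.nz[114.23.142.178]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
posttls-finger: < 221 2.0.0 Bye
EOF
}

# summarize_tls: read a transcript on stdin, print one key=value line per fact.
summarize_tls() {
    awk '
    / < 250[- ]STARTTLS/          { offered = "yes" }
    / < 220 .*Ready to start TLS/ { accepted = "yes" }
    /certificate verification failed for / {
        reason = $0
        sub(/^.*certificate verification failed for [^ ]+: /, "", reason)
    }
    / TLS connection established to / {
        trust = $2                      # first word after the program name
        for (i = 3; i < NF; i++)
            if ($i == "cipher") { proto = $(i - 2); cipher = $(i + 1) }
    }
    END {
        print "starttls_offered="  (offered  ? offered  : "no")
        print "starttls_accepted=" (accepted ? accepted : "no")
        print "trust="             (trust    ? trust    : "none")
        print "protocol="          (proto    ? proto    : "none")
        print "cipher="            (cipher   ? cipher   : "none")
        print "verify_error="      (reason   ? reason   : "none")
    }'
}

# compare_runs GOOD BAD: compare the summaries of two saved transcripts.
# Exit status 0 means both runs reached the same TLS outcome.
compare_runs() {
    a=$(summarize_tls < "$1") && b=$(summarize_tls < "$2") || return 2
    [ "$a" = "$b" ] && return 0
    printf '%s\n' "--- $1" "$a" "--- $2" "$b"
    return 1
}

sample_transcript | summarize_tls
```

Save the output of each build's posttls-finger run to a file and pass the two files to compare_runs; a run that never reaches the TLS handshake shows trust=none.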
