** Description changed:

+ [SRU]
+ 
+ [Impact]
+ 
+  If posttls-finger is not used within /var/spool/postfix, the
+ private/tlsmgr socket is not found and TLS is disabled.
+ 
+ [Test Plan]
+ 
+  This behaviour has been seen in Focal, Hirsute (also in Impish).
+ 
+  To test the bad response, run posttls-finger mx.dmz.tait.net.nz outside
+ the /var/spool/postfix folder:
+ 
+  root@focal::/home/ubuntu# posttls-finger mx.dmz.tait.net.nz
+  posttls-finger: warning: connect to private/tlsmgr: No such file or directory
+  posttls-finger: warning: connect to private/tlsmgr: No such file or directory
+  posttls-finger: warning: problem talking to server private/tlsmgr: No such file or directory
+  posttls-finger: warning: no entropy for TLS key generation: disabling TLS support
+  posttls-finger: Connected to mx.dmz.tait.net.nz[114.23.142.178]:25
+  posttls-finger: < 220 mx.tait.net.nz ESMTP Postfix (Ubuntu)
+  posttls-finger: > EHLO impish-squid-postfix.lxd
+  posttls-finger: < 250-mx.tait.net.nz
+  posttls-finger: < 250-PIPELINING
+  posttls-finger: < 250-SIZE 20480000
+  posttls-finger: < 250-STARTTLS
+  posttls-finger: < 250-ENHANCEDSTATUSCODES
+  posttls-finger: < 250-8BITMIME
+  posttls-finger: < 250-SMTPUTF8
+  posttls-finger: < 250 CHUNKING
+  posttls-finger: > QUIT
+  posttls-finger: < 221 2.0.0 Bye
+ 
+  The good response includes the STARTTLS section, and the warning messages
+ do not appear.
+ 
+ [Where problems could occur]
+ 
+  It can affect other global variables/functions reallocated in the
+ shared library, so unexpected behaviour can arise for other postfix
+ tools using the shared libraries that the package provides (in the sense
+ of not-yet-discovered bugs).
+ 
+ [Other Info]
+  
+  Reported upstream at https://marc.info/?l=postfix-users&m=163094641524790&w=2 .
+ 
+ [Original Report]
+ ---
+ 
  When running posttls-finger on focal, it attempts to connect to
  private/tlsmgr, and unless the program is being run from
  /var/spool/postfix as root, this fails and posttls-finger disables TLS
  in the subsequent connection that it makes to the specified SMTP server.
  
  If the user doesn't notice the "disabling TLS support" message in the
  output, they might infer that the test has successfully verified their
  TLS configuration, when in fact all it has verified is that it can
  connect to the SMTP server without TLS.
  
  The following command shows the problem:
  
  root@maimbo:/# posttls-finger mx.dmz.tait.net.nz
  posttls-finger: warning: connect to private/tlsmgr: No such file or directory
  posttls-finger: warning: connect to private/tlsmgr: No such file or directory
  posttls-finger: warning: problem talking to server private/tlsmgr: No such file or directory
  posttls-finger: warning: no entropy for TLS key generation: disabling TLS support
  posttls-finger: using DANE RR: _25._tcp.mx.dmz.tait.net.nz -> mx.dane.tait.net.nz IN TLSA 3 1 1 19:D6:84:A7:45:FF:A1:46:0E:09:1B:10:CE:B8:4D:68:BF:EA:A9:C4:EA:51:2D:0F:30:A4:1D:D4:41:DE:0F:AC
  posttls-finger: Connected to mx.dmz.tait.net.nz[192.168.20.196]:25
  posttls-finger: < 220 mx.tait.net.nz ESMTP Postfix (Ubuntu)
  posttls-finger: > EHLO maimbo.tait.net.nz
  posttls-finger: < 250-mx.tait.net.nz
  posttls-finger: < 250-PIPELINING
  posttls-finger: < 250-SIZE 20480000
  posttls-finger: < 250-ETRN
  posttls-finger: < 250-STARTTLS
  posttls-finger: < 250-ENHANCEDSTATUSCODES
  posttls-finger: < 250-8BITMIME
  posttls-finger: < 250-DSN
  posttls-finger: < 250 SMTPUTF8
  posttls-finger: > QUIT
  posttls-finger: < 221 2.0.0 Bye
  
  In contrast, if the same command is run from /var/spool/postfix as root,
  the output is as follows:
  
  root@maimbo:/var/spool/postfix# posttls-finger mx.dmz.tait.net.nz
  posttls-finger: using DANE RR: _25._tcp.mx.dmz.tait.net.nz -> mx.dane.tait.net.nz IN TLSA 3 1 1 19:D6:84:A7:45:FF:A1:46:0E:09:1B:10:CE:B8:4D:68:BF:EA:A9:C4:EA:51:2D:0F:30:A4:1D:D4:41:DE:0F:AC
  posttls-finger: Connected to mx.dmz.tait.net.nz[192.168.20.196]:25
  posttls-finger: < 220 mx.tait.net.nz ESMTP Postfix (Ubuntu)
  posttls-finger: > EHLO maimbo.tait.net.nz
  posttls-finger: < 250-mx.tait.net.nz
  posttls-finger: < 250-PIPELINING
  posttls-finger: < 250-SIZE 20480000
  posttls-finger: < 250-ETRN
  posttls-finger: < 250-STARTTLS
  posttls-finger: < 250-ENHANCEDSTATUSCODES
  posttls-finger: < 250-8BITMIME
  posttls-finger: < 250-DSN
  posttls-finger: < 250 SMTPUTF8
  posttls-finger: > STARTTLS
  posttls-finger: < 220 2.0.0 Ready to start TLS
  posttls-finger: mx.dmz.tait.net.nz[192.168.20.196]:25: depth=0 matched end entity public-key sha256 digest=19:D6:84:A7:45:FF:A1:46:0E:09:1B:10:CE:B8:4D:68:BF:EA:A9:C4:EA:51:2D:0F:30:A4:1D:D4:41:DE:0F:AC
  posttls-finger: mx.dmz.tait.net.nz[192.168.20.196]:25: subjectAltName: mx.tait.net.nz
  posttls-finger: mx.dmz.tait.net.nz[192.168.20.196]:25 CommonName mx.tait.net.nz
  posttls-finger: mx.dmz.tait.net.nz[192.168.20.196]:25: subject_CN=mx.tait.net.nz, issuer_CN=Nick's Domain CA, fingerprint=FD:88:18:3D:9D:33:4C:0B:B8:F9:E8:64:4B:23:D6:05:F1:DB:8D:21, pkey_fingerprint=03:6B:E4:D3:73:82:D5:B4:EB:98:96:BB:56:77:A2:48:C2:73:A0:03
  posttls-finger: Verified TLS connection established to mx.dmz.tait.net.nz[192.168.20.196]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
  posttls-finger: > EHLO maimbo.tait.net.nz
  posttls-finger: < 250-mx.tait.net.nz
  posttls-finger: < 250-PIPELINING
  posttls-finger: < 250-SIZE 20480000
  posttls-finger: < 250-ETRN
  posttls-finger: < 250-ENHANCEDSTATUSCODES
  posttls-finger: < 250-8BITMIME
  posttls-finger: < 250-DSN
  posttls-finger: < 250 SMTPUTF8
  posttls-finger: > QUIT
  posttls-finger: < 221 2.0.0 Bye
  
  This output, of course, now includes the "Verified TLS connection established..."
  line.
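The risk the report describes is that a run in which posttls-finger printed "disabling TLS support" and continued in plaintext can be skimmed and read as a successful TLS check. The following POSIX shell script is an added example, not part of the bug report or of Postfix: it classifies posttls-finger output so that such a run is reported as a failure, and wraps the workaround the report gives (run as root from the Postfix queue directory). `postconf -h queue_directory` and `posttls-finger` are real Postfix commands; the host, address and abbreviated sample outputs are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the bug report or of Postfix itself.
# posttls-finger prints "disabling TLS support" and carries on in plaintext when
# it cannot reach private/tlsmgr; this wrapper turns that into a hard failure so
# a TLS check cannot be misread as a success.

# Read posttls-finger output on stdin and print exactly one label:
#   disabled  - the client gave up on TLS ("disabling TLS support" warning seen)
#   verified  - "Verified TLS connection established" seen (the line quoted in
#               the good run of the report)
#   plaintext - a session happened but neither line was seen
# The "disabled" test comes first: that run can still show 250-STARTTLS in the
# EHLO reply, which is exactly what misleads a reader skimming the output.
classify_tls_output() {
    out=$(cat)
    case "$out" in
        *"disabling TLS support"*)               echo disabled ;;
        *"Verified TLS connection established"*) echo verified ;;
        *)                                       echo plaintext ;;
    esac
}

# Run posttls-finger for "$1" the way the report's workaround does: as root,
# from the Postfix queue directory, where private/tlsmgr lives. Fails unless
# the output shows a verified TLS connection. Requires a Postfix installation
# (postconf, posttls-finger), so the sample run below does not call it.
check_tls() {
    host=$1
    qdir=$(postconf -h queue_directory) || return 3   # normally /var/spool/postfix
    label=$(cd "$qdir" && posttls-finger "$host" 2>&1 | classify_tls_output)
    printf '%s: %s\n' "$host" "$label"
    [ "$label" = verified ]
}

# Constructed sample outputs (host and address are made up), abbreviated from
# the two runs quoted in the report.
sample_bad_run() {
    printf '%s\n' \
      'posttls-finger: warning: connect to private/tlsmgr: No such file or directory' \
      'posttls-finger: warning: no entropy for TLS key generation: disabling TLS support' \
      'posttls-finger: Connected to mx.example.test[192.0.2.25]:25' \
      'posttls-finger: < 250-STARTTLS' \
      'posttls-finger: > QUIT'
}
sample_good_run() {
    printf '%s\n' \
      'posttls-finger: Connected to mx.example.test[192.0.2.25]:25' \
      'posttls-finger: > STARTTLS' \
      'posttls-finger: < 220 2.0.0 Ready to start TLS' \
      'posttls-finger: Verified TLS connection established to mx.example.test[192.0.2.25]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)' \
      'posttls-finger: > QUIT'
}

# Sample run against the constructed outputs; prints
#   sample_bad_run -> disabled
#   sample_good_run -> verified
for run in sample_bad_run sample_good_run; do
    printf '%s -> %s\n' "$run" "$("$run" | classify_tls_output)"
done
```

On a host with Postfix installed, `check_tls mx.example.test` (run as root) exits 0 only when the output contains the "Verified TLS connection established" line, so it can be used from a monitoring job instead of eyeballing the transcript; a missing private/tlsmgr socket then shows up as `disabled` rather than as a passed check.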

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1885403

Title:
  posttls-finger fails to connect to private/tlsmgr

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/1885403/+subscriptions


-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
