flat down postfix to simple local sendmail forwarder


flat down postfix to simple local sendmail forwarder

Matt Wong
Ok, so the title isn't really helpful, so I'll try to explain it:

I want to use Apache James as my primary MTA (please don't ask why -
just take it as given). Major issue: James doesn't have a local sendmail
command replacement. So I've looked up the Apache James docs, which are
heavily outdated. Also, I'm running openSUSE 15.0, which uses full
Postfix instead of sendmail.

Unfortunately, I couldn't find any way to disable the SMTP server but
keep the rest of Postfix running so it will take mail from the sendmail
command and process its queue. All Google gives is how to stop Postfix
completely, but I only want it to not run the local SMTP server and
otherwise process the queue of mail dropped in via sendmail from Apache
or cron.

What Postfix should do: forward all collected messages to the locally
running James MTA so it handles delivery instead. Also, it should
deliver local mail for users - like from cron - so I receive cron
messages not as local mbox mail but forwarded to James, where I can
easily get them with IMAP.

I tried it with sendmail instead - but it can't even be easily installed
on my chosen distro, and most information found redirects to Postfix or
Exim. So it's not really helpful to give the big G a try, as it only
gets you the not-useful "systemctl stop postfix" - which isn't what I
want.

I also tried to look at this very long doc listing all conf options -
but didn't find any flag to just disable smtpd, or options to tell
Postfix to forward anything to the locally running SMTP server (which is
provided by James). I tried to alter the service file to remove the flag
for TCP listening - but somehow Postfix doesn't care if the flag is
present or not - it always runs smtpd - which I just don't want - but I
want Postfix to receive mail dropped in by sendmail or postdrop and just
forward it to smtp://127.0.0.1:25/.

Neither sendmail configs nor Postfix configs provide such options - but
there's also no simple drop-in sendmail replacement offering this
behaviour to use it with another MTA.

Matt

Re: flat down postfix to simple local sendmail forwarder

Noel Jones-2
On 1/23/2019 1:47 PM, Matt Wong wrote:
> Ok, so the title isn't really helpful, so I'll try to explain it:
>
> I want to use Apache James as my primary MTA (please don't ask why -
> just take it as given). Major issue: James doesn't have a local
> sendmail command replacement. So I've looked up the Apache James
> docs, which are heavily outdated. Also, I'm running openSUSE 15.0,
> which uses full Postfix instead of sendmail.

To disable smtpd, comment out the smtpd service in master.cf. To
have postfix forward all mail to a specific SMTP server, set the
relayhost parameter.


If you're just looking for a replacement for the sendmail command
that can forward to a local SMTP server, the mini_sendmail program
is probably just what you need.
https://acme.com/software/mini_sendmail/
Packages are available for most systems.



  -- Noel Jones

Re: flat down postfix to simple local sendmail forwarder

Matt Wong
Hi Noel Jones,

sadly, this didn't do the trick. I can change /etc/postfix/master.cf and
call postfix reload - then smtpd shuts down and James is able to start
its SMTP server. Strangely, when using systemctl restart postfix,
master.cf is rebuilt from /etc/sysconfig/postfix - smtpd is re-enabled
and re-started - or at least it tries; when James is running it fails as
tcp/25 is in use. So, I need to add some option in
/etc/sysconfig/postfix so that when master.cf is rebuilt smtpd is not
re-enabled by default. That's my first issue.

Second issue: even if I set relayhost to [127.0.0.1]:25, when using
mail() in PHP in Apache, Postfix doesn't even try to connect to James.
It's in the logs that Postfix got the mail from Apache, but it seems
nothing happens after this. Is there something else I have to set?

Thanks in advance,

Matt Wong



Re: flat down postfix to simple local sendmail forwarder

Noel Jones-2
On 1/24/2019 3:12 PM, Matt Wong wrote:

> Hi Noel Jones,
>
> sadly, this didn't do the trick. I can change /etc/postfix/master.cf
> and call postfix reload - then smtpd shuts down and James is able to
> start its SMTP server. Strangely, when using systemctl restart
> postfix, master.cf is rebuilt from /etc/sysconfig/postfix - smtpd is
> re-enabled and re-started - or at least it tries; when James is
> running it fails as tcp/25 is in use. So, I need to add some option
> in /etc/sysconfig/postfix so that when master.cf is rebuilt smtpd is
> not re-enabled by default. That's my first issue.

Brain-dead systems that reconfigure your settings are not supported
here.  Check with your system vendor.

>
> Second issue: even if I set relayhost to [127.0.0.1]:25, when using
> mail() in PHP in Apache, Postfix doesn't even try to connect to
> James. It's in the logs that Postfix got the mail from Apache, but
> it seems nothing happens after this. Is there something else I have
> to set?

Nothing else is necessary, assuming other settings haven't been set
to brain-dead values.

Good luck.


You should really look into mini-sendmail or some other command-line
SMTP tool.


  -- Noel Jones



Re: flat down postfix to simple local sendmail forwarder

Matt Wong
Well, I'll give mini-smtp a try now - let's see if this fits my purposes
better.

About the brain-dead system: isn't it supposed that the config tool,
which, correct me if I'm wrong, belongs to Postfix itself, is run at its
start-up? Also, if config.postfix generates master.cf from sysconfig -
shouldn't there be an option in sysconfig to tell config.postfix not to
enable smtpd? Looks like an error on Postfix's side to me, not the
distribution's fault.

About relayhost: if setting relayhost to [127.0.0.1]:25 should do the
trick, but doesn't, which other configs could prevent processing the
mail queue, connecting to the SMTP server and dropping it there? Couldn't
find any, and I'm not good enough with anything other than Java to dig
through the source myself to find the issue.

It all comes back down to: couldn't find any config options that provide
the desired behaviour or could be the reason for what's happening. So, my
guess is Postfix just doesn't fit my needs.

Thanks anyways,

Matt



Re: flat down postfix to simple local sendmail forwarder

Scott Kitterman-4
On Thursday, January 24, 2019 11:09:25 PM Matt Wong wrote:

> Well, I'll give mini-smtp a try now - let's see if this fits my purposes
> better.
>
> About the brain-dead system: isn't it supposed that the config tool,
> which, correct me if I'm wrong, belongs to Postfix itself, is run at its
> start-up? Also, if config.postfix generates master.cf from sysconfig -
> shouldn't there be an option in sysconfig to tell config.postfix not to
> enable smtpd? Looks like an error on Postfix's side to me, not the
> distribution's fault.
>
> About relayhost: if setting relayhost to [127.0.0.1]:25 should do the
> trick, but doesn't, which other configs could prevent processing the
> mail queue, connecting to the SMTP server and dropping it there? Couldn't
> find any, and I'm not good enough with anything other than Java to dig
> through the source myself to find the issue.
>
> It all comes back down to: couldn't find any config options that provide
> the desired behaviour or could be the reason for what's happening. So, my
> guess is Postfix just doesn't fit my needs.

The problem you're having with sysconfig isn't part of the upstream postfix
distribution (and thus can't be supported here).  You need to consult your
distro support resources to resolve issues with it.

You demonstrated that, as shipped, postfix solves your use case just fine.  
It's the distro 'improvements' that are the problem.  You shouldn't expect an
upstream list to know how to solve those problems.  I'm the Debian postfix
maintainer and part of why I'm on this list is to help with our distro
specific issues.

Scott K

Re: flat down postfix to simple local sendmail forwarder

Matt Wong
*cut out rage about linux*

Well, I got a bit further: when listing mailq, Postfix complains about
"127.0.0.1 loop back to myself".
https://james.apache.org/server/james_and_sendmail.html mentions
something like this and how sendmail once had to be told "yeah, don't
worry, I know what I'm doing" - is there some setting in Postfix to tell
it: "hey dude, I know the relay I set looks like yourself - but trust
me, I'm sure I know what I'm doing - just relay to smtp://127.0.0.1:25"?

About mini_sendmail - no luck so far, as it seems there's no "easy way"
to get it running on openSUSE ... still on it.

Matt



Re: flat down postfix to simple local sendmail forwarder

Noel Jones-2
On 1/24/2019 4:09 PM, Matt Wong wrote:
> Well, I'll give mini-smtp a try now - let's see if this fits my
> purposes better.
>
> About the brain-dead system: isn't it supposed that the config tool,
> which, correct me if I'm wrong, belongs to Postfix itself, is run at
> its start-up? Also, if config.postfix generates master.cf from
> sysconfig - shouldn't there be an option in sysconfig to tell
> config.postfix not to enable smtpd? Looks like an error on Postfix's
> side to me, not the distribution's fault.

That config-tool and the stuff in sysconfig is not part of postfix,
and is apparently supplied by your vendor.

We are unable to support it here.


>
> About relayhost: if setting relayhost to [127.0.0.1]:25 should do
> the trick, but doesn't, which other configs could prevent processing
> the mail queue, connecting to the SMTP server and dropping it there?
> Couldn't find any, and I'm not good enough with anything other than
> Java to dig through the source myself to find the issue.
>
> It all comes back down to: couldn't find any config options that
> provide the desired behaviour or could be the reason for what's
> happening. So, my guess is Postfix just doesn't fit my needs.

Postfix has 900+ configuration parameters, the overwhelming majority of
which have sensible defaults and will never need to be changed.  The
Postfix documentation gives helpful hints on what should be changed
for most installations in the base *supplied by Postfix* main.cf and
master.cf.

"postconf -nf" shows the current settings in main.cf; the hundreds
of values still at their default are not shown.

"postconf -Mf" shows current settings in master.cf

Official documentation can be found at:
http://www.postfix.org/documentation.html
There are dozens of third-party how-to's on the internet; try to
ignore them.

You may find particularly helpful:
http://www.postfix.org/BASIC_CONFIGURATION_README.html
http://www.postfix.org/STANDARD_CONFIGURATION_README.html
http://www.postfix.org/STANDARD_CONFIGURATION_README.html#null_client




  -- Noel Jones






Re: flat down postfix to simple local sendmail forwarder

Noel Jones-2
On 1/24/2019 4:54 PM, Matt Wong wrote:

> Well, I got a bit further: When listing mailq postfix complains
> about "127.0.0.1 loop back to myself".

Change the postfix "myhostname" parameter to something other than
what James uses.



  -- Noel Jones

Re: flat down postfix to simple local sendmail forwarder

Viktor Dukhovni
On Thu, Jan 24, 2019 at 05:15:58PM -0600, Noel Jones wrote:

> On 1/24/2019 4:54 PM, Matt Wong wrote:
>
> > Well, I got a bit further: When listing mailq postfix complains
> > about "127.0.0.1 loop back to myself".
>
> Change the postfix "myhostname" parameter to something other than
> what James uses.

While that's necessary, it is typically not sufficient.  One also
needs to make sure that that destination IP address is not listed
in "inet_interfaces".

In this case, an explicit setting of "inet_interfaces" to just the
public IP address of the machine would be required.

    main.cf:
        # Choose a non-loopback interface IP
        #
        inet_interfaces = 192.0.2.1

        # Choose a name that is different from the name used in
        # the SMTP 220 greeting banner or EHLO response of the
        # non-Postfix loopback SMTP service.
        #
        myhostname = mail.example.com

        ...

--
        Viktor.
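The two pieces of advice in this thread add up to a short checklist: Noel's (comment out the smtpd entry in master.cf, set relayhost) and Viktor's (the relayhost address must not be covered by inet_interfaces, and myhostname must differ from the name the loopback server greets with). The script below, added here as an illustration and not code from Postfix or from anyone in the thread, reads main.cf and master.cf text and applies those checks to two constructed configurations. The NIC address list, the peer's greeting name and the gethostname() fallback are passed in as assumptions; the model ignores proxy_interfaces and does not resolve relayhost names.

```python
"""Model of the three checks from this thread for a Postfix box that should
only queue local submissions and hand them to a non-Postfix SMTP server on
127.0.0.1.  Written for this page; it is not Postfix code and ignores
proxy_interfaces and DNS (relayhost names are not resolved)."""
import re

LOOPBACK_ADDRS = {"127.0.0.1", "::1"}


def parse_main_cf(text):
    """'name = value' lines; a line starting with whitespace continues the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            params[last] += " " + raw.strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            last = m.group(1)
            params[last] = m.group(2).strip()
    return params


def enabled_services(master_cf):
    """(name, type, command) for each active master.cf entry.  Commented-out
    entries and indented '-o' continuation lines are skipped."""
    services = []
    for raw in master_cf.splitlines():
        if not raw.strip() or raw.startswith("#") or raw[0].isspace():
            continue
        fields = raw.split()
        if len(fields) >= 8:
            services.append((fields[0], fields[1], fields[7]))
    return services


def parse_relayhost(value):
    """'[127.0.0.1]:25' -> ('127.0.0.1', 25); 'smtp.example.net' -> ('smtp.example.net', 25).
    Brackets suppress the MX lookup; the port defaults to 25."""
    value = value.strip()
    m = (re.match(r"^\[([^\]]+)\](?::(\d+))?$", value)
         or re.match(r"^([^:\[\]\s]+)(?::(\d+))?$", value))
    return (m.group(1), int(m.group(2) or 25)) if m else None


def own_addresses(inet_interfaces, host_addrs):
    """Addresses Postfix treats as its own for the given inet_interfaces value.
    host_addrs is the machine's NIC address list, supplied by the caller
    (the real Postfix enumerates the interfaces itself)."""
    own = set()
    for item in re.split(r"[,\s]+", inet_interfaces.strip()):
        if item == "all":
            own |= set(host_addrs) | LOOPBACK_ADDRS
        elif item == "loopback-only":
            own |= LOOPBACK_ADDRS
        elif item:
            own.add(item)
    return own


def audit(main_cf, master_cf, host_addrs, peer_greeting_name, default_hostname):
    """Return findings; an empty list means the forwarder setup is consistent.
    peer_greeting_name is what the loopback SMTP server announces in its 220
    banner; default_hostname stands in for gethostname() when myhostname is unset."""
    p, findings = parse_main_cf(main_cf), []
    for name, stype, cmd in enabled_services(master_cf):
        if stype == "inet" and cmd == "smtpd":
            findings.append("smtpd listens on %s; comment it out in master.cf" % name)
    relay = parse_relayhost(p.get("relayhost", ""))
    if relay is None:
        findings.append("relayhost is not set; mail would be delivered directly")
    else:
        ifs = p.get("inet_interfaces", "all")
        if relay[0] in own_addresses(ifs, host_addrs):
            findings.append("relayhost %s:%d is one of Postfix's own addresses "
                            "(inet_interfaces = %s): mail would loop back to myself"
                            % (relay[0], relay[1], ifs))
    myhostname = p.get("myhostname", default_hostname)
    if myhostname.lower() == peer_greeting_name.lower():
        findings.append("myhostname %s equals the peer's greeting name" % myhostname)
    return findings


# Constructed sample configurations for this example.
BROKEN_MAIN_CF = "relayhost = [127.0.0.1]:25\n"          # inet_interfaces left at 'all'
BROKEN_MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
pickup    unix  n       -       n       60      1       pickup
"""
FIXED_MAIN_CF = """\
relayhost = [127.0.0.1]:25
inet_interfaces = 192.0.2.1
myhostname = mail.example.com
"""
FIXED_MASTER_CF = """\
#smtp      inet  n       -       n       -       -       smtpd
pickup    unix  n       -       n       60      1       pickup
smtp      unix  -       -       n       -       -       smtp
"""
HOST_ADDRS = ["192.0.2.1"]           # constructed NIC address
PEER_GREETING = "host.example.com"   # constructed: the name James greets with

if __name__ == "__main__":
    for label, mc, ms in (("broken", BROKEN_MAIN_CF, BROKEN_MASTER_CF),
                          ("fixed", FIXED_MAIN_CF, FIXED_MASTER_CF)):
        print(label, audit(mc, ms, HOST_ADDRS, PEER_GREETING, "host.example.com"))
```

Running it prints three findings for the broken configuration and none for the fixed one. On a live system the equivalent edits are `postconf -M# smtp/inet` to comment out the listener and `postconf -e 'relayhost = [127.0.0.1]:25' 'inet_interfaces = 192.0.2.1' 'myhostname = mail.example.com'`, followed by `postfix reload`; as the thread notes, a distribution tool that regenerates master.cf will undo the first of those.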

Re: flat down postfix to simple local sendmail forwarder

Matt Wong
This gets closer - and as far as I tested, it's not the name, but rather
the IP which inet_interfaces is set to. The default seems to be "all" -
which includes the IPs of all interfaces + loopback - and it seems the
error is caused by some quirk that Postfix doesn't want to deliver to
any IP it itself is set to. It doesn't matter if you set interfaces to
loopback and send mail to the NIC IP or vice versa - as long as they
differ.

As I scrolled through the docs - it seems there is no config option to
override this behaviour like "ignore loopback" - so it seems this check
is hardcoded in the source.

I also tried mini_sendmail - but as you have to override sendmail
yourself - it gets overridden by package updates - but I guess this
issue can be said about just any package-based distribution.

Matt



Re: flat down postfix to simple local sendmail forwarder

Scott Kitterman-4
No.  Well designed ones won't do that to you.

Scott K



Postfix vs. OpenSSL on Debian "buster".

Viktor Dukhovni
On Thu, Jan 24, 2019 at 05:19:44PM -0500, Scott Kitterman wrote:

> I'm the Debian postfix
> maintainer and part of why I'm on this list is to help with our distro
> specific issues.

Speaking of "distro-specific issues", I just today came across a
Debian "buster" system where the OpenSSL version is 1.1.1, and the
default /etc/ssl/openssl.cnf file has an ssl module configuration
section:

    # System default
    openssl_conf = default_conf

    [default_conf]
    ssl_conf = ssl_sect

    [ssl_sect]
    system_default = system_default_sect

    [system_default_sect]
    MinProtocol = TLSv1.2
    CipherString = DEFAULT@SECLEVEL=2

While Postfix 3.4, if compiled against OpenSSL 1.1.1b (once that
version is released), will be able to opt out of processing the
system-wide default file, Postfix 3.3 or 3.4 with OpenSSL 1.1.x
prior to 1.1.1b will unconditionally load this configuration.

Fortunately, the rather strict CipherString will have no effect,
since Postfix always overrides the cipherlist.  Still I should note
that in other applications @SECLEVEL=2 yields a 2048-bit floor on
RSA certs, which may be too strict; there's not much evidence of
practical attacks on 1280-bit or 1536-bit certs, and even attacks on
1024-bit RSA are largely speculative.  The other thing to note here
is that the correct syntax is "DEFAULT:@SECLEVEL=2".

The missing ":" works only "by accident", as a side-effect of the
special-case manner in which the "DEFAULT" cipher is implemented.
If the first component were anything other than "DEFAULT" it would
break.

More importantly however, the "MinProtocol" setting will affect
Postfix, and there is as yet no mechanism in Postfix to override
this.  Postfix 3.4 will make it possible to set the "application
name" to "postfix" or similar, and edit the /etc/ssl/openssl.cnf
file to include:

    # System default
    postfix = postfix_conf

    [postfix_conf]
    ssl_conf = postfix_ssl_sect

    [postfix_ssl_sect]
    system_default = postfix_default_sect

    [postfix_default_sect]
    MinProtocol = TLSv1
While MTAs running only SSLv3 are largely behind us, I am less
confident that TLSv1-only systems are gone.  Some users may have
trouble doing TLS with peers that support only TLSv1 or TLSv1.1.
This may be especially important with submission, where various
peripheral devices (fax-to-email, printers, ...) may only support
TLSv1.  So the "buster" system-wide default of TLSv1.2 and up may
cause problems.

--
        Viktor.
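To see what such a file does to a given application, one can follow the section chain the way OpenSSL's ssl_conf module does: the default-section key named after the application (openssl_conf unless the application sets its own name) names a section whose ssl_conf key names a section whose system_default key names the section holding MinProtocol and CipherString. The script below, an added example and not code from OpenSSL, Postfix or anyone in the thread, does that over a constructed openssl.cnf modelled on the layout quoted above, lists which TLS versions the floor refuses, flags the colon-less CipherString spelling, and uses Python's ssl module to confirm that the two spellings select the same cipher list on the local OpenSSL. The per-application key `postfix` and the contents of its sections are assumptions for the illustration.

```python
"""Resolve the openssl.cnf chain (app key -> ssl_conf -> system_default) and
report the protocol floor and cipher-string spelling it imposes on an
application.  Written for this page, not OpenSSL or Postfix code; SAMPLE_CNF
is a constructed file modelled on the Debian layout quoted above."""
import re
import ssl

TLS_VERSIONS = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def parse_openssl_cnf(text):
    """'[name]' sections, 'key = value' lines, '#' comments; keys before the
    first header land in the unnamed default section."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[\s*([^\]]+?)\s*\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        if key.strip():
            sections[current][key.strip()] = value.strip()
    return sections


def resolve_ssl_defaults(sections, app_key="openssl_conf"):
    """Follow app_key -> ssl_conf -> system_default.  Returns that section, or
    None when a link is missing (a dangling section name ends up here too)."""
    top = sections["default"].get(app_key)
    ssl_sect = sections.get(top, {}).get("ssl_conf") if top else None
    sysdef = sections.get(ssl_sect, {}).get("system_default") if ssl_sect else None
    return dict(sections[sysdef]) if sysdef in sections else None


def refused_versions(min_protocol):
    """TLS versions a peer is refused under MinProtocol; unknown value -> []."""
    if min_protocol not in TLS_VERSIONS:
        return []
    return TLS_VERSIONS[:TLS_VERSIONS.index(min_protocol)]


def cipher_string_warnings(cs):
    """'DEFAULT@SECLEVEL=n' only parses because OpenSSL strips a leading
    'DEFAULT' and then reads the remainder as its own rule string."""
    if re.match(r"^DEFAULT@SECLEVEL=\d$", cs):
        return ["missing ':' before @SECLEVEL; write %s" % cs.replace("@", ":@", 1)]
    return []


def cipher_names(cs):
    """Suites the local OpenSSL enables for cs, or None if it rejects the string."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.set_ciphers(cs)
        return sorted(c["name"] for c in ctx.get_ciphers())
    except ssl.SSLError:
        return None


def report(cnf_text, app_key="openssl_conf"):
    """What the file imposes on the application that loads section app_key."""
    defaults = resolve_ssl_defaults(parse_openssl_cnf(cnf_text), app_key)
    if defaults is None:
        return {"resolved": False}
    cs = defaults.get("CipherString", "")
    return {"resolved": True,
            "min_protocol": defaults.get("MinProtocol"),
            "refused_peers": refused_versions(defaults.get("MinProtocol", "")),
            "cipher_string": cs,
            "warnings": cipher_string_warnings(cs)}


SAMPLE_CNF = """\
# constructed sample: the system-wide section plus a per-application one
openssl_conf = default_conf
postfix = postfix_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
[postfix_conf]
ssl_conf = postfix_ssl_sect
[postfix_ssl_sect]
system_default = postfix_default_sect
[postfix_default_sect]
MinProtocol = TLSv1
"""

if __name__ == "__main__":
    for key in ("openssl_conf", "postfix"):
        print(key, report(SAMPLE_CNF, key))
    print("same cipher list:",
          cipher_names("DEFAULT@SECLEVEL=2") == cipher_names("DEFAULT:@SECLEVEL=2"))
```

The system-wide chain resolves to a TLSv1.2 floor that refuses TLSv1 and TLSv1.1 peers (the fax and printer case above), while the per-application chain for `postfix` lowers the floor to TLSv1 and carries no CipherString of its own.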

Re: Postfix vs. OpenSSL on Debian "buster".

@lbutlr
On 24 Jan 2019, at 18:07, Viktor Dukhovni wrote:
> This may be especially important with submission, where various
> peripheral devices (fax-to-email, printers, ...) may only support
> TLSv1.  So the "buster" system-wide default of TLSv1.2 and up may
> cause problems.

The least likely to be patched, most likely to be hacked mail clients. Hmmm.


--
'The trouble with my friend here is that he doesn't know the difference
between a postulate and a metaphor of human existence. Or a hole in the
ground.' --Pyramids