mta-sts service, running, but how do see this?


mta-sts service, running, but how do see this?

Maurizio Caloro-2

Hello everyone,

I installed the postfix-mta-sts service, and as far as I can see it is running now,
but how can I check whether this service is up and running correctly?

After watching mail.log I don't see anything more than usual.

main.cf

smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix
smtpd_tls_key_file   = /etc/letsencrypt/live/nmail.caloro.ch/privkey.pem
smtpd_tls_cert_file  = /etc/letsencrypt/live/nmail.caloro.ch/fullchain.pem

root@r:/lib/systemd/system# netstat -an | grep 8461
tcp        0      0 127.0.0.1:8461          0.0.0.0:*               LISTEN

root@r :/# systemctl status postfix-mta-sts
  postfix-mta-sts.service - Postfix MTA STS daemon
   Loaded: loaded (/lib/systemd/system/postfix-mta-sts.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2020-10-02 11:10:34 CEST; 20min ago
Main PID: 26294 (mta-sts-daemon)
    Tasks: 2 (limit: 4915)
   CGroup: /system.slice/postfix-mta-sts.service
           └─26294 /usr/bin/python3 /usr/local/bin/mta-sts-daemon --config /etc/mta-sts-daemon.yml

Oct 02 11:10:34 nmail.caloro.ch mta-sts-daemon[26294]: 2020-10-02 11:10:34 INFO MAIN: MTA-STS daemon starting...
Oct 02 11:10:34 nmail.caloro.ch mta-sts-daemon[26294]: 2020-10-02 11:10:34 INFO MAIN: Starting eventloop...
Oct 02 11:10:34 nmail.caloro.ch mta-sts-daemon[26294]: 2020-10-02 11:10:34 INFO MAIN: uvloop is not available. Falling back to built-in event loop.
Oct 02 11:10:34 nmail.caloro.ch mta-sts-daemon[26294]: 2020-10-02 11:10:34 INFO MAIN: Eventloop started.
Oct 02 11:10:34 nmail.caloro.ch mta-sts-daemon[26294]: 2020-10-02 11:10:34 INFO MAIN: Server started.
Oct 02 11:10:34 nmail.caloro.ch mta-sts-daemon[26294]: 2020-10-02 11:10:34 INFO MAIN: Proactive policy fetcher started.
Oct 02 11:10:34 nmail.caloro.ch systemd[1]: Started Postfix MTA STS daemon.
Oct 02 11:10:35 nmail.caloro.ch mta-sts-daemon[26294]: 2020-10-02 11:10:35 INFO PF: Proactive policy fetching for all domains in cache started...
Oct 02 11:10:35 nmail.caloro.ch mta-sts-daemon[26294]: 2020-10-02 11:10:35 INFO PF: Proactive policy fetching for all domains in cache finished.
Oct 02 11:15:32 nmail.caloro.ch mta-sts-daemon[26294]: 2020-10-02 11:15:32 WARNING STS: Bad netstring message received



Re: mta-sts service, running, but how do see this?

Wietse Venema
Maurizio Caloro:
> Hello together
>
> Installing the postfix-mta-sts service, and on my view this will running
> now,
>
> but how i can check this, if this service are running up and correct?

Where does this postfix-mta-sts service log its activities?

        Wietse

AW: mta-sts service, running, but how do see this?

Maurizio Caloro-2
>> Installing the postfix-mta-sts service, and on my view this will running
>> now, but how i can check this, if this service are running up and
>> correct?

> Where does this postfix-mta-sts service logs its activities?
> Wietse

systemctl restart postfix.service
If everything is done correctly, then for STS connections in the
/var/log/mail.info log instead

root@r:/var/log# cat mail.info | grep mta-sts
root@r:/var/log#


AW: mta-sts service, running, but how do see this?

Maurizio Caloro-2

> systemctl restart postfix.service
> If everything is done correctly, then for STS connections in the
> /var/log/mail.info log instead
>
> root@r:/var/log# cat mail.info | grep mta-sts
> root@r:/var/log#


If I try to send an email to a gmail domain, where gmail supports and
checks MTA-STS, I see log entries like:

main.cf
smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix

mail.info
Oct  2 15:54:27 nmail postfix/qmgr[30484]: D67EF40568: from=<[hidden email]>, size=2403, nrcpt=1 (queue active)
Oct  2 15:54:27 nmail postfix/smtp[30568]: warning: smtp_tls_policy_maps, next-hop destination "gmail.com": invalid attribute name: "servername"
Oct  2 15:54:27 nmail postfix/smtp[30568]: warning: TLS policy lookup for gmail.com/gmail-smtp-in.l.google.com: client TLS configuration problem
Oct  2 15:54:27 nmail postfix/smtp[30568]: warning: smtp_tls_policy_maps, next-hop destination "gmail.com": invalid attribute name: "servername"
Oct  2 15:54:27 nmail postfix/smtp[30568]: warning: TLS policy lookup for gmail.com/alt1.gmail-smtp-in.l.google.com: client TLS configuration problem
Oct  2 15:54:27 nmail postfix/smtp[30568]: warning: smtp_tls_policy_maps, next-hop destination "gmail.com": invalid attribute name: "servername"
Oct  2 15:54:27 nmail postfix/smtp[30568]: warning: TLS policy lookup for gmail.com/alt2.gmail-smtp-in.l.google.com: client TLS configuration problem
Oct  2 15:54:27 nmail postfix/smtp[30568]: warning: smtp_tls_policy_maps, next-hop destination "gmail.com": invalid attribute name: "servername"
Oct  2 15:54:27 nmail postfix/smtp[30568]: warning: TLS policy lookup for gmail.com/alt3.gmail-smtp-in.l.google.com: client TLS configuration problem
Oct  2 15:54:27 nmail postfix/smtp[30568]: warning: smtp_tls_policy_maps, next-hop destination "gmail.com": invalid attribute name: "servername"
Oct  2 15:54:27 nmail postfix/smtp[30568]: warning: TLS policy lookup for gmail.com/alt4.gmail-smtp-in.l.google.com: client TLS configuration problem
Oct  2 15:54:27 nmail postfix/smtp[30568]: D67EF40568: to=<[hidden email]>, relay=none, delay=0.23, delays=0.22/0/0.01/0, dsn=4.7.5, status=deferred (client TLS configuration problem)

Please, which problem with TLS do I have here?


Re: AW: mta-sts service, running, but how do see this?

Wietse Venema
Maurizio Caloro:
> Oct  2 15:54:27 nmail postfix/smtp[30568]: warning: smtp_tls_policy_maps,
> next-hop destination "gmail.com": invalid attribute name: "servername"

Attribute name 'servername' requires Postfix 3.4 or later.

        Wietse

Re: AW: mta-sts service, running, but how do see this?

Wietse Venema
Wietse Venema:
> Maurizio Caloro:
> > Oct  2 15:54:27 nmail postfix/smtp[30568]: warning: smtp_tls_policy_maps,
> > next-hop destination "gmail.com": invalid attribute name: "servername"
>
> Attribute name 'servername' requires Postfix 3.4 or later.

'servername' is used for SNI. It ensures that the remote SMTP server
will send Postfix a TLS certificate for the recipient's domain.
Depending on the destination SNI may not be needed; if you send to
[hidden email], then the default server certificate should work.
If you send to a customer domain hosted at Google, then SNI may be
necessary.

        Wietse

AW: AW: mta-sts service, running, but how do see this?

Maurizio Caloro-2
Wietse Venema:
> Maurizio Caloro:
>> > Oct  2 15:54:27 nmail postfix/smtp[30568]: warning:
>> > smtp_tls_policy_maps, next-hop destination "gmail.com": invalid
>> > attribute name: "servername"
>>
>> Attribute name 'servername' requires Postfix 3.4 or later.
>>
>> 'servername' is used for SNI. It ensures that the remote SMTP server will
>> send Postfix a TLS certificate for the recipient's domain.
>> Depending on the destination SNI may not be needed; if you send to
>> [hidden email], then the default server certificate should work.
>> If you send to a customer domain hosted at Google, then SNI may be
>> necessary.
>>
>> Wietse

OK, thanks, now I see the servername mistake; my Debian runs Postfix with
mail_version = 3.1.15.
And I am using the option "smtp_tls_security_level = may". I was thinking of
adding MTA-STS now, but I need to read more
before going forward... :-/


AW: AW: mta-sts service, running, but how do see this?

Maurizio Caloro-2
Wietse Venema:
> Maurizio Caloro:
>> > Oct  2 15:54:27 nmail postfix/smtp[30568]: warning:
>> > smtp_tls_policy_maps, next-hop destination "gmail.com": invalid
>> > attribute name: "servername"
>>
>> Attribute name 'servername' requires Postfix 3.4 or later.
>>
>> 'servername' is used for SNI. It ensures that the remote SMTP server
>> will send Postfix a TLS certificate for the recipient's domain.
>> Depending on the destination SNI may not be needed; if you send to
>> [hidden email], then the default server certificate should work.
>> If you send to a customer domain hosted at Google, then SNI may be
>> necessary.
>>
>> Wietse

> Ok, thanks now i see the servername mistake, my debian run with postfix,
> mail_version = 3.1.15 And i'am using option " smtp_tls_security_level =
> may", i was thinking to add now mta.sts but i need now more read., to go
> forrward... :-/

Please, is any update or help possible?


Re: AW: AW: mta-sts service, running, but how do see this?

Wietse Venema
Maurizio Caloro:

> Wietse Venema:
> > Maurizio Caloro:
> >> > Oct  2 15:54:27 nmail postfix/smtp[30568]: warning:
> >> > smtp_tls_policy_maps, next-hop destination "gmail.com": invalid
> attribute name: "servername"
> >>
> >> Attribute name 'servername' requires Postfix 3.4 or later.
> >>
> >>'servername' is used for SNI. It ensures that the remote SMTP server
> >>will
> send Postfix a TLS certificate for the recipient's domain.
> >>Depending on the destination SNI may not be needed; if you send to
> [hidden email], then the default server certificate should work.
> >>If you send to a customer domain hosted at Google, then SNI may be
> necessary.
> >>
> >> Wietse
>
> >Ok, thanks now i see the servername mistake, my debian run with postfix,
> mail_version = 3.1.15 And i'am using option " smtp_tls_security_level =
> may", i was thinking to add now mta.sts but i >need now more read., to go
> forrward... :-/
>
> Please any update help possible?

Perhaps mta-sts-service can be configured not to send 'servername'.
Otherwise you will need a newer Postfix that supports servername and
SNI. I can't add servername support to postfix 3.1.

        Wietse

Re: AW: AW: mta-sts service, running, but how do see this?

Marcel de Riedmatten
On Friday, 02 October 2020 at 12:44 -0400, Wietse Venema wrote:

> > Please any update help possible?
> Perhaps mts-sts-service can be configured not to send 'servername'.
> Otherwise you will need a newer Postfix that support servername and
> SNI. I can't add servername support to postfix 3.1.

It looks like:

Go to

https://github.com/Snawoot/postfix-mta-sts-resolver/tree/master/postfix_mta_sts_resolver

and click on "sni: make default and add compatibility notice"
on the line of defaults.py


-- 
Marcel de Riedmatten
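
An added example, not part of the thread and not code from postfix-mta-sts-resolver: a small client that asks the socketmap service from the smtp_tls_policy_maps line directly (netstring-framed request, as in Postfix's socketmap protocol) and flags a reply carrying the 'servername' attribute that Postfix older than 3.4 rejects. The function names and the sample reply are assumptions made for illustration; the sample is constructed, not captured from a daemon.

```python
import socket

def encode_netstring(payload: bytes) -> bytes:
    # netstring framing: <decimal length>:<payload>,
    return str(len(payload)).encode() + b":" + payload + b","

def decode_netstring(data: bytes) -> bytes:
    length, sep, rest = data.partition(b":")
    if not sep or not length.isdigit():
        raise ValueError("bad netstring header")
    n = int(length)
    if len(rest) < n + 1 or rest[n:n + 1] != b",":
        raise ValueError("truncated or unterminated netstring")
    return rest[:n]

def parse_reply(raw: bytes):
    """Return (status, TLS level, attributes) from one socketmap reply."""
    status, _, value = decode_netstring(raw).decode().partition(" ")
    parts = value.split()
    if status != "OK" or not parts:
        return status, None, {}
    attrs = {k: v for k, _, v in (p.partition("=") for p in parts[1:])}
    return status, parts[0], attrs

def rejected_by_old_postfix(attrs) -> bool:
    # Per the thread, 'servername' requires Postfix 3.4 or later.
    return "servername" in attrs

def query(domain, host="127.0.0.1", port=8461, mapname="postfix"):
    # host, port and map name are taken from the smtp_tls_policy_maps line
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(encode_netstring(f"{mapname} {domain}".encode()))
        buf = b""
        while chunk := s.recv(4096):
            buf += chunk
            try:
                decode_netstring(buf)   # stop once one full reply arrived
                break
            except ValueError:
                continue
    return parse_reply(buf)

# Constructed sample reply (assumed shape, not captured from a real daemon)
SAMPLE_REPLY = encode_netstring(
    b"OK secure match=gmail-smtp-in.l.google.com servername=hostname")

if __name__ == "__main__":
    status, level, attrs = parse_reply(SAMPLE_REPLY)
    print(status, level, attrs, rejected_by_old_postfix(attrs))
```

On the mail host itself, `query("gmail.com")` returns the policy the daemon would hand to Postfix for that domain.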