[BlueOnyx:23941] 5210R: Postfix SNI support - status update

Michael Stauber mstauber at blueonyx.it
Sat Jun 6 23:43:28 -05 2020


Hi all,

A little update on what I've been working on for the last 10 days:

Recently Tomohiro Hosaka gave me the helpful pointers that Dovecot
finally supports Server Name Indication (SNI). Meaning: It can handle
more than one SSL cert.

Subsequently I extended the Dovecot configuration on 5210R with
provisions that Dovecot automatically configures SNI in Dovecot and
integrates the SSL certificates of all Vsites with SSL enabled.

This was already published as a YUM update and has been out for a bit.

Right after that I looked at how we could equip the MTA end of things
with SNI as well. Sendmail doesn't support SNI. Using Nginx as
SMTP-Proxy was briefly considered, but that idea wasn't practical.

Next I looked at replacing Sendmail on 5210R with Postfix.

For that I now have a working demonstrator which allows switching a
5210R back and forth between using Sendmail and Postfix via the GUI.

The Postfix configuration is created on the fly and is based on the
Sendmail configuration - from which it extracts and sets certain things
to populate its own settings.

The AV-SPAM for 5210R had to be overhauled to deal with either Sendmail
or Postfix and that has also been finished on the demonstrator and is
now fully working.

Last point on the list: Configure SNI for Postfix - yay! \o/

But guess what? No dice!

Postfix got SNI support in release 3.4.0 as outlined here:

http://www.postfix.org/announcements/postfix-3.4.0.html

The latest available stable version of Postfix is v3.5.2.

Guess which version CentOS 8 ships with?

[root at 5210r ~]# rpm -q postfix
postfix-3.3.1-9.el8.x86_64

Yoo, RedHat? /me extends middle finger

Or in other words: YOU GOTTA BE FUCKING KIDDING ME! :-(

In hindsight (which is always 20/20) it's clear that RedHat *really*
picked the worst possible moment to version freeze software for EL8. Not
only because of Postfix, but also Apache and a couple of other odds and
sods. But it is what it is. /sigh

Fedora Core 32 does have a Postfix-3.5.2 and FC31 and FC30 have
Postfix-3.4.10. I've grabbed the SRPM of these and tried to rebuild them
for CentOS 8 - but so far no luck. But I'll keep trying.

The latest Postfix 3.5.2 builds fine from the sources on CentOS 8, but
the patches that RedHat applied to 3.5.2 and 3.4.10 in their SRPMs make
the build fail *hard*. Like so hard that compiled binaries have missing
symbols. Go figure.

So until we get at least a Postfix v3.4.10 up and running for 5210R we
still won't have an MTA with SNI support.
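As an added illustration (not part of the original post and not BlueOnyx code), the following POSIX shell snippet does the version check the mail is about: it reads the installed Postfix version with `postconf -h mail_version` (or falls back to a constructed sample that matches the `rpm -q` output above) and reports whether it is at least 3.4.0, the release that introduced SNI via the `tls_server_sni_maps` setting. The function names are my own.

```shell
#!/bin/sh
# Added example, not BlueOnyx project code: check whether a Postfix version
# is new enough for SNI. Postfix gained SNI (tls_server_sni_maps) in 3.4.0.

# postfix_supports_sni VERSION -> returns 0 if VERSION >= 3.4.0, else 1.
# Accepts "3.3.1", "3.3.1-9.el8" or a full "postfix-3.3.1-9.el8.x86_64" string.
postfix_supports_sni() {
    ver=$1
    ver=${ver#postfix-}      # drop an rpm package-name prefix, if any
    ver=${ver%%-*}           # drop an rpm release suffix such as "-9.el8.x86_64"
    oldifs=$IFS
    IFS=.
    set -- $ver              # split "3.3.1" into positional parameters 3 3 1
    IFS=$oldifs
    major=${1:-0}; minor=${2:-0}
    # Numeric comparison against 3.4 (the patch level does not matter here)
    if [ "$major" -gt 3 ]; then return 0; fi
    if [ "$major" -lt 3 ]; then return 1; fi
    if [ "$minor" -ge 4 ]; then return 0; fi
    return 1
}

# report_sni VERSION -> prints a one-line verdict and returns the same status.
report_sni() {
    if postfix_supports_sni "$1"; then
        echo "Postfix $1: SNI supported (tls_server_sni_maps is available)"
        return 0
    fi
    echo "Postfix $1: no SNI support (needs Postfix >= 3.4.0)"
    return 1
}

# Use the installed version when Postfix is present; otherwise fall back to
# a constructed sample equal to the CentOS 8 package named in the mail.
if command -v postconf >/dev/null 2>&1; then
    installed=$(postconf -h mail_version 2>/dev/null)
else
    installed="postfix-3.3.1-9.el8.x86_64"   # constructed sample, not a live query
fi
report_sni "$installed" || sni_missing=1
```

With the stock CentOS 8 package the check reports "no SNI support"; any 3.4.x or 3.5.x build passes, which is exactly the line the post draws between the shipped 3.3.1 and the Fedora SRPMs.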

Still: Postfix is nice to have and the other "quality of life"
improvements in this set of updates still make it worthwhile to release
it - even w/o SNI for the MTA.

Sometime next week I expect to publish the YUM updates that make the
Postfix alternative for 5210R available. Any 5210R installed with
Sendmail that is currently running Sendmail will continue to use it
until the point that you voluntarily switch it to Postfix via the GUI.
And if you do, you can always go back to Sendmail again.

Eventually new installs of 5210R will default to using Postfix, but can be
switched back to Sendmail if wanted.

As for users of the AV-SPAM on 5210R: The currently available AV-SPAM
v7.0.0 for 5210R will continue to work even after the YUM updates are
out. But in order to use it with Postfix you'll need the AV-SPAM 7.1.0,
which will be made available via NewLinQ at the same time that the YUM
updates for 5210R get released.

-- 
With best regards

Michael Stauber
