[BlueOnyx:23946] Re: 5210R: Postfix SNI support - status update

Michael Stauber mstauber at blueonyx.it
Mon Jun 8 17:18:39 -05 2020 

Hi Chris,

> I can imagine that it's a lot of work.

Yeah, it is. I'm also a lot more comfortable with Sendmail as far as
configuring it goes and there were many aspects of Postfix that I wasn't
aware of. I think I'm still scratching only on the surface of it.

When done, I certainly need someone to take a long hard look at our
Postfix configuration to check if there is something we could do better
or if there is something I shouldn't have done this or that way.

As far as the integration into the GUI goes: That was surprisingly
simple. I started at the premise that I didn't want to duplicate every
Sendmail handler for Postfix. So instead I wrote a parser that parses
the sendmail.mc (and other parts of its config) to populate an existing
Postfix config with just the required settings. Such as max_message_size
and others.

This is now done entirely on the fly on "systemctl restart postfix".
Which is kind of neat.

The most complicated part so far was actually getting the AV-SPAM to
work with both Sendmail and Postfix depending on what's active. That
required some extensive changes. Postfix does understand Sendmail
Milters and can handle them well enough. However, ownerships and
permissions of the milter sockets (and sometimes their location) were
preventing Postfix from using them. But I have that sorted as well by now.

> One of the most common support calls we get are for "Certificate Failure" 
> reports when a user sets up email on a desktop or mobile device.

Yeah, we *really* need SNI. Not just for Dovecot, but also for the MTA.

And in that regards I have some good news:

https://centos.pkgs.org/8/ghettoforge-plus-x86_64/postfix3-3.5.2-1.gf.el8.x86_64.rpm.html

That's the latest Postfix v3.5.2 for CentOS 8. Ghettoforge.com? Never
heard of them, but I was more than happy to fully embrace what their
offering. After some digging it was clear that whoever did that Postfix
(S)RPM clearly knows what he's been doing and he's been offering updated
Postfix RPMs for EL6 and EL7 for many years.

So I grabbed their SRPM and with some extras that make the integration
easier I repackaged it as "blueonyx-postfix".

After some fiddling with the configs I then got SNI working:

root at beast-smd-net:~# openssl s_client -connect jarvis.smd.net:25
-servername www.kinofreak.com -starttls smtp|grep -E "CN =|Verification:"
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www.kinofreak.com
verify return:1
250 CHUNKING
 0 s:CN = www.kinofreak.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
subject=CN = www.kinofreak.com
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Verification: OK

That's an "on foot" TLS connection to the MTA of 'jarvis.smd.net' and
we're requesting to talk to 'www.kinofreak.com' (one of the Vsite's with
an LE SSL cert).

We get the cert for www.kinofreak.com presented and the TLS verification
of the Cert finishes with "Verification: OK".

Even if we skip the roundabout and connect directly to port 25 on
kinofreak.com it checks out:

root at beast-smd-net:~# openssl s_client -connect kinofreak.com:25
-starttls smtp|grep -E "CN =|Verification:"
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www.kinofreak.com
verify return:1
250 CHUNKING
 0 s:CN = www.kinofreak.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
subject=CN = www.kinofreak.com
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Verification: OK


So ... that's a 5210R with working SNI on the MTA. \o/

What's left is committing everything to SVN, building RPMs (and a PKG
for the AV-SPAM) and then testing, testing, testing.

In the next few days I'll have it in the "5210R-testing" YUM repository
so that we can play around with it.

-- 
With best regards

Michael Stauber

More information about the Blueonyx mailing list