[BlueOnyx:23950] Re: 5210R: Postfix SNI support - status update

Dirk Estenfeld dirk.estenfeld at blackpoint.de
Tue Jun 9 08:44:48 -05 2020 

Hello Michael,

in 2017 we did discuss about a change fromm mbox to Maildir.
Last state wasyou want to look into it. This is ~ 3 years ago.
Now that you have the topic in your hands again anyway, maybe now would be a good time to turn the mbox into a Maildir? Maybe only for all new installations and the existing installations will remain as they are...

Best regards,
Dirk

blackpoint GmbH - Friedberger Straße 106b - 61118 Bad Vilbel

-----Ursprüngliche Nachricht-----
Von: Blueonyx <blueonyx-bounces at mail.blueonyx.it> Im Auftrag von Michael Stauber
Gesendet: Sonntag, 7. Juni 2020 06:43
An: blueonyx at mail.blueonyx.it
Betreff: [BlueOnyx:23941] 5210R: Postfix SNI support - status update

Hi all,

A little update on what I've been working on for the last 10 days:

Recently Tomohiro Hosaka gave me the helpful pointers that Dovecot finally supports Server Name Indication (SNI). Meaning: It can handle more than one SSL cert.

Subsequently I extended the Dovecot configuration on 5210R with provisions that Dovecot automatically configures SNI in Dovecot and integrates the SSL certificates of all Vsites with SSL enabled.

This was already published as a YUM update and has been out for a bit.

Right after that I looked at how we could equip the MTA end of things with SNI as well. Sendmail doesn't support SNI. Using Nginx as SMTP-Proxy was briefly considered, but that idea wasn't practical.

Next I looked at replacing Sendmail on 5210R with Postfix.

For that I now have a working demonstrator which allows to switch a 5210R back and forth between using Sendmail and Postfix via the GUI.

The Postfix configuration is created on the fly and is based on the Sendmail configuration - from which it extracts and sets certain thing to populate its own settings.

The AV-SPAM for 5210R had to be overhauled to deal with either Sendmail or Postfix and that has also been finished on the demonstrator and is now fully working.

Last point on the list: Configure SNI for Postfix - yay! \o/

But guess what? No dice!

Postfix got SNI support in release 3.4.0 as outlined here:

http://www.postfix.org/announcements/postfix-3.4.0.html

The latest available stable version of Postfix is v3.5.2.

Guess which version CentOS 8 ships with?

[root at 5210r ~]# rpm -q postfix
postfix-3.3.1-9.el8.x86_64

Yoo, RedHat? /me extends middle finger

Or in other words: YOU GOTTA BE FUCKING KIDDING ME! :-(

In hindsight (which is always 20/20) it's clear that RedHat *really* picked the worst possible moment to version freeze software for EL8. Not only because of Postfix, but also Apache and a couple of other odds and sods. But it is what it is. /sigh

Fedora Core 32 does have a Postfix-3.5.2 and FC31 and FC30 have Postfix-3.4.10. I've grabbed the SRPM of these and tried to rebuild them for CentOS 8 - but so far no luck. But I'll keep trying.

The latest Postfix 3.5.2 builds fine from the sources on CentOS 8, but the patches that RedHat applied to 3.5.2 and 3.4.10 in their SRPMs make the build fail *hard*. Like so hard that compiled binaries have missing symbols. Go figure.

So until we get at least a Postfix v3.4.10 up and running for 5210R we still won't have an MTA with SNI support.

Still: Postfix is nice to have and the other "quality of life"
improvements in this set of updates still make it worthwhile to release it - even w/o SNI for the MTA.

Sometime next week I expect to publish the YUM updates that make the Postfix alternative for 5210R available. Any 5210R installed with Sendmail that is currently running Sendmail will continue to use it.
Until the point that you voluntarily switch it to Postfix via the GUI.
And if you do, you can always go back to Sendmail again.

Eventually new installs of 5210R will default to use Postfix, but can be switched back to Sendmail if wanted.

As for users of the AV-SPAM on 5210R: The currently available AV-SPAM
v7.0.0 for 5210R will continue to work even after the YUM updates are out. But in order to use it with Postfix you'll need the AV-SPAM 7.1.0, which will be made available via NewLinQ at the same time that the YUM updates for 5210R get released.

--
With best regards

Michael Stauber
_______________________________________________
Blueonyx mailing list
Blueonyx at mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx

More information about the Blueonyx mailing list