Snawoot / postfix-mta-sts-resolver

Daemon which provides TLS client policy for Postfix via socketmap, according to domain MTA-STS policy
MIT License
117 stars 23 forks

Client tls issue when using unix socket instead of inet tcp #100

Closed JourneyUnkn0wn closed 1 year ago

JourneyUnkn0wn commented 1 year ago

Hi,

When I use the standard inet configuration everything works ok: the daemon runs ok and I can send/receive emails fine. /usr/sbin/postmap -q dismail.de socketmap:inet:127.0.0.1:8461:postfix returns the correct response.

When I configure the daemon to use a unix socket instead of inet tcp I get a client TLS configuration error and I cannot send email.

```
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
865A235FB     2902 Mon Jun 12 10:40:38  sender@email.com
(client TLS configuration problem)
                                         receiver@email.com
```

However, when I run /usr/sbin/postmap -q dismail.de socketmap:unix:/var/spool/postfix/run/mta-sts/mta-sts-resolver.sock:postfix it returns the same response as the above inet command, indicating it's working ok.

My mta-sts daemon file has the below config parameters for the socket:

```
path: /var/spool/postfix/run/mta-sts/mta-sts-resolver.sock
mode: 0666
```

And my postfix main.cf has the line (when trying to use the unix socket instead of inet):

```
smtp_tls_policy_maps = socketmap:unix:/var/spool/postfix/run/mta-sts/mta-sts-resolver.sock:postfix
```

I've also tried just using run/mta-sts-mta-sts-resolver.sock as the path but got the same result.

I'm assuming it's a configuration problem but I'm not sure what I could have done wrong.

I'm using the inet socket for now as that is working ok.

Thank you for your time!

Snawoot commented 1 year ago

Hi! Could you test your unix socket reachability with the following command:

/usr/sbin/postmap -q dismail.de socketmap:unix:/var/spool/postfix/run/mta-sts/mta-sts-resolver.sock:postfix

?

JourneyUnkn0wn commented 1 year ago

> Hi! Could you test your unix socket reachability with the following command:
>
> /usr/sbin/postmap -q dismail.de socketmap:unix:/var/spool/postfix/run/mta-sts/mta-sts-resolver.sock:postfix
>
> ?

Thank you for getting back to me.

The socket is reachable:

```
root@server:~ $ /usr/sbin/postmap -q dismail.de socketmap:unix:/var/spool/postfix/run/mta-sts/mta-sts-resolver.sock:postfix
secure match=mx1.dismail.de:mx2.dismail.de servername=hostname
```

I get the same response as above when using inet as well.

Snawoot commented 1 year ago

@JourneyUnkn0wn That means postfix-mta-sts-resolver is working fine, but the postfix daemon itself can't reach this socket. There may be different reasons for this, like postfix running in some isolated systemd slice, not able to access the socket in the filesystem, or some sort of AppArmor or SELinux rules preventing postfix from that. You probably should check that: try to impersonate the postfix user with su and access that socket again with the postmap tool.

Also provide info on which distro and postfix package you're using; maybe it will help somehow.

But if it's too challenging, it's probably not worth bothering. Using a UNIX domain socket brings virtually no improvement compared to TCP.
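The diagnosis above (postmap run as root succeeds, Postfix's own smtp process does not) can be checked without guessing. The script below is an added example, not part of postfix-mta-sts-resolver or Postfix, and assumes a Linux host with Python 3. It applies the same discretionary-access rules the kernel applies to every component of the socket path for an arbitrary uid/gid set, so a `mode: 0666` socket that sits under a directory the postfix user cannot search is reported directly, and it then performs one socketmap lookup using the netstring framing that postmap(1) speaks. `demo()` replays the situation offline against a constructed stand-in server that answers with the policy line from this thread; `_serve_one`, `demo` and the foreign uid it picks are constructed for the example.

```python
"""Probe a socketmap UNIX socket the way Postfix would have to reach it.
Added example, not project code: stat()-based DAC walk per path component
for a given identity, then one socketmap lookup framed as netstrings."""
import os
import shutil
import socket
import stat
import tempfile
import threading


def _has_bits(st, uid, gids, owner_bit, group_bit, other_bit):
    if uid == 0:
        return True  # root bypasses DAC; MAC policy (AppArmor/SELinux) is not modelled
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def unreachable_components(sock_path, uid, gids):
    """(path, reason) pairs blocking uid/gids: dirs need x, the socket needs r+w."""
    abs_path = os.path.abspath(sock_path)
    if not os.path.exists(abs_path):
        return [(abs_path, "missing")]
    problems, current = [], "/"
    for part in abs_path.strip("/").split("/")[:-1]:  # every ancestor but "/"
        current = os.path.join(current, part)
        st = os.stat(current)
        if not _has_bits(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            problems.append((current, "directory not searchable"))
    st = os.stat(abs_path)
    if not stat.S_ISSOCK(st.st_mode):
        problems.append((abs_path, "not a socket"))
    ok_r = _has_bits(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)
    ok_w = _has_bits(st, uid, gids, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)
    if not (ok_r and ok_w):
        problems.append((abs_path, "socket not readable+writable"))
    return problems


def _read_netstring(conn):
    """Read one netstring "<len>:<bytes>," and return the payload."""
    head = b""
    while not head.endswith(b":"):
        byte = conn.recv(1)
        if not byte:
            raise ConnectionError("peer closed before netstring length")
        head += byte
    body, want = b"", int(head[:-1]) + 1  # payload plus the trailing ','
    while len(body) < want:
        chunk = conn.recv(want - len(body))
        if not chunk:
            raise ConnectionError("peer closed mid netstring")
        body += chunk
    if body[-1:] != b",":
        raise ValueError("netstring not terminated by ','")
    return body[:-1]


def socketmap_lookup(sock_path, map_name, key, timeout=5.0):
    """Send "<map> <key>" as a netstring; return (status, data) from the reply."""
    request = f"{map_name} {key}".encode()
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(b"%d:%s," % (len(request), request))
        reply = _read_netstring(s)
    status, _, data = reply.partition(b" ")
    return status.decode(), data.decode()


def _serve_one(sock_path, payload):
    """Constructed stand-in for the resolver: answer one client, then close."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(1)
    def run():
        conn, _ = srv.accept()
        with conn:
            _read_netstring(conn)
            conn.sendall(b"%d:%s," % (len(payload), payload))
        srv.close()
    t = threading.Thread(target=run, daemon=True)
    t.start()
    return t


def demo():
    """Offline replay: a 0666 socket in a 0700 dir, probed as owner and as a stranger."""
    tmp = tempfile.mkdtemp()  # created with mode 0700, like a private run directory
    sock = os.path.join(tmp, "mta-sts-resolver.sock")
    t = _serve_one(sock, b"OK secure match=mx1.dismail.de:mx2.dismail.de servername=hostname")
    os.chmod(sock, 0o666)  # mirrors the resolver config's "mode: 0666"
    me, other = os.getuid(), (os.getuid() + 1) % 65534 + 1  # constructed foreign uid
    try:
        status, data = socketmap_lookup(sock, "postfix", "dismail.de")
        t.join(2)
        own = unreachable_components(sock, me, set(os.getgroups()) | {os.getgid()})
        foreign = [why for _, why in unreachable_components(sock, other, {other})]
        return {"own": own, "foreign_reasons": foreign, "status": status, "data": data}
    finally:
        shutil.rmtree(tmp)
```

On a real host, run `unreachable_components` as root with the postfix account's identity (`pwd.getpwnam('postfix')` for the uid, its primary and supplementary gids) against the socket path exactly as the smtp(8) process sees it: if that service runs chrooted under the Postfix queue directory, the path in main.cf has to be relative to the chroot, which is presumably why the `run/...` form was tried. Whatever stat() reports, AppArmor or SELinux denials are invisible to it and only show up in the audit log, which is the other place the comment points at.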