Snawoot / postfix-mta-sts-resolver

Daemon which provides TLS client policy for Postfix via socketmap, according to domain MTA-STS policy
MIT License
117 stars 23 forks

MTA-STS fails with gmail.com #76

Closed marneu closed 2 years ago

marneu commented 2 years ago

Sending mail to Google

It is not possible with mta-sts to send mail to Google; it remains in the mail queue.

To Reproduce

  1. Redis-enabled MTA-STS installed using method 2 (including Redis): postfix-mta-sts-resolver (1.0.1)
  2. Postfix mail_version = 3.3.0
  3. /usr/sbin/postmap -q gmail.com socketmap:inet:127.0.0.1:8461:postfix

    secure match=.gmail-smtp-in.l.google.com:gmail-smtp-in.l.google.com servername=hostname

Expected behavior

It works with MS/Outlook but not with Google (see Output).

Output listings

  1. maillog

    Oct 17 20:55:42 smtp.<myserver>.com postfix/smtp[22718]: warning: smtp_tls_policy_maps, next-hop destination "gmail.com": invalid attribute name: "servername"
    Oct 17 20:55:42 smtp.<myserver>.com postfix/smtp[22718]: warning: TLS policy lookup for gmail.com/gmail-smtp-in.l.google.com: client TLS configuration problem

  2. mta-sts.log

    2021-10-17 20:55:42 DEBUG STS: Lookup skipped: domain = gmail.com
    2021-10-17 20:55:42 DEBUG STS: Future await complete: data=b'90:OK secure match=gmail-smtp-in.l.google.com:.gmail-smtp-in.l.google.com servername=hostname,'
    2021-10-17 20:55:42 DEBUG STS: Wrote: b'90:OK secure match=gmail-smtp-in.l.google.com:.gmail-smtp-in.l.google.com servername=hostname,'


Environment:
 - OS: GNU/Linux
 - Distro: Ubuntu
 - Distro version: 18.04.6
 - Python version: 3.6.9

Snawoot commented 2 years ago

For Postfix versions before 3.4 you have to add `require_sni: false` into your zone configuration. See the man page for mta-sts-daemon.yml.

Snawoot commented 2 years ago

Also note that lack of SNI support makes your server compliant with RFC, so it's recommended to upgrade Postfix anyway.
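As an added example (not code from postfix-mta-sts-resolver, nor posted by either participant), here is the socketmap exchange behind the `postmap -q` query above and the attribute check that Postfix 3.3 fails on. The sample reply is the one the daemon logged in mta-sts.log; `MIN_POSTFIX_VERSION` records that Postfix accepts the `servername` policy attribute from 3.4 onward; `render_policy` is my own model of what `require_sni: false` changes (an assumption about the effect of that setting, not the daemon's implementation).

```python
"""Postfix socketmap / TLS-policy round trip, modelled on the reply shown in this issue.

Added example, not code from postfix-mta-sts-resolver. It encodes the query Postfix
sends for `postmap -q gmail.com socketmap:inet:127.0.0.1:8461:postfix`, decodes the
netstring reply the daemon logged above, splits the policy into level and attributes,
and reports which attributes an older Postfix rejects.
"""

# Constructed sample: the exact reply the daemon wrote in the mta-sts.log above.
SAMPLE_REPLY = (b"90:OK secure match=gmail-smtp-in.l.google.com:.gmail-smtp-in.l.google.com"
                b" servername=hostname,")

# Minimum Postfix version for each smtp_tls_policy_maps attribute listed here.
# Postfix added "servername" in 3.4, which is why 3.3.0 logs
# 'invalid attribute name: "servername"'.
MIN_POSTFIX_VERSION = {"servername": (3, 4)}


def encode_netstring(payload: bytes) -> bytes:
    """Wrap payload as a netstring: <len>:<payload>, (socketmap framing)."""
    return b"%d:%s," % (len(payload), payload)


def decode_netstring(data: bytes) -> bytes:
    """Strictly decode one netstring; reject a bad length prefix or missing trailing comma."""
    length, sep, rest = data.partition(b":")
    if not sep or not length.isdigit():
        raise ValueError("netstring without a numeric length prefix")
    n = int(length)
    if len(rest) < n + 1 or rest[n:n + 1] != b",":
        raise ValueError("netstring length does not match payload")
    return rest[:n]


def build_query(map_name: str, key: str) -> bytes:
    """Socketmap request: netstring of '<map name> <lookup key>'."""
    return encode_netstring(f"{map_name} {key}".encode())


def parse_policy(payload: bytes):
    """Split a socketmap reply into (status, TLS level, {attribute: value}).

    Non-OK replies (NOTFOUND, TEMP, PERM, TIMEOUT) carry no policy."""
    status, _, policy = payload.decode().partition(" ")
    if status != "OK" or not policy:
        return status, None, {}
    level, *attrs = policy.split()
    attributes = {}
    for attr in attrs:
        name, _, value = attr.partition("=")
        attributes[name] = value
    return status, level, attributes


def parse_postfix_version(text: str) -> tuple:
    """'3.3.0' -> (3, 3, 0); release numbers as printed by `postconf mail_version`."""
    return tuple(int(part) for part in text.split("."))


def unsupported_attributes(attributes: dict, postfix_version: tuple) -> list:
    """Attribute names in the policy that this Postfix version would refuse."""
    return sorted(name for name, minimum in MIN_POSTFIX_VERSION.items()
                  if name in attributes and postfix_version < minimum)


def render_policy(level: str, attributes: dict, require_sni: bool) -> str:
    """Model (an assumption, not the daemon's code) of what `require_sni: false`
    changes: the servername attribute is left out so a pre-3.4 Postfix accepts it."""
    kept = {k: v for k, v in attributes.items() if require_sni or k != "servername"}
    return " ".join([level] + [f"{k}={v}" for k, v in kept.items()])


if __name__ == "__main__":
    print(build_query("postfix", "gmail.com"))
    status, level, attrs = parse_policy(decode_netstring(SAMPLE_REPLY))
    print(status, level, attrs)
    for version in ("3.3.0", "3.4.0"):
        bad = unsupported_attributes(attrs, parse_postfix_version(version))
        print(f"Postfix {version}: " + (f"rejects {bad}" if bad else "accepts the policy"))
    print(render_policy(level, attrs, require_sni=False))
```

Run as a script: against `mail_version = 3.3.0` it reports that `servername` is rejected, which is the `invalid attribute name` warning in the maillog above, while 3.4.0 accepts the same policy. The setting that changes the daemon's output is the per-zone `require_sni: false` in mta-sts-daemon.yml mentioned in the comment above.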

marneu commented 2 years ago

Seems you are right, "certificate verification failed" is the new response with `require_sni` disabled.

Snawoot commented 2 years ago

@marneu Last time I tried, TLS for Google worked well even without SNI. Make sure your Postfix configuration has CA certificates set.

marneu commented 2 years ago

It works on a Postfix 3.4 setup without SNI disabled. The certificate is a valid full-chain cert on my site.