Comments (6)
Ah, I was wondering why it suddenly started to fail. Thanks a lot for the quick response!
from postfix-mta-sts-resolver.
Hello!
This is expected and documented behaviour.
Long story short: the MTA-STS standard implies that the MTA has to support SNI. Otherwise there may be issues with TLS connectivity leading to permanent delivery failure to domains using multiple certificates on a single MX address. Postfix prior to 3.4 doesn't support SNI at all. Postfix 3.4+ has SNI support, but doesn't send it by default. In order to comply with RFC 8461, postfix-mta-sts-resolver 1.0.0+ instructs Postfix 3.4+ to send the server name indication with each returned valid STS policy.
This change was introduced in postfix-mta-sts-resolver version 1.0.0, and the correct behaviour is enabled by default.
The only completely valid configuration for MTA-STS (from a standards point of view) is Postfix 3.4+ and postfix-mta-sts-resolver 1.0.0 and above.
There are two ways for you to resolve this issue:
- (Preferred) Upgrade to Postfix 3.4 and above.
- Set postfix-mta-sts-resolver to not require SNI.
The SNI requirement can be disabled in your mta-sts-daemon.yml with the require_sni option like this:
--- a/mta-sts-daemon.yml
+++ b/mta-sts-daemon.yml
@@ -11,3 +11,4 @@ cache:
default_zone:
strict_testing: false
timeout: 4
+ require_sni: false
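Review bot: indentation has been lost in this hunk as rendered, and YAML nesting is what makes the option take effect: `require_sni: false` must sit under `default_zone:` at the same depth as `strict_testing` and `timeout` (the hunk header's `cache:` context shows the file is nested), otherwise it becomes a top-level key the daemon never reads. Also worth stating next to the option, as the reply above does, that this only removes the SNI requirement from the returned policy for Postfix older than 3.4; it is a workaround for such installs, and the upgrade remains the fix that is actually standards-compliant.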
from postfix-mta-sts-resolver.
Hi!
I have the same issue with gmail.com and mail.ru, but I added require_sni: false.
My environment:
Linux CentOS x64 7.9.2009 + last upd
Postfix 2.10.1 (postfix.x86_64 2:2.10.1-9.el7)
Installation method 4. Docker.
Run:
docker run -d --security-opt no-new-privileges -v /etc/postfix/mta-sts-cfg.yml:/etc/mta-sta-daemon.yml -v mta-sts-cache:/var/lib/mta-sts -p 127.0.0.1:8461:8461 --restart unless-stopped --name postfix-mta-sts-resolver yarmak/postfix-mta-sts-resolver
/etc/postfix/mta-sts-cfg.yml
host: 0.0.0.0
port: 8461
reuse_port: true
shutdown_timeout: 20
cache:
  type: sqlite
  options:
    filename: "/var/lib/mta-sts/cache.db"
default_zone:
  strict_testing: false
  timeout: 4
  require_sni: false
Sorry for my English...
from postfix-mta-sts-resolver.
Hi!
Please check if you are running the latest version of the docker image.
Please tell me the output of the following command:
/usr/sbin/postmap -q gmail.com socketmap:inet:127.0.0.1:8461:test
from postfix-mta-sts-resolver.
# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
yarmak/postfix-mta-sts-resolver latest cda7cbfb8cb5 6 months ago 72MB
/usr/sbin/postmap -q gmail.com socketmap:inet:127.0.0.1:8461:test
secure match=gmail-smtp-in.l.google.com:.gmail-smtp-in.l.google.com servername=hostname
from postfix-mta-sts-resolver.
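The postmap command in the exchange above speaks Postfix's socketmap protocol (netstring-framed request and reply, as in socketmap_table(5)) to the resolver daemon and prints the data after the "OK " status word. As an added example that is not part of this thread or the project's own code, the script below does the same lookup from Python and reports whether the returned policy carries servername=hostname, i.e. whether the daemon is going to require SNI from Postfix (which Postfix before 3.4 cannot provide, as explained earlier). To run offline it includes a small stub daemon that replays the reply captured above; the map name "test" is arbitrary, as in the thread's command, and the stub, the NOTFOUND fallback and the example.invalid domain are constructed for this example. Point check_domain() at the host and port from mta-sts-daemon.yml to test a live setup.

```python
import socket
import threading

# Reply captured in the thread above (postmap strips the "OK " status word
# before printing). Constructed test fixture for the stub daemon below.
CAPTURED_REPLY = ("OK secure match=gmail-smtp-in.l.google.com:"
                  ".gmail-smtp-in.l.google.com servername=hostname")


def encode_netstring(payload: bytes) -> bytes:
    """Frame bytes as a netstring: '<len>:<payload>,'."""
    return b"%d:%s," % (len(payload), payload)


def read_netstring(sock: socket.socket) -> bytes:
    """Read one netstring from a socket, validating the framing."""
    digits = b""
    while True:
        ch = sock.recv(1)
        if not ch:
            raise ConnectionError("peer closed before netstring length")
        if ch == b":":
            break
        if not ch.isdigit() or len(digits) >= 9:
            raise ValueError("malformed netstring length")
        digits += ch
    if not digits:
        raise ValueError("empty netstring length")
    n = int(digits)
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("peer closed mid-netstring")
        data += chunk
    if sock.recv(1) != b",":
        raise ValueError("missing netstring terminator")
    return data


def socketmap_lookup(host, port, mapname, key, timeout=5.0):
    """Send '<mapname> <key>' and split the reply into (status, data)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(encode_netstring(f"{mapname} {key}".encode()))
        reply = read_netstring(s).decode()
    status, _, data = reply.partition(" ")
    return status, data


def parse_policy(data: str) -> dict:
    """Turn 'secure match=a:.a servername=hostname' into a dict."""
    parts = data.split()
    if not parts:
        raise ValueError("empty policy data")
    policy = {"level": parts[0]}
    for item in parts[1:]:
        k, _, v = item.partition("=")
        policy[k] = v
    policy["mx_patterns"] = policy["match"].split(":") if "match" in policy else []
    # servername=hostname is what the resolver returns for a valid policy with
    # require_sni enabled; Postfix < 3.4 cannot send SNI, so delivery fails.
    policy["requires_sni"] = policy.get("servername") == "hostname"
    return policy


def check_domain(host, port, domain, mapname="test") -> dict:
    """Query one domain; returns the status plus the parsed policy on OK."""
    status, data = socketmap_lookup(host, port, mapname, domain)
    if status != "OK":
        return {"status": status, "detail": data}
    policy = parse_policy(data)
    policy["status"] = "OK"
    return policy


def start_stub_daemon(replies: dict):
    """Offline stand-in for mta-sts-daemon that replays canned replies by
    key (unknown keys get 'NOTFOUND '). Returns (host, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    req = read_netstring(conn).decode()
                    _map, _, key = req.partition(" ")  # map name is ignored
                    conn.sendall(encode_netstring(replies.get(key, "NOTFOUND ").encode()))
                except (ValueError, ConnectionError, OSError):
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


if __name__ == "__main__":
    host, port = start_stub_daemon({"gmail.com": CAPTURED_REPLY})
    for d in ("gmail.com", "example.invalid"):
        print(d, check_domain(host, port, d))
```

If requires_sni comes back True for a domain and your Postfix is older than 3.4, that combination is exactly the failure described earlier in the thread; a live daemon that never returns servername=hostname is either running with require_sni: false or is an older image.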
Thanks! You have a typo in your docker command: /etc/mta-sta-daemon.yml. The correct option will look like this: -v /etc/postfix/mta-sts-cfg.yml:/etc/mta-sts-daemon.yml
from postfix-mta-sts-resolver.