After Scott's comment about updating postfix to 3.4.11 I checked the changelog of this version and I noticed the only change from 3.4.10 is:
20200416
Workaround for broken builds after an incompatible change
in GCC 10. Files: makedefs, Makefile.in.
Workaround for broken DANE support after an incompatible
change in GLIBC 2.31. This avoids the need for new options
in /etc/resolv.conf. Files: dns/dns.h, dns/dns_lookup.c.
I marked Groovy as Fix Released because the version 3.5.2 also contains this commit. However, when I tried the mentioned commands in a Groovy container I faced the same issue:
$ lxc launch ubuntu-daily:groovy postfix-dane-issue
$ lxc shell postfix-dane-issue
# apt install postfix
# dpkg -l | grep postfix
ii postfix 3.5.2-1 amd64 High-performance mail transport agent
# posttls-finger -c gmail.com
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: problem talking to server private/tlsmgr: No such file or directory
posttls-finger: warning: no entropy for TLS key generation: disabling TLS support
^C
# posttls-finger -t30 -T180 -c -L verbose,summary -w smtp.sdeziel.info:465
posttls-finger: initializing the client-side TLS engine
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: connect to private/tlsmgr: No such file or directory
posttls-finger: warning: problem talking to server private/tlsmgr: No such file or directory
posttls-finger: warning: no entropy for TLS key generation: disabling TLS support
posttls-finger: warning: lost connection while sending QUIT command
As Paride mentioned, those commands work without any problem in Eoan and also in Debian unstable, which has the same postfix version:
$ lxc launch images:debian/sid postfix-dane-issue-debian
$ lxc shell postfix-dane-issue-debian
# apt install postfix
# dpkg -l | grep postfix
ii postfix 3.5.2-1+b1 amd64 High-performance mail transport agent
# posttls-finger -c gmail.com
posttls-finger: Failed to establish session to gmail.com via gmail-smtp-in.l.google.com: connect to gmail-smtp-in.l.google.com[2800:3f0:4003:c00::1a]:25: Connection timed out
^C
# posttls-finger -t30 -T180 -c -L verbose,summary -w smtp.sdeziel.info:465
posttls-finger: initializing the client-side TLS engine
posttls-finger: setting up TLS connection to smtp.sdeziel.info[2001:470:b1c3:7942::25]:465
posttls-finger: smtp.sdeziel.info[2001:470:b1c3:7942::25]:465: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH:!aNULL"
posttls-finger: smtp.sdeziel.info[2001:470:b1c3:7942::25]:465: depth=1 verify=0 subject=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
posttls-finger: smtp.sdeziel.info[2001:470:b1c3:7942::25]:465: depth=0 verify=1 subject=/CN=smtp.sdeziel.info
posttls-finger: certificate verification failed for smtp.sdeziel.info[2001:470:b1c3:7942::25]:465: untrusted issuer /O=Digital Signature Trust Co./CN=DST Root CA X3
posttls-finger: smtp.sdeziel.info[2001:470:b1c3:7942::25]:465: subject_CN=smtp.sdeziel.info, issuer_CN=Let's Encrypt Authority X3, fingerprint=C9:7A:27:B3:13:62:4C:ED:5C:C8:CE:6D:9D:E8:E7:3A:F2:73:AE:9D, pkey_fingerprint=59:B1:2C:D2:78:CD:55:A1:11:F5:D5:AA:DB:87:1E:16:00:EC:52:33
posttls-finger: Untrusted TLS connection established to smtp.sdeziel.info[2001:470:b1c3:7942::25]:465: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
In Debian there is a binary-only upload (got it from the amd64 buildd log):
Format: 1.0
Source: postfix (3.5.2-1)
Binary: postfix postfix-ldap postfix-lmdb postfix-cdb postfix-pcre postfix-mysql postfix-pgsql postfix-sqlite postfix-doc
Architecture: amd64
Version: 3.5.2-1+b1
Binary-Only-Changes:
postfix (3.5.2-1+b1) sid; urgency=low, binary-only=yes
.
* Binary-only non-maintainer upload for amd64; no source changes.
* Rebuild against libicu67
.
-- all / amd64 / i386 Build Daemon (x86-conova-01) <email address hidden> Wed, 03 Jun 2020 20:54:57 +0000
Do we need this in Groovy?