Bug 44811 - relay setting forcing TLS also on amavis connection
relay setting forcing TLS also on amavis connection
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Mail
UCS 4.2
Other Linux
: P5 normal (vote)
: UCS 4.2-0-errata
Assigned To: Daniel Tröder
Sönke Schwardt-Krummrich
https://forge.univention.org/bugzilla...
:
Depends on:
Blocks: 44820
  Show dependency treegraph
 
Reported: 2017-06-19 10:18 CEST by Daniel Tröder
Modified: 2017-06-19 15:04 CEST (History)
0 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.429
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Tröder univentionstaff 2017-06-19 10:18:20 CEST
4.2 erratum 36 (Bug #44589) forces all SMTP client connections to be encrypted, when relaying. That includes those to Amavis - which isn't supported.

https://help.univention.com/t/mail-transport-unavailable-seit-update-auf-4-2-0-errata-45/5957/8

https://help.univention.com/t/kopano-postfix-tls-problem/5976/2

An exception for amavis is needed.
Comment 1 Daniel Tröder univentionstaff 2017-06-19 10:28:31 CEST
r80269: create possibility to set SMTP client TLS policy
r80270: update advisory
r80271: merge to 4.2-1

Package: univention-mail-postfix
Version: 11.0.1-9A~4.2.0.201706191026
Branch: ucs_4.2-0
Scope: errata4.2-0
Comment 2 Daniel Tröder univentionstaff 2017-06-19 11:12:52 CEST
r80276: undo global encryption setting from Bug #44589 if relaying is enabled, set it only for mail/relayhost
r80277: update advisory

univention-mail-postfix (11.0.1-10A~4.2.0.201706191111)
Comment 3 Daniel Tröder univentionstaff 2017-06-19 11:34:23 CEST
r80278: allow setting additional lookup tables for the Postfix SMTP client TLS security policy
r80279: update advisory

univention-mail-postfix (11.0.1-11A~4.2.0.201706191133)
Comment 4 Daniel Tröder univentionstaff 2017-06-19 12:18:45 CEST
r80284: change UCRV format to support IPv6 addresses
r80285: fix default UCR value for amavis
r80286: update advisory

univention-mail-postfix (11.0.1-13A~4.2.0.201706191217)
Comment 5 Daniel Tröder univentionstaff 2017-06-19 13:38:22 CEST
80291: handle subdomains safer, run postmap when installing, wording
80292: merge to 4.2-1
80293: update advisory

univention-mail-postfix 11.0.1-14A~4.2.0.201706191335)
Comment 6 Sönke Schwardt-Krummrich univentionstaff 2017-06-19 14:29:50 CEST
--: added ucs-test scripts
    00_checks/81_check_tls_policy_default
	40_mail/48_smtp_tls_policy_map
OK: advisory
OK: code change
OK: receive mail with default settings
OK: receive mail with enabled relayhost+relayauth
OK: send mail with enabled relayhost+relayauth
    (see below)
OK: merged to UCS 4.2-1

# ucr set mail/relayhost='[10.200.18.70]:587' mail/relayauth="yes"
# echo "[10.200.18.70]:587  ben@nstx.local:univention99" > /etc/postfix/smtp_auth 
# postmap /etc/postfix/smtp_auth
# invoke-rc.d postfix restart
# echo "TEST" | mail -s "TEST1" noreply@univention.com
# cat /etc/postfix/tls_policy | grep 18.70
[10.200.18.70]:587 encrypt
# 

Jun 19 14:07:54 master30 amavis[28613]: (28613-01) Passed CLEAN {RelayedOpenRelay}, [127.0.0.1] <root@master30.nstx.local> -> <noreply@univention.de>, Message-ID: <20170619120753.3CB5B80151@master30.nstx.local>, mail_id: mf4iXDY76J2I, Hits: -0.001, size: 315, queued_as: 45D5980136, 467 ms
Jun 19 14:07:54 master30 postfix/smtp[4575]: 3CB5B80151: to=<noreply@univention.de>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.1, delays=0.31/0.31/0.05/0.44, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 45D5980136)
Jun 19 14:07:54 master30 postfix/qmgr[4568]: 3CB5B80151: removed
Jun 19 14:07:55 master30 postfix/smtp[4580]: 45D5980136: to=<noreply@univention.de>, relay=10.200.18.70[10.200.18.70]:587, delay=1.6, delays=0.07/0.03/0.31/1.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 74D9F1C0998)

# cat /etc/postfix/tls_policy | grep 18.70
[10.200.18.70]:587 none
# postmap /etc/postfix/tls_policy
# invoke-rc.d postfix restart
# echo "TEST" | mail -s "TEST2" noreply@univention.com

Jun 19 14:09:09 master30 postfix/smtp[4825]: 688EB80136: to=<noreply@univention.de>, relay=10.200.18.70[10.200.18.70]:587, delay=0.12, delays=0.08/0.03/0.01/0, dsn=5.7.0, status=bounced (host 10.200.18.70[10.200.18.70] said: 530 5.7.0 Must issue a STARTTLS command first (in reply to MAIL FROM command))
Comment 7 Janek Walkenhorst univentionstaff 2017-06-19 15:04:57 CEST
<http://errata.software-univention.de/ucs/4.2/49.html>