[Bug 1868955] Re: after upgrade to 20.04: posttls cannot connect to private/tlsmgr
Nick Tait
1868955 at bugs.launchpad.net
Sat Jun 6 08:42:36 UTC 2020
I (by accident) discovered that glibc has introduced a new resolver
option in resolv.h:

    #define RES_TRUSTAD 0x04000000 /* Request AD bit, keep it in responses. */

I've done some testing with this, and it resolves the issue with the AD
flag not being returned.
So based on this I think this bug needs to be changed back to postfix,
and postfix needs to be updated to include this flag? Ideally the
behaviour required should be:
* If RES_TRUSTAD is defined, then postfix should use that instead of RES_USE_DNSSEC and RES_USE_EDNS0.
* If RES_TRUSTAD is not defined, then postfix should maintain current behaviour of using RES_USE_DNSSEC and RES_USE_EDNS0.
If the above is implemented it would reduce the size of the DNS queries,
because they won't include the RRSIG records that "come for free" when
the DO bit is set (based on RES_USE_DNSSEC).
Thanks,
Nick.
** Package changed: glibc (Ubuntu) => postfix (Ubuntu)
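
The flag selection proposed in the comment above, written out as an added C example (it is not part of the bug report and not Postfix's code). The function names and the two sample DNS headers are constructed for illustration; reply_has_ad() checks the header bit that a DANE client depends on.

```c
#include <stddef.h>
#include <stdio.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>

/* Constructed 12-byte DNS headers: the same reply with and without AD. */
static const unsigned char sample_validated[12] =
    { 0x12, 0x34, 0x81, 0xA0, 0x00, 0x01, 0, 0, 0, 0, 0, 0 };
static const unsigned char sample_stripped[12] =
    { 0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0, 0, 0, 0, 0, 0 };

/* Prefer RES_TRUSTAD when the libc headers define it; otherwise keep the
 * existing RES_USE_DNSSEC | RES_USE_EDNS0 behaviour. */
unsigned long dnssec_request_flags(void)
{
#ifdef RES_TRUSTAD
    return RES_TRUSTAD;
#else
    return RES_USE_DNSSEC | RES_USE_EDNS0;
#endif
}

/* Apply the selection to a resolver state, leaving unrelated options alone. */
void apply_dnssec_flags(struct __res_state *rs)
{
    unsigned long all = RES_USE_DNSSEC | RES_USE_EDNS0;
#ifdef RES_TRUSTAD
    all |= RES_TRUSTAD;
#endif
    rs->options = (rs->options & ~all) | dnssec_request_flags();
}

/* AD (Authenticated Data) is mask 0x20 in the fourth byte of the DNS header. */
int reply_has_ad(const unsigned char *msg, size_t len)
{
    if (msg == NULL || len < 12)   /* shorter than a header: never trusted */
        return 0;
    return (msg[3] & 0x20) != 0;
}

int main(void)
{
    printf("request flags: 0x%08lx\n", dnssec_request_flags());
    printf("validated reply AD=%d, stripped reply AD=%d\n",
           reply_has_ad(sample_validated, sizeof sample_validated),
           reply_has_ad(sample_stripped, sizeof sample_stripped));
    return 0;
}
```
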
https://bugs.launchpad.net/bugs/1868955
Title:
after upgrade to 20.04: posttls cannot connect to private/tlsmgr
Status in postfix package in Ubuntu:
Triaged
Bug description:
My postfix configuration uses dane-only policies for some domains.
After upgrading from LTS 18.04 to the current developing LTS 20.04 this stopped working.
Compare the following commands:

Ubuntu 18.04:
  $ posttls-finger -t30 -T180 -c -L verbose,summary bueren.space
  posttls-finger: initializing the client-side TLS engine
  posttls-finger: using DANE RR: _25._tcp.www.bueren.space IN TLSA 3 0 1 D7:BC:71:07:19:28:E7:97:F9:86:52:02:EB:90:99:4B:B1:DB:EE:8D:FF:B5:D5:6D:15:B2:D8:AC:25:99:AA:5F
  posttls-finger: setting up TLS connection to www.bueren.space[31.15.68.4]:25

Ubuntu 20.04:
  $ posttls-finger -t30 -T180 -c -L verbose,summary bueren.space
  posttls-finger: initializing the client-side TLS engine
  posttls-finger: warning: connect to private/tlsmgr: No such file or directory
  posttls-finger: warning: connect to private/tlsmgr: No such file or directory
  posttls-finger: warning: problem talking to server private/tlsmgr: No such file or directory
  posttls-finger: warning: no entropy for TLS key generation: disabling TLS support

Sending email to these domains stopped working with the following (obviously wrong) error message in mail.log:
  to=<xxx at bueren.space>, relay=none, delay=2126, delays=2126/0.01/0/0,
  dsn=4.7.5, status=deferred (non DNSSEC destination)

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: postfix 3.4.10-1
ProcVersionSignature: Ubuntu 5.4.0-18.22-generic 5.4.24
Uname: Linux 5.4.0-18-generic x86_64
ApportVersion: 2.20.11-0ubuntu21
Architecture: amd64
Date: Wed Mar 25 11:22:11 2020
EtcMailname: mail.kivitendo.de
Hostname: www.kivitendo.de
InstallationDate: Installed on 2016-12-14 (1196 days ago)
InstallationMedia: Ubuntu-Server 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.3)
PostconfMydomain: kivitendo-erp.de
PostconfMyhostname: www.kivitendo-erp.de
PostconfMyorigin: /etc/mailname
ProcEnviron:
  TERM=xterm-256color
  PATH=(custom, no user)
  LANG=de_DE.UTF-8
  SHELL=/bin/bash
ResolvConf:
  # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
  # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
  nameserver 127.0.0.1
  nameserver 127.0.0.1
  search kivitendo-erp.de
SourcePackage: postfix
UpgradeStatus: Upgraded to focal on 2020-03-02 (23 days ago)