Marius Bergmann (mbrgm), mtbit, Erlangen, Germany

started anteater/anteater, 18 days ago

started no23reason/react-qr-svg, 20 days ago

started papnkukn/qrcode-svg, 20 days ago

started jaredly/reason-language-server, 21 days ago

started miekg/rdup, 21 days ago

started jedisct1/libsodium, 21 days ago

started jesseduffield/lazygit, 21 days ago

started andreaskoch/allmark, 21 days ago

started ashald/EnvFile, 24 days ago

started nix-community/nix-direnv, 25 days ago

issue comment NixOS/nixpkgs

Manual page validation & generation is getting too slow

@Profpatsch Could you provide a reference to that?

Profpatsch

comment created a month ago

issue comment mailcow/mailcow-dockerized

smtpd_tls_cafile should be empty?

Ok, seems like I got this wrong. Thanks! Keep up the great work. :)

mbrgm

comment created a month ago

issue comment mailcow/mailcow-dockerized

smtpd_tls_cafile should be empty?

One thing I noticed after removing the line was that the logs now say 'untrusted connection from ...' instead of 'trusted connection from ...' on incoming connections. Do you know if this has any impact on e.g. spam score?

mbrgm

comment created a month ago

started StanfordSNR/guardian-agent, a month ago

started Festify/app, a month ago

issue opened mailcow/mailcow-dockerized

smtpd_tls_cafile should be empty?

  • [x] I understand, that not following or deleting the below instructions, will result in immediate closing and deletion of my issue.
  • [x] I have understood that answers are voluntary and community-driven, and not commercial support.
  • [x] I have verified that my issue has not been already answered in the past. I also checked previous issues.

Description of the bug:

I found this while trying to set up client certificate authentication with mailcow.

Postfix docs on smtpd_tls_CAfile say it should be empty when no client certificate authentication is used. As smtpd_tls_ask_ccert = no for mailcow, this should be the case. As far as I understand, while smtp_tls_CAfile is used for checking remote smtpd's certificates (which is why it is correctly set to the system CA certificates), smtpd_tls_CAfile is used for checking client certificates. Setting it to the system CA certificates could lead to a situation where any certificate signed by an official CA is accepted as a client. The more realistic use case would be to let admins set smtpd_tls_CAfile to their internal CA cert, which would then allow permit_tls_all_clientcerts for sending.

I would appreciate your feedback on this and could send a PR if this should be fixed.

Docker container logs of affected containers:

Not relevant.

Reproduction of said bug:

See the configuration at e.g. https://github.com/mailcow/mailcow-dockerized/blob/6a95d217b4e2d0efbb4449e2ecc3aed7148f1533/data/conf/postfix/main.cf#L107.

System information:

My operating system: Debian 10.4
Is Apparmor, SELinux or similar active? No
Virtualization technology (KVM, VMware, Xen, etc; LXC and OpenVZ are not supported): KVM
Server/VM specifications (Memory, CPU Cores): 2 Cores, 8GB Memory
Docker Version (docker version): 19.03.8
Docker-Compose Version (docker-compose version): 1.25.5
Reverse proxy (custom solution): -

created a month ago
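The distinction the issue draws (smtp_tls_CAfile verifies remote servers, smtpd_tls_CAfile verifies client certificates, and pairing a public CA bundle with permit_tls_all_clientcerts would let any publicly issued certificate act as an authorized client) can be checked mechanically against a main.cf. The following audit script is an added example, not mailcow's or Postfix's own code. The sample configurations it writes are constructed for the demonstration, and the list of paths it treats as "the system CA bundle" is an assumption about common distribution locations.

```shell
#!/bin/sh
# Added example, not mailcow's or Postfix's code: audit a Postfix main.cf for the
# smtpd_tls_CAfile / client-certificate interaction discussed in the issue.
# Assumption: the paths treated as "the system CA bundle" in audit_ccert are a guess
# at common locations; adjust them to the distribution in use.

# pf_get <main.cf> <parameter>: print the effective value of a main.cf parameter.
# Comments are skipped, the last assignment wins, and indented continuation lines
# are folded into the value, which is how Postfix reads the file.
pf_get() {
    awk -v k="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[^ \t]/ {                               # "name = value" starts a new parameter
            cur = $0; sub(/[ \t]*=.*/, "", cur)
            if (cur == k) { v = $0; sub(/^[^=]*=[ \t]*/, "", v) }
            next
        }
        cur == k { s = $0; sub(/^[ \t]+/, "", s); v = v " " s }   # continuation line
        END { sub(/^[ \t]+/, "", v); print v }
    ' "$1"
}

# audit_ccert <main.cf>: return 0 when the client-certificate settings are consistent,
# 1 for a needless trust anchor, 2 for the dangerous combination.
audit_ccert() {
    f="$1"; rc=0
    cafile=$(pf_get "$f" smtpd_tls_CAfile)
    ask=$(pf_get "$f" smtpd_tls_ask_ccert)

    # smtpd_tls_CAfile only matters for verifying client certificates. If the server
    # never asks for one (Postfix default: smtpd_tls_ask_ccert = no), the file is
    # dead weight and should be left empty, which is what the issue proposes.
    if [ -n "$cafile" ] && [ "${ask:-no}" = "no" ]; then
        echo "WARN: smtpd_tls_CAfile = $cafile but smtpd_tls_ask_ccert is not yes;" \
             "leave smtpd_tls_CAfile empty unless client certificates are verified"
        rc=1
    fi

    # The real hazard: a public CA bundle as the client trust anchor together with
    # permit_tls_all_clientcerts means anyone holding a certificate from any public CA
    # is treated as an authorized client.
    case "$cafile" in
        /etc/ssl/certs/ca-certificates.crt|/etc/pki/tls/certs/ca-bundle.crt)   # assumed bundle paths
            if grep -v '^[[:space:]]*#' "$f" | grep -q permit_tls_all_clientcerts; then
                echo "FAIL: permit_tls_all_clientcerts is used while smtpd_tls_CAfile" \
                     "is a public CA bundle; point it at the private CA that issues" \
                     "client certificates instead"
                rc=2
            fi
            ;;
    esac
    return $rc
}

# Constructed sample configurations (not taken from mailcow), one per scenario.
tmp=$(mktemp -d)
cat >"$tmp/mailcow.cf" <<'EOF'
smtpd_tls_ask_ccert = no
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
EOF
cat >"$tmp/fixed.cf" <<'EOF'
smtpd_tls_ask_ccert = no
smtpd_tls_CAfile =
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
EOF
cat >"$tmp/private_ca.cf" <<'EOF'
smtpd_tls_ask_ccert = yes
smtpd_tls_CAfile = /etc/postfix/internal-ca.pem
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_tls_all_clientcerts,
    reject_unauth_destination
EOF
cat >"$tmp/dangerous.cf" <<'EOF'
smtpd_tls_ask_ccert = yes
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_relay_restrictions = permit_tls_all_clientcerts, reject_unauth_destination
EOF

for name in mailcow fixed private_ca dangerous; do
    echo "== $name.cf"
    if audit_ccert "$tmp/$name.cf"; then echo "OK"; fi
done
```

The first sample mirrors the configuration the issue points at and draws the warning; the second is the proposed fix (empty smtpd_tls_CAfile) and passes; the third is the "internal CA plus permit_tls_all_clientcerts" setup the issue describes as the realistic use case and also passes; the fourth combines the public bundle with permit_tls_all_clientcerts and fails. On a live system, `postconf smtpd_tls_CAfile smtpd_tls_ask_ccert` gives the same effective values that pf_get extracts here from a file.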

started coreos/ignition, a month ago

started dexidp/dex, 2 months ago

started taroved/pol, 2 months ago

started kmwoley/restic-windows-backup, 2 months ago

started reasonml-community/reductive, 2 months ago

started muesli/beehive, 3 months ago

issue opened NixOS/nixops-libvirtd

Allow running libvirtd deployments on remote hosts

It would be helpful to have the ability to run a libvirtd deployment on a remote host.

created 3 months ago

started knupfer/dotfiles, 3 months ago

issue comment restic/restic

Unencrypted backups

+1 for no encryption

this would be useful

Please use the thumbs up feature on the original issue instead of '+1'-ing to avoid flooding watchers' inboxes. Thank you!

teknico

comment created 3 months ago

issue comment atlassian/react-beautiful-dnd

React native support?

I too would be interested in this.

Please +1 on the original issue instead of replying to avoid spamming watchers' inboxes. Thanks!

vedant17

comment created 3 months ago

started jiahaog/nativefier, 3 months ago

started Edinburgh-Genome-Foundry/blabel, 3 months ago
