Postfix 3.4

[IPTRACE]

Hello All!

Does someone know when we can expect the Postfix branch version 3.4 in ports tree?
The software is already ready since end of February and current version is 3.4.5 .
I do not want to install by myself from source. The old one 3.3.4 is legacy release and is availbale from ports of course.

Thank you for any replies.

 

[SirDice]

Does someone know when we can expect the Postfix branch version 3.4 in ports tree?

Ask the maintainer.

 

[Remington]

There is mail/postfix-current which is 3.4

 

[usdmatt]

Obviously it appears there is postfix-current which is version 3.4, but just to play devils advocate, do you have a specific need for the latest version? 3.3.4 still appears to be supported and was last updated in the ports tree just a few days ago.

 

[IPTRACE]

Yes, TLSv1.3 . After upgrade to release 3.3.x this protocol has been "locked" due to some issues.
By the way, I do not think so the postfix/postfix-3.4-20190106.tar.gz is the newest release, I mean 3.4.5 .

 

[usdmatt]

Are there any change logs on 1.3 being locked? The release notes tend to suggest Postfix supports whatever the OpenSSL library does and I can't find any reports of 1.3 being disabled. It seems to work fine on one of my 12.0 systems that has just been upgraded to the latest quarterly packages. (This is using postfix-sasl which appears to be 3.3.3, but the notes on mail/postfix for 3.3.4 don't mention any tls issues).

 # openssl s_client -connect localhost:25 -starttls smtp
CONNECTED(00000003)
... snip ...
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
... snip ...
ehlo localhost
250-hostname
250-PIPELINING
250-SIZE 51200000
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
quit
221 2.0.0 Bye
closed

 

[IPTRACE]

Ok, it looks like it's started to work with TLSv1.3 on 3.3.4 .
Anyway, BDAT is useful as well and more or less supporting SNI in branch release 3.4.x .
But for now, TLS is more important for me and it works.

 

[IPTRACE]

By the way, I have a client with Windows 10 Home+Office 365 and Outlook tries to use TLSv1.3 but it does not work.
E-mail doesn't send. Any suggestions?

postfix/submission/smtpd[33592]: Anonymous TLS connection established from client1.150 [192.168.0.150]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256

I'm a bit confused because Microsoft does not support TLSv1.3 and even if they support, it does not work.

 

[IPTRACE]

Weird, after a few attempt Outlook sent e-mail using TLSv1.3 .
Then I've tried to send again and e-mail has been sent immediately.

 

[xtaz]

That says that the connection is established. Which means it's not a TLS problem. It's something after that. For what it's worth I'm using TLSv1.3 on Postfix 3.3.4 with no problems at all.

 

[IPTRACE]

I will wait for May 2019 Windows 10 Pro upgrade. Maybe, Microsoft will provide support for TLSv1.3 .
What client MUA and OS do you use to send e-mail using TLSv1.3 ?

 

[usdmatt]

Do you get any errors on the client or in the mail log? I would at least expect something on the server if the connection failed.
As mentioned the message above seems to suggest that it negotiated a TLS connection successfully. If anything fails you should get a reason.

My SMTP servers don't happen to support 1.3 yet (they're still on 11.x branch), but I wouldn't expect clients to start failing once I upgrade. They'll either use 1.3 if they support it or negotiate 1.2/1.1 otherwise. You client should be negotiating a version it supports (unless you've limited Postfix to just 1.3 - but in that case I'd expect the connection to fail to negotiate completely rather than appear to negotiate 1.3 but not send the email)

What client MUA and OS do you use to send e-mail using TLSv1.3 ?

In all honesty I don't get the obsession with 1.3. It's still a new standard that's not supported that widely, and there isn't anyone that is currently requiring more than 1.2, even in high security environments. I wouldn't jump through hoops trying to find a specific client or OS for it. I suspect most people on here are using the client they prefer, regardless of the TLS version it uses.

 

[IPTRACE]

On the client timeout (even if I set 10 minutes delay to send) on the server connection closed by the client.
The problem is I have one MUA Windows10Home+Outlook from Office 365 that starts negotiating TLSv1.3 even I do not see any information about this protocol in Windows system configuration.

The weird thing is that after several hours such e-mail is sent using TLSv1.3, example after 30 attempts.