[GF-Users] Postfix TLSRPT

Michael Webb michael.webb at integrilog.com
Mon Jun 16 13:52:34 MST 2025


Hi Peter

Thank you so much for getting this out so promptly. Good job. I agree with Luca. Seems like EL does not have "u!" option for sysusers.d. I replaced mine with "u" (using Rocky 9.6). I notice you are putting some of your libraries in different locations to the postfix compiler defaults. The default shared library is located at /usr/local/lib/postfix/{mailver} but maybe does not matter if it was all compiled a specific way.

I did compile the whole thing (postfix, postfix-tlspol, tlsrpt, and tlsrpt-reporter) myself and installed each as custom packages on another test VM and have it all working with one domain to prove it does. However, on gf Postfix3 with both gf tlsrpt-reporter and my own tlsrpt-reporter pkg, the only thing that I can't get working is the postfix connection to the tlsrpt-collectd.socket.  

       "warning: Could not report TLS handshake result to tlsrpt library: Permission denied (errno 13)"

Coincidentally I got the same error in my self-compiled system and I resolved it by setting "socketmode = 0777" in collectd.cfg but it does not seem to help on the gf postfix install. I will keep looking and testing and report back if I find anything.

My configs are:
[tlsrpt_collectd]
storage = sqlite:///var/lib/tlsrpt/tlsrpt-collectd.sqlite
logfilename = /var/log/tlsrpt/tlsrpt-collectd.log
socketname = /run/tlsrpt/tlsrpt-collectd.socket
socketmode = 0777
socketgroup = postfix
pidfilename = /run/tlsrpt/tlsrpt-collectd.pid
socketuser = tlsrpt
dump_path_for_invalid_datagram = /tmp/debug-payload
log_level = debug

[main.cf]
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy socketmap:inet:127.0.0.1:8642:QUERYwithTLSRPT
smtp_tlsrpt_enable = yes
smtp_tlsrpt_socket_name = /run/tlsrpt/tlsrpt-collectd.socket

tlsrpt-collectd.service
-----------------------------------------------------------------------------------------
[Unit]
Description=tlsrpt-collectd agent to collect TLSRPT reports
After=network.target

[Service]
ExecStart=/usr/bin/tlsrpt-collectd --config_file /etc/tlsrpt/collectd.cfg
PrivateDevices=true
PrivateTmp=true
ProtectSystem=true
Restart=always
User=tlsrpt
Group=postfix
LogsDirectory=tlsrpt
StateDirectory=tlsrpt
RuntimeDirectory=tlsrpt
ConfigurationDirectory=tlsrpt

[Install]
WantedBy=multi-user.target
---------------------------------------------------------------------------------------------

For my working system, these are the compile settings I used. (Same app configs as above.)

make -f Makefile.init makefiles shared=yes shlib_directory=/usr/local/lib/postfix/MAIL_VERSION CCARGS="-DUSE_TLS -DUSE_TLSRPT -I/usr/local/include -I/usr/include -DHAS_LDAP -DHAS_PCRE=2 `pcre2-config --cflags` -DHAS_MYSQL -I/usr/include/mysql/" "AUXLIBS=-L/usr/lib64 -lssl -lcrypto -L/usr/local/lib -Wl,-rpath,/usr/local/lib -ltlsrpt" AUXLIBS_PCRE="`pcre2-config --libs8`" AUXLIBS_MYSQL="-L/usr/lib64/mysql -lmysqlclient -lz -lm" AUXLIBS_LDAP="-L/usr/lib64 -lldap -L/usr/lib64 -llber"

# and then,
make package


Mike
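
One cause of errno 13 on a Unix socket is a missing search bit on a directory in the socket path or a missing write bit on the socket file. As an added example (not part of the original post, and not tlsrpt or Postfix code), this Python check evaluates those mode bits for a given uid and group set and flags a world-writable socket such as the 0777 setting. It covers classic mode bits only, not ACLs or SELinux; the client uid, groups and temp-dir socket in demo() are constructed.

```python
import os, socket, stat, tempfile

def allowed(st, uid, gids, want):
    """Classic POSIX mode check: owner, else group, else other; first match decides."""
    if uid == 0:
        return True                      # root bypasses mode bits
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return (bits & want) == want

def audit_socket(path, uid, gids):
    """Return (path, problem) findings for a client uid/gids sending to a Unix socket."""
    findings, cur = [], os.sep
    for part in os.path.abspath(path).split(os.sep)[1:-1]:
        cur = os.path.join(cur, part)
        if not allowed(os.stat(cur), uid, gids, 0o1):    # search (x) on every directory
            findings.append((cur, "no search permission"))
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        findings.append((path, "not a socket"))
    if not allowed(st, uid, gids, 0o2):                  # write (w) on the socket file
        findings.append((path, "no write permission"))
    if st.st_mode & 0o002:
        findings.append((path, "world-writable"))
    return findings

def demo():
    """Constructed sample: a datagram socket in a temp dir, audited for a made-up client."""
    d = os.path.abspath(tempfile.mkdtemp())
    p = os.path.join(d, "collectd.socket")
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    s.bind(p)
    client = os.stat(p).st_uid + 4242                    # hypothetical uid, not the owner
    grp = {os.stat(p).st_gid, os.stat(d).st_gid}         # client shares the socket's group
    out = {}
    for name, dmode, smode, gids in [("0660 in group", 0o750, 0o660, grp),
                                     ("0660 not in group", 0o750, 0o660, set()),
                                     ("0777", 0o755, 0o777, set())]:
        os.chmod(d, dmode); os.chmod(p, smode)
        out[name] = [f for f in audit_socket(p, client, gids) if f[0] in (d, p)]
    s.close(); os.unlink(p); os.rmdir(d)
    return out

if __name__ == "__main__":
    print(demo())
```
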

-----Original Message-----
From: users-bounces at lists.ghettoforge.org <users-bounces at lists.ghettoforge.org> On Behalf Of Luca vom Bruch
Sent: Monday, June 16, 2025 11:21 AM
To: 'GhettoForge Users mailing list' <users at lists.ghettoforge.org>
Subject: Re: [GF-Users] Postfix TLSRPT

Hi Peter,

I get this:

Preparing        :                             1/1 
  Running scriptlet: tlsrpt-reporter-0.5.0-1.g   1/1 
  Installing       : tlsrpt-reporter-0.5.0-1.g   1/1 
  Running scriptlet: tlsrpt-reporter-0.5.0-1.g   1/1 
/usr/lib/sysusers.d/tlsrpt.conf:1: Unknown modifier 'u!'.

/usr/lib/tmpfiles.d/tlsrpt.conf:1: Failed to resolve user 'tlsrpt': No such process
/usr/lib/tmpfiles.d/tlsrpt.conf:2: Failed to resolve user 'tlsrpt': No such process
/usr/lib/tmpfiles.d/tlsrpt.conf:3: Failed to resolve user 'tlsrpt': No such process

  Verifying        : tlsrpt-reporter-0.5.0-1.g   1/1 

Installed:
  tlsrpt-reporter-0.5.0-1.gf.el9.x86_64              

Complete!

It creates a user group tlsrpt but not the user. 

Without the user the services don’t start.  

With the user the last 3 errors disappear but the u! one remains, not sure what it means, or if it will work anyway. 

Currently testing it with postfix. 

Luca




-----Original Message-----
From: users-bounces at lists.ghettoforge.org <users-bounces at lists.ghettoforge.org> On Behalf Of Peter
Sent: Monday, 16 June 2025 07:26
To: users at lists.ghettoforge.org
Subject: Re: [GF-Users] Postfix TLSRPT

tlsrpt-reporter is now built and in Ghettoforge.


Peter


On 15/06/25 15:07, Peter wrote:
> Well the arch sources have a PKGBUILD file which shows how they build 
> it, plus they have systemd.service files which will also be a huge help.
> I can likely create a spec file that does what PKGBUILD does and 
> get something built from there.
> 
> 
> Peter
> 
> 
> On 15/06/25 15:01, Peter wrote:
>> Possibly, I might look at the arch package and see if I can rebuild that.
>>
>>
>> Peter
>>
>>
>> On 15/06/25 01:35, Luca vom Bruch wrote:
>>> Thank you very much for your work Peter.
>>>
>>> Does anyone have experience with setting up tlsrpt-reporter for it? 
>>> Can I cannibalize the arch package as a template for rhel?
>>>
>>> Luca
>>>
>>>
>>> -----Original Message-----
>>> From: users-bounces at lists.ghettoforge.org
>>> <users-bounces at lists.ghettoforge.org> On Behalf Of Peter
>>> Sent: Saturday, 14 June 2025 09:12
>>> To: users at lists.ghettoforge.org
>>> Subject: Re: [GF-Users] Postfix TLSRPT
>>>
>>> New packages have been pushed out with TLSRPT support.
>>>
>>>
>>> Peter
>>>
>>>
>>> On 26/05/25 12:17, Peter wrote:
>>>>
>>>>
>>>> On 26/05/25 05:37, Michael Webb wrote:
>>>>> After compiling libtlsrpt on Rocky 9.5, I was able to compile Postfix
>>>>> 3.10.2 with the TLSRPT option without tlsrpt-reporter installed. It
>>>>> seems to me that as long as TLSRPT option is compiled with postfix3,
>>>>> then for the tlsrpt-reporter, as for other 3rd party packages (like
>>>>> opendmarc, amavisd, spamassassin etc), users will need to accept
>>>>> that it needs to be installed in addition to postfix3 and maintained
>>>>> separately if they want to enable it.
>>>>
>>>> Indeed, but I would like to offer it on GF so those users don't 
>>>> have to install it from source.
>>>>
>>>>
>>>> Peter
>>>>
>>>> _______________________________________________
>>>> users mailing list
>>>> users at lists.ghettoforge.org
>>>> http://lists.ghettoforge.org/mailman/listinfo/users