[GF-Users] Postfix TLSRPT

Peter peter at pajamian.dhs.org
Mon Jun 16 21:23:50 MST 2025


On 17/06/25 08:52, Michael Webb wrote:
> Hi Peter
> 
> Thank you so much for getting this out so promptly. Good job. I agree with Luca. Seems like EL does not have "u!" option for sysusers.d. I replaced mine with "u" (using Rocky 9.6).

I just grabbed the file from arch, I'll change it to "u".

> I notice you are putting some of your libraries in different locations to the postfix compiler defaults. The default shared library is located at /usr/local/lib/postfix/{mailver} but maybe does not matter if it was all compiled a specific way.

/usr/local is for when you do a source install.  When libraries are 
packaged they go in /usr/lib (or lib64).  They are in the correct place 
for a packaged library and I build postfix to look for them there as 
well so it should all line up.

> I did compile the whole thing (postfix, postfix-tlspol, tlsrpt, and tlsrpt-reporter) myself and installed each as custom packages on another test VM and have it all working with one domain to prove it does. However, on gf Postfix3 with both gf tlsrpt-reporter and my own tlsrpt-reporter pkg, the only thing that I can't get working is the postfix connection to the tlsrpt-collectd.socket.
> 
>         "warning: Could not report TLS handshake result to tlsrpt library: Permission denied (errno 13)"
> 
> Coincidentally I got the same error in my self-compiled system and I resolved by setting "socketmode = 0777" in collectd.cfg but it does not seem to help on the gf postfix install. I will keep looking and testing and report back if I find anything.

It's generally not a good idea to set perms to 777; we should look at 
the user and group settings on the socket and go from there.


Peter

> 
> My configs are:

If I get the chance I'll compare with the configs that are shipped.

> For my working system, these are the compile settings I used. (Same app configs as above.)
> 
> make -f Makefile.init makefiles shared=yes shlib_directory=/usr/local/lib/postfix/MAIL_VERSION CCARGS="-DUSE_TLS -DUSE_TLSRPT -I/usr/local/include -I/usr/include -DHAS_LDAP -DHAS_PCRE=2 `pcre2-config --cflags` -DHAS_MYSQL -I/usr/include/mysql/" "AUXLIBS=-L/usr/lib64 -lssl -lcrypto -L/usr/local/lib -Wl,-rpath,/usr/local/lib -ltlsrpt" AUXLIBS_PCRE="`pcre2-config --libs8`" AUXLIBS_MYSQL="-L/usr/lib64/mysql -lmysqlclient -lz -lm" AUXLIBS_LDAP="-L/usr/lib64 -lldap -L/usr/lib64 -llber"

From mock's build.log:

+ make -f Makefile.init makefiles pie=yes shared=yes dynamicmaps=yes 
'CCARGS=-fstack-protector -DHAS_LDAP -DUSE_LDAP_SASL -DLDAP_DEPRECATED=1 
-DHAS_LMDB -DHAS_PCRE -I/usr/include/pcre -DHAS_MYSQL 
-I/usr/include/mysql -DHAS_PGSQL -I/usr/include/pgsql -DHAS_SQLITE 
-DHAS_CDB -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/include/sasl -DUSE_TLS 
  -DUSE_TLSRPT -DNO_NIS -DDEF_CONFIG_DIR=\"/etc/postfix\" ' 'AUXLIBS= 
-L/usr/lib64/sasl2 -lsasl2 -lssl -lcrypto  -ltlsrpt -Wl,-z,relro' 
'AUXLIBS_LDAP=-lldap -llber' AUXLIBS_LMDB=-llmdb AUXLIBS_PCRE=-lpcre 
'AUXLIBS_MYSQL=-L/usr/lib64/mariadb -lmysqlclient -lm' 
AUXLIBS_PGSQL=-lpq 'AUXLIBS_SQLITE=-lsqlite3 -lpthread' 
AUXLIBS_CDB=-lcdb DEBUG= 'OPT=-O2 -flto=auto -ffat-lto-objects 
-fexceptions -g -grecord-gcc-switches -pipe -Wall 
-Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 
-Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 
-fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 
-m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables 
-fstack-clash-protection -fcf-protection -Wno-comment'
...
+ make -j16

> # and then,
> make package

+ make non-interactive-package POSTFIX_INSTALL_OPTS=-keep-build-mtime 
install_root=/builddir/build/BUILDROOT/postfix3-3.10.2-3.gf.el9.x86_64 
config_directory=/etc/postfix daemon_directory=/usr/libexec/postfix 
command_directory=/usr/sbin queue_directory=/var/spool/postfix 
data_directory=/var/lib/postfix sendmail_path=/usr/sbin/sendmail.postfix 
newaliases_path=/usr/bin/newaliases.postfix 
mailq_path=/usr/bin/mailq.postfix mail_owner=postfix 
setgid_group=postdrop manpage_directory=/usr/share/man 
sample_directory=/usr/share/doc/postfix3-3.10.2/samples 
readme_directory=/usr/share/doc/postfix3-3.10.2/README_FILES


Peter
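
The check suggested in the reply above (look at the socket's user and group instead of setting mode 0777), as an added example that is not part of the original message or of the packaged software. The `tlsrpt` owner and group names and the sample modes are constructed assumptions; on Linux, connecting or sending to a Unix socket needs the write bit for the permission class that applies to the caller.

```shell
#!/bin/sh
# Added example (not from the original thread). Works out which permission
# class (owner, group, other) applies to a user on a Unix socket and whether
# that class has the write bit needed to connect to the socket on Linux.
# Search (x) permission on every parent directory is also required.

# has_write DIGIT -> exit 0 if the octal permission digit includes write (2)
has_write() {
    [ $(( $1 & 2 )) -ne 0 ]
}

# socket_verdict MODE OWNER GROUP USER "USER_GROUPS"
# Prints "ok:<class>" or "denied:<class>", with " world-writable" appended
# when the other-write bit is set (any local user could then write to it).
socket_verdict() {
    _mode=$1 _owner=$2 _group=$3 _user=$4 _ugroups=$5
    _perm=${_mode#"${_mode%???}"}      # last three octal digits
    _o=${_perm%??}                      # owner digit
    _t=${_perm#?}; _g=${_t%?}           # group digit
    _w=${_perm#??}                      # other digit

    # Unix applies only the first matching class, never a union of them.
    _class=other _digit=$_w
    if [ "$_user" = "$_owner" ]; then
        _class=owner _digit=$_o
    else
        for _m in $_ugroups; do
            if [ "$_m" = "$_group" ]; then _class=group _digit=$_g; fi
        done
    fi

    if has_write "$_digit"; then _res="ok:$_class"; else _res="denied:$_class"; fi
    if has_write "$_w"; then _res="$_res world-writable"; fi
    echo "$_res"
}

# check_socket PATH USER: same verdict for a real socket (needs GNU stat).
check_socket() {
    _st=$(stat -c '%a %U %G' "$1") || return 1
    set -- "$2" $_st                    # $1=user $2=mode $3=owner $4=group
    socket_verdict "$2" "$3" "$4" "$1" "$(id -Gn "$1")"
}

# Constructed case: socket owned by a hypothetical tlsrpt:tlsrpt, mode 0660,
# checked for a postfix user that is not in the tlsrpt group.
socket_verdict 0660 tlsrpt tlsrpt postfix "postfix mail"
```

A `denied:other` verdict for the `postfix` user points at the socket's group or the user's group membership as the thing to adjust, while `world-writable` flags the 0777 workaround.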


