[GF-Users] Postfix TLSRPT

Michael Webb michael.webb at integrilog.com
Wed Jun 18 16:25:44 MST 2025


Luca

> I also get: postfix/smtp[2795346]: warning: Could not report TLS handshake result to tlsrpt library: No such file or directory (errno 2)

This happens when the socket file is missing. After random periods, I also notice the socket file is missing even though tlsrpt-collectd.service is still running. After I restart the service the problem goes away for a while. Can't find what is causing the socket file to disappear, but am considering making a cron job to periodically check for the socket and restart the service if missing.


> Should I add tlsrpt user to postdrop group?

Mine is working with only postfix a member of the tlsrpt group.

usermod -G tlsrpt postfix

See the output below
[root at mx02 ~]# cat /etc/group | grep post
postdrop:x:90:
postfix:x:89:
tlsrpt:x:1001:postfix

I think you may have either mixed 2 different postfix builds or do not have the correct executable permissions for /usr/sbin/postdrop.  The postdrop problem you describe happened to me when I uninstalled postfix3 and then copied in my own postfix build. The /usr/sbin/postdrop file I had was somehow pointing to the wrong library locations. I fixed it by replacing postconf from another working postfix3 machine and copying the shared libraries from that machine to /usr/lib/postfix/

Mike
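A watchdog along the lines of the cron job mentioned above, added here as an example; it is not code from this thread or from the tlsrpt-reporter package. The socket path and unit name are the ones quoted in the thread and can be overridden through the environment; the script name tlsrpt-watchdog.sh and the logger tag are assumptions. The decision logic is kept separate from the systemctl calls so it can be exercised without systemd.

```shell
#!/bin/sh
# tlsrpt-watchdog.sh (added example, not from the thread or the package):
# run from cron; if the collectd socket file is gone, restart the collector.
# Defaults are assumptions taken from the thread; override via environment.
TLSRPT_SOCKET="${TLSRPT_SOCKET:-/var/spool/postfix/tlsrpt/tlsrpt-collectd.sock}"
TLSRPT_SERVICE="${TLSRPT_SERVICE:-tlsrpt-collectd.service}"

# socket_present PATH: succeed only if PATH exists and is a unix socket.
# A regular file or directory left at that path counts as missing, since
# postfix cannot connect to it either.
socket_present() {
    [ -S "$1" ]
}

# decide_action SOCKET_STATE SERVICE_STATE: pure decision logic.
# SOCKET_STATE is present|missing, SERVICE_STATE is active|inactive.
# Prints one of: ok, restart, start. Returns 1 on unexpected input.
decide_action() {
    case "$1:$2" in
        present:*)        echo ok ;;
        missing:active)   echo restart ;;
        missing:inactive) echo start ;;
        *) echo "decide_action: unexpected state '$1:$2'" >&2; return 1 ;;
    esac
}

# check_and_repair SOCKET UNIT: one watchdog pass.
# Returns 0 when the socket is present, 1 after issuing a restart/start,
# 2 if the state could not be classified.
check_and_repair() {
    sock="$1"; unit="$2"
    if socket_present "$sock"; then sstate=present; else sstate=missing; fi
    if systemctl is-active --quiet "$unit"; then ustate=active; else ustate=inactive; fi
    action=$(decide_action "$sstate" "$ustate") || return 2
    case "$action" in
        ok) return 0 ;;
        restart|start)
            # The syslog line gives a timestamp to correlate with the
            # collectd journal when hunting for why the socket vanished.
            logger -t tlsrpt-watchdog "socket $sock $sstate, $unit $ustate: issuing $action"
            systemctl "$action" "$unit"
            return 1 ;;
    esac
}

# Only act when invoked as the installed script, not when sourced for tests.
case "$0" in
    *tlsrpt-watchdog*) check_and_repair "$TLSRPT_SOCKET" "$TLSRPT_SERVICE" ;;
esac
```

Installed as /usr/local/sbin/tlsrpt-watchdog.sh (an assumed path) it can be run from a root crontab entry such as `*/5 * * * * root /usr/local/sbin/tlsrpt-watchdog.sh`. It only treats the symptom; the "issuing restart" lines it leaves in syslog are what to line up against the collector's own log to find the actual cause of the socket disappearing.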

-----Original Message-----
From: users-bounces at lists.ghettoforge.org <users-bounces at lists.ghettoforge.org> On Behalf Of Luca vom Bruch
Sent: Wednesday, June 18, 2025 3:24 AM
To: 'GhettoForge Users mailing list' <users at lists.ghettoforge.org>
Subject: Re: [GF-Users] Postfix TLSRPT

Personally I have selinux disabled.

I am now sending out the tls report email okay. 

But just testing running tlsrpt-reportd.service as root. 

This is as far as I got:

to start in postfix main.cf (using postfix-tlspol)

smtp_tlsrpt_enable = yes
smtp_tlsrpt_socket_name = tlsrpt/tlsrpt-collectd.sock
smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8642:QUERYwithTLSRPT

( relative path setting for /var/spool/postfix/tlsrpt/tlsrpt-collectd.sock )

The folder is tlsrpt:tlsrpt and the socket gets created as tlsrpt:postfix

I believe that part works fine. 

I enter this path in the tlsrpt-reporter config file. (collectd.cfg) And I also adjust the email and domain details in the other config file (reportd.cfg)

Example output in maillog:

postfix/smtp[3006488]: TLSRPT: status=success, domain=google.com, receiving_mx=smtp.google.com[142.250.102.27]

I also get: postfix/smtp[2795346]: warning: Could not report TLS handshake result to tlsrpt library: No such file or directory (errno 2)

But seems to have gone away for now.

if the reportd service runs as user tlsrpt I get: 

tlsrpt-reportd[3655077]: postdrop: warning: mail_queue_enter: create file maildrop/371734.3655077: Permission denied

/var/spool/postfix/maildrop is there as postfix:postdrop

Should I add tlsrpt user to postdrop group? 

Luca


-----Original Message-----
From: users-bounces at lists.ghettoforge.org
<users-bounces at lists.ghettoforge.org> On Behalf Of Peter
Sent: Wednesday, June 18, 2025 09:43
To: users at lists.ghettoforge.org
Subject: Re: [GF-Users] Postfix TLSRPT

Okay, so I think the proper way to do this is:

Create a new selinux type: system_u:object_r:tlsrpt_var_run_t and set context for /var/run/tlsrpt to that type.

Create a new policy allowing write and sendto for postfix_smtp_t to tlsrpt_var_run_t.

That should allow postfix to access the socket properly without blowing out access to a bunch of other files as well.

This is a bit of advanced selinux for me so I'll work it out over the next day or so and add it to the tlsrpt-reporter package so it gets installed in %post.


Peter


On 18/06/25 16:18, Peter wrote:
> Actually I'll just put a note in a README file about it.  I don't want 
> to open up those particular params by default.
> 
> I might be able to set the context of the socket to postfix_smtp_t, though.
> 
> 
> Peter
> 
> 
> On 18/06/25 15:48, Peter wrote:
>> I'll add the selinux module to the tlsrpt-reporter package, thanks.
>>
>> The original spec file was "stolen" from Fedora, but has been greatly 
>> modified over several years by me, so not all of the credit goes to GF.
>> Also keep in mind that those are the actual make commands sent by 
>> rpmbuild but a lot of it is compiled in the spec file and doesn't 
>> actually look that complex or explicit.
>>
>>
>> Peter Ajamian
>>
>>
>> On 17/06/25 21:11, Michael Webb wrote:
>>> Peter. Agreed, thank you. 0777 is a bad idea, but my point was more
>>> that there is something else going on beyond regular file permissions
>>> preventing the socket connection on your build. I have since found
>>> that selinux is blocking the connection.
>>>
>>> From my selinux audit log:
>>> ------------------------------------
>>> type=AVC msg=audit(1750140768.442:846): avc:  denied  { write } for pid=3168 comm="smtp" name="tlsrpt-collectd.socket" dev="tmpfs" ino=1223 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
>>>
>>> I then confirmed postfix_smtp_t is the culprit
>>> audit2allow -a
>>> #============= postfix_smtp_t ==============
>>> allow postfix_smtp_t unconfined_service_t:unix_dgram_socket sendto;
>>> allow postfix_smtp_t var_run_t:sock_file write;
>>>
>>> #After setting the following, the gf postfix connection is working
>>> normally (with 0660) (and I can retire my custom build, yay)
>>> semanage permissive -a postfix_smtp_t
>>>
>>>
>>> Thanks also for sharing your compiler info in previous email. It was
>>> very informative to see how much more you are doing with your build,
>>> folder path selection and how you also use it to make the build rpm
>>> ready. I truly appreciate how much TLC has gone into the project.
>>> Huge thank you!
>>>
>>> Mike
>>>
>>> -----Original Message-----
>>> From: users-bounces at lists.ghettoforge.org
>>> <users-bounces at lists.ghettoforge.org> On Behalf Of Peter
>>> Sent: Monday, June 16, 2025 10:40 PM
>>> To: users at lists.ghettoforge.org
>>> Subject: Re: [GF-Users] Postfix TLSRPT
>>>
>>> On 17/06/25 16:23, Peter wrote:
>>>>> Coincidentally I got the same error in my self-compiled system and
>>>>> I resolved it by setting "socketmode = 0777" in collectd.cfg but it
>>>>> does not seem to help on the gf postfix install. I will keep looking
>>>>> and testing and report back if I find anything.
>>>>
>>>> It's generally not a good idea to set perms to 777, we should look 
>>>> at the user and group settings on the socket and go from there.
>>>
>>> Try this:
>>> socketmode = 0660
>>> socketgroup = postfix
>>> socketuser = tlsrpt
>>>
>>> ...also try with 0666 and 0770 and let me know which combinations work.
>>>
>>>
>>> Peter
>>>
>>> _______________________________________________
>>> users mailing list
>>> users at lists.ghettoforge.org
>>> http://lists.ghettoforge.org/mailman/listinfo/users