[GF-Users] tlsrpt-reporter
Peter
peter at pajamian.dhs.org
Mon Sep 29 14:23:33 MST 2025
On 28/09/25 03:21, Michael Webb wrote:
> Thank you. Not sure if you saw a previous email that I have changed the way I use this package so it is harder for me to test all the options you have created. The upstream design template assumes that each postfix host will have its own tls report database. Problem is that the rfc allows for only one report per day and it is possible that if load balancing / alternate mx's are used that multiple tls reports will be generated from each tlsrpt-reporter instance. I noticed that Microsoft only accepts one report from each email domain. Instead, I have a single tlsrpt-reporter installed on a dedicated host and use socat to connect postfix to its socket.
It would be nice if tlsrpt-reporter would have a native way to configure
it to listen on an inet socket and then it would be easy to configure
postfix to connect to it on a different host directly.
All that said, this is not a "standard" configuration so it would not be
prudent to add selinux policies for this usage case, but rather an admin
who wants to use tlsrpt-reporter in this way should create the policies
himself.
> I still have to run "semanage permissive -a postfix_smtp_t" on the postfix machine to allow postfix general access to socat,
Unfortunately this is kind of the sledge hammer approach to fixing the
issue and has the side-effect of disabling all selinux protections on
the postfix smtp service.
I would recommend instead to look at the specific denials and run the
audit2why utility on them for suggestions on the best approach to fixing
the issue with less collateral damage.
> and because a unit file is custom, I now also have to use systemctl edit to override part of your install.
I take it the customizations have to do with running socat and
maintaining those connections? Are there any parts of your
customizations that might be reasonable to add to the general package?
If so I would be happy to consider them.
> It is a new package and I am grateful that we have something working, but I think some discussion is needed between us and upstream developers to help to standardize this a little better. To me the semanage will be system specific, so I don't think we need to include all the options, but rather just document different examples at the upstream level just like other packages do. I do agree that my usage is not the most secure implementation, but I will eventually seek out an example how to make a custom permissive secure for my config.
Indeed. I want to support the most common configurations fully with
selinux policies included in the -selinux package for them, but for more
obscure configurations such as yours getting it to work with selinux is
an exercise best left to the admin.
As an additional note:
tlsrpt-reporter is now just a meta-package, all it does is pull in both
tlsrpt-reporter-core and tlsrpt-reporter-selinux as dependencies.
tlsrpt-reporter-core now contains what tlsrpt-reporter used to contain,
so it should work the same as the old tlsrpt-reporter package.
tlsrpt-reporter-selinux contains the selinux module that is needed for
postfix to work with tlsrpt-reporter. This module creates a new selinux
type of tlsrpt_var_run_t, sets the directory /var/run/tlsrpt and all
files under that directory to the new type, then allows postfix to write
to socket files in that directory.
In your case you may want to just install tlsrpt-reporter-core so you
don't get the selinux stuff, mainly because you don't need the selinux
stuff on the tlsrpt-reporter host (it needs to be on the postfix host).
It might help to install tlsrpt-reporter-selinux on the postfix hosts
but currently that has a require set for tlsrpt-reporter-core which you
don't want on those hosts. If you think this might be helpful I can
rebuild the package without the tlsrpt-reporter-core requirement so you
can just install the -selinux package on the postfix boxes. This way if
you configure socat to place the socket files in the same directory as
tlsrpt-reporter (/var/run/tlsrpt) it should fix the selinux issues with
postfix on the postfix hosts.
Peter
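Added example, not code from the tlsrpt-reporter packages or from upstream: a refpolicy-style module with the shape described above (a new tlsrpt_var_run_t type, the socket directory labeled with it, and postfix_smtp_t allowed to write socket files there), written as the steps an admin would run. Assumed: the selinux-policy-devel build tools and the distribution's postfix_smtp_t domain; /run/tlsrpt is the same directory as /var/run/tlsrpt on systemd hosts.

```shell
#!/bin/sh
# Added example, not the -selinux subpackage's own module. Assumes
# selinux-policy-devel (refpolicy Makefile) and postfix_smtp_t exist.
set -eu

workdir="${1:-$(mktemp -d)}"

# Write the two policy sources: type enforcement (.te) and file contexts (.fc).
write_policy_sources() {
    dir="$1"
    cat > "$dir/tlsrpt.te" <<'EOF'
policy_module(tlsrpt, 1.0.0)

require {
    type postfix_smtp_t;
}

# Label for the reporter socket directory and everything below it.
type tlsrpt_var_run_t;
files_pid_file(tlsrpt_var_run_t)

# postfix smtp(8): traverse the directory and write to the socket file in it.
allow postfix_smtp_t tlsrpt_var_run_t:dir search_dir_perms;
allow postfix_smtp_t tlsrpt_var_run_t:sock_file { getattr write };
# The domain that owns the socket (socat or the reporter daemon) may also need
# a unix-socket sendto/connectto rule; take that from audit2why, do not guess.
EOF
    # /var/run is a symlink to /run on systemd hosts, so label under /run.
    cat > "$dir/tlsrpt.fc" <<'EOF'
/run/tlsrpt(/.*)?    gen_context(system_u:object_r:tlsrpt_var_run_t,s0)
EOF
}

# Build, load and apply the labels (needs root and the policy devel tools).
build_and_install() {
    dir="$1"
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile tlsrpt.pp )
    semodule -i "$dir/tlsrpt.pp"
    restorecon -Rv /run/tlsrpt
}

write_policy_sources "$workdir"
if [ -f /usr/share/selinux/devel/Makefile ]; then
    build_and_install "$workdir"
else
    echo "policy sources written to $workdir (install selinux-policy-devel to build)"
fi
```

Run it as root on the postfix host; with socat placing its socket under /run/tlsrpt, audit2why on any remaining AVC denials shows which peer-socket rules still need adding.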