reuse was broken for configurations that use explicit trust
anchors. Reported by Thorsten Habich. Fixed by calling DANE
initialization unconditionally (WTF). File: tlsproxy/tlsproxy.c.
+
+20200626
+
+ Typo: in postconf(5) documentation, AAAAA should be AAAA.
+ Christian Franke. File: proto/postconf.proto.
+
+ Bugfix (introduced: Postfix 2.11): The Postfix smtp(8)
+ client did not send the right SNI name when the TLSA base
+ domain was a secure CNAME expansion of the MX hostname (or
+ non-MX nexthop domain). Domains with CNAME expanded MX
+ hosts are not conformant with RFC5321, and so are rare.
+ Even more rare are MX hosts with TLSA records for their
+ CNAME expansion. For this to matter, the remote SMTP server
+ would also have to select its certificate based on the SNI
+ name in such a way that the original MX host would yield a
+ different certificate. Among the ~2 million hosts in the
+ DANE survey, none meet the conditions for returning a
+ different certificate for the expanded CNAME. Therefore,
+ sending the correct SNI name should not break existing mail
+ flows. Fixed by Viktor Dukhovni. File: src/tls/tls_client.c.
<li> <p> The Postfix SMTP/LMTP client uses <a href="postconf.5.html#smtp_dns_reply_filter">smtp_dns_reply_filter</a>
and <a href="postconf.5.html#lmtp_dns_reply_filter">lmtp_dns_reply_filter</a> only to discover a remote SMTP or LMTP
-service (record types MX, A, AAAAA, and TLSA). These lookups are
+service (record types MX, A, AAAA, and TLSA). These lookups are
also made to implement the features <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a> and
<a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a>. </p>
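Review bot: this hunk is in a generated file (the hrefs are added by the postconf documentation generator), so the one-letter AAAAA to AAAA correction here should come from regenerating, not hand-editing; the HISTORY entry names only proto/postconf.proto as the fixed file, and the plain-text (unlinked) copy further down is that source. Confirm that the html and man page copies in this commit were produced by the same generator run from the updated proto, so the next rebuild does not reintroduce the old spelling or drift from the source.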
a filter removes all lookup results from a successful query. </p>
<li> <p> Postfix SMTP server uses <a href="postconf.5.html#smtpd_dns_reply_filter">smtpd_dns_reply_filter</a> only to
-look up MX, A, AAAAA, and TXT records to implement the features
+look up MX, A, AAAA, and TXT records to implement the features
<a href="postconf.5.html#reject_unknown_helo_hostname">reject_unknown_helo_hostname</a>, <a href="postconf.5.html#reject_unknown_sender_domain">reject_unknown_sender_domain</a>,
<a href="postconf.5.html#reject_unknown_recipient_domain">reject_unknown_recipient_domain</a>, reject_rbl_*, and reject_rhsbl_*.
</p>
.IP \(bu
The Postfix SMTP/LMTP client uses smtp_dns_reply_filter
and lmtp_dns_reply_filter only to discover a remote SMTP or LMTP
-service (record types MX, A, AAAAA, and TLSA). These lookups are
+service (record types MX, A, AAAA, and TLSA). These lookups are
also made to implement the features reject_unverified_sender and
reject_unverified_recipient.
.IP \(bu
a filter removes all lookup results from a successful query.
.IP \(bu
Postfix SMTP server uses smtpd_dns_reply_filter only to
-look up MX, A, AAAAA, and TXT records to implement the features
+look up MX, A, AAAA, and TXT records to implement the features
reject_unknown_helo_hostname, reject_unknown_sender_domain,
reject_unknown_recipient_domain, reject_rbl_*, and reject_rhsbl_*.
.IP \(bu
<li> <p> The Postfix SMTP/LMTP client uses smtp_dns_reply_filter
and lmtp_dns_reply_filter only to discover a remote SMTP or LMTP
-service (record types MX, A, AAAAA, and TLSA). These lookups are
+service (record types MX, A, AAAA, and TLSA). These lookups are
also made to implement the features reject_unverified_sender and
reject_unverified_recipient. </p>
a filter removes all lookup results from a successful query. </p>
<li> <p> Postfix SMTP server uses smtpd_dns_reply_filter only to
-look up MX, A, AAAAA, and TXT records to implement the features
+look up MX, A, AAAA, and TXT records to implement the features
reject_unknown_helo_hostname, reject_unknown_sender_domain,
reject_unknown_recipient_domain, reject_rbl_*, and reject_rhsbl_*.
</p>
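Review bot: while this paragraph in the proto source is being touched, the second bullet opens "Postfix SMTP server uses smtpd_dns_reply_filter ..." without the article, whereas the client bullet just above reads "The Postfix SMTP/LMTP client uses ..."; fix it to "The Postfix SMTP server uses ..." here in proto/postconf.proto, since the html and .IP \(bu man page copies above are generated from this text and will pick the fix up on regeneration.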
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20200620"
+#define MAIL_RELEASE_DATE "20200627"
#define MAIL_VERSION_NUMBER "3.6"
#ifdef SNAPSHOT
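Review bot: MAIL_RELEASE_DATE is bumped to "20200627" while the new HISTORY section carrying the two entries is headed "20200626". The comment above says snapshots change the release date only, which is respected, but the snapshot date and the HISTORY date normally match; either head the HISTORY section 20200627 or confirm the one-day gap is intentional (entries dated when written, snapshot dated when cut) so the two files do not disagree about which snapshot first contains the SNI fix.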
* avoid SNI, and there are no plans to support SNI in the Postfix
* SMTP server).
*
+ * Per RFC7672, the required SNI name is the TLSA "base domain" (the one
+ * used to construct the "_25._tcp.<fqdn>" TLSA record DNS query).
+ *
* Since the hostname is DNSSEC-validated, it must be a DNS FQDN and
* thererefore valid for use with SNI.
*/
- sni = props->host;
+ sni = props->dane->base_domain;
} else if (props->sni && *props->sni) {
+
+ /*
+ * MTA-STS policy plugin compatibility: with servername=hostname,
+ * Postfix must send the MX hostname (not CNAME expanded).
+ */
if (strcmp(props->sni, "hostname") == 0)
sni = props->host;
else if (strcmp(props->sni, "nexthop") == 0)
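Review bot: `sni = props->dane->base_domain;` dereferences props->dane with no guard visible in this hunk. The branch is the DNSSEC-validated/DANE case, so props->dane is presumably non-NULL, but confirm that the enclosing condition actually tests props->dane (rather than a DANE-enabled flag or a non-NULL TLSA list) and that base_domain is always populated whenever that condition holds; otherwise this replaces a working `sni = props->host;` with a NULL dereference for the exact connections the fix targets. The new comment for the servername=hostname case ("Postfix must send the MX hostname (not CNAME expanded)") is a useful contrast and worth keeping. While the comment block is being edited, the adjacent context line "thererefore valid for use with SNI" has a pre-existing typo ("therefore") that could be fixed in the same change.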