Clear fallback level for non-DANE destinations.
authorViktor Dukhovni <postfix-users@dukhovni.org>
Fri, 25 Jul 2014 15:25:33 +0000 (11:25 -0400)
committerViktor Dukhovni <postfix-users@dukhovni.org>
Fri, 1 Aug 2014 06:40:47 +0000 (02:40 -0400)
Since the effective policy is "may", there is no need for
a fallback setting.

Add comment text about fallback from "encrypt" with unusable TLSA
RRs.

postfix/src/smtp/smtp_tls_policy.c

index ca401716d5741e0ed2bb4f043909ecf7fd2af353..cff26a058513e9a144efdc318d184345b6f2b44a 100644 (file)
@@ -813,11 +813,19 @@ static void PRINTFLIKE(4, 5) dane_incompat(SMTP_TLS_POLICY *tls,
      */
     if (tls->level == TLS_LEV_DANE && errtype != TLSA_LOOKUP_ERR) {
        if (errtype == DANE_UNUSABLE) {
+           /*
+            * When TLSA are present, but none are usable, "dane" clients
+            * are expected to perform mandatory unauthenticated TLS.  If
+            * the "dane" the fallback level is "may", we enable fallback to
+            * cleartext (with the appropriate warnings).
+            */
            tls->level = TLS_LEV_ENCRYPT;
            if (tls->fallback_level != TLS_LEV_MAY)
                tls->fallback_level = TLS_LEV_NOTFOUND;
-       } else
+       } else {
            tls->level = TLS_LEV_MAY;
+           tls->fallback_level = TLS_LEV_NOTFOUND;
+       }
        if (errtype == NONDANE_CONFIG)
            vmsg_warn(fmt, ap);
        else if (msg_verbose)
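Review bot: The new comment in the DANE_UNUSABLE branch has a garbled sentence, `* the "dane" the fallback level is "may", we enable fallback to`, which should read `* the "dane" fallback level is "may", we enable fallback to`; the first line would also be clearer as `* When TLSA RRs are present, but none are usable, "dane" clients`. The comment could further state what the code below it actually does: only a pre-existing fallback level of TLS_LEV_MAY is kept, and any other value is reset to TLS_LEV_NOTFOUND, so a reader does not infer that cleartext fallback is enabled unconditionally. dane_incompat begins before this hunk and continues past it.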