From: Wietse Z Venema Date: Sun, 2 Nov 2025 05:00:00 +0000 (-0500) Subject: postfix-3.11-20251102 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=16f30ecd33ae0775365ce9b7eb7fe4b05910ba82;p=thirdparty%2Fpostfix.git postfix-3.11-20251102 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index e9017bb13..eba515c89 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -29765,3 +29765,23 @@ Apologies for any names omitted. Debugging: depending on OpenSSL build options, "posttls-finger -L ssl-debug" will decode TLS handshake messages. Viktor Dukhovni. File: posttls-finger/posttls-finger.c + +20241031 + + Bugfix (defect introduced: Postfix 3.10, date 20250117): + support for "TLS-Required: no" broke client-side TLS wrappermode + support, by downgrading a connection to TLS security level 'may'. + The solution is to change the downgrade level for wrappermode + connections to 'encrypt'. Rationale: by design, TLS can be + optional only for connections that use STARTTLS. The downgrade + to unauthenticated 'encrypt' allows a sender to avoid an email + delivery problem. Problem reported by Joshua Tyler Cochran. + Files: smtp/smtp_tls_policy.c, smtp/smtp_tls_policy_test.c. + +20251102 + + Post-quantum cryptography support (with OpenSSL 3.5 and + later): change the tls_eecdh_auto_curves default value to + avoid problems with infrastructure that mis-handles TLS + hello messages larger than one (Ethernet) TCP segment. + Viktor Dukhovni. Files: global/mail_params.h, proto/postconf.proto. diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 359e046b6..de47f73e7 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html 
@@ -20255,8 +20255,9 @@ MinProtocol = TLSv1 main.cf: tls_config_file = ${config_directory}/openssl.cnf tls_config_name = postfix - # Clear Postfix curve/group settings to let OpenSSL settings take - # effect. + # Clear Postfix curve/group settings to let custom OpenSSL + # configuration settings take effect. For most users, the + # default Postfix settings are strongly recommended. tls_eecdh_auto_curves = tls_ffdhe_auto_groups = @@ -20283,14 +20284,14 @@ openssl.cnf: # # Groups = X25519:X448:prime256v1:secp384r1:secp521r1:ffdhe2048:ffdhe3072 # - Groups = *X25519MLKEM768 / *X25519:X448 / P-256:P-384 + Groups = ?X25519MLKEM768 / ?*X25519:?secp256r1 / ?X448:?secp384r1:?secp521r1 / ?ffdhe2048:?ffdhe3072 -

Caution: It is typically best to just use the default OpenSSL -group settings, by setting "tls_config_file = none". Overly strict -system-wide TLS settings will conflict with Postfix's opportunistic -TLS, where being less restrictive is better than downgrading to -cleartext SMTP.

+

Caution: It is typically best to just use the compiled-in default +OpenSSL group settings, by setting "tls_config_file = none". Overly +strict system-wide TLS settings will conflict with Postfix's +opportunistic TLS, where being less restrictive is better than +downgrading to cleartext SMTP.

This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6, 3.6.10, and 3.5.20.

@@ -20509,14 +20510,20 @@ is introduced with Postfix 3.8, when built against OpenSSL 3.0 or later.

Post-quantum cryptography support: OpenSSL 3.5 introduces new -configuration syntax that Postfix will not attempt to imitate. -Instead, with Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and later, set -both tls_eecdh_auto_curves and if available tls_ffdhe_auto_groups -to the empty value, to enable algorithm selection through OpenSSL -configuration. The empty value is the default setting for both as -of Postfix 3.11, when compiled with OpenSSL 3.5 or later. See -tls_config_file for a configuration example. -

+configuration syntax that Postfix will not attempt to emulate. That +said, when compiled against OpenSSL 3.5 or later, the Postfix default +setting is a minor adjustment of the OpenSSL compiled-in default +setting, it just delays generation of the hybrid post-quantum +X25519MLKEM768 key-share until it is explicitly requested by the +server. This avoids interoperability issues with some SMTP servers that +are unable to handle the resulting large TLS Client Hello.

+ +

If, despite the strongly recommended defaults, you need fine-grained +control over the supported groups, with Postfix 3.6.17, 3.7.13, 3.8.8, +3.9.2, and later, set both tls_eecdh_auto_curves and if available +tls_ffdhe_auto_groups to the empty value, to enable algorithm selection +through OpenSSL configuration. See tls_config_file for a configuration +example.

This feature is available in Postfix 3.2 and later, when it is compiled and linked with OpenSSL 1.0.2 or later on platforms where @@ -20659,28 +20666,24 @@ are largely a backup, in case some peer does not support EC key exchange, or EC key exchange needs to be disabled for some pressing reason.

-

Setting this parameter empty disables FFDHE support in TLS 1.3. +

Setting this parameter empty disables FFDHE support in TLS 1.3, +unless FFDHE groups are included in the "tls_eecdh_auto_curves" setting, +perhaps indirectly, as with the "DEFAULT" keyword available with OpenSSL +3.5 or later. In that case, prefixing each group name with a "-" has +the effect of removing it from the list. Whether FFDHE key agreement is enabled in TLS 1.2 and earlier depends on whether any of the "kDHE" ciphers are included in the cipherlist.

Conversely, setting "tls_eecdh_auto_curves" empty disables TLS 1.3 EC key agreement in OpenSSL 3.0 and later. If both are set empty, -Postfix will fall back to OpenSSL preferences as described next.

+Postfix will fall back to OpenSSL preferences as described in the +documentation of "tls_eecdh_auto_curves". -

Post-quantum cryptography support: OpenSSL 3.5 introduces new -configuration syntax that Postfix will not attempt to imitate. -Instead, with Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and later, set -both tls_eecdh_auto_curves and tls_ffdhe_auto_groups to the empty -value, to enable algorithm selection through OpenSSL configuration. -The empty value is the default setting for both as of Postfix 3.11, -when compiled with OpenSSL 3.5 or later. See tls_config_file for a -configuration example.

- -

All the default groups and EC curves should be sufficiently strong to make -"pruning" the defaults unwise. At a minimum, "x25519" and "prime256v1" (the -OpenSSL name for "secp256r1", a.k.a. "P-256") should be among the enabled EC -curves, while "dhe2048" and "dhe3072" should be among the FFDHE groups.

+

The default list includes "ffdhe2048" and "ffdhe3072". While +it should not be necessary in most cases, you can add "ffdhe4096" +to the list if you run into an exotic server that does not support +ECDHE and insists on much stronger than sensible DHE parameters.

This feature is available in Postfix 3.8 and later, when it is compiled and linked with OpenSSL 3.0 or later.

diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 87d39ab8e..819d18ae4 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -14105,8 +14105,9 @@ Example: Custom OpenSSL group settings. main.cf: tls_config_file = ${config_directory}/openssl.cnf tls_config_name = postfix - # Clear Postfix curve/group settings to let OpenSSL settings take - # effect. + # Clear Postfix curve/group settings to let custom OpenSSL + # configuration settings take effect. For most users, the + # default Postfix settings are strongly recommended. tls_eecdh_auto_curves = tls_ffdhe_auto_groups = .fi @@ -14141,15 +14142,15 @@ openssl.cnf: # # Groups = X25519:X448:prime256v1:secp384r1:secp521r1:ffdhe2048:ffdhe3072 # - Groups = *X25519MLKEM768 / *X25519:X448 / P\-256:P\-384 + Groups = ?X25519MLKEM768 / ?*X25519:?secp256r1 / ?X448:?secp384r1:?secp521r1 / ?ffdhe2048:?ffdhe3072 .fi .ad .PP -Caution: It is typically best to just use the default OpenSSL -group settings, by setting "tls_config_file = none". Overly strict -system\-wide TLS settings will conflict with Postfix's opportunistic -TLS, where being less restrictive is better than downgrading to -cleartext SMTP. +Caution: It is typically best to just use the compiled\-in default +OpenSSL group settings, by setting "tls_config_file = none". Overly +strict system\-wide TLS settings will conflict with Postfix's +opportunistic TLS, where being less restrictive is better than +downgrading to cleartext SMTP. .PP This feature is available in Postfix >= 3.9, 3.8.1, 3.7.6, 3.6.10, and 3.5.20. 
@@ -14336,13 +14337,20 @@ customizing the list of FFDHE groups enabled with TLS 1.3. That setting is introduced with Postfix 3.8, when built against OpenSSL 3.0 or later. .PP Post\-quantum cryptography support: OpenSSL 3.5 introduces new -configuration syntax that Postfix will not attempt to imitate. -Instead, with Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and later, set -both tls_eecdh_auto_curves and if available tls_ffdhe_auto_groups -to the empty value, to enable algorithm selection through OpenSSL -configuration. The empty value is the default setting for both as -of Postfix 3.11, when compiled with OpenSSL 3.5 or later. See -tls_config_file for a configuration example. +configuration syntax that Postfix will not attempt to emulate. That +said, when compiled against OpenSSL 3.5 or later, the Postfix default +setting is a minor adjustment of the OpenSSL compiled\-in default +setting, it just delays generation of the hybrid post\-quantum +\fBX25519MLKEM768\fR key\-share until it is explicitly requested by the +server. This avoids interoperability issues with some SMTP servers that +are unable to handle the resulting large TLS Client Hello. +.PP +If, despite the strongly recommended defaults, you need fine\-grained +control over the supported groups, with Postfix 3.6.17, 3.7.13, 3.8.8, +3.9.2, and later, set both tls_eecdh_auto_curves and if available +tls_ffdhe_auto_groups to the empty value, to enable algorithm selection +through OpenSSL configuration. See tls_config_file for a configuration +example. .PP This feature is available in Postfix 3.2 and later, when it is compiled and linked with OpenSSL 1.0.2 or later on platforms where 
@@ -14449,27 +14457,23 @@ are largely a backup, in case some peer does not support EC key exchange, or EC key exchange needs to be disabled for some pressing reason. .PP -Setting this parameter empty disables FFDHE support in TLS 1.3. +Setting this parameter empty disables FFDHE support in TLS 1.3, +unless FFDHE groups are included in the "tls_eecdh_auto_curves" setting, +perhaps indirectly, as with the "DEFAULT" keyword available with OpenSSL +3.5 or later. In that case, prefixing each group name with a "\-" has +the effect of removing it from the list. Whether FFDHE key agreement is enabled in TLS 1.2 and earlier depends on whether any of the "kDHE" ciphers are included in the cipherlist. .PP Conversely, setting "tls_eecdh_auto_curves" empty disables TLS 1.3 EC key agreement in OpenSSL 3.0 and later. If both are set empty, -Postfix will fall back to OpenSSL preferences as described next. +Postfix will fall back to OpenSSL preferences as described in the +documentation of "tls_eecdh_auto_curves". .PP -Post\-quantum cryptography support: OpenSSL 3.5 introduces new -configuration syntax that Postfix will not attempt to imitate. -Instead, with Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and later, set -both tls_eecdh_auto_curves and tls_ffdhe_auto_groups to the empty -value, to enable algorithm selection through OpenSSL configuration. -The empty value is the default setting for both as of Postfix 3.11, -when compiled with OpenSSL 3.5 or later. See tls_config_file for a -configuration example. -.PP -All the default groups and EC curves should be sufficiently strong to make -"pruning" the defaults unwise. At a minimum, "x25519" and "prime256v1" (the -OpenSSL name for "secp256r1", a.k.a. "P\-256") should be among the enabled EC -curves, while "dhe2048" and "dhe3072" should be among the FFDHE groups. +The default list includes "ffdhe2048" and "ffdhe3072". 
While +it should not be necessary in most cases, you can add "ffdhe4096" +to the list if you run into an exotic server that does not support +ECDHE and insists on much stronger than sensible DHE parameters. .PP This feature is available in Postfix 3.8 and later, when it is compiled and linked with OpenSSL 3.0 or later. diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 5f94cb366..33349122c 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -13439,14 +13439,20 @@ is introduced with Postfix 3.8, when built against OpenSSL 3.0 or later.

Post-quantum cryptography support: OpenSSL 3.5 introduces new -configuration syntax that Postfix will not attempt to imitate. -Instead, with Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and later, set -both tls_eecdh_auto_curves and if available tls_ffdhe_auto_groups -to the empty value, to enable algorithm selection through OpenSSL -configuration. The empty value is the default setting for both as -of Postfix 3.11, when compiled with OpenSSL 3.5 or later. See -tls_config_file for a configuration example. -

+configuration syntax that Postfix will not attempt to emulate. That +said, when compiled against OpenSSL 3.5 or later, the Postfix default +setting is a minor adjustment of the OpenSSL compiled-in default +setting, it just delays generation of the hybrid post-quantum +X25519MLKEM768 key-share until it is explicitly requested by the +server. This avoids interoperability issues with some SMTP servers that +are unable to handle the resulting large TLS Client Hello.

+ +

If, despite the strongly recommended defaults, you need fine-grained +control over the supported groups, with Postfix 3.6.17, 3.7.13, 3.8.8, +3.9.2, and later, set both tls_eecdh_auto_curves and if available +tls_ffdhe_auto_groups to the empty value, to enable algorithm selection +through OpenSSL configuration. See tls_config_file for a configuration +example.

This feature is available in Postfix 3.2 and later, when it is compiled and linked with OpenSSL 1.0.2 or later on platforms where @@ -13472,28 +13478,24 @@ are largely a backup, in case some peer does not support EC key exchange, or EC key exchange needs to be disabled for some pressing reason.

-

Setting this parameter empty disables FFDHE support in TLS 1.3. +

Setting this parameter empty disables FFDHE support in TLS 1.3, +unless FFDHE groups are included in the "tls_eecdh_auto_curves" setting, +perhaps indirectly, as with the "DEFAULT" keyword available with OpenSSL +3.5 or later. In that case, prefixing each group name with a "-" has +the effect of removing it from the list. Whether FFDHE key agreement is enabled in TLS 1.2 and earlier depends on whether any of the "kDHE" ciphers are included in the cipherlist.

Conversely, setting "tls_eecdh_auto_curves" empty disables TLS 1.3 EC key agreement in OpenSSL 3.0 and later. If both are set empty, -Postfix will fall back to OpenSSL preferences as described next.

+Postfix will fall back to OpenSSL preferences as described in the +documentation of "tls_eecdh_auto_curves". -

Post-quantum cryptography support: OpenSSL 3.5 introduces new -configuration syntax that Postfix will not attempt to imitate. -Instead, with Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and later, set -both tls_eecdh_auto_curves and tls_ffdhe_auto_groups to the empty -value, to enable algorithm selection through OpenSSL configuration. -The empty value is the default setting for both as of Postfix 3.11, -when compiled with OpenSSL 3.5 or later. See tls_config_file for a -configuration example.

- -

All the default groups and EC curves should be sufficiently strong to make -"pruning" the defaults unwise. At a minimum, "x25519" and "prime256v1" (the -OpenSSL name for "secp256r1", a.k.a. "P-256") should be among the enabled EC -curves, while "dhe2048" and "dhe3072" should be among the FFDHE groups.

+

The default list includes "ffdhe2048" and "ffdhe3072". While +it should not be necessary in most cases, you can add "ffdhe4096" +to the list if you run into an exotic server that does not support +ECDHE and insists on much stronger than sensible DHE parameters.

This feature is available in Postfix 3.8 and later, when it is compiled and linked with OpenSSL 3.0 or later.

@@ -19295,8 +19297,9 @@ MinProtocol = TLSv1 main.cf: tls_config_file = ${config_directory}/openssl.cnf tls_config_name = postfix - # Clear Postfix curve/group settings to let OpenSSL settings take - # effect. + # Clear Postfix curve/group settings to let custom OpenSSL + # configuration settings take effect. For most users, the + # default Postfix settings are strongly recommended. tls_eecdh_auto_curves = tls_ffdhe_auto_groups = @@ -19323,14 +19326,14 @@ openssl.cnf: # # Groups = X25519:X448:prime256v1:secp384r1:secp521r1:ffdhe2048:ffdhe3072 # - Groups = *X25519MLKEM768 / *X25519:X448 / P-256:P-384 + Groups = ?X25519MLKEM768 / ?*X25519:?secp256r1 / ?X448:?secp384r1:?secp521r1 / ?ffdhe2048:?ffdhe3072 -

Caution: It is typically best to just use the default OpenSSL -group settings, by setting "tls_config_file = none". Overly strict -system-wide TLS settings will conflict with Postfix's opportunistic -TLS, where being less restrictive is better than downgrading to -cleartext SMTP.

+

Caution: It is typically best to just use the compiled-in default +OpenSSL group settings, by setting "tls_config_file = none". Overly +strict system-wide TLS settings will conflict with Postfix's +opportunistic TLS, where being less restrictive is better than +downgrading to cleartext SMTP.

This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6, 3.6.10, and 3.5.20.

diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index de23c9637..7583c8b55 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -3421,7 +3421,7 @@ extern char *var_tls_null_clist; #define VAR_TLS_EECDH_AUTO "tls_eecdh_auto_curves" #if OPENSSL_VERSION_PREREQ(3,5) -#define DEF_TLS_EECDH_AUTO "" +#define DEF_TLS_EECDH_AUTO "?X25519MLKEM768:DEFAULT" #else #if defined(SN_X25519) && defined(NID_X25519) #define DEF_TLS_EECDH_AUTO_1 SN_X25519 " " diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index ec7d136fa..19e1a0cd0 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20251030" +#define MAIL_RELEASE_DATE "20251102" #define MAIL_VERSION_NUMBER "3.11" #ifdef SNAPSHOT diff --git a/postfix/src/smtp/smtp_tls_policy.c b/postfix/src/smtp/smtp_tls_policy.c index 028f48c32..b234dd8fa 100644 --- a/postfix/src/smtp/smtp_tls_policy.c +++ b/postfix/src/smtp/smtp_tls_policy.c @@ -191,12 +191,12 @@ int smtp_tls_authorize_mx_hostname(SMTP_TLS_POLICY *tls, const char *name) if (match_sts_mx_host_pattern(*pattp, aname)) { if (msg_verbose) msg_info("MX name '%s' matches STS MX pattern for '%s'", - aname, tls->ext_policy_domain ? tls->ext_policy_domain : ""); + aname, tls->ext_policy_domain ? tls->ext_policy_domain : ""); return (1); } } msg_warn("MX name '%s' does not match STS MX pattern for '%s'", - aname, tls->ext_policy_domain ? tls->ext_policy_domain : ""); + aname, tls->ext_policy_domain ? tls->ext_policy_domain : ""); return (0); } /* No applicable policy name patterns. */ 
@@ -732,8 +732,13 @@ static void *policy_create(const char *unused_key, void *context) if (STATE_TLS_NOT_REQUIRED(iter->parent)) { if (msg_verbose) msg_info("%s: no tls policy lookup", __func__); - if (tls->level > TLS_LEV_MAY) - tls->level = TLS_LEV_MAY; + if (var_smtp_tls_wrappermode) { + if (tls->level > TLS_LEV_ENCRYPT) + tls->level = TLS_LEV_ENCRYPT; + } else { + if (tls->level > TLS_LEV_MAY) + tls->level = TLS_LEV_MAY; + } } else if (tls_policy) { tls_policy_lookup(tls, &site_level, dest, "next-hop destination"); } else if (tls_per_site) { diff --git a/postfix/src/smtp/smtp_tls_policy_test.c b/postfix/src/smtp/smtp_tls_policy_test.c index f37ac9875..dd9ac7b4e 100644 --- a/postfix/src/smtp/smtp_tls_policy_test.c +++ b/postfix/src/smtp/smtp_tls_policy_test.c @@ -84,6 +84,7 @@ char *var_smtp_tls_vfy_cmatch; bool var_smtp_use_tls; char *var_smtp_tls_excl_ciph; bool var_smtp_tls_enf_sts_mx_pat; +bool var_smtp_tls_wrappermode; /* * Other globals. @@ -125,6 +126,8 @@ static void test_setup(void) var_smtp_use_tls = DEF_SMTP_USE_TLS; var_smtp_tls_excl_ciph = DEF_SMTP_TLS_EXCL_CIPH; var_smtp_tls_enf_sts_mx_pat = 1; + var_smtp_tls_wrappermode = 0; + var_tls_required_enable = 0; smtp_mode = 1; 
@@ -462,10 +465,121 @@ static int test_hostname_authorization(const struct TEST_CASE *tp) return (match ? PASS : FAIL); } +static int test_tls_reqd_no_sans_header(const struct TEST_CASE *tp) +{ + SMTP_STATE *state = smtp_state_alloc(); + const char *domain = "example.com"; + const char *host = "mail.example.com"; + const char *addr = "10.0.1.1"; + int port = 25; + int want_level; + int ret = FAIL; + + var_smtp_tls_level = "secure"; + var_smtp_tls_policy = "static:none"; + + /* Test-dependent. */ + state->request = &(DELIVER_REQUEST) {.sendopts = 0}; + var_smtp_tls_wrappermode = 1; + var_tls_required_enable = 1; + want_level = TLS_LEV_NONE; + + smtp_tls_list_init(); + SMTP_ITER_INIT(state->iterator, domain, host, addr, port, state); + if (smtp_tls_policy_cache_query(state->why, state->tls, + state->iterator) == 0) { + msg_warn("smtp_tls_policy_cache_query failed: %s", + STR(state->why->reason)); + } else if (state->tls->level != want_level) { + msg_warn("got TLS level '%s', want '%s'", + str_tls_level(state->tls->level), str_tls_level(want_level)); + } else { + ret = PASS; + } + smtp_tls_policy_cache_flush(); + smtp_state_free(state); + return (ret); +} + +static int test_tls_reqd_no_with_wrappermode(const struct TEST_CASE *tp) +{ + SMTP_STATE *state = smtp_state_alloc(); + const char *domain = "example.com"; + const char *host = "mail.example.com"; + const char *addr = "10.0.1.1"; + int port = 25; + int want_level; + int ret = FAIL; + + var_smtp_tls_level = "secure"; + var_smtp_tls_policy = "static:none"; + + /* Test-dependent. 
*/ + state->request = &(DELIVER_REQUEST) {.sendopts = SOPT_REQUIRETLS_HEADER}; + var_smtp_tls_wrappermode = 1; + var_tls_required_enable = 1; + want_level = TLS_LEV_ENCRYPT; + + smtp_tls_list_init(); + SMTP_ITER_INIT(state->iterator, domain, host, addr, port, state); + if (smtp_tls_policy_cache_query(state->why, state->tls, + state->iterator) == 0) { + msg_warn("smtp_tls_policy_cache_query failed: %s", + STR(state->why->reason)); + } else if (state->tls->level != want_level) { + msg_warn("got TLS level '%s', want '%s'", + str_tls_level(state->tls->level), str_tls_level(want_level)); + } else { + ret = PASS; + } + smtp_tls_policy_cache_flush(); + smtp_state_free(state); + return (ret); +} + +static int test_tls_reqd_no_sans_wrappermode(const struct TEST_CASE *tp) +{ + SMTP_STATE *state = smtp_state_alloc(); + const char *domain = "example.com"; + const char *host = "mail.example.com"; + const char *addr = "10.0.1.1"; + int port = 25; + int want_level; + int ret = FAIL; + + var_smtp_tls_level = "secure"; + var_smtp_tls_policy = "static:none"; + + /* Test-dependent. 
*/ + state->request = &(DELIVER_REQUEST) {.sendopts = SOPT_REQUIRETLS_HEADER}; + var_smtp_tls_wrappermode = 0; + var_tls_required_enable = 1; + want_level = TLS_LEV_MAY; + + smtp_tls_list_init(); + SMTP_ITER_INIT(state->iterator, domain, host, addr, port, state); + if (smtp_tls_policy_cache_query(state->why, state->tls, + state->iterator) == 0) { + msg_warn("smtp_tls_policy_cache_query failed: %s", + STR(state->why->reason)); + } else if (state->tls->level != want_level) { + msg_warn("got TLS level '%s', want '%s'", + str_tls_level(state->tls->level), str_tls_level(want_level)); + } else { + ret = PASS; + } + smtp_tls_policy_cache_flush(); + smtp_state_free(state); + return (ret); +} + static const struct TEST_CASE test_cases[] = { {"sts_policy_smoke_test", sts_policy_smoke_test,}, {"obs_sts_policy_smoke_test", obs_sts_policy_smoke_test,}, {"test_hostname_authorization", test_hostname_authorization}, + {"test_tls_reqd_no_sans_header", test_tls_reqd_no_sans_header}, + {"test_tls_reqd_no_with_wrappermode", test_tls_reqd_no_with_wrappermode}, + {"test_tls_reqd_no_sans_wrappermode", test_tls_reqd_no_sans_wrappermode}, {0}, };
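Review bot: The new HISTORY entry is dated "20241031", which looks like a typo for 20251031: it sits directly before the 20251102 entry, the previous snapshot release date in mail_version.h was "20251030", and the defect it fixes was introduced on 20250117, so a 2024 date cannot be right.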
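Review bot: The new DEF_TLS_EECDH_AUTO value "?X25519MLKEM768:DEFAULT" in mail_params.h deserves a short comment in the header, because the OpenSSL 3.5 group-list syntax it relies on (the "?" prefix, and the absence of a "*" key-share marker on X25519MLKEM768) is not self-explanatory, and the rationale currently lives only in HISTORY and postconf.proto. Something like "/* OpenSSL >= 3.5 only: offer X25519MLKEM768 but do not send its key share unsolicited; keeps the Client Hello within one TCP segment. */" above the #define would keep the intent next to the value.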
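Review bot: In the postconf.proto tls_eecdh_auto_curves paragraph (and the generated html and man copies), "setting is a minor adjustment of the OpenSSL compiled-in default setting, it just delays generation" is a comma splice; a colon or a full stop before "it just delays" reads better. It would also help readers to see the resulting default value stated in this paragraph, since the surrounding text describes its behaviour without naming it.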
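Review bot: The first smtp_tls_policy.c hunk (the msg_info/msg_warn argument lines in smtp_tls_authorize_mx_hostname) changes indentation only; it is harmless but would be easier to audit as a separate whitespace-only commit, or at least called out in the commit message, so that reviewers do not search for a behavioural change there.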
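Review bot: The policy_create hunk can be flattened by computing the cap once, e.g. "int cap = var_smtp_tls_wrappermode ? TLS_LEV_ENCRYPT : TLS_LEV_MAY;" followed by "if (tls->level > cap) tls->level = cap;", which also leaves one place to extend if another mode needs a different floor. Consider also extending the existing verbose msg_info("%s: no tls policy lookup", ...) to report the level being applied, since a downgrade from 'secure' to 'encrypt' or 'may' is exactly what an operator will want to see in the log when debugging a "TLS-Required: no" delivery.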
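Review bot: The three new test functions in smtp_tls_policy_test.c are identical apart from the sendopts value, var_smtp_tls_wrappermode and want_level, so a single table-driven helper taking those three inputs would cut about fifty duplicated lines and make it trivial to add the remaining combination (sendopts = 0, wrappermode = 0). The name test_tls_reqd_no_sans_header also hides that it runs with wrappermode enabled; a name such as test_tls_reqd_no_sans_header_with_wrappermode, or the table approach, would make the matrix explicit.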