From: Wietse Venema Date: Sat, 27 Jun 2020 05:00:00 +0000 (-0500) Subject: postfix-3.4.14 X-Git-Tag: v3.4.14^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=72775505ae64bb8a5c282759f2f917256cf0c931;p=thirdparty%2Fpostfix.git postfix-3.4.14 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index fe15290e6..11d3615e6 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -24427,3 +24427,42 @@ Apologies for any names omitted. sent a TLSv1.3 HelloRetryRequest (HRR) to a remote SMTP client. Reported by Ján Máté, fixed by Viktor Dukhovni. File: tls/tls_misc.c. + +20200617 + + Bugfix (introduced: Postfix 3.4): the connection_reuse + attribute in smtp_tls_policy_maps resulted in an "invalid + attribute name" error. Fix by Thorsten Habich. File: + smtp/smtp_tls_policy.c. + +20200619 + + Bugfix (introduced: Postfix 3.4): SMTP over TLS connection + reuse was broken for configurations that use explicit trust + anchors. Reported by Thorsten Habich. Cause: the tlsproxy + client was sending a zero certificate length. File: + tls/tls_proxy_client_print.c. + +20200620 + + Bugfix (introduced: Postfix 3.4): SMTP over TLS connection + reuse was broken for configurations that use explicit trust + anchors. Reported by Thorsten Habich. Fixed by calling DANE + initialization unconditionally (WTF). File: tlsproxy/tlsproxy.c. + +20200626 + + Bugfix (introduced: Postfix 2.11): The Postfix smtp(8) + client did not send the right SNI name when the TLSA base + domain was a secure CNAME expansion of the MX hostname (or + non-MX nexthop domain). Domains with CNAME expanded MX hosts + are not conformant with RFC5321, and so are rare. Even more + rare are MX hosts with TLSA records for their CNAME expansion. + For this to matter, the remote SMTP server would also have + to select its certificate based on the SNI name in such a + way that the original MX host would yield a different + certificate. Among the ~2 million hosts in the DANE survey, + none meet the conditions for returning a different certificate + for the expanded CNAME. Therefore, sending the correct SNI + name should not break existing mail flows. Fixed by Viktor + Dukhovni. File: src/tls/tls_client.c. diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 95afa7b9d..ee31b0f22 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20200614" -#define MAIL_VERSION_NUMBER "3.4.13" +#define MAIL_RELEASE_DATE "20200627" +#define MAIL_VERSION_NUMBER "3.4.14" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff --git a/postfix/src/smtp/smtp_tls_policy.c b/postfix/src/smtp/smtp_tls_policy.c index 03201b9c1..4b394a934 100644 --- a/postfix/src/smtp/smtp_tls_policy.c +++ b/postfix/src/smtp/smtp_tls_policy.c @@ -389,6 +389,7 @@ static void tls_policy_lookup_one(SMTP_TLS_POLICY *tls, int *site_level, WHERE, name, val); INVALID_RETURN(tls->why, site_level); } + continue; } msg_warn("%s: invalid attribute name: \"%s\"", WHERE, name); INVALID_RETURN(tls->why, site_level); diff --git a/postfix/src/tls/tls_client.c b/postfix/src/tls/tls_client.c index 4d5143eaf..0b10620ef 100644 --- a/postfix/src/tls/tls_client.c +++ b/postfix/src/tls/tls_client.c @@ -1018,10 +1018,13 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props) * avoid SNI, and there are no plans to support SNI in the Postfix * SMTP server). * + * Per RFC7672, the required SNI name is the TLSA "base domain" (the one + * used to construct the "_25._tcp." TLSA record DNS query). + * * Since the hostname is DNSSEC-validated, it must be a DNS FQDN and * thererefore valid for use with SNI. */ - sni = props->host; + sni = props->dane->base_domain; } else if (props->sni && *props->sni) { if (strcmp(props->sni, "hostname") == 0) sni = props->host; diff --git a/postfix/src/tls/tls_proxy_client_print.c b/postfix/src/tls/tls_proxy_client_print.c index 68fb56b17..b45100c0e 100644 --- a/postfix/src/tls/tls_proxy_client_print.c +++ b/postfix/src/tls/tls_proxy_client_print.c @@ -213,6 +213,7 @@ static int tls_proxy_client_certs_print(ATTR_PRINT_MASTER_FN print_fn, i2d_X509(tp->cert, &bp); if ((char *) bp - STR(buf) != len) msg_panic("i2d_X509 failed to encode certificate"); + vstring_set_payload_size(buf, len); ret = print_fn(fp, flags | ATTR_FLAG_MORE, SEND_ATTR_DATA(TLS_ATTR_CERT, LEN(buf), STR(buf)), ATTR_TYPE_END); @@ -258,6 +259,7 @@ static int tls_proxy_client_pkeys_print(ATTR_PRINT_MASTER_FN print_fn, i2d_PUBKEY(tp->pkey, &bp); if ((char *) bp - STR(buf) != len) msg_panic("i2d_PUBKEY failed to encode public key"); + vstring_set_payload_size(buf, len); ret = print_fn(fp, flags | ATTR_FLAG_MORE, SEND_ATTR_DATA(TLS_ATTR_PKEY, LEN(buf), STR(buf)), ATTR_TYPE_END); diff --git a/postfix/src/tlsproxy/tlsproxy.c b/postfix/src/tlsproxy/tlsproxy.c index 65c7201b4..ab24fff76 100644 --- a/postfix/src/tlsproxy/tlsproxy.c +++ b/postfix/src/tlsproxy/tlsproxy.c @@ -993,12 +993,12 @@ static int tlsp_client_start_pre_handshake(TLSP_STATE *state) state->client_start_props->ctx = state->appl_state; state->client_start_props->fd = state->ciphertext_fd; /* These predicates and warning belong inside tls_client_start(). */ - if (!TLS_DANE_BASED(state->client_start_props->tls_level) - || tls_dane_avail()) - state->tls_context = tls_client_start(state->client_start_props); - else + if (!tls_dane_avail() /* mandatory side effects!! */ + &&TLS_DANE_BASED(state->client_start_props->tls_level)) msg_warn("%s: DANE requested, but not available", state->client_start_props->namaddr); + else + state->tls_context = tls_client_start(state->client_start_props); if (state->tls_context != 0) return (TLSP_STAT_OK);