From: Wietse Venema Date: Sat, 27 Jun 2020 05:00:00 +0000 (-0500) Subject: postfix-3.5.4 X-Git-Tag: v3.5.4^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=90f21be456d3f686c3821256fb68441a6ac97904;p=thirdparty%2Fpostfix.git postfix-3.5.4 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index eec2fa67c..d32f78adf 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -24753,3 +24753,41 @@ Apologies for any names omitted. client. Reported by Ján Máté, fixed by Viktor Dukhovni. File: tls/tls_misc.c. +20200617 + + Bugfix (introduced: Postfix 3.4): the connection_reuse + attribute in smtp_tls_policy_maps resulted in an "invalid + attribute name" error. Fix by Thorsten Habich. File: + smtp/smtp_tls_policy.c. + +20200619 + + Bugfix (introduced: Postfix 3.4): SMTP over TLS connection + reuse was broken for configurations that use explicit trust + anchors. Reported by Thorsten Habich. Cause: the tlsproxy + client was sending a zero certificate length. File: + tls/tls_proxy_client_print.c. + +20200620 + + Bugfix (introduced: Postfix 3.4): SMTP over TLS connection + reuse was broken for configurations that use explicit trust + anchors. Reported by Thorsten Habich. Fixed by calling DANE + initialization unconditionally (WTF). File: tlsproxy/tlsproxy.c. + +20200626 + + Bugfix (introduced: Postfix 2.11): The Postfix smtp(8) + client did not send the right SNI name when the TLSA base + domain was a secure CNAME expansion of the MX hostname (or + non-MX nexthop domain). Domains with CNAME expanded MX hosts + are not conformant with RFC5321, and so are rare. Even more + rare are MX hosts with TLSA records for their CNAME expansion. + For this to matter, the remote SMTP server would also have + to select its certificate based on the SNI name in such a + way that the original MX host would yield a different + certificate. Among the ~2 million hosts in the DANE survey, + none meet the conditions for returning a different certificate + for the expanded CNAME. Therefore, sending the correct SNI + name should not break existing mail flows. Fixed by Viktor + Dukhovni. File: src/tls/tls_client.c. diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 2e598484e..102edce3c 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20200614" -#define MAIL_VERSION_NUMBER "3.5.3" +#define MAIL_RELEASE_DATE "20200627" +#define MAIL_VERSION_NUMBER "3.5.4" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff --git a/postfix/src/smtp/smtp_tls_policy.c b/postfix/src/smtp/smtp_tls_policy.c index 03201b9c1..4b394a934 100644 --- a/postfix/src/smtp/smtp_tls_policy.c +++ b/postfix/src/smtp/smtp_tls_policy.c @@ -389,6 +389,7 @@ static void tls_policy_lookup_one(SMTP_TLS_POLICY *tls, int *site_level, WHERE, name, val); INVALID_RETURN(tls->why, site_level); } + continue; } msg_warn("%s: invalid attribute name: \"%s\"", WHERE, name); INVALID_RETURN(tls->why, site_level); diff --git a/postfix/src/tls/tls_client.c b/postfix/src/tls/tls_client.c index c12e48cbb..2ef055368 100644 --- a/postfix/src/tls/tls_client.c +++ b/postfix/src/tls/tls_client.c @@ -1018,10 +1018,13 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props) * avoid SNI, and there are no plans to support SNI in the Postfix * SMTP server). * + * Per RFC7672, the required SNI name is the TLSA "base domain" (the one + * used to construct the "_25._tcp." TLSA record DNS query). + * * Since the hostname is DNSSEC-validated, it must be a DNS FQDN and * thererefore valid for use with SNI. */ - sni = props->host; + sni = props->dane->base_domain; } else if (props->sni && *props->sni) { if (strcmp(props->sni, "hostname") == 0) sni = props->host; diff --git a/postfix/src/tls/tls_proxy_client_print.c b/postfix/src/tls/tls_proxy_client_print.c index 68fb56b17..b45100c0e 100644 --- a/postfix/src/tls/tls_proxy_client_print.c +++ b/postfix/src/tls/tls_proxy_client_print.c @@ -213,6 +213,7 @@ static int tls_proxy_client_certs_print(ATTR_PRINT_MASTER_FN print_fn, i2d_X509(tp->cert, &bp); if ((char *) bp - STR(buf) != len) msg_panic("i2d_X509 failed to encode certificate"); + vstring_set_payload_size(buf, len); ret = print_fn(fp, flags | ATTR_FLAG_MORE, SEND_ATTR_DATA(TLS_ATTR_CERT, LEN(buf), STR(buf)), ATTR_TYPE_END); @@ -258,6 +259,7 @@ static int tls_proxy_client_pkeys_print(ATTR_PRINT_MASTER_FN print_fn, i2d_PUBKEY(tp->pkey, &bp); if ((char *) bp - STR(buf) != len) msg_panic("i2d_PUBKEY failed to encode public key"); + vstring_set_payload_size(buf, len); ret = print_fn(fp, flags | ATTR_FLAG_MORE, SEND_ATTR_DATA(TLS_ATTR_PKEY, LEN(buf), STR(buf)), ATTR_TYPE_END); diff --git a/postfix/src/tlsproxy/tlsproxy.c b/postfix/src/tlsproxy/tlsproxy.c index 70ea8042e..7aad011be 100644 --- a/postfix/src/tlsproxy/tlsproxy.c +++ b/postfix/src/tlsproxy/tlsproxy.c @@ -997,12 +997,12 @@ static int tlsp_client_start_pre_handshake(TLSP_STATE *state) state->client_start_props->ctx = state->appl_state; state->client_start_props->fd = state->ciphertext_fd; /* These predicates and warning belong inside tls_client_start(). */ - if (!TLS_DANE_BASED(state->client_start_props->tls_level) - || tls_dane_avail()) - state->tls_context = tls_client_start(state->client_start_props); - else + if (!tls_dane_avail() /* mandatory side effects!! */ + &&TLS_DANE_BASED(state->client_start_props->tls_level)) msg_warn("%s: DANE requested, but not available", state->client_start_props->namaddr); + else + state->tls_context = tls_client_start(state->client_start_props); if (state->tls_context != 0) return (TLSP_STAT_OK);