From: Wietse Venema Date: Wed, 30 Sep 2020 05:00:00 +0000 (-0500) Subject: postfix-3.6-20200930 X-Git-Tag: v3.6.0-RC1~21 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ba144169c17cf1ef2e1f5736ef593c87c7b8c753;p=thirdparty%2Fpostfix.git postfix-3.6-20200930 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index 5b9f68cb6..cc0172562 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -25171,3 +25171,15 @@ Apologies for any names omitted. looks for Delivered-To: headers ignored headers longer than $line_length_limit. Also added unit tests. File: global/delivered_hdr.c. + +20200930 + + Feature: when a Postfix program makes a DNS query that + requests DNSSEC validation (usually for Postfix DANE support) + but the DNS response is not DNSSEC validated, Postfix will + send a DNS query configured with the "dnssec_probe" parameter + to determine if DNSSEC support is available, and logs a + warning if it is not. By default, the probe has type "ns" + and domain name ".". The probe is sent once per process + lifetime. Files: dns/dns.h, dns/dns_lookup.c, dns/dns_sec.c, + test_dns_lookup.c. diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index f9ce0ef5c..1f44e1593 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES @@ -25,6 +25,31 @@ more recent Eclipse Public License 2.0. Recipients can choose to take the software under the license of their choice. Those who are more comfortable with the IPL can continue with that license. +Major changes with snapshot 20200930 +==================================== + +The dnssec_probe parameter specifies the DNS query type (default: +"ns") and DNS query name (default: ".") that Postfix may use to +determine whether DNSSEC validation is available. Specify an empty +value to disable this feature. + +Background: DNSSEC validation is needed for Postfix DANE support; +this ensures that Postfix receives TLSA records with secure TLS +server certificate info. When DNSSEC validation is unavailable, +mail deliveries using opportunistic DANE will not be protected by +server certificate info in TLSA records, and mail deliveries using +mandatory DANE will not be made at all. + +By default, a Postfix process will send a DNSSEC probe after 1) the +process made a DNS query that requested DNSSEC validation, 2) the +process did not receive a DNSSEC validated response to this query +or to an earlier query, and 3) the process did not already send a +DNSSEC probe. + +When the DNSSEC probe has no response, or when the response is not +DNSSEC validated, Postfix logs a warning that DNSSEC validation may +be unavailable. + Incompatible change with snapshot 20200920 ========================================== diff --git a/postfix/WISHLIST b/postfix/WISHLIST index 6ff3680d1..b6c799054 100644 --- a/postfix/WISHLIST +++ b/postfix/WISHLIST @@ -2,19 +2,32 @@ Wish list: Does tlsproxy terminate to soon after 'postfix reload'? + touch all files that contain Binfo_log_address_format + then re-generate manpages. + The documented order of relay/recipient restrictions differs from the implementation. This may need a new compatibility parameter. For example: http://postfix.1071664.n5.nabble.com/Relay-attempt-questions-td103646.html + check_mumble_mx_access also generates synthetic MX records + i.e. A/AAAA where no MX exists. + + Someone suggested adding References: and In-Reply-To: headers + in bounce messages. Downside: that will make it harder to + delete a bounce without deleting other mail. Therefore do + not enable by defalut. + Hardening the half-dane behavior: some sites may rely on current behavior which allows original MX domain name for certificate matches. Requires a new (compatibility) parameter setting? - multi_server applications could be migrated to event_server; - after accept(), they would have to set up their own read - event callback for handling requests. + Code deduplication: migrate multi_server applications to + event_server. In addition to the default event_server + accept() handler, also register a read event callback for + handling post_accept events. But the currrent multi_server + API foits typical usage better. Maybe expand %m to "application error" when errno == 0. diff --git a/postfix/html/lmtp.8.html b/postfix/html/lmtp.8.html index ec2370e96..f35557304 100644 --- a/postfix/html/lmtp.8.html +++ b/postfix/html/lmtp.8.html @@ -361,10 +361,17 @@ SMTP(8) SMTP(8) Available in Postfix 3.5 and later: - info_log_address_format (external) + info_log_address_format (external) The email address form that will be used in non-debug logging (info, warning, etc.). + Available in Postfix 3.6 and later: + + dnssec_probe (ns:.) + The DNS query type (default: "ns") and DNS query name (default: + ".") that Postfix may use to determine whether DNSSEC is avail- + able. + MIME PROCESSING CONTROLS Available in Postfix version 2.0 and later: diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index da454c37f..7efb19f79 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -3035,6 +3035,57 @@ service performs DNS white/blacklist lookups.

This feature is available in Postfix 2.8 and later.

+ + +
dnssec_probe +(default: ns:.)
+ +

The DNS query type (default: "ns") and DNS query name (default: +".") that Postfix may use to determine whether DNSSEC validation +is available. +

+ +

Background: DNSSEC validation is needed for Postfix DANE support; +this ensures that Postfix receives TLSA records with secure TLS +server certificate info. When DNSSEC validation is unavailable, +mail deliveries using opportunistic DANE will not be protected +by server certificate info in TLSA records, and mail deliveries +using mandatory DANE will not be made at all.

+ +

By default, a Postfix process will send a DNSSEC probe after +1) the process made a DNS query that requested DNSSEC validation, +2) the process did not receive a DNSSEC validated response to this +query or to an earlier query, and 3) the process did not already +send a DNSSEC probe.

+ +

When the DNSSEC probe has no response, or when the response is +not DNSSEC validated, Postfix logs a warning that DNSSEC validation +may be unavailable.

+ +

Possible reasons why DNSSEC validation may be unavailable:

+ + + +

By default, the DNSSEC probe asks for the DNS root zone NS +records, because resolvers should always have that information +cached. If Postfix runs on a network where the DNS root zone is not +reachable, specify a different probe, or specify an empty dnssec_probe +value to disable the feature.

+ +

This feature is available in Postfix 3.6 and later.

+ +
dont_remove @@ -4082,7 +4133,7 @@ characters in the localpart.

form that Postfix 3.2 and later prefer for most table lookups. This is therefore the more useful form for non-debug logging.

-

Specify "info_log_address_format = internal" for backwards +

Specify "info_log_address_format = internal" for backwards compatibility.

Postfix uses the unquoted form internally, because an attacker diff --git a/postfix/html/smtp.8.html b/postfix/html/smtp.8.html index ec2370e96..f35557304 100644 --- a/postfix/html/smtp.8.html +++ b/postfix/html/smtp.8.html @@ -361,10 +361,17 @@ SMTP(8) SMTP(8) Available in Postfix 3.5 and later: - info_log_address_format (external) + info_log_address_format (external) The email address form that will be used in non-debug logging (info, warning, etc.). + Available in Postfix 3.6 and later: + + dnssec_probe (ns:.) + The DNS query type (default: "ns") and DNS query name (default: + ".") that Postfix may use to determine whether DNSSEC is avail- + able. + MIME PROCESSING CONTROLS Available in Postfix version 2.0 and later: diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 95ea21483..bc7c54edf 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -1902,6 +1902,47 @@ The name of the \fBdnsblog\fR(8) service entry in master.cf. This service performs DNS white/blacklist lookups. .PP This feature is available in Postfix 2.8 and later. +.SH dnssec_probe (default: ns:.) +The DNS query type (default: "ns") and DNS query name (default: +".") that Postfix may use to determine whether DNSSEC validation +is available. +.PP +Background: DNSSEC validation is needed for Postfix DANE support; +this ensures that Postfix receives TLSA records with secure TLS +server certificate info. When DNSSEC validation is unavailable, +mail deliveries using \fIopportunistic\fR DANE will not be protected +by server certificate info in TLSA records, and mail deliveries +using \fImandatory\fR DANE will not be made at all. +.PP +By default, a Postfix process will send a DNSSEC probe after +1) the process made a DNS query that requested DNSSEC validation, +2) the process did not receive a DNSSEC validated response to this +query or to an earlier query, and 3) the process did not already +send a DNSSEC probe. +.PP +When the DNSSEC probe has no response, or when the response is +not DNSSEC validated, Postfix logs a warning that DNSSEC validation +may be unavailable. +.PP +Possible reasons why DNSSEC validation may be unavailable: +.IP \(bu +The local /etc/resolv.conf file specifies a DNS resolver that +does not validate DNSSEC signatures (that's +$queue_directory/etc/resolv.conf when a Postfix daemon runs in a +chroot jail). +.IP \(bu +The local system library does not pass on the "DNSSEC validated" +bit to Postfix, or Postfix does not know how to ask the library to +do that. +.br +.PP +By default, the DNSSEC probe asks for the DNS root zone NS +records, because resolvers should always have that information +cached. If Postfix runs on a network where the DNS root zone is not +reachable, specify a different probe, or specify an empty dnssec_probe +value to disable the feature. +.PP +This feature is available in Postfix 3.6 and later. .SH dont_remove (default: 0) Don't remove queue files and save them to the "saved" mail queue. This is a debugging aid. To inspect the envelope information and diff --git a/postfix/man/man8/smtp.8 b/postfix/man/man8/smtp.8 index 6f72db307..ad111897a 100644 --- a/postfix/man/man8/smtp.8 +++ b/postfix/man/man8/smtp.8 @@ -356,6 +356,11 @@ Available in Postfix 3.5 and later: .IP "\fBinfo_log_address_format (external)\fR" The email address form that will be used in non\-debug logging (info, warning, etc.). +.PP +Available in Postfix 3.6 and later: +.IP "\fBdnssec_probe (ns:.)\fR" +The DNS query type (default: "ns") and DNS query name (default: +".") that Postfix may use to determine whether DNSSEC is available. .SH "MIME PROCESSING CONTROLS" .na .nf diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink index b87e1eb80..556b4cde7 100755 --- a/postfix/mantools/postlink +++ b/postfix/mantools/postlink @@ -695,6 +695,8 @@ while (<>) { s;\bsmtp_per_record_deadline\b;$&;g; s;\bsmtp_send_dummy_mail_auth\b;$&;g; s;\bsmtp_balance_inet_protocols\b;$&;g; + s;\binfo_log_address_format\b;$&;g; + s;\bdnssec_probe\b;$&;g; s;\bsmtp_tls_connection_reuse\b;$&;g; s;\blmtp_tls_connection_reuse\b;$&;g; s;\bsmtpd_enforce_tls\b;$&;g; diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index d317f43de..768250b85 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -17842,3 +17842,50 @@ smtpd_sasl_mechanism_filter = /etc/postfix/smtpd_mechs

This feature is available in Postfix 3.6 and later.

+ +%PARAM dnssec_probe ns:. + +

The DNS query type (default: "ns") and DNS query name (default: +".") that Postfix may use to determine whether DNSSEC validation +is available. +

+ +

Background: DNSSEC validation is needed for Postfix DANE support; +this ensures that Postfix receives TLSA records with secure TLS +server certificate info. When DNSSEC validation is unavailable, +mail deliveries using opportunistic DANE will not be protected +by server certificate info in TLSA records, and mail deliveries +using mandatory DANE will not be made at all.

+ +

By default, a Postfix process will send a DNSSEC probe after +1) the process made a DNS query that requested DNSSEC validation, +2) the process did not receive a DNSSEC validated response to this +query or to an earlier query, and 3) the process did not already +send a DNSSEC probe.

+ +

When the DNSSEC probe has no response, or when the response is +not DNSSEC validated, Postfix logs a warning that DNSSEC validation +may be unavailable.

+ +

Possible reasons why DNSSEC validation may be unavailable:

+ +
    + +
  • The local /etc/resolv.conf file specifies a DNS resolver that +does not validate DNSSEC signatures (that's +$queue_directory/etc/resolv.conf when a Postfix daemon runs in a +chroot jail). + +
  • The local system library does not pass on the "DNSSEC validated" +bit to Postfix, or Postfix does not know how to ask the library to +do that. + +
+ +

By default, the DNSSEC probe asks for the DNS root zone NS +records, because resolvers should always have that information +cached. If Postfix runs on a network where the DNS root zone is not +reachable, specify a different probe, or specify an empty dnssec_probe +value to disable the feature.

+ +

This feature is available in Postfix 3.6 and later.

diff --git a/postfix/src/dns/Makefile.in b/postfix/src/dns/Makefile.in index aec91e0b5..795f9ba2a 100644 --- a/postfix/src/dns/Makefile.in +++ b/postfix/src/dns/Makefile.in @@ -1,10 +1,10 @@ SHELL = /bin/sh SRCS = dns_lookup.c dns_rr.c dns_strerror.c dns_strtype.c dns_rr_to_pa.c \ dns_sa_to_rr.c dns_rr_eq_sa.c dns_rr_to_sa.c dns_strrecord.c \ - dns_rr_filter.c dns_str_resflags.c + dns_rr_filter.c dns_str_resflags.c dns_sec.c OBJS = dns_lookup.o dns_rr.o dns_strerror.o dns_strtype.o dns_rr_to_pa.o \ dns_sa_to_rr.o dns_rr_eq_sa.o dns_rr_to_sa.o dns_strrecord.o \ - dns_rr_filter.o dns_str_resflags.o + dns_rr_filter.o dns_str_resflags.o dns_sec.o HDRS = dns.h TESTSRC = test_dns_lookup.c test_alias_token.c DEFS = -I. -I$(INC_DIR) -D$(SYSTYPE) @@ -76,7 +76,7 @@ update: $(LIB_DIR)/$(LIB) $(HDRS) done cd $(INC_DIR); chmod 644 $(HDRS) -test_dns_lookup: test_dns_lookup.c $(LIB) $(LIBS) +test_dns_lookup: test_dns_lookup.c all $(LIB) $(LIBS) $(CC) $(CFLAGS) -o $@ $@.c $(LIB) $(LIBS) $(SYSLIBS) dns_rr_to_pa: $(LIB) $(LIBS) @@ -346,6 +346,18 @@ dns_sa_to_rr.o: ../../include/vbuf.h dns_sa_to_rr.o: ../../include/vstring.h dns_sa_to_rr.o: dns.h dns_sa_to_rr.o: dns_sa_to_rr.c +dns_sec.o: ../../include/check_arg.h +dns_sec.o: ../../include/mail_params.h +dns_sec.o: ../../include/msg.h +dns_sec.o: ../../include/myaddrinfo.h +dns_sec.o: ../../include/mymalloc.h +dns_sec.o: ../../include/sock_addr.h +dns_sec.o: ../../include/split_at.h +dns_sec.o: ../../include/sys_defs.h +dns_sec.o: ../../include/vbuf.h +dns_sec.o: ../../include/vstring.h +dns_sec.o: dns.h +dns_sec.o: dns_sec.c dns_str_resflags.o: ../../include/check_arg.h dns_str_resflags.o: ../../include/myaddrinfo.h dns_str_resflags.o: ../../include/name_mask.h diff --git a/postfix/src/dns/dns.h b/postfix/src/dns/dns.h index 4182aceba..26a346279 100644 --- a/postfix/src/dns/dns.h +++ b/postfix/src/dns/dns.h @@ -256,7 +256,12 @@ extern int dns_get_h_errno(void); (lflags), (ltype)) /* - * Request flags. + * The dns_lookup() rflag that requests DNSSEC validation. + */ +#define DNS_WANT_DNSSEC_VALIDATION(rflags) ((rflags) & RES_USE_DNSSEC) + + /* + * lflags. */ #define DNS_REQ_FLAG_STOP_OK (1<<0) #define DNS_REQ_FLAG_STOP_INVAL (1<<1) @@ -321,6 +326,18 @@ extern int dns_rr_filter_execute(DNS_RR **); */ const char *dns_str_resflags(unsigned long); + /* + * dns_sec.c. + */ +#define DNS_SEC_FLAG_AVAILABLE (1<<0) /* got some DNSSEC validated reply */ +#define DNS_SEC_FLAG_DONT_PROBE (1<<1) /* probe already sent, or disabled */ + +#define DNS_SEC_STATS_SET(flags) (dns_sec_stats |= (flags)) +#define DNS_SEC_STATS_TEST(flags) (dns_sec_stats & (flags)) + +extern int dns_sec_stats; /* See flags below */ +extern void dns_sec_probe(int); + /* LICENSE /* .ad /* .fi diff --git a/postfix/src/dns/dns_lookup.c b/postfix/src/dns/dns_lookup.c index 185f6baf6..61375e23c 100644 --- a/postfix/src/dns/dns_lookup.c +++ b/postfix/src/dns/dns_lookup.c @@ -177,6 +177,12 @@ /* Pointer to storage for the reply RCODE value. This gives /* more detailed information than DNS_FAIL, DNS_RETRY, etc. /* DIAGNOSTICS +/* If DNSSEC validation is requested but the response is not +/* DNSSEC validated, dns_lookup() will send a one-time probe +/* query as configured with the \fBdnssec_probe\fR configuration +/* parameter, and will log a warning when the probe response +/* was not DNSSEC validated. +/* .PP /* dns_lookup() returns one of the following codes and sets the /* \fIwhy\fR argument accordingly: /* .IP DNS_OK @@ -510,7 +516,7 @@ static int dns_query(const char *name, int type, unsigned flags, */ #define XTRA_FLAGS (RES_USE_EDNS0 | RES_TRUSTAD) - if (flags & RES_USE_DNSSEC) + if (DNS_WANT_DNSSEC_VALIDATION(flags)) flags |= (RES_USE_EDNS0 | RES_TRUSTAD); /* @@ -557,6 +563,8 @@ static int dns_query(const char *name, int type, unsigned flags, dns_res_state.options |= saved_options; reply_header = (HEADER *) reply->buf; reply->rcode = reply_header->rcode; + if ((reply->dnssec_ad = !!reply_header->ad) != 0) + DNS_SEC_STATS_SET(DNS_SEC_FLAG_AVAILABLE); if (DNS_GET_H_ERRNO(&dns_res_state) != 0) { if (why) vstring_sprintf(why, "Host or domain name not found. " @@ -610,13 +618,8 @@ static int dns_query(const char *name, int type, unsigned flags, /* * Initialize the reply structure. Some structure members are filled on - * the fly while the reply is being parsed. Coerce AD bit to boolean. + * the fly while the reply is being parsed. */ -#if RES_USE_DNSSEC != 0 - reply->dnssec_ad = (flags & RES_USE_DNSSEC) ? !!reply_header->ad : 0; -#else - reply->dnssec_ad = 0; -#endif SET_HAVE_DNS_REPLY_PACKET(reply, len); reply->query_start = reply->buf + sizeof(HEADER); reply->answer_start = 0; @@ -934,7 +937,9 @@ static int dns_get_answer(const char *orig_name, DNS_REPLY *reply, int type, CORRUPT(DNS_RETRY); if ((status = dns_get_fixed(pos, &fixed)) != DNS_OK) CORRUPT(status); - if (!valid_rr_name(rr_name, "resource name", fixed.type, reply)) + if (strcmp(orig_name, ".") == 0 && *rr_name == 0) + /* Allow empty response name for root queries. */ ; + else if (!valid_rr_name(rr_name, "resource name", fixed.type, reply)) CORRUPT(DNS_INVAL); if (fqdn) vstring_strcpy(fqdn, rr_name); @@ -1022,7 +1027,7 @@ int dns_lookup_x(const char *name, unsigned type, unsigned flags, /* * The Linux resolver misbehaves when given an invalid domain name. */ - if (!valid_hostname(name, DONT_GRIPE)) { + if (strcmp(name, ".") && !valid_hostname(name, DONT_GRIPE)) { if (why) vstring_sprintf(why, "Name service error for %s: invalid host or domain name", @@ -1059,6 +1064,10 @@ int dns_lookup_x(const char *name, unsigned type, unsigned flags, (void) dns_get_answer(orig_name, &reply, T_SOA, rrlist, fqdn, cname, c_len, &maybe_secure); } + if (DNS_WANT_DNSSEC_VALIDATION(flags) + && !DNS_SEC_STATS_TEST(DNS_SEC_FLAG_AVAILABLE | \ + DNS_SEC_FLAG_DONT_PROBE)) + dns_sec_probe(flags); /* XXX Clobbers 'reply' */ return (status); } @@ -1068,6 +1077,10 @@ int dns_lookup_x(const char *name, unsigned type, unsigned flags, */ status = dns_get_answer(orig_name, &reply, type, rrlist, fqdn, cname, c_len, &maybe_secure); + if (DNS_WANT_DNSSEC_VALIDATION(flags) + && !DNS_SEC_STATS_TEST(DNS_SEC_FLAG_AVAILABLE | \ + DNS_SEC_FLAG_DONT_PROBE)) + dns_sec_probe(flags); /* XXX Clobbers 'reply' */ switch (status) { default: if (why) diff --git a/postfix/src/dns/dns_sec.c b/postfix/src/dns/dns_sec.c new file mode 100644 index 000000000..cc1d5bcc2 --- /dev/null +++ b/postfix/src/dns/dns_sec.c @@ -0,0 +1,149 @@ +/*++ +/* NAME +/* dns_sec 3 +/* SUMMARY +/* DNSSEC validation availability +/* SYNOPSIS +/* #include +/* +/* DNS_SEC_STATS_SET( +/* int flags) +/* +/* DNS_SEC_STATS_TEST( +/* int flags) +/* +/* void dns_sec_probe( +/* int rflags) +/* DESCRIPTION +/* This module maintains information about the availability of +/* DNSSEC validation, in global flags that summarize +/* process-lifetime history. +/* .IP DNS_SEC_FLAG_AVAILABLE +/* The process has received at least one DNSSEC validated +/* response to a query that requested DNSSEC validation. +/* .IP DNS_SEC_FLAG_DONT_PROBE +/* The process has sent a DNSSEC probe (see below), or DNSSEC +/* probing is disabled by configuration. +/* .PP +/* DNS_SEC_STATS_SET() sets one or more DNS_SEC_FLAG_* flags, +/* and DNS_SEC_STATS_TEST() returns non-zero if any of the +/* specified flags is set. +/* +/* dns_sec_probe() generates a query to the target specified +/* with the \fBdnssec_probe\fR configuration parameter. It +/* sets the DNS_SEC_FLAG_DONT_PROBE flag, and it calls +/* dns_lookup() which sets DNS_SEC_FLAG_AVAILABLE if it receives +/* a DNSSEC validated response. Preconditions: +/* .IP \(bu +/* The rflags argument must request DNSSEC validation (in the +/* same manner as dns_lookup() rflags argument). +/* .IP \(bu +/* The DNS_SEC_FLAG_AVAILABLE and DNS_SEC_FLAG_DONT_PROBE +/* flags must be false. +/* LICENSE +/* .ad +/* .fi +/* The Secure Mailer license must be distributed with this software. +/* AUTHOR(S) +/* Wietse Venema +/* Google, Inc. +/* 111 8th Avenue +/* New York, NY 10011, USA +/*--*/ + +#include + + /* + * Utility library. + */ +#include +#include +#include +#include + + /* + * Global library. + */ +#include + + /* + * DNS library. + */ +#include + +int dns_sec_stats; + +/* dns_sec_probe - send a probe to establish DNSSEC viability */ + +void dns_sec_probe(int rflags) +{ + const char myname[] = "dns_sec_probe"; + char *saved_dnssec_probe; + char *qname; + int qtype; + DNS_RR *rrlist = 0; + int dns_status; + VSTRING *why; + + /* + * Sanity checks. + */ + if (!DNS_WANT_DNSSEC_VALIDATION(rflags)) + msg_panic("%s: DNSSEC is not requested", myname); + if (DNS_SEC_STATS_TEST(DNS_SEC_FLAG_DONT_PROBE)) + msg_panic("%s: DNSSEC probe was already sent, or probing is disabled", + myname); + if (DNS_SEC_STATS_TEST(DNS_SEC_FLAG_AVAILABLE)) + msg_panic("%s: already have validated DNS response", myname); + + /* + * Don't recurse. + */ + DNS_SEC_STATS_SET(DNS_SEC_FLAG_DONT_PROBE); + + /* + * Don't probe. + */ + if (*var_dnssec_probe == 0) + return; + + /* + * Parse the probe spec. Format is type:resource. + */ + saved_dnssec_probe = mystrdup(var_dnssec_probe); + if ((qname = split_at(saved_dnssec_probe, ':')) == 0 || *qname == 0 + || (qtype = dns_type(saved_dnssec_probe)) == 0) + msg_fatal("malformed %s value: %s format is qtype:qname", + VAR_DNSSEC_PROBE, var_dnssec_probe); + + why = vstring_alloc(100); + dns_status = dns_lookup(qname, qtype, rflags, &rrlist, (char) 0, why); + switch (dns_status) { + default: + if (!DNS_SEC_STATS_TEST(DNS_SEC_FLAG_AVAILABLE)) + msg_warn(VAR_DNSSEC_PROBE + " '%s' got a response that is not DNSSEC validated", + var_dnssec_probe); + if (rrlist) + dns_rr_free(rrlist); + break; + case DNS_POLICY: + msg_warn(VAR_DNSSEC_PROBE + " '%s' response was deleted by DNS reply filter", + var_dnssec_probe); + break; + case DNS_RETRY: + case DNS_FAIL: + msg_warn(VAR_DNSSEC_PROBE " '%s' got no response: %s", + var_dnssec_probe, vstring_str(why)); + break; + } + if (!DNS_SEC_STATS_TEST(DNS_SEC_FLAG_AVAILABLE)) + msg_warn("DNSSEC support may be unavailable"); + else if (msg_verbose) + msg_info(VAR_DNSSEC_PROBE + " '%s' got a response that is DNSSEC validated", + var_dnssec_probe); + myfree(saved_dnssec_probe); + vstring_free(why); +} diff --git a/postfix/src/dns/test_dns_lookup.c b/postfix/src/dns/test_dns_lookup.c index 003fc3992..8366cf7c0 100644 --- a/postfix/src/dns/test_dns_lookup.c +++ b/postfix/src/dns/test_dns_lookup.c @@ -77,6 +77,9 @@ int main(int argc, char **argv) int ch; int lflags = DNS_REQ_FLAG_NONE; + if (var_dnssec_probe == 0) + var_dnssec_probe = mystrdup(DEF_DNSSEC_PROBE); + msg_vstream_init(argv[0], VSTREAM_ERR); while ((ch = GETOPT(argc, argv, "f:npv")) > 0) { switch (ch) { diff --git a/postfix/src/global/mail_params.c b/postfix/src/global/mail_params.c index 0efd00eda..b609c38a4 100644 --- a/postfix/src/global/mail_params.c +++ b/postfix/src/global/mail_params.c @@ -156,6 +156,8 @@ /* char *var_maillog_file_comp; /* char *var_maillog_file_stamp; /* char *var_postlog_service; +/* +/* char *var_dnssec_probe; /* DESCRIPTION /* This module (actually the associated include file) defines /* the names and defaults of all mail configuration parameters. @@ -366,6 +368,8 @@ char *var_maillog_file_comp; char *var_maillog_file_stamp; char *var_postlog_service; +char *var_dnssec_probe; + const char null_format_string[1] = ""; /* @@ -717,6 +721,7 @@ void mail_params_init() VAR_MAILLOG_FILE_COMP, DEF_MAILLOG_FILE_COMP, &var_maillog_file_comp, 1, 0, VAR_MAILLOG_FILE_STAMP, DEF_MAILLOG_FILE_STAMP, &var_maillog_file_stamp, 1, 0, VAR_POSTLOG_SERVICE, DEF_POSTLOG_SERVICE, &var_postlog_service, 1, 0, + VAR_DNSSEC_PROBE, DEF_DNSSEC_PROBE, &var_dnssec_probe, 0, 0, 0, }; static const CONFIG_BOOL_TABLE first_bool_defaults[] = { diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index 2578c7af1..e41bffab4 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -4218,6 +4218,13 @@ extern int var_postlogd_watchdog; #define DEF_INFO_LOG_ADDR_FORM INFO_LOG_ADDR_FORM_NAME_EXTERNAL extern char *var_info_log_addr_form; + /* + * DNSSEC probing, to find out if DNSSEC validation is available. + */ +#define VAR_DNSSEC_PROBE "dnssec_probe" +#define DEF_DNSSEC_PROBE "ns:." +extern char *var_dnssec_probe; + /* LICENSE /* .ad /* .fi diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 129950725..8c387cd1e 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20200925" +#define MAIL_RELEASE_DATE "20200930" #define MAIL_VERSION_NUMBER "3.6" #ifdef SNAPSHOT diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c index ecab89f8d..a89dcdb03 100644 --- a/postfix/src/smtp/smtp.c +++ b/postfix/src/smtp/smtp.c @@ -330,6 +330,11 @@ /* .IP "\fBinfo_log_address_format (external)\fR" /* The email address form that will be used in non-debug logging /* (info, warning, etc.). +/* .PP +/* Available in Postfix 3.6 and later: +/* .IP "\fBdnssec_probe (ns:.)\fR" +/* The DNS query type (default: "ns") and DNS query name (default: +/* ".") that Postfix may use to determine whether DNSSEC is available. /* MIME PROCESSING CONTROLS /* .ad /* .fi