From 0f39d92148c1bcedd039fd8778a8cd2e082ca3ad Mon Sep 17 00:00:00 2001 From: Wietse Venema Date: Tue, 12 Dec 2023 00:00:00 -0500 Subject: [PATCH] postfix-3.9-20231212 --- postfix/HISTORY | 7 +++++++ postfix/src/global/mail_version.h | 2 +- postfix/src/posttls-finger/posttls-finger.c | 12 ++++++++---- 3 files changed, 16 insertions(+), 5 deletions(-) diff --git a/postfix/HISTORY b/postfix/HISTORY index b93c5e051..3ddec8b18 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -27603,3 +27603,10 @@ Apologies for any names omitted. Feature: the pipe(8) delivery agent supports an ${envid} command-line attribute that expands to the RFC 3461 envelope ID if available. File: pipe/pipe.c. + +20231211 + + Cleanup: posttls-finger certificate match expectations for + all TLS security levels, including warnings for levels that + don't implement certificate matching. Viktor Dukhovni. + File: posttls-finger.c. diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 77f2ae7f7..040b19e42 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20231210" +#define MAIL_RELEASE_DATE "20231212" #define MAIL_VERSION_NUMBER "3.9" #ifdef SNAPSHOT diff --git a/postfix/src/posttls-finger/posttls-finger.c b/postfix/src/posttls-finger/posttls-finger.c index 91bbc6669..9df556082 100644 --- a/postfix/src/posttls-finger/posttls-finger.c +++ b/postfix/src/posttls-finger/posttls-finger.c @@ -839,7 +839,7 @@ static int starttls(STATE *state) state->ddane : state->dane); #define PROXY_OPEN_FLAGS \ - (TLS_PROXY_FLAG_ROLE_CLIENT | TLS_PROXY_FLAG_SEND_CONTEXT) + (TLS_PROXY_FLAG_ROLE_CLIENT | TLS_PROXY_FLAG_SEND_CONTEXT) #define var_tlsproxy_service if ((cwd_fd = open(".", O_RDONLY)) < 0) 
@@ -900,7 +900,7 @@ static int starttls(STATE *state) if (state->tls_context) { if (state->log_mask & (TLS_LOG_CERTMATCH | TLS_LOG_VERBOSE | TLS_LOG_PEERCERT)) { - if (state->tls_context->stoc_rpk) + if (state->tls_context->stoc_rpk) msg_info("%s: pkey_fingerprint=%s", state->namaddrport, state->tls_context->peer_pkey_fprint); else @@ -911,7 +911,7 @@ static int starttls(STATE *state) state->tls_context->issuer_CN, state->tls_context->peer_cert_fprint, state->tls_context->peer_pkey_fprint); - } + } tls_log_summary(TLS_ROLE_CLIENT, TLS_USAGE_NEW, state->tls_context); } else { @@ -1252,7 +1252,7 @@ static DNS_RR *addr_one(STATE *state, DNS_RR *addr_list, const char *host, * should not clobber a soft error text and status code. */ #define RETRY_AI_ERROR(e) \ - ((e) == EAI_AGAIN || (e) == EAI_MEMORY || (e) == EAI_SYSTEM) + ((e) == EAI_AGAIN || (e) == EAI_MEMORY || (e) == EAI_SYSTEM) #ifdef EAI_NODATA #define DSN_NOHOST(e) \ ((e) == EAI_AGAIN || (e) == EAI_NODATA || (e) == EAI_NONAME) @@ -2145,8 +2145,12 @@ static void parse_match(STATE *state, int argc, char *argv[]) switch (state->level) { default: state->match = 0; + if (*argv) + msg_warn("TLS level '%s' does not implement certificate matching", + str_tls_level(state->level)); break; case TLS_LEV_DANE: + case TLS_LEV_DANE_ONLY: case TLS_LEV_SECURE: state->match = argv_alloc(2); while (*argv)
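Review bot: The new warning in the `default:` branch names the level that lacks certificate matching but does not say that the match expectations the user supplied are being discarded (`state->match = 0;` on the line above it), so a scripted run that passes patterns at, say, level "encrypt" logs the warning yet presumably continues and reports the session as if no matching had been requested. I would make the consequence explicit and name the first dropped argument: `msg_warn("TLS level '%s' does not implement certificate matching; ignoring '%s' and any further match expectations", str_tls_level(state->level), *argv);`. Since posttls-finger exists to predict what the Postfix SMTP client would actually verify, it is worth considering whether such a mismatch should be fatal rather than a warning, though the HISTORY entry shows a warning was the intent here. The `if (*argv)` check also dereferences the vector without consulting `argc`, which relies on the caller passing a NULL-terminated `argv`; a one-line comment stating that contract would help, e.g. `/* argv is NULL-terminated; argc is not consulted here */`. parse_match's switch starts before the hunk and continues past its last line.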