diff --git a/postfix/HISTORY b/postfix/HISTORY index f6abede77..43dd50fc9 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -24899,3 +24899,23 @@ Apologies for any names omitted. reuse was broken for configurations that use explicit trust anchors. Reported by Thorsten Habich. Fixed by calling DANE initialization unconditionally (WTF). File: tlsproxy/tlsproxy.c. + +20200626 + + Typo: in postconf(5) documentation, AAAAA should be AAAA. + Christian Franke. File: proto/postconf.proto. + + Bugfix (introduced: Postfix 2.11): The Postfix smtp(8) + client did not send the right SNI name when the TLSA base + domain was a secure CNAME expansion of the MX hostname (or + non-MX nexthop domain). Domains with CNAME expanded MX + hosts are not conformant with RFC5321, and so are rare. + Even more rare are MX hosts with TLSA records for their + CNAME expansion. For this to matter, the remote SMTP server + would also have to select its certificate based on the SNI + name in such a way that the original MX host would yield a + different certificate. Among the ~2 million hosts in the + DANE survey, none meet the conditions for returning a + different certificate for the expanded CNAME. Therefore, + sending the correct SNI name should not break existing mail + flows. Fixed by Viktor Dukhovni. File: src/tls/tls_client.c. diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 7ba6400f0..a29f9223e 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -10936,7 +10936,7 @@ lookups through nsswitch.conf or equivalent mechanisms.
The Postfix SMTP/LMTP client uses smtp_dns_reply_filter and lmtp_dns_reply_filter only to discover a remote SMTP or LMTP -service (record types MX, A, AAAAA, and TLSA). These lookups are +service (record types MX, A, AAAA, and TLSA). These lookups are also made to implement the features reject_unverified_sender and reject_unverified_recipient.
@@ -10944,7 +10944,7 @@ also made to implement the features smtpd_dns_reply_filter only to -look up MX, A, AAAAA, and TXT records to implement the features +look up MX, A, AAAA, and TXT records to implement the features reject_unknown_helo_hostname, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_*, and reject_rhsbl_*. diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index b40a82b42..db912da01 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -6858,7 +6858,7 @@ lookups through nsswitch.conf or equivalent mechanisms. .IP \(bu The Postfix SMTP/LMTP client uses smtp_dns_reply_filter and lmtp_dns_reply_filter only to discover a remote SMTP or LMTP -service (record types MX, A, AAAAA, and TLSA). These lookups are +service (record types MX, A, AAAA, and TLSA). These lookups are also made to implement the features reject_unverified_sender and reject_unverified_recipient. .IP \(bu @@ -6866,7 +6866,7 @@ The Postfix SMTP/LMTP client defers mail delivery when a filter removes all lookup results from a successful query. .IP \(bu Postfix SMTP server uses smtpd_dns_reply_filter only to -look up MX, A, AAAAA, and TXT records to implement the features +look up MX, A, AAAA, and TXT records to implement the features reject_unknown_helo_hostname, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_*, and reject_rhsbl_*. .IP \(bu diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 8c42da554..b5ea36aed 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto 
@@ -16704,7 +16704,7 @@ lookups through nsswitch.conf or equivalent mechanisms.The Postfix SMTP/LMTP client uses smtp_dns_reply_filter and lmtp_dns_reply_filter only to discover a remote SMTP or LMTP -service (record types MX, A, AAAAA, and TLSA). These lookups are +service (record types MX, A, AAAA, and TLSA). These lookups are also made to implement the features reject_unverified_sender and reject_unverified_recipient.
@@ -16712,7 +16712,7 @@ reject_unverified_recipient. a filter removes all lookup results from a successful query.Postfix SMTP server uses smtpd_dns_reply_filter only to -look up MX, A, AAAAA, and TXT records to implement the features +look up MX, A, AAAA, and TXT records to implement the features reject_unknown_helo_hostname, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_*, and reject_rhsbl_*.
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index e76173c87..1326f7b26 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20200620" +#define MAIL_RELEASE_DATE "20200627" #define MAIL_VERSION_NUMBER "3.6" #ifdef SNAPSHOT diff --git a/postfix/src/tls/tls_client.c b/postfix/src/tls/tls_client.c index c12e48cbb..139f0204f 100644 --- a/postfix/src/tls/tls_client.c +++ b/postfix/src/tls/tls_client.c @@ -1018,11 +1018,19 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props) * avoid SNI, and there are no plans to support SNI in the Postfix * SMTP server). * + * Per RFC7672, the required SNI name is the TLSA "base domain" (the one + * used to construct the "_25._tcp.
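Review bot: in the new 20200626 HISTORY entry, the reference "File: src/tls/tls_client.c" does not follow the convention of the surrounding entries, which give C source paths relative to src/ (compare "File: tlsproxy/tlsproxy.c" in the entry just above); write it as "File: tls/tls_client.c". Listing only proto/postconf.proto for the AAAA typo is correct, since the html and man page copies are regenerated from it.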
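Review bot: the context line "Postfix SMTP server uses smtpd_dns_reply_filter only to" in the second proto/postconf.proto hunk lacks the article that the sibling item uses ("The Postfix SMTP/LMTP client uses smtp_dns_reply_filter ..."); consider "The Postfix SMTP server uses smtpd_dns_reply_filter only to". As with the AAAAA to AAAA fix, make it in proto/postconf.proto only and regenerate: html/postconf.5.html and man/man5/postconf.5 are derived from the proto, and the regenerated copies in this patch agree with it.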
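Review bot: MAIL_RELEASE_DATE moves to "20200627" while the HISTORY entry added in this patch is dated 20200626; a one-day gap is consistent with the comment above the define (snapshots have no patchlevel and change the release date only), but confirm it is intentional and that no 20200627 HISTORY entry was left out.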
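Review bot: the src/tls/tls_client.c hunk is cut off in the middle of the new comment (after "_25._tcp."), so the code that chooses the SNI name cannot be reviewed here; the header "@@ -1018,11 +1018,19 @@" shows eight added lines in total. When the full hunk is available, check that the TLSA base domain is used as the SNI name both for a CNAME-expanded MX host and for the non-MX nexthop domain case named in the HISTORY entry, and have the comment say what was sent before (the MX hostname rather than the TLSA base domain) so a reader can see what the RFC 7672 reference changes.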