postfix-3.6-20200627

postfix/HISTORY

@@ -24899,3 +24899,23 @@ Apologies for any names omitted.
 	reuse was broken for configurations that use explicit trust
 	anchors. Reported by Thorsten Habich. Fixed by calling DANE
 	initialization unconditionally (WTF). File: tlsproxy/tlsproxy.c.
+
+20200626
+
+	Typo: in postconf(5) documentation, AAAAA should be AAAA.
+	Christian Franke.  File: proto/postconf.proto.
+
+	Bugfix (introduced: Postfix 2.11): The Postfix smtp(8)
+	client did not send the right SNI name when the TLSA base
+	domain was a secure CNAME expansion of the MX hostname (or
+	non-MX nexthop domain). Domains with CNAME expanded MX
+	hosts are not conformant with RFC5321, and so are rare.
+	Even more rare are MX hosts with TLSA records for their
+	CNAME expansion. For this to matter, the remote SMTP server
+	would also have to select its certificate based on the SNI
+	name in such a way that the original MX host would yield a
+	different certificate. Among the ~2 million hosts in the
+	DANE survey, none meet the conditions for returning a
+	different certificate for the expanded CNAME. Therefore,
+	sending the correct SNI name should not break existing mail
+	flows. Fixed by Viktor Dukhovni. File: src/tls/tls_client.c.

postfix/html/postconf.5.html

@@ -10936,7 +10936,7 @@ lookups through nsswitch.conf or equivalent mechanisms.  </p>
 
 <li> <p> The Postfix SMTP/LMTP client uses <a href="postconf.5.html#smtp_dns_reply_filter">smtp_dns_reply_filter</a>
 and <a href="postconf.5.html#lmtp_dns_reply_filter">lmtp_dns_reply_filter</a> only to discover a remote SMTP or LMTP
-service (record types MX, A, AAAAA, and TLSA).  These lookups are
+service (record types MX, A, AAAA, and TLSA).  These lookups are
 also made to implement the features <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a> and
 <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a>.  </p>
 
@@ -10944,7 +10944,7 @@ also made to implement the features <a href="postconf.5.html#reject_unverified_s
 a filter removes all lookup results from a successful query.  </p>
 
 <li> <p> Postfix SMTP server uses <a href="postconf.5.html#smtpd_dns_reply_filter">smtpd_dns_reply_filter</a> only to
-look up MX, A, AAAAA, and TXT records to implement the features
+look up MX, A, AAAA, and TXT records to implement the features
 <a href="postconf.5.html#reject_unknown_helo_hostname">reject_unknown_helo_hostname</a>, <a href="postconf.5.html#reject_unknown_sender_domain">reject_unknown_sender_domain</a>,
 <a href="postconf.5.html#reject_unknown_recipient_domain">reject_unknown_recipient_domain</a>, reject_rbl_*, and reject_rhsbl_*.
 </p>

postfix/man/man5/postconf.5

@@ -6858,7 +6858,7 @@ lookups through nsswitch.conf or equivalent mechanisms.
 .IP \(bu
 The Postfix SMTP/LMTP client uses smtp_dns_reply_filter
 and lmtp_dns_reply_filter only to discover a remote SMTP or LMTP
-service (record types MX, A, AAAAA, and TLSA).  These lookups are
+service (record types MX, A, AAAA, and TLSA).  These lookups are
 also made to implement the features reject_unverified_sender and
 reject_unverified_recipient.
 .IP \(bu
@@ -6866,7 +6866,7 @@ The Postfix SMTP/LMTP client defers mail delivery when
 a filter removes all lookup results from a successful query.
 .IP \(bu
 Postfix SMTP server uses smtpd_dns_reply_filter only to
-look up MX, A, AAAAA, and TXT records to implement the features
+look up MX, A, AAAA, and TXT records to implement the features
 reject_unknown_helo_hostname, reject_unknown_sender_domain,
 reject_unknown_recipient_domain, reject_rbl_*, and reject_rhsbl_*.
 .IP \(bu

postfix/proto/postconf.proto

@@ -16704,7 +16704,7 @@ lookups through nsswitch.conf or equivalent mechanisms.  </p>
 
 <li> <p> The Postfix SMTP/LMTP client uses smtp_dns_reply_filter
 and lmtp_dns_reply_filter only to discover a remote SMTP or LMTP
-service (record types MX, A, AAAAA, and TLSA).  These lookups are
+service (record types MX, A, AAAA, and TLSA).  These lookups are
 also made to implement the features reject_unverified_sender and
 reject_unverified_recipient.  </p>
 
@@ -16712,7 +16712,7 @@ reject_unverified_recipient.  </p>
 a filter removes all lookup results from a successful query.  </p>
 
 <li> <p> Postfix SMTP server uses smtpd_dns_reply_filter only to
-look up MX, A, AAAAA, and TXT records to implement the features
+look up MX, A, AAAA, and TXT records to implement the features
 reject_unknown_helo_hostname, reject_unknown_sender_domain,
 reject_unknown_recipient_domain, reject_rbl_*, and reject_rhsbl_*.
 </p>

postfix/src/global/mail_version.h

@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20200620"
+#define MAIL_RELEASE_DATE	"20200627"
 #define MAIL_VERSION_NUMBER	"3.6"
 
 #ifdef SNAPSHOT

postfix/src/tls/tls_client.c

@@ -1018,11 +1018,19 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props)
 	 * avoid SNI, and there are no plans to support SNI in the Postfix
 	 * SMTP server).
 	 * 
+	 * Per RFC7672, the required SNI name is the TLSA "base domain" (the one
+	 * used to construct the "_25._tcp.<fqdn>" TLSA record DNS query).
+	 * 
 	 * Since the hostname is DNSSEC-validated, it must be a DNS FQDN and
 	 * thererefore valid for use with SNI.
 	 */
-	sni = props->host;
+	sni = props->dane->base_domain;
     } else if (props->sni && *props->sni) {
+
+	/*
+	 * MTA-STS policy plugin compatibility: with servername=hostname,
+	 * Postfix must send the MX hostname (not CNAME expanded).
+	 */
 	if (strcmp(props->sni, "hostname") == 0)
 	    sni = props->host;
 	else if (strcmp(props->sni, "nexthop") == 0)