postfix-3.6-20200620

postfix/HISTORY

@@ -24867,3 +24867,35 @@ Apologies for any names omitted.
 	sent a TLSv1.3 HelloRetryRequest (HRR) to a remote SMTP
 	client. Reported by Ján Máté, fixed by Viktor Dukhovni.
 	File: tls/tls_misc.c.
+
+20200617
+
+	Bugfix (introduced: Postfix 3.4): the connection_reuse
+	attribute in smtp_tls_policy_maps resulted in an "invalid
+	attribute name" error. Fix by Thorsten Habich. File:
+	smtp/smtp_tls_policy.c.
+
+20200618
+
+	Documentation: documented that smtp_line_length_limit=0
+	disables the feature, and made this more explicit in the
+	code by using the ENFORCING_SIZE_LIMIT macro. Files:
+	proto/postconf.proto, smtp/smtp_proto.c.
+
+20200619
+
+	Bugfix (introduced: Postfix 3.4): SMTP over TLS connection
+	reuse was broken for configurations that use explicit trust
+	anchors. Reported by Thorsten Habich. Cause: the tlsproxy
+	client was sending a zero certificate length. File:
+	tls/tls_proxy_client_print.c.
+
+	Bugfix: posttls-finger reported a conflict betwen -X and
+	-r when only -X was used. File: posttls-finger/posttls-finger.c.
+
+20200620
+
+	Bugfix (introduced: Postfix 3.4): SMTP over TLS connection
+	reuse was broken for configurations that use explicit trust
+	anchors. Reported by Thorsten Habich. Fixed by calling DANE
+	initialization unconditionally (WTF). File: tlsproxy/tlsproxy.c.

postfix/WISHLIST

@@ -1,5 +1,8 @@
 Wish list:
 
+	Move the tls_dane_avail() and DANE-requested test into
+	tls_client_start().
+
 	DNS wrapper class, like XSASL, to support different stub
 	resolvers without contaminating Postfix programs with the
 	idiosyncracies of stub resolvers. Handle differences in

postfix/html/postconf.5.html

@@ -11285,7 +11285,7 @@ The maximal length of message header and body lines that Postfix
 will send via SMTP. This limit does not include the <CR><LF>
 at the end of each line.  Longer lines are broken by inserting
 "<CR><LF><SPACE>", to minimize the damage to MIME
-formatted mail.
+formatted mail. Specify zero to disable this limit.
 </p>
 
 <p>

postfix/man/man5/postconf.5

@@ -7117,7 +7117,7 @@ The maximal length of message header and body lines that Postfix
 will send via SMTP. This limit does not include the <CR><LF>
 at the end of each line.  Longer lines are broken by inserting
 "<CR><LF><SPACE>", to minimize the damage to MIME
-formatted mail.
+formatted mail. Specify zero to disable this limit.
 .PP
 The Postfix limit of 998 characters not including <CR><LF>
 is consistent with the SMTP limit of 1000 characters including

postfix/proto/postconf.proto

@@ -4400,7 +4400,7 @@ The maximal length of message header and body lines that Postfix
 will send via SMTP. This limit does not include the <CR><LF>
 at the end of each line.  Longer lines are broken by inserting
 "<CR><LF><SPACE>", to minimize the damage to MIME
-formatted mail.
+formatted mail. Specify zero to disable this limit.
 </p>
 
 <p>

postfix/src/global/mail_version.h

@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20200610"
+#define MAIL_RELEASE_DATE	"20200620"
 #define MAIL_VERSION_NUMBER	"3.6"
 
 #ifdef SNAPSHOT

postfix/src/posttls-finger/posttls-finger.c

@@ -1988,7 +1988,7 @@ static void parse_options(STATE *state, int argc, char *argv[])
 	msg_fatal("bad '-a' option value: %s", state->options.addr_pref);
 
 #ifdef USE_TLS
-    if (state->tlsproxy_mode && state->reconnect)
+    if (state->tlsproxy_mode && state->reconnect >= 0)
 	msg_fatal("The -X and -r options are mutually exclusive");
 #endif
 

postfix/src/smtp/smtp_proto.c

@@ -1179,7 +1179,8 @@ static void smtp_text_out(void *context, int rec_type,
 	if (state->space_left == var_smtp_line_limit
 	    && data_left > 0 && *data_start == '.')
 	    smtp_fputc('.', session->stream);
-	if (var_smtp_line_limit > 0 && data_left >= state->space_left) {
+	if (ENFORCING_SIZE_LIMIT(var_smtp_line_limit)
+	    && data_left >= state->space_left) {
 	    smtp_fputs(data_start, state->space_left, session->stream);
 	    data_start += state->space_left;
 	    data_left -= state->space_left;

postfix/src/smtp/smtp_tls_policy.c

@@ -389,6 +389,7 @@ static void tls_policy_lookup_one(SMTP_TLS_POLICY *tls, int *site_level,
 			 WHERE, name, val);
 		INVALID_RETURN(tls->why, site_level);
 	    }
+	    continue;
 	}
 	msg_warn("%s: invalid attribute name: \"%s\"", WHERE, name);
 	INVALID_RETURN(tls->why, site_level);

postfix/src/tls/tls_proxy_client_print.c

@@ -213,6 +213,7 @@ static int tls_proxy_client_certs_print(ATTR_PRINT_COMMON_FN print_fn,
 	    i2d_X509(tp->cert, &bp);
 	    if ((char *) bp - STR(buf) != len)
 		msg_panic("i2d_X509 failed to encode certificate");
+	    vstring_set_payload_size(buf, len);
 	    ret = print_fn(fp, flags | ATTR_FLAG_MORE,
 			   SEND_ATTR_DATA(TLS_ATTR_CERT, LEN(buf), STR(buf)),
 			   ATTR_TYPE_END);
@@ -258,6 +259,7 @@ static int tls_proxy_client_pkeys_print(ATTR_PRINT_COMMON_FN print_fn,
 	    i2d_PUBKEY(tp->pkey, &bp);
 	    if ((char *) bp - STR(buf) != len)
 		msg_panic("i2d_PUBKEY failed to encode public key");
+	    vstring_set_payload_size(buf, len);
 	    ret = print_fn(fp, flags | ATTR_FLAG_MORE,
 			   SEND_ATTR_DATA(TLS_ATTR_PKEY, LEN(buf), STR(buf)),
 			   ATTR_TYPE_END);

postfix/src/tlsproxy/tlsproxy.c

@@ -997,12 +997,12 @@ static int tlsp_client_start_pre_handshake(TLSP_STATE *state)
     state->client_start_props->ctx = state->appl_state;
     state->client_start_props->fd = state->ciphertext_fd;
     /* These predicates and warning belong inside tls_client_start(). */
-    if (!TLS_DANE_BASED(state->client_start_props->tls_level)
+    if (!tls_dane_avail()			/* mandatory side effects!! */
-	|| tls_dane_avail())
+	&&TLS_DANE_BASED(state->client_start_props->tls_level))
-	state->tls_context = tls_client_start(state->client_start_props);
-    else
 	msg_warn("%s: DANE requested, but not available",
 		 state->client_start_props->namaddr);
+    else
+	state->tls_context = tls_client_start(state->client_start_props);
     if (state->tls_context != 0)
 	return (TLSP_STAT_OK);