postfix-3.10-20240927

postfix/HISTORY

@@ -28301,3 +28301,15 @@ Apologies for any names omitted.
 	File: mantools/check-snapshot-nonprod.
 
 	First general Postfix release with TLSRPT support.
+
+20240927
+
+	Feature: new parameter smtp_tlsrpt_skip_reused_handshakes
+	(default: yes) to suppress TLSRPT status reports for TLS
+	handshakes that reuse a previously-negotiated TLS session
+	(there would be no new information to report). Specify "no"
+	for TLSRPT troubleshooting. Files: mantools/postlink,
+	proto/TLSRPT_README.html, proto/postconf.proto, smtp/smtp.c,
+	smtp/smtp_params.c, smtp/smtp_tlsrpt.c, tls/tls_client.c,
+	tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c,
+	tls/tlsrpt_wrapper.c, tls/tlsrpt_wrapper.h.

postfix/README_FILES/TLSRPT_README

@@ -133,9 +133,12 @@ daemon:
     [ipaddr],
         failure_type=validation_failure, failure_reason=self-signed_certificate
 
-Note: Postfix logs and reports TLSRPT status only for TLS handshakes on a new
-SMTP connection. There is no TLSRPT status logging for a reused SMTP
-connection. Such connections have Postfix SMTP client logging like this:
+Notes:
+
+  * Postfix logs and reports the TLSRPT status only for TLS handshakes on a new
+    SMTP connection. There is no TLS handshake, and thus no TLSRPT status
+    logging, when an SMTP connection is reused. Such connections have Postfix
+    SMTP client logging like this:
 
     Verified TTLLSS ccoonnnneeccttiioonn rreeuusseedd to mail.example.com[ipaddr]:25:
         TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
@@ -143,25 +146,32 @@ connection. Such connections have Postfix SMTP client logging like this:
     Untrusted TTLLSS ccoonnnneeccttiioonn rreeuusseedd to mail.example.com[ipaddr]:25:
         TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
 
-Postfix logs certificate verification failures with a level of detail that is
-different for a new or reused TLS session.
+  * By default, Postfix does not report the TLSRPT status for a TLS handshake
+    that reuses a previously-negotiated TLS session (there would be no new
+    information to report). Specify "smtp_tlsrpt_skip_reused_handshakes = no"
+    to report the TLSRPT status for all TLS handshakes. This may be useful for
+    troubleshooting.
 
-  * A new TLS session is logged with certificate verification failure details:
+  * Postfix logging for certificate verification failures may differ between
+    new or reused TLS sessions.
 
-    TLSRPT: status=failure, domain=example.org, receiving_mx=mail.example.org
-    [ipaddr],
-        ffaaiilluurree__ttyyppee==vvaalliiddaattiioonn__ffaaiilluurree, ffaaiilluurree__rreeaassoonn==sseellff--ssiiggnneedd__cceerrttiiffiiccaattee
+      o New TLS session:
 
-  * A reused TLS session is indicated as shown below, and has no certificate
-    verification details:
+        TLSRPT: status=failure, domain=example.org,
+        receiving_mx=mail.example.org[ipaddr],
+            ffaaiilluurree__ttyyppee==vvaalliiddaattiioonn__ffaaiilluurree, ffaaiilluurree__rreeaassoonn==sseellff--
+        ssiiggnneedd__cceerrttiiffiiccaattee
 
-    mail.example.org[ipaddr]:25: rree--uussiinngg sseessssiioonn with untrusted peer
-        credential, look for details earlier in the log
-    TLSRPT: status=failure, domain=example.org, receiving_mx=mail.example.org
-    [ipaddr],
-        ffaaiilluurree__ttyyppee==cceerrttiiffiiccaattee__nnoott__ttrruusstteedd
+      o Reused TLS session:
 
-Some Postfix users may wonder where the difference comes from. So this is why.
+        mail.example.org[ipaddr]:25: rree--uussiinngg sseessssiioonn with untrusted peer
+            credential, look for details earlier in the log
+        TLSRPT: status=failure, domain=example.org,
+        receiving_mx=mail.example.org[ipaddr],
+            ffaaiilluurree__ttyyppee==cceerrttiiffiiccaattee__nnoott__ttrruusstteedd
+
+    The logging may differ because a reused TLS session does not have the
+    details for why TLS authentication failed.
 
 DDeelliivveerriinngg TTLLSSRRPPTT ssuummmmaarriieess vviiaa eemmaaiill
 
@@ -258,16 +268,16 @@ datatracker.ietf.org/doc/html/rfc8460#section-4.5.
 
 LLiimmiittaattiioonnss
 
-The Postfix TLSRPT implementation reports at most one final TLS handshake
-status (either 'success' or 'failure') per connection. Postfix TLSRPT cannot
-report a failure and then later report a final status of 'success' for that
-same connection. The reason is that it's too complicated to filter TLS errors
-and to report error details from the TLS engine back to the SMTP protocol
-engine. It just is not how Postfix works internally.
-
 The Postfix TLSRPT implementation reports only TLS handshake success or
-failure. It does not report failure to connect, or connections that break after
-a successful TLS handshake.
+failure. It does not report failure to connect, or connections that break
+before or after a TLS handshake.
+
+The Postfix TLSRPT implementation reports at most one final TLS handshake
+status (either 'success' or 'failure') per SMTP connection. Postfix TLSRPT will
+not report a recoverable failure and then later report a final status of
+'success' for that same connection. The reason is that it's too complicated to
+filter TLS errors and to report error details from the TLS engine back to the
+SMTP protocol engine. It just is not how Postfix works internally.
 
 CCrreeddiittss
 

postfix/WISHLIST

@@ -7,7 +7,9 @@ Wish list:
 	Disable -DSNAPSHOT and -DNONPROD in makedefs.
 
 	Add smtp_tlsrpt_allow_list feature (default: static:all) to limit
-	the domains for which Postfix generates TLSRPT daily sumamries.
+	the domains for which Postfix generates TLSRPT daily summaries.
+
+	Rename TLS_SESS_STATE.rpt_reported to skip_tlsrpt_report.
 
 	Add unit tests for smtp_tlsrpt.c, tlstrpd_wrapper.c, ...
 

postfix/html/TLSRPT_README.html

@@ -105,8 +105,8 @@ and MTA-STS (through an <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_
 engine. With "<a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> = no", the <a href="smtp.8.html">smtp(8)</a> client
 process also implements the TLS client engine. With
 "<a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> = yes", the <a href="smtp.8.html">smtp(8)</a> client process
-delegates TLS processing to a Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> process.  Either
-way, Postfix will generate the exact same TLSRPT events.  </p>
+delegates TLS processing to a Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> process. Either
+way, Postfix will generate the exact same TLSRPT events. </p>
 
 <h2> <a name="building"> Building Postfix with TLSRPT support </a>
 </h2>
@@ -211,12 +211,15 @@ TLSRPT: status=failure, domain=example.net, receiving_mx=mail.example.net[ipaddr
 </pre>
 </blockquote>
 
-<p> Note: Postfix logs and reports TLSRPT status only for TLS
-handshakes on a new SMTP connection. There is no TLSRPT status
-logging for a reused SMTP connection. Such connections have 
-Postfix SMTP client logging like this: </p>
+<p> Notes: </p>
+
+<ul> 
+
+<li> <p> Postfix logs and reports the TLSRPT status only for TLS
+handshakes on a new SMTP connection. There is no TLS handshake, and
+thus no TLSRPT status logging, when an SMTP connection is reused.
+Such connections have Postfix SMTP client logging like this: </p>
 
-<blockquote> 
 <pre>
 Verified <b>TLS connection reused</b> to mail.example.com[ipaddr]:25:
     TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
@@ -224,23 +227,28 @@ Verified <b>TLS connection reused</b> to mail.example.com[ipaddr]:25:
 Untrusted <b>TLS connection reused</b> to mail.example.com[ipaddr]:25:
     TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
 </pre>
-</blockquote>
 
-<p> Postfix logs certificate verification failures with a level of
-detail that is different for a new or reused TLS session. </p>
+<li> <p> By default, Postfix does not report the TLSRPT status for
+a TLS handshake that reuses a previously-negotiated TLS session
+(there would be no new information to report). Specify
+"<a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a> = no" to report the TLSRPT
+status for all TLS handshakes. This may be useful for troubleshooting.
+</p>
+
+<li> <p> Postfix logging for certificate verification failures may
+differ between new or reused TLS sessions. </p>
 
 <ul>
 
-<li> <p> A new TLS session is logged with certificate verification
-failure details: </p>
+<li> <p> New TLS session:
+</p>
 
 <pre>
 TLSRPT: status=failure, domain=example.org, receiving_mx=mail.example.org[ipaddr],
     <b>failure_type=validation_failure</b>, <b>failure_reason=self-signed_certificate</b>
 </pre>
 
-<li> <p> A reused TLS session is indicated as shown below, and has
-no certificate verification details: </p>
+<li> <p> Reused TLS session: </p>
 
 <pre>
 mail.example.org[ipaddr]:25: <b>re-using session</b> with untrusted peer
@@ -251,8 +259,10 @@ TLSRPT: status=failure, domain=example.org, receiving_mx=mail.example.org[ipaddr
 
 </ul>
 
-<p> Some Postfix users may wonder where the difference comes from.
-So this is why. </p>
+<p> The logging may differ because a reused TLS session does not
+have the details for why TLS authentication failed. </p>
+
+</ul>
 
 <h2> <a name="delivering"> Delivering TLSRPT summaries via email</a> </h2>
 
@@ -381,17 +391,17 @@ policy_failure=sts-webpki-invalid
 
 <h2> <a name="limitations"> Limitations </a></h2>
 
-<p> The Postfix TLSRPT implementation reports at most one final TLS
-handshake status (either 'success' or 'failure') per connection.
-Postfix TLSRPT cannot report a failure and then later report a final
-status of 'success' for that same connection. The reason is that
-it's too complicated to filter TLS errors and to report error details
-from the TLS engine back to the SMTP protocol engine. It just is
-not how Postfix works internally. </p>
-
 <p> The Postfix TLSRPT implementation reports only TLS handshake
 success or failure. It does not report failure to connect, or
-connections that break after a successful TLS handshake. </p>
+connections that break before or after a TLS handshake. </p>
+
+<p> The Postfix TLSRPT implementation reports at most one final TLS
+handshake status (either 'success' or 'failure') per SMTP connection.
+Postfix TLSRPT will not report a recoverable failure and then later
+report a final status of 'success' for that same connection. The
+reason is that it's too complicated to filter TLS errors and to
+report error details from the TLS engine back to the SMTP protocol
+engine. It just is not how Postfix works internally. </p>
 
 <h2> <a name="credits"> Credits </a> </h2>
 

postfix/html/lmtp.8.html

@@ -702,8 +702,8 @@ SMTP,(LMTP)                                                        SMTP,(LMTP)
        Available in Postfix version 3.2 and later:
 
        <b><a href="postconf.5.html#tls_eecdh_auto_curves">tls_eecdh_auto_curves</a> (see 'postconf -d' output)</b>
-              The prioritized list of elliptic curves supported by the Postfix
-              SMTP client and server.
+              The prioritized list of elliptic curves, that should be  enabled
+              in the Postfix SMTP client and server.
 
        Available in Postfix version 3.4 and later:
 
@@ -753,6 +753,11 @@ SMTP,(LMTP)                                                        SMTP,(LMTP)
               The pathname of a UNIX-domain datagram socket that is managed by
               a local TLSRPT reporting service.
 
+       <b><a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a> (yes)</b>
+              Do not report the TLSRPT status for TLS protocol handshakes that
+              reuse a previously-negotiated  TLS  session  (there  is  no  new
+              information to report).
+
 <b>OBSOLETE STARTTLS CONTROLS</b>
        The  following  configuration  parameters  exist for compatibility with
        Postfix versions before 2.3. Support for these will  be  removed  in  a

postfix/html/postconf.5.html

@@ -14808,12 +14808,27 @@ Postfix versions. </p>
 <p> Enable support for <a href="https://tools.ietf.org/html/rfc8460">RFC 8460</a> TLSRPT notifications. A mail receiving
 domain can publish a TLSRPT policy in DNS, to request periodic
 summaries of successful and failed SMTP over TLS connections to
-their mail servers. This feature requires that Postfix is built
+their MX servers. This feature requires that Postfix is built
 with a TLSRPT supporting library. </p>
 
 <p> This feature is available in Postfix &ge; 3.10. </p>
 
 
+</DD>
+
+<DT><b><a name="smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a>
+(default: yes)</b></DT><DD>
+
+<p> Do not report the TLSRPT status for TLS protocol handshakes
+that reuse a previously-negotiated TLS session (there is no new
+information to report). Report the TLSRPT status only for "new" TLS
+sessions. Set this to "no" to log the TLSRPT status of all TLS
+handshakes, for example to troubleshoot Postfix TLSRPT support.
+</p>
+
+<p> This feature is available in Postfix &ge; 3.10. </p>
+
+
 </DD>
 
 <DT><b><a name="smtp_tlsrpt_socket_name">smtp_tlsrpt_socket_name</a>

postfix/html/smtp.8.html

@@ -702,8 +702,8 @@ SMTP,(LMTP)                                                        SMTP,(LMTP)
        Available in Postfix version 3.2 and later:
 
        <b><a href="postconf.5.html#tls_eecdh_auto_curves">tls_eecdh_auto_curves</a> (see 'postconf -d' output)</b>
-              The prioritized list of elliptic curves supported by the Postfix
-              SMTP client and server.
+              The prioritized list of elliptic curves, that should be  enabled
+              in the Postfix SMTP client and server.
 
        Available in Postfix version 3.4 and later:
 
@@ -753,6 +753,11 @@ SMTP,(LMTP)                                                        SMTP,(LMTP)
               The pathname of a UNIX-domain datagram socket that is managed by
               a local TLSRPT reporting service.
 
+       <b><a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a> (yes)</b>
+              Do not report the TLSRPT status for TLS protocol handshakes that
+              reuse a previously-negotiated  TLS  session  (there  is  no  new
+              information to report).
+
 <b>OBSOLETE STARTTLS CONTROLS</b>
        The  following  configuration  parameters  exist for compatibility with
        Postfix versions before 2.3. Support for these will  be  removed  in  a

postfix/man/man5/postconf.5

@@ -9864,10 +9864,18 @@ This feature is available in Postfix 3.0 and later.
 Enable support for RFC 8460 TLSRPT notifications. A mail receiving
 domain can publish a TLSRPT policy in DNS, to request periodic
 summaries of successful and failed SMTP over TLS connections to
-their mail servers. This feature requires that Postfix is built
+their MX servers. This feature requires that Postfix is built
 with a TLSRPT supporting library.
 .PP
 This feature is available in Postfix >= 3.10.
+.SH smtp_tlsrpt_skip_reused_handshakes (default: yes)
+Do not report the TLSRPT status for TLS protocol handshakes
+that reuse a previously\-negotiated TLS session (there is no new
+information to report). Report the TLSRPT status only for "new" TLS
+sessions. Set this to "no" to log the TLSRPT status of all TLS
+handshakes, for example to troubleshoot Postfix TLSRPT support.
+.PP
+This feature is available in Postfix >= 3.10.
 .SH smtp_tlsrpt_socket_name (default: empty)
 The pathname of a UNIX\-domain datagram socket that is managed
 by a local TLSRPT reporting service. This parameter must specify a

postfix/man/man8/smtp.8

@@ -637,8 +637,8 @@ record was found via an "insecure" MX lookup.
 .PP
 Available in Postfix version 3.2 and later:
 .IP "\fBtls_eecdh_auto_curves (see 'postconf -d' output)\fR"
-The prioritized list of elliptic curves supported by the Postfix
-SMTP client and server.
+The prioritized list of elliptic curves, that should be enabled in the
+Postfix SMTP client and server.
 .PP
 Available in Postfix version 3.4 and later:
 .IP "\fBsmtp_tls_connection_reuse (no)\fR"
@@ -678,6 +678,10 @@ Enable support for RFC 8460 TLSRPT notifications.
 .IP "\fBsmtp_tlsrpt_socket_name (empty)\fR"
 The pathname of a UNIX\-domain datagram socket that is managed
 by a local TLSRPT reporting service.
+.IP "\fBsmtp_tlsrpt_skip_reused_handshakes (yes)\fR"
+Do not report the TLSRPT status for TLS protocol handshakes
+that reuse a previously\-negotiated TLS session (there is no new
+information to report).
 .SH "OBSOLETE STARTTLS CONTROLS"
 .na
 .nf

postfix/mantools/postlink

@@ -723,8 +723,10 @@ while (<>) {
     s;\blmtp_tls_connection_reuse\b;<a href="postconf.5.html#lmtp_tls_connection_reuse">$&</a>;g;
     s;\bsmtp_tlsrpt_enable\b;<a href="postconf.5.html#smtp_tlsrpt_enable">$&</a>;g;
     s;\bsmtp_tlsrpt_socket_name\b;<a href="postconf.5.html#smtp_tlsrpt_socket_name">$&</a>;g;
+    s;\bsmtp_tlsrpt_skip_reused_handshakes\b;<a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">$&</a>;g;
     s;\blmtp_tlsrpt_enable\b;<a href="postconf.5.html#lmtp_tlsrpt_enable">$&</a>;g;
     s;\blmtp_tlsrpt_socket_name\b;<a href="postconf.5.html#lmtp_tlsrpt_socket_name">$&</a>;g;
+    s;\blmtp_tlsrpt_skip_reused_handshakes\b;<a href="postconf.5.html#lmtp_tlsrpt_skip_reused_handshakes">$&</a>;g;
     s;\bsmtpd_enforce_tls\b;<a href="postconf.5.html#smtpd_enforce_tls">$&</a>;g;
     s;\bsmtpd_sasl_tls_security_options\b;<a href="postconf.5.html#smtpd_sasl_tls_security_options">$&</a>;g;
     s;\bsmtpd_sasl_type\b;<a href="postconf.5.html#smtpd_sasl_type">$&</a>;g;

postfix/proto/TLSRPT_README.html

@@ -105,8 +105,8 @@ and MTA-STS (through an smtp_tls_policy_maps plug-in).
 engine. With "smtp_tls_connection_reuse = no", the smtp(8) client
 process also implements the TLS client engine. With
 "smtp_tls_connection_reuse = yes", the smtp(8) client process
-delegates TLS processing to a Postfix tlsproxy(8) process.  Either
-way, Postfix will generate the exact same TLSRPT events.  </p>
+delegates TLS processing to a Postfix tlsproxy(8) process. Either
+way, Postfix will generate the exact same TLSRPT events. </p>
 
 <h2> <a name="building"> Building Postfix with TLSRPT support </a>
 </h2>
@@ -211,12 +211,15 @@ TLSRPT: status=failure, domain=example.net, receiving_mx=mail.example.net[ipaddr
 </pre>
 </blockquote>
 
-<p> Note: Postfix logs and reports TLSRPT status only for TLS
-handshakes on a new SMTP connection. There is no TLSRPT status
-logging for a reused SMTP connection. Such connections have 
-Postfix SMTP client logging like this: </p>
+<p> Notes: </p>
+
+<ul> 
+
+<li> <p> Postfix logs and reports the TLSRPT status only for TLS
+handshakes on a new SMTP connection. There is no TLS handshake, and
+thus no TLSRPT status logging, when an SMTP connection is reused.
+Such connections have Postfix SMTP client logging like this: </p>
 
-<blockquote> 
 <pre>
 Verified <b>TLS connection reused</b> to mail.example.com[ipaddr]:25:
     TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
@@ -224,23 +227,28 @@ Verified <b>TLS connection reused</b> to mail.example.com[ipaddr]:25:
 Untrusted <b>TLS connection reused</b> to mail.example.com[ipaddr]:25:
     TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
 </pre>
-</blockquote>
 
-<p> Postfix logs certificate verification failures with a level of
-detail that is different for a new or reused TLS session. </p>
+<li> <p> By default, Postfix does not report the TLSRPT status for
+a TLS handshake that reuses a previously-negotiated TLS session
+(there would be no new information to report). Specify
+"smtp_tlsrpt_skip_reused_handshakes = no" to report the TLSRPT
+status for all TLS handshakes. This may be useful for troubleshooting.
+</p>
+
+<li> <p> Postfix logging for certificate verification failures may
+differ between new or reused TLS sessions. </p>
 
 <ul>
 
-<li> <p> A new TLS session is logged with certificate verification
-failure details: </p>
+<li> <p> New TLS session:
+</p>
 
 <pre>
 TLSRPT: status=failure, domain=example.org, receiving_mx=mail.example.org[ipaddr],
     <b>failure_type=validation_failure</b>, <b>failure_reason=self-signed_certificate</b>
 </pre>
 
-<li> <p> A reused TLS session is indicated as shown below, and has
-no certificate verification details: </p>
+<li> <p> Reused TLS session: </p>
 
 <pre>
 mail.example.org[ipaddr]:25: <b>re-using session</b> with untrusted peer
@@ -251,8 +259,10 @@ TLSRPT: status=failure, domain=example.org, receiving_mx=mail.example.org[ipaddr
 
 </ul>
 
-<p> Some Postfix users may wonder where the difference comes from.
-So this is why. </p>
+<p> The logging may differ because a reused TLS session does not
+have the details for why TLS authentication failed. </p>
+
+</ul>
 
 <h2> <a name="delivering"> Delivering TLSRPT summaries via email</a> </h2>
 
@@ -381,17 +391,17 @@ policy_failure=sts-webpki-invalid
 
 <h2> <a name="limitations"> Limitations </a></h2>
 
-<p> The Postfix TLSRPT implementation reports at most one final TLS
-handshake status (either 'success' or 'failure') per connection.
-Postfix TLSRPT cannot report a failure and then later report a final
-status of 'success' for that same connection. The reason is that
-it's too complicated to filter TLS errors and to report error details
-from the TLS engine back to the SMTP protocol engine. It just is
-not how Postfix works internally. </p>
-
 <p> The Postfix TLSRPT implementation reports only TLS handshake
 success or failure. It does not report failure to connect, or
-connections that break after a successful TLS handshake. </p>
+connections that break before or after a TLS handshake. </p>
+
+<p> The Postfix TLSRPT implementation reports at most one final TLS
+handshake status (either 'success' or 'failure') per SMTP connection.
+Postfix TLSRPT will not report a recoverable failure and then later
+report a final status of 'success' for that same connection. The
+reason is that it's too complicated to filter TLS errors and to
+report error details from the TLS engine back to the SMTP protocol
+engine. It just is not how Postfix works internally. </p>
 
 <h2> <a name="credits"> Credits </a> </h2>
 

postfix/proto/postconf.proto

@@ -19414,7 +19414,7 @@ length limit. </p>
 <p> Enable support for RFC 8460 TLSRPT notifications. A mail receiving
 domain can publish a TLSRPT policy in DNS, to request periodic
 summaries of successful and failed SMTP over TLS connections to
-their mail servers. This feature requires that Postfix is built
+their MX servers. This feature requires that Postfix is built
 with a TLSRPT supporting library. </p>
 
 <p> This feature is available in Postfix &ge; 3.10. </p>
@@ -19427,3 +19427,14 @@ pathname (absolute, or relative to $queue_directory) when
 "smtp_tlsrpt_enable = yes". </p>
 
 <p> This feature is available in Postfix &ge; 3.10. </p>
+
+%PARAM smtp_tlsrpt_skip_reused_handshakes yes
+
+<p> Do not report the TLSRPT status for TLS protocol handshakes
+that reuse a previously-negotiated TLS session (there is no new
+information to report). Report the TLSRPT status only for "new" TLS
+sessions. Set this to "no" to log the TLSRPT status of all TLS
+handshakes, for example to troubleshoot Postfix TLSRPT support.
+</p>
+
+<p> This feature is available in Postfix &ge; 3.10. </p>

postfix/proto/stop

@@ -1651,3 +1651,4 @@ parsable
 mailto
 ipaddr
 STS
+hs

postfix/proto/stop.double-history

@@ -131,3 +131,4 @@ proto  proto mysql_table proto pgsql_table proto ldap_table
  cleanup cleanup h cleanup cleanup_extracted c 
  File postcat postcat c 
  Files src tls tls h src tls tls_dh c src tls tls_misc c 
+ proto TLSRPT_README html proto postconf proto smtp smtp c 

postfix/src/global/mail_params.h

@@ -4475,6 +4475,12 @@ extern bool var_smtp_tlsrpt_enable;
 #define DEF_LMTP_TLSRPT_SOCKNAME DEF_SMTP_TLSRPT_SOCKNAME
 extern char *var_smtp_tlsrpt_sockname;
 
+#define VAR_SMTP_TLSRPT_SKIP_REUSED_HS	"smtp_tlsrpt_skip_reused_handshakes"
+#define DEF_SMTP_TLSRPT_SKIP_REUSED_HS	"yes"
+#define VAR_LMTP_TLSRPT_SKIP_REUSED_HS	"lmtp_tlsrpt_skip_reused_handshakes"
+#define DEF_LMTP_TLSRPT_SKIP_REUSED_HS	DEF_SMTP_TLSRPT_SKIP_REUSED_HS
+extern int var_smtp_tlsrpt_skip_reused_hs;
+
 /* LICENSE
 /* .ad
 /* .fi

postfix/src/global/mail_version.h

@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20240926"
+#define MAIL_RELEASE_DATE	"20240927"
 #define MAIL_VERSION_NUMBER	"3.10"
 
 #ifdef SNAPSHOT

postfix/src/smtp/lmtp_params.c

@@ -139,5 +139,6 @@
     static const CONFIG_NBOOL_TABLE lmtp_nbool_table[] = {
 	VAR_LMTP_REQ_DEADLINE, DEF_LMTP_REQ_DEADLINE, &var_smtp_req_deadline,
 	VAR_LMTP_TLSRPT_ENABLE, DEF_LMTP_TLSRPT_ENABLE, &var_smtp_tlsrpt_enable,
+	VAR_LMTP_TLSRPT_SKIP_REUSED_HS, DEF_LMTP_TLSRPT_SKIP_REUSED_HS, &var_smtp_tlsrpt_skip_reused_hs,
 	0,
     };

postfix/src/smtp/smtp.c

@@ -603,8 +603,8 @@
 /* .PP
 /*	Available in Postfix version 3.2 and later:
 /* .IP "\fBtls_eecdh_auto_curves (see 'postconf -d' output)\fR"
-/*	The prioritized list of elliptic curves supported by the Postfix
-/*	SMTP client and server.
+/*	The prioritized list of elliptic curves, that should be enabled in the
+/*	Postfix SMTP client and server.
 /* .PP
 /*	Available in Postfix version 3.4 and later:
 /* .IP "\fBsmtp_tls_connection_reuse (no)\fR"
@@ -644,6 +644,10 @@
 /* .IP "\fBsmtp_tlsrpt_socket_name (empty)\fR"
 /*	The pathname of a UNIX-domain datagram socket that is managed
 /*	by a local TLSRPT reporting service.
+/* .IP "\fBsmtp_tlsrpt_skip_reused_handshakes (yes)\fR"
+/*	Do not report the TLSRPT status for TLS protocol handshakes
+/*	that reuse a previously-negotiated TLS session (there is no new
+/*	information to report).
 /* OBSOLETE STARTTLS CONTROLS
 /* .ad
 /* .fi
@@ -1154,6 +1158,7 @@ bool    var_ign_srv_lookup_err;
 bool    var_allow_srv_fallback;
 bool    var_smtp_tlsrpt_enable;
 char   *var_smtp_tlsrpt_sockname;
+bool    var_smtp_tlsrpt_skip_reused_hs;
 
  /* Special handling of 535 AUTH errors. */
 char   *var_smtp_sasl_auth_cache_name;

postfix/src/smtp/smtp_params.c

@@ -143,5 +143,6 @@
     static const CONFIG_NBOOL_TABLE smtp_nbool_table[] = {
 	VAR_SMTP_REQ_DEADLINE, DEF_SMTP_REQ_DEADLINE, &var_smtp_req_deadline,
 	VAR_SMTP_TLSRPT_ENABLE, DEF_SMTP_TLSRPT_ENABLE, &var_smtp_tlsrpt_enable,
+	VAR_SMTP_TLSRPT_SKIP_REUSED_HS, DEF_SMTP_TLSRPT_SKIP_REUSED_HS, &var_smtp_tlsrpt_skip_reused_hs,
 	0,
     };

postfix/src/smtp/smtp_tlsrpt.c

@@ -253,7 +253,8 @@ void    smtp_tlsrpt_create_wrapper(SMTP_STATE *state, const char *domain)
 	state->tlsrpt = trw_create(
 			    /* rpt_socket_name= */ var_smtp_tlsrpt_sockname,
 				    /* rpt_policy_domain= */ adomain,
-				    /* rpt_policy_string= */ rr->data);
+				    /* rpt_policy_string= */ rr->data,
+		    /* skip_reused_hs = */ var_smtp_tlsrpt_skip_reused_hs);
 	dns_rr_free(rr);
     } else {
 	if (msg_verbose)

postfix/src/tls/tls_client.c

@@ -1424,12 +1424,15 @@ TLS_SESS_STATE *tls_client_post_connect(TLS_SESS_STATE *TLScontext,
      * connection. It is never called for a reused TCP connection.
      * 
      * Inform the caller that they should not generate a TLSRPT 'success' or
-     * 'failure' event: this TLS protocol engine has already generated a
-     * TLSRPT 'failure' event for this session.
+     * 'failure' event: either this TLS protocol engine has already generated
+     * a TLSRPT 'failure' event for this session, or this is a reused TLS
+     * session.
      */
 #ifdef USE_TLSRPT
     TLScontext->rpt_reported = props->tlsrpt != 0
-	&& trw_is_reported(props->tlsrpt);
+	&& (trw_is_reported(props->tlsrpt)
+	    || (TLScontext->session_reused
+		&& trw_is_skip_reused_hs(props->tlsrpt)));
 #endif
 
     return (TLScontext);

postfix/src/tls/tls_proxy_client_print.c

@@ -287,6 +287,8 @@ static int tls_proxy_client_tlsrpt_print(ATTR_PRINT_COMMON_FN print_fn,
 				     STRING_OR_EMPTY(trw->rcv_mta_addr)),
 		       SEND_ATTR_STR(TRW_DST_MTA_EHLO,
 				     STRING_OR_EMPTY(trw->rcv_mta_ehlo)),
+		       SEND_ATTR_INT(TRW_SKIP_REUSED_HS,
+				     trw->skip_reused_hs),
 		       SEND_ATTR_INT(TRW_FLAGS,
 				     trw->flags),
 		       ATTR_TYPE_END);

postfix/src/tls/tls_proxy_client_scan.c

@@ -467,6 +467,7 @@ static int tls_proxy_client_tlsrpt_scan(ATTR_SCAN_COMMON_FN scan_fn,
 	VSTRING *rcv_mta_name = vstring_alloc(100);
 	VSTRING *rcv_mta_addr = vstring_alloc(100);
 	VSTRING *rcv_mta_ehlo = vstring_alloc(100);
+	int     skip_reused_hs;
 	int     trw_flags;
 
 	ret = scan_fn(fp, flags | ATTR_FLAG_MORE,
@@ -481,6 +482,7 @@ static int tls_proxy_client_tlsrpt_scan(ATTR_SCAN_COMMON_FN scan_fn,
 		      RECV_ATTR_STR(TRW_DST_MTA_NAME, rcv_mta_name),
 		      RECV_ATTR_STR(TRW_DST_MTA_ADDR, rcv_mta_addr),
 		      RECV_ATTR_STR(TRW_DST_MTA_EHLO, rcv_mta_ehlo),
+		      RECV_ATTR_INT(TRW_SKIP_REUSED_HS, &skip_reused_hs),
 		      RECV_ATTR_INT(TRW_FLAGS, &trw_flags),
 		      ATTR_TYPE_END);
 
@@ -497,8 +499,9 @@ static int tls_proxy_client_tlsrpt_scan(ATTR_SCAN_COMMON_FN scan_fn,
 	EXPORT_OR_NULL(trw->rcv_mta_name, rcv_mta_name);
 	EXPORT_OR_NULL(trw->rcv_mta_addr, rcv_mta_addr);
 	EXPORT_OR_NULL(trw->rcv_mta_ehlo, rcv_mta_ehlo);
+	trw->skip_reused_hs = skip_reused_hs;
 	trw->flags = trw_flags;
-	ret = (ret == 12 ? 1 : -1);
+	ret = (ret == 13 ? 1 : -1);
 	if (ret != 1) {
 	    trw_free(trw);
 	    trw = 0;

postfix/src/tls/tlsrpt_wrapper.c

@@ -11,7 +11,8 @@
 /*	TLS_RPT *trw_create(
 /*	const char *rpt_socket_name,
 /*	const char *rpt_policy_domain,
-/*	const char *rpt_policy_string)
+/*	const char *rpt_policy_string,
+/*	int	skip_reused_hs)
 /*
 /*	void	trw_free(
 /*	TLSRPT_WRAPPER *trw)
@@ -45,6 +46,9 @@
 /*	int	trw_is_reported(
 /*	TLSRPT_WRAPPER *trw)
 /*
+/*	int	trw_is_skip_reused_hs(
+/*	TLSRPT_WRAPPER *trw)
+/*
 /*	tlsrpt_policy_type_t convert_tlsrpt_policy_type(
 /*	const char *policy_type)
 /*
@@ -136,6 +140,10 @@
 /* .IP rpt_policy_string
 /*	The TLSRPT policy record content, i.e. how to submit TLSRPT
 /*	summary reports.
+/* .IP skip_reused_hs
+/*	If non-zero, do not report the TLSRPT status for TLS handshakes
+/*	that reuse a previously-negotiated TLS session; such sessions
+/*	were already reported when they were used for the first time.
 /* .PP
 /*	trw_free() destroys storage allocated with other trw_xxx()
 /*	requests.
@@ -199,6 +207,9 @@
 /*	trw_is_reported() returns non-zero when the contents of the
 /*	specified TLSRPT_WRAPPER have been reported.
 /* .PP
+/*	trw_is_skip_reused_hs() returns non-zero if the skip_reused_hs
+/*	argument of trw_create() was non-zero.
+/* .PP
 /*	convert_tlsrpt_policy_type() and convert_tlsrpt_policy_failure()
 /*	convert a valid policy type or failure name to the corresponding
 /*	enum value. The result is < 0 if the name is not valid.
@@ -298,7 +309,8 @@
 
 TLSRPT_WRAPPER *trw_create(const char *rpt_socket_name,
 			           const char *rpt_policy_domain,
-			           const char *rpt_policy_string)
+			           const char *rpt_policy_string,
+			           int skip_reused_hs)
 {
     TLSRPT_WRAPPER *trw;
 
@@ -317,6 +329,7 @@ TLSRPT_WRAPPER *trw_create(const char *rpt_socket_name,
     trw->rcv_mta_name = 0;
     trw->rcv_mta_addr = 0;
     trw->rcv_mta_ehlo = 0;
+    trw->skip_reused_hs = skip_reused_hs;
     trw->flags = 0;
     return (trw);
 }
@@ -623,6 +636,13 @@ int     trw_is_reported(const TLSRPT_WRAPPER *trw)
     return (trw->flags & TRW_FLAG_REPORTED);
 }
 
+/* trw_is_skip_reused_hs - don't report TLS handshakes that reuse a session */
+
+int     trw_is_skip_reused_hs(const TLSRPT_WRAPPER *trw)
+{
+    return (trw->skip_reused_hs);
+}
+
 #endif					/* USE_TLS_RPT */
 
  /*

postfix/src/tls/tlsrpt_wrapper.h

@@ -31,7 +31,8 @@ typedef struct TLSRPT_WRAPPER TLSRPT_WRAPPER;
 
 extern TLSRPT_WRAPPER *trw_create(const char *rpt_socket_name,
 				          const char *rpt_policy_domain,
-				          const char *rpt_policy_string);
+				          const char *rpt_policy_string,
+				          int skip_reused_hs);
 extern void trw_free(TLSRPT_WRAPPER *trw);
 extern void trw_set_tls_policy(TLSRPT_WRAPPER *trw,
 			               tlsrpt_policy_type_t tls_policy_type,
@@ -50,6 +51,7 @@ extern int trw_report_failure(TLSRPT_WRAPPER *trw,
 			              const char *failure_reason);
 extern int trw_report_success(TLSRPT_WRAPPER *trw);
 extern int trw_is_reported(const TLSRPT_WRAPPER *trw);
+extern int trw_is_skip_reused_hs(const TLSRPT_WRAPPER *trw);
 
  /*
   * The internals declarations are also needed for functions that transmit
@@ -67,6 +69,7 @@ struct TLSRPT_WRAPPER {
     char   *rpt_socket_name;
     char   *rpt_policy_domain;
     char   *rpt_policy_string;
+    int     skip_reused_hs;
     /* Set with trw_set_policy(). */
     tlsrpt_policy_type_t tls_policy_type;
     ARGV   *tls_policy_strings;
@@ -89,6 +92,7 @@ struct TLSRPT_WRAPPER {
 #define TRW_RPT_SOCKET_NAME	"rpt_socket_name"
 #define TRW_RPT_POLICY_DOMAIN	"rpt_policy_domain"
 #define TRW_RPT_POLICY_STRING	"rpt_policy_string"
+#define TRW_SKIP_REUSED_HS	"skip_reused_hs"
 #define TRW_TLS_POLICY_TYPE	"tls_policy_type"
 #define TRW_TLS_POLICY_STRINGS	"tls_policy_strings"	/* XXX Not checked */
 #define TRW_TLS_POLICY_DOMAIN	"tls_policy_domain"