diff --git a/postfix/HISTORY b/postfix/HISTORY index d99d6aa8c..3f5cdb270 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -28301,3 +28301,15 @@ Apologies for any names omitted. File: mantools/check-snapshot-nonprod. First general Postfix release with TLSRPT support. + +20240927 + + Feature: new parameter smtp_tlsrpt_skip_reused_handshakes + (default: yes) to suppress TLSRPT status reports for TLS + handshakes that reuse a previously-negotiated TLS session + (there would be no new information to report). Specify "no" + for TLSRPT troubleshooting. Files: mantools/postlink, + proto/TLSRPT_README.html, proto/postconf.proto, smtp/smtp.c, + smtp/smtp_params.c, smtp/smtp_tlsrpt.c, tls/tls_client.c, + tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c, + tls/tlsrpt_wrapper.c, tls/tlsrpt_wrapper.h. diff --git a/postfix/README_FILES/TLSRPT_README b/postfix/README_FILES/TLSRPT_README index 55538a23a..9b797d2a7 100644 --- a/postfix/README_FILES/TLSRPT_README +++ b/postfix/README_FILES/TLSRPT_README @@ -133,9 +133,12 @@ daemon: [ipaddr], failure_type=validation_failure, failure_reason=self-signed_certificate -Note: Postfix logs and reports TLSRPT status only for TLS handshakes on a new -SMTP connection. There is no TLSRPT status logging for a reused SMTP -connection. Such connections have Postfix SMTP client logging like this: +Notes: + + * Postfix logs and reports the TLSRPT status only for TLS handshakes on a new + SMTP connection. There is no TLS handshake, and thus no TLSRPT status + logging, when an SMTP connection is reused. Such connections have Postfix + SMTP client logging like this: Verified TTLLSS ccoonnnneeccttiioonn rreeuusseedd to mail.example.com[ipaddr]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) 
@@ -143,25 +146,32 @@ connection. Such connections have Postfix SMTP client logging like this: Untrusted TTLLSS ccoonnnneeccttiioonn rreeuusseedd to mail.example.com[ipaddr]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) -Postfix logs certificate verification failures with a level of detail that is -different for a new or reused TLS session. + * By default, Postfix does not report the TLSRPT status for a TLS handshake + that reuses a previously-negotiated TLS session (there would be no new + information to report). Specify "smtp_tlsrpt_skip_reused_handshakes = no" + to report the TLSRPT status for all TLS handshakes. This may be useful for + troubleshooting. - * A new TLS session is logged with certificate verification failure details: + * Postfix logging for certificate verification failures may differ between + new or reused TLS sessions. - TLSRPT: status=failure, domain=example.org, receiving_mx=mail.example.org - [ipaddr], - ffaaiilluurree__ttyyppee==vvaalliiddaattiioonn__ffaaiilluurree, ffaaiilluurree__rreeaassoonn==sseellff--ssiiggnneedd__cceerrttiiffiiccaattee + o New TLS session: - * A reused TLS session is indicated as shown below, and has no certificate - verification details: + TLSRPT: status=failure, domain=example.org, + receiving_mx=mail.example.org[ipaddr], + ffaaiilluurree__ttyyppee==vvaalliiddaattiioonn__ffaaiilluurree, ffaaiilluurree__rreeaassoonn==sseellff-- + ssiiggnneedd__cceerrttiiffiiccaattee - mail.example.org[ipaddr]:25: rree--uussiinngg sseessssiioonn with untrusted peer - credential, look for details earlier in the log - TLSRPT: status=failure, domain=example.org, receiving_mx=mail.example.org - [ipaddr], - ffaaiilluurree__ttyyppee==cceerrttiiffiiccaattee__nnoott__ttrruusstteedd + o Reused TLS session: -Some Postfix users may wonder where the difference comes from. So this is why. 
+ mail.example.org[ipaddr]:25: rree--uussiinngg sseessssiioonn with untrusted peer + credential, look for details earlier in the log + TLSRPT: status=failure, domain=example.org, + receiving_mx=mail.example.org[ipaddr], + ffaaiilluurree__ttyyppee==cceerrttiiffiiccaattee__nnoott__ttrruusstteedd + + The logging may differ because a reused TLS session does not have the + details for why TLS authentication failed. DDeelliivveerriinngg TTLLSSRRPPTT ssuummmmaarriieess vviiaa eemmaaiill @@ -258,16 +268,16 @@ datatracker.ietf.org/doc/html/rfc8460#section-4.5. LLiimmiittaattiioonnss -The Postfix TLSRPT implementation reports at most one final TLS handshake -status (either 'success' or 'failure') per connection. Postfix TLSRPT cannot -report a failure and then later report a final status of 'success' for that -same connection. The reason is that it's too complicated to filter TLS errors -and to report error details from the TLS engine back to the SMTP protocol -engine. It just is not how Postfix works internally. - The Postfix TLSRPT implementation reports only TLS handshake success or -failure. It does not report failure to connect, or connections that break after -a successful TLS handshake. +failure. It does not report failure to connect, or connections that break +before or after a TLS handshake. + +The Postfix TLSRPT implementation reports at most one final TLS handshake +status (either 'success' or 'failure') per SMTP connection. Postfix TLSRPT will +not report a recoverable failure and then later report a final status of +'success' for that same connection. The reason is that it's too complicated to +filter TLS errors and to report error details from the TLS engine back to the +SMTP protocol engine. It just is not how Postfix works internally. CCrreeddiittss diff --git a/postfix/WISHLIST b/postfix/WISHLIST index 721fc9a58..f12a1544a 100644 --- a/postfix/WISHLIST +++ b/postfix/WISHLIST 
@@ -7,7 +7,9 @@ Wish list: Disable -DSNAPSHOT and -DNONPROD in makedefs. Add smtp_tlsrpt_allow_list feature (default: static:all) to limit - the domains for which Postfix generates TLSRPT daily sumamries. + the domains for which Postfix generates TLSRPT daily summaries. + + Rename TLS_SESS_STATE.rpt_reported to skip_tlsrpt_report. Add unit tests for smtp_tlsrpt.c, tlstrpd_wrapper.c, ... diff --git a/postfix/html/TLSRPT_README.html b/postfix/html/TLSRPT_README.html index 9e6e6e073..6edf95d50 100644 --- a/postfix/html/TLSRPT_README.html +++ b/postfix/html/TLSRPT_README.html @@ -105,8 +105,8 @@ and MTA-STS (through an smtp_tls_ engine. With "smtp_tls_connection_reuse = no", the smtp(8) client process also implements the TLS client engine. With "smtp_tls_connection_reuse = yes", the smtp(8) client process -delegates TLS processing to a Postfix tlsproxy(8) process. Either -way, Postfix will generate the exact same TLSRPT events.

+delegates TLS processing to a Postfix tlsproxy(8) process. Either +way, Postfix will generate the exact same TLSRPT events.

Building Postfix with TLSRPT support

@@ -211,12 +211,15 @@ TLSRPT: status=failure, domain=example.net, receiving_mx=mail.example.net[ipaddr -

Note: Postfix logs and reports TLSRPT status only for TLS -handshakes on a new SMTP connection. There is no TLSRPT status -logging for a reused SMTP connection. Such connections have -Postfix SMTP client logging like this:

+

Notes:

+ +

Delivering TLSRPT summaries via email

@@ -381,17 +391,17 @@ policy_failure=sts-webpki-invalid

Limitations

-

The Postfix TLSRPT implementation reports at most one final TLS -handshake status (either 'success' or 'failure') per connection. -Postfix TLSRPT cannot report a failure and then later report a final -status of 'success' for that same connection. The reason is that -it's too complicated to filter TLS errors and to report error details -from the TLS engine back to the SMTP protocol engine. It just is -not how Postfix works internally.

-

The Postfix TLSRPT implementation reports only TLS handshake success or failure. It does not report failure to connect, or -connections that break after a successful TLS handshake.

+connections that break before or after a TLS handshake.

+ +

The Postfix TLSRPT implementation reports at most one final TLS +handshake status (either 'success' or 'failure') per SMTP connection. +Postfix TLSRPT will not report a recoverable failure and then later +report a final status of 'success' for that same connection. The +reason is that it's too complicated to filter TLS errors and to +report error details from the TLS engine back to the SMTP protocol +engine. It just is not how Postfix works internally.

Credits

diff --git a/postfix/html/lmtp.8.html b/postfix/html/lmtp.8.html index dbf71d264..77820ea5b 100644 --- a/postfix/html/lmtp.8.html +++ b/postfix/html/lmtp.8.html @@ -702,8 +702,8 @@ SMTP,(LMTP) SMTP,(LMTP) Available in Postfix version 3.2 and later: tls_eecdh_auto_curves (see 'postconf -d' output) - The prioritized list of elliptic curves supported by the Postfix - SMTP client and server. + The prioritized list of elliptic curves, that should be enabled + in the Postfix SMTP client and server. Available in Postfix version 3.4 and later: @@ -753,6 +753,11 @@ SMTP,(LMTP) SMTP,(LMTP) The pathname of a UNIX-domain datagram socket that is managed by a local TLSRPT reporting service. + smtp_tlsrpt_skip_reused_handshakes (yes) + Do not report the TLSRPT status for TLS protocol handshakes that + reuse a previously-negotiated TLS session (there is no new + information to report). + OBSOLETE STARTTLS CONTROLS The following configuration parameters exist for compatibility with Postfix versions before 2.3. Support for these will be removed in a diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index b703e6601..edfe80420 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -14808,12 +14808,27 @@ Postfix versions.

Enable support for RFC 8460 TLSRPT notifications. A mail receiving domain can publish a TLSRPT policy in DNS, to request periodic summaries of successful and failed SMTP over TLS connections to -their mail servers. This feature requires that Postfix is built +their MX servers. This feature requires that Postfix is built with a TLSRPT supporting library.

This feature is available in Postfix ≥ 3.10.

+ + +
smtp_tlsrpt_skip_reused_handshakes +(default: yes)
+ +

Do not report the TLSRPT status for TLS protocol handshakes +that reuse a previously-negotiated TLS session (there is no new +information to report). Report the TLSRPT status only for "new" TLS +sessions. Set this to "no" to log the TLSRPT status of all TLS +handshakes, for example to troubleshoot Postfix TLSRPT support. +

+ +

This feature is available in Postfix ≥ 3.10.

+ +
smtp_tlsrpt_socket_name diff --git a/postfix/html/smtp.8.html b/postfix/html/smtp.8.html index dbf71d264..77820ea5b 100644 --- a/postfix/html/smtp.8.html +++ b/postfix/html/smtp.8.html @@ -702,8 +702,8 @@ SMTP,(LMTP) SMTP,(LMTP) Available in Postfix version 3.2 and later: tls_eecdh_auto_curves (see 'postconf -d' output) - The prioritized list of elliptic curves supported by the Postfix - SMTP client and server. + The prioritized list of elliptic curves, that should be enabled + in the Postfix SMTP client and server. Available in Postfix version 3.4 and later: @@ -753,6 +753,11 @@ SMTP,(LMTP) SMTP,(LMTP) The pathname of a UNIX-domain datagram socket that is managed by a local TLSRPT reporting service. + smtp_tlsrpt_skip_reused_handshakes (yes) + Do not report the TLSRPT status for TLS protocol handshakes that + reuse a previously-negotiated TLS session (there is no new + information to report). + OBSOLETE STARTTLS CONTROLS The following configuration parameters exist for compatibility with Postfix versions before 2.3. Support for these will be removed in a diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index a9cf9d060..92dc86518 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 
@@ -9864,10 +9864,18 @@ This feature is available in Postfix 3.0 and later. Enable support for RFC 8460 TLSRPT notifications. A mail receiving domain can publish a TLSRPT policy in DNS, to request periodic summaries of successful and failed SMTP over TLS connections to -their mail servers. This feature requires that Postfix is built +their MX servers. This feature requires that Postfix is built with a TLSRPT supporting library. .PP This feature is available in Postfix >= 3.10. +.SH smtp_tlsrpt_skip_reused_handshakes (default: yes) +Do not report the TLSRPT status for TLS protocol handshakes +that reuse a previously\-negotiated TLS session (there is no new +information to report). Report the TLSRPT status only for "new" TLS +sessions. Set this to "no" to log the TLSRPT status of all TLS +handshakes, for example to troubleshoot Postfix TLSRPT support. +.PP +This feature is available in Postfix >= 3.10. .SH smtp_tlsrpt_socket_name (default: empty) The pathname of a UNIX\-domain datagram socket that is managed by a local TLSRPT reporting service. This parameter must specify a diff --git a/postfix/man/man8/smtp.8 b/postfix/man/man8/smtp.8 index a55d17636..966f51f4f 100644 --- a/postfix/man/man8/smtp.8 +++ b/postfix/man/man8/smtp.8 @@ -637,8 +637,8 @@ record was found via an "insecure" MX lookup. .PP Available in Postfix version 3.2 and later: .IP "\fBtls_eecdh_auto_curves (see 'postconf -d' output)\fR" -The prioritized list of elliptic curves supported by the Postfix -SMTP client and server. +The prioritized list of elliptic curves, that should be enabled in the +Postfix SMTP client and server. .PP Available in Postfix version 3.4 and later: .IP "\fBsmtp_tls_connection_reuse (no)\fR" 
@@ -678,6 +678,10 @@ Enable support for RFC 8460 TLSRPT notifications. .IP "\fBsmtp_tlsrpt_socket_name (empty)\fR" The pathname of a UNIX\-domain datagram socket that is managed by a local TLSRPT reporting service. +.IP "\fBsmtp_tlsrpt_skip_reused_handshakes (yes)\fR" +Do not report the TLSRPT status for TLS protocol handshakes +that reuse a previously\-negotiated TLS session (there is no new +information to report). .SH "OBSOLETE STARTTLS CONTROLS" .na .nf diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink index 6e7ba6954..7ee74fba2 100755 --- a/postfix/mantools/postlink +++ b/postfix/mantools/postlink @@ -723,8 +723,10 @@ while (<>) { s;\blmtp_tls_connection_reuse\b;$&;g; s;\bsmtp_tlsrpt_enable\b;$&;g; s;\bsmtp_tlsrpt_socket_name\b;$&;g; + s;\bsmtp_tlsrpt_skip_reused_handshakes\b;$&;g; s;\blmtp_tlsrpt_enable\b;$&;g; s;\blmtp_tlsrpt_socket_name\b;$&;g; + s;\blmtp_tlsrpt_skip_reused_handshakes\b;$&;g; s;\bsmtpd_enforce_tls\b;$&;g; s;\bsmtpd_sasl_tls_security_options\b;$&;g; s;\bsmtpd_sasl_type\b;$&;g; diff --git a/postfix/proto/TLSRPT_README.html b/postfix/proto/TLSRPT_README.html index 8210eae05..3154c33e5 100644 --- a/postfix/proto/TLSRPT_README.html +++ b/postfix/proto/TLSRPT_README.html @@ -105,8 +105,8 @@ and MTA-STS (through an smtp_tls_policy_maps plug-in). engine. With "smtp_tls_connection_reuse = no", the smtp(8) client process also implements the TLS client engine. With "smtp_tls_connection_reuse = yes", the smtp(8) client process -delegates TLS processing to a Postfix tlsproxy(8) process. Either -way, Postfix will generate the exact same TLSRPT events.

+delegates TLS processing to a Postfix tlsproxy(8) process. Either +way, Postfix will generate the exact same TLSRPT events.

Building Postfix with TLSRPT support

@@ -211,12 +211,15 @@ TLSRPT: status=failure, domain=example.net, receiving_mx=mail.example.net[ipaddr -

Note: Postfix logs and reports TLSRPT status only for TLS -handshakes on a new SMTP connection. There is no TLSRPT status -logging for a reused SMTP connection. Such connections have -Postfix SMTP client logging like this:

+

Notes:

+ +

Delivering TLSRPT summaries via email

@@ -381,17 +391,17 @@ policy_failure=sts-webpki-invalid

Limitations

-

The Postfix TLSRPT implementation reports at most one final TLS -handshake status (either 'success' or 'failure') per connection. -Postfix TLSRPT cannot report a failure and then later report a final -status of 'success' for that same connection. The reason is that -it's too complicated to filter TLS errors and to report error details -from the TLS engine back to the SMTP protocol engine. It just is -not how Postfix works internally.

-

The Postfix TLSRPT implementation reports only TLS handshake success or failure. It does not report failure to connect, or -connections that break after a successful TLS handshake.

+connections that break before or after a TLS handshake.

+ +

The Postfix TLSRPT implementation reports at most one final TLS +handshake status (either 'success' or 'failure') per SMTP connection. +Postfix TLSRPT will not report a recoverable failure and then later +report a final status of 'success' for that same connection. The +reason is that it's too complicated to filter TLS errors and to +report error details from the TLS engine back to the SMTP protocol +engine. It just is not how Postfix works internally.

Credits

diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 0e6cd26b5..dcbc8b2cc 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -19414,7 +19414,7 @@ length limit.

Enable support for RFC 8460 TLSRPT notifications. A mail receiving domain can publish a TLSRPT policy in DNS, to request periodic summaries of successful and failed SMTP over TLS connections to -their mail servers. This feature requires that Postfix is built +their MX servers. This feature requires that Postfix is built with a TLSRPT supporting library.

This feature is available in Postfix ≥ 3.10.

@@ -19427,3 +19427,14 @@ pathname (absolute, or relative to $queue_directory) when "smtp_tlsrpt_enable = yes".

This feature is available in Postfix ≥ 3.10.

+ +%PARAM smtp_tlsrpt_skip_reused_handshakes yes + +

Do not report the TLSRPT status for TLS protocol handshakes +that reuse a previously-negotiated TLS session (there is no new +information to report). Report the TLSRPT status only for "new" TLS +sessions. Set this to "no" to log the TLSRPT status of all TLS +handshakes, for example to troubleshoot Postfix TLSRPT support. +

+ +

This feature is available in Postfix ≥ 3.10.

diff --git a/postfix/proto/stop b/postfix/proto/stop index 4755ed24f..1160a4bc5 100644 --- a/postfix/proto/stop +++ b/postfix/proto/stop @@ -1651,3 +1651,4 @@ parsable mailto ipaddr STS +hs diff --git a/postfix/proto/stop.double-history b/postfix/proto/stop.double-history index 70a09313a..3a720a5d8 100644 --- a/postfix/proto/stop.double-history +++ b/postfix/proto/stop.double-history @@ -131,3 +131,4 @@ proto proto mysql_table proto pgsql_table proto ldap_table cleanup cleanup h cleanup cleanup_extracted c File postcat postcat c Files src tls tls h src tls tls_dh c src tls tls_misc c + proto TLSRPT_README html proto postconf proto smtp smtp c diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index d209bc036..8e02d12f5 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -4475,6 +4475,12 @@ extern bool var_smtp_tlsrpt_enable; #define DEF_LMTP_TLSRPT_SOCKNAME DEF_SMTP_TLSRPT_SOCKNAME extern char *var_smtp_tlsrpt_sockname; +#define VAR_SMTP_TLSRPT_SKIP_REUSED_HS "smtp_tlsrpt_skip_reused_handshakes" +#define DEF_SMTP_TLSRPT_SKIP_REUSED_HS "yes" +#define VAR_LMTP_TLSRPT_SKIP_REUSED_HS "lmtp_tlsrpt_skip_reused_handshakes" +#define DEF_LMTP_TLSRPT_SKIP_REUSED_HS DEF_SMTP_TLSRPT_SKIP_REUSED_HS +extern int var_smtp_tlsrpt_skip_reused_hs; + /* LICENSE /* .ad /* .fi diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 56082f7d9..7eced915f 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20240926" +#define MAIL_RELEASE_DATE "20240927" #define MAIL_VERSION_NUMBER "3.10" #ifdef SNAPSHOT diff --git a/postfix/src/smtp/lmtp_params.c b/postfix/src/smtp/lmtp_params.c index c41cf91ae..b77500326 100644 --- a/postfix/src/smtp/lmtp_params.c +++ b/postfix/src/smtp/lmtp_params.c 
@@ -139,5 +139,6 @@ static const CONFIG_NBOOL_TABLE lmtp_nbool_table[] = { VAR_LMTP_REQ_DEADLINE, DEF_LMTP_REQ_DEADLINE, &var_smtp_req_deadline, VAR_LMTP_TLSRPT_ENABLE, DEF_LMTP_TLSRPT_ENABLE, &var_smtp_tlsrpt_enable, + VAR_LMTP_TLSRPT_SKIP_REUSED_HS, DEF_LMTP_TLSRPT_SKIP_REUSED_HS, &var_smtp_tlsrpt_skip_reused_hs, 0, }; diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c index 23ce94ebf..b06535979 100644 --- a/postfix/src/smtp/smtp.c +++ b/postfix/src/smtp/smtp.c @@ -603,8 +603,8 @@ /* .PP /* Available in Postfix version 3.2 and later: /* .IP "\fBtls_eecdh_auto_curves (see 'postconf -d' output)\fR" -/* The prioritized list of elliptic curves supported by the Postfix -/* SMTP client and server. +/* The prioritized list of elliptic curves, that should be enabled in the +/* Postfix SMTP client and server. /* .PP /* Available in Postfix version 3.4 and later: /* .IP "\fBsmtp_tls_connection_reuse (no)\fR" @@ -644,6 +644,10 @@ /* .IP "\fBsmtp_tlsrpt_socket_name (empty)\fR" /* The pathname of a UNIX-domain datagram socket that is managed /* by a local TLSRPT reporting service. +/* .IP "\fBsmtp_tlsrpt_skip_reused_handshakes (yes)\fR" +/* Do not report the TLSRPT status for TLS protocol handshakes +/* that reuse a previously-negotiated TLS session (there is no new +/* information to report). /* OBSOLETE STARTTLS CONTROLS /* .ad /* .fi @@ -1154,6 +1158,7 @@ bool var_ign_srv_lookup_err; bool var_allow_srv_fallback; bool var_smtp_tlsrpt_enable; char *var_smtp_tlsrpt_sockname; +bool var_smtp_tlsrpt_skip_reused_hs; /* Special handling of 535 AUTH errors. */ char *var_smtp_sasl_auth_cache_name; diff --git a/postfix/src/smtp/smtp_params.c b/postfix/src/smtp/smtp_params.c index f58f9eb34..6d80ef105 100644 --- a/postfix/src/smtp/smtp_params.c +++ b/postfix/src/smtp/smtp_params.c 
@@ -143,5 +143,6 @@ static const CONFIG_NBOOL_TABLE smtp_nbool_table[] = { VAR_SMTP_REQ_DEADLINE, DEF_SMTP_REQ_DEADLINE, &var_smtp_req_deadline, VAR_SMTP_TLSRPT_ENABLE, DEF_SMTP_TLSRPT_ENABLE, &var_smtp_tlsrpt_enable, + VAR_SMTP_TLSRPT_SKIP_REUSED_HS, DEF_SMTP_TLSRPT_SKIP_REUSED_HS, &var_smtp_tlsrpt_skip_reused_hs, 0, }; diff --git a/postfix/src/smtp/smtp_tlsrpt.c b/postfix/src/smtp/smtp_tlsrpt.c index cfb8c5545..23dc5f766 100644 --- a/postfix/src/smtp/smtp_tlsrpt.c +++ b/postfix/src/smtp/smtp_tlsrpt.c @@ -253,7 +253,8 @@ void smtp_tlsrpt_create_wrapper(SMTP_STATE *state, const char *domain) state->tlsrpt = trw_create( /* rpt_socket_name= */ var_smtp_tlsrpt_sockname, /* rpt_policy_domain= */ adomain, - /* rpt_policy_string= */ rr->data); + /* rpt_policy_string= */ rr->data, + /* skip_reused_hs = */ var_smtp_tlsrpt_skip_reused_hs); dns_rr_free(rr); } else { if (msg_verbose) diff --git a/postfix/src/tls/tls_client.c b/postfix/src/tls/tls_client.c index a635767dc..9c5528db6 100644 --- a/postfix/src/tls/tls_client.c +++ b/postfix/src/tls/tls_client.c @@ -1424,12 +1424,15 @@ TLS_SESS_STATE *tls_client_post_connect(TLS_SESS_STATE *TLScontext, * connection. It is never called for a reused TCP connection. * * Inform the caller that they should not generate a TLSRPT 'success' or - * 'failure' event: this TLS protocol engine has already generated a - * TLSRPT 'failure' event for this session. + * 'failure' event: either this TLS protocol engine has already generated + * a TLSRPT 'failure' event for this session, or this is a reused TLS + * session. */ #ifdef USE_TLSRPT TLScontext->rpt_reported = props->tlsrpt != 0 - && trw_is_reported(props->tlsrpt); + && (trw_is_reported(props->tlsrpt) + || (TLScontext->session_reused + && trw_is_skip_reused_hs(props->tlsrpt))); #endif return (TLScontext); diff --git a/postfix/src/tls/tls_proxy_client_print.c b/postfix/src/tls/tls_proxy_client_print.c index ae378cb7e..68d8394ce 100644 --- a/postfix/src/tls/tls_proxy_client_print.c 
+++ b/postfix/src/tls/tls_proxy_client_print.c @@ -287,6 +287,8 @@ static int tls_proxy_client_tlsrpt_print(ATTR_PRINT_COMMON_FN print_fn, STRING_OR_EMPTY(trw->rcv_mta_addr)), SEND_ATTR_STR(TRW_DST_MTA_EHLO, STRING_OR_EMPTY(trw->rcv_mta_ehlo)), + SEND_ATTR_INT(TRW_SKIP_REUSED_HS, + trw->skip_reused_hs), SEND_ATTR_INT(TRW_FLAGS, trw->flags), ATTR_TYPE_END); diff --git a/postfix/src/tls/tls_proxy_client_scan.c b/postfix/src/tls/tls_proxy_client_scan.c index 7b25f71af..685f9e124 100644 --- a/postfix/src/tls/tls_proxy_client_scan.c +++ b/postfix/src/tls/tls_proxy_client_scan.c @@ -467,6 +467,7 @@ static int tls_proxy_client_tlsrpt_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTRING *rcv_mta_name = vstring_alloc(100); VSTRING *rcv_mta_addr = vstring_alloc(100); VSTRING *rcv_mta_ehlo = vstring_alloc(100); + int skip_reused_hs; int trw_flags; ret = scan_fn(fp, flags | ATTR_FLAG_MORE, @@ -481,6 +482,7 @@ static int tls_proxy_client_tlsrpt_scan(ATTR_SCAN_COMMON_FN scan_fn, RECV_ATTR_STR(TRW_DST_MTA_NAME, rcv_mta_name), RECV_ATTR_STR(TRW_DST_MTA_ADDR, rcv_mta_addr), RECV_ATTR_STR(TRW_DST_MTA_EHLO, rcv_mta_ehlo), + RECV_ATTR_INT(TRW_SKIP_REUSED_HS, &skip_reused_hs), RECV_ATTR_INT(TRW_FLAGS, &trw_flags), ATTR_TYPE_END); @@ -497,8 +499,9 @@ static int tls_proxy_client_tlsrpt_scan(ATTR_SCAN_COMMON_FN scan_fn, EXPORT_OR_NULL(trw->rcv_mta_name, rcv_mta_name); EXPORT_OR_NULL(trw->rcv_mta_addr, rcv_mta_addr); EXPORT_OR_NULL(trw->rcv_mta_ehlo, rcv_mta_ehlo); + trw->skip_reused_hs = skip_reused_hs; trw->flags = trw_flags; - ret = (ret == 12 ? 1 : -1); + ret = (ret == 13 ? 1 : -1); if (ret != 1) { trw_free(trw); trw = 0; diff --git a/postfix/src/tls/tlsrpt_wrapper.c b/postfix/src/tls/tlsrpt_wrapper.c index 176e4015c..11d06434d 100644 --- a/postfix/src/tls/tlsrpt_wrapper.c +++ b/postfix/src/tls/tlsrpt_wrapper.c 
@@ -11,7 +11,8 @@ /* TLS_RPT *trw_create( /* const char *rpt_socket_name, /* const char *rpt_policy_domain, -/* const char *rpt_policy_string) +/* const char *rpt_policy_string, +/* int skip_reused_hs) /* /* void trw_free( /* TLSRPT_WRAPPER *trw) @@ -45,6 +46,9 @@ /* int trw_is_reported( /* TLSRPT_WRAPPER *trw) /* +/* int trw_is_skip_reused_hs( +/* TLSRPT_WRAPPER *trw) +/* /* tlsrpt_policy_type_t convert_tlsrpt_policy_type( /* const char *policy_type) /* @@ -136,6 +140,10 @@ /* .IP rpt_policy_string /* The TLSRPT policy record content, i.e. how to submit TLSRPT /* summary reports. +/* .IP skip_reused_hs +/* If non-zero, do not report the TLSRPT status for TLS handshakes +/* that reuse a previously-negotiated TLS session; such sessions +/* were already reported when they were used for the first time. /* .PP /* trw_free() destroys storage allocated with other trw_xxx() /* requests. @@ -199,6 +207,9 @@ /* trw_is_reported() returns non-zero when the contents of the /* specified TLSRPT_WRAPPER have been reported. /* .PP +/* trw_is_skip_reused_hs() returns non-zero if the skip_reused_hs +/* argument of trw_create() was non-zero. +/* .PP /* convert_tlsrpt_policy_type() and convert_tlsrpt_policy_failure() /* convert a valid policy type or failure name to the corresponding /* enum value. The result is < 0 if the name is not valid. @@ -298,7 +309,8 @@ TLSRPT_WRAPPER *trw_create(const char *rpt_socket_name, const char *rpt_policy_domain, - const char *rpt_policy_string) + const char *rpt_policy_string, + int skip_reused_hs) { TLSRPT_WRAPPER *trw; @@ -317,6 +329,7 @@ TLSRPT_WRAPPER *trw_create(const char *rpt_socket_name, trw->rcv_mta_name = 0; trw->rcv_mta_addr = 0; trw->rcv_mta_ehlo = 0; + trw->skip_reused_hs = skip_reused_hs; trw->flags = 0; return (trw); } 
@@ -623,6 +636,13 @@ int trw_is_reported(const TLSRPT_WRAPPER *trw) return (trw->flags & TRW_FLAG_REPORTED); } +/* trw_is_skip_reused_hs - don't report TLS handshakes that reuse a session */ + +int trw_is_skip_reused_hs(const TLSRPT_WRAPPER *trw) +{ + return (trw->skip_reused_hs); +} + #endif /* USE_TLS_RPT */ /* diff --git a/postfix/src/tls/tlsrpt_wrapper.h b/postfix/src/tls/tlsrpt_wrapper.h index 57daff16f..569def450 100644 --- a/postfix/src/tls/tlsrpt_wrapper.h +++ b/postfix/src/tls/tlsrpt_wrapper.h @@ -31,7 +31,8 @@ typedef struct TLSRPT_WRAPPER TLSRPT_WRAPPER; extern TLSRPT_WRAPPER *trw_create(const char *rpt_socket_name, const char *rpt_policy_domain, - const char *rpt_policy_string); + const char *rpt_policy_string, + int skip_reused_hs); extern void trw_free(TLSRPT_WRAPPER *trw); extern void trw_set_tls_policy(TLSRPT_WRAPPER *trw, tlsrpt_policy_type_t tls_policy_type, @@ -50,6 +51,7 @@ extern int trw_report_failure(TLSRPT_WRAPPER *trw, const char *failure_reason); extern int trw_report_success(TLSRPT_WRAPPER *trw); extern int trw_is_reported(const TLSRPT_WRAPPER *trw); +extern int trw_is_skip_reused_hs(const TLSRPT_WRAPPER *trw); /* * The internals declarations are also needed for functions that transmit @@ -67,6 +69,7 @@ struct TLSRPT_WRAPPER { char *rpt_socket_name; char *rpt_policy_domain; char *rpt_policy_string; + int skip_reused_hs; /* Set with trw_set_policy(). */ tlsrpt_policy_type_t tls_policy_type; ARGV *tls_policy_strings; @@ -89,6 +92,7 @@ struct TLSRPT_WRAPPER { #define TRW_RPT_SOCKET_NAME "rpt_socket_name" #define TRW_RPT_POLICY_DOMAIN "rpt_policy_domain" #define TRW_RPT_POLICY_STRING "rpt_policy_string" +#define TRW_SKIP_REUSED_HS "skip_reused_hs" #define TRW_TLS_POLICY_TYPE "tls_policy_type" #define TRW_TLS_POLICY_STRINGS "tls_policy_strings" /* XXX Not checked */ #define TRW_TLS_POLICY_DOMAIN "tls_policy_domain"
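Review bot: the Files list in the new 20240927 HISTORY entry omits src/global/mail_params.h and src/smtp/lmtp_params.c, both of which this diff changes (the new VAR_/DEF_SMTP_TLSRPT_SKIP_REUSED_HS macros and the lmtp_nbool_table entry); add them so the entry matches the change set.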
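Review bot: in the README_FILES/TLSRPT_README hunk, "may differ between new or reused TLS sessions" should read "between new and reused TLS sessions". The new bullet on smtp_tlsrpt_skip_reused_handshakes would also benefit from stating the effect on the generated summaries: with the default "yes", a resumed session contributes neither a success nor a failure to the report, so the counts cover full handshakes only; someone troubleshooting an unexpectedly low session count will want that spelled out next to the "Specify ... = no" advice.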
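Review bot: in the tls_client.c hunk, TLScontext->rpt_reported is now also set when nothing has been reported at all (session_reused with trw_is_skip_reused_hs() true), so the field name no longer describes the field; the WISHLIST line "Rename TLS_SESS_STATE.rpt_reported to skip_tlsrpt_report" added in this same diff acknowledges that, and doing the rename here would avoid shipping the misleading name. The updated comment should also say that the reused-session case applies only when skip_reused_hs is set, since that is what the `&& trw_is_skip_reused_hs(props->tlsrpt)` term checks.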
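Review bot: the rewritten tls_eecdh_auto_curves description, "The prioritized list of elliptic curves, that should be enabled in the Postfix SMTP client and server.", has a comma that turns a restrictive clause into a non-restrictive one; drop the comma ("elliptic curves that should be enabled") or use "which". The same sentence appears in the smtp.c, man8/smtp.8, html/smtp.8.html and html/lmtp.8.html hunks.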
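Review bot: in the mail_params.h hunk, `extern int var_smtp_tlsrpt_skip_reused_hs;` disagrees with the definition `bool var_smtp_tlsrpt_skip_reused_hs;` in smtp.c and with the neighbouring `extern bool var_smtp_tlsrpt_enable;`; declare it `extern bool` so the declaration matches the definition and the CONFIG_NBOOL_TABLE entries that take its address.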
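Review bot: in the tls_proxy_client_scan.c hunk, `ret = (ret == 13 ? 1 : -1);` is a hand-maintained count of the RECV_ATTR_* entries in the scan_fn() call; the bump from 12 to 13 matches the added `RECV_ATTR_INT(TRW_SKIP_REUSED_HS, &skip_reused_hs)`, but a comment or named constant beside the scan call would keep the next addition from silently breaking it. Also, `int skip_reused_hs;` is copied into trw->skip_reused_hs before the `ret != 1` check, so a short scan reads an indeterminate value (harmless since trw is then freed, but initialising it to 0 costs nothing).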
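Review bot: in the smtp_tlsrpt.c hunk, the argument comment `/* skip_reused_hs = */` has a space before the '=' where the adjacent comments (`/* rpt_policy_string= */`) do not; match the existing style.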
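Review bot: the new .IP skip_reused_hs text in tlsrpt_wrapper.c says "such sessions were already reported when they were used for the first time"; it is the handshake that created the session that was reported, so "the handshake that established the session was already reported" is more precise. Unrelated but visible in the same hunk's context: the `#endif /* USE_TLS_RPT */` comment does not match the `USE_TLSRPT` macro name used in the tls_client.c hunk.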
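Review bot: the mantools/postlink hunk adds a link target for lmtp_tlsrpt_skip_reused_handshakes, but the postconf.proto hunk adds only `%PARAM smtp_tlsrpt_skip_reused_handshakes yes`; if the other lmtp_tlsrpt_* parameters have their own %PARAM entries pointing at the smtp_ variant, this one needs one too, otherwise the new link has nothing to resolve to. In the same %PARAM text, "Set this to "no" to log the TLSRPT status" mixes "log" with the "report" used in the surrounding sentences; use "report" throughout.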