On Sat, Dec 02, 2023 at 12:44:27PM +0100, Alexander Leidinger wrote:

> > Actually "secure", which means that the match strategy is
> > "nexthop:dot-nexthop" unless you specify additional command-line
> > arguments to override the match list.
> >
> >     switch (state->level) {
> >     case TLS_LEV_SECURE:
> >         state->match = argv_alloc(2);
> >         while (*argv)
> >             argv_add(state->match, *argv++, ARGV_END);
> >         if (state->match->argc == 0)
> >             argv_add(state->match, "nexthop", "dot-nexthop", ARGV_END);
> >         break;
> >     case TLS_LEV_VERIFY:
> >         state->match = argv_alloc(1);
> >         while (*argv)
> >             argv_add(state->match, *argv++, ARGV_END);
> >         if (state->match->argc == 0)
> >             argv_add(state->match, "hostname", ARGV_END);
> >         break;
> >     case TLS_LEV_FPRINT:
> >         state->dane = tls_dane_alloc();
> >         while (*argv)
> >             tls_dane_add_fpt_digests(state->dane,
> >                                      state->options.enable_rpk,
> >                                      *argv++, "", smtp_mode);
> >         break;
> >     ...
Sorry, yes, the "..." part is the default DANE setting, which, as it
happens, is presently:

    case TLS_LEV_DANE:
    case TLS_LEV_DANE_ONLY:
        state->match = argv_alloc(2);
        argv_add(state->match, "nexthop", "hostname", ARGV_END);
        break;
    }

This configures matching of either the "nexthop" or the MX "hostname"
in anticipation of DANE TLSA records, but this lingers even when no
TLSA records are found.  The matching strategy is then a hybrid of
"secure" and "verify".  This can reasonably be declared a bug in
"posttls-finger".

--- a/src/posttls-finger/posttls-finger.c
+++ b/src/posttls-finger/posttls-finger.c
@@ -2138,7 +2138,15 @@ static void parse_match(STATE *state, int argc, char *argv[])
 #ifdef USE_TLS
     int smtp_mode = 1;
 
+    /*
+     * DANE match names are configured late, once the TLSA records are in hand.
+     * For now, prepare to fall back to "secure".
+     */
     switch (state->level) {
+    default:
+        state->match = 0;
+        break;
+
+    case TLS_LEV_DANE:
     case TLS_LEV_SECURE:
         state->match = argv_alloc(2);
         while (*argv)
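Review bot: the new comment says DANE match names are "configured late, once the TLSA records are in hand", but no hunk in this patch shows that late configuration, so a reader cannot tell where (or whether) state->match is set for the dane level after the TLSA lookup; either name the code path in the comment or include that change in the same patch. Separately, the new `default: state->match = 0;` arm means state->match can now be a null pointer at levels that previously never reached parse_match()'s match-list code, so any later use of the form `state->match->argc` outside the secure/verify arms needs a null check before this is merged.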
@@ -2159,11 +2167,6 @@ static void parse_match(STATE *state, int argc, char *argv[])
             tls_dane_add_fpt_digests(state->dane,
                                      state->options.enable_rpk,
                                      *argv++, "", smtp_mode);
         break;
-    case TLS_LEV_DANE:
-    case TLS_LEV_DANE_ONLY:
-        state->match = argv_alloc(2);
-        argv_add(state->match, "nexthop", "hostname", ARGV_END);
-        break;
     }
 #endif
 }

With the above, posttls-finger reports:

$ bin/posttls-finger -c -P /etc/ssl/certs/ reply.github.com
posttls-finger: server certificate verification failed for in-5.smtp.github.com[140.82.113.31]:25: num=62:hostname mismatch
posttls-finger: in-5.smtp.github.com[140.82.113.31]:25: subject_CN=*.smtp.github.com, issuer=DigiCert TLS RSA SHA256 2020 CA1, cert fingerprint=4B:7B:90:8B:F3:F3:28:AE:36:C2:D4:04:918
posttls-finger: Untrusted TLS connection established to in-5.smtp.github.com[140.82.113.31]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-s6

-- 
    Viktor.

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
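Review bot: this hunk removes both `case TLS_LEV_DANE:` and `case TLS_LEV_DANE_ONLY:`, but the first hunk re-adds only `case TLS_LEV_DANE:` to the TLS_LEV_SECURE arm, so TLS_LEV_DANE_ONLY no longer has a case of its own and falls into the new `default:` with state->match = 0. If that is deliberate (dane-only has no "secure" fallback, so no names are needed until TLSA records arrive), the comment added in the first hunk should say so; if not, TLS_LEV_DANE_ONLY belongs next to `case TLS_LEV_DANE:` in the secure arm.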
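The two behaviours discussed above, the lingering "nexthop"/"hostname" hybrid at the dane level when no TLSA records are found and the post-patch fallback to "secure", in a small Python model. This is an added illustration, not code from Postfix or from the message; the name-matching rules (exact match, leading-dot meaning any proper subdomain for "dot-nexthop", and a single leftmost wildcard label in certificate names) are assumed simplifications of what Postfix and OpenSSL do, and the certificate's name list is constructed from the subject CN shown in the posttls-finger output.

```python
"""Model of the certificate-name match lists posttls-finger builds per TLS
security level, and of checking a peer certificate against them.

Assumed semantics (not Postfix's code):
  "nexthop"     -> the next-hop domain given on the command line
  "dot-nexthop" -> "." + next-hop, i.e. any proper subdomain of the next-hop
  "hostname"    -> the MX hostname actually connected to
Certificate names may carry one leftmost "*" label.
"""


def labels(name):
    return name.lower().rstrip(".").split(".")


def cert_name_matches(cert_name, pattern):
    """Does one certificate DNS name satisfy one expected-name pattern?"""
    subdomain_ok = pattern.startswith(".")
    c = labels(cert_name)
    p = labels(pattern.lstrip("."))
    if c[0] == "*":
        tail = c[1:]
        if len(tail) < 2:               # refuse "*.com"-style names outright
            return False
        if subdomain_ok:                # "*.x" covers a subdomain of p iff x is p or below p
            return len(tail) >= len(p) and tail[-len(p):] == p
        return len(p) == len(tail) + 1 and p[1:] == tail
    if subdomain_ok:
        return len(c) > len(p) and c[-len(p):] == p
    return c == p


def expected_patterns(level, nexthop, mx_hostname, explicit=(),
                      tlsa_found=False, patched=True):
    """Expand the match list parse_match() would build into concrete patterns.

    Level "dane" without TLSA records is the case the patch changes: before
    it the DANE defaults ("nexthop", "hostname") lingered; after it the level
    behaves like "secure" (default "nexthop", "dot-nexthop").
    """
    if level == "dane" and (tlsa_found or not patched):
        names = ["nexthop", "hostname"]
    elif level in ("secure", "dane"):
        names = list(explicit) or ["nexthop", "dot-nexthop"]
    elif level == "verify":
        names = list(explicit) or ["hostname"]
    else:
        raise ValueError("no certificate name matching at level %r" % level)
    expand = {"nexthop": nexthop, "dot-nexthop": "." + nexthop,
              "hostname": mx_hostname}
    return [expand.get(n, n) for n in names]


def check_peer(cert_names, level, nexthop, mx_hostname, **kw):
    """Return the first (certificate name, pattern) pair that matches, else None."""
    for pattern in expected_patterns(level, nexthop, mx_hostname, **kw):
        for cert_name in cert_names:
            if cert_name_matches(cert_name, pattern):
                return (cert_name, pattern)
    return None


# Constructed scenario after the posttls-finger output in the message:
# next-hop reply.github.com, MX host in-5.smtp.github.com, wildcard certificate.
NEXTHOP = "reply.github.com"
MX_HOST = "in-5.smtp.github.com"
CERT_NAMES = ["*.smtp.github.com"]      # only the subject CN shown in the output


def scenario_table():
    cases = {
        "secure": dict(level="secure"),
        "verify": dict(level="verify"),
        "dane, no TLSA, before patch": dict(level="dane", patched=False),
        "dane, no TLSA, after patch": dict(level="dane", patched=True),
        "secure, explicit 'hostname'": dict(level="secure", explicit=("hostname",)),
    }
    return {name: check_peer(CERT_NAMES, nexthop=NEXTHOP, mx_hostname=MX_HOST, **kw)
            for name, kw in cases.items()}


if __name__ == "__main__":
    for name, hit in scenario_table().items():
        outcome = "verified via %s ~ %s" % hit if hit else "hostname mismatch"
        print("%-30s %s" % (name, outcome))
```

Running it shows why the pre-patch dane level was a hybrid: with no TLSA records, the "hostname" entry lets the *.smtp.github.com certificate pass for a connection to reply.github.com, whereas the post-patch fallback to "secure" yields the "hostname mismatch" seen in the message's output.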