Thank you for the amazing work that has been done to integrate the TLSRPT feature.

After setting up TLS reporting in one of my systems I noticed some worrying behavior (Postfix 3.10.2 on EL9). I was hoping someone could take a look to see if it does need a fix or whether there is a better way to accomplish the same thing.

When relaying TLS report emails generated by the sys4 tlsrpt-reporter, Postfix built with the TLSRPT library seems to ignore master.cf overrides and generates warning logs. In my master.cf I have defined a dedicated listener (port 10032) to receive TLS reports from the tlsrpt-reporter package so they can be relayed without generating another TLS report (to avoid a report loop). I tried to use these two overrides for this control:

    -o smtp_tlsrpt_enable=no
    -o smtp_tlsrpt_socket_name=

Instead, I noticed that even though the tlsrpt-reporter package's report email is relayed successfully, the relay activity produces strange logs and pushes a new TLS report to the tlsrpt-reporter socket (ignoring the overrides). It is as if somehow specific email content is spilling over into the code variables and influencing the decision logic. When I substitute the sample text file with example text from other email sources, the logs are normal and no report is pushed to the socket. There is no difference when I send to different ports.

Typical logs when the sample text is present:

Jun 18 21:33:35 mx02.mta-service.com postfix/smtp[3011]: warning: mx1.example2.com[X.X.X.X]:25: error loading trust settings: 3 1 1 FBEC849FD98C9895479B54C2C499200EE0C69EB60BA9021AB86F2BED48E88465
    <--------- fragment of the TLSA record from example2.com. Normally I don't get this line.
Jun 18 21:33:35 mx02.mta-service.com postfix/smtp[3011]: warning: TLS library problem: error:0A0000AF:SSL routines::dane not enabled:ssl/ssl_lib.c:270:
    <--------- Normally I don't get this line.
Jun 18 21:33:35 mx02.mta-service.com postfix/smtp[3011]: Untrusted TLS connection established to mx1.example2.com[X.X.X.X]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)...
    <--------- mx1.example2.com is normally VERIFIED TLS
Jun 18 21:33:35 mx02.mta-service.com postfix/smtp[3011]: TLSRPT: status=success, domain=example2.com, receiving_mx=mx1.example2.com[X.X.X.X]
    <--------- should not be getting another report generated
Jun 18 21:33:35 mx02.mta-service.com postfix/smtp[3011]: 42E593042330: to=tls...@example2.com, relay=mx1.example2.com[X.X.X.X]:25, delay=0.44, delays=0.1/0.03/0.1/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7E6A4A5AC0)
Jun 18 21:33:35 mx02.mta-service.com postfix/qmgr[3000]: 42E593042330: removed

I am testing with the msmtp mail client, which supports an alternative destination port (dnf install msmtp <------ careful, the postfix service can be disabled on reboot):

    cat /var/lib/tlsrpt/examplereport | msmtp --source-ip=127.0.0.1 --host=127.0.0.1 --port=10032 -t --read-envelope-from

To reproduce the problem you can substitute example1 and example2 in the sample, or send it as is with a different script; the recipient domain (example2) may need to have TLSA records to support DANE to see the full picture:

    cat /var/lib/tlsrpt/examplereport | msmtp --source-ip=127.0.0.1 --host=127.0.0.1 --port=10032 --auth=off --from=no-reply-tls-repo...@example1.com tls...@example2.com

Sample email generated by the real tlsrpt-reportd.service (text between the lines). Only the domain text was modified, the rest is the same and the gzip part still contains the real JSON.

----------------------------------------------------------------------
Subject: Report Domain: example2.com Submitter: example1.com Report-ID: <2025-06-17T00:00:00z_idx1_example2....@example1.com>
From: no-reply-tls-repo...@example1.com
To: tls...@example2.com
Message-ID: <175027643876.5219.1875859660905557...@example1.com>
TLS-Report-Domain: example2.com
TLS-Report-Submitter: example1.com
TLS-Required: No
MIME-Version: 1.0
Content-Type: multipart/report; report-type="tlsrpt"; boundary="===============5068069055278124422=="

--===============5068069055278124422==
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

This is an aggregate TLS report from example1.com

--===============5068069055278124422==
Content-Type: application/tlsrpt+gzip
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="example1.com!example2.com!1750118400!1750204799!1.json.gz"
MIME-Version: 1.0

H4sIAFYZU2gA/3WRwY6DIBCGX6XhvDRI1UpPrdY+wZ66aRoWqZIoGBiTuo3vvqDpJpumYQ4T/n+G
b5gHMrbmWv1wUEZjzTuJdiukNMjaqtbUa2E69LFCFQeJLdd10B/IAbeAwyWopYQSmmCS4mj7Schu
jnMolLp656ObXcJ8nNHkjcJo4AKw0jcTjL1x0HEH0u5fcXrTKqGk88YvTzN0HbfjTAYGeItvXLWD
ldhJ58JgwgwavE587eJwgxBevA3tiymeni8sLZcUw9jPE0Dr+B/DiCvTcaWD0N2j9beExjVSNErz
5h/tiB1YpeuAjDaryJ9TXhZZzE5HlhUsY0m8ZXkSF7SIGaOElCUpUlbmKckPjNDokGfpieblMc7K
LIvTBF0C6XPWSoLP5i+5TBcvWNkbvyVVvdvPVVX36PqKPP0CUhWLaRcCAAA=
--===============5068069055278124422==--
----------------------------------------------------------------------
Mike
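The post places the two "-o smtp_tlsrpt_*" overrides on the port 10032 listener. In Postfix, smtp_tlsrpt_enable and smtp_tlsrpt_socket_name are parameters of the smtp(8) delivery client, and a master.cf "-o" override only applies to the service entry it is written under, so an override on an smtpd(8) listener does not change how qmgr(8) later delivers the mail that listener accepted. The following lint is an added example (not code from the post, from Postfix or from tlsrpt-reporter): it parses a master.cf, finds every entry carrying a TLSRPT override, and reports whether that entry is a delivery transport (where the override is effective) or an inbound listener (where it is not). The sample master.cf is constructed for the example, and the "tlsrpt-out" transport name is a hypothetical placeholder.

```python
"""Lint a Postfix master.cf for misplaced smtp_tlsrpt_* overrides.

Added example; assumes the standard master.cf layout documented in master(5):
  service type private unpriv chroot wakeup maxproc command + args
with "-o name=value" overrides on indented continuation lines.
"""

# Postfix TLSRPT parameters of the smtp(8)/lmtp(8) client.
TLSRPT_PARAMS = ("smtp_tlsrpt_enable", "smtp_tlsrpt_socket_name")

# Constructed sample, not the poster's master.cf.  The 10032 listener mirrors
# the post; "tlsrpt-out" is a hypothetical dedicated delivery transport.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet  n       -       n       -       -       smtpd
# dedicated listener for tlsrpt-reporter output (port taken from the post)
10032      inet  n       -       n       -       -       smtpd
  -o smtp_tlsrpt_enable=no
  -o smtp_tlsrpt_socket_name=
smtp       unix  -       -       n       -       -       smtp
# hypothetical delivery transport for outbound TLS reports
tlsrpt-out unix  -       -       n       -       -       smtp
  -o smtp_tlsrpt_enable=no
"""


def parse_master_cf(text):
    """Return one dict per service entry: name, type, command, args.

    Comment and blank lines are skipped; a line that starts with whitespace
    continues the previous entry's argument list (how long -o lists are
    usually written).
    """
    entries = []
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if current is not None:
                current["args"].extend(raw.split())
            continue
        fields = raw.split()
        if len(fields) < 8:
            continue  # not a well-formed entry; ignore rather than guess
        current = {
            "name": fields[0],
            "type": fields[1],      # inet / unix / fifo / pass
            "command": fields[7],   # smtpd, smtp, lmtp, pipe, ...
            "args": fields[8:],
        }
        entries.append(current)
    return entries


def overrides(entry):
    """Collect "-o name=value" pairs from an entry's argument list."""
    result = {}
    args = entry["args"]
    for i, arg in enumerate(args):
        if arg == "-o" and i + 1 < len(args):
            name, _, value = args[i + 1].partition("=")
            result[name] = value
    return result


def lint_tlsrpt_overrides(text):
    """Return (service, verdict, detail) for each entry with a TLSRPT override.

    verdict is "ok" when the override sits on an smtp/lmtp delivery transport
    and "ineffective" when it sits on any other service (e.g. an smtpd
    listener), where it cannot influence outbound TLSRPT reporting.
    """
    findings = []
    for entry in parse_master_cf(text):
        hits = {k: v for k, v in overrides(entry).items() if k in TLSRPT_PARAMS}
        if not hits:
            continue
        detail = ", ".join(f"{k}={v!r}" for k, v in sorted(hits.items()))
        if entry["command"] in ("smtp", "lmtp"):
            verdict = "ok"
        else:
            verdict = "ineffective"
            detail += f" (on {entry['command']} service, not a delivery client)"
        findings.append((entry["name"], verdict, detail))
    return findings


if __name__ == "__main__":
    for service, verdict, detail in lint_tlsrpt_overrides(SAMPLE_MASTER_CF):
        print(f"{service:12} {verdict:12} {detail}")
```

Run against the sample it flags the "10032" listener as ineffective and the "tlsrpt-out" transport as ok. To make report mail actually use a dedicated transport, Postfix routes by transport_maps (per recipient) or sender_dependent_default_transport_maps (per sender), so the listener that receives the reports and the transport that delivers them are two separate master.cf entries; "postconf -Mf" and "postconf -P" show what each entry really carries on a live system.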
Postfix-users mailing list -- postfix-users@postfix.org