On Thu, Jun 19, 2025 at 09:24:27AM +0000, Michael Webb via Postfix-users wrote:

> When relaying TLS report emails generated by sys4 tlsrpt-reporter,
> Postfix built with TLSRPT library seems to ignore master.cf overrides
> and generates warning logs.

The master.cf overrides you've specified are not "ignored", rather the
settings in question are not and were never applicable to smtpd(8).

It is a mistake to expect smtpd(8) to somehow propagate non-default
master.cf overrides to downstream services via the queue file.  Postfix
does not work that way.  Settings in master.cf affect only the service to
which they are applied, and settings not documented as applicable in the
relevant manpage have no effect.

> In my master.cf I have defined a dedicated listener (port 10032) to
> receive TLS reports from the tlsrpt-reporter package so they can be
> relayed without generating another TLS report (to avoid a report
> loop).  I tried to use these 2 overrides for this control:

> "-o smtp_tlsrpt_enable=no" and
> "-o smtp_tlsrpt_socket_name="

These are not smtpd(8) settings; they can only be applied to an smtp(8)
(client) delivery agent, not to an smtpd(8) server.

> Typical logs when sample text is present:

This is what the "TLS-Required: no" header is for.

> Jun 18 21:33:35 mx02.mta-service.com postfix/smtp[3011]: warning: 
> mx1.example2.com[X.X.X.X]:25:
> error loading trust settings: 3 1 1 
> FBEC849FD98C9895479B54C2C499200EE0C69EB60BA9021AB86F2BED48E88465

However, there's a problematic interaction with DANE TLSA records.
Patch below.

-- 
    Viktor.

--- a/src/smtp/smtp.h
+++ b/src/smtp/smtp.h
@@ -61,2 +61,3 @@ typedef struct SMTP_ITERATOR {
     unsigned port;                     /* network byte order or null */
+    int     tlsreqno;                  /* "TLS-Required: no" */
     struct DNS_RR *rr;                 /* DNS resource record or null */
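Review bot: the comment on the new `tlsreqno` field only names the header; since this is message-level state stored in a per-destination iterator, say what the flag means and who sets it, e.g. `/* message has "TLS-Required: no"; cap level at "may" */`, so the next reader does not have to find the assignment in smtp_connect.c.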
@@ -73,2 +74,3 @@ typedef struct SMTP_ITERATOR {
        (iter)->port = (_port); \
+       (iter)->tlsreqno = 0; \
        (iter)->mx = (iter)->rr = 0; \
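Review bot: the reset to 0 in the iterator init macro is the only initialization shown; please confirm every SMTP_ITERATOR in smtp(8) is set up through this macro, because policy_create() now reads `iter->tlsreqno` and an iterator built any other way would expose an uninitialized flag there.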
--- a/src/smtp/smtp_connect.c
+++ b/src/smtp/smtp_connect.c
@@ -509,2 +509,15 @@ static int smtp_get_effective_tls_level(DSN_BUF *why, 
SMTP_STATE *state)
 
+    /*
+     * If the message contains a "TLS-Required: no" header, update the iterator
+     * to cap the policy at TLS_LEV_MAY.
+     *
+     * We must do this early to avoid possible failure if TLSA record lookups
+     * fail, of if TLSA records are found, but can't be activated because the
+     * security level has been reset to "may".
+     */
+    if (var_tls_required_enable
+            && (state->request->sendopts & SOPT_REQUIRETLS_HEADER)) {
+       iter->tlsreqno = 1;
+    }
+
     /*
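Review bot: typo in the new comment, "fail, of if TLSA records are found" should read "fail, or if TLSA records are found". Since this hunk only sets the flag, the comment would also benefit from one line saying where the cap is applied (policy_create(), before any TLSA lookup can pin the level above "may").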
@@ -531,12 +544,2 @@ static int smtp_get_effective_tls_level(DSN_BUF *why, 
SMTP_STATE *state)
 
-    /*
-     * Otherwise, if the TLS level is not TLS_LEV_NONE or some non-level, and
-     * the message contains a "TLS-Required: no" header, limit the level to
-     * TLS_LEV_MAY.
-     */
-    else if (var_tls_required_enable && tls->level > TLS_LEV_NONE
-            && (state->request->sendopts & SOPT_REQUIRETLS_HEADER)) {
-       tls->level = TLS_LEV_MAY;
-    }
-
     /*
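Review bot: the removed branch guarded the cap with `tls->level > TLS_LEV_NONE`; the replacement in policy_create() only lowers levels above TLS_LEV_MAY, so a "none" level is still left alone and the behaviour is equivalent on that point. The removed code was an `else if`, though, so the `if` that preceded it at the old line 531 loses its else arm; please check that the remaining control flow still falls through as intended for messages without the header.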
--- a/src/smtp/smtp_tls_policy.c
+++ b/src/smtp/smtp_tls_policy.c
@@ -653,3 +653,6 @@ static void *policy_create(const char *unused_key, void 
*context)
 
-    if (tls_policy) {
+    if (iter->tlsreqno) {
+        if (tls->level > TLS_LEV_MAY)
+            tls->level = TLS_LEV_MAY;
+    } else if (tls_policy) {
        tls_policy_lookup(tls, &site_level, dest, "next-hop destination");
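Review bot: when `iter->tlsreqno` is set, tls_policy_lookup() is skipped entirely, so a per-destination policy table entry (for example one that selects "none" for a particular next-hop) is no longer consulted for these messages; only the default level set above gets capped. If that is intended the comment should say so; otherwise run the lookup first and cap afterwards, roughly `if (tls_policy) tls_policy_lookup(...); if (iter->tlsreqno && tls->level > TLS_LEV_MAY) tls->level = TLS_LEV_MAY;`. Also, policy_create() is a cache-create callback (note the `unused_key` argument), so confirm that the cache key includes the new flag or that the cache is flushed per message; otherwise a cached policy built for the same destination from a message without the header could be reused for one that has it.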
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
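The following configuration is an added example, not from the thread and not from Postfix's own documentation. It shows the split Viktor describes: the port 10032 smtpd(8) listener, where `smtp_tlsrpt_*` overrides have no effect, beside a dedicated smtp(8) client transport, which is the only place those overrides are read. The transport name `tlsrpt-out`, the map file path and the reporter's sender address are assumptions made for this example.

```conf
# main.cf (added example; values are assumptions, not from the thread)

# The "TLS-Required: no" header approach needs this enabled
# (parameter exists in Postfix 3.9 and later, default "yes").
tls_required_enable = yes

# Optional: route the reporter's mail to a dedicated smtp(8) transport
# by sender address, so the TLSRPT overrides below apply only to it.
sender_dependent_default_transport_maps = hash:/etc/postfix/tlsrpt_sender_transport

# /etc/postfix/tlsrpt_sender_transport (assumed path; run "postmap" after editing):
#   tlsrpt-reporter@example.net    tlsrpt-out:

# master.cf

# smtpd(8) listener receiving the reports. smtp_tlsrpt_enable and
# smtp_tlsrpt_socket_name are smtp(8) client parameters: putting them
# here is ignored and nothing is propagated through the queue file.
10032      inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/tlsrpt-in
  -o smtpd_client_restrictions=permit_mynetworks,reject

# Dedicated smtp(8) client transport: this is the service where the
# TLSRPT overrides actually take effect.
tlsrpt-out unix  -       -       n       -       -       smtp
  -o syslog_name=postfix/tlsrpt-out
  -o smtp_tlsrpt_enable=no
```

This only decides which daemon reads the parameter; it does not replace the "TLS-Required: no" header Viktor points to, and the DANE TLSA interaction his patch addresses applies whichever transport delivers the report.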