On Mon, Nov 21, 2022 at 06:18:33PM +0100, Paul Menzel wrote:

> With Postfix 3.6.0-RC1 and

I am curious why you are using a rather dated release-candidate.

> After a while of head scratching, I thought it might have to do with the
> SMTP servers publishing TLSA records, but the domain in the email
> address does not support DNSSEC.

That's where "smtp_tls_dane_insecure_mx_policy" comes into play.

> Testing with level `dane` it indeed does mark the TLS connection as
> untrusted:
>
> $ posttls-finger -c -l dane -P /etc/ssl/certs rki.de
> posttls-finger: MX RRset insecure: log verified as trusted
> posttls-finger: mx1.bund.de[77.87.224.131]:25: Matched DANE EE
> certificate at depth 0: 3 0 1
> 2E5543C7522EDC151C65602F4541DC14D66182B49EA687EE9EFA2F6E3990186E

A matching "3 0 1" record was found; this should be logged as "Trusted"
per the preceding log message.

> posttls-finger: Untrusted TLS connection established to
> mx1.bund.de[77.87.224.131]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384
> (256/256 bits) key-exchange X25519
> server-signature RSA-PSS (4096 bits) server-digest SHA256

Unfortunately, that's not what actually happens.

> My naive assumption would have been, if no DNSSEC is set up for the
> domain in the email address, that DANE would not be tried. The
> DANE SMTP Validator [1] seems to use that ordering too.
>
> Do you have suggestions how to deal with this issue?

In general, don't stick with "-RC*" builds long past their use-by date.
However, in this case the issue is a minor oversight in the Postfix TLS
client code. The intended logging behaviour does not happen. Patch below:

-- 
    Viktor.

diff --git a/src/tls/tls_client.c b/src/tls/tls_client.c index b6065649b..64c8da923 100644 --- a/src/tls/tls_client.c +++ b/src/tls/tls_client.c 
@@ -342,7 +342,8 @@ static void verify_extract_name(TLS_SESS_STATE *TLScontext, X509 *peercert, */ if (!TLS_NEVER_SECURED(TLScontext->level)) TLScontext->peer_status |= TLS_CERT_FLAG_SECURED; - TLScontext->peer_status |= TLS_CERT_FLAG_MATCHED; + TLScontext->peer_status |= + TLS_CERT_FLAG_TRUSTED | TLS_CERT_FLAG_MATCHED; if (verbose) { const char *peername = SSL_get0_peername(TLScontext->con);
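Review bot: The added `TLS_CERT_FLAG_TRUSTED` on the `peer_status` assignment in `verify_extract_name()` is what makes the "Trusted TLS connection" log line agree with the earlier "MX RRset insecure: log verified as trusted" message, but the distinction the surrounding code is drawing deserves a short comment: `TLS_CERT_FLAG_SECURED` is still only set when `!TLS_NEVER_SECURED(TLScontext->level)`, so a TLSA match over an insecure MX RRset is now reported as trusted-but-not-secured rather than untrusted, which is the behaviour `smtp_tls_dane_insecure_mx_policy` describes. Two things worth checking before merging: whether any other place that sets `TLS_CERT_FLAG_MATCHED` has the same omission (none is visible in this hunk), and that re-running the reported `posttls-finger -c -l dane -P /etc/ssl/certs rki.de` command after the patch logs "Trusted TLS connection established" instead of "Untrusted", since that is the only observable change.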