Viktor Dukhovni:
> However, in this case the issue is a minor oversight in the Postfix TLS
> client code. The intended logging behaviour does not happen. Patch
> below:
Is there an equivalent for the still supported Postfix version 3.5?
That would also fix Postfix version 3.4 which has the same code.
Wietse
> diff --git a/src/tls/tls_client.c b/src/tls/tls_client.c
> index b6065649b..64c8da923 100644
> --- a/src/tls/tls_client.c
> +++ b/src/tls/tls_client.c
> @@ -342,7 +342,8 @@ static void verify_extract_name(TLS_SESS_STATE
> *TLScontext, X509 *peercert,
> */
> if (!TLS_NEVER_SECURED(TLScontext->level))
> TLScontext->peer_status |= TLS_CERT_FLAG_SECURED;
> - TLScontext->peer_status |= TLS_CERT_FLAG_MATCHED;
> + TLScontext->peer_status |=
> + TLS_CERT_FLAG_TRUSTED | TLS_CERT_FLAG_MATCHED;
>
> if (verbose) {
> const char *peername = SSL_get0_peername(TLScontext->con);
>
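Review bot: The added TLS_CERT_FLAG_TRUSTED bit in the "TLScontext->peer_status |=" assignment is set unconditionally, while TLS_CERT_FLAG_SECURED two lines above it is guarded by !TLS_NEVER_SECURED(TLScontext->level), and nothing in the visible context shows why a name match implies a trusted chain at this point. The comment block that closes just above the "if" should state that invariant, so that the TRUSTED flag, and the logging that depends on it, is not later read as covering a peer whose chain was never verified. The "@@" hunk header is also wrapped across two lines in this copy and has to be rejoined before the patch will apply, which matters for anyone carrying it to the 3.5 and 3.4 trees mentioned in the reply.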