check_ccert_access without SASL

2021-10-30 Thread Brad Barden
Greetings,

During recent infrastructure updates, I ran into an oddity using a
check_ccert_access rule on postfix built without SASL support. The following
warning is logged:

Oct 30 14:03:22 postfix/submission/smtpd[7724]: warning: restriction 
`check_ccert_access' ignored: no SASL support

Despite the warning, the rule still behaves correctly. This appears to be a
mistaken #ifdef placement in generic_checks() in src/smtpd/smtpd_check.c. An
obvious patch is attached, though there's a chance I misunderstood something
subtle so please review accordingly.

Thanks,
-Brad
--- a/src/smtpd/smtpd_check.c   2021-10-30 14:07:05.215801324 +
+++ b/src/smtpd/smtpd_check.c   2021-10-30 14:07:14.495823061 +
@@ -4374,8 +4374,8 @@
}
} else if (is_map_command(state, name, CHECK_CCERT_ACL, &cpp)) {
status = check_ccert_access(state, *cpp, def_acl);
-#ifdef USE_SASL_AUTH
} else if (is_map_command(state, name, CHECK_SASL_ACL, &cpp)) {
+#ifdef USE_SASL_AUTH
if (var_smtpd_sasl_enable) {
if (state->sasl_username && state->sasl_username[0])
status = check_sasl_access(state, *cpp, def_acl);
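Review bot: the hunk ends at the `check_sasl_access` call and does not show the matching `#else`/`#endif` for the moved `#ifdef USE_SASL_AUTH`; before applying, confirm that both now sit inside the `CHECK_SASL_ACL` branch, so that in a build without SASL the `check_ccert_access` branch no longer falls through into the "ignored: no SASL support" warning after the access check has already run, and so the non-SASL build still compiles.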


FYI SMTP/25 security (was: "Correct" way to override cipher list?)

2021-10-30 Thread Matus UHLAR - fantomas

> On Fri, Oct 29, 2021 at 08:36:38PM -0700, Dan Mahoney (Gushi) wrote:
>> smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1

On 30.10.21 01:01, Viktor Dukhovni wrote:
> Leave TLSv1 and TLSv1.1 enabled, there's no compelling reason to turn
> these off for opportunistic TLS.

I agree.


Unfortunately, the security bureau in Slovakia started scanning gov. agencies
and we already received requests to close those on smtp/25.

FYI, I wasn't able to find an article in English; this one is in
Slovak, if anyone's interested.

https://zive.aktuality.sk/clanok/5sn9q7n/stat-ma-novy-nastroj-ktorym-kontroluje-zranitelnosti-svojich-it-systemov-vyvinul-si-ho-sam/


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
(R)etry, (A)bort, (C)ancer


Re: FYI SMTP/25 security (was: "Correct" way to override cipher list?)

2021-10-30 Thread Bastian Blank
On Sat, Oct 30, 2021 at 06:57:41PM +0200, Matus UHLAR - fantomas wrote:
> unfortunately, security bureau in Slovakia started scanning gov. agencies
> and we already received requests to close those on smtp/25.

And do they actually have anything to say?  Just disable cleartext then.

Bastian

-- 
Oh, that sound of male ego.  You travel halfway across the galaxy and
it's still the same song.
-- Eve McHuron, "Mudd's Women", stardate 1330.1


Re: check_ccert_access without SASL

2021-10-30 Thread Viktor Dukhovni
On Sat, Oct 30, 2021 at 02:55:45PM +, Brad Barden wrote:

> Oct 30 14:03:22 postfix/submission/smtpd[7724]: warning: restriction 
> `check_ccert_access' ignored: no SASL support

The proposed patch is correct.  Well spotted.  Thanks.

--- a/src/smtpd/smtpd_check.c   2021-10-30 14:07:05.215801324 +
+++ b/src/smtpd/smtpd_check.c   2021-10-30 14:07:14.495823061 +
@@ -4374,8 +4374,8 @@
}
} else if (is_map_command(state, name, CHECK_CCERT_ACL, &cpp)) {
status = check_ccert_access(state, *cpp, def_acl);
-#ifdef USE_SASL_AUTH
} else if (is_map_command(state, name, CHECK_SASL_ACL, &cpp)) {
+#ifdef USE_SASL_AUTH
if (var_smtpd_sasl_enable) {
if (state->sasl_username && state->sasl_username[0])
status = check_sasl_access(state, *cpp, def_acl);
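Review bot: the leading indentation of every line in this hunk was stripped in transit (the `}` context line and the nested `if` bodies all start in column one), so `patch` will not match the context in `src/smtpd/smtpd_check.c` unless whitespace is ignored (`patch -l`); the moved `#ifdef USE_SASL_AUTH` itself is a one-line relocation that is easy to apply by hand.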

-- 
VIktor.