On Wed, Jun 17, 2020 at 06:05:44PM +0300, Thorsten Habich wrote:

> Unfortunately I ran into a bug when trying to use the connection_reuse
> parameter in a TLS policy maps file.
> Attached you can find a patch to get this option running.
Thanks for the patch, indeed the "continue" is needed.

> --- src/smtp/smtp_tls_policy.c 2018-12-26 20:21:49.000000000 +0100 > +++ src/smtp/smtp_tls_policy.c.new 2020-06-12 14:44:28.740591359 +0200 > @@ -389,6 +389,7 @@ > WHERE, name, val); > INVALID_RETURN(tls->why, site_level); > } > + continue; > } > msg_warn("%s: invalid attribute name: \"%s\"", WHERE, name); > INVALID_RETURN(tls->why, site_level);

> P.S.: I think smtp_tls_connection_reuse=yes in combination with tafile
> is broken.

I think you're saying that per-connection trust-anchors are not supported by the tlsproxy. That sounds plausible. The "tafile" is internally converted to a set of synthetic "DANE-TA(2)" records, that are used for validation with "secure/verify" instead of the global CAfile/CApath. I don't think these are carried along with the tlsproxy protocol.

There's some internal refactoring I should do in any case that would make it easier to support these with connection reuse.

Ideally, we could drop support (e.g. in Postfix 3.6) for OpenSSL 1.0.x, and require 1.1.0 or later. Then it would make sense to refactor to use the built-in DANE support in OpenSSL (a tidier reworked version of the code originally in Postfix), and with that make sure that "tafile" works as expected with TLS connection reuse.

-- 
Viktor.
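Review bot: the added `continue;` is the entire fix and it is necessary: without it, once the accepted-attribute block closes, control falls straight into `msg_warn("%s: invalid attribute name: \"%s\"", WHERE, name);` and `INVALID_RETURN(tls->why, site_level);`, so a correctly spelled `connection_reuse` attribute is reported as an invalid attribute name and the whole policy entry is rejected. The hunk carries only three lines of context, so it is not visible which attribute branch this closing brace belongs to; please confirm that the brace being patched is the `connection_reuse` branch (not the error path just above it) and that the neighbouring attribute branches in the same loop already end with `continue`, so this branch is the only one that falls through.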
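To make the fall-through concrete, here is an added illustration in C (not Postfix's own code; the function names, the single `connection_reuse` attribute and the `why` buffer are assumptions): a loop in the shape of the policy-attribute parser, run once without and once with the `continue` from the patch.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Postfix code: an attribute loop in the shape of the
 * smtp_tls_policy.c parser, showing why the missing "continue" rejects a
 * policy entry that uses connection_reuse.  Names are illustrative.
 * Returns 1 if every attribute was accepted, else 0 with the reason in why;
 * *reuse gets the parsed value (-1 if absent).  fixed=1 applies the patch. */
static int parse_policy(const char *policy, int fixed, int *reuse,
                        char *why, size_t wlen)
{
    char buf[256], *tok, *val;
    snprintf(buf, sizeof(buf), "%s", policy);
    why[0] = '\0';
    *reuse = -1;
    for (tok = strtok(buf, " "); tok != NULL; tok = strtok(NULL, " ")) {
        if ((val = strchr(tok, '=')) != NULL)
            *val++ = '\0';                      /* split name=value */
        if (strcmp(tok, "connection_reuse") == 0) {
            if (val != NULL && strcmp(val, "yes") == 0)
                *reuse = 1;
            else if (val != NULL && strcmp(val, "no") == 0)
                *reuse = 0;
            else {
                snprintf(why, wlen, "invalid %s value", tok);
                return 0;
            }
            if (fixed)
                continue;                       /* the patch's one-line fix */
            /* Unpatched: falls through to the unknown-attribute branch. */
        }
        snprintf(why, wlen, "invalid attribute name: \"%s\"", tok);
        return 0;
    }
    return 1;
}

/* Parsed connection_reuse value, or -2 if the entry was rejected. */
static int policy_reuse(const char *policy, int fixed)
{
    int reuse; char why[128];
    return parse_policy(policy, fixed, &reuse, why, sizeof(why)) ? reuse : -2;
}

int main(void)
{
    printf("unpatched=%d patched=%d\n", policy_reuse("connection_reuse=yes", 0),
           policy_reuse("connection_reuse=yes", 1));   /* -2 then 1 */
    return 0;
}
```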