Thorsten Habich:
> This happens with tafile option in tls policy map or
> smtp_tls_trust_anchor_file set in main.cf and smtp_tls_connection_reuse
> = yes
>
> 2020-06-18T09:20:41.644109+02:00 servername postfix/tlsproxy[122987]:
> CONNECT to [10.11.12.13]:25
> 2020-06-18T09:20:41.644288+02:00 servername postfix/tlsproxy[122987]:
> warning: malformed certificate in TLS_CERTS
I found a way to reproduce this error message (with the posttls-finger command). The same code path is used by the Postfix SMTP client when connection reuse is turned on. Does this patch address the problem that you reported? Something was sending a length of zero, instead of the correct length. This patch is needed for Postfix 3.4 and later.

Wietse

diff -ur /var/tmp/postfix-3.6-20200610/src/tls/tls_proxy_client_print.c src/tls/tls_proxy_client_print.c --- /var/tmp/postfix-3.6-20200610/src/tls/tls_proxy_client_print.c 2020-06-08 12:34:32.000000000 -0400 +++ src/tls/tls_proxy_client_print.c 2020-06-19 12:22:58.559465109 -0400 @@ -214,7 +214,7 @@ if ((char *) bp - STR(buf) != len) msg_panic("i2d_X509 failed to encode certificate"); ret = print_fn(fp, flags | ATTR_FLAG_MORE, - SEND_ATTR_DATA(TLS_ATTR_CERT, LEN(buf), STR(buf)), + SEND_ATTR_DATA(TLS_ATTR_CERT, len, STR(buf)), ATTR_TYPE_END); } vstring_free(buf); @@ -259,7 +259,7 @@ if ((char *) bp - STR(buf) != len) msg_panic("i2d_PUBKEY failed to encode public key"); ret = print_fn(fp, flags | ATTR_FLAG_MORE, - SEND_ATTR_DATA(TLS_ATTR_PKEY, LEN(buf), STR(buf)), + SEND_ATTR_DATA(TLS_ATTR_PKEY, len, STR(buf)), ATTR_TYPE_END); } vstring_free(buf);
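Review bot: In the first hunk (the TLS_ATTR_CERT send around line 214), switching from LEN(buf) to len is only safe because the panic check directly above has already verified that i2d_X509 wrote exactly len bytes starting at STR(buf); the vstring's own length field is not touched by that raw write, which is why LEN(buf) came out as zero. Add a short comment at the SEND_ATTR_DATA call, e.g. `/* i2d_X509 writes past LEN(buf); use the verified len */`, so a later cleanup does not reintroduce LEN(buf).

Review bot: The second hunk (the TLS_ATTR_PKEY send around line 259) is the identical fix for the i2d_PUBKEY path and needs the same comment; since both blocks follow the same pattern (encode into the raw vstring buffer, panic if the written size differs from len, send with ATTR_FLAG_MORE), consider moving the encode-check-send sequence into one helper that takes the attribute name and len, so the length argument cannot diverge again between the certificate and public-key cases. It would also help to state in the change description that the "malformed certificate in TLS_CERTS" warning on the receiving side is the visible symptom of the zero-length attribute, so the reported log line can be used to confirm the fix.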