On 6/19/2020 7:33 PM, Wietse Venema wrote:
> Thorsten Habich:
>> This happens with tafile option in tls policy map or
>> smtp_tls_trust_anchor_file set in main.cf and smtp_tls_connection_reuse
>> = yes
>>
>> 2020-06-18T09:20:41.644109+02:00 servername postfix/tlsproxy[122987]:
>> CONNECT to [10.11.12.13]:25
>> 2020-06-18T09:20:41.644288+02:00 servername postfix/tlsproxy[122987]:
>> warning: malformed certificate in TLS_CERTS
> I found a way to reproduce this error message (with the posttls-finger
> command). The same code path is used by the Postfix SMTP client
> when connection reuse is turned on.
>
> Does this patch address the problem that you reported?
>
> Something was sending a length of zero, instead of the correct
> length. This patch is needed for Postfix 3.4 and later.
>
> Wietse
>
> diff -ur /var/tmp/postfix-3.6-20200610/src/tls/tls_proxy_client_print.c src/tls/tls_proxy_client_print.c
> --- /var/tmp/postfix-3.6-20200610/src/tls/tls_proxy_client_print.c 2020-06-08 12:34:32.000000000 -0400
> +++ src/tls/tls_proxy_client_print.c 2020-06-19 12:22:58.559465109 -0400
> @@ -214,7 +214,7 @@
>  if ((char *) bp - STR(buf) != len)
>  msg_panic("i2d_X509 failed to encode certificate");
>  ret = print_fn(fp, flags | ATTR_FLAG_MORE,
> - SEND_ATTR_DATA(TLS_ATTR_CERT, LEN(buf), STR(buf)),
> + SEND_ATTR_DATA(TLS_ATTR_CERT, len, STR(buf)),
>  ATTR_TYPE_END);
>  }
>  vstring_free(buf);
> @@ -259,7 +259,7 @@
>  if ((char *) bp - STR(buf) != len)
>  msg_panic("i2d_PUBKEY failed to encode public key");
>  ret = print_fn(fp, flags | ATTR_FLAG_MORE,
> - SEND_ATTR_DATA(TLS_ATTR_PKEY, LEN(buf), STR(buf)),
> + SEND_ATTR_DATA(TLS_ATTR_PKEY, len, STR(buf)),
>  ATTR_TYPE_END);
>  }
>  vstring_free(buf);
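Review bot: In the @@ -214 hunk (i2d_X509), passing `len` instead of `LEN(buf)` is consistent with the panic check two lines above, which already guarantees that `bp - STR(buf)` equals `len`, but nothing in the hunk records why `LEN(buf)` must not be used here, so a later cleanup could quietly reintroduce the zero-length TLS_ATTR_CERT attribute that produced the "malformed certificate in TLS_CERTS" warning. Suggest a one-line comment before the `print_fn` call, e.g. `/* i2d_X509 wrote into STR(buf) directly; LEN(buf) was never updated */`, or alternatively updating the vstring's length after the i2d call so that `LEN(buf)` and `len` cannot disagree.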
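Review bot: The @@ -259 hunk (i2d_PUBKEY) repeats the certificate block line for line (length check, `print_fn` with `ATTR_FLAG_MORE`, `vstring_free(buf)`), and the same one-token fix had to be applied in both copies; suggest factoring the encode-and-send sequence into a small static helper that takes the attribute name and the encoded length, so the two paths cannot drift apart again. Failing that, a comment here on why `len` rather than `LEN(buf)` is passed would flag the trap in this copy as well.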
Thanks for debugging this. With this patch applied I am getting the following error now:

2020-06-20T09:24:23.141716+02:00 servername postfix/tlsproxy[13452]: CONNECT to [10.11.12.13]:25
2020-06-20T09:24:23.162992+02:00 servername postfix/tlsproxy[13452]: CA certificate verification failed for mail.somedomain.net[10.11.12.13]:25: num=28:certificate rejected
2020-06-20T09:24:23.163196+02:00 servername postfix/tlsproxy[13452]: Untrusted TLS connection established to mail.somedomain.net[10.11.12.13]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
2020-06-20T09:24:23.163575+02:00 servername postfix/smtp[13451]: Untrusted TLS connection established to mail.somedomain.net[10.11.12.13]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
2020-06-20T09:24:23.167998+02:00 servername postfix/smtp[13451]: BB9B9300006A: to=<u...@somedomain.net>, relay=mail.somedomain.net[10.11.12.13]:25, delay=284, delays=283/0.02/0.12/0, dsn=4.7.5, status=deferred (Server certificate not trusted)

With connection_reuse=no the mail is delivered without a problem. I increased the log level.
Looks like the correct certificate was found in the tafile:

2020-06-20T09:38:18.632247+02:00 servername postfix/tlsproxy[17324]: mail.somedomain.net[10.11.12.13]:25: depth=1 matched trust anchor certificate sha512 digest
2020-06-20T09:38:18.632323+02:00 servername postfix/tlsproxy[17324]: mail.somedomain.net[10.11.12.13]:25: depth=0 trust-anchor certificate
2020-06-20T09:38:18.632396+02:00 servername postfix/tlsproxy[17324]: mail.somedomain.net[10.11.12.13]:25: depth=1 verify=0 subject=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
2020-06-20T09:38:18.632541+02:00 servername postfix/tlsproxy[17324]: message repeated 2 times: [ mail.somedomain.net[10.11.12.13]:25: depth=1 verify=0 subject=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3]
2020-06-20T09:38:18.632615+02:00 servername postfix/tlsproxy[17324]: mail.somedomain.net[10.11.12.13]:25: depth=0 verify=1 subject=/CN=mail.somedomain.net