> On Jun 19, 2018, at 12:21 PM, Wietse Venema <wie...@porcupine.org> wrote:
>
> Argh, the trace ends in the smtp_tls_policy_cache_query which is called from
> more than one place. Investigating...
DANE context initialization needs to know whether the MX hostname
is an alias, and was previously only done per-MX. Now there's
a new call with "iter->rr" still NULL. The code in dane_init()
is not prepared for that. Without the MX hostname and its DNS_RRs
it can't decide whether the security level is DANE (MX host has
TLSA records, ...) or opportunistic TLS.
diff --git a/postfix/src/smtp/smtp_connect.c b/postfix/src/smtp/smtp_connect.c
index 2bf209d9..abccb57c 100644
--- a/postfix/src/smtp/smtp_connect.c
+++ b/postfix/src/smtp/smtp_connect.c
@@ -669,9 +669,12 @@ static int smtp_reuse_session(SMTP_STATE *state, DNS_RR
**addr_list,
*
- * We request a dummy "TLS disabled" policy for connection-cache lookup by
- * request nexthop only. If we find a saved connection, then we know that
- * plaintext was permitted, because we never save a connection after
- * turning on TLS.
+ * If TLS is proxied, lookup the TLS policy now so that we reuse only
+ * matching sessions. Otherwise, request a dummy "TLS disabled" policy
+ * for connection-cache lookup by request nexthop only.
*/
#ifdef USE_TLS
- smtp_tls_policy_dummy(state->tls);
+ if (!smtp_tls_policy_cache_query(why, state->tls, iter)) {
+ msg_warn("TLS policy lookup error for %s/%s: %s",
+ STR(iter->dest), STR(iter->host), STR(why->reason));
+ return (0); /* XXX */
+ }
#endif
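Review bot: the new comment and the new code disagree. The comment says the policy is looked up "if TLS is proxied" and a dummy "TLS disabled" policy is requested otherwise, but the replacement code calls smtp_tls_policy_cache_query() unconditionally under USE_TLS, and the old smtp_tls_policy_dummy(state->tls) call is removed rather than kept as the else branch. Either guard the lookup with the proxy condition and keep the dummy policy in the other branch, or reword the comment to describe an unconditional lookup. Separately, the `/* XXX */` on `return (0);` leaves open what a policy lookup error means here: as written it logs a warning and only declines session reuse, while `why` has already been filled in with the reason and is then ignored by this path. Since this is the call the message above identifies as running with iter->rr still NULL, which dane_init() is not prepared for, decide whether the caller should see the error through `why` or whether reuse should simply be skipped, and drop the XXX before this is committed. Minor: "lookup the TLS policy" in the comment should read "look up the TLS policy".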
--
Viktor.