Viktor Dukhovni:
> On Tue, Jun 19, 2018 at 01:22:53PM -0400, Wietse Venema wrote:
>
> > Unfortunately, this would be suboptimal when a site has multiple MX hosts
> > (It may end up making connections to each of them).
> >
> > Viktor's suggestion to skip the dane cache makes more sense.
> >
> > Viktor, cache should terminate after "postfix reload".
>
> In that case, perhaps the below will work?

It would not crash, but I don't think it would help. First, the scache is indexed with keys that include the TLS security level for a connection, so that we will never reuse a low-security connection to deliver mail for a high-security destination. Thus the lookups need to specify the security level that was in effect when a connection was stored in the cache. Second, it wants to look up the scache for the nexthop and primary MXes to avoid contacting hosts that we have no cached connection for. I think that these are the lookups that are failing because state->iter->rr is not set. Would the patch below help? Wietse *** ./smtp_connect.c- 2018-06-04 19:21:21.000000000 -0400 --- ./smtp_connect.c 2018-06-19 14:36:32.000000000 -0400 *************** *** 672,677 **** --- 672,678 ---- * for connection-cache lookup by request nexthop only. */ #ifdef USE_TLS + iter->rr = *addr_list; if (!smtp_tls_policy_cache_query(why, state->tls, iter)) { msg_warn("TLS policy lookup error for %s/%s: %s", STR(iter->dest), STR(iter->host), STR(why->reason));
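
Review bot: The added `iter->rr = *addr_list;` dereferences `addr_list` with no check visible in this hunk that the list is non-empty, so if the list can be empty at this point, `iter->rr` ends up NULL again and the policy lookup is back in the state the message describes as failing. It would help to confirm that invariant or guard the assignment. The surrounding comment says this lookup is "by request nexthop only", yet the new line pins `iter->rr` to the first address record and nothing visible resets it afterwards, so a short comment stating why the first record is the right value here, and whether later code expects `iter->rr` to be reassigned, would make the intent clear. The assignment also sits inside `#ifdef USE_TLS`, so it is worth stating that builds without TLS have no code path that reads `iter->rr` before it is otherwise set.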