Bug#924183: postfix: Trust anchor files (tafile=) in TLS policy break secure level email delivery

intrigeri Sat, 09 Mar 2019 22:43:09 -0800

Package: postfix
Version: 3.4.1-1
Severity: important
Tags: patch

Hi,


I have entries like this:

  [domain.tld]:587    secure tafile=/etc/ssl/certs/Lets-Encrypt-Authority-X3.pem

… in the file referenced by:

  smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

This worked just fine until 3.3.2-4 inclusive but since I've upgraded
my sid system yesterday and Postfix was upgraded to 3.4.1-1 I see:

  postfix/smtp[15202]: warning: Trust anchor files not supported
  postfix/smtp[15202]: warning: TLS policy lookup error for 
[domain.tld]:587/domain.tld: client TLS configuration problem
  postfix/smtp[15202]: warning: TLS policy lookup for 
[domain.tld]:587/domain.tld: client TLS configuration problem
  postfix/smtp[15202]: 8B30018835E3: to=<some...@example.com>, relay=none, 
delay=1197, delays=1196/0.82/0.36/0, dsn=4.7.5, status=deferred (client TLS 
configuration problem)

This seems to come from src/tls/tls_dane.c. I see that 3.4.0 has
modified this file quite a bit, e.g. these lines were removed:

  #if OPENSSL_VERSION_NUMBER >= 0x1000000fL && \
         (defined(X509_V_FLAG_PARTIAL_CHAIN) || !defined(OPENSSL_NO_ECDH))
  #define TRUST_ANCHOR_SUPPORT

… and there's only one "#ifdef TRUST_ANCHOR_SUPPORT" left, that guards
the warning I'm seeing. This feels like a leftover of an incomplete
cleanup of the TLS support code that happened in this release, such as
dropping support for OpenSSL 1.0.1.

FWIW the attached patch fixes this problem for me. I don't know if it
can cause any trouble.

I'm setting severity to important as this is a regression introduced
at the last minute before the Buster freeze, but of course feel free
to adjust as you wish :)

Cheers!


-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (990, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-3-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_USER
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages postfix depends on:
ii  adduser                3.118
ii  cpio                   2.12+dfsg-6
ii  debconf [debconf-2.0]  1.5.71
ii  dpkg                   1.19.5
ii  e2fsprogs              1.45.0-1
ii  libc6                  2.28-8
ii  libdb5.3               5.3.28+dfsg1-0.5
ii  libicu63               63.1-6
ii  libsasl2-2             2.1.27+dfsg-1
ii  libssl1.1              1.1.1b-1
ii  lsb-base               10.2018112800
ii  netbase                5.6
ii  ssl-cert               1.0.39

Versions of packages postfix recommends:
ii  python3  3.7.2-1

Versions of packages postfix suggests:
ii  bsd-mailx [mail-reader]        8.1.2-0.20180807cvs-1
ii  dovecot-core [dovecot-common]  1:2.3.4.1-1
ii  emacs-gtk [mail-reader]        1:26.1+1-3.2
ii  evolution [mail-reader]        3.30.5-1
ii  libsasl2-modules               2.1.27+dfsg-1
ii  mailutils [mail-reader]        1:3.5-2
ii  mutt [mail-reader]             1.10.1-2
pn  postfix-cdb                    <none>
pn  postfix-doc                    <none>
pn  postfix-ldap                   <none>
pn  postfix-lmdb                   <none>
pn  postfix-mysql                  <none>
pn  postfix-pcre                   <none>
pn  postfix-pgsql                  <none>
pn  postfix-sqlite                 <none>
pn  procmail                       <none>
pn  resolvconf                     <none>
ii  thunderbird [mail-reader]      1:60.5.1-1
pn  ufw                            <none>

-- debconf information:
  postfix/kernel_version_warning:
  postfix/destinations: $myhostname, manticora, localhost.localdomain, , 
localhost
  postfix/mydomain_warning:
  postfix/tlsmgr_upgrade_warning:
  postfix/chattr: false
  postfix/relay_restrictions_warning:
  postfix/mailbox_limit: 0
  postfix/sqlite_warning:
  postfix/root_address:
  postfix/relayhost:
* postfix/main_mailer_type: No configuration
  postfix/main_cf_conversion_warning: true
  postfix/retry_upgrade_warning:
  postfix/procmail: false
  postfix/mailname: manticora
  postfix/bad_recipient_delimiter:
  postfix/lmtp_retired_warning: true
  postfix/rfc1035_violation: false
  postfix/mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
  postfix/dynamicmaps_conversion_warning:
  postfix/recipient_delim: +
  postfix/not_configured:
  postfix/compat_conversion_warning: true
  postfix/protocols: all
  postfix/newaliases: false

-- 
intrigeri

>From 4d98d0aa5aeb4fbb9941a4239251edfb1537a0e9 Mon Sep 17 00:00:00 2001
From: intrigeri <intrig...@debian.org>
Date: Sun, 10 Mar 2019 06:29:25 +0000
Subject: [PATCH] Drop leftover of obsolete check for trust anchor support.

---
 src/tls/tls_dane.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/src/tls/tls_dane.c b/src/tls/tls_dane.c
index 93f8e2a5..013426b1 100644
--- a/src/tls/tls_dane.c
+++ b/src/tls/tls_dane.c
@@ -1125,7 +1125,6 @@ TLS_DANE *tls_dane_resolve(unsigned port, const char *proto, DNS_RR *hostrr,
 
 int     tls_dane_load_trustfile(TLS_DANE *dane, const char *tafile)
 {
-#ifdef TRUST_ANCHOR_SUPPORT
     BIO    *bp;
     char   *name = 0;
     char   *header = 0;
@@ -1217,9 +1216,6 @@ int     tls_dane_load_trustfile(TLS_DANE *dane, const char *tafile)
     }
     /* Some other PEM read error */
     tls_print_errors();
-#else
-    msg_warn("Trust anchor files not supported");
-#endif
     return (0);
 }
 
-- 
2.20.1

Bug#924183: postfix: Trust anchor files (tafile=) in TLS policy break secure level email delivery

Reply via email to