Your message dated Thu, 28 Mar 2019 10:19:48 +0000
with message-id <e1h9s8s-000htz...@fasolo.debian.org>
and subject line Bug#924183: fixed in postfix 3.4.4-1
has caused the Debian Bug report #924183,
regarding postfix: Trust anchor files (tafile=) in TLS policy break secure
level email delivery
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
924183: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924183
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: postfix
Version: 3.4.1-1
Severity: important
Tags: patch
Hi,

I have entries like this:

    [domain.tld]:587 secure tafile=/etc/ssl/certs/Lets-Encrypt-Authority-X3.pem

… in the file referenced by:

    smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

This worked just fine until 3.3.2-4 inclusive but since I've upgraded
my sid system yesterday and Postfix was upgraded to 3.4.1-1 I see:

    postfix/smtp[15202]: warning: Trust anchor files not supported
    postfix/smtp[15202]: warning: TLS policy lookup error for [domain.tld]:587/domain.tld: client TLS configuration problem
    postfix/smtp[15202]: warning: TLS policy lookup for [domain.tld]:587/domain.tld: client TLS configuration problem
    postfix/smtp[15202]: 8B30018835E3: to=<some...@example.com>, relay=none, delay=1197, delays=1196/0.82/0.36/0, dsn=4.7.5, status=deferred (client TLS configuration problem)

This seems to come from src/tls/tls_dane.c. I see that 3.4.0 has
modified this file quite a bit, e.g. these lines were removed:

    #if OPENSSL_VERSION_NUMBER >= 0x1000000fL && \
        (defined(X509_V_FLAG_PARTIAL_CHAIN) || !defined(OPENSSL_NO_ECDH))
    #define TRUST_ANCHOR_SUPPORT

… and there's only one "#ifdef TRUST_ANCHOR_SUPPORT" left, that guards
the warning I'm seeing. This feels like a leftover of an incomplete
cleanup of the TLS support code that happened in this release, such as
dropping support for OpenSSL 1.0.1.

FWIW the attached patch fixes this problem for me. I don't know if it
can cause any trouble.

I'm setting severity to important as this is a regression introduced
at the last minute before the Buster freeze, but of course feel free
to adjust as you wish :)

Cheers!
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (990, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-3-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_USER
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages postfix depends on:
ii adduser 3.118
ii cpio 2.12+dfsg-6
ii debconf [debconf-2.0] 1.5.71
ii dpkg 1.19.5
ii e2fsprogs 1.45.0-1
ii libc6 2.28-8
ii libdb5.3 5.3.28+dfsg1-0.5
ii libicu63 63.1-6
ii libsasl2-2 2.1.27+dfsg-1
ii libssl1.1 1.1.1b-1
ii lsb-base 10.2018112800
ii netbase 5.6
ii ssl-cert 1.0.39
Versions of packages postfix recommends:
ii python3 3.7.2-1
Versions of packages postfix suggests:
ii bsd-mailx [mail-reader] 8.1.2-0.20180807cvs-1
ii dovecot-core [dovecot-common] 1:2.3.4.1-1
ii emacs-gtk [mail-reader] 1:26.1+1-3.2
ii evolution [mail-reader] 3.30.5-1
ii libsasl2-modules 2.1.27+dfsg-1
ii mailutils [mail-reader] 1:3.5-2
ii mutt [mail-reader] 1.10.1-2
pn postfix-cdb <none>
pn postfix-doc <none>
pn postfix-ldap <none>
pn postfix-lmdb <none>
pn postfix-mysql <none>
pn postfix-pcre <none>
pn postfix-pgsql <none>
pn postfix-sqlite <none>
pn procmail <none>
pn resolvconf <none>
ii thunderbird [mail-reader] 1:60.5.1-1
pn ufw <none>
-- debconf information:
postfix/kernel_version_warning:
postfix/destinations: $myhostname, manticora, localhost.localdomain, ,
localhost
postfix/mydomain_warning:
postfix/tlsmgr_upgrade_warning:
postfix/chattr: false
postfix/relay_restrictions_warning:
postfix/mailbox_limit: 0
postfix/sqlite_warning:
postfix/root_address:
postfix/relayhost:
* postfix/main_mailer_type: No configuration
postfix/main_cf_conversion_warning: true
postfix/retry_upgrade_warning:
postfix/procmail: false
postfix/mailname: manticora
postfix/bad_recipient_delimiter:
postfix/lmtp_retired_warning: true
postfix/rfc1035_violation: false
postfix/mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
postfix/dynamicmaps_conversion_warning:
postfix/recipient_delim: +
postfix/not_configured:
postfix/compat_conversion_warning: true
postfix/protocols: all
postfix/newaliases: false
--
intrigeri
>From 4d98d0aa5aeb4fbb9941a4239251edfb1537a0e9 Mon Sep 17 00:00:00 2001
From: intrigeri <intrig...@debian.org>
Date: Sun, 10 Mar 2019 06:29:25 +0000
Subject: [PATCH] Drop leftover of obsolete check for trust anchor support.
---
src/tls/tls_dane.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/src/tls/tls_dane.c b/src/tls/tls_dane.c
index 93f8e2a5..013426b1 100644
--- a/src/tls/tls_dane.c
+++ b/src/tls/tls_dane.c
@@ -1125,7 +1125,6 @@ TLS_DANE *tls_dane_resolve(unsigned port, const char *proto, DNS_RR *hostrr,
int tls_dane_load_trustfile(TLS_DANE *dane, const char *tafile)
{
-#ifdef TRUST_ANCHOR_SUPPORT
BIO *bp;
char *name = 0;
char *header = 0;
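Review bot: With the "#ifdef TRUST_ANCHOR_SUPPORT" at the top of tls_dane_load_trustfile() gone, the BIO/PEM loading body is compiled unconditionally, and the commit message does not say why that is safe. Please name the 3.4.0 change that deleted the "#define TRUST_ANCHOR_SUPPORT" block and state the minimum OpenSSL version the tree now assumes. It is also worth grepping the rest of src/tls for any remaining test of TRUST_ANCHOR_SUPPORT so that no second dead branch is left behind.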
@@ -1217,9 +1216,6 @@ int tls_dane_load_trustfile(TLS_DANE *dane, const char *tafile)
}
/* Some other PEM read error */
tls_print_errors();
-#else
- msg_warn("Trust anchor files not supported");
-#endif
return (0);
}
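Review bot: Nothing accompanies the removal of the "#else" / msg_warn() branch to stop this regression from returning; since the stale guard made every tafile= policy end in a deferral with only a generic warning, a test that feeds a PEM trust anchor file to tls_dane_load_trustfile() and expects it to succeed would be a useful addition. Separately, the path that remains here runs tls_print_errors() and then "return (0)" without visibly logging the tafile name; if the elided code does not already do so, log it so that a deferred queue can be traced back to the policy entry that caused it.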
--
2.20.1
--- End Message ---
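The failure mode described in the report above (an "#ifdef" left behind after its matching "#define" was deleted) can be caught mechanically. The sketch below is an added example, not code from the report or from Postfix: stale_guards(), logical_lines() and the sample constants are hypothetical names, the C samples are constructed from the lines quoted in the report, and the scan is purely textual, so macros supplied by system headers or -D flags have to be passed in "external".

```python
import re
DEFINE = re.compile(r"^\s*#\s*define\s+(\w+)")
IFDEF = re.compile(r"^\s*#\s*ifn?def\s+(\w+)")
IF_EXPR = re.compile(r"^\s*#\s*(?:if|elif)\b(.*)")
DEFINED = re.compile(r"\bdefined\s*\(?\s*(\w+)")

def logical_lines(text):
    """Yield (first line number, text) with backslash continuations joined."""
    buf, start = "", 0
    for no, line in enumerate(text.splitlines(), 1):
        start = start or no
        if line.endswith("\\"):
            buf += line[:-1] + " "
        else:
            yield start, buf + line
            buf, start = "", 0

def stale_guards(sources, external=()):
    """Sorted (file, line, macro) for tests of macros nothing in `sources` defines."""
    defined, tested = set(external), []
    for name, text in sources.items():
        for no, line in logical_lines(text):
            if m := DEFINE.match(line):
                defined.add(m.group(1))
            elif m := IFDEF.match(line):
                tested.append((name, no, m.group(1)))
            elif m := IF_EXPR.match(line):
                tested += [(name, no, mac) for mac in DEFINED.findall(m.group(1))]
    return sorted(t for t in tested if t[2] not in defined)

# Constructed samples built from the lines quoted in the report; bodies elided.
DEFINITION = r"""#if OPENSSL_VERSION_NUMBER >= 0x1000000fL && \
    (defined(X509_V_FLAG_PARTIAL_CHAIN) || !defined(OPENSSL_NO_ECDH))
#define TRUST_ANCHOR_SUPPORT
#endif
"""
LOADER = """int tls_dane_load_trustfile(TLS_DANE *dane, const char *tafile)
{
#ifdef TRUST_ANCHOR_SUPPORT
    /* PEM loading elided */
#else
    msg_warn("Trust anchor files not supported");
#endif
    return (0);
}
"""
# Assumption: these two names come from OpenSSL headers or build flags.
EXTERNAL = {"X509_V_FLAG_PARTIAL_CHAIN", "OPENSSL_NO_ECDH"}
print(stale_guards({"tls_dane.c": DEFINITION + LOADER}, EXTERNAL), stale_guards({"tls_dane.c": LOADER}, EXTERNAL))
```

With the definition present nothing is reported; with only the guarded function left, as in 3.4.1-1, the guard at its third line is flagged.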
--- Begin Message ---
Source: postfix
Source-Version: 3.4.4-1
We believe that the bug you reported is fixed in the latest version of
postfix, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 924...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Scott Kitterman <sc...@kitterman.com> (supplier of updated postfix package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 24 Mar 2019 15:28:00 -0400
Source: postfix
Binary: postfix postfix-cdb postfix-cdb-dbgsym postfix-dbgsym postfix-doc
postfix-ldap postfix-ldap-dbgsym postfix-lmdb postfix-lmdb-dbgsym postfix-mysql
postfix-mysql-dbgsym postfix-pcre postfix-pcre-dbgsym postfix-pgsql
postfix-pgsql-dbgsym postfix-sqlite postfix-sqlite-dbgsym
Architecture: source amd64 all
Version: 3.4.4-1
Distribution: unstable
Urgency: medium
Maintainer: LaMont Jones <lam...@debian.org>
Changed-By: Scott Kitterman <sc...@kitterman.com>
Description:
postfix - High-performance mail transport agent
postfix-cdb - CDB map support for Postfix
postfix-doc - Documentation for Postfix
postfix-ldap - LDAP map support for Postfix
postfix-lmdb - LMDB map support for Postfix
postfix-mysql - MySQL map support for Postfix
postfix-pcre - PCRE map support for Postfix
postfix-pgsql - PostgreSQL map support for Postfix
postfix-sqlite - SQLite map support for Postfix
Closes: 922477 924183 925082
Changes:
postfix (3.4.4-1) unstable; urgency=medium
.
[Wietse Venema]
.
* 3.4.2
- Bugfix (introduced: 20181226): broken DANE trust anchor
file support, caused by left-over debris from the 20181226
TLS library overhaul. Scott Kitterman. File: tls/tls_dane.c.
Closes: #924183
- Bugfix (introduced: Postfix-1.0.1): null pointer read, while
logging a warning after a corrupted bounce log file. File:
global/bounce_log.c.
- Bugfix (introduced: Postfix-2.9.0): null pointer read, while
logging a warning after a postscreen_command_filter read
error. File: postscreen/postscreen_smtpd.c. global/bounce_log.c
* 3.4.3
- Bitrot: LINUX5s support, after some sanity checks with a
rawhide prerelease version. Files: makedefs, util/sys_defs.h.
Closes: #922477
* 3.4.4
- Bugfix (introduced: Postfix 2.2): reject_multi_recipient_bounce
has been producing false rejects starting with the Postfix
2.2 smtpd_end_of_data_restrictons, and for the same reasons,
does the same with the Postfix 3.4 BDAT command. The latter
was reported by Andreas Schulze. File: smtpd/smtpd_check.c.
Closes: #925082
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---