summaryrefslogtreecommitdiffstats
path: root/src/posttls-finger/posttls-finger.c
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-08 18:56:32 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-08 18:56:32 +0000
commite2905c99ea172c2e54ea419699d8073d23fe7b22 (patch)
tree89ef066e2d4428688b42ec1d2f23dd28d51253b2 /src/posttls-finger/posttls-finger.c
parentAdding upstream version 3.7.10. (diff)
downloadpostfix-e2905c99ea172c2e54ea419699d8073d23fe7b22.tar.xz
postfix-e2905c99ea172c2e54ea419699d8073d23fe7b22.zip
Adding upstream version 3.7.11.upstream/3.7.11upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/posttls-finger/posttls-finger.c')
-rw-r--r--src/posttls-finger/posttls-finger.c21
1 files changed, 16 insertions, 5 deletions
diff --git a/src/posttls-finger/posttls-finger.c b/src/posttls-finger/posttls-finger.c
index 502645c..2652ec6 100644
--- a/src/posttls-finger/posttls-finger.c
+++ b/src/posttls-finger/posttls-finger.c
@@ -1252,6 +1252,8 @@ static DNS_RR *addr_one(STATE *state, DNS_RR *addr_list, const char *host,
msg_fatal("host %s: conversion error for address family %d: %m",
host, ((struct sockaddr *) (res0->ai_addr))->sa_family);
addr_list = dns_rr_append(addr_list, addr);
+ if (DNS_RR_IS_TRUNCATED(addr_list))
+ break;
}
freeaddrinfo(res0);
if (found == 0) {
@@ -1289,6 +1291,8 @@ static DNS_RR *mx_addr_list(STATE *state, DNS_RR *mx_names)
msg_panic("%s: bad resource type: %d", myname, rr->type);
addr_list = addr_one(state, addr_list, (char *) rr->data, res_opt,
rr->pref);
+ if (addr_list && DNS_RR_IS_TRUNCATED(addr_list))
+ break;
}
return (addr_list);
}
@@ -2024,7 +2028,19 @@ static void parse_match(STATE *state, int argc, char *argv[])
#ifdef USE_TLS
int smtp_mode = 1;
+ /*
+ * DANE match names are configured late, once the TLSA records are in
+ * hand. For now, prepare to fall back to "secure".
+ */
switch (state->level) {
+ default:
+ state->match = 0;
+ if (*argv)
+ msg_warn("TLS level '%s' does not implement certificate matching",
+ str_tls_level(state->level));
+ break;
+ case TLS_LEV_DANE:
+ case TLS_LEV_DANE_ONLY:
case TLS_LEV_SECURE:
state->match = argv_alloc(2);
while (*argv)
@@ -2045,11 +2061,6 @@ static void parse_match(STATE *state, int argc, char *argv[])
tls_dane_add_fpt_digests((TLS_DANE *) state->dane, *argv++, "",
smtp_mode);
break;
- case TLS_LEV_DANE:
- case TLS_LEV_DANE_ONLY:
- state->match = argv_alloc(2);
- argv_add(state->match, "nexthop", "hostname", ARGV_END);
- break;
}
#endif
}