Postfix stable release 3.5.9 and legacy releases 3.4.19, postfix-3.3.16, 3.2.21

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Postfix stable release 3.5.9 and legacy releases 3.4.19, postfix-3.3.16, 3.2.21

Wietse Venema
Runtime detection of DNSSEC support

This update improves the reporting of DNSSEC problems that may
affect DANE security. DNSSEC support may unavailable because of
local configuration, libc incompatibility, or other infrastructure
issues. This was backported from Postfix 3.6.

Background: DNSSEC validation is needed for Postfix DANE support;
this ensures that Postfix receives TLSA records with secure TLS
server certificate info. When DNSSEC validation is unavailable,
mail deliveries using opportunistic DANE (security level 'dane')
will not be protected by server certificate info in TLSA records,
and mail deliveries using mandatory DANE (security level 'dane-only')
will not be made at all.

This update introduces the following behavior: when a process
requests DNSSEC support (typically, for Postfix DANE support), the
process may now do a runtime test to determine if DNSSEC validation
is available.

The new dnssec_probe parameter specifies a DNS query type (default:
"ns") and DNS query name (default: ".") that Postfix may use to
determine whether DNSSEC validation is available. Specify an empty
value to disable this feature.

When dnssec_probe is enabled, a Postfix process will send a DNSSEC
probe after 1) the process made a DNS query that requested DNSSEC
validation, 2) the process did not receive a DNSSEC validated
response to this query or to an earlier query, and 3) the process
did not already send a DNSSEC probe.

When the DNSSEC probe has no response, or when the response is not
DNSSEC validated, Postfix logs a warning that DNSSEC validation may
be unavailable. Examples:

warning: DNSSEC validation may be unavailable
warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
warning: reason: dnssec_probe 'ns:.' received no response: Server failure

With this update, the Postfix build system will no longer automatically
disable DNSSEC support when it determines that Postfix will use
libc-musl. This removes the earlier libc-musl workaround introduced
with Postfix 3.2.15, 3.3.10, 3.4.12, and 3.5.2.

You can find the updated Postfix source code at the mirrors listed
at http://www.postfix.org/.

        Wietse