Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Certificate subject names checked when min_tls_level is encrypted #612

Closed
lesderid opened this issue Aug 7, 2023 · 1 comment
Closed

Certificate subject names checked when min_tls_level is encrypted #612

lesderid opened this issue Aug 7, 2023 · 1 comment
Assignees
@foxcpp
Labels
bug Something isn't working. ready-for-release Feature is implemented and available for testing in dev branch. It will be included in the next rele

Comments

@lesderid
Copy link

lesderid commented Aug 7, 2023

Describe the bug

maddy checks the certificate common name (and alt names) when min_tls_level is set to encrypted. It should only check whether a certificate is available, not if the MX name is a subject name, unless min_tls_level is set to authenticated.

Steps to reproduce

  1. Find a mail server with this issue (e.g. sourceware.org servers)
  2. Send an e-mail to it

Log files

queue: delivery attempt failed        {"domain":"cygwin.com","msg_id":"f6811c56","rcpt":"cygwin-patches@cygwin.com","reason":"TLS it not available or unauthenticated but required","smtp_code":451,"smtp_enchcode":"5.4.0","smtp_msg":"No usable MXs, last err: TLS it not available or unauthenticated but required","target":"remote","tls_err":"tls: failed to verify certificate: x509: certificate is valid for server2.sourceware.org, not sourceware.org.","tls_level":"none"}

Configuration file

# ...

target.remote outbound_delivery {
    # ...

    local_policy {
        min_tls_level encrypted
        min_mx_level none
    }
}

Environment information

  • maddy version: 0.7.0 (linux/amd64 go1.20.4)
@lesderid lesderid added the bug Something isn't working. label Aug 7, 2023
@lesderid lesderid changed the title Bug report Certificate subject names checked when min_tls_level is encrypted Aug 7, 2023
@foxcpp foxcpp self-assigned this Aug 23, 2023
foxcpp added a commit that referenced this issue Aug 23, 2023
@foxcpp
target/remote: Fix isVerifyError not working correctly on Go 1.20
17b76d9 
On Go 1.20, *tls.CertificateVerificationError is returned that
wraps x509 errors.

See #612.
@foxcpp foxcpp added the ready-for-release Feature is implemented and available for testing in dev branch. It will be included in the next rele label Aug 23, 2023
@foxcpp
Copy link
Owner

foxcpp commented Aug 23, 2023

Error handling code on Go 1.20 misinterprets TLS verification errors as connection errors, therefore downgrading connection to plain text and failing min_tls_level test. Fixed in 17b76d9.

@foxcpp foxcpp closed this as completed Jan 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@foxcpp foxcpp

Labels
bug Something isn't working. ready-for-release Feature is implemented and available for testing in dev branch. It will be included in the next rele
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@lesderid @foxcpp