Subject: Re: Problem with FEATURE('sts'): bogus "not listed in SANs" rejects
From: bjorn (at) *nospam* mork.no (Bjørn Mork)
Groups: comp.mail.sendmail
Date: 29. Oct 2024, 12:54:59
Organization: m
Message-ID: <87iktbi0oc.fsf@miraculix.mork.no>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)
hquest@hquest.pro.br (HQuest) writes:
> I can confirm the problem exists with messages sent to outlook.com email
> addresses. At first, I thought it would be a behavior change introduced
> by openssl 3.4.0 (this was the last update I applied to this system),
> however downgrading back to v3.3.2, and even going down to 3.0.15 gives
> the same output. Unless this is a side effect of any possible patches
> applied by upstream in their Sep 2024 releases.
Thanks for confirming that I'm not crazy :-)
The patch below fixes the issue for me, but should probably go through
someone who knows what they are doing.
Bjørn
---
From a43bb19d2f26267f7098a114edc2c191f45e4286 Mon Sep 17 00:00:00 2001
From: Bjørn Mork <bjorn@mork.no>
Date: Tue, 29 Oct 2024 12:17:04 +0100
Subject: [PATCH] cf: fix wildcard handling in STS_SAN rule
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
MXes with wildcard certificates would be rejected with a bogus
"not listed in SANs" error. Fix by rewriting the MX hostname
to its wildcard alternative, and then reattempt the SAN class
match.
Link: https://www.novabbs.com/computers/article-flat.php?id=1120&group=comp.mail.sendmail
Signed-off-by: Bjørn Mork <bjorn@mork.no>
---
cf/m4/proto.m4 | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cf/m4/proto.m4 b/cf/m4/proto.m4
index ff7eb0bedc2a..d143b42fbae9 100644
--- a/cf/m4/proto.m4
+++ b/cf/m4/proto.m4
@@ -2748,9 +2748,9 @@ R$* $: $&{server_name}
dnl exact match
R$={cert_altnames} $@ ok
# strip only one level (no recursion!)
-R$-.$+ $: $2
+R$-.$+ $: *.$2
dnl wildcard: *. or just .?
-R *.$={cert_altnames} $@ ok
+R$={cert_altnames} $@ ok
dnl R .$={cert_altnames} $@ ok
dnl always temporary error? make it an option (of the feature)?
R$* $#error $@ 4.7.0 $: 450 $&{server_name} not listed in SANs', `dnl')
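Review bot: the comment `dnl wildcard: *. or just .?` between the two changed rules is now stale, and the commented-out alternative `dnl R .$={cert_altnames} $@ ok` below it can no longer work if someone uncomments it, because the preceding rule `+R$-.$+ $: *.$2` already writes the `*.` prefix into the workspace, so only the `*.` form can ever match. Either drop the question and the dead alternative, or keep the strip rule producing the bare parent domain and put the prefix back on the matching rules (`R*.$={cert_altnames}` / `R.$={cert_altnames}`) so both forms stay testable. The logic of the fix itself looks right: the old `R *.$={cert_altnames}` compared `*.` plus a class member against a workspace that had already lost its first label, so a SAN of `*.example.com` could never match a stripped `example.com`, whereas the new sequence produces `*.example.com` and looks that up in `{cert_altnames}` directly; since `R$-.$+` removes exactly one label and the `# strip only one level (no recursion!)` constraint is preserved, a wildcard still only covers a single leftmost label, and the error message still reports the original `$&{server_name}`.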
-- 2.39.5