Bug 264324 - mail/sendmail: Add support MTA-STS and TLS_USE_CERTIFICATE_CHAIN_FILE, and fix some options and a bug
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Dirk Meyer
URL:
Keywords: feature, patch
Depends on:
Blocks:
Reported: 2022-05-29 07:50 UTC by Norikatsu Shigemura
Modified: 2022-06-03 04:47 UTC
Flags: dinoex: maintainer-feedback+


Attachments
a patch for sendmail port (4.10 KB, patch)
2022-05-29 07:50 UTC, Norikatsu Shigemura

Description Norikatsu Shigemura 2022-05-29 07:50:10 UTC
Created attachment 234304 [details]
a patch for sendmail port

Hi.
I hope to add support for the MTA-STS and TLS_USE_CERTIFICATE_CHAIN_FILE features.
And while organizing some TLS-related features, I found a bug for MTA-STS.

[OPTIONS]
Add MTA-STS and TLS_CERT_CHAIN.

[OPTIONS DEPENDENCY]
MTA-STS -> SOCKETMAP and TLS.
TLS_CERT_CHAIN -> TLS
CYRUSLOOKUP -> SOCKETMAP (fix)

[BUG FIX]
ports/mail/py-postfix-mta-sts-resolver's default port number is 8461, not 5461.

[TLS FEATURE]
Define TLS_EC -> Define TLS_EC=2
 * ECDH feature: from only the specified prime256v1 to OpenSSL's default EC curves, like X25519 and others.

Define _FFR_TLS_ALTNAMES.
 * Add support for Subject Alternative Name, not only Common Name.
   https://cabforum.org/wp-content/uploads/BRv1.1.7.pdf Page#9, 9.2.1 Subject Alternative Name Extension.

Define _FFR_VRFY_TRUSTED_FIRST.
 * Enable the X509_V_FLAG_TRUSTED_FIRST option via the X509_VERIFY_PARAM_set_flags() function [1], to deal with the DST Root CA X3 expiration problem [2].
  [1] https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
  [2] https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

[TLS_USE_CERTIFICATE_CHAIN_FILE]
NOT COMPATIBLE with how `confCACERT*` is specified, and the behavior of `confSERVER_CERT` and `confCLIENT_CERT` changes, so I don't think it should be enabled by DEFAULT.

This option enabled:
 confCACERT_PATH -> Used only in server mode, to verify client certificates.
 confCACERT      -> Used only in server mode, to verify a client certificate.
 confSERVER_CERT -> Adds support for a certificate chain file, like Apache.
 confCLIENT_CERT -> Adds support for a certificate chain file, like Apache.

This option disabled:
 confCACERT_PATH -> Used only in server mode, to verify client certificates.
 confCACERT      -> Used in server and client mode, to verify client certificates and to add intermediate certificates. Oh My God!
 confSERVER_CERT -> Used only for a server certificate.
 confCLIENT_CERT -> Used only for a client certificate.


[P.S.]
If you are interested in MTA-STS, catch up on the two following reports too.
 * https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262251
 * https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262254
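Added example (not part of this bug report, the port, or sendmail itself): the MTA-STS option above depends on SOCKETMAP because sendmail asks an external resolver over the socketmap protocol, and on TLS because the answer only matters if the handshake to the MX validated. The code below shows the two pieces in isolation: the netstring-framed socketmap request/reply format, and an RFC 8461 policy check of the kind a resolver such as py-postfix-mta-sts-resolver performs. The map name "sts", the policy text, the resolver reply contents and the MX hostnames are constructed for this example; the real resolver's reply syntax is not reproduced here.

```python
import re
from dataclasses import dataclass, field

# Constructed sample data (assumptions for this example, not real records).
POLICY_TEXT = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.example.net
max_age: 86400
"""
RESOLVER_REPLY = b"10:OK enforce,"   # constructed reply; real resolvers differ


def netstring(data: bytes) -> bytes:
    """Encode one netstring: '<len>:<data>,' as used by sendmail's socketmap."""
    return b"%d:%s," % (len(data), data)


def parse_netstring(buf: bytes) -> tuple[bytes, bytes]:
    """Decode one netstring from buf; return (payload, remaining bytes)."""
    m = re.match(rb"(\d{1,9}):", buf)
    if not m:
        raise ValueError("malformed netstring length")
    n, start = int(m.group(1)), m.end()
    end = start + n
    if buf[end:end + 1] != b",":
        raise ValueError("truncated or unterminated netstring")
    return buf[start:end], buf[end + 1:]


def socketmap_request(mapname: str, key: str) -> bytes:
    """sendmail socketmap request: a netstring holding '<mapname> <key>'."""
    return netstring(f"{mapname} {key}".encode())


def socketmap_reply(raw: bytes) -> tuple[str, str]:
    """Split a reply into (status, data); status is OK, NOTFOUND, TEMP, PERM or TIMEOUT."""
    payload, rest = parse_netstring(raw)
    if rest:
        raise ValueError("trailing bytes after reply")
    status, _, data = payload.decode().partition(" ")
    if status not in {"OK", "NOTFOUND", "TEMP", "PERM", "TIMEOUT"}:
        raise ValueError(f"unknown socketmap status {status!r}")
    return status, data


@dataclass
class StsPolicy:
    version: str = ""
    mode: str = "none"
    max_age: int = 0
    mx: list[str] = field(default_factory=list)


def parse_policy(text: str) -> StsPolicy:
    """Parse an RFC 8461 policy body ('key: value' lines, one mx per line)."""
    p = StsPolicy()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        k, sep, v = line.partition(":")
        if not sep:
            raise ValueError(f"bad policy line {line!r}")
        k, v = k.strip(), v.strip()
        if k == "version":
            p.version = v
        elif k == "mode":
            p.mode = v
        elif k == "max_age":
            p.max_age = int(v)
        elif k == "mx":
            p.mx.append(v.lower())
        # unknown keys are extension fields and are ignored
    if p.version != "STSv1" or p.mode not in {"enforce", "testing", "none"}:
        raise ValueError("invalid MTA-STS policy")
    return p


def mx_matches(pattern: str, host: str) -> bool:
    """Match an MX hostname against a policy entry.

    A leading '*.' covers exactly one leading label: '*.example.net' matches
    'mx1.example.net' but not 'a.b.example.net' and not 'example.net' itself.
    """
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                  # '.example.net'
        head = host[:-len(suffix)] if host.endswith(suffix) else None
        return bool(head) and "." not in head
    return host == pattern


def delivery_allowed(policy: StsPolicy, mx_host: str, tls_ok: bool) -> bool:
    """In enforce mode the MX must match the policy and TLS must have
    validated; testing and none modes never block delivery (report only)."""
    if policy.mode != "enforce":
        return True
    return tls_ok and any(mx_matches(p, mx_host) for p in policy.mx)
```

The check in `delivery_allowed` is the reason the port ties MTA-STS to the TLS option: a matching MX name is only meaningful together with a validated certificate chain, which is also where the `confCACERT`/chain-file semantics described above come into play.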
Comment 1 Dirk Meyer freebsd_committer freebsd_triage 2022-05-30 08:57:56 UTC
I will look into this.
Comment 2 commit-hook freebsd_committer freebsd_triage 2022-06-03 04:46:19 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7384f5368e82dd9644322da2b07abc32a3c44ca9

commit 7384f5368e82dd9644322da2b07abc32a3c44ca9
Author:     Dirk Meyer <dinoex@FreeBSD.org>
AuthorDate: 2022-06-03 04:45:38 +0000
Commit:     Dirk Meyer <dinoex@FreeBSD.org>
CommitDate: 2022-06-03 04:45:38 +0000

    mail/sendmail: New options MTA-STS TLS_CERT_CHAIN

    PR: 264324

 mail/sendmail/Makefile                                | 19 +++++++++++++------
 mail/sendmail/files/patch-cfsts.m4 (new)              |  9 +++++++++
 mail/sendmail/files/site.config.m4.mta-sts (new)      |  1 +
 mail/sendmail/files/site.config.m4.tls                |  4 +++-
 .../files/site.config.m4.tls-cert-chain (new)         |  1 +
 5 files changed, 27 insertions(+), 7 deletions(-)
Comment 3 Dirk Meyer freebsd_committer freebsd_triage 2022-06-03 04:47:37 UTC
Committed.

Thanks for the detailed description.