Bug#1086178: sendmail: FEATURE(`sts') fails to validate some SANs, causing temp rejects
Package: sendmail
Version: 8.17.1.9-2+deb12u2
Followup-For: Bug #1086178
Control: tags -1 upstream patch
The attached patch fixes this issue for me. It has been submitted
upstream to sendmail-YYYY (at) support.sendmail.org. Don't know if
patches sent to that address are tracked anywhere.
Bjørn
From a43bb19d2f26267f7098a114edc2c191f45e4286 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
Date: Tue, 29 Oct 2024 12:17:04 +0100
Subject: [PATCH] cf: fix wildcard handling in STS_SAN rule
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
MXes with wildcard certificates would be rejected with a bogus
"not listed in SANs" error. Fix by rewriting the MX hostname
to its wildcard alternative, and then reattempt the SAN class
match.
Link: https://www.novabbs.com/computers/article-flat.php?id=1120&group=comp.mail.sendmail
Signed-off-by: Bjørn Mork <bjorn@mork.no>
---
cf/m4/proto.m4 | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cf/m4/proto.m4 b/cf/m4/proto.m4
index ff7eb0bedc2a..d143b42fbae9 100644
--- a/cf/m4/proto.m4
+++ b/cf/m4/proto.m4
@@ -2748,9 +2748,9 @@ R$* $: $&{server_name}
dnl exact match
R$={cert_altnames} $@ ok
# strip only one level (no recursion!)
-R$-.$+ $: $2
+R$-.$+ $: *.$2
dnl wildcard: *. or just .?
-R *.$={cert_altnames} $@ ok
+R$={cert_altnames} $@ ok
dnl R .$={cert_altnames} $@ ok
dnl always temporary error? make it an option (of the feature)?
R$* $#error $@ 4.7.0 $: 450 $&{server_name} not listed in SANs', `dnl')
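Review bot: the comment `# strip only one level (no recursion!)` above the changed rule no longer describes it, since `R$-.$+ $: *.$2` now replaces the leftmost label with a literal `*` rather than dropping it; suggest something like `# replace leftmost label with wildcard (one level only, no recursion!)`. The `dnl wildcard: *. or just .?` comment and the commented-out `dnl R .$={cert_altnames} $@ ok` alternative also need revisiting, because the workspace now always carries the `*.` prefix, so the `.$=` variant could never match without its own rewrite. Keeping `$-` on the LHS is right: a SAN of `*.example.com` matches `mx.example.com` but not `a.b.example.com`, which is the expected single-label wildcard semantics.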
--
2.39.5
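As an added illustration (not part of the bug report or of sendmail's own code), here is a Python model of the rule set before and after the patch, so the behaviour change can be checked on constructed inputs. It assumes `{cert_altnames}` holds the certificate's dNSName SANs and that sendmail's `$=` class match compares the whole token phrase, so `*.example.com` only matches a SAN that is literally `*.example.com`.

```python
# Model of the STS_SAN rules from cf/m4/proto.m4, before and after the patch.
# Assumption: cert_altnames is the set of dNSName SANs of the MX certificate,
# and hostnames are compared case-insensitively (constructed model, not sendmail).

TEMP_ERROR = "450 {name} not listed in SANs"   # reply produced by the final rule


def san_check_before(server_name: str, cert_altnames: set[str]) -> str:
    """Original rules: strip the leftmost label, then look for '*.' + class."""
    name = server_name.lower()
    altnames = {a.lower() for a in cert_altnames}
    if name in altnames:                       # R$={cert_altnames} $@ ok
        return "ok"
    first, sep, rest = name.partition(".")
    if sep and first and rest:                 # R$-.$+ $: $2
        ws = rest                              # workspace is now e.g. "example.com"
        # R *.$={cert_altnames} $@ ok needs a literal "*." in the workspace,
        # which a stripped hostname never carries, so this rule never fires.
        if ws.startswith("*.") and ws[2:] in altnames:
            return "ok"
    return TEMP_ERROR.format(name=server_name)


def san_check_after(server_name: str, cert_altnames: set[str]) -> str:
    """Patched rules: rewrite the leftmost label to '*', then class-match again."""
    name = server_name.lower()
    altnames = {a.lower() for a in cert_altnames}
    if name in altnames:                       # R$={cert_altnames} $@ ok
        return "ok"
    first, sep, rest = name.partition(".")
    if sep and first and rest:                 # R$-.$+ $: *.$2
        ws = "*." + rest                       # "mx1.example.com" -> "*.example.com"
        if ws in altnames:                     # R$={cert_altnames} $@ ok
            return "ok"
    return TEMP_ERROR.format(name=server_name)


if __name__ == "__main__":
    # Constructed sample: an MX using a wildcard certificate.
    sans = {"*.example.com", "example.com"}
    for mx in ("mx1.example.com", "a.b.example.com", "example.com"):
        print(mx, "before:", san_check_before(mx, sans), "| after:", san_check_after(mx, sans))
```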