[CERT-Bund#2023092728001552] Vulnerability report regarding postfix and postfix-mta-sts-resolver #105


Closed
gsauthof opened this issue Apr 21, 2024 · 1 comment
Labels
enhancement New feature or request

Comments

@gsauthof
Contributor

I came across some traces of a CERT-Bund vulnerability report:

From postfix-devel  Tue Oct 24 11:58:20 2023
From: Wietse Venema via Postfix-devel <postfix-devel () postfix ! org>
Date: Tue, 24 Oct 2023 11:58:20 +0000
To: postfix-devel
Subject: [pfx-dev] Re: [CERT-Bund#2023092728001552] Vulnerability report regarding postfix and postfix-mta-sts-resolver
Message-Id: <4SF9cx74KKzJrP1 () spike ! porcupine ! org>
X-MARC-Message: https://marc.info/?l=postfix-devel&m=169814870008296

see also:

Since I found nothing in the issues/pull-requests tracker/readme, I'm wondering whether they managed to contact you and whether the current postfix-mta-sts-resolver is vulnerable (if it was a valid report in the first place).

@gsauthof gsauthof added the enhancement New feature or request label Apr 21, 2024
@Snawoot
Owner

Snawoot commented Apr 21, 2024

Hello!

Yes, they've contacted me. They reported two things:

  • MTA-STS Overrides DANE #67
  • Issue with the check of the domain name in the subject certificate. postfix-mta-sts-resolver tells which domain names are allowed by MTA-STS, but it can't ensure the domain name in the certificate matches exactly the one which Postfix requested when dialing the SMTP TLS session. IMO it's a minor inconsistency with the MTA-STS RFC, but hardly a security issue: if an attacker is able to use a certificate validating any MTA-STS-authorized domain, security is already broken at this point.

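As an added illustration of the second point (this is not code from postfix-mta-sts-resolver or Postfix; the policy, MX list and certificate names are constructed), the following contrasts a check that accepts a certificate naming any MTA-STS-authorized MX with one that requires the name of the MX host actually dialed:

```python
# Added example, not code from postfix-mta-sts-resolver or Postfix. It shows
# the gap described above: the resolver only says WHICH MX names a policy
# authorises; whether the certificate names the host actually dialed is a
# separate check. Policy, MX records and SAN lists below are constructed.

def mx_pattern_matches(pattern: str, host: str) -> bool:
    """RFC 8461 mx matching: '*.example.com' covers exactly one extra label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".example.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return pattern == host

def san_matches(san: str, host: str) -> bool:
    """DNS-ID style check of a certificate SAN: wildcard = one leftmost label."""
    return mx_pattern_matches(san, host)           # same single-label rule

def authorized_mxs(policy_mx_patterns, mx_hosts):
    """What the resolver hands Postfix: MX hosts permitted by the MTA-STS policy."""
    return [mx for mx in mx_hosts
            if any(mx_pattern_matches(p, mx) for p in policy_mx_patterns)]

def cert_ok_loose(san_names, allowed_mxs):
    """Accept if the certificate names ANY authorized MX (the inconsistency)."""
    return any(san_matches(san, mx) for san in san_names for mx in allowed_mxs)

def cert_ok_strict(san_names, dialed_mx):
    """Accept only if the certificate names the MX host actually dialed."""
    return any(san_matches(san, dialed_mx) for san in san_names)

# Constructed scenario: the policy authorises two MX hosts; Postfix dials mx1,
# but the presented certificate is only valid for mx2.
POLICY_MX = ["mx1.example.com", "*.backup.example.com"]
DNS_MX = ["mx1.example.com", "mx2.backup.example.com", "evil.example.net"]
ALLOWED = authorized_mxs(POLICY_MX, DNS_MX)   # mx1 and mx2 only
DIALED = "mx1.example.com"
CERT_SANS = ["mx2.backup.example.com"]

if __name__ == "__main__":
    print("allowed MXs:", ALLOWED)
    print("loose check accepts:", cert_ok_loose(CERT_SANS, ALLOWED))   # True
    print("strict check accepts:", cert_ok_strict(CERT_SANS, DIALED))  # False
```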
@Snawoot Snawoot closed this as completed Apr 21, 2024