From nobody Sun May 29 07:50:10 2022
X-Original-To: ports-bugs@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 8F18D1B509CF
	for <ports-bugs@mlmmj.nyi.freebsd.org>; Sun, 29 May 2022 07:50:10 +0000 (UTC)
	(envelope-from bugzilla-noreply@freebsd.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4L9rLB204zz4slX
	for <ports-bugs@FreeBSD.org>; Sun, 29 May 2022 07:50:10 +0000 (UTC)
	(envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 210951F184
	for <ports-bugs@FreeBSD.org>; Sun, 29 May 2022 07:50:10 +0000 (UTC)
	(envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org ([127.0.1.5])
	by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 24T7oAha074820
	for <ports-bugs@FreeBSD.org>; Sun, 29 May 2022 07:50:10 GMT
	(envelope-from bugzilla-noreply@freebsd.org)
Received: (from www@localhost)
	by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 24T7oAWn074819
	for ports-bugs@FreeBSD.org; Sun, 29 May 2022 07:50:10 GMT
	(envelope-from bugzilla-noreply@freebsd.org)
X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f
From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 264324] mail/sendmail: Add support MTA-STS and
 TLS_USE_CERTIFICATE_CHAIN_FILE, and fix some options and a bug
Date: Sun, 29 May 2022 07:50:10 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Ports & Packages
X-Bugzilla-Component: Individual Port(s)
X-Bugzilla-Version: Latest
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: nork@ninth-nine.com
X-Bugzilla-Status: New
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: dinoex@FreeBSD.org
X-Bugzilla-Flags: maintainer-feedback?
X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform
 op_sys bug_status bug_severity priority component assigned_to reporter
 flagtypes.name attachments.created
Message-ID: <bug-264324-7788@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
List-Id: Ports bug reports <freebsd-ports-bugs.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-ports-bugs
List-Help: <mailto:ports-bugs+help@freebsd.org>
List-Post: <mailto:ports-bugs@freebsd.org>
List-Subscribe: <mailto:ports-bugs+subscribe@freebsd.org>
List-Unsubscribe: <mailto:ports-bugs+unsubscribe@freebsd.org>
Sender: owner-freebsd-ports-bugs@freebsd.org
X-BeenThere: freebsd-ports-bugs@freebsd.org
MIME-Version: 1.0
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1653810610;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=pfj4DyB86UKca1vN9qco817pODXoYaJy5/dRSqrQDcA=;
	b=lBP7qkWowSH3aALrfYDopE1PtYedq9qunxmZHyFaTdk8AioqoYLfsR8EsbLSE07q8ODIqq
	BJfQZDwxriqY7B+qsQL02r5e+Apbw6LjI/CVW9Xk/UgobLue+f9+JyhuK2LxES+3Z1OTI9
	RoYUSluY8f7MDfgWGVVWuXaZyjytnsHMssKntinnP0VpRnaTwNlNK/2nL4xkj6gzf8P+zm
	zMYOtzUKNKeU17QR88/0YTS1/TqXRURpQGR6X2mdXM9WhQ8FI81W/JH85pm3gpzQfN1EdC
	10/DnbtvdoxpLD01KSb0n0vN38nDCiODg/dBz5CG8oxUj3wi41xMghRvIGFy8A==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1653810610; a=rsa-sha256; cv=none;
	b=vJ8eBO6OIqSqXmw2Vr5byGxTc6lwPcw1SDQAEm7SA9TkKcsfFTJmaWP2bSlMTVvP3jakKi
	nN22fIZQy3wwyZl6R5Hd2z1oqQUpZFFtofefcfyj+mVyQirpllOIl5RCbNdIxo1tqMyp/T
	uZGwm/eEdQCeheaexqGrk5hA3mnBgTWnwSnD+rcIzqyWg9IYOC+kHNS08XtcE7yPeAz1fC
	gsHQGcwSsWf9tZEfHj95evT4Ci24drOarykxTiLFJbCP+5/voxQMftpnm9ztyyRtUTowAY
	swxoU8jAMfaxuIAEpeu9IvzkmixlfDTn0mVY66WimzEf0FHFOkixy6i85qSB7Q==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
X-ThisMailContainsUnwantedMimeParts: N

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D264324

            Bug ID: 264324
           Summary: mail/sendmail: Add support MTA-STS and
                    TLS_USE_CERTIFICATE_CHAIN_FILE, and fix some options
                    and a bug
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: dinoex@FreeBSD.org
          Reporter: nork@ninth-nine.com
             Flags: maintainer-feedback?(dinoex@FreeBSD.org)
          Assignee: dinoex@FreeBSD.org

Created attachment 234304
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D234304&action=
=3Dedit
a patch for sendmail port

Hi.
I hope to add support MTA-STS and TLS_USE_CERTIFICATE_CHAIN_FILE features.
And I organize some TLS related features, I found a bug for MTA-STS.

[OPTIONS]
Add MTA-STS and TLS_CERT_CHAIN.

[OPTIONS DEPENDENCY]
MTA-STS -> SOCKETMAP and TLS.
TLS_CERT_CHAIN -> TLS
CYRUSLOOKUP -> SOCKETMAP (fix)

[BUG FIX]
ports/mail/py-postfix-mta-sts-resolver's default port number is 8461, not 5=
461.

[TLS FEATURE]
Define TLS_EC -> Define TLS_EC=3D2
 * ECDH's feature, Only specified prime256v1 to OpenSSL default EC like X25=
519
and others.

Define _FFR_TLS_ALTNAMES.
 * Add support Subject Alternative Name, not only Common Name.
   https://cabforum.org/wp-content/uploads/BRv1.1.7.pdf Page#9, 9.2.1 Subje=
ct
Alternative Name Extension.

Define _FFR_VRFY_TRUSTED_FIRST.
 * Enable X509_V_FLAG_TRUSTED_FIRST option for X509_VERIFY_PARAM_set_flags()
function[1], to deal with the DST ROOT CA X3 expiration problem[2].
  [1] https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpir=
e/
  [2] https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

[TLS_USE_CERTIFICATE_CHAIN_FILE]
NOT COMPATIBLE how to specify `confCACERT*`, and behavior changes
`confSERVER_CERT` and `confCLIENT_CERT`, So I don't think enable DEFAULT
option.

This option enabled:
 confCACERT_PATH -> Use only server mode, and verify client certificates.
 confCACERT      -> Use only server mode, and verify a client certificate.
 confSERVER_CERT -> Add support certificate chain file, like Apache.
 confCLIENT_CERT -> Add support certificate chain file, like Apache.

This option disabled:
 confCACERT_PATH -> Use only server mode, and verify client certificates.
 confCACERT      -> Use server and client mode, verify client certificates =
and
add intermediate certificates. Oh My God!
 confSERVER_CERT -> Use only a server certificate.
 confCLIENT_CERT -> Use only a client certificate.=20


[P.S.]
If you are interested in MTA-STS, catch up two following reports too.
 * https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D262251
 * https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D262254

--=20
You are receiving this mail because:
You are the assignee for the bug.=