Path: ...!weretis.net!feeder9.news.weretis.net!news.quux.org!eternal-september.org!feeder2.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: =?utf-8?Q?Bj=C3=B8rn_Mork?= <bjorn@mork.no>
Newsgroups: comp.mail.sendmail
Subject: Re: Problem with FEATURE(`sts'): bogus "not listed in SANs" rejects
Date: Tue, 29 Oct 2024 12:11:35 +0100
Organization: m
Lines: 67
Message-ID: <87r07zi2oo.fsf@miraculix.mork.no>
References: <87a5enl3x6.fsf@miraculix.mork.no>
	<87v7xbi6ok.fsf@miraculix.mork.no>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Injection-Date: Tue, 29 Oct 2024 12:11:35 +0100 (CET)
Injection-Info: dont-email.me; posting-host="e26d762b05cd42ed41f661d42a7e7041";
	logging-data="1615147"; mail-complaints-to="abuse@eternal-september.org";	posting-account="U2FsdGVkX1/QE12b3BpKYJEcM0L3jRL6"
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)
Cancel-Lock: sha1:tEtouAY/t+fRQ09aNPwughDjPGg=
	sha1:JD9TFtwTp594Qw1z6DmTcj9uG0M=
Bytes: 3043

OK, I will not claim to understand any of the sendmail cf language, but
trying to reduce this problem to a test.cf file like this:

C{cert_altnames}*.olc.protection.outlook.com
D{server_name}outlook-com.olc.protection.outlook.com
SSTS_SAN
R$*			$: $&{server_name}
R$={cert_altnames}	$@ ok
# strip only one level (no recursion!)
R$-.$+			$: $2
R *.$={cert_altnames}	$@ ok
R$*			$#error $@ 4.7.0 $: 450 $&{server_name} not listed in SANs

and running that through sendmail -bt -Ctest.cf will reproduce the problem:

 > STS_SAN foo
 STS_SAN            input: foo
 STS_SAN          returns: $# error $@ 4 . 7 . 0 $: 450 outlook-com . olc . protection . outlook . com not listed in SANs

What I do not understand is why the rule doesn't simply rewrite
"outlook-com.olc.protection.outlook.com" to
"*.olc.protection.outlook.com" and then repeat the class lookup with
that.  Like this, which seems to work for me:

SSTS_SANFIX
R$*			$: $&{server_name}
R$={cert_altnames}	$@ ok
# strip only one level (no recursion!)
R$-.$+			$: *.$2
R$={cert_altnames}	$@ ok
R$*			$#error $@ 4.7.0 $: 450 $&{server_name} not listed in SANs

Running that I get:

 > STS_SANFIX foo
 STS_SANFIX         input: foo
 STS_SANFIX       returns: ok
 > ${server_name}
 outlook-com.olc.protection.outlook.com
 > $={cert_altnames}
 *.olc.protection.outlook.com

And it still seems to work as it should with non-matching names:

 > .D{server_name}example.com
 > STS_SANFIX foo
 STS_SANFIX         input: foo
 STS_SANFIX       returns: $# error $@ 4 . 7 . 0 $: 450 example . com not listed in SANs

Exact matches also continue to work.  Adding example.com to the class
and running again:

 > .C{cert_altnames}example.com
 > $={cert_altnames}
 example.com
 *.olc.protection.outlook.com
 > STS_SANFIX foo
 STS_SANFIX         input: foo
 STS_SANFIX       returns: ok


So, what do you think?  Is that the correct fix or am I missing
something?



Bjørn
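The matching logic that the STS_SANFIX ruleset above implements (exact match first, then replace exactly one leading label with "*" and look the result up again, otherwise a 450 temporary reject) can be modelled in a few lines of Python. This is an added example for readers following the thread, not code from the post or from sendmail; the lower-casing, the trailing-dot stripping and the function name are assumptions of this model, and the test names are the ones used in the post plus two constructed edge cases that show the "no recursion" property of the wildcard rule.

```python
"""Model of the STS_SANFIX wildcard check (constructed example, not sendmail code)."""

from typing import Iterable, Tuple


def sts_san_check(server_name: str, cert_altnames: Iterable[str]) -> Tuple[bool, str]:
    """Return (accepted, verdict) for server_name against the certificate SANs.

    Mirrors the ruleset order:
      1. exact match against the SAN list           -> ok
      2. strip exactly one label, prepend "*."       -> ok if that is a listed SAN
      3. anything else                               -> 450 temporary reject
    Assumption: names are compared case-insensitively and without a trailing dot,
    which is what a DNS-name comparison would normally do.
    """
    altnames = {n.lower().rstrip(".") for n in cert_altnames}
    name = server_name.lower().rstrip(".")

    # Rule "R$={cert_altnames} $@ ok": exact match.
    if name in altnames:
        return True, "ok"

    # Rule "R$-.$+ $: *.$2" followed by the class lookup again: only ONE label is
    # replaced, and only when there is at least one more label after it, so a
    # wildcard "*.example.com" never matches "a.b.example.com" or "example.com".
    head, sep, rest = name.partition(".")
    if sep and head and rest and ("*." + rest) in altnames:
        return True, "ok"

    # Final rule: temporary failure, as in the ruleset.
    return False, f"450 {server_name} not listed in SANs"


if __name__ == "__main__":
    # Constructed sample SAN list, as in the post's test.cf.
    sans = ["*.olc.protection.outlook.com"]
    for host in (
        "outlook-com.olc.protection.outlook.com",  # one label under the wildcard: ok
        "example.com",                             # not listed: 450
        "a.b.olc.protection.outlook.com",          # two labels under the wildcard: 450
        "olc.protection.outlook.com",              # the wildcard's own parent: 450
    ):
        print(host, "->", sts_san_check(host, sans)[1])
    # Adding example.com to the class makes the exact-match rule fire.
    print("example.com", "->", sts_san_check("example.com", sans + ["example.com"])[1])
```

The two extra cases matter for a defender reading the ruleset: a wildcard SAN is only meant to cover a single label, so a recursive strip (the thing the "no recursion!" comment guards against) would silently widen which MX hosts a certificate is accepted for.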