Postfix stable release 3.5.9 and legacy releases 3.4.19, postfix-3.3.16, 3.2.21

[An on-line version of this announcement will be available at http://www.postfix.org/announcements/postfix-3.5.9.html]

Runtime detection of DNSSEC support

This update improves the reporting of DNSSEC problems that may affect DANE security. DNSSEC support may unavailable because of local configuration, libc incompatibility, or other infrastructure issues. This was backported from Postfix 3.6.

Background: DNSSEC validation is needed for Postfix DANE support; this ensures that Postfix receives TLSA records with secure TLS server certificate info. When DNSSEC validation is unavailable, mail deliveries using opportunistic DANE (security level 'dane') will not be protected by server certificate info in TLSA records, and mail deliveries using mandatory DANE (security level 'dane-only') will not be made at all.

This update introduces the following behavior: when a process requests DNSSEC support (typically, for Postfix DANE support), the process may now do a runtime test to determine if DNSSEC validation is available.

The new dnssec_probe parameter specifies a DNS query type (default: "ns") and DNS query name (default: ".") that Postfix may use to determine whether DNSSEC validation is available. Specify an empty value to disable this feature.

When dnssec_probe is enabled, a Postfix process will send a DNSSEC probe after 1) the process made a DNS query that requested DNSSEC validation, 2) the process did not receive a DNSSEC validated response to this query or to an earlier query, and 3) the process did not already send a DNSSEC probe.

When the DNSSEC probe has no response, or when the response is not DNSSEC validated, Postfix logs a warning that DNSSEC validation may be unavailable. Examples:

warning: DNSSEC validation may be unavailable
warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
warning: reason: dnssec_probe 'ns:.' received no response: Server failure

With this update, the Postfix build system will no longer automatically disable DNSSEC support when it determines that Postfix will use libc-musl. This removes the earlier libc-musl workaround introduced with Postfix 3.2.15, 3.3.10, 3.4.12, and 3.5.2.

You can find the updated Postfix source code at the mirrors listed at http://www.postfix.org/.