From: Maksim Usmanov <maks@adw.es>
To: pmg-devel@lists.proxmox.com
Subject: [PATCH] fix #7476: config: allow TLS policy nexthops with port
Date: Sat, 2 May 2026 10:02:12 +0200
Message-ID: <20260502080212.30722-1-maks@adw.es>
List-Id: Proxmox Mail Gateway development discussion
From: maks Postfix smtp_tls_policy_maps require an exact nexthop match. When a transport uses an explicit port (e.g. smtp:[1.2.3.4]:25), the TLS policy key must include the port as well. The previous validation used a greedy regex, causing bracketed addresses with a port to fail validation. Handle bracketed nexthops ([host] or [host]:port) and unbracketed nexthops (host or host:port) explicitly. Signed-off-by: Maksim Usmanov --- src/PMG/Config.pm | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/src/PMG/Config.pm b/src/PMG/Config.pm index 495fe70..91fe8ac 100644 --- a/src/PMG/Config.pm +++ b/src/PMG/Config.pm @@ -1196,19 +1196,15 @@ sub pmg_verify_transport_domain_or_nexthop { if (pmg_verify_transport_domain($name, 1)) { return $name; - } elsif ($name =~ m/^(\S+)(?::\d+)?$/) { - my $nexthop = $1; - if ($nexthop =~ m/^\[(.*)\]$/) { - $nexthop = $1; - } - return $name if pmg_verify_transport_address($nexthop, 1); - # else fall through, because it is a failure + } elsif ($name =~ m/^\[([^\]]+)\](?::\d+)?$/) { + return $name if pmg_verify_transport_address($1, 1); + } elsif ($name =~ m/^([^:\s]+)(?::\d+)?$/) { + return $name if pmg_verify_transport_address($1, 1); } return undef if $noerr; die "value does not look like a valid domain or next-hop\n"; } - sub read_tls_policy { my ($filename, $fh) = @_; -- 2.53.0
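Review bot: the unbracketed branch `m/^([^:\s]+)(?::\d+)?$/` stops at the first colon, so a bare IPv6 literal such as 2001:db8::1 no longer reaches pmg_verify_transport_address, whereas the removed `m/^(\S+)(?::\d+)?$/` captured it whole and passed it on; if pmg_verify_transport_address accepts IPv6 literals this is a behaviour change for existing configurations, and the commit message should state that bracket-less IPv6 nexthops are now rejected (Postfix itself wants IPv6 nexthops in brackets, so the tightening is probably right, but it should be deliberate rather than a side effect). A test covering `[1.2.3.4]:25`, `[2001:db8::1]:25`, `host:25`, `host` and the unbracketed IPv6 case would make the intended acceptance matrix explicit. The hunk also deletes the blank line between the closing brace of pmg_verify_transport_domain_or_nexthop and `sub read_tls_policy`; that whitespace change is unrelated to the fix and should be dropped. Minor: `(?::\d+)?` still accepts any digit string as the port (0 or 99999), the same as before, so port-range validation remains a possible follow-up.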
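As an added example, not code from the patch or from the PMG code base, the following Python transcribes the pre-patch and patched regexes from the hunk and runs both over constructed nexthop strings, so the greedy-match failure the commit message describes and the behaviour of the two new branches can be compared side by side. pmg_verify_transport_address is replaced by a stand-in that accepts an IPv4/IPv6 literal or a DNS hostname; that rule is an assumption, since the real function is not shown, and the pmg_verify_transport_domain check that runs first in the real function is not modelled. The sample set goes beyond the commit message's case to include an unbracketed IPv6 literal, a non-numeric port and empty brackets.

```python
import ipaddress
import re

# Added example, not code from the PMG patch or code base. The four nexthop
# regexes are transcribed from the hunk in src/PMG/Config.pm; Perl and Python
# agree on every construct used here (\S, \s, [^\]], (?::\d+)?, anchors).
OLD_RE = re.compile(r'^(\S+)(?::\d+)?$')                   # pre-patch: greedy \S+
OLD_BRACKET_RE = re.compile(r'^\[(.*)\]$')                 # pre-patch bracket strip
NEW_BRACKETED_RE = re.compile(r'^\[([^\]]+)\](?::\d+)?$')  # patched: [host][:port]
NEW_UNBRACKETED_RE = re.compile(r'^([^:\s]+)(?::\d+)?$')   # patched: host[:port]

# Stand-in for pmg_verify_transport_address (an assumption: the real rules are
# not in the patch). Accepts an IPv4/IPv6 literal or a plain DNS hostname.
HOSTNAME_RE = re.compile(
    r'^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$')


def looks_like_address(host):
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return HOSTNAME_RE.match(host) is not None


def old_extract_host(name):
    r"""Host string the pre-patch code hands to the address check.

    \S+ is greedy and ':' is not whitespace, so for '[1.2.3.4]:25' it swallows
    the port and the bracket strip no longer matches.
    """
    m = OLD_RE.match(name)
    if not m:
        return None
    nexthop = m.group(1)
    b = OLD_BRACKET_RE.match(nexthop)
    return b.group(1) if b else nexthop


def new_extract_host(name):
    """Host string the patched code hands to the address check."""
    m = NEW_BRACKETED_RE.match(name)
    if m:
        return m.group(1)
    m = NEW_UNBRACKETED_RE.match(name)
    if m:
        return m.group(1)
    return None


def classify(name):
    """(accepted before the patch, accepted after the patch) for one nexthop.

    Only the next-hop branch is modelled; the pmg_verify_transport_domain()
    check that precedes it in the real function is not.
    """
    return (looks_like_address(old_extract_host(name)),
            looks_like_address(new_extract_host(name)))


# Constructed sample nexthops, including the edge cases worth checking.
SAMPLES = [
    '[1.2.3.4]:25',         # the #7476 case: bracketed IPv4 with port
    '[1.2.3.4]',            # bracketed, no port
    '[2001:db8::1]:587',    # bracketed IPv6 with port
    'mail.example.com',     # bare hostname
    'mail.example.com:25',  # hostname with port
    '2001:db8::1',          # unbracketed IPv6: old regex passed it whole
    '[1.2.3.4]:abc',        # non-numeric port: rejected both ways
    '[]:25',                # empty brackets: new code hands '[]' to the check
]

if __name__ == '__main__':
    print(f'{"nexthop":22} {"old host":20} {"new host":14} old   new')
    for s in SAMPLES:
        old_ok, new_ok = classify(s)
        print(f'{s:22} {str(old_extract_host(s)):20} '
              f'{str(new_extract_host(s)):14} {old_ok!s:5} {new_ok}')
```

Running the script prints one row per sample. The row for `[1.2.3.4]:25` shows the old regex handing `[1.2.3.4]:25` to the address check, which is the failure the patch fixes; the row for `2001:db8::1` shows the reverse flip, accepted by the old greedy capture but rejected by the new unbracketed branch because `[^:\s]+` stops at the first colon.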