mir/postfix
2
0
Fork 0
mirror of https://github.com/vdukhovni/postfix synced 2025-08-29 13:18:12 +00:00
Code Issues Releases Wiki Activity

postfix-3.6.10

Browse Source
This commit is contained in:
Wietse Venema 2023-06-05 00:00:00 -05:00 committed by Viktor Dukhovni
parent 61905f5c19
commit 0423f332f7
28 changed files with 826 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

87
postfix/HISTORY
View File

@ -25896,3 +25896,90 @@ Apologies for any names omitted.
return "not found" instead of "error" during the time that
all MySQL server connections were turned down after error.
Found during code maintenance. File: global/dict_mysql.c.
20230428
Bugfix (defect introduced: Postfix 1.0): the command "postconf
.. name=v1 .. name=v2 .." (multiple instances of the same
parameter name) created multiple name=value entries with
the same parameter name. It now logs a warning and skips
the earlier update. Found during code maintenance. File:
postconf/postconf_edit.c
Bugfix (defect introduced: Postfix 3.3): the command "postconf
-M name1/type1='name2 type2 ...'" died with a segmentation
violation when the request matched multiple master.cf
entries. The master.cf file was not damaged. Problem reported
by SATOH Fumiyasu. File: postconf/postconf_master.c.
20230502
Bugfix (defect introduced: Postfix 2.11): the command
"postconf -M name1/type1='name2 type2 ...'" could add a
service definition to master.cf that conflicted with an
already existing service definition. It now replaces all
existing service definitions that match the service pattern
'name1/type1' or the service name and type in 'name2 type2
...' with a single service definition 'name2 type2 ...'.
Problem reported by SATOH Fumiyasu. File: postconf/postconf_edit.c.
20230519
Bitrot: preliminary support for OpenSSL configuration files,
primarily OpenSSL 1.1.1b and later. This introduces new
parameters "tls_config_file" and "tls_config_name", which
can be used to limit collateral damage from OS distributions
that crank up security to 11, increasing the number of
plaintext email deliveries. Details are in the postconf(5)
manpage under "tls_config_file" and "tls_config_name".
Viktor Dukhovni. Files: mantools/postlink, proto/postconf.proto,
global/mail_params.h, posttls-finger/posttls-finger.c,
smtp/smtp.c, smtp/smtp_proto.c, tls/tls_client.c, tls/tls.h,
tls/tls_misc.c, tls/tls_proxy_client_print.c,
tls/tls_proxy_client_scan.c, tls/tls_proxy.h, tls/tls_server.c,
tlsproxy/tlsproxy.c.
20230523
Cleanup: use TLS_CLIENT_PARAMS to pass the OpensSSL 'init'
configurations. This information is independent from the
client or server TLS context, and therefore does not belong
in tls_*_init() or tls_*_start() calls. The tlsproxy(8)
server uses TLS_CLIENT_PARAMS to report differences between
its own global TLS settings, and those from its clients.
Files: posttls-finger/posttls-finger.c, smtp/smtp.c,
smtp/smtp_proto.c, tls/tls.h, tls/tls_proxy_client_misc.c,
tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c,
tls/tls_proxy.h, tlsproxy/tlsproxy.c.
20230524
Cleanup: reverted cosmetic-only changes to minimize the
patch footprint for OpenSSL INI file support; updated daemon
manpages with the new tls_config_file and tls_config_name
configuration parameters. Files: smtp/smtp.c, smtpd/smtpd.c,
tls/tls_client.c, tls/tls.h, tls/tls_server.c, tlsproxy/tlsproxy.c,
20230529
Cleanup: made OpenSSL 'default' INI file support error
handling consistent with OpenSSL default behavior. Viktor
Dukhovni. Files: proto/postconf.proto, tls/tls_misc.c.
20230602
Backwards compatibility for stable releases that originally
had no OpenSSL INI support. Skip the new OpenSSL INI support
code, unless the Postfix configuration actually specifies
non-default tls_config_xxx settings. File: tls/tls_misc.c.
Cleanup: added a multiple initialization guard in the
tls_library_init() function, and made an initialization
error sticky. File: tls/tls_misc.c.
20230605
Security: new parameter smtpd_forbid_unauth_pipelining
(default: no) to disconnect remote SMTP clients that violate
RFC 2920 (or 5321) command pipelining constraints. Files:
global/mail_params.h, smtpd/smtpd.c, proto/postconf.proto.

17
postfix/RELEASE_NOTES
View File

@ -25,6 +25,23 @@ more recent Eclipse Public License 2.0. Recipients can choose to take
the software under the license of their choice. Those who are more
comfortable with the IPL can continue with that license.
Major changes with Postfix 3.6.10
=================================
Security: the Postfix SMTP server optionally disconnects remote
SMTP clients that violate RFC 2920 (or 5321) command pipelining
constraints. The server replies with "554 5.5.0 Error: SMTP protocol
synchronization" and logs the unexpected remote SMTP client input.
Specify "smtpd_forbid_unauth_pipelining = yes" to enable. This
feature is enabled by default in Postfix 3.9 and later.
Workaround to limit collateral damage from OS distributions that
crank up security to 11, increasing the number of plaintext email
deliveries. This introduces basic OpenSSL configuration file support,
with two new parameters "tls_config_file" and "tls_config_name".
Details are in the postconf(5) manpage under "tls_config_file" and
"tls_config_name".
Major changes - internal protocol identification
------------------------------------------------

9
postfix/html/lmtp.8.html
View File

@ -668,6 +668,15 @@ SMTP(8) SMTP(8)
A workaround for implementations that hang Postfix while shut-
ting down a TLS session, until Postfix times out.
Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
<b><a href="postconf.5.html#tls_config_file">tls_config_file</a> (default)</b>
Optional configuration file with baseline OpenSSL settings.
<b><a href="postconf.5.html#tls_config_name">tls_config_name</a> (empty)</b>
The application name passed by Postfix to OpenSSL library ini-
tialization functions.
<b>OBSOLETE STARTTLS CONTROLS</b>
The following configuration parameters exist for compatibility with
Postfix versions before 2.3. Support for these will be removed in a

123
postfix/html/postconf.5.html
View File

@ -15296,6 +15296,22 @@ This feature is available in Postfix 2.0 and later.
</p>
</DD>
<DT><b><a name="smtpd_forbid_unauth_pipelining">smtpd_forbid_unauth_pipelining</a>
(default: Postfix &ge; 3.9: yes)</b></DT><DD>
<p> Disconnect remote SMTP clients that violate <a href="http://tools.ietf.org/html/rfc2920">RFC 2920</a> (or 5321)
command pipelining constraints. The server replies with "554 5.5.0
Error: SMTP protocol synchronization" and logs the unexpected remote
SMTP client input. Specify "<a href="postconf.5.html#smtpd_forbid_unauth_pipelining">smtpd_forbid_unauth_pipelining</a> = yes"
to enable. This feature is enabled by default with Postfix &ge;
3.9. </p>
<p> This feature is available in Postfix &ge; 3.9, 3.8.1, 3.7.6,
3.6.10, and 3.5.20. </p>
</DD>
<DT><b><a name="smtpd_forbidden_commands">smtpd_forbidden_commands</a>
@ -18723,6 +18739,113 @@ backwards compatibility, to avoid breaking certificate verification
with sites that don't use <a href="postconf.5.html#permit_tls_all_clientcerts">permit_tls_all_clientcerts</a>. </p>
</DD>
<DT><b><a name="tls_config_file">tls_config_file</a>
(default: default)</b></DT><DD>
<p> Optional configuration file with baseline OpenSSL settings.
OpenSSL loads any SSL settings found in the configuration file for
the selected application name (see <a href="postconf.5.html#tls_config_name">tls_config_name</a>) or else the
built-in application name "openssl_conf" when no application name is
specified, or no corresponding configuration section is present.
</p>
<p> With OpenSSL releases 1.1.1 and 1.1.1a, applications (including
Postfix) can neither specify an alternative configuration file, nor
avoid loading the default configuration file. </p>
<p> With OpenSSL 1.1.1b or later, this parameter may be set to one of:
</p>
<dl>
<dt> <b>default</b> (default) </dt> <dd> Load the system-wide
"openssl.cnf" configuration file. </dd>
<dt> <b>none</b> (recommended, OpenSSL 1.1.1b or later only) </dt>
<dd> This setting disables loading of the system-wide "openssl.cnf"
file. </dd>
<dt> <b><i>/absolute-path</i></b> (OpenSSL 1.1.1b or later only) </dt>
<dd> Load the configuration file specified by <i>/absolute-path</i>.
With this setting it is an error for the file to not contain any
settings for the selected <a href="postconf.5.html#tls_config_name">tls_config_name</a>. There is no fallback to
the default "openssl_conf" name. </dd>
</dl>
<p> Failures in processing of the built-in default configuration file,
are silently ignored. Any errors in loading a non-default configuration
file are detected by Postfix, and cause TLS support to be disabled.
</p>
<p> The OpenSSL configuration file format is not documented here,
beyond giving two examples. <p>
<p> Example: Default settings for all applications. </p>
<blockquote>
<pre>
# The name 'openssl_conf' is the default application name
# The section name to the right of the '=' sign is arbitrary,
# any name will do, so long as it refers to the desired section.
#
# The name 'system_default' selects the settings applied internally
# by the SSL library as part of SSL object creation. Applications
# can then apply any additional settings of their choice.
#
# In this example, TLS versions prior to 1.2 are disabled by default.
#
openssl_conf = system_wide_settings
[system_wide_settings]
ssl_conf = ssl_library_settings
[ssl_library_settings]
system_default = initial_ssl_settings
[initial_ssl_settings]
MinProtocol = TLSv1.2
</pre>
</blockquote>
<p> Example: Custom settings for an application named "postfix". </p>
<blockquote>
<pre>
# The mapping from an application name to the corresponding configuration
# section must appear near the top of the file, (in what is sometimes called
# the "default section") prior to the start of any explicitly named
# "[sections]". The named sections can appear in any order and don't nest.
#
postfix = postfix_settings
[postfix_settings]
ssl_conf = postfix_ssl_settings
[postfix_ssl_settings]
system_default = baseline_postfix_settings
[baseline_postfix_settings]
MinProtocol = TLSv1
</pre>
</blockquote>
<p> This feature is available in Postfix &ge; 3.9, 3.8.1, 3.7.6,
3.6.10, and 3.5.20. </p>
</DD>
<DT><b><a name="tls_config_name">tls_config_name</a>
(default: empty)</b></DT><DD>
<p> The application name passed by Postfix to OpenSSL library
initialization functions. This name is used to select the desired
configuration "section" in the OpenSSL configuration file specified
via the <a href="postconf.5.html#tls_config_file">tls_config_file</a> parameter. When empty, or when the
selected name is not present in the configuration file, the default
application name ("openssl_conf") is used as a fallback. </p>
<p> This feature is available in Postfix &ge; 3.9, 3.8.1, 3.7.6,
3.6.10, and 3.5.20. </p>
</DD>
<DT><b><a name="tls_daemon_random_bytes">tls_daemon_random_bytes</a>

9
postfix/html/smtp.8.html
View File

@ -668,6 +668,15 @@ SMTP(8) SMTP(8)
A workaround for implementations that hang Postfix while shut-
ting down a TLS session, until Postfix times out.
Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
<b><a href="postconf.5.html#tls_config_file">tls_config_file</a> (default)</b>
Optional configuration file with baseline OpenSSL settings.
<b><a href="postconf.5.html#tls_config_name">tls_config_name</a> (empty)</b>
The application name passed by Postfix to OpenSSL library ini-
tialization functions.
<b>OBSOLETE STARTTLS CONTROLS</b>
The following configuration parameters exist for compatibility with
Postfix versions before 2.3. Support for these will be removed in a

15
postfix/html/smtpd.8.html
View File

@ -619,6 +619,15 @@ SMTPD(8) SMTPD(8)
The email address form that will be used in non-debug logging
(info, warning, etc.).
Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
<b><a href="postconf.5.html#tls_config_file">tls_config_file</a> (default)</b>
Optional configuration file with baseline OpenSSL settings.
<b><a href="postconf.5.html#tls_config_name">tls_config_name</a> (empty)</b>
The application name passed by Postfix to OpenSSL library ini-
tialization functions.
<b>OBSOLETE STARTTLS CONTROLS</b>
The following configuration parameters exist for compatibility with
Postfix versions before 2.3. Support for these will be removed in a
@ -921,6 +930,12 @@ SMTPD(8) SMTPD(8)
to send to this service per time unit, regardless of whether or
not Postfix actually accepts those commands.
Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
<b><a href="postconf.5.html#smtpd_forbid_unauth_pipelining">smtpd_forbid_unauth_pipelining</a> (Postfix</b> &gt;<b>= 3.9: yes)</b>
Disconnect remote SMTP clients that violate <a href="https://tools.ietf.org/html/rfc2920">RFC 2920</a> (or 5321)
command pipelining constraints.
<b>TARPIT CONTROLS</b>
When a remote SMTP client makes errors, the Postfix SMTP server can
insert delays before responding. This can help to slow down run-away

9
postfix/html/tlsproxy.8.html
View File

@ -150,6 +150,15 @@ TLSPROXY(8) TLSPROXY(8)
A workaround for implementations that hang Postfix while shut-
ting down a TLS session, until Postfix times out.
Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
<b><a href="postconf.5.html#tls_config_file">tls_config_file</a> (default)</b>
Optional configuration file with baseline OpenSSL settings.
<b><a href="postconf.5.html#tls_config_name">tls_config_name</a> (empty)</b>
The application name passed by Postfix to OpenSSL library ini-
tialization functions.
<b>STARTTLS SERVER CONTROLS</b>
These settings are clones of Postfix SMTP server settings. They allow
<a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> to load the same certificate and private key information as

108
postfix/man/man5/postconf.5
View File

@ -10412,6 +10412,16 @@ The smtpd_expansion_filter value is not subject to Postfix configuration
parameter $name expansion.
.PP
This feature is available in Postfix 2.0 and later.
.SH smtpd_forbid_unauth_pipelining (default: Postfix >= 3.9: yes)
Disconnect remote SMTP clients that violate RFC 2920 (or 5321)
command pipelining constraints. The server replies with "554 5.5.0
Error: SMTP protocol synchronization" and logs the unexpected remote
SMTP client input. Specify "smtpd_forbid_unauth_pipelining = yes"
to enable. This feature is enabled by default with Postfix >=
3.9.
.PP
This feature is available in Postfix >= 3.9, 3.8.1, 3.7.6,
3.6.10, and 3.5.20.
.SH smtpd_forbidden_commands (default: CONNECT, GET, POST)
List of commands that cause the Postfix SMTP server to immediately
terminate the session with a 221 code. This can be used to disconnect
@ -13122,6 +13132,104 @@ This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8,
2.7.2 and later versions. Specify "tls_append_default_CA = yes" for
backwards compatibility, to avoid breaking certificate verification
with sites that don't use permit_tls_all_clientcerts.
.SH tls_config_file (default: default)
Optional configuration file with baseline OpenSSL settings.
OpenSSL loads any SSL settings found in the configuration file for
the selected application name (see tls_config_name) or else the
built\-in application name "openssl_conf" when no application name is
specified, or no corresponding configuration section is present.
.PP
With OpenSSL releases 1.1.1 and 1.1.1a, applications (including
Postfix) can neither specify an alternative configuration file, nor
avoid loading the default configuration file.
.PP
With OpenSSL 1.1.1b or later, this parameter may be set to one of:
.IP "\fBdefault\fR (default)"
Load the system\-wide
"openssl.cnf" configuration file.
.br
.IP "\fBnone\fR (recommended, OpenSSL 1.1.1b or later only)"
This setting disables loading of the system\-wide "openssl.cnf"
file.
.br
.IP "\fB\fI/absolute\-path\fR\fR (OpenSSL 1.1.1b or later only)"
Load the configuration file specified by \fI/absolute\-path\fR.
With this setting it is an error for the file to not contain any
settings for the selected tls_config_name. There is no fallback to
the default "openssl_conf" name.
.br
.br
.PP
Failures in processing of the built\-in default configuration file,
are silently ignored. Any errors in loading a non\-default configuration
file are detected by Postfix, and cause TLS support to be disabled.
.PP
The OpenSSL configuration file format is not documented here,
beyond giving two examples.
.PP
Example: Default settings for all applications.
.sp
.in +4
.nf
.na
.ft C
# The name 'openssl_conf' is the default application name
# The section name to the right of the '=' sign is arbitrary,
# any name will do, so long as it refers to the desired section.
#
# The name 'system_default' selects the settings applied internally
# by the SSL library as part of SSL object creation. Applications
# can then apply any additional settings of their choice.
#
# In this example, TLS versions prior to 1.2 are disabled by default.
#
openssl_conf = system_wide_settings
[system_wide_settings]
ssl_conf = ssl_library_settings
[ssl_library_settings]
system_default = initial_ssl_settings
[initial_ssl_settings]
MinProtocol = TLSv1.2
.fi
.ad
.ft R
.in -4
.PP
Example: Custom settings for an application named "postfix".
.sp
.in +4
.nf
.na
.ft C
# The mapping from an application name to the corresponding configuration
# section must appear near the top of the file, (in what is sometimes called
# the "default section") prior to the start of any explicitly named
# "[sections]". The named sections can appear in any order and don't nest.
#
postfix = postfix_settings
[postfix_settings]
ssl_conf = postfix_ssl_settings
[postfix_ssl_settings]
system_default = baseline_postfix_settings
[baseline_postfix_settings]
MinProtocol = TLSv1
.fi
.ad
.ft R
.in -4
.PP
This feature is available in Postfix >= 3.9, 3.8.1, 3.7.6,
3.6.10, and 3.5.20.
.SH tls_config_name (default: empty)
The application name passed by Postfix to OpenSSL library
initialization functions. This name is used to select the desired
configuration "section" in the OpenSSL configuration file specified
via the tls_config_file parameter. When empty, or when the
selected name is not present in the configuration file, the default
application name ("openssl_conf") is used as a fallback.
.PP
This feature is available in Postfix >= 3.9, 3.8.1, 3.7.6,
3.6.10, and 3.5.20.
.SH tls_daemon_random_bytes (default: 32)
The number of pseudo\-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8)
process requests from the \fBtlsmgr\fR(8) server in order to seed its

7
postfix/man/man8/smtp.8
View File

@ -603,6 +603,13 @@ Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later:
.IP "\fBtls_fast_shutdown_enable (yes)\fR"
A workaround for implementations that hang Postfix while shutting
down a TLS session, until Postfix times out.
.PP
Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
.IP "\fBtls_config_file (default)\fR"
Optional configuration file with baseline OpenSSL settings.
.IP "\fBtls_config_name (empty)\fR"
The application name passed by Postfix to OpenSSL library
initialization functions.
.SH "OBSOLETE STARTTLS CONTROLS"
.na
.nf

12
postfix/man/man8/smtpd.8
View File

@ -548,6 +548,13 @@ Available in Postfix 3.5 and later:
.IP "\fBinfo_log_address_format (external)\fR"
The email address form that will be used in non\-debug logging
(info, warning, etc.).
.PP
Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
.IP "\fBtls_config_file (default)\fR"
Optional configuration file with baseline OpenSSL settings.
.IP "\fBtls_config_name (empty)\fR"
The application name passed by Postfix to OpenSSL library
initialization functions.
.SH "OBSOLETE STARTTLS CONTROLS"
.na
.nf
@ -808,6 +815,11 @@ Available in Postfix version 3.1 and later:
The maximal number of AUTH commands that any client is allowed to
send to this service per time unit, regardless of whether or not
Postfix actually accepts those commands.
.PP
Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
.IP "\fBsmtpd_forbid_unauth_pipelining (Postfix >= 3.9: yes)\fR"
Disconnect remote SMTP clients that violate RFC 2920 (or 5321)
command pipelining constraints.
.SH "TARPIT CONTROLS"
.na
.nf

7
postfix/man/man8/tlsproxy.8
View File

@ -150,6 +150,13 @@ Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later:
.IP "\fBtls_fast_shutdown_enable (yes)\fR"
A workaround for implementations that hang Postfix while shutting
down a TLS session, until Postfix times out.
.PP
Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
.IP "\fBtls_config_file (default)\fR"
Optional configuration file with baseline OpenSSL settings.
.IP "\fBtls_config_name (empty)\fR"
The application name passed by Postfix to OpenSSL library
initialization functions.
.SH "STARTTLS SERVER CONTROLS"
.na
.nf

3
postfix/mantools/postlink
View File

@ -548,6 +548,7 @@ while (<>) {
s;\bsmtpd_etrn_restrictions\b;<a href="postconf.5.html#smtpd_etrn_restrictions">$&</a>;g;
s;\bsmtpd_expansion_filter\b;<a href="postconf.5.html#smtpd_expansion_filter">$&</a>;g;
s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bidden_commands\b;<a href="postconf.5.html#smtpd_forbidden_commands">$&</a>;g;
s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bid_unauth_pipelining\b;<a href="postconf.5.html#smtpd_forbid_unauth_pipelining">$&</a>;g;
s;\bsmtpd_hard_error_limit\b;<a href="postconf.5.html#smtpd_hard_error_limit">$&</a>;g;
s;\bsmtpd_helo_required\b;<a href="postconf.5.html#smtpd_helo_required">$&</a>;g;
s;\bsmtpd_helo_restrictions\b;<a href="postconf.5.html#smtpd_helo_restrictions">$&</a>;g;
@ -767,6 +768,8 @@ while (<>) {
s;\btls_session_ticket_cipher\b;<a href="postconf.5.html#tls_session_ticket_cipher">$&</a>;g;
s;\btls_server_sni_maps\b;<a href="postconf.5.html#tls_server_sni_maps">$&</a>;g;
s;\btls_ssl_options\b;<a href="postconf.5.html#tls_ssl_options">$&</a>;g;
s;\btls_config_name\b;<a href="postconf.5.html#tls_config_name">$&</a>;g;
s;\btls_config_file\b;<a href="postconf.5.html#tls_config_file">$&</a>;g;
s;\btls_dane_digest_agility\b;<a href="postconf.5.html#tls_dane_digest_agility">$&</a>;g;
s;\btls_dane_trust_anchor_digest_enable\b;<a href="postconf.5.html#tls_dane_trust_anchor_digest_enable">$&</a>;g;
s;\btls_fast_shutdown_enable\b;<a href="postconf.5.html#tls_fast_shutdown_enable">$&</a>;g;

111
postfix/proto/postconf.proto
View File

@ -18058,3 +18058,114 @@ name-to-port = 1*(service-name "=') port-number
name or port number. </p>
<p> This feature is available in Postfix 3.6 and later. </p>
%PARAM tls_config_name
<p> The application name passed by Postfix to OpenSSL library
initialization functions. This name is used to select the desired
configuration "section" in the OpenSSL configuration file specified
via the tls_config_file parameter. When empty, or when the
selected name is not present in the configuration file, the default
application name ("openssl_conf") is used as a fallback. </p>
<p> This feature is available in Postfix &ge; 3.9, 3.8.1, 3.7.6,
3.6.10, and 3.5.20. </p>
%PARAM tls_config_file default
<p> Optional configuration file with baseline OpenSSL settings.
OpenSSL loads any SSL settings found in the configuration file for
the selected application name (see tls_config_name) or else the
built-in application name "openssl_conf" when no application name is
specified, or no corresponding configuration section is present.
</p>
<p> With OpenSSL releases 1.1.1 and 1.1.1a, applications (including
Postfix) can neither specify an alternative configuration file, nor
avoid loading the default configuration file. </p>
<p> With OpenSSL 1.1.1b or later, this parameter may be set to one of:
</p>
<dl>
<dt> <b>default</b> (default) </dt> <dd> Load the system-wide
"openssl.cnf" configuration file. </dd>
<dt> <b>none</b> (recommended, OpenSSL 1.1.1b or later only) </dt>
<dd> This setting disables loading of the system-wide "openssl.cnf"
file. </dd>
<dt> <b><i>/absolute-path</i></b> (OpenSSL 1.1.1b or later only) </dt>
<dd> Load the configuration file specified by <i>/absolute-path</i>.
With this setting it is an error for the file to not contain any
settings for the selected tls_config_name. There is no fallback to
the default "openssl_conf" name. </dd>
</dl>
<p> Failures in processing of the built-in default configuration file,
are silently ignored. Any errors in loading a non-default configuration
file are detected by Postfix, and cause TLS support to be disabled.
</p>
<p> The OpenSSL configuration file format is not documented here,
beyond giving two examples. <p>
<p> Example: Default settings for all applications. </p>
<blockquote>
<pre>
# The name 'openssl_conf' is the default application name
# The section name to the right of the '=' sign is arbitrary,
# any name will do, so long as it refers to the desired section.
#
# The name 'system_default' selects the settings applied internally
# by the SSL library as part of SSL object creation. Applications
# can then apply any additional settings of their choice.
#
# In this example, TLS versions prior to 1.2 are disabled by default.
#
openssl_conf = system_wide_settings
[system_wide_settings]
ssl_conf = ssl_library_settings
[ssl_library_settings]
system_default = initial_ssl_settings
[initial_ssl_settings]
MinProtocol = TLSv1.2
</pre>
</blockquote>
<p> Example: Custom settings for an application named "postfix". </p>
<blockquote>
<pre>
# The mapping from an application name to the corresponding configuration
# section must appear near the top of the file, (in what is sometimes called
# the "default section") prior to the start of any explicitly named
# "[sections]". The named sections can appear in any order and don't nest.
#
postfix = postfix_settings
[postfix_settings]
ssl_conf = postfix_ssl_settings
[postfix_ssl_settings]
system_default = baseline_postfix_settings
[baseline_postfix_settings]
MinProtocol = TLSv1
</pre>
</blockquote>
<p> This feature is available in Postfix &ge; 3.9, 3.8.1, 3.7.6,
3.6.10, and 3.5.20. </p>
%PARAM smtpd_forbid_unauth_pipelining Postfix &ge; 3.9: yes
<p> Disconnect remote SMTP clients that violate RFC 2920 (or 5321)
command pipelining constraints. The server replies with "554 5.5.0
Error: SMTP protocol synchronization" and logs the unexpected remote
SMTP client input. Specify "smtpd_forbid_unauth_pipelining = yes"
to enable. This feature is enabled by default with Postfix &ge;
3.9. </p>
<p> This feature is available in Postfix &ge; 3.9, 3.8.1, 3.7.6,
3.6.10, and 3.5.20. </p>

15
postfix/src/global/mail_params.h
View File

@ -2430,6 +2430,10 @@ extern char *var_smtpd_exp_filter;
#define DEF_SMTPD_PEERNAME_LOOKUP 1
extern bool var_smtpd_peername_lookup;
#define VAR_SMTPD_FORBID_UNAUTH_PIPE "smtpd_forbid_unauth_pipelining"
#define DEF_SMTPD_FORBID_UNAUTH_PIPE 0
extern bool var_smtpd_forbid_unauth_pipe;
/*
* Heuristic to reject unknown local recipients at the SMTP port.
*/
@ -3313,8 +3317,17 @@ extern bool var_smtp_sender_auth;
extern bool var_smtp_cname_overr;
/*
* TLS cipherlists
* TLS library settings
*/
#define VAR_TLS_CNF_FILE "tls_config_file"
#define DEF_TLS_CNF_FILE "default"
extern char *var_tls_cnf_file;
#define VAR_TLS_CNF_NAME "tls_config_name"
#define DEF_TLS_CNF_NAME ""
extern char *var_tls_cnf_name;
#define VAR_TLS_HIGH_CLIST "tls_high_cipherlist"
#define DEF_TLS_HIGH_CLIST "aNULL:-aNULL:HIGH:@STRENGTH"
extern char *var_tls_high_clist;

4
postfix/src/global/mail_version.h
View File

@ -20,8 +20,8 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
#define MAIL_RELEASE_DATE "20230418"
#define MAIL_VERSION_NUMBER "3.6.9"
#define MAIL_RELEASE_DATE "20230605"
#define MAIL_VERSION_NUMBER "3.6.10"
#ifdef SNAPSHOT
#define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE

61
postfix/src/postconf/postconf_edit.c
View File

@ -192,6 +192,11 @@ void pcf_edit_main(int mode, int argc, char **argv)
} else {
msg_panic("pcf_edit_main: unknown mode %d", mode);
}
if ((cvalue = htable_find(table, pattern)) != 0) {
msg_warn("ignoring earlier request: '%s = %s'",
pattern, cvalue->value);
htable_delete(table, pattern, myfree);
}
cvalue = (struct cvalue *) mymalloc(sizeof(*cvalue));
cvalue->value = edit_value;
cvalue->found = 0;
@ -459,8 +464,38 @@ void pcf_edit_master(int mode, int argc, char **argv)
/*
* Match each service pattern.
*
* Additional care is needed when a request adds or replaces an
* entire service definition, instead of a specific field or
* parameter. Given a command "postconf -M name1/type1='name2
* type2 ...'", where name1 and name2 may differ, and likewise
* for type1 and type2:
*
* - First, if an existing service definition a) matches the service
* pattern 'name1/type1', or b) matches the name and type in the
* new service definition 'name2 type2 ...', remove the service
* definition.
*
* - Then, after an a) or b) type match, add a new service
* definition for 'name2 type2 ...', but only after the first
* match.
*
* - Finally, if a request had no a) or b) type match for any
* master.cf service definition, add a new service definition for
* 'name2 type2 ...'.
*/
for (req = edit_reqs; req < edit_reqs + num_reqs; req++) {
PCF_MASTER_ENT *tentative_entry = 0;
int use_tentative_entry = 0;
/* Additional care for whole service definition requests. */
if ((mode & PCF_MASTER_ENTRY) && (mode & PCF_EDIT_CONF)) {
tentative_entry = (PCF_MASTER_ENT *)
mymalloc(sizeof(*tentative_entry));
if ((err = pcf_parse_master_entry(tentative_entry,
req->edit_value)) != 0)
msg_fatal("%s: \"%s\"", err, req->raw_text);
}
if (PCF_MATCH_SERVICE_PATTERN(req->service_pattern,
service_name,
service_type)) {
@ -506,18 +541,30 @@ void pcf_edit_master(int mode, int argc, char **argv)
* Replace entire master.cf entry.
*/
case PCF_MASTER_ENTRY:
if (new_entry != 0)
pcf_free_master_entry(new_entry);
new_entry = (PCF_MASTER_ENT *)
mymalloc(sizeof(*new_entry));
if ((err = pcf_parse_master_entry(new_entry,
req->edit_value)) != 0)
msg_fatal("%s: \"%s\"", err, req->raw_text);
if (req->match_count == 1)
use_tentative_entry = 1;
break;
default:
msg_panic("%s: unknown edit mode %d", myname, mode);
}
}
} else if (tentative_entry != 0
&& PCF_MATCH_SERVICE_PATTERN(tentative_entry->argv,
service_name,
service_type)) {
service_name_type_matched = 1; /* Sticky flag */
req->match_count += 1;
if (req->match_count == 1)
use_tentative_entry = 1;
}
if (tentative_entry != 0) {
if (use_tentative_entry) {
if (new_entry != 0)
pcf_free_master_entry(new_entry);
new_entry = tentative_entry;
} else {
pcf_free_master_entry(tentative_entry);
}
}
}

11
postfix/src/postconf/postconf_master.c
View File

@ -156,6 +156,7 @@
#include <readlline.h>
#include <stringops.h>
#include <split_at.h>
#include <dict_ht.h>
/* Global library. */
@ -393,12 +394,12 @@ const char *pcf_parse_master_entry(PCF_MASTER_ENT *masterp, const char *buf)
concatenate("ro", PCF_NAMESP_SEP_STR, masterp->name_space, (char *) 0);
masterp->argv = argv;
masterp->valid_names = 0;
masterp->ro_params = dict_ht_open(ro_name_space, O_CREAT | O_RDWR, 0);
process_name = basename(argv->argv[PCF_MASTER_FLD_CMD]);
dict_update(ro_name_space, VAR_PROCNAME, process_name);
dict_update(ro_name_space, VAR_SERVNAME,
strcmp(process_name, argv->argv[0]) != 0 ?
argv->argv[0] : process_name);
masterp->ro_params = dict_handle(ro_name_space);
dict_put(masterp->ro_params, VAR_PROCNAME, process_name);
dict_put(masterp->ro_params, VAR_SERVNAME,
strcmp(process_name, argv->argv[0]) != 0 ?
argv->argv[0] : process_name);
myfree(ro_name_space);
masterp->all_params = 0;
return (0);

7
postfix/src/smtp/smtp.c
View File

@ -569,6 +569,13 @@
/* .IP "\fBtls_fast_shutdown_enable (yes)\fR"
/* A workaround for implementations that hang Postfix while shutting
/* down a TLS session, until Postfix times out.
/* .PP
/* Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
/* .IP "\fBtls_config_file (default)\fR"
/* Optional configuration file with baseline OpenSSL settings.
/* .IP "\fBtls_config_name (empty)\fR"
/* The application name passed by Postfix to OpenSSL library
/* initialization functions.
/* OBSOLETE STARTTLS CONTROLS
/* .ad
/* .fi

70
postfix/src/smtpd/smtpd.c
View File

@ -514,6 +514,13 @@
/* .IP "\fBinfo_log_address_format (external)\fR"
/* The email address form that will be used in non-debug logging
/* (info, warning, etc.).
/* .PP
/* Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
/* .IP "\fBtls_config_file (default)\fR"
/* Optional configuration file with baseline OpenSSL settings.
/* .IP "\fBtls_config_name (empty)\fR"
/* The application name passed by Postfix to OpenSSL library
/* initialization functions.
/* OBSOLETE STARTTLS CONTROLS
/* .ad
/* .fi
@ -762,6 +769,11 @@
/* The maximal number of AUTH commands that any client is allowed to
/* send to this service per time unit, regardless of whether or not
/* Postfix actually accepts those commands.
/* .PP
/* Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
/* .IP "\fBsmtpd_forbid_unauth_pipelining (Postfix >= 3.9: yes)\fR"
/* Disconnect remote SMTP clients that violate RFC 2920 (or 5321)
/* command pipelining constraints.
/* TARPIT CONTROLS
/* .ad
/* .fi
@ -1447,6 +1459,7 @@ char *var_milt_eod_macros;
char *var_milt_unk_macros;
char *var_milt_macro_deflts;
bool var_smtpd_client_port_log;
bool var_smtpd_forbid_unauth_pipe;
char *var_stress;
char *var_reject_tmpf_act;
@ -5375,6 +5388,32 @@ static SMTPD_CMD smtpd_cmd_table[] = {
static STRING_LIST *smtpd_noop_cmds;
static STRING_LIST *smtpd_forbid_cmds;
/* smtpd_flag_ill_pipelining - flag pipelining protocol violation */
static int smtpd_flag_ill_pipelining(SMTPD_STATE *state)
{
/*
* This code will not return after I/O error, timeout, or EOF. VSTREAM
* exceptions must be enabled in advance with smtp_stream_setup().
*/
if (vstream_peek(state->client) == 0
&& peekfd(vstream_fileno(state->client)) > 0)
(void) vstream_ungetc(state->client, smtp_fgetc(state->client));
if (vstream_peek(state->client) > 0) {
if (state->expand_buf == 0)
state->expand_buf = vstring_alloc(100);
escape(state->expand_buf, vstream_peek_data(state->client),
vstream_peek(state->client) < 100 ?
vstream_peek(state->client) : 100);
msg_info("improper command pipelining after %s from %s: %s",
state->where, state->namaddr, STR(state->expand_buf));
state->flags |= SMTPD_FLAG_ILL_PIPELINING;
return (1);
}
return (0);
}
/* smtpd_proto - talk the SMTP protocol */
static void smtpd_proto(SMTPD_STATE *state)
@ -5513,6 +5552,21 @@ static void smtpd_proto(SMTPD_STATE *state)
}
#endif
/*
* If the client spoke before the server sends the initial greeting,
* raise a flag and log the content of the protocol violation. This
* check MUST NOT apply to TLS wrappermode connections.
*/
if (SMTPD_STAND_ALONE(state) == 0
&& vstream_context(state->client) == 0 /* not postscreen */
&& (state->flags & SMTPD_FLAG_ILL_PIPELINING) == 0
&& smtpd_flag_ill_pipelining(state)
&& var_smtpd_forbid_unauth_pipe) {
smtpd_chat_reply(state,
"554 5.5.0 Error: SMTP protocol synchronization");
break;
}
/*
* XXX The client connection count/rate control must be consistent in
* its use of client address information in connect and disconnect
@ -5740,16 +5794,11 @@ static void smtpd_proto(SMTPD_STATE *state)
&& (strcasecmp(state->protocol, MAIL_PROTO_ESMTP) != 0
|| (cmdp->flags & SMTPD_CMD_FLAG_LAST))
&& (state->flags & SMTPD_FLAG_ILL_PIPELINING) == 0
&& (vstream_peek(state->client) > 0
|| peekfd(vstream_fileno(state->client)) > 0)) {
if (state->expand_buf == 0)
state->expand_buf = vstring_alloc(100);
escape(state->expand_buf, vstream_peek_data(state->client),
vstream_peek(state->client) < 100 ?
vstream_peek(state->client) : 100);
msg_info("improper command pipelining after %s from %s: %s",
cmdp->name, state->namaddr, STR(state->expand_buf));
state->flags |= SMTPD_FLAG_ILL_PIPELINING;
&& smtpd_flag_ill_pipelining(state)
&& var_smtpd_forbid_unauth_pipe) {
smtpd_chat_reply(state,
"554 5.5.0 Error: SMTP protocol synchronization");
break;
}
if (cmdp->action(state, argc, argv) != 0)
state->error_count++;
@ -6412,6 +6461,7 @@ int main(int argc, char **argv)
VAR_SMTPD_PEERNAME_LOOKUP, DEF_SMTPD_PEERNAME_LOOKUP, &var_smtpd_peername_lookup,
VAR_SMTPD_DELAY_OPEN, DEF_SMTPD_DELAY_OPEN, &var_smtpd_delay_open,
VAR_SMTPD_CLIENT_PORT_LOG, DEF_SMTPD_CLIENT_PORT_LOG, &var_smtpd_client_port_log,
VAR_SMTPD_FORBID_UNAUTH_PIPE, DEF_SMTPD_FORBID_UNAUTH_PIPE, &var_smtpd_forbid_unauth_pipe,
0,
};
static const CONFIG_NBOOL_TABLE nbool_table[] = {

2
postfix/src/tls/tls.h
View File

@ -76,6 +76,7 @@ extern const char *str_tls_level(int);
#include <openssl/crypto.h> /* Legacy SSLEAY_VERSION_NUMBER */
#include <openssl/opensslv.h> /* OPENSSL_VERSION_NUMBER */
#include <openssl/ssl.h>
#include <openssl/conf.h>
/* Appease indent(1) */
#define x509_stack_t STACK_OF(X509)
@ -311,6 +312,7 @@ extern void tls_free_app_context(TLS_APPL_STATE *);
* tls_misc.c
*/
extern void tls_param_init(void);
extern int tls_library_init(void);
/*
* Protocol selection.

7
postfix/src/tls/tls_client.c
View File

@ -640,6 +640,13 @@ TLS_APPL_STATE *tls_client_init(const TLS_CLIENT_INIT_PROPS *props)
*/
tls_check_version();
/*
* Initialize the OpenSSL library, possibly loading its configuration
* file.
*/
if (tls_library_init() == 0)
return (0);
/*
* Create an application data index for SSL objects, so that we can
* attach TLScontext information; this information is needed inside

123
postfix/src/tls/tls_misc.c
View File

@ -29,6 +29,8 @@
/* #define TLS_INTERNAL
/* #include <tls.h>
/*
/* char *var_tls_cnf_file;
/* char *var_tls_cnf_name;
/* char *var_tls_high_clist;
/* char *var_tls_medium_clist;
/* char *var_tls_low_clist;
@ -69,6 +71,8 @@
/*
/* void tls_param_init()
/*
/* int tls_library_init(void)
/*
/* int tls_proto_mask_lims(plist, floor, ceiling)
/* const char *plist;
/* int *floor;
@ -155,6 +159,9 @@
/* tls_param_init() loads main.cf parameters used internally in
/* TLS library. Any errors are fatal.
/*
/* tls_library_init() initializes the OpenSSL library, optionally
/* loading an OpenSSL configuration file.
/*
/* tls_pre_jail_init() opens any tables that need to be opened before
/* entering a chroot jail. The "role" parameter must be TLS_ROLE_CLIENT
/* for clients and TLS_ROLE_SERVER for servers. Any errors are fatal.
@ -274,6 +281,8 @@
/*
* Tunable parameters.
*/
char *var_tls_cnf_file;
char *var_tls_cnf_name;
char *var_tls_high_clist;
char *var_tls_medium_clist;
char *var_tls_low_clist;
@ -642,6 +651,8 @@ void tls_param_init(void)
{
/* If this changes, update TLS_CLIENT_PARAMS in tls_proxy.h. */
static const CONFIG_STR_TABLE str_table[] = {
VAR_TLS_CNF_FILE, DEF_TLS_CNF_FILE, &var_tls_cnf_file, 0, 0,
VAR_TLS_CNF_NAME, DEF_TLS_CNF_NAME, &var_tls_cnf_name, 0, 0,
VAR_TLS_HIGH_CLIST, DEF_TLS_HIGH_CLIST, &var_tls_high_clist, 1, 0,
VAR_TLS_MEDIUM_CLIST, DEF_TLS_MEDIUM_CLIST, &var_tls_medium_clist, 1, 0,
VAR_TLS_LOW_CLIST, DEF_TLS_LOW_CLIST, &var_tls_low_clist, 1, 0,
@ -685,6 +696,118 @@ void tls_param_init(void)
get_mail_conf_bool_table(bool_table);
}
/* tls_library_init - perform OpenSSL library initialization */
int tls_library_init(void)
{
OPENSSL_INIT_SETTINGS *init_settings;
char *conf_name = *var_tls_cnf_name ? var_tls_cnf_name : 0;
char *conf_file = 0;
unsigned long init_opts = 0;
#define TLS_LIB_INIT_TODO (-1)
#define TLS_LIB_INIT_ERR (0)
#define TLS_LIB_INIT_OK (1)
static int init_res = TLS_LIB_INIT_TODO;
if (init_res != TLS_LIB_INIT_TODO)
return (init_res);
/*
* Backwards compatibility: skip this function unless the Postfix
* configuration actually has non-default tls_config_xxx settings.
*/
if (strcmp(var_tls_cnf_file, DEF_TLS_CNF_FILE) == 0
&& strcmp(var_tls_cnf_name, DEF_TLS_CNF_NAME) == 0) {
if (msg_verbose)
msg_info("tls_library_init: using backwards-compatible defaults");
return (init_res = TLS_LIB_INIT_OK);
}
if ((init_settings = OPENSSL_INIT_new()) == 0) {
msg_warn("error allocating OpenSSL init settings, "
"disabling TLS support");
return (init_res = TLS_LIB_INIT_ERR);
}
#define TLS_LIB_INIT_RETURN(x) \
do { OPENSSL_INIT_free(init_settings); return (init_res = (x)); } while(0)
#if OPENSSL_VERSION_NUMBER < 0x1010102fL
/*
* OpenSSL 1.1.0 through 1.1.1a, no support for custom configuration
* files, disabling loading of the file, or getting strict error
* handling. Thus, the only supported configuration file is "default".
*/
if (strcmp(var_tls_cnf_file, "default") != 0) {
msg_warn("non-default %s = %s requires OpenSSL 1.1.1b or later, "
"disabling TLS support", VAR_TLS_CNF_FILE, var_tls_cnf_file);
TLS_LIB_INIT_RETURN(TLS_LIB_INIT_ERR);
}
#else
{
unsigned long file_flags = 0;
/*-
* OpenSSL 1.1.1b or later:
* We can now use a non-default configuration file, or
* use none at all. We can also request strict error
* reporting.
*/
if (strcmp(var_tls_cnf_file, "none") == 0) {
init_opts |= OPENSSL_INIT_NO_LOAD_CONFIG;
} else if (strcmp(var_tls_cnf_file, "default") == 0) {
/*
* The default global config file is optional. With "default"
* initialisation we don't insist on a match for the requested
* application name, allowing fallback to the default application
* name, even when a non-default application name is specified.
* Errors in loading the default configuration are ignored.
*/
conf_file = 0;
file_flags |= CONF_MFLAGS_IGNORE_MISSING_FILE;
file_flags |= CONF_MFLAGS_DEFAULT_SECTION;
file_flags |= CONF_MFLAGS_IGNORE_RETURN_CODES | CONF_MFLAGS_SILENT;
} else if (*var_tls_cnf_file == '/') {
/*
* A custom config file must be present, error reporting is
* strict and the configuration section for the requested
* application name does not fall back to "openssl_conf" when
* missing.
*/
conf_file = var_tls_cnf_file;
} else {
msg_warn("non-default %s = %s is not an absolute pathname, "
"disabling TLS support", VAR_TLS_CNF_FILE, var_tls_cnf_file);
TLS_LIB_INIT_RETURN(TLS_LIB_INIT_ERR);
}
OPENSSL_INIT_set_config_file_flags(init_settings, file_flags);
}
#endif
if (conf_file)
OPENSSL_INIT_set_config_filename(init_settings, conf_file);
if (conf_name)
OPENSSL_INIT_set_config_appname(init_settings, conf_name);
if (OPENSSL_init_ssl(init_opts, init_settings) <= 0) {
if ((init_opts & OPENSSL_INIT_NO_LOAD_CONFIG) == 0)
msg_warn("error loading the '%s' settings from the %s OpenSSL "
"configuration file, disabling TLS support",
conf_name ? conf_name : "global",
conf_file ? conf_file : "default");
else
msg_warn("error initializing the OpenSSL library, "
"disabling TLS support");
tls_print_errors();
TLS_LIB_INIT_RETURN(TLS_LIB_INIT_ERR);
}
TLS_LIB_INIT_RETURN(TLS_LIB_INIT_OK);
}
/* tls_pre_jail_init - Load TLS related pre-jail tables */
void tls_pre_jail_init(TLS_ROLE role)

9
postfix/src/tls/tls_proxy.h
View File

@ -44,6 +44,8 @@
* VAR_TLS_SERVER_SNI_MAPS.
*/
typedef struct TLS_CLIENT_PARAMS {
char *tls_cnf_file;
char *tls_cnf_name;
char *tls_high_clist;
char *tls_medium_clist;
char *tls_low_clist;
@ -65,12 +67,13 @@ typedef struct TLS_CLIENT_PARAMS {
} TLS_CLIENT_PARAMS;
#define TLS_PROXY_PARAMS(params, a1, a2, a3, a4, a5, a6, a7, a8, \
a9, a10, a11, a12, a13, a14, a15, a16, a17, a18) \
a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20) \
(((params)->a1), ((params)->a2), ((params)->a3), \
((params)->a4), ((params)->a5), ((params)->a6), ((params)->a7), \
((params)->a8), ((params)->a9), ((params)->a10), ((params)->a11), \
((params)->a12), ((params)->a13), ((params)->a14), ((params)->a15), \
((params)->a16), ((params)->a17), ((params)->a18))
((params)->a16), ((params)->a17), ((params)->a18), ((params)->a19), \
((params)->a20))
/*
* tls_proxy_client_param_misc.c, tls_proxy_client_param_print.c, and
@ -217,6 +220,8 @@ extern void tls_proxy_server_start_free(TLS_SERVER_START_PROPS *);
/*
* TLS_CLIENT_INIT_PROPS attributes.
*/
#define TLS_ATTR_CNF_FILE "config_file"
#define TLS_ATTR_CNF_NAME "config_name"
#define TLS_ATTR_LOG_PARAM "log_param"
#define TLS_ATTR_LOG_LEVEL "log_level"
#define TLS_ATTR_VERIFYDEPTH "verifydepth"

2
postfix/src/tls/tls_proxy_client_misc.c
View File

@ -78,6 +78,8 @@
TLS_CLIENT_PARAMS *tls_proxy_client_param_from_config(TLS_CLIENT_PARAMS *params)
{
TLS_PROXY_PARAMS(params,
tls_cnf_file = var_tls_cnf_file,
tls_cnf_name = var_tls_cnf_name,
tls_high_clist = var_tls_high_clist,
tls_medium_clist = var_tls_medium_clist,
tls_low_clist = var_tls_low_clist,

2
postfix/src/tls/tls_proxy_client_print.c
View File

@ -95,6 +95,8 @@ int tls_proxy_client_param_print(ATTR_PRINT_COMMON_FN print_fn, VSTREAM *fp,
msg_info("begin tls_proxy_client_param_print");
ret = print_fn(fp, flags | ATTR_FLAG_MORE,
SEND_ATTR_STR(TLS_ATTR_CNF_FILE, params->tls_cnf_file),
SEND_ATTR_STR(TLS_ATTR_CNF_NAME, params->tls_cnf_name),
SEND_ATTR_STR(VAR_TLS_HIGH_CLIST, params->tls_high_clist),
SEND_ATTR_STR(VAR_TLS_MEDIUM_CLIST,
params->tls_medium_clist),

10
postfix/src/tls/tls_proxy_client_scan.c
View File

@ -121,6 +121,8 @@
void tls_proxy_client_param_free(TLS_CLIENT_PARAMS *params)
{
myfree(params->tls_cnf_file);
myfree(params->tls_cnf_name);
myfree(params->tls_high_clist);
myfree(params->tls_medium_clist);
myfree(params->tls_low_clist);
@ -145,6 +147,8 @@ int tls_proxy_client_param_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
TLS_CLIENT_PARAMS *params
= (TLS_CLIENT_PARAMS *) mymalloc(sizeof(*params));
int ret;
VSTRING *cnf_file = vstring_alloc(25);
VSTRING *cnf_name = vstring_alloc(25);
VSTRING *tls_high_clist = vstring_alloc(25);
VSTRING *tls_medium_clist = vstring_alloc(25);
VSTRING *tls_low_clist = vstring_alloc(25);
@ -167,6 +171,8 @@ int tls_proxy_client_param_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
*/
memset(params, 0, sizeof(*params));
ret = scan_fn(fp, flags | ATTR_FLAG_MORE,
RECV_ATTR_STR(TLS_ATTR_CNF_FILE, cnf_file),
RECV_ATTR_STR(TLS_ATTR_CNF_NAME, cnf_name),
RECV_ATTR_STR(VAR_TLS_HIGH_CLIST, tls_high_clist),
RECV_ATTR_STR(VAR_TLS_MEDIUM_CLIST, tls_medium_clist),
RECV_ATTR_STR(VAR_TLS_LOW_CLIST, tls_low_clist),
@ -192,6 +198,8 @@ int tls_proxy_client_param_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
&params->tls_multi_wildcard),
ATTR_TYPE_END);
/* Always construct a well-formed structure. */
params->tls_cnf_file = vstring_export(cnf_file);
params->tls_cnf_name = vstring_export(cnf_name);
params->tls_high_clist = vstring_export(tls_high_clist);
params->tls_medium_clist = vstring_export(tls_medium_clist);
params->tls_low_clist = vstring_export(tls_low_clist);
@ -206,7 +214,7 @@ int tls_proxy_client_param_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
params->tls_mgr_service = vstring_export(tls_mgr_service);
params->tls_tkt_cipher = vstring_export(tls_tkt_cipher);
ret = (ret == 18 ? 1 : -1);
ret = (ret == 20 ? 1 : -1);
if (ret != 1) {
tls_proxy_client_param_free(params);
params = 0;

7
postfix/src/tls/tls_server.c
View File

@ -370,6 +370,13 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
*/
tls_check_version();
/*
* Initialize the OpenSSL library, possibly loading its configuration
* file.
*/
if (tls_library_init() == 0)
return (0);
/*
* First validate the protocols. If these are invalid, we can't continue.
*/

7
postfix/src/tlsproxy/tlsproxy.c
View File

@ -134,6 +134,13 @@
/* .IP "\fBtls_fast_shutdown_enable (yes)\fR"
/* A workaround for implementations that hang Postfix while shutting
/* down a TLS session, until Postfix times out.
/* .PP
/* Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
/* .IP "\fBtls_config_file (default)\fR"
/* Optional configuration file with baseline OpenSSL settings.
/* .IP "\fBtls_config_name (empty)\fR"
/* The application name passed by Postfix to OpenSSL library
/* initialization functions.
/* STARTTLS SERVER CONTROLS
/* .ad
/* .fi