mirror of https://github.com/vdukhovni/postfix synced 2025-08-31 06:05:37 +00:00

postfix-3.9-20231212

Wietse Venema
2023-12-12 00:00:00 -05:00
committed by Viktor Dukhovni
parent 984278aadf
commit 0f39d92148
3 changed files with 16 additions and 5 deletions


@@ -27603,3 +27603,10 @@ Apologies for any names omitted.
Feature: the pipe(8) delivery agent supports an ${envid}
command-line attribute that expands to the RFC 3461 envelope
ID if available. File: pipe/pipe.c.
20231211
Cleanup: posttls-finger certificate match expectations for
all TLS security levels, including warnings for levels that
don't implement certificate matching. Viktor Dukhovni.
File: posttls-finger.c.


@@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
#define MAIL_RELEASE_DATE "20231210"
#define MAIL_RELEASE_DATE "20231212"
#define MAIL_VERSION_NUMBER "3.9"
#ifdef SNAPSHOT


@@ -839,7 +839,7 @@ static int starttls(STATE *state)
state->ddane : state->dane);
#define PROXY_OPEN_FLAGS \
(TLS_PROXY_FLAG_ROLE_CLIENT | TLS_PROXY_FLAG_SEND_CONTEXT)
(TLS_PROXY_FLAG_ROLE_CLIENT | TLS_PROXY_FLAG_SEND_CONTEXT)
#define var_tlsproxy_service
if ((cwd_fd = open(".", O_RDONLY)) < 0)
@@ -900,7 +900,7 @@ static int starttls(STATE *state)
if (state->tls_context) {
if (state->log_mask &
(TLS_LOG_CERTMATCH | TLS_LOG_VERBOSE | TLS_LOG_PEERCERT)) {
if (state->tls_context->stoc_rpk)
if (state->tls_context->stoc_rpk)
msg_info("%s: pkey_fingerprint=%s", state->namaddrport,
state->tls_context->peer_pkey_fprint);
else
@@ -911,7 +911,7 @@ static int starttls(STATE *state)
state->tls_context->issuer_CN,
state->tls_context->peer_cert_fprint,
state->tls_context->peer_pkey_fprint);
}
}
tls_log_summary(TLS_ROLE_CLIENT, TLS_USAGE_NEW,
state->tls_context);
} else {
@@ -1252,7 +1252,7 @@ static DNS_RR *addr_one(STATE *state, DNS_RR *addr_list, const char *host,
* should not clobber a soft error text and status code.
*/
#define RETRY_AI_ERROR(e) \
((e) == EAI_AGAIN || (e) == EAI_MEMORY || (e) == EAI_SYSTEM)
((e) == EAI_AGAIN || (e) == EAI_MEMORY || (e) == EAI_SYSTEM)
#ifdef EAI_NODATA
#define DSN_NOHOST(e) \
((e) == EAI_AGAIN || (e) == EAI_NODATA || (e) == EAI_NONAME)
@@ -2145,8 +2145,12 @@ static void parse_match(STATE *state, int argc, char *argv[])
switch (state->level) {
default:
state->match = 0;
if (*argv)
msg_warn("TLS level '%s' does not implement certificate matching",
str_tls_level(state->level));
break;
case TLS_LEV_DANE:
case TLS_LEV_DANE_ONLY:
case TLS_LEV_SECURE:
state->match = argv_alloc(2);
while (*argv)
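Review bot: In the `default:` branch of parse_match() the match patterns are discarded after a msg_warn() and the probe carries on with `state->match = 0`, so a scripted check that passes patterns at a level without certificate matching presumably still sees a normal run, with only a log line saying the patterns were ignored. A comment above the `if (*argv)` would record that this is deliberate, for example `/* Patterns are ignored at this level: warn, do not fail, so the probe still reports what the server presented. */`. If callers are expected to rely on the match result, `msg_fatal(...)` with the same text would be the stricter alternative; which one is wanted cannot be decided from the hunk alone. The switch and the `while (*argv)` loop continue past the end of the hunk.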