mir/postfix
2
0
Fork 0
mirror of https://github.com/vdukhovni/postfix synced 2025-09-01 06:35:27 +00:00
Code Issues Releases Wiki Activity

postfix-3.9-20231212

Browse Source
This commit is contained in:
Wietse Venema
2023-12-12 00:00:00 -05:00
committed by Viktor Dukhovni
parent 984278aadf
commit 0f39d92148
3 changed files with 16 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
postfix/HISTORY
View File

@@ -27603,3 +27603,10 @@ Apologies for any names omitted.
Feature: the pipe(8) delivery agent supports an ${envid} Feature: the pipe(8) delivery agent supports an ${envid}
command-line attribute that expands to the RFC 3461 envelope command-line attribute that expands to the RFC 3461 envelope
ID if available. File: pipe/pipe.c. ID if available. File: pipe/pipe.c.
20231211
Cleanup: posttls-finger certificate match expectations for
all TLS security levels, including warnings for levels that
don't implement certificate matching. Viktor Dukhovni.
File: posttls-finger.c.

2
postfix/src/global/mail_version.h
View File

@@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no * Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only. * patchlevel; they change the release date only.
*/ */
#define MAIL_RELEASE_DATE "20231210" #define MAIL_RELEASE_DATE "20231212"
#define MAIL_VERSION_NUMBER "3.9" #define MAIL_VERSION_NUMBER "3.9"
#ifdef SNAPSHOT #ifdef SNAPSHOT

12
postfix/src/posttls-finger/posttls-finger.c
View File

@@ -839,7 +839,7 @@ static int starttls(STATE *state)
state->ddane : state->dane); state->ddane : state->dane);
#define PROXY_OPEN_FLAGS \ #define PROXY_OPEN_FLAGS \
(TLS_PROXY_FLAG_ROLE_CLIENT | TLS_PROXY_FLAG_SEND_CONTEXT) (TLS_PROXY_FLAG_ROLE_CLIENT | TLS_PROXY_FLAG_SEND_CONTEXT)
#define var_tlsproxy_service #define var_tlsproxy_service
if ((cwd_fd = open(".", O_RDONLY)) < 0) if ((cwd_fd = open(".", O_RDONLY)) < 0)
@@ -900,7 +900,7 @@ static int starttls(STATE *state)
if (state->tls_context) { if (state->tls_context) {
if (state->log_mask & if (state->log_mask &
(TLS_LOG_CERTMATCH | TLS_LOG_VERBOSE | TLS_LOG_PEERCERT)) { (TLS_LOG_CERTMATCH | TLS_LOG_VERBOSE | TLS_LOG_PEERCERT)) {
if (state->tls_context->stoc_rpk) if (state->tls_context->stoc_rpk)
msg_info("%s: pkey_fingerprint=%s", state->namaddrport, msg_info("%s: pkey_fingerprint=%s", state->namaddrport,
state->tls_context->peer_pkey_fprint); state->tls_context->peer_pkey_fprint);
else else
@@ -911,7 +911,7 @@ static int starttls(STATE *state)
state->tls_context->issuer_CN, state->tls_context->issuer_CN,
state->tls_context->peer_cert_fprint, state->tls_context->peer_cert_fprint,
state->tls_context->peer_pkey_fprint); state->tls_context->peer_pkey_fprint);
} }
tls_log_summary(TLS_ROLE_CLIENT, TLS_USAGE_NEW, tls_log_summary(TLS_ROLE_CLIENT, TLS_USAGE_NEW,
state->tls_context); state->tls_context);
} else { } else {
@@ -1252,7 +1252,7 @@ static DNS_RR *addr_one(STATE *state, DNS_RR *addr_list, const char *host,
* should not clobber a soft error text and status code. * should not clobber a soft error text and status code.
*/ */
#define RETRY_AI_ERROR(e) \ #define RETRY_AI_ERROR(e) \
((e) == EAI_AGAIN || (e) == EAI_MEMORY || (e) == EAI_SYSTEM) ((e) == EAI_AGAIN || (e) == EAI_MEMORY || (e) == EAI_SYSTEM)
#ifdef EAI_NODATA #ifdef EAI_NODATA
#define DSN_NOHOST(e) \ #define DSN_NOHOST(e) \
((e) == EAI_AGAIN || (e) == EAI_NODATA || (e) == EAI_NONAME) ((e) == EAI_AGAIN || (e) == EAI_NODATA || (e) == EAI_NONAME)
@@ -2145,8 +2145,12 @@ static void parse_match(STATE *state, int argc, char *argv[])
switch (state->level) { switch (state->level) {
default: default:
state->match = 0; state->match = 0;
if (*argv)
msg_warn("TLS level '%s' does not implement certificate matching",
str_tls_level(state->level));
break; break;
case TLS_LEV_DANE: case TLS_LEV_DANE:
case TLS_LEV_DANE_ONLY:
case TLS_LEV_SECURE: case TLS_LEV_SECURE:
state->match = argv_alloc(2); state->match = argv_alloc(2);
while (*argv) while (*argv)