mir/postfix
2
0
Fork 0
mirror of https://github.com/vdukhovni/postfix synced 2025-08-30 05:38:06 +00:00
Code Issues Releases Wiki Activity

postfix-3.10-20250126-nonprod

Browse Source
This commit is contained in:
Wietse Z Venema 2025-01-26 00:00:00 -05:00 committed by Viktor Dukhovni
parent c378e47a69
commit 137e70673b
12 changed files with 449 additions and 434 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
postfix/HISTORY
View File

@ -28952,8 +28952,28 @@ Apologies for any names omitted.
Completed: simplify the code in cleanup_envelope_test.c. Completed: simplify the code in cleanup_envelope_test.c.
Completed: REQUIRETLS support can be disabled in the Postfix
SMTP/LMTP client with "{ -o requiretls_enable = no }". This
is recommended for a perimeter MTA that hands off mail to
internal servers that may not support REQUIRETLS.
Completed: simplified cleanup_envelope_test implementation.
TODO: TODO:
Add a log-only mode for REQUIRETLS, so that one can find out
how much would break. Maybe make it a map, so that different
sites can have different enforcement levels.
If we support log-only REQUIRETLS, then don't panic ("can't
happen") when the code reaches a point that can't be reached
when REQUIRETLS is actually enforced.
Encapsulate the sendopts-to-cleanup-flags mapping.
How do we make it work with multi-instance SMTP-based content
filters? How is this different from the single-instance case?
What REQUIRETLS expectations can we enforce when delivering What REQUIRETLS expectations can we enforce when delivering
over a UNIX-domain channel? The SMTP/LMTP client currently over a UNIX-domain channel? The SMTP/LMTP client currently
implements the same behavior as for TCP, except that implements the same behavior as for TCP, except that
@ -28990,17 +29010,13 @@ TODO:
not require that the LMTP server announces REQUIRETLS not require that the LMTP server announces REQUIRETLS
support. support.
- Perimeter MTA configuration: disable REQUIRETLS on the
inbound relay transport when internal infrastructure may
not be suitable for REQUIRETLS enforcement.
If a message contains "TLS-Required: no", should a bounce If a message contains "TLS-Required: no", should a bounce
message also contain this header? message also contain this header?
If the Postfix SMTP server accepted REQUIRETLS, should that
stay in effect if, before the message is forwarded, the
configuration is changed to "requiretls_enable = no"? Same
for "postsuper -r".
Ditto for "tls_required_enable = no" and "TLS-Required: Ditto for "tls_required_enable = no" and "TLS-Required:
no". no". The header is provided by the sender, and enforcement
is up the Postfix SMTP client.
Simplify the cleanup_envelope_test. Write the initial SIZE
record to /dev/null, don't call cleanup_final(), and verify
the value of state->sendopts.

8
postfix/html/lmtp.8.html
View File

@ -143,11 +143,9 @@ SMTP(8) SMTP(8)
<b>X</b> Indicates that the delivery is final. This flag affects <b>X</b> Indicates that the delivery is final. This flag affects
the status reported in "success" DSN (delivery status the status reported in "success" DSN (delivery status
notification) messages, and changes it from "relayed" notification) messages, and changes it from "relayed"
into "delivered". The flag also suppresses the require- into "delivered".
ment that the remote server announces REQUIRETLS support.
This feature is available as of Postfix 3.5; REQUIRETLS This feature is available as of Postfix 3.5.
support was introduced with Postfix 3.10.
<b><a name="security">SECURITY</a></b> <b><a name="security">SECURITY</a></b>
The SMTP+LMTP client is moderately security-sensitive. It talks to SMTP The SMTP+LMTP client is moderately security-sensitive. It talks to SMTP
@ -749,6 +747,8 @@ SMTP(8) SMTP(8)
Request that remote SMTP servers send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key Request that remote SMTP servers send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key
instead of an X.509 certificate. instead of an X.509 certificate.
Available in Postfix version 3.10 and later:
<b><a href="postconf.5.html#smtp_tlsrpt_enable">smtp_tlsrpt_enable</a> (no)</b> <b><a href="postconf.5.html#smtp_tlsrpt_enable">smtp_tlsrpt_enable</a> (no)</b>
Enable support for <a href="https://tools.ietf.org/html/rfc8460">RFC 8460</a> TLSRPT notifications. Enable support for <a href="https://tools.ietf.org/html/rfc8460">RFC 8460</a> TLSRPT notifications.

16
postfix/html/postconf.5.html
View File

@ -10575,13 +10575,15 @@ the mail server (IMPORTING HOME DIRECTORIES IS NOT RECOMMENDED).
<p> Enable support for the ESMTP verb "REQUIRETLS", defined in <a href="https://tools.ietf.org/html/rfc8689">RFC</a> <p> Enable support for the ESMTP verb "REQUIRETLS", defined in <a href="https://tools.ietf.org/html/rfc8689">RFC</a>
<a href="https://tools.ietf.org/html/rfc8689">8689</a>. By issuing this verb in the "MAIL FROM" command, a sender <a href="https://tools.ietf.org/html/rfc8689">8689</a>. By issuing this verb in the "MAIL FROM" command, a sender
requires that a message must be delivered over TLS connections with specifies that a message must be delivered over TLS connections
a verified server certificate. This corresponds to the Postfix SMTP with a verified server certificate, to a server that announces
client TLS security levels "secure", "verify", "fingerprint", "REQUIRETLS" support. This corresponds to the Postfix SMTP client
opportunistic "dane" with a successful certificate match, or TLS security levels "secure", "verify", "fingerprint", dane-only,
"dane-only" (the postfix-mta-sts-resolver plugin tells Postfix to or opportunistic "dane", with a successful certificate match. The
enforce a "secure with certificate match" policy). Otherwise, Postfix Postfix SMTP client will try one or more servers, controlled with
returns the message as undeliverable. </p> the <a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> parameter, until it finds a server that
satisfies requirements. Otherwise, Postfix returns the message as
undeliverable. </p>
<p> Note: REQUIRETLS overrides "TLS-Required: no". </p> <p> Note: REQUIRETLS overrides "TLS-Required: no". </p>

8
postfix/html/smtp.8.html
View File

@ -143,11 +143,9 @@ SMTP(8) SMTP(8)
<b>X</b> Indicates that the delivery is final. This flag affects <b>X</b> Indicates that the delivery is final. This flag affects
the status reported in "success" DSN (delivery status the status reported in "success" DSN (delivery status
notification) messages, and changes it from "relayed" notification) messages, and changes it from "relayed"
into "delivered". The flag also suppresses the require- into "delivered".
ment that the remote server announces REQUIRETLS support.
This feature is available as of Postfix 3.5; REQUIRETLS This feature is available as of Postfix 3.5.
support was introduced with Postfix 3.10.
<b><a name="security">SECURITY</a></b> <b><a name="security">SECURITY</a></b>
The SMTP+LMTP client is moderately security-sensitive. It talks to SMTP The SMTP+LMTP client is moderately security-sensitive. It talks to SMTP
@ -749,6 +747,8 @@ SMTP(8) SMTP(8)
Request that remote SMTP servers send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key Request that remote SMTP servers send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key
instead of an X.509 certificate. instead of an X.509 certificate.
Available in Postfix version 3.10 and later:
<b><a href="postconf.5.html#smtp_tlsrpt_enable">smtp_tlsrpt_enable</a> (no)</b> <b><a href="postconf.5.html#smtp_tlsrpt_enable">smtp_tlsrpt_enable</a> (no)</b>
Enable support for <a href="https://tools.ietf.org/html/rfc8460">RFC 8460</a> TLSRPT notifications. Enable support for <a href="https://tools.ietf.org/html/rfc8460">RFC 8460</a> TLSRPT notifications.

16
postfix/man/man5/postconf.5
View File

@ -6581,13 +6581,15 @@ the mail server (IMPORTING HOME DIRECTORIES IS NOT RECOMMENDED).
.SH requiretls_enable (default: yes) .SH requiretls_enable (default: yes)
Enable support for the ESMTP verb "REQUIRETLS", defined in RFC Enable support for the ESMTP verb "REQUIRETLS", defined in RFC
8689. By issuing this verb in the "MAIL FROM" command, a sender 8689. By issuing this verb in the "MAIL FROM" command, a sender
requires that a message must be delivered over TLS connections with specifies that a message must be delivered over TLS connections
a verified server certificate. This corresponds to the Postfix SMTP with a verified server certificate, to a server that announces
client TLS security levels "secure", "verify", "fingerprint", "REQUIRETLS" support. This corresponds to the Postfix SMTP client
opportunistic "dane" with a successful certificate match, or TLS security levels "secure", "verify", "fingerprint", dane\-only,
"dane\-only" (the postfix\-mta\-sts\-resolver plugin tells Postfix to or opportunistic "dane", with a successful certificate match. The
enforce a "secure with certificate match" policy). Otherwise, Postfix Postfix SMTP client will try one or more servers, controlled with
returns the message as undeliverable. the smtp_mx_address_limit parameter, until it finds a server that
satisfies requirements. Otherwise, Postfix returns the message as
undeliverable.
.PP .PP
Note: REQUIRETLS overrides "TLS\-Required: no". Note: REQUIRETLS overrides "TLS\-Required: no".
.PP .PP

9
postfix/man/man8/smtp.8
View File

@ -153,11 +153,9 @@ This feature is available as of Postfix 3.5.
Indicates that the delivery is final. This flag affects Indicates that the delivery is final. This flag affects
the status reported in "success" DSN (delivery status the status reported in "success" DSN (delivery status
notification) messages, and changes it from "relayed" into notification) messages, and changes it from "relayed" into
"delivered". The flag also suppresses the requirement that "delivered".
the remote server announces REQUIRETLS support.
.sp .sp
This feature is available as of Postfix 3.5; This feature is available as of Postfix 3.5.
REQUIRETLS support was introduced with Postfix 3.10.
.RE .RE
.SH "SECURITY" .SH "SECURITY"
.na .na
@ -675,7 +673,8 @@ Available in Postfix version 3.9 and later:
.IP "\fBsmtp_tls_enable_rpk (no)\fR" .IP "\fBsmtp_tls_enable_rpk (no)\fR"
Request that remote SMTP servers send an RFC7250 raw public key Request that remote SMTP servers send an RFC7250 raw public key
instead of an X.509 certificate. instead of an X.509 certificate.
.PP Available in Postfix version 3.10 and later: .PP
Available in Postfix version 3.10 and later:
.IP "\fBsmtp_tlsrpt_enable (no)\fR" .IP "\fBsmtp_tlsrpt_enable (no)\fR"
Enable support for RFC 8460 TLSRPT notifications. Enable support for RFC 8460 TLSRPT notifications.
.IP "\fBsmtp_tlsrpt_socket_name (empty)\fR" .IP "\fBsmtp_tlsrpt_socket_name (empty)\fR"

16
postfix/proto/postconf.proto
View File

@ -19491,13 +19491,15 @@ certificates, and fall back to plaintext if TLS is unavailable.
<p> Enable support for the ESMTP verb "REQUIRETLS", defined in RFC <p> Enable support for the ESMTP verb "REQUIRETLS", defined in RFC
8689. By issuing this verb in the "MAIL FROM" command, a sender 8689. By issuing this verb in the "MAIL FROM" command, a sender
requires that a message must be delivered over TLS connections with specifies that a message must be delivered over TLS connections
a verified server certificate. This corresponds to the Postfix SMTP with a verified server certificate, to a server that announces
client TLS security levels "secure", "verify", "fingerprint", "REQUIRETLS" support. This corresponds to the Postfix SMTP client
opportunistic "dane" with a successful certificate match, or TLS security levels "secure", "verify", "fingerprint", dane-only,
"dane-only" (the postfix-mta-sts-resolver plugin tells Postfix to or opportunistic "dane", with a successful certificate match. The
enforce a "secure with certificate match" policy). Otherwise, Postfix Postfix SMTP client will try one or more servers, controlled with
returns the message as undeliverable. </p> the smtp_mx_address_limit parameter, until it finds a server that
satisfies requirements. Otherwise, Postfix returns the message as
undeliverable. </p>
<p> Note: REQUIRETLS overrides "TLS-Required: no". </p> <p> Note: REQUIRETLS overrides "TLS-Required: no". </p>

2
postfix/src/cleanup/cleanup_api.c
View File

@ -81,7 +81,7 @@
/* Autodetection: request SMTPUTF8 support if the message /* Autodetection: request SMTPUTF8 support if the message
/* contains an UTF8 message header, sender, or recipient. /* contains an UTF8 message header, sender, or recipient.
/* .IP CLEANUP_FLAG_REQUIRETLS /* .IP CLEANUP_FLAG_REQUIRETLS
/* The sender requested 'authenticated' TLS enforcement. /* The sender requested REQUIRETLS (RFC 8689) enforcement.
/* DIAGNOSTICS /* DIAGNOSTICS
/* Problems and transactions are logged to \fBsyslogd\fR(8) /* Problems and transactions are logged to \fBsyslogd\fR(8)
/* or \fBpostlogd\fR(8). /* or \fBpostlogd\fR(8).

2
postfix/src/global/mail_version.h
View File

@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no * Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only. * patchlevel; they change the release date only.
*/ */
#define MAIL_RELEASE_DATE "20250122" #define MAIL_RELEASE_DATE "20250126"
#define MAIL_VERSION_NUMBER "3.10" #define MAIL_VERSION_NUMBER "3.10"
#ifdef SNAPSHOT #ifdef SNAPSHOT

9
postfix/src/smtp/smtp.c
View File

@ -139,11 +139,9 @@
/* Indicates that the delivery is final. This flag affects /* Indicates that the delivery is final. This flag affects
/* the status reported in "success" DSN (delivery status /* the status reported in "success" DSN (delivery status
/* notification) messages, and changes it from "relayed" into /* notification) messages, and changes it from "relayed" into
/* "delivered". The flag also suppresses the requirement that /* "delivered".
/* the remote server announces REQUIRETLS support.
/* .sp /* .sp
/* This feature is available as of Postfix 3.5; /* This feature is available as of Postfix 3.5.
/* REQUIRETLS support was introduced with Postfix 3.10.
/* .RE /* .RE
/* SECURITY /* SECURITY
/* .ad /* .ad
@ -641,7 +639,8 @@
/* .IP "\fBsmtp_tls_enable_rpk (no)\fR" /* .IP "\fBsmtp_tls_enable_rpk (no)\fR"
/* Request that remote SMTP servers send an RFC7250 raw public key /* Request that remote SMTP servers send an RFC7250 raw public key
/* instead of an X.509 certificate. /* instead of an X.509 certificate.
/* .PP Available in Postfix version 3.10 and later: /* .PP
/* Available in Postfix version 3.10 and later:
/* .IP "\fBsmtp_tlsrpt_enable (no)\fR" /* .IP "\fBsmtp_tlsrpt_enable (no)\fR"
/* Enable support for RFC 8460 TLSRPT notifications. /* Enable support for RFC 8460 TLSRPT notifications.
/* .IP "\fBsmtp_tlsrpt_socket_name (empty)\fR" /* .IP "\fBsmtp_tlsrpt_socket_name (empty)\fR"

3
postfix/src/smtp/smtp_connect.c
View File

@ -518,7 +518,8 @@ static int smtp_get_effective_tls_level(DSN_BUF *why, SMTP_STATE *state)
* If the sender requires TLS with server certificate verification, the * If the sender requires TLS with server certificate verification, the
* TLS level must enforce a server certificate match. * TLS level must enforce a server certificate match.
*/ */
else if ((state->request->sendopts & SOPT_REQUIRETLS_ESMTP)) { else if (var_requiretls_enable
&& (state->request->sendopts & SOPT_REQUIRETLS_ESMTP)) {
if (TLS_MUST_MATCH(tls->level) == 0) { if (TLS_MUST_MATCH(tls->level) == 0) {
dsb_simple(why, "5.7.10", "Sender requires a TLS server " dsb_simple(why, "5.7.10", "Sender requires a TLS server "
"certificate match, but the configured %s TLS " "certificate match, but the configured %s TLS "

30
postfix/src/smtp/smtp_proto.c
View File

@ -685,23 +685,15 @@ int smtp_helo(SMTP_STATE *state)
} }
/* /*
* If delivery of a REQUIRETLS message is not final, require that the * Require that the server announces REQUIRETLS when the sender requested
* server announces REQUIRETLS when the sender requested REQUIRETLS. * REQUIRETLS. Return the message as undeliverable only when there are no
* Return the message as undeliverable only when there are no more * more alternative MX hosts.
* alternative MX hosts.
*
* If delivery of a REQUIRETLS message is final, we don't need the server to
* announce REQUIRETLS support (but we still had to enforce the
* requirement that the TLS session has a matched server certificate).
*/ */
#define SERVER_MUST_OFFER_REQUIRETLS \
((request->sendopts & SOPT_REQUIRETLS_ESMTP) != 0 \
&& (smtp_cli_attr.flags & SMTP_CLI_FLAG_FINAL_DELIVERY) == 0)
#ifdef USE_TLS #ifdef USE_TLS
if ((state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) != 0 if (var_requiretls_enable
&& (session->features & SMTP_FEATURE_REQUIRETLS) == 0 && (request->sendopts & SOPT_REQUIRETLS_ESMTP) != 0
&& SERVER_MUST_OFFER_REQUIRETLS) && (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) != 0
&& (session->features & SMTP_FEATURE_REQUIRETLS) == 0)
return (smtp_misc_fail(state, SMTP_MISC_FAIL_SOFT_NON_FINAL, return (smtp_misc_fail(state, SMTP_MISC_FAIL_SOFT_NON_FINAL,
DSN_BY_LOCAL_MTA, DSN_BY_LOCAL_MTA,
SMTP_RESP_FAKE(&fake, "5.7.30"), SMTP_RESP_FAKE(&fake, "5.7.30"),
@ -1227,7 +1219,8 @@ static int smtp_start_tls(SMTP_STATE *state)
* REQUIRETLS. Return the message as undeliverable only when * REQUIRETLS. Return the message as undeliverable only when
* there are no more alternative MX hosts. * there are no more alternative MX hosts.
*/ */
if ((state->request->sendopts & SOPT_REQUIRETLS_ESMTP)) { if (var_requiretls_enable
&& (state->request->sendopts & SOPT_REQUIRETLS_ESMTP)) {
return (smtp_misc_fail(state, SMTP_MISC_FAIL_SOFT_NON_FINAL, return (smtp_misc_fail(state, SMTP_MISC_FAIL_SOFT_NON_FINAL,
DSN_BY_LOCAL_MTA, DSN_BY_LOCAL_MTA,
SMTP_RESP_FAKE(&fake, "5.7.10"), SMTP_RESP_FAKE(&fake, "5.7.10"),
@ -1833,10 +1826,11 @@ static int smtp_loop(SMTP_STATE *state, NOCLOBBER int send_state,
* REQUIRETLS and the sender requested REQUIRETLS. * REQUIRETLS and the sender requested REQUIRETLS.
*/ */
#ifdef USE_TLS #ifdef USE_TLS
if ((request->sendopts & SOPT_REQUIRETLS_ESMTP) != 0) { if (var_requiretls_enable
&& (request->sendopts & SOPT_REQUIRETLS_ESMTP) != 0) {
if ((session->features & SMTP_FEATURE_REQUIRETLS) != 0) if ((session->features & SMTP_FEATURE_REQUIRETLS) != 0)
vstring_strcat(next_command, " REQUIRETLS"); vstring_strcat(next_command, " REQUIRETLS");
else if (SERVER_MUST_OFFER_REQUIRETLS) else if ((request->sendopts & SOPT_REQUIRETLS_ESMTP) != 0)
msg_panic("Can't happen: message requires REQUIRETLS, but " msg_panic("Can't happen: message requires REQUIRETLS, but "
"host %s did not announce REQUIRETLS support", "host %s did not announce REQUIRETLS support",
session->namaddr); session->namaddr);