mirror of https://github.com/vdukhovni/postfix synced 2025-08-29 13:18:12 +00:00

postfix-3.10-20250126-nonprod

Wietse Z Venema 2025-01-26 00:00:00 -05:00 committed by Viktor Dukhovni
parent c378e47a69
commit 137e70673b
12 changed files with 449 additions and 434 deletions

View File

@ -28952,8 +28952,28 @@ Apologies for any names omitted.
Completed: simplify the code in cleanup_envelope_test.c.
Completed: REQUIRETLS support can be disabled in the Postfix
SMTP/LMTP client with "{ -o requiretls_enable = no }". This
is recommended for a perimeter MTA that hands off mail to
internal servers that may not support REQUIRETLS.
Completed: simplified cleanup_envelope_test implementation.
TODO:
Add a log-only mode for REQUIRETLS, so that one can find out
how much would break. Maybe make it a map, so that different
sites can have different enforcement levels.
If we support log-only REQUIRETLS, then don't panic ("can't
happen") when the code reaches a point that can't be reached
when REQUIRETLS is actually enforced.
Encapsulate the sendopts-to-cleanup-flags mapping.
How do we make it work with multi-instance SMTP-based content
filters? How is this different from the single-instance case?
What REQUIRETLS expectations can we enforce when delivering
over a UNIX-domain channel? The SMTP/LMTP client currently
implements the same behavior as for TCP, except that
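Review bot: The "Completed" entry that recommends "{ -o requiretls_enable = no }" for a perimeter MTA does not say what happens to a message the SMTP server already accepted with REQUIRETLS. The TODO in the next hunk asks that same question, so this entry should either point at it or state plainly that the sender's request is not enforced on the internal hop. Separately, "Completed: simplify the code in cleanup_envelope_test.c." and "Completed: simplified cleanup_envelope_test implementation." appear to describe the same work and could be one entry.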
@ -28990,17 +29010,13 @@ TODO:
not require that the LMTP server announces REQUIRETLS
support.
- Perimeter MTA configuration: disable REQUIRETLS on the
inbound relay transport when internal infrastructure may
not be suitable for REQUIRETLS enforcement.
If a message contains "TLS-Required: no", should a bounce
message also contain this header?
If the Postfix SMTP server accepted REQUIRETLS, should that
stay in effect if, before the message is forwarded, the
configuration is changed to "requiretls_enable = no"? Same
for "postsuper -r".
Ditto for "tls_required_enable = no" and "TLS-Required:
no".
Simplify the cleanup_envelope_test. Write the initial SIZE
record to /dev/null, don't call cleanup_final(), and verify
the value of state->sendopts.
no". The header is provided by the sender, and enforcement
is up the Postfix SMTP client.
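Review bot: The closing sentence "enforcement is up the Postfix SMTP client" is missing a word and should read "enforcement is up to the Postfix SMTP client". The unchanged context at the top of this hunk, "not require that the LMTP server announces REQUIRETLS support", should also be rechecked against the smtp_helo() change in this commit, which drops the final-delivery exemption.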

View File

@ -143,11 +143,9 @@ SMTP(8) SMTP(8)
<b>X</b> Indicates that the delivery is final. This flag affects
the status reported in "success" DSN (delivery status
notification) messages, and changes it from "relayed"
into "delivered". The flag also suppresses the require-
ment that the remote server announces REQUIRETLS support.
into "delivered".
This feature is available as of Postfix 3.5; REQUIRETLS
support was introduced with Postfix 3.10.
This feature is available as of Postfix 3.5.
<b><a name="security">SECURITY</a></b>
The SMTP+LMTP client is moderately security-sensitive. It talks to SMTP
@ -749,6 +747,8 @@ SMTP(8) SMTP(8)
Request that remote SMTP servers send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key
instead of an X.509 certificate.
Available in Postfix version 3.10 and later:
<b><a href="postconf.5.html#smtp_tlsrpt_enable">smtp_tlsrpt_enable</a> (no)</b>
Enable support for <a href="https://tools.ietf.org/html/rfc8460">RFC 8460</a> TLSRPT notifications.

View File

@ -10575,13 +10575,15 @@ the mail server (IMPORTING HOME DIRECTORIES IS NOT RECOMMENDED).
<p> Enable support for the ESMTP verb "REQUIRETLS", defined in <a href="https://tools.ietf.org/html/rfc8689">RFC</a>
<a href="https://tools.ietf.org/html/rfc8689">8689</a>. By issuing this verb in the "MAIL FROM" command, a sender
requires that a message must be delivered over TLS connections with
a verified server certificate. This corresponds to the Postfix SMTP
client TLS security levels "secure", "verify", "fingerprint",
opportunistic "dane" with a successful certificate match, or
"dane-only" (the postfix-mta-sts-resolver plugin tells Postfix to
enforce a "secure with certificate match" policy). Otherwise, Postfix
returns the message as undeliverable. </p>
specifies that a message must be delivered over TLS connections
with a verified server certificate, to a server that announces
"REQUIRETLS" support. This corresponds to the Postfix SMTP client
TLS security levels "secure", "verify", "fingerprint", dane-only,
or opportunistic "dane", with a successful certificate match. The
Postfix SMTP client will try one or more servers, controlled with
the <a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> parameter, until it finds a server that
satisfies requirements. Otherwise, Postfix returns the message as
undeliverable. </p>
<p> Note: REQUIRETLS overrides "TLS-Required: no". </p>
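Review bot: In the rewritten level list, dane-only has lost its quotes while "secure", "verify", "fingerprint" and "dane" keep theirs, and the comma before "with a successful certificate match" makes it unclear whether that condition applies to opportunistic "dane" only or to every level. Suggest quoting "dane-only" and attaching the clause directly to opportunistic "dane", as the previous wording did. The new text also drops the postfix-mta-sts-resolver remark, so MTA-STS users no longer learn from this parameter whether their policy satisfies REQUIRETLS. The same wording recurs in the man page and proto copies of this paragraph later in the commit.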

View File

@ -143,11 +143,9 @@ SMTP(8) SMTP(8)
<b>X</b> Indicates that the delivery is final. This flag affects
the status reported in "success" DSN (delivery status
notification) messages, and changes it from "relayed"
into "delivered". The flag also suppresses the require-
ment that the remote server announces REQUIRETLS support.
into "delivered".
This feature is available as of Postfix 3.5; REQUIRETLS
support was introduced with Postfix 3.10.
This feature is available as of Postfix 3.5.
<b><a name="security">SECURITY</a></b>
The SMTP+LMTP client is moderately security-sensitive. It talks to SMTP
@ -749,6 +747,8 @@ SMTP(8) SMTP(8)
Request that remote SMTP servers send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key
instead of an X.509 certificate.
Available in Postfix version 3.10 and later:
<b><a href="postconf.5.html#smtp_tlsrpt_enable">smtp_tlsrpt_enable</a> (no)</b>
Enable support for <a href="https://tools.ietf.org/html/rfc8460">RFC 8460</a> TLSRPT notifications.

View File

@ -6581,13 +6581,15 @@ the mail server (IMPORTING HOME DIRECTORIES IS NOT RECOMMENDED).
.SH requiretls_enable (default: yes)
Enable support for the ESMTP verb "REQUIRETLS", defined in RFC
8689. By issuing this verb in the "MAIL FROM" command, a sender
requires that a message must be delivered over TLS connections with
a verified server certificate. This corresponds to the Postfix SMTP
client TLS security levels "secure", "verify", "fingerprint",
opportunistic "dane" with a successful certificate match, or
"dane\-only" (the postfix\-mta\-sts\-resolver plugin tells Postfix to
enforce a "secure with certificate match" policy). Otherwise, Postfix
returns the message as undeliverable.
specifies that a message must be delivered over TLS connections
with a verified server certificate, to a server that announces
"REQUIRETLS" support. This corresponds to the Postfix SMTP client
TLS security levels "secure", "verify", "fingerprint", dane\-only,
or opportunistic "dane", with a successful certificate match. The
Postfix SMTP client will try one or more servers, controlled with
the smtp_mx_address_limit parameter, until it finds a server that
satisfies requirements. Otherwise, Postfix returns the message as
undeliverable.
.PP
Note: REQUIRETLS overrides "TLS\-Required: no".
.PP

View File

@ -153,11 +153,9 @@ This feature is available as of Postfix 3.5.
Indicates that the delivery is final. This flag affects
the status reported in "success" DSN (delivery status
notification) messages, and changes it from "relayed" into
"delivered". The flag also suppresses the requirement that
the remote server announces REQUIRETLS support.
"delivered".
.sp
This feature is available as of Postfix 3.5;
REQUIRETLS support was introduced with Postfix 3.10.
This feature is available as of Postfix 3.5.
.RE
.SH "SECURITY"
.na
@ -675,7 +673,8 @@ Available in Postfix version 3.9 and later:
.IP "\fBsmtp_tls_enable_rpk (no)\fR"
Request that remote SMTP servers send an RFC7250 raw public key
instead of an X.509 certificate.
.PP Available in Postfix version 3.10 and later:
.PP
Available in Postfix version 3.10 and later:
.IP "\fBsmtp_tlsrpt_enable (no)\fR"
Enable support for RFC 8460 TLSRPT notifications.
.IP "\fBsmtp_tlsrpt_socket_name (empty)\fR"

View File

@ -19491,13 +19491,15 @@ certificates, and fall back to plaintext if TLS is unavailable.
<p> Enable support for the ESMTP verb "REQUIRETLS", defined in RFC
8689. By issuing this verb in the "MAIL FROM" command, a sender
requires that a message must be delivered over TLS connections with
a verified server certificate. This corresponds to the Postfix SMTP
client TLS security levels "secure", "verify", "fingerprint",
opportunistic "dane" with a successful certificate match, or
"dane-only" (the postfix-mta-sts-resolver plugin tells Postfix to
enforce a "secure with certificate match" policy). Otherwise, Postfix
returns the message as undeliverable. </p>
specifies that a message must be delivered over TLS connections
with a verified server certificate, to a server that announces
"REQUIRETLS" support. This corresponds to the Postfix SMTP client
TLS security levels "secure", "verify", "fingerprint", dane-only,
or opportunistic "dane", with a successful certificate match. The
Postfix SMTP client will try one or more servers, controlled with
the smtp_mx_address_limit parameter, until it finds a server that
satisfies requirements. Otherwise, Postfix returns the message as
undeliverable. </p>
<p> Note: REQUIRETLS overrides "TLS-Required: no". </p>

View File

@ -81,7 +81,7 @@
/* Autodetection: request SMTPUTF8 support if the message
/* contains an UTF8 message header, sender, or recipient.
/* .IP CLEANUP_FLAG_REQUIRETLS
/* The sender requested 'authenticated' TLS enforcement.
/* The sender requested REQUIRETLS (RFC 8689) enforcement.
/* DIAGNOSTICS
/* Problems and transactions are logged to \fBsyslogd\fR(8)
/* or \fBpostlogd\fR(8).

View File

@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
#define MAIL_RELEASE_DATE "20250122"
#define MAIL_RELEASE_DATE "20250126"
#define MAIL_VERSION_NUMBER "3.10"
#ifdef SNAPSHOT

View File

@ -139,11 +139,9 @@
/* Indicates that the delivery is final. This flag affects
/* the status reported in "success" DSN (delivery status
/* notification) messages, and changes it from "relayed" into
/* "delivered". The flag also suppresses the requirement that
/* the remote server announces REQUIRETLS support.
/* "delivered".
/* .sp
/* This feature is available as of Postfix 3.5;
/* REQUIRETLS support was introduced with Postfix 3.10.
/* This feature is available as of Postfix 3.5.
/* .RE
/* SECURITY
/* .ad
@ -641,7 +639,8 @@
/* .IP "\fBsmtp_tls_enable_rpk (no)\fR"
/* Request that remote SMTP servers send an RFC7250 raw public key
/* instead of an X.509 certificate.
/* .PP Available in Postfix version 3.10 and later:
/* .PP
/* Available in Postfix version 3.10 and later:
/* .IP "\fBsmtp_tlsrpt_enable (no)\fR"
/* Enable support for RFC 8460 TLSRPT notifications.
/* .IP "\fBsmtp_tlsrpt_socket_name (empty)\fR"

View File

@ -518,7 +518,8 @@ static int smtp_get_effective_tls_level(DSN_BUF *why, SMTP_STATE *state)
* If the sender requires TLS with server certificate verification, the
* TLS level must enforce a server certificate match.
*/
else if ((state->request->sendopts & SOPT_REQUIRETLS_ESMTP)) {
else if (var_requiretls_enable
&& (state->request->sendopts & SOPT_REQUIRETLS_ESMTP)) {
if (TLS_MUST_MATCH(tls->level) == 0) {
dsb_simple(why, "5.7.10", "Sender requires a TLS server "
"certificate match, but the configured %s TLS "

View File

@ -685,23 +685,15 @@ int smtp_helo(SMTP_STATE *state)
}
/*
* If delivery of a REQUIRETLS message is not final, require that the
* server announces REQUIRETLS when the sender requested REQUIRETLS.
* Return the message as undeliverable only when there are no more
* alternative MX hosts.
*
* If delivery of a REQUIRETLS message is final, we don't need the server to
* announce REQUIRETLS support (but we still had to enforce the
* requirement that the TLS session has a matched server certificate).
* Require that the server announces REQUIRETLS when the sender requested
* REQUIRETLS. Return the message as undeliverable only when there are no
* more alternative MX hosts.
*/
#define SERVER_MUST_OFFER_REQUIRETLS \
((request->sendopts & SOPT_REQUIRETLS_ESMTP) != 0 \
&& (smtp_cli_attr.flags & SMTP_CLI_FLAG_FINAL_DELIVERY) == 0)
#ifdef USE_TLS
if ((state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) != 0
&& (session->features & SMTP_FEATURE_REQUIRETLS) == 0
&& SERVER_MUST_OFFER_REQUIRETLS)
if (var_requiretls_enable
&& (request->sendopts & SOPT_REQUIRETLS_ESMTP) != 0
&& (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) != 0
&& (session->features & SMTP_FEATURE_REQUIRETLS) == 0)
return (smtp_misc_fail(state, SMTP_MISC_FAIL_SOFT_NON_FINAL,
DSN_BY_LOCAL_MTA,
SMTP_RESP_FAKE(&fake, "5.7.30"),
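Review bot: Removing "(smtp_cli_attr.flags & SMTP_CLI_FLAG_FINAL_DELIVERY) == 0" from the condition is a behavior change for transports that set flag X: a final-delivery server that does not announce REQUIRETLS now fails with the fake "5.7.30" reply, where it was previously exempt. The documentation hunks only delete the sentence about the exemption; a note for operators who relied on it (for example in the release notes) would help them find the cause of new bounces.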
@ -1227,7 +1219,8 @@ static int smtp_start_tls(SMTP_STATE *state)
* REQUIRETLS. Return the message as undeliverable only when
* there are no more alternative MX hosts.
*/
if ((state->request->sendopts & SOPT_REQUIRETLS_ESMTP)) {
if (var_requiretls_enable
&& (state->request->sendopts & SOPT_REQUIRETLS_ESMTP)) {
return (smtp_misc_fail(state, SMTP_MISC_FAIL_SOFT_NON_FINAL,
DSN_BY_LOCAL_MTA,
SMTP_RESP_FAKE(&fake, "5.7.10"),
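Review bot: The gate "var_requiretls_enable && (... sendopts & SOPT_REQUIRETLS_ESMTP)" is now spelled out separately here, in smtp_get_effective_tls_level(), in smtp_helo() and in smtp_loop(), and nothing in the lines shown records that a sender's REQUIRETLS request was skipped because requiretls_enable is off. Suggest one helper or macro for the test so the four sites cannot drift apart, and consider logging when the request is present but not enforced, which would also serve the log-only mode listed in the TODO.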
@ -1833,10 +1826,11 @@ static int smtp_loop(SMTP_STATE *state, NOCLOBBER int send_state,
* REQUIRETLS and the sender requested REQUIRETLS.
*/
#ifdef USE_TLS
if ((request->sendopts & SOPT_REQUIRETLS_ESMTP) != 0) {
if (var_requiretls_enable
&& (request->sendopts & SOPT_REQUIRETLS_ESMTP) != 0) {
if ((session->features & SMTP_FEATURE_REQUIRETLS) != 0)
vstring_strcat(next_command, " REQUIRETLS");
else if (SERVER_MUST_OFFER_REQUIRETLS)
else if ((request->sendopts & SOPT_REQUIRETLS_ESMTP) != 0)
msg_panic("Can't happen: message requires REQUIRETLS, but "
"host %s did not announce REQUIRETLS support",
session->namaddr);
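Review bot: The replacement test "else if ((request->sendopts & SOPT_REQUIRETLS_ESMTP) != 0)" repeats a condition the enclosing "if" has already established, so it is always true in this branch; a plain "else" states the invariant more clearly. Since msg_panic() terminates the delivery process, please also confirm that every path reaching this point has passed the smtp_helo() check, which only fires when SMTP_MISC_FLAG_IN_STARTTLS is set.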