postfix-3.7.13
This commit is contained in:
parent
0f41a30c25
commit
1c16cbb9eb
@ -26804,3 +26804,77 @@ Apologies for any names omitted.
|
||||
by Postfix (for example, a From: header with UTF8 full name
|
||||
information from the password file). Reported by Michael
|
||||
Tokarev. File: src/cleanup/cleanup_message.c.
|
||||
|
||||
20241205
|
||||
|
||||
Portability: include <sys_socket.h> for a SUNOS5 workaround.
|
||||
Gary R. Schmidt. File: util/peekfd.c.
|
||||
|
||||
20241230
|
||||
|
||||
Bugfix (defect introduced: Postfix 3.3, date 20180107) small
|
||||
memory leak in the cleanup daemon when generating a "From:
|
||||
full-name <addr-spec>" message header. The impact is limited
|
||||
because the number of requests is bounded by the "max_use"
|
||||
configuration parameter. Found during code maintenance.
|
||||
File: cleanup/cleanup_message.c.
|
||||
|
||||
20250111
|
||||
|
||||
Forward compatibility: ignore new queue file flag bits that may
|
||||
be used with Postfix 3.10 and later. This is a safety in case
|
||||
a Postfix 3.10 upgrade needs to be rolled back, after the new
|
||||
TLS-Required feature has been used. Files: global/smtputf8.h,
|
||||
*qmgr/qmgr_message.c.
|
||||
|
||||
20250115
|
||||
|
||||
Bugfix (defect introduced: Postfix 3.0): the bounce daemon
|
||||
mangled a non-ASCII address localpart in the "X-Postfix-Sender:"
|
||||
field of a delivery status notification. It backslash-escaped
|
||||
each byte in a multi-byte character. This behavior was
|
||||
implemented in Postfix 2.1 (no support for UTF8 local-parts),
|
||||
but it became incorrect after SMTPUTF8 support was implemented
|
||||
in Postfix 3.0. File: bounce/bounce_notify_util.c.
|
||||
|
||||
20250207
|
||||
|
||||
Performance: when a mysql: or pgsql: configuration specifies
|
||||
a single host, assume that it is a load balancer and reconnect
|
||||
immediately after a single failure, instead of failing all
|
||||
requests for 60s. Files: global/dict_pgsql.c, global/dict_mysql.c.
|
||||
|
||||
20250210
|
||||
|
||||
Bugfix (defect introduced: Postfix 3.6): Reverted the default
|
||||
smtp_tls_dane_insecure_mx_policy setting to "dane" as of Postfix
|
||||
3.6.17, 3.7.13, 3.8.8, 3.9.2, and 3.10.0. By mistake the default
|
||||
was dependent on the smtp_tls_security_level setting. Files:
|
||||
global/mail_params.h, proto/postconf.proto, smtp/smtp.c.
|
||||
|
||||
20250212
|
||||
|
||||
Support for OpenSSL 3.5 post-quantum cryptography. To manage
|
||||
algorithm selection, OpenSSL introduces new TLS group syntax
|
||||
that Postfix will not attempt to imitate. Instead, Postfix
|
||||
now allows the tls_eecdh_auto_curves and tls_ffdhe_auto_groups
|
||||
parameter values to have an empty value. When both are set
|
||||
empty, the algorithm selection can be managed through OpenSSL
|
||||
configuration. Viktor Dukhovni. File: tls/tls_misc.c.
|
||||
|
||||
Bugfix (defect introduced: Postfix 3.4, date 20181113): a
|
||||
server with multiple TLS certificates could report, for a
|
||||
resumed TLS session, the wrong server-signature and
|
||||
server-digest names in logging and Received: message headers.
|
||||
Viktor Dukhovni. File: tls/tls_misc.c.
|
||||
|
||||
20250213
|
||||
|
||||
Documentation: updated postconf(5) that the parameters
|
||||
smtpd_tls_eecdh_grade, tls_eecdh_strong_curve,
|
||||
tls_eecdh_ultra_curve, and tlsproxy_tls_eecdh_grade, are
|
||||
not used since Postfix 3.6; updated the tls_eecdh_auto_curves
|
||||
and tls_ffdhe_auto_groups description with post-quantum
|
||||
configuration; added a post-quantum example to the
|
||||
tls_config_file description. File: proto/postconf.proto.
|
||||
The unused parameters will be deleted in Postfix 3.11.
|
||||
|
@ -662,7 +662,7 @@ SMTP(8) SMTP(8)
|
||||
|
||||
Available in Postfix version 3.1 and later:
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_dane_insecure_mx_policy">smtp_tls_dane_insecure_mx_policy</a> (see 'postconf -d' output)</b>
|
||||
<b><a href="postconf.5.html#smtp_tls_dane_insecure_mx_policy">smtp_tls_dane_insecure_mx_policy</a> (dane)</b>
|
||||
The TLS policy for MX hosts with "secure" TLSA records when the
|
||||
nexthop destination security level is <b>dane</b>, but the MX record
|
||||
was found via an "insecure" MX lookup.
|
||||
|
@ -12871,7 +12871,7 @@ TLS connection reuse</a>" for background details. </p>
|
||||
</DD>
|
||||
|
||||
<DT><b><a name="smtp_tls_dane_insecure_mx_policy">smtp_tls_dane_insecure_mx_policy</a>
|
||||
(default: see "postconf -d" output)</b></DT><DD>
|
||||
(default: dane)</b></DT><DD>
|
||||
|
||||
<p> The TLS policy for MX hosts with "secure" TLSA records when the
|
||||
nexthop destination security level is <b>dane</b>, but the MX
|
||||
@ -12895,10 +12895,9 @@ authentication succeeds, it will be logged only as "Trusted", not
|
||||
"Verified", because the MX host name could have been forged. </dd>
|
||||
</dl>
|
||||
|
||||
<p> The default setting for Postfix ≥ 3.6 is "dane" with
|
||||
"<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = dane", otherwise "may". This behavior
|
||||
was backported to Postfix versions 3.5.9, 3.4.19, 3.3.16. 3.2.21.
|
||||
With earlier Postfix versions the default setting was always "dane".
|
||||
<p> The default setting is "dane" as of Postfix versions 3.6.17,
|
||||
3.7.13, 3.8.8, 3.9.2, and 3.10.0. With earlier versions the default
|
||||
was mistakenly dependent on the <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> setting.
|
||||
</p>
|
||||
|
||||
<p> Though with "insecure" MX records an active attacker can
|
||||
@ -18219,6 +18218,8 @@ this parameter is always ignored, and Postfix behaves as though the
|
||||
<b>auto</b> value (described below) was chosen.
|
||||
</p>
|
||||
|
||||
<p> This feature is not used as of Postfix 3.6. Do not specify. </p>
|
||||
|
||||
<p> The available choices are: </p>
|
||||
|
||||
<dl>
|
||||
@ -19360,6 +19361,45 @@ MinProtocol = TLSv1
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> Example: Custom OpenSSL group settings. </p>
|
||||
|
||||
<pre>
|
||||
<a href="postconf.5.html">main.cf</a>:
|
||||
<a href="postconf.5.html#tls_config_file">tls_config_file</a> = ${<a href="postconf.5.html#config_directory">config_directory</a>}/openssl.cnf
|
||||
<a href="postconf.5.html#tls_config_name">tls_config_name</a> = postfix
|
||||
</pre>
|
||||
|
||||
<pre>
|
||||
openssl.cnf:
|
||||
postfix = postfix_settings
|
||||
</pre>
|
||||
|
||||
<pre>
|
||||
[postfix_settings]
|
||||
ssl_conf = postfix_ssl_settings
|
||||
</pre>
|
||||
|
||||
<pre>
|
||||
[postfix_ssl_settings]
|
||||
system_default = baseline_postfix_settings
|
||||
</pre>
|
||||
|
||||
<pre>
|
||||
[baseline_postfix_settings]
|
||||
# New OpenSSL 3.5 syntax, for older releases consider
|
||||
# the Postfix default:
|
||||
#
|
||||
# Groups = X25519:X448:prime256v1:secp384r1:secp521r1:ffdhe2048:ffdhe3072
|
||||
#
|
||||
Groups = *X25519MLKEM768 / *X25519:X448 / P-256:P-384
|
||||
</pre>
|
||||
|
||||
<p> Caution: It is typically best to just use the default OpenSSL
|
||||
group settings, by setting "<a href="postconf.5.html#tls_config_file">tls_config_file</a> = none". Overly strict
|
||||
system-wide TLS settings will conflict with Postfix's opportunistic
|
||||
TLS, where being less restrictive is better than downgrading to
|
||||
cleartext SMTP. </p>
|
||||
|
||||
<p> This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6,
|
||||
3.6.10, and 3.5.20. </p>
|
||||
|
||||
@ -19552,8 +19592,7 @@ be using 0.9.6! </dd>
|
||||
(default: see "postconf -d" output)</b></DT><DD>
|
||||
|
||||
<p> The prioritized list of elliptic curves supported by the Postfix
|
||||
SMTP client and server. These curves are used by the Postfix SMTP
|
||||
server when "<a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a> = auto". The selected curves
|
||||
SMTP client and server. The selected curves
|
||||
must be implemented by OpenSSL and be standardized for use in TLS
|
||||
(<a href="https://tools.ietf.org/html/rfc8422">RFC 8422</a>). It is unwise to list only
|
||||
"bleeding-edge" curves supported by a small subset of clients. The
|
||||
@ -19568,6 +19607,14 @@ support for either or both may be missing. These curves may appear
|
||||
in the default value of this parameter, even though they'll only
|
||||
be usable with later versions of OpenSSL. </p>
|
||||
|
||||
<p> Post-quantum cryptography support: OpenSSL 3.5 introduces new
|
||||
configuration syntax that Postfix will not attempt to imitate.
|
||||
Instead, with Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and later, set
|
||||
both <a href="postconf.5.html#tls_eecdh_auto_curves">tls_eecdh_auto_curves</a> and if available tls_ffdhe_auto_groups
|
||||
to the empty value, to enable algorithm selection through OpenSSL
|
||||
configuration. See <a href="postconf.5.html#tls_config_file">tls_config_file</a> for a configuration example.
|
||||
</p>
|
||||
|
||||
<p> This feature is available in Postfix 3.2 and later, when it is
|
||||
compiled and linked with OpenSSL 1.0.2 or later on platforms where
|
||||
EC algorithms have not been disabled by the vendor. </p>
|
||||
@ -19591,6 +19638,8 @@ must support this curve for EECDH key exchange to take place. It
|
||||
is unwise to choose only "bleeding-edge" curves supported by only a
|
||||
small subset of clients. </p>
|
||||
|
||||
<p> This feature is not used as of Postfix 3.6. Do not specify. </p>
|
||||
|
||||
<p> The default "strong" curve is rated in NSA <a
|
||||
href="https://web.archive.org/web/20160330034144/https://www.nsa.gov/ia/programs/suiteb_cryptography/">Suite
|
||||
B</a> for information classified up to SECRET. </p>
|
||||
@ -19635,6 +19684,8 @@ client implementations must support this curve for EECDH key exchange
|
||||
to take place. It is unwise to choose only "bleeding-edge" curves
|
||||
supported by only a small subset of clients. </p>
|
||||
|
||||
<p> This feature is not used as of Postfix 3.6. Do not specify. </p>
|
||||
|
||||
<p> This default "ultra" curve is rated in NSA <a
|
||||
href="https://web.archive.org/web/20160330034144/https://www.nsa.gov/ia/programs/suiteb_cryptography/">Suite
|
||||
B</a> for information classified up to TOP SECRET. </p>
|
||||
@ -20594,6 +20645,8 @@ the "<a href="postconf.5.html#tlsproxy_tls_chain_files">tlsproxy_tls_chain_files
|
||||
elliptic-curve Diffie-Hellman (EECDH) key exchange. See
|
||||
<a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a> for further details. </p>
|
||||
|
||||
<p> This feature is not used as of Postfix 3.6. Do not specify. </p>
|
||||
|
||||
<p> This feature is available in Postfix 2.8 and later. </p>
|
||||
|
||||
|
||||
|
@ -662,7 +662,7 @@ SMTP(8) SMTP(8)
|
||||
|
||||
Available in Postfix version 3.1 and later:
|
||||
|
||||
<b><a href="postconf.5.html#smtp_tls_dane_insecure_mx_policy">smtp_tls_dane_insecure_mx_policy</a> (see 'postconf -d' output)</b>
|
||||
<b><a href="postconf.5.html#smtp_tls_dane_insecure_mx_policy">smtp_tls_dane_insecure_mx_policy</a> (dane)</b>
|
||||
The TLS policy for MX hosts with "secure" TLSA records when the
|
||||
nexthop destination security level is <b>dane</b>, but the MX record
|
||||
was found via an "insecure" MX lookup.
|
||||
|
@ -8383,7 +8383,7 @@ See "Client\-side
|
||||
TLS connection reuse" for background details.
|
||||
.PP
|
||||
This feature is available in Postfix 3.4 and later.
|
||||
.SH smtp_tls_dane_insecure_mx_policy (default: see "postconf \-d" output)
|
||||
.SH smtp_tls_dane_insecure_mx_policy (default: dane)
|
||||
The TLS policy for MX hosts with "secure" TLSA records when the
|
||||
nexthop destination security level is \fBdane\fR, but the MX
|
||||
record was found via an "insecure" MX lookup. The choices are:
|
||||
@ -8404,10 +8404,9 @@ authentication succeeds, it will be logged only as "Trusted", not
|
||||
"Verified", because the MX host name could have been forged.
|
||||
.br
|
||||
.br
|
||||
The default setting for Postfix >= 3.6 is "dane" with
|
||||
"smtp_tls_security_level = dane", otherwise "may". This behavior
|
||||
was backported to Postfix versions 3.5.9, 3.4.19, 3.3.16. 3.2.21.
|
||||
With earlier Postfix versions the default setting was always "dane".
|
||||
The default setting is "dane" as of Postfix versions 3.6.17,
|
||||
3.7.13, 3.8.8, 3.9.2, and 3.10.0. With earlier versions the default
|
||||
was mistakenly dependent on the smtp_tls_security_level setting.
|
||||
.PP
|
||||
Though with "insecure" MX records an active attacker can
|
||||
compromise SMTP transport security by returning forged MX records,
|
||||
@ -12829,6 +12828,8 @@ Diffie\-Hellman (EECDH) key exchange. As of Postfix 3.6, the value of
|
||||
this parameter is always ignored, and Postfix behaves as though the
|
||||
\fBauto\fR value (described below) was chosen.
|
||||
.PP
|
||||
This feature is not used as of Postfix 3.6. Do not specify.
|
||||
.PP
|
||||
The available choices are:
|
||||
.IP "\fBauto\fR"
|
||||
Use the most preferred curve that is
|
||||
@ -13768,6 +13769,65 @@ MinProtocol = TLSv1
|
||||
.ft R
|
||||
.in -4
|
||||
.PP
|
||||
Example: Custom OpenSSL group settings.
|
||||
.PP
|
||||
.nf
|
||||
.na
|
||||
.ft C
|
||||
main.cf:
|
||||
tls_config_file = ${config_directory}/openssl.cnf
|
||||
tls_config_name = postfix
|
||||
.fi
|
||||
.ad
|
||||
.ft R
|
||||
.PP
|
||||
.nf
|
||||
.na
|
||||
.ft C
|
||||
openssl.cnf:
|
||||
postfix = postfix_settings
|
||||
.fi
|
||||
.ad
|
||||
.ft R
|
||||
.PP
|
||||
.nf
|
||||
.na
|
||||
.ft C
|
||||
[postfix_settings]
|
||||
ssl_conf = postfix_ssl_settings
|
||||
.fi
|
||||
.ad
|
||||
.ft R
|
||||
.PP
|
||||
.nf
|
||||
.na
|
||||
.ft C
|
||||
[postfix_ssl_settings]
|
||||
system_default = baseline_postfix_settings
|
||||
.fi
|
||||
.ad
|
||||
.ft R
|
||||
.PP
|
||||
.nf
|
||||
.na
|
||||
.ft C
|
||||
[baseline_postfix_settings]
|
||||
# New OpenSSL 3.5 syntax, for older releases consider
|
||||
# the Postfix default:
|
||||
#
|
||||
# Groups = X25519:X448:prime256v1:secp384r1:secp521r1:ffdhe2048:ffdhe3072
|
||||
#
|
||||
Groups = *X25519MLKEM768 / *X25519:X448 / P\-256:P\-384
|
||||
.fi
|
||||
.ad
|
||||
.ft R
|
||||
.PP
|
||||
Caution: It is typically best to just use the default OpenSSL
|
||||
group settings, by setting "tls_config_file = none". Overly strict
|
||||
system\-wide TLS settings will conflict with Postfix's opportunistic
|
||||
TLS, where being less restrictive is better than downgrading to
|
||||
cleartext SMTP.
|
||||
.PP
|
||||
This feature is available in Postfix >= 3.9, 3.8.1, 3.7.6,
|
||||
3.6.10, and 3.5.20.
|
||||
.SH tls_config_name (default: empty)
|
||||
@ -13929,8 +13989,7 @@ Postfix >= 3.4. See \fBSSL_CTX_set_options\fR(3).
|
||||
This feature is available in Postfix 2.8 and later.
|
||||
.SH tls_eecdh_auto_curves (default: see "postconf \-d" output)
|
||||
The prioritized list of elliptic curves supported by the Postfix
|
||||
SMTP client and server. These curves are used by the Postfix SMTP
|
||||
server when "smtpd_tls_eecdh_grade = auto". The selected curves
|
||||
SMTP client and server. The selected curves
|
||||
must be implemented by OpenSSL and be standardized for use in TLS
|
||||
(RFC 8422). It is unwise to list only
|
||||
"bleeding\-edge" curves supported by a small subset of clients. The
|
||||
@ -13945,6 +14004,13 @@ support for either or both may be missing. These curves may appear
|
||||
in the default value of this parameter, even though they'll only
|
||||
be usable with later versions of OpenSSL.
|
||||
.PP
|
||||
Post\-quantum cryptography support: OpenSSL 3.5 introduces new
|
||||
configuration syntax that Postfix will not attempt to imitate.
|
||||
Instead, with Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and later, set
|
||||
both tls_eecdh_auto_curves and if available tls_ffdhe_auto_groups
|
||||
to the empty value, to enable algorithm selection through OpenSSL
|
||||
configuration. See tls_config_file for a configuration example.
|
||||
.PP
|
||||
This feature is available in Postfix 3.2 and later, when it is
|
||||
compiled and linked with OpenSSL 1.0.2 or later on platforms where
|
||||
EC algorithms have not been disabled by the vendor.
|
||||
@ -13962,6 +14028,8 @@ must support this curve for EECDH key exchange to take place. It
|
||||
is unwise to choose only "bleeding\-edge" curves supported by only a
|
||||
small subset of clients.
|
||||
.PP
|
||||
This feature is not used as of Postfix 3.6. Do not specify.
|
||||
.PP
|
||||
The default "strong" curve is rated in NSA Suite
|
||||
B for information classified up to SECRET.
|
||||
.PP
|
||||
@ -13997,6 +14065,8 @@ client implementations must support this curve for EECDH key exchange
|
||||
to take place. It is unwise to choose only "bleeding\-edge" curves
|
||||
supported by only a small subset of clients.
|
||||
.PP
|
||||
This feature is not used as of Postfix 3.6. Do not specify.
|
||||
.PP
|
||||
This default "ultra" curve is rated in NSA Suite
|
||||
B for information classified up to TOP SECRET.
|
||||
.PP
|
||||
@ -14636,6 +14706,8 @@ The Postfix \fBtlsproxy\fR(8) server security grade for ephemeral
|
||||
elliptic\-curve Diffie\-Hellman (EECDH) key exchange. See
|
||||
smtpd_tls_eecdh_grade for further details.
|
||||
.PP
|
||||
This feature is not used as of Postfix 3.6. Do not specify.
|
||||
.PP
|
||||
This feature is available in Postfix 2.8 and later.
|
||||
.SH tlsproxy_tls_exclude_ciphers (default: $smtpd_tls_exclude_ciphers)
|
||||
List of ciphers or cipher types to exclude from the \fBtlsproxy\fR(8)
|
||||
|
@ -460,9 +460,7 @@ FROM command in SASL\-authenticated SMTP sessions.
|
||||
Detailed information about STARTTLS configuration may be found
|
||||
in the TLS_README document.
|
||||
.IP "\fBsmtp_tls_security_level (empty)\fR"
|
||||
The default SMTP TLS security level for the Postfix SMTP client;
|
||||
when a non\-empty value is specified, this overrides the obsolete
|
||||
parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
|
||||
The default SMTP TLS security level for the Postfix SMTP client.
|
||||
.IP "\fBsmtp_sasl_tls_security_options ($smtp_sasl_security_options)\fR"
|
||||
The SASL authentication security options that the Postfix SMTP
|
||||
client uses for TLS encrypted SMTP sessions.
|
||||
@ -595,10 +593,10 @@ The name of the \fBtlsmgr\fR(8) service entry in master.cf.
|
||||
Available in Postfix version 3.0 and later:
|
||||
.IP "\fBsmtp_tls_wrappermode (no)\fR"
|
||||
Request that the Postfix SMTP client connects using the
|
||||
legacy SMTPS protocol instead of using the STARTTLS command.
|
||||
SUBMISSIONS/SMTPS protocol instead of using the STARTTLS command.
|
||||
.PP
|
||||
Available in Postfix version 3.1 and later:
|
||||
.IP "\fBsmtp_tls_dane_insecure_mx_policy (see 'postconf -d' output)\fR"
|
||||
.IP "\fBsmtp_tls_dane_insecure_mx_policy (dane)\fR"
|
||||
The TLS policy for MX hosts with "secure" TLSA records when the
|
||||
nexthop destination security level is \fBdane\fR, but the MX
|
||||
record was found via an "insecure" MX lookup.
|
||||
@ -767,7 +765,7 @@ transport.
|
||||
Preliminary SMTPUTF8 support is introduced with Postfix 3.0.
|
||||
.IP "\fBsmtputf8_enable (yes)\fR"
|
||||
Enable preliminary SMTPUTF8 support for the protocols described
|
||||
in RFC 6531..6533.
|
||||
in RFC 6531, RFC 6532, and RFC 6533.
|
||||
.IP "\fBsmtputf8_autodetect_classes (sendmail, verify)\fR"
|
||||
Detect that a message requires SMTPUTF8 support for the specified
|
||||
mail origin classes.
|
||||
|
@ -13088,8 +13088,7 @@ parameter. See there for details. </p>
|
||||
%PARAM tls_eecdh_auto_curves see "postconf -d" output
|
||||
|
||||
<p> The prioritized list of elliptic curves supported by the Postfix
|
||||
SMTP client and server. These curves are used by the Postfix SMTP
|
||||
server when "smtpd_tls_eecdh_grade = auto". The selected curves
|
||||
SMTP client and server. The selected curves
|
||||
must be implemented by OpenSSL and be standardized for use in TLS
|
||||
(RFC 8422). It is unwise to list only
|
||||
"bleeding-edge" curves supported by a small subset of clients. The
|
||||
@ -13104,6 +13103,14 @@ support for either or both may be missing. These curves may appear
|
||||
in the default value of this parameter, even though they'll only
|
||||
be usable with later versions of OpenSSL. </p>
|
||||
|
||||
<p> Post-quantum cryptography support: OpenSSL 3.5 introduces new
|
||||
configuration syntax that Postfix will not attempt to imitate.
|
||||
Instead, with Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and later, set
|
||||
both tls_eecdh_auto_curves and if available tls_ffdhe_auto_groups
|
||||
to the empty value, to enable algorithm selection through OpenSSL
|
||||
configuration. See tls_config_file for a configuration example.
|
||||
</p>
|
||||
|
||||
<p> This feature is available in Postfix 3.2 and later, when it is
|
||||
compiled and linked with OpenSSL 1.0.2 or later on platforms where
|
||||
EC algorithms have not been disabled by the vendor. </p>
|
||||
@ -13123,6 +13130,8 @@ must support this curve for EECDH key exchange to take place. It
|
||||
is unwise to choose only "bleeding-edge" curves supported by only a
|
||||
small subset of clients. </p>
|
||||
|
||||
<p> This feature is not used as of Postfix 3.6. Do not specify. </p>
|
||||
|
||||
<p> The default "strong" curve is rated in NSA <a
|
||||
href="https://web.archive.org/web/20160330034144/https://www.nsa.gov/ia/programs/suiteb_cryptography/">Suite
|
||||
B</a> for information classified up to SECRET. </p>
|
||||
@ -13163,6 +13172,8 @@ client implementations must support this curve for EECDH key exchange
|
||||
to take place. It is unwise to choose only "bleeding-edge" curves
|
||||
supported by only a small subset of clients. </p>
|
||||
|
||||
<p> This feature is not used as of Postfix 3.6. Do not specify. </p>
|
||||
|
||||
<p> This default "ultra" curve is rated in NSA <a
|
||||
href="https://web.archive.org/web/20160330034144/https://www.nsa.gov/ia/programs/suiteb_cryptography/">Suite
|
||||
B</a> for information classified up to TOP SECRET. </p>
|
||||
@ -13189,6 +13200,8 @@ this parameter is always ignored, and Postfix behaves as though the
|
||||
<b>auto</b> value (described below) was chosen.
|
||||
</p>
|
||||
|
||||
<p> This feature is not used as of Postfix 3.6. Do not specify. </p>
|
||||
|
||||
<p> The available choices are: </p>
|
||||
|
||||
<dl>
|
||||
@ -15611,6 +15624,8 @@ the "tlsproxy_tls_chain_files" parameter. </p>
|
||||
elliptic-curve Diffie-Hellman (EECDH) key exchange. See
|
||||
smtpd_tls_eecdh_grade for further details. </p>
|
||||
|
||||
<p> This feature is not used as of Postfix 3.6. Do not specify. </p>
|
||||
|
||||
<p> This feature is available in Postfix 2.8 and later. </p>
|
||||
|
||||
%PARAM tlsproxy_tls_exclude_ciphers $smtpd_tls_exclude_ciphers
|
||||
@ -17215,7 +17230,7 @@ clients). </p>
|
||||
This feature is available in Postfix 3.1 and later.
|
||||
</p>
|
||||
|
||||
%PARAM smtp_tls_dane_insecure_mx_policy see "postconf -d" output
|
||||
%PARAM smtp_tls_dane_insecure_mx_policy dane
|
||||
|
||||
<p> The TLS policy for MX hosts with "secure" TLSA records when the
|
||||
nexthop destination security level is <b>dane</b>, but the MX
|
||||
@ -17239,10 +17254,9 @@ authentication succeeds, it will be logged only as "Trusted", not
|
||||
"Verified", because the MX host name could have been forged. </dd>
|
||||
</dl>
|
||||
|
||||
<p> The default setting for Postfix ≥ 3.6 is "dane" with
|
||||
"smtp_tls_security_level = dane", otherwise "may". This behavior
|
||||
was backported to Postfix versions 3.5.9, 3.4.19, 3.3.16. 3.2.21.
|
||||
With earlier Postfix versions the default setting was always "dane".
|
||||
<p> The default setting is "dane" as of Postfix versions 3.6.17,
|
||||
3.7.13, 3.8.8, 3.9.2, and 3.10.0. With earlier versions the default
|
||||
was mistakenly dependent on the smtp_tls_security_level setting.
|
||||
</p>
|
||||
|
||||
<p> Though with "insecure" MX records an active attacker can
|
||||
@ -18534,6 +18548,45 @@ MinProtocol = TLSv1
|
||||
</pre>
|
||||
</blockquote>
|
||||
|
||||
<p> Example: Custom OpenSSL group settings. </p>
|
||||
|
||||
<pre>
|
||||
main.cf:
|
||||
tls_config_file = ${config_directory}/openssl.cnf
|
||||
tls_config_name = postfix
|
||||
</pre>
|
||||
|
||||
<pre>
|
||||
openssl.cnf:
|
||||
postfix = postfix_settings
|
||||
</pre>
|
||||
|
||||
<pre>
|
||||
[postfix_settings]
|
||||
ssl_conf = postfix_ssl_settings
|
||||
</pre>
|
||||
|
||||
<pre>
|
||||
[postfix_ssl_settings]
|
||||
system_default = baseline_postfix_settings
|
||||
</pre>
|
||||
|
||||
<pre>
|
||||
[baseline_postfix_settings]
|
||||
# New OpenSSL 3.5 syntax, for older releases consider
|
||||
# the Postfix default:
|
||||
#
|
||||
# Groups = X25519:X448:prime256v1:secp384r1:secp521r1:ffdhe2048:ffdhe3072
|
||||
#
|
||||
Groups = *X25519MLKEM768 / *X25519:X448 / P-256:P-384
|
||||
</pre>
|
||||
|
||||
<p> Caution: It is typically best to just use the default OpenSSL
|
||||
group settings, by setting "tls_config_file = none". Overly strict
|
||||
system-wide TLS settings will conflict with Postfix's opportunistic
|
||||
TLS, where being less restrictive is better than downgrading to
|
||||
cleartext SMTP. </p>
|
||||
|
||||
<p> This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6,
|
||||
3.6.10, and 3.5.20. </p>
|
||||
|
||||
|
@ -356,7 +356,8 @@ static BOUNCE_INFO *bounce_mail_alloc(const char *service,
|
||||
quote_822_local_flags(bounce_info->sender,
|
||||
VSTRING_LEN(bounce_info->buf) ?
|
||||
STR(bounce_info->buf) :
|
||||
mail_addr_mail_daemon(), 0);
|
||||
mail_addr_mail_daemon(),
|
||||
QUOTE_FLAG_8BITCLEAN);
|
||||
}
|
||||
|
||||
/*
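Review bot: The new `QUOTE_FLAG_8BITCLEAN` argument carries the whole of the 20250115 fix, but nothing at the call site says why the sender localpart must now be quoted 8-bit clean, so a reader will not connect it to SMTPUTF8. Suggest a comment above the `quote_822_local_flags(` call: `/* 8BITCLEAN: leave the bytes of multi-byte (SMTPUTF8) localpart characters intact instead of backslash-escaping each one. */`. bounce_mail_alloc starts outside the hunk, so whether the sender address was already validated as UTF-8 before this point cannot be seen here.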
|
||||
|
@ -779,7 +779,7 @@ static void cleanup_header_done_callback(void *context)
|
||||
}
|
||||
if (token) {
|
||||
tok822_externalize(state->temp2, token, TOK822_STR_NONE);
|
||||
tok822_free(token);
|
||||
tok822_free_tree(token);
|
||||
vstring_strcat(state->temp2, " ");
|
||||
}
|
||||
vstring_sprintf_append(state->temp2, "<%s>",
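Review bot: The switch to `tok822_free_tree` is the leak fix from the 20241230 entry, but the code still gives no hint that `token` heads a parse tree rather than a single node, which is exactly the assumption the old `tok822_free` call got wrong. Suggest `/* token is a parse tree: free its children too (leaked since Postfix 3.3). */` above the call, so the next maintainer does not "simplify" it back. cleanup_header_done_callback starts outside the hunk.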
|
||||
|
@ -798,6 +798,9 @@ static void mysql_parse_config(DICT_MYSQL *dict_mysql, const char *mysqlcf)
|
||||
msg_info("%s: %s: no hostnames specified, defaulting to '%s'",
|
||||
myname, mysqlcf, dict_mysql->hosts->argv[0]);
|
||||
}
|
||||
/* Don't blacklist the load balancer! */
|
||||
if (dict_mysql->hosts->argc == 1)
|
||||
argv_add(dict_mysql->hosts, dict_mysql->hosts->argv[0], (char *) 0);
|
||||
myfree(hosts);
|
||||
}
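Review bot: The comment `/* Don't blacklist the load balancer! */` states an intent but not the mechanism: adding the single host to its own argv a second time means that when one entry is marked failed for the retry interval, the other entry still permits an immediate reconnect. That deserves a sentence, because a future reader could "deduplicate" this list and silently reintroduce the 60s outage described in the 20250207 entry. Suggest extending the comment to `/* A single host is presumably a load balancer: list it twice so that one failed entry does not suspend all lookups for the retry interval. */`. The same applies to the identical hunk in dict_pgsql.c. mysql_parse_config begins outside the hunk.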
|
||||
|
||||
|
@ -776,6 +776,9 @@ static void pgsql_parse_config(DICT_PGSQL *dict_pgsql, const char *pgsqlcf)
|
||||
msg_info("%s: %s: no hostnames specified, defaulting to '%s'",
|
||||
myname, pgsqlcf, dict_pgsql->hosts->argv[0]);
|
||||
}
|
||||
/* Don't blacklist the load balancer! */
|
||||
if (dict_pgsql->hosts->argc == 1)
|
||||
argv_add(dict_pgsql->hosts, dict_pgsql->hosts->argv[0], (char *) 0);
|
||||
myfree(hosts);
|
||||
}
|
||||
|
||||
|
@ -1650,7 +1650,7 @@ extern bool var_smtp_tls_force_tlsa;
|
||||
|
||||
/* SMTP only */
|
||||
#define VAR_SMTP_TLS_INSECURE_MX_POLICY "smtp_tls_dane_insecure_mx_policy"
|
||||
#define DEF_SMTP_TLS_INSECURE_MX_POLICY "${{$smtp_tls_security_level} == {dane} ? {dane} : {may}}"
|
||||
#define DEF_SMTP_TLS_INSECURE_MX_POLICY "dane"
|
||||
extern char *var_smtp_tls_insecure_mx_policy;
|
||||
|
||||
/*
|
||||
|
@ -20,8 +20,8 @@
|
||||
* Patches change both the patchlevel and the release date. Snapshots have no
|
||||
* patchlevel; they change the release date only.
|
||||
*/
|
||||
#define MAIL_RELEASE_DATE "20241204"
|
||||
#define MAIL_VERSION_NUMBER "3.7.12"
|
||||
#define MAIL_RELEASE_DATE "20250216"
|
||||
#define MAIL_VERSION_NUMBER "3.7.13"
|
||||
|
||||
#ifdef SNAPSHOT
|
||||
#define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
|
||||
|
@ -99,6 +99,11 @@ extern int smtputf8_autodetect(int);
|
||||
#define SMTPUTF8_FLAG_SENDER (1<<2) /* queue file/delivery/bounce request */
|
||||
#define SMTPUTF8_FLAG_RECIPIENT (1<<3) /* delivery request only */
|
||||
|
||||
#define SMTPUTF8_FLAG_ALL (SMTPUTF8_FLAG_REQUESTED \
|
||||
| SMTPUTF8_FLAG_HEADER \
|
||||
| SMTPUTF8_FLAG_SENDER \
|
||||
| SMTPUTF8_FLAG_RECIPIENT)
|
||||
|
||||
/* LICENSE
|
||||
/* .ad
|
||||
/* .fi
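Review bot: `SMTPUTF8_FLAG_ALL` is introduced without a comment, unlike the neighbouring flag definitions which each say where the bit is used. Since its purpose (per the 20250111 entry) is a mask that lets qmgr drop flag bits defined by later releases, suggest `/* All flag bits this release understands; qmgr masks queue-file flags with it for forward compatibility. */` on the line above the define, so that whoever adds the next flag knows the mask must be extended.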
|
||||
|
@ -285,6 +285,7 @@ qmgr_message.o: ../../include/resolve_clnt.h
|
||||
qmgr_message.o: ../../include/rewrite_clnt.h
|
||||
qmgr_message.o: ../../include/scan_dir.h
|
||||
qmgr_message.o: ../../include/sent.h
|
||||
qmgr_message.o: ../../include/smtputf8.h
|
||||
qmgr_message.o: ../../include/split_addr.h
|
||||
qmgr_message.o: ../../include/split_at.h
|
||||
qmgr_message.o: ../../include/stringops.h
|
||||
|
@ -137,6 +137,7 @@
|
||||
#include <split_addr.h>
|
||||
#include <dsn_mask.h>
|
||||
#include <rec_attr_map.h>
|
||||
#include <smtputf8.h>
|
||||
|
||||
/* Client stubs. */
|
||||
|
||||
@ -562,6 +563,8 @@ static int qmgr_message_read(QMGR_MESSAGE *message)
|
||||
rec_type = REC_TYPE_ERROR;
|
||||
break;
|
||||
}
|
||||
/* Forward compatibility. */
|
||||
message->smtputf8 &= SMTPUTF8_FLAG_ALL;
|
||||
} else if (count == 1) {
|
||||
/* Postfix < 1.0 (a.k.a. 20010228). */
|
||||
qmgr_message_oldstyle_scan(message);
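Review bot: `message->smtputf8 &= SMTPUTF8_FLAG_ALL;` silently discards bits that a newer Postfix wrote into the queue file, and per the 20250111 entry those bits can encode a TLS-Required request, so after a rollback such a message is delivered without the stricter policy and nothing in the log says so. Suggest recording when bits are actually dropped, for example `if (msg_verbose && (message->smtputf8 & ~SMTPUTF8_FLAG_ALL)) msg_info("%s: ignoring unknown queue file flags 0x%x", message->queue_id, message->smtputf8 & ~SMTPUTF8_FLAG_ALL);` placed before the mask, and expanding the comment to `/* Forward compatibility: drop flag bits defined by later releases. */`. The same hunk appears in the second qmgr_message.c (after the `@ -603,6 +604,8 @@` header) and would want the same treatment. qmgr_message_read starts outside the hunk.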
|
||||
|
@ -301,6 +301,7 @@ qmgr_message.o: ../../include/rewrite_clnt.h
|
||||
qmgr_message.o: ../../include/sane_time.h
|
||||
qmgr_message.o: ../../include/scan_dir.h
|
||||
qmgr_message.o: ../../include/sent.h
|
||||
qmgr_message.o: ../../include/smtputf8.h
|
||||
qmgr_message.o: ../../include/split_addr.h
|
||||
qmgr_message.o: ../../include/split_at.h
|
||||
qmgr_message.o: ../../include/stringops.h
|
||||
|
@ -146,6 +146,7 @@
|
||||
#include <split_addr.h>
|
||||
#include <dsn_mask.h>
|
||||
#include <rec_attr_map.h>
|
||||
#include <smtputf8.h>
|
||||
|
||||
/* Client stubs. */
|
||||
|
||||
@ -603,6 +604,8 @@ static int qmgr_message_read(QMGR_MESSAGE *message)
|
||||
rec_type = REC_TYPE_ERROR;
|
||||
break;
|
||||
}
|
||||
/* Forward compatibility. */
|
||||
message->smtputf8 &= SMTPUTF8_FLAG_ALL;
|
||||
} else if (count == 1) {
|
||||
/* Postfix < 1.0 (a.k.a. 20010228). */
|
||||
qmgr_message_oldstyle_scan(message);
|
||||
|
@ -426,9 +426,7 @@
|
||||
/* Detailed information about STARTTLS configuration may be found
|
||||
/* in the TLS_README document.
|
||||
/* .IP "\fBsmtp_tls_security_level (empty)\fR"
|
||||
/* The default SMTP TLS security level for the Postfix SMTP client;
|
||||
/* when a non-empty value is specified, this overrides the obsolete
|
||||
/* parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
|
||||
/* The default SMTP TLS security level for the Postfix SMTP client.
|
||||
/* .IP "\fBsmtp_sasl_tls_security_options ($smtp_sasl_security_options)\fR"
|
||||
/* The SASL authentication security options that the Postfix SMTP
|
||||
/* client uses for TLS encrypted SMTP sessions.
|
||||
@ -561,10 +559,10 @@
|
||||
/* Available in Postfix version 3.0 and later:
|
||||
/* .IP "\fBsmtp_tls_wrappermode (no)\fR"
|
||||
/* Request that the Postfix SMTP client connects using the
|
||||
/* legacy SMTPS protocol instead of using the STARTTLS command.
|
||||
/* SUBMISSIONS/SMTPS protocol instead of using the STARTTLS command.
|
||||
/* .PP
|
||||
/* Available in Postfix version 3.1 and later:
|
||||
/* .IP "\fBsmtp_tls_dane_insecure_mx_policy (see 'postconf -d' output)\fR"
|
||||
/* .IP "\fBsmtp_tls_dane_insecure_mx_policy (dane)\fR"
|
||||
/* The TLS policy for MX hosts with "secure" TLSA records when the
|
||||
/* nexthop destination security level is \fBdane\fR, but the MX
|
||||
/* record was found via an "insecure" MX lookup.
|
||||
@ -727,7 +725,7 @@
|
||||
/* Preliminary SMTPUTF8 support is introduced with Postfix 3.0.
|
||||
/* .IP "\fBsmtputf8_enable (yes)\fR"
|
||||
/* Enable preliminary SMTPUTF8 support for the protocols described
|
||||
/* in RFC 6531..6533.
|
||||
/* in RFC 6531, RFC 6532, and RFC 6533.
|
||||
/* .IP "\fBsmtputf8_autodetect_classes (sendmail, verify)\fR"
|
||||
/* Detect that a message requires SMTPUTF8 support for the specified
|
||||
/* mail origin classes.
|
||||
|
@ -660,9 +660,9 @@ void tls_param_init(void)
|
||||
VAR_TLS_LOW_CLIST, DEF_TLS_LOW_CLIST, &var_tls_low_clist, 1, 0,
|
||||
VAR_TLS_EXPORT_CLIST, DEF_TLS_EXPORT_CLIST, &var_tls_export_clist, 1, 0,
|
||||
VAR_TLS_NULL_CLIST, DEF_TLS_NULL_CLIST, &var_tls_null_clist, 1, 0,
|
||||
VAR_TLS_EECDH_AUTO, DEF_TLS_EECDH_AUTO, &var_tls_eecdh_auto, 1, 0,
|
||||
VAR_TLS_EECDH_STRONG, DEF_TLS_EECDH_STRONG, &var_tls_eecdh_strong, 1, 0,
|
||||
VAR_TLS_EECDH_ULTRA, DEF_TLS_EECDH_ULTRA, &var_tls_eecdh_ultra, 1, 0,
|
||||
VAR_TLS_EECDH_AUTO, DEF_TLS_EECDH_AUTO, &var_tls_eecdh_auto, 0, 0,
|
||||
VAR_TLS_EECDH_STRONG, DEF_TLS_EECDH_STRONG, &var_tls_eecdh_strong, 0, 0,
|
||||
VAR_TLS_EECDH_ULTRA, DEF_TLS_EECDH_ULTRA, &var_tls_eecdh_ultra, 0, 0,
|
||||
VAR_TLS_BUG_TWEAKS, DEF_TLS_BUG_TWEAKS, &var_tls_bug_tweaks, 0, 0,
|
||||
VAR_TLS_SSL_OPTIONS, DEF_TLS_SSL_OPTIONS, &var_tls_ssl_options, 0, 0,
|
||||
VAR_TLS_DANE_DIGESTS, DEF_TLS_DANE_DIGESTS, &var_tls_dane_digests, 1, 0,
|
||||
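Review bot: The min-length column for VAR_TLS_EECDH_AUTO, VAR_TLS_EECDH_STRONG and VAR_TLS_EECDH_ULTRA drops from 1 to 0, so an empty value for these three parameters now passes table validation, but nothing in the hunk records why. The code that hands these strings to the TLS library is outside this hunk; it has to treat "" explicitly (skip the curve setting, or fall back to a documented default) rather than pass it through, otherwise the effective curve list depends on library behavior. A short comment on the three rows would make the relaxed bound deliberate, e.g. `/* Empty value allowed; the consumer must special-case "" */`. tls_param_init's table starts and ends outside this hunk.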
@ -1050,6 +1050,12 @@ void tls_get_signature_params(TLS_SESS_STATE *TLScontext)
|
||||
kex_name = OBJ_nid2sn(EVP_PKEY_type(nid));
|
||||
break;
|
||||
|
||||
#if defined(EVP_PKEY_KEYMGMT)
|
||||
case EVP_PKEY_KEYMGMT:
|
||||
kex_name = EVP_PKEY_get0_type_name(dh_pkey);
|
||||
break;
|
||||
#endif
|
||||
|
||||
case EVP_PKEY_DH:
|
||||
kex_name = "DHE";
|
||||
TLScontext->kex_bits = EVP_PKEY_bits(dh_pkey);
|
||||
@ -1062,8 +1068,17 @@ void tls_get_signature_params(TLS_SESS_STATE *TLScontext)
|
||||
break;
|
||||
#endif
|
||||
}
|
||||
EVP_PKEY_free(dh_pkey);
|
||||
}
|
||||
if (kex_name) {
|
||||
TLScontext->kex_name = mystrdup(kex_name);
|
||||
TLScontext->kex_curve = kex_curve;
|
||||
}
|
||||
/* Not a problem if NULL */
|
||||
EVP_PKEY_free(dh_pkey);
|
||||
|
||||
/* Resumption makes no use of signature keys or digests */
|
||||
if (TLScontext->session_reused)
|
||||
return;
|
||||
|
||||
/*
|
||||
* On the client end, the certificate may be preset, but not used, so we
|
||||
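Review bot: The `EVP_PKEY_free(dh_pkey)` now placed after the `mystrdup(kex_name)` block is load-bearing: in the EVP_PKEY_KEYMGMT case of the previous hunk, kex_name comes from EVP_PKEY_get0_type_name() and points into storage owned by dh_pkey, so the copy must precede the free, yet nothing says so and a later cleanup could move the free back up. Suggest `/* kex_name may point into dh_pkey (EVP_PKEY_get0_type_name); copy before freeing */` above the `if (kex_name)` block. The unconditional free under "Not a problem if NULL" also relies on dh_pkey being initialized to a null pointer at its declaration, which is outside this hunk (SSL_get_peer_tmp_key() presumably leaves the pointer untouched when it fails); worth confirming. The same copy-before-release ordering applies to the locl_sig_name and peer_sig_name blocks moved into the hunks at @ -1112 and @ -1150, where peer_sig_name must be copied before TLS_FREE_PEER_CERT(peer_cert), and the same comment fits there. tls_get_signature_params begins before this hunk.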
@ -1084,12 +1099,19 @@ void tls_get_signature_params(TLS_SESS_STATE *TLScontext)
|
||||
* the more familiar name. For "RSA" keys report "RSA-PSS", which
|
||||
* must be used with TLS 1.3.
|
||||
*/
|
||||
if ((nid = EVP_PKEY_type(EVP_PKEY_id(local_pkey))) != NID_undef) {
|
||||
if ((nid = EVP_PKEY_id(local_pkey)) != NID_undef) {
|
||||
switch (nid) {
|
||||
default:
|
||||
locl_sig_name = OBJ_nid2sn(nid);
|
||||
if ((nid = EVP_PKEY_type(nid)) != NID_undef)
|
||||
locl_sig_name = OBJ_nid2sn(nid);
|
||||
break;
|
||||
|
||||
#if defined(EVP_PKEY_KEYMGMT)
|
||||
case EVP_PKEY_KEYMGMT:
|
||||
locl_sig_name = EVP_PKEY_get0_type_name(local_pkey);
|
||||
break;
|
||||
#endif
|
||||
|
||||
case EVP_PKEY_RSA:
|
||||
/* For RSA, TLS 1.3 mandates PSS signatures */
|
||||
locl_sig_name = "RSA-PSS";
|
||||
@ -1112,6 +1134,13 @@ void tls_get_signature_params(TLS_SESS_STATE *TLScontext)
|
||||
*/
|
||||
if (SSL_get_signature_nid(ssl, &nid) && nid != NID_undef)
|
||||
locl_sig_dgst = OBJ_nid2sn(nid);
|
||||
|
||||
if (locl_sig_name) {
|
||||
SIG_PROP(TLScontext, srvr, name) = mystrdup(locl_sig_name);
|
||||
SIG_PROP(TLScontext, srvr, curve) = locl_sig_curve;
|
||||
if (locl_sig_dgst)
|
||||
SIG_PROP(TLScontext, srvr, dgst) = mystrdup(locl_sig_dgst);
|
||||
}
|
||||
}
|
||||
/* Signature algorithms for the peer end of the connection */
|
||||
if ((peer_cert = TLS_PEEK_PEER_CERT(ssl)) != 0) {
|
||||
@ -1122,12 +1151,19 @@ void tls_get_signature_params(TLS_SESS_STATE *TLScontext)
|
||||
* the more familiar name. For "RSA" keys report "RSA-PSS", which
|
||||
* must be used with TLS 1.3.
|
||||
*/
|
||||
if ((nid = EVP_PKEY_type(EVP_PKEY_id(peer_pkey))) != NID_undef) {
|
||||
if ((nid = EVP_PKEY_id(peer_pkey)) != NID_undef) {
|
||||
switch (nid) {
|
||||
default:
|
||||
peer_sig_name = OBJ_nid2sn(nid);
|
||||
if ((nid = EVP_PKEY_type(nid)) != NID_undef)
|
||||
peer_sig_name = OBJ_nid2sn(nid);
|
||||
break;
|
||||
|
||||
#if defined(EVP_PKEY_KEYMGMT)
|
||||
case EVP_PKEY_KEYMGMT:
|
||||
peer_sig_name = EVP_PKEY_get0_type_name(peer_pkey);
|
||||
break;
|
||||
#endif
|
||||
|
||||
case EVP_PKEY_RSA:
|
||||
/* For RSA, TLS 1.3 mandates PSS signatures */
|
||||
peer_sig_name = "RSA-PSS";
|
||||
@ -1150,24 +1186,14 @@ void tls_get_signature_params(TLS_SESS_STATE *TLScontext)
|
||||
if (SSL_get_peer_signature_nid(ssl, &nid) && nid != NID_undef)
|
||||
peer_sig_dgst = OBJ_nid2sn(nid);
|
||||
|
||||
if (peer_sig_name) {
|
||||
SIG_PROP(TLScontext, !srvr, name) = mystrdup(peer_sig_name);
|
||||
SIG_PROP(TLScontext, !srvr, curve) = peer_sig_curve;
|
||||
if (peer_sig_dgst)
|
||||
SIG_PROP(TLScontext, !srvr, dgst) = mystrdup(peer_sig_dgst);
|
||||
}
|
||||
TLS_FREE_PEER_CERT(peer_cert);
|
||||
}
|
||||
if (kex_name) {
|
||||
TLScontext->kex_name = mystrdup(kex_name);
|
||||
TLScontext->kex_curve = kex_curve;
|
||||
}
|
||||
if (locl_sig_name) {
|
||||
SIG_PROP(TLScontext, srvr, name) = mystrdup(locl_sig_name);
|
||||
SIG_PROP(TLScontext, srvr, curve) = locl_sig_curve;
|
||||
if (locl_sig_dgst)
|
||||
SIG_PROP(TLScontext, srvr, dgst) = mystrdup(locl_sig_dgst);
|
||||
}
|
||||
if (peer_sig_name) {
|
||||
SIG_PROP(TLScontext, !srvr, name) = mystrdup(peer_sig_name);
|
||||
SIG_PROP(TLScontext, !srvr, curve) = peer_sig_curve;
|
||||
if (peer_sig_dgst)
|
||||
SIG_PROP(TLScontext, !srvr, dgst) = mystrdup(peer_sig_dgst);
|
||||
}
|
||||
}
|
||||
|
||||
/* tls_log_summary - TLS loglevel 1 one-liner, embellished with TLS 1.3 details */
|
||||
|
@ -39,6 +39,9 @@
|
||||
|
||||
#include <sys_defs.h>
|
||||
#include <sys/ioctl.h>
|
||||
#ifdef SUNOS5
|
||||
#include <sys/socket.h> /* shutdown(2) */
|
||||
#endif
|
||||
#ifdef FIONREAD_IN_SYS_FILIO_H
|
||||
#include <sys/filio.h>
|
||||
#endif
|
||||
|