mirror of https://github.com/vdukhovni/postfix synced 2025-08-29 13:18:12 +00:00

postfix-2.11.1

Wietse Venema 2014-05-07 00:00:00 -05:00 committed by Viktor Dukhovni
parent 642ad60d9b
commit 4632b19c12
16 changed files with 195 additions and 140 deletions


@ -19528,3 +19528,49 @@ Apologies for any names omitted.
20140110-15
Miscellaneous documentation cleanups.
20140116
Workaround: prepend "-I. -I../../include" to CCARGS, to
avoid name clashes with non-Postfix header files. File:
makedefs.
20140125
Cleanup: postconf(1) manpage missing version attribution
and incorrect "author" formatting. File: postconf/postconf.c.
20140223
Logging: the TLS client logged that an "Untrusted" TLS
connection was established instead of "Anonymous". Viktor
Dukhovni. File: tls/tls_client.c.
20140227
Bugfix: Enforce TLS when TLSA records exist, but all are
unusable; Don't leak dane handle when all TLSA records are
unusable. Viktor Dukhovni. File: smtp/smtp_tls_policy.c.
Cleanup: log TLS policy lookup errors as warnings. Viktor
Dukhovni. File: smtp/smtp_connect.c.
20140407
Documentation: the documentation for Postfix > 2.8 TLS
activity logging was incorrect. Loglevel 0 produces no
logging. Instead, information is logged only with loglevel
1 or higher. Viktor Dukhovni. Files: proto/TLS_README.html,
proto/postconf.proto.
20140507
Bugfix (introduced: Postfix 2.11): with connection caching
enabled (the default), recipients could be given to the
wrong mail server. Root cause: due to an incorrect predicate,
the Postfix SMTP client could save and restore plaintext
connections that should not be cached, under nonsensical
lookup keys that did not distinguish by destination. Problem
reported by Sahil Tandon, predicate error found by Viktor,
redundant connection restore request eliminated by Wietse.
File: smtp/smtp_connect.c.


@ -247,27 +247,25 @@ To get additional information about Postfix SMTP server TLS activity you can
increase the log level from 0..4. Each logging level also includes the
information that is logged at a lower logging level.
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
|LLeevveell|PPoossttffiixx 22..99 aanndd llaatteerr |EEaarrlliieerr rreelleeaasseess.. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|0 |Log only a summary message on TLS |Disable logging of TLS activity.|
| |handshake completion -- no logging| |
| |of client certificate trust-chain | |
| |verification errors if client | |
| |certificate verification is not | |
| |required. | |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|1 |Also log trust-chain verification |Also log TLS handshake and |
| |errors and peer certificate |certificate information. |
| |summary information. | |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|2 |Also log levels during TLS negotiation. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|3 |Also log hexadecimal and ASCII dump of TLS negotiation process. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|4 |Also log hexadecimal and ASCII dump of complete transmission after |
| |STARTTLS. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
|LLeevveell|PPoossttffiixx 22..99 aanndd llaatteerr |EEaarrlliieerr rreelleeaasseess.. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|0 |Disable logging of TLS activity. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|1 |Log only a summary message on TLS |Log the summary message, peer |
| |handshake completion -- no logging|certificate summary information|
| |of client certificate trust-chain |and unconditionally log trust- |
| |verification errors if client |chain verification errors. |
| |certificate verification is not | |
| |required. | |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|2 |Also log levels during TLS negotiation. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|3 |Also log hexadecimal and ASCII dump of TLS negotiation process. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|4 |Also log hexadecimal and ASCII dump of complete transmission after|
| |STARTTLS. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
Use log level 3 only in case of problems. Use of log level 4 is strongly
discouraged.
@ -1321,27 +1319,25 @@ To get additional information about Postfix SMTP client TLS activity you can
increase the loglevel from 0..4. Each logging level also includes the
information that is logged at a lower logging level.
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
|LLeevveell|PPoossttffiixx 22..99 aanndd llaatteerr |EEaarrlliieerr rreelleeaasseess.. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|0 |Log only a summary message on TLS |Disable logging of TLS activity.|
| |handshake completion -- no logging| |
| |of remote SMTP server certificate | |
| |trust-chain verification errors if| |
| |server certificate verification is| |
| |not required. | |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|1 |Also log remote SMTP server trust-|Also log TLS handshake and |
| |chain verification errors and peer|certificate information. |
| |certificate summary information. | |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|2 |Also log levels during TLS negotiation. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|3 |Also log hexadecimal and ASCII dump of TLS negotiation process. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|4 |Also log hexadecimal and ASCII dump of complete transmission after |
| |STARTTLS. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
|LLeevveell|PPoossttffiixx 22..99 aanndd llaatteerr |EEaarrlliieerr rreelleeaasseess.. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|0 |Disable logging of TLS activity. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|1 |Log only a summary message on TLS |Log the summary message and |
| |handshake completion -- no logging|unconditionally log trust-chain|
| |of remote SMTP server certificate |verification errors. |
| |trust-chain verification errors if| |
| |server certificate verification is| |
| |not required. | |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|2 |Also log levels during TLS negotiation. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|3 |Also log hexadecimal and ASCII dump of TLS negotiation process. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|4 |Also log hexadecimal and ASCII dump of complete transmission after|
| |STARTTLS. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
Example:


@ -384,16 +384,15 @@ logging level. </p>
<tr> <th> Level </th> <th> Postfix 2.9 and later</th> <th> Earlier
releases. </th> </tr>
<tr> <td valign="top"> 0 </td> <td valign="top"> Log only a summary
<tr> <td valign="top"> 0 </td> <td valign="top" colspan="2"> Disable
logging of TLS activity. </td> </tr>
<tr> <td valign="top"> 1 </td> <td valign="top"> Log only a summary
message on TLS handshake completion &mdash; no logging of client
certificate trust-chain verification errors if client certificate
verification is not required. </td> <td valign="top"> Disable logging
of TLS activity.</td> </tr>
<tr> <td valign="top"> 1 </td> <td valign="top"> Also log trust-chain
verification errors and peer certificate summary information. </td>
<td valign="top"> Also log TLS handshake and certificate information.
</td> </tr>
verification is not required. </td> <td valign="top"> Log the summary
message, peer certificate summary information and unconditionally log
trust-chain verification errors. </td> </tr>
<tr> <td valign="top"> 2 </td> <td valign="top" colspan="2"> Also
log levels during TLS negotiation. </td> </tr>
@ -1750,16 +1749,15 @@ logging level. </p>
<tr> <th> Level </th> <th> Postfix 2.9 and later</th> <th> Earlier
releases. </th> </tr>
<tr> <td valign="top"> 0 </td> <td valign="top"> Log only a summary
message on TLS handshake completion &mdash; no logging of remote
SMTP server certificate trust-chain verification errors if server
certificate verification is not required. </td> <td valign="top">
Disable logging of TLS activity.</td> </tr>
<tr> <td valign="top"> 0 </td> <td valign="top" colspan="2"> Disable
logging of TLS activity. </td> </tr>
<tr> <td valign="top"> 1 </td> <td valign="top"> Also log remote
SMTP server trust-chain verification errors and peer certificate
summary information. </td> <td valign="top"> Also log TLS handshake
and certificate information. </td> </tr>
<tr> <td valign="top"> 1 </td> <td valign="top"> Log only a summary
message on TLS handshake completion &mdash; no logging of remote SMTP
server certificate trust-chain verification errors if server certificate
verification is not required. </td> <td valign="top"> Log the summary
message and unconditionally log trust-chain verification errors.
</td> </tr>
<tr> <td valign="top"> 2 </td> <td valign="top" colspan="2"> Also
log levels during TLS negotiation. </td> </tr>


@ -123,6 +123,8 @@ POSTCONF(1) POSTCONF(1)
The default is as if "<b>-C all</b>" is specified.
This feature is available with Postfix 2.9 and later.
<b>-d</b> Print <a href="postconf.5.html"><b>main.cf</b></a> default parameter settings instead of actual set-
tings. Specify <b>-df</b> to fold long lines for human readability
(Postfix 2.9 and later).
@ -330,6 +332,8 @@ POSTCONF(1) POSTCONF(1)
<b>-p</b> Show <a href="postconf.5.html"><b>main.cf</b></a> parameter settings. This is the default.
This feature is available with Postfix 2.11 and later.
<b>-P</b> Show <a href="master.5.html"><b>master.cf</b></a> service parameter settings (by default all ser-
vices and all parameters). formatted as one "<i>ser-</i>
<i>vice/type/parameter=value</i>" per line. Specify <b>-Pf</b> to fold long
@ -444,8 +448,10 @@ POSTCONF(1) POSTCONF(1)
The Secure Mailer license must be distributed with this software.
<b>AUTHOR(S)</b>
Wietse Venema IBM T.J. Watson Research P.O. Box 704 Yorktown
Heights, NY 10598, USA
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
POSTCONF(1)
</pre> </body> </html>


@ -8600,7 +8600,7 @@ Examples:
<pre>
# Handle both Postfix and qmail extensions (Postfix 2.11 and later).
recipient_delimiters = +-
<a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> = +-
</pre>
<pre>
@ -11362,14 +11362,13 @@ a lower logging level. </p>
<dl compact>
<dt> </dt> <dd> 0 Log only a summary message on TLS handshake completion
<dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>
<dt> </dt> <dd> 1 Log only a summary message on TLS handshake completion
&mdash; no logging of remote SMTP server certificate trust-chain
verification errors if server certificate verification is not required.
With Postfix 2.8 and earlier, disable logging of TLS activity. </dd>
<dt> </dt> <dd> 1 Also log remote SMTP server trust-chain verification
errors and peer certificate summary information. With Postfix 2.8
and earlier, log TLS handshake and certificate information. </dd>
With Postfix 2.8 and earlier, log the summary message and unconditionally
log trust-chain verification errors. </dd>
<dt> </dt> <dd> 2 Also log levels during TLS negotiation. </dd>
@ -15555,15 +15554,13 @@ a lower logging level. </p>
<dl compact>
<dt> </dt> <dd> 0 Log only a summary message on TLS handshake completion
&mdash; no logging of remote SMTP client certificate trust-chain verification
errors
if client certificate verification is not required. With Postfix 2.8
and earlier, disable logging of TLS activity. </dd>
<dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>
<dt> </dt> <dd> 1 Also log trust-chain verification errors and peer
certificate name and issuer. With Postfix 2.8 and earlier, log TLS
handshake and certificate information. </dd>
<dt> </dt> <dd> 1 Log only a summary message on TLS handshake completion
&mdash; no logging of client certificate trust-chain verification errors
if client certificate verification is not required. With Postfix 2.8 and
earlier, log the summary message, peer certificate summary information
and unconditionally log trust-chain verification errors. </dd>
<dt> </dt> <dd> 2 Also log levels during TLS negotiation. </dd>


@ -638,6 +638,9 @@ export SYSTYPE AR ARFL RANLIB SYSLIBS CC OPT DEBUG AWK OPTS
# needed before the code stabilizes.
#CCARGS="$CCARGS -DNONPROD"
# Workaround: prepend Postfix include files before other include files.
CCARGS="-I. -I../../include $CCARGS"
sed 's/ / /g' <<EOF
SYSTYPE = $SYSTYPE
AR = $AR


@ -143,6 +143,8 @@ All the above classes.
.IP
The default is as if "\fB-C all\fR" is
specified.
This feature is available with Postfix 2.9 and later.
.IP \fB-d\fR
Print \fBmain.cf\fR default parameter settings instead of
actual settings.
@ -347,6 +349,8 @@ Override \fBmain.cf\fR parameter settings.
This feature is available with Postfix 2.10 and later.
.IP \fB-p\fR
Show \fBmain.cf\fR parameter settings. This is the default.
This feature is available with Postfix 2.11 and later.
.IP \fB-P\fR
Show \fBmaster.cf\fR service parameter settings (by default
all services and all parameters). formatted as one
@ -486,5 +490,7 @@ software.
.SH "AUTHOR(S)"
.na
.nf
Wietse Venema IBM T.J. Watson Research P.O. Box 704 Yorktown
Heights, NY 10598, USA
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA


@ -5176,7 +5176,7 @@ recipient_delimiter = +
.na
.ft C
# Handle both Postfix and qmail extensions (Postfix 2.11 and later).
recipient_delimiters = +-
recipient_delimiter = +-
.fi
.ad
.ft R
@ -7120,15 +7120,14 @@ Enable additional Postfix SMTP client logging of TLS activity.
Each logging level also includes the information that is logged at
a lower logging level.
.IP ""
0 Log only a summary message on TLS handshake completion
- no logging of remote SMTP server certificate trust-chain
verification errors if server certificate verification is not required.
With Postfix 2.8 and earlier, disable logging of TLS activity.
0 Disable logging of TLS activity.
.br
.IP ""
1 Also log remote SMTP server trust-chain verification
errors and peer certificate summary information. With Postfix 2.8
and earlier, log TLS handshake and certificate information.
1 Log only a summary message on TLS handshake completion
- no logging of remote SMTP server certificate trust-chain
verification errors if server certificate verification is not required.
With Postfix 2.8 and earlier, log the summary message and unconditionally
log trust-chain verification errors.
.br
.IP ""
2 Also log levels during TLS negotiation.
@ -10554,16 +10553,14 @@ Enable additional Postfix SMTP server logging of TLS activity.
Each logging level also includes the information that is logged at
a lower logging level.
.IP ""
0 Log only a summary message on TLS handshake completion
- no logging of remote SMTP client certificate trust-chain verification
errors
if client certificate verification is not required. With Postfix 2.8
and earlier, disable logging of TLS activity.
0 Disable logging of TLS activity.
.br
.IP ""
1 Also log trust-chain verification errors and peer
certificate name and issuer. With Postfix 2.8 and earlier, log TLS
handshake and certificate information.
1 Log only a summary message on TLS handshake completion
- no logging of client certificate trust-chain verification errors
if client certificate verification is not required. With Postfix 2.8 and
earlier, log the summary message, peer certificate summary information
and unconditionally log trust-chain verification errors.
.br
.IP ""
2 Also log levels during TLS negotiation.


@ -384,16 +384,15 @@ logging level. </p>
<tr> <th> Level </th> <th> Postfix 2.9 and later</th> <th> Earlier
releases. </th> </tr>
<tr> <td valign="top"> 0 </td> <td valign="top"> Log only a summary
<tr> <td valign="top"> 0 </td> <td valign="top" colspan="2"> Disable
logging of TLS activity. </td> </tr>
<tr> <td valign="top"> 1 </td> <td valign="top"> Log only a summary
message on TLS handshake completion &mdash; no logging of client
certificate trust-chain verification errors if client certificate
verification is not required. </td> <td valign="top"> Disable logging
of TLS activity.</td> </tr>
<tr> <td valign="top"> 1 </td> <td valign="top"> Also log trust-chain
verification errors and peer certificate summary information. </td>
<td valign="top"> Also log TLS handshake and certificate information.
</td> </tr>
verification is not required. </td> <td valign="top"> Log the summary
message, peer certificate summary information and unconditionally log
trust-chain verification errors. </td> </tr>
<tr> <td valign="top"> 2 </td> <td valign="top" colspan="2"> Also
log levels during TLS negotiation. </td> </tr>
@ -1750,16 +1749,15 @@ logging level. </p>
<tr> <th> Level </th> <th> Postfix 2.9 and later</th> <th> Earlier
releases. </th> </tr>
<tr> <td valign="top"> 0 </td> <td valign="top"> Log only a summary
message on TLS handshake completion &mdash; no logging of remote
SMTP server certificate trust-chain verification errors if server
certificate verification is not required. </td> <td valign="top">
Disable logging of TLS activity.</td> </tr>
<tr> <td valign="top"> 0 </td> <td valign="top" colspan="2"> Disable
logging of TLS activity. </td> </tr>
<tr> <td valign="top"> 1 </td> <td valign="top"> Also log remote
SMTP server trust-chain verification errors and peer certificate
summary information. </td> <td valign="top"> Also log TLS handshake
and certificate information. </td> </tr>
<tr> <td valign="top"> 1 </td> <td valign="top"> Log only a summary
message on TLS handshake completion &mdash; no logging of remote SMTP
server certificate trust-chain verification errors if server certificate
verification is not required. </td> <td valign="top"> Log the summary
message and unconditionally log trust-chain verification errors.
</td> </tr>
<tr> <td valign="top"> 2 </td> <td valign="top" colspan="2"> Also
log levels during TLS negotiation. </td> </tr>


@ -3546,7 +3546,7 @@ recipient_delimiter = +
<pre>
# Handle both Postfix and qmail extensions (Postfix 2.11 and later).
recipient_delimiters = +-
recipient_delimiter = +-
</pre>
<pre>
@ -9127,15 +9127,13 @@ a lower logging level. </p>
<dl compact>
<dt> </dt> <dd> 0 Log only a summary message on TLS handshake completion
&mdash; no logging of remote SMTP client certificate trust-chain verification
errors
if client certificate verification is not required. With Postfix 2.8
and earlier, disable logging of TLS activity. </dd>
<dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>
<dt> </dt> <dd> 1 Also log trust-chain verification errors and peer
certificate name and issuer. With Postfix 2.8 and earlier, log TLS
handshake and certificate information. </dd>
<dt> </dt> <dd> 1 Log only a summary message on TLS handshake completion
&mdash; no logging of client certificate trust-chain verification errors
if client certificate verification is not required. With Postfix 2.8 and
earlier, log the summary message, peer certificate summary information
and unconditionally log trust-chain verification errors. </dd>
<dt> </dt> <dd> 2 Also log levels during TLS negotiation. </dd>
@ -9551,14 +9549,13 @@ a lower logging level. </p>
<dl compact>
<dt> </dt> <dd> 0 Log only a summary message on TLS handshake completion
<dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>
<dt> </dt> <dd> 1 Log only a summary message on TLS handshake completion
&mdash; no logging of remote SMTP server certificate trust-chain
verification errors if server certificate verification is not required.
With Postfix 2.8 and earlier, disable logging of TLS activity. </dd>
<dt> </dt> <dd> 1 Also log remote SMTP server trust-chain verification
errors and peer certificate summary information. With Postfix 2.8
and earlier, log TLS handshake and certificate information. </dd>
With Postfix 2.8 and earlier, log the summary message and unconditionally
log trust-chain verification errors. </dd>
<dt> </dt> <dd> 2 Also log levels during TLS negotiation. </dd>


@ -20,8 +20,8 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
#define MAIL_RELEASE_DATE "20140115"
#define MAIL_VERSION_NUMBER "2.11.0"
#define MAIL_RELEASE_DATE "20140507"
#define MAIL_VERSION_NUMBER "2.11.1"
#ifdef SNAPSHOT
#define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE


@ -137,6 +137,8 @@
/* .IP
/* The default is as if "\fB-C all\fR" is
/* specified.
/*
/* This feature is available with Postfix 2.9 and later.
/* .IP \fB-d\fR
/* Print \fBmain.cf\fR default parameter settings instead of
/* actual settings.
@ -341,6 +343,8 @@
/* This feature is available with Postfix 2.10 and later.
/* .IP \fB-p\fR
/* Show \fBmain.cf\fR parameter settings. This is the default.
/*
/* This feature is available with Postfix 2.11 and later.
/* .IP \fB-P\fR
/* Show \fBmaster.cf\fR service parameter settings (by default
/* all services and all parameters). formatted as one
@ -464,8 +468,10 @@
/* The Secure Mailer license must be distributed with this
/* software.
/* AUTHOR(S)
/* Wietse Venema IBM T.J. Watson Research P.O. Box 704 Yorktown
/* Heights, NY 10598, USA
/* Wietse Venema
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
/*--*/
/* System library. */


@ -195,7 +195,7 @@ typedef struct SMTP_STATE {
STR((state)->iterator->request_nexthop)[0] = 0; \
}
#define HAVE_NEXTHOP_STATE(state) (STR((state)->iterator->request_nexthop) != 0)
#define HAVE_NEXTHOP_STATE(state) (STR((state)->iterator->request_nexthop)[0] != 0)
/*
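Review bot: The corrected `HAVE_NEXTHOP_STATE` macro carries no comment saying why it tests the first byte of the string rather than the pointer, which is exactly the mistake this change repairs. The earlier form compared the result of `STR(...)` with 0, which presumably never holds for an allocated string buffer, so the predicate was effectively always true. I would add above the macro: `/* True only when request_nexthop is a non-empty string; an empty string means no nexthop state is saved. */`. The clearing macro just above it writes `[0] = 0`, so documenting the two as a pair would make the contract visible to the callers that gate connection-cache lookups on it.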


@ -510,7 +510,7 @@ static void smtp_connect_local(SMTP_STATE *state, const char *path)
*/
#ifdef USE_TLS
if (!smtp_tls_policy_cache_query(why, state->tls, iter)) {
msg_info("TLS policy lookup error for %s/%s: %s",
msg_warn("TLS policy lookup error for %s/%s: %s",
STR(iter->host), STR(iter->addr), STR(why->reason));
return;
}
@ -666,6 +666,7 @@ static int smtp_reuse_session(SMTP_STATE *state, DNS_RR **addr_list,
#endif
SMTP_ITER_SAVE_DEST(state->iterator);
if (*addr_list && SMTP_RCPT_LEFT(state) > 0
&& HAVE_NEXTHOP_STATE(state)
&& (session = smtp_reuse_nexthop(state, SMTP_KEY_MASK_SCACHE_DEST_LABEL)) != 0) {
session_count = 1;
smtp_update_addr_list(addr_list, STR(iter->addr), session_count);
@ -716,7 +717,7 @@ static int smtp_reuse_session(SMTP_STATE *state, DNS_RR **addr_list,
iter->rr = addr;
#ifdef USE_TLS
if (!smtp_tls_policy_cache_query(why, state->tls, iter)) {
msg_info("TLS policy lookup error for %s/%s: %s",
msg_warn("TLS policy lookup error for %s/%s: %s",
STR(iter->dest), STR(iter->host), STR(why->reason));
continue;
/* XXX Assume there is no code at the end of this loop. */
@ -956,7 +957,7 @@ static void smtp_connect_inet(SMTP_STATE *state, const char *nexthop,
iter->rr = addr;
#ifdef USE_TLS
if (!smtp_tls_policy_cache_query(why, state->tls, iter)) {
msg_info("TLS policy lookup for %s/%s: %s",
msg_warn("TLS policy lookup for %s/%s: %s",
STR(iter->dest), STR(iter->host), STR(why->reason));
continue;
/* XXX Assume there is no code at the end of this loop. */
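Review bot: The warning in the smtp_connect_inet hunk reads `"TLS policy lookup for %s/%s: %s"`, while the smtp_connect_local and smtp_reuse_session call sites say `"TLS policy lookup error for %s/%s: %s"`, so a log filter or alert keyed on the word "error" would miss the inet path now that all three are warnings. I would make it `msg_warn("TLS policy lookup error for %s/%s: %s",` there as well. The smtp_connect_local site also prints host/addr where the other two print dest/host; that may be intentional, but a short comment would help. All three functions continue outside their hunks.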


@ -525,8 +525,8 @@ static void *policy_create(const char *unused_key, void *context)
/*
* DANE initialization may change the security level to something else,
* so do this early, so that we use the right level below. Note that
* "dane-only" changes to "dane" after any fallback strategies are
* applied.
* "dane-only" changes to "dane" once we obtain the requisite TLSA
* records.
*/
if (tls->level == TLS_LEV_DANE || tls->level == TLS_LEV_DANE_ONLY)
dane_init(tls, iter);
@ -706,6 +706,7 @@ static int global_tls_level(void)
#define NONDANE_CONFIG 0 /* Administrator's fault */
#define NONDANE_DEST 1 /* Remote server's fault */
#define DANE_UNUSABLE 2 /* Remote server's fault */
static void PRINTFLIKE(4, 5) dane_incompat(SMTP_TLS_POLICY *tls,
SMTP_ITERATOR *iter,
@ -716,12 +717,12 @@ static void PRINTFLIKE(4, 5) dane_incompat(SMTP_TLS_POLICY *tls,
va_start(ap, fmt);
if (tls->level == TLS_LEV_DANE) {
tls->level = TLS_LEV_MAY;
tls->level = (errtype == DANE_UNUSABLE) ? TLS_LEV_ENCRYPT : TLS_LEV_MAY;
if (errtype == NONDANE_CONFIG)
vmsg_warn(fmt, ap);
else if (msg_verbose)
vmsg_info(fmt, ap);
} else {
} else { /* dane-only */
if (errtype == NONDANE_CONFIG) {
vmsg_warn(fmt, ap);
MARK_INVALID(tls->why, &tls->level);
@ -816,7 +817,8 @@ static void dane_init(SMTP_TLS_POLICY *tls, SMTP_ITERATOR *iter)
* given verifier some of the CAs are surely not trustworthy).
*/
if (tls_dane_unusable(dane)) {
dane_incompat(tls, iter, NONDANE_DEST, "TLSA records unusable");
dane_incompat(tls, iter, DANE_UNUSABLE, "TLSA records unusable");
tls_dane_free(dane);
return;
}
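Review bot: In dane_incompat, the new DANE_UNUSABLE case at level "dane" sets the policy to TLS_LEV_ENCRYPT, but its message still goes only through the `else if (msg_verbose)` branch, so the fallback away from DANE authentication is invisible in normal logs. Consider `else if (errtype == DANE_UNUSABLE || msg_verbose)` so operators can see which destinations publish TLSA records that are all unusable. The comment on `#define DANE_UNUSABLE 2` repeats the NONDANE_DEST text; something like `/* TLSA records exist, none usable */` would tell the two apart. The function body continues outside the hunk.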


@ -1045,7 +1045,9 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props)
*/
if (log_mask & TLS_LOG_SUMMARY)
msg_info("%s TLS connection established to %s: %s with cipher %s "
"(%d/%d bits)", TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" :
"(%d/%d bits)",
!TLS_CERT_IS_PRESENT(TLScontext) ? "Anonymous" :
TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" :
TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : "Untrusted",
props->namaddr, TLScontext->protocol, TLScontext->cipher_name,
TLScontext->cipher_usebits, TLScontext->cipher_algbits);
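Review bot: The status label passed to `msg_info` is now a three-level conditional chain with no comment stating the precedence, and the order matters because "Anonymous" must be decided before the matched/trusted tests. I would add above the call: `/* Label precedence: Anonymous (no peer certificate), then Verified, then Trusted, else Untrusted. */`. Since sessions without a peer certificate were previously reported as "Untrusted", it is also worth noting in the comment that log consumers matching on that word will see fewer hits after this change. tls_client_start begins and ends outside the hunk.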