From 4632b19c12f5f15c8e544bc97f164a58a8847233 Mon Sep 17 00:00:00 2001
From: Wietse Venema
Date: Wed, 7 May 2014 00:00:00 -0500
Subject: [PATCH] postfix-2.11.1
---
postfix/HISTORY | 46 +++++++++++++++++
postfix/README_FILES/TLS_README | 80 ++++++++++++++----------------
postfix/html/TLS_README.html | 32 ++++++------
postfix/html/postconf.1.html | 10 +++-
postfix/html/postconf.5.html | 27 +++++-----
postfix/makedefs | 3 ++
postfix/man/man1/postconf.1 | 10 +++-
postfix/man/man5/postconf.5 | 29 +++++------
postfix/proto/TLS_README.html | 32 ++++++------
postfix/proto/postconf.proto | 27 +++++-----
postfix/src/global/mail_version.h | 4 +-
postfix/src/postconf/postconf.c | 10 +++-
postfix/src/smtp/smtp.h | 2 +-
postfix/src/smtp/smtp_connect.c | 7 +--
postfix/src/smtp/smtp_tls_policy.c | 12 +++--
postfix/src/tls/tls_client.c | 4 +-
16 files changed, 195 insertions(+), 140 deletions(-)
diff --git a/postfix/HISTORY b/postfix/HISTORY
index 8482b6195..225b98fea 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -19528,3 +19528,49 @@ Apologies for any names omitted.
20140110-15
Miscellaneous documentation cleanups.
+
+20140116
+
+ Workaround: prepend "-I. -I../../include" to CCARGS, to
+ avoid name clashes with non-Postfix header files. File:
+ makedefs.
+
+20140125
+
+ Cleanup: postconf(1) manpage missing version attribution
+ and incorrect "author" formatting. File: postconf/postconf.c.
+
+20140223
+
+ Logging: the TLS client logged that an "Untrusted" TLS
+ connection was established instead of "Anonymous". Viktor
+ Dukhovni. File: tls/tls_client.c.
+
+20140227
+
+ Bugfix: Enforce TLS when TLSA records exist, but all are
+ unusable; Don't leak dane handle when all TLSA records are
+ unusable. Viktor Dukhovni. File: smtp/smtp_tls_policy.c.
+
+ Cleanup: log TLS policy lookup errors as warnings. Viktor
+ Dukhovni. File: smtp/smtp_connect.c.
+
+20140407
+
+ Documentation: the documentation for Postfix > 2.8 TLS
+ activity logging was incorrect. Loglevel 0 produces no
+ logging. Instead, information is logged only with loglevel
+ 1 or higher. Viktor Dukhovni. Files: proto/TLS_README.html,
+ proto/postconf.proto.
+
+20140507
+
+ Bugfix (introduced: Postfix 2.11): with connection caching
+ enabled (the default), recipients could be given to the
+ wrong mail server. Root cause: due to an incorrect predicate,
+ the Postfix SMTP client could save and restore plaintext
+ connections that should not be cached, under nonsensical
+ lookup keys that did not distinguish by destination. Problem
+ reported by Sahil Tandon, predicate error found by Viktor,
+ redundant connection restore request eliminated by Wietse.
+ File: smtp/smtp_connect.c.
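Review bot: the 20140227 entry names the condition ("TLSA records exist, but all are unusable") but not the resulting behaviour; since the security-relevant outcome of "Enforce TLS" is whether delivery is deferred rather than falling back to plaintext, state that outcome in the entry. The same applies to the 20140507 entry: it says plaintext connections were cached under "nonsensical lookup keys that did not distinguish by destination", and readers of HISTORY would want to know in one clause whether TLS-protected sessions were ever affected by the bad predicate, which the entry currently leaves to inference from "plaintext connections".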
diff --git a/postfix/README_FILES/TLS_README b/postfix/README_FILES/TLS_README
index 404bde7c5..26ac64b42 100644
--- a/postfix/README_FILES/TLS_README
+++ b/postfix/README_FILES/TLS_README
@@ -247,27 +247,25 @@ To get additional information about Postfix SMTP server TLS activity you can
increase the log level from 0..4. Each logging level also includes the
information that is logged at a lower logging level.
- _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
- |LLeevveell|PPoossttffiixx 22..99 aanndd llaatteerr |EEaarrlliieerr rreelleeaasseess.. |
- |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
- |0 |Log only a summary message on TLS |Disable logging of TLS activity.|
- | |handshake completion -- no logging| |
- | |of client certificate trust-chain | |
- | |verification errors if client | |
- | |certificate verification is not | |
- | |required. | |
- |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
- |1 |Also log trust-chain verification |Also log TLS handshake and |
- | |errors and peer certificate |certificate information. |
- | |summary information. | |
- |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
- |2 |Also log levels during TLS negotiation. |
- |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
- |3 |Also log hexadecimal and ASCII dump of TLS negotiation process. |
- |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
- |4 |Also log hexadecimal and ASCII dump of complete transmission after |
- | |STARTTLS. |
- |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
+ |LLeevveell|PPoossttffiixx 22..99 aanndd llaatteerr |EEaarrlliieerr rreelleeaasseess.. |
+ |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ |0 |Disable logging of TLS activity. |
+ |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ |1 |Log only a summary message on TLS |Log the summary message, peer |
+ | |handshake completion -- no logging|certificate summary information|
+ | |of client certificate trust-chain |and unconditionally log trust- |
+ | |verification errors if client |chain verification errors. |
+ | |certificate verification is not | |
+ | |required. | |
+ |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ |2 |Also log levels during TLS negotiation. |
+ |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ |3 |Also log hexadecimal and ASCII dump of TLS negotiation process. |
+ |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ |4 |Also log hexadecimal and ASCII dump of complete transmission after|
+ | |STARTTLS. |
+ |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
Use log level 3 only in case of problems. Use of log level 4 is strongly
discouraged.
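Review bot: the replaced "Earlier releases" cell for level 1 drops the old wording "Also log TLS handshake and certificate information" and now reads "Log the summary message, peer certificate summary information and unconditionally log trust-chain verification errors."; confirm that removing "TLS handshake" information from the description is intentional, since a reader on an earlier release will use this row to predict what appears in the log. Also, the introductory sentence above the table still says "increase the log level from 0..4", which is fine, but with level 0 now meaning "Disable logging" the phrase "Each logging level also includes the information that is logged at a lower logging level" is only true from level 1 upward; a short qualifier there would avoid the apparent contradiction with the "Log only a summary message" wording at level 1.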
@@ -1321,27 +1319,25 @@ To get additional information about Postfix SMTP client TLS activity you can
increase the loglevel from 0..4. Each logging level also includes the
information that is logged at a lower logging level.
- _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
- |LLeevveell|PPoossttffiixx 22..99 aanndd llaatteerr |EEaarrlliieerr rreelleeaasseess.. |
- |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
- |0 |Log only a summary message on TLS |Disable logging of TLS activity.|
- | |handshake completion -- no logging| |
- | |of remote SMTP server certificate | |
- | |trust-chain verification errors if| |
- | |server certificate verification is| |
- | |not required. | |
- |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
- |1 |Also log remote SMTP server trust-|Also log TLS handshake and |
- | |chain verification errors and peer|certificate information. |
- | |certificate summary information. | |
- |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
- |2 |Also log levels during TLS negotiation. |
- |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
- |3 |Also log hexadecimal and ASCII dump of TLS negotiation process. |
- |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
- |4 |Also log hexadecimal and ASCII dump of complete transmission after |
- | |STARTTLS. |
- |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
+ |LLeevveell|PPoossttffiixx 22..99 aanndd llaatteerr |EEaarrlliieerr rreelleeaasseess.. |
+ |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ |0 |Disable logging of TLS activity. |
+ |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ |1 |Log only a summary message on TLS |Log the summary message and |
+ | |handshake completion -- no logging|unconditionally log trust-chain|
+ | |of remote SMTP server certificate |verification errors. |
+ | |trust-chain verification errors if| |
+ | |server certificate verification is| |
+ | |not required. | |
+ |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ |2 |Also log levels during TLS negotiation. |
+ |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ |3 |Also log hexadecimal and ASCII dump of TLS negotiation process. |
+ |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ |4 |Also log hexadecimal and ASCII dump of complete transmission after|
+ | |STARTTLS. |
+ |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
Example:
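Review bot: the client-side "Earlier releases" cell for level 1 reads "Log the summary message and unconditionally log trust-chain verification errors.", while the server-side table edited in the previous hunk also lists "peer certificate summary information" for the same level; confirm whether this asymmetry between SMTP client and SMTP server logging is deliberate, and if not, align the two cells so operators comparing the tables do not conclude the client never logs the peer certificate summary on older releases.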
diff --git a/postfix/html/TLS_README.html b/postfix/html/TLS_README.html
index 50713e4e0..77c09f926 100644
--- a/postfix/html/TLS_README.html
+++ b/postfix/html/TLS_README.html
@@ -384,16 +384,15 @@ logging level.
Level | Postfix 2.9 and later | Earlier
releases. |
- 0 | Log only a summary
+ |
0 | Disable
+logging of TLS activity. |
+
+ 1 | Log only a summary
message on TLS handshake completion — no logging of client
certificate trust-chain verification errors if client certificate
-verification is not required. | Disable logging
-of TLS activity. |
-
- 1 | Also log trust-chain
-verification errors and peer certificate summary information. |
- Also log TLS handshake and certificate information.
- |
+verification is not required. Log the summary
+message, peer certificate summary information and unconditionally log
+trust-chain verification errors. |
2 | Also
log levels during TLS negotiation. |
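Review bot: in the new text the "Postfix 2.9 and later" cell ending "verification is not required." and the "Earlier releases" cell beginning "Log the summary message, peer certificate summary information ..." run together with no visible cell boundary between them in this hunk; verify that the generated HTML keeps the two table cells separate. Also, the diffstat lists both postfix/html/TLS_README.html and postfix/proto/TLS_README.html with identical line counts, and HISTORY attributes the fix to proto/TLS_README.html; make sure the html/ copy is regenerated from proto/ rather than edited by hand, so the two cannot drift apart.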
@@ -1750,16 +1749,15 @@ logging level.
Level | Postfix 2.9 and later | Earlier
releases. |
- 0 | Log only a summary
-message on TLS handshake completion — no logging of remote
-SMTP server certificate trust-chain verification errors if server
-certificate verification is not required. |
-Disable logging of TLS activity. |
+ 0 | Disable
+logging of TLS activity. |
- 1 | Also log remote
-SMTP server trust-chain verification errors and peer certificate
-summary information. | Also log TLS handshake
-and certificate information. |
+ 1 | Log only a summary
+message on TLS handshake completion — no logging of remote SMTP
+server certificate trust-chain verification errors if server certificate
+verification is not required. | Log the summary
+message and unconditionally log trust-chain verification errors.
+ |
2 | Also
log levels during TLS negotiation. |
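Review bot: this hunk mirrors the text README change for the SMTP client table, and inherits the same asymmetry: the "Earlier releases" level-1 cell here omits "peer certificate summary information" that the server table in the earlier hunk includes. Whichever wording is decided on for README_FILES/TLS_README should be applied here and in proto/TLS_README.html in the same commit, since the HTML and the plain-text README are both user-facing.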
diff --git a/postfix/html/postconf.1.html b/postfix/html/postconf.1.html
index ecaed1a25..aa16a13a4 100644
--- a/postfix/html/postconf.1.html
+++ b/postfix/html/postconf.1.html
@@ -123,6 +123,8 @@ POSTCONF(1) POSTCONF(1)
The default is as if "-C all" is specified.
+ This feature is available with Postfix 2.9 and later.
+
-d Print main.cf default parameter settings instead of actual set-
tings. Specify -df to fold long lines for human readability
(Postfix 2.9 and later).
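Review bot: the added sentence "This feature is available with Postfix 2.9 and later." uses a different style from the adjacent -d entry, which expresses the same kind of availability note as a trailing parenthetical "(Postfix 2.9 and later)"; pick one form for the page so the manual reads consistently. It is also worth double-checking that the sentence is attached to the -C option it is meant to describe and not read as qualifying only the preceding "-C all" default clause.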
@@ -330,6 +332,8 @@ POSTCONF(1) POSTCONF(1)
-p Show main.cf parameter settings. This is the default.
+ This feature is available with Postfix 2.11 and later.
+
-P Show master.cf service parameter settings (by default all ser-
vices and all parameters). formatted as one "ser-
vice/type/parameter=value" per line. Specify -Pf to fold long
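Review bot: the trailing context for -P contains a pre-existing typo, "vices and all parameters). formatted as one", where the period after the closing parenthesis should be a comma ("all parameters), formatted as one"); since this hunk already touches the neighbouring -p entry, fixing it here (in the postconf.c source that generates this page, per HISTORY) is cheap. The new "This feature is available with Postfix 2.11 and later." under -p is fine, but note that -p is described as "the default", so readers may wonder what changed in 2.11; a few words clarifying that the explicit -p flag is what is new would help.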
@@ -444,8 +448,10 @@ POSTCONF(1) POSTCONF(1)
The Secure Mailer license must be distributed with this software.
AUTHOR(S)
- Wietse Venema IBM T.J. Watson Research P.O. Box 704 Yorktown
- Heights, NY 10598, USA
+ Wietse Venema
+ IBM T.J. Watson Research
+ P.O. Box 704
+ Yorktown Heights, NY 10598, USA
POSTCONF(1)