mir/postfix
2
0
Fork 0
mirror of https://github.com/vdukhovni/postfix synced 2025-08-29 21:27:57 +00:00
Code Issues Releases Wiki Activity

postfix-2.11.1

Browse Source
This commit is contained in:
Wietse Venema 2014-05-07 00:00:00 -05:00 committed by Viktor Dukhovni
parent 642ad60d9b
commit 4632b19c12
16 changed files with 195 additions and 140 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
postfix/HISTORY
View File

@ -19528,3 +19528,49 @@ Apologies for any names omitted.
20140110-15 20140110-15
Miscellaneous documentation cleanups. Miscellaneous documentation cleanups.
20140116
Workaround: prepend "-I. -I../../include" to CCARGS, to
avoid name clashes with non-Postfix header files. File:
makedefs.
20140125
Cleanup: postconf(1) manpage missing version attribution
and incorrect "author" formatting. File: postconf/postconf.c.
20140223
Logging: the TLS client logged that an "Untrusted" TLS
connection was established instead of "Anonymous". Viktor
Dukhovni. File: tls/tls_client.c.
20140227
Bugfix: Enforce TLS when TLSA records exist, but all are
unusable; Don't leak dane handle when all TLSA records are
unusable. Viktor Dukhovni. File: smtp/smtp_tls_policy.c.
Cleanup: log TLS policy lookup errors as warnings. Viktor
Dukhovni. File: smtp/smtp_connect.c.
20140407
Documentation: the documentation for Postfix > 2.8 TLS
activity logging was incorrect. Loglevel 0 produces no
logging. Instead, information is logged only with loglevel
1 or higher. Viktor Dukhovni. Files: proto/TLS_README.html,
proto/postconf.proto.
20140507
Bugfix (introduced: Postfix 2.11): with connection caching
enabled (the default), recipients could be given to the
wrong mail server. Root cause: due to an incorrect predicate,
the Postfix SMTP client could save and restore plaintext
connections that should not be cached, under nonsensical
lookup keys that did not distinguish by destination. Problem
reported by Sahil Tandon, predicate error found by Viktor,
redundant connection restore request eliminated by Wietse.
File: smtp/smtp_connect.c.

80
postfix/README_FILES/TLS_README
View File

@ -247,27 +247,25 @@ To get additional information about Postfix SMTP server TLS activity you can
increase the log level from 0..4. Each logging level also includes the increase the log level from 0..4. Each logging level also includes the
information that is logged at a lower logging level. information that is logged at a lower logging level.
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
|LLeevveell|PPoossttffiixx 22..99 aanndd llaatteerr |EEaarrlliieerr rreelleeaasseess.. | |LLeevveell|PPoossttffiixx 22..99 aanndd llaatteerr |EEaarrlliieerr rreelleeaasseess.. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|0 |Log only a summary message on TLS |Disable logging of TLS activity.| |0 |Disable logging of TLS activity. |
| |handshake completion -- no logging| | |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
| |of client certificate trust-chain | | |1 |Log only a summary message on TLS |Log the summary message, peer |
| |verification errors if client | | | |handshake completion -- no logging|certificate summary information|
| |certificate verification is not | | | |of client certificate trust-chain |and unconditionally log trust- |
| |required. | | | |verification errors if client |chain verification errors. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | | |certificate verification is not | |
|1 |Also log trust-chain verification |Also log TLS handshake and | | |required. | |
| |errors and peer certificate |certificate information. | |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
| |summary information. | | |2 |Also log levels during TLS negotiation. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|2 |Also log levels during TLS negotiation. | |3 |Also log hexadecimal and ASCII dump of TLS negotiation process. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|3 |Also log hexadecimal and ASCII dump of TLS negotiation process. | |4 |Also log hexadecimal and ASCII dump of complete transmission after|
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | | |STARTTLS. |
|4 |Also log hexadecimal and ASCII dump of complete transmission after | |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
| |STARTTLS. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
Use log level 3 only in case of problems. Use of log level 4 is strongly Use log level 3 only in case of problems. Use of log level 4 is strongly
discouraged. discouraged.
@ -1321,27 +1319,25 @@ To get additional information about Postfix SMTP client TLS activity you can
increase the loglevel from 0..4. Each logging level also includes the increase the loglevel from 0..4. Each logging level also includes the
information that is logged at a lower logging level. information that is logged at a lower logging level.
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
|LLeevveell|PPoossttffiixx 22..99 aanndd llaatteerr |EEaarrlliieerr rreelleeaasseess.. | |LLeevveell|PPoossttffiixx 22..99 aanndd llaatteerr |EEaarrlliieerr rreelleeaasseess.. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|0 |Log only a summary message on TLS |Disable logging of TLS activity.| |0 |Disable logging of TLS activity. |
| |handshake completion -- no logging| | |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
| |of remote SMTP server certificate | | |1 |Log only a summary message on TLS |Log the summary message and |
| |trust-chain verification errors if| | | |handshake completion -- no logging|unconditionally log trust-chain|
| |server certificate verification is| | | |of remote SMTP server certificate |verification errors. |
| |not required. | | | |trust-chain verification errors if| |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | | |server certificate verification is| |
|1 |Also log remote SMTP server trust-|Also log TLS handshake and | | |not required. | |
| |chain verification errors and peer|certificate information. | |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
| |certificate summary information. | | |2 |Also log levels during TLS negotiation. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|2 |Also log levels during TLS negotiation. | |3 |Also log hexadecimal and ASCII dump of TLS negotiation process. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|3 |Also log hexadecimal and ASCII dump of TLS negotiation process. | |4 |Also log hexadecimal and ASCII dump of complete transmission after|
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | | |STARTTLS. |
|4 |Also log hexadecimal and ASCII dump of complete transmission after | |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
| |STARTTLS. |
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
Example: Example:

32
postfix/html/TLS_README.html
View File

@ -384,16 +384,15 @@ logging level. </p>
<tr> <th> Level </th> <th> Postfix 2.9 and later</th> <th> Earlier <tr> <th> Level </th> <th> Postfix 2.9 and later</th> <th> Earlier
releases. </th> </tr> releases. </th> </tr>
<tr> <td valign="top"> 0 </td> <td valign="top"> Log only a summary <tr> <td valign="top"> 0 </td> <td valign="top" colspan="2"> Disable
logging of TLS activity. </td> </tr>
<tr> <td valign="top"> 1 </td> <td valign="top"> Log only a summary
message on TLS handshake completion &mdash; no logging of client message on TLS handshake completion &mdash; no logging of client
certificate trust-chain verification errors if client certificate certificate trust-chain verification errors if client certificate
verification is not required. </td> <td valign="top"> Disable logging verification is not required. </td> <td valign="top"> Log the summary
of TLS activity.</td> </tr> message, peer certificate summary information and unconditionally log
trust-chain verification errors. </td> </tr>
<tr> <td valign="top"> 1 </td> <td valign="top"> Also log trust-chain
verification errors and peer certificate summary information. </td>
<td valign="top"> Also log TLS handshake and certificate information.
</td> </tr>
<tr> <td valign="top"> 2 </td> <td valign="top" colspan="2"> Also <tr> <td valign="top"> 2 </td> <td valign="top" colspan="2"> Also
log levels during TLS negotiation. </td> </tr> log levels during TLS negotiation. </td> </tr>
@ -1750,16 +1749,15 @@ logging level. </p>
<tr> <th> Level </th> <th> Postfix 2.9 and later</th> <th> Earlier <tr> <th> Level </th> <th> Postfix 2.9 and later</th> <th> Earlier
releases. </th> </tr> releases. </th> </tr>
<tr> <td valign="top"> 0 </td> <td valign="top"> Log only a summary <tr> <td valign="top"> 0 </td> <td valign="top" colspan="2"> Disable
message on TLS handshake completion &mdash; no logging of remote logging of TLS activity. </td> </tr>
SMTP server certificate trust-chain verification errors if server
certificate verification is not required. </td> <td valign="top">
Disable logging of TLS activity.</td> </tr>
<tr> <td valign="top"> 1 </td> <td valign="top"> Also log remote <tr> <td valign="top"> 1 </td> <td valign="top"> Log only a summary
SMTP server trust-chain verification errors and peer certificate message on TLS handshake completion &mdash; no logging of remote SMTP
summary information. </td> <td valign="top"> Also log TLS handshake server certificate trust-chain verification errors if server certificate
and certificate information. </td> </tr> verification is not required. </td> <td valign="top"> Log the summary
message and unconditionally log trust-chain verification errors.
</td> </tr>
<tr> <td valign="top"> 2 </td> <td valign="top" colspan="2"> Also <tr> <td valign="top"> 2 </td> <td valign="top" colspan="2"> Also
log levels during TLS negotiation. </td> </tr> log levels during TLS negotiation. </td> </tr>

10
postfix/html/postconf.1.html
View File

@ -123,6 +123,8 @@ POSTCONF(1) POSTCONF(1)
The default is as if "<b>-C all</b>" is specified. The default is as if "<b>-C all</b>" is specified.
This feature is available with Postfix 2.9 and later.
<b>-d</b> Print <a href="postconf.5.html"><b>main.cf</b></a> default parameter settings instead of actual set- <b>-d</b> Print <a href="postconf.5.html"><b>main.cf</b></a> default parameter settings instead of actual set-
tings. Specify <b>-df</b> to fold long lines for human readability tings. Specify <b>-df</b> to fold long lines for human readability
(Postfix 2.9 and later). (Postfix 2.9 and later).
@ -330,6 +332,8 @@ POSTCONF(1) POSTCONF(1)
<b>-p</b> Show <a href="postconf.5.html"><b>main.cf</b></a> parameter settings. This is the default. <b>-p</b> Show <a href="postconf.5.html"><b>main.cf</b></a> parameter settings. This is the default.
This feature is available with Postfix 2.11 and later.
<b>-P</b> Show <a href="master.5.html"><b>master.cf</b></a> service parameter settings (by default all ser- <b>-P</b> Show <a href="master.5.html"><b>master.cf</b></a> service parameter settings (by default all ser-
vices and all parameters). formatted as one "<i>ser-</i> vices and all parameters). formatted as one "<i>ser-</i>
<i>vice/type/parameter=value</i>" per line. Specify <b>-Pf</b> to fold long <i>vice/type/parameter=value</i>" per line. Specify <b>-Pf</b> to fold long
@ -444,8 +448,10 @@ POSTCONF(1) POSTCONF(1)
The Secure Mailer license must be distributed with this software. The Secure Mailer license must be distributed with this software.
<b>AUTHOR(S)</b> <b>AUTHOR(S)</b>
Wietse Venema IBM T.J. Watson Research P.O. Box 704 Yorktown Wietse Venema
Heights, NY 10598, USA IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
POSTCONF(1) POSTCONF(1)
</pre> </body> </html> </pre> </body> </html>

27
postfix/html/postconf.5.html
View File

@ -8600,7 +8600,7 @@ Examples:
<pre> <pre>
# Handle both Postfix and qmail extensions (Postfix 2.11 and later). # Handle both Postfix and qmail extensions (Postfix 2.11 and later).
recipient_delimiters = +- <a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> = +-
</pre> </pre>
<pre> <pre>
@ -11362,14 +11362,13 @@ a lower logging level. </p>
<dl compact> <dl compact>
<dt> </dt> <dd> 0 Log only a summary message on TLS handshake completion <dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>
<dt> </dt> <dd> 1 Log only a summary message on TLS handshake completion
&mdash; no logging of remote SMTP server certificate trust-chain &mdash; no logging of remote SMTP server certificate trust-chain
verification errors if server certificate verification is not required. verification errors if server certificate verification is not required.
With Postfix 2.8 and earlier, disable logging of TLS activity. </dd> With Postfix 2.8 and earlier, log the summary message and unconditionally
log trust-chain verification errors. </dd>
<dt> </dt> <dd> 1 Also log remote SMTP server trust-chain verification
errors and peer certificate summary information. With Postfix 2.8
and earlier, log TLS handshake and certificate information. </dd>
<dt> </dt> <dd> 2 Also log levels during TLS negotiation. </dd> <dt> </dt> <dd> 2 Also log levels during TLS negotiation. </dd>
@ -15555,15 +15554,13 @@ a lower logging level. </p>
<dl compact> <dl compact>
<dt> </dt> <dd> 0 Log only a summary message on TLS handshake completion <dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>
&mdash; no logging of remote SMTP client certificate trust-chain verification
errors
if client certificate verification is not required. With Postfix 2.8
and earlier, disable logging of TLS activity. </dd>
<dt> </dt> <dd> 1 Also log trust-chain verification errors and peer <dt> </dt> <dd> 1 Log only a summary message on TLS handshake completion
certificate name and issuer. With Postfix 2.8 and earlier, log TLS &mdash; no logging of client certificate trust-chain verification errors
handshake and certificate information. </dd> if client certificate verification is not required. With Postfix 2.8 and
earlier, log the summary message, peer certificate summary information
and unconditionally log trust-chain verification errors. </dd>
<dt> </dt> <dd> 2 Also log levels during TLS negotiation. </dd> <dt> </dt> <dd> 2 Also log levels during TLS negotiation. </dd>

3
postfix/makedefs
View File

@ -638,6 +638,9 @@ export SYSTYPE AR ARFL RANLIB SYSLIBS CC OPT DEBUG AWK OPTS
# needed before the code stabilizes. # needed before the code stabilizes.
#CCARGS="$CCARGS -DNONPROD" #CCARGS="$CCARGS -DNONPROD"
# Workaround: prepend Postfix include files before other include files.
CCARGS="-I. -I../../include $CCARGS"
sed 's/ / /g' <<EOF sed 's/ / /g' <<EOF
SYSTYPE = $SYSTYPE SYSTYPE = $SYSTYPE
AR = $AR AR = $AR

10
postfix/man/man1/postconf.1
View File

@ -143,6 +143,8 @@ All the above classes.
.IP .IP
The default is as if "\fB-C all\fR" is The default is as if "\fB-C all\fR" is
specified. specified.
This feature is available with Postfix 2.9 and later.
.IP \fB-d\fR .IP \fB-d\fR
Print \fBmain.cf\fR default parameter settings instead of Print \fBmain.cf\fR default parameter settings instead of
actual settings. actual settings.
@ -347,6 +349,8 @@ Override \fBmain.cf\fR parameter settings.
This feature is available with Postfix 2.10 and later. This feature is available with Postfix 2.10 and later.
.IP \fB-p\fR .IP \fB-p\fR
Show \fBmain.cf\fR parameter settings. This is the default. Show \fBmain.cf\fR parameter settings. This is the default.
This feature is available with Postfix 2.11 and later.
.IP \fB-P\fR .IP \fB-P\fR
Show \fBmaster.cf\fR service parameter settings (by default Show \fBmaster.cf\fR service parameter settings (by default
all services and all parameters). formatted as one all services and all parameters). formatted as one
@ -486,5 +490,7 @@ software.
.SH "AUTHOR(S)" .SH "AUTHOR(S)"
.na .na
.nf .nf
Wietse Venema IBM T.J. Watson Research P.O. Box 704 Yorktown Wietse Venema
Heights, NY 10598, USA IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA

29
postfix/man/man5/postconf.5
View File

@ -5176,7 +5176,7 @@ recipient_delimiter = +
.na .na
.ft C .ft C
# Handle both Postfix and qmail extensions (Postfix 2.11 and later). # Handle both Postfix and qmail extensions (Postfix 2.11 and later).
recipient_delimiters = +- recipient_delimiter = +-
.fi .fi
.ad .ad
.ft R .ft R
@ -7120,15 +7120,14 @@ Enable additional Postfix SMTP client logging of TLS activity.
Each logging level also includes the information that is logged at Each logging level also includes the information that is logged at
a lower logging level. a lower logging level.
.IP "" .IP ""
0 Log only a summary message on TLS handshake completion 0 Disable logging of TLS activity.
- no logging of remote SMTP server certificate trust-chain
verification errors if server certificate verification is not required.
With Postfix 2.8 and earlier, disable logging of TLS activity.
.br .br
.IP "" .IP ""
1 Also log remote SMTP server trust-chain verification 1 Log only a summary message on TLS handshake completion
errors and peer certificate summary information. With Postfix 2.8 - no logging of remote SMTP server certificate trust-chain
and earlier, log TLS handshake and certificate information. verification errors if server certificate verification is not required.
With Postfix 2.8 and earlier, log the summary message and unconditionally
log trust-chain verification errors.
.br .br
.IP "" .IP ""
2 Also log levels during TLS negotiation. 2 Also log levels during TLS negotiation.
@ -10554,16 +10553,14 @@ Enable additional Postfix SMTP server logging of TLS activity.
Each logging level also includes the information that is logged at Each logging level also includes the information that is logged at
a lower logging level. a lower logging level.
.IP "" .IP ""
0 Log only a summary message on TLS handshake completion 0 Disable logging of TLS activity.
- no logging of remote SMTP client certificate trust-chain verification
errors
if client certificate verification is not required. With Postfix 2.8
and earlier, disable logging of TLS activity.
.br .br
.IP "" .IP ""
1 Also log trust-chain verification errors and peer 1 Log only a summary message on TLS handshake completion
certificate name and issuer. With Postfix 2.8 and earlier, log TLS - no logging of client certificate trust-chain verification errors
handshake and certificate information. if client certificate verification is not required. With Postfix 2.8 and
earlier, log the summary message, peer certificate summary information
and unconditionally log trust-chain verification errors.
.br .br
.IP "" .IP ""
2 Also log levels during TLS negotiation. 2 Also log levels during TLS negotiation.

32
postfix/proto/TLS_README.html
View File

@ -384,16 +384,15 @@ logging level. </p>
<tr> <th> Level </th> <th> Postfix 2.9 and later</th> <th> Earlier <tr> <th> Level </th> <th> Postfix 2.9 and later</th> <th> Earlier
releases. </th> </tr> releases. </th> </tr>
<tr> <td valign="top"> 0 </td> <td valign="top"> Log only a summary <tr> <td valign="top"> 0 </td> <td valign="top" colspan="2"> Disable
logging of TLS activity. </td> </tr>
<tr> <td valign="top"> 1 </td> <td valign="top"> Log only a summary
message on TLS handshake completion &mdash; no logging of client message on TLS handshake completion &mdash; no logging of client
certificate trust-chain verification errors if client certificate certificate trust-chain verification errors if client certificate
verification is not required. </td> <td valign="top"> Disable logging verification is not required. </td> <td valign="top"> Log the summary
of TLS activity.</td> </tr> message, peer certificate summary information and unconditionally log
trust-chain verification errors. </td> </tr>
<tr> <td valign="top"> 1 </td> <td valign="top"> Also log trust-chain
verification errors and peer certificate summary information. </td>
<td valign="top"> Also log TLS handshake and certificate information.
</td> </tr>
<tr> <td valign="top"> 2 </td> <td valign="top" colspan="2"> Also <tr> <td valign="top"> 2 </td> <td valign="top" colspan="2"> Also
log levels during TLS negotiation. </td> </tr> log levels during TLS negotiation. </td> </tr>
@ -1750,16 +1749,15 @@ logging level. </p>
<tr> <th> Level </th> <th> Postfix 2.9 and later</th> <th> Earlier <tr> <th> Level </th> <th> Postfix 2.9 and later</th> <th> Earlier
releases. </th> </tr> releases. </th> </tr>
<tr> <td valign="top"> 0 </td> <td valign="top"> Log only a summary <tr> <td valign="top"> 0 </td> <td valign="top" colspan="2"> Disable
message on TLS handshake completion &mdash; no logging of remote logging of TLS activity. </td> </tr>
SMTP server certificate trust-chain verification errors if server
certificate verification is not required. </td> <td valign="top">
Disable logging of TLS activity.</td> </tr>
<tr> <td valign="top"> 1 </td> <td valign="top"> Also log remote <tr> <td valign="top"> 1 </td> <td valign="top"> Log only a summary
SMTP server trust-chain verification errors and peer certificate message on TLS handshake completion &mdash; no logging of remote SMTP
summary information. </td> <td valign="top"> Also log TLS handshake server certificate trust-chain verification errors if server certificate
and certificate information. </td> </tr> verification is not required. </td> <td valign="top"> Log the summary
message and unconditionally log trust-chain verification errors.
</td> </tr>
<tr> <td valign="top"> 2 </td> <td valign="top" colspan="2"> Also <tr> <td valign="top"> 2 </td> <td valign="top" colspan="2"> Also
log levels during TLS negotiation. </td> </tr> log levels during TLS negotiation. </td> </tr>

27
postfix/proto/postconf.proto
View File

@ -3546,7 +3546,7 @@ recipient_delimiter = +
<pre> <pre>
# Handle both Postfix and qmail extensions (Postfix 2.11 and later). # Handle both Postfix and qmail extensions (Postfix 2.11 and later).
recipient_delimiters = +- recipient_delimiter = +-
</pre> </pre>
<pre> <pre>
@ -9127,15 +9127,13 @@ a lower logging level. </p>
<dl compact> <dl compact>
<dt> </dt> <dd> 0 Log only a summary message on TLS handshake completion <dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>
&mdash; no logging of remote SMTP client certificate trust-chain verification
errors
if client certificate verification is not required. With Postfix 2.8
and earlier, disable logging of TLS activity. </dd>
<dt> </dt> <dd> 1 Also log trust-chain verification errors and peer <dt> </dt> <dd> 1 Log only a summary message on TLS handshake completion
certificate name and issuer. With Postfix 2.8 and earlier, log TLS &mdash; no logging of client certificate trust-chain verification errors
handshake and certificate information. </dd> if client certificate verification is not required. With Postfix 2.8 and
earlier, log the summary message, peer certificate summary information
and unconditionally log trust-chain verification errors. </dd>
<dt> </dt> <dd> 2 Also log levels during TLS negotiation. </dd> <dt> </dt> <dd> 2 Also log levels during TLS negotiation. </dd>
@ -9551,14 +9549,13 @@ a lower logging level. </p>
<dl compact> <dl compact>
<dt> </dt> <dd> 0 Log only a summary message on TLS handshake completion <dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>
<dt> </dt> <dd> 1 Log only a summary message on TLS handshake completion
&mdash; no logging of remote SMTP server certificate trust-chain &mdash; no logging of remote SMTP server certificate trust-chain
verification errors if server certificate verification is not required. verification errors if server certificate verification is not required.
With Postfix 2.8 and earlier, disable logging of TLS activity. </dd> With Postfix 2.8 and earlier, log the summary message and unconditionally
log trust-chain verification errors. </dd>
<dt> </dt> <dd> 1 Also log remote SMTP server trust-chain verification
errors and peer certificate summary information. With Postfix 2.8
and earlier, log TLS handshake and certificate information. </dd>
<dt> </dt> <dd> 2 Also log levels during TLS negotiation. </dd> <dt> </dt> <dd> 2 Also log levels during TLS negotiation. </dd>

4
postfix/src/global/mail_version.h
View File

@ -20,8 +20,8 @@
* Patches change both the patchlevel and the release date. Snapshots have no * Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only. * patchlevel; they change the release date only.
*/ */
#define MAIL_RELEASE_DATE "20140115" #define MAIL_RELEASE_DATE "20140507"
#define MAIL_VERSION_NUMBER "2.11.0" #define MAIL_VERSION_NUMBER "2.11.1"
#ifdef SNAPSHOT #ifdef SNAPSHOT
#define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE

10
postfix/src/postconf/postconf.c
View File

@ -137,6 +137,8 @@
/* .IP /* .IP
/* The default is as if "\fB-C all\fR" is /* The default is as if "\fB-C all\fR" is
/* specified. /* specified.
/*
/* This feature is available with Postfix 2.9 and later.
/* .IP \fB-d\fR /* .IP \fB-d\fR
/* Print \fBmain.cf\fR default parameter settings instead of /* Print \fBmain.cf\fR default parameter settings instead of
/* actual settings. /* actual settings.
@ -341,6 +343,8 @@
/* This feature is available with Postfix 2.10 and later. /* This feature is available with Postfix 2.10 and later.
/* .IP \fB-p\fR /* .IP \fB-p\fR
/* Show \fBmain.cf\fR parameter settings. This is the default. /* Show \fBmain.cf\fR parameter settings. This is the default.
/*
/* This feature is available with Postfix 2.11 and later.
/* .IP \fB-P\fR /* .IP \fB-P\fR
/* Show \fBmaster.cf\fR service parameter settings (by default /* Show \fBmaster.cf\fR service parameter settings (by default
/* all services and all parameters). formatted as one /* all services and all parameters). formatted as one
@ -464,8 +468,10 @@
/* The Secure Mailer license must be distributed with this /* The Secure Mailer license must be distributed with this
/* software. /* software.
/* AUTHOR(S) /* AUTHOR(S)
/* Wietse Venema IBM T.J. Watson Research P.O. Box 704 Yorktown /* Wietse Venema
/* Heights, NY 10598, USA /* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
/*--*/ /*--*/
/* System library. */ /* System library. */

2
postfix/src/smtp/smtp.h
View File

@ -195,7 +195,7 @@ typedef struct SMTP_STATE {
STR((state)->iterator->request_nexthop)[0] = 0; \ STR((state)->iterator->request_nexthop)[0] = 0; \
} }
#define HAVE_NEXTHOP_STATE(state) (STR((state)->iterator->request_nexthop) != 0) #define HAVE_NEXTHOP_STATE(state) (STR((state)->iterator->request_nexthop)[0] != 0)
/* /*

7
postfix/src/smtp/smtp_connect.c
View File

@ -510,7 +510,7 @@ static void smtp_connect_local(SMTP_STATE *state, const char *path)
*/ */
#ifdef USE_TLS #ifdef USE_TLS
if (!smtp_tls_policy_cache_query(why, state->tls, iter)) { if (!smtp_tls_policy_cache_query(why, state->tls, iter)) {
msg_info("TLS policy lookup error for %s/%s: %s", msg_warn("TLS policy lookup error for %s/%s: %s",
STR(iter->host), STR(iter->addr), STR(why->reason)); STR(iter->host), STR(iter->addr), STR(why->reason));
return; return;
} }
@ -666,6 +666,7 @@ static int smtp_reuse_session(SMTP_STATE *state, DNS_RR **addr_list,
#endif #endif
SMTP_ITER_SAVE_DEST(state->iterator); SMTP_ITER_SAVE_DEST(state->iterator);
if (*addr_list && SMTP_RCPT_LEFT(state) > 0 if (*addr_list && SMTP_RCPT_LEFT(state) > 0
&& HAVE_NEXTHOP_STATE(state)
&& (session = smtp_reuse_nexthop(state, SMTP_KEY_MASK_SCACHE_DEST_LABEL)) != 0) { && (session = smtp_reuse_nexthop(state, SMTP_KEY_MASK_SCACHE_DEST_LABEL)) != 0) {
session_count = 1; session_count = 1;
smtp_update_addr_list(addr_list, STR(iter->addr), session_count); smtp_update_addr_list(addr_list, STR(iter->addr), session_count);
@ -716,7 +717,7 @@ static int smtp_reuse_session(SMTP_STATE *state, DNS_RR **addr_list,
iter->rr = addr; iter->rr = addr;
#ifdef USE_TLS #ifdef USE_TLS
if (!smtp_tls_policy_cache_query(why, state->tls, iter)) { if (!smtp_tls_policy_cache_query(why, state->tls, iter)) {
msg_info("TLS policy lookup error for %s/%s: %s", msg_warn("TLS policy lookup error for %s/%s: %s",
STR(iter->dest), STR(iter->host), STR(why->reason)); STR(iter->dest), STR(iter->host), STR(why->reason));
continue; continue;
/* XXX Assume there is no code at the end of this loop. */ /* XXX Assume there is no code at the end of this loop. */
@ -956,7 +957,7 @@ static void smtp_connect_inet(SMTP_STATE *state, const char *nexthop,
iter->rr = addr; iter->rr = addr;
#ifdef USE_TLS #ifdef USE_TLS
if (!smtp_tls_policy_cache_query(why, state->tls, iter)) { if (!smtp_tls_policy_cache_query(why, state->tls, iter)) {
msg_info("TLS policy lookup for %s/%s: %s", msg_warn("TLS policy lookup for %s/%s: %s",
STR(iter->dest), STR(iter->host), STR(why->reason)); STR(iter->dest), STR(iter->host), STR(why->reason));
continue; continue;
/* XXX Assume there is no code at the end of this loop. */ /* XXX Assume there is no code at the end of this loop. */

12
postfix/src/smtp/smtp_tls_policy.c
View File

@ -525,8 +525,8 @@ static void *policy_create(const char *unused_key, void *context)
/* /*
* DANE initialization may change the security level to something else, * DANE initialization may change the security level to something else,
* so do this early, so that we use the right level below. Note that * so do this early, so that we use the right level below. Note that
* "dane-only" changes to "dane" after any fallback strategies are * "dane-only" changes to "dane" once we obtain the requisite TLSA
* applied. * records.
*/ */
if (tls->level == TLS_LEV_DANE || tls->level == TLS_LEV_DANE_ONLY) if (tls->level == TLS_LEV_DANE || tls->level == TLS_LEV_DANE_ONLY)
dane_init(tls, iter); dane_init(tls, iter);
@ -706,6 +706,7 @@ static int global_tls_level(void)
#define NONDANE_CONFIG 0 /* Administrator's fault */ #define NONDANE_CONFIG 0 /* Administrator's fault */
#define NONDANE_DEST 1 /* Remote server's fault */ #define NONDANE_DEST 1 /* Remote server's fault */
#define DANE_UNUSABLE 2 /* Remote server's fault */
static void PRINTFLIKE(4, 5) dane_incompat(SMTP_TLS_POLICY *tls, static void PRINTFLIKE(4, 5) dane_incompat(SMTP_TLS_POLICY *tls,
SMTP_ITERATOR *iter, SMTP_ITERATOR *iter,
@ -716,12 +717,12 @@ static void PRINTFLIKE(4, 5) dane_incompat(SMTP_TLS_POLICY *tls,
va_start(ap, fmt); va_start(ap, fmt);
if (tls->level == TLS_LEV_DANE) { if (tls->level == TLS_LEV_DANE) {
tls->level = TLS_LEV_MAY; tls->level = (errtype == DANE_UNUSABLE) ? TLS_LEV_ENCRYPT : TLS_LEV_MAY;
if (errtype == NONDANE_CONFIG) if (errtype == NONDANE_CONFIG)
vmsg_warn(fmt, ap); vmsg_warn(fmt, ap);
else if (msg_verbose) else if (msg_verbose)
vmsg_info(fmt, ap); vmsg_info(fmt, ap);
} else { } else { /* dane-only */
if (errtype == NONDANE_CONFIG) { if (errtype == NONDANE_CONFIG) {
vmsg_warn(fmt, ap); vmsg_warn(fmt, ap);
MARK_INVALID(tls->why, &tls->level); MARK_INVALID(tls->why, &tls->level);
@ -816,7 +817,8 @@ static void dane_init(SMTP_TLS_POLICY *tls, SMTP_ITERATOR *iter)
* given verifier some of the CAs are surely not trustworthy). * given verifier some of the CAs are surely not trustworthy).
*/ */
if (tls_dane_unusable(dane)) { if (tls_dane_unusable(dane)) {
dane_incompat(tls, iter, NONDANE_DEST, "TLSA records unusable"); dane_incompat(tls, iter, DANE_UNUSABLE, "TLSA records unusable");
tls_dane_free(dane);
return; return;
} }

4
postfix/src/tls/tls_client.c
View File

@ -1045,7 +1045,9 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props)
*/ */
if (log_mask & TLS_LOG_SUMMARY) if (log_mask & TLS_LOG_SUMMARY)
msg_info("%s TLS connection established to %s: %s with cipher %s " msg_info("%s TLS connection established to %s: %s with cipher %s "
"(%d/%d bits)", TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" : "(%d/%d bits)",
!TLS_CERT_IS_PRESENT(TLScontext) ? "Anonymous" :
TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" :
TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : "Untrusted", TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : "Untrusted",
props->namaddr, TLScontext->protocol, TLScontext->cipher_name, props->namaddr, TLScontext->protocol, TLScontext->cipher_name,
TLScontext->cipher_usebits, TLScontext->cipher_algbits); TLScontext->cipher_usebits, TLScontext->cipher_algbits);