diff --git a/postfix/HISTORY b/postfix/HISTORY
index 9b28f52bb..b4aff9e13 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -20321,4 +20321,41 @@ Apologies for any names omitted. a session how many times each SMTP command was successfully invoked, followed by the total number of invocations if it is different. File: smtpd/smtpd.c. - + +20140802 + + Workaround: detect mis-configuration where Postfix talks + to the Dovecot master socket instead of the Dovecot userdb + socket. Timo Sirainen. File: xsasl/xsasl_dovecot_server.c. + +20140904 + + Logging: the MySQL client now logs a warning when a match + against the "domain" list fails due to table lookup error + (hte underlying mechanism already logs a warning, but it + has less context information). File: global/dict_mysql.c. + +20140905 + + Feature: support to fall back to an unauthenticated TLS + security level ("may" or "encrypt) when the Postfix SMTP + client cannot establish the preferred authenticated TLS + security level ("dane", "dane-only", "fingerprint", "verify", + or "secure"). The fall-back levels may be specified globally + with the smtp_tls_fallback_level parameter or in per-site + TLS policies with the "fallback" attribute. Viktor Dukhovni. + Files: mantools/postlink, proto/TLS_README.html, + ./proto/postconf.proto, global/mail_params.h, smtp/lmtp_params.c, + smtp/smtp.c, smtp/smtp.h, smtp/smtp_connect.c, smtp/smtp_params.c, + smtp/smtp_proto.c, smtp/smtp_tls_policy.c, smtp/smtp_trouble.c. + + Feature TLS audit logging, controlled with the + smtp_tls_audit_template parameter. This may be configured + to log TLS session properties at the end of each SMTP mail + delivery over TLS, for successful and failed deliveries. + This logging makes smtp_tls_loglevel=1 handshake logging + mostly redundant. Viktor Dukhovni. Files: mantools/postlink, + proto/TLS_README.html, ./proto/postconf.proto, + global/mail_params.h, smtp/Makefile.in, smtp/lmtp_params.c, + smtp/smtp.c, smtp/smtp.h, smtp/smtp_params.c, smtp/smtp_proto.c, + smtp_tls_audit.c, tls/tls.h, util/mac_expand.c. 
diff --git a/postfix/README_FILES/SMTPUTF8_README b/postfix/README_FILES/SMTPUTF8_README index 7206e71b8..26d4d3f73 100644 --- a/postfix/README_FILES/SMTPUTF8_README +++ b/postfix/README_FILES/SMTPUTF8_README @@ -22,9 +22,6 @@ Topics covered in this document: EEnnaabblliinngg PPoossttffiixx SSMMTTPPUUTTFF88 ssuuppppoorrtt -By default, Postfix SMTPUTF8 support is disabled. Thus, Postfix should work -exactly as it has worked before SMTPUTF8 support was implemented. - Before turning on SMTPUTF8 support in Postfix, you need to verify that the rest of your email infrastructure can handle UTF-8 email addresses and message header values, including SMTPUTF8 protocol support in SMTP-based content @@ -33,8 +30,8 @@ filters (Amavisd), LMTP servers (Dovecot), and down-stream SMTP servers. SMTPUTF8 support is enabled by setting the smtputf8_enable parameter in main.cf: - # postconf "smtputf8_enable = yes" - # postfix reload + # ppoossttccoonnff ""ssmmttppuuttff88__eennaabbllee == yyeess"" + # ppoossttffiixx rreellooaadd With SMTPUTF8 support enabled, Postfix changes behavior as follows: @@ -45,7 +42,7 @@ With SMTPUTF8 support enabled, Postfix changes behavior as follows: * The Postfix SMTP server announces SMTPUTF8 support in the EHLO response. 220 server.example.com ESMTP Postfix - EHLO client.example.com + EEHHLLOO cclliieenntt..eexxaammppllee..ccoomm 250-server.example.com 250-PIPELINING 250-SIZE 10240000 @@ -61,20 +58,20 @@ With SMTPUTF8 support enabled, Postfix changes behavior as follows: * The Postfix SMTP server accepts the SMTPUTF8 request in MAIL FROM and VRFY commands. - MAIL FROM:
SMTPUTF8 ... + MMAAIILL FFRROOMM::<> SSMMTTPPUUTTFF88 ...... - VRFY address SMTPUTF8 + VVRRFFYY aaddddrreessss SSMMTTPPUUTTFF88 * The Postfix SMTP client may issue the SMTPUTF8 request in MAIL FROM commands. - * Postfix already permitted UTF-8 in message header values and in address - localparts. This does not change. - * The Postfix SMTP server accepts UTF-8 in email address domains, but only after the remote SMTP client client issues the SMTPUTF8 request in MAIL FROM or VRFY commands. +Postfix already permitted UTF-8 in message header values and in address +localparts. This does not change. + UUssiinngg PPoossttffiixx SSMMTTPPUUTTFF88 ssuuppppoorrtt After Postfix SMTPUTF8 support is turned on, Postfix behavior will depend on 1) @@ -155,7 +152,9 @@ disabled. LLiimmiittaattiioonnss ooff tthhee ccuurrrreenntt iimmpplleemmeennttaattiioonn "Internationalized" domain names can appear in two forms: the UTF-8 form, and -the ASCII (xn--mumble) form. +the ASCII (xn--mumble) form. The initial Postfix SMTPUTF8 implementation +performs no automatic conversions on UTF8 strings beyond what is needed to +perform DNS lookups. NNoo cchhaarraacctteerrsseett ccaannoonniiccaalliizzaattiioonn ffoorr nnoonn--AASSCCIIII ddoommaaiinn nnaammeess.. @@ -186,9 +185,9 @@ will have to apply RFC 2047 encoding to satisfy that last condition. PPrree--eexxiissttiinngg nnoonn--AASSCCIIII eemmaaiill fflloowwss In pre-SMTPUTF8 environments, email with UTF-8 in address localparts (and in -headers) works just fine because the vast majority of email software including -Postfix is perfectly capable of handling such email, even if pre-SMTPUTF8 -standards do not support this. +headers) works just fine. The vast majority of email software including Postfix +is perfectly capable of handling such email, even if pre-SMTPUTF8 standards do +not support this. Therefore, when Postfix SMTPUTF8 support is turned on, Postfix must not suddenly start to break pre-existing email flows with UTF-8 in addres 
@@ -204,7 +203,7 @@ Postfix SMTPUTF8 support requires the ICU library. Postfix automatically builds with SMTPUTF8 support when the library and its header files are installed. To force Postfix to build without SMTPUTF8, specify: - $ make makefiles -DNO_EAI ... + $ mmaakkee mmaakkeeffiilleess --DDNNOO__EEAAII ...... CCrreeddiittss diff --git a/postfix/README_FILES/TLS_README b/postfix/README_FILES/TLS_README index adca4c825..ad448e96b 100644 --- a/postfix/README_FILES/TLS_README +++ b/postfix/README_FILES/TLS_README @@ -1027,8 +1027,12 @@ default. This is the recommended configuration for early adopters. * The "example.com" destination uses DANE, but if TLSA records are not present or are unusable, mail is deferred. - * The "example.org" destination uses DANE if possible, but if no TLSA records - are found opportunistic TLS is used. + * The "example.org" destination uses DANE if possible, but uses opportunistic + TLS if no TLSA records are found. The "fallback" attribute (Postfix >= + 2.12) overrides the global main.cf smtp_tls_fallback_level parameter to + employ unauthenticated mandatory encryption if DANE authentication fails, + after logging a warning. See smtp_tls_audit_template for additional control + over TLS security logging. main.cf: indexed = ${default_database_type}:${config_directory}/ @@ -1052,6 +1056,8 @@ default. This is the recommended configuration for early adopters. tls_policy: example.com dane-only + # Postfix >= 2.12, per-destination smtp_tls_fallback_level override + example.org dane fallback=encrypt master.cf: dane unix - - n - - smtp 
@@ -1632,7 +1638,9 @@ ddaannee obtained for the remote SMTP server, SSLv2 is automatically disabled (see smtp_tls_mandatory_protocols), and the server certificate must match the TLSA records. RFC 6698 (DANE) TLS authentication and DNSSEC support is - available with Postfix 2.11 and later. + available with Postfix 2.11 and later. The optional "fallback" attribute + provides a per-site override of the main.cf smtp_tls_fallback_level + parameter (Postfix >= 2.12). ddaannee--oonnllyy Mandatory DANE TLS. The TLS policy for the destination is obtained via TLSA records in DNSSEC. If no TLSA records are found, or none are usable, no @@ -1640,7 +1648,9 @@ ddaannee--oonnllyy the remote SMTP server, SSLv2 is automatically disabled (see smtp_tls_mandatory_protocols), and the server certificate must match the TLSA records. RFC 6698 (DANE) TLS authentication and DNSSEC support is - available with Postfix 2.11 and later. + available with Postfix 2.11 and later. The optional "fallback" attribute + provides a per-site override of the main.cf smtp_tls_fallback_level + parameter (Postfix >= 2.12). ffiinnggeerrpprriinntt Certificate fingerprint verification. Available with Postfix 2.5 and later. At this security level, there are no trusted certificate authorities. The @@ -1653,7 +1663,8 @@ ffiinnggeerrpprriinntt combined with a "|" delimiter in a single match attribute, or multiple match attributes can be employed. The ":" character is not used as a delimiter as it occurs between each pair of fingerprint (hexadecimal) - digits. + digits. The optional "fallback" attribute provides a per-site override of + the main.cf smtp_tls_fallback_level parameter (Postfix >= 2.12). vveerriiffyy Mandatory server certificate verification. Mail is delivered only if the TLS handshake succeeds, if the remote SMTP server certificate can be 
@@ -1664,7 +1675,8 @@ vveerriiffyy "tafile" attribute optionally modifies trust chain verification in the same manner as the "smtp_tls_trust_anchor_file" parameter. The "tafile" attribute may be specified multiple times to load multiple trust-anchor - files. + files. The optional "fallback" attribute provides a per-site override of + the main.cf smtp_tls_fallback_level parameter (Postfix >= 2.12). sseeccuurree Secure certificate verification. Mail is delivered only if the TLS handshake succeeds, if the remote SMTP server certificate can be validated @@ -1674,7 +1686,9 @@ sseeccuurree "match" attribute is specified). With Postfix >= 2.11 the "tafile" attribute optionally modifies trust chain verification in the same manner as the "smtp_tls_trust_anchor_file" parameter. The "tafile" attribute may - be specified multiple times to load multiple trust-anchor files. + be specified multiple times to load multiple trust-anchor files. The + optional "fallback" attribute provides a per-site override of the main.cf + smtp_tls_fallback_level parameter (Postfix >= 2.12). Notes: * The "match" attribute is especially useful to verify TLS certificates for @@ -1708,6 +1722,7 @@ Example: smtp_tls_policy_maps = hash:/etc/postfix/tls_policy # Postfix 2.5 and later smtp_tls_fingerprint_digest = md5 + /etc/postfix/tls_policy: example.edu none example.mil may @@ -1723,6 +1738,8 @@ Example: # Postfix 2.6 and later example.info may protocols=!SSLv2 ciphers=medium exclude=3DES + # Postfix 2.12 and later override of smtp_tls_fallback_level + fallback.example secure fallback=encrypt NNoottee:: The "hostname" strategy if listed in a non-default setting of smtp_tls_secure_cert_match or in the "match" attribute in the policy table can diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index c49daae86..32d3d943f 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES 
@@ -41,6 +41,27 @@ Maintainers may also benefit from the makedefs documentation (mantools/srctoman - makedefs | nroff -man | less) with information about build options that are not described in the INSTALL instructions. +Major changes with snapshot 20140905 +==================================== + +Support to fall back to an unauthenticated TLS security level ("may" +or "encrypt) when the Postfix SMTP client cannot establish the +preferred authenticated TLS security level ("dane", "dane-only", +"fingerprint", "verify", or "secure"). The fall-back levels may be +specified globally with the smtp_tls_fallback_level parameter or +in per-site TLS policies with the "fallback" attribute. + +If the above sounds like opportunistic authenticated TLS, than that +is pretty-much it. Wietse is not fully convinced that this is a +good idea, because it creates opportunities for downgrade attacks. + +SMTP client support to log TLS session properties after each mail +delivery attempt. The content of this optional logfile record is +configurable with the smtp_tls_audit_template parameter. The names +of template properties are not yet final; the names of TLS session +attributes need to be specific enough so that they will not collide +with future names of non-TLS session attributes. + Major changes with snapshot 20140801 ==================================== diff --git a/postfix/WISHLIST b/postfix/WISHLIST index ecde9e3e7..5a1aedfb3 100644 --- a/postfix/WISHLIST +++ b/postfix/WISHLIST 
@@ -8,7 +8,23 @@ Wish list: Things to do after the stable release: - up-convert myhostname in MIME boundary strings? + up-convert myhostname to UTF-8 in MIME boundary strings? + + Clarify that receive_override_options should not be used + with smtpd_proxy_filter. + + Send a "relayed" notification upon delivery after a "delayed" + notification was sent. This requres that the queue manager + notices that the delay warning time has been reset, that + the queue manager sets the NOTIFY=SUCCESS' flag on all + subsequent delivery attempts for that message where SUCCESS' + is like standard SUCCESS except instead of propagating it + to a down-stream MTA, the Postfix SMTP client sends a + "relayed" notice. Delivery agents will then report a + "relayed" or "delivered" status for all successful deliveries. + + Document the relative order of header_checks, address + rewriting, milters. Table-driven case folding and case-insensitive string comparison specifically for UTF-8. @@ -45,8 +61,6 @@ Wish list: independent from the DNS and native routines for host name/address lookup. - Incorporate 3rd-party code such as dynamic_maps. - Make been_here flag BH_FLAG_FOLD configurable for masochists. Replace some redundant TLS_README sections with pointers @@ -63,7 +77,8 @@ Wish list: needs to show the unfolded address. Per SASL account rate limits. This requires new infrastructure - that maintains stats by SASL account. + that maintains stats by SASL account instead of client IP + address. Watchdog timer in postmap/postalias. 
@@ -103,12 +118,6 @@ Wish list: End code revision, after DANE support stabilizes. - It would be nice if the result from one table lookup could - serve as input for another (e.g. virtual aliases before the - list of valid recipients). For this to work the magical - (bare user, domain only, etc.) lookups need to become a - table property, not a property of the client context. - It would be nice if "bare username" lookup is not hard-coded for domains in the local address class. @@ -249,12 +258,6 @@ Wish list: Investigate viability of Sendmail dns maps. - Check if FILTER_README has the "postsuper -r" workaround - - Bounces without <> in the plaintext section. Apparently, - some software renders the text as HTML (and therefore - does not render addresses and other text inside <> ). - Make the rules for how to use close-on-exec more explicit. Provide separate timeout control for dict_proxy client, @@ -393,28 +396,6 @@ Wish list: Consistency: in postconf.proto make
..
tags bold. - postscreen(8): listen on multiple IP addresses and enforce - that the client contacts the primary MX address first (i.e. - punish hosts that contact the secondary before the primary). - The downside with any approach that relies on temporary - punishment is that it does not scale to configurations - with multiple equal-preference MX hosts. Such hosts would - have to share the postscreen cache, causing an unacceptable - performance bottleneck and a single point of failure. - - According to a paper by Ted Unangst at BSDCON09, kqueue - reports state changes, i.e. kqueue indicates when the socket - becomes readable. Specifically, he writes when kqueue reports - a socket becomes readable but no data is read from that - socket, later kqueue calls won't report the socket as - readable. That's not what happens on FreeBSD 8.0, where - kqueue will keep reporting the socket as readable when - nothing is read. Also, FreeBSD 8.0 kqueue still reports - the socket as readable after a read operation does not empty - the kernel buffer. We need a test program for this that - repeats these tests with OpenBSD and NetBSD (and MacOS X - once they fix their kqueue implementation). - Would it help if there were different cleanup_service parameter names for different message paths? smtpd(8) uses the same cleanup_service value for receiving remote mail @@ -689,12 +670,6 @@ Wish list: into mailer-daemon (current bahavior) or disallow (strict behavior, currently implemented only in the SMTP server). - The type of var_message_limit (and other file size/offset - configuration parameters or internal protocol attributes) - should be changed from int to off_t. This also requires - checking all expressions in which var_message_limit etc. - appears: qmqpd, netstring, deliver_request, ... - Add M flag (enable multi-recipient delivery) to pipe daemon. The usage of TLScontext->cache_type is unclear. It specifies 
diff --git a/postfix/html/SMTPUTF8_README.html b/postfix/html/SMTPUTF8_README.html
index 74f48a42c..9d26c6c72 100644
--- a/postfix/html/SMTPUTF8_README.html
+++ b/postfix/html/SMTPUTF8_README.html
@@ -50,10 +50,6 @@ header values.

Enabling Postfix SMTPUTF8 support

-

By default, Postfix SMTPUTF8 support is disabled. Thus, Postfix -should work exactly as it has worked before SMTPUTF8 support was -implemented.

-

Before turning on SMTPUTF8 support in Postfix, you need to verify that the rest of your email infrastructure can handle UTF-8 email addresses and message header values, including SMTPUTF8 @@ -65,8 +61,8 @@ parameter in main.cf:

-# postconf "smtputf8_enable = yes"
-# postfix reload
+# postconf "smtputf8_enable = yes"
+# postfix reload
 
@@ -83,7 +79,7 @@ EHLO response.

 220 server.example.com ESMTP Postfix
-EHLO client.example.com
+EHLO client.example.com
 250-server.example.com
 250-PIPELINING
 250-SIZE 10240000
@@ -101,23 +97,23 @@ EHLO client.example.com
 MAIL FROM and VRFY commands. 

-MAIL FROM:<address> SMTPUTF8 ...
+MAIL FROM:<address> SMTPUTF8 ...
 
-VRFY address SMTPUTF8
+VRFY address SMTPUTF8
 
  • The Postfix SMTP client may issue the SMTPUTF8 request in MAIL FROM commands.

    -
  • Postfix already permitted UTF-8 in message header values -and in address localparts. This does not change.

    -
  • The Postfix SMTP server accepts UTF-8 in email address domains, but only after the remote SMTP client client issues the SMTPUTF8 request in MAIL FROM or VRFY commands.

    +

    Postfix already permitted UTF-8 in message header values +and in address localparts. This does not change.

    +

    Using Postfix SMTPUTF8 support

    After Postfix SMTPUTF8 support is turned on, Postfix behavior @@ -223,7 +219,9 @@ delivered it if SMTPUTF8 support was disabled.

    "Internationalized" domain names can appear in two forms: the -UTF-8 form, and the ASCII (xn--mumble) form.

    +UTF-8 form, and the ASCII (xn--mumble) form. The initial Postfix +SMTPUTF8 implementation performs no automatic conversions on UTF8 +strings beyond what is needed to perform DNS lookups.

    No characterset canonicalization for non-ASCII domain names.

    @@ -259,7 +257,7 @@ satisfy that last condition.

    Pre-existing non-ASCII email flows

    In pre-SMTPUTF8 environments, email with UTF-8 in address -localparts (and in headers) works just fine because the vast majority +localparts (and in headers) works just fine. The vast majority of email software including Postfix is perfectly capable of handling such email, even if pre-SMTPUTF8 standards do not support this.

    @@ -281,7 +279,7 @@ SMTPUTF8, specify:

    -$ make makefiles -DNO_EAI ...
    +$ make makefiles -DNO_EAI ...
     
    diff --git a/postfix/html/TLS_README.html b/postfix/html/TLS_README.html
index 2548b9f57..234f80960 100644
--- a/postfix/html/TLS_README.html
+++ b/postfix/html/TLS_README.html
@@ -1373,8 +1373,13 @@ for early adopters.

  • The "example.com" destination uses DANE, but if TLSA records are not present or are unusable, mail is deferred.

    -
  • The "example.org" destination uses DANE if possible, but if no TLSA -records are found opportunistic TLS is used.

    +
  • The "example.org" destination uses DANE if possible, but +uses opportunistic TLS if no TLSA records are found. The +"fallback" attribute (Postfix ≥ 2.12) overrides the global +main.cf smtp_tls_fallback_level parameter to employ unauthenticated +mandatory encryption if DANE authentication fails, after logging a +warning. See smtp_tls_audit_template for additional control over TLS +security logging.

    @@ -1394,26 +1399,16 @@ records are found opportunistic TLS is used.

    # default_transport = smtp, but some destinations are special: # transport_maps = ${indexed}transport -
  • - -
    -
     transport:
         example.com dane
         example.org dane
    -
    -
    -
    -
     tls_policy:
         example.com dane-only
    -
    -
    + # Postfix ≥ 2.12, per-destination smtp_tls_fallback_level override + example.org dane fallback=encrypt -
    -
     master.cf:
         dane       unix  -       -       n       -       -       smtp
           -o smtp_dns_support_level=dnssec
    @@ -2146,7 +2141,10 @@ href="#client_tls_encrypt">encrypt.  When usable TLSA records
     are obtained for the remote SMTP server, SSLv2 is automatically
     disabled (see smtp_tls_mandatory_protocols), and the server certificate
     must match the TLSA records.  RFC 6698 (DANE) TLS authentication
    -and DNSSEC support is available with Postfix 2.11 and later.  
    +and DNSSEC support is available with Postfix 2.11 and later.  
    +The optional "fallback" attribute provides a per-site override of
    +the main.cf smtp_tls_fallback_level parameter (Postfix ≥ 2.12).
    +
     
     
    dane-only
    Mandatory DANE TLS. The TLS policy for the destination is obtained via TLSA records in @@ -2155,7 +2153,10 @@ connection is made to the server. When usable TLSA records are obtained for the remote SMTP server, SSLv2 is automatically disabled (see smtp_tls_mandatory_protocols), and the server certificate must match the TLSA records. RFC 6698 (DANE) TLS authentication and -DNSSEC support is available with Postfix 2.11 and later.
    +DNSSEC support is available with Postfix 2.11 and later. +The optional "fallback" attribute provides a per-site override of +the main.cf smtp_tls_fallback_level parameter (Postfix ≥ 2.12). +
    fingerprint
    Certificate fingerprint verification. Available with Postfix 2.5 and @@ -2164,13 +2165,15 @@ authorities. The certificate trust chain, expiration date, ... are not checked. Instead, the optional match attribute, or else the main.cf smtp_tls_fingerprint_cert_match parameter, lists the server certificate fingerprints or public key fingerprints -(Postfix 2.9 and later). The -digest algorithm used to calculate fingerprints is selected by the -smtp_tls_fingerprint_digest parameter. Multiple fingerprints can -be combined with a "|" delimiter in a single match attribute, or multiple -match attributes can be employed. The ":" character is not used as a -delimiter as it occurs between each pair of fingerprint (hexadecimal) -digits.
    +(Postfix 2.9 and later). The digest algorithm used to calculate +fingerprints is selected by the smtp_tls_fingerprint_digest +parameter. Multiple fingerprints can be combined with a "|" delimiter +in a single match attribute, or multiple match attributes can be +employed. The ":" character is not used as a delimiter as it occurs +between each pair of fingerprint (hexadecimal) digits. +The optional "fallback" attribute provides a per-site override of +the main.cf smtp_tls_fallback_level parameter (Postfix ≥ 2.12). +
    verify
    Mandatory server certificate verification. Mail is delivered only if the @@ -2181,9 +2184,11 @@ the optional "match" attribute (or the main.cf smtp_tls_trust_anchor_file" parameter. The "tafile" attribute -may be specified multiple times to load multiple trust-anchor -files.
    +"smtp_tls_trust_anchor_file" parameter. The "tafile" attribute may +be specified multiple times to load multiple trust-anchor files. +The optional "fallback" attribute provides a per-site override of +the main.cf smtp_tls_fallback_level parameter (Postfix ≥ 2.12). +
    secure
    Secure certificate verification. Mail is delivered only if the TLS handshake succeeds, @@ -2195,7 +2200,10 @@ server certificate name matches the optional "match" attribute (or the attribute optionally modifies trust chain verification in the same manner as the "smtp_tls_trust_anchor_file" parameter. The "tafile" attribute may be specified multiple times to load multiple trust-anchor -files.
    +files. +The optional "fallback" attribute provides a per-site override of +the main.cf smtp_tls_fallback_level parameter (Postfix ≥ 2.12). + @@ -2242,6 +2250,7 @@ Example: smtp_tls_policy_maps = hash:/etc/postfix/tls_policy # Postfix 2.5 and later smtp_tls_fingerprint_digest = md5 + /etc/postfix/tls_policy: example.edu none example.mil may @@ -2256,6 +2265,8 @@ Example: match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1 # Postfix 2.6 and later example.info may protocols=!SSLv2 ciphers=medium exclude=3DES + # Postfix 2.12 and later override of smtp_tls_fallback_level + fallback.example secure fallback=encrypt
    diff --git a/postfix/html/lmtp.8.html b/postfix/html/lmtp.8.html
index b05dc45cd..9a74d6b35 100644
--- a/postfix/html/lmtp.8.html
+++ b/postfix/html/lmtp.8.html
@@ -552,50 +552,59 @@ SMTP(8) SMTP(8) tlsmgr_service_name (tlsmgr) The name of the tlsmgr(8) service entry in master.cf. + Available in Postfix version 2.12 and later: + + smtp_tls_audit_template (empty) + Optional template for tls audit logging at the completion of + each message data transfer. + + smtp_tls_fallback_level (empty) + Optional fallback levels for authenticated TLS levels. + OBSOLETE STARTTLS CONTROLS - The following configuration parameters exist for compatibility with - Postfix versions before 2.3. Support for these will be removed in a + The following configuration parameters exist for compatibility with + Postfix versions before 2.3. Support for these will be removed in a future release. smtp_use_tls (no) - Opportunistic mode: use TLS when a remote SMTP server announces + Opportunistic mode: use TLS when a remote SMTP server announces STARTTLS support, otherwise send the mail in the clear. smtp_enforce_tls (no) - Enforcement mode: require that remote SMTP servers use TLS + Enforcement mode: require that remote SMTP servers use TLS encryption, and never send mail in the clear. smtp_tls_enforce_peername (yes) - With mandatory TLS encryption, require that the remote SMTP - server hostname matches the information in the remote SMTP + With mandatory TLS encryption, require that the remote SMTP + server hostname matches the information in the remote SMTP server certificate. smtp_tls_per_site (empty) - Optional lookup tables with the Postfix SMTP client TLS usage - policy by next-hop destination and by remote SMTP server host‐ + Optional lookup tables with the Postfix SMTP client TLS usage + policy by next-hop destination and by remote SMTP server host‐ name. smtp_tls_cipherlist (empty) - Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS + Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS cipher list. 
RESOURCE AND RATE CONTROLS smtp_destination_concurrency_limit ($default_destination_concur‐‐ rency_limit) - The maximal number of parallel deliveries to the same destina‐ + The maximal number of parallel deliveries to the same destina‐ tion via the smtp message delivery transport. smtp_destination_recipient_limit ($default_destination_recipient_limit) - The maximal number of recipients per message for the smtp mes‐ + The maximal number of recipients per message for the smtp mes‐ sage delivery transport. smtp_connect_timeout (30s) - The Postfix SMTP client time limit for completing a TCP connec‐ + The Postfix SMTP client time limit for completing a TCP connec‐ tion, or zero (use the operating system built-in time limit). smtp_helo_timeout (300s) - The Postfix SMTP client time limit for sending the HELO or EHLO - command, and for receiving the initial remote SMTP server + The Postfix SMTP client time limit for sending the HELO or EHLO + command, and for receiving the initial remote SMTP server response. lmtp_lhlo_timeout (300s) @@ -607,19 +616,19 @@ SMTP(8) SMTP(8) mand, and for receiving the remote SMTP server response. smtp_mail_timeout (300s) - The Postfix SMTP client time limit for sending the MAIL FROM + The Postfix SMTP client time limit for sending the MAIL FROM command, and for receiving the remote SMTP server response. smtp_rcpt_timeout (300s) - The Postfix SMTP client time limit for sending the SMTP RCPT TO + The Postfix SMTP client time limit for sending the SMTP RCPT TO command, and for receiving the remote SMTP server response. smtp_data_init_timeout (120s) - The Postfix SMTP client time limit for sending the SMTP DATA + The Postfix SMTP client time limit for sending the SMTP DATA command, and for receiving the remote SMTP server response. smtp_data_xfer_timeout (180s) - The Postfix SMTP client time limit for sending the SMTP message + The Postfix SMTP client time limit for sending the SMTP message content. smtp_data_done_timeout (600s) 
@@ -633,13 +642,13 @@ SMTP(8) SMTP(8) Available in Postfix version 2.1 and later: smtp_mx_address_limit (5) - The maximal number of MX (mail exchanger) IP addresses that can - result from Postfix SMTP client mail exchanger lookups, or zero + The maximal number of MX (mail exchanger) IP addresses that can + result from Postfix SMTP client mail exchanger lookups, or zero (no limit). smtp_mx_session_limit (2) - The maximal number of SMTP sessions per delivery request before - the Postfix SMTP client gives up or delivers to a fall-back + The maximal number of SMTP sessions per delivery request before + the Postfix SMTP client gives up or delivers to a fall-back relay host, or zero (no limit). smtp_rset_timeout (20s) @@ -649,17 +658,17 @@ SMTP(8) SMTP(8) Available in Postfix version 2.2 and earlier: lmtp_cache_connection (yes) - Keep Postfix LMTP client connections open for up to $max_idle + Keep Postfix LMTP client connections open for up to $max_idle seconds. Available in Postfix version 2.2 and later: smtp_connection_cache_destinations (empty) - Permanently enable SMTP connection caching for the specified + Permanently enable SMTP connection caching for the specified destinations. smtp_connection_cache_on_demand (yes) - Temporarily enable SMTP connection caching while a destination + Temporarily enable SMTP connection caching while a destination has a high volume of mail in the active queue. smtp_connection_reuse_time_limit (300s) 
@@ -673,23 +682,23 @@ SMTP(8) SMTP(8) Available in Postfix version 2.3 and later: connection_cache_protocol_timeout (5s) - Time limit for connection cache connect, send or receive opera‐ + Time limit for connection cache connect, send or receive opera‐ tions. Available in Postfix version 2.9 and later: smtp_per_record_deadline (no) - Change the behavior of the smtp_*_timeout time limits, from a - time limit per read or write system call, to a time limit to - send or receive a complete record (an SMTP command line, SMTP - response line, SMTP message content line, or TLS protocol mes‐ + Change the behavior of the smtp_*_timeout time limits, from a + time limit per read or write system call, to a time limit to + send or receive a complete record (an SMTP command line, SMTP + response line, SMTP message content line, or TLS protocol mes‐ sage). Available in Postfix version 2.11 and later: smtp_connection_reuse_count_limit (0) - When SMTP connection caching is enabled, the number of times - that an SMTP session may be reused before it is closed, or zero + When SMTP connection caching is enabled, the number of times + that an SMTP session may be reused before it is closed, or zero (no limit). SMTPUTF8 CONTROLS 
@@ -700,21 +709,21 @@ SMTP(8) SMTP(8) in RFC 6531..6533. smtputf8_autodetect_classes (sendmail, verify) - Enable SMTPUTF8 autodetection for the specified mail origin - classes. + Detect that a message requires SMTPUTF8 support for the speci‐ + fied mail origin classes. TROUBLE SHOOTING CONTROLS debug_peer_level (2) - The increment in verbose logging level when a remote client or + The increment in verbose logging level when a remote client or server matches a pattern in the debug_peer_list parameter. debug_peer_list (empty) - Optional list of remote client or server hostname or network + Optional list of remote client or server hostname or network address patterns that cause the verbose logging level to increase by the amount specified in $debug_peer_level. error_notice_recipient (postmaster) - The recipient of postmaster notifications about mail delivery + The recipient of postmaster notifications about mail delivery problems that are caused by policy, resource, software or proto‐ col errors. 
@@ -728,46 +737,46 @@ SMTP(8) SMTP(8) MISCELLANEOUS CONTROLS best_mx_transport (empty) - Where the Postfix SMTP client should deliver mail when it + Where the Postfix SMTP client should deliver mail when it detects a "mail loops back to myself" error condition. config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and master.cf con‐ + The default location of the Postfix main.cf and master.cf con‐ figuration files. daemon_timeout (18000s) - How much time a Postfix daemon process may take to handle a + How much time a Postfix daemon process may take to handle a request before it is terminated by a built-in watchdog timer. delay_logging_resolution_limit (2) - The maximal number of digits after the decimal point when log‐ + The maximal number of digits after the decimal point when log‐ ging sub-second delay values. disable_dns_lookups (no) Disable DNS lookups in the Postfix SMTP and LMTP clients. inet_interfaces (all) - The network interface addresses that this mail system receives + The network interface addresses that this mail system receives mail on. inet_protocols (all) - The Internet protocols Postfix will attempt to use when making + The Internet protocols Postfix will attempt to use when making or accepting connections. ipc_timeout (3600s) - The time limit for sending or receiving information over an + The time limit for sending or receiving information over an internal communication channel. lmtp_assume_final (no) - When a remote LMTP server announces no DSN support, assume that - the server performs final delivery, and send "delivered" deliv‐ + When a remote LMTP server announces no DSN support, assume that + the server performs final delivery, and send "delivered" deliv‐ ery status notifications instead of "relayed". lmtp_tcp_port (24) The default TCP port that the Postfix LMTP client connects to. 
max_idle (100s) - The maximum amount of time that an idle Postfix daemon process + The maximum amount of time that an idle Postfix daemon process waits for an incoming connection before terminating voluntarily. max_use (100) @@ -781,20 +790,20 @@ SMTP(8) SMTP(8) The process name of a Postfix command or daemon process. proxy_interfaces (empty) - The network interface addresses that this mail system receives + The network interface addresses that this mail system receives mail on by way of a proxy or network address translation unit. smtp_address_preference (any) The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP - client will try first, when a destination has IPv6 and IPv4 + client will try first, when a destination has IPv6 and IPv4 addresses with equal MX preference. smtp_bind_address (empty) - An optional numerical network address that the Postfix SMTP + An optional numerical network address that the Postfix SMTP client should bind to when making an IPv4 connection. smtp_bind_address6 (empty) - An optional numerical network address that the Postfix SMTP + An optional numerical network address that the Postfix SMTP client should bind to when making an IPv6 connection. smtp_helo_name ($myhostname) @@ -814,8 +823,8 @@ SMTP(8) SMTP(8) The syslog facility of Postfix logging. syslog_name (see 'postconf -d' output) - The mail system name that is prepended to the process name in - syslog records, so that "smtpd" becomes, for example, "post‐ + The mail system name that is prepended to the process name in + syslog records, so that "smtpd" becomes, for example, "post‐ fix/smtpd". Available with Postfix 2.2 and earlier: diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 9a714e7b1..877ed8005 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -4822,6 +4822,17 @@ configuration parameter. See there for details.

    This feature is available in Postfix 2.3 and later.

    + + +
    lmtp_tls_audit_template +(default: empty)
    + +

    The LMTP-specific version of the smtp_tls_audit_template +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.12 and later.

    + +
    lmtp_tls_block_early_mail_reply @@ -4923,6 +4934,17 @@ configuration parameter. See there for details.

    This feature is available in Postfix 2.3 and later.

    + + +
    lmtp_tls_fallback_level +(default: empty)
    + +

    The LMTP-specific version of the smtp_tls_fallback_level +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.12 and later.

    + +
    lmtp_tls_fingerprint_cert_match @@ -11264,6 +11286,74 @@ certificates.

    This feature is available in Postfix 2.2 and later.

    + + +
    smtp_tls_audit_template +(default: empty)
    + +

    Optional template for tls audit logging at the completion of each +message data transfer. If empty (the default setting) no TLS audit log +entries are generated.

    + +

    The following $name expansions are done on smtp_tls_audit_template:

    + +
    + +
    $relay
    +
    The remote SMTP server name[address]:port. +
    + +
    $level
    +
    The effective TLS security level after any fallback.
    + +
    $policy
    +
    The desired TLS security level before any fallback, undefined +if no fallback took place.
    + +
    $auth
    +
    The authentication level of the remote SMTP server. One of +"Cleartext", "Anonymous", "Untrusted", "Trusted" or "Verified". +
    + +
    $protocol
    +
    The TLS protocol version, defined only when TLS is used.
    + +
    $cipher
    +
    The TLS cipher name, defined only when TLS is used.
    + +
    $cert_digest
    +
    The digest of the remote SMTP server's certificate, defined +only when TLS is used and the remote server presented a certificate. +The digest algorithm is that specified via smtp_tls_fingerprint_digest. +
    + +
    $spki_digest
    +
    The digest of the remote SMTP server's public key (Subject +Public Key Info or SPKI from X.509), defined only when TLS is used +and the remote server presented a certificate. The digest algorithm +is that specified via smtp_tls_fingerprint_digest.
    + +
    ${name?value}
    + +
    Expands to value when $name is non-empty.
    + +
    ${name:value}
    + +
    Expands to value when $name is empty.
    + +
    + +

    Example:

    + +
    +/etc/postfix/main.cf:
    +    smtp_tls_audit_template =
    +        tlsaudit: relay=${relay}${auth?, auth=${auth}}${level?, level=${level}}${policy?, policy=${policy}}${protocol?, protocol=${protocol}}${cipher?, cipher=${cipher}}
    +
    + +

    This feature is available in Postfix 2.12 and later.

    + +
    smtp_tls_block_early_mail_reply @@ -11517,6 +11607,62 @@ key exchange with RSA authentication.

    This feature is available in Postfix 2.3 and later.

    + + +
    smtp_tls_fallback_level +(default: empty)
    + +

    Optional fallback levels for authenticated TLS levels. Specify +a white-space or comma-separated list of +policy_level=fallback_level pairs. The policy_level +must require authentication (one of dane, dane-only, fingerprint, +verify, secure). The fallback_level must be "encrypt" or +"may". When an authenticated connection at some desired policy +level cannot be established, delivery will proceed at the correponding +fallback level if possible. A warning will be logged +indicating the fallback reason. You can use smtp_tls_audit_template +to record the TLS security status for each delivery.

    + +

    The TLS policy table +can be used to specify a destination-specific fallback strategy via the +"fallback" policy attribute. The value of the "fallback" attribute, if +specified, must be "may", "encrypt" or "none". If not "none", this +specifies the fallback level for the destination in question. If the +attribute value is "none", fallback is suppressed for the destination +even if enabled via a global setting of smtp_tls_fallback_level.

    + +

    Example:

    + +
    +
    +/etc/postfix/main.cf:
    +    # When authentication fails, log a warning and deliver anyway
    +    # over an unauthenticated TLS connection.
    +    #
    +    smtp_tls_fallback_level =
    +        dane=encrypt,
    +        dane-only=encrypt,
    +        fingerprint=encrypt,
    +        verify=encrypt,
    +        secure=encrypt
    +    indexed = ${default_database_type}:${config_directory}/
    +    smtp_tls_policy_maps = ${indexed}tls-policy
    +
    +
    + +
    +
    +/etc/postfix/tls-policy:
    +    # No fallback for example.com
    +    example.com secure fallback=none
    +    # For example.net tolerate cleartext fallback
    +    example.net dane fallback=may
    +
    +
    + +

    This feature is available in Postfix 2.12 and later.

    + +
    smtp_tls_fingerprint_cert_match diff --git a/postfix/html/smtp.8.html b/postfix/html/smtp.8.html index b05dc45cd..9a74d6b35 100644 --- a/postfix/html/smtp.8.html +++ b/postfix/html/smtp.8.html 
@@ -552,50 +552,59 @@ SMTP(8) SMTP(8) tlsmgr_service_name (tlsmgr) The name of the tlsmgr(8) service entry in master.cf. + Available in Postfix version 2.12 and later: + + smtp_tls_audit_template (empty) + Optional template for tls audit logging at the completion of + each message data transfer. + + smtp_tls_fallback_level (empty) + Optional fallback levels for authenticated TLS levels. + OBSOLETE STARTTLS CONTROLS - The following configuration parameters exist for compatibility with - Postfix versions before 2.3. Support for these will be removed in a + The following configuration parameters exist for compatibility with + Postfix versions before 2.3. Support for these will be removed in a future release. smtp_use_tls (no) - Opportunistic mode: use TLS when a remote SMTP server announces + Opportunistic mode: use TLS when a remote SMTP server announces STARTTLS support, otherwise send the mail in the clear. smtp_enforce_tls (no) - Enforcement mode: require that remote SMTP servers use TLS + Enforcement mode: require that remote SMTP servers use TLS encryption, and never send mail in the clear. smtp_tls_enforce_peername (yes) - With mandatory TLS encryption, require that the remote SMTP - server hostname matches the information in the remote SMTP + With mandatory TLS encryption, require that the remote SMTP + server hostname matches the information in the remote SMTP server certificate. smtp_tls_per_site (empty) - Optional lookup tables with the Postfix SMTP client TLS usage - policy by next-hop destination and by remote SMTP server host‐ + Optional lookup tables with the Postfix SMTP client TLS usage + policy by next-hop destination and by remote SMTP server host‐ name. smtp_tls_cipherlist (empty) - Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS + Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS cipher list. 
RESOURCE AND RATE CONTROLS smtp_destination_concurrency_limit ($default_destination_concur‐‐ rency_limit) - The maximal number of parallel deliveries to the same destina‐ + The maximal number of parallel deliveries to the same destina‐ tion via the smtp message delivery transport. smtp_destination_recipient_limit ($default_destination_recipient_limit) - The maximal number of recipients per message for the smtp mes‐ + The maximal number of recipients per message for the smtp mes‐ sage delivery transport. smtp_connect_timeout (30s) - The Postfix SMTP client time limit for completing a TCP connec‐ + The Postfix SMTP client time limit for completing a TCP connec‐ tion, or zero (use the operating system built-in time limit). smtp_helo_timeout (300s) - The Postfix SMTP client time limit for sending the HELO or EHLO - command, and for receiving the initial remote SMTP server + The Postfix SMTP client time limit for sending the HELO or EHLO + command, and for receiving the initial remote SMTP server response. lmtp_lhlo_timeout (300s) @@ -607,19 +616,19 @@ SMTP(8) SMTP(8) mand, and for receiving the remote SMTP server response. smtp_mail_timeout (300s) - The Postfix SMTP client time limit for sending the MAIL FROM + The Postfix SMTP client time limit for sending the MAIL FROM command, and for receiving the remote SMTP server response. smtp_rcpt_timeout (300s) - The Postfix SMTP client time limit for sending the SMTP RCPT TO + The Postfix SMTP client time limit for sending the SMTP RCPT TO command, and for receiving the remote SMTP server response. smtp_data_init_timeout (120s) - The Postfix SMTP client time limit for sending the SMTP DATA + The Postfix SMTP client time limit for sending the SMTP DATA command, and for receiving the remote SMTP server response. smtp_data_xfer_timeout (180s) - The Postfix SMTP client time limit for sending the SMTP message + The Postfix SMTP client time limit for sending the SMTP message content. smtp_data_done_timeout (600s) 
@@ -633,13 +642,13 @@ SMTP(8) SMTP(8) Available in Postfix version 2.1 and later: smtp_mx_address_limit (5) - The maximal number of MX (mail exchanger) IP addresses that can - result from Postfix SMTP client mail exchanger lookups, or zero + The maximal number of MX (mail exchanger) IP addresses that can + result from Postfix SMTP client mail exchanger lookups, or zero (no limit). smtp_mx_session_limit (2) - The maximal number of SMTP sessions per delivery request before - the Postfix SMTP client gives up or delivers to a fall-back + The maximal number of SMTP sessions per delivery request before + the Postfix SMTP client gives up or delivers to a fall-back relay host, or zero (no limit). smtp_rset_timeout (20s) @@ -649,17 +658,17 @@ SMTP(8) SMTP(8) Available in Postfix version 2.2 and earlier: lmtp_cache_connection (yes) - Keep Postfix LMTP client connections open for up to $max_idle + Keep Postfix LMTP client connections open for up to $max_idle seconds. Available in Postfix version 2.2 and later: smtp_connection_cache_destinations (empty) - Permanently enable SMTP connection caching for the specified + Permanently enable SMTP connection caching for the specified destinations. smtp_connection_cache_on_demand (yes) - Temporarily enable SMTP connection caching while a destination + Temporarily enable SMTP connection caching while a destination has a high volume of mail in the active queue. smtp_connection_reuse_time_limit (300s) 
@@ -673,23 +682,23 @@ SMTP(8) SMTP(8) Available in Postfix version 2.3 and later: connection_cache_protocol_timeout (5s) - Time limit for connection cache connect, send or receive opera‐ + Time limit for connection cache connect, send or receive opera‐ tions. Available in Postfix version 2.9 and later: smtp_per_record_deadline (no) - Change the behavior of the smtp_*_timeout time limits, from a - time limit per read or write system call, to a time limit to - send or receive a complete record (an SMTP command line, SMTP - response line, SMTP message content line, or TLS protocol mes‐ + Change the behavior of the smtp_*_timeout time limits, from a + time limit per read or write system call, to a time limit to + send or receive a complete record (an SMTP command line, SMTP + response line, SMTP message content line, or TLS protocol mes‐ sage). Available in Postfix version 2.11 and later: smtp_connection_reuse_count_limit (0) - When SMTP connection caching is enabled, the number of times - that an SMTP session may be reused before it is closed, or zero + When SMTP connection caching is enabled, the number of times + that an SMTP session may be reused before it is closed, or zero (no limit). SMTPUTF8 CONTROLS 
@@ -700,21 +709,21 @@ SMTP(8) SMTP(8) in RFC 6531..6533. smtputf8_autodetect_classes (sendmail, verify) - Enable SMTPUTF8 autodetection for the specified mail origin - classes. + Detect that a message requires SMTPUTF8 support for the speci‐ + fied mail origin classes. TROUBLE SHOOTING CONTROLS debug_peer_level (2) - The increment in verbose logging level when a remote client or + The increment in verbose logging level when a remote client or server matches a pattern in the debug_peer_list parameter. debug_peer_list (empty) - Optional list of remote client or server hostname or network + Optional list of remote client or server hostname or network address patterns that cause the verbose logging level to increase by the amount specified in $debug_peer_level. error_notice_recipient (postmaster) - The recipient of postmaster notifications about mail delivery + The recipient of postmaster notifications about mail delivery problems that are caused by policy, resource, software or proto‐ col errors. 
@@ -728,46 +737,46 @@ SMTP(8) SMTP(8) MISCELLANEOUS CONTROLS best_mx_transport (empty) - Where the Postfix SMTP client should deliver mail when it + Where the Postfix SMTP client should deliver mail when it detects a "mail loops back to myself" error condition. config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and master.cf con‐ + The default location of the Postfix main.cf and master.cf con‐ figuration files. daemon_timeout (18000s) - How much time a Postfix daemon process may take to handle a + How much time a Postfix daemon process may take to handle a request before it is terminated by a built-in watchdog timer. delay_logging_resolution_limit (2) - The maximal number of digits after the decimal point when log‐ + The maximal number of digits after the decimal point when log‐ ging sub-second delay values. disable_dns_lookups (no) Disable DNS lookups in the Postfix SMTP and LMTP clients. inet_interfaces (all) - The network interface addresses that this mail system receives + The network interface addresses that this mail system receives mail on. inet_protocols (all) - The Internet protocols Postfix will attempt to use when making + The Internet protocols Postfix will attempt to use when making or accepting connections. ipc_timeout (3600s) - The time limit for sending or receiving information over an + The time limit for sending or receiving information over an internal communication channel. lmtp_assume_final (no) - When a remote LMTP server announces no DSN support, assume that - the server performs final delivery, and send "delivered" deliv‐ + When a remote LMTP server announces no DSN support, assume that + the server performs final delivery, and send "delivered" deliv‐ ery status notifications instead of "relayed". lmtp_tcp_port (24) The default TCP port that the Postfix LMTP client connects to. 
max_idle (100s) - The maximum amount of time that an idle Postfix daemon process + The maximum amount of time that an idle Postfix daemon process waits for an incoming connection before terminating voluntarily. max_use (100) @@ -781,20 +790,20 @@ SMTP(8) SMTP(8) The process name of a Postfix command or daemon process. proxy_interfaces (empty) - The network interface addresses that this mail system receives + The network interface addresses that this mail system receives mail on by way of a proxy or network address translation unit. smtp_address_preference (any) The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP - client will try first, when a destination has IPv6 and IPv4 + client will try first, when a destination has IPv6 and IPv4 addresses with equal MX preference. smtp_bind_address (empty) - An optional numerical network address that the Postfix SMTP + An optional numerical network address that the Postfix SMTP client should bind to when making an IPv4 connection. smtp_bind_address6 (empty) - An optional numerical network address that the Postfix SMTP + An optional numerical network address that the Postfix SMTP client should bind to when making an IPv6 connection. smtp_helo_name ($myhostname) @@ -814,8 +823,8 @@ SMTP(8) SMTP(8) The syslog facility of Postfix logging. syslog_name (see 'postconf -d' output) - The mail system name that is prepended to the process name in - syslog records, so that "smtpd" becomes, for example, "post‐ + The mail system name that is prepended to the process name in + syslog records, so that "smtpd" becomes, for example, "post‐ fix/smtpd". Available with Postfix 2.2 and earlier: diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 73ba99ed2..2dc247185 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 
@@ -2818,6 +2818,11 @@ The LMTP-specific version of the smtp_tls_CApath
 configuration parameter. See there for details.
 .PP
 This feature is available in Postfix 2.3 and later.
+.SH lmtp_tls_audit_template (default: empty)
+The LMTP-specific version of the smtp_tls_audit_template
+configuration parameter. See there for details.
+.PP
+This feature is available in Postfix 2.12 and later.
 .SH lmtp_tls_block_early_mail_reply (default: empty)
 The LMTP-specific version of the smtp_tls_block_early_mail_reply
 configuration parameter. See there for details.
@@ -2865,6 +2870,11 @@ The LMTP-specific version of the smtp_tls_exclude_ciphers
 configuration parameter. See there for details.
 .PP
 This feature is available in Postfix 2.3 and later.
+.SH lmtp_tls_fallback_level (default: empty)
+The LMTP-specific version of the smtp_tls_fallback_level
+configuration parameter. See there for details.
+.PP
+This feature is available in Postfix 2.12 and later.
 .SH lmtp_tls_fingerprint_cert_match (default: empty)
 The LMTP-specific version of the smtp_tls_fingerprint_cert_match
 configuration parameter. See there for details.
@@ -6974,6 +6984,64 @@ smtp_tls_CApath = /etc/postfix/certs
 .ft R
 .PP
 This feature is available in Postfix 2.2 and later.
+.SH smtp_tls_audit_template (default: empty)
+Optional template for tls audit logging at the completion of each
+message data transfer. If empty (the default setting) no TLS audit log
+entries are generated.
+.PP
+The following $name expansions are done on smtp_tls_audit_template:
+.IP "\fB$relay\fR"
+The remote SMTP server \fIname\fR[\fIaddress\fR]:\fIport\fR.
+.br
+.IP "\fB$level\fR"
+The effective TLS security level after any fallback.
+.br
+.IP "\fB$policy\fR"
+The desired TLS security level before any fallback, undefined
+if no fallback took place.
+.br
+.IP "\fB$auth\fR"
+The authentication level of the remote SMTP server. One of
+"Cleartext", "Anonymous", "Untrusted", "Trusted" or "Verified".
+.br
+.IP "\fB$protocol\fR"
+The TLS protocol version, defined only when TLS is used.
+.br
+.IP "\fB$cipher\fR"
+The TLS cipher name, defined only when TLS is used.
+.br
+.IP "\fB$cert_digest\fR"
+The digest of the remote SMTP server's certificate, defined
+only when TLS is used and the remote server presented a certificate.
+The digest algorithm is that specified via smtp_tls_fingerprint_digest.
+.br
+.IP "\fB$spki_digest\fR"
+The digest of the remote SMTP server's public key (Subject
+Public Key Info or SPKI from X.509), defined only when TLS is used
+and the remote server presented a certificate. The digest algorithm
+is that specified via smtp_tls_fingerprint_digest.
+.br
+.IP "\fB${name?value}\fR"
+Expands to \fIvalue\fR when \fI$name\fR is non-empty.
+.br
+.IP "\fB${name:value}\fR"
+Expands to \fIvalue\fR when \fI$name\fR is empty.
+.br +.br +.PP +Example: +.PP +.nf +.na +.ft C +/etc/postfix/main.cf: + smtp_tls_audit_template = + tlsaudit: relay=${relay}${auth?, auth=${auth}}${level?, level=${level}}${policy?, policy=${policy}}${protocol?, protocol=${protocol}}${cipher?, cipher=${cipher}} +.fi +.ad +.ft R +.PP +This feature is available in Postfix 2.12 and later. .SH smtp_tls_block_early_mail_reply (default: no) Try to detect a mail hijacking attack based on a TLS protocol vulnerability (CVE-2009-3555), where an attacker prepends malicious 
@@ -7189,6 +7257,64 @@ and "DES-CBC3-MD5". The last setting disables ciphers that use "EDH"
 key exchange with RSA authentication.
 .PP
 This feature is available in Postfix 2.3 and later.
+.SH smtp_tls_fallback_level (default: empty)
+Optional fallback levels for authenticated TLS levels. Specify
+a white-space or comma-separated list of
+\fBpolicy_level\fR=\fBfallback_level\fR pairs. The \fBpolicy_level\fR
+must require authentication (one of dane, dane-only, fingerprint,
+verify, secure). The \fBfallback_level\fR must be "encrypt" or
+"may". When an authenticated connection at some desired policy
+level cannot be established, delivery will proceed at the correponding
+fallback level if possible. A warning will be logged
+indicating the fallback reason. You can use smtp_tls_audit_template
+to record the TLS security status for each delivery.
+.PP
+The TLS policy table
+can be used to specify a destination-specific fallback strategy via the
+"fallback" policy attribute. The value of the "fallback" attribute, if
+specified, must be "may", "encrypt" or "none". If not "none", this
+specifies the fallback level for the destination in question. If the
+attribute value is "none", fallback is suppressed for the destination
+even if enabled via a global setting of smtp_tls_fallback_level.
+.PP
+Example:
+.sp
+.in +4
+.nf
+.na
+.ft C
+/etc/postfix/main.cf:
+ # When authentication fails, log a warning and deliver anyway
+ # over an unauthenticated TLS connection.
+ # + smtp_tls_fallback_level = + dane=encrypt, + dane-only=encrypt, + fingerprint=encrypt, + verify=encrypt, + secure=encrypt + indexed = ${default_database_type}:${config_directory}/ + smtp_tls_policy_maps = ${indexed}tls-policy +.fi +.ad +.ft R +.in -4 +.sp +.in +4 +.nf +.na +.ft C +/etc/postfix/tls-policy: + # No fallback for example.com + example.com secure fallback=none + # For example.net tolerate cleartext fallback + example.net dane fallback=may +.fi +.ad +.ft R +.in -4 +.PP +This feature is available in Postfix 2.12 and later. .SH smtp_tls_fingerprint_cert_match (default: empty) List of acceptable remote SMTP server certificate fingerprints for the "fingerprint" TLS security level (\fBsmtp_tls_security_level\fR = diff --git a/postfix/man/man8/smtp.8 b/postfix/man/man8/smtp.8 index 6d8d116b7..698502336 100644 --- a/postfix/man/man8/smtp.8 +++ b/postfix/man/man8/smtp.8 @@ -492,6 +492,13 @@ not an alias and its address records lie in an unsigned zone. RFC 6698 trust-anchor digest support in the Postfix TLS library. .IP "\fBtlsmgr_service_name (tlsmgr)\fR" The name of the \fBtlsmgr\fR(8) service entry in master.cf. +.PP +Available in Postfix version 2.12 and later: +.IP "\fBsmtp_tls_audit_template (empty)\fR" +Optional template for tls audit logging at the completion of each +message data transfer. +.IP "\fBsmtp_tls_fallback_level (empty)\fR" +Optional fallback levels for authenticated TLS levels. .SH "OBSOLETE STARTTLS CONTROLS" .na .nf @@ -617,8 +624,8 @@ Preliminary SMTPUTF8 support is introduced with Postfix 2.12. Enable experimental SMTPUTF8 support for the protocols described in RFC 6531..6533. .IP "\fBsmtputf8_autodetect_classes (sendmail, verify)\fR" -Enable SMTPUTF8 autodetection for the specified mail origin -classes. +Detect that a message requires SMTPUTF8 support for the specified +mail origin classes. .SH "TROUBLE SHOOTING CONTROLS" .na .nf diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink index 4d314730c..731bec18d 100755 
--- a/postfix/mantools/postlink
+++ b/postfix/mantools/postlink
@@ -631,6 +631,10 @@ while (<>) {
 s;\bsmtp_starttls_timeout\b;$&;g;
 s;\bsmtp_tls_CAfile\b;$&;g;
 s;\bsmtp_tls_CApath\b;$&;g;
+ s;\bsmtp_tls_fallback_level\b;$&;g;
+ s;\blmtp_tls_fallback_level\b;$&;g;
+ s;\bsmtp_tls_audit_template\b;$&;g;
+ s;\blmtp_tls_audit_template\b;$&;g;
 s;\bsmtp_tls_cert_file\b;$&;g;
 s;\bsmtp_tls_fingerprint_digest\b;$&;g;
 s;\bsmtp_tls_protocols\b;$&;g;
diff --git a/postfix/proto/SMTPUTF8_README.html b/postfix/proto/SMTPUTF8_README.html
index 86f8c33fb..41d845085 100644
--- a/postfix/proto/SMTPUTF8_README.html
+++ b/postfix/proto/SMTPUTF8_README.html
@@ -50,10 +50,6 @@ header values.

    Enabling Postfix SMTPUTF8 support

    -

    By default, Postfix SMTPUTF8 support is disabled. Thus, Postfix -should work exactly as it has worked before SMTPUTF8 support was -implemented.

    -

    Before turning on SMTPUTF8 support in Postfix, you need to verify that the rest of your email infrastructure can handle UTF-8 email addresses and message header values, including SMTPUTF8 @@ -65,8 +61,8 @@ parameter in main.cf:

    -# postconf "smtputf8_enable = yes"
    -# postfix reload
    +# postconf "smtputf8_enable = yes"
    +# postfix reload
     
    @@ -83,7 +79,7 @@ EHLO response.

     220 server.example.com ESMTP Postfix
    -EHLO client.example.com
    +EHLO client.example.com
     250-server.example.com
     250-PIPELINING
     250-SIZE 10240000
    @@ -101,23 +97,23 @@ EHLO client.example.com
     MAIL FROM and VRFY commands. 

    -MAIL FROM:<address> SMTPUTF8 ...
    +MAIL FROM:<address> SMTPUTF8 ...
     
    -VRFY address SMTPUTF8
    +VRFY address SMTPUTF8
     
  • The Postfix SMTP client may issue the SMTPUTF8 request in MAIL FROM commands.

    -
  • Postfix already permitted UTF-8 in message header values -and in address localparts. This does not change.

    -
  • The Postfix SMTP server accepts UTF-8 in email address domains, but only after the remote SMTP client client issues the SMTPUTF8 request in MAIL FROM or VRFY commands.

    +

    Postfix already permitted UTF-8 in message header values +and in address localparts. This does not change.

    +

    Using Postfix SMTPUTF8 support

    After Postfix SMTPUTF8 support is turned on, Postfix behavior @@ -223,7 +219,9 @@ delivered it if SMTPUTF8 support was disabled.

    "Internationalized" domain names can appear in two forms: the -UTF-8 form, and the ASCII (xn--mumble) form.

    +UTF-8 form, and the ASCII (xn--mumble) form. The initial Postfix +SMTPUTF8 implementation performs no automatic conversions on UTF8 +strings beyond what is needed to perform DNS lookups.

    No characterset canonicalization for non-ASCII domain names.

    @@ -259,7 +257,7 @@ satisfy that last condition.

    Pre-existing non-ASCII email flows

    In pre-SMTPUTF8 environments, email with UTF-8 in address -localparts (and in headers) works just fine because the vast majority +localparts (and in headers) works just fine. The vast majority of email software including Postfix is perfectly capable of handling such email, even if pre-SMTPUTF8 standards do not support this.

    @@ -281,7 +279,7 @@ SMTPUTF8, specify:

    -$ make makefiles -DNO_EAI ...
    +$ make makefiles -DNO_EAI ...
     
    diff --git a/postfix/proto/TLS_README.html b/postfix/proto/TLS_README.html index bc492ebd5..431c323be 100644 --- a/postfix/proto/TLS_README.html +++ b/postfix/proto/TLS_README.html @@ -1373,8 +1373,13 @@ for early adopters.

  • The "example.com" destination uses DANE, but if TLSA records are not present or are unusable, mail is deferred.

    -
  • The "example.org" destination uses DANE if possible, but if no TLSA -records are found opportunistic TLS is used.

    +
  • The "example.org" destination uses DANE if possible, but +uses opportunistic TLS if no TLSA records are found. The +"fallback" attribute (Postfix ≥ 2.12) overrides the global +main.cf smtp_tls_fallback_level parameter to employ unauthenticated +mandatory encryption if DANE authentication fails, after logging a +warning. See smtp_tls_audit_template for additional control over TLS +security logging.

    @@ -1394,26 +1399,16 @@ main.cf: # default_transport = smtp, but some destinations are special: # transport_maps = ${indexed}transport -
  • - -
    -
     transport:
         example.com dane
         example.org dane
    -
    -
    -
    -
     tls_policy:
         example.com dane-only
    -
    -
    + # Postfix ≥ 2.12, per-destination smtp_tls_fallback_level override + example.org dane fallback=encrypt -
    -
     master.cf:
         dane       unix  -       -       n       -       -       smtp
           -o smtp_dns_support_level=dnssec
    @@ -2146,7 +2141,10 @@ href="#client_tls_encrypt">encrypt.  When usable TLSA records
     are obtained for the remote SMTP server, SSLv2 is automatically
     disabled (see smtp_tls_mandatory_protocols), and the server certificate
     must match the TLSA records.  RFC 6698 (DANE) TLS authentication
    -and DNSSEC support is available with Postfix 2.11 and later.  
    +and DNSSEC support is available with Postfix 2.11 and later.  
    +The optional "fallback" attribute provides a per-site override of
    +the main.cf smtp_tls_fallback_level parameter (Postfix ≥ 2.12).
    +
     
     
    dane-only
    Mandatory DANE TLS. The TLS policy for the destination is obtained via TLSA records in @@ -2155,7 +2153,10 @@ connection is made to the server. When usable TLSA records are obtained for the remote SMTP server, SSLv2 is automatically disabled (see smtp_tls_mandatory_protocols), and the server certificate must match the TLSA records. RFC 6698 (DANE) TLS authentication and -DNSSEC support is available with Postfix 2.11 and later.
    +DNSSEC support is available with Postfix 2.11 and later. +The optional "fallback" attribute provides a per-site override of +the main.cf smtp_tls_fallback_level parameter (Postfix ≥ 2.12). +
    fingerprint
    Certificate fingerprint verification. Available with Postfix 2.5 and @@ -2164,13 +2165,15 @@ authorities. The certificate trust chain, expiration date, ... are not checked. Instead, the optional match attribute, or else the main.cf smtp_tls_fingerprint_cert_match parameter, lists the server certificate fingerprints or public key fingerprints -(Postfix 2.9 and later). The -digest algorithm used to calculate fingerprints is selected by the -smtp_tls_fingerprint_digest parameter. Multiple fingerprints can -be combined with a "|" delimiter in a single match attribute, or multiple -match attributes can be employed. The ":" character is not used as a -delimiter as it occurs between each pair of fingerprint (hexadecimal) -digits.
    +(Postfix 2.9 and later). The digest algorithm used to calculate +fingerprints is selected by the smtp_tls_fingerprint_digest +parameter. Multiple fingerprints can be combined with a "|" delimiter +in a single match attribute, or multiple match attributes can be +employed. The ":" character is not used as a delimiter as it occurs +between each pair of fingerprint (hexadecimal) digits. +The optional "fallback" attribute provides a per-site override of +the main.cf smtp_tls_fallback_level parameter (Postfix ≥ 2.12). +
    verify
    Mandatory server certificate verification. Mail is delivered only if the @@ -2181,9 +2184,11 @@ the optional "match" attribute (or the main.cf smtp_tls_verify_cert_match parameter value when no optional "match" attribute is specified). With Postfix ≥ 2.11 the "tafile" attribute optionally modifies trust chain verification in the same manner as the -"smtp_tls_trust_anchor_file" parameter. The "tafile" attribute -may be specified multiple times to load multiple trust-anchor -files.
    +"smtp_tls_trust_anchor_file" parameter. The "tafile" attribute may +be specified multiple times to load multiple trust-anchor files. +The optional "fallback" attribute provides a per-site override of +the main.cf smtp_tls_fallback_level parameter (Postfix ≥ 2.12). +
    secure
    Secure certificate verification. Mail is delivered only if the TLS handshake succeeds, @@ -2195,7 +2200,10 @@ main.cf smtp_tls_secure_cert_match parameter value when no optional attribute optionally modifies trust chain verification in the same manner as the "smtp_tls_trust_anchor_file" parameter. The "tafile" attribute may be specified multiple times to load multiple trust-anchor -files.
    +files. +The optional "fallback" attribute provides a per-site override of +the main.cf smtp_tls_fallback_level parameter (Postfix ≥ 2.12). + @@ -2242,6 +2250,7 @@ Example: smtp_tls_policy_maps = hash:/etc/postfix/tls_policy # Postfix 2.5 and later smtp_tls_fingerprint_digest = md5 + /etc/postfix/tls_policy: example.edu none example.mil may @@ -2256,6 +2265,8 @@ Example: match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1 # Postfix 2.6 and later example.info may protocols=!SSLv2 ciphers=medium exclude=3DES + # Postfix 2.12 and later override of smtp_tls_fallback_level + fallback.example secure fallback=encrypt
    diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index c26f1a5da..45181dfd7 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -11019,8 +11019,8 @@ Example: [mail.example.org]:587 secure match=nexthop # Postfix 2.5 and later [thumb.example.org] fingerprint - match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35 - match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1 + match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35 + match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1

    Note: The hostname strategy if listed in a non-default @@ -16184,3 +16184,133 @@ mail.

    This feature is available in Postfix 2.12 and later.

    + +%PARAM smtp_tls_fallback_level + +

    Optional fallback levels for authenticated TLS levels. Specify +a white-space or comma-separated list of +policy_level=fallback_level pairs. The policy_level +must require authentication (one of dane, dane-only, fingerprint, +verify, secure). The fallback_level must be "encrypt" or +"may". When an authenticated connection at some desired policy +level cannot be established, delivery will proceed at the correponding +fallback level if possible. A warning will be logged +indicating the fallback reason. You can use smtp_tls_audit_template +to record the TLS security status for each delivery.

    + +

    The TLS policy table +can be used to specify a destination-specific fallback strategy via the +"fallback" policy attribute. The value of the "fallback" attribute, if +specified, must be "may", "encrypt" or "none". If not "none", this +specifies the fallback level for the destination in question. If the +attribute value is "none", fallback is suppressed for the destination +even if enabled via a global setting of smtp_tls_fallback_level.

    + +

    Example:

    + +
    +
    +/etc/postfix/main.cf:
    +    # When authentication fails, log a warning and deliver anyway
    +    # over an unauthenticated TLS connection.
    +    #
    +    smtp_tls_fallback_level =
    +	dane=encrypt,
    +	dane-only=encrypt,
    +	fingerprint=encrypt,
    +	verify=encrypt,
    +	secure=encrypt
    +    indexed = ${default_database_type}:${config_directory}/
    +    smtp_tls_policy_maps = ${indexed}tls-policy
    +
    +
    + +
    +
    +/etc/postfix/tls-policy:
    +    # No fallback for example.com
    +    example.com secure fallback=none
    +    # For example.net tolerate cleartext fallback
    +    example.net dane fallback=may
    +
    +
    + +

    This feature is available in Postfix 2.12 and later.

    + +%PARAM lmtp_tls_fallback_level + +

    The LMTP-specific version of the smtp_tls_fallback_level +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.12 and later.

    + +%PARAM smtp_tls_audit_template + +

    Optional template for tls audit logging at the completion of each +message data transfer. If empty (the default setting) no TLS audit log +entries are generated.

    + +

    The following $name expansions are done on smtp_tls_audit_template:

    + +
    + +
    $relay
    +
    The remote SMTP server name[address]:port. +
    + +
    $level
    +
    The effective TLS security level after any fallback.
    + +
    $policy
    +
    The desired TLS security level before any fallback, undefined +if no fallback took place.
    + +
    $auth
    +
    The authentication level of the remote SMTP server. One of +"Cleartext", "Anonymous", "Untrusted", "Trusted" or "Verified". +
    + +
    $protocol
    +
    The TLS protocol version, defined only when TLS is used.
    + +
    $cipher
    +
    The TLS cipher name, defined only when TLS is used.
    + +
    $cert_digest
    +
    The digest of the remote SMTP server's certificate, defined +only when TLS is used and the remote server presented a certificate. +The digest algorithm is that specified via smtp_tls_fingerprint_digest. +
    + +
    $spki_digest
    +
    The digest of the remote SMTP server's public key (Subject +Public Key Info or SPKI from X.509), defined only when TLS is used +and the remote server presented a certificate. The digest algorithm +is that specified via smtp_tls_fingerprint_digest.
    + +
    ${name?value}
    + +
    Expands to value when $name is non-empty.
    + +
    ${name:value}
    + +
    Expands to value when $name is empty.
    + +
    + +

    Example:

    + +
    +/etc/postfix/main.cf:
    +    smtp_tls_audit_template =
    +        tlsaudit: relay=${relay}${auth?, auth=${auth}}${level?, level=${level}}${policy?, policy=${policy}}${protocol?, protocol=${protocol}}${cipher?, cipher=${cipher}}
    +
    + +

    This feature is available in Postfix 2.12 and later.

    + +%PARAM lmtp_tls_audit_template + +

    The LMTP-specific version of the smtp_tls_audit_template +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.12 and later.

    diff --git a/postfix/src/global/dict_mysql.c b/postfix/src/global/dict_mysql.c index e899a1489..268f51d33 100644 --- a/postfix/src/global/dict_mysql.c +++ b/postfix/src/global/dict_mysql.c @@ -349,9 +349,11 @@ static const char *dict_mysql_lookup(DICT *dict, const char *name) msg_info("%s: Skipping lookup of '%s'", myname, name); return (0); } - if (domain_rc < 0) + if (domain_rc < 0) { + msg_warn("%s:%s 'domain' pattern match failed for '%s'", + dict->type, dict->name, name); DICT_ERR_VAL_RETURN(dict, domain_rc, (char *) 0); - + } #define INIT_VSTR(buf, len) do { \ if (buf == 0) \ buf = vstring_alloc(len); \ diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index 3b402a708..494112014 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -1372,6 +1372,12 @@ extern bool var_smtp_tls_enforce_peername; #define DEF_LMTP_TLS_LEVEL "" extern char *var_smtp_tls_level; +#define VAR_SMTP_TLS_FBACK_LEVEL "smtp_tls_fallback_level" +#define DEF_SMTP_TLS_FBACK_LEVEL "" +#define VAR_LMTP_TLS_FBACK_LEVEL "lmtp_tls_fallback_level" +#define DEF_LMTP_TLS_FBACK_LEVEL "" +extern char *var_smtp_tls_fback_level; + #define VAR_SMTP_TLS_SCERT_VD "smtp_tls_scert_verifydepth" #define DEF_SMTP_TLS_SCERT_VD 9 #define VAR_LMTP_TLS_SCERT_VD "lmtp_tls_scert_verifydepth" @@ -1543,6 +1549,12 @@ extern bool var_smtp_tls_blk_early_mail_reply; #define DEF_LMTP_TLS_FORCE_TLSA 0 extern bool var_smtp_tls_force_tlsa; +#define VAR_SMTP_TLS_AUDIT_TEMPLATE "smtp_tls_audit_template" +#define DEF_SMTP_TLS_AUDIT_TEMPLATE "" +#define VAR_LMTP_TLS_AUDIT_TEMPLATE "lmtp_tls_audit_template" +#define DEF_LMTP_TLS_AUDIT_TEMPLATE "" +extern char *var_smtp_tls_audit_template; + /* * SASL authentication support, SMTP server side. */ diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index c2a8dc360..add3094a4 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h 
@@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20140801" +#define MAIL_RELEASE_DATE "20140905" #define MAIL_VERSION_NUMBER "2.12" #ifdef SNAPSHOT diff --git a/postfix/src/smtp/Makefile.in b/postfix/src/smtp/Makefile.in index fdbab2f97..e271bf7d4 100644 --- a/postfix/src/smtp/Makefile.in +++ b/postfix/src/smtp/Makefile.in @@ -2,11 +2,11 @@ SHELL = /bin/sh SRCS = smtp.c smtp_connect.c smtp_proto.c smtp_chat.c smtp_session.c \ smtp_addr.c smtp_trouble.c smtp_state.c smtp_rcpt.c smtp_tls_policy.c \ smtp_sasl_proto.c smtp_sasl_glue.c smtp_reuse.c smtp_map11.c \ - smtp_sasl_auth_cache.c smtp_key.c + smtp_sasl_auth_cache.c smtp_key.c smtp_tls_audit.c OBJS = smtp.o smtp_connect.o smtp_proto.o smtp_chat.o smtp_session.o \ smtp_addr.o smtp_trouble.o smtp_state.o smtp_rcpt.o smtp_tls_policy.o \ smtp_sasl_proto.o smtp_sasl_glue.o smtp_reuse.o smtp_map11.o \ - smtp_sasl_auth_cache.o smtp_key.o + smtp_sasl_auth_cache.o smtp_key.o smtp_tls_audit.o HDRS = smtp.h smtp_sasl.h smtp_addr.h smtp_reuse.h smtp_sasl_auth_cache.h TESTSRC = DEFS = -I. -I$(INC_DIR) -D$(SYSTYPE) 
@@ -662,6 +662,41 @@ smtp_state.o: ../../include/vstring.h smtp_state.o: smtp.h smtp_state.o: smtp_sasl.h smtp_state.o: smtp_state.c +smtp_tls_audit.o: ../../include/argv.h +smtp_tls_audit.o: ../../include/attr.h +smtp_tls_audit.o: ../../include/deliver_request.h +smtp_tls_audit.o: ../../include/dict.h +smtp_tls_audit.o: ../../include/dns.h +smtp_tls_audit.o: ../../include/dsn.h +smtp_tls_audit.o: ../../include/dsn_buf.h +smtp_tls_audit.o: ../../include/header_body_checks.h +smtp_tls_audit.o: ../../include/header_opts.h +smtp_tls_audit.o: ../../include/htable.h +smtp_tls_audit.o: ../../include/mac_expand.h +smtp_tls_audit.o: ../../include/mac_parse.h +smtp_tls_audit.o: ../../include/mail_params.h +smtp_tls_audit.o: ../../include/maps.h +smtp_tls_audit.o: ../../include/match_list.h +smtp_tls_audit.o: ../../include/mime_state.h +smtp_tls_audit.o: ../../include/msg.h +smtp_tls_audit.o: ../../include/msg_stats.h +smtp_tls_audit.o: ../../include/myaddrinfo.h +smtp_tls_audit.o: ../../include/myflock.h +smtp_tls_audit.o: ../../include/name_code.h +smtp_tls_audit.o: ../../include/name_mask.h +smtp_tls_audit.o: ../../include/recipient_list.h +smtp_tls_audit.o: ../../include/resolve_clnt.h +smtp_tls_audit.o: ../../include/scache.h +smtp_tls_audit.o: ../../include/sock_addr.h +smtp_tls_audit.o: ../../include/string_list.h +smtp_tls_audit.o: ../../include/sys_defs.h +smtp_tls_audit.o: ../../include/tls.h +smtp_tls_audit.o: ../../include/tok822.h +smtp_tls_audit.o: ../../include/vbuf.h +smtp_tls_audit.o: ../../include/vstream.h +smtp_tls_audit.o: ../../include/vstring.h +smtp_tls_audit.o: smtp.h +smtp_tls_audit.o: smtp_tls_audit.c smtp_tls_policy.o: ../../include/argv.h smtp_tls_policy.o: ../../include/attr.h smtp_tls_policy.o: ../../include/ctable.h diff --git a/postfix/src/smtp/lmtp_params.c b/postfix/src/smtp/lmtp_params.c index 1861e5ba5..eb84c920e 100644 --- a/postfix/src/smtp/lmtp_params.c +++ b/postfix/src/smtp/lmtp_params.c 
@@ -28,6 +28,7 @@ VAR_LMTP_TLS_ECCERT_FILE, DEF_LMTP_TLS_ECCERT_FILE, &var_smtp_tls_eccert_file, 0, 0, VAR_LMTP_TLS_ECKEY_FILE, DEF_LMTP_TLS_ECKEY_FILE, &var_smtp_tls_eckey_file, 0, 0, VAR_LMTP_TLS_LOGLEVEL, DEF_LMTP_TLS_LOGLEVEL, &var_smtp_tls_loglevel, 0, 0, + VAR_LMTP_TLS_FBACK_LEVEL, DEF_LMTP_TLS_FBACK_LEVEL, &var_smtp_tls_fback_level, 0, 0, #endif VAR_LMTP_SASL_MECHS, DEF_LMTP_SASL_MECHS, &var_smtp_sasl_mechs, 0, 0, VAR_LMTP_SASL_TYPE, DEF_LMTP_SASL_TYPE, &var_smtp_sasl_type, 1, 0, @@ -119,3 +120,11 @@ VAR_LMTP_DUMMY_MAIL_AUTH, DEF_LMTP_DUMMY_MAIL_AUTH, &var_smtp_dummy_mail_auth, 0, }; + + /* Suppress $name expansion upon loading. */ + static const CONFIG_RAW_TABLE lmtp_raw_table[] = { +#ifdef USE_TLS + VAR_LMTP_TLS_AUDIT_TEMPLATE, DEF_LMTP_TLS_AUDIT_TEMPLATE, &var_smtp_tls_audit_template, 0, 0, +#endif + 0, + }; diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c index 158c273e6..130b251f9 100644 --- a/postfix/src/smtp/smtp.c +++ b/postfix/src/smtp/smtp.c @@ -462,6 +462,13 @@ /* RFC 6698 trust-anchor digest support in the Postfix TLS library. /* .IP "\fBtlsmgr_service_name (tlsmgr)\fR" /* The name of the \fBtlsmgr\fR(8) service entry in master.cf. +/* .PP +/* Available in Postfix version 2.12 and later: +/* .IP "\fBsmtp_tls_audit_template (empty)\fR" +/* Optional template for tls audit logging at the completion of each +/* message data transfer. +/* .IP "\fBsmtp_tls_fallback_level (empty)\fR" +/* Optional fallback levels for authenticated TLS levels. /* OBSOLETE STARTTLS CONTROLS /* .ad /* .fi @@ -581,8 +588,8 @@ /* Enable experimental SMTPUTF8 support for the protocols described /* in RFC 6531..6533. /* .IP "\fBsmtputf8_autodetect_classes (sendmail, verify)\fR" -/* Enable SMTPUTF8 autodetection for the specified mail origin -/* classes. +/* Detect that a message requires SMTPUTF8 support for the specified +/* mail origin classes. /* TROUBLE SHOOTING CONTROLS /* .ad /* .fi 
@@ -856,6 +863,7 @@ char *var_smtp_tls_mand_excl; char *var_smtp_tls_dcert_file; char *var_smtp_tls_dkey_file; bool var_smtp_tls_enforce_peername; +char *var_smtp_tls_fback_level; char *var_smtp_tls_key_file; char *var_smtp_tls_loglevel; bool var_smtp_tls_note_starttls_offer; @@ -872,6 +880,7 @@ char *var_smtp_tls_eccert_file; char *var_smtp_tls_eckey_file; bool var_smtp_tls_blk_early_mail_reply; bool var_smtp_tls_force_tlsa; +char *var_smtp_tls_audit_template; #endif @@ -1285,6 +1294,8 @@ int main(int argc, char **argv) smtp_int_table : lmtp_int_table, MAIL_SERVER_STR_TABLE, smtp_mode ? smtp_str_table : lmtp_str_table, + MAIL_SERVER_RAW_TABLE, smtp_mode ? + smtp_raw_table : lmtp_raw_table, MAIL_SERVER_BOOL_TABLE, smtp_mode ? smtp_bool_table : lmtp_bool_table, MAIL_SERVER_PRE_INIT, pre_init, diff --git a/postfix/src/smtp/smtp.h b/postfix/src/smtp/smtp.h index c21aa65a5..2e58af635 100644 --- a/postfix/src/smtp/smtp.h +++ b/postfix/src/smtp/smtp.h @@ -92,6 +92,8 @@ typedef struct SMTP_ITERATOR { typedef struct SMTP_TLS_POLICY { int level; /* TLS enforcement level */ + int policy_level; /* TLS desired policy level */ + int fallback_level; /* TLS fallback level */ char *protocols; /* Acceptable SSL protocols */ char *grade; /* Cipher grade: "export", ... */ VSTRING *exclusions; /* Excluded SSL ciphers */ @@ -120,11 +122,13 @@ extern void smtp_tls_policy_cache_flush(void); SMTP_TLS_POLICY *_tls_policy_dummy_tmp = (t); \ smtp_tls_policy_init(_tls_policy_dummy_tmp, (DSN_BUF *) 0); \ _tls_policy_dummy_tmp->level = TLS_LEV_NONE; \ + _tls_policy_dummy_tmp->policy_level = TLS_LEV_NONE; \ } while (0) /* This macro is not part of the module external interface. */ #define smtp_tls_policy_init(t, w) do { \ SMTP_TLS_POLICY *_tls_policy_init_tmp = (t); \ + _tls_policy_init_tmp->fallback_level = TLS_LEV_NOTFOUND; \ _tls_policy_init_tmp->protocols = 0; \ _tls_policy_init_tmp->grade = 0; \ _tls_policy_init_tmp->exclusions = 0; \ 
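Review bot: `smtp_tls_policy_init()` seeds the new `fallback_level` member with `TLS_LEV_NOTFOUND` but leaves the equally new `policy_level` unset, while `smtp_tls_policy_dummy()` assigns it explicitly and `smtp_tls_audit()` later tests `tls->policy_level <= TLS_LEV_NONE` on every delivery. Unless `policy_create()` in smtp_tls_policy.c, whose hunks are not in the visible part of this diff, stores `policy_level` on every path including the error ones, a policy that is marked invalid early carries an indeterminate value into that check. Initializing it next to the fallback level, `_tls_policy_init_tmp->policy_level = TLS_LEV_NOTFOUND; \`, removes the dependence on caller discipline. The one-word member comments in the @@ -92 hunk of the same file ("TLS enforcement level", "TLS desired policy level") also do not say how `level` and `policy_level` differ or which one fallback modifies; a sentence on the struct would help.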
@@ -341,6 +345,7 @@ typedef struct SMTP_SESSION { char *tls_nexthop; /* Nexthop domain for cert checks */ int tls_retry_plain; /* Try plain when TLS handshake fails */ SMTP_TLS_POLICY *tls; /* TEMPORARY */ + int tls_level; /* Actual tls level */ #endif SMTP_STATE *state; /* back link */ @@ -469,14 +474,16 @@ extern HBC_CALL_BACKS smtp_hbc_callbacks[]; #define PLAINTEXT_FALLBACK_OK_AFTER_STARTTLS_FAILURE \ (session->tls_context == 0 \ - && session->tls->level == TLS_LEV_MAY \ + && (session->tls->level == TLS_LEV_MAY \ + || session->tls->fallback_level == TLS_LEV_MAY) \ && PREACTIVE_DELAY >= var_min_backoff_time \ && !HAVE_SASL_CREDENTIALS) #define PLAINTEXT_FALLBACK_OK_AFTER_TLS_SESSION_FAILURE \ (session->tls_context != 0 \ && SMTP_RCPT_LEFT(state) > SMTP_RCPT_MARK_COUNT(state) \ - && session->tls->level == TLS_LEV_MAY \ + && (session->tls->level == TLS_LEV_MAY \ + || session->tls->fallback_level == TLS_LEV_MAY) \ && PREACTIVE_DELAY >= var_min_backoff_time \ && !HAVE_SASL_CREDENTIALS) @@ -488,8 +495,17 @@ extern HBC_CALL_BACKS smtp_hbc_callbacks[]; #define RETRY_AS_PLAINTEXT do { \ session->tls_retry_plain = 1; \ state->misc_flags &= ~SMTP_MISC_FLAG_FINAL_SERVER; \ + (void) smtp_tls_trouble(state, session->tls_context ? \ + STARTTLS_SESSION_FALLBACK : \ + STARTTLS_HANDSHAKE_FALLBACK); \ } while (0) +#define STARTTLS_FEATURE_FALLBACK 1 /* No STARTTLS feature */ +#define STARTTLS_COMMAND_FALLBACK 2 /* Refused STARTTLS command */ +#define STARTTLS_HANDSHAKE_FALLBACK 3 /* Handshake failed */ +#define STARTTLS_VERIFY_FALLBACK 4 /* Peer verification failed */ +#define STARTTLS_SESSION_FALLBACK 5 /* Data transfer failed */ + /* * smtp_chat.c */ @@ -572,6 +588,11 @@ extern void PRINTFLIKE(5, 6) smtp_rcpt_fail(SMTP_STATE *, RECIPIENT *, const char *,...); extern int smtp_stream_except(SMTP_STATE *, int, const char *); +#ifdef USE_TLS +extern int smtp_tls_trouble(SMTP_STATE *, int); + +#endif + /* * smtp_unalias.c */ 
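Review bot: `RETRY_AS_PLAINTEXT` discards the result of the new `smtp_tls_trouble()` call with a `(void)` cast, whereas every other caller this commit adds in smtp_proto.c treats a non-zero return as "fallback not permitted, fail the delivery". The discard is presumably safe only because both `PLAINTEXT_FALLBACK_OK_*` macros in the @@ -469 hunk already require `level` or `fallback_level` to be `TLS_LEV_MAY` before the retry is attempted, but nothing in the macro says so; suggest `/* Result ignored: PLAINTEXT_FALLBACK_OK_* already established that a "may" fallback is allowed. */` on that line. Note also that with `fallback_level == TLS_LEV_MAY` an authenticated level ("secure", "dane", "fingerprint", ...) now retries in cleartext after a handshake or session failure; that is the documented meaning of `fallback=may`, but a line in the comment above the `PLAINTEXT_FALLBACK_OK_*` macros would make that consequence visible to a reader of the header.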
@@ -649,6 +670,11 @@ char *smtp_key_prefix(VSTRING *, const char *, SMTP_ITERATOR *, int); | COND_SASL_SMTP_KEY_FLAG_NEXTHOP | COND_SASL_SMTP_KEY_FLAG_HOSTNAME \ | SMTP_KEY_FLAG_ADDR | SMTP_KEY_FLAG_PORT) + /* + * smtp_tls_audit.c + */ +extern void smtp_tls_audit(const char *, SMTP_SESSION *); + /* * Silly little macros. */ diff --git a/postfix/src/smtp/smtp_connect.c b/postfix/src/smtp/smtp_connect.c index acff1eba4..be55b27e4 100644 --- a/postfix/src/smtp/smtp_connect.c +++ b/postfix/src/smtp/smtp_connect.c @@ -108,6 +108,18 @@ #include #include + /* + * XXX Unclean: all TLS security level info belongs in session->tls. It + * should not pollute the session structure and consequently pollute + * internal APIs that don't need access to the session structure. + */ +#ifdef USE_TLS +#define TLS_SESS_INIT(session, state) do { \ + session->tls_level = state->tls->level; /* XXX Pre fallback */ \ + session->tls = state->tls; /* TEMPORARY */ \ + } while (0) +#endif + /* * Forward declaration. */ @@ -522,7 +534,7 @@ static void smtp_connect_local(SMTP_STATE *state, const char *path) if ((state->session = session) != 0) { session->state = state; #ifdef USE_TLS - session->tls = state->tls; /* TEMPORARY */ + TLS_SESS_INIT(session, state); /* TEMPORARY */ session->tls_nexthop = var_myhostname; /* for TLS_LEV_SECURE */ if (session->tls->level == TLS_LEV_MAY) { msg_warn("%s: opportunistic TLS encryption is not appropriate " @@ -674,7 +686,7 @@ static int smtp_reuse_session(SMTP_STATE *state, DNS_RR **addr_list, && *addr_list == 0) state->misc_flags |= SMTP_MISC_FLAG_FINAL_SERVER; #ifdef USE_TLS - session->tls = state->tls; /* TEMPORARY */ + TLS_SESS_INIT(session, state); /* TEMPORARY */ #endif smtp_xfer(state); smtp_cleanup_session(state); 
@@ -734,7 +746,7 @@ static int smtp_reuse_session(SMTP_STATE *state, DNS_RR **addr_list, && next == 0) state->misc_flags |= SMTP_MISC_FLAG_FINAL_SERVER; #ifdef USE_TLS - session->tls = state->tls; /* TEMPORARY */ + TLS_SESS_INIT(session, state); /* TEMPORARY */ #endif smtp_xfer(state); smtp_cleanup_session(state); @@ -978,7 +990,7 @@ static void smtp_connect_inet(SMTP_STATE *state, const char *nexthop, if ((state->session = session) != 0) { session->state = state; #ifdef USE_TLS - session->tls = state->tls; /* TEMPORARY */ + TLS_SESS_INIT(session, state); /* TEMPORARY */ /* XXX: EAI: Convert to A-label here or in TLS library */ session->tls_nexthop = domain; /* for TLS_LEV_SECURE */ #endif diff --git a/postfix/src/smtp/smtp_params.c b/postfix/src/smtp/smtp_params.c index 807215dba..eddca9e9c 100644 --- a/postfix/src/smtp/smtp_params.c +++ b/postfix/src/smtp/smtp_params.c @@ -29,6 +29,7 @@ VAR_SMTP_TLS_ECCERT_FILE, DEF_SMTP_TLS_ECCERT_FILE, &var_smtp_tls_eccert_file, 0, 0, VAR_SMTP_TLS_ECKEY_FILE, DEF_SMTP_TLS_ECKEY_FILE, &var_smtp_tls_eckey_file, 0, 0, VAR_SMTP_TLS_LOGLEVEL, DEF_SMTP_TLS_LOGLEVEL, &var_smtp_tls_loglevel, 0, 0, + VAR_SMTP_TLS_FBACK_LEVEL, DEF_SMTP_TLS_FBACK_LEVEL, &var_smtp_tls_fback_level, 0, 0, #endif VAR_SMTP_SASL_MECHS, DEF_SMTP_SASL_MECHS, &var_smtp_sasl_mechs, 0, 0, VAR_SMTP_SASL_TYPE, DEF_SMTP_SASL_TYPE, &var_smtp_sasl_type, 1, 0, @@ -123,3 +124,11 @@ VAR_SMTP_DUMMY_MAIL_AUTH, DEF_SMTP_DUMMY_MAIL_AUTH, &var_smtp_dummy_mail_auth, 0, }; + + /* Suppress $name expansion upon loading. */ + static const CONFIG_RAW_TABLE smtp_raw_table[] = { +#ifdef USE_TLS + VAR_SMTP_TLS_AUDIT_TEMPLATE, DEF_SMTP_TLS_AUDIT_TEMPLATE, &var_smtp_tls_audit_template, 0, 0, +#endif + 0, + }; diff --git a/postfix/src/smtp/smtp_proto.c b/postfix/src/smtp/smtp_proto.c index 53e4c1496..bb88acfee 100644 --- a/postfix/src/smtp/smtp_proto.c +++ b/postfix/src/smtp/smtp_proto.c 
@@ -339,6 +339,9 @@ int smtp_helo(SMTP_STATE *state) /* * If the policy table specifies a bogus TLS security level, fail * now. + * + * XXX: This should be caught in smtp_connect before we even make a + * connection to the host. Change to msg_panic()? */ #ifdef USE_TLS if (session->tls->level == TLS_LEV_INVALID) 
@@ -753,37 +756,38 @@ int smtp_helo(SMTP_STATE *state) * although support for it was announced in the EHLO response. */ session->features &= ~SMTP_FEATURE_STARTTLS; - if (TLS_REQUIRED(session->tls->level)) + if (smtp_tls_trouble(state, STARTTLS_COMMAND_FALLBACK)) return (smtp_site_fail(state, STR(iter->host), resp, "TLS is required, but host %s refused to start TLS: %s", session->namaddr, translit(resp->str, "\n", " "))); /* Else try to continue in plain-text mode. */ - } + } else { - /* - * Give up if we must use TLS but can't for various reasons. - * - * 200412 Be sure to provide the default clause at the bottom of this - * block. When TLS is required we must never, ever, end up in - * plain-text mode. - */ - if (TLS_REQUIRED(session->tls->level)) { - if (!(session->features & SMTP_FEATURE_STARTTLS)) { - return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, - SMTP_RESP_FAKE(&fake, "4.7.4"), + /* + * Give up if we must use TLS but can't for various reasons. + * + * 200412 Be sure to provide the default clause at the bottom of + * this block. When TLS is required we must never, ever, end up + * in plain-text mode. 
+ */ + if (smtp_tls_trouble(state, STARTTLS_FEATURE_FALLBACK)) { + if (!(session->features & SMTP_FEATURE_STARTTLS)) { + return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, + SMTP_RESP_FAKE(&fake, "4.7.4"), "TLS is required, but was not offered by host %s", - session->namaddr)); - } else if (smtp_tls_ctx == 0) { - return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, - SMTP_RESP_FAKE(&fake, "4.7.5"), + session->namaddr)); + } else if (smtp_tls_ctx == 0) { + return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, + SMTP_RESP_FAKE(&fake, "4.7.5"), "TLS is required, but our TLS engine is unavailable")); - } else { - msg_warn("%s: TLS is required but unavailable, don't know why", - myname); - return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, - SMTP_RESP_FAKE(&fake, "4.7.0"), + } else { + msg_warn("%s: TLS is required but unavailable, don't know why", + myname); + return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, + SMTP_RESP_FAKE(&fake, "4.7.0"), "TLS is required, but unavailable")); + } } } } @@ -807,6 +811,7 @@ static int smtp_start_tls(SMTP_STATE *state) TLS_CLIENT_START_PROPS tls_props; VSTRING *serverid; SMTP_RESP fake; + int tls_level; /* * Turn off SMTP connection caching. When the TLS handshake succeeds, we @@ -856,6 +861,11 @@ static int smtp_start_tls(SMTP_STATE *state) * resulting TLScontext. It is now up to the application to abort the TLS * connection if it chooses. * + * Consequently, the TLS library need not and does not distinguish between + * the "dane" and "dane-only" security levels. By the time we have TLSA + * records in hand, both behave identically modulo application-level + * fallback. We collapse these now equivalent security levels. + * * XXX When tls_client_start() fails then we don't know what state the SMTP * connection is in, so we give up on this connection even if we are not * required to use TLS. 
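Review bot: In the STARTTLS-refused branch, `if (smtp_tls_trouble(state, STARTTLS_COMMAND_FALLBACK))` replaces `TLS_REQUIRED(session->tls->level)`, so the "Else try to continue in plain-text mode" fall-through now rests entirely on `smtp_tls_trouble()` returning non-zero whenever the configured fallback cannot be satisfied without STARTTLS — a `fallback=encrypt` policy in particular, which presumably must still fail here. That function lives in smtp_trouble.c, which the commit message lists but whose hunks are not in this part of the diff, so the contract is invisible at the call site. Suggest a comment above the call such as `/* smtp_tls_trouble() returns non-zero unless the policy allows continuing in cleartext ("may"); an "encrypt" fallback cannot be honored without STARTTLS. */`, and the same for the `STARTTLS_FEATURE_FALLBACK` call a few lines below. The enclosing smtp_helo() body continues outside this hunk.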
@@ -863,12 +873,14 @@ static int smtp_start_tls(SMTP_STATE *state) * Large parameter lists are error-prone, so we emulate a language feature * that C does not have natively: named parameter lists. */ + if ((tls_level = session->tls->level) == TLS_LEV_DANE_ONLY) + tls_level = TLS_LEV_DANE; session->tls_context = TLS_CLIENT_START(&tls_props, ctx = smtp_tls_ctx, stream = session->stream, timeout = var_smtp_starttls_tmout, - tls_level = session->tls->level, + tls_level = tls_level, nexthop = session->tls_nexthop, host = STR(iter->host), namaddr = session->namaddrport, 
@@ -913,25 +925,21 @@ static int smtp_start_tls(SMTP_STATE *state) * result, abort the delivery here. We have a usable TLS session with the * server, so no need to disable I/O, ... we can even be polite and send * "QUIT". - * - * See src/tls/tls_level.c and src/tls/tls.h. Levels above "encrypt" require - * matching. Levels >= "dane" require CA or DNSSEC trust. - * - * When DANE TLSA records specify an end-entity certificate, the trust and - * match bits always coincide, but it is fine to report the wrong - * end-entity certificate as untrusted rather than unmatched. */ - if (TLS_MUST_TRUST(session->tls->level)) - if (!TLS_CERT_IS_TRUSTED(session->tls_context)) + if (TLS_MUST_TRUST(session->tls_level) + && !TLS_CERT_IS_TRUSTED(session->tls_context)) { + if (smtp_tls_trouble(state, STARTTLS_VERIFY_FALLBACK)) return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, SMTP_RESP_FAKE(&fake, "4.7.5"), "Server certificate not trusted")); - if (TLS_MUST_MATCH(session->tls->level)) - if (!TLS_CERT_IS_MATCHED(session->tls_context)) + } else if (TLS_MUST_MATCH(session->tls_level) + && !TLS_CERT_IS_MATCHED(session->tls_context)) { + /* Peer certificate not matched as it should be */ + if (smtp_tls_trouble(state, STARTTLS_VERIFY_FALLBACK)) return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, SMTP_RESP_FAKE(&fake, "4.7.5"), "Server certificate not verified")); - + } /* At this point there must not be any pending plaintext. */ vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH); @@ -1442,8 +1450,8 @@ static int smtp_loop(SMTP_STATE *state, NOCLOBBER int send_state, } /* - * Request SMTPUTF8 when the remote SMTP server supports - * SMTPUTF8 and the sender requested SMTPUTF8 support. + * Request SMTPUTF8 when the remote SMTP server supports SMTPUTF8 + * and the sender requested SMTPUTF8 support. * * If the sender requested SMTPUTF8 but the remote SMTP server does * not support SMTPUTF8, then we have already determined earlier 
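Review bot: The trust and match checks now read `session->tls_level`, while the same function, in the @@ -863 hunk a few lines earlier, still derives `tls_level` from `session->tls->level`; with two fields that can diverge once a fallback has been applied, a reader cannot tell which is authoritative at each point. A one-line comment at the first use, e.g. `/* session->tls_level is the level in effect for this connection; session->tls->level is the shared policy's configured level */`, would settle that — if that is indeed the distinction, since the smtp.h member comment only says "Actual tls level". The deleted paragraph explaining that levels above "encrypt" require matching and levels from "dane" up require trust was the only text that made the `TLS_MUST_TRUST`/`TLS_MUST_MATCH` ordering comprehensible, and the new `else if` makes that ordering load-bearing (a trust failure with a permitted fallback now skips the match check entirely); consider keeping a shortened version of it.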
@@ -2214,6 +2222,17 @@ int smtp_xfer(SMTP_STATE *state) */ result = smtp_loop(state, send_state, recv_state); + /* + * Optionally log the TLS session status. This provides an audit trail + * for both successful and failed deliveries. Failed deliveries should + * not escape auditing: they may in fact be successful deliveries to an + * impostor who steals copies of email by posing as a high-preference MX + * server that fakes a temporary error after end-of-data. + */ +#ifdef USE_TLS + smtp_tls_audit(request->queue_id, session); +#endif + if (result == 0 /* Just in case */ && vstream_ferror(session->stream) == 0 diff --git a/postfix/src/smtp/smtp_tls_audit.c b/postfix/src/smtp/smtp_tls_audit.c new file mode 100644 index 000000000..6c87120f6 --- /dev/null +++ b/postfix/src/smtp/smtp_tls_audit.c 
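Review bot: The audit call sits after `smtp_loop()` in smtp_xfer(), so it only runs for connections that reached the data-transfer stage; the comment above it says failed deliveries must not escape auditing, but deliveries rejected earlier by `smtp_site_fail()` in smtp_helo() or smtp_start_tls() (certificate not trusted or not verified with no permitted fallback, STARTTLS refused) never enter smtp_xfer() if those are invoked from smtp_connect.c as in the current code, and thus leave no audit record. If that gap is intended, the comment should say so, e.g. `/* Deliveries that fail before the data phase (handshake, verification) are reported by smtp_site_fail(); only the data phase is audited here. */`; otherwise a second call on the failure paths in smtp_connect.c is needed. smtp_xfer()'s body continues outside this hunk.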
@@ -0,0 +1,143 @@
+/*++
+/* NAME
+/* smtp_tls_audit 3
+/* SUMMARY
+/* report effective TLS policy
+/* SYNOPSIS
+/* #include "smtp.h"
+/*
+/* smtp_tls_audit(
+/* const char *queue_id,
+/* SMTP_SESSION *session)
+/* DESCRIPTION
+/* smtp_tls_audit() logs a record with TLS session properties
+/* as specified with the smtp_tls_audit_template configuration
+/* parameter.
+/*
+/* Arguments:
+/* .IP queue_id
+/* Mail delivery transaction identifier.
+/* .IP session
+/* Client-side SMTP/TLS session state.
+/* DIAGNOSTICS
+/* Unrecognized macro name in audit template.
+/* LICENSE
+/* .ad
+/* .fi
+/* The Secure Mailer license must be distributed with this software.
+/* AUTHOR(S)
+/* Viktor Dukhovni
+/*--*/
+
+#ifdef USE_TLS
+
+/* System library. */
+
+#include
+#include
+#include
+
+/* Utility library. */
+
+#include
+#include
+#include
+#include
+
+/* Global library. */
+
+#include
+
+/* Application-specific. */
+
+#include "smtp.h"
+
+ /*
+ * The mini symbol table name and keys used for expanding macros in smtp tls
+ * audit log entries.
+ */
+#define TLS_AUDIT_DICT_TABLE "tls_audit_template" /* table name */
+#define TLS_AUDIT_DICT_RELAY "relay" /* key */
+#define TLS_AUDIT_DICT_ALEVEL "level" /* key */
+#define TLS_AUDIT_DICT_PLEVEL "policy"/* key */
+#define TLS_AUDIT_DICT_STATUS "auth" /* key */
+#define TLS_AUDIT_DICT_PROTOCOL "protocol" /* key */
+#define TLS_AUDIT_DICT_CIPHER "cipher"/* key */
+#define TLS_AUDIT_DICT_CERT "cert_digest" /* key */
+#define TLS_AUDIT_DICT_SPKI "spki_digest" /* key */
+
+/* audit_lookup - macro parser call-back routine */
+
+static const char *audit_lookup(const char *key, int unused_mode, char *dict)
+{
+ const char *value = dict_lookup(dict, key);
+
+ if (value == 0)
+ msg_warn("%s: unknown TLS audit template macro name: \"%s\"",
+ SMTP_X(TLS_AUDIT_TEMPLATE), key);
+ return value;
+}
+
+/* expand_template - expand macros in the audit template */
+
+static int expand_template(char *template, VSTRING *result)
+{
+
+#define NO_SCAN_FILTER ((const char *) 0)
+ return mac_expand(result, template, MAC_EXP_FLAG_NONE, NO_SCAN_FILTER,
+ audit_lookup, TLS_AUDIT_DICT_TABLE);
+}
+
+/* smtp_tls_audit - log TLS audit trail */
+
+void smtp_tls_audit(const char *queue_id, SMTP_SESSION *session)
+{
+ SMTP_TLS_POLICY *tls = session->tls;
+ TLS_SESS_STATE *TLScontext = session->tls_context;
+ const char *policy_level;
+ const char *actual_level;
+ VSTRING *result = vstring_alloc(100);
+ int status;
+
+ if (!*var_smtp_tls_audit_template)
+ return;
+
+#ifndef TLS_AUDIT_NONE_POLICY
+ /* Do we log policy "none" and cleartext status when TLS is disabled? */
+ if (tls->policy_level <= TLS_LEV_NONE)
+ return;
+#endif
+
+ dict_update(TLS_AUDIT_DICT_TABLE, TLS_AUDIT_DICT_RELAY,
+ session->namaddrport);
+
+ actual_level = str_tls_level(session->tls_level);
+ policy_level = (session->tls_level == tls->policy_level) ? "" :
+ str_tls_level(tls->policy_level);
+ dict_update(TLS_AUDIT_DICT_TABLE, TLS_AUDIT_DICT_ALEVEL,
+ actual_level ?
actual_level : ""); + dict_update(TLS_AUDIT_DICT_TABLE, TLS_AUDIT_DICT_PLEVEL, + policy_level ? policy_level : ""); + + dict_update(TLS_AUDIT_DICT_TABLE, TLS_AUDIT_DICT_STATUS, + TLScontext == 0 ? "Cleartext" : + !TLS_CERT_IS_PRESENT(TLScontext) ? "Anonymous" : + TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" : + TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : + "Untrusted"); + dict_update(TLS_AUDIT_DICT_TABLE, TLS_AUDIT_DICT_PROTOCOL, + TLScontext == 0 ? "" : TLScontext->protocol); + dict_update(TLS_AUDIT_DICT_TABLE, TLS_AUDIT_DICT_CIPHER, + TLScontext == 0 ? "" : TLScontext->cipher_name); + dict_update(TLS_AUDIT_DICT_TABLE, TLS_AUDIT_DICT_CERT, + TLScontext == 0 ? "" : TLScontext->peer_cert_fprint); + dict_update(TLS_AUDIT_DICT_TABLE, TLS_AUDIT_DICT_SPKI, + TLScontext == 0 ? "" : TLScontext->peer_pkey_fprint); + + status = expand_template(var_smtp_tls_audit_template, result); + if (status == 0) + msg_info("%s: %s", queue_id, STR(result)); + vstring_free(result); +} + +#endif /* USE_TLS */ diff --git a/postfix/src/smtp/smtp_tls_policy.c b/postfix/src/smtp/smtp_tls_policy.c index 59118f2b3..bde1331d9 100644 --- a/postfix/src/smtp/smtp_tls_policy.c +++ b/postfix/src/smtp/smtp_tls_policy.c @@ -155,7 +155,7 @@ static const char *policy_name(int tls_level) } #define MARK_INVALID(why, levelp) do { \ - dsb_simple((why), "4.7.5", "client TLS configuration problem"); \ + dsb_simple((why), "4.7.0", "client TLS configuration problem"); \ *(levelp) = TLS_LEV_INVALID; } while (0) /* tls_site_lookup - look up per-site TLS security level */ 
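Review bot: `smtp_tls_audit()` allocates `VSTRING *result = vstring_alloc(100);` in its declarations and then returns early when `var_smtp_tls_audit_template` is empty or `tls->policy_level <= TLS_LEV_NONE`, leaking the VSTRING on every such delivery — and the empty template is the default, so every installation that does not enable auditing leaks once per message in a long-lived smtp(8) process. Move the allocation below the two guards: declare `VSTRING *result;` and add `result = vstring_alloc(100);` immediately before the first `dict_update()`. A smaller point: the record is logged only when `expand_template()` returns 0, so if `mac_expand()` flags an unknown macro name in its status (as `audit_lookup()`'s warning suggests it does), one typo in the template silently drops the entire audit trail apart from a per-delivery warning; logging the partially expanded result anyway, or rejecting the template once at startup, would keep the audit record from going missing.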
@@ -352,6 +352,37 @@ static void tls_policy_lookup_one(SMTP_TLS_POLICY *tls, int *site_level, } continue; } + /* Only one instance per policy. */ + if (!strcasecmp(name, "fallback")) { + int l; + + if (!TLS_MUST_MATCH(*site_level)) { + msg_warn("%s: attribute \"%s\" invalid at security level" + " \"%s\"", WHERE, name, policy_name(*site_level)); + continue; + } + if (tls->fallback_level != TLS_LEV_NOTFOUND) { + msg_warn("%s: attribute \"%s\" is specified multiple times", + WHERE, name); + continue; + } + if (*val == 0) { + msg_warn("%s: attribute \"%s\" has empty value", WHERE, name); + continue; + } + switch (l = tls_level_lookup(val)) { + case TLS_LEV_NONE: + case TLS_LEV_MAY: + case TLS_LEV_ENCRYPT: + tls->fallback_level = l; + break; + default: + msg_warn("%s: attribute \"%s\" invalid fallback level: \"%s\"", + WHERE, name, val); + break; + } + continue; + } msg_warn("%s: invalid attribute name: \"%s\"", WHERE, name); INVALID_RETURN(tls->why, site_level); } @@ -433,6 +464,7 @@ static void set_cipher_grade(SMTP_TLS_POLICY *tls) break; case TLS_LEV_DANE: + case TLS_LEV_DANE_ONLY: case TLS_LEV_FPRINT: case TLS_LEV_VERIFY: case TLS_LEV_SECURE: 
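Review bot: In the new `fallback` attribute block, a value that is not none/may/encrypt only logs a warning and leaves `tls->fallback_level` at TLS_LEV_NOTFOUND (the duplicate check above guarantees that is still its value), so the policy stays usable with no fallback; that is the fail-closed outcome, but it differs from the `invalid attribute name` path just below, which marks the whole policy invalid, and nothing in the code says the leniency is intended. A one-line comment on the `default:` arm, `/* Bad value: keep "no fallback" (fail closed); the policy itself stays usable. */`, would pin that down. The `/* Only one instance per policy. */` comment also sits above the security-level check rather than above the `if (tls->fallback_level != TLS_LEV_NOTFOUND)` test it describes. tls_policy_lookup_one begins and ends outside this hunk.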
@@ -462,6 +494,49 @@ static void set_cipher_grade(SMTP_TLS_POLICY *tls) ADD_EXCLUDE(tls->exclusions, also_exclude); } +static int global_fallback(SMTP_TLS_POLICY *tls) +{ + static int l = TLS_LEV_NOTFOUND; + const char *lname = str_tls_level(tls->level); + const char *err; + char *saved; + char *fback; + char *tok; + char *name; + char *val; + + /* + * Silently ignore any spurious fallback setting for unauthenticated TLS. + */ + if (!*var_smtp_tls_fback_level || tls->level <= TLS_LEV_ENCRYPT) + return l; + + saved = fback = mystrdup(var_smtp_tls_fback_level); + while ((tok = mystrtok(&fback, "\t\n\r ,")) != 0) { + if ((err = split_nameval(tok, &name, &val)) != 0) { + msg_warn("malformed %s: \"%s\": %s", SMTP_X(TLS_FBACK_LEVEL), + saved, err); + l = TLS_LEV_NOTFOUND; + break; + } + if (strcmp(name, lname) == 0) { + switch (l = tls_level_lookup(val)) { + case TLS_LEV_MAY: + case TLS_LEV_ENCRYPT: + break; + default: + msg_warn("%s: bad fallback mapping: %s=%s", + SMTP_X(TLS_FBACK_LEVEL), name, val); + l = TLS_LEV_NOTFOUND; + break; + } + break; + } + } + myfree(saved); + return (l); +} + /* policy_create - create SMTP TLS policy cache object (ctable call-back) */ static void *policy_create(const char *unused_key, void *context) 
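Review bot: `static int l = TLS_LEV_NOTFOUND;` in global_fallback makes the result persist across calls, so a later policy whose level has no entry in smtp_tls_fallback_level (the loop finds no matching `name`) returns whatever the previous call computed, and the early `return l;` for unauthenticated levels does the same; a stale "may" left over from another level would then be adopted by policy_create as this level's fallback, which is a cleartext downgrade the administrator never configured for an "encrypt" or "dane" policy. Drop the static and make the early return explicit: `int l = TLS_LEV_NOTFOUND;` and `return (TLS_LEV_NOTFOUND);`. Since the function never returns TLS_LEV_INVALID (bad mappings are logged and turned into TLS_LEV_NOTFOUND), the `== TLS_LEV_INVALID` test at the call site in the next hunk cannot fire and could become a plain assignment. If the static was meant as a per-process cache it does not serve that purpose either, because the parameter is re-parsed on every call.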
@@ -522,6 +597,19 @@ static void *policy_create(const char *unused_key, void *context) return ((void *) tls); } + /* + * Save level as policy level (may be downgraded by early fallback, and + * compute fallback level if not specified per-site. If site fallback + * level is "none", replace with "notfound", otherwise if no site + * fallback level, use the global value. + */ + tls->policy_level = tls->level; + if (tls->fallback_level == TLS_LEV_NONE) + tls->fallback_level = TLS_LEV_NOTFOUND; + else if (tls->fallback_level == TLS_LEV_NOTFOUND + && (tls->fallback_level = global_fallback(tls)) == TLS_LEV_INVALID) + tls->fallback_level = TLS_LEV_NOTFOUND; + /* * DANE initialization may change the security level to something else, * so do this early, so that we use the right level below. Note that @@ -557,6 +645,7 @@ static void *policy_create(const char *unused_key, void *context) case TLS_LEV_MAY: case TLS_LEV_ENCRYPT: case TLS_LEV_DANE: + case TLS_LEV_DANE_ONLY: break; case TLS_LEV_FPRINT: if (tls->dane == 0) 
@@ -707,29 +796,49 @@ static int global_tls_level(void) #define NONDANE_CONFIG 0 /* Administrator's fault */ #define NONDANE_DEST 1 /* Remote server's fault */ #define DANE_UNUSABLE 2 /* Remote server's fault */ +#define TLSA_LOOKUP_ERR 3 /* DNS lookup failed */ -static void PRINTFLIKE(4, 5) dane_incompat(SMTP_TLS_POLICY *tls, - SMTP_ITERATOR *iter, +static void PRINTFLIKE(3, 4) dane_incompat(SMTP_TLS_POLICY *tls, int errtype, const char *fmt,...) { va_list ap; va_start(ap, fmt); - if (tls->level == TLS_LEV_DANE) { - tls->level = (errtype == DANE_UNUSABLE) ? TLS_LEV_ENCRYPT : TLS_LEV_MAY; + + /* + * TLSA lookup errors are potential downgrade attacks, since they can + * hide the presence of usable TLSA RRs, we must fail or fallback, not + * downgrade to encryption-only or opportunistic TLS as with unusable or + * absent TLSA records. + */ + if (tls->level == TLS_LEV_DANE && errtype != TLSA_LOOKUP_ERR) { + if (errtype == DANE_UNUSABLE) { + + /* + * When TLSA are present, but none are usable, "dane" clients are + * expected to perform mandatory unauthenticated TLS. If the + * "dane" the fallback level is "may", we enable fallback to + * cleartext (with the appropriate warnings). + */ + tls->level = TLS_LEV_ENCRYPT; + if (tls->fallback_level != TLS_LEV_MAY) + tls->fallback_level = TLS_LEV_NOTFOUND; + } else { + tls->level = TLS_LEV_MAY; + tls->fallback_level = TLS_LEV_NOTFOUND; + } if (errtype == NONDANE_CONFIG) vmsg_warn(fmt, ap); else if (msg_verbose) vmsg_info(fmt, ap); - } else { /* dane-only */ - if (errtype == NONDANE_CONFIG) { - vmsg_warn(fmt, ap); + } else { + vmsg_warn(fmt, ap); + if (errtype == NONDANE_CONFIG + || tls->fallback_level == TLS_LEV_NOTFOUND) MARK_INVALID(tls->why, &tls->level); - } else { - tls->level = TLS_LEV_INVALID; - vdsb_simple(tls->why, "4.7.5", fmt, ap); - } + else + tls->level = tls->fallback_level; } va_end(ap); } 
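Review bot: In the new `else` branch of dane_incompat, `tls->level = tls->fallback_level;` is reached for a TLSA lookup error when a fallback is configured, but the only log output is `vmsg_warn(fmt, ap)`, which per the call sites in the later hunks reports the lookup error and not that delivery is continuing at a weaker level; the comment above this block says exactly why that case matters. Log the chosen level there, e.g. `msg_warn("falling back to TLS level \"%s\"", str_tls_level(tls->level));` after the assignment, so a log reader can tell a deferred delivery from a downgraded one. The comment in the DANE_UNUSABLE branch, `If the "dane" the fallback level is "may"`, has a stray word and presumably means `If the "dane" fallback level is "may"`.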
@@ -747,14 +856,14 @@ static void dane_init(SMTP_TLS_POLICY *tls, SMTP_ITERATOR *iter) return; } if (!tls_dane_avail()) { - dane_incompat(tls, iter, NONDANE_CONFIG, + dane_incompat(tls, NONDANE_CONFIG, "%s: %s configured, but no requisite library support", STR(iter->dest), policy_name(tls->level)); return; } if (!(smtp_host_lookup_mask & SMTP_HOST_FLAG_DNS) || smtp_dns_support != SMTP_DNS_DNSSEC) { - dane_incompat(tls, iter, NONDANE_CONFIG, + dane_incompat(tls, NONDANE_CONFIG, "%s: %s configured with dnssec lookups disabled", STR(iter->dest), policy_name(tls->level)); return; @@ -766,7 +875,7 @@ static void dane_init(SMTP_TLS_POLICY *tls, SMTP_ITERATOR *iter) * key material. */ if (smtp_mode && var_ign_mx_lookup_err) { - dane_incompat(tls, iter, NONDANE_CONFIG, + dane_incompat(tls, NONDANE_CONFIG, "%s: %s configured with MX lookup errors ignored", STR(iter->dest), policy_name(tls->level)); return; 
@@ -779,45 +888,48 @@ static void dane_init(SMTP_TLS_POLICY *tls, SMTP_ITERATOR *iter) * to certificate name checks, ... */ if (smtp_dns_res_opt & (RES_DEFNAMES | RES_DNSRCH)) { - dane_incompat(tls, iter, NONDANE_CONFIG, + dane_incompat(tls, NONDANE_CONFIG, "%s: dns resolver options incompatible with %s TLS", STR(iter->dest), policy_name(tls->level)); return; } /* When the MX name is present and insecure, DANE does not apply. */ if (iter->mx && !iter->mx->dnssec_valid) { - dane_incompat(tls, iter, NONDANE_DEST, "non DNSSEC destination"); - return; - } - /* When TLSA lookups fail, we defer the message */ - if ((dane = tls_dane_resolve(iter->port, "tcp", iter->rr, - var_smtp_tls_force_tlsa)) == 0) { - tls->level = TLS_LEV_INVALID; - dsb_simple(tls->why, "4.7.5", "TLSA lookup error for %s:%u", - STR(iter->host), ntohs(iter->port)); - return; - } - if (tls_dane_notfound(dane)) { - dane_incompat(tls, iter, NONDANE_DEST, "no TLSA records found"); - tls_dane_free(dane); + dane_incompat(tls, NONDANE_DEST, "%s: non-DNSSEC destination", + STR(iter->dest)); return; } /* - * Some TLSA records found, but none usable, per - * - * https://tools.ietf.org/html/draft-ietf-dane-srv-02#section-4 - * - * we MUST use TLS, and SHALL use full PKIX certificate checks. The latter - * would be unwise for SMTP: no human present to "click ok" and risk of - * non-delivery in most cases exceeds risk of interception. - * - * We also have a form of Goedel's incompleteness theorem in play: any list - * of public root CA certs is either incomplete or inconsistent (for any - * given verifier some of the CAs are surely not trustworthy). + * When TLSA lookups fail, as with dane-only, we fall back or defer the + * message, the level will be set to either the fallback level or + * "invalid". 
+ */ + if ((dane = tls_dane_resolve(iter->port, "tcp", iter->rr, + var_smtp_tls_force_tlsa)) == 0) { + dane_incompat(tls, TLSA_LOOKUP_ERR, + "%s:%u: DANE TLSA lookup error", + STR(iter->host), ntohs(iter->port)); + return; + } + if (tls_dane_notfound(dane)) { + dane_incompat(tls, NONDANE_DEST, + "%s:%u: no DANE TLSA records found", + STR(iter->host), ntohs(iter->port)); + tls_dane_free(dane); + return; + } + /*- + * Some TLSA records found, but none usable, per: + * + * https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane + * + * we MUST use TLS. */ if (tls_dane_unusable(dane)) { - dane_incompat(tls, iter, DANE_UNUSABLE, "TLSA records unusable"); + dane_incompat(tls, DANE_UNUSABLE, + "%s:%u: all DANE TLSA records unusable", + STR(iter->host), ntohs(iter->port)); tls_dane_free(dane); return; } @@ -838,7 +950,6 @@ static void dane_init(SMTP_TLS_POLICY *tls, SMTP_ITERATOR *iter) } else if (!TLS_DANE_HASEE(dane)) msg_panic("empty DANE match list"); tls->dane = dane; - tls->level = TLS_LEV_DANE; return; } diff --git a/postfix/src/smtp/smtp_trouble.c b/postfix/src/smtp/smtp_trouble.c index 2262e6cf0..ce40e8119 100644 --- a/postfix/src/smtp/smtp_trouble.c +++ b/postfix/src/smtp/smtp_trouble.c @@ -32,6 +32,10 @@ /* SMTP_STATE *state; /* int exception; /* const char *description; +/* +/* int smtp_tls_trouble(state, protocol_stage) +/* SMTP_STATE *state; +/* int protocol_stage; /* DESCRIPTION /* This module handles all non-fatal errors that can happen while /* attempting to deliver mail via SMTP, and implements the policy 
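Review bot: The `tls_dane_notfound(dane)` branch downgrades a "dane" policy via NONDANE_DEST, while the `tls_dane_resolve(...) == 0` branch just above is treated as a possible attack (TLSA_LOOKUP_ERR), and nothing in the hunk says what guarantees that "not found" is an authenticated denial of existence rather than an unvalidated answer; that distinction is the security boundary of this change. Presumably tls_dane_resolve only reports "not found" for DNSSEC-validated responses; if so, a comment above `if (tls_dane_notfound(dane))` such as `/* Validated absence of TLSA RRs (not a lookup failure): DANE does not apply. */` should say it, and if not, this branch would let a spoofed negative answer turn DANE into opportunistic TLS. dane_init begins outside this hunk.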
@@ -105,6 +109,13 @@ /* The session is marked as "do not cache". /* The result is non-zero. /* +/* smtp_tls_trouble() handles failure to establish a TLS connection or +/* else failure to authenticate the peer. The protocol_stage argument +/* indicates what TLS problem was detected. The return value is 0 when +/* TLS is not required or a fallback strategy allows delivery to continue. +/* When a non-zero value is returned delivery must not continue via the +/* current SMTP server. All relevant warnings are logged. +/* /* Arguments: /* .IP state /* SMTP client state per delivery request. 
@@ -467,3 +478,71 @@ int smtp_stream_except(SMTP_STATE *state, int code, const char *description)
 */
 return (smtp_bulk_fail(state, SMTP_THROTTLE));
 }
+
+#ifdef USE_TLS
+
+/* smtp_tls_trouble - Fail or fall back when TLS state is not satisfactory. */
+
+int smtp_tls_trouble(SMTP_STATE *state, int protocol_stage)
+{
+ SMTP_SESSION *session = state->session;
+ SMTP_TLS_POLICY *tls = session->tls;
+
+ /* Handle non-recoverable cases */
+ switch (protocol_stage) {
+ case STARTTLS_VERIFY_FALLBACK:
+ if (tls->fallback_level == TLS_LEV_NOTFOUND)
+ return (-1);
+ break;
+ case STARTTLS_FEATURE_FALLBACK:
+ /* No recovery when skipping STARTTLS due to local problems */
+ if (session->features & SMTP_FEATURE_STARTTLS)
+ return (-1);
+ /* FALLTHROUGH */
+ case STARTTLS_COMMAND_FALLBACK:
+ case STARTTLS_HANDSHAKE_FALLBACK:
+ case STARTTLS_SESSION_FALLBACK:
+ if (TLS_REQUIRED(session->tls_level)
+ && tls->fallback_level != TLS_LEV_MAY)
+ return (-1);
+ break;
+ default:
+ msg_panic("Unexpected TLS failure stage: %d", protocol_stage);
+ }
+
+ /* Log appropriate warning and perform fallback */
+ switch (protocol_stage) {
+ case STARTTLS_FEATURE_FALLBACK:
+ msg_warn("%s: cleartext fallback, host did not offer STARTTLS",
+ session->namaddrport);
+ break;
+
+ case STARTTLS_COMMAND_FALLBACK:
+ msg_warn("%s: cleartext fallback, host refused to start TLS",
+ session->namaddrport);
+ break;
+
+ case STARTTLS_HANDSHAKE_FALLBACK:
+ msg_warn("%s: cleartext fallback, TLS handshake failed",
+ session->namaddrport);
+ break;
+
+ case STARTTLS_SESSION_FALLBACK:
+ msg_warn("%s: cleartext fallback, post-handshake TLS failure",
+ session->namaddrport);
+ break;
+
+ case STARTTLS_VERIFY_FALLBACK:
+ msg_warn("%s: fallback to unathenticated TLS: %s",
+ session->namaddrport,
+ TLS_CERT_IS_TRUSTED(session->tls_context) ?
+ "Server certificate failed verification" :
+ "Server certificate not trusted");
+ break;
+ }
+
+ session->tls_level = tls->fallback_level;
+ return (0);
+}
+
+#endif
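Review bot: The STARTTLS_VERIFY_FALLBACK warning misspells its runtime message: `msg_warn("%s: fallback to unathenticated TLS: %s",` should read `msg_warn("%s: fallback to unauthenticated TLS: %s",`; this is the text operators will search the logs for when auditing downgrades, so it is worth fixing before it ships. The second `switch (protocol_stage)` has no `default:` arm; the first switch already panics on an unknown stage, but a `default: msg_panic("Unexpected TLS failure stage: %d", protocol_stage);` there, or a comment saying the first switch guards the second, keeps the two in step when a stage is added later. The function header comment could also state that the routine only changes `session->tls_level` and that the caller decides whether the current connection is still usable after a failed handshake.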
diff --git a/postfix/src/tls/tls.h b/postfix/src/tls/tls.h index 5b4851d39..664faec46 100644 --- a/postfix/src/tls/tls.h +++ b/postfix/src/tls/tls.h @@ -266,7 +266,6 @@ extern int tls_log_mask(const char *, const char *); #define TLS_LOG_DEBUG (1<<7) #define TLS_LOG_TLSPKTS (1<<8) #define TLS_LOG_ALLPKTS (1<<9) -#define TLS_LOG_SESSTKT (1<<10) /* * Client and Server application contexts diff --git a/postfix/src/util/mac_expand.c b/postfix/src/util/mac_expand.c index 8c6f6bb31..f1142d889 100644 --- a/postfix/src/util/mac_expand.c +++ b/postfix/src/util/mac_expand.c @@ -50,7 +50,7 @@ /* .IP MAC_EXP_FLAG_APPEND /* Append text to the result buffer without truncating it. /* .IP MAC_EXP_FLAG_SCAN -/* Invoke the call-back function each macro name in the input +/* Invoke the call-back function for each macro name in the input /* string, including macro names in the values of conditional /* expressions. Do not expand macros, and do not write to the /* result argument. @@ -218,7 +218,6 @@ static int mac_expand_callback(int type, VSTRING *buf, char *ptr) else if ((mc->flags & MAC_EXP_FLAG_SCAN) == 0) { vstring_strcat(mc->result, vstring_str(buf)); } - mc->level--; return (mc->status); diff --git a/postfix/src/xsasl/xsasl_dovecot_server.c b/postfix/src/xsasl/xsasl_dovecot_server.c index 6c75dc9c1..3d6a2d926 100644 --- a/postfix/src/xsasl/xsasl_dovecot_server.c +++ b/postfix/src/xsasl/xsasl_dovecot_server.c @@ -254,7 +254,7 @@ static int xsasl_dovecot_server_connect(XSASL_DOVECOT_SERVER_IMPL *xp) VSTREAM *sasl_stream; char *line, *cmd, *mech_name; unsigned int major_version, minor_version; - int fd, success; + int fd, success, have_mech_line; int sec_props; const char *path; @@ -294,6 +294,7 @@ static int xsasl_dovecot_server_connect(XSASL_DOVECOT_SERVER_IMPL *xp) return (-1); } success = 0; + have_mech_line = 0; line_str = vstring_alloc(256); /* XXX Encapsulate for logging. */ while (vstring_get_nonl(line_str, sasl_stream) != VSTREAM_EOF) { 
@@ -318,6 +319,7 @@ static int xsasl_dovecot_server_connect(XSASL_DOVECOT_SERVER_IMPL *xp) } } else if (strcmp(cmd, "MECH") == 0 && line != NULL) { mech_name = line; + have_mech_line = 1; line = split_at(line, '\t'); if (line != 0) { sec_props = @@ -331,6 +333,22 @@ static int xsasl_dovecot_server_connect(XSASL_DOVECOT_SERVER_IMPL *xp) sec_props = 0; xsasl_dovecot_server_mech_append(&xp->mechanism_list, mech_name, sec_props); + } else if (strcmp(cmd, "SPID") == 0) { + + /* + * Unfortunately the auth protocol handshake wasn't designed well + * to differentiate between auth-client/userdb/master. + * auth-userdb and auth-master send VERSION + SPID lines only and + * nothing afterwards, while auth-client sends VERSION + MECH + + * SPID + CUID + more. The simplest way that we can determine if + * we've connected to the correct socket is to see if MECH line + * exists or not (alternatively we'd have to have a small timeout + * after SPID to see if CUID is sent or not). + */ + if (!have_mech_line) { + msg_warn("SASL: Connected to wrong auth socket (auth-master instead of auth-client)"); + break; + } } else if (strcmp(cmd, "DONE") == 0) { /* Handshake finished. */ success = 1; @@ -400,7 +418,7 @@ static XSASL_SERVER *xsasl_dovecot_server_create(XSASL_SERVER_IMPL *impl, const char *myname = "xsasl_dovecot_server_create"; XSASL_DOVECOT_SERVER *server; struct sockaddr_storage ss; - struct sockaddr *sa = (struct sockaddr *) & ss; + struct sockaddr *sa = (struct sockaddr *) &ss; SOCKADDR_SIZE salen; MAI_HOSTADDR_STR server_addr;
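Review bot: The new SPID check in xsasl_dovecot_server_connect warns with `"SASL: Connected to wrong auth socket (auth-master instead of auth-client)"`, but the comment above it says both auth-userdb and auth-master produce this handshake, so the message points operators at only one of the two likely misconfigurations; `"SASL: Connected to wrong auth socket (auth-master/auth-userdb instead of auth-client)"` would match the comment. After the `break`, the loop exits with `success` still 0 (it is set just before the loop in the previous hunk), so presumably the normal failure path runs, but the stream cleanup is outside this hunk and should be checked. xsasl_dovecot_server_connect begins and ends outside this hunk.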