postfix-2.12-20140223

postfix/HISTORY

@@ -19559,14 +19559,32 @@ Apologies for any names omitted.
 
 	Workaround: require that a queue file is older than
 	$minimal_backoff_time, before falling back from failed TLS
-	(both during or after the TLS handshake) to plaintext
-	delivery.  Viktor Dukhovni. Files: smtp/smtp.h, smtp/smtp.c,
+	to plaintext (both during or after the TLS handshake).
+	Viktor Dukhovni. Files: smtp/smtp.h, smtp/smtp.c,
 	smtp/lmtp_params.c, smtp/smtp_params.c.
 
-20140219
+20140220
 
-	Workaround: disable the fallback to plaintext when all
-	recipients have already been bounced or deferred. This
-	happens for example when TLS breaks after the TLS handshake
-	while talking to the "final" SMTP server.  Wietse and Viktor.
-	Files: smtp/smtp.h.
+	Workaround: in case "minimal_backoff_time = $queue_run_delay".
+	Files: smtp/smtp.c, smtp/smtp_params.c, smtp/lmtp_params.c.
+
+	Cleanup: consolidate the code to log the start of a new
+	mail transaction in one place, so that code can easily be
+	added to log TLS status information in addition to the
+	existing client and SASL status information. Files:
+	smtpd/smtpd_sasl_proto.h, smtpd/smtpd_sasl_proto.c,
+	smtpd/smtpd.c.
+
+20140223
+
+	Workaround: when a session breaks after the TLS handshake,
+	do not fall back from TLS to plaintext when all recipients
+	were deferred or rejected during the TLS phase. Files:
+	smtp/smtp.h, smtp/smtp_rcpt.c.
+
+	Logging: the TLS client logged that an "Untrusted" TLS
+	connection was established instead of "Anonymous".
+	Viktor Dukhovni. File: tls/tls_client.c.
+
+	Documentation: new self-signed certificate example and
+	updated private CA example. File: proto/TLS_README.html.

postfix/README_FILES/TLS_README

@@ -2011,12 +2011,37 @@ key certificates of remote hosts.
 In the examples below, user input is shown in bboolldd font, and a "#" prompt
 indicates a super-user shell.
 
-  * Become your own Certificate Authority, so that you can sign your own public
-    keys. This example uses the CA.pl script that ships with OpenSSL. On some
-    systems, OpenSSL installs this as /usr/local/ssl/misc/CA.pl. Some systems
-    install this as part of a package named openssl-perl or something similar.
-    The script creates a private key in ./demoCA/private/cakey.pem and a public
-    key in ./demoCA/cacert.pem.
+  * Self-signed server certificate.
+
+  * Private Certificate Authority.
+
+SSeellff--ssiiggnneedd sseerrvveerr cceerrttiiffiiccaattee
+
+The following commands (credits: Viktor Dukhovni) generate and install a
+private key and 10-year self-signed certificate for the local Postfix system.
+This requires super-user privileges.
+
+    # dir="$(postconf -h config_directory)"
+    # fqdn=$(postconf -h myhostname)
+    # ymd=$(date +%Y-%m-%d)
+    # key="${dir}/key-${ymd}.pem"; rm -f "${key}"
+    # cert="${dir}/cert-${ymd}.pem"; rm -f "${cert}"
+    # (umask 077; openssl genrsa -out "${key}" 2048) &&
+      openssl req -new -key "${key}" \
+        -x509 -subj "/CN=${fqdn}" -days 3650 -out "${cert}" &&
+      postconf -e \
+        "smtpd_tls_cert_file = ${cert}" \
+        "smtpd_tls_key_file = ${key}"
+
+PPrriivvaattee CCeerrttiiffiiccaattee AAuutthhoorriittyy
+
+  * Become your own Certificate Authority, so that you can sign your own
+    certificates, and so that your own systems can authenticate certificates
+    from your own CA. This example uses the CA.pl script that ships with
+    OpenSSL. On some systems, OpenSSL installs this as /usr/local/openssl/misc/
+    CA.pl. Some systems install this as part of a package named openssl-perl or
+    something similar. The script creates a private key in ./demoCA/private/
+    cakey.pem and a public key in ./demoCA/cacert.pem.
 
         % //uussrr//llooccaall//ssssll//mmiisscc//CCAA..ppll --nneewwccaa
         CA certificate filename (or enter to create)
@@ -2032,8 +2057,7 @@ indicates a super-user shell.
   * Create an unpassworded private key for host foo.porcupine.org and create an
     unsigned public key certificate.
 
-        % ooppeennssssll rreeqq --nneeww --nnooddeess --kkeeyyoouutt ffoooo--kkeeyy..ppeemm --oouutt ffoooo--rreeqq..ppeemm --ddaayyss
-        336655
+        % ooppeennssssll rreeqq --nneeww --nnooddeess --kkeeyyoouutt ffoooo--kkeeyy..ppeemm --oouutt ffoooo--rreeqq..ppeemm
         Using configuration from /etc/ssl/openssl.cnf
         Generating a 1024 bit RSA private key
         ........................................++++++
@@ -2065,7 +2089,7 @@ indicates a super-user shell.
   * Sign the public key certificate for host foo.porcupine.org with the
     Certification Authority private key that we created a few steps ago.
 
-        % ooppeennssssll ccaa --oouutt ffoooo--cceerrtt..ppeemm --iinnffiilleess ffoooo--rreeqq..ppeemm
+        % ooppeennssssll ccaa --oouutt ffoooo--cceerrtt..ppeemm --ddaayyss 336655 --iinnffiilleess ffoooo--rreeqq..ppeemm
         Using configuration from /etc/ssl/openssl.cnf
         Enter PEM pass phrase:wwhhaatteevveerr
         Check that the request matches the signature
@@ -2089,6 +2113,10 @@ indicates a super-user shell.
     Certification Authority certificate files. This requires super-user
     privileges.
 
+    The following commands assume that the key and certificate will be
+    installed for the local Postfix MTA. You will need to adjust the commands
+    if the Postfix MTA is on a different host.
+
         # ccpp ddeemmooCCAA//ccaacceerrtt..ppeemm ffoooo--kkeeyy..ppeemm ffoooo--cceerrtt..ppeemm //eettcc//ppoossttffiixx
         # cchhmmoodd 664444 //eettcc//ppoossttffiixx//ffoooo--cceerrtt..ppeemm //eettcc//ppoossttffiixx//ccaacceerrtt..ppeemm
         # cchhmmoodd 440000 //eettcc//ppoossttffiixx//ffoooo--kkeeyy..ppeemm

postfix/html/TLS_README.html

@@ -2635,10 +2635,44 @@ font, and a "<tt>#</tt>" prompt indicates a super-user shell. </p>
 
 <ul>
 
+<li> <p> <a name="#self-signed">Self-signed server certificate</a>.</p>
+
+<li> <p> <a name="#private-ca">Private Certificate Authority</a>. </p>
+
+</ul>
+
+<h3><a name="self-signed">Self-signed server certificate</a></h3>
+
+<p> The following commands (credits: Viktor Dukhovni) generate
+and install a private key and 10-year self-signed certificate for
+the local Postfix system. This requires super-user privileges. </p>
+
+<blockquote>
+<pre>
+# dir="$(postconf -h <a href="postconf.5.html#config_directory">config_directory</a>)"
+# fqdn=$(postconf -h <a href="postconf.5.html#myhostname">myhostname</a>)
+# ymd=$(date +%Y-%m-%d)
+# key="${dir}/key-${ymd}.pem"; rm -f "${key}"
+# cert="${dir}/cert-${ymd}.pem"; rm -f "${cert}"
+# (umask 077; openssl genrsa -out "${key}" 2048) &&
+  openssl req -new -key "${key}" \
+    -x509 -subj "/CN=${fqdn}" -days 3650 -out "${cert}" &&
+  postconf -e \
+    "<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> = ${cert}" \
+    "<a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a> = ${key}"
+</pre>
+</blockquote>
+
+<h3><a name="private-ca">Private Certificate Authority</a></h3>
+
+<ul>
+
 <li> <p> Become your own Certificate Authority, so that you can
-sign your own public keys. This example uses the CA.pl script that
-ships with OpenSSL.  On some systems, OpenSSL installs this as
-<tt>/usr/local/ssl/misc/CA.pl</tt>. Some systems install this as
+sign your own certificates, and so that your own systems can
+authenticate certificates from your own CA. This example uses the
+CA.pl script that ships with OpenSSL.  On some systems, OpenSSL
+installs this as <tt>/usr/local/openssl/misc/CA.pl</tt>. Some systems
+install this as
 part of a package named <tt>openssl-perl</tt> or something similar.
 The script creates a private key in <tt>./demoCA/private/cakey.pem</tt>
 and a public key in <tt>./demoCA/cacert.pem</tt>.</p>
@@ -2663,7 +2697,7 @@ an unsigned public key certificate. </p>
 
 <blockquote>
 <pre>
-% <b>openssl req -new -nodes -keyout foo-key.pem -out foo-req.pem -days 365</b>
+% <b>openssl req -new -nodes -keyout foo-key.pem -out foo-req.pem</b>
 Using configuration from /etc/ssl/openssl.cnf
 Generating a 1024 bit RSA private key
 ........................................++++++
@@ -2698,7 +2732,7 @@ steps ago. </p>
 
 <blockquote>
 <pre>
-% <b>openssl ca -out foo-cert.pem -infiles foo-req.pem</b>
+% <b>openssl ca -out foo-cert.pem -days 365 -infiles foo-req.pem</b>
 Using configuration from /etc/ssl/openssl.cnf
 Enter PEM pass phrase:<b>whatever</b>
 Check that the request matches the signature
@@ -2724,6 +2758,10 @@ Data Base Updated
 and the Certification Authority certificate files.  This requires
 super-user privileges. </p>
 
+<p> The following commands assume that the key and certificate will
+be installed for the local Postfix MTA. You will need to adjust the
+commands if the Postfix MTA is on a different host. </p>
+
 <blockquote>
 <pre>
 # <b>cp demoCA/cacert.pem foo-key.pem foo-cert.pem /etc/postfix</b>

postfix/html/lmtp.8.html

@@ -219,9 +219,10 @@ SMTP(8)                                                                SMTP(8)
        Available in Postfix version 2.2.9 and later:
 
        <b><a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a> (version dependent)</b>
-              Allow DNS CNAME records to  override  the  servername  that  the
-              Postfix  SMTP client uses for logging, SASL password lookup, TLS
-              policy decisions, or TLS certificate verification.
+              When the remote SMTP servername is  a  DNS  CNAME,  replace  the
+              servername  with the result from CNAME expansion for the purpose
+              of logging, SASL password lookup, TLS policy decisions,  or  TLS
+              certificate verification.
 
        Available in Postfix version 2.3 and later:
 

postfix/html/smtp.8.html

@@ -219,9 +219,10 @@ SMTP(8)                                                                SMTP(8)
        Available in Postfix version 2.2.9 and later:
 
        <b><a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a> (version dependent)</b>
-              Allow DNS CNAME records to  override  the  servername  that  the
-              Postfix  SMTP client uses for logging, SASL password lookup, TLS
-              policy decisions, or TLS certificate verification.
+              When the remote SMTP servername is  a  DNS  CNAME,  replace  the
+              servername  with the result from CNAME expansion for the purpose
+              of logging, SASL password lookup, TLS policy decisions,  or  TLS
+              certificate verification.
 
        Available in Postfix version 2.3 and later:
 

postfix/man/man8/smtp.8

@@ -217,8 +217,9 @@ a globally valid address when sending mail across the Internet.
 .PP
 Available in Postfix version 2.2.9 and later:
 .IP "\fBsmtp_cname_overrides_servername (version dependent)\fR"
-Allow DNS CNAME records to override the servername that the
-Postfix SMTP client uses for logging, SASL password lookup, TLS
+When the remote SMTP servername is a DNS CNAME, replace the
+servername with the result from CNAME expansion for the purpose of
+logging, SASL password lookup, TLS
 policy decisions, or TLS certificate verification.
 .PP
 Available in Postfix version 2.3 and later:

postfix/proto/TLS_README.html

@@ -2635,10 +2635,44 @@ font, and a "<tt>#</tt>" prompt indicates a super-user shell. </p>
 
 <ul>
 
+<li> <p> <a name="#self-signed">Self-signed server certificate</a>.</p>
+
+<li> <p> <a name="#private-ca">Private Certificate Authority</a>. </p>
+
+</ul>
+
+<h3><a name="self-signed">Self-signed server certificate</a></h3>
+
+<p> The following commands (credits: Viktor Dukhovni) generate
+and install a private key and 10-year self-signed certificate for
+the local Postfix system. This requires super-user privileges. </p>
+
+<blockquote>
+<pre>
+# dir="$(postconf -h config_directory)"
+# fqdn=$(postconf -h myhostname)
+# ymd=$(date +%Y-%m-%d)
+# key="${dir}/key-${ymd}.pem"; rm -f "${key}"
+# cert="${dir}/cert-${ymd}.pem"; rm -f "${cert}"
+# (umask 077; openssl genrsa -out "${key}" 2048) &&
+  openssl req -new -key "${key}" \
+    -x509 -subj "/CN=${fqdn}" -days 3650 -out "${cert}" &&
+  postconf -e \
+    "smtpd_tls_cert_file = ${cert}" \
+    "smtpd_tls_key_file = ${key}"
+</pre>
+</blockquote>
+
+<h3><a name="private-ca">Private Certificate Authority</a></h3>
+
+<ul>
+
 <li> <p> Become your own Certificate Authority, so that you can
-sign your own public keys. This example uses the CA.pl script that
-ships with OpenSSL.  On some systems, OpenSSL installs this as
-<tt>/usr/local/ssl/misc/CA.pl</tt>. Some systems install this as
+sign your own certificates, and so that your own systems can
+authenticate certificates from your own CA. This example uses the
+CA.pl script that ships with OpenSSL.  On some systems, OpenSSL
+installs this as <tt>/usr/local/openssl/misc/CA.pl</tt>. Some systems
+install this as
 part of a package named <tt>openssl-perl</tt> or something similar.
 The script creates a private key in <tt>./demoCA/private/cakey.pem</tt>
 and a public key in <tt>./demoCA/cacert.pem</tt>.</p>
@@ -2663,7 +2697,7 @@ an unsigned public key certificate. </p>
 
 <blockquote>
 <pre>
-% <b>openssl req -new -nodes -keyout foo-key.pem -out foo-req.pem -days 365</b>
+% <b>openssl req -new -nodes -keyout foo-key.pem -out foo-req.pem</b>
 Using configuration from /etc/ssl/openssl.cnf
 Generating a 1024 bit RSA private key
 ........................................++++++
@@ -2698,7 +2732,7 @@ steps ago. </p>
 
 <blockquote>
 <pre>
-% <b>openssl ca -out foo-cert.pem -infiles foo-req.pem</b>
+% <b>openssl ca -out foo-cert.pem -days 365 -infiles foo-req.pem</b>
 Using configuration from /etc/ssl/openssl.cnf
 Enter PEM pass phrase:<b>whatever</b>
 Check that the request matches the signature
@@ -2724,6 +2758,10 @@ Data Base Updated
 and the Certification Authority certificate files.  This requires
 super-user privileges. </p>
 
+<p> The following commands assume that the key and certificate will
+be installed for the local Postfix MTA. You will need to adjust the
+commands if the Postfix MTA is on a different host. </p>
+
 <blockquote>
 <pre>
 # <b>cp demoCA/cacert.pem foo-key.pem foo-cert.pem /etc/postfix</b>

postfix/src/global/mail_version.h

@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20140219"
+#define MAIL_RELEASE_DATE	"20140223"
 #define MAIL_VERSION_NUMBER	"2.12"
 
 #ifdef SNAPSHOT

postfix/src/smtp/lmtp_params.c

@@ -71,8 +71,9 @@
 	VAR_LMTP_RSET_TMOUT, DEF_LMTP_RSET_TMOUT, &var_smtp_rset_tmout, 1, 0,
 	VAR_LMTP_QUIT_TMOUT, DEF_LMTP_QUIT_TMOUT, &var_smtp_quit_tmout, 1, 0,
 	VAR_LMTP_PIX_THRESH, DEF_LMTP_PIX_THRESH, &var_smtp_pix_thresh, 0, 0,
-	VAR_MIN_BACKOFF_TIME, DEF_MIN_BACKOFF_TIME, &var_min_backoff_time, 1, 0,
 	VAR_LMTP_PIX_DELAY, DEF_LMTP_PIX_DELAY, &var_smtp_pix_delay, 1, 0,
+	VAR_QUEUE_RUN_DELAY, DEF_QUEUE_RUN_DELAY, &var_queue_run_delay, 1, 0,
+	VAR_MIN_BACKOFF_TIME, DEF_MIN_BACKOFF_TIME, &var_min_backoff_time, 1, 0,
 	VAR_LMTP_CACHE_CONNT, DEF_LMTP_CACHE_CONNT, &var_smtp_cache_conn, 1, 0,
 	VAR_LMTP_REUSE_TIME, DEF_LMTP_REUSE_TIME, &var_smtp_reuse_time, 1, 0,
 #ifdef USE_TLS

postfix/src/smtp/smtp.c

@@ -195,8 +195,9 @@
 /* .PP
 /*	Available in Postfix version 2.2.9 and later:
 /* .IP "\fBsmtp_cname_overrides_servername (version dependent)\fR"
-/*	Allow DNS CNAME records to override the servername that the
-/*	Postfix SMTP client uses for logging, SASL password lookup, TLS
+/*	When the remote SMTP servername is a DNS CNAME, replace the
+/*	servername with the result from CNAME expansion for the purpose of
+/*	logging, SASL password lookup, TLS
 /*	policy decisions, or TLS certificate verification.
 /* .PP
 /*	Available in Postfix version 2.3 and later:
@@ -797,6 +798,7 @@ char   *var_smtp_bind_addr;
 char   *var_smtp_bind_addr6;
 bool    var_smtp_rand_addr;
 int     var_smtp_pix_thresh;
+int     var_queue_run_delay;
 int     var_min_backoff_time;
 int     var_smtp_pix_delay;
 int     var_smtp_line_limit;

postfix/src/smtp/smtp.h

@@ -474,7 +474,7 @@ extern HBC_CALL_BACKS smtp_hbc_callbacks[];
 
 #define PLAINTEXT_FALLBACK_OK_AFTER_TLS_SESSION_FAILURE \
 	(session->tls_context != 0 \
-	    && SMTP_RCPT_LEFT(state) > 0 \
+	    && SMTP_RCPT_LEFT(state) > SMTP_RCPT_MARK_COUNT(state) \
 	    && session->tls->level == TLS_LEV_MAY \
 	    && PREACTIVE_DELAY >= var_min_backoff_time \
 	    && !HAVE_SASL_CREDENTIALS)
@@ -553,6 +553,8 @@ extern void smtp_chat_notify(SMTP_SESSION *);
 
 #define SMTP_RCPT_LEFT(state) (state)->rcpt_left
 
+#define SMTP_RCPT_MARK_COUNT(state) ((state)->rcpt_drop + (state)->rcpt_keep)
+
 extern void smtp_rcpt_cleanup(SMTP_STATE *);
 extern void smtp_rcpt_done(SMTP_STATE *, SMTP_RESP *, RECIPIENT *);
 

postfix/src/smtp/smtp_params.c

@@ -73,6 +73,7 @@
 	VAR_SMTP_QUIT_TMOUT, DEF_SMTP_QUIT_TMOUT, &var_smtp_quit_tmout, 1, 0,
 	VAR_SMTP_PIX_THRESH, DEF_SMTP_PIX_THRESH, &var_smtp_pix_thresh, 0, 0,
 	VAR_SMTP_PIX_DELAY, DEF_SMTP_PIX_DELAY, &var_smtp_pix_delay, 1, 0,
+	VAR_QUEUE_RUN_DELAY, DEF_QUEUE_RUN_DELAY, &var_queue_run_delay, 1, 0,
 	VAR_MIN_BACKOFF_TIME, DEF_MIN_BACKOFF_TIME, &var_min_backoff_time, 1, 0,
 	VAR_SMTP_CACHE_CONNT, DEF_SMTP_CACHE_CONNT, &var_smtp_cache_conn, 1, 0,
 	VAR_SMTP_REUSE_TIME, DEF_SMTP_REUSE_TIME, &var_smtp_reuse_time, 1, 0,

postfix/src/smtp/smtp_rcpt.c

@@ -26,6 +26,9 @@
 /*	int	SMTP_RCPT_LEFT(state)
 /*	SMTP_STATE *state;
 /*
+/*	int	SMTP_RCPT_MARK_COUNT(state)
+/*	SMTP_STATE *state;
+/*
 /*	void	smtp_rcpt_done(state, resp, rcpt)
 /*	SMTP_STATE *state;
 /*	SMTP_RESP *resp;
@@ -64,6 +67,9 @@
 /*	SMTP_RCPT_LEFT() returns the number of left_over recipients
 /*	(the total number of marked and non-marked recipients).
 /*
+/*	SMTP_RCPT_MARK_COUNT() returns the number of left_over
+/*	recipients that are marked.
+/*
 /*	smtp_rcpt_cleanup() cleans up the in-memory recipient list.
 /*	It removes the recipients marked DROP from the left-over
 /*	recipients, unmarks the left-over recipients, and enforces

postfix/src/smtp/smtp_trouble.c

@@ -452,5 +452,11 @@ int     smtp_stream_except(SMTP_STATE *state, int code, const char *description)
 	dsb_simple(why, "4.3.0", "local data error while talking to %s",
 		   session->namaddr);
     }
+
+    /*
+     * The smtp_bulk_fail() call below will not throttle the destination when
+     * falling back to plaintext, because RETRY_AS_PLAINTEXT clears the
+     * FINAL_SERVER flag.
+     */
     return (smtp_bulk_fail(state, SMTP_THROTTLE));
 }

postfix/src/smtpd/smtpd.c

@@ -2036,23 +2036,25 @@ static int mail_open_stream(SMTPD_STATE *state)
     /*
      * Log the queue ID with the message origin.
      */
-#ifdef USE_SASL_AUTH
-    if (state->sasl_username)
-	smtpd_sasl_mail_log(state);
-    else
-#endif
-
-	/*
-	 * See also: smtpd_sasl_proto.c, for a longer client= logfile record.
-	 */
 #define PRINT_OR_NULL(cond, str) \
 	    ((cond) ? (str) : "")
 #define PRINT2_OR_NULL(cond, name, value) \
 	    PRINT_OR_NULL((cond), (name)), PRINT_OR_NULL((cond), (value))
 
-	msg_info("%s: client=%s%s%s%s%s",
+    msg_info("%s: client=%s%s%s%s%s%s%s%s%s%s%s",
 	     (state->queue_id ? state->queue_id : "NOQUEUE"),
 	     state->namaddr,
+#ifdef USE_SASL_AUTH
+	     PRINT2_OR_NULL(state->sasl_method,
+			    ", sasl_method=", state->sasl_method),
+	     PRINT2_OR_NULL(state->sasl_username,
+			    ", sasl_username=", state->sasl_username),
+	     PRINT2_OR_NULL(state->sasl_sender,
+			    ", sasl_sender=", state->sasl_sender),
+#else
+	     "", "", "", "", "", "",
+#endif
+    /* Insert transaction TLS status here. */
 	     PRINT2_OR_NULL(HAVE_FORWARDED_IDENT(state),
 			    ", orig_queue_id=", FORWARD_IDENT(state)),
 	     PRINT2_OR_NULL(HAVE_FORWARDED_CLIENT_ATTR(state),

postfix/src/smtpd/smtpd_sasl_proto.c

@@ -24,9 +24,6 @@
 /*	SMTPD_STATE *state;
 /*	const char *sender;
 /*
-/*	void	smtpd_sasl_mail_log(state)
-/*	SMTPD_STATE *state;
-/*
 /*	void	smtpd_sasl_mail_reset(state)
 /*	SMTPD_STATE *state;
 /*
@@ -64,9 +61,6 @@
 /*	option to the MAIL FROM command. The result is an error response
 /*	in case of problems.
 /*
-/*	smtpd_sasl_mail_log() logs SASL-specific information after
-/*	processing the MAIL FROM command.
-/*
 /*	smtpd_sasl_mail_reset() performs cleanup for the SASL-specific
 /*	AUTH=sender option to the MAIL FROM command.
 /*
@@ -253,34 +247,6 @@ char   *smtpd_sasl_mail_opt(SMTPD_STATE *state, const char *addr)
     return (0);
 }
 
-/* smtpd_sasl_mail_log - SASL-specific MAIL FROM logging */
-
-void    smtpd_sasl_mail_log(SMTPD_STATE *state)
-{
-
-    /*
-     * See also: smtpd.c, for a shorter client= logfile record.
-     */
-#define PRINT_OR_NULL(cond, str) \
-	    ((cond) ? (str) : "")
-#define PRINT2_OR_NULL(cond, name, value) \
-	    PRINT_OR_NULL((cond), (name)), PRINT_OR_NULL((cond), (value))
-
-    msg_info("%s: client=%s%s%s%s%s%s%s%s%s%s%s",
-	     (state->queue_id ? state->queue_id : "NOQUEUE"),
-	     state->namaddr,
-	     PRINT2_OR_NULL(state->sasl_method,
-			    ", sasl_method=", state->sasl_method),
-	     PRINT2_OR_NULL(state->sasl_username,
-			    ", sasl_username=", state->sasl_username),
-	     PRINT2_OR_NULL(state->sasl_sender,
-			    ", sasl_sender=", state->sasl_sender),
-	     PRINT2_OR_NULL(HAVE_FORWARDED_IDENT(state),
-			    ", orig_queue_id=", FORWARD_IDENT(state)),
-	     PRINT2_OR_NULL(HAVE_FORWARDED_CLIENT_ATTR(state),
-			    ", orig_client=", FORWARD_NAMADDR(state)));
-}
-
 /* smtpd_sasl_mail_reset - SASL-specific MAIL FROM cleanup */
 
 void    smtpd_sasl_mail_reset(SMTPD_STATE *state)

postfix/src/smtpd/smtpd_sasl_proto.h

@@ -14,7 +14,6 @@
 extern int smtpd_sasl_auth_cmd(SMTPD_STATE *, int, SMTPD_TOKEN *);
 extern void smtpd_sasl_auth_reset(SMTPD_STATE *);
 extern char *smtpd_sasl_mail_opt(SMTPD_STATE *, const char *);
-extern void smtpd_sasl_mail_log(SMTPD_STATE *);
 extern void smtpd_sasl_mail_reset(SMTPD_STATE *);
 
 #define smtpd_sasl_auth_extern	smtpd_sasl_login

postfix/src/tls/tls_client.c

@@ -1045,7 +1045,9 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props)
      */
     if (log_mask & TLS_LOG_SUMMARY)
 	msg_info("%s TLS connection established to %s: %s with cipher %s "
-	      "(%d/%d bits)", TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" :
+		 "(%d/%d bits)",
+		 !TLS_CERT_IS_PRESENT(TLScontext) ? "Anonymous" :
+		 TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" :
 		 TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : "Untrusted",
 	      props->namaddr, TLScontext->protocol, TLScontext->cipher_name,
 		 TLScontext->cipher_usebits, TLScontext->cipher_algbits);