mir/postfix
2
0
Fork 0
mirror of https://github.com/vdukhovni/postfix synced 2025-08-30 05:38:06 +00:00
Code Issues Releases Wiki Activity

postfix-3.6-20200312

Browse Source
This commit is contained in:
Wietse Venema 2020-03-12 00:00:00 -05:00 committed by Viktor Dukhovni
parent fdc3eb4143
commit 6795a5d1ac
6 changed files with 33 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
postfix/HISTORY
View File

@ -24658,3 +24658,10 @@ Apologies for any names omitted.
multi-Milter configuration during MAIL FROM. Milter client
state was not properly reset after one of the Milters failed.
Reported by WeiYu Wu.
20200312
Usability: the Postfix SMTP server now logs a warning when
a configuration requests access control by client certificate,
but "smtpd_tls_ask_clientcert = no". Files: proto/postconf.proto,
smtpd/smtpd_check.c.

10
postfix/html/postconf.5.html
View File

@ -14239,7 +14239,8 @@ fingerprint (Postfix 2.9 and later) as lookup key for the specified
remote SMTP client certificate is verified successfully.
The fingerprint digest algorithm is configurable via the
<a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a> parameter (hard-coded as md5 prior to
Postfix version 2.5). This feature is available with Postfix version
Postfix version 2.5). This feature requires "<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>
= yes" and is available with Postfix version
2.2 and later. </dd>
<br>
@ -14353,7 +14354,8 @@ CA. Otherwise, clients with a third-party certificate would also
be allowed to relay. Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" when the
trusted CA is specified with <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> or <a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a>,
to prevent Postfix from appending the system-supplied default CAs.
This feature is available with Postfix version 2.2.</dd>
This feature requires "<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a> = yes" and is available
with Postfix version 2.2 and later.</dd>
<dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
@ -14362,8 +14364,8 @@ fingerprint or public key fingerprint (Postfix 2.9 and later) is
listed in $<a href="postconf.5.html#relay_clientcerts">relay_clientcerts</a>.
The fingerprint digest algorithm is configurable via the
<a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a> parameter (hard-coded as md5 prior to
Postfix version 2.5). This feature is available with Postfix version
2.2. </dd>
Postfix version 2.5). This feature requires "<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>
= yes" and is available with Postfix version 2.2 and later.</dd>
<dt><b><a name="reject_rbl_client">reject_rbl_client <i>rbl_domain=d.d.d.d</i></a></b></dt>

10
postfix/man/man5/postconf.5
View File

@ -9523,7 +9523,8 @@ fingerprint (Postfix 2.9 and later) as lookup key for the specified
remote SMTP client certificate is verified successfully.
The fingerprint digest algorithm is configurable via the
smtpd_tls_fingerprint_digest parameter (hard\-coded as md5 prior to
Postfix version 2.5). This feature is available with Postfix version
Postfix version 2.5). This feature requires "smtpd_tls_ask_ccert
= yes" and is available with Postfix version
2.2 and later.
.br
.br
@ -9623,7 +9624,8 @@ CA. Otherwise, clients with a third\-party certificate would also
be allowed to relay. Specify "tls_append_default_CA = no" when the
trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath,
to prevent Postfix from appending the system\-supplied default CAs.
This feature is available with Postfix version 2.2.
This feature requires "smtpd_tls_ask_ccert = yes" and is available
with Postfix version 2.2 and later.
.br
.IP "\fBpermit_tls_clientcerts\fR"
Permit the request when the remote SMTP client certificate
@ -9631,8 +9633,8 @@ fingerprint or public key fingerprint (Postfix 2.9 and later) is
listed in $relay_clientcerts.
The fingerprint digest algorithm is configurable via the
smtpd_tls_fingerprint_digest parameter (hard\-coded as md5 prior to
Postfix version 2.5). This feature is available with Postfix version
2.2.
Postfix version 2.5). This feature requires "smtpd_tls_ask_ccert
= yes" and is available with Postfix version 2.2 and later.
.br
.IP "\fBreject_rbl_client \fIrbl_domain=d.d.d.d\fR\fR"
Reject the request when the reversed client network address is

10
postfix/proto/postconf.proto
View File

@ -5110,7 +5110,8 @@ access(5) database; with Postfix version 2.2, also require that the
remote SMTP client certificate is verified successfully.
The fingerprint digest algorithm is configurable via the
smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to
Postfix version 2.5). This feature is available with Postfix version
Postfix version 2.5). This feature requires "smtpd_tls_ask_ccert
= yes" and is available with Postfix version
2.2 and later. </dd>
<br>
@ -5225,7 +5226,8 @@ CA. Otherwise, clients with a third-party certificate would also
be allowed to relay. Specify "tls_append_default_CA = no" when the
trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath,
to prevent Postfix from appending the system-supplied default CAs.
This feature is available with Postfix version 2.2.</dd>
This feature requires "smtpd_tls_ask_ccert = yes" and is available
with Postfix version 2.2 and later.</dd>
<dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
@ -5234,8 +5236,8 @@ fingerprint or public key fingerprint (Postfix 2.9 and later) is
listed in $relay_clientcerts.
The fingerprint digest algorithm is configurable via the
smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to
Postfix version 2.5). This feature is available with Postfix version
2.2. </dd>
Postfix version 2.5). This feature requires "smtpd_tls_ask_ccert
= yes" and is available with Postfix version 2.2 and later.</dd>
<dt><b><a name="reject_rbl_client">reject_rbl_client <i>rbl_domain=d.d.d.d</i></a></b></dt>

2
postfix/src/global/mail_version.h
View File

@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
#define MAIL_RELEASE_DATE "20200309"
#define MAIL_RELEASE_DATE "20200312"
#define MAIL_VERSION_NUMBER "3.6"
#ifdef SNAPSHOT

7
postfix/src/smtpd/smtpd_check.c
View File

@ -1627,6 +1627,10 @@ static int permit_tls_clientcerts(SMTPD_STATE *state, int permit_all_certs)
if (msg_verbose)
msg_info("relay_clientcerts: No match for fingerprint '%s', "
"pkey fingerprint %s", prints[0], prints[1]);
} else if (!var_smtpd_tls_ask_ccert) {
msg_warn("%s is requested, but \"%s = no\"", permit_all_certs ?
PERMIT_TLS_ALL_CLIENTCERTS : PERMIT_TLS_CLIENTCERTS,
VAR_SMTPD_TLS_ACERT);
}
#endif
return (SMTPD_CHECK_DUNNO);
@ -3227,6 +3231,9 @@ static int check_ccert_access(SMTPD_STATE *state, const char *acl_spec,
if (result != SMTPD_CHECK_DUNNO)
break;
}
} else if (!var_smtpd_tls_ask_ccert) {
msg_warn("%s is requested, but \"%s = no\"",
CHECK_CCERT_ACL, VAR_SMTPD_TLS_ACERT);
} else {
if (msg_verbose)
msg_info("%s: no client certificate", myname);