diff --git a/postfix/HISTORY b/postfix/HISTORY index 85119166a..282a31c7d 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -27132,7 +27132,7 @@ Apologies for any names omitted. Usability: improved error message when master.cf specifies a wild-card network listener (like "smtp inet ... smtpd") - while `inet_interfaces is empty. File: master/master_ent.c. + while inet_interfaces is empty. File: master/master_ent.c. More documentation updates for local aliasing versus virtual aliasing. Files: proto/aliases, proto/virtual, postfix/postfix.c. @@ -27180,3 +27180,30 @@ Apologies for any names omitted. This also fixes a warning message when a destination contains ":service" information. Reported by Thomas Korbar. File: posttls-finger/posttls-finger.c. + +20230519 + + Cleanup: fixed postconf tests for dynamically-linked builds. + File: postconf/Makefile.in. + +20230521 + + Bitrot: library error messages in SMTP server tests. File: + smtpd/Makefile.in. + + Cleanup: removed some "the the" instances. Files: + proto/MILTER_README.html proto/stop.double-proto-html. + + Bitrot: preliminary support for OpenSSL configuration files, + primarily OpenSSL 1.1.1b and later. This introduces new + parameters "tls_config_file" and "tls_config_name", which + can be used to limit collateral damage from OS distributions + that crank up security to 11, increasing the number of + plaintext email deliveries. Details are in the postconf(5) + manpage under "tls_config_file" and "tls_config_name". + Viktor Dukhovni. Files: mantools/postlink, proto/postconf.proto, + global/mail_params.h, posttls-finger/posttls-finger.c, + smtp/smtp.c, smtp/smtp_proto.c, tls/tls_client.c, tls/tls.h, + tls/tls_misc.c, tls/tls_proxy_client_print.c, + tls/tls_proxy_client_scan.c, tls/tls_proxy.h, tls/tls_server.c, + tlsproxy/tlsproxy.c. diff --git a/postfix/README_FILES/MILTER_README b/postfix/README_FILES/MILTER_README index 4ace86821..7d9e93893 100644 --- a/postfix/README_FILES/MILTER_README 
+++ b/postfix/README_FILES/MILTER_README @@ -392,9 +392,9 @@ ccoommmmaa wwiitthhiinn aa vvaalluuee oorr aarroouunndd DDiiffffeerreenntt sseettttiinnggss ffoorr ddiiffffeerreenntt SSMMTTPP cclliieennttss The smtpd_milter_maps feature supports different Milter settings for different -client IP addresses. Lookup results override the the global smtpd_milters -setting, and have the same syntax. For example, to disable Milter settings for -local address ranges: +client IP addresses. Lookup results override the global smtpd_milters setting, +and have the same syntax. For example, to disable Milter settings for local +address ranges: /etc/postfix/main.cf: smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index fb8922265..5cc9debc1 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES @@ -26,6 +26,17 @@ now also distributed with the more recent Eclipse Public License license of their choice. Those who are more comfortable with the IPL can continue with that license. +Major changes with snapshot 20230522 +==================================== + +Preliminary support for OpenSSL configuration files, primarily +OpenSSL 1.1.1b and later. This introduces two new parameters +"tls_config_file" and "tls_config_name", which can be used to limit +collateral damage from OS distributions that crank up security to +11, increasing the number of plaintext email deliveries. Details +are in the postconf(5) manpage under "tls_config_file" and +"tls_config_name". + Incompatible changes with snapshot 20230419 =========================================== diff --git a/postfix/WISHLIST b/postfix/WISHLIST index 43f0baadc..a041835b3 100644 --- a/postfix/WISHLIST +++ b/postfix/WISHLIST 
@@ -1,5 +1,9 @@ Wish list: + In tlsproxy, diff the server-side TLS library settings + against those from a tlsproxy client, and make sure that + the diff covers the new cnf_file and cnf_name properties. + Things to do before the stable release: make pre-release-check, HTML validator check. diff --git a/postfix/html/MILTER_README.html b/postfix/html/MILTER_README.html index c69a5bfd8..b72fdb885 100644 --- a/postfix/html/MILTER_README.html +++ b/postfix/html/MILTER_README.html @@ -630,7 +630,7 @@ and protocol.

clients

The smtpd_milter_maps feature supports different Milter settings -for different client IP addresses. Lookup results override the the +for different client IP addresses. Lookup results override the global smtpd_milters setting, and have the same syntax. For example, to disable Milter settings for local address ranges:

diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 51ed8ed69..f4e8be08b 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -19261,6 +19261,112 @@ backwards compatibility, to avoid breaking certificate verification with sites that don't use permit_tls_all_clientcerts.

+ + +
tls_config_file +(default: default)
+ +

Optional configuration file with baseline OpenSSL settings. +OpenSSL loads any SSL settings found in the configuration file for +the selected application name (see tls_config_name) or else the +built-in application name "openssl_conf" when no application name is +specified, or no corresponding configuration section is present. +

+ +

With OpenSSL releases 1.1.1 and 1.1.1a, applications (including +Postfix) can neither specify an alternative configuration file, nor +avoid loading the default configuration file.

+ +

With OpenSSL 1.1.1b or later, this parameter may be set to one of: +

+ +
+ +
default (default)
Load the system-wide +"openssl.cnf" configuration file.
+ +
none (recommended, OpenSSL 1.1.1b or later only)
+
This setting disables loading of the system-wide "openssl.cnf" +file.
+ +
/absolute-path (OpenSSL 1.1.1b or later only)
+
Load the configuration file specified by /absolute-path. +With this setting it is an error for the file to not contain any +settings for the selected tls_config_name. There is no fallback to +the default "openssl_conf" name.
+ +
+ +

Failures in processing of the built-in default configuration +file, are silently ignored with OpenSSL prior to 1.1.1b. With later +OpenSSL releases, any errors in loading either the default or custom +configuration file are detected by Postfix, and cause TLS support to +be disabled.

+ +

The OpenSSL configuration file format is not documented here, +beyond giving two examples.

+ +

Example: Default settings for all applications.

+ +
+
+# The name 'openssl_conf' is the default application name
+# The section name to the right of the '=' sign is arbitrary,
+# any name will do, so long as it refers to the desired section.
+#
+# The name 'system_default' selects the settings applied internally
+# by the SSL library as part of SSL object creation.  Applications
+# can then apply any additional settings of their choice.
+#
+# In this example, TLS versions prior to 1.2 are disabled by default.
+#
+openssl_conf = system_wide_settings
+[system_wide_settings]
+ssl_conf = ssl_library_settings
+[ssl_library_settings]
+system_default = initial_ssl_settings
+[initial_ssl_settings]
+MinProtocol = TLSv1.2
+
+
+ +

Example: Custom settings for an application named "postfix".

+ +
+
+# The mapping from an application name to the corresponding configuration
+# section must appear near the top of the file, (in what is sometimes called
+# the "default section") prior to the start of any explicitly named
+# "[sections]".  The named sections can appear in any order and don't nest.
+#
+postfix = postfix_settings
+[postfix_settings]
+ssl_conf = postfix_ssl_settings
+[postfix_ssl_settings]
+system_default = baseline_postfix_settings
+[baseline_postfix_settings]
+MinProtocol = TLSv1
+
+
+ +

This feature is available in Postfix ≥ 3.9.

+ + +
+ +
tls_config_name +(default: empty)
+ +

The application name passed by Postfix to OpenSSL library +initialization functions. This name is used to select the desired +configuration "section" in the OpenSSL configuration file specified +via the tls_config_file parameter. When empty, or when the +selected name is not present in the configuration file, the default +application name ("openssl_conf") is used as a fallback.

+ +

This feature is available in Postfix ≥ 3.9.

+ +
tls_daemon_random_bytes diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 48cb498bc..9ecb0a2f0 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 
@@ -13640,6 +13640,104 @@ This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8, 2.7.2 and later versions. Specify "tls_append_default_CA = yes" for backwards compatibility, to avoid breaking certificate verification with sites that don't use permit_tls_all_clientcerts. +.SH tls_config_file (default: default) +Optional configuration file with baseline OpenSSL settings. +OpenSSL loads any SSL settings found in the configuration file for +the selected application name (see tls_config_name) or else the +built\-in application name "openssl_conf" when no application name is +specified, or no corresponding configuration section is present. +.PP +With OpenSSL releases 1.1.1 and 1.1.1a, applications (including +Postfix) can neither specify an alternative configuration file, nor +avoid loading the default configuration file. +.PP +With OpenSSL 1.1.1b or later, this parameter may be set to one of: +.IP "\fBdefault\fR (default)" +Load the system\-wide +"openssl.cnf" configuration file. +.br +.IP "\fBnone\fR (recommended, OpenSSL 1.1.1b or later only)" +This setting disables loading of the system\-wide "openssl.cnf" +file. +.br +.IP "\fB\fI/absolute\-path\fR\fR (OpenSSL 1.1.1b or later only)" +Load the configuration file specified by \fI/absolute\-path\fR. +With this setting it is an error for the file to not contain any +settings for the selected tls_config_name. There is no fallback to +the default "openssl_conf" name. +.br +.br +.PP +Failures in processing of the built\-in default configuration +file, are silently ignored with OpenSSL prior to 1.1.1b. With later +OpenSSL releases, any errors in loading either the default or custom +configuration file are detected by Postfix, and cause TLS support to +be disabled. +.PP +The OpenSSL configuration file format is not documented here, +beyond giving two examples. +.PP +Example: Default settings for all applications. 
+.sp +.in +4 +.nf +.na +.ft C +# The name 'openssl_conf' is the default application name +# The section name to the right of the '=' sign is arbitrary, +# any name will do, so long as it refers to the desired section. +# +# The name 'system_default' selects the settings applied internally +# by the SSL library as part of SSL object creation. Applications +# can then apply any additional settings of their choice. +# +# In this example, TLS versions prior to 1.2 are disabled by default. +# +openssl_conf = system_wide_settings +[system_wide_settings] +ssl_conf = ssl_library_settings +[ssl_library_settings] +system_default = initial_ssl_settings +[initial_ssl_settings] +MinProtocol = TLSv1.2 +.fi +.ad +.ft R +.in -4 +.PP +Example: Custom settings for an application named "postfix". +.sp +.in +4 +.nf +.na +.ft C +# The mapping from an application name to the corresponding configuration +# section must appear near the top of the file, (in what is sometimes called +# the "default section") prior to the start of any explicitly named +# "[sections]". The named sections can appear in any order and don't nest. +# +postfix = postfix_settings +[postfix_settings] +ssl_conf = postfix_ssl_settings +[postfix_ssl_settings] +system_default = baseline_postfix_settings +[baseline_postfix_settings] +MinProtocol = TLSv1 +.fi +.ad +.ft R +.in -4 +.PP +This feature is available in Postfix >= 3.9. +.SH tls_config_name (default: empty) +The application name passed by Postfix to OpenSSL library +initialization functions. This name is used to select the desired +configuration "section" in the OpenSSL configuration file specified +via the tls_config_file parameter. When empty, or when the +selected name is not present in the configuration file, the default +application name ("openssl_conf") is used as a fallback. +.PP +This feature is available in Postfix >= 3.9. 
.SH tls_daemon_random_bytes (default: 32) The number of pseudo\-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8) process requests from the \fBtlsmgr\fR(8) server in order to seed its diff --git a/postfix/man/man8/smtp.8 b/postfix/man/man8/smtp.8 index 8a8ad84dc..361e3dd46 100644 --- a/postfix/man/man8/smtp.8 +++ b/postfix/man/man8/smtp.8 @@ -836,8 +836,8 @@ sub\-second delay values. .IP "\fBdisable_dns_lookups (no)\fR" Disable DNS lookups in the Postfix SMTP and LMTP clients. .IP "\fBinet_interfaces (all)\fR" -The local network interface addresses that this mail system receives -mail on. +The local network interface addresses that this mail system +receives mail on. .IP "\fBinet_protocols (see 'postconf -d output')\fR" The Internet protocols Postfix will attempt to use when making or accepting connections. diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink index 9966ea45d..8a27a92a1 100755 --- a/postfix/mantools/postlink +++ b/postfix/mantools/postlink @@ -782,6 +782,8 @@ while (<>) { s;\btls_session_ticket_cipher\b;$&;g; s;\btls_server_sni_maps\b;$&;g; s;\btls_ssl_options\b;$&;g; + s;\btls_config_name\b;$&;g; + s;\btls_config_file\b;$&;g; s;\btls_dane_digest_agility\b;$&;g; s;\btls_dane_trust_anchor_digest_enable\b;$&;g; s;\btls_fast_shutdown_enable\b;$&;g; diff --git a/postfix/proto/MILTER_README.html b/postfix/proto/MILTER_README.html index d40d24c97..9f9833bb4 100644 --- a/postfix/proto/MILTER_README.html +++ b/postfix/proto/MILTER_README.html @@ -630,7 +630,7 @@ main.cf: items separated by space or comma. There is one difference: clients

The smtpd_milter_maps feature supports different Milter settings -for different client IP addresses. Lookup results override the the +for different client IP addresses. Lookup results override the global smtpd_milters setting, and have the same syntax. For example, to disable Milter settings for local address ranges:

diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 0ec06fe49..f89164999 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -18748,3 +18748,101 @@ uses fewer the anvil(8) resources to maintain counters. By default, aggregation is enabled for IPv6.

This feature is available in Postfix 3.8 and later.

+ +%PARAM tls_config_name + +

The application name passed by Postfix to OpenSSL library +initialization functions. This name is used to select the desired +configuration "section" in the OpenSSL configuration file specified +via the tls_config_file parameter. When empty, or when the +selected name is not present in the configuration file, the default +application name ("openssl_conf") is used as a fallback.

+ +

This feature is available in Postfix ≥ 3.9.

+ +%PARAM tls_config_file default + +

Optional configuration file with baseline OpenSSL settings. +OpenSSL loads any SSL settings found in the configuration file for +the selected application name (see tls_config_name) or else the +built-in application name "openssl_conf" when no application name is +specified, or no corresponding configuration section is present. +

+ +

With OpenSSL releases 1.1.1 and 1.1.1a, applications (including +Postfix) can neither specify an alternative configuration file, nor +avoid loading the default configuration file.

+ +

With OpenSSL 1.1.1b or later, this parameter may be set to one of: +

+ +
+ +
default (default)
Load the system-wide +"openssl.cnf" configuration file.
+ +
none (recommended, OpenSSL 1.1.1b or later only)
+
This setting disables loading of the system-wide "openssl.cnf" +file.
+ +
/absolute-path (OpenSSL 1.1.1b or later only)
+
Load the configuration file specified by /absolute-path. +With this setting it is an error for the file to not contain any +settings for the selected tls_config_name. There is no fallback to +the default "openssl_conf" name.
+ +
+ +

Failures in processing of the built-in default configuration +file, are silently ignored with OpenSSL prior to 1.1.1b. With later +OpenSSL releases, any errors in loading either the default or custom +configuration file are detected by Postfix, and cause TLS support to +be disabled.

+ +

The OpenSSL configuration file format is not documented here, +beyond giving two examples.

+ +

Example: Default settings for all applications.

+ +
+
+# The name 'openssl_conf' is the default application name
+# The section name to the right of the '=' sign is arbitrary,
+# any name will do, so long as it refers to the desired section.
+#
+# The name 'system_default' selects the settings applied internally
+# by the SSL library as part of SSL object creation.  Applications
+# can then apply any additional settings of their choice.
+#
+# In this example, TLS versions prior to 1.2 are disabled by default.
+#
+openssl_conf = system_wide_settings
+[system_wide_settings]
+ssl_conf = ssl_library_settings
+[ssl_library_settings]
+system_default = initial_ssl_settings
+[initial_ssl_settings]
+MinProtocol = TLSv1.2
+
+
+ +

Example: Custom settings for an application named "postfix".

+ +
+
+# The mapping from an application name to the corresponding configuration
+# section must appear near the top of the file, (in what is sometimes called
+# the "default section") prior to the start of any explicitly named
+# "[sections]".  The named sections can appear in any order and don't nest.
+#
+postfix = postfix_settings
+[postfix_settings]
+ssl_conf = postfix_ssl_settings
+[postfix_ssl_settings]
+system_default = baseline_postfix_settings
+[baseline_postfix_settings]
+MinProtocol = TLSv1
+
+
+ +

This feature is available in Postfix ≥ 3.9.

diff --git a/postfix/proto/stop.double-history b/postfix/proto/stop.double-history index 60b8572a1..1826107aa 100644 --- a/postfix/proto/stop.double-history +++ b/postfix/proto/stop.double-history @@ -50,3 +50,6 @@ proto proto ADDRESS_REWRITING_README html proto proto aliases proto virtual proto ADDRESS_REWRITING_README html master master c postlog postlog c postlogd postlogd c proto postconf proto proto aliases proto virtual + posttls finger posttls finger c smtp smtp c smtp smtp_proto c + tls tls_client c tls tls h tls tls_misc c + tls tls_proxy h tls tls_server c tlsproxy tlsproxy c diff --git a/postfix/proto/stop.double-proto-html b/postfix/proto/stop.double-proto-html index f89992e13..5f50df096 100644 --- a/postfix/proto/stop.double-proto-html +++ b/postfix/proto/stop.double-proto-html @@ -42,7 +42,6 @@ dd dd The default algorithm is b sha256 b with Postfix ge 3 6 dd No TLS TLS will not be used unless enabled for specific Dec 4 04 30 09 hostname postfix smtpd 58549 NOQUEUE reject default_transport uucp uucp gateway - different client IP addresses Lookup results override the the global Documentation Documentation is available as README files start with the file done done done done @@ -202,8 +201,6 @@ smtp_tls_mandatory_protocols SSLv2 SSLv3 TLSv1 TLSv1 1 SSLv3 TLSv1 TLSv1 1 TLSv1 2 and TLSv1 3 Starting with T 5 10 20 40 80 160 320 640 1280 1280 T A 5 10 20 40 80 160 320 320 - The and match and literally Without the the - The matches literally Without the the would Therefore 301 0301 0x301 and 0x0301 are all equivalent to The syntax of name value value name value and name value the the backed up domain tld domain This prevents your mail queue 
@@ -247,3 +244,9 @@ dt dt b name value b Postfix ge 3 0 dt p Note on OpenBSD systems specify dev dev arandom when dev dev urandom user3 example net smtp smtp relay example net submission virtual_alias_maps hash etc postfix virtual virtual aliasing +system_wide_settings system_wide_settings +ssl_library_settings ssl_library_settings +initial_ssl_settings initial_ssl_settings +postfix_settings postfix_settings +postfix_ssl_settings postfix_ssl_settings +baseline_postfix_settings baseline_postfix_settings diff --git a/postfix/proto/stop.spell-cc b/postfix/proto/stop.spell-cc index aa28bee99..2bd163eb2 100644 --- a/postfix/proto/stop.spell-cc +++ b/postfix/proto/stop.spell-cc @@ -1802,3 +1802,4 @@ bytecount ipproto cw uncreate +MFLAGS diff --git a/postfix/proto/stop.spell-proto-html b/postfix/proto/stop.spell-proto-html index 191224080..c4f4c845b 100644 --- a/postfix/proto/stop.spell-proto-html +++ b/postfix/proto/stop.spell-proto-html @@ -357,3 +357,4 @@ kDHE srv wraptls api +MinProtocol diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index c008f46f7..4582e480b 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -3330,9 +3330,19 @@ extern bool var_smtp_sender_auth; extern bool var_smtp_cname_overr; /* - * TLS cipherlists + * TLS library settings + */ +#define VAR_TLS_CNF_FILE "tls_config_file" +#define DEF_TLS_CNF_FILE "default" +extern char *var_tls_cnf_file; + +#define VAR_TLS_CNF_NAME "tls_config_name" +#define DEF_TLS_CNF_NAME "" +extern char *var_tls_cnf_name; + + /* + * Deprecated and unused cipher, key exchange and public key algorithms */ - /* Deprecated and unused cipher, key exchange and public key algorithms */ #define TLS_EXCL_CIPHS ":!SEED:!IDEA:!3DES:!RC2:!RC4:!RC5" #define TLS_EXCL_KEXCH ":!kDH:!kECDH" #define TLS_EXCL_PKEYS ":!aDSS" diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index fc2f3adc8..924362f83 100644 
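Review bot: The new DEF_TLS_CNF_FILE macro in mail_params.h carries no hint that "default" is one of several literal sentinels, yet tls_misc.c compares the parameter against "default", "none" and a leading '/' and disables TLS on anything else. A reader of the header cannot see that contract, so I would note it next to the definition, `#define DEF_TLS_CNF_FILE "default" /* "default", "none", or an absolute path */`, and similarly `#define DEF_TLS_CNF_NAME "" /* empty: OpenSSL falls back to "openssl_conf" */`. The fallback behaviour for the empty name is taken from the postconf text in this same commit, not from code visible here.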
--- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20230517" +#define MAIL_RELEASE_DATE "20230521" #define MAIL_VERSION_NUMBER "3.9" #ifdef SNAPSHOT diff --git a/postfix/src/postconf/Makefile.in b/postfix/src/postconf/Makefile.in index f872b8aae..efae3652a 100644 --- a/postfix/src/postconf/Makefile.in +++ b/postfix/src/postconf/Makefile.in @@ -808,7 +808,7 @@ test58: $(PROG) test58.ref echo 'yy_backup = bbb' >> main.cf echo 'yy_bogus = bbb' >> main.cf touch -t 197101010000 main.cf - $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./postconf -nc. >test58.tmp 2>&1 || true + $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -nc. >test58.tmp 2>&1 || true diff test58.ref test58.tmp rm -f main.cf master.cf test58.tmp @@ -994,9 +994,9 @@ test71: $(PROG) test71.ref test72: $(PROG) test72.ref rm -f main.cf master.cf touch main.cf master.cf - ./postconf -Mc. smtp/unix='smtp unix - n n - 0 other' - ./postconf -Mc. smtp/abcd='smtp fifo - n n - 0 other' - ./postconf -Mc. smtp/abcd='smtp inet - n n - 0 other' + $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/unix='smtp unix - n n - 0 other' + $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/abcd='smtp fifo - n n - 0 other' + $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/abcd='smtp inet - n n - 0 other' touch -t 197201010000 main.cf $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. >test72.tmp 2>&1 diff test72.ref test72.tmp 
@@ -1006,10 +1006,10 @@ test72: $(PROG) test72.ref test73: $(PROG) test73.ref rm -f main.cf master.cf touch main.cf master.cf - ./postconf -Mc. smtp/unix='smtp unix - n n - 0 other' - ./postconf -Mc. smtp/abcd='smtp fifo - n n - 0 other' - ./postconf -Mc. smtp/abcd='smtp inet - n n - 0 other' - ./postconf -Mc. smtp/abcd='smtp unix - n n - 0 otherx' + $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/unix='smtp unix - n n - 0 other' + $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/abcd='smtp fifo - n n - 0 other' + $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/abcd='smtp inet - n n - 0 other' + $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/abcd='smtp unix - n n - 0 otherx' touch -t 197301010000 main.cf $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. >test73.tmp 2>&1 diff test73.ref test73.tmp @@ -1019,10 +1019,10 @@ test73: $(PROG) test73.ref test74: $(PROG) test74.ref rm -f main.cf master.cf touch main.cf master.cf - ./postconf -Mc. smtp/unix='smtp unix - n n - 0 other' - ./postconf -Mc. smtp/abcd='smtp fifo - n n - 0 other' - ./postconf -Mc. smtp/abcd='smtp inet - n n - 0 other' - ./postconf -Mc. smtp/fifo='lmtp unix - n n - 0 otherx' + $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/unix='smtp unix - n n - 0 other' + $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/abcd='smtp fifo - n n - 0 other' + $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/abcd='smtp inet - n n - 0 other' + $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/fifo='lmtp unix - n n - 0 otherx' touch -t 197401010000 main.cf $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. >test74.tmp 2>&1 diff test74.ref test74.tmp 
@@ -1032,7 +1032,7 @@ test74: $(PROG) test74.ref test75: $(PROG) test75.ref rm -f main.cf master.cf touch main.cf master.cf - ./postconf -c. mail_version=x mail_version=y >test75.tmp 2>&1 + $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -c. mail_version=x mail_version=y >test75.tmp 2>&1 touch -t 197501010000 main.cf $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -nc. >>test75.tmp 2>&1 diff test75.ref test75.tmp diff --git a/postfix/src/posttls-finger/posttls-finger.c b/postfix/src/posttls-finger/posttls-finger.c index b9a46999d..027fd9a89 100644 --- a/postfix/src/posttls-finger/posttls-finger.c +++ b/postfix/src/posttls-finger/posttls-finger.c @@ -793,6 +793,8 @@ static int starttls(STATE *state) * Send all our wishes in one big request. */ TLS_PROXY_CLIENT_INIT_PROPS(&init_props, + cnf_file = var_tls_cnf_file, + cnf_name = var_tls_cnf_name, log_param = "-L option", log_level = state->options.logopts, verifydepth = DEF_SMTP_TLS_SCERT_VD, @@ -1854,6 +1856,8 @@ static void tls_init(STATE *state) /* Needed for tls_dane_avail() and other DANE-related processing. */ state->tls_ctx = TLS_CLIENT_INIT(&props, + cnf_file = var_tls_cnf_file, + cnf_name = var_tls_cnf_name, log_param = "-L option", log_level = state->options.logopts, verifydepth = DEF_SMTP_TLS_SCERT_VD, diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c index 8f1413d93..793802a5f 100644 --- a/postfix/src/smtp/smtp.c +++ b/postfix/src/smtp/smtp.c @@ -792,8 +792,8 @@ /* .IP "\fBdisable_dns_lookups (no)\fR" /* Disable DNS lookups in the Postfix SMTP and LMTP clients. /* .IP "\fBinet_interfaces (all)\fR" -/* The local network interface addresses that this mail system receives -/* mail on. +/* The local network interface addresses that this mail system +/* receives mail on. /* .IP "\fBinet_protocols (see 'postconf -d output')\fR" /* The Internet protocols Postfix will attempt to use when making /* or accepting connections. 
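Review bot: The cnf_file and cnf_name values that starttls() now passes in TLS_PROXY_CLIENT_INIT_PROPS describe the client's tls_config_file/tls_config_name, but OpenSSL loads its configuration only once per process, so a tlsproxy instance that already initialized the library with its own settings cannot honor a different value sent by this client. Nothing at the call site says so, and the WISHLIST entry in this commit suggests tlsproxy does not yet compare the two sides. I would add `/* tlsproxy applies OpenSSL configuration at its own startup; a mismatch with its tls_config_file is not detected here. */` above the two new lines, and the same comment belongs on the TLS_PROXY_CLIENT_INIT_PROPS hunk in smtp_proto.c. Whether tlsproxy applies these properties at all is not visible from this diff. starttls() begins and ends outside the hunk.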
@@ -1110,8 +1110,8 @@ bool var_smtp_balance_inet_proto; bool var_smtp_req_deadline; int var_smtp_min_data_rate; char *var_use_srv_lookup; -bool var_ign_srv_lookup_err; -bool var_allow_srv_fallback; +bool var_ign_srv_lookup_err; +bool var_allow_srv_fallback; /* Special handling of 535 AUTH errors. */ char *var_smtp_sasl_auth_cache_name; @@ -1119,7 +1119,7 @@ int var_smtp_sasl_auth_cache_time; bool var_smtp_sasl_auth_soft_bounce; char *var_hfrom_format; -bool var_smtp_bind_addr_enforce; +bool var_smtp_bind_addr_enforce; /* * Global variables. @@ -1512,6 +1512,8 @@ static void pre_init(char *unused_name, char **unused_argv) */ smtp_tls_ctx = TLS_CLIENT_INIT(&props, + cnf_file = var_tls_cnf_file, + cnf_name = var_tls_cnf_name, log_param = VAR_LMTP_SMTP(TLS_LOGLEVEL), log_level = var_smtp_tls_loglevel, verifydepth = var_smtp_tls_scert_vd, diff --git a/postfix/src/smtp/smtp_proto.c b/postfix/src/smtp/smtp_proto.c index 097d51842..4bbec9405 100644 --- a/postfix/src/smtp/smtp_proto.c +++ b/postfix/src/smtp/smtp_proto.c @@ -911,6 +911,8 @@ static int smtp_start_tls(SMTP_STATE *state) * Send all our wishes in one big request. */ TLS_PROXY_CLIENT_INIT_PROPS(&init_props, + cnf_file = var_tls_cnf_file, + cnf_name = var_tls_cnf_name, log_param = VAR_LMTP_SMTP(TLS_LOGLEVEL), log_level = var_smtp_tls_loglevel, verifydepth = var_smtp_tls_scert_vd, diff --git a/postfix/src/smtpd/Makefile.in b/postfix/src/smtpd/Makefile.in index 7fdfe1286..4df864c4d 100644 --- a/postfix/src/smtpd/Makefile.in +++ b/postfix/src/smtpd/Makefile.in 
@@ -114,7 +114,8 @@ smtpd_addr_valid_test: smtpd_check smtpd_addr_valid.in smtpd_addr_valid.ref # This requires that the DNS server can query porcupine.org. -ADDRINFO_FIX = sed 's/No address associated with hostname/hostname nor servname provided, or not known/' +ADDRINFO_FIX = sed -e 's/No address associated with hostname/hostname nor servname provided, or not known/' \ + -e 's/Name or service not known/hostname nor servname provided, or not known/' smtpd_exp_test: smtpd_check smtpd_exp.in smtpd_exp.ref $(SHLIB_ENV) $(VALGRIND) ../postmap/postmap hash:smtpd_check_access diff --git a/postfix/src/tls/tls.h b/postfix/src/tls/tls.h index 00515ee93..90100cd37 100644 --- a/postfix/src/tls/tls.h +++ b/postfix/src/tls/tls.h @@ -77,6 +77,7 @@ extern const char *str_tls_level(int); #include /* New OpenSSL 3.0 EVP_PKEY APIs */ #include /* OPENSSL_VERSION_NUMBER */ #include +#include /* Appease indent(1) */ #define x509_stack_t STACK_OF(X509) @@ -322,6 +323,7 @@ extern void tls_free_app_context(TLS_APPL_STATE *); * tls_misc.c */ extern void tls_param_init(void); +extern int tls_library_init(void); /* * Protocol selection. @@ -449,6 +451,8 @@ extern void tls_get_signature_params(TLS_SESS_STATE *); * tls_client.c */ typedef struct { + const char *cnf_file; + const char *cnf_name; const char *log_param; const char *log_level; int verifydepth; 
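Review bot: The two fields added at the top of TLS_CLIENT_INIT_PROPS in tls.h, cnf_file and cnf_name, are the only members of the struct whose valid values are a closed set of string sentinels, and that is documented nowhere near the declaration. I would annotate them inline, `const char *cnf_file; /* "default", "none", or absolute path */` and `const char *cnf_name; /* OpenSSL application name; empty = library default */`. Since the macro arity change to a1..a16 makes any caller that omits the new properties fail to compile, the positional macros themselves need no further guard. The prototype `extern int tls_library_init(void);` in the same file would also benefit from a one-line comment on its return convention, which tls_client.c treats as zero-means-failure.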
@@ -494,16 +498,16 @@ extern TLS_SESS_STATE *tls_client_post_connect(TLS_SESS_STATE *, tls_session_stop(ctx, (stream), (timeout), (failure), (TLScontext)) #define TLS_CLIENT_INIT_ARGS(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \ - a10, a11, a12, a13, a14) \ - (((props)->a1), ((props)->a2), ((props)->a3), \ - ((props)->a4), ((props)->a5), ((props)->a6), ((props)->a7), \ - ((props)->a8), ((props)->a9), ((props)->a10), ((props)->a11), \ - ((props)->a12), ((props)->a13), ((props)->a14), (props)) + a10, a11, a12, a13, a14, a15, a16) \ + (((props)->a1), ((props)->a2), ((props)->a3), ((props)->a4), \ + ((props)->a5), ((props)->a6), ((props)->a7), ((props)->a8), \ + ((props)->a9), ((props)->a10), ((props)->a11), ((props)->a12), \ + ((props)->a13), ((props)->a14), ((props)->a15), ((props)->a16), (props)) #define TLS_CLIENT_INIT(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \ - a10, a11, a12, a13, a14) \ + a10, a11, a12, a13, a14, a15, a16) \ tls_client_init(TLS_CLIENT_INIT_ARGS(props, a1, a2, a3, a4, a5, \ - a6, a7, a8, a9, a10, a11, a12, a13, a14)) + a6, a7, a8, a9, a10, a11, a12, a13, a14, a15, a16)) #define TLS_CLIENT_START(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \ a10, a11, a12, a13, a14, a15, a16, a17) \ diff --git a/postfix/src/tls/tls_client.c b/postfix/src/tls/tls_client.c index d63d65023..9656d6922 100644 --- a/postfix/src/tls/tls_client.c +++ b/postfix/src/tls/tls_client.c @@ -640,6 +640,13 @@ TLS_APPL_STATE *tls_client_init(const TLS_CLIENT_INIT_PROPS *props) */ tls_check_version(); + /* + * Initialize the OpenSSL library, possibly loading its configuration + * file. + */ + if (tls_library_init() == 0) + return (0); + /* * Create an application data index for SSL objects, so that we can * attach TLScontext information; this information is needed inside 
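Review bot: The new tls_library_init() call in tls_client_init() only has an effect if it is the first OpenSSL initialization in the process; on OpenSSL 1.1.0 and later any earlier library call that auto-initializes (for example creating an SSL_CTX) would make tls_config_file and tls_config_name silently no-ops, and the hunk's comment does not state that precondition. The part of tls_client_init() before tls_check_version() is outside the hunk, so this may already hold today, but a comment would keep a future reordering from breaking it: `/* Must run before any OpenSSL call that auto-initializes the library; configuration is loaded only once per process. */`. Returning 0 here matches the function's other failure paths, so callers see TLS disabled rather than a fatal error. tls_client_init() begins and ends outside the hunk.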
@@ -788,8 +795,8 @@ TLS_APPL_STATE *tls_client_init(const TLS_CLIENT_INIT_PROPS *props) /* * With OpenSSL 1.0.2 and later the client EECDH curve list becomes * configurable with the preferred curve negotiated via the supported - * curves extension. With OpenSSL 3.0 and TLS 1.3, the same applies - * to the FFDHE groups which become part of a unified "groups" list. + * curves extension. With OpenSSL 3.0 and TLS 1.3, the same applies to + * the FFDHE groups which become part of a unified "groups" list. */ tls_auto_groups(client_ctx, var_tls_eecdh_auto, var_tls_ffdhe_auto); diff --git a/postfix/src/tls/tls_misc.c b/postfix/src/tls/tls_misc.c index b7000cbab..d91e43f23 100644 --- a/postfix/src/tls/tls_misc.c +++ b/postfix/src/tls/tls_misc.c @@ -29,6 +29,8 @@ /* #define TLS_INTERNAL /* #include /* +/* char *var_tls_cnf_file; +/* char *var_tls_cnf_name; /* char *var_tls_high_clist; /* char *var_tls_medium_clist; /* char *var_tls_null_clist; @@ -68,6 +70,8 @@ /* /* void tls_param_init() /* +/* int tls_library_init(void) +/* /* int tls_proto_mask_lims(plist, floor, ceiling) /* const char *plist; /* int *floor; @@ -156,6 +160,9 @@ /* tls_param_init() loads main.cf parameters used internally in /* TLS library. Any errors are fatal. /* +/* tls_library_init() initializes the OpenSSL library, optionally +/* loading an OpenSSL configuration file. +/* /* tls_pre_jail_init() opens any tables that need to be opened before /* entering a chroot jail. The "role" parameter must be TLS_ROLE_CLIENT /* for clients and TLS_ROLE_SERVER for servers. Any errors are fatal. @@ -274,6 +281,8 @@ /* * Tunable parameters. */ +char *var_tls_cnf_file; +char *var_tls_cnf_name; char *var_tls_high_clist; char *var_tls_medium_clist; char *var_tls_low_ignored; 
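Review bot: The manual-page comment added for tls_library_init() in tls_misc.c describes what the function does but not what it returns, while tls_client.c in this same commit relies on a zero result meaning failure. I would extend the paragraph to read, in substance: tls_library_init() initializes the OpenSSL library, optionally loading an OpenSSL configuration file; it returns zero after logging a warning when initialization fails, in which case the caller should disable TLS support, and it must be called before any other OpenSSL API that triggers library auto-initialization. The same hunk group declares var_tls_cnf_file and var_tls_cnf_name in the SYNOPSIS; a short line there that var_tls_cnf_file is one of "default", "none" or an absolute path would match the checks performed later in the file.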
@@ -643,6 +652,8 @@ void tls_param_init(void)
 {
 /* If this changes, update TLS_CLIENT_PARAMS in tls_proxy.h. */
 static const CONFIG_STR_TABLE str_table[] = {
+ VAR_TLS_CNF_FILE, DEF_TLS_CNF_FILE, &var_tls_cnf_file, 0, 0,
+ VAR_TLS_CNF_NAME, DEF_TLS_CNF_NAME, &var_tls_cnf_name, 0, 0,
 VAR_TLS_HIGH_CLIST, DEF_TLS_HIGH_CLIST, &var_tls_high_clist, 1, 0,
 VAR_TLS_MEDIUM_CLIST, DEF_TLS_MEDIUM_CLIST, &var_tls_medium_clist, 1, 0,
 VAR_TLS_LOW_CLIST, DEF_TLS_LOW_CLIST, &var_tls_low_ignored, 0, 0,
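Review bot: The new str_table row for VAR_TLS_CNF_FILE accepts an empty value (minimum length 0), but tls_library_init() later in this file only recognizes "default", "none" or an absolute pathname, so an empty `tls_config_file =` in main.cf is rejected only at library-init time, with a warning that reads "non-default tls_config_file =  is not an absolute pathname", and TLS is then disabled for that process. Unless an empty value is meant to be accepted, a non-zero minimum like the cipherlist rows, `VAR_TLS_CNF_FILE, DEF_TLS_CNF_FILE, &var_tls_cnf_file, 1, 0,`, would turn that into a fatal error at parameter load, which is harder to miss than a warning in the log. The VAR_TLS_CNF_NAME row is fine as written, since tls_library_init() explicitly maps an empty name to "no application name". tls_param_init() starts and continues outside the hunk.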
@@ -687,6 +698,88 @@ void tls_param_init(void)
 get_mail_conf_bool_table(bool_table);
 }
+/* tls_library_init - perform OpenSSL library initialization */
+int tls_library_init(void)
+{
+ OPENSSL_INIT_SETTINGS *init_settings = 0;
+ char *conf_name = *var_tls_cnf_name ? var_tls_cnf_name : 0;
+ char *conf_file = 0;
+ unsigned long init_opts = 0;
+ if ((init_settings = OPENSSL_INIT_new()) == 0) {
+ msg_warn("error allocating OpenSSL init settings, "
+ "disabling TLS support");
+ return (0);
+ }
+#if OPENSSL_VERSION_NUMBER < 0x1010102fL
+ /*
+ * OpenSSL 1.1.0 through 1.1.1a, no support for custom configuration
+ * files, disabling loading of the file, or getting strict error
+ * handling. Thus, the only supported configuration file is "default".
+ */
+ if (strcmp(var_tls_cnf_file, "default") != 0) {
+ msg_warn("non-default %s = %s requires OpenSSL 1.1.1b or later, "
+ "disabling TLS support", VAR_TLS_CNF_FILE, var_tls_cnf_file);
+ return (0);
+ }
+#else
+ {
+ unsigned long init_flags = 0;
+ /*-
+ * OpenSSL 1.1.1b or later:
+ * We can now choose a non-default or configuration file, or
+ * use none at all. We can also request strict error
+ * reporting.
+ */
+ if (strcmp(var_tls_cnf_file, "default") == 0) {
+ conf_file = 0;
+ /* The default global config file is optional */
+ init_flags |= CONF_MFLAGS_IGNORE_MISSING_FILE;
+ } else if (strcmp(var_tls_cnf_file, "none") == 0) {
+ init_opts |= OPENSSL_INIT_NO_LOAD_CONFIG;
+ } else if (*var_tls_cnf_file == '/') {
+ conf_file = var_tls_cnf_file;
+ } else {
+ msg_warn("non-default %s = %s is not an absolute pathname, "
+ "disabling TLS support", VAR_TLS_CNF_FILE, var_tls_cnf_file);
+ return (0);
+ }
+ /*
+ * By not including CONF_MFLAGS_IGNORE_RETURN_CODES, we get strict
+ * error reporting.
We don't insist on a match for the requested
+ * application name, allowing fallback to the default application
+ * name, even when a non-default application name is specified by
+ * always setting the CONF_MFLAGS_DEFAULT_SECTION bit.
+ */
+ init_flags |= CONF_MFLAGS_DEFAULT_SECTION;
+ OPENSSL_INIT_set_config_file_flags(init_settings, init_flags);
+ }
+#endif
+ if (conf_file)
+ OPENSSL_INIT_set_config_filename(init_settings, conf_file);
+ if (conf_name)
+ OPENSSL_INIT_set_config_appname(init_settings, conf_name);
+ if (OPENSSL_init_ssl(init_opts, init_settings) <= 0) {
+ if ((init_opts & OPENSSL_INIT_NO_LOAD_CONFIG) == 0)
+ msg_warn("error loading the '%s' settings from the %s OpenSSL "
+ "configuration file, disabling TLS support",
+ conf_name ? conf_name : "global",
+ conf_file ? conf_file : "default");
+ else
+ msg_warn("error initializing the OpenSSL library, "
+ "disabling TLS support");
+ tls_print_errors();
+ return (0);
+ }
+ return (1);
+}
+
 /* tls_pre_jail_init - Load TLS related pre-jail tables */
 void tls_pre_jail_init(TLS_ROLE role)
diff --git a/postfix/src/tls/tls_proxy.h b/postfix/src/tls/tls_proxy.h
index f3eb0f611..70c188a91 100644
--- a/postfix/src/tls/tls_proxy.h
+++ b/postfix/src/tls/tls_proxy.h
@@ -97,11 +97,12 @@ extern VSTREAM *tls_proxy_open(const char *, int, VSTREAM *, const char *,
 void *, void *, void *);
 #define TLS_PROXY_CLIENT_INIT_PROPS(props, a1, a2, a3, a4, a5, a6, a7, a8, \
- a9, a10, a11, a12, a13, a14) \
+ a9, a10, a11, a12, a13, a14, a15, a16) \
 (((props)->a1), ((props)->a2), ((props)->a3), \
 ((props)->a4), ((props)->a5), ((props)->a6), ((props)->a7), \
 ((props)->a8), ((props)->a9), ((props)->a10), ((props)->a11), \
- ((props)->a12), ((props)->a13), ((props)->a14))
+ ((props)->a12), ((props)->a13), ((props)->a14), ((props)->a15), \
+ ((props)->a16))
 #define TLS_PROXY_CLIENT_START_PROPS(props, a1, a2, a3, a4, a5, a6, a7, a8, \
 a9, a10, a11, a12, a13, a14) \
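Review bot: The OPENSSL_INIT_SETTINGS object returned by OPENSSL_INIT_new() in tls_library_init() is never released: none of the three `return (0)` paths that follow the allocation (the pre-1.1.1b "non-default" case, the "not an absolute pathname" case, and the OPENSSL_init_ssl() failure) nor the final `return (1)` calls `OPENSSL_INIT_free(init_settings);`. Because tls_library_init() is invoked from both tls_client_init() and tls_server_init() (tls_client.c and tls_server.c hunks in this series), a process that initializes both roles, or re-initializes, allocates a fresh settings object each time, and as far as I know OPENSSL_init_ssl() only applies its settings on the first call in a process, so the later calls do no useful work yet still leak. Freeing the object before every return, and remembering the first result in a static so repeated calls return it without touching OpenSSL again, addresses both; the function header comment should also state that only the first call in a process can select a configuration file. The warnings in this function say "disabling TLS support", but it is the callers that decide what a 0 return means, so the header comment should spell out the return contract (1 on success, 0 on failure with a warning already logged).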
@@ -214,6 +215,8 @@ extern void tls_proxy_server_start_free(TLS_SERVER_START_PROPS *);
 /*
 * TLS_CLIENT_INIT_PROPS attributes.
 */
+#define TLS_ATTR_CNF_FILE "config_file"
+#define TLS_ATTR_CNF_NAME "config_name"
 #define TLS_ATTR_LOG_PARAM "log_param"
 #define TLS_ATTR_LOG_LEVEL "log_level"
 #define TLS_ATTR_VERIFYDEPTH "verifydepth"
diff --git a/postfix/src/tls/tls_proxy_client_print.c b/postfix/src/tls/tls_proxy_client_print.c
index 616eb45d5..39a1e1c74 100644
--- a/postfix/src/tls/tls_proxy_client_print.c
+++ b/postfix/src/tls/tls_proxy_client_print.c
@@ -144,6 +144,10 @@ int tls_proxy_client_init_print(ATTR_PRINT_COMMON_FN print_fn, VSTREAM *fp,
 #define STRING_OR_EMPTY(s) ((s) ? (s) : "")
 ret = print_fn(fp, flags | ATTR_FLAG_MORE,
+ SEND_ATTR_STR(TLS_ATTR_CNF_FILE,
+ STRING_OR_EMPTY(props->cnf_file)),
+ SEND_ATTR_STR(TLS_ATTR_CNF_NAME,
+ STRING_OR_EMPTY(props->cnf_name)),
 SEND_ATTR_STR(TLS_ATTR_LOG_PARAM,
 STRING_OR_EMPTY(props->log_param)),
 SEND_ATTR_STR(TLS_ATTR_LOG_LEVEL,
diff --git a/postfix/src/tls/tls_proxy_client_scan.c b/postfix/src/tls/tls_proxy_client_scan.c
index a4767b792..914710649 100644
--- a/postfix/src/tls/tls_proxy_client_scan.c
+++ b/postfix/src/tls/tls_proxy_client_scan.c
@@ -217,6 +217,8 @@ int tls_proxy_client_param_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
 void tls_proxy_client_init_free(TLS_CLIENT_INIT_PROPS *props)
 {
+ myfree((void *) props->cnf_file);
+ myfree((void *) props->cnf_name);
 myfree((void *) props->log_param);
 myfree((void *) props->log_level);
 myfree((void *) props->cache_type);
@@ -241,6 +243,8 @@ int tls_proxy_client_init_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
 TLS_CLIENT_INIT_PROPS *props = (TLS_CLIENT_INIT_PROPS *)
 mymalloc(sizeof(*props));
 int ret;
+ VSTRING *cnf_file = vstring_alloc(25);
+ VSTRING *cnf_name = vstring_alloc(25);
 VSTRING *log_param = vstring_alloc(25);
 VSTRING *log_level = vstring_alloc(25);
 VSTRING *cache_type = vstring_alloc(25);
@@ -263,6 +267,8 @@ int tls_proxy_client_init_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
 */
 memset(props, 0, sizeof(*props));
 ret = scan_fn(fp, flags | ATTR_FLAG_MORE,
+ RECV_ATTR_STR(TLS_ATTR_CNF_FILE, cnf_file),
+ RECV_ATTR_STR(TLS_ATTR_CNF_NAME, cnf_name),
 RECV_ATTR_STR(TLS_ATTR_LOG_PARAM, log_param),
 RECV_ATTR_STR(TLS_ATTR_LOG_LEVEL, log_level),
 RECV_ATTR_INT(TLS_ATTR_VERIFYDEPTH, &props->verifydepth),
@@ -279,6 +285,8 @@ int tls_proxy_client_init_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
 RECV_ATTR_STR(TLS_ATTR_MDALG, mdalg),
 ATTR_TYPE_END);
 /* Always construct a well-formed structure. */
+ props->cnf_file = vstring_export(cnf_file);
+ props->cnf_name = vstring_export(cnf_name);
 props->log_param = vstring_export(log_param);
 props->log_level = vstring_export(log_level);
 props->cache_type = vstring_export(cache_type);
@@ -292,7 +300,7 @@ int tls_proxy_client_init_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
 props->CAfile = vstring_export(CAfile);
 props->CApath = vstring_export(CApath);
 props->mdalg = vstring_export(mdalg);
- ret = (ret == 14 ? 1 : -1);
+ ret = (ret == 16 ? 1 : -1);
 if (ret != 1) {
 tls_proxy_client_init_free(props);
 props = 0;
diff --git a/postfix/src/tls/tls_server.c b/postfix/src/tls/tls_server.c
index dcf232e84..86bb198e5 100644
--- a/postfix/src/tls/tls_server.c
+++ b/postfix/src/tls/tls_server.c
@@ -168,10 +168,12 @@ static const char server_session_id_context[] = "Postfix/TLS";
 #ifndef OPENSSL_NO_TLSEXT
+
 /*
 * We retain the cipher handle for the lifetime of the process.
 */
 static const EVP_CIPHER *tkt_cipher;
+
 #endif
 #define GET_SID(s, v, lptr) ((v) = SSL_SESSION_get_id((s), (lptr)))
@@ -419,6 +421,13 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
 */
 tls_check_version();
+ /*
+ * Initialize the OpenSSL library, possibly loading its configuration
+ * file.
+ */
+ if (tls_library_init() == 0)
+ return (0);
+
 /*
 * First validate the protocols. If these are invalid, we can't continue.
 */
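Review bot: The literal in `ret = (ret == 16 ? 1 : -1);` is the number of RECV_ATTR_* items handed to scan_fn() in the earlier hunk of tls_proxy_client_init_scan(), and nothing at the comparison says so; the same count is also hard-wired into the a15/a16 arity of TLS_CLIENT_INIT_ARGS in tls.h and TLS_PROXY_CLIENT_INIT_PROPS in tls_proxy.h, so the next attribute added has four places to update with no compiler help. A comment next to the comparison, such as `/* Must equal the number of RECV_ATTR_* items in the scan_fn() call above. */`, or a named constant shared with tls_proxy_client_init_print(), would make that coupling visible. A peer built before this change sends 14 attributes and is rejected here as a protocol error rather than negotiated down, which is presumably fine within one installed package but could be stated in the release notes. tls_proxy_client_init_scan() starts outside the hunk.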
@@ -677,10 +686,10 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
 tls_tmp_dh(sni_ctx, 1);
 /*
- * Enable EECDH if available, errors are not fatal, we just keep going with
- * any remaining key-exchange algorithms. With OpenSSL 3.0 and TLS 1.3,
- * the same applies to the FFDHE groups which become part of a unified
- * "groups" list.
+ * Enable EECDH if available, errors are not fatal, we just keep going
+ * with any remaining key-exchange algorithms. With OpenSSL 3.0 and TLS
+ * 1.3, the same applies to the FFDHE groups which become part of a
+ * unified "groups" list.
 */
 tls_auto_groups(server_ctx, var_tls_eecdh_auto, var_tls_ffdhe_auto);
 tls_auto_groups(sni_ctx, var_tls_eecdh_auto, var_tls_ffdhe_auto);
diff --git a/postfix/src/tlsproxy/tlsproxy.c b/postfix/src/tlsproxy/tlsproxy.c
index 18203f787..58215e8c2 100644
--- a/postfix/src/tlsproxy/tlsproxy.c
+++ b/postfix/src/tlsproxy/tlsproxy.c
@@ -1742,6 +1742,8 @@ static void pre_jail_init_client(void)
 */
 (void) tls_proxy_client_param_from_config(&tls_params);
 (void) TLS_CLIENT_INIT_ARGS(&init_props,
+ cnf_file = var_tls_cnf_file,
+ cnf_name = var_tls_cnf_name,
 log_param = var_tlsp_clnt_logparam,
 log_level = var_tlsp_clnt_loglevel,
 verifydepth = var_tlsp_clnt_scert_vd,
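Review bot: The new `cnf_file = var_tls_cnf_file` and `cnf_name = var_tls_cnf_name` members of init_props are copies of the same globals that tls_library_init() reads directly (tls_misc.c hunk), and tls_client_init() (tls_client.c hunk) calls tls_library_init() without arguments, so nothing in this series consumes the two props fields when the library is initialized. Presumably they exist so that the serialized TLS_CLIENT_INIT_PROPS (the tls_proxy_client_print.c and tls_proxy_client_scan.c hunks) records which configuration a peer was using; if so, a one-line comment at this call, `/* cnf_file/cnf_name are recorded in the init props; library init itself reads the globals */`, would keep a later cleanup from making tls_library_init() take the path from a props structure that may have arrived from another process. That separation is worth preserving, since the configuration file is loaded by this process with its own privileges. pre_jail_init_client() continues outside the hunk.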