mirror of https://github.com/vdukhovni/postfix synced 2025-08-23 02:17:44 +00:00

postfix-3.9-20230521

This commit is contained in:
Wietse Venema 2023-05-21 00:00:00 -05:00 committed by Viktor Dukhovni
parent dedb6a0d58
commit 770f8c7630
30 changed files with 552 additions and 49 deletions

View File

@ -27132,7 +27132,7 @@ Apologies for any names omitted.
Usability: improved error message when master.cf specifies Usability: improved error message when master.cf specifies
a wild-card network listener (like "smtp inet ... smtpd") a wild-card network listener (like "smtp inet ... smtpd")
while `inet_interfaces is empty. File: master/master_ent.c. while inet_interfaces is empty. File: master/master_ent.c.
More documentation updates for local aliasing versus virtual More documentation updates for local aliasing versus virtual
aliasing. Files: proto/aliases, proto/virtual, postfix/postfix.c. aliasing. Files: proto/aliases, proto/virtual, postfix/postfix.c.
@ -27180,3 +27180,30 @@ Apologies for any names omitted.
This also fixes a warning message when a destination contains This also fixes a warning message when a destination contains
":service" information. Reported by Thomas Korbar. File: ":service" information. Reported by Thomas Korbar. File:
posttls-finger/posttls-finger.c. posttls-finger/posttls-finger.c.
20230519
Cleanup: fixed postconf tests for dynamically-linked builds.
File: postconf/Makefile.in.
20230521
Bitrot: library error messages in SMTP server tests. File:
smtpd/Makefile.in.
Cleanup: removed some "the the" instances. Files:
proto/MILTER_README.html proto/stop.double-proto-html.
Bitrot: preliminary support for OpenSSL configuration files,
primarily OpenSSL 1.1.1b and later. This introduces new
parameters "tls_config_file" and "tls_config_name", which
can be used to limit collateral damage from OS distributions
that crank up security to 11, increasing the number of
plaintext email deliveries. Details are in the postconf(5)
manpage under "tls_config_file" and "tls_config_name".
Viktor Dukhovni. Files: mantools/postlink, proto/postconf.proto,
global/mail_params.h, posttls-finger/posttls-finger.c,
smtp/smtp.c, smtp/smtp_proto.c, tls/tls_client.c, tls/tls.h,
tls/tls_misc.c, tls/tls_proxy_client_print.c,
tls/tls_proxy_client_scan.c, tls/tls_proxy.h, tls/tls_server.c,
tlsproxy/tlsproxy.c.
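Review bot: the 20230521 entry is filed as "Bitrot:" although it introduces two user-visible parameters (tls_config_file, tls_config_name) and RELEASE_NOTES files the same change under "Major changes"; a "Feature:" label would keep the two documents consistent and make the entry easier to find when scanning HISTORY for new knobs.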

View File

@ -392,9 +392,9 @@ ccoommmmaa wwiitthhiinn aa vvaalluuee oorr aarroouunndd
DDiiffffeerreenntt sseettttiinnggss ffoorr ddiiffffeerreenntt SSMMTTPP cclliieennttss DDiiffffeerreenntt sseettttiinnggss ffoorr ddiiffffeerreenntt SSMMTTPP cclliieennttss
The smtpd_milter_maps feature supports different Milter settings for different The smtpd_milter_maps feature supports different Milter settings for different
client IP addresses. Lookup results override the the global smtpd_milters client IP addresses. Lookup results override the global smtpd_milters setting,
setting, and have the same syntax. For example, to disable Milter settings for and have the same syntax. For example, to disable Milter settings for local
local address ranges: address ranges:
/etc/postfix/main.cf: /etc/postfix/main.cf:
smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map

View File

@ -26,6 +26,17 @@ now also distributed with the more recent Eclipse Public License
license of their choice. Those who are more comfortable with the license of their choice. Those who are more comfortable with the
IPL can continue with that license. IPL can continue with that license.
Major changes with snapshot 20230522
====================================
Preliminary support for OpenSSL configuration files, primarily
OpenSSL 1.1.1b and later. This introduces two new parameters
"tls_config_file" and "tls_config_name", which can be used to limit
collateral damage from OS distributions that crank up security to
11, increasing the number of plaintext email deliveries. Details
are in the postconf(5) manpage under "tls_config_file" and
"tls_config_name".
Incompatible changes with snapshot 20230419 Incompatible changes with snapshot 20230419
=========================================== ===========================================
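Review bot: the heading says "Major changes with snapshot 20230522", but the HISTORY entry for this change is dated 20230521 and mail_version.h sets MAIL_RELEASE_DATE "20230521" in this same commit; pick one date so that users matching release notes against the running version do not miss the section.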

View File

@ -1,5 +1,9 @@
Wish list: Wish list:
In tlsproxy, diff the server-side TLS library settings
against those from a tlsproxy client, and make sure that
the diff covers the new cnf_file and cnf_name properties.
Things to do before the stable release: Things to do before the stable release:
make pre-release-check, HTML validator check. make pre-release-check, HTML validator check.

View File

@ -630,7 +630,7 @@ and protocol. </p>
clients </a></h3> clients </a></h3>
<p> The <a href="postconf.5.html#smtpd_milter_maps">smtpd_milter_maps</a> feature supports different Milter settings <p> The <a href="postconf.5.html#smtpd_milter_maps">smtpd_milter_maps</a> feature supports different Milter settings
for different client IP addresses. Lookup results override the the for different client IP addresses. Lookup results override the
global <a href="postconf.5.html#smtpd_milters">smtpd_milters</a> setting, and have the same syntax. For example, global <a href="postconf.5.html#smtpd_milters">smtpd_milters</a> setting, and have the same syntax. For example,
to disable Milter settings for local address ranges: </p> to disable Milter settings for local address ranges: </p>

View File

@ -19261,6 +19261,112 @@ backwards compatibility, to avoid breaking certificate verification
with sites that don't use <a href="postconf.5.html#permit_tls_all_clientcerts">permit_tls_all_clientcerts</a>. </p> with sites that don't use <a href="postconf.5.html#permit_tls_all_clientcerts">permit_tls_all_clientcerts</a>. </p>
</DD>
<DT><b><a name="tls_config_file">tls_config_file</a>
(default: default)</b></DT><DD>
<p> Optional configuration file with baseline OpenSSL settings.
OpenSSL loads any SSL settings found in the configuration file for
the selected application name (see <a href="postconf.5.html#tls_config_name">tls_config_name</a>) or else the
built-in application name "openssl_conf" when no application name is
specified, or no corresponding configuration section is present.
</p>
<p> With OpenSSL releases 1.1.1 and 1.1.1a, applications (including
Postfix) can neither specify an alternative configuration file, nor
avoid loading the default configuration file. </p>
<p> With OpenSSL 1.1.1b or later, this parameter may be set to one of:
</p>
<dl>
<dt> <b>default</b> (default) </dt> <dd> Load the system-wide
"openssl.cnf" configuration file. </dd>
<dt> <b>none</b> (recommended, OpenSSL 1.1.1b or later only) </dt>
<dd> This setting disables loading of the system-wide "openssl.cnf"
file. </dd>
<dt> <b><i>/absolute-path</i></b> (OpenSSL 1.1.1b or later only) </dt>
<dd> Load the configuration file specified by <i>/absolute-path</i>.
With this setting it is an error for the file to not contain any
settings for the selected <a href="postconf.5.html#tls_config_name">tls_config_name</a>. There is no fallback to
the default "openssl_conf" name. </dd>
</dl>
<p> Failures in processing of the built-in default configuration
file, are silently ignored with OpenSSL prior to 1.1.1b. With later
OpenSSL releases, any errors in loading either the default or custom
configuration file are detected by Postfix, and cause TLS support to
be disabled. </p>
<p> The OpenSSL configuration file format is not documented here,
beyond giving two examples. <p>
<p> Example: Default settings for all applications. </p>
<blockquote>
<pre>
# The name 'openssl_conf' is the default application name
# The section name to the right of the '=' sign is arbitrary,
# any name will do, so long as it refers to the desired section.
#
# The name 'system_default' selects the settings applied internally
# by the SSL library as part of SSL object creation. Applications
# can then apply any additional settings of their choice.
#
# In this example, TLS versions prior to 1.2 are disabled by default.
#
openssl_conf = system_wide_settings
[system_wide_settings]
ssl_conf = ssl_library_settings
[ssl_library_settings]
system_default = initial_ssl_settings
[initial_ssl_settings]
MinProtocol = TLSv1.2
</pre>
</blockquote>
<p> Example: Custom settings for an application named "postfix". </p>
<blockquote>
<pre>
# The mapping from an application name to the corresponding configuration
# section must appear near the top of the file, (in what is sometimes called
# the "default section") prior to the start of any explicitly named
# "[sections]". The named sections can appear in any order and don't nest.
#
postfix = postfix_settings
[postfix_settings]
ssl_conf = postfix_ssl_settings
[postfix_ssl_settings]
system_default = baseline_postfix_settings
[baseline_postfix_settings]
MinProtocol = TLSv1
</pre>
</blockquote>
<p> This feature is available in Postfix &ge; 3.9. </p>
</DD>
<DT><b><a name="tls_config_name">tls_config_name</a>
(default: empty)</b></DT><DD>
<p> The application name passed by Postfix to OpenSSL library
initialization functions. This name is used to select the desired
configuration "section" in the OpenSSL configuration file specified
via the <a href="postconf.5.html#tls_config_file">tls_config_file</a> parameter. When empty, or when the
selected name is not present in the configuration file, the default
application name ("openssl_conf") is used as a fallback. </p>
<p> This feature is available in Postfix &ge; 3.9. </p>
</DD> </DD>
<DT><b><a name="tls_daemon_random_bytes">tls_daemon_random_bytes</a> <DT><b><a name="tls_daemon_random_bytes">tls_daemon_random_bytes</a>
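Review bot: the value list marks "none" as recommended while the default stays "default", and nothing in the text says why an admin would keep the non-recommended value; one sentence on the trade-off (compatibility with an existing openssl.cnf versus isolation from distribution-wide hardening) would make the recommendation actionable. The sentence "any errors ... cause TLS support to be disabled" should also say what an operator will observe (the warning logged, and that opportunistic sessions then proceed without TLS), since silently losing TLS is the outcome the parameter is meant to prevent.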

View File

@ -13640,6 +13640,104 @@ This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8,
2.7.2 and later versions. Specify "tls_append_default_CA = yes" for 2.7.2 and later versions. Specify "tls_append_default_CA = yes" for
backwards compatibility, to avoid breaking certificate verification backwards compatibility, to avoid breaking certificate verification
with sites that don't use permit_tls_all_clientcerts. with sites that don't use permit_tls_all_clientcerts.
.SH tls_config_file (default: default)
Optional configuration file with baseline OpenSSL settings.
OpenSSL loads any SSL settings found in the configuration file for
the selected application name (see tls_config_name) or else the
built\-in application name "openssl_conf" when no application name is
specified, or no corresponding configuration section is present.
.PP
With OpenSSL releases 1.1.1 and 1.1.1a, applications (including
Postfix) can neither specify an alternative configuration file, nor
avoid loading the default configuration file.
.PP
With OpenSSL 1.1.1b or later, this parameter may be set to one of:
.IP "\fBdefault\fR (default)"
Load the system\-wide
"openssl.cnf" configuration file.
.br
.IP "\fBnone\fR (recommended, OpenSSL 1.1.1b or later only)"
This setting disables loading of the system\-wide "openssl.cnf"
file.
.br
.IP "\fB\fI/absolute\-path\fR\fR (OpenSSL 1.1.1b or later only)"
Load the configuration file specified by \fI/absolute\-path\fR.
With this setting it is an error for the file to not contain any
settings for the selected tls_config_name. There is no fallback to
the default "openssl_conf" name.
.br
.br
.PP
Failures in processing of the built\-in default configuration
file, are silently ignored with OpenSSL prior to 1.1.1b. With later
OpenSSL releases, any errors in loading either the default or custom
configuration file are detected by Postfix, and cause TLS support to
be disabled.
.PP
The OpenSSL configuration file format is not documented here,
beyond giving two examples.
.PP
Example: Default settings for all applications.
.sp
.in +4
.nf
.na
.ft C
# The name 'openssl_conf' is the default application name
# The section name to the right of the '=' sign is arbitrary,
# any name will do, so long as it refers to the desired section.
#
# The name 'system_default' selects the settings applied internally
# by the SSL library as part of SSL object creation. Applications
# can then apply any additional settings of their choice.
#
# In this example, TLS versions prior to 1.2 are disabled by default.
#
openssl_conf = system_wide_settings
[system_wide_settings]
ssl_conf = ssl_library_settings
[ssl_library_settings]
system_default = initial_ssl_settings
[initial_ssl_settings]
MinProtocol = TLSv1.2
.fi
.ad
.ft R
.in -4
.PP
Example: Custom settings for an application named "postfix".
.sp
.in +4
.nf
.na
.ft C
# The mapping from an application name to the corresponding configuration
# section must appear near the top of the file, (in what is sometimes called
# the "default section") prior to the start of any explicitly named
# "[sections]". The named sections can appear in any order and don't nest.
#
postfix = postfix_settings
[postfix_settings]
ssl_conf = postfix_ssl_settings
[postfix_ssl_settings]
system_default = baseline_postfix_settings
[baseline_postfix_settings]
MinProtocol = TLSv1
.fi
.ad
.ft R
.in -4
.PP
This feature is available in Postfix >= 3.9.
.SH tls_config_name (default: empty)
The application name passed by Postfix to OpenSSL library
initialization functions. This name is used to select the desired
configuration "section" in the OpenSSL configuration file specified
via the tls_config_file parameter. When empty, or when the
selected name is not present in the configuration file, the default
application name ("openssl_conf") is used as a fallback.
.PP
This feature is available in Postfix >= 3.9.
.SH tls_daemon_random_bytes (default: 32) .SH tls_daemon_random_bytes (default: 32)
The number of pseudo\-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8) The number of pseudo\-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8)
process requests from the \fBtlsmgr\fR(8) server in order to seed its process requests from the \fBtlsmgr\fR(8) server in order to seed its
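Review bot: the "/absolute-path" item ends with two consecutive ".br" requests (".br" ".br" right before ".PP"), which the other items do not have; this looks like generator output from an unbalanced paragraph tag in the proto source rather than intended man markup, so fix postconf.proto and regenerate instead of editing postconf.5 directly. The comma in "built-in default configuration file, are silently ignored" should go for the same reason.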

View File

@ -836,8 +836,8 @@ sub\-second delay values.
.IP "\fBdisable_dns_lookups (no)\fR" .IP "\fBdisable_dns_lookups (no)\fR"
Disable DNS lookups in the Postfix SMTP and LMTP clients. Disable DNS lookups in the Postfix SMTP and LMTP clients.
.IP "\fBinet_interfaces (all)\fR" .IP "\fBinet_interfaces (all)\fR"
The local network interface addresses that this mail system receives The local network interface addresses that this mail system
mail on. receives mail on.
.IP "\fBinet_protocols (see 'postconf -d output')\fR" .IP "\fBinet_protocols (see 'postconf -d output')\fR"
The Internet protocols Postfix will attempt to use when making The Internet protocols Postfix will attempt to use when making
or accepting connections. or accepting connections.

View File

@ -782,6 +782,8 @@ while (<>) {
s;\btls_session_ticket_cipher\b;<a href="postconf.5.html#tls_session_ticket_cipher">$&</a>;g; s;\btls_session_ticket_cipher\b;<a href="postconf.5.html#tls_session_ticket_cipher">$&</a>;g;
s;\btls_server_sni_maps\b;<a href="postconf.5.html#tls_server_sni_maps">$&</a>;g; s;\btls_server_sni_maps\b;<a href="postconf.5.html#tls_server_sni_maps">$&</a>;g;
s;\btls_ssl_options\b;<a href="postconf.5.html#tls_ssl_options">$&</a>;g; s;\btls_ssl_options\b;<a href="postconf.5.html#tls_ssl_options">$&</a>;g;
s;\btls_config_name\b;<a href="postconf.5.html#tls_config_name">$&</a>;g;
s;\btls_config_file\b;<a href="postconf.5.html#tls_config_file">$&</a>;g;
s;\btls_dane_digest_agility\b;<a href="postconf.5.html#tls_dane_digest_agility">$&</a>;g; s;\btls_dane_digest_agility\b;<a href="postconf.5.html#tls_dane_digest_agility">$&</a>;g;
s;\btls_dane_trust_anchor_digest_enable\b;<a href="postconf.5.html#tls_dane_trust_anchor_digest_enable">$&</a>;g; s;\btls_dane_trust_anchor_digest_enable\b;<a href="postconf.5.html#tls_dane_trust_anchor_digest_enable">$&</a>;g;
s;\btls_fast_shutdown_enable\b;<a href="postconf.5.html#tls_fast_shutdown_enable">$&</a>;g; s;\btls_fast_shutdown_enable\b;<a href="postconf.5.html#tls_fast_shutdown_enable">$&</a>;g;

View File

@ -630,7 +630,7 @@ main.cf: items separated by space or comma. There is one difference:
clients </a></h3> clients </a></h3>
<p> The smtpd_milter_maps feature supports different Milter settings <p> The smtpd_milter_maps feature supports different Milter settings
for different client IP addresses. Lookup results override the the for different client IP addresses. Lookup results override the
global smtpd_milters setting, and have the same syntax. For example, global smtpd_milters setting, and have the same syntax. For example,
to disable Milter settings for local address ranges: </p> to disable Milter settings for local address ranges: </p>

View File

@ -18748,3 +18748,101 @@ uses fewer the anvil(8) resources to maintain counters. By default,
aggregation is enabled for IPv6. </p> aggregation is enabled for IPv6. </p>
<p> This feature is available in Postfix 3.8 and later. </p> <p> This feature is available in Postfix 3.8 and later. </p>
%PARAM tls_config_name
<p> The application name passed by Postfix to OpenSSL library
initialization functions. This name is used to select the desired
configuration "section" in the OpenSSL configuration file specified
via the tls_config_file parameter. When empty, or when the
selected name is not present in the configuration file, the default
application name ("openssl_conf") is used as a fallback. </p>
<p> This feature is available in Postfix &ge; 3.9. </p>
%PARAM tls_config_file default
<p> Optional configuration file with baseline OpenSSL settings.
OpenSSL loads any SSL settings found in the configuration file for
the selected application name (see tls_config_name) or else the
built-in application name "openssl_conf" when no application name is
specified, or no corresponding configuration section is present.
</p>
<p> With OpenSSL releases 1.1.1 and 1.1.1a, applications (including
Postfix) can neither specify an alternative configuration file, nor
avoid loading the default configuration file. </p>
<p> With OpenSSL 1.1.1b or later, this parameter may be set to one of:
</p>
<dl>
<dt> <b>default</b> (default) </dt> <dd> Load the system-wide
"openssl.cnf" configuration file. </dd>
<dt> <b>none</b> (recommended, OpenSSL 1.1.1b or later only) </dt>
<dd> This setting disables loading of the system-wide "openssl.cnf"
file. </dd>
<dt> <b><i>/absolute-path</i></b> (OpenSSL 1.1.1b or later only) </dt>
<dd> Load the configuration file specified by <i>/absolute-path</i>.
With this setting it is an error for the file to not contain any
settings for the selected tls_config_name. There is no fallback to
the default "openssl_conf" name. </dd>
</dl>
<p> Failures in processing of the built-in default configuration
file, are silently ignored with OpenSSL prior to 1.1.1b. With later
OpenSSL releases, any errors in loading either the default or custom
configuration file are detected by Postfix, and cause TLS support to
be disabled. </p>
<p> The OpenSSL configuration file format is not documented here,
beyond giving two examples. <p>
<p> Example: Default settings for all applications. </p>
<blockquote>
<pre>
# The name 'openssl_conf' is the default application name
# The section name to the right of the '=' sign is arbitrary,
# any name will do, so long as it refers to the desired section.
#
# The name 'system_default' selects the settings applied internally
# by the SSL library as part of SSL object creation. Applications
# can then apply any additional settings of their choice.
#
# In this example, TLS versions prior to 1.2 are disabled by default.
#
openssl_conf = system_wide_settings
[system_wide_settings]
ssl_conf = ssl_library_settings
[ssl_library_settings]
system_default = initial_ssl_settings
[initial_ssl_settings]
MinProtocol = TLSv1.2
</pre>
</blockquote>
<p> Example: Custom settings for an application named "postfix". </p>
<blockquote>
<pre>
# The mapping from an application name to the corresponding configuration
# section must appear near the top of the file, (in what is sometimes called
# the "default section") prior to the start of any explicitly named
# "[sections]". The named sections can appear in any order and don't nest.
#
postfix = postfix_settings
[postfix_settings]
ssl_conf = postfix_ssl_settings
[postfix_ssl_settings]
system_default = baseline_postfix_settings
[baseline_postfix_settings]
MinProtocol = TLSv1
</pre>
</blockquote>
<p> This feature is available in Postfix &ge; 3.9. </p>
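Review bot: "beyond giving two examples. <p>" opens a second paragraph instead of closing the first; it should be "</p>", and since postconf.5.html and postconf.5 are generated from this file the typo already shows up in both. Two smaller points: "configuration file, are silently ignored" has a stray comma, and the tls_config_name text says an absent section falls back to "openssl_conf" while the "/absolute-path" item for tls_config_file says "There is no fallback"; state in tls_config_name that the fallback applies only when tls_config_file is "default", otherwise the two descriptions read as contradicting each other.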

View File

@ -50,3 +50,6 @@ proto proto ADDRESS_REWRITING_README html
proto proto aliases proto virtual proto ADDRESS_REWRITING_README html proto proto aliases proto virtual proto ADDRESS_REWRITING_README html
master master c postlog postlog c postlogd postlogd c master master c postlog postlog c postlogd postlogd c
proto postconf proto proto aliases proto virtual proto postconf proto proto aliases proto virtual
posttls finger posttls finger c smtp smtp c smtp smtp_proto c
tls tls_client c tls tls h tls tls_misc c
tls tls_proxy h tls tls_server c tlsproxy tlsproxy c

View File

@ -42,7 +42,6 @@ dd dd The default algorithm is b sha256 b with Postfix ge 3 6
dd No TLS TLS will not be used unless enabled for specific dd No TLS TLS will not be used unless enabled for specific
Dec 4 04 30 09 hostname postfix smtpd 58549 NOQUEUE reject Dec 4 04 30 09 hostname postfix smtpd 58549 NOQUEUE reject
default_transport uucp uucp gateway default_transport uucp uucp gateway
different client IP addresses Lookup results override the the global
Documentation Documentation is available as README files start with the file Documentation Documentation is available as README files start with the file
done done done done
done done done done
@ -202,8 +201,6 @@ smtp_tls_mandatory_protocols SSLv2 SSLv3 TLSv1 TLSv1 1
SSLv3 TLSv1 TLSv1 1 TLSv1 2 and TLSv1 3 Starting with SSLv3 TLSv1 TLSv1 1 TLSv1 2 and TLSv1 3 Starting with
T 5 10 20 40 80 160 320 640 1280 1280 T 5 10 20 40 80 160 320 640 1280 1280
T A 5 10 20 40 80 160 320 320 T A 5 10 20 40 80 160 320 320
The and match and literally Without the the
The matches literally Without the the would
Therefore 301 0301 0x301 and 0x0301 are all equivalent to Therefore 301 0301 0x301 and 0x0301 are all equivalent to
The syntax of name value value name value and name value The syntax of name value value name value and name value
the the backed up domain tld domain This prevents your mail queue the the backed up domain tld domain This prevents your mail queue
@ -247,3 +244,9 @@ dt dt b name value b Postfix ge 3 0 dt
p Note on OpenBSD systems specify dev dev arandom when dev dev urandom p Note on OpenBSD systems specify dev dev arandom when dev dev urandom
user3 example net smtp smtp relay example net submission user3 example net smtp smtp relay example net submission
virtual_alias_maps hash etc postfix virtual virtual aliasing virtual_alias_maps hash etc postfix virtual virtual aliasing
system_wide_settings system_wide_settings
ssl_library_settings ssl_library_settings
initial_ssl_settings initial_ssl_settings
postfix_settings postfix_settings
postfix_ssl_settings postfix_ssl_settings
baseline_postfix_settings baseline_postfix_settings

View File

@ -1802,3 +1802,4 @@ bytecount
ipproto ipproto
cw cw
uncreate uncreate
MFLAGS

View File

@ -357,3 +357,4 @@ kDHE
srv srv
wraptls wraptls
api api
MinProtocol

View File

@ -3330,9 +3330,19 @@ extern bool var_smtp_sender_auth;
extern bool var_smtp_cname_overr; extern bool var_smtp_cname_overr;
/* /*
* TLS cipherlists * TLS library settings
*/
#define VAR_TLS_CNF_FILE "tls_config_file"
#define DEF_TLS_CNF_FILE "default"
extern char *var_tls_cnf_file;
#define VAR_TLS_CNF_NAME "tls_config_name"
#define DEF_TLS_CNF_NAME ""
extern char *var_tls_cnf_name;
/*
* Deprecated and unused cipher, key exchange and public key algorithms
*/ */
/* Deprecated and unused cipher, key exchange and public key algorithms */
#define TLS_EXCL_CIPHS ":!SEED:!IDEA:!3DES:!RC2:!RC4:!RC5" #define TLS_EXCL_CIPHS ":!SEED:!IDEA:!3DES:!RC2:!RC4:!RC5"
#define TLS_EXCL_KEXCH ":!kDH:!kECDH" #define TLS_EXCL_KEXCH ":!kDH:!kECDH"
#define TLS_EXCL_PKEYS ":!aDSS" #define TLS_EXCL_PKEYS ":!aDSS"

View File

@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no * Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only. * patchlevel; they change the release date only.
*/ */
#define MAIL_RELEASE_DATE "20230517" #define MAIL_RELEASE_DATE "20230521"
#define MAIL_VERSION_NUMBER "3.9" #define MAIL_VERSION_NUMBER "3.9"
#ifdef SNAPSHOT #ifdef SNAPSHOT

View File

@ -808,7 +808,7 @@ test58: $(PROG) test58.ref
echo 'yy_backup = bbb' >> main.cf echo 'yy_backup = bbb' >> main.cf
echo 'yy_bogus = bbb' >> main.cf echo 'yy_bogus = bbb' >> main.cf
touch -t 197101010000 main.cf touch -t 197101010000 main.cf
$(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./postconf -nc. >test58.tmp 2>&1 || true $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -nc. >test58.tmp 2>&1 || true
diff test58.ref test58.tmp diff test58.ref test58.tmp
rm -f main.cf master.cf test58.tmp rm -f main.cf master.cf test58.tmp
@ -994,9 +994,9 @@ test71: $(PROG) test71.ref
test72: $(PROG) test72.ref test72: $(PROG) test72.ref
rm -f main.cf master.cf rm -f main.cf master.cf
touch main.cf master.cf touch main.cf master.cf
./postconf -Mc. smtp/unix='smtp unix - n n - 0 other' $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/unix='smtp unix - n n - 0 other'
./postconf -Mc. smtp/abcd='smtp fifo - n n - 0 other' $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/abcd='smtp fifo - n n - 0 other'
./postconf -Mc. smtp/abcd='smtp inet - n n - 0 other' $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/abcd='smtp inet - n n - 0 other'
touch -t 197201010000 main.cf touch -t 197201010000 main.cf
$(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. >test72.tmp 2>&1 $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. >test72.tmp 2>&1
diff test72.ref test72.tmp diff test72.ref test72.tmp
@ -1006,10 +1006,10 @@ test72: $(PROG) test72.ref
test73: $(PROG) test73.ref test73: $(PROG) test73.ref
rm -f main.cf master.cf rm -f main.cf master.cf
touch main.cf master.cf touch main.cf master.cf
./postconf -Mc. smtp/unix='smtp unix - n n - 0 other' $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/unix='smtp unix - n n - 0 other'
./postconf -Mc. smtp/abcd='smtp fifo - n n - 0 other' $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/abcd='smtp fifo - n n - 0 other'
./postconf -Mc. smtp/abcd='smtp inet - n n - 0 other' $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/abcd='smtp inet - n n - 0 other'
./postconf -Mc. smtp/abcd='smtp unix - n n - 0 otherx' $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/abcd='smtp unix - n n - 0 otherx'
touch -t 197301010000 main.cf touch -t 197301010000 main.cf
$(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. >test73.tmp 2>&1 $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. >test73.tmp 2>&1
diff test73.ref test73.tmp diff test73.ref test73.tmp
@ -1019,10 +1019,10 @@ test73: $(PROG) test73.ref
test74: $(PROG) test74.ref test74: $(PROG) test74.ref
rm -f main.cf master.cf rm -f main.cf master.cf
touch main.cf master.cf touch main.cf master.cf
./postconf -Mc. smtp/unix='smtp unix - n n - 0 other' $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/unix='smtp unix - n n - 0 other'
./postconf -Mc. smtp/abcd='smtp fifo - n n - 0 other' $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/abcd='smtp fifo - n n - 0 other'
./postconf -Mc. smtp/abcd='smtp inet - n n - 0 other' $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/abcd='smtp inet - n n - 0 other'
./postconf -Mc. smtp/fifo='lmtp unix - n n - 0 otherx' $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/fifo='lmtp unix - n n - 0 otherx'
touch -t 197401010000 main.cf touch -t 197401010000 main.cf
$(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. >test74.tmp 2>&1 $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. >test74.tmp 2>&1
diff test74.ref test74.tmp diff test74.ref test74.tmp
@ -1032,7 +1032,7 @@ test74: $(PROG) test74.ref
test75: $(PROG) test75.ref test75: $(PROG) test75.ref
rm -f main.cf master.cf rm -f main.cf master.cf
touch main.cf master.cf touch main.cf master.cf
./postconf -c. mail_version=x mail_version=y >test75.tmp 2>&1 $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -c. mail_version=x mail_version=y >test75.tmp 2>&1
touch -t 197501010000 main.cf touch -t 197501010000 main.cf
$(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -nc. >>test75.tmp 2>&1 $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -nc. >>test75.tmp 2>&1
diff test75.ref test75.tmp diff test75.ref test75.tmp

View File

@ -793,6 +793,8 @@ static int starttls(STATE *state)
* Send all our wishes in one big request. * Send all our wishes in one big request.
*/ */
TLS_PROXY_CLIENT_INIT_PROPS(&init_props, TLS_PROXY_CLIENT_INIT_PROPS(&init_props,
cnf_file = var_tls_cnf_file,
cnf_name = var_tls_cnf_name,
log_param = "-L option", log_param = "-L option",
log_level = state->options.logopts, log_level = state->options.logopts,
verifydepth = DEF_SMTP_TLS_SCERT_VD, verifydepth = DEF_SMTP_TLS_SCERT_VD,
@ -1854,6 +1856,8 @@ static void tls_init(STATE *state)
/* Needed for tls_dane_avail() and other DANE-related processing. */ /* Needed for tls_dane_avail() and other DANE-related processing. */
state->tls_ctx = state->tls_ctx =
TLS_CLIENT_INIT(&props, TLS_CLIENT_INIT(&props,
cnf_file = var_tls_cnf_file,
cnf_name = var_tls_cnf_name,
log_param = "-L option", log_param = "-L option",
log_level = state->options.logopts, log_level = state->options.logopts,
verifydepth = DEF_SMTP_TLS_SCERT_VD, verifydepth = DEF_SMTP_TLS_SCERT_VD,
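Review bot: both hunks pass var_tls_cnf_file and var_tls_cnf_name, which mail_params.h only declares as externs, and posttls-finger is a stand-alone program with its own parameter setup; please confirm that the new tls_param_init() path (or whatever defines these variables) runs in posttls-finger before starttls()/tls_init(), otherwise the proxy request and the direct TLS_CLIENT_INIT() call would send unset pointers.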

View File

@ -792,8 +792,8 @@
/* .IP "\fBdisable_dns_lookups (no)\fR" /* .IP "\fBdisable_dns_lookups (no)\fR"
/* Disable DNS lookups in the Postfix SMTP and LMTP clients. /* Disable DNS lookups in the Postfix SMTP and LMTP clients.
/* .IP "\fBinet_interfaces (all)\fR" /* .IP "\fBinet_interfaces (all)\fR"
/* The local network interface addresses that this mail system receives /* The local network interface addresses that this mail system
/* mail on. /* receives mail on.
/* .IP "\fBinet_protocols (see 'postconf -d output')\fR" /* .IP "\fBinet_protocols (see 'postconf -d output')\fR"
/* The Internet protocols Postfix will attempt to use when making /* The Internet protocols Postfix will attempt to use when making
/* or accepting connections. /* or accepting connections.
@ -1110,8 +1110,8 @@ bool var_smtp_balance_inet_proto;
bool var_smtp_req_deadline; bool var_smtp_req_deadline;
int var_smtp_min_data_rate; int var_smtp_min_data_rate;
char *var_use_srv_lookup; char *var_use_srv_lookup;
bool var_ign_srv_lookup_err; bool var_ign_srv_lookup_err;
bool var_allow_srv_fallback; bool var_allow_srv_fallback;
/* Special handling of 535 AUTH errors. */ /* Special handling of 535 AUTH errors. */
char *var_smtp_sasl_auth_cache_name; char *var_smtp_sasl_auth_cache_name;
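Review bot: this hunk and the one at line 1119 show no textual difference between the old and new columns, so they appear to be whitespace-only changes to the variable declarations; unless the realignment is deliberate, dropping them keeps the diff limited to the cnf_file/cnf_name change at pre_init().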
@ -1119,7 +1119,7 @@ int var_smtp_sasl_auth_cache_time;
bool var_smtp_sasl_auth_soft_bounce; bool var_smtp_sasl_auth_soft_bounce;
char *var_hfrom_format; char *var_hfrom_format;
bool var_smtp_bind_addr_enforce; bool var_smtp_bind_addr_enforce;
/* /*
* Global variables. * Global variables.
@ -1512,6 +1512,8 @@ static void pre_init(char *unused_name, char **unused_argv)
*/ */
smtp_tls_ctx = smtp_tls_ctx =
TLS_CLIENT_INIT(&props, TLS_CLIENT_INIT(&props,
cnf_file = var_tls_cnf_file,
cnf_name = var_tls_cnf_name,
log_param = VAR_LMTP_SMTP(TLS_LOGLEVEL), log_param = VAR_LMTP_SMTP(TLS_LOGLEVEL),
log_level = var_smtp_tls_loglevel, log_level = var_smtp_tls_loglevel,
verifydepth = var_smtp_tls_scert_vd, verifydepth = var_smtp_tls_scert_vd,

View File

@ -911,6 +911,8 @@ static int smtp_start_tls(SMTP_STATE *state)
* Send all our wishes in one big request. * Send all our wishes in one big request.
*/ */
TLS_PROXY_CLIENT_INIT_PROPS(&init_props, TLS_PROXY_CLIENT_INIT_PROPS(&init_props,
cnf_file = var_tls_cnf_file,
cnf_name = var_tls_cnf_name,
log_param = VAR_LMTP_SMTP(TLS_LOGLEVEL), log_param = VAR_LMTP_SMTP(TLS_LOGLEVEL),
log_level = var_smtp_tls_loglevel, log_level = var_smtp_tls_loglevel,
verifydepth = var_smtp_tls_scert_vd, verifydepth = var_smtp_tls_scert_vd,
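Review bot: the cnf_file/cnf_name values sent to tlsproxy(8) here are the smtp(8) client's main.cf settings, but on the proxy side tls_client_init() ends up in tls_library_init(), which reads tlsproxy's own var_tls_cnf_file/var_tls_cnf_name globals rather than the received props->cnf_file/props->cnf_name, so if the two main.cf instances disagree the client's value is silently ignored. Either compare the received values against the proxy's own and log a warning on mismatch, or state in the postconf(5) text for tls_config_file and tls_config_name that the tlsproxy(8) process' settings govern proxied connections.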


@ -114,7 +114,8 @@ smtpd_addr_valid_test: smtpd_check smtpd_addr_valid.in smtpd_addr_valid.ref
# This requires that the DNS server can query porcupine.org. # This requires that the DNS server can query porcupine.org.
ADDRINFO_FIX = sed 's/No address associated with hostname/hostname nor servname provided, or not known/' ADDRINFO_FIX = sed -e 's/No address associated with hostname/hostname nor servname provided, or not known/' \
-e 's/Name or service not known/hostname nor servname provided, or not known/'
smtpd_exp_test: smtpd_check smtpd_exp.in smtpd_exp.ref smtpd_exp_test: smtpd_check smtpd_exp.in smtpd_exp.ref
$(SHLIB_ENV) $(VALGRIND) ../postmap/postmap hash:smtpd_check_access $(SHLIB_ENV) $(VALGRIND) ../postmap/postmap hash:smtpd_check_access
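Review bot: the second -e expression maps another libc gai_strerror() wording ("Name or service not known") onto the same BSD-style reference text as the existing rewrite, which makes the test pass regardless of which of the two lookup failures the resolver reported; a short comment above ADDRINFO_FIX naming the platform each wording comes from would make the next libc wording change easier to add, and confirms for the reader that smtpd_addr_valid.ref and smtpd_exp.ref deliberately do not distinguish the two cases.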


@ -77,6 +77,7 @@ extern const char *str_tls_level(int);
#include <openssl/evp.h> /* New OpenSSL 3.0 EVP_PKEY APIs */ #include <openssl/evp.h> /* New OpenSSL 3.0 EVP_PKEY APIs */
#include <openssl/opensslv.h> /* OPENSSL_VERSION_NUMBER */ #include <openssl/opensslv.h> /* OPENSSL_VERSION_NUMBER */
#include <openssl/ssl.h> #include <openssl/ssl.h>
#include <openssl/conf.h>
/* Appease indent(1) */ /* Appease indent(1) */
#define x509_stack_t STACK_OF(X509) #define x509_stack_t STACK_OF(X509)
@ -322,6 +323,7 @@ extern void tls_free_app_context(TLS_APPL_STATE *);
* tls_misc.c * tls_misc.c
*/ */
extern void tls_param_init(void); extern void tls_param_init(void);
extern int tls_library_init(void);
/* /*
* Protocol selection. * Protocol selection.
@ -449,6 +451,8 @@ extern void tls_get_signature_params(TLS_SESS_STATE *);
* tls_client.c * tls_client.c
*/ */
typedef struct { typedef struct {
const char *cnf_file;
const char *cnf_name;
const char *log_param; const char *log_param;
const char *log_level; const char *log_level;
int verifydepth; int verifydepth;
@ -494,16 +498,16 @@ extern TLS_SESS_STATE *tls_client_post_connect(TLS_SESS_STATE *,
tls_session_stop(ctx, (stream), (timeout), (failure), (TLScontext)) tls_session_stop(ctx, (stream), (timeout), (failure), (TLScontext))
#define TLS_CLIENT_INIT_ARGS(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \ #define TLS_CLIENT_INIT_ARGS(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
a10, a11, a12, a13, a14) \ a10, a11, a12, a13, a14, a15, a16) \
(((props)->a1), ((props)->a2), ((props)->a3), \ (((props)->a1), ((props)->a2), ((props)->a3), ((props)->a4), \
((props)->a4), ((props)->a5), ((props)->a6), ((props)->a7), \ ((props)->a5), ((props)->a6), ((props)->a7), ((props)->a8), \
((props)->a8), ((props)->a9), ((props)->a10), ((props)->a11), \ ((props)->a9), ((props)->a10), ((props)->a11), ((props)->a12), \
((props)->a12), ((props)->a13), ((props)->a14), (props)) ((props)->a13), ((props)->a14), ((props)->a15), ((props)->a16), (props))
#define TLS_CLIENT_INIT(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \ #define TLS_CLIENT_INIT(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
a10, a11, a12, a13, a14) \ a10, a11, a12, a13, a14, a15, a16) \
tls_client_init(TLS_CLIENT_INIT_ARGS(props, a1, a2, a3, a4, a5, \ tls_client_init(TLS_CLIENT_INIT_ARGS(props, a1, a2, a3, a4, a5, \
a6, a7, a8, a9, a10, a11, a12, a13, a14)) a6, a7, a8, a9, a10, a11, a12, a13, a14, a15, a16))
#define TLS_CLIENT_START(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \ #define TLS_CLIENT_START(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
a10, a11, a12, a13, a14, a15, a16, a17) \ a10, a11, a12, a13, a14, a15, a16, a17) \


@ -640,6 +640,13 @@ TLS_APPL_STATE *tls_client_init(const TLS_CLIENT_INIT_PROPS *props)
*/ */
tls_check_version(); tls_check_version();
/*
* Initialize the OpenSSL library, possibly loading its configuration
* file.
*/
if (tls_library_init() == 0)
return (0);
/* /*
* Create an application data index for SSL objects, so that we can * Create an application data index for SSL objects, so that we can
* attach TLScontext information; this information is needed inside * attach TLScontext information; this information is needed inside
@ -788,8 +795,8 @@ TLS_APPL_STATE *tls_client_init(const TLS_CLIENT_INIT_PROPS *props)
/* /*
* With OpenSSL 1.0.2 and later the client EECDH curve list becomes * With OpenSSL 1.0.2 and later the client EECDH curve list becomes
* configurable with the preferred curve negotiated via the supported * configurable with the preferred curve negotiated via the supported
* curves extension. With OpenSSL 3.0 and TLS 1.3, the same applies * curves extension. With OpenSSL 3.0 and TLS 1.3, the same applies to
* to the FFDHE groups which become part of a unified "groups" list. * the FFDHE groups which become part of a unified "groups" list.
*/ */
tls_auto_groups(client_ctx, var_tls_eecdh_auto, var_tls_ffdhe_auto); tls_auto_groups(client_ctx, var_tls_eecdh_auto, var_tls_ffdhe_auto);


@ -29,6 +29,8 @@
/* #define TLS_INTERNAL /* #define TLS_INTERNAL
/* #include <tls.h> /* #include <tls.h>
/* /*
/* char *var_tls_cnf_file;
/* char *var_tls_cnf_name;
/* char *var_tls_high_clist; /* char *var_tls_high_clist;
/* char *var_tls_medium_clist; /* char *var_tls_medium_clist;
/* char *var_tls_null_clist; /* char *var_tls_null_clist;
@ -68,6 +70,8 @@
/* /*
/* void tls_param_init() /* void tls_param_init()
/* /*
/* int tls_library_init(void)
/*
/* int tls_proto_mask_lims(plist, floor, ceiling) /* int tls_proto_mask_lims(plist, floor, ceiling)
/* const char *plist; /* const char *plist;
/* int *floor; /* int *floor;
@ -156,6 +160,9 @@
/* tls_param_init() loads main.cf parameters used internally in /* tls_param_init() loads main.cf parameters used internally in
/* TLS library. Any errors are fatal. /* TLS library. Any errors are fatal.
/* /*
/* tls_library_init() initializes the OpenSSL library, optionally
/* loading an OpenSSL configuration file.
/*
/* tls_pre_jail_init() opens any tables that need to be opened before /* tls_pre_jail_init() opens any tables that need to be opened before
/* entering a chroot jail. The "role" parameter must be TLS_ROLE_CLIENT /* entering a chroot jail. The "role" parameter must be TLS_ROLE_CLIENT
/* for clients and TLS_ROLE_SERVER for servers. Any errors are fatal. /* for clients and TLS_ROLE_SERVER for servers. Any errors are fatal.
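Review bot: the new tls_library_init() paragraph should state its contract: it returns 1 on success and 0 after logging a warning (the callers in tls_client_init() and tls_server_init() treat 0 as "disable TLS support"), it relies on var_tls_cnf_file and var_tls_cnf_name so tls_param_init() must have run first, and it accepts only "default", "none", or an absolute pathname for tls_config_file. As written, the synopsis lists the prototype but nothing says the error case is non-fatal, unlike tls_param_init() whose errors are documented as fatal two paragraphs above.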
@ -274,6 +281,8 @@
/* /*
* Tunable parameters. * Tunable parameters.
*/ */
char *var_tls_cnf_file;
char *var_tls_cnf_name;
char *var_tls_high_clist; char *var_tls_high_clist;
char *var_tls_medium_clist; char *var_tls_medium_clist;
char *var_tls_low_ignored; char *var_tls_low_ignored;
@ -643,6 +652,8 @@ void tls_param_init(void)
{ {
/* If this changes, update TLS_CLIENT_PARAMS in tls_proxy.h. */ /* If this changes, update TLS_CLIENT_PARAMS in tls_proxy.h. */
static const CONFIG_STR_TABLE str_table[] = { static const CONFIG_STR_TABLE str_table[] = {
VAR_TLS_CNF_FILE, DEF_TLS_CNF_FILE, &var_tls_cnf_file, 0, 0,
VAR_TLS_CNF_NAME, DEF_TLS_CNF_NAME, &var_tls_cnf_name, 0, 0,
VAR_TLS_HIGH_CLIST, DEF_TLS_HIGH_CLIST, &var_tls_high_clist, 1, 0, VAR_TLS_HIGH_CLIST, DEF_TLS_HIGH_CLIST, &var_tls_high_clist, 1, 0,
VAR_TLS_MEDIUM_CLIST, DEF_TLS_MEDIUM_CLIST, &var_tls_medium_clist, 1, 0, VAR_TLS_MEDIUM_CLIST, DEF_TLS_MEDIUM_CLIST, &var_tls_medium_clist, 1, 0,
VAR_TLS_LOW_CLIST, DEF_TLS_LOW_CLIST, &var_tls_low_ignored, 0, 0, VAR_TLS_LOW_CLIST, DEF_TLS_LOW_CLIST, &var_tls_low_ignored, 0, 0,
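Review bot: VAR_TLS_CNF_FILE is registered with a minimum length of 0, so an empty tls_config_file passes parameter validation and then reaches tls_library_init(), where "" matches neither "default" nor "none" nor an absolute path and TLS is disabled with the misleading "is not an absolute pathname" warning (or, on OpenSSL before 1.1.1b, "requires OpenSSL 1.1.1b or later"). Either use a minimum length of 1 as the cipherlist entries on the following lines do, or have tls_library_init() treat an empty value as "default".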
@ -687,6 +698,88 @@ void tls_param_init(void)
get_mail_conf_bool_table(bool_table); get_mail_conf_bool_table(bool_table);
} }
/* tls_library_init - perform OpenSSL library initialization */
int tls_library_init(void)
{
OPENSSL_INIT_SETTINGS *init_settings = 0;
char *conf_name = *var_tls_cnf_name ? var_tls_cnf_name : 0;
char *conf_file = 0;
unsigned long init_opts = 0;
if ((init_settings = OPENSSL_INIT_new()) == 0) {
msg_warn("error allocating OpenSSL init settings, "
"disabling TLS support");
return (0);
}
#if OPENSSL_VERSION_NUMBER < 0x1010102fL
/*
* OpenSSL 1.1.0 through 1.1.1a, no support for custom configuration
* files, disabling loading of the file, or getting strict error
* handling. Thus, the only supported configuration file is "default".
*/
if (strcmp(var_tls_cnf_file, "default") != 0) {
msg_warn("non-default %s = %s requires OpenSSL 1.1.1b or later, "
"disabling TLS support", VAR_TLS_CNF_FILE, var_tls_cnf_file);
return (0);
}
#else
{
unsigned long init_flags = 0;
/*-
* OpenSSL 1.1.1b or later:
* We can now choose a non-default or configuration file, or
* use none at all. We can also request strict error
* reporting.
*/
if (strcmp(var_tls_cnf_file, "default") == 0) {
conf_file = 0;
/* The default global config file is optional */
init_flags |= CONF_MFLAGS_IGNORE_MISSING_FILE;
} else if (strcmp(var_tls_cnf_file, "none") == 0) {
init_opts |= OPENSSL_INIT_NO_LOAD_CONFIG;
} else if (*var_tls_cnf_file == '/') {
conf_file = var_tls_cnf_file;
} else {
msg_warn("non-default %s = %s is not an absolute pathname, "
"disabling TLS support", VAR_TLS_CNF_FILE, var_tls_cnf_file);
return (0);
}
/*
* By not including CONF_MFLAGS_IGNORE_RETURN_CODES, we get strict
* error reporting. We don't insist on a match for the requested
* application name, allowing fallback to the default application
* name, even when a non-default application name is specified by
* always setting the CONF_MFLAGS_DEFAULT_SECTION bit.
*/
init_flags |= CONF_MFLAGS_DEFAULT_SECTION;
OPENSSL_INIT_set_config_file_flags(init_settings, init_flags);
}
#endif
if (conf_file)
OPENSSL_INIT_set_config_filename(init_settings, conf_file);
if (conf_name)
OPENSSL_INIT_set_config_appname(init_settings, conf_name);
if (OPENSSL_init_ssl(init_opts, init_settings) <= 0) {
if ((init_opts & OPENSSL_INIT_NO_LOAD_CONFIG) == 0)
msg_warn("error loading the '%s' settings from the %s OpenSSL "
"configuration file, disabling TLS support",
conf_name ? conf_name : "global",
conf_file ? conf_file : "default");
else
msg_warn("error initializing the OpenSSL library, "
"disabling TLS support");
tls_print_errors();
return (0);
}
return (1);
}
/* tls_pre_jail_init - Load TLS related pre-jail tables */ /* tls_pre_jail_init - Load TLS related pre-jail tables */
void tls_pre_jail_init(TLS_ROLE role) void tls_pre_jail_init(TLS_ROLE role)
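Review bot: the OPENSSL_INIT_SETTINGS allocated at the top of tls_library_init() is never released; OpenSSL expects OPENSSL_INIT_free() on a settings object once OPENSSL_init_ssl() has returned, and the early returns after the "requires OpenSSL 1.1.1b or later" and "is not an absolute pathname" warnings leak it as well. Since tls_library_init() is invoked from both tls_client_init() and tls_server_init() and can therefore run more than once per process (tlsproxy(8) does both), a static "already done" flag that short-circuits after the first successful call would avoid the repeated allocation and make explicit that only the first OPENSSL_init_ssl() call loads the configuration. Minor: the comment reads "a non-default or configuration file"; presumably "a non-default configuration file".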


@ -97,11 +97,12 @@ extern VSTREAM *tls_proxy_open(const char *, int, VSTREAM *, const char *,
void *, void *, void *); void *, void *, void *);
#define TLS_PROXY_CLIENT_INIT_PROPS(props, a1, a2, a3, a4, a5, a6, a7, a8, \ #define TLS_PROXY_CLIENT_INIT_PROPS(props, a1, a2, a3, a4, a5, a6, a7, a8, \
a9, a10, a11, a12, a13, a14) \ a9, a10, a11, a12, a13, a14, a15, a16) \
(((props)->a1), ((props)->a2), ((props)->a3), \ (((props)->a1), ((props)->a2), ((props)->a3), \
((props)->a4), ((props)->a5), ((props)->a6), ((props)->a7), \ ((props)->a4), ((props)->a5), ((props)->a6), ((props)->a7), \
((props)->a8), ((props)->a9), ((props)->a10), ((props)->a11), \ ((props)->a8), ((props)->a9), ((props)->a10), ((props)->a11), \
((props)->a12), ((props)->a13), ((props)->a14)) ((props)->a12), ((props)->a13), ((props)->a14), ((props)->a15), \
((props)->a16))
#define TLS_PROXY_CLIENT_START_PROPS(props, a1, a2, a3, a4, a5, a6, a7, a8, \ #define TLS_PROXY_CLIENT_START_PROPS(props, a1, a2, a3, a4, a5, a6, a7, a8, \
a9, a10, a11, a12, a13, a14) \ a9, a10, a11, a12, a13, a14) \
@ -214,6 +215,8 @@ extern void tls_proxy_server_start_free(TLS_SERVER_START_PROPS *);
/* /*
* TLS_CLIENT_INIT_PROPS attributes. * TLS_CLIENT_INIT_PROPS attributes.
*/ */
#define TLS_ATTR_CNF_FILE "config_file"
#define TLS_ATTR_CNF_NAME "config_name"
#define TLS_ATTR_LOG_PARAM "log_param" #define TLS_ATTR_LOG_PARAM "log_param"
#define TLS_ATTR_LOG_LEVEL "log_level" #define TLS_ATTR_LOG_LEVEL "log_level"
#define TLS_ATTR_VERIFYDEPTH "verifydepth" #define TLS_ATTR_VERIFYDEPTH "verifydepth"


@ -144,6 +144,10 @@ int tls_proxy_client_init_print(ATTR_PRINT_COMMON_FN print_fn, VSTREAM *fp,
#define STRING_OR_EMPTY(s) ((s) ? (s) : "") #define STRING_OR_EMPTY(s) ((s) ? (s) : "")
ret = print_fn(fp, flags | ATTR_FLAG_MORE, ret = print_fn(fp, flags | ATTR_FLAG_MORE,
SEND_ATTR_STR(TLS_ATTR_CNF_FILE,
STRING_OR_EMPTY(props->cnf_file)),
SEND_ATTR_STR(TLS_ATTR_CNF_NAME,
STRING_OR_EMPTY(props->cnf_name)),
SEND_ATTR_STR(TLS_ATTR_LOG_PARAM, SEND_ATTR_STR(TLS_ATTR_LOG_PARAM,
STRING_OR_EMPTY(props->log_param)), STRING_OR_EMPTY(props->log_param)),
SEND_ATTR_STR(TLS_ATTR_LOG_LEVEL, SEND_ATTR_STR(TLS_ATTR_LOG_LEVEL,


@ -217,6 +217,8 @@ int tls_proxy_client_param_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
void tls_proxy_client_init_free(TLS_CLIENT_INIT_PROPS *props) void tls_proxy_client_init_free(TLS_CLIENT_INIT_PROPS *props)
{ {
myfree((void *) props->cnf_file);
myfree((void *) props->cnf_name);
myfree((void *) props->log_param); myfree((void *) props->log_param);
myfree((void *) props->log_level); myfree((void *) props->log_level);
myfree((void *) props->cache_type); myfree((void *) props->cache_type);
@ -241,6 +243,8 @@ int tls_proxy_client_init_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
TLS_CLIENT_INIT_PROPS *props TLS_CLIENT_INIT_PROPS *props
= (TLS_CLIENT_INIT_PROPS *) mymalloc(sizeof(*props)); = (TLS_CLIENT_INIT_PROPS *) mymalloc(sizeof(*props));
int ret; int ret;
VSTRING *cnf_file = vstring_alloc(25);
VSTRING *cnf_name = vstring_alloc(25);
VSTRING *log_param = vstring_alloc(25); VSTRING *log_param = vstring_alloc(25);
VSTRING *log_level = vstring_alloc(25); VSTRING *log_level = vstring_alloc(25);
VSTRING *cache_type = vstring_alloc(25); VSTRING *cache_type = vstring_alloc(25);
@ -263,6 +267,8 @@ int tls_proxy_client_init_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
*/ */
memset(props, 0, sizeof(*props)); memset(props, 0, sizeof(*props));
ret = scan_fn(fp, flags | ATTR_FLAG_MORE, ret = scan_fn(fp, flags | ATTR_FLAG_MORE,
RECV_ATTR_STR(TLS_ATTR_CNF_FILE, cnf_file),
RECV_ATTR_STR(TLS_ATTR_CNF_NAME, cnf_name),
RECV_ATTR_STR(TLS_ATTR_LOG_PARAM, log_param), RECV_ATTR_STR(TLS_ATTR_LOG_PARAM, log_param),
RECV_ATTR_STR(TLS_ATTR_LOG_LEVEL, log_level), RECV_ATTR_STR(TLS_ATTR_LOG_LEVEL, log_level),
RECV_ATTR_INT(TLS_ATTR_VERIFYDEPTH, &props->verifydepth), RECV_ATTR_INT(TLS_ATTR_VERIFYDEPTH, &props->verifydepth),
@ -279,6 +285,8 @@ int tls_proxy_client_init_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
RECV_ATTR_STR(TLS_ATTR_MDALG, mdalg), RECV_ATTR_STR(TLS_ATTR_MDALG, mdalg),
ATTR_TYPE_END); ATTR_TYPE_END);
/* Always construct a well-formed structure. */ /* Always construct a well-formed structure. */
props->cnf_file = vstring_export(cnf_file);
props->cnf_name = vstring_export(cnf_name);
props->log_param = vstring_export(log_param); props->log_param = vstring_export(log_param);
props->log_level = vstring_export(log_level); props->log_level = vstring_export(log_level);
props->cache_type = vstring_export(cache_type); props->cache_type = vstring_export(cache_type);
@ -292,7 +300,7 @@ int tls_proxy_client_init_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
props->CAfile = vstring_export(CAfile); props->CAfile = vstring_export(CAfile);
props->CApath = vstring_export(CApath); props->CApath = vstring_export(CApath);
props->mdalg = vstring_export(mdalg); props->mdalg = vstring_export(mdalg);
ret = (ret == 14 ? 1 : -1); ret = (ret == 16 ? 1 : -1);
if (ret != 1) { if (ret != 1) {
tls_proxy_client_init_free(props); tls_proxy_client_init_free(props);
props = 0; props = 0;
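Review bot: the success check ret == 16 is a hard-coded count of the attributes scanned in the call above (14 before, 16 now with config_file and config_name), and the same arity is repeated as a15/a16 in the TLS_CLIENT_INIT_ARGS and TLS_PROXY_CLIENT_INIT_PROPS macros, so the next attribute addition has to touch all of them in step. A comment next to the literal, or a #define for the attribute count in tls_proxy.h shared with tls_proxy_client_init_print(), would keep the scan side from silently drifting from the print side.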


@ -168,10 +168,12 @@
static const char server_session_id_context[] = "Postfix/TLS"; static const char server_session_id_context[] = "Postfix/TLS";
#ifndef OPENSSL_NO_TLSEXT #ifndef OPENSSL_NO_TLSEXT
/* /*
* We retain the cipher handle for the lifetime of the process. * We retain the cipher handle for the lifetime of the process.
*/ */
static const EVP_CIPHER *tkt_cipher; static const EVP_CIPHER *tkt_cipher;
#endif #endif
#define GET_SID(s, v, lptr) ((v) = SSL_SESSION_get_id((s), (lptr))) #define GET_SID(s, v, lptr) ((v) = SSL_SESSION_get_id((s), (lptr)))
@ -419,6 +421,13 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
*/ */
tls_check_version(); tls_check_version();
/*
* Initialize the OpenSSL library, possibly loading its configuration
* file.
*/
if (tls_library_init() == 0)
return (0);
/* /*
* First validate the protocols. If these are invalid, we can't continue. * First validate the protocols. If these are invalid, we can't continue.
*/ */
@ -677,10 +686,10 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
tls_tmp_dh(sni_ctx, 1); tls_tmp_dh(sni_ctx, 1);
/* /*
* Enable EECDH if available, errors are not fatal, we just keep going with * Enable EECDH if available, errors are not fatal, we just keep going
* any remaining key-exchange algorithms. With OpenSSL 3.0 and TLS 1.3, * with any remaining key-exchange algorithms. With OpenSSL 3.0 and TLS
* the same applies to the FFDHE groups which become part of a unified * 1.3, the same applies to the FFDHE groups which become part of a
* "groups" list. * unified "groups" list.
*/ */
tls_auto_groups(server_ctx, var_tls_eecdh_auto, var_tls_ffdhe_auto); tls_auto_groups(server_ctx, var_tls_eecdh_auto, var_tls_ffdhe_auto);
tls_auto_groups(sni_ctx, var_tls_eecdh_auto, var_tls_ffdhe_auto); tls_auto_groups(sni_ctx, var_tls_eecdh_auto, var_tls_ffdhe_auto);


@ -1742,6 +1742,8 @@ static void pre_jail_init_client(void)
*/ */
(void) tls_proxy_client_param_from_config(&tls_params); (void) tls_proxy_client_param_from_config(&tls_params);
(void) TLS_CLIENT_INIT_ARGS(&init_props, (void) TLS_CLIENT_INIT_ARGS(&init_props,
cnf_file = var_tls_cnf_file,
cnf_name = var_tls_cnf_name,
log_param = var_tlsp_clnt_logparam, log_param = var_tlsp_clnt_logparam,
log_level = var_tlsp_clnt_loglevel, log_level = var_tlsp_clnt_loglevel,
verifydepth = var_tlsp_clnt_scert_vd, verifydepth = var_tlsp_clnt_scert_vd,