postfix-3.9-20230521

postfix/HISTORY

@@ -27132,7 +27132,7 @@ Apologies for any names omitted.
 
 	Usability: improved error message when master.cf specifies
 	a wild-card network listener (like "smtp inet ... smtpd")
-	while `inet_interfaces is empty. File: master/master_ent.c.
+	while inet_interfaces is empty. File: master/master_ent.c.
 
 	More documentation updates for local aliasing versus virtual
 	aliasing. Files: proto/aliases, proto/virtual, postfix/postfix.c.
@@ -27180,3 +27180,30 @@ Apologies for any names omitted.
 	This also fixes a warning message when a destination contains
 	":service" information. Reported by Thomas Korbar. File:
 	posttls-finger/posttls-finger.c.
+
+20230519
+
+	Cleanup: fixed postconf tests for dynamically-linked builds.
+	File: postconf/Makefile.in.
+
+20230521
+
+	Bitrot: library error messages in SMTP server tests.  File:
+	smtpd/Makefile.in.
+
+	Cleanup: removed some "the the" instances. Files:
+	proto/MILTER_README.html proto/stop.double-proto-html.
+
+	Bitrot: preliminary support for OpenSSL configuration files,
+	primarily OpenSSL 1.1.1b and later. This introduces new
+	parameters "tls_config_file" and "tls_config_name", which
+	can be used to limit collateral damage from OS distributions
+	that crank up security to 11, increasing the number of
+	plaintext email deliveries. Details are in the postconf(5)
+	manpage under "tls_config_file" and "tls_config_name".
+	Viktor Dukhovni. Files: mantools/postlink, proto/postconf.proto,
+	global/mail_params.h, posttls-finger/posttls-finger.c,
+	smtp/smtp.c, smtp/smtp_proto.c, tls/tls_client.c, tls/tls.h,
+	tls/tls_misc.c, tls/tls_proxy_client_print.c,
+	tls/tls_proxy_client_scan.c, tls/tls_proxy.h, tls/tls_server.c,
+	tlsproxy/tlsproxy.c.

postfix/README_FILES/MILTER_README

@@ -392,9 +392,9 @@ ccoommmmaa wwiitthhiinn aa vvaalluuee oorr aarroouunndd
 DDiiffffeerreenntt sseettttiinnggss ffoorr ddiiffffeerreenntt SSMMTTPP cclliieennttss
 
 The smtpd_milter_maps feature supports different Milter settings for different
-client IP addresses. Lookup results override the the global smtpd_milters
-setting, and have the same syntax. For example, to disable Milter settings for
-local address ranges:
+client IP addresses. Lookup results override the global smtpd_milters setting,
+and have the same syntax. For example, to disable Milter settings for local
+address ranges:
 
 /etc/postfix/main.cf:
     smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map

postfix/RELEASE_NOTES

@@ -26,6 +26,17 @@ now also distributed with the more recent Eclipse Public License
 license of their choice. Those who are more comfortable with the
 IPL can continue with that license.
 
+Major changes with snapshot 20230522
+====================================
+
+Preliminary support for OpenSSL configuration files, primarily
+OpenSSL 1.1.1b and later. This introduces two new parameters
+"tls_config_file" and "tls_config_name", which can be used to limit
+collateral damage from OS distributions that crank up security to
+11, increasing the number of plaintext email deliveries. Details
+are in the postconf(5) manpage under "tls_config_file" and
+"tls_config_name".
+
 Incompatible changes with snapshot 20230419
 ===========================================
 

postfix/WISHLIST

@@ -1,5 +1,9 @@
 Wish list:
 
+	In tlsproxy, diff the server-side TLS library settings
+	against those from a tlsproxy client, and make sure that
+	the diff covers the new cnf_file and cnf_name properties.
+
 	Things to do before the stable release:
 
 	make pre-release-check, HTML validator check.

postfix/html/MILTER_README.html

@@ -630,7 +630,7 @@ and protocol.  </p>
 clients </a></h3>
 
 <p> The <a href="postconf.5.html#smtpd_milter_maps">smtpd_milter_maps</a> feature supports different Milter settings
-for different client IP addresses. Lookup results override the the
+for different client IP addresses. Lookup results override the
 global <a href="postconf.5.html#smtpd_milters">smtpd_milters</a> setting, and have the same syntax. For example,
 to disable Milter settings for local address ranges: </p>
 

postfix/html/postconf.5.html

@@ -19261,6 +19261,112 @@ backwards compatibility, to avoid breaking certificate verification
 with sites that don't use <a href="postconf.5.html#permit_tls_all_clientcerts">permit_tls_all_clientcerts</a>. </p>
 
 
+</DD>
+
+<DT><b><a name="tls_config_file">tls_config_file</a>
+(default: default)</b></DT><DD>
+
+<p> Optional configuration file with baseline OpenSSL settings.
+OpenSSL loads any SSL settings found in the configuration file for
+the selected application name (see <a href="postconf.5.html#tls_config_name">tls_config_name</a>) or else the
+built-in application name "openssl_conf" when no application name is
+specified, or no corresponding configuration section is present.
+</p>
+
+<p> With OpenSSL releases 1.1.1 and 1.1.1a, applications (including
+Postfix) can neither specify an alternative configuration file, nor
+avoid loading the default configuration file.  </p>
+
+<p> With OpenSSL 1.1.1b or later, this parameter may be set to one of:
+</p>
+
+<dl>
+
+<dt> <b>default</b> (default) </dt> <dd> Load the system-wide
+"openssl.cnf" configuration file.  </dd>
+
+<dt> <b>none</b> (recommended, OpenSSL 1.1.1b or later only) </dt>
+<dd> This setting disables loading of  the system-wide "openssl.cnf"
+file.  </dd>
+
+<dt> <b><i>/absolute-path</i></b> (OpenSSL 1.1.1b or later only) </dt>
+<dd> Load the configuration file specified by <i>/absolute-path</i>.
+With this setting it is an error for the file to not contain any
+settings for the selected <a href="postconf.5.html#tls_config_name">tls_config_name</a>.  There is no fallback to
+the default "openssl_conf" name. </dd>
+
+</dl>
+
+<p> Failures in processing of the built-in default configuration
+file, are silently ignored with OpenSSL prior to 1.1.1b.  With later
+OpenSSL releases, any errors in loading either the default or custom
+configuration file are detected by Postfix, and cause TLS support to
+be disabled.  </p>
+
+<p> The OpenSSL configuration file format is not documented here,
+beyond giving two examples. <p>
+
+<p> Example: Default settings for all applications. </p>
+
+<blockquote>
+<pre>
+# The name 'openssl_conf' is the default application name
+# The section name to the right of the '=' sign is arbitrary,
+# any name will do, so long as it refers to the desired section.
+#
+# The name 'system_default' selects the settings applied internally
+# by the SSL library as part of SSL object creation.  Applications
+# can then apply any additional settings of their choice.
+#
+# In this example, TLS versions prior to 1.2 are disabled by default.
+#
+openssl_conf = system_wide_settings
+[system_wide_settings]
+ssl_conf = ssl_library_settings
+[ssl_library_settings]
+system_default = initial_ssl_settings
+[initial_ssl_settings]
+MinProtocol = TLSv1.2
+</pre>
+</blockquote>
+
+<p> Example: Custom settings for an application named "postfix". </p>
+
+<blockquote>
+<pre>
+# The mapping from an application name to the corresponding configuration
+# section must appear near the top of the file, (in what is sometimes called
+# the "default section") prior to the start of any explicitly named
+# "[sections]".  The named sections can appear in any order and don't nest.
+#
+postfix = postfix_settings
+[postfix_settings]
+ssl_conf = postfix_ssl_settings
+[postfix_ssl_settings]
+system_default = baseline_postfix_settings
+[baseline_postfix_settings]
+MinProtocol = TLSv1
+</pre>
+</blockquote>
+
+<p> This feature is available in Postfix &ge; 3.9. </p>
+
+
+</DD>
+
+<DT><b><a name="tls_config_name">tls_config_name</a>
+(default: empty)</b></DT><DD>
+
+<p> The application name passed by Postfix to OpenSSL library
+initialization functions.  This name is used to select the desired
+configuration "section" in the OpenSSL configuration file specified
+via the <a href="postconf.5.html#tls_config_file">tls_config_file</a> parameter.  When empty, or when the
+selected name is not present in the configuration file, the default
+application name ("openssl_conf") is used as a fallback.  </p>
+
+<p> This feature is available in Postfix &ge; 3.9.  </p>
+
+
 </DD>
 
 <DT><b><a name="tls_daemon_random_bytes">tls_daemon_random_bytes</a>

postfix/man/man5/postconf.5

@@ -13640,6 +13640,104 @@ This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8,
 2.7.2 and later versions. Specify "tls_append_default_CA = yes" for
 backwards compatibility, to avoid breaking certificate verification
 with sites that don't use permit_tls_all_clientcerts.
+.SH tls_config_file (default: default)
+Optional configuration file with baseline OpenSSL settings.
+OpenSSL loads any SSL settings found in the configuration file for
+the selected application name (see tls_config_name) or else the
+built\-in application name "openssl_conf" when no application name is
+specified, or no corresponding configuration section is present.
+.PP
+With OpenSSL releases 1.1.1 and 1.1.1a, applications (including
+Postfix) can neither specify an alternative configuration file, nor
+avoid loading the default configuration file.
+.PP
+With OpenSSL 1.1.1b or later, this parameter may be set to one of:
+.IP "\fBdefault\fR (default)"
+Load the system\-wide
+"openssl.cnf" configuration file.
+.br
+.IP "\fBnone\fR (recommended, OpenSSL 1.1.1b or later only)"
+This setting disables loading of  the system\-wide "openssl.cnf"
+file.
+.br
+.IP "\fB\fI/absolute\-path\fR\fR (OpenSSL 1.1.1b or later only)"
+Load the configuration file specified by \fI/absolute\-path\fR.
+With this setting it is an error for the file to not contain any
+settings for the selected tls_config_name.  There is no fallback to
+the default "openssl_conf" name.
+.br
+.br
+.PP
+Failures in processing of the built\-in default configuration
+file, are silently ignored with OpenSSL prior to 1.1.1b.  With later
+OpenSSL releases, any errors in loading either the default or custom
+configuration file are detected by Postfix, and cause TLS support to
+be disabled.
+.PP
+The OpenSSL configuration file format is not documented here,
+beyond giving two examples.
+.PP
+Example: Default settings for all applications.
+.sp
+.in +4
+.nf
+.na
+.ft C
+# The name 'openssl_conf' is the default application name
+# The section name to the right of the '=' sign is arbitrary,
+# any name will do, so long as it refers to the desired section.
+#
+# The name 'system_default' selects the settings applied internally
+# by the SSL library as part of SSL object creation.  Applications
+# can then apply any additional settings of their choice.
+#
+# In this example, TLS versions prior to 1.2 are disabled by default.
+#
+openssl_conf = system_wide_settings
+[system_wide_settings]
+ssl_conf = ssl_library_settings
+[ssl_library_settings]
+system_default = initial_ssl_settings
+[initial_ssl_settings]
+MinProtocol = TLSv1.2
+.fi
+.ad
+.ft R
+.in -4
+.PP
+Example: Custom settings for an application named "postfix".
+.sp
+.in +4
+.nf
+.na
+.ft C
+# The mapping from an application name to the corresponding configuration
+# section must appear near the top of the file, (in what is sometimes called
+# the "default section") prior to the start of any explicitly named
+# "[sections]".  The named sections can appear in any order and don't nest.
+#
+postfix = postfix_settings
+[postfix_settings]
+ssl_conf = postfix_ssl_settings
+[postfix_ssl_settings]
+system_default = baseline_postfix_settings
+[baseline_postfix_settings]
+MinProtocol = TLSv1
+.fi
+.ad
+.ft R
+.in -4
+.PP
+This feature is available in Postfix >= 3.9.
+.SH tls_config_name (default: empty)
+The application name passed by Postfix to OpenSSL library
+initialization functions.  This name is used to select the desired
+configuration "section" in the OpenSSL configuration file specified
+via the tls_config_file parameter.  When empty, or when the
+selected name is not present in the configuration file, the default
+application name ("openssl_conf") is used as a fallback.
+.PP
+This feature is available in Postfix >= 3.9.
 .SH tls_daemon_random_bytes (default: 32)
 The number of pseudo\-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8)
 process requests from the \fBtlsmgr\fR(8) server in order to seed its

postfix/man/man8/smtp.8

@@ -836,8 +836,8 @@ sub\-second delay values.
 .IP "\fBdisable_dns_lookups (no)\fR"
 Disable DNS lookups in the Postfix SMTP and LMTP clients.
 .IP "\fBinet_interfaces (all)\fR"
-The local network interface addresses that this mail system receives
-mail on.
+The local network interface addresses that this mail system
+receives mail on.
 .IP "\fBinet_protocols (see 'postconf -d output')\fR"
 The Internet protocols Postfix will attempt to use when making
 or accepting connections.

postfix/mantools/postlink

@@ -782,6 +782,8 @@ while (<>) {
     s;\btls_session_ticket_cipher\b;<a href="postconf.5.html#tls_session_ticket_cipher">$&</a>;g;
     s;\btls_server_sni_maps\b;<a href="postconf.5.html#tls_server_sni_maps">$&</a>;g;
     s;\btls_ssl_options\b;<a href="postconf.5.html#tls_ssl_options">$&</a>;g;
+    s;\btls_config_name\b;<a href="postconf.5.html#tls_config_name">$&</a>;g;
+    s;\btls_config_file\b;<a href="postconf.5.html#tls_config_file">$&</a>;g;
     s;\btls_dane_digest_agility\b;<a href="postconf.5.html#tls_dane_digest_agility">$&</a>;g;
     s;\btls_dane_trust_anchor_digest_enable\b;<a href="postconf.5.html#tls_dane_trust_anchor_digest_enable">$&</a>;g;
     s;\btls_fast_shutdown_enable\b;<a href="postconf.5.html#tls_fast_shutdown_enable">$&</a>;g;

postfix/proto/MILTER_README.html

@@ -630,7 +630,7 @@ main.cf: items separated by space or comma. There is one difference:
 clients </a></h3>
 
 <p> The smtpd_milter_maps feature supports different Milter settings
-for different client IP addresses. Lookup results override the the
+for different client IP addresses. Lookup results override the
 global smtpd_milters setting, and have the same syntax. For example,
 to disable Milter settings for local address ranges: </p>
 

postfix/proto/postconf.proto

@@ -18748,3 +18748,101 @@ uses fewer the anvil(8) resources to maintain counters. By default,
 aggregation is enabled for IPv6.  </p>
 
 <p> This feature is available in Postfix 3.8 and later. </p>
+
+%PARAM tls_config_name
+
+<p> The application name passed by Postfix to OpenSSL library
+initialization functions.  This name is used to select the desired
+configuration "section" in the OpenSSL configuration file specified
+via the tls_config_file parameter.  When empty, or when the
+selected name is not present in the configuration file, the default
+application name ("openssl_conf") is used as a fallback.  </p>
+
+<p> This feature is available in Postfix &ge; 3.9.  </p>
+
+%PARAM tls_config_file default
+
+<p> Optional configuration file with baseline OpenSSL settings.
+OpenSSL loads any SSL settings found in the configuration file for
+the selected application name (see tls_config_name) or else the
+built-in application name "openssl_conf" when no application name is
+specified, or no corresponding configuration section is present.
+</p>
+
+<p> With OpenSSL releases 1.1.1 and 1.1.1a, applications (including
+Postfix) can neither specify an alternative configuration file, nor
+avoid loading the default configuration file.  </p>
+
+<p> With OpenSSL 1.1.1b or later, this parameter may be set to one of:
+</p>
+
+<dl>
+
+<dt> <b>default</b> (default) </dt> <dd> Load the system-wide
+"openssl.cnf" configuration file.  </dd>
+
+<dt> <b>none</b> (recommended, OpenSSL 1.1.1b or later only) </dt>
+<dd> This setting disables loading of  the system-wide "openssl.cnf"
+file.  </dd>
+
+<dt> <b><i>/absolute-path</i></b> (OpenSSL 1.1.1b or later only) </dt>
+<dd> Load the configuration file specified by <i>/absolute-path</i>.
+With this setting it is an error for the file to not contain any
+settings for the selected tls_config_name.  There is no fallback to
+the default "openssl_conf" name. </dd>
+
+</dl>
+
+<p> Failures in processing of the built-in default configuration
+file, are silently ignored with OpenSSL prior to 1.1.1b.  With later
+OpenSSL releases, any errors in loading either the default or custom
+configuration file are detected by Postfix, and cause TLS support to
+be disabled.  </p>
+
+<p> The OpenSSL configuration file format is not documented here,
+beyond giving two examples. <p>
+
+<p> Example: Default settings for all applications. </p>
+
+<blockquote>
+<pre>
+# The name 'openssl_conf' is the default application name
+# The section name to the right of the '=' sign is arbitrary,
+# any name will do, so long as it refers to the desired section.
+#
+# The name 'system_default' selects the settings applied internally
+# by the SSL library as part of SSL object creation.  Applications
+# can then apply any additional settings of their choice.
+#
+# In this example, TLS versions prior to 1.2 are disabled by default.
+#
+openssl_conf = system_wide_settings
+[system_wide_settings]
+ssl_conf = ssl_library_settings
+[ssl_library_settings]
+system_default = initial_ssl_settings
+[initial_ssl_settings]
+MinProtocol = TLSv1.2
+</pre>
+</blockquote>
+
+<p> Example: Custom settings for an application named "postfix". </p>
+
+<blockquote>
+<pre>
+# The mapping from an application name to the corresponding configuration
+# section must appear near the top of the file, (in what is sometimes called
+# the "default section") prior to the start of any explicitly named
+# "[sections]".  The named sections can appear in any order and don't nest.
+#
+postfix = postfix_settings
+[postfix_settings]
+ssl_conf = postfix_ssl_settings
+[postfix_ssl_settings]
+system_default = baseline_postfix_settings
+[baseline_postfix_settings]
+MinProtocol = TLSv1
+</pre>
+</blockquote>
+
+<p> This feature is available in Postfix &ge; 3.9. </p>

postfix/proto/stop.double-history

@@ -50,3 +50,6 @@ proto  proto ADDRESS_REWRITING_README html
 proto  proto aliases proto virtual proto ADDRESS_REWRITING_README html 
  master master c postlog postlog c postlogd postlogd c 
  proto postconf proto proto aliases proto virtual 
+ posttls finger posttls finger c smtp smtp c smtp smtp_proto c 
+ tls tls_client c tls tls h tls tls_misc c 
+ tls tls_proxy h tls tls_server c tlsproxy tlsproxy c 

postfix/proto/stop.double-proto-html

@@ -42,7 +42,6 @@ dd  dd The default algorithm is b sha256 b with Postfix ge 3 6
  dd No TLS TLS will not be used unless enabled for specific
 Dec 4 04 30 09 hostname postfix smtpd 58549 NOQUEUE reject 
  default_transport uucp uucp gateway
- different client IP addresses Lookup results override the the global
 Documentation  Documentation is available as README files start with the file
 done  done
 done done
@@ -202,8 +201,6 @@ smtp_tls_mandatory_protocols SSLv2 SSLv3 TLSv1 TLSv1 1
  SSLv3 TLSv1 TLSv1 1 TLSv1 2 and TLSv1 3 Starting with
  T 5 10 20 40 80 160 320 640 1280 1280 
  T A 5 10 20 40 80 160 320 320 
- The and match and literally Without the the
- The matches literally Without the the would
 Therefore 301 0301 0x301 and 0x0301 are all equivalent to
  The syntax of name value value name value and name value 
 the  the backed up domain tld domain This prevents your mail queue
@@ -247,3 +244,9 @@ dt  dt b name value b Postfix ge 3 0 dt
  p Note on OpenBSD systems specify dev dev arandom when dev dev urandom
  user3 example net smtp smtp relay example net submission 
  virtual_alias_maps hash etc postfix virtual virtual aliasing 
+system_wide_settings  system_wide_settings 
+ssl_library_settings  ssl_library_settings 
+initial_ssl_settings  initial_ssl_settings 
+postfix_settings  postfix_settings 
+postfix_ssl_settings  postfix_ssl_settings 
+baseline_postfix_settings  baseline_postfix_settings 

postfix/proto/stop.spell-cc

@@ -1802,3 +1802,4 @@ bytecount
 ipproto
 cw
 uncreate
+MFLAGS

postfix/proto/stop.spell-proto-html

@@ -357,3 +357,4 @@ kDHE
 srv
 wraptls
 api
+MinProtocol

postfix/src/global/mail_params.h

@@ -3330,9 +3330,19 @@ extern bool var_smtp_sender_auth;
 extern bool var_smtp_cname_overr;
 
  /*
-  * TLS cipherlists
+  * TLS library settings
+  */
+#define VAR_TLS_CNF_FILE	"tls_config_file"
+#define DEF_TLS_CNF_FILE	"default"
+extern char *var_tls_cnf_file;
+
+#define VAR_TLS_CNF_NAME	"tls_config_name"
+#define DEF_TLS_CNF_NAME	""
+extern char *var_tls_cnf_name;
+
+ /*
+  * Deprecated and unused cipher, key exchange and public key algorithms
   */
- /* Deprecated and unused cipher, key exchange and public key algorithms */
 #define TLS_EXCL_CIPHS	    ":!SEED:!IDEA:!3DES:!RC2:!RC4:!RC5"
 #define TLS_EXCL_KEXCH	    ":!kDH:!kECDH"
 #define TLS_EXCL_PKEYS	    ":!aDSS"

postfix/src/global/mail_version.h

@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20230517"
+#define MAIL_RELEASE_DATE	"20230521"
 #define MAIL_VERSION_NUMBER	"3.9"
 
 #ifdef SNAPSHOT

postfix/src/postconf/Makefile.in

@@ -808,7 +808,7 @@ test58: $(PROG) test58.ref
 	echo 'yy_backup = bbb' >> main.cf
 	echo 'yy_bogus = bbb' >> main.cf
 	touch -t 197101010000 main.cf
-	$(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./postconf -nc. >test58.tmp 2>&1 || true
+	$(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -nc. >test58.tmp 2>&1 || true
 	diff test58.ref test58.tmp
 	rm -f main.cf master.cf test58.tmp
 
@@ -994,9 +994,9 @@ test71:	$(PROG) test71.ref
 test72:	$(PROG) test72.ref
 	rm -f main.cf master.cf
 	touch main.cf master.cf
-	./postconf -Mc. smtp/unix='smtp unix - n n - 0 other'
-	./postconf -Mc. smtp/abcd='smtp fifo - n n - 0 other'
-	./postconf -Mc. smtp/abcd='smtp inet - n n - 0 other'
+	$(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/unix='smtp unix - n n - 0 other'
+	$(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/abcd='smtp fifo - n n - 0 other'
+	$(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/abcd='smtp inet - n n - 0 other'
 	touch -t 197201010000 main.cf
 	$(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. >test72.tmp 2>&1
 	diff test72.ref test72.tmp
@@ -1006,10 +1006,10 @@ test72:	$(PROG) test72.ref
 test73:	$(PROG) test73.ref
 	rm -f main.cf master.cf
 	touch main.cf master.cf
-	./postconf -Mc. smtp/unix='smtp unix - n n - 0 other'
-	./postconf -Mc. smtp/abcd='smtp fifo - n n - 0 other'
-	./postconf -Mc. smtp/abcd='smtp inet - n n - 0 other'
-	./postconf -Mc. smtp/abcd='smtp unix - n n - 0 otherx'
+	$(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/unix='smtp unix - n n - 0 other'
+	$(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/abcd='smtp fifo - n n - 0 other'
+	$(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/abcd='smtp inet - n n - 0 other'
+	$(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/abcd='smtp unix - n n - 0 otherx'
 	touch -t 197301010000 main.cf
 	$(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. >test73.tmp 2>&1
 	diff test73.ref test73.tmp
@@ -1019,10 +1019,10 @@ test73:	$(PROG) test73.ref
 test74:	$(PROG) test74.ref
 	rm -f main.cf master.cf
 	touch main.cf master.cf
-	./postconf -Mc. smtp/unix='smtp unix - n n - 0 other'
-	./postconf -Mc. smtp/abcd='smtp fifo - n n - 0 other'
-	./postconf -Mc. smtp/abcd='smtp inet - n n - 0 other'
-	./postconf -Mc. smtp/fifo='lmtp unix - n n - 0 otherx'
+	$(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/unix='smtp unix - n n - 0 other'
+	$(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/abcd='smtp fifo - n n - 0 other'
+	$(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/abcd='smtp inet - n n - 0 other'
+	$(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/fifo='lmtp unix - n n - 0 otherx'
 	touch -t 197401010000 main.cf
 	$(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. >test74.tmp 2>&1
 	diff test74.ref test74.tmp
@@ -1032,7 +1032,7 @@ test74:	$(PROG) test74.ref
 test75:	$(PROG) test75.ref
 	rm -f main.cf master.cf
 	touch main.cf master.cf
-	./postconf -c. mail_version=x mail_version=y >test75.tmp 2>&1
+	$(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -c. mail_version=x mail_version=y >test75.tmp 2>&1
 	touch -t 197501010000 main.cf
 	$(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -nc. >>test75.tmp 2>&1
 	diff test75.ref test75.tmp

postfix/src/posttls-finger/posttls-finger.c

@@ -793,6 +793,8 @@ static int starttls(STATE *state)
 	 * Send all our wishes in one big request.
 	 */
 	TLS_PROXY_CLIENT_INIT_PROPS(&init_props,
+				    cnf_file = var_tls_cnf_file,
+				    cnf_name = var_tls_cnf_name,
 				    log_param = "-L option",
 				    log_level = state->options.logopts,
 				    verifydepth = DEF_SMTP_TLS_SCERT_VD,
@@ -1854,6 +1856,8 @@ static void tls_init(STATE *state)
     /* Needed for tls_dane_avail() and other DANE-related processing. */
     state->tls_ctx =
 	TLS_CLIENT_INIT(&props,
+			cnf_file = var_tls_cnf_file,
+			cnf_name = var_tls_cnf_name,
 			log_param = "-L option",
 			log_level = state->options.logopts,
 			verifydepth = DEF_SMTP_TLS_SCERT_VD,

postfix/src/smtp/smtp.c

@@ -792,8 +792,8 @@
 /* .IP "\fBdisable_dns_lookups (no)\fR"
 /*	Disable DNS lookups in the Postfix SMTP and LMTP clients.
 /* .IP "\fBinet_interfaces (all)\fR"
-/*	The local network interface addresses that this mail system receives
-/*	mail on.
+/*	The local network interface addresses that this mail system
+/*	receives mail on.
 /* .IP "\fBinet_protocols (see 'postconf -d output')\fR"
 /*	The Internet protocols Postfix will attempt to use when making
 /*	or accepting connections.
@@ -1512,6 +1512,8 @@ static void pre_init(char *unused_name, char **unused_argv)
 	 */
 	smtp_tls_ctx =
 	    TLS_CLIENT_INIT(&props,
+			    cnf_file = var_tls_cnf_file,
+			    cnf_name = var_tls_cnf_name,
 			    log_param = VAR_LMTP_SMTP(TLS_LOGLEVEL),
 			    log_level = var_smtp_tls_loglevel,
 			    verifydepth = var_smtp_tls_scert_vd,

postfix/src/smtp/smtp_proto.c

@@ -911,6 +911,8 @@ static int smtp_start_tls(SMTP_STATE *state)
 	 * Send all our wishes in one big request.
 	 */
 	TLS_PROXY_CLIENT_INIT_PROPS(&init_props,
+				    cnf_file = var_tls_cnf_file,
+				    cnf_name = var_tls_cnf_name,
 				    log_param = VAR_LMTP_SMTP(TLS_LOGLEVEL),
 				    log_level = var_smtp_tls_loglevel,
 				    verifydepth = var_smtp_tls_scert_vd,

postfix/src/smtpd/Makefile.in

@@ -114,7 +114,8 @@ smtpd_addr_valid_test: smtpd_check smtpd_addr_valid.in smtpd_addr_valid.ref
 
 # This requires that the DNS server can query porcupine.org.
 
-ADDRINFO_FIX = sed 's/No address associated with hostname/hostname nor servname provided, or not known/'
+ADDRINFO_FIX = sed -e 's/No address associated with hostname/hostname nor servname provided, or not known/' \
+		-e 's/Name or service not known/hostname nor servname provided, or not known/'
 
 smtpd_exp_test: smtpd_check smtpd_exp.in smtpd_exp.ref
 	$(SHLIB_ENV) $(VALGRIND) ../postmap/postmap hash:smtpd_check_access

postfix/src/tls/tls.h

@@ -77,6 +77,7 @@ extern const char *str_tls_level(int);
 #include <openssl/evp.h>		/* New OpenSSL 3.0 EVP_PKEY APIs */
 #include <openssl/opensslv.h>		/* OPENSSL_VERSION_NUMBER */
 #include <openssl/ssl.h>
+#include <openssl/conf.h>
 
  /* Appease indent(1) */
 #define x509_stack_t STACK_OF(X509)
@@ -322,6 +323,7 @@ extern void tls_free_app_context(TLS_APPL_STATE *);
   * tls_misc.c
   */
 extern void tls_param_init(void);
+extern int tls_library_init(void);
 
  /*
   * Protocol selection.
@@ -449,6 +451,8 @@ extern void tls_get_signature_params(TLS_SESS_STATE *);
   * tls_client.c
   */
 typedef struct {
+    const char *cnf_file;
+    const char *cnf_name;
     const char *log_param;
     const char *log_level;
     int     verifydepth;
@@ -494,16 +498,16 @@ extern TLS_SESS_STATE *tls_client_post_connect(TLS_SESS_STATE *,
 	tls_session_stop(ctx, (stream), (timeout), (failure), (TLScontext))
 
 #define TLS_CLIENT_INIT_ARGS(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
-    a10, a11, a12, a13, a14) \
-    (((props)->a1), ((props)->a2), ((props)->a3), \
-    ((props)->a4), ((props)->a5), ((props)->a6), ((props)->a7), \
-    ((props)->a8), ((props)->a9), ((props)->a10), ((props)->a11), \
-    ((props)->a12), ((props)->a13), ((props)->a14), (props))
+    a10, a11, a12, a13, a14, a15, a16) \
+    (((props)->a1), ((props)->a2), ((props)->a3), ((props)->a4), \
+    ((props)->a5), ((props)->a6), ((props)->a7), ((props)->a8), \
+    ((props)->a9), ((props)->a10), ((props)->a11), ((props)->a12), \
+    ((props)->a13), ((props)->a14), ((props)->a15), ((props)->a16), (props))
 
 #define TLS_CLIENT_INIT(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
-    a10, a11, a12, a13, a14) \
+    a10, a11, a12, a13, a14, a15, a16) \
     tls_client_init(TLS_CLIENT_INIT_ARGS(props, a1, a2, a3, a4, a5, \
-    a6, a7, a8, a9, a10, a11, a12, a13, a14))
+    a6, a7, a8, a9, a10, a11, a12, a13, a14, a15, a16))
 
 #define TLS_CLIENT_START(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
     a10, a11, a12, a13, a14, a15, a16, a17) \

postfix/src/tls/tls_client.c

@@ -640,6 +640,13 @@ TLS_APPL_STATE *tls_client_init(const TLS_CLIENT_INIT_PROPS *props)
      */
     tls_check_version();
 
+    /*
+     * Initialize the OpenSSL library, possibly loading its configuration
+     * file.
+     */
+    if (tls_library_init() == 0)
+	return (0);
+
     /*
      * Create an application data index for SSL objects, so that we can
      * attach TLScontext information; this information is needed inside
@@ -788,8 +795,8 @@ TLS_APPL_STATE *tls_client_init(const TLS_CLIENT_INIT_PROPS *props)
     /*
      * With OpenSSL 1.0.2 and later the client EECDH curve list becomes
      * configurable with the preferred curve negotiated via the supported
-     * curves extension.  With OpenSSL 3.0 and TLS 1.3, the same applies
-     * to the FFDHE groups which become part of a unified "groups" list.
+     * curves extension.  With OpenSSL 3.0 and TLS 1.3, the same applies to
+     * the FFDHE groups which become part of a unified "groups" list.
      */
     tls_auto_groups(client_ctx, var_tls_eecdh_auto, var_tls_ffdhe_auto);
 

postfix/src/tls/tls_misc.c

@@ -29,6 +29,8 @@
 /*	#define TLS_INTERNAL
 /*	#include <tls.h>
 /*
+/*	char	*var_tls_cnf_file;
+/*	char	*var_tls_cnf_name;
 /*	char	*var_tls_high_clist;
 /*	char	*var_tls_medium_clist;
 /*	char	*var_tls_null_clist;
@@ -68,6 +70,8 @@
 /*
 /*	void	tls_param_init()
 /*
+/*	int     tls_library_init(void)
+/*
 /*	int	tls_proto_mask_lims(plist, floor, ceiling)
 /*	const char *plist;
 /*	int	*floor;
@@ -156,6 +160,9 @@
 /*	tls_param_init() loads main.cf parameters used internally in
 /*	TLS library. Any errors are fatal.
 /*
+/*	tls_library_init() initializes the OpenSSL library, optionally
+/*	loading an OpenSSL configuration file.
+/*
 /*	tls_pre_jail_init() opens any tables that need to be opened before
 /*	entering a chroot jail. The "role" parameter must be TLS_ROLE_CLIENT
 /*	for clients and TLS_ROLE_SERVER for servers. Any errors are fatal.
@@ -274,6 +281,8 @@
  /*
   * Tunable parameters.
   */
+char   *var_tls_cnf_file;
+char   *var_tls_cnf_name;
 char   *var_tls_high_clist;
 char   *var_tls_medium_clist;
 char   *var_tls_low_ignored;
@@ -643,6 +652,8 @@ void    tls_param_init(void)
 {
     /* If this changes, update TLS_CLIENT_PARAMS in tls_proxy.h. */
     static const CONFIG_STR_TABLE str_table[] = {
+	VAR_TLS_CNF_FILE, DEF_TLS_CNF_FILE, &var_tls_cnf_file, 0, 0,
+	VAR_TLS_CNF_NAME, DEF_TLS_CNF_NAME, &var_tls_cnf_name, 0, 0,
 	VAR_TLS_HIGH_CLIST, DEF_TLS_HIGH_CLIST, &var_tls_high_clist, 1, 0,
 	VAR_TLS_MEDIUM_CLIST, DEF_TLS_MEDIUM_CLIST, &var_tls_medium_clist, 1, 0,
 	VAR_TLS_LOW_CLIST, DEF_TLS_LOW_CLIST, &var_tls_low_ignored, 0, 0,
@@ -687,6 +698,88 @@ void    tls_param_init(void)
     get_mail_conf_bool_table(bool_table);
 }
 
+/* tls_library_init - perform OpenSSL library initialization */
+
+int     tls_library_init(void)
+{
+    OPENSSL_INIT_SETTINGS *init_settings = 0;
+    char   *conf_name = *var_tls_cnf_name ? var_tls_cnf_name : 0;
+    char   *conf_file = 0;
+    unsigned long init_opts = 0;
+
+    if ((init_settings = OPENSSL_INIT_new()) == 0) {
+	msg_warn("error allocating OpenSSL init settings, "
+		 "disabling TLS support");
+	return (0);
+    }
+#if OPENSSL_VERSION_NUMBER < 0x1010102fL
+
+    /*
+     * OpenSSL 1.1.0 through 1.1.1a, no support for custom configuration
+     * files, disabling loading of the file, or getting strict error
+     * handling.  Thus, the only supported configuration file is "default".
+     */
+    if (strcmp(var_tls_cnf_file, "default") != 0) {
+	msg_warn("non-default %s = %s requires OpenSSL 1.1.1b or later, "
+	       "disabling TLS support", VAR_TLS_CNF_FILE, var_tls_cnf_file);
+	return (0);
+    }
+#else
+    {
+	unsigned long init_flags = 0;
+
+	/*-
+	 * OpenSSL 1.1.1b or later:
+	 * We can now choose a non-default or configuration file, or
+	 * use none at all.  We can also request strict error
+	 * reporting.
+	 */
+	if (strcmp(var_tls_cnf_file, "default") == 0) {
+	    conf_file = 0;
+	    /* The default global config file is optional */
+	    init_flags |= CONF_MFLAGS_IGNORE_MISSING_FILE;
+	} else if (strcmp(var_tls_cnf_file, "none") == 0) {
+	    init_opts |= OPENSSL_INIT_NO_LOAD_CONFIG;
+	} else if (*var_tls_cnf_file == '/') {
+	    conf_file = var_tls_cnf_file;
+	} else {
+	    msg_warn("non-default %s = %s is not an absolute pathname, "
+	       "disabling TLS support", VAR_TLS_CNF_FILE, var_tls_cnf_file);
+	    return (0);
+	}
+
+	/*
+	 * By not including CONF_MFLAGS_IGNORE_RETURN_CODES, we get strict
+	 * error reporting.  We don't insist on a match for the requested
+	 * application name, allowing fallback to the default application
+	 * name, even when a non-default application name is specified by
+	 * always setting the CONF_MFLAGS_DEFAULT_SECTION bit.
+	 */
+	init_flags |= CONF_MFLAGS_DEFAULT_SECTION;
+	OPENSSL_INIT_set_config_file_flags(init_settings, init_flags);
+    }
+#endif
+
+    if (conf_file)
+	OPENSSL_INIT_set_config_filename(init_settings, conf_file);
+    if (conf_name)
+	OPENSSL_INIT_set_config_appname(init_settings, conf_name);
+
+    if (OPENSSL_init_ssl(init_opts, init_settings) <= 0) {
+	if ((init_opts & OPENSSL_INIT_NO_LOAD_CONFIG) == 0)
+	    msg_warn("error loading the '%s' settings from the %s OpenSSL "
+		     "configuration file, disabling TLS support",
+		     conf_name ? conf_name : "global",
+		     conf_file ? conf_file : "default");
+	else
+	    msg_warn("error initializing the OpenSSL library, "
+		     "disabling TLS support");
+	tls_print_errors();
+	return (0);
+    }
+    return (1);
+}
+
 /* tls_pre_jail_init - Load TLS related pre-jail tables */
 
 void    tls_pre_jail_init(TLS_ROLE role)

postfix/src/tls/tls_proxy.h

@@ -97,11 +97,12 @@ extern VSTREAM *tls_proxy_open(const char *, int, VSTREAM *, const char *,
 			               void *, void *, void *);
 
 #define TLS_PROXY_CLIENT_INIT_PROPS(props, a1, a2, a3, a4, a5, a6, a7, a8, \
-    a9, a10, a11, a12, a13, a14) \
+    a9, a10, a11, a12, a13, a14, a15, a16) \
     (((props)->a1), ((props)->a2), ((props)->a3), \
     ((props)->a4), ((props)->a5), ((props)->a6), ((props)->a7), \
     ((props)->a8), ((props)->a9), ((props)->a10), ((props)->a11), \
-    ((props)->a12), ((props)->a13), ((props)->a14))
+    ((props)->a12), ((props)->a13), ((props)->a14), ((props)->a15), \
+    ((props)->a16))
 
 #define TLS_PROXY_CLIENT_START_PROPS(props, a1, a2, a3, a4, a5, a6, a7, a8, \
     a9, a10, a11, a12, a13, a14) \
@@ -214,6 +215,8 @@ extern void tls_proxy_server_start_free(TLS_SERVER_START_PROPS *);
  /*
   * TLS_CLIENT_INIT_PROPS attributes.
   */
+#define TLS_ATTR_CNF_FILE	"config_file"
+#define TLS_ATTR_CNF_NAME	"config_name"
 #define TLS_ATTR_LOG_PARAM	"log_param"
 #define TLS_ATTR_LOG_LEVEL	"log_level"
 #define TLS_ATTR_VERIFYDEPTH	"verifydepth"

postfix/src/tls/tls_proxy_client_print.c

@@ -144,6 +144,10 @@ int     tls_proxy_client_init_print(ATTR_PRINT_COMMON_FN print_fn, VSTREAM *fp,
 #define STRING_OR_EMPTY(s) ((s) ? (s) : "")
 
     ret = print_fn(fp, flags | ATTR_FLAG_MORE,
+		   SEND_ATTR_STR(TLS_ATTR_CNF_FILE,
+				 STRING_OR_EMPTY(props->cnf_file)),
+		   SEND_ATTR_STR(TLS_ATTR_CNF_NAME,
+				 STRING_OR_EMPTY(props->cnf_name)),
 		   SEND_ATTR_STR(TLS_ATTR_LOG_PARAM,
 				 STRING_OR_EMPTY(props->log_param)),
 		   SEND_ATTR_STR(TLS_ATTR_LOG_LEVEL,

postfix/src/tls/tls_proxy_client_scan.c

@@ -217,6 +217,8 @@ int     tls_proxy_client_param_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
 
 void    tls_proxy_client_init_free(TLS_CLIENT_INIT_PROPS *props)
 {
+    myfree((void *) props->cnf_file);
+    myfree((void *) props->cnf_name);
     myfree((void *) props->log_param);
     myfree((void *) props->log_level);
     myfree((void *) props->cache_type);
@@ -241,6 +243,8 @@ int     tls_proxy_client_init_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
     TLS_CLIENT_INIT_PROPS *props
     = (TLS_CLIENT_INIT_PROPS *) mymalloc(sizeof(*props));
     int     ret;
+    VSTRING *cnf_file = vstring_alloc(25);
+    VSTRING *cnf_name = vstring_alloc(25);
     VSTRING *log_param = vstring_alloc(25);
     VSTRING *log_level = vstring_alloc(25);
     VSTRING *cache_type = vstring_alloc(25);
@@ -263,6 +267,8 @@ int     tls_proxy_client_init_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
      */
     memset(props, 0, sizeof(*props));
     ret = scan_fn(fp, flags | ATTR_FLAG_MORE,
+		  RECV_ATTR_STR(TLS_ATTR_CNF_FILE, cnf_file),
+		  RECV_ATTR_STR(TLS_ATTR_CNF_NAME, cnf_name),
 		  RECV_ATTR_STR(TLS_ATTR_LOG_PARAM, log_param),
 		  RECV_ATTR_STR(TLS_ATTR_LOG_LEVEL, log_level),
 		  RECV_ATTR_INT(TLS_ATTR_VERIFYDEPTH, &props->verifydepth),
@@ -279,6 +285,8 @@ int     tls_proxy_client_init_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
 		  RECV_ATTR_STR(TLS_ATTR_MDALG, mdalg),
 		  ATTR_TYPE_END);
     /* Always construct a well-formed structure. */
+    props->cnf_file = vstring_export(cnf_file);
+    props->cnf_name = vstring_export(cnf_name);
     props->log_param = vstring_export(log_param);
     props->log_level = vstring_export(log_level);
     props->cache_type = vstring_export(cache_type);
@@ -292,7 +300,7 @@ int     tls_proxy_client_init_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
     props->CAfile = vstring_export(CAfile);
     props->CApath = vstring_export(CApath);
     props->mdalg = vstring_export(mdalg);
-    ret = (ret == 14 ? 1 : -1);
+    ret = (ret == 16 ? 1 : -1);
     if (ret != 1) {
 	tls_proxy_client_init_free(props);
 	props = 0;

postfix/src/tls/tls_server.c

@@ -168,10 +168,12 @@
 static const char server_session_id_context[] = "Postfix/TLS";
 
 #ifndef OPENSSL_NO_TLSEXT
+
  /*
   * We retain the cipher handle for the lifetime of the process.
   */
 static const EVP_CIPHER *tkt_cipher;
+
 #endif
 
 #define GET_SID(s, v, lptr)	((v) = SSL_SESSION_get_id((s), (lptr)))
@@ -419,6 +421,13 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
      */
     tls_check_version();
 
+    /*
+     * Initialize the OpenSSL library, possibly loading its configuration
+     * file.
+     */
+    if (tls_library_init() == 0)
+	return (0);
+
     /*
      * First validate the protocols. If these are invalid, we can't continue.
      */
@@ -677,10 +686,10 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
     tls_tmp_dh(sni_ctx, 1);
 
     /*
-     * Enable EECDH if available, errors are not fatal, we just keep going with
-     * any remaining key-exchange algorithms.  With OpenSSL 3.0 and TLS 1.3,
-     * the same applies to the FFDHE groups which become part of a unified
-     * "groups" list.
+     * Enable EECDH if available, errors are not fatal, we just keep going
+     * with any remaining key-exchange algorithms.  With OpenSSL 3.0 and TLS
+     * 1.3, the same applies to the FFDHE groups which become part of a
+     * unified "groups" list.
      */
     tls_auto_groups(server_ctx, var_tls_eecdh_auto, var_tls_ffdhe_auto);
     tls_auto_groups(sni_ctx, var_tls_eecdh_auto, var_tls_ffdhe_auto);

postfix/src/tlsproxy/tlsproxy.c

@@ -1742,6 +1742,8 @@ static void pre_jail_init_client(void)
 	 */
 	(void) tls_proxy_client_param_from_config(&tls_params);
 	(void) TLS_CLIENT_INIT_ARGS(&init_props,
+				    cnf_file = var_tls_cnf_file,
+				    cnf_name = var_tls_cnf_name,
 				    log_param = var_tlsp_clnt_logparam,
 				    log_level = var_tlsp_clnt_loglevel,
 				    verifydepth = var_tlsp_clnt_scert_vd,