mirror of https://github.com/vdukhovni/postfix synced 2025-08-22 09:57:34 +00:00

postfix-3.9-20230529

This commit is contained in:
Wietse Venema 2023-05-29 00:00:00 -05:00 committed by Viktor Dukhovni
parent 20413638d5
commit 96a97d3bdd
22 changed files with 266 additions and 175 deletions

View File

@ -27210,7 +27210,7 @@ Apologies for any names omitted.
20230523 20230523
Cleanup: use TLS_CLIENT_PARAMS to pass the OpensSSL 'init' Cleanup: use TLS_CLIENT_PARAMS to pass the OpenSSL 'init'
configuration settings. These are global, i.e. apply to all configuration settings. These are global, i.e. apply to all
client TLS contexts, and they do not belong in tls_client_init() client TLS contexts, and they do not belong in tls_client_init()
or tls_client_start() calls. The tlsproxy(8) server uses or tls_client_start() calls. The tlsproxy(8) server uses
@ -27229,3 +27229,20 @@ Apologies for any names omitted.
and tls_config_name configuration parameters. Files: and tls_config_name configuration parameters. Files:
smtp/smtp.c, smtpd/smtpd.c, tls/tls_client.c, tls/tls.h, smtp/smtp.c, smtpd/smtpd.c, tls/tls_client.c, tls/tls.h,
tls/tls_server.c, tlsproxy/tlsproxy.c, tls/tls_server.c, tlsproxy/tlsproxy.c,
20230526
Documentation: clarified address class descriptions; added
the availability of back-ported OpenSSL INI file support
in stable releases. Files: proto/ADDRESS_CLASS_README.html,
proto/postconf.proto smtp/smtp.c, smtpd/smtpd.c,
tlsproxy/tlsproxy.c.
Security: in the Postfix SMTP daemon, improved pipelining
detection and reporting; and detect illegal command pipelining
before the server greeting. File: smtpd/smtpd.c.
20230529
Cleanup: error handling for OpenSSL INI file support. Viktor
Dukhovni. Files: proto/postconf.proto, tls/tls_misc.c.
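Review bot: the 20230526 entry's file list is missing a comma between proto/postconf.proto and smtp/smtp.c; every other file list in this hunk is comma-separated, so it should read "proto/postconf.proto, smtp/smtp.c, smtpd/smtpd.c,". The Security item in the same entry says pipelining is now detected "before the server greeting" but not what the server does on detection (log only, or reject the session); since HISTORY is what operators read when deciding whether to pick up a release, one clause on the observable behaviour would help.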

View File

@ -25,18 +25,23 @@ important for the operation of Postfix.
An address class is defined by three items. An address class is defined by three items.
* The list of domains that are a member of that address class: for example, * The list of domains that are a member of that address class.
all local domains, or all relay domains.
* The default delivery transport for that address class. For example, the Examples: all local domains, or all relay domains.
local, virtual or relay delivery transport (delivery transports are defined
in master.cf). This helps to keep Postfix configurations simple, by
avoiding the need for explicit routing information in transport maps.
* The list of valid recipient addresses for that address class. The Postfix * The default delivery transport for domains in that address class.
SMTP server rejects invalid recipients with "User unknown in <name of
address class here> table". This helps to keep the Postfix queue free of Examples: local_transport or relay_transport (these point to services
undeliverable MAILER-DAEMON messages. defined in master.cf).
Benefit: this avoids the need for explicit routing information in transport
maps.
* The list of valid recipient addresses for that address class.
Benefit: the Postfix SMTP server rejects an invalid recipient with "User
unknown in <name of address class> table", and avoids sending a MAILER-
DAEMON message with backscatter spam.
WWhhaatt aaddddrreessss ccllaasssseess ddooeess PPoossttffiixx iimmpplleemmeenntt?? WWhhaatt aaddddrreessss ccllaasssseess ddooeess PPoossttffiixx iimmpplleemmeenntt??
@ -56,11 +61,11 @@ The local domain class.
also includes mail for user@[ipaddress] when the IP address is listed with also includes mail for user@[ipaddress] when the IP address is listed with
the inet_interfaces or proxy_interfaces parameters. the inet_interfaces or proxy_interfaces parameters.
* Valid recipient addresses are listed with the local_recipient_maps * Valid recipient addresses for those domains are listed with the
parameter, as described in LOCAL_RECIPIENT_README. The Postfix SMTP server local_recipient_maps parameter, as described in LOCAL_RECIPIENT_README. The
rejects invalid recipients with "User unknown in local recipient table". If Postfix SMTP server rejects invalid recipients with "User unknown in local
the local_recipient_maps parameter value is empty, then the Postfix SMTP recipient table". If the local_recipient_maps parameter value is empty,
server accepts any address in the local domain class. then the Postfix SMTP server accepts any address in the local domain class.
* The mail delivery transport is specified with the local_transport * The mail delivery transport is specified with the local_transport
parameter. The default value is llooccaall::$$mmyyhhoossttnnaammee for delivery with the parameter. The default value is llooccaall::$$mmyyhhoossttnnaammee for delivery with the
@ -69,20 +74,23 @@ The local domain class.
The virtual alias domain class. The virtual alias domain class.
* Purpose: hosted domains where each recipient address is aliased to an * Purpose: hosted domains where each recipient address is aliased to an
address in a different domain, for example, a local UNIX system account or address in a different domain class, for example, a local UNIX system
a remote address. A virtual alias example is given in the VIRTUAL_README account or a remote address. A virtual alias example is given in the
file. VIRTUAL_README file.
* Domain names are listed in virtual_alias_domains. The default value is * Domain names are listed in virtual_alias_domains. The default value is
$virtual_alias_maps for Postfix 1.1 compatibility. $virtual_alias_maps for Postfix 1.1 compatibility.
* Valid recipient addresses are listed with the virtual_alias_maps parameter. * Valid recipient addresses for those domains are listed with the
The Postfix SMTP server rejects invalid recipients with "User unknown in virtual_alias_maps parameter. The Postfix SMTP server rejects invalid
virtual alias table". The default value is $virtual_maps for Postfix 1.1 recipients with "User unknown in virtual alias table". The default value is
compatibility. $virtual_maps for Postfix 1.1 compatibility.
* There is no mail delivery transport parameter. Every address must be Note: for historical reasons, virtual_alias_maps apply to recipients in
aliased to an address in some other domain. all domain classes, not only the virtual alias domain class.
* There is no configurable mail delivery transport. Every address must be
aliased to an address in some other domain class.
The virtual mailbox domain class. The virtual mailbox domain class.
@ -93,11 +101,11 @@ The virtual mailbox domain class.
* Domain names are listed with the virtual_mailbox_domains parameter. The * Domain names are listed with the virtual_mailbox_domains parameter. The
default value is $virtual_mailbox_maps for Postfix 1.1 compatibility. default value is $virtual_mailbox_maps for Postfix 1.1 compatibility.
* Valid recipient addresses are listed with the virtual_mailbox_maps * Valid recipient addresses for those domains are listed with the
parameter. The Postfix SMTP server rejects invalid recipients with "User virtual_mailbox_maps parameter. The Postfix SMTP server rejects invalid
unknown in virtual mailbox table". If this parameter value is empty, the recipients with "User unknown in virtual mailbox table". If this parameter
Postfix SMTP server accepts all recipients for domains listed in value is empty, the Postfix SMTP server accepts all recipients for domains
$virtual_mailbox_domains. listed in $virtual_mailbox_domains.
* The mail delivery transport is specified with the virtual_transport * The mail delivery transport is specified with the virtual_transport
parameter. The default value is vviirrttuuaall for delivery with the virtual(8) parameter. The default value is vviirrttuuaall for delivery with the virtual(8)
@ -113,11 +121,11 @@ The relay domain class.
* Domain names are listed with the relay_domains parameter. * Domain names are listed with the relay_domains parameter.
* Valid recipient addresses are listed with the relay_recipient_maps * Valid recipient addresses for those domains are listed with the
parameter. The Postfix SMTP server rejects invalid recipients with "User relay_recipient_maps parameter. The Postfix SMTP server rejects invalid
unknown in relay recipient table". If this parameter value is empty, the recipients with "User unknown in relay recipient table". If this parameter
Postfix SMTP server accepts all recipients for domains listed with the value is empty, the Postfix SMTP server accepts all recipients for domains
relay_domains parameter. listed with the relay_domains parameter.
* The mail delivery transport is specified with the relay_transport * The mail delivery transport is specified with the relay_transport
parameter. The default value is rreellaayy which is a clone of the smtp(8) parameter. The default value is rreellaayy which is a clone of the smtp(8)

View File

@ -52,20 +52,25 @@ address classes are very important for the operation of Postfix. </p>
<ul> <ul>
<li> <p> The list of domains that are a member of that address <li> <p> The list of domains that are a member of that address
class: for example, all <a href="ADDRESS_CLASS_README.html#local_domain_class">local domains</a>, or all <a href="ADDRESS_CLASS_README.html#relay_domain_class">relay domains</a>. </p> class. </p>
<li> <p> The default delivery transport for that address class. For <p> Examples: all <a href="ADDRESS_CLASS_README.html#local_domain_class">local domains</a>, or all <a href="ADDRESS_CLASS_README.html#relay_domain_class">relay domains</a>. </p>
example, the local,
virtual or relay delivery transport (delivery transports are defined <li> <p> The default delivery transport for domains in that address
in <a href="master.5.html">master.cf</a>). This helps to keep Postfix configurations simple, class. </p>
by avoiding the need for explicit routing information in transport
maps. </p> <p> Examples: <a href="postconf.5.html#local_transport">local_transport</a> or <a href="postconf.5.html#relay_transport">relay_transport</a> (these point
to services defined in <a href="master.5.html">master.cf</a>). </p>
<p> Benefit: this avoids the need for explicit routing information
in transport maps. </p>
<li> <p> The list of valid recipient addresses for that address <li> <p> The list of valid recipient addresses for that address
class. The Postfix SMTP server rejects invalid recipients with class. </p>
"User unknown in &lt;name of address class here&gt; table". This
helps to keep the Postfix queue free of undeliverable MAILER-DAEMON <p> Benefit: the Postfix SMTP server rejects an invalid recipient
messages. </p> with "User unknown in &lt;name of address class&gt; table", and
avoids sending a MAILER-DAEMON message with backscatter spam. </p>
</ul> </ul>
@ -92,12 +97,12 @@ This domain class also includes mail for <i>user@[ipaddress]</i>
when the IP address is listed with the <a href="postconf.5.html#inet_interfaces">inet_interfaces</a> or when the IP address is listed with the <a href="postconf.5.html#inet_interfaces">inet_interfaces</a> or
<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> parameters. </p> <a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> parameters. </p>
<li> <p> Valid recipient addresses are listed with the <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> <li> <p> Valid recipient addresses for those domains are
parameter, as described in <a href="LOCAL_RECIPIENT_README.html">LOCAL_RECIPIENT_README</a>. The Postfix SMTP listed with the <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> parameter, as described in
server rejects invalid recipients with "User unknown in local <a href="LOCAL_RECIPIENT_README.html">LOCAL_RECIPIENT_README</a>. The Postfix SMTP server rejects invalid recipients
recipient table". If the <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> parameter value is with "User unknown in local recipient table". If the <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a>
empty, then the Postfix SMTP server accepts any address in the parameter value is empty, then the Postfix SMTP server accepts any
<a href="ADDRESS_CLASS_README.html#local_domain_class">local domain</a> class. </p> address in the <a href="ADDRESS_CLASS_README.html#local_domain_class">local domain</a> class. </p>
<li> <p> The mail delivery transport is specified with the <li> <p> The mail delivery transport is specified with the
<a href="postconf.5.html#local_transport">local_transport</a> parameter. The default value is <b><a href="local.8.html">local</a>:$<a href="postconf.5.html#myhostname">myhostname</a></b> <a href="postconf.5.html#local_transport">local_transport</a> parameter. The default value is <b><a href="local.8.html">local</a>:$<a href="postconf.5.html#myhostname">myhostname</a></b>
@ -111,21 +116,25 @@ class. </p>
<ul> <ul>
<li> <p> Purpose: <a href="VIRTUAL_README.html#canonical">hosted domains</a> where each recipient address is <li> <p> Purpose: <a href="VIRTUAL_README.html#canonical">hosted domains</a> where each recipient address is
aliased to an address in a different domain, for example, a local aliased to an address in a different domain class, for example, a
UNIX system account or a remote address. A local UNIX system account or a remote address. A
<a href="VIRTUAL_README.html#virtual_alias">virtual alias example</a> is given in the <a href="VIRTUAL_README.html">VIRTUAL_README</a> file. </p> <a href="VIRTUAL_README.html#virtual_alias">virtual alias example</a> is given in the <a href="VIRTUAL_README.html">VIRTUAL_README</a> file. </p>
<li> <p> Domain names are listed in <a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>. The <li> <p> Domain names are listed in <a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>. The
default value is $<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> for Postfix 1.1 compatibility. default value is $<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> for Postfix 1.1 compatibility.
</p> </p>
<li> <p> Valid recipient addresses are listed with the <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> <li> <p> Valid recipient addresses for those domains are listed with the
parameter. The Postfix SMTP server rejects invalid recipients with <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> parameter. The Postfix SMTP server rejects invalid
"User unknown in virtual alias table". The default value is recipients with "User unknown in virtual alias table". The default
$<a href="postconf.5.html#virtual_maps">virtual_maps</a> for Postfix 1.1 compatibility. </p> value is $<a href="postconf.5.html#virtual_maps">virtual_maps</a> for Postfix 1.1 compatibility. </p>
<li> <p> There is no mail delivery transport parameter. Every <blockquote ><p> Note: for historical reasons, <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a>
address must be aliased to an address in some other domain. </p> apply to recipients in all domain classes, not only the virtual
alias domain class. </p> </blockquote>
<li> <p> There is no configurable mail delivery transport. Every
address must be aliased to an address in some other domain class. </p>
</ul> </ul>
@ -136,18 +145,19 @@ class. </p>
<li> <p> Purpose: final delivery for <a href="VIRTUAL_README.html#canonical">hosted domains</a> where each <li> <p> Purpose: final delivery for <a href="VIRTUAL_README.html#canonical">hosted domains</a> where each
recipient address can have its own mailbox, and where users do not recipient address can have its own mailbox, and where users do not
need to have a UNIX system account. A <a href="VIRTUAL_README.html#virtual_mailbox">virtual mailbox example</a> is need to have a UNIX system account. A <a href="VIRTUAL_README.html#virtual_mailbox">virtual mailbox example</a> is
given in the <a href="VIRTUAL_README.html">VIRTUAL_README</a> file. </p> given in the <a href="VIRTUAL_README.html">VIRTUAL_README</a> file. </p>
<li> <p> Domain names are listed with the <a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a> <li> <p> Domain names are listed with the <a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>
parameter. The default value is $<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> for Postfix parameter. The default value is $<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> for Postfix
1.1 compatibility. </p> 1.1 compatibility. </p>
<li> <p> Valid recipient addresses are listed with the <a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> <li> <p> Valid recipient addresses for those domains are listed
parameter. The Postfix SMTP server rejects invalid recipients with with the <a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> parameter. The Postfix SMTP server
"User unknown in virtual mailbox table". If this parameter value rejects invalid recipients with "User unknown in virtual mailbox
is empty, the Postfix SMTP server accepts all recipients for domains table". If this parameter value is empty, the Postfix SMTP server
listed in $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>. </p> accepts all recipients for domains listed in $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>.
</p>
<li> <p> The mail delivery transport is specified with the <li> <p> The mail delivery transport is specified with the
<a href="postconf.5.html#virtual_transport">virtual_transport</a> parameter. The default value is <b>virtual</b> <a href="postconf.5.html#virtual_transport">virtual_transport</a> parameter. The default value is <b>virtual</b>
@ -169,11 +179,12 @@ file. </p>
<li> <p> Domain names are listed with the <a href="postconf.5.html#relay_domains">relay_domains</a> parameter. <li> <p> Domain names are listed with the <a href="postconf.5.html#relay_domains">relay_domains</a> parameter.
</p> </p>
<li> <p> Valid recipient addresses are listed with the <a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> <li> <p> Valid recipient addresses for those domains are listed
parameter. The Postfix SMTP server rejects invalid recipients with with the <a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> parameter. The Postfix SMTP server
"User unknown in relay recipient table". If this parameter value rejects invalid recipients with "User unknown in relay recipient
is empty, the Postfix SMTP server accepts all recipients for domains table". If this parameter value is empty, the Postfix SMTP server
listed with the <a href="postconf.5.html#relay_domains">relay_domains</a> parameter. </p> accepts all recipients for domains listed with the <a href="postconf.5.html#relay_domains">relay_domains</a>
parameter. </p>
<li> <p> The mail delivery transport is specified with the <li> <p> The mail delivery transport is specified with the
<a href="postconf.5.html#relay_transport">relay_transport</a> parameter. The default value is <b>relay</b> which <a href="postconf.5.html#relay_transport">relay_transport</a> parameter. The default value is <b>relay</b> which

View File

@ -715,7 +715,7 @@ SMTP(8) SMTP(8)
(FFDHE) key exchange groups supported by the Postfix SMTP client (FFDHE) key exchange groups supported by the Postfix SMTP client
and server. and server.
Available in Postfix version 3.9 and later: Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
<b><a href="postconf.5.html#tls_config_file">tls_config_file</a> (default)</b> <b><a href="postconf.5.html#tls_config_file">tls_config_file</a> (default)</b>
Optional configuration file with baseline OpenSSL settings. Optional configuration file with baseline OpenSSL settings.

View File

@ -19297,11 +19297,10 @@ the default "openssl_conf" name. </dd>
</dl> </dl>
<p> Failures in processing of the built-in default configuration <p> Failures in processing of the built-in default configuration file,
file, are silently ignored with OpenSSL prior to 1.1.1b. With later are silently ignored. Any errors in loading a non-default configuration
OpenSSL releases, any errors in loading either the default or custom file are detected by Postfix, and cause TLS support to be disabled.
configuration file are detected by Postfix, and cause TLS support to </p>
be disabled. </p>
<p> The OpenSSL configuration file format is not documented here, <p> The OpenSSL configuration file format is not documented here,
beyond giving two examples. <p> beyond giving two examples. <p>
@ -19349,7 +19348,8 @@ MinProtocol = TLSv1
</pre> </pre>
</blockquote> </blockquote>
<p> This feature is available in Postfix &ge; 3.9. </p> <p> This feature is available in Postfix &ge; 3.9, 3.8.1, 3.7.6,
3.6.10, and 3.5.20. </p>
</DD> </DD>

View File

@ -715,7 +715,7 @@ SMTP(8) SMTP(8)
(FFDHE) key exchange groups supported by the Postfix SMTP client (FFDHE) key exchange groups supported by the Postfix SMTP client
and server. and server.
Available in Postfix version 3.9 and later: Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
<b><a href="postconf.5.html#tls_config_file">tls_config_file</a> (default)</b> <b><a href="postconf.5.html#tls_config_file">tls_config_file</a> (default)</b>
Optional configuration file with baseline OpenSSL settings. Optional configuration file with baseline OpenSSL settings.

View File

@ -639,7 +639,7 @@ SMTPD(8) SMTPD(8)
(FFDHE) key exchange groups supported by the Postfix SMTP client (FFDHE) key exchange groups supported by the Postfix SMTP client
and server. and server.
Available in Postfix version 3.9 and later: Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
<b><a href="postconf.5.html#tls_config_file">tls_config_file</a> (default)</b> <b><a href="postconf.5.html#tls_config_file">tls_config_file</a> (default)</b>
Optional configuration file with baseline OpenSSL settings. Optional configuration file with baseline OpenSSL settings.

View File

@ -160,7 +160,7 @@ TLSPROXY(8) TLSPROXY(8)
(FFDHE) key exchange groups supported by the Postfix SMTP client (FFDHE) key exchange groups supported by the Postfix SMTP client
and server. and server.
Available in Postfix version 3.9 and later: Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
<b><a href="postconf.5.html#tls_config_file">tls_config_file</a> (default)</b> <b><a href="postconf.5.html#tls_config_file">tls_config_file</a> (default)</b>
Optional configuration file with baseline OpenSSL settings. Optional configuration file with baseline OpenSSL settings.

View File

@ -13668,11 +13668,9 @@ the default "openssl_conf" name.
.br .br
.br .br
.PP .PP
Failures in processing of the built\-in default configuration Failures in processing of the built\-in default configuration file,
file, are silently ignored with OpenSSL prior to 1.1.1b. With later are silently ignored. Any errors in loading a non\-default configuration
OpenSSL releases, any errors in loading either the default or custom file are detected by Postfix, and cause TLS support to be disabled.
configuration file are detected by Postfix, and cause TLS support to
be disabled.
.PP .PP
The OpenSSL configuration file format is not documented here, The OpenSSL configuration file format is not documented here,
beyond giving two examples. beyond giving two examples.
@ -13728,7 +13726,8 @@ MinProtocol = TLSv1
.ft R .ft R
.in -4 .in -4
.PP .PP
This feature is available in Postfix >= 3.9. This feature is available in Postfix >= 3.9, 3.8.1, 3.7.6,
3.6.10, and 3.5.20.
.SH tls_config_name (default: empty) .SH tls_config_name (default: empty)
The application name passed by Postfix to OpenSSL library The application name passed by Postfix to OpenSSL library
initialization functions. This name is used to select the desired initialization functions. This name is used to select the desired

View File

@ -641,7 +641,7 @@ The prioritized list of finite\-field Diffie\-Hellman ephemeral
(FFDHE) key exchange groups supported by the Postfix SMTP client and (FFDHE) key exchange groups supported by the Postfix SMTP client and
server. server.
.PP .PP
Available in Postfix version 3.9 and later: Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
.IP "\fBtls_config_file (default)\fR" .IP "\fBtls_config_file (default)\fR"
Optional configuration file with baseline OpenSSL settings. Optional configuration file with baseline OpenSSL settings.
.IP "\fBtls_config_name (empty)\fR" .IP "\fBtls_config_name (empty)\fR"

View File

@ -565,7 +565,7 @@ The prioritized list of finite\-field Diffie\-Hellman ephemeral
(FFDHE) key exchange groups supported by the Postfix SMTP client and (FFDHE) key exchange groups supported by the Postfix SMTP client and
server. server.
.PP .PP
Available in Postfix version 3.9 and later: Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
.IP "\fBtls_config_file (default)\fR" .IP "\fBtls_config_file (default)\fR"
Optional configuration file with baseline OpenSSL settings. Optional configuration file with baseline OpenSSL settings.
.IP "\fBtls_config_name (empty)\fR" .IP "\fBtls_config_name (empty)\fR"

View File

@ -159,7 +159,7 @@ The prioritized list of finite\-field Diffie\-Hellman ephemeral
(FFDHE) key exchange groups supported by the Postfix SMTP client and (FFDHE) key exchange groups supported by the Postfix SMTP client and
server. server.
.PP .PP
Available in Postfix version 3.9 and later: Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
.IP "\fBtls_config_file (default)\fR" .IP "\fBtls_config_file (default)\fR"
Optional configuration file with baseline OpenSSL settings. Optional configuration file with baseline OpenSSL settings.
.IP "\fBtls_config_name (empty)\fR" .IP "\fBtls_config_name (empty)\fR"

View File

@ -52,20 +52,25 @@ address classes are very important for the operation of Postfix. </p>
<ul> <ul>
<li> <p> The list of domains that are a member of that address <li> <p> The list of domains that are a member of that address
class: for example, all local domains, or all relay domains. </p> class. </p>
<li> <p> The default delivery transport for that address class. For <p> Examples: all local domains, or all relay domains. </p>
example, the local,
virtual or relay delivery transport (delivery transports are defined <li> <p> The default delivery transport for domains in that address
in master.cf). This helps to keep Postfix configurations simple, class. </p>
by avoiding the need for explicit routing information in transport
maps. </p> <p> Examples: local_transport or relay_transport (these point
to services defined in master.cf). </p>
<p> Benefit: this avoids the need for explicit routing information
in transport maps. </p>
<li> <p> The list of valid recipient addresses for that address <li> <p> The list of valid recipient addresses for that address
class. The Postfix SMTP server rejects invalid recipients with class. </p>
"User unknown in &lt;name of address class here&gt; table". This
helps to keep the Postfix queue free of undeliverable MAILER-DAEMON <p> Benefit: the Postfix SMTP server rejects an invalid recipient
messages. </p> with "User unknown in &lt;name of address class&gt; table", and
avoids sending a MAILER-DAEMON message with backscatter spam. </p>
</ul> </ul>
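Review bot: in the third bullet, "avoids sending a MAILER-DAEMON message with backscatter spam" reads as if the MAILER-DAEMON message itself carries spam; the point is that rejecting the unknown recipient during the SMTP dialogue means the message is never accepted and therefore never bounced to a (typically forged) sender. Suggest: "and avoids accepting mail that would later have to be bounced, which would make Postfix a source of backscatter". This is the file from which the HTML and text versions in this commit are generated, so the fix belongs here.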
@ -92,12 +97,12 @@ This domain class also includes mail for <i>user@[ipaddress]</i>
when the IP address is listed with the inet_interfaces or when the IP address is listed with the inet_interfaces or
proxy_interfaces parameters. </p> proxy_interfaces parameters. </p>
<li> <p> Valid recipient addresses are listed with the local_recipient_maps <li> <p> Valid recipient addresses for those domains are
parameter, as described in LOCAL_RECIPIENT_README. The Postfix SMTP listed with the local_recipient_maps parameter, as described in
server rejects invalid recipients with "User unknown in local LOCAL_RECIPIENT_README. The Postfix SMTP server rejects invalid recipients
recipient table". If the local_recipient_maps parameter value is with "User unknown in local recipient table". If the local_recipient_maps
empty, then the Postfix SMTP server accepts any address in the parameter value is empty, then the Postfix SMTP server accepts any
local domain class. </p> address in the local domain class. </p>
<li> <p> The mail delivery transport is specified with the <li> <p> The mail delivery transport is specified with the
local_transport parameter. The default value is <b>local:$myhostname</b> local_transport parameter. The default value is <b>local:$myhostname</b>
@ -111,21 +116,25 @@ class. </p>
<ul> <ul>
<li> <p> Purpose: hosted domains where each recipient address is <li> <p> Purpose: hosted domains where each recipient address is
aliased to an address in a different domain, for example, a local aliased to an address in a different domain class, for example, a
UNIX system account or a remote address. A local UNIX system account or a remote address. A
virtual alias example is given in the VIRTUAL_README file. </p> virtual alias example is given in the VIRTUAL_README file. </p>
<li> <p> Domain names are listed in virtual_alias_domains. The <li> <p> Domain names are listed in virtual_alias_domains. The
default value is $virtual_alias_maps for Postfix 1.1 compatibility. default value is $virtual_alias_maps for Postfix 1.1 compatibility.
</p> </p>
<li> <p> Valid recipient addresses are listed with the virtual_alias_maps <li> <p> Valid recipient addresses for those domains are listed with the
parameter. The Postfix SMTP server rejects invalid recipients with virtual_alias_maps parameter. The Postfix SMTP server rejects invalid
"User unknown in virtual alias table". The default value is recipients with "User unknown in virtual alias table". The default
$virtual_maps for Postfix 1.1 compatibility. </p> value is $virtual_maps for Postfix 1.1 compatibility. </p>
<li> <p> There is no mail delivery transport parameter. Every <blockquote ><p> Note: for historical reasons, virtual_alias_maps
address must be aliased to an address in some other domain. </p> apply to recipients in all domain classes, not only the virtual
alias domain class. </p> </blockquote>
<li> <p> There is no configurable mail delivery transport. Every
address must be aliased to an address in some other domain class. </p>
</ul> </ul>
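Review bot: `<blockquote >` has a stray space before the closing angle bracket; the rest of the file writes tags without it. The note it introduces is the security-relevant part of this hunk: since virtual_alias_maps is consulted for every domain class, an entry in it can redirect mail addressed to a local or relay recipient as well, so it may be worth stating explicitly that a mistaken or unintended alias entry affects addresses in all classes, not only those under virtual_alias_domains.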
@ -136,18 +145,19 @@ class. </p>
<li> <p> Purpose: final delivery for hosted domains where each <li> <p> Purpose: final delivery for hosted domains where each
recipient address can have its own mailbox, and where users do not recipient address can have its own mailbox, and where users do not
need to have a UNIX system account. A virtual mailbox example is need to have a UNIX system account. A virtual mailbox example is
given in the VIRTUAL_README file. </p> given in the VIRTUAL_README file. </p>
<li> <p> Domain names are listed with the virtual_mailbox_domains <li> <p> Domain names are listed with the virtual_mailbox_domains
parameter. The default value is $virtual_mailbox_maps for Postfix parameter. The default value is $virtual_mailbox_maps for Postfix
1.1 compatibility. </p> 1.1 compatibility. </p>
<li> <p> Valid recipient addresses are listed with the virtual_mailbox_maps <li> <p> Valid recipient addresses for those domains are listed
parameter. The Postfix SMTP server rejects invalid recipients with with the virtual_mailbox_maps parameter. The Postfix SMTP server
"User unknown in virtual mailbox table". If this parameter value rejects invalid recipients with "User unknown in virtual mailbox
is empty, the Postfix SMTP server accepts all recipients for domains table". If this parameter value is empty, the Postfix SMTP server
listed in $virtual_mailbox_domains. </p> accepts all recipients for domains listed in $virtual_mailbox_domains.
</p>
<li> <p> The mail delivery transport is specified with the <li> <p> The mail delivery transport is specified with the
virtual_transport parameter. The default value is <b>virtual</b> virtual_transport parameter. The default value is <b>virtual</b>
@ -169,11 +179,12 @@ file. </p>
<li> <p> Domain names are listed with the relay_domains parameter. <li> <p> Domain names are listed with the relay_domains parameter.
</p> </p>
<li> <p> Valid recipient addresses are listed with the relay_recipient_maps <li> <p> Valid recipient addresses for those domains are listed
parameter. The Postfix SMTP server rejects invalid recipients with with the relay_recipient_maps parameter. The Postfix SMTP server
"User unknown in relay recipient table". If this parameter value rejects invalid recipients with "User unknown in relay recipient
is empty, the Postfix SMTP server accepts all recipients for domains table". If this parameter value is empty, the Postfix SMTP server
listed with the relay_domains parameter. </p> accepts all recipients for domains listed with the relay_domains
parameter. </p>
<li> <p> The mail delivery transport is specified with the <li> <p> The mail delivery transport is specified with the
relay_transport parameter. The default value is <b>relay</b> which relay_transport parameter. The default value is <b>relay</b> which

View File

@ -18793,11 +18793,10 @@ the default "openssl_conf" name. </dd>
</dl> </dl>
<p> Failures in processing of the built-in default configuration <p> Failures in processing of the built-in default configuration file,
file, are silently ignored with OpenSSL prior to 1.1.1b. With later are silently ignored. Any errors in loading a non-default configuration
OpenSSL releases, any errors in loading either the default or custom file are detected by Postfix, and cause TLS support to be disabled.
configuration file are detected by Postfix, and cause TLS support to </p>
be disabled. </p>
<p> The OpenSSL configuration file format is not documented here, <p> The OpenSSL configuration file format is not documented here,
beyond giving two examples. <p> beyond giving two examples. <p>
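Review bot: stray comma in the rewritten first sentence, "Failures in processing of the built-in default configuration file, are silently ignored." (drop the comma after "file"). The rewrite also removes the only mention of the OpenSSL 1.1.1b boundary, so postconf(5) no longer tells the reader that a non-default tls_config_file is refused, with TLS disabled, on older OpenSSL, which the unchanged tls_misc.c warning "requires OpenSSL 1.1.1b or later, disabling TLS support" still does; keep one clause to that effect, e.g. "A non-default configuration file requires OpenSSL 1.1.1b or later."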
@ -18845,4 +18844,5 @@ MinProtocol = TLSv1
</pre> </pre>
</blockquote> </blockquote>
<p> This feature is available in Postfix &ge; 3.9. </p> <p> This feature is available in Postfix &ge; 3.9, 3.8.1, 3.7.6,
3.6.10, and 3.5.20. </p>
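Review bot: "Postfix &ge; 3.9, 3.8.1, 3.7.6, 3.6.10, and 3.5.20" reads as if &ge; applied only to 3.9 and the patch releases were exact versions. The smtp.c, smtpd.c and tlsproxy.c man-page hunks in this same commit use "3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later"; use that wording here as well so the two documents agree.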

View File

@ -12,7 +12,6 @@
Fix by Viktor Dukhovni Files tls tls h tls tls_dane c Fix by Viktor Dukhovni Files tls tls h tls tls_dane c
Discovered by Benny Pedersen File postscreen postscreen c Discovered by Benny Pedersen File postscreen postscreen c
proto postconf proto src tlsproxy tlsproxy c src smtpd smtpd c proto postconf proto src tlsproxy tlsproxy c src smtpd smtpd c
proto postconf proto src tlsproxy tlsproxy c src smtpd smtpd c
src tls tls h src tls tls_proxy_client_misc c src tls tls_misc c src tls tls h src tls tls_proxy_client_misc c src tls tls_misc c
src global mail_params h src smtp smtp c src global mail_params h src smtp smtp c
attacks Fix by Viktor Dukhovni Files tls tls h tls_client c attacks Fix by Viktor Dukhovni Files tls tls h tls_client c
@ -25,16 +24,13 @@
arguments Files src dns dns h src dns dns_rr_eq_sa c arguments Files src dns dns h src dns dns_rr_eq_sa c
only a subset of all arguments Files src dns dns h only a subset of all arguments Files src dns dns h
global mail_params h smtp smtp c smtpd smtpd c tls tls_misc c global mail_params h smtp smtp c smtpd smtpd c tls tls_misc c
global mail_params h smtp smtp c smtpd smtpd c tls tls_misc c
tls tls_proxy_client_scan c tls tls_proxy h tlsproxy tlsproxy c tls tls_proxy_client_scan c tls tls_proxy h tlsproxy tlsproxy c
smtp smtp c smtpd smtpd c tls tls_misc c smtp smtp c smtpd smtpd c tls tls_misc c
smtp smtp c smtpd smtpd c tls tls_misc c
proto proto SASL_README html proto SQLITE_README html proto proto SASL_README html proto SQLITE_README html
proto postconf proto global mail_params h smtp smtp c proto postconf proto global mail_params h smtp smtp c
smtpd smtpd c tls tls_misc c tls tls_proxy_client_misc c smtpd smtpd c tls tls_misc c tls tls_proxy_client_misc c
tls tls_proxy h tlsproxy tlsproxy c tls tls_proxy h tlsproxy tlsproxy c
postfix postfix c postlog postlog c postfix postfix c postlog postlog c
postfix postfix c postlog postlog c
util net_mask_top hc smtpd smtpd c smtpd smtpd_peer c util net_mask_top hc smtpd smtpd c smtpd smtpd_peer c
util inet_prefix_top hc smtpd smtpd c smtpd smtpd_peer c util inet_prefix_top hc smtpd smtpd c smtpd smtpd_peer c
File smtp smtp h File smtp smtp h
@ -43,8 +39,6 @@ proto proto SASL_README html proto SQLITE_README html
proto proto ADDRESS_REWRITING_README html proto proto ADDRESS_REWRITING_README html
proto postconf proto proto ADDRESS_REWRITING_README html proto postconf proto proto ADDRESS_REWRITING_README html
cleanup cleanup c local local c smtpd smtpd c cleanup cleanup c local local c smtpd smtpd c
cleanup cleanup c local local c smtpd smtpd c
cleanup cleanup c local local c smtpd smtpd c
postfix postfix c postfix postfix c
aliasing Files proto aliases proto virtual postfix postfix c aliasing Files proto aliases proto virtual postfix postfix c
proto proto aliases proto virtual proto ADDRESS_REWRITING_README html proto proto aliases proto virtual proto ADDRESS_REWRITING_README html
@ -53,3 +47,13 @@ proto proto aliases proto virtual proto ADDRESS_REWRITING_README html
posttls finger posttls finger c smtp smtp c smtp smtp_proto c posttls finger posttls finger c smtp smtp c smtp smtp_proto c
tls tls_client c tls tls h tls tls_misc c tls tls_client c tls tls h tls tls_misc c
tls tls_proxy h tls tls_server c tlsproxy tlsproxy c tls tls_proxy h tls tls_server c tlsproxy tlsproxy c
Cleanup removed some the the instances Files
clients Files posttls finger posttls finger c smtp smtp c
smtp smtp c smtp smtp_proto c tls tls_client c tls tls h
smtp smtp c smtpd smtpd c tls tls_client c tls tls h
smtp smtp_proto c tls tls h tls tls_proxy_client_misc c
tls tls_server c tlsproxy tlsproxy c
tlsproxy tlsproxy c
proto postconf proto smtp smtp c smtpd smtpd c
pipelining before the server greeting File smtpd smtpd c
before the server greeting File smtpd smtpd c

View File

@ -250,3 +250,5 @@ initial_ssl_settings initial_ssl_settings
postfix_settings postfix_settings postfix_settings postfix_settings
postfix_ssl_settings postfix_ssl_settings postfix_ssl_settings postfix_ssl_settings
baseline_postfix_settings baseline_postfix_settings baseline_postfix_settings baseline_postfix_settings
The and match and literally Without the the
The matches literally Without the the would

View File

@ -58,3 +58,4 @@ Piekert
refactored refactored
Fumiyasu Fumiyasu
SATOH SATOH
INI

View File

@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no * Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only. * patchlevel; they change the release date only.
*/ */
#define MAIL_RELEASE_DATE "20230524" #define MAIL_RELEASE_DATE "20230529"
#define MAIL_VERSION_NUMBER "3.9" #define MAIL_VERSION_NUMBER "3.9"
#ifdef SNAPSHOT #ifdef SNAPSHOT

View File

@ -607,7 +607,7 @@
/* (FFDHE) key exchange groups supported by the Postfix SMTP client and /* (FFDHE) key exchange groups supported by the Postfix SMTP client and
/* server. /* server.
/* .PP /* .PP
/* Available in Postfix version 3.9 and later: /* Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
/* .IP "\fBtls_config_file (default)\fR" /* .IP "\fBtls_config_file (default)\fR"
/* Optional configuration file with baseline OpenSSL settings. /* Optional configuration file with baseline OpenSSL settings.
/* .IP "\fBtls_config_name (empty)\fR" /* .IP "\fBtls_config_name (empty)\fR"

View File

@ -531,7 +531,7 @@
/* (FFDHE) key exchange groups supported by the Postfix SMTP client and /* (FFDHE) key exchange groups supported by the Postfix SMTP client and
/* server. /* server.
/* .PP /* .PP
/* Available in Postfix version 3.9 and later: /* Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
/* .IP "\fBtls_config_file (default)\fR" /* .IP "\fBtls_config_file (default)\fR"
/* Optional configuration file with baseline OpenSSL settings. /* Optional configuration file with baseline OpenSSL settings.
/* .IP "\fBtls_config_name (empty)\fR" /* .IP "\fBtls_config_name (empty)\fR"
@ -5448,6 +5448,32 @@ static SMTPD_CMD smtpd_cmd_table[] = {
static STRING_LIST *smtpd_noop_cmds; static STRING_LIST *smtpd_noop_cmds;
static STRING_LIST *smtpd_forbid_cmds; static STRING_LIST *smtpd_forbid_cmds;
/* smtpd_flag_ill_pipelining - flag pipelining protocol violation */
static int smtpd_flag_ill_pipelining(SMTPD_STATE *state)
{
/*
* This code will not return after I/O error, timeout, or EOF. VSTREAM
* exceptions must be enabled in advance with smtp_stream_setup().
*/
if (vstream_peek(state->client) == 0
&& peekfd(vstream_fileno(state->client)) > 0)
(void) vstream_ungetc(state->client, smtp_fgetc(state->client));
if (vstream_peek(state->client) > 0) {
if (state->expand_buf == 0)
state->expand_buf = vstring_alloc(100);
escape(state->expand_buf, vstream_peek_data(state->client),
vstream_peek(state->client) < 100 ?
vstream_peek(state->client) : 100);
msg_info("improper command pipelining after %s from %s: %s",
state->where, state->namaddr, STR(state->expand_buf));
state->flags |= SMTPD_FLAG_ILL_PIPELINING;
return (1);
}
return (0);
}
/* smtpd_proto - talk the SMTP protocol */ /* smtpd_proto - talk the SMTP protocol */
static void smtpd_proto(SMTPD_STATE *state) static void smtpd_proto(SMTPD_STATE *state)
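Review bot: the limit 100 appears three times in smtpd_flag_ill_pipelining() (vstring_alloc(100) and both arms of the ternary on vstream_peek()); a named constant would keep the allocation size and the truncation length in step. The "(void) vstream_ungetc(state->client, smtp_fgetc(state->client));" line also deserves a one-line comment saying why it is there: it pulls the first pending byte into the VSTREAM buffer so that vstream_peek_data() has something to log (the replaced inline code could log an empty escaped string when only peekfd() saw data). And since smtp_fgetc() can raise a VSTREAM exception, the header comment's "must be enabled in advance with smtp_stream_setup()" should name which caller guarantees that for the new pre-greeting call site, not only for the command loop.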
@ -5589,6 +5615,16 @@ static void smtpd_proto(SMTPD_STATE *state)
} }
#endif #endif
/*
* If the client spoke before the server sends the initial greeting,
* raise a flag and log the content of the protocol violation. This
* check MUST NOT apply to TLS wrappermode connections.
*/
if (SMTPD_STAND_ALONE(state) == 0
&& vstream_context(state->client) == 0 /* not postscreen */
&& (state->flags & SMTPD_FLAG_ILL_PIPELINING) == 0)
(void) smtpd_flag_ill_pipelining(state);
/* /*
* XXX The client connection count/rate control must be consistent in * XXX The client connection count/rate control must be consistent in
* its use of client address information in connect and disconnect * its use of client address information in connect and disconnect
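Review bot: the comment says this check "MUST NOT apply to TLS wrappermode connections", but the condition "if (SMTPD_STAND_ALONE(state) == 0 && vstream_context(state->client) == 0 && (state->flags & SMTPD_FLAG_ILL_PIPELINING) == 0)" only excludes stand-alone mode and postscreen hand-offs. If wrappermode is excluded by the placement after the preceding #endif block, say so in the comment; otherwise add an explicit wrappermode test, since a false positive here would flag and log a legitimate client before it has sent a single command.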
@ -5824,18 +5860,8 @@ static void smtpd_proto(SMTPD_STATE *state)
if (SMTPD_STAND_ALONE(state) == 0 if (SMTPD_STAND_ALONE(state) == 0
&& (strcasecmp(state->protocol, MAIL_PROTO_ESMTP) != 0 && (strcasecmp(state->protocol, MAIL_PROTO_ESMTP) != 0
|| (cmdp->flags & SMTPD_CMD_FLAG_LAST)) || (cmdp->flags & SMTPD_CMD_FLAG_LAST))
&& (state->flags & SMTPD_FLAG_ILL_PIPELINING) == 0 && (state->flags & SMTPD_FLAG_ILL_PIPELINING) == 0)
&& (vstream_peek(state->client) > 0 (void) smtpd_flag_ill_pipelining(state);
|| peekfd(vstream_fileno(state->client)) > 0)) {
if (state->expand_buf == 0)
state->expand_buf = vstring_alloc(100);
escape(state->expand_buf, vstream_peek_data(state->client),
vstream_peek(state->client) < 100 ?
vstream_peek(state->client) : 100);
msg_info("improper command pipelining after %s from %s: %s",
cmdp->name, state->namaddr, STR(state->expand_buf));
state->flags |= SMTPD_FLAG_ILL_PIPELINING;
}
if (cmdp->action(state, argc, argv) != 0) if (cmdp->action(state, argc, argv) != 0)
state->error_count++; state->error_count++;
else else
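Review bot: the replaced inline code logged cmdp->name in "improper command pipelining after %s from %s: %s", while smtpd_flag_ill_pipelining() logs state->where; confirm that state->where has already been set to the current command name when "(void) smtpd_flag_ill_pipelining(state);" runs in this loop, otherwise the log line will name the previous command or protocol stage. The refactor also changes behaviour slightly: a pending byte that only peekfd() could see previously produced a log line with an empty escaped buffer, and the helper now reads it into the VSTREAM first; that is an improvement, but it is worth a sentence in the HISTORY entry.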

View File

@ -702,7 +702,7 @@ void tls_param_init(void)
int tls_library_init(void) int tls_library_init(void)
{ {
OPENSSL_INIT_SETTINGS *init_settings = 0; OPENSSL_INIT_SETTINGS *init_settings;
char *conf_name = *var_tls_cnf_name ? var_tls_cnf_name : 0; char *conf_name = *var_tls_cnf_name ? var_tls_cnf_name : 0;
char *conf_file = 0; char *conf_file = 0;
unsigned long init_opts = 0; unsigned long init_opts = 0;
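Review bot: dropping the "= 0" initializer from "OPENSSL_INIT_SETTINGS *init_settings;" is safe only because every TLS_LIB_INIT_RETURN() use comes after init_settings has been assigned; the plain "return (0);" in the context just below, on the "disabling TLS support" path, is deliberately left as a bare return because nothing has been allocated yet. A short comment on that early return would make the intent explicit, so that a later edit does not introduce a TLS_LIB_INIT_RETURN() before the assignment and free an indeterminate pointer.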
@ -712,6 +712,10 @@ int tls_library_init(void)
"disabling TLS support"); "disabling TLS support");
return (0); return (0);
} }
#define TLS_LIB_INIT_RETURN(x) \
do { OPENSSL_INIT_free(init_settings); return (x); } while(0)
#if OPENSSL_VERSION_NUMBER < 0x1010102fL #if OPENSSL_VERSION_NUMBER < 0x1010102fL
/* /*
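Review bot: TLS_LIB_INIT_RETURN() is defined in the middle of the function body and never #undef'd, so it remains visible for the rest of tls_misc.c; add "#undef TLS_LIB_INIT_RETURN" after the last use in tls_library_init(), or use the more conventional pattern of a single cleanup label with "goto". Either way, a comment stating that the macro must only be used once init_settings is valid would help the next reader.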
@ -722,41 +726,49 @@ int tls_library_init(void)
if (strcmp(var_tls_cnf_file, "default") != 0) { if (strcmp(var_tls_cnf_file, "default") != 0) {
msg_warn("non-default %s = %s requires OpenSSL 1.1.1b or later, " msg_warn("non-default %s = %s requires OpenSSL 1.1.1b or later, "
"disabling TLS support", VAR_TLS_CNF_FILE, var_tls_cnf_file); "disabling TLS support", VAR_TLS_CNF_FILE, var_tls_cnf_file);
return (0); TLS_LIB_INIT_RETURN(0);
} }
#else #else
{ {
unsigned long init_flags = 0; unsigned long file_flags = 0;
/*- /*-
* OpenSSL 1.1.1b or later: * OpenSSL 1.1.1b or later:
* We can now choose a non-default or configuration file, or * We can now use a non-default configuration file, or
* use none at all. We can also request strict error * use none at all. We can also request strict error
* reporting. * reporting.
*/ */
if (strcmp(var_tls_cnf_file, "default") == 0) { if (strcmp(var_tls_cnf_file, "none") == 0) {
conf_file = 0;
/* The default global config file is optional */
init_flags |= CONF_MFLAGS_IGNORE_MISSING_FILE;
} else if (strcmp(var_tls_cnf_file, "none") == 0) {
init_opts |= OPENSSL_INIT_NO_LOAD_CONFIG; init_opts |= OPENSSL_INIT_NO_LOAD_CONFIG;
} else if (strcmp(var_tls_cnf_file, "default") == 0) {
/*
* The default global config file is optional. With "default"
* initialization we don't insist on a match for the requested
* application name, allowing fallback to the default application
* name, even when a non-default application name is specified.
* Errors in loading the default configuration are ignored.
*/
conf_file = 0;
file_flags |= CONF_MFLAGS_IGNORE_MISSING_FILE;
file_flags |= CONF_MFLAGS_DEFAULT_SECTION;
file_flags |= CONF_MFLAGS_IGNORE_RETURN_CODES | CONF_MFLAGS_SILENT;
} else if (*var_tls_cnf_file == '/') { } else if (*var_tls_cnf_file == '/') {
/*
* A custom config file must be present, error reporting is
* strict and the configuration section for the requested
* application name does not fall back to "openssl_conf" when
* missing.
*/
conf_file = var_tls_cnf_file; conf_file = var_tls_cnf_file;
} else { } else {
msg_warn("non-default %s = %s is not an absolute pathname, " msg_warn("non-default %s = %s is not an absolute pathname, "
"disabling TLS support", VAR_TLS_CNF_FILE, var_tls_cnf_file); "disabling TLS support", VAR_TLS_CNF_FILE, var_tls_cnf_file);
return (0); TLS_LIB_INIT_RETURN(0);
} }
/* OPENSSL_INIT_set_config_file_flags(init_settings, file_flags);
* By not including CONF_MFLAGS_IGNORE_RETURN_CODES, we get strict
* error reporting. We don't insist on a match for the requested
* application name, allowing fallback to the default application
* name, even when a non-default application name is specified by
* always setting the CONF_MFLAGS_DEFAULT_SECTION bit.
*/
init_flags |= CONF_MFLAGS_DEFAULT_SECTION;
OPENSSL_INIT_set_config_file_flags(init_settings, init_flags);
} }
#endif #endif
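Review bot: the "none" branch sets OPENSSL_INIT_NO_LOAD_CONFIG and then still reaches "OPENSSL_INIT_set_config_file_flags(init_settings, file_flags);" with file_flags == 0; harmless, but either skip the call for "none" or note in a comment that the file flags are irrelevant once config loading is disabled. For the absolute-path branch, the comment says the requested application section "does not fall back to "openssl_conf" when missing"; that is the effect of leaving CONF_MFLAGS_DEFAULT_SECTION out of file_flags (the "default" branch sets it, and the removed comment below explained that the bit is what allows the fallback), so state that explicitly rather than leaving the reader to infer which flag controls it.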
@ -775,9 +787,9 @@ int tls_library_init(void)
msg_warn("error initializing the OpenSSL library, " msg_warn("error initializing the OpenSSL library, "
"disabling TLS support"); "disabling TLS support");
tls_print_errors(); tls_print_errors();
return (0); TLS_LIB_INIT_RETURN(0);
} }
return (1); TLS_LIB_INIT_RETURN(1);
} }
/* tls_pre_jail_init - Load TLS related pre-jail tables */ /* tls_pre_jail_init - Load TLS related pre-jail tables */

View File

@ -143,7 +143,7 @@
/* (FFDHE) key exchange groups supported by the Postfix SMTP client and /* (FFDHE) key exchange groups supported by the Postfix SMTP client and
/* server. /* server.
/* .PP /* .PP
/* Available in Postfix version 3.9 and later: /* Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
/* .IP "\fBtls_config_file (default)\fR" /* .IP "\fBtls_config_file (default)\fR"
/* Optional configuration file with baseline OpenSSL settings. /* Optional configuration file with baseline OpenSSL settings.
/* .IP "\fBtls_config_name (empty)\fR" /* .IP "\fBtls_config_name (empty)\fR"