From 9756d67d1aebe23fae4cdfa4090de950fff5e843 Mon Sep 17 00:00:00 2001 From: Wietse Z Venema Date: Wed, 30 Jul 2025 00:00:00 -0500 Subject: [PATCH] postfix-3.11-20250730 --- postfix/HISTORY | 23 +++++++++++++ postfix/conf/postfix-tls-script | 2 +- postfix/html/discard.8.html | 2 +- postfix/html/error.8.html | 2 +- postfix/html/oqmgr.8.html | 2 +- postfix/html/postfix-tls.1.html | 2 +- postfix/html/qmgr.8.html | 2 +- postfix/html/virtual.8.html | 2 +- postfix/man/man1/postfix-tls.1 | 2 +- postfix/man/man1/postmulti.1 | 38 ++++++++++++++++++++- postfix/man/man8/discard.8 | 2 +- postfix/man/man8/error.8 | 2 +- postfix/man/man8/oqmgr.8 | 2 +- postfix/man/man8/qmgr.8 | 2 +- postfix/man/man8/virtual.8 | 2 +- postfix/mantools/srctoman | 2 +- postfix/proto/stop.double-history | 4 +++ postfix/src/discard/discard.c | 2 +- postfix/src/error/error.c | 2 +- postfix/src/global/config_known_tcp_ports.c | 4 +-- postfix/src/global/mail_version.h | 2 +- postfix/src/oqmgr/qmgr.c | 2 +- postfix/src/postmulti/postmulti.c | 36 ++++++++++++++----- postfix/src/qmgr/qmgr.c | 2 +- postfix/src/tls/tls_client.c | 6 ++-- postfix/src/tls/tls_misc.c | 8 ++--- postfix/src/tls/tls_verify.c | 18 +++++----- postfix/src/virtual/virtual.c | 2 +- 28 files changed, 128 insertions(+), 49 deletions(-) diff --git a/postfix/HISTORY b/postfix/HISTORY index d5658bd7a..db6dfb59c 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -29488,3 +29488,26 @@ Apologies for any names omitted. Postfix that would need to be converted to int64_t, or to long long which just like time_t is a 64-bit type on many ILP32 and LP64 systems. + +20250730 + + Bugfix (defect introduced: Postfix 3.6, date 20200710): + Postfix TLS client code logged "Untrusted TLS connection" + (wrong) instead of "Trusted TLS connection" (right) for a + resumed TLS session, when a server offered a trusted (valid + PKI trust chain) certificate that did not match the expected + server name pattern. Viktor Dukhovni. Files: tls/tls_client.c, + tls/tls_verify.c. + + Cleanup: make the manpage extraction tooling smarter about + section headings, and remove the now unnecessary explicit + ".SH" formatting requests. This produces zero visible change + in formatted Postfix manpages. Files: mantools/srctoman, + src/global/config_known_tcp_ports.c, postmulti/postmulti.c, + tls/tls_misc.c. + + Regenerate all manpages, causing parameter summaries to be + updated with new descriptions from postconf(5). Files: + conf/postfix-tls-script, discard/discard.c, error/error.c, + oqmgr/qmgr.c, postmulti/postmulti.c, qmgr/qmgr.c, + virtual/virtual.c. diff --git a/postfix/conf/postfix-tls-script b/postfix/conf/postfix-tls-script index 997e9c52e..04501b481 100644 --- a/postfix/conf/postfix-tls-script +++ b/postfix/conf/postfix-tls-script @@ -177,7 +177,7 @@ # The location of the OpenSSL command line program \fBopenssl\fR(1). # .IP "\fBsmtp_tls_loglevel (0)\fR" # Enable additional Postfix SMTP client logging of TLS activity. -# .IP "\fBsmtp_tls_security_level (empty)\fR" +# .IP "\fBsmtp_tls_security_level (Postfix >= 3.11: may; Postfix < 3.11: empty)\fR" # The default SMTP TLS security level for the Postfix SMTP client. # .IP "\fBsmtp_tls_session_cache_database (empty)\fR" # Name of the file containing the optional Postfix SMTP client diff --git a/postfix/html/discard.8.html b/postfix/html/discard.8.html index 9d0e1ebde..207a03540 100644 --- a/postfix/html/discard.8.html +++ b/postfix/html/discard.8.html @@ -60,7 +60,7 @@ DISCARD(8) DISCARD(8) delay_logging_resolution_limit (2) The maximal number of digits after the decimal point when log- - ging sub-second delay values. + ging delay values. double_bounce_sender (double-bounce) The sender address of postmaster notifications that are gener- diff --git a/postfix/html/error.8.html b/postfix/html/error.8.html index aee2cd8ad..4f22acbe0 100644 --- a/postfix/html/error.8.html +++ b/postfix/html/error.8.html @@ -70,7 +70,7 @@ ERROR(8) ERROR(8) delay_logging_resolution_limit (2) The maximal number of digits after the decimal point when log- - ging sub-second delay values. + ging delay values. double_bounce_sender (double-bounce) The sender address of postmaster notifications that are gener- diff --git a/postfix/html/oqmgr.8.html b/postfix/html/oqmgr.8.html index 0bebfb533..cc47fea49 100644 --- a/postfix/html/oqmgr.8.html +++ b/postfix/html/oqmgr.8.html @@ -348,7 +348,7 @@ OQMGR(8) OQMGR(8) delay_logging_resolution_limit (2) The maximal number of digits after the decimal point when log- - ging sub-second delay values. + ging delay values. helpful_warnings (yes) Log warnings about problematic configuration settings, and pro- diff --git a/postfix/html/postfix-tls.1.html b/postfix/html/postfix-tls.1.html index 272d98b53..b94443a39 100644 --- a/postfix/html/postfix-tls.1.html +++ b/postfix/html/postfix-tls.1.html @@ -182,7 +182,7 @@ POSTFIX-TLS(1) POSTFIX-TLS(1) smtp_tls_loglevel (0) Enable additional Postfix SMTP client logging of TLS activity. - smtp_tls_security_level (empty) + smtp_tls_security_level (Postfix >= 3.11: may; Postfix < 3.11: empty) The default SMTP TLS security level for the Postfix SMTP client. smtp_tls_session_cache_database (empty) diff --git a/postfix/html/qmgr.8.html b/postfix/html/qmgr.8.html index 3e6249e74..575f6d7cb 100644 --- a/postfix/html/qmgr.8.html +++ b/postfix/html/qmgr.8.html @@ -426,7 +426,7 @@ QMGR(8) QMGR(8) delay_logging_resolution_limit (2) The maximal number of digits after the decimal point when log- - ging sub-second delay values. + ging delay values. helpful_warnings (yes) Log warnings about problematic configuration settings, and pro- diff --git a/postfix/html/virtual.8.html b/postfix/html/virtual.8.html index 880018fcb..b72652aaa 100644 --- a/postfix/html/virtual.8.html +++ b/postfix/html/virtual.8.html @@ -233,7 +233,7 @@ VIRTUAL(8) VIRTUAL(8) delay_logging_resolution_limit (2) The maximal number of digits after the decimal point when log- - ging sub-second delay values. + ging delay values. ipc_timeout (3600s) The time limit for sending or receiving information over an diff --git a/postfix/man/man1/postfix-tls.1 b/postfix/man/man1/postfix-tls.1 index 4e8cb9279..2a6025c6a 100644 --- a/postfix/man/man1/postfix-tls.1 +++ b/postfix/man/man1/postfix-tls.1 @@ -185,7 +185,7 @@ configuration files. The location of the OpenSSL command line program \fBopenssl\fR(1). .IP "\fBsmtp_tls_loglevel (0)\fR" Enable additional Postfix SMTP client logging of TLS activity. -.IP "\fBsmtp_tls_security_level (empty)\fR" +.IP "\fBsmtp_tls_security_level (Postfix >= 3.11: may; Postfix < 3.11: empty)\fR" The default SMTP TLS security level for the Postfix SMTP client. .IP "\fBsmtp_tls_session_cache_database (empty)\fR" Name of the file containing the optional Postfix SMTP client diff --git a/postfix/man/man1/postmulti.1 b/postfix/man/man1/postmulti.1 index 6db035ea1..96c597e94 100644 --- a/postfix/man/man1/postmulti.1 +++ b/postfix/man/man1/postmulti.1 @@ -95,6 +95,10 @@ command is performed just for the primary instance. .PP Iterator mode implements the following command options: .SH "Instance selection" +.na +.nf +.ad +.fi .IP \fB\-a\fR Perform the operation on all instances. This is the default. .IP "\fB\-g \fIgroup\fR" @@ -111,10 +115,18 @@ are started before "source" instances. .sp This option cannot be used with \fB\-p\fR. .SH "List mode" +.na +.nf +.ad +.fi .IP \fB\-l\fR List Postfix instances with their instance name, instance group name, enable/disable status and configuration directory. -.SH "Postfix\-wrapper mode" +.SH "Postfix-wrapper mode" +.na +.nf +.ad +.fi .IP "\fB\-p \fIpostfix\-command\fR" Invoke \fBpostfix(1)\fR to execute \fIpostfix\-command\fR. This option implements the \fBpostfix\-wrapper\fR(5) interface. @@ -146,6 +158,10 @@ invoke \fBpostmulti\fR(1) as follows: # postmulti \-g msa \-p start .RE .SH "Command mode" +.na +.nf +.ad +.fi .IP "\fB\-x \fIunix\-command\fR" Execute the specified \fIunix\-command\fR for all Postfix instances. The command runs with appropriate environment settings for @@ -154,6 +170,10 @@ config_directory, queue_directory, data_directory, multi_instance_name, multi_instance_group and multi_instance_enable. .SH "Other options" +.na +.nf +.ad +.fi .IP \fB\-v\fR Enable verbose logging for debugging purposes. Multiple \fB\-v\fR options make the software increasingly verbose. @@ -168,6 +188,10 @@ multi\-instance status of an existing instance. .PP The following options are implemented: .SH "Existing instance selection" +.na +.nf +.ad +.fi .IP \fB\-a\fR When creating or importing an instance, place the new instance at the front of the secondary instance list. @@ -183,6 +207,10 @@ With other life\-cycle operations, apply the operation to the named existing instance. Specify "\-" to select the primary Postfix instance. .SH "New or existing instance name assignment" +.na +.nf +.ad +.fi .IP "\fB\-I \fIname\fR" Assign the specified instance \fIname\fR to an existing instance, newly\-created instance, or imported instance. @@ -194,6 +222,10 @@ likelihood of name collisions with system files. Assign the specified \fIgroup\fR name to an existing instance or to a newly created or imported instance. .SH "Instance creation/deletion/status change" +.na +.nf +.ad +.fi .IP "\fB\-e \fIaction\fR" "Edit" managed instances. The following actions are supported: .RS @@ -315,6 +347,10 @@ the instance will not be started etc. with "postfix start", "postmulti \-p start" and so on. The instance can still be started etc. with "postfix \-c config\-directory start". .SH "Other options" +.na +.nf +.ad +.fi .IP \fB\-v\fR Enable verbose logging for debugging purposes. Multiple \fB\-v\fR options make the software increasingly verbose. diff --git a/postfix/man/man8/discard.8 b/postfix/man/man8/discard.8 index 782389149..6f01d86a6 100644 --- a/postfix/man/man8/discard.8 +++ b/postfix/man/man8/discard.8 @@ -67,7 +67,7 @@ How much time a Postfix daemon process may take to handle a request before it is terminated by a built\-in watchdog timer. .IP "\fBdelay_logging_resolution_limit (2)\fR" The maximal number of digits after the decimal point when logging -sub\-second delay values. +delay values. .IP "\fBdouble_bounce_sender (double\-bounce)\fR" The sender address of postmaster notifications that are generated by the mail system. diff --git a/postfix/man/man8/error.8 b/postfix/man/man8/error.8 index f0dae3be9..08c9e158e 100644 --- a/postfix/man/man8/error.8 +++ b/postfix/man/man8/error.8 @@ -75,7 +75,7 @@ How much time a Postfix daemon process may take to handle a request before it is terminated by a built\-in watchdog timer. .IP "\fBdelay_logging_resolution_limit (2)\fR" The maximal number of digits after the decimal point when logging -sub\-second delay values. +delay values. .IP "\fBdouble_bounce_sender (double\-bounce)\fR" The sender address of postmaster notifications that are generated by the mail system. diff --git a/postfix/man/man8/oqmgr.8 b/postfix/man/man8/oqmgr.8 index 61b4299ab..6ea0cede1 100644 --- a/postfix/man/man8/oqmgr.8 +++ b/postfix/man/man8/oqmgr.8 @@ -347,7 +347,7 @@ The names of message delivery transports that should not deliver mail unless someone issues "\fBsendmail \-q\fR" or equivalent. .IP "\fBdelay_logging_resolution_limit (2)\fR" The maximal number of digits after the decimal point when logging -sub\-second delay values. +delay values. .IP "\fBhelpful_warnings (yes)\fR" Log warnings about problematic configuration settings, and provide helpful suggestions. diff --git a/postfix/man/man8/qmgr.8 b/postfix/man/man8/qmgr.8 index ca1fd4c79..6be3f8bb1 100644 --- a/postfix/man/man8/qmgr.8 +++ b/postfix/man/man8/qmgr.8 @@ -411,7 +411,7 @@ The names of message delivery transports that should not deliver mail unless someone issues "\fBsendmail \-q\fR" or equivalent. .IP "\fBdelay_logging_resolution_limit (2)\fR" The maximal number of digits after the decimal point when logging -sub\-second delay values. +delay values. .IP "\fBhelpful_warnings (yes)\fR" Log warnings about problematic configuration settings, and provide helpful suggestions. diff --git a/postfix/man/man8/virtual.8 b/postfix/man/man8/virtual.8 index 746fc0df2..68e2382c4 100644 --- a/postfix/man/man8/virtual.8 +++ b/postfix/man/man8/virtual.8 @@ -263,7 +263,7 @@ How much time a Postfix daemon process may take to handle a request before it is terminated by a built\-in watchdog timer. .IP "\fBdelay_logging_resolution_limit (2)\fR" The maximal number of digits after the decimal point when logging -sub\-second delay values. +delay values. .IP "\fBipc_timeout (3600s)\fR" The time limit for sending or receiving information over an internal communication channel. diff --git a/postfix/mantools/srctoman b/postfix/mantools/srctoman index e48f379cd..3959be583 100755 --- a/postfix/mantools/srctoman +++ b/postfix/mantools/srctoman @@ -92,7 +92,7 @@ do /^HISTORY/s//.SH &\ .ad\ .fi/ - /^[A-Z][A-Z][A-Z][^a-z]*$/s//.SH "&"\ + /^[A-Z][A-Za-z][A-Za-z].*$/s//.SH "&"\ .na\ .nf/ p diff --git a/postfix/proto/stop.double-history b/postfix/proto/stop.double-history index 45bfd7fb7..4b800e3ab 100644 --- a/postfix/proto/stop.double-history +++ b/postfix/proto/stop.double-history @@ -189,3 +189,7 @@ proto proto COMPATIBILITY_README html long long which just like time_t is a 64 bit type on many File tls tls h dual purpose field File tls tls h + conf postfix tls script discard discard c error error c + oqmgr qmgr c postmulti postmulti c qmgr qmgr c + src global config_known_tcp_ports c postmulti postmulti c + virtual virtual c diff --git a/postfix/src/discard/discard.c b/postfix/src/discard/discard.c index 331f96fbd..f21b95cbc 100644 --- a/postfix/src/discard/discard.c +++ b/postfix/src/discard/discard.c @@ -53,7 +53,7 @@ /* request before it is terminated by a built-in watchdog timer. /* .IP "\fBdelay_logging_resolution_limit (2)\fR" /* The maximal number of digits after the decimal point when logging -/* sub-second delay values. +/* delay values. /* .IP "\fBdouble_bounce_sender (double-bounce)\fR" /* The sender address of postmaster notifications that are generated /* by the mail system. diff --git a/postfix/src/error/error.c b/postfix/src/error/error.c index 61e805b0d..e1ff1cb7c 100644 --- a/postfix/src/error/error.c +++ b/postfix/src/error/error.c @@ -61,7 +61,7 @@ /* request before it is terminated by a built-in watchdog timer. /* .IP "\fBdelay_logging_resolution_limit (2)\fR" /* The maximal number of digits after the decimal point when logging -/* sub-second delay values. +/* delay values. /* .IP "\fBdouble_bounce_sender (double-bounce)\fR" /* The sender address of postmaster notifications that are generated /* by the mail system. diff --git a/postfix/src/global/config_known_tcp_ports.c b/postfix/src/global/config_known_tcp_ports.c index 563bbd356..db61f4aae 100644 --- a/postfix/src/global/config_known_tcp_ports.c +++ b/postfix/src/global/config_known_tcp_ports.c @@ -14,10 +14,10 @@ /* in the settings argument, and reports any warnings to the standard /* error stream. The source argument is used to provide warning /* context. It typically is a configuration parameter name. -/* .SH EXPECTED SYNTAX (ABNF) +/* EXPECTED SYNTAX (ABNF) /* configuration = empty | name-to-port *("," name-to-port) /* name-to-port = 1*(name "=") port -/* SH EXAMPLES +/* EXAMPLES /* In the example below, the whitespace is optional. /* smtp = 25, smtps = submissions = 465, submission = 587 /* LICENSE diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 8ef93f86d..56b86a414 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20250729" +#define MAIL_RELEASE_DATE "20250730" #define MAIL_VERSION_NUMBER "3.11" #ifdef SNAPSHOT diff --git a/postfix/src/oqmgr/qmgr.c b/postfix/src/oqmgr/qmgr.c index 02573f161..11859a871 100644 --- a/postfix/src/oqmgr/qmgr.c +++ b/postfix/src/oqmgr/qmgr.c @@ -309,7 +309,7 @@ /* unless someone issues "\fBsendmail -q\fR" or equivalent. /* .IP "\fBdelay_logging_resolution_limit (2)\fR" /* The maximal number of digits after the decimal point when logging -/* sub-second delay values. +/* delay values. /* .IP "\fBhelpful_warnings (yes)\fR" /* Log warnings about problematic configuration settings, and provide /* helpful suggestions. diff --git a/postfix/src/postmulti/postmulti.c b/postfix/src/postmulti/postmulti.c index 5adcd272c..ccb85afa8 100644 --- a/postfix/src/postmulti/postmulti.c +++ b/postfix/src/postmulti/postmulti.c @@ -84,7 +84,9 @@ /* command is performed just for the primary instance. /* .PP /* Iterator mode implements the following command options: -/* .SH "Instance selection" +/* Instance selection +/* .ad +/* .fi /* .IP \fB-a\fR /* Perform the operation on all instances. This is the default. /* .IP "\fB-g \fIgroup\fR" @@ -100,11 +102,15 @@ /* are started before "source" instances. /* .sp /* This option cannot be used with \fB-p\fR. -/* .SH "List mode" +/* List mode +/* .ad +/* .fi /* .IP \fB-l\fR /* List Postfix instances with their instance name, instance /* group name, enable/disable status and configuration directory. -/* .SH "Postfix-wrapper mode" +/* Postfix-wrapper mode +/* .ad +/* .fi /* .IP "\fB-p \fIpostfix-command\fR" /* Invoke \fBpostfix(1)\fR to execute \fIpostfix-command\fR. /* This option implements the \fBpostfix-wrapper\fR(5) interface. @@ -135,7 +141,9 @@ /* .IP /* # postmulti -g msa -p start /* .RE -/* .SH "Command mode" +/* Command mode +/* .ad +/* .fi /* .IP "\fB-x \fIunix-command\fR" /* Execute the specified \fIunix-command\fR for all Postfix instances. /* The command runs with appropriate environment settings for @@ -143,7 +151,9 @@ /* config_directory, queue_directory, data_directory, /* multi_instance_name, multi_instance_group and /* multi_instance_enable. -/* .SH "Other options" +/* Other options +/* .ad +/* .fi /* .IP \fB-v\fR /* Enable verbose logging for debugging purposes. Multiple /* \fB-v\fR options make the software increasingly verbose. @@ -155,7 +165,9 @@ /* multi-instance status of an existing instance. /* .PP /* The following options are implemented: -/* .SH "Existing instance selection" +/* Existing instance selection +/* .ad +/* .fi /* .IP \fB-a\fR /* When creating or importing an instance, place the new /* instance at the front of the secondary instance list. @@ -170,7 +182,9 @@ /* With other life-cycle operations, apply the operation to /* the named existing instance. Specify "-" to select the /* primary Postfix instance. -/* .SH "New or existing instance name assignment" +/* New or existing instance name assignment +/* .ad +/* .fi /* .IP "\fB-I \fIname\fR" /* Assign the specified instance \fIname\fR to an existing /* instance, newly-created instance, or imported instance. @@ -181,7 +195,9 @@ /* .IP "\fB-G \fIgroup\fR" /* Assign the specified \fIgroup\fR name to an existing instance /* or to a newly created or imported instance. -/* .SH "Instance creation/deletion/status change" +/* Instance creation/deletion/status change +/* .ad +/* .fi /* .IP "\fB-e \fIaction\fR" /* "Edit" managed instances. The following actions are supported: /* .RS @@ -302,7 +318,9 @@ /* the instance will not be started etc. with "postfix start", /* "postmulti -p start" and so on. The instance can still be /* started etc. with "postfix -c config-directory start". -/* .SH "Other options" +/* Other options +/* .ad +/* .fi /* .IP \fB-v\fR /* Enable verbose logging for debugging purposes. Multiple /* \fB-v\fR options make the software increasingly verbose. diff --git a/postfix/src/qmgr/qmgr.c b/postfix/src/qmgr/qmgr.c index 25168e482..d3048d1c7 100644 --- a/postfix/src/qmgr/qmgr.c +++ b/postfix/src/qmgr/qmgr.c @@ -371,7 +371,7 @@ /* unless someone issues "\fBsendmail -q\fR" or equivalent. /* .IP "\fBdelay_logging_resolution_limit (2)\fR" /* The maximal number of digits after the decimal point when logging -/* sub-second delay values. +/* delay values. /* .IP "\fBhelpful_warnings (yes)\fR" /* Log warnings about problematic configuration settings, and provide /* helpful suggestions. diff --git a/postfix/src/tls/tls_client.c b/postfix/src/tls/tls_client.c index babdbf40b..02db1d56f 100644 --- a/postfix/src/tls/tls_client.c +++ b/postfix/src/tls/tls_client.c @@ -319,6 +319,7 @@ static void uncache_session(SSL_CTX *ctx, TLS_SESS_STATE *TLScontext) static void verify_x509(TLS_SESS_STATE *TLScontext, X509 *peercert, const TLS_CLIENT_START_PROPS *props) { + int x509_err = SSL_get_verify_result(TLScontext->con); /* * On exit both peer_CN and issuer_CN should be set. @@ -330,7 +331,7 @@ static void verify_x509(TLS_SESS_STATE *TLScontext, X509 *peercert, * Is the certificate trust chain trusted and matched? Any required name * checks are now performed internally in OpenSSL. */ - if (SSL_get_verify_result(TLScontext->con) == X509_V_OK) { + if (x509_err == X509_V_OK) { TLScontext->peer_status |= TLS_CERT_FLAG_TRUSTED; if (TLScontext->must_fail) { msg_panic("%s: cert valid despite trust init failure", @@ -363,8 +364,7 @@ static void verify_x509(TLS_SESS_STATE *TLScontext, X509 *peercert, } } } else if (TLS_MUST_MATCH(TLScontext->level) && - TLScontext->errordepth == 0 && - TLScontext->errorcode == X509_V_ERR_HOSTNAME_MISMATCH) { + x509_err == X509_V_ERR_HOSTNAME_MISMATCH) { /* * If the only error is a hostname mismatch, the certificate must have * been trusted. diff --git a/postfix/src/tls/tls_misc.c b/postfix/src/tls/tls_misc.c index d4cbe2bb9..6cc38cc40 100644 --- a/postfix/src/tls/tls_misc.c +++ b/postfix/src/tls/tls_misc.c @@ -4,9 +4,7 @@ /* SUMMARY /* miscellaneous TLS support routines /* SYNOPSIS -/* .SH Public functions -/* .nf -/* .na +/* Public functions /* #include /* /* void tls_log_summary(role, usage, TLScontext) @@ -23,9 +21,7 @@ /* void tls_pre_jail_init(TLS_ROLE) /* TLS_ROLE role; /* -/* .SH Internal functions -/* .nf -/* .na +/* Internal functions /* #define TLS_INTERNAL /* #include /* diff --git a/postfix/src/tls/tls_verify.c b/postfix/src/tls/tls_verify.c index deb3ae8d3..9c7191c45 100644 --- a/postfix/src/tls/tls_verify.c +++ b/postfix/src/tls/tls_verify.c @@ -120,9 +120,10 @@ /* update_error_state - safely stash away error state */ -static void update_error_state(TLS_SESS_STATE *TLScontext, int depth, - X509 *errorcert, int errorcode) +static void update_error_state(X509_STORE_CTX *ctx, TLS_SESS_STATE *TLScontext, + int depth, X509 *errorcert, int errorcode) { + /* * Report the error that is closest to the leaf certificate, any errors * higher up the chain are immaterial until the "inner" errors are fixed. @@ -132,11 +133,12 @@ static void update_error_state(TLS_SESS_STATE *TLScontext, int depth, * with a hostname mismatch. Any other error has a higher priority. */ if (TLScontext->errordepth >= 0) { - if (TLScontext->errordepth <= depth && - TLScontext->errorcode != X509_V_ERR_HOSTNAME_MISMATCH) - return; - if (errorcode == X509_V_ERR_HOSTNAME_MISMATCH) + if ((TLScontext->errordepth <= depth && + TLScontext->errorcode != X509_V_ERR_HOSTNAME_MISMATCH) || + errorcode == X509_V_ERR_HOSTNAME_MISMATCH) { + X509_STORE_CTX_set_error(ctx, TLScontext->errorcode); return; + } } /* @@ -191,12 +193,12 @@ int tls_verify_certificate_callback(int ok, X509_STORE_CTX *ctx) if (TLScontext->must_fail) { if (depth == 0) { X509_STORE_CTX_set_error(ctx, err = X509_V_ERR_UNSPECIFIED); - update_error_state(TLScontext, depth, cert, err); + update_error_state(ctx, TLScontext, depth, cert, err); } return (1); } if (ok == 0) - update_error_state(TLScontext, depth, cert, err); + update_error_state(ctx, TLScontext, depth, cert, err); if (TLScontext->log_mask & TLS_LOG_VERBOSE) { if (cert) { diff --git a/postfix/src/virtual/virtual.c b/postfix/src/virtual/virtual.c index 6fa9f1e67..ed8025352 100644 --- a/postfix/src/virtual/virtual.c +++ b/postfix/src/virtual/virtual.c @@ -227,7 +227,7 @@ /* request before it is terminated by a built-in watchdog timer. /* .IP "\fBdelay_logging_resolution_limit (2)\fR" /* The maximal number of digits after the decimal point when logging -/* sub-second delay values. +/* delay values. /* .IP "\fBipc_timeout (3600s)\fR" /* The time limit for sending or receiving information over an internal /* communication channel.