diff --git a/postfix/HISTORY b/postfix/HISTORY index 841767bf2..80148b74d 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -13731,3 +13731,43 @@ Apologies for any names omitted. 2821 (and 5321) is vague about the VRFY request format, but spends lots of text on the reply format. File: smtpd/smtpd.c. +20100610 + + Bugfix (introduced Postfix 2.2): Postfix no longer appends + the system default CA certificates to the lists specified + with *_tls_CAfile or with *_tls_CApath. This prevents + third-party certificates from getting mail relay permission + with the permit_tls_all_clientcerts feature. Unfortunately + this may cause compatibility problems with configurations + that rely on certificate verification for other purposes. + To get the old behavior, specify "tls_append_default_CA = + yes". Files: tls/tls_certkey.c, smtp/smtp_params.c, + smtpd/smtpd.c, global/mail_params.h. proto/postconf.proto, + mantools/postlink. + +20100714 + + Compatibility with Postfix < 2.3: fix 20061207 was incomplete + (undoing the change to bounce instead of defer after + pipe-to-command delivery fails with a signal). Fix by Thomas + Arnett. File: global/pipe_command.c. + +20100827 + + Performance: fix for poor smtpd_proxy_filter TCP performance + over loopback (127.0.0.1) connections. Problem reported by + Mark Martinec. Files: smtpd/smtpd_proxy.c. + +20101023 + + Cleanup: don't apply reject_rhsbl_helo to non-domain forms + such as network addresses. This would cause false positives + with dbl.spamhaus.org. File: smtpd/smtpd_check.c. + +20101117 + + Bugfix: the "421" reply after Milter error was overruled + by Postfix 1.1 code that replied with "503" for RFC 2821 + compliance. We now make an exception for "final" replies, + as permitted by RFC. Solution by Victor Duchovni. File: + smtpd/smtpd.c. diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index cf371e567..54172d510 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES 
@@ -11,6 +11,18 @@ instead, a new snapshot is released. The mail_release_date configuration parameter (format: yyyymmdd) specifies the release date of a stable release or snapshot release. +Incompatibility with Postfix 2.4.15 +=================================== + +Postfix no longer appends the system-supplied default CA certificates +to the lists specified with *_tls_CAfile or with *_tls_CApath. This +prevents third-party certificates from getting mail relay permission +with the permit_tls_all_clientcerts feature. + +Unfortunately this change may cause compatibility problems when +configurations rely on certificate verification for other purposes. +Specify "tls_append_default_CA = yes" for backwards compatibility. + Incompatibility with Postfix 2.4.4 ================================== diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index a19b6b341..37723c00a 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -7979,6 +7979,10 @@ during TLS startup and shutdown handshake procedures.
needed only when the CA certificate is not already present in the client certificate file. +Specify "tls_append_default_CA = no" to prevent Postfix from +appending the system-supplied default CAs and trusting third-party +certificates.
+Example:
@@ -8002,6 +8006,10 @@ with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".To use this option in chroot mode, this directory (or a copy) must be inside the chroot jail.
+Specify "tls_append_default_CA = no" to prevent Postfix from +appending the system-supplied default CAs and trusting third-party +certificates.
+Example:
@@ -9278,8 +9286,11 @@ authenticated via the RFC 2554Permit the request when the remote SMTP client certificate is verified successfully. This option must be used only if a special CA issues the certificates and only this CA is listed as trusted -CA, otherwise all clients with a recognized certificate would be -allowed to relay. This feature is available with Postfix version 2.2. +CA. Otherwise, clients with a third-party certificate would also +be allowed to relay. Specify "tls_append_default_CA = no" when the +trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath, +to prevent Postfix from appending the system-supplied default CAs. +This feature is available with Postfix version 2.2.
Specify "tls_append_default_CA = no" to prevent Postfix from +appending the system-supplied default CAs and trusting third-party +certificates.
+Example:
@@ -10904,6 +10919,10 @@ CA certificates are not offered to the client, so that e.g. Netscape clients might not offer certificates issued by them. Use of this feature is therefore not recommended. +Specify "tls_append_default_CA = no" to prevent Postfix from +appending the system-supplied default CAs and trusting third-party +certificates.
+Example:
@@ -11726,6 +11745,23 @@ while accessing the Postfix main.cf configuration + + +
Append the system-supplied default certificate authority +certificates to the ones specified with *_tls_CApath or *_tls_CAfile. +The default is "no"; this prevents Postfix from trusting third-party +certificates and giving them relay permission with +permit_tls_all_clientcerts.
+ +This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8, +2.7.2 and later versions. Specify "tls_append_default_CA = yes" for +backwards compatibility, to avoid breaking certificate verification +with sites that don't use permit_tls_all_clientcerts.
+ +Specify "tls_append_default_CA = no" to prevent Postfix from +appending the system-supplied default CAs and trusting third-party +certificates.
+Example:
@@ -8248,6 +8255,10 @@ CA certificates are not offered to the client, so that e.g. Netscape clients might not offer certificates issued by them. Use of this feature is therefore not recommended. +Specify "tls_append_default_CA = no" to prevent Postfix from +appending the system-supplied default CAs and trusting third-party +certificates.
+Example:
@@ -8581,6 +8592,10 @@ smtp_tls_key_file = $smtp_tls_cert_file needed only when the CA certificate is not already present in the client certificate file. +Specify "tls_append_default_CA = no" to prevent Postfix from +appending the system-supplied default CAs and trusting third-party +certificates.
+Example:
@@ -8600,6 +8615,10 @@ with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".To use this option in chroot mode, this directory (or a copy) must be inside the chroot jail.
+Specify "tls_append_default_CA = no" to prevent Postfix from +appending the system-supplied default CAs and trusting third-party +certificates.
+Example:
@@ -8874,6 +8893,19 @@ smtp_tls_dcert_file = /etc/postfix/client-dsa.pemThis feature is available in Postfix 2.2 and later.
+%PARAM tls_append_default_CA no + +Append the system-supplied default certificate authority +certificates to the ones specified with *_tls_CApath or *_tls_CAfile. +The default is "no"; this prevents Postfix from trusting third-party +certificates and giving them relay permission with +permit_tls_all_clientcerts.
+ +This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8, +2.7.2 and later versions. Specify "tls_append_default_CA = yes" for +backwards compatibility, to avoid breaking certificate verification +with sites that don't use permit_tls_all_clientcerts.
+ %PARAM tls_random_exchange_name ${config_directory}/prng_exchName of the pseudo random number generator (PRNG) state file diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index c6369e839..5278dd45d 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -593,6 +593,10 @@ extern bool var_stat_home_dir; #define DEF_DUP_FILTER_LIMIT 1000 extern int var_dup_filter_limit; +#define VAR_TLS_APPEND_DEF_CA "tls_append_default_CA" +#define DEF_TLS_APPEND_DEF_CA 0 /* Postfix < 2.8 BC break */ +extern bool var_tls_append_def_CA; + #define VAR_TLS_RAND_EXCH_NAME "tls_random_exchange_name" #define DEF_TLS_RAND_EXCH_NAME "${config_directory}/prng_exch" extern char *var_tls_rand_exch_name; diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 0e7367b79..14a68fa4c 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20090322" -#define MAIL_VERSION_NUMBER "2.4.14" +#define MAIL_RELEASE_DATE "20091123" +#define MAIL_VERSION_NUMBER "2.4.15" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff --git a/postfix/src/global/pipe_command.c b/postfix/src/global/pipe_command.c index d305f79d0..838e17727 100644 --- a/postfix/src/global/pipe_command.c +++ b/postfix/src/global/pipe_command.c @@ -628,7 +628,7 @@ int pipe_command(VSTREAM *src, DSN_BUF *why,...) */ if (!NORMAL_EXIT_STATUS(wait_status)) { if (WIFSIGNALED(wait_status)) { - dsb_unix(why, "5.3.0", log_len ? + dsb_unix(why, "4.3.0", log_len ? log_buf : sys_exits_detail(EX_SOFTWARE)->text, "Command died with signal %d: \"%s\"%s%s", WTERMSIG(wait_status), args.command, diff --git a/postfix/src/smtp/lmtp_params.c b/postfix/src/smtp/lmtp_params.c index c25587935..2d955fcdd 100644 --- a/postfix/src/smtp/lmtp_params.c 
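Review bot: The comment on `#define DEF_TLS_APPEND_DEF_CA 0 /* Postfix < 2.8 BC break */` does not agree with the rest of this commit, which documents the new default as shipping in 2.4.15, 2.5.11, 2.6.8 and 2.7.2 (RELEASE_NOTES and postconf.proto in this same diff), so a reader of the header alone cannot tell which releases changed behaviour. Suggest `#define DEF_TLS_APPEND_DEF_CA 0 /* BC break in 2.4.15, 2.5.11, 2.6.8, 2.7.2: see RELEASE_NOTES */`. Declaring the extern unconditionally while smtp.c and smtpd.c define the variable only under USE_TLS follows the existing var_tls_daemon_rand_bytes convention visible in those hunks, so that part is fine.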
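Review bot: The reason for replacing `"5.3.0"` with `"4.3.0"` is not stated in the code; the HISTORY entry says it restores the Postfix < 2.3 behaviour of deferring rather than bouncing when the command dies with a signal, and a reader of this branch alone cannot tell that pairing a transient 4.3.0 status with the `sys_exits_detail(EX_SOFTWARE)` text is intentional. Suggest a comment above the call: `/* Postfix < 2.3 compatibility: a command killed by a signal is a transient error (defer), not a bounce. */`. It is worth saying in that comment that a command which is always killed (resource limit, supervisor signal) now retries until the queue lifetime expires instead of bouncing on the first attempt, since that changes how such failures show up in the queue and logs. pipe_command() itself starts and ends outside this hunk.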
+++ b/postfix/src/smtp/lmtp_params.c @@ -94,6 +94,7 @@ #ifdef USE_TLS VAR_LMTP_TLS_ENFORCE_PN, DEF_LMTP_TLS_ENFORCE_PN, &var_smtp_tls_enforce_peername, VAR_LMTP_TLS_NOTEOFFER, DEF_LMTP_TLS_NOTEOFFER, &var_smtp_tls_note_starttls_offer, + VAR_TLS_APPEND_DEF_CA, DEF_TLS_APPEND_DEF_CA, &var_tls_append_def_CA, #endif VAR_LMTP_SENDER_AUTH, DEF_LMTP_SENDER_AUTH, &var_smtp_sender_auth, VAR_LMTP_CNAME_OVERR, DEF_LMTP_CNAME_OVERR, &var_smtp_cname_overr, diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c index 0c226697e..b5cfb10f2 100644 --- a/postfix/src/smtp/smtp.c +++ b/postfix/src/smtp/smtp.c @@ -704,6 +704,7 @@ char *var_smtp_tls_sec_cmatch; int var_smtp_tls_scert_vd; char *var_smtp_tls_vfy_cmatch; int var_tls_daemon_rand_bytes; +bool var_tls_append_def_CA; #endif diff --git a/postfix/src/smtp/smtp_params.c b/postfix/src/smtp/smtp_params.c index e604298b1..bff8d1a78 100644 --- a/postfix/src/smtp/smtp_params.c +++ b/postfix/src/smtp/smtp_params.c @@ -98,6 +98,7 @@ #ifdef USE_TLS VAR_SMTP_TLS_ENFORCE_PN, DEF_SMTP_TLS_ENFORCE_PN, &var_smtp_tls_enforce_peername, VAR_SMTP_TLS_NOTEOFFER, DEF_SMTP_TLS_NOTEOFFER, &var_smtp_tls_note_starttls_offer, + VAR_TLS_APPEND_DEF_CA, DEF_TLS_APPEND_DEF_CA, &var_tls_append_def_CA, #endif VAR_SMTP_SENDER_AUTH, DEF_SMTP_SENDER_AUTH, &var_smtp_sender_auth, VAR_SMTP_CNAME_OVERR, DEF_SMTP_CNAME_OVERR, &var_smtp_cname_overr, diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c index 64b1f3fb7..3c61f68ff 100644 --- a/postfix/src/smtpd/smtpd.c +++ b/postfix/src/smtpd/smtpd.c @@ -1082,6 +1082,7 @@ bool var_smtpd_tls_req_ccert; int var_smtpd_tls_scache_timeout; bool var_smtpd_tls_set_sessid; int var_tls_daemon_rand_bytes; +bool var_tls_append_def_CA; #endif 
@@ -4014,6 +4015,11 @@ static void smtpd_proto(SMTPD_STATE *state) } /* XXX We use the real client for connect access control. */ if (state->access_denied && cmdp->action != quit_cmd) { + /* XXX Exception for Milter override. */ + if (strncmp(state->access_denied + 1, "21", 2) == 0) { + smtpd_chat_reply(state, "%s", state->access_denied); + continue; + } smtpd_chat_reply(state, "503 5.7.0 Error: access denied for %s", state->namaddr); /* RFC 2821 Sec 3.1 */ state->error_count++; @@ -4509,6 +4515,7 @@ int main(int argc, char **argv) VAR_SMTPD_TLS_RCERT, DEF_SMTPD_TLS_RCERT, &var_smtpd_tls_req_ccert, VAR_SMTPD_TLS_RECHEAD, DEF_SMTPD_TLS_RECHEAD, &var_smtpd_tls_received_header, VAR_SMTPD_TLS_SET_SESSID, DEF_SMTPD_TLS_SET_SESSID, &var_smtpd_tls_set_sessid, + VAR_TLS_APPEND_DEF_CA, DEF_TLS_APPEND_DEF_CA, &var_tls_append_def_CA, #endif VAR_SMTPD_PEERNAME_LOOKUP, DEF_SMTPD_PEERNAME_LOOKUP, &var_smtpd_peername_lookup, VAR_SMTPD_DELAY_OPEN, DEF_SMTPD_DELAY_OPEN, &var_smtpd_delay_open, diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c index ad69f5b57..e48effe32 100644 --- a/postfix/src/smtpd/smtpd_check.c +++ b/postfix/src/smtpd/smtpd_check.c @@ -3684,7 +3684,8 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions, name); else { cpp += 1; - if (state->helo_name) + if (state->helo_name + && valid_hostname(state->helo_name, DONT_GRIPE)) status = reject_rbl_domain(state, *cpp, state->helo_name, SMTPD_NAME_HELO); } diff --git a/postfix/src/smtpd/smtpd_proxy.c b/postfix/src/smtpd/smtpd_proxy.c index 345485abd..9cc258743 100644 --- a/postfix/src/smtpd/smtpd_proxy.c +++ b/postfix/src/smtpd/smtpd_proxy.c 
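Review bot: The new early `continue` for x21 replies skips the `state->error_count++` that the 503 path below still performs, so a client that keeps issuing commands after a final 421/521 is presumably no longer counted towards the session error limits and can hold the connection open until the command timeout, unless a hangup on 421 happens inside smtpd_chat_reply or elsewhere in the loop (not visible in this hunk). Adding `state->error_count++;` before the `continue;` in the new branch keeps the limit behaviour of the old path. The `/* XXX Exception for Milter override. */` comment also undersells what the test does: `strncmp(state->access_denied + 1, "21", 2)` matches any x21 reply, so something like `/* A final reply (421/521, RFC 2821) is repeated as-is rather than overruled by 503. */` would tell the next reader why. smtpd_proto() starts and ends outside this hunk.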
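Review bot: The added `valid_hostname(state->helo_name, DONT_GRIPE)` guard carries no comment, and the intent (per HISTORY: skip non-domain HELO forms such as network addresses, which produced false positives with dbl.spamhaus.org) is not obvious from the call. Suggest `/* Skip non-domain HELO forms (address literals, numeric names): a domain-based list cannot describe them. */` on the line above the test. DONT_GRIPE is the right choice here, since the HELO value is client-controlled and a warning per rejected name would let a remote client fill the log. generic_checks() starts and ends outside this hunk.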
@@ -302,6 +302,9 @@ int smtpd_proxy_open(SMTPD_STATE *state, const char *service, } state->proxy = vstream_fdopen(fd, O_RDWR); vstream_control(state->proxy, VSTREAM_CTL_PATH, service, VSTREAM_CTL_END); + /* Avoid poor performance when TCP MSS > VSTREAM_BUFSIZE. */ + if (connect_fn == inet_connect) + vstream_tweak_tcp(state->proxy); smtp_timeout_setup(state->proxy, timeout); /* diff --git a/postfix/src/tls/Makefile.in b/postfix/src/tls/Makefile.in index d3e21510a..6e1c71383 100644 --- a/postfix/src/tls/Makefile.in +++ b/postfix/src/tls/Makefile.in @@ -99,6 +99,7 @@ tls_bio_ops.o: ../../include/vstream.h tls_bio_ops.o: ../../include/vstring.h tls_bio_ops.o: tls.h tls_bio_ops.o: tls_bio_ops.c +tls_certkey.o: ../../include/mail_params.h tls_certkey.o: ../../include/msg.h tls_certkey.o: ../../include/name_code.h tls_certkey.o: ../../include/name_mask.h diff --git a/postfix/src/tls/tls_certkey.c b/postfix/src/tls/tls_certkey.c index 05deba332..633c431b3 100644 --- a/postfix/src/tls/tls_certkey.c +++ b/postfix/src/tls/tls_certkey.c @@ -67,6 +67,10 @@ #include
+/* Global library. */ + +#include + /* TLS library. */ #define TLS_INTERNAL @@ -87,7 +91,7 @@ int tls_set_ca_certificate_info(SSL_CTX *ctx, const char *CAfile, tls_print_errors(); return (-1); } - if (!SSL_CTX_set_default_verify_paths(ctx)) { + if (var_tls_append_def_CA && !SSL_CTX_set_default_verify_paths(ctx)) { msg_info("cannot set certificate verification paths"); tls_print_errors(); return (-1);
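Review bot: With the `var_tls_append_def_CA` guard, a configuration that sets neither *_tls_CAfile nor *_tls_CApath presumably ends up with no trust anchors at all when tls_append_default_CA is "no" (the default), assuming the code above the hunk loads CAfile/CApath only when they are set, and nothing in this function reports that — the only diagnostics are on the failure paths. That is the safe direction for permit_tls_all_clientcerts, but smtp client verification and smtpd client-certificate checks then fail with only a generic verification error, so the skipped branch deserves a why-comment such as `/* Trust the system CA bundle only on request (tls_append_default_CA): otherwise any third-party certificate would satisfy permit_tls_all_clientcerts. */` and a `msg_info` when the function returns without having loaded any CA data. Note also that SSL_CTX_set_default_verify_paths() takes the store location from the OpenSSL build or the SSL_CERT_FILE/SSL_CERT_DIR environment, so with "yes" the trusted set depends on the daemon's environment as well as the compiled-in paths. tls_set_ca_certificate_info()'s earlier CAfile/CApath handling lies above the hunk.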