mirror of https://github.com/vdukhovni/postfix synced 2025-08-29 13:18:12 +00:00

postfix-2.4.15

This commit is contained in:
Wietse Venema 2009-11-23 00:00:00 -05:00 committed by Viktor Dukhovni
parent ee180a4c76
commit a2d30d2f55
17 changed files with 185 additions and 11 deletions

View File

@ -13731,3 +13731,43 @@ Apologies for any names omitted.
2821 (and 5321) is vague about the VRFY request format, but 2821 (and 5321) is vague about the VRFY request format, but
spends lots of text on the reply format. File: smtpd/smtpd.c. spends lots of text on the reply format. File: smtpd/smtpd.c.
20100610
Bugfix (introduced Postfix 2.2): Postfix no longer appends
the system default CA certificates to the lists specified
with *_tls_CAfile or with *_tls_CApath. This prevents
third-party certificates from getting mail relay permission
with the permit_tls_all_clientcerts feature. Unfortunately
this may cause compatibility problems with configurations
that rely on certificate verification for other purposes.
To get the old behavior, specify "tls_append_default_CA =
yes". Files: tls/tls_certkey.c, smtp/smtp_params.c,
smtpd/smtpd.c, global/mail_params.h. proto/postconf.proto,
mantools/postlink.
20100714
Compatibility with Postfix < 2.3: fix 20061207 was incomplete
(undoing the change to bounce instead of defer after
pipe-to-command delivery fails with a signal). Fix by Thomas
Arnett. File: global/pipe_command.c.
20100827
Performance: fix for poor smtpd_proxy_filter TCP performance
over loopback (127.0.0.1) connections. Problem reported by
Mark Martinec. Files: smtpd/smtpd_proxy.c.
20101023
Cleanup: don't apply reject_rhsbl_helo to non-domain forms
such as network addresses. This would cause false positives
with dbl.spamhaus.org. File: smtpd/smtpd_check.c.
20101117
Bugfix: the "421" reply after Milter error was overruled
by Postfix 1.1 code that replied with "503" for RFC 2821
compliance. We now make an exception for "final" replies,
as permitted by RFC. Solution by Victor Duchovni. File:
smtpd/smtpd.c.
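Review bot: the file list in the 20100610 entry reads "global/mail_params.h. proto/postconf.proto" with a period where a comma belongs, and it omits the lmtp parameter table and tls/Makefile.in, both of which this commit also touches (the VAR_TLS_APPEND_DEF_CA entry is added to the VAR_LMTP_* table, and tls_certkey.o gains a mail_params.h dependency). In the 20101117 entry the credit "Victor Duchovni" does not match the spelling "Viktor Dukhovni" used for the committer at the top of this page; one spelling should be used consistently.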

View File

@ -11,6 +11,18 @@ instead, a new snapshot is released.
The mail_release_date configuration parameter (format: yyyymmdd) The mail_release_date configuration parameter (format: yyyymmdd)
specifies the release date of a stable release or snapshot release. specifies the release date of a stable release or snapshot release.
Incompatibility with Postfix 2.4.15
===================================
Postfix no longer appends the system-supplied default CA certificates
to the lists specified with *_tls_CAfile or with *_tls_CApath. This
prevents third-party certificates from getting mail relay permission
with the permit_tls_all_clientcerts feature.
Unfortunately this change may cause compatibility problems when
configurations rely on certificate verification for other purposes.
Specify "tls_append_default_CA = yes" for backwards compatibility.
Incompatibility with Postfix 2.4.4 Incompatibility with Postfix 2.4.4
================================== ==================================
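Review bot: the new "Incompatibility with Postfix 2.4.15" note describes the change only in terms of permit_tls_all_clientcerts, but the parameter is also registered in the smtp and lmtp client parameter tables in this commit, so outbound server-certificate verification (*_tls_CAfile / *_tls_CApath on the client side) is affected as well. Suggest stating that the change applies to both smtpd(8) and the smtp(8)/lmtp(8) clients, so that administrators who rely on system CAs for outbound verification know to set "tls_append_default_CA = yes".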

View File

@ -7979,6 +7979,10 @@ during TLS startup and shutdown handshake procedures. </p>
needed only when the CA certificate is not already present in the needed only when the CA certificate is not already present in the
client certificate file. </p> client certificate file. </p>
<p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party
certificates. </p>
<p> Example: </p> <p> Example: </p>
<pre> <pre>
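Review bot: the added paragraph says 'Specify "tls_append_default_CA = no" to prevent Postfix from appending the system-supplied default CAs', but "no" is the default introduced by this same commit (DEF_TLS_APPEND_DEF_CA 0, "(default: no)" in the parameter entry). As written it reads as if the administrator has to set it. Suggest: 'By default (tls_append_default_CA = no) Postfix does not append the system-supplied default CAs; specify "tls_append_default_CA = yes" only if you rely on them.' The same wording is repeated in the other smtp_tls_CAfile/CApath and smtpd_tls_CAfile/CApath hunks of postconf.5.html, postconf.1 and postconf.proto, so all copies should change together.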
@ -8002,6 +8006,10 @@ with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
<p> To use this option in chroot mode, this directory (or a copy) <p> To use this option in chroot mode, this directory (or a copy)
must be inside the chroot jail. </p> must be inside the chroot jail. </p>
<p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party
certificates. </p>
<p> Example: </p> <p> Example: </p>
<pre> <pre>
@ -9278,8 +9286,11 @@ authenticated via the <a href="http://www.faqs.org/rfcs/rfc2554.html">RFC 2554</
<dd> Permit the request when the remote SMTP client certificate is <dd> Permit the request when the remote SMTP client certificate is
verified successfully. This option must be used only if a special verified successfully. This option must be used only if a special
CA issues the certificates and only this CA is listed as trusted CA issues the certificates and only this CA is listed as trusted
CA, otherwise all clients with a recognized certificate would be CA. Otherwise, clients with a third-party certificate would also
allowed to relay. This feature is available with Postfix version 2.2.</dd> be allowed to relay. Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" when the
trusted CA is specified with <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> or <a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a>,
to prevent Postfix from appending the system-supplied default CAs.
This feature is available with Postfix version 2.2.</dd>
<dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt> <dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
@ -10878,6 +10889,10 @@ server certificate file. This file may also contain the CA
certificates of other trusted CAs. You must use this file for the certificates of other trusted CAs. You must use this file for the
list of trusted CAs if you want to use chroot-mode. </p> list of trusted CAs if you want to use chroot-mode. </p>
<p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party
certificates. </p>
<p> Example: </p> <p> Example: </p>
<pre> <pre>
@ -10904,6 +10919,10 @@ CA certificates are not offered to the client, so that e.g. Netscape
clients might not offer certificates issued by them. Use of this clients might not offer certificates issued by them. Use of this
feature is therefore not recommended. </p> feature is therefore not recommended. </p>
<p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party
certificates. </p>
<p> Example: </p> <p> Example: </p>
<pre> <pre>
@ -11726,6 +11745,23 @@ while accessing the Postfix <a href="postconf.5.html">main.cf</a> configuration
</p> </p>
</DD>
<DT><b><a name="tls_append_default_CA">tls_append_default_CA</a>
(default: no)</b></DT><DD>
<p> Append the system-supplied default certificate authority
certificates to the ones specified with *_tls_CApath or *_tls_CAfile.
The default is "no"; this prevents Postfix from trusting third-party
certificates and giving them relay permission with
<a href="postconf.5.html#permit_tls_all_clientcerts">permit_tls_all_clientcerts</a>. </p>
<p> This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8,
2.7.2 and later versions. Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = yes" for
backwards compatibility, to avoid breaking certificate verification
with sites that don't use <a href="postconf.5.html#permit_tls_all_clientcerts">permit_tls_all_clientcerts</a>. </p>
</DD> </DD>
<DT><b><a name="tls_daemon_random_bytes">tls_daemon_random_bytes</a> <DT><b><a name="tls_daemon_random_bytes">tls_daemon_random_bytes</a>

View File

@ -4442,6 +4442,10 @@ The file with the certificate of the certification authority
needed only when the CA certificate is not already present in the needed only when the CA certificate is not already present in the
client certificate file. client certificate file.
.PP .PP
Specify "tls_append_default_CA = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party
certificates.
.PP
Example: Example:
.PP .PP
.nf .nf
@ -4462,6 +4466,10 @@ with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
To use this option in chroot mode, this directory (or a copy) To use this option in chroot mode, this directory (or a copy)
must be inside the chroot jail. must be inside the chroot jail.
.PP .PP
Specify "tls_append_default_CA = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party
certificates.
.PP
Example: Example:
.PP .PP
.nf .nf
@ -5476,8 +5484,11 @@ authenticated via the RFC 2554 (AUTH) protocol.
Permit the request when the remote SMTP client certificate is Permit the request when the remote SMTP client certificate is
verified successfully. This option must be used only if a special verified successfully. This option must be used only if a special
CA issues the certificates and only this CA is listed as trusted CA issues the certificates and only this CA is listed as trusted
CA, otherwise all clients with a recognized certificate would be CA. Otherwise, clients with a third-party certificate would also
allowed to relay. This feature is available with Postfix version 2.2. be allowed to relay. Specify "tls_append_default_CA = no" when the
trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath,
to prevent Postfix from appending the system-supplied default CAs.
This feature is available with Postfix version 2.2.
.IP "\fBpermit_tls_clientcerts\fR" .IP "\fBpermit_tls_clientcerts\fR"
Permit the request when the remote SMTP client certificate is Permit the request when the remote SMTP client certificate is
verified successfully, and the certificate fingerprint is listed verified successfully, and the certificate fingerprint is listed
@ -6513,6 +6524,10 @@ server certificate file. This file may also contain the CA
certificates of other trusted CAs. You must use this file for the certificates of other trusted CAs. You must use this file for the
list of trusted CAs if you want to use chroot-mode. list of trusted CAs if you want to use chroot-mode.
.PP .PP
Specify "tls_append_default_CA = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party
certificates.
.PP
Example: Example:
.PP .PP
.nf .nf
@ -6537,6 +6552,10 @@ CA certificates are not offered to the client, so that e.g. Netscape
clients might not offer certificates issued by them. Use of this clients might not offer certificates issued by them. Use of this
feature is therefore not recommended. feature is therefore not recommended.
.PP .PP
Specify "tls_append_default_CA = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party
certificates.
.PP
Example: Example:
.PP .PP
.nf .nf
@ -7128,6 +7147,17 @@ a Postfix process has completed initialization. Errors during
process initialization will be logged with the default name. Examples process initialization will be logged with the default name. Examples
are errors while parsing the command line arguments, and errors are errors while parsing the command line arguments, and errors
while accessing the Postfix main.cf configuration file. while accessing the Postfix main.cf configuration file.
.SH tls_append_default_CA (default: no)
Append the system-supplied default certificate authority
certificates to the ones specified with *_tls_CApath or *_tls_CAfile.
The default is "no"; this prevents Postfix from trusting third-party
certificates and giving them relay permission with
permit_tls_all_clientcerts.
.PP
This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8,
2.7.2 and later versions. Specify "tls_append_default_CA = yes" for
backwards compatibility, to avoid breaking certificate verification
with sites that don't use permit_tls_all_clientcerts.
.SH tls_daemon_random_bytes (default: 32) .SH tls_daemon_random_bytes (default: 32)
The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8) The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8)
process requests from the \fBtlsmgr\fR(8) server in order to seed its process requests from the \fBtlsmgr\fR(8) server in order to seed its

View File

@ -601,6 +601,7 @@ while (<>) {
s;\btls_low_cipherlist\b;<a href="postconf.5.html#tls_low_cipherlist">$&</a>;g; s;\btls_low_cipherlist\b;<a href="postconf.5.html#tls_low_cipherlist">$&</a>;g;
s;\btls_export_cipherlist\b;<a href="postconf.5.html#tls_export_cipherlist">$&</a>;g; s;\btls_export_cipherlist\b;<a href="postconf.5.html#tls_export_cipherlist">$&</a>;g;
s;\btls_null_cipherlist\b;<a href="postconf.5.html#tls_null_cipherlist">$&</a>;g; s;\btls_null_cipherlist\b;<a href="postconf.5.html#tls_null_cipherlist">$&</a>;g;
s;\btls_append_default_CA\b;<a href="postconf.5.html#tls_append_default_CA">$&</a>;g;
s;\bfrozen_delivered_to\b;<a href="postconf.5.html#frozen_delivered_to">$&</a>;g; s;\bfrozen_delivered_to\b;<a href="postconf.5.html#frozen_delivered_to">$&</a>;g;

View File

@ -4637,8 +4637,11 @@ authenticated via the RFC 2554 (AUTH) protocol. </dd>
<dd> Permit the request when the remote SMTP client certificate is <dd> Permit the request when the remote SMTP client certificate is
verified successfully. This option must be used only if a special verified successfully. This option must be used only if a special
CA issues the certificates and only this CA is listed as trusted CA issues the certificates and only this CA is listed as trusted
CA, otherwise all clients with a recognized certificate would be CA. Otherwise, clients with a third-party certificate would also
allowed to relay. This feature is available with Postfix version 2.2.</dd> be allowed to relay. Specify "tls_append_default_CA = no" when the
trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath,
to prevent Postfix from appending the system-supplied default CAs.
This feature is available with Postfix version 2.2.</dd>
<dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt> <dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
@ -8226,6 +8229,10 @@ server certificate file. This file may also contain the CA
certificates of other trusted CAs. You must use this file for the certificates of other trusted CAs. You must use this file for the
list of trusted CAs if you want to use chroot-mode. </p> list of trusted CAs if you want to use chroot-mode. </p>
<p> Specify "tls_append_default_CA = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party
certificates. </p>
<p> Example: </p> <p> Example: </p>
<pre> <pre>
@ -8248,6 +8255,10 @@ CA certificates are not offered to the client, so that e.g. Netscape
clients might not offer certificates issued by them. Use of this clients might not offer certificates issued by them. Use of this
feature is therefore not recommended. </p> feature is therefore not recommended. </p>
<p> Specify "tls_append_default_CA = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party
certificates. </p>
<p> Example: </p> <p> Example: </p>
<pre> <pre>
@ -8581,6 +8592,10 @@ smtp_tls_key_file = $smtp_tls_cert_file
needed only when the CA certificate is not already present in the needed only when the CA certificate is not already present in the
client certificate file. </p> client certificate file. </p>
<p> Specify "tls_append_default_CA = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party
certificates. </p>
<p> Example: </p> <p> Example: </p>
<pre> <pre>
@ -8600,6 +8615,10 @@ with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
<p> To use this option in chroot mode, this directory (or a copy) <p> To use this option in chroot mode, this directory (or a copy)
must be inside the chroot jail. </p> must be inside the chroot jail. </p>
<p> Specify "tls_append_default_CA = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party
certificates. </p>
<p> Example: </p> <p> Example: </p>
<pre> <pre>
@ -8874,6 +8893,19 @@ smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
<p> This feature is available in Postfix 2.2 and later. </p> <p> This feature is available in Postfix 2.2 and later. </p>
%PARAM tls_append_default_CA no
<p> Append the system-supplied default certificate authority
certificates to the ones specified with *_tls_CApath or *_tls_CAfile.
The default is "no"; this prevents Postfix from trusting third-party
certificates and giving them relay permission with
permit_tls_all_clientcerts. </p>
<p> This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8,
2.7.2 and later versions. Specify "tls_append_default_CA = yes" for
backwards compatibility, to avoid breaking certificate verification
with sites that don't use permit_tls_all_clientcerts. </p>
%PARAM tls_random_exchange_name ${config_directory}/prng_exch %PARAM tls_random_exchange_name ${config_directory}/prng_exch
<p> Name of the pseudo random number generator (PRNG) state file <p> Name of the pseudo random number generator (PRNG) state file

View File

@ -593,6 +593,10 @@ extern bool var_stat_home_dir;
#define DEF_DUP_FILTER_LIMIT 1000 #define DEF_DUP_FILTER_LIMIT 1000
extern int var_dup_filter_limit; extern int var_dup_filter_limit;
#define VAR_TLS_APPEND_DEF_CA "tls_append_default_CA"
#define DEF_TLS_APPEND_DEF_CA 0 /* Postfix < 2.8 BC break */
extern bool var_tls_append_def_CA;
#define VAR_TLS_RAND_EXCH_NAME "tls_random_exchange_name" #define VAR_TLS_RAND_EXCH_NAME "tls_random_exchange_name"
#define DEF_TLS_RAND_EXCH_NAME "${config_directory}/prng_exch" #define DEF_TLS_RAND_EXCH_NAME "${config_directory}/prng_exch"
extern char *var_tls_rand_exch_name; extern char *var_tls_rand_exch_name;
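Review bot: the comment "/* Postfix < 2.8 BC break */" on DEF_TLS_APPEND_DEF_CA does not explain itself to a reader of this 2.4 tree. Since the value 0 is precisely the behavior change announced in RELEASE_NOTES (the system default CAs are no longer appended), the comment should say that, e.g. "/* default changed to 0: see RELEASE_NOTES, tls_append_default_CA */", so nobody "fixes" it back to 1 without understanding the relay-permission consequence with permit_tls_all_clientcerts.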

View File

@ -20,8 +20,8 @@
* Patches change both the patchlevel and the release date. Snapshots have no * Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only. * patchlevel; they change the release date only.
*/ */
#define MAIL_RELEASE_DATE "20090322" #define MAIL_RELEASE_DATE "20091123"
#define MAIL_VERSION_NUMBER "2.4.14" #define MAIL_VERSION_NUMBER "2.4.15"
#ifdef SNAPSHOT #ifdef SNAPSHOT
# define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
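Review bot: MAIL_RELEASE_DATE is set to "20091123", yet the HISTORY entries shipped in this 2.4.15 release are dated 20100610 through 20101117. A patch release cannot carry a release date that precedes its own changelog; please double-check the date against the HISTORY file (the commit header on this page also shows 2009-11-23, so the mismatch is likely in the commit metadata rather than a single typo).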

View File

@ -628,7 +628,7 @@ int pipe_command(VSTREAM *src, DSN_BUF *why,...)
*/ */
if (!NORMAL_EXIT_STATUS(wait_status)) { if (!NORMAL_EXIT_STATUS(wait_status)) {
if (WIFSIGNALED(wait_status)) { if (WIFSIGNALED(wait_status)) {
dsb_unix(why, "5.3.0", log_len ? dsb_unix(why, "4.3.0", log_len ?
log_buf : sys_exits_detail(EX_SOFTWARE)->text, log_buf : sys_exits_detail(EX_SOFTWARE)->text,
"Command died with signal %d: \"%s\"%s%s", "Command died with signal %d: \"%s\"%s%s",
WTERMSIG(wait_status), args.command, WTERMSIG(wait_status), args.command,
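Review bot: changing the enhanced status code from "5.3.0" to "4.3.0" turns a command killed by a signal into a transient (deferred) failure rather than a permanent bounce, which is what the 20100714 HISTORY entry describes as the completion of fix 20061207. The surrounding code gives no hint of why a signal death is deliberately 4.x.x, so a future reader may "correct" it back; suggest adding a one-line comment next to the dsb_unix() call referencing the 20061207/20100714 HISTORY entries and the rationale (a signal, e.g. from a resource limit or a crash, is not evidence that the message itself is undeliverable).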

View File

@ -94,6 +94,7 @@
#ifdef USE_TLS #ifdef USE_TLS
VAR_LMTP_TLS_ENFORCE_PN, DEF_LMTP_TLS_ENFORCE_PN, &var_smtp_tls_enforce_peername, VAR_LMTP_TLS_ENFORCE_PN, DEF_LMTP_TLS_ENFORCE_PN, &var_smtp_tls_enforce_peername,
VAR_LMTP_TLS_NOTEOFFER, DEF_LMTP_TLS_NOTEOFFER, &var_smtp_tls_note_starttls_offer, VAR_LMTP_TLS_NOTEOFFER, DEF_LMTP_TLS_NOTEOFFER, &var_smtp_tls_note_starttls_offer,
VAR_TLS_APPEND_DEF_CA, DEF_TLS_APPEND_DEF_CA, &var_tls_append_def_CA,
#endif #endif
VAR_LMTP_SENDER_AUTH, DEF_LMTP_SENDER_AUTH, &var_smtp_sender_auth, VAR_LMTP_SENDER_AUTH, DEF_LMTP_SENDER_AUTH, &var_smtp_sender_auth,
VAR_LMTP_CNAME_OVERR, DEF_LMTP_CNAME_OVERR, &var_smtp_cname_overr, VAR_LMTP_CNAME_OVERR, DEF_LMTP_CNAME_OVERR, &var_smtp_cname_overr,

View File

@ -704,6 +704,7 @@ char *var_smtp_tls_sec_cmatch;
int var_smtp_tls_scert_vd; int var_smtp_tls_scert_vd;
char *var_smtp_tls_vfy_cmatch; char *var_smtp_tls_vfy_cmatch;
int var_tls_daemon_rand_bytes; int var_tls_daemon_rand_bytes;
bool var_tls_append_def_CA;
#endif #endif

View File

@ -98,6 +98,7 @@
#ifdef USE_TLS #ifdef USE_TLS
VAR_SMTP_TLS_ENFORCE_PN, DEF_SMTP_TLS_ENFORCE_PN, &var_smtp_tls_enforce_peername, VAR_SMTP_TLS_ENFORCE_PN, DEF_SMTP_TLS_ENFORCE_PN, &var_smtp_tls_enforce_peername,
VAR_SMTP_TLS_NOTEOFFER, DEF_SMTP_TLS_NOTEOFFER, &var_smtp_tls_note_starttls_offer, VAR_SMTP_TLS_NOTEOFFER, DEF_SMTP_TLS_NOTEOFFER, &var_smtp_tls_note_starttls_offer,
VAR_TLS_APPEND_DEF_CA, DEF_TLS_APPEND_DEF_CA, &var_tls_append_def_CA,
#endif #endif
VAR_SMTP_SENDER_AUTH, DEF_SMTP_SENDER_AUTH, &var_smtp_sender_auth, VAR_SMTP_SENDER_AUTH, DEF_SMTP_SENDER_AUTH, &var_smtp_sender_auth,
VAR_SMTP_CNAME_OVERR, DEF_SMTP_CNAME_OVERR, &var_smtp_cname_overr, VAR_SMTP_CNAME_OVERR, DEF_SMTP_CNAME_OVERR, &var_smtp_cname_overr,

View File

@ -1082,6 +1082,7 @@ bool var_smtpd_tls_req_ccert;
int var_smtpd_tls_scache_timeout; int var_smtpd_tls_scache_timeout;
bool var_smtpd_tls_set_sessid; bool var_smtpd_tls_set_sessid;
int var_tls_daemon_rand_bytes; int var_tls_daemon_rand_bytes;
bool var_tls_append_def_CA;
#endif #endif
@ -4014,6 +4015,11 @@ static void smtpd_proto(SMTPD_STATE *state)
} }
/* XXX We use the real client for connect access control. */ /* XXX We use the real client for connect access control. */
if (state->access_denied && cmdp->action != quit_cmd) { if (state->access_denied && cmdp->action != quit_cmd) {
/* XXX Exception for Milter override. */
if (strncmp(state->access_denied + 1, "21", 2) == 0) {
smtpd_chat_reply(state, "%s", state->access_denied);
continue;
}
smtpd_chat_reply(state, "503 5.7.0 Error: access denied for %s", smtpd_chat_reply(state, "503 5.7.0 Error: access denied for %s",
state->namaddr); /* RFC 2821 Sec 3.1 */ state->namaddr); /* RFC 2821 Sec 3.1 */
state->error_count++; state->error_count++;
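Review bot: the new check `strncmp(state->access_denied + 1, "21", 2) == 0` matches any reply whose second and third digits are "21", i.e. both 421 and 521, which is wider than the "421 after Milter error" case the HISTORY entry describes; the comment "XXX Exception for Milter override" should state which codes qualify. The comparison at offset 1 also assumes the stored reply is at least a full three-digit code; a guard such as checking that the first three bytes are digits before the strncmp() would make that explicit. Finally, the early `continue` skips `state->error_count++`, which is presumably intended for a final reply but deserves a comment so it is not taken for an oversight.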
@ -4509,6 +4515,7 @@ int main(int argc, char **argv)
VAR_SMTPD_TLS_RCERT, DEF_SMTPD_TLS_RCERT, &var_smtpd_tls_req_ccert, VAR_SMTPD_TLS_RCERT, DEF_SMTPD_TLS_RCERT, &var_smtpd_tls_req_ccert,
VAR_SMTPD_TLS_RECHEAD, DEF_SMTPD_TLS_RECHEAD, &var_smtpd_tls_received_header, VAR_SMTPD_TLS_RECHEAD, DEF_SMTPD_TLS_RECHEAD, &var_smtpd_tls_received_header,
VAR_SMTPD_TLS_SET_SESSID, DEF_SMTPD_TLS_SET_SESSID, &var_smtpd_tls_set_sessid, VAR_SMTPD_TLS_SET_SESSID, DEF_SMTPD_TLS_SET_SESSID, &var_smtpd_tls_set_sessid,
VAR_TLS_APPEND_DEF_CA, DEF_TLS_APPEND_DEF_CA, &var_tls_append_def_CA,
#endif #endif
VAR_SMTPD_PEERNAME_LOOKUP, DEF_SMTPD_PEERNAME_LOOKUP, &var_smtpd_peername_lookup, VAR_SMTPD_PEERNAME_LOOKUP, DEF_SMTPD_PEERNAME_LOOKUP, &var_smtpd_peername_lookup,
VAR_SMTPD_DELAY_OPEN, DEF_SMTPD_DELAY_OPEN, &var_smtpd_delay_open, VAR_SMTPD_DELAY_OPEN, DEF_SMTPD_DELAY_OPEN, &var_smtpd_delay_open,

View File

@ -3684,7 +3684,8 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
name); name);
else { else {
cpp += 1; cpp += 1;
if (state->helo_name) if (state->helo_name
&& valid_hostname(state->helo_name, DONT_GRIPE))
status = reject_rbl_domain(state, *cpp, state->helo_name, status = reject_rbl_domain(state, *cpp, state->helo_name,
SMTPD_NAME_HELO); SMTPD_NAME_HELO);
} }
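Review bot: adding `&& valid_hostname(state->helo_name, DONT_GRIPE)` makes reject_rhsbl_helo silently skip the lookup for HELO arguments that are not syntactically valid hostnames (address literals and the like), which is the intended fix for the dbl.spamhaus.org false positives. Since the skip is silent, a `msg_info()` under verbose mode (or a comment referencing the 20101023 HISTORY entry) would help an operator understand why a reject_rhsbl_helo restriction did not fire for a given client.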

View File

@ -302,6 +302,9 @@ int smtpd_proxy_open(SMTPD_STATE *state, const char *service,
} }
state->proxy = vstream_fdopen(fd, O_RDWR); state->proxy = vstream_fdopen(fd, O_RDWR);
vstream_control(state->proxy, VSTREAM_CTL_PATH, service, VSTREAM_CTL_END); vstream_control(state->proxy, VSTREAM_CTL_PATH, service, VSTREAM_CTL_END);
/* Avoid poor performance when TCP MSS > VSTREAM_BUFSIZE. */
if (connect_fn == inet_connect)
vstream_tweak_tcp(state->proxy);
smtp_timeout_setup(state->proxy, timeout); smtp_timeout_setup(state->proxy, timeout);
/* /*
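Review bot: the comment "Avoid poor performance when TCP MSS > VSTREAM_BUFSIZE" explains the symptom but not the remedy; one more clause saying what vstream_tweak_tcp() adjusts on the stream would make the intent clear. The `connect_fn == inet_connect` guard correctly limits the call to TCP sockets (the loopback case from the 20100827 HISTORY entry), so UNIX-domain proxy connections are unaffected.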

View File

@ -99,6 +99,7 @@ tls_bio_ops.o: ../../include/vstream.h
tls_bio_ops.o: ../../include/vstring.h tls_bio_ops.o: ../../include/vstring.h
tls_bio_ops.o: tls.h tls_bio_ops.o: tls.h
tls_bio_ops.o: tls_bio_ops.c tls_bio_ops.o: tls_bio_ops.c
tls_certkey.o: ../../include/mail_params.h
tls_certkey.o: ../../include/msg.h tls_certkey.o: ../../include/msg.h
tls_certkey.o: ../../include/name_code.h tls_certkey.o: ../../include/name_code.h
tls_certkey.o: ../../include/name_mask.h tls_certkey.o: ../../include/name_mask.h

View File

@ -67,6 +67,10 @@
#include <msg.h> #include <msg.h>
/* Global library. */
#include <mail_params.h>
/* TLS library. */ /* TLS library. */
#define TLS_INTERNAL #define TLS_INTERNAL
@ -87,7 +91,7 @@ int tls_set_ca_certificate_info(SSL_CTX *ctx, const char *CAfile,
tls_print_errors(); tls_print_errors();
return (-1); return (-1);
} }
if (!SSL_CTX_set_default_verify_paths(ctx)) { if (var_tls_append_def_CA && !SSL_CTX_set_default_verify_paths(ctx)) {
msg_info("cannot set certificate verification paths"); msg_info("cannot set certificate verification paths");
tls_print_errors(); tls_print_errors();
return (-1); return (-1);
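Review bot: with `var_tls_append_def_CA` defaulting to 0, `SSL_CTX_set_default_verify_paths()` is now never called unless the administrator opts in, including for configurations that set neither CAfile nor CApath; such a setup ends up with an empty trust store and will fail all certificate verification. That consequence is only hinted at in RELEASE_NOTES ("may cause compatibility problems") and should be spelled out in the tls_append_default_CA documentation. Also note that `var_tls_append_def_CA` is declared `extern` in mail_params.h but defined in smtpd.c and smtp.c; any other program that links tls_certkey.o (e.g. a test driver in the tls directory) must now define it as well or fail to link.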