diff --git a/postfix/HISTORY b/postfix/HISTORY index e3e1ab640..f41ef305f 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -24654,9 +24654,20 @@ Apologies for any names omitted. Cleanup: harmless memory leak in postconf. File: postconf/postconf_master.c. -20200312 - Bugfix (introduced: Postfix 2.3): panic with Postfix multi-Milter configuration during MAIL FROM. Milter client state was not properly reset after one of the Milters failed. Reported by WeiYu Wu. + +20200312 + + Usability: the Postfix SMTP server now logs a warning when + a configuration requests access control by client certificate, + but "smtpd_tls_ask_clientcert = no". Files: proto/postconf.proto, + smtpd/smtpd_check.c. + +20200316 + + Removed the issuer_cn and subject_cn matches from + check_ccert_access. Files: smtpd/smtpd_check.c, + proto/postconf.proto. diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index 001e2092e..d3c41b83b 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES @@ -28,9 +28,9 @@ comfortable with the IPL can continue with that license. Major changes - multiple relayhost in SMTP ------------------------------------------ -[Feature 20200111] SMTP (and LMTP) client support for a list of -nexthop destinations separated by comma or whitespace. These will -destinations be tried in the specified order. +[Feature 20200111] the Postfix SMTP and LMTP client support a list +of nexthop destinations separated by comma or whitespace. These +destinations will be tried in the specified order. The list form can be specified in relayhost, transport_maps, default_transport, and sender_dependent_default_transport_maps. 
@@ -72,9 +72,7 @@ exact same result: search_order = cert_fingerprint, pubkey_fingerprint } } ... -The check_ccert_access search order also supports the subject_cn and -issuer_cn properties. Support is planned for rfc822name and -smtputf8mailbox. +Support is planned for other certificate features. Major changes - dovecot usability --------------------------------- @@ -108,7 +106,7 @@ a message if it is in the hold queue. With -e, such a message would not be returned to the sender until it is released with -f or -H. In the mailq(1) or postqueue(1) -p output, a forced-to-expire message -is indicated with # after the queue name. In postqueue(1) JSON +is indicated with # after the queue file name. In postqueue(1) JSON output, there is a new per-message field "forced_expire" (with value true or false) that shows the forced-to-expire status. diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index e8d4ae3c0..5930016ae 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -14239,7 +14239,8 @@ fingerprint (Postfix 2.9 and later) as lookup key for the specified remote SMTP client certificate is verified successfully. The fingerprint digest algorithm is configurable via the smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to -Postfix version 2.5). This feature is available with Postfix version +Postfix version 2.5). This feature requires "smtpd_tls_ask_ccert += yes" and is available with Postfix version 2.2 and later.
@@ -14251,9 +14252,7 @@ above corresponds with:
check_ccert_access { type:table, { search_order = cert_fingerprint, pubkey_fingerprint } }
-
The commas are optional. Other valid search_order elements are -"subject_cn" (the certificate subject CN) and "issuer_cn" (the -certificate issuer CN).
+
The commas are optional.
check_client_access type:table
@@ -14353,7 +14352,8 @@ CA. Otherwise, clients with a third-party certificate would also be allowed to relay. Specify "tls_append_default_CA = no" when the trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath, to prevent Postfix from appending the system-supplied default CAs. -This feature is available with Postfix version 2.2. +This feature requires "smtpd_tls_ask_ccert = yes" and is available +with Postfix version 2.2 and later.
permit_tls_clientcerts
@@ -14362,8 +14362,8 @@ fingerprint or public key fingerprint (Postfix 2.9 and later) is listed in $relay_clientcerts. The fingerprint digest algorithm is configurable via the smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to -Postfix version 2.5). This feature is available with Postfix version -2.2. +Postfix version 2.5). This feature requires "smtpd_tls_ask_ccert += yes" and is available with Postfix version 2.2 and later.
reject_rbl_client rbl_domain=d.d.d.d
diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 056e35e47..d1e3147b5 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -9523,7 +9523,8 @@ fingerprint (Postfix 2.9 and later) as lookup key for the specified remote SMTP client certificate is verified successfully. The fingerprint digest algorithm is configurable via the smtpd_tls_fingerprint_digest parameter (hard\-coded as md5 prior to -Postfix version 2.5). This feature is available with Postfix version +Postfix version 2.5). This feature requires "smtpd_tls_ask_ccert += yes" and is available with Postfix version 2.2 and later. .br .br @@ -9534,9 +9535,7 @@ above corresponds with: check_ccert_access { type:table, { search_order = cert_fingerprint, pubkey_fingerprint } } .br -The commas are optional. Other valid search_order elements are -"subject_cn" (the certificate subject CN) and "issuer_cn" (the -certificate issuer CN). +The commas are optional. .br .IP "\fBcheck_client_access \fItype:table\fR\fR" Search the specified access database for the client hostname, @@ -9623,7 +9622,8 @@ CA. Otherwise, clients with a third\-party certificate would also be allowed to relay. Specify "tls_append_default_CA = no" when the trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath, to prevent Postfix from appending the system\-supplied default CAs. -This feature is available with Postfix version 2.2. +This feature requires "smtpd_tls_ask_ccert = yes" and is available +with Postfix version 2.2 and later. .br .IP "\fBpermit_tls_clientcerts\fR" Permit the request when the remote SMTP client certificate 
@@ -9631,8 +9631,8 @@ fingerprint or public key fingerprint (Postfix 2.9 and later) is listed in $relay_clientcerts. The fingerprint digest algorithm is configurable via the smtpd_tls_fingerprint_digest parameter (hard\-coded as md5 prior to -Postfix version 2.5). This feature is available with Postfix version -2.2. +Postfix version 2.5). This feature requires "smtpd_tls_ask_ccert += yes" and is available with Postfix version 2.2 and later. .br .IP "\fBreject_rbl_client \fIrbl_domain=d.d.d.d\fR\fR" Reject the request when the reversed client network address is diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 11f769467..ca384963b 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -5110,7 +5110,8 @@ access(5) database; with Postfix version 2.2, also require that the remote SMTP client certificate is verified successfully. The fingerprint digest algorithm is configurable via the smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to -Postfix version 2.5). This feature is available with Postfix version +Postfix version 2.5). This feature requires "smtpd_tls_ask_ccert += yes" and is available with Postfix version 2.2 and later.
@@ -5122,9 +5123,7 @@ above corresponds with:
check_ccert_access { type:table, { search_order = cert_fingerprint, pubkey_fingerprint } }
-
The commas are optional. Other valid search_order elements are -"subject_cn" (the certificate subject CN) and "issuer_cn" (the -certificate issuer CN).
+
The commas are optional.
check_client_access type:table
@@ -5225,7 +5224,8 @@ CA. Otherwise, clients with a third-party certificate would also be allowed to relay. Specify "tls_append_default_CA = no" when the trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath, to prevent Postfix from appending the system-supplied default CAs. -This feature is available with Postfix version 2.2. +This feature requires "smtpd_tls_ask_ccert = yes" and is available +with Postfix version 2.2 and later.
permit_tls_clientcerts
@@ -5234,8 +5234,8 @@ fingerprint or public key fingerprint (Postfix 2.9 and later) is listed in $relay_clientcerts. The fingerprint digest algorithm is configurable via the smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to -Postfix version 2.5). This feature is available with Postfix version -2.2. +Postfix version 2.5). This feature requires "smtpd_tls_ask_ccert += yes" and is available with Postfix version 2.2 and later.
reject_rbl_client rbl_domain=d.d.d.d
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index a13af0767..c52097e07 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20200312" -#define MAIL_VERSION_NUMBER "3.5.0-RC2" +#define MAIL_RELEASE_DATE "20200316" +#define MAIL_VERSION_NUMBER "3.5.0" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c index b93ac4d4a..35c713158 100644 --- a/postfix/src/smtpd/smtpd_check.c +++ b/postfix/src/smtpd/smtpd_check.c @@ -1627,6 +1627,10 @@ static int permit_tls_clientcerts(SMTPD_STATE *state, int permit_all_certs) if (msg_verbose) msg_info("relay_clientcerts: No match for fingerprint '%s', " "pkey fingerprint %s", prints[0], prints[1]); + } else if (!var_smtpd_tls_ask_ccert) { + msg_warn("%s is requested, but \"%s = no\"", permit_all_certs ? + PERMIT_TLS_ALL_CLIENTCERTS : PERMIT_TLS_CLIENTCERTS, + VAR_SMTPD_TLS_ACERT); } #endif return (SMTPD_CHECK_DUNNO); @@ -3191,12 +3195,6 @@ static int check_ccert_access(SMTPD_STATE *state, const char *acl_spec, case SMTPD_ACL_SEARCH_CODE_PKEY_FPRINT: match_this = state->tls_context->peer_pkey_fprint; break; - case SMTPD_ACL_SEARCH_CODE_CERT_ISSUER_CN: - match_this = state->tls_context->issuer_CN; - break; - case SMTPD_ACL_SEARCH_CODE_CERT_SUBJECT_CN: - match_this = state->tls_context->peer_CN; - break; default: known_action = str_name_code(search_actions, *action); if (known_action == 0) 
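Review bot: The new `else if (!var_smtpd_tls_ask_ccert)` branch in permit_tls_clientcerts calls msg_warn() on every evaluation that finds no trusted certificate, so one static misconfiguration is logged once per client session (or per MAIL/RCPT, depending on which restriction list carries permit_tls_clientcerts) and the log volume is dictated by remote clients rather than by the operator. Because the condition depends only on main.cf, a once-per-process guard keeps the signal without the flood: `static int warned; if (!warned++) msg_warn("%s is requested, but \"%s = no\"", permit_all_certs ? PERMIT_TLS_ALL_CLIENTCERTS : PERMIT_TLS_CLIENTCERTS, VAR_SMTPD_TLS_ACERT);`. It is also worth confirming, outside this hunk, that var_smtpd_tls_ask_ccert already reflects the documented "smtpd_tls_req_ccert = yes implies smtpd_tls_ask_ccert = yes" rule; if the implication is applied elsewhere without updating this variable, that configuration would log a spurious warning. permit_tls_clientcerts starts before this hunk, so the enclosing `if` whose `else` this extends is not visible here.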
@@ -3227,6 +3225,9 @@ static int check_ccert_access(SMTPD_STATE *state, const char *acl_spec, if (result != SMTPD_CHECK_DUNNO) break; } + } else if (!var_smtpd_tls_ask_ccert) { + msg_warn("%s is requested, but \"%s = no\"", + CHECK_CCERT_ACL, VAR_SMTPD_TLS_ACERT); } else { if (msg_verbose) msg_info("%s: no client certificate", myname); @@ -5755,6 +5756,7 @@ int var_plaintext_code; bool var_smtpd_peername_lookup; bool var_smtpd_client_port_log; char *var_smtpd_dns_re_filter; +bool var_smtpd_tls_ask_ccert; #define int_table test_int_table @@ -5789,6 +5791,7 @@ static const INT_TABLE int_table[] = { VAR_PLAINTEXT_CODE, DEF_PLAINTEXT_CODE, &var_plaintext_code, VAR_SMTPD_PEERNAME_LOOKUP, DEF_SMTPD_PEERNAME_LOOKUP, &var_smtpd_peername_lookup, VAR_SMTPD_CLIENT_PORT_LOG, DEF_SMTPD_CLIENT_PORT_LOG, &var_smtpd_client_port_log, + VAR_SMTPD_TLS_ACERT, DEF_SMTPD_TLS_ACERT, &var_smtpd_tls_ask_ccert, 0, };
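Review bot: The warning added to check_ccert_access duplicates, format string and all, the one added to permit_tls_clientcerts earlier in this commit, and like it fires on every evaluation; a small helper would keep the two messages identical and give a single place to rate-limit them. It also slightly changes verbose tracing: with `smtpd_tls_ask_ccert = no` the new branch is taken instead of the final `else`, so the `msg_verbose` line "no client certificate" is no longer emitted for that configuration, which is probably acceptable but worth noting in the HISTORY entry. The helper would be declared under the same `#ifdef USE_TLS` guard as its callers, if check_ccert_access is compiled under one. check_ccert_access continues past the end of this hunk.
```c
/* Warn once per process that a certificate-based restriction is configured
 * while clients are never asked for a certificate (smtpd_tls_ask_ccert = no). */
static void warn_ccert_not_asked(const char *restriction)
{
    static int warned;

    if (!warned++)
	msg_warn("%s is requested, but \"%s = no\"", restriction,
		 VAR_SMTPD_TLS_ACERT);
}

/* … unchanged: check_ccert_access search loop … */
    } else if (!var_smtpd_tls_ask_ccert) {
	warn_ccert_not_asked(CHECK_CCERT_ACL);
    } else {
```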