mir/postfix
2
0
Fork 0
mirror of https://github.com/vdukhovni/postfix synced 2025-08-29 13:18:12 +00:00
Code Issues Releases Wiki Activity

postfix-3.5.0

Browse Source
This commit is contained in:
Wietse Venema 2020-03-16 00:00:00 -05:00 committed by Viktor Dukhovni
parent 28b3968dd1
commit a7732f7484
7 changed files with 50 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
postfix/HISTORY
View File

@ -24654,9 +24654,20 @@ Apologies for any names omitted.
Cleanup: harmless memory leak in postconf. File: Cleanup: harmless memory leak in postconf. File:
postconf/postconf_master.c. postconf/postconf_master.c.
20200312
Bugfix (introduced: Postfix 2.3): panic with Postfix Bugfix (introduced: Postfix 2.3): panic with Postfix
multi-Milter configuration during MAIL FROM. Milter client multi-Milter configuration during MAIL FROM. Milter client
state was not properly reset after one of the Milters failed. state was not properly reset after one of the Milters failed.
Reported by WeiYu Wu. Reported by WeiYu Wu.
20200312
Usability: the Postfix SMTP server now logs a warning when
a configuration requests access control by client certificate,
but "smtpd_tls_ask_clientcert = no". Files: proto/postconf.proto,
smtpd/smtpd_check.c.
20200316
Removed the issuer_cn and subject_cn matches from
check_ccert_access. Files: smtpd/smtpd_check.c,
proto/postconf.proto.

12
postfix/RELEASE_NOTES
View File

@ -28,9 +28,9 @@ comfortable with the IPL can continue with that license.
Major changes - multiple relayhost in SMTP Major changes - multiple relayhost in SMTP
------------------------------------------ ------------------------------------------
[Feature 20200111] SMTP (and LMTP) client support for a list of [Feature 20200111] the Postfix SMTP and LMTP client support a list
nexthop destinations separated by comma or whitespace. These will of nexthop destinations separated by comma or whitespace. These
destinations be tried in the specified order. destinations will be tried in the specified order.
The list form can be specified in relayhost, transport_maps, The list form can be specified in relayhost, transport_maps,
default_transport, and sender_dependent_default_transport_maps. default_transport, and sender_dependent_default_transport_maps.
@ -72,9 +72,7 @@ exact same result:
search_order = cert_fingerprint, pubkey_fingerprint } } search_order = cert_fingerprint, pubkey_fingerprint } }
... ...
The check_ccert_access search order also supports the subject_cn and Support is planned for other certificate features.
issuer_cn properties. Support is planned for rfc822name and
smtputf8mailbox.
Major changes - dovecot usability Major changes - dovecot usability
--------------------------------- ---------------------------------
@ -108,7 +106,7 @@ a message if it is in the hold queue. With -e, such a message would
not be returned to the sender until it is released with -f or -H. not be returned to the sender until it is released with -f or -H.
In the mailq(1) or postqueue(1) -p output, a forced-to-expire message In the mailq(1) or postqueue(1) -p output, a forced-to-expire message
is indicated with # after the queue name. In postqueue(1) JSON is indicated with # after the queue file name. In postqueue(1) JSON
output, there is a new per-message field "forced_expire" (with value output, there is a new per-message field "forced_expire" (with value
true or false) that shows the forced-to-expire status. true or false) that shows the forced-to-expire status.

14
postfix/html/postconf.5.html
View File

@ -14239,7 +14239,8 @@ fingerprint (Postfix 2.9 and later) as lookup key for the specified
remote SMTP client certificate is verified successfully. remote SMTP client certificate is verified successfully.
The fingerprint digest algorithm is configurable via the The fingerprint digest algorithm is configurable via the
<a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a> parameter (hard-coded as md5 prior to <a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a> parameter (hard-coded as md5 prior to
Postfix version 2.5). This feature is available with Postfix version Postfix version 2.5). This feature requires "<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>
= yes" and is available with Postfix version
2.2 and later. </dd> 2.2 and later. </dd>
<br> <br>
@ -14251,9 +14252,7 @@ above corresponds with: </dd>
<dd> <a href="postconf.5.html#check_ccert_access">check_ccert_access</a> { <a href="DATABASE_README.html">type:table</a>, { search_order = cert_fingerprint, <dd> <a href="postconf.5.html#check_ccert_access">check_ccert_access</a> { <a href="DATABASE_README.html">type:table</a>, { search_order = cert_fingerprint,
pubkey_fingerprint } } </dd> pubkey_fingerprint } } </dd>
<dd> The commas are optional. Other valid search_order elements are <dd> The commas are optional. </dd>
"subject_cn" (the certificate subject CN) and "issuer_cn" (the
certificate issuer CN). </dd>
<dt><b><a name="check_client_access">check_client_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt> <dt><b><a name="check_client_access">check_client_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
@ -14353,7 +14352,8 @@ CA. Otherwise, clients with a third-party certificate would also
be allowed to relay. Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" when the be allowed to relay. Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" when the
trusted CA is specified with <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> or <a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a>, trusted CA is specified with <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> or <a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a>,
to prevent Postfix from appending the system-supplied default CAs. to prevent Postfix from appending the system-supplied default CAs.
This feature is available with Postfix version 2.2.</dd> This feature requires "<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a> = yes" and is available
with Postfix version 2.2 and later.</dd>
<dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt> <dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
@ -14362,8 +14362,8 @@ fingerprint or public key fingerprint (Postfix 2.9 and later) is
listed in $<a href="postconf.5.html#relay_clientcerts">relay_clientcerts</a>. listed in $<a href="postconf.5.html#relay_clientcerts">relay_clientcerts</a>.
The fingerprint digest algorithm is configurable via the The fingerprint digest algorithm is configurable via the
<a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a> parameter (hard-coded as md5 prior to <a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a> parameter (hard-coded as md5 prior to
Postfix version 2.5). This feature is available with Postfix version Postfix version 2.5). This feature requires "<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>
2.2. </dd> = yes" and is available with Postfix version 2.2 and later.</dd>
<dt><b><a name="reject_rbl_client">reject_rbl_client <i>rbl_domain=d.d.d.d</i></a></b></dt> <dt><b><a name="reject_rbl_client">reject_rbl_client <i>rbl_domain=d.d.d.d</i></a></b></dt>

14
postfix/man/man5/postconf.5
View File

@ -9523,7 +9523,8 @@ fingerprint (Postfix 2.9 and later) as lookup key for the specified
remote SMTP client certificate is verified successfully. remote SMTP client certificate is verified successfully.
The fingerprint digest algorithm is configurable via the The fingerprint digest algorithm is configurable via the
smtpd_tls_fingerprint_digest parameter (hard\-coded as md5 prior to smtpd_tls_fingerprint_digest parameter (hard\-coded as md5 prior to
Postfix version 2.5). This feature is available with Postfix version Postfix version 2.5). This feature requires "smtpd_tls_ask_ccert
= yes" and is available with Postfix version
2.2 and later. 2.2 and later.
.br .br
.br .br
@ -9534,9 +9535,7 @@ above corresponds with:
check_ccert_access { type:table, { search_order = cert_fingerprint, check_ccert_access { type:table, { search_order = cert_fingerprint,
pubkey_fingerprint } } pubkey_fingerprint } }
.br .br
The commas are optional. Other valid search_order elements are The commas are optional.
"subject_cn" (the certificate subject CN) and "issuer_cn" (the
certificate issuer CN).
.br .br
.IP "\fBcheck_client_access \fItype:table\fR\fR" .IP "\fBcheck_client_access \fItype:table\fR\fR"
Search the specified access database for the client hostname, Search the specified access database for the client hostname,
@ -9623,7 +9622,8 @@ CA. Otherwise, clients with a third\-party certificate would also
be allowed to relay. Specify "tls_append_default_CA = no" when the be allowed to relay. Specify "tls_append_default_CA = no" when the
trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath, trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath,
to prevent Postfix from appending the system\-supplied default CAs. to prevent Postfix from appending the system\-supplied default CAs.
This feature is available with Postfix version 2.2. This feature requires "smtpd_tls_ask_ccert = yes" and is available
with Postfix version 2.2 and later.
.br .br
.IP "\fBpermit_tls_clientcerts\fR" .IP "\fBpermit_tls_clientcerts\fR"
Permit the request when the remote SMTP client certificate Permit the request when the remote SMTP client certificate
@ -9631,8 +9631,8 @@ fingerprint or public key fingerprint (Postfix 2.9 and later) is
listed in $relay_clientcerts. listed in $relay_clientcerts.
The fingerprint digest algorithm is configurable via the The fingerprint digest algorithm is configurable via the
smtpd_tls_fingerprint_digest parameter (hard\-coded as md5 prior to smtpd_tls_fingerprint_digest parameter (hard\-coded as md5 prior to
Postfix version 2.5). This feature is available with Postfix version Postfix version 2.5). This feature requires "smtpd_tls_ask_ccert
2.2. = yes" and is available with Postfix version 2.2 and later.
.br .br
.IP "\fBreject_rbl_client \fIrbl_domain=d.d.d.d\fR\fR" .IP "\fBreject_rbl_client \fIrbl_domain=d.d.d.d\fR\fR"
Reject the request when the reversed client network address is Reject the request when the reversed client network address is

14
postfix/proto/postconf.proto
View File

@ -5110,7 +5110,8 @@ access(5) database; with Postfix version 2.2, also require that the
remote SMTP client certificate is verified successfully. remote SMTP client certificate is verified successfully.
The fingerprint digest algorithm is configurable via the The fingerprint digest algorithm is configurable via the
smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to
Postfix version 2.5). This feature is available with Postfix version Postfix version 2.5). This feature requires "smtpd_tls_ask_ccert
= yes" and is available with Postfix version
2.2 and later. </dd> 2.2 and later. </dd>
<br> <br>
@ -5122,9 +5123,7 @@ above corresponds with: </dd>
<dd> check_ccert_access { type:table, { search_order = cert_fingerprint, <dd> check_ccert_access { type:table, { search_order = cert_fingerprint,
pubkey_fingerprint } } </dd> pubkey_fingerprint } } </dd>
<dd> The commas are optional. Other valid search_order elements are <dd> The commas are optional. </dd>
"subject_cn" (the certificate subject CN) and "issuer_cn" (the
certificate issuer CN). </dd>
<dt><b><a name="check_client_access">check_client_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt> <dt><b><a name="check_client_access">check_client_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
@ -5225,7 +5224,8 @@ CA. Otherwise, clients with a third-party certificate would also
be allowed to relay. Specify "tls_append_default_CA = no" when the be allowed to relay. Specify "tls_append_default_CA = no" when the
trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath, trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath,
to prevent Postfix from appending the system-supplied default CAs. to prevent Postfix from appending the system-supplied default CAs.
This feature is available with Postfix version 2.2.</dd> This feature requires "smtpd_tls_ask_ccert = yes" and is available
with Postfix version 2.2 and later.</dd>
<dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt> <dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
@ -5234,8 +5234,8 @@ fingerprint or public key fingerprint (Postfix 2.9 and later) is
listed in $relay_clientcerts. listed in $relay_clientcerts.
The fingerprint digest algorithm is configurable via the The fingerprint digest algorithm is configurable via the
smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to
Postfix version 2.5). This feature is available with Postfix version Postfix version 2.5). This feature requires "smtpd_tls_ask_ccert
2.2. </dd> = yes" and is available with Postfix version 2.2 and later.</dd>
<dt><b><a name="reject_rbl_client">reject_rbl_client <i>rbl_domain=d.d.d.d</i></a></b></dt> <dt><b><a name="reject_rbl_client">reject_rbl_client <i>rbl_domain=d.d.d.d</i></a></b></dt>

4
postfix/src/global/mail_version.h
View File

@ -20,8 +20,8 @@
* Patches change both the patchlevel and the release date. Snapshots have no * Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only. * patchlevel; they change the release date only.
*/ */
#define MAIL_RELEASE_DATE "20200312" #define MAIL_RELEASE_DATE "20200316"
#define MAIL_VERSION_NUMBER "3.5.0-RC2" #define MAIL_VERSION_NUMBER "3.5.0"
#ifdef SNAPSHOT #ifdef SNAPSHOT
#define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE

15
postfix/src/smtpd/smtpd_check.c
View File

@ -1627,6 +1627,10 @@ static int permit_tls_clientcerts(SMTPD_STATE *state, int permit_all_certs)
if (msg_verbose) if (msg_verbose)
msg_info("relay_clientcerts: No match for fingerprint '%s', " msg_info("relay_clientcerts: No match for fingerprint '%s', "
"pkey fingerprint %s", prints[0], prints[1]); "pkey fingerprint %s", prints[0], prints[1]);
} else if (!var_smtpd_tls_ask_ccert) {
msg_warn("%s is requested, but \"%s = no\"", permit_all_certs ?
PERMIT_TLS_ALL_CLIENTCERTS : PERMIT_TLS_CLIENTCERTS,
VAR_SMTPD_TLS_ACERT);
} }
#endif #endif
return (SMTPD_CHECK_DUNNO); return (SMTPD_CHECK_DUNNO);
@ -3191,12 +3195,6 @@ static int check_ccert_access(SMTPD_STATE *state, const char *acl_spec,
case SMTPD_ACL_SEARCH_CODE_PKEY_FPRINT: case SMTPD_ACL_SEARCH_CODE_PKEY_FPRINT:
match_this = state->tls_context->peer_pkey_fprint; match_this = state->tls_context->peer_pkey_fprint;
break; break;
case SMTPD_ACL_SEARCH_CODE_CERT_ISSUER_CN:
match_this = state->tls_context->issuer_CN;
break;
case SMTPD_ACL_SEARCH_CODE_CERT_SUBJECT_CN:
match_this = state->tls_context->peer_CN;
break;
default: default:
known_action = str_name_code(search_actions, *action); known_action = str_name_code(search_actions, *action);
if (known_action == 0) if (known_action == 0)
@ -3227,6 +3225,9 @@ static int check_ccert_access(SMTPD_STATE *state, const char *acl_spec,
if (result != SMTPD_CHECK_DUNNO) if (result != SMTPD_CHECK_DUNNO)
break; break;
} }
} else if (!var_smtpd_tls_ask_ccert) {
msg_warn("%s is requested, but \"%s = no\"",
CHECK_CCERT_ACL, VAR_SMTPD_TLS_ACERT);
} else { } else {
if (msg_verbose) if (msg_verbose)
msg_info("%s: no client certificate", myname); msg_info("%s: no client certificate", myname);
@ -5755,6 +5756,7 @@ int var_plaintext_code;
bool var_smtpd_peername_lookup; bool var_smtpd_peername_lookup;
bool var_smtpd_client_port_log; bool var_smtpd_client_port_log;
char *var_smtpd_dns_re_filter; char *var_smtpd_dns_re_filter;
bool var_smtpd_tls_ask_ccert;
#define int_table test_int_table #define int_table test_int_table
@ -5789,6 +5791,7 @@ static const INT_TABLE int_table[] = {
VAR_PLAINTEXT_CODE, DEF_PLAINTEXT_CODE, &var_plaintext_code, VAR_PLAINTEXT_CODE, DEF_PLAINTEXT_CODE, &var_plaintext_code,
VAR_SMTPD_PEERNAME_LOOKUP, DEF_SMTPD_PEERNAME_LOOKUP, &var_smtpd_peername_lookup, VAR_SMTPD_PEERNAME_LOOKUP, DEF_SMTPD_PEERNAME_LOOKUP, &var_smtpd_peername_lookup,
VAR_SMTPD_CLIENT_PORT_LOG, DEF_SMTPD_CLIENT_PORT_LOG, &var_smtpd_client_port_log, VAR_SMTPD_CLIENT_PORT_LOG, DEF_SMTPD_CLIENT_PORT_LOG, &var_smtpd_client_port_log,
VAR_SMTPD_TLS_ACERT, DEF_SMTPD_TLS_ACERT, &var_smtpd_tls_ask_ccert,
0, 0,
}; };