mir/postfix
2
0
Fork 0
mirror of https://github.com/vdukhovni/postfix synced 2025-08-29 13:18:12 +00:00
Code Issues Releases Wiki Activity

postfix-3.5.0

Browse Source
This commit is contained in:
Wietse Venema 2020-03-16 00:00:00 -05:00 committed by Viktor Dukhovni
parent 28b3968dd1
commit a7732f7484
7 changed files with 50 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
postfix/HISTORY
View File

@ -24654,9 +24654,20 @@ Apologies for any names omitted.
Cleanup: harmless memory leak in postconf. File:
postconf/postconf_master.c.
20200312
Bugfix (introduced: Postfix 2.3): panic with Postfix
multi-Milter configuration during MAIL FROM. Milter client
state was not properly reset after one of the Milters failed.
Reported by WeiYu Wu.
20200312
Usability: the Postfix SMTP server now logs a warning when
a configuration requests access control by client certificate,
but "smtpd_tls_ask_clientcert = no". Files: proto/postconf.proto,
smtpd/smtpd_check.c.
20200316
Removed the issuer_cn and subject_cn matches from
check_ccert_access. Files: smtpd/smtpd_check.c,
proto/postconf.proto.

12
postfix/RELEASE_NOTES
View File

@ -28,9 +28,9 @@ comfortable with the IPL can continue with that license.
Major changes - multiple relayhost in SMTP
------------------------------------------
[Feature 20200111] SMTP (and LMTP) client support for a list of
nexthop destinations separated by comma or whitespace. These will
destinations be tried in the specified order.
[Feature 20200111] the Postfix SMTP and LMTP client support a list
of nexthop destinations separated by comma or whitespace. These
destinations will be tried in the specified order.
The list form can be specified in relayhost, transport_maps,
default_transport, and sender_dependent_default_transport_maps.
@ -72,9 +72,7 @@ exact same result:
search_order = cert_fingerprint, pubkey_fingerprint } }
...
The check_ccert_access search order also supports the subject_cn and
issuer_cn properties. Support is planned for rfc822name and
smtputf8mailbox.
Support is planned for other certificate features.
Major changes - dovecot usability
---------------------------------
@ -108,7 +106,7 @@ a message if it is in the hold queue. With -e, such a message would
not be returned to the sender until it is released with -f or -H.
In the mailq(1) or postqueue(1) -p output, a forced-to-expire message
is indicated with # after the queue name. In postqueue(1) JSON
is indicated with # after the queue file name. In postqueue(1) JSON
output, there is a new per-message field "forced_expire" (with value
true or false) that shows the forced-to-expire status.

14
postfix/html/postconf.5.html
View File

@ -14239,7 +14239,8 @@ fingerprint (Postfix 2.9 and later) as lookup key for the specified
remote SMTP client certificate is verified successfully.
The fingerprint digest algorithm is configurable via the
<a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a> parameter (hard-coded as md5 prior to
Postfix version 2.5). This feature is available with Postfix version
Postfix version 2.5). This feature requires "<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>
= yes" and is available with Postfix version
2.2 and later. </dd>
<br>
@ -14251,9 +14252,7 @@ above corresponds with: </dd>
<dd> <a href="postconf.5.html#check_ccert_access">check_ccert_access</a> { <a href="DATABASE_README.html">type:table</a>, { search_order = cert_fingerprint,
pubkey_fingerprint } } </dd>
<dd> The commas are optional. Other valid search_order elements are
"subject_cn" (the certificate subject CN) and "issuer_cn" (the
certificate issuer CN). </dd>
<dd> The commas are optional. </dd>
<dt><b><a name="check_client_access">check_client_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
@ -14353,7 +14352,8 @@ CA. Otherwise, clients with a third-party certificate would also
be allowed to relay. Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" when the
trusted CA is specified with <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> or <a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a>,
to prevent Postfix from appending the system-supplied default CAs.
This feature is available with Postfix version 2.2.</dd>
This feature requires "<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a> = yes" and is available
with Postfix version 2.2 and later.</dd>
<dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
@ -14362,8 +14362,8 @@ fingerprint or public key fingerprint (Postfix 2.9 and later) is
listed in $<a href="postconf.5.html#relay_clientcerts">relay_clientcerts</a>.
The fingerprint digest algorithm is configurable via the
<a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a> parameter (hard-coded as md5 prior to
Postfix version 2.5). This feature is available with Postfix version
2.2. </dd>
Postfix version 2.5). This feature requires "<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>
= yes" and is available with Postfix version 2.2 and later.</dd>
<dt><b><a name="reject_rbl_client">reject_rbl_client <i>rbl_domain=d.d.d.d</i></a></b></dt>

14
postfix/man/man5/postconf.5
View File

@ -9523,7 +9523,8 @@ fingerprint (Postfix 2.9 and later) as lookup key for the specified
remote SMTP client certificate is verified successfully.
The fingerprint digest algorithm is configurable via the
smtpd_tls_fingerprint_digest parameter (hard\-coded as md5 prior to
Postfix version 2.5). This feature is available with Postfix version
Postfix version 2.5). This feature requires "smtpd_tls_ask_ccert
= yes" and is available with Postfix version
2.2 and later.
.br
.br
@ -9534,9 +9535,7 @@ above corresponds with:
check_ccert_access { type:table, { search_order = cert_fingerprint,
pubkey_fingerprint } }
.br
The commas are optional. Other valid search_order elements are
"subject_cn" (the certificate subject CN) and "issuer_cn" (the
certificate issuer CN).
The commas are optional.
.br
.IP "\fBcheck_client_access \fItype:table\fR\fR"
Search the specified access database for the client hostname,
@ -9623,7 +9622,8 @@ CA. Otherwise, clients with a third\-party certificate would also
be allowed to relay. Specify "tls_append_default_CA = no" when the
trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath,
to prevent Postfix from appending the system\-supplied default CAs.
This feature is available with Postfix version 2.2.
This feature requires "smtpd_tls_ask_ccert = yes" and is available
with Postfix version 2.2 and later.
.br
.IP "\fBpermit_tls_clientcerts\fR"
Permit the request when the remote SMTP client certificate
@ -9631,8 +9631,8 @@ fingerprint or public key fingerprint (Postfix 2.9 and later) is
listed in $relay_clientcerts.
The fingerprint digest algorithm is configurable via the
smtpd_tls_fingerprint_digest parameter (hard\-coded as md5 prior to
Postfix version 2.5). This feature is available with Postfix version
2.2.
Postfix version 2.5). This feature requires "smtpd_tls_ask_ccert
= yes" and is available with Postfix version 2.2 and later.
.br
.IP "\fBreject_rbl_client \fIrbl_domain=d.d.d.d\fR\fR"
Reject the request when the reversed client network address is

14
postfix/proto/postconf.proto
View File

@ -5110,7 +5110,8 @@ access(5) database; with Postfix version 2.2, also require that the
remote SMTP client certificate is verified successfully.
The fingerprint digest algorithm is configurable via the
smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to
Postfix version 2.5). This feature is available with Postfix version
Postfix version 2.5). This feature requires "smtpd_tls_ask_ccert
= yes" and is available with Postfix version
2.2 and later. </dd>
<br>
@ -5122,9 +5123,7 @@ above corresponds with: </dd>
<dd> check_ccert_access { type:table, { search_order = cert_fingerprint,
pubkey_fingerprint } } </dd>
<dd> The commas are optional. Other valid search_order elements are
"subject_cn" (the certificate subject CN) and "issuer_cn" (the
certificate issuer CN). </dd>
<dd> The commas are optional. </dd>
<dt><b><a name="check_client_access">check_client_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
@ -5225,7 +5224,8 @@ CA. Otherwise, clients with a third-party certificate would also
be allowed to relay. Specify "tls_append_default_CA = no" when the
trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath,
to prevent Postfix from appending the system-supplied default CAs.
This feature is available with Postfix version 2.2.</dd>
This feature requires "smtpd_tls_ask_ccert = yes" and is available
with Postfix version 2.2 and later.</dd>
<dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
@ -5234,8 +5234,8 @@ fingerprint or public key fingerprint (Postfix 2.9 and later) is
listed in $relay_clientcerts.
The fingerprint digest algorithm is configurable via the
smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to
Postfix version 2.5). This feature is available with Postfix version
2.2. </dd>
Postfix version 2.5). This feature requires "smtpd_tls_ask_ccert
= yes" and is available with Postfix version 2.2 and later.</dd>
<dt><b><a name="reject_rbl_client">reject_rbl_client <i>rbl_domain=d.d.d.d</i></a></b></dt>

4
postfix/src/global/mail_version.h
View File

@ -20,8 +20,8 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
#define MAIL_RELEASE_DATE "20200312"
#define MAIL_VERSION_NUMBER "3.5.0-RC2"
#define MAIL_RELEASE_DATE "20200316"
#define MAIL_VERSION_NUMBER "3.5.0"
#ifdef SNAPSHOT
#define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE

15
postfix/src/smtpd/smtpd_check.c
View File

@ -1627,6 +1627,10 @@ static int permit_tls_clientcerts(SMTPD_STATE *state, int permit_all_certs)
if (msg_verbose)
msg_info("relay_clientcerts: No match for fingerprint '%s', "
"pkey fingerprint %s", prints[0], prints[1]);
} else if (!var_smtpd_tls_ask_ccert) {
msg_warn("%s is requested, but \"%s = no\"", permit_all_certs ?
PERMIT_TLS_ALL_CLIENTCERTS : PERMIT_TLS_CLIENTCERTS,
VAR_SMTPD_TLS_ACERT);
}
#endif
return (SMTPD_CHECK_DUNNO);
@ -3191,12 +3195,6 @@ static int check_ccert_access(SMTPD_STATE *state, const char *acl_spec,
case SMTPD_ACL_SEARCH_CODE_PKEY_FPRINT:
match_this = state->tls_context->peer_pkey_fprint;
break;
case SMTPD_ACL_SEARCH_CODE_CERT_ISSUER_CN:
match_this = state->tls_context->issuer_CN;
break;
case SMTPD_ACL_SEARCH_CODE_CERT_SUBJECT_CN:
match_this = state->tls_context->peer_CN;
break;
default:
known_action = str_name_code(search_actions, *action);
if (known_action == 0)
@ -3227,6 +3225,9 @@ static int check_ccert_access(SMTPD_STATE *state, const char *acl_spec,
if (result != SMTPD_CHECK_DUNNO)
break;
}
} else if (!var_smtpd_tls_ask_ccert) {
msg_warn("%s is requested, but \"%s = no\"",
CHECK_CCERT_ACL, VAR_SMTPD_TLS_ACERT);
} else {
if (msg_verbose)
msg_info("%s: no client certificate", myname);
@ -5755,6 +5756,7 @@ int var_plaintext_code;
bool var_smtpd_peername_lookup;
bool var_smtpd_client_port_log;
char *var_smtpd_dns_re_filter;
bool var_smtpd_tls_ask_ccert;
#define int_table test_int_table
@ -5789,6 +5791,7 @@ static const INT_TABLE int_table[] = {
VAR_PLAINTEXT_CODE, DEF_PLAINTEXT_CODE, &var_plaintext_code,
VAR_SMTPD_PEERNAME_LOOKUP, DEF_SMTPD_PEERNAME_LOOKUP, &var_smtpd_peername_lookup,
VAR_SMTPD_CLIENT_PORT_LOG, DEF_SMTPD_CLIENT_PORT_LOG, &var_smtpd_client_port_log,
VAR_SMTPD_TLS_ACERT, DEF_SMTPD_TLS_ACERT, &var_smtpd_tls_ask_ccert,
0,
};