
postfix-2.6.7

This commit is contained in:
Wietse Venema 2010-06-08 00:00:00 -05:00 committed by Viktor Dukhovni
parent 6f50e0caaa
commit b558caf8fd
16 changed files with 177 additions and 64 deletions


@ -15338,3 +15338,32 @@ Apologies for any names omitted.
a mailbox address inside <>, which broke expectations. RFC
2821 (and 5321) is vague about the VRFY request format, but
spends lots of text on the reply format. File: smtpd/smtpd.c.
20100515
Bugfix (introduced Postfix 2.6): the Postfix SMTP client
XFORWARD implementation did not skip "unknown" SMTP client
attributes, causing a syntax error when sending a PORT
attribute. Reported by Victor Duchovni. File: smtp/smtp_proto.c.
20100529
Portability: OpenSSL 1.0.0 changes the priority of anonymous
cyphers. Victor Duchovni. Files: postconf.proto,
global/mail_params.h, tls/tls_certkey.c, tls/tls_client.c,
tls/tls_dh.c, tls/tls_server.c.
Portability: Mac OS 10.6.3 requires <arpa/nameser_compat.h>
instead of <nameser8_compat.h>. Files: makedefs, util/sys_defs.h,
dns/dns.h.
20100531
Robustness: skip LDAP queries with non-ASCII search strings.
The LDAP library requires well-formed UTF-8. Victor Duchovni.
File: global/dict_ldap.c.
20100601
Portability: Berkeley DB 5.x has the same API as Berkeley
DB 4.1 and later. File: util/dict_db.c.


@ -4279,7 +4279,7 @@ configuration parameter. See there for details. </p>
parameter. See there for details. </p>
<p> This feature is available in Postfix 2.6 and later, when Postfix is
compiled and linked with OpenSSL 0.9.9 or later. </p>
compiled and linked with OpenSSL 1.0.0 or later. </p>
</DD>
@ -4291,7 +4291,7 @@ compiled and linked with OpenSSL 0.9.9 or later. </p>
parameter. See there for details. </p>
<p> This feature is available in Postfix 2.6 and later, when Postfix is
compiled and linked with OpenSSL 0.9.9 or later. </p>
compiled and linked with OpenSSL 1.0.0 or later. </p>
</DD>
@ -9081,7 +9081,7 @@ This file may also contain the Postfix SMTP client ECDSA private key. </p>
</pre>
<p> This feature is available in Postfix 2.6 and later, when Postfix is
compiled and linked with OpenSSL 0.9.9 or later. </p>
compiled and linked with OpenSSL 1.0.0 or later. </p>
</DD>
@ -9099,7 +9099,7 @@ access to the system superuser account ("root"), and no access
to anyone else. </p>
<p> This feature is available in Postfix 2.6 and later, when Postfix is
compiled and linked with OpenSSL 0.9.9 or later. </p>
compiled and linked with OpenSSL 1.0.0 or later. </p>
</DD>
@ -12534,7 +12534,7 @@ This file may also contain the Postfix SMTP server private ECDSA key. </p>
</pre>
<p> This feature is available in Postfix 2.6 and later, when Postfix is
compiled and linked with OpenSSL 0.9.9 or later. </p>
compiled and linked with OpenSSL 1.0.0 or later. </p>
</DD>
@ -12552,7 +12552,7 @@ access to the system superuser account ("root"), and no access
to anyone else. </p>
<p> This feature is available in Postfix 2.6 and later, when Postfix is
compiled and linked with OpenSSL 0.9.9 or later. </p>
compiled and linked with OpenSSL 1.0.0 or later. </p>
</DD>
@ -12586,7 +12586,7 @@ users. </dd>
</dl>
<p> This feature is available in Postfix 2.6 and later, when it is
compiled and linked with OpenSSL 0.9.9 or later. </p>
compiled and linked with OpenSSL 1.0.0 or later. </p>
</DD>
@ -13380,7 +13380,7 @@ under the SECG name "secp256r1", but OpenSSL does not recognize the
latter name. </p>
<p> This feature is available in Postfix 2.6 and later, when it is
compiled and linked with OpenSSL 0.9.9 or later. </p>
compiled and linked with OpenSSL 1.0.0 or later. </p>
</DD>
@ -13403,7 +13403,7 @@ of <a href="http://tools.ietf.org/html/rfc4492">RFC 4492</a>. You should not gen
classified as TOP SECRET. </p>
<p> This feature is available in Postfix 2.6 and later, when it is
compiled and linked with OpenSSL 0.9.9 or later. </p>
compiled and linked with OpenSSL 1.0.0 or later. </p>
</DD>
@ -13416,7 +13416,11 @@ defines the meaning of the "export" setting in <a href="postconf.5.html#smtpd_tl
<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> and <a href="postconf.5.html#lmtp_tls_mandatory_ciphers">lmtp_tls_mandatory_ciphers</a>. This is
the cipherlist for the opportunistic ("may") TLS client security
level and is the default cipherlist for the SMTP server. You are
strongly encouraged to not change this setting. </p>
strongly encouraged to not change this setting. With OpenSSL 1.0.0 and
later the cipherlist may start with an "aNULL:" prefix, which restores
the 0.9.8-compatible ordering of the aNULL ciphers to the top of the
list when they are enabled. This prefix is not needed with previous
OpenSSL releases. </p>
<p> This feature is available in Postfix 2.3 and later. </p>
@ -13429,7 +13433,11 @@ strongly encouraged to not change this setting. </p>
<p> The OpenSSL cipherlist for "HIGH" grade ciphers. This defines
the meaning of the "high" setting in <a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a>,
<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> and <a href="postconf.5.html#lmtp_tls_mandatory_ciphers">lmtp_tls_mandatory_ciphers</a>. You are
strongly encouraged to not change this setting. </p>
strongly encouraged to not change this setting. With OpenSSL 1.0.0 and
later the cipherlist may start with an "aNULL:" prefix, which restores
the 0.9.8-compatible ordering of the aNULL ciphers to the top of the
list when they are enabled. This prefix is not needed with previous
OpenSSL releases. </p>
<p> This feature is available in Postfix 2.3 and later. </p>
@ -13442,7 +13450,11 @@ strongly encouraged to not change this setting. </p>
<p> The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines
the meaning of the "low" setting in <a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a>,
<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> and <a href="postconf.5.html#lmtp_tls_mandatory_ciphers">lmtp_tls_mandatory_ciphers</a>. You are
strongly encouraged to not change this setting. </p>
strongly encouraged to not change this setting. With OpenSSL 1.0.0 and
later the cipherlist may start with an "aNULL:" prefix, which restores
the 0.9.8-compatible ordering of the aNULL ciphers to the top of the
list when they are enabled. This prefix is not needed with previous
OpenSSL releases. </p>
<p> This feature is available in Postfix 2.3 and later. </p>
@ -13458,7 +13470,10 @@ defines the meaning of the "medium" setting in <a href="postconf.5.html#smtpd_tl
the default cipherlist for mandatory TLS encryption in the TLS
client (with anonymous ciphers disabled when verifying server
certificates). You are strongly encouraged to not change this
setting. </p>
setting. With OpenSSL 1.0.0 and later the cipherlist may start with an
"aNULL:" prefix, which restores the 0.9.8-compatible ordering of the
aNULL ciphers to the top of the list when they are enabled. This prefix
is not needed with previous OpenSSL releases. </p>
<p> This feature is available in Postfix 2.3 and later. </p>


@ -412,6 +412,11 @@ ReliantUNIX-?.5.43) SYSTYPE=ReliantUnix543
[1-6].*) CCARGS="$CCARGS -DNO_IPV6";;
*) CCARGS="$CCARGS -DBIND_8_COMPAT -DNO_NETINFO";;
esac
# Darwin 10.3.0 no longer has <nameser8_compat.h>.
case $RELEASE in
?.*) CCARGS="$CCARGS -DRESOLVE_H_NEEDS_NAMESER8_COMPAT_H";;
*) CCARGS="$CCARGS -DRESOLVE_H_NEEDS_ARPA_NAMESER_COMPAT_H";;
esac
# kqueue and/or poll are broken up to and including MacOS X 10.5
CCARGS="$CCARGS -DNO_KQUEUE"
# # Darwin 8.11.1 has kqueue support, but let's play safe
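Review bot: The new `case $RELEASE in ?.*)` arm dispatches on the Darwin major version alone, while the comment directly above it pins the header change to Darwin 10.3.0 (the HISTORY entry in this commit says Mac OS 10.6.3); if Darwin 10.0 through 10.2 still carry only <nameser8_compat.h> they now get -DRESOLVE_H_NEEDS_ARPA_NAMESER_COMPAT_H and the build breaks there, and if they already have <arpa/nameser_compat.h> the comment is simply misleading. A comment that records what was actually checked would settle this, e.g. `# Darwin 1-9 have <nameser8_compat.h>; Darwin 10 (Mac OS X 10.6) needs <arpa/nameser_compat.h> instead` — assuming that is what the pattern was verified against. Since the unconditional RESOLVE_H_NEEDS_NAMESER8_COMPAT_H define is removed from sys_defs.h in the same commit, every Darwin build now depends on this arm being right. The enclosing case statement begins and ends outside the hunk.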


@ -2326,13 +2326,13 @@ The LMTP-specific version of the smtp_tls_eccert_file configuration
parameter. See there for details.
.PP
This feature is available in Postfix 2.6 and later, when Postfix is
compiled and linked with OpenSSL 0.9.9 or later.
compiled and linked with OpenSSL 1.0.0 or later.
.SH lmtp_tls_eckey_file (default: empty)
The LMTP-specific version of the smtp_tls_eckey_file configuration
parameter. See there for details.
.PP
This feature is available in Postfix 2.6 and later, when Postfix is
compiled and linked with OpenSSL 0.9.9 or later.
compiled and linked with OpenSSL 1.0.0 or later.
.SH lmtp_tls_enforce_peername (default: yes)
The LMTP-specific version of the smtp_tls_enforce_peername
configuration parameter. See there for details.
@ -5221,7 +5221,7 @@ smtp_tls_eccert_file = /etc/postfix/ecdsa-ccert.pem
.ft R
.PP
This feature is available in Postfix 2.6 and later, when Postfix is
compiled and linked with OpenSSL 0.9.9 or later.
compiled and linked with OpenSSL 1.0.0 or later.
.SH smtp_tls_eckey_file (default: $smtp_tls_eccert_file)
File with the Postfix SMTP client ECDSA private key in PEM format.
This file may be combined with the Postfix SMTP client ECDSA
@ -5233,7 +5233,7 @@ access to the system superuser account ("root"), and no access
to anyone else.
.PP
This feature is available in Postfix 2.6 and later, when Postfix is
compiled and linked with OpenSSL 0.9.9 or later.
compiled and linked with OpenSSL 1.0.0 or later.
.SH smtp_tls_enforce_peername (default: yes)
With mandatory TLS encryption, require that the remote SMTP
server hostname matches the information in the remote SMTP server
@ -7820,7 +7820,7 @@ smtpd_tls_eccert_file = /etc/postfix/ecdsa-scert.pem
.ft R
.PP
This feature is available in Postfix 2.6 and later, when Postfix is
compiled and linked with OpenSSL 0.9.9 or later.
compiled and linked with OpenSSL 1.0.0 or later.
.SH smtpd_tls_eckey_file (default: $smtpd_tls_eccert_file)
File with the Postfix SMTP server ECDSA private key in PEM format.
This file may be combined with the Postfix SMTP server ECDSA certificate
@ -7832,7 +7832,7 @@ access to the system superuser account ("root"), and no access
to anyone else.
.PP
This feature is available in Postfix 2.6 and later, when Postfix is
compiled and linked with OpenSSL 0.9.9 or later.
compiled and linked with OpenSSL 1.0.0 or later.
.SH smtpd_tls_eecdh_grade (default: see "postconf -d" output)
The Postfix SMTP server security grade for ephemeral elliptic-curve
Diffie-Hellman (EECDH) key exchange.
@ -7856,7 +7856,7 @@ elliptic curve crypto-systems, the "strong" curve is sufficient for most
users.
.PP
This feature is available in Postfix 2.6 and later, when it is
compiled and linked with OpenSSL 0.9.9 or later.
compiled and linked with OpenSSL 1.0.0 or later.
.SH smtpd_tls_exclude_ciphers (default: empty)
List of ciphers or cipher types to exclude from the SMTP server
cipher list at all TLS security levels. Excluding valid ciphers
@ -8437,7 +8437,7 @@ under the SECG name "secp256r1", but OpenSSL does not recognize the
latter name.
.PP
This feature is available in Postfix 2.6 and later, when it is
compiled and linked with OpenSSL 0.9.9 or later.
compiled and linked with OpenSSL 1.0.0 or later.
.SH tls_eecdh_ultra_curve (default: secp384r1)
The elliptic curve used by the SMTP server for maximally strong
ephemeral ECDH key exchange. This curve is used by the Postfix SMTP
@ -8454,28 +8454,40 @@ This default "ultra" curve is specified in NSA "Suite B" Cryptography
classified as TOP SECRET.
.PP
This feature is available in Postfix 2.6 and later, when it is
compiled and linked with OpenSSL 0.9.9 or later.
compiled and linked with OpenSSL 1.0.0 or later.
.SH tls_export_cipherlist (default: ALL:+RC4:@STRENGTH)
The OpenSSL cipherlist for "EXPORT" or higher grade ciphers. This
defines the meaning of the "export" setting in smtpd_tls_mandatory_ciphers,
smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is
the cipherlist for the opportunistic ("may") TLS client security
level and is the default cipherlist for the SMTP server. You are
strongly encouraged to not change this setting.
strongly encouraged to not change this setting. With OpenSSL 1.0.0 and
later the cipherlist may start with an "aNULL:" prefix, which restores
the 0.9.8-compatible ordering of the aNULL ciphers to the top of the
list when they are enabled. This prefix is not needed with previous
OpenSSL releases.
.PP
This feature is available in Postfix 2.3 and later.
.SH tls_high_cipherlist (default: ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)
The OpenSSL cipherlist for "HIGH" grade ciphers. This defines
the meaning of the "high" setting in smtpd_tls_mandatory_ciphers,
smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are
strongly encouraged to not change this setting.
strongly encouraged to not change this setting. With OpenSSL 1.0.0 and
later the cipherlist may start with an "aNULL:" prefix, which restores
the 0.9.8-compatible ordering of the aNULL ciphers to the top of the
list when they are enabled. This prefix is not needed with previous
OpenSSL releases.
.PP
This feature is available in Postfix 2.3 and later.
.SH tls_low_cipherlist (default: ALL:!EXPORT:+RC4:@STRENGTH)
The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines
the meaning of the "low" setting in smtpd_tls_mandatory_ciphers,
smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are
strongly encouraged to not change this setting.
strongly encouraged to not change this setting. With OpenSSL 1.0.0 and
later the cipherlist may start with an "aNULL:" prefix, which restores
the 0.9.8-compatible ordering of the aNULL ciphers to the top of the
list when they are enabled. This prefix is not needed with previous
OpenSSL releases.
.PP
This feature is available in Postfix 2.3 and later.
.SH tls_medium_cipherlist (default: ALL:!EXPORT:!LOW:+RC4:@STRENGTH)
@ -8485,7 +8497,10 @@ smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is
the default cipherlist for mandatory TLS encryption in the TLS
client (with anonymous ciphers disabled when verifying server
certificates). You are strongly encouraged to not change this
setting.
setting. With OpenSSL 1.0.0 and later the cipherlist may start with an
"aNULL:" prefix, which restores the 0.9.8-compatible ordering of the
aNULL ciphers to the top of the list when they are enabled. This prefix
is not needed with previous OpenSSL releases.
.PP
This feature is available in Postfix 2.3 and later.
.SH tls_null_cipherlist (default: eNULL:!aNULL)


@ -10891,7 +10891,11 @@ attribute. See smtp_tls_policy_maps for notes and examples. </p>
<p> The OpenSSL cipherlist for "HIGH" grade ciphers. This defines
the meaning of the "high" setting in smtpd_tls_mandatory_ciphers,
smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are
strongly encouraged to not change this setting. </p>
strongly encouraged to not change this setting. With OpenSSL 1.0.0 and
later the cipherlist may start with an "aNULL:" prefix, which restores
the 0.9.8-compatible ordering of the aNULL ciphers to the top of the
list when they are enabled. This prefix is not needed with previous
OpenSSL releases. </p>
<p> This feature is available in Postfix 2.3 and later. </p>
@ -10903,7 +10907,10 @@ smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is
the default cipherlist for mandatory TLS encryption in the TLS
client (with anonymous ciphers disabled when verifying server
certificates). You are strongly encouraged to not change this
setting. </p>
setting. With OpenSSL 1.0.0 and later the cipherlist may start with an
"aNULL:" prefix, which restores the 0.9.8-compatible ordering of the
aNULL ciphers to the top of the list when they are enabled. This prefix
is not needed with previous OpenSSL releases. </p>
<p> This feature is available in Postfix 2.3 and later. </p>
@ -10912,7 +10919,11 @@ setting. </p>
<p> The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines
the meaning of the "low" setting in smtpd_tls_mandatory_ciphers,
smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are
strongly encouraged to not change this setting. </p>
strongly encouraged to not change this setting. With OpenSSL 1.0.0 and
later the cipherlist may start with an "aNULL:" prefix, which restores
the 0.9.8-compatible ordering of the aNULL ciphers to the top of the
list when they are enabled. This prefix is not needed with previous
OpenSSL releases. </p>
<p> This feature is available in Postfix 2.3 and later. </p>
@ -10923,7 +10934,11 @@ defines the meaning of the "export" setting in smtpd_tls_mandatory_ciphers,
smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is
the cipherlist for the opportunistic ("may") TLS client security
level and is the default cipherlist for the SMTP server. You are
strongly encouraged to not change this setting. </p>
strongly encouraged to not change this setting. With OpenSSL 1.0.0 and
later the cipherlist may start with an "aNULL:" prefix, which restores
the 0.9.8-compatible ordering of the aNULL ciphers to the top of the
list when they are enabled. This prefix is not needed with previous
OpenSSL releases. </p>
<p> This feature is available in Postfix 2.3 and later. </p>
@ -11449,7 +11464,7 @@ under the SECG name "secp256r1", but OpenSSL does not recognize the
latter name. </p>
<p> This feature is available in Postfix 2.6 and later, when it is
compiled and linked with OpenSSL 0.9.9 or later. </p>
compiled and linked with OpenSSL 1.0.0 or later. </p>
%PARAM tls_eecdh_ultra_curve secp384r1
@ -11468,7 +11483,7 @@ of RFC 4492. You should not generally change this setting. </p>
classified as TOP SECRET. </p>
<p> This feature is available in Postfix 2.6 and later, when it is
compiled and linked with OpenSSL 0.9.9 or later. </p>
compiled and linked with OpenSSL 1.0.0 or later. </p>
%PARAM smtpd_tls_eecdh_grade see "postconf -d" output
@ -11498,7 +11513,7 @@ users. </dd>
</dl>
<p> This feature is available in Postfix 2.6 and later, when it is
compiled and linked with OpenSSL 0.9.9 or later. </p>
compiled and linked with OpenSSL 1.0.0 or later. </p>
%PARAM smtpd_tls_eccert_file
@ -11514,7 +11529,7 @@ smtpd_tls_eccert_file = /etc/postfix/ecdsa-scert.pem
</pre>
<p> This feature is available in Postfix 2.6 and later, when Postfix is
compiled and linked with OpenSSL 0.9.9 or later. </p>
compiled and linked with OpenSSL 1.0.0 or later. </p>
%PARAM smtpd_tls_eckey_file $smtpd_tls_eccert_file
@ -11528,7 +11543,7 @@ access to the system superuser account ("root"), and no access
to anyone else. </p>
<p> This feature is available in Postfix 2.6 and later, when Postfix is
compiled and linked with OpenSSL 0.9.9 or later. </p>
compiled and linked with OpenSSL 1.0.0 or later. </p>
%PARAM smtp_tls_eccert_file
@ -11545,7 +11560,7 @@ smtp_tls_eccert_file = /etc/postfix/ecdsa-ccert.pem
</pre>
<p> This feature is available in Postfix 2.6 and later, when Postfix is
compiled and linked with OpenSSL 0.9.9 or later. </p>
compiled and linked with OpenSSL 1.0.0 or later. </p>
%PARAM smtp_tls_eckey_file $smtp_tls_eccert_file
@ -11559,7 +11574,7 @@ access to the system superuser account ("root"), and no access
to anyone else. </p>
<p> This feature is available in Postfix 2.6 and later, when Postfix is
compiled and linked with OpenSSL 0.9.9 or later. </p>
compiled and linked with OpenSSL 1.0.0 or later. </p>
%PARAM lmtp_tls_eccert_file
@ -11567,7 +11582,7 @@ compiled and linked with OpenSSL 0.9.9 or later. </p>
parameter. See there for details. </p>
<p> This feature is available in Postfix 2.6 and later, when Postfix is
compiled and linked with OpenSSL 0.9.9 or later. </p>
compiled and linked with OpenSSL 1.0.0 or later. </p>
%PARAM lmtp_tls_eckey_file
@ -11575,7 +11590,7 @@ compiled and linked with OpenSSL 0.9.9 or later. </p>
parameter. See there for details. </p>
<p> This feature is available in Postfix 2.6 and later, when Postfix is
compiled and linked with OpenSSL 0.9.9 or later. </p>
compiled and linked with OpenSSL 1.0.0 or later. </p>
%PARAM smtp_header_checks


@ -22,6 +22,9 @@
#ifdef RESOLVE_H_NEEDS_NAMESER8_COMPAT_H
#include <nameser8_compat.h>
#endif
#ifdef RESOLVE_H_NEEDS_ARPA_NAMESER_COMPAT_H
#include <arpa/nameser_compat.h>
#endif
#include <resolv.h>
/*


@ -1082,12 +1082,21 @@ static const char *dict_ldap_lookup(DICT *dict, const char *name)
static VSTRING *result;
int rc = 0;
int sizelimit;
const char *cp;
dict_errno = 0;
if (msg_verbose)
msg_info("%s: In dict_ldap_lookup", myname);
for (cp = name; *cp; ++cp)
if (!ISASCII(*cp)) {
if (msg_verbose)
msg_info("%s: %s: Skipping lookup of non-ASCII key '%s'",
myname, dict_ldap->parser->name, name);
return (0);
}
/*
* Optionally fold the key.
*/
@ -1105,7 +1114,8 @@ static const char *dict_ldap_lookup(DICT *dict, const char *name)
*/
if (db_common_check_domain(dict_ldap->ctx, name) == 0) {
if (msg_verbose)
msg_info("%s: Skipping lookup of '%s'", myname, name);
msg_info("%s: %s: Skipping lookup of key '%s': domain mismatch",
myname, dict_ldap->parser->name, name);
return (0);
}
#define INIT_VSTR(buf, len) do { \
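Review bot: The new non-ASCII guard at the top of dict_ldap_lookup has no comment saying why it exists or why it rejects every non-ASCII byte rather than only malformed UTF-8; the rationale lives only in the HISTORY entry. Suggest a comment block above the `for` loop in the file's style: `/* The LDAP library requires well-formed UTF-8 search strings. Rather than validate UTF-8, treat any key with a non-ASCII byte as not found. */`. Returning 0 with dict_errno left at 0 reports the key as absent rather than as a lookup error, which matches the domain-mismatch branch in the second hunk, and the comment should state that this is deliberate so that callers are not surprised by a silent miss at the default verbosity. The loop passes a possibly signed `char` to ISASCII(); that is fine only if the wrapper casts to unsigned char as Postfix's other ctype wrappers do, which is worth confirming. dict_ldap_lookup begins and ends outside the hunks.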


@ -2875,20 +2875,31 @@ extern bool var_smtp_cname_overr;
/*
* TLS cipherlists
*/
#ifdef USE_TLS
#include <openssl/opensslv.h>
#if OPENSSL_VERSION_NUMBER >= 0x1000000fL
#define PREFER_aNULL "aNULL:-aNULL:"
#else
#define PREFER_aNULL ""
#endif
#else
#define PREFER_aNULL ""
#endif
#define VAR_TLS_HIGH_CLIST "tls_high_cipherlist"
#define DEF_TLS_HIGH_CLIST "ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH"
#define DEF_TLS_HIGH_CLIST PREFER_aNULL "ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH"
extern char *var_tls_high_clist;
#define VAR_TLS_MEDIUM_CLIST "tls_medium_cipherlist"
#define DEF_TLS_MEDIUM_CLIST "ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
#define DEF_TLS_MEDIUM_CLIST PREFER_aNULL "ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
extern char *var_tls_medium_clist;
#define VAR_TLS_LOW_CLIST "tls_low_cipherlist"
#define DEF_TLS_LOW_CLIST "ALL:!EXPORT:+RC4:@STRENGTH"
#define DEF_TLS_LOW_CLIST PREFER_aNULL "ALL:!EXPORT:+RC4:@STRENGTH"
extern char *var_tls_low_clist;
#define VAR_TLS_EXPORT_CLIST "tls_export_cipherlist"
#define DEF_TLS_EXPORT_CLIST "ALL:+RC4:@STRENGTH"
#define DEF_TLS_EXPORT_CLIST PREFER_aNULL "ALL:+RC4:@STRENGTH"
extern char *var_tls_export_clist;
#define VAR_TLS_NULL_CLIST "tls_null_cipherlist"
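Review bot: The PREFER_aNULL block is the one place where Postfix deliberately moves anonymous (aNULL) ciphers back to the head of the default cipherlists, yet the only comment above it is the pre-existing `TLS cipherlists` banner; a why-comment would keep the next maintainer from "fixing" it, e.g. `/* OpenSSL 1.0.0 demotes aNULL ciphers within ALL; restore the 0.9.8 ordering so they are preferred where they are permitted at all (callers that verify peer certificates exclude them separately, see the tls_medium_cipherlist documentation). */`. The documentation added in this commit describes the prefix as `"aNULL:"`, while the macro expands to `"aNULL:-aNULL:"`, which is what postconf -d will print; either the documentation should show the actual prefix or the comment should explain what the trailing `-aNULL:` achieves (presumably it removes the ciphers again so that the following ALL re-adds them at that leading position, but that depends on OpenSSL's cipherlist ordering rules and should be confirmed). The `#include <openssl/opensslv.h>` now reaches every program that includes mail_params.h under USE_TLS; that looks harmless but is new for this header.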


@ -20,8 +20,8 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
#define MAIL_RELEASE_DATE "20100319"
#define MAIL_VERSION_NUMBER "2.6.6"
#define MAIL_RELEASE_DATE "20100608"
#define MAIL_VERSION_NUMBER "2.6.7"
#ifdef SNAPSHOT
# define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE


@ -1205,20 +1205,31 @@ static int smtp_loop(SMTP_STATE *state, NOCLOBBER int send_state,
* information, the command length stays within the 512 byte
* command line length limit.
*/
#ifndef CAN_FORWARD_CLIENT_NAME
#define _ATTR_AVAIL_AND_KNOWN_(val) \
(DEL_REQ_ATTR_AVAIL(val) && strcasecmp((val), "unknown"))
#define CAN_FORWARD_CLIENT_NAME _ATTR_AVAIL_AND_KNOWN_
#define CAN_FORWARD_CLIENT_ADDR _ATTR_AVAIL_AND_KNOWN_
#define CAN_FORWARD_CLIENT_PORT _ATTR_AVAIL_AND_KNOWN_
#define CAN_FORWARD_PROTO_NAME _ATTR_AVAIL_AND_KNOWN_
#define CAN_FORWARD_HELO_NAME DEL_REQ_ATTR_AVAIL
#define CAN_FORWARD_RWR_CONTEXT DEL_REQ_ATTR_AVAIL
#endif
case SMTP_STATE_XFORWARD_NAME_ADDR:
vstring_strcpy(next_command, XFORWARD_CMD);
if ((session->features & SMTP_FEATURE_XFORWARD_NAME)
&& DEL_REQ_ATTR_AVAIL(request->client_name)) {
&& CAN_FORWARD_CLIENT_NAME(request->client_name)) {
vstring_strcat(next_command, " " XFORWARD_NAME "=");
xtext_quote_append(next_command, request->client_name, "");
}
if ((session->features & SMTP_FEATURE_XFORWARD_ADDR)
&& DEL_REQ_ATTR_AVAIL(request->client_addr)) {
&& CAN_FORWARD_CLIENT_ADDR(request->client_addr)) {
vstring_strcat(next_command, " " XFORWARD_ADDR "=");
xtext_quote_append(next_command, request->client_addr, "");
}
if ((session->features & SMTP_FEATURE_XFORWARD_PORT)
&& DEL_REQ_ATTR_AVAIL(request->client_port)) {
&& CAN_FORWARD_CLIENT_PORT(request->client_port)) {
vstring_strcat(next_command, " " XFORWARD_PORT "=");
xtext_quote_append(next_command, request->client_port, "");
}
@ -1231,17 +1242,17 @@ static int smtp_loop(SMTP_STATE *state, NOCLOBBER int send_state,
case SMTP_STATE_XFORWARD_PROTO_HELO:
vstring_strcpy(next_command, XFORWARD_CMD);
if ((session->features & SMTP_FEATURE_XFORWARD_PROTO)
&& DEL_REQ_ATTR_AVAIL(request->client_proto)) {
&& CAN_FORWARD_PROTO_NAME(request->client_proto)) {
vstring_strcat(next_command, " " XFORWARD_PROTO "=");
xtext_quote_append(next_command, request->client_proto, "");
}
if ((session->features & SMTP_FEATURE_XFORWARD_HELO)
&& DEL_REQ_ATTR_AVAIL(request->client_helo)) {
&& CAN_FORWARD_HELO_NAME(request->client_helo)) {
vstring_strcat(next_command, " " XFORWARD_HELO "=");
xtext_quote_append(next_command, request->client_helo, "");
}
if ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN)
&& DEL_REQ_ATTR_AVAIL(request->rewrite_context)) {
&& CAN_FORWARD_RWR_CONTEXT(request->rewrite_context)) {
vstring_strcat(next_command, " " XFORWARD_DOMAIN "=");
xtext_quote_append(next_command,
strcmp(request->rewrite_context, MAIL_ATTR_RWR_LOCAL) ?
@ -1923,19 +1934,19 @@ int smtp_xfer(SMTP_STATE *state)
send_name_addr =
var_smtp_send_xforward
&& (((session->features & SMTP_FEATURE_XFORWARD_NAME)
&& DEL_REQ_ATTR_AVAIL(request->client_name))
&& CAN_FORWARD_CLIENT_NAME(request->client_name))
|| ((session->features & SMTP_FEATURE_XFORWARD_ADDR)
&& DEL_REQ_ATTR_AVAIL(request->client_addr))
&& CAN_FORWARD_CLIENT_ADDR(request->client_addr))
|| ((session->features & SMTP_FEATURE_XFORWARD_PORT)
&& DEL_REQ_ATTR_AVAIL(request->client_port)));
&& CAN_FORWARD_CLIENT_PORT(request->client_port)));
session->send_proto_helo =
var_smtp_send_xforward
&& (((session->features & SMTP_FEATURE_XFORWARD_PROTO)
&& DEL_REQ_ATTR_AVAIL(request->client_proto))
&& CAN_FORWARD_PROTO_NAME(request->client_proto))
|| ((session->features & SMTP_FEATURE_XFORWARD_HELO)
&& DEL_REQ_ATTR_AVAIL(request->client_helo))
&& CAN_FORWARD_HELO_NAME(request->client_helo))
|| ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN)
&& DEL_REQ_ATTR_AVAIL(request->rewrite_context)));
&& CAN_FORWARD_RWR_CONTEXT(request->rewrite_context)));
if (send_name_addr)
recv_state = send_state = SMTP_STATE_XFORWARD_NAME_ADDR;
else if (session->send_proto_helo)
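Review bot: `_ATTR_AVAIL_AND_KNOWN_` is a reserved identifier (a leading underscore followed by an uppercase letter is reserved for the implementation in C), and the whole macro set is defined inside smtp_loop's switch body behind `#ifndef CAN_FORWARD_CLIENT_NAME` while the third hunk uses the same macros in smtp_xfer, so their availability there rests only on textual order within the file. Hoisting the block to file scope next to the other `#define`s, renamed e.g. `ATTR_AVAIL_AND_KNOWN`, gives both functions one documented definition; a comment such as `/* Omit XFORWARD attributes whose value is "unknown"; sending them is a syntax error. */` would record the bug this fixes. The macro evaluates `val` twice, which is fine for the struct-member arguments used here but should be stated in that comment, and `strcasecmp` needs <strings.h> to be in scope, which cannot be confirmed from the hunk. Both smtp_loop and smtp_xfer begin and end outside the hunks.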


@ -158,7 +158,7 @@ int tls_set_my_certificate_key_info(SSL_CTX *ctx,
return (-1); /* logged */
if (*dcert_file && !set_cert_stuff(ctx, "DSA", dcert_file, dkey_file))
return (-1); /* logged */
#if OPENSSL_VERSION_NUMBER >= 0x00909000 && !defined(OPENSSL_NO_ECDH)
#if OPENSSL_VERSION_NUMBER >= 0x1000000fL && !defined(OPENSSL_NO_ECDH)
if (*eccert_file && !set_cert_stuff(ctx, "ECDSA", eccert_file, eckey_file))
return (-1); /* logged */
#else


@ -725,7 +725,7 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props)
int protomask;
const char *cipher_list;
SSL_SESSION *session;
SSL_CIPHER *cipher;
const SSL_CIPHER *cipher;
X509 *peercert;
TLS_SESS_STATE *TLScontext;
TLS_APPL_STATE *app_ctx = props->ctx;


@ -205,7 +205,7 @@ DH *tls_tmp_dh_cb(SSL *unused_ssl, int export, int keylength)
int tls_set_eecdh_curve(SSL_CTX *server_ctx, const char *grade)
{
#if OPENSSL_VERSION_NUMBER >= 0x00909000 && !defined(OPENSSL_NO_ECDH)
#if OPENSSL_VERSION_NUMBER >= 0x1000000fL && !defined(OPENSSL_NO_ECDH)
int nid;
EC_KEY *ecdh;
const char *curve;


@ -554,7 +554,7 @@ TLS_SESS_STATE *tls_server_start(const TLS_SERVER_START_PROPS *props)
{
int sts;
TLS_SESS_STATE *TLScontext;
SSL_CIPHER *cipher;
const SSL_CIPHER *cipher;
X509 *peer;
char buf[CCERT_BUFSIZ];
const char *cipher_list;


@ -664,7 +664,7 @@ static DICT *dict_db_open(const char *class, const char *path, int open_flags,
msg_fatal("set DB cache size %d: %m", dict_db_cache_size);
if (type == DB_HASH && db->set_h_nelem(db, DICT_DB_NELM) != 0)
msg_fatal("set DB hash element count %d: %m", DICT_DB_NELM);
#if (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR > 0)
#if DB_VERSION_MAJOR == 5 || (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR > 0)
if ((errno = db->open(db, 0, db_path, 0, type, db_flags, 0644)) != 0)
msg_fatal("open database %s: %m", db_path);
#elif (DB_VERSION_MAJOR == 3 || DB_VERSION_MAJOR == 4)
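Review bot: The new guard pins Berkeley DB 5 with `DB_VERSION_MAJOR == 5`, so the next major release will again fall through to the following `#elif`, which only recognizes majors 3 and 4, and presumably on to whatever fallback 5.x hit before this commit. If the 4.1-and-later `db->open` signature is expected to persist, `#if DB_VERSION_MAJOR > 4 || (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR > 0)` avoids re-editing this line per release; if the exact pin is deliberate, a one-line comment saying so would stop someone from making that change. dict_db_open begins and ends outside the hunk.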


@ -208,7 +208,6 @@
#define DEF_DB_TYPE "hash"
#define ALIAS_DB_MAP "hash:/etc/aliases"
#define GETTIMEOFDAY(t) gettimeofday(t,(struct timezone *) 0)
#define RESOLVE_H_NEEDS_NAMESER8_COMPAT_H
#define ROOT_PATH "/bin:/usr/bin:/sbin:/usr/sbin"
#define USE_STATFS
#define STATFS_IN_SYS_MOUNT_H