postfix-3.5-20190219

2025-08-29 13:18:12 +00:00 · 2019-02-19 00:00:00 -05:00 · 2019-02-19 00:00:00 -05:00 · bc7be0f7d4
commit bc7be0f7d4
parent 8f6c362a83
4 changed files with 33 additions and 30 deletions
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@ -24142,8 +24142,8 @@ Apologies for any names omitted.
 	libtls seems to have to accreted multiple init functions
 	instead of reusing the tls_client_init() and tls_client_start()
 	API. And some functions that do initialization don't even
-	have init in their name! Viktor Dukhovni. Files: tls/tls_misc.c,
-	tlsproxy/tlsproxy.c.
+	have init in their name! Problem report by Andreas Schulze.
+	Viktor Dukhovni. Files: tls/tls_misc.c, tlsproxy/tlsproxy.c.

 	Workaround: Postfix libtls makes DANE-specific changes to
 	the shared SSL_CTX. To avoid false sharing, tlsproxy needs
@ -24155,3 +24155,10 @@ Apologies for any names omitted.
 	avoid false sharing in tlsproxy, the changes are now made
 	to the SSL handle. Viktor Dukhovni. Files: tls/tls.h,
 	tls/tls_client.c, tls/tls_misc.c, tls/tls_server.c.
+
+20190219
+
+	Bugfix: in the Postfix SMTP client, TLS wrappermode was not
+	tested in tlsproxy mode. It needed some setup for buffering
+	and timeouts. Problem report by Andreas Schulze. File:
+	smtp/smtp_proto.c.
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@ -20,7 +20,7 @@
  * Patches change both the patchlevel and the release date. Snapshots have no
  * patchlevel; they change the release date only.
  */
-#define MAIL_RELEASE_DATE	"20190218"
+#define MAIL_RELEASE_DATE	"20190219"
 #define MAIL_VERSION_NUMBER	"3.5"

 #ifdef SNAPSHOT
--- a/postfix/src/smtp/smtp_proto.c
+++ b/postfix/src/smtp/smtp_proto.c
@ -337,6 +337,8 @@ int     smtp_helo(SMTP_STATE *state)
 	&& (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) {
 	/* XXX Mix-up of per-session and per-request flags. */
 	state->misc_flags |= SMTP_MISC_FLAG_IN_STARTTLS;
+	smtp_stream_setup(state->session->stream, var_smtp_starttls_tmout,
+			  var_smtp_rec_deadline);
 	tls_helo_status = smtp_start_tls(state);
 	state->misc_flags &= ~SMTP_MISC_FLAG_IN_STARTTLS;
 	return (tls_helo_status);
--- a/postfix/src/tlsproxy/tlsproxy.c
+++ b/postfix/src/tlsproxy/tlsproxy.c
@ -1140,14 +1140,6 @@ static void tlsp_log_config_diff(const char *server_cfg, const char *client_cfg)
    myfree(saved_server);
 }

- /*
-  * Macro for readability.
-  */
-#define TLSP_CLIENT_INIT(params, props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
-    a10, a11, a12, a13, a14, dane_based) \
-    tlsp_client_init((params), TLS_CLIENT_INIT_ARGS((props), a1, a2, a3, a4, \
-    a5, a6, a7, a8, a9, a10, a11, a12, a13, a14), (dane_based))
-
 /* tlsp_client_init - initialize a TLS client engine */

 static TLS_APPL_STATE *tlsp_client_init(TLS_CLIENT_PARAMS *tls_params,
@ -1173,9 +1165,10 @@ static TLS_APPL_STATE *tlsp_client_init(TLS_CLIENT_PARAMS *tls_params,
     * pre-jail request TLS_CLIENT_PARAMS and TLSPROXY_CLIENT_INIT_PROPS
     * settings, so that we can detect post-jail requests that do not match.
     * 
-     * Workaround: salt the hash-table key with DANE on/off info. This is needed
-     * because Postfix DANE support modifies SSL_CTX to override certificate
-     * verification. This should no longer be needed as of OpenSSL 1.0.2.
+     * Workaround: salt the hash-table key with DANE on/off info. This avoids
+     * cross-talk between DANE and non-DANE sessions. Postfix DANE support
+     * modifies SSL_CTX to override certificate verification because there is
+     * no other way to do this before OpenSSL 1.1.0.
     */
    param_buf = vstring_alloc(100);
    param_key = tls_proxy_client_param_with_names_to_string(
@ -1675,9 +1668,8 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
 	 * Large parameter lists are error-prone, so we emulate a language
 	 * feature that C does not have natively: named parameter lists.
 	 */
-	for (dane_based_mode = 0; dane_based_mode < 2; dane_based_mode++) {
-	    if (TLSP_CLIENT_INIT(tls_proxy_client_param_from_config(&tls_params),
-				 &init_props,
+	(void) tls_proxy_client_param_from_config(&tls_params);
+	(void) TLS_CLIENT_INIT_ARGS(&init_props,
 				    log_param = var_tlsp_clnt_logparam,
 				    log_level = var_tlsp_clnt_loglevel,
 				    verifydepth = var_tlsp_clnt_scert_vd,
@ -1691,7 +1683,9 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
 				    eckey_file = var_tlsp_clnt_eckey_file,
 				    CAfile = var_tlsp_clnt_CAfile,
 				    CApath = var_tlsp_clnt_CApath,
-				 mdalg = var_tlsp_clnt_fpt_dgst,
+				    mdalg = var_tlsp_clnt_fpt_dgst);
+	for (dane_based_mode = 0; dane_based_mode < 2; dane_based_mode++) {
+	    if (tlsp_client_init(&tls_params, &init_props,
 				 dane_based_mode) == 0)
 		msg_warn("TLS client initialization failed");
 	}