mir/postfix
2
0
Fork 0
mirror of https://github.com/vdukhovni/postfix synced 2025-08-29 13:18:12 +00:00
Code Issues Releases Wiki Activity

postfix-2.3-RC9

Browse Source
This commit is contained in:
Wietse Venema 2006-07-09 00:00:00 -05:00 committed by Viktor Dukhovni
parent cc94e64f58
commit bea0e7b32c
27 changed files with 1115 additions and 743 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
postfix/HISTORY
View File

@ -12479,6 +12479,20 @@ Apologies for any names omitted.
plaintext after an opportunistic TLS handshake fails. Specify
"smtp_sasl_auth_enforce = no" to deliver mail anyway.
20060709
Cleanup: the new single smtpd_tls_security_level parameter
obsoletes the multiple smtpd_use_tls and smtpd_enforce_tls
parameters. This is done for consistency with the Postfix
SMTP client. In the Postfix SMTP server, the levels "verify"
and "secure" are currently not applicable, and are treated
as "encrypt", after logging a warning. Files: smtpd/smtpd.c,
tls/tls_level.c, smtp/smtp_session.c.
Compatibility: don't send the first body line to Milter
applications. This also broke domain key etc. signatures
when verified by non-Postfix MTAs. File: milter/milter8.c.
Wish list:
The usage of TLScontext->cache_type is unclear. It specifies

2
postfix/README_FILES/INSTALL
View File

@ -95,7 +95,7 @@ At some point in time, a version of Postfix was supported on:
OSF1.V3 - OSF1.V5 (Digital UNIX)
Reliant UNIX 5.x
Rhapsody 5.x
SunOS 4.1.4 (December 2005)
SunOS 4.1.4 (July 2006)
SunOS 5.4 - 5.9 (Solaris 2.4..9)
Ultrix 4.x (well, that was long ago)

122
postfix/README_FILES/TLS_README
View File

@ -146,9 +146,8 @@ clients will not, as a rule, fall back to plain text after a TLS handshake
failure, the server will be unable to receive email from most TLS enabled
clients. To avoid accidental configurations with no certificates, Postfix 2.3
enables certificate-less operation only when the administrator explicitly sets
"smtpd_tls_cert_file = none". This ensures that new Postfix configurations with
just "smtpd_use_tls = yes" added, will not accidentally run with no
certificates.
"smtpd_tls_cert_file = none". This ensures that new Postfix configurations will
not accidentally run with no certificates.
Both RSA and DSA certificates are supported. Typically you will only have RSA
certificates issued by a commercial CA. In addition, the tools supplied with
@ -282,11 +281,16 @@ Example:
EEnnaabblliinngg TTLLSS iinn tthhee PPoossttffiixx SSMMTTPP sseerrvveerr
By default, TLS is disabled in the Postfix SMTP server, so no difference to
plain Postfix is visible. Explicitly switch it on using "smtpd_use_tls = yes".
plain Postfix is visible. Explicitly switch it on with
"smtpd_tls_security_level = may" (Postfix 2.3 and later) or
"smtpd_use_tls = yes" (obsolete but still supported).
Example:
/etc/postfix/main.cf:
# Postfix 2.3 and later
smtpd_tls_security_level = may
# Obsolete, but still supported
smtpd_use_tls = yes
With this, Postfix SMTP server announces STARTTLS support to SMTP clients, but
@ -298,13 +302,17 @@ is intended behavior.
You can ENFORCE the use of TLS, so that the Postfix SMTP server announces
STARTTLS and accepts no mail without TLS encryption, by setting
"smtpd_enforce_tls = yes". According to RFC 2487 this MUST NOT be applied in
case of a publicly-referenced Postfix SMTP server. This option is off by
default and should only seldom be used.
"smtpd_tls_security_level = encrypt" (Postfix 2.3 and later) or
"smtpd_enforce_tls = yes" (obsolete but still supported). According to RFC 2487
this MUST NOT be applied in case of a publicly-referenced Postfix SMTP server.
This option is off by default and should only seldom be used.
Example:
/etc/postfix/main.cf:
# Postfix 2.3 and later
smtpd_tls_security_level = encrypt
# Obsolete, but still supported
smtpd_enforce_tls = yes
TLS is sometimes used in the non-standard "wrapper" mode where a server always
@ -343,8 +351,11 @@ server is configured to ask for client certificates.
Example:
/etc/postfix/main.cf:
smtpd_use_tls = yes
smtpd_tls_ask_ccert = yes
# Postfix 2.3 and later
smtpd_tls_security_level = may
# Obsolete, but still supported
smtpd_use_tls = yes
When TLS is enforced you may also decide to REQUIRE a remote SMTP client
certificate for all TLS connections, by setting "smtpd_tls_req_ccert = yes".
@ -354,8 +365,11 @@ This feature implies "smtpd_tls_ask_ccert = yes". When TLS is not enforced,
Example:
/etc/postfix/main.cf:
smtpd_enforce_tls = yes
smtpd_tls_req_ccert = yes
# Postfix 2.3 and later
smtpd_tls_security_level = encrypt
# Obsolete, but still supported
smtpd_enforce_tls = yes
A client certificate verification depth of 1 is sufficient if the certificate
is directly issued by a CA listed in the CA file. The default value (5) should
@ -370,12 +384,14 @@ Example:
SSuuppppoorrttiinngg AAUUTTHH oovveerr TTLLSS oonnllyy
Sending AUTH data over an unencrypted channel poses a security risk. When TLS
layer encryption is required (smtpd_enforce_tls = yes), the Postfix SMTP server
will announce and accept AUTH only after the TLS layer has been activated with
STARTTLS. When TLS layer encryption is optional (smtpd_enforce_tls = no), it
may however still be useful to only offer AUTH when TLS is active. To maintain
compatibility with non-TLS clients, the default is to accept AUTH without
encryption. In order to change this behavior, set "smtpd_tls_auth_only = yes".
layer encryption is required ("smtpd_tls_security_level = encrypt" or the
obsolete "smtpd_enforce_tls = yes"), the Postfix SMTP server will announce and
accept AUTH only after the TLS layer has been activated with STARTTLS. When TLS
layer encryption is optional ("smtpd_tls_security_level = may" or the obsolete
"smtpd_enforce_tls = no"), it may however still be useful to only offer AUTH
when TLS is active. To maintain compatibility with non-TLS clients, the default
is to accept AUTH without encryption. In order to change this behavior, set
"smtpd_tls_auth_only = yes".
Example:
@ -489,12 +505,14 @@ specifying an smtpd_tls_dcert_file.
Example: (MSA that requires TLS with reasonably secure ciphers)
/etc/postfix/main.cf:
smtpd_use_tls = yes
smtpd_enforce_tls = yes
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/key.pem
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = aNULL, MD5
# Postfix 2.3 and later
smtpd_tls_security_level = encrypt
# Obsolete, but still supported
smtpd_enforce_tls = yes
If you want to take advantage of ciphers with EDH, DH parameters are needed.
Instead of using the built-in DH parameters for both 1024bit and 512bit, it is
@ -993,13 +1011,13 @@ the new policy table instead.
MMaannddaattoorryy sseerrvveerr cceerrttiiffiiccaattee vveerriiffiiccaattiioonn
At the "verify" TLS security level, messages are sent only over TLS encrypted
sessions for which server certificate verification succeeds. If no suitable
servers are found, the message will be deferred. With Postfix 2.3 and later,
mandatory server certificate verification can be configured by setting
"smtp_tls_security_level = verify", the smtp_tls_verify_cert_match parameter
can override the default "hostname" certificate match strategy. Fine-tuning the
matching strategy is generally only appropriate for secure-channel
destinations.
sessions if the server certificate is valid (not expired or revoked, and signed
by a trusted certificate authority) and if the server certificate name matches
a known pattern. Mandatory server certificate verification can be configured by
setting "smtp_tls_security_level = verify". The smtp_tls_verify_cert_match
parameter can override the default "hostname" certificate name matching
strategy. Fine-tuning the matching strategy is generally only appropriate for
secure-channel destinations.
With Postfix 2.2 and earlier, or when smtp_tls_security_level is set to its
default (backwards compatible) empty value, the appropriate configuration
@ -1229,27 +1247,39 @@ nnoonnee
mmaayy
Opportunistic TLS. No additional attributes are supported at this level.
eennccrryypptt
Mandatory TLS encryption. At this level and higher the optional "ciphers"
attribute overrides the main.cf smtp_tls_mandatory_ciphers parameter and
the optional "protocols" keyword overrides the main.cf
smtp_tls_mandatory_protocols parameter. In the policy table, multiple
protocols must be separated by colons, as attribute values may not contain
whitespace or commas.
Mandatory TLS encryption. Mail is delivered only if remote SMTP server
offers STARTTLS and the TLS handshake succeeds. At this level and higher
the optional "ciphers" attribute overrides the main.cf
smtp_tls_mandatory_ciphers parameter and the optional "protocols" keyword
overrides the main.cf smtp_tls_mandatory_protocols parameter.
vveerriiffyy
Mandatory server certificate verification. The optional "match" attribute
overrides the main.cf smtp_tls_verify_cert_match parameter. In the policy
table, multiple match patterns and strategies must be separated by colons.
Mandatory server certificate verification. Mail is delivered only if the
TLS handshake succeeds, if the server certificate can be validated (not
expired or revoked, and signed by a trusted certificate authority), and if
the server certificate name matches the optional "match" attribute (or the
main.cf smtp_tls_verify_cert_match parameter value when no optional "match"
attribute is specified).
sseeccuurree
Secure-channel TLS. The optional "match" attribute overrides the main.cf
smtp_tls_secure_cert_match parameter. In the policy table, multiple match
patterns and strategies must be separated by colons. The match attribute is
useful when additional domains are supported by common server, the policy
entries for the additional domains specify matching rules for the primary
domain certificate. While transport table overrides routing secondary
domains to the primary nexthop also allow secure verification, they risk
delivery to the wrong destination when domains change hands or are re-
assigned to new gateways. With the "match" attribute approach, routing is
not perturbed, and mail is deferred if verification of a new MX host fails.
Secure-channel TLS. Mail is delivered only if the TLS handshake succeeds,
if the server certificate can be validated (not expired or revoked, and
signed by a trusted certificate authority), and if the server certificate
name matches the optional "match" attribute (or the main.cf
smtp_tls_secure_cert_match parameter value when no optional "match"
attribute is specified).
Notes:
* The "match" attribute is especially useful to verify TLS certificates for
domains that are hosted on a shared server. In that case, specify "match"
rules for the shared server's name. While secure verification can also be
achieved with manual routing overrides in Postfix transport(5) tables, that
approach can deliver mail to the wrong host when domains are assigned to
new gateway hosts. The "match" attribute approach avoids the problems of
manual routing overrides; mail is deferred if verification of a new MX host
fails.
* When a policy table entry specifies multiple match patterns, multiple match
strategies, or multiple protocols, these must be separated by colons.
Example:
/etc/postfix/main.cf:
@ -1662,6 +1692,7 @@ indicates a super-user shell.
certificate and key incorrectly, you will be unable to send mail to sites
that request client certificate, but don't require them from all clients.
/etc/postfix/main.cf:
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_session_cache_database =
btree:/var/spool/postfix/smtp_tls_session_cache
@ -1672,8 +1703,11 @@ indicates a super-user shell.
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database =
btree:/var/spool/postfix/smtpd_tls_session_cache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
# Postfix 2.3 and later
smtpd_tls_security_level = may
# Obsolete, but still supported
smtpd_use_tls = yes
RReeppoorrttiinngg pprroobblleemmss

237
postfix/RELEASE_NOTES
View File

@ -18,12 +18,13 @@ See RELEASE_NOTES_2.2 if you upgrade from Postfix 2.1 or earlier.
Some Postfix internal protocols have changed. You need to "postfix
reload" or restart Postfix, otherwise many servers will log warning
messages with "unexpected attribute" or "problem talking to service
rewrite: Unknown error: 0", and mail will not be delivered.
messages like "unexpected attribute xxx" or "problem talking to
service yyy", and mail will not be delivered.
The Sendmail-compatible Milter support introduces three new queue
file record types. As long as you leave this feature turned off,
you can still go back to Postfix version 2.2 without losing mail.
you can still go back to Postfix version 2.2 without losing mail
that was received by Postfix 2.3.
Major changes - DNS lookups
---------------------------
@ -38,26 +39,27 @@ Major changes - DSN
[Feature 20050615] DSN support as described in RFC 3461 .. RFC 3464.
This gives senders control over successful and failed delivery
notifications. DSN involves extra parameters to the SMTP MAIL FROM
and RCPT TO commands, as well as extra Postfix sendmail command
line options for mail submission.
notifications. DSN involves extra parameters to the SMTP "MAIL
FROM" and "RCPT TO" commands, as well as extra Postfix sendmail
command line options for mail submission.
See DSN_README for details. Some implementation notes are in
implementation-notes/DSN.
See DSN_README for details. Some implementation notes can be found
in implementation-notes/DSN.
[Incompat 20050615] The new DSN support conflicts with VERP support.
For Sendmail compatibility, Postfix now uses the sendmail -V command
line option for DSN. In order to request VERP style delivery, you
must now specify -XV instead of -V. The Postfix sendmail command
will recognize if you try to use -V for VERP-style delivery. It
will do the right thing and will remind you of the new syntax.
line option for DSN. To request VERP style delivery, you must now
specify -XV instead of -V. The Postfix sendmail command will
recognize if you try to use -V for VERP-style delivery. It will
usually do the right thing, and remind you of the new syntax.
[Incompat 20050828] When the cleanup server rejects the content or
size of mail that was submitted with the Postfix sendmail command,
that was forwarded with the local(8) delivery agent, or that was
re-queued with "postsuper -r", Postfix no longer sends DSN SUCCESS
notification after virtual alias expansions. Since all the recipients
are reported as failed, the SUCCESS notification seems redundant.
[Incompat 20050828] Postfix no longer sends DSN SUCCESS notification
after virtual alias expansions when the cleanup server rejects the
content or size of mail that was submitted with the Postfix sendmail
command, mail that was forwarded with the local(8) delivery agent,
or mail that was re-queued with "postsuper -r". Since all the
recipients are reported as failed, the SUCCESS notification seems
redundant.
Major changes - LMTP client
---------------------------
@ -68,7 +70,8 @@ to SASL authentication and TLS support, respectively.
[Feature 20051208] The SMTP client now implements the LMTP protocol.
Most but not all smtp_xxx parameters now have an lmtp_xxx equivalent.
This means there are lot of new LMTP features, including support
for TLS and for the shared connection cache.
for TLS and for the shared connection cache. See the "SMTP client"
section for details.
[Incompat 20051208] The LMTP client now reports the server as
"myhostname[/path/name]". With the real server hostname in delivery
@ -88,9 +91,10 @@ queue ID.
See the MILTER_README document for a discussion of how to use Milter
support with Postfix, and limitations of the current implementation.
[Incompat 20060515] Milter support introduces three new queue file
record types. As long as you leave this feature turned off, you can
still go back to Postfix version 2.2 without losing mail.
The Sendmail-compatible Milter support introduces three new queue
file record types. As long as you leave this feature turned off,
you can still go back to Postfix version 2.2 without losing mail
that was received by Postfix 2.3.
[Incompat 20060515] Milter support introduces new logfile event
types: milter-reject, milter-discard and milter-hold, that identify
@ -100,13 +104,6 @@ software.
Major changes - SASL authentication
-----------------------------------
[Incompat 20060707] The SMTP/LMTP client now defers delivery when
a SASL password exists but the server does not offer SASL authentication.
Otherwise, the server could reject the mail. This may become an
issue now that Postfix retries delivery in plaintext after an
opportunistic TLS handshake fails. Specify "smtp_sasl_auth_enforce
= no" to deliver mail anyway.
[Feature 20051220] Plug-in support for SASL authentication in the
SMTP server and in the SMTP/LMTP client. With this, Postfix can
support multiple SASL implementations without source code patches.
@ -164,6 +161,14 @@ ISP accounts.
smtp_sender_dependent_authentication = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_pass
[Incompat 20060707] The SMTP/LMTP client now defers delivery when
a SASL password exists but the server does not announce support for
SASL authentication. This can happen with servers that announce
SASL support only when TLS is turned on. When an opportunistic TLS
handshake fails, Postfix >= 2.3 retries delivery in plaintext, and
the remote server rejects mail from the unauthenticated client.
Specify "smtp_sasl_auth_enforce = no" to deliver mail anyway.
Major changes - SMTP client
---------------------------
@ -192,30 +197,6 @@ smtp_fallback_relay, to make clear that the combined SMTP/LMTP
client uses this setting only for SMTP deliveries. The old name
still works.
[Feature 20051125] This snapshot adds support for sender-dependent
ISP accounts.
- Sender-dependent smarthost lookup tables. The maps are searched
with the sender address and with the sender @domain. The result
overrides the global relayhost setting, but otherwise has identical
behavior. See the postconf(5) manual page for more details.
Example:
/etc/postfix/main.cf:
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
- Sender-dependent SASL authentication support. This disables SMTP
connection caching to ensure that mail from different senders
will use the correct authentication credentials. The SMTP SASL
password file is first searched by sender address, and then by
the remote domain and hostname as usual.
Example:
/etc/postfix/main.cf:
smtp_sasl_auth_enable = yes
smtp_sender_dependent_authentication = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_pass
[Incompat 20051106] The relay=... logging has changed and now
includes the remote SMTP server port number as hostname[hostaddr]:port.
@ -282,9 +263,9 @@ Major changes - SMTP server
See the "SASL authentication" and "TLS" sections for changes related
to SASL authentication and TLS support, respectively.
[Feature 20051222] You can now use "resolve_numeric_domain = yes"
to stop Postfix from rejecting user@ipaddress as an invalid
destination. It will deliver the mail to user@[ipaddress] instead.
[Feature 20051222] To accept the non-compliant user@ipaddress form,
specify "resolve_numeric_domain = yes". Postfix will deliver the
mail to user@[ipaddress] instead.
[Incompat 20051202] The Postfix SMTP server now refuses to receive
mail from the network if it isn't running with postfix mail_owner
@ -294,16 +275,9 @@ privileges. This prevents surprises when, for example, "sendmail
[Incompat 20051121] Although the permit_mx_backup feature still
accepts mail for authorized destinations (see permit_mx_backup for
definition), with all other destinations it now requires that the
local MTA is listed as non-primary MX. This prevents mail loop
problems when someone points the primary MX record at a Postfix
system.
[Feature 20051011] Optional protection against SMTP clients that
hammer the server with too many new (i.e. uncached) SMTP-over-TLS
sessions. Cached sessions are much less expensive in terms of CPU
cycles. Use the smtpd_client_new_tls_session_rate_limit parameter
to specify a limit that is at least the inbound client concurrency
limit, or else you may deny legitimate service requests.
local MTA is listed as non-primary MX server. This prevents mail
loop problems when someone points their primary MX record at a
Postfix system.
[Feature 20051011] Optional suppression of remote SMTP client
hostname lookup and hostname verification. Specify "smtpd_peername_lookup
@ -327,73 +301,75 @@ The old names are still recognized and documented.
Major changes - TLS
-------------------
[Feature 20060123] Postfix 2.3 provides a new per-site TLS policy
mechanism that is more flexible and that eliminates DNS spoofing
attacks more effectively. The legacy smtp_tls_per_site feature will
be kept intact for a few releases so that sites can upgrade Postfix
without being forced to use a different TLS policy mechanism.
Major revisions were made to Postfix TLS support; see TLS_README
for the details. For backwards compatibility, the old TLS policy
user interface will be kept intact for a few releases so that sites
can upgrade Postfix without being forced to use a different TLS
policy mechanism.
[Feature 20060614] New smtp_tls_security_level parameter obsoletes
the smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername
parameters. The old parameters are still supported but will be
removed in a future Postfix release.
[Feature 20060614] New concept: TLS security levels ("none", "may",
"encrypt", "verify" or "secure") in the Postfix SMTP client. You
can specify the TLS security level via the smtp_tls_security_level
parameter. This is more convenient than controlling TLS with the
multiple smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername,
parameters.
[Feature 20060614] New smtpd_tls_protocols parameter complements
the smtp_tls_mandatory_protocols parameter. This recommended for
MSA configurations, not for MX for hosts that face the Internet.
[Feature 20060709] TLS security levels ("none", "may", "encrypt")
in the Postfix SMTP server. You specify the security level with the
smtpd_tls_security_level parameter. This overrides the multiple
smtpd_use_tls and smtpd_enforce_tls parameters. When a value of
"verify" or "secure" is specified, the Postfix SMTP server logs a
warning and uses "encrypt" instead.
[Feature 20060626] Both the SMTP client and server can be configured
without a client or server certificate. An SMTP server without
certificate can use only anonymous ciphers, and will not inter-operate
with most clients.
[Feature 20060123] A new per-site TLS policy mechanism for the
Postfix SMTP client that supports the new TLS security levels,
and that eliminates DNS spoofing attacks more effectively.
The SMTP server supports anonymous ciphers when client certificates
are not requested or required, and the administrator has not excluded
the "aNULL" OpenSSL cipher type with smtpd_tls_exclude_ciphers.
[Feature 20060626] Both the Postfix SMTP client and server can be
configured without a client or server certificate. An SMTP server
without certificate can use only anonymous ciphers, and will not
inter-operate with most clients.
The SMTP client supports anonymous ciphers when no server certificate
is required (notably Postfix 2.3 in "opportunistic" mode) and the
administrator has not excluded the "aNULL" OpenSSL cipher type with
smtp_tls_exclude_ciphers.
The Postfix SMTP server supports anonymous ciphers when 1) no client
certificates are requested or required, and 2) the administrator
has not excluded the "aNULL" OpenSSL cipher type with the
smtpd_tls_exclude_ciphers parameter.
[Feature 20060626] You can specify cipher grades (instead of cipher
names) with the smtp_tls_mandatory_ciphers, lmtp_tls_mandatory_ciphers
and smtpd_tls_ciphers parameters. Specify one of "high", "medium",
"low", "export" or "null". See TLS_README for details.
The Postfix SMTP client supports anonymous ciphers when 1) no server
certificate is required and 2) the administrator has not excluded
the "aNULL" OpenSSL cipher type with the smtp_tls_exclude_ciphers
parameter.
[Incompat 20060707] The SMTPD policy client now encodes the
ccert_subject and ccert_issuer attributes as xtext. Some characters
are represented by +XX, where XX is the two-digit hexadecimal
representation of the character value.
[Incompat 20060614] The smtp_sasl_tls_verified_security_options
feature is not yet complete, and will therefore not appear in the
stable Postfix 2.3 release.
[Incompat 20060614] New smtp_tls_mandatory_protocols feature used
for mandatory TLS destinations. The default value is "SSLv3, TLSv1".
SSLv2 is by default no longer used with mandatory TLS.
[Feature 20060614] The smtpd_tls_protocols parameter restricts the
list of TLS protocols supported by the SMTP server. This is
recommended for use with MSA configurations only. It should not
be used with MX hosts that receive mail from the Internet, as it
reduces inter-operability.
[Incompat 20060614] The smtp_tls_cipherlist parameter only applies
when TLS is mandatory. It is ignored with opportunistic TLS sessions.
[Incompat 20060614] At (lmtp|smtp|smtpd)_tls_loglevel >= 2, Postfix
now also logs TLS session cache activity. Use level 2 and higher
for debugging only, use levels 0 or 1 as production settings.
for debugging only; use levels 0 or 1 as production settings.
[Incompat 20060207] The Postfix SMTP server no longer complains
when TLS support is not compiled in while permit_tls_clientcerts,
permit_tls_all_clientcerts, or check_ccert_access are specified in
main.cf. These features now are effectively ignored. However, the
reject_plaintext_session feature is not ignored and will reject
mail.
plain-text mail.
[Feature 20060123] Some obscure behavior was eliminated from the
smtp_tls_per_site feature, without changes to the user interface.
Some Postfix internals had to be re-structured in preparation for
a more general TLS policy mechanism; this required that smtp_tls_per_site
be re-implemented from scratch. The obscure behavior was found
during compatibility testing.
Some Postfix internals had to be re-structured for the new TLS
policy mechanism; for this, smtp_tls_per_site had to be re-implemented.
The obscure behavior was found during compatibility testing.
[Feature 20051011] Optional protection against SMTP clients that
hammer the server with too many new (i.e. uncached) SMTP-over-TLS
@ -420,14 +396,14 @@ changed. The SMTP server now resets state to the initial server
greeting stage, immediately before the EHLO/HELO greeting. This
was needed to correctly simulate the effect of connection-level
access restrictions. Without this change, XCLIENT would not work
with Milter applications.
at all with Milter applications.
[Incompat 20060611] The SMTP server XCLIENT and XFORWARD commands
now expect that attributes are xtext encoded (RFC 1891). For backwards
compatibility they will also accept unencoded attribute values. The
XFORWARD client code in the SMTP client and in the SMTPD_PROXY
client will always encode attribute values. This change will have
effect only for malformed hostname and helo parameter values.
client now always encode attribute values. This change will have a
visible effect only for malformed hostname and helo parameter values.
For more details, see the XCLIENT_README and XFORWARD_README
documents.
@ -461,9 +437,8 @@ Major changes - bounce message templates
that was developed by Nicolas Riendeau. The file with templates is
specified with the bounce_template_file parameter. Details are in
the bounce(5) manual page, and examples of the built-in templates
can be found in a file bounce.cf.default in the Postfix configuration
directory. The template for the default bounce message looks like
this:
can be found in $config_directory/bounce.cf.default. The template
for the default bounce message looks like this:
failure_template = <<EOF
Charset: us-ascii
@ -493,11 +468,12 @@ message_strip_characters parameters understand the usual C-like
escape sequences: \a \b \f \n \r \t \v \ddd (up to three octal
digits) and \\.
[Incompat 20050828] When a header/body_checks or message_reject_characters
rule rejects mail that was submitted with the Postfix sendmail
command (or re-queued with "postsuper -r"), the returned message
is now limited to just the message headers, to avoid the risk of
exposure to harmful content in the message body or attachments.
[Incompat 20050828] When a header/body_checks rule or when
message_reject_characters rejects mail that was submitted with the
Postfix sendmail command (or re-queued with "postsuper -r"), the
returned message is now limited to just the message headers, to
avoid the risk of exposure to harmful content in the message body
or attachments.
Major changes - database support
--------------------------------
@ -640,9 +616,18 @@ maillog has changed so that they are easier to sort:
agents now log the RFC 3463 enhanced status code as "dsn=x.y.z"
where y and z can be up to three digits each.
[Incompat 20051208] The LMTP client now reports the server as
"myhostname[/path/name]". With the real server hostname in delivery
status reports, the information will be more useful.
Major changes - performance
---------------------------
[Incompat 20051105] All delay logging now has sub-second resolution,
including the over-all "delay=nnn" logging. A patch is available
for pflogsumm (pflogsumm-conn-delays-dsn-patch). The qshape script
has been updated (auxiliary/qshape/qshape.pl).
[Incompat 20050622] The Postfix SMTP client by default limits the
number of MX server addresses to smtp_mx_address_limit=5. Previously
this limit was disabled by default. The new limit prevents Postfix
@ -726,10 +711,9 @@ when the patch passes the wrong integer argument type in contexts
that disable automatic argument type conversions. Examples of such
contexts are formatting with printf-like arguments, and invoking
functions that write Postfix request or reply attributes across
inter-process communication channels. Unfortunately, gcc does not
report "(unsigned) int" versus "(s)size_t" format string argument
mis-matches on 32-bit systems; it reports them only on 64-bit
systems.
inter-process communication channels. Unfortunately, gcc reports
"(unsigned) int" versus "(s)size_t" format string argument mis-matches
only on LP64 systems.
Major changes - safety
----------------------
@ -754,11 +738,12 @@ multiple times in a hierarchy of nested aliases. For this to work,
only the top-level alias should have an owner- alias, and none of
the subordinate aliases.
[Incompat 20050828] When a header/body_checks or message_reject_characters
rule rejects mail that was submitted with the Postfix sendmail
command (or re-queued with "postsuper -r"), the returned message
is now limited to just the message headers, to avoid the risk of
exposure to harmful content in the message body or attachments.
[Incompat 20050828] When a header/body_checks rule or when
message_reject_characters rejects mail that was submitted with the
Postfix sendmail command (or re-queued with "postsuper -r"), the
returned message is now limited to just the message headers, to
avoid the risk of exposure to harmful content in the message body
or attachments.
[Incompat 20051202] The Postfix SMTP server now refuses to receive
mail from the network if it isn't running with postfix mail_owner

46
postfix/html/INSTALL.html
View File

@ -156,7 +156,7 @@ OPENSTEP 4.x <br>
OSF1.V3 - OSF1.V5 (Digital UNIX) <br>
Reliant UNIX 5.x <br>
Rhapsody 5.x <br>
SunOS 4.1.4 (December 2005) <br>
SunOS 4.1.4 (July 2006) <br>
SunOS 5.4 - 5.9 (Solaris 2.4..9) <br>
Ultrix 4.x (well, that was long ago) <br>
</p>
@ -478,13 +478,13 @@ one of the following commands as the super-user:</p>
<ul>
<li> <p> The non-interactive version ("make upgrade") needs the
/etc/postfix/main.cf file from a previous installation. If the file
/etc/postfix/<a href="postconf.5.html">main.cf</a> file from a previous installation. If the file
does not exist, use interactive installation ("make install")
instead. </p>
<li> <p> The interactive version offers suggestions for pathnames
that you can override interactively, and stores your preferences
in /etc/postfix/main.cf for convenient future upgrades. </p>
in /etc/postfix/<a href="postconf.5.html">main.cf</a> for convenient future upgrades. </p>
</ul>
@ -520,13 +520,13 @@ configuration file edits</a>" in section 10, and review the "<a
href="#hamlet">To chroot or not to chroot</a>" text in section
11. </p>
<p> You MUST comment out the "smtp inet" entry in /etc/postfix/master.cf,
<p> You MUST comment out the "smtp inet" entry in /etc/postfix/<a href="master.5.html">master.cf</a>,
in order to avoid conflicts with the real sendmail. Put a "#"
character in front of the line that defines the smtpd service: </p>
<blockquote>
<pre>
/etc/postfix/master.cf:
/etc/postfix/<a href="master.5.html">master.cf</a>:
#smtp inet n - n - - smtpd
</pre>
</blockquote>
@ -585,11 +585,11 @@ receive mail while leaving your Sendmail setup intact, by running
Postfix on a virtual interface address. Simply configure your mail
user agent to directly invoke the Postfix sendmail program. </p>
<p> In the /etc/postfix/main.cf file, I would specify </p>
<p> In the /etc/postfix/<a href="postconf.5.html">main.cf</a> file, I would specify </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#myhostname">myhostname</a> = virtual.host.tld
<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> = $<a href="postconf.5.html#myhostname">myhostname</a>
<a href="postconf.5.html#mydestination">mydestination</a> = $<a href="postconf.5.html#myhostname">myhostname</a>
@ -722,12 +722,12 @@ presented below is targeted at experienced system administrators.
<h3>10.1 - Postfix configuration files</h3>
<p> By default, Postfix configuration files are in /etc/postfix.
The two most important files are main.cf and master.cf; these files
The two most important files are <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a>; these files
must be owned by root. Giving someone else write permission to
main.cf or master.cf (or to their parent directories) means giving
<a href="postconf.5.html">main.cf</a> or <a href="master.5.html">master.cf</a> (or to their parent directories) means giving
root privileges to that person. </p>
<p> In /etc/postfix/main.cf, you will have to set up a minimal number
<p> In /etc/postfix/<a href="postconf.5.html">main.cf</a>, you will have to set up a minimal number
of configuration parameters. Postfix configuration parameters
resemble shell variables, with two important differences: the first
one is that Postfix does not know about quotes like the UNIX shell
@ -737,7 +737,7 @@ does.</p>
<blockquote>
<pre>
/etc/postfix/main.cf:
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
parameter = value
</pre>
</blockquote>
@ -746,7 +746,7 @@ does.</p>
<blockquote>
<pre>
/etc/postfix/main.cf:
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
other_parameter = $parameter
</pre>
</blockquote>
@ -756,7 +756,7 @@ second main difference with UNIX shell variables). The Postfix
configuration language uses lazy evaluation, and does not look at
a parameter value until it is needed at runtime. </p>
<p> Whenever you make a change to the main.cf or master.cf file,
<p> Whenever you make a change to the <a href="postconf.5.html">main.cf</a> or <a href="master.5.html">master.cf</a> file,
execute the following command in order to refresh a running mail
system: </p>
@ -777,7 +777,7 @@ probably OK only for very small sites. </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#myorigin">myorigin</a> = $<a href="postconf.5.html#myhostname">myhostname</a> (send mail as "user@$<a href="postconf.5.html#myhostname">myhostname</a>")
<a href="postconf.5.html#myorigin">myorigin</a> = $<a href="postconf.5.html#mydomain">mydomain</a> (send mail as "user@$<a href="postconf.5.html#mydomain">mydomain</a>")
</pre>
@ -792,7 +792,7 @@ locally. </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#mydestination">mydestination</a> = $<a href="postconf.5.html#myhostname">myhostname</a>, localhost.$<a href="postconf.5.html#mydomain">mydomain</a>, localhost
<a href="postconf.5.html#mydestination">mydestination</a> = $<a href="postconf.5.html#myhostname">myhostname</a>, localhost.$<a href="postconf.5.html#mydomain">mydomain</a>, localhost, $<a href="postconf.5.html#mydomain">mydomain</a>
<a href="postconf.5.html#mydestination">mydestination</a> = $<a href="postconf.5.html#myhostname">myhostname</a>
@ -819,7 +819,7 @@ mail delivery loops will happen when the primary MX host is down.
<blockquote>
<pre>
/etc/postfix/main.cf:
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> = 1.2.3.4 (the proxy/NAT external network address)
</pre>
</blockquote>
@ -834,7 +834,7 @@ permission to too many clients. My own settings are: </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#mynetworks">mynetworks</a> = 168.100.189.0/28, 127.0.0.0/8
</pre>
</blockquote>
@ -849,7 +849,7 @@ too many destinations. Recommended settings (use only one): </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#relay_domains">relay_domains</a> = (do not forward mail from strangers)
<a href="postconf.5.html#relay_domains">relay_domains</a> = $<a href="postconf.5.html#mydomain">mydomain</a> (my domain and subdomains)
<a href="postconf.5.html#relay_domains">relay_domains</a> = $<a href="postconf.5.html#mydomain">mydomain</a>, other.domain.tld, ...
@ -868,7 +868,7 @@ a hard-coded hostname. </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#relayhost">relayhost</a> = $<a href="postconf.5.html#mydomain">mydomain</a>
<a href="postconf.5.html#relayhost">relayhost</a> = [mail.$<a href="postconf.5.html#mydomain">mydomain</a>]
</pre>
@ -882,7 +882,7 @@ turn off SMTP client DNS lookups like this: </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> = yes
</pre>
</blockquote>
@ -928,7 +928,7 @@ following commands: </p>
<h2><a name="hamlet">11 - To chroot or not to chroot</a></h2>
<p> Postfix daemon processes can be configured (via master.cf) to
<p> Postfix daemon processes can be configured (via <a href="master.5.html">master.cf</a>) to
run in a chroot jail. The processes run at a fixed low privilege
and with access only to the Postfix queue directories (/var/spool/postfix).
This provides a significant barrier against intrusion. The barrier
@ -944,9 +944,9 @@ processes, and perhaps also the <a href="lmtp.8.html">lmtp(8)</a> client. The au
porcupine.org mail server runs all daemons chrooted that can be
chrooted. </p>
<p> The default /etc/postfix/master.cf file specifies that no
<p> The default /etc/postfix/<a href="master.5.html">master.cf</a> file specifies that no
Postfix daemon runs chrooted. In order to enable chroot operation,
edit the file /etc/postfix/master.cf. Instructions are in the file.
edit the file /etc/postfix/<a href="master.5.html">master.cf</a>. Instructions are in the file.
</p>
<p> Note that a chrooted daemon resolves all filenames relative to

160
postfix/html/TLS_README.html
View File

@ -248,8 +248,7 @@ be unable to receive email from most TLS enabled clients. To avoid
accidental configurations with no certificates, Postfix 2.3 enables
certificate-less operation only when the administrator explicitly sets
"<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>&nbsp;=&nbsp;none". This ensures that new Postfix
configurations with just "<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a>&nbsp;=&nbsp;yes" added, will
not accidentally run with no certificates. </p>
configurations will not accidentally run with no certificates. </p>
<p> Both RSA and DSA certificates are supported. Typically you will
only have RSA certificates issued by a commercial CA. In addition,
@ -437,13 +436,18 @@ since the headers may be changed by intermediate servers. </p>
<p> By default, TLS is disabled in the Postfix SMTP server, so no
difference to plain Postfix is visible. Explicitly switch it on
using "<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a>&nbsp;=&nbsp;yes". </p>
with "<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a>&nbsp;=&nbsp;may" (Postfix 2.3 and
later) or "<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a>&nbsp;=&nbsp;yes" (obsolete but still
supported). </p>
<p> Example: </p>
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
# Postfix 2.3 and later
<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = may
# Obsolete, but still supported
<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> = yes
</pre>
</blockquote>
@ -456,18 +460,23 @@ SMTP clients, but does not require that clients use TLS encryption.
is never offered due to insufficient privileges to access the server
private key. This is intended behavior. </p>
<p> <a name="server_enforce">You can ENFORCE the use of TLS</a>, so that
the Postfix SMTP server announces STARTTLS and accepts no mail without
TLS encryption, by setting "<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>&nbsp;=&nbsp;yes". According
to <a href="http://www.faqs.org/rfcs/rfc2487.html">RFC 2487</a> this MUST NOT be applied in case of a publicly-referenced
Postfix SMTP server. This option is off by default and should only
seldom be used. </p>
<p> <a name="server_enforce">You can ENFORCE the use of TLS</a>,
so that the Postfix SMTP server announces STARTTLS and accepts no
mail without TLS encryption, by setting
"<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a>&nbsp;=&nbsp;encrypt" (Postfix 2.3 and
later) or "<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>&nbsp;=&nbsp;yes" (obsolete but still
supported). According to <a href="http://www.faqs.org/rfcs/rfc2487.html">RFC 2487</a> this MUST NOT be applied in case
of a publicly-referenced Postfix SMTP server. This option is off
by default and should only seldom be used. </p>
<p> Example: </p>
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
# Postfix 2.3 and later
<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = encrypt
# Obsolete, but still supported
<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes
</pre>
</blockquote>
@ -517,8 +526,11 @@ when the server is configured to ask for client certificates. </p>
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> = yes
<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a> = yes
# Postfix 2.3 and later
<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = may
# Obsolete, but still supported
<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> = yes
</pre>
</blockquote>
@ -534,8 +546,11 @@ logged. </p>
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes
<a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a> = yes
# Postfix 2.3 and later
<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = encrypt
# Obsolete, but still supported
<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes
</pre>
</blockquote>
@ -556,15 +571,18 @@ CA issues special CA which then issues the actual certificate...)
<h3><a name="server_tls_auth">Supporting AUTH over TLS only</a></h3>
<p> Sending AUTH data over an unencrypted channel poses a security risk.
When TLS layer encryption is required (<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>&nbsp;=&nbsp;yes),
the Postfix SMTP server will announce and accept AUTH only
after the TLS layer has been activated with STARTTLS. When TLS
layer encryption is optional (<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>&nbsp;=&nbsp;no), it may
however still be useful to only offer AUTH when TLS is active. To
maintain compatibility with non-TLS clients, the default is to
accept AUTH without encryption. In order to change this behavior,
set "<a href="postconf.5.html#smtpd_tls_auth_only">smtpd_tls_auth_only</a>&nbsp;=&nbsp;yes". </p>
<p> Sending AUTH data over an unencrypted channel poses a security
risk. When TLS layer encryption is required
("<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a>&nbsp;=&nbsp;encrypt" or the obsolete
"<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>&nbsp;=&nbsp;yes"), the Postfix SMTP server will
announce and accept AUTH only after the TLS layer has been activated
with STARTTLS. When TLS layer encryption is optional
("<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a>&nbsp;=&nbsp;may" or the obsolete
"<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>&nbsp;=&nbsp;no"), it may however still be useful
to only offer AUTH when TLS is active. To maintain compatibility
with non-TLS clients, the default is to accept AUTH without encryption.
In order to change this behavior, set
"<a href="postconf.5.html#smtpd_tls_auth_only">smtpd_tls_auth_only</a>&nbsp;=&nbsp;yes". </p>
<p> Example: </p>
@ -715,12 +733,14 @@ and not specifying an <a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_d
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> = yes
<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes
<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> = /etc/postfix/cert.pem
<a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a> = /etc/postfix/key.pem
<a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a> = medium
<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> = aNULL, MD5
# Postfix 2.3 and later
<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = encrypt
# Obsolete, but still supported
<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes
</pre>
</blockquote>
@ -1257,12 +1277,12 @@ on TLS <a href="#client_tls_limits">limitations</a> above. </p>
<p> At the "encrypt" TLS security level, messages are sent only
over TLS encrypted sessions. The SMTP transaction is aborted unless
the STARTTLS ESMTP feature is supported by the server. If no
suitable servers are found, the message will be deferred. With Postfix
2.3 and later, mandatory TLS encryption can be configured by setting
"<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>&nbsp;=&nbsp;encrypt". Even though TLS encryption
is always used, mail delivery continues if the server certificate is
untrusted or bears the wrong name. </p>
the STARTTLS ESMTP feature is supported by the server. If no suitable
servers are found, the message will be deferred. With Postfix 2.3
and later, mandatory TLS encryption can be configured by setting
"<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>&nbsp;=&nbsp;encrypt". Even though TLS
encryption is always used, mail delivery continues if the server
certificate is untrusted or bears the wrong name. </p>
<p> At this security level and higher, the <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>
and <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> configuration parameters determine
@ -1382,15 +1402,15 @@ use the new <a href="#client_tls_policy">policy table</a> instead. </p>
<h3><a name="client_tls_verify"> Mandatory server certificate verification </a>
</h3>
<p> At the "verify" TLS security level, messages are sent only
over TLS encrypted sessions for which server certificate verification
succeeds. If no suitable servers are found, the message will be
deferred. With Postfix 2.3 and later, mandatory server certificate
verification can be configured by setting
"<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>&nbsp;=&nbsp;verify", the
<p> At the "verify" TLS security level, messages are sent only over
TLS encrypted sessions if the server certificate is valid (not
expired or revoked, and signed by a trusted certificate authority)
and if the server certificate name matches a known pattern. Mandatory
server certificate verification can be configured by setting
"<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>&nbsp;=&nbsp;verify". The
<a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> parameter can override the default
"hostname" certificate match strategy. Fine-tuning the matching
strategy is generally only appropriate for <a
"hostname" certificate name matching strategy. Fine-tuning the
matching strategy is generally only appropriate for <a
href="#client_tls_secure">secure-channel</a> destinations. </p>
<p> With Postfix 2.2 and earlier, or when <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>
@ -1676,33 +1696,51 @@ describe the corresponding table syntax: </p>
<dd>Opportunistic TLS. No additional attributes are supported at this
level. </dd>
<dt><b>encrypt</b></dt> <dd>Mandatory TLS encryption. At this level and
higher the optional "ciphers" attribute overrides the <a href="postconf.5.html">main.cf</a>
<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> parameter and the optional "protocols"
keyword overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> parameter.
In the policy table, multiple protocols must be separated by colons,
as attribute values may not contain whitespace or commas.</dd>
<dt><b>encrypt</b></dt> <dd>Mandatory TLS encryption. Mail is
delivered only if remote SMTP server offers STARTTLS and the TLS
handshake succeeds. At this level and higher the optional "ciphers"
attribute overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> parameter
and the optional "protocols" keyword overrides the <a href="postconf.5.html">main.cf</a>
<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> parameter. </dd>
<dt><b>verify</b></dt>
<dd>Mandatory server certificate verification. The optional "match"
attribute overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> parameter.
In the policy table, multiple match patterns and strategies must
be separated by colons. </dd>
<dt><b>verify</b></dt> <dd>Mandatory server certificate verification.
Mail is delivered only if the TLS handshake succeeds, if the server
certificate can be validated (not expired or revoked, and signed
by a trusted certificate authority), and if the server certificate
name matches the optional "match" attribute (or the <a href="postconf.5.html">main.cf</a>
<a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> parameter value when no optional "match"
attribute is specified). </dd>
<dt><b>secure</b></dt> <dd>Secure-channel TLS. The optional "match"
attribute overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> parameter. In
the policy table, multiple match patterns and strategies must be separated
by colons. The match attribute is useful when additional domains are
supported by common server, the policy entries for the additional domains
specify matching rules for the primary domain certificate. While transport
table overrides routing secondary domains to the primary nexthop also
allow secure verification, they risk delivery to the wrong destination
when domains change hands or are re-assigned to new gateways. With the
"match" attribute approach, routing is not perturbed, and mail is deferred
if verification of a new MX host fails. </dd>
<dt><b>secure</b></dt> <dd>Secure-channel TLS. Mail is delivered
only if the TLS handshake succeeds, if the server certificate can
be validated (not expired or revoked, and signed by a trusted
certificate authority), and if the server certificate name matches
the optional "match" attribute (or the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a>
parameter value when no optional "match" attribute is specified).
</dd>
</dl>
<p> Notes: </p>
<ul>
<li> <p> The "match" attribute is especially useful to verify TLS
certificates for domains that are hosted on a shared server. In
that case, specify "match" rules for the shared server's name.
While secure verification can also be achieved with manual routing
overrides in Postfix <a href="transport.5.html">transport(5)</a> tables, that approach can deliver
mail to the wrong host when domains are assigned to new gateway
hosts. The "match" attribute approach avoids the problems of manual
routing overrides; mail is deferred if verification of a new MX
host fails. </p>
<li> <p> When a policy table entry specifies multiple match patterns,
multiple match strategies, or multiple protocols, these must be
separated by colons. </p>
</ul>
<p>
Example:
</p>
@ -2238,6 +2276,7 @@ but don't require them from all clients. </p>
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> = /etc/postfix/cacert.pem
<a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> =
btree:/var/spool/postfix/smtp_tls_session_cache
@ -2248,8 +2287,11 @@ but don't require them from all clients. </p>
<a href="postconf.5.html#smtpd_tls_received_header">smtpd_tls_received_header</a> = yes
<a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> =
btree:/var/spool/postfix/smtpd_tls_session_cache
<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> = yes
<a href="postconf.5.html#tls_random_source">tls_random_source</a> = dev:/dev/urandom
# Postfix 2.3 and later
<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = may
# Obsolete, but still supported
<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> = yes
</pre>
</blockquote>

97
postfix/html/postconf.5.html
View File

@ -8457,9 +8457,10 @@ example.net secure match=example.com:.example.com
<DT><b><a name="smtp_tls_security_level">smtp_tls_security_level</a>
(default: empty)</b></DT><DD>
<p> The default SMTP TLS security level for all destinations; when
a non-empty value is specified, this overrides the obsolete parameters
<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>, and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>. </p>
<p> The default SMTP TLS security level for the Postfix SMTP client;
when a non-empty value is specified, this overrides the obsolete
parameters <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>, and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>.
</p>
<p> Specify one of the following security levels: </p>
@ -9457,19 +9458,20 @@ applies in the context of the SMTP END-OF-DATA command. </p>
<DT><b><a name="smtpd_enforce_tls">smtpd_enforce_tls</a>
(default: no)</b></DT><DD>
<p> Enforcement mode: announce STARTTLS support to SMTP clients,
<p> Mandatory TLS: announce STARTTLS support to SMTP clients,
and require that clients use TLS encryption. According to <a href="http://www.faqs.org/rfcs/rfc2487.html">RFC 2487</a>
this MUST NOT be applied in case of a publicly-referenced SMTP
server. This option is off by default and should be used only on
dedicated servers. </p>
<p> Note 1: this mode implies "<a href="postconf.5.html#smtpd_tls_auth_only">smtpd_tls_auth_only</a> = yes". </p>
<p> Note 1: "<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes" implies "<a href="postconf.5.html#smtpd_tls_auth_only">smtpd_tls_auth_only</a> = yes". </p>
<p> Note 2: when invoked via "<b>sendmail -bs</b>", Postfix will never offer
STARTTLS due to insufficient privileges to access the server private
key. This is intended behavior. </p>
<p> This feature is available in Postfix 2.2 and later. </p>
<p> This feature is available in Postfix 2.2 and later. With
Postfix 2.3 and later use <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> instead. </p>
</DD>
@ -10805,15 +10807,15 @@ able to authenticate the server, but unless it is running Postfix 2.3 or
similar software, it will still insist on a server certificate. </p>
<p> For servers that are <b>not</b> public Internet MX hosts, Postfix
2.3 supports configurations with no certificates. This entails the use
of just the anonymous TLS ciphers, which are not supported by typical
SMTP clients. Since such clients will not, as a rule, fall back to plain
text after a TLS handshake failure, the server will be unable to receive
email from TLS enabled clients. To avoid accidental configurations with
no certificates, Postfix 2.3 enables certificate-less operation only
when the administrator explicitly sets "<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> = none". This
ensures that new Postfix configurations with just "<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> = yes"
added, will not accidentally run with no certificates. </p>
2.3 supports configurations with no certificates. This entails the
use of just the anonymous TLS ciphers, which are not supported by
typical SMTP clients. Since such clients will not, as a rule, fall
back to plain text after a TLS handshake failure, the server will
be unable to receive email from TLS enabled clients. To avoid
accidental configurations with no certificates, Postfix 2.3 enables
certificate-less operation only when the administrator explicitly
sets "<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> = none". This ensures that new Postfix
configurations will not accidentally run with no certificates. </p>
<p> Both RSA and DSA certificates are supported. When both types
are present, the cipher used determines which certificate will be
@ -11108,17 +11110,15 @@ loglevel 4 is strongly discouraged. </p>
<DT><b><a name="smtpd_tls_protocols">smtpd_tls_protocols</a>
(default: empty)</b></DT><DD>
<p> The list of TLS protocols supported by the server. If empty the
default list of protocols is used (i.e. all TLS protocol versions are
supported). Any non-empty value is interpreted as a list of protocol
names separated by whitespace, commas or colons. The supported protocol
names are "SSLv2", "SSLv3" and "TLSv1", and are not
case-sensitive. </p>
<p> The list of TLS protocols supported by the Postfix SMTP server.
If the list is empty, the server supports all available TLS protocol
versions. A non-empty value is a list of protocol names separated
by whitespace, commas or colons. The supported protocol names are
"SSLv2", "SSLv3" and "TLSv1", and are not case sensitive. </p>
<p> DO NOT set this to a non-default value on an MX-host,
as some clients may not support any of the narrower set of protocols,
and may be unable to fallback to plaintext sessions. If you restrict
the protocol list on an MX host, you may lose mail. </p>
<p> DO NOT set this to a non-default value on an Internet MX host,
as this may cause inter-operability problems. If you restrict the
protocol list on an Internet MX host, you may lose mail. </p>
<p> Example: </p>
@ -11159,6 +11159,48 @@ a warning written to the mail log. </p>
<p> This feature is available in Postfix 2.2 and later. </p>
</DD>
<DT><b><a name="smtpd_tls_security_level">smtpd_tls_security_level</a>
(default: empty)</b></DT><DD>
<p> The SMTP TLS security level for the Postfix SMTP server; when
a non-empty value is specified, this overrides the obsolete parameters
<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> and <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>. This parameter is ignored with
"<a href="postconf.5.html#smtpd_tls_wrappermode">smtpd_tls_wrappermode</a> = yes". </p>
<p> Specify one of the following security levels: </p>
<dl>
<dt><b>none</b></dt> <dd> TLS will not be used. </dd>
<dt><b>may</b></dt> <dd> Opportunistic TLS: announce STARTTLS support
to SMTP clients, but do not require that clients use TLS encryption.
</dd>
<dt><b>encrypt</b></dt> <dd>Mandatory TLS encryption: announce
STARTTLS support to SMTP clients, and require that clients use TLS
encryption. According to <a href="http://www.faqs.org/rfcs/rfc2487.html">RFC 2487</a> this MUST NOT be applied in case
of a publicly-referenced SMTP server. Instead, this option should
be used only on dedicated servers. </dd>
</dl>
<p> Note 1: the "verify" and "secure" levels are not supported.
The Postfix SMTP server logs a warning and uses "encrypt" instead.
To verify SMTP client certificates, see <a href="TLS_README.html">TLS_README</a> for a discussion
of the <a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>, <a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a>, and <a href="postconf.5.html#permit_tls_clientcerts">permit_tls_clientcerts</a>
features. </p>
<p> Note 2: The parameter setting "<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> =
encrypt" implies "<a href="postconf.5.html#smtpd_tls_auth_only">smtpd_tls_auth_only</a> = yes".</p>
<p> Note 3: when invoked via "sendmail -bs", Postfix will never
offer STARTTLS due to insufficient privileges to access the server
private key. This is intended behavior.</p>
</DD>
<DT><b><a name="smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a>
@ -11225,14 +11267,15 @@ purpose. </p>
<DT><b><a name="smtpd_use_tls">smtpd_use_tls</a>
(default: no)</b></DT><DD>
<p> Opportunistic mode: announce STARTTLS support to SMTP clients,
<p> Opportunistic TLS: announce STARTTLS support to SMTP clients,
but do not require that clients use TLS encryption. </p>
<p> Note: when invoked via "<b>sendmail -bs</b>", Postfix will never offer
STARTTLS due to insufficient privileges to access the server private
key. This is intended behavior. </p>
<p> This feature is available in Postfix 2.2 and later. </p>
<p> This feature is available in Postfix 2.2 and later. With
Postfix 2.3 and later use <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> instead. </p>
</DD>

9
postfix/html/smtp.8.html
View File

@ -320,10 +320,11 @@ SMTP(8) SMTP(8)
found in the <a href="TLS_README.html">TLS_README</a> document.
<b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b>
The default SMTP TLS security level for all desti-
nations; when a non-empty value is specified, this
overrides the obsolete parameters <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>,
<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>, and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>.
The default SMTP TLS security level for the Postfix
SMTP client; when a non-empty value is specified,
this overrides the obsolete parameters
<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>, and
<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>.
<b><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_secu</a>-</b>
<b><a href="postconf.5.html#smtp_sasl_security_options">rity_options</a>)</b>

15
postfix/html/smtpd.8.html
View File

@ -329,12 +329,12 @@ SMTPD(8) SMTPD(8)
found in the <a href="TLS_README.html">TLS_README</a> document.
<b><a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> (no)</b>
Opportunistic mode: announce STARTTLS support to
Opportunistic TLS: announce STARTTLS support to
SMTP clients, but do not require that clients use
TLS encryption.
<b><a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> (no)</b>
Enforcement mode: announce STARTTLS support to SMTP
Mandatory TLS: announce STARTTLS support to SMTP
clients, and require that clients use TLS encryp-
tion.
@ -408,7 +408,8 @@ SMTPD(8) SMTPD(8)
TLS activity.
<b><a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> (empty)</b>
The list of TLS protocols supported by the server.
The list of TLS protocols supported by the Postfix
SMTP server.
<b><a href="postconf.5.html#smtpd_tls_received_header">smtpd_tls_received_header</a> (no)</b>
Request that the Postfix SMTP server produces
@ -441,6 +442,14 @@ SMTPD(8) SMTPD(8)
server in order to seed its internal pseudo random
number generator (PRNG).
Available in Postfix version 2.3 and later:
<b><a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> (empty)</b>
The SMTP TLS security level for the Postfix SMTP
server; when a non-empty value is specified, this
overrides the obsolete parameters <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> and
<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>.
<b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a></b>
<b>(!EXPORT:!LOW:!MEDIUM:ALL:+RC4:@STRENGTH)</b>
The OpenSSL cipherlist for "HIGH" grade ciphers.

85
postfix/man/man5/postconf.5
View File

@ -4884,9 +4884,9 @@ example.net secure match=example.com:.example.com
.PP
This feature is available in Postfix 2.3 and later.
.SH smtp_tls_security_level (default: empty)
The default SMTP TLS security level for all destinations; when
a non-empty value is specified, this overrides the obsolete parameters
smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
The default SMTP TLS security level for the Postfix SMTP client;
when a non-empty value is specified, this overrides the obsolete
parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
.PP
Specify one of the following security levels:
.IP "\fBnone\fR"
@ -5621,19 +5621,20 @@ This feature is available in Postfix 2.2 and later.
.PP
See smtpd_data_restrictions for syntax details.
.SH smtpd_enforce_tls (default: no)
Enforcement mode: announce STARTTLS support to SMTP clients,
Mandatory TLS: announce STARTTLS support to SMTP clients,
and require that clients use TLS encryption. According to RFC 2487
this MUST NOT be applied in case of a publicly-referenced SMTP
server. This option is off by default and should be used only on
dedicated servers.
.PP
Note 1: this mode implies "smtpd_tls_auth_only = yes".
Note 1: "smtpd_enforce_tls = yes" implies "smtpd_tls_auth_only = yes".
.PP
Note 2: when invoked via "\fBsendmail -bs\fR", Postfix will never offer
STARTTLS due to insufficient privileges to access the server private
key. This is intended behavior.
.PP
This feature is available in Postfix 2.2 and later.
This feature is available in Postfix 2.2 and later. With
Postfix 2.3 and later use smtpd_tls_security_level instead.
.SH smtpd_error_sleep_time (default: 1s)
With Postfix version 2.1 and later: the SMTP server response delay after
a client has made more than $smtpd_soft_error_limit errors, and
@ -6470,15 +6471,15 @@ able to authenticate the server, but unless it is running Postfix 2.3 or
similar software, it will still insist on a server certificate.
.PP
For servers that are \fBnot\fR public Internet MX hosts, Postfix
2.3 supports configurations with no certificates. This entails the use
of just the anonymous TLS ciphers, which are not supported by typical
SMTP clients. Since such clients will not, as a rule, fall back to plain
text after a TLS handshake failure, the server will be unable to receive
email from TLS enabled clients. To avoid accidental configurations with
no certificates, Postfix 2.3 enables certificate-less operation only
when the administrator explicitly sets "smtpd_tls_cert_file = none". This
ensures that new Postfix configurations with just "smtpd_use_tls = yes"
added, will not accidentally run with no certificates.
2.3 supports configurations with no certificates. This entails the
use of just the anonymous TLS ciphers, which are not supported by
typical SMTP clients. Since such clients will not, as a rule, fall
back to plain text after a TLS handshake failure, the server will
be unable to receive email from TLS enabled clients. To avoid
accidental configurations with no certificates, Postfix 2.3 enables
certificate-less operation only when the administrator explicitly
sets "smtpd_tls_cert_file = none". This ensures that new Postfix
configurations will not accidentally run with no certificates.
.PP
Both RSA and DSA certificates are supported. When both types
are present, the cipher used determines which certificate will be
@ -6723,17 +6724,15 @@ loglevel 4 is strongly discouraged.
.PP
This feature is available in Postfix 2.2 and later.
.SH smtpd_tls_protocols (default: empty)
The list of TLS protocols supported by the server. If empty the
default list of protocols is used (i.e. all TLS protocol versions are
supported). Any non-empty value is interpreted as a list of protocol
names separated by whitespace, commas or colons. The supported protocol
names are "SSLv2", "SSLv3" and "TLSv1", and are not
case-sensitive.
The list of TLS protocols supported by the Postfix SMTP server.
If the list is empty, the server supports all available TLS protocol
versions. A non-empty value is a list of protocol names separated
by whitespace, commas or colons. The supported protocol names are
"SSLv2", "SSLv3" and "TLSv1", and are not case sensitive.
.PP
DO NOT set this to a non-default value on an MX-host,
as some clients may not support any of the narrower set of protocols,
and may be unable to fallback to plaintext sessions. If you restrict
the protocol list on an MX host, you may lose mail.
DO NOT set this to a non-default value on an Internet MX host,
as this may cause inter-operability problems. If you restrict the
protocol list on an Internet MX host, you may lose mail.
.PP
Example:
.PP
@ -6764,6 +6763,37 @@ When TLS encryption is optional, this setting is ignored with
a warning written to the mail log.
.PP
This feature is available in Postfix 2.2 and later.
.SH smtpd_tls_security_level (default: empty)
The SMTP TLS security level for the Postfix SMTP server; when
a non-empty value is specified, this overrides the obsolete parameters
smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with
"smtpd_tls_wrappermode = yes".
.PP
Specify one of the following security levels:
.IP "\fBnone\fR"
TLS will not be used.
.IP "\fBmay\fR"
Opportunistic TLS: announce STARTTLS support
to SMTP clients, but do not require that clients use TLS encryption.
.IP "\fBencrypt\fR"
Mandatory TLS encryption: announce
STARTTLS support to SMTP clients, and require that clients use TLS
encryption. According to RFC 2487 this MUST NOT be applied in case
of a publicly-referenced SMTP server. Instead, this option should
be used only on dedicated servers.
.PP
Note 1: the "verify" and "secure" levels are not supported.
The Postfix SMTP server logs a warning and uses "encrypt" instead.
To verify SMTP client certificates, see TLS_README for a discussion
of the smtpd_tls_ask_ccert, smtpd_tls_req_ccert, and permit_tls_clientcerts
features.
.PP
Note 2: The parameter setting "smtpd_tls_security_level =
encrypt" implies "smtpd_tls_auth_only = yes".
.PP
Note 3: when invoked via "sendmail -bs", Postfix will never
offer STARTTLS due to insufficient privileges to access the server
private key. This is intended behavior.
.SH smtpd_tls_session_cache_database (default: empty)
Name of the file containing the optional Postfix SMTP server
TLS session cache. Specify a database type that supports enumeration,
@ -6812,14 +6842,15 @@ purpose.
.PP
This feature is available in Postfix 2.2 and later.
.SH smtpd_use_tls (default: no)
Opportunistic mode: announce STARTTLS support to SMTP clients,
Opportunistic TLS: announce STARTTLS support to SMTP clients,
but do not require that clients use TLS encryption.
.PP
Note: when invoked via "\fBsendmail -bs\fR", Postfix will never offer
STARTTLS due to insufficient privileges to access the server private
key. This is intended behavior.
.PP
This feature is available in Postfix 2.2 and later.
This feature is available in Postfix 2.2 and later. With
Postfix 2.3 and later use smtpd_tls_security_level instead.
.SH soft_bounce (default: no)
Safety net to keep mail queued that would otherwise be returned to
the sender. This parameter disables locally-generated bounces,

6
postfix/man/man8/smtp.8
View File

@ -286,9 +286,9 @@ for authentication.
Detailed information about STARTTLS configuration may be found
in the TLS_README document.
.IP "\fBsmtp_tls_security_level (empty)\fR"
The default SMTP TLS security level for all destinations; when
a non-empty value is specified, this overrides the obsolete parameters
smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
The default SMTP TLS security level for the Postfix SMTP client;
when a non-empty value is specified, this overrides the obsolete
parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
.IP "\fBsmtp_sasl_tls_security_options ($smtp_sasl_security_options)\fR"
The SASL authentication security options that the Postfix SMTP
client uses for TLS encrypted SMTP sessions.

12
postfix/man/man8/smtpd.8
View File

@ -295,10 +295,10 @@ for authentication.
Detailed information about STARTTLS configuration may be
found in the TLS_README document.
.IP "\fBsmtpd_use_tls (no)\fR"
Opportunistic mode: announce STARTTLS support to SMTP clients,
Opportunistic TLS: announce STARTTLS support to SMTP clients,
but do not require that clients use TLS encryption.
.IP "\fBsmtpd_enforce_tls (no)\fR"
Enforcement mode: announce STARTTLS support to SMTP clients,
Mandatory TLS: announce STARTTLS support to SMTP clients,
and require that clients use TLS encryption.
.IP "\fBsmtpd_sasl_tls_security_options ($smtpd_sasl_security_options)\fR"
The SASL authentication security options that the Postfix SMTP
@ -342,7 +342,7 @@ File with the Postfix SMTP server RSA private key in PEM format.
.IP "\fBsmtpd_tls_loglevel (0)\fR"
Enable additional Postfix SMTP server logging of TLS activity.
.IP "\fBsmtpd_tls_protocols (empty)\fR"
The list of TLS protocols supported by the server.
The list of TLS protocols supported by the Postfix SMTP server.
.IP "\fBsmtpd_tls_received_header (no)\fR"
Request that the Postfix SMTP server produces Received: message
headers that include information about the protocol and cipher used,
@ -364,6 +364,12 @@ instead of using the STARTTLS command.
The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8)
process requests from the \fBtlsmgr\fR(8) server in order to seed its
internal pseudo random number generator (PRNG).
.PP
Available in Postfix version 2.3 and later:
.IP "\fBsmtpd_tls_security_level (empty)\fR"
The SMTP TLS security level for the Postfix SMTP server; when
a non-empty value is specified, this overrides the obsolete parameters
smtpd_use_tls and smtpd_enforce_tls.
.IP "\fBtls_high_cipherlist (!EXPORT:!LOW:!MEDIUM:ALL:+RC4:@STRENGTH)\fR"
The OpenSSL cipherlist for "HIGH" grade ciphers.
.IP "\fBtls_medium_cipherlist (!EXPORT:!LOW:ALL:+RC4:@STRENGTH)\fR"

1
postfix/mantools/postlink
View File

@ -566,6 +566,7 @@ while (<>) {
s;\bsmtpd_tls_dh512_param_file\b;<a href="postconf.5.html#smtpd_tls_dh512_param_file">$&</a>;g;
s;\bsmtpd_tls_dkey_file\b;<a href="postconf.5.html#smtpd_tls_dkey_file">$&</a>;g;
s;\bsmtpd_tls_key_file\b;<a href="postconf.5.html#smtpd_tls_key_file">$&</a>;g;
s;\bsmtpd_tls_security_level\b;<a href="postconf.5.html#smtpd_tls_security_level">$&</a>;g;
s;\bsmtpd_tls_loglevel\b;<a href="postconf.5.html#smtpd_tls_loglevel">$&</a>;g;
s;\bsmtpd_tls_protocols\b;<a href="postconf.5.html#smtpd_tls_protocols">$&</a>;g;
s;\bsmtpd_tls_received_header\b;<a href="postconf.5.html#smtpd_tls_received_header">$&</a>;g;

2
postfix/proto/INSTALL.html
View File

@ -156,7 +156,7 @@ OPENSTEP 4.x <br>
OSF1.V3 - OSF1.V5 (Digital UNIX) <br>
Reliant UNIX 5.x <br>
Rhapsody 5.x <br>
SunOS 4.1.4 (December 2005) <br>
SunOS 4.1.4 (July 2006) <br>
SunOS 5.4 - 5.9 (Solaris 2.4..9) <br>
Ultrix 4.x (well, that was long ago) <br>
</p>

160
postfix/proto/TLS_README.html
View File

@ -248,8 +248,7 @@ be unable to receive email from most TLS enabled clients. To avoid
accidental configurations with no certificates, Postfix 2.3 enables
certificate-less operation only when the administrator explicitly sets
"smtpd_tls_cert_file&nbsp;=&nbsp;none". This ensures that new Postfix
configurations with just "smtpd_use_tls&nbsp;=&nbsp;yes" added, will
not accidentally run with no certificates. </p>
configurations will not accidentally run with no certificates. </p>
<p> Both RSA and DSA certificates are supported. Typically you will
only have RSA certificates issued by a commercial CA. In addition,
@ -437,13 +436,18 @@ since the headers may be changed by intermediate servers. </p>
<p> By default, TLS is disabled in the Postfix SMTP server, so no
difference to plain Postfix is visible. Explicitly switch it on
using "smtpd_use_tls&nbsp;=&nbsp;yes". </p>
with "smtpd_tls_security_level&nbsp;=&nbsp;may" (Postfix 2.3 and
later) or "smtpd_use_tls&nbsp;=&nbsp;yes" (obsolete but still
supported). </p>
<p> Example: </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
# Postfix 2.3 and later
smtpd_tls_security_level = may
# Obsolete, but still supported
smtpd_use_tls = yes
</pre>
</blockquote>
@ -456,18 +460,23 @@ SMTP clients, but does not require that clients use TLS encryption.
is never offered due to insufficient privileges to access the server
private key. This is intended behavior. </p>
<p> <a name="server_enforce">You can ENFORCE the use of TLS</a>, so that
the Postfix SMTP server announces STARTTLS and accepts no mail without
TLS encryption, by setting "smtpd_enforce_tls&nbsp;=&nbsp;yes". According
to RFC 2487 this MUST NOT be applied in case of a publicly-referenced
Postfix SMTP server. This option is off by default and should only
seldom be used. </p>
<p> <a name="server_enforce">You can ENFORCE the use of TLS</a>,
so that the Postfix SMTP server announces STARTTLS and accepts no
mail without TLS encryption, by setting
"smtpd_tls_security_level&nbsp;=&nbsp;encrypt" (Postfix 2.3 and
later) or "smtpd_enforce_tls&nbsp;=&nbsp;yes" (obsolete but still
supported). According to RFC 2487 this MUST NOT be applied in case
of a publicly-referenced Postfix SMTP server. This option is off
by default and should only seldom be used. </p>
<p> Example: </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
# Postfix 2.3 and later
smtpd_tls_security_level = encrypt
# Obsolete, but still supported
smtpd_enforce_tls = yes
</pre>
</blockquote>
@ -517,8 +526,11 @@ when the server is configured to ask for client certificates. </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
smtpd_use_tls = yes
smtpd_tls_ask_ccert = yes
# Postfix 2.3 and later
smtpd_tls_security_level = may
# Obsolete, but still supported
smtpd_use_tls = yes
</pre>
</blockquote>
@ -534,8 +546,11 @@ logged. </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
smtpd_enforce_tls = yes
smtpd_tls_req_ccert = yes
# Postfix 2.3 and later
smtpd_tls_security_level = encrypt
# Obsolete, but still supported
smtpd_enforce_tls = yes
</pre>
</blockquote>
@ -556,15 +571,18 @@ CA issues special CA which then issues the actual certificate...)
<h3><a name="server_tls_auth">Supporting AUTH over TLS only</a></h3>
<p> Sending AUTH data over an unencrypted channel poses a security risk.
When TLS layer encryption is required (smtpd_enforce_tls&nbsp;=&nbsp;yes),
the Postfix SMTP server will announce and accept AUTH only
after the TLS layer has been activated with STARTTLS. When TLS
layer encryption is optional (smtpd_enforce_tls&nbsp;=&nbsp;no), it may
however still be useful to only offer AUTH when TLS is active. To
maintain compatibility with non-TLS clients, the default is to
accept AUTH without encryption. In order to change this behavior,
set "smtpd_tls_auth_only&nbsp;=&nbsp;yes". </p>
<p> Sending AUTH data over an unencrypted channel poses a security
risk. When TLS layer encryption is required
("smtpd_tls_security_level&nbsp;=&nbsp;encrypt" or the obsolete
"smtpd_enforce_tls&nbsp;=&nbsp;yes"), the Postfix SMTP server will
announce and accept AUTH only after the TLS layer has been activated
with STARTTLS. When TLS layer encryption is optional
("smtpd_tls_security_level&nbsp;=&nbsp;may" or the obsolete
"smtpd_enforce_tls&nbsp;=&nbsp;no"), it may however still be useful
to only offer AUTH when TLS is active. To maintain compatibility
with non-TLS clients, the default is to accept AUTH without encryption.
In order to change this behavior, set
"smtpd_tls_auth_only&nbsp;=&nbsp;yes". </p>
<p> Example: </p>
@ -715,12 +733,14 @@ and not specifying an smtpd_tls_dcert_file. </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
smtpd_use_tls = yes
smtpd_enforce_tls = yes
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/key.pem
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = aNULL, MD5
# Postfix 2.3 and later
smtpd_tls_security_level = encrypt
# Obsolete, but still supported
smtpd_enforce_tls = yes
</pre>
</blockquote>
@ -1257,12 +1277,12 @@ on TLS <a href="#client_tls_limits">limitations</a> above. </p>
<p> At the "encrypt" TLS security level, messages are sent only
over TLS encrypted sessions. The SMTP transaction is aborted unless
the STARTTLS ESMTP feature is supported by the server. If no
suitable servers are found, the message will be deferred. With Postfix
2.3 and later, mandatory TLS encryption can be configured by setting
"smtp_tls_security_level&nbsp;=&nbsp;encrypt". Even though TLS encryption
is always used, mail delivery continues if the server certificate is
untrusted or bears the wrong name. </p>
the STARTTLS ESMTP feature is supported by the server. If no suitable
servers are found, the message will be deferred. With Postfix 2.3
and later, mandatory TLS encryption can be configured by setting
"smtp_tls_security_level&nbsp;=&nbsp;encrypt". Even though TLS
encryption is always used, mail delivery continues if the server
certificate is untrusted or bears the wrong name. </p>
<p> At this security level and higher, the smtp_tls_mandatory_protocols
and smtp_tls_mandatory_ciphers configuration parameters determine
@ -1382,15 +1402,15 @@ use the new <a href="#client_tls_policy">policy table</a> instead. </p>
<h3><a name="client_tls_verify"> Mandatory server certificate verification </a>
</h3>
<p> At the "verify" TLS security level, messages are sent only
over TLS encrypted sessions for which server certificate verification
succeeds. If no suitable servers are found, the message will be
deferred. With Postfix 2.3 and later, mandatory server certificate
verification can be configured by setting
"smtp_tls_security_level&nbsp;=&nbsp;verify", the
<p> At the "verify" TLS security level, messages are sent only over
TLS encrypted sessions if the server certificate is valid (not
expired or revoked, and signed by a trusted certificate authority)
and if the server certificate name matches a known pattern. Mandatory
server certificate verification can be configured by setting
"smtp_tls_security_level&nbsp;=&nbsp;verify". The
smtp_tls_verify_cert_match parameter can override the default
"hostname" certificate match strategy. Fine-tuning the matching
strategy is generally only appropriate for <a
"hostname" certificate name matching strategy. Fine-tuning the
matching strategy is generally only appropriate for <a
href="#client_tls_secure">secure-channel</a> destinations. </p>
<p> With Postfix 2.2 and earlier, or when smtp_tls_security_level
@ -1676,33 +1696,51 @@ describe the corresponding table syntax: </p>
<dd>Opportunistic TLS. No additional attributes are supported at this
level. </dd>
<dt><b>encrypt</b></dt> <dd>Mandatory TLS encryption. At this level and
higher the optional "ciphers" attribute overrides the main.cf
smtp_tls_mandatory_ciphers parameter and the optional "protocols"
keyword overrides the main.cf smtp_tls_mandatory_protocols parameter.
In the policy table, multiple protocols must be separated by colons,
as attribute values may not contain whitespace or commas.</dd>
<dt><b>encrypt</b></dt> <dd>Mandatory TLS encryption. Mail is
delivered only if remote SMTP server offers STARTTLS and the TLS
handshake succeeds. At this level and higher the optional "ciphers"
attribute overrides the main.cf smtp_tls_mandatory_ciphers parameter
and the optional "protocols" keyword overrides the main.cf
smtp_tls_mandatory_protocols parameter. </dd>
<dt><b>verify</b></dt>
<dd>Mandatory server certificate verification. The optional "match"
attribute overrides the main.cf smtp_tls_verify_cert_match parameter.
In the policy table, multiple match patterns and strategies must
be separated by colons. </dd>
<dt><b>verify</b></dt> <dd>Mandatory server certificate verification.
Mail is delivered only if the TLS handshake succeeds, if the server
certificate can be validated (not expired or revoked, and signed
by a trusted certificate authority), and if the server certificate
name matches the optional "match" attribute (or the main.cf
smtp_tls_verify_cert_match parameter value when no optional "match"
attribute is specified). </dd>
<dt><b>secure</b></dt> <dd>Secure-channel TLS. The optional "match"
attribute overrides the main.cf smtp_tls_secure_cert_match parameter. In
the policy table, multiple match patterns and strategies must be separated
by colons. The match attribute is useful when additional domains are
supported by common server, the policy entries for the additional domains
specify matching rules for the primary domain certificate. While transport
table overrides routing secondary domains to the primary nexthop also
allow secure verification, they risk delivery to the wrong destination
when domains change hands or are re-assigned to new gateways. With the
"match" attribute approach, routing is not perturbed, and mail is deferred
if verification of a new MX host fails. </dd>
<dt><b>secure</b></dt> <dd>Secure-channel TLS. Mail is delivered
only if the TLS handshake succeeds, if the server certificate can
be validated (not expired or revoked, and signed by a trusted
certificate authority), and if the server certificate name matches
the optional "match" attribute (or the main.cf smtp_tls_secure_cert_match
parameter value when no optional "match" attribute is specified).
</dd>
</dl>
<p> Notes: </p>
<ul>
<li> <p> The "match" attribute is especially useful to verify TLS
certificates for domains that are hosted on a shared server. In
that case, specify "match" rules for the shared server's name.
While secure verification can also be achieved with manual routing
overrides in Postfix transport(5) tables, that approach can deliver
mail to the wrong host when domains are assigned to new gateway
hosts. The "match" attribute approach avoids the problems of manual
routing overrides; mail is deferred if verification of a new MX
host fails. </p>
<li> <p> When a policy table entry specifies multiple match patterns,
multiple match strategies, or multiple protocols, these must be
separated by colons. </p>
</ul>
<p>
Example:
</p>
@ -2238,6 +2276,7 @@ but don't require them from all clients. </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_session_cache_database =
btree:/var/spool/postfix/smtp_tls_session_cache
@ -2248,8 +2287,11 @@ smtpd_tls_key_file = /etc/postfix/FOO-key.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database =
btree:/var/spool/postfix/smtpd_tls_session_cache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
# Postfix 2.3 and later
smtpd_tls_security_level = may
# Obsolete, but still supported
smtpd_use_tls = yes
</pre>
</blockquote>

93
postfix/proto/postconf.proto
View File

@ -8068,15 +8068,15 @@ able to authenticate the server, but unless it is running Postfix 2.3 or
similar software, it will still insist on a server certificate. </p>
<p> For servers that are <b>not</b> public Internet MX hosts, Postfix
2.3 supports configurations with no certificates. This entails the use
of just the anonymous TLS ciphers, which are not supported by typical
SMTP clients. Since such clients will not, as a rule, fall back to plain
text after a TLS handshake failure, the server will be unable to receive
email from TLS enabled clients. To avoid accidental configurations with
no certificates, Postfix 2.3 enables certificate-less operation only
when the administrator explicitly sets "smtpd_tls_cert_file = none". This
ensures that new Postfix configurations with just "smtpd_use_tls = yes"
added, will not accidentally run with no certificates. </p>
2.3 supports configurations with no certificates. This entails the
use of just the anonymous TLS ciphers, which are not supported by
typical SMTP clients. Since such clients will not, as a rule, fall
back to plain text after a TLS handshake failure, the server will
be unable to receive email from TLS enabled clients. To avoid
accidental configurations with no certificates, Postfix 2.3 enables
certificate-less operation only when the administrator explicitly
sets "smtpd_tls_cert_file = none". This ensures that new Postfix
configurations will not accidentally run with no certificates. </p>
<p> Both RSA and DSA certificates are supported. When both types
are present, the cipher used determines which certificate will be
@ -8225,30 +8225,32 @@ that was recorded by the final destination can be trusted. </p>
%PARAM smtpd_use_tls no
<p> Opportunistic mode: announce STARTTLS support to SMTP clients,
<p> Opportunistic TLS: announce STARTTLS support to SMTP clients,
but do not require that clients use TLS encryption. </p>
<p> Note: when invoked via "<b>sendmail -bs</b>", Postfix will never offer
STARTTLS due to insufficient privileges to access the server private
key. This is intended behavior. </p>
<p> This feature is available in Postfix 2.2 and later. </p>
<p> This feature is available in Postfix 2.2 and later. With
Postfix 2.3 and later use smtpd_tls_security_level instead. </p>
%PARAM smtpd_enforce_tls no
<p> Enforcement mode: announce STARTTLS support to SMTP clients,
<p> Mandatory TLS: announce STARTTLS support to SMTP clients,
and require that clients use TLS encryption. According to RFC 2487
this MUST NOT be applied in case of a publicly-referenced SMTP
server. This option is off by default and should be used only on
dedicated servers. </p>
<p> Note 1: this mode implies "smtpd_tls_auth_only = yes". </p>
<p> Note 1: "smtpd_enforce_tls = yes" implies "smtpd_tls_auth_only = yes". </p>
<p> Note 2: when invoked via "<b>sendmail -bs</b>", Postfix will never offer
STARTTLS due to insufficient privileges to access the server private
key. This is intended behavior. </p>
<p> This feature is available in Postfix 2.2 and later. </p>
<p> This feature is available in Postfix 2.2 and later. With
Postfix 2.3 and later use smtpd_tls_security_level instead. </p>
%PARAM smtpd_tls_wrappermode no
@ -9772,17 +9774,15 @@ configuration parameter. See there for details. </p>
%PARAM smtpd_tls_protocols
<p> The list of TLS protocols supported by the server. If empty the
default list of protocols is used (i.e. all TLS protocol versions are
supported). Any non-empty value is interpreted as a list of protocol
names separated by whitespace, commas or colons. The supported protocol
names are "SSLv2", "SSLv3" and "TLSv1", and are not
case-sensitive. </p>
<p> The list of TLS protocols supported by the Postfix SMTP server.
If the list is empty, the server supports all available TLS protocol
versions. A non-empty value is a list of protocol names separated
by whitespace, commas or colons. The supported protocol names are
"SSLv2", "SSLv3" and "TLSv1", and are not case sensitive. </p>
<p> DO NOT set this to a non-default value on an MX-host,
as some clients may not support any of the narrower set of protocols,
and may be unable to fallback to plaintext sessions. If you restrict
the protocol list on an MX host, you may lose mail. </p>
<p> DO NOT set this to a non-default value on an Internet MX host,
as this may cause inter-operability problems. If you restrict the
protocol list on an Internet MX host, you may lose mail. </p>
<p> Example: </p>
@ -9794,9 +9794,10 @@ smtpd_tls_protocols = SSLv3, TLSv1
%PARAM smtp_tls_security_level
<p> The default SMTP TLS security level for all destinations; when
a non-empty value is specified, this overrides the obsolete parameters
smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername. </p>
<p> The default SMTP TLS security level for the Postfix SMTP client;
when a non-empty value is specified, this overrides the obsolete
parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
</p>
<p> Specify one of the following security levels: </p>
@ -10360,3 +10361,41 @@ login/password information for that server. </p>
configuration parameter. See there for details. </p>
<p> This feature is available in Postfix 2.3 and later. </p>
%PARAM smtpd_tls_security_level
<p> The SMTP TLS security level for the Postfix SMTP server; when
a non-empty value is specified, this overrides the obsolete parameters
smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with
"smtpd_tls_wrappermode = yes". </p>
<p> Specify one of the following security levels: </p>
<dl>
<dt><b>none</b></dt> <dd> TLS will not be used. </dd>
<dt><b>may</b></dt> <dd> Opportunistic TLS: announce STARTTLS support
to SMTP clients, but do not require that clients use TLS encryption.
</dd>
<dt><b>encrypt</b></dt> <dd>Mandatory TLS encryption: announce
STARTTLS support to SMTP clients, and require that clients use TLS
encryption. According to RFC 2487 this MUST NOT be applied in case
of a publicly-referenced SMTP server. Instead, this option should
be used only on dedicated servers. </dd>
</dl>
<p> Note 1: the "verify" and "secure" levels are not supported.
The Postfix SMTP server logs a warning and uses "encrypt" instead.
To verify SMTP client certificates, see TLS_README for a discussion
of the smtpd_tls_ask_ccert, smtpd_tls_req_ccert, and permit_tls_clientcerts
features. </p>
<p> Note 2: The parameter setting "smtpd_tls_security_level =
encrypt" implies "smtpd_tls_auth_only = yes".</p>
<p> Note 3: when invoked via "sendmail -bs", Postfix will never
offer STARTTLS due to insufficient privileges to access the server
private key. This is intended behavior.</p>

4
postfix/src/cleanup/cleanup_milter.c
View File

@ -1178,6 +1178,10 @@ static const char *cleanup_repl_body(void *context, VSTRING *body)
{
const char *myname = "cleanup_repl_body";
/*
* XXX Sendmail compatibility: milters don't see the first body line, so
* don't expect they will send one.
*/
msg_panic("%s: message body replace operation is not implemented", myname);
}

4
postfix/src/global/mail_params.h
View File

@ -1091,6 +1091,10 @@ extern char *var_smtpd_forbid_cmds;
#define DEF_SMTPD_TLS_WRAPPER 0
extern bool var_smtpd_tls_wrappermode;
#define VAR_SMTPD_TLS_LEVEL "smtpd_tls_security_level"
#define DEF_SMTPD_TLS_LEVEL ""
extern char *var_smtpd_tls_level;
#define VAR_SMTPD_USE_TLS "smtpd_use_tls"
#define DEF_SMTPD_USE_TLS 0
extern bool var_smtpd_use_tls;

4
postfix/src/global/mail_version.h
View File

@ -20,8 +20,8 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
#define MAIL_RELEASE_DATE "20060707"
#define MAIL_VERSION_NUMBER "2.3-RC8"
#define MAIL_RELEASE_DATE "20060709"
#define MAIL_VERSION_NUMBER "2.3-RC9"
#define VAR_MAIL_VERSION "mail_version"
#define DEF_MAIL_VERSION MAIL_VERSION_NUMBER

18
postfix/src/milter/milter8.c
View File

@ -1886,7 +1886,8 @@ static void milter8_disc_event(MILTER *m)
typedef struct {
MILTER8 *milter; /* milter client */
ARGV *macros; /* end-of-body macros */
int hdr_count; /* header counter */
int first_header; /* first header */
int first_body; /* first body line */
const char *resp; /* milter application response */
} MILTER_MSG_CONTEXT;
@ -1916,8 +1917,10 @@ static void milter8_header(void *ptr, int unused_header_class,
* dk-filter signature will be inserted at the wrong position. It should
* precede the headers that it signs.
*/
if (msg_ctx->hdr_count++ == 0)
if (msg_ctx->first_header) {
msg_ctx->first_header = 0;
return;
}
/*
* Sendmail 8 sends multi-line headers as text separated by newline.
@ -1982,6 +1985,14 @@ static void milter8_body(void *ptr, int rec_type,
ssize_t space;
ssize_t count;
/*
* XXX Sendmail compatibility: don't expose our first body line.
*/
if (msg_ctx->first_body) {
msg_ctx->first_body = 0;
return;
}
/*
* XXX I thought I was going to delegate all the on-the-wire formatting
* to a common lower layer, but unfortunately it's not practical. If we
@ -2082,7 +2093,8 @@ static const char *milter8_message(MILTER *m, VSTREAM *qfile,
}
msg_ctx.milter = milter;
msg_ctx.macros = macros;
msg_ctx.hdr_count = 0;
msg_ctx.first_header = 1;
msg_ctx.first_body = 1;
msg_ctx.resp = 0;
mime_state =
mime_state_alloc(MIME_OPT_DISABLE_MIME,

11
postfix/src/smtp/smtp.c
View File

@ -256,9 +256,9 @@
/* Detailed information about STARTTLS configuration may be found
/* in the TLS_README document.
/* .IP "\fBsmtp_tls_security_level (empty)\fR"
/* The default SMTP TLS security level for all destinations; when
/* a non-empty value is specified, this overrides the obsolete parameters
/* smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
/* The default SMTP TLS security level for the Postfix SMTP client;
/* when a non-empty value is specified, this overrides the obsolete
/* parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
/* .IP "\fBsmtp_sasl_tls_security_options ($smtp_sasl_security_options)\fR"
/* The SASL authentication security options that the Postfix SMTP
/* client uses for TLS encrypted SMTP sessions.
@ -716,8 +716,6 @@ SSL_CTX *smtp_tls_ctx;
#endif
extern NAME_CODE smtp_tls_levels[]; /* smtp_session.c name_code table */
/* deliver_message - deliver message with extreme prejudice */
static int deliver_message(const char *service, DELIVER_REQUEST *request)
@ -853,8 +851,7 @@ static void pre_init(char *unused_name, char **unused_argv)
/*
* Initialize the TLS data before entering the chroot jail
*/
if (name_code(smtp_tls_levels, NAME_CODE_FLAG_NONE,
var_smtp_tls_level) > TLS_LEV_NONE ||
if (tls_level_lookup(var_smtp_tls_level) > TLS_LEV_NONE ||
var_smtp_use_tls || var_smtp_enforce_tls ||
var_smtp_tls_per_site[0] || var_smtp_tls_policy[0]) {
#ifdef USE_TLS

16
postfix/src/smtp/smtp_session.c
View File

@ -126,15 +126,6 @@
#include "smtp.h"
#include "smtp_sasl.h"
NAME_CODE smtp_tls_levels[] = {
"none", TLS_LEV_NONE,
"may", TLS_LEV_MAY,
"encrypt", TLS_LEV_ENCRYPT,
"verify", TLS_LEV_VERIFY,
"secure", TLS_LEV_SECURE,
0, TLS_LEV_NOTFOUND,
};
#ifdef USE_TLS
static MAPS *tls_policy; /* lookup table(s) */
@ -162,7 +153,7 @@ void smtp_tls_list_init(void)
static const char *policy_name(int tls_level)
{
const char *name = str_name_code(smtp_tls_levels, tls_level);
const char *name = str_tls_level(tls_level);
if (name == 0)
name = "unknown";
@ -241,7 +232,7 @@ static int tls_policy_lookup_one(SMTP_SESSION *session,
msg_warn("ignoring empty tls policy for %s", site_name);
FREE_RETURN(1); /* No further lookups */
}
*site_level = name_code(smtp_tls_levels, NAME_CODE_FLAG_NONE, tok);
*site_level = tls_level_lookup(tok);
if (*site_level == TLS_LEV_NOTFOUND) {
msg_warn("%s: unknown security level '%s' ignored",
str_context(cbuf, site_class, site_name), tok);
@ -418,8 +409,7 @@ static void session_tls_init(SMTP_SESSION *session, const char *dest,
* per-site policy.
*/
if (*var_smtp_tls_level) {
global_level = name_code(smtp_tls_levels, NAME_CODE_FLAG_NONE,
var_smtp_tls_level);
global_level = tls_level_lookup(var_smtp_tls_level);
if (global_level == TLS_LEV_NOTFOUND) {
msg_fatal("%s: unknown TLS security level '%s'",
lmtp ? VAR_LMTP_TLS_LEVEL : VAR_SMTP_TLS_LEVEL,

54
postfix/src/smtpd/smtpd.c
View File

@ -263,10 +263,10 @@
/* Detailed information about STARTTLS configuration may be
/* found in the TLS_README document.
/* .IP "\fBsmtpd_use_tls (no)\fR"
/* Opportunistic mode: announce STARTTLS support to SMTP clients,
/* Opportunistic TLS: announce STARTTLS support to SMTP clients,
/* but do not require that clients use TLS encryption.
/* .IP "\fBsmtpd_enforce_tls (no)\fR"
/* Enforcement mode: announce STARTTLS support to SMTP clients,
/* Mandatory TLS: announce STARTTLS support to SMTP clients,
/* and require that clients use TLS encryption.
/* .IP "\fBsmtpd_sasl_tls_security_options ($smtpd_sasl_security_options)\fR"
/* The SASL authentication security options that the Postfix SMTP
@ -310,7 +310,7 @@
/* .IP "\fBsmtpd_tls_loglevel (0)\fR"
/* Enable additional Postfix SMTP server logging of TLS activity.
/* .IP "\fBsmtpd_tls_protocols (empty)\fR"
/* The list of TLS protocols supported by the server.
/* The list of TLS protocols supported by the Postfix SMTP server.
/* .IP "\fBsmtpd_tls_received_header (no)\fR"
/* Request that the Postfix SMTP server produces Received: message
/* headers that include information about the protocol and cipher used,
@ -332,6 +332,12 @@
/* The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8)
/* process requests from the \fBtlsmgr\fR(8) server in order to seed its
/* internal pseudo random number generator (PRNG).
/* .PP
/* Available in Postfix version 2.3 and later:
/* .IP "\fBsmtpd_tls_security_level (empty)\fR"
/* The SMTP TLS security level for the Postfix SMTP server; when
/* a non-empty value is specified, this overrides the obsolete parameters
/* smtpd_use_tls and smtpd_enforce_tls.
/* .IP "\fBtls_high_cipherlist (!EXPORT:!LOW:!MEDIUM:ALL:+RC4:@STRENGTH)\fR"
/* The OpenSSL cipherlist for "HIGH" grade ciphers.
/* .IP "\fBtls_medium_cipherlist (!EXPORT:!LOW:ALL:+RC4:@STRENGTH)\fR"
@ -1019,6 +1025,7 @@ char *var_local_rwr_clients;
char *var_smtpd_ehlo_dis_words;
char *var_smtpd_ehlo_dis_maps;
char *var_smtpd_tls_level;
bool var_smtpd_use_tls;
bool var_smtpd_enforce_tls;
bool var_smtpd_tls_wrappermode;
@ -4109,8 +4116,8 @@ static void pre_accept(char *unused_name, char **unused_argv)
static void pre_jail_init(char *unused_name, char **unused_argv)
{
int enforce_tls = var_smtpd_tls_wrappermode || var_smtpd_enforce_tls;
int use_tls = var_smtpd_use_tls || enforce_tls;
int enforce_tls;
int use_tls;
/*
* Initialize blacklist/etc. patterns before entering the chroot jail, in
@ -4139,10 +4146,42 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
VAR_SMTPD_SASL_ENABLE);
#endif
/*
* XXX Temporary fix to pretend that we consistently implement TLS
* security levels. We implement only a subset for now. If we implement
* more levels, wrappermode should override only weaker TLS security
* levels.
*/
if (!var_smtpd_tls_wrappermode && *var_smtpd_tls_level) {
switch (tls_level_lookup(var_smtpd_tls_level)) {
default:
msg_warn("%s: ignoring unknown TLS level \"%s\"",
VAR_SMTPD_TLS_LEVEL, var_smtpd_tls_level);
break;
case TLS_LEV_SECURE:
case TLS_LEV_VERIFY:
msg_warn("%s: unsupported TLS level \"%s\", using \"encrypt\"",
VAR_SMTPD_TLS_LEVEL, var_smtpd_tls_level);
/* FALLTHROUGH */
case TLS_LEV_ENCRYPT:
var_smtpd_enforce_tls = var_smtpd_use_tls = 1;
break;
case TLS_LEV_MAY:
var_smtpd_enforce_tls = 0;
var_smtpd_use_tls = 1;
break;
case TLS_LEV_NONE:
var_smtpd_enforce_tls = var_smtpd_use_tls = 0;
break;
}
}
enforce_tls = var_smtpd_tls_wrappermode || var_smtpd_enforce_tls;
use_tls = var_smtpd_use_tls || enforce_tls;
/*
* Keys can only be loaded when running with suitable permissions. When
* called from "sendmail -bs" this is not the case, but STARTTLS is not
* used in this scenario anyhow.
* called from "sendmail -bs" this is not the case, so we must not
* announce STARTTLS support.
*/
if (getuid() == 0 || getuid() == var_owner_uid) {
if (use_tls) {
@ -4442,6 +4481,7 @@ int main(int argc, char **argv)
VAR_SMTPD_TLS_512_FILE, DEF_SMTPD_TLS_512_FILE, &var_smtpd_tls_dh512_param_file, 0, 0,
VAR_SMTPD_TLS_1024_FILE, DEF_SMTPD_TLS_1024_FILE, &var_smtpd_tls_dh1024_param_file, 0, 0,
#endif
VAR_SMTPD_TLS_LEVEL, DEF_SMTPD_TLS_LEVEL, &var_smtpd_tls_level, 0, 0,
VAR_SMTPD_SASL_TYPE, DEF_SMTPD_SASL_TYPE, &var_smtpd_sasl_type, 1, 0,
VAR_SMTPD_MILTERS, DEF_SMTPD_MILTERS, &var_smtpd_milters, 0, 0,
VAR_MILT_CONN_MACROS, DEF_MILT_CONN_MACROS, &var_milt_conn_macros, 0, 0,

2
postfix/src/smtpd/smtpd.h
View File

@ -30,9 +30,7 @@
/*
* Postfix TLS library.
*/
#ifdef USE_TLS
#include <tls.h>
#endif
/*
* Milter library.

14
postfix/src/tls/Makefile.in
View File

@ -2,11 +2,13 @@ SHELL = /bin/sh
SRCS = tls_prng_dev.c tls_prng_egd.c tls_prng_file.c \
tls_prng_exch.c tls_stream.c tls_bio_ops.c tls_misc.c tls_dh.c \
tls_rsa.c tls_verify.c tls_certkey.c tls_session.c \
tls_client.c tls_server.c tls_scache.c tls_mgr.c tls_seed.c
tls_client.c tls_server.c tls_scache.c tls_mgr.c tls_seed.c \
tls_level.c
OBJS = tls_prng_dev.o tls_prng_egd.o tls_prng_file.o \
tls_prng_exch.o tls_stream.o tls_bio_ops.o tls_misc.o tls_dh.o \
tls_rsa.o tls_verify.o tls_certkey.o tls_session.o \
tls_client.o tls_server.o tls_scache.o tls_mgr.o tls_seed.o
tls_client.o tls_server.o tls_scache.o tls_mgr.o tls_seed.o \
tls_level.o
HDRS = tls.h tls_prng.h tls_scache.h tls_mgr.h
TESTSRC =
DEFS = -I. -I$(INC_DIR) -D$(SYSTYPE)
@ -129,6 +131,14 @@ tls_dh.o: ../../include/vstream.h
tls_dh.o: ../../include/vstring.h
tls_dh.o: tls.h
tls_dh.o: tls_dh.c
tls_level.o: ../../include/name_code.h
tls_level.o: ../../include/name_mask.h
tls_level.o: ../../include/sys_defs.h
tls_level.o: ../../include/vbuf.h
tls_level.o: ../../include/vstream.h
tls_level.o: ../../include/vstring.h
tls_level.o: tls.h
tls_level.o: tls_level.c
tls_mgr.o: ../../include/attr.h
tls_mgr.o: ../../include/attr_clnt.h
tls_mgr.o: ../../include/iostuff.h

10
postfix/src/tls/tls.h
View File

@ -11,6 +11,11 @@
/* DESCRIPTION
/* .nf
/*
* Utility library.
*/
#include <name_code.h>
/*
* TLS enforcement levels. Non-sentinel values also be used to indicate
* the actual security level of a session.
@ -22,6 +27,11 @@
#define TLS_LEV_VERIFY 3 /* certificate verified */
#define TLS_LEV_SECURE 4 /* "secure" verification */
extern NAME_CODE tls_level_table[];
#define tls_level_lookup(s) name_code(tls_level_table, NAME_CODE_FLAG_NONE, (s))
#define str_tls_level(l) str_name_code(tls_level_table, (l))
#ifdef USE_TLS
/*

60
postfix/src/tls/tls_level.c Normal file
View File

@ -0,0 +1,60 @@
/*++
/* NAME
/* tls_level 3
/* SUMMARY
/* TLS security level conversion
/* SYNOPSIS
/* #include <tls.h>
/*
/* int tls_level_lookup(name)
/* const char *name;
/*
/* const char *str_tls_level(level)
/* int level;
/* DESCRIPTION
/* The macros in this module convert TLS levels from symbolic
/* name to internal form and vice versa. The macros are safe
/* because they evaluate their arguments only once.
/*
/* tls_level_lookup() converts a TLS level from symbolic name
/* to internal form. The result is TLS_NOTFOUND for an unknown
/* level.
/*
/* str_tls_level() converts a TLS level from internal form to
/* symbolic name. The result is a null pointer for an unknown
/* level.
/* SEE ALSO
/* name_code(3) name to number mapping
/* LICENSE
/* .ad
/* .fi
/* The Secure Mailer license must be distributed with this software.
/* AUTHOR(S)
/* Wietse Venema
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
/*--*/
/* System library. */
#include <sys_defs.h>
/* Utility library. */
#include <name_code.h>
/* TLS library. */
#include <tls.h>
/* Application-specific. */
NAME_CODE tls_level_table[] = {
"none", TLS_LEV_NONE,
"may", TLS_LEV_MAY,
"encrypt", TLS_LEV_ENCRYPT,
"verify", TLS_LEV_VERIFY,
"secure", TLS_LEV_SECURE,
0, TLS_LEV_NOTFOUND,
};