diff --git a/postfix/HISTORY b/postfix/HISTORY index fd45ffe07..9b544b285 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -15823,11 +15823,12 @@ Apologies for any names omitted. 20100610 - Postfix no longer appends the system default CAs to the - lists specified with *_tls_CAfile or with *_tls_CApath. + Bugfix: Postfix no longer appends the system default CAs + to the lists specified with *_tls_CAfile or with *_tls_CApath. This prevents third-party certificates from being trusted - and being given mail relay permission with - permit_tls_all_clientcerts. To get the old behavior specify + and given mail relay permission with permit_tls_all_clientcerts. + This change may break valid configurations that do not use + permit_tls_all_clientcerts. To get the old behavior, specify "tls_append_default_CA = yes". Files: tls/tls_certkey.c, tls/tls_misc.c, global/mail_params.h. proto/postconf.proto, mantools/postlink. diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index b0c82af36..76830b67c 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES @@ -19,10 +19,12 @@ Incompatibility with snapshot 20100610 Postfix no longer appends the system-supplied default CAs to the lists specified with *_tls_CAfile or with *_tls_CApath. This prevents -third-party certificates from being trusted and being given mail -relay permission with permit_tls_all_clientcerts. +third-party certificates from being trusted and given mail relay +permission with permit_tls_all_clientcerts. -Specify "tls_append_default_CA = yes" for the old behavior. +Unfortunately this change may break certificate verification on +sites that don't use permit_tls_all_clientcerts. Specify +"tls_append_default_CA = yes" for backwards compatibility. Incompatibility with snapshot 20100101 ====================================== diff --git a/postfix/WISHLIST b/postfix/WISHLIST index 83ae66556..285221991 100644 --- a/postfix/WISHLIST +++ b/postfix/WISHLIST 
@@ -2,6 +2,9 @@ Wish list: Remove this file from the stable release. + Need a regular expression table to translate address + verification responses into hard/soft/accept reply codes. + When an alias is a member of an :include: list with owner- alias, local(8) needs an option to deliver alias or alias->user indirectly. What happens when an :include: list with owner- diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 365fed132..991478f68 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -9461,7 +9461,7 @@ $smtp_tls_cert_file.
Specify "tls_append_default_CA = no" to prevent Postfix from appending the system-supplied default CAs and trusting third-party -certificates. This setting is default as of Postfix 2.8.
+certificates.Example:
@@ -9488,7 +9488,7 @@ must be inside the chroot jail.Specify "tls_append_default_CA = no" to prevent Postfix from appending the system-supplied default CAs and trusting third-party -certificates. This setting is default as of Postfix 2.8.
+certificates.Example:
@@ -11141,10 +11141,11 @@ authenticated via the RFC 4954Specify "tls_append_default_CA = no" to prevent Postfix from appending the system-supplied default CAs and trusting third-party -certificates. This setting is default as of Postfix 2.8.
+certificates.By default (see smtpd_tls_ask_ccert), client certificates are not requested, and smtpd_tls_CAfile should remain empty. If you do make use @@ -12994,7 +12995,7 @@ inside the chroot jail.
Specify "tls_append_default_CA = no" to prevent Postfix from appending the system-supplied default CAs and trusting third-party -certificates. This setting is default as of Postfix 2.8.
+certificates.By default (see smtpd_tls_ask_ccert), client certificates are not requested, and smtpd_tls_CApath should remain empty. In contrast @@ -14114,14 +14115,14 @@ connections. Next, you enable Postfix TCP servers with the updated
Append the system-supplied default certificate authority certificates to the ones specified with *_tls_CApath or *_tls_CAfile. -
- -To avoid massive compatibility breaks, this parameter defaults -to "yes" for Postfix versions 2.7 and earlier. That is, they trust -third-party certificates and they give relay permission with +The default is "no"; this prevents Postfix from trusting third-party +certificates and giving them relay permission with permit_tls_all_clientcerts.
-This feature is retroactive in Postfix 2.4 and later.
+This feature is available in Postfix 2.4.15, 2.6.8, 2.7.2 and +later versions. Specify "tls_append_default_CA = yes" for backwards +compatibility, to avoid breaking certificate verification with sites +that don't use permit_tls_all_clientcerts.
diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 592ecfa47..24850ce39 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -5414,7 +5414,7 @@ $smtp_tls_cert_file. .PP Specify "tls_append_default_CA = no" to prevent Postfix from appending the system-supplied default CAs and trusting third-party -certificates. This setting is default as of Postfix 2.8. +certificates. .PP Example: .PP @@ -5438,7 +5438,7 @@ must be inside the chroot jail. .PP Specify "tls_append_default_CA = no" to prevent Postfix from appending the system-supplied default CAs and trusting third-party -certificates. This setting is default as of Postfix 2.8. +certificates. .PP Example: .PP @@ -6803,10 +6803,11 @@ authenticated via the RFC 4954 (AUTH) protocol. Permit the request when the remote SMTP client certificate is verified successfully. This option must be used only if a special CA issues the certificates and only this CA is listed as trusted -CA. This requires that "tls_append_default_CA = no" (the default -with Postfix 2.8 and later). Otherwise, clients with a third-party -certificate would also be allowed to relay. This feature is available -with Postfix version 2.2. +CA. Otherwise, clients with a third-party certificate would also +be allowed to relay. Specify "tls_append_default_CA = no" when the +trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath, +to prevent Postfix from appending the system-supplied default CAs. +This feature is available with Postfix version 2.2. .IP "\fBpermit_tls_clientcerts\fR" Permit the request when the remote SMTP client certificate fingerprint is listed in $relay_clientcerts. 
@@ -8051,7 +8052,7 @@ server certificate file. .PP Specify "tls_append_default_CA = no" to prevent Postfix from appending the system-supplied default CAs and trusting third-party -certificates. This setting is default as of Postfix 2.8. +certificates. .PP By default (see smtpd_tls_ask_ccert), client certificates are not requested, and smtpd_tls_CAfile should remain empty. If you do make use @@ -8084,7 +8085,7 @@ inside the chroot jail. .PP Specify "tls_append_default_CA = no" to prevent Postfix from appending the system-supplied default CAs and trusting third-party -certificates. This setting is default as of Postfix 2.8. +certificates. .PP By default (see smtpd_tls_ask_ccert), client certificates are not requested, and smtpd_tls_CApath should remain empty. In contrast @@ -8943,13 +8944,14 @@ This feature is available in Postfix 2.6 and later. .SH tls_append_default_CA (default: no) Append the system-supplied default certificate authority certificates to the ones specified with *_tls_CApath or *_tls_CAfile. -.PP -To avoid massive compatibility breaks, this parameter defaults -to "yes" for Postfix versions 2.7 and earlier. That is, they trust -third-party certificates and they give relay permission with +The default is "no"; this prevents Postfix from trusting third-party +certificates and giving them relay permission with permit_tls_all_clientcerts. .PP -This feature is retroactive in Postfix 2.4 and later. +This feature is available in Postfix 2.4.15, 2.6.8, 2.7.2 and +later versions. Specify "tls_append_default_CA = yes" for backwards +compatibility, to avoid breaking certificate verification with sites +that don't use permit_tls_all_clientcerts. .SH tls_daemon_random_bytes (default: 32) The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8) process requests from the \fBtlsmgr\fR(8) server in order to seed its diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 574ee1ebd..e41350341 100644 
--- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -4860,10 +4860,11 @@ authenticated via the RFC 4954 (AUTH) protocol.Specify "tls_append_default_CA = no" to prevent Postfix from appending the system-supplied default CAs and trusting third-party -certificates. This setting is default as of Postfix 2.8.
+certificates.By default (see smtpd_tls_ask_ccert), client certificates are not requested, and smtpd_tls_CAfile should remain empty. If you do make use @@ -8709,7 +8710,7 @@ inside the chroot jail.
Specify "tls_append_default_CA = no" to prevent Postfix from appending the system-supplied default CAs and trusting third-party -certificates. This setting is default as of Postfix 2.8.
+certificates.By default (see smtpd_tls_ask_ccert), client certificates are not requested, and smtpd_tls_CApath should remain empty. In contrast @@ -9081,7 +9082,7 @@ $smtp_tls_cert_file.
Specify "tls_append_default_CA = no" to prevent Postfix from appending the system-supplied default CAs and trusting third-party -certificates. This setting is default as of Postfix 2.8.
+certificates.Example:
@@ -9104,7 +9105,7 @@ must be inside the chroot jail.Specify "tls_append_default_CA = no" to prevent Postfix from appending the system-supplied default CAs and trusting third-party -certificates. This setting is default as of Postfix 2.8.
+certificates.Example:
@@ -9399,14 +9400,14 @@ smtp_tls_dcert_file = /etc/postfix/client-dsa.pemAppend the system-supplied default certificate authority certificates to the ones specified with *_tls_CApath or *_tls_CAfile. -
- -To avoid massive compatibility breaks, this parameter defaults -to "yes" for Postfix versions 2.7 and earlier. That is, they trust -third-party certificates and they give relay permission with +The default is "no"; this prevents Postfix from trusting third-party +certificates and giving them relay permission with permit_tls_all_clientcerts.
-This feature is retroactive in Postfix 2.4 and later.
+This feature is available in Postfix 2.4.15, 2.6.8, 2.7.2 and +later versions. Specify "tls_append_default_CA = yes" for backwards +compatibility, to avoid breaking certificate verification with sites +that don't use permit_tls_all_clientcerts.
%PARAM tls_random_exchange_name see "postconf -d" output
diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h
index 1d4be1e99..7afd598db 100644
--- a/postfix/src/global/mail_params.h
+++ b/postfix/src/global/mail_params.h
@@ -624,7 +624,7 @@ extern bool var_stat_home_dir;
 extern int var_dup_filter_limit;
 #define VAR_TLS_APPEND_DEF_CA "tls_append_default_CA"
-#define DEF_TLS_APPEND_DEF_CA 0 /* 1 for Postfix < 2.8 */
+#define DEF_TLS_APPEND_DEF_CA 0 /* Postfix < 2.8 BC break */
 extern bool var_tls_append_def_CA;
 #define VAR_TLS_RAND_EXCH_NAME "tls_random_exchange_name"
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index f2bfc7139..9d1233f29 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
 * Patches change both the patchlevel and the release date. Snapshots have no
 * patchlevel; they change the release date only.
 */
-#define MAIL_RELEASE_DATE "20100610"
+#define MAIL_RELEASE_DATE "20100615"
 #define MAIL_VERSION_NUMBER "2.8"
 #ifdef SNAPSHOT
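Review bot: The new comment on `DEF_TLS_APPEND_DEF_CA` in mail_params.h, `/* Postfix < 2.8 BC break */`, does not say which way the break goes or why the default is 0. The postconf text changed in this same commit gives the reason: the default "no" keeps Postfix from trusting third-party certificates and giving them relay permission with permit_tls_all_clientcerts, and "yes" restores the earlier behavior. I would put that in the comment, for example `/* 0: system default CAs are not appended; 1 restores the older, more permissive behavior */`, so that someone changing the value sees it is a trust decision and not only a compatibility switch.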