postfix-2.8-20100615

postfix/HISTORY

@@ -15823,11 +15823,12 @@ Apologies for any names omitted.
 
 20100610
 
-	Postfix no longer appends the system default CAs to the
+	Bugfix: Postfix no longer appends the system default CAs
-	lists specified with *_tls_CAfile or with *_tls_CApath.
+	to the lists specified with *_tls_CAfile or with *_tls_CApath.
 	This prevents third-party certificates from being trusted
-	and being given mail relay permission with
+	and given mail relay permission with permit_tls_all_clientcerts.
-	permit_tls_all_clientcerts.  To get the old behavior specify
+	This change may break valid configurations that do not use
+	permit_tls_all_clientcerts.  To get the old behavior, specify
 	"tls_append_default_CA = yes".  Files: tls/tls_certkey.c,
 	tls/tls_misc.c, global/mail_params.h.  proto/postconf.proto,
 	mantools/postlink.

postfix/RELEASE_NOTES

@@ -19,10 +19,12 @@ Incompatibility with snapshot 20100610
 
 Postfix no longer appends the system-supplied default CAs to the
 lists specified with *_tls_CAfile or with *_tls_CApath. This prevents
-third-party certificates from being trusted and being given mail
+third-party certificates from being trusted and given mail relay
-relay permission with permit_tls_all_clientcerts.
+permission with permit_tls_all_clientcerts.
 
-Specify "tls_append_default_CA = yes" for the old behavior.
+Unfortunately this change may break certificate verification on
+sites that don't use permit_tls_all_clientcerts.  Specify
+"tls_append_default_CA = yes" for backwards compatibility.
 
 Incompatibility with snapshot 20100101
 ======================================

postfix/WISHLIST

@@ -2,6 +2,9 @@ Wish list:
 
 	Remove this file from the stable release.
 
+	Need a regular expression table to translate address
+	verification responses into hard/soft/accept reply codes.
+
 	When an alias is a member of an :include: list with owner-
 	alias, local(8) needs an option to deliver alias or alias->user
 	indirectly. What happens when an :include: list with owner-

postfix/html/postconf.5.html

@@ -9461,7 +9461,7 @@ $<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>. </p>
 
 <p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from
 appending the system-supplied default CAs and trusting third-party
-certificates. This setting is default as of Postfix 2.8. </p>
+certificates. </p>
 
 <p> Example: </p>
 
@@ -9488,7 +9488,7 @@ must be inside the chroot jail. </p>
 
 <p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from
 appending the system-supplied default CAs and trusting third-party
-certificates. This setting is default as of Postfix 2.8. </p>
+certificates. </p>
 
 <p> Example: </p>
 
@@ -11141,10 +11141,11 @@ authenticated via the <a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>
 <dd> Permit the request when the remote SMTP client certificate is
 verified successfully.  This option must be used only if a special
 CA issues the certificates and only this CA is listed as trusted
-CA. This requires that "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" (the default
+CA. Otherwise, clients with a third-party certificate would also
-with Postfix 2.8 and later).  Otherwise, clients with a third-party
+be allowed to relay.  Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" when the
-certificate would also be allowed to relay. This feature is available
+trusted CA is specified with <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> or <a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a>,
-with Postfix version 2.2.</dd>
+to prevent Postfix from appending the system-supplied default CAs.
+This feature is available with Postfix version 2.2.</dd>
 
 <dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
 
@@ -12959,7 +12960,7 @@ server certificate file. </p>
 
 <p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from
 appending the system-supplied default CAs and trusting third-party
-certificates. This setting is default as of Postfix 2.8. </p>
+certificates. </p>
 
 <p> By default (see <a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>), client certificates are not
 requested, and <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> should remain empty. If you do make use
@@ -12994,7 +12995,7 @@ inside the chroot jail. </p>
 
 <p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from
 appending the system-supplied default CAs and trusting third-party
-certificates. This setting is default as of Postfix 2.8. </p>
+certificates. </p>
 
 <p> By default (see <a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>), client certificates are
 not requested, and <a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> should remain empty. In contrast
@@ -14114,14 +14115,14 @@ connections.  Next, you enable Postfix TCP servers with the updated
 
 <p> Append the system-supplied default certificate authority
 certificates to the ones specified with *_tls_CApath or *_tls_CAfile.
-</p>
+The default is "no"; this prevents Postfix from trusting third-party
-
+certificates and giving them relay permission with
-<p> To avoid massive compatibility breaks, this parameter defaults
-to "yes" for Postfix versions 2.7 and earlier. That is, they trust
-third-party certificates and they give relay permission with
 <a href="postconf.5.html#permit_tls_all_clientcerts">permit_tls_all_clientcerts</a>.  </p>
 
-<p> This feature is retroactive in Postfix 2.4 and later. </p>
+<p> This feature is available in Postfix 2.4.15, 2.6.8, 2.7.2 and
+later versions. Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = yes" for backwards
+compatibility, to avoid breaking certificate verification with sites
+that don't use <a href="postconf.5.html#permit_tls_all_clientcerts">permit_tls_all_clientcerts</a>. </p>
 
 
 </DD>

postfix/man/man5/postconf.5

@@ -5414,7 +5414,7 @@ $smtp_tls_cert_file.
 .PP
 Specify "tls_append_default_CA = no" to prevent Postfix from
 appending the system-supplied default CAs and trusting third-party
-certificates. This setting is default as of Postfix 2.8.
+certificates.
 .PP
 Example:
 .PP
@@ -5438,7 +5438,7 @@ must be inside the chroot jail.
 .PP
 Specify "tls_append_default_CA = no" to prevent Postfix from
 appending the system-supplied default CAs and trusting third-party
-certificates. This setting is default as of Postfix 2.8.
+certificates.
 .PP
 Example:
 .PP
@@ -6803,10 +6803,11 @@ authenticated via the RFC 4954 (AUTH) protocol.
 Permit the request when the remote SMTP client certificate is
 verified successfully.  This option must be used only if a special
 CA issues the certificates and only this CA is listed as trusted
-CA. This requires that "tls_append_default_CA = no" (the default
+CA. Otherwise, clients with a third-party certificate would also
-with Postfix 2.8 and later).  Otherwise, clients with a third-party
+be allowed to relay.  Specify "tls_append_default_CA = no" when the
-certificate would also be allowed to relay. This feature is available
+trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath,
-with Postfix version 2.2.
+to prevent Postfix from appending the system-supplied default CAs.
+This feature is available with Postfix version 2.2.
 .IP "\fBpermit_tls_clientcerts\fR"
 Permit the request when the remote SMTP client certificate
 fingerprint is listed in $relay_clientcerts.
@@ -8051,7 +8052,7 @@ server certificate file.
 .PP
 Specify "tls_append_default_CA = no" to prevent Postfix from
 appending the system-supplied default CAs and trusting third-party
-certificates. This setting is default as of Postfix 2.8.
+certificates.
 .PP
 By default (see smtpd_tls_ask_ccert), client certificates are not
 requested, and smtpd_tls_CAfile should remain empty. If you do make use
@@ -8084,7 +8085,7 @@ inside the chroot jail.
 .PP
 Specify "tls_append_default_CA = no" to prevent Postfix from
 appending the system-supplied default CAs and trusting third-party
-certificates. This setting is default as of Postfix 2.8.
+certificates.
 .PP
 By default (see smtpd_tls_ask_ccert), client certificates are
 not requested, and smtpd_tls_CApath should remain empty. In contrast
@@ -8943,13 +8944,14 @@ This feature is available in Postfix 2.6 and later.
 .SH tls_append_default_CA (default: no)
 Append the system-supplied default certificate authority
 certificates to the ones specified with *_tls_CApath or *_tls_CAfile.
-.PP
+The default is "no"; this prevents Postfix from trusting third-party
-To avoid massive compatibility breaks, this parameter defaults
+certificates and giving them relay permission with
-to "yes" for Postfix versions 2.7 and earlier. That is, they trust
-third-party certificates and they give relay permission with
 permit_tls_all_clientcerts.
 .PP
-This feature is retroactive in Postfix 2.4 and later.
+This feature is available in Postfix 2.4.15, 2.6.8, 2.7.2 and
+later versions. Specify "tls_append_default_CA = yes" for backwards
+compatibility, to avoid breaking certificate verification with sites
+that don't use permit_tls_all_clientcerts.
 .SH tls_daemon_random_bytes (default: 32)
 The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8)
 process requests from the \fBtlsmgr\fR(8) server in order to seed its

postfix/proto/postconf.proto

@@ -4860,10 +4860,11 @@ authenticated via the RFC 4954 (AUTH) protocol. </dd>
 <dd> Permit the request when the remote SMTP client certificate is
 verified successfully.  This option must be used only if a special
 CA issues the certificates and only this CA is listed as trusted
-CA. This requires that "tls_append_default_CA = no" (the default
+CA. Otherwise, clients with a third-party certificate would also
-with Postfix 2.8 and later).  Otherwise, clients with a third-party
+be allowed to relay.  Specify "tls_append_default_CA = no" when the
-certificate would also be allowed to relay. This feature is available
+trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath,
-with Postfix version 2.2.</dd>
+to prevent Postfix from appending the system-supplied default CAs.
+This feature is available with Postfix version 2.2.</dd>
 
 <dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
 
@@ -8678,7 +8679,7 @@ server certificate file. </p>
 
 <p> Specify "tls_append_default_CA = no" to prevent Postfix from
 appending the system-supplied default CAs and trusting third-party
-certificates. This setting is default as of Postfix 2.8. </p>
+certificates. </p>
 
 <p> By default (see smtpd_tls_ask_ccert), client certificates are not
 requested, and smtpd_tls_CAfile should remain empty. If you do make use
@@ -8709,7 +8710,7 @@ inside the chroot jail. </p>
 
 <p> Specify "tls_append_default_CA = no" to prevent Postfix from
 appending the system-supplied default CAs and trusting third-party
-certificates. This setting is default as of Postfix 2.8. </p>
+certificates. </p>
 
 <p> By default (see smtpd_tls_ask_ccert), client certificates are
 not requested, and smtpd_tls_CApath should remain empty. In contrast
@@ -9081,7 +9082,7 @@ $smtp_tls_cert_file. </p>
 
 <p> Specify "tls_append_default_CA = no" to prevent Postfix from
 appending the system-supplied default CAs and trusting third-party
-certificates. This setting is default as of Postfix 2.8. </p>
+certificates. </p>
 
 <p> Example: </p>
 
@@ -9104,7 +9105,7 @@ must be inside the chroot jail. </p>
 
 <p> Specify "tls_append_default_CA = no" to prevent Postfix from
 appending the system-supplied default CAs and trusting third-party
-certificates. This setting is default as of Postfix 2.8. </p>
+certificates. </p>
 
 <p> Example: </p>
 
@@ -9399,14 +9400,14 @@ smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
 
 <p> Append the system-supplied default certificate authority
 certificates to the ones specified with *_tls_CApath or *_tls_CAfile.
-</p>
+The default is "no"; this prevents Postfix from trusting third-party
-
+certificates and giving them relay permission with
-<p> To avoid massive compatibility breaks, this parameter defaults
-to "yes" for Postfix versions 2.7 and earlier. That is, they trust
-third-party certificates and they give relay permission with
 permit_tls_all_clientcerts.  </p>
 
-<p> This feature is retroactive in Postfix 2.4 and later. </p>
+<p> This feature is available in Postfix 2.4.15, 2.6.8, 2.7.2 and
+later versions. Specify "tls_append_default_CA = yes" for backwards
+compatibility, to avoid breaking certificate verification with sites
+that don't use permit_tls_all_clientcerts. </p>
 
 %PARAM tls_random_exchange_name see "postconf -d" output
 

postfix/src/global/mail_params.h

@@ -624,7 +624,7 @@ extern bool var_stat_home_dir;
 extern int var_dup_filter_limit;
 
 #define VAR_TLS_APPEND_DEF_CA	"tls_append_default_CA"
-#define DEF_TLS_APPEND_DEF_CA	0	/* 1 for Postfix < 2.8 */
+#define DEF_TLS_APPEND_DEF_CA	0	/* Postfix < 2.8 BC break */
 extern bool var_tls_append_def_CA;
 
 #define VAR_TLS_RAND_EXCH_NAME	"tls_random_exchange_name"

postfix/src/global/mail_version.h

@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20100610"
+#define MAIL_RELEASE_DATE	"20100615"
 #define MAIL_VERSION_NUMBER	"2.8"
 
 #ifdef SNAPSHOT