diff --git a/postfix/AAAREADME b/postfix/AAAREADME index e6f5940d5..7b7a4b696 100644 --- a/postfix/AAAREADME +++ b/postfix/AAAREADME @@ -149,6 +149,7 @@ Postfix daemons: src/oqmgr/ Old queue manager src/pickup/ Local pickup src/pipe/ Pipe delivery + src/postlogd/ Syslog alternative, logs to file or stdout src/postscreen/ Zombie blocker src/proxymap/ Table lookup proxy agent src/qmgr/ Queue manager @@ -159,7 +160,7 @@ Postfix daemons: src/smtpd/ SMTP server src/spawn/ Run non-Postfix server src/tlsmgr/ TLS session keys and random pool - src/tlsproxy/ TLS proxy for postscreen + src/tlsproxy/ TLS proxy for postscreen and outbound connection reuse src/trivial-rewrite/ Address rewriting and resolving src/verify/ address verification service src/virtual/ virtual mailbox-only delivery agent diff --git a/postfix/HISTORY b/postfix/HISTORY index 1ea5d38b0..c0119def5 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -17692,7 +17692,7 @@ Apologies for any names omitted. 20120330 - Workaround: specify "\c" at the start of an smtp_reject_footer + Workaround: specify "\c" at the start of an smtpd_reject_footer template to suppress the line break between the reply text and the footer text. Files: global/smtp_reply_footer.c, proto/postconf.proto. @@ -23633,10 +23633,10 @@ Apologies for any names omitted. 20180812 - Feature: smtp_reject_footer_maps (as well as the postscreen + Feature: smtpd_reject_footer_maps (as well as the postscreen variant postscreen_reject_footer_maps). This is indexed with the SMTP server response text, and overrides the footer - specified with smtp_reject_footer. Files: global/mail_params.h, + specified with smtpd_reject_footer. Files: global/mail_params.h, mantools/postlink, postscreen/postscreen.c, postscreen/postscreen_send.c, postscreen/postscreen_smtpd.c, proto/postconf.proto, smtpd/smtpd.c, smtpd/smtpd_chat.c. 
@@ -24105,3 +24105,12 @@ Apologies for any names omitted. Debugging: tlsproxy(8) now logs more details about unexpected configuration differences between the Postfix SMTP client and the tlsproxy(8) daemon. + +20190210 + + Documentation: Postfix 3.4.0 RELEASE NOTES. + + Documentation: added BDAT_README. + + Documentation: global TLS settings. Files: mantools/postlink, + smtp/smtp.c, tlsproxy/tlsproxy.c. diff --git a/postfix/README_FILES/AAAREADME b/postfix/README_FILES/AAAREADME index 07bd21ea1..9afa3b7d2 100644 --- a/postfix/README_FILES/AAAREADME +++ b/postfix/README_FILES/AAAREADME @@ -78,6 +78,7 @@ OOtthheerr ttooppiiccss * ADDRESS_CLASS_README: Address Classes * CONNECTION_CACHE_README: Connection cache howto * DSN_README: Postfix DSN support + * BDAT_README: Postfix BDAT (CHUNKING) support * PACKAGE_README: Guidelines for Package Builders * SCHEDULER_README: Queue Scheduler * XCLIENT_README: XCLIENT Command diff --git a/postfix/README_FILES/BDAT_README b/postfix/README_FILES/BDAT_README new file mode 100644 index 000000000..2dc1df35c --- /dev/null +++ b/postfix/README_FILES/BDAT_README 
@@ -0,0 +1,124 @@ +PPoossttffiixx BBDDAATT ((CCHHUUNNKKIINNGG)) ssuuppppoorrtt + +------------------------------------------------------------------------------- + +OOvveerrvviieeww + +Postfix SMTP server supports RFC 3030 CHUNKING (the BDAT command) without +BINARYMIME, in both smtpd(8) and postscreen(8). It is enabled by default. + +Topics covered in this document: + + * Disabling BDAT support + * Impact on existing configurations + * Example SMTP session + * Benefits of CHUNKING (BDAT) support without BINARYMIME + * Downsides of CHUNKING (BDAT) support + +DDiissaabblliinngg BBDDAATT ssuuppppoorrtt + +BDAT support is enabled by default. To disable BDAT support globally: + + /etc/postfix/main.cf: + # The logging alternative: + smtpd_discard_ehlo_keywords = chunking + # The non-logging alternative: + smtpd_discard_ehlo_keywords = chunking, silent_discard + +Specify '-o smtpd_discard_ehlo_keywords=' in master.cf for the submission and +smtps services, if you have clients that benefit from CHUNKING support. + +IImmppaacctt oonn eexxiissttiinngg ccoonnffiigguurraattiioonnss + + * There are no changes for smtpd_mumble_restrictions, smtpd_proxy_filter, + smtpd_milters, or for postscreen settings, except for the above mentioned + option to suppress the SMTP server's CHUNKING service announcement. + + * There are no changes in the Postfix queue file content, no changes for + down-stream SMTP servers or after-queue content filters, and no changes in + the envelope or message content that Milters will receive. + +EExxaammppllee SSMMTTPP sseessssiioonn + +The main differences are that the Postfix SMTP server announces "CHUNKING" +support in the EHLO response, and that instead of sending one DATA request, the +remote SMTP client may send one or more BDAT requests. In the example below, +"S:" indicates server responses, and "C:" indicates client requests (bold +font). 
+ + S: 220 server.example.com + C: EEHHLLOO cclliieenntt..eexxaammppllee..ccoomm + S: 250-server.example.com + S: 250-PIPELINING + S: 250-SIZE 153600000 + S: 250-VRFY + S: 250-ETRN + S: 250-STARTTLS + S: 250-AUTH PLAIN LOGIN + S: 250-ENHANCEDSTATUSCODES + S: 250-8BITMIME + S: 250-DSN + S: 250-SMTPUTF8 + S: 250 CHUNKING + C: MMAAIILL FFRROOMM::<> + S: 250 2.1.0 Ok + C: RRCCPPTT TTOO::<> + S: 250 2.1.5 Ok + C: BBDDAATT 1100000000 + C: ....ffoolllloowweedd bbyy 1100000000 bbyytteess...... + S: 250 2.0.0 Ok: 10000 bytes + C: BBDDAATT 112233 + C: ....ffoolllloowweedd bbyy 112233 bbyytteess...... + S: 250 2.0.0 Ok: 123 bytes + C: BBDDAATT 00 LLAASSTT + S: 250 2.0.0 Ok: 10123 bytes queued as 41yYhh41qmznjbD + C: QQUUIITT + S: 221 2.0.0 Bye + +Internally in Postfix, there is no difference between mail that was received +with BDAT or with DATA. Postfix smtpd_mumble_restrictions, policy delegation +queries, smtpd_proxy_filter and Milters all behave as if Postfix received (MAIL ++ RCPT + DATA + end-of-data). However, Postfix will log BDAT-related failures +as "xxx after BDAT" to avoid complicating troubleshooting (xxx = 'lost +connection' or 'timeout'), and will log a warning when a client sends a +malformed BDAT command. + +BBeenneeffiittss ooff CCHHUUNNKKIINNGG ((BBDDAATT)) ssuuppppoorrtt wwiitthhoouutt BBIINNAARRYYMMIIMMEE + +Support for CHUNKING (BDAT) was added to improve interoperability with some +clients, a benefit that would reportedly exist even without Postfix support for +BINARYMIME. Since June 2018, Wietse's mail server has received BDAT commands +from a variety of systems. + +Postfix does not support BINARYMIME at this time because: + + * BINARYMIME support would require moderately invasive changes to Postfix, to + support email content that is not line-oriented. With BINARYMIME, the + Content-Length: message header specifies the length of content that may or + may not have line boundaries. 
Without BINARYMIME support, email RFCs + require that binary content is base64-encoded, and formatted as lines of + text. + + * For delivery to non-BINARYMIME systems including UNIX mbox, the available + options are to convert binary content into 8bit text, one of the 7bit forms + (base64 or quoted-printable), or to return email as undeliverable. Any + conversion would obviously break digital signatures, so conversion would + have to happen before signing. + +DDoowwnnssiiddeess ooff CCHHUUNNKKIINNGG ((BBDDAATT)) ssuuppppoorrtt + +The RFC 3030 authors did not specify any limitations on how clients may +pipeline commands (i.e. send commands without waiting for a server response). +If a server announces PIPELINING support, like Postfix does, then a remote SMTP +client can pipeline all commands following EHLO, for example, MAIL/RCPT/BDAT/ +BDAT/MAIL/RCPT/BDAT, without ever having to wait for a server response. This +means that with BDAT, the Postfix SMTP server cannot distinguish between a +well-behaved client and a spambot, based on their command pipelining behavior. +If you require "reject_unauth_pipelining" to block spambots, then turn off +Postfix's CHUNKING announcement as described above. + +In RFC 4468, the authors write that a client may pipeline commands, and that +after sending BURL LAST or BDAT LAST, a client must wait for the server's +response. But as this text does not appear in RFC 3030 which defines BDAT, is +it a useless restriction that Postfix will not enforce. + diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index 5037b316f..1986c5be9 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES 
@@ -1,19 +1,19 @@ -This is the Postfix 3.4 (experimental) release. +This is the Postfix 3.5 (experimental) release. -The stable Postfix release is called postfix-3.3.x where 3=major -release number, 3=minor release number, x=patchlevel. The stable +The stable Postfix release is called postfix-3.4.x where 3=major +release number, 4=minor release number, x=patchlevel. The stable release never changes except for patches that address bugs or emergencies. Patches change the patchlevel and the release date. New features are developed in snapshot releases. These are called -postfix-3.4-yyyymmdd where yyyymmdd is the release date (yyyy=year, +postfix-3.5-yyyymmdd where yyyymmdd is the release date (yyyy=year, mm=month, dd=day). Patches are never issued for snapshot releases; instead, a new snapshot is released. The mail_release_date configuration parameter (format: yyyymmdd) specifies the release date of a stable release or snapshot release. -If you upgrade from Postfix 3.2 or earlier, read RELEASE_NOTES-3.3 +If you upgrade from Postfix 3.3 or earlier, read RELEASE_NOTES-3.4 before proceeding. License change 
@@ -24,217 +24,3 @@ historical IBM Public License 1.0, it is now also distributed with the more recent Eclipse Public License 2.0. Recipients can choose to take the software under the license of their choice. Those who are more comfortable with the IPL can continue with that license. - -Incompatible changes with snapshot 20190126-nonprod -==================================================== - -This introduces a new master.cf service 'postlog' with type -'unix-dgram' that is used by the new postlogd(8) daemon. The -'unix-dgram' service type is not supported by older Postfix versions. -Before backing out to an older version, edit the master.cf file and -remove the postlog entry. - -Major changes with snapshot 20190126-nonprod -============================================ - -Support for logging to file or stdout, instead of using syslog. - -- Logging to file solves a usability problem for MacOS, and - eliminates multiple problems with systemd-based systems. - -- Logging to stdout is useful when Postfix runs in a container, as - it eliminates a syslogd dependency. - -See MAILLOG_README for configuration examples and logfile rotation. - -Incompatible changes with snapshot 20190106 -=========================================== - -Postfix 3.4 drops support for OpenSSL 1.0.1 (end-of-life December -31, 2016) and earlier releases. - -Major changes with snapshot 20190106 -==================================== - -SNI support in the Postfix SMTP server, the Postfix SMTP client, -and in the tlsproxy daemon (both server and client roles). See the -postconf(5) documentation for the new tls_server_sni_maps and -smtp_tls_servername parameters. - -Support for files that contain multiple (key, certificate, trust -chain) instances. This was required to implement server-side SNI -table lookups, but it also eliminates the need for separate cert/key -files for RSA, DSA, Elliptic Curve, and so on. 
The file format is -documented in the TLS_README sections "Server-side certificate and -private key configuration" and "Client-side certificate and private -key configuration", and in the postconf(5) documentation for the -parameters smtp_tls_chain_files, smtpd_tls_chain_files, -tlsproxy_client_chain_files, and tlsproxy_tls_chain_files. - -Note: the command "postfix tls" does not yet support the new -consolidated certificate chain format. If you switch to the new -format, you'll need to manage your keys and certificates directly, -rather than via postfix-tls(1). - -Major changes with snapshot 20180826 -==================================== - -Postfix SMTP server support for RFC 3030 CHUNKING (the BDAT command) -without BINARYMIME, in both smtpd(8) and postscreen(8). - -To disable the SMTP server's CHUNKING support: - -/etc/postfix/main.cf: - # The logging alternative: - smtpd_discard_ehlo_keywords = chunking - # The non-logging alternative: - smtpd_discard_ehlo_keywords = chunking, silent_discard - -Be sure to specify '-o smtpd_discard_ehlo_keywords=' in master.cf -for the submission and smtps services, in case you have clients -that benefit from CHUNKING support. - -Impact on existing configurations: ----------------------------------- - -- There are no changes for smtpd_mumble_restrictions, smtpd_proxy_filter, - smtpd_milters, or for postscreen settings, except for the additional - option to suppress the SMTP server's CHUNKING service announcement. - -- There are no changes in the Postfix queue file content, no changes - for down-stream SMTP servers or after-queue content filters, and - no changes in the envelope or message content that Milters will - receive. - -Example SMTP session --------------------- - -The main differences are that the Postfix SMTP server announces -"CHUNKING" support in the EHLO response, and that instead of sending -one DATA request, the remote SMTP client may send one or more BDAT -requests. 
In the example below, "S:" indicates server responses, -and "C:" indicates client requests. - - S: 220 server.example.com - C: EHLO client.example.com - S: 250-server.example.com - S: 250-PIPELINING - S: 250-SIZE 153600000 - S: 250-VRFY - S: 250-ETRN - S: 250-STARTTLS - S: 250-AUTH PLAIN LOGIN - S: 250-ENHANCEDSTATUSCODES - S: 250-8BITMIME - S: 250-DSN - S: 250-SMTPUTF8 - S: 250 CHUNKING - C: MAIL FROM: - S: 250 2.1.0 Ok - C: RCPT TO: - S: 250 2.1.5 Ok - C: BDAT 10000 - C: ..followed by 10000 bytes... - S: 250 2.0.0 Ok: 10000 bytes - C: BDAT 123 - C: ..followed by 123 bytes... - S: 250 2.0.0 Ok: 123 bytes - C: BDAT 0 LAST - S: 250 2.0.0 Ok: 10123 bytes queued as 41yYhh41qmznjbD - C: QUIT - S: 221 2.0.0 Bye - -Internally in Postfix, there is no difference between mail that was -received with BDAT or with DATA. Postfix smtpd_mumble_restrictions, -policy delegation queries, smtpd_proxy_filter and Milters all behave -as if Postfix received (MAIL + RCPT + DATA + end-of-data). However, -Postfix will log BDAT-related failures as "xxx after BDAT" to avoid -complicating troubleshooting (xxx = 'lost connection' or 'timeout'), -and will log a warning when a client sends a malformed BDAT command. - -Benefits of CHUNKING (BDAT) support without BINARYMIME: -------------------------------------------------------- - -Support for CHUNKING (BDAT) was added to improve interoperability -with some clients, a benefit that would reportedly exist even without -Postfix support for BINARYMIME. - -Postfix does not support BINARYMIME at this time because: - -- BINARYMIME support would require moderately invasive changes to - support email content that is not line-oriented. With BINARYMIME, - the Content-Length: header specifies the length of arbitrary - content that has no line boundaries. Without BINARYMIME, binary - content is base64-encoded, and formatted as lines of text. 
- -- There is no conversion of BINARYMIME to a line-oriented 8BITMIME - form that is compatible with legacy systems including UNIX mbox. - The available options are to convert binary content into one of - the 7bit forms (base64 or quoted-printable), or to return email - as undeliverable. Any conversion would break digital signatures, - so it would have to happen before signing. - -Downsides of CHUNKING (BDAT) support: -------------------------------------- - -The RFC 3030 authors did not specify any limitations on how clients -may pipeline commands (i.e. send commands without waiting for a -server response). If a server announces PIPELINING support, like -Postfix does, then a remote SMTP client can pipeline all commands -following EHLO, for example, MAIL/RCPT/BDAT/BDAT/MAIL/RCPT/BDAT, -without ever having to wait for a server response. This means that -with BDAT, the Postfix SMTP server cannot distinguish between a -well-behaved client and a spambot, based on their command pipelining -behavior. If you require "reject_unauth_pipelining" to block spambots, -turn off the CHUNKING support announcement as described above. - -Incompatible change with snapshot 20180701 -========================================== - -To avoid performance loss under load, the tlsproxy(8) daemon now -requires a zero process limit in master.cf (this setting is provided -with the default master.cf file). As tlsproxy(8) processes become -too busy handling TLS connections, more processes will automatically -be added. By default, a tlsproxy(8) process will retire after several -hours. - -To set the tlsproxy process limit to zero: - -# postconf -F tlsproxy/unix/process_limit=0 -# postfix reload - -Major changes with snapshot 20180617 -==================================== - -Preliminary Postfix SMTP client support for multiple deliveries per -TLS-encrypted connection. This is primarily to improve mail delivery -performance for destinations that throttle clients when they don't -combine deliveries. 
- -This feature is enabled with "smtp_tls_connection_reuse=yes" in -main.cf, or with "tls_connection_reuse=yes" in smtp_tls_policy_maps. -It supports all Postfix TLS security levels including dane and -dane-only. - -The implementation of TLS connection reuse relies on the same -scache(8) service as used for delivering plaintext SMTP mail, the -same tlsproxy(8) daemon as used by the postscreen(8) service for -inbound connections, and relies on the same hints from the qmgr(8) -daemon. It reuses the configuration parameters described in -CONNECTION_CACHE_README. - -The following illustrates how TLS connections are reused: - - Initial plaintext SMTP handshake: - smtp(8) -> remote SMTP server - - Reused SMTP/TLS connection, or new SMTP/TLS connection: - smtp(8) -> tlsproxy(8) -> remote SMTP server - - Cached SMTP/TLS connection: - scache(8) -> tlsproxy(8) -> remote SMTP server - -There are a few refinements planned: - -- Log the TLS properties every time a connection is reused. - Currently, the properties are logged when a TLS session is created. diff --git a/postfix/RELEASE_NOTES-3.4 b/postfix/RELEASE_NOTES-3.4 new file mode 100644 index 000000000..6794f1d3c --- /dev/null +++ b/postfix/RELEASE_NOTES-3.4 
@@ -0,0 +1,208 @@ +This is the Postfix 3.4 (stable) release. + +The stable Postfix release is called postfix-3.4.x where 3=major +release number, 4=minor release number, x=patchlevel. The stable +release never changes except for patches that address bugs or +emergencies. Patches change the patchlevel and the release date. + +New features are developed in snapshot releases. These are called +postfix-3.5-yyyymmdd where yyyymmdd is the release date (yyyy=year, +mm=month, dd=day). Patches are never issued for snapshot releases; +instead, a new snapshot is released. + +The mail_release_date configuration parameter (format: yyyymmdd) +specifies the release date of a stable release or snapshot release. + +If you upgrade from Postfix 3.2 or earlier, read RELEASE_NOTES-3.3 +before proceeding. + +License change +--------------- + +This software is distributed with a dual license: in addition to the +historical IBM Public License 1.0, it is now also distributed with the +more recent Eclipse Public License 2.0. Recipients can choose to take +the software under the license of their choice. Those who are more +comfortable with the IPL can continue with that license. + +Summary of changes +------------------ + +Incompatible changes, bdat support, containers, database support, +logging, safety, tls connection pooling, tls support, usability, + +Incompatible changes +-------------------- + +[Incompat 20180826] The Postfix SMTP server announces CHUNKING (BDAT +command) by default. In the unlikely case that this breaks some +important remote SMTP client, disable the feature as follows: + +/etc/postfix/main.cf: + # The logging alternative: + smtpd_discard_ehlo_keywords = chunking + # The non-logging alternative: + smtpd_discard_ehlo_keywords = chunking, silent_discard + +See BDAT_README for more. + +[Incompat 20190126] This introduces a new master.cf service 'postlog' +with type 'unix-dgram' that is used by the new postlogd(8) daemon. 
+Before backing out to an older Postfix version, edit the master.cf +file and remove the postlog entry. + +[Incompat 20190106] Postfix 3.4 drops support for OpenSSL 1.0.1 +(end-of-life was December 31, 2016) and all earlier releases. + +[Incompat 20180701] To avoid performance loss under load, the +tlsproxy(8) daemon now requires a zero process limit in master.cf +(this setting is provided with the default master.cf file). By +default, a tlsproxy(8) process will retire after several hours. + +To set the tlsproxy process limit to zero: + +# postconf -F tlsproxy/unix/process_limit=0 +# postfix reload + +Major changes - bdat support +-------------------- + +[Feature 20180826] Postfix SMTP server support for RFC 3030 CHUNKING +(the BDAT command) without BINARYMIME, in both smtpd(8) and +postscreen(8). This has no effect on Milters, smtpd_mumble_restrictions, +and smtpd_proxy_filter. See BDAT_README for more. + +Major changes - containers +-------------------------- + +[Feature 20190126] Support for logging to file or stdout, instead +of using syslog. + +- Logging to file solves a usability problem for MacOS, and + eliminates multiple problems with systemd-based systems. + +- Logging to stdout is useful when Postfix runs in a container, as + it eliminates a syslogd dependency. + +See MAILLOG_README for configuration examples and logfile rotation. + +[Feature 20180422] Better handling of undocumented(!) Linux behavior +whether or not signals are delivered to a PID=1 process. + +Major changes - database support +-------------------------------- + +[Feature 20181105] Support for (key, list of filenames) in map +source text. + +- Currently, this feature is used only by tls_server_sni_maps. 
+ +- When a map is created from source with "postmap -F maptype:mapname", + the command processes each key as usual and processes each value + as a list of filenames, concatenates the content of those files + (with one newline character in-between files), and stores an entry + with (key, base64-encoded result). + +- When a map is queried with "postmap -F -q ...", the command + base64-decodes each value. It reports an error when a value is + not in base64 form. + + This "postmap -F -q ..." behavior also works when querying the + memory-resident map types cidr:, inline:, pcre:, randmap:, regexp:, + and static:. Postfix reads the files specified as table values, + stores base64-encoded content, and base64-decodes content upon + table lookup. + + Internally, Postfix will turn on this behavior for lookups (not + updates) when a map is opened with the DICT_FLAG_RHS_IS_FILE flag. + +Major changes - logging +----------------------- + +[Feature 20190126] Support for logging to file or stdout, instead +of using syslog. + +- Logging to file solves a usability problem for MacOS, and + eliminates multiple problems with systemd-based systems. + +- Logging to stdout is useful when Postfix runs in a container, as + it eliminates a syslogd dependency. + +See MAILLOG_README for configuration examples and logfile rotation. + +Major changes - safety +---------------------- + +[Feature 20180623] Automatic retirement: dnsblog(8) and tlsproxy(8) process +will now voluntarily retire after after max_idle*max_use, or some +sane limit if either limit is disabled. Without this, a process +could stay busy for days or more. + +Major changes - tls connection pooling +-------------------------------------- + +[Feature 20180617] Postfix SMTP client support for multiple deliveries +per TLS-encrypted connection. This is primarily to improve mail +delivery performance for destinations that throttle clients when +they don't combine deliveries. 
+ +This feature is enabled with "smtp_tls_connection_reuse=yes" in +main.cf, or with "tls_connection_reuse=yes" in smtp_tls_policy_maps. +It supports all Postfix TLS security levels including dane and +dane-only. + +The implementation of TLS connection reuse relies on the same +scache(8) service as used for delivering plaintext SMTP mail, the +same tlsproxy(8) daemon as used by the postscreen(8) service for +inbound connections, and relies on the same hints from the qmgr(8) +daemon. It reuses the configuration parameters described in +CONNECTION_CACHE_README. + +The Postfix SMTP client now logs whether an SMTP-over-TLS connection +is newly established ("TLS connection established") or whether the +connection is reused ("TLS connection reused"). + +The following illustrates how TLS connections are reused: + + Initial plaintext SMTP handshake: + smtp(8) -> remote SMTP server + + Reused SMTP/TLS connection, or new SMTP/TLS connection: + smtp(8) -> tlsproxy(8) -> remote SMTP server + + Cached SMTP/TLS connection: + scache(8) -> tlsproxy(8) -> remote SMTP server + +Major changes - tls support +--------------------------- + +[Feature 20190106] SNI support in the Postfix SMTP server, the +Postfix SMTP client, and in the tlsproxy(8) daemon (both server and +client roles). See the postconf(5) documentation for the new +tls_server_sni_maps and smtp_tls_servername parameters. + +[Feature 20190106] Support for files that contain multiple (key, +certificate, trust chain) instances. This was required to implement +server-side SNI table lookups, but it also eliminates the need for +separate cert/key files for RSA, DSA, Elliptic Curve, and so on. +The file format is documented in the TLS_README sections "Server-side +certificate and private key configuration" and "Client-side certificate +and private key configuration", and in the postconf(5) documentation +for the parameters smtp_tls_chain_files, smtpd_tls_chain_files, +tlsproxy_client_chain_files, and tlsproxy_tls_chain_files. 
+ +Note: the command "postfix tls" does not yet support the new +consolidated certificate chain format. If you switch to the new +format, you'll need to manage your keys and certificates directly, +rather than via postfix-tls(1). + +Major changes - usability +------------------------- + +[Feature 20180812] Support for smtpd_reject_footer_maps (as well +as the postscreen variant postscreen_reject_footer_maps) for more +informative reject messages. This is indexed with the Postfix SMTP +server response text, and overrides the footer specified with +smtpd_reject_footer. One will want to use a pcre: or regexp: map +with this. + diff --git a/postfix/WISHLIST b/postfix/WISHLIST index 245590f35..23f7e4e0f 100644 --- a/postfix/WISHLIST +++ b/postfix/WISHLIST @@ -1,18 +1,15 @@ Wish list: - Move tls_proxy_client_scan.c _to_string() function - to tls_proxy_client_misc.c. + Things to do before the stable release: - In tlsproxy, include parameter names in the diffs between - expected and client properties. This requires a function - tls_proxy_client_init_with_names_to_string(). + Spell-check, double-word check, HTML validator check, + mantools/missing-proxy-read-maps check. + + Disable -DSNAPSHOT and -DNONPROD in makedefs. make tls_pre_jail_init() safe by design for use in programs that implement both clients and servers. - postfix rotate-log command: mv postfix.log postfix.log.$(date - +%Y%M%d-%H%M%S) to avoid data loss if called repeatedly. - In smtpd(8) and postscreen(8), set the ehlo_discard_mask to ~0 so that STARTTLS, BDAT, DSN, etc. work only for clients that send EHLO. 
@@ -23,13 +20,6 @@ Wish list: In postscreen, don't fork after 'postfix reload' when psc_check_queue_length (and psc_post_queue_length?) is zero. - Things to do before the stable release: - - Spell-check, double-word check, HTML validator check, - mantools/missing-proxy-read-maps check. - - Disable -DSNAPSHOT and -DNONPROD in makedefs. - After I/O error, store errno in VSTREAM object before errno may be overwritten. diff --git a/postfix/html/BDAT_README.html b/postfix/html/BDAT_README.html new file mode 100644 index 000000000..b8feeeb14 --- /dev/null +++ b/postfix/html/BDAT_README.html @@ -0,0 +1,178 @@ + + + + + + +Postfix BDAT (CHUNKING) support + + + + + + + +

Postfix +BDAT (CHUNKING) support

+ +
+ +

Overview

+ +

Postfix SMTP server supports RFC 3030 CHUNKING (the BDAT command) +without BINARYMIME, in both smtpd(8) and postscreen(8). It is enabled +by default.

+ +

Topics covered in this document:

+ + + +

Disabling BDAT support

+ +

BDAT support is enabled by default. To disable BDAT support +globally:

+ +
+
+/etc/postfix/main.cf:
+    # The logging alternative:
+    smtpd_discard_ehlo_keywords = chunking
+    # The non-logging alternative:
+    smtpd_discard_ehlo_keywords = chunking, silent_discard
+
+
+ +

Specify '-o smtpd_discard_ehlo_keywords=' in master.cf +for the submission and smtps services, if you have clients +that benefit from CHUNKING support.

+ +

Impact on existing configurations

+ +
    + +
  • There are no changes for smtpd_mumble_restrictions, +smtpd_proxy_filter, smtpd_milters, or for postscreen settings, +except for the above mentioned option to suppress the SMTP server's +CHUNKING service announcement.

    + +
  • There are no changes in the Postfix queue file content, +no changes for down-stream SMTP servers or after-queue content +filters, and no changes in the envelope or message content that +Milters will receive.

    + +
+ +

Example SMTP session

+ +

The main differences are that the Postfix SMTP server announces +"CHUNKING" support in the EHLO response, and that instead of sending +one DATA request, the remote SMTP client may send one or more BDAT +requests. In the example below, "S:" indicates server responses, +and "C:" indicates client requests (bold font).

+ +
+
+    S: 220 server.example.com
+    C: EHLO client.example.com
+    S: 250-server.example.com
+    S: 250-PIPELINING
+    S: 250-SIZE 153600000
+    S: 250-VRFY
+    S: 250-ETRN
+    S: 250-STARTTLS
+    S: 250-AUTH PLAIN LOGIN
+    S: 250-ENHANCEDSTATUSCODES
+    S: 250-8BITMIME
+    S: 250-DSN
+    S: 250-SMTPUTF8
+    S: 250 CHUNKING
+    C: MAIL FROM:<sender@example.com>
+    S: 250 2.1.0 Ok
+    C: RCPT TO:<recipient@example.com>
+    S: 250 2.1.5 Ok
+    C: BDAT 10000
+    C: ..followed by 10000 bytes...
+    S: 250 2.0.0 Ok: 10000 bytes
+    C: BDAT 123
+    C: ..followed by 123 bytes...
+    S: 250 2.0.0 Ok: 123 bytes
+    C: BDAT 0 LAST
+    S: 250 2.0.0 Ok: 10123 bytes queued as 41yYhh41qmznjbD
+    C: QUIT
+    S: 221 2.0.0 Bye
+
+
+ +

Internally in Postfix, there is no difference between mail that +was received with BDAT or with DATA. Postfix smtpd_mumble_restrictions, +policy delegation queries, smtpd_proxy_filter and Milters all behave +as if Postfix received (MAIL + RCPT + DATA + end-of-data). However, +Postfix will log BDAT-related failures as "xxx after BDAT" to avoid +complicating troubleshooting (xxx = 'lost connection' or 'timeout'), +and will log a warning when a client sends a malformed BDAT command. +

+ +

Benefits of CHUNKING (BDAT) support without +BINARYMIME

+ +

Support for CHUNKING (BDAT) was added to improve interoperability +with some clients, a benefit that would reportedly exist even without +Postfix support for BINARYMIME. Since June 2018, Wietse's mail +server has received BDAT commands from a variety of systems.

+ +

Postfix does not support BINARYMIME at this time because:

+ +
    + +
  • BINARYMIME support would require moderately invasive +changes to Postfix, to support email content that is not line-oriented. +With BINARYMIME, the Content-Length: message header specifies the +length of content that may or may not have line boundaries. Without +BINARYMIME support, email RFCs require that binary content is +base64-encoded, and formatted as lines of text.

    + +
  • For delivery to non-BINARYMIME systems including UNIX mbox,
+the available options are to convert binary content into 8bit text,
+one of the 7bit forms (base64 or quoted-printable), or to return
+email as undeliverable. Any conversion would obviously break digital
+signatures, so conversion would have to happen before signing.

    + +
+ +

Downsides of CHUNKING (BDAT) support
+

+ +

The RFC 3030 authors did not specify any limitations on how
+clients may pipeline commands (i.e. send commands without waiting
+for a server response). If a server announces PIPELINING support,
+like Postfix does, then a remote SMTP client can pipeline all
+commands following EHLO, for example, MAIL/RCPT/BDAT/BDAT/MAIL/RCPT/BDAT,
+without ever having to wait for a server response. This means that
+with BDAT, the Postfix SMTP server cannot distinguish between a
+well-behaved client and a spambot, based on their command pipelining
+behavior. If you require "reject_unauth_pipelining" to block spambots,
+then turn off Postfix's CHUNKING announcement as described above.
+

+ +

In RFC 4468, the authors write that a client may pipeline
+commands, and that after sending BURL LAST or BDAT LAST, a client
+must wait for the server's response. But as this text does not
+appear in RFC 3030 which defines BDAT, is it a useless restriction
+that Postfix will not enforce.

+ + + +
diff --git a/postfix/html/index.html b/postfix/html/index.html
index 983ae42e9..c88728195 100644
--- a/postfix/html/index.html
+++ b/postfix/html/index.html
@@ -199,6 +199,8 @@ Recipients
  • Postfix DSN support +
  • Postfix BDAT (CHUNKING) support +
  • Guidelines for Package Builders diff --git a/postfix/html/lmtp.8.html b/postfix/html/lmtp.8.html index ee724df51..e02d89807 100644 --- a/postfix/html/lmtp.8.html +++ b/postfix/html/lmtp.8.html @@ -547,14 +547,23 @@ SMTP(8) SMTP(8) tls_disable_workarounds (see 'postconf -d' output) List or bit-mask of OpenSSL bug work-arounds to disable. + Available in Postfix version 2.11-3.1: + + tls_dane_digest_agility (on) + Configure RFC7671 DANE TLSA digest algorithm agility. + + tls_dane_trust_anchor_digest_enable (yes) + Enable support for RFC 6698 (DANE TLSA) DNS records that contain + digests of trust-anchors with certificate usage "2". + Available in Postfix version 2.11 and later: smtp_tls_trust_anchor_file (empty) - Zero or more PEM-format files with trust-anchor certificates + Zero or more PEM-format files with trust-anchor certificates and/or public keys. smtp_tls_force_insecure_host_tlsa_lookup (no) - Lookup the associated DANE TLSA RRset even when a hostname is + Lookup the associated DANE TLSA RRset even when a hostname is not an alias and its address records lie in an unsigned zone. tlsmgr_service_name (tlsmgr) @@ -563,14 +572,14 @@ SMTP(8) SMTP(8) Available in Postfix version 3.0 and later: smtp_tls_wrappermode (no) - Request that the Postfix SMTP client connects using the legacy + Request that the Postfix SMTP client connects using the legacy SMTPS protocol instead of using the STARTTLS command. Available in Postfix version 3.1 and later: smtp_tls_dane_insecure_mx_policy (dane) - The TLS policy for MX hosts with "secure" TLSA records when the - nexthop destination security level is dane, but the MX record + The TLS policy for MX hosts with "secure" TLSA records when the + nexthop destination security level is dane, but the MX record was found via an "insecure" MX lookup. Available in Postfix version 3.4 and later: 
@@ -579,48 +588,48 @@ SMTP(8) SMTP(8) Try to make multiple deliveries per TLS-encrypted connection. smtp_tls_chain_files (empty) - List of one or more PEM files, each holding one or more private + List of one or more PEM files, each holding one or more private keys directly followed by a corresponding certificate chain. smtp_tls_servername (empty) - Optional name to send to the remote SMTP server in the TLS + Optional name to send to the remote SMTP server in the TLS Server Name Indication (SNI) extension. OBSOLETE STARTTLS CONTROLS - The following configuration parameters exist for compatibility with - Postfix versions before 2.3. Support for these will be removed in a + The following configuration parameters exist for compatibility with + Postfix versions before 2.3. Support for these will be removed in a future release. smtp_use_tls (no) - Opportunistic mode: use TLS when a remote SMTP server announces + Opportunistic mode: use TLS when a remote SMTP server announces STARTTLS support, otherwise send the mail in the clear. smtp_enforce_tls (no) - Enforcement mode: require that remote SMTP servers use TLS + Enforcement mode: require that remote SMTP servers use TLS encryption, and never send mail in the clear. smtp_tls_enforce_peername (yes) - With mandatory TLS encryption, require that the remote SMTP - server hostname matches the information in the remote SMTP + With mandatory TLS encryption, require that the remote SMTP + server hostname matches the information in the remote SMTP server certificate. smtp_tls_per_site (empty) - Optional lookup tables with the Postfix SMTP client TLS usage - policy by next-hop destination and by remote SMTP server host- + Optional lookup tables with the Postfix SMTP client TLS usage + policy by next-hop destination and by remote SMTP server host- name. smtp_tls_cipherlist (empty) - Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS + Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS cipher list. 
RESOURCE AND RATE CONTROLS smtp_connect_timeout (30s) - The Postfix SMTP client time limit for completing a TCP connec- + The Postfix SMTP client time limit for completing a TCP connec- tion, or zero (use the operating system built-in time limit). smtp_helo_timeout (300s) - The Postfix SMTP client time limit for sending the HELO or EHLO - command, and for receiving the initial remote SMTP server + The Postfix SMTP client time limit for sending the HELO or EHLO + command, and for receiving the initial remote SMTP server response. lmtp_lhlo_timeout (300s) @@ -632,19 +641,19 @@ SMTP(8) SMTP(8) mand, and for receiving the remote SMTP server response. smtp_mail_timeout (300s) - The Postfix SMTP client time limit for sending the MAIL FROM + The Postfix SMTP client time limit for sending the MAIL FROM command, and for receiving the remote SMTP server response. smtp_rcpt_timeout (300s) - The Postfix SMTP client time limit for sending the SMTP RCPT TO + The Postfix SMTP client time limit for sending the SMTP RCPT TO command, and for receiving the remote SMTP server response. smtp_data_init_timeout (120s) - The Postfix SMTP client time limit for sending the SMTP DATA + The Postfix SMTP client time limit for sending the SMTP DATA command, and for receiving the remote SMTP server response. smtp_data_xfer_timeout (180s) - The Postfix SMTP client time limit for sending the SMTP message + The Postfix SMTP client time limit for sending the SMTP message content. smtp_data_done_timeout (600s) 
@@ -658,13 +667,13 @@ SMTP(8) SMTP(8) Available in Postfix version 2.1 and later: smtp_mx_address_limit (5) - The maximal number of MX (mail exchanger) IP addresses that can - result from Postfix SMTP client mail exchanger lookups, or zero + The maximal number of MX (mail exchanger) IP addresses that can + result from Postfix SMTP client mail exchanger lookups, or zero (no limit). smtp_mx_session_limit (2) - The maximal number of SMTP sessions per delivery request before - the Postfix SMTP client gives up or delivers to a fall-back + The maximal number of SMTP sessions per delivery request before + the Postfix SMTP client gives up or delivers to a fall-back relay host, or zero (no limit). smtp_rset_timeout (20s) @@ -674,17 +683,17 @@ SMTP(8) SMTP(8) Available in Postfix version 2.2 and earlier: lmtp_cache_connection (yes) - Keep Postfix LMTP client connections open for up to $max_idle + Keep Postfix LMTP client connections open for up to $max_idle seconds. Available in Postfix version 2.2 and later: smtp_connection_cache_destinations (empty) - Permanently enable SMTP connection caching for the specified + Permanently enable SMTP connection caching for the specified destinations. smtp_connection_cache_on_demand (yes) - Temporarily enable SMTP connection caching while a destination + Temporarily enable SMTP connection caching while a destination has a high volume of mail in the active queue. smtp_connection_reuse_time_limit (300s) 
@@ -698,23 +707,23 @@ SMTP(8) SMTP(8) Available in Postfix version 2.3 and later: connection_cache_protocol_timeout (5s) - Time limit for connection cache connect, send or receive opera- + Time limit for connection cache connect, send or receive opera- tions. Available in Postfix version 2.9 and later: smtp_per_record_deadline (no) - Change the behavior of the smtp_*_timeout time limits, from a - time limit per read or write system call, to a time limit to - send or receive a complete record (an SMTP command line, SMTP - response line, SMTP message content line, or TLS protocol mes- + Change the behavior of the smtp_*_timeout time limits, from a + time limit per read or write system call, to a time limit to + send or receive a complete record (an SMTP command line, SMTP + response line, SMTP message content line, or TLS protocol mes- sage). Available in Postfix version 2.11 and later: smtp_connection_reuse_count_limit (0) - When SMTP connection caching is enabled, the number of times - that an SMTP session may be reused before it is closed, or zero + When SMTP connection caching is enabled, the number of times + that an SMTP session may be reused before it is closed, or zero (no limit). Available in Postfix version 3.4 and later: 
@@ -726,52 +735,52 @@ SMTP(8) SMTP(8) transport_destination_concurrency_limit ($default_destination_concur- rency_limit) - A transport-specific override for the default_destination_con- + A transport-specific override for the default_destination_con- currency_limit parameter value, where transport is the master.cf name of the message delivery transport. transport_destination_recipient_limit ($default_destination_recipi- ent_limit) A transport-specific override for the default_destination_recip- - ient_limit parameter value, where transport is the master.cf + ient_limit parameter value, where transport is the master.cf name of the message delivery transport. SMTPUTF8 CONTROLS Preliminary SMTPUTF8 support is introduced with Postfix 3.0. smtputf8_enable (yes) - Enable preliminary SMTPUTF8 support for the protocols described + Enable preliminary SMTPUTF8 support for the protocols described in RFC 6531..6533. smtputf8_autodetect_classes (sendmail, verify) - Detect that a message requires SMTPUTF8 support for the speci- + Detect that a message requires SMTPUTF8 support for the speci- fied mail origin classes. Available in Postfix version 3.2 and later: enable_idna2003_compatibility (no) - Enable 'transitional' compatibility between IDNA2003 and - IDNA2008, when converting UTF-8 domain names to/from the ASCII + Enable 'transitional' compatibility between IDNA2003 and + IDNA2008, when converting UTF-8 domain names to/from the ASCII form that is used for DNS lookups. TROUBLE SHOOTING CONTROLS debug_peer_level (2) - The increment in verbose logging level when a remote client or + The increment in verbose logging level when a remote client or server matches a pattern in the debug_peer_list parameter. debug_peer_list (empty) - Optional list of remote client or server hostname or network + Optional list of remote client or server hostname or network address patterns that cause the verbose logging level to increase by the amount specified in $debug_peer_level. 
error_notice_recipient (postmaster) - The recipient of postmaster notifications about mail delivery + The recipient of postmaster notifications about mail delivery problems that are caused by policy, resource, software or proto- col errors. internal_mail_filter_classes (empty) - What categories of Postfix-generated mail are subject to - before-queue content inspection by non_smtpd_milters, + What categories of Postfix-generated mail are subject to + before-queue content inspection by non_smtpd_milters, header_checks and body_checks. notify_classes (resource, software) 
@@ -779,46 +788,46 @@ SMTP(8) SMTP(8) MISCELLANEOUS CONTROLS best_mx_transport (empty) - Where the Postfix SMTP client should deliver mail when it + Where the Postfix SMTP client should deliver mail when it detects a "mail loops back to myself" error condition. config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and master.cf con- + The default location of the Postfix main.cf and master.cf con- figuration files. daemon_timeout (18000s) - How much time a Postfix daemon process may take to handle a + How much time a Postfix daemon process may take to handle a request before it is terminated by a built-in watchdog timer. delay_logging_resolution_limit (2) - The maximal number of digits after the decimal point when log- + The maximal number of digits after the decimal point when log- ging sub-second delay values. disable_dns_lookups (no) Disable DNS lookups in the Postfix SMTP and LMTP clients. inet_interfaces (all) - The network interface addresses that this mail system receives + The network interface addresses that this mail system receives mail on. inet_protocols (all) - The Internet protocols Postfix will attempt to use when making + The Internet protocols Postfix will attempt to use when making or accepting connections. ipc_timeout (3600s) - The time limit for sending or receiving information over an + The time limit for sending or receiving information over an internal communication channel. lmtp_assume_final (no) - When a remote LMTP server announces no DSN support, assume that - the server performs final delivery, and send "delivered" deliv- + When a remote LMTP server announces no DSN support, assume that + the server performs final delivery, and send "delivered" deliv- ery status notifications instead of "relayed". lmtp_tcp_port (24) The default TCP port that the Postfix LMTP client connects to. 
max_idle (100s) - The maximum amount of time that an idle Postfix daemon process + The maximum amount of time that an idle Postfix daemon process waits for an incoming connection before terminating voluntarily. max_use (100) @@ -832,20 +841,20 @@ SMTP(8) SMTP(8) The process name of a Postfix command or daemon process. proxy_interfaces (empty) - The network interface addresses that this mail system receives + The network interface addresses that this mail system receives mail on by way of a proxy or network address translation unit. smtp_address_preference (any) The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP - client will try first, when a destination has IPv6 and IPv4 + client will try first, when a destination has IPv6 and IPv4 addresses with equal MX preference. smtp_bind_address (empty) - An optional numerical network address that the Postfix SMTP + An optional numerical network address that the Postfix SMTP client should bind to when making an IPv4 connection. smtp_bind_address6 (empty) - An optional numerical network address that the Postfix SMTP + An optional numerical network address that the Postfix SMTP client should bind to when making an IPv6 connection. smtp_helo_name ($myhostname) @@ -865,7 +874,7 @@ SMTP(8) SMTP(8) The syslog facility of Postfix logging. syslog_name (see 'postconf -d' output) - A prefix that is prepended to the process name in syslog + A prefix that is prepended to the process name in syslog records, so that, for example, "smtpd" becomes "prefix/smtpd". Available with Postfix 2.2 and earlier: @@ -883,7 +892,7 @@ SMTP(8) SMTP(8) Available with Postfix 3.0 and later: smtp_address_verify_target (rcpt) - In the context of email address verification, the SMTP protocol + In the context of email address verification, the SMTP protocol stage that determines whether an email address is deliverable. Available with Postfix 3.1 and later: 
diff --git a/postfix/html/postlogd.8.html b/postfix/html/postlogd.8.html index ae4a26a75..8cdc50d4d 100644 --- a/postfix/html/postlogd.8.html +++ b/postfix/html/postlogd.8.html @@ -31,7 +31,7 @@ POSTLOGD(8) POSTLOGD(8) log_file (also, logging to stdout would interfere with the operation of some of these programs). These programs can log to postlogd(8) if they are run by the super-user, or if their executable file has set-gid per- - mission. Do not set this permision on programs other than postdrop(1) + mission. Do not set this permission on programs other than postdrop(1) and postqueue(1). CONFIGURATION PARAMETERS diff --git a/postfix/html/smtp.8.html b/postfix/html/smtp.8.html index ee724df51..e02d89807 100644 --- a/postfix/html/smtp.8.html +++ b/postfix/html/smtp.8.html @@ -547,14 +547,23 @@ SMTP(8) SMTP(8) tls_disable_workarounds (see 'postconf -d' output) List or bit-mask of OpenSSL bug work-arounds to disable. + Available in Postfix version 2.11-3.1: + + tls_dane_digest_agility (on) + Configure RFC7671 DANE TLSA digest algorithm agility. + + tls_dane_trust_anchor_digest_enable (yes) + Enable support for RFC 6698 (DANE TLSA) DNS records that contain + digests of trust-anchors with certificate usage "2". + Available in Postfix version 2.11 and later: smtp_tls_trust_anchor_file (empty) - Zero or more PEM-format files with trust-anchor certificates + Zero or more PEM-format files with trust-anchor certificates and/or public keys. smtp_tls_force_insecure_host_tlsa_lookup (no) - Lookup the associated DANE TLSA RRset even when a hostname is + Lookup the associated DANE TLSA RRset even when a hostname is not an alias and its address records lie in an unsigned zone. tlsmgr_service_name (tlsmgr) 
@@ -563,14 +572,14 @@ SMTP(8) SMTP(8) Available in Postfix version 3.0 and later: smtp_tls_wrappermode (no) - Request that the Postfix SMTP client connects using the legacy + Request that the Postfix SMTP client connects using the legacy SMTPS protocol instead of using the STARTTLS command. Available in Postfix version 3.1 and later: smtp_tls_dane_insecure_mx_policy (dane) - The TLS policy for MX hosts with "secure" TLSA records when the - nexthop destination security level is dane, but the MX record + The TLS policy for MX hosts with "secure" TLSA records when the + nexthop destination security level is dane, but the MX record was found via an "insecure" MX lookup. Available in Postfix version 3.4 and later: 
@@ -579,48 +588,48 @@ SMTP(8) SMTP(8) Try to make multiple deliveries per TLS-encrypted connection. smtp_tls_chain_files (empty) - List of one or more PEM files, each holding one or more private + List of one or more PEM files, each holding one or more private keys directly followed by a corresponding certificate chain. smtp_tls_servername (empty) - Optional name to send to the remote SMTP server in the TLS + Optional name to send to the remote SMTP server in the TLS Server Name Indication (SNI) extension. OBSOLETE STARTTLS CONTROLS - The following configuration parameters exist for compatibility with - Postfix versions before 2.3. Support for these will be removed in a + The following configuration parameters exist for compatibility with + Postfix versions before 2.3. Support for these will be removed in a future release. smtp_use_tls (no) - Opportunistic mode: use TLS when a remote SMTP server announces + Opportunistic mode: use TLS when a remote SMTP server announces STARTTLS support, otherwise send the mail in the clear. smtp_enforce_tls (no) - Enforcement mode: require that remote SMTP servers use TLS + Enforcement mode: require that remote SMTP servers use TLS encryption, and never send mail in the clear. smtp_tls_enforce_peername (yes) - With mandatory TLS encryption, require that the remote SMTP - server hostname matches the information in the remote SMTP + With mandatory TLS encryption, require that the remote SMTP + server hostname matches the information in the remote SMTP server certificate. smtp_tls_per_site (empty) - Optional lookup tables with the Postfix SMTP client TLS usage - policy by next-hop destination and by remote SMTP server host- + Optional lookup tables with the Postfix SMTP client TLS usage + policy by next-hop destination and by remote SMTP server host- name. smtp_tls_cipherlist (empty) - Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS + Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS cipher list. 
RESOURCE AND RATE CONTROLS smtp_connect_timeout (30s) - The Postfix SMTP client time limit for completing a TCP connec- + The Postfix SMTP client time limit for completing a TCP connec- tion, or zero (use the operating system built-in time limit). smtp_helo_timeout (300s) - The Postfix SMTP client time limit for sending the HELO or EHLO - command, and for receiving the initial remote SMTP server + The Postfix SMTP client time limit for sending the HELO or EHLO + command, and for receiving the initial remote SMTP server response. lmtp_lhlo_timeout (300s) @@ -632,19 +641,19 @@ SMTP(8) SMTP(8) mand, and for receiving the remote SMTP server response. smtp_mail_timeout (300s) - The Postfix SMTP client time limit for sending the MAIL FROM + The Postfix SMTP client time limit for sending the MAIL FROM command, and for receiving the remote SMTP server response. smtp_rcpt_timeout (300s) - The Postfix SMTP client time limit for sending the SMTP RCPT TO + The Postfix SMTP client time limit for sending the SMTP RCPT TO command, and for receiving the remote SMTP server response. smtp_data_init_timeout (120s) - The Postfix SMTP client time limit for sending the SMTP DATA + The Postfix SMTP client time limit for sending the SMTP DATA command, and for receiving the remote SMTP server response. smtp_data_xfer_timeout (180s) - The Postfix SMTP client time limit for sending the SMTP message + The Postfix SMTP client time limit for sending the SMTP message content. smtp_data_done_timeout (600s) 
@@ -658,13 +667,13 @@ SMTP(8) SMTP(8) Available in Postfix version 2.1 and later: smtp_mx_address_limit (5) - The maximal number of MX (mail exchanger) IP addresses that can - result from Postfix SMTP client mail exchanger lookups, or zero + The maximal number of MX (mail exchanger) IP addresses that can + result from Postfix SMTP client mail exchanger lookups, or zero (no limit). smtp_mx_session_limit (2) - The maximal number of SMTP sessions per delivery request before - the Postfix SMTP client gives up or delivers to a fall-back + The maximal number of SMTP sessions per delivery request before + the Postfix SMTP client gives up or delivers to a fall-back relay host, or zero (no limit). smtp_rset_timeout (20s) @@ -674,17 +683,17 @@ SMTP(8) SMTP(8) Available in Postfix version 2.2 and earlier: lmtp_cache_connection (yes) - Keep Postfix LMTP client connections open for up to $max_idle + Keep Postfix LMTP client connections open for up to $max_idle seconds. Available in Postfix version 2.2 and later: smtp_connection_cache_destinations (empty) - Permanently enable SMTP connection caching for the specified + Permanently enable SMTP connection caching for the specified destinations. smtp_connection_cache_on_demand (yes) - Temporarily enable SMTP connection caching while a destination + Temporarily enable SMTP connection caching while a destination has a high volume of mail in the active queue. smtp_connection_reuse_time_limit (300s) 
@@ -698,23 +707,23 @@ SMTP(8) SMTP(8) Available in Postfix version 2.3 and later: connection_cache_protocol_timeout (5s) - Time limit for connection cache connect, send or receive opera- + Time limit for connection cache connect, send or receive opera- tions. Available in Postfix version 2.9 and later: smtp_per_record_deadline (no) - Change the behavior of the smtp_*_timeout time limits, from a - time limit per read or write system call, to a time limit to - send or receive a complete record (an SMTP command line, SMTP - response line, SMTP message content line, or TLS protocol mes- + Change the behavior of the smtp_*_timeout time limits, from a + time limit per read or write system call, to a time limit to + send or receive a complete record (an SMTP command line, SMTP + response line, SMTP message content line, or TLS protocol mes- sage). Available in Postfix version 2.11 and later: smtp_connection_reuse_count_limit (0) - When SMTP connection caching is enabled, the number of times - that an SMTP session may be reused before it is closed, or zero + When SMTP connection caching is enabled, the number of times + that an SMTP session may be reused before it is closed, or zero (no limit). Available in Postfix version 3.4 and later: 
@@ -726,52 +735,52 @@ SMTP(8) SMTP(8) transport_destination_concurrency_limit ($default_destination_concur- rency_limit) - A transport-specific override for the default_destination_con- + A transport-specific override for the default_destination_con- currency_limit parameter value, where transport is the master.cf name of the message delivery transport. transport_destination_recipient_limit ($default_destination_recipi- ent_limit) A transport-specific override for the default_destination_recip- - ient_limit parameter value, where transport is the master.cf + ient_limit parameter value, where transport is the master.cf name of the message delivery transport. SMTPUTF8 CONTROLS Preliminary SMTPUTF8 support is introduced with Postfix 3.0. smtputf8_enable (yes) - Enable preliminary SMTPUTF8 support for the protocols described + Enable preliminary SMTPUTF8 support for the protocols described in RFC 6531..6533. smtputf8_autodetect_classes (sendmail, verify) - Detect that a message requires SMTPUTF8 support for the speci- + Detect that a message requires SMTPUTF8 support for the speci- fied mail origin classes. Available in Postfix version 3.2 and later: enable_idna2003_compatibility (no) - Enable 'transitional' compatibility between IDNA2003 and - IDNA2008, when converting UTF-8 domain names to/from the ASCII + Enable 'transitional' compatibility between IDNA2003 and + IDNA2008, when converting UTF-8 domain names to/from the ASCII form that is used for DNS lookups. TROUBLE SHOOTING CONTROLS debug_peer_level (2) - The increment in verbose logging level when a remote client or + The increment in verbose logging level when a remote client or server matches a pattern in the debug_peer_list parameter. debug_peer_list (empty) - Optional list of remote client or server hostname or network + Optional list of remote client or server hostname or network address patterns that cause the verbose logging level to increase by the amount specified in $debug_peer_level. 
error_notice_recipient (postmaster) - The recipient of postmaster notifications about mail delivery + The recipient of postmaster notifications about mail delivery problems that are caused by policy, resource, software or proto- col errors. internal_mail_filter_classes (empty) - What categories of Postfix-generated mail are subject to - before-queue content inspection by non_smtpd_milters, + What categories of Postfix-generated mail are subject to + before-queue content inspection by non_smtpd_milters, header_checks and body_checks. notify_classes (resource, software) 
@@ -779,46 +788,46 @@ SMTP(8) SMTP(8) MISCELLANEOUS CONTROLS best_mx_transport (empty) - Where the Postfix SMTP client should deliver mail when it + Where the Postfix SMTP client should deliver mail when it detects a "mail loops back to myself" error condition. config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and master.cf con- + The default location of the Postfix main.cf and master.cf con- figuration files. daemon_timeout (18000s) - How much time a Postfix daemon process may take to handle a + How much time a Postfix daemon process may take to handle a request before it is terminated by a built-in watchdog timer. delay_logging_resolution_limit (2) - The maximal number of digits after the decimal point when log- + The maximal number of digits after the decimal point when log- ging sub-second delay values. disable_dns_lookups (no) Disable DNS lookups in the Postfix SMTP and LMTP clients. inet_interfaces (all) - The network interface addresses that this mail system receives + The network interface addresses that this mail system receives mail on. inet_protocols (all) - The Internet protocols Postfix will attempt to use when making + The Internet protocols Postfix will attempt to use when making or accepting connections. ipc_timeout (3600s) - The time limit for sending or receiving information over an + The time limit for sending or receiving information over an internal communication channel. lmtp_assume_final (no) - When a remote LMTP server announces no DSN support, assume that - the server performs final delivery, and send "delivered" deliv- + When a remote LMTP server announces no DSN support, assume that + the server performs final delivery, and send "delivered" deliv- ery status notifications instead of "relayed". lmtp_tcp_port (24) The default TCP port that the Postfix LMTP client connects to. 
max_idle (100s) - The maximum amount of time that an idle Postfix daemon process + The maximum amount of time that an idle Postfix daemon process waits for an incoming connection before terminating voluntarily. max_use (100) @@ -832,20 +841,20 @@ SMTP(8) SMTP(8) The process name of a Postfix command or daemon process. proxy_interfaces (empty) - The network interface addresses that this mail system receives + The network interface addresses that this mail system receives mail on by way of a proxy or network address translation unit. smtp_address_preference (any) The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP - client will try first, when a destination has IPv6 and IPv4 + client will try first, when a destination has IPv6 and IPv4 addresses with equal MX preference. smtp_bind_address (empty) - An optional numerical network address that the Postfix SMTP + An optional numerical network address that the Postfix SMTP client should bind to when making an IPv4 connection. smtp_bind_address6 (empty) - An optional numerical network address that the Postfix SMTP + An optional numerical network address that the Postfix SMTP client should bind to when making an IPv6 connection. smtp_helo_name ($myhostname) @@ -865,7 +874,7 @@ SMTP(8) SMTP(8) The syslog facility of Postfix logging. syslog_name (see 'postconf -d' output) - A prefix that is prepended to the process name in syslog + A prefix that is prepended to the process name in syslog records, so that, for example, "smtpd" becomes "prefix/smtpd". Available with Postfix 2.2 and earlier: @@ -883,7 +892,7 @@ SMTP(8) SMTP(8) Available with Postfix 3.0 and later: smtp_address_verify_target (rcpt) - In the context of email address verification, the SMTP protocol + In the context of email address verification, the SMTP protocol stage that determines whether an email address is deliverable. Available with Postfix 3.1 and later: 
diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html index d019b52e0..191fe63b6 100644 --- a/postfix/html/smtpd.8.html +++ b/postfix/html/smtpd.8.html @@ -1322,7 +1322,8 @@ SMTPD(8) SMTPD(8) README FILES ADDRESS_CLASS_README, blocking unknown hosted or relay recipients - ADDRESS_REWRITING_README Postfix address manipulation + ADDRESS_REWRITING_README, Postfix address manipulation + BDAT_README, Postfix CHUNKING support FILTER_README, external after-queue content filter LOCAL_RECIPIENT_README, blocking unknown local recipients MILTER_README, before-queue mail filter applications diff --git a/postfix/html/tlsproxy.8.html b/postfix/html/tlsproxy.8.html index 5b9e73d22..25016ce57 100644 --- a/postfix/html/tlsproxy.8.html +++ b/postfix/html/tlsproxy.8.html 
@@ -55,20 +55,116 @@ TLSPROXY(8) TLSPROXY(8) The text below provides only a parameter summary. See postconf(5) for more details including examples. -STARTTLS SUPPORT CONTROLS +STARTTLS GLOBAL CONTROLS + The following settings are global and therefore cannot be overruled by + information specified in a tlsproxy(8) client request. + + tls_append_default_CA (no) + Append the system-supplied default Certification Authority cer- + tificates to the ones specified with *_tls_CApath or + *_tls_CAfile. + + tls_daemon_random_bytes (32) + The number of pseudo-random bytes that an smtp(8) or smtpd(8) + process requests from the tlsmgr(8) server in order to seed its + internal pseudo random number generator (PRNG). + + tls_high_cipherlist (see 'postconf -d' output) + The OpenSSL cipherlist for "high" grade ciphers. + + tls_medium_cipherlist (see 'postconf -d' output) + The OpenSSL cipherlist for "medium" or higher grade ciphers. + + tls_low_cipherlist (see 'postconf -d' output) + The OpenSSL cipherlist for "low" or higher grade ciphers. + + tls_export_cipherlist (see 'postconf -d' output) + The OpenSSL cipherlist for "export" or higher grade ciphers. + + tls_null_cipherlist (eNULL:!aNULL) + The OpenSSL cipherlist for "NULL" grade ciphers that provide + authentication without encryption. + + tls_eecdh_strong_curve (prime256v1) + The elliptic curve used by the Postfix SMTP server for sensibly + strong ephemeral ECDH key exchange. + + tls_eecdh_ultra_curve (secp384r1) + The elliptic curve used by the Postfix SMTP server for maximally + strong ephemeral ECDH key exchange. + + tls_disable_workarounds (see 'postconf -d' output) + List or bit-mask of OpenSSL bug work-arounds to disable. + + tls_preempt_cipherlist (no) + With SSLv3 and later, use the Postfix SMTP server's cipher pref- + erence order instead of the remote client's cipher preference + order. 
+ + Available in Postfix version 2.9 and later: + + tls_legacy_public_key_fingerprints (no) + A temporary migration aid for sites that use certificate pub- + lic-key fingerprints with Postfix 2.9.0..2.9.5, which use an + incorrect algorithm. + + Available in Postfix version 2.11-3.1: + + tls_dane_digest_agility (on) + Configure RFC7671 DANE TLSA digest algorithm agility. + + tls_dane_trust_anchor_digest_enable (yes) + Enable support for RFC 6698 (DANE TLSA) DNS records that contain + digests of trust-anchors with certificate usage "2". + + Available in Postfix version 2.11 and later: + + tlsmgr_service_name (tlsmgr) + The name of the tlsmgr(8) service entry in master.cf. + + Available in Postfix version 3.0 and later: + + tls_session_ticket_cipher (Postfix >= 3.0: aes-256-cbc, Postfix < 3.0: + aes-128-cbc) + Algorithm used to encrypt RFC5077 TLS session tickets. + + openssl_path (openssl) + The location of the OpenSSL command line program openssl(1). + + Available in Postfix version 3.2 and later: + + tls_eecdh_auto_curves (see 'postconf -d' output) + The prioritized list of elliptic curves supported by the Postfix + SMTP client and server. + + Available in Postfix version 3.4 and later: + + tls_server_sni_maps (empty) + Optional lookup tables that map names received from remote SMTP + clients via the TLS Server Name Indication (SNI) extension to + the appropriate keys and certificate chains. + +STARTTLS SERVER CONTROLS + These settings are clones of Postfix SMTP server settings. They allow + tlsproxy(8) to load the same certificate and private key information as + the Postfix SMTP server, before dropping privileges, so that the key + files can be kept read-only for root. These settings can currently not + be overruled by information in a tlsproxy(8) client request, but that + limitation may be removed in a future version. 
+ tlsproxy_tls_CAfile ($smtpd_tls_CAfile) - A file containing (PEM format) CA certificates of root CAs + A file containing (PEM format) CA certificates of root CAs trusted to sign either remote SMTP client certificates or inter- mediate CA certificates. tlsproxy_tls_CApath ($smtpd_tls_CApath) - A directory containing (PEM format) CA certificates of root CAs + A directory containing (PEM format) CA certificates of root CAs trusted to sign either remote SMTP client certificates or inter- mediate CA certificates. tlsproxy_tls_always_issue_session_ids ($smtpd_tls_always_issue_ses- sion_ids) - Force the Postfix tlsproxy(8) server to issue a TLS session id, + Force the Postfix tlsproxy(8) server to issue a TLS session id, even when TLS session caching is turned off. tlsproxy_tls_ask_ccert ($smtpd_tls_ask_ccert) @@ -78,7 +174,7 @@ TLSPROXY(8) TLSPROXY(8) The verification depth for remote SMTP client certificates. tlsproxy_tls_cert_file ($smtpd_tls_cert_file) - File with the Postfix tlsproxy(8) server RSA certificate in PEM + File with the Postfix tlsproxy(8) server RSA certificate in PEM format. tlsproxy_tls_ciphers ($smtpd_tls_ciphers) 
@@ -86,47 +182,47 @@ TLSPROXY(8) TLSPROXY(8) will use with opportunistic TLS encryption. tlsproxy_tls_dcert_file ($smtpd_tls_dcert_file) - File with the Postfix tlsproxy(8) server DSA certificate in PEM + File with the Postfix tlsproxy(8) server DSA certificate in PEM format. tlsproxy_tls_dh1024_param_file ($smtpd_tls_dh1024_param_file) - File with DH parameters that the Postfix tlsproxy(8) server + File with DH parameters that the Postfix tlsproxy(8) server should use with non-export EDH ciphers. tlsproxy_tls_dh512_param_file ($smtpd_tls_dh512_param_file) - File with DH parameters that the Postfix tlsproxy(8) server + File with DH parameters that the Postfix tlsproxy(8) server should use with export-grade EDH ciphers. tlsproxy_tls_dkey_file ($smtpd_tls_dkey_file) - File with the Postfix tlsproxy(8) server DSA private key in PEM + File with the Postfix tlsproxy(8) server DSA private key in PEM format. tlsproxy_tls_eccert_file ($smtpd_tls_eccert_file) - File with the Postfix tlsproxy(8) server ECDSA certificate in + File with the Postfix tlsproxy(8) server ECDSA certificate in PEM format. tlsproxy_tls_eckey_file ($smtpd_tls_eckey_file) - File with the Postfix tlsproxy(8) server ECDSA private key in + File with the Postfix tlsproxy(8) server ECDSA private key in PEM format. tlsproxy_tls_eecdh_grade ($smtpd_tls_eecdh_grade) - The Postfix tlsproxy(8) server security grade for ephemeral + The Postfix tlsproxy(8) server security grade for ephemeral elliptic-curve Diffie-Hellman (EECDH) key exchange. tlsproxy_tls_exclude_ciphers ($smtpd_tls_exclude_ciphers) - List of ciphers or cipher types to exclude from the tlsproxy(8) + List of ciphers or cipher types to exclude from the tlsproxy(8) server cipher list at all TLS security levels. tlsproxy_tls_fingerprint_digest ($smtpd_tls_fingerprint_digest) - The message digest algorithm to construct remote SMTP + The message digest algorithm to construct remote SMTP client-certificate fingerprints. 
tlsproxy_tls_key_file ($smtpd_tls_key_file) - File with the Postfix tlsproxy(8) server RSA private key in PEM + File with the Postfix tlsproxy(8) server RSA private key in PEM format. tlsproxy_tls_loglevel ($smtpd_tls_loglevel) - Enable additional Postfix tlsproxy(8) server logging of TLS + Enable additional Postfix tlsproxy(8) server logging of TLS activity. tlsproxy_tls_mandatory_ciphers ($smtpd_tls_mandatory_ciphers) @@ -135,7 +231,7 @@ TLSPROXY(8) TLSPROXY(8) tlsproxy_tls_mandatory_exclude_ciphers ($smtpd_tls_manda- tory_exclude_ciphers) - Additional list of ciphers or cipher types to exclude from the + Additional list of ciphers or cipher types to exclude from the tlsproxy(8) server cipher list at mandatory TLS security levels. tlsproxy_tls_mandatory_protocols ($smtpd_tls_mandatory_protocols) 
@@ -143,39 +239,28 @@ TLSPROXY(8) TLSPROXY(8) with mandatory TLS encryption. tlsproxy_tls_protocols ($smtpd_tls_protocols) - List of TLS protocols that the Postfix tlsproxy(8) server will + List of TLS protocols that the Postfix tlsproxy(8) server will exclude or include with opportunistic TLS encryption. tlsproxy_tls_req_ccert ($smtpd_tls_req_ccert) - With mandatory TLS encryption, require a trusted remote SMTP + With mandatory TLS encryption, require a trusted remote SMTP client certificate in order to allow TLS connections to proceed. tlsproxy_tls_security_level ($smtpd_tls_security_level) - The SMTP TLS security level for the Postfix tlsproxy(8) server; + The SMTP TLS security level for the Postfix tlsproxy(8) server; when a non-empty value is specified, this overrides the obsolete parameters smtpd_use_tls and smtpd_enforce_tls. - Available in Postfix version 2.11 and later: - - tlsmgr_service_name (tlsmgr) - The name of the tlsmgr(8) service entry in master.cf. - - Available in Postfix version 3.4 and later: - tlsproxy_tls_chain_files ($smtpd_tls_chain_files) - Files with the Postfix tlsproxy(8) server keys and certificate + Files with the Postfix tlsproxy(8) server keys and certificate chains in PEM format. - tls_server_sni_maps (empty) - Optional lookup tables that map names received from remote SMTP - clients via the TLS Server Name Indication (SNI) extension to - the appropriate keys and certificate chains. - -TLS CLIENT CONTROLS - These parameters are clones of SMTP client settings. They allow +STARTTLS CLIENT CONTROLS + These settings are clones of Postfix SMTP client settings. They allow tlsproxy(8) to load the same certificate and private key information as - the SMTP client, before dropping privileges, so that the key files can - be kept read-only for root. + the Postfix SMTP client, before dropping privileges, so that the key + files can be kept read-only for root. Some settings may be overruled by + information in a tlsproxy(8) client request. 
Available in Postfix version 3.4 and later: diff --git a/postfix/man/man8/postlogd.8 b/postfix/man/man8/postlogd.8 index 6ec826cee..19112f2bd 100644 --- a/postfix/man/man8/postlogd.8 +++ b/postfix/man/man8/postlogd.8 @@ -34,7 +34,7 @@ Other non\-daemon Postfix programs will never write directly to with the operation of some of these programs). These programs can log to \fBpostlogd\fR(8) if they are run by the super\-user, or if their executable file has set\-gid permission. Do not -set this permision on programs other than \fBpostdrop\fR(1) +set this permission on programs other than \fBpostdrop\fR(1) and \fBpostqueue\fR(1). .SH "CONFIGURATION PARAMETERS" .na diff --git a/postfix/man/man8/smtp.8 b/postfix/man/man8/smtp.8 index a0a0c32cc..ca81ebc48 100644 --- a/postfix/man/man8/smtp.8 +++ b/postfix/man/man8/smtp.8 @@ -489,6 +489,13 @@ Available in Postfix version 2.8 and later: .IP "\fBtls_disable_workarounds (see 'postconf -d' output)\fR" List or bit\-mask of OpenSSL bug work\-arounds to disable. .PP +Available in Postfix version 2.11\-3.1: +.IP "\fBtls_dane_digest_agility (on)\fR" +Configure RFC7671 DANE TLSA digest algorithm agility. +.IP "\fBtls_dane_trust_anchor_digest_enable (yes)\fR" +Enable support for RFC 6698 (DANE TLSA) DNS records that contain +digests of trust\-anchors with certificate usage "2". +.PP Available in Postfix version 2.11 and later: .IP "\fBsmtp_tls_trust_anchor_file (empty)\fR" Zero or more PEM\-format files with trust\-anchor certificates diff --git a/postfix/man/man8/smtpd.8 b/postfix/man/man8/smtpd.8 index 2505c8edd..1ea172fdf 100644 --- a/postfix/man/man8/smtpd.8 +++ b/postfix/man/man8/smtpd.8 
@@ -1157,7 +1157,8 @@ Use "\fBpostconf readme_directory\fR" or .na .nf ADDRESS_CLASS_README, blocking unknown hosted or relay recipients -ADDRESS_REWRITING_README Postfix address manipulation +ADDRESS_REWRITING_README, Postfix address manipulation +BDAT_README, Postfix CHUNKING support FILTER_README, external after\-queue content filter LOCAL_RECIPIENT_README, blocking unknown local recipients MILTER_README, before\-queue mail filter applications diff --git a/postfix/man/man8/tlsproxy.8 b/postfix/man/man8/tlsproxy.8 index 5fc67049f..71a3e4e8d 100644 --- a/postfix/man/man8/tlsproxy.8 +++ b/postfix/man/man8/tlsproxy.8 
@@ -71,11 +71,93 @@ reload\fR" to speed up a change. The text below provides only a parameter summary. See \fBpostconf\fR(5) for more details including examples. -.SH "STARTTLS SUPPORT CONTROLS" +.SH "STARTTLS GLOBAL CONTROLS" .na .nf .ad .fi +The following settings are global and therefore cannot be +overruled by information specified in a \fBtlsproxy\fR(8) +client request. +.IP "\fBtls_append_default_CA (no)\fR" +Append the system\-supplied default Certification Authority +certificates to the ones specified with *_tls_CApath or *_tls_CAfile. +.IP "\fBtls_daemon_random_bytes (32)\fR" +The number of pseudo\-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8) +process requests from the \fBtlsmgr\fR(8) server in order to seed its +internal pseudo random number generator (PRNG). +.IP "\fBtls_high_cipherlist (see 'postconf -d' output)\fR" +The OpenSSL cipherlist for "high" grade ciphers. +.IP "\fBtls_medium_cipherlist (see 'postconf -d' output)\fR" +The OpenSSL cipherlist for "medium" or higher grade ciphers. +.IP "\fBtls_low_cipherlist (see 'postconf -d' output)\fR" +The OpenSSL cipherlist for "low" or higher grade ciphers. +.IP "\fBtls_export_cipherlist (see 'postconf -d' output)\fR" +The OpenSSL cipherlist for "export" or higher grade ciphers. +.IP "\fBtls_null_cipherlist (eNULL:!aNULL)\fR" +The OpenSSL cipherlist for "NULL" grade ciphers that provide +authentication without encryption. +.IP "\fBtls_eecdh_strong_curve (prime256v1)\fR" +The elliptic curve used by the Postfix SMTP server for sensibly +strong +ephemeral ECDH key exchange. +.IP "\fBtls_eecdh_ultra_curve (secp384r1)\fR" +The elliptic curve used by the Postfix SMTP server for maximally +strong +ephemeral ECDH key exchange. +.IP "\fBtls_disable_workarounds (see 'postconf -d' output)\fR" +List or bit\-mask of OpenSSL bug work\-arounds to disable. 
+.IP "\fBtls_preempt_cipherlist (no)\fR" +With SSLv3 and later, use the Postfix SMTP server's cipher +preference order instead of the remote client's cipher preference +order. +.PP +Available in Postfix version 2.9 and later: +.IP "\fBtls_legacy_public_key_fingerprints (no)\fR" +A temporary migration aid for sites that use certificate +\fIpublic\-key\fR fingerprints with Postfix 2.9.0..2.9.5, which use +an incorrect algorithm. +.PP +Available in Postfix version 2.11\-3.1: +.IP "\fBtls_dane_digest_agility (on)\fR" +Configure RFC7671 DANE TLSA digest algorithm agility. +.IP "\fBtls_dane_trust_anchor_digest_enable (yes)\fR" +Enable support for RFC 6698 (DANE TLSA) DNS records that contain +digests of trust\-anchors with certificate usage "2". +.PP +Available in Postfix version 2.11 and later: +.IP "\fBtlsmgr_service_name (tlsmgr)\fR" +The name of the \fBtlsmgr\fR(8) service entry in master.cf. +.PP +Available in Postfix version 3.0 and later: +.IP "\fBtls_session_ticket_cipher (Postfix >= 3.0: aes\-256\-cbc, Postfix < 3.0: aes\-128\-cbc)\fR" +Algorithm used to encrypt RFC5077 TLS session tickets. +.IP "\fBopenssl_path (openssl)\fR" +The location of the OpenSSL command line program \fBopenssl\fR(1). +.PP +Available in Postfix version 3.2 and later: +.IP "\fBtls_eecdh_auto_curves (see 'postconf -d' output)\fR" +The prioritized list of elliptic curves supported by the Postfix +SMTP client and server. +.PP +Available in Postfix version 3.4 and later: +.IP "\fBtls_server_sni_maps (empty)\fR" +Optional lookup tables that map names received from remote SMTP +clients via the TLS Server Name Indication (SNI) extension to the +appropriate keys and certificate chains. +.SH "STARTTLS SERVER CONTROLS" +.na +.nf +.ad +.fi +These settings are clones of Postfix SMTP server settings. +They allow \fBtlsproxy\fR(8) to load the same certificate +and private key information as the Postfix SMTP server, +before dropping privileges, so that the key files can be +kept read\-only for root. 
These settings can currently not +be overruled by information in a \fBtlsproxy\fR(8) client +request, but that limitation may be removed in a future +version. .IP "\fBtlsproxy_tls_CAfile ($smtpd_tls_CAfile)\fR" A file containing (PEM format) CA certificates of root CAs trusted to sign either remote SMTP client certificates or intermediate @@ -150,29 +232,20 @@ client certificate in order to allow TLS connections to proceed. The SMTP TLS security level for the Postfix \fBtlsproxy\fR(8) server; when a non\-empty value is specified, this overrides the obsolete parameters smtpd_use_tls and smtpd_enforce_tls. -.PP -Available in Postfix version 2.11 and later: -.IP "\fBtlsmgr_service_name (tlsmgr)\fR" -The name of the \fBtlsmgr\fR(8) service entry in master.cf. -.PP -Available in Postfix version 3.4 and later: .IP "\fBtlsproxy_tls_chain_files ($smtpd_tls_chain_files)\fR" Files with the Postfix \fBtlsproxy\fR(8) server keys and certificate chains in PEM format. -.IP "\fBtls_server_sni_maps (empty)\fR" -Optional lookup tables that map names received from remote SMTP -clients via the TLS Server Name Indication (SNI) extension to the -appropriate keys and certificate chains. -.SH "TLS CLIENT CONTROLS" +.SH "STARTTLS CLIENT CONTROLS" .na .nf .ad .fi -These parameters are clones of SMTP client settings. They -allow \fBtlsproxy\fR(8) to load the same certificate and -private key information as the SMTP client, before dropping -privileges, so that the key files can be kept read\-only for -root. +These settings are clones of Postfix SMTP client settings. +They allow \fBtlsproxy\fR(8) to load the same certificate +and private key information as the Postfix SMTP client, +before dropping privileges, so that the key files can be +kept read\-only for root. Some settings may be overruled by +information in a \fBtlsproxy\fR(8) client request. .PP Available in Postfix version 3.4 and later: .IP "\fBtlsproxy_client_CAfile ($smtp_tls_CAfile)\fR" 
diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink index 31b0172c6..e2749fe9b 100755 --- a/postfix/mantools/postlink +++ b/postfix/mantools/postlink @@ -763,6 +763,8 @@ while (<>) { s;\btls_session_ticket_cipher\b;$&;g; s;\btls_server_sni_maps\b;$&;g; s;\btls_ssl_options\b;$&;g; + s;\btls_dane_digest_agility\b;$&;g; + s;\btls_dane_trust_anchor_digest_enable\b;$&;g; s;\bfrozen_delivered_to\b;$&;g; s;\breset_owner_alias\b;$&;g; diff --git a/postfix/proto/BDAT_README.html b/postfix/proto/BDAT_README.html new file mode 100644 index 000000000..60f0d1fa1 --- /dev/null +++ b/postfix/proto/BDAT_README.html @@ -0,0 +1,178 @@ + + + + + + +Postfix BDAT (CHUNKING) support + + + + + + + +

    Postfix +BDAT (CHUNKING) support

    + +
    + +

    Overview

    + +

    Postfix SMTP server supports RFC 3030 CHUNKING (the BDAT command) +without BINARYMIME, in both smtpd(8) and postscreen(8). It is enabled +by default.

    + +

    Topics covered in this document:

    + + + +

    Disabling BDAT support

    + +

    BDAT support is enabled by default. To disable BDAT support +globally:

    + +
    +
    +/etc/postfix/main.cf:
    +    # The logging alternative:
    +    smtpd_discard_ehlo_keywords = chunking
    +    # The non-logging alternative:
    +    smtpd_discard_ehlo_keywords = chunking, silent_discard
    +
    +
    + +

    Specify '-o smtpd_discard_ehlo_keywords=' in master.cf +for the submission and smtps services, if you have clients +that benefit from CHUNKING support.

    + +

    Impact on existing configurations

    + +
      + +
    • There are no changes for smtpd_mumble_restrictions, +smtpd_proxy_filter, smtpd_milters, or for postscreen settings, +except for the above mentioned option to suppress the SMTP server's +CHUNKING service announcement.

      + +
    • There are no changes in the Postfix queue file content, +no changes for down-stream SMTP servers or after-queue content +filters, and no changes in the envelope or message content that +Milters will receive.

      + +
    + +

    Example SMTP session

    + +

    The main differences are that the Postfix SMTP server announces +"CHUNKING" support in the EHLO response, and that instead of sending +one DATA request, the remote SMTP client may send one or more BDAT +requests. In the example below, "S:" indicates server responses, +and "C:" indicates client requests (bold font).

    + +
    +
    +    S: 220 server.example.com
    +    C: EHLO client.example.com
    +    S: 250-server.example.com
    +    S: 250-PIPELINING
    +    S: 250-SIZE 153600000
    +    S: 250-VRFY
    +    S: 250-ETRN
    +    S: 250-STARTTLS
    +    S: 250-AUTH PLAIN LOGIN
    +    S: 250-ENHANCEDSTATUSCODES
    +    S: 250-8BITMIME
    +    S: 250-DSN
    +    S: 250-SMTPUTF8
    +    S: 250 CHUNKING
    +    C: MAIL FROM:<sender@example.com>
    +    S: 250 2.1.0 Ok
    +    C: RCPT TO:<recipient@example.com>
    +    S: 250 2.1.5 Ok
    +    C: BDAT 10000
    +    C: ..followed by 10000 bytes...
    +    S: 250 2.0.0 Ok: 10000 bytes
    +    C: BDAT 123
    +    C: ..followed by 123 bytes...
    +    S: 250 2.0.0 Ok: 123 bytes
    +    C: BDAT 0 LAST
    +    S: 250 2.0.0 Ok: 10123 bytes queued as 41yYhh41qmznjbD
    +    C: QUIT
    +    S: 221 2.0.0 Bye
    +
    +
    + +

    Internally in Postfix, there is no difference between mail that +was received with BDAT or with DATA. Postfix smtpd_mumble_restrictions, +policy delegation queries, smtpd_proxy_filter and Milters all behave +as if Postfix received (MAIL + RCPT + DATA + end-of-data). However, +Postfix will log BDAT-related failures as "xxx after BDAT" to avoid +complicating troubleshooting (xxx = 'lost connection' or 'timeout'), +and will log a warning when a client sends a malformed BDAT command. +

    + +

    Benefits of CHUNKING (BDAT) support without +BINARYMIME

    + +

    Support for CHUNKING (BDAT) was added to improve interoperability +with some clients, a benefit that would reportedly exist even without +Postfix support for BINARYMIME. Since June 2018, Wietse's mail +server has received BDAT commands from a variety of systems.

    + +

    Postfix does not support BINARYMIME at this time because:

    + +
      + +
    • BINARYMIME support would require moderately invasive +changes to Postfix, to support email content that is not line-oriented. +With BINARYMIME, the Content-Length: message header specifies the +length of content that may or may not have line boundaries. Without +BINARYMIME support, email RFCs require that binary content is +base64-encoded, and formatted as lines of text.

      + +
    • For delivery to non-BINARYMIME systems including UNIX mbox, +the available options are to convert binary content into 8bit text, +one of the 7bit forms (base64 or quoted-printable), or to return +email as undeliverable. Any conversion would obviously break digital +signatures, so conversion would have to happen before signing.

      + +
    + +

    Downsides of CHUNKING (BDAT) support +

    + +

    The RFC 3030 authors did not specify any limitations on how +clients may pipeline commands (i.e. send commands without waiting +for a server response). If a server announces PIPELINING support, +like Postfix does, then a remote SMTP client can pipeline all +commands following EHLO, for example, MAIL/RCPT/BDAT/BDAT/MAIL/RCPT/BDAT, +without ever having to wait for a server response. This means that +with BDAT, the Postfix SMTP server cannot distinguish between a +well-behaved client and a spambot, based on their command pipelining +behavior. If you require "reject_unauth_pipelining" to block spambots, +then turn off Postfix's CHUNKING announcement as described above. +

    + +

    In RFC 4468, the authors write that a client may pipeline +commands, and that after sending BURL LAST or BDAT LAST, a client +must wait for the server's response. But as this text does not +appear in RFC 3030 which defines BDAT, is it a useless restriction +that Postfix will not enforce.

    + + + + diff --git a/postfix/proto/Makefile.in b/postfix/proto/Makefile.in index d60c318dc..6f435ee4a 100644 --- a/postfix/proto/Makefile.in +++ b/postfix/proto/Makefile.in @@ -11,6 +11,7 @@ HTML = ../html/ADDRESS_CLASS_README.html \ ../html/ADDRESS_VERIFICATION_README.html \ ../html/BACKSCATTER_README.html \ ../html/BASIC_CONFIGURATION_README.html \ + ../html/BDAT_README.html \ ../html/BUILTIN_FILTER_README.html \ ../html/CDB_README.html \ ../html/COMPATIBILITY_README.html \ @@ -57,6 +58,7 @@ README = ../README_FILES/ADDRESS_CLASS_README \ ../README_FILES/ADDRESS_VERIFICATION_README \ ../README_FILES/BACKSCATTER_README \ ../README_FILES/BASIC_CONFIGURATION_README \ + ../README_FILES/BDAT_README \ ../README_FILES/BUILTIN_FILTER_README \ ../README_FILES/CDB_README \ ../README_FILES/COMPATIBILITY_README \ @@ -179,6 +181,9 @@ clobber: ../html/BASIC_CONFIGURATION_README.html: BASIC_CONFIGURATION_README.html $(DETAB) $? | $(POSTLINK) >$@ +../html/BDAT_README.html: BDAT_README.html + $(DETAB) $? | $(POSTLINK) >$@ + ../html/BUILTIN_FILTER_README.html: BUILTIN_FILTER_README.html $(DETAB) $? | $(POSTLINK) >$@ @@ -338,6 +343,9 @@ clobber: ../README_FILES/BASIC_CONFIGURATION_README: BASIC_CONFIGURATION_README.html $(DETAB) $? | $(HT2READ) >$@ +../README_FILES/BDAT_README: BDAT_README.html + $(DETAB) $? | $(HT2READ) >$@ + ../README_FILES/BUILTIN_FILTER_README: BUILTIN_FILTER_README.html $(DETAB) $? | $(HT2READ) >$@ diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index e0af21080..f0738ca9f 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20190209" -#define MAIL_VERSION_NUMBER "3.4" +#define MAIL_RELEASE_DATE "20190210" +#define MAIL_VERSION_NUMBER "3.5" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE 
diff --git a/postfix/src/master/master_conf.c b/postfix/src/master/master_conf.c index 851e662fe..37cad2a85 100644 --- a/postfix/src/master/master_conf.c +++ b/postfix/src/master/master_conf.c @@ -30,6 +30,11 @@ /* IBM T.J. Watson Research /* P.O. Box 704 /* Yorktown Heights, NY 10598, USA +/* +/* Wietse Venema +/* Google, Inc. +/* 111 8th Avenue +/* New York, NY 10011, USA /*--*/ /* System libraries. */ diff --git a/postfix/src/postlogd/postlogd.c b/postfix/src/postlogd/postlogd.c index 0d615147a..4c6db6362 100644 --- a/postfix/src/postlogd/postlogd.c +++ b/postfix/src/postlogd/postlogd.c @@ -26,7 +26,7 @@ /* with the operation of some of these programs). These programs /* can log to \fBpostlogd\fR(8) if they are run by the super-user, /* or if their executable file has set-gid permission. Do not -/* set this permision on programs other than \fBpostdrop\fR(1) +/* set this permission on programs other than \fBpostdrop\fR(1) /* and \fBpostqueue\fR(1). /* CONFIGURATION PARAMETERS /* .ad diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c index f2dd52008..4e50699f8 100644 --- a/postfix/src/smtp/smtp.c +++ b/postfix/src/smtp/smtp.c @@ -459,6 +459,13 @@ /* .IP "\fBtls_disable_workarounds (see 'postconf -d' output)\fR" /* List or bit-mask of OpenSSL bug work-arounds to disable. /* .PP +/* Available in Postfix version 2.11-3.1: +/* .IP "\fBtls_dane_digest_agility (on)\fR" +/* Configure RFC7671 DANE TLSA digest algorithm agility. +/* .IP "\fBtls_dane_trust_anchor_digest_enable (yes)\fR" +/* Enable support for RFC 6698 (DANE TLSA) DNS records that contain +/* digests of trust-anchors with certificate usage "2". +/* .PP /* Available in Postfix version 2.11 and later: /* .IP "\fBsmtp_tls_trust_anchor_file (empty)\fR" /* Zero or more PEM-format files with trust-anchor certificates diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c index cf6bac428..d115fca3b 100644 --- a/postfix/src/smtpd/smtpd.c +++ b/postfix/src/smtpd/smtpd.c 
@@ -1095,7 +1095,8 @@ /* .na /* .nf /* ADDRESS_CLASS_README, blocking unknown hosted or relay recipients -/* ADDRESS_REWRITING_README Postfix address manipulation +/* ADDRESS_REWRITING_README, Postfix address manipulation +/* BDAT_README, Postfix CHUNKING support /* FILTER_README, external after-queue content filter /* LOCAL_RECIPIENT_README, blocking unknown local recipients /* MILTER_README, before-queue mail filter applications diff --git a/postfix/src/tls/tls_proxy.h b/postfix/src/tls/tls_proxy.h index 8104c5bdb..4a9db08fb 100644 --- a/postfix/src/tls/tls_proxy.h +++ b/postfix/src/tls/tls_proxy.h @@ -123,6 +123,7 @@ extern int tls_proxy_client_init_print(ATTR_PRINT_MASTER_FN, VSTREAM *, int, voi extern int tls_proxy_client_init_scan(ATTR_SCAN_MASTER_FN, VSTREAM *, int, void *); extern void tls_proxy_client_init_free(TLS_CLIENT_INIT_PROPS *); extern char *tls_proxy_client_init_to_string(VSTRING *, TLS_CLIENT_INIT_PROPS *); +extern char *tls_proxy_client_init_with_names_to_string(VSTRING *, TLS_CLIENT_INIT_PROPS *); extern int tls_proxy_client_start_print(ATTR_PRINT_MASTER_FN, VSTREAM *, int, void *); extern int tls_proxy_client_start_scan(ATTR_SCAN_MASTER_FN, VSTREAM *, int, void *); diff --git a/postfix/src/tls/tls_proxy_client_misc.c b/postfix/src/tls/tls_proxy_client_misc.c index 4732a8564..2c67f62ad 100644 --- a/postfix/src/tls/tls_proxy_client_misc.c +++ b/postfix/src/tls/tls_proxy_client_misc.c @@ -16,6 +16,10 @@ /* char *tls_proxy_client_param_with_names_to_string(buf, params) /* VSTRING *buf; /* TLS_CLIENT_PARAMS *params; +/* +/* char *tls_proxy_client_init_to_string(buf, init_props) +/* VSTRING *buf; +/* TLS_CLIENT_INIT_PROPS *init_props; /* DESCRIPTION /* tls_proxy_client_param_from_config() initializes a TLS_CLIENT_PARAMS /* structure from configuration parameters and returns its 
@@ -25,10 +29,19 @@
 /* tls_proxy_client_param_to_string() produces a lookup key
 /* that is unique for the TLS_CLIENT_PARAMS member values.
 /*
-/* tls_proxy_client_param_with_names_to_string() TODO produces a
-/* string with "name = value\n" for each TLS_CLIENT_PARAMS member.
-/* This may be useful for reporting differences between
+/* tls_proxy_client_param_with_names_to_string() produces a
+/* string with "name = value\n" for each TLS_CLIENT_PARAMS
+/* member. This may be useful for reporting differences between
 /* TLS_CLIENT_PARAMS instances.
+/*
+/* tls_proxy_client_init_to_string() produces a lookup key
+/* that is unique for the properties received by
+/* tls_proxy_client_init_scan().
+/*
+/* tls_proxy_client_init_with_names_to_string() produces a
+/* string with "name = value\n" for each TLS_CLIENT_INIT_PROPS
+/* member. This may be useful for reporting differences between
+/* TLS_CLIENT_INIT_PROPS instances.
 /* LICENSE
 /* .ad
 /* .fi
@@ -141,4 +154,45 @@ char *tls_proxy_client_param_with_names_to_string(VSTRING *buf, TLS_CLIENT_PAR
 return (vstring_str(buf));
 }
 
+/* tls_proxy_client_init_to_string - serialize to string */
+
+char *tls_proxy_client_init_to_string(VSTRING *buf,
+ TLS_CLIENT_INIT_PROPS *props)
+{
+ vstring_sprintf(buf, "%s\n%s\n%d\n%s\n%s\n%s\n%s\n%s\n%s\n"
+ "%s\n%s\n%s\n%s\n%s\n", props->log_param,
+ props->log_level, props->verifydepth,
+ props->cache_type, props->chain_files,
+ props->cert_file, props->key_file,
+ props->dcert_file, props->dkey_file,
+ props->eccert_file, props->eckey_file,
+ props->CAfile, props->CApath, props->mdalg);
+ return (vstring_str(buf));
+}
+
+/* tls_proxy_client_init_with_names_to_string - serialize to string */
+
+char *tls_proxy_client_init_with_names_to_string(VSTRING *buf,
+ TLS_CLIENT_INIT_PROPS *props)
+{
+ vstring_sprintf(buf, "%s = %s\n%s = %s\n%s = %d\n%s = %s\n%s = %s\n"
+ "%s = %s\n%s = %s\n%s = %s\n%s = %s\n%s = %s\n"
+ "%s = %s\n%s = %s\n%s = %s\n%s = %s\n",
+ TLS_ATTR_LOG_PARAM, props->log_param,
+ TLS_ATTR_LOG_LEVEL, props->log_level,
+ TLS_ATTR_VERIFYDEPTH, props->verifydepth,
+ TLS_ATTR_CACHE_TYPE, props->cache_type,
+ TLS_ATTR_CHAIN_FILES, props->chain_files,
+ TLS_ATTR_CERT_FILE, props->cert_file,
+ TLS_ATTR_KEY_FILE, props->key_file,
+ TLS_ATTR_DCERT_FILE, props->dcert_file,
+ TLS_ATTR_DKEY_FILE, props->dkey_file,
+ TLS_ATTR_ECCERT_FILE, props->eccert_file,
+ TLS_ATTR_ECKEY_FILE, props->eckey_file,
+ TLS_ATTR_CAFILE, props->CAfile,
+ TLS_ATTR_CAPATH, props->CApath,
+ TLS_ATTR_MDALG, props->mdalg);
+ return (vstring_str(buf));
+}
+
 #endif
diff --git a/postfix/src/tls/tls_proxy_client_scan.c b/postfix/src/tls/tls_proxy_client_scan.c
index 4cf362f0e..61aa6ef2e 100644
--- a/postfix/src/tls/tls_proxy_client_scan.c
+++ b/postfix/src/tls/tls_proxy_client_scan.c
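Review bot: tls_proxy_client_init_to_string() is documented as producing a key that is unique for the properties received by tls_proxy_client_init_scan(), but nothing at the vstring_sprintf() call records that every TLS_CLIENT_INIT_PROPS member the scan routine fills in must be part of the format, and the same 14-member list is then repeated by hand in tls_proxy_client_init_with_names_to_string() directly below. A member added to the scan routine but omitted here would let two different init requests map to the same key, which matters if the key selects a cached TLS client context with its certificate, key and CA settings (the caller is not visible in this hunk). I would add above the first vstring_sprintf() call `/* Keep in sync with tls_proxy_client_init_scan(): every scanned member must be part of the key, or distinct requests collide. */` and in the second function `/* Keep in sync with tls_proxy_client_init_to_string(). */`. Both formats also pass each char * member to %s unconditionally; if the scan routine can leave any of them NULL (cannot be told from here), that should be guarded or stated in the function comment.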
@@ -21,10 +21,6 @@
 /* int flags;
 /* void *ptr;
 /*
-/* char *tls_proxy_client_init_to_string(buf, init_props)
-/* VSTRING *buf;
-/* TLS_CLIENT_INIT_PROPS *init_props;
-/*
 /* void tls_proxy_client_init_free(init_props)
 /* TLS_CLIENT_INIT_PROPS *init_props;
 /*
@@ -57,10 +53,6 @@
 /* scan routine. tls_proxy_client_init_scan() is meant to be passed
 /* as a call-back function to attr_scan(), as shown below.
 /*
-/* tls_proxy_client_init_to_string() produces a lookup key
-/* that is unique for the properties received by
-/* tls_proxy_client_init_scan().
-/*
 /* tls_proxy_client_init_free() destroys a TLS_CLIENT_INIT_PROPS
 /* structure that was created by tls_proxy_client_init_scan().
 /*
@@ -324,22 +316,6 @@ int tls_proxy_client_init_scan(ATTR_SCAN_MASTER_FN scan_fn, VSTREAM *fp,
 return (ret);
 }
 
-/* tls_proxy_client_init_to_string - serialize to string */
-
-char *tls_proxy_client_init_to_string(VSTRING *buf,
- TLS_CLIENT_INIT_PROPS *props)
-{
- vstring_sprintf(buf, "%s\n%s\n%d\n%s\n%s\n%s\n%s\n%s\n%s\n"
- "%s\n%s\n%s\n%s\n%s\n", props->log_param,
- props->log_level, props->verifydepth,
- props->cache_type, props->chain_files,
- props->cert_file, props->key_file,
- props->dcert_file, props->dkey_file,
- props->eccert_file, props->eckey_file,
- props->CAfile, props->CApath, props->mdalg);
- return (vstring_str(buf));
-}
-
 /* tls_proxy_client_certs_free - destroy TLS_PKEYS from stream */
 
 static void tls_proxy_client_certs_free(TLS_CERTS *tp)
diff --git a/postfix/src/tlsproxy/tlsproxy.c b/postfix/src/tlsproxy/tlsproxy.c
index b6440952f..2c8714cb4 100644
--- a/postfix/src/tlsproxy/tlsproxy.c
+++ b/postfix/src/tlsproxy/tlsproxy.c
@@ -57,9 +57,89 @@ /* /* The text below provides only a parameter summary. See /* \fBpostconf\fR(5) for more details including examples. -/* STARTTLS SUPPORT CONTROLS +/* STARTTLS GLOBAL CONTROLS /* .ad /* .fi +/* The following settings are global and therefore cannot be +/* overruled by information specified in a \fBtlsproxy\fR(8) +/* client request. +/* .IP "\fBtls_append_default_CA (no)\fR" +/* Append the system-supplied default Certification Authority +/* certificates to the ones specified with *_tls_CApath or *_tls_CAfile. +/* .IP "\fBtls_daemon_random_bytes (32)\fR" +/* The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8) +/* process requests from the \fBtlsmgr\fR(8) server in order to seed its +/* internal pseudo random number generator (PRNG). +/* .IP "\fBtls_high_cipherlist (see 'postconf -d' output)\fR" +/* The OpenSSL cipherlist for "high" grade ciphers. +/* .IP "\fBtls_medium_cipherlist (see 'postconf -d' output)\fR" +/* The OpenSSL cipherlist for "medium" or higher grade ciphers. +/* .IP "\fBtls_low_cipherlist (see 'postconf -d' output)\fR" +/* The OpenSSL cipherlist for "low" or higher grade ciphers. +/* .IP "\fBtls_export_cipherlist (see 'postconf -d' output)\fR" +/* The OpenSSL cipherlist for "export" or higher grade ciphers. +/* .IP "\fBtls_null_cipherlist (eNULL:!aNULL)\fR" +/* The OpenSSL cipherlist for "NULL" grade ciphers that provide +/* authentication without encryption. +/* .IP "\fBtls_eecdh_strong_curve (prime256v1)\fR" +/* The elliptic curve used by the Postfix SMTP server for sensibly +/* strong +/* ephemeral ECDH key exchange. +/* .IP "\fBtls_eecdh_ultra_curve (secp384r1)\fR" +/* The elliptic curve used by the Postfix SMTP server for maximally +/* strong +/* ephemeral ECDH key exchange. +/* .IP "\fBtls_disable_workarounds (see 'postconf -d' output)\fR" +/* List or bit-mask of OpenSSL bug work-arounds to disable. 
+/* .IP "\fBtls_preempt_cipherlist (no)\fR" +/* With SSLv3 and later, use the Postfix SMTP server's cipher +/* preference order instead of the remote client's cipher preference +/* order. +/* .PP +/* Available in Postfix version 2.9 and later: +/* .IP "\fBtls_legacy_public_key_fingerprints (no)\fR" +/* A temporary migration aid for sites that use certificate +/* \fIpublic-key\fR fingerprints with Postfix 2.9.0..2.9.5, which use +/* an incorrect algorithm. +/* .PP +/* Available in Postfix version 2.11-3.1: +/* .IP "\fBtls_dane_digest_agility (on)\fR" +/* Configure RFC7671 DANE TLSA digest algorithm agility. +/* .IP "\fBtls_dane_trust_anchor_digest_enable (yes)\fR" +/* Enable support for RFC 6698 (DANE TLSA) DNS records that contain +/* digests of trust-anchors with certificate usage "2". +/* .PP +/* Available in Postfix version 2.11 and later: +/* .IP "\fBtlsmgr_service_name (tlsmgr)\fR" +/* The name of the \fBtlsmgr\fR(8) service entry in master.cf. +/* .PP +/* Available in Postfix version 3.0 and later: +/* .IP "\fBtls_session_ticket_cipher (Postfix >= 3.0: aes-256-cbc, Postfix < 3.0: aes-128-cbc)\fR" +/* Algorithm used to encrypt RFC5077 TLS session tickets. +/* .IP "\fBopenssl_path (openssl)\fR" +/* The location of the OpenSSL command line program \fBopenssl\fR(1). +/* .PP +/* Available in Postfix version 3.2 and later: +/* .IP "\fBtls_eecdh_auto_curves (see 'postconf -d' output)\fR" +/* The prioritized list of elliptic curves supported by the Postfix +/* SMTP client and server. +/* .PP +/* Available in Postfix version 3.4 and later: +/* .IP "\fBtls_server_sni_maps (empty)\fR" +/* Optional lookup tables that map names received from remote SMTP +/* clients via the TLS Server Name Indication (SNI) extension to the +/* appropriate keys and certificate chains. +/* STARTTLS SERVER CONTROLS +/* .ad +/* .fi +/* These settings are clones of Postfix SMTP server settings. 
+/* They allow \fBtlsproxy\fR(8) to load the same certificate +/* and private key information as the Postfix SMTP server, +/* before dropping privileges, so that the key files can be +/* kept read-only for root. These settings can currently not +/* be overruled by information in a \fBtlsproxy\fR(8) client +/* request, but that limitation may be removed in a future +/* version. /* .IP "\fBtlsproxy_tls_CAfile ($smtpd_tls_CAfile)\fR" /* A file containing (PEM format) CA certificates of root CAs /* trusted to sign either remote SMTP client certificates or intermediate 
@@ -134,27 +214,18 @@ /* The SMTP TLS security level for the Postfix \fBtlsproxy\fR(8) server; /* when a non-empty value is specified, this overrides the obsolete /* parameters smtpd_use_tls and smtpd_enforce_tls. -/* .PP -/* Available in Postfix version 2.11 and later: -/* .IP "\fBtlsmgr_service_name (tlsmgr)\fR" -/* The name of the \fBtlsmgr\fR(8) service entry in master.cf. -/* .PP -/* Available in Postfix version 3.4 and later: /* .IP "\fBtlsproxy_tls_chain_files ($smtpd_tls_chain_files)\fR" /* Files with the Postfix \fBtlsproxy\fR(8) server keys and certificate /* chains in PEM format. -/* .IP "\fBtls_server_sni_maps (empty)\fR" -/* Optional lookup tables that map names received from remote SMTP -/* clients via the TLS Server Name Indication (SNI) extension to the -/* appropriate keys and certificate chains. -/* TLS CLIENT CONTROLS +/* STARTTLS CLIENT CONTROLS /* .ad /* .fi -/* These parameters are clones of SMTP client settings. They -/* allow \fBtlsproxy\fR(8) to load the same certificate and -/* private key information as the SMTP client, before dropping -/* privileges, so that the key files can be kept read-only for -/* root. +/* These settings are clones of Postfix SMTP client settings. +/* They allow \fBtlsproxy\fR(8) to load the same certificate +/* and private key information as the Postfix SMTP client, +/* before dropping privileges, so that the key files can be +/* kept read-only for root. Some settings may be overruled by +/* information in a \fBtlsproxy\fR(8) client request. /* .PP /* Available in Postfix version 3.4 and later: /* .IP "\fBtlsproxy_client_CAfile ($smtp_tls_CAfile)\fR" 
@@ -430,14 +501,14 @@ static TLS_APPL_STATE *tlsp_server_ctx;
 static TLS_APPL_STATE *tlsp_client_ctx;
 static bool tlsp_pre_jail_done;
 static int ask_client_cert;
+static char *tlsp_pre_jail_client_param_key; /* pre-jail global params */
+static char *tlsp_pre_jail_client_init_key; /* pre-jail init props */
 
 /*
 * TLS per-client status.
 */
-static HTABLE *tlsp_client_app_cache;
-static BH_TABLE *tlsp_params_mismatch_filter;
-static char *tlsp_pre_jail_client_param_key;
-static char *tlsp_pre_jail_client_init_key;
+static HTABLE *tlsp_client_app_cache; /* per-client init props */
+static BH_TABLE *tlsp_params_mismatch_filter; /* per-client nag filter */
 
 /*
 * Error handling: if a function detects an error, then that function is
@@ -1088,16 +1159,19 @@ static TLS_APPL_STATE *tlsp_client_init(TLS_CLIENT_PARAMS *tls_params,
 /*
 * Use one TLS_APPL_STATE object for all requests that specify the same
 * TLS_CLIENT_INIT_PROPS. Each TLS_APPL_STATE owns an SSL_CTX, which is
- * expensive to create.
+ * expensive to create. Bug: TLS_CLIENT_PARAMS are not used when creating
+ * a TLS_APPL_STATE instance.
 *
 * First, compute the TLS_APPL_STATE cache lookup key. Save a copy of the
- * TLS_CLIENT_PARAMS and TLSPROXY_CLIENT_INIT_PROPS settings from the
- * pre-jail internal request.
+ * pre-jail request TLS_CLIENT_PARAMS and TLSPROXY_CLIENT_INIT_PROPS
+ * settings, so that we can detect post-jail requests that do not match.
 */
 param_buf = vstring_alloc(100);
- param_key = tls_proxy_client_param_to_string(param_buf, tls_params);
+ param_key = tls_proxy_client_param_with_names_to_string(
+ param_buf, tls_params);
 init_buf = vstring_alloc(100);
- init_key = tls_proxy_client_init_to_string(init_buf, init_props);
+ init_key = tls_proxy_client_init_with_names_to_string(
+ init_buf, init_props);
 if (tlsp_pre_jail_done == 0) {
 if (tlsp_pre_jail_client_param_key != 0
 || tlsp_pre_jail_client_init_key != 0)
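Review bot: After this hunk both `param_key` and `init_key` are produced by the `_with_names_` variants, so `tls_proxy_client_param_to_string()` and `tls_proxy_client_init_to_string()` (the latter moved into tls_proxy_client_print.c by this same commit) appear to have no caller left in tlsproxy.c; if nothing else uses them, either drop them or state in the print.c header which consumer they are kept for. The new `Bug:` sentence says that TLS_CLIENT_PARAMS are ignored when the TLS_APPL_STATE is created but not what follows from it for an operator; reading the later hunks, a post-jail request carrying different global TLS settings is served with the pre-jail settings after a one-time warning, and I would spell that out here, e.g. `* The pre-jail TLS_CLIENT_PARAMS stay in effect; a mismatch is only logged.` The same point is documented again in the hunks at old lines 1108 and 1607, so a single precise statement here would let those refer back to it. tlsp_client_init() begins before and continues after this hunk.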
@@ -1108,9 +1182,9 @@ static TLS_APPL_STATE *tlsp_client_init(TLS_CLIENT_PARAMS *tls_params,
 
 /*
 * Log a warning if a post-jail request uses unexpected TLS_CLIENT_PARAMS
- * settings. These differences are problematic because TLS_CLIENT_PARAMS
- * settings are unfortunately not passed to tls_client_init(). Only the
- * init_props settings are used.
+ * settings. Bug: TLS_CLIENT_PARAMS settings are not used when creating a
+ * TLS_APPL_STATE instance; this makes a mismatch of TLS_CLIENT_PARAMS
+ * settings problematic.
 */
 if (tlsp_pre_jail_done
 && !been_here_fixed(tlsp_params_mismatch_filter, param_key)
@@ -1129,10 +1203,12 @@ static TLS_APPL_STATE *tlsp_client_init(TLS_CLIENT_PARAMS *tls_params,
 /*
 * Before creating a TLS_APPL_STATE instance, log a warning if a
 * post-jail request differs from the saved pre-jail request AND the
- * request specifies file/directory pathname arguments. Requests
- * containing pathnames are problematic after chroot (pathname
- * resolution) and after dropping privileges (key files must be root
- * read-only).
+ * post-jail request specifies file/directory pathname arguments.
+ * Unexpected requests containing pathnames are problematic after
+ * chroot (pathname resolution) and after dropping privileges (key
+ * files must be root read-only). Unexpected requests are not a
+ * problem as long as they contain no pathnames (for example a
+ * tls_loglevel change).
 *
 * We could eliminate some of this complication by adding code that
 * opens a cert/key lookup table at pre-jail time, and by reading
@@ -1607,9 +1683,8 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
 tlsp_pre_jail_done = 1;
 
 /*
- * Unfortunately TLS_CLIENT_PARAMS attributes correspond to global state
- * and can therefore not be used when creating TLS_APPL_STATE instances,
- * but we can warn about attribute mismatches.
+ * Bug: TLS_CLIENT_PARAMS attributes are not used when creating a
+ * TLS_APPL_STATE instance; we can only warn about attribute mismatches.
 */
 tlsp_params_mismatch_filter = been_here_init(BH_BOUND_NONE, BH_FLAG_NONE);
 }