mir/postfix
2
0
Fork 0
mirror of https://github.com/vdukhovni/postfix synced 2025-08-22 09:57:34 +00:00
Code Issues Releases Wiki Activity

postfix-3.5-20190210

Browse Source
This commit is contained in:
Wietse Venema 2019-02-10 00:00:00 -05:00 committed by Viktor Dukhovni
parent 67965c8458
commit c6eaaf0bf1
30 changed files with 1282 additions and 491 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
postfix/AAAREADME
View File

@ -149,6 +149,7 @@ Postfix daemons:
src/oqmgr/ Old queue manager
src/pickup/ Local pickup
src/pipe/ Pipe delivery
src/postlogd/ Syslog alternative, logs to file or stdout
src/postscreen/ Zombie blocker
src/proxymap/ Table lookup proxy agent
src/qmgr/ Queue manager
@ -159,7 +160,7 @@ Postfix daemons:
src/smtpd/ SMTP server
src/spawn/ Run non-Postfix server
src/tlsmgr/ TLS session keys and random pool
src/tlsproxy/ TLS proxy for postscreen
src/tlsproxy/ TLS proxy for postscreen and outbound connection reuse
src/trivial-rewrite/ Address rewriting and resolving
src/verify/ address verification service
src/virtual/ virtual mailbox-only delivery agent

15
postfix/HISTORY
View File

@ -17692,7 +17692,7 @@ Apologies for any names omitted.
20120330
Workaround: specify "\c" at the start of an smtp_reject_footer
Workaround: specify "\c" at the start of an smtpd_reject_footer
template to suppress the line break between the reply text
and the footer text. Files: global/smtp_reply_footer.c,
proto/postconf.proto.
@ -23633,10 +23633,10 @@ Apologies for any names omitted.
20180812
Feature: smtp_reject_footer_maps (as well as the postscreen
Feature: smtpd_reject_footer_maps (as well as the postscreen
variant postscreen_reject_footer_maps). This is indexed
with the SMTP server response text, and overrides the footer
specified with smtp_reject_footer. Files: global/mail_params.h,
specified with smtpd_reject_footer. Files: global/mail_params.h,
mantools/postlink, postscreen/postscreen.c,
postscreen/postscreen_send.c, postscreen/postscreen_smtpd.c,
proto/postconf.proto, smtpd/smtpd.c, smtpd/smtpd_chat.c.
@ -24105,3 +24105,12 @@ Apologies for any names omitted.
Debugging: tlsproxy(8) now logs more details about unexpected
configuration differences between the Postfix SMTP client
and the tlsproxy(8) daemon.
20190210
Documentation: Postfix 3.4.0 RELEASE NOTES.
Documentation: added BDAT_README.
Documentation: global TLS settings. Files: mantools/postlink,
smtp/smtp.c, tlsproxy/tlsproxy.c.

1
postfix/README_FILES/AAAREADME
View File

@ -78,6 +78,7 @@ OOtthheerr ttooppiiccss
* ADDRESS_CLASS_README: Address Classes
* CONNECTION_CACHE_README: Connection cache howto
* DSN_README: Postfix DSN support
* BDAT_README: Postfix BDAT (CHUNKING) support
* PACKAGE_README: Guidelines for Package Builders
* SCHEDULER_README: Queue Scheduler
* XCLIENT_README: XCLIENT Command

124
postfix/README_FILES/BDAT_README Normal file
View File

@ -0,0 +1,124 @@
PPoossttffiixx BBDDAATT ((CCHHUUNNKKIINNGG)) ssuuppppoorrtt
-------------------------------------------------------------------------------
OOvveerrvviieeww
Postfix SMTP server supports RFC 3030 CHUNKING (the BDAT command) without
BINARYMIME, in both smtpd(8) and postscreen(8). It is enabled by default.
Topics covered in this document:
* Disabling BDAT support
* Impact on existing configurations
* Example SMTP session
* Benefits of CHUNKING (BDAT) support without BINARYMIME
* Downsides of CHUNKING (BDAT) support
DDiissaabblliinngg BBDDAATT ssuuppppoorrtt
BDAT support is enabled by default. To disable BDAT support globally:
/etc/postfix/main.cf:
# The logging alternative:
smtpd_discard_ehlo_keywords = chunking
# The non-logging alternative:
smtpd_discard_ehlo_keywords = chunking, silent_discard
Specify '-o smtpd_discard_ehlo_keywords=' in master.cf for the submission and
smtps services, if you have clients that benefit from CHUNKING support.
IImmppaacctt oonn eexxiissttiinngg ccoonnffiigguurraattiioonnss
* There are no changes for smtpd_mumble_restrictions, smtpd_proxy_filter,
smtpd_milters, or for postscreen settings, except for the above mentioned
option to suppress the SMTP server's CHUNKING service announcement.
* There are no changes in the Postfix queue file content, no changes for
down-stream SMTP servers or after-queue content filters, and no changes in
the envelope or message content that Milters will receive.
EExxaammppllee SSMMTTPP sseessssiioonn
The main differences are that the Postfix SMTP server announces "CHUNKING"
support in the EHLO response, and that instead of sending one DATA request, the
remote SMTP client may send one or more BDAT requests. In the example below,
"S:" indicates server responses, and "C:" indicates client requests (bold
font).
S: 220 server.example.com
C: EEHHLLOO cclliieenntt..eexxaammppllee..ccoomm
S: 250-server.example.com
S: 250-PIPELINING
S: 250-SIZE 153600000
S: 250-VRFY
S: 250-ETRN
S: 250-STARTTLS
S: 250-AUTH PLAIN LOGIN
S: 250-ENHANCEDSTATUSCODES
S: 250-8BITMIME
S: 250-DSN
S: 250-SMTPUTF8
S: 250 CHUNKING
C: MMAAIILL FFRROOMM::<<sseennddeerr@@eexxaammppllee..ccoomm>>
S: 250 2.1.0 Ok
C: RRCCPPTT TTOO::<<rreecciippiieenntt@@eexxaammppllee..ccoomm>>
S: 250 2.1.5 Ok
C: BBDDAATT 1100000000
C: ....ffoolllloowweedd bbyy 1100000000 bbyytteess......
S: 250 2.0.0 Ok: 10000 bytes
C: BBDDAATT 112233
C: ....ffoolllloowweedd bbyy 112233 bbyytteess......
S: 250 2.0.0 Ok: 123 bytes
C: BBDDAATT 00 LLAASSTT
S: 250 2.0.0 Ok: 10123 bytes queued as 41yYhh41qmznjbD
C: QQUUIITT
S: 221 2.0.0 Bye
Internally in Postfix, there is no difference between mail that was received
with BDAT or with DATA. Postfix smtpd_mumble_restrictions, policy delegation
queries, smtpd_proxy_filter and Milters all behave as if Postfix received (MAIL
+ RCPT + DATA + end-of-data). However, Postfix will log BDAT-related failures
as "xxx after BDAT" to avoid complicating troubleshooting (xxx = 'lost
connection' or 'timeout'), and will log a warning when a client sends a
malformed BDAT command.
BBeenneeffiittss ooff CCHHUUNNKKIINNGG ((BBDDAATT)) ssuuppppoorrtt wwiitthhoouutt BBIINNAARRYYMMIIMMEE
Support for CHUNKING (BDAT) was added to improve interoperability with some
clients, a benefit that would reportedly exist even without Postfix support for
BINARYMIME. Since June 2018, Wietse's mail server has received BDAT commands
from a variety of systems.
Postfix does not support BINARYMIME at this time because:
* BINARYMIME support would require moderately invasive changes to Postfix, to
support email content that is not line-oriented. With BINARYMIME, the
Content-Length: message header specifies the length of content that may or
may not have line boundaries. Without BINARYMIME support, email RFCs
require that binary content is base64-encoded, and formatted as lines of
text.
* For delivery to non-BINARYMIME systems including UNIX mbox, the available
options are to convert binary content into 8bit text, one of the 7bit forms
(base64 or quoted-printable), or to return email as undeliverable. Any
conversion would obviously break digital signatures, so conversion would
have to happen before signing.
DDoowwnnssiiddeess ooff CCHHUUNNKKIINNGG ((BBDDAATT)) ssuuppppoorrtt
The RFC 3030 authors did not specify any limitations on how clients may
pipeline commands (i.e. send commands without waiting for a server response).
If a server announces PIPELINING support, like Postfix does, then a remote SMTP
client can pipeline all commands following EHLO, for example, MAIL/RCPT/BDAT/
BDAT/MAIL/RCPT/BDAT, without ever having to wait for a server response. This
means that with BDAT, the Postfix SMTP server cannot distinguish between a
well-behaved client and a spambot, based on their command pipelining behavior.
If you require "reject_unauth_pipelining" to block spambots, then turn off
Postfix's CHUNKING announcement as described above.
In RFC 4468, the authors write that a client may pipeline commands, and that
after sending BURL LAST or BDAT LAST, a client must wait for the server's
response. But as this text does not appear in RFC 3030 which defines BDAT, is
it a useless restriction that Postfix will not enforce.

224
postfix/RELEASE_NOTES
View File

@ -1,19 +1,19 @@
This is the Postfix 3.4 (experimental) release.
This is the Postfix 3.5 (experimental) release.
The stable Postfix release is called postfix-3.3.x where 3=major
release number, 3=minor release number, x=patchlevel. The stable
The stable Postfix release is called postfix-3.4.x where 3=major
release number, 4=minor release number, x=patchlevel. The stable
release never changes except for patches that address bugs or
emergencies. Patches change the patchlevel and the release date.
New features are developed in snapshot releases. These are called
postfix-3.4-yyyymmdd where yyyymmdd is the release date (yyyy=year,
postfix-3.5-yyyymmdd where yyyymmdd is the release date (yyyy=year,
mm=month, dd=day). Patches are never issued for snapshot releases;
instead, a new snapshot is released.
The mail_release_date configuration parameter (format: yyyymmdd)
specifies the release date of a stable release or snapshot release.
If you upgrade from Postfix 3.2 or earlier, read RELEASE_NOTES-3.3
If you upgrade from Postfix 3.3 or earlier, read RELEASE_NOTES-3.4
before proceeding.
License change
@ -24,217 +24,3 @@ historical IBM Public License 1.0, it is now also distributed with the
more recent Eclipse Public License 2.0. Recipients can choose to take
the software under the license of their choice. Those who are more
comfortable with the IPL can continue with that license.
Incompatible changes with snapshot 20190126-nonprod
====================================================
This introduces a new master.cf service 'postlog' with type
'unix-dgram' that is used by the new postlogd(8) daemon. The
'unix-dgram' service type is not supported by older Postfix versions.
Before backing out to an older version, edit the master.cf file and
remove the postlog entry.
Major changes with snapshot 20190126-nonprod
============================================
Support for logging to file or stdout, instead of using syslog.
- Logging to file solves a usability problem for MacOS, and
eliminates multiple problems with systemd-based systems.
- Logging to stdout is useful when Postfix runs in a container, as
it eliminates a syslogd dependency.
See MAILLOG_README for configuration examples and logfile rotation.
Incompatible changes with snapshot 20190106
===========================================
Postfix 3.4 drops support for OpenSSL 1.0.1 (end-of-life December
31, 2016) and earlier releases.
Major changes with snapshot 20190106
====================================
SNI support in the Postfix SMTP server, the Postfix SMTP client,
and in the tlsproxy daemon (both server and client roles). See the
postconf(5) documentation for the new tls_server_sni_maps and
smtp_tls_servername parameters.
Support for files that contain multiple (key, certificate, trust
chain) instances. This was required to implement server-side SNI
table lookups, but it also eliminates the need for separate cert/key
files for RSA, DSA, Elliptic Curve, and so on. The file format is
documented in the TLS_README sections "Server-side certificate and
private key configuration" and "Client-side certificate and private
key configuration", and in the postconf(5) documentation for the
parameters smtp_tls_chain_files, smtpd_tls_chain_files,
tlsproxy_client_chain_files, and tlsproxy_tls_chain_files.
Note: the command "postfix tls" does not yet support the new
consolidated certificate chain format. If you switch to the new
format, you'll need to manage your keys and certificates directly,
rather than via postfix-tls(1).
Major changes with snapshot 20180826
====================================
Postfix SMTP server support for RFC 3030 CHUNKING (the BDAT command)
without BINARYMIME, in both smtpd(8) and postscreen(8).
To disable the SMTP server's CHUNKING support:
/etc/postfix/main.cf:
# The logging alternative:
smtpd_discard_ehlo_keywords = chunking
# The non-logging alternative:
smtpd_discard_ehlo_keywords = chunking, silent_discard
Be sure to specify '-o smtpd_discard_ehlo_keywords=' in master.cf
for the submission and smtps services, in case you have clients
that benefit from CHUNKING support.
Impact on existing configurations:
----------------------------------
- There are no changes for smtpd_mumble_restrictions, smtpd_proxy_filter,
smtpd_milters, or for postscreen settings, except for the additional
option to suppress the SMTP server's CHUNKING service announcement.
- There are no changes in the Postfix queue file content, no changes
for down-stream SMTP servers or after-queue content filters, and
no changes in the envelope or message content that Milters will
receive.
Example SMTP session
--------------------
The main differences are that the Postfix SMTP server announces
"CHUNKING" support in the EHLO response, and that instead of sending
one DATA request, the remote SMTP client may send one or more BDAT
requests. In the example below, "S:" indicates server responses,
and "C:" indicates client requests.
S: 220 server.example.com
C: EHLO client.example.com
S: 250-server.example.com
S: 250-PIPELINING
S: 250-SIZE 153600000
S: 250-VRFY
S: 250-ETRN
S: 250-STARTTLS
S: 250-AUTH PLAIN LOGIN
S: 250-ENHANCEDSTATUSCODES
S: 250-8BITMIME
S: 250-DSN
S: 250-SMTPUTF8
S: 250 CHUNKING
C: MAIL FROM:<sender@example.com>
S: 250 2.1.0 Ok
C: RCPT TO:<recipient@example.com>
S: 250 2.1.5 Ok
C: BDAT 10000
C: ..followed by 10000 bytes...
S: 250 2.0.0 Ok: 10000 bytes
C: BDAT 123
C: ..followed by 123 bytes...
S: 250 2.0.0 Ok: 123 bytes
C: BDAT 0 LAST
S: 250 2.0.0 Ok: 10123 bytes queued as 41yYhh41qmznjbD
C: QUIT
S: 221 2.0.0 Bye
Internally in Postfix, there is no difference between mail that was
received with BDAT or with DATA. Postfix smtpd_mumble_restrictions,
policy delegation queries, smtpd_proxy_filter and Milters all behave
as if Postfix received (MAIL + RCPT + DATA + end-of-data). However,
Postfix will log BDAT-related failures as "xxx after BDAT" to avoid
complicating troubleshooting (xxx = 'lost connection' or 'timeout'),
and will log a warning when a client sends a malformed BDAT command.
Benefits of CHUNKING (BDAT) support without BINARYMIME:
-------------------------------------------------------
Support for CHUNKING (BDAT) was added to improve interoperability
with some clients, a benefit that would reportedly exist even without
Postfix support for BINARYMIME.
Postfix does not support BINARYMIME at this time because:
- BINARYMIME support would require moderately invasive changes to
support email content that is not line-oriented. With BINARYMIME,
the Content-Length: header specifies the length of arbitrary
content that has no line boundaries. Without BINARYMIME, binary
content is base64-encoded, and formatted as lines of text.
- There is no conversion of BINARYMIME to a line-oriented 8BITMIME
form that is compatible with legacy systems including UNIX mbox.
The available options are to convert binary content into one of
the 7bit forms (base64 or quoted-printable), or to return email
as undeliverable. Any conversion would break digital signatures,
so it would have to happen before signing.
Downsides of CHUNKING (BDAT) support:
-------------------------------------
The RFC 3030 authors did not specify any limitations on how clients
may pipeline commands (i.e. send commands without waiting for a
server response). If a server announces PIPELINING support, like
Postfix does, then a remote SMTP client can pipeline all commands
following EHLO, for example, MAIL/RCPT/BDAT/BDAT/MAIL/RCPT/BDAT,
without ever having to wait for a server response. This means that
with BDAT, the Postfix SMTP server cannot distinguish between a
well-behaved client and a spambot, based on their command pipelining
behavior. If you require "reject_unauth_pipelining" to block spambots,
turn off the CHUNKING support announcement as described above.
Incompatible change with snapshot 20180701
==========================================
To avoid performance loss under load, the tlsproxy(8) daemon now
requires a zero process limit in master.cf (this setting is provided
with the default master.cf file). As tlsproxy(8) processes become
too busy handling TLS connections, more processes will automatically
be added. By default, a tlsproxy(8) process will retire after several
hours.
To set the tlsproxy process limit to zero:
# postconf -F tlsproxy/unix/process_limit=0
# postfix reload
Major changes with snapshot 20180617
====================================
Preliminary Postfix SMTP client support for multiple deliveries per
TLS-encrypted connection. This is primarily to improve mail delivery
performance for destinations that throttle clients when they don't
combine deliveries.
This feature is enabled with "smtp_tls_connection_reuse=yes" in
main.cf, or with "tls_connection_reuse=yes" in smtp_tls_policy_maps.
It supports all Postfix TLS security levels including dane and
dane-only.
The implementation of TLS connection reuse relies on the same
scache(8) service as used for delivering plaintext SMTP mail, the
same tlsproxy(8) daemon as used by the postscreen(8) service for
inbound connections, and relies on the same hints from the qmgr(8)
daemon. It reuses the configuration parameters described in
CONNECTION_CACHE_README.
The following illustrates how TLS connections are reused:
Initial plaintext SMTP handshake:
smtp(8) -> remote SMTP server
Reused SMTP/TLS connection, or new SMTP/TLS connection:
smtp(8) -> tlsproxy(8) -> remote SMTP server
Cached SMTP/TLS connection:
scache(8) -> tlsproxy(8) -> remote SMTP server
There are a few refinements planned:
- Log the TLS properties every time a connection is reused.
Currently, the properties are logged when a TLS session is created.

208
postfix/RELEASE_NOTES-3.4 Normal file
View File

@ -0,0 +1,208 @@
This is the Postfix 3.4 (stable) release.
The stable Postfix release is called postfix-3.4.x where 3=major
release number, 4=minor release number, x=patchlevel. The stable
release never changes except for patches that address bugs or
emergencies. Patches change the patchlevel and the release date.
New features are developed in snapshot releases. These are called
postfix-3.5-yyyymmdd where yyyymmdd is the release date (yyyy=year,
mm=month, dd=day). Patches are never issued for snapshot releases;
instead, a new snapshot is released.
The mail_release_date configuration parameter (format: yyyymmdd)
specifies the release date of a stable release or snapshot release.
If you upgrade from Postfix 3.2 or earlier, read RELEASE_NOTES-3.3
before proceeding.
License change
---------------
This software is distributed with a dual license: in addition to the
historical IBM Public License 1.0, it is now also distributed with the
more recent Eclipse Public License 2.0. Recipients can choose to take
the software under the license of their choice. Those who are more
comfortable with the IPL can continue with that license.
Summary of changes
------------------
Incompatible changes, bdat support, containers, database support,
logging, safety, tls connection pooling, tls support, usability,
Incompatible changes
--------------------
[Incompat 20180826] The Postfix SMTP server announces CHUNKING (BDAT
command) by default. In the unlikely case that this breaks some
important remote SMTP client, disable the feature as follows:
/etc/postfix/main.cf:
# The logging alternative:
smtpd_discard_ehlo_keywords = chunking
# The non-logging alternative:
smtpd_discard_ehlo_keywords = chunking, silent_discard
See BDAT_README for more.
[Incompat 20190126] This introduces a new master.cf service 'postlog'
with type 'unix-dgram' that is used by the new postlogd(8) daemon.
Before backing out to an older Postfix version, edit the master.cf
file and remove the postlog entry.
[Incompat 20190106] Postfix 3.4 drops support for OpenSSL 1.0.1
(end-of-life was December 31, 2016) and all earlier releases.
[Incompat 20180701] To avoid performance loss under load, the
tlsproxy(8) daemon now requires a zero process limit in master.cf
(this setting is provided with the default master.cf file). By
default, a tlsproxy(8) process will retire after several hours.
To set the tlsproxy process limit to zero:
# postconf -F tlsproxy/unix/process_limit=0
# postfix reload
Major changes - bdat support
--------------------
[Feature 20180826] Postfix SMTP server support for RFC 3030 CHUNKING
(the BDAT command) without BINARYMIME, in both smtpd(8) and
postscreen(8). This has no effect on Milters, smtpd_mumble_restrictions,
and smtpd_proxy_filter. See BDAT_README for more.
Major changes - containers
--------------------------
[Feature 20190126] Support for logging to file or stdout, instead
of using syslog.
- Logging to file solves a usability problem for MacOS, and
eliminates multiple problems with systemd-based systems.
- Logging to stdout is useful when Postfix runs in a container, as
it eliminates a syslogd dependency.
See MAILLOG_README for configuration examples and logfile rotation.
[Feature 20180422] Better handling of undocumented(!) Linux behavior
whether or not signals are delivered to a PID=1 process.
Major changes - database support
--------------------------------
[Feature 20181105] Support for (key, list of filenames) in map
source text.
- Currently, this feature is used only by tls_server_sni_maps.
- When a map is created from source with "postmap -F maptype:mapname",
the command processes each key as usual and processes each value
as a list of filenames, concatenates the content of those files
(with one newline character in-between files), and stores an entry
with (key, base64-encoded result).
- When a map is queried with "postmap -F -q ...", the command
base64-decodes each value. It reports an error when a value is
not in base64 form.
This "postmap -F -q ..." behavior also works when querying the
memory-resident map types cidr:, inline:, pcre:, randmap:, regexp:,
and static:. Postfix reads the files specified as table values,
stores base64-encoded content, and base64-decodes content upon
table lookup.
Internally, Postfix will turn on this behavior for lookups (not
updates) when a map is opened with the DICT_FLAG_RHS_IS_FILE flag.
Major changes - logging
-----------------------
[Feature 20190126] Support for logging to file or stdout, instead
of using syslog.
- Logging to file solves a usability problem for MacOS, and
eliminates multiple problems with systemd-based systems.
- Logging to stdout is useful when Postfix runs in a container, as
it eliminates a syslogd dependency.
See MAILLOG_README for configuration examples and logfile rotation.
Major changes - safety
----------------------
[Feature 20180623] Automatic retirement: dnsblog(8) and tlsproxy(8) process
will now voluntarily retire after after max_idle*max_use, or some
sane limit if either limit is disabled. Without this, a process
could stay busy for days or more.
Major changes - tls connection pooling
--------------------------------------
[Feature 20180617] Postfix SMTP client support for multiple deliveries
per TLS-encrypted connection. This is primarily to improve mail
delivery performance for destinations that throttle clients when
they don't combine deliveries.
This feature is enabled with "smtp_tls_connection_reuse=yes" in
main.cf, or with "tls_connection_reuse=yes" in smtp_tls_policy_maps.
It supports all Postfix TLS security levels including dane and
dane-only.
The implementation of TLS connection reuse relies on the same
scache(8) service as used for delivering plaintext SMTP mail, the
same tlsproxy(8) daemon as used by the postscreen(8) service for
inbound connections, and relies on the same hints from the qmgr(8)
daemon. It reuses the configuration parameters described in
CONNECTION_CACHE_README.
The Postfix SMTP client now logs whether an SMTP-over-TLS connection
is newly established ("TLS connection established") or whether the
connection is reused ("TLS connection reused").
The following illustrates how TLS connections are reused:
Initial plaintext SMTP handshake:
smtp(8) -> remote SMTP server
Reused SMTP/TLS connection, or new SMTP/TLS connection:
smtp(8) -> tlsproxy(8) -> remote SMTP server
Cached SMTP/TLS connection:
scache(8) -> tlsproxy(8) -> remote SMTP server
Major changes - tls support
---------------------------
[Feature 20190106] SNI support in the Postfix SMTP server, the
Postfix SMTP client, and in the tlsproxy(8) daemon (both server and
client roles). See the postconf(5) documentation for the new
tls_server_sni_maps and smtp_tls_servername parameters.
[Feature 20190106] Support for files that contain multiple (key,
certificate, trust chain) instances. This was required to implement
server-side SNI table lookups, but it also eliminates the need for
separate cert/key files for RSA, DSA, Elliptic Curve, and so on.
The file format is documented in the TLS_README sections "Server-side
certificate and private key configuration" and "Client-side certificate
and private key configuration", and in the postconf(5) documentation
for the parameters smtp_tls_chain_files, smtpd_tls_chain_files,
tlsproxy_client_chain_files, and tlsproxy_tls_chain_files.
Note: the command "postfix tls" does not yet support the new
consolidated certificate chain format. If you switch to the new
format, you'll need to manage your keys and certificates directly,
rather than via postfix-tls(1).
Major changes - usability
-------------------------
[Feature 20180812] Support for smtpd_reject_footer_maps (as well
as the postscreen variant postscreen_reject_footer_maps) for more
informative reject messages. This is indexed with the Postfix SMTP
server response text, and overrides the footer specified with
smtpd_reject_footer. One will want to use a pcre: or regexp: map
with this.

20
postfix/WISHLIST
View File

@ -1,18 +1,15 @@
Wish list:
Move tls_proxy_client_scan.c _to_string() function
to tls_proxy_client_misc.c.
Things to do before the stable release:
In tlsproxy, include parameter names in the diffs between
expected and client properties. This requires a function
tls_proxy_client_init_with_names_to_string().
Spell-check, double-word check, HTML validator check,
mantools/missing-proxy-read-maps check.
Disable -DSNAPSHOT and -DNONPROD in makedefs.
make tls_pre_jail_init() safe by design for use in programs
that implement both clients and servers.
postfix rotate-log command: mv postfix.log postfix.log.$(date
+%Y%M%d-%H%M%S) to avoid data loss if called repeatedly.
In smtpd(8) and postscreen(8), set the ehlo_discard_mask
to ~0 so that STARTTLS, BDAT, DSN, etc. work only for clients
that send EHLO.
@ -23,13 +20,6 @@ Wish list:
In postscreen, don't fork after 'postfix reload' when
psc_check_queue_length (and psc_post_queue_length?) is zero.
Things to do before the stable release:
Spell-check, double-word check, HTML validator check,
mantools/missing-proxy-read-maps check.
Disable -DSNAPSHOT and -DNONPROD in makedefs.
After I/O error, store errno in VSTREAM object before errno
may be overwritten.

178
postfix/html/BDAT_README.html Normal file
View File

@ -0,0 +1,178 @@
<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Postfix BDAT (CHUNKING) support</title>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body>
<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix
BDAT (CHUNKING) support</h1>
<hr>
<h2>Overview </h2>
<p> Postfix SMTP server supports <a href="http://tools.ietf.org/html/rfc3030">RFC 3030</a> CHUNKING (the BDAT command)
without BINARYMIME, in both <a href="smtpd.8.html">smtpd(8)</a> and <a href="postscreen.8.html">postscreen(8)</a>. It is enabled
by default. </p>
<p> Topics covered in this document: </p>
<ul>
<li><a href="#disable"> Disabling BDAT support</a>
<li><a href="#impact"> Impact on existing configurations</a>
<li><a href="#example"> Example SMTP session</a>
<li> <a href="#benefits">Benefits of CHUNKING (BDAT) support without BINARYMIME</a>
<li> <a href="#downsides">Downsides of CHUNKING (BDAT) support</a>
</ul>
<h2> <a name="disable"> Disabling BDAT support </a> </h2>
<p> BDAT support is enabled by default. To disable BDAT support
globally: </p>
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
# The logging alternative:
<a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a> = chunking
# The non-logging alternative:
<a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a> = chunking, silent_discard
</pre>
</blockquote>
<p> Specify '-o <a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a>=' in <a href="master.5.html">master.cf</a>
for the submission and smtps services, if you have clients
that benefit from CHUNKING support. </p>
<h2> <a name="impact"> Impact on existing configurations </a> </h2>
<ul>
<li> <p> There are no changes for smtpd_mumble_restrictions,
<a href="postconf.5.html#smtpd_proxy_filter">smtpd_proxy_filter</a>, <a href="postconf.5.html#smtpd_milters">smtpd_milters</a>, or for postscreen settings,
except for the above mentioned option to suppress the SMTP server's
CHUNKING service announcement. </p>
<li> <p> There are no changes in the Postfix queue file content,
no changes for down-stream SMTP servers or after-queue content
filters, and no changes in the envelope or message content that
Milters will receive. </p>
</ul>
<h2> <a name="example"> Example SMTP session</a> </h2>
<p> The main differences are that the Postfix SMTP server announces
"CHUNKING" support in the EHLO response, and that instead of sending
one DATA request, the remote SMTP client may send one or more BDAT
requests. In the example below, "S:" indicates server responses,
and "C:" indicates client requests (bold font). </p>
<blockquote>
<pre>
S: 220 server.example.com
C: <b>EHLO client.example.com</b>
S: 250-server.example.com
S: 250-PIPELINING
S: 250-SIZE 153600000
S: 250-VRFY
S: 250-ETRN
S: 250-STARTTLS
S: 250-AUTH PLAIN LOGIN
S: 250-ENHANCEDSTATUSCODES
S: 250-8BITMIME
S: 250-DSN
S: 250-SMTPUTF8
S: 250 CHUNKING
C: <b>MAIL FROM:&lt;sender@example.com&gt;</b>
S: 250 2.1.0 Ok
C: <b>RCPT TO:&lt;recipient@example.com&gt;</b>
S: 250 2.1.5 Ok
C: <b>BDAT 10000</b>
C: <b>..followed by 10000 bytes...</b>
S: 250 2.0.0 Ok: 10000 bytes
C: <b>BDAT 123</b>
C: <b>..followed by 123 bytes...</b>
S: 250 2.0.0 Ok: 123 bytes
C: <b>BDAT 0 LAST</b>
S: 250 2.0.0 Ok: 10123 bytes queued as 41yYhh41qmznjbD
C: <b>QUIT</b>
S: 221 2.0.0 Bye
</pre>
</blockquote>
<p> Internally in Postfix, there is no difference between mail that
was received with BDAT or with DATA. Postfix smtpd_mumble_restrictions,
policy delegation queries, <a href="postconf.5.html#smtpd_proxy_filter">smtpd_proxy_filter</a> and Milters all behave
as if Postfix received (MAIL + RCPT + DATA + end-of-data). However,
Postfix will log BDAT-related failures as "xxx after BDAT" to avoid
complicating troubleshooting (xxx = 'lost connection' or 'timeout'),
and will log a warning when a client sends a malformed BDAT command.
</p>
<h2> <a name="benefits">Benefits of CHUNKING (BDAT) support without
BINARYMIME</a> </h2>
<p> Support for CHUNKING (BDAT) was added to improve interoperability
with some clients, a benefit that would reportedly exist even without
Postfix support for BINARYMIME. Since June 2018, Wietse's mail
server has received BDAT commands from a variety of systems. </p>
<p> Postfix does not support BINARYMIME at this time because: </p>
<ul>
<li> <p> BINARYMIME support would require moderately invasive
changes to Postfix, to support email content that is not line-oriented.
With BINARYMIME, the Content-Length: message header specifies the
length of content that may or may not have line boundaries. Without
BINARYMIME support, email RFCs require that binary content is
base64-encoded, and formatted as lines of text. </p>
<li> <p> For delivery to non-BINARYMIME systems including UNIX mbox,
the available options are to convert binary content into 8bit text,
one of the 7bit forms (base64 or quoted-printable), or to return
email as undeliverable. Any conversion would obviously break digital
signatures, so conversion would have to happen before signing. </p>
</ul>
<h2> <a name="downsides">Downsides of CHUNKING (BDAT) support</a>
</h2>
<p> The <a href="http://tools.ietf.org/html/rfc3030">RFC 3030</a> authors did not specify any limitations on how
clients may pipeline commands (i.e. send commands without waiting
for a server response). If a server announces PIPELINING support,
like Postfix does, then a remote SMTP client can pipeline all
commands following EHLO, for example, MAIL/RCPT/BDAT/BDAT/MAIL/RCPT/BDAT,
without ever having to wait for a server response. This means that
with BDAT, the Postfix SMTP server cannot distinguish between a
well-behaved client and a spambot, based on their command pipelining
behavior. If you require "<a href="postconf.5.html#reject_unauth_pipelining">reject_unauth_pipelining</a>" to block spambots,
then turn off Postfix's CHUNKING announcement as described above.
</p>
<p> In <a href="http://tools.ietf.org/html/rfc4468">RFC 4468</a>, the authors write that a client may pipeline
commands, and that after sending BURL LAST or BDAT LAST, a client
must wait for the server's response. But as this text does not
appear in <a href="http://tools.ietf.org/html/rfc3030">RFC 3030</a> which defines BDAT, is it a useless restriction
that Postfix will not enforce. </p>
</body>
</html>

2
postfix/html/index.html
View File

@ -199,6 +199,8 @@ Recipients </a>
<li> <a href="DSN_README.html"> Postfix DSN support </a>
<li> <a href="BDAT_README.html"> Postfix BDAT (CHUNKING) support </a>
<li> <a href="PACKAGE_README.html"> Guidelines for Package Builders
</a>

9
postfix/html/lmtp.8.html
View File

@ -547,6 +547,15 @@ SMTP(8) SMTP(8)
<b><a href="postconf.5.html#tls_disable_workarounds">tls_disable_workarounds</a> (see 'postconf -d' output)</b>
List or bit-mask of OpenSSL bug work-arounds to disable.
Available in Postfix version 2.11-3.1:
<b><a href="postconf.5.html#tls_dane_digest_agility">tls_dane_digest_agility</a> (on)</b>
Configure <a href="http://tools.ietf.org/html/rfc7671">RFC7671</a> DANE TLSA digest algorithm agility.
<b><a href="postconf.5.html#tls_dane_trust_anchor_digest_enable">tls_dane_trust_anchor_digest_enable</a> (yes)</b>
Enable support for <a href="http://tools.ietf.org/html/rfc6698">RFC 6698</a> (DANE TLSA) DNS records that contain
digests of trust-anchors with certificate usage "2".
Available in Postfix version 2.11 and later:
<b><a href="postconf.5.html#smtp_tls_trust_anchor_file">smtp_tls_trust_anchor_file</a> (empty)</b>

2
postfix/html/postlogd.8.html
View File

@ -31,7 +31,7 @@ POSTLOGD(8) POSTLOGD(8)
<b><a href="postconf.5.html#maillog_file">log_file</a></b> (also, logging to stdout would interfere with the operation of
some of these programs). These programs can log to <a href="postlogd.8.html"><b>postlogd</b>(8)</a> if they
are run by the super-user, or if their executable file has set-gid per-
mission. Do not set this permision on programs other than <a href="postdrop.1.html"><b>postdrop</b>(1)</a>
mission. Do not set this permission on programs other than <a href="postdrop.1.html"><b>postdrop</b>(1)</a>
and <a href="postqueue.1.html"><b>postqueue</b>(1)</a>.
<b>CONFIGURATION PARAMETERS</b>

9
postfix/html/smtp.8.html
View File

@ -547,6 +547,15 @@ SMTP(8) SMTP(8)
<b><a href="postconf.5.html#tls_disable_workarounds">tls_disable_workarounds</a> (see 'postconf -d' output)</b>
List or bit-mask of OpenSSL bug work-arounds to disable.
Available in Postfix version 2.11-3.1:
<b><a href="postconf.5.html#tls_dane_digest_agility">tls_dane_digest_agility</a> (on)</b>
Configure <a href="http://tools.ietf.org/html/rfc7671">RFC7671</a> DANE TLSA digest algorithm agility.
<b><a href="postconf.5.html#tls_dane_trust_anchor_digest_enable">tls_dane_trust_anchor_digest_enable</a> (yes)</b>
Enable support for <a href="http://tools.ietf.org/html/rfc6698">RFC 6698</a> (DANE TLSA) DNS records that contain
digests of trust-anchors with certificate usage "2".
Available in Postfix version 2.11 and later:
<b><a href="postconf.5.html#smtp_tls_trust_anchor_file">smtp_tls_trust_anchor_file</a> (empty)</b>

3
postfix/html/smtpd.8.html
View File

@ -1322,7 +1322,8 @@ SMTPD(8) SMTPD(8)
<b>README FILES</b>
<a href="ADDRESS_CLASS_README.html">ADDRESS_CLASS_README</a>, blocking unknown hosted or relay recipients
<a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a> Postfix address manipulation
<a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a>, Postfix address manipulation
<a href="BDAT_README.html">BDAT_README</a>, Postfix CHUNKING support
<a href="FILTER_README.html">FILTER_README</a>, external after-queue content filter
<a href="LOCAL_RECIPIENT_README.html">LOCAL_RECIPIENT_README</a>, blocking unknown local recipients
<a href="MILTER_README.html">MILTER_README</a>, before-queue mail filter applications

119
postfix/html/tlsproxy.8.html
View File

@ -55,7 +55,103 @@ TLSPROXY(8) TLSPROXY(8)
The text below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for
more details including examples.
<b>STARTTLS SUPPORT CONTROLS</b>
<b>STARTTLS GLOBAL CONTROLS</b>
The following settings are global and therefore cannot be overruled by
information specified in a <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client request.
<b><a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> (no)</b>
Append the system-supplied default Certification Authority cer-
tificates to the ones specified with *_tls_CApath or
*_tls_CAfile.
<b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b>
The number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a> or <a href="smtpd.8.html"><b>smtpd</b>(8)</a>
process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> server in order to seed its
internal pseudo random number generator (PRNG).
<b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a> (see 'postconf -d' output)</b>
The OpenSSL cipherlist for "high" grade ciphers.
<b><a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a> (see 'postconf -d' output)</b>
The OpenSSL cipherlist for "medium" or higher grade ciphers.
<b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (see 'postconf -d' output)</b>
The OpenSSL cipherlist for "low" or higher grade ciphers.
<b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (see 'postconf -d' output)</b>
The OpenSSL cipherlist for "export" or higher grade ciphers.
<b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
The OpenSSL cipherlist for "NULL" grade ciphers that provide
authentication without encryption.
<b><a href="postconf.5.html#tls_eecdh_strong_curve">tls_eecdh_strong_curve</a> (prime256v1)</b>
The elliptic curve used by the Postfix SMTP server for sensibly
strong ephemeral ECDH key exchange.
<b><a href="postconf.5.html#tls_eecdh_ultra_curve">tls_eecdh_ultra_curve</a> (secp384r1)</b>
The elliptic curve used by the Postfix SMTP server for maximally
strong ephemeral ECDH key exchange.
<b><a href="postconf.5.html#tls_disable_workarounds">tls_disable_workarounds</a> (see 'postconf -d' output)</b>
List or bit-mask of OpenSSL bug work-arounds to disable.
<b><a href="postconf.5.html#tls_preempt_cipherlist">tls_preempt_cipherlist</a> (no)</b>
With SSLv3 and later, use the Postfix SMTP server's cipher pref-
erence order instead of the remote client's cipher preference
order.
Available in Postfix version 2.9 and later:
<b><a href="postconf.5.html#tls_legacy_public_key_fingerprint">tls_legacy_public_key_fingerprints</a> (no)</b>
A temporary migration aid for sites that use certificate <i>pub-</i>
<i>lic-key</i> fingerprints with Postfix 2.9.0..2.9.5, which use an
incorrect algorithm.
Available in Postfix version 2.11-3.1:
<b><a href="postconf.5.html#tls_dane_digest_agility">tls_dane_digest_agility</a> (on)</b>
Configure <a href="http://tools.ietf.org/html/rfc7671">RFC7671</a> DANE TLSA digest algorithm agility.
<b><a href="postconf.5.html#tls_dane_trust_anchor_digest_enable">tls_dane_trust_anchor_digest_enable</a> (yes)</b>
Enable support for <a href="http://tools.ietf.org/html/rfc6698">RFC 6698</a> (DANE TLSA) DNS records that contain
digests of trust-anchors with certificate usage "2".
Available in Postfix version 2.11 and later:
<b><a href="postconf.5.html#tlsmgr_service_name">tlsmgr_service_name</a> (tlsmgr)</b>
The name of the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> service entry in <a href="master.5.html">master.cf</a>.
Available in Postfix version 3.0 and later:
<b><a href="postconf.5.html#tls_session_ticket_cipher">tls_session_ticket_cipher</a> (Postfix</b> &gt;<b>= 3.0: aes-256-cbc, Postfix</b> &lt; <b>3.0:</b>
<b>aes-128-cbc)</b>
Algorithm used to encrypt <a href="http://tools.ietf.org/html/rfc5077">RFC5077</a> TLS session tickets.
<b><a href="postconf.5.html#openssl_path">openssl_path</a> (openssl)</b>
The location of the OpenSSL command line program <b>openssl</b>(1).
Available in Postfix version 3.2 and later:
<b><a href="postconf.5.html#tls_eecdh_auto_curves">tls_eecdh_auto_curves</a> (see 'postconf -d' output)</b>
The prioritized list of elliptic curves supported by the Postfix
SMTP client and server.
Available in Postfix version 3.4 and later:
<b><a href="postconf.5.html#tls_server_sni_maps">tls_server_sni_maps</a> (empty)</b>
Optional lookup tables that map names received from remote SMTP
clients via the TLS Server Name Indication (SNI) extension to
the appropriate keys and certificate chains.
<b>STARTTLS SERVER CONTROLS</b>
These settings are clones of Postfix SMTP server settings. They allow
<a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> to load the same certificate and private key information as
the Postfix SMTP server, before dropping privileges, so that the key
files can be kept read-only for root. These settings can currently not
be overruled by information in a <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client request, but that
limitation may be removed in a future version.
<b><a href="postconf.5.html#tlsproxy_tls_CAfile">tlsproxy_tls_CAfile</a> ($<a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a>)</b>
A file containing (PEM format) CA certificates of root CAs
trusted to sign either remote SMTP client certificates or inter-
@ -155,27 +251,16 @@ TLSPROXY(8) TLSPROXY(8)
when a non-empty value is specified, this overrides the obsolete
parameters <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> and <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>.
Available in Postfix version 2.11 and later:
<b><a href="postconf.5.html#tlsmgr_service_name">tlsmgr_service_name</a> (tlsmgr)</b>
The name of the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> service entry in <a href="master.5.html">master.cf</a>.
Available in Postfix version 3.4 and later:
<b><a href="postconf.5.html#tlsproxy_tls_chain_files">tlsproxy_tls_chain_files</a> ($<a href="postconf.5.html#smtpd_tls_chain_files">smtpd_tls_chain_files</a>)</b>
Files with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server keys and certificate
chains in PEM format.
<b><a href="postconf.5.html#tls_server_sni_maps">tls_server_sni_maps</a> (empty)</b>
Optional lookup tables that map names received from remote SMTP
clients via the TLS Server Name Indication (SNI) extension to
the appropriate keys and certificate chains.
<b>TLS CLIENT CONTROLS</b>
These parameters are clones of SMTP client settings. They allow
<b>STARTTLS CLIENT CONTROLS</b>
These settings are clones of Postfix SMTP client settings. They allow
<a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> to load the same certificate and private key information as
the SMTP client, before dropping privileges, so that the key files can
be kept read-only for root.
the Postfix SMTP client, before dropping privileges, so that the key
files can be kept read-only for root. Some settings may be overruled by
information in a <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client request.
Available in Postfix version 3.4 and later:

2
postfix/man/man8/postlogd.8
View File

@ -34,7 +34,7 @@ Other non\-daemon Postfix programs will never write directly to
with the operation of some of these programs). These programs
can log to \fBpostlogd\fR(8) if they are run by the super\-user,
or if their executable file has set\-gid permission. Do not
set this permision on programs other than \fBpostdrop\fR(1)
set this permission on programs other than \fBpostdrop\fR(1)
and \fBpostqueue\fR(1).
.SH "CONFIGURATION PARAMETERS"
.na

7
postfix/man/man8/smtp.8
View File

@ -489,6 +489,13 @@ Available in Postfix version 2.8 and later:
.IP "\fBtls_disable_workarounds (see 'postconf -d' output)\fR"
List or bit\-mask of OpenSSL bug work\-arounds to disable.
.PP
Available in Postfix version 2.11\-3.1:
.IP "\fBtls_dane_digest_agility (on)\fR"
Configure RFC7671 DANE TLSA digest algorithm agility.
.IP "\fBtls_dane_trust_anchor_digest_enable (yes)\fR"
Enable support for RFC 6698 (DANE TLSA) DNS records that contain
digests of trust\-anchors with certificate usage "2".
.PP
Available in Postfix version 2.11 and later:
.IP "\fBsmtp_tls_trust_anchor_file (empty)\fR"
Zero or more PEM\-format files with trust\-anchor certificates

3
postfix/man/man8/smtpd.8
View File

@ -1157,7 +1157,8 @@ Use "\fBpostconf readme_directory\fR" or
.na
.nf
ADDRESS_CLASS_README, blocking unknown hosted or relay recipients
ADDRESS_REWRITING_README Postfix address manipulation
ADDRESS_REWRITING_README, Postfix address manipulation
BDAT_README, Postfix CHUNKING support
FILTER_README, external after\-queue content filter
LOCAL_RECIPIENT_README, blocking unknown local recipients
MILTER_README, before\-queue mail filter applications

107
postfix/man/man8/tlsproxy.8
View File

@ -71,11 +71,93 @@ reload\fR" to speed up a change.
The text below provides only a parameter summary. See
\fBpostconf\fR(5) for more details including examples.
.SH "STARTTLS SUPPORT CONTROLS"
.SH "STARTTLS GLOBAL CONTROLS"
.na
.nf
.ad
.fi
The following settings are global and therefore cannot be
overruled by information specified in a \fBtlsproxy\fR(8)
client request.
.IP "\fBtls_append_default_CA (no)\fR"
Append the system\-supplied default Certification Authority
certificates to the ones specified with *_tls_CApath or *_tls_CAfile.
.IP "\fBtls_daemon_random_bytes (32)\fR"
The number of pseudo\-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8)
process requests from the \fBtlsmgr\fR(8) server in order to seed its
internal pseudo random number generator (PRNG).
.IP "\fBtls_high_cipherlist (see 'postconf -d' output)\fR"
The OpenSSL cipherlist for "high" grade ciphers.
.IP "\fBtls_medium_cipherlist (see 'postconf -d' output)\fR"
The OpenSSL cipherlist for "medium" or higher grade ciphers.
.IP "\fBtls_low_cipherlist (see 'postconf -d' output)\fR"
The OpenSSL cipherlist for "low" or higher grade ciphers.
.IP "\fBtls_export_cipherlist (see 'postconf -d' output)\fR"
The OpenSSL cipherlist for "export" or higher grade ciphers.
.IP "\fBtls_null_cipherlist (eNULL:!aNULL)\fR"
The OpenSSL cipherlist for "NULL" grade ciphers that provide
authentication without encryption.
.IP "\fBtls_eecdh_strong_curve (prime256v1)\fR"
The elliptic curve used by the Postfix SMTP server for sensibly
strong
ephemeral ECDH key exchange.
.IP "\fBtls_eecdh_ultra_curve (secp384r1)\fR"
The elliptic curve used by the Postfix SMTP server for maximally
strong
ephemeral ECDH key exchange.
.IP "\fBtls_disable_workarounds (see 'postconf -d' output)\fR"
List or bit\-mask of OpenSSL bug work\-arounds to disable.
.IP "\fBtls_preempt_cipherlist (no)\fR"
With SSLv3 and later, use the Postfix SMTP server's cipher
preference order instead of the remote client's cipher preference
order.
.PP
Available in Postfix version 2.9 and later:
.IP "\fBtls_legacy_public_key_fingerprints (no)\fR"
A temporary migration aid for sites that use certificate
\fIpublic\-key\fR fingerprints with Postfix 2.9.0..2.9.5, which use
an incorrect algorithm.
.PP
Available in Postfix version 2.11\-3.1:
.IP "\fBtls_dane_digest_agility (on)\fR"
Configure RFC7671 DANE TLSA digest algorithm agility.
.IP "\fBtls_dane_trust_anchor_digest_enable (yes)\fR"
Enable support for RFC 6698 (DANE TLSA) DNS records that contain
digests of trust\-anchors with certificate usage "2".
.PP
Available in Postfix version 2.11 and later:
.IP "\fBtlsmgr_service_name (tlsmgr)\fR"
The name of the \fBtlsmgr\fR(8) service entry in master.cf.
.PP
Available in Postfix version 3.0 and later:
.IP "\fBtls_session_ticket_cipher (Postfix >= 3.0: aes\-256\-cbc, Postfix < 3.0: aes\-128\-cbc)\fR"
Algorithm used to encrypt RFC5077 TLS session tickets.
.IP "\fBopenssl_path (openssl)\fR"
The location of the OpenSSL command line program \fBopenssl\fR(1).
.PP
Available in Postfix version 3.2 and later:
.IP "\fBtls_eecdh_auto_curves (see 'postconf -d' output)\fR"
The prioritized list of elliptic curves supported by the Postfix
SMTP client and server.
.PP
Available in Postfix version 3.4 and later:
.IP "\fBtls_server_sni_maps (empty)\fR"
Optional lookup tables that map names received from remote SMTP
clients via the TLS Server Name Indication (SNI) extension to the
appropriate keys and certificate chains.
.SH "STARTTLS SERVER CONTROLS"
.na
.nf
.ad
.fi
These settings are clones of Postfix SMTP server settings.
They allow \fBtlsproxy\fR(8) to load the same certificate
and private key information as the Postfix SMTP server,
before dropping privileges, so that the key files can be
kept read\-only for root. These settings can currently not
be overruled by information in a \fBtlsproxy\fR(8) client
request, but that limitation may be removed in a future
version.
.IP "\fBtlsproxy_tls_CAfile ($smtpd_tls_CAfile)\fR"
A file containing (PEM format) CA certificates of root CAs
trusted to sign either remote SMTP client certificates or intermediate
@ -150,29 +232,20 @@ client certificate in order to allow TLS connections to proceed.
The SMTP TLS security level for the Postfix \fBtlsproxy\fR(8) server;
when a non\-empty value is specified, this overrides the obsolete
parameters smtpd_use_tls and smtpd_enforce_tls.
.PP
Available in Postfix version 2.11 and later:
.IP "\fBtlsmgr_service_name (tlsmgr)\fR"
The name of the \fBtlsmgr\fR(8) service entry in master.cf.
.PP
Available in Postfix version 3.4 and later:
.IP "\fBtlsproxy_tls_chain_files ($smtpd_tls_chain_files)\fR"
Files with the Postfix \fBtlsproxy\fR(8) server keys and certificate
chains in PEM format.
.IP "\fBtls_server_sni_maps (empty)\fR"
Optional lookup tables that map names received from remote SMTP
clients via the TLS Server Name Indication (SNI) extension to the
appropriate keys and certificate chains.
.SH "TLS CLIENT CONTROLS"
.SH "STARTTLS CLIENT CONTROLS"
.na
.nf
.ad
.fi
These parameters are clones of SMTP client settings. They
allow \fBtlsproxy\fR(8) to load the same certificate and
private key information as the SMTP client, before dropping
privileges, so that the key files can be kept read\-only for
root.
These settings are clones of Postfix SMTP client settings.
They allow \fBtlsproxy\fR(8) to load the same certificate
and private key information as the Postfix SMTP client,
before dropping privileges, so that the key files can be
kept read\-only for root. Some settings may be overruled by
information in a \fBtlsproxy\fR(8) client request.
.PP
Available in Postfix version 3.4 and later:
.IP "\fBtlsproxy_client_CAfile ($smtp_tls_CAfile)\fR"

2
postfix/mantools/postlink
View File

@ -763,6 +763,8 @@ while (<>) {
s;\btls_session_ticket_cipher\b;<a href="postconf.5.html#tls_session_ticket_cipher">$&</a>;g;
s;\btls_server_sni_maps\b;<a href="postconf.5.html#tls_server_sni_maps">$&</a>;g;
s;\btls_ssl_options\b;<a href="postconf.5.html#tls_ssl_options">$&</a>;g;
s;\btls_dane_digest_agility\b;<a href="postconf.5.html#tls_dane_digest_agility">$&</a>;g;
s;\btls_dane_trust_anchor_digest_enable\b;<a href="postconf.5.html#tls_dane_trust_anchor_digest_enable">$&</a>;g;
s;\bfrozen_delivered_to\b;<a href="postconf.5.html#frozen_delivered_to">$&</a>;g;
s;\breset_owner_alias\b;<a href="postconf.5.html#reset_owner_alias">$&</a>;g;

178
postfix/proto/BDAT_README.html Normal file
View File

@ -0,0 +1,178 @@
<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Postfix BDAT (CHUNKING) support</title>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body>
<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix
BDAT (CHUNKING) support</h1>
<hr>
<h2>Overview </h2>
<p> Postfix SMTP server supports RFC 3030 CHUNKING (the BDAT command)
without BINARYMIME, in both smtpd(8) and postscreen(8). It is enabled
by default. </p>
<p> Topics covered in this document: </p>
<ul>
<li><a href="#disable"> Disabling BDAT support</a>
<li><a href="#impact"> Impact on existing configurations</a>
<li><a href="#example"> Example SMTP session</a>
<li> <a href="#benefits">Benefits of CHUNKING (BDAT) support without BINARYMIME</a>
<li> <a href="#downsides">Downsides of CHUNKING (BDAT) support</a>
</ul>
<h2> <a name="disable"> Disabling BDAT support </a> </h2>
<p> BDAT support is enabled by default. To disable BDAT support
globally: </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
# The logging alternative:
smtpd_discard_ehlo_keywords = chunking
# The non-logging alternative:
smtpd_discard_ehlo_keywords = chunking, silent_discard
</pre>
</blockquote>
<p> Specify '-o smtpd_discard_ehlo_keywords=' in master.cf
for the submission and smtps services, if you have clients
that benefit from CHUNKING support. </p>
<h2> <a name="impact"> Impact on existing configurations </a> </h2>
<ul>
<li> <p> There are no changes for smtpd_mumble_restrictions,
smtpd_proxy_filter, smtpd_milters, or for postscreen settings,
except for the above mentioned option to suppress the SMTP server's
CHUNKING service announcement. </p>
<li> <p> There are no changes in the Postfix queue file content,
no changes for down-stream SMTP servers or after-queue content
filters, and no changes in the envelope or message content that
Milters will receive. </p>
</ul>
<h2> <a name="example"> Example SMTP session</a> </h2>
<p> The main differences are that the Postfix SMTP server announces
"CHUNKING" support in the EHLO response, and that instead of sending
one DATA request, the remote SMTP client may send one or more BDAT
requests. In the example below, "S:" indicates server responses,
and "C:" indicates client requests (bold font). </p>
<blockquote>
<pre>
S: 220 server.example.com
C: <b>EHLO client.example.com</b>
S: 250-server.example.com
S: 250-PIPELINING
S: 250-SIZE 153600000
S: 250-VRFY
S: 250-ETRN
S: 250-STARTTLS
S: 250-AUTH PLAIN LOGIN
S: 250-ENHANCEDSTATUSCODES
S: 250-8BITMIME
S: 250-DSN
S: 250-SMTPUTF8
S: 250 CHUNKING
C: <b>MAIL FROM:&lt;sender@example.com&gt;</b>
S: 250 2.1.0 Ok
C: <b>RCPT TO:&lt;recipient@example.com&gt;</b>
S: 250 2.1.5 Ok
C: <b>BDAT 10000</b>
C: <b>..followed by 10000 bytes...</b>
S: 250 2.0.0 Ok: 10000 bytes
C: <b>BDAT 123</b>
C: <b>..followed by 123 bytes...</b>
S: 250 2.0.0 Ok: 123 bytes
C: <b>BDAT 0 LAST</b>
S: 250 2.0.0 Ok: 10123 bytes queued as 41yYhh41qmznjbD
C: <b>QUIT</b>
S: 221 2.0.0 Bye
</pre>
</blockquote>
<p> Internally in Postfix, there is no difference between mail that
was received with BDAT or with DATA. Postfix smtpd_mumble_restrictions,
policy delegation queries, smtpd_proxy_filter and Milters all behave
as if Postfix received (MAIL + RCPT + DATA + end-of-data). However,
Postfix will log BDAT-related failures as "xxx after BDAT" to avoid
complicating troubleshooting (xxx = 'lost connection' or 'timeout'),
and will log a warning when a client sends a malformed BDAT command.
</p>
<h2> <a name="benefits">Benefits of CHUNKING (BDAT) support without
BINARYMIME</a> </h2>
<p> Support for CHUNKING (BDAT) was added to improve interoperability
with some clients, a benefit that would reportedly exist even without
Postfix support for BINARYMIME. Since June 2018, Wietse's mail
server has received BDAT commands from a variety of systems. </p>
<p> Postfix does not support BINARYMIME at this time because: </p>
<ul>
<li> <p> BINARYMIME support would require moderately invasive
changes to Postfix, to support email content that is not line-oriented.
With BINARYMIME, the Content-Length: message header specifies the
length of content that may or may not have line boundaries. Without
BINARYMIME support, email RFCs require that binary content is
base64-encoded, and formatted as lines of text. </p>
<li> <p> For delivery to non-BINARYMIME systems including UNIX mbox,
the available options are to convert binary content into 8bit text,
one of the 7bit forms (base64 or quoted-printable), or to return
email as undeliverable. Any conversion would obviously break digital
signatures, so conversion would have to happen before signing. </p>
</ul>
<h2> <a name="downsides">Downsides of CHUNKING (BDAT) support</a>
</h2>
<p> The RFC 3030 authors did not specify any limitations on how
clients may pipeline commands (i.e. send commands without waiting
for a server response). If a server announces PIPELINING support,
like Postfix does, then a remote SMTP client can pipeline all
commands following EHLO, for example, MAIL/RCPT/BDAT/BDAT/MAIL/RCPT/BDAT,
without ever having to wait for a server response. This means that
with BDAT, the Postfix SMTP server cannot distinguish between a
well-behaved client and a spambot, based on their command pipelining
behavior. If you require "reject_unauth_pipelining" to block spambots,
then turn off Postfix's CHUNKING announcement as described above.
</p>
<p> In RFC 4468, the authors write that a client may pipeline
commands, and that after sending BURL LAST or BDAT LAST, a client
must wait for the server's response. But as this text does not
appear in RFC 3030 which defines BDAT, is it a useless restriction
that Postfix will not enforce. </p>
</body>
</html>

8
postfix/proto/Makefile.in
View File

@ -11,6 +11,7 @@ HTML = ../html/ADDRESS_CLASS_README.html \
../html/ADDRESS_VERIFICATION_README.html \
../html/BACKSCATTER_README.html \
../html/BASIC_CONFIGURATION_README.html \
../html/BDAT_README.html \
../html/BUILTIN_FILTER_README.html \
../html/CDB_README.html \
../html/COMPATIBILITY_README.html \
@ -57,6 +58,7 @@ README = ../README_FILES/ADDRESS_CLASS_README \
../README_FILES/ADDRESS_VERIFICATION_README \
../README_FILES/BACKSCATTER_README \
../README_FILES/BASIC_CONFIGURATION_README \
../README_FILES/BDAT_README \
../README_FILES/BUILTIN_FILTER_README \
../README_FILES/CDB_README \
../README_FILES/COMPATIBILITY_README \
@ -179,6 +181,9 @@ clobber:
../html/BASIC_CONFIGURATION_README.html: BASIC_CONFIGURATION_README.html
$(DETAB) $? | $(POSTLINK) >$@
../html/BDAT_README.html: BDAT_README.html
$(DETAB) $? | $(POSTLINK) >$@
../html/BUILTIN_FILTER_README.html: BUILTIN_FILTER_README.html
$(DETAB) $? | $(POSTLINK) >$@
@ -338,6 +343,9 @@ clobber:
../README_FILES/BASIC_CONFIGURATION_README: BASIC_CONFIGURATION_README.html
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/BDAT_README: BDAT_README.html
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/BUILTIN_FILTER_README: BUILTIN_FILTER_README.html
$(DETAB) $? | $(HT2READ) >$@

4
postfix/src/global/mail_version.h
View File

@ -20,8 +20,8 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
#define MAIL_RELEASE_DATE "20190209"
#define MAIL_VERSION_NUMBER "3.4"
#define MAIL_RELEASE_DATE "20190210"
#define MAIL_VERSION_NUMBER "3.5"
#ifdef SNAPSHOT
#define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE

5
postfix/src/master/master_conf.c
View File

@ -30,6 +30,11 @@
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
/*
/* Wietse Venema
/* Google, Inc.
/* 111 8th Avenue
/* New York, NY 10011, USA
/*--*/
/* System libraries. */

2
postfix/src/postlogd/postlogd.c
View File

@ -26,7 +26,7 @@
/* with the operation of some of these programs). These programs
/* can log to \fBpostlogd\fR(8) if they are run by the super-user,
/* or if their executable file has set-gid permission. Do not
/* set this permision on programs other than \fBpostdrop\fR(1)
/* set this permission on programs other than \fBpostdrop\fR(1)
/* and \fBpostqueue\fR(1).
/* CONFIGURATION PARAMETERS
/* .ad

7
postfix/src/smtp/smtp.c
View File

@ -459,6 +459,13 @@
/* .IP "\fBtls_disable_workarounds (see 'postconf -d' output)\fR"
/* List or bit-mask of OpenSSL bug work-arounds to disable.
/* .PP
/* Available in Postfix version 2.11-3.1:
/* .IP "\fBtls_dane_digest_agility (on)\fR"
/* Configure RFC7671 DANE TLSA digest algorithm agility.
/* .IP "\fBtls_dane_trust_anchor_digest_enable (yes)\fR"
/* Enable support for RFC 6698 (DANE TLSA) DNS records that contain
/* digests of trust-anchors with certificate usage "2".
/* .PP
/* Available in Postfix version 2.11 and later:
/* .IP "\fBsmtp_tls_trust_anchor_file (empty)\fR"
/* Zero or more PEM-format files with trust-anchor certificates

3
postfix/src/smtpd/smtpd.c
View File

@ -1095,7 +1095,8 @@
/* .na
/* .nf
/* ADDRESS_CLASS_README, blocking unknown hosted or relay recipients
/* ADDRESS_REWRITING_README Postfix address manipulation
/* ADDRESS_REWRITING_README, Postfix address manipulation
/* BDAT_README, Postfix CHUNKING support
/* FILTER_README, external after-queue content filter
/* LOCAL_RECIPIENT_README, blocking unknown local recipients
/* MILTER_README, before-queue mail filter applications

1
postfix/src/tls/tls_proxy.h
View File

@ -123,6 +123,7 @@ extern int tls_proxy_client_init_print(ATTR_PRINT_MASTER_FN, VSTREAM *, int, voi
extern int tls_proxy_client_init_scan(ATTR_SCAN_MASTER_FN, VSTREAM *, int, void *);
extern void tls_proxy_client_init_free(TLS_CLIENT_INIT_PROPS *);
extern char *tls_proxy_client_init_to_string(VSTRING *, TLS_CLIENT_INIT_PROPS *);
extern char *tls_proxy_client_init_with_names_to_string(VSTRING *, TLS_CLIENT_INIT_PROPS *);
extern int tls_proxy_client_start_print(ATTR_PRINT_MASTER_FN, VSTREAM *, int, void *);
extern int tls_proxy_client_start_scan(ATTR_SCAN_MASTER_FN, VSTREAM *, int, void *);

60
postfix/src/tls/tls_proxy_client_misc.c
View File

@ -16,6 +16,10 @@
/* char *tls_proxy_client_param_with_names_to_string(buf, params)
/* VSTRING *buf;
/* TLS_CLIENT_PARAMS *params;
/*
/* char *tls_proxy_client_init_to_string(buf, init_props)
/* VSTRING *buf;
/* TLS_CLIENT_INIT_PROPS *init_props;
/* DESCRIPTION
/* tls_proxy_client_param_from_config() initializes a TLS_CLIENT_PARAMS
/* structure from configuration parameters and returns its
@ -25,10 +29,19 @@
/* tls_proxy_client_param_to_string() produces a lookup key
/* that is unique for the TLS_CLIENT_PARAMS member values.
/*
/* tls_proxy_client_param_with_names_to_string() TODO produces a
/* string with "name = value\n" for each TLS_CLIENT_PARAMS member.
/* This may be useful for reporting differences between
/* tls_proxy_client_param_with_names_to_string() produces a
/* string with "name = value\n" for each TLS_CLIENT_PARAMS
/* member. This may be useful for reporting differences between
/* TLS_CLIENT_PARAMS instances.
/*
/* tls_proxy_client_init_to_string() produces a lookup key
/* that is unique for the properties received by
/* tls_proxy_client_init_scan().
/*
/* tls_proxy_client_init_with_names_to_string() produces a
/* string with "name = value\n" for each TLS_CLIENT_INIT_PROPS
/* member. This may be useful for reporting differences between
/* TLS_CLIENT_INIT_PROPS instances.
/* LICENSE
/* .ad
/* .fi
@ -141,4 +154,45 @@ char *tls_proxy_client_param_with_names_to_string(VSTRING *buf, TLS_CLIENT_PAR
return (vstring_str(buf));
}
/* tls_proxy_client_init_to_string - serialize to string */
char *tls_proxy_client_init_to_string(VSTRING *buf,
TLS_CLIENT_INIT_PROPS *props)
{
vstring_sprintf(buf, "%s\n%s\n%d\n%s\n%s\n%s\n%s\n%s\n%s\n"
"%s\n%s\n%s\n%s\n%s\n", props->log_param,
props->log_level, props->verifydepth,
props->cache_type, props->chain_files,
props->cert_file, props->key_file,
props->dcert_file, props->dkey_file,
props->eccert_file, props->eckey_file,
props->CAfile, props->CApath, props->mdalg);
return (vstring_str(buf));
}
/* tls_proxy_client_init_with_names_to_string - serialize to string */
char *tls_proxy_client_init_with_names_to_string(VSTRING *buf,
TLS_CLIENT_INIT_PROPS *props)
{
vstring_sprintf(buf, "%s = %s\n%s = %s\n%s = %d\n%s = %s\n%s = %s\n"
"%s = %s\n%s = %s\n%s = %s\n%s = %s\n%s = %s\n"
"%s = %s\n%s = %s\n%s = %s\n%s = %s\n",
TLS_ATTR_LOG_PARAM, props->log_param,
TLS_ATTR_LOG_LEVEL, props->log_level,
TLS_ATTR_VERIFYDEPTH, props->verifydepth,
TLS_ATTR_CACHE_TYPE, props->cache_type,
TLS_ATTR_CHAIN_FILES, props->chain_files,
TLS_ATTR_CERT_FILE, props->cert_file,
TLS_ATTR_KEY_FILE, props->key_file,
TLS_ATTR_DCERT_FILE, props->dcert_file,
TLS_ATTR_DKEY_FILE, props->dkey_file,
TLS_ATTR_ECCERT_FILE, props->eccert_file,
TLS_ATTR_ECKEY_FILE, props->eckey_file,
TLS_ATTR_CAFILE, props->CAfile,
TLS_ATTR_CAPATH, props->CApath,
TLS_ATTR_MDALG, props->mdalg);
return (vstring_str(buf));
}
#endif

24
postfix/src/tls/tls_proxy_client_scan.c
View File

@ -21,10 +21,6 @@
/* int flags;
/* void *ptr;
/*
/* char *tls_proxy_client_init_to_string(buf, init_props)
/* VSTRING *buf;
/* TLS_CLIENT_INIT_PROPS *init_props;
/*
/* void tls_proxy_client_init_free(init_props)
/* TLS_CLIENT_INIT_PROPS *init_props;
/*
@ -57,10 +53,6 @@
/* scan routine. tls_proxy_client_init_scan() is meant to be passed
/* as a call-back function to attr_scan(), as shown below.
/*
/* tls_proxy_client_init_to_string() produces a lookup key
/* that is unique for the properties received by
/* tls_proxy_client_init_scan().
/*
/* tls_proxy_client_init_free() destroys a TLS_CLIENT_INIT_PROPS
/* structure that was created by tls_proxy_client_init_scan().
/*
@ -324,22 +316,6 @@ int tls_proxy_client_init_scan(ATTR_SCAN_MASTER_FN scan_fn, VSTREAM *fp,
return (ret);
}
/* tls_proxy_client_init_to_string - serialize to string */
char *tls_proxy_client_init_to_string(VSTRING *buf,
TLS_CLIENT_INIT_PROPS *props)
{
vstring_sprintf(buf, "%s\n%s\n%d\n%s\n%s\n%s\n%s\n%s\n%s\n"
"%s\n%s\n%s\n%s\n%s\n", props->log_param,
props->log_level, props->verifydepth,
props->cache_type, props->chain_files,
props->cert_file, props->key_file,
props->dcert_file, props->dkey_file,
props->eccert_file, props->eckey_file,
props->CAfile, props->CApath, props->mdalg);
return (vstring_str(buf));
}
/* tls_proxy_client_certs_free - destroy TLS_PKEYS from stream */
static void tls_proxy_client_certs_free(TLS_CERTS *tp)

147
postfix/src/tlsproxy/tlsproxy.c
View File

@ -57,9 +57,89 @@
/*
/* The text below provides only a parameter summary. See
/* \fBpostconf\fR(5) for more details including examples.
/* STARTTLS SUPPORT CONTROLS
/* STARTTLS GLOBAL CONTROLS
/* .ad
/* .fi
/* The following settings are global and therefore cannot be
/* overruled by information specified in a \fBtlsproxy\fR(8)
/* client request.
/* .IP "\fBtls_append_default_CA (no)\fR"
/* Append the system-supplied default Certification Authority
/* certificates to the ones specified with *_tls_CApath or *_tls_CAfile.
/* .IP "\fBtls_daemon_random_bytes (32)\fR"
/* The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8)
/* process requests from the \fBtlsmgr\fR(8) server in order to seed its
/* internal pseudo random number generator (PRNG).
/* .IP "\fBtls_high_cipherlist (see 'postconf -d' output)\fR"
/* The OpenSSL cipherlist for "high" grade ciphers.
/* .IP "\fBtls_medium_cipherlist (see 'postconf -d' output)\fR"
/* The OpenSSL cipherlist for "medium" or higher grade ciphers.
/* .IP "\fBtls_low_cipherlist (see 'postconf -d' output)\fR"
/* The OpenSSL cipherlist for "low" or higher grade ciphers.
/* .IP "\fBtls_export_cipherlist (see 'postconf -d' output)\fR"
/* The OpenSSL cipherlist for "export" or higher grade ciphers.
/* .IP "\fBtls_null_cipherlist (eNULL:!aNULL)\fR"
/* The OpenSSL cipherlist for "NULL" grade ciphers that provide
/* authentication without encryption.
/* .IP "\fBtls_eecdh_strong_curve (prime256v1)\fR"
/* The elliptic curve used by the Postfix SMTP server for sensibly
/* strong
/* ephemeral ECDH key exchange.
/* .IP "\fBtls_eecdh_ultra_curve (secp384r1)\fR"
/* The elliptic curve used by the Postfix SMTP server for maximally
/* strong
/* ephemeral ECDH key exchange.
/* .IP "\fBtls_disable_workarounds (see 'postconf -d' output)\fR"
/* List or bit-mask of OpenSSL bug work-arounds to disable.
/* .IP "\fBtls_preempt_cipherlist (no)\fR"
/* With SSLv3 and later, use the Postfix SMTP server's cipher
/* preference order instead of the remote client's cipher preference
/* order.
/* .PP
/* Available in Postfix version 2.9 and later:
/* .IP "\fBtls_legacy_public_key_fingerprints (no)\fR"
/* A temporary migration aid for sites that use certificate
/* \fIpublic-key\fR fingerprints with Postfix 2.9.0..2.9.5, which use
/* an incorrect algorithm.
/* .PP
/* Available in Postfix version 2.11-3.1:
/* .IP "\fBtls_dane_digest_agility (on)\fR"
/* Configure RFC7671 DANE TLSA digest algorithm agility.
/* .IP "\fBtls_dane_trust_anchor_digest_enable (yes)\fR"
/* Enable support for RFC 6698 (DANE TLSA) DNS records that contain
/* digests of trust-anchors with certificate usage "2".
/* .PP
/* Available in Postfix version 2.11 and later:
/* .IP "\fBtlsmgr_service_name (tlsmgr)\fR"
/* The name of the \fBtlsmgr\fR(8) service entry in master.cf.
/* .PP
/* Available in Postfix version 3.0 and later:
/* .IP "\fBtls_session_ticket_cipher (Postfix >= 3.0: aes-256-cbc, Postfix < 3.0: aes-128-cbc)\fR"
/* Algorithm used to encrypt RFC5077 TLS session tickets.
/* .IP "\fBopenssl_path (openssl)\fR"
/* The location of the OpenSSL command line program \fBopenssl\fR(1).
/* .PP
/* Available in Postfix version 3.2 and later:
/* .IP "\fBtls_eecdh_auto_curves (see 'postconf -d' output)\fR"
/* The prioritized list of elliptic curves supported by the Postfix
/* SMTP client and server.
/* .PP
/* Available in Postfix version 3.4 and later:
/* .IP "\fBtls_server_sni_maps (empty)\fR"
/* Optional lookup tables that map names received from remote SMTP
/* clients via the TLS Server Name Indication (SNI) extension to the
/* appropriate keys and certificate chains.
/* STARTTLS SERVER CONTROLS
/* .ad
/* .fi
/* These settings are clones of Postfix SMTP server settings.
/* They allow \fBtlsproxy\fR(8) to load the same certificate
/* and private key information as the Postfix SMTP server,
/* before dropping privileges, so that the key files can be
/* kept read-only for root. These settings can currently not
/* be overruled by information in a \fBtlsproxy\fR(8) client
/* request, but that limitation may be removed in a future
/* version.
/* .IP "\fBtlsproxy_tls_CAfile ($smtpd_tls_CAfile)\fR"
/* A file containing (PEM format) CA certificates of root CAs
/* trusted to sign either remote SMTP client certificates or intermediate
@ -134,27 +214,18 @@
/* The SMTP TLS security level for the Postfix \fBtlsproxy\fR(8) server;
/* when a non-empty value is specified, this overrides the obsolete
/* parameters smtpd_use_tls and smtpd_enforce_tls.
/* .PP
/* Available in Postfix version 2.11 and later:
/* .IP "\fBtlsmgr_service_name (tlsmgr)\fR"
/* The name of the \fBtlsmgr\fR(8) service entry in master.cf.
/* .PP
/* Available in Postfix version 3.4 and later:
/* .IP "\fBtlsproxy_tls_chain_files ($smtpd_tls_chain_files)\fR"
/* Files with the Postfix \fBtlsproxy\fR(8) server keys and certificate
/* chains in PEM format.
/* .IP "\fBtls_server_sni_maps (empty)\fR"
/* Optional lookup tables that map names received from remote SMTP
/* clients via the TLS Server Name Indication (SNI) extension to the
/* appropriate keys and certificate chains.
/* TLS CLIENT CONTROLS
/* STARTTLS CLIENT CONTROLS
/* .ad
/* .fi
/* These parameters are clones of SMTP client settings. They
/* allow \fBtlsproxy\fR(8) to load the same certificate and
/* private key information as the SMTP client, before dropping
/* privileges, so that the key files can be kept read-only for
/* root.
/* These settings are clones of Postfix SMTP client settings.
/* They allow \fBtlsproxy\fR(8) to load the same certificate
/* and private key information as the Postfix SMTP client,
/* before dropping privileges, so that the key files can be
/* kept read-only for root. Some settings may be overruled by
/* information in a \fBtlsproxy\fR(8) client request.
/* .PP
/* Available in Postfix version 3.4 and later:
/* .IP "\fBtlsproxy_client_CAfile ($smtp_tls_CAfile)\fR"
@ -430,14 +501,14 @@ static TLS_APPL_STATE *tlsp_server_ctx;
static TLS_APPL_STATE *tlsp_client_ctx;
static bool tlsp_pre_jail_done;
static int ask_client_cert;
static char *tlsp_pre_jail_client_param_key; /* pre-jail global params */
static char *tlsp_pre_jail_client_init_key; /* pre-jail init props */
/*
* TLS per-client status.
*/
static HTABLE *tlsp_client_app_cache;
static BH_TABLE *tlsp_params_mismatch_filter;
static char *tlsp_pre_jail_client_param_key;
static char *tlsp_pre_jail_client_init_key;
static HTABLE *tlsp_client_app_cache; /* per-client init props */
static BH_TABLE *tlsp_params_mismatch_filter; /* per-client nag filter */
/*
* Error handling: if a function detects an error, then that function is
@ -1088,16 +1159,19 @@ static TLS_APPL_STATE *tlsp_client_init(TLS_CLIENT_PARAMS *tls_params,
/*
* Use one TLS_APPL_STATE object for all requests that specify the same
* TLS_CLIENT_INIT_PROPS. Each TLS_APPL_STATE owns an SSL_CTX, which is
* expensive to create.
* expensive to create. Bug: TLS_CLIENT_PARAMS are not used when creating
* a TLS_APPL_STATE instance.
*
* First, compute the TLS_APPL_STATE cache lookup key. Save a copy of the
* TLS_CLIENT_PARAMS and TLSPROXY_CLIENT_INIT_PROPS settings from the
* pre-jail internal request.
* pre-jail request TLS_CLIENT_PARAMS and TLSPROXY_CLIENT_INIT_PROPS
* settings, so that we can detect post-jail requests that do not match.
*/
param_buf = vstring_alloc(100);
param_key = tls_proxy_client_param_to_string(param_buf, tls_params);
param_key = tls_proxy_client_param_with_names_to_string(
param_buf, tls_params);
init_buf = vstring_alloc(100);
init_key = tls_proxy_client_init_to_string(init_buf, init_props);
init_key = tls_proxy_client_init_with_names_to_string(
init_buf, init_props);
if (tlsp_pre_jail_done == 0) {
if (tlsp_pre_jail_client_param_key != 0
|| tlsp_pre_jail_client_init_key != 0)
@ -1108,9 +1182,9 @@ static TLS_APPL_STATE *tlsp_client_init(TLS_CLIENT_PARAMS *tls_params,
/*
* Log a warning if a post-jail request uses unexpected TLS_CLIENT_PARAMS
* settings. These differences are problematic because TLS_CLIENT_PARAMS
* settings are unfortunately not passed to tls_client_init(). Only the
* init_props settings are used.
* settings. Bug: TLS_CLIENT_PARAMS settings are not used when creating a
* TLS_APPL_STATE instance; this makes a mismatch of TLS_CLIENT_PARAMS
* settings problematic.
*/
if (tlsp_pre_jail_done
&& !been_here_fixed(tlsp_params_mismatch_filter, param_key)
@ -1129,10 +1203,12 @@ static TLS_APPL_STATE *tlsp_client_init(TLS_CLIENT_PARAMS *tls_params,
/*
* Before creating a TLS_APPL_STATE instance, log a warning if a
* post-jail request differs from the saved pre-jail request AND the
* request specifies file/directory pathname arguments. Requests
* containing pathnames are problematic after chroot (pathname
* resolution) and after dropping privileges (key files must be root
* read-only).
* post-jail request specifies file/directory pathname arguments.
* Unexpected requests containing pathnames are problematic after
* chroot (pathname resolution) and after dropping privileges (key
* files must be root read-only). Unexpected requests are not a
* problem as long as they contain no pathnames (for example a
* tls_loglevel change).
*
* We could eliminate some of this complication by adding code that
* opens a cert/key lookup table at pre-jail time, and by reading
@ -1607,9 +1683,8 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
tlsp_pre_jail_done = 1;
/*
* Unfortunately TLS_CLIENT_PARAMS attributes correspond to global state
* and can therefore not be used when creating TLS_APPL_STATE instances,
* but we can warn about attribute mismatches.
* Bug: TLS_CLIENT_PARAMS attributes are not used when creating a
* TLS_APPL_STATE instance; we can only warn about attribute mismatches.
*/
tlsp_params_mismatch_filter = been_here_init(BH_BOUND_NONE, BH_FLAG_NONE);
}