postfix-2.8-20100610

2025-08-30 13:48:06 +00:00 · 2010-06-10 00:00:00 -05:00 · 2010-06-10 00:00:00 -05:00 · c72f9888ca
commit c72f9888ca
parent 31ff4331c2
11 changed files with 159 additions and 21 deletions
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@ -15799,8 +15799,8 @@ Apologies for any names omitted.
 	tls/tls_dh.c, tls/tls_server.c.

 	Portability: Mac OS 10.6.3 requires <arpa/nameser_compat.h>
-	instead of <arpa/nameser8_compat.h>. Files: makedefs,
-	util/sys_defs.h, dns/dns.h.
+	instead of <nameser8_compat.h>. Files: makedefs, util/sys_defs.h,
+	dns/dns.h.

 20100531

@ -15820,3 +15820,14 @@ Apologies for any names omitted.

 	Portability: Berkeley DB 5.x has the same API as Berkeley
 	DB 4.1 and later. File: util/dict_db.c.
+
+20100610
+
+	Postfix no longer appends the system default CAs to the
+	lists specified with *_tls_CAfile or with *_tls_CApath.
+	This prevents third-party certificates from being trusted
+	and being given mail relay permission with
+	permit_tls_all_clientcerts.  To get the old behavior specify
+	"tls_append_default_CA = yes".  Files: tls/tls_certkey.c,
+	tls/tls_misc.c, global/mail_params.h.  proto/postconf.proto,
+	mantools/postlink.
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@ -14,6 +14,16 @@ specifies the release date of a stable release or snapshot release.
 If you upgrade from Postfix 2.6 or earlier, read RELEASE_NOTES-2.7
 before proceeding.

+Incompatibility with snapshot 20100610
+======================================
+
+Postfix no longer appends the system-supplied default CAs to the
+lists specified with *_tls_CAfile or with *_tls_CApath. This prevents
+third-party certificates from being trusted and being given mail
+relay permission with permit_tls_all_clientcerts.
+
+Specify "tls_append_default_CA = yes" for the old behavior.
+
 Incompatibility with snapshot 20100101
 ======================================

--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@ -6202,7 +6202,8 @@ Examples:

 <p>
 The internet domain name of this mail system.  The default is to
-use $<a href="postconf.5.html#myhostname">myhostname</a> minus the first component.  $<a href="postconf.5.html#mydomain">mydomain</a> is used as
+use $<a href="postconf.5.html#myhostname">myhostname</a> minus the first component, or "localdomain" (Postfix
+2.3 and later).  $<a href="postconf.5.html#mydomain">mydomain</a> is used as
 a default value for many other configuration parameters.
 </p>

@ -6222,9 +6223,10 @@ Example:

 <p>
 The internet hostname of this mail system. The default is to use
-the fully-qualified domain name from gethostname(). $<a href="postconf.5.html#myhostname">myhostname</a> is
-used as a default value for many other configuration parameters.
-</p>
+the fully-qualified domain name (FQDN) from gethostname(), or to
+use the non-FQDN result from gethostname() and append ".$<a href="postconf.5.html#mydomain">mydomain</a>".
+$<a href="postconf.5.html#myhostname">myhostname</a> is used as a default value for many other configuration
+parameters.  </p>

 <p>
 Example:
@ -9457,6 +9459,10 @@ file may also be used to augment the client certificate trust chain,
 but it is best to include all the required certificates directly in
 $<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>. </p>

+<p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. This setting is default as of Postfix 2.8. </p>
+
 <p> Example: </p>

 <pre>
@ -9480,6 +9486,10 @@ with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
 <p> To use this option in chroot mode, this directory (or a copy)
 must be inside the chroot jail. </p>

+<p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. This setting is default as of Postfix 2.8. </p>
+
 <p> Example: </p>

 <pre>
@ -11131,8 +11141,10 @@ authenticated via the <a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>
 <dd> Permit the request when the remote SMTP client certificate is
 verified successfully.  This option must be used only if a special
 CA issues the certificates and only this CA is listed as trusted
-CA, otherwise all clients with a recognized certificate would be
-allowed to relay. This feature is available with Postfix version 2.2.</dd>
+CA. This requires that "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" (the default
+with Postfix 2.8 and later).  Otherwise, clients with a third-party
+certificate would also be allowed to relay. This feature is available
+with Postfix version 2.2.</dd>

 <dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>

@ -12945,6 +12957,10 @@ file may also be used to augment the server certificate trust chain,
 but it is best to include all the required certificates directly in the
 server certificate file. </p>

+<p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. This setting is default as of Postfix 2.8. </p>
+
 <p> By default (see <a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>), client certificates are not
 requested, and <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> should remain empty. If you do make use
 of client certificates, the distinguished names (DNs) of the certificate
@ -12976,6 +12992,10 @@ for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". To use
 <a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> in chroot mode, this directory (or a copy) must be
 inside the chroot jail. </p>

+<p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. This setting is default as of Postfix 2.8. </p>
+
 <p> By default (see <a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>), client certificates are
 not requested, and <a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> should remain empty. In contrast
 to <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a>, DNs of certificate authorities installed
@ -14087,6 +14107,23 @@ connections.  Next, you enable Postfix TCP servers with the updated
 <p> This feature is available in Postfix 2.6 and later. </p>


+</DD>
+
+<DT><b><a name="tls_append_default_CA">tls_append_default_CA</a>
+(default: no)</b></DT><DD>
+
+<p> Append the system-supplied default certificate authority
+certificates to the ones specified with *_tls_CApath or *_tls_CAfile.
+</p>
+
+<p> To avoid massive compatibility breaks, this parameter defaults
+to "yes" for Postfix versions 2.7 and earlier. That is, they trust
+third-party certificates and they give relay permission with
+<a href="postconf.5.html#permit_tls_all_clientcerts">permit_tls_all_clientcerts</a>.  </p>
+
+<p> This feature is retroactive in Postfix 2.4 and later. </p>
+
+
 </DD>

 <DT><b><a name="tls_daemon_random_bytes">tls_daemon_random_bytes</a>
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@ -3473,7 +3473,8 @@ mydestination = $myhostname, localhost.$mydomain www.$mydomain, ftp.$mydomain
 .ft R
 .SH mydomain (default: see "postconf -d" output)
 The internet domain name of this mail system.  The default is to
-use $myhostname minus the first component.  $mydomain is used as
+use $myhostname minus the first component, or "localdomain" (Postfix
+2.3 and later).  $mydomain is used as
 a default value for many other configuration parameters.
 .PP
 Example:
@ -3487,8 +3488,10 @@ mydomain = domain.tld
 .ft R
 .SH myhostname (default: see "postconf -d" output)
 The internet hostname of this mail system. The default is to use
-the fully-qualified domain name from gethostname(). $myhostname is
-used as a default value for many other configuration parameters.
+the fully-qualified domain name (FQDN) from gethostname(), or to
+use the non-FQDN result from gethostname() and append ".$mydomain".
+$myhostname is used as a default value for many other configuration
+parameters.
 .PP
 Example:
 .PP
@ -5409,6 +5412,10 @@ file may also be used to augment the client certificate trust chain,
 but it is best to include all the required certificates directly in
 $smtp_tls_cert_file.
 .PP
+Specify "tls_append_default_CA = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. This setting is default as of Postfix 2.8.
+.PP
 Example:
 .PP
 .nf
@ -5429,6 +5436,10 @@ with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
 To use this option in chroot mode, this directory (or a copy)
 must be inside the chroot jail.
 .PP
+Specify "tls_append_default_CA = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. This setting is default as of Postfix 2.8.
+.PP
 Example:
 .PP
 .nf
@ -6792,8 +6803,10 @@ authenticated via the RFC 4954 (AUTH) protocol.
 Permit the request when the remote SMTP client certificate is
 verified successfully.  This option must be used only if a special
 CA issues the certificates and only this CA is listed as trusted
-CA, otherwise all clients with a recognized certificate would be
-allowed to relay. This feature is available with Postfix version 2.2.
+CA. This requires that "tls_append_default_CA = no" (the default
+with Postfix 2.8 and later).  Otherwise, clients with a third-party
+certificate would also be allowed to relay. This feature is available
+with Postfix version 2.2.
 .IP "\fBpermit_tls_clientcerts\fR"
 Permit the request when the remote SMTP client certificate
 fingerprint is listed in $relay_clientcerts.
@ -8036,6 +8049,10 @@ file may also be used to augment the server certificate trust chain,
 but it is best to include all the required certificates directly in the
 server certificate file.
 .PP
+Specify "tls_append_default_CA = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. This setting is default as of Postfix 2.8.
+.PP
 By default (see smtpd_tls_ask_ccert), client certificates are not
 requested, and smtpd_tls_CAfile should remain empty. If you do make use
 of client certificates, the distinguished names (DNs) of the certificate
@ -8065,6 +8082,10 @@ for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". To use
 smtpd_tls_CApath in chroot mode, this directory (or a copy) must be
 inside the chroot jail.
 .PP
+Specify "tls_append_default_CA = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. This setting is default as of Postfix 2.8.
+.PP
 By default (see smtpd_tls_ask_ccert), client certificates are
 not requested, and smtpd_tls_CApath should remain empty. In contrast
 to smtpd_tls_CAfile, DNs of certificate authorities installed
@ -8919,6 +8940,16 @@ tcp_windowsize change will work only for Postfix TCP clients (\fBsmtp\fR(8),
 \fBlmtp\fR(8)).
 .PP
 This feature is available in Postfix 2.6 and later.
+.SH tls_append_default_CA (default: no)
+Append the system-supplied default certificate authority
+certificates to the ones specified with *_tls_CApath or *_tls_CAfile.
+.PP
+To avoid massive compatibility breaks, this parameter defaults
+to "yes" for Postfix versions 2.7 and earlier. That is, they trust
+third-party certificates and they give relay permission with
+permit_tls_all_clientcerts.
+.PP
+This feature is retroactive in Postfix 2.4 and later.
 .SH tls_daemon_random_bytes (default: 32)
 The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8)
 process requests from the \fBtlsmgr\fR(8) server in order to seed its
--- a/postfix/mantools/postlink
+++ b/postfix/mantools/postlink
@ -677,6 +677,7 @@ while (<>) {
    s;\btls_null_cipherlist\b;<a href="postconf.5.html#tls_null_cipherlist">$&</a>;g;
    s;\btls_eecdh_strong_curve\b;<a href="postconf.5.html#tls_eecdh_strong_curve">$&</a>;g;
    s;\btls_eecdh_ultra_curve\b;<a href="postconf.5.html#tls_eecdh_ultra_curve">$&</a>;g;
+    s;\btls_append_default_CA\b;<a href="postconf.5.html#tls_append_default_CA">$&</a>;g;
 
    s;\bfrozen_delivered_to\b;<a href="postconf.5.html#frozen_delivered_to">$&</a>;g;

--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@ -2884,7 +2884,8 @@ mydestination = $myhostname, localhost.$mydomain www.$mydomain, ftp.$mydomain

 <p>
 The internet domain name of this mail system.  The default is to
-use $myhostname minus the first component.  $mydomain is used as
+use $myhostname minus the first component, or "localdomain" (Postfix
+2.3 and later).  $mydomain is used as
 a default value for many other configuration parameters.
 </p>

@ -2900,9 +2901,10 @@ mydomain = domain.tld

 <p>
 The internet hostname of this mail system. The default is to use
-the fully-qualified domain name from gethostname(). $myhostname is
-used as a default value for many other configuration parameters.
-</p>
+the fully-qualified domain name (FQDN) from gethostname(), or to
+use the non-FQDN result from gethostname() and append ".$mydomain".
+$myhostname is used as a default value for many other configuration
+parameters.  </p>

 <p>
 Example:
@ -4858,8 +4860,10 @@ authenticated via the RFC 4954 (AUTH) protocol. </dd>
 <dd> Permit the request when the remote SMTP client certificate is
 verified successfully.  This option must be used only if a special
 CA issues the certificates and only this CA is listed as trusted
-CA, otherwise all clients with a recognized certificate would be
-allowed to relay. This feature is available with Postfix version 2.2.</dd>
+CA. This requires that "tls_append_default_CA = no" (the default
+with Postfix 2.8 and later).  Otherwise, clients with a third-party
+certificate would also be allowed to relay. This feature is available
+with Postfix version 2.2.</dd>

 <dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>

@ -8672,6 +8676,10 @@ file may also be used to augment the server certificate trust chain,
 but it is best to include all the required certificates directly in the
 server certificate file. </p>

+<p> Specify "tls_append_default_CA = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. This setting is default as of Postfix 2.8. </p>
+
 <p> By default (see smtpd_tls_ask_ccert), client certificates are not
 requested, and smtpd_tls_CAfile should remain empty. If you do make use
 of client certificates, the distinguished names (DNs) of the certificate
@ -8699,6 +8707,10 @@ for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". To use
 smtpd_tls_CApath in chroot mode, this directory (or a copy) must be
 inside the chroot jail. </p>

+<p> Specify "tls_append_default_CA = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. This setting is default as of Postfix 2.8. </p>
+
 <p> By default (see smtpd_tls_ask_ccert), client certificates are
 not requested, and smtpd_tls_CApath should remain empty. In contrast
 to smtpd_tls_CAfile, DNs of certificate authorities installed
@ -9067,6 +9079,10 @@ file may also be used to augment the client certificate trust chain,
 but it is best to include all the required certificates directly in
 $smtp_tls_cert_file. </p>

+<p> Specify "tls_append_default_CA = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. This setting is default as of Postfix 2.8. </p>
+
 <p> Example: </p>

 <pre>
@ -9086,6 +9102,10 @@ with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
 <p> To use this option in chroot mode, this directory (or a copy) 
 must be inside the chroot jail. </p>

+<p> Specify "tls_append_default_CA = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. This setting is default as of Postfix 2.8. </p>
+
 <p> Example: </p>

 <pre>
@ -9375,6 +9395,19 @@ smtp_tls_dcert_file = /etc/postfix/client-dsa.pem

 <p> This feature is available in Postfix 2.2 and later.  </p>

+%PARAM tls_append_default_CA no
+
+<p> Append the system-supplied default certificate authority
+certificates to the ones specified with *_tls_CApath or *_tls_CAfile.
+</p>
+
+<p> To avoid massive compatibility breaks, this parameter defaults
+to "yes" for Postfix versions 2.7 and earlier. That is, they trust
+third-party certificates and they give relay permission with
+permit_tls_all_clientcerts.  </p>
+
+<p> This feature is retroactive in Postfix 2.4 and later. </p>
+
 %PARAM tls_random_exchange_name see "postconf -d" output

 <p> Name of the pseudo random number generator (PRNG) state file
--- a/postfix/src/global/mail_params.h
+++ b/postfix/src/global/mail_params.h
@ -623,6 +623,10 @@ extern bool var_stat_home_dir;
 #define DEF_DUP_FILTER_LIMIT	1000
 extern int var_dup_filter_limit;

+#define VAR_TLS_APPEND_DEF_CA	"tls_append_default_CA"
+#define DEF_TLS_APPEND_DEF_CA	0	/* 1 for Postfix < 2.8 */
+extern bool var_tls_append_def_CA;
+
 #define VAR_TLS_RAND_EXCH_NAME	"tls_random_exchange_name"
 #define DEF_TLS_RAND_EXCH_NAME	"${data_directory}/prng_exch"
 extern char *var_tls_rand_exch_name;
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@ -20,7 +20,7 @@
  * Patches change both the patchlevel and the release date. Snapshots have no
  * patchlevel; they change the release date only.
  */
-#define MAIL_RELEASE_DATE	"20100603"
+#define MAIL_RELEASE_DATE	"20100610"
 #define MAIL_VERSION_NUMBER	"2.8"

 #ifdef SNAPSHOT
--- a/postfix/src/tls/Makefile.in
+++ b/postfix/src/tls/Makefile.in
@ -101,6 +101,7 @@ tls_bio_ops.o: ../../include/vstring.h
 tls_bio_ops.o: tls.h
 tls_bio_ops.o: tls_bio_ops.c
 tls_certkey.o: ../../include/argv.h
+tls_certkey.o: ../../include/mail_params.h
 tls_certkey.o: ../../include/msg.h
 tls_certkey.o: ../../include/name_code.h
 tls_certkey.o: ../../include/name_mask.h
--- a/postfix/src/tls/tls_certkey.c
+++ b/postfix/src/tls/tls_certkey.c
@ -70,6 +70,10 @@

 #include <msg.h>

+/* Global library. */
+
+#include <mail_params.h>
+
 /* TLS library. */

 #define TLS_INTERNAL
@ -91,7 +95,7 @@ int     tls_set_ca_certificate_info(SSL_CTX *ctx, const char *CAfile,
 	    tls_print_errors();
 	    return (-1);
 	}
-	if (!SSL_CTX_set_default_verify_paths(ctx)) {
+	if (var_tls_append_def_CA && !SSL_CTX_set_default_verify_paths(ctx)) {
 	    msg_info("cannot set certificate verification paths: "
 		     "disabling TLS support");
 	    tls_print_errors();
--- a/postfix/src/tls/tls_misc.c
+++ b/postfix/src/tls/tls_misc.c
@ -15,6 +15,7 @@
 /*	char	*var_tls_eecdh_strong;
 /*	char	*var_tls_eecdh_ultra;
 /*	int	var_tls_daemon_rand_bytes;
+/*	bool    var_tls_append_def_CA;
 /*
 /*	TLS_APPL_STATE *tls_alloc_app_context(ssl_ctx)
 /*	SSL_CTX	*ssl_ctx;
@ -190,6 +191,7 @@ char   *var_tls_null_clist;
 int     var_tls_daemon_rand_bytes;
 char   *var_tls_eecdh_strong;
 char   *var_tls_eecdh_ultra;
+bool    var_tls_append_def_CA;

 /*
  * Index to attach TLScontext pointers to SSL objects, so that they can be
@ -407,6 +409,10 @@ void    tls_param_init(void)
 	VAR_TLS_DAEMON_RAND_BYTES, DEF_TLS_DAEMON_RAND_BYTES, &var_tls_daemon_rand_bytes, 1, 0,
 	0,
    };
+    static const CONFIG_BOOL_TABLE bool_table[] = {
+	VAR_TLS_APPEND_DEF_CA, DEF_TLS_APPEND_DEF_CA, &var_tls_append_def_CA,
+	0,
+    };
    static int init_done;

    if (init_done)