mir/postfix
2
0
Fork 0
mirror of https://github.com/vdukhovni/postfix synced 2025-08-31 22:25:24 +00:00
Code Issues Releases Wiki Activity

postfix-2.8-20100610

Browse Source
This commit is contained in:
Wietse Venema
2010-06-10 00:00:00 -05:00
committed by Viktor Dukhovni
parent 31ff4331c2
commit c72f9888ca
11 changed files with 159 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
postfix/HISTORY
View File

@@ -15799,8 +15799,8 @@ Apologies for any names omitted.
tls/tls_dh.c, tls/tls_server.c. tls/tls_dh.c, tls/tls_server.c.
Portability: Mac OS 10.6.3 requires <arpa/nameser_compat.h> Portability: Mac OS 10.6.3 requires <arpa/nameser_compat.h>
instead of <arpa/nameser8_compat.h>. Files: makedefs, instead of <nameser8_compat.h>. Files: makedefs, util/sys_defs.h,
util/sys_defs.h, dns/dns.h. dns/dns.h.
20100531 20100531
@@ -15820,3 +15820,14 @@ Apologies for any names omitted.
Portability: Berkeley DB 5.x has the same API as Berkeley Portability: Berkeley DB 5.x has the same API as Berkeley
DB 4.1 and later. File: util/dict_db.c. DB 4.1 and later. File: util/dict_db.c.
20100610
Postfix no longer appends the system default CAs to the
lists specified with *_tls_CAfile or with *_tls_CApath.
This prevents third-party certificates from being trusted
and being given mail relay permission with
permit_tls_all_clientcerts. To get the old behavior specify
"tls_append_default_CA = yes". Files: tls/tls_certkey.c,
tls/tls_misc.c, global/mail_params.h. proto/postconf.proto,
mantools/postlink.

10
postfix/RELEASE_NOTES
View File

@@ -14,6 +14,16 @@ specifies the release date of a stable release or snapshot release.
If you upgrade from Postfix 2.6 or earlier, read RELEASE_NOTES-2.7 If you upgrade from Postfix 2.6 or earlier, read RELEASE_NOTES-2.7
before proceeding. before proceeding.
Incompatibility with snapshot 20100610
======================================
Postfix no longer appends the system-supplied default CAs to the
lists specified with *_tls_CAfile or with *_tls_CApath. This prevents
third-party certificates from being trusted and being given mail
relay permission with permit_tls_all_clientcerts.
Specify "tls_append_default_CA = yes" for the old behavior.
Incompatibility with snapshot 20100101 Incompatibility with snapshot 20100101
====================================== ======================================

49
postfix/html/postconf.5.html
View File

@@ -6202,7 +6202,8 @@ Examples:
<p> <p>
The internet domain name of this mail system. The default is to The internet domain name of this mail system. The default is to
use $<a href="postconf.5.html#myhostname">myhostname</a> minus the first component. $<a href="postconf.5.html#mydomain">mydomain</a> is used as use $<a href="postconf.5.html#myhostname">myhostname</a> minus the first component, or "localdomain" (Postfix
2.3 and later). $<a href="postconf.5.html#mydomain">mydomain</a> is used as
a default value for many other configuration parameters. a default value for many other configuration parameters.
</p> </p>
@@ -6222,9 +6223,10 @@ Example:
<p> <p>
The internet hostname of this mail system. The default is to use The internet hostname of this mail system. The default is to use
the fully-qualified domain name from gethostname(). $<a href="postconf.5.html#myhostname">myhostname</a> is the fully-qualified domain name (FQDN) from gethostname(), or to
used as a default value for many other configuration parameters. use the non-FQDN result from gethostname() and append ".$<a href="postconf.5.html#mydomain">mydomain</a>".
</p> $<a href="postconf.5.html#myhostname">myhostname</a> is used as a default value for many other configuration
parameters. </p>
<p> <p>
Example: Example:
@@ -9457,6 +9459,10 @@ file may also be used to augment the client certificate trust chain,
but it is best to include all the required certificates directly in but it is best to include all the required certificates directly in
$<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>. </p> $<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>. </p>
<p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party
certificates. This setting is default as of Postfix 2.8. </p>
<p> Example: </p> <p> Example: </p>
<pre> <pre>
@@ -9480,6 +9486,10 @@ with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
<p> To use this option in chroot mode, this directory (or a copy) <p> To use this option in chroot mode, this directory (or a copy)
must be inside the chroot jail. </p> must be inside the chroot jail. </p>
<p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party
certificates. This setting is default as of Postfix 2.8. </p>
<p> Example: </p> <p> Example: </p>
<pre> <pre>
@@ -11131,8 +11141,10 @@ authenticated via the <a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>
<dd> Permit the request when the remote SMTP client certificate is <dd> Permit the request when the remote SMTP client certificate is
verified successfully. This option must be used only if a special verified successfully. This option must be used only if a special
CA issues the certificates and only this CA is listed as trusted CA issues the certificates and only this CA is listed as trusted
CA, otherwise all clients with a recognized certificate would be CA. This requires that "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" (the default
allowed to relay. This feature is available with Postfix version 2.2.</dd> with Postfix 2.8 and later). Otherwise, clients with a third-party
certificate would also be allowed to relay. This feature is available
with Postfix version 2.2.</dd>
<dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt> <dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
@@ -12945,6 +12957,10 @@ file may also be used to augment the server certificate trust chain,
but it is best to include all the required certificates directly in the but it is best to include all the required certificates directly in the
server certificate file. </p> server certificate file. </p>
<p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party
certificates. This setting is default as of Postfix 2.8. </p>
<p> By default (see <a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>), client certificates are not <p> By default (see <a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>), client certificates are not
requested, and <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> should remain empty. If you do make use requested, and <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> should remain empty. If you do make use
of client certificates, the distinguished names (DNs) of the certificate of client certificates, the distinguished names (DNs) of the certificate
@@ -12976,6 +12992,10 @@ for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". To use
<a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> in chroot mode, this directory (or a copy) must be <a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> in chroot mode, this directory (or a copy) must be
inside the chroot jail. </p> inside the chroot jail. </p>
<p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party
certificates. This setting is default as of Postfix 2.8. </p>
<p> By default (see <a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>), client certificates are <p> By default (see <a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>), client certificates are
not requested, and <a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> should remain empty. In contrast not requested, and <a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> should remain empty. In contrast
to <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a>, DNs of certificate authorities installed to <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a>, DNs of certificate authorities installed
@@ -14087,6 +14107,23 @@ connections. Next, you enable Postfix TCP servers with the updated
<p> This feature is available in Postfix 2.6 and later. </p> <p> This feature is available in Postfix 2.6 and later. </p>
</DD>
<DT><b><a name="tls_append_default_CA">tls_append_default_CA</a>
(default: no)</b></DT><DD>
<p> Append the system-supplied default certificate authority
certificates to the ones specified with *_tls_CApath or *_tls_CAfile.
</p>
<p> To avoid massive compatibility breaks, this parameter defaults
to "yes" for Postfix versions 2.7 and earlier. That is, they trust
third-party certificates and they give relay permission with
<a href="postconf.5.html#permit_tls_all_clientcerts">permit_tls_all_clientcerts</a>. </p>
<p> This feature is retroactive in Postfix 2.4 and later. </p>
</DD> </DD>
<DT><b><a name="tls_daemon_random_bytes">tls_daemon_random_bytes</a> <DT><b><a name="tls_daemon_random_bytes">tls_daemon_random_bytes</a>

41
postfix/man/man5/postconf.5
View File

@@ -3473,7 +3473,8 @@ mydestination = $myhostname, localhost.$mydomain www.$mydomain, ftp.$mydomain
.ft R .ft R
.SH mydomain (default: see "postconf -d" output) .SH mydomain (default: see "postconf -d" output)
The internet domain name of this mail system. The default is to The internet domain name of this mail system. The default is to
use $myhostname minus the first component. $mydomain is used as use $myhostname minus the first component, or "localdomain" (Postfix
2.3 and later). $mydomain is used as
a default value for many other configuration parameters. a default value for many other configuration parameters.
.PP .PP
Example: Example:
@@ -3487,8 +3488,10 @@ mydomain = domain.tld
.ft R .ft R
.SH myhostname (default: see "postconf -d" output) .SH myhostname (default: see "postconf -d" output)
The internet hostname of this mail system. The default is to use The internet hostname of this mail system. The default is to use
the fully-qualified domain name from gethostname(). $myhostname is the fully-qualified domain name (FQDN) from gethostname(), or to
used as a default value for many other configuration parameters. use the non-FQDN result from gethostname() and append ".$mydomain".
$myhostname is used as a default value for many other configuration
parameters.
.PP .PP
Example: Example:
.PP .PP
@@ -5409,6 +5412,10 @@ file may also be used to augment the client certificate trust chain,
but it is best to include all the required certificates directly in but it is best to include all the required certificates directly in
$smtp_tls_cert_file. $smtp_tls_cert_file.
.PP .PP
Specify "tls_append_default_CA = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party
certificates. This setting is default as of Postfix 2.8.
.PP
Example: Example:
.PP .PP
.nf .nf
@@ -5429,6 +5436,10 @@ with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
To use this option in chroot mode, this directory (or a copy) To use this option in chroot mode, this directory (or a copy)
must be inside the chroot jail. must be inside the chroot jail.
.PP .PP
Specify "tls_append_default_CA = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party
certificates. This setting is default as of Postfix 2.8.
.PP
Example: Example:
.PP .PP
.nf .nf
@@ -6792,8 +6803,10 @@ authenticated via the RFC 4954 (AUTH) protocol.
Permit the request when the remote SMTP client certificate is Permit the request when the remote SMTP client certificate is
verified successfully. This option must be used only if a special verified successfully. This option must be used only if a special
CA issues the certificates and only this CA is listed as trusted CA issues the certificates and only this CA is listed as trusted
CA, otherwise all clients with a recognized certificate would be CA. This requires that "tls_append_default_CA = no" (the default
allowed to relay. This feature is available with Postfix version 2.2. with Postfix 2.8 and later). Otherwise, clients with a third-party
certificate would also be allowed to relay. This feature is available
with Postfix version 2.2.
.IP "\fBpermit_tls_clientcerts\fR" .IP "\fBpermit_tls_clientcerts\fR"
Permit the request when the remote SMTP client certificate Permit the request when the remote SMTP client certificate
fingerprint is listed in $relay_clientcerts. fingerprint is listed in $relay_clientcerts.
@@ -8036,6 +8049,10 @@ file may also be used to augment the server certificate trust chain,
but it is best to include all the required certificates directly in the but it is best to include all the required certificates directly in the
server certificate file. server certificate file.
.PP .PP
Specify "tls_append_default_CA = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party
certificates. This setting is default as of Postfix 2.8.
.PP
By default (see smtpd_tls_ask_ccert), client certificates are not By default (see smtpd_tls_ask_ccert), client certificates are not
requested, and smtpd_tls_CAfile should remain empty. If you do make use requested, and smtpd_tls_CAfile should remain empty. If you do make use
of client certificates, the distinguished names (DNs) of the certificate of client certificates, the distinguished names (DNs) of the certificate
@@ -8065,6 +8082,10 @@ for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". To use
smtpd_tls_CApath in chroot mode, this directory (or a copy) must be smtpd_tls_CApath in chroot mode, this directory (or a copy) must be
inside the chroot jail. inside the chroot jail.
.PP .PP
Specify "tls_append_default_CA = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party
certificates. This setting is default as of Postfix 2.8.
.PP
By default (see smtpd_tls_ask_ccert), client certificates are By default (see smtpd_tls_ask_ccert), client certificates are
not requested, and smtpd_tls_CApath should remain empty. In contrast not requested, and smtpd_tls_CApath should remain empty. In contrast
to smtpd_tls_CAfile, DNs of certificate authorities installed to smtpd_tls_CAfile, DNs of certificate authorities installed
@@ -8919,6 +8940,16 @@ tcp_windowsize change will work only for Postfix TCP clients (\fBsmtp\fR(8),
\fBlmtp\fR(8)). \fBlmtp\fR(8)).
.PP .PP
This feature is available in Postfix 2.6 and later. This feature is available in Postfix 2.6 and later.
.SH tls_append_default_CA (default: no)
Append the system-supplied default certificate authority
certificates to the ones specified with *_tls_CApath or *_tls_CAfile.
.PP
To avoid massive compatibility breaks, this parameter defaults
to "yes" for Postfix versions 2.7 and earlier. That is, they trust
third-party certificates and they give relay permission with
permit_tls_all_clientcerts.
.PP
This feature is retroactive in Postfix 2.4 and later.
.SH tls_daemon_random_bytes (default: 32) .SH tls_daemon_random_bytes (default: 32)
The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8) The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8)
process requests from the \fBtlsmgr\fR(8) server in order to seed its process requests from the \fBtlsmgr\fR(8) server in order to seed its

1
postfix/mantools/postlink
View File

@@ -677,6 +677,7 @@ while (<>) {
s;\btls_null_cipherlist\b;<a href="postconf.5.html#tls_null_cipherlist">$&</a>;g; s;\btls_null_cipherlist\b;<a href="postconf.5.html#tls_null_cipherlist">$&</a>;g;
s;\btls_eecdh_strong_curve\b;<a href="postconf.5.html#tls_eecdh_strong_curve">$&</a>;g; s;\btls_eecdh_strong_curve\b;<a href="postconf.5.html#tls_eecdh_strong_curve">$&</a>;g;
s;\btls_eecdh_ultra_curve\b;<a href="postconf.5.html#tls_eecdh_ultra_curve">$&</a>;g; s;\btls_eecdh_ultra_curve\b;<a href="postconf.5.html#tls_eecdh_ultra_curve">$&</a>;g;
s;\btls_append_default_CA\b;<a href="postconf.5.html#tls_append_default_CA">$&</a>;g;
s;\bfrozen_delivered_to\b;<a href="postconf.5.html#frozen_delivered_to">$&</a>;g; s;\bfrozen_delivered_to\b;<a href="postconf.5.html#frozen_delivered_to">$&</a>;g;

45
postfix/proto/postconf.proto
View File

@@ -2884,7 +2884,8 @@ mydestination = $myhostname, localhost.$mydomain www.$mydomain, ftp.$mydomain
<p> <p>
The internet domain name of this mail system. The default is to The internet domain name of this mail system. The default is to
use $myhostname minus the first component. $mydomain is used as use $myhostname minus the first component, or "localdomain" (Postfix
2.3 and later). $mydomain is used as
a default value for many other configuration parameters. a default value for many other configuration parameters.
</p> </p>
@@ -2900,9 +2901,10 @@ mydomain = domain.tld
<p> <p>
The internet hostname of this mail system. The default is to use The internet hostname of this mail system. The default is to use
the fully-qualified domain name from gethostname(). $myhostname is the fully-qualified domain name (FQDN) from gethostname(), or to
used as a default value for many other configuration parameters. use the non-FQDN result from gethostname() and append ".$mydomain".
</p> $myhostname is used as a default value for many other configuration
parameters. </p>
<p> <p>
Example: Example:
@@ -4858,8 +4860,10 @@ authenticated via the RFC 4954 (AUTH) protocol. </dd>
<dd> Permit the request when the remote SMTP client certificate is <dd> Permit the request when the remote SMTP client certificate is
verified successfully. This option must be used only if a special verified successfully. This option must be used only if a special
CA issues the certificates and only this CA is listed as trusted CA issues the certificates and only this CA is listed as trusted
CA, otherwise all clients with a recognized certificate would be CA. This requires that "tls_append_default_CA = no" (the default
allowed to relay. This feature is available with Postfix version 2.2.</dd> with Postfix 2.8 and later). Otherwise, clients with a third-party
certificate would also be allowed to relay. This feature is available
with Postfix version 2.2.</dd>
<dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt> <dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
@@ -8672,6 +8676,10 @@ file may also be used to augment the server certificate trust chain,
but it is best to include all the required certificates directly in the but it is best to include all the required certificates directly in the
server certificate file. </p> server certificate file. </p>
<p> Specify "tls_append_default_CA = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party
certificates. This setting is default as of Postfix 2.8. </p>
<p> By default (see smtpd_tls_ask_ccert), client certificates are not <p> By default (see smtpd_tls_ask_ccert), client certificates are not
requested, and smtpd_tls_CAfile should remain empty. If you do make use requested, and smtpd_tls_CAfile should remain empty. If you do make use
of client certificates, the distinguished names (DNs) of the certificate of client certificates, the distinguished names (DNs) of the certificate
@@ -8699,6 +8707,10 @@ for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". To use
smtpd_tls_CApath in chroot mode, this directory (or a copy) must be smtpd_tls_CApath in chroot mode, this directory (or a copy) must be
inside the chroot jail. </p> inside the chroot jail. </p>
<p> Specify "tls_append_default_CA = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party
certificates. This setting is default as of Postfix 2.8. </p>
<p> By default (see smtpd_tls_ask_ccert), client certificates are <p> By default (see smtpd_tls_ask_ccert), client certificates are
not requested, and smtpd_tls_CApath should remain empty. In contrast not requested, and smtpd_tls_CApath should remain empty. In contrast
to smtpd_tls_CAfile, DNs of certificate authorities installed to smtpd_tls_CAfile, DNs of certificate authorities installed
@@ -9067,6 +9079,10 @@ file may also be used to augment the client certificate trust chain,
but it is best to include all the required certificates directly in but it is best to include all the required certificates directly in
$smtp_tls_cert_file. </p> $smtp_tls_cert_file. </p>
<p> Specify "tls_append_default_CA = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party
certificates. This setting is default as of Postfix 2.8. </p>
<p> Example: </p> <p> Example: </p>
<pre> <pre>
@@ -9086,6 +9102,10 @@ with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
<p> To use this option in chroot mode, this directory (or a copy) <p> To use this option in chroot mode, this directory (or a copy)
must be inside the chroot jail. </p> must be inside the chroot jail. </p>
<p> Specify "tls_append_default_CA = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party
certificates. This setting is default as of Postfix 2.8. </p>
<p> Example: </p> <p> Example: </p>
<pre> <pre>
@@ -9375,6 +9395,19 @@ smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
<p> This feature is available in Postfix 2.2 and later. </p> <p> This feature is available in Postfix 2.2 and later. </p>
%PARAM tls_append_default_CA no
<p> Append the system-supplied default certificate authority
certificates to the ones specified with *_tls_CApath or *_tls_CAfile.
</p>
<p> To avoid massive compatibility breaks, this parameter defaults
to "yes" for Postfix versions 2.7 and earlier. That is, they trust
third-party certificates and they give relay permission with
permit_tls_all_clientcerts. </p>
<p> This feature is retroactive in Postfix 2.4 and later. </p>
%PARAM tls_random_exchange_name see "postconf -d" output %PARAM tls_random_exchange_name see "postconf -d" output
<p> Name of the pseudo random number generator (PRNG) state file <p> Name of the pseudo random number generator (PRNG) state file

4
postfix/src/global/mail_params.h
View File

@@ -623,6 +623,10 @@ extern bool var_stat_home_dir;
#define DEF_DUP_FILTER_LIMIT 1000 #define DEF_DUP_FILTER_LIMIT 1000
extern int var_dup_filter_limit; extern int var_dup_filter_limit;
#define VAR_TLS_APPEND_DEF_CA "tls_append_default_CA"
#define DEF_TLS_APPEND_DEF_CA 0 /* 1 for Postfix < 2.8 */
extern bool var_tls_append_def_CA;
#define VAR_TLS_RAND_EXCH_NAME "tls_random_exchange_name" #define VAR_TLS_RAND_EXCH_NAME "tls_random_exchange_name"
#define DEF_TLS_RAND_EXCH_NAME "${data_directory}/prng_exch" #define DEF_TLS_RAND_EXCH_NAME "${data_directory}/prng_exch"
extern char *var_tls_rand_exch_name; extern char *var_tls_rand_exch_name;

2
postfix/src/global/mail_version.h
View File

@@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no * Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only. * patchlevel; they change the release date only.
*/ */
#define MAIL_RELEASE_DATE "20100603" #define MAIL_RELEASE_DATE "20100610"
#define MAIL_VERSION_NUMBER "2.8" #define MAIL_VERSION_NUMBER "2.8"
#ifdef SNAPSHOT #ifdef SNAPSHOT

1
postfix/src/tls/Makefile.in
View File

@@ -101,6 +101,7 @@ tls_bio_ops.o: ../../include/vstring.h
tls_bio_ops.o: tls.h tls_bio_ops.o: tls.h
tls_bio_ops.o: tls_bio_ops.c tls_bio_ops.o: tls_bio_ops.c
tls_certkey.o: ../../include/argv.h tls_certkey.o: ../../include/argv.h
tls_certkey.o: ../../include/mail_params.h
tls_certkey.o: ../../include/msg.h tls_certkey.o: ../../include/msg.h
tls_certkey.o: ../../include/name_code.h tls_certkey.o: ../../include/name_code.h
tls_certkey.o: ../../include/name_mask.h tls_certkey.o: ../../include/name_mask.h

6
postfix/src/tls/tls_certkey.c
View File

@@ -70,6 +70,10 @@
#include <msg.h> #include <msg.h>
/* Global library. */
#include <mail_params.h>
/* TLS library. */ /* TLS library. */
#define TLS_INTERNAL #define TLS_INTERNAL
@@ -91,7 +95,7 @@ int tls_set_ca_certificate_info(SSL_CTX *ctx, const char *CAfile,
tls_print_errors(); tls_print_errors();
return (-1); return (-1);
} }
if (!SSL_CTX_set_default_verify_paths(ctx)) { if (var_tls_append_def_CA && !SSL_CTX_set_default_verify_paths(ctx)) {
msg_info("cannot set certificate verification paths: " msg_info("cannot set certificate verification paths: "
"disabling TLS support"); "disabling TLS support");
tls_print_errors(); tls_print_errors();

6
postfix/src/tls/tls_misc.c
View File

@@ -15,6 +15,7 @@
/* char *var_tls_eecdh_strong; /* char *var_tls_eecdh_strong;
/* char *var_tls_eecdh_ultra; /* char *var_tls_eecdh_ultra;
/* int var_tls_daemon_rand_bytes; /* int var_tls_daemon_rand_bytes;
/* bool var_tls_append_def_CA;
/* /*
/* TLS_APPL_STATE *tls_alloc_app_context(ssl_ctx) /* TLS_APPL_STATE *tls_alloc_app_context(ssl_ctx)
/* SSL_CTX *ssl_ctx; /* SSL_CTX *ssl_ctx;
@@ -190,6 +191,7 @@ char *var_tls_null_clist;
int var_tls_daemon_rand_bytes; int var_tls_daemon_rand_bytes;
char *var_tls_eecdh_strong; char *var_tls_eecdh_strong;
char *var_tls_eecdh_ultra; char *var_tls_eecdh_ultra;
bool var_tls_append_def_CA;
/* /*
* Index to attach TLScontext pointers to SSL objects, so that they can be * Index to attach TLScontext pointers to SSL objects, so that they can be
@@ -407,6 +409,10 @@ void tls_param_init(void)
VAR_TLS_DAEMON_RAND_BYTES, DEF_TLS_DAEMON_RAND_BYTES, &var_tls_daemon_rand_bytes, 1, 0, VAR_TLS_DAEMON_RAND_BYTES, DEF_TLS_DAEMON_RAND_BYTES, &var_tls_daemon_rand_bytes, 1, 0,
0, 0,
}; };
static const CONFIG_BOOL_TABLE bool_table[] = {
VAR_TLS_APPEND_DEF_CA, DEF_TLS_APPEND_DEF_CA, &var_tls_append_def_CA,
0,
};
static int init_done; static int init_done;
if (init_done) if (init_done)