postfix-3.6-20200316

2025-08-22 01:49:47 +00:00 · 2020-03-16 00:00:00 -05:00 · 2020-03-16 00:00:00 -05:00 · cd2d0e0e1a
commit cd2d0e0e1a
parent 564963b7f5
7 changed files with 8 additions and 39 deletions
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@ -24666,10 +24666,8 @@ Apologies for any names omitted.
 	but "smtpd_tls_ask_clientcert = no".  Files: proto/postconf.proto,
 	smtpd/smtpd_check.c.

-20200315
+20200316

-	Bugfix (introduced: 20190517 development release): in
-	check_ccert_access, the issuer_cn and subject_cn matches
-	now require that the client certificate is signed by a CA
-	that the Postfix SMTP server trusts. Files: smtpd/smtpd_check.c,
+	Removed the issuer_cn and subject_cn matches from
+	check_ccert_access. Files: smtpd/smtpd_check.c,
 	proto/postconf.proto.
--- a/postfix/RELEASE_NOTES-3.5
+++ b/postfix/RELEASE_NOTES-3.5
@ -72,10 +72,7 @@ exact same result:
                search_order = cert_fingerprint, pubkey_fingerprint } }
        ...

-The check_ccert_access search order also supports the subject_cn and
-issuer_cn client certificate properties, when the client certificate
-is signed by a CA that the Postfix SMTP server trusts. Support is
-planned for rfc822name and smtputf8mailbox.
+Support is planned for other certificate features.

 Major changes - dovecot usability
 ---------------------------------
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@ -14252,10 +14252,7 @@ above corresponds with: </dd>
 <dd> <a href="postconf.5.html#check_ccert_access">check_ccert_access</a> { <a href="DATABASE_README.html">type:table</a>, { search_order = cert_fingerprint,
 pubkey_fingerprint } } </dd>

-<dd> The commas are optional. Other valid search_order elements are
-"subject_cn" (the certificate subject CN) and "issuer_cn" (the
-certificate issuer CN). These require that the client certificate
-is signed by a CA that the Postfix SMTP server trusts. </dd>
+<dd> The commas are optional. </dd>

 <dt><b><a name="check_client_access">check_client_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>

--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@ -9535,10 +9535,7 @@ above corresponds with:
 check_ccert_access { type:table, { search_order = cert_fingerprint,
 pubkey_fingerprint } }
 .br
-The commas are optional. Other valid search_order elements are
-"subject_cn" (the certificate subject CN) and "issuer_cn" (the
-certificate issuer CN). These require that the client certificate
-is signed by a CA that the Postfix SMTP server trusts.
+The commas are optional.
 .br
 .IP "\fBcheck_client_access \fItype:table\fR\fR"
 Search the specified access database for the client hostname,
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@ -5123,10 +5123,7 @@ above corresponds with: </dd>
 <dd> check_ccert_access { type:table, { search_order = cert_fingerprint,
 pubkey_fingerprint } } </dd>

-<dd> The commas are optional. Other valid search_order elements are
-"subject_cn" (the certificate subject CN) and "issuer_cn" (the
-certificate issuer CN). These require that the client certificate
-is signed by a CA that the Postfix SMTP server trusts. </dd>
+<dd> The commas are optional. </dd>

 <dt><b><a name="check_client_access">check_client_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>

--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@ -20,7 +20,7 @@
  * Patches change both the patchlevel and the release date. Snapshots have no
  * patchlevel; they change the release date only.
  */
-#define MAIL_RELEASE_DATE	"20200315"
+#define MAIL_RELEASE_DATE	"20200316"
 #define MAIL_VERSION_NUMBER	"3.6"

 #ifdef SNAPSHOT
--- a/postfix/src/smtpd/smtpd_check.c
+++ b/postfix/src/smtpd/smtpd_check.c
@ -3186,24 +3186,14 @@ static int check_ccert_access(SMTPD_STATE *state, const char *acl_spec,
 	const char *action;
 	const char *match_this;
 	const char *known_action;
-	int     need_trusted_cert;

 	for (action = search_order; *action; action++) {
-	    need_trusted_cert = 1;
 	    switch (*action) {
 	    case SMTPD_ACL_SEARCH_CODE_CERT_FPRINT:
 		match_this = state->tls_context->peer_cert_fprint;
-		need_trusted_cert = 0;
 		break;
 	    case SMTPD_ACL_SEARCH_CODE_PKEY_FPRINT:
 		match_this = state->tls_context->peer_pkey_fprint;
-		need_trusted_cert = 0;
-		break;
-	    case SMTPD_ACL_SEARCH_CODE_CERT_ISSUER_CN:
-		match_this = state->tls_context->issuer_CN;
-		break;
-	    case SMTPD_ACL_SEARCH_CODE_CERT_SUBJECT_CN:
-		match_this = state->tls_context->peer_CN;
 		break;
 	    default:
 		known_action = str_name_code(search_actions, *action);
@ -3216,13 +3206,6 @@ static int check_ccert_access(SMTPD_STATE *state, const char *acl_spec,
 					   451, "4.3.5",
 					   "Server configuration error"));
 	    }
-	    if (need_trusted_cert && !TLS_CERT_IS_TRUSTED(state->tls_context)) {
-		if (msg_verbose)
-		    msg_info("%s: skipping %s %s: untrusted client certificate",
-			     myname, str_name_code(search_actions, *action),
-			     match_this);
-		return SMTPD_CHECK_DUNNO;
-	    }
 	    if (msg_verbose)
 		msg_info("%s: look up %s %s",
 			 myname, str_name_code(search_actions, *action),