mir/postfix
2
0
Fork 0
mirror of https://github.com/vdukhovni/postfix synced 2025-08-30 05:38:06 +00:00
Code Issues Releases Wiki Activity

postfix-3.5-20190212

Browse Source
This commit is contained in:
Wietse Venema 2019-02-12 00:00:00 -05:00 committed by Viktor Dukhovni
parent c6eaaf0bf1
commit ed3f86da7c
10 changed files with 39 additions and 63 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
postfix/HISTORY
View File

@ -24114,3 +24114,17 @@ Apologies for any names omitted.
Documentation: global TLS settings. Files: mantools/postlink,
smtp/smtp.c, tlsproxy/tlsproxy.c.
20190211
Cleanup: removed obsolete parameters: tls_dane_digest_agility,
tls_dane_trust_anchor_digest_enable; removed openssl_path
parameter from configuration difference checks in tlsproxy.
Files: global/mail_params.h, tls/tls_misc.c,
tls/tls_proxy_client_misc.c, tls/tls_proxy_client_print.c,
tls/tls_proxy_client_scan.c, tls/tls_proxy.h.
20190212
Cleanup: missing #ifdef USE_TLS. Files: smtp/smtp_session.c,
posttls-finger/posttls-finger.c.

19
postfix/src/global/mail_params.h
View File

@ -3323,16 +3323,6 @@ extern bool var_tls_bc_pkey_fprint;
#define DEF_TLS_SERVER_SNI_MAPS ""
extern char *var_tls_server_sni_maps;
/*
* Ordered list of DANE digest algorithms.
*/
#define TLS_DANE_AGILITY_OFF "off"
#define TLS_DANE_AGILITY_ON "on"
#define TLS_DANE_AGILITY_MAYBE "maybe"
#define VAR_TLS_DANE_AGILITY "tls_dane_digest_agility"
#define DEF_TLS_DANE_AGILITY TLS_DANE_AGILITY_ON
extern char *var_tls_dane_agility;
/*
* Ordered list of DANE digest algorithms.
*/
@ -3340,15 +3330,6 @@ extern char *var_tls_dane_agility;
#define DEF_TLS_DANE_DIGESTS "sha512 sha256"
extern char *var_tls_dane_digests;
/*
* External interface for enabling trust-anchor digests, which are risky
* when the corresponding certificate is missing from the peer chain (this
* can't happen with the leaf certificate).
*/
#define VAR_TLS_DANE_TAA_DGST "tls_dane_trust_anchor_digest_enable"
#define DEF_TLS_DANE_TAA_DGST 1
extern bool var_tls_dane_taa_dgst;
/*
* Sendmail-style mail filter support.
*/

2
postfix/src/global/mail_version.h
View File

@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
#define MAIL_RELEASE_DATE "20190210"
#define MAIL_RELEASE_DATE "20190212"
#define MAIL_VERSION_NUMBER "3.5"
#ifdef SNAPSHOT

2
postfix/src/posttls-finger/posttls-finger.c
View File

@ -1987,8 +1987,10 @@ static void parse_options(STATE *state, int argc, char *argv[])
if (state->addr_pref < 0)
msg_fatal("bad '-a' option value: %s", state->options.addr_pref);
#ifdef USE_TLS
if (state->tlsproxy_mode && state->reconnect)
msg_fatal("The -X and -r options are mutually exclusive");
#endif
/*
* Select hostname lookup mechanisms.

11
postfix/src/smtp/smtp_session.c
View File

@ -336,11 +336,16 @@ SMTP_SESSION *smtp_session_activate(int fd, SMTP_ITERATOR *iter,
TLS_SESS_STATE *tls_context = 0;
SMTP_TLS_POLICY *tls = iter->parent->tls;
#define TLS_PROXY_CONTEXT_FREE() do { \
if (tls_context) \
tls_proxy_context_free(tls_context); \
} while (0)
#else
#define TLS_PROXY_CONTEXT_FREE() /* nothing */
#endif
#define SMTP_SESSION_ACTIVATE_ERR_RETURN() do { \
if (tls_context) \
tls_proxy_context_free(tls_context); \
TLS_PROXY_CONTEXT_FREE(); \
return (0); \
} while (0)
@ -416,7 +421,9 @@ SMTP_SESSION *smtp_session_activate(int fd, SMTP_ITERATOR *iter,
(time_t) 0, NO_FLAGS);
session->features =
(endp_features | dest_features | SMTP_FEATURE_FROM_CACHE);
#ifdef USE_TLS
session->tls_context = tls_context;
#endif
CACHE_THIS_SESSION_UNTIL(expire_time);
session->reuse_count = ++reuse_count;

9
postfix/src/tls/tls_misc.c
View File

@ -37,11 +37,9 @@
/* char *var_tls_eecdh_auto;
/* char *var_tls_eecdh_strong;
/* char *var_tls_eecdh_ultra;
/* char *var_tls_dane_agility;
/* char *var_tls_dane_digests;
/* int var_tls_daemon_rand_bytes;
/* bool var_tls_append_def_CA;
/* bool var_tls_dane_taa_dgst;
/* bool var_tls_preempt_clist;
/* bool var_tls_bc_pkey_fprint;
/* bool var_tls_multi_wildcard;
@ -284,13 +282,11 @@ int var_tls_daemon_rand_bytes;
char *var_tls_eecdh_auto;
char *var_tls_eecdh_strong;
char *var_tls_eecdh_ultra;
char *var_tls_dane_agility;
char *var_tls_dane_digests;
bool var_tls_append_def_CA;
char *var_tls_bug_tweaks;
char *var_tls_ssl_options;
bool var_tls_bc_pkey_fprint;
bool var_tls_dane_taa_dgst;
bool var_tls_multi_wildcard;
char *var_tls_mgr_service;
char *var_tls_tkt_cipher;
@ -724,6 +720,7 @@ int tls_protocol_mask(const char *plist)
void tls_param_init(void)
{
/* If this changes, update TLS_CLIENT_PARAMS in tls_proxy.h. */
static const CONFIG_STR_TABLE str_table[] = {
VAR_TLS_HIGH_CLIST, DEF_TLS_HIGH_CLIST, &var_tls_high_clist, 1, 0,
VAR_TLS_MEDIUM_CLIST, DEF_TLS_MEDIUM_CLIST, &var_tls_medium_clist, 1, 0,
@ -735,21 +732,21 @@ void tls_param_init(void)
VAR_TLS_EECDH_ULTRA, DEF_TLS_EECDH_ULTRA, &var_tls_eecdh_ultra, 1, 0,
VAR_TLS_BUG_TWEAKS, DEF_TLS_BUG_TWEAKS, &var_tls_bug_tweaks, 0, 0,
VAR_TLS_SSL_OPTIONS, DEF_TLS_SSL_OPTIONS, &var_tls_ssl_options, 0, 0,
VAR_TLS_DANE_AGILITY, DEF_TLS_DANE_AGILITY, &var_tls_dane_agility, 1, 0,
VAR_TLS_DANE_DIGESTS, DEF_TLS_DANE_DIGESTS, &var_tls_dane_digests, 1, 0,
VAR_TLS_MGR_SERVICE, DEF_TLS_MGR_SERVICE, &var_tls_mgr_service, 1, 0,
VAR_TLS_TKT_CIPHER, DEF_TLS_TKT_CIPHER, &var_tls_tkt_cipher, 0, 0,
VAR_OPENSSL_PATH, DEF_OPENSSL_PATH, &var_openssl_path, 1, 0,
0,
};
/* If this changes, update TLS_CLIENT_PARAMS in tls_proxy.h. */
static const CONFIG_INT_TABLE int_table[] = {
VAR_TLS_DAEMON_RAND_BYTES, DEF_TLS_DAEMON_RAND_BYTES, &var_tls_daemon_rand_bytes, 1, 0,
0,
};
/* If this changes, update TLS_CLIENT_PARAMS in tls_proxy.h. */
static const CONFIG_BOOL_TABLE bool_table[] = {
VAR_TLS_APPEND_DEF_CA, DEF_TLS_APPEND_DEF_CA, &var_tls_append_def_CA,
VAR_TLS_BC_PKEY_FPRINT, DEF_TLS_BC_PKEY_FPRINT, &var_tls_bc_pkey_fprint,
VAR_TLS_DANE_TAA_DGST, DEF_TLS_DANE_TAA_DGST, &var_tls_dane_taa_dgst,
VAR_TLS_PREEMPT_CLIST, DEF_TLS_PREEMPT_CLIST, &var_tls_preempt_clist,
VAR_TLS_MULTI_WILDCARD, DEF_TLS_MULTI_WILDCARD, &var_tls_multi_wildcard,
0,

10
postfix/src/tls/tls_proxy.h
View File

@ -38,6 +38,8 @@
* In the serialization these attributes are identified by their configuration
* parameter names.
*
* NOTE: this does not include openssl_path.
*
* TODO: TLS_SERVER_PARAM structure, like TLS_CLIENT_PARAMS plus
* VAR_TLS_SERVER_SNI_MAPS.
*/
@ -52,27 +54,23 @@ typedef struct TLS_CLIENT_PARAMS {
char *tls_eecdh_ultra;
char *tls_bug_tweaks;
char *tls_ssl_options;
char *tls_dane_agility;
char *tls_dane_digests;
char *tls_mgr_service;
char *tls_tkt_cipher;
char *openssl_path;
int tls_daemon_rand_bytes;
int tls_append_def_CA;
int tls_bc_pkey_fprint;
int tls_dane_taa_dgst;
int tls_preempt_clist;
int tls_multi_wildcard;
} TLS_CLIENT_PARAMS;
#define TLS_PROXY_PARAMS(params, a1, a2, a3, a4, a5, a6, a7, a8, \
a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20, a21) \
a9, a10, a11, a12, a13, a14, a15, a16, a17, a18) \
(((params)->a1), ((params)->a2), ((params)->a3), \
((params)->a4), ((params)->a5), ((params)->a6), ((params)->a7), \
((params)->a8), ((params)->a9), ((params)->a10), ((params)->a11), \
((params)->a12), ((params)->a13), ((params)->a14), ((params)->a15), \
((params)->a16), ((params)->a17), ((params)->a18), ((params)->a19), \
((params)->a20), ((params)->a21))
((params)->a16), ((params)->a17), ((params)->a18))
/*
* tls_proxy_client_param_misc.c, tls_proxy_client_param_print.c, and

18
postfix/src/tls/tls_proxy_client_misc.c
View File

@ -88,15 +88,12 @@ TLS_CLIENT_PARAMS *tls_proxy_client_param_from_config(TLS_CLIENT_PARAMS *params)
tls_eecdh_ultra = var_tls_eecdh_ultra,
tls_bug_tweaks = var_tls_bug_tweaks,
tls_ssl_options = var_tls_ssl_options,
tls_dane_agility = var_tls_dane_agility,
tls_dane_digests = var_tls_dane_digests,
tls_mgr_service = var_tls_mgr_service,
tls_tkt_cipher = var_tls_tkt_cipher,
openssl_path = var_openssl_path,
tls_daemon_rand_bytes = var_tls_daemon_rand_bytes,
tls_append_def_CA = var_tls_append_def_CA,
tls_bc_pkey_fprint = var_tls_bc_pkey_fprint,
tls_dane_taa_dgst = var_tls_dane_taa_dgst,
tls_preempt_clist = var_tls_preempt_clist,
tls_multi_wildcard = var_tls_multi_wildcard);
return (params);
@ -107,18 +104,16 @@ TLS_CLIENT_PARAMS *tls_proxy_client_param_from_config(TLS_CLIENT_PARAMS *params)
char *tls_proxy_client_param_to_string(VSTRING *buf, TLS_CLIENT_PARAMS *params)
{
vstring_sprintf(buf, "%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n"
"%s\n%s\n%s\n%s\n%d\n%d\n%d\n%d\n%d\n%d\n",
"%s\n%s\n%d\n%d\n%d\n%d\n%d\n",
params->tls_high_clist, params->tls_medium_clist,
params->tls_low_clist, params->tls_export_clist,
params->tls_null_clist, params->tls_eecdh_auto,
params->tls_eecdh_strong, params->tls_eecdh_ultra,
params->tls_bug_tweaks, params->tls_ssl_options,
params->tls_dane_agility, params->tls_dane_digests,
params->tls_mgr_service, params->tls_tkt_cipher,
params->openssl_path, params->tls_daemon_rand_bytes,
params->tls_dane_digests, params->tls_mgr_service,
params->tls_tkt_cipher, params->tls_daemon_rand_bytes,
params->tls_append_def_CA, params->tls_bc_pkey_fprint,
params->tls_dane_taa_dgst, params->tls_preempt_clist,
params->tls_multi_wildcard);
params->tls_preempt_clist, params->tls_multi_wildcard);
return (vstring_str(buf));
}
@ -128,7 +123,7 @@ char *tls_proxy_client_param_with_names_to_string(VSTRING *buf, TLS_CLIENT_PAR
{
vstring_sprintf(buf, "%s = %s\n%s = %s\n%s = %s\n%s = %s\n%s = %s\n"
"%s = %s\n%s = %s\n%s = %s\n%s = %s\n%s = %s\n%s = %s\n"
"%s = %s\n%s = %s\n%s = %s\n%s = %s\n%s = %d\n%s = %d\n"
"%s = %s\n%s = %s\n%s = %d\n"
"%s = %d\n%s = %d\n%s = %d\n%s = %d\n",
VAR_TLS_HIGH_CLIST, params->tls_high_clist,
VAR_TLS_MEDIUM_CLIST, params->tls_medium_clist,
@ -140,15 +135,12 @@ char *tls_proxy_client_param_with_names_to_string(VSTRING *buf, TLS_CLIENT_PAR
VAR_TLS_EECDH_ULTRA, params->tls_eecdh_ultra,
VAR_TLS_BUG_TWEAKS, params->tls_bug_tweaks,
VAR_TLS_SSL_OPTIONS, params->tls_ssl_options,
VAR_TLS_DANE_AGILITY, params->tls_dane_agility,
VAR_TLS_DANE_DIGESTS, params->tls_dane_digests,
VAR_TLS_MGR_SERVICE, params->tls_mgr_service,
VAR_TLS_TKT_CIPHER, params->tls_tkt_cipher,
VAR_OPENSSL_PATH, params->openssl_path,
VAR_TLS_DAEMON_RAND_BYTES, params->tls_daemon_rand_bytes,
VAR_TLS_APPEND_DEF_CA, params->tls_append_def_CA,
VAR_TLS_BC_PKEY_FPRINT, params->tls_bc_pkey_fprint,
VAR_TLS_DANE_TAA_DGST, params->tls_dane_taa_dgst,
VAR_TLS_PREEMPT_CLIST, params->tls_preempt_clist,
VAR_TLS_MULTI_WILDCARD, params->tls_multi_wildcard);
return (vstring_str(buf));

5
postfix/src/tls/tls_proxy_client_print.c
View File

@ -110,22 +110,17 @@ int tls_proxy_client_param_print(ATTR_PRINT_MASTER_FN print_fn, VSTREAM *fp,
SEND_ATTR_STR(VAR_TLS_BUG_TWEAKS, params->tls_bug_tweaks),
SEND_ATTR_STR(VAR_TLS_SSL_OPTIONS,
params->tls_ssl_options),
SEND_ATTR_STR(VAR_TLS_DANE_AGILITY,
params->tls_dane_agility),
SEND_ATTR_STR(VAR_TLS_DANE_DIGESTS,
params->tls_dane_digests),
SEND_ATTR_STR(VAR_TLS_MGR_SERVICE,
params->tls_mgr_service),
SEND_ATTR_STR(VAR_TLS_TKT_CIPHER, params->tls_tkt_cipher),
SEND_ATTR_STR(VAR_OPENSSL_PATH, params->openssl_path),
SEND_ATTR_INT(VAR_TLS_DAEMON_RAND_BYTES,
params->tls_daemon_rand_bytes),
SEND_ATTR_INT(VAR_TLS_APPEND_DEF_CA,
params->tls_append_def_CA),
SEND_ATTR_INT(VAR_TLS_BC_PKEY_FPRINT,
params->tls_bc_pkey_fprint),
SEND_ATTR_INT(VAR_TLS_DANE_TAA_DGST,
params->tls_dane_taa_dgst),
SEND_ATTR_INT(VAR_TLS_PREEMPT_CLIST,
params->tls_preempt_clist),
SEND_ATTR_INT(VAR_TLS_MULTI_WILDCARD,

12
postfix/src/tls/tls_proxy_client_scan.c
View File

@ -130,11 +130,9 @@ void tls_proxy_client_param_free(TLS_CLIENT_PARAMS *params)
myfree(params->tls_eecdh_ultra);
myfree(params->tls_bug_tweaks);
myfree(params->tls_ssl_options);
myfree(params->tls_dane_agility);
myfree(params->tls_dane_digests);
myfree(params->tls_mgr_service);
myfree(params->tls_tkt_cipher);
myfree(params->openssl_path);
myfree((void *) params);
}
@ -156,11 +154,9 @@ int tls_proxy_client_param_scan(ATTR_SCAN_MASTER_FN scan_fn, VSTREAM *fp,
VSTRING *tls_eecdh_ultra = vstring_alloc(25);
VSTRING *tls_bug_tweaks = vstring_alloc(25);
VSTRING *tls_ssl_options = vstring_alloc(25);
VSTRING *tls_dane_agility = vstring_alloc(25);
VSTRING *tls_dane_digests = vstring_alloc(25);
VSTRING *tls_mgr_service = vstring_alloc(25);
VSTRING *tls_tkt_cipher = vstring_alloc(25);
VSTRING *openssl_path = vstring_alloc(25);
if (msg_verbose)
msg_info("begin tls_proxy_client_param_scan");
@ -180,19 +176,15 @@ int tls_proxy_client_param_scan(ATTR_SCAN_MASTER_FN scan_fn, VSTREAM *fp,
RECV_ATTR_STR(VAR_TLS_EECDH_ULTRA, tls_eecdh_ultra),
RECV_ATTR_STR(VAR_TLS_BUG_TWEAKS, tls_bug_tweaks),
RECV_ATTR_STR(VAR_TLS_SSL_OPTIONS, tls_ssl_options),
RECV_ATTR_STR(VAR_TLS_DANE_AGILITY, tls_dane_agility),
RECV_ATTR_STR(VAR_TLS_DANE_DIGESTS, tls_dane_digests),
RECV_ATTR_STR(VAR_TLS_MGR_SERVICE, tls_mgr_service),
RECV_ATTR_STR(VAR_TLS_TKT_CIPHER, tls_tkt_cipher),
RECV_ATTR_STR(VAR_OPENSSL_PATH, openssl_path),
RECV_ATTR_INT(VAR_TLS_DAEMON_RAND_BYTES,
&params->tls_daemon_rand_bytes),
RECV_ATTR_INT(VAR_TLS_APPEND_DEF_CA,
&params->tls_append_def_CA),
RECV_ATTR_INT(VAR_TLS_BC_PKEY_FPRINT,
&params->tls_bc_pkey_fprint),
RECV_ATTR_INT(VAR_TLS_DANE_TAA_DGST,
&params->tls_dane_taa_dgst),
RECV_ATTR_INT(VAR_TLS_PREEMPT_CLIST,
&params->tls_preempt_clist),
RECV_ATTR_INT(VAR_TLS_MULTI_WILDCARD,
@ -209,13 +201,11 @@ int tls_proxy_client_param_scan(ATTR_SCAN_MASTER_FN scan_fn, VSTREAM *fp,
params->tls_eecdh_ultra = vstring_export(tls_eecdh_ultra);
params->tls_bug_tweaks = vstring_export(tls_bug_tweaks);
params->tls_ssl_options = vstring_export(tls_ssl_options);
params->tls_dane_agility = vstring_export(tls_dane_agility);
params->tls_dane_digests = vstring_export(tls_dane_digests);
params->tls_mgr_service = vstring_export(tls_mgr_service);
params->tls_tkt_cipher = vstring_export(tls_tkt_cipher);
params->openssl_path = vstring_export(openssl_path);
ret = (ret == 21 ? 1 : -1);
ret = (ret == 18 ? 1 : -1);
if (ret != 1) {
tls_proxy_client_param_free(params);
params = 0;