diff --git a/postfix/HISTORY b/postfix/HISTORY index 488629f98..4d86d67b1 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -23820,3 +23820,18 @@ Apologies for any names omitted. Bitrot: makedefs will use "pkg-config" to locate ICU build information, falling back to "icu-config" if "pkg-config" is not found. File: makedefs. + +20181122 + + Cleanup: tlsproxy loads the same TLS client configuration + at pre-jail time as the Postfix SMTP client, so that secret + keys can remain read-only for root. This is sufficient for + MTAs that have a fixed TLS client identity. tlsproxy will + log a warning if it is requested to assume a different TLS + client identity, and will log suggestions for a workaround. + The long-term solution is to stop loading certs/keys from + files, and to use the same approach as planned for server-side + SNI support: open a cert/key map at pre-jail time, and read + cert/key information on-the-fly at post-jail time. Files: + proto/postconf.proto, mantools/postlink, global/mail_params.h, + tlsproxy/tlsproxy.c. diff --git a/postfix/html/makedefs.1.html b/postfix/html/makedefs.1.html index d6816a99d..cf1f02c17 100644 --- a/postfix/html/makedefs.1.html +++ b/postfix/html/makedefs.1.html @@ -65,8 +65,8 @@ MAKEDEFS(1) MAKEDEFS(1) -DNO_EAI Do not build with EAI (SMTPUTF8) support. By default, EAI - support is compiled in when the "icu-config" command is - found. + support is compiled in when the "pkg-config" command is + found, or the deprecated "icu-config" command. -DNO_INLINE Do not require support for C99 "inline" functions. diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 2b32c4ed4..ff32ae574 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -18357,6 +18357,198 @@ of TLS.

This feature is available in Postfix 2.11 and later.

+ + +
tlsproxy_client_CAfile +(default: $smtp_tls_CAfile)
+ +

A file containing CA certificates of root CAs trusted to sign +either remote TLS server certificates or intermediate CA certificates. +See smtp_tls_CAfile for further details.

+ +

This feature is available in Postfix 3.4 and later.

+ + +
+ +
tlsproxy_client_CApath +(default: $smtp_tls_CApath)
+ +

Directory with PEM format Certification Authority certificates +that the Postfix tlsproxy(8) client uses to verify a remote TLS +server certificate. See smtp_tls_CApath for further details.

+ +

This feature is available in Postfix 3.4 and later.

+ + +
+ +
tlsproxy_client_cert_file +(default: $smtp_tls_cert_file)
+ +

File with the Postfix tlsproxy(8) client RSA certificate in PEM +format. See smtp_tls_cert_file for further details.

+ +

This feature is available in Postfix 3.4 and later.

+ + +
+ +
tlsproxy_client_dcert_file +(default: $smtp_tls_dcert_file)
+ +

File with the Postfix tlsproxy(8) client DSA certificate in PEM +format. See smtp_tls_dcert_file for further details.

+ +

This feature is available in Postfix 3.4 and later.

+ + +
+ +
tlsproxy_client_dkey_file +(default: $smtp_tls_dkey_file)
+ +

File with the Postfix tlsproxy(8) client DSA private key in PEM +format. See smtp_tls_dkey_file for further details.

+ +

This feature is available in Postfix 3.4 and later.

+ + +
+ +
tlsproxy_client_eccert_file +(default: $smtp_tls_eccert_file)
+ +

File with the Postfix tlsproxy(8) client ECDSA certificate in +PEM format. See smtp_tls_eccert_file for further details.

+ +

This feature is available in Postfix 3.4 and later.

+ + +
+ +
tlsproxy_client_eckey_file +(default: $smtp_tls_eckey_file)
+ +

File with the Postfix tlsproxy(8) client ECDSA private key in +PEM format. See smtp_tls_eckey_file for further details.

+ +

This feature is available in Postfix 3.4 and later.

+ + +
+ +
tlsproxy_client_enforce_tls +(default: $smtp_enforce_tls)
+ +

Enforcement mode: require that SMTP servers use TLS encryption. +See smtp_enforce_tls for further details.

+ +

This feature is available in Postfix 3.4 and later.

+ + +
+ +
tlsproxy_client_fingerprint_digest +(default: $smtp_tls_fingerprint_digest)
+ +

The message digest algorithm used to construct remote TLS server +certificate fingerprints. See smtp_tls_fingerprint_digest for +further details.

+ +

This feature is available in Postfix 3.4 and later.

+ + +
+ +
tlsproxy_client_key_file +(default: $smtp_tls_key_file)
+ +

File with the Postfix tlsproxy(8) client RSA private key in PEM +format. See smtp_tls_key_file for further details.

+ +

This feature is available in Postfix 3.4 and later.

+ + +
+ +
tlsproxy_client_loglevel +(default: $smtp_tls_loglevel)
+ +

Enable additional Postfix tlsproxy(8) client logging of TLS +activity. See smtp_tls_loglevel for further details.

+ +

This feature is available in Postfix 3.4 and later.

+ + +
+ +
tlsproxy_client_loglevel_parameter +(default: smtp_tls_loglevel)
+ +

The name of the parameter that provides the tlsproxy_client_loglevel +value.

+ +

This feature is available in Postfix 3.4 and later.

+ + +
+ +
tlsproxy_client_per_site +(default: $smtp_tls_per_site)
+ +

Optional lookup tables with the Postfix tlsproxy(8) client TLS +usage policy by next-hop destination and by remote TLS server +hostname. See smtp_tls_per_site for further details.

+ +

This feature is available in Postfix 3.4 and later.

+ + +
+ +
tlsproxy_client_policy_maps +(default: $smtp_tls_policy_maps)
+ +

Optional lookup tables with the Postfix tlsproxy(8) client TLS +security policy by next-hop destination. See smtp_tls_policy_maps +for further details.

+ +

This feature is available in Postfix 3.4 and later.

+ + +
+ +
tlsproxy_client_scert_verifydepth +(default: $smtp_tls_scert_verifydepth)
+ +

The verification depth for remote TLS server certificates. +See smtp_tls_scert_verifydepth for further details.

+ +

This feature is available in Postfix 3.4 and later.

+ + +
+ +
tlsproxy_client_security_level +(default: $smtp_tls_security_level)
+ +

The default TLS security level for the Postfix tlsproxy(8) +client. See smtp_tls_security_level for further details.

+ +

This feature is available in Postfix 3.4 and later.

+ + +
+ +
tlsproxy_client_use_tls +(default: $smtp_use_tls)
+ +

Opportunistic mode: use TLS when a remote server announces TLS +support. See smtp_use_tls for further details.

+ +

This feature is available in Postfix 3.4 and later.

+ +
tlsproxy_enforce_tls diff --git a/postfix/html/tlsproxy.8.html b/postfix/html/tlsproxy.8.html index 56b75c51c..f0b7b8883 100644 --- a/postfix/html/tlsproxy.8.html +++ b/postfix/html/tlsproxy.8.html 
@@ -160,12 +160,88 @@ TLSPROXY(8) TLSPROXY(8) tlsmgr_service_name (tlsmgr) The name of the tlsmgr(8) service entry in master.cf. +TLS CLIENT CONTROLS + These parameters allow tlsproxy(8) to load certificate and private key + information before dropping privileges, so that the key files can be + kept read-only for root. + + Available in Postfix version 3.4 and later: + + tlsproxy_client_CAfile ($smtp_tls_CAfile) + A file containing CA certificates of root CAs trusted to sign + either remote TLS server certificates or intermediate CA cer- + tificates. + + tlsproxy_client_CApath ($smtp_tls_CApath) + Directory with PEM format Certification Authority certificates + that the Postfix tlsproxy(8) client uses to verify a remote TLS + server certificate. + + tlsproxy_client_cert_file ($smtp_tls_cert_file) + File with the Postfix tlsproxy(8) client RSA certificate in PEM + format. + + tlsproxy_client_key_file ($smtp_tls_key_file) + File with the Postfix tlsproxy(8) client RSA private key in PEM + format. + + tlsproxy_client_dcert_file ($smtp_tls_dcert_file) + File with the Postfix tlsproxy(8) client DSA certificate in PEM + format. + + tlsproxy_client_dkey_file ($smtp_tls_dkey_file) + File with the Postfix tlsproxy(8) client DSA private key in PEM + format. + + tlsproxy_client_eccert_file ($smtp_tls_eccert_file) + File with the Postfix tlsproxy(8) client ECDSA certificate in + PEM format. + + tlsproxy_client_eckey_file ($smtp_tls_eckey_file) + File with the Postfix tlsproxy(8) client ECDSA private key in + PEM format. + + tlsproxy_client_fingerprint_digest ($smtp_tls_fingerprint_digest) + The message digest algorithm used to construct remote TLS server + certificate fingerprints. + + tlsproxy_client_loglevel ($smtp_tls_loglevel) + Enable additional Postfix tlsproxy(8) client logging of TLS + activity. + + tlsproxy_client_loglevel_parameter (smtp_tls_loglevel) + The name of the parameter that provides the + tlsproxy_client_loglevel value. 
+ + tlsproxy_client_scert_verifydepth ($smtp_tls_scert_verifydepth) + The verification depth for remote TLS server certificates. + + tlsproxy_client_security_level ($smtp_tls_security_level) + The default TLS security level for the Postfix tlsproxy(8) + client. + + tlsproxy_client_policy_maps ($smtp_tls_policy_maps) + Optional lookup tables with the Postfix tlsproxy(8) client TLS + security policy by next-hop destination. + + tlsproxy_client_use_tls ($smtp_use_tls) + Opportunistic mode: use TLS when a remote server announces TLS + support. + + tlsproxy_client_enforce_tls ($smtp_enforce_tls) + Enforcement mode: require that SMTP servers use TLS encryption. + + tlsproxy_client_per_site ($smtp_tls_per_site) + Optional lookup tables with the Postfix tlsproxy(8) client TLS + usage policy by next-hop destination and by remote TLS server + hostname. + OBSOLETE STARTTLS SUPPORT CONTROLS - These parameters are supported for compatibility with smtpd(8) legacy + These parameters are supported for compatibility with smtpd(8) legacy parameters. tlsproxy_use_tls ($smtpd_use_tls) - Opportunistic TLS: announce STARTTLS support to remote SMTP + Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do not require that clients use TLS encryption. tlsproxy_enforce_tls ($smtpd_enforce_tls) @@ -179,7 +255,7 @@ TLSPROXY(8) TLSPROXY(8) MISCELLANEOUS CONTROLS config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and master.cf con- + The default location of the Postfix main.cf and master.cf con- figuration files. process_id (read-only) @@ -192,7 +268,7 @@ TLSPROXY(8) TLSPROXY(8) The syslog facility of Postfix logging. syslog_name (see 'postconf -d' output) - A prefix that is prepended to the process name in syslog + A prefix that is prepended to the process name in syslog records, so that, for example, "smtpd" becomes "prefix/smtpd". Available in Postfix 3.3 and later: 
diff --git a/postfix/man/man1/makedefs.1 b/postfix/man/man1/makedefs.1 index a70963df6..34c9d013a 100644 --- a/postfix/man/man1/makedefs.1 +++ b/postfix/man/man1/makedefs.1 @@ -63,8 +63,8 @@ By default, EPOLL support is compiled in on platforms that are known to support it. .IP \fB\-DNO_EAI\fR Do not build with EAI (SMTPUTF8) support. By default, EAI -support is compiled in when the "icu\-config" command is -found. +support is compiled in when the "pkg\-config" command is +found, or the deprecated "icu\-config" command. .IP \fB\-DNO_INLINE\fR Do not require support for C99 "inline" functions. Instead, implement argument typechecks for non\-(printf/scanf)\-like diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index c428caf3e..13e6b2b3c 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 
@@ -12695,6 +12695,96 @@ service maintains TLS session caches and other information in support of TLS. .PP This feature is available in Postfix 2.11 and later. +.SH tlsproxy_client_CAfile (default: $smtp_tls_CAfile) +A file containing CA certificates of root CAs trusted to sign +either remote TLS server certificates or intermediate CA certificates. +See smtp_tls_CAfile for further details. +.PP +This feature is available in Postfix 3.4 and later. +.SH tlsproxy_client_CApath (default: $smtp_tls_CApath) +Directory with PEM format Certification Authority certificates +that the Postfix \fBtlsproxy\fR(8) client uses to verify a remote TLS +server certificate. See smtp_tls_CApath for further details. +.PP +This feature is available in Postfix 3.4 and later. +.SH tlsproxy_client_cert_file (default: $smtp_tls_cert_file) +File with the Postfix \fBtlsproxy\fR(8) client RSA certificate in PEM +format. See smtp_tls_cert_file for further details. +.PP +This feature is available in Postfix 3.4 and later. +.SH tlsproxy_client_dcert_file (default: $smtp_tls_dcert_file) +File with the Postfix \fBtlsproxy\fR(8) client DSA certificate in PEM +format. See smtp_tls_dcert_file for further details. +.PP +This feature is available in Postfix 3.4 and later. +.SH tlsproxy_client_dkey_file (default: $smtp_tls_dkey_file) +File with the Postfix \fBtlsproxy\fR(8) client DSA private key in PEM +format. See smtp_tls_dkey_file for further details. +.PP +This feature is available in Postfix 3.4 and later. +.SH tlsproxy_client_eccert_file (default: $smtp_tls_eccert_file) +File with the Postfix \fBtlsproxy\fR(8) client ECDSA certificate in +PEM format. See smtp_tls_eccert_file for further details. +.PP +This feature is available in Postfix 3.4 and later. +.SH tlsproxy_client_eckey_file (default: $smtp_tls_eckey_file) +File with the Postfix \fBtlsproxy\fR(8) client ECDSA private key in +PEM format. See smtp_tls_eckey_file for further details. +.PP +This feature is available in Postfix 3.4 and later. 
+.SH tlsproxy_client_enforce_tls (default: $smtp_enforce_tls) +Enforcement mode: require that SMTP servers use TLS encryption. +See smtp_enforce_tls for further details. +.PP +This feature is available in Postfix 3.4 and later. +.SH tlsproxy_client_fingerprint_digest (default: $smtp_tls_fingerprint_digest) +The message digest algorithm used to construct remote TLS server +certificate fingerprints. See smtp_tls_fingerprint_digest for +further details. +.PP +This feature is available in Postfix 3.4 and later. +.SH tlsproxy_client_key_file (default: $smtp_tls_key_file) +File with the Postfix \fBtlsproxy\fR(8) client RSA private key in PEM +format. See smtp_tls_key_file for further details. +.PP +This feature is available in Postfix 3.4 and later. +.SH tlsproxy_client_loglevel (default: $smtp_tls_loglevel) +Enable additional Postfix \fBtlsproxy\fR(8) client logging of TLS +activity. See smtp_tls_loglevel for further details. +.PP +This feature is available in Postfix 3.4 and later. +.SH tlsproxy_client_loglevel_parameter (default: smtp_tls_loglevel) +The name of the parameter that provides the tlsproxy_client_loglevel +value. +.PP +This feature is available in Postfix 3.4 and later. +.SH tlsproxy_client_per_site (default: $smtp_tls_per_site) +Optional lookup tables with the Postfix \fBtlsproxy\fR(8) client TLS +usage policy by next\-hop destination and by remote TLS server +hostname. See smtp_tls_per_site for further details. +.PP +This feature is available in Postfix 3.4 and later. +.SH tlsproxy_client_policy_maps (default: $smtp_tls_policy_maps) +Optional lookup tables with the Postfix \fBtlsproxy\fR(8) client TLS +security policy by next\-hop destination. See smtp_tls_policy_maps +for further details. +.PP +This feature is available in Postfix 3.4 and later. +.SH tlsproxy_client_scert_verifydepth (default: $smtp_tls_scert_verifydepth) +The verification depth for remote TLS server certificates. +See smtp_tls_scert_verifydepth for further details. 
+.PP +This feature is available in Postfix 3.4 and later. +.SH tlsproxy_client_security_level (default: $smtp_tls_security_level) +The default TLS security level for the Postfix \fBtlsproxy\fR(8) +client. See smtp_tls_security_level for further details. +.PP +This feature is available in Postfix 3.4 and later. +.SH tlsproxy_client_use_tls (default: $smtp_use_tls) +Opportunistic mode: use TLS when a remote server announces TLS +support. See smtp_use_tls for further details. +.PP +This feature is available in Postfix 3.4 and later. .SH tlsproxy_enforce_tls (default: $smtpd_enforce_tls) Mandatory TLS: announce STARTTLS support to remote SMTP clients, and require that clients use TLS encryption. See smtpd_enforce_tls for diff --git a/postfix/man/man8/tlsproxy.8 b/postfix/man/man8/tlsproxy.8 index 88a022a7c..72e7a157b 100644 --- a/postfix/man/man8/tlsproxy.8 +++ b/postfix/man/man8/tlsproxy.8 
@@ -153,6 +153,67 @@ parameters smtpd_use_tls and smtpd_enforce_tls. Available in Postfix version 2.11 and later: .IP "\fBtlsmgr_service_name (tlsmgr)\fR" The name of the \fBtlsmgr\fR(8) service entry in master.cf. +.SH "TLS CLIENT CONTROLS" +.na +.nf +.ad +.fi +These parameters allow \fBtlsproxy\fR(8) to load certificate +and private key information before dropping privileges, so +that the key files can be kept read\-only for root. +.PP +Available in Postfix version 3.4 and later: +.IP "\fBtlsproxy_client_CAfile ($smtp_tls_CAfile)\fR" +A file containing CA certificates of root CAs trusted to sign +either remote TLS server certificates or intermediate CA certificates. +.IP "\fBtlsproxy_client_CApath ($smtp_tls_CApath)\fR" +Directory with PEM format Certification Authority certificates +that the Postfix \fBtlsproxy\fR(8) client uses to verify a remote TLS +server certificate. +.IP "\fBtlsproxy_client_cert_file ($smtp_tls_cert_file)\fR" +File with the Postfix \fBtlsproxy\fR(8) client RSA certificate in PEM +format. +.IP "\fBtlsproxy_client_key_file ($smtp_tls_key_file)\fR" +File with the Postfix \fBtlsproxy\fR(8) client RSA private key in PEM +format. +.IP "\fBtlsproxy_client_dcert_file ($smtp_tls_dcert_file)\fR" +File with the Postfix \fBtlsproxy\fR(8) client DSA certificate in PEM +format. +.IP "\fBtlsproxy_client_dkey_file ($smtp_tls_dkey_file)\fR" +File with the Postfix \fBtlsproxy\fR(8) client DSA private key in PEM +format. +.IP "\fBtlsproxy_client_eccert_file ($smtp_tls_eccert_file)\fR" +File with the Postfix \fBtlsproxy\fR(8) client ECDSA certificate in +PEM format. +.IP "\fBtlsproxy_client_eckey_file ($smtp_tls_eckey_file)\fR" +File with the Postfix \fBtlsproxy\fR(8) client ECDSA private key in +PEM format. +.IP "\fBtlsproxy_client_fingerprint_digest ($smtp_tls_fingerprint_digest)\fR" +The message digest algorithm used to construct remote TLS server +certificate fingerprints. 
+.IP "\fBtlsproxy_client_loglevel ($smtp_tls_loglevel)\fR" +Enable additional Postfix \fBtlsproxy\fR(8) client logging of TLS +activity. +.IP "\fBtlsproxy_client_loglevel_parameter (smtp_tls_loglevel)\fR" +The name of the parameter that provides the tlsproxy_client_loglevel +value. +.IP "\fBtlsproxy_client_scert_verifydepth ($smtp_tls_scert_verifydepth)\fR" +The verification depth for remote TLS server certificates. +.IP "\fBtlsproxy_client_security_level ($smtp_tls_security_level)\fR" +The default TLS security level for the Postfix \fBtlsproxy\fR(8) +client. +.IP "\fBtlsproxy_client_policy_maps ($smtp_tls_policy_maps)\fR" +Optional lookup tables with the Postfix \fBtlsproxy\fR(8) client TLS +security policy by next\-hop destination. +.IP "\fBtlsproxy_client_use_tls ($smtp_use_tls)\fR" +Opportunistic mode: use TLS when a remote server announces TLS +support. +.IP "\fBtlsproxy_client_enforce_tls ($smtp_enforce_tls)\fR" +Enforcement mode: require that SMTP servers use TLS encryption. +.IP "\fBtlsproxy_client_per_site ($smtp_tls_per_site)\fR" +Optional lookup tables with the Postfix \fBtlsproxy\fR(8) client TLS +usage policy by next\-hop destination and by remote TLS server +hostname. .SH "OBSOLETE STARTTLS SUPPORT CONTROLS" .na .nf diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink index 7e6fd4197..99b3b4887 100755 --- a/postfix/mantools/postlink +++ b/postfix/mantools/postlink 
@@ -1082,6 +1082,25 @@ while (<>) { s;\btlsproxy_tls_security_level\b;$&;g; s;\btlsproxy_use_tls\b;$&;g; + s;\btlsproxy_client_CAfile\b;$&;g; + s;\btlsproxy_client_CApath\b;$&;g; + s;\btlsproxy_client_cert_file\b;$&;g; + s;\btlsproxy_client_dcert_file\b;$&;g; + s;\btlsproxy_client_dkey_file\b;$&;g; + s;\btlsproxy_client_eccert_file\b;$&;g; + s;\btlsproxy_client_eckey_file\b;$&;g; + s;\btlsproxy_client_fingerprint_digest\b;$&;g; + s;\btlsproxy_client_key_file\b;$&;g; + s;\btlsproxy_client_loglevel\b;$&;g; + s;\btlsproxy_client_loglevel_parameter\b;$&;g; + s;\btlsproxy_client_scert_verifydepth\b;$&;g; + + s;\btlsproxy_client_security_level\b;$&;g; + s;\btlsproxy_client_per_site\b;$&;g; + s;\btlsproxy_client_policy_maps\b;$&;g; + s;\btlsproxy_client_use_tls\b;$&;g; + s;\btlsproxy_client_enforce_tls\b;$&;g; + # SMTPUTF8 s;\bsmtputf8_enable\b;$&;g; diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 13c172323..16d793463 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -16913,3 +16913,127 @@ environment variable, or from the UNIX password file.

This feature is available in Postfix 3.3 and later.

+ +%PARAM tlsproxy_client_CAfile $smtp_tls_CAfile + +

A file containing CA certificates of root CAs trusted to sign +either remote TLS server certificates or intermediate CA certificates. +See smtp_tls_CAfile for further details.

+ +

This feature is available in Postfix 3.4 and later.

+ +%PARAM tlsproxy_client_CApath $smtp_tls_CApath + +

Directory with PEM format Certification Authority certificates +that the Postfix tlsproxy(8) client uses to verify a remote TLS +server certificate. See smtp_tls_CApath for further details.

+ +

This feature is available in Postfix 3.4 and later.

+ +%PARAM tlsproxy_client_cert_file $smtp_tls_cert_file + +

File with the Postfix tlsproxy(8) client RSA certificate in PEM +format. See smtp_tls_cert_file for further details.

+ +

This feature is available in Postfix 3.4 and later.

+ +%PARAM tlsproxy_client_key_file $smtp_tls_key_file + +

File with the Postfix tlsproxy(8) client RSA private key in PEM +format. See smtp_tls_key_file for further details.

+ +

This feature is available in Postfix 3.4 and later.

+ +%PARAM tlsproxy_client_dcert_file $smtp_tls_dcert_file + +

File with the Postfix tlsproxy(8) client DSA certificate in PEM +format. See smtp_tls_dcert_file for further details.

+ +

This feature is available in Postfix 3.4 and later.

+ +%PARAM tlsproxy_client_dkey_file $smtp_tls_dkey_file + +

File with the Postfix tlsproxy(8) client DSA private key in PEM +format. See smtp_tls_dkey_file for further details.

+ +

This feature is available in Postfix 3.4 and later.

+ +%PARAM tlsproxy_client_eccert_file $smtp_tls_eccert_file + +

File with the Postfix tlsproxy(8) client ECDSA certificate in +PEM format. See smtp_tls_eccert_file for further details.

+ +

This feature is available in Postfix 3.4 and later.

+ +%PARAM tlsproxy_client_eckey_file $smtp_tls_eckey_file + +

File with the Postfix tlsproxy(8) client ECDSA private key in +PEM format. See smtp_tls_eckey_file for further details.

+ +

This feature is available in Postfix 3.4 and later.

+ +%PARAM tlsproxy_client_fingerprint_digest $smtp_tls_fingerprint_digest + +

The message digest algorithm used to construct remote TLS server +certificate fingerprints. See smtp_tls_fingerprint_digest for +further details.

+ +

This feature is available in Postfix 3.4 and later.

+ +%PARAM tlsproxy_client_loglevel $smtp_tls_loglevel + +

Enable additional Postfix tlsproxy(8) client logging of TLS +activity. See smtp_tls_loglevel for further details.

+ +

This feature is available in Postfix 3.4 and later.

+ +%PARAM tlsproxy_client_loglevel_parameter smtp_tls_loglevel + +

The name of the parameter that provides the tlsproxy_client_loglevel +value.

+ +

This feature is available in Postfix 3.4 and later.

+ +%PARAM tlsproxy_client_scert_verifydepth $smtp_tls_scert_verifydepth + +

The verification depth for remote TLS server certificates. +See smtp_tls_scert_verifydepth for further details.

+ +

This feature is available in Postfix 3.4 and later.

+ +%PARAM tlsproxy_client_security_level $smtp_tls_security_level + +

The default TLS security level for the Postfix tlsproxy(8) +client. See smtp_tls_security_level for further details.

+ +

This feature is available in Postfix 3.4 and later.

+ +%PARAM tlsproxy_client_per_site $smtp_tls_per_site + +

Optional lookup tables with the Postfix tlsproxy(8) client TLS +usage policy by next-hop destination and by remote TLS server +hostname. See smtp_tls_per_site for further details.

+ +

This feature is available in Postfix 3.4 and later.

+ +%PARAM tlsproxy_client_policy_maps $smtp_tls_policy_maps + +

Optional lookup tables with the Postfix tlsproxy(8) client TLS +security policy by next-hop destination. See smtp_tls_policy_maps +for further details.

+ +

This feature is available in Postfix 3.4 and later.

+ +%PARAM tlsproxy_client_use_tls $smtp_use_tls + +

Opportunistic mode: use TLS when a remote server announces TLS +support. See smtp_use_tls for further details.

+ +

This feature is available in Postfix 3.4 and later.

+ +%PARAM tlsproxy_client_enforce_tls $smtp_enforce_tls + +

Enforcement mode: require that SMTP servers use TLS encryption. +See smtp_enforce_tls for further details.

+ +

This feature is available in Postfix 3.4 and later.

diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index 1568687d2..73bde6855 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h 
@@ -3931,6 +3931,77 @@ extern bool var_tlsp_tls_received_header; #define DEF_TLSP_TLS_SET_SESSID "$" VAR_SMTPD_TLS_SET_SESSID extern bool var_tlsp_tls_set_sessid; + /* + * Workaround for tlsproxy(8) pre-jail client certs/keys access. + */ +#define VAR_TLSP_CLNT_LOGLEVEL "tlsproxy_client_loglevel" +#define DEF_TLSP_CLNT_LOGLEVEL "$" VAR_SMTP_TLS_LOGLEVEL +extern char *var_tlsp_clnt_loglevel; + +#define VAR_TLSP_CLNT_LOGPARAM "tlsproxy_client_loglevel_parameter" +#define DEF_TLSP_CLNT_LOGPARAM VAR_SMTP_TLS_LOGLEVEL +extern char *var_tlsp_clnt_logparam; + +#define VAR_TLSP_CLNT_SCERT_VD "tlsproxy_client_scert_verifydepth" +#define DEF_TLSP_CLNT_SCERT_VD "$" VAR_SMTP_TLS_SCERT_VD +extern int var_tlsp_clnt_scert_vd; + +#define VAR_TLSP_CLNT_CERT_FILE "tlsproxy_client_cert_file" +#define DEF_TLSP_CLNT_CERT_FILE "$" VAR_SMTP_TLS_CERT_FILE +extern char *var_tlsp_clnt_cert_file; + +#define VAR_TLSP_CLNT_KEY_FILE "tlsproxy_client_key_file" +#define DEF_TLSP_CLNT_KEY_FILE "$" VAR_SMTP_TLS_KEY_FILE +extern char *var_tlsp_clnt_key_file; + +#define VAR_TLSP_CLNT_DCERT_FILE "tlsproxy_client_dcert_file" +#define DEF_TLSP_CLNT_DCERT_FILE "$" VAR_SMTP_TLS_DCERT_FILE +extern char *var_tlsp_clnt_dcert_file; + +#define VAR_TLSP_CLNT_DKEY_FILE "tlsproxy_client_dkey_file" +#define DEF_TLSP_CLNT_DKEY_FILE "$" VAR_SMTP_TLS_DKEY_FILE +extern char *var_tlsp_clnt_dkey_file; + +#define VAR_TLSP_CLNT_ECCERT_FILE "tlsproxy_client_eccert_file" +#define DEF_TLSP_CLNT_ECCERT_FILE "$" VAR_SMTP_TLS_ECCERT_FILE +extern char *var_tlsp_clnt_eccert_file; + +#define VAR_TLSP_CLNT_ECKEY_FILE "tlsproxy_client_eckey_file" +#define DEF_TLSP_CLNT_ECKEY_FILE "$" VAR_SMTP_TLS_ECKEY_FILE +extern char *var_tlsp_clnt_eckey_file; + +#define VAR_TLSP_CLNT_CAFILE "tlsproxy_client_CAfile" +#define DEF_TLSP_CLNT_CAFILE "$" VAR_SMTP_TLS_CA_FILE +extern char *var_tlsp_clnt_CAfile; + +#define VAR_TLSP_CLNT_CAPATH "tlsproxy_client_CApath" +#define DEF_TLSP_CLNT_CAPATH "$" VAR_SMTP_TLS_CA_PATH +extern char 
*var_tlsp_clnt_CApath; + +#define VAR_TLSP_CLNT_FPT_DGST "tlsproxy_client_fingerprint_digest" +#define DEF_TLSP_CLNT_FPT_DGST "$" VAR_SMTP_TLS_FPT_DGST +extern char *var_tlsp_clnt_fpt_dgst; + +#define VAR_TLSP_CLNT_USE_TLS "tlsproxy_client_use_tls" +#define DEF_TLSP_CLNT_USE_TLS "$" VAR_SMTP_USE_TLS +bool var_tlsp_clnt_use_tls; + +#define VAR_TLSP_CLNT_ENFORCE_TLS "tlsproxy_client_enforce_tls" +#define DEF_TLSP_CLNT_ENFORCE_TLS "$" VAR_SMTP_ENFORCE_TLS +bool var_tlsp_clnt_enforce_tls; + +#define VAR_TLSP_CLNT_LEVEL "tlsproxy_client_level" +#define DEF_TLSP_CLNT_LEVEL "$" VAR_SMTP_TLS_LEVEL +char *var_tlsp_clnt_level; + +#define VAR_TLSP_CLNT_PER_SITE "tlsproxy_client_per_site" +#define DEF_TLSP_CLNT_PER_SITE "$" VAR_SMTP_TLS_PER_SITE +char *var_tlsp_clnt_per_site; + +#define VAR_TLSP_CLNT_POLICY "tlsproxy_client_policy" +#define DEF_TLSP_CLNT_POLICY "$" VAR_SMTP_TLS_POLICY +char *var_tlsp_clnt_policy; + /* * SMTPD "reject" contact info. */ diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 1e927a5a1..f3a11fab8 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20181119" +#define MAIL_RELEASE_DATE "20181122" #define MAIL_VERSION_NUMBER "3.4" #ifdef SNAPSHOT diff --git a/postfix/src/smtp/smtp_key.c b/postfix/src/smtp/smtp_key.c index b11189be4..643f4db7e 100644 --- a/postfix/src/smtp/smtp_key.c +++ b/postfix/src/smtp/smtp_key.c 
@@ -51,13 +51,14 @@ /* The envelope sender address. This is a proxy for sender-dependent /* context, such as per-sender SASL authentication. /* .IP SMTP_KEY_FLAG_REQ_NEXTHOP -/* The delivery request nexthop destination. This is a proxy -/* for destination-dependent, but host-independent context. +/* The delivery request nexthop destination, including optional +/* [] and :port (the same form that users specify in a SASL +/* password or TLS policy lookup table). This is a proxy for +/* destination-dependent, but host-independent context. /* .IP SMTP_KEY_FLAG_CUR_NEXTHOP /* The current iterator's nexthop destination (delivery request /* nexthop or fallback nexthop, including optional [] and -/* :port). This is the form that users specify in a SASL or -/* TLS lookup tables. +/* :port). /* .IP SMTP_KEY_FLAG_HOSTNAME /* The current iterator's remote hostname. /* .IP SMTP_KEY_FLAG_ADDR diff --git a/postfix/src/tls/tls.h b/postfix/src/tls/tls.h index 0f3c5be12..50827f58b 100644 --- a/postfix/src/tls/tls.h +++ b/postfix/src/tls/tls.h 
@@ -525,12 +525,17 @@ extern TLS_SESS_STATE *tls_client_post_connect(TLS_SESS_STATE *, #define tls_client_stop(ctx, stream, timeout, failure, TLScontext) \ tls_session_stop(ctx, (stream), (timeout), (failure), (TLScontext)) -#define TLS_CLIENT_INIT(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \ +#define TLS_CLIENT_INIT_ARGS(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \ a10, a11, a12, a13) \ - tls_client_init((((props)->a1), ((props)->a2), ((props)->a3), \ + (((props)->a1), ((props)->a2), ((props)->a3), \ ((props)->a4), ((props)->a5), ((props)->a6), ((props)->a7), \ ((props)->a8), ((props)->a9), ((props)->a10), ((props)->a11), \ - ((props)->a12), ((props)->a13), (props))) + ((props)->a12), ((props)->a13), (props)) + +#define TLS_CLIENT_INIT(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \ + a10, a11, a12, a13) \ + tls_client_init(TLS_CLIENT_INIT_ARGS(props, a1, a2, a3, a4, a5, \ + a6, a7, a8, a9, a10, a11, a12, a13)) #define TLS_CLIENT_START(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \ a10, a11, a12, a13, a14, a15, a16) \ diff --git a/postfix/src/tlsproxy/tlsproxy.c b/postfix/src/tlsproxy/tlsproxy.c index 5f57c4e3d..29af7bc58 100644 --- a/postfix/src/tlsproxy/tlsproxy.c +++ b/postfix/src/tlsproxy/tlsproxy.c 
@@ -137,6 +137,65 @@ /* Available in Postfix version 2.11 and later: /* .IP "\fBtlsmgr_service_name (tlsmgr)\fR" /* The name of the \fBtlsmgr\fR(8) service entry in master.cf. +/* TLS CLIENT CONTROLS +/* .ad +/* .fi +/* These parameters allow \fBtlsproxy\fR(8) to load certificate +/* and private key information before dropping privileges, so +/* that the key files can be kept read-only for root. +/* .PP +/* Available in Postfix version 3.4 and later: +/* .IP "\fBtlsproxy_client_CAfile ($smtp_tls_CAfile)\fR" +/* A file containing CA certificates of root CAs trusted to sign +/* either remote TLS server certificates or intermediate CA certificates. +/* .IP "\fBtlsproxy_client_CApath ($smtp_tls_CApath)\fR" +/* Directory with PEM format Certification Authority certificates +/* that the Postfix \fBtlsproxy\fR(8) client uses to verify a remote TLS +/* server certificate. +/* .IP "\fBtlsproxy_client_cert_file ($smtp_tls_cert_file)\fR" +/* File with the Postfix \fBtlsproxy\fR(8) client RSA certificate in PEM +/* format. +/* .IP "\fBtlsproxy_client_key_file ($smtp_tls_key_file)\fR" +/* File with the Postfix \fBtlsproxy\fR(8) client RSA private key in PEM +/* format. +/* .IP "\fBtlsproxy_client_dcert_file ($smtp_tls_dcert_file)\fR" +/* File with the Postfix \fBtlsproxy\fR(8) client DSA certificate in PEM +/* format. +/* .IP "\fBtlsproxy_client_dkey_file ($smtp_tls_dkey_file)\fR" +/* File with the Postfix \fBtlsproxy\fR(8) client DSA private key in PEM +/* format. +/* .IP "\fBtlsproxy_client_eccert_file ($smtp_tls_eccert_file)\fR" +/* File with the Postfix \fBtlsproxy\fR(8) client ECDSA certificate in +/* PEM format. +/* .IP "\fBtlsproxy_client_eckey_file ($smtp_tls_eckey_file)\fR" +/* File with the Postfix \fBtlsproxy\fR(8) client ECDSA private key in +/* PEM format. +/* .IP "\fBtlsproxy_client_fingerprint_digest ($smtp_tls_fingerprint_digest)\fR" +/* The message digest algorithm used to construct remote TLS server +/* certificate fingerprints. 
+/* .IP "\fBtlsproxy_client_loglevel ($smtp_tls_loglevel)\fR" +/* Enable additional Postfix \fBtlsproxy\fR(8) client logging of TLS +/* activity. +/* .IP "\fBtlsproxy_client_loglevel_parameter (smtp_tls_loglevel)\fR" +/* The name of the parameter that provides the tlsproxy_client_loglevel +/* value. +/* .IP "\fBtlsproxy_client_scert_verifydepth ($smtp_tls_scert_verifydepth)\fR" +/* The verification depth for remote TLS server certificates. +/* .IP "\fBtlsproxy_client_security_level ($smtp_tls_security_level)\fR" +/* The default TLS security level for the Postfix \fBtlsproxy\fR(8) +/* client. +/* .IP "\fBtlsproxy_client_policy_maps ($smtp_tls_policy_maps)\fR" +/* Optional lookup tables with the Postfix \fBtlsproxy\fR(8) client TLS +/* security policy by next-hop destination. +/* .IP "\fBtlsproxy_client_use_tls ($smtp_use_tls)\fR" +/* Opportunistic mode: use TLS when a remote server announces TLS +/* support. +/* .IP "\fBtlsproxy_client_enforce_tls ($smtp_enforce_tls)\fR" +/* Enforcement mode: require that SMTP servers use TLS encryption. +/* .IP "\fBtlsproxy_client_per_site ($smtp_tls_per_site)\fR" +/* Optional lookup tables with the Postfix \fBtlsproxy\fR(8) client TLS +/* usage policy by next-hop destination and by remote TLS server +/* hostname. /* OBSOLETE STARTTLS SUPPORT CONTROLS /* .ad /* .fi 
@@ -304,10 +363,50 @@ char *var_tlsp_tls_level; int var_tlsp_watchdog; + /* + * Defaults for tlsp_clnt_*. + */ +char *var_smtp_tls_loglevel; +int var_smtp_tls_scert_vd; +char *var_smtp_tls_cert_file; +char *var_smtp_tls_key_file; +char *var_smtp_tls_dcert_file; +char *var_smtp_tls_dkey_file; +char *var_smtp_tls_eccert_file; +char *var_smtp_tls_eckey_file; +char *var_smtp_tls_CAfile; +char *var_smtp_tls_CApath; +char *var_smtp_tls_fpt_dgst; +char *var_smtp_tls_level; +bool var_smtp_use_tls; +bool var_smtp_enforce_tls; +char *var_smtp_tls_per_site; +char *var_smtp_tls_policy; + +char *var_tlsp_clnt_loglevel; +char *var_tlsp_clnt_logparam; +int var_tlsp_clnt_scert_vd; +char *var_tlsp_clnt_cert_file; +char *var_tlsp_clnt_key_file; +char *var_tlsp_clnt_dcert_file; +char *var_tlsp_clnt_dkey_file; +char *var_tlsp_clnt_eccert_file; +char *var_tlsp_clnt_eckey_file; +char *var_tlsp_clnt_CAfile; +char *var_tlsp_clnt_CApath; +char *var_tlsp_clnt_fpt_dgst; +char *var_tlsp_clnt_level; +bool var_tlsp_clnt_use_tls; +bool var_tlsp_clnt_enforce_tls; +char *var_tlsp_clnt_per_site; +char *var_tlsp_clnt_policy; + /* * TLS per-process status. */ static TLS_APPL_STATE *tlsp_server_ctx; +static TLS_APPL_STATE *tlsp_client_ctx; +static bool tlsp_pre_jail_done; static int ask_client_cert; /* 
@@ -905,14 +1004,19 @@ static void tlsp_get_fd_event(int event, void *context) } /* - * This function does not destroy TLSP_STATE in case of error, because that - * would complicate the caller. + * Macro for readability. */ +#define TLSP_CLIENT_INIT(ctx, props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \ + a10, a11, a12, a13) \ + tlsp_client_init((ctx), TLS_CLIENT_INIT_ARGS((props), a1, a2, a3, a4, \ + a5, a6, a7, a8, a9, a10, a11, a12, a13)) -/* tlsp_client_init_no_tlsp_state_free - initialize a TLS client engine */ +/* tlsp_client_init - initialize a TLS client engine */ -static int tlsp_client_init_no_tlsp_state_free(TLSP_STATE *state) +static int tlsp_client_init(TLS_APPL_STATE **client_appl_state, + TLS_CLIENT_INIT_PROPS *init_props) { + TLS_APPL_STATE *appl_state; VSTRING *buf; char *key; 
@@ -922,13 +1026,38 @@ static int tlsp_client_init_no_tlsp_state_free(TLSP_STATE *state) * expensive. */ buf = vstring_alloc(100); - key = tls_proxy_client_init_to_string(buf, state->client_init_props); - if ((state->appl_state = (TLS_APPL_STATE *) + key = tls_proxy_client_init_to_string(buf, init_props); + if ((appl_state = (TLS_APPL_STATE *) htable_find(tlsp_client_app_cache, key)) == 0 - && (state->appl_state = - tls_client_init(state->client_init_props)) != 0) { - (void) htable_enter(tlsp_client_app_cache, key, - (void *) state->appl_state); + && (appl_state = tls_client_init(init_props)) != 0) { + (void) htable_enter(tlsp_client_app_cache, key, (void *) appl_state); + + /* + * Log a warning if these client settings differ from the + * tlsproxy_client_* settings AND the settings specify file or + * directory arguments. Those are problematic after chroot (pathname + * resolution) and dropping permission (key files must be root + * read-only). We can eliminate this by adding code that opens a + * cert/key lookup table at pre-jail time and by reading cert/key + * info on-the-fly from that table. + */ +#define NOT_NULL_NOT_EMPTY(x) ((x) && *(x)) + + if (tlsp_pre_jail_done && appl_state && appl_state != tlsp_client_ctx + && (NOT_NULL_NOT_EMPTY(init_props->cert_file) + || NOT_NULL_NOT_EMPTY(init_props->key_file) + || NOT_NULL_NOT_EMPTY(init_props->dcert_file) + || NOT_NULL_NOT_EMPTY(init_props->dkey_file) + || NOT_NULL_NOT_EMPTY(init_props->eccert_file) + || NOT_NULL_NOT_EMPTY(init_props->eckey_file) + || NOT_NULL_NOT_EMPTY(init_props->CAfile) + || NOT_NULL_NOT_EMPTY(init_props->CApath))) { + msg_warn("client request differs from tlsproxy_client_* settings"); + msg_warn("to avoid this warning, 1) configure a custom tlsproxy"); + msg_warn("service and 2) configure an smtp client with a"); + msg_warn("tlsproxy_service setting that resolves to the custom"); + msg_warn("tlsproxy service"); + } /* * To maintain sanity, allow partial SSL_write() operations, and 
@@ -937,13 +1066,14 @@ static int tlsp_client_init_no_tlsp_state_free(TLSP_STATE *state) * a mailing list, but is not supported by documentation. If this * code stops working then no-one can be held responsible. */ - if (state->appl_state) - SSL_CTX_set_mode(state->appl_state->ssl_ctx, + if (appl_state) + SSL_CTX_set_mode(appl_state->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); } + *client_appl_state = appl_state; vstring_free(buf); - return (state->appl_state != 0); + return (appl_state != 0); } /* tlsp_close_event - pre-handshake plaintext-client close event */ @@ -1039,7 +1169,7 @@ static void tlsp_get_request_event(int event, void *context) tlsp_state_free(state); return; } - ready = tlsp_client_init_no_tlsp_state_free(state); + ready = tlsp_client_init(&state->appl_state, state->client_init_props); break; case TLS_PROXY_FLAG_ROLE_SERVER: state->is_server_role = 1; @@ -1117,6 +1247,7 @@ static void pre_jail_init(char *unused_name, char **unused_argv) int have_server_cert; int no_server_cert_ok; int require_server_cert; + int clnt_use_tls; /* * The code in this routine is pasted literally from smtpd(8). I am not 
@@ -1224,13 +1355,110 @@ static void pre_jail_init(char *unused_name, char **unused_argv) SSL_CTX_set_mode(tlsp_server_ctx->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); -} -/* post_jail_init - post-jail initialization */ - -static void post_jail_init(char *unused_name, char **unused_argv) -{ + /* + * The cache with TLS_APPL_STATE instances for different TLS_CLIENT_INIT + * configurations. + */ tlsp_client_app_cache = htable_create(10); + + /* + * Most sites don't use TLS client certs/keys. In that case, enabling + * tlsproxy-based connection caching is trivial. + * + * But some sites do use TLS client certs/keys, and that is challenging when + * tlsproxy runs in a post-jail environment: chroot breaks pathname + * resolution, and an unprivileged process should not be able to open + * files with secrets. The workaround: assume that most of those sites + * will use a fixed TLS client identity. In that case, tlsproxy can load + * the corresponding certs/keys at pre-jail time, so that secrets can + * remain read-only for root. As long as the tlsproxy pre-jail TLS client + * configuration with cert or key pathnames is the same as the one used + * in the Postfix SMTP client, sites can selectively or globally enable + * tlsproxy-based connection caching without additional TLS + * configuration. + * + * Loading one TLS client configuration at pre-jail time is not sufficient + * for the minority of sites that want to use TLS connection caching with + * multiple TLS client identities. To alert the operator, tlsproxy will + * log a warning when a TLS_CLIENT_INIT message specifies a different + * configuration with cert or key pathnames. The workaround is to have + * one tlsproxy process per TLS client identity. + * + * The general solution for single-identity or multi-identity clients is to + * stop loading certs and keys from individual files. Instead, have a + * cert/key map, indexed by client identity, read-only by root. 
After + * opening the map at pre-jail time, tlsproxy can read certs/keys + * on-the-fly at post-jail time. This is the approach that was already + * proposed for server-side SNI support, and it could be reused here. It + * would also end the proliferation of RSA cert/key parameters, DSA + * cert/key parameters, EC cert/key parameters, and so on. + * + * Horror: In order to create the same pre-jail TLS client context as the + * one used in the Postfix SMTP client, we have to duplicate intricate + * SMTP client code, including a handful configuration parameters that + * tlsproxy does not need. We must duplicate the logic, so that we only + * load certs and keys when the SMTP client would load them. + */ + if (*var_tlsp_clnt_level != 0) + switch (tls_level_lookup(var_tlsp_clnt_level)) { + case TLS_LEV_SECURE: + case TLS_LEV_VERIFY: + case TLS_LEV_DANE_ONLY: + case TLS_LEV_FPRINT: + case TLS_LEV_ENCRYPT: + var_tlsp_clnt_use_tls = var_tlsp_clnt_enforce_tls = 1; + break; + case TLS_LEV_DANE: + case TLS_LEV_MAY: + var_tlsp_clnt_use_tls = 1; + var_tlsp_clnt_enforce_tls = 0; + break; + case TLS_LEV_NONE: + var_tlsp_clnt_use_tls = var_tlsp_clnt_enforce_tls = 0; + break; + default: + /* tls_level_lookup() logs no warning. */ + /* session_tls_init() assumes that var_tlsp_clnt_level is sane. */ + msg_fatal("Invalid TLS level \"%s\"", var_tlsp_clnt_level); + } + clnt_use_tls = (var_tlsp_clnt_use_tls || var_tlsp_clnt_enforce_tls); + + /* + * Initialize the TLS data before entering the chroot jail. + */ + if (clnt_use_tls || var_tlsp_clnt_per_site[0] || var_tlsp_clnt_policy[0]) { + TLS_CLIENT_INIT_PROPS props; + + /* + * We get stronger type safety and a cleaner interface by combining + * the various parameters into a single tls_client_props structure. + * + * Large parameter lists are error-prone, so we emulate a language + * feature that C does not have natively: named parameter lists. 
+ */ + if (TLSP_CLIENT_INIT(&tlsp_client_ctx, &props, + log_param = var_tlsp_clnt_logparam, + log_level = var_tlsp_clnt_loglevel, + verifydepth = var_tlsp_clnt_scert_vd, + cache_type = TLS_MGR_SCACHE_SMTP, + cert_file = var_tlsp_clnt_cert_file, + key_file = var_tlsp_clnt_key_file, + dcert_file = var_tlsp_clnt_dcert_file, + dkey_file = var_tlsp_clnt_dkey_file, + eccert_file = var_tlsp_clnt_eccert_file, + eckey_file = var_tlsp_clnt_eckey_file, + CAfile = var_tlsp_clnt_CAfile, + CApath = var_tlsp_clnt_CApath, + mdalg = var_tlsp_clnt_fpt_dgst) == 0) + msg_warn("TLS client initialization failed"); + } + + /* + * tlsp_client_init() needs to know if it is called pre-jail or + * post-jail. + */ + tlsp_pre_jail_done = 1; } MAIL_VERSION_STAMP_DECLARE; 
@@ -1239,24 +1467,38 @@ MAIL_VERSION_STAMP_DECLARE; int main(int argc, char **argv) { - static const CONFIG_INT_TABLE int_table[] = { + + /* + * Each table below initializes the named variables to their implicit + * default value, or to the explicit value in main.cf or master.cf. Here, + * "compat" means that a table initializes a variable "smtpd_blah" or + * "smtp_blah" that provides the implicit default value for variable + * "tlsproxy_blah". To make this work, the variables in a "compat" table + * must be initialized before the variables in the corresponding + * non-compat table. + */ + static const CONFIG_INT_TABLE compat_int_table[] = { VAR_SMTPD_TLS_CCERT_VD, DEF_SMTPD_TLS_CCERT_VD, &var_smtpd_tls_ccert_vd, 0, 0, + VAR_SMTP_TLS_SCERT_VD, DEF_SMTP_TLS_SCERT_VD, &var_smtp_tls_scert_vd, 0, 0, 0, }; static const CONFIG_NINT_TABLE nint_table[] = { VAR_TLSP_TLS_CCERT_VD, DEF_TLSP_TLS_CCERT_VD, &var_tlsp_tls_ccert_vd, 0, 0, + VAR_TLSP_CLNT_SCERT_VD, DEF_TLSP_CLNT_SCERT_VD, &var_tlsp_clnt_scert_vd, 0, 0, 0, }; static const CONFIG_TIME_TABLE time_table[] = { VAR_TLSP_WATCHDOG, DEF_TLSP_WATCHDOG, &var_tlsp_watchdog, 10, 0, 0, }; - static const CONFIG_BOOL_TABLE bool_table[] = { + static const CONFIG_BOOL_TABLE compat_bool_table[] = { VAR_SMTPD_USE_TLS, DEF_SMTPD_USE_TLS, &var_smtpd_use_tls, VAR_SMTPD_ENFORCE_TLS, DEF_SMTPD_ENFORCE_TLS, &var_smtpd_enforce_tls, VAR_SMTPD_TLS_ACERT, DEF_SMTPD_TLS_ACERT, &var_smtpd_tls_ask_ccert, VAR_SMTPD_TLS_RCERT, DEF_SMTPD_TLS_RCERT, &var_smtpd_tls_req_ccert, VAR_SMTPD_TLS_SET_SESSID, DEF_SMTPD_TLS_SET_SESSID, &var_smtpd_tls_set_sessid, + VAR_SMTP_USE_TLS, DEF_SMTP_USE_TLS, &var_smtp_use_tls, + VAR_SMTP_ENFORCE_TLS, DEF_SMTP_ENFORCE_TLS, &var_smtp_enforce_tls, 0, }; static const CONFIG_NBOOL_TABLE nbool_table[] = { 
@@ -1265,9 +1507,11 @@ int main(int argc, char **argv) VAR_TLSP_TLS_ACERT, DEF_TLSP_TLS_ACERT, &var_tlsp_tls_ask_ccert, VAR_TLSP_TLS_RCERT, DEF_TLSP_TLS_RCERT, &var_tlsp_tls_req_ccert, VAR_TLSP_TLS_SET_SESSID, DEF_TLSP_TLS_SET_SESSID, &var_tlsp_tls_set_sessid, + VAR_TLSP_CLNT_USE_TLS, DEF_TLSP_CLNT_USE_TLS, &var_tlsp_clnt_use_tls, + VAR_TLSP_CLNT_ENFORCE_TLS, DEF_TLSP_CLNT_ENFORCE_TLS, &var_tlsp_clnt_enforce_tls, 0, }; - static const CONFIG_STR_TABLE str_table[] = { + static const CONFIG_STR_TABLE compat_str_table[] = { VAR_SMTPD_TLS_CERT_FILE, DEF_SMTPD_TLS_CERT_FILE, &var_smtpd_tls_cert_file, 0, 0, VAR_SMTPD_TLS_KEY_FILE, DEF_SMTPD_TLS_KEY_FILE, &var_smtpd_tls_key_file, 0, 0, VAR_SMTPD_TLS_DCERT_FILE, DEF_SMTPD_TLS_DCERT_FILE, &var_smtpd_tls_dcert_file, 0, 0, 
@@ -1288,6 +1532,22 @@ int main(int argc, char **argv) VAR_SMTPD_TLS_FPT_DGST, DEF_SMTPD_TLS_FPT_DGST, &var_smtpd_tls_fpt_dgst, 1, 0, VAR_SMTPD_TLS_LOGLEVEL, DEF_SMTPD_TLS_LOGLEVEL, &var_smtpd_tls_loglevel, 0, 0, VAR_SMTPD_TLS_LEVEL, DEF_SMTPD_TLS_LEVEL, &var_smtpd_tls_level, 0, 0, + VAR_SMTP_TLS_CERT_FILE, DEF_SMTP_TLS_CERT_FILE, &var_smtp_tls_cert_file, 0, 0, + VAR_SMTP_TLS_KEY_FILE, DEF_SMTP_TLS_KEY_FILE, &var_smtp_tls_key_file, 0, 0, + VAR_SMTP_TLS_DCERT_FILE, DEF_SMTP_TLS_DCERT_FILE, &var_smtp_tls_dcert_file, 0, 0, + VAR_SMTP_TLS_DKEY_FILE, DEF_SMTP_TLS_DKEY_FILE, &var_smtp_tls_dkey_file, 0, 0, + VAR_SMTP_TLS_CA_FILE, DEF_SMTP_TLS_CA_FILE, &var_smtp_tls_CAfile, 0, 0, + VAR_SMTP_TLS_CA_PATH, DEF_SMTP_TLS_CA_PATH, &var_smtp_tls_CApath, 0, 0, + VAR_SMTP_TLS_FPT_DGST, DEF_SMTP_TLS_FPT_DGST, &var_smtp_tls_fpt_dgst, 1, 0, + VAR_SMTP_TLS_ECCERT_FILE, DEF_SMTP_TLS_ECCERT_FILE, &var_smtp_tls_eccert_file, 0, 0, + VAR_SMTP_TLS_ECKEY_FILE, DEF_SMTP_TLS_ECKEY_FILE, &var_smtp_tls_eckey_file, 0, 0, + VAR_SMTP_TLS_LOGLEVEL, DEF_SMTP_TLS_LOGLEVEL, &var_smtp_tls_loglevel, 0, 0, + VAR_SMTP_TLS_PER_SITE, DEF_SMTP_TLS_PER_SITE, &var_smtp_tls_per_site, 0, 0, + VAR_SMTP_TLS_LEVEL, DEF_SMTP_TLS_LEVEL, &var_smtp_tls_level, 0, 0, + VAR_SMTP_TLS_POLICY, DEF_SMTP_TLS_POLICY, &var_smtp_tls_policy, 0, 0, + 0, + }; + static const CONFIG_STR_TABLE str_table[] = { VAR_TLSP_TLS_CERT_FILE, DEF_TLSP_TLS_CERT_FILE, &var_tlsp_tls_cert_file, 0, 0, VAR_TLSP_TLS_KEY_FILE, DEF_TLSP_TLS_KEY_FILE, &var_tlsp_tls_key_file, 0, 0, VAR_TLSP_TLS_DCERT_FILE, DEF_TLSP_TLS_DCERT_FILE, &var_tlsp_tls_dcert_file, 0, 0, 
@@ -1308,6 +1568,20 @@ int main(int argc, char **argv) VAR_TLSP_TLS_FPT_DGST, DEF_TLSP_TLS_FPT_DGST, &var_tlsp_tls_fpt_dgst, 1, 0, VAR_TLSP_TLS_LOGLEVEL, DEF_TLSP_TLS_LOGLEVEL, &var_tlsp_tls_loglevel, 0, 0, VAR_TLSP_TLS_LEVEL, DEF_TLSP_TLS_LEVEL, &var_tlsp_tls_level, 0, 0, + VAR_TLSP_CLNT_LOGLEVEL, DEF_TLSP_CLNT_LOGLEVEL, &var_tlsp_clnt_loglevel, 0, 0, + VAR_TLSP_CLNT_LOGPARAM, DEF_TLSP_CLNT_LOGPARAM, &var_tlsp_clnt_logparam, 0, 0, + VAR_TLSP_CLNT_CERT_FILE, DEF_TLSP_CLNT_CERT_FILE, &var_tlsp_clnt_cert_file, 0, 0, + VAR_TLSP_CLNT_KEY_FILE, DEF_TLSP_CLNT_KEY_FILE, &var_tlsp_clnt_key_file, 0, 0, + VAR_TLSP_CLNT_DCERT_FILE, DEF_TLSP_CLNT_DCERT_FILE, &var_tlsp_clnt_dcert_file, 0, 0, + VAR_TLSP_CLNT_DKEY_FILE, DEF_TLSP_CLNT_DKEY_FILE, &var_tlsp_clnt_dkey_file, 0, 0, + VAR_TLSP_CLNT_ECCERT_FILE, DEF_TLSP_CLNT_ECCERT_FILE, &var_tlsp_clnt_eccert_file, 0, 0, + VAR_TLSP_CLNT_ECKEY_FILE, DEF_TLSP_CLNT_ECKEY_FILE, &var_tlsp_clnt_eckey_file, 0, 0, + VAR_TLSP_CLNT_CAFILE, DEF_TLSP_CLNT_CAFILE, &var_tlsp_clnt_CAfile, 0, 0, + VAR_TLSP_CLNT_CAPATH, DEF_TLSP_CLNT_CAPATH, &var_tlsp_clnt_CApath, 0, 0, + VAR_TLSP_CLNT_FPT_DGST, DEF_TLSP_CLNT_FPT_DGST, &var_tlsp_clnt_fpt_dgst, 1, 0, + VAR_TLSP_CLNT_LEVEL, DEF_TLSP_CLNT_LEVEL, &var_tlsp_clnt_level, 0, 0, + VAR_TLSP_CLNT_PER_SITE, DEF_TLSP_CLNT_PER_SITE, &var_tlsp_clnt_per_site, 0, 0, + VAR_TLSP_CLNT_POLICY, DEF_TLSP_CLNT_POLICY, &var_tlsp_clnt_policy, 0, 0, 0, }; 
@@ -1320,14 +1594,14 @@ int main(int argc, char **argv) * Pass control to the event-driven service skeleton. */ event_server_main(argc, argv, tlsp_service, - CA_MAIL_SERVER_INT_TABLE(int_table), + CA_MAIL_SERVER_INT_TABLE(compat_int_table), CA_MAIL_SERVER_NINT_TABLE(nint_table), + CA_MAIL_SERVER_STR_TABLE(compat_str_table), CA_MAIL_SERVER_STR_TABLE(str_table), - CA_MAIL_SERVER_BOOL_TABLE(bool_table), + CA_MAIL_SERVER_BOOL_TABLE(compat_bool_table), CA_MAIL_SERVER_NBOOL_TABLE(nbool_table), CA_MAIL_SERVER_TIME_TABLE(time_table), CA_MAIL_SERVER_PRE_INIT(pre_jail_init), - CA_MAIL_SERVER_POST_INIT(post_jail_init), CA_MAIL_SERVER_SLOW_EXIT(tlsp_drain), CA_MAIL_SERVER_RETIRE_ME, CA_MAIL_SERVER_WATCHDOG(&var_tlsp_watchdog),
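Review bot: the new TLS_CLIENT_INIT_ARGS macro in the tls.h hunk (@@ -525,12 +525,17 @@) has no comment saying what it is: it expands to a complete parenthesized argument list ending in `(props)` and is only meaningful as the argument list of a call such as `tls_client_init(TLS_CLIENT_INIT_ARGS(...))` or tlsproxy's `tlsp_client_init((ctx), TLS_CLIENT_INIT_ARGS(...))`. Because each `aN` is an assignment expression (`cert_file = var_tlsp_clnt_cert_file` and so on in pre_jail_init), the macro fills in `props` as a side effect of evaluating the arguments, which is worth stating next to the definition so that nobody uses it as a plain value expression or expects `props` to be populated before the call.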
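Review bot: the intro sentence of the new "TLS CLIENT CONTROLS" section in the tlsproxy.c prototype hunk (@@ -137,6 +137,65 @@), "These parameters allow tlsproxy(8) to load certificate and private key information before dropping privileges", only describes the cert/key/CA parameters; tlsproxy_client_security_level, tlsproxy_client_use_tls, tlsproxy_client_enforce_tls, tlsproxy_client_per_site and tlsproxy_client_policy_maps name no files but decide whether the pre-jail load happens at all (pre_jail_init calls TLSP_CLIENT_INIT only when `clnt_use_tls || var_tlsp_clnt_per_site[0] || var_tlsp_clnt_policy[0]`). Suggest adding a sentence such as "The security level, use/enforce, per-site and policy parameters determine whether the client TLS engine is initialized at all; they default to the corresponding smtp(8) settings so that both programs make the same decision."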
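Review bot: the "Defaults for tlsp_clnt_*" comment in the globals hunk (@@ -304,10 +363,50 @@) does not say why the `var_smtp_*` variables exist in tlsproxy at all; within this patch they are only written by the compat_*_table entries in main() and never read by tlsproxy code, their sole purpose being to get the `smtp_*` parameters into the configuration dictionary so that the `$smtp_*` defaults of the `tlsproxy_client_*` parameters can be expanded. One sentence to that effect ("Only needed so that $smtp_* default expansion works; not used directly") would stop a later cleanup from removing them as dead code.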
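Review bot: the rewritten header of tlsp_client_init() (@@ -905,14 +1004,19 @@) dropped the old sentence about error behaviour and replaced it with "Macro for readability", so the new output parameter is undocumented: the function stores into `*client_appl_state` unconditionally (`*client_appl_state = appl_state;` in the next hunk), so on failure the caller's pointer is set to 0 rather than left untouched. pre_jail_init relies on exactly that (tlsp_client_ctx stays null when the pre-jail load fails), so state it in the function header, e.g. "On failure, *client_appl_state is set to null and the result is 0." Also, keep "Macro for readability" on TLSP_CLIENT_INIT and give the function its own header comment rather than sharing one.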
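Review bot: in @@ -922,13 +1026,38 @@ the mismatch warning sits inside the `htable_find(...) == 0 && (appl_state = tls_client_init(init_props)) != 0` block, so it is logged only when the differing configuration loads successfully after chroot; in the case the warning was written for (a key file that is read-only for root, or a pathname that no longer resolves, so tls_client_init() returns 0) the operator sees only tls_client_init()'s own error and never the "client request differs from tlsproxy_client_* settings" hint with the workaround text. Suggest evaluating the `tlsp_pre_jail_done && ... NOT_NULL_NOT_EMPTY(...)` test before calling tls_client_init(), keyed on the cache miss (or on a saved copy of the pre-jail `key` string) instead of on `appl_state != tlsp_client_ctx`, so the warning appears whether or not the post-jail load succeeds. Nit: `appl_state &&` in that condition is redundant, since the enclosing `if` already established `appl_state != 0`.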
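Review bot: in the pre_jail_init hunk (@@ -1224,13 +1355,110 @@), when TLSP_CLIENT_INIT() fails the code logs only "TLS client initialization failed" and continues with tlsp_client_ctx left at 0; every later TLS_CLIENT_INIT request then retries tls_client_init() post-jail, where root-only key files cannot be opened, and the failure surfaces one request at a time. Since pre-jail loading is the whole point of this change, the warning should at least say what happens next ("client requests will fall back to post-jail loading"), or the failure should be treated as fatal the way this hunk already treats an invalid tlsproxy_client_security_level (`msg_fatal("Invalid TLS level \"%s\"", ...)`). Nit: "a handful configuration parameters" in the long comment should read "a handful of configuration parameters".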
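Review bot: the ordering constraint documented in the main() tables hunk (@@ -1239,24 +1467,38 @@), that each compat table must be initialized before the corresponding non-compat table, is enforced only by the argument order in this event_server_main() call (compat_int_table before nint_table, compat_str_table before str_table, compat_bool_table before nbool_table); nothing checks it. Suggest a one-line comment at the call, such as "compat_* tables must precede the tables whose $smtp_* defaults they provide", so that a later reordering of the CA_MAIL_SERVER_*_TABLE arguments does not silently break the `$smtp_*` default expansion.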