postfix-3.4-20181122

postfix/HISTORY

@@ -23820,3 +23820,18 @@ Apologies for any names omitted.
 	Bitrot: makedefs will use "pkg-config" to locate ICU build
 	information, falling back to "icu-config" if "pkg-config"
 	is not found. File: makedefs.
+
+20181122
+
+	Cleanup: tlsproxy loads the same TLS client configuration
+	at pre-jail time as the Postfix SMTP client, so that secret
+	keys can remain read-only for root. This is sufficient for
+	MTAs that have a fixed TLS client identity. tlsproxy will
+	log a warning if it is requested to assume a different TLS
+	client identity, and will log suggestions for a workaround.
+	The long-term solution is to stop loading certs/keys from
+	files, and to use the same approach as planned for server-side
+	SNI support: open a cert/key map at pre-jail time, and read
+	cert/key information on-the-fly at post-jail time. Files:
+	proto/postconf.proto, mantools/postlink, global/mail_params.h,
+	tlsproxy/tlsproxy.c.

postfix/html/makedefs.1.html

@@ -65,8 +65,8 @@ MAKEDEFS(1)                                                        MAKEDEFS(1)
 
               <b>-DNO_EAI</b>
                      Do not build with EAI (SMTPUTF8) support. By default, EAI
-                     support is compiled in when the "icu-config"  command  is
-                     found.
+                     support is compiled in when the "pkg-config"  command  is
+                     found, or the deprecated "icu-config" command.
 
               <b>-DNO_INLINE</b>
                      Do  not  require  support  for  C99  "inline"  functions.

postfix/html/postconf.5.html

@@ -18357,6 +18357,198 @@ of TLS. </p>
 <p> This feature is available in Postfix 2.11 and later. </p>
 
 
+</DD>
+
+<DT><b><a name="tlsproxy_client_CAfile">tlsproxy_client_CAfile</a>
+(default: $<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a>)</b></DT><DD>
+
+<p> A file containing CA certificates of root CAs trusted to sign
+either remote TLS server certificates or intermediate CA certificates.
+See <a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+
+</DD>
+
+<DT><b><a name="tlsproxy_client_CApath">tlsproxy_client_CApath</a>
+(default: $<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a>)</b></DT><DD>
+
+<p> Directory with PEM format Certification Authority certificates
+that the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> client uses to verify a remote TLS
+server certificate. See <a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+
+</DD>
+
+<DT><b><a name="tlsproxy_client_cert_file">tlsproxy_client_cert_file</a>
+(default: $<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>)</b></DT><DD>
+
+<p> File with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> client RSA certificate in PEM
+format. See <a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+
+</DD>
+
+<DT><b><a name="tlsproxy_client_dcert_file">tlsproxy_client_dcert_file</a>
+(default: $<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>)</b></DT><DD>
+
+<p> File with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> client DSA certificate in PEM
+format. See <a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+
+</DD>
+
+<DT><b><a name="tlsproxy_client_dkey_file">tlsproxy_client_dkey_file</a>
+(default: $<a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a>)</b></DT><DD>
+
+<p> File with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> client DSA private key in PEM
+format. See <a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+
+</DD>
+
+<DT><b><a name="tlsproxy_client_eccert_file">tlsproxy_client_eccert_file</a>
+(default: $<a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a>)</b></DT><DD>
+
+<p> File with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> client ECDSA certificate in
+PEM format. See <a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a> for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+
+</DD>
+
+<DT><b><a name="tlsproxy_client_eckey_file">tlsproxy_client_eckey_file</a>
+(default: $<a href="postconf.5.html#smtp_tls_eckey_file">smtp_tls_eckey_file</a>)</b></DT><DD>
+
+<p> File with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> client ECDSA private key in
+PEM format. See <a href="postconf.5.html#smtp_tls_eckey_file">smtp_tls_eckey_file</a> for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+
+</DD>
+
+<DT><b><a name="tlsproxy_client_enforce_tls">tlsproxy_client_enforce_tls</a>
+(default: $<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>)</b></DT><DD>
+
+<p> Enforcement mode: require that SMTP servers use TLS encryption.
+See <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+
+</DD>
+
+<DT><b><a name="tlsproxy_client_fingerprint_digest">tlsproxy_client_fingerprint_digest</a>
+(default: $<a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a>)</b></DT><DD>
+
+<p> The message digest algorithm used to construct remote TLS server
+certificate fingerprints. See <a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a> for
+further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+
+</DD>
+
+<DT><b><a name="tlsproxy_client_key_file">tlsproxy_client_key_file</a>
+(default: $<a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a>)</b></DT><DD>
+
+<p> File with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> client RSA private key in PEM
+format. See <a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a> for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+
+</DD>
+
+<DT><b><a name="tlsproxy_client_loglevel">tlsproxy_client_loglevel</a>
+(default: $<a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a>)</b></DT><DD>
+
+<p> Enable additional Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> client logging of TLS
+activity. See <a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+
+</DD>
+
+<DT><b><a name="tlsproxy_client_loglevel_parameter">tlsproxy_client_loglevel_parameter</a>
+(default: <a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a>)</b></DT><DD>
+
+<p> The name of the parameter that provides the <a href="postconf.5.html#tlsproxy_client_loglevel">tlsproxy_client_loglevel</a>
+value. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+
+</DD>
+
+<DT><b><a name="tlsproxy_client_per_site">tlsproxy_client_per_site</a>
+(default: $<a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a>)</b></DT><DD>
+
+<p> Optional lookup tables with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> client TLS
+usage policy by next-hop destination and by remote TLS server
+hostname.  See <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+
+</DD>
+
+<DT><b><a name="tlsproxy_client_policy_maps">tlsproxy_client_policy_maps</a>
+(default: $<a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>)</b></DT><DD>
+
+<p> Optional lookup tables with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> client TLS
+security policy by next-hop destination. See <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>
+for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+
+</DD>
+
+<DT><b><a name="tlsproxy_client_scert_verifydepth">tlsproxy_client_scert_verifydepth</a>
+(default: $<a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a>)</b></DT><DD>
+
+<p> The verification depth for remote TLS server certificates.
+See <a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+
+</DD>
+
+<DT><b><a name="tlsproxy_client_security_level">tlsproxy_client_security_level</a>
+(default: $<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>)</b></DT><DD>
+
+<p> The default TLS security level for the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a>
+client. See <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+
+</DD>
+
+<DT><b><a name="tlsproxy_client_use_tls">tlsproxy_client_use_tls</a>
+(default: $<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>)</b></DT><DD>
+
+<p> Opportunistic mode: use TLS when a remote server announces TLS
+support. See <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+
 </DD>
 
 <DT><b><a name="tlsproxy_enforce_tls">tlsproxy_enforce_tls</a>

postfix/html/tlsproxy.8.html

@@ -160,6 +160,82 @@ TLSPROXY(8)                                                        TLSPROXY(8)
        <b><a href="postconf.5.html#tlsmgr_service_name">tlsmgr_service_name</a> (tlsmgr)</b>
               The name of the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> service entry in <a href="master.5.html">master.cf</a>.
 
+<b>TLS CLIENT CONTROLS</b>
+       These parameters allow <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> to load certificate and private  key
+       information  before  dropping  privileges, so that the key files can be
+       kept read-only for root.
+
+       Available in Postfix version 3.4 and later:
+
+       <b><a href="postconf.5.html#tlsproxy_client_CAfile">tlsproxy_client_CAfile</a> ($<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a>)</b>
+              A file containing CA certificates of root CAs  trusted  to  sign
+              either  remote  TLS  server certificates or intermediate CA cer-
+              tificates.
+
+       <b><a href="postconf.5.html#tlsproxy_client_CApath">tlsproxy_client_CApath</a> ($<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a>)</b>
+              Directory with PEM format Certification  Authority  certificates
+              that  the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client uses to verify a remote TLS
+              server certificate.
+
+       <b><a href="postconf.5.html#tlsproxy_client_cert_file">tlsproxy_client_cert_file</a> ($<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>)</b>
+              File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client RSA certificate in  PEM
+              format.
+
+       <b><a href="postconf.5.html#tlsproxy_client_key_file">tlsproxy_client_key_file</a> ($<a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a>)</b>
+              File  with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client RSA private key in PEM
+              format.
+
+       <b><a href="postconf.5.html#tlsproxy_client_dcert_file">tlsproxy_client_dcert_file</a> ($<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>)</b>
+              File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client DSA certificate in  PEM
+              format.
+
+       <b><a href="postconf.5.html#tlsproxy_client_dkey_file">tlsproxy_client_dkey_file</a> ($<a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a>)</b>
+              File  with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client DSA private key in PEM
+              format.
+
+       <b><a href="postconf.5.html#tlsproxy_client_eccert_file">tlsproxy_client_eccert_file</a> ($<a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a>)</b>
+              File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client  ECDSA  certificate  in
+              PEM format.
+
+       <b><a href="postconf.5.html#tlsproxy_client_eckey_file">tlsproxy_client_eckey_file</a> ($<a href="postconf.5.html#smtp_tls_eckey_file">smtp_tls_eckey_file</a>)</b>
+              File  with  the  Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client ECDSA private key in
+              PEM format.
+
+       <b><a href="postconf.5.html#tlsproxy_client_fingerprint_digest">tlsproxy_client_fingerprint_digest</a> ($<a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a>)</b>
+              The message digest algorithm used to construct remote TLS server
+              certificate fingerprints.
+
+       <b><a href="postconf.5.html#tlsproxy_client_loglevel">tlsproxy_client_loglevel</a> ($<a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a>)</b>
+              Enable  additional  Postfix  <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>  client  logging of TLS
+              activity.
+
+       <b><a href="postconf.5.html#tlsproxy_client_loglevel_parameter">tlsproxy_client_loglevel_parameter</a> (<a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a>)</b>
+              The    name    of    the    parameter    that    provides    the
+              <a href="postconf.5.html#tlsproxy_client_loglevel">tlsproxy_client_loglevel</a> value.
+
+       <b><a href="postconf.5.html#tlsproxy_client_scert_verifydepth">tlsproxy_client_scert_verifydepth</a> ($<a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a>)</b>
+              The verification depth for remote TLS server certificates.
+
+       <b><a href="postconf.5.html#tlsproxy_client_security_level">tlsproxy_client_security_level</a> ($<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>)</b>
+              The  default  TLS  security  level  for  the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>
+              client.
+
+       <b><a href="postconf.5.html#tlsproxy_client_policy_maps">tlsproxy_client_policy_maps</a> ($<a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>)</b>
+              Optional lookup tables with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>  client  TLS
+              security policy by next-hop destination.
+
+       <b><a href="postconf.5.html#tlsproxy_client_use_tls">tlsproxy_client_use_tls</a> ($<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>)</b>
+              Opportunistic  mode:  use TLS when a remote server announces TLS
+              support.
+
+       <b><a href="postconf.5.html#tlsproxy_client_enforce_tls">tlsproxy_client_enforce_tls</a> ($<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>)</b>
+              Enforcement mode: require that SMTP servers use TLS  encryption.
+
+       <b><a href="postconf.5.html#tlsproxy_client_per_site">tlsproxy_client_per_site</a> ($<a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a>)</b>
+              Optional  lookup  tables with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client TLS
+              usage policy by next-hop destination and by  remote  TLS  server
+              hostname.
+
 <b>OBSOLETE STARTTLS SUPPORT CONTROLS</b>
        These  parameters  are supported for compatibility with <a href="smtpd.8.html"><b>smtpd</b>(8)</a> legacy
        parameters.

postfix/man/man1/makedefs.1

@@ -63,8 +63,8 @@ By default, EPOLL support is compiled in on platforms that
 are known to support it.
 .IP \fB\-DNO_EAI\fR
 Do not build with EAI (SMTPUTF8) support. By default, EAI
-support is compiled in when the "icu\-config" command is
-found.
+support is compiled in when the "pkg\-config" command is
+found, or the deprecated "icu\-config" command.
 .IP \fB\-DNO_INLINE\fR
 Do not require support for C99 "inline" functions. Instead,
 implement argument typechecks for non\-(printf/scanf)\-like

postfix/man/man5/postconf.5

@@ -12695,6 +12695,96 @@ service maintains TLS session caches and other information in support
 of TLS.
 .PP
 This feature is available in Postfix 2.11 and later.
+.SH tlsproxy_client_CAfile (default: $smtp_tls_CAfile)
+A file containing CA certificates of root CAs trusted to sign
+either remote TLS server certificates or intermediate CA certificates.
+See smtp_tls_CAfile for further details.
+.PP
+This feature is available in Postfix 3.4 and later.
+.SH tlsproxy_client_CApath (default: $smtp_tls_CApath)
+Directory with PEM format Certification Authority certificates
+that the Postfix \fBtlsproxy\fR(8) client uses to verify a remote TLS
+server certificate. See smtp_tls_CApath for further details.
+.PP
+This feature is available in Postfix 3.4 and later.
+.SH tlsproxy_client_cert_file (default: $smtp_tls_cert_file)
+File with the Postfix \fBtlsproxy\fR(8) client RSA certificate in PEM
+format. See smtp_tls_cert_file for further details.
+.PP
+This feature is available in Postfix 3.4 and later.
+.SH tlsproxy_client_dcert_file (default: $smtp_tls_dcert_file)
+File with the Postfix \fBtlsproxy\fR(8) client DSA certificate in PEM
+format. See smtp_tls_dcert_file for further details.
+.PP
+This feature is available in Postfix 3.4 and later.
+.SH tlsproxy_client_dkey_file (default: $smtp_tls_dkey_file)
+File with the Postfix \fBtlsproxy\fR(8) client DSA private key in PEM
+format. See smtp_tls_dkey_file for further details.
+.PP
+This feature is available in Postfix 3.4 and later.
+.SH tlsproxy_client_eccert_file (default: $smtp_tls_eccert_file)
+File with the Postfix \fBtlsproxy\fR(8) client ECDSA certificate in
+PEM format. See smtp_tls_eccert_file for further details.
+.PP
+This feature is available in Postfix 3.4 and later.
+.SH tlsproxy_client_eckey_file (default: $smtp_tls_eckey_file)
+File with the Postfix \fBtlsproxy\fR(8) client ECDSA private key in
+PEM format. See smtp_tls_eckey_file for further details.
+.PP
+This feature is available in Postfix 3.4 and later.
+.SH tlsproxy_client_enforce_tls (default: $smtp_enforce_tls)
+Enforcement mode: require that SMTP servers use TLS encryption.
+See smtp_enforce_tls for further details.
+.PP
+This feature is available in Postfix 3.4 and later.
+.SH tlsproxy_client_fingerprint_digest (default: $smtp_tls_fingerprint_digest)
+The message digest algorithm used to construct remote TLS server
+certificate fingerprints. See smtp_tls_fingerprint_digest for
+further details.
+.PP
+This feature is available in Postfix 3.4 and later.
+.SH tlsproxy_client_key_file (default: $smtp_tls_key_file)
+File with the Postfix \fBtlsproxy\fR(8) client RSA private key in PEM
+format. See smtp_tls_key_file for further details.
+.PP
+This feature is available in Postfix 3.4 and later.
+.SH tlsproxy_client_loglevel (default: $smtp_tls_loglevel)
+Enable additional Postfix \fBtlsproxy\fR(8) client logging of TLS
+activity. See smtp_tls_loglevel for further details.
+.PP
+This feature is available in Postfix 3.4 and later.
+.SH tlsproxy_client_loglevel_parameter (default: smtp_tls_loglevel)
+The name of the parameter that provides the tlsproxy_client_loglevel
+value.
+.PP
+This feature is available in Postfix 3.4 and later.
+.SH tlsproxy_client_per_site (default: $smtp_tls_per_site)
+Optional lookup tables with the Postfix \fBtlsproxy\fR(8) client TLS
+usage policy by next\-hop destination and by remote TLS server
+hostname.  See smtp_tls_per_site for further details.
+.PP
+This feature is available in Postfix 3.4 and later.
+.SH tlsproxy_client_policy_maps (default: $smtp_tls_policy_maps)
+Optional lookup tables with the Postfix \fBtlsproxy\fR(8) client TLS
+security policy by next\-hop destination. See smtp_tls_policy_maps
+for further details.
+.PP
+This feature is available in Postfix 3.4 and later.
+.SH tlsproxy_client_scert_verifydepth (default: $smtp_tls_scert_verifydepth)
+The verification depth for remote TLS server certificates.
+See smtp_tls_scert_verifydepth for further details.
+.PP
+This feature is available in Postfix 3.4 and later.
+.SH tlsproxy_client_security_level (default: $smtp_tls_security_level)
+The default TLS security level for the Postfix \fBtlsproxy\fR(8)
+client. See smtp_tls_security_level for further details.
+.PP
+This feature is available in Postfix 3.4 and later.
+.SH tlsproxy_client_use_tls (default: $smtp_use_tls)
+Opportunistic mode: use TLS when a remote server announces TLS
+support. See smtp_use_tls for further details.
+.PP
+This feature is available in Postfix 3.4 and later.
 .SH tlsproxy_enforce_tls (default: $smtpd_enforce_tls)
 Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
 require that clients use TLS encryption. See smtpd_enforce_tls for

postfix/man/man8/tlsproxy.8

@@ -153,6 +153,67 @@ parameters smtpd_use_tls and smtpd_enforce_tls.
 Available in Postfix version 2.11 and later:
 .IP "\fBtlsmgr_service_name (tlsmgr)\fR"
 The name of the \fBtlsmgr\fR(8) service entry in master.cf.
+.SH "TLS CLIENT CONTROLS"
+.na
+.nf
+.ad
+.fi
+These parameters allow \fBtlsproxy\fR(8) to load certificate
+and private key information before dropping privileges, so
+that the key files can be kept read\-only for root.
+.PP
+Available in Postfix version 3.4 and later:
+.IP "\fBtlsproxy_client_CAfile ($smtp_tls_CAfile)\fR"
+A file containing CA certificates of root CAs trusted to sign
+either remote TLS server certificates or intermediate CA certificates.
+.IP "\fBtlsproxy_client_CApath ($smtp_tls_CApath)\fR"
+Directory with PEM format Certification Authority certificates
+that the Postfix \fBtlsproxy\fR(8) client uses to verify a remote TLS
+server certificate.
+.IP "\fBtlsproxy_client_cert_file ($smtp_tls_cert_file)\fR"
+File with the Postfix \fBtlsproxy\fR(8) client RSA certificate in PEM
+format.
+.IP "\fBtlsproxy_client_key_file ($smtp_tls_key_file)\fR"
+File with the Postfix \fBtlsproxy\fR(8) client RSA private key in PEM
+format.
+.IP "\fBtlsproxy_client_dcert_file ($smtp_tls_dcert_file)\fR"
+File with the Postfix \fBtlsproxy\fR(8) client DSA certificate in PEM
+format.
+.IP "\fBtlsproxy_client_dkey_file ($smtp_tls_dkey_file)\fR"
+File with the Postfix \fBtlsproxy\fR(8) client DSA private key in PEM
+format.
+.IP "\fBtlsproxy_client_eccert_file ($smtp_tls_eccert_file)\fR"
+File with the Postfix \fBtlsproxy\fR(8) client ECDSA certificate in
+PEM format.
+.IP "\fBtlsproxy_client_eckey_file ($smtp_tls_eckey_file)\fR"
+File with the Postfix \fBtlsproxy\fR(8) client ECDSA private key in
+PEM format.
+.IP "\fBtlsproxy_client_fingerprint_digest ($smtp_tls_fingerprint_digest)\fR"
+The message digest algorithm used to construct remote TLS server
+certificate fingerprints.
+.IP "\fBtlsproxy_client_loglevel ($smtp_tls_loglevel)\fR"
+Enable additional Postfix \fBtlsproxy\fR(8) client logging of TLS
+activity.
+.IP "\fBtlsproxy_client_loglevel_parameter (smtp_tls_loglevel)\fR"
+The name of the parameter that provides the tlsproxy_client_loglevel
+value.
+.IP "\fBtlsproxy_client_scert_verifydepth ($smtp_tls_scert_verifydepth)\fR"
+The verification depth for remote TLS server certificates.
+.IP "\fBtlsproxy_client_security_level ($smtp_tls_security_level)\fR"
+The default TLS security level for the Postfix \fBtlsproxy\fR(8)
+client.
+.IP "\fBtlsproxy_client_policy_maps ($smtp_tls_policy_maps)\fR"
+Optional lookup tables with the Postfix \fBtlsproxy\fR(8) client TLS
+security policy by next\-hop destination.
+.IP "\fBtlsproxy_client_use_tls ($smtp_use_tls)\fR"
+Opportunistic mode: use TLS when a remote server announces TLS
+support.
+.IP "\fBtlsproxy_client_enforce_tls ($smtp_enforce_tls)\fR"
+Enforcement mode: require that SMTP servers use TLS encryption.
+.IP "\fBtlsproxy_client_per_site ($smtp_tls_per_site)\fR"
+Optional lookup tables with the Postfix \fBtlsproxy\fR(8) client TLS
+usage policy by next\-hop destination and by remote TLS server
+hostname.
 .SH "OBSOLETE STARTTLS SUPPORT CONTROLS"
 .na
 .nf

postfix/mantools/postlink

@@ -1082,6 +1082,25 @@ while (<>) {
     s;\btlsproxy_tls_security_level\b;<a href="postconf.5.html#tlsproxy_tls_security_level">$&</a>;g;
     s;\btlsproxy_use_tls\b;<a href="postconf.5.html#tlsproxy_use_tls">$&</a>;g;
 
+    s;\btlsproxy_client_CAfile\b;<a href="postconf.5.html#tlsproxy_client_CAfile">$&</a>;g;
+    s;\btlsproxy_client_CApath\b;<a href="postconf.5.html#tlsproxy_client_CApath">$&</a>;g;
+    s;\btlsproxy_client_cert_file\b;<a href="postconf.5.html#tlsproxy_client_cert_file">$&</a>;g;
+    s;\btlsproxy_client_dcert_file\b;<a href="postconf.5.html#tlsproxy_client_dcert_file">$&</a>;g;
+    s;\btlsproxy_client_dkey_file\b;<a href="postconf.5.html#tlsproxy_client_dkey_file">$&</a>;g;
+    s;\btlsproxy_client_eccert_file\b;<a href="postconf.5.html#tlsproxy_client_eccert_file">$&</a>;g;
+    s;\btlsproxy_client_eckey_file\b;<a href="postconf.5.html#tlsproxy_client_eckey_file">$&</a>;g;
+    s;\btlsproxy_client_fingerprint_digest\b;<a href="postconf.5.html#tlsproxy_client_fingerprint_digest">$&</a>;g;
+    s;\btlsproxy_client_key_file\b;<a href="postconf.5.html#tlsproxy_client_key_file">$&</a>;g;
+    s;\btlsproxy_client_loglevel\b;<a href="postconf.5.html#tlsproxy_client_loglevel">$&</a>;g;
+    s;\btlsproxy_client_loglevel_parameter\b;<a href="postconf.5.html#tlsproxy_client_loglevel_parameter">$&</a>;g;
+    s;\btlsproxy_client_scert_verifydepth\b;<a href="postconf.5.html#tlsproxy_client_scert_verifydepth">$&</a>;g;
+
+    s;\btlsproxy_client_security_level\b;<a href="postconf.5.html#tlsproxy_client_security_level">$&</a>;g;
+    s;\btlsproxy_client_per_site\b;<a href="postconf.5.html#tlsproxy_client_per_site">$&</a>;g;
+    s;\btlsproxy_client_policy_maps\b;<a href="postconf.5.html#tlsproxy_client_policy_maps">$&</a>;g;
+    s;\btlsproxy_client_use_tls\b;<a href="postconf.5.html#tlsproxy_client_use_tls">$&</a>;g;
+    s;\btlsproxy_client_enforce_tls\b;<a href="postconf.5.html#tlsproxy_client_enforce_tls">$&</a>;g;
+
     # SMTPUTF8
 
     s;\bsmtputf8_enable\b;<a href="postconf.5.html#smtputf8_enable">$&</a>;g;

postfix/proto/postconf.proto

@@ -16913,3 +16913,127 @@ environment variable, or from the UNIX password file. </p>
 </ul>
 
 <p> This feature is available in Postfix 3.3 and later. </p>
+
+%PARAM tlsproxy_client_CAfile $smtp_tls_CAfile
+
+<p> A file containing CA certificates of root CAs trusted to sign
+either remote TLS server certificates or intermediate CA certificates.
+See smtp_tls_CAfile for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+%PARAM tlsproxy_client_CApath $smtp_tls_CApath
+
+<p> Directory with PEM format Certification Authority certificates
+that the Postfix tlsproxy(8) client uses to verify a remote TLS
+server certificate. See smtp_tls_CApath for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+%PARAM tlsproxy_client_cert_file $smtp_tls_cert_file
+
+<p> File with the Postfix tlsproxy(8) client RSA certificate in PEM
+format. See smtp_tls_cert_file for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+%PARAM tlsproxy_client_key_file $smtp_tls_key_file
+
+<p> File with the Postfix tlsproxy(8) client RSA private key in PEM
+format. See smtp_tls_key_file for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+%PARAM tlsproxy_client_dcert_file $smtp_tls_dcert_file
+
+<p> File with the Postfix tlsproxy(8) client DSA certificate in PEM
+format. See smtp_tls_dcert_file for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+%PARAM tlsproxy_client_dkey_file $smtp_tls_dkey_file
+
+<p> File with the Postfix tlsproxy(8) client DSA private key in PEM
+format. See smtp_tls_dkey_file for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+%PARAM tlsproxy_client_eccert_file $smtp_tls_eccert_file
+
+<p> File with the Postfix tlsproxy(8) client ECDSA certificate in
+PEM format. See smtp_tls_eccert_file for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+%PARAM tlsproxy_client_eckey_file $smtp_tls_eckey_file
+
+<p> File with the Postfix tlsproxy(8) client ECDSA private key in
+PEM format. See smtp_tls_eckey_file for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+%PARAM tlsproxy_client_fingerprint_digest $smtp_tls_fingerprint_digest
+
+<p> The message digest algorithm used to construct remote TLS server
+certificate fingerprints. See smtp_tls_fingerprint_digest for
+further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+%PARAM tlsproxy_client_loglevel $smtp_tls_loglevel
+
+<p> Enable additional Postfix tlsproxy(8) client logging of TLS
+activity. See smtp_tls_loglevel for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+%PARAM tlsproxy_client_loglevel_parameter smtp_tls_loglevel
+
+<p> The name of the parameter that provides the tlsproxy_client_loglevel
+value. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+%PARAM tlsproxy_client_scert_verifydepth $smtp_tls_scert_verifydepth
+
+<p> The verification depth for remote TLS server certificates.
+See smtp_tls_scert_verifydepth for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+%PARAM tlsproxy_client_security_level $smtp_tls_security_level
+
+<p> The default TLS security level for the Postfix tlsproxy(8)
+client. See smtp_tls_security_level for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+%PARAM tlsproxy_client_per_site $smtp_tls_per_site
+
+<p> Optional lookup tables with the Postfix tlsproxy(8) client TLS
+usage policy by next-hop destination and by remote TLS server
+hostname.  See smtp_tls_per_site for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+%PARAM tlsproxy_client_policy_maps $smtp_tls_policy_maps
+
+<p> Optional lookup tables with the Postfix tlsproxy(8) client TLS
+security policy by next-hop destination. See smtp_tls_policy_maps
+for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+%PARAM tlsproxy_client_use_tls $smtp_use_tls
+
+<p> Opportunistic mode: use TLS when a remote server announces TLS
+support. See smtp_use_tls for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+%PARAM tlsproxy_client_enforce_tls $smtp_enforce_tls
+
+<p> Enforcement mode: require that SMTP servers use TLS encryption.
+See smtp_enforce_tls for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>

postfix/src/global/mail_params.h

@@ -3931,6 +3931,77 @@ extern bool var_tlsp_tls_received_header;
 #define DEF_TLSP_TLS_SET_SESSID	"$" VAR_SMTPD_TLS_SET_SESSID
 extern bool var_tlsp_tls_set_sessid;
 
+ /*
+  * Workaround for tlsproxy(8) pre-jail client certs/keys access.
+  */
+#define VAR_TLSP_CLNT_LOGLEVEL		"tlsproxy_client_loglevel"
+#define DEF_TLSP_CLNT_LOGLEVEL		"$" VAR_SMTP_TLS_LOGLEVEL
+extern char *var_tlsp_clnt_loglevel;
+
+#define VAR_TLSP_CLNT_LOGPARAM		"tlsproxy_client_loglevel_parameter"
+#define DEF_TLSP_CLNT_LOGPARAM		VAR_SMTP_TLS_LOGLEVEL
+extern char *var_tlsp_clnt_logparam;
+
+#define VAR_TLSP_CLNT_SCERT_VD		"tlsproxy_client_scert_verifydepth"
+#define DEF_TLSP_CLNT_SCERT_VD		"$" VAR_SMTP_TLS_SCERT_VD
+extern int var_tlsp_clnt_scert_vd;
+
+#define VAR_TLSP_CLNT_CERT_FILE		"tlsproxy_client_cert_file"
+#define DEF_TLSP_CLNT_CERT_FILE		"$" VAR_SMTP_TLS_CERT_FILE
+extern char *var_tlsp_clnt_cert_file;
+
+#define VAR_TLSP_CLNT_KEY_FILE		"tlsproxy_client_key_file"
+#define DEF_TLSP_CLNT_KEY_FILE		"$" VAR_SMTP_TLS_KEY_FILE
+extern char *var_tlsp_clnt_key_file;
+
+#define VAR_TLSP_CLNT_DCERT_FILE	"tlsproxy_client_dcert_file"
+#define DEF_TLSP_CLNT_DCERT_FILE	"$" VAR_SMTP_TLS_DCERT_FILE
+extern char *var_tlsp_clnt_dcert_file;
+
+#define VAR_TLSP_CLNT_DKEY_FILE		"tlsproxy_client_dkey_file"
+#define DEF_TLSP_CLNT_DKEY_FILE		"$" VAR_SMTP_TLS_DKEY_FILE
+extern char *var_tlsp_clnt_dkey_file;
+
+#define VAR_TLSP_CLNT_ECCERT_FILE	"tlsproxy_client_eccert_file"
+#define DEF_TLSP_CLNT_ECCERT_FILE	"$" VAR_SMTP_TLS_ECCERT_FILE
+extern char *var_tlsp_clnt_eccert_file;
+
+#define VAR_TLSP_CLNT_ECKEY_FILE	"tlsproxy_client_eckey_file"
+#define DEF_TLSP_CLNT_ECKEY_FILE	"$" VAR_SMTP_TLS_ECKEY_FILE
+extern char *var_tlsp_clnt_eckey_file;
+
+#define VAR_TLSP_CLNT_CAFILE		"tlsproxy_client_CAfile"
+#define DEF_TLSP_CLNT_CAFILE		"$" VAR_SMTP_TLS_CA_FILE
+extern char *var_tlsp_clnt_CAfile;
+
+#define VAR_TLSP_CLNT_CAPATH		"tlsproxy_client_CApath"
+#define DEF_TLSP_CLNT_CAPATH		"$" VAR_SMTP_TLS_CA_PATH
+extern char *var_tlsp_clnt_CApath;
+
+#define VAR_TLSP_CLNT_FPT_DGST		"tlsproxy_client_fingerprint_digest"
+#define DEF_TLSP_CLNT_FPT_DGST		"$" VAR_SMTP_TLS_FPT_DGST
+extern char *var_tlsp_clnt_fpt_dgst;
+
+#define VAR_TLSP_CLNT_USE_TLS		"tlsproxy_client_use_tls"
+#define DEF_TLSP_CLNT_USE_TLS		"$" VAR_SMTP_USE_TLS
+bool var_tlsp_clnt_use_tls;
+
+#define VAR_TLSP_CLNT_ENFORCE_TLS	"tlsproxy_client_enforce_tls"
+#define DEF_TLSP_CLNT_ENFORCE_TLS	"$" VAR_SMTP_ENFORCE_TLS
+bool var_tlsp_clnt_enforce_tls;
+
+#define VAR_TLSP_CLNT_LEVEL		"tlsproxy_client_level"
+#define DEF_TLSP_CLNT_LEVEL		"$" VAR_SMTP_TLS_LEVEL
+char *var_tlsp_clnt_level;
+
+#define VAR_TLSP_CLNT_PER_SITE		"tlsproxy_client_per_site"
+#define DEF_TLSP_CLNT_PER_SITE		"$" VAR_SMTP_TLS_PER_SITE
+char *var_tlsp_clnt_per_site;
+
+#define VAR_TLSP_CLNT_POLICY		"tlsproxy_client_policy"
+#define DEF_TLSP_CLNT_POLICY		"$" VAR_SMTP_TLS_POLICY
+char *var_tlsp_clnt_policy;
+
  /*
   * SMTPD "reject" contact info.
   */

postfix/src/global/mail_version.h

@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20181119"
+#define MAIL_RELEASE_DATE	"20181122"
 #define MAIL_VERSION_NUMBER	"3.4"
 
 #ifdef SNAPSHOT

postfix/src/smtp/smtp_key.c

@@ -51,13 +51,14 @@
 /*	The envelope sender address. This is a proxy for sender-dependent
 /*	context, such as per-sender SASL authentication.
 /* .IP SMTP_KEY_FLAG_REQ_NEXTHOP
-/*	The delivery request nexthop destination. This is a proxy
-/*	for destination-dependent, but host-independent context.
+/*	The delivery request nexthop destination, including optional
+/*	[] and :port (the same form that users specify in a SASL
+/*	password or TLS policy lookup table). This is a proxy for
+/*	destination-dependent, but host-independent context.
 /* .IP SMTP_KEY_FLAG_CUR_NEXTHOP
 /*	The current iterator's nexthop destination (delivery request
 /*	nexthop or fallback nexthop, including optional [] and
-/*	:port). This is the form that users specify in a SASL or
-/*	TLS lookup tables.
+/*	:port).
 /* .IP SMTP_KEY_FLAG_HOSTNAME
 /*	The current iterator's remote hostname.
 /* .IP SMTP_KEY_FLAG_ADDR

postfix/src/tls/tls.h

@@ -525,12 +525,17 @@ extern TLS_SESS_STATE *tls_client_post_connect(TLS_SESS_STATE *,
 #define tls_client_stop(ctx, stream, timeout, failure, TLScontext) \
 	tls_session_stop(ctx, (stream), (timeout), (failure), (TLScontext))
 
-#define TLS_CLIENT_INIT(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
+#define TLS_CLIENT_INIT_ARGS(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
     a10, a11, a12, a13) \
-    tls_client_init((((props)->a1), ((props)->a2), ((props)->a3), \
+    (((props)->a1), ((props)->a2), ((props)->a3), \
     ((props)->a4), ((props)->a5), ((props)->a6), ((props)->a7), \
     ((props)->a8), ((props)->a9), ((props)->a10), ((props)->a11), \
-    ((props)->a12), ((props)->a13), (props)))
+    ((props)->a12), ((props)->a13), (props))
+
+#define TLS_CLIENT_INIT(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
+    a10, a11, a12, a13) \
+    tls_client_init(TLS_CLIENT_INIT_ARGS(props, a1, a2, a3, a4, a5, \
+    a6, a7, a8, a9, a10, a11, a12, a13))
 
 #define TLS_CLIENT_START(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
     a10, a11, a12, a13, a14, a15, a16) \

postfix/src/tlsproxy/tlsproxy.c

@@ -137,6 +137,65 @@
 /*	Available in Postfix version 2.11 and later:
 /* .IP "\fBtlsmgr_service_name (tlsmgr)\fR"
 /*	The name of the \fBtlsmgr\fR(8) service entry in master.cf.
+/* TLS CLIENT CONTROLS
+/* .ad
+/* .fi
+/*	These parameters allow \fBtlsproxy\fR(8) to load certificate
+/*	and private key information before dropping privileges, so
+/*	that the key files can be kept read-only for root.
+/* .PP
+/*	Available in Postfix version 3.4 and later:
+/* .IP "\fBtlsproxy_client_CAfile ($smtp_tls_CAfile)\fR"
+/*	A file containing CA certificates of root CAs trusted to sign
+/*	either remote TLS server certificates or intermediate CA certificates.
+/* .IP "\fBtlsproxy_client_CApath ($smtp_tls_CApath)\fR"
+/*	Directory with PEM format Certification Authority certificates
+/*	that the Postfix \fBtlsproxy\fR(8) client uses to verify a remote TLS
+/*	server certificate.
+/* .IP "\fBtlsproxy_client_cert_file ($smtp_tls_cert_file)\fR"
+/*	File with the Postfix \fBtlsproxy\fR(8) client RSA certificate in PEM
+/*	format.
+/* .IP "\fBtlsproxy_client_key_file ($smtp_tls_key_file)\fR"
+/*	File with the Postfix \fBtlsproxy\fR(8) client RSA private key in PEM
+/*	format.
+/* .IP "\fBtlsproxy_client_dcert_file ($smtp_tls_dcert_file)\fR"
+/*	File with the Postfix \fBtlsproxy\fR(8) client DSA certificate in PEM
+/*	format.
+/* .IP "\fBtlsproxy_client_dkey_file ($smtp_tls_dkey_file)\fR"
+/*	File with the Postfix \fBtlsproxy\fR(8) client DSA private key in PEM
+/*	format.
+/* .IP "\fBtlsproxy_client_eccert_file ($smtp_tls_eccert_file)\fR"
+/*	File with the Postfix \fBtlsproxy\fR(8) client ECDSA certificate in
+/*	PEM format.
+/* .IP "\fBtlsproxy_client_eckey_file ($smtp_tls_eckey_file)\fR"
+/*	File with the Postfix \fBtlsproxy\fR(8) client ECDSA private key in
+/*	PEM format.
+/* .IP "\fBtlsproxy_client_fingerprint_digest ($smtp_tls_fingerprint_digest)\fR"
+/*	The message digest algorithm used to construct remote TLS server
+/*	certificate fingerprints.
+/* .IP "\fBtlsproxy_client_loglevel ($smtp_tls_loglevel)\fR"
+/*	Enable additional Postfix \fBtlsproxy\fR(8) client logging of TLS
+/*	activity.
+/* .IP "\fBtlsproxy_client_loglevel_parameter (smtp_tls_loglevel)\fR"
+/*	The name of the parameter that provides the tlsproxy_client_loglevel
+/*	value.
+/* .IP "\fBtlsproxy_client_scert_verifydepth ($smtp_tls_scert_verifydepth)\fR"
+/*	The verification depth for remote TLS server certificates.
+/* .IP "\fBtlsproxy_client_security_level ($smtp_tls_security_level)\fR"
+/*	The default TLS security level for the Postfix \fBtlsproxy\fR(8)
+/*	client.
+/* .IP "\fBtlsproxy_client_policy_maps ($smtp_tls_policy_maps)\fR"
+/*	Optional lookup tables with the Postfix \fBtlsproxy\fR(8) client TLS
+/*	security policy by next-hop destination.
+/* .IP "\fBtlsproxy_client_use_tls ($smtp_use_tls)\fR"
+/*	Opportunistic mode: use TLS when a remote server announces TLS
+/*	support.
+/* .IP "\fBtlsproxy_client_enforce_tls ($smtp_enforce_tls)\fR"
+/*	Enforcement mode: require that SMTP servers use TLS encryption.
+/* .IP "\fBtlsproxy_client_per_site ($smtp_tls_per_site)\fR"
+/*	Optional lookup tables with the Postfix \fBtlsproxy\fR(8) client TLS
+/*	usage policy by next-hop destination and by remote TLS server
+/*	hostname.
 /* OBSOLETE STARTTLS SUPPORT CONTROLS
 /* .ad
 /* .fi
@@ -304,10 +363,50 @@ char   *var_tlsp_tls_level;
 
 int     var_tlsp_watchdog;
 
+ /*
+  * Defaults for tlsp_clnt_*.
+  */
+char   *var_smtp_tls_loglevel;
+int     var_smtp_tls_scert_vd;
+char   *var_smtp_tls_cert_file;
+char   *var_smtp_tls_key_file;
+char   *var_smtp_tls_dcert_file;
+char   *var_smtp_tls_dkey_file;
+char   *var_smtp_tls_eccert_file;
+char   *var_smtp_tls_eckey_file;
+char   *var_smtp_tls_CAfile;
+char   *var_smtp_tls_CApath;
+char   *var_smtp_tls_fpt_dgst;
+char   *var_smtp_tls_level;
+bool    var_smtp_use_tls;
+bool    var_smtp_enforce_tls;
+char   *var_smtp_tls_per_site;
+char   *var_smtp_tls_policy;
+
+char   *var_tlsp_clnt_loglevel;
+char   *var_tlsp_clnt_logparam;
+int     var_tlsp_clnt_scert_vd;
+char   *var_tlsp_clnt_cert_file;
+char   *var_tlsp_clnt_key_file;
+char   *var_tlsp_clnt_dcert_file;
+char   *var_tlsp_clnt_dkey_file;
+char   *var_tlsp_clnt_eccert_file;
+char   *var_tlsp_clnt_eckey_file;
+char   *var_tlsp_clnt_CAfile;
+char   *var_tlsp_clnt_CApath;
+char   *var_tlsp_clnt_fpt_dgst;
+char   *var_tlsp_clnt_level;
+bool    var_tlsp_clnt_use_tls;
+bool    var_tlsp_clnt_enforce_tls;
+char   *var_tlsp_clnt_per_site;
+char   *var_tlsp_clnt_policy;
+
  /*
   * TLS per-process status.
   */
 static TLS_APPL_STATE *tlsp_server_ctx;
+static TLS_APPL_STATE *tlsp_client_ctx;
+static bool tlsp_pre_jail_done;
 static int ask_client_cert;
 
  /*
@@ -905,14 +1004,19 @@ static void tlsp_get_fd_event(int event, void *context)
 }
 
  /*
-  * This function does not destroy TLSP_STATE in case of error, because that
-  * would complicate the caller.
+  * Macro for readability.
   */
+#define TLSP_CLIENT_INIT(ctx, props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
+    a10, a11, a12, a13) \
+    tlsp_client_init((ctx), TLS_CLIENT_INIT_ARGS((props), a1, a2, a3, a4, \
+    a5, a6, a7, a8, a9, a10, a11, a12, a13))
 
-/* tlsp_client_init_no_tlsp_state_free - initialize a TLS client engine */
+/* tlsp_client_init - initialize a TLS client engine */
 
-static int tlsp_client_init_no_tlsp_state_free(TLSP_STATE *state)
+static int tlsp_client_init(TLS_APPL_STATE **client_appl_state,
+			            TLS_CLIENT_INIT_PROPS *init_props)
 {
+    TLS_APPL_STATE *appl_state;
     VSTRING *buf;
     char   *key;
 
@@ -922,13 +1026,38 @@ static int tlsp_client_init_no_tlsp_state_free(TLSP_STATE *state)
      * expensive.
      */
     buf = vstring_alloc(100);
-    key = tls_proxy_client_init_to_string(buf, state->client_init_props);
-    if ((state->appl_state = (TLS_APPL_STATE *)
+    key = tls_proxy_client_init_to_string(buf, init_props);
+    if ((appl_state = (TLS_APPL_STATE *)
 	 htable_find(tlsp_client_app_cache, key)) == 0
-	&& (state->appl_state =
-	    tls_client_init(state->client_init_props)) != 0) {
-	(void) htable_enter(tlsp_client_app_cache, key,
-			    (void *) state->appl_state);
+	&& (appl_state = tls_client_init(init_props)) != 0) {
+	(void) htable_enter(tlsp_client_app_cache, key, (void *) appl_state);
+
+	/*
+	 * Log a warning if these client settings differ from the
+	 * tlsproxy_client_* settings AND the settings specify file or
+	 * directory arguments. Those are problematic after chroot (pathname
+	 * resolution) and dropping permission (key files must be root
+	 * read-only). We can eliminate this by adding code that opens a
+	 * cert/key lookup table at pre-jail time and by reading cert/key
+	 * info on-the-fly from that table.
+	 */
+#define NOT_NULL_NOT_EMPTY(x) ((x) && *(x))
+
+	if (tlsp_pre_jail_done && appl_state && appl_state != tlsp_client_ctx
+	    && (NOT_NULL_NOT_EMPTY(init_props->cert_file)
+		|| NOT_NULL_NOT_EMPTY(init_props->key_file)
+		|| NOT_NULL_NOT_EMPTY(init_props->dcert_file)
+		|| NOT_NULL_NOT_EMPTY(init_props->dkey_file)
+		|| NOT_NULL_NOT_EMPTY(init_props->eccert_file)
+		|| NOT_NULL_NOT_EMPTY(init_props->eckey_file)
+		|| NOT_NULL_NOT_EMPTY(init_props->CAfile)
+		|| NOT_NULL_NOT_EMPTY(init_props->CApath))) {
+	    msg_warn("client request differs from tlsproxy_client_* settings");
+	    msg_warn("to avoid this warning, 1) configure a custom tlsproxy");
+	    msg_warn("service and 2) configure an smtp client with a");
+	    msg_warn("tlsproxy_service setting that resolves to the custom");
+	    msg_warn("tlsproxy service");
+	}
 
 	/*
 	 * To maintain sanity, allow partial SSL_write() operations, and
@@ -937,13 +1066,14 @@ static int tlsp_client_init_no_tlsp_state_free(TLSP_STATE *state)
 	 * a mailing list, but is not supported by documentation. If this
 	 * code stops working then no-one can be held responsible.
 	 */
-	if (state->appl_state)
-	    SSL_CTX_set_mode(state->appl_state->ssl_ctx,
+	if (appl_state)
+	    SSL_CTX_set_mode(appl_state->ssl_ctx,
 			     SSL_MODE_ENABLE_PARTIAL_WRITE
 			     | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
     }
+    *client_appl_state = appl_state;
     vstring_free(buf);
-    return (state->appl_state != 0);
+    return (appl_state != 0);
 }
 
 /* tlsp_close_event - pre-handshake plaintext-client close event */
@@ -1039,7 +1169,7 @@ static void tlsp_get_request_event(int event, void *context)
 	    tlsp_state_free(state);
 	    return;
 	}
-	ready = tlsp_client_init_no_tlsp_state_free(state);
+	ready = tlsp_client_init(&state->appl_state, state->client_init_props);
 	break;
     case TLS_PROXY_FLAG_ROLE_SERVER:
 	state->is_server_role = 1;
@@ -1117,6 +1247,7 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
     int     have_server_cert;
     int     no_server_cert_ok;
     int     require_server_cert;
+    int     clnt_use_tls;
 
     /*
      * The code in this routine is pasted literally from smtpd(8). I am not
@@ -1224,13 +1355,110 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
 	SSL_CTX_set_mode(tlsp_server_ctx->ssl_ctx,
 			 SSL_MODE_ENABLE_PARTIAL_WRITE
 			 | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
-}
 
-/* post_jail_init - post-jail initialization */
-
-static void post_jail_init(char *unused_name, char **unused_argv)
-{
+    /*
+     * The cache with TLS_APPL_STATE instances for different TLS_CLIENT_INIT
+     * configurations.
+     */
     tlsp_client_app_cache = htable_create(10);
+
+    /*
+     * Most sites don't use TLS client certs/keys. In that case, enabling
+     * tlsproxy-based connection caching is trivial.
+     * 
+     * But some sites do use TLS client certs/keys, and that is challenging when
+     * tlsproxy runs in a post-jail environment: chroot breaks pathname
+     * resolution, and an unprivileged process should not be able to open
+     * files with secrets. The workaround: assume that most of those sites
+     * will use a fixed TLS client identity. In that case, tlsproxy can load
+     * the corresponding certs/keys at pre-jail time, so that secrets can
+     * remain read-only for root. As long as the tlsproxy pre-jail TLS client
+     * configuration with cert or key pathnames is the same as the one used
+     * in the Postfix SMTP client, sites can selectively or globally enable
+     * tlsproxy-based connection caching without additional TLS
+     * configuration.
+     * 
+     * Loading one TLS client configuration at pre-jail time is not sufficient
+     * for the minority of sites that want to use TLS connection caching with
+     * multiple TLS client identities. To alert the operator, tlsproxy will
+     * log a warning when a TLS_CLIENT_INIT message specifies a different
+     * configuration with cert or key pathnames. The workaround is to have
+     * one tlsproxy process per TLS client identity.
+     * 
+     * The general solution for single-identity or multi-identity clients is to
+     * stop loading certs and keys from individual files. Instead, have a
+     * cert/key map, indexed by client identity, read-only by root. After
+     * opening the map at pre-jail time, tlsproxy can read certs/keys
+     * on-the-fly at post-jail time. This is the approach that was already
+     * proposed for server-side SNI support, and it could be reused here. It
+     * would also end the proliferation of RSA cert/key parameters, DSA
+     * cert/key parameters, EC cert/key parameters, and so on.
+     * 
+     * Horror: In order to create the same pre-jail TLS client context as the
+     * one used in the Postfix SMTP client, we have to duplicate intricate
+     * SMTP client code, including a handful configuration parameters that
+     * tlsproxy does not need. We must duplicate the logic, so that we only
+     * load certs and keys when the SMTP client would load them.
+     */
+    if (*var_tlsp_clnt_level != 0)
+	switch (tls_level_lookup(var_tlsp_clnt_level)) {
+	case TLS_LEV_SECURE:
+	case TLS_LEV_VERIFY:
+	case TLS_LEV_DANE_ONLY:
+	case TLS_LEV_FPRINT:
+	case TLS_LEV_ENCRYPT:
+	    var_tlsp_clnt_use_tls = var_tlsp_clnt_enforce_tls = 1;
+	    break;
+	case TLS_LEV_DANE:
+	case TLS_LEV_MAY:
+	    var_tlsp_clnt_use_tls = 1;
+	    var_tlsp_clnt_enforce_tls = 0;
+	    break;
+	case TLS_LEV_NONE:
+	    var_tlsp_clnt_use_tls = var_tlsp_clnt_enforce_tls = 0;
+	    break;
+	default:
+	    /* tls_level_lookup() logs no warning. */
+	    /* session_tls_init() assumes that var_tlsp_clnt_level is sane. */
+	    msg_fatal("Invalid TLS level \"%s\"", var_tlsp_clnt_level);
+	}
+    clnt_use_tls = (var_tlsp_clnt_use_tls || var_tlsp_clnt_enforce_tls);
+
+    /*
+     * Initialize the TLS data before entering the chroot jail.
+     */
+    if (clnt_use_tls || var_tlsp_clnt_per_site[0] || var_tlsp_clnt_policy[0]) {
+	TLS_CLIENT_INIT_PROPS props;
+
+	/*
+	 * We get stronger type safety and a cleaner interface by combining
+	 * the various parameters into a single tls_client_props structure.
+	 * 
+	 * Large parameter lists are error-prone, so we emulate a language
+	 * feature that C does not have natively: named parameter lists.
+	 */
+	if (TLSP_CLIENT_INIT(&tlsp_client_ctx, &props,
+			     log_param = var_tlsp_clnt_logparam,
+			     log_level = var_tlsp_clnt_loglevel,
+			     verifydepth = var_tlsp_clnt_scert_vd,
+			     cache_type = TLS_MGR_SCACHE_SMTP,
+			     cert_file = var_tlsp_clnt_cert_file,
+			     key_file = var_tlsp_clnt_key_file,
+			     dcert_file = var_tlsp_clnt_dcert_file,
+			     dkey_file = var_tlsp_clnt_dkey_file,
+			     eccert_file = var_tlsp_clnt_eccert_file,
+			     eckey_file = var_tlsp_clnt_eckey_file,
+			     CAfile = var_tlsp_clnt_CAfile,
+			     CApath = var_tlsp_clnt_CApath,
+			     mdalg = var_tlsp_clnt_fpt_dgst) == 0)
+	    msg_warn("TLS client initialization failed");
+    }
+
+    /*
+     * tlsp_client_init() needs to know if it is called pre-jail or
+     * post-jail.
+     */
+    tlsp_pre_jail_done = 1;
 }
 
 MAIL_VERSION_STAMP_DECLARE;
@@ -1239,24 +1467,38 @@ MAIL_VERSION_STAMP_DECLARE;
 
 int     main(int argc, char **argv)
 {
-    static const CONFIG_INT_TABLE int_table[] = {
+
+    /*
+     * Each table below initializes the named variables to their implicit
+     * default value, or to the explicit value in main.cf or master.cf. Here,
+     * "compat" means that a table initializes a variable "smtpd_blah" or
+     * "smtp_blah" that provides the implicit default value for variable
+     * "tlsproxy_blah". To make this work, the variables in a "compat" table
+     * must be initialized before the variables in the corresponding
+     * non-compat table.
+     */
+    static const CONFIG_INT_TABLE compat_int_table[] = {
 	VAR_SMTPD_TLS_CCERT_VD, DEF_SMTPD_TLS_CCERT_VD, &var_smtpd_tls_ccert_vd, 0, 0,
+	VAR_SMTP_TLS_SCERT_VD, DEF_SMTP_TLS_SCERT_VD, &var_smtp_tls_scert_vd, 0, 0,
 	0,
     };
     static const CONFIG_NINT_TABLE nint_table[] = {
 	VAR_TLSP_TLS_CCERT_VD, DEF_TLSP_TLS_CCERT_VD, &var_tlsp_tls_ccert_vd, 0, 0,
+	VAR_TLSP_CLNT_SCERT_VD, DEF_TLSP_CLNT_SCERT_VD, &var_tlsp_clnt_scert_vd, 0, 0,
 	0,
     };
     static const CONFIG_TIME_TABLE time_table[] = {
 	VAR_TLSP_WATCHDOG, DEF_TLSP_WATCHDOG, &var_tlsp_watchdog, 10, 0,
 	0,
     };
-    static const CONFIG_BOOL_TABLE bool_table[] = {
+    static const CONFIG_BOOL_TABLE compat_bool_table[] = {
 	VAR_SMTPD_USE_TLS, DEF_SMTPD_USE_TLS, &var_smtpd_use_tls,
 	VAR_SMTPD_ENFORCE_TLS, DEF_SMTPD_ENFORCE_TLS, &var_smtpd_enforce_tls,
 	VAR_SMTPD_TLS_ACERT, DEF_SMTPD_TLS_ACERT, &var_smtpd_tls_ask_ccert,
 	VAR_SMTPD_TLS_RCERT, DEF_SMTPD_TLS_RCERT, &var_smtpd_tls_req_ccert,
 	VAR_SMTPD_TLS_SET_SESSID, DEF_SMTPD_TLS_SET_SESSID, &var_smtpd_tls_set_sessid,
+	VAR_SMTP_USE_TLS, DEF_SMTP_USE_TLS, &var_smtp_use_tls,
+	VAR_SMTP_ENFORCE_TLS, DEF_SMTP_ENFORCE_TLS, &var_smtp_enforce_tls,
 	0,
     };
     static const CONFIG_NBOOL_TABLE nbool_table[] = {
@@ -1265,9 +1507,11 @@ int     main(int argc, char **argv)
 	VAR_TLSP_TLS_ACERT, DEF_TLSP_TLS_ACERT, &var_tlsp_tls_ask_ccert,
 	VAR_TLSP_TLS_RCERT, DEF_TLSP_TLS_RCERT, &var_tlsp_tls_req_ccert,
 	VAR_TLSP_TLS_SET_SESSID, DEF_TLSP_TLS_SET_SESSID, &var_tlsp_tls_set_sessid,
+	VAR_TLSP_CLNT_USE_TLS, DEF_TLSP_CLNT_USE_TLS, &var_tlsp_clnt_use_tls,
+	VAR_TLSP_CLNT_ENFORCE_TLS, DEF_TLSP_CLNT_ENFORCE_TLS, &var_tlsp_clnt_enforce_tls,
 	0,
     };
-    static const CONFIG_STR_TABLE str_table[] = {
+    static const CONFIG_STR_TABLE compat_str_table[] = {
 	VAR_SMTPD_TLS_CERT_FILE, DEF_SMTPD_TLS_CERT_FILE, &var_smtpd_tls_cert_file, 0, 0,
 	VAR_SMTPD_TLS_KEY_FILE, DEF_SMTPD_TLS_KEY_FILE, &var_smtpd_tls_key_file, 0, 0,
 	VAR_SMTPD_TLS_DCERT_FILE, DEF_SMTPD_TLS_DCERT_FILE, &var_smtpd_tls_dcert_file, 0, 0,
@@ -1288,6 +1532,22 @@ int     main(int argc, char **argv)
 	VAR_SMTPD_TLS_FPT_DGST, DEF_SMTPD_TLS_FPT_DGST, &var_smtpd_tls_fpt_dgst, 1, 0,
 	VAR_SMTPD_TLS_LOGLEVEL, DEF_SMTPD_TLS_LOGLEVEL, &var_smtpd_tls_loglevel, 0, 0,
 	VAR_SMTPD_TLS_LEVEL, DEF_SMTPD_TLS_LEVEL, &var_smtpd_tls_level, 0, 0,
+	VAR_SMTP_TLS_CERT_FILE, DEF_SMTP_TLS_CERT_FILE, &var_smtp_tls_cert_file, 0, 0,
+	VAR_SMTP_TLS_KEY_FILE, DEF_SMTP_TLS_KEY_FILE, &var_smtp_tls_key_file, 0, 0,
+	VAR_SMTP_TLS_DCERT_FILE, DEF_SMTP_TLS_DCERT_FILE, &var_smtp_tls_dcert_file, 0, 0,
+	VAR_SMTP_TLS_DKEY_FILE, DEF_SMTP_TLS_DKEY_FILE, &var_smtp_tls_dkey_file, 0, 0,
+	VAR_SMTP_TLS_CA_FILE, DEF_SMTP_TLS_CA_FILE, &var_smtp_tls_CAfile, 0, 0,
+	VAR_SMTP_TLS_CA_PATH, DEF_SMTP_TLS_CA_PATH, &var_smtp_tls_CApath, 0, 0,
+	VAR_SMTP_TLS_FPT_DGST, DEF_SMTP_TLS_FPT_DGST, &var_smtp_tls_fpt_dgst, 1, 0,
+	VAR_SMTP_TLS_ECCERT_FILE, DEF_SMTP_TLS_ECCERT_FILE, &var_smtp_tls_eccert_file, 0, 0,
+	VAR_SMTP_TLS_ECKEY_FILE, DEF_SMTP_TLS_ECKEY_FILE, &var_smtp_tls_eckey_file, 0, 0,
+	VAR_SMTP_TLS_LOGLEVEL, DEF_SMTP_TLS_LOGLEVEL, &var_smtp_tls_loglevel, 0, 0,
+	VAR_SMTP_TLS_PER_SITE, DEF_SMTP_TLS_PER_SITE, &var_smtp_tls_per_site, 0, 0,
+	VAR_SMTP_TLS_LEVEL, DEF_SMTP_TLS_LEVEL, &var_smtp_tls_level, 0, 0,
+	VAR_SMTP_TLS_POLICY, DEF_SMTP_TLS_POLICY, &var_smtp_tls_policy, 0, 0,
+	0,
+    };
+    static const CONFIG_STR_TABLE str_table[] = {
 	VAR_TLSP_TLS_CERT_FILE, DEF_TLSP_TLS_CERT_FILE, &var_tlsp_tls_cert_file, 0, 0,
 	VAR_TLSP_TLS_KEY_FILE, DEF_TLSP_TLS_KEY_FILE, &var_tlsp_tls_key_file, 0, 0,
 	VAR_TLSP_TLS_DCERT_FILE, DEF_TLSP_TLS_DCERT_FILE, &var_tlsp_tls_dcert_file, 0, 0,
@@ -1308,6 +1568,20 @@ int     main(int argc, char **argv)
 	VAR_TLSP_TLS_FPT_DGST, DEF_TLSP_TLS_FPT_DGST, &var_tlsp_tls_fpt_dgst, 1, 0,
 	VAR_TLSP_TLS_LOGLEVEL, DEF_TLSP_TLS_LOGLEVEL, &var_tlsp_tls_loglevel, 0, 0,
 	VAR_TLSP_TLS_LEVEL, DEF_TLSP_TLS_LEVEL, &var_tlsp_tls_level, 0, 0,
+	VAR_TLSP_CLNT_LOGLEVEL, DEF_TLSP_CLNT_LOGLEVEL, &var_tlsp_clnt_loglevel, 0, 0,
+	VAR_TLSP_CLNT_LOGPARAM, DEF_TLSP_CLNT_LOGPARAM, &var_tlsp_clnt_logparam, 0, 0,
+	VAR_TLSP_CLNT_CERT_FILE, DEF_TLSP_CLNT_CERT_FILE, &var_tlsp_clnt_cert_file, 0, 0,
+	VAR_TLSP_CLNT_KEY_FILE, DEF_TLSP_CLNT_KEY_FILE, &var_tlsp_clnt_key_file, 0, 0,
+	VAR_TLSP_CLNT_DCERT_FILE, DEF_TLSP_CLNT_DCERT_FILE, &var_tlsp_clnt_dcert_file, 0, 0,
+	VAR_TLSP_CLNT_DKEY_FILE, DEF_TLSP_CLNT_DKEY_FILE, &var_tlsp_clnt_dkey_file, 0, 0,
+	VAR_TLSP_CLNT_ECCERT_FILE, DEF_TLSP_CLNT_ECCERT_FILE, &var_tlsp_clnt_eccert_file, 0, 0,
+	VAR_TLSP_CLNT_ECKEY_FILE, DEF_TLSP_CLNT_ECKEY_FILE, &var_tlsp_clnt_eckey_file, 0, 0,
+	VAR_TLSP_CLNT_CAFILE, DEF_TLSP_CLNT_CAFILE, &var_tlsp_clnt_CAfile, 0, 0,
+	VAR_TLSP_CLNT_CAPATH, DEF_TLSP_CLNT_CAPATH, &var_tlsp_clnt_CApath, 0, 0,
+	VAR_TLSP_CLNT_FPT_DGST, DEF_TLSP_CLNT_FPT_DGST, &var_tlsp_clnt_fpt_dgst, 1, 0,
+	VAR_TLSP_CLNT_LEVEL, DEF_TLSP_CLNT_LEVEL, &var_tlsp_clnt_level, 0, 0,
+	VAR_TLSP_CLNT_PER_SITE, DEF_TLSP_CLNT_PER_SITE, &var_tlsp_clnt_per_site, 0, 0,
+	VAR_TLSP_CLNT_POLICY, DEF_TLSP_CLNT_POLICY, &var_tlsp_clnt_policy, 0, 0,
 	0,
     };
 
@@ -1320,14 +1594,14 @@ int     main(int argc, char **argv)
      * Pass control to the event-driven service skeleton.
      */
     event_server_main(argc, argv, tlsp_service,
-		      CA_MAIL_SERVER_INT_TABLE(int_table),
+		      CA_MAIL_SERVER_INT_TABLE(compat_int_table),
 		      CA_MAIL_SERVER_NINT_TABLE(nint_table),
+		      CA_MAIL_SERVER_STR_TABLE(compat_str_table),
 		      CA_MAIL_SERVER_STR_TABLE(str_table),
-		      CA_MAIL_SERVER_BOOL_TABLE(bool_table),
+		      CA_MAIL_SERVER_BOOL_TABLE(compat_bool_table),
 		      CA_MAIL_SERVER_NBOOL_TABLE(nbool_table),
 		      CA_MAIL_SERVER_TIME_TABLE(time_table),
 		      CA_MAIL_SERVER_PRE_INIT(pre_jail_init),
-		      CA_MAIL_SERVER_POST_INIT(post_jail_init),
 		      CA_MAIL_SERVER_SLOW_EXIT(tlsp_drain),
 		      CA_MAIL_SERVER_RETIRE_ME,
 		      CA_MAIL_SERVER_WATCHDOG(&var_tlsp_watchdog),