20250906
- Bugfix: with "smtp_tls_enforce_sts_mx_patterns = yes" (the
- default) transform the TLS policy from an STS policy plugin
- as follows: connect to an MX host only if its name matches
- an STS policy MX host pattern, and match the server
- certificate against the MX hostname. Files: mantools/postlink,
- proto/postconf.proto, global/mail_params.h, smtp/lmtp_params.c,
- smtp/smtp.c, smtp/smtp.h, smtp/smtp_connect.c, smtp/smtp_params.c,
+ Workaround for an interface mis-match between the Postfix
+ SMTP client and MTA-STS policy plugins. This introduces a
+ new parameter "smtp_tls_enforce_sts_mx_patterns" (default:
+ "yes"). The MTA-STS plugin configuration needs to enable
+ TLSRPT support, so that it forwards STS policy attributes
+ to Postfix. This works even if Postfix TLSRPT support is
+ disabled at build time or at runtime.
+
+ With the above two configurations, the Postfix SMTP client
+ will connect to an MX host only if its name matches any STS
+ policy MX host pattern, and will match a server certificate
+ against the MX hostname. Otherwise, the old behavior stays
+ in effect: connect to any MX host listed in DNS, and match
+ a server certificate against any STS policy MX host pattern.
+ Files: mantools/postlink, proto/postconf.proto,
+ global/mail_params.h, smtp/lmtp_params.c, smtp/smtp.c,
+ smtp/smtp.h, smtp/smtp_connect.c, smtp/smtp_params.c,
smtp/smtp_tls_policy.c, smtp/smtp_tls_policy_test.c.
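Review bot: the rewritten entry gives the new parameter a default of "yes" but also states that the transformation happens only when the STS plugin is configured to forward STS policy attributes, and that otherwise "the old behavior stays in effect", so an operator cannot tell from main.cf alone which of the two modes is active. The entry, or the smtp_tls_policy.c change it lists, should say how the active mode is observable, for example a logged notice when a policy_type "sts" arrives without any mx_host_pattern attribute. Minor: "mis-match" is normally written "mismatch".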
20250911
the policies[*].policy.policy-domain value. This ignores
that TLSA policies must be reported with different policy-domain
values than STS policies. File: tls/tlsrpt_wrapper.c.
+
+20250927
+
+ Updated documentation for smtp_tls_enforce_sts_mx_patterns.
+ Files: proto/postconf.proto, smtp_tls_policy.c.
+
+20250928
+
+ Cleanup: make STS mx hostname pattern enforcement consistent
+ with the smtp_cname_overrides_servername setting. File:
+ smtp/smtp_connect.c.
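Review bot: the 20250927 entry lists "smtp_tls_policy.c" without the "smtp/" directory prefix that every other Files: list in these entries uses (compare "smtp/smtp_tls_policy.c" in the 20250906 entry); suggest "Files: proto/postconf.proto, smtp/smtp_tls_policy.c." The 20250928 entry would also benefit from one sentence saying which hostname is now used for the pattern match, since "consistent with the smtp_cname_overrides_servername setting" leaves the reader to work that out from smtp_connect.c.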
When set to "yes", report the TLSRPT status only for "new" TLS
sessions.
- Available in Postfix version 3.10.5 and later:
-
- <b><a href="postconf.5.html#smtp_tls_enforce_sts_mx_patterns">smtp_tls_enforce_sts_mx_patterns</a> (yes)</b>
- Transform the TLS policy from an STS policy plugin: connect to
- an MX host only if its name matches the STS policy MX host pat-
- tern, and match the server certificate against the MX hostname.
-
- Available in Postfix version 3.11 and later:
-
<b><a href="postconf.5.html#tls_required_enable">tls_required_enable</a> (yes)</b>
Enable support for the "TLS-Required: no" message header,
defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>.
+ Available in Postfix version 3.10.5 and later:
+
+ <b><a href="postconf.5.html#smtp_tls_enforce_sts_mx_patterns">smtp_tls_enforce_sts_mx_patterns</a> (yes)</b>
+ Transform the TLS policy from an STS policy plugin: connect to
+ an MX host only if its name matches any STS policy MX host pat-
+ tern, and match the server certificate against the MX hostname.
+
<b><a name="obsolete_starttls_controls">OBSOLETE STARTTLS CONTROLS</a></b>
The following configuration parameters exist for compatibility with
Postfix versions before 2.3. Support for these will be removed in a
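Review bot: deleting the "Available in Postfix version 3.11 and later:" heading and moving tls_required_enable above the 3.10.5 heading means these lines no longer state a release for tls_required_enable; it now falls under whatever heading precedes the smtp_tlsrpt_skip_reused_handshakes entry in the unchanged context. Confirm that heading names the release in which tls_required_enable first appeared, otherwise a reader of this section is given the wrong version.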
(default: yes)</b></DT><DD>
<p> Transform the TLS policy from an STS policy plugin: connect to
-an MX host only if its name matches the STS policy MX host pattern,
-and match the server certificate against the MX hostname. </p>
+an MX host only if its name matches any STS policy MX host pattern,
+and match the server certificate against the MX hostname. This
+setting takes effect only when an STS policy plugin has TLSRPT
+support enabled, so that it forwards STS policy attributes to
+Postfix. This works even if Postfix TLSRPT support is disabled at
+build time or at runtime. </p>
+
+<p> Without the above configuration settings for Postfix and STS
+plugins, the old behavior stays in effect: connect to any MX host
+listed in DNS, and match a server certificate against any STS policy
+MX host pattern. </p>
<p> This feature is available in Postfix ≥ 3.10.5. </p>
When set to "yes", report the TLSRPT status only for "new" TLS
sessions.
- Available in Postfix version 3.10.5 and later:
-
- <b><a href="postconf.5.html#smtp_tls_enforce_sts_mx_patterns">smtp_tls_enforce_sts_mx_patterns</a> (yes)</b>
- Transform the TLS policy from an STS policy plugin: connect to
- an MX host only if its name matches the STS policy MX host pat-
- tern, and match the server certificate against the MX hostname.
-
- Available in Postfix version 3.11 and later:
-
<b><a href="postconf.5.html#tls_required_enable">tls_required_enable</a> (yes)</b>
Enable support for the "TLS-Required: no" message header,
defined in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>.
+ Available in Postfix version 3.10.5 and later:
+
+ <b><a href="postconf.5.html#smtp_tls_enforce_sts_mx_patterns">smtp_tls_enforce_sts_mx_patterns</a> (yes)</b>
+ Transform the TLS policy from an STS policy plugin: connect to
+ an MX host only if its name matches any STS policy MX host pat-
+ tern, and match the server certificate against the MX hostname.
+
<b><a name="obsolete_starttls_controls">OBSOLETE STARTTLS CONTROLS</a></b>
The following configuration parameters exist for compatibility with
Postfix versions before 2.3. Support for these will be removed in a
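Review bot: this hunk repeats the earlier TLS_README hunk line for line, as expected for a generated copy of the same document, so the same question applies here: the "Available in Postfix version 3.11 and later:" heading is gone and tls_required_enable must now be covered by a heading in the unchanged context that names the correct release.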
Postfix 2.3 and later use smtp_tls_security_level instead.
.SH smtp_tls_enforce_sts_mx_patterns (default: yes)
Transform the TLS policy from an STS policy plugin: connect to
-an MX host only if its name matches the STS policy MX host pattern,
-and match the server certificate against the MX hostname.
+an MX host only if its name matches any STS policy MX host pattern,
+and match the server certificate against the MX hostname. This
+setting takes effect only when an STS policy plugin has TLSRPT
+support enabled, so that it forwards STS policy attributes to
+Postfix. This works even if Postfix TLSRPT support is disabled at
+build time or at runtime.
+.PP
+Without the above configuration settings for Postfix and STS
+plugins, the old behavior stays in effect: connect to any MX host
+listed in DNS, and match a server certificate against any STS policy
+MX host pattern.
.PP
This feature is available in Postfix >= 3.10.5.
.SH smtp_tls_exclude_ciphers (default: empty)
.IP "\fBsmtp_tlsrpt_skip_reused_handshakes (Postfix >= 3.11: no, Postfix 3.10: yes)\fR"
When set to "yes", report the TLSRPT status only for "new" TLS
sessions.
+.IP "\fBtls_required_enable (yes)\fR"
+Enable support for the "TLS\-Required: no" message header, defined
+in RFC 8689.
.PP
Available in Postfix version 3.10.5 and later:
.IP "\fBsmtp_tls_enforce_sts_mx_patterns (yes)\fR"
Transform the TLS policy from an STS policy plugin: connect to
-an MX host only if its name matches the STS policy MX host pattern,
+an MX host only if its name matches any STS policy MX host pattern,
and match the server certificate against the MX hostname.
-.PP
-Available in Postfix version 3.11 and later:
-.IP "\fBtls_required_enable (yes)\fR"
-Enable support for the "TLS\-Required: no" message header, defined
-in RFC 8689.
.SH "OBSOLETE STARTTLS CONTROLS"
.na
.nf
%PARAM smtp_tls_enforce_sts_mx_patterns yes
<p> Transform the TLS policy from an STS policy plugin: connect to
-an MX host only if its name matches the STS policy MX host pattern,
-and match the server certificate against the MX hostname. </p>
+an MX host only if its name matches any STS policy MX host pattern,
+and match the server certificate against the MX hostname. This
+setting takes effect only when an STS policy plugin has TLSRPT
+support enabled, so that it forwards STS policy attributes to
+Postfix. This works even if Postfix TLSRPT support is disabled at
+build time or at runtime. </p>
+
+<p> Without the above configuration settings for Postfix and STS
+plugins, the old behavior stays in effect: connect to any MX host
+listed in DNS, and match a server certificate against any STS policy
+MX host pattern. </p>
<p> This feature is available in Postfix ≥ 3.10.5. </p>
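Review bot: "Without the above configuration settings for Postfix and STS plugins" is ambiguous now that the Postfix side defaults to "yes": a reader running default settings cannot tell whether "without" applies to them. Suggest stating both conditions explicitly, e.g. "When this parameter is set to "no", or when the STS policy plugin does not forward STS policy attributes, the old behavior stays in effect: ...". This text also says the certificate is matched "against the MX hostname" while the smtp_tls_policy.c comment below says "against the server hostname"; pick one term. Since the postconf.5.html and postconf.5 hunks above carry identical text generated from this file, fixing it here covers all three.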
ossl_digest_new ossl_digest_new returns NULL after error ossl_digest_data
Richard Hansen rhansen rhansen org
long long or long integer
+ policies policy policy domain If null this defaults to the
Files Makefile in smtp smtp h smtp smtp_connect c
smtp smtp c smtp smtp h smtp smtp_connect c smtp smtp_params c
Files smtp smtp h smtp smtp_key c smtp smtp_proto c
+ global mail_params h smtp lmtp_params c smtp smtp c
+ smtp smtp h smtp smtp_connect c smtp smtp_params c
+ the policies policy policy domain value This ignores
+ TLSRPT Workaround when policies policy policy type is
REPLYCODE
PTEST
finalizer
+enf
Jiaying
PRI
YP
+Natalenko
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20250924"
+#define MAIL_RELEASE_DATE "20250928"
#define MAIL_VERSION_NUMBER "3.11"
#ifdef SNAPSHOT
/* .IP "\fBsmtp_tlsrpt_skip_reused_handshakes (Postfix >= 3.11: no, Postfix 3.10: yes)\fR"
/* When set to "yes", report the TLSRPT status only for "new" TLS
/* sessions.
+/* .IP "\fBtls_required_enable (yes)\fR"
+/* Enable support for the "TLS-Required: no" message header, defined
+/* in RFC 8689.
/* .PP
/* Available in Postfix version 3.10.5 and later:
/* .IP "\fBsmtp_tls_enforce_sts_mx_patterns (yes)\fR"
/* Transform the TLS policy from an STS policy plugin: connect to
-/* an MX host only if its name matches the STS policy MX host pattern,
+/* an MX host only if its name matches any STS policy MX host pattern,
/* and match the server certificate against the MX hostname.
-/* .PP
-/* Available in Postfix version 3.11 and later:
-/* .IP "\fBtls_required_enable (yes)\fR"
-/* Enable support for the "TLS-Required: no" message header, defined
-/* in RFC 8689.
/* OBSOLETE STARTTLS CONTROLS
/* .ad
/* .fi
/* XXX Assume there is no code at the end of this loop. */
}
/* Skip MX hosts that lack authorization. */
- if (!smtp_tls_authorize_mx_hostname(state->tls, addr->qname)) {
+ if (!smtp_tls_authorize_mx_hostname(state->tls, SMTP_HNAME(addr))) {
continue;
/* XXX Assume there is no code at the end of this loop. */
}
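Review bot: the comment "Skip MX hosts that lack authorization." should say which hostname is being authorized now that the argument changed from addr->qname to SMTP_HNAME(addr); per the 20250928 HISTORY entry this is meant to follow smtp_cname_overrides_servername, so a line such as "/* Use the same name that the server certificate is matched against. */" would make the intent visible at the call site. Also, the 20250906 entry lists smtp/smtp_tls_policy_test.c but the 20250928 entry lists only smtp/smtp_connect.c; confirm a test exercises the path where SMTP_HNAME(addr) differs from addr->qname.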
/* When any required table or DNS lookups fail, the TLS level
/* is set to TLS_LEV_INVALID, the "why" argument is updated
/* with the error reason and the result value is zero (false).
+/* When var_smtp_tls_enf_sts_mx_pat is not null, and a policy plugin
+/* specifies a policy_type "sts" plus one or more mx_host_pattern
+/* instances, transform the policy as follows: allow only MX hosts
+/* that match an mx_host_pattern instance, and match a server
+/* certificate against the server hostname.
/*
/* smtp_tls_policy_dummy() initializes a trivial, non-cached,
/* policy with TLS disabled.
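Review bot: "When var_smtp_tls_enf_sts_mx_pat is not null" reads like a pointer or string test, but the parameter it mirrors, smtp_tls_enforce_sts_mx_patterns, is documented on this page as a yes/no setting (default: yes); write "is enabled" or "is true" so the comment matches the type. The same comment says the certificate is matched "against the server hostname" while every documentation hunk on this page says "against the MX hostname"; use one term, or state here that the server hostname is the MX hostname as selected under smtp_cname_overrides_servername (the 20250928 HISTORY entry).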