Documentation: global TLS settings. Files: mantools/postlink,
smtp/smtp.c, tlsproxy/tlsproxy.c.
+
+20190211
+
+ Cleanup: removed obsolete parameters: tls_dane_digest_agility,
+ tls_dane_trust_anchor_digest_enable; removed openssl_path
+ parameter from configuration difference checks in tlsproxy.
+ Files: global/mail_params.h, tls/tls_misc.c,
+ tls/tls_proxy_client_misc.c, tls/tls_proxy_client_print.c,
+ tls/tls_proxy_client_scan.c, tls/tls_proxy.h.
+
+20190212
+
+ Cleanup: missing #ifdef USE_TLS. Files: smtp/smtp_session.c,
+ posttls-finger/posttls-finger.c.
#define DEF_TLS_SERVER_SNI_MAPS ""
extern char *var_tls_server_sni_maps;
- /*
- * Ordered list of DANE digest algorithms.
- */
-#define TLS_DANE_AGILITY_OFF "off"
-#define TLS_DANE_AGILITY_ON "on"
-#define TLS_DANE_AGILITY_MAYBE "maybe"
-#define VAR_TLS_DANE_AGILITY "tls_dane_digest_agility"
-#define DEF_TLS_DANE_AGILITY TLS_DANE_AGILITY_ON
-extern char *var_tls_dane_agility;
-
/*
* Ordered list of DANE digest algorithms.
*/
#define DEF_TLS_DANE_DIGESTS "sha512 sha256"
extern char *var_tls_dane_digests;
- /*
- * External interface for enabling trust-anchor digests, which are risky
- * when the corresponding certificate is missing from the peer chain (this
- * can't happen with the leaf certificate).
- */
-#define VAR_TLS_DANE_TAA_DGST "tls_dane_trust_anchor_digest_enable"
-#define DEF_TLS_DANE_TAA_DGST 1
-extern bool var_tls_dane_taa_dgst;
-
/*
* Sendmail-style mail filter support.
*/
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20190210"
-#define MAIL_VERSION_NUMBER "3.4.0-RC1"
+#define MAIL_RELEASE_DATE "20190212"
+#define MAIL_VERSION_NUMBER "3.4.0-RC2"
#ifdef SNAPSHOT
#define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
if (state->addr_pref < 0)
msg_fatal("bad '-a' option value: %s", state->options.addr_pref);
+#ifdef USE_TLS
if (state->tlsproxy_mode && state->reconnect)
msg_fatal("The -X and -r options are mutually exclusive");
+#endif
/*
* Select hostname lookup mechanisms.
TLS_SESS_STATE *tls_context = 0;
SMTP_TLS_POLICY *tls = iter->parent->tls;
+#define TLS_PROXY_CONTEXT_FREE() do { \
+ if (tls_context) \
+ tls_proxy_context_free(tls_context); \
+ } while (0)
+#else
+#define TLS_PROXY_CONTEXT_FREE() /* nothing */
#endif
#define SMTP_SESSION_ACTIVATE_ERR_RETURN() do { \
- if (tls_context) \
- tls_proxy_context_free(tls_context); \
+ TLS_PROXY_CONTEXT_FREE(); \
return (0); \
} while (0)
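Review bot: TLS_PROXY_CONTEXT_FREE() is a helper macro defined among a function's local declarations and is never `#undef`'d, so it stays visible for the rest of the translation unit after the `#endif`; the pre-existing SMTP_SESSION_ACTIVATE_ERR_RETURN() has the same property, and the new macro doubles it. I would add `#undef TLS_PROXY_CONTEXT_FREE` wherever SMTP_SESSION_ACTIVATE_ERR_RETURN is (or should be) undefined, and put a comment on the `#else` arm such as `/* no TLS: tls_context does not exist, nothing to free */` so the empty expansion reads as intentional rather than as a stub. The `#ifdef USE_TLS` that these arms close begins before the hunk, as does the enclosing function.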
(time_t) 0, NO_FLAGS);
session->features =
(endp_features | dest_features | SMTP_FEATURE_FROM_CACHE);
+#ifdef USE_TLS
session->tls_context = tls_context;
+#endif
CACHE_THIS_SESSION_UNTIL(expire_time);
session->reuse_count = ++reuse_count;
/* char *var_tls_eecdh_auto;
/* char *var_tls_eecdh_strong;
/* char *var_tls_eecdh_ultra;
-/* char *var_tls_dane_agility;
/* char *var_tls_dane_digests;
/* int var_tls_daemon_rand_bytes;
/* bool var_tls_append_def_CA;
-/* bool var_tls_dane_taa_dgst;
/* bool var_tls_preempt_clist;
/* bool var_tls_bc_pkey_fprint;
/* bool var_tls_multi_wildcard;
char *var_tls_eecdh_auto;
char *var_tls_eecdh_strong;
char *var_tls_eecdh_ultra;
-char *var_tls_dane_agility;
char *var_tls_dane_digests;
bool var_tls_append_def_CA;
char *var_tls_bug_tweaks;
char *var_tls_ssl_options;
bool var_tls_bc_pkey_fprint;
-bool var_tls_dane_taa_dgst;
bool var_tls_multi_wildcard;
char *var_tls_mgr_service;
char *var_tls_tkt_cipher;
void tls_param_init(void)
{
+ /* If this changes, update TLS_CLIENT_PARAMS in tls_proxy.h. */
static const CONFIG_STR_TABLE str_table[] = {
VAR_TLS_HIGH_CLIST, DEF_TLS_HIGH_CLIST, &var_tls_high_clist, 1, 0,
VAR_TLS_MEDIUM_CLIST, DEF_TLS_MEDIUM_CLIST, &var_tls_medium_clist, 1, 0,
VAR_TLS_EECDH_ULTRA, DEF_TLS_EECDH_ULTRA, &var_tls_eecdh_ultra, 1, 0,
VAR_TLS_BUG_TWEAKS, DEF_TLS_BUG_TWEAKS, &var_tls_bug_tweaks, 0, 0,
VAR_TLS_SSL_OPTIONS, DEF_TLS_SSL_OPTIONS, &var_tls_ssl_options, 0, 0,
- VAR_TLS_DANE_AGILITY, DEF_TLS_DANE_AGILITY, &var_tls_dane_agility, 1, 0,
VAR_TLS_DANE_DIGESTS, DEF_TLS_DANE_DIGESTS, &var_tls_dane_digests, 1, 0,
VAR_TLS_MGR_SERVICE, DEF_TLS_MGR_SERVICE, &var_tls_mgr_service, 1, 0,
VAR_TLS_TKT_CIPHER, DEF_TLS_TKT_CIPHER, &var_tls_tkt_cipher, 0, 0,
VAR_OPENSSL_PATH, DEF_OPENSSL_PATH, &var_openssl_path, 1, 0,
0,
};
+ /* If this changes, update TLS_CLIENT_PARAMS in tls_proxy.h. */
static const CONFIG_INT_TABLE int_table[] = {
VAR_TLS_DAEMON_RAND_BYTES, DEF_TLS_DAEMON_RAND_BYTES, &var_tls_daemon_rand_bytes, 1, 0,
0,
};
+ /* If this changes, update TLS_CLIENT_PARAMS in tls_proxy.h. */
static const CONFIG_BOOL_TABLE bool_table[] = {
VAR_TLS_APPEND_DEF_CA, DEF_TLS_APPEND_DEF_CA, &var_tls_append_def_CA,
VAR_TLS_BC_PKEY_FPRINT, DEF_TLS_BC_PKEY_FPRINT, &var_tls_bc_pkey_fprint,
- VAR_TLS_DANE_TAA_DGST, DEF_TLS_DANE_TAA_DGST, &var_tls_dane_taa_dgst,
VAR_TLS_PREEMPT_CLIST, DEF_TLS_PREEMPT_CLIST, &var_tls_preempt_clist,
VAR_TLS_MULTI_WILDCARD, DEF_TLS_MULTI_WILDCARD, &var_tls_multi_wildcard,
0,
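Review bot: The new comment above each table in tls_param_init says to update TLS_CLIENT_PARAMS whenever the table changes, but str_table still carries VAR_OPENSSL_PATH while openssl_path is deliberately dropped from TLS_CLIENT_PARAMS in this same change, so a maintainer following the comment literally would re-add it. I would make the exception explicit on the str_table comment: `/* If this changes, update TLS_CLIENT_PARAMS in tls_proxy.h (openssl_path is intentionally not part of the proxied parameters). */`. The function's body continues past the hunk.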
* In the serialization these attributes are identified by their configuration
* parameter names.
*
+ * NOTE: this does not include openssl_path.
+ *
* TODO: TLS_SERVER_PARAM structure, like TLS_CLIENT_PARAMS plus
* VAR_TLS_SERVER_SNI_MAPS.
*/
char *tls_eecdh_ultra;
char *tls_bug_tweaks;
char *tls_ssl_options;
- char *tls_dane_agility;
char *tls_dane_digests;
char *tls_mgr_service;
char *tls_tkt_cipher;
- char *openssl_path;
int tls_daemon_rand_bytes;
int tls_append_def_CA;
int tls_bc_pkey_fprint;
- int tls_dane_taa_dgst;
int tls_preempt_clist;
int tls_multi_wildcard;
} TLS_CLIENT_PARAMS;
#define TLS_PROXY_PARAMS(params, a1, a2, a3, a4, a5, a6, a7, a8, \
- a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20, a21) \
+ a9, a10, a11, a12, a13, a14, a15, a16, a17, a18) \
(((params)->a1), ((params)->a2), ((params)->a3), \
((params)->a4), ((params)->a5), ((params)->a6), ((params)->a7), \
((params)->a8), ((params)->a9), ((params)->a10), ((params)->a11), \
((params)->a12), ((params)->a13), ((params)->a14), ((params)->a15), \
- ((params)->a16), ((params)->a17), ((params)->a18), ((params)->a19), \
- ((params)->a20), ((params)->a21))
+ ((params)->a16), ((params)->a17), ((params)->a18))
/*
* tls_proxy_client_param_misc.c, tls_proxy_client_param_print.c, and
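Review bot: The arity of TLS_PROXY_PARAMS is now hand-maintained in lock step with the TLS_CLIENT_PARAMS field list, the `%s`/`%d` counts in tls_proxy_client_param_to_string(), and the `ret == 18` check in tls_proxy_client_param_scan(), yet nothing at the macro records that dependency. A one-line comment before the macro would reduce the chance of the next field addition silently missing one of them: `/* Arity must equal the TLS_CLIENT_PARAMS field count; also update the *_to_string() formats and the attribute count in tls_proxy_client_param_scan(). */`. An argument-count mismatch here is a compile error, but the format-string and scan-count mismatches are not.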
tls_eecdh_ultra = var_tls_eecdh_ultra,
tls_bug_tweaks = var_tls_bug_tweaks,
tls_ssl_options = var_tls_ssl_options,
- tls_dane_agility = var_tls_dane_agility,
tls_dane_digests = var_tls_dane_digests,
tls_mgr_service = var_tls_mgr_service,
tls_tkt_cipher = var_tls_tkt_cipher,
- openssl_path = var_openssl_path,
tls_daemon_rand_bytes = var_tls_daemon_rand_bytes,
tls_append_def_CA = var_tls_append_def_CA,
tls_bc_pkey_fprint = var_tls_bc_pkey_fprint,
- tls_dane_taa_dgst = var_tls_dane_taa_dgst,
tls_preempt_clist = var_tls_preempt_clist,
tls_multi_wildcard = var_tls_multi_wildcard);
return (params);
char *tls_proxy_client_param_to_string(VSTRING *buf, TLS_CLIENT_PARAMS *params)
{
vstring_sprintf(buf, "%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n"
- "%s\n%s\n%s\n%s\n%d\n%d\n%d\n%d\n%d\n%d\n",
+ "%s\n%s\n%d\n%d\n%d\n%d\n%d\n",
params->tls_high_clist, params->tls_medium_clist,
params->tls_low_clist, params->tls_export_clist,
params->tls_null_clist, params->tls_eecdh_auto,
params->tls_eecdh_strong, params->tls_eecdh_ultra,
params->tls_bug_tweaks, params->tls_ssl_options,
- params->tls_dane_agility, params->tls_dane_digests,
- params->tls_mgr_service, params->tls_tkt_cipher,
- params->openssl_path, params->tls_daemon_rand_bytes,
+ params->tls_dane_digests, params->tls_mgr_service,
+ params->tls_tkt_cipher, params->tls_daemon_rand_bytes,
params->tls_append_def_CA, params->tls_bc_pkey_fprint,
- params->tls_dane_taa_dgst, params->tls_preempt_clist,
- params->tls_multi_wildcard);
+ params->tls_preempt_clist, params->tls_multi_wildcard);
return (vstring_str(buf));
}
{
vstring_sprintf(buf, "%s = %s\n%s = %s\n%s = %s\n%s = %s\n%s = %s\n"
"%s = %s\n%s = %s\n%s = %s\n%s = %s\n%s = %s\n%s = %s\n"
- "%s = %s\n%s = %s\n%s = %s\n%s = %s\n%s = %d\n%s = %d\n"
+ "%s = %s\n%s = %s\n%s = %d\n"
"%s = %d\n%s = %d\n%s = %d\n%s = %d\n",
VAR_TLS_HIGH_CLIST, params->tls_high_clist,
VAR_TLS_MEDIUM_CLIST, params->tls_medium_clist,
VAR_TLS_EECDH_ULTRA, params->tls_eecdh_ultra,
VAR_TLS_BUG_TWEAKS, params->tls_bug_tweaks,
VAR_TLS_SSL_OPTIONS, params->tls_ssl_options,
- VAR_TLS_DANE_AGILITY, params->tls_dane_agility,
VAR_TLS_DANE_DIGESTS, params->tls_dane_digests,
VAR_TLS_MGR_SERVICE, params->tls_mgr_service,
VAR_TLS_TKT_CIPHER, params->tls_tkt_cipher,
- VAR_OPENSSL_PATH, params->openssl_path,
VAR_TLS_DAEMON_RAND_BYTES, params->tls_daemon_rand_bytes,
VAR_TLS_APPEND_DEF_CA, params->tls_append_def_CA,
VAR_TLS_BC_PKEY_FPRINT, params->tls_bc_pkey_fprint,
- VAR_TLS_DANE_TAA_DGST, params->tls_dane_taa_dgst,
VAR_TLS_PREEMPT_CLIST, params->tls_preempt_clist,
VAR_TLS_MULTI_WILDCARD, params->tls_multi_wildcard);
return (vstring_str(buf));
SEND_ATTR_STR(VAR_TLS_BUG_TWEAKS, params->tls_bug_tweaks),
SEND_ATTR_STR(VAR_TLS_SSL_OPTIONS,
params->tls_ssl_options),
- SEND_ATTR_STR(VAR_TLS_DANE_AGILITY,
- params->tls_dane_agility),
SEND_ATTR_STR(VAR_TLS_DANE_DIGESTS,
params->tls_dane_digests),
SEND_ATTR_STR(VAR_TLS_MGR_SERVICE,
params->tls_mgr_service),
SEND_ATTR_STR(VAR_TLS_TKT_CIPHER, params->tls_tkt_cipher),
- SEND_ATTR_STR(VAR_OPENSSL_PATH, params->openssl_path),
SEND_ATTR_INT(VAR_TLS_DAEMON_RAND_BYTES,
params->tls_daemon_rand_bytes),
SEND_ATTR_INT(VAR_TLS_APPEND_DEF_CA,
params->tls_append_def_CA),
SEND_ATTR_INT(VAR_TLS_BC_PKEY_FPRINT,
params->tls_bc_pkey_fprint),
- SEND_ATTR_INT(VAR_TLS_DANE_TAA_DGST,
- params->tls_dane_taa_dgst),
SEND_ATTR_INT(VAR_TLS_PREEMPT_CLIST,
params->tls_preempt_clist),
SEND_ATTR_INT(VAR_TLS_MULTI_WILDCARD,
myfree(params->tls_eecdh_ultra);
myfree(params->tls_bug_tweaks);
myfree(params->tls_ssl_options);
- myfree(params->tls_dane_agility);
myfree(params->tls_dane_digests);
myfree(params->tls_mgr_service);
myfree(params->tls_tkt_cipher);
- myfree(params->openssl_path);
myfree((void *) params);
}
VSTRING *tls_eecdh_ultra = vstring_alloc(25);
VSTRING *tls_bug_tweaks = vstring_alloc(25);
VSTRING *tls_ssl_options = vstring_alloc(25);
- VSTRING *tls_dane_agility = vstring_alloc(25);
VSTRING *tls_dane_digests = vstring_alloc(25);
VSTRING *tls_mgr_service = vstring_alloc(25);
VSTRING *tls_tkt_cipher = vstring_alloc(25);
- VSTRING *openssl_path = vstring_alloc(25);
if (msg_verbose)
msg_info("begin tls_proxy_client_param_scan");
RECV_ATTR_STR(VAR_TLS_EECDH_ULTRA, tls_eecdh_ultra),
RECV_ATTR_STR(VAR_TLS_BUG_TWEAKS, tls_bug_tweaks),
RECV_ATTR_STR(VAR_TLS_SSL_OPTIONS, tls_ssl_options),
- RECV_ATTR_STR(VAR_TLS_DANE_AGILITY, tls_dane_agility),
RECV_ATTR_STR(VAR_TLS_DANE_DIGESTS, tls_dane_digests),
RECV_ATTR_STR(VAR_TLS_MGR_SERVICE, tls_mgr_service),
RECV_ATTR_STR(VAR_TLS_TKT_CIPHER, tls_tkt_cipher),
- RECV_ATTR_STR(VAR_OPENSSL_PATH, openssl_path),
RECV_ATTR_INT(VAR_TLS_DAEMON_RAND_BYTES,
¶ms->tls_daemon_rand_bytes),
RECV_ATTR_INT(VAR_TLS_APPEND_DEF_CA,
¶ms->tls_append_def_CA),
RECV_ATTR_INT(VAR_TLS_BC_PKEY_FPRINT,
¶ms->tls_bc_pkey_fprint),
- RECV_ATTR_INT(VAR_TLS_DANE_TAA_DGST,
- ¶ms->tls_dane_taa_dgst),
RECV_ATTR_INT(VAR_TLS_PREEMPT_CLIST,
¶ms->tls_preempt_clist),
RECV_ATTR_INT(VAR_TLS_MULTI_WILDCARD,
params->tls_eecdh_ultra = vstring_export(tls_eecdh_ultra);
params->tls_bug_tweaks = vstring_export(tls_bug_tweaks);
params->tls_ssl_options = vstring_export(tls_ssl_options);
- params->tls_dane_agility = vstring_export(tls_dane_agility);
params->tls_dane_digests = vstring_export(tls_dane_digests);
params->tls_mgr_service = vstring_export(tls_mgr_service);
params->tls_tkt_cipher = vstring_export(tls_tkt_cipher);
- params->openssl_path = vstring_export(openssl_path);
- ret = (ret == 21 ? 1 : -1);
+ ret = (ret == 18 ? 1 : -1);
if (ret != 1) {
tls_proxy_client_param_free(params);
params = 0;
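Review bot: The expected attribute count at `ret = (ret == 18 ? 1 : -1);` is a bare literal that was just hand-edited from 21 and must equal the number of RECV_ATTR_* entries above, with no comment tying the two together; a wrong count would presumably make every parameter scan fail, which is fail-safe but hard to diagnose. Consider naming it, e.g. `#define TLS_CLIENT_PARAMS_COUNT 18` next to the struct in tls_proxy.h and `ret = (ret == TLS_CLIENT_PARAMS_COUNT ? 1 : -1);` here, or at least a comment `/* one per RECV_ATTR_* above */`. On the failure path the exported strings are already owned by params, so tls_proxy_client_param_free() releases them, which looks correct. tls_proxy_client_param_scan's body starts and ends outside the hunk.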