posttls-finger/posttls-finger.c, smtp/lmtp_params.c,
smtp/smtp.c, smtp/smtp.h, smtp/smtp_params.c,
smtp/smtp_tls_policy.c, tls/tls.h, tls/tls_level.c.
+
+20130518
+
+ Feature: posttls-finger protocol and cipher grade selection
+ options. Leave protocol debug flags active across reconnects,
+ only suppress redundant logging of the certificate details.
+ Viktor Dukhovni. File: posttls-finger/posttls-finger.c.
+
+ Robustness: send SNI even when trying to reuse a DANE
+ session, because a new session may be negotiated anyway.
+ Viktor Dukhovni. File: tls/tls_client.c.
+
+ Cleanup: eliminate variable that is redundant with respect
+ to more authoritative state. Viktor Dukhovni. File:
+ posttls-finger/posttls-finger.c.
+
+ Feature: new tls_ssl_options parameter to enable OpenSSL
+ features (as opposed to tls_disable_workarounds which is
+ disables bug workarounds that are on by default). Viktor
+ Dukhovni. Files: proto/TLS_README.html, proto/postconf.proto,
+ src/global/mail_params.h, src/tls/tls.h, src/tls/tls_client.c,
+ src/tls/tls_misc.c.
+
/etc/postfix/main.cf:
tls_disable_workarounds = 0xFFFFFFFF
- tls_disable_workarounds = CVE-2010-4180, LEGACY_SERVER_CONNECT
+ tls_disable_workarounds = CVE-2010-4180
+
+With Postfix >= 2.11, the tls_ssl_options parameter specifies a list or bit-
+mask of OpenSSL options to enable. Specify one or more of the named options
+below, or a hexadecimal bitmask of options found in the ssl.h file
+corresponding to the run-time OpenSSL library. While it may be reasonable to
+turn off all bug workarounds (see above), it is not a good idea to attempt to
+turn on all features.
+
+L\bLE\bEG\bGA\bAC\bCY\bY_\b_S\bSE\bER\bRV\bVE\bER\bR_\b_C\bCO\bON\bNN\bNE\bEC\bCT\bT
+ See SSL_CTX_set_options(3).
+N\bNO\bO_\b_T\bTI\bIC\bCK\bKE\bET\bT
+ See SSL_CTX_set_options(3).
+N\bNO\bO_\b_C\bCO\bOM\bMP\bPR\bRE\bES\bSS\bSI\bIO\bON\bN
+ Disable SSL compression even if supported by the OpenSSL library.
+ Compression is CPU-intensive, and compression before encryption does not
+ always improve security.
+Example:
-Note: Disabling LEGACY_SERVER_CONNECT is not wise at this time, lots of servers
-are still unpatched and Postfix is not significantly vulnerable to the
-renegotiation issue in the TLS protocol.
+ /etc/postfix/main.cf:
+ tls_ssl_options = no_ticket, no_compression
+
+You should only enable features via the hexadecimal mask when the need to
+control the feature is critical (to deal with a new vulnerability or a serious
+interoperability problem). Postfix DOES NOT promise backwards compatible
+behavior with respect to the mask bits. A feature enabled via the mask in one
+release may be enabled by other means in a later release, and the mask bit will
+then be ignored. Therefore, use of the hexadecimal mask is only a temporary
+measure until a new Postfix or OpenSSL release provides a better solution.
S\bSM\bMT\bTP\bP C\bCl\bli\bie\ben\bnt\bt s\bsp\bpe\bec\bci\bif\bfi\bic\bc s\bse\bet\btt\bti\bin\bng\bgs\bs
/etc/postfix/main.cf:
smtp_starttls_timeout = 300s
+With Postfix 2.8 and later, the tls_disable_workarounds parameter specifies a
+list or bit-mask of OpenSSL bug work-arounds to disable. This may be necessary
+if one of the work-arounds enabled by default in OpenSSL proves to pose a
+security risk, or introduces an unexpected interoperability issue. Some bug
+work-arounds known to be problematic are disabled in the default value of the
+parameter when linked with an OpenSSL library that could be vulnerable.
+
+Example:
+
+ /etc/postfix/main.cf:
+ tls_disable_workarounds = 0xFFFFFFFF
+ tls_disable_workarounds = CVE-2010-4180, LEGACY_SERVER_CONNECT
+
+Note: Disabling LEGACY_SERVER_CONNECT is not wise at this time, lots of servers
+are still unpatched and Postfix is not significantly vulnerable to the
+renegotiation issue in the TLS protocol.
+
+With Postfix >= 2.11, the tls_ssl_options parameter specifies a list or bit-
+mask of OpenSSL options to enable. Specify one or more of the named options
+below, or a hexadecimal bitmask of options found in the ssl.h file
+corresponding to the run-time OpenSSL library. While it may be reasonable to
+turn off all bug workarounds (see above), it is not a good idea to attempt to
+turn on all features.
+
+A future version of OpenSSL may by default no longer allow connections to
+servers that don't support secure renegotiation. Since the exposure for SMTP is
+minimal, and some SMTP servers may remain unpatched, you can add
+LEGACY_SERVER_CONNECT to the options to restore the more permissive default of
+current OpenSSL releases.
+
+Example:
+
+ /etc/postfix/main.cf:
+ tls_ssl_options = NO_TICKET, NO_COMPRESSION, LEGACY_SERVER_CONNECT
+
+You should only enable features via the hexadecimal mask when the need to
+control the feature is critical (to deal with a new vulnerability or a serious
+interoperability problem). Postfix DOES NOT promise backwards compatible
+behavior with respect to the mask bits. A feature enabled via the mask in one
+release may be enabled by other means in a later release, and the mask bit will
+then be ignored. Therefore, use of the hexadecimal mask is only a temporary
+measure until a new Postfix or OpenSSL release provides a better solution.
+
T\bTL\bLS\bS m\bma\ban\bna\bag\bge\ber\br s\bsp\bpe\bec\bci\bif\bfi\bic\bc s\bse\bet\btt\bti\bin\bng\bgs\bs
The security of cryptographic software such as TLS depends critically on the
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#tls_disable_workarounds">tls_disable_workarounds</a> = 0xFFFFFFFF
- <a href="postconf.5.html#tls_disable_workarounds">tls_disable_workarounds</a> = CVE-2010-4180, LEGACY_SERVER_CONNECT
+ <a href="postconf.5.html#tls_disable_workarounds">tls_disable_workarounds</a> = CVE-2010-4180
</pre>
</blockquote>
-<p> Note: Disabling LEGACY_SERVER_CONNECT is not wise at this
-time, lots of servers are still unpatched and Postfix is <a
-href="http://www.postfix.org/wip.html#tls-renegotiation">not
-significantly vulnerable</a> to the renegotiation issue in the TLS
-protocol. </p>
+<p> With Postfix ≥ 2.11, the tls_ssl_options parameter specifies
+a list or bit-mask of OpenSSL options to enable. Specify one or
+more of the named options below, or a hexadecimal bitmask of options
+found in the ssl.h file corresponding to the run-time OpenSSL
+library. While it may be reasonable to turn off all bug workarounds
+(see above), it is not a good idea to attempt to turn on all features.
+</p>
+
+<dl>
+
+<dt><b>LEGACY_SERVER_CONNECT</b></dt> <dd>See SSL_CTX_set_options(3).</dd>
+
+<dt><b>NO_TICKET</b></dt> <dd>See SSL_CTX_set_options(3).</dd>
+
+<dt><b>NO_COMPRESSION</b></dt> <dd>Disable SSL compression even if
+supported by the OpenSSL library. Compression is CPU-intensive,
+and compression before encryption does not always improve security. </dd>
+
+</dl>
+
+<p> Example: </p>
+
+<blockquote>
+<pre>
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+ tls_ssl_options = no_ticket, no_compression
+</pre>
+</blockquote>
+
+<p> You should only enable features via the hexadecimal mask when
+the need to control the feature is critical (to deal with a new
+vulnerability or a serious interoperability problem). Postfix DOES
+NOT promise backwards compatible behavior with respect to the mask
+bits. A feature enabled via the mask in one release may be enabled
+by other means in a later release, and the mask bit will then be
+ignored. Therefore, use of the hexadecimal mask is only a temporary
+measure until a new Postfix or OpenSSL release provides a better
+solution. </p>
<h2> <a name="client_tls">SMTP Client specific settings</a> </h2>
</pre>
</blockquote>
+<p> With Postfix 2.8 and later, the <a href="postconf.5.html#tls_disable_workarounds">tls_disable_workarounds</a> parameter
+specifies a list or bit-mask of OpenSSL bug work-arounds to disable. This
+may be necessary if one of the work-arounds enabled by default in
+OpenSSL proves to pose a security risk, or introduces an unexpected
+interoperability issue. Some bug work-arounds known to be problematic
+are disabled in the default value of the parameter when linked with
+an OpenSSL library that could be vulnerable. </p>
+
+<p> Example: </p>
+
+<blockquote>
+<pre>
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+ <a href="postconf.5.html#tls_disable_workarounds">tls_disable_workarounds</a> = 0xFFFFFFFF
+ <a href="postconf.5.html#tls_disable_workarounds">tls_disable_workarounds</a> = CVE-2010-4180, LEGACY_SERVER_CONNECT
+</pre>
+</blockquote>
+
+<p> Note: Disabling LEGACY_SERVER_CONNECT is not wise at this
+time, lots of servers are still unpatched and Postfix is <a
+href="http://www.postfix.org/wip.html#tls-renegotiation">not
+significantly vulnerable</a> to the renegotiation issue in the TLS
+protocol. </p>
+
+<p> With Postfix ≥ 2.11, the tls_ssl_options parameter specifies
+a list or bit-mask of OpenSSL options to enable. Specify one or
+more of the named options below, or a hexadecimal bitmask of options
+found in the ssl.h file corresponding to the run-time OpenSSL
+library. While it may be reasonable to turn off all bug workarounds
+(see above), it is not a good idea to attempt to turn on all features.
+</p>
+
+<p> A future version of OpenSSL may by default no longer allow
+connections to servers that don't support secure renegotiation.
+Since the exposure for SMTP is minimal, and some SMTP servers may
+remain unpatched, you can add LEGACY_SERVER_CONNECT to the
+options to restore the more permissive default of current OpenSSL
+releases. </p>
+
+<p> Example: </p>
+
+<blockquote>
+<pre>
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+ tls_ssl_options = NO_TICKET, NO_COMPRESSION, LEGACY_SERVER_CONNECT
+</pre>
+</blockquote>
+
+<p> You should only enable features via the hexadecimal mask when
+the need to control the feature is critical (to deal with a new
+vulnerability or a serious interoperability problem). Postfix DOES
+NOT promise backwards compatible behavior with respect to the mask
+bits. A feature enabled via the mask in one release may be enabled
+by other means in a later release, and the mask bit will then be
+ignored. Therefore, use of the hexadecimal mask is only a temporary
+measure until a new Postfix or OpenSSL release provides a better
+solution. </p>
+
<h2><a name="tlsmgr_controls"> TLS manager specific settings </a> </h2>
<p> The security of cryptographic software such as TLS depends
<p> This feature is available in Postfix 2.2 and later. </p>
+</DD>
+
+<DT><b><a name="tls_ssl_options">tls_ssl_options</a>
+(default: empty)</b></DT><DD>
+
+<p> List or bit-mask of OpenSSL options to enable. </p>
+
+<p> The OpenSSL toolkit provides a set of options that applications
+can enable to tune the OpenSSL behavior. Some of these work around
+bugs in other implementations and are on by default. You can use
+the <a href="postconf.5.html#tls_disable_workarounds">tls_disable_workarounds</a> parameter to selectively disable some
+or all of the bug work-arounds, making OpenSSL more strict at the
+cost of non-interoperability with SSL clients or servers that exhibit
+the bugs. </p>
+
+<p> Other options are off by default, and typically enable or disable
+features rather than bug work-arounds. These may be turned on (with
+care) via the tls_ssl_options parameter. The value is a white-space
+or comma separated list of named options chosen from the list below.
+The names are not case-sensitive, you can use lower-case if you
+prefer. The upper case values below match the corresponding macro
+name in the ssl.h header file with the SSL_OP_ prefix removed. It
+is possible that your OpenSSL version includes new options added
+after your Postfix source code was last updated, in that case you
+can only enable one of these via the hexadecimal syntax below. </p>
+
+<p> You should only enable features via the hexadecimal mask when
+the need to control the feature is critical (to deal with a new
+vulnerability or a serious interoperability problem). Postfix DOES
+NOT promise backwards compatible behavior with respect to the mask
+bits. A feature enabled via the mask in one release may be enabled
+by other means in a later release, and the mask bit will then be
+ignored. Therefore, use of the hexadecimal mask is only a temporary
+measure until a new Postfix or OpenSSL release provides a better
+solution. </p>
+
+<p> If the value of the parameter is a hexadecimal long integer
+starting with "0x", the options corresponding to the bits specified
+in its value are enabled (see openssl/ssl.h and SSL_CTX_set_options(3)).
+You can only enable options not already controlled by other Postfix
+settings. For example, you cannot disable protocols or enable
+server cipher preference. Do not attempt to turn all features by
+specifying 0xFFFFFFFF, this is unlikely to be a good idea. </p>
+
+<dl>
+
+<dt><b>LEGACY_SERVER_CONNECT</b></dt> <dd>See SSL_CTX_set_options(3).</dd>
+
+<dt><b>NO_TICKET</b></dt> <dd>See SSL_CTX_set_options(3).</dd>
+
+<dt><b>NO_COMPRESSION</b></dt> <dd>Disable SSL compression even if
+supported by the OpenSSL library. Compression is CPU-intensive,
+and compression before encryption does not always improve security. </dd>
+
+</dl>
+
+<p> This feature is available in Postfix 2.11 and later. </p>
+
+
</DD>
<DT><b><a name="tlsproxy_enforce_tls">tlsproxy_enforce_tls</a>
certificate verification. By default no CAfile is
used and no public CAs are trusted.
+ <b>-g</b> <i>grade</i> (default: medium)
+ The minimum TLS cipher grade used by posttls-fin-
+ ger. See <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> for details.
+
<b>-h</b> <i>host</i><b>_</b><i>lookup</i> (default: <b>dns</b>)
- The hostname lookup methods used for the connec-
- tion. See the documentation of <a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a>
+ The hostname lookup methods used for the connec-
+ tion. See the documentation of <a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a>
for syntax and semantics.
<b>-l</b> <i>level</i> (default: <b>dane</b> or <b>secure</b>)
The security level for the connection, default <b>dane</b>
or <b>secure</b> depending on whether DNSSEC is available.
- For syntax and semantics, see the documentation of
+ For syntax and semantics, see the documentation of
<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>. When <b>dane</b> or <b>dane-only</b> is
- supported and selected, if no TLSA records are
- found, or all the records found are unusable, the
+ supported and selected, if no TLSA records are
+ found, or all the records found are unusable, the
<i>secure</i> level will be used instead. The <b>fingerprint</b>
- security level allows you to test certificate or
- public-key fingerprint matches before you deploy
+ security level allows you to test certificate or
+ public-key fingerprint matches before you deploy
them in the policy table.
- Note, since <b>posttls-finger</b> does not actually
- deliver any email, the <b>none</b>, <b>may</b> and <b>encrypt</b> secu-
- rity levels are not very useful. Since <b>may</b> and
- <b>encrypt</b> don't require peer certificates, they will
- often negotiate anonymous TLS ciphersuites, so you
- won't learn much about the remote SMTP server's
- certificates at these levels if it also supports
+ Note, since <b>posttls-finger</b> does not actually
+ deliver any email, the <b>none</b>, <b>may</b> and <b>encrypt</b> secu-
+ rity levels are not very useful. Since <b>may</b> and
+ <b>encrypt</b> don't require peer certificates, they will
+ often negotiate anonymous TLS ciphersuites, so you
+ won't learn much about the remote SMTP server's
+ certificates at these levels if it also supports
anonymous TLS (though you may learn that the server
supports anonymous TLS).
<b>-L</b> <i>logopts</i> (default: <b>routine,certmatch</b>)
- Fine-grained TLS logging options. To tune the TLS
- features logged during the TLS handshake, specify
+ Fine-grained TLS logging options. To tune the TLS
+ features logged during the TLS handshake, specify
one or more of:
<b>0, none</b>
These yield no TLS logging; you'll generally
- want more, but this is handy if you just
+ want more, but this is handy if you just
want the trust chain:
$ posttls-finger -cC -L none destination
<b>1, routine, summary</b>
- These synonymous values yield a normal one-
+ These synonymous values yield a normal one-
line summary of the TLS connection.
<b>2, debug</b>
ssl-debug, cache and verbose.
<b>3, ssl-expert</b>
- These synonymous values combine debug with
- ssl-handshake-packet-dump. For experts
+ These synonymous values combine debug with
+ ssl-handshake-packet-dump. For experts
only.
<b>4, ssl-developer</b>
- These synonymous values combine ssl-expert
- with ssl-session-packet-dump. For experts
+ These synonymous values combine ssl-expert
+ with ssl-session-packet-dump. For experts
only, and in most cases, use wireshark
instead.
<b>ssl-debug</b>
- Turn on OpenSSL logging of the progress of
+ Turn on OpenSSL logging of the progress of
the SSL handshake.
<b>ssl-handshake-packet-dump</b>
- Log hexadecimal packet dumps of the SSL
+ Log hexadecimal packet dumps of the SSL
handshake; for experts only.
<b>ssl-session-packet-dump</b>
- Log hexadecimal packet dumps of the entire
- SSL session; only useful to those who can
- debug SSL protocol problems from hex dumps.
+ Log hexadecimal packet dumps of the entire
+ SSL session; only useful to those who can
+ debug SSL protocol problems from hex dumps.
<b>untrusted</b>
- Logs trust chain verification problems.
- This is turned on automatically at security
- levels that use peer names signed by cer-
- tificate authorities to validate certifi-
+ Logs trust chain verification problems.
+ This is turned on automatically at security
+ levels that use peer names signed by cer-
+ tificate authorities to validate certifi-
cates. So while this setting is recognized,
- you should never need to set it explicitly.
+ you should never need to set it explicitly.
<b>peercert</b>
- This logs a one line summary of the remote
+ This logs a one line summary of the remote
SMTP server certificate subject, issuer, and
fingerprints.
<b>certmatch</b>
- This logs remote SMTP server certificate
- matching, showing the CN and each subjec-
+ This logs remote SMTP server certificate
+ matching, showing the CN and each subjec-
tAltName and which name matched. With DANE,
- logs matching of TLSA record trust-anchor
+ logs matching of TLSA record trust-anchor
and end-entity certificates.
- <b>cache</b> This logs session cache operations, showing
- whether session caching is effective with
- the remote SMTP server. Automatically used
+ <b>cache</b> This logs session cache operations, showing
+ whether session caching is effective with
+ the remote SMTP server. Automatically used
when reconnecting with the <b>-r</b> option; rarely
needs to be set explicitly.
<b>verbose</b>
- Enables verbose logging in the Postfix TLS
- driver; includes all of peercert..cache and
+ Enables verbose logging in the Postfix TLS
+ driver; includes all of peercert..cache and
more.
- The default is <b>routine,certmatch</b>. After a recon-
- nect, the log level is unconditionally <b>rou-</b>
- <b>tine,cache</b>.
+ The default is <b>routine,certmatch</b>. After a recon-
+ nect, <b>peercert</b>, <b>certmatch</b> and <b>verbose</b> are automati-
+ cally disabled while <b>cache</b> and <b>summary</b> are enabled.
<b>-m</b> <i>count</i> (default: <b>5</b>)
When the <b>-r</b> <i>delay</i> option is specified, the <b>-m</b>
library parameters, or "<a href="postconf.5.html#myhostname">myhostname</a>" to configure
the SMTP EHLO name sent to the remote server.
+ <b>-p</b> <i>protocols</i> (default: !SSLv2)
+ List of TLS protocols that posttls-finger will
+ exclude or include. See smtp_tls_mandatory_proto-
+ cols for details.
+
<b>-P</b> <i>CApath/</i> (default: none)
The OpenSSL CApath/ directory (indexed via
c_rehash(1)) for remote SMTP server certificate
The PEM formatted CAfile for remote SMTP server certificate
verification. By default no CAfile is used and no public CAs
are trusted.
+.IP "\fB-g \fIgrade\fR (default: medium)"
+The minimum TLS cipher grade used by posttls-finger. See
+smtp_tls_mandatory_ciphers for details.
.IP "\fB-h \fIhost_lookup\fR (default: \fBdns\fR)"
The hostname lookup methods used for the connection. See the
documentation of smtp_host_lookup for syntax and semantics.
peercert..cache and more.
.RE
.IP
-The default is \fBroutine,certmatch\fR. After a reconnect, the log
-level is unconditionally \fBroutine,cache\fR.
+The default is \fBroutine,certmatch\fR. After a reconnect,
+\fBpeercert\fR, \fBcertmatch\fR and \fBverbose\fR are automatically
+disabled while \fBcache\fR and \fBsummary\fR are enabled.
.IP "\fB-m \fIcount\fR (default: \fB5\fR)"
When the \fB-r \fIdelay\fR option is specified, the \fB-m\fR option
determines the maximum number of reconnect attempts to use with
parameter \fIname\fR with \fIvalue\fR. Possible use-cases include
overriding the values of TLS library parameters, or "myhostname" to
configure the SMTP EHLO name sent to the remote server.
+.IP "\fB-p \fIprotocols\fR (default: !SSLv2)"
+List of TLS protocols that posttls-finger will exclude or include. See
+smtp_tls_mandatory_protocols for details.
.IP "\fB-P \fICApath/\fR (default: none)"
The OpenSSL CApath/ directory (indexed via c_rehash(1)) for remote
SMTP server certificate verification. By default no CApath is used
gives timeout errors.
.PP
This feature is available in Postfix 2.2 and later.
+.SH tls_ssl_options (default: empty)
+List or bit-mask of OpenSSL options to enable.
+.PP
+The OpenSSL toolkit provides a set of options that applications
+can enable to tune the OpenSSL behavior. Some of these work around
+bugs in other implementations and are on by default. You can use
+the tls_disable_workarounds parameter to selectively disable some
+or all of the bug work-arounds, making OpenSSL more strict at the
+cost of non-interoperability with SSL clients or servers that exhibit
+the bugs.
+.PP
+Other options are off by default, and typically enable or disable
+features rather than bug work-arounds. These may be turned on (with
+care) via the tls_ssl_options parameter. The value is a white-space
+or comma separated list of named options chosen from the list below.
+The names are not case-sensitive, you can use lower-case if you
+prefer. The upper case values below match the corresponding macro
+name in the ssl.h header file with the SSL_OP_ prefix removed. It
+is possible that your OpenSSL version includes new options added
+after your Postfix source code was last updated, in that case you
+can only enable one of these via the hexadecimal syntax below.
+.PP
+You should only enable features via the hexadecimal mask when
+the need to control the feature is critical (to deal with a new
+vulnerability or a serious interoperability problem). Postfix DOES
+NOT promise backwards compatible behavior with respect to the mask
+bits. A feature enabled via the mask in one release may be enabled
+by other means in a later release, and the mask bit will then be
+ignored. Therefore, use of the hexadecimal mask is only a temporary
+measure until a new Postfix or OpenSSL release provides a better
+solution.
+.PP
+If the value of the parameter is a hexadecimal long integer
+starting with "0x", the options corresponding to the bits specified
+in its value are enabled (see openssl/ssl.h and SSL_CTX_\fBset_options\fR(3)).
+You can only enable options not already controlled by other Postfix
+settings. For example, you cannot disable protocols or enable
+server cipher preference. Do not attempt to turn all features by
+specifying 0xFFFFFFFF, this is unlikely to be a good idea.
+.IP "\fBLEGACY_SERVER_CONNECT\fR"
+See SSL_CTX_\fBset_options\fR(3).
+.br
+.IP "\fBNO_TICKET\fR"
+See SSL_CTX_\fBset_options\fR(3).
+.br
+.IP "\fBNO_COMPRESSION\fR"
+Disable SSL compression even if
+supported by the OpenSSL library. Compression is CPU-intensive,
+and compression before encryption does not always improve security.
+.br
+.br
+.PP
+This feature is available in Postfix 2.11 and later.
.SH tlsproxy_enforce_tls (default: $smtpd_enforce_tls)
Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
require that clients use TLS encryption. See smtpd_enforce_tls for
<pre>
/etc/postfix/main.cf:
tls_disable_workarounds = 0xFFFFFFFF
- tls_disable_workarounds = CVE-2010-4180, LEGACY_SERVER_CONNECT
+ tls_disable_workarounds = CVE-2010-4180
</pre>
</blockquote>
-<p> Note: Disabling LEGACY_SERVER_CONNECT is not wise at this
-time, lots of servers are still unpatched and Postfix is <a
-href="http://www.postfix.org/wip.html#tls-renegotiation">not
-significantly vulnerable</a> to the renegotiation issue in the TLS
-protocol. </p>
+<p> With Postfix ≥ 2.11, the tls_ssl_options parameter specifies
+a list or bit-mask of OpenSSL options to enable. Specify one or
+more of the named options below, or a hexadecimal bitmask of options
+found in the ssl.h file corresponding to the run-time OpenSSL
+library. While it may be reasonable to turn off all bug workarounds
+(see above), it is not a good idea to attempt to turn on all features.
+</p>
+
+<dl>
+
+<dt><b>LEGACY_SERVER_CONNECT</b></dt> <dd>See SSL_CTX_set_options(3).</dd>
+
+<dt><b>NO_TICKET</b></dt> <dd>See SSL_CTX_set_options(3).</dd>
+
+<dt><b>NO_COMPRESSION</b></dt> <dd>Disable SSL compression even if
+supported by the OpenSSL library. Compression is CPU-intensive,
+and compression before encryption does not always improve security. </dd>
+
+</dl>
+
+<p> Example: </p>
+
+<blockquote>
+<pre>
+/etc/postfix/main.cf:
+ tls_ssl_options = no_ticket, no_compression
+</pre>
+</blockquote>
+
+<p> You should only enable features via the hexadecimal mask when
+the need to control the feature is critical (to deal with a new
+vulnerability or a serious interoperability problem). Postfix DOES
+NOT promise backwards compatible behavior with respect to the mask
+bits. A feature enabled via the mask in one release may be enabled
+by other means in a later release, and the mask bit will then be
+ignored. Therefore, use of the hexadecimal mask is only a temporary
+measure until a new Postfix or OpenSSL release provides a better
+solution. </p>
<h2> <a name="client_tls">SMTP Client specific settings</a> </h2>
</pre>
</blockquote>
+<p> With Postfix 2.8 and later, the tls_disable_workarounds parameter
+specifies a list or bit-mask of OpenSSL bug work-arounds to disable. This
+may be necessary if one of the work-arounds enabled by default in
+OpenSSL proves to pose a security risk, or introduces an unexpected
+interoperability issue. Some bug work-arounds known to be problematic
+are disabled in the default value of the parameter when linked with
+an OpenSSL library that could be vulnerable. </p>
+
+<p> Example: </p>
+
+<blockquote>
+<pre>
+/etc/postfix/main.cf:
+ tls_disable_workarounds = 0xFFFFFFFF
+ tls_disable_workarounds = CVE-2010-4180, LEGACY_SERVER_CONNECT
+</pre>
+</blockquote>
+
+<p> Note: Disabling LEGACY_SERVER_CONNECT is not wise at this
+time, lots of servers are still unpatched and Postfix is <a
+href="http://www.postfix.org/wip.html#tls-renegotiation">not
+significantly vulnerable</a> to the renegotiation issue in the TLS
+protocol. </p>
+
+<p> With Postfix ≥ 2.11, the tls_ssl_options parameter specifies
+a list or bit-mask of OpenSSL options to enable. Specify one or
+more of the named options below, or a hexadecimal bitmask of options
+found in the ssl.h file corresponding to the run-time OpenSSL
+library. While it may be reasonable to turn off all bug workarounds
+(see above), it is not a good idea to attempt to turn on all features.
+</p>
+
+<p> A future version of OpenSSL may by default no longer allow
+connections to servers that don't support secure renegotiation.
+Since the exposure for SMTP is minimal, and some SMTP servers may
+remain unpatched, you can add LEGACY_SERVER_CONNECT to the
+options to restore the more permissive default of current OpenSSL
+releases. </p>
+
+<p> Example: </p>
+
+<blockquote>
+<pre>
+/etc/postfix/main.cf:
+ tls_ssl_options = NO_TICKET, NO_COMPRESSION, LEGACY_SERVER_CONNECT
+</pre>
+</blockquote>
+
+<p> You should only enable features via the hexadecimal mask when
+the need to control the feature is critical (to deal with a new
+vulnerability or a serious interoperability problem). Postfix DOES
+NOT promise backwards compatible behavior with respect to the mask
+bits. A feature enabled via the mask in one release may be enabled
+by other means in a later release, and the mask bit will then be
+ignored. Therefore, use of the hexadecimal mask is only a temporary
+measure until a new Postfix or OpenSSL release provides a better
+solution. </p>
+
<h2><a name="tlsmgr_controls"> TLS manager specific settings </a> </h2>
<p> The security of cryptographic software such as TLS depends
secure servers are found. </p>
<p> This feature is available in Postfix 2.11 and later. </p>
+
+%PARAM tls_ssl_options
+
+<p> List or bit-mask of OpenSSL options to enable. </p>
+
+<p> The OpenSSL toolkit provides a set of options that applications
+can enable to tune the OpenSSL behavior. Some of these work around
+bugs in other implementations and are on by default. You can use
+the tls_disable_workarounds parameter to selectively disable some
+or all of the bug work-arounds, making OpenSSL more strict at the
+cost of non-interoperability with SSL clients or servers that exhibit
+the bugs. </p>
+
+<p> Other options are off by default, and typically enable or disable
+features rather than bug work-arounds. These may be turned on (with
+care) via the tls_ssl_options parameter. The value is a white-space
+or comma separated list of named options chosen from the list below.
+The names are not case-sensitive, you can use lower-case if you
+prefer. The upper case values below match the corresponding macro
+name in the ssl.h header file with the SSL_OP_ prefix removed. It
+is possible that your OpenSSL version includes new options added
+after your Postfix source code was last updated, in that case you
+can only enable one of these via the hexadecimal syntax below. </p>
+
+<p> You should only enable features via the hexadecimal mask when
+the need to control the feature is critical (to deal with a new
+vulnerability or a serious interoperability problem). Postfix DOES
+NOT promise backwards compatible behavior with respect to the mask
+bits. A feature enabled via the mask in one release may be enabled
+by other means in a later release, and the mask bit will then be
+ignored. Therefore, use of the hexadecimal mask is only a temporary
+measure until a new Postfix or OpenSSL release provides a better
+solution. </p>
+
+<p> If the value of the parameter is a hexadecimal long integer
+starting with "0x", the options corresponding to the bits specified
+in its value are enabled (see openssl/ssl.h and SSL_CTX_set_options(3)).
+You can only enable options not already controlled by other Postfix
+settings. For example, you cannot disable protocols or enable
+server cipher preference. Do not attempt to turn all features by
+specifying 0xFFFFFFFF, this is unlikely to be a good idea. </p>
+
+<dl>
+
+<dt><b>LEGACY_SERVER_CONNECT</b></dt> <dd>See SSL_CTX_set_options(3).</dd>
+
+<dt><b>NO_TICKET</b></dt> <dd>See SSL_CTX_set_options(3).</dd>
+
+<dt><b>NO_COMPRESSION</b></dt> <dd>Disable SSL compression even if
+supported by the OpenSSL library. Compression is CPU-intensive,
+and compression before encryption does not always improve security. </dd>
+
+</dl>
+
+<p> This feature is available in Postfix 2.11 and later. </p>
+
#define DEF_TLS_BUG_TWEAKS TLS_BUG_TWEAKS
extern char *var_tls_bug_tweaks;
+#define VAR_TLS_SSL_OPTIONS "tls_ssl_options"
+#define DEF_TLS_SSL_OPTIONS ""
+extern char *var_tls_ssl_options;
+
#define VAR_TLS_BC_PKEY_FPRINT "tls_legacy_public_key_fingerprints"
#define DEF_TLS_BC_PKEY_FPRINT 0
extern bool var_tls_bc_pkey_fprint;
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20130506"
+#define MAIL_RELEASE_DATE "20130518"
#define MAIL_VERSION_NUMBER "2.11"
#ifdef SNAPSHOT
/* The PEM formatted CAfile for remote SMTP server certificate
/* verification. By default no CAfile is used and no public CAs
/* are trusted.
+/* .IP "\fB-g \fIgrade\fR (default: medium)"
+/* The minimum TLS cipher grade used by posttls-finger. See
+/* smtp_tls_mandatory_ciphers for details.
/* .IP "\fB-h \fIhost_lookup\fR (default: \fBdns\fR)"
/* The hostname lookup methods used for the connection. See the
/* documentation of smtp_host_lookup for syntax and semantics.
/* peercert..cache and more.
/* .RE
/* .IP
-/* The default is \fBroutine,certmatch\fR. After a reconnect, the log
-/* level is unconditionally \fBroutine,cache\fR.
+/* The default is \fBroutine,certmatch\fR. After a reconnect,
+/* \fBpeercert\fR, \fBcertmatch\fR and \fBverbose\fR are automatically
+/* disabled while \fBcache\fR and \fBsummary\fR are enabled.
/* .IP "\fB-m \fIcount\fR (default: \fB5\fR)"
/* When the \fB-r \fIdelay\fR option is specified, the \fB-m\fR option
/* determines the maximum number of reconnect attempts to use with
/* parameter \fIname\fR with \fIvalue\fR. Possible use-cases include
/* overriding the values of TLS library parameters, or "myhostname" to
/* configure the SMTP EHLO name sent to the remote server.
+/* .IP "\fB-p \fIprotocols\fR (default: !SSLv2)"
+/* List of TLS protocols that posttls-finger will exclude or include. See
+/* smtp_tls_mandatory_protocols for details.
/* .IP "\fB-P \fICApath/\fR (default: none)"
/* The OpenSSL CApath/ directory (indexed via c_rehash(1)) for remote
/* SMTP server certificate verification. By default no CApath is used
TLS_SESS_STATE *tls_context; /* Session TLS context */
TLS_DANE *dane; /* DANE TLSA validation structure */
TLS_DANE *ddane; /* DANE TLSA from DNS */
+ char *grade; /* Minimum cipher grade */
+ char *protocols; /* Protocol inclusion/exclusion */
#endif
OPTIONS options; /* JCL */
} STATE;
namaddr = state->namaddrport,
serverid = STR(serverid),
helo = state->helo ? state->helo : "",
- protocols = "!SSLv2", /* XXX */
- cipher_grade = "medium", /* XXX */
+ protocols = state->protocols,
+ cipher_grade = state->grade,
cipher_exclusions
= vstring_str(cipher_exclusions),
matchargv = state->match,
msg_info("Server is anonymous");
else if (state->print_trust)
print_trust_info(state);
- state->log_mask = TLS_LOG_SUMMARY | TLS_LOG_CACHE;
+ state->log_mask &= ~(TLS_LOG_CERTMATCH | TLS_LOG_PEERCERT |
+ TLS_LOG_VERBOSE | TLS_LOG_UNTRUSTED);
+ state->log_mask |= TLS_LOG_CACHE | TLS_LOG_SUMMARY;
tls_update_app_logmask(state->tls_ctx, state->log_mask);
}
return (0);
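Review bot: The new reconnect mask also clears `TLS_LOG_UNTRUSTED`, but the `-L` manual text updated earlier in this patch names only peercert, certmatch and verbose as disabled after a reconnect. Either the man page should list the fourth flag or the code should leave it set. As written, whatever that flag logs (presumably trust-chain problems) goes quiet on reconnects without the documentation saying so. A short comment above the two statements would record why the mask is now edited instead of replaced, e.g. `/* Certificate details were logged on the first connection; keep protocol debug flags, add cache and summary. */`. The enclosing function starts outside the hunk.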
/* dane_host_level - canidate host "dane" or degraded security level */
-static int dane_host_level(STATE *state, DNS_RR *addr, unsigned port)
+static int dane_host_level(STATE *state, DNS_RR *addr)
{
int level = state->level;
tls_dane_free(state->ddane);
/* When TLSA lookups fail, next host */
- state->ddane = tls_dane_resolve(HNAME(addr), "tcp", port);
+ state->ddane = tls_dane_resolve(HNAME(addr), "tcp", state->port);
if (!state->ddane) {
dsb_simple(state->why, "4.7.5",
"TLSA lookup error for %s:%u",
- HNAME(addr), ntohs(port));
+ HNAME(addr), ntohs(state->port));
return (TLS_LEV_INVALID);
}
/* If unusable or not found, same fallback to "secure" */
DNS_RR *addr;
char *buf;
char *domain;
- unsigned port;
/* When reconnecting use IP address of previous session */
if (state->addr == 0) {
buf = parse_destination(dest, state->smtp ? "smtp" : "24",
- &domain, &port);
+ &domain, &state->port);
if (!state->nexthop)
state->nexthop = mystrdup(domain);
if (state->smtp == 0 || *dest == '[')
vstring_str(state->why->reason));
return;
}
- state->port = port;
}
for (addr = state->addr; addr; addr = addr->next) {
- int level = dane_host_level(state, addr, port);
+ int level = dane_host_level(state, addr);
if (level == TLS_LEV_INVALID
|| (state->stream = connect_addr(state, addr)) == 0) {
tls_dane_flush();
/* Flush and free memory tlsmgr cache */
tlsmgrmem_flush();
+ myfree(state->grade);
+ myfree(state->protocols);
#endif
myfree(state->options.host_lookup);
myfree(state->dest);
{
#ifdef USE_TLS
fprintf(stderr, "usage: %s %s \\\n\t%s \\\n\t%s destination [match ...]\n",
- var_procname, "[-acCStTv] [-d mdalg] [-F CAfile.pem]",
+ var_procname, "[-acCStTv] [-d mdalg] [-g grade] [-p protocols] [-F CAfile.pem]",
"[-h host_lookup] [-l level] [-L logopts] [-m count]",
"[-o name=value] [-P CApath/] [-r delay]");
#else
state->pass = 1;
state->reconnect = -1;
state->max_reconnect = 5;
+#ifdef USE_TLS
+ state->protocols = mystrdup("!SSLv2");
+ state->grade = mystrdup("medium");
+#endif
memset((char *) &state->options, 0, sizeof(state->options));
state->options.host_lookup = mystrdup("dns");
#define OPTS "a:ch:o:St:T:v"
#ifdef USE_TLS
-#define TLSOPTS "A:Cd:F:l:L:m:P:r:"
+#define TLSOPTS "A:Cd:F:g:l:L:m:p:P:r:"
state->mdalg = mystrdup("sha1");
state->CApath = mystrdup("");
myfree(state->CAfile);
state->CAfile = mystrdup(optarg);
break;
+ case 'g':
+ myfree(state->grade);
+ state->grade = mystrdup(optarg);
+ break;
case 'l':
if (state->options.level)
myfree(state->options.level);
case 'm':
state->max_reconnect = atoi(optarg);
break;
+ case 'p':
+ myfree(state->protocols);
+ state->protocols = mystrdup(optarg);
+ break;
case 'P':
myfree(state->CApath);
state->CApath = mystrdup(optarg);
#undef SSL_OP_NO_TLSv1_2
#define SSL_OP_NO_TLSv1_2 0L /* Noop */
#endif
-#define TLS_KNOWN_PROTOCOLS \
+#define TLS_KNOWN_PROTOCOLS \
( TLS_PROTOCOL_SSLv2 | TLS_PROTOCOL_SSLv3 | TLS_PROTOCOL_TLSv1 \
| TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 )
+#define TLS_SSL_OP_PROTOMASK(m) \
+ ((((m) & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L) \
+ | (((m) & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L) \
+ | (((m) & TLS_PROTOCOL_TLSv1) ? SSL_OP_NO_TLSv1 : 0L) \
+ | (((m) & TLS_PROTOCOL_TLSv1_1) ? SSL_OP_NO_TLSv1_1 : 0L) \
+ | (((m) & TLS_PROTOCOL_TLSv1_2) ? SSL_OP_NO_TLSv1_2 : 0L))
+
+/*
+ * SSL options that are managed via dedicated Postfix features, rather than
+ * just exposed via hex codes or named elements of tls_ssl_options.
+ */
+#define TLS_SSL_OP_MANAGED_BITS \
+ (SSL_OP_CIPHER_SERVER_PREFERENCE | TLS_SSL_OP_PROTOMASK(~0))
extern int tls_protocol_mask(const char *);
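Review bot: The comment on `TLS_SSL_OP_MANAGED_BITS` does not say what happens when a configuration names one of these bits. In the tls_misc.c change later in this patch, `enable &= ~(SSL_OP_ALL | TLS_SSL_OP_MANAGED_BITS);` drops them with no log line. A hexadecimal `tls_ssl_options` value that includes a protocol-disabling bit is therefore accepted and has no effect, and the administrator gets no sign that the attempted hardening did nothing. The same applies to any name in the new `ssl_op_tweaks` table that the run-time library also places in `SSL_OP_ALL`, which that table's own comment allows for. I would extend the comment here with `* Bits in this set are cleared from tls_ssl_options; use the dedicated parameters instead.` and have the masking site call `msg_warn()` when `enable & (SSL_OP_ALL | TLS_SSL_OP_MANAGED_BITS)` is non-zero.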
* Apply session protocol restrictions.
*/
if (protomask != 0)
- SSL_set_options(TLScontext->con,
- ((protomask & TLS_PROTOCOL_TLSv1) ? SSL_OP_NO_TLSv1 : 0L)
- | ((protomask & TLS_PROTOCOL_TLSv1_1) ? SSL_OP_NO_TLSv1_1 : 0L)
- | ((protomask & TLS_PROTOCOL_TLSv1_2) ? SSL_OP_NO_TLSv1_2 : 0L)
- | ((protomask & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L)
- | ((protomask & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L));
+ SSL_set_options(TLScontext->con, TLS_SSL_OP_PROTOMASK(protomask));
/*
* XXX To avoid memory leaks we must always call SSL_SESSION_free() after
}
}
#ifdef TLSEXT_MAXLEN_host_name
- if (session == 0
- && props->tls_level == TLS_LEV_DANE
+ if (props->tls_level == TLS_LEV_DANE
&& strlen(props->host) <= TLSEXT_MAXLEN_host_name) {
/*
- * With new DANE sessions, send an SNI hint. We don't care whether
- * the server reports finding a matching certificate or not, so no
+ * With DANE sessions, send an SNI hint. We don't care whether the
+ * server reports finding a matching certificate or not, so no
* callback is required to process the server response. Our use of
* SNI is limited to giving servers that are (mis)configured to use
* SNI the best opportunity to find the certificate they promised via
char *var_tls_dane_ta_dgst;
bool var_tls_append_def_CA;
char *var_tls_bug_tweaks;
+char *var_tls_ssl_options;
bool var_tls_bc_pkey_fprint;
#ifdef VAR_TLS_PREEMPT_CLIST
0, 0,
};
+ /*
+ * SSL_OP_MUMBLE option name <=> mask conversion for options that are not
+ * (or may in the future not be) in SSL_OP_ALL. These enable optional
+ * behavior, rather than bug interoperability work-arounds.
+ */
+#define NAME_SSL_OP(x) #x, SSL_OP_##x
+static const LONG_NAME_MASK ssl_op_tweaks[] = {
+
+#if defined(SSL_OP_LEGACY_SERVER_CONNECT)
+ NAME_SSL_OP(LEGACY_SERVER_CONNECT),
+#endif
+
+#if defined(SSL_OP_NO_TICKET)
+ NAME_SSL_OP(NO_TICKET),
+#endif
+
+#if defined(SSL_OP_NO_COMPRESSION)
+ NAME_SSL_OP(NO_COMPRESSION),
+#endif
+ 0, 0,
+};
+
/*
* Ciphersuite name <=> code conversion.
*/
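Review bot: The `LEGACY_SERVER_CONNECT` entry is exposed by name with no comment on what enabling it gives up. As SSL_CTX_set_options(3) describes it, the option allows connections to servers that lack secure renegotiation support, so it relaxes a protection rather than toggling a neutral feature like `NO_TICKET`. The user documentation added in this patch only points at the man page for it. I would annotate the entry, e.g. `/* Permits peers without secure renegotiation (RFC 5746); enable only for interoperability */`, and say the same in the postconf text. Separately, `NAME_SSL_OP` is defined here without an `#ifndef` guard; if the preceding table (outside this hunk) already defines it identically the redefinition is harmless, but a single definition shared by both tables would be cleaner.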
VAR_TLS_EECDH_STRONG, DEF_TLS_EECDH_STRONG, &var_tls_eecdh_strong, 1, 0,
VAR_TLS_EECDH_ULTRA, DEF_TLS_EECDH_ULTRA, &var_tls_eecdh_ultra, 1, 0,
VAR_TLS_BUG_TWEAKS, DEF_TLS_BUG_TWEAKS, &var_tls_bug_tweaks, 0, 0,
+ VAR_TLS_SSL_OPTIONS, DEF_TLS_SSL_OPTIONS, &var_tls_ssl_options, 0, 0,
VAR_TLS_DANE_TA_DGST, DEF_TLS_DANE_TA_DGST, &var_tls_dane_ta_dgst, 0, 0,
0,
};
var_tls_bug_tweaks, NAME_MASK_ANY_CASE |
NAME_MASK_NUMBER | NAME_MASK_WARN);
}
+
+ /*
+ * Allow users to set options not in SSL_OP_ALL, and not already
+ * managed via other Postfix parameters.
+ */
+ if (*var_tls_ssl_options) {
+ long enable;
+ enable = long_name_mask_opt(VAR_TLS_SSL_OPTIONS, ssl_op_tweaks,
+ var_tls_ssl_options, NAME_MASK_ANY_CASE |
+ NAME_MASK_NUMBER | NAME_MASK_WARN);
+ enable &= ~(SSL_OP_ALL | TLS_SSL_OP_MANAGED_BITS);
+ bits |= enable;
+ }
return (bits);
}