Feature: the pipe(8) delivery agent supports an ${envid}
command-line attribute that expands to the RFC 3461 envelope
ID if available. File: pipe/pipe.c.
+
+20231211
+
+ Cleanup: posttls-finger certificate match expectations for
+ all TLS security levels, including warnings for levels that
+ don't implement certificate matching. Viktor Dukhovni.
+ File: posttls-finger.c.
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20231210"
+#define MAIL_RELEASE_DATE "20231212"
#define MAIL_VERSION_NUMBER "3.9"
#ifdef SNAPSHOT
state->ddane : state->dane);
#define PROXY_OPEN_FLAGS \
- (TLS_PROXY_FLAG_ROLE_CLIENT | TLS_PROXY_FLAG_SEND_CONTEXT)
+ (TLS_PROXY_FLAG_ROLE_CLIENT | TLS_PROXY_FLAG_SEND_CONTEXT)
#define var_tlsproxy_service
if ((cwd_fd = open(".", O_RDONLY)) < 0)
if (state->tls_context) {
if (state->log_mask &
(TLS_LOG_CERTMATCH | TLS_LOG_VERBOSE | TLS_LOG_PEERCERT)) {
- if (state->tls_context->stoc_rpk)
+ if (state->tls_context->stoc_rpk)
msg_info("%s: pkey_fingerprint=%s", state->namaddrport,
state->tls_context->peer_pkey_fprint);
else
state->tls_context->issuer_CN,
state->tls_context->peer_cert_fprint,
state->tls_context->peer_pkey_fprint);
- }
+ }
tls_log_summary(TLS_ROLE_CLIENT, TLS_USAGE_NEW,
state->tls_context);
} else {
* should not clobber a soft error text and status code.
*/
#define RETRY_AI_ERROR(e) \
- ((e) == EAI_AGAIN || (e) == EAI_MEMORY || (e) == EAI_SYSTEM)
+ ((e) == EAI_AGAIN || (e) == EAI_MEMORY || (e) == EAI_SYSTEM)
#ifdef EAI_NODATA
#define DSN_NOHOST(e) \
((e) == EAI_AGAIN || (e) == EAI_NODATA || (e) == EAI_NONAME)
switch (state->level) {
default:
state->match = 0;
+ if (*argv)
+ msg_warn("TLS level '%s' does not implement certificate matching",
+ str_tls_level(state->level));
break;
case TLS_LEV_DANE:
+ case TLS_LEV_DANE_ONLY:
case TLS_LEV_SECURE:
state->match = argv_alloc(2);
while (*argv)
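Review bot: In the `default:` branch the new warning says the level does not implement certificate matching, but not that the supplied match patterns are dropped (`state->match = 0`) before the code continues past the `break`. A later successful handshake can then be read as if the names had been checked. I would state this in the message, e.g. `msg_warn("TLS level '%s' does not implement certificate matching; ignoring match arguments", str_tls_level(state->level));`, and add a comment above the branch such as `/* No name checks at this level: match patterns are dropped, not enforced. */`. Whether this should be a fatal usage error instead depends on how the tool is scripted, which the hunk does not show. The switch continues beyond the end of the hunk.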