20100610
- Bugfix: Postfix no longer appends the system default CAs
- to the lists specified with *_tls_CAfile or with *_tls_CApath.
- This prevents third-party certificates from being trusted
- and given mail relay permission with permit_tls_all_clientcerts.
- This change may break valid configurations that do not use
+ Bugfix (introduced Postfix 2.2): Postfix no longer appends
+ the system default CA certificates to the lists specified
+ with *_tls_CAfile or with *_tls_CApath. This prevents
+ third-party certificates from being trusted and given mail
+ relay permission with permit_tls_all_clientcerts. This
+ change may break valid configurations that do not use
permit_tls_all_clientcerts. To get the old behavior, specify
"tls_append_default_CA = yes". Files: tls/tls_certkey.c,
tls/tls_misc.c, global/mail_params.h. proto/postconf.proto,
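Review bot: The Files list at the end of this entry reads "global/mail_params.h. proto/postconf.proto,", with a period between two file names where the rest of the list uses commas. Change it to a comma so the list reads as one sentence.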
Incompatibility with Postfix 2.7.2
----------------------------------
-Postfix no longer appends the system-supplied default CAs to the
-lists specified with *_tls_CAfile or with *_tls_CApath. This prevents
-third-party certificates from being trusted and given mail relay
-permission with permit_tls_all_clientcerts.
+Postfix no longer appends the system-supplied default CA certificates
+to the lists specified with *_tls_CAfile or with *_tls_CApath. This
+prevents third-party certificates from being trusted and given mail
+relay permission with permit_tls_all_clientcerts.
Unfortunately this change may break certificate verification on
sites that don't use permit_tls_all_clientcerts. Specify
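Review bot: The sentence "Unfortunately this change may break certificate verification on sites that don't use permit_tls_all_clientcerts" does not say what actually breaks. Since the preceding paragraph says the system-supplied default CA certificates are no longer appended to *_tls_CAfile or *_tls_CApath, name the symptom: a certificate that chains only to a system default CA stops verifying once either parameter is set. An administrator reading the release notes can then tell whether the site is affected.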
certificates and giving them relay permission with
<a href="postconf.5.html#permit_tls_all_clientcerts">permit_tls_all_clientcerts</a>. </p>
-<p> This feature is available in Postfix 2.4.15, 2.6.8, 2.7.2 and
-later versions. Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = yes" for backwards
-compatibility, to avoid breaking certificate verification with sites
-that don't use <a href="postconf.5.html#permit_tls_all_clientcerts">permit_tls_all_clientcerts</a>. </p>
+<p> This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8,
+2.7.2 and later versions. Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = yes" for
+backwards compatibility, to avoid breaking certificate verification
+with sites that don't use <a href="postconf.5.html#permit_tls_all_clientcerts">permit_tls_all_clientcerts</a>. </p>
</DD>
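Review bot: The added paragraph says "to avoid breaking certificate verification with sites that don't use permit_tls_all_clientcerts", which reads as if the peer sites were the ones not using the feature. The release notes in this same patch say "on sites that don't use permit_tls_all_clientcerts", meaning the local installation. Use "on sites" here as well, so the parameter documentation and the release notes agree.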
certificates and giving them relay permission with
permit_tls_all_clientcerts.
.PP
-This feature is available in Postfix 2.4.15, 2.6.8, 2.7.2 and
-later versions. Specify "tls_append_default_CA = yes" for backwards
-compatibility, to avoid breaking certificate verification with sites
-that don't use permit_tls_all_clientcerts.
+This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8,
+2.7.2 and later versions. Specify "tls_append_default_CA = yes" for
+backwards compatibility, to avoid breaking certificate verification
+with sites that don't use permit_tls_all_clientcerts.
.SH tls_daemon_random_bytes (default: 32)
The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8)
process requests from the \fBtlsmgr\fR(8) server in order to seed its
certificates and giving them relay permission with
permit_tls_all_clientcerts. </p>
-<p> This feature is available in Postfix 2.4.15, 2.6.8, 2.7.2 and
-later versions. Specify "tls_append_default_CA = yes" for backwards
-compatibility, to avoid breaking certificate verification with sites
-that don't use permit_tls_all_clientcerts. </p>
+<p> This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8,
+2.7.2 and later versions. Specify "tls_append_default_CA = yes" for
+backwards compatibility, to avoid breaking certificate verification
+with sites that don't use permit_tls_all_clientcerts. </p>
%PARAM tls_random_exchange_name see "postconf -d" output
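Review bot: The added paragraph says when to set "tls_append_default_CA = yes" but not when to leave it off. The sentence just above it ends with "giving them relay permission with permit_tls_all_clientcerts", so add one sentence stating that installations that do use permit_tls_all_clientcerts should keep the default. Otherwise the compatibility advice can be read as safe for every site. The same paragraph appears in the HTML and man page hunks and needs the same sentence there.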
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20100615"
-#define MAIL_VERSION_NUMBER "2.7.2-RC1"
+#define MAIL_RELEASE_DATE "20100707"
+#define MAIL_VERSION_NUMBER "2.7.2-RC2"
#ifdef SNAPSHOT
# define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
tls_bio_ops.o: tls.h
tls_bio_ops.o: tls_bio_ops.c
tls_certkey.o: ../../include/argv.h
+tls_certkey.o: ../../include/mail_params.h
tls_certkey.o: ../../include/msg.h
tls_certkey.o: ../../include/name_code.h
tls_certkey.o: ../../include/name_mask.h
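Review bot: Only tls_certkey.o gains the ../../include/mail_params.h dependency in this hunk, while the HISTORY entry lists tls/tls_misc.c as changed too and the tls_misc.c hunk adds a get_mail_conf_bool_table() call. Confirm that the tls_misc.o dependency lines already name mail_params.h. If they do not, a later change to the parameter definitions will not rebuild that object.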
get_mail_conf_str_table(str_table);
get_mail_conf_int_table(int_table);
+ get_mail_conf_bool_table(bool_table);
}
/* tls_set_ciphers - Set SSL context cipher list */
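Review bot: The new get_mail_conf_bool_table(bool_table) call relies on a bool_table that this hunk does not show. Check that its tls_append_default_CA entry defaults to off, since the HISTORY entry says the old behavior requires an explicit "tls_append_default_CA = yes". A short comment above the three table loads naming the parameters each table reads would make that default easier to audit.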