Usability: the Postfix SMTP server now logs a warning when
a configuration requests access control by client certificate,
- but "smtpd_tls_ask_clientcert = no". Files: proto/postconf.proto,
+ but "smtpd_tls_ask_ccert = no". Files: proto/postconf.proto,
smtpd/smtpd_check.c.
20200316
Removed the issuer_cn and subject_cn matches from
check_ccert_access. Files: smtpd/smtpd_check.c,
proto/postconf.proto.
+
+20200407
+
+ Helper script by Viktor Dukhovni to report TLS information
+ per message delivery. This processes output from the
+ collate.pl script. Files: auxiliary/collate/README.tlstype,
+ auxiliary/collate/tlstype.pl.
+
+20200416
+
+ Workaround for broken builds after an incompatible change
+ in GCC 10. Files: makedefs, Makefile.in.
+
+ Workaround for broken DANE support after an incompatible
+ change in GLIBC 2.31. This avoids the need for new options
+ in /etc/resolv.conf. Files: dns/dns.h, dns/dns_lookup.c.
+
+ Misc fixes for gcc 'multiple definition' errors. Files:
+ master/master_vars.c, smtp/smtp.c, proxymap/proxymap.c.
# To test with valgrind:
# make -i tests VALGRIND="valgrind --tool=memcheck --log-file=/some/where.%p"
SHELL = /bin/sh
-WARN = -Wmissing-prototypes -Wformat -Wno-comment
+WARN = -Wmissing-prototypes -Wformat -Wno-comment -fcommon
OPTS = 'WARN=$(WARN)'
DIRS = src/util src/global src/dns src/tls src/xsasl src/master src/milter \
src/postfix src/fsstone src/smtpstone \
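Review bot: `-fcommon` on the new WARN line re-enables tentative-definition merging across translation units, which is exactly the behaviour that let the duplicate `char *var_inet_protocols` / `var_relay_domains` / `var_inet_interfaces` definitions this same commit removes go unnoticed; leaving it in means the next accidentally duplicated global is again silently merged into one object instead of failing the link. Since the commit already removes the duplicates it found, consider building once without the flag to confirm nothing else is still doubly defined, and if the flag must stay for now, mark it as temporary right here: `# -fcommon: GCC 10 defaults to -fno-common; drop once all duplicate tentative definitions are gone`. The same flag is added to the default WARN in makedefs and would want the same comment.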
Wish list:
+ Read http://mmogilvi.users.sourceforge.net/software/oauthbearer.html
+ and see how we can improve on the Postfix side.
+
+ Investigate feasibility of SO_REUSEPORT (~portable) and
+ SO_REUSEPORT_LB (*BSD).
+
nbbio: exercise the sanity checks with fake msg(3) functions.
optreset (bsd-ism) how badly do we need it?
--- /dev/null
+On Mon, Apr 06, 2020 at 08:21:32AM +0100, Dominic Raferd wrote:
+
+> Using setting 'smtp_tls_security_level = may' (postfix 3.3.0) is there
+> a reliable way to see from log which outgoing emails were sent in the
+> clear i.e. *not* using TLS?
+
+Yes, provided you don't lose too many log messages[1], and your logging
+subsystem does not reorder them[1], set:
+
+ smtp_tls_loglevel = 1
+
+and use "collate":
+
+ https://github.com/vdukhovni/postfix/tree/master/postfix/auxiliary/collate
+
+whose output you'd send to the attached Perl script. On my system for
+example:
+
+ # bzcat $(ls -tr /var/log/maillog*) | perl collate.pl | perl tlstype.pl
+
+--
+ Viktor.
+
+[1] If your system is suffering under the yoke of systemd-journald, you
+should strongly consider enabling the built-in logging in recent
+versions of Postfix to bypass systemd's broken logging subsystem.
+
+ - It is single-threaded, performs poorly on multi-cpu servers and
+ may not be able to keep up with all the messages generated on a
+ busy multi-cpu system.
+
+ - By default has low message rate limits, dropping messages
+ that exceed the limits.
+
+ - Listens on stream socket rather than a dgram socket, which
+ breaks message ordering from multi-process systems like
+ Postfix.
--- /dev/null
+#! /usr/bin/env perl
+
+use strict;
+use warnings;
+
+local $/ = "\n\n";
+
+while (<>) {
+ my $qid;
+ my %tls;
+ my $smtp;
+ foreach my $line (split("\n")) {
+ if ($line =~ m{ postfix(?:\S*?)/qmgr\[\d+\]: (\w+): from=<.*>, size=\d+, nrcpt=\d+ [(]queue active[)]$}) {
+ $qid //= $1;
+ next;
+ }
+ if ($line =~ m{ postfix(?:\S*?)/smtp\[(\d+)\]: (\S+) TLS connection established to (\S+): (.*)}) {
+ $tls{$1}->{lc($3)} = [$2, $4];
+ next;
+ }
+ if ($line =~ m{.*? postfix(?:\S*?)/smtp\[(\d+)\]: (\w+): (to=.*), relay=(\S+), (delay=\S+, delays=\S+, dsn=2\.\S+, status=sent .*)}) {
+ next unless $qid eq $2;
+ if (defined($tls{$1}->{lc($4)}) && ($tls{$1}->{lc($4)}->[2] //= $5) eq $5) {
+ printf "qid=%s, relay=%s, %s -> %s %s\n", $qid, lc($4), $3, @{$tls{$1}->{lc($4)}}[0..1];
+ } else {
+ delete $tls{$1};
+ printf "qid=%s, relay=%s, %s -> cleartext\n", $qid, lc($4), $3;
+ }
+ }
+ }
+}
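Review bot: `next unless $qid eq $2;` in the delivery-line branch emits "Use of uninitialized value" under `use warnings` and silently drops the record whenever a collated record has no qmgr `queue active` line ahead of its smtp lines — the lost-message situation the accompanying README itself warns about; `next unless defined($qid) && $qid eq $2;` keeps that noise out of a report whose whole purpose is to be grepped for `cleartext`. `my $smtp;` is declared and never used and can be dropped. Because the delivery regex insists on `dsn=2\.\S+, status=sent`, deferred or bounced attempts never show up at all, so a cleartext session that ended in a 4xx is not flagged; and a second delivery to the same relay by the same smtp(8) pid with a different `delay=...` tail appears to be reported as `cleartext` deliberately, since no new "TLS connection established" line was seen for it. A short header comment stating both of those — successful deliveries only, and how one TLS record is tied to one transaction — would save the next reader from inferring them from the regexes.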
: ${CC=gcc} ${OPT='-O'} ${DEBUG='-g'} ${AWK=awk} \
${WARN='-Wall -Wno-comment -Wformat -Wimplicit -Wmissing-prototypes \
-Wparentheses -Wstrict-prototypes -Wswitch -Wuninitialized \
- -Wunused -Wno-missing-braces'}
+ -Wunused -Wno-missing-braces -fcommon'}
# Extract map type names from -DHAS_XXX compiler options. We avoid
# problems with tr(1) range syntax by using enumerations instead,
*/
#ifdef NO_DNSSEC
#undef RES_USE_DNSSEC
+#undef RES_TRUSTAD
#endif
/*
#endif
#ifndef RES_USE_EDNS0
#define RES_USE_EDNS0 0
+#endif
+#ifndef RES_TRUSTAD
+#define RES_TRUSTAD 0
#endif
/*-
/* Request DNSSEC validation. This flag is silently ignored
/* when the system stub resolver API, resolver(3), does not
/* implement DNSSEC.
+/* Automatically turns on the RES_TRUSTAD flag on systems that
+/* support this flag (this behavior will be more configurable
+/* in a later release).
/* .RE
/* .IP lflags
/* Flags that control the operation of the dns_lookup*()
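Review bot: The new sentence in the RES_USE_DNSSEC description says RES_TRUSTAD is turned on automatically but not what that means for trust: with RES_TRUSTAD the libc stub resolver passes the AD bit from the configured nameservers through unmodified, so DNSSEC-based decisions (DANE) now depend on every nameserver in resolv.conf being a trusted validating resolver, presumably on the loopback interface as the DANE documentation already asks for. Suggest adding after the new text: `/* The AD bit is then accepted as-is from the configured nameservers, so` / `/* those must be trusted validating resolvers (typically on loopback).`, so that an admin reading dns(3) sees the precondition and not only the mechanism.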
/*
* Set extra options that aren't exposed to the application.
*/
-#define XTRA_FLAGS (RES_USE_EDNS0)
+#define XTRA_FLAGS (RES_USE_EDNS0 | RES_TRUSTAD)
if (flags & RES_USE_DNSSEC)
- flags |= RES_USE_EDNS0;
+ flags |= (RES_USE_EDNS0 | RES_TRUSTAD);
/*
* Can't append domains: we need the right SOA TTL.
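Review bot: Neither the XTRA_FLAGS change nor the `flags |= (RES_USE_EDNS0 | RES_TRUSTAD)` line says why RES_TRUSTAD is needed or what it costs, and both will puzzle a reader who does not know about the GLIBC 2.31 change named only in HISTORY. A why-comment on the `if (flags & RES_USE_DNSSEC)` branch would carry it: `/* glibc 2.31+ clears the AD bit unless RES_TRUSTAD is set; DANE needs the` / `/* bit, so we accept it from the configured resolver (must be local/validating). */`. RES_TRUSTAD expands to 0 on libc headers without it (the dns.h fallback in this commit), so the OR is harmless there, but on a libc that honours it the AD bit is now believed from whatever resolv.conf lists; whether XTRA_FLAGS is also OR'd into `_res.options` for non-DNSSEC lookups is decided outside this hunk. The enclosing function starts and ends outside the hunk.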
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20200316"
+#define MAIL_RELEASE_DATE "20200416"
#define MAIL_VERSION_NUMBER "3.6"
#ifdef SNAPSHOT
/*
* Tunable parameters.
*/
-char *var_inet_protocols;
int var_throttle_time;
char *var_master_disable;
char *var_virt_mailbox_maps;
char *var_virt_mailbox_doms;
char *var_relay_rcpt_maps;
-char *var_relay_domains;
char *var_canonical_maps;
char *var_send_canon_maps;
char *var_rcpt_canon_maps;
int var_smtp_data2_tmout;
int var_smtp_rset_tmout;
int var_smtp_quit_tmout;
-char *var_inet_interfaces;
char *var_notify_classes;
int var_smtp_skip_5xx_greeting;
int var_ign_mx_lookup_err;