-TDOMAIN_LIST
-TDSN
-TDSN_BUF
+-TDSN_FILTER
-TDSN_SPLIT
-TDSN_STAT
-TEC_GROUP
-TNAME_CODE
-TNAME_MASK
-TNBBIO
--TNDR_FILTER
-TOPTIONS
-TPCF_DBMS_INFO
-TPCF_EVAL_CTX
master/single_server.c, master/trigger_server.c, pipe/pipe.c,
smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp_params.c,
virtual/virtual.c, mantools/postlink.
+
+20140322
+
+ Cleanup: code comments and identifier names to reflect the
+ evolution from "NDR filter" to "delivery status filter".
+ Files: global/mail_params.h, smtp/smtp.c, global/dsn_filter.c,
+ global/dsn_filter.h, local/local.c, pipe/pipe.c,
+ smtp/lmtp_params.c, smtp/smtp_params.c, virtual/virtual.c,
+ global/bounce.c.
+
+20140406
+
+ Bugfix: when testing session caching, stop reconnecting
+ after encountering a previously-used server (when the session
+ is re-used or not). Viktor Dukhovni. File:
+ posttls-finger/posttls-finger.c.
+
+ Feature: configurable TLS session-ticket cipher (default:
+ tls_sesion_ticket_cipher = aes-128-cbc). Viktor Dukhovni
+ and Wietse. Files: mantools/postlink, smtpd/smtpd.c,
+ proto/postconf.proto, global/mail_params.h, tls/tls_misc.c,
+ tls/tls_scache.h, tls/tls_server.c.
+
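Review bot: the 20140406 Feature entry misspells the new parameter as tls_sesion_ticket_cipher; the rest of the patch (mail_params.h, postconf.proto, smtpd.c) uses tls_session_ticket_cipher, so the HISTORY line should read `tls_sesion_ticket_cipher = aes-128-cbc` with the name corrected to `tls_session_ticket_cipher = aes-128-cbc`, or anyone grepping the history for the parameter will miss it.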
====================================
Delivery status filter support, to replace the delivery status codes
-and explanatory text of successful or unsuccessful deliveries. This
-was originally implemented for sites that want to turn certain soft
-delivery errors into hard delivery errors, but it can also be used
-to censor out information from delivery confirmation reports.
+and explanatory text of successful or unsuccessful deliveries by
+Postfix mail delivery agents.
+
+This was originally implemented for sites that want to turn certain
+soft delivery errors into hard delivery errors, but it can also be
+used to censor out information from delivery confirmation reports.
This feature is implemented as a filter that replaces the three-number
enhanced status code and descriptive text in Postfix delivery agent
(default: empty)</b></DT><DD>
<p> Optional filter to replace the delivery status code or explanatory
-text of successful or unsuccessful deliveries. This does, however,
-not allow the replacement of a successful status code (2.X.X) with
-an unsuccessful status code (4.X.X or 5.X.X) or vice versa. </p>
+text of successful or unsuccessful deliveries. This does not allow
+the replacement of a successful status code (2.X.X) with an
+unsuccessful status code (4.X.X or 5.X.X) or vice versa. </p>
+
+<p> The following parameters can be used to implement a filter for
+specific delivery agents: <a href="postconf.5.html#lmtp_delivery_status_filter">lmtp_delivery_status_filter</a>,
+<a href="postconf.5.html#local_delivery_status_filter">local_delivery_status_filter</a>, <a href="postconf.5.html#pipe_delivery_status_filter">pipe_delivery_status_filter</a>,
+<a href="postconf.5.html#smtp_delivery_status_filter">smtp_delivery_status_filter</a> or <a href="postconf.5.html#virtual_delivery_status_filter">virtual_delivery_status_filter</a>. These
+parameters support the same filter syntax as described here. </p>
<p> Specify zero or more "<a href="DATABASE_README.html">type:table</a>" lookup table names, separated
-by comma or whitespace. With each bounce or defer request, the
-tables are queried in the specified order with one line of text
-that is structured as follows: </p>
+by comma or whitespace. For each successful or unsuccessful delivery
+to a recipient, the tables are queried in the specified order with
+one line of text that is structured as follows: </p>
<blockquote>
enhanced-status-code SPACE explanatory-text
<p> This feature is available in Postfix 2.2 and later. </p>
+</DD>
+
+<DT><b><a name="tls_session_ticket_cipher">tls_session_ticket_cipher</a>
+(default: aes-128-cbc)</b></DT><DD>
+
+<p> Algorithm used to encrypt <a href="http://tools.ietf.org/html/rfc5077">RFC5077</a> TLS session tickets. This
+algorithm must use CBC mode, have a 128-bit initialization vector
+(IV), and must have a key length between 128 and 256 bits. The
+default is aes-128-cbc. Sensible alternatives include aes-192-cbc
+and aes-256-cbc. </p>
+
+<p> Setting this parameter empty disables session ticket support
+in the Postfix SMTP server. Another way to disable session ticket
+support is via the tls_ssl_options parameter. </p>
+
+<p> This feature is available in Postfix 2.12 and later. </p>
+
+
</DD>
<DT><b><a name="tls_ssl_options">tls_ssl_options</a>
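Review bot: the tls_session_ticket_cipher description lists the constraints (CBC mode, 128-bit IV, key length between 128 and 256 bits) but does not say what happens when the configured value violates them; the tls_server.c change in this patch logs a warning and disables session tickets in that case, and one sentence saying so here would tell administrators that a typo in main.cf quietly falls back to non-ticket resumption rather than failing at startup. It would also help to state that the name is resolved with OpenSSL's EVP_get_cipherbyname(), so valid values are OpenSSL cipher names.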
<b><a href="postconf.5.html#tlsmgr_service_name">tlsmgr_service_name</a> (tlsmgr)</b>
The name of the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> service entry in <a href="master.5.html">master.cf</a>.
+ Available in Postfix version 2.12 and later:
+
+ <b><a href="postconf.5.html#tls_session_ticket_cipher">tls_session_ticket_cipher</a> (aes-128-cbc)</b>
+ Algorithm used to encrypt <a href="http://tools.ietf.org/html/rfc5077">RFC5077</a> TLS session tickets.
+
<b>OBSOLETE STARTTLS CONTROLS</b>
The following configuration parameters exist for compatibility with
Postfix versions before 2.3. Support for these will be removed in a
name of the message delivery transport.
.SH default_delivery_status_filter (default: empty)
Optional filter to replace the delivery status code or explanatory
-text of successful or unsuccessful deliveries. This does, however,
-not allow the replacement of a successful status code (2.X.X) with
-an unsuccessful status code (4.X.X or 5.X.X) or vice versa.
+text of successful or unsuccessful deliveries. This does not allow
+the replacement of a successful status code (2.X.X) with an
+unsuccessful status code (4.X.X or 5.X.X) or vice versa.
+.PP
+The following parameters can be used to implement a filter for
+specific delivery agents: lmtp_delivery_status_filter,
+local_delivery_status_filter, pipe_delivery_status_filter,
+smtp_delivery_status_filter or virtual_delivery_status_filter. These
+parameters support the same filter syntax as described here.
.PP
Specify zero or more "type:table" lookup table names, separated
-by comma or whitespace. With each bounce or defer request, the
-tables are queried in the specified order with one line of text
-that is structured as follows:
+by comma or whitespace. For each successful or unsuccessful delivery
+to a recipient, the tables are queried in the specified order with
+one line of text that is structured as follows:
.sp
.in +4
enhanced-status-code SPACE explanatory-text
gives timeout errors.
.PP
This feature is available in Postfix 2.2 and later.
+.SH tls_session_ticket_cipher (default: aes-128-cbc)
+Algorithm used to encrypt RFC5077 TLS session tickets. This
+algorithm must use CBC mode, have a 128-bit initialization vector
+(IV), and must have a key length between 128 and 256 bits. The
+default is aes-128-cbc. Sensible alternatives include aes-192-cbc
+and aes-256-cbc.
+.PP
+Setting this parameter empty disables session ticket support
+in the Postfix SMTP server. Another way to disable session ticket
+support is via the tls_ssl_options parameter.
+.PP
+This feature is available in Postfix 2.12 and later.
.SH tls_ssl_options (default: empty)
List or bit-mask of OpenSSL options to enable.
.PP
Available in Postfix version 2.11 and later:
.IP "\fBtlsmgr_service_name (tlsmgr)\fR"
The name of the \fBtlsmgr\fR(8) service entry in master.cf.
+.PP
+Available in Postfix version 2.12 and later:
+.IP "\fBtls_session_ticket_cipher (aes-128-cbc)\fR"
+Algorithm used to encrypt RFC5077 TLS session tickets.
.SH "OBSOLETE STARTTLS CONTROLS"
.na
.nf
s;\btls_dane_trust_anchor_digest_enable\b;<a href="postconf.5.html#tls_dane_trust_anchor_digest_enable">$&</a>;g;
s;\btls_dane_digests\b;<a href="postconf.5.html#tls_dane_digests">$&</a>;g;
s;\btls_wildcard_matches_multiple_labels\b;<a href="postconf.5.html#tls_wildcard_matches_multiple_labels">$&</a>;g;
+ s;\btls_session_ticket_cipher\b;<a href="postconf.5.html#tls_session_ticket_cipher">$&</a>;g;
s;\bfrozen_delivered_to\b;<a href="postconf.5.html#frozen_delivered_to">$&</a>;g;
s;\breset_owner_alias\b;<a href="postconf.5.html#reset_owner_alias">$&</a>;g;
<p> This feature is available in Postfix 2.11 and later. </p>
+%PARAM tls_session_ticket_cipher aes-128-cbc
+
+<p> Algorithm used to encrypt RFC5077 TLS session tickets. This
+algorithm must use CBC mode, have a 128-bit initialization vector
+(IV), and must have a key length between 128 and 256 bits. The
+default is aes-128-cbc. Sensible alternatives include aes-192-cbc
+and aes-256-cbc. </p>
+
+<p> Setting this parameter empty disables session ticket support
+in the Postfix SMTP server. Another way to disable session ticket
+support is via the tls_ssl_options parameter. </p>
+
+<p> This feature is available in Postfix 2.12 and later. </p>
+
%PARAM default_delivery_status_filter
<p> Optional filter to replace the delivery status code or explanatory
-text of successful or unsuccessful deliveries. This does, however,
-not allow the replacement of a successful status code (2.X.X) with
-an unsuccessful status code (4.X.X or 5.X.X) or vice versa. </p>
+text of successful or unsuccessful deliveries. This does not allow
+the replacement of a successful status code (2.X.X) with an
+unsuccessful status code (4.X.X or 5.X.X) or vice versa. </p>
+
+<p> The following parameters can be used to implement a filter for
+specific delivery agents: lmtp_delivery_status_filter,
+local_delivery_status_filter, pipe_delivery_status_filter,
+smtp_delivery_status_filter or virtual_delivery_status_filter. These
+parameters support the same filter syntax as described here. </p>
<p> Specify zero or more "type:table" lookup table names, separated
-by comma or whitespace. With each bounce or defer request, the
-tables are queried in the specified order with one line of text
-that is structured as follows: </p>
+by comma or whitespace. For each successful or unsuccessful delivery
+to a recipient, the tables are queried in the specified order with
+one line of text that is structured as follows: </p>
<blockquote>
enhanced-status-code SPACE explanatory-text
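Review bot: the reworded paragraph says a successful 2.X.X status may not be replaced by 4.X.X or 5.X.X or vice versa, but it does not say what the filter does with a lookup result that tries to cross that boundary (keep the original DSN and ignore the result, log a warning, both?). One sentence here would settle it, and since the identical paragraph is repeated in the postconf.5 and postconf.5.html hunks of this patch, that text needs the same addition.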
bounce.o: deliver_request.h
bounce.o: dsn.h
bounce.o: dsn_buf.h
+bounce.o: dsn_filter.h
bounce.o: dsn_print.h
bounce.o: dsn_util.h
bounce.o: log_adhoc.h
bounce.o: mail_params.h
bounce.o: mail_proto.h
bounce.o: msg_stats.h
-bounce.o: dsn_filter.h
bounce.o: rcpt_print.h
bounce.o: recipient_list.h
bounce.o: trace.h
defer.o: deliver_request.h
defer.o: dsn.h
defer.o: dsn_buf.h
+defer.o: dsn_filter.h
defer.o: dsn_print.h
defer.o: dsn_util.h
defer.o: flush_clnt.h
defer.o: mail_proto.h
defer.o: mail_queue.h
defer.o: msg_stats.h
-defer.o: dsn_filter.h
defer.o: rcpt_print.h
defer.o: recipient_list.h
defer.o: trace.h
dsn_buf.o: dsn.h
dsn_buf.o: dsn_buf.c
dsn_buf.o: dsn_buf.h
+dsn_filter.o: ../../include/argv.h
+dsn_filter.o: ../../include/dict.h
+dsn_filter.o: ../../include/msg.h
+dsn_filter.o: ../../include/myflock.h
+dsn_filter.o: ../../include/mymalloc.h
+dsn_filter.o: ../../include/sys_defs.h
+dsn_filter.o: ../../include/vbuf.h
+dsn_filter.o: ../../include/vstream.h
+dsn_filter.o: ../../include/vstring.h
+dsn_filter.o: dsn.h
+dsn_filter.o: dsn_filter.c
+dsn_filter.o: dsn_filter.h
+dsn_filter.o: dsn_util.h
+dsn_filter.o: maps.h
dsn_mask.o: ../../include/msg.h
dsn_mask.o: ../../include/name_code.h
dsn_mask.o: ../../include/name_mask.h
namadr_list.o: ../../include/sys_defs.h
namadr_list.o: namadr_list.c
namadr_list.o: namadr_list.h
-dsn_filter.o: ../../include/argv.h
-dsn_filter.o: ../../include/dict.h
-dsn_filter.o: ../../include/msg.h
-dsn_filter.o: ../../include/myflock.h
-dsn_filter.o: ../../include/mymalloc.h
-dsn_filter.o: ../../include/sys_defs.h
-dsn_filter.o: ../../include/vbuf.h
-dsn_filter.o: ../../include/vstream.h
-dsn_filter.o: ../../include/vstring.h
-dsn_filter.o: dsn.h
-dsn_filter.o: dsn_util.h
-dsn_filter.o: maps.h
-dsn_filter.o: dsn_filter.c
-dsn_filter.o: dsn_filter.h
off_cvt.o: ../../include/msg.h
off_cvt.o: ../../include/sys_defs.h
off_cvt.o: ../../include/vbuf.h
sent.o: deliver_request.h
sent.o: dsn.h
sent.o: dsn_buf.h
+sent.o: dsn_filter.h
sent.o: dsn_mask.h
sent.o: dsn_util.h
sent.o: log_adhoc.h
/* MSG_STATS *stats;
/* RECIPIENT *rcpt;
/* const char *relay;
+/*
+/* int bounce_one_intern(flags, queue, id, encoding, sender, envid, ret,
+/* stats, recipient, relay, dsn)
+/* int flags;
+/* const char *queue;
+/* const char *id;
+/* const char *encoding;
+/* const char *sender;
+/* const char *dsn_envid;
+/* int dsn_ret;
+/* MSG_STATS *stats;
+/* RECIPIENT *rcpt;
+/* const char *relay;
+/* DSN *dsn;
/* DESCRIPTION
/* This module implements the client interface to the message
/* bounce service, which maintains a per-message log of status
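Review bot: the new bounce_one_intern() synopsis is internally inconsistent: the argument list names envid, ret and recipient, while the declarations that follow read dsn_envid, dsn_ret and rcpt. Use one set of names in both places; the declarations immediately above this hunk already use rcpt, so dsn_envid, dsn_ret, rcpt in the argument list looks like the intended fix.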
/* NAME
/* dsn_filter 3
/* SUMMARY
-/* filter DSN status or text
+/* filter delivery status code or text
/* SYNOPSIS
/* #include <dsn_filter.h>
/*
/* text) into replacement (success status code and text). Other
/* DSN attributes are passed through without modification.
/*
-/* dsn_filter_create() instantiates a DSN filter.
+/* dsn_filter_create() instantiates a delivery status filter.
/*
/* dsn_filter_lookup() queries the specified filter. The input
/* DSN must be a success, bounce or defer DSN. If a match is
/* overwritten upon each call. This function must not be
/* called with the result from a dsn_filter_lookup() call.
/*
-/* dsn_free() destroys the specified DSN filter.
+/* dsn_free() destroys the specified delivery status filter.
/*
/* Arguments:
/* .IP title
*/
#define STR(x) vstring_str(x)
-/* dsn_filter_create - create bounce/defer NDR filter */
+/* dsn_filter_create - create delivery status filter */
DSN_FILTER *dsn_filter_create(const char *title, const char *map_names)
{
return (fp);
}
-/* dsn_filter_lookup - apply bounce/defer NDR filter */
+/* dsn_filter_lookup - apply delivery status filter */
DSN *dsn_filter_lookup(DSN_FILTER *fp, DSN *dsn)
{
myname, dsn->status);
/*
- * Sanity check. A DSN filter must not be invoked with its own result.
+ * Sanity check. A delivery status filter must not be invoked with its
+ * own result.
*/
if (dsn->reason == fp->dsn.reason)
msg_panic("%s: recursive call is not allowed", myname);
return (0);
}
-/* dsn_filter_free - destroy bounce/defer NDR filter */
+/* dsn_filter_free - destroy delivery status filter */
void dsn_filter_free(DSN_FILTER *fp)
{
/* NAME
/* dsn_filter 3h
/* SUMMARY
-/* bounce/defer DSN filter
+/* delivery status filter
/* SYNOPSIS
/* #include <dsn_filter.h>
/* DESCRIPTION
#define DEF_TLS_SSL_OPTIONS ""
extern char *var_tls_ssl_options;
+#define VAR_TLS_TKT_CIPHER "tls_session_ticket_cipher"
+#define DEF_TLS_TKT_CIPHER "aes-128-cbc"
+extern char *var_tls_tkt_cipher;
+
#define VAR_TLS_BC_PKEY_FPRINT "tls_legacy_public_key_fingerprints"
#define DEF_TLS_BC_PKEY_FPRINT 0
extern bool var_tls_bc_pkey_fprint;
extern bool var_daemon_open_fatal;
/*
- * Optional DSN bounce/defer filter.
+ * Optional delivery status filter.
*/
#define VAR_DSN_FILTER "default_delivery_status_filter"
#define DEF_DSN_FILTER ""
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20140321"
+#define MAIL_RELEASE_DATE "20140406"
#define MAIL_VERSION_NUMBER "2.12"
#ifdef SNAPSHOT
int local_deliver_hdr_mask;
int local_mbox_lock_mask;
MAPS *alias_maps;
-char *var_local_ndr_filter;
+char *var_local_dsn_filter;
/* local_deliver - deliver message with extreme prejudice */
VAR_DELIVER_HDR, DEF_DELIVER_HDR, &var_deliver_hdr, 0, 0,
VAR_MAILBOX_LOCK, DEF_MAILBOX_LOCK, &var_mailbox_lock, 1, 0,
VAR_MAILBOX_CMD_MAPS, DEF_MAILBOX_CMD_MAPS, &var_mailbox_cmd_maps, 0, 0,
- VAR_LOCAL_DSN_FILTER, DEF_LOCAL_DSN_FILTER, &var_local_ndr_filter, 0, 0,
+ VAR_LOCAL_DSN_FILTER, DEF_LOCAL_DSN_FILTER, &var_local_dsn_filter, 0, 0,
0,
};
static const CONFIG_BOOL_TABLE bool_table[] = {
MAIL_SERVER_PRE_ACCEPT, pre_accept,
MAIL_SERVER_PRIVILEGED,
MAIL_SERVER_BOUNCE_INIT, VAR_LOCAL_DSN_FILTER,
- &var_local_ndr_filter,
+ &var_local_dsn_filter,
0);
}
/*
* Other main.cf parameters.
*/
-char *var_pipe_ndr_filter;
+char *var_pipe_dsn_filter;
/*
* For convenience. Instead of passing around lists of parameters, bundle
0,
};
static const CONFIG_STR_TABLE str_table[] = {
- VAR_PIPE_DSN_FILTER, DEF_PIPE_DSN_FILTER, &var_pipe_ndr_filter, 0, 0,
+ VAR_PIPE_DSN_FILTER, DEF_PIPE_DSN_FILTER, &var_pipe_dsn_filter, 0, 0,
0,
};
MAIL_SERVER_PRE_ACCEPT, pre_accept,
MAIL_SERVER_PRIVILEGED,
MAIL_SERVER_BOUNCE_INIT, VAR_PIPE_DSN_FILTER,
- &var_pipe_ndr_filter,
+ &var_pipe_dsn_filter,
0);
}
if (cache_enabled && cache_count == 0) {
msg_info("Server declined session caching. Done reconnecting.");
state->reconnect = 0;
- } else if (cache_hits > 0 && (state->log_mask & TLS_LOG_SESSTKT) != 0) {
+ } else if (cache_hits > 0 && (state->log_mask & TLS_LOG_CACHE) != 0) {
msg_info("Found a previously used server. Done reconnecting.");
state->reconnect = 0;
} else if (state->max_reconnect-- <= 0) {
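Review bot: the "Found a previously used server" branch now keys off TLS_LOG_CACHE instead of TLS_LOG_SESSTKT, but the decision to stop reconnecting is still gated on a logging flag. If cache_hits is only counted when that log category is enabled this deserves a comment saying so; if not, the tool keeps reconnecting after a hit whenever session-cache logging is off, which contradicts the HISTORY entry ("stop reconnecting after encountering a previously-used server"). Suggest `} else if (cache_hits > 0) {` for the control flow and keeping the log_mask test only around the msg_info().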
VAR_LMTP_RESP_FILTER, DEF_LMTP_RESP_FILTER, &var_smtp_resp_filter, 0, 0,
VAR_LMTP_ADDR_PREF, DEF_LMTP_ADDR_PREF, &var_smtp_addr_pref, 1, 0,
VAR_LMTP_DNS_RES_OPT, DEF_LMTP_DNS_RES_OPT, &var_smtp_dns_res_opt, 0, 0,
- VAR_LMTP_DSN_FILTER, DEF_LMTP_DSN_FILTER, &var_smtp_ndr_filter, 0, 0,
+ VAR_LMTP_DSN_FILTER, DEF_LMTP_DSN_FILTER, &var_smtp_dsn_filter, 0, 0,
0,
};
static const CONFIG_TIME_TABLE lmtp_time_table[] = {
/* LMTP DESTINATION SYNTAX
/* .ad
/* .fi
-/* LMTP destinations have the following form:
+/* LMTP destinations have the following form:
/* .IP \fBunix\fR:\fIpathname\fR
-/* Connect to the local UNIX-domain server that is bound to the specified
-/* \fIpathname\fR. If the process runs chrooted, an absolute pathname
-/* is interpreted relative to the Postfix queue directory.
+/* Connect to the local UNIX-domain server that is bound to the specified
+/* \fIpathname\fR. If the process runs chrooted, an absolute pathname
+/* is interpreted relative to the Postfix queue directory.
/* .IP \fBinet\fR:\fIhostname\fR
/* .IP \fBinet\fR:\fIhostname\fR:\fIport\fR
/* .IP \fBinet\fR:[\fIaddress\fR]
/* .IP \fBinet\fR:[\fIaddress\fR]:\fIport\fR
-/* Connect to the specified TCP port on the specified local or
-/* remote host. If no port is specified, connect to the port defined as
-/* \fBlmtp\fR in \fBservices\fR(4).
-/* If no such service is found, the \fBlmtp_tcp_port\fR configuration
-/* parameter (default value of 24) will be used.
+/* Connect to the specified TCP port on the specified local or
+/* remote host. If no port is specified, connect to the port defined as
+/* \fBlmtp\fR in \fBservices\fR(4).
+/* If no such service is found, the \fBlmtp_tcp_port\fR configuration
+/* parameter (default value of 24) will be used.
/* An IPv6 address must be formatted as [\fBipv6\fR:\fIaddress\fR].
/* .PP
/* SECURITY
/* default setting "no", send no SASL authoriZation ID (authzid); send
/* only the SASL authentiCation ID (authcid) plus the authcid's password.
/* .PP
-/* Available in Postfix version 2.5 and later:
+/* Available in Postfix version 2.5 and later:
/* .IP "\fBsmtp_header_checks (empty)\fR"
/* Restricted \fBheader_checks\fR(5) tables for the Postfix SMTP client.
/* .IP "\fBsmtp_mime_header_checks (empty)\fR"
char *var_smtp_dns_support;
bool var_smtp_rec_deadline;
bool var_smtp_dummy_mail_auth;
-char *var_smtp_ndr_filter;
+char *var_smtp_dsn_filter;
/* Special handling of 535 AUTH errors. */
char *var_smtp_sasl_auth_cache_name;
MAIL_SERVER_POST_INIT, post_init,
MAIL_SERVER_PRE_ACCEPT, pre_accept,
MAIL_SERVER_BOUNCE_INIT, VAR_SMTP_DSN_FILTER,
- &var_smtp_ndr_filter,
+ &var_smtp_dsn_filter,
0);
}
VAR_SMTP_RESP_FILTER, DEF_SMTP_RESP_FILTER, &var_smtp_resp_filter, 0, 0,
VAR_SMTP_ADDR_PREF, DEF_SMTP_ADDR_PREF, &var_smtp_addr_pref, 1, 0,
VAR_SMTP_DNS_RES_OPT, DEF_SMTP_DNS_RES_OPT, &var_smtp_dns_res_opt, 0, 0,
- VAR_SMTP_DSN_FILTER, DEF_SMTP_DSN_FILTER, &var_smtp_ndr_filter, 0, 0,
+ VAR_SMTP_DSN_FILTER, DEF_SMTP_DSN_FILTER, &var_smtp_dsn_filter, 0, 0,
0,
};
static const CONFIG_TIME_TABLE smtp_time_table[] = {
/* Available in Postfix version 2.11 and later:
/* .IP "\fBtlsmgr_service_name (tlsmgr)\fR"
/* The name of the \fBtlsmgr\fR(8) service entry in master.cf.
+/* .PP
+/* Available in Postfix version 2.12 and later:
+/* .IP "\fBtls_session_ticket_cipher (aes-128-cbc)\fR"
+/* Algorithm used to encrypt RFC5077 TLS session tickets.
/* OBSOLETE STARTTLS CONTROLS
/* .ad
/* .fi
/* bool var_tls_bc_pkey_fprint;
/* bool var_tls_multi_wildcard;
/* char *var_tls_mgr_service;
+/* char *var_tls_tkt_cipher;
/*
/* TLS_APPL_STATE *tls_alloc_app_context(ssl_ctx, log_mask)
/* SSL_CTX *ssl_ctx;
bool var_tls_dane_taa_dgst;
bool var_tls_multi_wildcard;
char *var_tls_mgr_service;
+char *var_tls_tkt_cipher;
#ifdef VAR_TLS_PREEMPT_CLIST
bool var_tls_preempt_clist;
VAR_TLS_DANE_AGILITY, DEF_TLS_DANE_AGILITY, &var_tls_dane_agility, 1, 0,
VAR_TLS_DANE_DIGESTS, DEF_TLS_DANE_DIGESTS, &var_tls_dane_digests, 1, 0,
VAR_TLS_MGR_SERVICE, DEF_TLS_MGR_SERVICE, &var_tls_mgr_service, 1, 0,
+ VAR_TLS_TKT_CIPHER, DEF_TLS_TKT_CIPHER, &var_tls_tkt_cipher, 0, 0,
0,
};
static const CONFIG_INT_TABLE int_table[] = {
#define TLS_TICKET_NAMELEN 16 /* RFC 5077 ticket key name length */
#define TLS_TICKET_IVLEN 16 /* RFC 5077 ticket IV length */
-#define TLS_TICKET_KEYLEN 16 /* AES-128-CBC key size */
-#define TLS_TICKET_MACLEN 16 /* SHA-256 collision strength */
+#define TLS_TICKET_KEYLEN 32 /* AES-256-CBC key size */
+#define TLS_TICKET_MACLEN 32 /* RFC 5077 HMAC key size */
#define TLS_SESSION_LIFEMIN 120 /* May you live to 120! */
typedef struct TLS_TICKET_KEY {
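Review bot: raising TLS_TICKET_KEYLEN and TLS_TICKET_MACLEN from 16 to 32 changes the size of TLS_TICKET_KEY, which ticket_cb() obtains from tls_mgr_key(), i.e. from the tlsmgr(8) process; the tlsmgr side is not in this patch, so confirm it is built from the same header and generates 32-byte key and HMAC material, otherwise an older tlsmgr paired with a rebuilt smtpd hands back short keys. Also worth a comment: with the default aes-128-cbc only the first 16 of the 32 key->bits bytes are consumed by EVP_EncryptInit_ex(), which is harmless but will puzzle a reader who sees a 256-bit buffer feeding a 128-bit cipher.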
EVP_CIPHER_CTX * ctx, HMAC_CTX * hctx, int create)
{
static const EVP_MD *sha256;
- static const EVP_CIPHER *aes128;
+ static const EVP_CIPHER *ciph;
TLS_TICKET_KEY *key;
TLS_SESS_STATE *TLScontext = SSL_get_ex_data(con, TLScontext_index);
int timeout = ((int) SSL_CTX_get_timeout(SSL_get_SSL_CTX(con))) / 2;
if ((!sha256 && (sha256 = EVP_sha256()) == 0)
- || (!aes128 && (aes128 = EVP_aes_128_cbc()) == 0)
+ || (!ciph && (ciph = EVP_get_cipherbyname(var_tls_tkt_cipher)) == 0)
|| (key = tls_mgr_key(create ? 0 : name, timeout)) == 0
|| (create && RAND_bytes(iv, TLS_TICKET_IVLEN) <= 0))
return (create ? TLS_TKT_NOKEYS : TLS_TKT_STALE);
HMAC_Init_ex(hctx, key->hmac, TLS_TICKET_MACLEN, sha256, NOENGINE);
if (create) {
- EVP_EncryptInit_ex(ctx, aes128, NOENGINE, key->bits, iv);
+ EVP_EncryptInit_ex(ctx, ciph, NOENGINE, key->bits, iv);
memcpy((char *) name, (char *) key->name, TLS_TICKET_NAMELEN);
if (TLScontext->log_mask & TLS_LOG_CACHE)
msg_info("%s: Issuing session ticket, key expiration: %ld",
TLScontext->namaddr, (long) key->tout);
} else {
- EVP_DecryptInit_ex(ctx, aes128, NOENGINE, key->bits, iv);
+ EVP_DecryptInit_ex(ctx, ciph, NOENGINE, key->bits, iv);
if (TLScontext->log_mask & TLS_LOG_CACHE)
msg_info("%s: Decrypting session ticket, key expiration: %ld",
TLScontext->namaddr, (long) key->tout);
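Review bot: in ticket_cb() a failed EVP_get_cipherbyname(var_tls_tkt_cipher) is folded into the same return as missing keys (TLS_TKT_NOKEYS on create, TLS_TKT_STALE otherwise) with no log line, so a cipher that passed validation in tls_server_init() but cannot be resolved here would look exactly like a key-rotation problem. Since this branch should be unreachable after init-time validation, a msg_panic() or at least a msg_warn() naming VAR_TLS_TKT_CIPHER would make the unexpected case visible; the static `ciph` cache should also carry a comment that it relies on var_tls_tkt_cipher not changing for the lifetime of the process.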
*/
#ifdef SSL_OP_NO_TICKET
#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER >= 0x0090808fL
- ticketable = (scache_timeout > 0 && !(off & SSL_OP_NO_TICKET));
+ ticketable = (*var_tls_tkt_cipher && scache_timeout > 0
+ && !(off & SSL_OP_NO_TICKET));
+ if (ticketable) {
+ const EVP_CIPHER *ciph;
+
+ if ((ciph = EVP_get_cipherbyname(var_tls_tkt_cipher)) == 0
+ || EVP_CIPHER_mode(ciph) != EVP_CIPH_CBC_MODE
+ || EVP_CIPHER_iv_length(ciph) != TLS_TICKET_IVLEN
+ || EVP_CIPHER_key_length(ciph) < TLS_TICKET_IVLEN
+ || EVP_CIPHER_key_length(ciph) > TLS_TICKET_KEYLEN) {
+ msg_warn("%s: invalid value: %s; session tickets disabled",
+ VAR_TLS_TKT_CIPHER, var_tls_tkt_cipher);
+ ticketable = 0;
+ }
+ }
if (ticketable)
SSL_CTX_set_tlsext_ticket_key_cb(server_ctx, ticket_cb);
#endif
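Review bot: the lower bound in the new validation block reuses TLS_TICKET_IVLEN as the minimum key length (`|| EVP_CIPHER_key_length(ciph) < TLS_TICKET_IVLEN`). The value is right today (16 bytes matches the documented 128-bit minimum) but it is the IV constant, so a future change to the IV length would silently move the key floor; suggest a dedicated constant such as TLS_TICKET_KEYMIN, or at least a comment stating that 128-bit keys are the intended minimum. Note also that the checks admit any CBC cipher with a 16-byte IV and a 16 to 32 byte key, not only AES; that matches the documentation's wording, so if AES-only is the intent the documentation and the warning text should say so.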
long var_virt_mailbox_limit;
char *var_mail_spool_dir; /* XXX dependency fix */
bool var_strict_mbox_owner;
-char *var_virt_ndr_filter;
+char *var_virt_dsn_filter;
/*
* Mappings.
VAR_VIRT_GID_MAPS, DEF_VIRT_GID_MAPS, &var_virt_gid_maps, 0, 0,
VAR_VIRT_MAILBOX_BASE, DEF_VIRT_MAILBOX_BASE, &var_virt_mailbox_base, 1, 0,
VAR_VIRT_MAILBOX_LOCK, DEF_VIRT_MAILBOX_LOCK, &var_virt_mailbox_lock, 1, 0,
- VAR_VIRT_DSN_FILTER, DEF_VIRT_DSN_FILTER, &var_virt_ndr_filter, 0, 0,
+ VAR_VIRT_DSN_FILTER, DEF_VIRT_DSN_FILTER, &var_virt_dsn_filter, 0, 0,
0,
};
static const CONFIG_BOOL_TABLE bool_table[] = {
MAIL_SERVER_PRE_ACCEPT, pre_accept,
MAIL_SERVER_PRIVILEGED,
MAIL_SERVER_BOUNCE_INIT, VAR_VIRT_DSN_FILTER,
- &var_virt_ndr_filter,
+ &var_virt_dsn_filter,
0);
}