sent a TLSv1.3 HelloRetryRequest (HRR) to a remote SMTP
client. Reported by Ján Máté, fixed by Viktor Dukhovni.
File: tls/tls_misc.c.
+
+20200617
+
+ Bugfix (introduced: Postfix 3.4): the connection_reuse
+ attribute in smtp_tls_policy_maps resulted in an "invalid
+ attribute name" error. Fix by Thorsten Habich. File:
+ smtp/smtp_tls_policy.c.
+
+20200618
+
+ Documentation: documented that smtp_line_length_limit=0
+ disables the feature, and made this more explicit in the
+ code by using the ENFORCING_SIZE_LIMIT macro. Files:
+ proto/postconf.proto, smtp/smtp_proto.c.
+
+20200619
+
+ Bugfix (introduced: Postfix 3.4): SMTP over TLS connection
+ reuse was broken for configurations that use explicit trust
+ anchors. Reported by Thorsten Habich. Cause: the tlsproxy
+ client was sending a zero certificate length. File:
+ tls/tls_proxy_client_print.c.
+
+ Bugfix: posttls-finger reported a conflict betwen -X and
+ -r when only -X was used. File: posttls-finger/posttls-finger.c.
+
+20200620
+
+ Bugfix (introduced: Postfix 3.4): SMTP over TLS connection
+ reuse was broken for configurations that use explicit trust
+ anchors. Reported by Thorsten Habich. Fixed by calling DANE
+ initialization unconditionally (WTF). File: tlsproxy/tlsproxy.c.
Wish list:
+ Move the tls_dane_avail() and DANE-requested test into
+ tls_client_start().
+
DNS wrapper class, like XSASL, to support different stub
resolvers without contaminating Postfix programs with the
idiosyncracies of stub resolvers. Handle differences in
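Review bot: the posttls-finger entry under 20200619 misspells "between" as "betwen". The 20200620 entry also repeats the 20200619 entry word for word ("SMTP over TLS connection reuse was broken for configurations that use explicit trust anchors. Reported by Thorsten Habich.") even though it records a second, different root cause in a different file (skipped DANE initialization in tlsproxy/tlsproxy.c versus the zero certificate length in tls/tls_proxy_client_print.c); saying so explicitly, for example "Bugfix: second cause of the 20200619 connection reuse problem: ...", keeps the two from reading as a duplicate, and "(WTF)" is better left out of the release history.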
will send via SMTP. This limit does not include the <CR><LF>
at the end of each line. Longer lines are broken by inserting
"<CR><LF><SPACE>", to minimize the damage to MIME
-formatted mail.
+formatted mail. Specify zero to disable this limit.
</p>
<p>
will send via SMTP. This limit does not include the <CR><LF>
at the end of each line. Longer lines are broken by inserting
"<CR><LF><SPACE>", to minimize the damage to MIME
-formatted mail.
+formatted mail. Specify zero to disable this limit.
.PP
The Postfix limit of 998 characters not including <CR><LF>
is consistent with the SMTP limit of 1000 characters including
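Review bot: the added sentence says zero disables the limit but not what that costs; the paragraph right after it explains that the 998-character default exists so that lines fit the SMTP limit of 1000 characters including <CR><LF>, so with the limit disabled Postfix can emit lines that a receiving server is not required to accept. A short qualifier such as "Specify zero to disable this limit (longer lines may not be accepted by every receiver)" would make the trade-off visible, and the same wording should go into the proto/postconf.proto and HTML copies so the three stay in sync.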
will send via SMTP. This limit does not include the <CR><LF>
at the end of each line. Longer lines are broken by inserting
"<CR><LF><SPACE>", to minimize the damage to MIME
-formatted mail.
+formatted mail. Specify zero to disable this limit.
</p>
<p>
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20200610"
+#define MAIL_RELEASE_DATE "20200620"
#define MAIL_VERSION_NUMBER "3.6"
#ifdef SNAPSHOT
msg_fatal("bad '-a' option value: %s", state->options.addr_pref);
#ifdef USE_TLS
- if (state->tlsproxy_mode && state->reconnect)
+ if (state->tlsproxy_mode && state->reconnect >= 0)
msg_fatal("The -X and -r options are mutually exclusive");
#endif
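Review bot: the corrected test `state->reconnect >= 0` is only right if `state->reconnect` starts out negative when -r is not given, and that initialization is not in this hunk; a one-line comment at the check, or a named constant for the "not set" value, would record the assumption. The removed line shows how easily a plain truthiness test on a negative sentinel misfires, which is exactly the -X/-r false conflict the HISTORY entry describes.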
if (state->space_left == var_smtp_line_limit
&& data_left > 0 && *data_start == '.')
smtp_fputc('.', session->stream);
- if (var_smtp_line_limit > 0 && data_left >= state->space_left) {
+ if (ENFORCING_SIZE_LIMIT(var_smtp_line_limit)
+ && data_left >= state->space_left) {
smtp_fputs(data_start, state->space_left, session->stream);
data_start += state->space_left;
data_left -= state->space_left;
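Review bot: the dot-stuffing check just above the hunk still compares `state->space_left == var_smtp_line_limit` directly, while the hunk below it now goes through ENFORCING_SIZE_LIMIT(); with the limit set to zero the first test relies on space_left also being zero at the start of every line, which is not visible here. A comment tying the two conditions together, or using the macro in both places, would make the agreement explicit, and it is worth confirming that ENFORCING_SIZE_LIMIT() keeps the old `> 0` semantics so that negative values are still treated as "disabled" rather than as a tiny limit.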
WHERE, name, val);
INVALID_RETURN(tls->why, site_level);
}
+ continue;
}
msg_warn("%s: invalid attribute name: \"%s\"", WHERE, name);
INVALID_RETURN(tls->why, site_level);
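Review bot: the added `continue` stops a recognized connection_reuse attribute from falling through to the "invalid attribute name" warning, which was the whole bug; since every recognized attribute must end its branch the same way, the loop body would be safer as an if / else-if chain with the warning in the final else, so that a future attribute cannot again be accepted and then rejected.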
i2d_X509(tp->cert, &bp);
if ((char *) bp - STR(buf) != len)
msg_panic("i2d_X509 failed to encode certificate");
+ vstring_set_payload_size(buf, len);
ret = print_fn(fp, flags | ATTR_FLAG_MORE,
SEND_ATTR_DATA(TLS_ATTR_CERT, LEN(buf), STR(buf)),
ATTR_TYPE_END);
i2d_PUBKEY(tp->pkey, &bp);
if ((char *) bp - STR(buf) != len)
msg_panic("i2d_PUBKEY failed to encode public key");
+ vstring_set_payload_size(buf, len);
ret = print_fn(fp, flags | ATTR_FLAG_MORE,
SEND_ATTR_DATA(TLS_ATTR_PKEY, LEN(buf), STR(buf)),
ATTR_TYPE_END);
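Review bot: both hunks repair the same omission: i2d_X509() and i2d_PUBKEY() write the DER bytes through `bp` behind the VSTRING's back, so LEN(buf) stayed at zero and the attribute was sent with an empty payload, the zero certificate length named in the 20200619 HISTORY entry. Since the allocate / encode / length-check / `vstring_set_payload_size(buf, len)` sequence is identical for the certificate and the public key, factoring it into one small helper would keep a third DER object from repeating the mistake.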
state->client_start_props->ctx = state->appl_state;
state->client_start_props->fd = state->ciphertext_fd;
/* These predicates and warning belong inside tls_client_start(). */
- if (!TLS_DANE_BASED(state->client_start_props->tls_level)
- || tls_dane_avail())
- state->tls_context = tls_client_start(state->client_start_props);
- else
+ if (!tls_dane_avail() /* mandatory side effects!! */
+ &&TLS_DANE_BASED(state->client_start_props->tls_level))
msg_warn("%s: DANE requested, but not available",
state->client_start_props->namaddr);
+ else
+ state->tls_context = tls_client_start(state->client_start_props);
if (state->tls_context != 0)
return (TLSP_STAT_OK);
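Review bot: the reordered condition makes correctness depend on `tls_dane_avail()` running for its side effects, which the `/* mandatory side effects!! */` comment admits but does not explain; a function named as a predicate being the only DANE initialization path is what the removed code tripped over, since it skipped the call whenever the policy level was not DANE-based and, per the 20200620 HISTORY entry, left connection reuse broken for explicit trust anchor configurations. Calling an explicit initialization function here, or having tls_client_start() do it as the wish-list entry and the comment above the hunk both propose, would remove the trap; also add a space after `&&` on the second condition line to match the surrounding style.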