a configuration requests access control by client certificate,
but "smtpd_tls_ask_clientcert = no". Files: proto/postconf.proto,
smtpd/smtpd_check.c.
+
+20200315
+
+ Bugfix (introduced: 20190517 development release): in
+ check_ccert_access, the issuer_cn and subject_cn matches
+ now require that the client certificate is signed by a CA
+ that the Postfix SMTP server trusts. Files: smtpd/smtpd_check.c,
+ proto/postconf.proto.
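Review bot: the entry states the new precondition ("now require that the client certificate is signed by a CA that the Postfix SMTP server trusts") but not the consequence, so a reader cannot tell whether an untrusted certificate causes the lookup to be skipped or the client to be rejected; the smtpd_check.c hunk further down returns SMTPD_CHECK_DUNNO, so adding "otherwise the subject_cn and issuer_cn lookups are skipped" would make the operator-visible behaviour explicit. Minor: the file list order (smtpd/smtpd_check.c, proto/postconf.proto) is reversed relative to the preceding entry; either is fine, but consistent ordering makes HISTORY easier to grep.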
Major changes - multiple relayhost in SMTP
------------------------------------------
-[Feature 20200111] SMTP (and LMTP) client support for a list of
-nexthop destinations separated by comma or whitespace. These will
-destinations be tried in the specified order.
+[Feature 20200111] the Postfix SMTP and LMTP client support a list
+of nexthop destinations separated by comma or whitespace. These
+destinations will be tried in the specified order.
The list form can be specified in relayhost, transport_maps,
default_transport, and sender_dependent_default_transport_maps.
...
The check_ccert_access search order also supports the subject_cn and
-issuer_cn properties. Support is planned for rfc822name and
-smtputf8mailbox.
+issuer_cn client certificate properties, when the client certificate
+is signed by a CA that the Postfix SMTP server trusts. Support is
+planned for rfc822name and smtputf8mailbox.
Major changes - dovecot usability
---------------------------------
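Review bot: "when the client certificate is signed by a CA that the Postfix SMTP server trusts" describes the condition under which the subject_cn and issuer_cn properties work, but administrators upgrading from the 20190517 behaviour need to know what happens when it fails; state that for an untrusted certificate those two lookups are skipped (no match and no rejection), so that this is not read as an implicit reject. Naming the server-side CA trust settings that define "trusts" would also make the sentence actionable rather than descriptive.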
not be returned to the sender until it is released with -f or -H.
In the mailq(1) or postqueue(1) -p output, a forced-to-expire message
-is indicated with # after the queue name. In postqueue(1) JSON
+is indicated with # after the queue file name. In postqueue(1) JSON
output, there is a new per-message field "forced_expire" (with value
true or false) that shows the forced-to-expire status.
<dd> The commas are optional. Other valid search_order elements are
"subject_cn" (the certificate subject CN) and "issuer_cn" (the
-certificate issuer CN). </dd>
+certificate issuer CN). These require that the client certificate
+is signed by a CA that the Postfix SMTP server trusts. </dd>
<dt><b><a name="check_client_access">check_client_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
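Review bot: the added sentence "These require that the client certificate is signed by a CA that the Postfix SMTP server trusts" reads as a configuration prerequisite rather than a runtime rule; phrasing it as what the server does when the condition is not met, e.g. "For a client certificate that is not signed by a trusted CA, the subject_cn and issuer_cn lookups are skipped", tells the reader the outcome. Since the fingerprint elements described before this paragraph do not depend on CA trust, it is also worth saying so explicitly here, otherwise the paragraph can be read as making the whole search_order conditional on a trusted certificate.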
.br
The commas are optional. Other valid search_order elements are
"subject_cn" (the certificate subject CN) and "issuer_cn" (the
-certificate issuer CN).
+certificate issuer CN). These require that the client certificate
+is signed by a CA that the Postfix SMTP server trusts.
.br
.IP "\fBcheck_client_access \fItype:table\fR\fR"
Search the specified access database for the client hostname,
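Review bot: this nroff copy of the postconf(5) text is generated from proto/postconf.proto (the HISTORY entry lists only the proto file), so the wording here must be produced by regenerating the man page rather than hand-edited, or the next documentation build will overwrite it; the text does match the proto hunk word for word, which is the thing to verify. The ".br" before the new sentence is unchanged, so the paragraph break is preserved.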
<dd> The commas are optional. Other valid search_order elements are
"subject_cn" (the certificate subject CN) and "issuer_cn" (the
-certificate issuer CN). </dd>
+certificate issuer CN). These require that the client certificate
+is signed by a CA that the Postfix SMTP server trusts. </dd>
<dt><b><a name="check_client_access">check_client_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
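Review bot: in "These require that the client certificate is signed by a CA ..." the antecedent of "These" is ambiguous: the immediately preceding nouns are the two search_order element names, but the sentence before that is about the commas, so a hurried reader can attach "These" to the wrong subject. Spelling it out as "The subject_cn and issuer_cn lookups require ..." removes the ambiguity, and the same fix should then be carried into the generated HTML and man page copies of this paragraph.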
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20200312"
+#define MAIL_RELEASE_DATE "20200315"
#define MAIL_VERSION_NUMBER "3.6"
#ifdef SNAPSHOT
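Review bot: MAIL_RELEASE_DATE moves from 20200312 to 20200315, which matches the new HISTORY heading above; since a snapshot is identified only by this date (MAIL_VERSION_NUMBER stays "3.6"), the two must be bumped together, and they are. Nothing else to flag in this hunk.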
const char *action;
const char *match_this;
const char *known_action;
+ int need_trusted_cert;
for (action = search_order; *action; action++) {
+ need_trusted_cert = 1;
switch (*action) {
case SMTPD_ACL_SEARCH_CODE_CERT_FPRINT:
match_this = state->tls_context->peer_cert_fprint;
+ need_trusted_cert = 0;
break;
case SMTPD_ACL_SEARCH_CODE_PKEY_FPRINT:
match_this = state->tls_context->peer_pkey_fprint;
+ need_trusted_cert = 0;
break;
case SMTPD_ACL_SEARCH_CODE_CERT_ISSUER_CN:
match_this = state->tls_context->issuer_CN;
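Review bot: need_trusted_cert is reset to 1 at the top of every loop iteration and cleared only in the two fingerprint cases, so any search code added later (the release notes mention rfc822name and smtputf8mailbox as planned) is fail-closed by default, which is the right default. The reason fingerprints are exempt is not obvious from the code, though: a certificate or public-key fingerprint pins the exact credential presented, so the CA chain adds no assurance, whereas a CN is only meaningful if a trusted issuer vouched for it. A one-line comment at the `int need_trusted_cert;` declaration stating that would save the next maintainer from "fixing" the exemption.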
451, "4.3.5",
"Server configuration error"));
}
+ if (need_trusted_cert && !TLS_CERT_IS_TRUSTED(state->tls_context)) {
+ if (msg_verbose)
+ msg_info("%s: skipping %s %s: untrusted client certificate",
+ myname, str_name_code(search_actions, *action),
+ match_this);
+ return SMTPD_CHECK_DUNNO;
+ }
if (msg_verbose)
msg_info("%s: look up %s %s",
myname, str_name_code(search_actions, *action),
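Review bot: the message says "skipping %s %s" but the code executes `return SMTPD_CHECK_DUNNO;`, which abandons the rest of search_order instead of skipping only the current element. With an untrusted client certificate and a search_order that lists subject_cn before a fingerprint element, the fingerprint lookup (which per the previous hunk does not need a trusted certificate) is never reached, so a fingerprint-based allow or deny rule silently stops applying. If the intent is to skip, replace the `return` with `continue` (or put the lookup in an `else` branch of this `if`); if the intent really is to stop, change the message to say so. Separately, the skip is logged only under msg_verbose, so an operator whose subject_cn rules stop matching after this fix gets no hint at the default log level; a one-time msg_warn, or at least a sentence in the release notes, would help them diagnose it.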
bool var_smtpd_peername_lookup;
bool var_smtpd_client_port_log;
char *var_smtpd_dns_re_filter;
+bool var_smtpd_tls_ask_ccert;
#define int_table test_int_table
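Review bot: the `bool var_smtpd_tls_ask_ccert;` declaration belongs to the standalone test build of smtpd_check.c (the `#define int_table test_int_table` context marks this section), and is needed because the earlier fix referenced in the HISTORY context at the top made smtpd_check.c consult the smtpd_tls_ask_clientcert setting. The variable name (ask_ccert) does not mirror the parameter name (ask_clientcert), so confirm it is spelled exactly as the extern used by the non-test code in this file; a mismatch would only show up as a link error in the test build, which is easy to miss if the test program is not routinely compiled.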
VAR_PLAINTEXT_CODE, DEF_PLAINTEXT_CODE, &var_plaintext_code,
VAR_SMTPD_PEERNAME_LOOKUP, DEF_SMTPD_PEERNAME_LOOKUP, &var_smtpd_peername_lookup,
VAR_SMTPD_CLIENT_PORT_LOG, DEF_SMTPD_CLIENT_PORT_LOG, &var_smtpd_client_port_log,
+ VAR_SMTPD_TLS_ACERT, DEF_SMTPD_TLS_ACERT, &var_smtpd_tls_ask_ccert,
0,
};
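Review bot: the new `VAR_SMTPD_TLS_ACERT, DEF_SMTPD_TLS_ACERT, &var_smtpd_tls_ask_ccert,` row is what makes the test program actually read the parameter from its configuration; without it the global declared in the previous hunk would stay at its zero-initialised default and the "smtpd_tls_ask_clientcert = no" warning path from the earlier fix would always be taken during testing regardless of the test main.cf. The row follows the existing three-column layout and the terminating `0,` sentinel is intact, so the table stays well-formed.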