multi-Milter configuration during MAIL FROM. Milter client
state was not properly reset after one of the Milters failed.
Reported by WeiYu Wu.
+
+20200312
+
+ Usability: the Postfix SMTP server now logs a warning when
+ a configuration requests access control by client certificate,
+ but "smtpd_tls_ask_clientcert = no". Files: proto/postconf.proto,
+ smtpd/smtpd_check.c.
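Review bot: the parameter named in this HISTORY entry, "smtpd_tls_ask_clientcert = no", does not match the name used in the rest of the patch; every documentation hunk writes smtpd_tls_ask_ccert and the smtpd_check.c hunks print VAR_SMTPD_TLS_ACERT. Change the entry to `but "smtpd_tls_ask_ccert = no"` so that a grep of HISTORY for the real parameter finds it. The Files: line (proto/postconf.proto, smtpd/smtpd_check.c) is consistent with the postconf.5 and postconf.5.html hunks being regenerated output rather than hand edits, which is how the three copies of the new sentence stay identical.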
remote SMTP client certificate is verified successfully.
The fingerprint digest algorithm is configurable via the
<a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a> parameter (hard-coded as md5 prior to
-Postfix version 2.5). This feature is available with Postfix version
+Postfix version 2.5). This feature requires "<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>
+= yes" and is available with Postfix version
2.2 and later. </dd>
<br>
be allowed to relay. Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" when the
trusted CA is specified with <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> or <a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a>,
to prevent Postfix from appending the system-supplied default CAs.
-This feature is available with Postfix version 2.2.</dd>
+This feature requires "<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a> = yes" and is available
+with Postfix version 2.2 and later.</dd>
<dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
listed in $<a href="postconf.5.html#relay_clientcerts">relay_clientcerts</a>.
The fingerprint digest algorithm is configurable via the
<a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a> parameter (hard-coded as md5 prior to
-Postfix version 2.5). This feature is available with Postfix version
-2.2. </dd>
+Postfix version 2.5). This feature requires "<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>
+= yes" and is available with Postfix version 2.2 and later.</dd>
<dt><b><a name="reject_rbl_client">reject_rbl_client <i>rbl_domain=d.d.d.d</i></a></b></dt>
remote SMTP client certificate is verified successfully.
The fingerprint digest algorithm is configurable via the
smtpd_tls_fingerprint_digest parameter (hard\-coded as md5 prior to
-Postfix version 2.5). This feature is available with Postfix version
+Postfix version 2.5). This feature requires "smtpd_tls_ask_ccert
+= yes" and is available with Postfix version
2.2 and later.
.br
.br
be allowed to relay. Specify "tls_append_default_CA = no" when the
trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath,
to prevent Postfix from appending the system\-supplied default CAs.
-This feature is available with Postfix version 2.2.
+This feature requires "smtpd_tls_ask_ccert = yes" and is available
+with Postfix version 2.2 and later.
.br
.IP "\fBpermit_tls_clientcerts\fR"
Permit the request when the remote SMTP client certificate
listed in $relay_clientcerts.
The fingerprint digest algorithm is configurable via the
smtpd_tls_fingerprint_digest parameter (hard\-coded as md5 prior to
-Postfix version 2.5). This feature is available with Postfix version
-2.2.
+Postfix version 2.5). This feature requires "smtpd_tls_ask_ccert
+= yes" and is available with Postfix version 2.2 and later.
.br
.IP "\fBreject_rbl_client \fIrbl_domain=d.d.d.d\fR\fR"
Reject the request when the reversed client network address is
remote SMTP client certificate is verified successfully.
The fingerprint digest algorithm is configurable via the
smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to
-Postfix version 2.5). This feature is available with Postfix version
+Postfix version 2.5). This feature requires "smtpd_tls_ask_ccert
+= yes" and is available with Postfix version
2.2 and later. </dd>
<br>
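Review bot: the rewrap in the two added lines splits the quoted setting across a line boundary ("smtpd_tls_ask_ccert / = yes"), whereas the permit_tls_all_clientcerts entry in the same file keeps "smtpd_tls_ask_ccert = yes" on one line. Rendered output is unaffected, but a grep for the literal setting misses this entry; rewrap so the quoted string stays intact, e.g. `Postfix version 2.5). This feature requires` / `"smtpd_tls_ask_ccert = yes" and is available with Postfix version`. The same break is carried into the postconf.5 and postconf.5.html copies of this paragraph and into the permit_tls_clientcerts paragraph below, so fixing it in the proto and regenerating covers all of them.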
be allowed to relay. Specify "tls_append_default_CA = no" when the
trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath,
to prevent Postfix from appending the system-supplied default CAs.
-This feature is available with Postfix version 2.2.</dd>
+This feature requires "smtpd_tls_ask_ccert = yes" and is available
+with Postfix version 2.2 and later.</dd>
<dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
listed in $relay_clientcerts.
The fingerprint digest algorithm is configurable via the
smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to
-Postfix version 2.5). This feature is available with Postfix version
-2.2. </dd>
+Postfix version 2.5). This feature requires "smtpd_tls_ask_ccert
+= yes" and is available with Postfix version 2.2 and later.</dd>
<dt><b><a name="reject_rbl_client">reject_rbl_client <i>rbl_domain=d.d.d.d</i></a></b></dt>
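Review bot: "This feature requires "smtpd_tls_ask_ccert = yes"" overstates what the code does. With the setting at no, the added branches in smtpd_check.c only call msg_warn and set no result, and the permit_tls_clientcerts path still returns SMTPD_CHECK_DUNNO, so the restriction is silently skipped rather than refused. Consider wording that matches the behaviour, for example `This feature needs "smtpd_tls_ask_ccert = yes"; without it the restriction never matches and the Postfix SMTP server logs a warning.` The same sentence appears in the check_ccert_access and permit_tls_all_clientcerts entries above, so the change applies to all three.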
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20200309"
+#define MAIL_RELEASE_DATE "20200312"
#define MAIL_VERSION_NUMBER "3.6"
#ifdef SNAPSHOT
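Review bot: MAIL_RELEASE_DATE moves to 20200312, matching the new HISTORY heading, and MAIL_VERSION_NUMBER stays at 3.6, which is right for a snapshot given the comment that snapshots change the release date only. Nothing to change here.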
if (msg_verbose)
msg_info("relay_clientcerts: No match for fingerprint '%s', "
"pkey fingerprint %s", prints[0], prints[1]);
+ } else if (!var_smtpd_tls_ask_ccert) {
+ msg_warn("%s is requested, but \"%s = no\"", permit_all_certs ?
+ PERMIT_TLS_ALL_CLIENTCERTS : PERMIT_TLS_CLIENTCERTS,
+ VAR_SMTPD_TLS_ACERT);
}
#endif
return (SMTPD_CHECK_DUNNO);
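Review bot: the new else-if branch logs the warning every time the restriction is evaluated, so a server with smtpd_tls_ask_ccert = no and permit_tls_clientcerts or permit_tls_all_clientcerts in a restriction list emits one msg_warn per TLS session that reaches it, until the configuration is fixed. A static misconfiguration is better reported once: guard the msg_warn with a once-only flag in this function, or check the combination when smtpd parses its restriction lists at startup. The targeting itself is right: the branch is taken only when the certificate-handling block above it (the one that logs the fingerprint mismatch) is skipped, which is the expected state when certificates are never requested.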
if (result != SMTPD_CHECK_DUNNO)
break;
}
+ } else if (!var_smtpd_tls_ask_ccert) {
+ msg_warn("%s is requested, but \"%s = no\"",
+ CHECK_CCERT_ACL, VAR_SMTPD_TLS_ACERT);
} else {
if (msg_verbose)
msg_info("%s: no client certificate", myname);
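Review bot: the format string "%s is requested, but \"%s = no\"" and the VAR_SMTPD_TLS_ACERT argument are duplicated verbatim from the permit_tls_clientcerts hunk above; factor the message into one helper or macro so the two warnings cannot drift apart when the wording is tuned. Also, the new branch is placed ahead of the verbose "no client certificate" message, so with smtpd_tls_ask_ccert = no that diagnostic is no longer logged on this path. That is acceptable since the warning says more, but it is a behaviour change worth a line in the HISTORY entry.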