Robustness: force html2text to produce ASCII output. File:
mantools/html2readme.
+
+20150118
+
+ Bitrot: OpenSSL 1.1.0-dev (aka the "master" branch) has new
+ security levels ranging from 0 to 5. Level "0" is backwards
+ compatible, and other levels are increasingly restrictive.
+ Viktor Dukhovni. Files: tls/tls_server.c, tls/tls_client.c.
+
+20161205
+
+ Portability: Postfix TLS support uses /dev/urandom if
+ available and no system-specific setting exists in sys_defs.h.
+ Files: makedefs, util/sys_defs.h.
+
+20161206
+
+ Portability: added a tls_random_source default setting for
+ MacOS X. Viktor Dukhovni. File: util/sys_defs.h.
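Review bot: the two new HISTORY entries are dated 20161205 and 20161206 (December 2016), yet they sit directly after the 20150118 entry and the same patch bumps MAIL_RELEASE_DATE to "20160206"; these look like typos for 20160205 and 20160206 and should be corrected before the release is cut. The 20150118 entry also describes OpenSSL security levels 0 to 5 without saying which levels Postfix selects; one sentence stating the choice made in tls/tls_client.c and tls/tls_server.c (level 0 for opportunistic TLS, level 1 when the peer must be authenticated) would let a HISTORY reader find the behaviour without reading the code.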
Disable -DSNAPSHOT and -DNONPROD in makedefs.
+ Fix bold "[" and "]" in manpages; these are not part of the
+ command line.
+
+ Add Google credits to manpages.
+
Remove this file from the stable release.
Things to do after the stable release:
Specify WARN_UNUSED_RESULT for all library functions that
pass, deliver, bounce or defer a delivery request.
- Specify WARN_UNUSED_RESULT for mac_expand(), after making
- smtp_reply_footer() undoable.
-
- Type-checking wrappers for htable(3), ctable(3) and other
- modules that take and return a void* pointer. This is
- the next best thing to C++ style HTABLE<payload_type>.
+ Invent some kind of type-checking wrappers for htable(3),
+ ctable(3) and other modules that take and return a void*
+ pointer. We already did that for variadic functions.
TLS certificate provenance: indicate whether a subject
name/issuer are verified or not (for example, change the
P.O. Box 704
Yorktown Heights, NY 10598, USA
+ Wietse Venema
+ Google, Inc.
+ 111 8th Avenue
+ New York, NY 10011, USA
+
CLEANUP(8)
</pre> </body> </html>
<DT><b><a name="lmtp_address_verify_target">lmtp_address_verify_target</a>
(default: rcpt)</b></DT><DD>
-<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_dns_support_level">smtp_dns_support_level</a>
+<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_address_verify_target">smtp_address_verify_target</a>
configuration parameter. See there for details. </p>
<p> This feature is available in Postfix 3.0 and later. </p>
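Review bot: the corrected anchor for lmtp_address_verify_target is right, but the same fix appears in the postconf.5 manpage and in the %PARAM entry of postconf.proto further down; if the HTML and manpage were edited by hand rather than regenerated from the proto file, regenerating them is the real check that nothing was missed. While here, it is worth grepping the other lmtp_* entries in this file for a leftover copy-pasted smtp_dns_support_level reference, since this one survived until now.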
<b>status</b> Indicate if the Postfix mail system is currently running.
- <b>set-permissions [</b><i>name</i>=<i>value ...</i><b>]</b>
+ <b>set-permissions</b> [<i>name</i>=<i>value ...</i>]
Set the ownership and permissions of Postfix related files and
directories, as specified in the <b>postfix-files</b> file.
fix 2.0 and earlier, use "<b>$<a href="postconf.5.html#config_directory">config_directory</a>/post-install</b>
<b>set-permissions</b>".
- <b>upgrade-configuration [</b><i>name</i>=<i>value ...</i><b>]</b>
+ <b>upgrade-configuration</b> [<i>name</i>=<i>value ...</i>]
Update the <a href="postconf.5.html"><b>main.cf</b></a> and <a href="master.5.html"><b>master.cf</b></a> files with information that
Postfix needs in order to run: add or update services, and add
or update configuration parameter settings.
P.O. Box 704
Yorktown Heights, NY 10598, USA
+ Wietse Venema
+ Google, Inc.
+ 111 8th Avenue
+ New York, NY 10011, USA
+
TLS support by:
Lutz Jaenicke
Brandenburg University of Technology
P.O. Box 704
Yorktown Heights, NY 10598, USA
+ Wietse Venema
+ Google, Inc.
+ 111 8th Avenue
+ New York, NY 10011, USA
+
SASL support originally by:
Till Franke
SuSE Rhein/Main AG
# ;;
#esac
+#
+# We don't know all systems that have /dev/urandom, so we probe.
+#
+test -r /dev/urandom && CCARGS="$CCARGS -DHAS_DEV_URANDOM"
+
#
# PCRE 3.x has a pcre-config utility so we don't have to guess.
#
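Review bot: `test -r /dev/urandom` probes the build host, not the system the binaries will run on, so a package built on a host without /dev/urandom silently loses the default and one built where it exists bakes in HAS_DEV_URANDOM regardless of the target; the comment should say so, and people who build packages for other systems should be told to set CCARGS explicitly. Consider `test -c /dev/urandom` instead of `test -r`, so that an ordinary readable file at that path does not count as a random device.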
earliest convenience.
.IP \fBstatus\fR
Indicate if the Postfix mail system is currently running.
-.IP "\fBset\-permissions\fR \fB[\fIname\fR=\fIvalue ...\fB]\fR
+.IP "\fBset\-permissions\fR [\fIname\fR=\fIvalue ...\fR]
Set the ownership and permissions of Postfix related files and
directories, as specified in the \fBpostfix\-files\fR file.
.sp
This feature is available in Postfix 2.1 and later. With
Postfix 2.0 and earlier, use "\fB$config_directory/post\-install
set\-permissions\fR".
-.IP "\fBupgrade\-configuration\fR \fB[\fIname\fR=\fIvalue ...\fB]\fR
+.IP "\fBupgrade\-configuration\fR [\fIname\fR=\fIvalue ...\fR]
Update the \fBmain.cf\fR and \fBmaster.cf\fR files with information
that Postfix needs in order to run: add or update services, and add
or update configuration parameter settings.
P.O. Box 704
Yorktown Heights, NY 10598, USA
+Wietse Venema
+Google, Inc.
+111 8th Avenue
+New York, NY 10011, USA
+
TLS support by:
Lutz Jaenicke
Brandenburg University of Technology
.PP
This feature is available in Postfix 2.8 and later.
.SH lmtp_address_verify_target (default: rcpt)
-The LMTP\-specific version of the smtp_dns_support_level
+The LMTP\-specific version of the smtp_address_verify_target
configuration parameter. See there for details.
.PP
This feature is available in Postfix 3.0 and later.
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
+
+Wietse Venema
+Google, Inc.
+111 8th Avenue
+New York, NY 10011, USA
P.O. Box 704
Yorktown Heights, NY 10598, USA
+Wietse Venema
+Google, Inc.
+111 8th Avenue
+New York, NY 10011, USA
+
SASL support originally by:
Till Franke
SuSE Rhein/Main AG
%PARAM lmtp_address_verify_target rcpt
-<p> The LMTP-specific version of the smtp_dns_support_level
+<p> The LMTP-specific version of the smtp_address_verify_target
configuration parameter. See there for details. </p>
<p> This feature is available in Postfix 3.0 and later. </p>
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20160117"
+#define MAIL_RELEASE_DATE "20160206"
#define MAIL_VERSION_NUMBER "3.1"
#ifdef SNAPSHOT
#define BAD_SMTP (-1)
#define BAD_MACRO (-2)
-static struct test_case test_cases[] = {
+static const struct test_case test_cases[] = {
{"missing reply", "", NO_TEMPLATE, NO_FILTER, BAD_SMTP, 0},
{"long smtp_code", "1234 foo", NO_TEMPLATE, NO_FILTER, BAD_SMTP, 0},
{"short smtp_code", "12 foo", NO_TEMPLATE, NO_FILTER, BAD_SMTP, 0},
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
#endif
/* earliest convenience.
/* .IP \fBstatus\fR
/* Indicate if the Postfix mail system is currently running.
-/* .IP "\fBset-permissions\fR \fB[\fIname\fR=\fIvalue ...\fB]\fR
+/* .IP "\fBset-permissions\fR [\fIname\fR=\fIvalue ...\fR]
/* Set the ownership and permissions of Postfix related files and
/* directories, as specified in the \fBpostfix-files\fR file.
/* .sp
/* This feature is available in Postfix 2.1 and later. With
/* Postfix 2.0 and earlier, use "\fB$config_directory/post-install
/* set-permissions\fR".
-/* .IP "\fBupgrade-configuration\fR \fB[\fIname\fR=\fIvalue ...\fB]\fR
+/* .IP "\fBupgrade-configuration\fR [\fIname\fR=\fIvalue ...\fR]
/* Update the \fBmain.cf\fR and \fBmaster.cf\fR files with information
/* that Postfix needs in order to run: add or update services, and add
/* or update configuration parameter settings.
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
+/*
/* TLS support by:
/* Lutz Jaenicke
/* Brandenburg University of Technology
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
+/*
/* SASL support originally by:
/* Till Franke
/* SuSE Rhein/Main AG
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
#endif
/* Backwards compatibility with OpenSSL < 1.1.0 */
-#ifdef SSLEAY_VERSION_NUMBER
-#define OpenSSL_version_num SSLeay
-#endif
-
#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define OpenSSL_version_num SSLeay
+#define OpenSSL_version SSLeay_version
+#define OPENSSL_VERSION SSLEAY_VERSION
#define X509_up_ref(x) CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509)
#endif
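Review bot: dropping the `#ifdef SSLEAY_VERSION_NUMBER` guard changes the feature test from "the library defines the SSLeay symbols" to "the library reports a version number below 1.1.0"; a library that reports a 1.1.0-or-later number but does not provide OpenSSL_version_num, OpenSSL_version or OPENSSL_VERSION now fails to compile instead of falling back to the SSLeay names. If that is the intended policy, a one-line comment saying that OPENSSL_VERSION_NUMBER is the sole compatibility test would save the next reader a trip through the history; wrapping each of the three defines in `#ifndef` would additionally avoid redefinition warnings if a vendor header already supplies them.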
/*
* tls_misc.c
*/
-
extern void tls_param_init(void);
/*
return (0);
}
+#ifdef SSL_SECOP_PEER
+ /* Backwards compatible security as a base for opportunistic TLS. */
+ SSL_CTX_set_security_level(client_ctx, 0);
+#endif
+
/*
* See the verify callback in tls_verify.c
*/
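Review bot: using `#ifdef SSL_SECOP_PEER` as the availability test for SSL_CTX_set_security_level() needs a comment, because a reader will look for a test on the function itself or on OPENSSL_VERSION_NUMBER and the connection between the SSL_SECOP_* constants and the security-level API is not visible from this hunk. The comment "Backwards compatible security as a base for opportunistic TLS" should also spell out the consequence: at level 0 OpenSSL enforces no minimum strength of its own, so the cipherlist, the protocol mask and the other existing Postfix settings remain the only restriction on unauthenticated sessions.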
if (protomask != 0)
SSL_set_options(TLScontext->con, TLS_SSL_OP_PROTOMASK(protomask));
+#ifdef SSL_SECOP_PEER
+ /* When authenticating the peer, use 80-bit plus OpenSSL security level */
+ if (TLS_MUST_MATCH(props->tls_level))
+ SSL_set_security_level(TLScontext->con, 1);
+#endif
+
/*
* XXX To avoid memory leaks we must always call SSL_SESSION_free() after
* calling SSL_set_session(), regardless of whether or not the session
return (0);
}
+#ifdef SSL_SECOP_PEER
+ /* Backwards compatible security as a base for opportunistic TLS. */
+ SSL_CTX_set_security_level(server_ctx, 0);
+#endif
+
/*
* See the verify callback in tls_verify.c
*/
return (0);
}
+#ifdef SSL_SECOP_PEER
+ /* When authenticating the peer, use 80-bit plus OpenSSL security level */
+ if (props->requirecert)
+ SSL_set_security_level(TLScontext->con, 1);
+#endif
+
/*
* Before really starting anything, try to seed the PRNG a little bit
* more.
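Review bot: the server raises the level to 1 on `props->requirecert` while the client does so on `TLS_MUST_MATCH(props->tls_level)`; each is the right condition for its side, but a cross-reference comment in both places would keep the two from drifting apart in later changes. The "80-bit plus OpenSSL security level" comment should also state that this per-connection call deliberately overrides the level 0 set on the SSL_CTX earlier, so that a refactoring which moves or removes either call does not silently leave authenticated sessions at level 0.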
TLScontext->peer_pkey_fprint);
}
X509_free(peer);
+
+ /*
+ * Give them a clue. Problems with trust chain verification are logged
+ * when the session is first negotiated, before the session is stored
+ * into the cache. We don't want mystery failures, so log the fact the
+ * real problem is to be found in the past.
+ */
+ if (!TLS_CERT_IS_TRUSTED(TLScontext)
+ && (TLScontext->log_mask & TLS_LOG_UNTRUSTED)) {
+ if (TLScontext->session_reused == 0)
+ tls_log_verify_error(TLScontext);
+ else
+ msg_info("%s: re-using session with untrusted certificate, "
+ "look for details earlier in the log",
+ TLScontext->namaddr);
+ }
} else {
TLScontext->peer_CN = mystrdup("");
TLScontext->issuer_CN = mystrdup("");
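Review bot: the new "re-using session with untrusted certificate" message identifies the peer only by TLScontext->namaddr; since its purpose is to point the operator at the earlier verification failure, adding the peer fingerprint or CN (TLScontext->peer_pkey_fprint is already in scope just above) would make the two log lines easy to correlate. The message is also emitted only when TLS_LOG_UNTRUSTED is set; if tls_log_verify_error() logs the original failure under a different mask, an operator told to "look for details earlier in the log" may find nothing, so it is worth confirming both paths use the same mask.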
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* expand macro references in string
/* SYNOPSIS
/* #include <mac_expand.h>
- DESCRIPTION
- .nf
+/* DESCRIPTION
+/* .nf
/*
* Utility library.
/* locate macro references in string
/* SYNOPSIS
/* #include <mac_parse.h>
- DESCRIPTION
- .nf
+/* DESCRIPTION
+/* .nf
/*
* Utility library.
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/*
#define HAVE_POSIX_GETPW_R
#endif
#define HAS_DLOPEN
+#define PREFERRED_RAND_SOURCE "dev:/dev/urandom"
#endif
/*
*/
#ifndef NO_WATCHDOG_PIPE
#define USE_WATCHDOG_PIPE
+#endif
+
+ /*
+ * If we don't have defined a preferred random device above, but the system
+ * has /dev/urandom, then we use that.
+ */
+#if !defined(PREFERRED_RAND_SOURCE) && defined(HAS_DEV_URANDOM)
+#define PREFERRED_RAND_SOURCE "dev:/dev/urandom"
#endif
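Review bot: the fallback `#if !defined(PREFERRED_RAND_SOURCE) && defined(HAS_DEV_URANDOM)` must remain after every per-platform section so that an explicit per-platform value (such as the new MacOS X "dev:/dev/urandom") takes precedence; a comment stating that ordering constraint would protect it from being moved during a future reshuffle of sys_defs.h. The comment text "If we don't have defined a preferred random device above" should read "If no preferred random device was defined above". Finally, because HAS_DEV_URANDOM comes from the makedefs probe on the build host, a short note here that this default reflects the build system rather than the runtime system would help packagers.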
/*
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
#endif
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */