Usability: improved error message when master.cf specifies
a wild-card network listener (like "smtp inet ... smtpd")
- while `inet_interfaces is empty. File: master/master_ent.c.
+ while inet_interfaces is empty. File: master/master_ent.c.
More documentation updates for local aliasing versus virtual
aliasing. Files: proto/aliases, proto/virtual, postfix/postfix.c.
This also fixes a warning message when a destination contains
":service" information. Reported by Thomas Korbar. File:
posttls-finger/posttls-finger.c.
+
+20230519
+
+ Cleanup: fixed postconf tests for dynamically-linked builds.
+ File: postconf/Makefile.in.
+
+20230521
+
+ Bitrot: library error messages in SMTP server tests. File:
+ smtpd/Makefile.in.
+
+ Cleanup: removed some "the the" instances. Files:
+ proto/MILTER_README.html proto/stop.double-proto-html.
+
+ Bitrot: preliminary support for OpenSSL configuration files,
+ primarily OpenSSL 1.1.1b and later. This introduces new
+ parameters "tls_config_file" and "tls_config_name", which
+ can be used to limit collateral damage from OS distributions
+ that crank up security to 11, increasing the number of
+ plaintext email deliveries. Details are in the postconf(5)
+ manpage under "tls_config_file" and "tls_config_name".
+ Viktor Dukhovni. Files: mantools/postlink, proto/postconf.proto,
+ global/mail_params.h, posttls-finger/posttls-finger.c,
+ smtp/smtp.c, smtp/smtp_proto.c, tls/tls_client.c, tls/tls.h,
+ tls/tls_misc.c, tls/tls_proxy_client_print.c,
+ tls/tls_proxy_client_scan.c, tls/tls_proxy.h, tls/tls_server.c,
+ tlsproxy/tlsproxy.c.
D\bDi\bif\bff\bfe\ber\bre\ben\bnt\bt s\bse\bet\btt\bti\bin\bng\bgs\bs f\bfo\bor\br d\bdi\bif\bff\bfe\ber\bre\ben\bnt\bt S\bSM\bMT\bTP\bP c\bcl\bli\bie\ben\bnt\bts\bs
The smtpd_milter_maps feature supports different Milter settings for different
-client IP addresses. Lookup results override the the global smtpd_milters
-setting, and have the same syntax. For example, to disable Milter settings for
-local address ranges:
+client IP addresses. Lookup results override the global smtpd_milters setting,
+and have the same syntax. For example, to disable Milter settings for local
+address ranges:
/etc/postfix/main.cf:
smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
license of their choice. Those who are more comfortable with the
IPL can continue with that license.
+Major changes with snapshot 20230522
+====================================
+
+Preliminary support for OpenSSL configuration files, primarily
+OpenSSL 1.1.1b and later. This introduces two new parameters
+"tls_config_file" and "tls_config_name", which can be used to limit
+collateral damage from OS distributions that crank up security to
+11, increasing the number of plaintext email deliveries. Details
+are in the postconf(5) manpage under "tls_config_file" and
+"tls_config_name".
+
Incompatible changes with snapshot 20230419
===========================================
Wish list:
+ In tlsproxy, diff the server-side TLS library settings
+ against those from a tlsproxy client, and make sure that
+ the diff covers the new cnf_file and cnf_name properties.
+
Things to do before the stable release:
make pre-release-check, HTML validator check.
clients </a></h3>
<p> The <a href="postconf.5.html#smtpd_milter_maps">smtpd_milter_maps</a> feature supports different Milter settings
-for different client IP addresses. Lookup results override the the
+for different client IP addresses. Lookup results override the
global <a href="postconf.5.html#smtpd_milters">smtpd_milters</a> setting, and have the same syntax. For example,
to disable Milter settings for local address ranges: </p>
with sites that don't use <a href="postconf.5.html#permit_tls_all_clientcerts">permit_tls_all_clientcerts</a>. </p>
+</DD>
+
+<DT><b><a name="tls_config_file">tls_config_file</a>
+(default: default)</b></DT><DD>
+
+<p> Optional configuration file with baseline OpenSSL settings.
+OpenSSL loads any SSL settings found in the configuration file for
+the selected application name (see <a href="postconf.5.html#tls_config_name">tls_config_name</a>) or else the
+built-in application name "openssl_conf" when no application name is
+specified, or no corresponding configuration section is present.
+</p>
+
+<p> With OpenSSL releases 1.1.1 and 1.1.1a, applications (including
+Postfix) can neither specify an alternative configuration file, nor
+avoid loading the default configuration file. </p>
+
+<p> With OpenSSL 1.1.1b or later, this parameter may be set to one of:
+</p>
+
+<dl>
+
+<dt> <b>default</b> (default) </dt> <dd> Load the system-wide
+"openssl.cnf" configuration file. </dd>
+
+<dt> <b>none</b> (recommended, OpenSSL 1.1.1b or later only) </dt>
+<dd> This setting disables loading of the system-wide "openssl.cnf"
+file. </dd>
+
+<dt> <b><i>/absolute-path</i></b> (OpenSSL 1.1.1b or later only) </dt>
+<dd> Load the configuration file specified by <i>/absolute-path</i>.
+With this setting it is an error for the file to not contain any
+settings for the selected <a href="postconf.5.html#tls_config_name">tls_config_name</a>. There is no fallback to
+the default "openssl_conf" name. </dd>
+
+</dl>
+
+<p> Failures in processing of the built-in default configuration
+file, are silently ignored with OpenSSL prior to 1.1.1b. With later
+OpenSSL releases, any errors in loading either the default or custom
+configuration file are detected by Postfix, and cause TLS support to
+be disabled. </p>
+
+<p> The OpenSSL configuration file format is not documented here,
+beyond giving two examples. <p>
+
+<p> Example: Default settings for all applications. </p>
+
+<blockquote>
+<pre>
+# The name 'openssl_conf' is the default application name
+# The section name to the right of the '=' sign is arbitrary,
+# any name will do, so long as it refers to the desired section.
+#
+# The name 'system_default' selects the settings applied internally
+# by the SSL library as part of SSL object creation. Applications
+# can then apply any additional settings of their choice.
+#
+# In this example, TLS versions prior to 1.2 are disabled by default.
+#
+openssl_conf = system_wide_settings
+[system_wide_settings]
+ssl_conf = ssl_library_settings
+[ssl_library_settings]
+system_default = initial_ssl_settings
+[initial_ssl_settings]
+MinProtocol = TLSv1.2
+</pre>
+</blockquote>
+
+<p> Example: Custom settings for an application named "postfix". </p>
+
+<blockquote>
+<pre>
+# The mapping from an application name to the corresponding configuration
+# section must appear near the top of the file, (in what is sometimes called
+# the "default section") prior to the start of any explicitly named
+# "[sections]". The named sections can appear in any order and don't nest.
+#
+postfix = postfix_settings
+[postfix_settings]
+ssl_conf = postfix_ssl_settings
+[postfix_ssl_settings]
+system_default = baseline_postfix_settings
+[baseline_postfix_settings]
+MinProtocol = TLSv1
+</pre>
+</blockquote>
+
+<p> This feature is available in Postfix ≥ 3.9. </p>
+
+
+</DD>
+
+<DT><b><a name="tls_config_name">tls_config_name</a>
+(default: empty)</b></DT><DD>
+
+<p> The application name passed by Postfix to OpenSSL library
+initialization functions. This name is used to select the desired
+configuration "section" in the OpenSSL configuration file specified
+via the <a href="postconf.5.html#tls_config_file">tls_config_file</a> parameter. When empty, or when the
+selected name is not present in the configuration file, the default
+application name ("openssl_conf") is used as a fallback. </p>
+
+<p> This feature is available in Postfix ≥ 3.9. </p>
+
+
</DD>
<DT><b><a name="tls_daemon_random_bytes">tls_daemon_random_bytes</a>
2.7.2 and later versions. Specify "tls_append_default_CA = yes" for
backwards compatibility, to avoid breaking certificate verification
with sites that don't use permit_tls_all_clientcerts.
+.SH tls_config_file (default: default)
+Optional configuration file with baseline OpenSSL settings.
+OpenSSL loads any SSL settings found in the configuration file for
+the selected application name (see tls_config_name) or else the
+built\-in application name "openssl_conf" when no application name is
+specified, or no corresponding configuration section is present.
+.PP
+With OpenSSL releases 1.1.1 and 1.1.1a, applications (including
+Postfix) can neither specify an alternative configuration file, nor
+avoid loading the default configuration file.
+.PP
+With OpenSSL 1.1.1b or later, this parameter may be set to one of:
+.IP "\fBdefault\fR (default)"
+Load the system\-wide
+"openssl.cnf" configuration file.
+.br
+.IP "\fBnone\fR (recommended, OpenSSL 1.1.1b or later only)"
+This setting disables loading of the system\-wide "openssl.cnf"
+file.
+.br
+.IP "\fB\fI/absolute\-path\fR\fR (OpenSSL 1.1.1b or later only)"
+Load the configuration file specified by \fI/absolute\-path\fR.
+With this setting it is an error for the file to not contain any
+settings for the selected tls_config_name. There is no fallback to
+the default "openssl_conf" name.
+.br
+.br
+.PP
+Failures in processing of the built\-in default configuration
+file, are silently ignored with OpenSSL prior to 1.1.1b. With later
+OpenSSL releases, any errors in loading either the default or custom
+configuration file are detected by Postfix, and cause TLS support to
+be disabled.
+.PP
+The OpenSSL configuration file format is not documented here,
+beyond giving two examples.
+.PP
+Example: Default settings for all applications.
+.sp
+.in +4
+.nf
+.na
+.ft C
+# The name 'openssl_conf' is the default application name
+# The section name to the right of the '=' sign is arbitrary,
+# any name will do, so long as it refers to the desired section.
+#
+# The name 'system_default' selects the settings applied internally
+# by the SSL library as part of SSL object creation. Applications
+# can then apply any additional settings of their choice.
+#
+# In this example, TLS versions prior to 1.2 are disabled by default.
+#
+openssl_conf = system_wide_settings
+[system_wide_settings]
+ssl_conf = ssl_library_settings
+[ssl_library_settings]
+system_default = initial_ssl_settings
+[initial_ssl_settings]
+MinProtocol = TLSv1.2
+.fi
+.ad
+.ft R
+.in -4
+.PP
+Example: Custom settings for an application named "postfix".
+.sp
+.in +4
+.nf
+.na
+.ft C
+# The mapping from an application name to the corresponding configuration
+# section must appear near the top of the file, (in what is sometimes called
+# the "default section") prior to the start of any explicitly named
+# "[sections]". The named sections can appear in any order and don't nest.
+#
+postfix = postfix_settings
+[postfix_settings]
+ssl_conf = postfix_ssl_settings
+[postfix_ssl_settings]
+system_default = baseline_postfix_settings
+[baseline_postfix_settings]
+MinProtocol = TLSv1
+.fi
+.ad
+.ft R
+.in -4
+.PP
+This feature is available in Postfix >= 3.9.
+.SH tls_config_name (default: empty)
+The application name passed by Postfix to OpenSSL library
+initialization functions. This name is used to select the desired
+configuration "section" in the OpenSSL configuration file specified
+via the tls_config_file parameter. When empty, or when the
+selected name is not present in the configuration file, the default
+application name ("openssl_conf") is used as a fallback.
+.PP
+This feature is available in Postfix >= 3.9.
.SH tls_daemon_random_bytes (default: 32)
The number of pseudo\-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8)
process requests from the \fBtlsmgr\fR(8) server in order to seed its
.IP "\fBdisable_dns_lookups (no)\fR"
Disable DNS lookups in the Postfix SMTP and LMTP clients.
.IP "\fBinet_interfaces (all)\fR"
-The local network interface addresses that this mail system receives
-mail on.
+The local network interface addresses that this mail system
+receives mail on.
.IP "\fBinet_protocols (see 'postconf -d output')\fR"
The Internet protocols Postfix will attempt to use when making
or accepting connections.
s;\btls_session_ticket_cipher\b;<a href="postconf.5.html#tls_session_ticket_cipher">$&</a>;g;
s;\btls_server_sni_maps\b;<a href="postconf.5.html#tls_server_sni_maps">$&</a>;g;
s;\btls_ssl_options\b;<a href="postconf.5.html#tls_ssl_options">$&</a>;g;
+ s;\btls_config_name\b;<a href="postconf.5.html#tls_config_name">$&</a>;g;
+ s;\btls_config_file\b;<a href="postconf.5.html#tls_config_file">$&</a>;g;
s;\btls_dane_digest_agility\b;<a href="postconf.5.html#tls_dane_digest_agility">$&</a>;g;
s;\btls_dane_trust_anchor_digest_enable\b;<a href="postconf.5.html#tls_dane_trust_anchor_digest_enable">$&</a>;g;
s;\btls_fast_shutdown_enable\b;<a href="postconf.5.html#tls_fast_shutdown_enable">$&</a>;g;
clients </a></h3>
<p> The smtpd_milter_maps feature supports different Milter settings
-for different client IP addresses. Lookup results override the the
+for different client IP addresses. Lookup results override the
global smtpd_milters setting, and have the same syntax. For example,
to disable Milter settings for local address ranges: </p>
aggregation is enabled for IPv6. </p>
<p> This feature is available in Postfix 3.8 and later. </p>
+
+%PARAM tls_config_name
+
+<p> The application name passed by Postfix to OpenSSL library
+initialization functions. This name is used to select the desired
+configuration "section" in the OpenSSL configuration file specified
+via the tls_config_file parameter. When empty, or when the
+selected name is not present in the configuration file, the default
+application name ("openssl_conf") is used as a fallback. </p>
+
+<p> This feature is available in Postfix ≥ 3.9. </p>
+
+%PARAM tls_config_file default
+
+<p> Optional configuration file with baseline OpenSSL settings.
+OpenSSL loads any SSL settings found in the configuration file for
+the selected application name (see tls_config_name) or else the
+built-in application name "openssl_conf" when no application name is
+specified, or no corresponding configuration section is present.
+</p>
+
+<p> With OpenSSL releases 1.1.1 and 1.1.1a, applications (including
+Postfix) can neither specify an alternative configuration file, nor
+avoid loading the default configuration file. </p>
+
+<p> With OpenSSL 1.1.1b or later, this parameter may be set to one of:
+</p>
+
+<dl>
+
+<dt> <b>default</b> (default) </dt> <dd> Load the system-wide
+"openssl.cnf" configuration file. </dd>
+
+<dt> <b>none</b> (recommended, OpenSSL 1.1.1b or later only) </dt>
+<dd> This setting disables loading of the system-wide "openssl.cnf"
+file. </dd>
+
+<dt> <b><i>/absolute-path</i></b> (OpenSSL 1.1.1b or later only) </dt>
+<dd> Load the configuration file specified by <i>/absolute-path</i>.
+With this setting it is an error for the file to not contain any
+settings for the selected tls_config_name. There is no fallback to
+the default "openssl_conf" name. </dd>
+
+</dl>
+
+<p> Failures in processing of the built-in default configuration
+file, are silently ignored with OpenSSL prior to 1.1.1b. With later
+OpenSSL releases, any errors in loading either the default or custom
+configuration file are detected by Postfix, and cause TLS support to
+be disabled. </p>
+
+<p> The OpenSSL configuration file format is not documented here,
+beyond giving two examples. <p>
+
+<p> Example: Default settings for all applications. </p>
+
+<blockquote>
+<pre>
+# The name 'openssl_conf' is the default application name
+# The section name to the right of the '=' sign is arbitrary,
+# any name will do, so long as it refers to the desired section.
+#
+# The name 'system_default' selects the settings applied internally
+# by the SSL library as part of SSL object creation. Applications
+# can then apply any additional settings of their choice.
+#
+# In this example, TLS versions prior to 1.2 are disabled by default.
+#
+openssl_conf = system_wide_settings
+[system_wide_settings]
+ssl_conf = ssl_library_settings
+[ssl_library_settings]
+system_default = initial_ssl_settings
+[initial_ssl_settings]
+MinProtocol = TLSv1.2
+</pre>
+</blockquote>
+
+<p> Example: Custom settings for an application named "postfix". </p>
+
+<blockquote>
+<pre>
+# The mapping from an application name to the corresponding configuration
+# section must appear near the top of the file, (in what is sometimes called
+# the "default section") prior to the start of any explicitly named
+# "[sections]". The named sections can appear in any order and don't nest.
+#
+postfix = postfix_settings
+[postfix_settings]
+ssl_conf = postfix_ssl_settings
+[postfix_ssl_settings]
+system_default = baseline_postfix_settings
+[baseline_postfix_settings]
+MinProtocol = TLSv1
+</pre>
+</blockquote>
+
+<p> This feature is available in Postfix ≥ 3.9. </p>
proto proto aliases proto virtual proto ADDRESS_REWRITING_README html
master master c postlog postlog c postlogd postlogd c
proto postconf proto proto aliases proto virtual
+ posttls finger posttls finger c smtp smtp c smtp smtp_proto c
+ tls tls_client c tls tls h tls tls_misc c
+ tls tls_proxy h tls tls_server c tlsproxy tlsproxy c
dd No TLS TLS will not be used unless enabled for specific
Dec 4 04 30 09 hostname postfix smtpd 58549 NOQUEUE reject
default_transport uucp uucp gateway
- different client IP addresses Lookup results override the the global
Documentation Documentation is available as README files start with the file
done done
done done
SSLv3 TLSv1 TLSv1 1 TLSv1 2 and TLSv1 3 Starting with
T 5 10 20 40 80 160 320 640 1280 1280
T A 5 10 20 40 80 160 320 320
- The and match and literally Without the the
- The matches literally Without the the would
Therefore 301 0301 0x301 and 0x0301 are all equivalent to
The syntax of name value value name value and name value
the the backed up domain tld domain This prevents your mail queue
p Note on OpenBSD systems specify dev dev arandom when dev dev urandom
user3 example net smtp smtp relay example net submission
virtual_alias_maps hash etc postfix virtual virtual aliasing
+system_wide_settings system_wide_settings
+ssl_library_settings ssl_library_settings
+initial_ssl_settings initial_ssl_settings
+postfix_settings postfix_settings
+postfix_ssl_settings postfix_ssl_settings
+baseline_postfix_settings baseline_postfix_settings
ipproto
cw
uncreate
+MFLAGS
srv
wraptls
api
+MinProtocol
extern bool var_smtp_cname_overr;
/*
- * TLS cipherlists
+ * TLS library settings
+ */
+#define VAR_TLS_CNF_FILE "tls_config_file"
+#define DEF_TLS_CNF_FILE "default"
+extern char *var_tls_cnf_file;
+
+#define VAR_TLS_CNF_NAME "tls_config_name"
+#define DEF_TLS_CNF_NAME ""
+extern char *var_tls_cnf_name;
+
+ /*
+ * Deprecated and unused cipher, key exchange and public key algorithms
*/
- /* Deprecated and unused cipher, key exchange and public key algorithms */
#define TLS_EXCL_CIPHS ":!SEED:!IDEA:!3DES:!RC2:!RC4:!RC5"
#define TLS_EXCL_KEXCH ":!kDH:!kECDH"
#define TLS_EXCL_PKEYS ":!aDSS"
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20230517"
+#define MAIL_RELEASE_DATE "20230521"
#define MAIL_VERSION_NUMBER "3.9"
#ifdef SNAPSHOT
echo 'yy_backup = bbb' >> main.cf
echo 'yy_bogus = bbb' >> main.cf
touch -t 197101010000 main.cf
- $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./postconf -nc. >test58.tmp 2>&1 || true
+ $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -nc. >test58.tmp 2>&1 || true
diff test58.ref test58.tmp
rm -f main.cf master.cf test58.tmp
test72: $(PROG) test72.ref
rm -f main.cf master.cf
touch main.cf master.cf
- ./postconf -Mc. smtp/unix='smtp unix - n n - 0 other'
- ./postconf -Mc. smtp/abcd='smtp fifo - n n - 0 other'
- ./postconf -Mc. smtp/abcd='smtp inet - n n - 0 other'
+ $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/unix='smtp unix - n n - 0 other'
+ $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/abcd='smtp fifo - n n - 0 other'
+ $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/abcd='smtp inet - n n - 0 other'
touch -t 197201010000 main.cf
$(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. >test72.tmp 2>&1
diff test72.ref test72.tmp
test73: $(PROG) test73.ref
rm -f main.cf master.cf
touch main.cf master.cf
- ./postconf -Mc. smtp/unix='smtp unix - n n - 0 other'
- ./postconf -Mc. smtp/abcd='smtp fifo - n n - 0 other'
- ./postconf -Mc. smtp/abcd='smtp inet - n n - 0 other'
- ./postconf -Mc. smtp/abcd='smtp unix - n n - 0 otherx'
+ $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/unix='smtp unix - n n - 0 other'
+ $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/abcd='smtp fifo - n n - 0 other'
+ $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/abcd='smtp inet - n n - 0 other'
+ $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/abcd='smtp unix - n n - 0 otherx'
touch -t 197301010000 main.cf
$(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. >test73.tmp 2>&1
diff test73.ref test73.tmp
test74: $(PROG) test74.ref
rm -f main.cf master.cf
touch main.cf master.cf
- ./postconf -Mc. smtp/unix='smtp unix - n n - 0 other'
- ./postconf -Mc. smtp/abcd='smtp fifo - n n - 0 other'
- ./postconf -Mc. smtp/abcd='smtp inet - n n - 0 other'
- ./postconf -Mc. smtp/fifo='lmtp unix - n n - 0 otherx'
+ $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/unix='smtp unix - n n - 0 other'
+ $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/abcd='smtp fifo - n n - 0 other'
+ $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/abcd='smtp inet - n n - 0 other'
+ $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. smtp/fifo='lmtp unix - n n - 0 otherx'
touch -t 197401010000 main.cf
$(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -Mc. >test74.tmp 2>&1
diff test74.ref test74.tmp
test75: $(PROG) test75.ref
rm -f main.cf master.cf
touch main.cf master.cf
- ./postconf -c. mail_version=x mail_version=y >test75.tmp 2>&1
+ $(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -c. mail_version=x mail_version=y >test75.tmp 2>&1
touch -t 197501010000 main.cf
$(HTABLE_FIX) $(SHLIB_ENV) $(VALGRIND) ./$(PROG) -nc. >>test75.tmp 2>&1
diff test75.ref test75.tmp
* Send all our wishes in one big request.
*/
TLS_PROXY_CLIENT_INIT_PROPS(&init_props,
+ cnf_file = var_tls_cnf_file,
+ cnf_name = var_tls_cnf_name,
log_param = "-L option",
log_level = state->options.logopts,
verifydepth = DEF_SMTP_TLS_SCERT_VD,
/* Needed for tls_dane_avail() and other DANE-related processing. */
state->tls_ctx =
TLS_CLIENT_INIT(&props,
+ cnf_file = var_tls_cnf_file,
+ cnf_name = var_tls_cnf_name,
log_param = "-L option",
log_level = state->options.logopts,
verifydepth = DEF_SMTP_TLS_SCERT_VD,
/* .IP "\fBdisable_dns_lookups (no)\fR"
/* Disable DNS lookups in the Postfix SMTP and LMTP clients.
/* .IP "\fBinet_interfaces (all)\fR"
-/* The local network interface addresses that this mail system receives
-/* mail on.
+/* The local network interface addresses that this mail system
+/* receives mail on.
/* .IP "\fBinet_protocols (see 'postconf -d output')\fR"
/* The Internet protocols Postfix will attempt to use when making
/* or accepting connections.
bool var_smtp_req_deadline;
int var_smtp_min_data_rate;
char *var_use_srv_lookup;
-bool var_ign_srv_lookup_err;
-bool var_allow_srv_fallback;
+bool var_ign_srv_lookup_err;
+bool var_allow_srv_fallback;
/* Special handling of 535 AUTH errors. */
char *var_smtp_sasl_auth_cache_name;
bool var_smtp_sasl_auth_soft_bounce;
char *var_hfrom_format;
-bool var_smtp_bind_addr_enforce;
+bool var_smtp_bind_addr_enforce;
/*
* Global variables.
*/
smtp_tls_ctx =
TLS_CLIENT_INIT(&props,
+ cnf_file = var_tls_cnf_file,
+ cnf_name = var_tls_cnf_name,
log_param = VAR_LMTP_SMTP(TLS_LOGLEVEL),
log_level = var_smtp_tls_loglevel,
verifydepth = var_smtp_tls_scert_vd,
* Send all our wishes in one big request.
*/
TLS_PROXY_CLIENT_INIT_PROPS(&init_props,
+ cnf_file = var_tls_cnf_file,
+ cnf_name = var_tls_cnf_name,
log_param = VAR_LMTP_SMTP(TLS_LOGLEVEL),
log_level = var_smtp_tls_loglevel,
verifydepth = var_smtp_tls_scert_vd,
# This requires that the DNS server can query porcupine.org.
-ADDRINFO_FIX = sed 's/No address associated with hostname/hostname nor servname provided, or not known/'
+ADDRINFO_FIX = sed -e 's/No address associated with hostname/hostname nor servname provided, or not known/' \
+ -e 's/Name or service not known/hostname nor servname provided, or not known/'
smtpd_exp_test: smtpd_check smtpd_exp.in smtpd_exp.ref
$(SHLIB_ENV) $(VALGRIND) ../postmap/postmap hash:smtpd_check_access
#include <openssl/evp.h> /* New OpenSSL 3.0 EVP_PKEY APIs */
#include <openssl/opensslv.h> /* OPENSSL_VERSION_NUMBER */
#include <openssl/ssl.h>
+#include <openssl/conf.h>
/* Appease indent(1) */
#define x509_stack_t STACK_OF(X509)
* tls_misc.c
*/
extern void tls_param_init(void);
+extern int tls_library_init(void);
/*
* Protocol selection.
* tls_client.c
*/
typedef struct {
+ const char *cnf_file;
+ const char *cnf_name;
const char *log_param;
const char *log_level;
int verifydepth;
tls_session_stop(ctx, (stream), (timeout), (failure), (TLScontext))
#define TLS_CLIENT_INIT_ARGS(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
- a10, a11, a12, a13, a14) \
- (((props)->a1), ((props)->a2), ((props)->a3), \
- ((props)->a4), ((props)->a5), ((props)->a6), ((props)->a7), \
- ((props)->a8), ((props)->a9), ((props)->a10), ((props)->a11), \
- ((props)->a12), ((props)->a13), ((props)->a14), (props))
+ a10, a11, a12, a13, a14, a15, a16) \
+ (((props)->a1), ((props)->a2), ((props)->a3), ((props)->a4), \
+ ((props)->a5), ((props)->a6), ((props)->a7), ((props)->a8), \
+ ((props)->a9), ((props)->a10), ((props)->a11), ((props)->a12), \
+ ((props)->a13), ((props)->a14), ((props)->a15), ((props)->a16), (props))
#define TLS_CLIENT_INIT(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
- a10, a11, a12, a13, a14) \
+ a10, a11, a12, a13, a14, a15, a16) \
tls_client_init(TLS_CLIENT_INIT_ARGS(props, a1, a2, a3, a4, a5, \
- a6, a7, a8, a9, a10, a11, a12, a13, a14))
+ a6, a7, a8, a9, a10, a11, a12, a13, a14, a15, a16))
#define TLS_CLIENT_START(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
a10, a11, a12, a13, a14, a15, a16, a17) \
*/
tls_check_version();
+ /*
+ * Initialize the OpenSSL library, possibly loading its configuration
+ * file.
+ */
+ if (tls_library_init() == 0)
+ return (0);
+
/*
* Create an application data index for SSL objects, so that we can
* attach TLScontext information; this information is needed inside
/*
* With OpenSSL 1.0.2 and later the client EECDH curve list becomes
* configurable with the preferred curve negotiated via the supported
- * curves extension. With OpenSSL 3.0 and TLS 1.3, the same applies
- * to the FFDHE groups which become part of a unified "groups" list.
+ * curves extension. With OpenSSL 3.0 and TLS 1.3, the same applies to
+ * the FFDHE groups which become part of a unified "groups" list.
*/
tls_auto_groups(client_ctx, var_tls_eecdh_auto, var_tls_ffdhe_auto);
/* #define TLS_INTERNAL
/* #include <tls.h>
/*
+/* char *var_tls_cnf_file;
+/* char *var_tls_cnf_name;
/* char *var_tls_high_clist;
/* char *var_tls_medium_clist;
/* char *var_tls_null_clist;
/*
/* void tls_param_init()
/*
+/* int tls_library_init(void)
+/*
/* int tls_proto_mask_lims(plist, floor, ceiling)
/* const char *plist;
/* int *floor;
/* tls_param_init() loads main.cf parameters used internally in
/* TLS library. Any errors are fatal.
/*
+/* tls_library_init() initializes the OpenSSL library, optionally
+/* loading an OpenSSL configuration file.
+/*
/* tls_pre_jail_init() opens any tables that need to be opened before
/* entering a chroot jail. The "role" parameter must be TLS_ROLE_CLIENT
/* for clients and TLS_ROLE_SERVER for servers. Any errors are fatal.
/*
* Tunable parameters.
*/
+char *var_tls_cnf_file;
+char *var_tls_cnf_name;
char *var_tls_high_clist;
char *var_tls_medium_clist;
char *var_tls_low_ignored;
{
/* If this changes, update TLS_CLIENT_PARAMS in tls_proxy.h. */
static const CONFIG_STR_TABLE str_table[] = {
+ VAR_TLS_CNF_FILE, DEF_TLS_CNF_FILE, &var_tls_cnf_file, 0, 0,
+ VAR_TLS_CNF_NAME, DEF_TLS_CNF_NAME, &var_tls_cnf_name, 0, 0,
VAR_TLS_HIGH_CLIST, DEF_TLS_HIGH_CLIST, &var_tls_high_clist, 1, 0,
VAR_TLS_MEDIUM_CLIST, DEF_TLS_MEDIUM_CLIST, &var_tls_medium_clist, 1, 0,
VAR_TLS_LOW_CLIST, DEF_TLS_LOW_CLIST, &var_tls_low_ignored, 0, 0,
get_mail_conf_bool_table(bool_table);
}
+/* tls_library_init - perform OpenSSL library initialization */
+
+int tls_library_init(void)
+{
+ OPENSSL_INIT_SETTINGS *init_settings = 0;
+ char *conf_name = *var_tls_cnf_name ? var_tls_cnf_name : 0;
+ char *conf_file = 0;
+ unsigned long init_opts = 0;
+
+ if ((init_settings = OPENSSL_INIT_new()) == 0) {
+ msg_warn("error allocating OpenSSL init settings, "
+ "disabling TLS support");
+ return (0);
+ }
+#if OPENSSL_VERSION_NUMBER < 0x1010102fL
+
+ /*
+ * OpenSSL 1.1.0 through 1.1.1a, no support for custom configuration
+ * files, disabling loading of the file, or getting strict error
+ * handling. Thus, the only supported configuration file is "default".
+ */
+ if (strcmp(var_tls_cnf_file, "default") != 0) {
+ msg_warn("non-default %s = %s requires OpenSSL 1.1.1b or later, "
+ "disabling TLS support", VAR_TLS_CNF_FILE, var_tls_cnf_file);
+ return (0);
+ }
+#else
+ {
+ unsigned long init_flags = 0;
+
+ /*-
+ * OpenSSL 1.1.1b or later:
+ * We can now choose a non-default or configuration file, or
+ * use none at all. We can also request strict error
+ * reporting.
+ */
+ if (strcmp(var_tls_cnf_file, "default") == 0) {
+ conf_file = 0;
+ /* The default global config file is optional */
+ init_flags |= CONF_MFLAGS_IGNORE_MISSING_FILE;
+ } else if (strcmp(var_tls_cnf_file, "none") == 0) {
+ init_opts |= OPENSSL_INIT_NO_LOAD_CONFIG;
+ } else if (*var_tls_cnf_file == '/') {
+ conf_file = var_tls_cnf_file;
+ } else {
+ msg_warn("non-default %s = %s is not an absolute pathname, "
+ "disabling TLS support", VAR_TLS_CNF_FILE, var_tls_cnf_file);
+ return (0);
+ }
+
+ /*
+ * By not including CONF_MFLAGS_IGNORE_RETURN_CODES, we get strict
+ * error reporting. We don't insist on a match for the requested
+ * application name, allowing fallback to the default application
+ * name, even when a non-default application name is specified by
+ * always setting the CONF_MFLAGS_DEFAULT_SECTION bit.
+ */
+ init_flags |= CONF_MFLAGS_DEFAULT_SECTION;
+ OPENSSL_INIT_set_config_file_flags(init_settings, init_flags);
+ }
+#endif
+
+ if (conf_file)
+ OPENSSL_INIT_set_config_filename(init_settings, conf_file);
+ if (conf_name)
+ OPENSSL_INIT_set_config_appname(init_settings, conf_name);
+
+ if (OPENSSL_init_ssl(init_opts, init_settings) <= 0) {
+ if ((init_opts & OPENSSL_INIT_NO_LOAD_CONFIG) == 0)
+ msg_warn("error loading the '%s' settings from the %s OpenSSL "
+ "configuration file, disabling TLS support",
+ conf_name ? conf_name : "global",
+ conf_file ? conf_file : "default");
+ else
+ msg_warn("error initializing the OpenSSL library, "
+ "disabling TLS support");
+ tls_print_errors();
+ return (0);
+ }
+ return (1);
+}
+
/* tls_pre_jail_init - Load TLS related pre-jail tables */
void tls_pre_jail_init(TLS_ROLE role)
void *, void *, void *);
#define TLS_PROXY_CLIENT_INIT_PROPS(props, a1, a2, a3, a4, a5, a6, a7, a8, \
- a9, a10, a11, a12, a13, a14) \
+ a9, a10, a11, a12, a13, a14, a15, a16) \
(((props)->a1), ((props)->a2), ((props)->a3), \
((props)->a4), ((props)->a5), ((props)->a6), ((props)->a7), \
((props)->a8), ((props)->a9), ((props)->a10), ((props)->a11), \
- ((props)->a12), ((props)->a13), ((props)->a14))
+ ((props)->a12), ((props)->a13), ((props)->a14), ((props)->a15), \
+ ((props)->a16))
#define TLS_PROXY_CLIENT_START_PROPS(props, a1, a2, a3, a4, a5, a6, a7, a8, \
a9, a10, a11, a12, a13, a14) \
/*
* TLS_CLIENT_INIT_PROPS attributes.
*/
+#define TLS_ATTR_CNF_FILE "config_file"
+#define TLS_ATTR_CNF_NAME "config_name"
#define TLS_ATTR_LOG_PARAM "log_param"
#define TLS_ATTR_LOG_LEVEL "log_level"
#define TLS_ATTR_VERIFYDEPTH "verifydepth"
#define STRING_OR_EMPTY(s) ((s) ? (s) : "")
ret = print_fn(fp, flags | ATTR_FLAG_MORE,
+ SEND_ATTR_STR(TLS_ATTR_CNF_FILE,
+ STRING_OR_EMPTY(props->cnf_file)),
+ SEND_ATTR_STR(TLS_ATTR_CNF_NAME,
+ STRING_OR_EMPTY(props->cnf_name)),
SEND_ATTR_STR(TLS_ATTR_LOG_PARAM,
STRING_OR_EMPTY(props->log_param)),
SEND_ATTR_STR(TLS_ATTR_LOG_LEVEL,
void tls_proxy_client_init_free(TLS_CLIENT_INIT_PROPS *props)
{
+ myfree((void *) props->cnf_file);
+ myfree((void *) props->cnf_name);
myfree((void *) props->log_param);
myfree((void *) props->log_level);
myfree((void *) props->cache_type);
TLS_CLIENT_INIT_PROPS *props
= (TLS_CLIENT_INIT_PROPS *) mymalloc(sizeof(*props));
int ret;
+ VSTRING *cnf_file = vstring_alloc(25);
+ VSTRING *cnf_name = vstring_alloc(25);
VSTRING *log_param = vstring_alloc(25);
VSTRING *log_level = vstring_alloc(25);
VSTRING *cache_type = vstring_alloc(25);
*/
memset(props, 0, sizeof(*props));
ret = scan_fn(fp, flags | ATTR_FLAG_MORE,
+ RECV_ATTR_STR(TLS_ATTR_CNF_FILE, cnf_file),
+ RECV_ATTR_STR(TLS_ATTR_CNF_NAME, cnf_name),
RECV_ATTR_STR(TLS_ATTR_LOG_PARAM, log_param),
RECV_ATTR_STR(TLS_ATTR_LOG_LEVEL, log_level),
RECV_ATTR_INT(TLS_ATTR_VERIFYDEPTH, &props->verifydepth),
RECV_ATTR_STR(TLS_ATTR_MDALG, mdalg),
ATTR_TYPE_END);
/* Always construct a well-formed structure. */
+ props->cnf_file = vstring_export(cnf_file);
+ props->cnf_name = vstring_export(cnf_name);
props->log_param = vstring_export(log_param);
props->log_level = vstring_export(log_level);
props->cache_type = vstring_export(cache_type);
props->CAfile = vstring_export(CAfile);
props->CApath = vstring_export(CApath);
props->mdalg = vstring_export(mdalg);
- ret = (ret == 14 ? 1 : -1);
+ ret = (ret == 16 ? 1 : -1);
if (ret != 1) {
tls_proxy_client_init_free(props);
props = 0;
static const char server_session_id_context[] = "Postfix/TLS";
#ifndef OPENSSL_NO_TLSEXT
+
/*
* We retain the cipher handle for the lifetime of the process.
*/
static const EVP_CIPHER *tkt_cipher;
+
#endif
#define GET_SID(s, v, lptr) ((v) = SSL_SESSION_get_id((s), (lptr)))
*/
tls_check_version();
+ /*
+ * Initialize the OpenSSL library, possibly loading its configuration
+ * file.
+ */
+ if (tls_library_init() == 0)
+ return (0);
+
/*
* First validate the protocols. If these are invalid, we can't continue.
*/
tls_tmp_dh(sni_ctx, 1);
/*
- * Enable EECDH if available, errors are not fatal, we just keep going with
- * any remaining key-exchange algorithms. With OpenSSL 3.0 and TLS 1.3,
- * the same applies to the FFDHE groups which become part of a unified
- * "groups" list.
+ * Enable EECDH if available, errors are not fatal, we just keep going
+ * with any remaining key-exchange algorithms. With OpenSSL 3.0 and TLS
+ * 1.3, the same applies to the FFDHE groups which become part of a
+ * unified "groups" list.
*/
tls_auto_groups(server_ctx, var_tls_eecdh_auto, var_tls_ffdhe_auto);
tls_auto_groups(sni_ctx, var_tls_eecdh_auto, var_tls_ffdhe_auto);
*/
(void) tls_proxy_client_param_from_config(&tls_params);
(void) TLS_CLIENT_INIT_ARGS(&init_props,
+ cnf_file = var_tls_cnf_file,
+ cnf_name = var_tls_cnf_name,
log_param = var_tlsp_clnt_logparam,
log_level = var_tlsp_clnt_loglevel,
verifydepth = var_tlsp_clnt_scert_vd,
projects / thirdparty / postfix.git / commitdiff
