File: mantools/check-snapshot-nonprod.
First general Postfix release with TLSRPT support.
+
+20240927
+
+ Feature: new parameter smtp_tlsrpt_skip_reused_handshakes
+ (default: yes) to suppress TLSRPT status reports for TLS
+ handshakes that reuse a previously-negotiated TLS session
+ (there would be no new information to report). Specify "no"
+ for TLSRPT troubleshooting. Files: mantools/postlink,
+ proto/TLSRPT_README.html, proto/postconf.proto, smtp/smtp.c,
+ smtp/smtp_params.c, smtp/smtp_tlsrpt.c, tls/tls_client.c,
+ tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c,
+ tls/tlsrpt_wrapper.c, tls/tlsrpt_wrapper.h.
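Review bot: the Files: list in this HISTORY entry does not cover everything the patch touches. The hunk that adds VAR_SMTP_TLSRPT_SKIP_REUSED_HS, DEF_SMTP_TLSRPT_SKIP_REUSED_HS, the LMTP equivalents and `extern int var_smtp_tlsrpt_skip_reused_hs;` lives in the parameter-name header (global/mail_params.h by Postfix layout), and the lmtp_nbool_table entry lives in the LMTP parameter table (smtp/lmtp_params.c by Postfix layout); neither file is named here. Add them so the entry can be used to locate the whole change.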
[ipaddr],
failure_type=validation_failure, failure_reason=self-signed_certificate
-Note: Postfix logs and reports TLSRPT status only for TLS handshakes on a new
-SMTP connection. There is no TLSRPT status logging for a reused SMTP
-connection. Such connections have Postfix SMTP client logging like this:
+Notes:
+
+ * Postfix logs and reports the TLSRPT status only for TLS handshakes on a new
+ SMTP connection. There is no TLS handshake, and thus no TLSRPT status
+ logging, when an SMTP connection is reused. Such connections have Postfix
+ SMTP client logging like this:
Verified T\bTL\bLS\bS c\bco\bon\bnn\bne\bec\bct\bti\bio\bon\bn r\bre\beu\bus\bse\bed\bd to mail.example.com[ipaddr]:25:
TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Untrusted T\bTL\bLS\bS c\bco\bon\bnn\bne\bec\bct\bti\bio\bon\bn r\bre\beu\bus\bse\bed\bd to mail.example.com[ipaddr]:25:
TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
-Postfix logs certificate verification failures with a level of detail that is
-different for a new or reused TLS session.
+ * By default, Postfix does not report the TLSRPT status for a TLS handshake
+ that reuses a previously-negotiated TLS session (there would be no new
+ information to report). Specify "smtp_tlsrpt_skip_reused_handshakes = no"
+ to report the TLSRPT status for all TLS handshakes. This may be useful for
+ troubleshooting.
- * A new TLS session is logged with certificate verification failure details:
+ * Postfix logging for certificate verification failures may differ between
+ new or reused TLS sessions.
- TLSRPT: status=failure, domain=example.org, receiving_mx=mail.example.org
- [ipaddr],
- f\bfa\bai\bil\blu\bur\bre\be_\b_t\bty\byp\bpe\be=\b=v\bva\bal\bli\bid\bda\bat\bti\bio\bon\bn_\b_f\bfa\bai\bil\blu\bur\bre\be, f\bfa\bai\bil\blu\bur\bre\be_\b_r\bre\bea\bas\bso\bon\bn=\b=s\bse\bel\blf\bf-\b-s\bsi\big\bgn\bne\bed\bd_\b_c\bce\ber\brt\bti\bif\bfi\bic\bca\bat\bte\be
+ o New TLS session:
- * A reused TLS session is indicated as shown below, and has no certificate
- verification details:
+ TLSRPT: status=failure, domain=example.org,
+ receiving_mx=mail.example.org[ipaddr],
+ f\bfa\bai\bil\blu\bur\bre\be_\b_t\bty\byp\bpe\be=\b=v\bva\bal\bli\bid\bda\bat\bti\bio\bon\bn_\b_f\bfa\bai\bil\blu\bur\bre\be, f\bfa\bai\bil\blu\bur\bre\be_\b_r\bre\bea\bas\bso\bon\bn=\b=s\bse\bel\blf\bf-\b-
+ s\bsi\big\bgn\bne\bed\bd_\b_c\bce\ber\brt\bti\bif\bfi\bic\bca\bat\bte\be
- mail.example.org[ipaddr]:25: r\bre\be-\b-u\bus\bsi\bin\bng\bg s\bse\bes\bss\bsi\bio\bon\bn with untrusted peer
- credential, look for details earlier in the log
- TLSRPT: status=failure, domain=example.org, receiving_mx=mail.example.org
- [ipaddr],
- f\bfa\bai\bil\blu\bur\bre\be_\b_t\bty\byp\bpe\be=\b=c\bce\ber\brt\bti\bif\bfi\bic\bca\bat\bte\be_\b_n\bno\bot\bt_\b_t\btr\bru\bus\bst\bte\bed\bd
+ o Reused TLS session:
-Some Postfix users may wonder where the difference comes from. So this is why.
+ mail.example.org[ipaddr]:25: r\bre\be-\b-u\bus\bsi\bin\bng\bg s\bse\bes\bss\bsi\bio\bon\bn with untrusted peer
+ credential, look for details earlier in the log
+ TLSRPT: status=failure, domain=example.org,
+ receiving_mx=mail.example.org[ipaddr],
+ f\bfa\bai\bil\blu\bur\bre\be_\b_t\bty\byp\bpe\be=\b=c\bce\ber\brt\bti\bif\bfi\bic\bca\bat\bte\be_\b_n\bno\bot\bt_\b_t\btr\bru\bus\bst\bte\bed\bd
+
+ The logging may differ because a reused TLS session does not have the
+ details for why TLS authentication failed.
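Review bot: the "Reused TLS session" example in the third bullet may never appear with the default setting. In the tls_client.c hunk further down, a resumed session with skip_reused_hs set marks rpt_reported, and the comment there says the caller should then generate no TLSRPT event; if the "TLSRPT: status=failure ... failure_type=certificate_not_trusted" line is logged only when such an event is generated, that example is only seen with "smtp_tlsrpt_skip_reused_handshakes = no". Say so in the bullet (or state that the example assumes the parameter is set to "no"), so readers do not search their logs for a line the default configuration never writes.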
D\bDe\bel\bli\biv\bve\ber\bri\bin\bng\bg T\bTL\bLS\bSR\bRP\bPT\bT s\bsu\bum\bmm\bma\bar\bri\bie\bes\bs v\bvi\bia\ba e\bem\bma\bai\bil\bl
L\bLi\bim\bmi\bit\bta\bat\bti\bio\bon\bns\bs
-The Postfix TLSRPT implementation reports at most one final TLS handshake
-status (either 'success' or 'failure') per connection. Postfix TLSRPT cannot
-report a failure and then later report a final status of 'success' for that
-same connection. The reason is that it's too complicated to filter TLS errors
-and to report error details from the TLS engine back to the SMTP protocol
-engine. It just is not how Postfix works internally.
-
The Postfix TLSRPT implementation reports only TLS handshake success or
-failure. It does not report failure to connect, or connections that break after
-a successful TLS handshake.
+failure. It does not report failure to connect, or connections that break
+before or after a TLS handshake.
+
+The Postfix TLSRPT implementation reports at most one final TLS handshake
+status (either 'success' or 'failure') per SMTP connection. Postfix TLSRPT will
+not report a recoverable failure and then later report a final status of
+'success' for that same connection. The reason is that it's too complicated to
+filter TLS errors and to report error details from the TLS engine back to the
+SMTP protocol engine. It just is not how Postfix works internally.
C\bCr\bre\bed\bdi\bit\bts\bs
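Review bot: "recoverable failure" is new in this revision of the paragraph and is not defined anywhere in the section, so a reader cannot tell which failures Postfix treats as recoverable and therefore leaves out of the report when the same connection later succeeds. Either spell out what a recoverable failure is here, or keep the earlier unqualified "a failure", which the rest of the paragraph ("too complicated to filter TLS errors") already explains.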
Disable -DSNAPSHOT and -DNONPROD in makedefs.
Add smtp_tlsrpt_allow_list feature (default: static:all) to limit
- the domains for which Postfix generates TLSRPT daily sumamries.
+ the domains for which Postfix generates TLSRPT daily summaries.
+
+ Rename TLS_SESS_STATE.rpt_reported to skip_tlsrpt_report.
Add unit tests for smtp_tlsrpt.c, tlstrpd_wrapper.c, ...
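Review bot: the adjacent context line still misspells the file as "tlstrpd_wrapper.c"; the file is tls/tlsrpt_wrapper.c (as listed in the HISTORY entry above), so fix it in the same pass as the "sumamries" typo.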
engine. With "<a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> = no", the <a href="smtp.8.html">smtp(8)</a> client
process also implements the TLS client engine. With
"<a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> = yes", the <a href="smtp.8.html">smtp(8)</a> client process
-delegates TLS processing to a Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> process. Either
-way, Postfix will generate the exact same TLSRPT events. </p>
+delegates TLS processing to a Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> process. Either
+way, Postfix will generate the exact same TLSRPT events. </p>
<h2> <a name="building"> Building Postfix with TLSRPT support </a>
</h2>
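Review bot: the removed and added "delegates TLS processing ... TLSRPT events. </p>" lines appear textually identical in this view, so this is a whitespace-only change (trailing space or tab, most likely). Either drop it from the patch or label it as whitespace cleanup; as it stands it makes the reviewer hunt for a difference that is not there. The same pair recurs in the copy without postconf links further down.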
</pre>
</blockquote>
-<p> Note: Postfix logs and reports TLSRPT status only for TLS
-handshakes on a new SMTP connection. There is no TLSRPT status
-logging for a reused SMTP connection. Such connections have
-Postfix SMTP client logging like this: </p>
+<p> Notes: </p>
+
+<ul>
+
+<li> <p> Postfix logs and reports the TLSRPT status only for TLS
+handshakes on a new SMTP connection. There is no TLS handshake, and
+thus no TLSRPT status logging, when an SMTP connection is reused.
+Such connections have Postfix SMTP client logging like this: </p>
-<blockquote>
<pre>
Verified <b>TLS connection reused</b> to mail.example.com[ipaddr]:25:
TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Untrusted <b>TLS connection reused</b> to mail.example.com[ipaddr]:25:
TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
</pre>
-</blockquote>
-<p> Postfix logs certificate verification failures with a level of
-detail that is different for a new or reused TLS session. </p>
+<li> <p> By default, Postfix does not report the TLSRPT status for
+a TLS handshake that reuses a previously-negotiated TLS session
+(there would be no new information to report). Specify
+"<a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a> = no" to report the TLSRPT
+status for all TLS handshakes. This may be useful for troubleshooting.
+</p>
+
+<li> <p> Postfix logging for certificate verification failures may
+differ between new or reused TLS sessions. </p>
<ul>
-<li> <p> A new TLS session is logged with certificate verification
-failure details: </p>
+<li> <p> New TLS session:
+</p>
<pre>
TLSRPT: status=failure, domain=example.org, receiving_mx=mail.example.org[ipaddr],
<b>failure_type=validation_failure</b>, <b>failure_reason=self-signed_certificate</b>
</pre>
-<li> <p> A reused TLS session is indicated as shown below, and has
-no certificate verification details: </p>
+<li> <p> Reused TLS session: </p>
<pre>
mail.example.org[ipaddr]:25: <b>re-using session</b> with untrusted peer
</ul>
-<p> Some Postfix users may wonder where the difference comes from.
-So this is why. </p>
+<p> The logging may differ because a reused TLS session does not
+have the details for why TLS authentication failed. </p>
+
+</ul>
<h2> <a name="delivering"> Delivering TLSRPT summaries via email</a> </h2>
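Review bot: the first and second bullets use "reuse" for two different mechanisms and the text does not separate them. The first bullet is about a reused SMTP connection (no TLS handshake at all, hence the "TLS connection reused" log lines), while the second is about a TLS handshake that resumes a previously-negotiated TLS session on a new SMTP connection, which is what smtp_tlsrpt_skip_reused_handshakes controls (the tls_client.c hunk tests TLScontext->session_reused, and its comment says the code is never called for a reused TCP connection). Suggest wording the second bullet as "a TLS handshake on a new SMTP connection that resumes a previously-negotiated TLS session", so readers do not expect the parameter to affect the log lines shown in the first bullet.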
<h2> <a name="limitations"> Limitations </a></h2>
-<p> The Postfix TLSRPT implementation reports at most one final TLS
-handshake status (either 'success' or 'failure') per connection.
-Postfix TLSRPT cannot report a failure and then later report a final
-status of 'success' for that same connection. The reason is that
-it's too complicated to filter TLS errors and to report error details
-from the TLS engine back to the SMTP protocol engine. It just is
-not how Postfix works internally. </p>
-
<p> The Postfix TLSRPT implementation reports only TLS handshake
success or failure. It does not report failure to connect, or
-connections that break after a successful TLS handshake. </p>
+connections that break before or after a TLS handshake. </p>
+
+<p> The Postfix TLSRPT implementation reports at most one final TLS
+handshake status (either 'success' or 'failure') per SMTP connection.
+Postfix TLSRPT will not report a recoverable failure and then later
+report a final status of 'success' for that same connection. The
+reason is that it's too complicated to filter TLS errors and to
+report error details from the TLS engine back to the SMTP protocol
+engine. It just is not how Postfix works internally. </p>
<h2> <a name="credits"> Credits </a> </h2>
Available in Postfix version 3.2 and later:
<b><a href="postconf.5.html#tls_eecdh_auto_curves">tls_eecdh_auto_curves</a> (see 'postconf -d' output)</b>
- The prioritized list of elliptic curves supported by the Postfix
- SMTP client and server.
+ The prioritized list of elliptic curves, that should be enabled
+ in the Postfix SMTP client and server.
Available in Postfix version 3.4 and later:
The pathname of a UNIX-domain datagram socket that is managed by
a local TLSRPT reporting service.
+ <b><a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a> (yes)</b>
+ Do not report the TLSRPT status for TLS protocol handshakes that
+ reuse a previously-negotiated TLS session (there is no new
+ information to report).
+
<b>OBSOLETE STARTTLS CONTROLS</b>
The following configuration parameters exist for compatibility with
Postfix versions before 2.3. Support for these will be removed in a
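Review bot: the reworded sentence has a stray comma, "elliptic curves, that should be enabled": the clause is restrictive, so drop it ("The prioritized list of elliptic curves that should be enabled in the Postfix SMTP client and server"). The same sentence is changed identically in the other manual-page copies in this patch, so fix all of them. This tls_eecdh_auto_curves edit is also unrelated to the TLSRPT feature and is not mentioned in the HISTORY entry; consider splitting it out or adding a line for it.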
<p> Enable support for <a href="https://tools.ietf.org/html/rfc8460">RFC 8460</a> TLSRPT notifications. A mail receiving
domain can publish a TLSRPT policy in DNS, to request periodic
summaries of successful and failed SMTP over TLS connections to
-their mail servers. This feature requires that Postfix is built
+their MX servers. This feature requires that Postfix is built
with a TLSRPT supporting library. </p>
<p> This feature is available in Postfix ≥ 3.10. </p>
+</DD>
+
+<DT><b><a name="smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a>
+(default: yes)</b></DT><DD>
+
+<p> Do not report the TLSRPT status for TLS protocol handshakes
+that reuse a previously-negotiated TLS session (there is no new
+information to report). Report the TLSRPT status only for "new" TLS
+sessions. Set this to "no" to log the TLSRPT status of all TLS
+handshakes, for example to troubleshoot Postfix TLSRPT support.
+</p>
+
+<p> This feature is available in Postfix ≥ 3.10. </p>
+
+
</DD>
<DT><b><a name="smtp_tlsrpt_socket_name">smtp_tlsrpt_socket_name</a>
Available in Postfix version 3.2 and later:
<b><a href="postconf.5.html#tls_eecdh_auto_curves">tls_eecdh_auto_curves</a> (see 'postconf -d' output)</b>
- The prioritized list of elliptic curves supported by the Postfix
- SMTP client and server.
+ The prioritized list of elliptic curves, that should be enabled
+ in the Postfix SMTP client and server.
Available in Postfix version 3.4 and later:
The pathname of a UNIX-domain datagram socket that is managed by
a local TLSRPT reporting service.
+ <b><a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a> (yes)</b>
+ Do not report the TLSRPT status for TLS protocol handshakes that
+ reuse a previously-negotiated TLS session (there is no new
+ information to report).
+
<b>OBSOLETE STARTTLS CONTROLS</b>
The following configuration parameters exist for compatibility with
Postfix versions before 2.3. Support for these will be removed in a
Enable support for RFC 8460 TLSRPT notifications. A mail receiving
domain can publish a TLSRPT policy in DNS, to request periodic
summaries of successful and failed SMTP over TLS connections to
-their mail servers. This feature requires that Postfix is built
+their MX servers. This feature requires that Postfix is built
with a TLSRPT supporting library.
.PP
This feature is available in Postfix >= 3.10.
+.SH smtp_tlsrpt_skip_reused_handshakes (default: yes)
+Do not report the TLSRPT status for TLS protocol handshakes
+that reuse a previously\-negotiated TLS session (there is no new
+information to report). Report the TLSRPT status only for "new" TLS
+sessions. Set this to "no" to log the TLSRPT status of all TLS
+handshakes, for example to troubleshoot Postfix TLSRPT support.
+.PP
+This feature is available in Postfix >= 3.10.
.SH smtp_tlsrpt_socket_name (default: empty)
The pathname of a UNIX\-domain datagram socket that is managed
by a local TLSRPT reporting service. This parameter must specify a
.PP
Available in Postfix version 3.2 and later:
.IP "\fBtls_eecdh_auto_curves (see 'postconf -d' output)\fR"
-The prioritized list of elliptic curves supported by the Postfix
-SMTP client and server.
+The prioritized list of elliptic curves, that should be enabled in the
+Postfix SMTP client and server.
.PP
Available in Postfix version 3.4 and later:
.IP "\fBsmtp_tls_connection_reuse (no)\fR"
.IP "\fBsmtp_tlsrpt_socket_name (empty)\fR"
The pathname of a UNIX\-domain datagram socket that is managed
by a local TLSRPT reporting service.
+.IP "\fBsmtp_tlsrpt_skip_reused_handshakes (yes)\fR"
+Do not report the TLSRPT status for TLS protocol handshakes
+that reuse a previously\-negotiated TLS session (there is no new
+information to report).
.SH "OBSOLETE STARTTLS CONTROLS"
.na
.nf
s;\blmtp_tls_connection_reuse\b;<a href="postconf.5.html#lmtp_tls_connection_reuse">$&</a>;g;
s;\bsmtp_tlsrpt_enable\b;<a href="postconf.5.html#smtp_tlsrpt_enable">$&</a>;g;
s;\bsmtp_tlsrpt_socket_name\b;<a href="postconf.5.html#smtp_tlsrpt_socket_name">$&</a>;g;
+ s;\bsmtp_tlsrpt_skip_reused_handshakes\b;<a href="postconf.5.html#smtp_tlsrpt_skip_reused_handshakes">$&</a>;g;
s;\blmtp_tlsrpt_enable\b;<a href="postconf.5.html#lmtp_tlsrpt_enable">$&</a>;g;
s;\blmtp_tlsrpt_socket_name\b;<a href="postconf.5.html#lmtp_tlsrpt_socket_name">$&</a>;g;
+ s;\blmtp_tlsrpt_skip_reused_handshakes\b;<a href="postconf.5.html#lmtp_tlsrpt_skip_reused_handshakes">$&</a>;g;
s;\bsmtpd_enforce_tls\b;<a href="postconf.5.html#smtpd_enforce_tls">$&</a>;g;
s;\bsmtpd_sasl_tls_security_options\b;<a href="postconf.5.html#smtpd_sasl_tls_security_options">$&</a>;g;
s;\bsmtpd_sasl_type\b;<a href="postconf.5.html#smtpd_sasl_type">$&</a>;g;
engine. With "smtp_tls_connection_reuse = no", the smtp(8) client
process also implements the TLS client engine. With
"smtp_tls_connection_reuse = yes", the smtp(8) client process
-delegates TLS processing to a Postfix tlsproxy(8) process. Either
-way, Postfix will generate the exact same TLSRPT events. </p>
+delegates TLS processing to a Postfix tlsproxy(8) process. Either
+way, Postfix will generate the exact same TLSRPT events. </p>
<h2> <a name="building"> Building Postfix with TLSRPT support </a>
</h2>
</pre>
</blockquote>
-<p> Note: Postfix logs and reports TLSRPT status only for TLS
-handshakes on a new SMTP connection. There is no TLSRPT status
-logging for a reused SMTP connection. Such connections have
-Postfix SMTP client logging like this: </p>
+<p> Notes: </p>
+
+<ul>
+
+<li> <p> Postfix logs and reports the TLSRPT status only for TLS
+handshakes on a new SMTP connection. There is no TLS handshake, and
+thus no TLSRPT status logging, when an SMTP connection is reused.
+Such connections have Postfix SMTP client logging like this: </p>
-<blockquote>
<pre>
Verified <b>TLS connection reused</b> to mail.example.com[ipaddr]:25:
TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Untrusted <b>TLS connection reused</b> to mail.example.com[ipaddr]:25:
TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
</pre>
-</blockquote>
-<p> Postfix logs certificate verification failures with a level of
-detail that is different for a new or reused TLS session. </p>
+<li> <p> By default, Postfix does not report the TLSRPT status for
+a TLS handshake that reuses a previously-negotiated TLS session
+(there would be no new information to report). Specify
+"smtp_tlsrpt_skip_reused_handshakes = no" to report the TLSRPT
+status for all TLS handshakes. This may be useful for troubleshooting.
+</p>
+
+<li> <p> Postfix logging for certificate verification failures may
+differ between new or reused TLS sessions. </p>
<ul>
-<li> <p> A new TLS session is logged with certificate verification
-failure details: </p>
+<li> <p> New TLS session:
+</p>
<pre>
TLSRPT: status=failure, domain=example.org, receiving_mx=mail.example.org[ipaddr],
<b>failure_type=validation_failure</b>, <b>failure_reason=self-signed_certificate</b>
</pre>
-<li> <p> A reused TLS session is indicated as shown below, and has
-no certificate verification details: </p>
+<li> <p> Reused TLS session: </p>
<pre>
mail.example.org[ipaddr]:25: <b>re-using session</b> with untrusted peer
</ul>
-<p> Some Postfix users may wonder where the difference comes from.
-So this is why. </p>
+<p> The logging may differ because a reused TLS session does not
+have the details for why TLS authentication failed. </p>
+
+</ul>
<h2> <a name="delivering"> Delivering TLSRPT summaries via email</a> </h2>
<h2> <a name="limitations"> Limitations </a></h2>
-<p> The Postfix TLSRPT implementation reports at most one final TLS
-handshake status (either 'success' or 'failure') per connection.
-Postfix TLSRPT cannot report a failure and then later report a final
-status of 'success' for that same connection. The reason is that
-it's too complicated to filter TLS errors and to report error details
-from the TLS engine back to the SMTP protocol engine. It just is
-not how Postfix works internally. </p>
-
<p> The Postfix TLSRPT implementation reports only TLS handshake
success or failure. It does not report failure to connect, or
-connections that break after a successful TLS handshake. </p>
+connections that break before or after a TLS handshake. </p>
+
+<p> The Postfix TLSRPT implementation reports at most one final TLS
+handshake status (either 'success' or 'failure') per SMTP connection.
+Postfix TLSRPT will not report a recoverable failure and then later
+report a final status of 'success' for that same connection. The
+reason is that it's too complicated to filter TLS errors and to
+report error details from the TLS engine back to the SMTP protocol
+engine. It just is not how Postfix works internally. </p>
<h2> <a name="credits"> Credits </a> </h2>
<p> Enable support for RFC 8460 TLSRPT notifications. A mail receiving
domain can publish a TLSRPT policy in DNS, to request periodic
summaries of successful and failed SMTP over TLS connections to
-their mail servers. This feature requires that Postfix is built
+their MX servers. This feature requires that Postfix is built
with a TLSRPT supporting library. </p>
<p> This feature is available in Postfix ≥ 3.10. </p>
"smtp_tlsrpt_enable = yes". </p>
<p> This feature is available in Postfix ≥ 3.10. </p>
+
+%PARAM smtp_tlsrpt_skip_reused_handshakes yes
+
+<p> Do not report the TLSRPT status for TLS protocol handshakes
+that reuse a previously-negotiated TLS session (there is no new
+information to report). Report the TLSRPT status only for "new" TLS
+sessions. Set this to "no" to log the TLSRPT status of all TLS
+handshakes, for example to troubleshoot Postfix TLSRPT support.
+</p>
+
+<p> This feature is available in Postfix ≥ 3.10. </p>
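Review bot: only the smtp_ parameter gets a %PARAM entry here, yet the patch also defines VAR_LMTP_TLSRPT_SKIP_REUSED_HS / lmtp_tlsrpt_skip_reused_handshakes and adds a postlink rule that links that name to postconf.5.html#lmtp_tlsrpt_skip_reused_handshakes; add a %PARAM lmtp_tlsrpt_skip_reused_handshakes entry (the LMTP-specific version of smtp_tlsrpt_skip_reused_handshakes, following the pattern of the other lmtp_tlsrpt_* parameters) so the link target exists. The description also switches verbs, "Report the TLSRPT status only for new TLS sessions" versus "Set this to no to log the TLSRPT status of all TLS handshakes"; use one of them, since the parameter controls whether a TLSRPT event is generated.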
cleanup cleanup h cleanup cleanup_extracted c
File postcat postcat c
Files src tls tls h src tls tls_dh c src tls tls_misc c
+ proto TLSRPT_README html proto postconf proto smtp smtp c
#define DEF_LMTP_TLSRPT_SOCKNAME DEF_SMTP_TLSRPT_SOCKNAME
extern char *var_smtp_tlsrpt_sockname;
+#define VAR_SMTP_TLSRPT_SKIP_REUSED_HS "smtp_tlsrpt_skip_reused_handshakes"
+#define DEF_SMTP_TLSRPT_SKIP_REUSED_HS "yes"
+#define VAR_LMTP_TLSRPT_SKIP_REUSED_HS "lmtp_tlsrpt_skip_reused_handshakes"
+#define DEF_LMTP_TLSRPT_SKIP_REUSED_HS DEF_SMTP_TLSRPT_SKIP_REUSED_HS
+extern int var_smtp_tlsrpt_skip_reused_hs;
+
/* LICENSE
/* .ad
/* .fi
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20240926"
+#define MAIL_RELEASE_DATE "20240927"
#define MAIL_VERSION_NUMBER "3.10"
#ifdef SNAPSHOT
static const CONFIG_NBOOL_TABLE lmtp_nbool_table[] = {
VAR_LMTP_REQ_DEADLINE, DEF_LMTP_REQ_DEADLINE, &var_smtp_req_deadline,
VAR_LMTP_TLSRPT_ENABLE, DEF_LMTP_TLSRPT_ENABLE, &var_smtp_tlsrpt_enable,
+ VAR_LMTP_TLSRPT_SKIP_REUSED_HS, DEF_LMTP_TLSRPT_SKIP_REUSED_HS, &var_smtp_tlsrpt_skip_reused_hs,
0,
};
/* .PP
/* Available in Postfix version 3.2 and later:
/* .IP "\fBtls_eecdh_auto_curves (see 'postconf -d' output)\fR"
-/* The prioritized list of elliptic curves supported by the Postfix
-/* SMTP client and server.
+/* The prioritized list of elliptic curves, that should be enabled in the
+/* Postfix SMTP client and server.
/* .PP
/* Available in Postfix version 3.4 and later:
/* .IP "\fBsmtp_tls_connection_reuse (no)\fR"
/* .IP "\fBsmtp_tlsrpt_socket_name (empty)\fR"
/* The pathname of a UNIX-domain datagram socket that is managed
/* by a local TLSRPT reporting service.
+/* .IP "\fBsmtp_tlsrpt_skip_reused_handshakes (yes)\fR"
+/* Do not report the TLSRPT status for TLS protocol handshakes
+/* that reuse a previously-negotiated TLS session (there is no new
+/* information to report).
/* OBSOLETE STARTTLS CONTROLS
/* .ad
/* .fi
bool var_allow_srv_fallback;
bool var_smtp_tlsrpt_enable;
char *var_smtp_tlsrpt_sockname;
+bool var_smtp_tlsrpt_skip_reused_hs;
/* Special handling of 535 AUTH errors. */
char *var_smtp_sasl_auth_cache_name;
static const CONFIG_NBOOL_TABLE smtp_nbool_table[] = {
VAR_SMTP_REQ_DEADLINE, DEF_SMTP_REQ_DEADLINE, &var_smtp_req_deadline,
VAR_SMTP_TLSRPT_ENABLE, DEF_SMTP_TLSRPT_ENABLE, &var_smtp_tlsrpt_enable,
+ VAR_SMTP_TLSRPT_SKIP_REUSED_HS, DEF_SMTP_TLSRPT_SKIP_REUSED_HS, &var_smtp_tlsrpt_skip_reused_hs,
0,
};
state->tlsrpt = trw_create(
/* rpt_socket_name= */ var_smtp_tlsrpt_sockname,
/* rpt_policy_domain= */ adomain,
- /* rpt_policy_string= */ rr->data);
+ /* rpt_policy_string= */ rr->data,
+ /* skip_reused_hs = */ var_smtp_tlsrpt_skip_reused_hs);
dns_rr_free(rr);
} else {
if (msg_verbose)
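Review bot: nit, the new argument comment is spaced "/* skip_reused_hs = */" while the neighbouring ones are written "/* rpt_policy_string= */"; match the existing style.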
* connection. It is never called for a reused TCP connection.
*
* Inform the caller that they should not generate a TLSRPT 'success' or
- * 'failure' event: this TLS protocol engine has already generated a
- * TLSRPT 'failure' event for this session.
+ * 'failure' event: either this TLS protocol engine has already generated
+ * a TLSRPT 'failure' event for this session, or this is a reused TLS
+ * session.
*/
#ifdef USE_TLSRPT
TLScontext->rpt_reported = props->tlsrpt != 0
- && trw_is_reported(props->tlsrpt);
+ && (trw_is_reported(props->tlsrpt)
+ || (TLScontext->session_reused
+ && trw_is_skip_reused_hs(props->tlsrpt)));
#endif
return (TLScontext);
STRING_OR_EMPTY(trw->rcv_mta_addr)),
SEND_ATTR_STR(TRW_DST_MTA_EHLO,
STRING_OR_EMPTY(trw->rcv_mta_ehlo)),
+ SEND_ATTR_INT(TRW_SKIP_REUSED_HS,
+ trw->skip_reused_hs),
SEND_ATTR_INT(TRW_FLAGS,
trw->flags),
ATTR_TYPE_END);
VSTRING *rcv_mta_name = vstring_alloc(100);
VSTRING *rcv_mta_addr = vstring_alloc(100);
VSTRING *rcv_mta_ehlo = vstring_alloc(100);
+ int skip_reused_hs;
int trw_flags;
ret = scan_fn(fp, flags | ATTR_FLAG_MORE,
RECV_ATTR_STR(TRW_DST_MTA_NAME, rcv_mta_name),
RECV_ATTR_STR(TRW_DST_MTA_ADDR, rcv_mta_addr),
RECV_ATTR_STR(TRW_DST_MTA_EHLO, rcv_mta_ehlo),
+ RECV_ATTR_INT(TRW_SKIP_REUSED_HS, &skip_reused_hs),
RECV_ATTR_INT(TRW_FLAGS, &trw_flags),
ATTR_TYPE_END);
EXPORT_OR_NULL(trw->rcv_mta_name, rcv_mta_name);
EXPORT_OR_NULL(trw->rcv_mta_addr, rcv_mta_addr);
EXPORT_OR_NULL(trw->rcv_mta_ehlo, rcv_mta_ehlo);
+ trw->skip_reused_hs = skip_reused_hs;
trw->flags = trw_flags;
- ret = (ret == 12 ? 1 : -1);
+ ret = (ret == 13 ? 1 : -1);
if (ret != 1) {
trw_free(trw);
trw = 0;
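Review bot: the success check "ret == 13" is a hand-counted attribute total that silently goes stale every time an attribute is added, as this very change shows (12 to 13). Consider deriving the expected count from the attribute list, or at least add a comment naming it as the number of RECV_ATTR_* entries in the scan_fn() call, so the next field does not leave a wrong number behind. The order itself is consistent: the new RECV_ATTR_INT(TRW_SKIP_REUSED_HS, ...) sits in the same position as the SEND_ATTR_INT(TRW_SKIP_REUSED_HS, ...) added on the print side.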
/* TLS_RPT *trw_create(
/* const char *rpt_socket_name,
/* const char *rpt_policy_domain,
-/* const char *rpt_policy_string)
+/* const char *rpt_policy_string,
+/* int skip_reused_hs)
/*
/* void trw_free(
/* TLSRPT_WRAPPER *trw)
/* int trw_is_reported(
/* TLSRPT_WRAPPER *trw)
/*
+/* int trw_is_skip_reused_hs(
+/* TLSRPT_WRAPPER *trw)
+/*
/* tlsrpt_policy_type_t convert_tlsrpt_policy_type(
/* const char *policy_type)
/*
/* .IP rpt_policy_string
/* The TLSRPT policy record content, i.e. how to submit TLSRPT
/* summary reports.
+/* .IP skip_reused_hs
+/* If non-zero, do not report the TLSRPT status for TLS handshakes
+/* that reuse a previously-negotiated TLS session; such sessions
+/* were already reported when they were used for the first time.
/* .PP
/* trw_free() destroys storage allocated with other trw_xxx()
/* requests.
/* trw_is_reported() returns non-zero when the contents of the
/* specified TLSRPT_WRAPPER have been reported.
/* .PP
+/* trw_is_skip_reused_hs() returns non-zero if the skip_reused_hs
+/* argument of trw_create() was non-zero.
+/* .PP
/* convert_tlsrpt_policy_type() and convert_tlsrpt_policy_failure()
/* convert a valid policy type or failure name to the corresponding
/* enum value. The result is < 0 if the name is not valid.
TLSRPT_WRAPPER *trw_create(const char *rpt_socket_name,
const char *rpt_policy_domain,
- const char *rpt_policy_string)
+ const char *rpt_policy_string,
+ int skip_reused_hs)
{
TLSRPT_WRAPPER *trw;
trw->rcv_mta_name = 0;
trw->rcv_mta_addr = 0;
trw->rcv_mta_ehlo = 0;
+ trw->skip_reused_hs = skip_reused_hs;
trw->flags = 0;
return (trw);
}
return (trw->flags & TRW_FLAG_REPORTED);
}
+/* trw_is_skip_reused_hs - don't report TLS handshakes that reuse a session */
+
+int trw_is_skip_reused_hs(const TLSRPT_WRAPPER *trw)
+{
+ return (trw->skip_reused_hs);
+}
+
#endif /* USE_TLS_RPT */
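Review bot: the trailing comment on the context line "#endif /* USE_TLS_RPT */" does not match the spelling USE_TLSRPT used for the guard in the tls_client.c hunk; since trw_is_skip_reused_hs() is added directly above it, check the comment against the #if at the top of this file and fix it in the same hunk.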
/*
extern TLSRPT_WRAPPER *trw_create(const char *rpt_socket_name,
const char *rpt_policy_domain,
- const char *rpt_policy_string);
+ const char *rpt_policy_string,
+ int skip_reused_hs);
extern void trw_free(TLSRPT_WRAPPER *trw);
extern void trw_set_tls_policy(TLSRPT_WRAPPER *trw,
tlsrpt_policy_type_t tls_policy_type,
const char *failure_reason);
extern int trw_report_success(TLSRPT_WRAPPER *trw);
extern int trw_is_reported(const TLSRPT_WRAPPER *trw);
+extern int trw_is_skip_reused_hs(const TLSRPT_WRAPPER *trw);
/*
* The internals declarations are also needed for functions that transmit
char *rpt_socket_name;
char *rpt_policy_domain;
char *rpt_policy_string;
+ int skip_reused_hs;
/* Set with trw_set_policy(). */
tlsrpt_policy_type_t tls_policy_type;
ARGV *tls_policy_strings;
#define TRW_RPT_SOCKET_NAME "rpt_socket_name"
#define TRW_RPT_POLICY_DOMAIN "rpt_policy_domain"
#define TRW_RPT_POLICY_STRING "rpt_policy_string"
+#define TRW_SKIP_REUSED_HS "skip_reused_hs"
#define TRW_TLS_POLICY_TYPE "tls_policy_type"
#define TRW_TLS_POLICY_STRINGS "tls_policy_strings" /* XXX Not checked */
#define TRW_TLS_POLICY_DOMAIN "tls_policy_domain"