posttls-finger/Makefile.in, posttls-finger/posttls-finger.c,
posttls-finger/tlsmgrmem.c, posttls-finger/tlsmgrmem.h,
tls/tls.h, tls/tls_misc.c.
+
+20130426
+
+ Non-production fixes: revert to using proxies (sender,
+ nexthop, hostname) to distinguish between different SASL
+ credentials for connections to the same IP address and port.
+ Files: smtp/smtp.h smtp/smtp_connect.c, smtp/smtp_key.c.
+
+ Non-production cleanup: documentation, identifiers. Viktor
+ Dukhovni. Files: proto/postconf.proto, src/dns/dns.h,
+ src/dns/dns_lookup.c, src/dns/dns_rr.c, src/dns/test_dns_lookup.c,
+ src/global/mail_proto.h, src/posttls-finger/posttls-finger.c,
+ src/smtp/smtp.h, src/smtp/smtp_addr.c, src/smtp/smtp_connect.c,
+ src/smtp/smtp_session.c, src/smtp/smtp_tls_policy.c,
+ src/smtpd/smtpd_check.c, src/tls/tls.h, src/tls/tls_client.c,
+ src/tls/tls_dane.c, src/tls/tls_fprint.c, src/tls/tls_misc.c,
+ src/tls/tls_proxy_clnt.c, src/tls/tls_proxy_print.c,
+ src/tls/tls_proxy_scan.c, src/tls/tls_server.c,
+ src/tls/tls_verify.c.
some_bound". Instead of bare numbers use named constants
in function argument lists.
- Code clarity: replace "valid" with or "dnssec_valid".
-
Code clarity: replace obscure macro/function names: for
example SMTP_X(XXX) -> VAR_SMTP(XXX), as the purpose is to
choose between VAR_SMTP_XXX or VAR_LMTP_XXX; replace
contents of a buffer with the specified length). Replace r
with res_opt, ditto for other 1-letter names.
- Code consistency: replace the VSTRING-based digest output
- loop with a tls_digest_encode() call.
-
- Code clarity: rename tls_fingerprint() to tls_cert_fprint()
- (compute certifate fingerprint). Keep tls_pkey_fprint()
- (compute public-key fingerprint). Rename tls_fprint() to
- tls_data_fprint() (compute fingerprint for arbitrary data).
-
- Collect SMTP client connection-management state in one
- iterator object, that provides the same information for
- SMTP reuse policy, TLS policy, and SASL password lookups.
-
Unnecessary complexity: the SMTP_SESSION "tls" field is
mandatory (always allocated) therefore the content can be
a permanent part of the SMTP_SESSION structure, just like
all over the code, as well as awkward smtp_tls_sess_alloc()
error semantics.
- Provide an iterator object API that provides consistent
- search key generation for SMTP reuse policy, TLS policy,
- and SASL password lookups.
-
We have smtp_host_lookup, smtp_dns_resolver_options, and
now smtp_dns_support_level. Of these, smtp_dns_resolver_options
is orthogonal but the rest has overlap.
will be ignored. Specify a list of pathnames separated by comma
or whitespace. </p>
-<p> This feature is implemented for completeness, to allow installations
-with a small set of SMTP peers to set global policy in <a href="postconf.5.html">main.cf</a>,
-that at most sites would be set via <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>. In almost
-all cases it is better to use it on a per-destination basis via the
-"tafile" policy attribute of the "verify" and "secure" levels leaving
-the global <a href="postconf.5.html">main.cf</a> setting empty. </p>
-
-<p> When used on a per-destination basis, each "tafile" PEM file
-must be accessible to the Postfix SMTP client in the chroot jail
-if applicable. The files should not contain any sensitive data,
-and must be readable by the non-privileged $<a href="postconf.5.html#mail_owner">mail_owner</a> user. This
-allows destinations to be bound to a set of specific CAs or public
-keys without trusting the same CAs for all destinations. </p>
+<p> Whether specified in <a href="postconf.5.html">main.cf</a>, or on a per-destination basis,
+the trust-anchor PEM file must be accessible to the Postfix SMTP
+client in the chroot jail if applicable. The trust-anchor file
+should contain only certificates and public keys, no private key
+material, and must be readable by the non-privileged $<a href="postconf.5.html#mail_owner">mail_owner</a>
+user. This allows destinations to be bound to a set of specific
+CAs or public keys without trusting the same CAs for all destinations.
+</p>
+
+<p> The <a href="postconf.5.html">main.cf</a> parameter supports single-purpose Postfix installations
+that send mail to a fixed set of SMTP peers. At most sites, if
+trust-anchor files are used at all, they will be specified on a
+per-destination basis via the "tafile" attribute of the "verify"
+and "secure" levels in <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>. </p>
<p> The underlying mechanism is in support of <a href="http://tools.ietf.org/html/rfc6698">RFC 6698</a> (DANE TLSA),
which defines mechanisms for a client to securely determine server
Arguments:
- <b>-a</b> Address family preference: <b>ipv4</b>, <b>ipv6</b> or <b>any</b>. When
+ <b>-a</b> <i>family</i> (default: <b>any</b>)
+ Address family preference: <b>ipv4</b>, <b>ipv6</b> or <b>any</b>. When
using <b>any</b>, posttls-finger will randomly select one
of the two as the more preferred, and exhaust all
MX preferences for the first address family before
- trying any addresses for the other. The default
- value is <b>any</b>.
+ trying any addresses for the other.
- <b>-A</b> A list of PEM trust-anchor files that overrides
- CAfile and CApath trust chain verification. Spec-
- ify the option multiple times to specify multiple
+ <b>-A</b> <i>trust-anchor.pem</i> (default: none)
+ A list of PEM trust-anchor files that overrides
+ CAfile and CApath trust chain verification. Spec-
+ ify the option multiple times to specify multiple
files. See the <a href="postconf.5.html">main.cf</a> documentation for
<a href="postconf.5.html#smtp_tls_trust_anchor_file">smtp_tls_trust_anchor_file</a> for details.
- <b>-c</b> Disable SMTP chat logging; only TLS-related infor-
+ <b>-c</b> Disable SMTP chat logging; only TLS-related infor-
mation is logged.
- <b>-C</b> Print the remote SMTP server certificate trust
- chain in PEM format. The issuer DN, subject DN,
- certificate and public key fingerprints (see <b>-d</b>
+ <b>-C</b> Print the remote SMTP server certificate trust
+ chain in PEM format. The issuer DN, subject DN,
+ certificate and public key fingerprints (see <b>-d</b>
<i>mdalg</i> option below) are printed above each PEM cer-
- tificate block. If you specify <b>-F</b> <i>CAfile</i> or <b>-P</b>
- <i>CApath</i>, the OpenSSL library may augment the chain
+ tificate block. If you specify <b>-F</b> <i>CAfile</i> or <b>-P</b>
+ <i>CApath</i>, the OpenSSL library may augment the chain
with missing issuer certificates. To see the
- actual chain sent by the remote SMTP server leave
+ actual chain sent by the remote SMTP server leave
<i>CAfile</i> and <i>CApath</i> unset.
- <b>-d</b> <i>mdalg</i>
- The message digest algorithm to use for reporting
- remote SMTP server fingerprints and matching
- against user provided certificate fingerprints
- (with DANE TLSA records the algorithm is specified
- in the DNS). The default algorithm is sha1.
+ <b>-d</b> <i>mdalg</i> (default: <b>sha1</b>)
+ The message digest algorithm to use for reporting
+ remote SMTP server fingerprints and matching
+ against user provided certificate fingerprints
+ (with DANE TLSA records the algorithm is specified
+ in the DNS).
- <b>-F</b> <i>CAfile.pem</i>
- The PEM formatted CAfile for remote SMTP server
- certificate verification. By default no CAfile is
+ <b>-F</b> <i>CAfile.pem</i> (default: none)
+ The PEM formatted CAfile for remote SMTP server
+ certificate verification. By default no CAfile is
used and no public CAs are trusted.
- <b>-h</b> <i>host</i><b>_</b><i>lookup</i>
- The hostname lookup methods used for the connec-
- tion.
See the documentation of <a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a>
+ <b>-h</b> <i>host</i><b>_</b><i>lookup</i> (default: <b>dns</b>)
+ The hostname lookup methods used for the connec-
+ tion.
See the documentation of <a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a>
for syntax and semantics.
- <b>-l</b> <i>level</i>
+ <b>-l</b> <i>level</i> (default: <b>dane</b> or <b>secure</b>)
The security level for the connection, default <b>dane</b>
or <b>secure</b> depending on whether DNSSEC is available.
- For syntax and semantics, see the documentation of
- <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>. When <b>dane</b> is supported
- and selected, if no TLSA records are found, or all
- the records found are unusable, the <i>degraded</i> level
- will be <b>secure</b>. The main additional level to con-
- sider is <b>fingerprint</b>, which allows you test cer-
- tificate or public-key fingerprint matches before
+ For syntax and semantics, see the documentation of
+ <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>. When <b>dane</b> is supported
+ and selected, if no TLSA records are found, or all
+ the records found are unusable, the <i>degraded</i> level
+ will be <b>secure</b>. The main additional level to con-
+ sider is <b>fingerprint</b>, which allows you test cer-
+ tificate or public-key fingerprint matches before
you deploy them in the policy table.
- Note, since <b>posttls-finger</b> does not actually
- deliver any email, the <b>none</b>, <b>may</b> and <b>encrypt</b> secu-
- rity levels are not very useful. Since <b>may</b> and
- <b>encrypt</b> don't require peer certificates, they will
- often negotiate anonymous TLS ciphersuites, so you
- won't learn much about the remote SMTP server's
- certificates at these levels if it also supports
+ Note, since <b>posttls-finger</b> does not actually
+ deliver any email, the <b>none</b>, <b>may</b> and <b>encrypt</b> secu-
+ rity levels are not very useful. Since <b>may</b> and
+ <b>encrypt</b> don't require peer certificates, they will
+ often negotiate anonymous TLS ciphersuites, so you
+ won't learn much about the remote SMTP server's
+ certificates at these levels if it also supports
anonymous TLS (though you may learn that the server
supports anonymous TLS).
- <b>-L</b> <i>logopts</i>
- Fine-grained TLS logging options. To tune the TLS
- features logged during the TLS handshake, specify
+ <b>-L</b> <i>logopts</i> (default: <b>routine,certmatch</b>)
+ Fine-grained TLS logging options. To tune the TLS
+ features logged during the TLS handshake, specify
one or more of:
- 0, none
+ <b>0, none</b>
These yield no TLS logging; you'll generally
- want more, but this is handy if you just
+ want more, but this is handy if you just
want the trust chain:
$ posttls-finger -cC -L none destination
- 1, routine, summary
- These synonymous values yield a normal one-
+ <b>1, routine, summary</b>
+ These synonymous values yield a normal one-
line summary of the TLS connection.
- 2, debug
+ <b>2, debug</b>
These synonymous values combine routine,
ssl-debug, cache and verbose.
- 3, ssl-expert
- These synonymous values combine debug with
- ssl-handshake-packet-dump. For experts
+ <b>3, ssl-expert</b>
+ These synonymous values combine debug with
+ ssl-handshake-packet-dump. For experts
only.
- 4, ssl-developer
- These synonymous values combine ssl-expert
- with ssl-session-packet-dump. For experts
+ <b>4, ssl-developer</b>
+ These synonymous values combine ssl-expert
+ with ssl-session-packet-dump. For experts
only, and in most cases, use wireshark
instead.
- ssl-debug
- Turn on OpenSSL logging of the progress of
+ <b>ssl-debug</b>
+ Turn on OpenSSL logging of the progress of
the SSL handshake.
- ssl-handshake-packet-dump
- Log hexadecimal packet dumps of the SSL
+ <b>ssl-handshake-packet-dump</b>
+ Log hexadecimal packet dumps of the SSL
handshake; for experts only.
- ssl-session-packet-dump
- Log hexadecimal packet dumps of the entire
- SSL session; only useful to those who can
- debug SSL protocol problems from hex dumps.
+ <b>ssl-session-packet-dump</b>
+ Log hexadecimal packet dumps of the entire
+ SSL session; only useful to those who can
+ debug SSL protocol problems from hex dumps.
- untrusted
- Logs trust chain verification problems.
- This is turned on automatically at security
- levels that use peer names signed by cer-
- tificate authorities to validate certifi-
+ <b>untrusted</b>
+ Logs trust chain verification problems.
+ This is turned on automatically at security
+ levels that use peer names signed by cer-
+ tificate authorities to validate certifi-
cates. So while this setting is recognized,
- you should never need to set it explicitly.
+ you should never need to set it explicitly.
- peercert
- This logs a one line summary of the remote
+ <b>peercert</b>
+ This logs a one line summary of the remote
SMTP server certificate subject, issuer, and
fingerprints.
- certmatch
- This logs remote SMTP server certificate
- matching, showing the CN and each subjec-
+ <b>certmatch</b>
+ This logs remote SMTP server certificate
+ matching, showing the CN and each subjec-
tAltName and which name matched. With DANE,
- logs matching of TLSA record trust-anchor
+ logs matching of TLSA record trust-anchor
and end-entity certificates.
- cache This logs session cache operations, showing
- whether session caching is effective with
- the remote SMTP server. Automatically used
+ <b>cache</b> This logs session cache operations, showing
+ whether session caching is effective with
+ the remote SMTP server. Automatically used
when reconnecting with the <b>-r</b> option; rarely
needs to be set explicitly.
- verbose
- Enables verbose logging in the Postfix TLS
- driver; includes all of peercert..cache and
+ <b>verbose</b>
+ Enables verbose logging in the Postfix TLS
+ driver; includes all of peercert..cache and
more.
- The default is <b>routine,certmatch</b>. After a recon-
- nect, the log level is unconditionally <b>rou-</b>
+ The default is <b>routine,certmatch</b>. After a recon-
+ nect, the log level is unconditionally <b>rou-</b>
<b>tine,cache</b>.
- <b>-m</b> <i>count</i>
- When the <b>-r</b> <i>delay</i> option is specified, the <b>-m</b>
- option determines the maximum number of reconnect
- attempts to use with a server behind a load-bal-
- acer, to see whether connection caching is likely
- to be effective for this destination. Some MTAs
- don't expose the underlying server identity in
- their EHLO response; with these servers there will
+ <b>-m</b> <i>count</i> (default: <b>5</b>)
+ When the <b>-r</b> <i>delay</i> option is specified, the <b>-m</b>
+ option determines the maximum number of reconnect
+ attempts to use with a server behind a load-bal-
+ acer, to see whether connection caching is likely
+ to be effective for this destination. Some MTAs
+ don't expose the underlying server identity in
+ their EHLO response; with these servers there will
never be more than 1 reconnection attempt.
<b>-o</b> <i>name=value</i>
Specify zero or more times to override the value of
- the <a href="postconf.5.html">main.cf</a> parameter <i>name</i> with <i>value</i>. Possible
- use-cases include overriding the values of TLS
- library parameters or "<a href="postconf.5.html#myhostname">myhostname</a>" to configure the
- SMTP EHLO name sent to the remote server.
-
- <b>-P</b> <i>CApath/</i>
- The OpenSSL CApath/ directory (indexed via
- c_rehash(1)) for remote SMTP server certificate
- verification. By default no CApath is used and no
+ the <a href="postconf.5.html">main.cf</a> parameter <i>name</i> with <i>value</i>. Possible
+ use-cases include overriding the values of TLS
+ library parameters, or "<a href="postconf.5.html#myhostname">myhostname</a>" to configure
+ the SMTP EHLO name sent to the remote server.
+
+ <b>-P</b> <i>CApath/</i> (default: none)
+ The OpenSSL CApath/ directory (indexed via
+ c_rehash(1)) for remote SMTP server certificate
+ verification. By default no CApath is used and no
public CAs are trusted.
<b>-r</b> <i>delay</i>
- With a cachable TLS session, disconnect and recon-
- nect after <i>delay</i> seconds. Report whether the ses-
- sion is re-used. Retry if a new server is encoun-
- tered, up to 5 times or as specified with the <b>-m</b>
- option.
+ With a cachable TLS session, disconnect and recon-
+ nect after <i>delay</i> seconds. Report whether the ses-
+ sion is re-used. Retry if a new server is encoun-
+ tered, up to 5 times or as specified with the <b>-m</b>
+ option. By default reconnection is disabled, spec-
+ ify a positive delay to enable this behavior.
<b>-S</b> Disable SMTP; that is, connect to an LMTP server.
The default port for LMTP over TCP is 24. Alterna-
tive ports can specified by appending "<i>:service-</i>
<i>name</i>" or ":<i>portnumber</i>" to the destination argument.
- <b>-t</b> <i>timeout</i>
+ <b>-t</b> <i>timeout</i> (default: <b>5</b>)
The TCP connection timeout to use. This is also
the timeout for reading the remote server's 220
banner.
- <b>-T</b> <i>timeout</i>
+ <b>-T</b> <i>timeout</i> (default: <b>30</b>)
The SMTP/LMTP command timeout for EHLO/LHLO, START-
TLS and QUIT.
- <b>-v</b> Enable more verbose logging.
+ <b>-v</b> Enable verose Postfix logging. Specify more than
+ once to increase the level of verbose logging.
[<b>inet:</b>]<i>domain</i>[:<i>port</i>]
- Connect via TCP to domain <i>domain</i>, port <i>port</i>. The
- default port is <b>smtp</b> (or 24 with LMTP). With SMTP
- an MX lookup is performed to resolve the domain to
- a host, unless the domain is enclosed in <b>[]</b>. If
- you want to connect to a specific MX host, for
+ Connect via TCP to domain <i>domain</i>, port <i>port</i>. The
+ default port is <b>smtp</b> (or 24 with LMTP). With SMTP
+ an MX lookup is performed to resolve the domain to
+ a host, unless the domain is enclosed in <b>[]</b>. If
+ you want to connect to a specific MX host, for
instance <i>mx1.example.com</i>, specify [<i>mx1.example.com</i>]
as the destination and <i>example.com</i> as a <b>match</b> argu-
- ment. When using DNS, the destination domain is
- assumed fully qualified and no default domain or
- search suffixes are applied; you must use fully-
- qualified names or also enable <b>native</b> host lookups
- (these don't support <b>dane</b> as no DNSSEC validation
+ ment. When using DNS, the destination domain is
+ assumed fully qualified and no <a href="ADDRESS_CLASS_README.html#default_domain_class">default domain</a> or
+ search suffixes are applied; you must use fully-
+ qualified names or also enable <b>native</b> host lookups
+ (these don't support <b>dane</b> as no DNSSEC validation
information is available via <b>native</b> lookups).
<b>unix:</b><i>pathname</i>
With no match arguments specified, certificate
peername matching uses the compiled-in default
strategies for each security level. If you specify
- one or more arguments, these will be used as the
- list of certificate or public-key digests to match
- for the <b>fingerprint</b> level, or as the list of DNS
+ one or more arguments, these will be used as the
+ list of certificate or public-key digests to match
+ for the <b>fingerprint</b> level, or as the list of DNS
names to match in the certificate at the <b>verify</b> and
- <b>secure</b> levels. If the security level is <b>dane</b>, and
- usable TLSA records are found, the match names are
+ <b>secure</b> levels. If the security level is <b>dane</b>, and
+ usable TLSA records are found, the match names are
ignored, and <b>hostname, nexthop</b> strategies are used.
- If no TLSA records are found or none are usable,
- the level <i>degrades</i> to <b>secure</b> and the provided list
+ If no TLSA records are found or none are usable,
+ the level <i>degrades</i> to <b>secure</b> and the provided list
is used to match names in the certificate.
<b>ENVIRONMENT</b>
<b>MAIL_CONFIG</b>
- Read configuration parameters from a non-default
+ Read configuration parameters from a non-default
location.
<b>MAIL_VERBOSE</b>
<a href="TLS_README.html">TLS_README</a>, Postfix STARTTLS howto
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>
SMTP. The default TCP port for LMTP is 24.
Arguments:
-.IP "\fB-a\fR"
+.IP "\fB-a\fR \fIfamily\fR (default: \fBany\fR)"
Address family preference: \fBipv4\fR, \fBipv6\fR or \fBany\fR. When
using \fBany\fR, posttls-finger will randomly select one of the two as
the more preferred, and exhaust all MX preferences for the first
-address family before trying any addresses for the other. The
-default value is \fBany\fR.
-.IP "\fB-A\fR"
+address family before trying any addresses for the other.
+.IP "\fB-A\fR \fItrust-anchor.pem\fR (default: none)"
A list of PEM trust-anchor files that overrides CAfile and CApath
trust chain verification. Specify the option multiple times to
specify multiple files. See the main.cf documentation for
\fB-P \fICApath\fR, the OpenSSL library may augment the chain with
missing issuer certificates. To see the actual chain sent by the
remote SMTP server leave \fICAfile\fR and \fICApath\fR unset.
-.IP "\fB-d \fImdalg\fR"
+.IP "\fB-d \fImdalg\fR (default: \fBsha1\fR)"
The message digest algorithm to use for reporting remote SMTP server
fingerprints and matching against user provided certificate
fingerprints (with DANE TLSA records the algorithm is specified
-in the DNS). The default algorithm is sha1.
-.IP "\fB-F \fICAfile.pem\fR"
+in the DNS).
+.IP "\fB-F \fICAfile.pem\fR (default: none)"
The PEM formatted CAfile for remote SMTP server certificate
verification. By default no CAfile is used and no public CAs
are trusted.
-.IP "\fB-h \fIhost_lookup\fR"
+.IP "\fB-h \fIhost_lookup\fR (default: \fBdns\fR)"
The hostname lookup methods used for the connection. See the
documentation of smtp_host_lookup for syntax and semantics.
-.IP "\fB-l \fIlevel\fR"
+.IP "\fB-l \fIlevel\fR (default: \fBdane\fR or \fBsecure\fR)"
The security level for the connection, default \fBdane\fR or
\fBsecure\fR depending on whether DNSSEC is available. For syntax
and semantics, see the documentation of smtp_tls_security_level.
so you won't learn much about the remote SMTP server's certificates
at these levels if it also supports anonymous TLS (though you may
learn that the server supports anonymous TLS).
-.IP "\fB-L \fIlogopts\fR"
+.IP "\fB-L \fIlogopts\fR (default: \fBroutine,certmatch\fR)"
Fine-grained TLS logging options. To tune the TLS features logged
during the TLS handshake, specify one or more of:
.RS
-.IP "0, none"
+.IP "\fB0, none\fR"
These yield no TLS logging; you'll generally want more, but this
is handy if you just want the trust chain:
.RS
$ posttls-finger -cC -L none destination
.fi
.RE
-.IP "1, routine, summary"
+.IP "\fB1, routine, summary\fR"
These synonymous values yield a normal one-line summary of the TLS
connection.
-.IP "2, debug"
+.IP "\fB2, debug\fR"
These synonymous values combine routine, ssl-debug, cache and verbose.
-.IP "3, ssl-expert"
+.IP "\fB3, ssl-expert\fR"
These synonymous values combine debug with ssl-handshake-packet-dump.
For experts only.
-.IP "4, ssl-developer"
+.IP "\fB4, ssl-developer\fR"
These synonymous values combine ssl-expert with ssl-session-packet-dump.
For experts only, and in most cases, use wireshark instead.
-.IP ssl-debug
+.IP "\fBssl-debug\fR"
Turn on OpenSSL logging of the progress of the SSL handshake.
-.IP ssl-handshake-packet-dump
+.IP "\fBssl-handshake-packet-dump\fR"
Log hexadecimal packet dumps of the SSL handshake; for experts only.
-.IP ssl-session-packet-dump
+.IP "\fBssl-session-packet-dump\fR"
Log hexadecimal packet dumps of the entire SSL session; only useful
to those who can debug SSL protocol problems from hex dumps.
-.IP untrusted
+.IP "\fBuntrusted\fR"
Logs trust chain verification problems. This is turned on
automatically at security levels that use peer names signed
by certificate authorities to validate certificates. So while
this setting is recognized, you should never need to set it
explicitly.
-.IP peercert
+.IP "\fBpeercert\fR"
This logs a one line summary of the remote SMTP server certificate
subject, issuer, and fingerprints.
-.IP certmatch
+.IP "\fBcertmatch\fR"
This logs remote SMTP server certificate matching, showing the CN
and each subjectAltName and which name matched. With DANE, logs
matching of TLSA record trust-anchor and end-entity certificates.
-.IP cache
+.IP "\fBcache\fR"
This logs session cache operations, showing whether session caching
is effective with the remote SMTP server. Automatically used when
reconnecting with the \fB-r\fR option; rarely needs to be set
explicitly.
-.IP verbose
+.IP "\fBverbose\fR"
Enables verbose logging in the Postfix TLS driver; includes all of
peercert..cache and more.
.RE
.IP
The default is \fBroutine,certmatch\fR. After a reconnect, the log
level is unconditionally \fBroutine,cache\fR.
-.IP "\fB-m \fIcount\fR"
+.IP "\fB-m \fIcount\fR (default: \fB5\fR)"
When the \fB-r \fIdelay\fR option is specified, the \fB-m\fR option
determines the maximum number of reconnect attempts to use with
a server behind a load-balacer, to see whether connection caching
-is likely to be effective for this destination. Some MTAs don't
-expose the underlying server identity in their EHLO response; with
-these servers there will never be more than 1 reconnection attempt.
+is likely to be effective for this destination. Some MTAs
+don't expose the underlying server identity in their EHLO
+response; with these servers there will never be more than
+1 reconnection attempt.
.IP "\fB-o \fIname=value\fR"
Specify zero or more times to override the value of the main.cf
parameter \fIname\fR with \fIvalue\fR. Possible use-cases include
-overriding the values of TLS library parameters or "myhostname" to
+overriding the values of TLS library parameters, or "myhostname" to
configure the SMTP EHLO name sent to the remote server.
-.IP "\fB-P \fICApath/\fR"
+.IP "\fB-P \fICApath/\fR (default: none)"
The OpenSSL CApath/ directory (indexed via c_rehash(1)) for remote
SMTP server certificate verification. By default no CApath is used
and no public CAs are trusted.
With a cachable TLS session, disconnect and reconnect after \fIdelay\fR
seconds. Report whether the session is re-used. Retry if a new server
is encountered, up to 5 times or as specified with the \fB-m\fR option.
+By default reconnection is disabled, specify a positive delay to
+enable this behavior.
.IP "\fB-S\fR"
Disable SMTP; that is, connect to an LMTP server. The default port for
LMTP over TCP is 24. Alternative ports can specified by appending
"\fI:servicename\fR" or ":\fIportnumber\fR" to the destination
argument.
-.IP "\fB-t \fItimeout\fR"
+.IP "\fB-t \fItimeout\fR (default: \fB5\fR)"
The TCP connection timeout to use. This is also the timeout for
reading the remote server's 220 banner.
-.IP "\fB-T \fItimeout\fR"
+.IP "\fB-T \fItimeout\fR (default: \fB30\fR)"
The SMTP/LMTP command timeout for EHLO/LHLO, STARTTLS and QUIT.
.IP "\fB-v\fR"
-Enable more verbose logging.
+Enable verose Postfix logging. Specify more than once to increase
+the level of verbose logging.
.IP "[\fBinet:\fR]\fIdomain\fR[:\fIport\fR]"
Connect via TCP to domain \fIdomain\fR, port \fIport\fR. The default
port is \fBsmtp\fR (or 24 with LMTP). With SMTP an MX lookup is
will be ignored. Specify a list of pathnames separated by comma
or whitespace.
.PP
-This feature is implemented for completeness, to allow installations
-with a small set of SMTP peers to set global policy in main.cf,
-that at most sites would be set via smtp_tls_policy_maps. In almost
-all cases it is better to use it on a per-destination basis via the
-"tafile" policy attribute of the "verify" and "secure" levels leaving
-the global main.cf setting empty.
-.PP
-When used on a per-destination basis, each "tafile" PEM file
-must be accessible to the Postfix SMTP client in the chroot jail
-if applicable. The files should not contain any sensitive data,
-and must be readable by the non-privileged $mail_owner user. This
-allows destinations to be bound to a set of specific CAs or public
-keys without trusting the same CAs for all destinations.
+Whether specified in main.cf, or on a per-destination basis,
+the trust-anchor PEM file must be accessible to the Postfix SMTP
+client in the chroot jail if applicable. The trust-anchor file
+should contain only certificates and public keys, no private key
+material, and must be readable by the non-privileged $mail_owner
+user. This allows destinations to be bound to a set of specific
+CAs or public keys without trusting the same CAs for all destinations.
+.PP
+The main.cf parameter supports single-purpose Postfix installations
+that send mail to a fixed set of SMTP peers. At most sites, if
+trust-anchor files are used at all, they will be specified on a
+per-destination basis via the "tafile" attribute of the "verify"
+and "secure" levels in smtp_tls_policy_maps.
.PP
The underlying mechanism is in support of RFC 6698 (DANE TLSA),
which defines mechanisms for a client to securely determine server
will be ignored. Specify a list of pathnames separated by comma
or whitespace. </p>
-<p> This feature is implemented for completeness, to allow installations
-with a small set of SMTP peers to set global policy in main.cf,
-that at most sites would be set via smtp_tls_policy_maps. In almost
-all cases it is better to use it on a per-destination basis via the
-"tafile" policy attribute of the "verify" and "secure" levels leaving
-the global main.cf setting empty. </p>
-
-<p> When used on a per-destination basis, each "tafile" PEM file
-must be accessible to the Postfix SMTP client in the chroot jail
-if applicable. The files should not contain any sensitive data,
-and must be readable by the non-privileged $mail_owner user. This
-allows destinations to be bound to a set of specific CAs or public
-keys without trusting the same CAs for all destinations. </p>
+<p> Whether specified in main.cf, or on a per-destination basis,
+the trust-anchor PEM file must be accessible to the Postfix SMTP
+client in the chroot jail if applicable. The trust-anchor file
+should contain only certificates and public keys, no private key
+material, and must be readable by the non-privileged $mail_owner
+user. This allows destinations to be bound to a set of specific
+CAs or public keys without trusting the same CAs for all destinations.
+</p>
+
+<p> The main.cf parameter supports single-purpose Postfix installations
+that send mail to a fixed set of SMTP peers. At most sites, if
+trust-anchor files are used at all, they will be specified on a
+per-destination basis via the "tafile" attribute of the "verify"
+and "secure" levels in smtp_tls_policy_maps. </p>
<p> The underlying mechanism is in support of RFC 6698 (DANE TLSA),
which defines mechanisms for a client to securely determine server
unsigned short type; /* T_A, T_CNAME, etc. */
unsigned short class; /* C_IN, etc. */
unsigned int ttl; /* always */
- unsigned int validated; /* DNSSEC */
+ unsigned int dnssec_valid; /* DNSSEC validated */
unsigned short pref; /* T_MX only */
struct DNS_RR *next; /* linkage */
size_t data_len; /* actual data size */
typedef struct DNS_REPLY {
unsigned char *buf; /* raw reply data */
size_t buf_len; /* reply buffer length */
- int validated; /* DNSSEC AD bit */
+ int dnssec_valid; /* DNSSEC AD bit */
int query_count; /* number of queries */
int answer_count; /* number of answers */
unsigned char *query_start; /* start of query data */
* the fly while the reply is being parsed.
*/
#if RES_USE_DNSSEC != 0
- reply->validated = (flags & RES_USE_DNSSEC) ? reply_header->ad : 0;
+ reply->dnssec_valid = (flags & RES_USE_DNSSEC) ? reply_header->ad : 0;
#else
- reply->validated = 0;
+ reply->dnssec_valid = 0;
#endif
reply->end = reply->buf + len;
reply->query_start = reply->buf + sizeof(HEADER);
if ((status = dns_get_rr(&rr, orig_name, reply, pos, rr_name,
&fixed)) == DNS_OK) {
resource_found++;
- rr->validated = (reply->validated & *validate_mask);
+ rr->dnssec_valid = (reply->dnssec_valid & *validate_mask);
*rrlist = dns_rr_append(*rrlist, rr);
} else if (not_found_status != DNS_RETRY)
not_found_status = status;
if (cname && c_len > 0)
if ((status = dns_get_alias(reply, pos, &fixed, cname, c_len)) != DNS_OK)
CORRUPT(status);
- *validate_mask &= reply->validated;
+ *validate_mask &= reply->dnssec_valid;
}
pos += fixed.length;
}
rr->type = type;
rr->class = class;
rr->ttl = ttl;
- rr->validated = 0;
+ rr->dnssec_valid = 0;
rr->pref = pref;
if (data && data_len > 0)
memcpy(rr->data, data, data_len);
size_t i;
while (rr) {
- printf("%s: ad: %d, ttl: %9d ", rr->rname, rr->validated, rr->ttl);
+ printf("%s: ad: %d, ttl: %9d ", rr->rname, rr->dnssec_valid, rr->ttl);
switch (rr->type) {
case T_A:
#ifdef T_AAAA
#define MAIL_ATTR_FUNC "function"
#define MAIL_ATTR_CCERT_SUBJECT "ccert_subject"
#define MAIL_ATTR_CCERT_ISSUER "ccert_issuer"
-#define MAIL_ATTR_CCERT_FINGERPRINT "ccert_fingerprint"
+#define MAIL_ATTR_CCERT_CERT_FPRINT "ccert_fingerprint"
#define MAIL_ATTR_CCERT_PKEY_FPRINT "ccert_pubkey_fingerprint"
#define MAIL_ATTR_CRYPTO_PROTOCOL "encryption_protocol"
#define MAIL_ATTR_CRYPTO_CIPHER "encryption_cipher"
#define MAIL_ATTR_TIMEOUT "timeout"
#define MAIL_ATTR_PEER_CN "peer_CN"
#define MAIL_ATTR_ISSUER_CN "issuer_CN"
-#define MAIL_ATTR_PEER_FPT "peer_fingerprint"
+#define MAIL_ATTR_PEER_CERT_FPT "peer_fingerprint"
#define MAIL_ATTR_PEER_PKEY_FPT "peer_pubkey_fingerprint"
#define MAIL_ATTR_PEER_STATUS "peer_status"
#define MAIL_ATTR_CIPHER_PROTOCOL "cipher_protocol"
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20130422"
+#define MAIL_RELEASE_DATE "20130425"
#define MAIL_VERSION_NUMBER "2.11"
#ifdef SNAPSHOT
/* SMTP. The default TCP port for LMTP is 24.
/*
/* Arguments:
-/* .IP "\fB-a\fR"
+/* .IP "\fB-a\fR \fIfamily\fR (default: \fBany\fR)"
/* Address family preference: \fBipv4\fR, \fBipv6\fR or \fBany\fR. When
/* using \fBany\fR, posttls-finger will randomly select one of the two as
/* the more preferred, and exhaust all MX preferences for the first
-/* address family before trying any addresses for the other. The
-/* default value is \fBany\fR.
-/* .IP "\fB-A\fR"
+/* address family before trying any addresses for the other.
+/* .IP "\fB-A\fR \fItrust-anchor.pem\fR (default: none)"
/* A list of PEM trust-anchor files that overrides CAfile and CApath
/* trust chain verification. Specify the option multiple times to
/* specify multiple files. See the main.cf documentation for
/* \fB-P \fICApath\fR, the OpenSSL library may augment the chain with
/* missing issuer certificates. To see the actual chain sent by the
/* remote SMTP server leave \fICAfile\fR and \fICApath\fR unset.
-/* .IP "\fB-d \fImdalg\fR"
+/* .IP "\fB-d \fImdalg\fR (default: \fBsha1\fR)"
/* The message digest algorithm to use for reporting remote SMTP server
/* fingerprints and matching against user provided certificate
/* fingerprints (with DANE TLSA records the algorithm is specified
-/* in the DNS). The default algorithm is sha1.
-/* .IP "\fB-F \fICAfile.pem\fR"
+/* in the DNS).
+/* .IP "\fB-F \fICAfile.pem\fR (default: none)"
/* The PEM formatted CAfile for remote SMTP server certificate
/* verification. By default no CAfile is used and no public CAs
/* are trusted.
-/* .IP "\fB-h \fIhost_lookup\fR"
+/* .IP "\fB-h \fIhost_lookup\fR (default: \fBdns\fR)"
/* The hostname lookup methods used for the connection. See the
/* documentation of smtp_host_lookup for syntax and semantics.
-/* .IP "\fB-l \fIlevel\fR"
+/* .IP "\fB-l \fIlevel\fR (default: \fBdane\fR or \fBsecure\fR)"
/* The security level for the connection, default \fBdane\fR or
/* \fBsecure\fR depending on whether DNSSEC is available. For syntax
/* and semantics, see the documentation of smtp_tls_security_level.
/* so you won't learn much about the remote SMTP server's certificates
/* at these levels if it also supports anonymous TLS (though you may
/* learn that the server supports anonymous TLS).
-/* .IP "\fB-L \fIlogopts\fR"
+/* .IP "\fB-L \fIlogopts\fR (default: \fBroutine,certmatch\fR)"
/* Fine-grained TLS logging options. To tune the TLS features logged
/* during the TLS handshake, specify one or more of:
/* .RS
-/* .IP "0, none"
+/* .IP "\fB0, none\fR"
/* These yield no TLS logging; you'll generally want more, but this
/* is handy if you just want the trust chain:
/* .RS
/* $ posttls-finger -cC -L none destination
/* .fi
/* .RE
-/* .IP "1, routine, summary"
+/* .IP "\fB1, routine, summary\fR"
/* These synonymous values yield a normal one-line summary of the TLS
/* connection.
-/* .IP "2, debug"
+/* .IP "\fB2, debug\fR"
/* These synonymous values combine routine, ssl-debug, cache and verbose.
-/* .IP "3, ssl-expert"
+/* .IP "\fB3, ssl-expert\fR"
/* These synonymous values combine debug with ssl-handshake-packet-dump.
/* For experts only.
-/* .IP "4, ssl-developer"
+/* .IP "\fB4, ssl-developer\fR"
/* These synonymous values combine ssl-expert with ssl-session-packet-dump.
/* For experts only, and in most cases, use wireshark instead.
-/* .IP ssl-debug
+/* .IP "\fBssl-debug\fR"
/* Turn on OpenSSL logging of the progress of the SSL handshake.
-/* .IP ssl-handshake-packet-dump
+/* .IP "\fBssl-handshake-packet-dump\fR"
/* Log hexadecimal packet dumps of the SSL handshake; for experts only.
-/* .IP ssl-session-packet-dump
+/* .IP "\fBssl-session-packet-dump\fR"
/* Log hexadecimal packet dumps of the entire SSL session; only useful
/* to those who can debug SSL protocol problems from hex dumps.
-/* .IP untrusted
+/* .IP "\fBuntrusted\fR"
/* Logs trust chain verification problems. This is turned on
/* automatically at security levels that use peer names signed
/* by certificate authorities to validate certificates. So while
/* this setting is recognized, you should never need to set it
/* explicitly.
-/* .IP peercert
+/* .IP "\fBpeercert\fR"
/* This logs a one line summary of the remote SMTP server certificate
/* subject, issuer, and fingerprints.
-/* .IP certmatch
+/* .IP "\fBcertmatch\fR"
/* This logs remote SMTP server certificate matching, showing the CN
/* and each subjectAltName and which name matched. With DANE, logs
/* matching of TLSA record trust-anchor and end-entity certificates.
-/* .IP cache
+/* .IP "\fBcache\fR"
/* This logs session cache operations, showing whether session caching
/* is effective with the remote SMTP server. Automatically used when
/* reconnecting with the \fB-r\fR option; rarely needs to be set
/* explicitly.
-/* .IP verbose
+/* .IP "\fBverbose\fR"
/* Enables verbose logging in the Postfix TLS driver; includes all of
/* peercert..cache and more.
/* .RE
/* .IP
/* The default is \fBroutine,certmatch\fR. After a reconnect, the log
/* level is unconditionally \fBroutine,cache\fR.
-/* .IP "\fB-m \fIcount\fR"
+/* .IP "\fB-m \fIcount\fR (default: \fB5\fR)"
/* When the \fB-r \fIdelay\fR option is specified, the \fB-m\fR option
/* determines the maximum number of reconnect attempts to use with
/* a server behind a load-balacer, to see whether connection caching
-/* is likely to be effective for this destination. Some MTAs don't
-/* expose the underlying server identity in their EHLO response; with
-/* these servers there will never be more than 1 reconnection attempt.
+/* is likely to be effective for this destination. Some MTAs
+/* don't expose the underlying server identity in their EHLO
+/* response; with these servers there will never be more than
+/* 1 reconnection attempt.
/* .IP "\fB-o \fIname=value\fR"
/* Specify zero or more times to override the value of the main.cf
/* parameter \fIname\fR with \fIvalue\fR. Possible use-cases include
-/* overriding the values of TLS library parameters or "myhostname" to
+/* overriding the values of TLS library parameters, or "myhostname" to
/* configure the SMTP EHLO name sent to the remote server.
-/* .IP "\fB-P \fICApath/\fR"
+/* .IP "\fB-P \fICApath/\fR (default: none)"
/* The OpenSSL CApath/ directory (indexed via c_rehash(1)) for remote
/* SMTP server certificate verification. By default no CApath is used
/* and no public CAs are trusted.
/* With a cachable TLS session, disconnect and reconnect after \fIdelay\fR
/* seconds. Report whether the session is re-used. Retry if a new server
/* is encountered, up to 5 times or as specified with the \fB-m\fR option.
+/* By default reconnection is disabled, specify a positive delay to
+/* enable this behavior.
/* .IP "\fB-S\fR"
/* Disable SMTP; that is, connect to an LMTP server. The default port for
/* LMTP over TCP is 24. Alternative ports can specified by appending
/* "\fI:servicename\fR" or ":\fIportnumber\fR" to the destination
/* argument.
-/* .IP "\fB-t \fItimeout\fR"
+/* .IP "\fB-t \fItimeout\fR (default: \fB5\fR)"
/* The TCP connection timeout to use. This is also the timeout for
/* reading the remote server's 220 banner.
-/* .IP "\fB-T \fItimeout\fR"
+/* .IP "\fB-T \fItimeout\fR (default: \fB30\fR)"
/* The SMTP/LMTP command timeout for EHLO/LHLO, STARTTLS and QUIT.
/* .IP "\fB-v\fR"
-/* Enable more verbose logging.
+/* Enable verose Postfix logging. Specify more than once to increase
+/* the level of verbose logging.
/* .IP "[\fBinet:\fR]\fIdomain\fR[:\fIport\fR]"
/* Connect via TCP to domain \fIdomain\fR, port \fIport\fR. The default
/* port is \fBsmtp\fR (or 24 with LMTP). With SMTP an MX lookup is
static DNS_RR *host_addr(STATE *, const char *);
-#define HNAME(addr) (addr->validated ? addr->rname : addr->qname)
+#define HNAME(addr) (addr->dnssec_valid ? addr->rname : addr->qname)
/*
* Structure with broken-up SMTP server response.
X509_NAME_oneline(xn, buf, sizeof buf);
BIO_printf(state->tls_bio, " issuer: %s\n", buf);
}
- digest = tls_fingerprint(cert, state->mdalg);
+ digest = tls_cert_fprint(cert, state->mdalg);
BIO_printf(state->tls_bio, " cert digest=%s\n", digest);
myfree(digest);
static const char *myname = "mx_addr_list";
DNS_RR *addr_list = 0;
DNS_RR *rr;
- int res_opt = mx_names->validated ? RES_USE_DNSSEC : 0;
+ int res_opt = mx_names->dnssec_valid ? RES_USE_DNSSEC : 0;
for (rr = mx_names; rr; rr = rr->next) {
if (rr->type != T_MX)
#ifdef USE_TLS
if (level == TLS_LEV_DANE) {
- if (addr->validated) {
+ if (addr->dnssec_valid) {
if (state->log_mask & (TLS_LOG_CERTMATCH | TLS_LOG_VERBOSE))
tls_dane_verbose(1);
else
return (0);
}
-
*/
#define SMTP_MISC_FLAG_LOOP_DETECT (1<<0)
#define SMTP_MISC_FLAG_IN_STARTTLS (1<<1)
-#define SMTP_MISC_FLAG_TLSA_HOST (1<<2)
-#define SMTP_MISC_FLAG_FIRST_NEXTHOP (1<<3)
-#define SMTP_MISC_FLAG_FINAL_NEXTHOP (1<<4)
-#define SMTP_MISC_FLAG_FINAL_SERVER (1<<5)
-#define SMTP_MISC_FLAG_CONN_LOAD (1<<6)
-#define SMTP_MISC_FLAG_CONN_STORE (1<<7)
-#define SMTP_MISC_FLAG_COMPLETE_SESSION (1<<8)
-#define SMTP_MISC_FLAG_PREF_IPV6 (1<<9)
-#define SMTP_MISC_FLAG_PREF_IPV4 (1<<10)
+#define SMTP_MISC_FLAG_FIRST_NEXTHOP (1<<2)
+#define SMTP_MISC_FLAG_FINAL_NEXTHOP (1<<3)
+#define SMTP_MISC_FLAG_FINAL_SERVER (1<<4)
+#define SMTP_MISC_FLAG_CONN_LOAD (1<<5)
+#define SMTP_MISC_FLAG_CONN_STORE (1<<6)
+#define SMTP_MISC_FLAG_COMPLETE_SESSION (1<<7)
+#define SMTP_MISC_FLAG_PREF_IPV6 (1<<8)
+#define SMTP_MISC_FLAG_PREF_IPV4 (1<<9)
#define SMTP_MISC_FLAG_CONN_CACHE_MASK \
(SMTP_MISC_FLAG_CONN_LOAD | SMTP_MISC_FLAG_CONN_STORE)
/*
* What's in a name? With DANE TLSA we need the rr->rname (if validated).
*/
-#define SMTP_HNAME(rr) ( (var_smtp_cname_overr || rr->validated) ? \
+#define SMTP_HNAME(rr) ( (var_smtp_cname_overr || rr->dnssec_valid) ? \
(rr)->rname : (rr)->qname )
/*
#define SMTP_KEY_FLAG_HOSTNAME (1<<4) /* remote host name */
#define SMTP_KEY_FLAG_ADDR (1<<5) /* remote address */
#define SMTP_KEY_FLAG_PORT (1<<6) /* remote port */
-#define SMTP_KEY_FLAG_SASL (1<<7) /* username, password */
-#define SMTP_KEY_FLAG_NOSASL (1<<8) /* dummy-user, dummy-pass */
#define SMTP_KEY_MASK_ALL \
(SMTP_KEY_FLAG_SERVICE | SMTP_KEY_FLAG_SENDER | \
SMTP_KEY_FLAG_REQ_NEXTHOP | \
SMTP_KEY_FLAG_NEXTHOP | SMTP_KEY_FLAG_HOSTNAME | \
- SMTP_KEY_FLAG_ADDR | SMTP_KEY_FLAG_PORT | \
- SMTP_KEY_FLAG_SASL | SMTP_KEY_FLAG_NOSASL)
+ SMTP_KEY_FLAG_ADDR | SMTP_KEY_FLAG_PORT)
+
+ /*
+ * Connection-cache destination lookup key. The SENDER attribute is a proxy
+ * for sender-dependent SASL credentials (or absence thereof), and prevents
+ * false connection sharing when different SASL credentials may be required
+ * for different deliveries to the same domain and port. The SERVICE
+ * attribute is a proxy for all request-independent configuration details.
+ */
+#define SMTP_KEY_MASK_SCACHE_DEST_LABEL \
+ (SMTP_KEY_FLAG_SERVICE | SMTP_KEY_FLAG_SENDER \
+ | SMTP_KEY_FLAG_REQ_NEXTHOP)
+
+ /*
+ * Connection-cache endpoint lookup key. The SENDER, NEXTHOP, and HOSTNAME
+ * attributes are proxies for SASL credentials (or absence thereof), and
+ * prevent false connection sharing when different SASL credentials may be
+ * required for different deliveries to the same IP address and port.
+ */
+#define SMTP_KEY_MASK_SCACHE_ENDP_LABEL \
+ (SMTP_KEY_FLAG_SERVICE | SMTP_KEY_FLAG_SENDER \
+ | SMTP_KEY_FLAG_REQ_NEXTHOP | SMTP_KEY_FLAG_HOSTNAME \
+ | SMTP_KEY_FLAG_ADDR | SMTP_KEY_FLAG_PORT)
/*
* Silly little macros.
{
DNS_RR *addr_list = 0;
DNS_RR *rr;
- int res_opt = mx_names->validated ? RES_USE_DNSSEC : 0;
+ int res_opt = mx_names->dnssec_valid ? RES_USE_DNSSEC : 0;
/*
* As long as we are able to look up any host address, we ignore problems
msg_info("%s: trying: %s[%s] port %d...",
myname, STR(iter->host), STR(iter->addr), ntohs(port));
- if (addr->validated)
- sess_flags |= SMTP_MISC_FLAG_TLSA_HOST;
-
return (smtp_connect_sock(sock, sa, salen, iter, why, sess_flags));
}
* hosts. In fact, this is the only benefit of caching logical to
* physical bindings; caching a session under its own hostname provides
* no performance benefit, given the way smtp_connect() works.
- *
- * The SMTP_KEY_FLAG_SASL attribute is required in the endpoint label to
- * avoid false sharing of SASL-authenticated and -unauthenticated
- * connections to the same IP address. We don't have this problem with
- * UNIX-domain connections as long as we use nexthop == address.
*/
bad_session = THIS_SESSION_IS_BAD; /* smtp_quit() may fail */
if (THIS_SESSION_IS_EXPIRED)
/* Redundant tests for safety... */
&& vstream_ferror(session->stream) == 0
&& vstream_feof(session->stream) == 0) {
- smtp_save_session(state, SMTP_KEY_FLAG_SERVICE
- | SMTP_KEY_FLAG_SENDER
- | SMTP_KEY_FLAG_REQ_NEXTHOP,
- SMTP_KEY_FLAG_SERVICE
- | SMTP_KEY_FLAG_SASL
- | SMTP_KEY_FLAG_ADDR
- | SMTP_KEY_FLAG_PORT);
+ smtp_save_session(state, SMTP_KEY_MASK_SCACHE_DEST_LABEL,
+ SMTP_KEY_MASK_SCACHE_ENDP_LABEL);
} else {
smtp_session_free(session);
}
}
#endif
if ((state->misc_flags & SMTP_MISC_FLAG_CONN_LOAD) == 0
- || (session = smtp_reuse_nexthop(state, SMTP_KEY_FLAG_SERVICE
- | SMTP_KEY_FLAG_SENDER
- | SMTP_KEY_FLAG_REQ_NEXTHOP)) == 0)
+ || (session = smtp_reuse_nexthop(state,
+ SMTP_KEY_MASK_SCACHE_DEST_LABEL)) == 0)
session = smtp_connect_unix(iter, why, state->misc_flags);
if ((state->session = session) != 0) {
session->state = state;
#endif
SMTP_ITER_SAVE_DEST(state->iterator);
if (*addr_list && SMTP_RCPT_LEFT(state) > 0
- && (session = smtp_reuse_nexthop(state, SMTP_KEY_FLAG_SERVICE
- | SMTP_KEY_FLAG_SENDER
- | SMTP_KEY_FLAG_REQ_NEXTHOP)) != 0) {
+ && (session = smtp_reuse_nexthop(state, SMTP_KEY_MASK_SCACHE_DEST_LABEL)) != 0) {
session_count = 1;
smtp_update_addr_list(addr_list, session->addr, session_count);
if ((state->misc_flags & SMTP_MISC_FLAG_FINAL_NEXTHOP)
/* XXX Assume there is no code at the end of this loop. */
}
#endif
- if ((session = smtp_reuse_addr(state, SMTP_KEY_FLAG_SERVICE
- | SMTP_KEY_FLAG_NOSASL
- | SMTP_KEY_FLAG_ADDR
- | SMTP_KEY_FLAG_PORT)) != 0) {
+ if ((session = smtp_reuse_addr(state,
+ SMTP_KEY_MASK_SCACHE_ENDP_LABEL)) != 0) {
session->features |= SMTP_FEATURE_BEST_MX;
session_count += 1;
smtp_update_addr_list(addr_list, session->addr, session_count);
#endif
if ((state->misc_flags & SMTP_MISC_FLAG_CONN_LOAD) == 0
|| addr->pref == domain_best_pref
- || !(session = smtp_reuse_addr(state, SMTP_KEY_FLAG_SERVICE
- | SMTP_KEY_FLAG_NOSASL
- | SMTP_KEY_FLAG_ADDR
- | SMTP_KEY_FLAG_PORT)))
+ || !(session = smtp_reuse_addr(state,
+ SMTP_KEY_MASK_SCACHE_ENDP_LABEL)))
session = smtp_connect_addr(iter, why, state->misc_flags);
if ((state->session = session) != 0) {
session->state = state;
VSTRING_ADDCH(buffer, delim_na[0]);
}
-/* smtp_key_append_base64 - append base64-encoded key field */
-
-static void smtp_key_append_base64(VSTRING *buffer, const char *str,
- const char *delim_na)
-{
- if (str == 0 || str[0] == 0) {
- smtp_key_append_na(buffer, delim_na);
- } else {
- base64_encode_opt(buffer, str, strlen(str), BASE64_FLAG_APPEND);
- VSTRING_ADDCH(buffer, delim_na[0]);
- }
-}
-
/* smtp_key_append_str - append string-valued key field */
static void smtp_key_append_str(VSTRING *buffer, const char *str,
{
const char myname[] = "smtp_key_prefix";
SMTP_STATE *state = iter->parent; /* private member */
- SMTP_SESSION *session;
/*
* Sanity checks.
if (flags & SMTP_KEY_FLAG_PORT)
smtp_key_append_uint(buffer, ntohs(iter->port), delim_na);
- /*
- * Security attributes.
- */
-#ifdef USE_SASL_AUTH
- if (flags & SMTP_KEY_FLAG_NOSASL) {
- smtp_key_append_na(buffer, delim_na); /* username n/a */
- smtp_key_append_na(buffer, delim_na); /* password n/a */
- }
- if (flags & SMTP_KEY_FLAG_SASL) {
- if ((session = state->session) == 0 || session->sasl_username == 0) {
- smtp_key_append_na(buffer, delim_na); /* username n/a */
- smtp_key_append_na(buffer, delim_na); /* password n/a */
- } else {
- smtp_key_append_base64(buffer, session->sasl_username, delim_na);
- smtp_key_append_base64(buffer, session->sasl_passwd, delim_na);
- }
- }
-#endif
/* Similarly, provide unique TLS fingerprint when applicable. */
VSTRING_TERMINATE(buffer);
SMTP_SESSION *smtp_reuse_addr(SMTP_STATE *state, int endp_key_flags)
{
- const char *myname = "smtp_reuse_addr";
SMTP_SESSION *session;
int fd;
- /*
- * Sanity check. We currently lack support to look up SASL credentials.
- */
-#ifdef USE_SASL_AUTH
- if ((endp_key_flags & SMTP_KEY_FLAG_SASL) != 0)
- msg_panic("%s: SASL credential lookup is not supported", myname);
-#endif
-
- /*
- * Don't look up an existing SASL-unauthenticated connection when a new
- * connection may require authentication. We conservatively test below if
- * unauthenticated connection reuse is guaranteed to be OK. This test can
- * be replaced later with a more precise one.
- */
-#ifdef USE_SASL_AUTH
- if ((endp_key_flags & SMTP_KEY_FLAG_NOSASL) != 0
- && var_smtp_sasl_enable != 0
- && *var_smtp_sasl_passwd != 0)
- return (0);
-#endif
-
/*
* Don't look up an existing plaintext connection when a new connection
* would (try to) use TLS.
/* .IP flags
/* Zero or more of the following:
/* .RS
-/* .IP SMTP_MISC_FLAG_TLSA_HOST
-/* The hostname is DNSSEC-validated.
/* .IP SMTP_MISC_FLAG_CONN_LOAD
/* Enable re-use of cached SMTP or LMTP connections.
/* .IP SMTP_MISC_FLAG_CONN_STORE
SMTP_ITERATOR *iter)
{
VSTRING *key;
- int valid = iter->rr && iter->rr->validated;
+ int valid = iter->rr && iter->rr->dnssec_valid;
/*
* Create an empty TLS Policy cache on the fly.
static void dane_init(SMTP_TLS_POLICY *tls, SMTP_ITERATOR *iter)
{
TLS_DANE *dane;
- int valid = iter->rr && iter->rr->validated;
+ int valid = iter->rr && iter->rr->dnssec_valid;
if (!iter->port) {
msg_warn("%s: the \"dane\" security level is invalid for delivery via"
int i;
char *prints[2];
- prints[0] = state->tls_context->peer_fingerprint;
+ prints[0] = state->tls_context->peer_cert_fprint;
prints[1] = state->tls_context->peer_pkey_fprint;
/* After lookup error, leave relay_ccerts->error at non-zero value. */
int i;
char *prints[2];
- prints[0] = state->tls_context->peer_fingerprint;
+ prints[0] = state->tls_context->peer_cert_fprint;
prints[1] = state->tls_context->peer_pkey_fprint;
for (i = 0; i < 2; ++i) {
* When directly checking the fingerprint, it is OK if the issuing CA is
* not trusted.
*/
- ATTR_TYPE_STR, MAIL_ATTR_CCERT_FINGERPRINT,
- IF_ENCRYPTED(state->tls_context->peer_fingerprint, ""),
+ ATTR_TYPE_STR, MAIL_ATTR_CCERT_CERT_FPRINT,
+ IF_ENCRYPTED(state->tls_context->peer_cert_fprint, ""),
ATTR_TYPE_STR, MAIL_ATTR_CCERT_PKEY_FPRINT,
IF_ENCRYPTED(state->tls_context->peer_pkey_fprint, ""),
ATTR_TYPE_STR, MAIL_ATTR_CRYPTO_PROTOCOL,
(TLS_SESS_STATE *) mymalloc(sizeof(*state.tls_context));
memset((char *) state.tls_context, 0,
sizeof(*state.tls_context));
- state.tls_context->peer_fingerprint =
+ state.tls_context->peer_cert_fprint =
state.tls_context->peer_pkey_fprint = 0;
}
state.tls_context->peer_status |= TLS_CERT_FLAG_PRESENT;
- UPDATE_STRING(state.tls_context->peer_fingerprint,
+ UPDATE_STRING(state.tls_context->peer_cert_fprint,
args->argv[1]);
state.tls_context->peer_pkey_fprint =
- state.tls_context->peer_fingerprint;
+ state.tls_context->peer_cert_fprint;
resp = "OK";
break;
#endif
FREE_STRING(state.helo_name);
FREE_STRING(state.sender);
if (state.tls_context) {
- FREE_STRING(state.tls_context->peer_fingerprint);
+ FREE_STRING(state.tls_context->peer_cert_fprint);
myfree((char *) state.tls_context);
}
exit(0);
/* Public, read-only. */
char *peer_CN; /* Peer Common Name */
char *issuer_CN; /* Issuer Common Name */
- char *peer_fingerprint; /* ASCII fingerprint */
+ char *peer_cert_fprint; /* ASCII certificate fingerprint */
char *peer_pkey_fprint; /* ASCII public key fingerprint */
int peer_status; /* Certificate and match status */
const char *protocol;
* tls_fprint.c
*/
extern char *tls_digest_encode(const unsigned char *, int);
-extern char *tls_fprint(const char *, int, const char *);
-extern char *tls_fingerprint(X509 *, const char *);
+extern char *tls_data_fprint(const char *, int, const char *);
+extern char *tls_cert_fprint(X509 *, const char *);
extern char *tls_pkey_fprint(X509 *, const char *);
extern char *tls_serverid_digest(const TLS_CLIENT_START_PROPS *, long,
const char *);
/* .IP TLScontext->issuer_CN
/* Extracted CommonName of the issuer, or zero-length string if the
/* information could not be extracted.
-/* .IP TLScontext->peer_fingerprint
+/* .IP TLScontext->peer_cert_fprint
/* At the fingerprint security level, if the peer presented a certificate
/* the fingerprint of the certificate.
/* .PP
* peername if using traditional PKI or DANE with trust-anchors.
*/
if (!TLS_CERT_IS_MATCHED(TLScontext)
- && TLS_CERT_IS_TRUSTED(TLScontext)
- && TLS_MUST_TRUST(props->tls_level))
+ && TLS_CERT_IS_TRUSTED(TLScontext)
+ && TLS_MUST_TRUST(props->tls_level))
verify_peername = 1;
/* Force cert processing so we can log the data? */
static void verify_extract_print(TLS_SESS_STATE *TLScontext, X509 *peercert,
const TLS_CLIENT_START_PROPS *props)
{
- TLScontext->peer_fingerprint = tls_fingerprint(peercert, props->mdalg);
+ TLScontext->peer_cert_fprint = tls_cert_fprint(peercert, props->mdalg);
TLScontext->peer_pkey_fprint = tls_pkey_fprint(peercert, props->mdalg);
/*
/*
* When certificate verification is required, log trust chain validation
* errors even when disabled by default for opportunistic sessions. For
- * "dane" this only applies when using trust-anchors associations.
+ * "dane" this only applies when using trust-anchors associations.
*/
if (TLS_MUST_TRUST(props->tls_level)
- && (props->tls_level != TLS_LEV_DANE || TLS_DANE_HASTA(props->dane)))
+ && (props->tls_level != TLS_LEV_DANE || TLS_DANE_HASTA(props->dane)))
log_mask |= TLS_LOG_UNTRUSTED;
if (log_mask & TLS_LOG_VERBOSE)
}
/* The DANE level requires TLS 1.0 or later, not SSLv2 or SSLv3. */
if (props->tls_level == TLS_LEV_DANE)
- protomask |= TLS_PROTOCOL_SSLv3 | TLS_PROTOCOL_SSLv2;
+ protomask |= TLS_PROTOCOL_SSLv3 | TLS_PROTOCOL_SSLv2;
/*
* Per session cipher selection for sessions with mandatory encryption
SSL_SESSION_free(session); /* 200411 */
}
}
-
#ifdef TLSEXT_MAXLEN_host_name
if (session == 0
- && props->tls_level == TLS_LEV_DANE
- && strlen(props->host) <= TLSEXT_MAXLEN_host_name) {
+ && props->tls_level == TLS_LEV_DANE
+ && strlen(props->host) <= TLSEXT_MAXLEN_host_name) {
+
/*
* With new DANE sessions, send an SNI hint. We don't care whether
* the server reports finding a matching certificate or not, so no
* the associated TLSA RRs. (Generally, server administrators should
* avoid SNI, and there are no plans to support SNI in the Postfix
* SMTP server).
- *
+ *
* Since the hostname is DNSSEC-validated, it must be a DNS FQDN and
* thererefore valid for use with SNI. Failure to set a valid SNI
* hostname is a memory allocation error, and thus transient. Since
/*
* Peer name or fingerprint verification as requested.
- * Unconditionally set peer_CN, issuer_CN and peer_fingerprint. Check
+ * Unconditionally set peer_CN, issuer_CN and peer_cert_fprint. Check
* fingerprint first, and avoid logging verified as untrusted in the
* call to verify_extract_name().
*/
msg_info("%s: subject_CN=%s, issuer_CN=%s, "
"fingerprint=%s, pkey_fingerprint=%s", props->namaddr,
TLScontext->peer_CN, TLScontext->issuer_CN,
- TLScontext->peer_fingerprint,
+ TLScontext->peer_cert_fprint,
TLScontext->peer_pkey_fprint);
X509_free(peercert);
} else {
TLScontext->issuer_CN = mystrdup("");
TLScontext->peer_CN = mystrdup("");
- TLScontext->peer_fingerprint = mystrdup("");
+ TLScontext->peer_cert_fprint = mystrdup("");
TLScontext->peer_pkey_fprint = mystrdup("");
}
* and encode the digest value. We choose SHA256.
*/
dane_add(dane, usage, selector, sha256,
- digest = tls_fprint((char *)ip, mlen, sha256));
+ digest = tls_data_fprint((char *)ip, mlen, sha256));
break;
}
if (msg_verbose || dane_verbose)
/* One more second to account for discrete time */
dane->expires = 1 + event_time() + rrs->ttl;
- if (rrs->validated)
+ if (rrs->dnssec_valid)
parse_tlsa_rrs(dane, rrs);
dns_rr_free(rrs);
if (cert && (p - data) == len) {
selector = DNS_TLSA_SELECTOR_FULL_CERTIFICATE;
- digest = tls_fprint((char *)data, len, sha256);
+ digest = tls_data_fprint((char *)data, len, sha256);
dane_add(dane, usage, selector, sha256, digest);
myfree(digest);
ta_cert_insert(dane, cert);
if (pkey && (p - data) == len) {
selector = DNS_TLSA_SELECTOR_SUBJECTPUBLICKEYINFO;
- digest = tls_fprint((char *)data, len, sha256);
+ digest = tls_data_fprint((char *)data, len, sha256);
dane_add(dane, usage, selector, sha256, digest);
myfree(digest);
ta_pkey_insert(dane, pkey);
/* const unsigned char *md_buf;
/* const char *md_len;
/*
-/* char *tls_fprint(buf, len, mdalg)
+/* char *tls_data_fprint(buf, len, mdalg)
/* const char *buf;
/* int len;
/* const char *mdalg;
/*
-/* char *tls_fingerprint(peercert, mdalg)
+/* char *tls_cert_fprint(peercert, mdalg)
/* X509 *peercert;
/* const char *mdalg;
/*
/* The return value is dynamically allocated with mymalloc(),
/* and the caller must eventually free it with myfree().
/*
-/* tls_fprint() digests unstructured data, and encodes the digested
-/* result via tls_digest_encode().
-/* The return value is dynamically allocated with mymalloc(),
-/* and the caller must eventually free it with myfree().
+/* tls_data_fprint() digests unstructured data, and encodes the digested
+/* result via tls_digest_encode(). The return value is dynamically
+/* allocated with mymalloc(), and the caller must eventually free it
+/* with myfree().
/*
-/* tls_fingerprint() returns a fingerprint of the the given
+/* tls_cert_fprint() returns a fingerprint of the the given
/* certificate using the requested message digest, formatted
/* with tls_digest_encode(). Panics if the
/* (previously verified) digest algorithm is not found. The return
/* must eventually free it with myfree().
/*
/* tls_pkey_fprint() returns a public-key fingerprint; in all
-/* other respects the function behaves as tls_fingerprint().
+/* other respects the function behaves as tls_cert_fprint().
/* The var_tls_bc_pkey_fprint variable enables an incorrect
/* algorithm that was used in Postfix versions 2.9.[0-5].
/* The return value is dynamically allocated with mymalloc(),
static const char hexcodes[] = "0123456789ABCDEF";
-#define chknonzero(ret) (ok &= ((ret) ? 1 : 0))
-#define digestpl(p, l) chknonzero(EVP_DigestUpdate(mdctx, (char *)(p), (l)))
-#define digestptr(p) digestpl((p), sizeof(*(p)))
-#define digeststr(s) digestpl((s), strlen(s)+1)
+#define checkok(ret) (ok &= ((ret) ? 1 : 0))
+#define digest_data(p, l) checkok(EVP_DigestUpdate(mdctx, (char *)(p), (l)))
+#define digest_object(p) digest_data((p), sizeof(*(p)))
+#define digest_string(s) digest_data((s), strlen(s)+1)
-#define digestdane(dane, memb) do { \
+#define digest_dane(dane, memb) do { \
if ((dane)->memb != 0) \
- chknonzero(tlsa_digest(mdctx, (dane)->memb, #memb)); \
+ checkok(digest_tlsa_usage(mdctx, (dane)->memb, #memb)); \
} while (0)
-#define digesttlsa(tlsa, memb) do { \
+#define digest_tlsa_argv(tlsa, memb) do { \
if ((tlsa)->memb) { \
- digeststr(#memb); \
+ digest_string(#memb); \
for (dgst = (tlsa)->memb->argv; *dgst; ++dgst) \
- digeststr(*dgst); \
+ digest_string(*dgst); \
} \
} while (0)
-/* tlsa_digest - digest a pre-sorted by caller TLSA match list */
+/* digest_tlsa_usage - digest TA or EE match list sorted by alg and value */
-static int tlsa_digest(EVP_MD_CTX *mdctx, TLS_TLSA *tlsa, const char *usage)
+static int digest_tlsa_usage(EVP_MD_CTX * mdctx, TLS_TLSA *tlsa,
+ const char *usage)
{
char **dgst;
int ok = 1;
- for (digeststr(usage); tlsa; tlsa = tlsa->next) {
- digeststr(tlsa->mdalg);
- digesttlsa(tlsa, pkeys);
- digesttlsa(tlsa, certs);
+ for (digest_string(usage); tlsa; tlsa = tlsa->next) {
+ digest_string(tlsa->mdalg);
+ digest_tlsa_argv(tlsa, pkeys);
+ digest_tlsa_argv(tlsa, certs);
}
return (ok);
}
sslversion = SSLeay();
mdctx = EVP_MD_CTX_create();
- chknonzero(EVP_DigestInit_ex(mdctx, md, NULL));
- digeststr(props->helo ? props->helo : "");
- digestptr(&sslversion);
- digestptr(&protomask);
- digeststr(ciphers);
+ checkok(EVP_DigestInit_ex(mdctx, md, NULL));
+ digest_string(props->helo ? props->helo : "");
+ digest_object(&sslversion);
+ digest_object(&protomask);
+ digest_string(ciphers);
/*
* All we get from the session cache is a single bit telling us whether
* the certificate is trusted or not, but we need to know whether the
* trust is CA-based (in that case we must do name checks) or whether it
- * is a direct end-point match. We mustn't confuse the two, so it is best
- * to process only TA trust in the verify callback and check the EE trust
- * after. This works since re-used sessions always have access to the leaf
- * certificate, while only the original session has the leaf and the full
- * trust chain.
- *
- * Only the trust anchor matchlist is hashed into the session key.
- * The end entity certs are not used to determine whether a certificate
- * is trusted or not, rather these are rechecked against the leaf cert
+ * is a direct end-point match. We mustn't confuse the two, so it is
+ * best to process only TA trust in the verify callback and check the EE
+ * trust after. This works since re-used sessions always have access to
+ * the leaf certificate, while only the original session has the leaf and
+ * the full trust chain.
+ *
+ * Only the trust anchor matchlist is hashed into the session key. The end
+ * entity certs are not used to determine whether a certificate is
+ * trusted or not, rather these are rechecked against the leaf cert
* outside the verification callback, each time a session is created or
* reused.
- *
- * Therefore, the security context of the session does not depend on the
- * EE matching data, which is checked separately each time. So we exclude
+ *
+ * Therefore, the security context of the session does not depend on the EE
+ * matching data, which is checked separately each time. So we exclude
* the EE part of the DANE structure from the serverid digest.
- *
+ *
* If this changes, also update tls_dane_final() in tls_dane.c.
- *
+ *
* If the security level is "dane", we send SNI information to the peer.
* This may cause it to respond with a non-default certificate. Since
* certificates for sessions with no or different SNI data may not match,
if (props->dane) {
int mixed = (props->dane->flags & TLS_DANE_FLAG_MIXED);
- digestptr(&mixed);
- digestdane(props->dane, ta);
+ digest_object(&mixed);
+ digest_dane(props->dane, ta);
#if 0
- digestdane(props->dane, ee); /* See above */
+ digest_dane(props->dane, ee); /* See above */
#endif
- digeststr(props->tls_level == TLS_LEV_DANE ? props->host : "");
+ digest_string(props->tls_level == TLS_LEV_DANE ? props->host : "");
}
- chknonzero(EVP_DigestFinal_ex(mdctx, md_buf, &md_len));
+ checkok(EVP_DigestFinal_ex(mdctx, md_buf, &md_len));
EVP_MD_CTX_destroy(mdctx);
if (!ok)
msg_fatal("error computing %s message digest", mdalg);
if (md_len > EVP_MAX_MD_SIZE)
msg_panic("unexpectedly large %s digest size: %u", mdalg, md_len);
- /* Append the digest to the serverid */
+ /*
+ * Append the digest to the serverid. We don't compare this digest to
+ * any user-specified fingerprints. Therefore, we don't need to use a
+ * colon-separated format, which saves space in the TLS session cache and
+ * makes logging of session cache lookup keys more readable.
+ *
+ * This does however duplicate a few lines of code from the digest encoder
+ * for colon-separated cert and pkey fingerprints. If that is a
+ * compelling reason to consolidate, we could use that and append the
+ * result.
+ */
result = vstring_alloc(strlen(props->serverid) + 1 + 2 * md_len);
vstring_strcpy(result, props->serverid);
VSTRING_ADDCH(result, ':');
return (result);
}
-/* tls_fprint - compute and encode digest of DER-encoded object */
+/* tls_data_fprint - compute and encode digest of binary object */
-char *tls_fprint(const char *buf, int len, const char *mdalg)
+char *tls_data_fprint(const char *buf, int len, const char *mdalg)
{
EVP_MD_CTX *mdctx;
const EVP_MD *md;
msg_panic("digest algorithm \"%s\" not found", mdalg);
mdctx = EVP_MD_CTX_create();
- chknonzero(EVP_DigestInit_ex(mdctx, md, NULL));
- digestpl(buf, len);
- chknonzero(EVP_DigestFinal_ex(mdctx, md_buf, &md_len));
+ checkok(EVP_DigestInit_ex(mdctx, md, NULL));
+ digest_data(buf, len);
+ checkok(EVP_DigestFinal_ex(mdctx, md_buf, &md_len));
EVP_MD_CTX_destroy(mdctx);
if (!ok)
msg_fatal("error computing %s message digest", mdalg);
return (tls_digest_encode(md_buf, md_len));
}
-/* tls_fingerprint - extract certificate fingerprint */
+/* tls_cert_fprint - extract certificate fingerprint */
-char *tls_fingerprint(X509 *peercert, const char *mdalg)
+char *tls_cert_fprint(X509 *peercert, const char *mdalg)
{
int len;
char *buf;
if (buf2 - buf != len)
msg_panic("i2d_X509 invalid result length");
- result = tls_fprint(buf, len, mdalg);
+ result = tls_data_fprint(buf, len, mdalg);
myfree(buf);
return (result);
msg_fatal("%s: error extracting legacy public-key fingerprint: %m",
myname);
- result = tls_fprint((char *) key->data, key->length, mdalg);
+ result = tls_data_fprint((char *) key->data, key->length, mdalg);
return (result);
} else {
int len;
if (buf2 - buf != len)
msg_panic("i2d_X509_PUBKEY invalid result length");
- result = tls_fprint(buf, len, mdalg);
+ result = tls_data_fprint(buf, len, mdalg);
myfree(buf);
return (result);
}
/* tls_update_app_logmask - update log level after init */
-void tls_update_app_logmask(TLS_APPL_STATE *app_ctx, int log_mask)
+void tls_update_app_logmask(TLS_APPL_STATE *app_ctx, int log_mask)
{
app_ctx->log_mask = log_mask;
}
TLScontext->serverid = 0;
TLScontext->peer_CN = 0;
TLScontext->issuer_CN = 0;
- TLScontext->peer_fingerprint = 0;
+ TLScontext->peer_cert_fprint = 0;
TLScontext->peer_pkey_fprint = 0;
TLScontext->protocol = 0;
TLScontext->cipher_name = 0;
TLScontext->log_mask = log_mask;
TLScontext->namaddr = lowercase(mystrdup(namaddr));
- TLScontext->mdalg = 0; /* Alias for props->mdalg */
- TLScontext->dane = 0; /* Alias for client props->dane */
+ TLScontext->mdalg = 0; /* Alias for props->mdalg */
+ TLScontext->dane = 0; /* Alias for client
+ * props->dane */
TLScontext->trustdepth = -1;
TLScontext->chaindepth = -1;
TLScontext->errordepth = -1;
myfree(TLScontext->peer_CN);
if (TLScontext->issuer_CN)
myfree(TLScontext->issuer_CN);
- if (TLScontext->peer_fingerprint)
- myfree(TLScontext->peer_fingerprint);
+ if (TLScontext->peer_cert_fprint)
+ myfree(TLScontext->peer_cert_fprint);
if (TLScontext->peer_pkey_fprint)
myfree(TLScontext->peer_pkey_fprint);
if (TLScontext->errorcert)
myfree(tls_context->peer_CN);
if (tls_context->issuer_CN)
myfree(tls_context->issuer_CN);
- if (tls_context->peer_fingerprint)
- myfree(tls_context->peer_fingerprint);
+ if (tls_context->peer_cert_fprint)
+ myfree(tls_context->peer_cert_fprint);
if (tls_context->protocol)
myfree((char *) tls_context->protocol);
if (tls_context->cipher_name)
STRING_OR_EMPTY(tp->peer_CN),
ATTR_TYPE_STR, MAIL_ATTR_ISSUER_CN,
STRING_OR_EMPTY(tp->issuer_CN),
- ATTR_TYPE_STR, MAIL_ATTR_PEER_FPT,
- STRING_OR_EMPTY(tp->peer_fingerprint),
+ ATTR_TYPE_STR, MAIL_ATTR_PEER_CERT_FPT,
+ STRING_OR_EMPTY(tp->peer_cert_fprint),
ATTR_TYPE_STR, MAIL_ATTR_PEER_PKEY_FPT,
STRING_OR_EMPTY(tp->peer_pkey_fprint),
ATTR_TYPE_INT, MAIL_ATTR_PEER_STATUS,
int ret;
VSTRING *peer_CN = vstring_alloc(25);
VSTRING *issuer_CN = vstring_alloc(25);
- VSTRING *peer_fingerprint = vstring_alloc(60); /* 60 for SHA-1 */
+ VSTRING *peer_cert_fprint = vstring_alloc(60); /* 60 for SHA-1 */
VSTRING *peer_pkey_fprint = vstring_alloc(60); /* 60 for SHA-1 */
VSTRING *protocol = vstring_alloc(25);
VSTRING *cipher_name = vstring_alloc(25);
ret = scan_fn(fp, flags | ATTR_FLAG_MORE,
ATTR_TYPE_STR, MAIL_ATTR_PEER_CN, peer_CN,
ATTR_TYPE_STR, MAIL_ATTR_ISSUER_CN, issuer_CN,
- ATTR_TYPE_STR, MAIL_ATTR_PEER_FPT, peer_fingerprint,
+ ATTR_TYPE_STR, MAIL_ATTR_PEER_CERT_FPT, peer_cert_fprint,
ATTR_TYPE_STR, MAIL_ATTR_PEER_PKEY_FPT, peer_pkey_fprint,
ATTR_TYPE_INT, MAIL_ATTR_PEER_STATUS,
&tls_context->peer_status,
ATTR_TYPE_END);
tls_context->peer_CN = vstring_export(peer_CN);
tls_context->issuer_CN = vstring_export(issuer_CN);
- tls_context->peer_fingerprint = vstring_export(peer_fingerprint);
+ tls_context->peer_cert_fprint = vstring_export(peer_cert_fprint);
tls_context->peer_pkey_fprint = vstring_export(peer_pkey_fprint);
tls_context->protocol = vstring_export(protocol);
tls_context->cipher_name = vstring_export(cipher_name);
/* .IP TLScontext->issuer_CN
/* Extracted CommonName of the issuer, or zero-length string
/* when information could not be extracted.
-/* .IP TLScontext->peer_fingerprint
+/* .IP TLScontext->peer_cert_fprint
/* Fingerprint of the certificate, or zero-length string when no peer
/* certificate is available.
/* .PP
}
TLScontext->peer_CN = tls_peer_CN(peer, TLScontext);
TLScontext->issuer_CN = tls_issuer_CN(peer, TLScontext);
- TLScontext->peer_fingerprint = tls_fingerprint(peer, TLScontext->mdalg);
+ TLScontext->peer_cert_fprint = tls_cert_fprint(peer, TLScontext->mdalg);
TLScontext->peer_pkey_fprint = tls_pkey_fprint(peer, TLScontext->mdalg);
if (TLScontext->log_mask & (TLS_LOG_VERBOSE | TLS_LOG_PEERCERT)) {
", pkey_fingerprint=%s",
TLScontext->namaddr,
TLScontext->peer_CN, TLScontext->issuer_CN,
- TLScontext->peer_fingerprint,
+ TLScontext->peer_cert_fprint,
TLScontext->peer_pkey_fprint);
}
X509_free(peer);
} else {
TLScontext->peer_CN = mystrdup("");
TLScontext->issuer_CN = mystrdup("");
- TLScontext->peer_fingerprint = mystrdup("");
+ TLScontext->peer_cert_fprint = mystrdup("");
TLScontext->peer_pkey_fprint = mystrdup("");
}
}
certs = mixed ? tlsa->pkeys : tlsa->certs;
if (certs != 0 && !matched) {
- char *cert_dgst = tls_fingerprint(cert, tlsa->mdalg);
+ char *cert_dgst = tls_cert_fprint(cert, tlsa->mdalg);
for (dgst = certs->argv; !matched && *dgst; ++dgst)
if (strcasecmp(cert_dgst, *dgst) == 0)
projects / thirdparty / postfix.git / commitdiff
