Cleanup: harmless memory leak in postconf. File:
postconf/postconf_master.c.
-20200312
-
Bugfix (introduced: Postfix 2.3): panic with Postfix
multi-Milter configuration during MAIL FROM. Milter client
state was not properly reset after one of the Milters failed.
Reported by WeiYu Wu.
+
+20200312
+
+ Usability: the Postfix SMTP server now logs a warning when
+ a configuration requests access control by client certificate,
+ but "smtpd_tls_ask_clientcert = no". Files: proto/postconf.proto,
+ smtpd/smtpd_check.c.
+
+20200316
+
+ Removed the issuer_cn and subject_cn matches from
+ check_ccert_access. Files: smtpd/smtpd_check.c,
+ proto/postconf.proto.
Major changes - multiple relayhost in SMTP
------------------------------------------
-[Feature 20200111] SMTP (and LMTP) client support for a list of
-nexthop destinations separated by comma or whitespace. These will
-destinations be tried in the specified order.
+[Feature 20200111] the Postfix SMTP and LMTP client support a list
+of nexthop destinations separated by comma or whitespace. These
+destinations will be tried in the specified order.
The list form can be specified in relayhost, transport_maps,
default_transport, and sender_dependent_default_transport_maps.
search_order = cert_fingerprint, pubkey_fingerprint } }
...
-The check_ccert_access search order also supports the subject_cn and
-issuer_cn properties. Support is planned for rfc822name and
-smtputf8mailbox.
+Support is planned for other certificate features.
Major changes - dovecot usability
---------------------------------
not be returned to the sender until it is released with -f or -H.
In the mailq(1) or postqueue(1) -p output, a forced-to-expire message
-is indicated with # after the queue name. In postqueue(1) JSON
+is indicated with # after the queue file name. In postqueue(1) JSON
output, there is a new per-message field "forced_expire" (with value
true or false) that shows the forced-to-expire status.
remote SMTP client certificate is verified successfully.
The fingerprint digest algorithm is configurable via the
<a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a> parameter (hard-coded as md5 prior to
-Postfix version 2.5). This feature is available with Postfix version
+Postfix version 2.5). This feature requires "<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>
+= yes" and is available with Postfix version
2.2 and later. </dd>
<br>
<dd> <a href="postconf.5.html#check_ccert_access">check_ccert_access</a> { <a href="DATABASE_README.html">type:table</a>, { search_order = cert_fingerprint,
pubkey_fingerprint } } </dd>
-<dd> The commas are optional. Other valid search_order elements are
-"subject_cn" (the certificate subject CN) and "issuer_cn" (the
-certificate issuer CN). </dd>
+<dd> The commas are optional. </dd>
<dt><b><a name="check_client_access">check_client_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
be allowed to relay. Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" when the
trusted CA is specified with <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> or <a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a>,
to prevent Postfix from appending the system-supplied default CAs.
-This feature is available with Postfix version 2.2.</dd>
+This feature requires "<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a> = yes" and is available
+with Postfix version 2.2 and later.</dd>
<dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
listed in $<a href="postconf.5.html#relay_clientcerts">relay_clientcerts</a>.
The fingerprint digest algorithm is configurable via the
<a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a> parameter (hard-coded as md5 prior to
-Postfix version 2.5). This feature is available with Postfix version
-2.2. </dd>
+Postfix version 2.5). This feature requires "<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>
+= yes" and is available with Postfix version 2.2 and later.</dd>
<dt><b><a name="reject_rbl_client">reject_rbl_client <i>rbl_domain=d.d.d.d</i></a></b></dt>
remote SMTP client certificate is verified successfully.
The fingerprint digest algorithm is configurable via the
smtpd_tls_fingerprint_digest parameter (hard\-coded as md5 prior to
-Postfix version 2.5). This feature is available with Postfix version
+Postfix version 2.5). This feature requires "smtpd_tls_ask_ccert
+= yes" and is available with Postfix version
2.2 and later.
.br
.br
check_ccert_access { type:table, { search_order = cert_fingerprint,
pubkey_fingerprint } }
.br
-The commas are optional. Other valid search_order elements are
-"subject_cn" (the certificate subject CN) and "issuer_cn" (the
-certificate issuer CN).
+The commas are optional.
.br
.IP "\fBcheck_client_access \fItype:table\fR\fR"
Search the specified access database for the client hostname,
be allowed to relay. Specify "tls_append_default_CA = no" when the
trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath,
to prevent Postfix from appending the system\-supplied default CAs.
-This feature is available with Postfix version 2.2.
+This feature requires "smtpd_tls_ask_ccert = yes" and is available
+with Postfix version 2.2 and later.
.br
.IP "\fBpermit_tls_clientcerts\fR"
Permit the request when the remote SMTP client certificate
listed in $relay_clientcerts.
The fingerprint digest algorithm is configurable via the
smtpd_tls_fingerprint_digest parameter (hard\-coded as md5 prior to
-Postfix version 2.5). This feature is available with Postfix version
-2.2.
+Postfix version 2.5). This feature requires "smtpd_tls_ask_ccert
+= yes" and is available with Postfix version 2.2 and later.
.br
.IP "\fBreject_rbl_client \fIrbl_domain=d.d.d.d\fR\fR"
Reject the request when the reversed client network address is
remote SMTP client certificate is verified successfully.
The fingerprint digest algorithm is configurable via the
smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to
-Postfix version 2.5). This feature is available with Postfix version
+Postfix version 2.5). This feature requires "smtpd_tls_ask_ccert
+= yes" and is available with Postfix version
2.2 and later. </dd>
<br>
<dd> check_ccert_access { type:table, { search_order = cert_fingerprint,
pubkey_fingerprint } } </dd>
-<dd> The commas are optional. Other valid search_order elements are
-"subject_cn" (the certificate subject CN) and "issuer_cn" (the
-certificate issuer CN). </dd>
+<dd> The commas are optional. </dd>
<dt><b><a name="check_client_access">check_client_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
be allowed to relay. Specify "tls_append_default_CA = no" when the
trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath,
to prevent Postfix from appending the system-supplied default CAs.
-This feature is available with Postfix version 2.2.</dd>
+This feature requires "smtpd_tls_ask_ccert = yes" and is available
+with Postfix version 2.2 and later.</dd>
<dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
listed in $relay_clientcerts.
The fingerprint digest algorithm is configurable via the
smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to
-Postfix version 2.5). This feature is available with Postfix version
-2.2. </dd>
+Postfix version 2.5). This feature requires "smtpd_tls_ask_ccert
+= yes" and is available with Postfix version 2.2 and later.</dd>
<dt><b><a name="reject_rbl_client">reject_rbl_client <i>rbl_domain=d.d.d.d</i></a></b></dt>
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20200312"
-#define MAIL_VERSION_NUMBER "3.5.0-RC2"
+#define MAIL_RELEASE_DATE "20200316"
+#define MAIL_VERSION_NUMBER "3.5.0"
#ifdef SNAPSHOT
#define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
if (msg_verbose)
msg_info("relay_clientcerts: No match for fingerprint '%s', "
"pkey fingerprint %s", prints[0], prints[1]);
+ } else if (!var_smtpd_tls_ask_ccert) {
+ msg_warn("%s is requested, but \"%s = no\"", permit_all_certs ?
+ PERMIT_TLS_ALL_CLIENTCERTS : PERMIT_TLS_CLIENTCERTS,
+ VAR_SMTPD_TLS_ACERT);
}
#endif
return (SMTPD_CHECK_DUNNO);
case SMTPD_ACL_SEARCH_CODE_PKEY_FPRINT:
match_this = state->tls_context->peer_pkey_fprint;
break;
- case SMTPD_ACL_SEARCH_CODE_CERT_ISSUER_CN:
- match_this = state->tls_context->issuer_CN;
- break;
- case SMTPD_ACL_SEARCH_CODE_CERT_SUBJECT_CN:
- match_this = state->tls_context->peer_CN;
- break;
default:
known_action = str_name_code(search_actions, *action);
if (known_action == 0)
if (result != SMTPD_CHECK_DUNNO)
break;
}
+ } else if (!var_smtpd_tls_ask_ccert) {
+ msg_warn("%s is requested, but \"%s = no\"",
+ CHECK_CCERT_ACL, VAR_SMTPD_TLS_ACERT);
} else {
if (msg_verbose)
msg_info("%s: no client certificate", myname);
bool var_smtpd_peername_lookup;
bool var_smtpd_client_port_log;
char *var_smtpd_dns_re_filter;
+bool var_smtpd_tls_ask_ccert;
#define int_table test_int_table
VAR_PLAINTEXT_CODE, DEF_PLAINTEXT_CODE, &var_plaintext_code,
VAR_SMTPD_PEERNAME_LOOKUP, DEF_SMTPD_PEERNAME_LOOKUP, &var_smtpd_peername_lookup,
VAR_SMTPD_CLIENT_PORT_LOG, DEF_SMTPD_CLIENT_PORT_LOG, &var_smtpd_client_port_log,
+ VAR_SMTPD_TLS_ACERT, DEF_SMTPD_TLS_ACERT, &var_smtpd_tls_ask_ccert,
0,
};
projects / thirdparty / postfix.git / commitdiff
