reused in the Postfix SMTP server. Files: smtp/smtp_sasl_proto.c,
global/sacl_mech_filter.[hc].
- Bugfix (introduced: Postfix 2.0): smtp_sasl_mechamism_filter
- ignored table lookup errors, treating as 'not found'. Found while
- refactoring code.
+ Bugfix (introduced: Postfix 2.0): smtp_sasl_mechanism_filter
+ ignored table lookup errors, treating them as 'not found'.
+ Found while refactoring code. File: smtp/smtp_sasl_proto.c.
Feature: smtpd_sasl_mechanism_list (default: !external,
static:rest) to avoid confusing errors when a SASL backend
20200906-18
- Baseline is postfix-3.6-20200906.
-
Other debt: internal protocol identification. Each server
sends the name of the internal protocol that it implements,
and each client logs a warning if it receives the wrong
20201011
- Cleanup: save a copy of the postscreen_dnsbl_reply_map
- lookup result. This has no effect when the recommended
- texthash: look table is used, but it may avoid stale data
- with other lookup tables. File: postscreen/postscreen_dnsbl.c.
+ Bugfix (introduced: Postfix 2.8): save a copy of the
+ postscreen_dnsbl_reply_map lookup result. This has no effect
+ when the recommended texthash: look table is used, but it
+ may avoid stale data with other lookup tables. File:
+ postscreen/postscreen_dnsbl.c.
20201015
Cleanup: don't split a space-comma separated address list
on on space or comma inside a quoted string. Files:
util/mystrtok.c, util/mystetok.ref, global/login_sender_match.c.
+
+20201101
+
+ Cleanup: the default "smtp_tls_dane_insecure_mx_policy = dane"
+ was forcing too many A/AAAA lookups for MX hosts in DANE mode.
+ The default is now "dane" when smtp_tls_security_level is "dane".
+ otherwise it is "may". File: global/mail_params.h.
+
+20201104
+
+ Bugfix (introduced: Postfix 3.5): the Postfix SMTP client
+ broke message headers longer than $line_length_limit, causing
+ subsequent header content to become message body content.
+ Reported by Andreas Weigel, fix by Viktor Dukhovni. File:
+ smtp/smtp_proto.c.
+
+ Added missing employer attributions to .c and .h files.
Wish list:
Does tlsproxy terminate to soon after 'postfix reload'?
+ like, while a session is still im progress? Does it depend
+ on the server or client role?
Eliminate duplicate user_acl check from sendmail, and pass
the result through the postdrop-to-sendmail protocol. This
parameter. For example:
http://postfix.1071664.n5.nabble.com/Relay-attempt-questions-td103646.html
- check_mumble_mx_access also generates synthetic MX records
- i.e. A/AAAA where no MX exists.
+ Document that check_mumble_mx_access generates synthetic
+ MX records i.e. A/AAAA where no MX exists.
Someone suggested adding References: and In-Reply-To: headers
in bounce messages. Downside: that will make it harder to
delete a bounce without deleting other mail. Therefore do
- not enable by defalut.
+ not enable by default.
Hardening the half-dane behavior: some sites may rely on
current behavior which allows original MX domain name for
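Review bot: the 20201101 entry has a punctuation slip in the added lines that changes the reading: `The default is now "dane" when smtp_tls_security_level is "dane".` / `otherwise it is "may".` should be joined with a comma, not a period. The same entry is labelled "Cleanup" although it changes the effective default for sites whose nexthop security level is dane while the global smtp_tls_security_level is not; a sentence saying who is affected, as the other entries do with "Bugfix (introduced: ...)", would help upgraders. Minor: the wish-list lines read `Does tlsproxy terminate to soon after 'postfix reload'?` / `like, while a session is still im progress?`, i.e. "too soon" and "in progress".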
</DD>
<DT><b><a name="smtp_tls_dane_insecure_mx_policy">smtp_tls_dane_insecure_mx_policy</a>
-(default: dane)</b></DT><DD>
+(default: see "postconf -d" output)</b></DT><DD>
<p> The TLS policy for MX hosts with "secure" TLSA records when the
nexthop destination security level is <b>dane</b>, but the MX
<dd> The TLSA records will signal a requirement to use TLS. While
TLS encryption will be required, authentication will not be performed.
</dd>
-<dt><b>dane</b> (default)</dt>
+<dt><b>dane</b></dt>
<dd>The TLSA records will be used just as with "secure" MX records.
TLS encryption will be required, and, if at least one of the TLSA
records is "usable", authentication will be required. When
"Verified", because the MX host name could have been forged. </dd>
</dl>
+<p> The default setting for Postfix ≥ 3.6 is "dane" with
+"<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = dane", otherwise "may". With earlier
+Postfix versions the defauult setting was always "dane". </p>
+
<p> Though with "insecure" MX records an active attacker can
compromise SMTP transport security by returning forged MX records,
such attacks are "tamper-evident" since any forged MX hostnames
TLS connection reuse" for background details.
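Review bot: the added paragraph misspells "default" as "defauult" (`Postfix versions the defauult setting was always "dane". </p>`). The same paragraph uses a raw "≥" character while the man page copy of this text uses ">="; using ">=" or the `&ge;` entity here keeps the HTML ASCII-clean and the two renderings consistent.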
.PP
This feature is available in Postfix 3.4 and later.
-.SH smtp_tls_dane_insecure_mx_policy (default: dane)
+.SH smtp_tls_dane_insecure_mx_policy (default: see "postconf \-d" output)
The TLS policy for MX hosts with "secure" TLSA records when the
nexthop destination security level is \fBdane\fR, but the MX
record was found via an "insecure" MX lookup. The choices are:
The TLSA records will signal a requirement to use TLS. While
TLS encryption will be required, authentication will not be performed.
.br
-.IP "\fBdane\fR (default)"
+.IP "\fBdane\fR"
The TLSA records will be used just as with "secure" MX records.
TLS encryption will be required, and, if at least one of the TLSA
records is "usable", authentication will be required. When
"Verified", because the MX host name could have been forged.
.br
.br
+The default setting for Postfix >= 3.6 is "dane" with
+"smtp_tls_security_level = dane", otherwise "may". With earlier
+Postfix versions the defauult setting was always "dane".
+.PP
Though with "insecure" MX records an active attacker can
compromise SMTP transport security by returning forged MX records,
such attacks are "tamper\-evident" since any forged MX hostnames
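Review bot: the added line `Postfix versions the defauult setting was always "dane".` carries the same "defauult" typo as the HTML copy. This copy writes ">= 3.6" where the HTML writes "≥ 3.6"; pick one form for all three copies of the sentence so the generated pages agree.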
This feature is available in Postfix 3.1 and later.
</p>
-%PARAM smtp_tls_dane_insecure_mx_policy dane
+%PARAM smtp_tls_dane_insecure_mx_policy see "postconf -d" output
<p> The TLS policy for MX hosts with "secure" TLSA records when the
nexthop destination security level is <b>dane</b>, but the MX
<dd> The TLSA records will signal a requirement to use TLS. While
TLS encryption will be required, authentication will not be performed.
</dd>
-<dt><b>dane</b> (default)</dt>
+<dt><b>dane</b></dt>
<dd>The TLSA records will be used just as with "secure" MX records.
TLS encryption will be required, and, if at least one of the TLSA
records is "usable", authentication will be required. When
"Verified", because the MX host name could have been forged. </dd>
</dl>
+<p> The default setting for Postfix ≥ 3.6 is "dane" with
+"smtp_tls_security_level = dane", otherwise "may". With earlier
+Postfix versions the defauult setting was always "dane". </p>
+
<p> Though with "insecure" MX records an active attacker can
compromise SMTP transport security by returning forged MX records,
such attacks are "tamper-evident" since any forged MX hostnames
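Review bot: `+Postfix versions the defauult setting was always "dane". </p>` repeats the "defauult" typo, and the "≥" character appears here as well; since the HTML and man page copies duplicate this sentence, correcting it once in this source and regenerating keeps all three in sync. With `%PARAM smtp_tls_dane_insecure_mx_policy see "postconf -d" output` the rendered default no longer states the rule itself, so consider placing the "The default setting for Postfix ..." paragraph before the option list rather than after it, where a reader looking for the default will find it first.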
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
#endif
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
#endif
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
#endif
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
#endif
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
#endif
/* SMTP only */
#define VAR_SMTP_TLS_INSECURE_MX_POLICY "smtp_tls_dane_insecure_mx_policy"
-#define DEF_SMTP_TLS_INSECURE_MX_POLICY "dane"
+#define DEF_SMTP_TLS_INSECURE_MX_POLICY "${{$smtp_tls_security_level} == {dane} ? {dane} : {may}}"
extern char *var_smtp_tls_insecure_mx_policy;
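Review bot: the new default `${{$smtp_tls_security_level} == {dane} ? {dane} : {may}}` keys off the global smtp_tls_security_level, but the parameter description says it applies whenever the nexthop destination security level is dane. A site whose global level is not dane but whose nexthop policy for some destinations is dane therefore moves from "dane" to "may" for MX hosts found through insecure MX lookups, which per the documented "may" behaviour means TLS is still required but authentication is no longer performed. That is the intended trade for fewer A/AAAA lookups, but it is a silent downgrade for that configuration; state it in the HISTORY entry and the parameter text, and verify what `postconf -d` prints for this parameter now that the documentation points operators there for the default.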
/*
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20201101"
+#define MAIL_RELEASE_DATE "20201104"
#define MAIL_VERSION_NUMBER "3.6"
#ifdef SNAPSHOT
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
#endif
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
#endif
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
#endif
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* smtp_out_raw_or_mime - output buffer, raw output or MIME-aware */
-static int smtp_out_raw_or_mime(SMTP_STATE *state, VSTRING *buf)
+static int smtp_out_raw_or_mime(SMTP_STATE *state, int rec_type, VSTRING *buf)
{
SMTP_SESSION *session = state->session;
int mime_errs;
if (session->mime_state == 0) {
- smtp_text_out((void *) state, REC_TYPE_NORM, vstring_str(buf),
+ smtp_text_out((void *) state, rec_type, vstring_str(buf),
VSTRING_LEN(buf), (off_t) 0);
} else {
mime_errs =
- mime_state_update(session->mime_state, REC_TYPE_NORM,
+ mime_state_update(session->mime_state, rec_type,
vstring_str(buf), VSTRING_LEN(buf));
if (mime_errs) {
smtp_mime_fail(state, mime_errs);
vstring_str(session->scratch2),
QUOTE_FLAG_DEFAULT | QUOTE_FLAG_APPEND);
vstring_strcat(session->scratch, gt);
- return (smtp_out_raw_or_mime(state, session->scratch));
+ return (smtp_out_raw_or_mime(state, REC_TYPE_NORM, session->scratch));
}
/* smtp_out_add_headers - output additional headers, uses session->scratch* */
while ((rec_type = rec_get(state->src, session->scratch, 0)) > 0) {
if (rec_type != REC_TYPE_NORM && rec_type != REC_TYPE_CONT)
break;
- if (smtp_out_raw_or_mime(state, session->scratch) < 0)
+ if (smtp_out_raw_or_mime(state, rec_type,
+ session->scratch) < 0)
RETURN(0);
prev_type = rec_type;
}
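Review bot: the function comment `/* smtp_out_raw_or_mime - output buffer, raw output or MIME-aware */` was not updated for the new rec_type argument; note there that callers pass REC_TYPE_NORM or REC_TYPE_CONT so the MIME state machine sees continuation records for headers longer than line_length_limit. The caller `return (smtp_out_raw_or_mime(state, REC_TYPE_NORM, session->scratch));` still hardcodes REC_TYPE_NORM for the locally assembled header, which is only correct if that buffer can never exceed line_length_limit; a short comment stating that invariant would prevent the same bug from reappearing there. Since the HISTORY entry describes header content becoming message body content, a regression test that sends a header longer than line_length_limit through the SMTP client and checks where the body starts would protect this fix.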
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System interfaces. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System libraries. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
#endif
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */