20100610
- Postfix no longer appends the system default CAs to the
- lists specified with *_tls_CAfile or with *_tls_CApath.
+ Bugfix: Postfix no longer appends the system default CAs
+ to the lists specified with *_tls_CAfile or with *_tls_CApath.
This prevents third-party certificates from being trusted
- and being given mail relay permission with
- permit_tls_all_clientcerts. To get the old behavior specify
+ and given mail relay permission with permit_tls_all_clientcerts.
+ This change may break valid configurations that do not use
+ permit_tls_all_clientcerts. To get the old behavior, specify
"tls_append_default_CA = yes". Files: tls/tls_certkey.c,
tls/tls_misc.c, global/mail_params.h. proto/postconf.proto,
mantools/postlink.
Postfix no longer appends the system-supplied default CAs to the
lists specified with *_tls_CAfile or with *_tls_CApath. This prevents
-third-party certificates from being trusted and being given mail
-relay permission with permit_tls_all_clientcerts.
+third-party certificates from being trusted and given mail relay
+permission with permit_tls_all_clientcerts.
-Specify "tls_append_default_CA = yes" for the old behavior.
+Unfortunately this change may break certificate verification on
+sites that don't use permit_tls_all_clientcerts. Specify
+"tls_append_default_CA = yes" for backwards compatibility.
Incompatibility with snapshot 20100101
======================================
Remove this file from the stable release.
+ Need a regular expression table to translate address
+ verification responses into hard/soft/accept reply codes.
+
When an alias is a member of an :include: list with owner-
alias, local(8) needs an option to deliver alias or alias->user
indirectly. What happens when an :include: list with owner-
<p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party
-certificates. This setting is default as of Postfix 2.8. </p>
+certificates. </p>
<p> Example: </p>
<p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party
-certificates. This setting is default as of Postfix 2.8. </p>
+certificates. </p>
<p> Example: </p>
<dd> Permit the request when the remote SMTP client certificate is
verified successfully. This option must be used only if a special
CA issues the certificates and only this CA is listed as trusted
-CA. This requires that "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" (the default
-with Postfix 2.8 and later). Otherwise, clients with a third-party
-certificate would also be allowed to relay. This feature is available
-with Postfix version 2.2.</dd>
+CA. Otherwise, clients with a third-party certificate would also
+be allowed to relay. Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" when the
+trusted CA is specified with <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> or <a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a>,
+to prevent Postfix from appending the system-supplied default CAs.
+This feature is available with Postfix version 2.2.</dd>
<dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
<p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party
-certificates. This setting is default as of Postfix 2.8. </p>
+certificates. </p>
<p> By default (see <a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>), client certificates are not
requested, and <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> should remain empty. If you do make use
<p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party
-certificates. This setting is default as of Postfix 2.8. </p>
+certificates. </p>
<p> By default (see <a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>), client certificates are
not requested, and <a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> should remain empty. In contrast
<p> Append the system-supplied default certificate authority
certificates to the ones specified with *_tls_CApath or *_tls_CAfile.
-</p>
-
-<p> To avoid massive compatibility breaks, this parameter defaults
-to "yes" for Postfix versions 2.7 and earlier. That is, they trust
-third-party certificates and they give relay permission with
+The default is "no"; this prevents Postfix from trusting third-party
+certificates and giving them relay permission with
<a href="postconf.5.html#permit_tls_all_clientcerts">permit_tls_all_clientcerts</a>. </p>
-<p> This feature is retroactive in Postfix 2.4 and later. </p>
+<p> This feature is available in Postfix 2.4.15, 2.6.8, 2.7.2 and
+later versions. Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = yes" for backwards
+compatibility, to avoid breaking certificate verification with sites
+that don't use <a href="postconf.5.html#permit_tls_all_clientcerts">permit_tls_all_clientcerts</a>. </p>
</DD>
.PP
Specify "tls_append_default_CA = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party
-certificates. This setting is default as of Postfix 2.8.
+certificates.
.PP
Example:
.PP
.PP
Specify "tls_append_default_CA = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party
-certificates. This setting is default as of Postfix 2.8.
+certificates.
.PP
Example:
.PP
Permit the request when the remote SMTP client certificate is
verified successfully. This option must be used only if a special
CA issues the certificates and only this CA is listed as trusted
-CA. This requires that "tls_append_default_CA = no" (the default
-with Postfix 2.8 and later). Otherwise, clients with a third-party
-certificate would also be allowed to relay. This feature is available
-with Postfix version 2.2.
+CA. Otherwise, clients with a third-party certificate would also
+be allowed to relay. Specify "tls_append_default_CA = no" when the
+trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath,
+to prevent Postfix from appending the system-supplied default CAs.
+This feature is available with Postfix version 2.2.
.IP "\fBpermit_tls_clientcerts\fR"
Permit the request when the remote SMTP client certificate
fingerprint is listed in $relay_clientcerts.
.PP
Specify "tls_append_default_CA = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party
-certificates. This setting is default as of Postfix 2.8.
+certificates.
.PP
By default (see smtpd_tls_ask_ccert), client certificates are not
requested, and smtpd_tls_CAfile should remain empty. If you do make use
.PP
Specify "tls_append_default_CA = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party
-certificates. This setting is default as of Postfix 2.8.
+certificates.
.PP
By default (see smtpd_tls_ask_ccert), client certificates are
not requested, and smtpd_tls_CApath should remain empty. In contrast
.SH tls_append_default_CA (default: no)
Append the system-supplied default certificate authority
certificates to the ones specified with *_tls_CApath or *_tls_CAfile.
-.PP
-To avoid massive compatibility breaks, this parameter defaults
-to "yes" for Postfix versions 2.7 and earlier. That is, they trust
-third-party certificates and they give relay permission with
+The default is "no"; this prevents Postfix from trusting third-party
+certificates and giving them relay permission with
permit_tls_all_clientcerts.
.PP
-This feature is retroactive in Postfix 2.4 and later.
+This feature is available in Postfix 2.4.15, 2.6.8, 2.7.2 and
+later versions. Specify "tls_append_default_CA = yes" for backwards
+compatibility, to avoid breaking certificate verification with sites
+that don't use permit_tls_all_clientcerts.
.SH tls_daemon_random_bytes (default: 32)
The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8)
process requests from the \fBtlsmgr\fR(8) server in order to seed its
<dd> Permit the request when the remote SMTP client certificate is
verified successfully. This option must be used only if a special
CA issues the certificates and only this CA is listed as trusted
-CA. This requires that "tls_append_default_CA = no" (the default
-with Postfix 2.8 and later). Otherwise, clients with a third-party
-certificate would also be allowed to relay. This feature is available
-with Postfix version 2.2.</dd>
+CA. Otherwise, clients with a third-party certificate would also
+be allowed to relay. Specify "tls_append_default_CA = no" when the
+trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath,
+to prevent Postfix from appending the system-supplied default CAs.
+This feature is available with Postfix version 2.2.</dd>
<dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
<p> Specify "tls_append_default_CA = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party
-certificates. This setting is default as of Postfix 2.8. </p>
+certificates. </p>
<p> By default (see smtpd_tls_ask_ccert), client certificates are not
requested, and smtpd_tls_CAfile should remain empty. If you do make use
<p> Specify "tls_append_default_CA = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party
-certificates. This setting is default as of Postfix 2.8. </p>
+certificates. </p>
<p> By default (see smtpd_tls_ask_ccert), client certificates are
not requested, and smtpd_tls_CApath should remain empty. In contrast
<p> Specify "tls_append_default_CA = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party
-certificates. This setting is default as of Postfix 2.8. </p>
+certificates. </p>
<p> Example: </p>
<p> Specify "tls_append_default_CA = no" to prevent Postfix from
appending the system-supplied default CAs and trusting third-party
-certificates. This setting is default as of Postfix 2.8. </p>
+certificates. </p>
<p> Example: </p>
<p> Append the system-supplied default certificate authority
certificates to the ones specified with *_tls_CApath or *_tls_CAfile.
-</p>
-
-<p> To avoid massive compatibility breaks, this parameter defaults
-to "yes" for Postfix versions 2.7 and earlier. That is, they trust
-third-party certificates and they give relay permission with
+The default is "no"; this prevents Postfix from trusting third-party
+certificates and giving them relay permission with
permit_tls_all_clientcerts. </p>
-<p> This feature is retroactive in Postfix 2.4 and later. </p>
+<p> This feature is available in Postfix 2.4.15, 2.6.8, 2.7.2 and
+later versions. Specify "tls_append_default_CA = yes" for backwards
+compatibility, to avoid breaking certificate verification with sites
+that don't use permit_tls_all_clientcerts. </p>
%PARAM tls_random_exchange_name see "postconf -d" output
extern int var_dup_filter_limit;
#define VAR_TLS_APPEND_DEF_CA "tls_append_default_CA"
-#define DEF_TLS_APPEND_DEF_CA 0 /* 1 for Postfix < 2.8 */
+#define DEF_TLS_APPEND_DEF_CA 0 /* Postfix < 2.8 BC break */
extern bool var_tls_append_def_CA;
#define VAR_TLS_RAND_EXCH_NAME "tls_random_exchange_name"
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20100610"
+#define MAIL_RELEASE_DATE "20100615"
#define MAIL_VERSION_NUMBER "2.8"
#ifdef SNAPSHOT
projects / thirdparty / postfix.git / commitdiff
