tls/tls_dh.c, tls/tls_server.c.
Portability: Mac OS 10.6.3 requires <arpa/nameser_compat.h>
- instead of <arpa/nameser8_compat.h>. Files: makedefs,
- util/sys_defs.h, dns/dns.h.
+ instead of <nameser8_compat.h>. Files: makedefs, util/sys_defs.h,
+ dns/dns.h.
20100531
Portability: Berkeley DB 5.x has the same API as Berkeley
DB 4.1 and later. File: util/dict_db.c.
+
+20100610
+
+ Postfix no longer appends the system default CAs to the
+ lists specified with *_tls_CAfile or with *_tls_CApath.
+ This prevents third-party certificates from being trusted
+ and being given mail relay permission with
+ permit_tls_all_clientcerts. To get the old behavior specify
+ "tls_append_default_CA = yes". Files: tls/tls_certkey.c,
+ tls/tls_misc.c, global/mail_params.h. proto/postconf.proto,
+ mantools/postlink.
If you upgrade from Postfix 2.6 or earlier, read RELEASE_NOTES-2.7
before proceeding.
+Incompatibility with snapshot 20100610
+======================================
+
+Postfix no longer appends the system-supplied default CAs to the
+lists specified with *_tls_CAfile or with *_tls_CApath. This prevents
+third-party certificates from being trusted and being given mail
+relay permission with permit_tls_all_clientcerts.
+
+Specify "tls_append_default_CA = yes" for the old behavior.
+
Incompatibility with snapshot 20100101
======================================
<p>
The internet domain name of this mail system. The default is to
-use $<a href="postconf.5.html#myhostname">myhostname</a> minus the first component. $<a href="postconf.5.html#mydomain">mydomain</a> is used as
+use $<a href="postconf.5.html#myhostname">myhostname</a> minus the first component, or "localdomain" (Postfix
+2.3 and later). $<a href="postconf.5.html#mydomain">mydomain</a> is used as
a default value for many other configuration parameters.
</p>
<p>
The internet hostname of this mail system. The default is to use
-the fully-qualified domain name from gethostname(). $<a href="postconf.5.html#myhostname">myhostname</a> is
-used as a default value for many other configuration parameters.
-</p>
+the fully-qualified domain name (FQDN) from gethostname(), or to
+use the non-FQDN result from gethostname() and append ".$<a href="postconf.5.html#mydomain">mydomain</a>".
+$<a href="postconf.5.html#myhostname">myhostname</a> is used as a default value for many other configuration
+parameters. </p>
<p>
Example:
but it is best to include all the required certificates directly in
$<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>. </p>
+<p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. This setting is default as of Postfix 2.8. </p>
+
<p> Example: </p>
<pre>
<p> To use this option in chroot mode, this directory (or a copy)
must be inside the chroot jail. </p>
+<p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. This setting is default as of Postfix 2.8. </p>
+
<p> Example: </p>
<pre>
<dd> Permit the request when the remote SMTP client certificate is
verified successfully. This option must be used only if a special
CA issues the certificates and only this CA is listed as trusted
-CA, otherwise all clients with a recognized certificate would be
-allowed to relay. This feature is available with Postfix version 2.2.</dd>
+CA. This requires that "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" (the default
+with Postfix 2.8 and later). Otherwise, clients with a third-party
+certificate would also be allowed to relay. This feature is available
+with Postfix version 2.2.</dd>
<dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
but it is best to include all the required certificates directly in the
server certificate file. </p>
+<p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. This setting is default as of Postfix 2.8. </p>
+
<p> By default (see <a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>), client certificates are not
requested, and <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> should remain empty. If you do make use
of client certificates, the distinguished names (DNs) of the certificate
<a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> in chroot mode, this directory (or a copy) must be
inside the chroot jail. </p>
+<p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. This setting is default as of Postfix 2.8. </p>
+
<p> By default (see <a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>), client certificates are
not requested, and <a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> should remain empty. In contrast
to <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a>, DNs of certificate authorities installed
<p> This feature is available in Postfix 2.6 and later. </p>
+</DD>
+
+<DT><b><a name="tls_append_default_CA">tls_append_default_CA</a>
+(default: no)</b></DT><DD>
+
+<p> Append the system-supplied default certificate authority
+certificates to the ones specified with *_tls_CApath or *_tls_CAfile.
+</p>
+
+<p> To avoid massive compatibility breaks, this parameter defaults
+to "yes" for Postfix versions 2.7 and earlier. That is, they trust
+third-party certificates and they give relay permission with
+<a href="postconf.5.html#permit_tls_all_clientcerts">permit_tls_all_clientcerts</a>. </p>
+
+<p> This feature is retroactive in Postfix 2.4 and later. </p>
+
+
</DD>
<DT><b><a name="tls_daemon_random_bytes">tls_daemon_random_bytes</a>
.ft R
.SH mydomain (default: see "postconf -d" output)
The internet domain name of this mail system. The default is to
-use $myhostname minus the first component. $mydomain is used as
+use $myhostname minus the first component, or "localdomain" (Postfix
+2.3 and later). $mydomain is used as
a default value for many other configuration parameters.
.PP
Example:
.ft R
.SH myhostname (default: see "postconf -d" output)
The internet hostname of this mail system. The default is to use
-the fully-qualified domain name from gethostname(). $myhostname is
-used as a default value for many other configuration parameters.
+the fully-qualified domain name (FQDN) from gethostname(), or to
+use the non-FQDN result from gethostname() and append ".$mydomain".
+$myhostname is used as a default value for many other configuration
+parameters.
.PP
Example:
.PP
but it is best to include all the required certificates directly in
$smtp_tls_cert_file.
.PP
+Specify "tls_append_default_CA = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. This setting is default as of Postfix 2.8.
+.PP
Example:
.PP
.nf
To use this option in chroot mode, this directory (or a copy)
must be inside the chroot jail.
.PP
+Specify "tls_append_default_CA = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. This setting is default as of Postfix 2.8.
+.PP
Example:
.PP
.nf
Permit the request when the remote SMTP client certificate is
verified successfully. This option must be used only if a special
CA issues the certificates and only this CA is listed as trusted
-CA, otherwise all clients with a recognized certificate would be
-allowed to relay. This feature is available with Postfix version 2.2.
+CA. This requires that "tls_append_default_CA = no" (the default
+with Postfix 2.8 and later). Otherwise, clients with a third-party
+certificate would also be allowed to relay. This feature is available
+with Postfix version 2.2.
.IP "\fBpermit_tls_clientcerts\fR"
Permit the request when the remote SMTP client certificate
fingerprint is listed in $relay_clientcerts.
but it is best to include all the required certificates directly in the
server certificate file.
.PP
+Specify "tls_append_default_CA = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. This setting is default as of Postfix 2.8.
+.PP
By default (see smtpd_tls_ask_ccert), client certificates are not
requested, and smtpd_tls_CAfile should remain empty. If you do make use
of client certificates, the distinguished names (DNs) of the certificate
smtpd_tls_CApath in chroot mode, this directory (or a copy) must be
inside the chroot jail.
.PP
+Specify "tls_append_default_CA = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. This setting is default as of Postfix 2.8.
+.PP
By default (see smtpd_tls_ask_ccert), client certificates are
not requested, and smtpd_tls_CApath should remain empty. In contrast
to smtpd_tls_CAfile, DNs of certificate authorities installed
\fBlmtp\fR(8)).
.PP
This feature is available in Postfix 2.6 and later.
+.SH tls_append_default_CA (default: no)
+Append the system-supplied default certificate authority
+certificates to the ones specified with *_tls_CApath or *_tls_CAfile.
+.PP
+To avoid massive compatibility breaks, this parameter defaults
+to "yes" for Postfix versions 2.7 and earlier. That is, they trust
+third-party certificates and they give relay permission with
+permit_tls_all_clientcerts.
+.PP
+This feature is retroactive in Postfix 2.4 and later.
.SH tls_daemon_random_bytes (default: 32)
The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8)
process requests from the \fBtlsmgr\fR(8) server in order to seed its
s;\btls_null_cipherlist\b;<a href="postconf.5.html#tls_null_cipherlist">$&</a>;g;
s;\btls_eecdh_strong_curve\b;<a href="postconf.5.html#tls_eecdh_strong_curve">$&</a>;g;
s;\btls_eecdh_ultra_curve\b;<a href="postconf.5.html#tls_eecdh_ultra_curve">$&</a>;g;
+ s;\btls_append_default_CA\b;<a href="postconf.5.html#tls_append_default_CA">$&</a>;g;
s;\bfrozen_delivered_to\b;<a href="postconf.5.html#frozen_delivered_to">$&</a>;g;
<p>
The internet domain name of this mail system. The default is to
-use $myhostname minus the first component. $mydomain is used as
+use $myhostname minus the first component, or "localdomain" (Postfix
+2.3 and later). $mydomain is used as
a default value for many other configuration parameters.
</p>
<p>
The internet hostname of this mail system. The default is to use
-the fully-qualified domain name from gethostname(). $myhostname is
-used as a default value for many other configuration parameters.
-</p>
+the fully-qualified domain name (FQDN) from gethostname(), or to
+use the non-FQDN result from gethostname() and append ".$mydomain".
+$myhostname is used as a default value for many other configuration
+parameters. </p>
<p>
Example:
<dd> Permit the request when the remote SMTP client certificate is
verified successfully. This option must be used only if a special
CA issues the certificates and only this CA is listed as trusted
-CA, otherwise all clients with a recognized certificate would be
-allowed to relay. This feature is available with Postfix version 2.2.</dd>
+CA. This requires that "tls_append_default_CA = no" (the default
+with Postfix 2.8 and later). Otherwise, clients with a third-party
+certificate would also be allowed to relay. This feature is available
+with Postfix version 2.2.</dd>
<dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
but it is best to include all the required certificates directly in the
server certificate file. </p>
+<p> Specify "tls_append_default_CA = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. This setting is default as of Postfix 2.8. </p>
+
<p> By default (see smtpd_tls_ask_ccert), client certificates are not
requested, and smtpd_tls_CAfile should remain empty. If you do make use
of client certificates, the distinguished names (DNs) of the certificate
smtpd_tls_CApath in chroot mode, this directory (or a copy) must be
inside the chroot jail. </p>
+<p> Specify "tls_append_default_CA = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. This setting is default as of Postfix 2.8. </p>
+
<p> By default (see smtpd_tls_ask_ccert), client certificates are
not requested, and smtpd_tls_CApath should remain empty. In contrast
to smtpd_tls_CAfile, DNs of certificate authorities installed
but it is best to include all the required certificates directly in
$smtp_tls_cert_file. </p>
+<p> Specify "tls_append_default_CA = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. This setting is default as of Postfix 2.8. </p>
+
<p> Example: </p>
<pre>
<p> To use this option in chroot mode, this directory (or a copy)
must be inside the chroot jail. </p>
+<p> Specify "tls_append_default_CA = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. This setting is default as of Postfix 2.8. </p>
+
<p> Example: </p>
<pre>
<p> This feature is available in Postfix 2.2 and later. </p>
+%PARAM tls_append_default_CA no
+
+<p> Append the system-supplied default certificate authority
+certificates to the ones specified with *_tls_CApath or *_tls_CAfile.
+</p>
+
+<p> To avoid massive compatibility breaks, this parameter defaults
+to "yes" for Postfix versions 2.7 and earlier. That is, they trust
+third-party certificates and they give relay permission with
+permit_tls_all_clientcerts. </p>
+
+<p> This feature is retroactive in Postfix 2.4 and later. </p>
+
%PARAM tls_random_exchange_name see "postconf -d" output
<p> Name of the pseudo random number generator (PRNG) state file
#define DEF_DUP_FILTER_LIMIT 1000
extern int var_dup_filter_limit;
+#define VAR_TLS_APPEND_DEF_CA "tls_append_default_CA"
+#define DEF_TLS_APPEND_DEF_CA 0 /* 1 for Postfix < 2.8 */
+extern bool var_tls_append_def_CA;
+
#define VAR_TLS_RAND_EXCH_NAME "tls_random_exchange_name"
#define DEF_TLS_RAND_EXCH_NAME "${data_directory}/prng_exch"
extern char *var_tls_rand_exch_name;
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20100603"
+#define MAIL_RELEASE_DATE "20100610"
#define MAIL_VERSION_NUMBER "2.8"
#ifdef SNAPSHOT
tls_bio_ops.o: tls.h
tls_bio_ops.o: tls_bio_ops.c
tls_certkey.o: ../../include/argv.h
+tls_certkey.o: ../../include/mail_params.h
tls_certkey.o: ../../include/msg.h
tls_certkey.o: ../../include/name_code.h
tls_certkey.o: ../../include/name_mask.h
#include <msg.h>
+/* Global library. */
+
+#include <mail_params.h>
+
/* TLS library. */
#define TLS_INTERNAL
tls_print_errors();
return (-1);
}
- if (!SSL_CTX_set_default_verify_paths(ctx)) {
+ if (var_tls_append_def_CA && !SSL_CTX_set_default_verify_paths(ctx)) {
msg_info("cannot set certificate verification paths: "
"disabling TLS support");
tls_print_errors();
/* char *var_tls_eecdh_strong;
/* char *var_tls_eecdh_ultra;
/* int var_tls_daemon_rand_bytes;
+/* bool var_tls_append_def_CA;
/*
/* TLS_APPL_STATE *tls_alloc_app_context(ssl_ctx)
/* SSL_CTX *ssl_ctx;
int var_tls_daemon_rand_bytes;
char *var_tls_eecdh_strong;
char *var_tls_eecdh_ultra;
+bool var_tls_append_def_CA;
/*
* Index to attach TLScontext pointers to SSL objects, so that they can be
VAR_TLS_DAEMON_RAND_BYTES, DEF_TLS_DAEMON_RAND_BYTES, &var_tls_daemon_rand_bytes, 1, 0,
0,
};
+ static const CONFIG_BOOL_TABLE bool_table[] = {
+ VAR_TLS_APPEND_DEF_CA, DEF_TLS_APPEND_DEF_CA, &var_tls_append_def_CA,
+ 0,
+ };
static int init_done;
if (init_done)
projects / thirdparty / postfix.git / commitdiff
