conf/postfix-tls-script, discard/discard.c, error/error.c,
oqmgr/qmgr.c, postmulti/postmulti.c, qmgr/qmgr.c,
virtual/virtual.c.
+
+20250801
+
+ Bugfix (defect introduced: Postfix 3.7): incorrect backwards
+ compatible support for the legacy configuration parameters
+ tlsproxy_client_level and tlsproxy_client_policy. This
+ disabled the tlsproxy TLS client role when a legacy parameter
+ was set. Reported by John Doe, diagnosed by Viktor Dukhovni.
+ File: global/mail_params.h.
+
+ Bugfix (defect introduced: Postfix 3.4): with the TLS client
+ role disabled by configuration, the tlsproxy daemon
+ dereferenced a null pointer while handling a tlsproxy client
+ request. Reported by John Doe. File: tlsproxy/tlsproxy.c.
+
+ Bugfix (defect introduced: 20250713): the import_environment
+ change did not have space between POSTLOG_HOSTNAME and
+ XDG_RUNTIME_DIR, breaking maillog_file support and graphical
+ debugging. File: global/mail_params.h.
oqmgr qmgr c postmulti postmulti c qmgr qmgr c
src global config_known_tcp_ports c postmulti postmulti c
virtual virtual c
+ request Reported by John Doe File tlsproxy tlsproxy c
#define VAR_IMPORT_ENVIRON "import_environment"
#define DEF_IMPORT_ENVIRON "MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG " \
"TZ XAUTHORITY DISPLAY LANG=C " \
- "POSTLOG_SERVICE POSTLOG_HOSTNAME" \
+ "POSTLOG_SERVICE POSTLOG_HOSTNAME " \
"XDG_RUNTIME_DIR"
extern char *var_import_environ;
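Review bot: Nothing in DEF_IMPORT_ENVIRON tells a future editor that every continued literal except the last must end in a space, which is how the 20250713 change fused POSTLOG_HOSTNAME and XDG_RUNTIME_DIR into one name. Adjacent string literals concatenate silently, so the compiler cannot catch this, and the fused entry matches neither variable. I would add a comment above the definition such as `/* Names are space-separated: every continued literal but the last must end in a space. */`.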
/* Migrate an incorrect name. */
#define OBS_TLSP_CLNT_LEVEL "tlsproxy_client_level"
#define VAR_TLSP_CLNT_LEVEL "tlsproxy_client_security_level"
-#define DEF_TLSP_CLNT_LEVEL "${" OBS_TLSP_CLNT_LEVEL ":$" VAR_SMTP_TLS_LEVEL "}"
+#define DEF_TLSP_CLNT_LEVEL "${" OBS_TLSP_CLNT_LEVEL "?{$" \
+ OBS_TLSP_CLNT_LEVEL "}:{$" \
+ VAR_SMTP_TLS_LEVEL "}}"
extern char *var_tlsp_clnt_level;
#define VAR_TLSP_CLNT_PER_SITE "tlsproxy_client_per_site"
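Review bot: The comment `/* Migrate an incorrect name. */` above DEF_TLSP_CLNT_LEVEL does not explain the conditional default that now follows it. The changelog entry says the old `${name:$other}` form disabled the tlsproxy TLS client role whenever the legacy parameter was set, so the direction of the test decides whether the client role gets a usable TLS level at all. I would extend the comment to something like `/* Migrate an incorrect name: use the legacy value when it is non-empty, otherwise the smtp_ setting. */`. The same applies to DEF_TLSP_CLNT_POLICY in the next hunk.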
/* Migrate an incorrect name. */
#define OBS_TLSP_CLNT_POLICY "tlsproxy_client_policy"
#define VAR_TLSP_CLNT_POLICY "tlsproxy_client_policy_maps"
-#define DEF_TLSP_CLNT_POLICY "${" OBS_TLSP_CLNT_POLICY ":$" VAR_SMTP_TLS_POLICY "}"
+#define DEF_TLSP_CLNT_POLICY "${" OBS_TLSP_CLNT_POLICY "?{$" \
+ OBS_TLSP_CLNT_POLICY "}:{$" \
+ VAR_SMTP_TLS_POLICY "}}"
extern char *var_tlsp_clnt_policy;
/*
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20250730"
+#define MAIL_RELEASE_DATE "20250801"
#define MAIL_VERSION_NUMBER "3.11"
#ifdef SNAPSHOT
init_buf = vstring_alloc(100);
init_key = tls_proxy_client_init_serialize(attr_print_plain, init_buf,
init_props);
+#define TLSP_CLIENT_INIT_RETURN(retval) do { \
+ vstring_free(init_buf); \
+ vstring_free(param_buf); \
+ return (retval); \
+ } while (0)
+
if (tlsp_pre_jail_done == 0) {
if (tlsp_pre_jail_client_param_key == 0
|| tlsp_pre_jail_client_init_key == 0) {
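Review bot: TLSP_CLIENT_INIT_RETURN is defined in the middle of a function body, hides a `return` behind a macro call, and has no matching `#undef` in the visible hunks. It stays defined for the rest of tlsproxy.c, and any later use outside this function would reference `init_buf` and `param_buf`, which exist only here. I would add `#undef TLSP_CLIENT_INIT_RETURN` after the function's closing brace, and a one-line comment on the macro saying it releases both buffers before returning. The allocation of `param_buf` is outside this hunk, so I am assuming it is already live at every call site.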
* TLS_APPL_STATE instance; this makes a mismatch of TLS_CLIENT_PARAMS
* settings problematic.
*/
- if (tlsp_pre_jail_done
- && !been_here_fixed(tlsp_params_mismatch_filter, param_key)
- && strcmp(tlsp_pre_jail_client_param_key, param_key) != 0) {
+ else if (tlsp_pre_jail_client_param_key == 0
+ || tlsp_pre_jail_client_init_key == 0) {
+ msg_warn("TLS client role is disabled by configuration");
+ TLSP_CLIENT_INIT_RETURN(0);
+ } else if (!been_here_fixed(tlsp_params_mismatch_filter, param_key)
+ && strcmp(tlsp_pre_jail_client_param_key, param_key) != 0) {
msg_warn("request from tlsproxy client with unexpected settings");
tlsp_log_config_diff(tlsp_pre_jail_client_param_key, param_key);
log_hints = 1;
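Review bot: The new `msg_warn("TLS client role is disabled by configuration")` branch has no rate limit, while the mismatch warning directly after it is filtered through `been_here_fixed()`. If this path runs once per tlsproxy client request, as the changelog wording suggests, a system with the client role disabled logs the same line for every request. Consider emitting it once per process, for example behind a static flag tested before the call. A comment stating that null pre-jail keys mean the client role was never initialized before the jail would also help. The `if (tlsp_pre_jail_done == 0)` block this `else if` attaches to starts outside the hunk. Whether every caller copes with the new 0 return is not visible here.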
SSL_MODE_ENABLE_PARTIAL_WRITE
| SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
}
- vstring_free(init_buf);
- vstring_free(param_buf);
- return (appl_state);
+ TLSP_CLIENT_INIT_RETURN(appl_state);
}
/* tlsp_close_event - pre-handshake plaintext-client close event */
TLSP_INIT_TIMEOUT, (void *) state);
return;
} else {
+ state->flags |= TLSP_FLAG_DO_HANDSHAKE;
tlsp_request_read_event(plaintext_fd, tlsp_get_fd_event,
TLSP_INIT_TIMEOUT, (void *) state);
return;
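Review bot: TLSP_FLAG_DO_HANDSHAKE is now set only on this `else` path, but neither this hunk nor the later one that changes the initial value to `state->flags = 0` says why. Assuming the branch above is the path where no TLS application state was obtained, the invariant is that the flag is never set on a state with no TLS context to hand-shake with. That invariant appears to be what keeps the null dereference from the changelog from coming back. I would record it next to the assignment, e.g. `/* Request a handshake only after the TLS context lookup succeeded. */`. The enclosing function starts and ends outside the hunk, so the condition itself should be checked against the full file.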
{
TLSP_STATE *state = (TLSP_STATE *) mymalloc(sizeof(*state));
- state->flags = TLSP_FLAG_DO_HANDSHAKE;
+ state->flags = 0;
state->service = mystrdup(service);
state->plaintext_stream = plaintext_stream;
state->plaintext_buf = 0;