Bitrot: makedefs will use "pkg-config" to locate ICU build
information, falling back to "icu-config" if "pkg-config"
is not found. File: makedefs.
+
+20181122
+
+ Cleanup: tlsproxy loads the same TLS client configuration
+ at pre-jail time as the Postfix SMTP client, so that secret
+ keys can remain read-only for root. This is sufficient for
+ MTAs that have a fixed TLS client identity. tlsproxy will
+ log a warning if it is requested to assume a different TLS
+ client identity, and will log suggestions for a workaround.
+ The long-term solution is to stop loading certs/keys from
+ files, and to use the same approach as planned for server-side
+ SNI support: open a cert/key map at pre-jail time, and read
+ cert/key information on-the-fly at post-jail time. Files:
+ proto/postconf.proto, mantools/postlink, global/mail_params.h,
+ tlsproxy/tlsproxy.c.
<b>-DNO_EAI</b>
Do not build with EAI (SMTPUTF8) support. By default, EAI
- support is compiled in when the "icu-config" command is
- found.
+ support is compiled in when the "pkg-config" command is
+ found, or the deprecated "icu-config" command.
<b>-DNO_INLINE</b>
Do not require support for C99 "inline" functions.
<p> This feature is available in Postfix 2.11 and later. </p>
+</DD>
+
+<DT><b><a name="tlsproxy_client_CAfile">tlsproxy_client_CAfile</a>
+(default: $<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a>)</b></DT><DD>
+
+<p> A file containing CA certificates of root CAs trusted to sign
+either remote TLS server certificates or intermediate CA certificates.
+See <a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+
+</DD>
+
+<DT><b><a name="tlsproxy_client_CApath">tlsproxy_client_CApath</a>
+(default: $<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a>)</b></DT><DD>
+
+<p> Directory with PEM format Certification Authority certificates
+that the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> client uses to verify a remote TLS
+server certificate. See <a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+
+</DD>
+
+<DT><b><a name="tlsproxy_client_cert_file">tlsproxy_client_cert_file</a>
+(default: $<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>)</b></DT><DD>
+
+<p> File with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> client RSA certificate in PEM
+format. See <a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+
+</DD>
+
+<DT><b><a name="tlsproxy_client_dcert_file">tlsproxy_client_dcert_file</a>
+(default: $<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>)</b></DT><DD>
+
+<p> File with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> client DSA certificate in PEM
+format. See <a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+
+</DD>
+
+<DT><b><a name="tlsproxy_client_dkey_file">tlsproxy_client_dkey_file</a>
+(default: $<a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a>)</b></DT><DD>
+
+<p> File with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> client DSA private key in PEM
+format. See <a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+
+</DD>
+
+<DT><b><a name="tlsproxy_client_eccert_file">tlsproxy_client_eccert_file</a>
+(default: $<a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a>)</b></DT><DD>
+
+<p> File with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> client ECDSA certificate in
+PEM format. See <a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a> for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+
+</DD>
+
+<DT><b><a name="tlsproxy_client_eckey_file">tlsproxy_client_eckey_file</a>
+(default: $<a href="postconf.5.html#smtp_tls_eckey_file">smtp_tls_eckey_file</a>)</b></DT><DD>
+
+<p> File with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> client ECDSA private key in
+PEM format. See <a href="postconf.5.html#smtp_tls_eckey_file">smtp_tls_eckey_file</a> for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+
+</DD>
+
+<DT><b><a name="tlsproxy_client_enforce_tls">tlsproxy_client_enforce_tls</a>
+(default: $<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>)</b></DT><DD>
+
+<p> Enforcement mode: require that SMTP servers use TLS encryption.
+See <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+
+</DD>
+
+<DT><b><a name="tlsproxy_client_fingerprint_digest">tlsproxy_client_fingerprint_digest</a>
+(default: $<a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a>)</b></DT><DD>
+
+<p> The message digest algorithm used to construct remote TLS server
+certificate fingerprints. See <a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a> for
+further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+
+</DD>
+
+<DT><b><a name="tlsproxy_client_key_file">tlsproxy_client_key_file</a>
+(default: $<a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a>)</b></DT><DD>
+
+<p> File with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> client RSA private key in PEM
+format. See <a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a> for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+
+</DD>
+
+<DT><b><a name="tlsproxy_client_loglevel">tlsproxy_client_loglevel</a>
+(default: $<a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a>)</b></DT><DD>
+
+<p> Enable additional Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> client logging of TLS
+activity. See <a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+
+</DD>
+
+<DT><b><a name="tlsproxy_client_loglevel_parameter">tlsproxy_client_loglevel_parameter</a>
+(default: <a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a>)</b></DT><DD>
+
+<p> The name of the parameter that provides the <a href="postconf.5.html#tlsproxy_client_loglevel">tlsproxy_client_loglevel</a>
+value. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+
+</DD>
+
+<DT><b><a name="tlsproxy_client_per_site">tlsproxy_client_per_site</a>
+(default: $<a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a>)</b></DT><DD>
+
+<p> Optional lookup tables with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> client TLS
+usage policy by next-hop destination and by remote TLS server
+hostname. See <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+
+</DD>
+
+<DT><b><a name="tlsproxy_client_policy_maps">tlsproxy_client_policy_maps</a>
+(default: $<a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>)</b></DT><DD>
+
+<p> Optional lookup tables with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> client TLS
+security policy by next-hop destination. See <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>
+for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+
+</DD>
+
+<DT><b><a name="tlsproxy_client_scert_verifydepth">tlsproxy_client_scert_verifydepth</a>
+(default: $<a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a>)</b></DT><DD>
+
+<p> The verification depth for remote TLS server certificates.
+See <a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+
+</DD>
+
+<DT><b><a name="tlsproxy_client_security_level">tlsproxy_client_security_level</a>
+(default: $<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>)</b></DT><DD>
+
+<p> The default TLS security level for the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a>
+client. See <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+
+</DD>
+
+<DT><b><a name="tlsproxy_client_use_tls">tlsproxy_client_use_tls</a>
+(default: $<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>)</b></DT><DD>
+
+<p> Opportunistic mode: use TLS when a remote server announces TLS
+support. See <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+
</DD>
<DT><b><a name="tlsproxy_enforce_tls">tlsproxy_enforce_tls</a>
<b><a href="postconf.5.html#tlsmgr_service_name">tlsmgr_service_name</a> (tlsmgr)</b>
The name of the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> service entry in <a href="master.5.html">master.cf</a>.
+<b>TLS CLIENT CONTROLS</b>
+ These parameters allow <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> to load certificate and private key
+ information before dropping privileges, so that the key files can be
+ kept read-only for root.
+
+ Available in Postfix version 3.4 and later:
+
+ <b><a href="postconf.5.html#tlsproxy_client_CAfile">tlsproxy_client_CAfile</a> ($<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a>)</b>
+ A file containing CA certificates of root CAs trusted to sign
+ either remote TLS server certificates or intermediate CA cer-
+ tificates.
+
+ <b><a href="postconf.5.html#tlsproxy_client_CApath">tlsproxy_client_CApath</a> ($<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a>)</b>
+ Directory with PEM format Certification Authority certificates
+ that the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client uses to verify a remote TLS
+ server certificate.
+
+ <b><a href="postconf.5.html#tlsproxy_client_cert_file">tlsproxy_client_cert_file</a> ($<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>)</b>
+ File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client RSA certificate in PEM
+ format.
+
+ <b><a href="postconf.5.html#tlsproxy_client_key_file">tlsproxy_client_key_file</a> ($<a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a>)</b>
+ File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client RSA private key in PEM
+ format.
+
+ <b><a href="postconf.5.html#tlsproxy_client_dcert_file">tlsproxy_client_dcert_file</a> ($<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>)</b>
+ File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client DSA certificate in PEM
+ format.
+
+ <b><a href="postconf.5.html#tlsproxy_client_dkey_file">tlsproxy_client_dkey_file</a> ($<a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a>)</b>
+ File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client DSA private key in PEM
+ format.
+
+ <b><a href="postconf.5.html#tlsproxy_client_eccert_file">tlsproxy_client_eccert_file</a> ($<a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a>)</b>
+ File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client ECDSA certificate in
+ PEM format.
+
+ <b><a href="postconf.5.html#tlsproxy_client_eckey_file">tlsproxy_client_eckey_file</a> ($<a href="postconf.5.html#smtp_tls_eckey_file">smtp_tls_eckey_file</a>)</b>
+ File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client ECDSA private key in
+ PEM format.
+
+ <b><a href="postconf.5.html#tlsproxy_client_fingerprint_digest">tlsproxy_client_fingerprint_digest</a> ($<a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a>)</b>
+ The message digest algorithm used to construct remote TLS server
+ certificate fingerprints.
+
+ <b><a href="postconf.5.html#tlsproxy_client_loglevel">tlsproxy_client_loglevel</a> ($<a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a>)</b>
+ Enable additional Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client logging of TLS
+ activity.
+
+ <b><a href="postconf.5.html#tlsproxy_client_loglevel_parameter">tlsproxy_client_loglevel_parameter</a> (<a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a>)</b>
+ The name of the parameter that provides the
+ <a href="postconf.5.html#tlsproxy_client_loglevel">tlsproxy_client_loglevel</a> value.
+
+ <b><a href="postconf.5.html#tlsproxy_client_scert_verifydepth">tlsproxy_client_scert_verifydepth</a> ($<a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a>)</b>
+ The verification depth for remote TLS server certificates.
+
+ <b><a href="postconf.5.html#tlsproxy_client_security_level">tlsproxy_client_security_level</a> ($<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>)</b>
+ The default TLS security level for the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a>
+ client.
+
+ <b><a href="postconf.5.html#tlsproxy_client_policy_maps">tlsproxy_client_policy_maps</a> ($<a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>)</b>
+ Optional lookup tables with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client TLS
+ security policy by next-hop destination.
+
+ <b><a href="postconf.5.html#tlsproxy_client_use_tls">tlsproxy_client_use_tls</a> ($<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>)</b>
+ Opportunistic mode: use TLS when a remote server announces TLS
+ support.
+
+ <b><a href="postconf.5.html#tlsproxy_client_enforce_tls">tlsproxy_client_enforce_tls</a> ($<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>)</b>
+ Enforcement mode: require that SMTP servers use TLS encryption.
+
+ <b><a href="postconf.5.html#tlsproxy_client_per_site">tlsproxy_client_per_site</a> ($<a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a>)</b>
+ Optional lookup tables with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client TLS
+ usage policy by next-hop destination and by remote TLS server
+ hostname.
+
<b>OBSOLETE STARTTLS SUPPORT CONTROLS</b>
- These parameters are supported for compatibility with <a href="smtpd.8.html"><b>smtpd</b>(8)</a> legacy
+ These parameters are supported for compatibility with <a href="smtpd.8.html"><b>smtpd</b>(8)</a> legacy
parameters.
<b><a href="postconf.5.html#tlsproxy_use_tls">tlsproxy_use_tls</a> ($<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a>)</b>
- Opportunistic TLS: announce STARTTLS support to remote SMTP
+ Opportunistic TLS: announce STARTTLS support to remote SMTP
clients, but do not require that clients use TLS encryption.
<b><a href="postconf.5.html#tlsproxy_enforce_tls">tlsproxy_enforce_tls</a> ($<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>)</b>
<b>MISCELLANEOUS CONTROLS</b>
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
+ The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
figuration files.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
- A prefix that is prepended to the process name in syslog
+ A prefix that is prepended to the process name in syslog
records, so that, for example, "smtpd" becomes "prefix/smtpd".
Available in Postfix 3.3 and later:
are known to support it.
.IP \fB\-DNO_EAI\fR
Do not build with EAI (SMTPUTF8) support. By default, EAI
-support is compiled in when the "icu\-config" command is
-found.
+support is compiled in when the "pkg\-config" command is
+found, or the deprecated "icu\-config" command.
.IP \fB\-DNO_INLINE\fR
Do not require support for C99 "inline" functions. Instead,
implement argument typechecks for non\-(printf/scanf)\-like
of TLS.
.PP
This feature is available in Postfix 2.11 and later.
+.SH tlsproxy_client_CAfile (default: $smtp_tls_CAfile)
+A file containing CA certificates of root CAs trusted to sign
+either remote TLS server certificates or intermediate CA certificates.
+See smtp_tls_CAfile for further details.
+.PP
+This feature is available in Postfix 3.4 and later.
+.SH tlsproxy_client_CApath (default: $smtp_tls_CApath)
+Directory with PEM format Certification Authority certificates
+that the Postfix \fBtlsproxy\fR(8) client uses to verify a remote TLS
+server certificate. See smtp_tls_CApath for further details.
+.PP
+This feature is available in Postfix 3.4 and later.
+.SH tlsproxy_client_cert_file (default: $smtp_tls_cert_file)
+File with the Postfix \fBtlsproxy\fR(8) client RSA certificate in PEM
+format. See smtp_tls_cert_file for further details.
+.PP
+This feature is available in Postfix 3.4 and later.
+.SH tlsproxy_client_dcert_file (default: $smtp_tls_dcert_file)
+File with the Postfix \fBtlsproxy\fR(8) client DSA certificate in PEM
+format. See smtp_tls_dcert_file for further details.
+.PP
+This feature is available in Postfix 3.4 and later.
+.SH tlsproxy_client_dkey_file (default: $smtp_tls_dkey_file)
+File with the Postfix \fBtlsproxy\fR(8) client DSA private key in PEM
+format. See smtp_tls_dkey_file for further details.
+.PP
+This feature is available in Postfix 3.4 and later.
+.SH tlsproxy_client_eccert_file (default: $smtp_tls_eccert_file)
+File with the Postfix \fBtlsproxy\fR(8) client ECDSA certificate in
+PEM format. See smtp_tls_eccert_file for further details.
+.PP
+This feature is available in Postfix 3.4 and later.
+.SH tlsproxy_client_eckey_file (default: $smtp_tls_eckey_file)
+File with the Postfix \fBtlsproxy\fR(8) client ECDSA private key in
+PEM format. See smtp_tls_eckey_file for further details.
+.PP
+This feature is available in Postfix 3.4 and later.
+.SH tlsproxy_client_enforce_tls (default: $smtp_enforce_tls)
+Enforcement mode: require that SMTP servers use TLS encryption.
+See smtp_enforce_tls for further details.
+.PP
+This feature is available in Postfix 3.4 and later.
+.SH tlsproxy_client_fingerprint_digest (default: $smtp_tls_fingerprint_digest)
+The message digest algorithm used to construct remote TLS server
+certificate fingerprints. See smtp_tls_fingerprint_digest for
+further details.
+.PP
+This feature is available in Postfix 3.4 and later.
+.SH tlsproxy_client_key_file (default: $smtp_tls_key_file)
+File with the Postfix \fBtlsproxy\fR(8) client RSA private key in PEM
+format. See smtp_tls_key_file for further details.
+.PP
+This feature is available in Postfix 3.4 and later.
+.SH tlsproxy_client_loglevel (default: $smtp_tls_loglevel)
+Enable additional Postfix \fBtlsproxy\fR(8) client logging of TLS
+activity. See smtp_tls_loglevel for further details.
+.PP
+This feature is available in Postfix 3.4 and later.
+.SH tlsproxy_client_loglevel_parameter (default: smtp_tls_loglevel)
+The name of the parameter that provides the tlsproxy_client_loglevel
+value.
+.PP
+This feature is available in Postfix 3.4 and later.
+.SH tlsproxy_client_per_site (default: $smtp_tls_per_site)
+Optional lookup tables with the Postfix \fBtlsproxy\fR(8) client TLS
+usage policy by next\-hop destination and by remote TLS server
+hostname. See smtp_tls_per_site for further details.
+.PP
+This feature is available in Postfix 3.4 and later.
+.SH tlsproxy_client_policy_maps (default: $smtp_tls_policy_maps)
+Optional lookup tables with the Postfix \fBtlsproxy\fR(8) client TLS
+security policy by next\-hop destination. See smtp_tls_policy_maps
+for further details.
+.PP
+This feature is available in Postfix 3.4 and later.
+.SH tlsproxy_client_scert_verifydepth (default: $smtp_tls_scert_verifydepth)
+The verification depth for remote TLS server certificates.
+See smtp_tls_scert_verifydepth for further details.
+.PP
+This feature is available in Postfix 3.4 and later.
+.SH tlsproxy_client_security_level (default: $smtp_tls_security_level)
+The default TLS security level for the Postfix \fBtlsproxy\fR(8)
+client. See smtp_tls_security_level for further details.
+.PP
+This feature is available in Postfix 3.4 and later.
+.SH tlsproxy_client_use_tls (default: $smtp_use_tls)
+Opportunistic mode: use TLS when a remote server announces TLS
+support. See smtp_use_tls for further details.
+.PP
+This feature is available in Postfix 3.4 and later.
.SH tlsproxy_enforce_tls (default: $smtpd_enforce_tls)
Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
require that clients use TLS encryption. See smtpd_enforce_tls for
Available in Postfix version 2.11 and later:
.IP "\fBtlsmgr_service_name (tlsmgr)\fR"
The name of the \fBtlsmgr\fR(8) service entry in master.cf.
+.SH "TLS CLIENT CONTROLS"
+.na
+.nf
+.ad
+.fi
+These parameters allow \fBtlsproxy\fR(8) to load certificate
+and private key information before dropping privileges, so
+that the key files can be kept read\-only for root.
+.PP
+Available in Postfix version 3.4 and later:
+.IP "\fBtlsproxy_client_CAfile ($smtp_tls_CAfile)\fR"
+A file containing CA certificates of root CAs trusted to sign
+either remote TLS server certificates or intermediate CA certificates.
+.IP "\fBtlsproxy_client_CApath ($smtp_tls_CApath)\fR"
+Directory with PEM format Certification Authority certificates
+that the Postfix \fBtlsproxy\fR(8) client uses to verify a remote TLS
+server certificate.
+.IP "\fBtlsproxy_client_cert_file ($smtp_tls_cert_file)\fR"
+File with the Postfix \fBtlsproxy\fR(8) client RSA certificate in PEM
+format.
+.IP "\fBtlsproxy_client_key_file ($smtp_tls_key_file)\fR"
+File with the Postfix \fBtlsproxy\fR(8) client RSA private key in PEM
+format.
+.IP "\fBtlsproxy_client_dcert_file ($smtp_tls_dcert_file)\fR"
+File with the Postfix \fBtlsproxy\fR(8) client DSA certificate in PEM
+format.
+.IP "\fBtlsproxy_client_dkey_file ($smtp_tls_dkey_file)\fR"
+File with the Postfix \fBtlsproxy\fR(8) client DSA private key in PEM
+format.
+.IP "\fBtlsproxy_client_eccert_file ($smtp_tls_eccert_file)\fR"
+File with the Postfix \fBtlsproxy\fR(8) client ECDSA certificate in
+PEM format.
+.IP "\fBtlsproxy_client_eckey_file ($smtp_tls_eckey_file)\fR"
+File with the Postfix \fBtlsproxy\fR(8) client ECDSA private key in
+PEM format.
+.IP "\fBtlsproxy_client_fingerprint_digest ($smtp_tls_fingerprint_digest)\fR"
+The message digest algorithm used to construct remote TLS server
+certificate fingerprints.
+.IP "\fBtlsproxy_client_loglevel ($smtp_tls_loglevel)\fR"
+Enable additional Postfix \fBtlsproxy\fR(8) client logging of TLS
+activity.
+.IP "\fBtlsproxy_client_loglevel_parameter (smtp_tls_loglevel)\fR"
+The name of the parameter that provides the tlsproxy_client_loglevel
+value.
+.IP "\fBtlsproxy_client_scert_verifydepth ($smtp_tls_scert_verifydepth)\fR"
+The verification depth for remote TLS server certificates.
+.IP "\fBtlsproxy_client_security_level ($smtp_tls_security_level)\fR"
+The default TLS security level for the Postfix \fBtlsproxy\fR(8)
+client.
+.IP "\fBtlsproxy_client_policy_maps ($smtp_tls_policy_maps)\fR"
+Optional lookup tables with the Postfix \fBtlsproxy\fR(8) client TLS
+security policy by next\-hop destination.
+.IP "\fBtlsproxy_client_use_tls ($smtp_use_tls)\fR"
+Opportunistic mode: use TLS when a remote server announces TLS
+support.
+.IP "\fBtlsproxy_client_enforce_tls ($smtp_enforce_tls)\fR"
+Enforcement mode: require that SMTP servers use TLS encryption.
+.IP "\fBtlsproxy_client_per_site ($smtp_tls_per_site)\fR"
+Optional lookup tables with the Postfix \fBtlsproxy\fR(8) client TLS
+usage policy by next\-hop destination and by remote TLS server
+hostname.
.SH "OBSOLETE STARTTLS SUPPORT CONTROLS"
.na
.nf
s;\btlsproxy_tls_security_level\b;<a href="postconf.5.html#tlsproxy_tls_security_level">$&</a>;g;
s;\btlsproxy_use_tls\b;<a href="postconf.5.html#tlsproxy_use_tls">$&</a>;g;
+ s;\btlsproxy_client_CAfile\b;<a href="postconf.5.html#tlsproxy_client_CAfile">$&</a>;g;
+ s;\btlsproxy_client_CApath\b;<a href="postconf.5.html#tlsproxy_client_CApath">$&</a>;g;
+ s;\btlsproxy_client_cert_file\b;<a href="postconf.5.html#tlsproxy_client_cert_file">$&</a>;g;
+ s;\btlsproxy_client_dcert_file\b;<a href="postconf.5.html#tlsproxy_client_dcert_file">$&</a>;g;
+ s;\btlsproxy_client_dkey_file\b;<a href="postconf.5.html#tlsproxy_client_dkey_file">$&</a>;g;
+ s;\btlsproxy_client_eccert_file\b;<a href="postconf.5.html#tlsproxy_client_eccert_file">$&</a>;g;
+ s;\btlsproxy_client_eckey_file\b;<a href="postconf.5.html#tlsproxy_client_eckey_file">$&</a>;g;
+ s;\btlsproxy_client_fingerprint_digest\b;<a href="postconf.5.html#tlsproxy_client_fingerprint_digest">$&</a>;g;
+ s;\btlsproxy_client_key_file\b;<a href="postconf.5.html#tlsproxy_client_key_file">$&</a>;g;
+ s;\btlsproxy_client_loglevel\b;<a href="postconf.5.html#tlsproxy_client_loglevel">$&</a>;g;
+ s;\btlsproxy_client_loglevel_parameter\b;<a href="postconf.5.html#tlsproxy_client_loglevel_parameter">$&</a>;g;
+ s;\btlsproxy_client_scert_verifydepth\b;<a href="postconf.5.html#tlsproxy_client_scert_verifydepth">$&</a>;g;
+
+ s;\btlsproxy_client_security_level\b;<a href="postconf.5.html#tlsproxy_client_security_level">$&</a>;g;
+ s;\btlsproxy_client_per_site\b;<a href="postconf.5.html#tlsproxy_client_per_site">$&</a>;g;
+ s;\btlsproxy_client_policy_maps\b;<a href="postconf.5.html#tlsproxy_client_policy_maps">$&</a>;g;
+ s;\btlsproxy_client_use_tls\b;<a href="postconf.5.html#tlsproxy_client_use_tls">$&</a>;g;
+ s;\btlsproxy_client_enforce_tls\b;<a href="postconf.5.html#tlsproxy_client_enforce_tls">$&</a>;g;
+
# SMTPUTF8
s;\bsmtputf8_enable\b;<a href="postconf.5.html#smtputf8_enable">$&</a>;g;
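Review bot: The new block of `tlsproxy_client_*` substitutions contains a stray blank line in its middle (between the `scert_verifydepth` and `security_level` entries) and abandons the alphabetical order the surrounding entries keep (`security_level`, `per_site`, `policy_maps`, `use_tls`, `enforce_tls` come last, out of sequence), which makes it harder to notice a missing parameter the next time one is added. Suggest dropping the stray blank line and sorting the seventeen entries alphabetically, matching the order the same commit uses for the postconf.5 section. The `\b` anchors already prevent `tlsproxy_client_loglevel` from matching inside `tlsproxy_client_loglevel_parameter`, because `_` is a word character, so the relative order of those two entries is a style matter rather than a correctness one.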
</ul>
<p> This feature is available in Postfix 3.3 and later. </p>
+
+%PARAM tlsproxy_client_CAfile $smtp_tls_CAfile
+
+<p> A file containing CA certificates of root CAs trusted to sign
+either remote TLS server certificates or intermediate CA certificates.
+See smtp_tls_CAfile for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+%PARAM tlsproxy_client_CApath $smtp_tls_CApath
+
+<p> Directory with PEM format Certification Authority certificates
+that the Postfix tlsproxy(8) client uses to verify a remote TLS
+server certificate. See smtp_tls_CApath for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+%PARAM tlsproxy_client_cert_file $smtp_tls_cert_file
+
+<p> File with the Postfix tlsproxy(8) client RSA certificate in PEM
+format. See smtp_tls_cert_file for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+%PARAM tlsproxy_client_key_file $smtp_tls_key_file
+
+<p> File with the Postfix tlsproxy(8) client RSA private key in PEM
+format. See smtp_tls_key_file for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+%PARAM tlsproxy_client_dcert_file $smtp_tls_dcert_file
+
+<p> File with the Postfix tlsproxy(8) client DSA certificate in PEM
+format. See smtp_tls_dcert_file for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+%PARAM tlsproxy_client_dkey_file $smtp_tls_dkey_file
+
+<p> File with the Postfix tlsproxy(8) client DSA private key in PEM
+format. See smtp_tls_dkey_file for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+%PARAM tlsproxy_client_eccert_file $smtp_tls_eccert_file
+
+<p> File with the Postfix tlsproxy(8) client ECDSA certificate in
+PEM format. See smtp_tls_eccert_file for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+%PARAM tlsproxy_client_eckey_file $smtp_tls_eckey_file
+
+<p> File with the Postfix tlsproxy(8) client ECDSA private key in
+PEM format. See smtp_tls_eckey_file for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+%PARAM tlsproxy_client_fingerprint_digest $smtp_tls_fingerprint_digest
+
+<p> The message digest algorithm used to construct remote TLS server
+certificate fingerprints. See smtp_tls_fingerprint_digest for
+further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+%PARAM tlsproxy_client_loglevel $smtp_tls_loglevel
+
+<p> Enable additional Postfix tlsproxy(8) client logging of TLS
+activity. See smtp_tls_loglevel for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+%PARAM tlsproxy_client_loglevel_parameter smtp_tls_loglevel
+
+<p> The name of the parameter that provides the tlsproxy_client_loglevel
+value. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+%PARAM tlsproxy_client_scert_verifydepth $smtp_tls_scert_verifydepth
+
+<p> The verification depth for remote TLS server certificates.
+See smtp_tls_scert_verifydepth for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+%PARAM tlsproxy_client_security_level $smtp_tls_security_level
+
+<p> The default TLS security level for the Postfix tlsproxy(8)
+client. See smtp_tls_security_level for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+%PARAM tlsproxy_client_per_site $smtp_tls_per_site
+
+<p> Optional lookup tables with the Postfix tlsproxy(8) client TLS
+usage policy by next-hop destination and by remote TLS server
+hostname. See smtp_tls_per_site for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+%PARAM tlsproxy_client_policy_maps $smtp_tls_policy_maps
+
+<p> Optional lookup tables with the Postfix tlsproxy(8) client TLS
+security policy by next-hop destination. See smtp_tls_policy_maps
+for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+%PARAM tlsproxy_client_use_tls $smtp_use_tls
+
+<p> Opportunistic mode: use TLS when a remote server announces TLS
+support. See smtp_use_tls for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
+
+%PARAM tlsproxy_client_enforce_tls $smtp_enforce_tls
+
+<p> Enforcement mode: require that SMTP servers use TLS encryption.
+See smtp_enforce_tls for further details. </p>
+
+<p> This feature is available in Postfix 3.4 and later. </p>
#define DEF_TLSP_TLS_SET_SESSID "$" VAR_SMTPD_TLS_SET_SESSID
extern bool var_tlsp_tls_set_sessid;
+ /*
+ * Workaround for tlsproxy(8) pre-jail client certs/keys access.
+ */
+#define VAR_TLSP_CLNT_LOGLEVEL "tlsproxy_client_loglevel"
+#define DEF_TLSP_CLNT_LOGLEVEL "$" VAR_SMTP_TLS_LOGLEVEL
+extern char *var_tlsp_clnt_loglevel;
+
+#define VAR_TLSP_CLNT_LOGPARAM "tlsproxy_client_loglevel_parameter"
+#define DEF_TLSP_CLNT_LOGPARAM VAR_SMTP_TLS_LOGLEVEL
+extern char *var_tlsp_clnt_logparam;
+
+#define VAR_TLSP_CLNT_SCERT_VD "tlsproxy_client_scert_verifydepth"
+#define DEF_TLSP_CLNT_SCERT_VD "$" VAR_SMTP_TLS_SCERT_VD
+extern int var_tlsp_clnt_scert_vd;
+
+#define VAR_TLSP_CLNT_CERT_FILE "tlsproxy_client_cert_file"
+#define DEF_TLSP_CLNT_CERT_FILE "$" VAR_SMTP_TLS_CERT_FILE
+extern char *var_tlsp_clnt_cert_file;
+
+#define VAR_TLSP_CLNT_KEY_FILE "tlsproxy_client_key_file"
+#define DEF_TLSP_CLNT_KEY_FILE "$" VAR_SMTP_TLS_KEY_FILE
+extern char *var_tlsp_clnt_key_file;
+
+#define VAR_TLSP_CLNT_DCERT_FILE "tlsproxy_client_dcert_file"
+#define DEF_TLSP_CLNT_DCERT_FILE "$" VAR_SMTP_TLS_DCERT_FILE
+extern char *var_tlsp_clnt_dcert_file;
+
+#define VAR_TLSP_CLNT_DKEY_FILE "tlsproxy_client_dkey_file"
+#define DEF_TLSP_CLNT_DKEY_FILE "$" VAR_SMTP_TLS_DKEY_FILE
+extern char *var_tlsp_clnt_dkey_file;
+
+#define VAR_TLSP_CLNT_ECCERT_FILE "tlsproxy_client_eccert_file"
+#define DEF_TLSP_CLNT_ECCERT_FILE "$" VAR_SMTP_TLS_ECCERT_FILE
+extern char *var_tlsp_clnt_eccert_file;
+
+#define VAR_TLSP_CLNT_ECKEY_FILE "tlsproxy_client_eckey_file"
+#define DEF_TLSP_CLNT_ECKEY_FILE "$" VAR_SMTP_TLS_ECKEY_FILE
+extern char *var_tlsp_clnt_eckey_file;
+
+#define VAR_TLSP_CLNT_CAFILE "tlsproxy_client_CAfile"
+#define DEF_TLSP_CLNT_CAFILE "$" VAR_SMTP_TLS_CA_FILE
+extern char *var_tlsp_clnt_CAfile;
+
+#define VAR_TLSP_CLNT_CAPATH "tlsproxy_client_CApath"
+#define DEF_TLSP_CLNT_CAPATH "$" VAR_SMTP_TLS_CA_PATH
+extern char *var_tlsp_clnt_CApath;
+
+#define VAR_TLSP_CLNT_FPT_DGST "tlsproxy_client_fingerprint_digest"
+#define DEF_TLSP_CLNT_FPT_DGST "$" VAR_SMTP_TLS_FPT_DGST
+extern char *var_tlsp_clnt_fpt_dgst;
+
+#define VAR_TLSP_CLNT_USE_TLS "tlsproxy_client_use_tls"
+#define DEF_TLSP_CLNT_USE_TLS "$" VAR_SMTP_USE_TLS
+bool var_tlsp_clnt_use_tls;
+
+#define VAR_TLSP_CLNT_ENFORCE_TLS "tlsproxy_client_enforce_tls"
+#define DEF_TLSP_CLNT_ENFORCE_TLS "$" VAR_SMTP_ENFORCE_TLS
+bool var_tlsp_clnt_enforce_tls;
+
+#define VAR_TLSP_CLNT_LEVEL "tlsproxy_client_level"
+#define DEF_TLSP_CLNT_LEVEL "$" VAR_SMTP_TLS_LEVEL
+char *var_tlsp_clnt_level;
+
+#define VAR_TLSP_CLNT_PER_SITE "tlsproxy_client_per_site"
+#define DEF_TLSP_CLNT_PER_SITE "$" VAR_SMTP_TLS_PER_SITE
+char *var_tlsp_clnt_per_site;
+
+#define VAR_TLSP_CLNT_POLICY "tlsproxy_client_policy"
+#define DEF_TLSP_CLNT_POLICY "$" VAR_SMTP_TLS_POLICY
+char *var_tlsp_clnt_policy;
+
/*
* SMTPD "reject" contact info.
*/
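Review bot: The string literals on L704 and L712, `"tlsproxy_client_level"` and `"tlsproxy_client_policy"`, do not match the parameter names this same commit documents, `tlsproxy_client_security_level` (L607, L809) and `tlsproxy_client_policy_maps` (L622, L812), so a main.cf entry written per the documentation is never read and the tlsproxy client silently keeps the `$smtp_tls_security_level` / `$smtp_tls_policy_maps` defaults; the str_table entries at L1166 and L1168 read through these same macros. The literals should be `#define VAR_TLSP_CLNT_LEVEL "tlsproxy_client_security_level"` and `#define VAR_TLSP_CLNT_POLICY "tlsproxy_client_policy_maps"`. Separately, the declarations on L698, L702, L706, L710 and L714 lack the `extern` that L650–L694 carry, so every translation unit including this header gets a tentative definition of those five variables on top of the definitions in tlsproxy.c (L860–L864), which is a multiple-definition link error under -fno-common. Prefix each with `extern`, e.g. `extern bool var_tlsp_clnt_use_tls;`.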
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20181119"
+#define MAIL_RELEASE_DATE "20181122"
#define MAIL_VERSION_NUMBER "3.4"
#ifdef SNAPSHOT
/* The envelope sender address. This is a proxy for sender-dependent
/* context, such as per-sender SASL authentication.
/* .IP SMTP_KEY_FLAG_REQ_NEXTHOP
-/* The delivery request nexthop destination. This is a proxy
-/* for destination-dependent, but host-independent context.
+/* The delivery request nexthop destination, including optional
+/* [] and :port (the same form that users specify in a SASL
+/* password or TLS policy lookup table). This is a proxy for
+/* destination-dependent, but host-independent context.
/* .IP SMTP_KEY_FLAG_CUR_NEXTHOP
/* The current iterator's nexthop destination (delivery request
/* nexthop or fallback nexthop, including optional [] and
-/* :port). This is the form that users specify in a SASL or
-/* TLS lookup tables.
+/* :port).
/* .IP SMTP_KEY_FLAG_HOSTNAME
/* The current iterator's remote hostname.
/* .IP SMTP_KEY_FLAG_ADDR
#define tls_client_stop(ctx, stream, timeout, failure, TLScontext) \
tls_session_stop(ctx, (stream), (timeout), (failure), (TLScontext))
-#define TLS_CLIENT_INIT(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
+#define TLS_CLIENT_INIT_ARGS(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
a10, a11, a12, a13) \
- tls_client_init((((props)->a1), ((props)->a2), ((props)->a3), \
+ (((props)->a1), ((props)->a2), ((props)->a3), \
((props)->a4), ((props)->a5), ((props)->a6), ((props)->a7), \
((props)->a8), ((props)->a9), ((props)->a10), ((props)->a11), \
- ((props)->a12), ((props)->a13), (props)))
+ ((props)->a12), ((props)->a13), (props))
+
+#define TLS_CLIENT_INIT(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
+ a10, a11, a12, a13) \
+ tls_client_init(TLS_CLIENT_INIT_ARGS(props, a1, a2, a3, a4, a5, \
+ a6, a7, a8, a9, a10, a11, a12, a13))
#define TLS_CLIENT_START(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
a10, a11, a12, a13, a14, a15, a16) \
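Review bot: `TLS_CLIENT_INIT_ARGS` (L747–L754) expands to one parenthesized comma expression — the `((props)->aN)` terms are the caller's `field = value` assignments and the value of the whole expression is `(props)` — not to an argument list, which is what the `_ARGS` suffix suggests and what a reader of `tlsp_client_init((ctx), TLS_CLIENT_INIT_ARGS(...))` in tlsproxy.c (L880–L883) will assume. A short comment above L747 would prevent that misreading: `/* Not an argument list: a single comma expression that performs the props->field = value assignments and evaluates to (props). */`. The `TLS_CLIENT_START` definition that begins on L760 continues outside this hunk.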
/* Available in Postfix version 2.11 and later:
/* .IP "\fBtlsmgr_service_name (tlsmgr)\fR"
/* The name of the \fBtlsmgr\fR(8) service entry in master.cf.
+/* TLS CLIENT CONTROLS
+/* .ad
+/* .fi
+/* These parameters allow \fBtlsproxy\fR(8) to load certificate
+/* and private key information before dropping privileges, so
+/* that the key files can be kept read-only for root.
+/* .PP
+/* Available in Postfix version 3.4 and later:
+/* .IP "\fBtlsproxy_client_CAfile ($smtp_tls_CAfile)\fR"
+/* A file containing CA certificates of root CAs trusted to sign
+/* either remote TLS server certificates or intermediate CA certificates.
+/* .IP "\fBtlsproxy_client_CApath ($smtp_tls_CApath)\fR"
+/* Directory with PEM format Certification Authority certificates
+/* that the Postfix \fBtlsproxy\fR(8) client uses to verify a remote TLS
+/* server certificate.
+/* .IP "\fBtlsproxy_client_cert_file ($smtp_tls_cert_file)\fR"
+/* File with the Postfix \fBtlsproxy\fR(8) client RSA certificate in PEM
+/* format.
+/* .IP "\fBtlsproxy_client_key_file ($smtp_tls_key_file)\fR"
+/* File with the Postfix \fBtlsproxy\fR(8) client RSA private key in PEM
+/* format.
+/* .IP "\fBtlsproxy_client_dcert_file ($smtp_tls_dcert_file)\fR"
+/* File with the Postfix \fBtlsproxy\fR(8) client DSA certificate in PEM
+/* format.
+/* .IP "\fBtlsproxy_client_dkey_file ($smtp_tls_dkey_file)\fR"
+/* File with the Postfix \fBtlsproxy\fR(8) client DSA private key in PEM
+/* format.
+/* .IP "\fBtlsproxy_client_eccert_file ($smtp_tls_eccert_file)\fR"
+/* File with the Postfix \fBtlsproxy\fR(8) client ECDSA certificate in
+/* PEM format.
+/* .IP "\fBtlsproxy_client_eckey_file ($smtp_tls_eckey_file)\fR"
+/* File with the Postfix \fBtlsproxy\fR(8) client ECDSA private key in
+/* PEM format.
+/* .IP "\fBtlsproxy_client_fingerprint_digest ($smtp_tls_fingerprint_digest)\fR"
+/* The message digest algorithm used to construct remote TLS server
+/* certificate fingerprints.
+/* .IP "\fBtlsproxy_client_loglevel ($smtp_tls_loglevel)\fR"
+/* Enable additional Postfix \fBtlsproxy\fR(8) client logging of TLS
+/* activity.
+/* .IP "\fBtlsproxy_client_loglevel_parameter (smtp_tls_loglevel)\fR"
+/* The name of the parameter that provides the tlsproxy_client_loglevel
+/* value.
+/* .IP "\fBtlsproxy_client_scert_verifydepth ($smtp_tls_scert_verifydepth)\fR"
+/* The verification depth for remote TLS server certificates.
+/* .IP "\fBtlsproxy_client_security_level ($smtp_tls_security_level)\fR"
+/* The default TLS security level for the Postfix \fBtlsproxy\fR(8)
+/* client.
+/* .IP "\fBtlsproxy_client_policy_maps ($smtp_tls_policy_maps)\fR"
+/* Optional lookup tables with the Postfix \fBtlsproxy\fR(8) client TLS
+/* security policy by next-hop destination.
+/* .IP "\fBtlsproxy_client_use_tls ($smtp_use_tls)\fR"
+/* Opportunistic mode: use TLS when a remote server announces TLS
+/* support.
+/* .IP "\fBtlsproxy_client_enforce_tls ($smtp_enforce_tls)\fR"
+/* Enforcement mode: require that SMTP servers use TLS encryption.
+/* .IP "\fBtlsproxy_client_per_site ($smtp_tls_per_site)\fR"
+/* Optional lookup tables with the Postfix \fBtlsproxy\fR(8) client TLS
+/* usage policy by next-hop destination and by remote TLS server
+/* hostname.
/* OBSOLETE STARTTLS SUPPORT CONTROLS
/* .ad
/* .fi
int var_tlsp_watchdog;
+ /*
+ * Defaults for tlsp_clnt_*.
+ */
+char *var_smtp_tls_loglevel;
+int var_smtp_tls_scert_vd;
+char *var_smtp_tls_cert_file;
+char *var_smtp_tls_key_file;
+char *var_smtp_tls_dcert_file;
+char *var_smtp_tls_dkey_file;
+char *var_smtp_tls_eccert_file;
+char *var_smtp_tls_eckey_file;
+char *var_smtp_tls_CAfile;
+char *var_smtp_tls_CApath;
+char *var_smtp_tls_fpt_dgst;
+char *var_smtp_tls_level;
+bool var_smtp_use_tls;
+bool var_smtp_enforce_tls;
+char *var_smtp_tls_per_site;
+char *var_smtp_tls_policy;
+
+char *var_tlsp_clnt_loglevel;
+char *var_tlsp_clnt_logparam;
+int var_tlsp_clnt_scert_vd;
+char *var_tlsp_clnt_cert_file;
+char *var_tlsp_clnt_key_file;
+char *var_tlsp_clnt_dcert_file;
+char *var_tlsp_clnt_dkey_file;
+char *var_tlsp_clnt_eccert_file;
+char *var_tlsp_clnt_eckey_file;
+char *var_tlsp_clnt_CAfile;
+char *var_tlsp_clnt_CApath;
+char *var_tlsp_clnt_fpt_dgst;
+char *var_tlsp_clnt_level;
+bool var_tlsp_clnt_use_tls;
+bool var_tlsp_clnt_enforce_tls;
+char *var_tlsp_clnt_per_site;
+char *var_tlsp_clnt_policy;
+
/*
* TLS per-process status.
*/
static TLS_APPL_STATE *tlsp_server_ctx;
+static TLS_APPL_STATE *tlsp_client_ctx;
+static bool tlsp_pre_jail_done;
static int ask_client_cert;
/*
}
/*
- * This function does not destroy TLSP_STATE in case of error, because that
- * would complicate the caller.
+ * Macro for readability.
*/
+#define TLSP_CLIENT_INIT(ctx, props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
+ a10, a11, a12, a13) \
+ tlsp_client_init((ctx), TLS_CLIENT_INIT_ARGS((props), a1, a2, a3, a4, \
+ a5, a6, a7, a8, a9, a10, a11, a12, a13))
-/* tlsp_client_init_no_tlsp_state_free - initialize a TLS client engine */
+/* tlsp_client_init - initialize a TLS client engine */
-static int tlsp_client_init_no_tlsp_state_free(TLSP_STATE *state)
+static int tlsp_client_init(TLS_APPL_STATE **client_appl_state,
+ TLS_CLIENT_INIT_PROPS *init_props)
{
+ TLS_APPL_STATE *appl_state;
VSTRING *buf;
char *key;
* expensive.
*/
buf = vstring_alloc(100);
- key = tls_proxy_client_init_to_string(buf, state->client_init_props);
- if ((state->appl_state = (TLS_APPL_STATE *)
+ key = tls_proxy_client_init_to_string(buf, init_props);
+ if ((appl_state = (TLS_APPL_STATE *)
htable_find(tlsp_client_app_cache, key)) == 0
- && (state->appl_state =
- tls_client_init(state->client_init_props)) != 0) {
- (void) htable_enter(tlsp_client_app_cache, key,
- (void *) state->appl_state);
+ && (appl_state = tls_client_init(init_props)) != 0) {
+ (void) htable_enter(tlsp_client_app_cache, key, (void *) appl_state);
+
+ /*
+ * Log a warning if these client settings differ from the
+ * tlsproxy_client_* settings AND the settings specify file or
+ * directory arguments. Those are problematic after chroot (pathname
+ * resolution) and dropping permission (key files must be root
+ * read-only). We can eliminate this by adding code that opens a
+ * cert/key lookup table at pre-jail time and by reading cert/key
+ * info on-the-fly from that table.
+ */
+#define NOT_NULL_NOT_EMPTY(x) ((x) && *(x))
+
+ if (tlsp_pre_jail_done && appl_state && appl_state != tlsp_client_ctx
+ && (NOT_NULL_NOT_EMPTY(init_props->cert_file)
+ || NOT_NULL_NOT_EMPTY(init_props->key_file)
+ || NOT_NULL_NOT_EMPTY(init_props->dcert_file)
+ || NOT_NULL_NOT_EMPTY(init_props->dkey_file)
+ || NOT_NULL_NOT_EMPTY(init_props->eccert_file)
+ || NOT_NULL_NOT_EMPTY(init_props->eckey_file)
+ || NOT_NULL_NOT_EMPTY(init_props->CAfile)
+ || NOT_NULL_NOT_EMPTY(init_props->CApath))) {
+ msg_warn("client request differs from tlsproxy_client_* settings");
+ msg_warn("to avoid this warning, 1) configure a custom tlsproxy");
+ msg_warn("service and 2) configure an smtp client with a");
+ msg_warn("tlsproxy_service setting that resolves to the custom");
+ msg_warn("tlsproxy service");
+ }
/*
* To maintain sanity, allow partial SSL_write() operations, and
* a mailing list, but is not supported by documentation. If this
* code stops working then no-one can be held responsible.
*/
- if (state->appl_state)
- SSL_CTX_set_mode(state->appl_state->ssl_ctx,
+ if (appl_state)
+ SSL_CTX_set_mode(appl_state->ssl_ctx,
SSL_MODE_ENABLE_PARTIAL_WRITE
| SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
}
+ *client_appl_state = appl_state;
vstring_free(buf);
- return (state->appl_state != 0);
+ return (appl_state != 0);
}
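Review bot: In the condition on L919, `appl_state` and `appl_state != tlsp_client_ctx` are always true at that point: the block is entered only when `htable_find()` missed (L900) and `tls_client_init()` on L905 just returned a fresh non-null state, which cannot be the one cached pre-jail. The effective trigger is therefore "cache miss after pre_jail_init() with a file or directory argument", which also fires — with a misleading message — when the pre-jail initialization itself failed and `tlsp_client_ctx` is still null. Either drop the two redundant tests, `if (tlsp_pre_jail_done && (NOT_NULL_NOT_EMPTY(init_props->cert_file)`, or keep them and say why in the comment at L908–L916; for the failed-pre-jail case a distinct warning (cert/key files are now being opened after chroot and privilege drop) would tell the operator what actually happened. This hunk starts inside `tlsp_client_init()`, whose signature is in the preceding hunk (L887).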
/* tlsp_close_event - pre-handshake plaintext-client close event */
tlsp_state_free(state);
return;
}
- ready = tlsp_client_init_no_tlsp_state_free(state);
+ ready = tlsp_client_init(&state->appl_state, state->client_init_props);
break;
case TLS_PROXY_FLAG_ROLE_SERVER:
state->is_server_role = 1;
int have_server_cert;
int no_server_cert_ok;
int require_server_cert;
+ int clnt_use_tls;
/*
* The code in this routine is pasted literally from smtpd(8). I am not
SSL_CTX_set_mode(tlsp_server_ctx->ssl_ctx,
SSL_MODE_ENABLE_PARTIAL_WRITE
| SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
-}
-
-/* post_jail_init - post-jail initialization */
-static void post_jail_init(char *unused_name, char **unused_argv)
-{
+ /*
+ * The cache with TLS_APPL_STATE instances for different TLS_CLIENT_INIT
+ * configurations.
+ */
tlsp_client_app_cache = htable_create(10);
+
+ /*
+ * Most sites don't use TLS client certs/keys. In that case, enabling
+ * tlsproxy-based connection caching is trivial.
+ *
+ * But some sites do use TLS client certs/keys, and that is challenging when
+ * tlsproxy runs in a post-jail environment: chroot breaks pathname
+ * resolution, and an unprivileged process should not be able to open
+ * files with secrets. The workaround: assume that most of those sites
+ * will use a fixed TLS client identity. In that case, tlsproxy can load
+ * the corresponding certs/keys at pre-jail time, so that secrets can
+ * remain read-only for root. As long as the tlsproxy pre-jail TLS client
+ * configuration with cert or key pathnames is the same as the one used
+ * in the Postfix SMTP client, sites can selectively or globally enable
+ * tlsproxy-based connection caching without additional TLS
+ * configuration.
+ *
+ * Loading one TLS client configuration at pre-jail time is not sufficient
+ * for the minority of sites that want to use TLS connection caching with
+ * multiple TLS client identities. To alert the operator, tlsproxy will
+ * log a warning when a TLS_CLIENT_INIT message specifies a different
+ * configuration with cert or key pathnames. The workaround is to have
+ * one tlsproxy process per TLS client identity.
+ *
+ * The general solution for single-identity or multi-identity clients is to
+ * stop loading certs and keys from individual files. Instead, have a
+ * cert/key map, indexed by client identity, read-only by root. After
+ * opening the map at pre-jail time, tlsproxy can read certs/keys
+ * on-the-fly at post-jail time. This is the approach that was already
+ * proposed for server-side SNI support, and it could be reused here. It
+ * would also end the proliferation of RSA cert/key parameters, DSA
+ * cert/key parameters, EC cert/key parameters, and so on.
+ *
+ * Horror: In order to create the same pre-jail TLS client context as the
+ * one used in the Postfix SMTP client, we have to duplicate intricate
+ * SMTP client code, including a handful configuration parameters that
+ * tlsproxy does not need. We must duplicate the logic, so that we only
+ * load certs and keys when the SMTP client would load them.
+ */
+ if (*var_tlsp_clnt_level != 0)
+ switch (tls_level_lookup(var_tlsp_clnt_level)) {
+ case TLS_LEV_SECURE:
+ case TLS_LEV_VERIFY:
+ case TLS_LEV_DANE_ONLY:
+ case TLS_LEV_FPRINT:
+ case TLS_LEV_ENCRYPT:
+ var_tlsp_clnt_use_tls = var_tlsp_clnt_enforce_tls = 1;
+ break;
+ case TLS_LEV_DANE:
+ case TLS_LEV_MAY:
+ var_tlsp_clnt_use_tls = 1;
+ var_tlsp_clnt_enforce_tls = 0;
+ break;
+ case TLS_LEV_NONE:
+ var_tlsp_clnt_use_tls = var_tlsp_clnt_enforce_tls = 0;
+ break;
+ default:
+ /* tls_level_lookup() logs no warning. */
+ /* session_tls_init() assumes that var_tlsp_clnt_level is sane. */
+ msg_fatal("Invalid TLS level \"%s\"", var_tlsp_clnt_level);
+ }
+ clnt_use_tls = (var_tlsp_clnt_use_tls || var_tlsp_clnt_enforce_tls);
+
+ /*
+ * Initialize the TLS data before entering the chroot jail.
+ */
+ if (clnt_use_tls || var_tlsp_clnt_per_site[0] || var_tlsp_clnt_policy[0]) {
+ TLS_CLIENT_INIT_PROPS props;
+
+ /*
+ * We get stronger type safety and a cleaner interface by combining
+ * the various parameters into a single tls_client_props structure.
+ *
+ * Large parameter lists are error-prone, so we emulate a language
+ * feature that C does not have natively: named parameter lists.
+ */
+ if (TLSP_CLIENT_INIT(&tlsp_client_ctx, &props,
+ log_param = var_tlsp_clnt_logparam,
+ log_level = var_tlsp_clnt_loglevel,
+ verifydepth = var_tlsp_clnt_scert_vd,
+ cache_type = TLS_MGR_SCACHE_SMTP,
+ cert_file = var_tlsp_clnt_cert_file,
+ key_file = var_tlsp_clnt_key_file,
+ dcert_file = var_tlsp_clnt_dcert_file,
+ dkey_file = var_tlsp_clnt_dkey_file,
+ eccert_file = var_tlsp_clnt_eccert_file,
+ eckey_file = var_tlsp_clnt_eckey_file,
+ CAfile = var_tlsp_clnt_CAfile,
+ CApath = var_tlsp_clnt_CApath,
+ mdalg = var_tlsp_clnt_fpt_dgst) == 0)
+ msg_warn("TLS client initialization failed");
+ }
+
+ /*
+ * tlsp_client_init() needs to know if it is called pre-jail or
+ * post-jail.
+ */
+ tlsp_pre_jail_done = 1;
}
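Review bot: The comment on L1037, `/* session_tls_init() assumes that var_tlsp_clnt_level is sane. */`, refers to a function of the Postfix SMTP client from which L1018–L1040 are copied (L1012–L1016 say so); nothing named session_tls_init() appears in tlsproxy in this diff, so the comment should name the tlsproxy code that depends on the validated level, or be reduced to `/* tls_level_lookup() logs no warning; reject unknown levels here. */`. On L1069 a failed pre-jail initialization only warns and leaves `tlsp_client_ctx` null; presumably later requests are then initialized post-jail by tlsp_client_init(), where cert/key files are opened after chroot and privilege drop, and the comment at L1042–L1044 should spell out that consequence so the choice of msg_warn over msg_fatal reads as deliberate. The assignment on L1076 must stay after the TLSP_CLIENT_INIT call because tlsp_client_init() consults the flag on L919; that ordering constraint is worth one sentence in the comment at L1072–L1075.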
MAIL_VERSION_STAMP_DECLARE;
int main(int argc, char **argv)
{
- static const CONFIG_INT_TABLE int_table[] = {
+
+ /*
+ * Each table below initializes the named variables to their implicit
+ * default value, or to the explicit value in main.cf or master.cf. Here,
+ * "compat" means that a table initializes a variable "smtpd_blah" or
+ * "smtp_blah" that provides the implicit default value for variable
+ * "tlsproxy_blah". To make this work, the variables in a "compat" table
+ * must be initialized before the variables in the corresponding
+ * non-compat table.
+ */
+ static const CONFIG_INT_TABLE compat_int_table[] = {
VAR_SMTPD_TLS_CCERT_VD, DEF_SMTPD_TLS_CCERT_VD, &var_smtpd_tls_ccert_vd, 0, 0,
+ VAR_SMTP_TLS_SCERT_VD, DEF_SMTP_TLS_SCERT_VD, &var_smtp_tls_scert_vd, 0, 0,
0,
};
static const CONFIG_NINT_TABLE nint_table[] = {
VAR_TLSP_TLS_CCERT_VD, DEF_TLSP_TLS_CCERT_VD, &var_tlsp_tls_ccert_vd, 0, 0,
+ VAR_TLSP_CLNT_SCERT_VD, DEF_TLSP_CLNT_SCERT_VD, &var_tlsp_clnt_scert_vd, 0, 0,
0,
};
static const CONFIG_TIME_TABLE time_table[] = {
VAR_TLSP_WATCHDOG, DEF_TLSP_WATCHDOG, &var_tlsp_watchdog, 10, 0,
0,
};
- static const CONFIG_BOOL_TABLE bool_table[] = {
+ static const CONFIG_BOOL_TABLE compat_bool_table[] = {
VAR_SMTPD_USE_TLS, DEF_SMTPD_USE_TLS, &var_smtpd_use_tls,
VAR_SMTPD_ENFORCE_TLS, DEF_SMTPD_ENFORCE_TLS, &var_smtpd_enforce_tls,
VAR_SMTPD_TLS_ACERT, DEF_SMTPD_TLS_ACERT, &var_smtpd_tls_ask_ccert,
VAR_SMTPD_TLS_RCERT, DEF_SMTPD_TLS_RCERT, &var_smtpd_tls_req_ccert,
VAR_SMTPD_TLS_SET_SESSID, DEF_SMTPD_TLS_SET_SESSID, &var_smtpd_tls_set_sessid,
+ VAR_SMTP_USE_TLS, DEF_SMTP_USE_TLS, &var_smtp_use_tls,
+ VAR_SMTP_ENFORCE_TLS, DEF_SMTP_ENFORCE_TLS, &var_smtp_enforce_tls,
0,
};
static const CONFIG_NBOOL_TABLE nbool_table[] = {
VAR_TLSP_TLS_ACERT, DEF_TLSP_TLS_ACERT, &var_tlsp_tls_ask_ccert,
VAR_TLSP_TLS_RCERT, DEF_TLSP_TLS_RCERT, &var_tlsp_tls_req_ccert,
VAR_TLSP_TLS_SET_SESSID, DEF_TLSP_TLS_SET_SESSID, &var_tlsp_tls_set_sessid,
+ VAR_TLSP_CLNT_USE_TLS, DEF_TLSP_CLNT_USE_TLS, &var_tlsp_clnt_use_tls,
+ VAR_TLSP_CLNT_ENFORCE_TLS, DEF_TLSP_CLNT_ENFORCE_TLS, &var_tlsp_clnt_enforce_tls,
0,
};
- static const CONFIG_STR_TABLE str_table[] = {
+ static const CONFIG_STR_TABLE compat_str_table[] = {
VAR_SMTPD_TLS_CERT_FILE, DEF_SMTPD_TLS_CERT_FILE, &var_smtpd_tls_cert_file, 0, 0,
VAR_SMTPD_TLS_KEY_FILE, DEF_SMTPD_TLS_KEY_FILE, &var_smtpd_tls_key_file, 0, 0,
VAR_SMTPD_TLS_DCERT_FILE, DEF_SMTPD_TLS_DCERT_FILE, &var_smtpd_tls_dcert_file, 0, 0,
VAR_SMTPD_TLS_FPT_DGST, DEF_SMTPD_TLS_FPT_DGST, &var_smtpd_tls_fpt_dgst, 1, 0,
VAR_SMTPD_TLS_LOGLEVEL, DEF_SMTPD_TLS_LOGLEVEL, &var_smtpd_tls_loglevel, 0, 0,
VAR_SMTPD_TLS_LEVEL, DEF_SMTPD_TLS_LEVEL, &var_smtpd_tls_level, 0, 0,
+ VAR_SMTP_TLS_CERT_FILE, DEF_SMTP_TLS_CERT_FILE, &var_smtp_tls_cert_file, 0, 0,
+ VAR_SMTP_TLS_KEY_FILE, DEF_SMTP_TLS_KEY_FILE, &var_smtp_tls_key_file, 0, 0,
+ VAR_SMTP_TLS_DCERT_FILE, DEF_SMTP_TLS_DCERT_FILE, &var_smtp_tls_dcert_file, 0, 0,
+ VAR_SMTP_TLS_DKEY_FILE, DEF_SMTP_TLS_DKEY_FILE, &var_smtp_tls_dkey_file, 0, 0,
+ VAR_SMTP_TLS_CA_FILE, DEF_SMTP_TLS_CA_FILE, &var_smtp_tls_CAfile, 0, 0,
+ VAR_SMTP_TLS_CA_PATH, DEF_SMTP_TLS_CA_PATH, &var_smtp_tls_CApath, 0, 0,
+ VAR_SMTP_TLS_FPT_DGST, DEF_SMTP_TLS_FPT_DGST, &var_smtp_tls_fpt_dgst, 1, 0,
+ VAR_SMTP_TLS_ECCERT_FILE, DEF_SMTP_TLS_ECCERT_FILE, &var_smtp_tls_eccert_file, 0, 0,
+ VAR_SMTP_TLS_ECKEY_FILE, DEF_SMTP_TLS_ECKEY_FILE, &var_smtp_tls_eckey_file, 0, 0,
+ VAR_SMTP_TLS_LOGLEVEL, DEF_SMTP_TLS_LOGLEVEL, &var_smtp_tls_loglevel, 0, 0,
+ VAR_SMTP_TLS_PER_SITE, DEF_SMTP_TLS_PER_SITE, &var_smtp_tls_per_site, 0, 0,
+ VAR_SMTP_TLS_LEVEL, DEF_SMTP_TLS_LEVEL, &var_smtp_tls_level, 0, 0,
+ VAR_SMTP_TLS_POLICY, DEF_SMTP_TLS_POLICY, &var_smtp_tls_policy, 0, 0,
+ 0,
+ };
+ static const CONFIG_STR_TABLE str_table[] = {
VAR_TLSP_TLS_CERT_FILE, DEF_TLSP_TLS_CERT_FILE, &var_tlsp_tls_cert_file, 0, 0,
VAR_TLSP_TLS_KEY_FILE, DEF_TLSP_TLS_KEY_FILE, &var_tlsp_tls_key_file, 0, 0,
VAR_TLSP_TLS_DCERT_FILE, DEF_TLSP_TLS_DCERT_FILE, &var_tlsp_tls_dcert_file, 0, 0,
VAR_TLSP_TLS_FPT_DGST, DEF_TLSP_TLS_FPT_DGST, &var_tlsp_tls_fpt_dgst, 1, 0,
VAR_TLSP_TLS_LOGLEVEL, DEF_TLSP_TLS_LOGLEVEL, &var_tlsp_tls_loglevel, 0, 0,
VAR_TLSP_TLS_LEVEL, DEF_TLSP_TLS_LEVEL, &var_tlsp_tls_level, 0, 0,
+ VAR_TLSP_CLNT_LOGLEVEL, DEF_TLSP_CLNT_LOGLEVEL, &var_tlsp_clnt_loglevel, 0, 0,
+ VAR_TLSP_CLNT_LOGPARAM, DEF_TLSP_CLNT_LOGPARAM, &var_tlsp_clnt_logparam, 0, 0,
+ VAR_TLSP_CLNT_CERT_FILE, DEF_TLSP_CLNT_CERT_FILE, &var_tlsp_clnt_cert_file, 0, 0,
+ VAR_TLSP_CLNT_KEY_FILE, DEF_TLSP_CLNT_KEY_FILE, &var_tlsp_clnt_key_file, 0, 0,
+ VAR_TLSP_CLNT_DCERT_FILE, DEF_TLSP_CLNT_DCERT_FILE, &var_tlsp_clnt_dcert_file, 0, 0,
+ VAR_TLSP_CLNT_DKEY_FILE, DEF_TLSP_CLNT_DKEY_FILE, &var_tlsp_clnt_dkey_file, 0, 0,
+ VAR_TLSP_CLNT_ECCERT_FILE, DEF_TLSP_CLNT_ECCERT_FILE, &var_tlsp_clnt_eccert_file, 0, 0,
+ VAR_TLSP_CLNT_ECKEY_FILE, DEF_TLSP_CLNT_ECKEY_FILE, &var_tlsp_clnt_eckey_file, 0, 0,
+ VAR_TLSP_CLNT_CAFILE, DEF_TLSP_CLNT_CAFILE, &var_tlsp_clnt_CAfile, 0, 0,
+ VAR_TLSP_CLNT_CAPATH, DEF_TLSP_CLNT_CAPATH, &var_tlsp_clnt_CApath, 0, 0,
+ VAR_TLSP_CLNT_FPT_DGST, DEF_TLSP_CLNT_FPT_DGST, &var_tlsp_clnt_fpt_dgst, 1, 0,
+ VAR_TLSP_CLNT_LEVEL, DEF_TLSP_CLNT_LEVEL, &var_tlsp_clnt_level, 0, 0,
+ VAR_TLSP_CLNT_PER_SITE, DEF_TLSP_CLNT_PER_SITE, &var_tlsp_clnt_per_site, 0, 0,
+ VAR_TLSP_CLNT_POLICY, DEF_TLSP_CLNT_POLICY, &var_tlsp_clnt_policy, 0, 0,
0,
};
* Pass control to the event-driven service skeleton.
*/
event_server_main(argc, argv, tlsp_service,
- CA_MAIL_SERVER_INT_TABLE(int_table),
+ CA_MAIL_SERVER_INT_TABLE(compat_int_table),
CA_MAIL_SERVER_NINT_TABLE(nint_table),
+ CA_MAIL_SERVER_STR_TABLE(compat_str_table),
CA_MAIL_SERVER_STR_TABLE(str_table),
- CA_MAIL_SERVER_BOOL_TABLE(bool_table),
+ CA_MAIL_SERVER_BOOL_TABLE(compat_bool_table),
CA_MAIL_SERVER_NBOOL_TABLE(nbool_table),
CA_MAIL_SERVER_TIME_TABLE(time_table),
CA_MAIL_SERVER_PRE_INIT(pre_jail_init),
- CA_MAIL_SERVER_POST_INIT(post_jail_init),
CA_MAIL_SERVER_SLOW_EXIT(tlsp_drain),
CA_MAIL_SERVER_RETIRE_ME,
CA_MAIL_SERVER_WATCHDOG(&var_tlsp_watchdog),