From: Wietse Venema Date: Wed, 1 Feb 2006 05:00:00 +0000 (-0500) Subject: postfix-2.2.9-RC1 X-Git-Tag: v2.2.9-RC1^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0a665b061fb83ece9166c9f2ac24b9fde23074bc;p=thirdparty%2Fpostfix.git postfix-2.2.9-RC1 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index a6fac711b..6c5543850 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -10794,3 +10794,62 @@ Apologies for any names omitted. Portability: FreeBSD 6 is a supported platform. Files: util/sys_defs.h, makedefs. + +20010604 + + Safety: new "smtp_cname_overrides_servername" parameter. + The default value ("yes") is backwards compatible. + + With a value of "no", the Postfix SMTP client no longer + allows CNAME expansion to override the hostname that is + used for logging, SASL password lookup, TLS policy decisions, + or TLS certificate verification. Instead it uses the name + of the recipient domain, the host or domain name specified + in Postfix configuration files, or the hostnames obtained + with MX lookups. To prevent cheating with hostnames in MX + lookup results, you will have to suppress MX lookups with + explicit [hostname] entries in transport maps. Files: + dns/dns_lookup.c, dns/dns_rr.c, proto/postconf.proto. + +20060108 + + Bugfix: mailbox_command_maps was not subject to $name + expansion. File: local/local.c. + +20060115 + + Bugfix: don't ignore the per-site policy when SSL library + initialization fails. Introduced after adopting the TLS + patch. File: smtp/smtp_session.c. + +20060121 + + Bugfix: a TLS per-site MUST_NOPEERMATCH policy could not + override a stronger main.cf policy, while a per-site NONE + policy could. Fixed with a clean re-implementation from + Postfix 2.3. File: smtp/smtp_session.c. + + Bugfix: a combined TLS per-site (host, recipient) policy + of (NONE, MAY) changed a global MUST policy into NONE, and + a global MUST_NOPEERMATCH into MAY. The result is now NONE. + Problem found by exhaustive simulation. Fixed with a clean + re-implementation from Postfix 2.3. File: smtp/smtp_session.c. + +20060130 + + Bugfix: an empty remote_header_rewrite_domain value caused + trivial-rewrite to dereference a null pointer, but only in + regression tests, not in production. Postfix rewrites + addresses in the remote rewriting context only when the + remote_header_rewrite_domain parameter value is non-empty. + File: trivial-rewrite/rewrite.c. + +20060202 + + Workaround: a malformed domain name lookup result (such as + null MX record) is now treated as a hard error, so that + Postfix will no longer repeatedly try to deliver mail until + the message expires in the queue. However, this will not + reject mail with reject_unknown_sender/recipient_domain. + That would require too much change for a stable release. + File: dns/dns_lookup.c. diff --git a/postfix/README_FILES/TLS_README b/postfix/README_FILES/TLS_README index 25d0aa43d..c1d290724 100644 --- a/postfix/README_FILES/TLS_README +++ b/postfix/README_FILES/TLS_README @@ -68,6 +68,10 @@ To build Postfix with TLS support, first we need to generate the make(1) files with the necessary definitions. This is done by invoking the command "make makefiles" in the Postfix top-level directory and with arguments as shown next. +NNOOTTEE:: DDoo nnoott uussee GGnnuu TTLLSS.. IItt wwiillll ssppoonnttaanneeoouussllyy tteerrmmiinnaattee aa pprroocceessss wwiitthh eexxiitt +ssttaattuuss ccooddee 22,, iinnsstteeaadd ooff pprrooppeerrllyy rreeppoorrttiinngg pprroobblleemmss ttoo PPoossttffiixx,, ssoo tthhaatt iitt +ccaann lloogg tthheemm ttoo tthhee mmaaiilllloogg ffiillee.. + * If the OpenSSL include files (such as ssl.h) are in directory /usr/include/ openssl, and the OpenSSL libraries (such as libssl.so and libcrypto.so) are in directory /usr/lib: @@ -364,7 +368,9 @@ between multiple smtpd(8) processes, a persistent session cache can be used. You can specify any database type that can store objects of several kbytes and that supports the sequence operator. DBM databases are not suitable because they can only store small objects. The cache is maintained by the tlsmgr(8) -process, so there is no problem with concurrent access. +process, so there is no problem with concurrent access. Session caching is +highly recommended, because the cost of repeatedly negotiating TLS session keys +is high. Example: @@ -420,7 +426,7 @@ Example: ... The Postfix list manipulation routines give special treatment to whitespace and -some other characters, making the use of certificate names unpractical. Instead +some other characters, making the use of certificate names impractical. Instead we use the certificate fingerprints as they are difficult to fake but easy to use for lookup. Postfix lookup tables are in the form of (key, value) pairs. Since we only need the key, the value can be chosen freely, e.g. the name of @@ -485,7 +491,12 @@ Topics covered in this section: * Client-side TLS activity logging * Client-side TLS session cache * Enabling TLS in the Postfix SMTP client - * Server certificate verification + * Requiring TLS encryption + * Disabling server certificate verification + * Per-site TLS policies + * Closing a DNS loophole with per-site TLS policies + * Discovering servers that support TLS + * Server certificate verification depth * Client-side cipher controls * Miscellaneous client controls @@ -530,12 +541,12 @@ If you want the Postfix SMTP client to accept remote SMTP server certificates issued by these CAs, append the root certificate to $smtp_tls_CAfile or install it in the $smtp_tls_CApath directory. When you configure trust in a root CA, it is not necessary to explicitly trust intermediary CAs signed by the root CA, -unless $smtp_tls_verify_depth is less than the number of CAs in the certificate -chain for the servers of interest. With a verify depth of 1 you can only verify -certificates directly signed by a trusted CA, and all trusted intermediary CAs -need to be configured explicitly. With a verify depth of 2 you can verify -servers signed by a root CA or a direct intermediary CA (so long as the server -is correctly configured to supply its intermediate CA certificate). +unless $smtp_tls_scert_verifydepth is less than the number of CAs in the +certificate chain for the servers of interest. With a verify depth of 1 you can +only verify certificates directly signed by a trusted CA, and all trusted +intermediary CAs need to be configured explicitly. With a verify depth of 2 you +can verify servers signed by a root CA or a direct intermediary CA (so long as +the server is correctly configured to supply its intermediate CA certificate). RSA key and certificate examples: @@ -608,7 +619,10 @@ between multiple smtp(8) processes, a persistent session cache can be used. You can specify any database type that can store objects of several kbytes and that supports the sequence operator. DBM databases are not suitable because they can only store small objects. The cache is maintained by the tlsmgr(8) process, so -there is no problem with concurrent access. +there is no problem with concurrent access. Session caching is highly +recommended, because the cost of repeatedly negotiating TLS session keys is +high. Future Postfix SMTP servers may limit the number of sessions that a +client is allowed to negotiate per unit time. Example: @@ -630,20 +644,19 @@ By default, TLS is disabled in the Postfix SMTP client, so no difference to plain Postfix is visible. If you enable TLS, the Postfix SMTP client will send STARTTLS when TLS support is announced by the remote SMTP server. -WARNING: MS Exchange servers will announce STARTTLS support even when the -service is not configured, so that the TLS handshake will fail. It may be wise -to not use this option on your central mail hub, as you don't know in advance -whether you are going to connect to such a host. Instead, use the -smtp_tls_per_site recipient/site specific options that are described below. - -When the TLS handshake fails and no other server is available, the Postfix SMTP -client defers the delivery attempt, and the mail stays in the queue. +When the server accepts the STARTTLS command, but the subsequent TLS handshake +fails, and no other server is available, the Postfix SMTP client defers the +delivery attempt, and the mail stays in the queue. After a handshake failure, +the communications channel is in an indeterminate state and cannot be used for +non-TLS deliveries. Example: /etc/postfix/main.cf: smtp_use_tls = yes +RReeqquuiirriinngg TTLLSS eennccrryyppttiioonn + You can ENFORCE the use of TLS, so that the Postfix SMTP client will not deliver mail over unencrypted connections. In this mode, the remote SMTP server hostname must match the information in the remote server certificate, and the @@ -652,21 +665,22 @@ client. If the remote server certificate doesn't verify or the remote SMTP server hostname doesn't match, and no other server is available, the delivery attempt is deferred and the mail stays in the queue. -The remote SMTP server hostname used in the check is beyond question, as it -must be the principal hostname (no CNAME allowed here). Checks are performed -against all names provided as dNSNames in the SubjectAlternativeName. If no -dNSNames are specified, the CommonName is checked. The behavior may be changed -with the smtp_tls_enforce_peername option which is discussed below. +The remote SMTP server hostname is verified against all names provided as +dNSNames in the SubjectAlternativeName. If no dNSNames are specified, the +CommonName is checked. Verification may be turned off with the +smtp_tls_enforce_peername option which is discussed below. -This option is useful only if you know that you will only connect to servers -that support RFC 2487 _and_ that present server certificates that meet the -above requirements. An example would be a client only sends email to one +Enforcing the use of TLS is useful if you know that you will only connect to +servers that support RFC 2487 _and_ that present server certificates that meet +the above requirements. An example would be a client only sends email to one specific mailhub that offers the necessary STARTTLS support. Example: /etc/postfix/main.cf: - smtp_enforce_tls = no + smtp_enforce_tls = yes + +DDiissaabblliinngg sseerrvveerr cceerrttiiffiiccaattee vveerriiffiiccaattiioonn As of RFC 2487 the requirements for hostname checking for MTA clients are not set. When TLS is required (smtp_enforce_tls = yes), the option @@ -674,79 +688,140 @@ smtp_tls_enforce_peername can be set to "no" to disable strict remote SMTP server hostname checking. In this case, the mail delivery will proceed regardless of the CommonName etc. listed in the certificate. -Note: the smtp_tls_enforce_peername setting has no effect on sessions that are -controlled via the smtp_tls_per_site table. - -Disabling the remote SMTP server hostname verification can make sense in closed -environment where special CAs are created. If not used carefully, this option -opens the danger of a "man-in-the-middle" attack (the CommonName of this -possible attacker is logged). +Despite the potential for eliminating "man-in-the-middle" and other attacks, +mandatory certificate/peername verification is not viable as a default Internet +mail delivery policy at this time. A significant fraction of TLS enabled MTAs +uses self-signed certificates, or certificates that are signed by a private +certificate authority. On a machine that delivers mail to the Internet, if you +set smtp_enforce_tls = yes, you should probably also set +smtp_tls_enforce_peername = no. You can use the per-site TLS policies (see +below) to enable full peer verification for specific destinations that are +known to have verifiable TLS server certificates. Example: /etc/postfix/main.cf: - smtp_tls_enforce_peername = yes - -Generally, trying TLS can be a bad idea, as some servers offer STARTTLS but the -negotiation will fail leading to unexplainable failures. Instead, it may be a -good idea to choose the TLS usage policy based on the recipient or the mailhub -to which you are connecting. - -Deciding the TLS usage policy per recipient may be difficult, since a single -email delivery attempt can involve several recipients. Instead, use of TLS is -controlled by the Postfix next-hop destination domain name and by the remote -SMTP server hostname. If either of these matches an entry in the -smtp_tls_per_site table, appropriate action is taken. - -The remote SMTP server hostname is simply the DNS name of the server that the -Postfix SMTP client connects to. The next-hop destination is Postfix specific. -By default, this is the domain name in the recipient address, but this -information can be overruled by the transport(5) table or by the relayhost -parameter setting. In these cases the relayhost etc. must be listed in the -smtp_tls_per_site table, instead of the recipient domain name. - -Format of the table: domain or host names are specified on the left-hand side; -no wildcards are allowed. On the right hand side specify one of the following -keywords: + smtp_enforce_tls = yes + smtp_tls_enforce_peername = no + +PPeerr--ssiittee TTLLSS ppoolliicciieess + +A small fraction of servers offer STARTTLS but the negotiation consistently +fails, leading to mail aging out of the queue and bouncing back to the sender. +In such cases, you can use the per-site policies to disable TLS for the problem +sites. Alternatively, you can enable TLS for just a few specific sites and not +enable it for all sites. + +The smtp_tls_per_site table is searched for a policy that matches the following +information: + + remote SMTP server hostname + This is simply the DNS name of the server that the Postfix SMTP client + connects to; this name may be obtained from other DNS lookups, such as + MX lookups or CNAME lookups. + next-hop destination + This is normally the domain portion of the recipient address, but it + may be overruled by information from the transport(5) table, from the + relayhost parameter setting, or from the relay_transport setting. When + it's not the recipient domain, the next-hop destination can have the + Postfix-specific form "[name]", [name]:port", "name" or "name:port". + +When both the hostname lookup and the next-hop lookup succeed, the host policy +does not automatically override the next-hop policy. Instead, precedence is +given to either the more specific or the more secure per-site policy as +described below. + +The smtp_tls_per_site table uses a simple "name whitespace value" format. +Specify host names or next-hop destinations on the left-hand side; no wildcards +are allowed. On the right hand side specify one of the following keywords: NONE - Don't use TLS at all. + Don't use TLS at all. This overrides a less specific MMAAYY lookup result + from the alternate host or next-hop lookup key, and overrides the + global smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername + settings. MAY - Try to use STARTTLS if offered, otherwise use the unencrypted - connection. + Try to use TLS if the server announces support, otherwise use the + unencrypted connection. This has less precedence than a more specific + result (including NNOONNEE) from the alternate host or next-hop lookup key, + and has less precedence than the more specific global "smtp_enforce_tls + = yes" or "smtp_tls_enforce_peername = yes". + MUST_NOPEERMATCH + Require TLS encryption, but do not require that the remote SMTP server + hostname matches the information in the remote SMTP server certificate, + or that the server certificate was issued by a trusted CA. This + overrides a less secure NNOONNEE or a less specific MMAAYY lookup result from + the alternate host or next-hop lookup key, and overrides the global + smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername settings. MUST - Require usage of STARTTLS, require that the remote SMTP server hostname + Require TLS encryption, require that the remote SMTP server hostname matches the information in the remote SMTP server certificate, and require that the remote SMTP server certificate was issued by a trusted - CA. - MUST_NOPEERMATCH - Require usage of STARTTLS, but do not require that the remote SMTP - server hostname matches the information in the remote SMTP server - certificate, or that the server certificate was issued by a trusted CA. + CA. This overrides a less secure NNOONNEE and MMUUSSTT__NNOOPPEEEERRMMAATTCCHH or a less + specific MMAAYY lookup result from the alternate host or next-hop lookup + key, and overrides the global smtp_use_tls, smtp_enforce_tls and + smtp_tls_enforce_peername settings. + +The precedences between global (main.cf) and per-site TLS policies can be +summarized as follows: + + * When neither the remote SMTP server hostname nor the next-hop destination + are found in the smtp_tls_per_site table, the policy is based on + smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername. Note: + "smtp_enforce_tls = yes" and "smtp_tls_enforce_peername = yes" imply + "smtp_use_tls = yes". + + * When both hostname and next-hop destination lookups produce a result, the + more specific per-site policy (NONE, MUST, etc) overrides the less specific + one (MAY), and the more secure per-site policy (MUST, etc) overrides the + less secure one (NONE). + + * After the per-site policy lookups are combined, the result generally + overrides the global policy. The exception is the less specific MMAAYY per- + site policy, which is overruled by the more specific global + "smtp_enforce_tls = yes" with server certificate verification as specified + with the smtp_tls_enforce_peername parameter. + +CClloossiinngg aa DDNNSS lloooopphhoollee wwiitthh ppeerr--ssiittee TTLLSS ppoolliicciieess + +As long as no secure DNS lookup mechanism is available, false hostnames in MX +or CNAME responses can change the server hostname that Postfix uses for TLS +policy lookup and server certificate verification. Even with a perfect match +between the server hostname and the server certificate, there is no guarantee +that Postfix is connected to the right server. To avoid this loophole take the +following steps: + + * Eliminate MX lookups. Specify local transport(5) table entries for + sensitive domains with explicit smtp:[mailhost] or smtp:[mailhost]:port + destinations (you can assure security of this table unlike DNS); in the + smtp_tls_per_site table specify the value MMUUSSTT for the key [mailhost] or + smtp:[mailhost]:port. This prevents false hostname information in DNS MX + records from changing the server hostname that Postfix uses for TLS policy + lookup and server certificate verification. + + * Disallow CNAME hostname overrides. In main.cf specify + "smtp_cname_overrides_servername = no". This prevents false hostname + information in DNS CNAME records from changing the server hostname that + Postfix uses for TLS policy lookup and server certificate verification. + This feature requires Postfix 2.2.9 or later. -The actual TLS usage policy depends not only on whether the next-hop -destination or remote SMTP server hostname are found in the smtp_tls_per_site -table, but also on the smtp_enforce_tls setting: +Example: - * If no match was found, the policy is applied as specified with - smtp_enforce_tls. + /etc/postfix/main.cf: + smtp_tls_per_site = hash:/etc/postfix/tls_per_site + relayhost = [msa.example.net]:587 - * If a match was found, and the smtp_enforce_tls policy is "enforce", NONE - explicitly switches it off; otherwise the "enforce" mode is used even for - entries that specify MAY. + /etc/postfix/tls_per_site: + # relayhost exact nexthop match + [msa.example.net]:587 MUST -Special hint for TLS enforcement mode: since no secure DNS lookup mechanism is -available, mail can be delivered to the wrong remote SMTP server. This is not -prevented by specifying MUST for the next-hop domain name. The recommended -setup is: specify local transport(5) table entries for sensitive domains with -explicit smtp:[mailhost] destinations (since you can assure security of this -table unlike DNS), then specify MUST for these mail hosts in the -smtp_tls_per_site table. + # example.org (as nexthop) has MX hosts with broken TLS. + example.org NONE -Example: + # Except for (as host) mx1.example.org which works. + mx1.example.org MAY - /etc/postfix/main.cf: - smtp_tls_per_site = hash:/etc/postfix/tls_per_site +DDiissccoovveerriinngg sseerrvveerrss tthhaatt ssuuppppoorrtt TTLLSS As we decide on a "per site" basis whether or not to use TLS, it would be good to have a list of sites that offered "STARTTLS". We can collect it ourselves @@ -763,7 +838,7 @@ Example: /etc/postfix/main.cf: smtp_tls_note_starttls_offer = yes -SSeerrvveerr cceerrttiiffiiccaattee vveerriiffiiccaattiioonn +SSeerrvveerr cceerrttiiffiiccaattee vveerriiffiiccaattiioonn ddeepptthh When verifying a remote SMTP server certificate, a verification depth of 1 is sufficient if the certificate is directly issued by a CA specified with @@ -1012,10 +1087,25 @@ J and in order to access the TLS session cache databases. Such a protocol cannot be run across fifos. + * smtp_tls_per_site: the MUST_NOPEERMATCH per-site policy cannot override the + global "smtp_tls_enforce_peername = yes" setting. + + * smtp_tls_per_site: a combined (NONE + MAY) lookup result for (hostname and + next-hop destination) produces counter-intuitive results for different + main.cf settings. TLS is enabled with "smtp_tls_enforce_peername = no", but + it is disabled when both "smtp_enforce_tls = yes" and + "smtp_tls_enforce_peername = yes". + +The smtp_tls_per_site limitations were removed by the end of the Postfix 2.2 +support cycle. + CCrreeddiittss * TLS support for Postfix was originally developed by Lutz Jänicke at Cottbus Technical University. * Wietse Venema adopted the code, did some restructuring, and compiled this part of the documentation from Lutz's documents. + * Victor Duchovni was instrumental with the re-implementation of the + smtp_tls_per_site code in terms of enforcement levels, which simplified the + implementation greatly. diff --git a/postfix/html/TLS_README.html b/postfix/html/TLS_README.html index cf4b4c6e2..b6fe6594d 100644 --- a/postfix/html/TLS_README.html +++ b/postfix/html/TLS_README.html @@ -129,6 +129,11 @@ the make(1) files with the necessary definitions. This is done by invoking the command "make makefiles" in the Postfix top-level directory and with arguments as shown next.

+

NOTE: Do not use Gnu TLS. It will spontaneously terminate +a process with exit status code 2, instead of properly reporting +problems to Postfix, so that it can log them to the maillog file. +

+ +

The smtp_tls_per_site limitations were removed by the end of +the Postfix 2.2 support cycle.

+

Credits

diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index c9d1260c1..208c1f710 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -3352,7 +3352,7 @@ is suitable for, e.g., pop-before-smtp lookup tables.

Examples:

-

The Postfix < 2.2 backwards compatible setting: always rewrite +

The Postfix < 2.2 backwards compatible setting: always rewrite message headers, and always append my own domain to incomplete header addresses.

@@ -5765,6 +5765,21 @@ IP hosting, but can be a problem on multi-homed firewalls. See the but this form is not recommended here.

+ + +
smtp_cname_overrides_servername +(default: yes)
+ +

Allow DNS CNAME records to override the servername that the +Postfix SMTP client uses for logging, SASL password lookup, TLS +policy decisions, or TLS certificate verification. The default value +(yes) is backwards compatible. Specify "no" to harden Postfix 2.2 +smtp_tls_per_site hostname-based policies against false hostname +information in DNS CNAME records.

+ +

This feature is available in Postfix 2.2.9 and later.

+ +
smtp_connect_timeout @@ -6736,38 +6751,79 @@ postfix/smtp[pid]: Host offered STARTTLS: [name.of.host] (default: empty)

Optional lookup tables with the Postfix SMTP client TLS usage -policy by next-hop domain name and by remote SMTP server hostname. -

- -

Table format: domain names or server hostnames are specified -on the left-hand side; no wildcards are allowed. On the right hand -side specify one of the following keywords:

+policy by next-hop destination and by remote SMTP server hostname. +When both lookups succeed, the more specific per-site policy (NONE, +MUST, etc) overrides the less specific one (MAY), and the more +secure per-site policy (MUST, etc) overrides the less secure one +(NONE).

+ +

Specify a next-hop destination or server hostname on the left-hand +side; no wildcards are allowed. The next-hop destination is either +the recipient domain, or the destination specified with a transport(5) +table, the relayhost parameter, or the relay_transport parameter. +On the right hand side specify one of the following keywords:

-
NONE
Don't use TLS at all.
+
NONE
Don't use TLS at all. This overrides a less +specific MAY lookup result from the alternate host or next-hop +lookup key, and overrides the global smtp_use_tls, smtp_enforce_tls, +and smtp_tls_enforce_peername settings.
+ +
MAY
Try to use TLS if the server announces support, +otherwise use the unencrypted connection. This has less precedence +than a more specific result (including NONE) from the alternate +host or next-hop lookup key, and has less precedence than the more +specific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peername += yes".
+ +
MUST_NOPEERMATCH
Require TLS encryption, but do not +require that the remote SMTP server hostname matches the information +in the remote SMTP server certificate, or that the server certificate +was issued by a trusted CA. This overrides a less secure NONE +or a less specific MAY lookup result from the alternate host +or next-hop lookup key, and overrides the global smtp_use_tls, +smtp_enforce_tls and smtp_tls_enforce_peername settings.
+ +
MUST
Require TLS encryption, require that the remote +SMTP server hostname matches the information in the remote SMTP +server certificate, and require that the remote SMTP server certificate +was issued by a trusted CA. This overrides a less secure NONE +and MUST_NOPEERMATCH or a less specific MAY lookup +result from the alternate host or next-hop lookup key, and overrides +the global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername +settings.
-
MAY
Try to use STARTTLS if offered, otherwise use -the unencrypted connection.
+
-
MUST
Require usage of STARTTLS, require that the -remote SMTP server hostname matches the information in the remote -SMTP server certificate, and require that the remote SMTP server -certificate was issued by a trusted CA.
+

As long as no secure DNS lookup mechanism is available, false +hostnames in MX or CNAME responses can change the server hostname +that Postfix uses for TLS policy lookup and server certificate +verification. Even with a perfect match between the server hostname +and the server certificate, there is no guarantee that Postfix is +connected to the right server. To avoid this loophole take the +following steps:

-
MUST_NOPEERMATCH
Require usage of STARTTLS, but do -not require that the remote SMTP server hostname matches the -information in the remote SMTP server certificate, or that the -server certificate was issued by a trusted CA.
+ -

Special hint for enforcement mode: since no secure DNS lookup -mechanism is available, the recommended setup is: specify local -transport(5) table entries for sensitive domains with explicit -smtp:[mailhost] destinations (since you can assure security of this -table unlike DNS), then specify MUST for these mail hosts in the -smtp_tls_per_site table.

+

diff --git a/postfix/html/smtp.8.html b/postfix/html/smtp.8.html index 95c51c2a9..14c20b2fd 100644 --- a/postfix/html/smtp.8.html +++ b/postfix/html/smtp.8.html @@ -99,8 +99,14 @@ SMTP(8) SMTP(8) smtp_never_send_ehlo (no) Never send EHLO at the start of an SMTP session. + smtp_cname_overrides_servername (yes) + Allow DNS CNAME records to override the servername + that the Postfix SMTP client uses for logging, SASL + password lookup, TLS policy decisions, or TLS cer- + tificate verification. + smtp_defer_if_no_mx_address_found (no) - Defer mail delivery when no MX record resolves to + Defer mail delivery when no MX record resolves to an IP address. smtp_line_length_limit (990) @@ -108,17 +114,17 @@ SMTP(8) SMTP(8) that Postfix will send via SMTP. smtp_pix_workaround_delay_time (10s) - How long the Postfix SMTP client pauses before + How long the Postfix SMTP client pauses before sending ".<CR><LF>" in order to work around the PIX firewall "<CR><LF>.<CR><LF>" bug. smtp_pix_workaround_threshold_time (500s) - How long a message must be queued before the PIX - firewall "<CR><LF>.<CR><LF>" bug workaround is + How long a message must be queued before the PIX + firewall "<CR><LF>.<CR><LF>" bug workaround is turned on. smtp_quote_rfc821_envelope (yes) - Quote addresses in SMTP MAIL FROM and RCPT TO com- + Quote addresses in SMTP MAIL FROM and RCPT TO com- mands as required by RFC 821. smtp_skip_5xx_greeting (yes) @@ -126,7 +132,7 @@ SMTP(8) SMTP(8) (go away, do not try again later). smtp_skip_quit_response (yes) - Do not wait for the response to the SMTP QUIT com- + Do not wait for the response to the SMTP QUIT com- mand. Available in Postfix version 2.0 and earlier: @@ -138,21 +144,21 @@ SMTP(8) SMTP(8) Available in Postfix version 2.2 and later: smtp_discard_ehlo_keyword_address_maps (empty) - Lookup tables, indexed by the remote SMTP server - address, with case insensitive lists of EHLO key- - words (pipelining, starttls, auth, etc.) that the + Lookup tables, indexed by the remote SMTP server + address, with case insensitive lists of EHLO key- + words (pipelining, starttls, auth, etc.) that the SMTP client will ignore in the EHLO response from a remote SMTP server. smtp_discard_ehlo_keywords (empty) - A case insensitive list of EHLO keywords (pipelin- - ing, starttls, auth, etc.) that the SMTP client + A case insensitive list of EHLO keywords (pipelin- + ing, starttls, auth, etc.) that the SMTP client will ignore in the EHLO response from a remote SMTP server. smtp_generic_maps (empty) Optional lookup tables that perform address rewrit- - ing in the SMTP client, typically to transform a + ing in the SMTP client, typically to transform a locally valid address into a globally valid address when sending mail across the Internet. @@ -160,7 +166,7 @@ SMTP(8) SMTP(8) Available in Postfix version 2.0 and later: disable_mime_output_conversion (no) - Disable the conversion of 8BITMIME format to 7BIT + Disable the conversion of 8BITMIME format to 7BIT format. mime_boundary_length_limit (2048) @@ -175,110 +181,110 @@ SMTP(8) SMTP(8) Available in Postfix version 2.1 and later: smtp_send_xforward_command (no) - Send the non-standard XFORWARD command when the - Postfix SMTP server EHLO response announces XFOR- + Send the non-standard XFORWARD command when the + Postfix SMTP server EHLO response announces XFOR- WARD support. SASL AUTHENTICATION CONTROLS smtp_sasl_auth_enable (no) - Enable SASL authentication in the Postfix SMTP + Enable SASL authentication in the Postfix SMTP client. smtp_sasl_password_maps (empty) - Optional SMTP client lookup tables with one user- - name:password entry per remote hostname or domain. + Optional SMTP client lookup tables with one user- + name:password entry per remote hostname or domain. smtp_sasl_security_options (noplaintext, noanonymous) - What authentication mechanisms the Postfix SMTP + What authentication mechanisms the Postfix SMTP client is allowed to use. Available in Postfix version 2.2 and later: smtp_sasl_mechanism_filter (empty) - If non-empty, a Postfix SMTP client filter for the - remote SMTP server's list of offered SASL mecha- + If non-empty, a Postfix SMTP client filter for the + remote SMTP server's list of offered SASL mecha- nisms. STARTTLS SUPPORT CONTROLS - Detailed information about STARTTLS configuration may be + Detailed information about STARTTLS configuration may be found in the TLS_README document. smtp_use_tls (no) - Opportunistic mode: use TLS when a remote SMTP - server announces STARTTLS support, otherwise send + Opportunistic mode: use TLS when a remote SMTP + server announces STARTTLS support, otherwise send the mail in the clear. smtp_enforce_tls (no) - Enforcement mode: require that remote SMTP servers - use TLS encryption, and never send mail in the + Enforcement mode: require that remote SMTP servers + use TLS encryption, and never send mail in the clear. smtp_sasl_tls_security_options ($smtp_sasl_secu- rity_options) - The SASL authentication security options that the - Postfix SMTP client uses for TLS encrypted SMTP + The SASL authentication security options that the + Postfix SMTP client uses for TLS encrypted SMTP sessions. smtp_starttls_timeout (300s) - Time limit for Postfix SMTP client write and read - operations during TLS startup and shutdown hand- + Time limit for Postfix SMTP client write and read + operations during TLS startup and shutdown hand- shake procedures. smtp_tls_CAfile (empty) - The file with the certificate of the certification - authority (CA) that issued the Postfix SMTP client + The file with the certificate of the certification + authority (CA) that issued the Postfix SMTP client certificate. smtp_tls_CApath (empty) - Directory with PEM format certificate authority - certificates that the Postfix SMTP client uses to + Directory with PEM format certificate authority + certificates that the Postfix SMTP client uses to verify a remote SMTP server certificate. smtp_tls_cert_file (empty) - File with the Postfix SMTP client RSA certificate + File with the Postfix SMTP client RSA certificate in PEM format. smtp_tls_cipherlist (empty) - Controls the Postfix SMTP client TLS cipher selec- + Controls the Postfix SMTP client TLS cipher selec- tion scheme. smtp_tls_dcert_file (empty) - File with the Postfix SMTP client DSA certificate + File with the Postfix SMTP client DSA certificate in PEM format. smtp_tls_dkey_file ($smtp_tls_dcert_file) - File with the Postfix SMTP client DSA private key + File with the Postfix SMTP client DSA private key in PEM format. smtp_tls_enforce_peername (yes) - When TLS encryption is enforced, require that the + When TLS encryption is enforced, require that the remote SMTP server hostname matches the information in the remote SMTP server certificate. smtp_tls_key_file ($smtp_tls_cert_file) - File with the Postfix SMTP client RSA private key + File with the Postfix SMTP client RSA private key in PEM format. smtp_tls_loglevel (0) - Enable additional Postfix SMTP client logging of + Enable additional Postfix SMTP client logging of TLS activity. smtp_tls_note_starttls_offer (no) - Log the hostname of a remote SMTP server that - offers STARTTLS, when TLS is not already enabled + Log the hostname of a remote SMTP server that + offers STARTTLS, when TLS is not already enabled for that server. smtp_tls_per_site (empty) Optional lookup tables with the Postfix SMTP client - TLS usage policy by next-hop domain name and by + TLS usage policy by next-hop domain name and by remote SMTP server hostname. smtp_tls_scert_verifydepth (5) - The verification depth for remote SMTP server cer- + The verification depth for remote SMTP server cer- tificates. smtp_tls_session_cache_database (empty) - Name of the file containing the optional Postfix + Name of the file containing the optional Postfix SMTP client TLS session cache. smtp_tls_session_cache_timeout (3600s) @@ -286,31 +292,31 @@ SMTP(8) SMTP(8) sion cache information. tls_daemon_random_bytes (32) - The number of pseudo-random bytes that an smtp(8) - or smtpd(8) process requests from the tlsmgr(8) - server in order to seed its internal pseudo random + The number of pseudo-random bytes that an smtp(8) + or smtpd(8) process requests from the tlsmgr(8) + server in order to seed its internal pseudo random number generator (PRNG). RESOURCE AND RATE CONTROLS smtp_destination_concurrency_limit ($default_destina- tion_concurrency_limit) - The maximal number of parallel deliveries to the - same destination via the smtp message delivery + The maximal number of parallel deliveries to the + same destination via the smtp message delivery transport. smtp_destination_recipient_limit ($default_destina- tion_recipient_limit) - The maximal number of recipients per delivery via + The maximal number of recipients per delivery via the smtp message delivery transport. smtp_connect_timeout (30s) - The SMTP client time limit for completing a TCP + The SMTP client time limit for completing a TCP connection, or zero (use the operating system built-in time limit). smtp_helo_timeout (300s) - The SMTP client time limit for sending the HELO or - EHLO command, and for receiving the initial server + The SMTP client time limit for sending the HELO or + EHLO command, and for receiving the initial server response. smtp_xforward_timeout (300s) @@ -318,30 +324,30 @@ SMTP(8) SMTP(8) command, and for receiving the server response. smtp_mail_timeout (300s) - The SMTP client time limit for sending the MAIL - FROM command, and for receiving the server + The SMTP client time limit for sending the MAIL + FROM command, and for receiving the server response. smtp_rcpt_timeout (300s) - The SMTP client time limit for sending the SMTP - RCPT TO command, and for receiving the server + The SMTP client time limit for sending the SMTP + RCPT TO command, and for receiving the server response. smtp_data_init_timeout (120s) - The SMTP client time limit for sending the SMTP - DATA command, and for receiving the server + The SMTP client time limit for sending the SMTP + DATA command, and for receiving the server response. smtp_data_xfer_timeout (180s) - The SMTP client time limit for sending the SMTP + The SMTP client time limit for sending the SMTP message content. smtp_data_done_timeout (600s) - The SMTP client time limit for sending the SMTP + The SMTP client time limit for sending the SMTP ".", and for receiving the server response. smtp_quit_timeout (300s) - The SMTP client time limit for sending the QUIT + The SMTP client time limit for sending the QUIT command, and for receiving the server response. Available in Postfix version 2.1 and later: @@ -352,77 +358,77 @@ SMTP(8) SMTP(8) lookups, or zero (no limit). smtp_mx_session_limit (2) - The maximal number of SMTP sessions per delivery - request before giving up or delivering to a fall- + The maximal number of SMTP sessions per delivery + request before giving up or delivering to a fall- back relay host, or zero (no limit). smtp_rset_timeout (20s) - The SMTP client time limit for sending the RSET + The SMTP client time limit for sending the RSET command, and for receiving the server response. Available in Postfix version 2.2 and later: smtp_connection_cache_destinations (empty) - Permanently enable SMTP connection caching for the + Permanently enable SMTP connection caching for the specified destinations. smtp_connection_cache_on_demand (yes) - Temporarily enable SMTP connection caching while a + Temporarily enable SMTP connection caching while a destination has a high volume of mail in the active queue. smtp_connection_cache_reuse_limit (10) When SMTP connection caching is enabled, the number - of times that an SMTP session is reused before it + of times that an SMTP session is reused before it is closed. smtp_connection_cache_time_limit (2s) When SMTP connection caching is enabled, the amount - of time that an unused SMTP client socket is kept + of time that an unused SMTP client socket is kept open before it is closed. TROUBLE SHOOTING CONTROLS debug_peer_level (2) - The increment in verbose logging level when a - remote client or server matches a pattern in the + The increment in verbose logging level when a + remote client or server matches a pattern in the debug_peer_list parameter. debug_peer_list (empty) - Optional list of remote client or server hostname - or network address patterns that cause the verbose - logging level to increase by the amount specified + Optional list of remote client or server hostname + or network address patterns that cause the verbose + logging level to increase by the amount specified in $debug_peer_level. error_notice_recipient (postmaster) - The recipient of postmaster notifications about - mail delivery problems that are caused by policy, + The recipient of postmaster notifications about + mail delivery problems that are caused by policy, resource, software or protocol errors. notify_classes (resource, software) - The list of error classes that are reported to the + The list of error classes that are reported to the postmaster. MISCELLANEOUS CONTROLS best_mx_transport (empty) - Where the Postfix SMTP client should deliver mail + Where the Postfix SMTP client should deliver mail when it detects a "mail loops back to myself" error condition. config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and + The default location of the Postfix main.cf and master.cf configuration files. daemon_timeout (18000s) - How much time a Postfix daemon process may take to - handle a request before it is terminated by a + How much time a Postfix daemon process may take to + handle a request before it is terminated by a built-in watchdog timer. disable_dns_lookups (no) - Disable DNS lookups in the Postfix SMTP and LMTP + Disable DNS lookups in the Postfix SMTP and LMTP clients. fallback_relay (empty) - Optional list of relay hosts for SMTP destinations + Optional list of relay hosts for SMTP destinations that can't be found or that are unreachable. inet_interfaces (all) @@ -430,7 +436,7 @@ SMTP(8) SMTP(8) tem receives mail on. inet_protocols (ipv4) - The Internet protocols Postfix will attempt to use + The Internet protocols Postfix will attempt to use when making or accepting connections. ipc_timeout (3600s) @@ -438,55 +444,55 @@ SMTP(8) SMTP(8) over an internal communication channel. max_idle (100s) - The maximum amount of time that an idle Postfix - daemon process waits for the next service request + The maximum amount of time that an idle Postfix + daemon process waits for the next service request before exiting. max_use (100) - The maximal number of connection requests before a + The maximal number of connection requests before a Postfix daemon process terminates. process_id (read-only) - The process ID of a Postfix command or daemon + The process ID of a Postfix command or daemon process. process_name (read-only) - The process name of a Postfix command or daemon + The process name of a Postfix command or daemon process. proxy_interfaces (empty) The network interface addresses that this mail sys- - tem receives mail on by way of a proxy or network + tem receives mail on by way of a proxy or network address translation unit. smtp_bind_address (empty) An optional numerical network address that the SMTP - client should bind to when making an IPv4 connec- + client should bind to when making an IPv4 connec- tion. smtp_bind_address6 (empty) An optional numerical network address that the SMTP - client should bind to when making an IPv6 connec- + client should bind to when making an IPv6 connec- tion. smtp_helo_name ($myhostname) - The hostname to send in the SMTP EHLO or HELO com- + The hostname to send in the SMTP EHLO or HELO com- mand. smtp_host_lookup (dns) - What mechanisms when the SMTP client uses to look + What mechanisms when the SMTP client uses to look up a host's IP address. smtp_randomize_addresses (yes) - Randomize the order of equal-preference MX host + Randomize the order of equal-preference MX host addresses. syslog_facility (mail) The syslog facility of Postfix logging. syslog_name (postfix) - The mail system name that is prepended to the - process name in syslog records, so that "smtpd" + The mail system name that is prepended to the + process name in syslog records, so that "smtpd" becomes, for example, "postfix/smtpd". SEE ALSO @@ -504,7 +510,7 @@ SMTP(8) SMTP(8) TLS_README, Postfix STARTTLS howto LICENSE - The Secure Mailer license must be distributed with this + The Secure Mailer license must be distributed with this software. AUTHOR(S) diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 3447ab77f..bd2f315f0 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -3195,6 +3195,15 @@ inet_interfaces documentation for more detail. .PP Note 2: address information may be enclosed inside [], but this form is not recommended here. +.SH smtp_cname_overrides_servername (default: yes) +Allow DNS CNAME records to override the servername that the +Postfix SMTP client uses for logging, SASL password lookup, TLS +policy decisions, or TLS certificate verification. The default value +(yes) is backwards compatible. Specify "no" to harden Postfix 2.2 +smtp_tls_per_site hostname-based policies against false hostname +information in DNS CNAME records. +.PP +This feature is available in Postfix 2.2.9 and later. .SH smtp_connect_timeout (default: 30s) The SMTP client time limit for completing a TCP connection, or zero (use the operating system built-in time limit). @@ -3748,33 +3757,70 @@ postfix/smtp[pid]: Host offered STARTTLS: [name.of.host] .ft R .SH smtp_tls_per_site (default: empty) Optional lookup tables with the Postfix SMTP client TLS usage -policy by next-hop domain name and by remote SMTP server hostname. -.PP -Table format: domain names or server hostnames are specified -on the left-hand side; no wildcards are allowed. On the right hand -side specify one of the following keywords: +policy by next-hop destination and by remote SMTP server hostname. +When both lookups succeed, the more specific per-site policy (NONE, +MUST, etc) overrides the less specific one (MAY), and the more +secure per-site policy (MUST, etc) overrides the less secure one +(NONE). +.PP +Specify a next-hop destination or server hostname on the left-hand +side; no wildcards are allowed. The next-hop destination is either +the recipient domain, or the destination specified with a \fBtransport\fR(5) +table, the relayhost parameter, or the relay_transport parameter. +On the right hand side specify one of the following keywords: .IP "NONE" -Don't use TLS at all. +Don't use TLS at all. This overrides a less +specific \fBMAY\fR lookup result from the alternate host or next-hop +lookup key, and overrides the global smtp_use_tls, smtp_enforce_tls, +and smtp_tls_enforce_peername settings. .IP "MAY" -Try to use STARTTLS if offered, otherwise use -the unencrypted connection. -.IP "MUST" -Require usage of STARTTLS, require that the -remote SMTP server hostname matches the information in the remote -SMTP server certificate, and require that the remote SMTP server -certificate was issued by a trusted CA. +Try to use TLS if the server announces support, +otherwise use the unencrypted connection. This has less precedence +than a more specific result (including \fBNONE\fR) from the alternate +host or next-hop lookup key, and has less precedence than the more +specific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peername += yes". .IP "MUST_NOPEERMATCH" -Require usage of STARTTLS, but do -not require that the remote SMTP server hostname matches the -information in the remote SMTP server certificate, or that the -server certificate was issued by a trusted CA. -.PP -Special hint for enforcement mode: since no secure DNS lookup -mechanism is available, the recommended setup is: specify local -\fBtransport\fR(5) table entries for sensitive domains with explicit -smtp:[mailhost] destinations (since you can assure security of this -table unlike DNS), then specify MUST for these mail hosts in the -smtp_tls_per_site table. +Require TLS encryption, but do not +require that the remote SMTP server hostname matches the information +in the remote SMTP server certificate, or that the server certificate +was issued by a trusted CA. This overrides a less secure \fBNONE\fR +or a less specific \fBMAY\fR lookup result from the alternate host +or next-hop lookup key, and overrides the global smtp_use_tls, +smtp_enforce_tls and smtp_tls_enforce_peername settings. +.IP "MUST" +Require TLS encryption, require that the remote +SMTP server hostname matches the information in the remote SMTP +server certificate, and require that the remote SMTP server certificate +was issued by a trusted CA. This overrides a less secure \fBNONE\fR +and \fBMUST_NOPEERMATCH\fR or a less specific \fBMAY\fR lookup +result from the alternate host or next-hop lookup key, and overrides +the global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername +settings. +.PP +As long as no secure DNS lookup mechanism is available, false +hostnames in MX or CNAME responses can change the server hostname +that Postfix uses for TLS policy lookup and server certificate +verification. Even with a perfect match between the server hostname +and the server certificate, there is no guarantee that Postfix is +connected to the right server. To avoid this loophole take the +following steps: +.IP \(bu +Disallow CNAME hostname overrides. In main.cf specify +"smtp_cname_overrides_servername = no". This prevents false hostname +information in DNS CNAME records from changing the server hostname +that Postfix uses for TLS policy lookup and server certificate +verification. This feature requires Postfix 2.2.9 or later. +.IP \(bu +Eliminate MX lookups. Specify local \fBtransport\fR(5) table entries +for sensitive domains with explicit smtp:[mailhost] or smtp:[mailhost]:port +destinations. This prevents false hostname information in DNS MX +records from changing the server hostname that Postfix uses for TLS +policy lookup and server certificate verification. +.IP \(bu +Specify MUST for these mail hosts (including [ ] and port) in +the smtp_tls_per_site table. +.PP .SH smtp_tls_scert_verifydepth (default: 5) The verification depth for remote SMTP server certificates. A depth of 1 is sufficient, if the certificate is directly issued by diff --git a/postfix/man/man8/smtp.8 b/postfix/man/man8/smtp.8 index 136b509a8..ee21119cc 100644 --- a/postfix/man/man8/smtp.8 +++ b/postfix/man/man8/smtp.8 @@ -103,6 +103,10 @@ Ignore DNS MX lookups that produce no response. Always send EHLO at the start of an SMTP session. .IP "\fBsmtp_never_send_ehlo (no)\fR" Never send EHLO at the start of an SMTP session. +.IP "\fBsmtp_cname_overrides_servername (yes)\fR" +Allow DNS CNAME records to override the servername that the +Postfix SMTP client uses for logging, SASL password lookup, TLS +policy decisions, or TLS certificate verification. .IP "\fBsmtp_defer_if_no_mx_address_found (no)\fR" Defer mail delivery when no MX record resolves to an IP address. .IP "\fBsmtp_line_length_limit (990)\fR" diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink index 7f2db8e60..6f90f1be9 100755 --- a/postfix/mantools/postlink +++ b/postfix/mantools/postlink @@ -313,6 +313,7 @@ while (<>) { s;\bsmtp_always_send_ehlo\b;$&;g; s;\bsmtp_bind_address\b;$&;g; s;\bsmtp_bind_address6\b;$&;g; + s;\bsmtp_cname_overrides_servername\b;$&;g; s;\bsmtp_connect_timeout\b;$&;g; s;\bsmtp_connection_cache_on_demand\b;$&;g; diff --git a/postfix/proto/TLS_README.html b/postfix/proto/TLS_README.html index 04711f7cc..b16479898 100644 --- a/postfix/proto/TLS_README.html +++ b/postfix/proto/TLS_README.html @@ -129,6 +129,11 @@ the make(1) files with the necessary definitions. This is done by invoking the command "make makefiles" in the Postfix top-level directory and with arguments as shown next.

+

NOTE: Do not use Gnu TLS. It will spontaneously terminate +a process with exit status code 2, instead of properly reporting +problems to Postfix, so that it can log them to the maillog file. +

+ +

The smtp_tls_per_site limitations were removed by the end of +the Postfix 2.2 support cycle.

+

Credits

diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 3ab5bd2c3..11b1fc17d 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -7750,7 +7750,7 @@ is suitable for, e.g., pop-before-smtp lookup tables.

Examples:

-

The Postfix < 2.2 backwards compatible setting: always rewrite +

The Postfix < 2.2 backwards compatible setting: always rewrite message headers, and always append my own domain to incomplete header addresses.

@@ -8251,38 +8251,79 @@ CommonName of this attacker will be logged).

%PARAM smtp_tls_per_site

Optional lookup tables with the Postfix SMTP client TLS usage -policy by next-hop domain name and by remote SMTP server hostname. -

- -

Table format: domain names or server hostnames are specified -on the left-hand side; no wildcards are allowed. On the right hand -side specify one of the following keywords:

+policy by next-hop destination and by remote SMTP server hostname. +When both lookups succeed, the more specific per-site policy (NONE, +MUST, etc) overrides the less specific one (MAY), and the more +secure per-site policy (MUST, etc) overrides the less secure one +(NONE).

+ +

Specify a next-hop destination or server hostname on the left-hand +side; no wildcards are allowed. The next-hop destination is either +the recipient domain, or the destination specified with a transport(5) +table, the relayhost parameter, or the relay_transport parameter. +On the right hand side specify one of the following keywords:

-
NONE
Don't use TLS at all.
+
NONE
Don't use TLS at all. This overrides a less +specific MAY lookup result from the alternate host or next-hop +lookup key, and overrides the global smtp_use_tls, smtp_enforce_tls, +and smtp_tls_enforce_peername settings.
+ +
MAY
Try to use TLS if the server announces support, +otherwise use the unencrypted connection. This has less precedence +than a more specific result (including NONE) from the alternate +host or next-hop lookup key, and has less precedence than the more +specific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peername += yes".
+ +
MUST_NOPEERMATCH
Require TLS encryption, but do not +require that the remote SMTP server hostname matches the information +in the remote SMTP server certificate, or that the server certificate +was issued by a trusted CA. This overrides a less secure NONE +or a less specific MAY lookup result from the alternate host +or next-hop lookup key, and overrides the global smtp_use_tls, +smtp_enforce_tls and smtp_tls_enforce_peername settings.
+ +
MUST
Require TLS encryption, require that the remote +SMTP server hostname matches the information in the remote SMTP +server certificate, and require that the remote SMTP server certificate +was issued by a trusted CA. This overrides a less secure NONE +and MUST_NOPEERMATCH or a less specific MAY lookup +result from the alternate host or next-hop lookup key, and overrides +the global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername +settings.
+ +
-
MAY
Try to use STARTTLS if offered, otherwise use -the unencrypted connection.
+

As long as no secure DNS lookup mechanism is available, false +hostnames in MX or CNAME responses can change the server hostname +that Postfix uses for TLS policy lookup and server certificate +verification. Even with a perfect match between the server hostname +and the server certificate, there is no guarantee that Postfix is +connected to the right server. To avoid this loophole take the +following steps:

-
MUST
Require usage of STARTTLS, require that the -remote SMTP server hostname matches the information in the remote -SMTP server certificate, and require that the remote SMTP server -certificate was issued by a trusted CA.
+ + +

%PARAM smtp_tls_scert_verifydepth 5 @@ -8412,3 +8453,14 @@ examples are shown in the ADDRESS_REWRITING_README and STANDARD_CONFIGURATION_README documents.

This feature is available in Postfix 2.2 and later.

+ +%PARAM smtp_cname_overrides_servername yes + +

Allow DNS CNAME records to override the servername that the +Postfix SMTP client uses for logging, SASL password lookup, TLS +policy decisions, or TLS certificate verification. The default value +(yes) is backwards compatible. Specify "no" to harden Postfix 2.2 +smtp_tls_per_site hostname-based policies against false hostname +information in DNS CNAME records.

+ +

This feature is available in Postfix 2.2.9 and later.

diff --git a/postfix/src/dns/dns.h b/postfix/src/dns/dns.h index c57114c6f..beeaa5ea1 100644 --- a/postfix/src/dns/dns.h +++ b/postfix/src/dns/dns.h @@ -80,7 +80,8 @@ typedef struct DNS_FIXED { * named after the things one can expect to find in a DNS resource record. */ typedef struct DNS_RR { - char *name; /* name, mystrdup()ed */ + char *qname; /* query name, mystrdup()ed */ + char *rname; /* reply name, mystrdup()ed */ unsigned short type; /* T_A, T_CNAME, etc. */ unsigned short class; /* C_IN, etc. */ unsigned int ttl; /* always */ @@ -104,7 +105,8 @@ extern unsigned dns_type(const char *); /* * dns_rr.c */ -extern DNS_RR *dns_rr_create(const char *, ushort, ushort, +extern DNS_RR *dns_rr_create(const char *, const char *, + ushort, ushort, unsigned, unsigned, const char *, unsigned); extern void dns_rr_free(DNS_RR *); diff --git a/postfix/src/dns/dns_lookup.c b/postfix/src/dns/dns_lookup.c index da1a14a50..deb133503 100644 --- a/postfix/src/dns/dns_lookup.c +++ b/postfix/src/dns/dns_lookup.c @@ -97,6 +97,11 @@ /* The query failed; the problem is transient. /* .IP DNS_FAIL /* The query failed. +/* +/* As a workaround, this result value is also returned when +/* the DNS query succeeded, but the result could not be parsed, +/* or the result domain name did not pass the valid_hostname() +/* syntax test (e.g., a null MX hostname). /* BUGS /* dns_lookup() implements a subset of all possible resource types: /* CNAME, MX, A, and some records with similar formatting requirements. @@ -324,7 +329,7 @@ static int valid_rr_name(const char *name, const char *location, /* dns_get_rr - extract resource record from name server reply */ -static DNS_RR *dns_get_rr(DNS_REPLY *reply, unsigned char *pos, +static DNS_RR *dns_get_rr(const char *name, DNS_REPLY *reply, unsigned char *pos, char *rr_name, DNS_FIXED *fixed) { char temp[DNS_NAME_LEN]; @@ -397,7 +402,7 @@ static DNS_RR *dns_get_rr(DNS_REPLY *reply, unsigned char *pos, *dst = 0; break; } - return (dns_rr_create(rr_name, fixed->type, fixed->class, fixed->ttl, + return (dns_rr_create(name, rr_name, fixed->type, fixed->class, fixed->ttl, pref, temp, data_len)); } @@ -417,7 +422,7 @@ static int dns_get_alias(DNS_REPLY *reply, unsigned char *pos, /* dns_get_answer - extract answers from name server reply */ -static int dns_get_answer(DNS_REPLY *reply, int type, +static int dns_get_answer(const char *name, DNS_REPLY *reply, int type, DNS_RR **rrlist, VSTRING *fqdn, char *cname, int c_len) { char rr_name[DNS_NAME_LEN]; @@ -490,11 +495,11 @@ static int dns_get_answer(DNS_REPLY *reply, int type, CORRUPT; if (type == fixed.type || type == T_ANY) { /* requested type */ if (rrlist) { - if ((rr = dns_get_rr(reply, pos, rr_name, &fixed)) != 0) { + if ((rr = dns_get_rr(name, reply, pos, rr_name, &fixed)) != 0) { resource_found++; *rrlist = dns_rr_append(*rrlist, rr); - } else - not_found_status = DNS_RETRY; + } else if (not_found_status != DNS_RETRY) + not_found_status = DNS_FAIL; /* XXX */ } else resource_found++; } else if (fixed.type == T_CNAME) { /* cname resource */ @@ -528,6 +533,7 @@ int dns_lookup(const char *name, unsigned type, unsigned flags, DNS_REPLY reply; int count; int status; + const char *saved_name = name; /* * DJBDNS produces a bogus A record when given a numerical hostname. @@ -569,7 +575,8 @@ int dns_lookup(const char *name, unsigned type, unsigned flags, * Extract resource records of the requested type. Pick up CNAME * information just in case the requested data is not found. */ - status = dns_get_answer(&reply, type, rrlist, fqdn, cname, c_len); + status = dns_get_answer(saved_name, &reply, type, rrlist, fqdn, + cname, c_len); switch (status) { default: if (why) diff --git a/postfix/src/dns/dns_rr.c b/postfix/src/dns/dns_rr.c index a52d2813d..874e1dda0 100644 --- a/postfix/src/dns/dns_rr.c +++ b/postfix/src/dns/dns_rr.c @@ -6,9 +6,10 @@ /* SYNOPSIS /* #include /* -/* DNS_RR *dns_rr_create(name, type, class, ttl, preference, +/* DNS_RR *dns_rr_create(qname, rname, type, class, ttl, preference, /* data, data_len) -/* const char *name; +/* const char *qname; +/* const char *rname; /* unsigned short type; /* unsigned short class; /* unsigned int ttl; @@ -41,7 +42,8 @@ /* information, and maintain lists of DNS resource records. /* /* dns_rr_create() creates and initializes one resource record. -/* The \fIname\fR record specifies the record name. +/* The \fIqname\fR field specifies the query name. +/* The \fIrname\fR field specifies the reply name. /* \fIpreference\fR is used for MX records; \fIdata\fR is a null /* pointer or specifies optional resource-specific data; /* \fIdata_len\fR is the amount of resource-specific data. @@ -91,14 +93,16 @@ /* dns_rr_create - fill in resource record structure */ -DNS_RR *dns_rr_create(const char *name, ushort type, ushort class, +DNS_RR *dns_rr_create(const char *qname, const char *rname, + ushort type, ushort class, unsigned int ttl, unsigned pref, const char *data, unsigned data_len) { DNS_RR *rr; rr = (DNS_RR *) mymalloc(sizeof(*rr) + data_len - 1); - rr->name = mystrdup(name); + rr->qname = mystrdup(qname); + rr->rname = mystrdup(rname); rr->type = type; rr->class = class; rr->ttl = ttl; @@ -117,7 +121,8 @@ void dns_rr_free(DNS_RR *rr) if (rr) { if (rr->next) dns_rr_free(rr->next); - myfree(rr->name); + myfree(rr->qname); + myfree(rr->rname); myfree((char *) rr); } } @@ -134,7 +139,8 @@ DNS_RR *dns_rr_copy(DNS_RR *src) */ dst = (DNS_RR *) mymalloc(len); memcpy((char *) dst, (char *) src, len); - dst->name = mystrdup(src->name); + dst->qname = mystrdup(src->qname); + dst->rname = mystrdup(src->rname); dst->next = 0; return (dst); } diff --git a/postfix/src/dns/dns_sa_to_rr.c b/postfix/src/dns/dns_sa_to_rr.c index da8aa9e1d..d8a8dc94c 100644 --- a/postfix/src/dns/dns_sa_to_rr.c +++ b/postfix/src/dns/dns_sa_to_rr.c @@ -54,12 +54,12 @@ DNS_RR *dns_sa_to_rr(const char *hostname, unsigned pref, struct sockaddr * sa) #define DUMMY_TTL 0 if (sa->sa_family == AF_INET) { - return (dns_rr_create(hostname, T_A, C_IN, DUMMY_TTL, pref, + return (dns_rr_create(hostname, hostname, T_A, C_IN, DUMMY_TTL, pref, (char *) &SOCK_ADDR_IN_ADDR(sa), sizeof(SOCK_ADDR_IN_ADDR(sa)))); #ifdef HAS_IPV6 } else if (sa->sa_family == AF_INET6) { - return (dns_rr_create(hostname, T_AAAA, C_IN, DUMMY_TTL, pref, + return (dns_rr_create(hostname, hostname, T_AAAA, C_IN, DUMMY_TTL, pref, (char *) &SOCK_ADDR_IN6_ADDR(sa), sizeof(SOCK_ADDR_IN6_ADDR(sa)))); #endif diff --git a/postfix/src/dns/test_dns_lookup.c b/postfix/src/dns/test_dns_lookup.c index a5388f009..765567e49 100644 --- a/postfix/src/dns/test_dns_lookup.c +++ b/postfix/src/dns/test_dns_lookup.c @@ -45,7 +45,7 @@ static void print_rr(DNS_RR *rr) MAI_HOSTADDR_STR host; while (rr) { - printf("%s: ttl: %9d ", rr->name, rr->ttl); + printf("%s: ttl: %9d ", rr->rname, rr->ttl); switch (rr->type) { case T_A: #ifdef T_AAAA diff --git a/postfix/src/global/ehlo_mask.ref b/postfix/src/global/ehlo_mask.ref index 4c6dab355..f0b34967e 100644 --- a/postfix/src/global/ehlo_mask.ref +++ b/postfix/src/global/ehlo_mask.ref @@ -1,3 +1,3 @@ -starttls, 8bitmime, verp, etrn, etrn -> 0x51 -> 8BITMIME ETRN VERP +starttls, 8bitmime, verp, etrn, etrn -> 0xd1 -> 8BITMIME ETRN VERP STARTTLS foobar, auth, pipelining, size, vrfy -> 0x2e -> AUTH PIPELINING SIZE VRFY -xclient, xforward -> 0x180 -> XCLIENT XFORWARD +xclient, xforward -> 0x300 -> XCLIENT XFORWARD diff --git a/postfix/src/global/input_transp.c b/postfix/src/global/input_transp.c index a9b1bede9..bc0374d1a 100644 --- a/postfix/src/global/input_transp.c +++ b/postfix/src/global/input_transp.c @@ -26,7 +26,7 @@ /* given in parentheses: /* .IP "no_unknown_recipient_checks (INPUT_TRANSP_UNKNOWN_RCPT)" /* Do not try to reject unknown recipients. -/* .IP "no_address_mapping (INPUT_TRANSP_ADDRESS_MAPPING) +/* .IP "no_address_mappings (INPUT_TRANSP_ADDRESS_MAPPING) /* Disable canonical address mapping, virtual alias map expansion, /* address masquerading, and automatic BCC recipients. /* .IP "no_header_body_checkss (INPUT_TRANSP_HEADER_BODY) diff --git a/postfix/src/global/mail_addr_find.c b/postfix/src/global/mail_addr_find.c index c08f9dbcf..38421c67b 100644 --- a/postfix/src/global/mail_addr_find.c +++ b/postfix/src/global/mail_addr_find.c @@ -107,7 +107,10 @@ const char *mail_addr_find(MAPS *path, const char *address, char **extp) if (*var_rcpt_delim == 0) { bare_key = saved_ext = 0; } else { - bare_key = strip_addr(full_key, &saved_ext, *var_rcpt_delim); + /* Preserve case of extension. */ + bare_key = strip_addr(address, &saved_ext, *var_rcpt_delim); + if (bare_key != 0) + lowercase(bare_key); } /* diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index ebce57eaa..2ff6f3a34 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -12,51 +12,51 @@ /* .nf /* - * This is to make it easier to auto-generate tables. - */ + * This is to make it easier to auto-generate tables. + */ typedef int bool; /* - * Name used when this mail system announces itself. - */ + * Name used when this mail system announces itself. + */ #define VAR_MAIL_NAME "mail_name" #define DEF_MAIL_NAME "Postfix" extern char *var_mail_name; /* - * You want to be helped or not. - */ + * You want to be helped or not. + */ #define VAR_HELPFUL_WARNINGS "helpful_warnings" #define DEF_HELPFUL_WARNINGS 1 extern bool var_helpful_warnings; /* - * You want to be helped or not. - */ + * You want to be helped or not. + */ #define VAR_SHOW_UNK_RCPT_TABLE "show_user_unknown_table_name" #define DEF_SHOW_UNK_RCPT_TABLE 1 extern bool var_show_unk_rcpt_table; /* - * What problem classes should be reported to the postmaster via email. - * Default is bad problems only. See mail_error(3). Even when mail notices - * are disabled, problems are still logged to the syslog daemon. - */ + * What problem classes should be reported to the postmaster via email. + * Default is bad problems only. See mail_error(3). Even when mail notices + * are disabled, problems are still logged to the syslog daemon. + */ #define VAR_NOTIFY_CLASSES "notify_classes" #define DEF_NOTIFY_CLASSES "resource, software" extern char *var_notify_classes; /* - * What do I turn <> into? Sendmail defaults to mailer-daemon. - */ -#define VAR_EMPTY_ADDR "empty_address_recipient" -#define DEF_EMPTY_ADDR MAIL_ADDR_MAIL_DAEMON + * What do I turn <> into? Sendmail defaults to mailer-daemon. + */ +#define VAR_EMPTY_ADDR "empty_address_recipient" +#define DEF_EMPTY_ADDR MAIL_ADDR_MAIL_DAEMON extern char *var_empty_addr; /* - * Privileges used by the mail system: the owner of files and commands, and - * the rights to be used when running external commands. - */ + * Privileges used by the mail system: the owner of files and commands, and + * the rights to be used when running external commands. + */ #define VAR_MAIL_OWNER "mail_owner" #define DEF_MAIL_OWNER "postfix" extern char *var_mail_owner; @@ -75,8 +75,8 @@ extern uid_t var_default_uid; extern gid_t var_default_gid; /* - * Access control for local privileged operations: - */ + * Access control for local privileged operations: + */ #define STATIC_ANYONE_ACL "static:anyone" #define VAR_FLUSH_ACL "authorized_flush_users" @@ -92,24 +92,24 @@ extern char *var_showq_acl; extern char *var_submit_acl; /* - * What goes on the right-hand side of addresses of mail sent from this - * machine. - */ + * What goes on the right-hand side of addresses of mail sent from this + * machine. + */ #define VAR_MYORIGIN "myorigin" #define DEF_MYORIGIN "$myhostname" extern char *var_myorigin; /* - * What domains I will receive mail for. Not to be confused with transit - * mail to other destinations. - */ + * What domains I will receive mail for. Not to be confused with transit + * mail to other destinations. + */ #define VAR_MYDEST "mydestination" #define DEF_MYDEST "$myhostname, localhost.$mydomain, localhost" extern char *var_mydest; /* - * These are by default taken from the name service. - */ + * These are by default taken from the name service. + */ #define VAR_MYHOSTNAME "myhostname" /* my hostname (fqdn) */ extern char *var_myhostname; @@ -117,15 +117,15 @@ extern char *var_myhostname; extern char *var_mydomain; /* - * The default local delivery transport. - */ + * The default local delivery transport. + */ #define VAR_LOCAL_TRANSPORT "local_transport" #define DEF_LOCAL_TRANSPORT MAIL_SERVICE_LOCAL ":$myhostname" extern char *var_local_transport; /* - * Where to send postmaster copies of bounced mail, and other notices. - */ + * Where to send postmaster copies of bounced mail, and other notices. + */ #define VAR_BOUNCE_RCPT "bounce_notice_recipient" #define DEF_BOUNCE_RCPT "postmaster" extern char *var_bounce_rcpt; @@ -143,8 +143,8 @@ extern char *var_delay_rcpt; extern char *var_error_rcpt; /* - * Virtual host support. Default is to listen on all machine interfaces. - */ + * Virtual host support. Default is to listen on all machine interfaces. + */ #define VAR_INET_INTERFACES "inet_interfaces" /* listen addresses */ #define INET_INTERFACES_ALL "all" #define INET_INTERFACES_LOCAL "loopback-only" @@ -156,8 +156,8 @@ extern char *var_inet_interfaces; extern char *var_proxy_interfaces; /* - * Masquerading (i.e. subdomain stripping). - */ + * Masquerading (i.e. subdomain stripping). + */ #define VAR_MASQ_DOMAINS "masquerade_domains" #define DEF_MASQ_DOMAINS "" extern char *var_masq_domains; @@ -178,8 +178,8 @@ extern char *var_masq_exceptions; extern char *var_masq_classes; /* - * Intranet versus internet. - */ + * Intranet versus internet. + */ #define VAR_RELAYHOST "relayhost" #define DEF_RELAYHOST "" extern char *var_relayhost; @@ -208,8 +208,8 @@ extern int var_smtp_mxaddr_limit; extern int var_smtp_mxsess_limit; /* - * Location of the mail queue directory tree. - */ + * Location of the mail queue directory tree. + */ #define VAR_QUEUE_DIR "queue_directory" #ifndef DEF_QUEUE_DIR #define DEF_QUEUE_DIR "/var/spool/postfix" @@ -217,8 +217,8 @@ extern int var_smtp_mxsess_limit; extern char *var_queue_dir; /* - * Location of command and daemon programs. - */ + * Location of command and daemon programs. + */ #define VAR_DAEMON_DIR "daemon_directory" #ifndef DEF_DAEMON_DIR #define DEF_DAEMON_DIR "/usr/libexec/postfix" @@ -232,8 +232,8 @@ extern char *var_daemon_dir; extern char *var_command_dir; /* - * Location of PID files. - */ + * Location of PID files. + */ #define VAR_PID_DIR "process_id_directory" #ifndef DEF_PID_DIR #define DEF_PID_DIR "pid" @@ -241,13 +241,13 @@ extern char *var_command_dir; extern char *var_pid_dir; /* - * Program startup time. - */ + * Program startup time. + */ extern time_t var_starttime; /* - * Location of configuration files. - */ + * Location of configuration files. + */ #define VAR_CONFIG_DIR "config_directory" #ifndef DEF_CONFIG_DIR #define DEF_CONFIG_DIR "/etc/postfix" @@ -262,17 +262,17 @@ extern char *var_config_dirs; #define MASTER_CONF_FILE "master.cf" /* - * Preferred type of indexed files. The DEF_DB_TYPE macro value is system - * dependent. It is defined in . - */ + * Preferred type of indexed files. The DEF_DB_TYPE macro value is system + * dependent. It is defined in . + */ #define VAR_DB_TYPE "default_database_type" extern char *var_db_type; /* - * What syslog facility to use. Unfortunately, something may have to be - * logged before parameters are read from the main.cf file. This logging - * will go the LOG_FACILITY facility specified below. - */ + * What syslog facility to use. Unfortunately, something may have to be + * logged before parameters are read from the main.cf file. This logging + * will go the LOG_FACILITY facility specified below. + */ #define VAR_SYSLOG_FACILITY "syslog_facility" extern char *var_syslog_facility; @@ -285,50 +285,50 @@ extern char *var_syslog_facility; #endif /* - * Big brother: who receives a blank-carbon copy of all mail that enters - * this mail system. - */ + * Big brother: who receives a blank-carbon copy of all mail that enters + * this mail system. + */ #define VAR_ALWAYS_BCC "always_bcc" #define DEF_ALWAYS_BCC "" extern char *var_always_bcc; /* - * What to put in the To: header when no recipients were disclosed. - * - * XXX 2822: When no recipient headers remain, a system should insert a Bcc: - * header without additional information. That is not so great given that - * MTAs routinely strip Bcc: headers from message headers. - */ + * What to put in the To: header when no recipients were disclosed. + * + * XXX 2822: When no recipient headers remain, a system should insert a Bcc: + * header without additional information. That is not so great given that + * MTAs routinely strip Bcc: headers from message headers. + */ #define VAR_RCPT_WITHELD "undisclosed_recipients_header" #define DEF_RCPT_WITHELD "To: undisclosed-recipients:;" extern char *var_rcpt_witheld; /* - * Standards violation: allow/permit RFC 822-style addresses in SMTP - * commands. - */ + * Standards violation: allow/permit RFC 822-style addresses in SMTP + * commands. + */ #define VAR_STRICT_RFC821_ENV "strict_rfc821_envelopes" #define DEF_STRICT_RFC821_ENV 0 extern bool var_strict_rfc821_env; /* - * Standards violation: send "250 AUTH=list" in order to accomodate clients - * that implement an old version of the protocol. - */ + * Standards violation: send "250 AUTH=list" in order to accomodate clients + * that implement an old version of the protocol. + */ #define VAR_BROKEN_AUTH_CLNTS "broken_sasl_auth_clients" #define DEF_BROKEN_AUTH_CLNTS 0 extern bool var_broken_auth_clients; /* - * Standards violation: disable VRFY. - */ + * Standards violation: disable VRFY. + */ #define VAR_DISABLE_VRFY_CMD "disable_vrfy_command" #define DEF_DISABLE_VRFY_CMD 0 extern bool var_disable_vrfy_cmd; /* - * trivial rewrite/resolve service: mapping tables. - */ + * trivial rewrite/resolve service: mapping tables. + */ #define VAR_VIRT_ALIAS_MAPS "virtual_alias_maps" #define DEF_VIRT_ALIAS_MAPS "$virtual_maps" /* Compatibility! */ extern char *var_virt_alias_maps; @@ -392,8 +392,8 @@ extern char *var_transport_maps; extern char *var_def_transport; /* - * trivial rewrite/resolve service: rewriting controls. - */ + * trivial rewrite/resolve service: rewriting controls. + */ #define VAR_SWAP_BANGPATH "swap_bangpath" #define DEF_SWAP_BANGPATH 1 extern bool var_swap_bangpath; @@ -411,8 +411,8 @@ extern bool var_append_dot_mydomain; extern bool var_percent_hack; /* - * Local delivery: alias databases. - */ + * Local delivery: alias databases. + */ #define VAR_ALIAS_MAPS "alias_maps" #ifdef HAS_NIS #define DEF_ALIAS_MAPS ALIAS_DB_MAP ", nis:mail.aliases" @@ -422,15 +422,15 @@ extern bool var_percent_hack; extern char *var_alias_maps; /* - * Local delivery: to BIFF or not to BIFF. - */ + * Local delivery: to BIFF or not to BIFF. + */ #define VAR_BIFF "biff" #define DEF_BIFF 1 extern bool var_biff; /* - * Local delivery: mail to files/commands. - */ + * Local delivery: mail to files/commands. + */ #define VAR_ALLOW_COMMANDS "allow_mail_to_commands" #define DEF_ALLOW_COMMANDS "alias, forward" extern char *var_allow_commands; @@ -456,8 +456,8 @@ extern char *var_alias_db_map; extern char *var_luser_relay; /* - * Local delivery: mailbox delivery. - */ + * Local delivery: mailbox delivery. + */ #define VAR_MAIL_SPOOL_DIR "mail_spool_directory" #define DEF_MAIL_SPOOL_DIR _PATH_MAILDIR extern char *var_mail_spool_dir; @@ -483,15 +483,15 @@ extern char *var_mailbox_transport; extern char *var_fallback_transport; /* - * Local delivery: path to per-user forwarding file. - */ + * Local delivery: path to per-user forwarding file. + */ #define VAR_FORWARD_PATH "forward_path" #define DEF_FORWARD_PATH "$home/.forward${recipient_delimiter}${extension}, $home/.forward" extern char *var_forward_path; /* - * Local delivery: external command execution directory. - */ + * Local delivery: external command execution directory. + */ #define VAR_EXEC_DIRECTORY "command_execution_directory" #define DEF_EXEC_DIRECTORY "" extern char *var_exec_directory; @@ -503,22 +503,22 @@ ABCDEFGHIJKLMNOPQRSTUVWXYZ" extern char *var_exec_exp_filter; /* - * Mailbox locking. DEF_MAILBOX_LOCK is defined in sys_defs.h. - */ + * Mailbox locking. DEF_MAILBOX_LOCK is defined in sys_defs.h. + */ #define VAR_MAILBOX_LOCK "mailbox_delivery_lock" extern char *var_mailbox_lock; /* - * Mailbox size limit. This used to be enforced as a side effect of the way - * the message size limit is implemented, but that is not clean. - */ + * Mailbox size limit. This used to be enforced as a side effect of the way + * the message size limit is implemented, but that is not clean. + */ #define VAR_MAILBOX_LIMIT "mailbox_size_limit" #define DEF_MAILBOX_LIMIT (DEF_MESSAGE_LIMIT * 5) extern int var_mailbox_limit; /* - * Miscellaneous. - */ + * Miscellaneous. + */ #define VAR_PROP_EXTENSION "propagate_unmatched_extensions" #define DEF_PROP_EXTENSION "canonical, virtual" extern char *var_prop_extension; @@ -544,11 +544,11 @@ extern char *var_fwd_exp_filter; extern char *var_deliver_hdr; /* - * Cleanup: enable support for X-Original-To message headers, which are - * needed for multi-recipient mailboxes. When this is turned on, perform - * duplicate elimination on (original rcpt, rewritten rcpt) pairs, and - * generating non-empty original recipient records in the queue file. - */ + * Cleanup: enable support for X-Original-To message headers, which are + * needed for multi-recipient mailboxes. When this is turned on, perform + * duplicate elimination on (original rcpt, rewritten rcpt) pairs, and + * generating non-empty original recipient records in the queue file. + */ #define VAR_ENABLE_ORCPT "enable_original_recipient" #define DEF_ENABLE_ORCPT 1 extern bool var_enable_orcpt; @@ -562,9 +562,9 @@ extern bool var_exp_own_alias; extern bool var_stat_home_dir; /* - * Queue manager: maximal size of the duplicate expansion filter. By - * default, we do graceful degradation with huge mailing lists. - */ + * Queue manager: maximal size of the duplicate expansion filter. By + * default, we do graceful degradation with huge mailing lists. + */ #define VAR_DUP_FILTER_LIMIT "duplicate_filter_limit" #define DEF_DUP_FILTER_LIMIT 1000 extern int var_dup_filter_limit; @@ -598,27 +598,27 @@ extern int var_tls_reseed_period; extern int var_tls_prng_upd_period; /* - * Queue manager: relocated databases. - */ + * Queue manager: relocated databases. + */ #define VAR_RELOCATED_MAPS "relocated_maps" #define DEF_RELOCATED_MAPS "" extern char *var_relocated_maps; /* - * Queue manager: after each failed attempt the backoff time (how long we - * won't try this host in seconds) is doubled until it reaches the maximum. - * MAX_QUEUE_TIME limits the amount of time a message may spend in the mail - * queue before it is sent back. - */ + * Queue manager: after each failed attempt the backoff time (how long we + * won't try this host in seconds) is doubled until it reaches the maximum. + * MAX_QUEUE_TIME limits the amount of time a message may spend in the mail + * queue before it is sent back. + */ #define VAR_QUEUE_RUN_DELAY "queue_run_delay" -#define DEF_QUEUE_RUN_DELAY "1000s" +#define DEF_QUEUE_RUN_DELAY "1000s" #define VAR_MIN_BACKOFF_TIME "minimal_backoff_time" -#define DEF_MIN_BACKOFF_TIME "1000s" +#define DEF_MIN_BACKOFF_TIME "1000s" extern int var_min_backoff_time; #define VAR_MAX_BACKOFF_TIME "maximal_backoff_time" -#define DEF_MAX_BACKOFF_TIME "4000s" +#define DEF_MAX_BACKOFF_TIME "4000s" extern int var_max_backoff_time; #define VAR_MAX_QUEUE_TIME "maximal_queue_lifetime" @@ -634,8 +634,8 @@ extern int var_dsn_queue_time; extern int var_delay_warn_time; /* - * Queue manager: various in-core message and recipient limits. - */ + * Queue manager: various in-core message and recipient limits. + */ #define VAR_QMGR_ACT_LIMIT "qmgr_message_active_limit" #define DEF_QMGR_ACT_LIMIT 20000 extern int var_qmgr_active_limit; @@ -659,8 +659,8 @@ extern int var_xport_rcpt_limit; extern int var_stack_rcpt_limit; /* - * Queue manager: default job scheduler parameters. - */ + * Queue manager: default job scheduler parameters. + */ #define VAR_DELIVERY_SLOT_COST "default_delivery_slot_cost" #define _DELIVERY_SLOT_COST "_delivery_slot_cost" #define DEF_DELIVERY_SLOT_COST 5 @@ -686,8 +686,8 @@ extern int var_min_delivery_slots; extern int var_qmgr_fudge; /* - * Queue manager: default destination concurrency levels. - */ + * Queue manager: default destination concurrency levels. + */ #define VAR_INIT_DEST_CON "initial_destination_concurrency" #define DEF_INIT_DEST_CON 5 extern int var_init_dest_concurrency; @@ -702,8 +702,8 @@ extern int var_dest_con_limit; extern int var_local_con_lim; /* - * Queue manager: default number of recipients per transaction. - */ + * Queue manager: default number of recipients per transaction. + */ #define VAR_DEST_RCPT_LIMIT "default_destination_recipient_limit" #define _DEST_RCPT_LIMIT "_destination_recipient_limit" #define DEF_DEST_RCPT_LIMIT 50 @@ -714,93 +714,93 @@ extern int var_dest_rcpt_limit; extern int var_local_rcpt_lim; /* - * Queue manager: default delay before retrying a dead transport. - */ + * Queue manager: default delay before retrying a dead transport. + */ #define VAR_XPORT_RETRY_TIME "transport_retry_time" #define DEF_XPORT_RETRY_TIME "60s" extern int var_transport_retry_time; /* - * Queue manager: what transports to defer delivery to. - */ + * Queue manager: what transports to defer delivery to. + */ #define VAR_DEFER_XPORTS "defer_transports" #define DEF_DEFER_XPORTS "" extern char *var_defer_xports; /* - * Queue manager: how often to warn that a destination is clogging the - * active queue. - */ + * Queue manager: how often to warn that a destination is clogging the + * active queue. + */ #define VAR_QMGR_CLOG_WARN_TIME "qmgr_clog_warn_time" #define DEF_QMGR_CLOG_WARN_TIME "300s" extern int var_qmgr_clog_warn_time; /* - * Master: default process count limit per mail subsystem. - */ + * Master: default process count limit per mail subsystem. + */ #define VAR_PROC_LIMIT "default_process_limit" #define DEF_PROC_LIMIT 100 extern int var_proc_limit; /* - * Master: default time to wait after service is throttled. - */ + * Master: default time to wait after service is throttled. + */ #define VAR_THROTTLE_TIME "service_throttle_time" #define DEF_THROTTLE_TIME "60s" extern int var_throttle_time; /* - * Any subsystem: default maximum number of clients serviced before a mail - * subsystem terminates (except queue manager). - */ + * Any subsystem: default maximum number of clients serviced before a mail + * subsystem terminates (except queue manager). + */ #define VAR_MAX_USE "max_use" #define DEF_MAX_USE 100 extern int var_use_limit; /* - * Any subsystem: default amount of time a mail subsystem waits for a client - * connection (except queue manager). - */ + * Any subsystem: default amount of time a mail subsystem waits for a client + * connection (except queue manager). + */ #define VAR_MAX_IDLE "max_idle" #define DEF_MAX_IDLE "100s" extern int var_idle_limit; /* - * Any subsystem: default amount of time a mail subsystem waits for - * application events to drain. - */ + * Any subsystem: default amount of time a mail subsystem waits for + * application events to drain. + */ #define VAR_EVENT_DRAIN "application_event_drain_time" #define DEF_EVENT_DRAIN "100s" extern int var_event_drain; /* - * Any subsystem: default amount of time a mail subsystem keeps an internal - * IPC connection before closing it because it is idle for too much time. - */ + * Any subsystem: default amount of time a mail subsystem keeps an internal + * IPC connection before closing it because it is idle for too much time. + */ #define VAR_IPC_IDLE "ipc_idle" #define DEF_IPC_IDLE "100s" extern int var_ipc_idle_limit; /* - * Any subsystem: default amount of time a mail subsystem keeps an internal - * IPC connection before closing it because the connection has existed for - * too much time. - */ + * Any subsystem: default amount of time a mail subsystem keeps an internal + * IPC connection before closing it because the connection has existed for + * too much time. + */ #define VAR_IPC_TTL "ipc_ttl" #define DEF_IPC_TTL "1000s" extern int var_ipc_ttl_limit; /* - * Any front-end subsystem: avoid running out of memory when someone sends - * infinitely-long requests or replies. - */ + * Any front-end subsystem: avoid running out of memory when someone sends + * infinitely-long requests or replies. + */ #define VAR_LINE_LIMIT "line_length_limit" #define DEF_LINE_LIMIT 2048 extern int var_line_limit; /* - * Specify what SMTP peers need verbose logging. - */ + * Specify what SMTP peers need verbose logging. + */ #define VAR_DEBUG_PEER_LIST "debug_peer_list" #define DEF_DEBUG_PEER_LIST "" extern char *var_debug_peer_list; @@ -810,9 +810,9 @@ extern char *var_debug_peer_list; extern int var_debug_peer_level; /* - * Queue management: what queues are hashed behind a forest of - * subdirectories, and how deep the forest is. - */ + * Queue management: what queues are hashed behind a forest of + * subdirectories, and how deep the forest is. + */ #define VAR_HASH_QUEUE_NAMES "hash_queue_names" #define DEF_HASH_QUEUE_NAMES "deferred, defer" extern char *var_hash_queue_names; @@ -822,8 +822,8 @@ extern char *var_hash_queue_names; extern int var_hash_queue_depth; /* - * Multi-protocol support. - */ + * Multi-protocol support. + */ #define INET_PROTO_NAME_IPV4 "ipv4" #define INET_PROTO_NAME_IPV6 "ipv6" #define INET_PROTO_NAME_ALL "all" @@ -831,14 +831,14 @@ extern int var_hash_queue_depth; extern char *var_inet_protocols; /* - * SMTP client. Timeouts inspired by RFC 1123. The SMTP recipient limit - * determines how many recipient addresses the SMTP client sends along with - * each message. Unfortunately, some mailers misbehave and disconnect (smap) - * when given more recipients than they are willing to handle. - * - * XXX 2821: A mail system is supposed to use EHLO instead of HELO, and to fall - * back to HELO if EHLO is not supported. - */ + * SMTP client. Timeouts inspired by RFC 1123. The SMTP recipient limit + * determines how many recipient addresses the SMTP client sends along with + * each message. Unfortunately, some mailers misbehave and disconnect (smap) + * when given more recipients than they are willing to handle. + * + * XXX 2821: A mail system is supposed to use EHLO instead of HELO, and to fall + * back to HELO if EHLO is not supported. + */ #define VAR_BESTMX_TRANSP "best_mx_transport" #define DEF_BESTMX_TRANSP "" extern char *var_bestmx_transp; @@ -974,10 +974,10 @@ extern bool var_smtp_send_xforward; extern char *var_smtp_generic_maps; /* - * SMTP server. The soft error limit determines how many errors an SMTP - * client may make before we start to slow down; the hard error limit - * determines after how many client errors we disconnect. - */ + * SMTP server. The soft error limit determines how many errors an SMTP + * client may make before we start to slow down; the hard error limit + * determines after how many client errors we disconnect. + */ #define VAR_SMTPD_BANNER "smtpd_banner" #define DEF_SMTPD_BANNER "$myhostname ESMTP $mail_name" extern char *var_smtpd_banner; @@ -1171,8 +1171,8 @@ extern char *var_smtp_tls_scache_db; extern int var_smtp_tls_scache_timeout; /* - * SASL authentication support, SMTP server side. - */ + * SASL authentication support, SMTP server side. + */ #define VAR_SMTPD_SASL_ENABLE "smtpd_sasl_auth_enable" #define DEF_SMTPD_SASL_ENABLE 0 extern bool var_smtpd_sasl_enable; @@ -1208,8 +1208,8 @@ extern char *var_smtpd_snd_auth_maps; "reject_unauthenticated_sender_login_mismatch" /* - * SASL authentication support, SMTP client side. - */ + * SASL authentication support, SMTP client side. + */ #define VAR_SMTP_SASL_ENABLE "smtp_sasl_auth_enable" #define DEF_SMTP_SASL_ENABLE 0 extern bool var_smtp_sasl_enable; @@ -1231,10 +1231,10 @@ extern char *var_smtp_sasl_mechs; extern char *var_smtp_sasl_tls_opts; /* - * LMTP server. The soft error limit determines how many errors an LMTP - * client may make before we start to slow down; the hard error limit - * determines after how many client errors we disconnect. - */ + * LMTP server. The soft error limit determines how many errors an LMTP + * client may make before we start to slow down; the hard error limit + * determines after how many client errors we disconnect. + */ #define VAR_LMTPD_BANNER "lmtpd_banner" #define DEF_LMTPD_BANNER "$myhostname $mail_name" extern char *var_lmtpd_banner; @@ -1264,8 +1264,8 @@ extern int var_lmtpd_err_sleep; extern int var_lmtpd_junk_cmd_limit; /* - * SASL authentication support, LMTP server side. - */ + * SASL authentication support, LMTP server side. + */ #define VAR_LMTPD_SASL_ENABLE "lmtpd_sasl_auth_enable" #define DEF_LMTPD_SASL_ENABLE 0 extern bool var_lmtpd_sasl_enable; @@ -1279,8 +1279,8 @@ extern char *var_lmtpd_sasl_opts; extern char *var_lmtpd_sasl_realm; /* - * SASL authentication support, LMTP client side. - */ + * SASL authentication support, LMTP client side. + */ #define VAR_LMTP_SASL_ENABLE "lmtp_sasl_auth_enable" #define DEF_LMTP_SASL_ENABLE 0 extern bool var_lmtp_sasl_enable; @@ -1294,16 +1294,16 @@ extern char *var_lmtp_sasl_passwd; extern char *var_lmtp_sasl_opts; /* - * SASL-based relay etc. control. - */ + * SASL-based relay etc. control. + */ #define PERMIT_SASL_AUTH "permit_sasl_authenticated" /* - * LMTP client. Timeouts inspired by RFC 1123. The LMTP recipient limit - * determines how many recipient addresses the LMTP client sends along with - * each message. Unfortunately, some mailers misbehave and disconnect (smap) - * when given more recipients than they are willing to handle. - */ + * LMTP client. Timeouts inspired by RFC 1123. The LMTP recipient limit + * determines how many recipient addresses the LMTP client sends along with + * each message. Unfortunately, some mailers misbehave and disconnect (smap) + * when given more recipients than they are willing to handle. + */ #define VAR_LMTP_TCP_PORT "lmtp_tcp_port" #define DEF_LMTP_TCP_PORT 24 extern int var_lmtp_tcp_port; @@ -1361,9 +1361,9 @@ extern int var_lmtp_quit_tmout; extern bool var_lmtp_send_xforward; /* - * Cleanup service. Header info that exceeds $header_size_limit bytes or - * $header_address_token_limit tokens is discarded. - */ + * Cleanup service. Header info that exceeds $header_size_limit bytes or + * $header_address_token_limit tokens is discarded. + */ #define VAR_HOPCOUNT_LIMIT "hopcount_limit" #define DEF_HOPCOUNT_LIMIT 50 extern int var_hopcount_limit; @@ -1385,8 +1385,8 @@ extern int var_virt_recur_limit; extern int var_virt_expan_limit; /* - * Message/queue size limits. - */ + * Message/queue size limits. + */ #define VAR_MESSAGE_LIMIT "message_size_limit" #define DEF_MESSAGE_LIMIT 10240000 extern int var_message_limit; @@ -1416,23 +1416,23 @@ extern char *var_body_checks; extern int var_body_check_len; /* - * Bounce service: truncate bounce message that exceed $bounce_size_limit. - */ + * Bounce service: truncate bounce message that exceed $bounce_size_limit. + */ #define VAR_BOUNCE_LIMIT "bounce_size_limit" #define DEF_BOUNCE_LIMIT 50000 extern int var_bounce_limit; /* - * Bounce service: reserved sender address for double bounces. The local - * delivery service discards undeliverable double bounces. - */ + * Bounce service: reserved sender address for double bounces. The local + * delivery service discards undeliverable double bounces. + */ #define VAR_DOUBLE_BOUNCE "double_bounce_sender" #define DEF_DOUBLE_BOUNCE "double-bounce" extern char *var_double_bounce_sender; /* - * When forking a process, how often to try and how long to wait. - */ + * When forking a process, how often to try and how long to wait. + */ #define VAR_FORK_TRIES "fork_attempts" #define DEF_FORK_TRIES 5 extern int var_fork_tries; @@ -1442,14 +1442,14 @@ extern int var_fork_tries; extern int var_fork_delay; /* - * When locking a mailbox, how often to try and how long to wait. - */ -#define VAR_FLOCK_TRIES "deliver_lock_attempts" -#define DEF_FLOCK_TRIES 20 + * When locking a mailbox, how often to try and how long to wait. + */ +#define VAR_FLOCK_TRIES "deliver_lock_attempts" +#define DEF_FLOCK_TRIES 20 extern int var_flock_tries; -#define VAR_FLOCK_DELAY "deliver_lock_delay" -#define DEF_FLOCK_DELAY "1s" +#define VAR_FLOCK_DELAY "deliver_lock_delay" +#define DEF_FLOCK_DELAY "1s" extern int var_flock_delay; #define VAR_FLOCK_STALE "stale_lock_time" @@ -1461,33 +1461,33 @@ extern int var_flock_stale; extern int var_mailtool_compat; /* - * How long a daemon command may take to receive or deliver a message etc. - * before we assume it is wegded (should never happen). - */ + * How long a daemon command may take to receive or deliver a message etc. + * before we assume it is wegded (should never happen). + */ #define VAR_DAEMON_TIMEOUT "daemon_timeout" #define DEF_DAEMON_TIMEOUT "18000s" extern int var_daemon_timeout; /* - * How long an intra-mail command may take before we assume the mail system - * is in deadlock (should never happen). - */ + * How long an intra-mail command may take before we assume the mail system + * is in deadlock (should never happen). + */ #define VAR_IPC_TIMEOUT "ipc_timeout" #define DEF_IPC_TIMEOUT "3600s" extern int var_ipc_timeout; /* - * Time limit on intra-mail triggers. - */ + * Time limit on intra-mail triggers. + */ #define VAR_TRIGGER_TIMEOUT "trigger_timeout" #define DEF_TRIGGER_TIMEOUT "10s" extern int var_trigger_timeout; /* - * SMTP server restrictions. What networks I am willing to relay from, what - * domains I am willing to forward mail from or to, what clients I refuse to - * talk to, and what domains I never want to see in the sender address. - */ + * SMTP server restrictions. What networks I am willing to relay from, what + * domains I am willing to forward mail from or to, what clients I refuse to + * talk to, and what domains I never want to see in the sender address. + */ #define VAR_MYNETWORKS "mynetworks" extern char *var_mynetworks; @@ -1560,10 +1560,10 @@ extern char *var_rest_classes; extern bool var_allow_untrust_route; /* - * Names of specific restrictions, and the corresponding configuration - * parameters that control the status codes sent in response to rejected - * requests. - */ + * Names of specific restrictions, and the corresponding configuration + * parameters that control the status codes sent in response to rejected + * requests. + */ #define PERMIT_ALL "permit" #define REJECT_ALL "reject" #define VAR_REJECT_CODE "reject_code" @@ -1718,8 +1718,8 @@ abcdefghijklmnopqrstuvwxyz{|}~" extern char *var_smtpd_exp_filter; /* - * Heuristic to reject unknown local recipients at the SMTP port. - */ + * Heuristic to reject unknown local recipients at the SMTP port. + */ #define VAR_LOCAL_RCPT_MAPS "local_recipient_maps" #define DEF_LOCAL_RCPT_MAPS "proxy:unix:passwd.byname $" VAR_ALIAS_MAPS extern char *var_local_rcpt_maps; @@ -1729,8 +1729,8 @@ extern char *var_local_rcpt_maps; extern int var_local_rcpt_code; /* - * List of pre-approved maps that are OK to open with the proxymap service. - */ + * List of pre-approved maps that are OK to open with the proxymap service. + */ #define VAR_PROXY_READ_MAPS "proxy_read_maps" #define DEF_PROXY_READ_MAPS "$" VAR_LOCAL_RCPT_MAPS \ " $" VAR_MYDEST \ @@ -1749,8 +1749,8 @@ extern int var_local_rcpt_code; extern char *var_proxy_read_maps; /* - * Other. - */ + * Other. + */ #define VAR_PROCNAME "process_name" extern char *var_procname; @@ -1760,29 +1760,29 @@ extern int var_pid; #define VAR_DEBUG_COMMAND "debugger_command" /* - * Paranoia: save files instead of deleting them. - */ + * Paranoia: save files instead of deleting them. + */ #define VAR_DONT_REMOVE "dont_remove" #define DEF_DONT_REMOVE 0 extern bool var_dont_remove; /* - * Paranoia: defer messages instead of bouncing them. - */ + * Paranoia: defer messages instead of bouncing them. + */ #define VAR_SOFT_BOUNCE "soft_bounce" #define DEF_SOFT_BOUNCE 0 extern bool var_soft_bounce; /* - * Give special treatment to owner- and -request. - */ + * Give special treatment to owner- and -request. + */ #define VAR_OWNREQ_SPECIAL "owner_request_special" #define DEF_OWNREQ_SPECIAL 1 extern bool var_ownreq_special; /* - * Allow/disallow recipient addresses starting with `-'. - */ + * Allow/disallow recipient addresses starting with `-'. + */ #define VAR_ALLOW_MIN_USER "allow_min_user" #define DEF_ALLOW_MIN_USER 0 extern bool var_allow_min_user; @@ -1790,15 +1790,15 @@ extern bool var_allow_min_user; extern void mail_params_init(void); /* - * Content inspection and filtering. - */ + * Content inspection and filtering. + */ #define VAR_FILTER_XPORT "content_filter" #define DEF_FILTER_XPORT "" extern char *var_filter_xport; /* - * Fast flush service support. - */ + * Fast flush service support. + */ #define VAR_FFLUSH_DOMAINS "fast_flush_domains" #define DEF_FFLUSH_DOMAINS "$relay_domains" extern char *var_fflush_domains; @@ -1812,9 +1812,9 @@ extern int var_fflush_purge; extern int var_fflush_refresh; /* - * Environmental management - what Postfix imports from the external world, - * and what Postfix exports to the external world. - */ + * Environmental management - what Postfix imports from the external world, + * and what Postfix exports to the external world. + */ #define VAR_IMPORT_ENVIRON "import_environment" #define DEF_IMPORT_ENVIRON "MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY" extern char *var_import_environ; @@ -1824,8 +1824,8 @@ extern char *var_import_environ; extern char *var_export_environ; /* - * Tunables for the "virtual" local delivery agent - */ + * Tunables for the "virtual" local delivery agent + */ #define VAR_VIRT_TRANSPORT "virtual_transport" #define DEF_VIRT_TRANSPORT MAIL_SERVICE_VIRTUAL extern char *var_virt_transport; @@ -1867,15 +1867,15 @@ extern int var_virt_mailbox_limit; extern char *var_virt_mailbox_lock; /* - * Distinct logging tag for multiple Postfix instances. - */ + * Distinct logging tag for multiple Postfix instances. + */ #define VAR_SYSLOG_NAME "syslog_name" #define DEF_SYSLOG_NAME "postfix" extern char *var_syslog_name; /* - * QMQPD - */ + * QMQPD + */ #define VAR_QMQPD_CLIENTS "qmqpd_authorized_clients" #define DEF_QMQPD_CLIENTS "" extern char *var_qmqpd_clients; @@ -1889,9 +1889,9 @@ extern int var_qmqpd_timeout; extern int var_qmqpd_err_sleep; /* - * VERP, more DJB intellectual cross-pollination. However, we prefer + as - * the default recipient delimiter. - */ + * VERP, more DJB intellectual cross-pollination. However, we prefer + as + * the default recipient delimiter. + */ #define VAR_VERP_DELIMS "default_verp_delimiters" #define DEF_VERP_DELIMS "+=" extern char *var_verp_delims; @@ -1909,28 +1909,28 @@ extern bool var_verp_bounce_off; extern char *var_verp_clients; /* - * XCLIENT, for rule testing and fetchmail like apps. - */ + * XCLIENT, for rule testing and fetchmail like apps. + */ #define VAR_XCLIENT_HOSTS "smtpd_authorized_xclient_hosts" #define DEF_XCLIENT_HOSTS "" extern char *var_xclient_hosts; /* - * XFORWARD, for improved post-filter logging. - */ + * XFORWARD, for improved post-filter logging. + */ #define VAR_XFORWARD_HOSTS "smtpd_authorized_xforward_hosts" #define DEF_XFORWARD_HOSTS "" extern char *var_xforward_hosts; /* - * Inbound mail flow control. This allows for a stiffer coupling between - * receiving mail and sending mail. A sending process produces one token for - * each message that it takes from the incoming queue; a receiving process - * consumes one token for each message that it adds to the incoming queue. - * When no token is available (Postfix receives more mail than it is able to - * deliver) a receiving process pauses for $in_flow_delay seconds so that - * the sending processes get a chance to access the disk. - */ + * Inbound mail flow control. This allows for a stiffer coupling between + * receiving mail and sending mail. A sending process produces one token for + * each message that it takes from the incoming queue; a receiving process + * consumes one token for each message that it adds to the incoming queue. + * When no token is available (Postfix receives more mail than it is able to + * deliver) a receiving process pauses for $in_flow_delay seconds so that + * the sending processes get a chance to access the disk. + */ #define VAR_IN_FLOW_DELAY "in_flow_delay" #ifdef PIPES_CANT_FIONREAD #define DEF_IN_FLOW_DELAY "0s" @@ -1940,8 +1940,8 @@ extern char *var_xforward_hosts; extern int var_in_flow_delay; /* - * Backwards compatibility: foo.com matches itself and names below foo.com. - */ + * Backwards compatibility: foo.com matches itself and names below foo.com. + */ #define VAR_PAR_DOM_MATCH "parent_domain_matches_subdomains" #define DEF_PAR_DOM_MATCH VAR_DEBUG_PEER_LIST "," \ VAR_FFLUSH_DOMAINS "," \ @@ -1955,15 +1955,15 @@ extern char *var_par_dom_match; #define SMTPD_ACCESS_MAPS "smtpd_access_maps" /* - * Run-time fault injection. - */ + * Run-time fault injection. + */ #define VAR_FAULT_INJ_CODE "fault_injection_code" #define DEF_FAULT_INJ_CODE 0 extern int var_fault_inj_code; /* - * Install/upgrade information. - */ + * Install/upgrade information. + */ #define VAR_SENDMAIL_PATH "sendmail_path" #ifndef DEF_SENDMAIL_PATH #define DEF_SENDMAIL_PATH "/usr/sbin/sendmail" @@ -2000,12 +2000,12 @@ extern int var_fault_inj_code; #endif /* - * Safety: resolve the address with unquoted localpart (default, but - * technically incorrect), instead of resolving the address with quoted - * localpart (technically correct, but unsafe). The default prevents mail - * relay loopholes with "user@domain"@domain when relaying mail to a - * Sendmail system. - */ + * Safety: resolve the address with unquoted localpart (default, but + * technically incorrect), instead of resolving the address with quoted + * localpart (technically correct, but unsafe). The default prevents mail + * relay loopholes with "user@domain"@domain when relaying mail to a + * Sendmail system. + */ #define VAR_RESOLVE_DEQUOTED "resolve_dequoted_address" #define DEF_RESOLVE_DEQUOTED 1 extern bool var_resolve_dequoted; @@ -2015,12 +2015,12 @@ extern bool var_resolve_dequoted; extern bool var_resolve_nulldom; /* - * Service names. The transport (TCP, FIFO or UNIX-domain) type is frozen - * because you cannot simply mix them, and accessibility (private/public) is - * frozen for security reasons. We list only the internal services, not the - * externally visible SMTP server, or the delivery agents that can already - * be chosen via transport mappings etc. - */ + * Service names. The transport (TCP, FIFO or UNIX-domain) type is frozen + * because you cannot simply mix them, and accessibility (private/public) is + * frozen for security reasons. We list only the internal services, not the + * externally visible SMTP server, or the delivery agents that can already + * be chosen via transport mappings etc. + */ #define VAR_BOUNCE_SERVICE "bounce_service_name" #define DEF_BOUNCE_SERVICE MAIL_SERVICE_BOUNCE extern char *var_bounce_service; @@ -2060,8 +2060,8 @@ extern char *var_error_service; extern char *var_flush_service; /* - * Session cache service. - */ + * Session cache service. + */ #define VAR_SCACHE_SERVICE "connection_cache_service" #define DEF_SCACHE_SERVICE "scache" extern char *var_scache_service; @@ -2075,8 +2075,8 @@ extern int var_scache_ttl_lim; extern int var_scache_stat_time; /* - * Address verification service. - */ + * Address verification service. + */ #define VAR_VERIFY_SERVICE "address_verify_service_name" #define DEF_VERIFY_SERVICE MAIL_SERVICE_VERIFY extern char *var_verify_service; @@ -2142,15 +2142,15 @@ extern char *var_vrfy_relayhost; extern char *var_vrfy_xport_maps; /* - * Message delivery trace service. - */ + * Message delivery trace service. + */ #define VAR_TRACE_SERVICE "trace_service_name" #define DEF_TRACE_SERVICE MAIL_SERVICE_TRACE extern char *var_trace_service; /* - * Mailbox/maildir delivery errors that cause delivery to be tried again. - */ + * Mailbox/maildir delivery errors that cause delivery to be tried again. + */ #define VAR_MBX_DEFER_ERRS "mailbox_defer_errors" #define DEF_MBX_DEFER_ERRS "eagain, enospc, estale" extern char *var_mbx_defer_errs; @@ -2160,8 +2160,8 @@ extern char *var_mbx_defer_errs; extern char *var_mdr_defer_errs; /* - * Berkeley DB memory pool sizes. - */ + * Berkeley DB memory pool sizes. + */ #define VAR_DB_CREATE_BUF "berkeley_db_create_buffer_size" #define DEF_DB_CREATE_BUF (16 * 1024 *1024) extern int var_db_create_buf; @@ -2171,15 +2171,15 @@ extern int var_db_create_buf; extern int var_db_read_buf; /* - * Named queue file attributes. - */ + * Named queue file attributes. + */ #define VAR_QATTR_COUNT_LIMIT "queue_file_attribute_count_limit" #define DEF_QATTR_COUNT_LIMIT 100 extern int var_qattr_count_limit; /* - * MIME support. - */ + * MIME support. + */ #define VAR_MIME_MAXDEPTH "mime_nesting_limit" #define DEF_MIME_MAXDEPTH 100 extern int var_mime_maxdepth; @@ -2213,8 +2213,8 @@ extern bool var_strict_8bit_body; extern bool var_strict_encoding; /* - * Bizarre. - */ + * Bizarre. + */ #define VAR_SENDER_ROUTING "sender_based_routing" #define DEF_SENDER_ROUTING 0 extern bool var_sender_routing; @@ -2224,15 +2224,15 @@ extern bool var_sender_routing; extern char *var_xport_null_key; /* - * Bounce service controls. - */ + * Bounce service controls. + */ #define VAR_OLDLOG_COMPAT "backwards_bounce_logfile_compatibility" #define DEF_OLDLOG_COMPAT 1 extern bool var_oldlog_compat; /* - * SMTPD content proxy. - */ + * SMTPD content proxy. + */ #define VAR_SMTPD_PROXY_FILT "smtpd_proxy_filter" #define DEF_SMTPD_PROXY_FILT "" extern char *var_smtpd_proxy_filt; @@ -2246,17 +2246,17 @@ extern char *var_smtpd_proxy_ehlo; extern int var_smtpd_proxy_tmout; /* - * Transparency options for mail input interfaces and for the cleanup server - * behind them. These should turn off stuff we don't want to happen, because - * the default is to do a lot of things. - */ + * Transparency options for mail input interfaces and for the cleanup server + * behind them. These should turn off stuff we don't want to happen, because + * the default is to do a lot of things. + */ #define VAR_INPUT_TRANSP "receive_override_options" #define DEF_INPUT_TRANSP "" extern char *var_smtpd_input_transp; /* - * SMTP server policy delegation. - */ + * SMTP server policy delegation. + */ #define VAR_SMTPD_POLICY_TMOUT "smtpd_policy_service_timeout" #define DEF_SMTPD_POLICY_TMOUT "100s" extern int var_smtpd_policy_tmout; @@ -2272,8 +2272,8 @@ extern int var_smtpd_policy_ttl; #define CHECK_POLICY_SERVICE "check_policy_service" /* - * Client rate control. - */ + * Client rate control. + */ #define VAR_SMTPD_CRATE_LIMIT "smtpd_client_connection_rate_limit" #define DEF_SMTPD_CRATE_LIMIT 0 extern int var_smtpd_crate_limit; @@ -2303,8 +2303,8 @@ extern int var_anvil_time_unit; extern int var_anvil_stat_time; /* - * Temporary stop gap. - */ + * Temporary stop gap. + */ #if 0 #include @@ -2315,8 +2315,8 @@ extern char *var_anvil_service; #endif /* - * What domain names to assume when no valid domain context exists. - */ + * What domain names to assume when no valid domain context exists. + */ #define VAR_REM_RWR_DOMAIN "remote_header_rewrite_domain" #define DEF_REM_RWR_DOMAIN "" extern char *var_remote_rwr_domain; @@ -2328,8 +2328,8 @@ extern char *var_remote_rwr_domain; extern char *var_local_rwr_clients; /* - * EHLO keyword filter. - */ + * EHLO keyword filter. + */ #define VAR_SMTPD_EHLO_DIS_WORDS "smtpd_discard_ehlo_keywords" #define DEF_SMTPD_EHLO_DIS_WORDS "" extern char *var_smtpd_ehlo_dis_words; @@ -2346,6 +2346,13 @@ extern char *var_smtp_ehlo_dis_words; #define DEF_SMTP_EHLO_DIS_MAPS "" extern char *var_smtp_ehlo_dis_maps; + /* + * Allow CNAME lookup result to override the server hostname. + */ +#define VAR_SMTP_CNAME_OVERR "smtp_cname_overrides_servername" +#define DEF_SMTP_CNAME_OVERR 1 +extern bool var_smtp_cname_overr; + /* LICENSE /* .ad /* .fi diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 07653d390..0a70893d7 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,8 +20,8 @@ * Patches change the patchlevel and the release date. Snapshots change the * release date only. */ -#define MAIL_RELEASE_DATE "20060103" -#define MAIL_VERSION_NUMBER "2.2.8" +#define MAIL_RELEASE_DATE "20060201" +#define MAIL_VERSION_NUMBER "2.2.9-RC1" #define VAR_MAIL_VERSION "mail_version" #ifdef SNAPSHOT diff --git a/postfix/src/lmtp/lmtp_addr.c b/postfix/src/lmtp/lmtp_addr.c index 1710f787d..34f180164 100644 --- a/postfix/src/lmtp/lmtp_addr.c +++ b/postfix/src/lmtp/lmtp_addr.c @@ -105,7 +105,7 @@ static void lmtp_print_addr(char *what, DNS_RR *addr_list) msg_warn("skipping record type %s: %m", dns_strtype(addr->type)); } else { msg_info("pref %4d host %s/%s", - addr->pref, addr->name, + addr->pref, addr->rname, hostaddr.buf); } } diff --git a/postfix/src/lmtp/lmtp_connect.c b/postfix/src/lmtp/lmtp_connect.c index e00a15114..36983672b 100644 --- a/postfix/src/lmtp/lmtp_connect.c +++ b/postfix/src/lmtp/lmtp_connect.c @@ -200,10 +200,10 @@ static LMTP_SESSION *lmtp_connect_addr(DNS_RR *addr, unsigned port, SOCKADDR_TO_HOSTADDR(sa, salen, &hostaddr, (MAI_SERVPORT_STR *) 0, 0); if (msg_verbose) msg_info("%s: trying: %s[%s] port %d...", - myname, addr->name, hostaddr.buf, ntohs(port)); + myname, addr->rname, hostaddr.buf, ntohs(port)); return (lmtp_connect_sock(sock, sa, salen, - addr->name, hostaddr.buf, destination, why)); + addr->rname, hostaddr.buf, destination, why)); } /* lmtp_connect_sock - connect a socket over some transport */ diff --git a/postfix/src/local/local.c b/postfix/src/local/local.c index 7dfc6770e..b4ee034ed 100644 --- a/postfix/src/local/local.c +++ b/postfix/src/local/local.c @@ -829,6 +829,7 @@ int main(int argc, char **argv) VAR_PROP_EXTENSION, DEF_PROP_EXTENSION, &var_prop_extension, 0, 0, VAR_DELIVER_HDR, DEF_DELIVER_HDR, &var_deliver_hdr, 0, 0, VAR_MAILBOX_LOCK, DEF_MAILBOX_LOCK, &var_mailbox_lock, 1, 0, + VAR_MAILBOX_CMD_MAPS, DEF_MAILBOX_CMD_MAPS, &var_mailbox_cmd_maps, 0, 0, 0, }; static CONFIG_BOOL_TABLE bool_table[] = { @@ -844,7 +845,6 @@ int main(int argc, char **argv) VAR_EXEC_DIRECTORY, DEF_EXEC_DIRECTORY, &var_exec_directory, 0, 0, VAR_FORWARD_PATH, DEF_FORWARD_PATH, &var_forward_path, 0, 0, VAR_MAILBOX_COMMAND, DEF_MAILBOX_COMMAND, &var_mailbox_command, 0, 0, - VAR_MAILBOX_CMD_MAPS, DEF_MAILBOX_CMD_MAPS, &var_mailbox_cmd_maps, 0, 0, VAR_LUSER_RELAY, DEF_LUSER_RELAY, &var_luser_relay, 0, 0, 0, }; diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c index b0bbf70ff..0d1f8ceca 100644 --- a/postfix/src/smtp/smtp.c +++ b/postfix/src/smtp/smtp.c @@ -85,6 +85,10 @@ /* Always send EHLO at the start of an SMTP session. /* .IP "\fBsmtp_never_send_ehlo (no)\fR" /* Never send EHLO at the start of an SMTP session. +/* .IP "\fBsmtp_cname_overrides_servername (yes)\fR" +/* Allow DNS CNAME records to override the servername that the +/* Postfix SMTP client uses for logging, SASL password lookup, TLS +/* policy decisions, or TLS certificate verification. /* .IP "\fBsmtp_defer_if_no_mx_address_found (no)\fR" /* Defer mail delivery when no MX record resolves to an IP address. /* .IP "\fBsmtp_line_length_limit (990)\fR" @@ -497,6 +501,7 @@ bool var_smtp_tls_note_starttls_offer; char *var_smtp_generic_maps; char *var_prop_extension; +bool var_smtp_cname_overr; /* * Global variables. smtp_errno is set by the address lookup routines and by @@ -790,6 +795,7 @@ int main(int argc, char **argv) VAR_SMTP_TLS_ENFORCE_PN, DEF_SMTP_TLS_ENFORCE_PN, &var_smtp_tls_enforce_peername, VAR_SMTP_TLS_NOTEOFFER, DEF_SMTP_TLS_NOTEOFFER, &var_smtp_tls_note_starttls_offer, #endif + VAR_SMTP_CNAME_OVERR, DEF_SMTP_CNAME_OVERR, &var_smtp_cname_overr, 0, }; diff --git a/postfix/src/smtp/smtp.h b/postfix/src/smtp/smtp.h index 2aa7a363c..ba7a24d2b 100644 --- a/postfix/src/smtp/smtp.h +++ b/postfix/src/smtp/smtp.h @@ -164,6 +164,12 @@ extern SSL_CTX *smtp_tls_ctx; /* client-side TLS engine */ #endif + + /* + * What's in a name? + */ +#define SMTP_HNAME(rr) (var_smtp_cname_overr ? (rr)->rname : (rr)->qname) + /* * smtp_session.c */ diff --git a/postfix/src/smtp/smtp_addr.c b/postfix/src/smtp/smtp_addr.c index 49980a415..5a9dfc687 100644 --- a/postfix/src/smtp/smtp_addr.c +++ b/postfix/src/smtp/smtp_addr.c @@ -119,7 +119,7 @@ static void smtp_print_addr(char *what, DNS_RR *addr_list) msg_warn("skipping record type %s: %m", dns_strtype(addr->type)); } else { msg_info("pref %4d host %s/%s", - addr->pref, addr->name, + addr->pref, SMTP_HNAME(addr), hostaddr.buf); } } diff --git a/postfix/src/smtp/smtp_connect.c b/postfix/src/smtp/smtp_connect.c index 1fcae1f2f..047d720f7 100644 --- a/postfix/src/smtp/smtp_connect.c +++ b/postfix/src/smtp/smtp_connect.c @@ -228,7 +228,7 @@ static SMTP_SESSION *smtp_connect_addr(const char *dest, DNS_RR *addr, SOCKADDR_TO_HOSTADDR(sa, salen, &hostaddr, (MAI_SERVPORT_STR *) 0, 0); if (msg_verbose) msg_info("%s: trying: %s[%s] port %d...", - myname, addr->name, hostaddr.buf, ntohs(port)); + myname, SMTP_HNAME(addr), hostaddr.buf, ntohs(port)); if (var_smtp_conn_tmout > 0) { non_blocking(sock, NON_BLOCKING); conn_stat = timed_connect(sock, sa, salen, var_smtp_conn_tmout); @@ -240,7 +240,7 @@ static SMTP_SESSION *smtp_connect_addr(const char *dest, DNS_RR *addr, } if (conn_stat < 0) { vstring_sprintf(why, "connect to %s[%s]: %m", - addr->name, hostaddr.buf); + SMTP_HNAME(addr), hostaddr.buf); smtp_errno = SMTP_ERR_RETRY; close(sock); return (0); @@ -251,7 +251,7 @@ static SMTP_SESSION *smtp_connect_addr(const char *dest, DNS_RR *addr, */ if (read_wait(sock, var_smtp_helo_tmout) < 0) { vstring_sprintf(why, "connect to %s[%s]: read timeout", - addr->name, hostaddr.buf); + SMTP_HNAME(addr), hostaddr.buf); smtp_errno = SMTP_ERR_RETRY; close(sock); return (0); @@ -263,7 +263,7 @@ static SMTP_SESSION *smtp_connect_addr(const char *dest, DNS_RR *addr, stream = vstream_fdopen(sock, O_RDWR); if ((ch = VSTREAM_GETC(stream)) == VSTREAM_EOF) { vstring_sprintf(why, "connect to %s[%s]: server dropped connection without sending the initial SMTP greeting", - addr->name, hostaddr.buf); + SMTP_HNAME(addr), hostaddr.buf); smtp_errno = SMTP_ERR_RETRY; vstream_fclose(stream); return (0); @@ -281,13 +281,13 @@ static SMTP_SESSION *smtp_connect_addr(const char *dest, DNS_RR *addr, VSTRING *salvage_buf = smtp_salvage(stream); vstring_sprintf(why, "connect to %s[%s]: server refused to talk to me: %s", - addr->name, hostaddr.buf, STR(salvage_buf)); + SMTP_HNAME(addr), hostaddr.buf, STR(salvage_buf)); vstring_free(salvage_buf); smtp_errno = SMTP_ERR_RETRY; vstream_fclose(stream); return (0); } - return (smtp_session_alloc(stream, dest, addr->name, + return (smtp_session_alloc(stream, dest, SMTP_HNAME(addr), hostaddr.buf, port, sess_flags)); } diff --git a/postfix/src/smtp/smtp_session.c b/postfix/src/smtp/smtp_session.c index 453cc9e69..567ad04ed 100644 --- a/postfix/src/smtp/smtp_session.c +++ b/postfix/src/smtp/smtp_session.c @@ -128,14 +128,20 @@ #ifdef USE_TLS /* - * Per-site policies can override main.cf settings. + * TLS enforcement level. Actual TLS policies will be NONE or higher. + * + * There are two pseudo levels: NOTFOUND is a sentinel value for the ease of + * implementation; MAY is a wild-card that indicates "anything goes". + * + * Non pseudo levels can also be used to indicate the actual security level of + * a session. */ -typedef struct { - int dont_use; /* don't use TLS */ - int use; /* useless, see above */ - int enforce; /* must always use TLS */ - int enforce_peername; /* must verify certificate name */ -} SMTP_TLS_SITE_POLICY; +#define SMTP_TLS_LEV_NOTFOUND (-1) /* sentinel */ +#define SMTP_TLS_LEV_NONE 0 /* plain-text only */ +#define SMTP_TLS_LEV_MAY 1 /* wildcard */ +#define SMTP_TLS_LEV_ENCRYPT 2 /* encrypted connection */ +#define SMTP_TLS_LEV_VERIFY 3 /* certificate verified */ +#define SMTP_TLS_LEV_STRICT 4 /* "secure" verification */ static MAPS *tls_per_site; /* lookup table(s) */ @@ -147,9 +153,21 @@ void smtp_tls_list_init(void) DICT_FLAG_LOCK); } +/* smtp_tls_policy_print - print policy level */ + +static void smtp_tls_policy_print(const char *name, int level) +{ + msg_info("%s TLS level: %s", name, + level == SMTP_TLS_LEV_VERIFY ? "verify" : + level == SMTP_TLS_LEV_ENCRYPT ? "encrypt" : + level == SMTP_TLS_LEV_MAY ? "may" : + level == SMTP_TLS_LEV_NONE ? "none" : + "unknown"); +} + /* smtp_tls_site_policy - look up per-site TLS policy */ -static void smtp_tls_site_policy(SMTP_TLS_SITE_POLICY *policy, +static void smtp_tls_site_policy(int *site_level, const char *site_name, const char *site_class) { @@ -157,33 +175,101 @@ static void smtp_tls_site_policy(SMTP_TLS_SITE_POLICY *policy, char *lookup_key; /* - * Initialize the default policy. - */ - policy->dont_use = 0; - policy->use = 0; - policy->enforce = 0; - policy->enforce_peername = 0; - - /* - * Look up a non-default policy. + * Look up a non-default policy. In case of multiple lookup results, the + * precedence order is a permutation of the TLS enforcement level order: + * VERIFY, ENCRYPT, NONE, MAY, NOTFOUND. I.e. we override MAY with a more + * specific policy including NONE, otherwise we choose the stronger + * enforcement level. */ lookup_key = lowercase(mystrdup(site_name)); if ((lookup = maps_find(tls_per_site, lookup_key, 0)) != 0) { - if (!strcasecmp(lookup, "NONE")) - policy->dont_use = 1; - else if (!strcasecmp(lookup, "MAY")) - policy->use = 1; - else if (!strcasecmp(lookup, "MUST")) - policy->enforce = policy->enforce_peername = 1; - else if (!strcasecmp(lookup, "MUST_NOPEERMATCH")) - policy->enforce = 1; - else + if (!strcasecmp(lookup, "NONE")) { + /* NONE overrides MAY or NOTFOUND. */ + if (*site_level <= SMTP_TLS_LEV_MAY) + *site_level = SMTP_TLS_LEV_NONE; + } else if (!strcasecmp(lookup, "MAY")) { + /* MAY overrides NOTFOUND but not NONE. */ + if (*site_level < SMTP_TLS_LEV_NONE) + *site_level = SMTP_TLS_LEV_MAY; + } else if (!strcasecmp(lookup, "MUST_NOPEERMATCH")) { + if (*site_level < SMTP_TLS_LEV_ENCRYPT) + *site_level = SMTP_TLS_LEV_ENCRYPT; + } else if (!strcasecmp(lookup, "MUST")) { + if (*site_level < SMTP_TLS_LEV_VERIFY) + *site_level = SMTP_TLS_LEV_VERIFY; + } else { msg_warn("Table %s: ignoring unknown TLS policy '%s' for %s %s", var_smtp_tls_per_site, lookup, site_class, site_name); + } } myfree(lookup_key); } +/* smtp_tls_level_init - configure session TLS enforcement level */ + +static int smtp_tls_level_init(const char *dest, const char *host) +{ + int global_level; + int site_level; + int tls_level; + + /* + * Compute the global TLS policy. This is the default policy level when + * no per-site policy exists. It also is used to override a wild-card + * per-site policy. + */ + if (var_smtp_enforce_tls) + global_level = var_smtp_tls_enforce_peername ? + SMTP_TLS_LEV_VERIFY : SMTP_TLS_LEV_ENCRYPT; + else + global_level = var_smtp_use_tls ? + SMTP_TLS_LEV_MAY : SMTP_TLS_LEV_NONE; + if (msg_verbose) + smtp_tls_policy_print("global", global_level); + + /* + * Compute the per-site TLS enforcement level. For compatibility with the + * original TLS patch, this algorithm is gives equal precedence to host + * and next-hop policies. + */ + site_level = SMTP_TLS_LEV_NOTFOUND; + + if (tls_per_site) { + smtp_tls_site_policy(&site_level, dest, "next-hop destination"); + if (strcasecmp(dest, host) != 0) + smtp_tls_site_policy(&site_level, host, "server hostname"); + if (msg_verbose) + smtp_tls_policy_print("site", site_level); + } + + /* + * Override a wild-card per-site policy with a more specific global + * policy. + * + * With the original TLS patch, 1) a per-site ENCRYPT could not override a + * global VERIFY, and 2) a combined per-site (NONE+MAY) policy produced + * inconsistent results: it changed a global VERIFY into NONE, while + * producing MAY with all weaker global policy settings. + * + * With the current implementation, a combined per-site (NONE+MAY) + * consistently overrides global policy with NONE, and global policy can + * override only a per-site MAY wildcard. That is, specific policies + * consistently override wildcard policies, and (non-wildcard) per-site + * policies consistently override global policies. + */ + if (site_level == SMTP_TLS_LEV_NOTFOUND + || (site_level == SMTP_TLS_LEV_MAY + && global_level > SMTP_TLS_LEV_MAY)) + tls_level = global_level; + else + tls_level = site_level; + + if (msg_verbose && tls_per_site) + smtp_tls_policy_print("effective", tls_level); + + return (tls_level); +} + #endif /* smtp_session_alloc - allocate and initialize SMTP_SESSION structure */ @@ -194,12 +280,6 @@ SMTP_SESSION *smtp_session_alloc(VSTREAM *stream, const char *dest, { SMTP_SESSION *session; -#ifdef USE_TLS - SMTP_TLS_SITE_POLICY host_policy; - SMTP_TLS_SITE_POLICY rcpt_policy; - -#endif - session = (SMTP_SESSION *) mymalloc(sizeof(*session)); session->stream = stream; session->dest = mystrdup(dest); @@ -236,39 +316,14 @@ SMTP_SESSION *smtp_session_alloc(VSTREAM *stream, const char *dest, session->tls_enforce_peername = 0; session->tls_context = 0; session->tls_info = tls_info_zero; - - /* - * Override the main.cf TLS policy with an optional per-site policy. - */ - if (smtp_tls_ctx != 0) { - smtp_tls_site_policy(&host_policy, host, "receiving host"); - smtp_tls_site_policy(&rcpt_policy, dest, "recipient domain"); - - /* - * Set up TLS enforcement for this session. - */ - if ((var_smtp_enforce_tls && !host_policy.dont_use && !rcpt_policy.dont_use) - || host_policy.enforce || rcpt_policy.enforce) - session->tls_enforce_tls = session->tls_use_tls = 1; - - /* - * Set up peername checking for this session. - * - * We want to make sure that a MUST* entry in the tls_per_site table - * always has precedence. MUST always must lead to a peername check, - * MUST_NOPEERMATCH must always disable it. Only when no explicit - * setting has been found, the default will be used. There is the - * case left, that both "host" and "recipient" settings conflict. In - * this case, the "host" setting wins. - */ - if (host_policy.enforce && host_policy.enforce_peername) - session->tls_enforce_peername = 1; - else if (rcpt_policy.enforce && rcpt_policy.enforce_peername) - session->tls_enforce_peername = 1; - else if (var_smtp_enforce_tls && var_smtp_tls_enforce_peername) - session->tls_enforce_peername = 1; - else if ((var_smtp_use_tls && !host_policy.dont_use && !rcpt_policy.dont_use) || host_policy.use || rcpt_policy.use) - session->tls_use_tls = 1; + switch (smtp_tls_level_init(dest, host)) { + case SMTP_TLS_LEV_VERIFY: + session->tls_enforce_peername = 1; + case SMTP_TLS_LEV_ENCRYPT: + session->tls_enforce_tls = 1; + case SMTP_TLS_LEV_MAY: + session->tls_use_tls = 1; + break; } #endif debug_peer_check(host, addr); diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c index 4d57edcc5..d20fba59a 100644 --- a/postfix/src/smtpd/smtpd_check.c +++ b/postfix/src/smtpd/smtpd_check.c @@ -2314,7 +2314,7 @@ static int check_server_access(SMTPD_STATE *state, const char *table, (VSTRING *) 0, (VSTRING *) 0); if (dns_status == DNS_NOTFOUND && h_errno == NO_DATA) { if (type == T_MX) { - server_list = dns_rr_create(domain, type, C_IN, 0, 0, + server_list = dns_rr_create(domain, domain, type, C_IN, 0, 0, domain, strlen(domain) + 1); dns_status = DNS_OK; } else if (type == T_NS) { @@ -4337,6 +4337,7 @@ char *var_relay_rcpt_maps; char *var_verify_sender; char *var_smtpd_sasl_opts; char *var_local_rwr_clients; +char *var_smtpd_relay_ccerts; typedef struct { char *name; @@ -4379,6 +4380,7 @@ static STRING_TABLE string_table[] = { VAR_MAIL_NAME, DEF_MAIL_NAME, &var_mail_name, VAR_SMTPD_SASL_OPTS, DEF_SMTPD_SASL_OPTS, &var_smtpd_sasl_opts, VAR_LOC_RWR_CLIENTS, DEF_LOC_RWR_CLIENTS, &var_local_rwr_clients, + VAR_RELAY_CCERTS, DEF_RELAY_CCERTS, &var_smtpd_relay_ccerts, 0, }; diff --git a/postfix/src/smtpd/smtpd_exp.ref b/postfix/src/smtpd/smtpd_exp.ref index fcee7f2a3..8f1f4204e 100644 --- a/postfix/src/smtpd/smtpd_exp.ref +++ b/postfix/src/smtpd/smtpd_exp.ref @@ -107,8 +107,8 @@ OK >>> mail sname@sdomain OK >>> rcpt rname@rdomain -./smtpd_check: : reject: RCPT from spike.porcupine.org[168.100.189.2]: 554 Service unavailable; Helo command [example.tld] blocked using abuse.rfc-ignorant.org; Not supporting abuse@domain; from= to= proto=SMTP helo= -554 Service unavailable; Helo command [example.tld] blocked using abuse.rfc-ignorant.org; Not supporting abuse@domain +./smtpd_check: : reject: RCPT from spike.porcupine.org[168.100.189.2]: 554 Service unavailable; Helo command [example.tld] blocked using abuse.rfc-ignorant.org; Not supporting abuse@example.tld; from= to= proto=SMTP helo= +554 Service unavailable; Helo command [example.tld] blocked using abuse.rfc-ignorant.org; Not supporting abuse@example.tld >>> # >>> # Check MX access >>> # diff --git a/postfix/src/trivial-rewrite/rewrite.c b/postfix/src/trivial-rewrite/rewrite.c index c1a275f99..30ec6f077 100644 --- a/postfix/src/trivial-rewrite/rewrite.c +++ b/postfix/src/trivial-rewrite/rewrite.c @@ -173,7 +173,8 @@ void rewrite_tree(RWR_CONTEXT *context, TOK822 *tree) /* * Append missing @origin */ - else if (var_append_at_myorigin != 0) { + else if (var_append_at_myorigin != 0 + && context->origin[0][0] != 0) { domain = tok822_sub_append(tree, tok822_alloc('@', (char *) 0)); tok822_sub_append(tree, tok822_scan(REW_PARAM_VALUE(context->origin), (TOK822 **) 0)); @@ -186,6 +187,7 @@ void rewrite_tree(RWR_CONTEXT *context, TOK822 *tree) * alone. */ if (var_append_dot_mydomain != 0 + && context->domain[0][0] != 0 && (domain = tok822_rfind_type(tree->tail, '@')) != 0 && domain != tree->tail && tok822_find_type(domain, TOK822_DOMLIT) == 0