From: Wietse Venema Date: Thu, 6 Dec 2007 05:00:00 +0000 (-0500) Subject: postfix-2.5-20071206 X-Git-Tag: v2.5.0-RC1~17 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4929b8692cdb05fba37b20f8ae80feddfa3fb852;p=thirdparty%2Fpostfix.git postfix-2.5-20071206 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index b419c7f81..39b8a5117 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -13895,7 +13895,7 @@ Apologies for any names omitted. postalias/postalias.c. Bugfix: the proxymap client didn't properly propagate user - options options to the proxymap server. File: util/dict.h. + options to the proxymap server. File: util/dict.h. Workaround: force synchronous updates in the proxymap server so that maps will be in a consistent state between updates. @@ -13923,3 +13923,17 @@ Apologies for any names omitted. Feature: data_directory configuration parameter for Postfix-writable data such as caches and random numbers. Files: postfix-install, conf/postfix-files. + +20071206 + + Security: tlsmgr(8) and verify(8) no longer use root + privileges when opening their cache files. This avoids a + potential security loophole where the ownership of a file + (or directory) does not match the trust level of the content + of that file (or directory). See RELEASE_NOTES for how to + use pre-existing data. Files: util/set_eugid.[hc], + tlsmgr/tlsmgr.c, verify/verify.c. + + Compatibility: as a migration tool, redirect attempts by + tlsmgr(8) or verify(8) to open files in non-Postfix directories + to the Postfix-owned data_directory. File: global/data_redirect.c. diff --git a/postfix/README_FILES/ADDRESS_VERIFICATION_README b/postfix/README_FILES/ADDRESS_VERIFICATION_README index 1269f4171..5a3450857 100644 --- a/postfix/README_FILES/ADDRESS_VERIFICATION_README +++ b/postfix/README_FILES/ADDRESS_VERIFICATION_README 
@@ -157,7 +157,7 @@ domains that often appear in forged email. unverified_sender_reject_code = 550 # Note 1: Be sure to read the "Caching" section below! # Note 2: Avoid hash files here. Use btree instead. - address_verify_map = btree:/var/mta/verify + address_verify_map = btree:/var/lib/postfix/verify /etc/postfix/sender_access: aol.com reject_unverified_sender @@ -193,7 +193,7 @@ be blocked: ... # Note 1: Be sure to read the "Caching" section below! # Note 2: Avoid hash files here. Use btree instead. - address_verify_map = btree:/var/mta/verify + address_verify_map = btree:/var/lib/postfix/verify This is also a good way to populate your cache with address verification results before you start to actually reject mail. 
@@ -239,16 +239,23 @@ If your /var file system has sufficient space, try: /etc/postfix/main.cf: # Note: avoid hash files here. Use btree instead. - address_verify_map = btree:/var/mta/verify - -NOTE: Do not put this file in a file system that may run out of space. When the -address verification table gets corrupted the world comes to an end and YOU + address_verify_map = btree:/var/lib/postfix/verify + +NOTE 1: As of version 2.5, Postfix no longer uses root privileges when opening +this file. The file should now be stored under the Postfix-owned +data_directory. As a migration aid, an attempt to open the file under a non- +Postfix directory is redirected to the Postfix-owned data_directory, and a +warning is logged. If you wish to continue using an pre-existing database file, +move it to the data_directory, and change ownership to the account specfied +with the mail_owner parameter. + +NOTE 2: Do not put this file in a file system that may run out of space. When +the address verification table gets corrupted the world comes to an end and YOU will have to MANUALLY fix things as described in the next section. Meanwhile, you will not receive mail via SMTP. -The verify(8) daemon process will create a new database when none exists, and -will open/create the file before it enters the chroot jail and before it drops -root privileges. +NOTE 3: The verify(8) daemon process will create a new database when none +exists, and will open/create the file before it enters the chroot jail. MMaannaaggiinngg tthhee aaddddrreessss vveerriiffiiccaattiioonn ddaattaabbaassee diff --git a/postfix/README_FILES/TLS_LEGACY_README b/postfix/README_FILES/TLS_LEGACY_README index 78d128521..f78af3ff6 100644 --- a/postfix/README_FILES/TLS_LEGACY_README +++ b/postfix/README_FILES/TLS_LEGACY_README 
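Review bot: NOTE 1 in the ADDRESS_VERIFICATION_README hunk has two typos in the added text: "an pre-existing database file" should read "a pre-existing database file", and "specfied" should read "specified". The corresponding sentence added to TLS_README later in this patch has it right ("a pre-existing PRNG state file ... the account specified with the mail_owner parameter"), so the wording can be copied from there.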
@@ -375,7 +375,11 @@ is high. Example: /etc/postfix/main.cf: - smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache + smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache + +As of version 2.5, Postfix will no longer maintain this file in a directory +with non-Postfix ownership. As a migration aid, attempts to open such files are +redirected to the Postfix-owned $data_directory, and a warning is logged. Cached Postfix SMTP server session information expires after a certain amount of time. Postfix/TLS does not use the OpenSSL default of 300s, but a longer @@ -627,7 +631,11 @@ client is allowed to negotiate per unit time. Example: /etc/postfix/main.cf: - smtp_tls_session_cache_database = btree:/etc/postfix/smtp_scache + smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache + +As of version 2.5, Postfix will no longer maintain this file in a directory +with non-Postfix ownership. As a migration aid, attempts to open such files are +redirected to the Postfix-owned $data_directory, and a warning is logged. Cached Postfix SMTP client session information expires after a certain amount of time. Postfix/TLS does not use the OpenSSL default of 300s, but a longer diff --git a/postfix/README_FILES/TLS_README b/postfix/README_FILES/TLS_README index 17a757873..db0ba5e2e 100644 --- a/postfix/README_FILES/TLS_README +++ b/postfix/README_FILES/TLS_README 
@@ -416,6 +416,12 @@ Example: /etc/postfix/main.cf: smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache +Note: as of version 2.5, Postfix no longer uses root privileges when opening +this file. The file should now be stored under the Postfix-owned +data_directory. As a migration aid, an attempt to open the file under a non- +Postfix directory is redirected to the Postfix-owned data_directory, and a +warning is logged. + Cached Postfix SMTP server session information expires after a certain amount of time. Postfix/TLS does not use the OpenSSL default of 300s, but a longer time of 3600sec (=1 hour). RFC 2246 recommends a maximum of 24 hours. @@ -744,6 +750,12 @@ Example: /etc/postfix/main.cf: smtp_tls_session_cache_database = btree:/etc/postfix/smtp_scache +Note: as of version 2.5, Postfix no longer uses root privileges when opening +this file. The file should now be stored under the Postfix-owned +data_directory. As a migration aid, an attempt to open the file under a non- +Postfix directory is redirected to the Postfix-owned data_directory, and a +warning is logged. + Cached Postfix SMTP client session information expires after a certain amount of time. Postfix/TLS does not use the OpenSSL default of 300s, but a longer time of 3600s (=1 hour). RFC 2246 recommends a maximum of 24 hours. 
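Review bot: both TLS_README hunks leave the unchanged example lines "smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache" and "smtp_tls_session_cache_database = btree:/etc/postfix/smtp_scache" in place directly above a new note saying the file should live under the Postfix-owned data_directory and that opening it elsewhere logs a warning and redirects. A reader who copies the example as written gets exactly the redirection warning the note describes. The TLS_LEGACY_README hunks in this same patch update their examples to btree:/var/lib/postfix/smtpd_scache and btree:/var/lib/postfix/smtp_scache; TLS_README should get the same change.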
@@ -1598,17 +1610,25 @@ Example: The tlsmgr(8) process saves the PRNG state to a persistent exchange file at regular times and when the process terminates, so that it can recover the PRNG state the next time it starts up. This file is created when it does not exist. -Its default location is under the Postfix configuration directory, which is not -the proper place for information that is modified by Postfix. Instead, the file -location should probably be on the /var partition (but nnoott inside the chroot -jail). Examples: /etc/postfix/main.cf: - tls_random_exchange_name = /etc/postfix/prng_exch + tls_random_exchange_name = /var/lib/postfix/prng_exch tls_random_prng_update_period = 3600s +As of version 2.5, Postfix no longer uses root privileges when opening this +file. The file should now be stored under the Postfix-owned data_directory. As +a migration aid, an attempt to open the file under a non-Postfix directory is +redirected to the Postfix-owned data_directory, and a warning is logged. If you +wish to continue using a pre-existing PRNG state file, move it to the +data_directory and change the ownership to the account specified with the +mail_owner parameter. + +With earlier Postfix versions the default file location is under the Postfix +configuration directory, which is not the proper place for information that is +modified by Postfix. + GGeettttiinngg ssttaarrtteedd,, qquuiicckk aanndd ddiirrttyy The following steps will get you started quickly. Because you sign your own diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index da2fd5d40..621020261 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES 
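Review bot: the sentence deleted in this hunk carried the caveat that the exchange file location must be "not inside the chroot jail", and the replacement text does not say whether that still applies now that the file lives under data_directory. ADDRESS_VERIFICATION_README NOTE 3 in this patch still states for the verify cache that the file is opened before the chroot jail is entered; if the same holds for tls_random_exchange_name, one sentence saying so would keep that information from being lost in the rewrite.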
@@ -17,13 +17,48 @@ Incompatibility with Postfix 2.3 and earlier If you upgrade from Postfix 2.3 or earlier, read RELEASE_NOTES-2.4 before proceeding. +Incompatibility with Postfix snapshot 20071206 +============================================== + +The "make install" and "make upgrade" procedures now create a +Postfix-owned directory for Postfix-writable data files such as +caches and random numbers. The location is specified with the +"data_directory" parameter (default: "/var/lib/postfix"), and the +ownership is specified with the "mail_owner" parameter. + +The tlsmgr(8) and verify(8) servers no longer use root privileges +when opening the address_verify_map, *_tls_session_cache_database, +and tls_random_exchange_name cache files. This avoids a potential +security loophole where the ownership of a file (or directory) does +not match the trust level of the content of that file (or directory). + +The tlsmgr(8) and verify(8) cache files should now be stored under +the Postfix-owned data_directory. As a migration aid, attempts to +open these files under a non-Postfix directory are redirected to +the Postfix-owned data_directory, and a warning is logged. + +This is an example of the warning messages: + + Dec 6 12:56:22 bristle postfix/tlsmgr[7899]: warning: request + to update file /etc/postfix/prng_exch in non-postfix directory + /etc/postfix + + Dec 6 12:56:22 bristle postfix/tlsmgr[7899]: warning: redirecting + the request to postfix-owned data_directory /var/lib/postfix + +If you wish to continue using a pre-existing tls_random_exchange_name +or address_verify_map file, move it to the Postfix-owned data_directory +and change ownership to the account specified with the mail_owner +configuration parameter. 
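Review bot: the first paragraph of the new "Incompatibility with Postfix snapshot 20071206" section repeats, almost word for word, the "Major changes with Postfix snapshot 20071205" paragraph that this same patch edits a few lines further down, so the reader sees the data_directory / mail_owner description twice in a row. Consider keeping it in one place, or reducing the 20071206 copy to a one-line pointer to the 20071205 section. The two example warning lines are useful and should stay.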
+ Major changes with Postfix snapshot 20071205 ============================================ The "make install" and "make upgrade" procedures now create a -postfix-owned directory for Postfix-writable data files such as +Postfix-owned directory for Postfix-writable data files such as caches and random numbers. The location is specified with the -"data_directory" variable (default: "/var/lib/postfix"). +"data_directory" parameter (default: "/var/lib/postfix"), and the +ownership is specified with the "mail_owner" parameter. Incompatibility with Postfix snapshot 20071203 ============================================== diff --git a/postfix/conf/master.cf b/postfix/conf/master.cf index c1677f807..18095ecb3 100644 --- a/postfix/conf/master.cf +++ b/postfix/conf/master.cf @@ -32,6 +32,7 @@ trace unix - - n - 0 bounce verify unix - - n - 1 verify flush unix n - n 1000? 0 flush proxymap unix - - n - - proxymap +proxywrite unix - - n - - proxymap smtp unix - - n - - smtp # When relaying mail as backup MX, disable fallback_relay to avoid MX loops relay unix - - n - - smtp diff --git a/postfix/html/ADDRESS_VERIFICATION_README.html b/postfix/html/ADDRESS_VERIFICATION_README.html index ce38c1534..fa6083041 100644 --- a/postfix/html/ADDRESS_VERIFICATION_README.html +++ b/postfix/html/ADDRESS_VERIFICATION_README.html @@ -272,7 +272,7 @@ specific domains that often appear in forged email.

unverified_sender_reject_code = 550 # Note 1: Be sure to read the "Caching" section below! # Note 2: Avoid hash files here. Use btree instead. - address_verify_map = btree:/var/mta/verify + address_verify_map = btree:/var/lib/postfix/verify /etc/postfix/sender_access: aol.com reject_unverified_sender @@ -314,7 +314,7 @@ you can see what mail would be blocked:

... # Note 1: Be sure to read the "Caching" section below! # Note 2: Avoid hash files here. Use btree instead. - address_verify_map = btree:/var/mta/verify + address_verify_map = btree:/var/lib/postfix/verify @@ -373,19 +373,28 @@ stop".

 /etc/postfix/main.cf:
     # Note: avoid hash files here. Use btree instead.
-    address_verify_map = btree:/var/mta/verify
+    address_verify_map = btree:/var/lib/postfix/verify
 
-

NOTE: Do not put this file in a file system that may run out +

NOTE 1: As of version 2.5, Postfix no longer uses root privileges +when opening this file. The file should now be stored under the +Postfix-owned data_directory. As a migration aid, an attempt to +open the file under a non-Postfix directory is redirected to the +Postfix-owned data_directory, and a warning is logged. If you wish +to continue using an pre-existing database file, move it to the +data_directory, and change ownership to the account specfied with +the mail_owner parameter.

+ +

NOTE 2: Do not put this file in a file system that may run out of space. When the address verification table gets corrupted the world comes to an end and YOU will have to MANUALLY fix things as described in the next section. Meanwhile, you will not receive mail via SMTP.

-

The verify(8) daemon process will create a new database when +

NOTE 3: The verify(8) daemon process will create a new database when none exists, and will open/create the file before it enters the -chroot jail and before it drops root privileges.

+chroot jail.

Managing the address verification database
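Review bot: the generated HTML copy of NOTE 1 in this hunk carries the same two typos as README_FILES/ADDRESS_VERIFICATION_README ("an pre-existing", "specfied"); fix both copies together so the text and HTML versions stay in sync.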

diff --git a/postfix/html/TLS_LEGACY_README.html b/postfix/html/TLS_LEGACY_README.html index d9862b104..e5787a031 100644 --- a/postfix/html/TLS_LEGACY_README.html +++ b/postfix/html/TLS_LEGACY_README.html @@ -33,7 +33,7 @@ encrypted session protects the information that is transmitted with SMTP mail or with SASL authentication.

Postfix version 2.2 introduces support for TLS as described in -RFC 3207. TLS Support for older Postfix versions was available as +RFC 3207. TLS Support for older Postfix versions was available as an add-on patch. The section "Compatibility with Postfix < 2.2 TLS support" below discusses the differences between these implementations.

@@ -425,7 +425,7 @@ private key. This is intended behavior.

You can ENFORCE the use of TLS, so that the Postfix SMTP server announces STARTTLS and accepts no mail without TLS encryption, by -setting "smtpd_enforce_tls = yes". According to RFC 2487 this MUST +setting "smtpd_enforce_tls = yes". According to RFC 2487 this MUST NOT be applied in case of a publicly-referenced Postfix SMTP server. This option is off by default and should only seldom be used.

@@ -564,13 +564,18 @@ the cost of repeatedly negotiating TLS session keys is high.

 /etc/postfix/main.cf:
-    smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
+    smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
 
+

As of version 2.5, Postfix will no longer maintain this file +in a directory with non-Postfix ownership. As a migration aid, +attempts to open such files are redirected to the Postfix-owned +$data_directory, and a warning is logged.

+

Cached Postfix SMTP server session information expires after a certain amount of time. Postfix/TLS does not use the OpenSSL -default of 300s, but a longer time of 3600sec (=1 hour). RFC 2246 +default of 300s, but a longer time of 3600sec (=1 hour). RFC 2246 recommends a maximum of 24 hours.

Example:
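Review bot: this note refers to "the Postfix-owned $data_directory" while every other new note in this patch (TLS_README, postconf.5, tlsmgr.8, verify.8) writes "the Postfix-owned data_directory" without the dollar sign, and it phrases the change as "will no longer maintain this file in a directory with non-Postfix ownership" instead of the "no longer uses root privileges when opening this file" wording used elsewhere. One consistent wording across the legacy and current READMEs would be easier to keep in sync; the README_FILES/TLS_LEGACY_README text hunk earlier in this patch has the same variant and should be adjusted together with this one.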

@@ -933,13 +938,18 @@ is allowed to negotiate per unit time.

 /etc/postfix/main.cf:
-    smtp_tls_session_cache_database = btree:/etc/postfix/smtp_scache
+    smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
 
+

As of version 2.5, Postfix will no longer maintain this file +in a directory with non-Postfix ownership. As a migration aid, +attempts to open such files are redirected to the Postfix-owned +$data_directory, and a warning is logged.

+

Cached Postfix SMTP client session information expires after a certain amount of time. Postfix/TLS does not use the OpenSSL -default of 300s, but a longer time of 3600s (=1 hour). RFC 2246 +default of 300s, but a longer time of 3600s (=1 hour). RFC 2246 recommends a maximum of 24 hours.

Example:

@@ -994,7 +1004,7 @@ CommonName is checked. Verification may be turned off with the

Enforcing the use of TLS is useful if you know that you will only -connect to servers that support RFC 2487 _and_ that present server +connect to servers that support RFC 2487 _and_ that present server certificates that meet the above requirements. An example would be a client only sends email to one specific mailhub that offers the necessary STARTTLS support.

@@ -1011,7 +1021,7 @@ the necessary STARTTLS support.

Disabling server certificate verification

-

As of RFC 2487 the requirements for hostname checking for MTA +

As of RFC 2487 the requirements for hostname checking for MTA clients are not set. When TLS is required (smtp_enforce_tls = yes), the option smtp_tls_enforce_peername can be set to "no" to disable strict remote SMTP server hostname checking. In this case, the mail diff --git a/postfix/html/TLS_README.html b/postfix/html/TLS_README.html index 1cbe97e32..d8ce9fc5c 100644 --- a/postfix/html/TLS_README.html +++ b/postfix/html/TLS_README.html @@ -463,7 +463,7 @@ so that the Postfix SMTP server announces STARTTLS and accepts no mail without TLS encryption, by setting "smtpd_tls_security_level = encrypt" (Postfix 2.3 and later) or "smtpd_enforce_tls = yes" (obsolete but still -supported). According to RFC 2487 this MUST NOT be applied in case +supported). According to RFC 2487 this MUST NOT be applied in case of a publicly-referenced Postfix SMTP server. This option is off by default and should only seldom be used.

@@ -616,9 +616,15 @@ the cost of repeatedly negotiating TLS session keys is high.

+

Note: as of version 2.5, Postfix no longer uses root privileges +when opening this file. The file should now be stored under the +Postfix-owned data_directory. As a migration aid, an attempt to +open the file under a non-Postfix directory is redirected to the +Postfix-owned data_directory, and a warning is logged.

+

Cached Postfix SMTP server session information expires after a certain amount of time. Postfix/TLS does not use the OpenSSL -default of 300s, but a longer time of 3600sec (=1 hour). RFC 2246 +default of 300s, but a longer time of 3600sec (=1 hour). RFC 2246 recommends a maximum of 24 hours.

Example:

@@ -1077,9 +1083,15 @@ is allowed to negotiate per unit time.

+

Note: as of version 2.5, Postfix no longer uses root privileges +when opening this file. The file should now be stored under the +Postfix-owned data_directory. As a migration aid, an attempt to +open the file under a non-Postfix directory is redirected to the +Postfix-owned data_directory, and a warning is logged.

+

Cached Postfix SMTP client session information expires after a certain amount of time. Postfix/TLS does not use the OpenSSL -default of 300s, but a longer time of 3600s (=1 hour). RFC 2246 +default of 300s, but a longer time of 3600s (=1 hour). RFC 2246 recommends a maximum of 24 hours.

Example:

@@ -1461,7 +1473,7 @@ verification as a default policy.

Mandatory server certificate verification as a default security level may be appropriate if you know that you will only connect to -servers that support RFC 2487 and that present verifiable +servers that support RFC 2487 and that present verifiable server certificates. An example would be a client that sends all email to a central mailhub that offers the necessary STARTTLS support. In such cases, you can often use a

Mandatory secure server certificate verification as a default security level may be appropriate if you know that you will only -connect to servers that support RFC 2487 and that present +connect to servers that support RFC 2487 and that present verifiable server certificates. An example would be a client that sends all email to a central mailhub that offers the necessary STARTTLS support.

@@ -2164,22 +2176,31 @@ The default maximal time interval is 1 hour.

The tlsmgr(8) process saves the PRNG state to a persistent exchange file at regular times and when the process terminates, so that it can recover the PRNG state the next time it starts up. -This file is created when it does not exist. Its default location -is under the Postfix configuration directory, which is not the -proper place for information that is modified by Postfix. Instead, -the file location should probably be on the /var partition (but -not inside the chroot jail).

+This file is created when it does not exist.

Examples:

 /etc/postfix/main.cf:
-    tls_random_exchange_name = /etc/postfix/prng_exch
+    tls_random_exchange_name = /var/lib/postfix/prng_exch
     tls_random_prng_update_period = 3600s
 
+

As of version 2.5, Postfix no longer uses root privileges when +opening this file. The file should now be stored under the Postfix-owned +data_directory. As a migration aid, an attempt to open the file +under a non-Postfix directory is redirected to the Postfix-owned +data_directory, and a warning is logged. If you wish to continue +using a pre-existing PRNG state file, move it to the data_directory +and change the ownership to the account specified with the mail_owner +parameter.

+ +

With earlier Postfix versions the default file location +is under the Postfix configuration directory, which is not the +proper place for information that is modified by Postfix.

+

Getting started, quick and dirty

The following steps will get you started quickly. Because you diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 7d364d855..cd525afc4 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -163,6 +163,12 @@ database becomes corrupted, the world comes to an end. To recover delete the file and do "postfix reload".

+

As of version 2.5, Postfix no longer uses root privileges when +opening this file. The file should now be stored under the Postfix-owned +data_directory. As a migration aid, an attempt to open the file +under a non-Postfix directory is redirected to the Postfix-owned +data_directory, and a warning is logged.

+

Examples:

@@ -6180,13 +6186,10 @@ This feature is available in Postfix 2.0 and later.
proxy_write_maps (default: see "postconf -d" output)
-

-The lookup tables that the proxymap(8) server is allowed to access -for the read-write service. If implemented with local files, these -tables are preferably stored under the location specified with the -data_directory configuration parameter. -Table references that don't begin with proxy: are ignored. -

+

The lookup tables that the proxymap(8) server is allowed to +access for the read-write service. Postfix-owned local database +files should be stored under the Postfix-owned data_directory. +Table references that don't begin with proxy: are ignored.

This feature is available in Postfix 2.5 and later. @@ -9116,13 +9119,19 @@ implemented indirectly in the tlsmgr(8) daemon. This per-smtp-instance master.cf overrides of this parameter are not effective. Note, that each of the cache databases supported by tlsmgr(8) daemon: $smtpd_tls_session_cache_database, $smtp_tls_session_cache_database -(and with Postfix 2.3 and later $lmtp_session_cache_database), needs to -be stored separately, it is not at this time possible to store multiple +(and with Postfix 2.3 and later $lmtp_tls_session_cache_database), needs to +be stored separately. It is not at this time possible to store multiple caches in a single database.

Note: dbm databases are not suitable. TLS session objects are too large.

+

As of version 2.5, Postfix no longer uses root privileges when +opening this file. The file should now be stored under the Postfix-owned +data_directory. As a migration aid, an attempt to open the file +under a non-Postfix directory is redirected to the Postfix-owned +data_directory, and a warning is logged.

+

Example:

@@ -11850,13 +11859,19 @@ implemented indirectly in the tlsmgr(8) daemon. This
 per-smtpd-instance master.cf overrides of this parameter are not
 effective. Note, that each of the cache databases supported by tlsmgr(8)
 daemon: $smtpd_tls_session_cache_database, $smtp_tls_session_cache_database
-(and with Postfix 2.3 and later $lmtp_session_cache_database), needs to be
-stored separately, it is not at this time possible to store multiple
+(and with Postfix 2.3 and later $lmtp_tls_session_cache_database), needs to be
+stored separately. It is not at this time possible to store multiple
 caches in a single database. 

Note: dbm databases are not suitable. TLS session objects are too large.

+

As of version 2.5, Postfix no longer uses root privileges when +opening this file. The file should now be stored under the Postfix-owned +data_directory. As a migration aid, an attempt to open the file +under a non-Postfix directory is redirected to the Postfix-owned +data_directory, and a warning is logged.

+

Example:

@@ -12245,15 +12260,18 @@ bytes is read. 

tls_random_exchange_name -(default: ${config_directory}/prng_exch)
+(default: see "postconf -d" output)

Name of the pseudo random number generator (PRNG) state file that is maintained by tlsmgr(8). The file is created when it does not exist, and its length is fixed at 1024 bytes.

-

Since this file is modified by Postfix, it should probably be -kept in the /var file system, instead of under $config_directory. -The location should not be inside the chroot jail.

+

As of version 2.5, Postfix no longer uses root privileges when +opening this file, and the default file location was changed from +${config_directory}/prng_exch to ${data_directory}/prng_exch. As +a migration aid, an attempt to open the file under a non-Postfix +directory is redirected to the Postfix-owned data_directory, and a +warning is logged.

This feature is available in Postfix 2.2 and later.

diff --git a/postfix/html/proxymap.8.html b/postfix/html/proxymap.8.html index 48100fe83..a11b312aa 100644 --- a/postfix/html/proxymap.8.html +++ b/postfix/html/proxymap.8.html @@ -117,13 +117,13 @@ PROXYMAP(8) PROXYMAP(8) sitive processes. Postfix-writable data files should be stored under a dedi- - cated directory that is writable only by the $mail_owner - account, such as the $data_directory directory. + cated directory that is writable only by the Postfix mail + system, such as the Postfix-owned data_directory. In particular, Postfix-writable files should never exist in root-owned directories. That would open up a particular - type of security hole where ownership (root) does not - match content provenance (Postfix). + type of security hole where ownership of a file or direc- + tory does not match the provider of its content. DIAGNOSTICS Problems and transactions are logged to syslogd(8). diff --git a/postfix/html/tlsmgr.8.html b/postfix/html/tlsmgr.8.html index a60980d8a..509ee8b06 100644 --- a/postfix/html/tlsmgr.8.html +++ b/postfix/html/tlsmgr.8.html @@ -47,6 +47,13 @@ TLSMGR(8) TLSMGR(8) source and exchange file, and creates or truncates the optional TLS session cache files. + With Postfix version 2.5 and later, the tlsmgr(8) no + longer uses root privileges when opening cache files. + These files should now be stored under the Postfix-owned + data_directory. As a migration aid, an attempt to open a + cache file under a non-Postfix directory is redirected to + the Postfix-owned data_directory, and a warning is logged. + DIAGNOSTICS Problems and transactions are logged to the syslog daemon. @@ -111,7 +118,7 @@ TLSMGR(8) TLSMGR(8) $tls_random_source when (re)seeding the in-memory pseudo random number generator (PRNG) pool. - tls_random_exchange_name (${config_directory}/prng_exch) + tls_random_exchange_name (see 'postconf -d' output) Name of the pseudo random number generator (PRNG) state file that is maintained by tlsmgr(8). 
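Review bot: in the tlsmgr.8.html hunk, "With Postfix version 2.5 and later, the tlsmgr(8) no longer uses root privileges" is missing a noun after "the tlsmgr(8)"; the parallel verify.8.html text in this patch reads "the verify(8) server no longer uses root privileges", so "the tlsmgr(8) server no longer uses" would match it.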
diff --git a/postfix/html/verify.8.html b/postfix/html/verify.8.html index 23dce7167..744a5bb71 100644 --- a/postfix/html/verify.8.html +++ b/postfix/html/verify.8.html @@ -54,6 +54,14 @@ VERIFY(8) VERIFY(8) trades one problem (disk space exhaustion) for another one (poor response time to client requests). + With Postfix version 2.5 and later, the verify(8) server + no longer uses root privileges when opening the + address_verify_map cache file. The file should now be + stored under the Postfix-owned data_directory. As a + migration aid, an attempt to open a cache file under a + non-Postfix directory is redirected to the Postfix-owned + data_directory, and a warning is logged. + DIAGNOSTICS Problems and transactions are logged to syslogd(8). @@ -82,12 +90,13 @@ VERIFY(8) VERIFY(8) Optional lookup table for persistent address veri- fication status storage. - address_verify_sender (postmaster) + address_verify_sender ($double_bounce_sender) The sender address to use in address verification - probes. + probes; prior to Postfix 2.5 the default was "post- + master". address_verify_positive_expire_time (31d) - The time after which a successful probe expires + The time after which a successful probe expires from the address verification cache. address_verify_positive_refresh_time (7d) 
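Review bot: the verify.8.html hunk documents a changed default, "address_verify_sender ($double_bounce_sender)" with "prior to Postfix 2.5 the default was postmaster", but neither the 20071206 HISTORY entry nor the RELEASE_NOTES incompatibility section in this patch mentions that default change. If it is new in this snapshot it changes the envelope sender of probe messages that remote sites see, and belongs in the release notes next to the cache-file changes; if it landed in an earlier snapshot and this is only a regenerated man page, ignore this.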
@@ -99,24 +108,24 @@ VERIFY(8) VERIFY(8) results. address_verify_negative_expire_time (3d) - The time after which a failed probe expires from + The time after which a failed probe expires from the address verification cache. address_verify_negative_refresh_time (3h) - The time after which a failed address verification + The time after which a failed address verification probe needs to be refreshed. PROBE MESSAGE ROUTING CONTROLS - By default, probe messages are delivered via the same - route as regular messages. The following parameters can + By default, probe messages are delivered via the same + route as regular messages. The following parameters can be used to override specific message routing mechanisms. address_verify_relayhost ($relayhost) - Overrides the relayhost parameter setting for + Overrides the relayhost parameter setting for address verification probes. address_verify_transport_maps ($transport_maps) - Overrides the transport_maps parameter setting for + Overrides the transport_maps parameter setting for address verification probes. address_verify_local_transport ($local_transport) @@ -124,7 +133,7 @@ VERIFY(8) VERIFY(8) address verification probes. address_verify_virtual_transport ($virtual_transport) - Overrides the virtual_transport parameter setting + Overrides the virtual_transport parameter setting for address verification probes. address_verify_relay_transport ($relay_transport) 
@@ -132,17 +141,17 @@ VERIFY(8) VERIFY(8) address verification probes. address_verify_default_transport ($default_transport) - Overrides the default_transport parameter setting + Overrides the default_transport parameter setting for address verification probes. MISCELLANEOUS CONTROLS config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and + The default location of the Postfix main.cf and master.cf configuration files. daemon_timeout (18000s) - How much time a Postfix daemon process may take to - handle a request before it is terminated by a + How much time a Postfix daemon process may take to + handle a request before it is terminated by a built-in watchdog timer. ipc_timeout (3600s) @@ -150,23 +159,23 @@ VERIFY(8) VERIFY(8) over an internal communication channel. process_id (read-only) - The process ID of a Postfix command or daemon + The process ID of a Postfix command or daemon process. process_name (read-only) - The process name of a Postfix command or daemon + The process name of a Postfix command or daemon process. queue_directory (see 'postconf -d' output) - The location of the Postfix top-level queue direc- + The location of the Postfix top-level queue direc- tory. syslog_facility (mail) The syslog facility of Postfix logging. syslog_name (postfix) - The mail system name that is prepended to the - process name in syslog records, so that "smtpd" + The mail system name that is prepended to the + process name in syslog records, so that "smtpd" becomes, for example, "postfix/smtpd". SEE ALSO @@ -179,7 +188,7 @@ VERIFY(8) VERIFY(8) ADDRESS_VERIFICATION_README, address verification howto LICENSE - The Secure Mailer license must be distributed with this + The Secure Mailer license must be distributed with this software. HISTORY diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index e204a342a..5bef7fd80 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 
@@ -99,6 +99,12 @@ Specify a location in a file system that will not fill up. If the database becomes corrupted, the world comes to an end. To recover delete the file and do "\fBpostfix reload\fR". .PP +As of version 2.5, Postfix no longer uses root privileges when +opening this file. The file should now be stored under the Postfix-owned +data_directory. As a migration aid, an attempt to open the file +under a non-Postfix directory is redirected to the Postfix-owned +data_directory, and a warning is logged. +.PP Examples: .PP .nf @@ -3436,10 +3442,9 @@ Table references that don't begin with proxy: are ignored. .PP This feature is available in Postfix 2.0 and later. .SH proxy_write_maps (default: see "postconf -d" output) -The lookup tables that the \fBproxymap\fR(8) server is allowed to access -for the read-write service. If implemented with local files, these -tables are preferably stored under the location specified with the -data_directory configuration parameter. +The lookup tables that the \fBproxymap\fR(8) server is allowed to +access for the read-write service. Postfix-owned local database +files should be stored under the Postfix-owned data_directory. Table references that don't begin with proxy: are ignored. .PP This feature is available in Postfix 2.5 and later. 
@@ -5359,13 +5364,19 @@ implemented indirectly in the \fBtlsmgr\fR(8) daemon. This means that per-smtp-instance master.cf overrides of this parameter are not effective. Note, that each of the cache databases supported by \fBtlsmgr\fR(8) daemon: $smtpd_tls_session_cache_database, $smtp_tls_session_cache_database -(and with Postfix 2.3 and later $lmtp_session_cache_database), needs to -be stored separately, it is not at this time possible to store multiple +(and with Postfix 2.3 and later $lmtp_tls_session_cache_database), needs to +be stored separately. It is not at this time possible to store multiple caches in a single database. .PP Note: \fBdbm\fR databases are not suitable. TLS session objects are too large. .PP +As of version 2.5, Postfix no longer uses root privileges when +opening this file. The file should now be stored under the Postfix-owned +data_directory. As a migration aid, an attempt to open the file +under a non-Postfix directory is redirected to the Postfix-owned +data_directory, and a warning is logged. +.PP Example: .PP .nf 
@@ -7234,13 +7245,19 @@ implemented indirectly in the \fBtlsmgr\fR(8) daemon. This means that per-smtpd-instance master.cf overrides of this parameter are not effective. Note, that each of the cache databases supported by \fBtlsmgr\fR(8) daemon: $smtpd_tls_session_cache_database, $smtp_tls_session_cache_database -(and with Postfix 2.3 and later $lmtp_session_cache_database), needs to be -stored separately, it is not at this time possible to store multiple +(and with Postfix 2.3 and later $lmtp_tls_session_cache_database), needs to be +stored separately. It is not at this time possible to store multiple caches in a single database. .PP Note: \fBdbm\fR databases are not suitable. TLS session objects are too large. .PP +As of version 2.5, Postfix no longer uses root privileges when +opening this file. The file should now be stored under the Postfix-owned +data_directory. As a migration aid, an attempt to open the file +under a non-Postfix directory is redirected to the Postfix-owned +data_directory, and a warning is logged. +.PP Example: .PP .nf 
@@ -7454,14 +7471,17 @@ symmetric keys. If using EGD or a device file, a maximum of 255 bytes is read. .PP This feature is available in Postfix 2.2 and later. -.SH tls_random_exchange_name (default: ${config_directory}/prng_exch) +.SH tls_random_exchange_name (default: see "postconf -d" output) Name of the pseudo random number generator (PRNG) state file that is maintained by \fBtlsmgr\fR(8). The file is created when it does not exist, and its length is fixed at 1024 bytes. .PP -Since this file is modified by Postfix, it should probably be -kept in the /var file system, instead of under $config_directory. -The location should not be inside the chroot jail. +As of version 2.5, Postfix no longer uses root privileges when +opening this file, and the default file location was changed from +${config_directory}/prng_exch to ${data_directory}/prng_exch. As +a migration aid, an attempt to open the file under a non-Postfix +directory is redirected to the Postfix-owned data_directory, and a +warning is logged. .PP This feature is available in Postfix 2.2 and later. .SH tls_random_prng_update_period (default: 3600s) diff --git a/postfix/man/man8/proxymap.8 b/postfix/man/man8/proxymap.8 index 6d6aa619d..025b30726 100644 --- a/postfix/man/man8/proxymap.8 +++ b/postfix/man/man8/proxymap.8 
@@ -119,13 +119,13 @@ and opens the table directly. This allows the same main.cf setting to be used by sensitive and non-sensitive processes. Postfix-writable data files should be stored under a dedicated -directory that is writable only by the $\fBmail_owner\fR -account, such as the $\fBdata_directory\fR directory. +directory that is writable only by the Postfix mail system, +such as the Postfix-owned \fBdata_directory\fR. In particular, Postfix-writable files should never exist in root-owned directories. That would open up a particular -type of security hole where ownership (root) does not match -content provenance (Postfix). +type of security hole where ownership of a file or directory +does not match the provider of its content. .SH DIAGNOSTICS .ad .fi @@ -185,8 +185,8 @@ Available in Postfix 2.5 and later: The directory with Postfix-writable data files (for example: caches, pseudo-random numbers). .IP "\fBproxy_write_maps (see 'postconf -d' output)\fR" -The lookup tables that the \fBproxymap\fR(8) server is allowed to access -for the read-write service. +The lookup tables that the \fBproxymap\fR(8) server is allowed to +access for the read-write service. .SH "SEE ALSO" .na .nf diff --git a/postfix/man/man8/tlsmgr.8 b/postfix/man/man8/tlsmgr.8 index 6bba143a5..5765ea391 100644 --- a/postfix/man/man8/tlsmgr.8 +++ b/postfix/man/man8/tlsmgr.8 @@ -48,6 +48,14 @@ The \fBtlsmgr\fR(8) can be run chrooted and with reduced privileges. At process startup it connects to the entropy source and exchange file, and creates or truncates the optional TLS session cache files. + +With Postfix version 2.5 and later, the \fBtlsmgr\fR(8) no +longer uses root privileges when opening cache files. These +files should now be stored under the Postfix-owned +\fBdata_directory\fR. As a migration aid, an attempt to +open a cache file under a non-Postfix directory is redirected +to the Postfix-owned \fBdata_directory\fR, and a warning +is logged. .SH DIAGNOSTICS .ad .fi 
@@ -110,7 +118,7 @@ random number generator (PRNG) pool. The number of bytes that \fBtlsmgr\fR(8) reads from $tls_random_source when (re)seeding the in-memory pseudo random number generator (PRNG) pool. -.IP "\fBtls_random_exchange_name (${config_directory}/prng_exch)\fR" +.IP "\fBtls_random_exchange_name (see 'postconf -d' output)\fR" Name of the pseudo random number generator (PRNG) state file that is maintained by \fBtlsmgr\fR(8). .IP "\fBtls_random_prng_update_period (3600s)\fR" diff --git a/postfix/man/man8/verify.8 b/postfix/man/man8/verify.8 index 2a9eedbe0..fa8c05ec9 100644 --- a/postfix/man/man8/verify.8 +++ b/postfix/man/man8/verify.8 @@ -52,6 +52,14 @@ The address verification server can be coerced to store unlimited amounts of garbage. Limiting the cache size trades one problem (disk space exhaustion) for another one (poor response time to client requests). + +With Postfix version 2.5 and later, the \fBverify\fR(8) +server no longer uses root privileges when opening the +\fBaddress_verify_map\fR cache file. The file should now +be stored under the Postfix-owned \fBdata_directory\fR. As +a migration aid, an attempt to open a cache file under a +non-Postfix directory is redirected to the Postfix-owned +\fBdata_directory\fR, and a warning is logged. .SH DIAGNOSTICS .ad .fi @@ -88,8 +96,9 @@ The text below provides only a parameter summary. See .IP "\fBaddress_verify_map (empty)\fR" Optional lookup table for persistent address verification status storage. -.IP "\fBaddress_verify_sender (postmaster)\fR" -The sender address to use in address verification probes. +.IP "\fBaddress_verify_sender ($double_bounce_sender)\fR" +The sender address to use in address verification probes; prior +to Postfix 2.5 the default was "postmaster". .IP "\fBaddress_verify_positive_expire_time (31d)\fR" The time after which a successful probe expires from the address verification cache. 
diff --git a/postfix/proto/ADDRESS_VERIFICATION_README.html b/postfix/proto/ADDRESS_VERIFICATION_README.html index 6addcb7b5..46be3f376 100644 --- a/postfix/proto/ADDRESS_VERIFICATION_README.html +++ b/postfix/proto/ADDRESS_VERIFICATION_README.html @@ -272,7 +272,7 @@ specific domains that often appear in forged email.

unverified_sender_reject_code = 550 # Note 1: Be sure to read the "Caching" section below! # Note 2: Avoid hash files here. Use btree instead. - address_verify_map = btree:/var/mta/verify + address_verify_map = btree:/var/lib/postfix/verify /etc/postfix/sender_access: aol.com reject_unverified_sender @@ -314,7 +314,7 @@ you can see what mail would be blocked:

... # Note 1: Be sure to read the "Caching" section below! # Note 2: Avoid hash files here. Use btree instead. - address_verify_map = btree:/var/mta/verify + address_verify_map = btree:/var/lib/postfix/verify @@ -373,19 +373,28 @@ stop".

 /etc/postfix/main.cf:
     # Note: avoid hash files here. Use btree instead.
-    address_verify_map = btree:/var/mta/verify
+    address_verify_map = btree:/var/lib/postfix/verify
 
-

NOTE: Do not put this file in a file system that may run out +

NOTE 1: As of version 2.5, Postfix no longer uses root privileges +when opening this file. The file should now be stored under the +Postfix-owned data_directory. As a migration aid, an attempt to +open the file under a non-Postfix directory is redirected to the +Postfix-owned data_directory, and a warning is logged. If you wish +to continue using an pre-existing database file, move it to the +data_directory, and change ownership to the account specfied with +the mail_owner parameter.

+ +

NOTE 2: Do not put this file in a file system that may run out of space. When the address verification table gets corrupted the world comes to an end and YOU will have to MANUALLY fix things as described in the next section. Meanwhile, you will not receive mail via SMTP.

-

The verify(8) daemon process will create a new database when +

NOTE 3: The verify(8) daemon process will create a new database when none exists, and will open/create the file before it enters the -chroot jail and before it drops root privileges.

+chroot jail.

Managing the address verification database

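Review bot: two typos in the added NOTE 1 paragraph of ADDRESS_VERIFICATION_README.html: "continue using an pre-existing database file" should read "a pre-existing database file", and "the account specfied with the mail_owner parameter" should read "specified". The same migration sentence in TLS_README.html ("If you wish to continue using a pre-existing PRNG state file ... the account specified with the mail_owner parameter") already has the correct spelling, so the two notes should be brought in line with each other.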
diff --git a/postfix/proto/TLS_README.html b/postfix/proto/TLS_README.html index e63a7e670..b8c74141e 100644 --- a/postfix/proto/TLS_README.html +++ b/postfix/proto/TLS_README.html @@ -616,6 +616,12 @@ the cost of repeatedly negotiating TLS session keys is high.

+

Note: as of version 2.5, Postfix no longer uses root privileges +when opening this file. The file should now be stored under the +Postfix-owned data_directory. As a migration aid, an attempt to +open the file under a non-Postfix directory is redirected to the +Postfix-owned data_directory, and a warning is logged.

+

Cached Postfix SMTP server session information expires after a certain amount of time. Postfix/TLS does not use the OpenSSL default of 300s, but a longer time of 3600sec (=1 hour). RFC 2246 @@ -1077,6 +1083,12 @@ is allowed to negotiate per unit time.

+

Note: as of version 2.5, Postfix no longer uses root privileges +when opening this file. The file should now be stored under the +Postfix-owned data_directory. As a migration aid, an attempt to +open the file under a non-Postfix directory is redirected to the +Postfix-owned data_directory, and a warning is logged.

+

Cached Postfix SMTP client session information expires after a certain amount of time. Postfix/TLS does not use the OpenSSL default of 300s, but a longer time of 3600s (=1 hour). RFC 2246 @@ -2164,22 +2176,31 @@ The default maximal time interval is 1 hour.

The tlsmgr(8) process saves the PRNG state to a persistent exchange file at regular times and when the process terminates, so that it can recover the PRNG state the next time it starts up. -This file is created when it does not exist. Its default location -is under the Postfix configuration directory, which is not the -proper place for information that is modified by Postfix. Instead, -the file location should probably be on the /var partition (but -not inside the chroot jail).

+This file is created when it does not exist.

Examples:

 /etc/postfix/main.cf:
-    tls_random_exchange_name = /etc/postfix/prng_exch
+    tls_random_exchange_name = /var/lib/postfix/prng_exch
     tls_random_prng_update_period = 3600s
 
+

As of version 2.5, Postfix no longer uses root privileges when +opening this file. The file should now be stored under the Postfix-owned +data_directory. As a migration aid, an attempt to open the file +under a non-Postfix directory is redirected to the Postfix-owned +data_directory, and a warning is logged. If you wish to continue +using a pre-existing PRNG state file, move it to the data_directory +and change the ownership to the account specified with the mail_owner +parameter.

+ +

With earlier Postfix versions the default file location +is under the Postfix configuration directory, which is not the +proper place for information that is modified by Postfix.

+

Getting started, quick and dirty

The following steps will get you started quickly. Because you diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 8a1889615..8f8daa962 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -183,6 +183,12 @@ Specify a location in a file system that will not fill up. If the database becomes corrupted, the world comes to an end. To recover delete the file and do "postfix reload".

+ +

As of version 2.5, Postfix no longer uses root privileges when +opening this file. The file should now be stored under the Postfix-owned +data_directory. As a migration aid, an attempt to open the file +under a non-Postfix directory is redirected to the Postfix-owned +data_directory, and a warning is logged.

Examples: @@ -7215,13 +7221,10 @@ This feature is available in Postfix 2.0 and later. %PARAM proxy_write_maps see "postconf -d" output -

-The lookup tables that the proxymap(8) server is allowed to access -for the read-write service. If implemented with local files, these -tables are preferably stored under the location specified with the -data_directory configuration parameter. -Table references that don't begin with proxy: are ignored. -

+

The lookup tables that the proxymap(8) server is allowed to +access for the read-write service. Postfix-owned local database +files should be stored under the Postfix-owned data_directory. +Table references that don't begin with proxy: are ignored.

This feature is available in Postfix 2.5 and later. @@ -8480,12 +8483,18 @@ implemented indirectly in the tlsmgr(8) daemon. This means that per-smtpd-instance master.cf overrides of this parameter are not effective. Note, that each of the cache databases supported by tlsmgr(8) daemon: $smtpd_tls_session_cache_database, $smtp_tls_session_cache_database -(and with Postfix 2.3 and later $lmtp_session_cache_database), needs to be -stored separately, it is not at this time possible to store multiple +(and with Postfix 2.3 and later $lmtp_tls_session_cache_database), needs to be +stored separately. It is not at this time possible to store multiple caches in a single database.

Note: dbm databases are not suitable. TLS session objects are too large.

+ +

As of version 2.5, Postfix no longer uses root privileges when +opening this file. The file should now be stored under the Postfix-owned +data_directory. As a migration aid, an attempt to open the file +under a non-Postfix directory is redirected to the Postfix-owned +data_directory, and a warning is logged.

Example:

@@ -8738,12 +8747,18 @@ implemented indirectly in the tlsmgr(8) daemon. This means that per-smtp-instance master.cf overrides of this parameter are not effective. Note, that each of the cache databases supported by tlsmgr(8) daemon: $smtpd_tls_session_cache_database, $smtp_tls_session_cache_database -(and with Postfix 2.3 and later $lmtp_session_cache_database), needs to -be stored separately, it is not at this time possible to store multiple +(and with Postfix 2.3 and later $lmtp_tls_session_cache_database), needs to +be stored separately. It is not at this time possible to store multiple caches in a single database.

Note: dbm databases are not suitable. TLS session objects are too large.

+ +

As of version 2.5, Postfix no longer uses root privileges when +opening this file. The file should now be stored under the Postfix-owned +data_directory. As a migration aid, an attempt to open the file +under a non-Postfix directory is redirected to the Postfix-owned +data_directory, and a warning is logged.

Example:

@@ -8966,15 +8981,18 @@ smtp_tls_dcert_file = /etc/postfix/client-dsa.pem

This feature is available in Postfix 2.2 and later.

-%PARAM tls_random_exchange_name ${config_directory}/prng_exch +%PARAM tls_random_exchange_name see "postconf -d" output

Name of the pseudo random number generator (PRNG) state file that is maintained by tlsmgr(8). The file is created when it does not exist, and its length is fixed at 1024 bytes.

-

Since this file is modified by Postfix, it should probably be -kept in the /var file system, instead of under $config_directory. -The location should not be inside the chroot jail.

+

As of version 2.5, Postfix no longer uses root privileges when +opening this file, and the default file location was changed from +${config_directory}/prng_exch to ${data_directory}/prng_exch. As +a migration aid, an attempt to open the file under a non-Postfix +directory is redirected to the Postfix-owned data_directory, and a +warning is logged.

This feature is available in Postfix 2.2 and later.

diff --git a/postfix/src/global/Makefile.in b/postfix/src/global/Makefile.in index b87e77335..bb44e93d9 100644 --- a/postfix/src/global/Makefile.in +++ b/postfix/src/global/Makefile.in @@ -28,7 +28,7 @@ SRCS = abounce.c anvil_clnt.c been_here.c bounce.c bounce_log.c \ tok822_resolve.c tok822_rewrite.c tok822_tree.c trace.c \ user_acl.c valid_mailhost_addr.c verify.c verify_clnt.c \ verp_sender.c wildcard_inet_addr.c xtext.c delivered_hdr.c \ - fold_addr.c header_body_checks.c mkmap_proxy.c + fold_addr.c header_body_checks.c mkmap_proxy.c data_redirect.c OBJS = abounce.o anvil_clnt.o been_here.o bounce.o bounce_log.o \ canon_addr.o cfg_parser.o cleanup_strerror.o cleanup_strflags.o \ clnt_stream.o conv_time.o db_common.o debug_peer.o debug_process.o \ @@ -58,7 +58,7 @@ OBJS = abounce.o anvil_clnt.o been_here.o bounce.o bounce_log.o \ tok822_resolve.o tok822_rewrite.o tok822_tree.o trace.o \ user_acl.o valid_mailhost_addr.o verify.o verify_clnt.o \ verp_sender.o wildcard_inet_addr.o xtext.o delivered_hdr.o \ - fold_addr.o header_body_checks.o mkmap_proxy.o + fold_addr.o header_body_checks.o mkmap_proxy.o data_redirect.o HDRS = abounce.h anvil_clnt.h been_here.h bounce.h bounce_log.h \ canon_addr.h cfg_parser.h cleanup_user.h clnt_stream.h config.h \ conv_time.h db_common.h debug_peer.h debug_process.h defer.h \ @@ -82,7 +82,7 @@ HDRS = abounce.h anvil_clnt.h been_here.h bounce.h bounce_log.h \ string_list.h strip_addr.h sys_exits.h timed_ipc.h tok822.h \ trace.h user_acl.h valid_mailhost_addr.h verify.h verify_clnt.h \ verp_sender.h wildcard_inet_addr.h xtext.h delivered_hdr.h \ - fold_addr.h header_body_checks.h + fold_addr.h header_body_checks.h data_redirect.h TESTSRC = rec2stream.c stream2rec.c recdump.c DEFS = -I. -I$(INC_DIR) -D$(SYSTYPE) CFLAGS = $(DEBUG) $(OPT) $(DEFS) 
@@ -94,7 +94,8 @@ TESTPROG= domain_list dot_lockfile mail_addr_crunch mail_addr_find \ resolve_local rewrite_clnt stream2rec string_list tok822_parse \ quote_821_local mail_conf_time mime_state strip_addr \ verify_clnt xtext anvil_clnt scache ehlo_mask \ - valid_mailhost_addr own_inet_addr header_body_checks + valid_mailhost_addr own_inet_addr header_body_checks \ + data_redirect LIBS = ../../lib/libutil.a LIB_DIR = ../../lib @@ -274,6 +275,9 @@ own_inet_addr: own_inet_addr.c $(LIB) $(LIBS) header_body_checks: header_body_checks.c $(LIB) $(LIBS) $(CC) $(CFLAGS) -DTEST -o $@ $@.c $(LIB) $(LIBS) $(SYSLIBS) +data_redirect: data_redirect.c $(LIB) $(LIBS) + $(CC) $(CFLAGS) -DTEST -o $@ $@.c $(LIB) $(LIBS) $(SYSLIBS) + tests: tok822_test mime_tests strip_addr_test tok822_limit_test \ xtext_test scache_multi_test ehlo_mask_test \ namadr_list_test mail_conf_time_test header_body_checks_tests @@ -636,6 +640,23 @@ conv_time.o: ../../include/msg.h conv_time.o: ../../include/sys_defs.h conv_time.o: conv_time.c conv_time.o: conv_time.h +data_redirect.o: ../../include/argv.h +data_redirect.o: ../../include/dict.h +data_redirect.o: ../../include/dict_cdb.h +data_redirect.o: ../../include/dict_db.h +data_redirect.o: ../../include/dict_dbm.h +data_redirect.o: ../../include/msg.h +data_redirect.o: ../../include/name_code.h +data_redirect.o: ../../include/split_at.h +data_redirect.o: ../../include/stringops.h +data_redirect.o: ../../include/sys_defs.h +data_redirect.o: ../../include/vbuf.h +data_redirect.o: ../../include/vstream.h +data_redirect.o: ../../include/vstring.h +data_redirect.o: data_redirect.c +data_redirect.o: data_redirect.h +data_redirect.o: dict_proxy.h +data_redirect.o: mail_params.h db_common.o: ../../include/argv.h db_common.o: ../../include/dict.h db_common.o: ../../include/match_list.h diff --git a/postfix/src/global/data_redirect.c b/postfix/src/global/data_redirect.c new file mode 100644 index 000000000..95697075c --- /dev/null 
+++ b/postfix/src/global/data_redirect.c 
@@ -0,0 +1,244 @@ +/*++ +/* NAME +/* data_redirect 3 +/* SUMMARY +/* redirect legacy writes to Postfix-owned data directory +/* SYNOPSIS +/* #include +/* +/* char *data_redirect_file(result, path) +/* VSTRING *result; +/* const char *path; +/* +/* char *data_redirect_map(result, map) +/* VSTRING *result; +/* const char *map; +/* DESCRIPTION +/* With Postfix version 2.5 and later, the tlsmgr(8) and +/* verify(8) servers no longer open cache files with root +/* privilege. This avoids a potential security loophole where +/* the ownership of a file (or directory) does not match the +/* trust level of the content of that file (or directory). +/* +/* This module implements a migration aid that allows a +/* transition without disruption of service. +/* +/* data_redirect_file() detects a request to open a file in a +/* non-Postfix directory, logs a warning, and redirects the +/* request to the Postfix-owned data_directory. +/* +/* data_redirect_map() performs the same function for a limited +/* subset of file-based lookup tables. +/* +/* Arguments: +/* .IP result +/* A possibly redirected copy of the input. +/* .IP path +/* The pathname that may be redirected. +/* .IP map +/* The "mapname" or "maptype:mapname" that may be redirected. +/* The result is always in "maptype:mapname" form. +/* BUGS +/* Only a few map types are redirected. This is acceptable for +/* a temporary migration tool. +/* DIAGNOSTICS +/* Fatal errors: memory allocation failure. +/* CONFIGURATION PARAMETERS +/* data_directory, location of Postfix-writable files +/* LICENSE +/* .ad +/* .fi +/* The Secure Mailer license must be distributed with this software. +/* AUTHOR(S) +/* Wietse Venema +/* IBM T.J. Watson Research +/* P.O. Box 704 +/* Yorktown Heights, NY 10598, USA +/*--*/ + +/* System library. */ + +#include +#include +#include + +/* Utility library. */ + +#include +#include +#include +#include +#include +#include +#include +#include + +/* Global directory. 
*/ + +#include +#include +#include + +/* Application-specific. */ + +#define STR(x) vstring_str(x) +#define LEN(x) VSTRING_LEN(x) + + /* + * Redirect only these map types, so that we don't try stupid things with + * NIS, *SQL or LDAP. This is a transition feature for legacy TLS and verify + * configurations, so it does not have to cover every possible map type. + * + * XXX In this same spirit of imperfection we also use hard-coded map names, + * because maintainers may add map types that the official release doesn't + * even know about, because map types may be added dynamically on some + * platforms. + */ +static NAME_CODE data_redirect_map_types[] = { + DICT_TYPE_HASH, 1, + DICT_TYPE_BTREE, 1, + DICT_TYPE_DBM, 1, + DICT_TYPE_CDB, 1, /* not a read-write map type */ + "sdbm", 1, /* legacy 3rd-party TLS */ + "dbz", 1, /* just in case */ + 0, 0, +}; + +/* data_redirect_path - redirect path to Postfix-owned directory */ + +static char *data_redirect_path(VSTRING *result, const char *path, + const char *log_type, const char *log_name) +{ + struct stat st; + +#define PATH_DELIMITER "/" + + (void) sane_dirname(result, path); + if (stat(STR(result), &st) != 0 || st.st_uid == var_owner_uid) { + vstring_strcpy(result, path); + } else { + msg_warn("request to update %s %s in non-%s directory %s", + log_type, log_name, var_mail_owner, STR(result)); + msg_warn("redirecting the request to %s-owned %s %s", + var_mail_owner, VAR_DATA_DIR, var_data_dir); + (void) sane_basename(result, path); + vstring_prepend(result, PATH_DELIMITER, sizeof(PATH_DELIMITER) - 1); + vstring_prepend(result, var_data_dir, strlen(var_data_dir)); + } + return (STR(result)); +} + +/* data_redirect_file - redirect file to Postfix-owned directory */ + +char *data_redirect_file(VSTRING *result, const char *path) +{ + + /* + * Sanity check. 
+ */ + if (path == STR(result)) + msg_panic("data_redirect_file: result clobbers input"); + + return (data_redirect_path(result, path, "file", path)); +} + +char *data_redirect_map(VSTRING *result, const char *map) +{ + const char *path; + const char *map_type; + size_t map_type_len; + +#define MAP_DELIMITER ":" + + /* + * Sanity check. + */ + if (map == STR(result)) + msg_panic("data_redirect_map: result clobbers input"); + + /* + * Parse the input into map type and map name. + */ + path = strchr(map, MAP_DELIMITER[0]); + if (path != 0) { + map_type = map; + map_type_len = path - map; + path += 1; + } else { + map_type = var_db_type; + map_type_len = strlen(map_type); + path = map; + } + + /* + * Redirect the pathname. + */ + vstring_strncpy(result, map_type, map_type_len); + if (name_code(data_redirect_map_types, NAME_CODE_FLAG_NONE, STR(result))) { + data_redirect_path(result, path, "table", map); + } else { + vstring_strcpy(result, path); + } + + /* + * (Re)combine the map type with the map name. + */ + vstring_prepend(result, MAP_DELIMITER, sizeof(MAP_DELIMITER) - 1); + vstring_prepend(result, map_type, map_type_len); + return (STR(result)); +} + + /* + * Proof-of-concept test program. This can't be run as automated regression + * test, because the result depends on main.cf information (mail_owner UID + * and data_directory pathname) and on local file system details. 
+ */ +#ifdef TEST + +#include +#include +#include +#include + +int main(int argc, char **argv) +{ + VSTRING *inbuf = vstring_alloc(100); + VSTRING *result = vstring_alloc(100); + char *bufp; + char *cmd; + char *target; + char *junk; + + mail_conf_read(); + + while (vstring_get_nonl(inbuf, VSTREAM_IN) != VSTREAM_EOF) { + bufp = STR(inbuf); + if (!isatty(0)) { + vstream_printf("> %s\n", bufp); + vstream_fflush(VSTREAM_OUT); + } + if (*bufp == '#') + continue; + if ((cmd = mystrtok(&bufp, " \t")) == 0) { + vstream_printf("usage: file path|map maptype:mapname\n"); + vstream_fflush(VSTREAM_OUT); + continue; + } + target = mystrtok(&bufp, " \t"); + junk = mystrtok(&bufp, " \t"); + if (strcmp(cmd, "file") == 0 && target && !junk) { + data_redirect_file(result, target); + vstream_printf("%s -> %s\n", target, STR(result)); + } else if (strcmp(cmd, "map") == 0 && target && !junk) { + data_redirect_map(result, target); + vstream_printf("%s -> %s\n", target, STR(result)); + } else { + vstream_printf("usage: file path|map maptype:mapname\n"); + } + vstream_fflush(VSTREAM_OUT); + } + vstring_free(inbuf); + return (0); +} + +#endif diff --git a/postfix/src/global/data_redirect.h b/postfix/src/global/data_redirect.h new file mode 100644 index 000000000..28b431e90 --- /dev/null +++ b/postfix/src/global/data_redirect.h @@ -0,0 +1,31 @@ +#ifndef _DATA_REDIRECT_H_INCLUDED_ +#define _DATA_REDIRECT_H_INCLUDED_ + +/*++ +/* NAME +/* data_redirect 3h +/* SUMMARY +/* redirect writes from legacy pathname to Postfix-owned data directory +/* SYNOPSIS +/* #include "data_redirect.h" +/* DESCRIPTION +/* .nf + + /* + * External interface. + */ +char *data_redirect_file(VSTRING *, const char *); +char *data_redirect_map(VSTRING *, const char *); + +/* LICENSE +/* .ad +/* .fi +/* The Secure Mailer license must be distributed with this software. +/* AUTHOR(S) +/* Wietse Venema +/* IBM T.J. Watson Research +/* P.O. Box 704 +/* Yorktown Heights, NY 10598, USA +/*--*/ + +#endif 
diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index aac05a6ba..5cfaa1307 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -608,7 +608,7 @@ extern bool var_stat_home_dir; extern int var_dup_filter_limit; #define VAR_TLS_RAND_EXCH_NAME "tls_random_exchange_name" -#define DEF_TLS_RAND_EXCH_NAME "${config_directory}/prng_exch" +#define DEF_TLS_RAND_EXCH_NAME "${data_directory}/prng_exch" extern char *var_tls_rand_exch_name; #define VAR_TLS_RAND_SOURCE "tls_random_source" diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 3e91849b7..1d85f7598 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "2007111205" +#define MAIL_RELEASE_DATE "20071206" #define MAIL_VERSION_NUMBER "2.5" #ifdef SNAPSHOT diff --git a/postfix/src/proxymap/proxymap.c b/postfix/src/proxymap/proxymap.c index 2a3c392af..481510a8d 100644 --- a/postfix/src/proxymap/proxymap.c +++ b/postfix/src/proxymap/proxymap.c 
@@ -109,13 +109,13 @@ /* setting to be used by sensitive and non-sensitive processes. /* /* Postfix-writable data files should be stored under a dedicated -/* directory that is writable only by the $\fBmail_owner\fR -/* account, such as the $\fBdata_directory\fR directory. +/* directory that is writable only by the Postfix mail system, +/* such as the Postfix-owned \fBdata_directory\fR. /* /* In particular, Postfix-writable files should never exist /* in root-owned directories. That would open up a particular -/* type of security hole where ownership (root) does not match -/* content provenance (Postfix). +/* type of security hole where ownership of a file or directory +/* does not match the provider of its content. /* DIAGNOSTICS /* Problems and transactions are logged to \fBsyslogd\fR(8). /* BUGS @@ -169,8 +169,8 @@ /* The directory with Postfix-writable data files (for example: /* caches, pseudo-random numbers). /* .IP "\fBproxy_write_maps (see 'postconf -d' output)\fR" -/* The lookup tables that the \fBproxymap\fR(8) server is allowed to access -/* for the read-write service. +/* The lookup tables that the \fBproxymap\fR(8) server is allowed to +/* access for the read-write service. /* SEE ALSO /* postconf(5), configuration parameters /* master(5), generic daemon options diff --git a/postfix/src/tlsmgr/Makefile.in b/postfix/src/tlsmgr/Makefile.in index a25208427..597f6e650 100644 --- a/postfix/src/tlsmgr/Makefile.in +++ b/postfix/src/tlsmgr/Makefile.in @@ -61,6 +61,7 @@ depend: $(MAKES) # do not edit below this line - it is generated by 'make depend' tlsmgr.o: ../../include/argv.h tlsmgr.o: ../../include/attr.h +tlsmgr.o: ../../include/data_redirect.h tlsmgr.o: ../../include/dict.h tlsmgr.o: ../../include/events.h tlsmgr.o: ../../include/iostuff.h 
@@ -74,6 +75,7 @@ tlsmgr.o: ../../include/msg.h tlsmgr.o: ../../include/mymalloc.h tlsmgr.o: ../../include/name_code.h tlsmgr.o: ../../include/name_mask.h +tlsmgr.o: ../../include/set_eugid.h tlsmgr.o: ../../include/stringops.h tlsmgr.o: ../../include/sys_defs.h tlsmgr.o: ../../include/tls.h diff --git a/postfix/src/tlsmgr/tlsmgr.c b/postfix/src/tlsmgr/tlsmgr.c index 242c10d96..2fe71b36a 100644 --- a/postfix/src/tlsmgr/tlsmgr.c +++ b/postfix/src/tlsmgr/tlsmgr.c @@ -40,6 +40,14 @@ /* At process startup it connects to the entropy source and /* exchange file, and creates or truncates the optional TLS /* session cache files. +/* +/* With Postfix version 2.5 and later, the \fBtlsmgr\fR(8) no +/* longer uses root privileges when opening cache files. These +/* files should now be stored under the Postfix-owned +/* \fBdata_directory\fR. As a migration aid, an attempt to +/* open a cache file under a non-Postfix directory is redirected +/* to the Postfix-owned \fBdata_directory\fR, and a warning +/* is logged. /* DIAGNOSTICS /* Problems and transactions are logged to the syslog daemon. /* BUGS @@ -92,7 +100,7 @@ /* The number of bytes that \fBtlsmgr\fR(8) reads from $tls_random_source /* when (re)seeding the in-memory pseudo random number generator (PRNG) /* pool. -/* .IP "\fBtls_random_exchange_name (${config_directory}/prng_exch)\fR" +/* .IP "\fBtls_random_exchange_name (see 'postconf -d' output)\fR" /* Name of the pseudo random number generator (PRNG) state file /* that is maintained by \fBtlsmgr\fR(8). /* .IP "\fBtls_random_prng_update_period (3600s)\fR" @@ -187,6 +195,7 @@ #include #include #include +#include /* Global library. */ @@ -195,6 +204,7 @@ #include #include #include +#include /* Master process interface. */ @@ -737,6 +747,7 @@ static void tlsmgr_pre_init(char *unused_name, char **unused_argv) char *path; struct timeval tv; TLSMGR_SCACHE *ent; + VSTRING *redirect; /* * If nothing else works then at least this will get us a few bits of 
@@ -796,28 +807,48 @@ static void tlsmgr_pre_init(char *unused_name, char **unused_argv) } /* - * Open the PRNG exchange file while privileged. Start the exchange file - * read/update pseudo thread after dropping privileges. + * Security: don't create root-owned files that contain untrusted data. + * And don't create Postfix-owned files in root-owned directories, + * either. We want a correct relationship between (file/directory) + * ownership and (file/directory) content. + */ + SAVE_AND_SET_EUGID(var_owner_uid, var_owner_gid); + redirect = vstring_alloc(100); + + /* + * Open the PRNG exchange file before going to jail, but don't use root + * privileges. Start the exchange file read/update pseudo thread after + * dropping privileges. */ if (*var_tls_rand_exch_name) { - rand_exch = tls_prng_exch_open(var_tls_rand_exch_name); + rand_exch = + tls_prng_exch_open(data_redirect_file(redirect, + var_tls_rand_exch_name)); if (rand_exch == 0) msg_fatal("cannot open PRNG exchange file %s: %m", var_tls_rand_exch_name); } /* - * Open the session cache files and discard old information while - * privileged. Start the cache maintenance pseudo threads after dropping - * privileges. + * Open the session cache files and discard old information before going + * to jail, but don't use root privilege. Start the cache maintenance + * pseudo threads after dropping privileges. * * XXX Need sanity check that the databases have different names. */ for (ent = cache_table; ent->cache_label; ++ent) if (**ent->cache_db) ent->cache_info = - tls_scache_open(*ent->cache_db, ent->cache_label, - *ent->cache_loglevel >= 2, *ent->cache_timeout); + tls_scache_open(data_redirect_map(redirect, *ent->cache_db), + ent->cache_label, + *ent->cache_loglevel >= 2, + *ent->cache_timeout); + + /* + * Clean up and restore privilege. + */ + vstring_free(redirect); + RESTORE_SAVED_EUGID(); } /* tlsmgr_post_init - post-jail initialization */ 
diff --git a/postfix/src/util/set_eugid.c b/postfix/src/util/set_eugid.c index f71b6b4e7..ef35380b5 100644 --- a/postfix/src/util/set_eugid.c +++ b/postfix/src/util/set_eugid.c @@ -9,10 +9,19 @@ /* void set_eugid(euid, egid) /* uid_t euid; /* gid_t egid; +/* +/* void SAVE_AND_SET_EUGID(uid, gid) +/* uid_t uid; +/* gid_t gid; +/* +/* void RESTORE_SAVED_EUGID() /* DESCRIPTION /* set_eugid() sets the effective user and group process attributes /* and updates the process group access list to be just the specified /* effective group id. +/* +/* SAVE_AND_SET_EUGID() opens a block that executes with the +/* specified privilege. RESTORE_SAVED_EUGID() closes the block. /* DIAGNOSTICS /* All system call errors are fatal. /* SEE ALSO diff --git a/postfix/src/util/set_eugid.h b/postfix/src/util/set_eugid.h index e461cbfed..97a523e8c 100644 --- a/postfix/src/util/set_eugid.h +++ b/postfix/src/util/set_eugid.h @@ -15,6 +15,20 @@ extern void set_eugid(uid_t, gid_t); + /* + * The following macros open and close a block that runs at a different + * privilege level. To make mistakes with stray curly braces less likely, we + * shape the macros below as the head and tail of a do-while loop. + */ +#define SAVE_AND_SET_EUGID(uid, gid) do { \ + uid_t __set_eugid_uid = geteuid(); \ + gid_t __set_eugid_gid = getegid(); \ + set_eugid((uid), (gid)); + +#define RESTORE_SAVED_EUGID() \ + set_eugid(__set_eugid_uid, __set_eugid_gid); \ + } while (0) + /* LICENSE /* .ad /* .fi diff --git a/postfix/src/verify/Makefile.in b/postfix/src/verify/Makefile.in index 0bb5c159d..e5fa293c7 100644 --- a/postfix/src/verify/Makefile.in +++ b/postfix/src/verify/Makefile.in @@ -60,6 +60,7 @@ depend: $(MAKES) verify.o: ../../include/argv.h verify.o: ../../include/attr.h verify.o: ../../include/cleanup_user.h +verify.o: ../../include/data_redirect.h verify.o: ../../include/deliver_request.h verify.o: ../../include/dict.h verify.o: ../../include/dict_ht.h 
@@ -77,6 +78,7 @@ verify.o: ../../include/msg_stats.h verify.o: ../../include/mymalloc.h verify.o: ../../include/post_mail.h verify.o: ../../include/recipient_list.h +verify.o: ../../include/set_eugid.h verify.o: ../../include/split_at.h verify.o: ../../include/stringops.h verify.o: ../../include/sys_defs.h diff --git a/postfix/src/verify/verify.c b/postfix/src/verify/verify.c index 13db73fd8..ac7acd00b 100644 --- a/postfix/src/verify/verify.c +++ b/postfix/src/verify/verify.c @@ -44,6 +44,14 @@ /* unlimited amounts of garbage. Limiting the cache size /* trades one problem (disk space exhaustion) for another /* one (poor response time to client requests). +/* +/* With Postfix version 2.5 and later, the \fBverify\fR(8) +/* server no longer uses root privileges when opening the +/* \fBaddress_verify_map\fR cache file. The file should now +/* be stored under the Postfix-owned \fBdata_directory\fR. As +/* a migration aid, an attempt to open a cache file under a +/* non-Postfix directory is redirected to the Postfix-owned +/* \fBdata_directory\fR, and a warning is logged. /* DIAGNOSTICS /* Problems and transactions are logged to \fBsyslogd\fR(8). /* BUGS @@ -72,8 +80,9 @@ /* .IP "\fBaddress_verify_map (empty)\fR" /* Optional lookup table for persistent address verification status /* storage. -/* .IP "\fBaddress_verify_sender (postmaster)\fR" -/* The sender address to use in address verification probes. +/* .IP "\fBaddress_verify_sender ($double_bounce_sender)\fR" +/* The sender address to use in address verification probes; prior +/* to Postfix 2.5 the default was "postmaster". /* .IP "\fBaddress_verify_positive_expire_time (31d)\fR" /* The time after which a successful probe expires from the address /* verification cache. @@ -181,6 +190,7 @@ #include #include #include +#include /* Global library. */ @@ -189,6 +199,7 @@ #include #include #include +#include #include /* Server skeleton. */ 
@@ -540,6 +551,37 @@ static void post_jail_init(char *unused_name, char **unused_argv) static void pre_jail_init(char *unused_name, char **unused_argv) { mode_t saved_mask; + VSTRING *redirect; + + /* + * Never, ever, get killed by a master signal, as that would corrupt the + * database when we're in the middle of an update. + */ + setsid(); + + /* + * Security: don't create root-owned files that contain untrusted data. + * And don't create Postfix-owned files in root-owned directories, + * either. We want a correct relationship between (file/directory) + * ownership and (file/directory) content. + * + * XXX Non-root open can violate the principle of least surprise: Postfix + * can't open an *SQL config file for database read-write access, even + * though it can open that same control file for database read-only + * access. + * + * The solution is to query a map type and obtain its properties before + * opening it. A clean solution is to add a dict_info() API that is + * simlar to dict_open() except it returns properties (dict flags) only. + * A pragmatic solution is to overload the existing API and have + * dict_open() return a dummy map when given a null map name. + * + * However, the proxymap daemon has been opening *SQL maps as non-root for + * years now without anyone complaining, let's not solve a problem that + * doesn't exist. + */ + SAVE_AND_SET_EUGID(var_owner_uid, var_owner_gid); + redirect = vstring_alloc(100); /* * Keep state in persistent (external) or volatile (internal) map. @@ -548,7 +590,7 @@ static void pre_jail_init(char *unused_name, char **unused_argv) if (*var_verify_map) { saved_mask = umask(022); - verify_map = dict_open(var_verify_map, + verify_map = dict_open(data_redirect_map(redirect, var_verify_map), O_CREAT | O_RDWR, VERIFY_DICT_OPEN_FLAGS); (void) umask(saved_mask); 
@@ -557,10 +599,10 @@ static void pre_jail_init(char *unused_name, char **unused_argv) } /* - * Never, ever, get killed by a master signal, as that would corrupt the - * database when we're in the middle of an update. + * Clean up and restore privilege. */ - setsid(); + vstring_free(redirect); + RESTORE_SAVED_EUGID(); } MAIL_VERSION_STAMP_DECLARE;
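Review bot: the mail_params.h hunk changes DEF_TLS_RAND_EXCH_NAME from "${config_directory}/prng_exch" to "${data_directory}/prng_exch", which silently relocates the PRNG exchange file for every site that left tls_random_exchange_name at its default. The data_redirect_file() call in the tlsmgr.c hunk covers the other case (an explicit path in a non-Postfix directory), so a site on the old default simply starts with a new, empty exchange file under data_directory. The RELEASE_NOTES upgrade text should say so, and the install/upgrade step should either move the old file or warn when "${config_directory}/prng_exch" still exists.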
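Review bot: in the tlsmgr_pre_init() hunk, the msg_fatal("cannot open PRNG exchange file %s: %m", var_tls_rand_exch_name) call still reports the configured name, but the file actually opened is the data_redirect_file() result held in `redirect`; when a redirection took place the operator is pointed at the wrong path. Report vstring_str(redirect), or both the configured and the redirected path, in that message. The msg_fatal() also exits from inside the SAVE_AND_SET_EUGID()/RESTORE_SAVED_EUGID() block; that is harmless only because the process terminates, so a comment there would stop a future `return` from being added on that path.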
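Review bot: the set_eugid.h macros restore the saved credentials only when control falls through to RESTORE_SAVED_EUGID(); a `return`, `goto`, or `break` inside the do { ... } while (0) shape leaves the process running with the changed effective uid/gid and no diagnostic. The set_eugid.c DESCRIPTION hunk should state that restriction explicitly (no early exit between the two macros). Two smaller points: identifiers beginning with a double underscore (__set_eugid_uid, __set_eugid_gid) are reserved for the implementation in C, so a prefix such as set_eugid_saved_uid is safer; and because the macros expand to geteuid()/getegid() calls, callers need <unistd.h> in scope, which the header should include or document.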
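Review bot: in the verify.c pre_jail_init() hunk the new comment has a typo, "simlar" should read "similar". Moving setsid() to the top of the function (the later hunk removes the original call, so there is no double call) also extends the "never get killed by a master signal" protection to the dict_open() with O_CREAT | O_RDWR, which is a reasonable change in its own right; the comment on the moved call should say that the open is now covered, not only updates.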
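Review bot: the verify.c man-page hunk documents the address_verify_sender default as "$double_bounce_sender" and says that prior to Postfix 2.5 it was "postmaster", but the only mail_params.h change in this patch is DEF_TLS_RAND_EXCH_NAME; the diff does not show the corresponding default in code changing. Confirm that the DEF_ value was updated in an earlier snapshot and that the change is recorded in HISTORY and RELEASE_NOTES, since a changed probe sender is visible to remote sites.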