From: Wietse Venema
Date: Sun, 7 Sep 2014 05:00:00 +0000 (-0500)
Subject: postfix-2.12-20140907
X-Git-Tag: v3.0.0-RC1~37
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=558905a6627f93e3da1cb94a253039872f0c7370;p=thirdparty%2Fpostfix.git
postfix-2.12-20140907
---
diff --git a/postfix/HISTORY b/postfix/HISTORY
index b4aff9e13..b0e7a500d 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -20332,30 +20332,16 @@ Apologies for any names omitted.
Logging: the MySQL client now logs a warning when a match
against the "domain" list fails due to table lookup error
- (hte underlying mechanism already logs a warning, but it
+ (the underlying mechanism already logs a warning, but it
has less context information). File: global/dict_mysql.c.
-20140905
-
- Feature: support to fall back to an unauthenticated TLS
- security level ("may" or "encrypt) when the Postfix SMTP
- client cannot establish the preferred authenticated TLS
- security level ("dane", "dane-only", "fingerprint", "verify",
- or "secure"). The fall-back levels may be specified globally
- with the smtp_tls_fallback_level parameter or in per-site
- TLS policies with the "fallback" attribute. Viktor Dukhovni.
- Files: mantools/postlink, proto/TLS_README.html,
- ./proto/postconf.proto, global/mail_params.h, smtp/lmtp_params.c,
- smtp/smtp.c, smtp/smtp.h, smtp/smtp_connect.c, smtp/smtp_params.c,
- smtp/smtp_proto.c, smtp/smtp_tls_policy.c, smtp/smtp_trouble.c.
-
- Feature TLS audit logging, controlled with the
- smtp_tls_audit_template parameter. This may be configured
- to log TLS session properties at the end of each SMTP mail
- delivery over TLS, for successful and failed deliveries.
- This logging makes smtp_tls_loglevel=1 handshake logging
- mostly redundant. Viktor Dukhovni. Files: mantools/postlink,
- proto/TLS_README.html, ./proto/postconf.proto,
- global/mail_params.h, smtp/Makefile.in, smtp/lmtp_params.c,
- smtp/smtp.c, smtp/smtp.h, smtp/smtp_params.c, smtp/smtp_proto.c,
- smtp_tls_audit.c, tls/tls.h, util/mac_expand.c.
+20140907
+
+ Feature: with "confirm_delay_cleared = yes", Postfix informs
+ the sender when delayed mail leaves the queue. This can
+ result in a sudden burst of notifications at the end of a
+ prolonged network outage, and is therefore disabled by
+ default. Files: mantools/postlink, proto/postconf.proto,
+ global/deliver_request.h, global/mail_params.h, global/sent.c,
+ *qmgr/qmgr.c, *qmgr/qmgr_active.c, *qmgr/qmgr_message.c.
+
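Review bot: The 20140905 entry at the top of this hunk is deleted outright, so HISTORY no longer records that smtp_tls_fallback_level and smtp_tls_audit_template appeared in a snapshot, or why they were withdrawn. Anyone who tried that snapshot may still have "fallback=" attributes in a policy table and will find no explanation here. Keep the old entry and add a 20140907 line stating that both features were removed, with the reason.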
diff --git a/postfix/README_FILES/TLS_README b/postfix/README_FILES/TLS_README
index ad448e96b..adca4c825 100644
--- a/postfix/README_FILES/TLS_README
+++ b/postfix/README_FILES/TLS_README
@@ -1027,12 +1027,8 @@ default. This is the recommended configuration for early adopters.
* The "example.com" destination uses DANE, but if TLSA records are not
present or are unusable, mail is deferred.
- * The "example.org" destination uses DANE if possible, but uses opportunistic
- TLS if no TLSA records are found. The "fallback" attribute (Postfix >=
- 2.12) overrides the global main.cf smtp_tls_fallback_level parameter to
- employ unauthenticated mandatory encryption if DANE authentication fails,
- after logging a warning. See smtp_tls_audit_template for additional control
- over TLS security logging.
+ * The "example.org" destination uses DANE if possible, but if no TLSA records
+ are found opportunistic TLS is used.
main.cf:
indexed = ${default_database_type}:${config_directory}/
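Review bot: The replacement bullet for "example.org" covers only the case where no TLSA records are found; unlike the removed text, it no longer says what happens when TLSA records exist but authentication fails. Add a clause that states the outcome for that case, so the bullet cannot be read as saying that "dane" always degrades to opportunistic TLS.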
@@ -1056,8 +1052,6 @@ default. This is the recommended configuration for early adopters.
tls_policy:
example.com dane-only
- # Postfix >= 2.12, per-destination smtp_tls_fallback_level override
- example.org dane fallback=encrypt
master.cf:
dane unix - - n - - smtp
@@ -1638,9 +1632,7 @@ ddaannee
obtained for the remote SMTP server, SSLv2 is automatically disabled (see
smtp_tls_mandatory_protocols), and the server certificate must match the
TLSA records. RFC 6698 (DANE) TLS authentication and DNSSEC support is
- available with Postfix 2.11 and later. The optional "fallback" attribute
- provides a per-site override of the main.cf smtp_tls_fallback_level
- parameter (Postfix >= 2.12).
+ available with Postfix 2.11 and later.
ddaannee--oonnllyy
Mandatory DANE TLS. The TLS policy for the destination is obtained via TLSA
records in DNSSEC. If no TLSA records are found, or none are usable, no
@@ -1648,9 +1640,7 @@ ddaannee--oonnllyy
the remote SMTP server, SSLv2 is automatically disabled (see
smtp_tls_mandatory_protocols), and the server certificate must match the
TLSA records. RFC 6698 (DANE) TLS authentication and DNSSEC support is
- available with Postfix 2.11 and later. The optional "fallback" attribute
- provides a per-site override of the main.cf smtp_tls_fallback_level
- parameter (Postfix >= 2.12).
+ available with Postfix 2.11 and later.
ffiinnggeerrpprriinntt
Certificate fingerprint verification. Available with Postfix 2.5 and later.
At this security level, there are no trusted certificate authorities. The
@@ -1663,8 +1653,7 @@ ffiinnggeerrpprriinntt
combined with a "|" delimiter in a single match attribute, or multiple
match attributes can be employed. The ":" character is not used as a
delimiter as it occurs between each pair of fingerprint (hexadecimal)
- digits. The optional "fallback" attribute provides a per-site override of
- the main.cf smtp_tls_fallback_level parameter (Postfix >= 2.12).
+ digits.
vveerriiffyy
Mandatory server certificate verification. Mail is delivered only if the
TLS handshake succeeds, if the remote SMTP server certificate can be
@@ -1675,8 +1664,7 @@ vveerriiffyy
"tafile" attribute optionally modifies trust chain verification in the same
manner as the "smtp_tls_trust_anchor_file" parameter. The "tafile"
attribute may be specified multiple times to load multiple trust-anchor
- files. The optional "fallback" attribute provides a per-site override of
- the main.cf smtp_tls_fallback_level parameter (Postfix >= 2.12).
+ files.
sseeccuurree
Secure certificate verification. Mail is delivered only if the TLS
handshake succeeds, if the remote SMTP server certificate can be validated
@@ -1686,9 +1674,7 @@ sseeccuurree
"match" attribute is specified). With Postfix >= 2.11 the "tafile"
attribute optionally modifies trust chain verification in the same manner
as the "smtp_tls_trust_anchor_file" parameter. The "tafile" attribute may
- be specified multiple times to load multiple trust-anchor files. The
- optional "fallback" attribute provides a per-site override of the main.cf
- smtp_tls_fallback_level parameter (Postfix >= 2.12).
+ be specified multiple times to load multiple trust-anchor files.
Notes:
* The "match" attribute is especially useful to verify TLS certificates for
@@ -1722,7 +1708,6 @@ Example:
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# Postfix 2.5 and later
smtp_tls_fingerprint_digest = md5
-
/etc/postfix/tls_policy:
example.edu none
example.mil may
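Review bot: The only change in this hunk is the removal of the blank line between the main.cf settings and the "/etc/postfix/tls_policy:" heading, which is unrelated to withdrawing the "fallback" attribute and makes the policy-table heading run into the main.cf block. Restore the separator line.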
@@ -1738,8 +1723,6 @@ Example:
# Postfix 2.6 and later
example.info may protocols=!SSLv2 ciphers=medium
exclude=3DES
- # Postfix 2.12 and later override of smtp_tls_fallback_level
- fallback.example secure fallback=encrypt
NNoottee:: The "hostname" strategy if listed in a non-default setting of
smtp_tls_secure_cert_match or in the "match" attribute in the policy table can
diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES
index 32d3d943f..c49daae86 100644
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@@ -41,27 +41,6 @@ Maintainers may also benefit from the makedefs documentation
(mantools/srctoman - makedefs | nroff -man | less) with information
about build options that are not described in the INSTALL instructions.
-Major changes with snapshot 20140905
-====================================
-
-Support to fall back to an unauthenticated TLS security level ("may"
-or "encrypt) when the Postfix SMTP client cannot establish the
-preferred authenticated TLS security level ("dane", "dane-only",
-"fingerprint", "verify", or "secure"). The fall-back levels may be
-specified globally with the smtp_tls_fallback_level parameter or
-in per-site TLS policies with the "fallback" attribute.
-
-If the above sounds like opportunistic authenticated TLS, than that
-is pretty-much it. Wietse is not fully convinced that this is a
-good idea, because it creates opportunities for downgrade attacks.
-
-SMTP client support to log TLS session properties after each mail
-delivery attempt. The content of this optional logfile record is
-configurable with the smtp_tls_audit_template parameter. The names
-of template properties are not yet final; the names of TLS session
-attributes need to be specific enough so that they will not collide
-with future names of non-TLS session attributes.
-
Major changes with snapshot 20140801
====================================
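Review bot: This hunk removes the 20140905 section but adds no 20140907 section, although the HISTORY hunk in the same commit introduces confirm_delay_cleared as a feature. RELEASE_NOTES should describe the new parameter and that it is disabled by default. It should also keep a sentence recording that the TLS fallback levels were withdrawn, because the removed paragraph about downgrade attacks is the only place where the concern is written down.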
diff --git a/postfix/WISHLIST b/postfix/WISHLIST
index 5a1aedfb3..a9a08d656 100644
--- a/postfix/WISHLIST
+++ b/postfix/WISHLIST
@@ -13,16 +13,6 @@ Wish list:
Clarify that receive_override_options should not be used
with smtpd_proxy_filter.
- Send a "relayed" notification upon delivery after a "delayed"
- notification was sent. This requres that the queue manager
- notices that the delay warning time has been reset, that
- the queue manager sets the NOTIFY=SUCCESS' flag on all
- subsequent delivery attempts for that message where SUCCESS'
- is like standard SUCCESS except instead of propagating it
- to a down-stream MTA, the Postfix SMTP client sends a
- "relayed" notice. Delivery agents will then report a
- "relayed" or "delivered" status for all successful deliveries.
-
Document the relative order of header_checks, address
rewriting, milters.
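Review bot: The removed wish asks for a notice "upon delivery", while the HISTORY entry in this commit says the sender is informed "when delayed mail leaves the queue", which reads as broader than successful delivery. Make sure the confirm_delay_cleared documentation states which outcomes trigger the notice; with that in place the removal here is fine.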
diff --git a/postfix/html/TLS_README.html b/postfix/html/TLS_README.html
index 234f80960..2548b9f57 100644
--- a/postfix/html/TLS_README.html
+++ b/postfix/html/TLS_README.html
@@ -1373,13 +1373,8 @@ for early adopters.
The "example.com" destination uses DANE, but if TLSA records
are not present or are unusable, mail is deferred.
- The "example.org" destination uses DANE if possible, but
-uses opportunistic TLS if no TLSA records are found. The
-"fallback" attribute (Postfix ≥ 2.12) overrides the global
-main.cf smtp_tls_fallback_level parameter to employ unauthenticated
-mandatory encryption if DANE authentication fails, after logging a
-warning. See smtp_tls_audit_template for additional control over TLS
-security logging.
+ The "example.org" destination uses DANE if possible, but if no TLSA
+records are found opportunistic TLS is used.
@@ -1399,16 +1394,26 @@ security logging.
# default_transport = smtp, but some destinations are special:
#
transport_maps = ${indexed}transport
+
+
+
+
transport:
example.com dane
example.org dane
+
+
+
+
tls_policy:
example.com dane-only
- # Postfix ≥ 2.12, per-destination smtp_tls_fallback_level override
- example.org dane fallback=encrypt
+
+
+
+
master.cf:
dane unix - - n - - smtp
-o smtp_dns_support_level=dnssec
@@ -2141,10 +2146,7 @@ href="#client_tls_encrypt">encrypt. When usable TLSA records
are obtained for the remote SMTP server, SSLv2 is automatically
disabled (see smtp_tls_mandatory_protocols), and the server certificate
must match the TLSA records. RFC 6698 (DANE) TLS authentication
-and DNSSEC support is available with Postfix 2.11 and later.
-The optional "fallback" attribute provides a per-site override of
-the main.cf smtp_tls_fallback_level parameter (Postfix ≥ 2.12).
-
+and DNSSEC support is available with Postfix 2.11 and later.
dane-only Mandatory DANE TLS.
The TLS policy for the destination is obtained via TLSA records in
@@ -2153,10 +2155,7 @@ connection is made to the server. When usable TLSA records are
obtained for the remote SMTP server, SSLv2 is automatically disabled
(see smtp_tls_mandatory_protocols), and the server certificate must
match the TLSA records. RFC 6698 (DANE) TLS authentication and
-DNSSEC support is available with Postfix 2.11 and later.
-The optional "fallback" attribute provides a per-site override of
-the main.cf smtp_tls_fallback_level parameter (Postfix ≥ 2.12).
-
+DNSSEC support is available with Postfix 2.11 and later.
fingerprint Certificate
fingerprint verification. Available with Postfix 2.5 and
@@ -2165,15 +2164,13 @@ authorities. The certificate trust chain, expiration date, ... are
not checked. Instead, the optional match attribute, or else
the main.cf smtp_tls_fingerprint_cert_match parameter, lists
the server certificate fingerprints or public key fingerprints
-(Postfix 2.9 and later). The digest algorithm used to calculate
-fingerprints is selected by the smtp_tls_fingerprint_digest
-parameter. Multiple fingerprints can be combined with a "|" delimiter
-in a single match attribute, or multiple match attributes can be
-employed. The ":" character is not used as a delimiter as it occurs
-between each pair of fingerprint (hexadecimal) digits.
-The optional "fallback" attribute provides a per-site override of
-the main.cf smtp_tls_fallback_level parameter (Postfix ≥ 2.12).
-
+(Postfix 2.9 and later). The
+digest algorithm used to calculate fingerprints is selected by the
+smtp_tls_fingerprint_digest parameter. Multiple fingerprints can
+be combined with a "|" delimiter in a single match attribute, or multiple
+match attributes can be employed. The ":" character is not used as a
+delimiter as it occurs between each pair of fingerprint (hexadecimal)
+digits.
verify Mandatory
server certificate verification. Mail is delivered only if the
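Review bot: Only the trailing "fallback" sentence needs to be removed from the fingerprint paragraph, but the hunk also re-wraps the six lines before it, starting at "(Postfix 2.9 and later). The", so the diff shows a rewrite where the wording is unchanged. Keep the original line breaks and delete just the "fallback" sentence, so that the change is reviewable at a glance.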
@@ -2184,11 +2181,9 @@ the optional "match" attribute (or the main.cf smtp_tls_trust_anchor_file" parameter. The "tafile" attribute may
-be specified multiple times to load multiple trust-anchor files.
-The optional "fallback" attribute provides a per-site override of
-the main.cf smtp_tls_fallback_level parameter (Postfix ≥ 2.12).
-
+"smtp_tls_trust_anchor_file" parameter. The "tafile" attribute
+may be specified multiple times to load multiple trust-anchor
+files.
secure Secure certificate
verification. Mail is delivered only if the TLS handshake succeeds,
@@ -2200,10 +2195,7 @@ server certificate name matches the optional "match" attribute (or the
attribute optionally modifies trust chain verification in the same manner
as the "smtp_tls_trust_anchor_file" parameter. The "tafile" attribute
may be specified multiple times to load multiple trust-anchor
-files.
-The optional "fallback" attribute provides a per-site override of
-the main.cf smtp_tls_fallback_level parameter (Postfix ≥ 2.12).
-
+files.
@@ -2250,7 +2242,6 @@ Example:
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# Postfix 2.5 and later
smtp_tls_fingerprint_digest = md5
-
/etc/postfix/tls_policy:
example.edu none
example.mil may
@@ -2265,8 +2256,6 @@ Example:
match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
# Postfix 2.6 and later
example.info may protocols=!SSLv2 ciphers=medium exclude=3DES
- # Postfix 2.12 and later override of smtp_tls_fallback_level
- fallback.example secure fallback=encrypt
diff --git a/postfix/html/lmtp.8.html b/postfix/html/lmtp.8.html
index 9a74d6b35..0356f23da 100644
--- a/postfix/html/lmtp.8.html
+++ b/postfix/html/lmtp.8.html
@@ -552,59 +552,50 @@ SMTP(8) SMTP(8)
tlsmgr_service_name (tlsmgr)
The name of the tlsmgr(8) service entry in master.cf.
- Available in Postfix version 2.12 and later:
-
- smtp_tls_audit_template (empty)
- Optional template for tls audit logging at the completion of
- each message data transfer.
-
- smtp_tls_fallback_level (empty)
- Optional fallback levels for authenticated TLS levels.
-
OBSOLETE STARTTLS CONTROLS
- The following configuration parameters exist for compatibility with
- Postfix versions before 2.3. Support for these will be removed in a
+ The following configuration parameters exist for compatibility with
+ Postfix versions before 2.3. Support for these will be removed in a
future release.
smtp_use_tls (no)
- Opportunistic mode: use TLS when a remote SMTP server announces
+ Opportunistic mode: use TLS when a remote SMTP server announces
STARTTLS support, otherwise send the mail in the clear.
smtp_enforce_tls (no)
- Enforcement mode: require that remote SMTP servers use TLS
+ Enforcement mode: require that remote SMTP servers use TLS
encryption, and never send mail in the clear.
smtp_tls_enforce_peername (yes)
- With mandatory TLS encryption, require that the remote SMTP
- server hostname matches the information in the remote SMTP
+ With mandatory TLS encryption, require that the remote SMTP
+ server hostname matches the information in the remote SMTP
server certificate.
smtp_tls_per_site (empty)
- Optional lookup tables with the Postfix SMTP client TLS usage
- policy by next-hop destination and by remote SMTP server hostâ
+ Optional lookup tables with the Postfix SMTP client TLS usage
+ policy by next-hop destination and by remote SMTP server hostâ
name.
smtp_tls_cipherlist (empty)
- Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS
+ Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS
cipher list.
RESOURCE AND RATE CONTROLS
smtp_destination_concurrency_limit ($default_destination_concurââ
rency_limit)
- The maximal number of parallel deliveries to the same destinaâ
+ The maximal number of parallel deliveries to the same destinaâ
tion via the smtp message delivery transport.
smtp_destination_recipient_limit ($default_destination_recipient_limit)
- The maximal number of recipients per message for the smtp mesâ
+ The maximal number of recipients per message for the smtp mesâ
sage delivery transport.
smtp_connect_timeout (30s)
- The Postfix SMTP client time limit for completing a TCP connecâ
+ The Postfix SMTP client time limit for completing a TCP connecâ
tion, or zero (use the operating system built-in time limit).
smtp_helo_timeout (300s)
- The Postfix SMTP client time limit for sending the HELO or EHLO
- command, and for receiving the initial remote SMTP server
+ The Postfix SMTP client time limit for sending the HELO or EHLO
+ command, and for receiving the initial remote SMTP server
response.
lmtp_lhlo_timeout (300s)
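Review bot: The substantive change in this hunk is the removal of the "Available in Postfix version 2.12 and later" block for smtp_tls_audit_template and smtp_tls_fallback_level; the other -/+ pairs below it show the same words on both sides and so differ only in whitespace from re-justified output. Regenerate the page so that unchanged paragraphs keep their previous spacing, or commit the regenerated output separately, so that the parameter removal is not buried in layout churn.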
@@ -616,19 +607,19 @@ SMTP(8) SMTP(8)
mand, and for receiving the remote SMTP server response.
smtp_mail_timeout (300s)
- The Postfix SMTP client time limit for sending the MAIL FROM
+ The Postfix SMTP client time limit for sending the MAIL FROM
command, and for receiving the remote SMTP server response.
smtp_rcpt_timeout (300s)
- The Postfix SMTP client time limit for sending the SMTP RCPT TO
+ The Postfix SMTP client time limit for sending the SMTP RCPT TO
command, and for receiving the remote SMTP server response.
smtp_data_init_timeout (120s)
- The Postfix SMTP client time limit for sending the SMTP DATA
+ The Postfix SMTP client time limit for sending the SMTP DATA
command, and for receiving the remote SMTP server response.
smtp_data_xfer_timeout (180s)
- The Postfix SMTP client time limit for sending the SMTP message
+ The Postfix SMTP client time limit for sending the SMTP message
content.
smtp_data_done_timeout (600s)
@@ -642,13 +633,13 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.1 and later:
smtp_mx_address_limit (5)
- The maximal number of MX (mail exchanger) IP addresses that can
- result from Postfix SMTP client mail exchanger lookups, or zero
+ The maximal number of MX (mail exchanger) IP addresses that can
+ result from Postfix SMTP client mail exchanger lookups, or zero
(no limit).
smtp_mx_session_limit (2)
- The maximal number of SMTP sessions per delivery request before
- the Postfix SMTP client gives up or delivers to a fall-back
+ The maximal number of SMTP sessions per delivery request before
+ the Postfix SMTP client gives up or delivers to a fall-back
relay host, or zero (no limit).
smtp_rset_timeout (20s)
@@ -658,17 +649,17 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.2 and earlier:
lmtp_cache_connection (yes)
- Keep Postfix LMTP client connections open for up to $max_idle
+ Keep Postfix LMTP client connections open for up to $max_idle
seconds.
Available in Postfix version 2.2 and later:
smtp_connection_cache_destinations (empty)
- Permanently enable SMTP connection caching for the specified
+ Permanently enable SMTP connection caching for the specified
destinations.
smtp_connection_cache_on_demand (yes)
- Temporarily enable SMTP connection caching while a destination
+ Temporarily enable SMTP connection caching while a destination
has a high volume of mail in the active queue.
smtp_connection_reuse_time_limit (300s)
@@ -682,23 +673,23 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.3 and later:
connection_cache_protocol_timeout (5s)
- Time limit for connection cache connect, send or receive operaâ
+ Time limit for connection cache connect, send or receive operaâ
tions.
Available in Postfix version 2.9 and later:
smtp_per_record_deadline (no)
- Change the behavior of the smtp_*_timeout time limits, from a
- time limit per read or write system call, to a time limit to
- send or receive a complete record (an SMTP command line, SMTP
- response line, SMTP message content line, or TLS protocol mesâ
+ Change the behavior of the smtp_*_timeout time limits, from a
+ time limit per read or write system call, to a time limit to
+ send or receive a complete record (an SMTP command line, SMTP
+ response line, SMTP message content line, or TLS protocol mesâ
sage).
Available in Postfix version 2.11 and later:
smtp_connection_reuse_count_limit (0)
- When SMTP connection caching is enabled, the number of times
- that an SMTP session may be reused before it is closed, or zero
+ When SMTP connection caching is enabled, the number of times
+ that an SMTP session may be reused before it is closed, or zero
(no limit).
SMTPUTF8 CONTROLS
@@ -709,21 +700,21 @@ SMTP(8) SMTP(8)
in RFC 6531..6533.
smtputf8_autodetect_classes (sendmail, verify)
- Detect that a message requires SMTPUTF8 support for the speciâ
+ Detect that a message requires SMTPUTF8 support for the speciâ
fied mail origin classes.
TROUBLE SHOOTING CONTROLS
debug_peer_level (2)
- The increment in verbose logging level when a remote client or
+ The increment in verbose logging level when a remote client or
server matches a pattern in the debug_peer_list parameter.
debug_peer_list (empty)
- Optional list of remote client or server hostname or network
+ Optional list of remote client or server hostname or network
address patterns that cause the verbose logging level to
increase by the amount specified in $debug_peer_level.
error_notice_recipient (postmaster)
- The recipient of postmaster notifications about mail delivery
+ The recipient of postmaster notifications about mail delivery
problems that are caused by policy, resource, software or protoâ
col errors.
@@ -737,46 +728,46 @@ SMTP(8) SMTP(8)
MISCELLANEOUS CONTROLS
best_mx_transport (empty)
- Where the Postfix SMTP client should deliver mail when it
+ Where the Postfix SMTP client should deliver mail when it
detects a "mail loops back to myself" error condition.
config_directory (see 'postconf -d' output)
- The default location of the Postfix main.cf and master.cf conâ
+ The default location of the Postfix main.cf and master.cf conâ
figuration files.
daemon_timeout (18000s)
- How much time a Postfix daemon process may take to handle a
+ How much time a Postfix daemon process may take to handle a
request before it is terminated by a built-in watchdog timer.
delay_logging_resolution_limit (2)
- The maximal number of digits after the decimal point when logâ
+ The maximal number of digits after the decimal point when logâ
ging sub-second delay values.
disable_dns_lookups (no)
Disable DNS lookups in the Postfix SMTP and LMTP clients.
inet_interfaces (all)
- The network interface addresses that this mail system receives
+ The network interface addresses that this mail system receives
mail on.
inet_protocols (all)
- The Internet protocols Postfix will attempt to use when making
+ The Internet protocols Postfix will attempt to use when making
or accepting connections.
ipc_timeout (3600s)
- The time limit for sending or receiving information over an
+ The time limit for sending or receiving information over an
internal communication channel.
lmtp_assume_final (no)
- When a remote LMTP server announces no DSN support, assume that
- the server performs final delivery, and send "delivered" delivâ
+ When a remote LMTP server announces no DSN support, assume that
+ the server performs final delivery, and send "delivered" delivâ
ery status notifications instead of "relayed".
lmtp_tcp_port (24)
The default TCP port that the Postfix LMTP client connects to.
max_idle (100s)
- The maximum amount of time that an idle Postfix daemon process
+ The maximum amount of time that an idle Postfix daemon process
waits for an incoming connection before terminating voluntarily.
max_use (100)
@@ -790,20 +781,20 @@ SMTP(8) SMTP(8)
The process name of a Postfix command or daemon process.
proxy_interfaces (empty)
- The network interface addresses that this mail system receives
+ The network interface addresses that this mail system receives
mail on by way of a proxy or network address translation unit.
smtp_address_preference (any)
The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP
- client will try first, when a destination has IPv6 and IPv4
+ client will try first, when a destination has IPv6 and IPv4
addresses with equal MX preference.
smtp_bind_address (empty)
- An optional numerical network address that the Postfix SMTP
+ An optional numerical network address that the Postfix SMTP
client should bind to when making an IPv4 connection.
smtp_bind_address6 (empty)
- An optional numerical network address that the Postfix SMTP
+ An optional numerical network address that the Postfix SMTP
client should bind to when making an IPv6 connection.
smtp_helo_name ($myhostname)
@@ -823,8 +814,8 @@ SMTP(8) SMTP(8)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
- The mail system name that is prepended to the process name in
- syslog records, so that "smtpd" becomes, for example, "postâ
+ The mail system name that is prepended to the process name in
+ syslog records, so that "smtpd" becomes, for example, "postâ
fix/smtpd".
Available with Postfix 2.2 and earlier:
diff --git a/postfix/html/oqmgr.8.html b/postfix/html/oqmgr.8.html
index 42f5a80fd..e41690037 100644
--- a/postfix/html/oqmgr.8.html
+++ b/postfix/html/oqmgr.8.html
@@ -14,11 +14,11 @@ OQMGR(8) OQMGR(8)
DESCRIPTION
The oqmgr(8) daemon awaits the arrival of incoming mail and arranges
- for its delivery via Postfix delivery processes. The actual mail rout-
- ing strategy is delegated to the trivial-rewrite(8) daemon. This pro-
+ for its delivery via Postfix delivery processes. The actual mail routâ
+ ing strategy is delegated to the trivial-rewrite(8) daemon. This proâ
gram expects to be run from the master(8) process manager.
- Mail addressed to the local double-bounce address is logged and dis-
+ Mail addressed to the local double-bounce address is logged and disâ
carded. This stops potential loops caused by undeliverable bounce
notifications.
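Review bot: The -/+ pairs in this hunk change only the end-of-line hyphen, from ASCII "-" to a non-ASCII character that shows up here as "â", which is unrelated to confirm_delay_cleared. Generate the HTML manual pages with ASCII hyphenation or declare the page encoding. Hyphenation is better switched off altogether, since later hunks in this file split parameter names such as maximal_queue_lifetime across lines, which breaks searching for them.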
@@ -56,7 +56,7 @@ OQMGR(8) OQMGR(8)
These files are maintained by the defer(8) daemon.
trace Per-recipient status information as requested with the Postfix
- "sendmail -v" or "sendmail -bv" command. These files are main-
+ "sendmail -v" or "sendmail -bv" command. These files are mainâ
tained by the trace(8) daemon.
The oqmgr(8) daemon is responsible for asking the bounce(8), defer(8)
@@ -72,14 +72,14 @@ OQMGR(8) OQMGR(8)
heavy load.
fairness
- When the active queue has room, the queue manager takes one mes-
+ When the active queue has room, the queue manager takes one mesâ
sage from the incoming queue and one from the deferred queue.
This prevents a large mail backlog from blocking the delivery of
new mail.
slow start
This strategy eliminates "thundering herd" problems by slowly
- adjusting the number of parallel deliveries to the same destina-
+ adjusting the number of parallel deliveries to the same destinaâ
tion.
round robin
@@ -89,17 +89,17 @@ OQMGR(8) OQMGR(8)
exponential backoff
Mail that cannot be delivered upon the first attempt is
- deferred. The time interval between delivery attempts is dou-
+ deferred. The time interval between delivery attempts is douâ
bled after each attempt.
destination status cache
- The queue manager avoids unnecessary delivery attempts by main-
- taining a short-term, in-memory list of unreachable destina-
+ The queue manager avoids unnecessary delivery attempts by mainâ
+ taining a short-term, in-memory list of unreachable destinaâ
tions.
TRIGGERS
On an idle system, the queue manager waits for the arrival of trigger
- events, or it waits for a timer to go off. A trigger is a one-byte mes-
+ events, or it waits for a timer to go off. A trigger is a one-byte mesâ
sage. Depending on the message received, the queue manager performs
one of the following actions (the message is followed by the symbolic
constant used internally by the software):
@@ -137,28 +137,28 @@ OQMGR(8) OQMGR(8)
RFC 3464 (Delivery status notifications)
SECURITY
- The oqmgr(8) daemon is not security sensitive. It reads single-charac-
+ The oqmgr(8) daemon is not security sensitive. It reads single-characâ
ter messages from untrusted local users, and thus may be susceptible to
denial of service attacks. The oqmgr(8) daemon does not talk to the
outside world, and it can be run at fixed low privilege in a chrooted
environment.
DIAGNOSTICS
- Problems and transactions are logged to the syslog(8) daemon. Cor-
- rupted message files are saved to the corrupt queue for further inspec-
+ Problems and transactions are logged to the syslog(8) daemon. Corâ
+ rupted message files are saved to the corrupt queue for further inspecâ
tion.
- Depending on the setting of the notify_classes parameter, the postmas-
+ Depending on the setting of the notify_classes parameter, the postmasâ
ter is notified of bounces and of other trouble.
BUGS
- A single queue manager process has to compete for disk access with mul-
+ A single queue manager process has to compete for disk access with mulâ
tiple front-end processes such as cleanup(8). A sudden burst of inbound
mail can negatively impact outbound delivery rates.
CONFIGURATION PARAMETERS
Changes to main.cf are not picked up automatically, as oqmgr(8) is a
- persistent process. Use the command "postfix reload" after a configura-
+ persistent process. Use the command "postfix reload" after a configuraâ
tion change.
The text below provides only a parameter summary. See postconf(5) for
@@ -207,15 +207,15 @@ OQMGR(8) OQMGR(8)
The default maximal number of parallel deliveries to the same
destination.
- transport_destination_concurrency_limit ($default_destination_concur-
- rency_limit)
+ transport_destination_concurrency_limit ($default_destination_concurââ
+ rency_limit)
Idem, for delivery via the named message transport.
Available in Postfix version 2.5 and later:
- transport_initial_destination_concurrency ($initial_destination_concur-
- rency)
- Initial concurrency for delivery via the named message trans-
+ transport_initial_destination_concurrency ($initial_destination_concurââ
+ rency)
+ Initial concurrency for delivery via the named message transâ
port.
default_destination_concurrency_failed_cohort_limit (1)
@@ -223,30 +223,30 @@ OQMGR(8) OQMGR(8)
failure before a specific destination is considered unavailable
(and further delivery is suspended).
- transport_destination_concurrency_failed_cohort_limit ($default_desti-
- nation_concurrency_failed_cohort_limit)
+ transport_destination_concurrency_failed_cohort_limit ($default_destiââ
+ nation_concurrency_failed_cohort_limit)
Idem, for delivery via the named message transport.
default_destination_concurrency_negative_feedback (1)
The per-destination amount of delivery concurrency negative
- feedback, after a delivery completes with a connection or hand-
+ feedback, after a delivery completes with a connection or handâ
shake failure.
- transport_destination_concurrency_negative_feedback ($default_destina-
- tion_concurrency_negative_feedback)
+ transport_destination_concurrency_negative_feedback ($default_destinaââ
+ tion_concurrency_negative_feedback)
Idem, for delivery via the named message transport.
default_destination_concurrency_positive_feedback (1)
The per-destination amount of delivery concurrency positive
- feedback, after a delivery completes without connection or hand-
+ feedback, after a delivery completes without connection or handâ
shake failure.
- transport_destination_concurrency_positive_feedback ($default_destina-
- tion_concurrency_positive_feedback)
+ transport_destination_concurrency_positive_feedback ($default_destinaââ
+ tion_concurrency_positive_feedback)
Idem, for delivery via the named message transport.
destination_concurrency_feedback_debug (no)
- Make the queue manager's feedback algorithm verbose for perfor-
+ Make the queue manager's feedback algorithm verbose for perforâ
mance analysis purposes.
RECIPIENT SCHEDULING CONTROLS
@@ -266,15 +266,15 @@ OQMGR(8) OQMGR(8)
maximal_queue_lifetime (5d)
Consider a message as undeliverable, when delivery fails with a
- temporary error, and the time in the queue has reached the maxi-
- mal_queue_lifetime limit.
+ temporary error, and the time in the queue has reached the maxiâ
+ mal_queue_lifetime limit.
queue_run_delay (300s)
The time between deferred queue scans by the queue manager;
prior to Postfix 2.4 the default value was 1000s.
transport_retry_time (60s)
- The time between attempts by the Postfix queue manager to con-
+ The time between attempts by the Postfix queue manager to conâ
tact a malfunctioning message delivery transport.
Available in Postfix version 2.1 and later:
@@ -289,7 +289,7 @@ OQMGR(8) OQMGR(8)
default_destination_rate_delay (0s)
The default amount of delay that is inserted between individual
deliveries to the same destination; the resulting behavior
- depends on the value of the corresponding per-destination recip-
+ depends on the value of the corresponding per-destination recipâ
ient limit.
transport_destination_rate_delay $default_destination_rate_delay
@@ -301,12 +301,12 @@ OQMGR(8) OQMGR(8)
a request before it is terminated by a built-in watchdog timer.
qmgr_ipc_timeout (60s)
- The time limit for the queue manager to send or receive informa-
+ The time limit for the queue manager to send or receive informaâ
tion over an internal communication channel.
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
- The default location of the Postfix main.cf and master.cf con-
+ The default location of the Postfix main.cf and master.cf conâ
figuration files.
defer_transports (empty)
@@ -314,11 +314,11 @@ OQMGR(8) OQMGR(8)
mail unless someone issues "sendmail -q" or equivalent.
delay_logging_resolution_limit (2)
- The maximal number of digits after the decimal point when log-
+ The maximal number of digits after the decimal point when logâ
ging sub-second delay values.
helpful_warnings (yes)
- Log warnings about problematic configuration settings, and pro-
+ Log warnings about problematic configuration settings, and proâ
vide helpful suggestions.
process_id (read-only)
@@ -335,9 +335,15 @@ OQMGR(8) OQMGR(8)
syslog_name (see 'postconf -d' output)
The mail system name that is prepended to the process name in
- syslog records, so that "smtpd" becomes, for example, "post-
+ syslog records, so that "smtpd" becomes, for example, "postâ
fix/smtpd".
+ Available in Postfix version 2.12 and later:
+
+ confirm_delay_cleared (no)
+ After sending a "your message is delayed" notification, inform
+ the sender when the delay clears up.
+
FILES
/var/spool/postfix/incoming, incoming queue
/var/spool/postfix/active, active queue
diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html
index 877ed8005..a09a1cc39 100644
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@@ -1537,6 +1537,21 @@ requires that the directory is listed with the main.cf file.
+
+
+confirm_delay_cleared
+(default: no)
+
+ After sending a "your message is delayed" notification, inform
+the sender when the delay clears up. This can result in a sudden
+burst of notifications at the end of a prolonged network outage,
+and is therefore disabled by default.
+
+ See also: delay_warning_time.
+
+ This feature is available in Postfix 2.12 and later.
+
+
connection_cache_protocol_timeout
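Review bot: the new confirm_delay_cleared entry ends with "See also: delay_warning_time" only, while the delay_warning_time entry updated later in this file cross-references delay_notice_recipient and notify_classes as well as confirm_delay_cleared. If those two parameters also govern the "delay cleared" message, list them here too; if they do not, say so, because a reader arriving from delay_warning_time will assume the same recipients and notification classes apply.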
@@ -2647,7 +2662,8 @@ See also: delay_warning_time, <
The time after which the sender receives a copy of the message
-headers of mail that is still queued.
+headers of mail that is still queued. The confirm_delay_cleared
+parameter controls sender notification when the delay clears up.
@@ -2662,7 +2678,7 @@ The default time unit is h (hours).
-See also: delay_notice_recipient, notify_classes.
+See also: delay_notice_recipient, notify_classes, confirm_delay_cleared.
@@ -4822,17 +4838,6 @@ configuration parameter. See there for details.
This feature is available in Postfix 2.3 and later.
-
-
-lmtp_tls_audit_template
-(default: empty)
-
- The LMTP-specific version of the smtp_tls_audit_template
-configuration parameter. See there for details.
-
- This feature is available in Postfix 2.12 and later.
-
-
lmtp_tls_block_early_mail_reply
@@ -4934,17 +4939,6 @@ configuration parameter. See there for details.
This feature is available in Postfix 2.3 and later.
-
-
-lmtp_tls_fallback_level
-(default: empty)
-
- The LMTP-specific version of the smtp_tls_fallback_level
-configuration parameter. See there for details.
-
- This feature is available in Postfix 2.12 and later.
-
-
lmtp_tls_fingerprint_cert_match
@@ -11286,74 +11280,6 @@ certificates.
This feature is available in Postfix 2.2 and later.
-
-
-smtp_tls_audit_template
-(default: empty)
-
- Optional template for tls audit logging at the completion of each
-message data transfer. If empty (the default setting) no TLS audit log
-entries are generated.
-
- The following $name expansions are done on smtp_tls_audit_template:
-
-
-
-- $relay
-- The remote SMTP server name[address]:port.
-
-
-- $level
-- The effective TLS security level after any fallback.
-
-- $policy
-- The desired TLS security level before any fallback, undefined
-if no fallback took place.
-
-- $auth
-- The authentication level of the remote SMTP server. One of
-"Cleartext", "Anonymous", "Untrusted", "Trusted" or "Verified".
-
-
-- $protocol
-- The TLS protocol version, defined only when TLS is used.
-
-- $cipher
-- The TLS cipher name, defined only when TLS is used.
-
-- $cert_digest
-- The digest of the remote SMTP server's certificate, defined
-only when TLS is used and the remote server presented a certificate.
-The digest algorithm is that specified via smtp_tls_fingerprint_digest.
-
-
-- $spki_digest
-- The digest of the remote SMTP server's public key (Subject
-Public Key Info or SPKI from X.509), defined only when TLS is used
-and the remote server presented a certificate. The digest algorithm
-is that specified via smtp_tls_fingerprint_digest.
-
-- ${name?value}
-
-- Expands to value when $name is non-empty.
-
-- ${name:value}
-
-- Expands to value when $name is empty.
-
-
-
- Example:
-
-
-/etc/postfix/main.cf:
- smtp_tls_audit_template =
- tlsaudit: relay=${relay}${auth?, auth=${auth}}${level?, level=${level}}${policy?, policy=${policy}}${protocol?, protocol=${protocol}}${cipher?, cipher=${cipher}}
-
-
- This feature is available in Postfix 2.12 and later.
-
-
smtp_tls_block_early_mail_reply
@@ -11607,62 +11533,6 @@ key exchange with RSA authentication.
This feature is available in Postfix 2.3 and later.
-
-
-smtp_tls_fallback_level
-(default: empty)
-
- Optional fallback levels for authenticated TLS levels. Specify
-a white-space or comma-separated list of
-policy_level=fallback_level pairs. The policy_level
-must require authentication (one of dane, dane-only, fingerprint,
-verify, secure). The fallback_level must be "encrypt" or
-"may". When an authenticated connection at some desired policy
-level cannot be established, delivery will proceed at the correponding
-fallback level if possible. A warning will be logged
-indicating the fallback reason. You can use smtp_tls_audit_template
-to record the TLS security status for each delivery.
-
- The TLS policy table
-can be used to specify a destination-specific fallback strategy via the
-"fallback" policy attribute. The value of the "fallback" attribute, if
-specified, must be "may", "encrypt" or "none". If not "none", this
-specifies the fallback level for the destination in question. If the
-attribute value is "none", fallback is suppressed for the destination
-even if enabled via a global setting of smtp_tls_fallback_level.
-
- Example:
-
-
-
-/etc/postfix/main.cf:
- # When authentication fails, log a warning and deliver anyway
- # over an unauthenticated TLS connection.
- #
- smtp_tls_fallback_level =
- dane=encrypt,
- dane-only=encrypt,
- fingerprint=encrypt,
- verify=encrypt,
- secure=encrypt
- indexed = ${default_database_type}:${config_directory}/
- smtp_tls_policy_maps = ${indexed}tls-policy
-
-
-
-
-
-/etc/postfix/tls-policy:
- # No fallback for example.com
- example.com secure fallback=none
- # For example.net tolerate cleartext fallback
- example.net dane fallback=may
-
-
-
- This feature is available in Postfix 2.12 and later.
-
-
smtp_tls_fingerprint_cert_match
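Review bot: this removal drops the only description of the "fallback" TLS policy attribute (fallback=none, fallback=may in the removed tls-policy example) and of smtp_tls_fallback_level, with nothing left behind for sites that configured either one from the earlier snapshot. Please state, here or in the release notes, what now happens to a main.cf or policy table entry that still carries these settings, and confirm that a destination at dane, dane-only, fingerprint, verify or secure is no longer delivered at "encrypt" or "may" when authentication fails. The removed example explicitly tolerated cleartext for example.net, so operators need to know the downgrade path is gone rather than silently ignored.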
diff --git a/postfix/html/qmgr.8.html b/postfix/html/qmgr.8.html
index 67766445d..2ea1e164a 100644
--- a/postfix/html/qmgr.8.html
+++ b/postfix/html/qmgr.8.html
@@ -18,7 +18,7 @@ QMGR(8) QMGR(8)
strategy is delegated to the trivial-rewrite(8) daemon. This program
expects to be run from the master(8) process manager.
- Mail addressed to the local double-bounce address is logged and dis-
+ Mail addressed to the local double-bounce address is logged and disâ
carded. This stops potential loops caused by undeliverable bounce
notifications.
@@ -56,7 +56,7 @@ QMGR(8) QMGR(8)
These files are maintained by the defer(8) daemon.
trace Per-recipient status information as requested with the Postfix
- "sendmail -v" or "sendmail -bv" command. These files are main-
+ "sendmail -v" or "sendmail -bv" command. These files are mainâ
tained by the trace(8) daemon.
The qmgr(8) daemon is responsible for asking the bounce(8), defer(8) or
@@ -72,14 +72,14 @@ QMGR(8) QMGR(8)
heavy load.
fairness
- When the active queue has room, the queue manager takes one mes-
+ When the active queue has room, the queue manager takes one mesâ
sage from the incoming queue and one from the deferred queue.
This prevents a large mail backlog from blocking the delivery of
new mail.
slow start
This strategy eliminates "thundering herd" problems by slowly
- adjusting the number of parallel deliveries to the same destina-
+ adjusting the number of parallel deliveries to the same destinaâ
tion.
round robin
@@ -89,12 +89,12 @@ QMGR(8) QMGR(8)
exponential backoff
Mail that cannot be delivered upon the first attempt is
- deferred. The time interval between delivery attempts is dou-
+ deferred. The time interval between delivery attempts is douâ
bled after each attempt.
destination status cache
- The queue manager avoids unnecessary delivery attempts by main-
- taining a short-term, in-memory list of unreachable destina-
+ The queue manager avoids unnecessary delivery attempts by mainâ
+ taining a short-term, in-memory list of unreachable destinaâ
tions.
preemptive message scheduling
@@ -104,7 +104,7 @@ QMGR(8) QMGR(8)
TRIGGERS
On an idle system, the queue manager waits for the arrival of trigger
- events, or it waits for a timer to go off. A trigger is a one-byte mes-
+ events, or it waits for a timer to go off. A trigger is a one-byte mesâ
sage. Depending on the message received, the queue manager performs
one of the following actions (the message is followed by the symbolic
constant used internally by the software):
@@ -144,7 +144,7 @@ QMGR(8) QMGR(8)
SECURITY
The qmgr(8) daemon is not security sensitive. It reads single-character
messages from untrusted local users, and thus may be susceptible to
- denial of service attacks. The qmgr(8) daemon does not talk to the out-
+ denial of service attacks. The qmgr(8) daemon does not talk to the outâ
side world, and it can be run at fixed low privilege in a chrooted
environment.
@@ -152,16 +152,16 @@ QMGR(8) QMGR(8)
Problems and transactions are logged to the syslog daemon. Corrupted
message files are saved to the corrupt queue for further inspection.
- Depending on the setting of the notify_classes parameter, the postmas-
+ Depending on the setting of the notify_classes parameter, the postmasâ
ter is notified of bounces and of other trouble.
BUGS
- A single queue manager process has to compete for disk access with mul-
+ A single queue manager process has to compete for disk access with mulâ
tiple front-end processes such as cleanup(8). A sudden burst of inbound
mail can negatively impact outbound delivery rates.
CONFIGURATION PARAMETERS
- Changes to main.cf are not picked up automatically as qmgr(8) is a per-
+ Changes to main.cf are not picked up automatically as qmgr(8) is a perâ
sistent process. Use the "postfix reload" command after a configuration
change.
@@ -239,15 +239,15 @@ QMGR(8) QMGR(8)
The default maximal number of parallel deliveries to the same
destination.
- transport_destination_concurrency_limit ($default_destination_concur-
- rency_limit)
+ transport_destination_concurrency_limit ($default_destination_concurââ
+ rency_limit)
Idem, for delivery via the named message transport.
Available in Postfix version 2.5 and later:
- transport_initial_destination_concurrency ($initial_destination_concur-
- rency)
- Initial concurrency for delivery via the named message trans-
+ transport_initial_destination_concurrency ($initial_destination_concurââ
+ rency)
+ Initial concurrency for delivery via the named message transâ
port.
default_destination_concurrency_failed_cohort_limit (1)
@@ -255,38 +255,38 @@ QMGR(8) QMGR(8)
failure before a specific destination is considered unavailable
(and further delivery is suspended).
- transport_destination_concurrency_failed_cohort_limit ($default_desti-
- nation_concurrency_failed_cohort_limit)
+ transport_destination_concurrency_failed_cohort_limit ($default_destiââ
+ nation_concurrency_failed_cohort_limit)
Idem, for delivery via the named message transport.
default_destination_concurrency_negative_feedback (1)
The per-destination amount of delivery concurrency negative
- feedback, after a delivery completes with a connection or hand-
+ feedback, after a delivery completes with a connection or handâ
shake failure.
- transport_destination_concurrency_negative_feedback ($default_destina-
- tion_concurrency_negative_feedback)
+ transport_destination_concurrency_negative_feedback ($default_destinaââ
+ tion_concurrency_negative_feedback)
Idem, for delivery via the named message transport.
default_destination_concurrency_positive_feedback (1)
The per-destination amount of delivery concurrency positive
- feedback, after a delivery completes without connection or hand-
+ feedback, after a delivery completes without connection or handâ
shake failure.
- transport_destination_concurrency_positive_feedback ($default_destina-
- tion_concurrency_positive_feedback)
+ transport_destination_concurrency_positive_feedback ($default_destinaââ
+ tion_concurrency_positive_feedback)
Idem, for delivery via the named message transport.
destination_concurrency_feedback_debug (no)
- Make the queue manager's feedback algorithm verbose for perfor-
+ Make the queue manager's feedback algorithm verbose for perforâ
mance analysis purposes.
RECIPIENT SCHEDULING CONTROLS
default_destination_recipient_limit (50)
The default maximal number of recipients per message delivery.
- transport_destination_recipient_limit ($default_destination_recipi-
- ent_limit)
+ transport_destination_recipient_limit ($default_destination_recipiââ
+ ent_limit)
Idem, for delivery via the named message transport.
MESSAGE SCHEDULING CONTROLS
@@ -328,15 +328,15 @@ QMGR(8) QMGR(8)
maximal_queue_lifetime (5d)
Consider a message as undeliverable, when delivery fails with a
- temporary error, and the time in the queue has reached the maxi-
- mal_queue_lifetime limit.
+ temporary error, and the time in the queue has reached the maxiâ
+ mal_queue_lifetime limit.
queue_run_delay (300s)
The time between deferred queue scans by the queue manager;
prior to Postfix 2.4 the default value was 1000s.
transport_retry_time (60s)
- The time between attempts by the Postfix queue manager to con-
+ The time between attempts by the Postfix queue manager to conâ
tact a malfunctioning message delivery transport.
Available in Postfix version 2.1 and later:
@@ -351,7 +351,7 @@ QMGR(8) QMGR(8)
default_destination_rate_delay (0s)
The default amount of delay that is inserted between individual
deliveries to the same destination; the resulting behavior
- depends on the value of the corresponding per-destination recip-
+ depends on the value of the corresponding per-destination recipâ
ient limit.
transport_destination_rate_delay $default_destination_rate_delay
@@ -363,12 +363,12 @@ QMGR(8) QMGR(8)
a request before it is terminated by a built-in watchdog timer.
qmgr_ipc_timeout (60s)
- The time limit for the queue manager to send or receive informa-
+ The time limit for the queue manager to send or receive informaâ
tion over an internal communication channel.
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
- The default location of the Postfix main.cf and master.cf con-
+ The default location of the Postfix main.cf and master.cf conâ
figuration files.
defer_transports (empty)
@@ -376,11 +376,11 @@ QMGR(8) QMGR(8)
mail unless someone issues "sendmail -q" or equivalent.
delay_logging_resolution_limit (2)
- The maximal number of digits after the decimal point when log-
+ The maximal number of digits after the decimal point when logâ
ging sub-second delay values.
helpful_warnings (yes)
- Log warnings about problematic configuration settings, and pro-
+ Log warnings about problematic configuration settings, and proâ
vide helpful suggestions.
process_id (read-only)
@@ -397,9 +397,15 @@ QMGR(8) QMGR(8)
syslog_name (see 'postconf -d' output)
The mail system name that is prepended to the process name in
- syslog records, so that "smtpd" becomes, for example, "post-
+ syslog records, so that "smtpd" becomes, for example, "postâ
fix/smtpd".
+ Available in Postfix version 2.12 and later:
+
+ confirm_delay_cleared (no)
+ After sending a "your message is delayed" notification, inform
+ the sender when the delay clears up.
+
FILES
/var/spool/postfix/incoming, incoming queue
/var/spool/postfix/active, active queue
diff --git a/postfix/html/smtp.8.html b/postfix/html/smtp.8.html
index 9a74d6b35..0356f23da 100644
--- a/postfix/html/smtp.8.html
+++ b/postfix/html/smtp.8.html
@@ -552,59 +552,50 @@ SMTP(8) SMTP(8)
tlsmgr_service_name (tlsmgr)
The name of the tlsmgr(8) service entry in master.cf.
- Available in Postfix version 2.12 and later:
-
- smtp_tls_audit_template (empty)
- Optional template for tls audit logging at the completion of
- each message data transfer.
-
- smtp_tls_fallback_level (empty)
- Optional fallback levels for authenticated TLS levels.
-
OBSOLETE STARTTLS CONTROLS
- The following configuration parameters exist for compatibility with
- Postfix versions before 2.3. Support for these will be removed in a
+ The following configuration parameters exist for compatibility with
+ Postfix versions before 2.3. Support for these will be removed in a
future release.
smtp_use_tls (no)
- Opportunistic mode: use TLS when a remote SMTP server announces
+ Opportunistic mode: use TLS when a remote SMTP server announces
STARTTLS support, otherwise send the mail in the clear.
smtp_enforce_tls (no)
- Enforcement mode: require that remote SMTP servers use TLS
+ Enforcement mode: require that remote SMTP servers use TLS
encryption, and never send mail in the clear.
smtp_tls_enforce_peername (yes)
- With mandatory TLS encryption, require that the remote SMTP
- server hostname matches the information in the remote SMTP
+ With mandatory TLS encryption, require that the remote SMTP
+ server hostname matches the information in the remote SMTP
server certificate.
smtp_tls_per_site (empty)
- Optional lookup tables with the Postfix SMTP client TLS usage
- policy by next-hop destination and by remote SMTP server hostâ
+ Optional lookup tables with the Postfix SMTP client TLS usage
+ policy by next-hop destination and by remote SMTP server hostâ
name.
smtp_tls_cipherlist (empty)
- Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS
+ Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS
cipher list.
RESOURCE AND RATE CONTROLS
smtp_destination_concurrency_limit ($default_destination_concurââ
rency_limit)
- The maximal number of parallel deliveries to the same destinaâ
+ The maximal number of parallel deliveries to the same destinaâ
tion via the smtp message delivery transport.
smtp_destination_recipient_limit ($default_destination_recipient_limit)
- The maximal number of recipients per message for the smtp mesâ
+ The maximal number of recipients per message for the smtp mesâ
sage delivery transport.
smtp_connect_timeout (30s)
- The Postfix SMTP client time limit for completing a TCP connecâ
+ The Postfix SMTP client time limit for completing a TCP connecâ
tion, or zero (use the operating system built-in time limit).
smtp_helo_timeout (300s)
- The Postfix SMTP client time limit for sending the HELO or EHLO
- command, and for receiving the initial remote SMTP server
+ The Postfix SMTP client time limit for sending the HELO or EHLO
+ command, and for receiving the initial remote SMTP server
response.
lmtp_lhlo_timeout (300s)
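Review bot: only the first nine removed lines of this hunk change content (the "Available in Postfix version 2.12 and later" block with smtp_tls_audit_template and smtp_tls_fallback_level); from "OBSOLETE STARTTLS CONTROLS" onward each "-" line is followed by a "+" line with the same words, which points to re-justified spacing from regenerating the page. Suggest splitting the regenerated output into its own commit, or reviewing with whitespace ignored, so the removal of the two TLS parameters is not lost among the following hunks of this file that repeat the same pattern.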
@@ -616,19 +607,19 @@ SMTP(8) SMTP(8)
mand, and for receiving the remote SMTP server response.
smtp_mail_timeout (300s)
- The Postfix SMTP client time limit for sending the MAIL FROM
+ The Postfix SMTP client time limit for sending the MAIL FROM
command, and for receiving the remote SMTP server response.
smtp_rcpt_timeout (300s)
- The Postfix SMTP client time limit for sending the SMTP RCPT TO
+ The Postfix SMTP client time limit for sending the SMTP RCPT TO
command, and for receiving the remote SMTP server response.
smtp_data_init_timeout (120s)
- The Postfix SMTP client time limit for sending the SMTP DATA
+ The Postfix SMTP client time limit for sending the SMTP DATA
command, and for receiving the remote SMTP server response.
smtp_data_xfer_timeout (180s)
- The Postfix SMTP client time limit for sending the SMTP message
+ The Postfix SMTP client time limit for sending the SMTP message
content.
smtp_data_done_timeout (600s)
@@ -642,13 +633,13 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.1 and later:
smtp_mx_address_limit (5)
- The maximal number of MX (mail exchanger) IP addresses that can
- result from Postfix SMTP client mail exchanger lookups, or zero
+ The maximal number of MX (mail exchanger) IP addresses that can
+ result from Postfix SMTP client mail exchanger lookups, or zero
(no limit).
smtp_mx_session_limit (2)
- The maximal number of SMTP sessions per delivery request before
- the Postfix SMTP client gives up or delivers to a fall-back
+ The maximal number of SMTP sessions per delivery request before
+ the Postfix SMTP client gives up or delivers to a fall-back
relay host, or zero (no limit).
smtp_rset_timeout (20s)
@@ -658,17 +649,17 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.2 and earlier:
lmtp_cache_connection (yes)
- Keep Postfix LMTP client connections open for up to $max_idle
+ Keep Postfix LMTP client connections open for up to $max_idle
seconds.
Available in Postfix version 2.2 and later:
smtp_connection_cache_destinations (empty)
- Permanently enable SMTP connection caching for the specified
+ Permanently enable SMTP connection caching for the specified
destinations.
smtp_connection_cache_on_demand (yes)
- Temporarily enable SMTP connection caching while a destination
+ Temporarily enable SMTP connection caching while a destination
has a high volume of mail in the active queue.
smtp_connection_reuse_time_limit (300s)
@@ -682,23 +673,23 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.3 and later:
connection_cache_protocol_timeout (5s)
- Time limit for connection cache connect, send or receive operaâ
+ Time limit for connection cache connect, send or receive operaâ
tions.
Available in Postfix version 2.9 and later:
smtp_per_record_deadline (no)
- Change the behavior of the smtp_*_timeout time limits, from a
- time limit per read or write system call, to a time limit to
- send or receive a complete record (an SMTP command line, SMTP
- response line, SMTP message content line, or TLS protocol mesâ
+ Change the behavior of the smtp_*_timeout time limits, from a
+ time limit per read or write system call, to a time limit to
+ send or receive a complete record (an SMTP command line, SMTP
+ response line, SMTP message content line, or TLS protocol mesâ
sage).
Available in Postfix version 2.11 and later:
smtp_connection_reuse_count_limit (0)
- When SMTP connection caching is enabled, the number of times
- that an SMTP session may be reused before it is closed, or zero
+ When SMTP connection caching is enabled, the number of times
+ that an SMTP session may be reused before it is closed, or zero
(no limit).
SMTPUTF8 CONTROLS
@@ -709,21 +700,21 @@ SMTP(8) SMTP(8)
in RFC 6531..6533.
smtputf8_autodetect_classes (sendmail, verify)
- Detect that a message requires SMTPUTF8 support for the speciâ
+ Detect that a message requires SMTPUTF8 support for the speciâ
fied mail origin classes.
TROUBLE SHOOTING CONTROLS
debug_peer_level (2)
- The increment in verbose logging level when a remote client or
+ The increment in verbose logging level when a remote client or
server matches a pattern in the debug_peer_list parameter.
debug_peer_list (empty)
- Optional list of remote client or server hostname or network
+ Optional list of remote client or server hostname or network
address patterns that cause the verbose logging level to
increase by the amount specified in $debug_peer_level.
error_notice_recipient (postmaster)
- The recipient of postmaster notifications about mail delivery
+ The recipient of postmaster notifications about mail delivery
problems that are caused by policy, resource, software or protoâ
col errors.
@@ -737,46 +728,46 @@ SMTP(8) SMTP(8)
MISCELLANEOUS CONTROLS
best_mx_transport (empty)
- Where the Postfix SMTP client should deliver mail when it
+ Where the Postfix SMTP client should deliver mail when it
detects a "mail loops back to myself" error condition.
config_directory (see 'postconf -d' output)
- The default location of the Postfix main.cf and master.cf conâ
+ The default location of the Postfix main.cf and master.cf conâ
figuration files.
daemon_timeout (18000s)
- How much time a Postfix daemon process may take to handle a
+ How much time a Postfix daemon process may take to handle a
request before it is terminated by a built-in watchdog timer.
delay_logging_resolution_limit (2)
- The maximal number of digits after the decimal point when logâ
+ The maximal number of digits after the decimal point when logâ
ging sub-second delay values.
disable_dns_lookups (no)
Disable DNS lookups in the Postfix SMTP and LMTP clients.
inet_interfaces (all)
- The network interface addresses that this mail system receives
+ The network interface addresses that this mail system receives
mail on.
inet_protocols (all)
- The Internet protocols Postfix will attempt to use when making
+ The Internet protocols Postfix will attempt to use when making
or accepting connections.
ipc_timeout (3600s)
- The time limit for sending or receiving information over an
+ The time limit for sending or receiving information over an
internal communication channel.
lmtp_assume_final (no)
- When a remote LMTP server announces no DSN support, assume that
- the server performs final delivery, and send "delivered" delivâ
+ When a remote LMTP server announces no DSN support, assume that
+ the server performs final delivery, and send "delivered" delivâ
ery status notifications instead of "relayed".
lmtp_tcp_port (24)
The default TCP port that the Postfix LMTP client connects to.
max_idle (100s)
- The maximum amount of time that an idle Postfix daemon process
+ The maximum amount of time that an idle Postfix daemon process
waits for an incoming connection before terminating voluntarily.
max_use (100)
@@ -790,20 +781,20 @@ SMTP(8) SMTP(8)
The process name of a Postfix command or daemon process.
proxy_interfaces (empty)
- The network interface addresses that this mail system receives
+ The network interface addresses that this mail system receives
mail on by way of a proxy or network address translation unit.
smtp_address_preference (any)
The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP
- client will try first, when a destination has IPv6 and IPv4
+ client will try first, when a destination has IPv6 and IPv4
addresses with equal MX preference.
smtp_bind_address (empty)
- An optional numerical network address that the Postfix SMTP
+ An optional numerical network address that the Postfix SMTP
client should bind to when making an IPv4 connection.
smtp_bind_address6 (empty)
- An optional numerical network address that the Postfix SMTP
+ An optional numerical network address that the Postfix SMTP
client should bind to when making an IPv6 connection.
smtp_helo_name ($myhostname)
@@ -823,8 +814,8 @@ SMTP(8) SMTP(8)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
- The mail system name that is prepended to the process name in
- syslog records, so that "smtpd" becomes, for example, "postâ
+ The mail system name that is prepended to the process name in
+ syslog records, so that "smtpd" becomes, for example, "postâ
fix/smtpd".
Available with Postfix 2.2 and earlier:
diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5
index 2dc247185..d19ce122d 100644
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@@ -886,6 +886,15 @@ With Postfix command that run with set-gid privileges, a
config_directory override requires either root privileges, or it
requires that the directory is listed with the alternate_config_directories
parameter in the default main.cf file.
+.SH confirm_delay_cleared (default: no)
+After sending a "your message is delayed" notification, inform
+the sender when the delay clears up. This can result in a sudden
+burst of notifications at the end of a prolonged network outage,
+and is therefore disabled by default.
+.PP
+See also: delay_warning_time.
+.PP
+This feature is available in Postfix 2.12 and later.
.SH connection_cache_protocol_timeout (default: 5s)
Time limit for connection cache connect, send or receive
operations. The time limit is enforced in the client.
@@ -1638,7 +1647,8 @@ units.
See also: delay_warning_time, notify_classes.
.SH delay_warning_time (default: 0h)
The time after which the sender receives a copy of the message
-headers of mail that is still queued.
+headers of mail that is still queued. The confirm_delay_cleared
+parameter controls sender notification when the delay clears up.
.PP
To enable this feature, specify a non-zero time value (an integral
value plus an optional one-letter suffix that specifies the time
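Review bot: the sentence added to delay_warning_time names confirm_delay_cleared but neither entry states the dependency between the two. This hunk shows "delay_warning_time (default: 0h)" and "To enable this feature, specify a non-zero time value", so with defaults no "your message is delayed" notification is sent and confirm_delay_cleared = yes would have nothing to follow up on. Suggest saying in the confirm_delay_cleared text that it has an effect only when delay_warning_time is non-zero, or documenting the actual behavior if that is not the case.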
@@ -1647,7 +1657,7 @@ unit).
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is h (hours).
.PP
-See also: delay_notice_recipient, notify_classes.
+See also: delay_notice_recipient, notify_classes, confirm_delay_cleared.
.SH deliver_lock_attempts (default: 20)
The maximal number of attempts to acquire an exclusive lock on a
mailbox file or \fBbounce\fR(8) logfile.
@@ -2818,11 +2828,6 @@ The LMTP-specific version of the smtp_tls_CApath
configuration parameter. See there for details.
.PP
This feature is available in Postfix 2.3 and later.
-.SH lmtp_tls_audit_template (default: empty)
-The LMTP-specific version of the smtp_tls_audit_template
-configuration parameter. See there for details.
-.PP
-This feature is available in Postfix 2.12 and later.
.SH lmtp_tls_block_early_mail_reply (default: empty)
The LMTP-specific version of the smtp_tls_block_early_mail_reply
configuration parameter. See there for details.
@@ -2870,11 +2875,6 @@ The LMTP-specific version of the smtp_tls_exclude_ciphers
configuration parameter. See there for details.
.PP
This feature is available in Postfix 2.3 and later.
-.SH lmtp_tls_fallback_level (default: empty)
-The LMTP-specific version of the smtp_tls_fallback_level
-configuration parameter. See there for details.
-.PP
-This feature is available in Postfix 2.12 and later.
.SH lmtp_tls_fingerprint_cert_match (default: empty)
The LMTP-specific version of the smtp_tls_fingerprint_cert_match
configuration parameter. See there for details.
@@ -6984,64 +6984,6 @@ smtp_tls_CApath = /etc/postfix/certs
.ft R
.PP
This feature is available in Postfix 2.2 and later.
-.SH smtp_tls_audit_template (default: empty)
-Optional template for tls audit logging at the completion of each
-message data transfer. If empty (the default setting) no TLS audit log
-entries are generated.
-.PP
-The following $name expansions are done on smtp_tls_audit_template:
-.IP "\fB$relay\fR"
-The remote SMTP server \fIname\fR[\fIaddress\fR]:\fIport\fR.
-.br
-.IP "\fB$level\fR"
-The effective TLS security level after any fallback.
-.br
-.IP "\fB$policy\fR"
-The desired TLS security level before any fallback, undefined
-if no fallback took place.
-.br
-.IP "\fB$auth\fR"
-The authentication level of the remote SMTP server. One of
-"Cleartext", "Anonymous", "Untrusted", "Trusted" or "Verified".
-.br
-.IP "\fB$protocol\fR"
-The TLS protocol version, defined only when TLS is used.
-.br
-.IP "\fB$cipher\fR"
-The TLS cipher name, defined only when TLS is used.
-.br
-.IP "\fB$cert_digest\fR"
-The digest of the remote SMTP server's certificate, defined
-only when TLS is used and the remote server presented a certificate.
-The digest algorithm is that specified via smtp_tls_fingerprint_digest.
-.br
-.IP "\fB$spki_digest\fR"
-The digest of the remote SMTP server's public key (Subject
-Public Key Info or SPKI from X.509), defined only when TLS is used
-and the remote server presented a certificate. The digest algorithm
-is that specified via smtp_tls_fingerprint_digest.
-.br
-.IP "\fB${name?value}\fR"
-Expands to \fIvalue\fR when \fI$name\fR is non-empty.
-.br
-.IP "\fB${name:value}\fR"
-Expands to \fIvalue\fR when \fI$name\fR is empty.
-.br
-.br
-.PP
-Example:
-.PP
-.nf
-.na
-.ft C
-/etc/postfix/main.cf:
- smtp_tls_audit_template =
- tlsaudit: relay=${relay}${auth?, auth=${auth}}${level?, level=${level}}${policy?, policy=${policy}}${protocol?, protocol=${protocol}}${cipher?, cipher=${cipher}}
-.fi
-.ad
-.ft R
-.PP
-This feature is available in Postfix 2.12 and later.
.SH smtp_tls_block_early_mail_reply (default: no)
Try to detect a mail hijacking attack based on a TLS protocol
vulnerability (CVE-2009-3555), where an attacker prepends malicious
@@ -7257,64 +7199,6 @@ and "DES-CBC3-MD5". The last setting disables ciphers that use "EDH"
key exchange with RSA authentication.
.PP
This feature is available in Postfix 2.3 and later.
-.SH smtp_tls_fallback_level (default: empty)
-Optional fallback levels for authenticated TLS levels. Specify
-a white-space or comma-separated list of
-\fBpolicy_level\fR=\fBfallback_level\fR pairs. The \fBpolicy_level\fR
-must require authentication (one of dane, dane-only, fingerprint,
-verify, secure). The \fBfallback_level\fR must be "encrypt" or
-"may". When an authenticated connection at some desired policy
-level cannot be established, delivery will proceed at the correponding
-fallback level if possible. A warning will be logged
-indicating the fallback reason. You can use smtp_tls_audit_template
-to record the TLS security status for each delivery.
-.PP
-The TLS policy table
-can be used to specify a destination-specific fallback strategy via the
-"fallback" policy attribute. The value of the "fallback" attribute, if
-specified, must be "may", "encrypt" or "none". If not "none", this
-specifies the fallback level for the destination in question. If the
-attribute value is "none", fallback is suppressed for the destination
-even if enabled via a global setting of smtp_tls_fallback_level.
-.PP
-Example:
-.sp
-.in +4
-.nf
-.na
-.ft C
-/etc/postfix/main.cf:
- # When authentication fails, log a warning and deliver anyway
- # over an unauthenticated TLS connection.
- #
- smtp_tls_fallback_level =
- dane=encrypt,
- dane-only=encrypt,
- fingerprint=encrypt,
- verify=encrypt,
- secure=encrypt
- indexed = ${default_database_type}:${config_directory}/
- smtp_tls_policy_maps = ${indexed}tls-policy
-.fi
-.ad
-.ft R
-.in -4
-.sp
-.in +4
-.nf
-.na
-.ft C
-/etc/postfix/tls-policy:
- # No fallback for example.com
- example.com secure fallback=none
- # For example.net tolerate cleartext fallback
- example.net dane fallback=may
-.fi
-.ad
-.ft R
-.in -4
-.PP
-This feature is available in Postfix 2.12 and later.
.SH smtp_tls_fingerprint_cert_match (default: empty)
List of acceptable remote SMTP server certificate fingerprints for
the "fingerprint" TLS security level (\fBsmtp_tls_security_level\fR =
diff --git a/postfix/man/man8/oqmgr.8 b/postfix/man/man8/oqmgr.8
index 2074649b7..359d6650d 100644
--- a/postfix/man/man8/oqmgr.8
+++ b/postfix/man/man8/oqmgr.8
@@ -328,6 +328,11 @@ The syslog facility of Postfix logging.
.IP "\fBsyslog_name (see 'postconf -d' output)\fR"
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
+.PP
+Available in Postfix version 2.12 and later:
+.IP "\fBconfirm_delay_cleared (no)\fR"
+After sending a "your message is delayed" notification, inform
+the sender when the delay clears up.
.SH "FILES"
.na
.nf
diff --git a/postfix/man/man8/qmgr.8 b/postfix/man/man8/qmgr.8
index ce420f73a..afc54f4bf 100644
--- a/postfix/man/man8/qmgr.8
+++ b/postfix/man/man8/qmgr.8
@@ -376,6 +376,11 @@ The syslog facility of Postfix logging.
.IP "\fBsyslog_name (see 'postconf -d' output)\fR"
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
+.PP
+Available in Postfix version 2.12 and later:
+.IP "\fBconfirm_delay_cleared (no)\fR"
+After sending a "your message is delayed" notification, inform
+the sender when the delay clears up.
.SH "FILES"
.na
.nf
diff --git a/postfix/man/man8/smtp.8 b/postfix/man/man8/smtp.8
index 698502336..7836549c2 100644
--- a/postfix/man/man8/smtp.8
+++ b/postfix/man/man8/smtp.8
@@ -492,13 +492,6 @@ not an alias and its address records lie in an unsigned zone.
RFC 6698 trust-anchor digest support in the Postfix TLS library.
.IP "\fBtlsmgr_service_name (tlsmgr)\fR"
The name of the \fBtlsmgr\fR(8) service entry in master.cf.
-.PP
-Available in Postfix version 2.12 and later:
-.IP "\fBsmtp_tls_audit_template (empty)\fR"
-Optional template for tls audit logging at the completion of each
-message data transfer.
-.IP "\fBsmtp_tls_fallback_level (empty)\fR"
-Optional fallback levels for authenticated TLS levels.
.SH "OBSOLETE STARTTLS CONTROLS"
.na
.nf
diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink
index 731bec18d..20338dbbb 100755
--- a/postfix/mantools/postlink
+++ b/postfix/mantools/postlink
@@ -127,6 +127,7 @@ while (<>) {
s;\bcommand_expan[-]*\n* *[]*sion_filter\b;$&;g;
s;\bcommand_time_limit\b;$&;g;
s;\bcon[-]*\n*[ ]*fig_direc[-]*\n*[ ]*tory\b;$&;g;
+ s;\bconfirm_delay_cleared;$&;g;
s;\bcon[-]*\n*[ ]*tent_filter\b;$&;g;
s;\bdata_direc[-]*\n*[ ]*tory\b;$&;g;
s;\bdae[-]*\n*[ ]*mon_direc[-]*\n*[ ]*tory\b;$&;g;
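Review bot: The added substitution for confirm_delay_cleared has no trailing \b, unlike the neighbouring entries such as the one for command_time_limit, so it also matches longer identifiers that merely start with that name. Add the closing \b. If the name can be hyphenated or wrapped in the generated documentation, also use the optional hyphen and newline pattern that the adjacent multi-part names carry.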
@@ -631,10 +632,6 @@ while (<>) {
s;\bsmtp_starttls_timeout\b;$&;g;
s;\bsmtp_tls_CAfile\b;$&;g;
s;\bsmtp_tls_CApath\b;$&;g;
- s;\bsmtp_tls_fallback_level\b;$&;g;
- s;\blmtp_tls_fallback_level\b;$&;g;
- s;\bsmtp_tls_audit_template\b;$&;g;
- s;\blmtp_tls_audit_template\b;$&;g;
s;\bsmtp_tls_cert_file\b;$&;g;
s;\bsmtp_tls_fingerprint_digest\b;$&;g;
s;\bsmtp_tls_protocols\b;$&;g;
diff --git a/postfix/proto/TLS_README.html b/postfix/proto/TLS_README.html
index 431c323be..bc492ebd5 100644
--- a/postfix/proto/TLS_README.html
+++ b/postfix/proto/TLS_README.html
@@ -1373,13 +1373,8 @@ for early adopters.
The "example.com" destination uses DANE, but if TLSA records
are not present or are unusable, mail is deferred.
- The "example.org" destination uses DANE if possible, but
-uses opportunistic TLS if no TLSA records are found. The
-"fallback" attribute (Postfix ≥ 2.12) overrides the global
-main.cf smtp_tls_fallback_level parameter to employ unauthenticated
-mandatory encryption if DANE authentication fails, after logging a
-warning. See smtp_tls_audit_template for additional control over TLS
-security logging.
+ The "example.org" destination uses DANE if possible, but if no TLSA
+records are found opportunistic TLS is used.
@@ -1399,16 +1394,26 @@ main.cf:
# default_transport = smtp, but some destinations are special:
#
transport_maps = ${indexed}transport
+
+
+
+
transport:
example.com dane
example.org dane
+
+
+
+
tls_policy:
example.com dane-only
- # Postfix ≥ 2.12, per-destination smtp_tls_fallback_level override
- example.org dane fallback=encrypt
+
+
+
+
master.cf:
dane unix - - n - - smtp
-o smtp_dns_support_level=dnssec
@@ -2141,10 +2146,7 @@ href="#client_tls_encrypt">encrypt. When usable TLSA records
are obtained for the remote SMTP server, SSLv2 is automatically
disabled (see smtp_tls_mandatory_protocols), and the server certificate
must match the TLSA records. RFC 6698 (DANE) TLS authentication
-and DNSSEC support is available with Postfix 2.11 and later.
-The optional "fallback" attribute provides a per-site override of
-the main.cf smtp_tls_fallback_level parameter (Postfix ≥ 2.12).
-
+and DNSSEC support is available with Postfix 2.11 and later.
dane-only Mandatory DANE TLS.
The TLS policy for the destination is obtained via TLSA records in
@@ -2153,10 +2155,7 @@ connection is made to the server. When usable TLSA records are
obtained for the remote SMTP server, SSLv2 is automatically disabled
(see smtp_tls_mandatory_protocols), and the server certificate must
match the TLSA records. RFC 6698 (DANE) TLS authentication and
-DNSSEC support is available with Postfix 2.11 and later.
-The optional "fallback" attribute provides a per-site override of
-the main.cf smtp_tls_fallback_level parameter (Postfix ≥ 2.12).
-
+DNSSEC support is available with Postfix 2.11 and later.
fingerprint Certificate
fingerprint verification. Available with Postfix 2.5 and
@@ -2165,15 +2164,13 @@ authorities. The certificate trust chain, expiration date, ... are
not checked. Instead, the optional match attribute, or else
the main.cf smtp_tls_fingerprint_cert_match parameter, lists
the server certificate fingerprints or public key fingerprints
-(Postfix 2.9 and later). The digest algorithm used to calculate
-fingerprints is selected by the smtp_tls_fingerprint_digest
-parameter. Multiple fingerprints can be combined with a "|" delimiter
-in a single match attribute, or multiple match attributes can be
-employed. The ":" character is not used as a delimiter as it occurs
-between each pair of fingerprint (hexadecimal) digits.
-The optional "fallback" attribute provides a per-site override of
-the main.cf smtp_tls_fallback_level parameter (Postfix ≥ 2.12).
-
+(Postfix 2.9 and later). The
+digest algorithm used to calculate fingerprints is selected by the
+smtp_tls_fingerprint_digest parameter. Multiple fingerprints can
+be combined with a "|" delimiter in a single match attribute, or multiple
+match attributes can be employed. The ":" character is not used as a
+delimiter as it occurs between each pair of fingerprint (hexadecimal)
+digits.
verify Mandatory
server certificate verification. Mail is delivered only if the
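Review bot: In the fingerprint entry the only substantive change is dropping the two-line "fallback" sentence, but the hunk also re-wraps the untouched sentences about smtp_tls_fingerprint_digest and the "|" delimiter, which hides the real change. Keep the original line breaks and delete only the fallback sentence, as the dane and dane-only hunks do.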
@@ -2184,11 +2181,9 @@ the optional "match" attribute (or the main.cf smtp_tls_verify_cert_match
parameter value when no optional "match" attribute is specified).
With Postfix ≥ 2.11 the "tafile" attribute optionally modifies
trust chain verification in the same manner as the
-"smtp_tls_trust_anchor_file" parameter. The "tafile" attribute may
-be specified multiple times to load multiple trust-anchor files.
-The optional "fallback" attribute provides a per-site override of
-the main.cf smtp_tls_fallback_level parameter (Postfix ≥ 2.12).
-
+"smtp_tls_trust_anchor_file" parameter. The "tafile" attribute
+may be specified multiple times to load multiple trust-anchor
+files.
secure Secure certificate
verification. Mail is delivered only if the TLS handshake succeeds,
@@ -2200,10 +2195,7 @@ main.cf smtp_tls_secure_cert_match parameter value when no optional
attribute optionally modifies trust chain verification in the same manner
as the "smtp_tls_trust_anchor_file" parameter. The "tafile" attribute
may be specified multiple times to load multiple trust-anchor
-files.
-The optional "fallback" attribute provides a per-site override of
-the main.cf smtp_tls_fallback_level parameter (Postfix ≥ 2.12).
-
+files.
@@ -2250,7 +2242,6 @@ Example:
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# Postfix 2.5 and later
smtp_tls_fingerprint_digest = md5
-
/etc/postfix/tls_policy:
example.edu none
example.mil may
@@ -2265,8 +2256,6 @@ Example:
match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
# Postfix 2.6 and later
example.info may protocols=!SSLv2 ciphers=medium exclude=3DES
- # Postfix 2.12 and later override of smtp_tls_fallback_level
- fallback.example secure fallback=encrypt
diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto
index 45181dfd7..30dc837ad 100644
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@@ -7505,7 +7505,8 @@ See also: delay_warning_time, notify_classes.
The time after which the sender receives a copy of the message
-headers of mail that is still queued.
+headers of mail that is still queued. The confirm_delay_cleared
+parameter controls sender notification when the delay clears up.
@@ -7520,9 +7521,20 @@ The default time unit is h (hours).
-See also: delay_notice_recipient, notify_classes.
+See also: delay_notice_recipient, notify_classes, confirm_delay_cleared.
+%PARAM confirm_delay_cleared no
+
+ After sending a "your message is delayed" notification, inform
+the sender when the delay clears up. This can result in a sudden
+burst of notifications at the end of a prolonged network outage,
+and is therefore disabled by default.
+
+ See also: delay_warning_time.
+
+ This feature is available in Postfix 2.12 and later.
+
%PARAM disable_dns_lookups no
@@ -16184,133 +16196,3 @@ mail.
This feature is available in Postfix 2.12 and later.
-
-%PARAM smtp_tls_fallback_level
-
- Optional fallback levels for authenticated TLS levels. Specify
-a white-space or comma-separated list of
-policy_level=fallback_level pairs. The policy_level
-must require authentication (one of dane, dane-only, fingerprint,
-verify, secure). The fallback_level must be "encrypt" or
-"may". When an authenticated connection at some desired policy
-level cannot be established, delivery will proceed at the correponding
-fallback level if possible. A warning will be logged
-indicating the fallback reason. You can use smtp_tls_audit_template
-to record the TLS security status for each delivery.
-
- The TLS policy table
-can be used to specify a destination-specific fallback strategy via the
-"fallback" policy attribute. The value of the "fallback" attribute, if
-specified, must be "may", "encrypt" or "none". If not "none", this
-specifies the fallback level for the destination in question. If the
-attribute value is "none", fallback is suppressed for the destination
-even if enabled via a global setting of smtp_tls_fallback_level.
-
- Example:
-
-
-
-/etc/postfix/main.cf:
- # When authentication fails, log a warning and deliver anyway
- # over an unauthenticated TLS connection.
- #
- smtp_tls_fallback_level =
- dane=encrypt,
- dane-only=encrypt,
- fingerprint=encrypt,
- verify=encrypt,
- secure=encrypt
- indexed = ${default_database_type}:${config_directory}/
- smtp_tls_policy_maps = ${indexed}tls-policy
-
-
-
-
-
-/etc/postfix/tls-policy:
- # No fallback for example.com
- example.com secure fallback=none
- # For example.net tolerate cleartext fallback
- example.net dane fallback=may
-
-
-
- This feature is available in Postfix 2.12 and later.
-
-%PARAM lmtp_tls_fallback_level
-
- The LMTP-specific version of the smtp_tls_fallback_level
-configuration parameter. See there for details.
-
- This feature is available in Postfix 2.12 and later.
-
-%PARAM smtp_tls_audit_template
-
- Optional template for tls audit logging at the completion of each
-message data transfer. If empty (the default setting) no TLS audit log
-entries are generated.
-
- The following $name expansions are done on smtp_tls_audit_template:
-
-
-
-- $relay
-- The remote SMTP server name[address]:port.
-
-
-- $level
-- The effective TLS security level after any fallback.
-
-- $policy
-- The desired TLS security level before any fallback, undefined
-if no fallback took place.
-
-- $auth
-- The authentication level of the remote SMTP server. One of
-"Cleartext", "Anonymous", "Untrusted", "Trusted" or "Verified".
-
-
-- $protocol
-- The TLS protocol version, defined only when TLS is used.
-
-- $cipher
-- The TLS cipher name, defined only when TLS is used.
-
-- $cert_digest
-- The digest of the remote SMTP server's certificate, defined
-only when TLS is used and the remote server presented a certificate.
-The digest algorithm is that specified via smtp_tls_fingerprint_digest.
-
-
-- $spki_digest
-- The digest of the remote SMTP server's public key (Subject
-Public Key Info or SPKI from X.509), defined only when TLS is used
-and the remote server presented a certificate. The digest algorithm
-is that specified via smtp_tls_fingerprint_digest.
-
-- ${name?value}
-
-- Expands to value when $name is non-empty.
-
-- ${name:value}
-
-- Expands to value when $name is empty.
-
-
-
- Example:
-
-
-/etc/postfix/main.cf:
- smtp_tls_audit_template =
- tlsaudit: relay=${relay}${auth?, auth=${auth}}${level?, level=${level}}${policy?, policy=${policy}}${protocol?, protocol=${protocol}}${cipher?, cipher=${cipher}}
-
-
- This feature is available in Postfix 2.12 and later.
-
-%PARAM lmtp_tls_audit_template
-
- The LMTP-specific version of the smtp_tls_audit_template
-configuration parameter. See there for details.
-
- This feature is available in Postfix 2.12 and later.
diff --git a/postfix/src/global/deliver_request.h b/postfix/src/global/deliver_request.h
index 8ab36fc1a..e38b50e09 100644
--- a/postfix/src/global/deliver_request.h
+++ b/postfix/src/global/deliver_request.h
@@ -73,6 +73,7 @@ typedef struct DELIVER_REQUEST {
#define DEL_REQ_FLAG_RECORD (1<<10) /* record and deliver */
#define DEL_REQ_FLAG_CONN_LOAD (1<<11) /* Consult opportunistic cache */
#define DEL_REQ_FLAG_CONN_STORE (1<<12) /* Update opportunistic cache */
+#define DEL_REQ_FLAG_REC_SENT (1<<13) /* Record if sent only */
/*
* Cache Load and Store as value or mask. Use explicit _MASK for multi-bit
@@ -91,7 +92,8 @@ typedef struct DELIVER_REQUEST {
* Mail that uses the trace(8) service, and maybe more.
*/
#define DEL_REQ_TRACE_FLAGS_MASK \
- (DEL_REQ_FLAG_MTA_VRFY | DEL_REQ_FLAG_USR_VRFY | DEL_REQ_FLAG_RECORD)
+ (DEL_REQ_FLAG_MTA_VRFY | DEL_REQ_FLAG_USR_VRFY | DEL_REQ_FLAG_RECORD \
+ | DEL_REQ_FLAG_REC_SENT)
#define DEL_REQ_TRACE_FLAGS(f) ((f) & DEL_REQ_TRACE_FLAGS_MASK)
/*
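Review bot: Adding DEL_REQ_FLAG_REC_SENT to DEL_REQ_TRACE_FLAGS_MASK exposes the bit to every user of DEL_REQ_TRACE_FLAGS(f), while the flag's own comment says "Record if sent only". Check that callers outside sent() which treat a non-zero DEL_REQ_TRACE_FLAGS() result as "log this event" do not start recording deferrals or bounces for these messages. The block comment above the mask still reads "Mail that uses the trace(8) service, and maybe more"; extend it to say why the delay-cleared marker belongs in this mask.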
diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h
index 494112014..056d60602 100644
--- a/postfix/src/global/mail_params.h
+++ b/postfix/src/global/mail_params.h
@@ -723,6 +723,10 @@ extern int var_dsn_queue_time;
#define DEF_DELAY_WARN_TIME "0h"
extern int var_delay_warn_time;
+#define VAR_DSN_DELAY_CLEARED "confirm_delay_cleared"
+#define DEF_DSN_DELAY_CLEARED 0
+extern int var_dsn_delay_cleared;
+
/*
* Queue manager: various in-core message and recipient limits.
*/
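Review bot: var_dsn_delay_cleared is declared as extern int although it is a yes/no setting with default 0 that this patch registers in CONFIG_BOOL_TABLE. Other boolean parameters in this header are declared bool, for example "extern bool var_smtp_tls_enforce_peername;". Declare it as bool here and in the two qmgr.c definitions for consistency.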
@@ -1372,12 +1376,6 @@ extern bool var_smtp_tls_enforce_peername;
#define DEF_LMTP_TLS_LEVEL ""
extern char *var_smtp_tls_level;
-#define VAR_SMTP_TLS_FBACK_LEVEL "smtp_tls_fallback_level"
-#define DEF_SMTP_TLS_FBACK_LEVEL ""
-#define VAR_LMTP_TLS_FBACK_LEVEL "lmtp_tls_fallback_level"
-#define DEF_LMTP_TLS_FBACK_LEVEL ""
-extern char *var_smtp_tls_fback_level;
-
#define VAR_SMTP_TLS_SCERT_VD "smtp_tls_scert_verifydepth"
#define DEF_SMTP_TLS_SCERT_VD 9
#define VAR_LMTP_TLS_SCERT_VD "lmtp_tls_scert_verifydepth"
@@ -1549,12 +1547,6 @@ extern bool var_smtp_tls_blk_early_mail_reply;
#define DEF_LMTP_TLS_FORCE_TLSA 0
extern bool var_smtp_tls_force_tlsa;
-#define VAR_SMTP_TLS_AUDIT_TEMPLATE "smtp_tls_audit_template"
-#define DEF_SMTP_TLS_AUDIT_TEMPLATE ""
-#define VAR_LMTP_TLS_AUDIT_TEMPLATE "lmtp_tls_audit_template"
-#define DEF_LMTP_TLS_AUDIT_TEMPLATE ""
-extern char *var_smtp_tls_audit_template;
-
/*
* SASL authentication support, SMTP server side.
*/
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index add3094a4..adb59662a 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20140905"
+#define MAIL_RELEASE_DATE "20140907"
#define MAIL_VERSION_NUMBER "2.12"
#ifdef SNAPSHOT
diff --git a/postfix/src/global/sent.c b/postfix/src/global/sent.c
index 48db9327b..393807848 100644
--- a/postfix/src/global/sent.c
+++ b/postfix/src/global/sent.c
@@ -32,6 +32,7 @@
/* The message is a user-requested address expansion probe.
/* Update the message delivery record.
/* .IP DEL_REQ_FLAG_RECORD
+/* .IP DEL_REQ_FLAG_REC_SENT
/* This is a normal message with logged delivery. Update the
/* the message delivery record.
/* .RE .IP queue_id
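Review bot: The new ".IP DEL_REQ_FLAG_REC_SENT" line is stacked directly under ".IP DEL_REQ_FLAG_RECORD", so both flags share the single description "This is a normal message with logged delivery" and a reader cannot tell them apart. Give DEL_REQ_FLAG_REC_SENT its own paragraph saying that it records successful delivery only, for the delay-cleared notification. The doubled "the" across the two following comment lines could be fixed at the same time.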
@@ -142,7 +143,7 @@ int sent(int flags, const char *id, MSG_STATS *stats,
if (my_dsn.action == 0 || my_dsn.action[0] == 0)
my_dsn.action = "delivered";
- if (((flags & DEL_REQ_FLAG_RECORD) == 0
+ if (((flags & (DEL_REQ_FLAG_RECORD | DEL_REQ_FLAG_REC_SENT)) == 0
|| trace_append(flags, id, stats, recipient, relay, &my_dsn) == 0)
&& ((recipient->dsn_notify & DSN_NOTIFY_SUCCESS) == 0
|| trace_append(flags, id, stats, recipient, relay, &my_dsn) == 0)) {
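Review bot: With the first test widened to DEL_REQ_FLAG_RECORD | DEL_REQ_FLAG_REC_SENT, a recipient that also has DSN_NOTIFY_SUCCESS set passes through both trace_append() calls, so the same delivery is appended to the trace log twice. That double append already exists for DEL_REQ_FLAG_RECORD, but this change makes it reachable for ordinary mail that has had a delay warning. Fold the two conditions into one test so that trace_append() runs once per recipient.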
diff --git a/postfix/src/oqmgr/qmgr.c b/postfix/src/oqmgr/qmgr.c
index 441141054..7a00591b1 100644
--- a/postfix/src/oqmgr/qmgr.c
+++ b/postfix/src/oqmgr/qmgr.c
@@ -290,6 +290,11 @@
/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
/* The mail system name that is prepended to the process name in syslog
/* records, so that "smtpd" becomes, for example, "postfix/smtpd".
+/* .PP
+/* Available in Postfix version 2.12 and later:
+/* .IP "\fBconfirm_delay_cleared (no)\fR"
+/* After sending a "your message is delayed" notification, inform
+/* the sender when the delay clears up.
/* FILES
/* /var/spool/postfix/incoming, incoming queue
/* /var/spool/postfix/active, active queue
@@ -385,6 +390,7 @@ int var_dest_rate_delay;
char *var_def_filter_nexthop;
int var_qmgr_daemon_timeout;
int var_qmgr_ipc_timeout;
+int var_dsn_delay_cleared;
static QMGR_SCAN *qmgr_scans[2];
@@ -648,6 +654,7 @@ int main(int argc, char **argv)
static const CONFIG_BOOL_TABLE bool_table[] = {
VAR_VERP_BOUNCE_OFF, DEF_VERP_BOUNCE_OFF, &var_verp_bounce_off,
VAR_CONC_FDBACK_DEBUG, DEF_CONC_FDBACK_DEBUG, &var_conc_feedback_debug,
+ VAR_DSN_DELAY_CLEARED, DEF_DSN_DELAY_CLEARED, &var_dsn_delay_cleared,
0,
};
diff --git a/postfix/src/oqmgr/qmgr_active.c b/postfix/src/oqmgr/qmgr_active.c
index c3e446cb5..04cf152ca 100644
--- a/postfix/src/oqmgr/qmgr_active.c
+++ b/postfix/src/oqmgr/qmgr_active.c
@@ -385,7 +385,8 @@ static void qmgr_active_done_2_generic(QMGR_MESSAGE *message)
*
* See also comments in bounce/bounce_notify_util.c.
*/
- if ((message->tflags & (DEL_REQ_FLAG_USR_VRFY | DEL_REQ_FLAG_RECORD))
+ if ((message->tflags & (DEL_REQ_FLAG_USR_VRFY | DEL_REQ_FLAG_RECORD
+ | DEL_REQ_FLAG_REC_SENT))
|| (message->rflags & QMGR_READ_FLAG_NOTIFY_SUCCESS)) {
atrace_flush(message->tflags,
message->queue_name,
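Review bot: The condition now calls atrace_flush() for every message carrying DEL_REQ_FLAG_REC_SENT, and nothing in the visible test checks whether any recipient was actually delivered in this pass. Confirm that a flush with no trace records for the message, for example when it was deferred again, produces neither a notification nor log noise. The comment block above the test should also mention the delay-cleared case.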
diff --git a/postfix/src/oqmgr/qmgr_message.c b/postfix/src/oqmgr/qmgr_message.c
index cb87d367b..bd049c895 100644
--- a/postfix/src/oqmgr/qmgr_message.c
+++ b/postfix/src/oqmgr/qmgr_message.c
@@ -760,6 +760,16 @@ static int qmgr_message_read(QMGR_MESSAGE *message)
myfree(orig_rcpt);
}
+ /*
+ * After sending a "delayed" warning, request sender notification when
+ * message delivery is completed. While "mail delayed" notifications are
+ * bad enough because they multiply the amount of email traffic, "delay
+ * cleared" notifications are even worse because they come in a sudden
+ * burst when the queue drains after a network outage.
+ */
+ if (var_dsn_delay_cleared && message->warn_time < 0)
+ message->tflags |= DEL_REQ_FLAG_REC_SENT;
+
/*
* Avoid clumsiness elsewhere in the program. When sending data across an
* IPC channel, sending an empty string is more convenient than sending a
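Review bot: The test "message->warn_time < 0" relies on the -1 that qmgr_message_update_warn() writes with REC_TYPE_WARN_ARG(-1), but neither place names or documents that sentinel. Define a named constant meaning "delay warning already sent" and use it in both spots, and have the comment say that the negative value is what marks the message.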
@@ -826,13 +836,13 @@ void qmgr_message_update_warn(QMGR_MESSAGE *message)
{
/*
- * XXX eventually this should let us schedule multiple warnings, right
- * now it just allows for one.
+ * After the "mail delayed" warning, optionally send a "delay cleared"
+ * notification.
*/
if (qmgr_message_open(message)
|| vstream_fseek(message->fp, message->warn_offset, SEEK_SET) < 0
|| rec_fprintf(message->fp, REC_TYPE_WARN, REC_TYPE_WARN_FORMAT,
- REC_TYPE_WARN_ARG(0)) < 0
+ REC_TYPE_WARN_ARG(-1)) < 0
|| vstream_fflush(message->fp))
msg_fatal("update queue file %s: %m", VSTREAM_PATH(message->fp));
qmgr_message_close(message);
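Review bot: REC_TYPE_WARN_ARG(-1) replaces the former 0 and is written regardless of var_dsn_delay_cleared, so every queue file that has had a delay warning now carries a negative warn time even when the feature is off. Verify that all existing readers of warn_time compare with "> 0" rather than testing for non-zero; otherwise a message could be warned about again on each queue scan.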
diff --git a/postfix/src/qmgr/qmgr.c b/postfix/src/qmgr/qmgr.c
index 146464bb2..d8d8b58d9 100644
--- a/postfix/src/qmgr/qmgr.c
+++ b/postfix/src/qmgr/qmgr.c
@@ -336,6 +336,11 @@
/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
/* The mail system name that is prepended to the process name in syslog
/* records, so that "smtpd" becomes, for example, "postfix/smtpd".
+/* .PP
+/* Available in Postfix version 2.12 and later:
+/* .IP "\fBconfirm_delay_cleared (no)\fR"
+/* After sending a "your message is delayed" notification, inform
+/* the sender when the delay clears up.
/* FILES
/* /var/spool/postfix/incoming, incoming queue
/* /var/spool/postfix/active, active queue
@@ -445,6 +450,7 @@ int var_dest_rate_delay;
char *var_def_filter_nexthop;
int var_qmgr_daemon_timeout;
int var_qmgr_ipc_timeout;
+int var_dsn_delay_cleared;
static QMGR_SCAN *qmgr_scans[2];
@@ -723,6 +729,7 @@ int main(int argc, char **argv)
static const CONFIG_BOOL_TABLE bool_table[] = {
VAR_VERP_BOUNCE_OFF, DEF_VERP_BOUNCE_OFF, &var_verp_bounce_off,
VAR_CONC_FDBACK_DEBUG, DEF_CONC_FDBACK_DEBUG, &var_conc_feedback_debug,
+ VAR_DSN_DELAY_CLEARED, DEF_DSN_DELAY_CLEARED, &var_dsn_delay_cleared,
0,
};
diff --git a/postfix/src/qmgr/qmgr_active.c b/postfix/src/qmgr/qmgr_active.c
index c3e446cb5..04cf152ca 100644
--- a/postfix/src/qmgr/qmgr_active.c
+++ b/postfix/src/qmgr/qmgr_active.c
@@ -385,7 +385,8 @@ static void qmgr_active_done_2_generic(QMGR_MESSAGE *message)
*
* See also comments in bounce/bounce_notify_util.c.
*/
- if ((message->tflags & (DEL_REQ_FLAG_USR_VRFY | DEL_REQ_FLAG_RECORD))
+ if ((message->tflags & (DEL_REQ_FLAG_USR_VRFY | DEL_REQ_FLAG_RECORD
+ | DEL_REQ_FLAG_REC_SENT))
|| (message->rflags & QMGR_READ_FLAG_NOTIFY_SUCCESS)) {
atrace_flush(message->tflags,
message->queue_name,
diff --git a/postfix/src/qmgr/qmgr_message.c b/postfix/src/qmgr/qmgr_message.c
index 19323467d..e559d11cd 100644
--- a/postfix/src/qmgr/qmgr_message.c
+++ b/postfix/src/qmgr/qmgr_message.c
@@ -801,6 +801,16 @@ static int qmgr_message_read(QMGR_MESSAGE *message)
myfree(orig_rcpt);
}
+ /*
+ * After sending a "delayed" warning, request sender notification when
+ * message delivery is completed. While "mail delayed" notifications are
+ * bad enough because they multiply the amount of email traffic, "delay
+ * cleared" notifications are even worse because they come in a sudden
+ * burst when the queue drains after a network outage.
+ */
+ if (var_dsn_delay_cleared && message->warn_time < 0)
+ message->tflags |= DEL_REQ_FLAG_REC_SENT;
+
/*
* Remember when we have read the last recipient batch. Note that we do
* it here after reading as reading might have used considerable amount
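Review bot: This block, comment included, duplicates the one added to oqmgr/qmgr_message.c in the same patch, and both copies depend on the -1 marker written by their respective qmgr_message_update_warn() functions. Move the test into a shared macro in a common header so the two queue managers cannot drift apart when the marker or the flag changes.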
@@ -883,13 +893,13 @@ void qmgr_message_update_warn(QMGR_MESSAGE *message)
{
/*
- * XXX eventually this should let us schedule multiple warnings, right
- * now it just allows for one.
+ * After the "mail delayed" warning, optionally send a "delay cleared"
+ * notification.
*/
if (qmgr_message_open(message)
|| vstream_fseek(message->fp, message->warn_offset, SEEK_SET) < 0
|| rec_fprintf(message->fp, REC_TYPE_WARN, REC_TYPE_WARN_FORMAT,
- REC_TYPE_WARN_ARG(0)) < 0
+ REC_TYPE_WARN_ARG(-1)) < 0
|| vstream_fflush(message->fp))
msg_fatal("update queue file %s: %m", VSTREAM_PATH(message->fp));
qmgr_message_close(message);
diff --git a/postfix/src/smtp/Makefile.in b/postfix/src/smtp/Makefile.in
index e271bf7d4..fdbab2f97 100644
--- a/postfix/src/smtp/Makefile.in
+++ b/postfix/src/smtp/Makefile.in
@@ -2,11 +2,11 @@ SHELL = /bin/sh
SRCS = smtp.c smtp_connect.c smtp_proto.c smtp_chat.c smtp_session.c \
smtp_addr.c smtp_trouble.c smtp_state.c smtp_rcpt.c smtp_tls_policy.c \
smtp_sasl_proto.c smtp_sasl_glue.c smtp_reuse.c smtp_map11.c \
- smtp_sasl_auth_cache.c smtp_key.c smtp_tls_audit.c
+ smtp_sasl_auth_cache.c smtp_key.c
OBJS = smtp.o smtp_connect.o smtp_proto.o smtp_chat.o smtp_session.o \
smtp_addr.o smtp_trouble.o smtp_state.o smtp_rcpt.o smtp_tls_policy.o \
smtp_sasl_proto.o smtp_sasl_glue.o smtp_reuse.o smtp_map11.o \
- smtp_sasl_auth_cache.o smtp_key.o smtp_tls_audit.o
+ smtp_sasl_auth_cache.o smtp_key.o
HDRS = smtp.h smtp_sasl.h smtp_addr.h smtp_reuse.h smtp_sasl_auth_cache.h
TESTSRC =
DEFS = -I. -I$(INC_DIR) -D$(SYSTYPE)
@@ -662,41 +662,6 @@ smtp_state.o: ../../include/vstring.h
smtp_state.o: smtp.h
smtp_state.o: smtp_sasl.h
smtp_state.o: smtp_state.c
-smtp_tls_audit.o: ../../include/argv.h
-smtp_tls_audit.o: ../../include/attr.h
-smtp_tls_audit.o: ../../include/deliver_request.h
-smtp_tls_audit.o: ../../include/dict.h
-smtp_tls_audit.o: ../../include/dns.h
-smtp_tls_audit.o: ../../include/dsn.h
-smtp_tls_audit.o: ../../include/dsn_buf.h
-smtp_tls_audit.o: ../../include/header_body_checks.h
-smtp_tls_audit.o: ../../include/header_opts.h
-smtp_tls_audit.o: ../../include/htable.h
-smtp_tls_audit.o: ../../include/mac_expand.h
-smtp_tls_audit.o: ../../include/mac_parse.h
-smtp_tls_audit.o: ../../include/mail_params.h
-smtp_tls_audit.o: ../../include/maps.h
-smtp_tls_audit.o: ../../include/match_list.h
-smtp_tls_audit.o: ../../include/mime_state.h
-smtp_tls_audit.o: ../../include/msg.h
-smtp_tls_audit.o: ../../include/msg_stats.h
-smtp_tls_audit.o: ../../include/myaddrinfo.h
-smtp_tls_audit.o: ../../include/myflock.h
-smtp_tls_audit.o: ../../include/name_code.h
-smtp_tls_audit.o: ../../include/name_mask.h
-smtp_tls_audit.o: ../../include/recipient_list.h
-smtp_tls_audit.o: ../../include/resolve_clnt.h
-smtp_tls_audit.o: ../../include/scache.h
-smtp_tls_audit.o: ../../include/sock_addr.h
-smtp_tls_audit.o: ../../include/string_list.h
-smtp_tls_audit.o: ../../include/sys_defs.h
-smtp_tls_audit.o: ../../include/tls.h
-smtp_tls_audit.o: ../../include/tok822.h
-smtp_tls_audit.o: ../../include/vbuf.h
-smtp_tls_audit.o: ../../include/vstream.h
-smtp_tls_audit.o: ../../include/vstring.h
-smtp_tls_audit.o: smtp.h
-smtp_tls_audit.o: smtp_tls_audit.c
smtp_tls_policy.o: ../../include/argv.h
smtp_tls_policy.o: ../../include/attr.h
smtp_tls_policy.o: ../../include/ctable.h
diff --git a/postfix/src/smtp/lmtp_params.c b/postfix/src/smtp/lmtp_params.c
index eb84c920e..1861e5ba5 100644
--- a/postfix/src/smtp/lmtp_params.c
+++ b/postfix/src/smtp/lmtp_params.c
@@ -28,7 +28,6 @@
VAR_LMTP_TLS_ECCERT_FILE, DEF_LMTP_TLS_ECCERT_FILE, &var_smtp_tls_eccert_file, 0, 0,
VAR_LMTP_TLS_ECKEY_FILE, DEF_LMTP_TLS_ECKEY_FILE, &var_smtp_tls_eckey_file, 0, 0,
VAR_LMTP_TLS_LOGLEVEL, DEF_LMTP_TLS_LOGLEVEL, &var_smtp_tls_loglevel, 0, 0,
- VAR_LMTP_TLS_FBACK_LEVEL, DEF_LMTP_TLS_FBACK_LEVEL, &var_smtp_tls_fback_level, 0, 0,
#endif
VAR_LMTP_SASL_MECHS, DEF_LMTP_SASL_MECHS, &var_smtp_sasl_mechs, 0, 0,
VAR_LMTP_SASL_TYPE, DEF_LMTP_SASL_TYPE, &var_smtp_sasl_type, 1, 0,
@@ -120,11 +119,3 @@
VAR_LMTP_DUMMY_MAIL_AUTH, DEF_LMTP_DUMMY_MAIL_AUTH, &var_smtp_dummy_mail_auth,
0,
};
-
- /* Suppress $name expansion upon loading. */
- static const CONFIG_RAW_TABLE lmtp_raw_table[] = {
-#ifdef USE_TLS
- VAR_LMTP_TLS_AUDIT_TEMPLATE, DEF_LMTP_TLS_AUDIT_TEMPLATE, &var_smtp_tls_audit_template, 0, 0,
-#endif
- 0,
- };
diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c
index 130b251f9..6e0ce6925 100644
--- a/postfix/src/smtp/smtp.c
+++ b/postfix/src/smtp/smtp.c
@@ -462,13 +462,6 @@
/* RFC 6698 trust-anchor digest support in the Postfix TLS library.
/* .IP "\fBtlsmgr_service_name (tlsmgr)\fR"
/* The name of the \fBtlsmgr\fR(8) service entry in master.cf.
-/* .PP
-/* Available in Postfix version 2.12 and later:
-/* .IP "\fBsmtp_tls_audit_template (empty)\fR"
-/* Optional template for tls audit logging at the completion of each
-/* message data transfer.
-/* .IP "\fBsmtp_tls_fallback_level (empty)\fR"
-/* Optional fallback levels for authenticated TLS levels.
/* OBSOLETE STARTTLS CONTROLS
/* .ad
/* .fi
@@ -863,7 +856,6 @@ char *var_smtp_tls_mand_excl;
char *var_smtp_tls_dcert_file;
char *var_smtp_tls_dkey_file;
bool var_smtp_tls_enforce_peername;
-char *var_smtp_tls_fback_level;
char *var_smtp_tls_key_file;
char *var_smtp_tls_loglevel;
bool var_smtp_tls_note_starttls_offer;
@@ -880,7 +872,6 @@ char *var_smtp_tls_eccert_file;
char *var_smtp_tls_eckey_file;
bool var_smtp_tls_blk_early_mail_reply;
bool var_smtp_tls_force_tlsa;
-char *var_smtp_tls_audit_template;
#endif
@@ -1294,8 +1285,6 @@ int main(int argc, char **argv)
smtp_int_table : lmtp_int_table,
MAIL_SERVER_STR_TABLE, smtp_mode ?
smtp_str_table : lmtp_str_table,
- MAIL_SERVER_RAW_TABLE, smtp_mode ?
- smtp_raw_table : lmtp_raw_table,
MAIL_SERVER_BOOL_TABLE, smtp_mode ?
smtp_bool_table : lmtp_bool_table,
MAIL_SERVER_PRE_INIT, pre_init,
diff --git a/postfix/src/smtp/smtp.h b/postfix/src/smtp/smtp.h
index 2e58af635..c21aa65a5 100644
--- a/postfix/src/smtp/smtp.h
+++ b/postfix/src/smtp/smtp.h
@@ -92,8 +92,6 @@ typedef struct SMTP_ITERATOR {
typedef struct SMTP_TLS_POLICY {
int level; /* TLS enforcement level */
- int policy_level; /* TLS desired policy level */
- int fallback_level; /* TLS fallback level */
char *protocols; /* Acceptable SSL protocols */
char *grade; /* Cipher grade: "export", ... */
VSTRING *exclusions; /* Excluded SSL ciphers */
@@ -122,13 +120,11 @@ extern void smtp_tls_policy_cache_flush(void);
SMTP_TLS_POLICY *_tls_policy_dummy_tmp = (t); \
smtp_tls_policy_init(_tls_policy_dummy_tmp, (DSN_BUF *) 0); \
_tls_policy_dummy_tmp->level = TLS_LEV_NONE; \
- _tls_policy_dummy_tmp->policy_level = TLS_LEV_NONE; \
} while (0)
/* This macro is not part of the module external interface. */
#define smtp_tls_policy_init(t, w) do { \
SMTP_TLS_POLICY *_tls_policy_init_tmp = (t); \
- _tls_policy_init_tmp->fallback_level = TLS_LEV_NOTFOUND; \
_tls_policy_init_tmp->protocols = 0; \
_tls_policy_init_tmp->grade = 0; \
_tls_policy_init_tmp->exclusions = 0; \
@@ -345,7 +341,6 @@ typedef struct SMTP_SESSION {
char *tls_nexthop; /* Nexthop domain for cert checks */
int tls_retry_plain; /* Try plain when TLS handshake fails */
SMTP_TLS_POLICY *tls; /* TEMPORARY */
- int tls_level; /* Actual tls level */
#endif
SMTP_STATE *state; /* back link */
@@ -474,16 +469,14 @@ extern HBC_CALL_BACKS smtp_hbc_callbacks[];
#define PLAINTEXT_FALLBACK_OK_AFTER_STARTTLS_FAILURE \
(session->tls_context == 0 \
- && (session->tls->level == TLS_LEV_MAY \
- || session->tls->fallback_level == TLS_LEV_MAY) \
+ && session->tls->level == TLS_LEV_MAY \
&& PREACTIVE_DELAY >= var_min_backoff_time \
&& !HAVE_SASL_CREDENTIALS)
#define PLAINTEXT_FALLBACK_OK_AFTER_TLS_SESSION_FAILURE \
(session->tls_context != 0 \
&& SMTP_RCPT_LEFT(state) > SMTP_RCPT_MARK_COUNT(state) \
- && (session->tls->level == TLS_LEV_MAY \
- || session->tls->fallback_level == TLS_LEV_MAY) \
+ && session->tls->level == TLS_LEV_MAY \
&& PREACTIVE_DELAY >= var_min_backoff_time \
&& !HAVE_SASL_CREDENTIALS)
@@ -495,17 +488,8 @@ extern HBC_CALL_BACKS smtp_hbc_callbacks[];
#define RETRY_AS_PLAINTEXT do { \
session->tls_retry_plain = 1; \
state->misc_flags &= ~SMTP_MISC_FLAG_FINAL_SERVER; \
- (void) smtp_tls_trouble(state, session->tls_context ? \
- STARTTLS_SESSION_FALLBACK : \
- STARTTLS_HANDSHAKE_FALLBACK); \
} while (0)
-#define STARTTLS_FEATURE_FALLBACK 1 /* No STARTTLS feature */
-#define STARTTLS_COMMAND_FALLBACK 2 /* Refused STARTTLS command */
-#define STARTTLS_HANDSHAKE_FALLBACK 3 /* Handshake failed */
-#define STARTTLS_VERIFY_FALLBACK 4 /* Peer verification failed */
-#define STARTTLS_SESSION_FALLBACK 5 /* Data transfer failed */
-
/*
* smtp_chat.c
*/
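Review bot: RETRY_AS_PLAINTEXT itself no longer logs anything once the smtp_tls_trouble() call is removed, so a retry in cleartext after a failed handshake or a failed TLS session is not recorded by this macro. If the silent retry is intended for the "may" level, say so in a comment above the macro; otherwise keep a msg_info() or msg_warn() here so that repeated downgrades for one destination show up in the logs.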
@@ -588,11 +572,6 @@ extern void PRINTFLIKE(5, 6) smtp_rcpt_fail(SMTP_STATE *, RECIPIENT *,
const char *,...);
extern int smtp_stream_except(SMTP_STATE *, int, const char *);
-#ifdef USE_TLS
-extern int smtp_tls_trouble(SMTP_STATE *, int);
-
-#endif
-
/*
* smtp_unalias.c
*/
@@ -670,11 +649,6 @@ char *smtp_key_prefix(VSTRING *, const char *, SMTP_ITERATOR *, int);
| COND_SASL_SMTP_KEY_FLAG_NEXTHOP | COND_SASL_SMTP_KEY_FLAG_HOSTNAME \
| SMTP_KEY_FLAG_ADDR | SMTP_KEY_FLAG_PORT)
- /*
- * smtp_tls_audit.c
- */
-extern void smtp_tls_audit(const char *, SMTP_SESSION *);
-
/*
* Silly little macros.
*/
diff --git a/postfix/src/smtp/smtp_connect.c b/postfix/src/smtp/smtp_connect.c
index be55b27e4..acff1eba4 100644
--- a/postfix/src/smtp/smtp_connect.c
+++ b/postfix/src/smtp/smtp_connect.c
@@ -108,18 +108,6 @@
#include
#include
- /*
- * XXX Unclean: all TLS security level info belongs in session->tls. It
- * should not pollute the session structure and consequently pollute
- * internal APIs that don't need access to the session structure.
- */
-#ifdef USE_TLS
-#define TLS_SESS_INIT(session, state) do { \
- session->tls_level = state->tls->level; /* XXX Pre fallback */ \
- session->tls = state->tls; /* TEMPORARY */ \
- } while (0)
-#endif
-
/*
* Forward declaration.
*/
@@ -534,7 +522,7 @@ static void smtp_connect_local(SMTP_STATE *state, const char *path)
if ((state->session = session) != 0) {
session->state = state;
#ifdef USE_TLS
- TLS_SESS_INIT(session, state); /* TEMPORARY */
+ session->tls = state->tls; /* TEMPORARY */
session->tls_nexthop = var_myhostname; /* for TLS_LEV_SECURE */
if (session->tls->level == TLS_LEV_MAY) {
msg_warn("%s: opportunistic TLS encryption is not appropriate "
@@ -686,7 +674,7 @@ static int smtp_reuse_session(SMTP_STATE *state, DNS_RR **addr_list,
&& *addr_list == 0)
state->misc_flags |= SMTP_MISC_FLAG_FINAL_SERVER;
#ifdef USE_TLS
- TLS_SESS_INIT(session, state); /* TEMPORARY */
+ session->tls = state->tls; /* TEMPORARY */
#endif
smtp_xfer(state);
smtp_cleanup_session(state);
@@ -746,7 +734,7 @@ static int smtp_reuse_session(SMTP_STATE *state, DNS_RR **addr_list,
&& next == 0)
state->misc_flags |= SMTP_MISC_FLAG_FINAL_SERVER;
#ifdef USE_TLS
- TLS_SESS_INIT(session, state); /* TEMPORARY */
+ session->tls = state->tls; /* TEMPORARY */
#endif
smtp_xfer(state);
smtp_cleanup_session(state);
@@ -990,7 +978,7 @@ static void smtp_connect_inet(SMTP_STATE *state, const char *nexthop,
if ((state->session = session) != 0) {
session->state = state;
#ifdef USE_TLS
- TLS_SESS_INIT(session, state); /* TEMPORARY */
+ session->tls = state->tls; /* TEMPORARY */
/* XXX: EAI: Convert to A-label here or in TLS library */
session->tls_nexthop = domain; /* for TLS_LEV_SECURE */
#endif
diff --git a/postfix/src/smtp/smtp_params.c b/postfix/src/smtp/smtp_params.c
index eddca9e9c..807215dba 100644
--- a/postfix/src/smtp/smtp_params.c
+++ b/postfix/src/smtp/smtp_params.c
@@ -29,7 +29,6 @@
VAR_SMTP_TLS_ECCERT_FILE, DEF_SMTP_TLS_ECCERT_FILE, &var_smtp_tls_eccert_file, 0, 0,
VAR_SMTP_TLS_ECKEY_FILE, DEF_SMTP_TLS_ECKEY_FILE, &var_smtp_tls_eckey_file, 0, 0,
VAR_SMTP_TLS_LOGLEVEL, DEF_SMTP_TLS_LOGLEVEL, &var_smtp_tls_loglevel, 0, 0,
- VAR_SMTP_TLS_FBACK_LEVEL, DEF_SMTP_TLS_FBACK_LEVEL, &var_smtp_tls_fback_level, 0, 0,
#endif
VAR_SMTP_SASL_MECHS, DEF_SMTP_SASL_MECHS, &var_smtp_sasl_mechs, 0, 0,
VAR_SMTP_SASL_TYPE, DEF_SMTP_SASL_TYPE, &var_smtp_sasl_type, 1, 0,
@@ -124,11 +123,3 @@
VAR_SMTP_DUMMY_MAIL_AUTH, DEF_SMTP_DUMMY_MAIL_AUTH, &var_smtp_dummy_mail_auth,
0,
};
-
- /* Suppress $name expansion upon loading. */
- static const CONFIG_RAW_TABLE smtp_raw_table[] = {
-#ifdef USE_TLS
- VAR_SMTP_TLS_AUDIT_TEMPLATE, DEF_SMTP_TLS_AUDIT_TEMPLATE, &var_smtp_tls_audit_template, 0, 0,
-#endif
- 0,
- };
diff --git a/postfix/src/smtp/smtp_proto.c b/postfix/src/smtp/smtp_proto.c
index bb88acfee..53e4c1496 100644
--- a/postfix/src/smtp/smtp_proto.c
+++ b/postfix/src/smtp/smtp_proto.c
@@ -339,9 +339,6 @@ int smtp_helo(SMTP_STATE *state)
/*
* If the policy table specifies a bogus TLS security level, fail
* now.
- *
- * XXX: This should be caught in smtp_connect before we even make a
- * connection to the host. Change to msg_panic()?
*/
#ifdef USE_TLS
if (session->tls->level == TLS_LEV_INVALID)
@@ -756,38 +753,37 @@ int smtp_helo(SMTP_STATE *state)
* although support for it was announced in the EHLO response.
*/
session->features &= ~SMTP_FEATURE_STARTTLS;
- if (smtp_tls_trouble(state, STARTTLS_COMMAND_FALLBACK))
+ if (TLS_REQUIRED(session->tls->level))
return (smtp_site_fail(state, STR(iter->host), resp,
"TLS is required, but host %s refused to start TLS: %s",
session->namaddr,
translit(resp->str, "\n", " ")));
/* Else try to continue in plain-text mode. */
- } else {
+ }
- /*
- * Give up if we must use TLS but can't for various reasons.
- *
- * 200412 Be sure to provide the default clause at the bottom of
- * this block. When TLS is required we must never, ever, end up
- * in plain-text mode.
- */
- if (smtp_tls_trouble(state, STARTTLS_FEATURE_FALLBACK)) {
- if (!(session->features & SMTP_FEATURE_STARTTLS)) {
- return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
- SMTP_RESP_FAKE(&fake, "4.7.4"),
+ /*
+ * Give up if we must use TLS but can't for various reasons.
+ *
+ * 200412 Be sure to provide the default clause at the bottom of this
+ * block. When TLS is required we must never, ever, end up in
+ * plain-text mode.
+ */
+ if (TLS_REQUIRED(session->tls->level)) {
+ if (!(session->features & SMTP_FEATURE_STARTTLS)) {
+ return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
+ SMTP_RESP_FAKE(&fake, "4.7.4"),
"TLS is required, but was not offered by host %s",
- session->namaddr));
- } else if (smtp_tls_ctx == 0) {
- return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
- SMTP_RESP_FAKE(&fake, "4.7.5"),
+ session->namaddr));
+ } else if (smtp_tls_ctx == 0) {
+ return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
+ SMTP_RESP_FAKE(&fake, "4.7.5"),
"TLS is required, but our TLS engine is unavailable"));
- } else {
- msg_warn("%s: TLS is required but unavailable, don't know why",
- myname);
- return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
- SMTP_RESP_FAKE(&fake, "4.7.0"),
+ } else {
+ msg_warn("%s: TLS is required but unavailable, don't know why",
+ myname);
+ return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
+ SMTP_RESP_FAKE(&fake, "4.7.0"),
"TLS is required, but unavailable"));
- }
}
}
}
@@ -811,7 +807,6 @@ static int smtp_start_tls(SMTP_STATE *state)
TLS_CLIENT_START_PROPS tls_props;
VSTRING *serverid;
SMTP_RESP fake;
- int tls_level;
/*
* Turn off SMTP connection caching. When the TLS handshake succeeds, we
@@ -861,11 +856,6 @@ static int smtp_start_tls(SMTP_STATE *state)
* resulting TLScontext. It is now up to the application to abort the TLS
* connection if it chooses.
*
- * Consequently, the TLS library need not and does not distinguish between
- * the "dane" and "dane-only" security levels. By the time we have TLSA
- * records in hand, both behave identically modulo application-level
- * fallback. We collapse these now equivalent security levels.
- *
* XXX When tls_client_start() fails then we don't know what state the SMTP
* connection is in, so we give up on this connection even if we are not
* required to use TLS.
@@ -873,14 +863,12 @@ static int smtp_start_tls(SMTP_STATE *state)
* Large parameter lists are error-prone, so we emulate a language feature
* that C does not have natively: named parameter lists.
*/
- if ((tls_level = session->tls->level) == TLS_LEV_DANE_ONLY)
- tls_level = TLS_LEV_DANE;
session->tls_context =
TLS_CLIENT_START(&tls_props,
ctx = smtp_tls_ctx,
stream = session->stream,
timeout = var_smtp_starttls_tmout,
- tls_level = tls_level,
+ tls_level = session->tls->level,
nexthop = session->tls_nexthop,
host = STR(iter->host),
namaddr = session->namaddrport,
@@ -925,21 +913,25 @@ static int smtp_start_tls(SMTP_STATE *state)
* result, abort the delivery here. We have a usable TLS session with the
* server, so no need to disable I/O, ... we can even be polite and send
* "QUIT".
+ *
+ * See src/tls/tls_level.c and src/tls/tls.h. Levels above "encrypt" require
+ * matching. Levels >= "dane" require CA or DNSSEC trust.
+ *
+ * When DANE TLSA records specify an end-entity certificate, the trust and
+ * match bits always coincide, but it is fine to report the wrong
+ * end-entity certificate as untrusted rather than unmatched.
*/
- if (TLS_MUST_TRUST(session->tls_level)
- && !TLS_CERT_IS_TRUSTED(session->tls_context)) {
- if (smtp_tls_trouble(state, STARTTLS_VERIFY_FALLBACK))
+ if (TLS_MUST_TRUST(session->tls->level))
+ if (!TLS_CERT_IS_TRUSTED(session->tls_context))
return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
SMTP_RESP_FAKE(&fake, "4.7.5"),
"Server certificate not trusted"));
- } else if (TLS_MUST_MATCH(session->tls_level)
- && !TLS_CERT_IS_MATCHED(session->tls_context)) {
- /* Peer certificate not matched as it should be */
- if (smtp_tls_trouble(state, STARTTLS_VERIFY_FALLBACK))
+ if (TLS_MUST_MATCH(session->tls->level))
+ if (!TLS_CERT_IS_MATCHED(session->tls_context))
return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
SMTP_RESP_FAKE(&fake, "4.7.5"),
"Server certificate not verified"));
- }
+
/* At this point there must not be any pending plaintext. */
vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH);
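Review bot: the trust and match checks are now written as nested if statements without braces (if (TLS_MUST_TRUST(...)) directly followed by if (!TLS_CERT_IS_TRUSTED(...))), which invites a dangling-else mistake in the code that decides whether an unverified peer is accepted. Join each pair with && or add braces. Replacing the former "else if" with two independent checks is harmless only because the first check returns on failure; a short comment to that effect would help the next reader.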
@@ -1450,8 +1442,8 @@ static int smtp_loop(SMTP_STATE *state, NOCLOBBER int send_state,
}
/*
- * Request SMTPUTF8 when the remote SMTP server supports SMTPUTF8
- * and the sender requested SMTPUTF8 support.
+ * Request SMTPUTF8 when the remote SMTP server supports
+ * SMTPUTF8 and the sender requested SMTPUTF8 support.
*
* If the sender requested SMTPUTF8 but the remote SMTP server does
* not support SMTPUTF8, then we have already determined earlier
@@ -2222,17 +2214,6 @@ int smtp_xfer(SMTP_STATE *state)
*/
result = smtp_loop(state, send_state, recv_state);
- /*
- * Optionally log the TLS session status. This provides an audit trail
- * for both successful and failed deliveries. Failed deliveries should
- * not escape auditing: they may in fact be successful deliveries to an
- * impostor who steals copies of email by posing as a high-preference MX
- * server that fakes a temporary error after end-of-data.
- */
-#ifdef USE_TLS
- smtp_tls_audit(request->queue_id, session);
-#endif
-
if (result == 0
/* Just in case */
&& vstream_ferror(session->stream) == 0
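Review bot: removing the smtp_tls_audit() call after smtp_loop() also removes the only place where failed deliveries were tied to their TLS session properties, and the deleted comment gives a concrete reason for wanting that record (a delivery that ends in a temporary error may still have handed the message to an impostor MX). The change notes should say what operators are expected to rely on instead, for example the handshake logging controlled by smtp_tls_loglevel.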
diff --git a/postfix/src/smtp/smtp_tls_audit.c b/postfix/src/smtp/smtp_tls_audit.c
deleted file mode 100644
index 6c87120f6..000000000
--- a/postfix/src/smtp/smtp_tls_audit.c
+++ /dev/null
@@ -1,143 +0,0 @@
-/*++
-/* NAME
-/* smtp_tls_audit 3
-/* SUMMARY
-/* report effective TLS policy
-/* SYNOPSIS
-/* #include "smtp.h"
-/*
-/* smtp_tls_audit(
-/* const char *queue_id,
-/* SMTP_SESSION *session)
-/* DESCRIPTION
-/* smtp_tls_audit() logs a record with TLS session properties
-/* as specified with the smtp_tls_audit_template configuration
-/* parameter.
-/*
-/* Arguments:
-/* .IP queue_id
-/* Mail delivery transaction identifier.
-/* .IP session
-/* Client-side SMTP/TLS session state.
-/* DIAGNOSTICS
-/* Unrecognized macro name in audit template.
-/* LICENSE
-/* .ad
-/* .fi
-/* The Secure Mailer license must be distributed with this software.
-/* AUTHOR(S)
-/* Viktor Dukhovni
-/*--*/
-
-#ifdef USE_TLS
-
-/* System library. */
-
-#include
-#include
-#include
-
-/* Utility library. */
-
-#include
-#include
-#include
-#include
-
-/* Global library. */
-
-#include
-
-/* Application-specific. */
-
-#include "smtp.h"
-
- /*
- * The mini symbol table name and keys used for expanding macros in smtp tls
- * audit log entries.
- */
-#define TLS_AUDIT_DICT_TABLE "tls_audit_template" /* table name */
-#define TLS_AUDIT_DICT_RELAY "relay" /* key */
-#define TLS_AUDIT_DICT_ALEVEL "level" /* key */
-#define TLS_AUDIT_DICT_PLEVEL "policy"/* key */
-#define TLS_AUDIT_DICT_STATUS "auth" /* key */
-#define TLS_AUDIT_DICT_PROTOCOL "protocol" /* key */
-#define TLS_AUDIT_DICT_CIPHER "cipher"/* key */
-#define TLS_AUDIT_DICT_CERT "cert_digest" /* key */
-#define TLS_AUDIT_DICT_SPKI "spki_digest" /* key */
-
-/* audit_lookup - macro parser call-back routine */
-
-static const char *audit_lookup(const char *key, int unused_mode, char *dict)
-{
- const char *value = dict_lookup(dict, key);
-
- if (value == 0)
- msg_warn("%s: unknown TLS audit template macro name: \"%s\"",
- SMTP_X(TLS_AUDIT_TEMPLATE), key);
- return value;
-}
-
-/* expand_template - expand macros in the audit template */
-
-static int expand_template(char *template, VSTRING *result)
-{
-
-#define NO_SCAN_FILTER ((const char *) 0)
- return mac_expand(result, template, MAC_EXP_FLAG_NONE, NO_SCAN_FILTER,
- audit_lookup, TLS_AUDIT_DICT_TABLE);
-}
-
-/* smtp_tls_audit - log TLS audit trail */
-
-void smtp_tls_audit(const char *queue_id, SMTP_SESSION *session)
-{
- SMTP_TLS_POLICY *tls = session->tls;
- TLS_SESS_STATE *TLScontext = session->tls_context;
- const char *policy_level;
- const char *actual_level;
- VSTRING *result = vstring_alloc(100);
- int status;
-
- if (!*var_smtp_tls_audit_template)
- return;
-
-#ifndef TLS_AUDIT_NONE_POLICY
- /* Do we log policy "none" and cleartext status when TLS is disabled? */
- if (tls->policy_level <= TLS_LEV_NONE)
- return;
-#endif
-
- dict_update(TLS_AUDIT_DICT_TABLE, TLS_AUDIT_DICT_RELAY,
- session->namaddrport);
-
- actual_level = str_tls_level(session->tls_level);
- policy_level = (session->tls_level == tls->policy_level) ? "" :
- str_tls_level(tls->policy_level);
- dict_update(TLS_AUDIT_DICT_TABLE, TLS_AUDIT_DICT_ALEVEL,
- actual_level ? actual_level : "");
- dict_update(TLS_AUDIT_DICT_TABLE, TLS_AUDIT_DICT_PLEVEL,
- policy_level ? policy_level : "");
-
- dict_update(TLS_AUDIT_DICT_TABLE, TLS_AUDIT_DICT_STATUS,
- TLScontext == 0 ? "Cleartext" :
- !TLS_CERT_IS_PRESENT(TLScontext) ? "Anonymous" :
- TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" :
- TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" :
- "Untrusted");
- dict_update(TLS_AUDIT_DICT_TABLE, TLS_AUDIT_DICT_PROTOCOL,
- TLScontext == 0 ? "" : TLScontext->protocol);
- dict_update(TLS_AUDIT_DICT_TABLE, TLS_AUDIT_DICT_CIPHER,
- TLScontext == 0 ? "" : TLScontext->cipher_name);
- dict_update(TLS_AUDIT_DICT_TABLE, TLS_AUDIT_DICT_CERT,
- TLScontext == 0 ? "" : TLScontext->peer_cert_fprint);
- dict_update(TLS_AUDIT_DICT_TABLE, TLS_AUDIT_DICT_SPKI,
- TLScontext == 0 ? "" : TLScontext->peer_pkey_fprint);
-
- status = expand_template(var_smtp_tls_audit_template, result);
- if (status == 0)
- msg_info("%s: %s", queue_id, STR(result));
- vstring_free(result);
-}
-
-#endif /* USE_TLS */
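Review bot: in the deleted smtp_tls_audit(), result is allocated with vstring_alloc(100) in its declaration, ahead of both early returns (empty smtp_tls_audit_template, and policy_level <= TLS_LEV_NONE), so each of those paths leaks the buffer on every call. Nothing needs fixing in this commit because the file goes away, but if the feature is reintroduced, allocate after the early returns or call vstring_free() before returning.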
diff --git a/postfix/src/smtp/smtp_tls_policy.c b/postfix/src/smtp/smtp_tls_policy.c
index bde1331d9..59118f2b3 100644
--- a/postfix/src/smtp/smtp_tls_policy.c
+++ b/postfix/src/smtp/smtp_tls_policy.c
@@ -155,7 +155,7 @@ static const char *policy_name(int tls_level)
}
#define MARK_INVALID(why, levelp) do { \
- dsb_simple((why), "4.7.0", "client TLS configuration problem"); \
+ dsb_simple((why), "4.7.5", "client TLS configuration problem"); \
*(levelp) = TLS_LEV_INVALID; } while (0)
/* tls_site_lookup - look up per-site TLS security level */
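Review bot: MARK_INVALID changes its status code from 4.7.0 to 4.7.5 while the text stays "client TLS configuration problem", and the hunk gives no reason. This patch also uses 4.7.5 for "Server certificate not trusted" and for TLSA lookup errors, so a local misconfiguration and a remote verification failure end up with the same code in defer logs. Add a comment that justifies the choice, or keep 4.7.0 for the configuration case.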
@@ -352,37 +352,6 @@ static void tls_policy_lookup_one(SMTP_TLS_POLICY *tls, int *site_level,
}
continue;
}
- /* Only one instance per policy. */
- if (!strcasecmp(name, "fallback")) {
- int l;
-
- if (!TLS_MUST_MATCH(*site_level)) {
- msg_warn("%s: attribute \"%s\" invalid at security level"
- " \"%s\"", WHERE, name, policy_name(*site_level));
- continue;
- }
- if (tls->fallback_level != TLS_LEV_NOTFOUND) {
- msg_warn("%s: attribute \"%s\" is specified multiple times",
- WHERE, name);
- continue;
- }
- if (*val == 0) {
- msg_warn("%s: attribute \"%s\" has empty value", WHERE, name);
- continue;
- }
- switch (l = tls_level_lookup(val)) {
- case TLS_LEV_NONE:
- case TLS_LEV_MAY:
- case TLS_LEV_ENCRYPT:
- tls->fallback_level = l;
- break;
- default:
- msg_warn("%s: attribute \"%s\" invalid fallback level: \"%s\"",
- WHERE, name, val);
- break;
- }
- continue;
- }
msg_warn("%s: invalid attribute name: \"%s\"", WHERE, name);
INVALID_RETURN(tls->why, site_level);
}
@@ -464,7 +433,6 @@ static void set_cipher_grade(SMTP_TLS_POLICY *tls)
break;
case TLS_LEV_DANE:
- case TLS_LEV_DANE_ONLY:
case TLS_LEV_FPRINT:
case TLS_LEV_VERIFY:
case TLS_LEV_SECURE:
@@ -494,49 +462,6 @@ static void set_cipher_grade(SMTP_TLS_POLICY *tls)
ADD_EXCLUDE(tls->exclusions, also_exclude);
}
-static int global_fallback(SMTP_TLS_POLICY *tls)
-{
- static int l = TLS_LEV_NOTFOUND;
- const char *lname = str_tls_level(tls->level);
- const char *err;
- char *saved;
- char *fback;
- char *tok;
- char *name;
- char *val;
-
- /*
- * Silently ignore any spurious fallback setting for unauthenticated TLS.
- */
- if (!*var_smtp_tls_fback_level || tls->level <= TLS_LEV_ENCRYPT)
- return l;
-
- saved = fback = mystrdup(var_smtp_tls_fback_level);
- while ((tok = mystrtok(&fback, "\t\n\r ,")) != 0) {
- if ((err = split_nameval(tok, &name, &val)) != 0) {
- msg_warn("malformed %s: \"%s\": %s", SMTP_X(TLS_FBACK_LEVEL),
- saved, err);
- l = TLS_LEV_NOTFOUND;
- break;
- }
- if (strcmp(name, lname) == 0) {
- switch (l = tls_level_lookup(val)) {
- case TLS_LEV_MAY:
- case TLS_LEV_ENCRYPT:
- break;
- default:
- msg_warn("%s: bad fallback mapping: %s=%s",
- SMTP_X(TLS_FBACK_LEVEL), name, val);
- l = TLS_LEV_NOTFOUND;
- break;
- }
- break;
- }
- }
- myfree(saved);
- return (l);
-}
-
/* policy_create - create SMTP TLS policy cache object (ctable call-back) */
static void *policy_create(const char *unused_key, void *context)
@@ -597,19 +522,6 @@ static void *policy_create(const char *unused_key, void *context)
return ((void *) tls);
}
- /*
- * Save level as policy level (may be downgraded by early fallback, and
- * compute fallback level if not specified per-site. If site fallback
- * level is "none", replace with "notfound", otherwise if no site
- * fallback level, use the global value.
- */
- tls->policy_level = tls->level;
- if (tls->fallback_level == TLS_LEV_NONE)
- tls->fallback_level = TLS_LEV_NOTFOUND;
- else if (tls->fallback_level == TLS_LEV_NOTFOUND
- && (tls->fallback_level = global_fallback(tls)) == TLS_LEV_INVALID)
- tls->fallback_level = TLS_LEV_NOTFOUND;
-
/*
* DANE initialization may change the security level to something else,
* so do this early, so that we use the right level below. Note that
@@ -645,7 +557,6 @@ static void *policy_create(const char *unused_key, void *context)
case TLS_LEV_MAY:
case TLS_LEV_ENCRYPT:
case TLS_LEV_DANE:
- case TLS_LEV_DANE_ONLY:
break;
case TLS_LEV_FPRINT:
if (tls->dane == 0)
@@ -796,49 +707,29 @@ static int global_tls_level(void)
#define NONDANE_CONFIG 0 /* Administrator's fault */
#define NONDANE_DEST 1 /* Remote server's fault */
#define DANE_UNUSABLE 2 /* Remote server's fault */
-#define TLSA_LOOKUP_ERR 3 /* DNS lookup failed */
-static void PRINTFLIKE(3, 4) dane_incompat(SMTP_TLS_POLICY *tls,
+static void PRINTFLIKE(4, 5) dane_incompat(SMTP_TLS_POLICY *tls,
+ SMTP_ITERATOR *iter,
int errtype,
const char *fmt,...)
{
va_list ap;
va_start(ap, fmt);
-
- /*
- * TLSA lookup errors are potential downgrade attacks, since they can
- * hide the presence of usable TLSA RRs, we must fail or fallback, not
- * downgrade to encryption-only or opportunistic TLS as with unusable or
- * absent TLSA records.
- */
- if (tls->level == TLS_LEV_DANE && errtype != TLSA_LOOKUP_ERR) {
- if (errtype == DANE_UNUSABLE) {
-
- /*
- * When TLSA are present, but none are usable, "dane" clients are
- * expected to perform mandatory unauthenticated TLS. If the
- * "dane" the fallback level is "may", we enable fallback to
- * cleartext (with the appropriate warnings).
- */
- tls->level = TLS_LEV_ENCRYPT;
- if (tls->fallback_level != TLS_LEV_MAY)
- tls->fallback_level = TLS_LEV_NOTFOUND;
- } else {
- tls->level = TLS_LEV_MAY;
- tls->fallback_level = TLS_LEV_NOTFOUND;
- }
+ if (tls->level == TLS_LEV_DANE) {
+ tls->level = (errtype == DANE_UNUSABLE) ? TLS_LEV_ENCRYPT : TLS_LEV_MAY;
if (errtype == NONDANE_CONFIG)
vmsg_warn(fmt, ap);
else if (msg_verbose)
vmsg_info(fmt, ap);
- } else {
- vmsg_warn(fmt, ap);
- if (errtype == NONDANE_CONFIG
- || tls->fallback_level == TLS_LEV_NOTFOUND)
+ } else { /* dane-only */
+ if (errtype == NONDANE_CONFIG) {
+ vmsg_warn(fmt, ap);
MARK_INVALID(tls->why, &tls->level);
- else
- tls->level = tls->fallback_level;
+ } else {
+ tls->level = TLS_LEV_INVALID;
+ vdsb_simple(tls->why, "4.7.5", fmt, ap);
+ }
}
va_end(ap);
}
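Review bot: the new iter parameter of dane_incompat() is not referenced anywhere in the body shown in this hunk, although PRINTFLIKE moves to (4, 5) to make room for it. Either use it or drop it. In the dane-only branch, the case that is not NONDANE_CONFIG now sets TLS_LEV_INVALID and records the reason only through vdsb_simple() without logging a warning; confirm that the missing vmsg_warn() is intended.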
@@ -856,14 +747,14 @@ static void dane_init(SMTP_TLS_POLICY *tls, SMTP_ITERATOR *iter)
return;
}
if (!tls_dane_avail()) {
- dane_incompat(tls, NONDANE_CONFIG,
+ dane_incompat(tls, iter, NONDANE_CONFIG,
"%s: %s configured, but no requisite library support",
STR(iter->dest), policy_name(tls->level));
return;
}
if (!(smtp_host_lookup_mask & SMTP_HOST_FLAG_DNS)
|| smtp_dns_support != SMTP_DNS_DNSSEC) {
- dane_incompat(tls, NONDANE_CONFIG,
+ dane_incompat(tls, iter, NONDANE_CONFIG,
"%s: %s configured with dnssec lookups disabled",
STR(iter->dest), policy_name(tls->level));
return;
@@ -875,7 +766,7 @@ static void dane_init(SMTP_TLS_POLICY *tls, SMTP_ITERATOR *iter)
* key material.
*/
if (smtp_mode && var_ign_mx_lookup_err) {
- dane_incompat(tls, NONDANE_CONFIG,
+ dane_incompat(tls, iter, NONDANE_CONFIG,
"%s: %s configured with MX lookup errors ignored",
STR(iter->dest), policy_name(tls->level));
return;
@@ -888,48 +779,45 @@ static void dane_init(SMTP_TLS_POLICY *tls, SMTP_ITERATOR *iter)
* to certificate name checks, ...
*/
if (smtp_dns_res_opt & (RES_DEFNAMES | RES_DNSRCH)) {
- dane_incompat(tls, NONDANE_CONFIG,
+ dane_incompat(tls, iter, NONDANE_CONFIG,
"%s: dns resolver options incompatible with %s TLS",
STR(iter->dest), policy_name(tls->level));
return;
}
/* When the MX name is present and insecure, DANE does not apply. */
if (iter->mx && !iter->mx->dnssec_valid) {
- dane_incompat(tls, NONDANE_DEST, "%s: non-DNSSEC destination",
- STR(iter->dest));
+ dane_incompat(tls, iter, NONDANE_DEST, "non DNSSEC destination");
return;
}
-
- /*
- * When TLSA lookups fail, as with dane-only, we fall back or defer the
- * message, the level will be set to either the fallback level or
- * "invalid".
- */
+ /* When TLSA lookups fail, we defer the message */
if ((dane = tls_dane_resolve(iter->port, "tcp", iter->rr,
var_smtp_tls_force_tlsa)) == 0) {
- dane_incompat(tls, TLSA_LOOKUP_ERR,
- "%s:%u: DANE TLSA lookup error",
- STR(iter->host), ntohs(iter->port));
+ tls->level = TLS_LEV_INVALID;
+ dsb_simple(tls->why, "4.7.5", "TLSA lookup error for %s:%u",
+ STR(iter->host), ntohs(iter->port));
return;
}
if (tls_dane_notfound(dane)) {
- dane_incompat(tls, NONDANE_DEST,
- "%s:%u: no DANE TLSA records found",
- STR(iter->host), ntohs(iter->port));
+ dane_incompat(tls, iter, NONDANE_DEST, "no TLSA records found");
tls_dane_free(dane);
return;
}
- /*-
- * Some TLSA records found, but none usable, per:
- *
- * https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane
- *
- * we MUST use TLS.
+
+ /*
+ * Some TLSA records found, but none usable, per
+ *
+ * https://tools.ietf.org/html/draft-ietf-dane-srv-02#section-4
+ *
+ * we MUST use TLS, and SHALL use full PKIX certificate checks. The latter
+ * would be unwise for SMTP: no human present to "click ok" and risk of
+ * non-delivery in most cases exceeds risk of interception.
+ *
+ * We also have a form of Goedel's incompleteness theorem in play: any list
+ * of public root CA certs is either incomplete or inconsistent (for any
+ * given verifier some of the CAs are surely not trustworthy).
*/
if (tls_dane_unusable(dane)) {
- dane_incompat(tls, DANE_UNUSABLE,
- "%s:%u: all DANE TLSA records unusable",
- STR(iter->host), ntohs(iter->port));
+ dane_incompat(tls, iter, DANE_UNUSABLE, "TLSA records unusable");
tls_dane_free(dane);
return;
}
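Review bot: the NONDANE_DEST and DANE_UNUSABLE calls now pass fixed strings ("non DNSSEC destination", "no TLSA records found", "TLSA records unusable") where the removed lines included STR(iter->dest) or the host and port. At level dane these strings are what verbose logging prints, and for dane-only they become the reason stored in tls->why, so neither names the server involved. Restore the "%s:%u" arguments or have dane_incompat() format them from iter. The one-line comment on the TLSA lookup failure path should also keep the reason for deferring: a lookup error can hide the presence of usable TLSA records.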
@@ -950,6 +838,7 @@ static void dane_init(SMTP_TLS_POLICY *tls, SMTP_ITERATOR *iter)
} else if (!TLS_DANE_HASEE(dane))
msg_panic("empty DANE match list");
tls->dane = dane;
+ tls->level = TLS_LEV_DANE;
return;
}
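Review bot: tls->level = TLS_LEV_DANE; is added at the success exit of dane_init() without a comment, and from that point a policy that started as dane-only can no longer be told apart from dane. State the intent next to the assignment (with usable TLSA records in hand the two levels behave the same), since the explanation that used to sit in smtp_start_tls() is removed by this same patch and the TLS_LEV_DANE_ONLY cases dropped from the switch statements depend on it.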
diff --git a/postfix/src/smtp/smtp_trouble.c b/postfix/src/smtp/smtp_trouble.c
index ce40e8119..2262e6cf0 100644
--- a/postfix/src/smtp/smtp_trouble.c
+++ b/postfix/src/smtp/smtp_trouble.c
@@ -32,10 +32,6 @@
/* SMTP_STATE *state;
/* int exception;
/* const char *description;
-/*
-/* int smtp_tls_trouble(state, protocol_stage)
-/* SMTP_STATE *state;
-/* int protocol_stage;
/* DESCRIPTION
/* This module handles all non-fatal errors that can happen while
/* attempting to deliver mail via SMTP, and implements the policy
@@ -109,13 +105,6 @@
/* The session is marked as "do not cache".
/* The result is non-zero.
/*
-/* smtp_tls_trouble() handles failure to establish a TLS connection or
-/* else failure to authenticate the peer. The protocol_stage argument
-/* indicates what TLS problem was detected. The return value is 0 when
-/* TLS is not required or a fallback strategy allows delivery to continue.
-/* When a non-zero value is returned delivery must not continue via the
-/* current SMTP server. All relevant warnings are logged.
-/*
/* Arguments:
/* .IP state
/* SMTP client state per delivery request.
@@ -478,71 +467,3 @@ int smtp_stream_except(SMTP_STATE *state, int code, const char *description)
*/
return (smtp_bulk_fail(state, SMTP_THROTTLE));
}
-
-#ifdef USE_TLS
-
-/* smtp_tls_trouble - Fail or fall back when TLS state is not satisfactory. */
-
-int smtp_tls_trouble(SMTP_STATE *state, int protocol_stage)
-{
- SMTP_SESSION *session = state->session;
- SMTP_TLS_POLICY *tls = session->tls;
-
- /* Handle non-recoverable cases */
- switch (protocol_stage) {
- case STARTTLS_VERIFY_FALLBACK:
- if (tls->fallback_level == TLS_LEV_NOTFOUND)
- return (-1);
- break;
- case STARTTLS_FEATURE_FALLBACK:
- /* No recovery when skipping STARTTLS due to local problems */
- if (session->features & SMTP_FEATURE_STARTTLS)
- return (-1);
- /* FALLTHROUGH */
- case STARTTLS_COMMAND_FALLBACK:
- case STARTTLS_HANDSHAKE_FALLBACK:
- case STARTTLS_SESSION_FALLBACK:
- if (TLS_REQUIRED(session->tls_level)
- && tls->fallback_level != TLS_LEV_MAY)
- return (-1);
- break;
- default:
- msg_panic("Unexpected TLS failure stage: %d", protocol_stage);
- }
-
- /* Log appropriate warning and perform fallback */
- switch (protocol_stage) {
- case STARTTLS_FEATURE_FALLBACK:
- msg_warn("%s: cleartext fallback, host did not offer STARTTLS",
- session->namaddrport);
- break;
-
- case STARTTLS_COMMAND_FALLBACK:
- msg_warn("%s: cleartext fallback, host refused to start TLS",
- session->namaddrport);
- break;
-
- case STARTTLS_HANDSHAKE_FALLBACK:
- msg_warn("%s: cleartext fallback, TLS handshake failed",
- session->namaddrport);
- break;
-
- case STARTTLS_SESSION_FALLBACK:
- msg_warn("%s: cleartext fallback, post-handshake TLS failure",
- session->namaddrport);
- break;
-
- case STARTTLS_VERIFY_FALLBACK:
- msg_warn("%s: fallback to unathenticated TLS: %s",
- session->namaddrport,
- TLS_CERT_IS_TRUSTED(session->tls_context) ?
- "Server certificate failed verification" :
- "Server certificate not trusted");
- break;
- }
-
- session->tls_level = tls->fallback_level;
- return (0);
-}
-
-#endif