From: Wietse Venema Date: Sun, 15 Mar 2020 05:00:00 +0000 (-0500) Subject: postfix-3.6-20200315 X-Git-Tag: v3.6.0-RC1~42 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=564963b7f51203314bafe75f44975f60bfc8bb68;p=thirdparty%2Fpostfix.git postfix-3.6-20200315 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index df93dfac0..23e8bebd5 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -24665,3 +24665,11 @@ Apologies for any names omitted. a configuration requests access control by client certificate, but "smtpd_tls_ask_clientcert = no". Files: proto/postconf.proto, smtpd/smtpd_check.c. + +20200315 + + Bugfix (introduced: 20190517 development release): in + check_ccert_access, the issuer_cn and subject_cn matches + now require that the client certificate is signed by a CA + that the Postfix SMTP server trusts. Files: smtpd/smtpd_check.c, + proto/postconf.proto. diff --git a/postfix/RELEASE_NOTES-3.5 b/postfix/RELEASE_NOTES-3.5 index 001e2092e..4fa6a616b 100644 --- a/postfix/RELEASE_NOTES-3.5 +++ b/postfix/RELEASE_NOTES-3.5 @@ -28,9 +28,9 @@ comfortable with the IPL can continue with that license. Major changes - multiple relayhost in SMTP ------------------------------------------ -[Feature 20200111] SMTP (and LMTP) client support for a list of -nexthop destinations separated by comma or whitespace. These will -destinations be tried in the specified order. +[Feature 20200111] the Postfix SMTP and LMTP client support a list +of nexthop destinations separated by comma or whitespace. These +destinations will be tried in the specified order. The list form can be specified in relayhost, transport_maps, default_transport, and sender_dependent_default_transport_maps. 
@@ -73,8 +73,9 @@ exact same result: ... The check_ccert_access search order also supports the subject_cn and -issuer_cn properties. Support is planned for rfc822name and -smtputf8mailbox. +issuer_cn client certificate properties, when the client certificate +is signed by a CA that the Postfix SMTP server trusts. Support is +planned for rfc822name and smtputf8mailbox. Major changes - dovecot usability --------------------------------- @@ -108,7 +109,7 @@ a message if it is in the hold queue. With -e, such a message would not be returned to the sender until it is released with -f or -H. In the mailq(1) or postqueue(1) -p output, a forced-to-expire message -is indicated with # after the queue name. In postqueue(1) JSON +is indicated with # after the queue file name. In postqueue(1) JSON output, there is a new per-message field "forced_expire" (with value true or false) that shows the forced-to-expire status. diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 68135b0de..3a8dc8e78 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -14254,7 +14254,8 @@ pubkey_fingerprint } }
The commas are optional. Other valid search_order elements are "subject_cn" (the certificate subject CN) and "issuer_cn" (the -certificate issuer CN).
+certificate issuer CN). These require that the client certificate +is signed by a CA that the Postfix SMTP server trusts.
check_client_access type:table
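Review bot: the added sentence in the postconf.5.html hunk states the requirement but not the outcome: say what happens when the certificate is not signed by a trusted CA, i.e. that the subject_cn and issuer_cn lookups are skipped and check_ccert_access gives no result, so the next restriction decides, otherwise readers may assume an untrusted certificate is rejected. It would also help to point at the parameters that define which CAs the server trusts (smtpd_tls_CAfile and smtpd_tls_CApath), since "trusts" is otherwise undefined here. The same sentence is added verbatim to postconf.5 and postconf.proto in this patch, so any rewording must go into all three copies.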
diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index fbb387c09..3f6e3b4a2 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -9537,7 +9537,8 @@ pubkey_fingerprint } } .br The commas are optional. Other valid search_order elements are "subject_cn" (the certificate subject CN) and "issuer_cn" (the -certificate issuer CN). +certificate issuer CN). These require that the client certificate +is signed by a CA that the Postfix SMTP server trusts. .br .IP "\fBcheck_client_access \fItype:table\fR\fR" Search the specified access database for the client hostname, diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 4f81c10b0..d9702a473 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -5125,7 +5125,8 @@ pubkey_fingerprint } }
The commas are optional. Other valid search_order elements are "subject_cn" (the certificate subject CN) and "issuer_cn" (the -certificate issuer CN).
+certificate issuer CN). These require that the client certificate +is signed by a CA that the Postfix SMTP server trusts.
check_client_access type:table
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 74e6cb848..52bf63af8 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20200312" +#define MAIL_RELEASE_DATE "20200315" #define MAIL_VERSION_NUMBER "3.6" #ifdef SNAPSHOT diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c index 1eaaf279b..c76669b08 100644 --- a/postfix/src/smtpd/smtpd_check.c +++ b/postfix/src/smtpd/smtpd_check.c @@ -3186,14 +3186,18 @@ static int check_ccert_access(SMTPD_STATE *state, const char *acl_spec, const char *action; const char *match_this; const char *known_action; + int need_trusted_cert; for (action = search_order; *action; action++) { + need_trusted_cert = 1; switch (*action) { case SMTPD_ACL_SEARCH_CODE_CERT_FPRINT: match_this = state->tls_context->peer_cert_fprint; + need_trusted_cert = 0; break; case SMTPD_ACL_SEARCH_CODE_PKEY_FPRINT: match_this = state->tls_context->peer_pkey_fprint; + need_trusted_cert = 0; break; case SMTPD_ACL_SEARCH_CODE_CERT_ISSUER_CN: match_this = state->tls_context->issuer_CN; @@ -3212,6 +3216,13 @@ static int check_ccert_access(SMTPD_STATE *state, const char *acl_spec, 451, "4.3.5", "Server configuration error")); } + if (need_trusted_cert && !TLS_CERT_IS_TRUSTED(state->tls_context)) { + if (msg_verbose) + msg_info("%s: skipping %s %s: untrusted client certificate", + myname, str_name_code(search_actions, *action), + match_this); + return SMTPD_CHECK_DUNNO; + } if (msg_verbose) msg_info("%s: look up %s %s", myname, str_name_code(search_actions, *action), @@ -5762,6 +5773,7 @@ int var_plaintext_code; bool var_smtpd_peername_lookup; bool var_smtpd_client_port_log; char *var_smtpd_dns_re_filter; +bool var_smtpd_tls_ask_ccert; #define int_table test_int_table 
@@ -5796,6 +5808,7 @@ static const INT_TABLE int_table[] = { VAR_PLAINTEXT_CODE, DEF_PLAINTEXT_CODE, &var_plaintext_code, VAR_SMTPD_PEERNAME_LOOKUP, DEF_SMTPD_PEERNAME_LOOKUP, &var_smtpd_peername_lookup, VAR_SMTPD_CLIENT_PORT_LOG, DEF_SMTPD_CLIENT_PORT_LOG, &var_smtpd_client_port_log, + VAR_SMTPD_TLS_ACERT, DEF_SMTPD_TLS_ACERT, &var_smtpd_tls_ask_ccert, 0, };
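Review bot: in the @@ -3186 hunk of smtpd_check.c the default `need_trusted_cert = 1;` at the top of each loop iteration, cleared only for the two fingerprint cases, is the right fail-safe choice (a search_order code added later will require a trusted certificate unless it explicitly opts out), but that intent is not visible from the code; a one-line comment above the assignment explaining that fingerprint matches pin a specific certificate or key and therefore need no CA trust, while every other property is only meaningful when the certificate chain is verified, would stop a future edit from inverting the default.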
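Review bot: in the @@ -3212 hunk of smtpd_check.c, `return SMTPD_CHECK_DUNNO;` inside the untrusted-certificate branch abandons the whole search_order loop, although the verbose message says "skipping" and the remaining elements may not need a trusted certificate at all: with `search_order = subject_cn, cert_fingerprint` and an untrusted client certificate the fingerprint lookup is never reached, even though cert_fingerprint clears need_trusted_cert in the preceding hunk. If the intent is to skip only the trust-dependent property, use `continue;` so the loop moves on to the next element; if the intent really is to stop, change the message so it no longer says "skipping" and document that a leading subject_cn or issuer_cn makes later fingerprint entries dead for untrusted certificates.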
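Review bot: the @@ -5796 hunk, together with the `bool var_smtpd_tls_ask_ccert;` declaration in the @@ -5762 hunk, only lets the standalone smtpd_check test program build and parse the new parameter; the patch adds no test input that exercises the untrusted-certificate skip introduced in the @@ -3212 hunk. Since this is a bug fix for a regression in a development release, a regression case (a check_ccert_access lookup with subject_cn where the certificate is present but not trusted, expecting no match) would be the natural companion to these two hunks.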