From: Wietse Z Venema Transform the TLS policy from an STS policy plugin: connect to
-an MX host only if its name matches the STS policy MX host pattern,
-and match the server certificate against the MX hostname.
Without the above configuration settings for Postfix and STS +plugins, the old behavior stays in effect: connect to any MX host +listed in DNS, and match a server certificate against any STS policy +MX host pattern.
This feature is available in Postfix ≥ 3.10.5.
diff --git a/postfix/html/smtp.8.html b/postfix/html/smtp.8.html index e116f43aa..37a089ab1 100644 --- a/postfix/html/smtp.8.html +++ b/postfix/html/smtp.8.html @@ -762,19 +762,17 @@ SMTP(8) SMTP(8) When set to "yes", report the TLSRPT status only for "new" TLS sessions. - Available in Postfix version 3.10.5 and later: - - smtp_tls_enforce_sts_mx_patterns (yes) - Transform the TLS policy from an STS policy plugin: connect to - an MX host only if its name matches the STS policy MX host pat- - tern, and match the server certificate against the MX hostname. - - Available in Postfix version 3.11 and later: - tls_required_enable (yes) Enable support for the "TLS-Required: no" message header, defined in RFC 8689. + Available in Postfix version 3.10.5 and later: + + smtp_tls_enforce_sts_mx_patterns (yes) + Transform the TLS policy from an STS policy plugin: connect to + an MX host only if its name matches any STS policy MX host pat- + tern, and match the server certificate against the MX hostname. + OBSOLETE STARTTLS CONTROLS The following configuration parameters exist for compatibility with Postfix versions before 2.3. Support for these will be removed in a diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 31bfc0375..bcecdf30d 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 
@@ -8703,8 +8703,17 @@ This feature is available in Postfix 2.2 and later. With Postfix 2.3 and later use smtp_tls_security_level instead. .SH smtp_tls_enforce_sts_mx_patterns (default: yes) Transform the TLS policy from an STS policy plugin: connect to -an MX host only if its name matches the STS policy MX host pattern, -and match the server certificate against the MX hostname. +an MX host only if its name matches any STS policy MX host pattern, +and match the server certificate against the MX hostname. This +setting takes effect only when an STS policy plugin has TLSRPT +support enabled, so that it forwards STS policy attributes to +Postfix. This works even if Postfix TLSRPT support is disabled at +build time or at runtime. +.PP +Without the above configuration settings for Postfix and STS +plugins, the old behavior stays in effect: connect to any MX host +listed in DNS, and match a server certificate against any STS policy +MX host pattern. .PP This feature is available in Postfix >= 3.10.5. .SH smtp_tls_exclude_ciphers (default: empty) diff --git a/postfix/man/man8/smtp.8 b/postfix/man/man8/smtp.8 index dde3d5c7d..80183b92f 100644 --- a/postfix/man/man8/smtp.8 +++ b/postfix/man/man8/smtp.8 
@@ -684,17 +684,15 @@ by a local TLSRPT reporting service. .IP "\fBsmtp_tlsrpt_skip_reused_handshakes (Postfix >= 3.11: no, Postfix 3.10: yes)\fR" When set to "yes", report the TLSRPT status only for "new" TLS sessions. +.IP "\fBtls_required_enable (yes)\fR" +Enable support for the "TLS\-Required: no" message header, defined +in RFC 8689. .PP Available in Postfix version 3.10.5 and later: .IP "\fBsmtp_tls_enforce_sts_mx_patterns (yes)\fR" Transform the TLS policy from an STS policy plugin: connect to -an MX host only if its name matches the STS policy MX host pattern, +an MX host only if its name matches any STS policy MX host pattern, and match the server certificate against the MX hostname. -.PP -Available in Postfix version 3.11 and later: -.IP "\fBtls_required_enable (yes)\fR" -Enable support for the "TLS\-Required: no" message header, defined -in RFC 8689. .SH "OBSOLETE STARTTLS CONTROLS" .na .nf diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index cbaf202ec..4237ab897 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -19575,8 +19575,17 @@ second etc. TLS handshake to report. %PARAM smtp_tls_enforce_sts_mx_patterns yesTransform the TLS policy from an STS policy plugin: connect to -an MX host only if its name matches the STS policy MX host pattern, -and match the server certificate against the MX hostname.
+an MX host only if its name matches any STS policy MX host pattern, +and match the server certificate against the MX hostname. This +setting takes effect only when an STS policy plugin has TLSRPT +support enabled, so that it forwards STS policy attributes to +Postfix. This works even if Postfix TLSRPT support is disabled at +build time or at runtime. + +Without the above configuration settings for Postfix and STS +plugins, the old behavior stays in effect: connect to any MX host +listed in DNS, and match a server certificate against any STS policy +MX host pattern.
This feature is available in Postfix ≥ 3.10.5.
diff --git a/postfix/proto/stop.double-cc b/postfix/proto/stop.double-cc index 1da83181c..e55d6dedf 100644 --- a/postfix/proto/stop.double-cc +++ b/postfix/proto/stop.double-cc @@ -346,3 +346,4 @@ encoded encoded text can contain only alpha digit ossl_digest_new ossl_digest_new returns NULL after error ossl_digest_data Richard Hansen rhansen rhansen org long long or long integer + policies policy policy domain If null this defaults to the diff --git a/postfix/proto/stop.double-history b/postfix/proto/stop.double-history index 913a3083f..6b32f3309 100644 --- a/postfix/proto/stop.double-history +++ b/postfix/proto/stop.double-history @@ -198,3 +198,7 @@ proto proto COMPATIBILITY_README html Files Makefile in smtp smtp h smtp smtp_connect c smtp smtp c smtp smtp h smtp smtp_connect c smtp smtp_params c Files smtp smtp h smtp smtp_key c smtp smtp_proto c + global mail_params h smtp lmtp_params c smtp smtp c + smtp smtp h smtp smtp_connect c smtp smtp_params c + the policies policy policy domain value This ignores + TLSRPT Workaround when policies policy policy type is diff --git a/postfix/proto/stop.spell-cc b/postfix/proto/stop.spell-cc index 4313fb9d7..c21a6600d 100644 --- a/postfix/proto/stop.spell-cc +++ b/postfix/proto/stop.spell-cc @@ -1870,3 +1870,4 @@ lflag REPLYCODE PTEST finalizer +enf diff --git a/postfix/proto/stop.spell-history b/postfix/proto/stop.spell-history index 901956536..b63bed7d8 100644 --- a/postfix/proto/stop.spell-history +++ b/postfix/proto/stop.spell-history @@ -113,3 +113,4 @@ Fust Jiaying PRI YP +Natalenko diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 18d00303c..0fd56f3b6 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h 
@@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20250924" +#define MAIL_RELEASE_DATE "20250928" #define MAIL_VERSION_NUMBER "3.11" #ifdef SNAPSHOT diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c index beb46033c..873ef2ebb 100644 --- a/postfix/src/smtp/smtp.c +++ b/postfix/src/smtp/smtp.c @@ -650,17 +650,15 @@ /* .IP "\fBsmtp_tlsrpt_skip_reused_handshakes (Postfix >= 3.11: no, Postfix 3.10: yes)\fR" /* When set to "yes", report the TLSRPT status only for "new" TLS /* sessions. +/* .IP "\fBtls_required_enable (yes)\fR" +/* Enable support for the "TLS-Required: no" message header, defined +/* in RFC 8689. /* .PP /* Available in Postfix version 3.10.5 and later: /* .IP "\fBsmtp_tls_enforce_sts_mx_patterns (yes)\fR" /* Transform the TLS policy from an STS policy plugin: connect to -/* an MX host only if its name matches the STS policy MX host pattern, +/* an MX host only if its name matches any STS policy MX host pattern, /* and match the server certificate against the MX hostname. -/* .PP -/* Available in Postfix version 3.11 and later: -/* .IP "\fBtls_required_enable (yes)\fR" -/* Enable support for the "TLS-Required: no" message header, defined -/* in RFC 8689. /* OBSOLETE STARTTLS CONTROLS /* .ad /* .fi diff --git a/postfix/src/smtp/smtp_connect.c b/postfix/src/smtp/smtp_connect.c index 7a93e638c..6354a8578 100644 --- a/postfix/src/smtp/smtp_connect.c +++ b/postfix/src/smtp/smtp_connect.c @@ -1125,7 +1125,7 @@ static void smtp_connect_inet(SMTP_STATE *state, const char *nexthop, /* XXX Assume there is no code at the end of this loop. */ } /* Skip MX hosts that lack authorization. */ - if (!smtp_tls_authorize_mx_hostname(state->tls, addr->qname)) { + if (!smtp_tls_authorize_mx_hostname(state->tls, SMTP_HNAME(addr))) { continue; /* XXX Assume there is no code at the end of this loop. */ } 
diff --git a/postfix/src/smtp/smtp_tls_policy.c b/postfix/src/smtp/smtp_tls_policy.c index 76f38aa3e..73d1cd962 100644 --- a/postfix/src/smtp/smtp_tls_policy.c +++ b/postfix/src/smtp/smtp_tls_policy.c @@ -35,6 +35,11 @@ /* When any required table or DNS lookups fail, the TLS level /* is set to TLS_LEV_INVALID, the "why" argument is updated /* with the error reason and the result value is zero (false). +/* When var_smtp_tls_enf_sts_mx_pat is not null, and a policy plugin +/* specifies a policy_type "sts" plus one or more mx_host_pattern +/* instances, transform the policy as follows: allow only MX hosts +/* that match an mx_host_pattern instance, and match a server +/* certificate against the server hostname. /* /* smtp_tls_policy_dummy() initializes a trivial, non-cached, /* policy with TLS disabled.
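Review bot: in the smtp.8.html hunk, the "- Available in Postfix version 3.11 and later:" heading is deleted while the "tls_required_enable (yes)" entry it introduced is kept as context, so that parameter now appears under whatever version heading precedes smtp_tlsrpt_skip_reused_handshakes; unless that preceding heading is also 3.11, the generated page now understates the minimum version for tls_required_enable. If the intent is only to list the 3.10.5 parameter after the 3.11 one, keep both headings and move the "Available in Postfix version 3.10.5 and later:" block below the 3.11 block instead of dropping the 3.11 line.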
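Review bot: the smtp.8 man page hunk and the matching smtp.c comment hunk have the same problem as smtp.8.html: "+.IP \fBtls_required_enable (yes)\fR" is inserted directly after smtp_tlsrpt_skip_reused_handshakes, and the "-.PP" / "-Available in Postfix version 3.11 and later:" lines are removed, so tls_required_enable is no longer labelled as a 3.11 addition. Since the smtp.8 text mirrors the smtp.c comment block, the fix belongs in smtp.c: reinstate the 3.11 ".PP" heading before the tls_required_enable entry and place the 3.10.5 block after it.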
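Review bot: in the postconf.5 and postconf.proto hunks, the added paragraph "Without the above configuration settings for Postfix and STS plugins" refers to settings that the preceding text does not name as settings: the only requirements stated above it are smtp_tls_enforce_sts_mx_patterns itself and "an STS policy plugin has TLSRPT support enabled". Suggest spelling both out, for example "Without smtp_tls_enforce_sts_mx_patterns = yes, or without TLSRPT support enabled in the STS policy plugin, the old behavior stays in effect: ...". It would also help administrators to state why the stricter default matters: with the old behavior a server certificate is accepted if it matches any MX host pattern in the STS policy, not necessarily the pattern that authorized the MX host actually being connected to.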
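Review bot: in the smtp_connect.c hunk, the name passed to smtp_tls_authorize_mx_hostname() changes from "addr->qname" to "SMTP_HNAME(addr)" with no comment and no mention in the visible commit text. Because this is the name that is checked against the STS mx_host_pattern list, and the new behaviour also matches the server certificate against "the MX hostname", a one-line comment stating which name SMTP_HNAME() yields and confirming that the same name is used for both the pattern check and the later certificate match would make the authorization path auditable; if the two names can differ (for example after CNAME expansion), the pattern check and the certificate check would no longer agree on the host being authorized.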
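Review bot: in the smtp_tls_policy.c comment hunk, "When var_smtp_tls_enf_sts_mx_pat is not null" reads as a pointer test, but the parameter documented in the postconf hunks is a yes/no setting (default: yes); say "is true" or "is nonzero". The same comment says the certificate is matched "against the server hostname" while every other hunk says "the MX hostname"; use one term. Finally, the comment covers only the case of "one or more mx_host_pattern instances": state what happens when policy_type is "sts" but no mx_host_pattern is supplied (old behavior kept, or policy treated as invalid), since that is the case an operator will hit when a plugin forwards an incomplete policy.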