From: Wietse Z Venema
Date: Thu, 30 Oct 2025 05:00:00 +0000 (-0500)
Subject: postfix-3.11-20251030
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=800cda0de6baa503f2f318bae6b111209e2f37e5;p=thirdparty%2Fpostfix.git
postfix-3.11-20251030
---
diff --git a/postfix/HISTORY b/postfix/HISTORY
index bd3cd5d0b..e9017bb13 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -29710,12 +29710,12 @@ Apologies for any names omitted.
that have been renamed in the past, and that still provide
a backwards-compatible default value for their replacement.
The parameters deprecated by this change are:
- authorized_verp_clients, fallback_relay, lmtp_per_request_deadline,
+ authorized_verp_clients, fallback_relay, lmtp_per_record_deadline,
postscreen_blacklist_action, postscreen_dnsbl_ttl,
postscreen_dnsbl_whitelist_threshold,
postscreen_whitelist_interfaces,
smtpd_client_connection_limit_exceptions,
- smtp_per_request_deadline, tlsproxy_client_level,
+ smtp_per_record_deadline, tlsproxy_client_level,
tlsproxy_client_policy, virtual_maps. Files: mantools/postlink,
proto/DEPRECATION_README.html, postconf/postconf_unused.c.
@@ -29750,3 +29750,18 @@ Apologies for any names omitted.
tls_ffdhe_auto_groups parameters because doing this now
would make migration noisy. Files: proto/DEPRECATION_README.html,
proto/postconf.proto, postconf/postconf_unused.c.
+
+20251029
+
+ Cleanup: postconf(1) logged a few wrong deprecated parameter
+ names (Viktor Dukhovni). Sort the order of unused and
+ deprecated warnings to make test results predictable.
+ Files: proto/DEPRECATION_README.html, postconf/Makefile.in,
+ postconf/postconf_unused.c, postconf/test28.ref,
+ postconf/test29.ref, postconf/test2.ref, postconf/test57.ref,
+ postconf/test59.ref, postconf/test67.ref, postconf/test76.ref,
+ postconf/test77.ref, postconf/test78.ref, postconf/test79.ref.
+
+ Debugging: depending on OpenSSL build options, "posttls-finger
+ -L ssl-debug" will decode TLS handshake messages. Viktor
+ Dukhovni. File: posttls-finger/posttls-finger.c
diff --git a/postfix/README_FILES/DEPRECATION_README b/postfix/README_FILES/DEPRECATION_README
index eccc37f9e..d1729b24b 100644
--- a/postfix/README_FILES/DEPRECATION_README
+++ b/postfix/README_FILES/DEPRECATION_README
@@ -62,7 +62,7 @@ the "obsolete feature" name for a more detailed description.
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|fallback_relay | 3.11 | - |smtp_fallback_relay |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
- |lmtp_per_request_deadline | 3.11 | - |lmtp_per_request_deadline |
+ |lmtp_per_record_deadline | 3.11 | - |lmtp_per_request_deadline |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|postscreen_blacklist_action | 3.11 | - |postscreen_denylist_action |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
@@ -74,7 +74,9 @@ the "obsolete feature" name for a more detailed description.
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|smtpd_client_connection_limit_exceptions| 3.11 | - |smtpd_client_event_limit_exceptions |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
- |smtp_per_request_deadline | 3.11 | - |smtp_per_request_deadline |
+ |smtpd_per_record_deadline | 3.11 | - |smtpd_per_request_deadline |
+ |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ |smtp_per_record_deadline | 3.11 | - |smtp_per_request_deadline |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
|tlsproxy_client_level | 3.11 | - |tlsproxy_client_security_level |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
@@ -119,7 +121,7 @@ The postconf(1) command logs one or more of the following:
specify "smtpd_authorized_verp_clients"
* support for parameter "fallback_relay" will be removed; instead, specify
"smtp_fallback_relay"
- * support for parameter "lmtp_per_request_deadline" will be removed; instead,
+ * support for parameter "lmtp_per_record_deadline" will be removed; instead,
specify "lmtp_per_request_deadline"
* support for parameter "postscreen_blacklist_action" will be removed;
instead, specify "postscreen_denylist_action"
@@ -131,7 +133,7 @@ The postconf(1) command logs one or more of the following:
instead, specify "postscreen_allowlist_interfaces"
* support for parameter "smtpd_client_connection_limit_exceptions" will be
removed; instead, specify "smtpd_client_event_limit_exceptions"
- * support for parameter "smtp_per_request_deadline" will be removed; instead,
+ * support for parameter "smtp_per_record_deadline" will be removed; instead,
specify "smtp_per_request_deadline"
* support for parameter "tlsproxy_client_level" will be removed; instead,
specify "tlsproxy_client_security_level"
diff --git a/postfix/html/DEPRECATION_README.html b/postfix/html/DEPRECATION_README.html
index 3960f7b86..a5fec1f52 100644
--- a/postfix/html/DEPRECATION_README.html
+++ b/postfix/html/DEPRECATION_README.html
@@ -112,7 +112,7 @@ detailed description.
align="center"> 3.11 - |
smtp_fallback_relay |
- | lmtp_per_request_deadline |
+
| lmtp_per_record_deadline |
3.11 | - |
lmtp_per_request_deadline |
@@ -138,7 +138,11 @@ align="center"> 3.11 - |
|
smtpd_client_event_limit_exceptions |
- | smtp_per_request_deadline |
+
| smtpd_per_record_deadline |
+ 3.11 | - |
+smtpd_per_request_deadline |
+
+ | smtp_per_record_deadline |
3.11 | - |
smtp_per_request_deadline |
@@ -241,7 +245,7 @@ instead, specify "smtpd_
support for parameter "fallback_relay" will be removed; instead,
specify "smtp_fallback_relay"
- support for parameter "lmtp_per_request_deadline" will be
+ support for parameter "lmtp_per_record_deadline" will be
removed; instead, specify "lmtp_per_request_deadline"
support for parameter "postscreen_blacklist_action" will be
@@ -261,7 +265,7 @@ be removed; instead, specify "smtpd_client_event_limit_exceptions"
- support for parameter "smtp_per_request_deadline" will be
+ support for parameter "smtp_per_record_deadline" will be
removed; instead, specify "smtp_per_request_deadline"
support for parameter "tlsproxy_client_level" will be removed;
diff --git a/postfix/html/posttls-finger.1.html b/postfix/html/posttls-finger.1.html
index 4b713678d..d52b306fb 100644
--- a/postfix/html/posttls-finger.1.html
+++ b/postfix/html/posttls-finger.1.html
@@ -194,96 +194,97 @@ POSTTLS-FINGER(1) POSTTLS-FINGER(1)
ssl-debug
Turn on OpenSSL logging of the progress of the SSL hand-
- shake.
+ shake. This includes detailed output of decoded hand-
+ shake messages.
ssl-handshake-packet-dump
- Log hexadecimal packet dumps of the SSL handshake; for
+ Log hexadecimal packet dumps of the SSL handshake; for
experts only.
ssl-session-packet-dump
- Log hexadecimal packet dumps of the entire SSL session;
- only useful to those who can debug SSL protocol problems
+ Log hexadecimal packet dumps of the entire SSL session;
+ only useful to those who can debug SSL protocol problems
from hex dumps.
untrusted
- Logs trust chain verification problems. This is turned
- on automatically at security levels that use peer names
- signed by Certification Authorities to validate certifi-
- cates. So while this setting is recognized, you should
+ Logs trust chain verification problems. This is turned
+ on automatically at security levels that use peer names
+ signed by Certification Authorities to validate certifi-
+ cates. So while this setting is recognized, you should
never need to set it explicitly.
peercert
- This logs a one line summary of the remote SMTP server
+ This logs a one line summary of the remote SMTP server
certificate subject, issuer, and fingerprints.
certmatch
- This logs remote SMTP server certificate matching, show-
+ This logs remote SMTP server certificate matching, show-
ing the CN and each subjectAltName and which name
- matched. With DANE, logs matching of TLSA record
+ matched. With DANE, logs matching of TLSA record
trust-anchor and end-entity certificates.
- cache This logs session cache operations, showing whether ses-
- sion caching is effective with the remote SMTP server.
- Automatically used when reconnecting with the -r option;
+ cache This logs session cache operations, showing whether ses-
+ sion caching is effective with the remote SMTP server.
+ Automatically used when reconnecting with the -r option;
rarely needs to be set explicitly.
verbose
Enables verbose logging in the Postfix TLS driver;
includes all of peercert..cache and more.
- The default is routine,certmatch. After a reconnect, peercert,
+ The default is routine,certmatch. After a reconnect, peercert,
certmatch and verbose are automatically disabled while cache and
summary are enabled.
-m count (default: 5)
- When the -r delay option is specified, the -m option determines
- the maximum number of reconnect attempts to use with a server
- behind a load balancer, to see whether connection caching is
- likely to be effective for this destination. Some MTAs don't
- expose the underlying server identity in their EHLO response;
- with these servers there will never be more than 1 reconnection
+ When the -r delay option is specified, the -m option determines
+ the maximum number of reconnect attempts to use with a server
+ behind a load balancer, to see whether connection caching is
+ likely to be effective for this destination. Some MTAs don't
+ expose the underlying server identity in their EHLO response;
+ with these servers there will never be more than 1 reconnection
attempt.
-M insecure_mx_policy (default: dane)
- The TLS policy for MX hosts with "secure" TLSA records when the
- nexthop destination security level is dane, but the MX record
+ The TLS policy for MX hosts with "secure" TLSA records when the
+ nexthop destination security level is dane, but the MX record
was found via an "insecure" MX lookup. See the main.cf documen-
tation for smtp_tls_dane_insecure_mx_policy for details.
-o name=value
- Specify zero or more times to override the value of the main.cf
- parameter name with value. Possible use-cases include overrid-
- ing the values of TLS library parameters, or "myhostname" to
+ Specify zero or more times to override the value of the main.cf
+ parameter name with value. Possible use-cases include overrid-
+ ing the values of TLS library parameters, or "myhostname" to
configure the SMTP EHLO name sent to the remote server.
-p protocols (default: >=TLSv1)
- TLS protocols that posttls-finger(1) will exclude or include.
+ TLS protocols that posttls-finger(1) will exclude or include.
See smtp_tls_mandatory_protocols for details.
-P CApath/ (default: none)
- The OpenSSL CApath/ directory (indexed via c_rehash(1)) for
+ The OpenSSL CApath/ directory (indexed via c_rehash(1)) for
remote SMTP server certificate verification. By default no CAp-
ath is used and no public CAs are trusted.
-r delay
- With a cacheable TLS session, disconnect and reconnect after
+ With a cacheable TLS session, disconnect and reconnect after
delay seconds. Report whether the session is re-used. Retry if a
- new server is encountered, up to 5 times or as specified with
- the -m option. By default reconnection is disabled, specify a
+ new server is encountered, up to 5 times or as specified with
+ the -m option. By default reconnection is disabled, specify a
positive delay to enable this behavior.
-R Use SRV lookup instead of MX.
-s servername
- The server name to send with the TLS Server Name Indication
- (SNI) extension. When the server has DANE TLSA records, this
- parameter is ignored and the TLSA base domain is used instead.
- Otherwise, SNI is not used by default, but can be enabled by
+ The server name to send with the TLS Server Name Indication
+ (SNI) extension. When the server has DANE TLSA records, this
+ parameter is ignored and the TLSA base domain is used instead.
+ Otherwise, SNI is not used by default, but can be enabled by
specifying the desired value with this option.
- -S Disable SMTP; that is, connect to an LMTP server. The default
- port for LMTP over TCP is 24. Alternative ports can specified
- by appending ":servicename" or ":portnumber" to the destination
+ -S Disable SMTP; that is, connect to an LMTP server. The default
+ port for LMTP over TCP is 24. Alternative ports can specified
+ by appending ":servicename" or ":portnumber" to the destination
argument.
-t timeout (default: 30)
@@ -291,41 +292,41 @@ POSTTLS-FINGER(1) POSTTLS-FINGER(1)
reading the remote server's 220 banner.
-T timeout (default: 30)
- The SMTP/LMTP command timeout for EHLO/LHLO, STARTTLS and QUIT.
+ The SMTP/LMTP command timeout for EHLO/LHLO, STARTTLS and QUIT.
- -v Enable verbose Postfix logging. Specify more than once to
+ -v Enable verbose Postfix logging. Specify more than once to
increase the level of verbose logging.
- -w Enable outgoing TLS wrapper mode, or SUBMISSIONS/SMTPS support.
- This is typically provided on port 465 by servers that are com-
- patible with the SMTP-in-SSL protocol, rather than the STARTTLS
- protocol. The destination domain:port must of course provide
+ -w Enable outgoing TLS wrapper mode, or SUBMISSIONS/SMTPS support.
+ This is typically provided on port 465 by servers that are com-
+ patible with the SMTP-in-SSL protocol, rather than the STARTTLS
+ protocol. The destination domain:port must of course provide
such a service.
- -x Prefer RFC7250 non-X.509 raw public key (RPK) server creden-
- tials. By default only X.509 certificates are accepted. This
+ -x Prefer RFC7250 non-X.509 raw public key (RPK) server creden-
+ tials. By default only X.509 certificates are accepted. This
is analogous to setting smtp_tls_enable_rpk = yes in the smtp(8)
client. At the fingerprint security level, when raw public keys
- are enabled, only public key (and not certificate) fingerprints
- will be compared against the specified list of match arguments.
- Certificate fingerprints are fragile when raw public keys are
- solicited, the server may at some point in time start returning
+ are enabled, only public key (and not certificate) fingerprints
+ will be compared against the specified list of match arguments.
+ Certificate fingerprints are fragile when raw public keys are
+ solicited, the server may at some point in time start returning
only the public key.
- -X Enable tlsproxy(8) mode. This is an unsupported mode, for pro-
+ -X Enable tlsproxy(8) mode. This is an unsupported mode, for pro-
gram development only.
[inet:]domain[:port]
Connect via TCP to domain domain, port port. The default port is
- smtp (or 24 with LMTP). With SMTP an MX lookup is performed to
- resolve the domain to a host, unless the domain is enclosed in
- []. If you want to connect to a specific MX host, for instance
- mx1.example.com, specify [mx1.example.com] as the destination
+ smtp (or 24 with LMTP). With SMTP an MX lookup is performed to
+ resolve the domain to a host, unless the domain is enclosed in
+ []. If you want to connect to a specific MX host, for instance
+ mx1.example.com, specify [mx1.example.com] as the destination
and example.com as a match argument. When using DNS, the desti-
- nation domain is assumed fully qualified and no default domain
- or search suffixes are applied; you must use fully-qualified
- names or also enable native host lookups (these don't support
- dane or dane-only as no DNSSEC validation information is avail-
+ nation domain is assumed fully qualified and no default domain
+ or search suffixes are applied; you must use fully-qualified
+ names or also enable native host lookups (these don't support
+ dane or dane-only as no DNSSEC validation information is avail-
able via native lookups).
unix:pathname
@@ -334,8 +335,8 @@ POSTTLS-FINGER(1) POSTTLS-FINGER(1)
match ...
With no match arguments specified, certificate peername matching
uses the compiled-in default strategies for each security level.
- If you specify one or more arguments, these will be used as the
- list of certificate or public-key digests to match for the fin-
+ If you specify one or more arguments, these will be used as the
+ list of certificate or public-key digests to match for the fin-
gerprint level, or as the list of DNS names to match in the cer-
tificate at the verify and secure levels. If the security level
is dane, or dane-only the match names are ignored, and hostname,
diff --git a/postfix/man/man1/posttls-finger.1 b/postfix/man/man1/posttls-finger.1
index 3cba97253..ee8bd8a68 100644
--- a/postfix/man/man1/posttls-finger.1
+++ b/postfix/man/man1/posttls-finger.1
@@ -180,7 +180,8 @@ For experts only.
These synonymous values combine ssl\-expert with ssl\-session\-packet\-dump.
For experts only, and in most cases, use wireshark instead.
.IP "\fBssl\-debug\fR"
-Turn on OpenSSL logging of the progress of the SSL handshake.
+Turn on OpenSSL logging of the progress of the SSL handshake. This
+includes detailed output of decoded handshake messages.
.IP "\fBssl\-handshake\-packet\-dump\fR"
Log hexadecimal packet dumps of the SSL handshake; for experts only.
.IP "\fBssl\-session\-packet\-dump\fR"
diff --git a/postfix/proto/DEPRECATION_README.html b/postfix/proto/DEPRECATION_README.html
index e9d68ed7e..dad5fe86e 100644
--- a/postfix/proto/DEPRECATION_README.html
+++ b/postfix/proto/DEPRECATION_README.html
@@ -112,7 +112,7 @@ smtpd_authorized_verp_clients
align="center"> 3.11 - |
smtp_fallback_relay |
- | lmtp_per_request_deadline |
+
| lmtp_per_record_deadline |
3.11 | - |
lmtp_per_request_deadline |
@@ -138,7 +138,11 @@ postscreen_dnsbl_allowlist_threshold
smtpd_client_event_limit_exceptions |
- | smtp_per_request_deadline |
+
| smtpd_per_record_deadline |
+ 3.11 | - |
+smtpd_per_request_deadline |
+
+ | smtp_per_record_deadline |
3.11 | - |
smtp_per_request_deadline |
@@ -241,7 +245,7 @@ instead, specify "smtpd_authorized_verp_clients"
support for parameter "fallback_relay" will be removed; instead,
specify "smtp_fallback_relay"
- support for parameter "lmtp_per_request_deadline" will be
+ support for parameter "lmtp_per_record_deadline" will be
removed; instead, specify "lmtp_per_request_deadline"
support for parameter "postscreen_blacklist_action" will be
@@ -261,7 +265,7 @@ be removed; instead, specify "postscreen_allowlist_interfaces"
will be removed; instead, specify "smtpd_client_event_limit_exceptions"
- support for parameter "smtp_per_request_deadline" will be
+ support for parameter "smtp_per_record_deadline" will be
removed; instead, specify "smtp_per_request_deadline"
support for parameter "tlsproxy_client_level" will be removed;
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 9c379e9ea..ec7d136fa 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20251029"
+#define MAIL_RELEASE_DATE "20251030"
#define MAIL_VERSION_NUMBER "3.11"
#ifdef SNAPSHOT
diff --git a/postfix/src/postconf/Makefile.in b/postfix/src/postconf/Makefile.in
index f607792d7..5139e1c0b 100644
--- a/postfix/src/postconf/Makefile.in
+++ b/postfix/src/postconf/Makefile.in
@@ -1102,13 +1102,14 @@ test79: $(PROG) test79.ref
config_directory=. \
authorized_verp_clients=x \
fallback_relay=x \
- lmtp_per_request_deadline=x \
+ lmtp_per_record_deadline=x \
postscreen_blacklist_action=x \
postscreen_dnsbl_ttl=x \
postscreen_dnsbl_whitelist_threshold=x \
postscreen_whitelist_interfaces=x \
smtpd_client_connection_limit_exceptions=x \
- smtp_per_request_deadline=x \
+ smtpd_per_record_deadline=x \
+ smtp_per_record_deadline=x \
tlsproxy_client_level=x \
tlsproxy_client_policy=x \
virtual_maps=x \
@@ -1432,6 +1433,7 @@ postconf_unused.o: ../../include/mail_conf.h
postconf_unused.o: ../../include/mail_params.h
postconf_unused.o: ../../include/msg.h
postconf_unused.o: ../../include/myflock.h
+postconf_unused.o: ../../include/mymalloc.h
postconf_unused.o: ../../include/name_code.h
postconf_unused.o: ../../include/sys_defs.h
postconf_unused.o: ../../include/vbuf.h
diff --git a/postfix/src/postconf/postconf_unused.c b/postfix/src/postconf/postconf_unused.c
index c77c8b622..bf101119d 100644
--- a/postfix/src/postconf/postconf_unused.c
+++ b/postfix/src/postconf/postconf_unused.c
@@ -45,10 +45,12 @@
/* System library. */
#include
+#include
/* Utility library. */
#include
+#include
#include
#include
@@ -105,14 +107,15 @@ static const PCF_DEPR_PARAM_INFO pcf_depr_param_info[] = {
*/
"authorized_verp_clients", "specify \"smtpd_authorized_verp_clients\"",
"fallback_relay", "specify \"smtp_fallback_relay\"",
- "lmtp_per_request_deadline", "specify \"lmtp_per_request_deadline\"",
+ "lmtp_per_record_deadline", "specify \"lmtp_per_request_deadline\"",
"lmtp_tls_enforce_peername", "specify \"lmtp_tls_security_level\"",
"postscreen_blacklist_action", "specify \"postscreen_denylist_action\"",
"postscreen_dnsbl_ttl", "specify \"postscreen_dnsbl_max_ttl\"",
"postscreen_dnsbl_whitelist_threshold", "specify \"postscreen_dnsbl_allowlist_threshold\"",
"postscreen_whitelist_interfaces", "specify \"postscreen_allowlist_interfaces\"",
"smtpd_client_connection_limit_exceptions", "specify \"smtpd_client_event_limit_exceptions\"",
- "smtp_per_request_deadline", "specify \"smtp_per_request_deadline\"",
+ "smtpd_per_record_deadline", "specify \"smtpd_per_request_deadline\"",
+ "smtp_per_record_deadline", "specify \"smtp_per_request_deadline\"",
"smtp_tls_enforce_peername", "specify \"smtp_tls_security_level\"",
"tlsproxy_client_level", "specify \"tlsproxy_client_security_level\"",
"tlsproxy_client_policy", "specify \"tlsproxy_client_policy_maps\"",
@@ -133,6 +136,8 @@ static const PCF_DEPR_PARAM_INFO pcf_depr_param_info[] = {
static HTABLE *pcf_depr_param_table;
int pcf_found_deprecated;
+#define STR(x) vstring_str(x)
+
/* pcf_init_depr_params - initialize lookup table */
static void pcf_init_depr_params(void)
@@ -144,6 +149,16 @@ static void pcf_init_depr_params(void)
(void) htable_enter(pcf_depr_param_table, dp->name, (void *) dp);
}
+/* pcf_cmp_ht_key - qsort helper for ht_info pointer array */
+
+static int pcf_cmp_ht_key(const void *a, const void *b)
+{
+ HTABLE_INFO **ap = (HTABLE_INFO **) a;
+ HTABLE_INFO **bp = (HTABLE_INFO **) b;
+
+ return (strcmp(ap[0]->key, bp[0]->key));
+}
+
/* pcf_flag_unused_parameters - warn about unused parameters */
static void pcf_flag_unused_parameters(DICT *dict, const char *conf_name,
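Review bot: Both casts in pcf_cmp_ht_key discard the const qualifier that qsort() puts on its `const void *` arguments. The comparator only reads `key`, so the pointers can stay const-qualified: `HTABLE_INFO *const *ap = (HTABLE_INFO *const *) a;` and the same for `bp`. That keeps the helper clean under cast-qualifier warnings and makes it visible that the sort never writes through the array elements.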
@@ -154,6 +169,8 @@ static void pcf_flag_unused_parameters(DICT *dict, const char *conf_name,
const char *param_name;
const char *param_value;
int how;
+ HTABLE *flagged;
+ VSTRING *buf;
/*
* Sanity checks.
@@ -175,6 +192,8 @@ static void pcf_flag_unused_parameters(DICT *dict, const char *conf_name,
* anywhere, or that are deprecated. Show the warning message(s) after
* the end of the stdout output.
*/
+ flagged = htable_create(1);
+ buf = vstring_alloc(100);
for (how = DICT_SEQ_FUN_FIRST;
dict->sequence(dict, how, ¶m_name, ¶m_value) == 0;
how = DICT_SEQ_FUN_NEXT) {
@@ -186,17 +205,18 @@ static void pcf_flag_unused_parameters(DICT *dict, const char *conf_name,
if (PCF_PARAM_TABLE_LOCATE(pcf_param_table, param_name) == 0
&& (local_scope == 0
|| PCF_PARAM_TABLE_LOCATE(local_scope->valid_names, param_name) == 0)) {
- vstream_fflush(VSTREAM_OUT);
if ((dp = (const PCF_DEPR_PARAM_INFO *)
htable_find(pcf_depr_param_table, param_name)) != 0) {
- msg_warn("%s/%s: support for parameter %s has been removed;"
- " instead, %s", var_config_dir, conf_name,
- param_name, dp->alternative);
+ vstring_sprintf(buf, "%s/%s: support for parameter %s"
+ " has been removed; instead, %s",
+ var_config_dir, conf_name,
+ param_name, dp->alternative);
pcf_found_deprecated = 1;
} else {
- msg_warn("%s/%s: unused parameter: %s=%s",
- var_config_dir, conf_name, param_name, param_value);
+ vstring_sprintf(buf, "%s/%s: unused parameter: %s=%s",
+ var_config_dir, conf_name, param_name, param_value);
}
+ (void) htable_enter(flagged, param_name, mystrdup(STR(buf)));
}
/*
@@ -206,13 +226,32 @@ static void pcf_flag_unused_parameters(DICT *dict, const char *conf_name,
*/
else if ((dp = (const PCF_DEPR_PARAM_INFO *)
htable_find(pcf_depr_param_table, param_name)) != 0) {
- vstream_fflush(VSTREAM_OUT);
- msg_warn("%s/%s: support for parameter \"%s\" will be removed;"
- " instead, %s", var_config_dir, conf_name,
- param_name, dp->alternative);
+ vstring_sprintf(buf, "%s/%s: support for parameter \"%s\""
+ " will be removed; instead, %s",
+ var_config_dir, conf_name,
+ param_name, dp->alternative);
pcf_found_deprecated = 1;
+ (void) htable_enter(flagged, param_name, mystrdup(STR(buf)));
}
}
+
+ /*
+ * Log flagged parameters in sorted order, for predictable results.
+ */
+ if (flagged->used > 0) {
+ HTABLE_INFO **ht_info;
+ HTABLE_INFO **ht;
+
+ vstream_fflush(VSTREAM_OUT);
+ ht_info = htable_list(flagged);
+ qsort((void *) ht_info, flagged->used, sizeof(*ht_info),
+ pcf_cmp_ht_key);
+ for (ht = ht_info; *ht; ht++)
+ msg_warn("%s", (char *) ht[0]->value);
+ myfree(ht_info);
+ }
+ htable_free(flagged, myfree);
+ vstring_free(buf);
}
/* pcf_flag_unused_main_parameters - warn about unused parameters */
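Review bot: The comment above the sorted-logging block says less than the code and the updated reference files depend on. The order is by parameter name in strcmp() byte order, and it holds only within the one dict this call handles, because `flagged` is created and freed inside the function. I would word it as `Log flagged parameters sorted by name (strcmp order) within this dict, for predictable results.` A one-line comment next to `msg_warn("%s", ...)` would also help, stating that the stored text embeds parameter names and values read from the configuration file and must therefore stay an argument, never the format string. The function begins in an earlier hunk.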
diff --git a/postfix/src/postconf/test2.ref b/postfix/src/postconf/test2.ref
index 49af249a3..ff25b0bd8 100644
--- a/postfix/src/postconf/test2.ref
+++ b/postfix/src/postconf/test2.ref
@@ -1,3 +1,3 @@
config_directory = .
-./postconf: warning: ./main.cf: unused parameter: restriction_classes=foo bar
./postconf: warning: ./main.cf: unused parameter: foo=yes
+./postconf: warning: ./main.cf: unused parameter: restriction_classes=foo bar
diff --git a/postfix/src/postconf/test28.ref b/postfix/src/postconf/test28.ref
index 4e9373463..db80a8eeb 100644
--- a/postfix/src/postconf/test28.ref
+++ b/postfix/src/postconf/test28.ref
@@ -5,6 +5,6 @@ header_checks = ldap:hh
hh_domain = whatever
yy = aap
zz = $yy
+./postconf: warning: ./main.cf: unused parameter: aa_domain=whatever
./postconf: warning: ./main.cf: unused parameter: foo_domain=bar
./postconf: warning: ./main.cf: unused parameter: xx=proxy:ldap:foo
-./postconf: warning: ./main.cf: unused parameter: aa_domain=whatever
diff --git a/postfix/src/postconf/test29.ref b/postfix/src/postconf/test29.ref
index c3bbaecab..8f3732248 100644
--- a/postfix/src/postconf/test29.ref
+++ b/postfix/src/postconf/test29.ref
@@ -1,19 +1,19 @@
config_directory = .
-./postconf: warning: ./main.cf: unused parameter: pgsqlfoo_domain=bar
-./postconf: warning: ./main.cf: unused parameter: sqlitefoo_domain=bar
+./postconf: warning: ./main.cf: unused parameter: ldapfoo_domain=bar
+./postconf: warning: ./main.cf: unused parameter: ldapfoo_domainx=bar
./postconf: warning: ./main.cf: unused parameter: ldapxx=proxy:ldap:ldapfoo
-./postconf: warning: ./main.cf: unused parameter: mongodbfoo_domain=bar
-./postconf: warning: ./main.cf: unused parameter: sqlitexx=proxy:sqlite:sqlitefoo
-./postconf: warning: ./main.cf: unused parameter: mysqlfoo_domain=bar
-./postconf: warning: ./main.cf: unused parameter: sqlitefoo_domainx=bar
./postconf: warning: ./main.cf: unused parameter: memcachefoo_domain=bar
-./postconf: warning: ./main.cf: unused parameter: pgsqlfoo_domainx=bar
-./postconf: warning: ./main.cf: unused parameter: mongodbfoo_domainx=bar
-./postconf: warning: ./main.cf: unused parameter: ldapfoo_domainx=bar
-./postconf: warning: ./main.cf: unused parameter: ldapfoo_domain=bar
-./postconf: warning: ./main.cf: unused parameter: memcachexx=proxy:memcache:memcachefoo
./postconf: warning: ./main.cf: unused parameter: memcachefoo_domainx=bar
+./postconf: warning: ./main.cf: unused parameter: memcachexx=proxy:memcache:memcachefoo
+./postconf: warning: ./main.cf: unused parameter: mongodbfoo_domain=bar
+./postconf: warning: ./main.cf: unused parameter: mongodbfoo_domainx=bar
+./postconf: warning: ./main.cf: unused parameter: mongodbxx=proxy:mongodb:mongodbfoo
+./postconf: warning: ./main.cf: unused parameter: mysqlfoo_domain=bar
./postconf: warning: ./main.cf: unused parameter: mysqlfoo_domainx=bar
./postconf: warning: ./main.cf: unused parameter: mysqlxx=proxy:mysql:mysqlfoo
-./postconf: warning: ./main.cf: unused parameter: mongodbxx=proxy:mongodb:mongodbfoo
+./postconf: warning: ./main.cf: unused parameter: pgsqlfoo_domain=bar
+./postconf: warning: ./main.cf: unused parameter: pgsqlfoo_domainx=bar
./postconf: warning: ./main.cf: unused parameter: pgsqlxx=proxy:pgsql:pgsqlfoo
+./postconf: warning: ./main.cf: unused parameter: sqlitefoo_domain=bar
+./postconf: warning: ./main.cf: unused parameter: sqlitefoo_domainx=bar
+./postconf: warning: ./main.cf: unused parameter: sqlitexx=proxy:sqlite:sqlitefoo
diff --git a/postfix/src/postconf/test57.ref b/postfix/src/postconf/test57.ref
index 362fd167a..9bb13926e 100644
--- a/postfix/src/postconf/test57.ref
+++ b/postfix/src/postconf/test57.ref
@@ -6,5 +6,5 @@ config_directory = .
t1 = Postfix 2.11 compatible
x = x-value
y = y-value
-./postconf: warning: ./main.cf: unused parameter: t2=$t1
./postconf: warning: ./main.cf: unused parameter: foo=$bar$baz
+./postconf: warning: ./main.cf: unused parameter: t2=$t1
diff --git a/postfix/src/postconf/test59.ref b/postfix/src/postconf/test59.ref
index c5cb3f6a0..3a7e57f6a 100644
--- a/postfix/src/postconf/test59.ref
+++ b/postfix/src/postconf/test59.ref
@@ -6,5 +6,5 @@ bar inet - n n 0 0 other
-o {name2=value2a value2b}
arg1a arg1b {arg2a arg2b} {arg3a arg3b}
baz unix - n n 0 0 other
-./postconf: warning: ./master.cf: unused parameter: name2=value2a value2b
./postconf: warning: ./master.cf: unused parameter: name1=value1
+./postconf: warning: ./master.cf: unused parameter: name2=value2a value2b
diff --git a/postfix/src/postconf/test67.ref b/postfix/src/postconf/test67.ref
index 2014e9925..03def6f46 100644
--- a/postfix/src/postconf/test67.ref
+++ b/postfix/src/postconf/test67.ref
@@ -4,7 +4,7 @@ smtp inet n - n - - smtpd
smtp unix n - n - - smtp
-o test2_process_name=smtp
-o test2_service_name=smtp
-./postconf: warning: ./master.cf: unused parameter: test1_service_name=$service_name
./postconf: warning: ./master.cf: unused parameter: test1_process_name=$process_name
-./postconf: warning: ./master.cf: unused parameter: test2_service_name=$service_name
+./postconf: warning: ./master.cf: unused parameter: test1_service_name=$service_name
./postconf: warning: ./master.cf: unused parameter: test2_process_name=$process_name
+./postconf: warning: ./master.cf: unused parameter: test2_service_name=$service_name
diff --git a/postfix/src/postconf/test76.ref b/postfix/src/postconf/test76.ref
index 57b5aabfe..710d6841e 100644
--- a/postfix/src/postconf/test76.ref
+++ b/postfix/src/postconf/test76.ref
@@ -2,9 +2,9 @@ config_directory = .
disable_dns_lookups = no
lmtp_use_tls = no
smtpd_tls_dh1024_param_file = auto
+./postconf: warning: ./main.cf: support for parameter deleted-test-only has been removed; instead, do not specify
./postconf: warning: ./main.cf: support for parameter "disable_dns_lookups" will be removed; instead, specify "smtp_dns_support_level"
./postconf: warning: ./main.cf: support for parameter "lmtp_use_tls" will be removed; instead, specify "lmtp_tls_security_level"
./postconf: warning: ./main.cf: support for parameter "smtpd_tls_dh1024_param_file" will be removed; instead, do not specify (leave at default)
-./postconf: warning: ./main.cf: support for parameter deleted-test-only has been removed; instead, do not specify
./postconf: warning: ./master.cf: support for parameter "smtp_enforce_tls" will be removed; instead, specify "smtp_tls_security_level"
./postconf: warning: See https://www.postfix.org/DEPRECATION_README.html for details
diff --git a/postfix/src/postconf/test77.ref b/postfix/src/postconf/test77.ref
index c8f7f04a2..157322076 100644
--- a/postfix/src/postconf/test77.ref
+++ b/postfix/src/postconf/test77.ref
@@ -10,22 +10,22 @@ _proxy_debug_domain = whatever
_unionmap_debug_domain = whatever
config_directory = .
header_checks = ldap:_baseline debug:ldap:_debug ${_debug}:ldap:_debugvar proxy:debug:ldap:_proxy_debug debug:proxy:ldap:_debug_proxy pipemap:{debug:ldap:_pipemap_debug} debug:pipemap:{ldap:_debug_pipemap} unionmap:{debug:ldap:_unionmap_debug} debug:unionmap:{ldap:_debug_unionmap}
-./postconf: warning: ./main.cf: unused parameter: _unused_debug_pipemap_domain=whatever
-./postconf: warning: ./main.cf: unused parameter: _unused_pipemap_debug_domain=whatever
-./postconf: warning: ./main.cf: unused parameter: _unionmap_debug_foo=whatever
-./postconf: warning: ./main.cf: unused parameter: _unused_unionmap_debug_domain=whatever
-./postconf: warning: ./main.cf: unused parameter: _unused_baseline_domain=whatever
-./postconf: warning: ./main.cf: unused parameter: _debugvar_foo=whatever
-./postconf: warning: ./main.cf: unused parameter: _unused_tables=ldap:_unused_baseline debug:ldap:_unused_debug ${_debug}:ldap:_unused_debugvar proxy:debug:ldap:_unused_proxy_debug debug:proxy:ldap:_unused_debug_proxy pipemap:{debug:ldap:_unused_pipemap_debug} debug:pipemap:{ldap:_unused_debug_pipemap} unionmap:{debug:ldap:_unused_unionmap_debug} debug:unionmap:{ldap:_unused_debug_unionmap}
-./postconf: warning: ./main.cf: unused parameter: _debug_pipemap_foo=whatever
+./postconf: warning: ./main.cf: unused parameter: _baseline_foo=whatever
./postconf: warning: ./main.cf: unused parameter: _debug_foo=whatever
-./postconf: warning: ./main.cf: unused parameter: _pipemap_debug_foo=whatever
-./postconf: warning: ./main.cf: unused parameter: _unused_debug_domain=whatever
-./postconf: warning: ./main.cf: unused parameter: _unused_proxy_debug_domain=whatever
+./postconf: warning: ./main.cf: unused parameter: _debug_pipemap_foo=whatever
./postconf: warning: ./main.cf: unused parameter: _debug_proxy_foo=whatever
-./postconf: warning: ./main.cf: unused parameter: _unused_debugvar_domain=whatever
-./postconf: warning: ./main.cf: unused parameter: _unused_debug_unionmap_domain=whatever
-./postconf: warning: ./main.cf: unused parameter: _baseline_foo=whatever
-./postconf: warning: ./main.cf: unused parameter: _proxy_debug_foo=whatever
./postconf: warning: ./main.cf: unused parameter: _debug_unionmap_foo=whatever
+./postconf: warning: ./main.cf: unused parameter: _debugvar_foo=whatever
+./postconf: warning: ./main.cf: unused parameter: _pipemap_debug_foo=whatever
+./postconf: warning: ./main.cf: unused parameter: _proxy_debug_foo=whatever
+./postconf: warning: ./main.cf: unused parameter: _unionmap_debug_foo=whatever
+./postconf: warning: ./main.cf: unused parameter: _unused_baseline_domain=whatever
+./postconf: warning: ./main.cf: unused parameter: _unused_debug_domain=whatever
+./postconf: warning: ./main.cf: unused parameter: _unused_debug_pipemap_domain=whatever
./postconf: warning: ./main.cf: unused parameter: _unused_debug_proxy_domain=whatever
+./postconf: warning: ./main.cf: unused parameter: _unused_debug_unionmap_domain=whatever
+./postconf: warning: ./main.cf: unused parameter: _unused_debugvar_domain=whatever
+./postconf: warning: ./main.cf: unused parameter: _unused_pipemap_debug_domain=whatever
+./postconf: warning: ./main.cf: unused parameter: _unused_proxy_debug_domain=whatever
+./postconf: warning: ./main.cf: unused parameter: _unused_tables=ldap:_unused_baseline debug:ldap:_unused_debug ${_debug}:ldap:_unused_debugvar proxy:debug:ldap:_unused_proxy_debug debug:proxy:ldap:_unused_debug_proxy pipemap:{debug:ldap:_unused_pipemap_debug} debug:pipemap:{ldap:_unused_debug_pipemap} unionmap:{debug:ldap:_unused_unionmap_debug} debug:unionmap:{ldap:_unused_debug_unionmap}
+./postconf: warning: ./main.cf: unused parameter: _unused_unionmap_debug_domain=whatever
diff --git a/postfix/src/postconf/test78.ref b/postfix/src/postconf/test78.ref
index 47741a110..75b483d7f 100644
--- a/postfix/src/postconf/test78.ref
+++ b/postfix/src/postconf/test78.ref
@@ -1,8 +1,8 @@
config_directory = .
lmtp_tls_enforce_peername = yes
smtp_tls_enforce_peername = yes
-./postconf: warning: ./main.cf: support for parameter "smtp_tls_enforce_peername" will be removed; instead, specify "smtp_tls_security_level"
./postconf: warning: ./main.cf: support for parameter "lmtp_tls_enforce_peername" will be removed; instead, specify "lmtp_tls_security_level"
-./postconf: warning: ./master.cf: support for parameter "smtp_tls_enforce_peername" will be removed; instead, specify "smtp_tls_security_level"
+./postconf: warning: ./main.cf: support for parameter "smtp_tls_enforce_peername" will be removed; instead, specify "smtp_tls_security_level"
./postconf: warning: ./master.cf: support for parameter "lmtp_tls_enforce_peername" will be removed; instead, specify "lmtp_tls_security_level"
+./postconf: warning: ./master.cf: support for parameter "smtp_tls_enforce_peername" will be removed; instead, specify "smtp_tls_security_level"
./postconf: warning: See https://www.postfix.org/DEPRECATION_README.html for details
diff --git a/postfix/src/postconf/test79.ref b/postfix/src/postconf/test79.ref
index a9fe23e3f..b5cfc8230 100644
--- a/postfix/src/postconf/test79.ref
+++ b/postfix/src/postconf/test79.ref
@@ -2,31 +2,33 @@ authorized_verp_clients = x
config_directory = .
fallback_relay = x
lmtp_cname_overrides_servername = x
-lmtp_per_request_deadline = x
+lmtp_per_record_deadline = x
postscreen_blacklist_action = x
postscreen_dnsbl_ttl = x
postscreen_dnsbl_whitelist_threshold = x
postscreen_whitelist_interfaces = x
smtp_cname_overrides_servername = x
-smtp_per_request_deadline = x
+smtp_per_record_deadline = x
smtpd_client_connection_limit_exceptions = x
+smtpd_per_record_deadline = x
tlsproxy_client_level = x
tlsproxy_client_policy = x
virtual_maps = x
-./postconf: warning: ./main.cf: support for parameter "lmtp_per_request_deadline" will be removed; instead, specify "lmtp_per_request_deadline"
-./postconf: warning: ./main.cf: support for parameter "tlsproxy_client_policy" will be removed; instead, specify "tlsproxy_client_policy_maps"
-./postconf: warning: ./main.cf: support for parameter "virtual_maps" will be removed; instead, specify "virtual_alias_maps"
./postconf: warning: ./main.cf: support for parameter "authorized_verp_clients" will be removed; instead, specify "smtpd_authorized_verp_clients"
-./postconf: warning: ./main.cf: support for parameter "tlsproxy_client_level" will be removed; instead, specify "tlsproxy_client_security_level"
-./postconf: warning: ./main.cf: support for parameter "smtpd_client_connection_limit_exceptions" will be removed; instead, specify "smtpd_client_event_limit_exceptions"
-./postconf: warning: ./main.cf: support for parameter "postscreen_whitelist_interfaces" will be removed; instead, specify "postscreen_allowlist_interfaces"
./postconf: warning: ./main.cf: support for parameter "fallback_relay" will be removed; instead, specify "smtp_fallback_relay"
-./postconf: warning: ./main.cf: support for parameter "postscreen_dnsbl_ttl" will be removed; instead, specify "postscreen_dnsbl_max_ttl"
./postconf: warning: ./main.cf: support for parameter "lmtp_cname_overrides_servername" will be removed; instead, do not specify
-./postconf: warning: ./main.cf: support for parameter "smtp_cname_overrides_servername" will be removed; instead, do not specify
-./postconf: warning: ./main.cf: support for parameter "postscreen_dnsbl_whitelist_threshold" will be removed; instead, specify "postscreen_dnsbl_allowlist_threshold"
+./postconf: warning: ./main.cf: support for parameter "lmtp_per_record_deadline" will be removed; instead, specify "lmtp_per_request_deadline"
./postconf: warning: ./main.cf: support for parameter "postscreen_blacklist_action" will be removed; instead, specify "postscreen_denylist_action"
-./postconf: warning: ./main.cf: support for parameter "smtp_per_request_deadline" will be removed; instead, specify "smtp_per_request_deadline"
-./postconf: warning: ./master.cf: support for parameter "smtp_tls_enforce_peername" will be removed; instead, specify "smtp_tls_security_level"
+./postconf: warning: ./main.cf: support for parameter "postscreen_dnsbl_ttl" will be removed; instead, specify "postscreen_dnsbl_max_ttl"
+./postconf: warning: ./main.cf: support for parameter "postscreen_dnsbl_whitelist_threshold" will be removed; instead, specify "postscreen_dnsbl_allowlist_threshold"
+./postconf: warning: ./main.cf: support for parameter "postscreen_whitelist_interfaces" will be removed; instead, specify "postscreen_allowlist_interfaces"
+./postconf: warning: ./main.cf: support for parameter "smtp_cname_overrides_servername" will be removed; instead, do not specify
+./postconf: warning: ./main.cf: support for parameter "smtp_per_record_deadline" will be removed; instead, specify "smtp_per_request_deadline"
+./postconf: warning: ./main.cf: support for parameter "smtpd_client_connection_limit_exceptions" will be removed; instead, specify "smtpd_client_event_limit_exceptions"
+./postconf: warning: ./main.cf: support for parameter "smtpd_per_record_deadline" will be removed; instead, specify "smtpd_per_request_deadline"
+./postconf: warning: ./main.cf: support for parameter "tlsproxy_client_level" will be removed; instead, specify "tlsproxy_client_security_level"
+./postconf: warning: ./main.cf: support for parameter "tlsproxy_client_policy" will be removed; instead, specify "tlsproxy_client_policy_maps"
+./postconf: warning: ./main.cf: support for parameter "virtual_maps" will be removed; instead, specify "virtual_alias_maps"
./postconf: warning: ./master.cf: support for parameter "lmtp_tls_enforce_peername" will be removed; instead, specify "lmtp_tls_security_level"
+./postconf: warning: ./master.cf: support for parameter "smtp_tls_enforce_peername" will be removed; instead, specify "smtp_tls_security_level"
./postconf: warning: See https://www.postfix.org/DEPRECATION_README.html for details
diff --git a/postfix/src/posttls-finger/posttls-finger.c b/postfix/src/posttls-finger/posttls-finger.c
index 38c2eae31..25f420bf2 100644
--- a/postfix/src/posttls-finger/posttls-finger.c
+++ b/postfix/src/posttls-finger/posttls-finger.c
@@ -174,7 +174,8 @@
/* These synonymous values combine ssl-expert with ssl-session-packet-dump.
/* For experts only, and in most cases, use wireshark instead.
/* .IP "\fBssl-debug\fR"
-/* Turn on OpenSSL logging of the progress of the SSL handshake.
+/* Turn on OpenSSL logging of the progress of the SSL handshake. This
+/* includes detailed output of decoded handshake messages.
/* .IP "\fBssl-handshake-packet-dump\fR"
/* Log hexadecimal packet dumps of the SSL handshake; for experts only.
/* .IP "\fBssl-session-packet-dump\fR"
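Review bot: The added manual text promises decoded handshake messages unconditionally, but the callback that produces them is compiled only under `#ifndef OPENSSL_NO_SSL_TRACE` later in this patch. With an OpenSSL build that defines that macro, `-L ssl-debug` would presumably give only the older progress logging, which someone reading the manual would not expect. I would word the second added line as `/* includes decoded handshake messages when OpenSSL was built with SSL trace support.`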
@@ -1868,6 +1869,22 @@ static void usage(void)
exit(1);
}
+
+#ifndef OPENSSL_NO_SSL_TRACE
+static void ssl_trace(int write_p, int version, int content_type,
+ const void *buf, size_t msglen, SSL *ssl, void *arg)
+{
+ BIO *out = (BIO *) arg;
+
+ /* Avoid mixing BIO and vstream/stdio buffers */
+ vstream_fflush(VSTREAM_OUT);
+ SSL_trace(write_p, version, content_type, buf, msglen, ssl, out);
+ (void) BIO_flush(out);
+}
+
+#endif
+
+
/* tls_init - initialize application TLS library context */
static void tls_init(STATE *state)
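Review bot: `ssl_trace()` is added without the `/* name - purpose */` header comment that this file puts above its functions, as on `tls_init` directly below. I would add `/* ssl_trace - decode TLS protocol messages to the BIO passed as callback argument */` above the `static void ssl_trace(` line. The inline comment explains the `vstream_fflush()` call; it could also say that `BIO_flush()` is there for the same reason in the other direction, so that trace lines stay in order with later VSTREAM_OUT output.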
@@ -1895,6 +1912,13 @@ static void tls_init(STATE *state)
CAfile = state->CAfile,
CApath = state->CApath,
mdalg = state->mdalg);
+#ifndef OPENSSL_NO_SSL_TRACE
+ if (state->tls_ctx != 0
+ && (state->log_mask & TLS_LOG_DEBUG)) {
+ SSL_CTX_set_msg_callback(state->tls_ctx->ssl_ctx, ssl_trace);
+ SSL_CTX_set_msg_callback_arg(state->tls_ctx->ssl_ctx, state->tls_bio);
+ }
+#endif
#endif
}
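Review bot: The message callback is registered with `state->tls_bio` as its argument without checking that the BIO exists. `BIO_new_fp()` in `main()` (the hunk at line 2272) can return a null pointer and its result is not tested there, and `ssl_trace()` passes `arg` straight to `SSL_trace()` and `BIO_flush()`. Adding the BIO to the condition keeps the trace optional instead of depending on how OpenSSL treats a null BIO: `if (state->tls_ctx != 0 && state->tls_bio != 0 && (state->log_mask & TLS_LOG_DEBUG)) {`. The body of tls_init starts outside this hunk.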
@@ -2248,6 +2272,7 @@ int main(int argc, char *argv[])
warn_compat_break_smtp_tls_fpt_dgst = 0;
else
state.mdalg = mystrdup(var_smtp_tls_fpt_dgst);
+ state.tls_bio = BIO_new_fp(stdout, BIO_NOCLOSE);
/*
* We first call tls_init(), which ultimately calls SSL_library_init(),
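Review bot: `state.tls_bio` is now allocated on every run, where the lines removed in the next hunk left it null unless `state.print_trust` was set. Any code outside these hunks that tests `state.tls_bio` to decide whether to print trust-chain output, or that frees it, should be checked against the new invariant; those uses are not visible here. If the unconditional allocation is intended, a short comment above the assignment such as `/* Used by print_trust output and by the ssl-debug message trace. */` would record why. The body of main starts and ends outside this hunk.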
@@ -2259,9 +2284,6 @@ int main(int argc, char *argv[])
msg_warn("DANE TLS support is not available, resorting to \"secure\"");
state.level = TLS_LEV_SECURE;
}
- state.tls_bio = 0;
- if (state.print_trust)
- state.tls_bio = BIO_new_fp(stdout, BIO_NOCLOSE);
#endif
/* Enforce consistent operation of different Postfix parts. */