From: Wietse Venema Date: Sat, 29 Jun 2019 05:00:00 +0000 (-0500) Subject: postfix-3.4.6 X-Git-Tag: v3.4.6^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9d6c1c9ea166ce73386dc0c63d101ec092864dd1;p=thirdparty%2Fpostfix.git postfix-3.4.6 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index 9f9c0ab67..bf78705c3 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -24208,3 +24208,43 @@ Apologies for any names omitted. could exhaust LMTP server resources, resulting in two-second pauses between email deliveries. This problem was investigated by Juliana Rodrigueiro. File: smtp/smtp_connect.c. + +20190331 + + Documentation: tlsext_padding is not a tls_ssl_options + feature. File: proto/postconf.proto. + +20190401 + + Portability: added "#undef sun" to util/unix_dgram_connect.c. + +20190403 + + Bugfix (introduced: Postfix 2.3): a censoring filter broke + multiline Milter responses for header/body events. Problem + report by Andreas Thienemann. Files: util/printable.c, + util/stringops.h, smtpd/smtpd.c + + Bugfix (introduced: Postfix 3.3): "smtp_mx_address_limit = + 0" no longer meant 'unlimited'. Problem report by Luc Pardon. + File: smtp/smtp_addr.c. + +20190615 + + Documentation: updated the BUGS section in the smtp(8) manpage + about TLS connection reuse. File: smtp/smtp.c. + + Workaround for implementations that hang Postfix while + shutting down a TLS session, until Postfix times out. With + "tls_fast_shutdown_enable = yes" (the default), Postfix no + longer waits for the TLS peer to respond to a TLS 'close' + request. This is recommended with TLSv1.0 and later. Files: + global/mail_params.h, tls/tls_session.c, and documentation. + +20190621 + + Bugfix (introduced: Postfix 3.0): the code to reset Postfix + SMTP server command counts was not called after a HaProxy + handshake failure, causing stale numbers to be reported. + The command counts are now reset in the function that reports + the counts. File: smtpd/smtpd.c. 
diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index 6794f1d3c..63e8e5a5b 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES @@ -16,6 +16,16 @@ specifies the release date of a stable release or snapshot release. If you upgrade from Postfix 3.2 or earlier, read RELEASE_NOTES-3.3 before proceeding. +TLS Workaround for Postfix 3.4.6, 3.3.5, 3.2.10 and 3.1.13 +----------------------------------------------------------- + +This release introduces a workaround for implementations that hang +Postfix while shutting down a TLS session, until Postfix times out. +With "tls_fast_shutdown_enable = yes" (the default), Postfix no +longer waits for a remote TLS peer to respond to a TLS 'close' +request. This behavior is recommended with TLSv1.0 and later. Specify +"tls_fast_shutdown_enable = no" to get historical Postfix behavior. + License change --------------- diff --git a/postfix/conf/main.cf b/postfix/conf/main.cf index 7af8bdeea..9247ef7be 100644 --- a/postfix/conf/main.cf +++ b/postfix/conf/main.cf @@ -249,7 +249,7 @@ unknown_local_recipient_reject_code = 550 # # By default (mynetworks_style = subnet), Postfix "trusts" SMTP # clients in the same IP subnetworks as the local machine. -# On Linux, this does works correctly only with interfaces specified +# On Linux, this works correctly only with interfaces specified # with the "ifconfig" command. # # Specify "mynetworks_style = class" when Postfix should "trust" SMTP diff --git a/postfix/html/lmtp.8.html b/postfix/html/lmtp.8.html index e02d89807..1ab0d6795 100644 --- a/postfix/html/lmtp.8.html +++ b/postfix/html/lmtp.8.html 
@@ -120,9 +120,8 @@ SMTP(8) SMTP(8) ter is notified of bounces, protocol problems, and of other trouble. BUGS - SMTP and LMTP connection caching does not work with TLS. The necessary - support for TLS object passivation and re-activation does not exist - without closing the session, which defeats the purpose. + SMTP and LMTP connection reuse for TLS (without closing the SMTP or + LMTP connection) is not supported before Postfix 3.4. SMTP and LMTP connection caching assumes that SASL credentials are valid for all destinations that map onto the same IP address and TCP @@ -595,6 +594,12 @@ SMTP(8) SMTP(8) Optional name to send to the remote SMTP server in the TLS Server Name Indication (SNI) extension. + Introduced with Postfix 3.4.6, 3.3.5, 3.2.10, and 3.1.13: + + tls_fast_shutdown_enable (yes) + A workaround for implementations that hang Postfix while shuting + down a TLS session, until Postfix times out. + OBSOLETE STARTTLS CONTROLS The following configuration parameters exist for compatibility with Postfix versions before 2.3. Support for these will be removed in a diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 88b8b87bf..cba1fac35 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -18529,6 +18529,21 @@ encouraged to not change this setting.

This feature is available in Postfix 2.3 and later.

+ + +
tls_fast_shutdown_enable +(default: yes)
+ +

A workaround for implementations that hang Postfix while shuting +down a TLS session, until Postfix times out. With this enabled, +Postfix will not wait for the remote TLS peer to respond to a TLS +'close' notification. This behavior is recommended for TLSv1.0 and +later.

+ +

This feature was introduced with Postfix 3.4.6, 3.3.5, 3.2.10, +and 3.1.13.

+ +
tls_high_cipherlist @@ -18890,9 +18905,6 @@ SSL_CTX_set_options(3).
PRIORITIZE_CHACHA
Postfix ≥ 3.4. See SSL_CTX_set_options(3).
-
TLSEXT_PADDING
Postfix ≥ 3.4. See -SSL_CTX_set_options(3).
-

This feature is available in Postfix 2.11 and later.

diff --git a/postfix/html/smtp.8.html b/postfix/html/smtp.8.html index e02d89807..1ab0d6795 100644 --- a/postfix/html/smtp.8.html +++ b/postfix/html/smtp.8.html @@ -120,9 +120,8 @@ SMTP(8) SMTP(8) ter is notified of bounces, protocol problems, and of other trouble. BUGS - SMTP and LMTP connection caching does not work with TLS. The necessary - support for TLS object passivation and re-activation does not exist - without closing the session, which defeats the purpose. + SMTP and LMTP connection reuse for TLS (without closing the SMTP or + LMTP connection) is not supported before Postfix 3.4. SMTP and LMTP connection caching assumes that SASL credentials are valid for all destinations that map onto the same IP address and TCP @@ -595,6 +594,12 @@ SMTP(8) SMTP(8) Optional name to send to the remote SMTP server in the TLS Server Name Indication (SNI) extension. + Introduced with Postfix 3.4.6, 3.3.5, 3.2.10, and 3.1.13: + + tls_fast_shutdown_enable (yes) + A workaround for implementations that hang Postfix while shuting + down a TLS session, until Postfix times out. + OBSOLETE STARTTLS CONTROLS The following configuration parameters exist for compatibility with Postfix versions before 2.3. Support for these will be removed in a diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html index 191fe63b6..311c9b63e 100644 --- a/postfix/html/smtpd.8.html +++ b/postfix/html/smtpd.8.html @@ -589,6 +589,12 @@ SMTPD(8) SMTPD(8) clients via the TLS Server Name Indication (SNI) extension to the appropriate keys and certificate chains. + Introduced with Postfix 3.4.6, 3.3.5, 3.2.10, and 3.1.13: + + tls_fast_shutdown_enable (yes) + A workaround for implementations that hang Postfix while shuting + down a TLS session, until Postfix times out. + OBSOLETE STARTTLS CONTROLS The following configuration parameters exist for compatibility with Postfix versions before 2.3. Support for these will be removed in a 
diff --git a/postfix/html/tlsproxy.8.html b/postfix/html/tlsproxy.8.html index 25016ce57..ccd212bd0 100644 --- a/postfix/html/tlsproxy.8.html +++ b/postfix/html/tlsproxy.8.html @@ -337,6 +337,12 @@ TLSPROXY(8) TLSPROXY(8) usage policy by next-hop destination and by remote TLS server hostname. + Introduced with Postfix 3.4.6, 3.3.5, 3.2.10, and 3.1.13: + + tls_fast_shutdown_enable (yes) + A workaround for implementations that hang Postfix while shuting + down a TLS session, until Postfix times out. + OBSOLETE STARTTLS SUPPORT CONTROLS These parameters are supported for compatibility with smtpd(8) legacy parameters. diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index a97621d4d..fdf6b39d6 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -12930,6 +12930,15 @@ the default cipherlist for the SMTP server. You are strongly encouraged to not change this setting. .PP This feature is available in Postfix 2.3 and later. +.SH tls_fast_shutdown_enable (default: yes) +A workaround for implementations that hang Postfix while shuting +down a TLS session, until Postfix times out. With this enabled, +Postfix will not wait for the remote TLS peer to respond to a TLS +'close' notification. This behavior is recommended for TLSv1.0 and +later. +.PP +This feature was introduced with Postfix 3.4.6, 3.3.5, 3.2.10, +and 3.1.13. .SH tls_high_cipherlist (default: see "postconf \-d" output) The OpenSSL cipherlist for "high" grade ciphers. This defines the meaning of the "high" setting in smtpd_tls_ciphers, @@ -13221,10 +13230,6 @@ Postfix .IP "\fBPRIORITIZE_CHACHA\fR" Postfix >= 3.4. See SSL_CTX_\fBset_options\fR(3). .br -.IP "\fBTLSEXT_PADDING\fR" -Postfix >= 3.4. See -SSL_CTX_\fBset_options\fR(3). -.br .br .PP This feature is available in Postfix 2.11 and later. diff --git a/postfix/man/man8/smtp.8 b/postfix/man/man8/smtp.8 index ca81ebc48..5da1cbc49 100644 --- a/postfix/man/man8/smtp.8 +++ b/postfix/man/man8/smtp.8 
@@ -127,9 +127,8 @@ other trouble. .SH BUGS .ad .fi -SMTP and LMTP connection caching does not work with TLS. The necessary -support for TLS object passivation and re\-activation does not -exist without closing the session, which defeats the purpose. +SMTP and LMTP connection reuse for TLS (without closing the +SMTP or LMTP connection) is not supported before Postfix 3.4. SMTP and LMTP connection caching assumes that SASL credentials are valid for all destinations that map onto the same IP @@ -526,6 +525,11 @@ directly followed by a corresponding certificate chain. .IP "\fBsmtp_tls_servername (empty)\fR" Optional name to send to the remote SMTP server in the TLS Server Name Indication (SNI) extension. +.PP +Introduced with Postfix 3.4.6, 3.3.5, 3.2.10, and 3.1.13: +.IP "\fBtls_fast_shutdown_enable (yes)\fR" +A workaround for implementations that hang Postfix while shuting +down a TLS session, until Postfix times out. .SH "OBSOLETE STARTTLS CONTROLS" .na .nf diff --git a/postfix/man/man8/smtpd.8 b/postfix/man/man8/smtpd.8 index 1ea172fdf..49798ddf7 100644 --- a/postfix/man/man8/smtpd.8 +++ b/postfix/man/man8/smtpd.8 @@ -527,6 +527,11 @@ directly followed by a corresponding certificate chain. Optional lookup tables that map names received from remote SMTP clients via the TLS Server Name Indication (SNI) extension to the appropriate keys and certificate chains. +.PP +Introduced with Postfix 3.4.6, 3.3.5, 3.2.10, and 3.1.13: +.IP "\fBtls_fast_shutdown_enable (yes)\fR" +A workaround for implementations that hang Postfix while shuting +down a TLS session, until Postfix times out. .SH "OBSOLETE STARTTLS CONTROLS" .na .nf diff --git a/postfix/man/man8/tlsproxy.8 b/postfix/man/man8/tlsproxy.8 index 71a3e4e8d..0e6649653 100644 --- a/postfix/man/man8/tlsproxy.8 +++ b/postfix/man/man8/tlsproxy.8 
@@ -302,6 +302,11 @@ Enforcement mode: require that SMTP servers use TLS encryption. Optional lookup tables with the Postfix \fBtlsproxy\fR(8) client TLS usage policy by next\-hop destination and by remote TLS server hostname. +.PP +Introduced with Postfix 3.4.6, 3.3.5, 3.2.10, and 3.1.13: +.IP "\fBtls_fast_shutdown_enable (yes)\fR" +A workaround for implementations that hang Postfix while shuting +down a TLS session, until Postfix times out. .SH "OBSOLETE STARTTLS SUPPORT CONTROLS" .na .nf diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink index e2749fe9b..4d5817d2a 100755 --- a/postfix/mantools/postlink +++ b/postfix/mantools/postlink @@ -765,6 +765,7 @@ while (<>) { s;\btls_ssl_options\b;$&;g; s;\btls_dane_digest_agility\b;$&;g; s;\btls_dane_trust_anchor_digest_enable\b;$&;g; + s;\btls_fast_shutdown_enable\b;$&;g; s;\bfrozen_delivered_to\b;$&;g; s;\breset_owner_alias\b;$&;g; diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 77a1baff8..f29cdf6e3 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -16130,9 +16130,6 @@ SSL_CTX_set_options(3).
PRIORITIZE_CHACHA
Postfix ≥ 3.4. See SSL_CTX_set_options(3).
-
TLSEXT_PADDING
Postfix ≥ 3.4. See -SSL_CTX_set_options(3).
-

This feature is available in Postfix 2.11 and later.

@@ -16245,6 +16242,17 @@ support is via the tls_ssl_options parameter.

This feature is available in Postfix 3.0 and later.

+%PARAM tls_fast_shutdown_enable yes + +

A workaround for implementations that hang Postfix while shuting +down a TLS session, until Postfix times out. With this enabled, +Postfix will not wait for the remote TLS peer to respond to a TLS +'close' notification. This behavior is recommended for TLSv1.0 and +later.

+ +

This feature was introduced with Postfix 3.4.6, 3.3.5, 3.2.10, +and 3.1.13.

+ %PARAM default_delivery_status_filter

Optional filter to replace the delivery status code or explanatory
diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h
index 638daa15d..bb19360d0 100644
--- a/postfix/src/global/mail_params.h
+++ b/postfix/src/global/mail_params.h
@@ -3330,6 +3330,13 @@ extern char *var_tls_server_sni_maps;
 #define DEF_TLS_DANE_DIGESTS "sha512 sha256"
 extern char *var_tls_dane_digests;
+ /*
+ * The default is backwards-incompatible.
+ */
+#define VAR_TLS_FAST_SHUTDOWN "tls_fast_shutdown"
+#define DEF_TLS_FAST_SHUTDOWN 1
+extern bool var_tls_fast_shutdown;
+
 /*
 * Sendmail-style mail filter support.
 */
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index b7e58902e..2f1bc03a6 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,8 +20,8 @@
 * Patches change both the patchlevel and the release date. Snapshots have no
 * patchlevel; they change the release date only.
 */
-#define MAIL_RELEASE_DATE "20190330"
-#define MAIL_VERSION_NUMBER "3.4.5"
+#define MAIL_RELEASE_DATE "20190629"
+#define MAIL_VERSION_NUMBER "3.4.6"
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c
index 4e50699f8..d7db6fd19 100644
--- a/postfix/src/smtp/smtp.c
+++ b/postfix/src/smtp/smtp.c
@@ -109,9 +109,8 @@
 /* the postmaster is notified of bounces, protocol problems, and of
 /* other trouble.
 /* BUGS
-/* SMTP and LMTP connection caching does not work with TLS. The necessary
-/* support for TLS object passivation and re-activation does not
-/* exist without closing the session, which defeats the purpose.
+/* SMTP and LMTP connection reuse for TLS (without closing the
+/* SMTP or LMTP connection) is not supported before Postfix 3.4.
 /*
 /* SMTP and LMTP connection caching assumes that SASL credentials
 /* are valid for all destinations that map onto the same IP
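Review bot: The parameter is registered in the code as "tls_fast_shutdown" (`#define VAR_TLS_FAST_SHUTDOWN "tls_fast_shutdown"`), while every document touched by this commit — HISTORY, RELEASE_NOTES, postconf(5), smtp(8), smtpd(8), tlsproxy(8) and postconf.proto — calls it tls_fast_shutdown_enable. An administrator who follows the documentation and sets `tls_fast_shutdown_enable = no` to restore the historical behavior (waiting for the peer's close_notify) gets no effect, because the code only reads tls_fast_shutdown, and since the new default is the behavior change, the documented opt-out is the one that matters. One of the two names has to change; the least disruptive fix is `#define VAR_TLS_FAST_SHUTDOWN "tls_fast_shutdown_enable"` so the code matches the published name, with the 'tls_fast_shutdown = no' wording in the tls_session.c comment following suit. The "backwards-incompatible" note above the define would also read better if it said what is incompatible, e.g. `/* Default is yes: Postfix no longer waits for the peer's TLS close_notify. */`.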
@@ -496,6 +495,11 @@
 /* .IP "\fBsmtp_tls_servername (empty)\fR"
 /* Optional name to send to the remote SMTP server in the TLS Server
 /* Name Indication (SNI) extension.
+/* .PP
+/* Introduced with Postfix 3.4.6, 3.3.5, 3.2.10, and 3.1.13:
+/* .IP "\fBtls_fast_shutdown_enable (yes)\fR"
+/* A workaround for implementations that hang Postfix while shuting
+/* down a TLS session, until Postfix times out.
 /* OBSOLETE STARTTLS CONTROLS
 /* .ad
 /* .fi
diff --git a/postfix/src/smtp/smtp_addr.c b/postfix/src/smtp/smtp_addr.c
index f374adad5..2210ff7d8 100644
--- a/postfix/src/smtp/smtp_addr.c
+++ b/postfix/src/smtp/smtp_addr.c
@@ -623,7 +623,7 @@ DNS_RR *smtp_domain_addr(const char *name, DNS_RR **mxrr, int misc_flags,
 if (var_smtp_rand_addr)
 addr_list = dns_rr_shuffle(addr_list);
 addr_list = dns_rr_sort(addr_list, SMTP_COMPARE_ADDR(misc_flags));
- if (var_smtp_balance_inet_proto)
+ if (var_smtp_mxaddr_limit > 0 && var_smtp_balance_inet_proto)
 addr_list = smtp_balance_inet_proto(addr_list, misc_flags,
 var_smtp_mxaddr_limit);
 }
@@ -683,7 +683,7 @@ DNS_RR *smtp_host_addr(const char *host, int misc_flags, DSN_BUF *why)
 /* The following changes the order of equal-preference hosts. */
 if (inet_proto_info()->ai_family_list[1] != 0)
 addr_list = dns_rr_sort(addr_list, SMTP_COMPARE_ADDR(misc_flags));
- if (var_smtp_balance_inet_proto)
+ if (var_smtp_mxaddr_limit > 0 && var_smtp_balance_inet_proto)
 addr_list = smtp_balance_inet_proto(addr_list, misc_flags,
 var_smtp_mxaddr_limit);
 }
diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c
index f3e107072..8560dc9a9 100644
--- a/postfix/src/smtpd/smtpd.c
+++ b/postfix/src/smtpd/smtpd.c
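Review bot: The new `var_smtp_mxaddr_limit > 0` guard is what restores the "0 means unlimited" contract that the HISTORY entry says was lost in 3.3, yet nothing at the call site says so, and the identical guard is repeated verbatim in the smtp_host_addr() hunk just below. A one-line comment above each, `/* smtp_mx_address_limit = 0 means unlimited: nothing to balance. */`, or a single shared predicate such as `#define SMTP_HAS_MXADDR_LIMIT() (var_smtp_mxaddr_limit > 0)` used at both sites would keep the two from drifting apart again. Whether smtp_balance_inet_proto() itself must also tolerate a zero limit for any other caller is not answered by the diff, since that function is not visible here. Both enclosing functions, smtp_domain_addr() and smtp_host_addr(), start and end outside these hunks.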
@@ -493,6 +493,11 @@
 /* Optional lookup tables that map names received from remote SMTP
 /* clients via the TLS Server Name Indication (SNI) extension to the
 /* appropriate keys and certificate chains.
+/* .PP
+/* Introduced with Postfix 3.4.6, 3.3.5, 3.2.10, and 3.1.13:
+/* .IP "\fBtls_fast_shutdown_enable (yes)\fR"
+/* A workaround for implementations that hang Postfix while shuting
+/* down a TLS session, until Postfix times out.
 /* OBSOLETE STARTTLS CONTROLS
 /* .ad
 /* .fi
@@ -3528,6 +3533,11 @@ static int common_post_message_handling(SMTPD_STATE *state)
 int saved_err;
 const CLEANUP_STAT_DETAIL *detail;
+#define IS_SMTP_REJECT(s) \
+ (((s)[0] == '4' || (s)[0] == '5') \
+ && ISDIGIT((s)[1]) && ISDIGIT((s)[2]) \
+ && ((s)[3] == '\0' || (s)[3] == ' ' || (s)[3] == '-'))
+
 if (state->err == CLEANUP_STAT_OK
 && SMTPD_STAND_ALONE(state) == 0
 && (err = smtpd_check_eod(state)) != 0) {
@@ -3598,7 +3608,10 @@ static int common_post_message_handling(SMTPD_STATE *state)
 if (state->err == 0) {
 why = vstring_alloc(10);
 state->err = mail_stream_finish(state->dest, why);
- printable(STR(why), ' ');
+ if (IS_SMTP_REJECT(STR(why)))
+ printable_except(STR(why), ' ', "\r\n");
+ else
+ printable(STR(why), ' ');
 } else
 mail_stream_cleanup(state->dest);
 state->dest = 0;
@@ -3633,11 +3646,6 @@ static int common_post_message_handling(SMTPD_STATE *state)
 *
 * See also: qmqpd.c
 */
-#define IS_SMTP_REJECT(s) \
- (((s)[0] == '4' || (s)[0] == '5') \
- && ISDIGIT((s)[1]) && ISDIGIT((s)[2]) \
- && ((s)[3] == '\0' || (s)[3] == ' ' || (s)[3] == '-'))
-
 if (state->err == CLEANUP_STAT_OK) {
 state->error_count = 0;
 state->error_mask = 0;
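Review bot: `printable_except(STR(why), ' ', "\r\n")` lets raw line terminators from a Milter-supplied reply reach the client-facing reply text, and IS_SMTP_REJECT() validates only the first line of `why`, so the safety of this change rests on the reply writer (presumably smtpd_chat_reply(), not visible here) splitting the string and prefixing every continuation line with the three-digit code. The exception set is also per character, so a bare CR or a bare LF survives as well as a CRLF pair. Since none of that is stated at the call site, a comment would help the next reader: `/* Keep Milter multi-line reply structure; the reply writer must split and re-prefix every line. */`, and it could mention that the else branch deliberately keeps collapsing line breaks to spaces for non-reject text. common_post_message_handling() starts and ends outside these hunks.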
@@ -5412,15 +5420,6 @@ static void smtpd_proto(SMTPD_STATE *state)
 case 0:
- /*
- * Reset the per-command counters.
- */
- for (cmdp = smtpd_cmd_table; /* see below */ ; cmdp++) {
- cmdp->success_count = cmdp->total_count = 0;
- if (cmdp->name == 0)
- break;
- }
-
 /*
 * In TLS wrapper mode, turn on TLS using code that is shared with
 * the STARTTLS command. This code does not return when the handshake
@@ -5819,6 +5818,15 @@ static char *smtpd_format_cmd_stats(VSTRING *buf)
 break;
 }
+ /*
+ * Reset the per-command counters.
+ */
+ for (cmdp = smtpd_cmd_table; /* see below */ ; cmdp++) {
+ cmdp->success_count = cmdp->total_count = 0;
+ if (cmdp->name == 0)
+ break;
+ }
+
 /*
 * Log total numbers, so that logfile analyzers will see something even
 * if the above loop produced no output. When no commands were received
diff --git a/postfix/src/tls/Makefile.in b/postfix/src/tls/Makefile.in
index dabd6403c..fec7d4542 100644
--- a/postfix/src/tls/Makefile.in
+++ b/postfix/src/tls/Makefile.in
@@ -572,6 +572,7 @@ tls_server.o: tls_server.c
 tls_session.o: ../../include/argv.h
 tls_session.o: ../../include/check_arg.h
 tls_session.o: ../../include/dns.h
+tls_session.o: ../../include/mail_params.h
 tls_session.o: ../../include/msg.h
 tls_session.o: ../../include/myaddrinfo.h
 tls_session.o: ../../include/mymalloc.h
diff --git a/postfix/src/tls/tls_misc.c b/postfix/src/tls/tls_misc.c
index a28623af5..9fac44460 100644
--- a/postfix/src/tls/tls_misc.c
+++ b/postfix/src/tls/tls_misc.c
@@ -46,6 +46,8 @@
 /* char *var_tls_mgr_service;
 /* char *var_tls_tkt_cipher;
 /* char *var_openssl_path;
+/* char *var_tls_server_sni_maps;
+/* bool var_tls_fast_shutdown;
 /*
 /* TLS_APPL_STATE *tls_alloc_app_context(ssl_ctx, log_mask)
 /* SSL_CTX *ssl_ctx;
@@ -289,6 +291,7 @@ char *var_tls_mgr_service;
 char *var_tls_tkt_cipher;
 char *var_openssl_path;
 char *var_tls_server_sni_maps;
+bool var_tls_fast_shutdown;
 static MAPS *tls_server_sni_maps;
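Review bot: smtpd_format_cmd_stats() now zeroes every per-command counter as a side effect of formatting them, which neither its name nor its header advertises; any caller that formats the statistics twice within one session would silently get zeros the second time. The relocation itself is the right fix — resetting at the point of reporting is what guarantees that a HaProxy handshake failure can no longer report the previous session's numbers — but the function's header comment should say so: `/* Side effect: resets all per-command counters, so each report covers only the commands seen since the previous report. */`. The `/* see below */` marker carried over with the loop has no obvious referent in its new home; if it points at the `if (cmdp->name == 0) break;` sentinel test, say that instead. smtpd_format_cmd_stats() starts outside the hunk.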
@@ -625,6 +628,7 @@ void tls_param_init(void)
 VAR_TLS_BC_PKEY_FPRINT, DEF_TLS_BC_PKEY_FPRINT, &var_tls_bc_pkey_fprint,
 VAR_TLS_PREEMPT_CLIST, DEF_TLS_PREEMPT_CLIST, &var_tls_preempt_clist,
 VAR_TLS_MULTI_WILDCARD, DEF_TLS_MULTI_WILDCARD, &var_tls_multi_wildcard,
+ VAR_TLS_FAST_SHUTDOWN, DEF_TLS_FAST_SHUTDOWN, &var_tls_fast_shutdown,
 0,
 };
 static int init_done;
diff --git a/postfix/src/tls/tls_session.c b/postfix/src/tls/tls_session.c
index 112b89df0..3f6027fc4 100644
--- a/postfix/src/tls/tls_session.c
+++ b/postfix/src/tls/tls_session.c
@@ -71,6 +71,10 @@
 #include
 #include
+/* Global library. */
+
+#include
+
 /* TLS library. */
 #define TLS_INTERNAL
@@ -95,6 +99,18 @@ void tls_session_stop(TLS_APPL_STATE *unused_ctx, VSTREAM *stream, int timeou
 msg_panic("%s: stream has no active TLS context", myname);
 /*
+ * According to RFC 2246 (TLS 1.0), there is no requirement to wait for
+ * the peer's close-notify. If the application protocol provides
+ * sufficient session termination signaling, then there's no need to
+ * duplicate that at the TLS close-notify layer.
+ *
+ * https://tools.ietf.org/html/rfc2246#section-7.2.1
+ * https://tools.ietf.org/html/rfc4346#section-7.2.1
+ * https://tools.ietf.org/html/rfc5246#section-7.2.1
+ *
+ * Specify 'tls_fast_shutdown = no' to enable the historical behavior
+ * described below.
+ *
 * Perform SSL_shutdown() twice, as the first attempt will send out the
 * shutdown alert but it will not wait for the peer's shutdown alert.
 * Therefore, when we are the first party to send the alert, we must call
@@ -104,7 +120,7 @@ void tls_session_stop(TLS_APPL_STATE *unused_ctx, VSTREAM *stream, int timeou
 */
 if (!failure) {
 retval = tls_bio_shutdown(vstream_fileno(stream), timeout, TLScontext);
- if (retval == 0)
+ if (!var_tls_fast_shutdown && retval == 0)
 tls_bio_shutdown(vstream_fileno(stream), timeout, TLScontext);
 }
 tls_free_context(TLScontext);
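Review bot: The new comment tells the operator to specify 'tls_fast_shutdown = no', but the documentation added in this same commit names the parameter tls_fast_shutdown_enable; whichever name is kept, the comment and the manuals must agree, otherwise the one place in the code that describes the opt-out points at a setting that may not exist. The change itself is defensible: with `!var_tls_fast_shutdown && retval == 0` the second SSL_shutdown(), the one that waits for the peer's close_notify, is skipped by default, and the comment correctly ties that to the application protocol (presumably SMTP's QUIT/221 exchange) signaling the end of the session. It would be worth adding one sentence that the trade-off is that a missing peer close_notify becomes indistinguishable from a clean close, so this code must never be relied on to detect TLS-level truncation, e.g. `* Consequence: TLS-level truncation is no longer detected here; the application protocol must carry its own end-of-session signal.`. Note that the first tls_bio_shutdown() result is still only compared with 0, so a negative (error) return is silently ignored in both modes, as before; tls_session_stop() starts outside the hunk.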
diff --git a/postfix/src/tlsproxy/tlsproxy.c b/postfix/src/tlsproxy/tlsproxy.c
index 7339da6b9..9149c5c64 100644
--- a/postfix/src/tlsproxy/tlsproxy.c
+++ b/postfix/src/tlsproxy/tlsproxy.c
@@ -282,6 +282,11 @@
 /* Optional lookup tables with the Postfix \fBtlsproxy\fR(8) client TLS
 /* usage policy by next-hop destination and by remote TLS server
 /* hostname.
+/* .PP
+/* Introduced with Postfix 3.4.6, 3.3.5, 3.2.10, and 3.1.13:
+/* .IP "\fBtls_fast_shutdown_enable (yes)\fR"
+/* A workaround for implementations that hang Postfix while shuting
+/* down a TLS session, until Postfix times out.
 /* OBSOLETE STARTTLS SUPPORT CONTROLS
 /* .ad
 /* .fi
diff --git a/postfix/src/util/printable.c b/postfix/src/util/printable.c
index a37ff6306..6c148fd00 100644
--- a/postfix/src/util/printable.c
+++ b/postfix/src/util/printable.c
@@ -11,6 +11,11 @@
 /* char *printable(buffer, replacement)
 /* char *buffer;
 /* int replacement;
+/*
+/* char *printable_except(buffer, replacement, except)
+/* char *buffer;
+/* int replacement;
+/* const char *except;
 /* DESCRIPTION
 /* printable() replaces non-printable characters
 /* in its input with the given replacement.
@@ -24,6 +29,8 @@
 /* .IP replacement
 /* Replacement value for characters in \fIbuffer\fR that do not
 /* pass the ASCII isprint(3) test or that are not valid UTF8.
+/* .IP except
+/* Null-terminated sequence of non-replaced ASCII characters.
 /* LICENSE
 /* .ad
 /* .fi
@@ -33,12 +40,18 @@
 /* IBM T.J. Watson Research
 /* P.O. Box 704
 /* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
 /*--*/
 /* System library. */
 #include "sys_defs.h"
 #include
+#include
 /* Utility library. */
@@ -46,7 +59,20 @@ int util_utf8_enable = 0; +/* printable - binary compatibility */ + +#undef printable + +char *printable(char *, int); + char *printable(char *string, int replacement) +{ + return (printable_except(string, replacement, (char *) 0)); +} + +/* printable_except - pass through printable or other preserved characters */ + +char *printable_except(char *string, int replacement, const char *except) { unsigned char *cp; int ch; @@ -57,7 +83,7 @@ char *printable(char *string, int replacement) */ cp = (unsigned char *) string; while ((ch = *cp) != 0) { - if (ISASCII(ch) && ISPRINT(ch)) { + if (ISASCII(ch) && (ISPRINT(ch) || (except && strchr(except, ch)))) { /* ok */ } else if (util_utf8_enable && ch >= 194 && ch <= 254 && cp[1] >= 128 && cp[1] < 192) { diff --git a/postfix/src/util/stringops.h b/postfix/src/util/stringops.h index c227b8460..c54a5268b 100644 --- a/postfix/src/util/stringops.h +++ b/postfix/src/util/stringops.h @@ -20,7 +20,7 @@ * External interface. */ extern int util_utf8_enable; -extern char *printable(char *, int); +extern char *printable_except(char *, int, const char *); extern char *neuter(char *, const char *, int); extern char *lowercase(char *); extern char *casefoldx(int, VSTRING *, const char *, ssize_t); @@ -32,6 +32,9 @@ extern char *mystrtok(char **, const char *); extern char *mystrtokq(char **, const char *, const char *); extern char *translit(char *, const char *, const char *); +#define printable(string, replacement) \ + printable_except((string), (replacement), (char *) 0) + #ifndef HAVE_BASENAME #define basename postfix_basename extern char *basename(const char *); diff --git a/postfix/src/util/unix_dgram_connect.c b/postfix/src/util/unix_dgram_connect.c index b3492f731..83a035e76 100644 --- a/postfix/src/util/unix_dgram_connect.c +++ b/postfix/src/util/unix_dgram_connect.c 
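Review bot: In printable_except() the `except` test is reached only after `ISASCII(ch)` succeeds, so any non-ASCII byte placed in `except` is never honored, and `strchr(except, ch)` cannot match the terminator only because the enclosing `while ((ch = *cp) != 0)` guarantees ch is non-zero; neither fact is written down where a future edit could break it. Suggest a comment on the condition: `/* except is consulted for ASCII only; ch != 0 here, so strchr() never matches the NUL terminator. */`. The binary-compatibility stub would also benefit from saying who still links against the printable() symbol, since `#undef printable` followed by a fresh prototype looks like an accident without that note; the diff does not show the consumers. printable_except() continues past the end of this hunk.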
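Review bot: Replacing the `extern char *printable(char *, int);` declaration with a function-like macro means a caller that uses printable without a call — taking its address or passing it as a callback — no longer compiles, because the declaration is gone from the header even though printable.c still defines the function. If such uses are possible (the callers are not visible here), keep the extern declaration in the header above the `#define`, where the macro cannot expand it, so both the call form and the function-pointer form work. A short comment beside the macro, `/* printable.c keeps the real printable() symbol for binary compatibility. */`, would also explain the `#undef` in printable.c to the next reader.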
@@ -60,6 +60,7 @@ int unix_dgram_connect(const char *path, int block_mode) { const char myname[] = "unix_dgram_connect"; +#undef sun struct sockaddr_un sun; ssize_t path_len; int sock;