From: Wietse Venema Date: Tue, 23 Nov 2010 05:00:00 +0000 (-0500) Subject: postfix-2.5.11 X-Git-Tag: v2.5.11^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b3ab42ccc0282130b93940e3f1bb3468eb8736ec;p=thirdparty%2Fpostfix.git postfix-2.5.11 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index aed5d77aa..6ded39d8e 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -14571,3 +14571,42 @@ Apologies for any names omitted. 2821 (and 5321) is vague about the VRFY request format, but spends lots of text on the reply format. File: smtpd/smtpd.c. +20100610 + + Bugfix (introduced Postfix 2.2): Postfix no longer appends + the system default CA certificates to the lists specified + with *_tls_CAfile or with *_tls_CApath. This prevents + third-party certificates from getting mail relay permission + with the permit_tls_all_clientcerts feature. Unfortunately + this may cause compatibility problems with configurations + that rely on certificate verification for other purposes. + To get the old behavior, specify "tls_append_default_CA = + yes". Files: tls/tls_certkey.c, tls/tls_misc.c, + global/mail_params.h. proto/postconf.proto, mantools/postlink. + +20100714 + + Compatibility with Postfix < 2.3: fix 20061207 was incomplete + (undoing the change to bounce instead of defer after + pipe-to-command delivery fails with a signal). Fix by Thomas + Arnett. File: global/pipe_command.c. + +20100827 + + Performance: fix for poor smtpd_proxy_filter TCP performance + over loopback (127.0.0.1) connections. Problem reported by + Mark Martinec. Files: smtpd/smtpd_proxy.c. + +20101023 + + Cleanup: don't apply reject_rhsbl_helo to non-domain forms + such as network addresses. This would cause false positives + with dbl.spamhaus.org. File: smtpd/smtpd_check.c. + +20101117 + + Bugfix: the "421" reply after Milter error was overruled + by Postfix 1.1 code that replied with "503" for RFC 2821 + compliance. We now make an exception for "final" replies, + as permitted by RFC. Solution by Victor Duchovni. File: + smtpd/smtpd.c. diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index 14fd19aa1..5c3aeb85f 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES @@ -11,6 +11,18 @@ instead, a new snapshot is released. The mail_release_date configuration parameter (format: yyyymmdd) specifies the release date of a stable release or snapshot release. +Incompatibility with Postfix 2.5.11 +=================================== + +Postfix no longer appends the system-supplied default CA certificates +to the lists specified with *_tls_CAfile or with *_tls_CApath. This +prevents third-party certificates from getting mail relay permission +with the permit_tls_all_clientcerts feature. + +Unfortunately this change may cause compatibility problems when +configurations rely on certificate verification for other purposes. +Specify "tls_append_default_CA = yes" for backwards compatibility. + Incompatibility with Postfix 2.5.3 ================================== diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 1796c89d8..b7eb3f8d2 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -8542,6 +8542,10 @@ during TLS startup and shutdown handshake procedures.

needed only when the CA certificate is not already present in the client certificate file.

+

Specify "tls_append_default_CA = no" to prevent Postfix from +appending the system-supplied default CAs and trusting third-party +certificates.

+

Example: 

@@ -8565,6 +8569,10 @@ with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
 
 To use this option in chroot mode, this directory (or a copy)
 must be inside the chroot jail. 

 
+
 Specify "tls_append_default_CA = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. 

+
 
 Example: 

 
 
@@ -10041,8 +10049,11 @@ authenticated via the RFC 4954
 
 Permit the request when the remote SMTP client certificate is
 verified successfully.  This option must be used only if a special
 CA issues the certificates and only this CA is listed as trusted
-CA, otherwise all clients with a recognized certificate would be
-allowed to relay. This feature is available with Postfix version 2.2.

+CA. Otherwise, clients with a third-party certificate would also
+be allowed to relay.  Specify "tls_append_default_CA = no" when the
+trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath,
+to prevent Postfix from appending the system-supplied default CAs.
+This feature is available with Postfix version 2.2.
 
 
permit_tls_clientcerts

 
@@ -11671,6 +11682,10 @@ server certificate file.  This file may also contain the CA
 certificates of other trusted CAs.  You must use this file for the
 list of trusted CAs if you want to use chroot-mode. 

 
+
 Specify "tls_append_default_CA = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. 

+
 
 Example: 

 
 
@@ -11697,6 +11712,10 @@ CA certificates are not offered to the client, so that e.g.  Netscape
 clients might not offer certificates issued by them.  Use of this
 feature is therefore not recommended. 

 
+
 Specify "tls_append_default_CA = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. 

+
 
 Example: 

 
 
@@ -12632,6 +12651,23 @@ while accessing the Postfix main.cf configuration
 

 
 
+
+
+
tls_append_default_CA
+(default: no)

+
+
 Append the system-supplied default certificate authority
+certificates to the ones specified with *_tls_CApath or *_tls_CAfile.
+The default is "no"; this prevents Postfix from trusting third-party
+certificates and giving them relay permission with
+permit_tls_all_clientcerts.  

+
+
 This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8,
+2.7.2 and later versions. Specify "tls_append_default_CA = yes" for
+backwards compatibility, to avoid breaking certificate verification
+with sites that don't use permit_tls_all_clientcerts. 

+
+
 

 
 
tls_daemon_random_bytes
diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5
index 922cdac1e..b227012be 100644
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@@ -4822,6 +4822,10 @@ The file with the certificate of the certification authority
 needed only when the CA certificate is not already present in the
 client certificate file.
 .PP
+Specify "tls_append_default_CA = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates.
+.PP
 Example:
 .PP
 .nf
@@ -4842,6 +4846,10 @@ with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
 To use this option in chroot mode, this directory (or a copy)
 must be inside the chroot jail.
 .PP
+Specify "tls_append_default_CA = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates.
+.PP
 Example:
 .PP
 .nf
@@ -6060,8 +6068,11 @@ authenticated via the RFC 4954 (AUTH) protocol.
 Permit the request when the remote SMTP client certificate is
 verified successfully.  This option must be used only if a special
 CA issues the certificates and only this CA is listed as trusted
-CA, otherwise all clients with a recognized certificate would be
-allowed to relay. This feature is available with Postfix version 2.2.
+CA. Otherwise, clients with a third-party certificate would also
+be allowed to relay.  Specify "tls_append_default_CA = no" when the
+trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath,
+to prevent Postfix from appending the system-supplied default CAs.
+This feature is available with Postfix version 2.2.
 .IP "\fBpermit_tls_clientcerts\fR"
 Permit the request when the remote SMTP client certificate
 fingerprint is listed in $relay_clientcerts.
@@ -7120,6 +7131,10 @@ server certificate file.  This file may also contain the CA
 certificates of other trusted CAs.  You must use this file for the
 list of trusted CAs if you want to use chroot-mode.
 .PP
+Specify "tls_append_default_CA = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates.
+.PP
 Example:
 .PP
 .nf
@@ -7144,6 +7159,10 @@ CA certificates are not offered to the client, so that e.g.  Netscape
 clients might not offer certificates issued by them.  Use of this
 feature is therefore not recommended.
 .PP
+Specify "tls_append_default_CA = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates.
+.PP
 Example:
 .PP
 .nf
@@ -7842,6 +7861,17 @@ a Postfix process has completed initialization. Errors during
 process initialization will be logged with the default name. Examples
 are errors while parsing the command line arguments, and errors
 while accessing the Postfix main.cf configuration file.
+.SH tls_append_default_CA (default: no)
+Append the system-supplied default certificate authority
+certificates to the ones specified with *_tls_CApath or *_tls_CAfile.
+The default is "no"; this prevents Postfix from trusting third-party
+certificates and giving them relay permission with
+permit_tls_all_clientcerts.
+.PP
+This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8,
+2.7.2 and later versions. Specify "tls_append_default_CA = yes" for
+backwards compatibility, to avoid breaking certificate verification
+with sites that don't use permit_tls_all_clientcerts.
 .SH tls_daemon_random_bytes (default: 32)
 The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8)
 process requests from the \fBtlsmgr\fR(8) server in order to seed its
diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink
index 5e76394a6..8c9b0462e 100755
--- a/postfix/mantools/postlink
+++ b/postfix/mantools/postlink
@@ -630,6 +630,7 @@ while (<>) {
     s;\btls_low_cipherlist\b;$&;g;
     s;\btls_export_cipherlist\b;$&;g;
     s;\btls_null_cipherlist\b;$&;g;
+    s;\btls_append_default_CA\b;$&;g;
  
     s;\bfrozen_delivered_to\b;$&;g;
 
diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto
index d2ce35d79..5d9c20b9b 100644
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@@ -4739,8 +4739,11 @@ authenticated via the RFC 4954 (AUTH) protocol. 
 
 Permit the request when the remote SMTP client certificate is
 verified successfully.  This option must be used only if a special
 CA issues the certificates and only this CA is listed as trusted
-CA, otherwise all clients with a recognized certificate would be
-allowed to relay. This feature is available with Postfix version 2.2.

+CA. Otherwise, clients with a third-party certificate would also
+be allowed to relay.  Specify "tls_append_default_CA = no" when the
+trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath,
+to prevent Postfix from appending the system-supplied default CAs.
+This feature is available with Postfix version 2.2.
 
 
permit_tls_clientcerts

 
@@ -8390,6 +8393,10 @@ server certificate file.  This file may also contain the CA
 certificates of other trusted CAs.  You must use this file for the
 list of trusted CAs if you want to use chroot-mode. 

 
+
 Specify "tls_append_default_CA = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. 

+
 
 Example: 

 
 
@@ -8412,6 +8419,10 @@ CA certificates are not offered to the client, so that e.g.  Netscape
 clients might not offer certificates issued by them.  Use of this
 feature is therefore not recommended. 

 
+
 Specify "tls_append_default_CA = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. 

+
 
 Example: 

 
 
@@ -8761,6 +8772,10 @@ smtp_tls_key_file = $smtp_tls_cert_file
 needed only when the CA certificate is not already present in the
 client certificate file.  

 
+
 Specify "tls_append_default_CA = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. 

+
 
 Example: 

 
 
@@ -8780,6 +8795,10 @@ with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
 
 To use this option in chroot mode, this directory (or a copy) 
 must be inside the chroot jail. 

 
+
 Specify "tls_append_default_CA = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. 

+
 
 Example: 

 
 
@@ -9067,6 +9086,19 @@ smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
 
 
 This feature is available in Postfix 2.2 and later.  

 
+%PARAM tls_append_default_CA no
+
+
 Append the system-supplied default certificate authority
+certificates to the ones specified with *_tls_CApath or *_tls_CAfile.
+The default is "no"; this prevents Postfix from trusting third-party
+certificates and giving them relay permission with
+permit_tls_all_clientcerts.  

+
+
 This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8,
+2.7.2 and later versions. Specify "tls_append_default_CA = yes" for
+backwards compatibility, to avoid breaking certificate verification
+with sites that don't use permit_tls_all_clientcerts. 

+
 %PARAM tls_random_exchange_name see "postconf -d" output
 
 
 Name of the pseudo random number generator (PRNG) state file
diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h
index 0702df170..c64ed1f99 100644
--- a/postfix/src/global/mail_params.h
+++ b/postfix/src/global/mail_params.h
@@ -607,6 +607,10 @@ extern bool var_stat_home_dir;
 #define DEF_DUP_FILTER_LIMIT	1000
 extern int var_dup_filter_limit;
 
+#define VAR_TLS_APPEND_DEF_CA	"tls_append_default_CA"
+#define DEF_TLS_APPEND_DEF_CA	0	/* Postfix < 2.8 BC break */
+extern bool var_tls_append_def_CA;
+
 #define VAR_TLS_RAND_EXCH_NAME	"tls_random_exchange_name"
 #define DEF_TLS_RAND_EXCH_NAME	"${data_directory}/prng_exch"
 extern char *var_tls_rand_exch_name;
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index aa9bd93f3..ca3776258 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20100322"
-#define MAIL_VERSION_NUMBER	"2.5.10"
+#define MAIL_RELEASE_DATE	"20101123"
+#define MAIL_VERSION_NUMBER	"2.5.11"
 
 #ifdef SNAPSHOT
 # define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE
diff --git a/postfix/src/global/pipe_command.c b/postfix/src/global/pipe_command.c
index ce3bad0a9..6cd4100ed 100644
--- a/postfix/src/global/pipe_command.c
+++ b/postfix/src/global/pipe_command.c
@@ -628,7 +628,7 @@ int     pipe_command(VSTREAM *src, DSN_BUF *why,...)
 	 */
 	if (!NORMAL_EXIT_STATUS(wait_status)) {
 	    if (WIFSIGNALED(wait_status)) {
-		dsb_unix(why, "5.3.0", log_len ?
+		dsb_unix(why, "4.3.0", log_len ?
 			 log_buf : sys_exits_detail(EX_SOFTWARE)->text,
 			 "Command died with signal %d: \"%s\"%s%s",
 			 WTERMSIG(wait_status), args.command,
diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c
index 29457f13c..a376e06a5 100644
--- a/postfix/src/smtpd/smtpd.c
+++ b/postfix/src/smtpd/smtpd.c
@@ -4221,6 +4221,11 @@ static void smtpd_proto(SMTPD_STATE *state)
 	    }
 	    /* XXX We use the real client for connect access control. */
 	    if (state->access_denied && cmdp->action != quit_cmd) {
+		/* XXX Exception for Milter override. */
+		if (strncmp(state->access_denied + 1, "21", 2) == 0) {
+		    smtpd_chat_reply(state, "%s", state->access_denied);
+		    continue;
+		}
 		smtpd_chat_reply(state, "503 5.7.0 Error: access denied for %s",
 				 state->namaddr);	/* RFC 2821 Sec 3.1 */
 		state->error_count++;
diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c
index 0c7eceac6..d890054e0 100644
--- a/postfix/src/smtpd/smtpd_check.c
+++ b/postfix/src/smtpd/smtpd_check.c
@@ -3702,7 +3702,8 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
 			 name);
 	    else {
 		cpp += 1;
-		if (state->helo_name)
+		if (state->helo_name
+		    && valid_hostname(state->helo_name, DONT_GRIPE))
 		    status = reject_rbl_domain(state, *cpp, state->helo_name,
 					       SMTPD_NAME_HELO);
 	    }
diff --git a/postfix/src/smtpd/smtpd_proxy.c b/postfix/src/smtpd/smtpd_proxy.c
index cfefe7e3d..5c682439a 100644
--- a/postfix/src/smtpd/smtpd_proxy.c
+++ b/postfix/src/smtpd/smtpd_proxy.c
@@ -304,6 +304,9 @@ int     smtpd_proxy_open(SMTPD_STATE *state, const char *service,
     }
     state->proxy = vstream_fdopen(fd, O_RDWR);
     vstream_control(state->proxy, VSTREAM_CTL_PATH, service, VSTREAM_CTL_END);
+    /* Avoid poor performance when TCP MSS > VSTREAM_BUFSIZE. */
+    if (connect_fn == inet_connect)
+	vstream_tweak_tcp(state->proxy);
     smtp_timeout_setup(state->proxy, timeout);
 
     /*
diff --git a/postfix/src/tls/Makefile.in b/postfix/src/tls/Makefile.in
index 9ebaae1e4..80c3bcb33 100644
--- a/postfix/src/tls/Makefile.in
+++ b/postfix/src/tls/Makefile.in
@@ -101,6 +101,7 @@ tls_bio_ops.o: ../../include/vstring.h
 tls_bio_ops.o: tls.h
 tls_bio_ops.o: tls_bio_ops.c
 tls_certkey.o: ../../include/argv.h
+tls_certkey.o: ../../include/mail_params.h
 tls_certkey.o: ../../include/msg.h
 tls_certkey.o: ../../include/name_code.h
 tls_certkey.o: ../../include/name_mask.h
diff --git a/postfix/src/tls/tls_certkey.c b/postfix/src/tls/tls_certkey.c
index 05deba332..633c431b3 100644
--- a/postfix/src/tls/tls_certkey.c
+++ b/postfix/src/tls/tls_certkey.c
@@ -67,6 +67,10 @@
 
 #include 
 
+/* Global library. */
+
+#include 
+
 /* TLS library. */
 
 #define TLS_INTERNAL
@@ -87,7 +91,7 @@ int     tls_set_ca_certificate_info(SSL_CTX *ctx, const char *CAfile,
 	    tls_print_errors();
 	    return (-1);
 	}
-	if (!SSL_CTX_set_default_verify_paths(ctx)) {
+	if (var_tls_append_def_CA && !SSL_CTX_set_default_verify_paths(ctx)) {
 	    msg_info("cannot set certificate verification paths");
 	    tls_print_errors();
 	    return (-1);
diff --git a/postfix/src/tls/tls_misc.c b/postfix/src/tls/tls_misc.c
index a1f9060a6..aa4c3a23b 100644
--- a/postfix/src/tls/tls_misc.c
+++ b/postfix/src/tls/tls_misc.c
@@ -13,6 +13,7 @@
 /*	char	*var_tls_export_clist;
 /*	char	*var_tls_null_clist;
 /*	int	var_tls_daemon_rand_bytes;
+/*	bool    var_tls_append_def_CA;
 /*
 /*	TLS_APPL_STATE *tls_alloc_app_context(ssl_ctx)
 /*	SSL_CTX	*ssl_ctx;
@@ -186,6 +187,7 @@ char   *var_tls_low_clist;
 char   *var_tls_export_clist;
 char   *var_tls_null_clist;
 int     var_tls_daemon_rand_bytes;
+bool    var_tls_append_def_CA;
 
  /*
   * Index to attach TLScontext pointers to SSL objects, so that they can be
@@ -401,6 +403,10 @@ void    tls_param_init(void)
 	VAR_TLS_DAEMON_RAND_BYTES, DEF_TLS_DAEMON_RAND_BYTES, &var_tls_daemon_rand_bytes, 1, 0,
 	0,
     };
+    static const CONFIG_BOOL_TABLE bool_table[] = {
+	VAR_TLS_APPEND_DEF_CA, DEF_TLS_APPEND_DEF_CA, &var_tls_append_def_CA,
+	0,
+    };
     static int init_done;
 
     if (init_done)
@@ -409,6 +415,7 @@ void    tls_param_init(void)
 
     get_mail_conf_str_table(str_table);
     get_mail_conf_int_table(int_table);
+    get_mail_conf_bool_table(bool_table);
 }
 
 /* tls_set_ciphers - Set SSL context cipher list */