From 0d89e201493f34f7a70f79e90020016d45a40da0 Mon Sep 17 00:00:00 2001
From: Wietse Venema
/etc/postfix/main.cf:
tls_disable_workarounds = 0xFFFFFFFF
- tls_disable_workarounds = CVE-2010-4180, LEGACY_SERVER_CONNECT
+ tls_disable_workarounds = CVE-2010-4180
-Note: Disabling LEGACY_SERVER_CONNECT is not wise at this -time, lots of servers are still unpatched and Postfix is not -significantly vulnerable to the renegotiation issue in the TLS -protocol.
+With Postfix ≥ 2.11, the tls_ssl_options parameter specifies +a list or bit-mask of OpenSSL options to enable. Specify one or +more of the named options below, or a hexadecimal bitmask of options +found in the ssl.h file corresponding to the run-time OpenSSL +library. While it may be reasonable to turn off all bug workarounds +(see above), it is not a good idea to attempt to turn on all features. +
+ +Example:
+ +++ ++/etc/postfix/main.cf: + tls_ssl_options = no_ticket, no_compression ++
You should only enable features via the hexadecimal mask when +the need to control the feature is critical (to deal with a new +vulnerability or a serious interoperability problem). Postfix DOES +NOT promise backwards compatible behavior with respect to the mask +bits. A feature enabled via the mask in one release may be enabled +by other means in a later release, and the mask bit will then be +ignored. Therefore, use of the hexadecimal mask is only a temporary +measure until a new Postfix or OpenSSL release provides a better +solution.
With Postfix 2.8 and later, the tls_disable_workarounds parameter +specifies a list or bit-mask of OpenSSL bug work-arounds to disable. This +may be necessary if one of the work-arounds enabled by default in +OpenSSL proves to pose a security risk, or introduces an unexpected +interoperability issue. Some bug work-arounds known to be problematic +are disabled in the default value of the parameter when linked with +an OpenSSL library that could be vulnerable.
+ +Example:
+ +++ ++/etc/postfix/main.cf: + tls_disable_workarounds = 0xFFFFFFFF + tls_disable_workarounds = CVE-2010-4180, LEGACY_SERVER_CONNECT ++
Note: Disabling LEGACY_SERVER_CONNECT is not wise at this +time, lots of servers are still unpatched and Postfix is not +significantly vulnerable to the renegotiation issue in the TLS +protocol.
+ +With Postfix ≥ 2.11, the tls_ssl_options parameter specifies +a list or bit-mask of OpenSSL options to enable. Specify one or +more of the named options below, or a hexadecimal bitmask of options +found in the ssl.h file corresponding to the run-time OpenSSL +library. While it may be reasonable to turn off all bug workarounds +(see above), it is not a good idea to attempt to turn on all features. +
+ +A future version of OpenSSL may by default no longer allow +connections to servers that don't support secure renegotiation. +Since the exposure for SMTP is minimal, and some SMTP servers may +remain unpatched, you can add LEGACY_SERVER_CONNECT to the +options to restore the more permissive default of current OpenSSL +releases.
+ +Example:
+ +++ ++/etc/postfix/main.cf: + tls_ssl_options = NO_TICKET, NO_COMPRESSION, LEGACY_SERVER_CONNECT ++
You should only enable features via the hexadecimal mask when +the need to control the feature is critical (to deal with a new +vulnerability or a serious interoperability problem). Postfix DOES +NOT promise backwards compatible behavior with respect to the mask +bits. A feature enabled via the mask in one release may be enabled +by other means in a later release, and the mask bit will then be +ignored. Therefore, use of the hexadecimal mask is only a temporary +measure until a new Postfix or OpenSSL release provides a better +solution.
+The security of cryptographic software such as TLS depends diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 9cda67dec..d5363a1d0 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -16471,6 +16471,65 @@ gives timeout errors.
This feature is available in Postfix 2.2 and later.
+ + +List or bit-mask of OpenSSL options to enable.
+ +The OpenSSL toolkit provides a set of options that applications +can enable to tune the OpenSSL behavior. Some of these work around +bugs in other implementations and are on by default. You can use +the tls_disable_workarounds parameter to selectively disable some +or all of the bug work-arounds, making OpenSSL more strict at the +cost of non-interoperability with SSL clients or servers that exhibit +the bugs.
+ +Other options are off by default, and typically enable or disable +features rather than bug work-arounds. These may be turned on (with +care) via the tls_ssl_options parameter. The value is a white-space +or comma separated list of named options chosen from the list below. +The names are not case-sensitive, you can use lower-case if you +prefer. The upper case values below match the corresponding macro +name in the ssl.h header file with the SSL_OP_ prefix removed. It +is possible that your OpenSSL version includes new options added +after your Postfix source code was last updated, in that case you +can only enable one of these via the hexadecimal syntax below.
+ +You should only enable features via the hexadecimal mask when +the need to control the feature is critical (to deal with a new +vulnerability or a serious interoperability problem). Postfix DOES +NOT promise backwards compatible behavior with respect to the mask +bits. A feature enabled via the mask in one release may be enabled +by other means in a later release, and the mask bit will then be +ignored. Therefore, use of the hexadecimal mask is only a temporary +measure until a new Postfix or OpenSSL release provides a better +solution.
+ +If the value of the parameter is a hexadecimal long integer +starting with "0x", the options corresponding to the bits specified +in its value are enabled (see openssl/ssl.h and SSL_CTX_set_options(3)). +You can only enable options not already controlled by other Postfix +settings. For example, you cannot disable protocols or enable +server cipher preference. Do not attempt to turn all features by +specifying 0xFFFFFFFF, this is unlikely to be a good idea.
+ +This feature is available in Postfix 2.11 and later.
+ +
/etc/postfix/main.cf:
tls_disable_workarounds = 0xFFFFFFFF
- tls_disable_workarounds = CVE-2010-4180, LEGACY_SERVER_CONNECT
+ tls_disable_workarounds = CVE-2010-4180
-Note: Disabling LEGACY_SERVER_CONNECT is not wise at this -time, lots of servers are still unpatched and Postfix is not -significantly vulnerable to the renegotiation issue in the TLS -protocol.
+With Postfix ≥ 2.11, the tls_ssl_options parameter specifies +a list or bit-mask of OpenSSL options to enable. Specify one or +more of the named options below, or a hexadecimal bitmask of options +found in the ssl.h file corresponding to the run-time OpenSSL +library. While it may be reasonable to turn off all bug workarounds +(see above), it is not a good idea to attempt to turn on all features. +
+ +Example:
+ +++ ++/etc/postfix/main.cf: + tls_ssl_options = no_ticket, no_compression ++
You should only enable features via the hexadecimal mask when +the need to control the feature is critical (to deal with a new +vulnerability or a serious interoperability problem). Postfix DOES +NOT promise backwards compatible behavior with respect to the mask +bits. A feature enabled via the mask in one release may be enabled +by other means in a later release, and the mask bit will then be +ignored. Therefore, use of the hexadecimal mask is only a temporary +measure until a new Postfix or OpenSSL release provides a better +solution.
With Postfix 2.8 and later, the tls_disable_workarounds parameter +specifies a list or bit-mask of OpenSSL bug work-arounds to disable. This +may be necessary if one of the work-arounds enabled by default in +OpenSSL proves to pose a security risk, or introduces an unexpected +interoperability issue. Some bug work-arounds known to be problematic +are disabled in the default value of the parameter when linked with +an OpenSSL library that could be vulnerable.
+ +Example:
+ +++ ++/etc/postfix/main.cf: + tls_disable_workarounds = 0xFFFFFFFF + tls_disable_workarounds = CVE-2010-4180, LEGACY_SERVER_CONNECT ++
Note: Disabling LEGACY_SERVER_CONNECT is not wise at this +time, lots of servers are still unpatched and Postfix is not +significantly vulnerable to the renegotiation issue in the TLS +protocol.
+ +With Postfix ≥ 2.11, the tls_ssl_options parameter specifies +a list or bit-mask of OpenSSL options to enable. Specify one or +more of the named options below, or a hexadecimal bitmask of options +found in the ssl.h file corresponding to the run-time OpenSSL +library. While it may be reasonable to turn off all bug workarounds +(see above), it is not a good idea to attempt to turn on all features. +
+ +A future version of OpenSSL may by default no longer allow +connections to servers that don't support secure renegotiation. +Since the exposure for SMTP is minimal, and some SMTP servers may +remain unpatched, you can add LEGACY_SERVER_CONNECT to the +options to restore the more permissive default of current OpenSSL +releases.
+ +Example:
+ +++ ++/etc/postfix/main.cf: + tls_ssl_options = NO_TICKET, NO_COMPRESSION, LEGACY_SERVER_CONNECT ++
You should only enable features via the hexadecimal mask when +the need to control the feature is critical (to deal with a new +vulnerability or a serious interoperability problem). Postfix DOES +NOT promise backwards compatible behavior with respect to the mask +bits. A feature enabled via the mask in one release may be enabled +by other means in a later release, and the mask bit will then be +ignored. Therefore, use of the hexadecimal mask is only a temporary +measure until a new Postfix or OpenSSL release provides a better +solution.
+The security of cryptographic software such as TLS depends diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index ff9a7b481..1359d1b7c 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -15226,3 +15226,59 @@ the server in question is skipped and delivery is deferred if no secure servers are found.
This feature is available in Postfix 2.11 and later.
+ +%PARAM tls_ssl_options + +List or bit-mask of OpenSSL options to enable.
+ +The OpenSSL toolkit provides a set of options that applications +can enable to tune the OpenSSL behavior. Some of these work around +bugs in other implementations and are on by default. You can use +the tls_disable_workarounds parameter to selectively disable some +or all of the bug work-arounds, making OpenSSL more strict at the +cost of non-interoperability with SSL clients or servers that exhibit +the bugs.
+ +Other options are off by default, and typically enable or disable +features rather than bug work-arounds. These may be turned on (with +care) via the tls_ssl_options parameter. The value is a white-space +or comma separated list of named options chosen from the list below. +The names are not case-sensitive, you can use lower-case if you +prefer. The upper case values below match the corresponding macro +name in the ssl.h header file with the SSL_OP_ prefix removed. It +is possible that your OpenSSL version includes new options added +after your Postfix source code was last updated, in that case you +can only enable one of these via the hexadecimal syntax below.
+ +You should only enable features via the hexadecimal mask when +the need to control the feature is critical (to deal with a new +vulnerability or a serious interoperability problem). Postfix DOES +NOT promise backwards compatible behavior with respect to the mask +bits. A feature enabled via the mask in one release may be enabled +by other means in a later release, and the mask bit will then be +ignored. Therefore, use of the hexadecimal mask is only a temporary +measure until a new Postfix or OpenSSL release provides a better +solution.
+ +If the value of the parameter is a hexadecimal long integer +starting with "0x", the options corresponding to the bits specified +in its value are enabled (see openssl/ssl.h and SSL_CTX_set_options(3)). +You can only enable options not already controlled by other Postfix +settings. For example, you cannot disable protocols or enable +server cipher preference. Do not attempt to turn all features by +specifying 0xFFFFFFFF, this is unlikely to be a good idea.
+ +This feature is available in Postfix 2.11 and later.
+ diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index 7949738b8..c40702f13 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -3065,6 +3065,10 @@ extern bool var_tls_preempt_clist; #define DEF_TLS_BUG_TWEAKS TLS_BUG_TWEAKS extern char *var_tls_bug_tweaks; +#define VAR_TLS_SSL_OPTIONS "tls_ssl_options" +#define DEF_TLS_SSL_OPTIONS "" +extern char *var_tls_ssl_options; + #define VAR_TLS_BC_PKEY_FPRINT "tls_legacy_public_key_fingerprints" #define DEF_TLS_BC_PKEY_FPRINT 0 extern bool var_tls_bc_pkey_fprint; diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index fb5a95323..ed6467d86 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20130506" +#define MAIL_RELEASE_DATE "20130518" #define MAIL_VERSION_NUMBER "2.11" #ifdef SNAPSHOT diff --git a/postfix/src/posttls-finger/posttls-finger.c b/postfix/src/posttls-finger/posttls-finger.c index e8e5223f1..fffad281e 100644 --- a/postfix/src/posttls-finger/posttls-finger.c +++ b/postfix/src/posttls-finger/posttls-finger.c @@ -105,6 +105,9 @@ /* The PEM formatted CAfile for remote SMTP server certificate /* verification. By default no CAfile is used and no public CAs /* are trusted. +/* .IP "\fB-g \fIgrade\fR (default: medium)" +/* The minimum TLS cipher grade used by posttls-finger. See +/* smtp_tls_mandatory_ciphers for details. /* .IP "\fB-h \fIhost_lookup\fR (default: \fBdns\fR)" /* The hostname lookup methods used for the connection. See the /* documentation of smtp_host_lookup for syntax and semantics. 
@@ -179,8 +182,9 @@ /* peercert..cache and more. /* .RE /* .IP -/* The default is \fBroutine,certmatch\fR. After a reconnect, the log -/* level is unconditionally \fBroutine,cache\fR. +/* The default is \fBroutine,certmatch\fR. After a reconnect, +/* \fBpeercert\fR, \fBcertmatch\fR and \fBverbose\fR are automatically +/* disabled while \fBcache\fR and \fBsummary\fR are enabled. /* .IP "\fB-m \fIcount\fR (default: \fB5\fR)" /* When the \fB-r \fIdelay\fR option is specified, the \fB-m\fR option /* determines the maximum number of reconnect attempts to use with @@ -194,6 +198,9 @@ /* parameter \fIname\fR with \fIvalue\fR. Possible use-cases include /* overriding the values of TLS library parameters, or "myhostname" to /* configure the SMTP EHLO name sent to the remote server. +/* .IP "\fB-p \fIprotocols\fR (default: !SSLv2)" +/* List of TLS protocols that posttls-finger will exclude or include. See +/* smtp_tls_mandatory_protocols for details. /* .IP "\fB-P \fICApath/\fR (default: none)" /* The OpenSSL CApath/ directory (indexed via c_rehash(1)) for remote /* SMTP server certificate verification. By default no CApath is used @@ -418,6 +425,8 @@ typedef struct STATE { TLS_SESS_STATE *tls_context; /* Session TLS context */ TLS_DANE *dane; /* DANE TLSA validation structure */ TLS_DANE *ddane; /* DANE TLSA from DNS */ + char *grade; /* Minimum cipher grade */ + char *protocols; /* Protocol inclusion/exclusion */ #endif OPTIONS options; /* JCL */ } STATE; @@ -667,8 +676,8 @@ static int starttls(STATE *state) namaddr = state->namaddrport, serverid = STR(serverid), helo = state->helo ? state->helo : "", - protocols = "!SSLv2", /* XXX */ - cipher_grade = "medium", /* XXX */ + protocols = state->protocols, + cipher_grade = state->grade, cipher_exclusions = vstring_str(cipher_exclusions), matchargv = state->match, 
@@ -693,7 +702,9 @@ static int starttls(STATE *state) msg_info("Server is anonymous"); else if (state->print_trust) print_trust_info(state); - state->log_mask = TLS_LOG_SUMMARY | TLS_LOG_CACHE; + state->log_mask &= ~(TLS_LOG_CERTMATCH | TLS_LOG_PEERCERT | + TLS_LOG_VERBOSE | TLS_LOG_UNTRUSTED); + state->log_mask |= TLS_LOG_CACHE | TLS_LOG_SUMMARY; tls_update_app_logmask(state->tls_ctx, state->log_mask); } return (0); @@ -1127,7 +1138,7 @@ static DNS_RR *host_addr(STATE *state, const char *host) /* dane_host_level - canidate host "dane" or degraded security level */ -static int dane_host_level(STATE *state, DNS_RR *addr, unsigned port) +static int dane_host_level(STATE *state, DNS_RR *addr) { int level = state->level; @@ -1144,11 +1155,11 @@ static int dane_host_level(STATE *state, DNS_RR *addr, unsigned port) tls_dane_free(state->ddane); /* When TLSA lookups fail, next host */ - state->ddane = tls_dane_resolve(HNAME(addr), "tcp", port); + state->ddane = tls_dane_resolve(HNAME(addr), "tcp", state->port); if (!state->ddane) { dsb_simple(state->why, "4.7.5", "TLSA lookup error for %s:%u", - HNAME(addr), ntohs(port)); + HNAME(addr), ntohs(state->port)); return (TLS_LEV_INVALID); } /* If unusable or not found, same fallback to "secure" */ @@ -1222,12 +1233,11 @@ static void connect_remote(STATE *state, char *dest) DNS_RR *addr; char *buf; char *domain; - unsigned port; /* When reconnecting use IP address of previous session */ if (state->addr == 0) { buf = parse_destination(dest, state->smtp ? "smtp" : "24", - &domain, &port); + &domain, &state->port); if (!state->nexthop) state->nexthop = mystrdup(domain); if (state->smtp == 0 || *dest == '[') 
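Review bot: The rewritten log_mask update in starttls() also clears TLS_LOG_UNTRUSTED, but the -L manual text changed in the -179 hunk of this file says only peercert, certmatch and verbose are disabled after a reconnect, so code and documentation disagree. An operator who asked for untrusted-certificate logging would lose that output on reconnects without being told; either the manual line should become `/* \fBpeercert\fR, \fBcertmatch\fR, \fBverbose\fR and \fBuntrusted\fR are automatically` (assuming `untrusted` is the -L keyword for that bit) or TLS_LOG_UNTRUSTED should be dropped from the cleared set. Whichever is intended, a one-line comment above the `&=` naming why these particular bits are noise after a reconnect would help the next reader. starttls() begins and ends outside the hunk.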
@@ -1241,10 +1251,9 @@ static void connect_remote(STATE *state, char *dest) vstring_str(state->why->reason)); return; } - state->port = port; } for (addr = state->addr; addr; addr = addr->next) { - int level = dane_host_level(state, addr, port); + int level = dane_host_level(state, addr); if (level == TLS_LEV_INVALID || (state->stream = connect_addr(state, addr)) == 0) { @@ -1440,6 +1449,8 @@ static void cleanup(STATE *state) tls_dane_flush(); /* Flush and free memory tlsmgr cache */ tlsmgrmem_flush(); + myfree(state->grade); + myfree(state->protocols); #endif myfree(state->options.host_lookup); myfree(state->dest); @@ -1453,7 +1464,7 @@ static void usage(void) { #ifdef USE_TLS fprintf(stderr, "usage: %s %s \\\n\t%s \\\n\t%s destination [match ...]\n", - var_procname, "[-acCStTv] [-d mdalg] [-F CAfile.pem]", + var_procname, "[-acCStTv] [-d mdalg] [-g grade] [-p protocols] [-F CAfile.pem]", "[-h host_lookup] [-l level] [-L logopts] [-m count]", "[-o name=value] [-P CApath/] [-r delay]"); #else @@ -1515,12 +1526,16 @@ static void parse_options(STATE *state, int argc, char *argv[]) state->pass = 1; state->reconnect = -1; state->max_reconnect = 5; +#ifdef USE_TLS + state->protocols = mystrdup("!SSLv2"); + state->grade = mystrdup("medium"); +#endif memset((char *) &state->options, 0, sizeof(state->options)); state->options.host_lookup = mystrdup("dns"); #define OPTS "a:ch:o:St:T:v" #ifdef USE_TLS -#define TLSOPTS "A:Cd:F:l:L:m:P:r:" +#define TLSOPTS "A:Cd:F:g:l:L:m:p:P:r:" state->mdalg = mystrdup("sha1"); state->CApath = mystrdup(""); @@ -1578,6 +1593,10 @@ static void parse_options(STATE *state, int argc, char *argv[]) myfree(state->CAfile); state->CAfile = mystrdup(optarg); break; + case 'g': + myfree(state->grade); + state->grade = mystrdup(optarg); + break; case 'l': if (state->options.level) myfree(state->options.level); 
@@ -1591,6 +1610,10 @@ static void parse_options(STATE *state, int argc, char *argv[]) case 'm': state->max_reconnect = atoi(optarg); break; + case 'p': + myfree(state->protocols); + state->protocols = mystrdup(optarg); + break; case 'P': myfree(state->CApath); state->CApath = mystrdup(optarg); diff --git a/postfix/src/tls/tls.h b/postfix/src/tls/tls.h index f1544069e..5519dcc54 100644 --- a/postfix/src/tls/tls.h +++ b/postfix/src/tls/tls.h @@ -295,9 +295,22 @@ extern void tls_param_init(void); #undef SSL_OP_NO_TLSv1_2 #define SSL_OP_NO_TLSv1_2 0L /* Noop */ #endif -#define TLS_KNOWN_PROTOCOLS \ +#define TLS_KNOWN_PROTOCOLS \ ( TLS_PROTOCOL_SSLv2 | TLS_PROTOCOL_SSLv3 | TLS_PROTOCOL_TLSv1 \ | TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 ) +#define TLS_SSL_OP_PROTOMASK(m) \ + ((((m) & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L) \ + | (((m) & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L) \ + | (((m) & TLS_PROTOCOL_TLSv1) ? SSL_OP_NO_TLSv1 : 0L) \ + | (((m) & TLS_PROTOCOL_TLSv1_1) ? SSL_OP_NO_TLSv1_1 : 0L) \ + | (((m) & TLS_PROTOCOL_TLSv1_2) ? SSL_OP_NO_TLSv1_2 : 0L)) + +/* + * SSL options that are managed via dedicated Postfix features, rather than + * just exposed via hex codes or named elements of tls_ssl_options. + */ +#define TLS_SSL_OP_MANAGED_BITS \ + (SSL_OP_CIPHER_SERVER_PREFERENCE | TLS_SSL_OP_PROTOMASK(~0)) extern int tls_protocol_mask(const char *); diff --git a/postfix/src/tls/tls_client.c b/postfix/src/tls/tls_client.c index 7f108b984..422614805 100644 --- a/postfix/src/tls/tls_client.c +++ b/postfix/src/tls/tls_client.c 
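Review bot: TLS_SSL_OP_PROTOMASK(m) in the tls.h hunk expands its argument five times, so any caller that passes an expression with side effects would evaluate it repeatedly; the two uses in this patch (`protomask` in tls_client.c and `~0` in TLS_SSL_OP_MANAGED_BITS) are plain values and safe, but nothing documents that requirement. A short comment such as `/* (m) is evaluated more than once: pass a variable or constant, not an expression with side effects. */` above the macro would record it. It is also worth stating in the TLS_SSL_OP_MANAGED_BITS comment that the mask stays well-defined only because the missing SSL_OP_NO_* names are defined as `0L /* Noop */` earlier in this header, as the context lines show, since that is what makes `TLS_SSL_OP_PROTOMASK(~0)` portable across OpenSSL builds.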
@@ -853,12 +853,7 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props) * Apply session protocol restrictions. */ if (protomask != 0) - SSL_set_options(TLScontext->con, - ((protomask & TLS_PROTOCOL_TLSv1) ? SSL_OP_NO_TLSv1 : 0L) - | ((protomask & TLS_PROTOCOL_TLSv1_1) ? SSL_OP_NO_TLSv1_1 : 0L) - | ((protomask & TLS_PROTOCOL_TLSv1_2) ? SSL_OP_NO_TLSv1_2 : 0L) - | ((protomask & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L) - | ((protomask & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L)); + SSL_set_options(TLScontext->con, TLS_SSL_OP_PROTOMASK(protomask)); /* * XXX To avoid memory leaks we must always call SSL_SESSION_free() after @@ -873,13 +868,12 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props) } } #ifdef TLSEXT_MAXLEN_host_name - if (session == 0 - && props->tls_level == TLS_LEV_DANE + if (props->tls_level == TLS_LEV_DANE && strlen(props->host) <= TLSEXT_MAXLEN_host_name) { /* - * With new DANE sessions, send an SNI hint. We don't care whether - * the server reports finding a matching certificate or not, so no + * With DANE sessions, send an SNI hint. We don't care whether the + * server reports finding a matching certificate or not, so no * callback is required to process the server response. Our use of * SNI is limited to giving servers that are (mis)configured to use * SNI the best opportunity to find the certificate they promised via diff --git a/postfix/src/tls/tls_misc.c b/postfix/src/tls/tls_misc.c index 086aaf76a..93b5fb1d5 100644 --- a/postfix/src/tls/tls_misc.c +++ b/postfix/src/tls/tls_misc.c @@ -221,6 +221,7 @@ char *var_tls_eecdh_ultra; char *var_tls_dane_ta_dgst; bool var_tls_append_def_CA; char *var_tls_bug_tweaks; +char *var_tls_ssl_options; bool var_tls_bc_pkey_fprint; #ifdef VAR_TLS_PREEMPT_CLIST 
@@ -312,6 +313,28 @@ static const LONG_NAME_MASK ssl_bug_tweaks[] = { 0, 0, }; + /* + * SSL_OP_MUMBLE option name <=> mask conversion for options that are not + * (or may in the future not be) in SSL_OP_ALL. These enable optional + * behavior, rather than bug interoperability work-arounds. + */ +#define NAME_SSL_OP(x) #x, SSL_OP_##x +static const LONG_NAME_MASK ssl_op_tweaks[] = { + +#if defined(SSL_OP_LEGACY_SERVER_CONNECT) + NAME_SSL_OP(LEGACY_SERVER_CONNECT), +#endif + +#if defined(SSL_OP_NO_TICKET) + NAME_SSL_OP(NO_TICKET), +#endif + +#if defined(SSL_OP_NO_COMPRESSION) + NAME_SSL_OP(NO_COMPRESSION), +#endif + 0, 0, +}; + /* * Ciphersuite name <=> code conversion. */ @@ -567,6 +590,7 @@ void tls_param_init(void) VAR_TLS_EECDH_STRONG, DEF_TLS_EECDH_STRONG, &var_tls_eecdh_strong, 1, 0, VAR_TLS_EECDH_ULTRA, DEF_TLS_EECDH_ULTRA, &var_tls_eecdh_ultra, 1, 0, VAR_TLS_BUG_TWEAKS, DEF_TLS_BUG_TWEAKS, &var_tls_bug_tweaks, 0, 0, + VAR_TLS_SSL_OPTIONS, DEF_TLS_SSL_OPTIONS, &var_tls_ssl_options, 0, 0, VAR_TLS_DANE_TA_DGST, DEF_TLS_DANE_TA_DGST, &var_tls_dane_ta_dgst, 0, 0, 0, }; @@ -924,6 +948,19 @@ long tls_bug_bits(void) var_tls_bug_tweaks, NAME_MASK_ANY_CASE | NAME_MASK_NUMBER | NAME_MASK_WARN); } + + /* + * Allow users to set options not in SSL_OP_ALL, and not already + * managed via other Postfix parameters. + */ + if (*var_tls_ssl_options) { + long enable; + enable = long_name_mask_opt(VAR_TLS_SSL_OPTIONS, ssl_op_tweaks, + var_tls_ssl_options, NAME_MASK_ANY_CASE | + NAME_MASK_NUMBER | NAME_MASK_WARN); + enable &= ~(SSL_OP_ALL | TLS_SSL_OP_MANAGED_BITS); + bits |= enable; + } return (bits); } -- 2.47.3
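Review bot: The new tls_ssl_options block in tls_bug_bits() silently strips every bit in SSL_OP_ALL or TLS_SSL_OP_MANAGED_BITS, so an operator whose hexadecimal value overlaps a protocol or cipher-preference bit gets no indication that part of the setting was ignored, even though the postconf text in this same patch says those options cannot be enabled through this parameter. Logging the discarded bits once makes the effective configuration visible and avoids a false sense that a hardening option took effect. The local `enable` can also be initialized at its declaration, and a comment should note that masking happens after name parsing so the NAME_MASK_WARN diagnostics still cover unknown names. tls_bug_bits() begins outside the hunk; `msg_warn` is the usual Postfix logging call for this.
```c
    if (*var_tls_ssl_options) {
	long    enable = long_name_mask_opt(VAR_TLS_SSL_OPTIONS, ssl_op_tweaks,
					    var_tls_ssl_options,
					    NAME_MASK_ANY_CASE |
					    NAME_MASK_NUMBER | NAME_MASK_WARN);
	long    managed = enable & (SSL_OP_ALL | TLS_SSL_OP_MANAGED_BITS);

	/* Bits owned by other parameters are dropped, but say so. */
	if (managed != 0)
	    msg_warn("%s: ignoring options 0x%lx that are controlled by "
		     "other settings", VAR_TLS_SSL_OPTIONS, managed);
	bits |= enable & ~managed;
    }
    /* ... unchanged: return (bits); ... */
```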