From 2cd314309bc76b19159d247c040c33510a636c61 Mon Sep 17 00:00:00 2001 From: Wietse Venema Date: Sun, 6 Apr 2014 00:00:00 -0500 Subject: [PATCH] postfix-2.12-20140406 --- postfix/.indent.pro | 2 +- postfix/HISTORY | 23 +++++++++++++ postfix/RELEASE_NOTES | 10 +++--- postfix/html/postconf.5.html | 36 +++++++++++++++++---- postfix/html/smtpd.8.html | 5 +++ postfix/man/man5/postconf.5 | 30 +++++++++++++---- postfix/man/man8/smtpd.8 | 4 +++ postfix/mantools/postlink | 1 + postfix/proto/postconf.proto | 32 ++++++++++++++---- postfix/src/global/Makefile.in | 33 ++++++++++--------- postfix/src/global/bounce.c | 14 ++++++++ postfix/src/global/dsn_filter.c | 15 +++++---- postfix/src/global/dsn_filter.h | 2 +- postfix/src/global/mail_params.h | 6 +++- postfix/src/global/mail_version.h | 2 +- postfix/src/local/local.c | 6 ++-- postfix/src/pipe/pipe.c | 6 ++-- postfix/src/posttls-finger/posttls-finger.c | 2 +- postfix/src/smtp/lmtp_params.c | 2 +- postfix/src/smtp/smtp.c | 24 +++++++------- postfix/src/smtp/smtp_params.c | 2 +- postfix/src/smtpd/smtpd.c | 4 +++ postfix/src/tls/tls_misc.c | 3 ++ postfix/src/tls/tls_scache.h | 4 +-- postfix/src/tls/tls_server.c | 24 +++++++++++--- postfix/src/virtual/virtual.c | 6 ++-- 26 files changed, 218 insertions(+), 80 deletions(-) diff --git a/postfix/.indent.pro b/postfix/.indent.pro index 82bf6e4fb..6c5e7904b 100644 --- a/postfix/.indent.pro +++ b/postfix/.indent.pro @@ -120,6 +120,7 @@ -TDOMAIN_LIST -TDSN -TDSN_BUF +-TDSN_FILTER -TDSN_SPLIT -TDSN_STAT -TEC_GROUP @@ -209,7 +210,6 @@ -TNAME_CODE -TNAME_MASK -TNBBIO --TNDR_FILTER -TOPTIONS -TPCF_DBMS_INFO -TPCF_EVAL_CTX diff --git a/postfix/HISTORY b/postfix/HISTORY index c502ba6a9..1f9c92f52 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY 
@@ -19649,3 +19649,26 @@ Apologies for any names omitted. master/single_server.c, master/trigger_server.c, pipe/pipe.c, smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp_params.c, virtual/virtual.c, mantools/postlink. + +20140322 + + Cleanup: code comments and identifier names to reflect the + evolution from "NDR filter" to "delivery status filter". + Files: global/mail_params.h, smtp/smtp.c, global/dsn_filter.c, + global/dsn_filter.h, local/local.c, pipe/pipe.c, + smtp/lmtp_params.c, smtp/smtp_params.c, virtual/virtual.c, + global/bounce.c. + +20140406 + + Bugfix: when testing session caching, stop reconnecting + after encountering a previously-used server (when the session + is re-used or not). Viktor Dukhovni. File: + posttls-finger/posttls-finger.c. + + Feature: configurable TLS session-ticket cipher (default: + tls_sesion_ticket_cipher = aes-128-cbc). Viktor Dukhovni + and Wietse. Files: mantools/postlink, smtpd/smtpd.c, + proto/postconf.proto, global/mail_params.h, tls/tls_misc.c, + tls/tls_scache.h, tls/tls_server.c. + diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index e56c6dc7a..76addc374 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES 
@@ -20,10 +20,12 @@ Major changes with snapshot 20140321 ==================================== Delivery status filter support, to replace the delivery status codes -and explanatory text of successful or unsuccessful deliveries. This -was originally implemented for sites that want to turn certain soft -delivery errors into hard delivery errors, but it can also be used -to censor out information from delivery confirmation reports. +and explanatory text of successful or unsuccessful deliveries by +Postfix mail delivery agents. + +This was originally implemented for sites that want to turn certain +soft delivery errors into hard delivery errors, but it can also be +used to censor out information from delivery confirmation reports. This feature is implemented as a filter that replaces the three-number enhanced status code and descriptive text in Postfix delivery agent diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 316f0fb12..074e42d06 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -1890,14 +1890,20 @@ name of the message delivery transport. (default: empty)

Optional filter to replace the delivery status code or explanatory -text of successful or unsuccessful deliveries. This does, however, -not allow the replacement of a successful status code (2.X.X) with -an unsuccessful status code (4.X.X or 5.X.X) or vice versa.

+text of successful or unsuccessful deliveries. This does not allow +the replacement of a successful status code (2.X.X) with an +unsuccessful status code (4.X.X or 5.X.X) or vice versa.

+ +

The following parameters can be used to implement a filter for +specific delivery agents: lmtp_delivery_status_filter, +local_delivery_status_filter, pipe_delivery_status_filter, +smtp_delivery_status_filter or virtual_delivery_status_filter. These +parameters support the same filter syntax as described here.

Specify zero or more "type:table" lookup table names, separated -by comma or whitespace. With each bounce or defer request, the -tables are queried in the specified order with one line of text -that is structured as follows:

+by comma or whitespace. For each successful or unsuccessful delivery +to a recipient, the tables are queried in the specified order with +one line of text that is structured as follows:

enhanced-status-code SPACE explanatory-text @@ -16923,6 +16929,24 @@ gives timeout errors.

This feature is available in Postfix 2.2 and later.

+
+ +
tls_session_ticket_cipher +(default: aes-128-cbc)
+ +

Algorithm used to encrypt RFC5077 TLS session tickets. This +algorithm must use CBC mode, have a 128-bit initialization vector +(IV), and must have a key length between 128 and 256 bits. The +default is aes-128-cbc. Sensible alternatives include aes-192-cbc +and aes-256-cbc.

+ +

Setting this parameter empty disables session ticket support +in the Postfix SMTP server. Another way to disable session ticket +support is via the tls_ssl_options parameter.

+ +

This feature is available in Postfix 2.12 and later.

+ +
tls_ssl_options diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html index 814c715dd..84e91653b 100644 --- a/postfix/html/smtpd.8.html +++ b/postfix/html/smtpd.8.html @@ -537,6 +537,11 @@ SMTPD(8) SMTPD(8) tlsmgr_service_name (tlsmgr) The name of the tlsmgr(8) service entry in master.cf. + Available in Postfix version 2.12 and later: + + tls_session_ticket_cipher (aes-128-cbc) + Algorithm used to encrypt RFC5077 TLS session tickets. + OBSOLETE STARTTLS CONTROLS The following configuration parameters exist for compatibility with Postfix versions before 2.3. Support for these will be removed in a diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 43dfa2d9b..14cee0d5f 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 
@@ -1110,14 +1110,20 @@ transport-specific override, where \fItransport\fR is the master.cf name of the message delivery transport. .SH default_delivery_status_filter (default: empty) Optional filter to replace the delivery status code or explanatory -text of successful or unsuccessful deliveries. This does, however, -not allow the replacement of a successful status code (2.X.X) with -an unsuccessful status code (4.X.X or 5.X.X) or vice versa. +text of successful or unsuccessful deliveries. This does not allow +the replacement of a successful status code (2.X.X) with an +unsuccessful status code (4.X.X or 5.X.X) or vice versa. +.PP +The following parameters can be used to implement a filter for +specific delivery agents: lmtp_delivery_status_filter, +local_delivery_status_filter, pipe_delivery_status_filter, +smtp_delivery_status_filter or virtual_delivery_status_filter. These +parameters support the same filter syntax as described here. .PP Specify zero or more "type:table" lookup table names, separated -by comma or whitespace. With each bounce or defer request, the -tables are queried in the specified order with one line of text -that is structured as follows: +by comma or whitespace. For each successful or unsuccessful delivery +to a recipient, the tables are queried in the specified order with +one line of text that is structured as follows: .sp .in +4 enhanced-status-code SPACE explanatory-text 
@@ -11589,6 +11595,18 @@ Note: on OpenBSD systems specify /dev/arandom when /dev/urandom gives timeout errors. .PP This feature is available in Postfix 2.2 and later. +.SH tls_session_ticket_cipher (default: aes-128-cbc) +Algorithm used to encrypt RFC5077 TLS session tickets. This +algorithm must use CBC mode, have a 128-bit initialization vector +(IV), and must have a key length between 128 and 256 bits. The +default is aes-128-cbc. Sensible alternatives include aes-192-cbc +and aes-256-cbc. +.PP +Setting this parameter empty disables session ticket support +in the Postfix SMTP server. Another way to disable session ticket +support is via the tls_ssl_options parameter. +.PP +This feature is available in Postfix 2.12 and later. .SH tls_ssl_options (default: empty) List or bit-mask of OpenSSL options to enable. .PP diff --git a/postfix/man/man8/smtpd.8 b/postfix/man/man8/smtpd.8 index f900b5fa4..563ec475d 100644 --- a/postfix/man/man8/smtpd.8 +++ b/postfix/man/man8/smtpd.8 @@ -485,6 +485,10 @@ List or bit-mask of OpenSSL bug work-arounds to disable. Available in Postfix version 2.11 and later: .IP "\fBtlsmgr_service_name (tlsmgr)\fR" The name of the \fBtlsmgr\fR(8) service entry in master.cf. +.PP +Available in Postfix version 2.12 and later: +.IP "\fBtls_session_ticket_cipher (aes-128-cbc)\fR" +Algorithm used to encrypt RFC5077 TLS session tickets. .SH "OBSOLETE STARTTLS CONTROLS" .na .nf diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink index 73e69278d..1a30542aa 100755 --- a/postfix/mantools/postlink +++ b/postfix/mantools/postlink @@ -724,6 +724,7 @@ while (<>) { s;\btls_dane_trust_anchor_digest_enable\b;$&;g; s;\btls_dane_digests\b;$&;g; s;\btls_wildcard_matches_multiple_labels\b;$&;g; + s;\btls_session_ticket_cipher\b;$&;g; s;\bfrozen_delivered_to\b;$&;g; s;\breset_owner_alias\b;$&;g; diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index e621cbb8c..8ee4b042d 100644 --- a/postfix/proto/postconf.proto 
+++ b/postfix/proto/postconf.proto @@ -15616,17 +15616,37 @@ anchor assertion) TLSA records.

This feature is available in Postfix 2.11 and later.

+%PARAM tls_session_ticket_cipher aes-128-cbc + +

Algorithm used to encrypt RFC5077 TLS session tickets. This +algorithm must use CBC mode, have a 128-bit initialization vector +(IV), and must have a key length between 128 and 256 bits. The +default is aes-128-cbc. Sensible alternatives include aes-192-cbc +and aes-256-cbc.

+ +

Setting this parameter empty disables session ticket support +in the Postfix SMTP server. Another way to disable session ticket +support is via the tls_ssl_options parameter.

+ +

This feature is available in Postfix 2.12 and later.

+ %PARAM default_delivery_status_filter

Optional filter to replace the delivery status code or explanatory -text of successful or unsuccessful deliveries. This does, however, -not allow the replacement of a successful status code (2.X.X) with -an unsuccessful status code (4.X.X or 5.X.X) or vice versa.

+text of successful or unsuccessful deliveries. This does not allow +the replacement of a successful status code (2.X.X) with an +unsuccessful status code (4.X.X or 5.X.X) or vice versa.

+ +

The following parameters can be used to implement a filter for +specific delivery agents: lmtp_delivery_status_filter, +local_delivery_status_filter, pipe_delivery_status_filter, +smtp_delivery_status_filter or virtual_delivery_status_filter. These +parameters support the same filter syntax as described here.

Specify zero or more "type:table" lookup table names, separated -by comma or whitespace. With each bounce or defer request, the -tables are queried in the specified order with one line of text -that is structured as follows:

+by comma or whitespace. For each successful or unsuccessful delivery +to a recipient, the tables are queried in the specified order with +one line of text that is structured as follows:

enhanced-status-code SPACE explanatory-text diff --git a/postfix/src/global/Makefile.in b/postfix/src/global/Makefile.in index 355465c1a..2e7ec04ec 100644 --- a/postfix/src/global/Makefile.in +++ b/postfix/src/global/Makefile.in @@ -660,13 +660,13 @@ bounce.o: defer.h bounce.o: deliver_request.h bounce.o: dsn.h bounce.o: dsn_buf.h +bounce.o: dsn_filter.h bounce.o: dsn_print.h bounce.o: dsn_util.h bounce.o: log_adhoc.h bounce.o: mail_params.h bounce.o: mail_proto.h bounce.o: msg_stats.h -bounce.o: dsn_filter.h bounce.o: rcpt_print.h bounce.o: recipient_list.h bounce.o: trace.h @@ -804,6 +804,7 @@ defer.o: defer.h defer.o: deliver_request.h defer.o: dsn.h defer.o: dsn_buf.h +defer.o: dsn_filter.h defer.o: dsn_print.h defer.o: dsn_util.h defer.o: flush_clnt.h @@ -812,7 +813,6 @@ defer.o: mail_params.h defer.o: mail_proto.h defer.o: mail_queue.h defer.o: msg_stats.h -defer.o: dsn_filter.h defer.o: rcpt_print.h defer.o: recipient_list.h defer.o: trace.h @@ -1050,6 +1050,20 @@ dsn_buf.o: ../../include/vstring.h dsn_buf.o: dsn.h dsn_buf.o: dsn_buf.c dsn_buf.o: dsn_buf.h +dsn_filter.o: ../../include/argv.h +dsn_filter.o: ../../include/dict.h +dsn_filter.o: ../../include/msg.h +dsn_filter.o: ../../include/myflock.h +dsn_filter.o: ../../include/mymalloc.h +dsn_filter.o: ../../include/sys_defs.h +dsn_filter.o: ../../include/vbuf.h +dsn_filter.o: ../../include/vstream.h +dsn_filter.o: ../../include/vstring.h +dsn_filter.o: dsn.h +dsn_filter.o: dsn_filter.c +dsn_filter.o: dsn_filter.h +dsn_filter.o: dsn_util.h +dsn_filter.o: maps.h dsn_mask.o: ../../include/msg.h dsn_mask.o: ../../include/name_code.h dsn_mask.o: ../../include/name_mask.h 
@@ -1806,20 +1820,6 @@ namadr_list.o: ../../include/match_list.h namadr_list.o: ../../include/sys_defs.h namadr_list.o: namadr_list.c namadr_list.o: namadr_list.h -dsn_filter.o: ../../include/argv.h -dsn_filter.o: ../../include/dict.h -dsn_filter.o: ../../include/msg.h -dsn_filter.o: ../../include/myflock.h -dsn_filter.o: ../../include/mymalloc.h -dsn_filter.o: ../../include/sys_defs.h -dsn_filter.o: ../../include/vbuf.h -dsn_filter.o: ../../include/vstream.h -dsn_filter.o: ../../include/vstring.h -dsn_filter.o: dsn.h -dsn_filter.o: dsn_util.h -dsn_filter.o: maps.h -dsn_filter.o: dsn_filter.c -dsn_filter.o: dsn_filter.h off_cvt.o: ../../include/msg.h off_cvt.o: ../../include/sys_defs.h off_cvt.o: ../../include/vbuf.h @@ -2087,6 +2087,7 @@ sent.o: defer.h sent.o: deliver_request.h sent.o: dsn.h sent.o: dsn_buf.h +sent.o: dsn_filter.h sent.o: dsn_mask.h sent.o: dsn_util.h sent.o: log_adhoc.h diff --git a/postfix/src/global/bounce.c b/postfix/src/global/bounce.c index 4e6a305f0..e246ce3ea 100644 --- a/postfix/src/global/bounce.c +++ b/postfix/src/global/bounce.c @@ -61,6 +61,20 @@ /* MSG_STATS *stats; /* RECIPIENT *rcpt; /* const char *relay; +/* +/* int bounce_one_intern(flags, queue, id, encoding, sender, envid, ret, +/* stats, recipient, relay, dsn) +/* int flags; +/* const char *queue; +/* const char *id; +/* const char *encoding; +/* const char *sender; +/* const char *dsn_envid; +/* int dsn_ret; +/* MSG_STATS *stats; +/* RECIPIENT *rcpt; +/* const char *relay; +/* DSN *dsn; /* DESCRIPTION /* This module implements the client interface to the message /* bounce service, which maintains a per-message log of status diff --git a/postfix/src/global/dsn_filter.c b/postfix/src/global/dsn_filter.c index ff5586a98..ed76c29ab 100644 --- a/postfix/src/global/dsn_filter.c +++ b/postfix/src/global/dsn_filter.c @@ -2,7 +2,7 @@ /* NAME /* dsn_filter 3 /* SUMMARY -/* filter DSN status or text +/* filter delivery status code or text /* SYNOPSIS /* #include /* 
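Review bot: The new SYNOPSIS entry for bounce_one_intern names its arguments `envid`, `ret` and `recipient` on the call line but declares them as `dsn_envid`, `dsn_ret` and `rcpt` on the lines below it, so the two halves of the prototype do not agree. The existing bounce_one entry above appears to carry the same drift (its declaration lines are visible as context, its call line is not), so this may be inherited style, but the newly written text is the place to get it right: `/* int bounce_one_intern(flags, queue, id, encoding, sender, dsn_envid, dsn_ret,` and `/* stats, rcpt, relay, dsn)`, or rename the declarations to match. The DESCRIPTION that follows does not say what distinguishes bounce_one_intern from bounce_one (the trailing DSN argument, judging by the prototype), which a one-sentence addition would cover.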
@@ -23,7 +23,7 @@ /* text) into replacement (success status code and text). Other /* DSN attributes are passed through without modification. /* -/* dsn_filter_create() instantiates a DSN filter. +/* dsn_filter_create() instantiates a delivery status filter. /* /* dsn_filter_lookup() queries the specified filter. The input /* DSN must be a success, bounce or defer DSN. If a match is @@ -34,7 +34,7 @@ /* overwritten upon each call. This function must not be /* called with the result from a dsn_filter_lookup() call. /* -/* dsn_free() destroys the specified DSN filter. +/* dsn_free() destroys the specified delivery status filter. /* /* Arguments: /* .IP title @@ -101,7 +101,7 @@ struct DSN_FILTER { */ #define STR(x) vstring_str(x) -/* dsn_filter_create - create bounce/defer NDR filter */ +/* dsn_filter_create - create delivery status filter */ DSN_FILTER *dsn_filter_create(const char *title, const char *map_names) { @@ -117,7 +117,7 @@ DSN_FILTER *dsn_filter_create(const char *title, const char *map_names) return (fp); } -/* dsn_filter_lookup - apply bounce/defer NDR filter */ +/* dsn_filter_lookup - apply delivery status filter */ DSN *dsn_filter_lookup(DSN_FILTER *fp, DSN *dsn) { @@ -147,7 +147,8 @@ DSN *dsn_filter_lookup(DSN_FILTER *fp, DSN *dsn) myname, dsn->status); /* - * Sanity check. A DSN filter must not be invoked with its own result. + * Sanity check. A delivery status filter must not be invoked with its + * own result. */ if (dsn->reason == fp->dsn.reason) msg_panic("%s: recursive call is not allowed", myname); @@ -177,7 +178,7 @@ DSN *dsn_filter_lookup(DSN_FILTER *fp, DSN *dsn) return (0); } -/* dsn_filter_free - destroy bounce/defer NDR filter */ +/* dsn_filter_free - destroy delivery status filter */ void dsn_filter_free(DSN_FILTER *fp) { diff --git a/postfix/src/global/dsn_filter.h b/postfix/src/global/dsn_filter.h index 43378dd96..f5e1378a6 100644 --- a/postfix/src/global/dsn_filter.h +++ b/postfix/src/global/dsn_filter.h 
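Review bot: The reworded line in the second hunk still reads `dsn_free() destroys the specified delivery status filter.`, but the function defined further down in this file is `dsn_filter_free` (see the `void dsn_filter_free(DSN_FILTER *fp)` context in the last hunk), so the man-page text points readers at a function that does not exist in this module. Since the commit already rewrites that line, it should be `/* dsn_filter_free() destroys the specified delivery status filter.`. The remaining wording changes in this file are consistent with each other.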
@@ -5,7 +5,7 @@ /* NAME /* dsn_filter 3h /* SUMMARY -/* bounce/defer DSN filter +/* delivery status filter /* SYNOPSIS /* #include /* DESCRIPTION diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index 5027990d1..b8cab5a57 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -3103,6 +3103,10 @@ extern char *var_tls_bug_tweaks; #define DEF_TLS_SSL_OPTIONS "" extern char *var_tls_ssl_options; +#define VAR_TLS_TKT_CIPHER "tls_session_ticket_cipher" +#define DEF_TLS_TKT_CIPHER "aes-128-cbc" +extern char *var_tls_tkt_cipher; + #define VAR_TLS_BC_PKEY_FPRINT "tls_legacy_public_key_fingerprints" #define DEF_TLS_BC_PKEY_FPRINT 0 extern bool var_tls_bc_pkey_fprint; @@ -3745,7 +3749,7 @@ extern char *var_sm_fix_eol; extern bool var_daemon_open_fatal; /* - * Optional DSN bounce/defer filter. + * Optional delivery status filter. */ #define VAR_DSN_FILTER "default_delivery_status_filter" #define DEF_DSN_FILTER "" diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 425bfbfe2..5aa05bd26 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20140321" +#define MAIL_RELEASE_DATE "20140406" #define MAIL_VERSION_NUMBER "2.12" #ifdef SNAPSHOT diff --git a/postfix/src/local/local.c b/postfix/src/local/local.c index c5ad9b9be..0da3b7025 100644 --- a/postfix/src/local/local.c +++ b/postfix/src/local/local.c @@ -669,7 +669,7 @@ int local_ext_prop_mask; int local_deliver_hdr_mask; int local_mbox_lock_mask; MAPS *alias_maps; -char *var_local_ndr_filter; +char *var_local_dsn_filter; /* local_deliver - deliver message with extreme prejudice */ 
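Review bot: The parameter name introduced here as `#define VAR_TLS_TKT_CIPHER "tls_session_ticket_cipher"` is spelled `tls_sesion_ticket_cipher` in this patch's HISTORY entry for 20140406, so a search of HISTORY for the real name will miss the feature; the HISTORY hunk is the place to correct it. The `DEF_TLS_TKT_CIPHER "aes-128-cbc"` default agrees with the postconf text added elsewhere in the patch, and the comment-only change to the delivery status filter block is fine.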
@@ -905,7 +905,7 @@ int main(int argc, char **argv) VAR_DELIVER_HDR, DEF_DELIVER_HDR, &var_deliver_hdr, 0, 0, VAR_MAILBOX_LOCK, DEF_MAILBOX_LOCK, &var_mailbox_lock, 1, 0, VAR_MAILBOX_CMD_MAPS, DEF_MAILBOX_CMD_MAPS, &var_mailbox_cmd_maps, 0, 0, - VAR_LOCAL_DSN_FILTER, DEF_LOCAL_DSN_FILTER, &var_local_ndr_filter, 0, 0, + VAR_LOCAL_DSN_FILTER, DEF_LOCAL_DSN_FILTER, &var_local_dsn_filter, 0, 0, 0, }; static const CONFIG_BOOL_TABLE bool_table[] = { @@ -945,6 +945,6 @@ int main(int argc, char **argv) MAIL_SERVER_PRE_ACCEPT, pre_accept, MAIL_SERVER_PRIVILEGED, MAIL_SERVER_BOUNCE_INIT, VAR_LOCAL_DSN_FILTER, - &var_local_ndr_filter, + &var_local_dsn_filter, 0); } diff --git a/postfix/src/pipe/pipe.c b/postfix/src/pipe/pipe.c index 4b6e96d14..d63aca845 100644 --- a/postfix/src/pipe/pipe.c +++ b/postfix/src/pipe/pipe.c @@ -548,7 +548,7 @@ int var_command_maxtime; /* You can now leave this here. */ /* * Other main.cf parameters. */ -char *var_pipe_ndr_filter; +char *var_pipe_dsn_filter; /* * For convenience. Instead of passing around lists of parameters, bundle @@ -1330,7 +1330,7 @@ int main(int argc, char **argv) 0, }; static const CONFIG_STR_TABLE str_table[] = { - VAR_PIPE_DSN_FILTER, DEF_PIPE_DSN_FILTER, &var_pipe_ndr_filter, 0, 0, + VAR_PIPE_DSN_FILTER, DEF_PIPE_DSN_FILTER, &var_pipe_dsn_filter, 0, 0, 0, }; @@ -1346,6 +1346,6 @@ int main(int argc, char **argv) MAIL_SERVER_PRE_ACCEPT, pre_accept, MAIL_SERVER_PRIVILEGED, MAIL_SERVER_BOUNCE_INIT, VAR_PIPE_DSN_FILTER, - &var_pipe_ndr_filter, + &var_pipe_dsn_filter, 0); } diff --git a/postfix/src/posttls-finger/posttls-finger.c b/postfix/src/posttls-finger/posttls-finger.c index 28aa5f1f1..c0c22b605 100644 --- a/postfix/src/posttls-finger/posttls-finger.c +++ b/postfix/src/posttls-finger/posttls-finger.c 
@@ -1411,7 +1411,7 @@ static int finger(STATE *state) if (cache_enabled && cache_count == 0) { msg_info("Server declined session caching. Done reconnecting."); state->reconnect = 0; - } else if (cache_hits > 0 && (state->log_mask & TLS_LOG_SESSTKT) != 0) { + } else if (cache_hits > 0 && (state->log_mask & TLS_LOG_CACHE) != 0) { msg_info("Found a previously used server. Done reconnecting."); state->reconnect = 0; } else if (state->max_reconnect-- <= 0) { diff --git a/postfix/src/smtp/lmtp_params.c b/postfix/src/smtp/lmtp_params.c index 250a2b34a..1861e5ba5 100644 --- a/postfix/src/smtp/lmtp_params.c +++ b/postfix/src/smtp/lmtp_params.c @@ -57,7 +57,7 @@ VAR_LMTP_RESP_FILTER, DEF_LMTP_RESP_FILTER, &var_smtp_resp_filter, 0, 0, VAR_LMTP_ADDR_PREF, DEF_LMTP_ADDR_PREF, &var_smtp_addr_pref, 1, 0, VAR_LMTP_DNS_RES_OPT, DEF_LMTP_DNS_RES_OPT, &var_smtp_dns_res_opt, 0, 0, - VAR_LMTP_DSN_FILTER, DEF_LMTP_DSN_FILTER, &var_smtp_ndr_filter, 0, 0, + VAR_LMTP_DSN_FILTER, DEF_LMTP_DSN_FILTER, &var_smtp_dsn_filter, 0, 0, 0, }; static const CONFIG_TIME_TABLE lmtp_time_table[] = { diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c index 41368636a..15ecda163 100644 --- a/postfix/src/smtp/smtp.c +++ b/postfix/src/smtp/smtp.c 
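Review bot: After the fix, the decision to stop reconnecting still depends on a logging bit, `(state->log_mask & TLS_LOG_CACHE) != 0`, so the same cache_hits value produces different reconnect behaviour depending on what the user asked to log, and nothing in the hunk explains the coupling. Presumably cache_hits is only maintained when TLS_LOG_CACHE logging is enabled (the counter is updated outside this hunk, so I cannot confirm), in which case a comment such as `/* cache_hits is only counted when TLS_LOG_CACHE logging is on */` above the branch would stop the next reader from "fixing" the condition. finger() begins and ends outside the hunk.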
@@ -55,20 +55,20 @@ /* LMTP DESTINATION SYNTAX /* .ad /* .fi -/* LMTP destinations have the following form: +/* LMTP destinations have the following form: /* .IP \fBunix\fR:\fIpathname\fR -/* Connect to the local UNIX-domain server that is bound to the specified -/* \fIpathname\fR. If the process runs chrooted, an absolute pathname -/* is interpreted relative to the Postfix queue directory. +/* Connect to the local UNIX-domain server that is bound to the specified +/* \fIpathname\fR. If the process runs chrooted, an absolute pathname +/* is interpreted relative to the Postfix queue directory. /* .IP \fBinet\fR:\fIhostname\fR /* .IP \fBinet\fR:\fIhostname\fR:\fIport\fR /* .IP \fBinet\fR:[\fIaddress\fR] /* .IP \fBinet\fR:[\fIaddress\fR]:\fIport\fR -/* Connect to the specified TCP port on the specified local or -/* remote host. If no port is specified, connect to the port defined as -/* \fBlmtp\fR in \fBservices\fR(4). -/* If no such service is found, the \fBlmtp_tcp_port\fR configuration -/* parameter (default value of 24) will be used. +/* Connect to the specified TCP port on the specified local or +/* remote host. If no port is specified, connect to the port defined as +/* \fBlmtp\fR in \fBservices\fR(4). +/* If no such service is found, the \fBlmtp_tcp_port\fR configuration +/* parameter (default value of 24) will be used. /* An IPv6 address must be formatted as [\fBipv6\fR:\fIaddress\fR]. /* .PP /* SECURITY @@ -219,7 +219,7 @@ /* default setting "no", send no SASL authoriZation ID (authzid); send /* only the SASL authentiCation ID (authcid) plus the authcid's password. /* .PP -/* Available in Postfix version 2.5 and later: +/* Available in Postfix version 2.5 and later: /* .IP "\fBsmtp_header_checks (empty)\fR" /* Restricted \fBheader_checks\fR(5) tables for the Postfix SMTP client. /* .IP "\fBsmtp_mime_header_checks (empty)\fR" 
@@ -882,7 +882,7 @@ char *var_smtp_dns_res_opt; char *var_smtp_dns_support; bool var_smtp_rec_deadline; bool var_smtp_dummy_mail_auth; -char *var_smtp_ndr_filter; +char *var_smtp_dsn_filter; /* Special handling of 535 AUTH errors. */ char *var_smtp_sasl_auth_cache_name; @@ -1279,6 +1279,6 @@ int main(int argc, char **argv) MAIL_SERVER_POST_INIT, post_init, MAIL_SERVER_PRE_ACCEPT, pre_accept, MAIL_SERVER_BOUNCE_INIT, VAR_SMTP_DSN_FILTER, - &var_smtp_ndr_filter, + &var_smtp_dsn_filter, 0); } diff --git a/postfix/src/smtp/smtp_params.c b/postfix/src/smtp/smtp_params.c index aecac56bd..807215dba 100644 --- a/postfix/src/smtp/smtp_params.c +++ b/postfix/src/smtp/smtp_params.c @@ -58,7 +58,7 @@ VAR_SMTP_RESP_FILTER, DEF_SMTP_RESP_FILTER, &var_smtp_resp_filter, 0, 0, VAR_SMTP_ADDR_PREF, DEF_SMTP_ADDR_PREF, &var_smtp_addr_pref, 1, 0, VAR_SMTP_DNS_RES_OPT, DEF_SMTP_DNS_RES_OPT, &var_smtp_dns_res_opt, 0, 0, - VAR_SMTP_DSN_FILTER, DEF_SMTP_DSN_FILTER, &var_smtp_ndr_filter, 0, 0, + VAR_SMTP_DSN_FILTER, DEF_SMTP_DSN_FILTER, &var_smtp_dsn_filter, 0, 0, 0, }; static const CONFIG_TIME_TABLE smtp_time_table[] = { diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c index fa0131307..d19bbde91 100644 --- a/postfix/src/smtpd/smtpd.c +++ b/postfix/src/smtpd/smtpd.c @@ -451,6 +451,10 @@ /* Available in Postfix version 2.11 and later: /* .IP "\fBtlsmgr_service_name (tlsmgr)\fR" /* The name of the \fBtlsmgr\fR(8) service entry in master.cf. +/* .PP +/* Available in Postfix version 2.12 and later: +/* .IP "\fBtls_session_ticket_cipher (aes-128-cbc)\fR" +/* Algorithm used to encrypt RFC5077 TLS session tickets. /* OBSOLETE STARTTLS CONTROLS /* .ad /* .fi diff --git a/postfix/src/tls/tls_misc.c b/postfix/src/tls/tls_misc.c index 65addd2ed..1791dce22 100644 --- a/postfix/src/tls/tls_misc.c +++ b/postfix/src/tls/tls_misc.c 
@@ -23,6 +23,7 @@
 /* bool var_tls_bc_pkey_fprint;
 /* bool var_tls_multi_wildcard;
 /* char *var_tls_mgr_service;
+/* char *var_tls_tkt_cipher;
 /*
 /* TLS_APPL_STATE *tls_alloc_app_context(ssl_ctx, log_mask)
 /* SSL_CTX *ssl_ctx;
@@ -231,6 +232,7 @@ bool var_tls_bc_pkey_fprint;
 bool var_tls_dane_taa_dgst;
 bool var_tls_multi_wildcard;
 char *var_tls_mgr_service;
+char *var_tls_tkt_cipher;
 
 #ifdef VAR_TLS_PREEMPT_CLIST
 bool var_tls_preempt_clist;
@@ -617,6 +619,7 @@ void tls_param_init(void)
 VAR_TLS_DANE_AGILITY, DEF_TLS_DANE_AGILITY, &var_tls_dane_agility, 1, 0,
 VAR_TLS_DANE_DIGESTS, DEF_TLS_DANE_DIGESTS, &var_tls_dane_digests, 1, 0,
 VAR_TLS_MGR_SERVICE, DEF_TLS_MGR_SERVICE, &var_tls_mgr_service, 1, 0,
+ VAR_TLS_TKT_CIPHER, DEF_TLS_TKT_CIPHER, &var_tls_tkt_cipher, 0, 0,
 0,
 };
 static const CONFIG_INT_TABLE int_table[] = {
diff --git a/postfix/src/tls/tls_scache.h b/postfix/src/tls/tls_scache.h
index fe6b40f85..06c727a67 100644
--- a/postfix/src/tls/tls_scache.h
+++ b/postfix/src/tls/tls_scache.h
@@ -31,8 +31,8 @@ typedef struct {
 
 #define TLS_TICKET_NAMELEN 16 /* RFC 5077 ticket key name length */
 #define TLS_TICKET_IVLEN 16 /* RFC 5077 ticket IV length */
-#define TLS_TICKET_KEYLEN 16 /* AES-128-CBC key size */
-#define TLS_TICKET_MACLEN 16 /* SHA-256 collision strength */
+#define TLS_TICKET_KEYLEN 32 /* AES-256-CBC key size */
+#define TLS_TICKET_MACLEN 32 /* RFC 5077 HMAC key size */
 #define TLS_SESSION_LIFEMIN 120 /* May you live to 120! */
 
 typedef struct TLS_TICKET_KEY {
diff --git a/postfix/src/tls/tls_server.c b/postfix/src/tls/tls_server.c
index 279ba376d..3a18cdc8e 100644
--- a/postfix/src/tls/tls_server.c
+++ b/postfix/src/tls/tls_server.c
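Review bot: Doubling TLS_TICKET_KEYLEN and TLS_TICKET_MACLEN changes the size of TLS_TICKET_KEY, whose definition begins at the last context line and continues outside the hunk; since ticket keys are obtained through tls_mgr_key() (visible in the tls_server.c hunk), this presumably also changes the key record exchanged with tlsmgr(8), so a mixed-version upgrade of smtpd and tlsmgr needs to be ruled out or handled — confirm against the tls_mgr protocol code. The new comment `/* AES-256-CBC key size */` reads as if AES-256 were the default, while DEF_TLS_TKT_CIPHER stays aes-128-cbc and tls_server_init() accepts any 16..32-byte key; `#define TLS_TICKET_KEYLEN 32 /* largest supported ticket cipher key (AES-256-CBC) */` states what the constant actually bounds. The tls_misc.c hunk registers the parameter with a zero minimum length, which matches the documented "empty disables tickets" behaviour.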
@@ -292,13 +292,13 @@ static int ticket_cb(SSL *con, unsigned char name[], unsigned char iv[],
 EVP_CIPHER_CTX * ctx, HMAC_CTX * hctx, int create)
 {
 static const EVP_MD *sha256;
- static const EVP_CIPHER *aes128;
+ static const EVP_CIPHER *ciph;
 TLS_TICKET_KEY *key;
 TLS_SESS_STATE *TLScontext = SSL_get_ex_data(con, TLScontext_index);
 int timeout = ((int) SSL_CTX_get_timeout(SSL_get_SSL_CTX(con))) / 2;
 
 if ((!sha256 && (sha256 = EVP_sha256()) == 0)
- || (!aes128 && (aes128 = EVP_aes_128_cbc()) == 0)
+ || (!ciph && (ciph = EVP_get_cipherbyname(var_tls_tkt_cipher)) == 0)
 || (key = tls_mgr_key(create ? 0 : name, timeout)) == 0
 || (create && RAND_bytes(iv, TLS_TICKET_IVLEN) <= 0))
 return (create ? TLS_TKT_NOKEYS : TLS_TKT_STALE);
@@ -306,13 +306,13 @@ static int ticket_cb(SSL *con, unsigned char name[], unsigned char iv[],
 HMAC_Init_ex(hctx, key->hmac, TLS_TICKET_MACLEN, sha256, NOENGINE);
 
 if (create) {
- EVP_EncryptInit_ex(ctx, aes128, NOENGINE, key->bits, iv);
+ EVP_EncryptInit_ex(ctx, ciph, NOENGINE, key->bits, iv);
 memcpy((char *) name, (char *) key->name, TLS_TICKET_NAMELEN);
 if (TLScontext->log_mask & TLS_LOG_CACHE)
 msg_info("%s: Issuing session ticket, key expiration: %ld",
 TLScontext->namaddr, (long) key->tout);
 } else {
- EVP_DecryptInit_ex(ctx, aes128, NOENGINE, key->bits, iv);
+ EVP_DecryptInit_ex(ctx, ciph, NOENGINE, key->bits, iv);
 if (TLScontext->log_mask & TLS_LOG_CACHE)
 msg_info("%s: Decrypting session ticket, key expiration: %ld",
 TLScontext->namaddr, (long) key->tout);
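Review bot: The cached `ciph` is looked up by name here with no check on the cipher, and the callback then hands `key->bits` to EVP_EncryptInit_ex()/EVP_DecryptInit_ex(), which consume EVP_CIPHER_key_length(ciph) bytes of it; that is only safe because tls_server_init() refuses to install ticket_cb unless the cipher is CBC with a TLS_TICKET_IVLEN-byte IV and a key of at most TLS_TICKET_KEYLEN bytes. Nothing in this function records that dependency, so a comment on the declaration is worth adding: `/* checked by tls_server_init() before ticket_cb is installed; key->bits is TLS_TICKET_KEYLEN bytes, the cipher uses its own key_length */`. ticket_cb's signature is the hunk header line and its body continues past the second hunk.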
@@ -457,7 +457,21 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
 */
 #ifdef SSL_OP_NO_TICKET
 #if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER >= 0x0090808fL
- ticketable = (scache_timeout > 0 && !(off & SSL_OP_NO_TICKET));
+ ticketable = (*var_tls_tkt_cipher && scache_timeout > 0
+ && !(off & SSL_OP_NO_TICKET));
+ if (ticketable) {
+ const EVP_CIPHER *ciph;
+
+ if ((ciph = EVP_get_cipherbyname(var_tls_tkt_cipher)) == 0
+ || EVP_CIPHER_mode(ciph) != EVP_CIPH_CBC_MODE
+ || EVP_CIPHER_iv_length(ciph) != TLS_TICKET_IVLEN
+ || EVP_CIPHER_key_length(ciph) < TLS_TICKET_IVLEN
+ || EVP_CIPHER_key_length(ciph) > TLS_TICKET_KEYLEN) {
+ msg_warn("%s: invalid value: %s; session tickets disabled",
+ VAR_TLS_TKT_CIPHER, var_tls_tkt_cipher);
+ ticketable = 0;
+ }
+ }
 if (ticketable)
 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx, ticket_cb);
 #endif
diff --git a/postfix/src/virtual/virtual.c b/postfix/src/virtual/virtual.c
index 337a99d09..6b56226da 100644
--- a/postfix/src/virtual/virtual.c
+++ b/postfix/src/virtual/virtual.c
@@ -340,7 +340,7 @@ char *var_virt_mailbox_lock;
 long var_virt_mailbox_limit;
 char *var_mail_spool_dir; /* XXX dependency fix */
 bool var_strict_mbox_owner;
-char *var_virt_ndr_filter;
+char *var_virt_dsn_filter;
 
 /*
 * Mappings.
@@ -517,7 +517,7 @@ int main(int argc, char **argv)
 VAR_VIRT_GID_MAPS, DEF_VIRT_GID_MAPS, &var_virt_gid_maps, 0, 0,
 VAR_VIRT_MAILBOX_BASE, DEF_VIRT_MAILBOX_BASE, &var_virt_mailbox_base, 1, 0,
 VAR_VIRT_MAILBOX_LOCK, DEF_VIRT_MAILBOX_LOCK, &var_virt_mailbox_lock, 1, 0,
- VAR_VIRT_DSN_FILTER, DEF_VIRT_DSN_FILTER, &var_virt_ndr_filter, 0, 0,
+ VAR_VIRT_DSN_FILTER, DEF_VIRT_DSN_FILTER, &var_virt_dsn_filter, 0, 0,
 0,
 };
 static const CONFIG_BOOL_TABLE bool_table[] = {
@@ -540,6 +540,6 @@ int main(int argc, char **argv)
 MAIL_SERVER_PRE_ACCEPT, pre_accept,
 MAIL_SERVER_PRIVILEGED,
 MAIL_SERVER_BOUNCE_INIT, VAR_VIRT_DSN_FILTER,
- &var_virt_ndr_filter,
+ &var_virt_dsn_filter,
 0);
 }
-- 
2.47.3
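Review bot: The minimum key-length test `EVP_CIPHER_key_length(ciph) < TLS_TICKET_IVLEN` reuses the IV-length constant for a quantity unrelated to IVs; it works because both happen to be 16 bytes, but a reader cannot tell whether the coincidence is intended or whether a future IV change should move the key minimum with it. A comment on that line, `|| EVP_CIPHER_key_length(ciph) < TLS_TICKET_IVLEN /* 128-bit minimum key */`, or a dedicated minimum-key-size constant, would make the rule explicit. The `EVP_CIPHER_iv_length(ciph) != TLS_TICKET_IVLEN` test in effect also rejects 64-bit-block CBC ciphers, which is worth stating in the comment that precedes `#ifdef SSL_OP_NO_TICKET` since that is the check a reviewer will look for. tls_server_init() begins and ends outside the hunk; the virtual.c hunks that follow are a rename only.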