From 84b6e12c120610bf6e917e8756daa916336ad322 Mon Sep 17 00:00:00 2001
From: Wietse Venema
Date: Wed, 25 Apr 2012 00:00:00 -0500
Subject: [PATCH] postfix-2.10-20120425
---
 postfix/HISTORY | 6 +++++
 postfix/RELEASE_NOTES | 37 +++++++++++++++++++++++++++++++
 postfix/html/lmtp.8.html | 2 +-
 postfix/html/smtp.8.html | 2 +-
 postfix/html/smtpd.8.html | 2 +-
 postfix/man/man8/smtp.8 | 2 +-
 postfix/man/man8/smtpd.8 | 2 +-
 postfix/src/global/mail_version.h | 2 +-
 postfix/src/smtp/smtp.c | 2 +-
 postfix/src/smtpd/smtpd.c | 2 +-
 postfix/src/tls/tls.h | 4 ++++
 postfix/src/tls/tls_client.c | 4 ----
 postfix/src/tls/tls_server.c | 4 ----
 13 files changed, 55 insertions(+), 16 deletions(-)
diff --git a/postfix/HISTORY b/postfix/HISTORY
index fea7b1d5b..bcbe233dd 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -17732,3 +17732,9 @@ Apologies for any names omitted.
 a patch by Victor Duchovni. Files: proto/TLS_README.html, proto/postconf.proto, tls/tls.h, tls/tls_misc.c, tls/tls_client.c, tls/tls_server.c.
+
+20120425
+
+ Workaround: bugs in 10-year old gcc versions break compilation
+ with #ifdef inside a macro invocation (NOT: definition).
+ Files: tls/tls.h, tls/tls_client.c, tls/tls_server.c.
diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES
index dea294e29..096b2d08a 100644
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@@ -14,6 +14,43 @@ specifies the release date of a stable release or snapshot release.
 If you upgrade from Postfix 2.8 or earlier, read RELEASE_NOTES-2.9 before proceeding.
+Major changes with snapshot 20120422
+====================================
+
+This release adds support to turn off the TLSv1.1 and TLSv1.2
+protocols. Introduced with OpenSSL version 1.0.1, these are known
+to cause inter-operability problems with for example hotmail.
+
+The radical workaround is to temporarily turn off problematic
+protocols globally:
+
+/etc/postfix/main.cf:
+ smtp_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
+ smtp_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
+
+ smtpd_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
+ smtpd_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
+
+However, it may be better to temporarily turn off problematic
+protocols for broken sites only:
+
+/etc/postfix/main.cf:
+ smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
+
+/etc/postfix/tls_policy:
+ example.com may protocols=!SSLv2:!TLSv1.1:!TLSv1.2
+
+Important:
+
+- Note the use of ":" instead of comma or space. Also, note that
+ there is NO space around the "=" in "protocols=".
+
+- The smtp_tls_policy_maps lookup key must match the "next-hop"
+ destination that is given to the Postfix SMTP client. If you
+ override the next-hop destination with transport_maps, relayhost,
+ sender_dependent_relayhost_maps, or otherwise, you need to specify
+ the same destination for the smtp_tls_policy_maps lookup key.
+
 Major changes with snapshot 20120306 ====================================
diff --git a/postfix/html/lmtp.8.html b/postfix/html/lmtp.8.html
index 67090be43..a72db682a 100644
--- a/postfix/html/lmtp.8.html
+++ b/postfix/html/lmtp.8.html
@@ -477,7 +477,7 @@ SMTP(8) SMTP(8)
 non-empty value is specified, this overrides the obsolete smtp_tls_per_site parameter.
- smtp_tls_mandatory_protocols (SSLv3, TLSv1)
+ smtp_tls_mandatory_protocols (!SSLv2)
 List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption.
diff --git a/postfix/html/smtp.8.html b/postfix/html/smtp.8.html
index 67090be43..a72db682a 100644
--- a/postfix/html/smtp.8.html
+++ b/postfix/html/smtp.8.html
@@ -477,7 +477,7 @@ SMTP(8) SMTP(8)
 non-empty value is specified, this overrides the obsolete smtp_tls_per_site parameter.
- smtp_tls_mandatory_protocols (SSLv3, TLSv1)
+ smtp_tls_mandatory_protocols (!SSLv2)
 List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption.
diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html
index 0165c2d1e..f814378bc 100644
--- a/postfix/html/smtpd.8.html
+++ b/postfix/html/smtpd.8.html
@@ -473,7 +473,7 @@ SMTPD(8) SMTPD(8)
 exclude from the Postfix SMTP server cipher list at mandatory TLS security levels.
- smtpd_tls_mandatory_protocols (SSLv3, TLSv1)
+ smtpd_tls_mandatory_protocols (!SSLv2)
 The SSL/TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption.
diff --git a/postfix/man/man8/smtp.8 b/postfix/man/man8/smtp.8
index 354ceb57c..793d79b0e 100644
--- a/postfix/man/man8/smtp.8
+++ b/postfix/man/man8/smtp.8
@@ -398,7 +398,7 @@ when TLS is not already enabled for that server.
 Optional lookup tables with the Postfix SMTP client TLS security policy by next-hop destination; when a non-empty value is specified, this overrides the obsolete smtp_tls_per_site parameter.
-.IP "\fBsmtp_tls_mandatory_protocols (SSLv3, TLSv1)\fR"
+.IP "\fBsmtp_tls_mandatory_protocols (!SSLv2)\fR"
 List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption.
 .IP "\fBsmtp_tls_scert_verifydepth (9)\fR"
diff --git a/postfix/man/man8/smtpd.8 b/postfix/man/man8/smtpd.8
index d9f294009..b4e311a15 100644
--- a/postfix/man/man8/smtpd.8
+++ b/postfix/man/man8/smtpd.8
@@ -399,7 +399,7 @@ use with mandatory TLS encryption.
 .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR"
 Additional list of ciphers or cipher types to exclude from the Postfix SMTP server cipher list at mandatory TLS security levels.
-.IP "\fBsmtpd_tls_mandatory_protocols (SSLv3, TLSv1)\fR"
+.IP "\fBsmtpd_tls_mandatory_protocols (!SSLv2)\fR"
 The SSL/TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption.
 .IP "\fBsmtpd_tls_received_header (no)\fR"
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 60d100f97..a57108141 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
 * Patches change both the patchlevel and the release date. Snapshots have no
 * patchlevel; they change the release date only.
 */
-#define MAIL_RELEASE_DATE "20120423"
+#define MAIL_RELEASE_DATE "20120425"
 #define MAIL_VERSION_NUMBER "2.10"
 #ifdef SNAPSHOT
diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c
index a13cd2eef..e42282f9f 100644
--- a/postfix/src/smtp/smtp.c
+++ b/postfix/src/smtp/smtp.c
@@ -368,7 +368,7 @@
 /* Optional lookup tables with the Postfix SMTP client TLS security
 /* policy by next-hop destination; when a non-empty value is specified,
 /* this overrides the obsolete smtp_tls_per_site parameter.
-/* .IP "\fBsmtp_tls_mandatory_protocols (SSLv3, TLSv1)\fR"
+/* .IP "\fBsmtp_tls_mandatory_protocols (!SSLv2)\fR"
 /* List of SSL/TLS protocols that the Postfix SMTP client will use with
 /* mandatory TLS encryption.
 /* .IP "\fBsmtp_tls_scert_verifydepth (9)\fR"
diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c
index c0f7aa93d..6651424b4 100644
--- a/postfix/src/smtpd/smtpd.c
+++ b/postfix/src/smtpd/smtpd.c
@@ -367,7 +367,7 @@
 /* .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR"
 /* Additional list of ciphers or cipher types to exclude from the
 /* Postfix SMTP server cipher list at mandatory TLS security levels.
-/* .IP "\fBsmtpd_tls_mandatory_protocols (SSLv3, TLSv1)\fR"
+/* .IP "\fBsmtpd_tls_mandatory_protocols (!SSLv2)\fR"
 /* The SSL/TLS protocols accepted by the Postfix SMTP server with
 /* mandatory TLS encryption.
 /* .IP "\fBsmtpd_tls_received_header (no)\fR"
diff --git a/postfix/src/tls/tls.h b/postfix/src/tls/tls.h
index e121c94dd..66972c509 100644
--- a/postfix/src/tls/tls.h
+++ b/postfix/src/tls/tls.h
@@ -177,11 +177,15 @@ extern void tls_param_init(void);
 #define TLS_PROTOCOL_TLSv1_1 (1<<3) /* TLSv1_1 */
 #else
 #define TLS_PROTOCOL_TLSv1_1 0 /* Unknown */
+#undef SSL_OP_NO_TLSv1_1
+#define SSL_OP_NO_TLSv1_1 0L /* Noop */
 #endif
 #ifdef SSL_TXT_TLSV1_2
 #define TLS_PROTOCOL_TLSv1_2 (1<<4) /* TLSv1_2 */
 #else
 #define TLS_PROTOCOL_TLSv1_2 0 /* Unknown */
+#undef SSL_OP_NO_TLSv1_2
+#define SSL_OP_NO_TLSv1_2 0L /* Noop */
 #endif
 #define TLS_KNOWN_PROTOCOLS \
 ( TLS_PROTOCOL_SSLv2 | TLS_PROTOCOL_SSLv3 | TLS_PROTOCOL_TLSv1 \
diff --git a/postfix/src/tls/tls_client.c b/postfix/src/tls/tls_client.c
index b75bca5b5..18c08cf47 100644
--- a/postfix/src/tls/tls_client.c
+++ b/postfix/src/tls/tls_client.c
@@ -859,12 +859,8 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props)
 if (protomask != 0)
 SSL_set_options(TLScontext->con,
 ((protomask & TLS_PROTOCOL_TLSv1) ? SSL_OP_NO_TLSv1 : 0L)
-#ifdef SSL_OP_NO_TLSv1_1
 | ((protomask & TLS_PROTOCOL_TLSv1_1) ? SSL_OP_NO_TLSv1_1 : 0L)
-#endif
-#ifdef SSL_OP_NO_TLSv1_2
 | ((protomask & TLS_PROTOCOL_TLSv1_2) ? SSL_OP_NO_TLSv1_2 : 0L)
-#endif
 | ((protomask & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L)
 | ((protomask & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L));
diff --git a/postfix/src/tls/tls_server.c b/postfix/src/tls/tls_server.c
index 245722216..73e58c08d 100644
--- a/postfix/src/tls/tls_server.c
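Review bot: The added `#undef SSL_OP_NO_TLSv1_1` / `#define SSL_OP_NO_TLSv1_1 0L` (and the TLSv1_2 pair below it) redefines an OpenSSL macro from a Postfix header, and does so on the absence of `SSL_TXT_TLSV1_1` rather than on the absence of the option macro itself. If any OpenSSL build provides `SSL_OP_NO_TLSv1_1` without `SSL_TXT_TLSV1_1`, the `#undef` silently turns the real option bit into a no-op for every translation unit that includes tls.h; the guarded form `#ifndef SSL_OP_NO_TLSv1_1` / `#define SSL_OP_NO_TLSv1_1 0L` / `#endif` never clobbers a library definition and still lets callers use the name unconditionally. The header also does not say why the fallback exists, so a comment such as `/* Lets callers use SSL_OP_NO_TLSv1_1 without #ifdef: some old gcc versions cannot compile #ifdef inside a macro invocation */` would keep the HISTORY rationale next to the code. The `#ifdef SSL_TXT_TLSV1_1` that opens this `#else` branch lies above the hunk.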
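Review bot: The `SSL_OP_NO_TLSv1_1` and `SSL_OP_NO_TLSv1_2` terms in the `SSL_set_options` call now compile only because tls.h defines them as `0L` when OpenSSL lacks them, and nothing at the call site records that dependency. A comment above the call, `/* SSL_OP_NO_TLSv1_{1,2} come from tls.h as 0L no-ops on OpenSSL without TLSv1.1/1.2 */`, would stop a later reader from reinstating the `#ifdef`s or assuming the code needs OpenSSL 1.0.1. When that fallback is active `TLS_PROTOCOL_TLSv1_1` is also defined as 0, so `protomask & TLS_PROTOCOL_TLSv1_1` is always 0 and the term evaluates to `0L` whatever the option value is. The same applies to the `SSL_CTX_set_options` call in the tls_server.c hunk. `tls_client_start` begins before this hunk and, judging by the hunk header, continues after it.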
+++ b/postfix/src/tls/tls_server.c
@@ -403,12 +403,8 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
 if (protomask != 0)
 SSL_CTX_set_options(server_ctx,
 ((protomask & TLS_PROTOCOL_TLSv1) ? SSL_OP_NO_TLSv1 : 0L)
-#ifdef SSL_OP_NO_TLSv1_1
 | ((protomask & TLS_PROTOCOL_TLSv1_1) ? SSL_OP_NO_TLSv1_1 : 0L)
-#endif
-#ifdef SSL_OP_NO_TLSv1_2
 | ((protomask & TLS_PROTOCOL_TLSv1_2) ? SSL_OP_NO_TLSv1_2 : 0L)
-#endif
 | ((protomask & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L)
 | ((protomask & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L));
-- 
2.47.3