or whether the connection is reused ("TLS connection reused").
Files: smtp/smtp.h, smtp/smtp_proto.c, smtp/smtp_session.c.
+ (20181117-nonprod) Unified summary logging in the SMTP
+ client, SMTP server, and posttls-finger. Viktor Dukhovni.
+ Files: tls/tls.h, tls/tls_misc.c, tls/tls_proxy.h,
+ tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c,
+ tls/tls_client.c, src/tls/tls_server.c, smtpd/smtpd.c,
+ posttls-finger/posttls-finger.c.
+
+ (20181117-nonprod) Improved logging of TLS 1.3 summary
+ information. On the server side this also affects the TLS
+ information optionally recorded in "Received" headers.
+ Viktor Dukhovni. Files: smtpd/smtpd.c, tls/tls.h,
+ tls/tls_client.c, tls/tls_misc.c, tls/tls_proxy.h,
+ tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c,
+ tls/tls_server.c.
+
+ (20181117-nonprod) FORWARD_SECRECY examples with TLS 1.3
+ logging. Viktor Dukhovni. File: proto/FORWARD_SECRECY_README.html.
+
20181118
Cleanup, no behavior change: updated comments concerning
message to the postscreen_pre_queue_limit. Problem reported
by Michael Orlitzky. File: proto/POSTSCREEN_README.html.
- Compatibility: removed support for OpenSSL 1.0.1 and earlier.
+ (20181226-nonprod) Compatibility: removed support for OpenSSL
+ 1.0.1 (not supported since December 31, 2016) and earlier
+ releases. This eliminated a large number of #ifdefs with
+ bitrot workarounds. Viktor Dukhovni. Files: global/mail_params.h,
+ posttls-finger/posttls-finger.c, tls/tls.h, tls/tls_certkey.c,
+ tls/tls_client.c, tls/tls_dane.c, tls/tls_dh.c, tls/tls_misc.c,
+ tls/tls_proxy_client_scan.c, tls/tls_rsa.c, tls/tls_server.c,
+ tls/tls_session.c.
- Feature: TLS support for client-side and server-side SNI
- in the Postfix SMTP server, SMTP client, and tlsproxy.
+ (20181226-nonprod) Use the OpenSSL 1.0.2 and later API for
+ setting ECDHE curves. Viktor Dukhovni. Files: tls/tls.h,
+ tls/tls_client.c, tls/tls_dh.c.
+
+ (20181226-nonprod) Documentation update for TLS support.
+ Viktor Dukhovni. Files: mantools/postlink, proto/TLS_README.html,
+ proto/postconf.proto, src/sendmail/sendmail.c, src/smtpd/smtpd.c.
20181229
dict_open.c, and updated the -F description in the postmap
manpage. Files: util/dict_open.c, postmap/postmap.c.
+ (20190106-nonprod) Feature: support for files that combine
+ multiple (key, certificate, trust chain) instances in one
+ file, to avoid separate files for RSA, DSA, Elliptic Curve,
+ and so on. Viktor Dukhovni. Files: .indent.pro,
+ global/mail_params.h, posttls-finger/posttls-finger.c,
+ smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp_params.c,
+ smtp/smtp_proto.c, smtpd/smtpd.c, tls/tls.h, tls/tls_certkey.c,
+ tls/tls_client.c, tls/tls_proxy.h, tls/tls_proxy_client_print.c,
+ tls/tls_proxy_client_scan.c, tls/tls_proxy_server_print.c,
+ tls/tls_proxy_server_scan.c, tls/tls_server.c, tlsproxy/tlsproxy.c.
+
+ (20190106-nonprod) Create a second, no-key no-cert, SSL_CTX
+ for use with SNI. Viktor Dukhovni. Files: src/tls/tls.h,
+ src/tls/tls_client.c, src/tls/tls_misc.c, src/tls/tls_server.c.
+
+ (20190106-nonprod) Server-side SNI support. Viktor Dukhovni.
+ Files: src/global/mail_params.h, src/smtp/smtp.c,
+ src/smtpd/smtpd.c, src/tls/tls.h, src/tls/tls_certkey.c,
+ src/tls/tls_misc.c, src/tlsproxy/tlsproxy.c,
+
+ (20190106-nonprod) Configurable client-side SNI signal.
+ Viktor Dukhovni. Files: global/mail_params.h,
+ posttls-finger/posttls-finger.c, smtp/lmtp_params.c,
+ smtp/smtp.c, smtp/smtp.h, smtp/smtp_params.c, smtp/smtp_proto.c,
+ smtp/smtp_tls_policy.c, tls/tls.h, tls/tls_client.c,
+ tls/tls_proxy.h, tls/tls_proxy_client_print.c,
+ tls/tls_proxy_client_scan.c.
+
20190121
Logging: support for internal logging file, without using
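Review bot: the Files list of the "(20190106-nonprod) Server-side SNI support" entry ends with a trailing comma after src/tlsproxy/tlsproxy.c and no terminating period, so it reads as cut off. The same block also mixes "src/"-prefixed paths (src/tls/tls.h, src/tls/tls_misc.c) with the bare form (tls/tls.h, tls/tls_client.c) that the neighbouring HISTORY entries use; suggest dropping the "src/" prefix throughout and closing the list with a period.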
util/msg_output.h, util/unix_dgram_connect.c,
util/unix_dgram_listen.c.
- Safety: temporary postlogd fix to avoid recursion when main.cf
- has "maillog_file =" but master(8) still still tells its child
- processes to send logs to postlogd. File: postlogd/postlogd.c.
+ Cleanup: cert/key/chain loading, plus unit tests to exercise
+ non-error and error cases. Viktor Dukhovni. Files: tls/*.pem,
+ tls*.pem.ref, tls/tls_certkey.c.
20190126
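Review bot: in the "Cleanup: cert/key/chain loading" entry, "tls*.pem.ref" looks like a typo for "tls/*.pem.ref" (compare the "tls/*.pem" that precedes it in the same Files list).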
20190129
Safety: require that $maillog_file matches one of the
- pathname prefixes specified in $maillog_file_prefixes. The
+ pathname prefixes specified in $maillog_file_prefixes. The
maillog file is created by root, and the prefixes limit the
damage from a single configuration error. Files:
global/mail_params.[hc], global/maillog_client.c.
+
+20191201
+
+ Feature: "postfix logrotate" command with configurable
+ compression program and datestamp filename suffix. File:
+ conf/postfix-script.
+
+20190202
+
+ Cleanup: log a warning when the client sends a malformed
+ SNI; log an info message when the client sends a valid SNI
+ that does not match the SNI lookup tables; update the
+ FORWARD_SECRECY_README logging examples. Viktor Dukhovni.
+ Files: proto/FORWARD_SECRECY_README.html, tls/tls.h,
+ tls/tls_client.c, tls/tls_misc.c.
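Review bot: the new date header reads "20191201", which is out of sequence between the 20190129 and 20190202 entries and should almost certainly be 20190201. Separately, the removed and re-added "pathname prefixes specified in $maillog_file_prefixes" line differ only in whitespace, which is noise in the patch; if it was not intended, drop that change.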
TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
server-signature ED25519
+Note that Postfix >= 3.4 server logging may also include a "to sni-name"
+element to record the use of an alternate server certificate chain for the
+connection in question. This happens when the client uses the TLS SNI
+extension, and the server selects a non-default certificate chain based on the
+client's SNI value:
+
+ postfix/smtpd[process-id]:
+ Untrusted TLS connection established from client.example[192.0.2.1]
+ to server.example: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256
+ bits)
+ key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
+ SHA256
+ client-signature ECDSA (P-256) client-digest SHA256
+
W\bWh\bha\bat\bt d\bdo\bo "\b"A\bAn\bno\bon\bny\bym\bmo\bou\bus\bs"\b",\b, "\b"U\bUn\bnt\btr\bru\bus\bst\bte\bed\bd"\b",\b, e\bet\btc\bc.\b. i\bin\bn P\bPo\bos\bst\btf\bfi\bix\bx l\blo\bog\bgg\bgi\bin\bng\bg m\bme\bea\ban\bn?\b?
The verification levels below are subject to man-in-the-middle attacks to
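Review bot: the generated text rendering wraps the example log record so that "bits)" and "SHA256" land alone on their own lines, which misrepresents the real output (one line per summary record) and makes the example hard to compare against a log. The corresponding <pre> lines in the HTML source are longer than the text formatter's width; re-breaking them there (for example giving each of key-exchange, server-signature and server-digest its own line, as the client-signature line already has) would keep both renderings readable.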
the software under the license of their choice. Those who are more
comfortable with the IPL can continue with that license.
-Major changes with snapshot 20190127
-====================================
-
-[TODO: summary of SNI and chain-file support]
-
Incompatible changes with snapshot 20190126-nonprod
====================================================
This introduces a new master.cf service type 'unix-dgram' that is
used by the new postlogd(8) daemon. This type is not supported by
-older Postfix versions. Before backing out to an older release,
+older Postfix versions. Before backing out to an older version,
edit the master.cf file and remove the postlog entry.
Major changes with snapshot 20190126-nonprod
============================================
-Support for logging to file or stdout. This disables syslog logging.
+[TODO: move most of this text to MAILLOG_README file]
-- Logging to file solves a usability problem for MacOS users, and
- may also be useful on LINUX when systemd is getting in the way.
+Support for logging to file or stdout, instead of using syslog.
+
+- Logging to file solves a usability problem for MacOS, and
+ eliminates multiple problems with systemd-based systems.
- Logging to stdout is useful when Postfix runs in a container, as
it eliminates a syslogd dependency.
To enable Postfix logging to file or stdout:
--------------------------------------------
-Add the following line to master.cf if not already present (no
-whitespace at the start of the line):
+Add the following line to master.cf if not already present (note:
+there must be no whitespace at the start of the line):
postlog unix-dgram n - n - 1 postlogd
To write logs to Postfix logfile (see below for logfile rotation):
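Review bot: the added "[TODO: move most of this text to MAILLOG_README file]" marker is now part of the shipped RELEASE_NOTES text. If the move is not going to happen before this snapshot is published, the marker should be dropped; if it is, the logging-to-file instructions below it should be replaced by a pointer to that README rather than duplicated.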
# postconf maillog_file=/dev/stdout
# postfix start-fg
-The maillog_file parameter must contain a prefix that is specified
-with the maillog_file_prefixes parameter (default: /var, /dev/stdout).
-This limits the damage from a single configuration mistake.
+The maillog_file parameter must contain one of the prefixes that
+are specified with the maillog_file_prefixes parameter (default:
+/var, /dev/stdout). This limits the damage from a single configuration
+mistake.
To rotate a Postfix logfile with a daily cronjob:
-------------------------------------------------
executable file has set-gid permission. Do not set this permision
on programs other than postdrop(1) and postqueue(1).
+Incompatible changes with snapshot 20190106
+===========================================
+
+Postfix 3.4 drops support for OpenSSL 1.0.1 (end-of-life December
+31, 2016) and earlier releases.
+
+Major changes with snapshot 20190106
+====================================
+
+SNI support in the Postfix SMTP server, the Postfix SMTP client,
+and in the tlsproxy daemon (both server and client roles).
+
+Support for files that combine multiple (key, certificate, trust
+chain) instances. This was required to implement server-side SNI
+table lookups, but it also eliminates the need for separate cert/key
+files for RSA, DSA, Elliptic Curve, and so on. The file format is
+documented in TLS_README sections [TODO] and in the postconf
+documentation for parameters [TODO].
+
Major changes with snapshot 20180826
====================================
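Review bot: the new "Major changes with snapshot 20190106" section leaves "[TODO]" placeholders for the TLS_README section names and the postconf parameter names that document the combined key/certificate/chain file format. These are the only pointers a reader has to the file format, so they should be filled in before the snapshot ships; at minimum name the parameters, since the HISTORY entries for the same change list the files but not the parameter names either.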
/dev/*) $FATAL "not rotating '$maillog_file'"; exit 1;;
esac
- (
- suffix="`date +$maillog_file_rotate_suffix`" || exit 1
+ errors=`(
+ suffix="\`date +$maillog_file_rotate_suffix\`" || exit 1
mv "$maillog_file" "$maillog_file.$suffix" || exit 1
$daemon_directory/master -t 2>/dev/null ||
- kill -HUP `sed 1q pid/master.pid`
+ kill -HUP \`sed 1q pid/master.pid\` || exit 1
sleep 1
"$maillog_file_compressor" "$maillog_file.$suffix" || exit 1
- ) || {
- $FATAL "logfile '$maillog_file' rotation failed"
+ ) 2>&1` || {
+ $FATAL "logfile '$maillog_file' rotation failed: $errors"
exit 1
}
;;
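Review bot: the "|| exit 1" after "kill -HUP" is a real fix: before it, a failed kill did not abort the subshell, so the compressor ran against a file that the daemons were still writing to because master never told them to reopen the log. Note the ordering though: when that failure is reported, "$maillog_file" has already been renamed, so the daemons keep writing to the rotated name until master reopens the log; the fatal message should say that so an operator knows how to recover. With "2>&1" the captured "$errors" collects the stderr of mv, kill and the compressor together and is passed to $FATAL as a single argument, so a multi-line compressor diagnostic is folded into one log record; keeping the first line, or logging the captured text as a separate message, would keep the fatal line readable. The nested escaped backquotes are hard to maintain; "$(...)" is clearer unless the script still has to run on a pre-POSIX /bin/sh.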
</pre>
</blockquote>
+<p> Note that Postfix ≥ 3.4 server logging may also include a
+"to <i>sni-name</i>" element to record the use of an alternate
+server certificate chain for the connection in question. This happens
+when the client uses the TLS SNI extension, and the server selects
+a non-default certificate chain based on the client's SNI value:
+</p>
+
+<blockquote>
+<pre>
+postfix/smtpd[<i>process-id</i>]:
+ Untrusted TLS connection established from client.example[192.0.2.1]
+ to server.example: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
+ key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
+ client-signature ECDSA (P-256) client-digest SHA256
+</pre>
+</blockquote>
+
<h2><a name="status"> What do "Anonymous", "Untrusted", etc. in
Postfix logging mean? </a> </h2>
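Review bot: the prose says the "to sni-name" element records the selection of an alternate, non-default certificate chain, but the server code in this patch stores peer_sni whenever the SNI lookup succeeds, and the new server-side SNI table documentation in this same patch recommends listing the default domains in the lookup tables. For clients that send one of those names the element will appear even though the default chain was selected, so it is more accurate to describe it as the SNI name that the server matched in its lookup tables. The example <pre> lines also run well past 72 columns, which is what breaks the generated text rendering of this README.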
cesses terminate at their convenience.
<b>-i</b> Enable <b>init</b> mode: do not become a session or process group
- leader; similar to <b>-s</b>, do not redirect stdout to /dev/null, so
- that "<a href="postconf.5.html#maillog_file">maillog_file</a> = /dev/stdout" works. This mode is allowed
- only if the process ID equals 1.
+ leader; and similar to <b>-s</b>, do not redirect stdout to /dev/null,
+ so that "<a href="postconf.5.html#maillog_file">maillog_file</a> = /dev/stdout" works. This mode is
+ allowed only if the process ID equals 1.
+
+ This feature is available in Postfix 3.3 and later.
<b>-s</b> Do not redirect stdout to /dev/null, so that "<a href="postconf.5.html#maillog_file">maillog_file</a> =
/dev/stdout" works.
+ This feature is available in Postfix 3.4 and later.
+
<b>-t</b> Test mode. Return a zero exit status when the <b>master.pid</b> lock
file does not exist or when that file is not locked. This is
evidence that the <a href="master.8.html"><b>master</b>(8)</a> daemon is not running.
versions of Postfix ≥ 2.10 can explicitly disable support for
"TLSv1.1" or "TLSv1.2". </p>
-<p> OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix ≥ 3.4,
+<p> OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix
+≥ 3.4 (or patch releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2)
this can be disabled, if need be, via "!TLSv1.3". </p>
<p> At the <a href="TLS_README.html#client_tls_dane">dane</a> and
versions of Postfix ≥ 2.10 can explicitly disable support for
"TLSv1.1" or "TLSv1.2"</p>
-<p> OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix ≥ 3.4,
+<p> OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix
+≥ 3.4 (or patch releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2)
this can be disabled, if need be, via "!TLSv1.3". </p>
<p> To include a protocol list its name, to exclude it, prefix the name
versions of Postfix ≥ 2.10 can disable support for "TLSv1.1" or
"TLSv1.2". </p>
-<p> OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix ≥ 3.4,
+<p> OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix
+≥ 3.4 (or patch releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2)
this can be disabled, if need be, via "!TLSv1.3". </p>
<p> Example: </p>
versions of Postfix ≥ 2.10 can disable support for "TLSv1.1" or
"TLSv1.2". </p>
-<p> OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix ≥ 3.4,
+<p> OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix
+≥ 3.4 (or patch releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2)
this can be disabled, if need be, via "!TLSv1.3". </p>
<p> To include a protocol list its name, to exclude it, prefix the name
domains, the lookup key must be in IDNA 2008 A-label form (as
required in the TLS SNI extension). </p>
+<p> When this parameter is non-empty, the Postfix SMTP server enables
+SNI extension processing, and logs SNI values that are invalid or
+don't match an entry in the the specified tables. When an entry
+does match, the SNI name is logged as part of the connection summary
+at log levels 1 and higher. </p>
+
+<p> Note that the SNI lookup tables should also have entries for
+the domains that correspond to the Postfix SMTP server's default
+certificate(s). This ensures that the remote SMTP client's TLS SNI
+extension gets a positive response when it specifies one of the
+Postfix SMTP server's <a href="ADDRESS_CLASS_README.html#default_domain_class">default domains</a>, and ensures that the Postfix
+SMTP server will not log an SNI name mismatch for such a domain.
+The Postfix SMTP server's default certificates are then only used
+when the client sends no SNI or when it sends SNI with a domain
+that the server knows no certificate(s) for. </p>
+
<p> The mapping from an SNI domain name to a certificate chain is
typically indirect. In the input source files for "cdb", "hash",
"btree" or other tables that are converted to on-disk indexed files
versions of Postfix >= 2.10 can explicitly disable support for
"TLSv1.1" or "TLSv1.2".
.PP
-OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix >= 3.4,
+OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix
+>= 3.4 (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2)
this can be disabled, if need be, via "!TLSv1.3".
.PP
At the dane and
versions of Postfix >= 2.10 can explicitly disable support for
"TLSv1.1" or "TLSv1.2"
.PP
-OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix >= 3.4,
+OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix
+>= 3.4 (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2)
this can be disabled, if need be, via "!TLSv1.3".
.PP
To include a protocol list its name, to exclude it, prefix the name
versions of Postfix >= 2.10 can disable support for "TLSv1.1" or
"TLSv1.2".
.PP
-OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix >= 3.4,
+OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix
+>= 3.4 (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2)
this can be disabled, if need be, via "!TLSv1.3".
.PP
Example:
versions of Postfix >= 2.10 can disable support for "TLSv1.1" or
"TLSv1.2".
.PP
-OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix >= 3.4,
+OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix
+>= 3.4 (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2)
this can be disabled, if need be, via "!TLSv1.3".
.PP
To include a protocol list its name, to exclude it, prefix the name
domains, the lookup key must be in IDNA 2008 A\-label form (as
required in the TLS SNI extension).
.PP
+When this parameter is non\-empty, the Postfix SMTP server enables
+SNI extension processing, and logs SNI values that are invalid or
+don't match an entry in the the specified tables. When an entry
+does match, the SNI name is logged as part of the connection summary
+at log levels 1 and higher.
+.PP
+Note that the SNI lookup tables should also have entries for
+the domains that correspond to the Postfix SMTP server's default
+certificate(s). This ensures that the remote SMTP client's TLS SNI
+extension gets a positive response when it specifies one of the
+Postfix SMTP server's default domains, and ensures that the Postfix
+SMTP server will not log an SNI name mismatch for such a domain.
+The Postfix SMTP server's default certificates are then only used
+when the client sends no SNI or when it sends SNI with a domain
+that the server knows no certificate(s) for.
+.PP
The mapping from an SNI domain name to a certificate chain is
typically indirect. In the input source files for "cdb", "hash",
"btree" or other tables that are converted to on\-disk indexed files
processes terminate at their convenience.
.IP \fB\-i\fR
Enable \fBinit\fR mode: do not become a session or process
-group leader; similar to \fB\-s\fR, do not redirect stdout
+group leader; and similar to \fB\-s\fR, do not redirect stdout
to /dev/null, so that "maillog_file = /dev/stdout" works.
This mode is allowed only if the process ID equals 1.
+.sp
+This feature is available in Postfix 3.3 and later.
.IP \fB\-s\fR
Do not redirect stdout to /dev/null, so that "maillog_file
= /dev/stdout" works.
+.sp
+This feature is available in Postfix 3.4 and later.
.IP \fB\-t\fR
Test mode. Return a zero exit status when the \fBmaster.pid\fR lock
file does not exist or when that file is not locked. This is evidence
</pre>
</blockquote>
+<p> Note that Postfix ≥ 3.4 server logging may also include a
+"to <i>sni-name</i>" element to record the use of an alternate
+server certificate chain for the connection in question. This happens
+when the client uses the TLS SNI extension, and the server selects
+a non-default certificate chain based on the client's SNI value:
+</p>
+
+<blockquote>
+<pre>
+postfix/smtpd[<i>process-id</i>]:
+ Untrusted TLS connection established from client.example[192.0.2.1]
+ to server.example: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
+ key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
+ client-signature ECDSA (P-256) client-digest SHA256
+</pre>
+</blockquote>
+
<h2><a name="status"> What do "Anonymous", "Untrusted", etc. in
Postfix logging mean? </a> </h2>
versions of Postfix ≥ 2.10 can explicitly disable support for
"TLSv1.1" or "TLSv1.2". </p>
-<p> OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix ≥ 3.4,
+<p> OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix
+≥ 3.4 (or patch releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2)
this can be disabled, if need be, via "!TLSv1.3". </p>
<p> At the <a href="TLS_README.html#client_tls_dane">dane</a> and
versions of Postfix ≥ 2.10 can disable support for "TLSv1.1" or
"TLSv1.2". </p>
-<p> OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix ≥ 3.4,
+<p> OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix
+≥ 3.4 (or patch releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2)
this can be disabled, if need be, via "!TLSv1.3". </p>
<p> Example: </p>
versions of Postfix ≥ 2.10 can explicitly disable support for
"TLSv1.1" or "TLSv1.2"</p>
-<p> OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix ≥ 3.4,
+<p> OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix
+≥ 3.4 (or patch releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2)
this can be disabled, if need be, via "!TLSv1.3". </p>
<p> To include a protocol list its name, to exclude it, prefix the name
versions of Postfix ≥ 2.10 can disable support for "TLSv1.1" or
"TLSv1.2". </p>
-<p> OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix ≥ 3.4,
+<p> OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix
+≥ 3.4 (or patch releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2)
this can be disabled, if need be, via "!TLSv1.3". </p>
<p> To include a protocol list its name, to exclude it, prefix the name
domains, the lookup key must be in IDNA 2008 A-label form (as
required in the TLS SNI extension). </p>
+<p> When this parameter is non-empty, the Postfix SMTP server enables
+SNI extension processing, and logs SNI values that are invalid or
+don't match an entry in the the specified tables. When an entry
+does match, the SNI name is logged as part of the connection summary
+at log levels 1 and higher. </p>
+
+<p> Note that the SNI lookup tables should also have entries for
+the domains that correspond to the Postfix SMTP server's default
+certificate(s). This ensures that the remote SMTP client's TLS SNI
+extension gets a positive response when it specifies one of the
+Postfix SMTP server's default domains, and ensures that the Postfix
+SMTP server will not log an SNI name mismatch for such a domain.
+The Postfix SMTP server's default certificates are then only used
+when the client sends no SNI or when it sends SNI with a domain
+that the server knows no certificate(s) for. </p>
+
<p> The mapping from an SNI domain name to a certificate chain is
typically indirect. In the input source files for "cdb", "hash",
"btree" or other tables that are converted to on-disk indexed files
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20190201"
+#define MAIL_RELEASE_DATE "20190202"
#define MAIL_VERSION_NUMBER "3.4"
#ifdef SNAPSHOT
/* processes terminate at their convenience.
/* .IP \fB-i\fR
/* Enable \fBinit\fR mode: do not become a session or process
-/* group leader; similar to \fB-s\fR, do not redirect stdout
+/* group leader; and similar to \fB-s\fR, do not redirect stdout
/* to /dev/null, so that "maillog_file = /dev/stdout" works.
/* This mode is allowed only if the process ID equals 1.
+/* .sp
+/* This feature is available in Postfix 3.3 and later.
/* .IP \fB-s\fR
/* Do not redirect stdout to /dev/null, so that "maillog_file
/* = /dev/stdout" works.
+/* .sp
+/* This feature is available in Postfix 3.4 and later.
/* .IP \fB-t\fR
/* Test mode. Return a zero exit status when the \fBmaster.pid\fR lock
/* file does not exist or when that file is not locked. This is evidence
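Review bot: the new "This feature is available in Postfix 3.3 and later" line under -i, read together with the "similar to -s, do not redirect stdout to /dev/null, so that maillog_file = /dev/stdout works" wording, implies that the stdout behaviour and maillog_file existed in 3.3, while the -s entry directly below dates them to 3.4. If only init mode itself dates from 3.3, say so explicitly (init mode since 3.3, the stdout behaviour since 3.4). The master(8) man page and the HTML copy in this patch carry the same text, so fixing it in this source comment fixes all three.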
*/
MAIL_VERSION_STAMP_ALLOCATE;
+ /*
+ * This is a datagram service, not a stream service, so that postlogd can
+ * restart immediately after "postfix reload" without requiring clients
+ * to resend messages. Those messages remain queued in the kernel until a
+ * new postlogd process retrieves them. It would be unreasonable to
+ * require that clients retransmit logs, especially in the case of a
+ * fatal or panic error.
+ */
dgram_server_main(argc, argv, postlogd_service,
CA_MAIL_SERVER_TIME_TABLE(time_table),
CA_MAIL_SERVER_PRE_INIT(pre_jail_init),
/* Public, read-only. */
char *peer_CN; /* Peer Common Name */
char *issuer_CN; /* Issuer Common Name */
+ char *peer_sni; /* SNI sent to or by the peer */
char *peer_cert_fprint; /* ASCII certificate fingerprint */
char *peer_pkey_fprint; /* ASCII public key fingerprint */
int peer_status; /* Certificate and match status */
tls_free_context(TLScontext);
return (0);
}
+ /*
+ * The saved value is not presently used client-side, but could later
+ * be logged if acked by the server (requires new client-side callback
+ * to detect the ack). For now this just maintains symmetry with the
+ * server code, where do record the received SNI for logging.
+ */
+ TLScontext->peer_sni = mystrdup(sni);
if (log_mask & TLS_LOG_DEBUG)
msg_info("%s: SNI hostname: %s", props->namaddr, sni);
}
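Review bot: the comment's last sentence, "where do record the received SNI for logging", is missing a word ("where we do record"). Since tls_log_summary() in this patch deliberately passes 0 for the client role, it would also help to state plainly that the client-side peer_sni is currently write-only, so that nobody later adds a log line for it without the server-ack check the comment describes.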
static int server_sni_callback(SSL *ssl, int *alert, void *arg)
{
SSL_CTX *sni_ctx = (SSL_CTX *) arg;
+ TLS_SESS_STATE *TLScontext = SSL_get_ex_data(ssl, TLScontext_index);
const char *sni = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
+ const char *cp = sni;
const char *pem;
- if (!sni_ctx || !tls_server_sni_maps
- || !sni || !*sni || !valid_hostname(sni, DONT_GRIPE))
+ /* SNI is silently ignored when we don't care or is NULL or empty */
+ if (!sni_ctx || !tls_server_sni_maps || !sni || !*sni)
return SSL_TLSEXT_ERR_NOACK;
+ if (!valid_hostname(sni, DONT_GRIPE)) {
+ msg_warn("TLS SNI from %s is invalid: %s",
+ TLScontext->namaddr, sni);
+ return SSL_TLSEXT_ERR_NOACK;
+ }
+
do {
/* Don't silently skip maps opened with the wrong flags. */
- pem = maps_file_find(tls_server_sni_maps, sni, 0);
+ pem = maps_file_find(tls_server_sni_maps, cp, 0);
} while (!pem
&& !tls_server_sni_maps->error
- && (sni = strchr(sni + 1, '.')) != 0);
+ && (cp = strchr(cp + 1, '.')) != 0);
if (!pem) {
if (tls_server_sni_maps->error) {
*alert = SSL_AD_INTERNAL_ERROR;
return SSL_TLSEXT_ERR_ALERT_FATAL;
}
+ msg_info("TLS SNI %s from %s not matched, using default chain",
+ sni, TLScontext->namaddr);
+ /*
+ * XXX: We could lie and pretend to accept the name, but since we've
+ * previously not impemented the callback (with OpenSSL then declining
+ * the extension), and nothing bad happened, declining it explicitly
+ * should be safe.
+ */
return SSL_TLSEXT_ERR_NOACK;
}
SSL_set_SSL_CTX(ssl, sni_ctx);
*alert = SSL_AD_INTERNAL_ERROR;
return SSL_TLSEXT_ERR_ALERT_FATAL;
}
+ TLScontext->peer_sni = mystrdup(sni);
return SSL_TLSEXT_ERR_OK;
}
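Review bot: TLScontext obtained from SSL_get_ex_data() is dereferenced in the new msg_warn() and msg_info() calls and in the final mystrdup() without a NULL check. The early return for "!sni_ctx || !tls_server_sni_maps || !sni || !*sni" happens before the first dereference, but nothing guards the remaining paths; if the ex_data slot can ever be unset for this SSL, this is a crash in the ClientHello path, so either assert it or return SSL_TLSEXT_ERR_NOACK when it is NULL. Two smaller points: the invalid-SNI warning echoes a client-controlled string that just failed valid_hostname(), so confirm that msg_warn() neutralises non-printable bytes before this reaches the log; and if OpenSSL can invoke the servername callback more than once on the same connection (a second ClientHello after HelloRetryRequest), the unconditional "TLScontext->peer_sni = mystrdup(sni)" leaks the first copy, so freeing any existing value first is cheap insurance. Typo in the XXX comment: "impemented".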
{
VSTRING *msg = vstring_alloc(100);
const char *direction = (role == TLS_ROLE_CLIENT) ? "to" : "from";
+ const char *sni = (role == TLS_ROLE_CLIENT) ? 0 : ctx->peer_sni;
- vstring_sprintf(msg, "%s TLS connection %s %s %s: %s"
+ /*
+ * When SNI was sent and accepted, the server-side log message now includes
+ * a "to <sni-name>" detail after the "from <namaddr>" detail identifying
+ * the remote client. We don't presently log (purportedly) accepted SNI on
+ * the client side.
+ */
+ vstring_sprintf(msg, "%s TLS connection %s %s %s%s%s: %s"
" with cipher %s (%d/%d bits)",
!TLS_CERT_IS_PRESENT(ctx) ? "Anonymous" :
TLS_CERT_IS_SECURED(ctx) ? "Verified" :
TLS_CERT_IS_TRUSTED(ctx) ? "Trusted" : "Untrusted",
usage == TLS_USAGE_NEW ? "established" : "reused",
- direction, ctx->namaddr, ctx->protocol, ctx->cipher_name,
- ctx->cipher_usebits, ctx->cipher_algbits);
+ direction, ctx->namaddr, sni ? " to " : "", sni ? sni : "",
+ ctx->protocol, ctx->cipher_name, ctx->cipher_usebits,
+ ctx->cipher_algbits);
if (ctx->kex_name && *ctx->kex_name) {
vstring_sprintf_append(msg, " key-exchange %s", ctx->kex_name);
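Review bot: this changes the format of the server-side connection summary line (a "to sni-name" element now follows "from client[addr]" whenever peer_sni is set), and that line is exactly what log parsers and SIEM rules key on. FORWARD_SECRECY_README documents the new shape elsewhere in this patch, but RELEASE_NOTES should also call it out as a logging format change so operators update their parsers. The "%s%s%s" format with the two "sni ? ... : """ arguments is correct; a one-line comment that peer_sni has already passed valid_hostname() and a table lookup on the server side would save the next reader from worrying about untrusted bytes being interpolated into the log line.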
TLScontext->serverid = 0;
TLScontext->peer_CN = 0;
TLScontext->issuer_CN = 0;
+ TLScontext->peer_sni = 0;
TLScontext->peer_cert_fprint = 0;
TLScontext->peer_pkey_fprint = 0;
TLScontext->protocol = 0;
myfree(TLScontext->peer_CN);
if (TLScontext->issuer_CN)
myfree(TLScontext->issuer_CN);
+ if (TLScontext->peer_sni)
+ myfree(TLScontext->peer_sni);
if (TLScontext->peer_cert_fprint)
myfree(TLScontext->peer_cert_fprint);
if (TLScontext->peer_pkey_fprint)