From: Wietse Z Venema Date: Sun, 2 Feb 2025 05:00:00 +0000 (-0500) Subject: postfix-3.10-20250202 X-Git-Tag: v3.10.0~5 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=70fe1107cf65fd1fba4f49c30beeffeed7e851a8;p=thirdparty%2Fpostfix.git postfix-3.10-20250202 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index 0ecbb813a..277752d35 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -28866,7 +28866,7 @@ Apologies for any names omitted. Feature: support for the RFC 8689 "TLS-Required: no" message header. This limits the Postfix SMTP client TLS security - level to "smtp_tls_security = may", which does not authenticate + level to "smtp_tls_security = may", which does not verify remote SMTP server TLS certificates, and which allows falling back to plaintext. This is needed for the delivery of messages such as TLSRPT summaries, which should be sent @@ -28898,3 +28898,24 @@ Apologies for any names omitted. Debug: verbose logging for the tlsrpt_wrapper functions. File: tls/tlsrpt_wrapper.c. + +20250201 + + Cleanup: simplified the code in cleanup_envelope_test.c. + + Feature: configuration parameter "tls_required_enable + (default: yes) to control support for the "TLS-Required: + no" message header. Files: global/mail_params.[hc], + bounce/bounce.c, bounce/bounce_notify_util.c, cleanup/cleanup.c, + cleanup/cleanup_message.c, smtp/smtp.c, smtp/smtp_connect.c, + mantools/postlink. + +20250202 + + Documentation: edited for clarity. Files: pipe/pipe.c, + proto/postconf.proto. + + Debug logging: cleanup/cleanup_api.c. tls/tlsrpt_wrapper.c. + proto/TLSRPT_README.html. + + Postfix 3.10 code freeze. diff --git a/postfix/README_FILES/TLSRPT_README b/postfix/README_FILES/TLSRPT_README index 8c8c24553..94f011ebe 100644 --- a/postfix/README_FILES/TLSRPT_README +++ b/postfix/README_FILES/TLSRPT_README @@ -30,8 +30,8 @@ successful and failed SMTP over TLS connections to domain example.com, and to report those summaries via email to the specified address. Instead of mailto:, a policy may specify an https: destination. -The high-level diagram below shows how TLS handshake success and failure events -from Postfix are collected and processed into daily summary reports. +The diagram below shows how Postfix TLS handshake success and failure events +are collected and processed into daily summary reports. Postfix SMTP and TLSRPT client TLSRPT collector, Email or HTTP TLS client engines -> library (linked -> fetcher, and -> delivery diff --git a/postfix/html/TLSRPT_README.html b/postfix/html/TLSRPT_README.html index 602857f0b..95acfb7b7 100644 --- a/postfix/html/TLSRPT_README.html +++ b/postfix/html/TLSRPT_README.html @@ -55,9 +55,9 @@ summaries of successful and failed SMTP over TLS connections to domain specified address. Instead of mailto:, a policy may specify an https: destination.

-

The high-level diagram below shows how TLS handshake success -and failure events from Postfix are collected and processed into -daily summary reports.

+

The diagram below shows how Postfix TLS handshake success and +failure events are collected and processed into daily summary +reports.

diff --git a/postfix/html/bounce.8.html b/postfix/html/bounce.8.html index 212ec8f6b..695478942 100644 --- a/postfix/html/bounce.8.html +++ b/postfix/html/bounce.8.html @@ -166,6 +166,12 @@ BOUNCE(8) BOUNCE(8) header_from_format (standard) The format of the Postfix-generated From: header. + Available in Postfix 3.10 and later: + + tls_required_enable (yes) + Enable support for the "TLS-Required: no" message header, + defined in RFC 8689. + FILES /var/spool/postfix/bounce/* non-delivery records /var/spool/postfix/defer/* non-delivery records diff --git a/postfix/html/cleanup.8.html b/postfix/html/cleanup.8.html index ab9990bc4..655275a9e 100644 --- a/postfix/html/cleanup.8.html +++ b/postfix/html/cleanup.8.html @@ -70,6 +70,7 @@ CLEANUP(8) CLEANUP(8) RFC 3463 (Enhanced Status Codes) RFC 3464 (Delivery status notifications) RFC 5322 (Internet Message Format) + RFC 8689 (TLS-Required: message header) DIAGNOSTICS Problems and transactions are logged to syslogd(8) or postlogd(8). @@ -461,29 +462,36 @@ CLEANUP(8) CLEANUP(8) IDNA2008, when converting UTF-8 domain names to/from the ASCII form that is used for DNS lookups. +TLS SUPPORT + Available in Postfix version 3.10 and later: + + tls_required_enable (yes) + Enable support for the "TLS-Required: no" message header, + defined in RFC 8689. + MISCELLANEOUS CONTROLS config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and master.cf con- + The default location of the Postfix main.cf and master.cf con- figuration files. daemon_timeout (18000s) - How much time a Postfix daemon process may take to handle a + How much time a Postfix daemon process may take to handle a request before it is terminated by a built-in watchdog timer. delay_logging_resolution_limit (2) - The maximal number of digits after the decimal point when log- + The maximal number of digits after the decimal point when log- ging delay values. delay_warning_time (0h) - The time after which the sender receives a copy of the message + The time after which the sender receives a copy of the message headers of mail that is still queued. ipc_timeout (3600s) - The time limit for sending or receiving information over an + The time limit for sending or receiving information over an internal communication channel. max_idle (100s) - The maximum amount of time that an idle Postfix daemon process + The maximum amount of time that an idle Postfix daemon process waits for an incoming connection before terminating voluntarily. max_use (100) @@ -494,7 +502,7 @@ CLEANUP(8) CLEANUP(8) The internet hostname of this mail system. myorigin ($myhostname) - The domain name that locally-posted mail appears to come from, + The domain name that locally-posted mail appears to come from, and that locally posted mail is delivered to. process_id (read-only) @@ -507,21 +515,21 @@ CLEANUP(8) CLEANUP(8) The location of the Postfix top-level queue directory. soft_bounce (no) - Safety net to keep mail queued that would otherwise be returned + Safety net to keep mail queued that would otherwise be returned to the sender. syslog_facility (mail) The syslog facility of Postfix logging. syslog_name (see 'postconf -d' output) - A prefix that is prepended to the process name in syslog + A prefix that is prepended to the process name in syslog records, so that, for example, "smtpd" becomes "prefix/smtpd". Available in Postfix version 2.1 and later: enable_original_recipient (yes) - Enable support for the original recipient address after an - address is rewritten to a different address (for example with + Enable support for the original recipient address after an + address is rewritten to a different address (for example with aliasing or with canonical mapping). Available in Postfix 3.3 and later: @@ -532,14 +540,14 @@ CLEANUP(8) CLEANUP(8) Available in Postfix 3.5 and later: info_log_address_format (external) - The email address form that will be used in non-debug logging + The email address form that will be used in non-debug logging (info, warning, etc.). Available in Postfix 3.9 and later: force_mime_input_conversion (no) - Convert body content that claims to be 8-bit into quoted-print- - able, before header_checks, body_checks, Milters, and before + Convert body content that claims to be 8-bit into quoted-print- + able, before header_checks, body_checks, Milters, and before after-queue content filters. FILES diff --git a/postfix/html/defer.8.html b/postfix/html/defer.8.html index 212ec8f6b..695478942 100644 --- a/postfix/html/defer.8.html +++ b/postfix/html/defer.8.html @@ -166,6 +166,12 @@ BOUNCE(8) BOUNCE(8) header_from_format (standard) The format of the Postfix-generated From: header. + Available in Postfix 3.10 and later: + + tls_required_enable (yes) + Enable support for the "TLS-Required: no" message header, + defined in RFC 8689. + FILES /var/spool/postfix/bounce/* non-delivery records /var/spool/postfix/defer/* non-delivery records diff --git a/postfix/html/lmtp.8.html b/postfix/html/lmtp.8.html index 3170f70ca..5c5b16847 100644 --- a/postfix/html/lmtp.8.html +++ b/postfix/html/lmtp.8.html @@ -174,6 +174,7 @@ SMTP(8) SMTP(8) RFC 6531 (Internationalized SMTP) RFC 6533 (Internationalized Delivery Status Notifications) RFC 7672 (SMTP security via opportunistic DANE TLS) + RFC 8689 (TLS-Required message header) DIAGNOSTICS Problems and transactions are logged to syslogd(8) or postlogd(8). @@ -746,6 +747,8 @@ SMTP(8) SMTP(8) Request that remote SMTP servers send an RFC7250 raw public key instead of an X.509 certificate. + Available in Postfix version 3.10 and later: + smtp_tlsrpt_enable (no) Enable support for RFC 8460 TLSRPT notifications. @@ -758,41 +761,45 @@ SMTP(8) SMTP(8) reuse a previously-negotiated TLS session (there is no new information to report). + tls_required_enable (yes) + Enable support for the "TLS-Required: no" message header, + defined in RFC 8689. + OBSOLETE STARTTLS CONTROLS - The following configuration parameters exist for compatibility with - Postfix versions before 2.3. Support for these will be removed in a + The following configuration parameters exist for compatibility with + Postfix versions before 2.3. Support for these will be removed in a future release. smtp_use_tls (no) - Opportunistic mode: use TLS when a remote SMTP server announces + Opportunistic mode: use TLS when a remote SMTP server announces STARTTLS support, otherwise send the mail in the clear. smtp_enforce_tls (no) - Enforcement mode: require that remote SMTP servers use TLS + Enforcement mode: require that remote SMTP servers use TLS encryption, and never send mail in the clear. smtp_tls_enforce_peername (yes) - With mandatory TLS encryption, require that the remote SMTP - server hostname matches the information in the remote SMTP + With mandatory TLS encryption, require that the remote SMTP + server hostname matches the information in the remote SMTP server certificate. smtp_tls_per_site (empty) - Optional lookup tables with the Postfix SMTP client TLS usage - policy by next-hop destination and by remote SMTP server host- + Optional lookup tables with the Postfix SMTP client TLS usage + policy by next-hop destination and by remote SMTP server host- name. smtp_tls_cipherlist (empty) - Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS + Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS cipher list. RESOURCE AND RATE CONTROLS smtp_connect_timeout (30s) - The Postfix SMTP client time limit for completing a TCP connec- + The Postfix SMTP client time limit for completing a TCP connec- tion, or zero (use the operating system built-in time limit). smtp_helo_timeout (300s) - The Postfix SMTP client time limit for sending the HELO or EHLO - command, and for receiving the initial remote SMTP server + The Postfix SMTP client time limit for sending the HELO or EHLO + command, and for receiving the initial remote SMTP server response. lmtp_lhlo_timeout (300s) @@ -804,19 +811,19 @@ SMTP(8) SMTP(8) mand, and for receiving the remote SMTP server response. smtp_mail_timeout (300s) - The Postfix SMTP client time limit for sending the MAIL FROM + The Postfix SMTP client time limit for sending the MAIL FROM command, and for receiving the remote SMTP server response. smtp_rcpt_timeout (300s) - The Postfix SMTP client time limit for sending the SMTP RCPT TO + The Postfix SMTP client time limit for sending the SMTP RCPT TO command, and for receiving the remote SMTP server response. smtp_data_init_timeout (120s) - The Postfix SMTP client time limit for sending the SMTP DATA + The Postfix SMTP client time limit for sending the SMTP DATA command, and for receiving the remote SMTP server response. smtp_data_xfer_timeout (180s) - The Postfix SMTP client time limit for sending the SMTP message + The Postfix SMTP client time limit for sending the SMTP message content. smtp_data_done_timeout (600s) @@ -830,13 +837,13 @@ SMTP(8) SMTP(8) Available in Postfix version 2.1 and later: smtp_mx_address_limit (5) - The maximal number of MX (mail exchanger) IP addresses that can - result from Postfix SMTP client mail exchanger lookups, or zero + The maximal number of MX (mail exchanger) IP addresses that can + result from Postfix SMTP client mail exchanger lookups, or zero (no limit). smtp_mx_session_limit (2) - The maximal number of SMTP sessions per delivery request before - the Postfix SMTP client gives up or delivers to a fall-back + The maximal number of SMTP sessions per delivery request before + the Postfix SMTP client gives up or delivers to a fall-back relay host, or zero (no limit). smtp_rset_timeout (20s) @@ -846,17 +853,17 @@ SMTP(8) SMTP(8) Available in Postfix version 2.2 and earlier: lmtp_cache_connection (yes) - Keep Postfix LMTP client connections open for up to $max_idle + Keep Postfix LMTP client connections open for up to $max_idle seconds. Available in Postfix version 2.2 and later: smtp_connection_cache_destinations (empty) - Permanently enable SMTP connection caching for the specified + Permanently enable SMTP connection caching for the specified destinations. smtp_connection_cache_on_demand (yes) - Temporarily enable SMTP connection caching while a destination + Temporarily enable SMTP connection caching while a destination has a high volume of mail in the active queue. smtp_connection_reuse_time_limit (300s) @@ -870,23 +877,23 @@ SMTP(8) SMTP(8) Available in Postfix version 2.3 and later: connection_cache_protocol_timeout (5s) - Time limit for connection cache connect, send or receive opera- + Time limit for connection cache connect, send or receive opera- tions. Available in Postfix version 2.9 - 3.6: smtp_per_record_deadline (no) - Change the behavior of the smtp_*_timeout time limits, from a - time limit per read or write system call, to a time limit to - send or receive a complete record (an SMTP command line, SMTP - response line, SMTP message content line, or TLS protocol mes- + Change the behavior of the smtp_*_timeout time limits, from a + time limit per read or write system call, to a time limit to + send or receive a complete record (an SMTP command line, SMTP + response line, SMTP message content line, or TLS protocol mes- sage). Available in Postfix version 2.11 and later: smtp_connection_reuse_count_limit (0) - When SMTP connection caching is enabled, the number of times - that an SMTP session may be reused before it is closed, or zero + When SMTP connection caching is enabled, the number of times + that an SMTP session may be reused before it is closed, or zero (no limit). Available in Postfix version 3.4 and later: @@ -897,13 +904,13 @@ SMTP(8) SMTP(8) Available in Postfix version 3.7 and later: smtp_per_request_deadline (no) - Change the behavior of the smtp_*_timeout time limits, from a - time limit per plaintext or TLS read or write call, to a com- - bined time limit for sending a complete SMTP request and for + Change the behavior of the smtp_*_timeout time limits, from a + time limit per plaintext or TLS read or write call, to a com- + bined time limit for sending a complete SMTP request and for receiving a complete SMTP response. smtp_min_data_rate (500) - The minimum plaintext data transfer rate in bytes/second for + The minimum plaintext data transfer rate in bytes/second for DATA requests, when deadlines are enabled with smtp_per_request_deadline. @@ -911,54 +918,54 @@ SMTP(8) SMTP(8) transport_destination_concurrency_limit ($default_destination_concur- rency_limit) - A transport-specific override for the default_destination_con- + A transport-specific override for the default_destination_con- currency_limit parameter value, where transport is the master.cf name of the message delivery transport. transport_destination_recipient_limit ($default_destination_recipi- ent_limit) A transport-specific override for the default_destination_recip- - ient_limit parameter value, where transport is the master.cf + ient_limit parameter value, where transport is the master.cf name of the message delivery transport. SMTPUTF8 CONTROLS Preliminary SMTPUTF8 support is introduced with Postfix 3.0. smtputf8_enable (yes) - Enable preliminary SMTPUTF8 support for the protocols described + Enable preliminary SMTPUTF8 support for the protocols described in RFC 6531, RFC 6532, and RFC 6533. smtputf8_autodetect_classes (sendmail, verify) - Detect that a message requires SMTPUTF8 support for the speci- + Detect that a message requires SMTPUTF8 support for the speci- fied mail origin classes. Available in Postfix version 3.2 and later: enable_idna2003_compatibility (no) - Enable 'transitional' compatibility between IDNA2003 and - IDNA2008, when converting UTF-8 domain names to/from the ASCII + Enable 'transitional' compatibility between IDNA2003 and + IDNA2008, when converting UTF-8 domain names to/from the ASCII form that is used for DNS lookups. TROUBLE SHOOTING CONTROLS debug_peer_level (2) - The increment in verbose logging level when a nexthop destina- - tion, remote client or server name or network address matches a + The increment in verbose logging level when a nexthop destina- + tion, remote client or server name or network address matches a pattern given with the debug_peer_list parameter. debug_peer_list (empty) - Optional list of nexthop destination, remote client or server - name or network address patterns that, if matched, cause the - verbose logging level to increase by the amount specified in + Optional list of nexthop destination, remote client or server + name or network address patterns that, if matched, cause the + verbose logging level to increase by the amount specified in $debug_peer_level. error_notice_recipient (postmaster) - The recipient of postmaster notifications about mail delivery + The recipient of postmaster notifications about mail delivery problems that are caused by policy, resource, software or proto- col errors. internal_mail_filter_classes (empty) - What categories of Postfix-generated mail are subject to - before-queue content inspection by non_smtpd_milters, + What categories of Postfix-generated mail are subject to + before-queue content inspection by non_smtpd_milters, header_checks and body_checks. notify_classes (resource, software) @@ -966,46 +973,46 @@ SMTP(8) SMTP(8) MISCELLANEOUS CONTROLS best_mx_transport (empty) - Where the Postfix SMTP client should deliver mail when it + Where the Postfix SMTP client should deliver mail when it detects a "mail loops back to myself" error condition. config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and master.cf con- + The default location of the Postfix main.cf and master.cf con- figuration files. daemon_timeout (18000s) - How much time a Postfix daemon process may take to handle a + How much time a Postfix daemon process may take to handle a request before it is terminated by a built-in watchdog timer. delay_logging_resolution_limit (2) - The maximal number of digits after the decimal point when log- + The maximal number of digits after the decimal point when log- ging delay values. disable_dns_lookups (no) Disable DNS lookups in the Postfix SMTP and LMTP clients. inet_interfaces (all) - The local network interface addresses that this mail system + The local network interface addresses that this mail system receives mail on. inet_protocols (see 'postconf -d' output) - The Internet protocols Postfix will attempt to use when making + The Internet protocols Postfix will attempt to use when making or accepting connections. ipc_timeout (3600s) - The time limit for sending or receiving information over an + The time limit for sending or receiving information over an internal communication channel. lmtp_assume_final (no) - When a remote LMTP server announces no DSN support, assume that - the server performs final delivery, and send "delivered" deliv- + When a remote LMTP server announces no DSN support, assume that + the server performs final delivery, and send "delivered" deliv- ery status notifications instead of "relayed". lmtp_tcp_port (24) The default TCP port that the Postfix LMTP client connects to. max_idle (100s) - The maximum amount of time that an idle Postfix daemon process + The maximum amount of time that an idle Postfix daemon process waits for an incoming connection before terminating voluntarily. max_use (100) @@ -1019,21 +1026,21 @@ SMTP(8) SMTP(8) The process name of a Postfix command or daemon process. proxy_interfaces (empty) - The remote network interface addresses that this mail system - receives mail on by way of a proxy or network address transla- + The remote network interface addresses that this mail system + receives mail on by way of a proxy or network address transla- tion unit. smtp_address_preference (any) The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP - client will try first, when a destination has IPv6 and IPv4 + client will try first, when a destination has IPv6 and IPv4 addresses with equal MX preference. smtp_bind_address (empty) - An optional numerical network address that the Postfix SMTP + An optional numerical network address that the Postfix SMTP client should bind to when making an IPv4 connection. smtp_bind_address6 (empty) - An optional numerical network address that the Postfix SMTP + An optional numerical network address that the Postfix SMTP client should bind to when making an IPv6 connection. smtp_helo_name ($myhostname) @@ -1053,7 +1060,7 @@ SMTP(8) SMTP(8) The syslog facility of Postfix logging. syslog_name (see 'postconf -d' output) - A prefix that is prepended to the process name in syslog + A prefix that is prepended to the process name in syslog records, so that, for example, "smtpd" becomes "prefix/smtpd". Available with Postfix 2.2 and earlier: @@ -1065,14 +1072,14 @@ SMTP(8) SMTP(8) Available with Postfix 2.3 and later: smtp_fallback_relay ($fallback_relay) - Optional list of relay destinations that will be used when an - SMTP destination is not found, or when delivery fails due to a + Optional list of relay destinations that will be used when an + SMTP destination is not found, or when delivery fails due to a non-permanent error. Available with Postfix 3.0 and later: smtp_address_verify_target (rcpt) - In the context of email address verification, the SMTP protocol + In the context of email address verification, the SMTP protocol stage that determines whether an email address is deliverable. Available with Postfix 3.1 and later: @@ -1094,7 +1101,7 @@ SMTP(8) SMTP(8) Available in Postfix 3.7 and later: smtp_bind_address_enforce (no) - Defer delivery when the Postfix SMTP client cannot apply the + Defer delivery when the Postfix SMTP client cannot apply the smtp_bind_address or smtp_bind_address6 setting. SEE ALSO diff --git a/postfix/html/pipe.8.html b/postfix/html/pipe.8.html index a714cacb8..911a740eb 100644 --- a/postfix/html/pipe.8.html +++ b/postfix/html/pipe.8.html @@ -170,6 +170,7 @@ PIPE(8) PIPE(8) as an argument by itself: Right: command -f $sender -- $recipient + NOTE: DO NOT put quotes around the command, $sender, or $recipi- ent. @@ -422,7 +423,7 @@ PIPE(8) PIPE(8) delay_logging_resolution_limit (2) The maximal number of digits after the decimal point when log- - ging sub-second delay values. + ging delay values. export_environment (see 'postconf -d' output) The list of environment variables that a Postfix process will diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index b673b46c4..e67cfb18e 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -20603,6 +20603,23 @@ gives timeout errors.

This feature is available in Postfix 2.2 and later.

+ + +
tls_required_enable +(default: yes)
+ +

Enable support for the "TLS-Required: no" message header, defined +in RFC 8689. By adding this header to a message, a sender requests +no enforcement of TLS policy. This limits the Postfix SMTP client +TLS security level to "may", that is, do not verify remote SMTP +server certificates, and fall back to plaintext if TLS is unavailable. +If a message contains a "TLS-Required: no" header, then Postfix +will add that header to a delivery status notification for that +message.

+ +

This feature is available in Postfix ≥ 3.10.

+ +
tls_server_sni_maps diff --git a/postfix/html/smtp.8.html b/postfix/html/smtp.8.html index 3170f70ca..5c5b16847 100644 --- a/postfix/html/smtp.8.html +++ b/postfix/html/smtp.8.html @@ -174,6 +174,7 @@ SMTP(8) SMTP(8) RFC 6531 (Internationalized SMTP) RFC 6533 (Internationalized Delivery Status Notifications) RFC 7672 (SMTP security via opportunistic DANE TLS) + RFC 8689 (TLS-Required message header) DIAGNOSTICS Problems and transactions are logged to syslogd(8) or postlogd(8). @@ -746,6 +747,8 @@ SMTP(8) SMTP(8) Request that remote SMTP servers send an RFC7250 raw public key instead of an X.509 certificate. + Available in Postfix version 3.10 and later: + smtp_tlsrpt_enable (no) Enable support for RFC 8460 TLSRPT notifications. @@ -758,41 +761,45 @@ SMTP(8) SMTP(8) reuse a previously-negotiated TLS session (there is no new information to report). + tls_required_enable (yes) + Enable support for the "TLS-Required: no" message header, + defined in RFC 8689. + OBSOLETE STARTTLS CONTROLS - The following configuration parameters exist for compatibility with - Postfix versions before 2.3. Support for these will be removed in a + The following configuration parameters exist for compatibility with + Postfix versions before 2.3. Support for these will be removed in a future release. smtp_use_tls (no) - Opportunistic mode: use TLS when a remote SMTP server announces + Opportunistic mode: use TLS when a remote SMTP server announces STARTTLS support, otherwise send the mail in the clear. smtp_enforce_tls (no) - Enforcement mode: require that remote SMTP servers use TLS + Enforcement mode: require that remote SMTP servers use TLS encryption, and never send mail in the clear. smtp_tls_enforce_peername (yes) - With mandatory TLS encryption, require that the remote SMTP - server hostname matches the information in the remote SMTP + With mandatory TLS encryption, require that the remote SMTP + server hostname matches the information in the remote SMTP server certificate. smtp_tls_per_site (empty) - Optional lookup tables with the Postfix SMTP client TLS usage - policy by next-hop destination and by remote SMTP server host- + Optional lookup tables with the Postfix SMTP client TLS usage + policy by next-hop destination and by remote SMTP server host- name. smtp_tls_cipherlist (empty) - Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS + Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS cipher list. RESOURCE AND RATE CONTROLS smtp_connect_timeout (30s) - The Postfix SMTP client time limit for completing a TCP connec- + The Postfix SMTP client time limit for completing a TCP connec- tion, or zero (use the operating system built-in time limit). smtp_helo_timeout (300s) - The Postfix SMTP client time limit for sending the HELO or EHLO - command, and for receiving the initial remote SMTP server + The Postfix SMTP client time limit for sending the HELO or EHLO + command, and for receiving the initial remote SMTP server response. lmtp_lhlo_timeout (300s) @@ -804,19 +811,19 @@ SMTP(8) SMTP(8) mand, and for receiving the remote SMTP server response. smtp_mail_timeout (300s) - The Postfix SMTP client time limit for sending the MAIL FROM + The Postfix SMTP client time limit for sending the MAIL FROM command, and for receiving the remote SMTP server response. smtp_rcpt_timeout (300s) - The Postfix SMTP client time limit for sending the SMTP RCPT TO + The Postfix SMTP client time limit for sending the SMTP RCPT TO command, and for receiving the remote SMTP server response. smtp_data_init_timeout (120s) - The Postfix SMTP client time limit for sending the SMTP DATA + The Postfix SMTP client time limit for sending the SMTP DATA command, and for receiving the remote SMTP server response. smtp_data_xfer_timeout (180s) - The Postfix SMTP client time limit for sending the SMTP message + The Postfix SMTP client time limit for sending the SMTP message content. smtp_data_done_timeout (600s) @@ -830,13 +837,13 @@ SMTP(8) SMTP(8) Available in Postfix version 2.1 and later: smtp_mx_address_limit (5) - The maximal number of MX (mail exchanger) IP addresses that can - result from Postfix SMTP client mail exchanger lookups, or zero + The maximal number of MX (mail exchanger) IP addresses that can + result from Postfix SMTP client mail exchanger lookups, or zero (no limit). smtp_mx_session_limit (2) - The maximal number of SMTP sessions per delivery request before - the Postfix SMTP client gives up or delivers to a fall-back + The maximal number of SMTP sessions per delivery request before + the Postfix SMTP client gives up or delivers to a fall-back relay host, or zero (no limit). smtp_rset_timeout (20s) @@ -846,17 +853,17 @@ SMTP(8) SMTP(8) Available in Postfix version 2.2 and earlier: lmtp_cache_connection (yes) - Keep Postfix LMTP client connections open for up to $max_idle + Keep Postfix LMTP client connections open for up to $max_idle seconds. Available in Postfix version 2.2 and later: smtp_connection_cache_destinations (empty) - Permanently enable SMTP connection caching for the specified + Permanently enable SMTP connection caching for the specified destinations. smtp_connection_cache_on_demand (yes) - Temporarily enable SMTP connection caching while a destination + Temporarily enable SMTP connection caching while a destination has a high volume of mail in the active queue. smtp_connection_reuse_time_limit (300s) @@ -870,23 +877,23 @@ SMTP(8) SMTP(8) Available in Postfix version 2.3 and later: connection_cache_protocol_timeout (5s) - Time limit for connection cache connect, send or receive opera- + Time limit for connection cache connect, send or receive opera- tions. Available in Postfix version 2.9 - 3.6: smtp_per_record_deadline (no) - Change the behavior of the smtp_*_timeout time limits, from a - time limit per read or write system call, to a time limit to - send or receive a complete record (an SMTP command line, SMTP - response line, SMTP message content line, or TLS protocol mes- + Change the behavior of the smtp_*_timeout time limits, from a + time limit per read or write system call, to a time limit to + send or receive a complete record (an SMTP command line, SMTP + response line, SMTP message content line, or TLS protocol mes- sage). Available in Postfix version 2.11 and later: smtp_connection_reuse_count_limit (0) - When SMTP connection caching is enabled, the number of times - that an SMTP session may be reused before it is closed, or zero + When SMTP connection caching is enabled, the number of times + that an SMTP session may be reused before it is closed, or zero (no limit). Available in Postfix version 3.4 and later: @@ -897,13 +904,13 @@ SMTP(8) SMTP(8) Available in Postfix version 3.7 and later: smtp_per_request_deadline (no) - Change the behavior of the smtp_*_timeout time limits, from a - time limit per plaintext or TLS read or write call, to a com- - bined time limit for sending a complete SMTP request and for + Change the behavior of the smtp_*_timeout time limits, from a + time limit per plaintext or TLS read or write call, to a com- + bined time limit for sending a complete SMTP request and for receiving a complete SMTP response. smtp_min_data_rate (500) - The minimum plaintext data transfer rate in bytes/second for + The minimum plaintext data transfer rate in bytes/second for DATA requests, when deadlines are enabled with smtp_per_request_deadline. @@ -911,54 +918,54 @@ SMTP(8) SMTP(8) transport_destination_concurrency_limit ($default_destination_concur- rency_limit) - A transport-specific override for the default_destination_con- + A transport-specific override for the default_destination_con- currency_limit parameter value, where transport is the master.cf name of the message delivery transport. transport_destination_recipient_limit ($default_destination_recipi- ent_limit) A transport-specific override for the default_destination_recip- - ient_limit parameter value, where transport is the master.cf + ient_limit parameter value, where transport is the master.cf name of the message delivery transport. SMTPUTF8 CONTROLS Preliminary SMTPUTF8 support is introduced with Postfix 3.0. smtputf8_enable (yes) - Enable preliminary SMTPUTF8 support for the protocols described + Enable preliminary SMTPUTF8 support for the protocols described in RFC 6531, RFC 6532, and RFC 6533. smtputf8_autodetect_classes (sendmail, verify) - Detect that a message requires SMTPUTF8 support for the speci- + Detect that a message requires SMTPUTF8 support for the speci- fied mail origin classes. Available in Postfix version 3.2 and later: enable_idna2003_compatibility (no) - Enable 'transitional' compatibility between IDNA2003 and - IDNA2008, when converting UTF-8 domain names to/from the ASCII + Enable 'transitional' compatibility between IDNA2003 and + IDNA2008, when converting UTF-8 domain names to/from the ASCII form that is used for DNS lookups. TROUBLE SHOOTING CONTROLS debug_peer_level (2) - The increment in verbose logging level when a nexthop destina- - tion, remote client or server name or network address matches a + The increment in verbose logging level when a nexthop destina- + tion, remote client or server name or network address matches a pattern given with the debug_peer_list parameter. debug_peer_list (empty) - Optional list of nexthop destination, remote client or server - name or network address patterns that, if matched, cause the - verbose logging level to increase by the amount specified in + Optional list of nexthop destination, remote client or server + name or network address patterns that, if matched, cause the + verbose logging level to increase by the amount specified in $debug_peer_level. error_notice_recipient (postmaster) - The recipient of postmaster notifications about mail delivery + The recipient of postmaster notifications about mail delivery problems that are caused by policy, resource, software or proto- col errors. internal_mail_filter_classes (empty) - What categories of Postfix-generated mail are subject to - before-queue content inspection by non_smtpd_milters, + What categories of Postfix-generated mail are subject to + before-queue content inspection by non_smtpd_milters, header_checks and body_checks. notify_classes (resource, software) @@ -966,46 +973,46 @@ SMTP(8) SMTP(8) MISCELLANEOUS CONTROLS best_mx_transport (empty) - Where the Postfix SMTP client should deliver mail when it + Where the Postfix SMTP client should deliver mail when it detects a "mail loops back to myself" error condition. config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and master.cf con- + The default location of the Postfix main.cf and master.cf con- figuration files. daemon_timeout (18000s) - How much time a Postfix daemon process may take to handle a + How much time a Postfix daemon process may take to handle a request before it is terminated by a built-in watchdog timer. delay_logging_resolution_limit (2) - The maximal number of digits after the decimal point when log- + The maximal number of digits after the decimal point when log- ging delay values. disable_dns_lookups (no) Disable DNS lookups in the Postfix SMTP and LMTP clients. inet_interfaces (all) - The local network interface addresses that this mail system + The local network interface addresses that this mail system receives mail on. inet_protocols (see 'postconf -d' output) - The Internet protocols Postfix will attempt to use when making + The Internet protocols Postfix will attempt to use when making or accepting connections. ipc_timeout (3600s) - The time limit for sending or receiving information over an + The time limit for sending or receiving information over an internal communication channel. lmtp_assume_final (no) - When a remote LMTP server announces no DSN support, assume that - the server performs final delivery, and send "delivered" deliv- + When a remote LMTP server announces no DSN support, assume that + the server performs final delivery, and send "delivered" deliv- ery status notifications instead of "relayed". lmtp_tcp_port (24) The default TCP port that the Postfix LMTP client connects to. max_idle (100s) - The maximum amount of time that an idle Postfix daemon process + The maximum amount of time that an idle Postfix daemon process waits for an incoming connection before terminating voluntarily. max_use (100) @@ -1019,21 +1026,21 @@ SMTP(8) SMTP(8) The process name of a Postfix command or daemon process. proxy_interfaces (empty) - The remote network interface addresses that this mail system - receives mail on by way of a proxy or network address transla- + The remote network interface addresses that this mail system + receives mail on by way of a proxy or network address transla- tion unit. smtp_address_preference (any) The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP - client will try first, when a destination has IPv6 and IPv4 + client will try first, when a destination has IPv6 and IPv4 addresses with equal MX preference. smtp_bind_address (empty) - An optional numerical network address that the Postfix SMTP + An optional numerical network address that the Postfix SMTP client should bind to when making an IPv4 connection. smtp_bind_address6 (empty) - An optional numerical network address that the Postfix SMTP + An optional numerical network address that the Postfix SMTP client should bind to when making an IPv6 connection. smtp_helo_name ($myhostname) @@ -1053,7 +1060,7 @@ SMTP(8) SMTP(8) The syslog facility of Postfix logging. syslog_name (see 'postconf -d' output) - A prefix that is prepended to the process name in syslog + A prefix that is prepended to the process name in syslog records, so that, for example, "smtpd" becomes "prefix/smtpd". Available with Postfix 2.2 and earlier: @@ -1065,14 +1072,14 @@ SMTP(8) SMTP(8) Available with Postfix 2.3 and later: smtp_fallback_relay ($fallback_relay) - Optional list of relay destinations that will be used when an - SMTP destination is not found, or when delivery fails due to a + Optional list of relay destinations that will be used when an + SMTP destination is not found, or when delivery fails due to a non-permanent error. Available with Postfix 3.0 and later: smtp_address_verify_target (rcpt) - In the context of email address verification, the SMTP protocol + In the context of email address verification, the SMTP protocol stage that determines whether an email address is deliverable. Available with Postfix 3.1 and later: @@ -1094,7 +1101,7 @@ SMTP(8) SMTP(8) Available in Postfix 3.7 and later: smtp_bind_address_enforce (no) - Defer delivery when the Postfix SMTP client cannot apply the + Defer delivery when the Postfix SMTP client cannot apply the smtp_bind_address or smtp_bind_address6 setting. SEE ALSO diff --git a/postfix/html/trace.8.html b/postfix/html/trace.8.html index 212ec8f6b..695478942 100644 --- a/postfix/html/trace.8.html +++ b/postfix/html/trace.8.html @@ -166,6 +166,12 @@ BOUNCE(8) BOUNCE(8) header_from_format (standard) The format of the Postfix-generated From: header. + Available in Postfix 3.10 and later: + + tls_required_enable (yes) + Enable support for the "TLS-Required: no" message header, + defined in RFC 8689. + FILES /var/spool/postfix/bounce/* non-delivery records /var/spool/postfix/defer/* non-delivery records diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 46d3c24ef..060983545 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -14331,6 +14331,17 @@ Note: on OpenBSD systems specify dev:/dev/arandom when dev:/dev/urandom gives timeout errors. .PP This feature is available in Postfix 2.2 and later. +.SH tls_required_enable (default: yes) +Enable support for the "TLS\-Required: no" message header, defined +in RFC 8689. By adding this header to a message, a sender requests +no enforcement of TLS policy. This limits the Postfix SMTP client +TLS security level to "may", that is, do not verify remote SMTP +server certificates, and fall back to plaintext if TLS is unavailable. +If a message contains a "TLS\-Required: no" header, then Postfix +will add that header to a delivery status notification for that +message. +.PP +This feature is available in Postfix >= 3.10. .SH tls_server_sni_maps (default: empty) Optional lookup tables that map names received from remote SMTP clients via the TLS Server Name Indication (SNI) extension to the diff --git a/postfix/man/man8/bounce.8 b/postfix/man/man8/bounce.8 index 8581c3c1e..781eb86b2 100644 --- a/postfix/man/man8/bounce.8 +++ b/postfix/man/man8/bounce.8 @@ -146,6 +146,11 @@ header with the original Message\-ID value. Available in Postfix 3.7 and later: .IP "\fBheader_from_format (standard)\fR" The format of the Postfix\-generated \fBFrom:\fR header. +.PP +Available in Postfix 3.10 and later: +.IP "\fBtls_required_enable (yes)\fR" +Enable support for the "TLS\-Required: no" message header, defined +in RFC 8689. .SH "FILES" .na .nf diff --git a/postfix/man/man8/cleanup.8 b/postfix/man/man8/cleanup.8 index d1e4bf9c1..66a757838 100644 --- a/postfix/man/man8/cleanup.8 +++ b/postfix/man/man8/cleanup.8 @@ -78,6 +78,7 @@ RFC 2822 (Internet Message Format) RFC 3463 (Enhanced Status Codes) RFC 3464 (Delivery status notifications) RFC 5322 (Internet Message Format) +RFC 8689 (TLS\-Required: message header) .SH DIAGNOSTICS .ad .fi @@ -422,6 +423,15 @@ Available in Postfix version 3.2 and later: Enable 'transitional' compatibility between IDNA2003 and IDNA2008, when converting UTF\-8 domain names to/from the ASCII form that is used for DNS lookups. +.SH "TLS SUPPORT" +.na +.nf +.ad +.fi +Available in Postfix version 3.10 and later: +.IP "\fBtls_required_enable (yes)\fR" +Enable support for the "TLS\-Required: no" message header, defined +in RFC 8689. .SH "MISCELLANEOUS CONTROLS" .na .nf diff --git a/postfix/man/man8/pipe.8 b/postfix/man/man8/pipe.8 index 566cf89c8..770a459bc 100644 --- a/postfix/man/man8/pipe.8 +++ b/postfix/man/man8/pipe.8 @@ -180,6 +180,7 @@ specify \fB$sender\fR as an argument by itself: .nf \fIRight\fR: command \-f $sender \-\- $recipient .fi +.IP NOTE: DO NOT put quotes around the command, $sender, or $recipient. .IP This feature is available as of Postfix 2.3. @@ -412,7 +413,7 @@ How much time a Postfix daemon process may take to handle a request before it is terminated by a built\-in watchdog timer. .IP "\fBdelay_logging_resolution_limit (2)\fR" The maximal number of digits after the decimal point when logging -sub\-second delay values. +delay values. .IP "\fBexport_environment (see 'postconf -d' output)\fR" The list of environment variables that a Postfix process will export to non\-Postfix processes. diff --git a/postfix/man/man8/smtp.8 b/postfix/man/man8/smtp.8 index aa2298dfc..ee3cefc5f 100644 --- a/postfix/man/man8/smtp.8 +++ b/postfix/man/man8/smtp.8 @@ -190,6 +190,7 @@ RFC 5321 (SMTP protocol) RFC 6531 (Internationalized SMTP) RFC 6533 (Internationalized Delivery Status Notifications) RFC 7672 (SMTP security via opportunistic DANE TLS) +RFC 8689 (TLS\-Required message header) .SH DIAGNOSTICS .ad .fi @@ -672,7 +673,8 @@ Available in Postfix version 3.9 and later: .IP "\fBsmtp_tls_enable_rpk (no)\fR" Request that remote SMTP servers send an RFC7250 raw public key instead of an X.509 certificate. -.PP Available in Postfix version 3.10 and later: +.PP +Available in Postfix version 3.10 and later: .IP "\fBsmtp_tlsrpt_enable (no)\fR" Enable support for RFC 8460 TLSRPT notifications. .IP "\fBsmtp_tlsrpt_socket_name (empty)\fR" @@ -682,6 +684,9 @@ by a local TLSRPT reporting service. Do not report the TLSRPT status for TLS protocol handshakes that reuse a previously\-negotiated TLS session (there is no new information to report). +.IP "\fBtls_required_enable (yes)\fR" +Enable support for the "TLS\-Required: no" message header, defined +in RFC 8689. .SH "OBSOLETE STARTTLS CONTROLS" .na .nf diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink index 5c59da4ee..2a6558538 100755 --- a/postfix/mantools/postlink +++ b/postfix/mantools/postlink @@ -1186,6 +1186,7 @@ while (<>) { s;\ballow_srv_lookup_fallback\b;$&;g; s;\bignore_srv_lookup_error\b;$&;g; + s;\btls_required_enable\b;$&;g; s;\bfull_name_encoding_charset\b;$&;g; # Service-defined parameters... diff --git a/postfix/proto/TLSRPT_README.html b/postfix/proto/TLSRPT_README.html index 32a3fd9db..11bdc5510 100644 --- a/postfix/proto/TLSRPT_README.html +++ b/postfix/proto/TLSRPT_README.html @@ -55,9 +55,9 @@ summaries of successful and failed SMTP over TLS connections to domain specified address. Instead of mailto:, a policy may specify an https: destination.

-

The high-level diagram below shows how TLS handshake success -and failure events from Postfix are collected and processed into -daily summary reports.

+

The diagram below shows how Postfix TLS handshake success and +failure events are collected and processed into daily summary +reports.

diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 5a06d3fb5..abb606368 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -19473,3 +19473,16 @@ skip the full name.

including the netstring encapsulation.

This feature is available in Postfix ≥ 3.10.

+ +%PARAM tls_required_enable yes + +

Enable support for the "TLS-Required: no" message header, defined +in RFC 8689. By adding this header to a message, a sender requests +no enforcement of TLS policy. This limits the Postfix SMTP client +TLS security level to "may", that is, do not verify remote SMTP +server certificates, and fall back to plaintext if TLS is unavailable. +If a message contains a "TLS-Required: no" header, then Postfix +will add that header to a delivery status notification for that +message.

+ +

This feature is available in Postfix ≥ 3.10.

diff --git a/postfix/proto/stop.double-history b/postfix/proto/stop.double-history index ef83bc3c8..15d98a3c3 100644 --- a/postfix/proto/stop.double-history +++ b/postfix/proto/stop.double-history @@ -159,3 +159,4 @@ proto proto socketmap_table qmgr qmgr_deliver c qmgr qmgr_message c qmqpd qmqpd c smtp smtp_proto c smtpd smtpd c verify verify c operations Files cleanup cleanup h cleanup cleanup_message c + proto postconf proto pipe pipe c diff --git a/postfix/proto/stop.spell-cc b/postfix/proto/stop.spell-cc index 7ecd9ce84..34e439196 100644 --- a/postfix/proto/stop.spell-cc +++ b/postfix/proto/stop.spell-cc @@ -1857,3 +1857,4 @@ cntrl TINYCDB getdata XXXSENDOPTS +xtra diff --git a/postfix/src/bounce/bounce.c b/postfix/src/bounce/bounce.c index 1567bada0..04f51553b 100644 --- a/postfix/src/bounce/bounce.c +++ b/postfix/src/bounce/bounce.c @@ -134,6 +134,11 @@ /* Available in Postfix 3.7 and later: /* .IP "\fBheader_from_format (standard)\fR" /* The format of the Postfix-generated \fBFrom:\fR header. +/* .PP +/* Available in Postfix 3.10 and later: +/* .IP "\fBtls_required_enable (yes)\fR" +/* Enable support for the "TLS-Required: no" message header, defined +/* in RFC 8689. /* FILES /* /var/spool/postfix/bounce/* non-delivery records /* /var/spool/postfix/defer/* non-delivery records diff --git a/postfix/src/bounce/bounce_notify_util.c b/postfix/src/bounce/bounce_notify_util.c index 3a077f651..f089e4c04 100644 --- a/postfix/src/bounce/bounce_notify_util.c +++ b/postfix/src/bounce/bounce_notify_util.c @@ -533,6 +533,13 @@ int bounce_header(VSTREAM *bounce, BOUNCE_INFO *bounce_info, post_mail_fprintf(bounce, "In-Reply-To: %s", STR(bounce_info->orig_msgid)); } + /* + * Trade confidentiality against availability. + */ + if (var_tls_required_enable + && (bounce_info->sendopts & SOPT_REQUIRETLS_HEADER) != 0) + post_mail_fprintf(bounce, "TLS-Required: no"); + /* * Auto-Submitted header, as per RFC 3834. */ diff --git a/postfix/src/cleanup/cleanup.c b/postfix/src/cleanup/cleanup.c index 6ef7a02d6..46b225218 100644 --- a/postfix/src/cleanup/cleanup.c +++ b/postfix/src/cleanup/cleanup.c @@ -70,6 +70,7 @@ /* RFC 3463 (Enhanced Status Codes) /* RFC 3464 (Delivery status notifications) /* RFC 5322 (Internet Message Format) +/* RFC 8689 (TLS-Required: message header) /* DIAGNOSTICS /* Problems and transactions are logged to \fBsyslogd\fR(8) /* or \fBpostlogd\fR(8). @@ -390,6 +391,13 @@ /* Enable 'transitional' compatibility between IDNA2003 and IDNA2008, /* when converting UTF-8 domain names to/from the ASCII form that is /* used for DNS lookups. +/* TLS SUPPORT +/* .ad +/* .fi +/* Available in Postfix version 3.10 and later: +/* .IP "\fBtls_required_enable (yes)\fR" +/* Enable support for the "TLS-Required: no" message header, defined +/* in RFC 8689. /* MISCELLANEOUS CONTROLS /* .ad /* .fi diff --git a/postfix/src/cleanup/cleanup_api.c b/postfix/src/cleanup/cleanup_api.c index 60fb49a59..6a0c6dac0 100644 --- a/postfix/src/cleanup/cleanup_api.c +++ b/postfix/src/cleanup/cleanup_api.c @@ -202,7 +202,7 @@ void cleanup_control(CLEANUP_STATE *state, int flags) * definition. */ if (msg_verbose) - msg_info("cleanup flags = %s", cleanup_strflags(flags)); + msg_info("client flags = %s", cleanup_strflags(flags)); if ((state->flags = flags) & CLEANUP_FLAG_BOUNCE) { state->err_mask = CLEANUP_STAT_MASK_INCOMPLETE; } else { @@ -211,6 +211,8 @@ void cleanup_control(CLEANUP_STATE *state, int flags) if (state->flags & CLEANUP_FLAG_SMTPUTF8) state->sendopts |= SMTPUTF8_FLAG_REQUESTED; /* TODO(wietse) REQUIRETLS. */ + if (msg_verbose) + msg_info("server flags = %s", cleanup_strflags(state->flags)); } /* cleanup_flush - finish queue file */ diff --git a/postfix/src/cleanup/cleanup_envelope_test.c b/postfix/src/cleanup/cleanup_envelope_test.c index 2fa168961..eda68e110 100644 --- a/postfix/src/cleanup/cleanup_envelope_test.c +++ b/postfix/src/cleanup/cleanup_envelope_test.c @@ -5,7 +5,6 @@ #include #include #include -#include /* ssscanf() */ #include /* @@ -20,7 +19,6 @@ /* * Global library. */ -#include #include #include #include @@ -135,10 +133,8 @@ static int overrides_size_fields(const TEST_CASE *tp) * Process the test SIZE record payload, clear some bits from the * sendopts field, and write an all-zeroes preliminary SIZE record. */ - VSTRING *output_stream_buf = vstring_alloc(100); - - if ((state->dst = vstream_memopen(output_stream_buf, O_WRONLY)) == 0) { - msg_warn("vstream_memopen(output_stream_buf, O_WRONLY): %m"); + if ((state->dst = vstream_fopen("/dev/null", O_WRONLY, 0)) == 0) { + msg_warn("vstream_fopen(\"/dev/null\", O_WRONLY, 0): %m"); return (FAIL); } cleanup_envelope(state, REC_TYPE_SIZE, vstring_str(input_buf), @@ -151,94 +147,50 @@ static int overrides_size_fields(const TEST_CASE *tp) } vstring_free(input_buf); input_buf = 0; - - /* - * Overwrite the SIZE record with an updated version that includes the - * modified sendopts field. - */ - cleanup_final(state); - if (state->errs != CLEANUP_STAT_OK) { - msg_warn("cleanup_final: got: '%s', want: '%s'", - cleanup_strerror(state->errs), - cleanup_strerror(CLEANUP_STAT_OK)); - return (FAIL); - } (void) vstream_fclose(state->dst); state->dst = 0; /* - * Read the final SIZE record content. This normally happens in the queue - * manager, and in the pickup daemon after a message is re-queued. + * Compare the updated state against the expected content. We expect that + * the fields for xtra_offset, data_offset, rcpt_count, qmgr_opts, and + * cont_length, are consistent with the saved CLEANUP_STATE, and we + * expect to see a specific value for the sendopts field that was + * assigned in cleanup_envelope(). */ - VSTREAM *fp; - - if ((fp = vstream_memopen(output_stream_buf, O_RDONLY)) == 0) { - msg_warn("vstream_memopen(output_stream_buf, O_RDONLY): %m"); - return (FAIL); - } - VSTRING *got_size_payload = vstring_alloc(VSTRING_LEN(output_stream_buf)); - int got_rec_type; - - if ((got_rec_type = rec_get(fp, got_size_payload, 0)) != REC_TYPE_SIZE) { - msg_warn("rec_get: got: %s, want: %s", - rec_type_name(got_rec_type), rec_type_name(REC_TYPE_SIZE)); - return (FAIL); - } - (void) vstream_fclose(fp); - vstring_free(output_stream_buf); - - /* - * Compare the stored SIZE record content against the expected content. - * We expect that the fields for data_size, data_offset, rcpt_count, - * qmgr_opts, and cont_length, are consistent with the saved - * CLEANUP_STATE, and we expect to see a specific value for the sendopts - * field that was made by cleanup_envelope(). - */ - int got_conv; - long data_size, data_offset, cont_length; - int rcpt_count, qmgr_opts, sendopts; - - if ((got_conv = sscanf(vstring_str(got_size_payload), "%ld %ld %d %d %ld %d", - &data_size, &data_offset, &rcpt_count, &qmgr_opts, - &cont_length, &sendopts)) != 6) { - msg_warn("sscanf SIZE record fields: got: %d, want 6", got_conv); - return (FAIL); - } - if (data_size != saved_state.xtra_offset - saved_state.data_offset) { - msg_warn("SIZE.data_size: got %ld, want: %ld", (long) data_size, - (long) (saved_state.xtra_offset - saved_state.data_offset)); + if (state->xtra_offset != saved_state.xtra_offset) { + msg_warn("state->xtra_offset: got %ld, want: %ld", + (long) state->xtra_offset, (long) saved_state.xtra_offset); return (FAIL); } - if (data_offset != saved_state.data_offset) { - msg_warn("SIZE.data_offset: got %ld, want: %ld", (long) data_offset, - (long) saved_state.data_offset); + if (state->data_offset != saved_state.data_offset) { + msg_warn("state->data_offset: got %ld, want: %ld", + (long) state->data_offset, (long) saved_state.data_offset); return (FAIL); } - if (rcpt_count != saved_state.rcpt_count) { - msg_warn("SIZE.rcpt_count: got: %d, want: %d", rcpt_count, - (int) saved_state.rcpt_count); + if (state->rcpt_count != saved_state.rcpt_count) { + msg_warn("state->rcpt_count: got: %ld, want: %ld", + (long) state->rcpt_count, (long) saved_state.rcpt_count); return (FAIL); } - if (qmgr_opts != saved_state.qmgr_opts) { - msg_warn("SIZE.qmgr_opts: got: %d, want: %d", qmgr_opts, - saved_state.qmgr_opts); + if (state->qmgr_opts != saved_state.qmgr_opts) { + msg_warn("state=>qmgr_opts: got: %d, want: %d", + state->qmgr_opts, saved_state.qmgr_opts); return (FAIL); } - if (cont_length != saved_state.cont_length) { - msg_warn("SIZE.cont_length: got %ld, want: %ld", (long) cont_length, - (long) saved_state.cont_length); + if (state->cont_length != saved_state.cont_length) { + msg_warn("state->cont_length: got %ld, want: %ld", + (long) state->cont_length, (long) saved_state.cont_length); return (FAIL); } - if (sendopts != (SOPT_FLAG_ALL & ~SOPT_FLAG_DERIVED)) { - msg_warn("SIZE.sendopts: got: 0x%x, want: 0x%x", - sendopts, SOPT_FLAG_ALL & ~SOPT_FLAG_DERIVED); + if (state->sendopts != (SOPT_FLAG_ALL & ~SOPT_FLAG_DERIVED)) { + msg_warn("state->sendopts: got: 0x%x, want: 0x%x", + state->sendopts, SOPT_FLAG_ALL & ~SOPT_FLAG_DERIVED); return (FAIL); } /* * Cleanup. */ - vstring_free(got_size_payload); cleanup_state_free(state); return (PASS); } diff --git a/postfix/src/cleanup/cleanup_message.c b/postfix/src/cleanup/cleanup_message.c index b9a7e9360..cdff5bf05 100644 --- a/postfix/src/cleanup/cleanup_message.c +++ b/postfix/src/cleanup/cleanup_message.c @@ -653,7 +653,7 @@ static void cleanup_header_callback(void *context, int header_class, if (state->hop_count == 1) argv_add(state->auto_hdrs, vstring_str(header_buf), ARGV_END); } - if (hdr_opts->type == HDR_TLS_REQUIRED) { + if (hdr_opts->type == HDR_TLS_REQUIRED && var_tls_required_enable) { char *cp = vstring_str(header_buf) + strlen(hdr_opts->name) + 1; while (ISSPACE(*cp)) diff --git a/postfix/src/global/mail_params.c b/postfix/src/global/mail_params.c index 5147c0915..5d2171d0a 100644 --- a/postfix/src/global/mail_params.c +++ b/postfix/src/global/mail_params.c @@ -125,9 +125,10 @@ /* bool var_long_queue_ids; /* bool var_daemon_open_fatal; /* char *var_dsn_filter; -/* int var_smtputf8_enable +/* int var_smtputf8_enable; /* int var_strict_smtputf8; /* char *var_smtputf8_autoclass; +/* int var_tls_required_enable; /* int var_idna2003_compat; /* char *var_compatibility_level; /* char *var_drop_hdrs; @@ -369,6 +370,7 @@ char *var_dsn_filter; int var_smtputf8_enable; int var_strict_smtputf8; char *var_smtputf8_autoclass; +int var_tls_required_enable; int var_idna2003_compat; char *var_compatibility_level; char *var_drop_hdrs; @@ -755,6 +757,7 @@ void mail_params_init() VAR_SMTPUTF8_ENABLE, DEF_SMTPUTF8_ENABLE, &var_smtputf8_enable, VAR_IDNA2003_COMPAT, DEF_IDNA2003_COMPAT, &var_idna2003_compat, VAR_RESPECTFUL_LOGGING, DEF_RESPECTFUL_LOGGING, &var_respectful_logging, + VAR_TLSREQUIRED_ENABLE, DEF_TLSREQUIRED_ENABLE, &var_tls_required_enable, 0, }; static const CONFIG_STR_FN_TABLE function_str_defaults[] = { diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index 253929319..8b54490f5 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -4376,6 +4376,13 @@ extern char *var_smtputf8_autoclass; #define DEF_IDNA2003_COMPAT "no" extern int var_idna2003_compat; + /* + * REQUIRETLS support (RFC 8689). + */ +#define VAR_TLSREQUIRED_ENABLE "tls_required_enable" +#define DEF_TLSREQUIRED_ENABLE "yes" +extern int var_tls_required_enable; + /* * Workaround for future incompatibility. Our implementation of RFC 2308 * negative reply caching relies on the promise that res_query() and diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index e52be6f07..825bcae3d 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20250131" +#define MAIL_RELEASE_DATE "20250202" #define MAIL_VERSION_NUMBER "3.10" #ifdef SNAPSHOT diff --git a/postfix/src/pipe/pipe.c b/postfix/src/pipe/pipe.c index ffc30301b..58ff5e0e7 100644 --- a/postfix/src/pipe/pipe.c +++ b/postfix/src/pipe/pipe.c @@ -170,7 +170,8 @@ /* .nf /* \fIRight\fR: command -f $sender -- $recipient /* .fi -/* NOTE: DO NOT put quotes around the command, $sender, or $recipient. +/* .IP +/* NOTE: DO NOT put quotes around the command, $sender, or $recipient. /* .IP /* This feature is available as of Postfix 2.3. /* .IP "\fBsize\fR=\fIsize_limit\fR (optional)" @@ -390,7 +391,7 @@ /* request before it is terminated by a built-in watchdog timer. /* .IP "\fBdelay_logging_resolution_limit (2)\fR" /* The maximal number of digits after the decimal point when logging -/* sub-second delay values. +/* delay values. /* .IP "\fBexport_environment (see 'postconf -d' output)\fR" /* The list of environment variables that a Postfix process will export /* to non-Postfix processes. diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c index b1db77063..38b3771d4 100644 --- a/postfix/src/smtp/smtp.c +++ b/postfix/src/smtp/smtp.c @@ -172,6 +172,7 @@ /* RFC 6531 (Internationalized SMTP) /* RFC 6533 (Internationalized Delivery Status Notifications) /* RFC 7672 (SMTP security via opportunistic DANE TLS) +/* RFC 8689 (TLS-Required message header) /* DIAGNOSTICS /* Problems and transactions are logged to \fBsyslogd\fR(8) /* or \fBpostlogd\fR(8). @@ -638,7 +639,8 @@ /* .IP "\fBsmtp_tls_enable_rpk (no)\fR" /* Request that remote SMTP servers send an RFC7250 raw public key /* instead of an X.509 certificate. -/* .PP Available in Postfix version 3.10 and later: +/* .PP +/* Available in Postfix version 3.10 and later: /* .IP "\fBsmtp_tlsrpt_enable (no)\fR" /* Enable support for RFC 8460 TLSRPT notifications. /* .IP "\fBsmtp_tlsrpt_socket_name (empty)\fR" @@ -648,6 +650,9 @@ /* Do not report the TLSRPT status for TLS protocol handshakes /* that reuse a previously-negotiated TLS session (there is no new /* information to report). +/* .IP "\fBtls_required_enable (yes)\fR" +/* Enable support for the "TLS-Required: no" message header, defined +/* in RFC 8689. /* OBSOLETE STARTTLS CONTROLS /* .ad /* .fi diff --git a/postfix/src/smtp/smtp_connect.c b/postfix/src/smtp/smtp_connect.c index e71e68c4b..2bfff1c93 100644 --- a/postfix/src/smtp/smtp_connect.c +++ b/postfix/src/smtp/smtp_connect.c @@ -534,7 +534,7 @@ static int smtp_get_effective_tls_level(DSN_BUF *why, SMTP_STATE *state) * the message contains a "TLS-Required: no" header, limit the level to * TLS_LEV_MAY. */ - else if (tls->level > TLS_LEV_NONE + else if (var_tls_required_enable && tls->level > TLS_LEV_NONE && (state->request->sendopts & SOPT_REQUIRETLS_HEADER)) { tls->level = TLS_LEV_MAY; } diff --git a/postfix/src/util/Makefile.in b/postfix/src/util/Makefile.in index 7df6ffd94..32ad7fa34 100644 --- a/postfix/src/util/Makefile.in +++ b/postfix/src/util/Makefile.in @@ -1391,6 +1391,14 @@ cidr_match.o: stringops.h cidr_match.o: sys_defs.h cidr_match.o: vbuf.h cidr_match.o: vstring.h +clean_ascii_cntrl_space.o: check_arg.h +clean_ascii_cntrl_space.o: clean_ascii_cntrl_space.c +clean_ascii_cntrl_space.o: clean_ascii_cntrl_space.h +clean_ascii_cntrl_space.o: stringops.h +clean_ascii_cntrl_space.o: sys_defs.h +clean_ascii_cntrl_space.o: vbuf.h +clean_ascii_cntrl_space.o: vstream.h +clean_ascii_cntrl_space.o: vstring.h clean_env.o: argv.h clean_env.o: check_arg.h clean_env.o: clean_env.c @@ -2837,14 +2845,6 @@ trimblanks.o: sys_defs.h trimblanks.o: trimblanks.c trimblanks.o: vbuf.h trimblanks.o: vstring.h -clean_ascii_cntrl_space.o: check_arg.h -clean_ascii_cntrl_space.o: stringops.h -clean_ascii_cntrl_space.o: sys_defs.h -clean_ascii_cntrl_space.o: clean_ascii_cntrl_space.c -clean_ascii_cntrl_space.o: clean_ascii_cntrl_space.h -clean_ascii_cntrl_space.o: vbuf.h -clean_ascii_cntrl_space.o: vstream.h -clean_ascii_cntrl_space.o: vstring.h unescape.o: check_arg.h unescape.o: stringops.h unescape.o: sys_defs.h