From: Wietse Z Venema Date: Thu, 23 Apr 2026 05:00:00 +0000 (-0500) Subject: postfix-3.12-20260423 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;p=thirdparty%2Fpostfix.git postfix-3.12-20260423 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index 8fa7e5c05..0af1781db 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY 
@@ -30964,8 +30964,61 @@ Apologies for any names omitted. Added missing text to manpages. Files: tls/tls_proxy_*_proto.c. +20260419 + + Testing: completed smtpd(8) support to remotely call + tls_server_init() and tls_server_start() in tlsproxy(8); + tlsproxy(8) still ignores that information. This is a + non-production feature that will be used to test tlsproxy(8) + server role support. Files: smtpd/smtpd.c, tlsproxy/tlsproxy.c. + +20260420 + + Code health: completed tlsproxy(8) support to use remote + arguments for tls_server_init() and tls_server_start() + calls. Files: tlsproxy/tlsproxy.c, mantools/postlink, + proto/postconf.proto. + +20260422 + + Code health: completed postscreen(8) support to remotely + call tls_server_init() and tls_server_start() in tlsproxy(8). + Files: postscreen/postscreen.[hc], + postscreen/postscreen_starttls.c, postscreen/postscreen_tls_conf.c + + Code health: script to enforce consistent upper and lower + bounds in Postfix configuration parameter definitions. File: + mantools/check-param-defaults. + + Remaining tech debt: we now have three subtly-different + instances of code that maps main.cf settings to tls_client_xxx() + and tls_server_xxx() arguments. + +20260423 + + Cleanup: silence tlsproxy warnings about harmless differences + in xxx_tls_loglevel parameter names; use the posttls-finger(1) + process name when delegating TLS to a tlsproxy(8) daemon. + Files: tlsproxy/tlsproxy_client.c, tlsproxy/tlsproxy_server.c, + posttls-finger/posttls-finger.c. + + Cleanup: the tlsproxy_client_loglevel_parameter feature is + gone. It was solving the wrong problem, and therefore no-one + should miss it. Files: postconf/postconf_unused.c, + proto/DEPRECATION_README.html, tlsproxy/tlsproxy_client.c, + src/global/mail_params.h. + + Code health: eliminate a null pointer time bomb by assigning + the "service_name" parameter value to the "var_servname" C + variable. 
Every daemon program already sets its service name + value in the configuration parameter dictionary. File: + global/mail_params.c. + TODO Reorganize PTEST_LIB, PMOCK_LIB, TESTLIB, TESTLIBS, etc. Document TLS parameters in tlsproxy(8) and postscreen(8). + + Why are process_name and service_name implemented in different + ways? diff --git a/postfix/Makefile.in b/postfix/Makefile.in index 12575a6b3..aa3713d04 100644 --- a/postfix/Makefile.in +++ b/postfix/Makefile.in @@ -134,6 +134,7 @@ pre-release-checks: update typo-check double-check \ postlink-check postfix-files-check \ postconf-unimplemented-check postconf-undocumented-check \ check-table-proto check-see-postconf-d-output \ + check-param-defaults \ check-snapshot-nonprod postfix-files-check: @@ -188,6 +189,9 @@ check-table-proto: check-see-postconf-d-output: mantools/check-see-postconf-d-output | diff /dev/null - +check-param-defaults: + mantools/check-param-defaults | diff /dev/null - + check-snapshot-nonprod: mantools/check-snapshot-nonprod diff --git a/postfix/README_FILES/DEPRECATION_README b/postfix/README_FILES/DEPRECATION_README index d1729b24b..25aa3e11b 100644 --- a/postfix/README_FILES/DEPRECATION_README +++ b/postfix/README_FILES/DEPRECATION_README 
@@ -54,10 +54,11 @@ the "obsolete feature" name for a more detailed description. _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | |WWaarrnniinngg|RReemmoovveedd| | - |OObbssoolleettee ffeeaattuurree nnaammee |aass | |RReeppllaacceemmeenntt | - | |ooff |iinn | | + |OObbssoolleettee ffeeaattuurree nnaammee |aass ooff |iinn |RReeppllaacceemmeenntt | | |vveerrssiioonn|vveerrssiioonn| | |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |tlsproxy_client_loglevel_parameter | 3.12 | 3.12 |do not specify | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | |authorized_verp_clients | 3.11 | - |smtpd_authorized_verp_clients | |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | |fallback_relay | 3.11 | - |smtp_fallback_relay | diff --git a/postfix/html/DEPRECATION_README.html b/postfix/html/DEPRECATION_README.html index a5fec1f52..79aa897fe 100644 --- a/postfix/html/DEPRECATION_README.html +++ b/postfix/html/DEPRECATION_README.html @@ -100,9 +100,12 @@ detailed description.

- - + + +
Obsolete feature name Warning as
of version -
Removed
in version
Replacement
Obsolete feature name Warning as of version + Removed in version Replacement
tlsproxy_client_loglevel_parameter + 3.12 3.12 + do not specify
authorized_verp_clients 3.11 - diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 70e3a587b..71b2b9e06 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -9617,6 +9617,266 @@ further details.

This feature is available in Postfix 3.4 and later.

+ + +
postscreen_starttls_timeout +(default: $smtpd_starttls_timeout)
+ +

The postscreen(8) equivalent of smtpd_starttls_timeout.

+ +

This feature is available in Postfix 3.12 and later.

+ + +
+ +
postscreen_tls_CAfile +(default: $smtpd_tls_CAfile)
+ +

The postscreen(8) equivalent of smtpd_tls_CAfile.

+ +

This feature is available in Postfix 3.12 and later.

+ + +
+ +
postscreen_tls_CApath +(default: $smtpd_tls_CApath)
+ +

The postscreen(8) equivalent of smtpd_tls_CApath.

+ +

This feature is available in Postfix 3.12 and later.

+ + +
+ +
postscreen_tls_always_issue_session_ids +(default: $smtpd_tls_always_issue_session_ids)
+ +

The postscreen(8) equivalent of smtpd_tls_always_issue_session_ids.

+ +

This feature is available in Postfix 3.12 and later.

+ + +
+ +
postscreen_tls_ask_ccert +(default: $smtpd_tls_ask_ccert)
+ +

The postscreen(8) equivalent of smtpd_tls_ask_ccert.

+ +

This feature is available in Postfix 3.12 and later.

+ + +
+ +
postscreen_tls_ccert_verifydepth +(default: $smtpd_tls_ccert_verifydepth)
+ +

The postscreen(8) equivalent of smtpd_tls_ccert_verifydepth.

+ +

This feature is available in Postfix 3.12 and later.

+ + +
+ +
postscreen_tls_cert_file +(default: $smtpd_tls_cert_file)
+ +

The postscreen(8) equivalent of smtpd_tls_cert_file.

+ +

This feature is available in Postfix 3.12 and later.

+ + +
+ +
postscreen_tls_chain_files +(default: $smtpd_tls_chain_files)
+ +

The postscreen(8) equivalent of smtpd_tls_chain_files.

+ +

This feature is available in Postfix 3.12 and later.

+ + +
+ +
postscreen_tls_ciphers +(default: $smtpd_tls_ciphers)
+ +

The postscreen(8) equivalent of smtpd_tls_ciphers.

+ +

This feature is available in Postfix 3.12 and later.

+ + +
+ +
postscreen_tls_dcert_file +(default: $smtpd_tls_dcert_file)
+ +

The postscreen(8) equivalent of smtpd_tls_dcert_file.

+ +

This feature is available in Postfix 3.12 and later.

+ + +
+ +
postscreen_tls_dh1024_param_file +(default: $smtpd_tls_dh1024_param_file)
+ +

The postscreen(8) equivalent of smtpd_tls_dh1024_param_file.

+ +

This feature is available in Postfix 3.12 and later.

+ + +
+ +
postscreen_tls_dh512_param_file +(default: $smtpd_tls_dh512_param_file)
+ +

The postscreen(8) equivalent of smtpd_tls_dh512_param_file.

+ +

This feature is available in Postfix 3.12 and later.

+ + +
+ +
postscreen_tls_dkey_file +(default: $smtpd_tls_dkey_file)
+ +

The postscreen(8) equivalent of smtpd_tls_dkey_file.

+ +

This feature is available in Postfix 3.12 and later.

+ + +
+ +
postscreen_tls_eccert_file +(default: $smtpd_tls_eccert_file)
+ +

The postscreen(8) equivalent of smtpd_tls_eccert_file.

+ +

This feature is available in Postfix 3.12 and later.

+ + +
+ +
postscreen_tls_eckey_file +(default: $smtpd_tls_eckey_file)
+ +

The postscreen(8) equivalent of smtpd_tls_eckey_file.

+ +

This feature is available in Postfix 3.12 and later.

+ + +
+ +
postscreen_tls_eecdh_grade +(default: $smtpd_tls_eecdh_grade)
+ +

The postscreen(8) equivalent of smtpd_tls_eecdh_grade.

+ +

This feature is available in Postfix 3.12 and later.

+ + +
+ +
postscreen_tls_enable_rpk +(default: $smtpd_tls_enable_rpk)
+ +

The postscreen(8) equivalent of smtpd_tls_enable_rpk.

+ +

This feature is available in Postfix 3.12 and later.

+ + +
+ +
postscreen_tls_exclude_ciphers +(default: $smtpd_tls_exclude_ciphers)
+ +

The postscreen(8) equivalent of smtpd_tls_exclude_ciphers.

+ +

This feature is available in Postfix 3.12 and later.

+ + +
+ +
postscreen_tls_fingerprint_digest +(default: $smtpd_tls_fingerprint_digest)
+ +

The postscreen(8) equivalent of smtpd_tls_fingerprint_digest.

+ +

This feature is available in Postfix 3.12 and later.

+ + +
+ +
postscreen_tls_key_file +(default: $smtpd_tls_key_file)
+ +

The postscreen(8) equivalent of smtpd_tls_key_file.

+ +

This feature is available in Postfix 3.12 and later.

+ + +
+ +
postscreen_tls_loglevel +(default: $smtpd_tls_loglevel)
+ +

The postscreen(8) equivalent of smtpd_tls_loglevel.

+ +

This feature is available in Postfix 3.12 and later.

+ + +
+ +
postscreen_tls_mandatory_ciphers +(default: $smtpd_tls_mandatory_ciphers)
+ +

The postscreen(8) equivalent of smtpd_tls_mandatory_ciphers.

+ +

This feature is available in Postfix 3.12 and later.

+ + +
+ +
postscreen_tls_mandatory_exclude_ciphers +(default: $smtpd_tls_mandatory_exclude_ciphers)
+ +

The postscreen(8) equivalent of smtpd_tls_mandatory_exclude_ciphers.

+ +

This feature is available in Postfix 3.12 and later.

+ + +
+ +
postscreen_tls_mandatory_protocols +(default: $smtpd_tls_mandatory_protocols)
+ +

The postscreen(8) equivalent of smtpd_tls_mandatory_protocols.

+ +

This feature is available in Postfix 3.12 and later.

+ + +
+ +
postscreen_tls_protocols +(default: $smtpd_tls_protocols)
+ +

The postscreen(8) equivalent of smtpd_tls_protocols.

+ +

This feature is available in Postfix 3.12 and later.

+ + +
+ +
postscreen_tls_req_ccert +(default: $smtpd_tls_req_ccert)
+ +

The postscreen(8) equivalent of smtpd_tls_req_ccert.

+ +

This feature is available in Postfix 3.12 and later.

+ +
postscreen_tls_security_level @@ -22344,7 +22604,7 @@ activity. See smtp_tls_loglevel

The name of the parameter that provides the tlsproxy_client_loglevel value.

-

This feature is available in Postfix 3.4 and later.

+

This feature is available in Postfix 3.4 through 3.11.

diff --git a/postfix/html/postscreen.8.html b/postfix/html/postscreen.8.html index 52a4e206c..cbb409a56 100644 --- a/postfix/html/postscreen.8.html +++ b/postfix/html/postscreen.8.html @@ -307,7 +307,9 @@ POSTSCREEN(8) POSTSCREEN(8) postscreen_cache_cleanup_interval (12h) The amount of time between postscreen(8) cache cleanup runs. - postscreen_cache_map (btree:$data_directory/postscreen_cache) + postscreen_cache_map (Postfix >= 3.11: + $default_cache_db_type:$data_directory/postscreen_cache; Postfix < + 3.11: btree:$data_directory/postscreen_cache) Persistent storage for the postscreen(8) server decisions. postscreen_cache_retention_time (7d) 
@@ -386,6 +388,90 @@ POSTSCREEN(8) POSTSCREEN(8) tlsproxy_service_name (tlsproxy) The name of the tlsproxy(8) service entry in master.cf. + Available with Postfix 3.12 and later: + + postscreen_starttls_timeout ($smtpd_starttls_timeout) + The postscreen(8) equivalent of smtpd_starttls_timeout. + + postscreen_tls_always_issue_session_ids ($smtpd_tls_always_issue_ses- + sion_ids) + The postscreen(8) equivalent of smtpd_tls_always_issue_ses- + sion_ids. + + postscreen_tls_ask_ccert ($smtpd_tls_ask_ccert) + The postscreen(8) equivalent of smtpd_tls_ask_ccert. + + postscreen_tls_CAfile ($smtpd_tls_CAfile) + The postscreen(8) equivalent of smtpd_tls_CAfile. + + postscreen_tls_CApath ($smtpd_tls_CApath) + The postscreen(8) equivalent of smtpd_tls_CApath. + + postscreen_tls_ccert_verifydepth ($smtpd_tls_ccert_verifydepth) + The postscreen(8) equivalent of smtpd_tls_ccert_verifydepth. + + postscreen_tls_cert_file ($smtpd_tls_cert_file) + The postscreen(8) equivalent of smtpd_tls_cert_file. + + postscreen_tls_chain_files ($smtpd_tls_chain_files) + The postscreen(8) equivalent of smtpd_tls_chain_files. + + postscreen_tls_ciphers ($smtpd_tls_ciphers) + The postscreen(8) equivalent of smtpd_tls_ciphers. + + postscreen_tls_dcert_file ($smtpd_tls_dcert_file) + The postscreen(8) equivalent of smtpd_tls_dcert_file. + + postscreen_tls_dh1024_param_file ($smtpd_tls_dh1024_param_file) + The postscreen(8) equivalent of smtpd_tls_dh1024_param_file. + + postscreen_tls_dh512_param_file ($smtpd_tls_dh512_param_file) + The postscreen(8) equivalent of smtpd_tls_dh512_param_file. + + postscreen_tls_dkey_file ($smtpd_tls_dkey_file) + The postscreen(8) equivalent of smtpd_tls_dkey_file. + + postscreen_tls_eccert_file ($smtpd_tls_eccert_file) + The postscreen(8) equivalent of smtpd_tls_eccert_file. + + postscreen_tls_eckey_file ($smtpd_tls_eckey_file) + The postscreen(8) equivalent of smtpd_tls_eckey_file. 
+ + postscreen_tls_eecdh_grade ($smtpd_tls_eecdh_grade) + The postscreen(8) equivalent of smtpd_tls_eecdh_grade. + + postscreen_tls_enable_rpk ($smtpd_tls_enable_rpk) + The postscreen(8) equivalent of smtpd_tls_enable_rpk. + + postscreen_tls_exclude_ciphers ($smtpd_tls_exclude_ciphers) + The postscreen(8) equivalent of smtpd_tls_exclude_ciphers. + + postscreen_tls_fingerprint_digest ($smtpd_tls_fingerprint_digest) + The postscreen(8) equivalent of smtpd_tls_fingerprint_digest. + + postscreen_tls_key_file ($smtpd_tls_key_file) + The postscreen(8) equivalent of smtpd_tls_key_file. + + postscreen_tls_loglevel ($smtpd_tls_loglevel) + The postscreen(8) equivalent of smtpd_tls_loglevel. + + postscreen_tls_mandatory_ciphers ($smtpd_tls_mandatory_ciphers) + The postscreen(8) equivalent of smtpd_tls_mandatory_ciphers. + + postscreen_tls_mandatory_exclude_ciphers ($smtpd_tls_manda- + tory_exclude_ciphers) + The postscreen(8) equivalent of smtpd_tls_manda- + tory_exclude_ciphers. + + postscreen_tls_mandatory_protocols ($smtpd_tls_mandatory_protocols) + The postscreen(8) equivalent of smtpd_tls_mandatory_protocols. + + postscreen_tls_protocols ($smtpd_tls_protocols) + The postscreen(8) equivalent of smtpd_tls_protocols. + + postscreen_tls_req_ccert ($smtpd_tls_req_ccert) + The postscreen(8) equivalent of smtpd_tls_req_ccert. + OBSOLETE STARTTLS SUPPORT CONTROLS These parameters are supported for compatibility with smtpd(8) legacy parameters. diff --git a/postfix/html/tlsproxy.8.html b/postfix/html/tlsproxy.8.html index 58d68a542..89b152a0c 100644 --- a/postfix/html/tlsproxy.8.html +++ b/postfix/html/tlsproxy.8.html 
@@ -342,51 +342,47 @@ TLSPROXY(8) TLSPROXY(8) Enable additional Postfix tlsproxy(8) client logging of TLS activity. - tlsproxy_client_loglevel_parameter (smtp_tls_loglevel) - The name of the parameter that provides the - tlsproxy_client_loglevel value. - tlsproxy_client_scert_verifydepth ($smtp_tls_scert_verifydepth) The verification depth for remote TLS server certificates. tlsproxy_client_use_tls ($smtp_use_tls) - Opportunistic mode: use TLS when a remote server announces TLS + Opportunistic mode: use TLS when a remote server announces TLS support. tlsproxy_client_enforce_tls ($smtp_enforce_tls) - Enforcement mode: require that SMTP servers use TLS encryption. + Enforcement mode: require that SMTP servers use TLS encryption. tlsproxy_client_per_site ($smtp_tls_per_site) - Optional lookup tables with the Postfix tlsproxy(8) client TLS - usage policy by next-hop destination and by remote TLS server + Optional lookup tables with the Postfix tlsproxy(8) client TLS + usage policy by next-hop destination and by remote TLS server hostname. Available in Postfix version 3.4-3.6: tlsproxy_client_level ($smtp_tls_security_level) - The default TLS security level for the Postfix tlsproxy(8) + The default TLS security level for the Postfix tlsproxy(8) client. tlsproxy_client_policy ($smtp_tls_policy_maps) - Optional lookup tables with the Postfix tlsproxy(8) client TLS + Optional lookup tables with the Postfix tlsproxy(8) client TLS security policy by next-hop destination. Available in Postfix version 3.7 and later: tlsproxy_client_security_level ($smtp_tls_security_level) - The default TLS security level for the Postfix tlsproxy(8) + The default TLS security level for the Postfix tlsproxy(8) client. tlsproxy_client_policy_maps ($smtp_tls_policy_maps) - Optional lookup tables with the Postfix tlsproxy(8) client TLS + Optional lookup tables with the Postfix tlsproxy(8) client TLS security policy by next-hop destination. 
OBSOLETE STARTTLS SUPPORT CONTROLS - These parameters are supported for compatibility with smtpd(8) legacy + These parameters are supported for compatibility with smtpd(8) legacy parameters. tlsproxy_use_tls ($smtpd_use_tls) - Opportunistic TLS: announce STARTTLS support to remote SMTP + Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do not require that clients use TLS encryption. tlsproxy_enforce_tls ($smtpd_enforce_tls) @@ -394,11 +390,11 @@ TLSPROXY(8) TLSPROXY(8) and require that clients use TLS encryption. tlsproxy_client_use_tls ($smtp_use_tls) - Opportunistic mode: use TLS when a remote server announces TLS + Opportunistic mode: use TLS when a remote server announces TLS support. tlsproxy_client_enforce_tls ($smtp_enforce_tls) - Enforcement mode: require that SMTP servers use TLS encryption. + Enforcement mode: require that SMTP servers use TLS encryption. RESOURCE CONTROLS tlsproxy_watchdog_timeout (10s) @@ -407,7 +403,7 @@ TLSPROXY(8) TLSPROXY(8) MISCELLANEOUS CONTROLS config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and master.cf con- + The default location of the Postfix main.cf and master.cf con- figuration files. process_id (read-only) @@ -420,7 +416,7 @@ TLSPROXY(8) TLSPROXY(8) The syslog facility of Postfix logging. syslog_name (see 'postconf -d' output) - A prefix that is prepended to the process name in syslog + A prefix that is prepended to the process name in syslog records, so that, for example, "smtpd" becomes "prefix/smtpd". Available in Postfix 3.3 and later: diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index cf5256093..a1765cac5 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 
@@ -6022,6 +6022,110 @@ or 5XX \fBpostscreen\fR(8) server response. See smtpd_reject_footer_maps for further details. .PP This feature is available in Postfix 3.4 and later. +.SH postscreen_starttls_timeout (default: $smtpd_starttls_timeout) +The \fBpostscreen\fR(8) equivalent of smtpd_starttls_timeout. +.PP +This feature is available in Postfix 3.12 and later. +.SH postscreen_tls_CAfile (default: $smtpd_tls_CAfile) +The \fBpostscreen\fR(8) equivalent of smtpd_tls_CAfile. +.PP +This feature is available in Postfix 3.12 and later. +.SH postscreen_tls_CApath (default: $smtpd_tls_CApath) +The \fBpostscreen\fR(8) equivalent of smtpd_tls_CApath. +.PP +This feature is available in Postfix 3.12 and later. +.SH postscreen_tls_always_issue_session_ids (default: $smtpd_tls_always_issue_session_ids) +The \fBpostscreen\fR(8) equivalent of smtpd_tls_always_issue_session_ids. +.PP +This feature is available in Postfix 3.12 and later. +.SH postscreen_tls_ask_ccert (default: $smtpd_tls_ask_ccert) +The \fBpostscreen\fR(8) equivalent of smtpd_tls_ask_ccert. +.PP +This feature is available in Postfix 3.12 and later. +.SH postscreen_tls_ccert_verifydepth (default: $smtpd_tls_ccert_verifydepth) +The \fBpostscreen\fR(8) equivalent of smtpd_tls_ccert_verifydepth. +.PP +This feature is available in Postfix 3.12 and later. +.SH postscreen_tls_cert_file (default: $smtpd_tls_cert_file) +The \fBpostscreen\fR(8) equivalent of smtpd_tls_cert_file. +.PP +This feature is available in Postfix 3.12 and later. +.SH postscreen_tls_chain_files (default: $smtpd_tls_chain_files) +The \fBpostscreen\fR(8) equivalent of smtpd_tls_chain_files. +.PP +This feature is available in Postfix 3.12 and later. +.SH postscreen_tls_ciphers (default: $smtpd_tls_ciphers) +The \fBpostscreen\fR(8) equivalent of smtpd_tls_ciphers. +.PP +This feature is available in Postfix 3.12 and later. +.SH postscreen_tls_dcert_file (default: $smtpd_tls_dcert_file) +The \fBpostscreen\fR(8) equivalent of smtpd_tls_dcert_file. 
+.PP +This feature is available in Postfix 3.12 and later. +.SH postscreen_tls_dh1024_param_file (default: $smtpd_tls_dh1024_param_file) +The \fBpostscreen\fR(8) equivalent of smtpd_tls_dh1024_param_file. +.PP +This feature is available in Postfix 3.12 and later. +.SH postscreen_tls_dh512_param_file (default: $smtpd_tls_dh512_param_file) +The \fBpostscreen\fR(8) equivalent of smtpd_tls_dh512_param_file. +.PP +This feature is available in Postfix 3.12 and later. +.SH postscreen_tls_dkey_file (default: $smtpd_tls_dkey_file) +The \fBpostscreen\fR(8) equivalent of smtpd_tls_dkey_file. +.PP +This feature is available in Postfix 3.12 and later. +.SH postscreen_tls_eccert_file (default: $smtpd_tls_eccert_file) +The \fBpostscreen\fR(8) equivalent of smtpd_tls_eccert_file. +.PP +This feature is available in Postfix 3.12 and later. +.SH postscreen_tls_eckey_file (default: $smtpd_tls_eckey_file) +The \fBpostscreen\fR(8) equivalent of smtpd_tls_eckey_file. +.PP +This feature is available in Postfix 3.12 and later. +.SH postscreen_tls_eecdh_grade (default: $smtpd_tls_eecdh_grade) +The \fBpostscreen\fR(8) equivalent of smtpd_tls_eecdh_grade. +.PP +This feature is available in Postfix 3.12 and later. +.SH postscreen_tls_enable_rpk (default: $smtpd_tls_enable_rpk) +The \fBpostscreen\fR(8) equivalent of smtpd_tls_enable_rpk. +.PP +This feature is available in Postfix 3.12 and later. +.SH postscreen_tls_exclude_ciphers (default: $smtpd_tls_exclude_ciphers) +The \fBpostscreen\fR(8) equivalent of smtpd_tls_exclude_ciphers. +.PP +This feature is available in Postfix 3.12 and later. +.SH postscreen_tls_fingerprint_digest (default: $smtpd_tls_fingerprint_digest) +The \fBpostscreen\fR(8) equivalent of smtpd_tls_fingerprint_digest. +.PP +This feature is available in Postfix 3.12 and later. +.SH postscreen_tls_key_file (default: $smtpd_tls_key_file) +The \fBpostscreen\fR(8) equivalent of smtpd_tls_key_file. +.PP +This feature is available in Postfix 3.12 and later. 
+.SH postscreen_tls_loglevel (default: $smtpd_tls_loglevel) +The \fBpostscreen\fR(8) equivalent of smtpd_tls_loglevel. +.PP +This feature is available in Postfix 3.12 and later. +.SH postscreen_tls_mandatory_ciphers (default: $smtpd_tls_mandatory_ciphers) +The \fBpostscreen\fR(8) equivalent of smtpd_tls_mandatory_ciphers. +.PP +This feature is available in Postfix 3.12 and later. +.SH postscreen_tls_mandatory_exclude_ciphers (default: $smtpd_tls_mandatory_exclude_ciphers) +The \fBpostscreen\fR(8) equivalent of smtpd_tls_mandatory_exclude_ciphers. +.PP +This feature is available in Postfix 3.12 and later. +.SH postscreen_tls_mandatory_protocols (default: $smtpd_tls_mandatory_protocols) +The \fBpostscreen\fR(8) equivalent of smtpd_tls_mandatory_protocols. +.PP +This feature is available in Postfix 3.12 and later. +.SH postscreen_tls_protocols (default: $smtpd_tls_protocols) +The \fBpostscreen\fR(8) equivalent of smtpd_tls_protocols. +.PP +This feature is available in Postfix 3.12 and later. +.SH postscreen_tls_req_ccert (default: $smtpd_tls_req_ccert) +The \fBpostscreen\fR(8) equivalent of smtpd_tls_req_ccert. +.PP +This feature is available in Postfix 3.12 and later. .SH postscreen_tls_security_level (default: $smtpd_tls_security_level) The SMTP TLS security level for the \fBpostscreen\fR(8) server; when a non\-empty value is specified, this overrides the obsolete parameters @@ -15876,7 +15980,7 @@ This feature is available in Postfix 3.4 and later. The name of the parameter that provides the tlsproxy_client_loglevel value. .PP -This feature is available in Postfix 3.4 and later. +This feature is available in Postfix 3.4 through 3.11. .SH tlsproxy_client_per_site (default: $smtp_tls_per_site) Optional lookup tables with the Postfix \fBtlsproxy\fR(8) client TLS usage policy by next\-hop destination and by remote TLS server diff --git a/postfix/man/man8/postscreen.8 b/postfix/man/man8/postscreen.8 index 07013ea98..bec651ffb 100644 --- a/postfix/man/man8/postscreen.8 
+++ b/postfix/man/man8/postscreen.8 @@ -317,7 +317,7 @@ server. .fi .IP "\fBpostscreen_cache_cleanup_interval (12h)\fR" The amount of time between \fBpostscreen\fR(8) cache cleanup runs. -.IP "\fBpostscreen_cache_map (btree:$data_directory/postscreen_cache)\fR" +.IP "\fBpostscreen_cache_map (Postfix >= 3.11: $default_cache_db_type:$data_directory/postscreen_cache; Postfix < 3.11: btree:$data_directory/postscreen_cache)\fR" Persistent storage for the \fBpostscreen\fR(8) server decisions. .IP "\fBpostscreen_cache_retention_time (7d)\fR" The amount of time that \fBpostscreen\fR(8) will cache an expired 
@@ -387,6 +387,60 @@ a non\-empty value is specified, this overrides the obsolete parameters postscreen_use_tls and postscreen_enforce_tls. .IP "\fBtlsproxy_service_name (tlsproxy)\fR" The name of the \fBtlsproxy\fR(8) service entry in master.cf. +.PP +Available with Postfix 3.12 and later: +.IP "\fBpostscreen_starttls_timeout ($smtpd_starttls_timeout)\fR" +The \fBpostscreen\fR(8) equivalent of smtpd_starttls_timeout. +.IP "\fBpostscreen_tls_always_issue_session_ids ($smtpd_tls_always_issue_session_ids)\fR" +The \fBpostscreen\fR(8) equivalent of smtpd_tls_always_issue_session_ids. +.IP "\fBpostscreen_tls_ask_ccert ($smtpd_tls_ask_ccert)\fR" +The \fBpostscreen\fR(8) equivalent of smtpd_tls_ask_ccert. +.IP "\fBpostscreen_tls_CAfile ($smtpd_tls_CAfile)\fR" +The \fBpostscreen\fR(8) equivalent of smtpd_tls_CAfile. +.IP "\fBpostscreen_tls_CApath ($smtpd_tls_CApath)\fR" +The \fBpostscreen\fR(8) equivalent of smtpd_tls_CApath. +.IP "\fBpostscreen_tls_ccert_verifydepth ($smtpd_tls_ccert_verifydepth)\fR" +The \fBpostscreen\fR(8) equivalent of smtpd_tls_ccert_verifydepth. +.IP "\fBpostscreen_tls_cert_file ($smtpd_tls_cert_file)\fR" +The \fBpostscreen\fR(8) equivalent of smtpd_tls_cert_file. +.IP "\fBpostscreen_tls_chain_files ($smtpd_tls_chain_files)\fR" +The \fBpostscreen\fR(8) equivalent of smtpd_tls_chain_files. +.IP "\fBpostscreen_tls_ciphers ($smtpd_tls_ciphers)\fR" +The \fBpostscreen\fR(8) equivalent of smtpd_tls_ciphers. +.IP "\fBpostscreen_tls_dcert_file ($smtpd_tls_dcert_file)\fR" +The \fBpostscreen\fR(8) equivalent of smtpd_tls_dcert_file. +.IP "\fBpostscreen_tls_dh1024_param_file ($smtpd_tls_dh1024_param_file)\fR" +The \fBpostscreen\fR(8) equivalent of smtpd_tls_dh1024_param_file. +.IP "\fBpostscreen_tls_dh512_param_file ($smtpd_tls_dh512_param_file)\fR" +The \fBpostscreen\fR(8) equivalent of smtpd_tls_dh512_param_file. +.IP "\fBpostscreen_tls_dkey_file ($smtpd_tls_dkey_file)\fR" +The \fBpostscreen\fR(8) equivalent of smtpd_tls_dkey_file. 
+.IP "\fBpostscreen_tls_eccert_file ($smtpd_tls_eccert_file)\fR" +The \fBpostscreen\fR(8) equivalent of smtpd_tls_eccert_file. +.IP "\fBpostscreen_tls_eckey_file ($smtpd_tls_eckey_file)\fR" +The \fBpostscreen\fR(8) equivalent of smtpd_tls_eckey_file. +.IP "\fBpostscreen_tls_eecdh_grade ($smtpd_tls_eecdh_grade)\fR" +The \fBpostscreen\fR(8) equivalent of smtpd_tls_eecdh_grade. +.IP "\fBpostscreen_tls_enable_rpk ($smtpd_tls_enable_rpk)\fR" +The \fBpostscreen\fR(8) equivalent of smtpd_tls_enable_rpk. +.IP "\fBpostscreen_tls_exclude_ciphers ($smtpd_tls_exclude_ciphers)\fR" +The \fBpostscreen\fR(8) equivalent of smtpd_tls_exclude_ciphers. +.IP "\fBpostscreen_tls_fingerprint_digest ($smtpd_tls_fingerprint_digest)\fR" +The \fBpostscreen\fR(8) equivalent of smtpd_tls_fingerprint_digest. +.IP "\fBpostscreen_tls_key_file ($smtpd_tls_key_file)\fR" +The \fBpostscreen\fR(8) equivalent of smtpd_tls_key_file. +.IP "\fBpostscreen_tls_loglevel ($smtpd_tls_loglevel)\fR" +The \fBpostscreen\fR(8) equivalent of smtpd_tls_loglevel. +.IP "\fBpostscreen_tls_mandatory_ciphers ($smtpd_tls_mandatory_ciphers)\fR" +The \fBpostscreen\fR(8) equivalent of smtpd_tls_mandatory_ciphers. +.IP "\fBpostscreen_tls_mandatory_exclude_ciphers ($smtpd_tls_mandatory_exclude_ciphers)\fR" +The \fBpostscreen\fR(8) equivalent of smtpd_tls_mandatory_exclude_ciphers. +.IP "\fBpostscreen_tls_mandatory_protocols ($smtpd_tls_mandatory_protocols)\fR" +The \fBpostscreen\fR(8) equivalent of smtpd_tls_mandatory_protocols. +.IP "\fBpostscreen_tls_protocols ($smtpd_tls_protocols)\fR" +The \fBpostscreen\fR(8) equivalent of smtpd_tls_protocols. +.IP "\fBpostscreen_tls_req_ccert ($smtpd_tls_req_ccert)\fR" +The \fBpostscreen\fR(8) equivalent of smtpd_tls_req_ccert. .SH "OBSOLETE STARTTLS SUPPORT CONTROLS" .na .nf diff --git a/postfix/man/man8/tlsproxy.8 b/postfix/man/man8/tlsproxy.8 index 727140175..25089cac5 100644 --- a/postfix/man/man8/tlsproxy.8 +++ b/postfix/man/man8/tlsproxy.8 
@@ -308,9 +308,6 @@ certificate fingerprints. .IP "\fBtlsproxy_client_loglevel ($smtp_tls_loglevel)\fR" Enable additional Postfix \fBtlsproxy\fR(8) client logging of TLS activity. -.IP "\fBtlsproxy_client_loglevel_parameter (smtp_tls_loglevel)\fR" -The name of the parameter that provides the tlsproxy_client_loglevel -value. .IP "\fBtlsproxy_client_scert_verifydepth ($smtp_tls_scert_verifydepth)\fR" The verification depth for remote TLS server certificates. .IP "\fBtlsproxy_client_use_tls ($smtp_use_tls)\fR" diff --git a/postfix/mantools/check-param-defaults b/postfix/mantools/check-param-defaults new file mode 100755 index 000000000..4569606f7 --- /dev/null +++ b/postfix/mantools/check-param-defaults 
@@ -0,0 +1,43 @@
+#!/bin/sh
+
+# Verify the consistency of upper and lower bounds in definitions for
+# the same parameter in different programs. Also verify the consistency
+# between smtpd versus postscreen, smtpd versus tlsproxy, and smtp
+# versus tlsproxy.
+
+# Verify the consistency of instances for the same parameter.
+
+grep -h '^[ ]*VAR_[^,]*, DEF_[^,]*, &' src/*/*.c | awk '
+ NF > 3 { print $1, $2, $3, $4, $5 }
+' | sort -u | grep -v VAR_LMTP_TLS_LOGLEVEL | awk '
+ $1 == last1 { print last_all; print $0; print "" }
+ { last1 = $1; last_all = $0 }
+'
+
+# Verify consistency between smtpd_xxx and postscreen_xxx instances.
+
+grep -h '^[ ]*VAR_[^,]*, DEF_[^,]*, &' src/*/*.c | awk '
+ NF > 3 { print $1, $2, $3, $4, $5 }
+' | sed 's/SMTPD_/PSC_/g; s/smtpd_/psc_/g' | grep PSC_ | sort -u | awk '
+ $1 == last1 { print "smtpd/postscreen"; print last_all; print $0; print "" }
+ { last1 = $1; last_all = $0 }
+'
+
+# Verify consistency between smtpd_xxx and tlsproxy_xxx instances.
+
+grep -h '^[ ]*VAR_[^,]*, DEF_[^,]*, &' src/*/*.c | awk '
+ NF > 3 { print $1, $2, $3, $4, $5 }
+' | sed 's/SMTPD_/TLSP_/g; s/smtpd_/tlsp_/g' | grep TLSP_ | sort -u | awk '
+ $1 == last1 { print "tlsproxy/smtpd"; print last_all; print $0; print "" }
+ { last1 = $1; last_all = $0 }
+'
+
+# Verify consistency between smtp_tls_xxx and tlsproxy_client_xxx instances.
+# TODO:" rename TLSP_CLNT_CAFILE to TLSP_CLNT_CA_FILE.
+
+grep -h '^[ ]*VAR_[^,]*, DEF_[^,]*, &' src/*/*.c | awk '
+ NF > 3 { print $1, $2, $3, $4, $5 }
+' | sed 's/SMTP_TLS_/TLSP_CLNT_/g; s/smtp_tls_/tlsp_clnt_/g' | grep TLSP_ | sort -u | awk '
+ $1 == last1 { print "tlsproxy/smtp"; print last_all; print $0; print "" }
+ { last1 = $1; last_all = $0 }
+'
diff --git a/postfix/mantools/check-postconf-unimplemented b/postfix/mantools/check-postconf-unimplemented
index 14036a699..a01965dce 100755
--- a/postfix/mantools/check-postconf-unimplemented
+++ b/postfix/mantools/check-postconf-unimplemented
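Review bot: The `grep -h '^[ ]*VAR_[^,]*, DEF_[^,]*, &' src/*/*.c | awk 'NF > 3 ...'` extraction is repeated verbatim in all four checks of this new script, and the first check is the only one whose mismatch report carries no label, so when `make check-param-defaults` pipes the combined output through `diff /dev/null -` a pair from the same-parameter check cannot be told apart from the three labelled checks. Extracting the line extraction and the pair-reporting awk into two shell functions removes the duplication and gives every check a tag (sketch below; the remaining two checks follow the same pattern). Two smaller points in the same hunk: the `grep -v VAR_LMTP_TLS_LOGLEVEL` exclusion should state why that name is skipped, e.g. `# VAR_LMTP_TLS_LOGLEVEL is excluded because <reason to be filled in>`, and the comment before the last check has a stray quote and should read `# TODO: rename TLSP_CLNT_CAFILE to TLSP_CLNT_CA_FILE.`. The `src/*/*.c` paths are relative, so the script only works from the postfix source root (which is how Makefile.in invokes it); a header line such as `# Run from the postfix source root, e.g. via "make check-param-defaults".` would spare the next maintainer a puzzling grep error.
```shell
#!/bin/sh

# … unchanged: header comment …

# Print "VAR_xxx, DEF_xxx, &var_xxx, lower, upper" for every parameter
# definition that carries bounds; entries without bounds (NF <= 3) are
# skipped. Relies on being run from the postfix source root.
param_defs() {
    grep -h '^[ ]*VAR_[^,]*, DEF_[^,]*, &' src/*/*.c | awk '
	NF > 3 { print $1, $2, $3, $4, $5 }
    '
}

# Report adjacent pairs with the same first field; after sort -u such
# pairs necessarily differ in some other field. $1 is the report tag.
report_dups() {
    awk -v tag="$1" '
	$1 == last1 { print tag; print last_all; print $0; print "" }
	{ last1 = $1; last_all = $0 }
    '
}

# Verify the consistency of instances for the same parameter.
# VAR_LMTP_TLS_LOGLEVEL is excluded because <reason to be filled in>.
param_defs | sort -u | grep -v VAR_LMTP_TLS_LOGLEVEL | report_dups "same parameter"

# Verify consistency between smtpd_xxx and postscreen_xxx instances.
param_defs | sed 's/SMTPD_/PSC_/g; s/smtpd_/psc_/g' | grep PSC_ | sort -u | report_dups "smtpd/postscreen"

# … unchanged: the tlsproxy/smtpd and tlsproxy/smtp checks, rewritten the same way …
```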
@@ -74,6 +74,7 @@ tlsproxy_client_level tlsproxy_client_policy tlsproxy_tls_session_cache_timeout virtual_maps +tlsproxy_client_loglevel_parameter EOF # Eliminate config functions. The are documented in the postconf(5) diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink index d7d78a128..8affa0b62 100755 --- a/postfix/mantools/postlink +++ b/postfix/mantools/postlink @@ -1215,6 +1215,35 @@ while (<>) { s;\bfull_name_encoding_charset\b;$&;g; s;\bsmtpd_hide_client_session\b;$&;g; + # postscreen 3.12 + + s;\bpostscreen_starttls_timeout\b;$&;g; + s;\bpostscreen_tls_always_issue_session_ids\b;$&;g; + s;\bpostscreen_tls_ask_ccert\b;$&;g; + s;\bpostscreen_tls_CAfile\b;$&;g; + s;\bpostscreen_tls_CApath\b;$&;g; + s;\bpostscreen_tls_cert_file\b;$&;g; + s;\bpostscreen_tls_chain_files\b;$&;g; + s;\bpostscreen_tls_ciphers\b;$&;g; + s;\bpostscreen_tls_dcert_file\b;$&;g; + s;\bpostscreen_tls_dh1024_param_file\b;$&;g; + s;\bpostscreen_tls_dh512_param_file\b;$&;g; + s;\bpostscreen_tls_dkey_file\b;$&;g; + s;\bpostscreen_tls_eccert_file\b;$&;g; + s;\bpostscreen_tls_eckey_file\b;$&;g; + s;\bpostscreen_tls_eecdh_grade\b;$&;g; + s;\bpostscreen_tls_enable_rpk\b;$&;g; + s;\bpostscreen_tls_exclude_ciphers\b;$&;g; + s;\bpostscreen_tls_fingerprint_digest\b;$&;g; + s;\bpostscreen_tls_key_file\b;$&;g; + s;\bpostscreen_tls_loglevel\b;$&;g; + s;\bpostscreen_tls_mandatory_ciphers\b;$&;g; + s;\bpostscreen_tls_mandatory_exclude_ciphers\b;$&;g; + s;\bpostscreen_tls_mandatory_protocols\b;$&;g; + s;\bpostscreen_tls_protocols\b;$&;g; + s;\bpostscreen_tls_req_ccert\b;$&;g; + s;\bpostscreen_tls_ccert_verifydepth\b;$&;g; + # Service-defined parameters... s;\bpolicy_time_limit\b;$&;g; diff --git a/postfix/proto/DEPRECATION_README.html b/postfix/proto/DEPRECATION_README.html index dad5fe86e..7be42d9a3 100644 --- a/postfix/proto/DEPRECATION_README.html +++ b/postfix/proto/DEPRECATION_README.html @@ -100,9 +100,12 @@ detailed description.

- - + + +
Obsolete feature name Warning as
of version -
Removed
in version
Replacement
Obsolete feature name Warning as of version + Removed in version Replacement
tlsproxy_client_loglevel_parameter + 3.12 3.12 + do not specify
authorized_verp_clients 3.11 - diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 253fc6ebc..f175e65c4 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -18216,7 +18216,7 @@ activity. See smtp_tls_loglevel for further details.

The name of the parameter that provides the tlsproxy_client_loglevel value.

-

This feature is available in Postfix 3.4 and later.

+

This feature is available in Postfix 3.4 through 3.11.

%PARAM tlsproxy_client_scert_verifydepth $smtp_tls_scert_verifydepth @@ -20705,3 +20705,159 @@ service queries and the client connection will be reported "Trusted" in the logs.

This feature is available in Postfix ≥ 3.12.

+ +%PARAM postscreen_starttls_timeout $smtpd_starttls_timeout + +

The postscreen(8) equivalent of smtpd_starttls_timeout.

+ +

This feature is available in Postfix 3.12 and later.

+ +%PARAM postscreen_tls_always_issue_session_ids $smtpd_tls_always_issue_session_ids + +

The postscreen(8) equivalent of smtpd_tls_always_issue_session_ids.

+ +

This feature is available in Postfix 3.12 and later.

+ +%PARAM postscreen_tls_ask_ccert $smtpd_tls_ask_ccert + +

The postscreen(8) equivalent of smtpd_tls_ask_ccert.

+ +

This feature is available in Postfix 3.12 and later.

+ +%PARAM postscreen_tls_CAfile $smtpd_tls_CAfile + +

The postscreen(8) equivalent of smtpd_tls_CAfile.

+ +

This feature is available in Postfix 3.12 and later.

+ +%PARAM postscreen_tls_CApath $smtpd_tls_CApath + +

The postscreen(8) equivalent of smtpd_tls_CApath.

+ +

This feature is available in Postfix 3.12 and later.

+ +%PARAM postscreen_tls_cert_file $smtpd_tls_cert_file + +

The postscreen(8) equivalent of smtpd_tls_cert_file.

+ +

This feature is available in Postfix 3.12 and later.

+ +%PARAM postscreen_tls_chain_files $smtpd_tls_chain_files + +

The postscreen(8) equivalent of smtpd_tls_chain_files.

+ +

This feature is available in Postfix 3.12 and later.

+ +%PARAM postscreen_tls_ciphers $smtpd_tls_ciphers + +

The postscreen(8) equivalent of smtpd_tls_ciphers.

+ +

This feature is available in Postfix 3.12 and later.

+ +%PARAM postscreen_tls_dcert_file $smtpd_tls_dcert_file + +

The postscreen(8) equivalent of smtpd_tls_dcert_file.

+ +

This feature is available in Postfix 3.12 and later.

+ +%PARAM postscreen_tls_dh1024_param_file $smtpd_tls_dh1024_param_file + +

The postscreen(8) equivalent of smtpd_tls_dh1024_param_file.

+ +

This feature is available in Postfix 3.12 and later.

+ +%PARAM postscreen_tls_dh512_param_file $smtpd_tls_dh512_param_file + +

The postscreen(8) equivalent of smtpd_tls_dh512_param_file.

+ +

This feature is available in Postfix 3.12 and later.

+ +%PARAM postscreen_tls_dkey_file $smtpd_tls_dkey_file + +

The postscreen(8) equivalent of smtpd_tls_dkey_file.

+ +

This feature is available in Postfix 3.12 and later.

+ +%PARAM postscreen_tls_eccert_file $smtpd_tls_eccert_file + +

The postscreen(8) equivalent of smtpd_tls_eccert_file.

+ +

This feature is available in Postfix 3.12 and later.

+ +%PARAM postscreen_tls_eckey_file $smtpd_tls_eckey_file + +

The postscreen(8) equivalent of smtpd_tls_eckey_file.

+ +

This feature is available in Postfix 3.12 and later.

+ +%PARAM postscreen_tls_eecdh_grade $smtpd_tls_eecdh_grade + +

The postscreen(8) equivalent of smtpd_tls_eecdh_grade.

+ +

This feature is available in Postfix 3.12 and later.

+ +%PARAM postscreen_tls_enable_rpk $smtpd_tls_enable_rpk + +

The postscreen(8) equivalent of smtpd_tls_enable_rpk.

+ +

This feature is available in Postfix 3.12 and later.

+ +%PARAM postscreen_tls_exclude_ciphers $smtpd_tls_exclude_ciphers + +

The postscreen(8) equivalent of smtpd_tls_exclude_ciphers.

+ +

This feature is available in Postfix 3.12 and later.

+ +%PARAM postscreen_tls_fingerprint_digest $smtpd_tls_fingerprint_digest + +

The postscreen(8) equivalent of smtpd_tls_fingerprint_digest.

+ +

This feature is available in Postfix 3.12 and later.

+ +%PARAM postscreen_tls_key_file $smtpd_tls_key_file + +

The postscreen(8) equivalent of smtpd_tls_key_file.

+ +

This feature is available in Postfix 3.12 and later.

+ +%PARAM postscreen_tls_loglevel $smtpd_tls_loglevel + +

The postscreen(8) equivalent of smtpd_tls_loglevel.

+ +

This feature is available in Postfix 3.12 and later.

+ +%PARAM postscreen_tls_mandatory_ciphers $smtpd_tls_mandatory_ciphers + +

The postscreen(8) equivalent of smtpd_tls_mandatory_ciphers.

+ +

This feature is available in Postfix 3.12 and later.

+ +%PARAM postscreen_tls_mandatory_exclude_ciphers $smtpd_tls_mandatory_exclude_ciphers + +

The postscreen(8) equivalent of smtpd_tls_mandatory_exclude_ciphers.

+ +

This feature is available in Postfix 3.12 and later.

+ +%PARAM postscreen_tls_mandatory_protocols $smtpd_tls_mandatory_protocols + +

The postscreen(8) equivalent of smtpd_tls_mandatory_protocols.

+ +

This feature is available in Postfix 3.12 and later.

+ +%PARAM postscreen_tls_protocols $smtpd_tls_protocols + +

The postscreen(8) equivalent of smtpd_tls_protocols.

+ +

This feature is available in Postfix 3.12 and later.

+ +%PARAM postscreen_tls_req_ccert $smtpd_tls_req_ccert + +

The postscreen(8) equivalent of smtpd_tls_req_ccert.

+ +

This feature is available in Postfix 3.12 and later.

+ +%PARAM postscreen_tls_ccert_verifydepth $smtpd_tls_ccert_verifydepth + +

The postscreen(8) equivalent of smtpd_tls_ccert_verifydepth.

+ +

This feature is available in Postfix 3.12 and later.

diff --git a/postfix/proto/stop.double-history b/postfix/proto/stop.double-history index ddccc17fb..c8e280f97 100644 --- a/postfix/proto/stop.double-history +++ b/postfix/proto/stop.double-history @@ -239,3 +239,8 @@ proto proto stop proto stop double cc Files tlsproxy tlsproxy c tlsproxy tlsproxy h for consistency Files tlsproxy tlsproxy hc tlsproxy tlsproxy_diff c tlsproxy tlsproxy h + calls File tlsproxy tlsproxy c + Files postscreen postscreen hc + server role support Files smtpd smtpd c tlsproxy tlsproxy c + support Files tlsproxy tlsproxy c tlsproxy tlsproxy_server hc + calls Files tlsproxy tlsproxy c mantools postlink diff --git a/postfix/src/global/mail_params.c b/postfix/src/global/mail_params.c index d7079dd2a..eed53bfde 100644 --- a/postfix/src/global/mail_params.c +++ b/postfix/src/global/mail_params.c @@ -783,6 +783,7 @@ void mail_params_init() static const CONFIG_STR_TABLE first_str_defaults[] = { /* $mail_version may appear in other parameters. */ VAR_MAIL_VERSION, DEF_MAIL_VERSION, &var_mail_version, 1, 0, + VAR_SERVNAME, DEF_SERVNAME, &var_servname, 1, 0, VAR_SYSLOG_FACILITY, DEF_SYSLOG_FACILITY, &var_syslog_facility, 1, 0, VAR_INET_PROTOCOLS, DEF_INET_PROTOCOLS, &var_inet_protocols, 0, 0, VAR_MULTI_CONF_DIRS, DEF_MULTI_CONF_DIRS, &var_multi_conf_dirs, 0, 0, diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index fcf36877c..c868c4f25 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -4185,10 +4185,6 @@ extern bool var_tlsp_tls_set_sessid; #define DEF_TLSP_CLNT_LOGLEVEL "$" VAR_SMTP_TLS_LOGLEVEL extern char *var_tlsp_clnt_loglevel; -#define VAR_TLSP_CLNT_LOGPARAM "tlsproxy_client_loglevel_parameter" -#define DEF_TLSP_CLNT_LOGPARAM VAR_SMTP_TLS_LOGLEVEL -extern char *var_tlsp_clnt_logparam; - #define VAR_TLSP_CLNT_SCERT_VD "tlsproxy_client_scert_verifydepth" #define DEF_TLSP_CLNT_SCERT_VD "$" VAR_SMTP_TLS_SCERT_VD extern int var_tlsp_clnt_scert_vd; 
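Review bot: The added `VAR_SERVNAME, DEF_SERVNAME, &var_servname, 1, 0,` row in first_str_defaults carries no comment, whereas the neighbouring `$mail_version` row explains why it belongs in this early table; because the same commit deletes the read-only `pcf_adhoc_servname` builtin from postconf_builtin.c, a reader of mail_params.c alone cannot see that service_name changed from a postconf(1) builtin into an ordinary string parameter. A one-line comment such as `/* service_name is a regular parameter, not a postconf(1) builtin, so var_servname is set here. */` would record that. The fourth column (`1`) presumably is this table's minimum length, which would reject an empty service_name at startup, so it is worth confirming that DEF_SERVNAME (defined outside this hunk) satisfies it. mail_params_init() starts and ends outside the hunk.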
@@ -4659,6 +4655,113 @@ extern char *var_nbdb_allow_user_pfxs;
 #define DEF_NBDB_LOG_REDIRECT "yes"
 extern bool var_nbdb_log_redirect;
+
+ /*
+ * Postfix 3.12 postscreen parameters.
+ */
+#define VAR_PSC_TLS_ACERT "postscreen_tls_ask_ccert"
+#define DEF_PSC_TLS_ACERT "$" VAR_SMTPD_TLS_ACERT
+extern bool var_psc_tls_ask_ccert;
+
+#define VAR_PSC_TLS_ENABLE_RPK "postscreen_tls_enable_rpk"
+#define DEF_PSC_TLS_ENABLE_RPK "$" VAR_SMTPD_TLS_ENABLE_RPK
+extern bool var_psc_tls_enable_rpk;
+
+#define VAR_PSC_TLS_RCERT "postscreen_tls_req_ccert"
+#define DEF_PSC_TLS_RCERT "$" VAR_SMTPD_TLS_RCERT
+extern bool var_psc_tls_req_ccert;
+
+#define VAR_PSC_TLS_SET_SESSID "postscreen_tls_always_issue_session_ids"
+#define DEF_PSC_TLS_SET_SESSID "$" VAR_SMTPD_TLS_SET_SESSID
+extern bool var_psc_tls_set_sessid;
+
+#define VAR_PSC_TLS_CAFILE "postscreen_tls_CAfile"
+#define DEF_PSC_TLS_CAFILE "$" VAR_SMTPD_TLS_CA_FILE
+extern char *var_psc_tls_CAfile;
+
+#define VAR_PSC_TLS_CAPATH "postscreen_tls_CApath"
+#define DEF_PSC_TLS_CAPATH "$" VAR_SMTPD_TLS_CA_PATH
+extern char *var_psc_tls_CApath;
+
+#define VAR_PSC_TLS_CERT_FILE "postscreen_tls_cert_file"
+#define DEF_PSC_TLS_CERT_FILE "$" VAR_SMTPD_TLS_CERT_FILE
+extern char *var_psc_tls_cert_file;
+
+#define VAR_PSC_TLS_CHAIN_FILES "postscreen_tls_chain_files"
+#define DEF_PSC_TLS_CHAIN_FILES "$" VAR_SMTPD_TLS_CHAIN_FILES
+extern char *var_psc_tls_chain_files;
+
+#define VAR_PSC_TLS_CIPH "postscreen_tls_ciphers"
+#define DEF_PSC_TLS_CIPH "$" VAR_SMTPD_TLS_CIPH
+extern char *var_psc_tls_ciph;
+
+#define VAR_PSC_TLS_DCERT_FILE "postscreen_tls_dcert_file"
+#define DEF_PSC_TLS_DCERT_FILE "$" VAR_SMTPD_TLS_DCERT_FILE
+extern char *var_psc_tls_dcert_file;
+
+#define VAR_PSC_TLS_1024_FILE "postscreen_tls_dh1024_param_file"
+#define DEF_PSC_TLS_1024_FILE "$" VAR_SMTPD_TLS_1024_FILE
+extern char *var_psc_tls_dh1024_param_file;
+
+#define VAR_PSC_TLS_512_FILE "postscreen_tls_dh512_param_file"
+#define DEF_PSC_TLS_512_FILE "$" VAR_SMTPD_TLS_512_FILE
+extern char *var_psc_tls_dh512_param_file;
+
+#define VAR_PSC_TLS_DKEY_FILE "postscreen_tls_dkey_file"
+#define DEF_PSC_TLS_DKEY_FILE "$" VAR_SMTPD_TLS_DKEY_FILE
+extern char *var_psc_tls_dkey_file;
+
+#define VAR_PSC_TLS_ECCERT_FILE "postscreen_tls_eccert_file"
+#define DEF_PSC_TLS_ECCERT_FILE "$" VAR_SMTPD_TLS_ECCERT_FILE
+extern char *var_psc_tls_eccert_file;
+
+#define VAR_PSC_TLS_ECKEY_FILE "postscreen_tls_eckey_file"
+#define DEF_PSC_TLS_ECKEY_FILE "$" VAR_SMTPD_TLS_ECKEY_FILE
+extern char *var_psc_tls_eckey_file;
+
+#define VAR_PSC_TLS_EECDH "postscreen_tls_eecdh_grade"
+#define DEF_PSC_TLS_EECDH "$" VAR_SMTPD_TLS_EECDH
+extern char *var_psc_tls_eecdh;
+
+#define VAR_PSC_TLS_EXCL_CIPH "postscreen_tls_exclude_ciphers"
+#define DEF_PSC_TLS_EXCL_CIPH "$" VAR_SMTPD_TLS_EXCL_CIPH
+extern char *var_psc_tls_excl_ciph;
+
+#define VAR_PSC_TLS_FPT_DGST "postscreen_tls_fingerprint_digest"
+#define DEF_PSC_TLS_FPT_DGST "$" VAR_SMTPD_TLS_FPT_DGST
+extern char *var_psc_tls_fpt_dgst;
+
+#define VAR_PSC_TLS_KEY_FILE "postscreen_tls_key_file"
+#define DEF_PSC_TLS_KEY_FILE "$" VAR_SMTPD_TLS_KEY_FILE
+extern char *var_psc_tls_key_file;
+
+#define VAR_PSC_TLS_LOGLEVEL "postscreen_tls_loglevel"
+#define DEF_PSC_TLS_LOGLEVEL "$" VAR_SMTPD_TLS_LOGLEVEL
+extern char *var_psc_tls_loglevel;
+
+#define VAR_PSC_TLS_MAND_CIPH "postscreen_tls_mandatory_ciphers"
+#define DEF_PSC_TLS_MAND_CIPH "$" VAR_SMTPD_TLS_MAND_CIPH
+extern char *var_psc_tls_mand_ciph;
+
+#define VAR_PSC_TLS_MAND_EXCL "postscreen_tls_mandatory_exclude_ciphers"
+#define DEF_PSC_TLS_MAND_EXCL "$" VAR_SMTPD_TLS_MAND_EXCL
+extern char *var_psc_tls_mand_excl;
+
+#define VAR_PSC_TLS_MAND_PROTO "postscreen_tls_mandatory_protocols"
+#define DEF_PSC_TLS_MAND_PROTO "$" VAR_SMTPD_TLS_MAND_PROTO
+extern char *var_psc_tls_mand_proto;
+
+#define VAR_PSC_TLS_PROTO "postscreen_tls_protocols"
+#define DEF_PSC_TLS_PROTO "$" VAR_SMTPD_TLS_PROTO
+extern char *var_psc_tls_proto;
+
+#define VAR_PSC_TLS_CCERT_VD 
"postscreen_tls_ccert_verifydepth" +#define DEF_PSC_TLS_CCERT_VD "$" VAR_SMTPD_TLS_CCERT_VD +extern int var_psc_tls_ccert_vd; + +#define VAR_PSC_STARTTLS_TMOUT "postscreen_starttls_timeout" +#define DEF_PSC_STARTTLS_TMOUT "$" VAR_SMTPD_STARTTLS_TMOUT +extern int var_psc_starttls_tmout; + /* LICENSE /* .ad /* .fi diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 3bff4b416..86d9cc1d3 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20260416" +#define MAIL_RELEASE_DATE "20260423" #define MAIL_VERSION_NUMBER "3.12" #ifdef SNAPSHOT diff --git a/postfix/src/postconf/postconf_builtin.c b/postfix/src/postconf/postconf_builtin.c index 0a88bb8fa..b8534beac 100644 --- a/postfix/src/postconf/postconf_builtin.c +++ b/postfix/src/postconf/postconf_builtin.c @@ -185,7 +185,6 @@ static const CONFIG_STR_FN_TABLE pcf_str_fn_table[] = { * effects, then those side effects must happen only once. */ static CONFIG_STR_TABLE pcf_adhoc_procname = {VAR_PROCNAME}; -static CONFIG_STR_TABLE pcf_adhoc_servname = {VAR_SERVNAME}; static CONFIG_INT_TABLE pcf_adhoc_pid = {VAR_PID}; #define STR(x) vstring_str(x) @@ -466,10 +465,6 @@ void pcf_register_builtin_parameters(const char *procname, pid_t pid) PCF_PARAM_TABLE_ENTER(pcf_param_table, pcf_adhoc_procname.name, PCF_PARAM_FLAG_BUILTIN | PCF_PARAM_FLAG_READONLY, (void *) &pcf_adhoc_procname, pcf_conv_str_parameter); - pcf_adhoc_servname.defval = mystrdup(DEF_SERVNAME); - PCF_PARAM_TABLE_ENTER(pcf_param_table, pcf_adhoc_servname.name, - PCF_PARAM_FLAG_BUILTIN | PCF_PARAM_FLAG_READONLY, - (void *) &pcf_adhoc_servname, pcf_conv_str_parameter); pcf_adhoc_pid.defval = pid; PCF_PARAM_TABLE_ENTER(pcf_param_table, pcf_adhoc_pid.name, PCF_PARAM_FLAG_BUILTIN | PCF_PARAM_FLAG_READONLY, 
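Review bot: The macro names `VAR_PSC_TLS_CAFILE`/`DEF_PSC_TLS_CAFILE` and `VAR_PSC_TLS_CAPATH`/`DEF_PSC_TLS_CAPATH` do not mirror the smtpd macros they default to (`VAR_SMTPD_TLS_CA_FILE` and `VAR_SMTPD_TLS_CA_PATH`, visible on the same lines), while every other new postscreen macro in this hunk keeps the smtpd suffix verbatim. That matters for the new mantools/check-param-defaults script in this commit: its smtpd/postscreen pass only rewrites the `SMTPD_` prefix before comparing the first column, so — assuming the postscreen parameter table uses these macro names — these two parameters can never be paired with their smtpd counterparts and their bounds go unchecked, the same class of mismatch the script's own TODO records for TLSP_CLNT_CAFILE. Renaming the four macros to `VAR_PSC_TLS_CA_FILE`/`DEF_PSC_TLS_CA_FILE` and `VAR_PSC_TLS_CA_PATH`/`DEF_PSC_TLS_CA_PATH` (and their uses in the postscreen sources, outside this hunk) would restore the one-to-one mapping; the user-visible strings `postscreen_tls_CAfile` and `postscreen_tls_CApath` stay as they are since they follow the smtpd parameter names.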
diff --git a/postfix/src/postconf/postconf_unused.c b/postfix/src/postconf/postconf_unused.c index 4ea7b87bb..71e43c354 100644 --- a/postfix/src/postconf/postconf_unused.c +++ b/postfix/src/postconf/postconf_unused.c @@ -128,6 +128,11 @@ static const PCF_DEPR_PARAM_INFO pcf_depr_param_info[] = { "lmtp_cname_overrides_servername", "do not specify", "smtp_cname_overrides_servername", "do not specify", + /* + * Deprecated and removed as of Postfix 3.12. + */ + "tlsproxy_client_loglevel_parameter", "do not specify", + /* * Terminator. */ diff --git a/postfix/src/postscreen/Makefile.in b/postfix/src/postscreen/Makefile.in index 801b2ac01..fbf34d37b 100644 --- a/postfix/src/postscreen/Makefile.in +++ b/postfix/src/postscreen/Makefile.in @@ -3,12 +3,12 @@ SRCS = postscreen.c postscreen_dict.c postscreen_dnsbl.c \ postscreen_early.c postscreen_smtpd.c postscreen_misc.c \ postscreen_state.c postscreen_tests.c postscreen_send.c \ postscreen_starttls.c postscreen_expand.c postscreen_endpt.c \ - postscreen_haproxy.c + postscreen_haproxy.c postscreen_tls_conf.c OBJS = postscreen.o postscreen_dict.o postscreen_dnsbl.o \ postscreen_early.o postscreen_smtpd.o postscreen_misc.o \ postscreen_state.o postscreen_tests.o postscreen_send.o \ postscreen_starttls.o postscreen_expand.o postscreen_endpt.o \ - postscreen_haproxy.o + postscreen_haproxy.o postscreen_tls_conf.o HDRS = TESTSRC = postscreen_dnsbl_test.c DEFS = -I. -I$(INC_DIR) -D$(SYSTYPE) @@ -74,6 +74,7 @@ postscreen.o: ../../include/check_arg.h postscreen.o: ../../include/data_redirect.h postscreen.o: ../../include/dict.h postscreen.o: ../../include/dict_cache.h +postscreen.o: ../../include/dns.h postscreen.o: ../../include/events.h postscreen.o: ../../include/htable.h postscreen.o: ../../include/inet_proto.h 
@@ -90,11 +91,22 @@ postscreen.o: ../../include/myaddrinfo.h postscreen.o: ../../include/myflock.h postscreen.o: ../../include/mymalloc.h postscreen.o: ../../include/name_code.h +postscreen.o: ../../include/name_mask.h postscreen.o: ../../include/nvtable.h postscreen.o: ../../include/server_acl.h postscreen.o: ../../include/set_eugid.h +postscreen.o: ../../include/sock_addr.h postscreen.o: ../../include/string_list.h postscreen.o: ../../include/sys_defs.h +postscreen.o: ../../include/tls.h +postscreen.o: ../../include/tls_proxy.h +postscreen.o: ../../include/tls_proxy_attr.h +postscreen.o: ../../include/tls_proxy_client_init_proto.h +postscreen.o: ../../include/tls_proxy_client_param_proto.h +postscreen.o: ../../include/tls_proxy_client_start_proto.h +postscreen.o: ../../include/tls_proxy_server_init_proto.h +postscreen.o: ../../include/tls_proxy_server_param_proto.h +postscreen.o: ../../include/tls_proxy_server_start_proto.h postscreen.o: ../../include/vbuf.h postscreen.o: ../../include/vstream.h postscreen.o: ../../include/vstring.h @@ -102,9 +114,11 @@ postscreen.o: postscreen.c postscreen.o: postscreen.h postscreen_dict.o: ../../include/addr_match_list.h postscreen_dict.o: ../../include/argv.h +postscreen_dict.o: ../../include/attr.h postscreen_dict.o: ../../include/check_arg.h postscreen_dict.o: ../../include/dict.h postscreen_dict.o: ../../include/dict_cache.h +postscreen_dict.o: ../../include/dns.h postscreen_dict.o: ../../include/events.h postscreen_dict.o: ../../include/htable.h postscreen_dict.o: ../../include/maps.h 
@@ -112,9 +126,23 @@ postscreen_dict.o: ../../include/match_list.h postscreen_dict.o: ../../include/msg.h postscreen_dict.o: ../../include/myaddrinfo.h postscreen_dict.o: ../../include/myflock.h +postscreen_dict.o: ../../include/mymalloc.h +postscreen_dict.o: ../../include/name_code.h +postscreen_dict.o: ../../include/name_mask.h +postscreen_dict.o: ../../include/nvtable.h postscreen_dict.o: ../../include/server_acl.h +postscreen_dict.o: ../../include/sock_addr.h postscreen_dict.o: ../../include/string_list.h postscreen_dict.o: ../../include/sys_defs.h +postscreen_dict.o: ../../include/tls.h +postscreen_dict.o: ../../include/tls_proxy.h +postscreen_dict.o: ../../include/tls_proxy_attr.h +postscreen_dict.o: ../../include/tls_proxy_client_init_proto.h +postscreen_dict.o: ../../include/tls_proxy_client_param_proto.h +postscreen_dict.o: ../../include/tls_proxy_client_start_proto.h +postscreen_dict.o: ../../include/tls_proxy_server_init_proto.h +postscreen_dict.o: ../../include/tls_proxy_server_param_proto.h +postscreen_dict.o: ../../include/tls_proxy_server_start_proto.h postscreen_dict.o: ../../include/vbuf.h postscreen_dict.o: ../../include/vstream.h postscreen_dict.o: ../../include/vstring.h @@ -127,6 +155,7 @@ postscreen_dnsbl.o: ../../include/check_arg.h postscreen_dnsbl.o: ../../include/connect.h postscreen_dnsbl.o: ../../include/dict.h postscreen_dnsbl.o: ../../include/dict_cache.h +postscreen_dnsbl.o: ../../include/dns.h postscreen_dnsbl.o: ../../include/events.h postscreen_dnsbl.o: ../../include/htable.h postscreen_dnsbl.o: ../../include/iostuff.h 
@@ -139,12 +168,24 @@ postscreen_dnsbl.o: ../../include/msg.h postscreen_dnsbl.o: ../../include/myaddrinfo.h postscreen_dnsbl.o: ../../include/myflock.h postscreen_dnsbl.o: ../../include/mymalloc.h +postscreen_dnsbl.o: ../../include/name_code.h +postscreen_dnsbl.o: ../../include/name_mask.h postscreen_dnsbl.o: ../../include/nvtable.h postscreen_dnsbl.o: ../../include/server_acl.h +postscreen_dnsbl.o: ../../include/sock_addr.h postscreen_dnsbl.o: ../../include/split_at.h postscreen_dnsbl.o: ../../include/string_list.h postscreen_dnsbl.o: ../../include/stringops.h postscreen_dnsbl.o: ../../include/sys_defs.h +postscreen_dnsbl.o: ../../include/tls.h +postscreen_dnsbl.o: ../../include/tls_proxy.h +postscreen_dnsbl.o: ../../include/tls_proxy_attr.h +postscreen_dnsbl.o: ../../include/tls_proxy_client_init_proto.h +postscreen_dnsbl.o: ../../include/tls_proxy_client_param_proto.h +postscreen_dnsbl.o: ../../include/tls_proxy_client_start_proto.h +postscreen_dnsbl.o: ../../include/tls_proxy_server_init_proto.h +postscreen_dnsbl.o: ../../include/tls_proxy_server_param_proto.h +postscreen_dnsbl.o: ../../include/tls_proxy_server_start_proto.h postscreen_dnsbl.o: ../../include/valid_hostname.h postscreen_dnsbl.o: ../../include/vbuf.h postscreen_dnsbl.o: ../../include/vstream.h @@ -158,6 +199,7 @@ postscreen_dnsbl_test.o: ../../include/check_arg.h postscreen_dnsbl_test.o: ../../include/connect.h postscreen_dnsbl_test.o: ../../include/dict.h postscreen_dnsbl_test.o: ../../include/dict_cache.h +postscreen_dnsbl_test.o: ../../include/dns.h postscreen_dnsbl_test.o: ../../include/events.h postscreen_dnsbl_test.o: ../../include/htable.h postscreen_dnsbl_test.o: ../../include/iostuff.h 
@@ -175,14 +217,26 @@ postscreen_dnsbl_test.o: ../../include/myaddrinfo.h postscreen_dnsbl_test.o: ../../include/myflock.h postscreen_dnsbl_test.o: ../../include/mymalloc.h postscreen_dnsbl_test.o: ../../include/myrand.h +postscreen_dnsbl_test.o: ../../include/name_code.h +postscreen_dnsbl_test.o: ../../include/name_mask.h postscreen_dnsbl_test.o: ../../include/nvtable.h postscreen_dnsbl_test.o: ../../include/pmock_expect.h postscreen_dnsbl_test.o: ../../include/ptest.h postscreen_dnsbl_test.o: ../../include/ptest_main.h postscreen_dnsbl_test.o: ../../include/server_acl.h +postscreen_dnsbl_test.o: ../../include/sock_addr.h postscreen_dnsbl_test.o: ../../include/string_list.h postscreen_dnsbl_test.o: ../../include/stringops.h postscreen_dnsbl_test.o: ../../include/sys_defs.h +postscreen_dnsbl_test.o: ../../include/tls.h +postscreen_dnsbl_test.o: ../../include/tls_proxy.h +postscreen_dnsbl_test.o: ../../include/tls_proxy_attr.h +postscreen_dnsbl_test.o: ../../include/tls_proxy_client_init_proto.h +postscreen_dnsbl_test.o: ../../include/tls_proxy_client_param_proto.h +postscreen_dnsbl_test.o: ../../include/tls_proxy_client_start_proto.h +postscreen_dnsbl_test.o: ../../include/tls_proxy_server_init_proto.h +postscreen_dnsbl_test.o: ../../include/tls_proxy_server_param_proto.h +postscreen_dnsbl_test.o: ../../include/tls_proxy_server_start_proto.h postscreen_dnsbl_test.o: ../../include/vbuf.h postscreen_dnsbl_test.o: ../../include/vstream.h postscreen_dnsbl_test.o: ../../include/vstring.h 
@@ -190,9 +244,11 @@ postscreen_dnsbl_test.o: postscreen.h postscreen_dnsbl_test.o: postscreen_dnsbl_test.c postscreen_early.o: ../../include/addr_match_list.h postscreen_early.o: ../../include/argv.h +postscreen_early.o: ../../include/attr.h postscreen_early.o: ../../include/check_arg.h postscreen_early.o: ../../include/dict.h postscreen_early.o: ../../include/dict_cache.h +postscreen_early.o: ../../include/dns.h postscreen_early.o: ../../include/events.h postscreen_early.o: ../../include/htable.h postscreen_early.o: ../../include/mail_params.h @@ -202,10 +258,23 @@ postscreen_early.o: ../../include/msg.h postscreen_early.o: ../../include/myaddrinfo.h postscreen_early.o: ../../include/myflock.h postscreen_early.o: ../../include/mymalloc.h +postscreen_early.o: ../../include/name_code.h +postscreen_early.o: ../../include/name_mask.h +postscreen_early.o: ../../include/nvtable.h postscreen_early.o: ../../include/server_acl.h +postscreen_early.o: ../../include/sock_addr.h postscreen_early.o: ../../include/string_list.h postscreen_early.o: ../../include/stringops.h postscreen_early.o: ../../include/sys_defs.h +postscreen_early.o: ../../include/tls.h +postscreen_early.o: ../../include/tls_proxy.h +postscreen_early.o: ../../include/tls_proxy_attr.h +postscreen_early.o: ../../include/tls_proxy_client_init_proto.h +postscreen_early.o: ../../include/tls_proxy_client_param_proto.h +postscreen_early.o: ../../include/tls_proxy_client_start_proto.h +postscreen_early.o: ../../include/tls_proxy_server_init_proto.h +postscreen_early.o: ../../include/tls_proxy_server_param_proto.h +postscreen_early.o: ../../include/tls_proxy_server_start_proto.h postscreen_early.o: ../../include/vbuf.h postscreen_early.o: ../../include/vstream.h postscreen_early.o: ../../include/vstring.h 
@@ -213,9 +282,11 @@ postscreen_early.o: postscreen.h postscreen_early.o: postscreen_early.c postscreen_endpt.o: ../../include/addr_match_list.h postscreen_endpt.o: ../../include/argv.h +postscreen_endpt.o: ../../include/attr.h postscreen_endpt.o: ../../include/check_arg.h postscreen_endpt.o: ../../include/dict.h postscreen_endpt.o: ../../include/dict_cache.h +postscreen_endpt.o: ../../include/dns.h postscreen_endpt.o: ../../include/events.h postscreen_endpt.o: ../../include/haproxy_srvr.h postscreen_endpt.o: ../../include/htable.h @@ -226,9 +297,23 @@ postscreen_endpt.o: ../../include/match_list.h postscreen_endpt.o: ../../include/msg.h postscreen_endpt.o: ../../include/myaddrinfo.h postscreen_endpt.o: ../../include/myflock.h +postscreen_endpt.o: ../../include/mymalloc.h +postscreen_endpt.o: ../../include/name_code.h +postscreen_endpt.o: ../../include/name_mask.h +postscreen_endpt.o: ../../include/nvtable.h postscreen_endpt.o: ../../include/server_acl.h +postscreen_endpt.o: ../../include/sock_addr.h postscreen_endpt.o: ../../include/string_list.h postscreen_endpt.o: ../../include/sys_defs.h +postscreen_endpt.o: ../../include/tls.h +postscreen_endpt.o: ../../include/tls_proxy.h +postscreen_endpt.o: ../../include/tls_proxy_attr.h +postscreen_endpt.o: ../../include/tls_proxy_client_init_proto.h +postscreen_endpt.o: ../../include/tls_proxy_client_param_proto.h +postscreen_endpt.o: ../../include/tls_proxy_client_start_proto.h +postscreen_endpt.o: ../../include/tls_proxy_server_init_proto.h +postscreen_endpt.o: ../../include/tls_proxy_server_param_proto.h +postscreen_endpt.o: ../../include/tls_proxy_server_start_proto.h postscreen_endpt.o: ../../include/vbuf.h postscreen_endpt.o: ../../include/vstream.h postscreen_endpt.o: ../../include/vstring.h 
@@ -241,6 +326,7 @@ postscreen_expand.o: ../../include/attr.h postscreen_expand.o: ../../include/check_arg.h postscreen_expand.o: ../../include/dict.h postscreen_expand.o: ../../include/dict_cache.h +postscreen_expand.o: ../../include/dns.h postscreen_expand.o: ../../include/events.h postscreen_expand.o: ../../include/htable.h postscreen_expand.o: ../../include/iostuff.h @@ -252,11 +338,23 @@ postscreen_expand.o: ../../include/msg.h postscreen_expand.o: ../../include/myaddrinfo.h postscreen_expand.o: ../../include/myflock.h postscreen_expand.o: ../../include/mymalloc.h +postscreen_expand.o: ../../include/name_code.h +postscreen_expand.o: ../../include/name_mask.h postscreen_expand.o: ../../include/nvtable.h postscreen_expand.o: ../../include/server_acl.h +postscreen_expand.o: ../../include/sock_addr.h postscreen_expand.o: ../../include/string_list.h postscreen_expand.o: ../../include/stringops.h postscreen_expand.o: ../../include/sys_defs.h +postscreen_expand.o: ../../include/tls.h +postscreen_expand.o: ../../include/tls_proxy.h +postscreen_expand.o: ../../include/tls_proxy_attr.h +postscreen_expand.o: ../../include/tls_proxy_client_init_proto.h +postscreen_expand.o: ../../include/tls_proxy_client_param_proto.h +postscreen_expand.o: ../../include/tls_proxy_client_start_proto.h +postscreen_expand.o: ../../include/tls_proxy_server_init_proto.h +postscreen_expand.o: ../../include/tls_proxy_server_param_proto.h +postscreen_expand.o: ../../include/tls_proxy_server_start_proto.h postscreen_expand.o: ../../include/vbuf.h postscreen_expand.o: ../../include/vstream.h postscreen_expand.o: ../../include/vstring.h 
@@ -264,9 +362,11 @@ postscreen_expand.o: postscreen.h postscreen_expand.o: postscreen_expand.c postscreen_haproxy.o: ../../include/addr_match_list.h postscreen_haproxy.o: ../../include/argv.h +postscreen_haproxy.o: ../../include/attr.h postscreen_haproxy.o: ../../include/check_arg.h postscreen_haproxy.o: ../../include/dict.h postscreen_haproxy.o: ../../include/dict_cache.h +postscreen_haproxy.o: ../../include/dns.h postscreen_haproxy.o: ../../include/events.h postscreen_haproxy.o: ../../include/haproxy_srvr.h postscreen_haproxy.o: ../../include/htable.h @@ -277,10 +377,23 @@ postscreen_haproxy.o: ../../include/msg.h postscreen_haproxy.o: ../../include/myaddrinfo.h postscreen_haproxy.o: ../../include/myflock.h postscreen_haproxy.o: ../../include/mymalloc.h +postscreen_haproxy.o: ../../include/name_code.h +postscreen_haproxy.o: ../../include/name_mask.h +postscreen_haproxy.o: ../../include/nvtable.h postscreen_haproxy.o: ../../include/server_acl.h +postscreen_haproxy.o: ../../include/sock_addr.h postscreen_haproxy.o: ../../include/string_list.h postscreen_haproxy.o: ../../include/stringops.h postscreen_haproxy.o: ../../include/sys_defs.h +postscreen_haproxy.o: ../../include/tls.h +postscreen_haproxy.o: ../../include/tls_proxy.h +postscreen_haproxy.o: ../../include/tls_proxy_attr.h +postscreen_haproxy.o: ../../include/tls_proxy_client_init_proto.h +postscreen_haproxy.o: ../../include/tls_proxy_client_param_proto.h +postscreen_haproxy.o: ../../include/tls_proxy_client_start_proto.h +postscreen_haproxy.o: ../../include/tls_proxy_server_init_proto.h +postscreen_haproxy.o: ../../include/tls_proxy_server_param_proto.h +postscreen_haproxy.o: ../../include/tls_proxy_server_start_proto.h postscreen_haproxy.o: ../../include/vbuf.h postscreen_haproxy.o: ../../include/vstream.h postscreen_haproxy.o: ../../include/vstring.h 
@@ -289,9 +402,11 @@ postscreen_haproxy.o: postscreen_haproxy.c postscreen_haproxy.o: postscreen_haproxy.h postscreen_misc.o: ../../include/addr_match_list.h postscreen_misc.o: ../../include/argv.h +postscreen_misc.o: ../../include/attr.h postscreen_misc.o: ../../include/check_arg.h postscreen_misc.o: ../../include/dict.h postscreen_misc.o: ../../include/dict_cache.h +postscreen_misc.o: ../../include/dns.h postscreen_misc.o: ../../include/events.h postscreen_misc.o: ../../include/format_tv.h postscreen_misc.o: ../../include/htable.h @@ -302,9 +417,23 @@ postscreen_misc.o: ../../include/match_list.h postscreen_misc.o: ../../include/msg.h postscreen_misc.o: ../../include/myaddrinfo.h postscreen_misc.o: ../../include/myflock.h +postscreen_misc.o: ../../include/mymalloc.h +postscreen_misc.o: ../../include/name_code.h +postscreen_misc.o: ../../include/name_mask.h +postscreen_misc.o: ../../include/nvtable.h postscreen_misc.o: ../../include/server_acl.h +postscreen_misc.o: ../../include/sock_addr.h postscreen_misc.o: ../../include/string_list.h postscreen_misc.o: ../../include/sys_defs.h +postscreen_misc.o: ../../include/tls.h +postscreen_misc.o: ../../include/tls_proxy.h +postscreen_misc.o: ../../include/tls_proxy_attr.h +postscreen_misc.o: ../../include/tls_proxy_client_init_proto.h +postscreen_misc.o: ../../include/tls_proxy_client_param_proto.h +postscreen_misc.o: ../../include/tls_proxy_client_start_proto.h +postscreen_misc.o: ../../include/tls_proxy_server_init_proto.h +postscreen_misc.o: ../../include/tls_proxy_server_param_proto.h +postscreen_misc.o: ../../include/tls_proxy_server_start_proto.h postscreen_misc.o: ../../include/vbuf.h postscreen_misc.o: ../../include/vstream.h postscreen_misc.o: ../../include/vstring.h 
@@ -317,6 +446,7 @@ postscreen_send.o: ../../include/check_arg.h postscreen_send.o: ../../include/connect.h postscreen_send.o: ../../include/dict.h postscreen_send.o: ../../include/dict_cache.h +postscreen_send.o: ../../include/dns.h postscreen_send.o: ../../include/events.h postscreen_send.o: ../../include/htable.h postscreen_send.o: ../../include/iostuff.h @@ -330,11 +460,23 @@ postscreen_send.o: ../../include/msg.h postscreen_send.o: ../../include/myaddrinfo.h postscreen_send.o: ../../include/myflock.h postscreen_send.o: ../../include/mymalloc.h +postscreen_send.o: ../../include/name_code.h +postscreen_send.o: ../../include/name_mask.h postscreen_send.o: ../../include/nvtable.h postscreen_send.o: ../../include/server_acl.h postscreen_send.o: ../../include/smtp_reply_footer.h +postscreen_send.o: ../../include/sock_addr.h postscreen_send.o: ../../include/string_list.h postscreen_send.o: ../../include/sys_defs.h +postscreen_send.o: ../../include/tls.h +postscreen_send.o: ../../include/tls_proxy.h +postscreen_send.o: ../../include/tls_proxy_attr.h +postscreen_send.o: ../../include/tls_proxy_client_init_proto.h +postscreen_send.o: ../../include/tls_proxy_client_param_proto.h +postscreen_send.o: ../../include/tls_proxy_client_start_proto.h +postscreen_send.o: ../../include/tls_proxy_server_init_proto.h +postscreen_send.o: ../../include/tls_proxy_server_param_proto.h +postscreen_send.o: ../../include/tls_proxy_server_start_proto.h postscreen_send.o: ../../include/vbuf.h postscreen_send.o: ../../include/vstream.h postscreen_send.o: ../../include/vstring.h 
@@ -371,6 +513,14 @@ postscreen_smtpd.o: ../../include/string_list.h postscreen_smtpd.o: ../../include/stringops.h postscreen_smtpd.o: ../../include/sys_defs.h postscreen_smtpd.o: ../../include/tls.h +postscreen_smtpd.o: ../../include/tls_proxy.h +postscreen_smtpd.o: ../../include/tls_proxy_attr.h +postscreen_smtpd.o: ../../include/tls_proxy_client_init_proto.h +postscreen_smtpd.o: ../../include/tls_proxy_client_param_proto.h +postscreen_smtpd.o: ../../include/tls_proxy_client_start_proto.h +postscreen_smtpd.o: ../../include/tls_proxy_server_init_proto.h +postscreen_smtpd.o: ../../include/tls_proxy_server_param_proto.h +postscreen_smtpd.o: ../../include/tls_proxy_server_start_proto.h postscreen_smtpd.o: ../../include/vbuf.h postscreen_smtpd.o: ../../include/vstream.h postscreen_smtpd.o: ../../include/vstring.h @@ -423,6 +573,7 @@ postscreen_state.o: ../../include/attr.h postscreen_state.o: ../../include/check_arg.h postscreen_state.o: ../../include/dict.h postscreen_state.o: ../../include/dict_cache.h +postscreen_state.o: ../../include/dns.h postscreen_state.o: ../../include/events.h postscreen_state.o: ../../include/htable.h postscreen_state.o: ../../include/iostuff.h 
@@ -435,11 +586,22 @@ postscreen_state.o: ../../include/msg.h postscreen_state.o: ../../include/myaddrinfo.h postscreen_state.o: ../../include/myflock.h postscreen_state.o: ../../include/mymalloc.h +postscreen_state.o: ../../include/name_code.h postscreen_state.o: ../../include/name_mask.h postscreen_state.o: ../../include/nvtable.h postscreen_state.o: ../../include/server_acl.h +postscreen_state.o: ../../include/sock_addr.h postscreen_state.o: ../../include/string_list.h postscreen_state.o: ../../include/sys_defs.h +postscreen_state.o: ../../include/tls.h +postscreen_state.o: ../../include/tls_proxy.h +postscreen_state.o: ../../include/tls_proxy_attr.h +postscreen_state.o: ../../include/tls_proxy_client_init_proto.h +postscreen_state.o: ../../include/tls_proxy_client_param_proto.h +postscreen_state.o: ../../include/tls_proxy_client_start_proto.h +postscreen_state.o: ../../include/tls_proxy_server_init_proto.h +postscreen_state.o: ../../include/tls_proxy_server_param_proto.h +postscreen_state.o: ../../include/tls_proxy_server_start_proto.h postscreen_state.o: ../../include/vbuf.h postscreen_state.o: ../../include/vstream.h postscreen_state.o: ../../include/vstring.h @@ -447,9 +609,11 @@ postscreen_state.o: postscreen.h postscreen_state.o: postscreen_state.c postscreen_tests.o: ../../include/addr_match_list.h postscreen_tests.o: ../../include/argv.h +postscreen_tests.o: ../../include/attr.h postscreen_tests.o: ../../include/check_arg.h postscreen_tests.o: ../../include/dict.h postscreen_tests.o: ../../include/dict_cache.h +postscreen_tests.o: ../../include/dns.h postscreen_tests.o: ../../include/events.h postscreen_tests.o: ../../include/htable.h postscreen_tests.o: ../../include/mail_params.h 
@@ -458,13 +622,63 @@ postscreen_tests.o: ../../include/match_list.h postscreen_tests.o: ../../include/msg.h postscreen_tests.o: ../../include/myaddrinfo.h postscreen_tests.o: ../../include/myflock.h +postscreen_tests.o: ../../include/mymalloc.h postscreen_tests.o: ../../include/name_code.h +postscreen_tests.o: ../../include/name_mask.h +postscreen_tests.o: ../../include/nvtable.h postscreen_tests.o: ../../include/sane_strtol.h postscreen_tests.o: ../../include/server_acl.h +postscreen_tests.o: ../../include/sock_addr.h postscreen_tests.o: ../../include/string_list.h postscreen_tests.o: ../../include/sys_defs.h +postscreen_tests.o: ../../include/tls.h +postscreen_tests.o: ../../include/tls_proxy.h +postscreen_tests.o: ../../include/tls_proxy_attr.h +postscreen_tests.o: ../../include/tls_proxy_client_init_proto.h +postscreen_tests.o: ../../include/tls_proxy_client_param_proto.h +postscreen_tests.o: ../../include/tls_proxy_client_start_proto.h +postscreen_tests.o: ../../include/tls_proxy_server_init_proto.h +postscreen_tests.o: ../../include/tls_proxy_server_param_proto.h +postscreen_tests.o: ../../include/tls_proxy_server_start_proto.h postscreen_tests.o: ../../include/vbuf.h postscreen_tests.o: ../../include/vstream.h postscreen_tests.o: ../../include/vstring.h postscreen_tests.o: postscreen.h postscreen_tests.o: postscreen_tests.c +postscreen_tls_conf.o: ../../include/addr_match_list.h +postscreen_tls_conf.o: ../../include/argv.h +postscreen_tls_conf.o: ../../include/attr.h +postscreen_tls_conf.o: ../../include/check_arg.h +postscreen_tls_conf.o: ../../include/dict.h +postscreen_tls_conf.o: ../../include/dict_cache.h +postscreen_tls_conf.o: ../../include/dns.h +postscreen_tls_conf.o: ../../include/events.h +postscreen_tls_conf.o: ../../include/htable.h +postscreen_tls_conf.o: ../../include/mail_params.h +postscreen_tls_conf.o: ../../include/maps.h +postscreen_tls_conf.o: ../../include/match_list.h +postscreen_tls_conf.o: ../../include/msg.h +postscreen_tls_conf.o: 
../../include/myaddrinfo.h +postscreen_tls_conf.o: ../../include/myflock.h +postscreen_tls_conf.o: ../../include/mymalloc.h +postscreen_tls_conf.o: ../../include/name_code.h +postscreen_tls_conf.o: ../../include/name_mask.h +postscreen_tls_conf.o: ../../include/nvtable.h +postscreen_tls_conf.o: ../../include/server_acl.h +postscreen_tls_conf.o: ../../include/sock_addr.h +postscreen_tls_conf.o: ../../include/string_list.h +postscreen_tls_conf.o: ../../include/sys_defs.h +postscreen_tls_conf.o: ../../include/tls.h +postscreen_tls_conf.o: ../../include/tls_proxy.h +postscreen_tls_conf.o: ../../include/tls_proxy_attr.h +postscreen_tls_conf.o: ../../include/tls_proxy_client_init_proto.h +postscreen_tls_conf.o: ../../include/tls_proxy_client_param_proto.h +postscreen_tls_conf.o: ../../include/tls_proxy_client_start_proto.h +postscreen_tls_conf.o: ../../include/tls_proxy_server_init_proto.h +postscreen_tls_conf.o: ../../include/tls_proxy_server_param_proto.h +postscreen_tls_conf.o: ../../include/tls_proxy_server_start_proto.h +postscreen_tls_conf.o: ../../include/vbuf.h +postscreen_tls_conf.o: ../../include/vstream.h +postscreen_tls_conf.o: ../../include/vstring.h +postscreen_tls_conf.o: postscreen.h +postscreen_tls_conf.o: postscreen_tls_conf.c diff --git a/postfix/src/postscreen/postscreen.c b/postfix/src/postscreen/postscreen.c index d8422c67d..793673049 100644 --- a/postfix/src/postscreen/postscreen.c +++ b/postfix/src/postscreen/postscreen.c 
@@ -285,7 +285,7 @@ /* .fi /* .IP "\fBpostscreen_cache_cleanup_interval (12h)\fR" /* The amount of time between \fBpostscreen\fR(8) cache cleanup runs. -/* .IP "\fBpostscreen_cache_map (btree:$data_directory/postscreen_cache)\fR" +/* .IP "\fBpostscreen_cache_map (Postfix >= 3.11: $default_cache_db_type:$data_directory/postscreen_cache; Postfix < 3.11: btree:$data_directory/postscreen_cache)\fR" /* Persistent storage for the \fBpostscreen\fR(8) server decisions. /* .IP "\fBpostscreen_cache_retention_time (7d)\fR" /* The amount of time that \fBpostscreen\fR(8) will cache an expired 
@@ -351,6 +351,60 @@ /* postscreen_use_tls and postscreen_enforce_tls. /* .IP "\fBtlsproxy_service_name (tlsproxy)\fR" /* The name of the \fBtlsproxy\fR(8) service entry in master.cf. +/* .PP +/* Available with Postfix 3.12 and later: +/* .IP "\fBpostscreen_starttls_timeout ($smtpd_starttls_timeout)\fR" +/* The \fBpostscreen\fR(8) equivalent of smtpd_starttls_timeout. +/* .IP "\fBpostscreen_tls_always_issue_session_ids ($smtpd_tls_always_issue_session_ids)\fR" +/* The \fBpostscreen\fR(8) equivalent of smtpd_tls_always_issue_session_ids. +/* .IP "\fBpostscreen_tls_ask_ccert ($smtpd_tls_ask_ccert)\fR" +/* The \fBpostscreen\fR(8) equivalent of smtpd_tls_ask_ccert. +/* .IP "\fBpostscreen_tls_CAfile ($smtpd_tls_CAfile)\fR" +/* The \fBpostscreen\fR(8) equivalent of smtpd_tls_CAfile. +/* .IP "\fBpostscreen_tls_CApath ($smtpd_tls_CApath)\fR" +/* The \fBpostscreen\fR(8) equivalent of smtpd_tls_CApath. +/* .IP "\fBpostscreen_tls_ccert_verifydepth ($smtpd_tls_ccert_verifydepth)\fR" +/* The \fBpostscreen\fR(8) equivalent of smtpd_tls_ccert_verifydepth. +/* .IP "\fBpostscreen_tls_cert_file ($smtpd_tls_cert_file)\fR" +/* The \fBpostscreen\fR(8) equivalent of smtpd_tls_cert_file. +/* .IP "\fBpostscreen_tls_chain_files ($smtpd_tls_chain_files)\fR" +/* The \fBpostscreen\fR(8) equivalent of smtpd_tls_chain_files. +/* .IP "\fBpostscreen_tls_ciphers ($smtpd_tls_ciphers)\fR" +/* The \fBpostscreen\fR(8) equivalent of smtpd_tls_ciphers. +/* .IP "\fBpostscreen_tls_dcert_file ($smtpd_tls_dcert_file)\fR" +/* The \fBpostscreen\fR(8) equivalent of smtpd_tls_dcert_file. +/* .IP "\fBpostscreen_tls_dh1024_param_file ($smtpd_tls_dh1024_param_file)\fR" +/* The \fBpostscreen\fR(8) equivalent of smtpd_tls_dh1024_param_file. +/* .IP "\fBpostscreen_tls_dh512_param_file ($smtpd_tls_dh512_param_file)\fR" +/* The \fBpostscreen\fR(8) equivalent of smtpd_tls_dh512_param_file. +/* .IP "\fBpostscreen_tls_dkey_file ($smtpd_tls_dkey_file)\fR" +/* The \fBpostscreen\fR(8) equivalent of smtpd_tls_dkey_file. 
+/* .IP "\fBpostscreen_tls_eccert_file ($smtpd_tls_eccert_file)\fR" +/* The \fBpostscreen\fR(8) equivalent of smtpd_tls_eccert_file. +/* .IP "\fBpostscreen_tls_eckey_file ($smtpd_tls_eckey_file)\fR" +/* The \fBpostscreen\fR(8) equivalent of smtpd_tls_eckey_file. +/* .IP "\fBpostscreen_tls_eecdh_grade ($smtpd_tls_eecdh_grade)\fR" +/* The \fBpostscreen\fR(8) equivalent of smtpd_tls_eecdh_grade. +/* .IP "\fBpostscreen_tls_enable_rpk ($smtpd_tls_enable_rpk)\fR" +/* The \fBpostscreen\fR(8) equivalent of smtpd_tls_enable_rpk. +/* .IP "\fBpostscreen_tls_exclude_ciphers ($smtpd_tls_exclude_ciphers)\fR" +/* The \fBpostscreen\fR(8) equivalent of smtpd_tls_exclude_ciphers. +/* .IP "\fBpostscreen_tls_fingerprint_digest ($smtpd_tls_fingerprint_digest)\fR" +/* The \fBpostscreen\fR(8) equivalent of smtpd_tls_fingerprint_digest. +/* .IP "\fBpostscreen_tls_key_file ($smtpd_tls_key_file)\fR" +/* The \fBpostscreen\fR(8) equivalent of smtpd_tls_key_file. +/* .IP "\fBpostscreen_tls_loglevel ($smtpd_tls_loglevel)\fR" +/* The \fBpostscreen\fR(8) equivalent of smtpd_tls_loglevel. +/* .IP "\fBpostscreen_tls_mandatory_ciphers ($smtpd_tls_mandatory_ciphers)\fR" +/* The \fBpostscreen\fR(8) equivalent of smtpd_tls_mandatory_ciphers. +/* .IP "\fBpostscreen_tls_mandatory_exclude_ciphers ($smtpd_tls_mandatory_exclude_ciphers)\fR" +/* The \fBpostscreen\fR(8) equivalent of smtpd_tls_mandatory_exclude_ciphers. +/* .IP "\fBpostscreen_tls_mandatory_protocols ($smtpd_tls_mandatory_protocols)\fR" +/* The \fBpostscreen\fR(8) equivalent of smtpd_tls_mandatory_protocols. +/* .IP "\fBpostscreen_tls_protocols ($smtpd_tls_protocols)\fR" +/* The \fBpostscreen\fR(8) equivalent of smtpd_tls_protocols. +/* .IP "\fBpostscreen_tls_req_ccert ($smtpd_tls_req_ccert)\fR" +/* The \fBpostscreen\fR(8) equivalent of smtpd_tls_req_ccert. /* OBSOLETE STARTTLS SUPPORT CONTROLS /* .ad /* .fi 
@@ -557,6 +611,67 @@ char *var_psc_allist_if; char *var_psc_uproxy_proto; int var_psc_uproxy_tmout; + /* + * We use smtpd TLS parameters as the defaults for postscreen TLS support. + */ +bool var_smtpd_tls_ask_ccert; +bool var_smtpd_tls_enable_rpk; +bool var_smtpd_tls_req_ccert; +bool var_smtpd_tls_set_sessid; + +char *var_smtpd_tls_CAfile; +char *var_smtpd_tls_CApath; +char *var_smtpd_tls_cert_file; +char *var_smtpd_tls_chain_files; +char *var_smtpd_tls_ciph; +char *var_smtpd_tls_dcert_file; +char *var_smtpd_tls_dh1024_param_file; +char *var_smtpd_tls_dh512_param_file; +char *var_smtpd_tls_dkey_file; +char *var_smtpd_tls_eccert_file; +char *var_smtpd_tls_eckey_file; +char *var_smtpd_tls_eecdh; +char *var_smtpd_tls_excl_ciph; +char *var_smtpd_tls_fpt_dgst; +char *var_smtpd_tls_key_file; +char *var_smtpd_tls_loglevel; +char *var_smtpd_tls_mand_ciph; +char *var_smtpd_tls_mand_excl; +char *var_smtpd_tls_mand_proto; +char *var_smtpd_tls_proto; + +int var_smtpd_tls_ccert_vd; +int var_smtpd_starttls_tmout; + +bool var_psc_tls_ask_ccert; +bool var_psc_tls_enable_rpk; +bool var_psc_tls_req_ccert; +bool var_psc_tls_set_sessid; + +char *var_psc_tls_CAfile; +char *var_psc_tls_CApath; +char *var_psc_tls_cert_file; +char *var_psc_tls_chain_files; +char *var_psc_tls_ciph; +char *var_psc_tls_dcert_file; +char *var_psc_tls_dh1024_param_file; +char *var_psc_tls_dh512_param_file; +char *var_psc_tls_dkey_file; +char *var_psc_tls_eccert_file; +char *var_psc_tls_eckey_file; +char *var_psc_tls_eecdh; +char *var_psc_tls_excl_ciph; +char *var_psc_tls_fpt_dgst; +char *var_psc_tls_key_file; +char *var_psc_tls_loglevel; +char *var_psc_tls_mand_ciph; +char *var_psc_tls_mand_excl; +char *var_psc_tls_mand_proto; +char *var_psc_tls_proto; + +int var_psc_tls_ccert_vd; +int var_psc_starttls_tmout; + /* * Global variables. */ 
@@ -1178,6 +1293,26 @@ int main(int argc, char **argv) VAR_SMTPD_EHLO_DIS_WORDS, DEF_SMTPD_EHLO_DIS_WORDS, &var_smtpd_ehlo_dis_words, 0, 0, VAR_SMTPD_EHLO_DIS_MAPS, DEF_SMTPD_EHLO_DIS_MAPS, &var_smtpd_ehlo_dis_maps, 0, 0, VAR_SMTPD_TLS_LEVEL, DEF_SMTPD_TLS_LEVEL, &var_smtpd_tls_level, 0, 0, + VAR_SMTPD_TLS_CA_FILE, DEF_SMTPD_TLS_CA_FILE, &var_smtpd_tls_CAfile, 0, 0, + VAR_SMTPD_TLS_CA_PATH, DEF_SMTPD_TLS_CA_PATH, &var_smtpd_tls_CApath, 0, 0, + VAR_SMTPD_TLS_CERT_FILE, DEF_SMTPD_TLS_CERT_FILE, &var_smtpd_tls_cert_file, 0, 0, + VAR_SMTPD_TLS_CHAIN_FILES, DEF_SMTPD_TLS_CHAIN_FILES, &var_smtpd_tls_chain_files, 0, 0, + VAR_SMTPD_TLS_CIPH, DEF_SMTPD_TLS_CIPH, &var_smtpd_tls_ciph, 1, 0, + VAR_SMTPD_TLS_DCERT_FILE, DEF_SMTPD_TLS_DCERT_FILE, &var_smtpd_tls_dcert_file, 0, 0, + VAR_SMTPD_TLS_1024_FILE, DEF_SMTPD_TLS_1024_FILE, &var_smtpd_tls_dh1024_param_file, 0, 0, + VAR_SMTPD_TLS_512_FILE, DEF_SMTPD_TLS_512_FILE, &var_smtpd_tls_dh512_param_file, 0, 0, + VAR_SMTPD_TLS_DKEY_FILE, DEF_SMTPD_TLS_DKEY_FILE, &var_smtpd_tls_dkey_file, 0, 0, + VAR_SMTPD_TLS_ECCERT_FILE, DEF_SMTPD_TLS_ECCERT_FILE, &var_smtpd_tls_eccert_file, 0, 0, + VAR_SMTPD_TLS_ECKEY_FILE, DEF_SMTPD_TLS_ECKEY_FILE, &var_smtpd_tls_eckey_file, 0, 0, + VAR_SMTPD_TLS_EECDH, DEF_SMTPD_TLS_EECDH, &var_smtpd_tls_eecdh, 1, 0, + VAR_SMTPD_TLS_EXCL_CIPH, DEF_SMTPD_TLS_EXCL_CIPH, &var_smtpd_tls_excl_ciph, 0, 0, + VAR_SMTPD_TLS_FPT_DGST, DEF_SMTPD_TLS_FPT_DGST, &var_smtpd_tls_fpt_dgst, 1, 0, + VAR_SMTPD_TLS_KEY_FILE, DEF_SMTPD_TLS_KEY_FILE, &var_smtpd_tls_key_file, 0, 0, + VAR_SMTPD_TLS_LOGLEVEL, DEF_SMTPD_TLS_LOGLEVEL, &var_smtpd_tls_loglevel, 0, 0, + VAR_SMTPD_TLS_MAND_CIPH, DEF_SMTPD_TLS_MAND_CIPH, &var_smtpd_tls_mand_ciph, 1, 0, + VAR_SMTPD_TLS_MAND_EXCL, DEF_SMTPD_TLS_MAND_EXCL, &var_smtpd_tls_mand_excl, 0, 0, + VAR_SMTPD_TLS_MAND_PROTO, DEF_SMTPD_TLS_MAND_PROTO, &var_smtpd_tls_mand_proto, 0, 0, + VAR_SMTPD_TLS_PROTO, DEF_SMTPD_TLS_PROTO, &var_smtpd_tls_proto, 0, 0, VAR_SMTPD_CMD_FILTER, DEF_SMTPD_CMD_FILTER, 
&var_smtpd_cmd_filter, 0, 0, VAR_PSC_CACHE_MAP, DEF_PSC_CACHE_MAP, &var_psc_cache_map, 0, 0, VAR_PSC_PREGR_BANNER, DEF_PSC_PREGR_BANNER, &var_psc_pregr_banner, 0, 0, 
@@ -1194,6 +1329,26 @@ int main(int argc, char **argv) VAR_PSC_EHLO_DIS_MAPS, DEF_PSC_EHLO_DIS_MAPS, &var_psc_ehlo_dis_maps, 0, 0, VAR_PSC_DNSBL_REPLY, DEF_PSC_DNSBL_REPLY, &var_psc_dnsbl_reply, 0, 0, VAR_PSC_TLS_LEVEL, DEF_PSC_TLS_LEVEL, &var_psc_tls_level, 0, 0, + VAR_PSC_TLS_CAFILE, DEF_PSC_TLS_CAFILE, &var_psc_tls_CAfile, 0, 0, + VAR_PSC_TLS_CAPATH, DEF_PSC_TLS_CAPATH, &var_psc_tls_CApath, 0, 0, + VAR_PSC_TLS_CERT_FILE, DEF_PSC_TLS_CERT_FILE, &var_psc_tls_cert_file, 0, 0, + VAR_PSC_TLS_CHAIN_FILES, DEF_PSC_TLS_CHAIN_FILES, &var_psc_tls_chain_files, 0, 0, + VAR_PSC_TLS_CIPH, DEF_PSC_TLS_CIPH, &var_psc_tls_ciph, 1, 0, + VAR_PSC_TLS_DCERT_FILE, DEF_PSC_TLS_DCERT_FILE, &var_psc_tls_dcert_file, 0, 0, + VAR_PSC_TLS_1024_FILE, DEF_PSC_TLS_1024_FILE, &var_psc_tls_dh1024_param_file, 0, 0, + VAR_PSC_TLS_512_FILE, DEF_PSC_TLS_512_FILE, &var_psc_tls_dh512_param_file, 0, 0, + VAR_PSC_TLS_DKEY_FILE, DEF_PSC_TLS_DKEY_FILE, &var_psc_tls_dkey_file, 0, 0, + VAR_PSC_TLS_ECCERT_FILE, DEF_PSC_TLS_ECCERT_FILE, &var_psc_tls_eccert_file, 0, 0, + VAR_PSC_TLS_ECKEY_FILE, DEF_PSC_TLS_ECKEY_FILE, &var_psc_tls_eckey_file, 0, 0, + VAR_PSC_TLS_EECDH, DEF_PSC_TLS_EECDH, &var_psc_tls_eecdh, 1, 0, + VAR_PSC_TLS_EXCL_CIPH, DEF_PSC_TLS_EXCL_CIPH, &var_psc_tls_excl_ciph, 0, 0, + VAR_PSC_TLS_FPT_DGST, DEF_PSC_TLS_FPT_DGST, &var_psc_tls_fpt_dgst, 1, 0, + VAR_PSC_TLS_KEY_FILE, DEF_PSC_TLS_KEY_FILE, &var_psc_tls_key_file, 0, 0, + VAR_PSC_TLS_LOGLEVEL, DEF_PSC_TLS_LOGLEVEL, &var_psc_tls_loglevel, 0, 0, + VAR_PSC_TLS_MAND_CIPH, DEF_PSC_TLS_MAND_CIPH, &var_psc_tls_mand_ciph, 1, 0, + VAR_PSC_TLS_MAND_EXCL, DEF_PSC_TLS_MAND_EXCL, &var_psc_tls_mand_excl, 0, 0, + VAR_PSC_TLS_MAND_PROTO, DEF_PSC_TLS_MAND_PROTO, &var_psc_tls_mand_proto, 0, 0, + VAR_PSC_TLS_PROTO, DEF_PSC_TLS_PROTO, &var_psc_tls_proto, 0, 0, VAR_PSC_CMD_FILTER, DEF_PSC_CMD_FILTER, &var_psc_cmd_filter, 0, 0, VAR_DNSBLOG_SERVICE, DEF_DNSBLOG_SERVICE, &var_dnsblog_service, 1, 0, VAR_TLSPROXY_SERVICE, DEF_TLSPROXY_SERVICE, &var_tlsproxy_service, 1, 
0, @@ -1206,6 +1361,7 @@ int main(int argc, char **argv) VAR_PSC_DNSBL_THRESH, DEF_PSC_DNSBL_THRESH, &var_psc_dnsbl_thresh, 1, 0, VAR_PSC_CMD_COUNT, DEF_PSC_CMD_COUNT, &var_psc_cmd_count, 1, 0, VAR_SMTPD_CCONN_LIMIT, DEF_SMTPD_CCONN_LIMIT, &var_smtpd_cconn_limit, 0, 0, + VAR_SMTPD_TLS_CCERT_VD, DEF_SMTPD_TLS_CCERT_VD, &var_smtpd_tls_ccert_vd, 0, 0, 0, }; static const CONFIG_NINT_TABLE nint_table[] = { @@ -1213,6 +1369,7 @@ int main(int argc, char **argv) VAR_PSC_PRE_QLIMIT, DEF_PSC_PRE_QLIMIT, &var_psc_pre_queue_limit, 10, 0, VAR_PSC_CCONN_LIMIT, DEF_PSC_CCONN_LIMIT, &var_psc_cconn_limit, 0, 0, VAR_PSC_DNSBL_ALTHRESH, DEF_PSC_DNSBL_ALTHRESH, &var_psc_dnsbl_althresh, 0, 0, + VAR_PSC_TLS_CCERT_VD, DEF_PSC_TLS_CCERT_VD, &var_psc_tls_ccert_vd, 0, 0, 0, }; static const CONFIG_TIME_TABLE time_table[] = { @@ -1229,7 +1386,8 @@ int main(int argc, char **argv) VAR_PSC_WATCHDOG, DEF_PSC_WATCHDOG, &var_psc_watchdog, 10, 0, VAR_PSC_UPROXY_TMOUT, DEF_PSC_UPROXY_TMOUT, &var_psc_uproxy_tmout, 1, 0, VAR_PSC_DNSBL_TMOUT, DEF_PSC_DNSBL_TMOUT, &var_psc_dnsbl_tmout, 1, 0, - + VAR_SMTPD_STARTTLS_TMOUT, DEF_SMTPD_STARTTLS_TMOUT, &var_smtpd_starttls_tmout, 1, 0, + VAR_PSC_STARTTLS_TMOUT, DEF_PSC_STARTTLS_TMOUT, &var_psc_starttls_tmout, 1, 0, 0, }; static const CONFIG_BOOL_TABLE bool_table[] = { @@ -1240,6 +1398,10 @@ int main(int argc, char **argv) VAR_PSC_PIPEL_ENABLE, DEF_PSC_PIPEL_ENABLE, &var_psc_pipel_enable, VAR_PSC_NSMTP_ENABLE, DEF_PSC_NSMTP_ENABLE, &var_psc_nsmtp_enable, VAR_PSC_BARLF_ENABLE, DEF_PSC_BARLF_ENABLE, &var_psc_barlf_enable, + VAR_SMTPD_TLS_ACERT, DEF_SMTPD_TLS_ACERT, &var_smtpd_tls_ask_ccert, + VAR_SMTPD_TLS_ENABLE_RPK, DEF_SMTPD_TLS_ENABLE_RPK, &var_smtpd_tls_enable_rpk, + VAR_SMTPD_TLS_RCERT, DEF_SMTPD_TLS_RCERT, &var_smtpd_tls_req_ccert, + VAR_SMTPD_TLS_SET_SESSID, DEF_SMTPD_TLS_SET_SESSID, &var_smtpd_tls_set_sessid, 0, }; static const CONFIG_RAW_TABLE raw_table[] = { 
@@ -1254,6 +1416,10 @@ int main(int argc, char **argv) VAR_PSC_DISABLE_VRFY, DEF_PSC_DISABLE_VRFY, &var_psc_disable_vrfy, VAR_PSC_USE_TLS, DEF_PSC_USE_TLS, &var_psc_use_tls, VAR_PSC_ENFORCE_TLS, DEF_PSC_ENFORCE_TLS, &var_psc_enforce_tls, + VAR_PSC_TLS_ACERT, DEF_PSC_TLS_ACERT, &var_psc_tls_ask_ccert, + VAR_PSC_TLS_ENABLE_RPK, DEF_PSC_TLS_ENABLE_RPK, &var_psc_tls_enable_rpk, + VAR_PSC_TLS_RCERT, DEF_PSC_TLS_RCERT, &var_psc_tls_req_ccert, + VAR_PSC_TLS_SET_SESSID, DEF_PSC_TLS_SET_SESSID, &var_psc_tls_set_sessid, 0, }; diff --git a/postfix/src/postscreen/postscreen.h b/postfix/src/postscreen/postscreen.h index b9ceeeb99..c8ae62e2b 100644 --- a/postfix/src/postscreen/postscreen.h +++ b/postfix/src/postscreen/postscreen.h @@ -30,6 +30,13 @@ #include #include + /* + * TLS library. + */ +#ifdef USE_TLS +#include +#endif + /* * Preliminary stuff, to be fixed. */ @@ -555,6 +562,19 @@ extern void psc_send_socket(PSC_STATE *); */ extern void psc_starttls_open(PSC_STATE *, EVENT_NOTIFY_FN); + /* + * postscreen_tls_conf.c. + */ +extern bool psc_tls_ready; +extern bool psc_tls_pre_jail(void); + +#ifdef USE_TLS +extern TLS_SERVER_PARAMS psc_tls_params; +extern TLS_SERVER_INIT_PROPS psc_init_props; +extern bool psc_tls_pre_start(const char *, TLS_SERVER_START_PROPS *); + +#endif + /* * postscreen_expand.c */ diff --git a/postfix/src/postscreen/postscreen_smtpd.c b/postfix/src/postscreen/postscreen_smtpd.c index 6b72626a7..89fcdac31 100644 --- a/postfix/src/postscreen/postscreen_smtpd.c +++ b/postfix/src/postscreen/postscreen_smtpd.c @@ -439,7 +439,8 @@ static int psc_starttls_cmd(PSC_STATE *state, char *args) if (state->flags & PSC_STATE_FLAG_USING_TLS) return (PSC_SEND_REPLY(state, "554 5.5.1 Error: TLS already active\r\n")); - if (var_psc_use_tls == 0 || (state->ehlo_discard_mask & EHLO_MASK_STARTTLS)) +#ifdef USE_TLS + if (!psc_tls_ready) return (PSC_SEND_REPLY(state, "502 5.5.1 Error: command not implemented\r\n")); 
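Review bot: The new condition `if (!psc_tls_ready)` drops the per-session `state->ehlo_discard_mask & EHLO_MASK_STARTTLS` test that the removed line carried, so a client whose EHLO reply had STARTTLS suppressed (for example through postscreen_discard_ehlo_keyword_address_maps) can still issue STARTTLS and be handed to tlsproxy(8). The process-wide part of that mask is now folded into the pre-formatted EHLO reply in psc_smtpd_init(), but the per-client part is reachable only through state->ehlo_discard_mask, and I believe smtpd(8)'s STARTTLS handler keeps the same mask test. Unless the mask is checked elsewhere on this path, which the hunk does not show, I would keep it: `if (!psc_tls_ready || (state->ehlo_discard_mask & EHLO_MASK_STARTTLS))`.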
@@ -449,6 +450,10 @@ static int psc_starttls_cmd(PSC_STATE *state, char *args) PSC_SUSPEND_SMTP_CMD_EVENTS(state); psc_starttls_open(state, psc_starttls_resume); return (0); +#else + return (PSC_SEND_REPLY(state, + "502 5.5.1 Error: command not implemented\r\n")); +#endif } /* psc_extract_addr - extract MAIL/RCPT address, unquoted form */ 
@@ -1238,49 +1243,15 @@ void psc_smtpd_init(void) psc_smtpd_helo_reply = mystrdup(STR(psc_temp)); /* - * STARTTLS support. Note the complete absence of #ifdef USE_TLS - * throughout the postscreen(8) source code. If Postfix is built without - * TLS support, then the TLS proxy will simply report that TLS is not - * available, and conventional error handling will take care of the - * issue. - * - * Legacy code copied from smtpd(8). The pre-fabricated EHLO reply depends - * on this. - */ - if (*var_psc_tls_level) { - switch (tls_level_lookup(var_psc_tls_level)) { - default: - msg_fatal("Invalid TLS level \"%s\"", var_psc_tls_level); - /* NOTREACHED */ - break; - case TLS_LEV_SECURE: - case TLS_LEV_VERIFY: - case TLS_LEV_FPRINT: - msg_warn("%s: unsupported TLS level \"%s\", using \"encrypt\"", - VAR_PSC_TLS_LEVEL, var_psc_tls_level); - /* FALLTHROUGH */ - case TLS_LEV_ENCRYPT: - var_psc_enforce_tls = var_psc_use_tls = 1; - break; - case TLS_LEV_MAY: - var_psc_enforce_tls = 0; - var_psc_use_tls = 1; - break; - case TLS_LEV_NONE: - var_psc_enforce_tls = var_psc_use_tls = 0; - break; - } - } - var_psc_use_tls = var_psc_use_tls || var_psc_enforce_tls; -#ifdef TODO_SASL_AUTH - var_psc_tls_auth_only = var_psc_tls_auth_only || var_psc_enforce_tls; -#endif + * STARTTLS support. This affects the EHLO greeting. */ + psc_tls_pre_jail(); /* * Initialize the EHLO reply. Once for plaintext sessions, and once for * TLS sessions. */ - psc_smtpd_format_ehlo_reply(psc_temp, psc_ehlo_discard_mask); + psc_smtpd_format_ehlo_reply(psc_temp, psc_ehlo_discard_mask + | (psc_tls_ready ? 0 : EHLO_MASK_STARTTLS)); psc_smtpd_ehlo_reply_plain = mystrdup(STR(psc_temp)); psc_smtpd_format_ehlo_reply(psc_temp, diff --git a/postfix/src/postscreen/postscreen_starttls.c b/postfix/src/postscreen/postscreen_starttls.c index 4036a3dcd..3124223d5 100644 --- a/postfix/src/postscreen/postscreen_starttls.c +++ b/postfix/src/postscreen/postscreen_starttls.c 
@@ -44,6 +44,8 @@ /* New York, NY 10011, USA /*--*/ +#ifdef USE_TLS + /* System library. */ #include @@ -203,6 +205,7 @@ static void psc_starttls_first(int event, void *context) PSC_STATE *smtp_state = starttls_state->smtp_state; VSTREAM *tlsproxy_stream = starttls_state->tlsproxy_stream; static VSTRING *remote_endpt = 0; + TLS_SERVER_START_PROPS start_props; if (msg_verbose) msg_info("%s: receive server protocol on proxy socket %d" @@ -247,14 +250,21 @@ static void psc_starttls_first(int event, void *context) remote_endpt = vstring_alloc(20); vstring_sprintf(remote_endpt, "[%s]:%s", smtp_state->smtp_client_addr, smtp_state->smtp_client_port); - attr_print(tlsproxy_stream, ATTR_FLAG_NONE, - SEND_ATTR_STR(TLS_ATTR_REMOTE_ENDPT, STR(remote_endpt)), - SEND_ATTR_INT(TLS_ATTR_FLAGS, TLS_PROXY_FLAG_ROLE_SERVER), - SEND_ATTR_INT(TLS_ATTR_TIMEOUT, psc_normal_cmd_time_limit), - SEND_ATTR_INT(TLS_ATTR_TIMEOUT, psc_normal_cmd_time_limit), - SEND_ATTR_STR(TLS_ATTR_SERVERID, MAIL_SERVICE_SMTPD), /* XXX */ - ATTR_TYPE_END); - if (vstream_fflush(tlsproxy_stream) != 0) { + psc_tls_pre_start(STR(remote_endpt), &start_props); + + if (attr_print(tlsproxy_stream, ATTR_FLAG_NONE, + SEND_ATTR_STR(TLS_ATTR_REMOTE_ENDPT, STR(remote_endpt)), + SEND_ATTR_INT(TLS_ATTR_FLAGS, TLS_PROXY_FLAG_ROLE_SERVER), + SEND_ATTR_INT(TLS_ATTR_TIMEOUT, psc_normal_cmd_time_limit), + SEND_ATTR_INT(TLS_ATTR_TIMEOUT, psc_normal_cmd_time_limit), + SEND_ATTR_STR(TLS_ATTR_SERVERID, var_servname), + ATTR_TYPE_END) != 0 + || attr_print(tlsproxy_stream, ATTR_FLAG_NONE, + SEND_ATTR_FUNC(tls_proxy_server_param_print, &psc_tls_params), + SEND_ATTR_FUNC(tls_proxy_server_init_print, &psc_init_props), + SEND_ATTR_FUNC(tls_proxy_server_start_print, &start_props), + ATTR_TYPE_END) != 0 + || vstream_fflush(tlsproxy_stream) != 0) { msg_warn("error sending request to %s service: %m", psc_tlsp_service); PSC_SEND_REPLY(smtp_state, "454 4.7.0 TLS not available due to local problem\r\n"); 
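Review bot: The return value of `psc_tls_pre_start(STR(remote_endpt), &start_props);` is discarded, yet by the module's own contract the function returns false and leaves start_props untouched when TLS is not ready; start_props is an uninitialized automatic, so on that path tls_proxy_server_start_print() would serialize indeterminate memory to tlsproxy(8). psc_starttls_cmd() refuses STARTTLS while psc_tls_ready is false, so today this looks unreachable, but the invariant is cheap to assert where it is relied on: `if (!psc_tls_pre_start(STR(remote_endpt), &start_props)) msg_panic("%s: TLS not ready", __func__);`. psc_starttls_first() begins before this hunk.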
@@ -315,3 +325,5 @@ void psc_starttls_open(PSC_STATE *smtp_state, EVENT_NOTIFY_FN resume_event) PSC_READ_EVENT_REQUEST(vstream_fileno(tlsproxy_stream), psc_starttls_first, (void *) starttls_state, TLSPROXY_INIT_TIMEOUT); } + +#endif diff --git a/postfix/src/postscreen/postscreen_tls_conf.c b/postfix/src/postscreen/postscreen_tls_conf.c new file mode 100644 index 000000000..ab3f2f4f3 --- /dev/null +++ b/postfix/src/postscreen/postscreen_tls_conf.c 
@@ -0,0 +1,283 @@ +/*++ +/* NAME +/* postscreen_tls_conf 3 +/* SUMMARY +/* postscreen TLS proxy support, configuration adapter +/* SYNOPSIS +/* #include +/* +/* bool psc_tls_ready; +/* TLS_SERVER_PARAMS psc_tls_params; +/* TLS_SERVER_INIT_PROPS psc_init_props; +/* +/* bool psc_tls_pre_jail(void) +/* +/* bool psc_tls_pre_start( +/* const char *remote_endpt, +/* TLS_SERVER_START_PROPS *start_props) +/* DESCRIPTION +/* This module converts Postfix configuration settings into +/* per-process TLS_SERVER_PARAMS and TLS_SERVER_INIT_PROPS, and +/* into per-request TLS_SERVER_START_PROPS. +/* +/* psc_tls_ready represents the TLS support state: true when +/* TLS support is compiled in and enabled by configuration. +/* +/* psc_tls_pre_jail() must be called once, before the process handles +/* requests. If TLS is enabled by configuration, this function +/* pre-computes TLS_SERVER_PARAMS and TLS_SERVER_INIT_PROPS, and +/* returns true. This function logs a configuration warning when +/* TLS is requested by configuration, but Postfix is built without +/* TLS support. +/* +/* psc_tls_pre_start() always returns the value of psc_tls_ready. +/* If TLS is enabled by configuration, this function updates the +/* structure referenced by the start_props argument with information +/* based on configuration and on the remote endpoint string. +/* LICENSE +/* .ad +/* .fi +/* The Secure Mailer license must be distributed with this software. +/* AUTHOR(S) +/* Wietse Venema +/* IBM T.J. Watson Research +/* P.O. Box 704 +/* Yorktown Heights, NY 10598, USA +/* +/* Wietse Venema +/* Google, Inc. +/* 111 8th Avenue +/* New York, NY 10011, USA +/* +/* Wietse Venema +/* porcupine.org +/*--*/ + +/* System library. */ + +#include + +/* Utility library. */ + +#include + +/* Global library. */ + +#include + +/* TLS library. */ + +#include + +/* Application-specific. 
*/ + +#include + + /* + * For now, the conversion from configuration parameters to tls_server_xxx() + * arguments is built here into the postscreen(8) source code. In the future + * it should be abstracted into a library module that can be reused use by + * other programs such as smtpd(8), tlsproxy(8), and smtp-sink(1). + */ + + /* + * Pre-computed state based on configuration parameters. TODO(wietse): some + * legacy booleans use "|=". Fix that when this code is factored out. + */ +TLS_SERVER_PARAMS psc_tls_params; +TLS_SERVER_INIT_PROPS psc_init_props; +bool psc_tls_ready; + + /* + * Private state. + */ +static bool psc_tls_pre_jail_done; +static int ask_client_cert; + +/* psc_tls_pre_jail - pre-compute per-process TLS properties */ + +bool psc_tls_pre_jail(void) +{ + + /* + * Sanity check. + */ + if (psc_tls_pre_jail_done) + msg_panic("%s: multiple calls", __func__); + + /* + * XXX Temporary fix to pretend that we consistently implement TLS + * security levels. We implement only a subset for now. + * + * Note: tls_level_lookup() logs no warning. + */ + if (var_psc_tls_level) { + switch (tls_level_lookup(var_psc_tls_level)) { + default: + msg_fatal("Invalid TLS level \"%s\"", var_psc_tls_level); + /* NOTREACHED */ + break; + case TLS_LEV_SECURE: + case TLS_LEV_VERIFY: + case TLS_LEV_FPRINT: + msg_warn("%s: unsupported TLS level \"%s\", using \"encrypt\"", + VAR_SMTPD_TLS_LEVEL, var_psc_tls_level); + /* FALLTHROUGH */ + case TLS_LEV_ENCRYPT: + var_psc_enforce_tls = var_psc_use_tls = 1; + break; + case TLS_LEV_MAY: + var_psc_enforce_tls = 0; + var_psc_use_tls = 1; + break; + case TLS_LEV_NONE: + var_psc_enforce_tls = var_psc_use_tls = 0; + break; + } + } + var_psc_use_tls = var_psc_use_tls || var_psc_enforce_tls; + + if (var_psc_use_tls) { +#ifdef USE_TLS + const char *cert_file; + int have_server_cert; + int no_server_cert_ok; + int require_server_cert; + + + /* + * Can't use anonymous ciphers if we want client certificates. 
Must + * use anonymous ciphers if we have no certificates. + * + * XXX: Ugh! Too many booleans! + */ + ask_client_cert = require_server_cert = + (var_psc_tls_ask_ccert + || (var_psc_enforce_tls && var_psc_tls_req_ccert)); + if (strcasecmp(var_psc_tls_cert_file, "none") == 0) { + no_server_cert_ok = 1; + cert_file = ""; + } else { + no_server_cert_ok = 0; + cert_file = var_psc_tls_cert_file; + } + have_server_cert = *cert_file != 0; + have_server_cert |= *var_psc_tls_eccert_file != 0; + have_server_cert |= *var_psc_tls_dcert_file != 0; + + if (*var_psc_tls_chain_files != 0) { + if (!have_server_cert) + have_server_cert = 1; + else + msg_warn("Both %s and one or more of the legacy " + " %s, %s or %s are non-empty; the legacy " + " parameters will be ignored", + VAR_PSC_TLS_CHAIN_FILES, + VAR_PSC_TLS_CERT_FILE, + VAR_PSC_TLS_ECCERT_FILE, + VAR_PSC_TLS_DCERT_FILE); + } + /* Some TLS configuration errors are not show stoppers. */ + if (!have_server_cert && require_server_cert) + msg_warn("Need a server cert to request client certs"); + if (!var_psc_enforce_tls && var_psc_tls_req_ccert) + msg_warn("Can't require client certs unless TLS is required"); + /* After a show-stopper error, reply with 454 to STARTTLS. 
*/ + if (have_server_cert + || (no_server_cert_ok && !require_server_cert)) { + + tls_pre_jail_init(TLS_ROLE_SERVER); + tls_proxy_server_param_from_config(&psc_tls_params); + TLS_PROXY_SERVER_INIT_PROPS(&psc_init_props, + log_param = VAR_PSC_TLS_LOGLEVEL, + log_level = var_psc_tls_loglevel, + verifydepth = var_psc_tls_ccert_vd, + cache_type = TLS_MGR_SCACHE_SMTPD, + set_sessid = var_psc_tls_set_sessid, + chain_files = var_psc_tls_chain_files, + cert_file = cert_file, + key_file = var_psc_tls_key_file, + dcert_file = var_psc_tls_dcert_file, + dkey_file = var_psc_tls_dkey_file, + eccert_file = var_psc_tls_eccert_file, + eckey_file = var_psc_tls_eckey_file, + CAfile = var_psc_tls_CAfile, + CApath = var_psc_tls_CApath, + dh1024_param_file + = var_psc_tls_dh1024_param_file, + dh512_param_file + = var_psc_tls_dh512_param_file, + eecdh_grade = var_psc_tls_eecdh, + protocols = var_psc_enforce_tls ? + var_psc_tls_mand_proto : + var_psc_tls_proto, + ask_ccert = ask_client_cert, + mdalg = var_psc_tls_fpt_dgst); + psc_tls_ready = true; + } else { + msg_warn("No server certs available. TLS won't be enabled"); + } +#else + msg_warn("TLS has been selected, but TLS support is not compiled in"); +#endif + } + psc_tls_pre_jail_done = true; + return (psc_tls_ready); +} + +#ifdef USE_TLS + +/* psc_tls_pre_start - assign per-request TLS properties */ + +bool psc_tls_pre_start(const char *remote_endpt, + TLS_SERVER_START_PROPS *start_props) +{ + static char *cipher_grade; + static VSTRING *cipher_exclusions; + int requirecert; + + if (!psc_tls_ready) + return (false); + + /* + * In non-wrapper mode, it is possible to require client certificate + * verification without requiring TLS. Since certificates can be verified + * only while TLS is turned on, this means that Postfix will happily + * perform SMTP transactions when the client does not use the STARTTLS + * command. For this reason, Postfix does not require client certificate + * verification unless TLS is required. 
+ * + * The cipher grade and exclusions don't change between sessions. Compute + * just once and cache. + */ +#define ADD_EXCLUDE(vstr, str) \ + do { \ + if (*(str)) \ + vstring_sprintf_append((vstr), "%s%s", \ + VSTRING_LEN(vstr) ? " " : "", (str)); \ + } while (0) + + if (cipher_grade == 0) { + cipher_grade = var_psc_enforce_tls ? + var_psc_tls_mand_ciph : var_psc_tls_ciph; + cipher_exclusions = vstring_alloc(10); + ADD_EXCLUDE(cipher_exclusions, var_psc_tls_excl_ciph); + if (var_psc_enforce_tls) + ADD_EXCLUDE(cipher_exclusions, var_psc_tls_mand_excl); + if (ask_client_cert) + ADD_EXCLUDE(cipher_exclusions, "aNULL"); + } + requirecert = (var_psc_tls_req_ccert && var_psc_enforce_tls); + TLS_PROXY_SERVER_START_PROPS(start_props, + timeout = var_psc_starttls_tmout, + enable_rpk = var_psc_tls_enable_rpk, + requirecert = requirecert, + serverid = var_servname, + namaddr = remote_endpt, + cipher_grade = cipher_grade, + cipher_exclusions = STR(cipher_exclusions), + mdalg = var_psc_tls_fpt_dgst); + return (true); +} + +#endif diff --git a/postfix/src/posttls-finger/posttls-finger.c b/postfix/src/posttls-finger/posttls-finger.c index d058bc4de..109191c3f 100644 --- a/postfix/src/posttls-finger/posttls-finger.c +++ b/postfix/src/posttls-finger/posttls-finger.c @@ -853,7 +853,7 @@ static int starttls(STATE *state) tlsproxy = tls_proxy_open(DEF_TLSPROXY_SERVICE /* TODO */ , PROXY_OPEN_FLAGS, state->stream, state->paddr, STR(port_buf), - smtp_tmout, smtp_tmout, state->addrport, + smtp_tmout, smtp_tmout, var_procname, tls_proxy_client_param_from_config(&tls_params), &init_props, &start_props); vstring_free(port_buf); diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c index 8e6b1558d..976d52ea0 100644 --- a/postfix/src/smtpd/smtpd.c +++ b/postfix/src/smtpd/smtpd.c @@ -1569,6 +1569,7 @@ int smtpd_proxy_opts; #ifdef USE_TLSPROXY char *var_tlsproxy_service; +TLS_SERVER_INIT_PROPS smtpd_init_props; #endif 
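Review bot: `if (var_psc_tls_level)` in psc_tls_pre_jail() tests the pointer rather than the string: var_psc_tls_level is a char * bound in the str_table, so the branch is always taken and an empty (default) postscreen_tls_security_level is passed to tls_level_lookup(), which — unless it accepts the empty string, which this hunk does not show — ends in msg_fatal("Invalid TLS level"). The code this replaces in postscreen_smtpd.c tested `if (*var_psc_tls_level)`; restore the dereference. In the same switch, the "unsupported TLS level" warning names `VAR_SMTPD_TLS_LEVEL`, but the parameter being parsed is postscreen's, so the arguments should read `VAR_PSC_TLS_LEVEL, var_psc_tls_level);` as the removed code did. Separately, `static int ask_client_cert;` is assigned and read only inside `#ifdef USE_TLS`, so a build without TLS gets an unused-variable warning; declaring it under the same guard avoids that.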
@@ -1668,9 +1669,10 @@ static void tls_reset(SMTPD_STATE *); */ #ifndef USE_TLSPROXY static TLS_APPL_STATE *smtpd_tls_ctx; -static int ask_client_cert; #endif /* USE_TLSPROXY */ +static int ask_client_cert; + #endif /* 
@@ -5249,49 +5251,15 @@ static void smtpd_start_tls(SMTPD_STATE *state) int cert_present; int requirecert; -#ifdef USE_TLSPROXY - - /* - * This is non-production code, for tlsproxy(8) load testing only. It - * implements enough to enable some Postfix features that depend on TLS - * encryption. - * - * To insert tlsproxy(8) between this process and the SMTP client, we swap - * the file descriptors between the state->tlsproxy and state->client - * VSTREAMS, so that we don't lose all the user-configurable - * state->client attributes (such as longjump buffers or timeouts). - * - * As we implement tlsproxy support in the Postfix SMTP client we should - * develop a usable abstraction that encapsulates this stream plumbing in - * a library module. - */ - vstream_control(state->tlsproxy, CA_VSTREAM_CTL_DOUBLE, CA_VSTREAM_CTL_END); - vstream_control(state->client, CA_VSTREAM_CTL_SWAP_FD(state->tlsproxy), - CA_VSTREAM_CTL_END); - (void) vstream_fclose(state->tlsproxy); /* direct-to-client stream! */ - state->tlsproxy = 0; - - /* - * After plumbing the plaintext stream, receive the TLS context object. - * For this we must use the same VSTREAM buffer that we also use to - * receive subsequent SMTP commands. The attribute protocol is robust - * enough that an adversary cannot inject their own bogus TLS context - * attributes into the stream. - */ - state->tls_context = tls_proxy_context_receive(state->client); - - /* - * XXX Maybe it is better to send this information to tlsproxy(8) when - * requesting service, effectively making a remote tls_server_start() - * call. - */ - requirecert = (var_smtpd_tls_req_ccert && var_smtpd_enforce_tls); - -#else /* USE_TLSPROXY */ TLS_SERVER_START_PROPS props; static char *cipher_grade; static VSTRING *cipher_exclusions; +#ifdef USE_TLSPROXY + TLS_SERVER_PARAMS tls_params; + +#endif + /* * Wrapper mode uses a dedicated port and always requires TLS. * 
@@ -5328,7 +5296,62 @@ static void smtpd_start_tls(SMTPD_STATE *state) * requirements later, if necessary. */ requirecert = (var_smtpd_tls_req_ccert && var_smtpd_enforce_tls); +#ifdef USE_TLSPROXY + /* + * This is non-production code, for tlsproxy(8) load testing only. It + * implements enough to enable some Postfix features that depend on TLS + * encryption. + * + * To insert tlsproxy(8) between this process and the SMTP client, we swap + * the file descriptors between the state->tlsproxy and state->client + * VSTREAMS, so that we don't lose all the user-configurable + * state->client attributes (such as longjump buffers or timeouts). + */ + tls_proxy_server_param_from_config(&tls_params); + TLS_PROXY_SERVER_START_PROPS(&props, + timeout = var_smtpd_starttls_tmout, + enable_rpk = var_smtpd_tls_enable_rpk, + requirecert = requirecert, + serverid = state->service, + namaddr = state->namaddr, + cipher_grade = cipher_grade, + cipher_exclusions = STR(cipher_exclusions), + mdalg = var_smtpd_tls_fpt_dgst); + + /* + * Note: state->tlsproxy is left open when smtp_flush() calls longjmp(), + * so we garbage-collect the VSTREAM in smtpd_state_reset(). + */ +#define PROXY_OPEN_FLAGS \ + (TLS_PROXY_FLAG_ROLE_SERVER | TLS_PROXY_FLAG_SEND_CONTEXT) + + state->tlsproxy = + tls_proxy_open(var_tlsproxy_service, PROXY_OPEN_FLAGS, + state->client, state->addr, state->port, + var_smtpd_tmout, var_smtpd_tmout, + state->service, &tls_params, + &smtpd_init_props, &props); + if (state->tlsproxy == 0) { + state->error_mask |= MAIL_ERROR_SOFTWARE; + msg_warn("tlsproxy handshake failed"); + vstream_longjmp(state->client, SMTP_ERR_EOF); + } + vstream_control(state->tlsproxy, CA_VSTREAM_CTL_DOUBLE, CA_VSTREAM_CTL_END); + vstream_control(state->client, CA_VSTREAM_CTL_SWAP_FD(state->tlsproxy), + CA_VSTREAM_CTL_END); + (void) vstream_fclose(state->tlsproxy); /* direct-to-client stream! */ + state->tlsproxy = 0; + + /* + * After plumbing the plaintext stream, receive the TLS context object. 
+ * For this we must use the same VSTREAM buffer that we also use to + * receive subsequent SMTP commands. The attribute protocol is robust + * enough that an adversary cannot inject their own bogus TLS context + * attributes into the stream. + */ + state->tls_context = tls_proxy_context_receive(state->client); +#else /* USE_TLSPROXY */ state->tls_context = TLS_SERVER_START(&props, ctx = smtpd_tls_ctx, @@ -5469,20 +5492,8 @@ static int starttls_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv) return (-1); } #ifdef USE_TLSPROXY - - /* - * Note: state->tlsproxy is left open when smtp_flush() calls longjmp(), - * so we garbage-collect the VSTREAM in smtpd_state_reset(). - */ -#define PROXY_OPEN_FLAGS \ - (TLS_PROXY_FLAG_ROLE_SERVER | TLS_PROXY_FLAG_SEND_CONTEXT) - - state->tlsproxy = - tls_proxy_legacy_open(var_tlsproxy_service, PROXY_OPEN_FLAGS, - state->client, state->addr, - state->port, var_smtpd_tmout, - state->service); - if (state->tlsproxy == 0) { + if (!tls_proxy_probe(var_tlsproxy_service, TLS_PROXY_FLAG_ROLE_SERVER, + state->addr, state->port)) { state->error_mask |= MAIL_ERROR_SOFTWARE; /* RFC 3207 Section 4. */ smtpd_chat_reply(state, "454 4.7.0 TLS not available due to local problem"); @@ -6583,6 +6594,8 @@ static void pre_jail_init(char *unused_name, char **unused_argv) #ifdef USE_TLS #ifndef USE_TLSPROXY TLS_SERVER_INIT_PROPS props; + +#endif const char *cert_file; int have_server_cert; int no_server_cert_ok; 
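Review bot: The `tls_proxy_probe()` call that replaces tls_proxy_legacy_open() in starttls_cmd() only learns tlsproxy's pre-jail role readiness (tlsproxy answers a probe with `tlsp_server_role_ready`, see the tlsproxy.c hunk), not whether the TLS_SERVER_PARAMS/INIT_PROPS this smtpd will send are acceptable; the real `tls_proxy_open()` now happens in smtpd_start_tls() after the 220 reply, where a failure ends the session with `vstream_longjmp(state->client, SMTP_ERR_EOF)` instead of the 454 reply given here. That is probably acceptable for code marked as non-production load-test support, but it deserves a comment next to the probe, e.g. `/* Probe reports tlsproxy's configured readiness only; a settings mismatch surfaces in smtpd_start_tls(). */`. Note also that each STARTTLS now costs two tlsproxy connections (probe plus open), which may be visible in exactly the load tests this code exists for.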
@@ -6636,6 +6649,33 @@ static void pre_jail_init(char *unused_name, char **unused_argv) * language feature that C does not have natively: named * parameter lists. */ +#ifdef USE_TLSPROXY + TLS_PROXY_SERVER_INIT_PROPS(&smtpd_init_props, + log_param = VAR_SMTPD_TLS_LOGLEVEL, + log_level = var_smtpd_tls_loglevel, + verifydepth = var_smtpd_tls_ccert_vd, + cache_type = TLS_MGR_SCACHE_SMTPD, + set_sessid = var_smtpd_tls_set_sessid, + chain_files = var_smtpd_tls_chain_files, + cert_file = cert_file, + key_file = var_smtpd_tls_key_file, + dcert_file = var_smtpd_tls_dcert_file, + dkey_file = var_smtpd_tls_dkey_file, + eccert_file = var_smtpd_tls_eccert_file, + eckey_file = var_smtpd_tls_eckey_file, + CAfile = var_smtpd_tls_CAfile, + CApath = var_smtpd_tls_CApath, + dh1024_param_file + = var_smtpd_tls_dh1024_param_file, + dh512_param_file + = var_smtpd_tls_dh512_param_file, + eecdh_grade = var_smtpd_tls_eecdh, + protocols = var_smtpd_enforce_tls ? + var_smtpd_tls_mand_proto : + var_smtpd_tls_proto, + ask_ccert = ask_client_cert, + mdalg = var_smtpd_tls_fpt_dgst); +#else smtpd_tls_ctx = TLS_SERVER_INIT(&props, log_param = VAR_SMTPD_TLS_LOGLEVEL, @@ -6662,10 +6702,10 @@ static void pre_jail_init(char *unused_name, char **unused_argv) var_smtpd_tls_proto, ask_ccert = ask_client_cert, mdalg = var_smtpd_tls_fpt_dgst); +#endif /* USE_TLSPROXY */ } else { msg_warn("No server certs available. TLS won't be enabled"); } -#endif /* USE_TLSPROXY */ #else msg_warn("TLS has been selected, but TLS support is not compiled in"); #endif diff --git a/postfix/src/tls/tls.h b/postfix/src/tls/tls.h index 971f1f2b1..507aff593 100644 --- a/postfix/src/tls/tls.h +++ b/postfix/src/tls/tls.h 
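Review bot: `smtpd_init_props` is now a file-scope object that outlives pre_jail_init(), so every pointer stored into it by `TLS_PROXY_SERVER_INIT_PROPS(&smtpd_init_props, ...)` must remain valid until smtpd_start_tls() sends it to tlsproxy; the `var_smtpd_tls_*` strings are long-lived main.cf values, but `cert_file = cert_file` copies a local `const char *` whose assignment is outside this hunk, and if it can ever point at a temporary buffer rather than one of the global parameter strings the props would carry a dangling pointer. If it is always one of the `var_smtpd_tls_*` globals, a comment on the `cert_file = cert_file,` line saying so (`/* points at a var_smtpd_tls_* string; must outlive pre_jail_init() */`) would make the lifetime explicit. The same consideration applies to the corresponding postscreen code that fills `psc_init_props`.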
@@ -593,14 +593,19 @@ extern TLS_SESS_STATE *tls_server_post_accept(TLS_SESS_STATE *); #define tls_server_stop(ctx, stream, timeout, failure, TLScontext) \ tls_session_stop(ctx, (stream), (timeout), (failure), (TLScontext)) -#define TLS_SERVER_INIT(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \ +#define TLS_SERVER_INIT_ARGS(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \ a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20) \ - tls_server_init((((props)->a1), ((props)->a2), ((props)->a3), \ + (((props)->a1), ((props)->a2), ((props)->a3), \ ((props)->a4), ((props)->a5), ((props)->a6), ((props)->a7), \ ((props)->a8), ((props)->a9), ((props)->a10), ((props)->a11), \ ((props)->a12), ((props)->a13), ((props)->a14), ((props)->a15), \ ((props)->a16), ((props)->a17), ((props)->a18), ((props)->a19), \ - ((props)->a20), (props))) + ((props)->a20), (props)) + +#define TLS_SERVER_INIT(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \ + a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20) \ + tls_server_init(TLS_SERVER_INIT_ARGS(props, a1, a2, a3, a4, a5, a6, \ + a7, a8, a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20)) #define TLS_SERVER_START(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \ a10, a11) \ diff --git a/postfix/src/tls/tls_proxy.h b/postfix/src/tls/tls_proxy.h index e52d5260c..3d1941a0c 100644 --- a/postfix/src/tls/tls_proxy.h +++ b/postfix/src/tls/tls_proxy.h @@ -28,6 +28,7 @@ #define TLS_PROXY_FLAG_ROLE_SERVER (1<<0) /* request server role */ #define TLS_PROXY_FLAG_ROLE_CLIENT (1<<1) /* request client role */ #define TLS_PROXY_FLAG_SEND_CONTEXT (1<<2) /* send TLS context */ +#define TLS_PROXY_FLAG_PROBE_ONLY (1<<3) /* what-if */ #include 
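Review bot: The new `TLS_SERVER_INIT_ARGS` macro is now used stand-alone (tlsproxy_server.c does `(void) TLS_SERVER_INIT_ARGS(&init_props, ...)`), and nothing documents that it expands to a parenthesized comma expression that assigns each named field of `props` and evaluates to `props` itself, which is the only reason `tls_server_init(TLS_SERVER_INIT_ARGS(...))` still passes a single argument. Suggest a comment above the macro, e.g. `/* Assign the named fields of *props; the expression evaluates to props, so it works alone or as the tls_server_init() argument. */`. Without it a reader may assume the `_ARGS` form expands to an argument list rather than a single value.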
@@ -55,6 +56,7 @@ extern VSTREAM *tls_proxy_open(const char *, int, VSTREAM *, const char *, const char *, int, int, const char *, void *, void *, void *); +extern bool tls_proxy_probe(const char *, int, const char *, const char *); extern TLS_SESS_STATE *tls_proxy_context_receive(VSTREAM *); extern void tls_proxy_context_free(TLS_SESS_STATE *); diff --git a/postfix/src/tls/tls_proxy_clnt.c b/postfix/src/tls/tls_proxy_clnt.c index ca6a2e407..7722d4dda 100644 --- a/postfix/src/tls/tls_proxy_clnt.c +++ b/postfix/src/tls/tls_proxy_clnt.c @@ -34,6 +34,12 @@ /* const char *peer_port; /* int timeout; /* const char *serverid; +/* +/* bool tls_proxy_probe(service, flags, peer_addr, peer_port) +/* const char *service; +/* int flags; +/* const char *peer_addr; +/* const char *peer_port; /* DESCRIPTION /* tls_proxy_open() prepares for inserting the tlsproxy(8) /* daemon between the current process and a remote peer (the @@ -61,6 +67,9 @@ /* tls_proxy_legacy_open() is a backwards-compatibility feature /* that provides a historical interface. /* +/* tls_proxy_probe() asks the tlsproxy server if the requested role +/* would be available. +/* /* Arguments: /* .IP service /* The (base) name of the tlsproxy service. @@ -212,6 +221,8 @@ VSTREAM *tls_proxy_open(const char *service, int flags, } switch (flags & (TLS_PROXY_FLAG_ROLE_CLIENT | TLS_PROXY_FLAG_ROLE_SERVER)) { case TLS_PROXY_FLAG_ROLE_CLIENT: + if ((flags & TLS_PROXY_FLAG_PROBE_ONLY)) + break; attr_print(tlsproxy_stream, ATTR_FLAG_NONE, SEND_ATTR_FUNC(tls_proxy_client_param_print, tls_params), SEND_ATTR_FUNC(tls_proxy_client_init_print, init_props), 
@@ -219,13 +230,13 @@ VSTREAM *tls_proxy_open(const char *service, int flags, ATTR_TYPE_END); break; case TLS_PROXY_FLAG_ROLE_SERVER: -#if 0 + if ((flags & TLS_PROXY_FLAG_PROBE_ONLY)) + break; attr_print(tlsproxy_stream, ATTR_FLAG_NONE, SEND_ATTR_FUNC(tls_proxy_server_param_print, tls_params), SEND_ATTR_FUNC(tls_proxy_server_init_print, init_props), SEND_ATTR_FUNC(tls_proxy_server_start_print, start_props), ATTR_TYPE_END); -#endif break; default: msg_panic("%s: bad flags: 0x%x", myname, flags); @@ -262,6 +273,12 @@ VSTREAM *tls_proxy_open(const char *service, int flags, return (0); } + /* + * What-if probe only. + */ + if ((flags & TLS_PROXY_FLAG_PROBE_ONLY) != 0) + return (tlsproxy_stream); + /* * Send the remote peer file descriptor. */ @@ -297,4 +314,26 @@ TLS_SESS_STATE *tls_proxy_context_receive(VSTREAM *proxy_stream) } } +/* tls_proxy_probe - service availability check */ + +bool tls_proxy_probe(const char *service, int flags, + const char *peer_addr, const char *peer_port) +{ + VSTREAM *tlsproxy_stream; + bool ret; + +#define UNUSED_VSTREAM (0) +#define UNUSED_TIMEOUT (0) + + tlsproxy_stream = tls_proxy_open(service, + flags | TLS_PROXY_FLAG_PROBE_ONLY, + UNUSED_VSTREAM, peer_addr, + peer_port, UNUSED_TIMEOUT, + UNUSED_TIMEOUT, "unused_server", + (void *) 0, (void *) 0, (void *) 0); + if ((ret = tlsproxy_stream != 0)) + (void) vstream_fclose(tlsproxy_stream); + return (ret); +} + #endif diff --git a/postfix/src/tlsproxy/Makefile.in b/postfix/src/tlsproxy/Makefile.in index b2a401947..f1a7953a3 100644 --- a/postfix/src/tlsproxy/Makefile.in +++ b/postfix/src/tlsproxy/Makefile.in @@ -160,6 +160,7 @@ tlsproxy_diff.o: tlsproxy_diff.c tlsproxy_diff.o: tlsproxy_diff.h tlsproxy_server.o: ../../include/argv.h tlsproxy_server.o: ../../include/attr.h +tlsproxy_server.o: ../../include/been_here.h tlsproxy_server.o: ../../include/check_arg.h tlsproxy_server.o: ../../include/dns.h tlsproxy_server.o: ../../include/events.h 
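Review bot: `tls_proxy_probe()` passes a null `VSTREAM *` (`UNUSED_VSTREAM`) and null props into tls_proxy_open(), which is only safe if nothing between the start of tls_proxy_open() (outside these hunks) and the new `if ((flags & TLS_PROXY_FLAG_PROBE_ONLY) != 0) return (tlsproxy_stream);` touches the peer stream or the props; the attr_print() calls are skipped by the added `break`s, but the earlier part of the function should be checked for any use of the peer stream before the probe return. A comment on the probe function recording that contract (`/* Null peer stream and props: tls_proxy_open() must not use them before the PROBE_ONLY return. */`) would protect future edits. Minor style: `if ((ret = tlsproxy_stream != 0))` reads more clearly as `ret = (tlsproxy_stream != 0); if (ret)`, and the single-use `UNUSED_*` macros could simply be `(VSTREAM *) 0` and `0` at the call.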
@@ -187,6 +188,7 @@ tlsproxy_server.o: ../../include/vbuf.h tlsproxy_server.o: ../../include/vstream.h tlsproxy_server.o: ../../include/vstring.h tlsproxy_server.o: tlsproxy.h +tlsproxy_server.o: tlsproxy_diff.h tlsproxy_server.o: tlsproxy_server.c tlsproxy_server.o: tlsproxy_server.h tlsproxy_state.o: ../../include/argv.h diff --git a/postfix/src/tlsproxy/tlsproxy.c b/postfix/src/tlsproxy/tlsproxy.c index 32951e471..1618b5918 100644 --- a/postfix/src/tlsproxy/tlsproxy.c +++ b/postfix/src/tlsproxy/tlsproxy.c @@ -288,9 +288,6 @@ /* .IP "\fBtlsproxy_client_loglevel ($smtp_tls_loglevel)\fR" /* Enable additional Postfix \fBtlsproxy\fR(8) client logging of TLS /* activity. -/* .IP "\fBtlsproxy_client_loglevel_parameter (smtp_tls_loglevel)\fR" -/* The name of the parameter that provides the tlsproxy_client_loglevel -/* value. /* .IP "\fBtlsproxy_client_scert_verifydepth ($smtp_tls_scert_verifydepth)\fR" /* The verification depth for remote TLS server certificates. /* .IP "\fBtlsproxy_client_use_tls ($smtp_use_tls)\fR" @@ -543,6 +540,12 @@ bool var_tlsp_clnt_enforce_tls; char *var_tlsp_clnt_per_site; char *var_tlsp_clnt_policy; + /* + * TODO(wietse): simplify role state management. + */ +static bool tlsp_server_role_ready; +static bool tlsp_client_role_ready; + /* * The code that implements the TLS engine looks simpler than expected. That * is the result of a great deal of effort, mainly in design and analysis. @@ -1181,6 +1184,10 @@ static void tlsp_get_request_event(int event, void *context) switch (req_flags & (TLS_PROXY_FLAG_ROLE_CLIENT | TLS_PROXY_FLAG_ROLE_SERVER)) { case TLS_PROXY_FLAG_ROLE_CLIENT: state->is_server_role = 0; + if (req_flags & TLS_PROXY_FLAG_PROBE_ONLY) { + ready = tlsp_client_role_ready; + break; + } if (attr_scan(plaintext_stream, ATTR_FLAG_STRICT, RECV_ATTR_FUNC(tls_proxy_client_param_scan, (void *) &state->client_params), 
@@ -1199,9 +1206,25 @@ static void tlsp_get_request_event(int event, void *context) break; case TLS_PROXY_FLAG_ROLE_SERVER: state->is_server_role = 1; - ready = (tlsp_server_ctx != 0); - if (server_role_disabled) - msg_warn("%s", server_role_disabled); + if (req_flags & TLS_PROXY_FLAG_PROBE_ONLY) { + ready = tlsp_server_role_ready; + break; + } + if (attr_scan(plaintext_stream, ATTR_FLAG_STRICT, + RECV_ATTR_FUNC(tls_proxy_server_param_scan, + (void *) &state->server_params), + RECV_ATTR_FUNC(tls_proxy_server_init_scan, + (void *) &state->server_init_props), + RECV_ATTR_FUNC(tls_proxy_server_start_scan, + (void *) &state->server_start_props), + ATTR_TYPE_END) != 3) { + msg_warn("%s: receive server TLS settings: %m", myname); + tlsp_state_free(state); + return; + } + state->appl_state = tlsp_server_init(state->server_params, + state->server_init_props); + ready = state->appl_state != 0; break; default: state->is_server_role = 0; @@ -1220,6 +1243,7 @@ static void tlsp_get_request_event(int event, void *context) SEND_ATTR_INT(MAIL_ATTR_STATUS, ready), ATTR_TYPE_END) != 0 || vstream_fflush(plaintext_stream) != 0 + || (req_flags & TLS_PROXY_FLAG_PROBE_ONLY) || ready == 0) { tlsp_request_read_event(plaintext_fd, tlsp_close_event, TLSP_INIT_TIMEOUT, (void *) state); @@ -1281,8 +1305,8 @@ static void pre_jail_init(char *unused_name, char **unused_argv) /* * Initialize roles separately. */ - pre_jail_init_server(); - tlsp_pre_jail_client_init(); + tlsp_server_role_ready = pre_jail_init_server(); + tlsp_client_role_ready = tlsp_pre_jail_client_init(); } MAIL_VERSION_STAMP_DECLARE; 
@@ -1398,7 +1422,6 @@ int main(int argc, char **argv) VAR_TLSP_TLS_LOGLEVEL, DEF_TLSP_TLS_LOGLEVEL, &var_tlsp_tls_loglevel, 0, 0, VAR_TLSP_TLS_LEVEL, DEF_TLSP_TLS_LEVEL, &var_tlsp_tls_level, 0, 0, VAR_TLSP_CLNT_LOGLEVEL, DEF_TLSP_CLNT_LOGLEVEL, &var_tlsp_clnt_loglevel, 0, 0, - VAR_TLSP_CLNT_LOGPARAM, DEF_TLSP_CLNT_LOGPARAM, &var_tlsp_clnt_logparam, 0, 0, VAR_TLSP_CLNT_CHAIN_FILES, DEF_TLSP_CLNT_CHAIN_FILES, &var_tlsp_clnt_chain_files, 0, 0, VAR_TLSP_CLNT_CERT_FILE, DEF_TLSP_CLNT_CERT_FILE, &var_tlsp_clnt_cert_file, 0, 0, VAR_TLSP_CLNT_KEY_FILE, DEF_TLSP_CLNT_KEY_FILE, &var_tlsp_clnt_key_file, 0, 0, diff --git a/postfix/src/tlsproxy/tlsproxy_client.c b/postfix/src/tlsproxy/tlsproxy_client.c index cb638b3f7..535cb1477 100644 --- a/postfix/src/tlsproxy/tlsproxy_client.c +++ b/postfix/src/tlsproxy/tlsproxy_client.c @@ -6,7 +6,7 @@ /* SYNOPSIS /* #include /* -/* void tlsp_pre_jail_client_init(void) +/* bool tlsp_pre_jail_client_init(void) /* /* TLS_APPL_STATE *tlsp_client_init( /* TLS_CLIENT_PARAMS *tls_params, @@ -16,10 +16,11 @@ /* DESCRIPTION /* This module implements TLS proxy client role support. /* -/* tlsp_pre_jail_client_init() saves a copy of serialized -/* TLS_CLIENT_PARAMS and TLS_CLIENT_INIT_PROPS based on configuration -/* parameter settings. These will be used as a reference when -/* receiving a request for the client role. +/* tlsp_pre_jail_client_init() creates an SSL context based on local +/* tlsproxy(8) client configuration, and populates TLS_CLIENT_PARAMS +/* and TLS_CLIENT_INIT_PROPS objects that will be used as a reference +/* when receiving a remote request for the client role. The result +/* is true if successful. /* /* tlsp_client_init() processes a request for the TLS proxy client /* role. If the request has not been seen before it checks the 
@@ -29,8 +30,7 @@ /* /* tlsp_client_start_pre_handshake() requests the tls_client_start() /* handshake. It returns TLSP_STAT_OK when the request succeeds. -/* Otherwise, it returns TLSP_STAT_ERR and state becomes a dangling -/* pointer. +/* Otherwise, it destroys the state and returns TLSP_STAT_ERR. /* DIAGNOSTICS /* Problems and transactions are logged to \fBsyslogd\fR(8) /* or \fBpostlogd\fR(8). @@ -131,6 +131,7 @@ TLS_APPL_STATE *tlsp_client_init(TLS_CLIENT_PARAMS *tls_params, VSTRING *init_buf; char *init_key; int log_hints = 0; + const char *saved_log_param; /* * Use one TLS_APPL_STATE object for all requests that specify the same @@ -141,13 +142,21 @@ TLS_APPL_STATE *tlsp_client_init(TLS_CLIENT_PARAMS *tls_params, * First, compute the TLS_APPL_STATE cache lookup key. Save a copy of the * pre-jail request TLS_CLIENT_PARAMS and TLSPROXY_CLIENT_INIT_PROPS * settings, so that we can detect post-jail requests that do not match. + * + * For TLS_APPL_STATE cache lookup, ignore harmless differences in + * xxx_tls_loglevel parameter names. They don't affect program behavior. */ param_buf = vstring_alloc(100); param_key = tls_proxy_client_param_serialize(attr_print_plain, param_buf, tls_params); + init_buf = vstring_alloc(100); + saved_log_param = init_props->log_param; + init_props->log_param = "dummy"; init_key = tls_proxy_client_init_serialize(attr_print_plain, init_buf, init_props); + init_props->log_param = saved_log_param; + #define TLSP_CLIENT_INIT_RETURN(retval) do { \ vstring_free(init_buf); \ vstring_free(param_buf); \ 
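Review bot: Computing the cache key by temporarily writing `init_props->log_param = "dummy"` and restoring `saved_log_param` afterwards mutates the caller's object for the duration of tls_proxy_client_init_serialize(), so if that call could ever exit early or longjmp the caller would be left with log_param pointing at a string literal; the same pattern is introduced in tlsp_server_init() in tlsproxy_server.c. A local copy avoids the mutate-and-restore dance: `TLS_CLIENT_INIT_PROPS key_props = *init_props; key_props.log_param = "dummy";` and serialize `&key_props` instead, assuming the struct is a plain aggregate of scalars and pointers. That also removes the `saved_log_param` local added in the previous hunk.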
@@ -256,10 +265,22 @@ TLS_APPL_STATE *tlsp_client_init(TLS_CLIENT_PARAMS *tls_params, /* tlsp_pre_jail_client_init - pre-jail initialization */ -void tlsp_pre_jail_client_init(void) +bool tlsp_pre_jail_client_init(void) { int clnt_use_tls; + /* + * TODO(wietse): simplify module initialization state and module error + * state. + */ + bool ret = false; + + /* + * Sanity check. + */ + if (tlsp_pre_jail_client_done) + msg_panic("%s: multiple calls", __func__); + /* * The cache with TLS_APPL_STATE instances for different TLS_CLIENT_INIT * configurations. @@ -355,7 +376,7 @@ void tlsp_pre_jail_client_init(void) */ (void) tls_proxy_client_param_from_config(&tls_params); (void) TLS_CLIENT_INIT_ARGS(&init_props, - log_param = var_tlsp_clnt_logparam, + log_param = VAR_TLSP_CLNT_LOGLEVEL, log_level = var_tlsp_clnt_loglevel, verifydepth = var_tlsp_clnt_scert_vd, cache_type = TLS_MGR_SCACHE_SMTP, @@ -371,6 +392,8 @@ void tlsp_pre_jail_client_init(void) mdalg = var_tlsp_clnt_fpt_dgst); if (tlsp_client_init(&tls_params, &init_props) == 0) msg_warn("TLS client initialization failed"); + else + ret = true; } /* @@ -384,6 +407,8 @@ void tlsp_pre_jail_client_init(void) * explicit. */ tlsp_pre_jail_client_done = 1; + + return (ret); } #endif diff --git a/postfix/src/tlsproxy/tlsproxy_client.h b/postfix/src/tlsproxy/tlsproxy_client.h index ed15197cf..67cc31e24 100644 --- a/postfix/src/tlsproxy/tlsproxy_client.h +++ b/postfix/src/tlsproxy/tlsproxy_client.h @@ -22,7 +22,7 @@ */ #include -extern void tlsp_pre_jail_client_init(void); +extern bool tlsp_pre_jail_client_init(void); extern TLS_APPL_STATE *tlsp_client_init(TLS_CLIENT_PARAMS *, TLS_CLIENT_INIT_PROPS *); extern int tlsp_client_start_pre_handshake(TLSP_STATE *); diff --git a/postfix/src/tlsproxy/tlsproxy_server.c b/postfix/src/tlsproxy/tlsproxy_server.c index c733bcbbb..c07ad47bf 100644 --- a/postfix/src/tlsproxy/tlsproxy_server.c +++ b/postfix/src/tlsproxy/tlsproxy_server.c 
@@ -6,36 +6,33 @@ /* SYNOPSIS /* #include /* -/* void pre_jail_init_server(void) -/*Begin TODO +/* bool pre_jail_init_server(void) +/* /* TLS_APPL_STATE *tlsp_server_init( /* TLS_SERVER_PARAMS *tls_params, /* TLS_SERVER_INIT_PROPS *init_props) -/*End TODO +/* /* int tlsp_server_start_pre_handshake(TLSP_STATE *state) /* DESCRIPTION /* This module implements TLS proxy server role support. The legacy /* implementation uses the same tlsproxy(8) configuration for all /* tls_server_init() and tls_server_start() calls. /* -/* pre_jail_init_server() creates an SSL context based on tlsproxy(8) -/* server configuration. -/*Begin TODO -/* A future version will save a copy of serialized TLS_SERVER_PARAMS -/* and TLS_SERVER_INIT_PROPS based on tlsproxy(8) server -/* configuration. These will be used as a reference when receiving -/* a request for the server role. +/* pre_jail_init_server() creates an SSL context based on local +/* tlsproxy(8) server configuration, and creates TLS_SERVER_PARAMS +/* and TLS_SERVER_INIT_PROPS objects that will be used as a reference +/* when receiving a remote request for the server role. The result +/* is true if successful. /* /* tlsp_server_init() processes a request for the TLS proxy server -/* role. If the request has not been seen before it checks the +/* role. If the request has not been seen before, it checks the /* request for relevant differences that would conflict with /* tlsproxy(8) server configuration. The result is null when TLS /* is not available. -/*End TODO +/* /* tlsp_server_start_pre_handshake() requests the tls_server_start() /* handshake. It returns TLSP_STAT_OK when the request succeeds. -/* Otherwise, it returns TLSP_STAT_ERR and state becomes a dangling -/* pointer. +/* Otherwise, it destroys the state, and returns TLSP_STAT_ERR. /* DIAGNOSTICS /* Problems are logged to \fBsyslogd\fR(8) or \fBpostlogd\fR(8). /* LICENSE @@ -80,6 +77,7 @@ /* * Global library. */ +#include #include /* 
@@ -95,96 +93,213 @@ */ #include #include +#include /* * TLS per-process status. - * - * TODO(wietse) delete externally visible state after tlsp_server_init() is - * implemented. */ -TLS_APPL_STATE *tlsp_server_ctx; -static int ask_client_cert; -const char *server_role_disabled; +static int ask_client_cert; /* move to pre-jail code? */ +static int tlsp_pre_jail_server_done; +static char *tlsp_pre_jail_server_param_key; /* pre-jail global params */ +static char *tlsp_pre_jail_server_init_key; /* pre-jail init props */ + + /* + * TLS per-server status. + */ +static HTABLE *tlsp_server_app_cache; +static BH_TABLE *tlsp_server_params_nag_filter; /* tlsp_server_start_pre_handshake - turn on TLS or force disconnect */ int tlsp_server_start_pre_handshake(TLSP_STATE *state) { - TLS_SERVER_START_PROPS props; - static char *cipher_grade; - static VSTRING *cipher_exclusions; + state->server_start_props->ctx = state->appl_state; + state->server_start_props->fd = state->ciphertext_fd; + state->tls_context = tls_server_start(state->server_start_props); + if (state->tls_context == 0) { + tlsp_state_free(state); + return (TLSP_STAT_ERR); + } /* - * The code in this routine is pasted literally from smtpd(8). I am not - * going to sanitize this because doing so surely will break things in - * unexpected ways. + * XXX Do we care about TLS session rate limits? Good postscreen(8) + * clients will occasionally require the tlsproxy to renew their + * allowlist status, but bad clients hammering the server can suck up + * lots of CPU cycles. Per-client concurrency limits in postscreen(8) + * will divert only naive security "researchers". 
*/ + return (TLSP_STAT_OK); +} + +/* tlsp_server_init - initialize a TLS server engine */ + +TLS_APPL_STATE *tlsp_server_init(TLS_SERVER_PARAMS *tls_params, + TLS_SERVER_INIT_PROPS *init_props) +{ + TLS_APPL_STATE *appl_state; + VSTRING *param_buf; + char *param_key; + VSTRING *init_buf; + char *init_key; + int log_hints = 0; + const char *saved_log_param; /* - * Perform the before-handshake portion of per-session initialization. - * Pass a null VSTREAM to indicate that this program will do the - * ciphertext I/O, not libtls. + * Use one TLS_APPL_STATE object for all requests that specify the same + * TLS_SERVER_INIT_PROPS. Each TLS_APPL_STATE owns an SSL_CTX, which is + * expensive to create. Bug: TLS_SERVER_PARAMS are not used when creating + * a TLS_APPL_STATE instance. * - * The cipher grade and exclusions don't change between sessions. Compute - * just once and cache. + * First, compute the TLS_APPL_STATE cache lookup key. Save a copy of the + * pre-jail request TLS_SERVER_PARAMS and TLSPROXY_SERVER_INIT_PROPS + * settings, so that we can detect post-jail requests that do not match. + * + * For TLS_APPL_STATE cache lookup, ignore harmless differences in + * xxx_tls_loglevel parameter names. They don't affect program behavior. */ -#define ADD_EXCLUDE(vstr, str) \ - do { \ - if (*(str)) \ - vstring_sprintf_append((vstr), "%s%s", \ - VSTRING_LEN(vstr) ? " " : "", (str)); \ + param_buf = vstring_alloc(100); + param_key = tls_proxy_server_param_serialize(attr_print_plain, param_buf, + tls_params); + + init_buf = vstring_alloc(100); + saved_log_param = init_props->log_param; + init_props->log_param = "dummy"; + init_key = tls_proxy_server_init_serialize(attr_print_plain, init_buf, + init_props); + init_props->log_param = saved_log_param; + +#define TLSP_SERVER_INIT_RETURN(retval) do { \ + vstring_free(init_buf); \ + vstring_free(param_buf); \ + return (retval); \ } while (0) - if (cipher_grade == 0) { - cipher_grade = - var_tlsp_enforce_tls ? 
var_tlsp_tls_mand_ciph : var_tlsp_tls_ciph; - cipher_exclusions = vstring_alloc(10); - ADD_EXCLUDE(cipher_exclusions, var_tlsp_tls_excl_ciph); - if (var_tlsp_enforce_tls) - ADD_EXCLUDE(cipher_exclusions, var_tlsp_tls_mand_excl); - if (ask_client_cert) - ADD_EXCLUDE(cipher_exclusions, "aNULL"); + if (tlsp_pre_jail_server_done == 0) { + if (tlsp_pre_jail_server_param_key == 0 + || tlsp_pre_jail_server_init_key == 0) { + tlsp_pre_jail_server_param_key = mystrdup(param_key); + tlsp_pre_jail_server_init_key = mystrdup(init_key); + } else if (strcmp(tlsp_pre_jail_server_param_key, param_key) != 0 + || strcmp(tlsp_pre_jail_server_init_key, init_key) != 0) { + msg_panic("tlsp_server_init: too many pre-jail calls"); + } } - state->tls_context = - TLS_SERVER_START(&props, - ctx = tlsp_server_ctx, - stream = (VSTREAM *) 0,/* unused */ - fd = state->ciphertext_fd, - timeout = 0, /* unused */ - requirecert = (var_tlsp_tls_req_ccert - && var_tlsp_enforce_tls), - enable_rpk = var_tlsp_tls_enable_rpk, - serverid = state->server_id, - namaddr = state->remote_endpt, - cipher_grade = cipher_grade, - cipher_exclusions = STR(cipher_exclusions), - mdalg = var_tlsp_tls_fpt_dgst); - if (state->tls_context == 0) { - tlsp_state_free(state); - return (TLSP_STAT_ERR); + /* + * Log a warning if a post-jail request uses unexpected TLS_SERVER_PARAMS + * settings. Bug: TLS_SERVER_PARAMS settings are not used when creating a + * TLS_APPL_STATE instance; this makes a mismatch of TLS_SERVER_PARAMS + * settings problematic. 
+ */ + else if (tlsp_pre_jail_server_param_key == 0 + || tlsp_pre_jail_server_init_key == 0) { + msg_warn("TLS server role is disabled by configuration"); + TLSP_SERVER_INIT_RETURN(0); + } else if (!been_here_fixed(tlsp_server_params_nag_filter, param_key) + && strcmp(tlsp_pre_jail_server_param_key, param_key) != 0) { + msg_warn("request from tlsproxy client with unexpected settings"); + tlsp_log_config_diff(tlsp_pre_jail_server_param_key, param_key); + log_hints = 1; } /* - * XXX Do we care about TLS session rate limits? Good postscreen(8) - * clients will occasionally require the tlsproxy to renew their - * allowlist status, but bad clients hammering the server can suck up - * lots of CPU cycles. Per-client concurrency limits in postscreen(8) - * will divert only naive security "researchers". + * Look up the cached TLS_APPL_STATE for this tls_server_init request. */ - return (TLSP_STAT_OK); + if ((appl_state = (TLS_APPL_STATE *) + htable_find(tlsp_server_app_cache, init_key)) == 0) { + + /* + * Before creating a TLS_APPL_STATE instance, log a warning if a + * post-jail request differs from the saved pre-jail request AND the + * post-jail request specifies file/directory pathname arguments. + * Unexpected requests containing pathnames are problematic after + * chroot (pathname resolution) and after dropping privileges (key + * files must be root read-only). Unexpected requests are not a + * problem as long as they contain no pathnames (for example a + * tls_loglevel change). + * + * We could eliminate some of this complication by adding code that + * opens a cert/key lookup table at pre-jail time, and by reading + * cert/key info on-the-fly from that table. But then all requests + * would still have to specify the same table. 
+ */ +#define NOT_EMPTY(x) ((x) && *(x)) + + if (tlsp_pre_jail_server_done + && strcmp(tlsp_pre_jail_server_init_key, init_key) != 0 + && (NOT_EMPTY(init_props->chain_files) + || NOT_EMPTY(init_props->cert_file) + || NOT_EMPTY(init_props->key_file) + || NOT_EMPTY(init_props->dcert_file) + || NOT_EMPTY(init_props->dkey_file) + || NOT_EMPTY(init_props->eccert_file) + || NOT_EMPTY(init_props->eckey_file) + || NOT_EMPTY(init_props->CAfile) + || NOT_EMPTY(init_props->CApath))) { + msg_warn("request from tlsproxy server with unexpected settings"); + tlsp_log_config_diff(tlsp_pre_jail_server_init_key, init_key); + log_hints = 1; + } + } + if (log_hints) + msg_warn("to avoid this warning, 1) identify the tlsproxy " + "server that is making this request, 2) configure " + "a custom tlsproxy service with settings that " + "match that tlsproxy server, and 3) configure " + "that tlsproxy server with a tlsproxy_service_name " + "setting that resolves to that custom tlsproxy " + "service"); + + /* + * TLS_APPL_STATE creation may fail when a post-jail request specifies + * unexpected cert/key information, but that is OK because we already + * logged a warning with configuration suggestions. + */ + if (appl_state == 0 && (appl_state = tls_server_init(init_props)) != 0) { + (void) htable_enter(tlsp_server_app_cache, init_key, + (void *) appl_state); + + /* + * To maintain sanity, allow partial SSL_write() operations, and + * allow SSL_write() buffer pointers to change after a WANT_READ or + * WANT_WRITE result. This is based on OpenSSL developers talking on + * a mailing list, but is not supported by documentation. If this + * code stops working then no-one can be held responsible. 
+ */ + SSL_CTX_set_mode(appl_state->ssl_ctx, + SSL_MODE_ENABLE_PARTIAL_WRITE + | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); + } + TLSP_SERVER_INIT_RETURN(appl_state); } /* pre_jail_init_server - pre-jail initialization */ -void pre_jail_init_server(void) +bool pre_jail_init_server(void) { - TLS_SERVER_INIT_PROPS props; const char *cert_file; int have_server_cert; int no_server_cert_ok; int require_server_cert; + /* + * TODO(wietse): simplify module initialization state and module error + * state (too many booleans). + */ + bool ret = false; + + /* + * Sanity check. + */ + if (tlsp_pre_jail_server_done) + msg_panic("%s: multiple calls", __func__); + + /* + * The cache with TLS_APPL_STATE instances for different TLS_CLIENT_INIT + * configurations. + */ + tlsp_server_app_cache = htable_create(10); + /* * The code in this routine is pasted literally from smtpd(8). I am not * going to sanitize this because doing so surely will break things in @@ -216,8 +331,8 @@ void pre_jail_init_server(void) } var_tlsp_use_tls = var_tlsp_use_tls || var_tlsp_enforce_tls; if (!var_tlsp_use_tls) { - server_role_disabled = "TLS server role is disabled by configuration"; - return; + tlsp_pre_jail_server_done = 1; + return (false); } /* @@ -258,6 +373,8 @@ void pre_jail_init_server(void) msg_warn("Can't require client certs unless TLS is required"); /* After a show-stopper error, log a warning. */ if (have_server_cert || (no_server_cert_ok && !require_server_cert)) { + TLS_SERVER_PARAMS tls_params; + TLS_SERVER_INIT_PROPS init_props; tls_pre_jail_init(TLS_ROLE_SERVER); 
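Review bot: tlsp_server_start_pre_handshake() now sets only `ctx` and `fd` on the received `state->server_start_props` before tls_server_start(), whereas the code it replaces passed `stream = (VSTREAM *) 0` and `timeout = 0` explicitly; the remote start props carry the client's `timeout` (smtpd sends var_smtpd_starttls_tmout) and a `stream` that presumably comes back null from tls_proxy_server_start_scan(), since a VSTREAM cannot be serialized, but nothing in this hunk guarantees it. An explicit `state->server_start_props->stream = (VSTREAM *) 0;` next to the two assignments, or a comment stating that the scan leaves it null, would keep the "tlsproxy does the ciphertext I/O, not libtls" contract visible. Also, the comment in pre_jail_init_server() above `tlsp_server_app_cache = htable_create(10);` was copied from the client module and still says `TLS_CLIENT_INIT configurations`; it should read `TLS_SERVER_INIT configurations`.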
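Review bot: The early `return (false)` added for `!var_tlsp_use_tls` sets `tlsp_pre_jail_server_done = 1` but returns before `tlsp_server_params_nag_filter = been_here_init(...)` at the end of the function (a later hunk), so the filter stays null in that configuration. This is safe today only because a post-jail tlsp_server_init() takes the `TLS server role is disabled by configuration` branch first (the pre-jail keys are never set on this path) and never reaches `been_here_fixed(tlsp_server_params_nag_filter, ...)`; that ordering dependency is easy to break. Creating the filter next to `tlsp_server_app_cache = htable_create(10);` at the top of pre_jail_init_server(), before any return, removes the dependency.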
@@ -265,47 +382,53 @@ void pre_jail_init_server(void) * Large parameter lists are error-prone, so we emulate a language * feature that C does not have natively: named parameter lists. */ - tlsp_server_ctx = - TLS_SERVER_INIT(&props, - log_param = VAR_TLSP_TLS_LOGLEVEL, - log_level = var_tlsp_tls_loglevel, - verifydepth = var_tlsp_tls_ccert_vd, - cache_type = TLS_MGR_SCACHE_SMTPD, - set_sessid = var_tlsp_tls_set_sessid, - chain_files = var_tlsp_tls_chain_files, - cert_file = cert_file, - key_file = var_tlsp_tls_key_file, - dcert_file = var_tlsp_tls_dcert_file, - dkey_file = var_tlsp_tls_dkey_file, - eccert_file = var_tlsp_tls_eccert_file, - eckey_file = var_tlsp_tls_eckey_file, - CAfile = var_tlsp_tls_CAfile, - CApath = var_tlsp_tls_CApath, - dh1024_param_file - = var_tlsp_tls_dh1024_param_file, - dh512_param_file - = var_tlsp_tls_dh512_param_file, - eecdh_grade = var_tlsp_tls_eecdh, - protocols = var_tlsp_enforce_tls ? - var_tlsp_tls_mand_proto : - var_tlsp_tls_proto, - ask_ccert = ask_client_cert, - mdalg = var_tlsp_tls_fpt_dgst); + (void) tls_proxy_server_param_from_config(&tls_params); + (void) TLS_SERVER_INIT_ARGS(&init_props, + log_param = VAR_TLSP_TLS_LOGLEVEL, + log_level = var_tlsp_tls_loglevel, + verifydepth = var_tlsp_tls_ccert_vd, + cache_type = TLS_MGR_SCACHE_SMTPD, + set_sessid = var_tlsp_tls_set_sessid, + chain_files = var_tlsp_tls_chain_files, + cert_file = cert_file, + key_file = var_tlsp_tls_key_file, + dcert_file = var_tlsp_tls_dcert_file, + dkey_file = var_tlsp_tls_dkey_file, + eccert_file = var_tlsp_tls_eccert_file, + eckey_file = var_tlsp_tls_eckey_file, + CAfile = var_tlsp_tls_CAfile, + CApath = var_tlsp_tls_CApath, + dh1024_param_file + = var_tlsp_tls_dh1024_param_file, + dh512_param_file + = var_tlsp_tls_dh512_param_file, + eecdh_grade = var_tlsp_tls_eecdh, + protocols = var_tlsp_enforce_tls ? 
+ var_tlsp_tls_mand_proto : + var_tlsp_tls_proto, + ask_ccert = ask_client_cert, + mdalg = var_tlsp_tls_fpt_dgst); + if (tlsp_server_init(&tls_params, &init_props) == 0) + msg_warn("TLS server initialization failed"); + else + ret = true; } else { msg_warn("No server certs available. TLS can't be enabled"); } /* - * To maintain sanity, allow partial SSL_write() operations, and allow - * SSL_write() buffer pointers to change after a WANT_READ or WANT_WRITE - * result. This is based on OpenSSL developers talking on a mailing list, - * but is not supported by documentation. If this code stops working then - * no-one can be held responsible. + * Bug: TLS_SERVER_PARAMS attributes are not used when creating a + * TLS_APPL_STATE instance; we can only warn about attribute mismatches. */ - if (tlsp_server_ctx) - SSL_CTX_set_mode(tlsp_server_ctx->ssl_ctx, - SSL_MODE_ENABLE_PARTIAL_WRITE - | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); + tlsp_server_params_nag_filter = been_here_init(BH_BOUND_NONE, BH_FLAG_NONE); + + /* + * Any of the static global variables would suffice, but this is more + * explicit. + */ + tlsp_pre_jail_server_done = 1; + + return (ret); } #endif diff --git a/postfix/src/tlsproxy/tlsproxy_server.h b/postfix/src/tlsproxy/tlsproxy_server.h index f4938d22f..d57940984 100644 --- a/postfix/src/tlsproxy/tlsproxy_server.h +++ b/postfix/src/tlsproxy/tlsproxy_server.h @@ -22,16 +22,10 @@ */ #include -extern void pre_jail_init_server(void); +extern bool pre_jail_init_server(void); extern TLS_APPL_STATE *tlsp_server_init(TLS_SERVER_PARAMS *, TLS_SERVER_INIT_PROPS *); extern int tlsp_server_start_pre_handshake(TLSP_STATE *); - /* - * TODO(wietse): delete these after tlsp_server_init() is implemented. - */ -extern TLS_APPL_STATE *tlsp_server_ctx; -extern const char *server_role_disabled; - /* LICENSE /* .ad /* .fi
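Review bot: `tlsp_server_params_nag_filter` is created only at the bottom of pre_jail_init_server(), so the early `return (false)` for `!var_tlsp_use_tls` earlier in the function (in a previous hunk) leaves it NULL even though `tlsp_server_app_cache` was already created; if any post-jail request consults the filter in that configuration, it dereferences a null pointer. Moving `tlsp_server_params_nag_filter = been_here_init(BH_BOUND_NONE, BH_FLAG_NONE);` up next to `tlsp_server_app_cache = htable_create(10);` makes every exit leave the module in the same state. The `(void)` on `tls_proxy_server_param_from_config(&tls_params)` also discards a return value whose contract is not visible here; if that call can fail, the result should be checked before `tls_params` is handed to tlsp_server_init(). The "Bug:" comment would be more useful if it stated the consequence, e.g. `/* Bug: TLS_SERVER_PARAMS attributes from a request are not applied to the TLS_APPL_STATE; the pre-jail main.cf values win and a mismatch only produces a warning. */`.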
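Review bot: The header changes `pre_jail_init_server()` to return `bool` but does not say what the value means; from the implementation it is true only when a TLS server context was created pre-jail, and false both when the server role is disabled by configuration and when initialization failed, which a caller must know to decide between "proceed without the server role" and "refuse to start". A one-line comment on the declaration, `/* Returns true when the pre-jail TLS server context was created; false when the server role is disabled or initialization failed. */`, would make that contract explicit. The file's single `#include` directive is unreadable in this rendering; if it does not transitively provide `bool`, the header now also needs `#include <stdbool.h>`.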
