Prereq: "3.6.9"
diff -ur --new-file /var/tmp/postfix-3.6.9/src/global/mail_version.h ./src/global/mail_version.h
--- /var/tmp/postfix-3.6.9/src/global/mail_version.h 2023-04-18 16:33:03.000000000 -0400
+++ ./src/global/mail_version.h 2023-06-05 16:28:17.000000000 -0400
@@ -20,8 +20,8 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20230418"
-#define MAIL_VERSION_NUMBER "3.6.9"
+#define MAIL_RELEASE_DATE "20230605"
+#define MAIL_VERSION_NUMBER "3.6.10"
#ifdef SNAPSHOT
#define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
diff -ur --new-file /var/tmp/postfix-3.6.9/HISTORY ./HISTORY
--- /var/tmp/postfix-3.6.9/HISTORY 2023-04-18 15:41:59.000000000 -0400
+++ ./HISTORY 2023-06-05 16:21:24.000000000 -0400
@@ -25896,3 +25896,90 @@
return "not found" instead of "error" during the time that
all MySQL server connections were turned down after error.
Found during code maintenance. File: global/dict_mysql.c.
+
+20230428
+
+ Bugfix (defect introduced: Postfix 1.0): the command "postconf
+ .. name=v1 .. name=v2 .." (multiple instances of the same
+ parameter name) created multiple name=value entries with
+ the same parameter name. It now logs a warning and skips
+ the earlier update. Found during code maintenance. File:
+ postconf/postconf_edit.c
+
+ Bugfix (defect introduced: Postfix 3.3): the command "postconf
+ -M name1/type1='name2 type2 ...'" died with a segmentation
+ violation when the request matched multiple master.cf
+ entries. The master.cf file was not damaged. Problem reported
+ by SATOH Fumiyasu. File: postconf/postconf_master.c.
+
+20230502
+
+ Bugfix (defect introduced: Postfix 2.11): the command
+ "postconf -M name1/type1='name2 type2 ...'" could add a
+ service definition to master.cf that conflicted with an
+ already existing service definition. It now replaces all
+ existing service definitions that match the service pattern
+ 'name1/type1' or the service name and type in 'name2 type2
+ ...' with a single service definition 'name2 type2 ...'.
+ Problem reported by SATOH Fumiyasu. File: postconf/postconf_edit.c.
+
+20230519
+
+ Bitrot: preliminary support for OpenSSL configuration files,
+ primarily OpenSSL 1.1.1b and later. This introduces new
+ parameters "tls_config_file" and "tls_config_name", which
+ can be used to limit collateral damage from OS distributions
+ that crank up security to 11, increasing the number of
+ plaintext email deliveries. Details are in the postconf(5)
+ manpage under "tls_config_file" and "tls_config_name".
+ Viktor Dukhovni. Files: mantools/postlink, proto/postconf.proto,
+ global/mail_params.h, posttls-finger/posttls-finger.c,
+ smtp/smtp.c, smtp/smtp_proto.c, tls/tls_client.c, tls/tls.h,
+ tls/tls_misc.c, tls/tls_proxy_client_print.c,
+ tls/tls_proxy_client_scan.c, tls/tls_proxy.h, tls/tls_server.c,
+ tlsproxy/tlsproxy.c.
+
+20230523
+
+ Cleanup: use TLS_CLIENT_PARAMS to pass the OpensSSL 'init'
+ configurations. This information is independent from the
+ client or server TLS context, and therefore does not belong
+ in tls_*_init() or tls_*_start() calls. The tlsproxy(8)
+ server uses TLS_CLIENT_PARAMS to report differences between
+ its own global TLS settings, and those from its clients.
+ Files: posttls-finger/posttls-finger.c, smtp/smtp.c,
+ smtp/smtp_proto.c, tls/tls.h, tls/tls_proxy_client_misc.c,
+ tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c,
+ tls/tls_proxy.h, tlsproxy/tlsproxy.c.
+
+20230524
+
+ Cleanup: reverted cosmetic-only changes to minimize the
+ patch footprint for OpenSSL INI file support; updated daemon
+ manpages with the new tls_config_file and tls_config_name
+ configuration parameters. Files: smtp/smtp.c, smtpd/smtpd.c,
+ tls/tls_client.c, tls/tls.h, tls/tls_server.c, tlsproxy/tlsproxy.c,
+
+20230529
+
+ Cleanup: made OpenSSL 'default' INI file support error
+ handling consistent with OpenSSL default behavior. Viktor
+ Dukhovni. Files: proto/postconf.proto, tls/tls_misc.c.
+
+20230602
+
+ Backwards compatibility for stable releases that originally
+ had no OpenSSL INI support. Skip the new OpenSSL INI support
+ code, unless the Postfix configuration actually specifies
+ non-default tls_config_xxx settings. File: tls/tls_misc.c.
+
+ Cleanup: added a multiple initialization guard in the
+ tls_library_init() function, and made an initialization
+ error sticky. File: tls/tls_misc.c.
+
+20230605
+
+ Security: new parameter smtpd_forbid_unauth_pipelining
+ (default: no) to disconnect remote SMTP clients that violate
+ RFC 2920 (or 5321) command pipelining constraints. Files:
+ global/mail_params.h, smtpd/smtpd.c, proto/postconf.proto.
diff -ur --new-file /var/tmp/postfix-3.6.9/RELEASE_NOTES ./RELEASE_NOTES
--- /var/tmp/postfix-3.6.9/RELEASE_NOTES 2021-04-29 15:58:33.000000000 -0400
+++ ./RELEASE_NOTES 2023-06-05 17:38:31.000000000 -0400
@@ -25,6 +25,23 @@
the software under the license of their choice. Those who are more
comfortable with the IPL can continue with that license.
+Major changes with Postfix 3.6.10
+=================================
+
+Security: the Postfix SMTP server optionally disconnects remote
+SMTP clients that violate RFC 2920 (or 5321) command pipelining
+constraints. The server replies with "554 5.5.0 Error: SMTP protocol
+synchronization" and logs the unexpected remote SMTP client input.
+Specify "smtpd_forbid_unauth_pipelining = yes" to enable. This
+feature is enabled by default in Postfix 3.9 and later.
+
+Workaround to limit collateral damage from OS distributions that
+crank up security to 11, increasing the number of plaintext email
+deliveries. This introduces basic OpenSSL configuration file support,
+with two new parameters "tls_config_file" and "tls_config_name".
+Details are in the postconf(5) manpage under "tls_config_file" and
+"tls_config_name".
+
Major changes - internal protocol identification
------------------------------------------------
diff -ur --new-file /var/tmp/postfix-3.6.9/html/lmtp.8.html ./html/lmtp.8.html
--- /var/tmp/postfix-3.6.9/html/lmtp.8.html 2021-04-18 18:07:10.000000000 -0400
+++ ./html/lmtp.8.html 2023-06-05 10:41:20.000000000 -0400
@@ -668,6 +668,15 @@
A workaround for implementations that hang Postfix while shut-
ting down a TLS session, until Postfix times out.
+ Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+
+ <b><a href="postconf.5.html#tls_config_file">tls_config_file</a> (default)</b>
+ Optional configuration file with baseline OpenSSL settings.
+
+ <b><a href="postconf.5.html#tls_config_name">tls_config_name</a> (empty)</b>
+ The application name passed by Postfix to OpenSSL library ini-
+ tialization functions.
+
<b>OBSOLETE STARTTLS CONTROLS</b>
The following configuration parameters exist for compatibility with
Postfix versions before 2.3. Support for these will be removed in a
diff -ur --new-file /var/tmp/postfix-3.6.9/html/postconf.5.html ./html/postconf.5.html
--- /var/tmp/postfix-3.6.9/html/postconf.5.html 2021-04-29 16:06:39.000000000 -0400
+++ ./html/postconf.5.html 2023-06-05 16:58:05.000000000 -0400
@@ -15298,6 +15298,22 @@
</DD>
+<DT><b><a name="smtpd_forbid_unauth_pipelining">smtpd_forbid_unauth_pipelining</a>
+(default: Postfix ≥ 3.9: yes)</b></DT><DD>
+
+<p> Disconnect remote SMTP clients that violate <a href="http://tools.ietf.org/html/rfc2920">RFC 2920</a> (or 5321)
+command pipelining constraints. The server replies with "554 5.5.0
+Error: SMTP protocol synchronization" and logs the unexpected remote
+SMTP client input. Specify "<a href="postconf.5.html#smtpd_forbid_unauth_pipelining">smtpd_forbid_unauth_pipelining</a> = yes"
+to enable. This feature is enabled by default with Postfix ≥
+3.9. </p>
+
+<p> This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6,
+3.6.10, and 3.5.20. </p>
+
+
+</DD>
+
<DT><b><a name="smtpd_forbidden_commands">smtpd_forbidden_commands</a>
(default: CONNECT, GET, POST)</b></DT><DD>
@@ -18725,6 +18741,113 @@
</DD>
+<DT><b><a name="tls_config_file">tls_config_file</a>
+(default: default)</b></DT><DD>
+
+<p> Optional configuration file with baseline OpenSSL settings.
+OpenSSL loads any SSL settings found in the configuration file for
+the selected application name (see <a href="postconf.5.html#tls_config_name">tls_config_name</a>) or else the
+built-in application name "openssl_conf" when no application name is
+specified, or no corresponding configuration section is present.
+</p>
+
+<p> With OpenSSL releases 1.1.1 and 1.1.1a, applications (including
+Postfix) can neither specify an alternative configuration file, nor
+avoid loading the default configuration file. </p>
+
+<p> With OpenSSL 1.1.1b or later, this parameter may be set to one of:
+</p>
+
+<dl>
+
+<dt> <b>default</b> (default) </dt> <dd> Load the system-wide
+"openssl.cnf" configuration file. </dd>
+
+<dt> <b>none</b> (recommended, OpenSSL 1.1.1b or later only) </dt>
+<dd> This setting disables loading of the system-wide "openssl.cnf"
+file. </dd>
+
+<dt> <b><i>/absolute-path</i></b> (OpenSSL 1.1.1b or later only) </dt>
+<dd> Load the configuration file specified by <i>/absolute-path</i>.
+With this setting it is an error for the file to not contain any
+settings for the selected <a href="postconf.5.html#tls_config_name">tls_config_name</a>. There is no fallback to
+the default "openssl_conf" name. </dd>
+
+</dl>
+
+<p> Failures in processing of the built-in default configuration file,
+are silently ignored. Any errors in loading a non-default configuration
+file are detected by Postfix, and cause TLS support to be disabled.
+</p>
+
+<p> The OpenSSL configuration file format is not documented here,
+beyond giving two examples. <p>
+
+<p> Example: Default settings for all applications. </p>
+
+<blockquote>
+<pre>
+# The name 'openssl_conf' is the default application name
+# The section name to the right of the '=' sign is arbitrary,
+# any name will do, so long as it refers to the desired section.
+#
+# The name 'system_default' selects the settings applied internally
+# by the SSL library as part of SSL object creation. Applications
+# can then apply any additional settings of their choice.
+#
+# In this example, TLS versions prior to 1.2 are disabled by default.
+#
+openssl_conf = system_wide_settings
+[system_wide_settings]
+ssl_conf = ssl_library_settings
+[ssl_library_settings]
+system_default = initial_ssl_settings
+[initial_ssl_settings]
+MinProtocol = TLSv1.2
+</pre>
+</blockquote>
+
+<p> Example: Custom settings for an application named "postfix". </p>
+
+<blockquote>
+<pre>
+# The mapping from an application name to the corresponding configuration
+# section must appear near the top of the file, (in what is sometimes called
+# the "default section") prior to the start of any explicitly named
+# "[sections]". The named sections can appear in any order and don't nest.
+#
+postfix = postfix_settings
+[postfix_settings]
+ssl_conf = postfix_ssl_settings
+[postfix_ssl_settings]
+system_default = baseline_postfix_settings
+[baseline_postfix_settings]
+MinProtocol = TLSv1
+</pre>
+</blockquote>
+
+<p> This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6,
+3.6.10, and 3.5.20. </p>
+
+
+</DD>
+
+<DT><b><a name="tls_config_name">tls_config_name</a>
+(default: empty)</b></DT><DD>
+
+<p> The application name passed by Postfix to OpenSSL library
+initialization functions. This name is used to select the desired
+configuration "section" in the OpenSSL configuration file specified
+via the <a href="postconf.5.html#tls_config_file">tls_config_file</a> parameter. When empty, or when the
+selected name is not present in the configuration file, the default
+application name ("openssl_conf") is used as a fallback. </p>
+
+<p> This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6,
+3.6.10, and 3.5.20. </p>
+
+
+</DD>
+
<DT><b><a name="tls_daemon_random_bytes">tls_daemon_random_bytes</a>
(default: 32)</b></DT><DD>
diff -ur --new-file /var/tmp/postfix-3.6.9/html/smtp.8.html ./html/smtp.8.html
--- /var/tmp/postfix-3.6.9/html/smtp.8.html 2021-04-18 18:07:10.000000000 -0400
+++ ./html/smtp.8.html 2023-06-05 10:41:20.000000000 -0400
@@ -668,6 +668,15 @@
A workaround for implementations that hang Postfix while shut-
ting down a TLS session, until Postfix times out.
+ Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+
+ <b><a href="postconf.5.html#tls_config_file">tls_config_file</a> (default)</b>
+ Optional configuration file with baseline OpenSSL settings.
+
+ <b><a href="postconf.5.html#tls_config_name">tls_config_name</a> (empty)</b>
+ The application name passed by Postfix to OpenSSL library ini-
+ tialization functions.
+
<b>OBSOLETE STARTTLS CONTROLS</b>
The following configuration parameters exist for compatibility with
Postfix versions before 2.3. Support for these will be removed in a
diff -ur --new-file /var/tmp/postfix-3.6.9/html/smtpd.8.html ./html/smtpd.8.html
--- /var/tmp/postfix-3.6.9/html/smtpd.8.html 2022-02-05 18:24:58.000000000 -0500
+++ ./html/smtpd.8.html 2023-06-05 16:30:31.000000000 -0400
@@ -619,6 +619,15 @@
The email address form that will be used in non-debug logging
(info, warning, etc.).
+ Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+
+ <b><a href="postconf.5.html#tls_config_file">tls_config_file</a> (default)</b>
+ Optional configuration file with baseline OpenSSL settings.
+
+ <b><a href="postconf.5.html#tls_config_name">tls_config_name</a> (empty)</b>
+ The application name passed by Postfix to OpenSSL library ini-
+ tialization functions.
+
<b>OBSOLETE STARTTLS CONTROLS</b>
The following configuration parameters exist for compatibility with
Postfix versions before 2.3. Support for these will be removed in a
@@ -921,6 +930,12 @@
to send to this service per time unit, regardless of whether or
not Postfix actually accepts those commands.
+ Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+
+ <b><a href="postconf.5.html#smtpd_forbid_unauth_pipelining">smtpd_forbid_unauth_pipelining</a> (Postfix</b> ><b>= 3.9: yes)</b>
+ Disconnect remote SMTP clients that violate <a href="https://tools.ietf.org/html/rfc2920">RFC 2920</a> (or 5321)
+ command pipelining constraints.
+
<b>TARPIT CONTROLS</b>
When a remote SMTP client makes errors, the Postfix SMTP server can
insert delays before responding. This can help to slow down run-away
diff -ur --new-file /var/tmp/postfix-3.6.9/html/tlsproxy.8.html ./html/tlsproxy.8.html
--- /var/tmp/postfix-3.6.9/html/tlsproxy.8.html 2021-02-16 19:32:55.000000000 -0500
+++ ./html/tlsproxy.8.html 2023-06-05 10:44:55.000000000 -0400
@@ -150,6 +150,15 @@
A workaround for implementations that hang Postfix while shut-
ting down a TLS session, until Postfix times out.
+ Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+
+ <b><a href="postconf.5.html#tls_config_file">tls_config_file</a> (default)</b>
+ Optional configuration file with baseline OpenSSL settings.
+
+ <b><a href="postconf.5.html#tls_config_name">tls_config_name</a> (empty)</b>
+ The application name passed by Postfix to OpenSSL library ini-
+ tialization functions.
+
<b>STARTTLS SERVER CONTROLS</b>
These settings are clones of Postfix SMTP server settings. They allow
<a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> to load the same certificate and private key information as
diff -ur --new-file /var/tmp/postfix-3.6.9/man/man5/postconf.5 ./man/man5/postconf.5
--- /var/tmp/postfix-3.6.9/man/man5/postconf.5 2021-04-18 16:57:07.000000000 -0400
+++ ./man/man5/postconf.5 2023-06-05 16:58:05.000000000 -0400
@@ -10412,6 +10412,16 @@
parameter $name expansion.
.PP
This feature is available in Postfix 2.0 and later.
+.SH smtpd_forbid_unauth_pipelining (default: Postfix >= 3.9: yes)
+Disconnect remote SMTP clients that violate RFC 2920 (or 5321)
+command pipelining constraints. The server replies with "554 5.5.0
+Error: SMTP protocol synchronization" and logs the unexpected remote
+SMTP client input. Specify "smtpd_forbid_unauth_pipelining = yes"
+to enable. This feature is enabled by default with Postfix >=
+3.9.
+.PP
+This feature is available in Postfix >= 3.9, 3.8.1, 3.7.6,
+3.6.10, and 3.5.20.
.SH smtpd_forbidden_commands (default: CONNECT, GET, POST)
List of commands that cause the Postfix SMTP server to immediately
terminate the session with a 221 code. This can be used to disconnect
@@ -13122,6 +13132,104 @@
2.7.2 and later versions. Specify "tls_append_default_CA = yes" for
backwards compatibility, to avoid breaking certificate verification
with sites that don't use permit_tls_all_clientcerts.
+.SH tls_config_file (default: default)
+Optional configuration file with baseline OpenSSL settings.
+OpenSSL loads any SSL settings found in the configuration file for
+the selected application name (see tls_config_name) or else the
+built\-in application name "openssl_conf" when no application name is
+specified, or no corresponding configuration section is present.
+.PP
+With OpenSSL releases 1.1.1 and 1.1.1a, applications (including
+Postfix) can neither specify an alternative configuration file, nor
+avoid loading the default configuration file.
+.PP
+With OpenSSL 1.1.1b or later, this parameter may be set to one of:
+.IP "\fBdefault\fR (default)"
+Load the system\-wide
+"openssl.cnf" configuration file.
+.br
+.IP "\fBnone\fR (recommended, OpenSSL 1.1.1b or later only)"
+This setting disables loading of the system\-wide "openssl.cnf"
+file.
+.br
+.IP "\fB\fI/absolute\-path\fR\fR (OpenSSL 1.1.1b or later only)"
+Load the configuration file specified by \fI/absolute\-path\fR.
+With this setting it is an error for the file to not contain any
+settings for the selected tls_config_name. There is no fallback to
+the default "openssl_conf" name.
+.br
+.br
+.PP
+Failures in processing of the built\-in default configuration file,
+are silently ignored. Any errors in loading a non\-default configuration
+file are detected by Postfix, and cause TLS support to be disabled.
+.PP
+The OpenSSL configuration file format is not documented here,
+beyond giving two examples.
+.PP
+Example: Default settings for all applications.
+.sp
+.in +4
+.nf
+.na
+.ft C
+# The name 'openssl_conf' is the default application name
+# The section name to the right of the '=' sign is arbitrary,
+# any name will do, so long as it refers to the desired section.
+#
+# The name 'system_default' selects the settings applied internally
+# by the SSL library as part of SSL object creation. Applications
+# can then apply any additional settings of their choice.
+#
+# In this example, TLS versions prior to 1.2 are disabled by default.
+#
+openssl_conf = system_wide_settings
+[system_wide_settings]
+ssl_conf = ssl_library_settings
+[ssl_library_settings]
+system_default = initial_ssl_settings
+[initial_ssl_settings]
+MinProtocol = TLSv1.2
+.fi
+.ad
+.ft R
+.in -4
+.PP
+Example: Custom settings for an application named "postfix".
+.sp
+.in +4
+.nf
+.na
+.ft C
+# The mapping from an application name to the corresponding configuration
+# section must appear near the top of the file, (in what is sometimes called
+# the "default section") prior to the start of any explicitly named
+# "[sections]". The named sections can appear in any order and don't nest.
+#
+postfix = postfix_settings
+[postfix_settings]
+ssl_conf = postfix_ssl_settings
+[postfix_ssl_settings]
+system_default = baseline_postfix_settings
+[baseline_postfix_settings]
+MinProtocol = TLSv1
+.fi
+.ad
+.ft R
+.in -4
+.PP
+This feature is available in Postfix >= 3.9, 3.8.1, 3.7.6,
+3.6.10, and 3.5.20.
+.SH tls_config_name (default: empty)
+The application name passed by Postfix to OpenSSL library
+initialization functions. This name is used to select the desired
+configuration "section" in the OpenSSL configuration file specified
+via the tls_config_file parameter. When empty, or when the
+selected name is not present in the configuration file, the default
+application name ("openssl_conf") is used as a fallback.
+.PP
+This feature is available in Postfix >= 3.9, 3.8.1, 3.7.6,
+3.6.10, and 3.5.20.
.SH tls_daemon_random_bytes (default: 32)
The number of pseudo\-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8)
process requests from the \fBtlsmgr\fR(8) server in order to seed its
diff -ur --new-file /var/tmp/postfix-3.6.9/man/man8/smtp.8 ./man/man8/smtp.8
--- /var/tmp/postfix-3.6.9/man/man8/smtp.8 2021-04-18 18:07:09.000000000 -0400
+++ ./man/man8/smtp.8 2023-06-05 10:32:57.000000000 -0400
@@ -603,6 +603,13 @@
.IP "\fBtls_fast_shutdown_enable (yes)\fR"
A workaround for implementations that hang Postfix while shutting
down a TLS session, until Postfix times out.
+.PP
+Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+.IP "\fBtls_config_file (default)\fR"
+Optional configuration file with baseline OpenSSL settings.
+.IP "\fBtls_config_name (empty)\fR"
+The application name passed by Postfix to OpenSSL library
+initialization functions.
.SH "OBSOLETE STARTTLS CONTROLS"
.na
.nf
diff -ur --new-file /var/tmp/postfix-3.6.9/man/man8/smtpd.8 ./man/man8/smtpd.8
--- /var/tmp/postfix-3.6.9/man/man8/smtpd.8 2022-02-05 18:24:57.000000000 -0500
+++ ./man/man8/smtpd.8 2023-06-05 16:29:40.000000000 -0400
@@ -548,6 +548,13 @@
.IP "\fBinfo_log_address_format (external)\fR"
The email address form that will be used in non\-debug logging
(info, warning, etc.).
+.PP
+Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+.IP "\fBtls_config_file (default)\fR"
+Optional configuration file with baseline OpenSSL settings.
+.IP "\fBtls_config_name (empty)\fR"
+The application name passed by Postfix to OpenSSL library
+initialization functions.
.SH "OBSOLETE STARTTLS CONTROLS"
.na
.nf
@@ -808,6 +815,11 @@
The maximal number of AUTH commands that any client is allowed to
send to this service per time unit, regardless of whether or not
Postfix actually accepts those commands.
+.PP
+Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+.IP "\fBsmtpd_forbid_unauth_pipelining (Postfix >= 3.9: yes)\fR"
+Disconnect remote SMTP clients that violate RFC 2920 (or 5321)
+command pipelining constraints.
.SH "TARPIT CONTROLS"
.na
.nf
diff -ur --new-file /var/tmp/postfix-3.6.9/man/man8/tlsproxy.8 ./man/man8/tlsproxy.8
--- /var/tmp/postfix-3.6.9/man/man8/tlsproxy.8 2021-02-16 19:32:53.000000000 -0500
+++ ./man/man8/tlsproxy.8 2023-06-05 10:33:30.000000000 -0400
@@ -150,6 +150,13 @@
.IP "\fBtls_fast_shutdown_enable (yes)\fR"
A workaround for implementations that hang Postfix while shutting
down a TLS session, until Postfix times out.
+.PP
+Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+.IP "\fBtls_config_file (default)\fR"
+Optional configuration file with baseline OpenSSL settings.
+.IP "\fBtls_config_name (empty)\fR"
+The application name passed by Postfix to OpenSSL library
+initialization functions.
.SH "STARTTLS SERVER CONTROLS"
.na
.nf
diff -ur --new-file /var/tmp/postfix-3.6.9/mantools/postlink ./mantools/postlink
--- /var/tmp/postfix-3.6.9/mantools/postlink 2021-04-29 16:06:21.000000000 -0400
+++ ./mantools/postlink 2023-06-05 16:21:24.000000000 -0400
@@ -548,6 +548,7 @@
s;\bsmtpd_etrn_restrictions\b;<a href="postconf.5.html#smtpd_etrn_restrictions">$&</a>;g;
s;\bsmtpd_expansion_filter\b;<a href="postconf.5.html#smtpd_expansion_filter">$&</a>;g;
s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bidden_commands\b;<a href="postconf.5.html#smtpd_forbidden_commands">$&</a>;g;
+ s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bid_unauth_pipelining\b;<a href="postconf.5.html#smtpd_forbid_unauth_pipelining">$&</a>;g;
s;\bsmtpd_hard_error_limit\b;<a href="postconf.5.html#smtpd_hard_error_limit">$&</a>;g;
s;\bsmtpd_helo_required\b;<a href="postconf.5.html#smtpd_helo_required">$&</a>;g;
s;\bsmtpd_helo_restrictions\b;<a href="postconf.5.html#smtpd_helo_restrictions">$&</a>;g;
@@ -767,6 +768,8 @@
s;\btls_session_ticket_cipher\b;<a href="postconf.5.html#tls_session_ticket_cipher">$&</a>;g;
s;\btls_server_sni_maps\b;<a href="postconf.5.html#tls_server_sni_maps">$&</a>;g;
s;\btls_ssl_options\b;<a href="postconf.5.html#tls_ssl_options">$&</a>;g;
+ s;\btls_config_name\b;<a href="postconf.5.html#tls_config_name">$&</a>;g;
+ s;\btls_config_file\b;<a href="postconf.5.html#tls_config_file">$&</a>;g;
s;\btls_dane_digest_agility\b;<a href="postconf.5.html#tls_dane_digest_agility">$&</a>;g;
s;\btls_dane_trust_anchor_digest_enable\b;<a href="postconf.5.html#tls_dane_trust_anchor_digest_enable">$&</a>;g;
s;\btls_fast_shutdown_enable\b;<a href="postconf.5.html#tls_fast_shutdown_enable">$&</a>;g;
diff -ur --new-file /var/tmp/postfix-3.6.9/proto/postconf.proto ./proto/postconf.proto
--- /var/tmp/postfix-3.6.9/proto/postconf.proto 2021-04-18 16:56:53.000000000 -0400
+++ ./proto/postconf.proto 2023-06-05 16:21:24.000000000 -0400
@@ -18058,3 +18058,114 @@
name or port number. </p>
<p> This feature is available in Postfix 3.6 and later. </p>
+
+%PARAM tls_config_name
+
+<p> The application name passed by Postfix to OpenSSL library
+initialization functions. This name is used to select the desired
+configuration "section" in the OpenSSL configuration file specified
+via the tls_config_file parameter. When empty, or when the
+selected name is not present in the configuration file, the default
+application name ("openssl_conf") is used as a fallback. </p>
+
+<p> This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6,
+3.6.10, and 3.5.20. </p>
+
+%PARAM tls_config_file default
+
+<p> Optional configuration file with baseline OpenSSL settings.
+OpenSSL loads any SSL settings found in the configuration file for
+the selected application name (see tls_config_name) or else the
+built-in application name "openssl_conf" when no application name is
+specified, or no corresponding configuration section is present.
+</p>
+
+<p> With OpenSSL releases 1.1.1 and 1.1.1a, applications (including
+Postfix) can neither specify an alternative configuration file, nor
+avoid loading the default configuration file. </p>
+
+<p> With OpenSSL 1.1.1b or later, this parameter may be set to one of:
+</p>
+
+<dl>
+
+<dt> <b>default</b> (default) </dt> <dd> Load the system-wide
+"openssl.cnf" configuration file. </dd>
+
+<dt> <b>none</b> (recommended, OpenSSL 1.1.1b or later only) </dt>
+<dd> This setting disables loading of the system-wide "openssl.cnf"
+file. </dd>
+
+<dt> <b><i>/absolute-path</i></b> (OpenSSL 1.1.1b or later only) </dt>
+<dd> Load the configuration file specified by <i>/absolute-path</i>.
+With this setting it is an error for the file to not contain any
+settings for the selected tls_config_name. There is no fallback to
+the default "openssl_conf" name. </dd>
+
+</dl>
+
+<p> Failures in processing of the built-in default configuration file,
+are silently ignored. Any errors in loading a non-default configuration
+file are detected by Postfix, and cause TLS support to be disabled.
+</p>
+
+<p> The OpenSSL configuration file format is not documented here,
+beyond giving two examples. <p>
+
+<p> Example: Default settings for all applications. </p>
+
+<blockquote>
+<pre>
+# The name 'openssl_conf' is the default application name
+# The section name to the right of the '=' sign is arbitrary,
+# any name will do, so long as it refers to the desired section.
+#
+# The name 'system_default' selects the settings applied internally
+# by the SSL library as part of SSL object creation. Applications
+# can then apply any additional settings of their choice.
+#
+# In this example, TLS versions prior to 1.2 are disabled by default.
+#
+openssl_conf = system_wide_settings
+[system_wide_settings]
+ssl_conf = ssl_library_settings
+[ssl_library_settings]
+system_default = initial_ssl_settings
+[initial_ssl_settings]
+MinProtocol = TLSv1.2
+</pre>
+</blockquote>
+
+<p> Example: Custom settings for an application named "postfix". </p>
+
+<blockquote>
+<pre>
+# The mapping from an application name to the corresponding configuration
+# section must appear near the top of the file, (in what is sometimes called
+# the "default section") prior to the start of any explicitly named
+# "[sections]". The named sections can appear in any order and don't nest.
+#
+postfix = postfix_settings
+[postfix_settings]
+ssl_conf = postfix_ssl_settings
+[postfix_ssl_settings]
+system_default = baseline_postfix_settings
+[baseline_postfix_settings]
+MinProtocol = TLSv1
+</pre>
+</blockquote>
+
+<p> This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6,
+3.6.10, and 3.5.20. </p>
+
+%PARAM smtpd_forbid_unauth_pipelining Postfix ≥ 3.9: yes
+
+<p> Disconnect remote SMTP clients that violate RFC 2920 (or 5321)
+command pipelining constraints. The server replies with "554 5.5.0
+Error: SMTP protocol synchronization" and logs the unexpected remote
+SMTP client input. Specify "smtpd_forbid_unauth_pipelining = yes"
+to enable. This feature is enabled by default with Postfix ≥
+3.9. </p>
+
+<p> This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6,
+3.6.10, and 3.5.20. </p>
diff -ur --new-file /var/tmp/postfix-3.6.9/src/global/mail_params.h ./src/global/mail_params.h
--- /var/tmp/postfix-3.6.9/src/global/mail_params.h 2022-03-22 17:23:20.000000000 -0400
+++ ./src/global/mail_params.h 2023-06-05 17:44:04.000000000 -0400
@@ -2430,6 +2430,10 @@
#define DEF_SMTPD_PEERNAME_LOOKUP 1
extern bool var_smtpd_peername_lookup;
+#define VAR_SMTPD_FORBID_UNAUTH_PIPE "smtpd_forbid_unauth_pipelining"
+#define DEF_SMTPD_FORBID_UNAUTH_PIPE 0
+extern bool var_smtpd_forbid_unauth_pipe;
+
/*
* Heuristic to reject unknown local recipients at the SMTP port.
*/
@@ -3313,8 +3317,17 @@
extern bool var_smtp_cname_overr;
/*
- * TLS cipherlists
+ * TLS library settings
*/
+#define VAR_TLS_CNF_FILE "tls_config_file"
+#define DEF_TLS_CNF_FILE "default"
+extern char *var_tls_cnf_file;
+
+#define VAR_TLS_CNF_NAME "tls_config_name"
+#define DEF_TLS_CNF_NAME ""
+extern char *var_tls_cnf_name;
+
+
#define VAR_TLS_HIGH_CLIST "tls_high_cipherlist"
#define DEF_TLS_HIGH_CLIST "aNULL:-aNULL:HIGH:@STRENGTH"
extern char *var_tls_high_clist;
diff -ur --new-file /var/tmp/postfix-3.6.9/src/postconf/postconf_edit.c ./src/postconf/postconf_edit.c
--- /var/tmp/postfix-3.6.9/src/postconf/postconf_edit.c 2014-12-06 20:35:33.000000000 -0500
+++ ./src/postconf/postconf_edit.c 2023-05-17 14:34:32.000000000 -0400
@@ -192,6 +192,11 @@
} else {
msg_panic("pcf_edit_main: unknown mode %d", mode);
}
+ if ((cvalue = htable_find(table, pattern)) != 0) {
+ msg_warn("ignoring earlier request: '%s = %s'",
+ pattern, cvalue->value);
+ htable_delete(table, pattern, myfree);
+ }
cvalue = (struct cvalue *) mymalloc(sizeof(*cvalue));
cvalue->value = edit_value;
cvalue->found = 0;
@@ -459,8 +464,38 @@
/*
* Match each service pattern.
+ *
+ * Additional care is needed when a request adds or replaces an
+ * entire service definition, instead of a specific field or
+ * parameter. Given a command "postconf -M name1/type1='name2
+ * type2 ...'", where name1 and name2 may differ, and likewise
+ * for type1 and type2:
+ *
+ * - First, if an existing service definition a) matches the service
+ * pattern 'name1/type1', or b) matches the name and type in the
+ * new service definition 'name2 type2 ...', remove the service
+ * definition.
+ *
+ * - Then, after an a) or b) type match, add a new service
+ * definition for 'name2 type2 ...', but only after the first
+ * match.
+ *
+ * - Finally, if a request had no a) or b) type match for any
+ * master.cf service definition, add a new service definition for
+ * 'name2 type2 ...'.
*/
for (req = edit_reqs; req < edit_reqs + num_reqs; req++) {
+ PCF_MASTER_ENT *tentative_entry = 0;
+ int use_tentative_entry = 0;
+
+ /* Additional care for whole service definition requests. */
+ if ((mode & PCF_MASTER_ENTRY) && (mode & PCF_EDIT_CONF)) {
+ tentative_entry = (PCF_MASTER_ENT *)
+ mymalloc(sizeof(*tentative_entry));
+ if ((err = pcf_parse_master_entry(tentative_entry,
+ req->edit_value)) != 0)
+ msg_fatal("%s: \"%s\"", err, req->raw_text);
+ }
if (PCF_MATCH_SERVICE_PATTERN(req->service_pattern,
service_name,
service_type)) {
@@ -506,18 +541,30 @@
* Replace entire master.cf entry.
*/
case PCF_MASTER_ENTRY:
- if (new_entry != 0)
- pcf_free_master_entry(new_entry);
- new_entry = (PCF_MASTER_ENT *)
- mymalloc(sizeof(*new_entry));
- if ((err = pcf_parse_master_entry(new_entry,
- req->edit_value)) != 0)
- msg_fatal("%s: \"%s\"", err, req->raw_text);
+ if (req->match_count == 1)
+ use_tentative_entry = 1;
break;
default:
msg_panic("%s: unknown edit mode %d", myname, mode);
}
}
+ } else if (tentative_entry != 0
+ && PCF_MATCH_SERVICE_PATTERN(tentative_entry->argv,
+ service_name,
+ service_type)) {
+ service_name_type_matched = 1; /* Sticky flag */
+ req->match_count += 1;
+ if (req->match_count == 1)
+ use_tentative_entry = 1;
+ }
+ if (tentative_entry != 0) {
+ if (use_tentative_entry) {
+ if (new_entry != 0)
+ pcf_free_master_entry(new_entry);
+ new_entry = tentative_entry;
+ } else {
+ pcf_free_master_entry(tentative_entry);
+ }
}
}
diff -ur --new-file /var/tmp/postfix-3.6.9/src/postconf/postconf_master.c ./src/postconf/postconf_master.c
--- /var/tmp/postfix-3.6.9/src/postconf/postconf_master.c 2020-03-08 12:35:20.000000000 -0400
+++ ./src/postconf/postconf_master.c 2023-05-17 14:34:32.000000000 -0400
@@ -156,6 +156,7 @@
#include <readlline.h>
#include <stringops.h>
#include <split_at.h>
+#include <dict_ht.h>
/* Global library. */
@@ -393,12 +394,12 @@
concatenate("ro", PCF_NAMESP_SEP_STR, masterp->name_space, (char *) 0);
masterp->argv = argv;
masterp->valid_names = 0;
+ masterp->ro_params = dict_ht_open(ro_name_space, O_CREAT | O_RDWR, 0);
process_name = basename(argv->argv[PCF_MASTER_FLD_CMD]);
- dict_update(ro_name_space, VAR_PROCNAME, process_name);
- dict_update(ro_name_space, VAR_SERVNAME,
- strcmp(process_name, argv->argv[0]) != 0 ?
- argv->argv[0] : process_name);
- masterp->ro_params = dict_handle(ro_name_space);
+ dict_put(masterp->ro_params, VAR_PROCNAME, process_name);
+ dict_put(masterp->ro_params, VAR_SERVNAME,
+ strcmp(process_name, argv->argv[0]) != 0 ?
+ argv->argv[0] : process_name);
myfree(ro_name_space);
masterp->all_params = 0;
return (0);
diff -ur --new-file /var/tmp/postfix-3.6.9/src/smtp/smtp.c ./src/smtp/smtp.c
--- /var/tmp/postfix-3.6.9/src/smtp/smtp.c 2021-04-18 18:07:09.000000000 -0400
+++ ./src/smtp/smtp.c 2023-06-05 10:10:16.000000000 -0400
@@ -569,6 +569,13 @@
/* .IP "\fBtls_fast_shutdown_enable (yes)\fR"
/* A workaround for implementations that hang Postfix while shutting
/* down a TLS session, until Postfix times out.
+/* .PP
+/* Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+/* .IP "\fBtls_config_file (default)\fR"
+/* Optional configuration file with baseline OpenSSL settings.
+/* .IP "\fBtls_config_name (empty)\fR"
+/* The application name passed by Postfix to OpenSSL library
+/* initialization functions.
/* OBSOLETE STARTTLS CONTROLS
/* .ad
/* .fi
diff -ur --new-file /var/tmp/postfix-3.6.9/src/smtpd/smtpd.c ./src/smtpd/smtpd.c
--- /var/tmp/postfix-3.6.9/src/smtpd/smtpd.c 2021-11-15 08:42:43.000000000 -0500
+++ ./src/smtpd/smtpd.c 2023-06-05 16:23:05.000000000 -0400
@@ -514,6 +514,13 @@
/* .IP "\fBinfo_log_address_format (external)\fR"
/* The email address form that will be used in non-debug logging
/* (info, warning, etc.).
+/* .PP
+/* Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+/* .IP "\fBtls_config_file (default)\fR"
+/* Optional configuration file with baseline OpenSSL settings.
+/* .IP "\fBtls_config_name (empty)\fR"
+/* The application name passed by Postfix to OpenSSL library
+/* initialization functions.
/* OBSOLETE STARTTLS CONTROLS
/* .ad
/* .fi
@@ -762,6 +769,11 @@
/* The maximal number of AUTH commands that any client is allowed to
/* send to this service per time unit, regardless of whether or not
/* Postfix actually accepts those commands.
+/* .PP
+/* Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+/* .IP "\fBsmtpd_forbid_unauth_pipelining (Postfix >= 3.9: yes)\fR"
+/* Disconnect remote SMTP clients that violate RFC 2920 (or 5321)
+/* command pipelining constraints.
/* TARPIT CONTROLS
/* .ad
/* .fi
@@ -1447,6 +1459,7 @@
char *var_milt_unk_macros;
char *var_milt_macro_deflts;
bool var_smtpd_client_port_log;
+bool var_smtpd_forbid_unauth_pipe;
char *var_stress;
char *var_reject_tmpf_act;
@@ -5375,6 +5388,32 @@
static STRING_LIST *smtpd_noop_cmds;
static STRING_LIST *smtpd_forbid_cmds;
+/* smtpd_flag_ill_pipelining - flag pipelining protocol violation */
+
+static int smtpd_flag_ill_pipelining(SMTPD_STATE *state)
+{
+
+ /*
+ * This code will not return after I/O error, timeout, or EOF. VSTREAM
+ * exceptions must be enabled in advance with smtp_stream_setup().
+ */
+ if (vstream_peek(state->client) == 0
+ && peekfd(vstream_fileno(state->client)) > 0)
+ (void) vstream_ungetc(state->client, smtp_fgetc(state->client));
+ if (vstream_peek(state->client) > 0) {
+ if (state->expand_buf == 0)
+ state->expand_buf = vstring_alloc(100);
+ escape(state->expand_buf, vstream_peek_data(state->client),
+ vstream_peek(state->client) < 100 ?
+ vstream_peek(state->client) : 100);
+ msg_info("improper command pipelining after %s from %s: %s",
+ state->where, state->namaddr, STR(state->expand_buf));
+ state->flags |= SMTPD_FLAG_ILL_PIPELINING;
+ return (1);
+ }
+ return (0);
+}
+
/* smtpd_proto - talk the SMTP protocol */
static void smtpd_proto(SMTPD_STATE *state)
@@ -5514,6 +5553,21 @@
#endif
/*
+ * If the client spoke before the server sends the initial greeting,
+ * raise a flag and log the content of the protocol violation. This
+ * check MUST NOT apply to TLS wrappermode connections.
+ */
+ if (SMTPD_STAND_ALONE(state) == 0
+ && vstream_context(state->client) == 0 /* not postscreen */
+ && (state->flags & SMTPD_FLAG_ILL_PIPELINING) == 0
+ && smtpd_flag_ill_pipelining(state)
+ && var_smtpd_forbid_unauth_pipe) {
+ smtpd_chat_reply(state,
+ "554 5.5.0 Error: SMTP protocol synchronization");
+ break;
+ }
+
+ /*
* XXX The client connection count/rate control must be consistent in
* its use of client address information in connect and disconnect
* events. For now we exclude xclient authorized hosts from
@@ -5740,16 +5794,11 @@
&& (strcasecmp(state->protocol, MAIL_PROTO_ESMTP) != 0
|| (cmdp->flags & SMTPD_CMD_FLAG_LAST))
&& (state->flags & SMTPD_FLAG_ILL_PIPELINING) == 0
- && (vstream_peek(state->client) > 0
- || peekfd(vstream_fileno(state->client)) > 0)) {
- if (state->expand_buf == 0)
- state->expand_buf = vstring_alloc(100);
- escape(state->expand_buf, vstream_peek_data(state->client),
- vstream_peek(state->client) < 100 ?
- vstream_peek(state->client) : 100);
- msg_info("improper command pipelining after %s from %s: %s",
- cmdp->name, state->namaddr, STR(state->expand_buf));
- state->flags |= SMTPD_FLAG_ILL_PIPELINING;
+ && smtpd_flag_ill_pipelining(state)
+ && var_smtpd_forbid_unauth_pipe) {
+ smtpd_chat_reply(state,
+ "554 5.5.0 Error: SMTP protocol synchronization");
+ break;
}
if (cmdp->action(state, argc, argv) != 0)
state->error_count++;
@@ -6412,6 +6461,7 @@
VAR_SMTPD_PEERNAME_LOOKUP, DEF_SMTPD_PEERNAME_LOOKUP, &var_smtpd_peername_lookup,
VAR_SMTPD_DELAY_OPEN, DEF_SMTPD_DELAY_OPEN, &var_smtpd_delay_open,
VAR_SMTPD_CLIENT_PORT_LOG, DEF_SMTPD_CLIENT_PORT_LOG, &var_smtpd_client_port_log,
+ VAR_SMTPD_FORBID_UNAUTH_PIPE, DEF_SMTPD_FORBID_UNAUTH_PIPE, &var_smtpd_forbid_unauth_pipe,
0,
};
static const CONFIG_NBOOL_TABLE nbool_table[] = {
diff -ur --new-file /var/tmp/postfix-3.6.9/src/tls/tls.h ./src/tls/tls.h
--- /var/tmp/postfix-3.6.9/src/tls/tls.h 2023-01-28 10:35:30.000000000 -0500
+++ ./src/tls/tls.h 2023-06-05 10:10:16.000000000 -0400
@@ -76,6 +76,7 @@
#include <openssl/crypto.h> /* Legacy SSLEAY_VERSION_NUMBER */
#include <openssl/opensslv.h> /* OPENSSL_VERSION_NUMBER */
#include <openssl/ssl.h>
+#include <openssl/conf.h>
/* Appease indent(1) */
#define x509_stack_t STACK_OF(X509)
@@ -311,6 +312,7 @@
* tls_misc.c
*/
extern void tls_param_init(void);
+extern int tls_library_init(void);
/*
* Protocol selection.
diff -ur --new-file /var/tmp/postfix-3.6.9/src/tls/tls_client.c ./src/tls/tls_client.c
--- /var/tmp/postfix-3.6.9/src/tls/tls_client.c 2023-01-21 16:00:02.000000000 -0500
+++ ./src/tls/tls_client.c 2023-06-05 10:10:16.000000000 -0400
@@ -641,6 +641,13 @@
tls_check_version();
/*
+ * Initialize the OpenSSL library, possibly loading its configuration
+ * file.
+ */
+ if (tls_library_init() == 0)
+ return (0);
+
+ /*
* Create an application data index for SSL objects, so that we can
* attach TLScontext information; this information is needed inside
* tls_verify_certificate_callback().
diff -ur --new-file /var/tmp/postfix-3.6.9/src/tls/tls_misc.c ./src/tls/tls_misc.c
--- /var/tmp/postfix-3.6.9/src/tls/tls_misc.c 2023-01-15 18:36:26.000000000 -0500
+++ ./src/tls/tls_misc.c 2023-06-05 10:13:13.000000000 -0400
@@ -29,6 +29,8 @@
/* #define TLS_INTERNAL
/* #include <tls.h>
/*
+/* char *var_tls_cnf_file;
+/* char *var_tls_cnf_name;
/* char *var_tls_high_clist;
/* char *var_tls_medium_clist;
/* char *var_tls_low_clist;
@@ -69,6 +71,8 @@
/*
/* void tls_param_init()
/*
+/* int tls_library_init(void)
+/*
/* int tls_proto_mask_lims(plist, floor, ceiling)
/* const char *plist;
/* int *floor;
@@ -155,6 +159,9 @@
/* tls_param_init() loads main.cf parameters used internally in
/* TLS library. Any errors are fatal.
/*
+/* tls_library_init() initializes the OpenSSL library, optionally
+/* loading an OpenSSL configuration file.
+/*
/* tls_pre_jail_init() opens any tables that need to be opened before
/* entering a chroot jail. The "role" parameter must be TLS_ROLE_CLIENT
/* for clients and TLS_ROLE_SERVER for servers. Any errors are fatal.
@@ -274,6 +281,8 @@
/*
* Tunable parameters.
*/
+char *var_tls_cnf_file;
+char *var_tls_cnf_name;
char *var_tls_high_clist;
char *var_tls_medium_clist;
char *var_tls_low_clist;
@@ -642,6 +651,8 @@
{
/* If this changes, update TLS_CLIENT_PARAMS in tls_proxy.h. */
static const CONFIG_STR_TABLE str_table[] = {
+ VAR_TLS_CNF_FILE, DEF_TLS_CNF_FILE, &var_tls_cnf_file, 0, 0,
+ VAR_TLS_CNF_NAME, DEF_TLS_CNF_NAME, &var_tls_cnf_name, 0, 0,
VAR_TLS_HIGH_CLIST, DEF_TLS_HIGH_CLIST, &var_tls_high_clist, 1, 0,
VAR_TLS_MEDIUM_CLIST, DEF_TLS_MEDIUM_CLIST, &var_tls_medium_clist, 1, 0,
VAR_TLS_LOW_CLIST, DEF_TLS_LOW_CLIST, &var_tls_low_clist, 1, 0,
@@ -685,6 +696,118 @@
get_mail_conf_bool_table(bool_table);
}
+/* tls_library_init - perform OpenSSL library initialization */
+
+int tls_library_init(void)
+{
+ OPENSSL_INIT_SETTINGS *init_settings;
+ char *conf_name = *var_tls_cnf_name ? var_tls_cnf_name : 0;
+ char *conf_file = 0;
+ unsigned long init_opts = 0;
+
+#define TLS_LIB_INIT_TODO (-1)
+#define TLS_LIB_INIT_ERR (0)
+#define TLS_LIB_INIT_OK (1)
+
+ static int init_res = TLS_LIB_INIT_TODO;
+
+ if (init_res != TLS_LIB_INIT_TODO)
+ return (init_res);
+
+ /*
+ * Backwards compatibility: skip this function unless the Postfix
+ * configuration actually has non-default tls_config_xxx settings.
+ */
+ if (strcmp(var_tls_cnf_file, DEF_TLS_CNF_FILE) == 0
+ && strcmp(var_tls_cnf_name, DEF_TLS_CNF_NAME) == 0) {
+ if (msg_verbose)
+ msg_info("tls_library_init: using backwards-compatible defaults");
+ return (init_res = TLS_LIB_INIT_OK);
+ }
+ if ((init_settings = OPENSSL_INIT_new()) == 0) {
+ msg_warn("error allocating OpenSSL init settings, "
+ "disabling TLS support");
+ return (init_res = TLS_LIB_INIT_ERR);
+ }
+#define TLS_LIB_INIT_RETURN(x) \
+ do { OPENSSL_INIT_free(init_settings); return (init_res = (x)); } while(0)
+
+#if OPENSSL_VERSION_NUMBER < 0x1010102fL
+
+ /*
+ * OpenSSL 1.1.0 through 1.1.1a, no support for custom configuration
+ * files, disabling loading of the file, or getting strict error
+ * handling. Thus, the only supported configuration file is "default".
+ */
+ if (strcmp(var_tls_cnf_file, "default") != 0) {
+ msg_warn("non-default %s = %s requires OpenSSL 1.1.1b or later, "
+ "disabling TLS support", VAR_TLS_CNF_FILE, var_tls_cnf_file);
+ TLS_LIB_INIT_RETURN(TLS_LIB_INIT_ERR);
+ }
+#else
+ {
+ unsigned long file_flags = 0;
+
+ /*-
+ * OpenSSL 1.1.1b or later:
+ * We can now use a non-default configuration file, or
+ * use none at all. We can also request strict error
+ * reporting.
+ */
+ if (strcmp(var_tls_cnf_file, "none") == 0) {
+ init_opts |= OPENSSL_INIT_NO_LOAD_CONFIG;
+ } else if (strcmp(var_tls_cnf_file, "default") == 0) {
+
+ /*
+ * The default global config file is optional. With "default"
+ * initialisation we don't insist on a match for the requested
+ * application name, allowing fallback to the default application
+ * name, even when a non-default application name is specified.
+ * Errors in loading the default configuration are ignored.
+ */
+ conf_file = 0;
+ file_flags |= CONF_MFLAGS_IGNORE_MISSING_FILE;
+ file_flags |= CONF_MFLAGS_DEFAULT_SECTION;
+ file_flags |= CONF_MFLAGS_IGNORE_RETURN_CODES | CONF_MFLAGS_SILENT;
+ } else if (*var_tls_cnf_file == '/') {
+
+ /*
+ * A custom config file must be present, error reporting is
+ * strict and the configuration section for the requested
+ * application name does not fall back to "openssl_conf" when
+ * missing.
+ */
+ conf_file = var_tls_cnf_file;
+ } else {
+ msg_warn("non-default %s = %s is not an absolute pathname, "
+ "disabling TLS support", VAR_TLS_CNF_FILE, var_tls_cnf_file);
+ TLS_LIB_INIT_RETURN(TLS_LIB_INIT_ERR);
+ }
+
+ OPENSSL_INIT_set_config_file_flags(init_settings, file_flags);
+ }
+#endif
+
+ if (conf_file)
+ OPENSSL_INIT_set_config_filename(init_settings, conf_file);
+ if (conf_name)
+ OPENSSL_INIT_set_config_appname(init_settings, conf_name);
+
+ if (OPENSSL_init_ssl(init_opts, init_settings) <= 0) {
+ if ((init_opts & OPENSSL_INIT_NO_LOAD_CONFIG) == 0)
+ msg_warn("error loading the '%s' settings from the %s OpenSSL "
+ "configuration file, disabling TLS support",
+ conf_name ? conf_name : "global",
+ conf_file ? conf_file : "default");
+ else
+ msg_warn("error initializing the OpenSSL library, "
+ "disabling TLS support");
+ tls_print_errors();
+ TLS_LIB_INIT_RETURN(TLS_LIB_INIT_ERR);
+ }
+ TLS_LIB_INIT_RETURN(TLS_LIB_INIT_OK);
+}
+
/* tls_pre_jail_init - Load TLS related pre-jail tables */
void tls_pre_jail_init(TLS_ROLE role)
diff -ur --new-file /var/tmp/postfix-3.6.9/src/tls/tls_proxy.h ./src/tls/tls_proxy.h
--- /var/tmp/postfix-3.6.9/src/tls/tls_proxy.h 2020-07-10 19:01:45.000000000 -0400
+++ ./src/tls/tls_proxy.h 2023-06-05 10:10:17.000000000 -0400
@@ -44,6 +44,8 @@
* VAR_TLS_SERVER_SNI_MAPS.
*/
typedef struct TLS_CLIENT_PARAMS {
+ char *tls_cnf_file;
+ char *tls_cnf_name;
char *tls_high_clist;
char *tls_medium_clist;
char *tls_low_clist;
@@ -65,12 +67,13 @@
} TLS_CLIENT_PARAMS;
#define TLS_PROXY_PARAMS(params, a1, a2, a3, a4, a5, a6, a7, a8, \
- a9, a10, a11, a12, a13, a14, a15, a16, a17, a18) \
+ a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20) \
(((params)->a1), ((params)->a2), ((params)->a3), \
((params)->a4), ((params)->a5), ((params)->a6), ((params)->a7), \
((params)->a8), ((params)->a9), ((params)->a10), ((params)->a11), \
((params)->a12), ((params)->a13), ((params)->a14), ((params)->a15), \
- ((params)->a16), ((params)->a17), ((params)->a18))
+ ((params)->a16), ((params)->a17), ((params)->a18), ((params)->a19), \
+ ((params)->a20))
/*
* tls_proxy_client_param_misc.c, tls_proxy_client_param_print.c, and
@@ -217,6 +220,8 @@
/*
* TLS_CLIENT_INIT_PROPS attributes.
*/
+#define TLS_ATTR_CNF_FILE "config_file"
+#define TLS_ATTR_CNF_NAME "config_name"
#define TLS_ATTR_LOG_PARAM "log_param"
#define TLS_ATTR_LOG_LEVEL "log_level"
#define TLS_ATTR_VERIFYDEPTH "verifydepth"
diff -ur --new-file /var/tmp/postfix-3.6.9/src/tls/tls_proxy_client_misc.c ./src/tls/tls_proxy_client_misc.c
--- /var/tmp/postfix-3.6.9/src/tls/tls_proxy_client_misc.c 2019-02-11 08:39:43.000000000 -0500
+++ ./src/tls/tls_proxy_client_misc.c 2023-06-05 10:10:16.000000000 -0400
@@ -78,6 +78,8 @@
TLS_CLIENT_PARAMS *tls_proxy_client_param_from_config(TLS_CLIENT_PARAMS *params)
{
TLS_PROXY_PARAMS(params,
+ tls_cnf_file = var_tls_cnf_file,
+ tls_cnf_name = var_tls_cnf_name,
tls_high_clist = var_tls_high_clist,
tls_medium_clist = var_tls_medium_clist,
tls_low_clist = var_tls_low_clist,
diff -ur --new-file /var/tmp/postfix-3.6.9/src/tls/tls_proxy_client_print.c ./src/tls/tls_proxy_client_print.c
--- /var/tmp/postfix-3.6.9/src/tls/tls_proxy_client_print.c 2020-07-10 19:01:45.000000000 -0400
+++ ./src/tls/tls_proxy_client_print.c 2023-06-05 10:10:16.000000000 -0400
@@ -95,6 +95,8 @@
msg_info("begin tls_proxy_client_param_print");
ret = print_fn(fp, flags | ATTR_FLAG_MORE,
+ SEND_ATTR_STR(TLS_ATTR_CNF_FILE, params->tls_cnf_file),
+ SEND_ATTR_STR(TLS_ATTR_CNF_NAME, params->tls_cnf_name),
SEND_ATTR_STR(VAR_TLS_HIGH_CLIST, params->tls_high_clist),
SEND_ATTR_STR(VAR_TLS_MEDIUM_CLIST,
params->tls_medium_clist),
diff -ur --new-file /var/tmp/postfix-3.6.9/src/tls/tls_proxy_client_scan.c ./src/tls/tls_proxy_client_scan.c
--- /var/tmp/postfix-3.6.9/src/tls/tls_proxy_client_scan.c 2020-07-18 20:21:31.000000000 -0400
+++ ./src/tls/tls_proxy_client_scan.c 2023-06-05 10:10:17.000000000 -0400
@@ -121,6 +121,8 @@
void tls_proxy_client_param_free(TLS_CLIENT_PARAMS *params)
{
+ myfree(params->tls_cnf_file);
+ myfree(params->tls_cnf_name);
myfree(params->tls_high_clist);
myfree(params->tls_medium_clist);
myfree(params->tls_low_clist);
@@ -145,6 +147,8 @@
TLS_CLIENT_PARAMS *params
= (TLS_CLIENT_PARAMS *) mymalloc(sizeof(*params));
int ret;
+ VSTRING *cnf_file = vstring_alloc(25);
+ VSTRING *cnf_name = vstring_alloc(25);
VSTRING *tls_high_clist = vstring_alloc(25);
VSTRING *tls_medium_clist = vstring_alloc(25);
VSTRING *tls_low_clist = vstring_alloc(25);
@@ -167,6 +171,8 @@
*/
memset(params, 0, sizeof(*params));
ret = scan_fn(fp, flags | ATTR_FLAG_MORE,
+ RECV_ATTR_STR(TLS_ATTR_CNF_FILE, cnf_file),
+ RECV_ATTR_STR(TLS_ATTR_CNF_NAME, cnf_name),
RECV_ATTR_STR(VAR_TLS_HIGH_CLIST, tls_high_clist),
RECV_ATTR_STR(VAR_TLS_MEDIUM_CLIST, tls_medium_clist),
RECV_ATTR_STR(VAR_TLS_LOW_CLIST, tls_low_clist),
@@ -192,6 +198,8 @@
¶ms->tls_multi_wildcard),
ATTR_TYPE_END);
/* Always construct a well-formed structure. */
+ params->tls_cnf_file = vstring_export(cnf_file);
+ params->tls_cnf_name = vstring_export(cnf_name);
params->tls_high_clist = vstring_export(tls_high_clist);
params->tls_medium_clist = vstring_export(tls_medium_clist);
params->tls_low_clist = vstring_export(tls_low_clist);
@@ -206,7 +214,7 @@
params->tls_mgr_service = vstring_export(tls_mgr_service);
params->tls_tkt_cipher = vstring_export(tls_tkt_cipher);
- ret = (ret == 18 ? 1 : -1);
+ ret = (ret == 20 ? 1 : -1);
if (ret != 1) {
tls_proxy_client_param_free(params);
params = 0;
diff -ur --new-file /var/tmp/postfix-3.6.9/src/tls/tls_server.c ./src/tls/tls_server.c
--- /var/tmp/postfix-3.6.9/src/tls/tls_server.c 2023-01-28 10:35:30.000000000 -0500
+++ ./src/tls/tls_server.c 2023-06-05 10:10:17.000000000 -0400
@@ -371,6 +371,13 @@
tls_check_version();
/*
+ * Initialize the OpenSSL library, possibly loading its configuration
+ * file.
+ */
+ if (tls_library_init() == 0)
+ return (0);
+
+ /*
* First validate the protocols. If these are invalid, we can't continue.
*/
protomask = tls_proto_mask_lims(props->protocols, &min_proto, &max_proto);
diff -ur --new-file /var/tmp/postfix-3.6.9/src/tlsproxy/tlsproxy.c ./src/tlsproxy/tlsproxy.c
--- /var/tmp/postfix-3.6.9/src/tlsproxy/tlsproxy.c 2021-02-16 18:30:21.000000000 -0500
+++ ./src/tlsproxy/tlsproxy.c 2023-06-05 10:10:17.000000000 -0400
@@ -134,6 +134,13 @@
/* .IP "\fBtls_fast_shutdown_enable (yes)\fR"
/* A workaround for implementations that hang Postfix while shutting
/* down a TLS session, until Postfix times out.
+/* .PP
+/* Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+/* .IP "\fBtls_config_file (default)\fR"
+/* Optional configuration file with baseline OpenSSL settings.
+/* .IP "\fBtls_config_name (empty)\fR"
+/* The application name passed by Postfix to OpenSSL library
+/* initialization functions.
/* STARTTLS SERVER CONTROLS
/* .ad
/* .fi