esolve conflicts from last import.

This commit is contained in:
tron 2013-08-21 20:12:30 +00:00
parent d6384a751f
commit 5ffceba539
8 changed files with 521 additions and 36 deletions

View File

@ -462,6 +462,34 @@ host:
/etc/postfix/relay_clientcerts:
D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home
To extract the public key fingerprint from an X.509 certificate, you need to
extract the public key from the certificate and compute the appropriate digest
of its DER (ASN.1) encoding. With OpenSSL the "-pubkey" option of the "x509"
command extracts the public key always in "PEM" format. We pipe the result to
another OpenSSL command that converts the key to DER and then to the "dgst"
command to compute the fingerprint.
The actual command to transform the key to DER format depends on the version of
OpenSSL used. With OpenSSL 1.0.0 and later, the "pkey" command supports all key
types. With OpenSSL 0.9.8 and earlier, the key type is always RSA (nobody uses
DSA, and EC keys are not fully supported by 0.9.8), so the "rsa" command is
used.
# OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
$ openssl x509 -in cert.pem -noout -pubkey |
openssl pkey -pubin -outform DER |
openssl dgst -sha1 -c
(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
$ openssl x509 -in cert.pem -noout -pubkey |
openssl rsa -pubin -outform DER |
openssl dgst -md5 -c
(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
Note: Postfix 2.9.0-2.9.5 computed the public key fingerprint incorrectly. To
use public-key fingerprints, upgrade to Postfix 2.9.6 or later.
SSeerrvveerr--ssiiddee cciipphheerr ccoonnttrroollss
The Postfix SMTP server supports 5 distinct cipher security levels as specified
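Review bot: the two examples in this hunk tie the digest to the OpenSSL version ("OpenSSL 1.0 ... SHA-1", "OpenSSL 0.9.8 ... MD5"), but the two are independent: both pipelines accept -sha1 or -md5, and the digest that matters is the one Postfix is configured to use for fingerprint matching (smtpd_tls_fingerprint_digest on this, the server, side), which must agree with the values an administrator puts into relay_clientcerts. Suggest a sentence saying that, and showing -sha1 in both branches with MD5 mentioned only as the legacy choice: MD5 has known collision attacks and a key fingerprint is being used here as a trust anchor.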
@ -823,6 +851,34 @@ the example above, we show two matching fingerprints:
match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
To extract the public key fingerprint from an X.509 certificate, you need to
extract the public key from the certificate and compute the appropriate digest
of its DER (ASN.1) encoding. With OpenSSL the "-pubkey" option of the "x509"
command extracts the public key always in "PEM" format. We pipe the result to
another OpenSSL command that converts the key to DER and then to the "dgst"
command to compute the fingerprint.
The actual command to transform the key to DER format depends on the version of
OpenSSL used. With OpenSSL 1.0.0 and later, the "pkey" command supports all key
types. With OpenSSL 0.9.8 and earlier, the key type is always RSA (nobody uses
DSA, and EC keys are not fully supported by 0.9.8), so the "rsa" command is
used.
# OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
$ openssl x509 -in cert.pem -noout -pubkey |
openssl pkey -pubin -outform DER |
openssl dgst -sha1 -c
(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
$ openssl x509 -in cert.pem -noout -pubkey |
openssl rsa -pubin -outform DER |
openssl dgst -md5 -c
(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
Note: Postfix 2.9.0-2.9.5 computed the public key fingerprint incorrectly. To
use public-key fingerprints, upgrade to Postfix 2.9.6 or later.
MMaannddaattoorryy sseerrvveerr cceerrttiiffiiccaattee vveerriiffiiccaattiioonn
At the "verify" TLS security level, messages are sent only over TLS encrypted
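Review bot: the closing note in this hunk tells readers only to upgrade to 2.9.6, yet the same import documents tls_legacy_public_key_fingerprints as a migration aid for policy tables that still hold 2.9.0..2.9.5 values; cross-reference it here, and state that it keeps the incorrect algorithm and is to be removed once the match= values have been regenerated with the commands above. Separately, the match= lines above this hunk use upper-case hex while "openssl dgst -c" prints lower-case; either say that the comparison is case-insensitive or append "| tr a-f A-F" to the pipeline so copy-and-paste gives the documented form.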

View File

@ -677,6 +677,39 @@ the name of the user or host:</p>
</pre>
</blockquote>
<p> To extract the public key fingerprint from an X.509 certificate,
you need to extract the public key from the certificate and compute
the appropriate digest of its DER (ASN.1) encoding. With OpenSSL
the "-pubkey" option of the "x509" command extracts the public
key always in "PEM" format. We pipe the result to another OpenSSL
command that converts the key to DER and then to the "dgst" command
to compute the fingerprint. </p>
<p> The actual command to transform the key to DER format depends
on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the
"pkey" command supports all key types. With OpenSSL 0.9.8 and
earlier, the key type is always RSA (nobody uses DSA, and EC
keys are not fully supported by 0.9.8), so the "rsa" command is
used. </p>
<blockquote>
<pre>
# OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
$ openssl x509 -in cert.pem -noout -pubkey |
openssl pkey -pubin -outform DER |
openssl dgst -sha1 -c
(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
$ openssl x509 -in cert.pem -noout -pubkey |
openssl rsa -pubin -outform DER |
openssl dgst -md5 -c
(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
</pre>
</blockquote>
<p> Note: Postfix 2.9.0&ndash;2.9.5 computed the public key
fingerprint incorrectly. To use public-key fingerprints, upgrade
to Postfix 2.9.6 or later. </p>
<h3><a name="server_cipher">Server-side cipher controls</a> </h3>
<p> The Postfix SMTP server supports 5 distinct cipher security levels
@ -1074,7 +1107,7 @@ required. The certificate trust chain, expiration date, ... are
not checked. Instead, the <a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a> parameter
or the "match" attribute in the <a href="#client_tls_policy">policy</a>
table lists the remote SMTP server certificate fingerprint or
public key fingerprint (Postfix 2.9 and later).
public key fingerprint (Postfix 2.9 and later). </p>
<p> If certificate fingerprints are exchanged securely, this is the
strongest, and least scalable security level. The administrator needs
@ -1136,6 +1169,39 @@ As in the example above, we show two matching fingerprints: </p>
</pre>
</blockquote>
<p> To extract the public key fingerprint from an X.509 certificate,
you need to extract the public key from the certificate and compute
the appropriate digest of its DER (ASN.1) encoding. With OpenSSL
the "-pubkey" option of the "x509" command extracts the public
key always in "PEM" format. We pipe the result to another OpenSSL
command that converts the key to DER and then to the "dgst" command
to compute the fingerprint. </p>
<p> The actual command to transform the key to DER format depends
on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the
"pkey" command supports all key types. With OpenSSL 0.9.8 and
earlier, the key type is always RSA (nobody uses DSA, and EC
keys are not fully supported by 0.9.8), so the "rsa" command is
used. </p>
<blockquote>
<pre>
# OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
$ openssl x509 -in cert.pem -noout -pubkey |
openssl pkey -pubin -outform DER |
openssl dgst -sha1 -c
(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
$ openssl x509 -in cert.pem -noout -pubkey |
openssl rsa -pubin -outform DER |
openssl dgst -md5 -c
(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
</pre>
</blockquote>
<p> Note: Postfix 2.9.0&ndash;2.9.5 computed the public key
fingerprint incorrectly. To use public-key fingerprints, upgrade
to Postfix 2.9.6 or later. </p>
<h4><a name="client_tls_verify"> Mandatory server certificate verification </a> </h4>
<p> At the "verify" TLS security level, messages are sent only over

View File

@ -8440,6 +8440,10 @@ D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home </p>
an appropriate <a href="access.5.html">access(5)</a> policy for each client.
See <a href="RESTRICTION_CLASS_README.html">RESTRICTION_CLASS_README</a>.</p>
<p> <b>Note:</b> Postfix 2.9.0&ndash;2.9.5 computed the public key
fingerprint incorrectly. To use public-key fingerprints, upgrade
to Postfix 2.9.6 or later. </p>
<p>This feature is available with Postfix version 2.2.</p>
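Review bot: the note should say which fingerprints are affected. The 2.9.0..2.9.5 bug concerns public-key fingerprints only; certificate fingerprints, the form shown in the relay_clientcerts example above and available since 2.2, are unaffected, as the tls_legacy_public_key_fingerprints text later in this same file states. Without that qualifier, sites that use certificate fingerprints will read this as a reason to upgrade or rekey when nothing changes for them.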
@ -10895,11 +10899,47 @@ SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
</pre>
</blockquote>
<p> Public key fingerprints are more difficult to extract, however,
the SHA-1 public key fingerprint is often present as the value of the
"Subject Key Identifier" extension in X.509v3 certificates. The Postfix
SMTP server and client log the peer certificate fingerprint and public
key fingerprint when TLS loglevel is 1 or higher. </p>
<p> To extract the public key fingerprint from an X.509 certificate,
you need to extract the public key from the certificate and compute
the appropriate digest of its DER (ASN.1) encoding. With OpenSSL
the "-pubkey" option of the "x509" command extracts the public
key always in "PEM" format. We pipe the result to another OpenSSL
command that converts the key to DER and then to the "dgst" command
to compute the fingerprint. </p>
<p> The actual command to transform the key to DER format depends
on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the
"pkey" command supports all key types. With OpenSSL 0.9.8 and
earlier, the key type is always RSA (nobody uses DSA, and EC
keys are not fully supported by 0.9.8), so the "rsa" command is
used. </p>
<blockquote>
<pre>
# OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
$ openssl x509 -in cert.pem -noout -pubkey |
openssl pkey -pubin -outform DER |
openssl dgst -sha1 -c
(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
</pre>
</blockquote>
<blockquote>
<pre>
# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
$ openssl x509 -in cert.pem -noout -pubkey |
openssl rsa -pubin -outform DER |
openssl dgst -md5 -c
(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
</pre>
</blockquote>
<p> The Postfix SMTP server and client log the peer (leaf) certificate
fingerprint and public key fingerprint when TLS loglevel is 1 or
higher. </p>
<p> <b>Note:</b> Postfix 2.9.0&ndash;2.9.5 computed the public key
fingerprint incorrectly. To use public-key fingerprints, upgrade
to Postfix 2.9.6 or later. </p>
<p> This feature is available in Postfix 2.5 and later. </p>
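Review bot: dropping the "Subject Key Identifier" sentence is correct and deserves a word of explanation, because readers who relied on it will now see mismatches: RFC 5280 section 4.2.1.2 method (1) derives the SKID from the SHA-1 of the subjectPublicKey BIT STRING contents alone, whereas the commands added here digest the full DER SubjectPublicKeyInfo, algorithm identifier included, so the two values differ. A short "the SKID extension is not this value" line would stop people pasting SKIDs into smtp_tls_policy_maps. Cosmetic: the two consecutive <blockquote><pre> blocks could be a single block, as in TLS_README.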
@ -14688,11 +14728,47 @@ SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
</pre>
</blockquote>
<p> Public key fingerprints are more difficult to extract, however,
the SHA-1 public key fingerprint is often present as the value of the
"Subject Key Identifier" extension in X.509v3 certificates. The Postfix
SMTP server and client log the peer certificate fingerprint and public
key fingerprint when TLS loglevel is 1 or higher. </p>
<p> To extract the public key fingerprint from an X.509 certificate,
you need to extract the public key from the certificate and compute
the appropriate digest of its DER (ASN.1) encoding. With OpenSSL
the "-pubkey" option of the "x509" command extracts the public
key always in "PEM" format. We pipe the result to another OpenSSL
command that converts the key to DER and then to the "dgst" command
to compute the fingerprint. </p>
<p> The actual command to transform the key to DER format depends
on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the
"pkey" command supports all key types. With OpenSSL 0.9.8 and
earlier, the key type is always RSA (nobody uses DSA, and EC
keys are not fully supported by 0.9.8), so the "rsa" command is
used. </p>
<blockquote>
<pre>
# OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
$ openssl x509 -in cert.pem -noout -pubkey |
openssl pkey -pubin -outform DER |
openssl dgst -sha1 -c
(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
</pre>
</blockquote>
<blockquote>
<pre>
# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
$ openssl x509 -in cert.pem -noout -pubkey |
openssl rsa -pubin -outform DER |
openssl dgst -md5 -c
(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
</pre>
</blockquote>
<p> The Postfix SMTP server and client log the peer (leaf) certificate
fingerprint and public key fingerprint when TLS loglevel is 1 or
higher. </p>
<p> <b>Note:</b> Postfix 2.9.0&ndash;2.9.5 computed the public key
fingerprint incorrectly. To use public-key fingerprints, upgrade
to Postfix 2.9.6 or later. </p>
<p> Example: client-certificate access table, with sha1 fingerprints: </p>
@ -15585,6 +15661,25 @@ OpenSSL releases. </p>
<p> This feature is available in Postfix 2.3 and later. </p>
</DD>
<DT><b><a name="tls_legacy_public_key_fingerprints">tls_legacy_public_key_fingerprints</a>
(default: no)</b></DT><DD>
<p> A temporary migration aid for sites that use certificate
<i>public-key</i> fingerprints with Postfix 2.9.0..2.9.5, which use
an incorrect algorithm. This parameter has no effect on the certificate
fingerprint support that is available since Postfix 2.2. </p>
<p> Specify "<a href="postconf.5.html#tls_legacy_public_key_fingerprint">tls_legacy_public_key_fingerprints</a> = yes" temporarily,
pending a migration from configuration files with incorrect Postfix
2.9.0..2.9.5 certificate public-key finger prints, to the correct
fingerprints used by Postfix 2.9.6 and later. To compute the correct
certificate public-key fingerprints, see <a href="TLS_README.html">TLS_README</a>. </p>
<p> This feature is available in Postfix 2.9.6 and later. </p>
</DD>
<DT><b><a name="tls_low_cipherlist">tls_low_cipherlist</a>
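Review bot: the href in this hunk is broken: <a href="postconf.5.html#tls_legacy_public_key_fingerprint"> lacks the trailing "s" that the anchor defined two lines earlier (name="tls_legacy_public_key_fingerprints") carries, so the self-link resolves to nothing. Since postconf.5.html is generated, the fix belongs in the parameter-name list the link generator consults rather than in this file. In the same paragraph "finger prints" should be "fingerprints", as the very next line spells it.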

View File

@ -1,4 +1,4 @@
.\" $NetBSD: postconf.5,v 1.10 2013/01/02 19:18:32 tron Exp $
.\" $NetBSD: postconf.5,v 1.11 2013/08/21 20:12:31 tron Exp $
.\"
.TH POSTCONF 5
.SH NAME
@ -4889,6 +4889,10 @@ For more fine-grained control, use check_ccert_access to select
an appropriate \fBaccess\fR(5) policy for each client.
See RESTRICTION_CLASS_README.
.PP
\fBNote:\fR Postfix 2.9.0&ndash;2.9.5 computed the public key
fingerprint incorrectly. To use public-key fingerprints, upgrade
to Postfix 2.9.6 or later.
.PP
This feature is available with Postfix version 2.2.
.SH relay_destination_concurrency_limit (default: $default_destination_concurrency_limit)
The maximal number of parallel deliveries to the same destination
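Review bot: "&ndash;" is an HTML entity and this is nroff source, so man(1) will print "Postfix 2.9.0&ndash;2.9.5" literally; the same string appears in the two later hunks of this file. Use a plain hyphen as the TLS_README text in this import does ("2.9.0-2.9.5"), or map the entity in the html-to-man conversion; the proto text is the place to make the change so it does not recur on the next regeneration.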
@ -6536,11 +6540,56 @@ SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
.ft R
.in -4
.PP
Public key fingerprints are more difficult to extract, however,
the SHA-1 public key fingerprint is often present as the value of the
"Subject Key Identifier" extension in X.509v3 certificates. The Postfix
SMTP server and client log the peer certificate fingerprint and public
key fingerprint when TLS loglevel is 1 or higher.
To extract the public key fingerprint from an X.509 certificate,
you need to extract the public key from the certificate and compute
the appropriate digest of its DER (ASN.1) encoding. With OpenSSL
the "-pubkey" option of the "x509" command extracts the public
key always in "PEM" format. We pipe the result to another OpenSSL
command that converts the key to DER and then to the "dgst" command
to compute the fingerprint.
.PP
The actual command to transform the key to DER format depends
on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the
"pkey" command supports all key types. With OpenSSL 0.9.8 and
earlier, the key type is always RSA (nobody uses DSA, and EC
keys are not fully supported by 0.9.8), so the "rsa" command is
used.
.sp
.in +4
.nf
.na
.ft C
# OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
$ openssl x509 -in cert.pem -noout -pubkey |
openssl pkey -pubin -outform DER |
openssl dgst -sha1 -c
(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
.fi
.ad
.ft R
.in -4
.sp
.in +4
.nf
.na
.ft C
# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
$ openssl x509 -in cert.pem -noout -pubkey |
openssl rsa -pubin -outform DER |
openssl dgst -md5 -c
(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
.fi
.ad
.ft R
.in -4
.PP
The Postfix SMTP server and client log the peer (leaf) certificate
fingerprint and public key fingerprint when TLS loglevel is 1 or
higher.
.PP
\fBNote:\fR Postfix 2.9.0&ndash;2.9.5 computed the public key
fingerprint incorrectly. To use public-key fingerprints, upgrade
to Postfix 2.9.6 or later.
.PP
This feature is available in Postfix 2.5 and later.
.SH smtp_tls_key_file (default: $smtp_tls_cert_file)
@ -9428,11 +9477,56 @@ SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
.ft R
.in -4
.PP
Public key fingerprints are more difficult to extract, however,
the SHA-1 public key fingerprint is often present as the value of the
"Subject Key Identifier" extension in X.509v3 certificates. The Postfix
SMTP server and client log the peer certificate fingerprint and public
key fingerprint when TLS loglevel is 1 or higher.
To extract the public key fingerprint from an X.509 certificate,
you need to extract the public key from the certificate and compute
the appropriate digest of its DER (ASN.1) encoding. With OpenSSL
the "-pubkey" option of the "x509" command extracts the public
key always in "PEM" format. We pipe the result to another OpenSSL
command that converts the key to DER and then to the "dgst" command
to compute the fingerprint.
.PP
The actual command to transform the key to DER format depends
on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the
"pkey" command supports all key types. With OpenSSL 0.9.8 and
earlier, the key type is always RSA (nobody uses DSA, and EC
keys are not fully supported by 0.9.8), so the "rsa" command is
used.
.sp
.in +4
.nf
.na
.ft C
# OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
$ openssl x509 -in cert.pem -noout -pubkey |
openssl pkey -pubin -outform DER |
openssl dgst -sha1 -c
(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
.fi
.ad
.ft R
.in -4
.sp
.in +4
.nf
.na
.ft C
# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
$ openssl x509 -in cert.pem -noout -pubkey |
openssl rsa -pubin -outform DER |
openssl dgst -md5 -c
(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
.fi
.ad
.ft R
.in -4
.PP
The Postfix SMTP server and client log the peer (leaf) certificate
fingerprint and public key fingerprint when TLS loglevel is 1 or
higher.
.PP
\fBNote:\fR Postfix 2.9.0&ndash;2.9.5 computed the public key
fingerprint incorrectly. To use public-key fingerprints, upgrade
to Postfix 2.9.6 or later.
.PP
Example: client-certificate access table, with sha1 fingerprints:
.sp
@ -10077,6 +10171,19 @@ list when they are enabled. This prefix is not needed with previous
OpenSSL releases.
.PP
This feature is available in Postfix 2.3 and later.
.SH tls_legacy_public_key_fingerprints (default: no)
A temporary migration aid for sites that use certificate
\fIpublic-key\fR fingerprints with Postfix 2.9.0..2.9.5, which use
an incorrect algorithm. This parameter has no effect on the certificate
fingerprint support that is available since Postfix 2.2.
.PP
Specify "tls_legacy_public_key_fingerprints = yes" temporarily,
pending a migration from configuration files with incorrect Postfix
2.9.0..2.9.5 certificate public-key finger prints, to the correct
fingerprints used by Postfix 2.9.6 and later. To compute the correct
certificate public-key fingerprints, see TLS_README.
.PP
This feature is available in Postfix 2.9.6 and later.
.SH tls_low_cipherlist (default: ALL:!EXPORT:+RC4:@STRENGTH)
The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines
the meaning of the "low" setting in smtpd_tls_mandatory_ciphers,

View File

@ -677,6 +677,39 @@ the name of the user or host:</p>
</pre>
</blockquote>
<p> To extract the public key fingerprint from an X.509 certificate,
you need to extract the public key from the certificate and compute
the appropriate digest of its DER (ASN.1) encoding. With OpenSSL
the "-pubkey" option of the "x509" command extracts the public
key always in "PEM" format. We pipe the result to another OpenSSL
command that converts the key to DER and then to the "dgst" command
to compute the fingerprint. </p>
<p> The actual command to transform the key to DER format depends
on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the
"pkey" command supports all key types. With OpenSSL 0.9.8 and
earlier, the key type is always RSA (nobody uses DSA, and EC
keys are not fully supported by 0.9.8), so the "rsa" command is
used. </p>
<blockquote>
<pre>
# OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
$ openssl x509 -in cert.pem -noout -pubkey |
openssl pkey -pubin -outform DER |
openssl dgst -sha1 -c
(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
$ openssl x509 -in cert.pem -noout -pubkey |
openssl rsa -pubin -outform DER |
openssl dgst -md5 -c
(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
</pre>
</blockquote>
<p> Note: Postfix 2.9.0&ndash;2.9.5 computed the public key
fingerprint incorrectly. To use public-key fingerprints, upgrade
to Postfix 2.9.6 or later. </p>
<h3><a name="server_cipher">Server-side cipher controls</a> </h3>
<p> The Postfix SMTP server supports 5 distinct cipher security levels
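Review bot: "the key type is always RSA (nobody uses DSA ...)" presents an assumption as fact, and the 0.9.8 pipeline fails unsafely when it is wrong: "openssl rsa -pubin" rejects a non-RSA key and writes nothing to stdout, "openssl dgst" then hashes empty input and prints a well-formed fingerprint of the empty string, and the pipeline's exit status is that of dgst, so the error is easy to miss. Suggest: "the rsa command handles only RSA keys; for a DSA key use openssl dsa -pubin -outform DER", plus a reminder to check that the rsa/dsa step succeeded before trusting the digest.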
@ -1074,7 +1107,7 @@ required. The certificate trust chain, expiration date, ... are
not checked. Instead, the smtp_tls_fingerprint_cert_match parameter
or the "match" attribute in the <a href="#client_tls_policy">policy</a>
table lists the remote SMTP server certificate fingerprint or
public key fingerprint (Postfix 2.9 and later).
public key fingerprint (Postfix 2.9 and later). </p>
<p> If certificate fingerprints are exchanged securely, this is the
strongest, and least scalable security level. The administrator needs
@ -1136,6 +1169,39 @@ As in the example above, we show two matching fingerprints: </p>
</pre>
</blockquote>
<p> To extract the public key fingerprint from an X.509 certificate,
you need to extract the public key from the certificate and compute
the appropriate digest of its DER (ASN.1) encoding. With OpenSSL
the "-pubkey" option of the "x509" command extracts the public
key always in "PEM" format. We pipe the result to another OpenSSL
command that converts the key to DER and then to the "dgst" command
to compute the fingerprint. </p>
<p> The actual command to transform the key to DER format depends
on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the
"pkey" command supports all key types. With OpenSSL 0.9.8 and
earlier, the key type is always RSA (nobody uses DSA, and EC
keys are not fully supported by 0.9.8), so the "rsa" command is
used. </p>
<blockquote>
<pre>
# OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
$ openssl x509 -in cert.pem -noout -pubkey |
openssl pkey -pubin -outform DER |
openssl dgst -sha1 -c
(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
$ openssl x509 -in cert.pem -noout -pubkey |
openssl rsa -pubin -outform DER |
openssl dgst -md5 -c
(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
</pre>
</blockquote>
<p> Note: Postfix 2.9.0&ndash;2.9.5 computed the public key
fingerprint incorrectly. To use public-key fingerprints, upgrade
to Postfix 2.9.6 or later. </p>
<h4><a name="client_tls_verify"> Mandatory server certificate verification </a> </h4>
<p> At the "verify" TLS security level, messages are sent only over
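Review bot: the worked output in this hunk (64:3f:1f:... and f4:62:60:...) comes from an unnamed cert.pem and is not the certificate whose match= values are shown above it, so a reader cannot verify that their pipeline reproduces a known value. Using one certificate throughout, with its certificate fingerprint and public-key fingerprint both shown, would let readers confirm the procedure before they put the result into a policy table where a wrong value silently disables delivery.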

View File

@ -9065,6 +9065,10 @@ relay_clientcerts = hash:/etc/postfix/relay_clientcerts
an appropriate access(5) policy for each client.
See RESTRICTION_CLASS_README.</p>
<p> <b>Note:</b> Postfix 2.9.0&ndash;2.9.5 computed the public key
fingerprint incorrectly. To use public-key fingerprints, upgrade
to Postfix 2.9.6 or later. </p>
<p>This feature is available with Postfix version 2.2.</p>
%PARAM smtpd_tls_cipherlist
@ -11489,11 +11493,47 @@ SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
</pre>
</blockquote>
<p> Public key fingerprints are more difficult to extract, however,
the SHA-1 public key fingerprint is often present as the value of the
"Subject Key Identifier" extension in X.509v3 certificates. The Postfix
SMTP server and client log the peer certificate fingerprint and public
key fingerprint when TLS loglevel is 1 or higher. </p>
<p> To extract the public key fingerprint from an X.509 certificate,
you need to extract the public key from the certificate and compute
the appropriate digest of its DER (ASN.1) encoding. With OpenSSL
the "-pubkey" option of the "x509" command extracts the public
key always in "PEM" format. We pipe the result to another OpenSSL
command that converts the key to DER and then to the "dgst" command
to compute the fingerprint. </p>
<p> The actual command to transform the key to DER format depends
on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the
"pkey" command supports all key types. With OpenSSL 0.9.8 and
earlier, the key type is always RSA (nobody uses DSA, and EC
keys are not fully supported by 0.9.8), so the "rsa" command is
used. </p>
<blockquote>
<pre>
# OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
$ openssl x509 -in cert.pem -noout -pubkey |
openssl pkey -pubin -outform DER |
openssl dgst -sha1 -c
(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
</pre>
</blockquote>
<blockquote>
<pre>
# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
$ openssl x509 -in cert.pem -noout -pubkey |
openssl rsa -pubin -outform DER |
openssl dgst -md5 -c
(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
</pre>
</blockquote>
<p> The Postfix SMTP server and client log the peer (leaf) certificate
fingerprint and public key fingerprint when TLS loglevel is 1 or
higher. </p>
<p> <b>Note:</b> Postfix 2.9.0&ndash;2.9.5 computed the public key
fingerprint incorrectly. To use public-key fingerprints, upgrade
to Postfix 2.9.6 or later. </p>
<p> This feature is available in Postfix 2.5 and later. </p>
@ -11607,11 +11647,47 @@ SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
</pre>
</blockquote>
<p> Public key fingerprints are more difficult to extract, however,
the SHA-1 public key fingerprint is often present as the value of the
"Subject Key Identifier" extension in X.509v3 certificates. The Postfix
SMTP server and client log the peer certificate fingerprint and public
key fingerprint when TLS loglevel is 1 or higher. </p>
<p> To extract the public key fingerprint from an X.509 certificate,
you need to extract the public key from the certificate and compute
the appropriate digest of its DER (ASN.1) encoding. With OpenSSL
the "-pubkey" option of the "x509" command extracts the public
key always in "PEM" format. We pipe the result to another OpenSSL
command that converts the key to DER and then to the "dgst" command
to compute the fingerprint. </p>
<p> The actual command to transform the key to DER format depends
on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the
"pkey" command supports all key types. With OpenSSL 0.9.8 and
earlier, the key type is always RSA (nobody uses DSA, and EC
keys are not fully supported by 0.9.8), so the "rsa" command is
used. </p>
<blockquote>
<pre>
# OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
$ openssl x509 -in cert.pem -noout -pubkey |
openssl pkey -pubin -outform DER |
openssl dgst -sha1 -c
(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
</pre>
</blockquote>
<blockquote>
<pre>
# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
$ openssl x509 -in cert.pem -noout -pubkey |
openssl rsa -pubin -outform DER |
openssl dgst -md5 -c
(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
</pre>
</blockquote>
<p> The Postfix SMTP server and client log the peer (leaf) certificate
fingerprint and public key fingerprint when TLS loglevel is 1 or
higher. </p>
<p> <b>Note:</b> Postfix 2.9.0&ndash;2.9.5 computed the public key
fingerprint incorrectly. To use public-key fingerprints, upgrade
to Postfix 2.9.6 or later. </p>
<p> Example: client-certificate access table, with sha1 fingerprints: </p>
@ -13869,6 +13945,21 @@ OpenSSL 1.0.0.</dd>
<p> This feature is available in Postfix 2.8 and later. </p>
%PARAM tls_legacy_public_key_fingerprints no
<p> A temporary migration aid for sites that use certificate
<i>public-key</i> fingerprints with Postfix 2.9.0..2.9.5, which use
an incorrect algorithm. This parameter has no effect on the certificate
fingerprint support that is available since Postfix 2.2. </p>
<p> Specify "tls_legacy_public_key_fingerprints = yes" temporarily,
pending a migration from configuration files with incorrect Postfix
2.9.0..2.9.5 certificate public-key finger prints, to the correct
fingerprints used by Postfix 2.9.6 and later. To compute the correct
certificate public-key fingerprints, see TLS_README. </p>
<p> This feature is available in Postfix 2.9.6 and later. </p>
%PARAM tlsproxy_watchdog_timeout 10s
<p> How much time a tlsproxy(8) process may take to process local
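Review bot: "finger prints" in this hunk should be "fingerprints"; this proto file is the source from which postconf.5 and postconf.5.html are generated, so the typo appears in both of those hunks too and needs fixing only here. The same paragraph writes the version range as "2.9.0..2.9.5" while the notes added elsewhere in this file write "2.9.0&ndash;2.9.5"; pick one form.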

View File

@ -1,4 +1,4 @@
/* $NetBSD: mail_params.h,v 1.9 2013/01/02 19:18:34 tron Exp $ */
/* $NetBSD: mail_params.h,v 1.10 2013/08/21 20:12:31 tron Exp $ */
#ifndef _MAIL_PARAMS_H_INCLUDED_
#define _MAIL_PARAMS_H_INCLUDED_
@ -3037,6 +3037,10 @@ extern bool var_tls_preempt_clist;
#define DEF_TLS_BUG_TWEAKS TLS_BUG_TWEAKS
extern char *var_tls_bug_tweaks;
#define VAR_TLS_BC_PKEY_FPRINT "tls_legacy_public_key_fingerprints"
#define DEF_TLS_BC_PKEY_FPRINT 0
extern bool var_tls_bc_pkey_fprint;
/*
* Sendmail-style mail filter support.
*/
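Review bot: this hunk declares var_tls_bc_pkey_fprint and the "tls_legacy_public_key_fingerprints" name, but none of the eight files in this import registers the parameter in a bool table or reads it where the public-key fingerprint is computed; if the matching mail_params.c and TLS library changes were resolved in a separate commit that is fine, otherwise the documentation added here promises a knob that does not exist. DEF_TLS_BC_PKEY_FPRINT 0 does agree with the documented default of "no".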

View File

@ -1,4 +1,4 @@
/* $NetBSD: tls_client.c,v 1.6 2013/01/02 19:18:36 tron Exp $ */
/* $NetBSD: tls_client.c,v 1.7 2013/08/21 20:12:31 tron Exp $ */
/*++
/* NAME
@ -996,7 +996,7 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props)
if (TLScontext->log_mask &
(TLS_LOG_CERTMATCH | TLS_LOG_VERBOSE | TLS_LOG_PEERCERT))
msg_info("%s: subject_CN=%s, issuer_CN=%s, "
"fingerprint %s, pkey_fingerprint=%s", props->namaddr,
"fingerprint=%s, pkey_fingerprint=%s", props->namaddr,
TLScontext->peer_CN, TLScontext->issuer_CN,
TLScontext->peer_fingerprint,
TLScontext->peer_pkey_fprint);
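Review bot: the format fix changes a log line that administrators grep to harvest fingerprints (it is emitted under TLS_LOG_PEERCERT, i.e. TLS loglevel 1 and up, as the documentation in this import says), so anything parsing "fingerprint " followed by a space will stop matching. The key=value form is the right one and is consistent with the adjacent pkey_fingerprint=, but it deserves a release-notes mention, and it is worth confirming that the server-side message spells it the same way, since that file is not in this diff.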