postfix 2.2.9

rpaulo 2006-02-25 22:04:07 +00:00
parent c9ec09a52e
commit b540f1d62f
32 changed files with 1169 additions and 515 deletions

View File

@ -10794,3 +10794,81 @@ Apologies for any names omitted.
Portability: FreeBSD 6 is a supported platform. Files:
util/sys_defs.h, makedefs.
20010604
Safety: new "smtp_cname_overrides_servername" parameter.
The default value ("yes") is backwards compatible.
With a value of "no", the Postfix SMTP client no longer
allows CNAME expansion to override the hostname that is
used for logging, SASL password lookup, TLS policy decisions,
or TLS certificate verification. Instead it uses the name
of the recipient domain, the host or domain name specified
in Postfix configuration files, or the hostnames obtained
with MX lookups. To prevent cheating with hostnames in MX
lookup results, you will have to suppress MX lookups with
explicit [hostname] entries in transport maps. Files:
dns/dns_lookup.c, dns/dns_rr.c, proto/postconf.proto.
20060108
Bugfix: mailbox_command_maps was not subject to $name
expansion. File: local/local.c.
20060115
Bugfix: don't ignore the per-site policy when SSL library
initialization fails. Introduced after adopting the TLS
patch. File: smtp/smtp_session.c.
20060121
Bugfix: a TLS per-site MUST_NOPEERMATCH policy could not
override a stronger main.cf policy, while a per-site NONE
policy could. Fixed with a clean re-implementation from
Postfix 2.3. File: smtp/smtp_session.c.
Bugfix: a combined TLS per-site (host, recipient) policy
of (NONE, MAY) changed a global MUST policy into NONE, and
a global MUST_NOPEERMATCH into MAY. The result is now NONE.
Problem found by exhaustive simulation. Fixed with a clean
re-implementation from Postfix 2.3. File: smtp/smtp_session.c.
20060130
Bugfix: an empty remote_header_rewrite_domain value caused
trivial-rewrite to dereference a null pointer, but only in
regression tests, not in production. Postfix rewrites
addresses in the remote rewriting context only when the
remote_header_rewrite_domain parameter value is non-empty.
File: trivial-rewrite/rewrite.c.
20060202
Workaround: a malformed domain name lookup result (such as
null MX record) is now treated as a hard error, so that
Postfix will no longer repeatedly try to deliver mail until
the message expires in the queue. However, this will not
reject mail with reject_unknown_sender/recipient_domain.
That would require too much change for a stable release.
File: dns/dns_lookup.c.
20060203
Bugfix: smtpd core dump when SASL is compiled in, turned
off (smtpd_sasl_auth_enable = no) and permit_sasl_authenticated
is specified in local_header_rewrite_clients. Victor Duchovni.
File: smtpd/smtpd_check.c.
20060204
Bugfix: disable the content_filter feature for user-requested
"sendmail -bv" probes, just like it is disabled for probes
generated by Postfix itself. File: *qmgr/qmgr_message.c.
20060212
Workaround: don't consume in_flow tokens when incoming mail
is placed on hold. Back-ported from Postfix 2.3. File:
cleanup/cleanup_api.c.
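Review bot: the 20010604 entry date is out of sequence with the surrounding entries (the previous one is the FreeBSD 6 portability note, the next is 20060108), so it looks like a transposed 2006 date; please confirm it before this goes into HISTORY, since TLS_README in the same commit advertises the feature as "requires Postfix 2.2.9 or later". It would also help to say in the smtp_cname_overrides_servername entry that the backwards-compatible default ("yes") keeps the CNAME behaviour that the new "Closing a DNS loophole" section warns about, so administrators who want the hardening must set "no" explicitly.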

View File

@ -43,7 +43,7 @@ how next message is chosen when delivery agent becomes available. You already
know that oqmgr(8) uses round-robin by destination while qmgr(8) uses simple
FIFO, except for some preemptive magic. The postconf(5) manual documents all
the knobs the user can use to control this preemptive magic - there is nothing
else to the preemption than the quite simple conditions described below.
else to the preemption than the quite simple conditions described in there.
As for programmer-level documentation, this will have to be extracted from all
those emails we have exchanged with Wietse [rats! I hoped that Patrik would do
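Review bot: "described in there" in the replacement line reads awkwardly; "described there" is the idiomatic form. The HTML copy of this paragraph later in the commit carries the same wording, so change both.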

View File

@ -68,6 +68,11 @@ To build Postfix with TLS support, first we need to generate the make(1) files
with the necessary definitions. This is done by invoking the command "make
makefiles" in the Postfix top-level directory and with arguments as shown next.
NNOOTTEE:: DDoo nnoott uussee GGnnuu TTLLSS.. IItt wwiillll ssppoonnttaanneeoouussllyy tteerrmmiinnaattee aa PPoossttffiixx ddaaeemmoonn
pprroocceessss wwiitthh eexxiitt ssttaattuuss ccooddee 22,, iinnsstteeaadd ooff aalllloowwiinngg PPoossttffiixx ttoo 11)) rreeppoorrtt tthhee
eerrrroorr ttoo tthhee mmaaiilllloogg ffiillee,, aanndd ttoo 22)) pprroovviiddee ppllaaiinntteexxtt sseerrvviiccee wwhheerree tthhiiss iiss
aapppprroopprriiaattee..
* If the OpenSSL include files (such as ssl.h) are in directory /usr/include/
openssl, and the OpenSSL libraries (such as libssl.so and libcrypto.so) are
in directory /usr/lib:
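Review bot: the project name is spelled "GnuTLS" (one word), not "Gnu TLS", in the new NOTE paragraph; the HTML copy of the paragraph later in this commit has the same spelling, so fix both. The note also says only what not to use; a short pointer to the OpenSSL build instructions that immediately follow ("If the OpenSSL include files ...") would make it actionable.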
@ -364,7 +369,9 @@ between multiple smtpd(8) processes, a persistent session cache can be used.
You can specify any database type that can store objects of several kbytes and
that supports the sequence operator. DBM databases are not suitable because
they can only store small objects. The cache is maintained by the tlsmgr(8)
process, so there is no problem with concurrent access.
process, so there is no problem with concurrent access. Session caching is
highly recommended, because the cost of repeatedly negotiating TLS session keys
is high.
Example:
@ -420,7 +427,7 @@ Example:
...
The Postfix list manipulation routines give special treatment to whitespace and
some other characters, making the use of certificate names unpractical. Instead
some other characters, making the use of certificate names impractical. Instead
we use the certificate fingerprints as they are difficult to fake but easy to
use for lookup. Postfix lookup tables are in the form of (key, value) pairs.
Since we only need the key, the value can be chosen freely, e.g. the name of
@ -485,7 +492,12 @@ Topics covered in this section:
* Client-side TLS activity logging
* Client-side TLS session cache
* Enabling TLS in the Postfix SMTP client
* Server certificate verification
* Requiring TLS encryption
* Disabling server certificate verification
* Per-site TLS policies
* Closing a DNS loophole with per-site TLS policies
* Discovering servers that support TLS
* Server certificate verification depth
* Client-side cipher controls
* Miscellaneous client controls
@ -530,12 +542,12 @@ If you want the Postfix SMTP client to accept remote SMTP server certificates
issued by these CAs, append the root certificate to $smtp_tls_CAfile or install
it in the $smtp_tls_CApath directory. When you configure trust in a root CA, it
is not necessary to explicitly trust intermediary CAs signed by the root CA,
unless $smtp_tls_verify_depth is less than the number of CAs in the certificate
chain for the servers of interest. With a verify depth of 1 you can only verify
certificates directly signed by a trusted CA, and all trusted intermediary CAs
need to be configured explicitly. With a verify depth of 2 you can verify
servers signed by a root CA or a direct intermediary CA (so long as the server
is correctly configured to supply its intermediate CA certificate).
unless $smtp_tls_scert_verifydepth is less than the number of CAs in the
certificate chain for the servers of interest. With a verify depth of 1 you can
only verify certificates directly signed by a trusted CA, and all trusted
intermediary CAs need to be configured explicitly. With a verify depth of 2 you
can verify servers signed by a root CA or a direct intermediary CA (so long as
the server is correctly configured to supply its intermediate CA certificate).
RSA key and certificate examples:
@ -608,7 +620,10 @@ between multiple smtp(8) processes, a persistent session cache can be used. You
can specify any database type that can store objects of several kbytes and that
supports the sequence operator. DBM databases are not suitable because they can
only store small objects. The cache is maintained by the tlsmgr(8) process, so
there is no problem with concurrent access.
there is no problem with concurrent access. Session caching is highly
recommended, because the cost of repeatedly negotiating TLS session keys is
high. Future Postfix SMTP servers may limit the number of sessions that a
client is allowed to negotiate per unit time.
Example:
@ -630,20 +645,19 @@ By default, TLS is disabled in the Postfix SMTP client, so no difference to
plain Postfix is visible. If you enable TLS, the Postfix SMTP client will send
STARTTLS when TLS support is announced by the remote SMTP server.
WARNING: MS Exchange servers will announce STARTTLS support even when the
service is not configured, so that the TLS handshake will fail. It may be wise
to not use this option on your central mail hub, as you don't know in advance
whether you are going to connect to such a host. Instead, use the
smtp_tls_per_site recipient/site specific options that are described below.
When the TLS handshake fails and no other server is available, the Postfix SMTP
client defers the delivery attempt, and the mail stays in the queue.
When the server accepts the STARTTLS command, but the subsequent TLS handshake
fails, and no other server is available, the Postfix SMTP client defers the
delivery attempt, and the mail stays in the queue. After a handshake failure,
the communications channel is in an indeterminate state and cannot be used for
non-TLS deliveries.
Example:
/etc/postfix/main.cf:
smtp_use_tls = yes
RReeqquuiirriinngg TTLLSS eennccrryyppttiioonn
You can ENFORCE the use of TLS, so that the Postfix SMTP client will not
deliver mail over unencrypted connections. In this mode, the remote SMTP server
hostname must match the information in the remote server certificate, and the
@ -652,21 +666,22 @@ client. If the remote server certificate doesn't verify or the remote SMTP
server hostname doesn't match, and no other server is available, the delivery
attempt is deferred and the mail stays in the queue.
The remote SMTP server hostname used in the check is beyond question, as it
must be the principal hostname (no CNAME allowed here). Checks are performed
against all names provided as dNSNames in the SubjectAlternativeName. If no
dNSNames are specified, the CommonName is checked. The behavior may be changed
with the smtp_tls_enforce_peername option which is discussed below.
The remote SMTP server hostname is verified against all names provided as
dNSNames in the SubjectAlternativeName. If no dNSNames are specified, the
CommonName is checked. Verification may be turned off with the
smtp_tls_enforce_peername option which is discussed below.
This option is useful only if you know that you will only connect to servers
that support RFC 2487 _and_ that present server certificates that meet the
above requirements. An example would be a client only sends email to one
Enforcing the use of TLS is useful if you know that you will only connect to
servers that support RFC 2487 _and_ that present server certificates that meet
the above requirements. An example would be a client only sends email to one
specific mailhub that offers the necessary STARTTLS support.
Example:
/etc/postfix/main.cf:
smtp_enforce_tls = no
smtp_enforce_tls = yes
DDiissaabblliinngg sseerrvveerr cceerrttiiffiiccaattee vveerriiffiiccaattiioonn
As of RFC 2487 the requirements for hostname checking for MTA clients are not
set. When TLS is required (smtp_enforce_tls = yes), the option
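Review bot: dropping "it must be the principal hostname (no CNAME allowed here)" leaves this section silent about where the verified hostname comes from, while the same commit introduces smtp_cname_overrides_servername with a backwards-compatible default of "yes" (see the HISTORY hunk), meaning a CNAME-expanded name is still used by default. Suggest a one-line cross-reference here to that parameter and to the "Closing a DNS loophole" section. The example correction from "smtp_enforce_tls = no" to "smtp_enforce_tls = yes" is right; the old value contradicted the section title.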
@ -674,79 +689,140 @@ smtp_tls_enforce_peername can be set to "no" to disable strict remote SMTP
server hostname checking. In this case, the mail delivery will proceed
regardless of the CommonName etc. listed in the certificate.
Note: the smtp_tls_enforce_peername setting has no effect on sessions that are
controlled via the smtp_tls_per_site table.
Disabling the remote SMTP server hostname verification can make sense in closed
environment where special CAs are created. If not used carefully, this option
opens the danger of a "man-in-the-middle" attack (the CommonName of this
possible attacker is logged).
Despite the potential for eliminating "man-in-the-middle" and other attacks,
mandatory certificate/peername verification is not viable as a default Internet
mail delivery policy at this time. A significant fraction of TLS enabled MTAs
uses self-signed certificates, or certificates that are signed by a private
certificate authority. On a machine that delivers mail to the Internet, if you
set smtp_enforce_tls = yes, you should probably also set
smtp_tls_enforce_peername = no. You can use the per-site TLS policies (see
below) to enable full peer verification for specific destinations that are
known to have verifiable TLS server certificates.
Example:
/etc/postfix/main.cf:
smtp_tls_enforce_peername = yes
smtp_enforce_tls = yes
smtp_tls_enforce_peername = no
Generally, trying TLS can be a bad idea, as some servers offer STARTTLS but the
negotiation will fail leading to unexplainable failures. Instead, it may be a
good idea to choose the TLS usage policy based on the recipient or the mailhub
to which you are connecting.
PPeerr--ssiittee TTLLSS ppoolliicciieess
Deciding the TLS usage policy per recipient may be difficult, since a single
email delivery attempt can involve several recipients. Instead, use of TLS is
controlled by the Postfix next-hop destination domain name and by the remote
SMTP server hostname. If either of these matches an entry in the
smtp_tls_per_site table, appropriate action is taken.
A small fraction of servers offer STARTTLS but the negotiation consistently
fails, leading to mail aging out of the queue and bouncing back to the sender.
In such cases, you can use the per-site policies to disable TLS for the problem
sites. Alternatively, you can enable TLS for just a few specific sites and not
enable it for all sites.
The remote SMTP server hostname is simply the DNS name of the server that the
Postfix SMTP client connects to. The next-hop destination is Postfix specific.
By default, this is the domain name in the recipient address, but this
information can be overruled by the transport(5) table or by the relayhost
parameter setting. In these cases the relayhost etc. must be listed in the
smtp_tls_per_site table, instead of the recipient domain name.
The smtp_tls_per_site table is searched for a policy that matches the following
information:
Format of the table: domain or host names are specified on the left-hand side;
no wildcards are allowed. On the right hand side specify one of the following
keywords:
remote SMTP server hostname
This is simply the DNS name of the server that the Postfix SMTP client
connects to; this name may be obtained from other DNS lookups, such as
MX lookups or CNAME lookups.
next-hop destination
This is normally the domain portion of the recipient address, but it
may be overruled by information from the transport(5) table, from the
relayhost parameter setting, or from the relay_transport setting. When
it's not the recipient domain, the next-hop destination can have the
Postfix-specific form "[name]", [name]:port", "name" or "name:port".
When both the hostname lookup and the next-hop lookup succeed, the host policy
does not automatically override the next-hop policy. Instead, precedence is
given to either the more specific or the more secure per-site policy as
described below.
The smtp_tls_per_site table uses a simple "name whitespace value" format.
Specify host names or next-hop destinations on the left-hand side; no wildcards
are allowed. On the right hand side specify one of the following keywords:
NONE
Don't use TLS at all.
Don't use TLS at all. This overrides a less specific MMAAYY lookup result
from the alternate host or next-hop lookup key, and overrides the
global smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername
settings.
MAY
Try to use STARTTLS if offered, otherwise use the unencrypted
connection.
Try to use TLS if the server announces support, otherwise use the
unencrypted connection. This has less precedence than a more specific
result (including NNOONNEE) from the alternate host or next-hop lookup key,
and has less precedence than the more specific global "smtp_enforce_tls
= yes" or "smtp_tls_enforce_peername = yes".
MUST_NOPEERMATCH
Require TLS encryption, but do not require that the remote SMTP server
hostname matches the information in the remote SMTP server certificate,
or that the server certificate was issued by a trusted CA. This
overrides a less secure NNOONNEE or a less specific MMAAYY lookup result from
the alternate host or next-hop lookup key, and overrides the global
smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername settings.
MUST
Require usage of STARTTLS, require that the remote SMTP server hostname
Require TLS encryption, require that the remote SMTP server hostname
matches the information in the remote SMTP server certificate, and
require that the remote SMTP server certificate was issued by a trusted
CA.
MUST_NOPEERMATCH
Require usage of STARTTLS, but do not require that the remote SMTP
server hostname matches the information in the remote SMTP server
certificate, or that the server certificate was issued by a trusted CA.
CA. This overrides a less secure NNOONNEE and MMUUSSTT__NNOOPPEEEERRMMAATTCCHH or a less
specific MMAAYY lookup result from the alternate host or next-hop lookup
key, and overrides the global smtp_use_tls, smtp_enforce_tls and
smtp_tls_enforce_peername settings.
The actual TLS usage policy depends not only on whether the next-hop
destination or remote SMTP server hostname are found in the smtp_tls_per_site
table, but also on the smtp_enforce_tls setting:
The precedences between global (main.cf) and per-site TLS policies can be
summarized as follows:
* If no match was found, the policy is applied as specified with
smtp_enforce_tls.
* When neither the remote SMTP server hostname nor the next-hop destination
are found in the smtp_tls_per_site table, the policy is based on
smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername. Note:
"smtp_enforce_tls = yes" and "smtp_tls_enforce_peername = yes" imply
"smtp_use_tls = yes".
* If a match was found, and the smtp_enforce_tls policy is "enforce", NONE
explicitly switches it off; otherwise the "enforce" mode is used even for
entries that specify MAY.
* When both hostname and next-hop destination lookups produce a result, the
more specific per-site policy (NONE, MUST, etc) overrides the less specific
one (MAY), and the more secure per-site policy (MUST, etc) overrides the
less secure one (NONE).
Special hint for TLS enforcement mode: since no secure DNS lookup mechanism is
available, mail can be delivered to the wrong remote SMTP server. This is not
prevented by specifying MUST for the next-hop domain name. The recommended
setup is: specify local transport(5) table entries for sensitive domains with
explicit smtp:[mailhost] destinations (since you can assure security of this
table unlike DNS), then specify MUST for these mail hosts in the
smtp_tls_per_site table.
* After the per-site policy lookups are combined, the result generally
overrides the global policy. The exception is the less specific MMAAYY per-
site policy, which is overruled by the more specific global
"smtp_enforce_tls = yes" with server certificate verification as specified
with the smtp_tls_enforce_peername parameter.
CClloossiinngg aa DDNNSS lloooopphhoollee wwiitthh ppeerr--ssiittee TTLLSS ppoolliicciieess
As long as no secure DNS lookup mechanism is available, false hostnames in MX
or CNAME responses can change the server hostname that Postfix uses for TLS
policy lookup and server certificate verification. Even with a perfect match
between the server hostname and the server certificate, there is no guarantee
that Postfix is connected to the right server. To avoid this loophole take the
following steps:
* Eliminate MX lookups. Specify local transport(5) table entries for
sensitive domains with explicit smtp:[mailhost] or smtp:[mailhost]:port
destinations (you can assure security of this table unlike DNS); in the
smtp_tls_per_site table specify the value MMUUSSTT for the key [mailhost] or
smtp:[mailhost]:port. This prevents false hostname information in DNS MX
records from changing the server hostname that Postfix uses for TLS policy
lookup and server certificate verification.
* Disallow CNAME hostname overrides. In main.cf specify
"smtp_cname_overrides_servername = no". This prevents false hostname
information in DNS CNAME records from changing the server hostname that
Postfix uses for TLS policy lookup and server certificate verification.
This feature requires Postfix 2.2.9 or later.
Example:
/etc/postfix/main.cf:
smtp_tls_per_site = hash:/etc/postfix/tls_per_site
relayhost = [msa.example.net]:587
/etc/postfix/tls_per_site:
# relayhost exact nexthop match
[msa.example.net]:587 MUST
# TLS should not be used with the example.org MX hosts.
example.org NONE
# TLS should not be used with the host smtp.example.com.
smtp.example.com NONE
DDiissccoovveerriinngg sseerrvveerrss tthhaatt ssuuppppoorrtt TTLLSS
As we decide on a "per site" basis whether or not to use TLS, it would be good
to have a list of sites that offered "STARTTLS". We can collect it ourselves
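Review bot: the key form in the "Eliminate MX lookups" bullet does not match the rest of the section: it tells the reader to specify MUST "for the key [mailhost] or smtp:[mailhost]:port", but the next-hop forms listed earlier are "[name]", "[name]:port", "name" or "name:port" (no transport prefix), and the example that follows correctly uses "[msa.example.net]:587 MUST". Change it to "[mailhost] or [mailhost]:port". In the same hunk, the list of next-hop forms has an unbalanced quote (`[name]:port"`).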
@ -763,7 +839,7 @@ Example:
/etc/postfix/main.cf:
smtp_tls_note_starttls_offer = yes
SSeerrvveerr cceerrttiiffiiccaattee vveerriiffiiccaattiioonn
SSeerrvveerr cceerrttiiffiiccaattee vveerriiffiiccaattiioonn ddeepptthh
When verifying a remote SMTP server certificate, a verification depth of 1 is
sufficient if the certificate is directly issued by a CA specified with
@ -1012,10 +1088,25 @@ J
and in order to access the TLS session cache databases. Such a protocol
cannot be run across fifos.
* smtp_tls_per_site: the MUST_NOPEERMATCH per-site policy cannot override the
global "smtp_tls_enforce_peername = yes" setting.
* smtp_tls_per_site: a combined (NONE + MAY) lookup result for (hostname and
next-hop destination) produces counter-intuitive results for different
main.cf settings. TLS is enabled with "smtp_tls_enforce_peername = no", but
it is disabled when both "smtp_enforce_tls = yes" and
"smtp_tls_enforce_peername = yes".
The smtp_tls_per_site limitations were removed by the end of the Postfix 2.2
support cycle.
CCrreeddiittss
* TLS support for Postfix was originally developed by Lutz Jänicke at Cottbus
Technical University.
* Wietse Venema adopted the code, did some restructuring, and compiled this
part of the documentation from Lutz's documents.
* Victor Duchovni was instrumental with the re-implementation of the
smtp_tls_per_site code in terms of enforcement levels, which simplified the
implementation greatly.
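Review bot: the two new smtp_tls_per_site limitations (MUST_NOPEERMATCH not overriding "smtp_tls_enforce_peername = yes", and the counter-intuitive NONE + MAY result) are the same problems that this commit's HISTORY entries dated 20060121 record as fixed, yet "were removed by the end of the Postfix 2.2 support cycle" does not tell a reader which release has the fix. State the version ("fixed in Postfix 2.2.9") so that an administrator running 2.2.8 or earlier can tell that the limitations still apply.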

View File

@ -68,7 +68,7 @@ available. You already know that <a href="qmgr.8.html">oqmgr(8)</a> uses round-
while <a href="qmgr.8.html">qmgr(8)</a> uses simple FIFO, except for some preemptive magic.
The <a href="postconf.5.html">postconf(5)</a> manual documents all the knobs the user
can use to control this preemptive magic - there is nothing else
to the preemption than the quite simple conditions described below.
to the preemption than the quite simple conditions described in there.
</p>
<p> As for programmer-level documentation, this will have to be

View File

@ -129,6 +129,11 @@ the <tt>make(1)</tt> files with the necessary definitions. This is
done by invoking the command "<tt>make makefiles</tt>" in the Postfix
top-level directory and with arguments as shown next. </p>
<p> <b> NOTE: Do not use Gnu TLS. It will spontaneously terminate
a Postfix daemon process with exit status code 2, instead of allowing
Postfix to 1) report the error to the maillog file, and to 2) provide
plaintext service where this is appropriate. </b> </p>
<ul>
<li> <p> If the OpenSSL include files (such as <tt>ssl.h</tt>) are
@ -553,7 +558,8 @@ can specify any database type that can store objects of several
kbytes and that supports the sequence operator. DBM databases are
not suitable because they can only store small objects. The cache
is maintained by the <a href="tlsmgr.8.html">tlsmgr(8)</a> process, so there is no problem with
concurrent access. </p>
concurrent access. Session caching is highly recommended, because
the cost of repeatedly negotiating TLS session keys is high.</p>
<p> Example: </p>
@ -632,7 +638,7 @@ certificate must no longer be used (e.g. an employee leaving). </p>
<p> The Postfix list manipulation routines give special treatment
to whitespace and some other characters, making the use of certificate
names unpractical. Instead we use the certificate fingerprints as
names impractical. Instead we use the certificate fingerprints as
they are difficult to fake but easy to use for lookup. Postfix
lookup tables are in the form of (key, value) pairs. Since we only
need the key, the value can be chosen freely, e.g. the name of
@ -725,9 +731,23 @@ key configuration </a>
<li><a href="#client_tls_cache">Client-side TLS session cache</a>
<li><a href="#client_tls"> Enabling TLS in the Postfix SMTP client </a>
<li><a href="#client_tls_enable"> Enabling TLS in the Postfix SMTP client </a>
<li><a href="#client_vrfy_server">Server certificate verification</a>
<li><a href="#client_tls_require"> Requiring TLS encryption </a>
<li><a href="#client_tls_nopeer"> Disabling server certificate verification </a>
<li><a href="#client_tls_per_site"> Per-site TLS policies </a>
<!--
<li><a href="#client_tls_obs"> Obsolete per-site TLS policy support </a>
-->
<li><a href="#client_tls_harden"> Closing a DNS loophole with <!-- legacy --> per-site TLS policies </a>
<li><a href="#client_tls_discover"> Discovering servers that support TLS </a>
<li><a href="#client_vrfy_server">Server certificate verification depth</a>
<li> <a href="#client_cipher">Client-side cipher controls </a>
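Review bot: the table of contents now ships commented-out HTML: the "#client_tls_obs" list item is wrapped in "<!-- -->" and the "#client_tls_harden" link text contains an inline "<!-- legacy -->". Together with the "<!-- insert new-style TLS policy mechanism here" marker further down this file, these read as work in progress; either remove them before merging or add a comment saying they are placeholders for the new-style policy mechanism that marker names. Also, the "#client_vrfy_server" anchor is reused for the renamed "Server certificate verification depth" entry; make sure the <a name="client_vrfy_server"> heading text was renamed to match, as the README copy's heading was.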
@ -787,7 +807,7 @@ the overhead of the TLS exchange. </p>
certificates issued by these CAs, append the root certificate to
$<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> or install it in the $<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> directory. When
you configure trust in a root CA, it is not necessary to explicitly trust
intermediary CAs signed by the root CA, unless $smtp_tls_verify_depth
intermediary CAs signed by the root CA, unless $<a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a>
is less than the number of CAs in the certificate chain for the servers
of interest. With a verify depth of 1 you can only verify certificates
directly signed by a trusted CA, and all trusted intermediary CAs need to
@ -904,7 +924,10 @@ can specify any database type that can store objects of several
kbytes and that supports the sequence operator. DBM databases are
not suitable because they can only store small objects. The cache
is maintained by the <a href="tlsmgr.8.html">tlsmgr(8)</a> process, so there is no problem with
concurrent access. </p>
concurrent access. Session caching is highly recommended, because
the cost of repeatedly negotiating TLS session keys is high. Future
Postfix SMTP servers may limit the number of sessions that a client
is allowed to negotiate per unit time.</p>
<p> Example: </p>
@ -930,24 +953,19 @@ recommends a maximum of 24 hours. </p>
</pre>
</blockquote>
<h3><a name="client_tls"> Enabling TLS in the Postfix SMTP client </a>
</h3>
<h3><a name="client_tls_enable"> Enabling TLS in the Postfix SMTP
client </a> </h3>
<p> By default, TLS is disabled in the Postfix SMTP client, so no
difference to plain Postfix is visible. If you enable TLS, the
Postfix SMTP client will send STARTTLS when TLS support is announced
by the remote SMTP server. </p>
<p> WARNING: MS Exchange servers will announce STARTTLS support
even when the service is not configured, so that the TLS handshake
will fail. It may be wise to not use this option on your central
mail hub, as you don't know in advance whether you are going to
connect to such a host. Instead, use the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a>
recipient/site specific options that are described below. </p>
<p> When the TLS handshake fails and no other server is available,
the Postfix SMTP client defers the delivery attempt, and the mail
stays in the queue. </p>
<p> When the server accepts the STARTTLS command, but the subsequent
TLS handshake fails, and no other server is available, the Postfix SMTP
client defers the delivery attempt, and the mail stays in the queue. After
a handshake failure, the communications channel is in an indeterminate
state and cannot be used for non-TLS deliveries. </p>
<p> Example: </p>
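Review bot: renaming the heading anchor from "client_tls" to "client_tls_enable" breaks existing bookmarks and external links to "#client_tls", because the old name is removed rather than kept. Either add an empty <a name="client_tls"></a> beside the new heading or keep the old name and change only the table-of-contents link. The replacement paragraph itself is an improvement: it states exactly when delivery is deferred (STARTTLS accepted, handshake fails, no other server available) and why the channel cannot be reused for a non-TLS delivery.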
@ -958,6 +976,9 @@ stays in the queue. </p>
</pre>
</blockquote>
<h3><a name="client_tls_require"> Requiring TLS encryption </a>
</h3>
<p> You can ENFORCE the use of TLS, so that the Postfix SMTP client
will not deliver mail over unencrypted connections. In this mode,
the remote SMTP server hostname must match the information in the
@ -967,14 +988,14 @@ server certificate doesn't verify or the remote SMTP server hostname
doesn't match, and no other server is available, the delivery
attempt is deferred and the mail stays in the queue. </p>
<p> The remote SMTP server hostname used in the check is beyond
question, as it must be the principal hostname (no CNAME allowed
here). Checks are performed against all names provided as dNSNames
<p> The remote SMTP server hostname is verified against all names
provided as dNSNames
in the SubjectAlternativeName. If no dNSNames are specified, the
CommonName is checked. The behavior may be changed with the
CommonName is checked. Verification may be turned off with the
<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> option which is discussed below. </p>
<p> This option is useful only if you know that you will only
<p> Enforcing the use of TLS is useful if you know that you will
only
connect to servers that support <a href="http://www.faqs.org/rfcs/rfc2487.html">RFC 2487</a> _and_ that present server
certificates that meet the above requirements. An example would
be a client only sends email to one specific mailhub that offers
@ -985,10 +1006,13 @@ the necessary STARTTLS support. </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = no
<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes
</pre>
</blockquote>
<h3> <a name="client_tls_nopeer"> Disabling server certificate
verification </a> </h3>
<p> As of <a href="http://www.faqs.org/rfcs/rfc2487.html">RFC 2487</a> the requirements for hostname checking for MTA
clients are not set. When TLS is required (<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes),
the option <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> can be set to "no" to disable
@ -996,106 +1020,200 @@ strict remote SMTP server hostname checking. In this case, the mail
delivery will proceed regardless of the CommonName etc. listed in
the certificate. </p>
<p> Note: the <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> setting has no effect on
sessions that are controlled via the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table. </p>
<p> Disabling the remote SMTP server hostname verification can
make sense in closed environment where special CAs are created.
If not used carefully, this option opens the danger of a
"man-in-the-middle" attack (the CommonName of this possible attacker
is logged). </p>
<p> Despite the potential for eliminating "man-in-the-middle" and
other attacks, mandatory certificate/peername verification is not
viable as a default Internet mail delivery policy at this time. A
significant fraction of TLS enabled MTAs uses self-signed certificates,
or certificates that are signed by a private certificate authority.
On a machine that delivers mail to the Internet, if you set
<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes, you should probably also set
<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = no. You can use the per-site TLS
policies (see below) to enable full peer verification for specific
destinations that are known to have verifiable TLS server certificates.
</p>
<p> Example: </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = yes
<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes
<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = no
</pre>
</blockquote>
<p> Generally, trying TLS can be a bad idea, as some servers offer
STARTTLS but the negotiation will fail leading to unexplainable
failures. Instead, it may be a good idea to choose the TLS usage
policy based on the recipient or the mailhub to which you are
connecting. </p>
<h3> <a name="client_tls_per_site"> Per-site TLS policies </a> </h3>
<p> Deciding the TLS usage policy per recipient may be difficult,
since a single email delivery attempt can involve several recipients.
Instead, use of TLS is controlled by the Postfix next-hop destination
domain name and by the remote SMTP server hostname. If either of these
matches an entry in the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table, appropriate action
is taken. </p>
<p> A small fraction of servers offer STARTTLS but the negotiation
consistently fails, leading to mail aging out of the queue and
bouncing back to the sender. In such cases, you can use the per-site
policies to disable TLS for the problem sites. Alternatively, you
can enable TLS for just a few specific sites and not enable it for
all sites. </p>
<p> The remote SMTP server hostname is simply the DNS name of the
server that the Postfix SMTP client connects to. The next-hop
destination is Postfix specific. By default, this is the domain
name in the recipient address, but this information can be overruled
by the <a href="transport.5.html">transport(5)</a> table or by the <a href="postconf.5.html#relayhost">relayhost</a> parameter setting.
In these cases the <a href="postconf.5.html#relayhost">relayhost</a> etc. must be listed in the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a>
table, instead of the recipient domain name. </p>
<!-- insert new-style TLS policy mechanism here
<p> Format of the table: domain or host names are specified on the
left-hand side; no wildcards are allowed. On the right hand side
specify one of the following keywords: </p>
<h3> <a name="client_tls_obs"> Obsolete per-site TLS policy support
</a> </h3>
<p> This section describes an obsolete per-site TLS policy mechanism.
Unlike the newer mechanism it supports TLS policy lookup by server
hostname, and lacks control over what names can appear in server
certificates. Because of this, the obsolete mechanism is vulnerable
to false DNS hostname information in MX or CNAME records. These
attacks can be eliminated only with great difficulty. </p>
-->
<p> The <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table is searched for a policy that matches
the following information: </p>
<blockquote>
<dl>
<dt> NONE </dt> <dd> Don't use TLS at all. </dd>
<dt> remote SMTP server hostname </dt> <dd> This is simply the DNS
name of the server that the Postfix SMTP client connects to; this
name may be obtained from other DNS lookups, such as MX lookups or
CNAME lookups. </dd>
<dt> MAY </dt> <dd> Try to use STARTTLS if offered, otherwise use
the unencrypted connection. </dd>
<dt> MUST </dt> <dd> Require usage of STARTTLS, require that the
remote SMTP server hostname matches the information in the remote
SMTP server certificate, and require that the remote SMTP server
certificate was issued by a trusted CA. </dd>
<dt> MUST_NOPEERMATCH </dt> <dd> Require usage of STARTTLS, but do
not require that the remote SMTP server hostname matches the
information in the remote SMTP server certificate, or that the
server certificate was issued by a trusted CA. </dd>
<dt> next-hop destination </dt> <dd> This is normally the domain
portion of the recipient address, but it may be overruled by
information from the <a href="transport.5.html">transport(5)</a> table, from the <a href="postconf.5.html#relayhost">relayhost</a> parameter
setting, or from the <a href="postconf.5.html#relay_transport">relay_transport</a> setting. When it's not the
recipient domain, the next-hop destination can have the Postfix-specific
form "<tt>[name]</tt>", <tt>[name]:port</tt>", "<tt>name</tt>" or
"<tt>name:port</tt>". </dd>
</dl>
</blockquote>
<p> The actual TLS usage policy depends not only on whether the
next-hop destination or remote SMTP server hostname are found in
the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table, but also on the <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>
setting: </p>
<p> When both the hostname lookup and the next-hop lookup succeed,
the host policy does not automatically override the next-hop policy.
Instead, precedence is given to either the more specific or the
more secure per-site policy as described below. </p>
<p> The <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table uses a simple "<i>name whitespace
value</i>" format. Specify host names or next-hop destinations on
the left-hand side; no wildcards are allowed. On the right hand
side specify one of the following keywords: </p>
<blockquote>
<dl>
<dt> NONE </dt> <dd> Don't use TLS at all. This overrides a less
specific <b>MAY</b> lookup result from the alternate host or next-hop
lookup key, and overrides the global <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>,
and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> settings. </dd>
<dt> MAY </dt> <dd> Try to use TLS if the server announces support,
otherwise use the unencrypted connection. This has less precedence
than a more specific result (including <b>NONE</b>) from the alternate
host or next-hop lookup key, and has less precedence than the more
specific global "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" or "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>
= yes". </dd>
<dt> MUST_NOPEERMATCH </dt> <dd> Require TLS encryption, but do not
require that the remote SMTP server hostname matches the information
in the remote SMTP server certificate, or that the server certificate
was issued by a trusted CA. This overrides a less secure <b>NONE</b>
or a less specific <b>MAY</b> lookup result from the alternate host
or next-hop lookup key, and overrides the global <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>,
<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> settings. </dd>
<dt> MUST </dt> <dd> Require TLS encryption, require that the remote
SMTP server hostname matches the information in the remote SMTP
server certificate, and require that the remote SMTP server certificate
was issued by a trusted CA. This overrides a less secure <b>NONE</b>
and <b>MUST_NOPEERMATCH</b> or a less specific <b>MAY</b> lookup
result from the alternate host or next-hop lookup key, and overrides
the global <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>
settings. </dd>
</dl>
</blockquote>
<p> The precedences between global (main.cf) and per-site TLS
policies can be summarized as follows: </p>
<ul>
<li> <p> If no match was found, the policy is applied as specified
with <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>. </p>
<li> <p> When neither the remote SMTP server hostname nor the
next-hop destination are found in the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table, the
policy is based on <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> and
<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>. Note: "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" and
"<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = yes" imply "<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> = yes". </p>
<li> <p> If a match was found, and the <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> policy is
"enforce", NONE explicitly switches it off; otherwise the "enforce"
mode is used even for entries that specify MAY. </p>
<li> <p> When both hostname and next-hop destination lookups produce
a result, the more specific per-site policy (NONE, MUST, etc)
overrides the less specific one (MAY), and the more secure per-site
policy (MUST, etc) overrides the less secure one (NONE). </p>
<li> <p> After the per-site policy lookups are combined, the result
generally overrides the global policy. The exception is the less
specific <b>MAY</b> per-site policy, which is overruled by the more
specific global "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" with server certificate
verification as specified with the <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>
parameter. </p>
</ul>
<p> Special hint for TLS enforcement mode: since no secure DNS
lookup mechanism is available, mail can be delivered to the wrong
remote SMTP server. This is not prevented by specifying MUST for
the next-hop domain name. The recommended setup is: specify local
<a href="transport.5.html">transport(5)</a> table entries for sensitive domains with explicit
<a href="smtp.8.html">smtp</a>:[mailhost] destinations (since you can assure security of this
table unlike DNS), then specify MUST for these mail hosts in the
<a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table. </p>
<h3> <a name="client_tls_harden"> Closing a DNS loophole with
<!-- legacy --> per-site TLS policies </a> </h3>
<p> As long as no secure DNS lookup mechanism is available, false
hostnames in MX or CNAME responses can change the server hostname
that Postfix uses for TLS policy lookup and server certificate
verification. Even with a perfect match between the server hostname
and the server certificate, there is no guarantee that Postfix is
connected to the right server. To avoid this loophole take the
following steps: </p>
<ul>
<li> <p> Eliminate MX lookups. Specify local <a href="transport.5.html">transport(5)</a> table
entries for sensitive domains with explicit <a href="smtp.8.html">smtp</a>:[<i>mailhost</i>]
or <a href="smtp.8.html">smtp</a>:[<i>mailhost</i>]:<i>port</i> destinations (you can assure
security of this table unlike DNS); in the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table
specify the value <b>MUST</b> for the key [<i>mailhost</i>] or
<a href="smtp.8.html">smtp</a>:[<i>mailhost</i>]:<i>port</i>. This prevents false hostname
information in DNS MX records from changing the server hostname
that Postfix uses for TLS policy lookup and server certificate
verification. </p>
<li> <p> Disallow CNAME hostname overrides. In main.cf specify
"<a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a> = no". This prevents false hostname
information in DNS CNAME records from changing the server hostname
that Postfix uses for TLS policy lookup and server certificate
verification. This feature requires Postfix 2.2.9 or later. </p>
</ul>
<p> Example: </p>
<blockquote>
<pre>
<blockquote> <pre>
/etc/postfix/main.cf:
<a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> = hash:/etc/postfix/tls_per_site
<a href="postconf.5.html#relayhost">relayhost</a> = [msa.example.net]:587
/etc/postfix/tls_per_site:
# <a href="postconf.5.html#relayhost">relayhost</a> exact nexthop match
[msa.example.net]:587 MUST
# TLS should not be used with the <i>example.org</i> MX hosts.
example.org NONE
# TLS should not be used with the host <i>smtp.example.com</i>.
smtp.example.com NONE
</pre>
</blockquote>
<h3> <a name="client_tls_discover"> Discovering servers that support
TLS </a> </h3>
<p> As we decide on a "per site" basis whether or not to use TLS,
it would be good to have a list of sites that offered "STARTTLS".
We can collect it ourselves with this option. </p>
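Review bot: the lookup-key advice in the "Eliminate MX lookups" step contradicts the example that follows it. The step says to give MUST for the key `[mailhost]` or `smtp:[mailhost]:port`, but the `smtp:` transport prefix belongs in the transport(5) entry, not in the smtp_tls_per_site key, and the example correctly uses the bare next-hop form `[msa.example.net]:587 MUST`; change the second key form to `[mailhost]:port`, otherwise an operator who copies the text literally gets no match and falls back to the weaker global policy. Two smaller points in the same hunk: the `<!-- insert new-style TLS policy mechanism here ... -->` comment, with its unfinished "Format of the table" paragraph and an "Obsolete per-site TLS policy support" heading that calls the documented mechanism vulnerable to false MX or CNAME data, ships inside the rendered HTML while the visible text still presents smtp_tls_per_site as the mechanism to use; either finish that section or drop the comment. And the first main.cf example now shows `smtp_tls_enforce_peername` set to both yes and no within one block; whichever line is the surviving one, only `smtp_tls_enforce_peername = no` should remain there, since that is what the surrounding text recommends for Internet delivery.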
@ -1119,7 +1237,7 @@ postfix/smtp[pid]: Host offered STARTTLS: [hostname.example.com]
</pre>
</blockquote>
<h3><a name="client_vrfy_server">Server certificate verification</a> </h3>
<h3><a name="client_vrfy_server">Server certificate verification depth</a> </h3>
<p> When verifying a remote SMTP server certificate, a verification
depth of 1 is sufficient if the certificate is directly issued by
@ -1376,7 +1494,7 @@ super-user privileges. </p>
</blockquote>
<li> <p> Configure Postfix, by adding the following to
<tt>/etc/postfix/main.cf</tt>. </p>
<tt>/etc/postfix/main.cf </tt>. </p>
<blockquote>
<pre>
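Review bot: the only change in this hunk is a trailing space inside `<tt>/etc/postfix/main.cf </tt>`, which renders as "main.cf ." with a gap before the period; this looks accidental and should be reverted.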
@ -1443,8 +1561,22 @@ protocol in order to access the <a href="tlsmgr.8.html">tlsmgr(8)</a> pseudo-ran
generation (PRNG) pool, and in order to access the TLS session
cache databases. Such a protocol cannot be run across fifos. </p>
<li> <p> <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a>: the MUST_NOPEERMATCH per-site policy
cannot override the global "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = yes" setting.
</p>
<li> <p> <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a>: a combined (NONE + MAY) lookup result
for (hostname and next-hop destination) produces counter-intuitive
results for different main.cf settings. TLS is enabled with
"<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = no", but it is disabled when both
"<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" and "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = yes".
</p>
</ul>
<p> The <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> limitations were removed by the end of
the Postfix 2.2 support cycle. </p>
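Review bot: the two new smtp_tls_per_site bullets describe behaviour that the closing sentence says was removed "by the end of the Postfix 2.2 support cycle", so a reader of this 2.2.9 document cannot tell whether either limitation still applies to the release they are running. Name the release in which each was fixed and word the bullets in the past tense ("in releases before ..., the MUST_NOPEERMATCH per-site policy could not override ..."). As written, an operator may still set `smtp_tls_enforce_peername = no` globally to work around the first limitation, which weakens certificate verification for every destination that has no per-site entry, for a problem that no longer exists.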
<h2><a name="credits">Credits </a> </h2>
<ul>
@ -1455,6 +1587,10 @@ J&auml;nicke at Cottbus Technical University.
<li> Wietse Venema adopted the code, did some restructuring, and
compiled this part of the documentation from Lutz's documents.
<li> Victor Duchovni was instrumental with the re-implementation
of the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> code in terms of enforcement levels, which
simplified the implementation greatly.
</ul>
</body>

@ -3352,7 +3352,7 @@ is suitable for, e.g., pop-before-smtp lookup tables. </dd>
<p> Examples: </p>
<p> The Postfix < 2.2 backwards compatible setting: always rewrite
<p> The Postfix &lt; 2.2 backwards compatible setting: always rewrite
message headers, and always append my own domain to incomplete
header addresses. </p>
@ -5765,6 +5765,21 @@ IP hosting, but can be a problem on multi-homed firewalls. See the
but this form is not recommended here. </p>
</DD>
<DT><b><a name="smtp_cname_overrides_servername">smtp_cname_overrides_servername</a>
(default: yes)</b></DT><DD>
<p> Allow DNS CNAME records to override the servername that the
Postfix SMTP client uses for logging, SASL password lookup, TLS
policy decisions, or TLS certificate verification. The default value
(yes) is backwards compatible. Specify "no" to harden Postfix 2.2
<a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> hostname-based policies against false hostname
information in DNS CNAME records. </p>
<p> This feature is available in Postfix 2.2.9 and later. </p>
</DD>
<DT><b><a name="smtp_connect_timeout">smtp_connect_timeout</a>
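Review bot: the hardening advice in the new entry is incomplete on its own. It says that "no" hardens hostname-based smtp_tls_per_site policies against false CNAME data, but the server hostname is still obtained from MX lookups, which the smtp_tls_per_site entry in this same change says must be suppressed with explicit `[mailhost]` next-hop entries; cross-reference that step here so nobody flips this one switch and assumes hostname-keyed MUST policies are now safe. Also state the migration impact: the entry itself says the same servername is the key for SASL password lookup and the name that appears in logging, so switching to "no" changes which smtp_sasl_password_maps entry matches for a relay reached through a CNAME, and entries keyed by the canonical name may stop matching and break authentication to that relay.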
@ -6736,38 +6751,79 @@ postfix/smtp[pid]: Host offered STARTTLS: [name.of.host]
(default: empty)</b></DT><DD>
<p> Optional lookup tables with the Postfix SMTP client TLS usage
policy by next-hop domain name and by remote SMTP server hostname.
</p>
policy by next-hop destination and by remote SMTP server hostname.
When both lookups succeed, the more specific per-site policy (NONE,
MUST, etc) overrides the less specific one (MAY), and the more
secure per-site policy (MUST, etc) overrides the less secure one
(NONE). </p>
<p> Table format: domain names or server hostnames are specified
on the left-hand side; no wildcards are allowed. On the right hand
side specify one of the following keywords: </p>
<p> Specify a next-hop destination or server hostname on the left-hand
side; no wildcards are allowed. The next-hop destination is either
the recipient domain, or the destination specified with a <a href="transport.5.html">transport(5)</a>
table, the <a href="postconf.5.html#relayhost">relayhost</a> parameter, or the <a href="postconf.5.html#relay_transport">relay_transport</a> parameter.
On the right hand side specify one of the following keywords: </p>
<dl>
<dt> NONE </dt> <dd>Don't use TLS at all. </dd>
<dt> NONE </dt> <dd> Don't use TLS at all. This overrides a less
specific <b>MAY</b> lookup result from the alternate host or next-hop
lookup key, and overrides the global <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>,
and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> settings. </dd>
<dt> MAY </dt> <dd>Try to use STARTTLS if offered, otherwise use
the unencrypted connection. </dd>
<dt> MAY </dt> <dd> Try to use TLS if the server announces support,
otherwise use the unencrypted connection. This has less precedence
than a more specific result (including <b>NONE</b>) from the alternate
host or next-hop lookup key, and has less precedence than the more
specific global "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" or "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>
= yes". </dd>
<dt> MUST </dt> <dd>Require usage of STARTTLS, require that the
remote SMTP server hostname matches the information in the remote
SMTP server certificate, and require that the remote SMTP server
certificate was issued by a trusted CA. </dd>
<dt> MUST_NOPEERMATCH </dt> <dd> Require TLS encryption, but do not
require that the remote SMTP server hostname matches the information
in the remote SMTP server certificate, or that the server certificate
was issued by a trusted CA. This overrides a less secure <b>NONE</b>
or a less specific <b>MAY</b> lookup result from the alternate host
or next-hop lookup key, and overrides the global <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>,
<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> settings. </dd>
<dt> MUST_NOPEERMATCH </dt> <dd>Require usage of STARTTLS, but do
not require that the remote SMTP server hostname matches the
information in the remote SMTP server certificate, or that the
server certificate was issued by a trusted CA. </dd>
<dt> MUST </dt> <dd> Require TLS encryption, require that the remote
SMTP server hostname matches the information in the remote SMTP
server certificate, and require that the remote SMTP server certificate
was issued by a trusted CA. This overrides a less secure <b>NONE</b>
and <b>MUST_NOPEERMATCH</b> or a less specific <b>MAY</b> lookup
result from the alternate host or next-hop lookup key, and overrides
the global <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>
settings. </dd>
</dl>
<p> Special hint for enforcement mode: since no secure DNS lookup
mechanism is available, the recommended setup is: specify local
<a href="transport.5.html">transport(5)</a> table entries for sensitive domains with explicit
<a href="smtp.8.html">smtp</a>:[mailhost] destinations (since you can assure security of this
table unlike DNS), then specify MUST for these mail hosts in the
<a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table. </p>
<p> As long as no secure DNS lookup mechanism is available, false
hostnames in MX or CNAME responses can change the server hostname
that Postfix uses for TLS policy lookup and server certificate
verification. Even with a perfect match between the server hostname
and the server certificate, there is no guarantee that Postfix is
connected to the right server. To avoid this loophole take the
following steps: </p>
<ul>
<li> Disallow CNAME hostname overrides. In main.cf specify
"<a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a> = no". This prevents false hostname
information in DNS CNAME records from changing the server hostname
that Postfix uses for TLS policy lookup and server certificate
verification. This feature requires Postfix 2.2.9 or later.
<li> Eliminate MX lookups. Specify local <a href="transport.5.html">transport(5)</a> table entries
for sensitive domains with explicit <a href="smtp.8.html">smtp</a>:[mailhost] or <a href="smtp.8.html">smtp</a>:[mailhost]:port
destinations. This prevents false hostname information in DNS MX
records from changing the server hostname that Postfix uses for TLS
policy lookup and server certificate verification.
<li> Specify MUST for these mail hosts (including [ ] and port) in
the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table.
</ul>
<p> </p>
</DD>
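Review bot: the third step says to specify MUST "for these mail hosts (including [ ] and port)" but never shows the key; spell it out as `[mailhost]:port` so it cannot be confused with the `smtp:[mailhost]:port` transport form used in the step before it. The CNAME step should also state that it depends on the MX step: with only `smtp_cname_overrides_servername = no`, hostname keys are still fed by MX results, so the CNAME setting alone closes nothing. Finally, there is a stray empty `<p> </p>` before `</DD>` at the end of the entry; drop it.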

@ -99,8 +99,14 @@ SMTP(8) SMTP(8)
<b><a href="postconf.5.html#smtp_never_send_ehlo">smtp_never_send_ehlo</a> (no)</b>
Never send EHLO at the start of an SMTP session.
<b><a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a> (yes)</b>
Allow DNS CNAME records to override the servername
that the Postfix SMTP client uses for logging, SASL
password lookup, TLS policy decisions, or TLS cer-
tificate verification.
<b><a href="postconf.5.html#smtp_defer_if_no_mx_address_found">smtp_defer_if_no_mx_address_found</a> (no)</b>
Defer mail delivery when no MX record resolves to
Defer mail delivery when no MX record resolves to
an IP address.
<b><a href="postconf.5.html#smtp_line_length_limit">smtp_line_length_limit</a> (990)</b>
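Review bot: the new `smtp_cname_overrides_servername` entry is inserted between `smtp_never_send_ehlo` and `smtp_defer_if_no_mx_address_found`, in the block of parameters that carries no version qualifier, while this page uses "Available in Postfix version X and later:" subheadings for newer parameters and the postconf(5) entry in this change states that the feature requires 2.2.9. Move it under an "Available in Postfix version 2.2.9 and later:" subheading (or add that qualifier) so operators on earlier 2.2 releases do not set a parameter their smtp(8) does not understand.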
@ -108,17 +114,17 @@ SMTP(8) SMTP(8)
that Postfix will send via SMTP.
<b><a href="postconf.5.html#smtp_pix_workaround_delay_time">smtp_pix_workaround_delay_time</a> (10s)</b>
How long the Postfix SMTP client pauses before
How long the Postfix SMTP client pauses before
sending ".&lt;CR&gt;&lt;LF&gt;" in order to work around the PIX
firewall "&lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;" bug.
<b><a href="postconf.5.html#smtp_pix_workaround_threshold_time">smtp_pix_workaround_threshold_time</a> (500s)</b>
How long a message must be queued before the PIX
firewall "&lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;" bug workaround is
How long a message must be queued before the PIX
firewall "&lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;" bug workaround is
turned on.
<b><a href="postconf.5.html#smtp_quote_rfc821_envelope">smtp_quote_rfc821_envelope</a> (yes)</b>
Quote addresses in SMTP MAIL FROM and RCPT TO com-
Quote addresses in SMTP MAIL FROM and RCPT TO com-
mands as required by <a href="http://www.faqs.org/rfcs/rfc821.html">RFC 821</a>.
<b><a href="postconf.5.html#smtp_skip_5xx_greeting">smtp_skip_5xx_greeting</a> (yes)</b>
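Review bot: this hunk, and the smtp.8.html hunks that follow it, are whitespace-only re-justification of the formatter's output: each changed line differs from its predecessor only in the spacing between words. There is no content change, but the noise buries the one substantive edit in this file (the new `smtp_cname_overrides_servername` entry); regenerating the man page output with the same formatter settings as the previous commit would keep the diff reviewable.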
@ -126,7 +132,7 @@ SMTP(8) SMTP(8)
(go away, do not try again later).
<b><a href="postconf.5.html#smtp_skip_quit_response">smtp_skip_quit_response</a> (yes)</b>
Do not wait for the response to the SMTP QUIT com-
Do not wait for the response to the SMTP QUIT com-
mand.
Available in Postfix version 2.0 and earlier:
@ -138,21 +144,21 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtp_discard_ehlo_keyword_address_maps">smtp_discard_ehlo_keyword_address_maps</a> (empty)</b>
Lookup tables, indexed by the remote SMTP server
address, with case insensitive lists of EHLO key-
words (pipelining, starttls, auth, etc.) that the
Lookup tables, indexed by the remote SMTP server
address, with case insensitive lists of EHLO key-
words (pipelining, starttls, auth, etc.) that the
SMTP client will ignore in the EHLO response from a
remote SMTP server.
<b><a href="postconf.5.html#smtp_discard_ehlo_keywords">smtp_discard_ehlo_keywords</a> (empty)</b>
A case insensitive list of EHLO keywords (pipelin-
ing, starttls, auth, etc.) that the SMTP client
A case insensitive list of EHLO keywords (pipelin-
ing, starttls, auth, etc.) that the SMTP client
will ignore in the EHLO response from a remote SMTP
server.
<b><a href="postconf.5.html#smtp_generic_maps">smtp_generic_maps</a> (empty)</b>
Optional lookup tables that perform address rewrit-
ing in the SMTP client, typically to transform a
ing in the SMTP client, typically to transform a
locally valid address into a globally valid address
when sending mail across the Internet.
@ -160,7 +166,7 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.0 and later:
<b><a href="postconf.5.html#disable_mime_output_conversion">disable_mime_output_conversion</a> (no)</b>
Disable the conversion of 8BITMIME format to 7BIT
Disable the conversion of 8BITMIME format to 7BIT
format.
<b><a href="postconf.5.html#mime_boundary_length_limit">mime_boundary_length_limit</a> (2048)</b>
@ -175,110 +181,110 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtp_send_xforward_command">smtp_send_xforward_command</a> (no)</b>
Send the non-standard XFORWARD command when the
Postfix SMTP server EHLO response announces XFOR-
Send the non-standard XFORWARD command when the
Postfix SMTP server EHLO response announces XFOR-
WARD support.
<b>SASL AUTHENTICATION CONTROLS</b>
<b><a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> (no)</b>
Enable SASL authentication in the Postfix SMTP
Enable SASL authentication in the Postfix SMTP
client.
<b><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> (empty)</b>
Optional SMTP client lookup tables with one user-
name:password entry per remote hostname or domain.
Optional SMTP client lookup tables with one user-
name:password entry per remote hostname or domain.
<b><a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a> (noplaintext, noanonymous)</b>
What authentication mechanisms the Postfix SMTP
What authentication mechanisms the Postfix SMTP
client is allowed to use.
Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> (empty)</b>
If non-empty, a Postfix SMTP client filter for the
remote SMTP server's list of offered SASL mecha-
If non-empty, a Postfix SMTP client filter for the
remote SMTP server's list of offered SASL mecha-
nisms.
<b>STARTTLS SUPPORT CONTROLS</b>
Detailed information about STARTTLS configuration may be
Detailed information about STARTTLS configuration may be
found in the <a href="TLS_README.html">TLS_README</a> document.
<b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
Opportunistic mode: use TLS when a remote SMTP
server announces STARTTLS support, otherwise send
Opportunistic mode: use TLS when a remote SMTP
server announces STARTTLS support, otherwise send
the mail in the clear.
<b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
Enforcement mode: require that remote SMTP servers
use TLS encryption, and never send mail in the
Enforcement mode: require that remote SMTP servers
use TLS encryption, and never send mail in the
clear.
<b><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_secu</a>-</b>
<b><a href="postconf.5.html#smtp_sasl_security_options">rity_options</a>)</b>
The SASL authentication security options that the
Postfix SMTP client uses for TLS encrypted SMTP
The SASL authentication security options that the
Postfix SMTP client uses for TLS encrypted SMTP
sessions.
<b><a href="postconf.5.html#smtp_starttls_timeout">smtp_starttls_timeout</a> (300s)</b>
Time limit for Postfix SMTP client write and read
operations during TLS startup and shutdown hand-
Time limit for Postfix SMTP client write and read
operations during TLS startup and shutdown hand-
shake procedures.
<b><a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> (empty)</b>
The file with the certificate of the certification
authority (CA) that issued the Postfix SMTP client
The file with the certificate of the certification
authority (CA) that issued the Postfix SMTP client
certificate.
<b><a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> (empty)</b>
Directory with PEM format certificate authority
certificates that the Postfix SMTP client uses to
Directory with PEM format certificate authority
certificates that the Postfix SMTP client uses to
verify a remote SMTP server certificate.
<b><a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> (empty)</b>
File with the Postfix SMTP client RSA certificate
File with the Postfix SMTP client RSA certificate
in PEM format.
<b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
Controls the Postfix SMTP client TLS cipher selec-
Controls the Postfix SMTP client TLS cipher selec-
tion scheme.
<b><a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> (empty)</b>
File with the Postfix SMTP client DSA certificate
File with the Postfix SMTP client DSA certificate
in PEM format.
<b><a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> ($<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>)</b>
File with the Postfix SMTP client DSA private key
File with the Postfix SMTP client DSA private key
in PEM format.
<b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
When TLS encryption is enforced, require that the
When TLS encryption is enforced, require that the
remote SMTP server hostname matches the information
in the remote SMTP server certificate.
<b><a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a> ($<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>)</b>
File with the Postfix SMTP client RSA private key
File with the Postfix SMTP client RSA private key
in PEM format.
<b><a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> (0)</b>
Enable additional Postfix SMTP client logging of
Enable additional Postfix SMTP client logging of
TLS activity.
<b><a href="postconf.5.html#smtp_tls_note_starttls_offer">smtp_tls_note_starttls_offer</a> (no)</b>
Log the hostname of a remote SMTP server that
offers STARTTLS, when TLS is not already enabled
Log the hostname of a remote SMTP server that
offers STARTTLS, when TLS is not already enabled
for that server.
<b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
Optional lookup tables with the Postfix SMTP client
TLS usage policy by next-hop domain name and by
TLS usage policy by next-hop domain name and by
remote SMTP server hostname.
<b><a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> (5)</b>
The verification depth for remote SMTP server cer-
The verification depth for remote SMTP server cer-
tificates.
<b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b>
Name of the file containing the optional Postfix
Name of the file containing the optional Postfix
SMTP client TLS session cache.
<b><a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> (3600s)</b>
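Review bot: the `smtp_tls_per_site` summary still reads "TLS usage policy by next-hop domain name and by remote SMTP server hostname" although the postconf(5) text in this same change was reworded to "by next-hop destination and by remote SMTP server hostname" (the next-hop may be a `[mailhost]:port` form, not a domain name). The only change in these lines is spacing, so the man page was not regenerated from the updated parameter description; update it to match.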
@ -286,31 +292,31 @@ SMTP(8) SMTP(8)
sion cache information.
<b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b>
The number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a>
or <a href="smtpd.8.html"><b>smtpd</b>(8)</a> process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>
server in order to seed its internal pseudo random
The number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a>
or <a href="smtpd.8.html"><b>smtpd</b>(8)</a> process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>
server in order to seed its internal pseudo random
number generator (PRNG).
<b>RESOURCE AND RATE CONTROLS</b>
<b><a href="postconf.5.html#smtp_destination_concurrency_limit">smtp_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destina</a>-</b>
<b><a href="postconf.5.html#default_destination_concurrency_limit">tion_concurrency_limit</a>)</b>
The maximal number of parallel deliveries to the
same destination via the smtp message delivery
The maximal number of parallel deliveries to the
same destination via the smtp message delivery
transport.
<b><a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destina</a>-</b>
<b><a href="postconf.5.html#default_destination_recipient_limit">tion_recipient_limit</a>)</b>
The maximal number of recipients per delivery via
The maximal number of recipients per delivery via
the smtp message delivery transport.
<b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
The SMTP client time limit for completing a TCP
The SMTP client time limit for completing a TCP
connection, or zero (use the operating system
built-in time limit).
<b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
The SMTP client time limit for sending the HELO or
EHLO command, and for receiving the initial server
The SMTP client time limit for sending the HELO or
EHLO command, and for receiving the initial server
response.
<b><a href="postconf.5.html#smtp_xforward_timeout">smtp_xforward_timeout</a> (300s)</b>
@ -318,30 +324,30 @@ SMTP(8) SMTP(8)
command, and for receiving the server response.
<b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
The SMTP client time limit for sending the MAIL
FROM command, and for receiving the server
The SMTP client time limit for sending the MAIL
FROM command, and for receiving the server
response.
<b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
The SMTP client time limit for sending the SMTP
RCPT TO command, and for receiving the server
The SMTP client time limit for sending the SMTP
RCPT TO command, and for receiving the server
response.
<b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
The SMTP client time limit for sending the SMTP
DATA command, and for receiving the server
The SMTP client time limit for sending the SMTP
DATA command, and for receiving the server
response.
<b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
The SMTP client time limit for sending the SMTP
The SMTP client time limit for sending the SMTP
message content.
<b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
The SMTP client time limit for sending the SMTP
The SMTP client time limit for sending the SMTP
".", and for receiving the server response.
<b><a href="postconf.5.html#smtp_quit_timeout">smtp_quit_timeout</a> (300s)</b>
The SMTP client time limit for sending the QUIT
The SMTP client time limit for sending the QUIT
command, and for receiving the server response.
Available in Postfix version 2.1 and later:
@ -352,77 +358,77 @@ SMTP(8) SMTP(8)
lookups, or zero (no limit).
<b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
The maximal number of SMTP sessions per delivery
request before giving up or delivering to a fall-
The maximal number of SMTP sessions per delivery
request before giving up or delivering to a fall-
back relay host, or zero (no limit).
<b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
The SMTP client time limit for sending the RSET
The SMTP client time limit for sending the RSET
command, and for receiving the server response.
Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
Permanently enable SMTP connection caching for the
Permanently enable SMTP connection caching for the
specified destinations.
<b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
Temporarily enable SMTP connection caching while a
Temporarily enable SMTP connection caching while a
destination has a high volume of mail in the active
queue.
<b><a href="postconf.5.html#smtp_connection_cache_reuse_limit">smtp_connection_cache_reuse_limit</a> (10)</b>
When SMTP connection caching is enabled, the number
of times that an SMTP session is reused before it
of times that an SMTP session is reused before it
is closed.
<b><a href="postconf.5.html#smtp_connection_cache_time_limit">smtp_connection_cache_time_limit</a> (2s)</b>
When SMTP connection caching is enabled, the amount
of time that an unused SMTP client socket is kept
of time that an unused SMTP client socket is kept
open before it is closed.
<b>TROUBLE SHOOTING CONTROLS</b>
<b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
The increment in verbose logging level when a
remote client or server matches a pattern in the
The increment in verbose logging level when a
remote client or server matches a pattern in the
<a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
<b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
Optional list of remote client or server hostname
or network address patterns that cause the verbose
logging level to increase by the amount specified
Optional list of remote client or server hostname
or network address patterns that cause the verbose
logging level to increase by the amount specified
in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
<b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
The recipient of postmaster notifications about
mail delivery problems that are caused by policy,
The recipient of postmaster notifications about
mail delivery problems that are caused by policy,
resource, software or protocol errors.
<b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
The list of error classes that are reported to the
The list of error classes that are reported to the
postmaster.
<b>MISCELLANEOUS CONTROLS</b>
<b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
Where the Postfix SMTP client should deliver mail
Where the Postfix SMTP client should deliver mail
when it detects a "mail loops back to myself" error
condition.
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
The default location of the Postfix main.cf and
The default location of the Postfix main.cf and
master.cf configuration files.
<b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
How much time a Postfix daemon process may take to
handle a request before it is terminated by a
How much time a Postfix daemon process may take to
handle a request before it is terminated by a
built-in watchdog timer.
<b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
Disable DNS lookups in the Postfix SMTP and LMTP
Disable DNS lookups in the Postfix SMTP and LMTP
clients.
<b><a href="postconf.5.html#fallback_relay">fallback_relay</a> (empty)</b>
Optional list of relay hosts for SMTP destinations
Optional list of relay hosts for SMTP destinations
that can't be found or that are unreachable.
<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
@ -430,7 +436,7 @@ SMTP(8) SMTP(8)
tem receives mail on.
<b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (ipv4)</b>
The Internet protocols Postfix will attempt to use
The Internet protocols Postfix will attempt to use
when making or accepting connections.
<b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
@ -438,55 +444,55 @@ SMTP(8) SMTP(8)
over an internal communication channel.
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix
daemon process waits for the next service request
The maximum amount of time that an idle Postfix
daemon process waits for the next service request
before exiting.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
The maximal number of connection requests before a
The maximal number of connection requests before a
Postfix daemon process terminates.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
The process ID of a Postfix command or daemon
The process ID of a Postfix command or daemon
process.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
The process name of a Postfix command or daemon
The process name of a Postfix command or daemon
process.
<b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
The network interface addresses that this mail sys-
tem receives mail on by way of a proxy or network
tem receives mail on by way of a proxy or network
address translation unit.
<b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
An optional numerical network address that the SMTP
client should bind to when making an IPv4 connec-
client should bind to when making an IPv4 connec-
tion.
<b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
An optional numerical network address that the SMTP
client should bind to when making an IPv6 connec-
client should bind to when making an IPv6 connec-
tion.
<b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
The hostname to send in the SMTP EHLO or HELO com-
The hostname to send in the SMTP EHLO or HELO com-
mand.
<b><a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a> (dns)</b>
What mechanisms when the SMTP client uses to look
What mechanisms when the SMTP client uses to look
up a host's IP address.
<b><a href="postconf.5.html#smtp_randomize_addresses">smtp_randomize_addresses</a> (yes)</b>
Randomize the order of equal-preference MX host
Randomize the order of equal-preference MX host
addresses.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
The mail system name that is prepended to the
process name in syslog records, so that "smtpd"
The mail system name that is prepended to the
process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b>SEE ALSO</b>
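Review bot: the smtp_host_lookup summary, "What mechanisms when the SMTP client uses to look up a host's IP address", is ungrammatical in both the removed and the added copy of this re-wrapped hunk. Since the manual page text is regenerated from the parameter description (presumably the one-line summary in proto/postconf.proto), fixing it at the source to "What mechanisms the Postfix SMTP client uses to look up a host's IP address." would correct smtp.8, smtp.8.html and postconf(5) together.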
@ -504,7 +510,7 @@ SMTP(8) SMTP(8)
<a href="TLS_README.html">TLS_README</a>, Postfix STARTTLS howto
<b>LICENSE</b>
The Secure Mailer license must be distributed with this
The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>

View File

@ -1,4 +1,4 @@
.\" $NetBSD: smtp.8,v 1.1.1.9 2005/08/18 21:04:23 rpaulo Exp $
.\" $NetBSD: smtp.8,v 1.1.1.10 2006/02/25 22:06:48 rpaulo Exp $
.\"
.TH SMTP 8
.ad
@ -105,6 +105,10 @@ Ignore DNS MX lookups that produce no response.
Always send EHLO at the start of an SMTP session.
.IP "\fBsmtp_never_send_ehlo (no)\fR"
Never send EHLO at the start of an SMTP session.
.IP "\fBsmtp_cname_overrides_servername (yes)\fR"
Allow DNS CNAME records to override the servername that the
Postfix SMTP client uses for logging, SASL password lookup, TLS
policy decisions, or TLS certificate verification.
.IP "\fBsmtp_defer_if_no_mx_address_found (no)\fR"
Defer mail delivery when no MX record resolves to an IP address.
.IP "\fBsmtp_line_length_limit (990)\fR"
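Review bot: the new smtp_cname_overrides_servername entry only describes what the default "yes" permits, yet the reason to touch this parameter is the "no" setting; a reader of smtp(8) cannot tell from this summary what name is used instead, or that the setting matters for TLS certificate verification. A pointer to the "Closing a DNS loophole" section of TLS_README, or a second sentence saying that "no" makes Postfix use the configured or MX-derived name, would make the entry actionable.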

View File

@ -313,6 +313,7 @@ while (<>) {
s;\bsmtp_always_send_ehlo\b;<a href="postconf.5.html#smtp_always_send_ehlo">$&</a>;g;
s;\bsmtp_bind_address\b;<a href="postconf.5.html#smtp_bind_address">$&</a>;g;
s;\bsmtp_bind_address6\b;<a href="postconf.5.html#smtp_bind_address6">$&</a>;g;
s;\bsmtp_cname_overrides_servername\b;<a href="postconf.5.html#smtp_cname_overrides_servername">$&</a>;g;
s;\bsmtp_connect_timeout\b;<a href="postconf.5.html#smtp_connect_timeout">$&</a>;g;
s;\bsmtp_connection_cache_on_demand\b;<a href="postconf.5.html#smtp_connection_cache_on_demand">$&</a>;g;

View File

@ -68,7 +68,7 @@ available. You already know that oqmgr(8) uses round-robin by destination
while qmgr(8) uses simple FIFO, except for some preemptive magic.
The postconf(5) manual documents all the knobs the user
can use to control this preemptive magic - there is nothing else
to the preemption than the quite simple conditions described below.
to the preemption than the quite simple conditions described in there.
</p>
<p> As for programmer-level documentation, this will have to be
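Review bot: "described in there" reads awkwardly; "described there" (or "described in postconf(5)") says the same thing more cleanly. The substance of the change is right, since the preemption conditions are documented in postconf(5) rather than later in this file.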

View File

@ -129,6 +129,11 @@ the <tt>make(1)</tt> files with the necessary definitions. This is
done by invoking the command "<tt>make makefiles</tt>" in the Postfix
top-level directory and with arguments as shown next. </p>
<p> <b> NOTE: Do not use Gnu TLS. It will spontaneously terminate
a Postfix daemon process with exit status code 2, instead of allowing
Postfix to 1) report the error to the maillog file, and to 2) provide
plaintext service where this is appropriate. </b> </p>
<ul>
<li> <p> If the OpenSSL include files (such as <tt>ssl.h</tt>) are
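Review bot: the new NOTE should say which GnuTLS versions exhibit the exit-status-2 termination, otherwise a reader with a later, fixed library cannot tell whether the warning still applies; the library's name is also conventionally written "GnuTLS". Placing the warning before the build options is the right spot, as the choice of TLS library is a build-time decision and an unexpected daemon exit loses exactly the plaintext fallback the surrounding text promises.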
@ -553,7 +558,8 @@ can specify any database type that can store objects of several
kbytes and that supports the sequence operator. DBM databases are
not suitable because they can only store small objects. The cache
is maintained by the tlsmgr(8) process, so there is no problem with
concurrent access. </p>
concurrent access. Session caching is highly recommended, because
the cost of repeatedly negotiating TLS session keys is high.</p>
<p> Example: </p>
@ -632,7 +638,7 @@ certificate must no longer be used (e.g. an employee leaving). </p>
<p> The Postfix list manipulation routines give special treatment
to whitespace and some other characters, making the use of certificate
names unpractical. Instead we use the certificate fingerprints as
names impractical. Instead we use the certificate fingerprints as
they are difficult to fake but easy to use for lookup. Postfix
lookup tables are in the form of (key, value) pairs. Since we only
need the key, the value can be chosen freely, e.g. the name of
@ -725,9 +731,23 @@ key configuration </a>
<li><a href="#client_tls_cache">Client-side TLS session cache</a>
<li><a href="#client_tls"> Enabling TLS in the Postfix SMTP client </a>
<li><a href="#client_tls_enable"> Enabling TLS in the Postfix SMTP client </a>
<li><a href="#client_vrfy_server">Server certificate verification</a>
<li><a href="#client_tls_require"> Requiring TLS encryption </a>
<li><a href="#client_tls_nopeer"> Disabling server certificate verification </a>
<li><a href="#client_tls_per_site"> Per-site TLS policies </a>
<!--
<li><a href="#client_tls_obs"> Obsolete per-site TLS policy support </a>
-->
<li><a href="#client_tls_harden"> Closing a DNS loophole with <!-- legacy --> per-site TLS policies </a>
<li><a href="#client_tls_discover"> Discovering servers that support TLS </a>
<li><a href="#client_vrfy_server">Server certificate verification depth</a>
<li> <a href="#client_cipher">Client-side cipher controls </a>
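Review bot: the new TOC entry embeds an HTML comment inside the link text ("Closing a DNS loophole with <!-- legacy --> per-site TLS policies"), and a fully commented-out entry for #client_tls_obs sits just above it; both look like authoring scaffolding that should be removed before release, since tools that extract headings or link text will carry the comment along. Renaming the entry's target from #client_tls to #client_tls_enable also silently breaks any external link to the old anchor; see the heading hunk below for a way to keep both.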
@ -787,7 +807,7 @@ the overhead of the TLS exchange. </p>
certificates issued by these CAs, append the root certificate to
$smtp_tls_CAfile or install it in the $smtp_tls_CApath directory. When
you configure trust in a root CA, it is not necessary to explicitly trust
intermediary CAs signed by the root CA, unless $smtp_tls_verify_depth
intermediary CAs signed by the root CA, unless $smtp_tls_scert_verifydepth
is less than the number of CAs in the certificate chain for the servers
of interest. With a verify depth of 1 you can only verify certificates
directly signed by a trusted CA, and all trusted intermediary CAs need to
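Review bot: correct fix; the parameter is listed as smtp_tls_scert_verifydepth (5) in the smtp(8) summary earlier in this commit, whereas smtp_tls_verify_depth is not a Postfix parameter, so a reader following the old text would have set a name Postfix does not recognise and silently kept the default depth. A grep for the old name across the other README and proto files would confirm this was the only occurrence.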
@ -904,7 +924,10 @@ can specify any database type that can store objects of several
kbytes and that supports the sequence operator. DBM databases are
not suitable because they can only store small objects. The cache
is maintained by the tlsmgr(8) process, so there is no problem with
concurrent access. </p>
concurrent access. Session caching is highly recommended, because
the cost of repeatedly negotiating TLS session keys is high. Future
Postfix SMTP servers may limit the number of sessions that a client
is allowed to negotiate per unit time.</p>
<p> Example: </p>
@ -930,24 +953,19 @@ recommends a maximum of 24 hours. </p>
</pre>
</blockquote>
<h3><a name="client_tls"> Enabling TLS in the Postfix SMTP client </a>
</h3>
<h3><a name="client_tls_enable"> Enabling TLS in the Postfix SMTP
client </a> </h3>
<p> By default, TLS is disabled in the Postfix SMTP client, so no
difference to plain Postfix is visible. If you enable TLS, the
Postfix SMTP client will send STARTTLS when TLS support is announced
by the remote SMTP server. </p>
<p> WARNING: MS Exchange servers will announce STARTTLS support
even when the service is not configured, so that the TLS handshake
will fail. It may be wise to not use this option on your central
mail hub, as you don't know in advance whether you are going to
connect to such a host. Instead, use the smtp_tls_per_site
recipient/site specific options that are described below. </p>
<p> When the TLS handshake fails and no other server is available,
the Postfix SMTP client defers the delivery attempt, and the mail
stays in the queue. </p>
<p> When the server accepts the STARTTLS command, but the subsequent
TLS handshake fails, and no other server is available, the Postfix SMTP
client defers the delivery attempt, and the mail stays in the queue. After
a handshake failure, the communications channel is in an indeterminate
state and cannot be used for non-TLS deliveries. </p>
<p> Example: </p>
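Review bot: renaming the anchor from client_tls to client_tls_enable in the h3 at the top of this hunk breaks existing deep links to TLS_README.html#client_tls; keeping an additional empty <a name="client_tls"></a> beside the new heading costs nothing and preserves them. The replacement paragraph is an improvement: stating that the channel is in an indeterminate state after a failed handshake and cannot be reused for plaintext delivery explains why the mail is deferred rather than downgraded, which the removed text left implicit.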
@ -958,6 +976,9 @@ stays in the queue. </p>
</pre>
</blockquote>
<h3><a name="client_tls_require"> Requiring TLS encryption </a>
</h3>
<p> You can ENFORCE the use of TLS, so that the Postfix SMTP client
will not deliver mail over unencrypted connections. In this mode,
the remote SMTP server hostname must match the information in the
@ -967,14 +988,14 @@ server certificate doesn't verify or the remote SMTP server hostname
doesn't match, and no other server is available, the delivery
attempt is deferred and the mail stays in the queue. </p>
<p> The remote SMTP server hostname used in the check is beyond
question, as it must be the principal hostname (no CNAME allowed
here). Checks are performed against all names provided as dNSNames
<p> The remote SMTP server hostname is verified against all names
provided as dNSNames
in the SubjectAlternativeName. If no dNSNames are specified, the
CommonName is checked. The behavior may be changed with the
CommonName is checked. Verification may be turned off with the
smtp_tls_enforce_peername option which is discussed below. </p>
<p> This option is useful only if you know that you will only
<p> Enforcing the use of TLS is useful if you know that you will
only
connect to servers that support RFC 2487 _and_ that present server
certificates that meet the above requirements. An example would
be a client only sends email to one specific mailhub that offers
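Review bot: dropping the "beyond question ... no CNAME allowed here" claim is the right call, since with the default smtp_cname_overrides_servername = yes (documented in the smtp.8 hunk in this commit) the name that is matched against the certificate can itself come from a CNAME response; the new text should point readers to the "Closing a DNS loophole" section so they know how to make that name trustworthy. Pre-existing, but in the context lines of this hunk: "An example would be a client only sends email" is missing "that" (a client that only sends email).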
@ -985,10 +1006,13 @@ the necessary STARTTLS support. </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
smtp_enforce_tls = no
smtp_enforce_tls = yes
</pre>
</blockquote>
<h3> <a name="client_tls_nopeer"> Disabling server certificate
verification </a> </h3>
<p> As of RFC 2487 the requirements for hostname checking for MTA
clients are not set. When TLS is required (smtp_enforce_tls = yes),
the option smtp_tls_enforce_peername can be set to "no" to disable
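Review bot: the example fix (smtp_enforce_tls = no to yes) corrects a copy-paste error that contradicted the section title "Requiring TLS encryption"; anyone who pasted the old example got opportunistic TLS while believing it was enforced. Since the section text says that in this mode the server hostname must match the certificate, the snippet could show "smtp_tls_enforce_peername = yes" explicitly, so that the security posture of the example is visible without reading the following section on disabling it.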
@ -996,106 +1020,200 @@ strict remote SMTP server hostname checking. In this case, the mail
delivery will proceed regardless of the CommonName etc. listed in
the certificate. </p>
<p> Note: the smtp_tls_enforce_peername setting has no effect on
sessions that are controlled via the smtp_tls_per_site table. </p>
<p> Disabling the remote SMTP server hostname verification can
make sense in closed environment where special CAs are created.
If not used carefully, this option opens the danger of a
"man-in-the-middle" attack (the CommonName of this possible attacker
is logged). </p>
<p> Despite the potential for eliminating "man-in-the-middle" and
other attacks, mandatory certificate/peername verification is not
viable as a default Internet mail delivery policy at this time. A
significant fraction of TLS enabled MTAs uses self-signed certificates,
or certificates that are signed by a private certificate authority.
On a machine that delivers mail to the Internet, if you set
smtp_enforce_tls = yes, you should probably also set
smtp_tls_enforce_peername = no. You can use the per-site TLS
policies (see below) to enable full peer verification for specific
destinations that are known to have verifiable TLS server certificates.
</p>
<p> Example: </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
smtp_tls_enforce_peername = yes
smtp_enforce_tls = yes
smtp_tls_enforce_peername = no
</pre>
</blockquote>
<p> Generally, trying TLS can be a bad idea, as some servers offer
STARTTLS but the negotiation will fail leading to unexplainable
failures. Instead, it may be a good idea to choose the TLS usage
policy based on the recipient or the mailhub to which you are
connecting. </p>
<h3> <a name="client_tls_per_site"> Per-site TLS policies </a> </h3>
<p> Deciding the TLS usage policy per recipient may be difficult,
since a single email delivery attempt can involve several recipients.
Instead, use of TLS is controlled by the Postfix next-hop destination
domain name and by the remote SMTP server hostname. If either of these
matches an entry in the smtp_tls_per_site table, appropriate action
is taken. </p>
<p> A small fraction of servers offer STARTTLS but the negotiation
consistently fails, leading to mail aging out of the queue and
bouncing back to the sender. In such cases, you can use the per-site
policies to disable TLS for the problem sites. Alternatively, you
can enable TLS for just a few specific sites and not enable it for
all sites. </p>
<p> The remote SMTP server hostname is simply the DNS name of the
server that the Postfix SMTP client connects to. The next-hop
destination is Postfix specific. By default, this is the domain
name in the recipient address, but this information can be overruled
by the transport(5) table or by the relayhost parameter setting.
In these cases the relayhost etc. must be listed in the smtp_tls_per_site
table, instead of the recipient domain name. </p>
<!-- insert new-style TLS policy mechanism here
<p> Format of the table: domain or host names are specified on the
left-hand side; no wildcards are allowed. On the right hand side
specify one of the following keywords: </p>
<h3> <a name="client_tls_obs"> Obsolete per-site TLS policy support
</a> </h3>
<p> This section describes an obsolete per-site TLS policy mechanism.
Unlike the newer mechanism it supports TLS policy lookup by server
hostname, and lacks control over what names can appear in server
certificates. Because of this, the obsolete mechanism is vulnerable
to false DNS hostname information in MX or CNAME records. These
attacks can be eliminated only with great difficulty. </p>
-->
<p> The smtp_tls_per_site table is searched for a policy that matches
the following information: </p>
<blockquote>
<dl>
<dt> NONE </dt> <dd> Don't use TLS at all. </dd>
<dt> remote SMTP server hostname </dt> <dd> This is simply the DNS
name of the server that the Postfix SMTP client connects to; this
name may be obtained from other DNS lookups, such as MX lookups or
CNAME lookups. </dd>
<dt> MAY </dt> <dd> Try to use STARTTLS if offered, otherwise use
the unencrypted connection. </dd>
<dt> MUST </dt> <dd> Require usage of STARTTLS, require that the
remote SMTP server hostname matches the information in the remote
SMTP server certificate, and require that the remote SMTP server
certificate was issued by a trusted CA. </dd>
<dt> MUST_NOPEERMATCH </dt> <dd> Require usage of STARTTLS, but do
not require that the remote SMTP server hostname matches the
information in the remote SMTP server certificate, or that the
server certificate was issued by a trusted CA. </dd>
<dt> next-hop destination </dt> <dd> This is normally the domain
portion of the recipient address, but it may be overruled by
information from the transport(5) table, from the relayhost parameter
setting, or from the relay_transport setting. When it's not the
recipient domain, the next-hop destination can have the Postfix-specific
form "<tt>[name]</tt>", <tt>[name]:port</tt>", "<tt>name</tt>" or
"<tt>name:port</tt>". </dd>
</dl>
</blockquote>
<p> The actual TLS usage policy depends not only on whether the
next-hop destination or remote SMTP server hostname are found in
the smtp_tls_per_site table, but also on the smtp_enforce_tls
setting: </p>
<p> When both the hostname lookup and the next-hop lookup succeed,
the host policy does not automatically override the next-hop policy.
Instead, precedence is given to either the more specific or the
more secure per-site policy as described below. </p>
<p> The smtp_tls_per_site table uses a simple "<i>name whitespace
value</i>" format. Specify host names or next-hop destinations on
the left-hand side; no wildcards are allowed. On the right hand
side specify one of the following keywords: </p>
<blockquote>
<dl>
<dt> NONE </dt> <dd> Don't use TLS at all. This overrides a less
specific <b>MAY</b> lookup result from the alternate host or next-hop
lookup key, and overrides the global smtp_use_tls, smtp_enforce_tls,
and smtp_tls_enforce_peername settings. </dd>
<dt> MAY </dt> <dd> Try to use TLS if the server announces support,
otherwise use the unencrypted connection. This has less precedence
than a more specific result (including <b>NONE</b>) from the alternate
host or next-hop lookup key, and has less precedence than the more
specific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peername
= yes". </dd>
<dt> MUST_NOPEERMATCH </dt> <dd> Require TLS encryption, but do not
require that the remote SMTP server hostname matches the information
in the remote SMTP server certificate, or that the server certificate
was issued by a trusted CA. This overrides a less secure <b>NONE</b>
or a less specific <b>MAY</b> lookup result from the alternate host
or next-hop lookup key, and overrides the global smtp_use_tls,
smtp_enforce_tls and smtp_tls_enforce_peername settings. </dd>
<dt> MUST </dt> <dd> Require TLS encryption, require that the remote
SMTP server hostname matches the information in the remote SMTP
server certificate, and require that the remote SMTP server certificate
was issued by a trusted CA. This overrides a less secure <b>NONE</b>
and <b>MUST_NOPEERMATCH</b> or a less specific <b>MAY</b> lookup
result from the alternate host or next-hop lookup key, and overrides
the global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername
settings. </dd>
</dl>
</blockquote>
<p> The precedences between global (main.cf) and per-site TLS
policies can be summarized as follows: </p>
<ul>
<li> <p> If no match was found, the policy is applied as specified
with smtp_enforce_tls. </p>
<li> <p> When neither the remote SMTP server hostname nor the
next-hop destination are found in the smtp_tls_per_site table, the
policy is based on smtp_use_tls, smtp_enforce_tls and
smtp_tls_enforce_peername. Note: "smtp_enforce_tls = yes" and
"smtp_tls_enforce_peername = yes" imply "smtp_use_tls = yes". </p>
<li> <p> If a match was found, and the smtp_enforce_tls policy is
"enforce", NONE explicitly switches it off; otherwise the "enforce"
mode is used even for entries that specify MAY. </p>
<li> <p> When both hostname and next-hop destination lookups produce
a result, the more specific per-site policy (NONE, MUST, etc)
overrides the less specific one (MAY), and the more secure per-site
policy (MUST, etc) overrides the less secure one (NONE). </p>
<li> <p> After the per-site policy lookups are combined, the result
generally overrides the global policy. The exception is the less
specific <b>MAY</b> per-site policy, which is overruled by the more
specific global "smtp_enforce_tls = yes" with server certificate
verification as specified with the smtp_tls_enforce_peername
parameter. </p>
</ul>
<p> Special hint for TLS enforcement mode: since no secure DNS
lookup mechanism is available, mail can be delivered to the wrong
remote SMTP server. This is not prevented by specifying MUST for
the next-hop domain name. The recommended setup is: specify local
transport(5) table entries for sensitive domains with explicit
smtp:[mailhost] destinations (since you can assure security of this
table unlike DNS), then specify MUST for these mail hosts in the
smtp_tls_per_site table. </p>
<h3> <a name="client_tls_harden"> Closing a DNS loophole with
<!-- legacy --> per-site TLS policies </a> </h3>
<p> As long as no secure DNS lookup mechanism is available, false
hostnames in MX or CNAME responses can change the server hostname
that Postfix uses for TLS policy lookup and server certificate
verification. Even with a perfect match between the server hostname
and the server certificate, there is no guarantee that Postfix is
connected to the right server. To avoid this loophole take the
following steps: </p>
<ul>
<li> <p> Eliminate MX lookups. Specify local transport(5) table
entries for sensitive domains with explicit smtp:[<i>mailhost</i>]
or smtp:[<i>mailhost</i>]:<i>port</i> destinations (you can assure
security of this table unlike DNS); in the smtp_tls_per_site table
specify the value <b>MUST</b> for the key [<i>mailhost</i>] or
smtp:[<i>mailhost</i>]:<i>port</i>. This prevents false hostname
information in DNS MX records from changing the server hostname
that Postfix uses for TLS policy lookup and server certificate
verification. </p>
<li> <p> Disallow CNAME hostname overrides. In main.cf specify
"smtp_cname_overrides_servername = no". This prevents false hostname
information in DNS CNAME records from changing the server hostname
that Postfix uses for TLS policy lookup and server certificate
verification. This feature requires Postfix 2.2.9 or later. </p>
</ul>
<p> Example: </p>
<blockquote>
<pre>
<blockquote> <pre>
/etc/postfix/main.cf:
smtp_tls_per_site = hash:/etc/postfix/tls_per_site
relayhost = [msa.example.net]:587
/etc/postfix/tls_per_site:
# relayhost exact nexthop match
[msa.example.net]:587 MUST
# TLS should not be used with the <i>example.org</i> MX hosts.
example.org NONE
# TLS should not be used with the host <i>smtp.example.com</i>.
smtp.example.com NONE
</pre>
</blockquote>
<h3> <a name="client_tls_discover"> Discovering servers that support
TLS </a> </h3>
<p> As we decide on a "per site" basis whether or not to use TLS,
it would be good to have a list of sites that offered "STARTTLS".
We can collect it ourselves with this option. </p>
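Review bot: in the "Eliminate MX lookups" step, the lookup key "smtp:[mailhost]:port" is inconsistent with the rest of the hunk: the next-hop destination definition earlier in the same hunk gives the forms "[name]", "[name]:port", "name" and "name:port" (no transport prefix), and the example at the end uses "[msa.example.net]:587 MUST". The key should read "[mailhost]:port"; the "smtp:" prefix belongs only in the transport(5) entry, and a reader who copies the prefixed form into smtp_tls_per_site gets no match and falls back to the global policy without noticing. Two smaller points: the list of next-hop forms is missing the opening quote before <tt>[name]:port</tt>, and the heading "Closing a DNS loophole with <!-- legacy --> per-site TLS policies" still carries an HTML comment that should be removed before release.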
@ -1119,7 +1237,7 @@ postfix/smtp[pid]: Host offered STARTTLS: [hostname.example.com]
</pre>
</blockquote>
<h3><a name="client_vrfy_server">Server certificate verification</a> </h3>
<h3><a name="client_vrfy_server">Server certificate verification depth</a> </h3>
<p> When verifying a remote SMTP server certificate, a verification
depth of 1 is sufficient if the certificate is directly issued by
@ -1376,7 +1494,7 @@ super-user privileges. </p>
</blockquote>
<li> <p> Configure Postfix, by adding the following to
<tt>/etc/postfix/main.cf</tt>. </p>
<tt>/etc/postfix/main.cf </tt>. </p>
<blockquote>
<pre>
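Review bot: the only change in this hunk inserts a space inside the <tt> element ("main.cf </tt>."), which renders as "main.cf ." with a stray space before the period. The period was already outside the <tt> in the old line, so if the intent was to keep it from looking like part of the file name, the original markup already did that and this line should be reverted.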
@ -1443,8 +1561,22 @@ protocol in order to access the tlsmgr(8) pseudo-random number
generation (PRNG) pool, and in order to access the TLS session
cache databases. Such a protocol cannot be run across fifos. </p>
<li> <p> smtp_tls_per_site: the MUST_NOPEERMATCH per-site policy
cannot override the global "smtp_tls_enforce_peername = yes" setting.
</p>
<li> <p> smtp_tls_per_site: a combined (NONE + MAY) lookup result
for (hostname and next-hop destination) produces counter-intuitive
results for different main.cf settings. TLS is enabled with
"smtp_tls_enforce_peername = no", but it is disabled when both
"smtp_enforce_tls = yes" and "smtp_tls_enforce_peername = yes".
</p>
</ul>
<p> The smtp_tls_per_site limitations were removed by the end of
the Postfix 2.2 support cycle. </p>
<h2><a name="credits">Credits </a> </h2>
<ul>
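Review bot: "were removed by the end of the Postfix 2.2 support cycle" is too vague for a limitations section. The rest of this document pins behaviour to a release ("requires Postfix 2.2.9 or later"), and this same patch bumps MAIL_VERSION_NUMBER to 2.2.9 while reworking smtp_session.c, so name the release: e.g. "The two smtp_tls_per_site limitations above (MUST_NOPEERMATCH versus smtp_tls_enforce_peername, and the combined NONE + MAY result) were removed in Postfix 2.2.9."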
@ -1455,6 +1587,10 @@ J&auml;nicke at Cottbus Technical University.
<li> Wietse Venema adopted the code, did some restructuring, and
compiled this part of the documentation from Lutz's documents.
<li> Victor Duchovni was instrumental with the re-implementation
of the smtp_tls_per_site code in terms of enforcement levels, which
simplified the implementation greatly.
</ul>
</body>



@ -7750,7 +7750,7 @@ is suitable for, e.g., pop-before-smtp lookup tables. </dd>
<p> Examples: </p>
<p> The Postfix < 2.2 backwards compatible setting: always rewrite
<p> The Postfix &lt; 2.2 backwards compatible setting: always rewrite
message headers, and always append my own domain to incomplete
header addresses. </p>
@ -8251,38 +8251,79 @@ CommonName of this attacker will be logged). </p>
%PARAM smtp_tls_per_site
<p> Optional lookup tables with the Postfix SMTP client TLS usage
policy by next-hop domain name and by remote SMTP server hostname.
</p>
policy by next-hop destination and by remote SMTP server hostname.
When both lookups succeed, the more specific per-site policy (NONE,
MUST, etc) overrides the less specific one (MAY), and the more
secure per-site policy (MUST, etc) overrides the less secure one
(NONE). </p>
<p> Table format: domain names or server hostnames are specified
on the left-hand side; no wildcards are allowed. On the right hand
side specify one of the following keywords: </p>
<p> Specify a next-hop destination or server hostname on the left-hand
side; no wildcards are allowed. The next-hop destination is either
the recipient domain, or the destination specified with a transport(5)
table, the relayhost parameter, or the relay_transport parameter.
On the right hand side specify one of the following keywords: </p>
<dl>
<dt> NONE </dt> <dd>Don't use TLS at all. </dd>
<dt> NONE </dt> <dd> Don't use TLS at all. This overrides a less
specific <b>MAY</b> lookup result from the alternate host or next-hop
lookup key, and overrides the global smtp_use_tls, smtp_enforce_tls,
and smtp_tls_enforce_peername settings. </dd>
<dt> MAY </dt> <dd>Try to use STARTTLS if offered, otherwise use
the unencrypted connection. </dd>
<dt> MAY </dt> <dd> Try to use TLS if the server announces support,
otherwise use the unencrypted connection. This has less precedence
than a more specific result (including <b>NONE</b>) from the alternate
host or next-hop lookup key, and has less precedence than the more
specific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peername
= yes". </dd>
<dt> MUST </dt> <dd>Require usage of STARTTLS, require that the
remote SMTP server hostname matches the information in the remote
SMTP server certificate, and require that the remote SMTP server
certificate was issued by a trusted CA. </dd>
<dt> MUST_NOPEERMATCH </dt> <dd> Require TLS encryption, but do not
require that the remote SMTP server hostname matches the information
in the remote SMTP server certificate, or that the server certificate
was issued by a trusted CA. This overrides a less secure <b>NONE</b>
or a less specific <b>MAY</b> lookup result from the alternate host
or next-hop lookup key, and overrides the global smtp_use_tls,
smtp_enforce_tls and smtp_tls_enforce_peername settings. </dd>
<dt> MUST_NOPEERMATCH </dt> <dd>Require usage of STARTTLS, but do
not require that the remote SMTP server hostname matches the
information in the remote SMTP server certificate, or that the
server certificate was issued by a trusted CA. </dd>
<dt> MUST </dt> <dd> Require TLS encryption, require that the remote
SMTP server hostname matches the information in the remote SMTP
server certificate, and require that the remote SMTP server certificate
was issued by a trusted CA. This overrides a less secure <b>NONE</b>
and <b>MUST_NOPEERMATCH</b> or a less specific <b>MAY</b> lookup
result from the alternate host or next-hop lookup key, and overrides
the global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername
settings. </dd>
</dl>
<p> Special hint for enforcement mode: since no secure DNS lookup
mechanism is available, the recommended setup is: specify local
transport(5) table entries for sensitive domains with explicit
smtp:[mailhost] destinations (since you can assure security of this
table unlike DNS), then specify MUST for these mail hosts in the
smtp_tls_per_site table. </p>
<p> As long as no secure DNS lookup mechanism is available, false
hostnames in MX or CNAME responses can change the server hostname
that Postfix uses for TLS policy lookup and server certificate
verification. Even with a perfect match between the server hostname
and the server certificate, there is no guarantee that Postfix is
connected to the right server. To avoid this loophole take the
following steps: </p>
<ul>
<li> Disallow CNAME hostname overrides. In main.cf specify
"smtp_cname_overrides_servername = no". This prevents false hostname
information in DNS CNAME records from changing the server hostname
that Postfix uses for TLS policy lookup and server certificate
verification. This feature requires Postfix 2.2.9 or later.
<li> Eliminate MX lookups. Specify local transport(5) table entries
for sensitive domains with explicit smtp:[mailhost] or smtp:[mailhost]:port
destinations. This prevents false hostname information in DNS MX
records from changing the server hostname that Postfix uses for TLS
policy lookup and server certificate verification.
<li> Specify MUST for these mail hosts (including [ ] and port) in
the smtp_tls_per_site table.
</ul>
<p> </p>
%PARAM smtp_tls_scert_verifydepth 5
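Review bot: the MAY entry says it yields to the global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peername = yes", but in smtp_tls_level_init (smtp_session.c hunk in this patch) smtp_tls_enforce_peername is consulted only when smtp_enforce_tls is set; with smtp_enforce_tls = no the global level is MAY or NONE, and the override test only fires for a global level above MAY, so "smtp_tls_enforce_peername = yes" on its own never overrides a per-site MAY. Suggest: "has less precedence than the more specific global "smtp_enforce_tls = yes" (with or without "smtp_tls_enforce_peername = yes")". The empty "<p> </p>" just before %PARAM smtp_tls_scert_verifydepth looks like leftover and can go.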
@ -8412,3 +8453,14 @@ examples are shown in the ADDRESS_REWRITING_README and
STANDARD_CONFIGURATION_README documents. </p>
<p> This feature is available in Postfix 2.2 and later. </p>
%PARAM smtp_cname_overrides_servername yes
<p> Allow DNS CNAME records to override the servername that the
Postfix SMTP client uses for logging, SASL password lookup, TLS
policy decisions, or TLS certificate verification. The default value
(yes) is backwards compatible. Specify "no" to harden Postfix 2.2
smtp_tls_per_site hostname-based policies against false hostname
information in DNS CNAME records. </p>
<p> This feature is available in Postfix 2.2.9 and later. </p>
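Review bot: the new parameter text should say which name is used instead when the override is disabled (the MX hostname, or the [hostname] from a transport table or relayhost setting), and that this closes only the CNAME half of the problem: forged MX answers still require explicit [hostname] transport entries, as the three-step list under smtp_tls_per_site spells out. A pointer from here to that list keeps the two descriptions from drifting apart.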


@ -1,4 +1,4 @@
/* $NetBSD: cleanup_api.c,v 1.1.1.6 2004/05/31 00:24:27 heas Exp $ */
/* $NetBSD: cleanup_api.c,v 1.1.1.7 2006/02/25 22:08:15 rpaulo Exp $ */
/*++
/* NAME
@ -226,6 +226,14 @@ int cleanup_flush(CLEANUP_STATE *state)
vstream_control(state->handle->stream,
VSTREAM_CTL_PATH, cleanup_path,
VSTREAM_CTL_END);
/*
* XXX: When delivering to a non-incoming queue, do not consume
* in_flow tokens. Unfortunately we can't move the code that
* consumes tokens until after the mail is received, because that
* would increase the risk of duplicate deliveries (RFC 1047).
*/
(void) mail_flow_put(1);
}
state->errs = mail_stream_finish(state->handle, (VSTRING *) 0);
} else {


@ -1,4 +1,4 @@
/* $NetBSD: dns.h,v 1.1.1.5 2005/12/01 21:42:42 rpaulo Exp $ */
/* $NetBSD: dns.h,v 1.1.1.6 2006/02/25 22:08:22 rpaulo Exp $ */
#ifndef _DNS_H_INCLUDED_
#define _DNS_H_INCLUDED_
@ -82,7 +82,8 @@ typedef struct DNS_FIXED {
* named after the things one can expect to find in a DNS resource record.
*/
typedef struct DNS_RR {
char *name; /* name, mystrdup()ed */
char *qname; /* query name, mystrdup()ed */
char *rname; /* reply name, mystrdup()ed */
unsigned short type; /* T_A, T_CNAME, etc. */
unsigned short class; /* C_IN, etc. */
unsigned int ttl; /* always */
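Review bot: the field comments "query name" and "reply name" do not say when the two differ, which is the whole point of the split. State that qname is the name that was looked up and rname is the owner name in the answer (the CNAME target after expansion), since SMTP_HNAME() in smtp.h selects between them on exactly that basis.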
@ -106,7 +107,8 @@ extern unsigned dns_type(const char *);
/*
* dns_rr.c
*/
extern DNS_RR *dns_rr_create(const char *, ushort, ushort,
extern DNS_RR *dns_rr_create(const char *, const char *,
ushort, ushort,
unsigned, unsigned,
const char *, unsigned);
extern void dns_rr_free(DNS_RR *);


@ -1,4 +1,4 @@
/* $NetBSD: dns_rr.c,v 1.1.1.4 2005/08/18 21:05:58 rpaulo Exp $ */
/* $NetBSD: dns_rr.c,v 1.1.1.5 2006/02/25 22:08:23 rpaulo Exp $ */
/*++
/* NAME
@ -8,9 +8,10 @@
/* SYNOPSIS
/* #include <dns.h>
/*
/* DNS_RR *dns_rr_create(name, type, class, ttl, preference,
/* DNS_RR *dns_rr_create(qname, rname, type, class, ttl, preference,
/* data, data_len)
/* const char *name;
/* const char *qname;
/* const char *rname;
/* unsigned short type;
/* unsigned short class;
/* unsigned int ttl;
@ -43,7 +44,8 @@
/* information, and maintain lists of DNS resource records.
/*
/* dns_rr_create() creates and initializes one resource record.
/* The \fIname\fR record specifies the record name.
/* The \fIqname\fR field specifies the query name.
/* The \fIrname\fR field specifies the reply name.
/* \fIpreference\fR is used for MX records; \fIdata\fR is a null
/* pointer or specifies optional resource-specific data;
/* \fIdata_len\fR is the amount of resource-specific data.
@ -93,14 +95,16 @@
/* dns_rr_create - fill in resource record structure */
DNS_RR *dns_rr_create(const char *name, ushort type, ushort class,
DNS_RR *dns_rr_create(const char *qname, const char *rname,
ushort type, ushort class,
unsigned int ttl, unsigned pref,
const char *data, unsigned data_len)
{
DNS_RR *rr;
rr = (DNS_RR *) mymalloc(sizeof(*rr) + data_len - 1);
rr->name = mystrdup(name);
rr->qname = mystrdup(qname);
rr->rname = mystrdup(rname);
rr->type = type;
rr->class = class;
rr->ttl = ttl;
@ -119,7 +123,8 @@ void dns_rr_free(DNS_RR *rr)
if (rr) {
if (rr->next)
dns_rr_free(rr->next);
myfree(rr->name);
myfree(rr->qname);
myfree(rr->rname);
myfree((char *) rr);
}
}
@ -136,7 +141,8 @@ DNS_RR *dns_rr_copy(DNS_RR *src)
*/
dst = (DNS_RR *) mymalloc(len);
memcpy((char *) dst, (char *) src, len);
dst->name = mystrdup(src->name);
dst->qname = mystrdup(src->qname);
dst->rname = mystrdup(src->rname);
dst->next = 0;
return (dst);
}


@ -1,4 +1,4 @@
/* $NetBSD: dns_sa_to_rr.c,v 1.1.1.1 2005/08/18 21:05:59 rpaulo Exp $ */
/* $NetBSD: dns_sa_to_rr.c,v 1.1.1.2 2006/02/25 22:08:24 rpaulo Exp $ */
/*++
/* NAME
@ -56,12 +56,12 @@ DNS_RR *dns_sa_to_rr(const char *hostname, unsigned pref, struct sockaddr * sa)
#define DUMMY_TTL 0
if (sa->sa_family == AF_INET) {
return (dns_rr_create(hostname, T_A, C_IN, DUMMY_TTL, pref,
return (dns_rr_create(hostname, hostname, T_A, C_IN, DUMMY_TTL, pref,
(char *) &SOCK_ADDR_IN_ADDR(sa),
sizeof(SOCK_ADDR_IN_ADDR(sa))));
#ifdef HAS_IPV6
} else if (sa->sa_family == AF_INET6) {
return (dns_rr_create(hostname, T_AAAA, C_IN, DUMMY_TTL, pref,
return (dns_rr_create(hostname, hostname, T_AAAA, C_IN, DUMMY_TTL, pref,
(char *) &SOCK_ADDR_IN6_ADDR(sa),
sizeof(SOCK_ADDR_IN6_ADDR(sa))));
#endif


@ -1,4 +1,4 @@
/* $NetBSD: test_dns_lookup.c,v 1.1.1.3 2005/08/18 21:05:59 rpaulo Exp $ */
/* $NetBSD: test_dns_lookup.c,v 1.1.1.4 2006/02/25 22:08:24 rpaulo Exp $ */
/*++
/* NAME
@ -47,7 +47,7 @@ static void print_rr(DNS_RR *rr)
MAI_HOSTADDR_STR host;
while (rr) {
printf("%s: ttl: %9d ", rr->name, rr->ttl);
printf("%s: ttl: %9d ", rr->rname, rr->ttl);
switch (rr->type) {
case T_A:
#ifdef T_AAAA
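Review bot: printing only rr->rname hides the new qname/rname distinction from the one tool meant for inspecting lookups. Print both (for example "%s (%s): ttl: %9d " with rr->qname and rr->rname) so the effect of CNAME expansion, and therefore of smtp_cname_overrides_servername, can be checked from the command line.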


@ -1,3 +1,3 @@
starttls, 8bitmime, verp, etrn, etrn -> 0x51 -> 8BITMIME ETRN VERP
starttls, 8bitmime, verp, etrn, etrn -> 0xd1 -> 8BITMIME ETRN VERP STARTTLS
foobar, auth, pipelining, size, vrfy -> 0x2e -> AUTH PIPELINING SIZE VRFY
xclient, xforward -> 0x180 -> XCLIENT XFORWARD
xclient, xforward -> 0x300 -> XCLIENT XFORWARD
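Review bot: the new expected values give STARTTLS the 0x80 bit and move XCLIENT|XFORWARD from 0x180 to 0x300, so existing bit assignments were renumbered rather than STARTTLS taking a free high bit. That is fine for in-memory masks, but the header that defines them is not in this excerpt; confirm it is part of the same commit and that nothing persists or compares these values externally.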


@ -1,4 +1,4 @@
/* $NetBSD: input_transp.c,v 1.1.1.3 2005/08/18 21:06:20 rpaulo Exp $ */
/* $NetBSD: input_transp.c,v 1.1.1.4 2006/02/25 22:08:49 rpaulo Exp $ */
/*++
/* NAME
@ -28,7 +28,7 @@
/* given in parentheses:
/* .IP "no_unknown_recipient_checks (INPUT_TRANSP_UNKNOWN_RCPT)"
/* Do not try to reject unknown recipients.
/* .IP "no_address_mapping (INPUT_TRANSP_ADDRESS_MAPPING)
/* .IP "no_address_mappings (INPUT_TRANSP_ADDRESS_MAPPING)
/* Disable canonical address mapping, virtual alias map expansion,
/* address masquerading, and automatic BCC recipients.
/* .IP "no_header_body_checkss (INPUT_TRANSP_HEADER_BODY)
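Review bot: while fixing "no_address_mapping" to "no_address_mappings", the same comment block still reads "no_header_body_checkss" (double s) two lines below; fix it in this hunk rather than leaving a second documentation typo next to the corrected one.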


@ -1,4 +1,4 @@
/* $NetBSD: mail_addr_find.c,v 1.1.1.4 2004/05/31 00:24:31 heas Exp $ */
/* $NetBSD: mail_addr_find.c,v 1.1.1.5 2006/02/25 22:08:49 rpaulo Exp $ */
/*++
/* NAME
@ -109,7 +109,10 @@ const char *mail_addr_find(MAPS *path, const char *address, char **extp)
if (*var_rcpt_delim == 0) {
bare_key = saved_ext = 0;
} else {
bare_key = strip_addr(full_key, &saved_ext, *var_rcpt_delim);
/* Preserve case of extension. */
bare_key = strip_addr(address, &saved_ext, *var_rcpt_delim);
if (bare_key != 0)
lowercase(bare_key);
}
/*
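Review bot: "Preserve case of extension." is too terse for a change that swaps the strip_addr() input from full_key to address. Say that saved_ext is returned to the caller through extp and must keep the original case, while bare_key is case-folded afterwards for the table lookup; otherwise the next reader may "simplify" the call back to the already-lowercased full_key.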


@ -1,4 +1,4 @@
/* $NetBSD: mail_version.h,v 1.1.1.20 2006/01/05 02:11:43 rpaulo Exp $ */
/* $NetBSD: mail_version.h,v 1.1.1.21 2006/02/25 22:08:59 rpaulo Exp $ */
#ifndef _MAIL_VERSION_H_INCLUDED_
#define _MAIL_VERSION_H_INCLUDED_
@ -22,8 +22,8 @@
* Patches change the patchlevel and the release date. Snapshots change the
* release date only.
*/
#define MAIL_RELEASE_DATE "20060103"
#define MAIL_VERSION_NUMBER "2.2.8"
#define MAIL_RELEASE_DATE "20060221"
#define MAIL_VERSION_NUMBER "2.2.9"
#define VAR_MAIL_VERSION "mail_version"
#ifdef SNAPSHOT


@ -1,4 +1,4 @@
/* $NetBSD: lmtp_addr.c,v 1.1.1.3 2005/08/18 21:07:17 rpaulo Exp $ */
/* $NetBSD: lmtp_addr.c,v 1.1.1.4 2006/02/25 22:09:20 rpaulo Exp $ */
/*++
/* NAME
@ -107,7 +107,7 @@ static void lmtp_print_addr(char *what, DNS_RR *addr_list)
msg_warn("skipping record type %s: %m", dns_strtype(addr->type));
} else {
msg_info("pref %4d host %s/%s",
addr->pref, addr->name,
addr->pref, addr->rname,
hostaddr.buf);
}
}


@ -1,4 +1,4 @@
/* $NetBSD: lmtp_connect.c,v 1.1.1.6 2005/08/18 21:07:18 rpaulo Exp $ */
/* $NetBSD: lmtp_connect.c,v 1.1.1.7 2006/02/25 22:09:21 rpaulo Exp $ */
/*++
/* NAME
@ -202,10 +202,10 @@ static LMTP_SESSION *lmtp_connect_addr(DNS_RR *addr, unsigned port,
SOCKADDR_TO_HOSTADDR(sa, salen, &hostaddr, (MAI_SERVPORT_STR *) 0, 0);
if (msg_verbose)
msg_info("%s: trying: %s[%s] port %d...",
myname, addr->name, hostaddr.buf, ntohs(port));
myname, addr->rname, hostaddr.buf, ntohs(port));
return (lmtp_connect_sock(sock, sa, salen,
addr->name, hostaddr.buf, destination, why));
addr->rname, hostaddr.buf, destination, why));
}
/* lmtp_connect_sock - connect a socket over some transport */
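Review bot: the LMTP client now uses addr->rname unconditionally, both in the verbose log line and as the name passed to lmtp_connect_sock(), whereas the SMTP client gates the same choice on var_smtp_cname_overr through SMTP_HNAME(). Either add a comment stating that the LMTP client intentionally keeps CNAME-expanded names (because nothing here is keyed on the name for policy or credential lookup), or give it the same switch, so the two clients do not diverge silently.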


@ -1,4 +1,4 @@
/* $NetBSD: local.c,v 1.1.1.7 2005/08/18 21:07:29 rpaulo Exp $ */
/* $NetBSD: local.c,v 1.1.1.8 2006/02/25 22:09:27 rpaulo Exp $ */
/*++
/* NAME
@ -831,6 +831,7 @@ int main(int argc, char **argv)
VAR_PROP_EXTENSION, DEF_PROP_EXTENSION, &var_prop_extension, 0, 0,
VAR_DELIVER_HDR, DEF_DELIVER_HDR, &var_deliver_hdr, 0, 0,
VAR_MAILBOX_LOCK, DEF_MAILBOX_LOCK, &var_mailbox_lock, 1, 0,
VAR_MAILBOX_CMD_MAPS, DEF_MAILBOX_CMD_MAPS, &var_mailbox_cmd_maps, 0, 0,
0,
};
static CONFIG_BOOL_TABLE bool_table[] = {
@ -846,7 +847,6 @@ int main(int argc, char **argv)
VAR_EXEC_DIRECTORY, DEF_EXEC_DIRECTORY, &var_exec_directory, 0, 0,
VAR_FORWARD_PATH, DEF_FORWARD_PATH, &var_forward_path, 0, 0,
VAR_MAILBOX_COMMAND, DEF_MAILBOX_COMMAND, &var_mailbox_command, 0, 0,
VAR_MAILBOX_CMD_MAPS, DEF_MAILBOX_CMD_MAPS, &var_mailbox_cmd_maps, 0, 0,
VAR_LUSER_RELAY, DEF_LUSER_RELAY, &var_luser_relay, 0, 0,
0,
};
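Review bot: the VAR_MAILBOX_CMD_MAPS entry moves from one parameter table to another without the hunk saying why. Add a one-line comment at the new entry (or in the commit message) stating which kind of $name expansion mailbox_command_maps is supposed to receive, so the entry is not moved back by someone tidying the tables.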


@ -1,4 +1,4 @@
/* $NetBSD: qmgr_message.c,v 1.1.1.4 2005/08/18 21:07:58 rpaulo Exp $ */
/* $NetBSD: qmgr_message.c,v 1.1.1.5 2006/02/25 22:09:39 rpaulo Exp $ */
/*++
/* NAME
@ -843,8 +843,14 @@ static void qmgr_message_resolve(QMGR_MESSAGE *message)
/*
* Content filtering overrides the address resolver.
*
* XXX Bypass content_filter inspection for user-generated probes
* (sendmail -bv). MTA-generated probes never have the "please filter
* me" bits turned on, but we handle them here anyway for the sake of
* future proofing.
*/
else if (message->filter_xport) {
else if (message->filter_xport
&& (message->tflags & DEL_REQ_TRACE_ONLY_MASK) == 0) {
vstring_strcpy(reply.transport, message->filter_xport);
if ((nexthop = split_at(STR(reply.transport), ':')) == 0
|| *nexthop == 0)
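Review bot: the comment above the new DEL_REQ_TRACE_ONLY_MASK test should say explicitly that trace-only requests (sendmail -bv) are resolved and reported but never delivered, so skipping the content_filter cannot let unfiltered mail reach a recipient. As written, "Bypass content_filter inspection" reads like a filter-evasion path to anyone who does not already know what -bv does.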


@ -1,4 +1,4 @@
/* $NetBSD: smtp.c,v 1.1.1.8 2005/08/18 21:08:49 rpaulo Exp $ */
/* $NetBSD: smtp.c,v 1.1.1.9 2006/02/25 22:10:02 rpaulo Exp $ */
/*++
/* NAME
@ -87,6 +87,10 @@
/* Always send EHLO at the start of an SMTP session.
/* .IP "\fBsmtp_never_send_ehlo (no)\fR"
/* Never send EHLO at the start of an SMTP session.
/* .IP "\fBsmtp_cname_overrides_servername (yes)\fR"
/* Allow DNS CNAME records to override the servername that the
/* Postfix SMTP client uses for logging, SASL password lookup, TLS
/* policy decisions, or TLS certificate verification.
/* .IP "\fBsmtp_defer_if_no_mx_address_found (no)\fR"
/* Defer mail delivery when no MX record resolves to an IP address.
/* .IP "\fBsmtp_line_length_limit (990)\fR"
@ -499,6 +503,7 @@ bool var_smtp_tls_note_starttls_offer;
char *var_smtp_generic_maps;
char *var_prop_extension;
bool var_smtp_cname_overr;
/*
* Global variables. smtp_errno is set by the address lookup routines and by
@ -792,6 +797,7 @@ int main(int argc, char **argv)
VAR_SMTP_TLS_ENFORCE_PN, DEF_SMTP_TLS_ENFORCE_PN, &var_smtp_tls_enforce_peername,
VAR_SMTP_TLS_NOTEOFFER, DEF_SMTP_TLS_NOTEOFFER, &var_smtp_tls_note_starttls_offer,
#endif
VAR_SMTP_CNAME_OVERR, DEF_SMTP_CNAME_OVERR, &var_smtp_cname_overr,
0,
};


@ -1,4 +1,4 @@
/* $NetBSD: smtp.h,v 1.1.1.6 2005/08/18 21:08:50 rpaulo Exp $ */
/* $NetBSD: smtp.h,v 1.1.1.7 2006/02/25 22:10:03 rpaulo Exp $ */
/*++
/* NAME
@ -166,6 +166,12 @@ extern SSL_CTX *smtp_tls_ctx; /* client-side TLS engine */
#endif
/*
* What's in a name?
*/
#define SMTP_HNAME(rr) (var_smtp_cname_overr ? (rr)->rname : (rr)->qname)
/*
* smtp_session.c
*/
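Review bot: "What's in a name?" should be replaced by a comment that explains the macro: with smtp_cname_overrides_servername = yes the CNAME-expanded reply name is used (the old behaviour), with no the query name, i.e. the MX hostname or the [hostname] from the transport table. Also, no caller of SMTP_HNAME() appears in this excerpt; confirm the SMTP client's address and connect code was converted, since any remaining rr->name reference no longer compiles after the dns.h rename.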


@ -1,4 +1,4 @@
/* $NetBSD: smtp_session.c,v 1.1.1.3 2005/08/18 21:08:58 rpaulo Exp $ */
/* $NetBSD: smtp_session.c,v 1.1.1.4 2006/02/25 22:10:08 rpaulo Exp $ */
/*++
/* NAME
@ -130,14 +130,20 @@
#ifdef USE_TLS
/*
* Per-site policies can override main.cf settings.
* TLS enforcement level. Actual TLS policies will be NONE or higher.
*
* There are two pseudo levels: NOTFOUND is a sentinel value for the ease of
* implementation; MAY is a wild-card that indicates "anything goes".
*
* Non pseudo levels can also be used to indicate the actual security level of
* a session.
*/
typedef struct {
int dont_use; /* don't use TLS */
int use; /* useless, see above */
int enforce; /* must always use TLS */
int enforce_peername; /* must verify certificate name */
} SMTP_TLS_SITE_POLICY;
#define SMTP_TLS_LEV_NOTFOUND (-1) /* sentinel */
#define SMTP_TLS_LEV_NONE 0 /* plain-text only */
#define SMTP_TLS_LEV_MAY 1 /* wildcard */
#define SMTP_TLS_LEV_ENCRYPT 2 /* encrypted connection */
#define SMTP_TLS_LEV_VERIFY 3 /* certificate verified */
#define SMTP_TLS_LEV_STRICT 4 /* "secure" verification */
static MAPS *tls_per_site; /* lookup table(s) */
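Review bot: "MAY is a wild-card that indicates 'anything goes'" is misleading; in the code below MAY means opportunistic TLS that defers to a stronger global policy, and it is not overridden by a global NONE. Suggest: "MAY is a wild-card: it is replaced by the global policy when that is stronger, and otherwise means opportunistic TLS."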
@ -149,9 +155,21 @@ void smtp_tls_list_init(void)
DICT_FLAG_LOCK);
}
/* smtp_tls_policy_print - print policy level */
static void smtp_tls_policy_print(const char *name, int level)
{
msg_info("%s TLS level: %s", name,
level == SMTP_TLS_LEV_VERIFY ? "verify" :
level == SMTP_TLS_LEV_ENCRYPT ? "encrypt" :
level == SMTP_TLS_LEV_MAY ? "may" :
level == SMTP_TLS_LEV_NONE ? "none" :
"unknown");
}
/* smtp_tls_site_policy - look up per-site TLS policy */
static void smtp_tls_site_policy(SMTP_TLS_SITE_POLICY *policy,
static void smtp_tls_site_policy(int *site_level,
const char *site_name,
const char *site_class)
{
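Review bot: smtp_tls_policy_print() has no label for SMTP_TLS_LEV_STRICT, which is defined a few lines above, so a STRICT level would log as "unknown"; nothing else in this patch assigns that level either, and the switch in smtp_session_alloc() has no case for it. Either leave STRICT out of 2.2.9 or add the "strict" label here and handle it in the switch, rather than shipping a half-wired constant.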
@ -159,33 +177,101 @@ static void smtp_tls_site_policy(SMTP_TLS_SITE_POLICY *policy,
char *lookup_key;
/*
* Initialize the default policy.
*/
policy->dont_use = 0;
policy->use = 0;
policy->enforce = 0;
policy->enforce_peername = 0;
/*
* Look up a non-default policy.
* Look up a non-default policy. In case of multiple lookup results, the
* precedence order is a permutation of the TLS enforcement level order:
* VERIFY, ENCRYPT, NONE, MAY, NOTFOUND. I.e. we override MAY with a more
* specific policy including NONE, otherwise we choose the stronger
* enforcement level.
*/
lookup_key = lowercase(mystrdup(site_name));
if ((lookup = maps_find(tls_per_site, lookup_key, 0)) != 0) {
if (!strcasecmp(lookup, "NONE"))
policy->dont_use = 1;
else if (!strcasecmp(lookup, "MAY"))
policy->use = 1;
else if (!strcasecmp(lookup, "MUST"))
policy->enforce = policy->enforce_peername = 1;
else if (!strcasecmp(lookup, "MUST_NOPEERMATCH"))
policy->enforce = 1;
else
if (!strcasecmp(lookup, "NONE")) {
/* NONE overrides MAY or NOTFOUND. */
if (*site_level <= SMTP_TLS_LEV_MAY)
*site_level = SMTP_TLS_LEV_NONE;
} else if (!strcasecmp(lookup, "MAY")) {
/* MAY overrides NOTFOUND but not NONE. */
if (*site_level < SMTP_TLS_LEV_NONE)
*site_level = SMTP_TLS_LEV_MAY;
} else if (!strcasecmp(lookup, "MUST_NOPEERMATCH")) {
if (*site_level < SMTP_TLS_LEV_ENCRYPT)
*site_level = SMTP_TLS_LEV_ENCRYPT;
} else if (!strcasecmp(lookup, "MUST")) {
if (*site_level < SMTP_TLS_LEV_VERIFY)
*site_level = SMTP_TLS_LEV_VERIFY;
} else {
msg_warn("Table %s: ignoring unknown TLS policy '%s' for %s %s",
var_smtp_tls_per_site, lookup, site_class, site_name);
}
}
myfree(lookup_key);
}
/* smtp_tls_level_init - configure session TLS enforcement level */
static int smtp_tls_level_init(const char *dest, const char *host)
{
int global_level;
int site_level;
int tls_level;
/*
* Compute the global TLS policy. This is the default policy level when
* no per-site policy exists. It also is used to override a wild-card
* per-site policy.
*/
if (var_smtp_enforce_tls)
global_level = var_smtp_tls_enforce_peername ?
SMTP_TLS_LEV_VERIFY : SMTP_TLS_LEV_ENCRYPT;
else
global_level = var_smtp_use_tls ?
SMTP_TLS_LEV_MAY : SMTP_TLS_LEV_NONE;
if (msg_verbose)
smtp_tls_policy_print("global", global_level);
/*
* Compute the per-site TLS enforcement level. For compatibility with the
* original TLS patch, this algorithm is gives equal precedence to host
* and next-hop policies.
*/
site_level = SMTP_TLS_LEV_NOTFOUND;
if (tls_per_site) {
smtp_tls_site_policy(&site_level, dest, "next-hop destination");
if (strcasecmp(dest, host) != 0)
smtp_tls_site_policy(&site_level, host, "server hostname");
if (msg_verbose)
smtp_tls_policy_print("site", site_level);
}
/*
* Override a wild-card per-site policy with a more specific global
* policy.
*
* With the original TLS patch, 1) a per-site ENCRYPT could not override a
* global VERIFY, and 2) a combined per-site (NONE+MAY) policy produced
* inconsistent results: it changed a global VERIFY into NONE, while
* producing MAY with all weaker global policy settings.
*
* With the current implementation, a combined per-site (NONE+MAY)
* consistently overrides global policy with NONE, and global policy can
* override only a per-site MAY wildcard. That is, specific policies
* consistently override wildcard policies, and (non-wildcard) per-site
* policies consistently override global policies.
*/
if (site_level == SMTP_TLS_LEV_NOTFOUND
|| (site_level == SMTP_TLS_LEV_MAY
&& global_level > SMTP_TLS_LEV_MAY))
tls_level = global_level;
else
tls_level = site_level;
if (msg_verbose && tls_per_site)
smtp_tls_policy_print("effective", tls_level);
return (tls_level);
}
#endif
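Review bot: typo in the comment above the per-site lookups: "this algorithm is gives equal precedence" should read "this algorithm gives equal precedence". The closing comment should also state outright that a global NONE (smtp_use_tls = no) does not override a per-site MAY, because the override test only fires for global_level > MAY; this matches the old "host_policy.use || rcpt_policy.use" behaviour, but readers of the new code should not have to derive it from the comparison.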
/* smtp_session_alloc - allocate and initialize SMTP_SESSION structure */
@ -196,12 +282,6 @@ SMTP_SESSION *smtp_session_alloc(VSTREAM *stream, const char *dest,
{
SMTP_SESSION *session;
#ifdef USE_TLS
SMTP_TLS_SITE_POLICY host_policy;
SMTP_TLS_SITE_POLICY rcpt_policy;
#endif
session = (SMTP_SESSION *) mymalloc(sizeof(*session));
session->stream = stream;
session->dest = mystrdup(dest);
@ -238,39 +318,14 @@ SMTP_SESSION *smtp_session_alloc(VSTREAM *stream, const char *dest,
session->tls_enforce_peername = 0;
session->tls_context = 0;
session->tls_info = tls_info_zero;
/*
* Override the main.cf TLS policy with an optional per-site policy.
*/
if (smtp_tls_ctx != 0) {
smtp_tls_site_policy(&host_policy, host, "receiving host");
smtp_tls_site_policy(&rcpt_policy, dest, "recipient domain");
/*
* Set up TLS enforcement for this session.
*/
if ((var_smtp_enforce_tls && !host_policy.dont_use && !rcpt_policy.dont_use)
|| host_policy.enforce || rcpt_policy.enforce)
session->tls_enforce_tls = session->tls_use_tls = 1;
/*
* Set up peername checking for this session.
*
* We want to make sure that a MUST* entry in the tls_per_site table
* always has precedence. MUST always must lead to a peername check,
* MUST_NOPEERMATCH must always disable it. Only when no explicit
* setting has been found, the default will be used. There is the
* case left, that both "host" and "recipient" settings conflict. In
* this case, the "host" setting wins.
*/
if (host_policy.enforce && host_policy.enforce_peername)
session->tls_enforce_peername = 1;
else if (rcpt_policy.enforce && rcpt_policy.enforce_peername)
session->tls_enforce_peername = 1;
else if (var_smtp_enforce_tls && var_smtp_tls_enforce_peername)
session->tls_enforce_peername = 1;
else if ((var_smtp_use_tls && !host_policy.dont_use && !rcpt_policy.dont_use) || host_policy.use || rcpt_policy.use)
session->tls_use_tls = 1;
switch (smtp_tls_level_init(dest, host)) {
case SMTP_TLS_LEV_VERIFY:
session->tls_enforce_peername = 1;
case SMTP_TLS_LEV_ENCRYPT:
session->tls_enforce_tls = 1;
case SMTP_TLS_LEV_MAY:
session->tls_use_tls = 1;
break;
}
#endif
debug_peer_check(host, addr);
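Review bot: the switch deliberately falls through VERIFY -> ENCRYPT -> MAY; add /* FALLTHROUGH */ comments so lint and future editors do not insert breaks. There is also no default: a level outside the handled values (including SMTP_TLS_LEV_STRICT, defined above) silently leaves the session in plaintext; a "default: msg_panic(...)" would make that failure loud instead of downgrading.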


@ -107,8 +107,8 @@ OK
>>> mail sname@sdomain
OK
>>> rcpt rname@rdomain
./smtpd_check: <queue id>: reject: RCPT from spike.porcupine.org[168.100.189.2]: 554 Service unavailable; Helo command [example.tld] blocked using abuse.rfc-ignorant.org; Not supporting abuse@domain; from=<sname@sdomain> to=<rname@rdomain> proto=SMTP helo=<example.tld>
554 Service unavailable; Helo command [example.tld] blocked using abuse.rfc-ignorant.org; Not supporting abuse@domain
./smtpd_check: <queue id>: reject: RCPT from spike.porcupine.org[168.100.189.2]: 554 Service unavailable; Helo command [example.tld] blocked using abuse.rfc-ignorant.org; Not supporting abuse@example.tld; from=<sname@sdomain> to=<rname@rdomain> proto=SMTP helo=<example.tld>
554 Service unavailable; Helo command [example.tld] blocked using abuse.rfc-ignorant.org; Not supporting abuse@example.tld
>>> #
>>> # Check MX access
>>> #


@ -1,4 +1,4 @@
/* $NetBSD: rewrite.c,v 1.1.1.7 2005/08/18 21:09:45 rpaulo Exp $ */
/* $NetBSD: rewrite.c,v 1.1.1.8 2006/02/25 22:10:35 rpaulo Exp $ */
/*++
/* NAME
@ -175,7 +175,8 @@ void rewrite_tree(RWR_CONTEXT *context, TOK822 *tree)
/*
* Append missing @origin
*/
else if (var_append_at_myorigin != 0) {
else if (var_append_at_myorigin != 0
&& context->origin[0][0] != 0) {
domain = tok822_sub_append(tree, tok822_alloc('@', (char *) 0));
tok822_sub_append(tree, tok822_scan(REW_PARAM_VALUE(context->origin),
(TOK822 **) 0));
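Review bot: the new guard tests context->origin[0][0] while the value actually appended comes from REW_PARAM_VALUE(context->origin). Use the same accessor in both places, e.g. "*REW_PARAM_VALUE(context->origin) != 0", so the emptiness check cannot diverge from the value used if the macro's indirection ever changes; the same applies to the context->domain[0][0] test in the next hunk.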
@ -188,6 +189,7 @@ void rewrite_tree(RWR_CONTEXT *context, TOK822 *tree)
* alone.
*/
if (var_append_dot_mydomain != 0
&& context->domain[0][0] != 0
&& (domain = tok822_rfind_type(tree->tail, '@')) != 0
&& domain != tree->tail
&& tok822_find_type(domain, TOK822_DOMLIT) == 0


@ -1,4 +1,4 @@
/* $NetBSD: inet_util.c,v 1.1.1.5 2006/01/05 02:17:36 rpaulo Exp $ */
/* $NetBSD: inet_util.c,v 1.1.1.6 2006/02/25 22:10:55 rpaulo Exp $ */
/*++
/* NAME


@ -1,4 +1,4 @@
/* $NetBSD: inet_util.h,v 1.1.1.5 2006/01/05 02:17:39 rpaulo Exp $ */
/* $NetBSD: inet_util.h,v 1.1.1.6 2006/02/25 22:10:55 rpaulo Exp $ */
#ifndef _INET_UTIL_H_INCLUDED_
#define _INET_UTIL_H_INCLUDED_