From b540f1d62fb2ea4d1e754d9d4fb6a1061cf0706e Mon Sep 17 00:00:00 2001 From: rpaulo Date: Sat, 25 Feb 2006 22:04:07 +0000 Subject: [PATCH] postfix 2.2.9 --- gnu/dist/postfix/HISTORY | 78 +++++ .../postfix/README_FILES/SCHEDULER_README | 2 +- gnu/dist/postfix/README_FILES/TLS_README | 247 +++++++++----- gnu/dist/postfix/html/SCHEDULER_README.html | 2 +- gnu/dist/postfix/html/TLS_README.html | 314 +++++++++++++----- gnu/dist/postfix/html/postconf.5.html | 102 ++++-- gnu/dist/postfix/html/smtp.8.html | 206 ++++++------ gnu/dist/postfix/man/man8/smtp.8 | 6 +- gnu/dist/postfix/mantools/postlink | 1 + gnu/dist/postfix/proto/SCHEDULER_README.html | 2 +- gnu/dist/postfix/proto/TLS_README.html | 314 +++++++++++++----- gnu/dist/postfix/proto/postconf.proto | 98 ++++-- gnu/dist/postfix/src/cleanup/cleanup_api.c | 10 +- gnu/dist/postfix/src/dns/dns.h | 8 +- gnu/dist/postfix/src/dns/dns_rr.c | 22 +- gnu/dist/postfix/src/dns/dns_sa_to_rr.c | 6 +- gnu/dist/postfix/src/dns/test_dns_lookup.c | 4 +- gnu/dist/postfix/src/global/ehlo_mask.ref | 4 +- gnu/dist/postfix/src/global/input_transp.c | 4 +- gnu/dist/postfix/src/global/mail_addr_find.c | 7 +- gnu/dist/postfix/src/global/mail_version.h | 6 +- gnu/dist/postfix/src/lmtp/lmtp_addr.c | 4 +- gnu/dist/postfix/src/lmtp/lmtp_connect.c | 6 +- gnu/dist/postfix/src/local/local.c | 4 +- gnu/dist/postfix/src/oqmgr/qmgr_message.c | 10 +- gnu/dist/postfix/src/smtp/smtp.c | 8 +- gnu/dist/postfix/src/smtp/smtp.h | 8 +- gnu/dist/postfix/src/smtp/smtp_session.c | 187 +++++++---- gnu/dist/postfix/src/smtpd/smtpd_exp.ref | 4 +- .../postfix/src/trivial-rewrite/rewrite.c | 6 +- gnu/dist/postfix/src/util/inet_util.c | 2 +- gnu/dist/postfix/src/util/inet_util.h | 2 +- 32 files changed, 1169 insertions(+), 515 deletions(-) diff --git a/gnu/dist/postfix/HISTORY b/gnu/dist/postfix/HISTORY index a6fac711b4ae..0fea8fb362b2 100644 --- a/gnu/dist/postfix/HISTORY +++ b/gnu/dist/postfix/HISTORY @@ -10794,3 +10794,81 @@ Apologies for any names omitted. Portability: FreeBSD 6 is a supported platform. Files: util/sys_defs.h, makedefs. + +20010604 + + Safety: new "smtp_cname_overrides_servername" parameter. + The default value ("yes") is backwards compatible. + + With a value of "no", the Postfix SMTP client no longer + allows CNAME expansion to override the hostname that is + used for logging, SASL password lookup, TLS policy decisions, + or TLS certificate verification. Instead it uses the name + of the recipient domain, the host or domain name specified + in Postfix configuration files, or the hostnames obtained + with MX lookups. To prevent cheating with hostnames in MX + lookup results, you will have to suppress MX lookups with + explicit [hostname] entries in transport maps. Files: + dns/dns_lookup.c, dns/dns_rr.c, proto/postconf.proto. + +20060108 + + Bugfix: mailbox_command_maps was not subject to $name + expansion. File: local/local.c. + +20060115 + + Bugfix: don't ignore the per-site policy when SSL library + initialization fails. Introduced after adopting the TLS + patch. File: smtp/smtp_session.c. + +20060121 + + Bugfix: a TLS per-site MUST_NOPEERMATCH policy could not + override a stronger main.cf policy, while a per-site NONE + policy could. Fixed with a clean re-implementation from + Postfix 2.3. File: smtp/smtp_session.c. + + Bugfix: a combined TLS per-site (host, recipient) policy + of (NONE, MAY) changed a global MUST policy into NONE, and + a global MUST_NOPEERMATCH into MAY. The result is now NONE. + Problem found by exhaustive simulation. Fixed with a clean + re-implementation from Postfix 2.3. File: smtp/smtp_session.c. + +20060130 + + Bugfix: an empty remote_header_rewrite_domain value caused + trivial-rewrite to dereference a null pointer, but only in + regression tests, not in production. Postfix rewrites + addresses in the remote rewriting context only when the + remote_header_rewrite_domain parameter value is non-empty. + File: trivial-rewrite/rewrite.c. + +20060202 + + Workaround: a malformed domain name lookup result (such as + null MX record) is now treated as a hard error, so that + Postfix will no longer repeatedly try to deliver mail until + the message expires in the queue. However, this will not + reject mail with reject_unknown_sender/recipient_domain. + That would require too much change for a stable release. + File: dns/dns_lookup.c. + +20060203 + + Bugfix: smtpd core dump when SASL is compiled in, turned + off (smtpd_sasl_auth_enable = no) and permit_sasl_authenticated + is specified in local_header_rewrite_clients. Victor Duchovni. + File: smtpd/smtpd_check.c. + +20060204 + + Bugfix: disable the content_filter feature for user-requested + "sendmail -bv" probes, just like it is disabled for probes + generated by Postfix itself. File: *qmgr/qmgr_message.c. + +20060212 + + Workaround: don't consume in_flow tokens when incoming mail + is placed on hold. Back-ported from Postfix 2.3. File: + cleanup/cleanup_api.c. diff --git a/gnu/dist/postfix/README_FILES/SCHEDULER_README b/gnu/dist/postfix/README_FILES/SCHEDULER_README index ec924e9064b4..f94581196b1e 100644 --- a/gnu/dist/postfix/README_FILES/SCHEDULER_README +++ b/gnu/dist/postfix/README_FILES/SCHEDULER_README @@ -43,7 +43,7 @@ how next message is chosen when delivery agent becomes available. You already know that oqmgr(8) uses round-robin by destination while qmgr(8) uses simple FIFO, except for some preemptive magic. The postconf(5) manual documents all the knobs the user can use to control this preemptive magic - there is nothing -else to the preemption than the quite simple conditions described below. +else to the preemption than the quite simple conditions described in there. As for programmer-level documentation, this will have to be extracted from all those emails we have exchanged with Wietse [rats! I hoped that Patrik would do diff --git a/gnu/dist/postfix/README_FILES/TLS_README b/gnu/dist/postfix/README_FILES/TLS_README index 25d0aa43d312..ba9fb6d10a0d 100644 --- a/gnu/dist/postfix/README_FILES/TLS_README +++ b/gnu/dist/postfix/README_FILES/TLS_README @@ -68,6 +68,11 @@ To build Postfix with TLS support, first we need to generate the make(1) files with the necessary definitions. This is done by invoking the command "make makefiles" in the Postfix top-level directory and with arguments as shown next. +NNOOTTEE:: DDoo nnoott uussee GGnnuu TTLLSS.. IItt wwiillll ssppoonnttaanneeoouussllyy tteerrmmiinnaattee aa PPoossttffiixx ddaaeemmoonn +pprroocceessss wwiitthh eexxiitt ssttaattuuss ccooddee 22,, iinnsstteeaadd ooff aalllloowwiinngg PPoossttffiixx ttoo 11)) rreeppoorrtt tthhee +eerrrroorr ttoo tthhee mmaaiilllloogg ffiillee,, aanndd ttoo 22)) pprroovviiddee ppllaaiinntteexxtt sseerrvviiccee wwhheerree tthhiiss iiss +aapppprroopprriiaattee.. + * If the OpenSSL include files (such as ssl.h) are in directory /usr/include/ openssl, and the OpenSSL libraries (such as libssl.so and libcrypto.so) are in directory /usr/lib: @@ -364,7 +369,9 @@ between multiple smtpd(8) processes, a persistent session cache can be used. You can specify any database type that can store objects of several kbytes and that supports the sequence operator. DBM databases are not suitable because they can only store small objects. The cache is maintained by the tlsmgr(8) -process, so there is no problem with concurrent access. +process, so there is no problem with concurrent access. Session caching is +highly recommended, because the cost of repeatedly negotiating TLS session keys +is high. Example: @@ -420,7 +427,7 @@ Example: ... The Postfix list manipulation routines give special treatment to whitespace and -some other characters, making the use of certificate names unpractical. Instead +some other characters, making the use of certificate names impractical. Instead we use the certificate fingerprints as they are difficult to fake but easy to use for lookup. Postfix lookup tables are in the form of (key, value) pairs. Since we only need the key, the value can be chosen freely, e.g. the name of @@ -485,7 +492,12 @@ Topics covered in this section: * Client-side TLS activity logging * Client-side TLS session cache * Enabling TLS in the Postfix SMTP client - * Server certificate verification + * Requiring TLS encryption + * Disabling server certificate verification + * Per-site TLS policies + * Closing a DNS loophole with per-site TLS policies + * Discovering servers that support TLS + * Server certificate verification depth * Client-side cipher controls * Miscellaneous client controls @@ -530,12 +542,12 @@ If you want the Postfix SMTP client to accept remote SMTP server certificates issued by these CAs, append the root certificate to $smtp_tls_CAfile or install it in the $smtp_tls_CApath directory. When you configure trust in a root CA, it is not necessary to explicitly trust intermediary CAs signed by the root CA, -unless $smtp_tls_verify_depth is less than the number of CAs in the certificate -chain for the servers of interest. With a verify depth of 1 you can only verify -certificates directly signed by a trusted CA, and all trusted intermediary CAs -need to be configured explicitly. With a verify depth of 2 you can verify -servers signed by a root CA or a direct intermediary CA (so long as the server -is correctly configured to supply its intermediate CA certificate). +unless $smtp_tls_scert_verifydepth is less than the number of CAs in the +certificate chain for the servers of interest. With a verify depth of 1 you can +only verify certificates directly signed by a trusted CA, and all trusted +intermediary CAs need to be configured explicitly. With a verify depth of 2 you +can verify servers signed by a root CA or a direct intermediary CA (so long as +the server is correctly configured to supply its intermediate CA certificate). RSA key and certificate examples: @@ -608,7 +620,10 @@ between multiple smtp(8) processes, a persistent session cache can be used. You can specify any database type that can store objects of several kbytes and that supports the sequence operator. DBM databases are not suitable because they can only store small objects. The cache is maintained by the tlsmgr(8) process, so -there is no problem with concurrent access. +there is no problem with concurrent access. Session caching is highly +recommended, because the cost of repeatedly negotiating TLS session keys is +high. Future Postfix SMTP servers may limit the number of sessions that a +client is allowed to negotiate per unit time. Example: @@ -630,20 +645,19 @@ By default, TLS is disabled in the Postfix SMTP client, so no difference to plain Postfix is visible. If you enable TLS, the Postfix SMTP client will send STARTTLS when TLS support is announced by the remote SMTP server. -WARNING: MS Exchange servers will announce STARTTLS support even when the -service is not configured, so that the TLS handshake will fail. It may be wise -to not use this option on your central mail hub, as you don't know in advance -whether you are going to connect to such a host. Instead, use the -smtp_tls_per_site recipient/site specific options that are described below. - -When the TLS handshake fails and no other server is available, the Postfix SMTP -client defers the delivery attempt, and the mail stays in the queue. +When the server accepts the STARTTLS command, but the subsequent TLS handshake +fails, and no other server is available, the Postfix SMTP client defers the +delivery attempt, and the mail stays in the queue. After a handshake failure, +the communications channel is in an indeterminate state and cannot be used for +non-TLS deliveries. Example: /etc/postfix/main.cf: smtp_use_tls = yes +RReeqquuiirriinngg TTLLSS eennccrryyppttiioonn + You can ENFORCE the use of TLS, so that the Postfix SMTP client will not deliver mail over unencrypted connections. In this mode, the remote SMTP server hostname must match the information in the remote server certificate, and the @@ -652,21 +666,22 @@ client. If the remote server certificate doesn't verify or the remote SMTP server hostname doesn't match, and no other server is available, the delivery attempt is deferred and the mail stays in the queue. -The remote SMTP server hostname used in the check is beyond question, as it -must be the principal hostname (no CNAME allowed here). Checks are performed -against all names provided as dNSNames in the SubjectAlternativeName. If no -dNSNames are specified, the CommonName is checked. The behavior may be changed -with the smtp_tls_enforce_peername option which is discussed below. +The remote SMTP server hostname is verified against all names provided as +dNSNames in the SubjectAlternativeName. If no dNSNames are specified, the +CommonName is checked. Verification may be turned off with the +smtp_tls_enforce_peername option which is discussed below. -This option is useful only if you know that you will only connect to servers -that support RFC 2487 _and_ that present server certificates that meet the -above requirements. An example would be a client only sends email to one +Enforcing the use of TLS is useful if you know that you will only connect to +servers that support RFC 2487 _and_ that present server certificates that meet +the above requirements. An example would be a client only sends email to one specific mailhub that offers the necessary STARTTLS support. Example: /etc/postfix/main.cf: - smtp_enforce_tls = no + smtp_enforce_tls = yes + +DDiissaabblliinngg sseerrvveerr cceerrttiiffiiccaattee vveerriiffiiccaattiioonn As of RFC 2487 the requirements for hostname checking for MTA clients are not set. When TLS is required (smtp_enforce_tls = yes), the option @@ -674,79 +689,140 @@ smtp_tls_enforce_peername can be set to "no" to disable strict remote SMTP server hostname checking. In this case, the mail delivery will proceed regardless of the CommonName etc. listed in the certificate. -Note: the smtp_tls_enforce_peername setting has no effect on sessions that are -controlled via the smtp_tls_per_site table. - -Disabling the remote SMTP server hostname verification can make sense in closed -environment where special CAs are created. If not used carefully, this option -opens the danger of a "man-in-the-middle" attack (the CommonName of this -possible attacker is logged). +Despite the potential for eliminating "man-in-the-middle" and other attacks, +mandatory certificate/peername verification is not viable as a default Internet +mail delivery policy at this time. A significant fraction of TLS enabled MTAs +uses self-signed certificates, or certificates that are signed by a private +certificate authority. On a machine that delivers mail to the Internet, if you +set smtp_enforce_tls = yes, you should probably also set +smtp_tls_enforce_peername = no. You can use the per-site TLS policies (see +below) to enable full peer verification for specific destinations that are +known to have verifiable TLS server certificates. Example: /etc/postfix/main.cf: - smtp_tls_enforce_peername = yes + smtp_enforce_tls = yes + smtp_tls_enforce_peername = no -Generally, trying TLS can be a bad idea, as some servers offer STARTTLS but the -negotiation will fail leading to unexplainable failures. Instead, it may be a -good idea to choose the TLS usage policy based on the recipient or the mailhub -to which you are connecting. +PPeerr--ssiittee TTLLSS ppoolliicciieess -Deciding the TLS usage policy per recipient may be difficult, since a single -email delivery attempt can involve several recipients. Instead, use of TLS is -controlled by the Postfix next-hop destination domain name and by the remote -SMTP server hostname. If either of these matches an entry in the -smtp_tls_per_site table, appropriate action is taken. +A small fraction of servers offer STARTTLS but the negotiation consistently +fails, leading to mail aging out of the queue and bouncing back to the sender. +In such cases, you can use the per-site policies to disable TLS for the problem +sites. Alternatively, you can enable TLS for just a few specific sites and not +enable it for all sites. -The remote SMTP server hostname is simply the DNS name of the server that the -Postfix SMTP client connects to. The next-hop destination is Postfix specific. -By default, this is the domain name in the recipient address, but this -information can be overruled by the transport(5) table or by the relayhost -parameter setting. In these cases the relayhost etc. must be listed in the -smtp_tls_per_site table, instead of the recipient domain name. +The smtp_tls_per_site table is searched for a policy that matches the following +information: -Format of the table: domain or host names are specified on the left-hand side; -no wildcards are allowed. On the right hand side specify one of the following -keywords: + remote SMTP server hostname + This is simply the DNS name of the server that the Postfix SMTP client + connects to; this name may be obtained from other DNS lookups, such as + MX lookups or CNAME lookups. + next-hop destination + This is normally the domain portion of the recipient address, but it + may be overruled by information from the transport(5) table, from the + relayhost parameter setting, or from the relay_transport setting. When + it's not the recipient domain, the next-hop destination can have the + Postfix-specific form "[name]", [name]:port", "name" or "name:port". + +When both the hostname lookup and the next-hop lookup succeed, the host policy +does not automatically override the next-hop policy. Instead, precedence is +given to either the more specific or the more secure per-site policy as +described below. + +The smtp_tls_per_site table uses a simple "name whitespace value" format. +Specify host names or next-hop destinations on the left-hand side; no wildcards +are allowed. On the right hand side specify one of the following keywords: NONE - Don't use TLS at all. + Don't use TLS at all. This overrides a less specific MMAAYY lookup result + from the alternate host or next-hop lookup key, and overrides the + global smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername + settings. MAY - Try to use STARTTLS if offered, otherwise use the unencrypted - connection. + Try to use TLS if the server announces support, otherwise use the + unencrypted connection. This has less precedence than a more specific + result (including NNOONNEE) from the alternate host or next-hop lookup key, + and has less precedence than the more specific global "smtp_enforce_tls + = yes" or "smtp_tls_enforce_peername = yes". + MUST_NOPEERMATCH + Require TLS encryption, but do not require that the remote SMTP server + hostname matches the information in the remote SMTP server certificate, + or that the server certificate was issued by a trusted CA. This + overrides a less secure NNOONNEE or a less specific MMAAYY lookup result from + the alternate host or next-hop lookup key, and overrides the global + smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername settings. MUST - Require usage of STARTTLS, require that the remote SMTP server hostname + Require TLS encryption, require that the remote SMTP server hostname matches the information in the remote SMTP server certificate, and require that the remote SMTP server certificate was issued by a trusted - CA. - MUST_NOPEERMATCH - Require usage of STARTTLS, but do not require that the remote SMTP - server hostname matches the information in the remote SMTP server - certificate, or that the server certificate was issued by a trusted CA. + CA. This overrides a less secure NNOONNEE and MMUUSSTT__NNOOPPEEEERRMMAATTCCHH or a less + specific MMAAYY lookup result from the alternate host or next-hop lookup + key, and overrides the global smtp_use_tls, smtp_enforce_tls and + smtp_tls_enforce_peername settings. -The actual TLS usage policy depends not only on whether the next-hop -destination or remote SMTP server hostname are found in the smtp_tls_per_site -table, but also on the smtp_enforce_tls setting: +The precedences between global (main.cf) and per-site TLS policies can be +summarized as follows: - * If no match was found, the policy is applied as specified with - smtp_enforce_tls. + * When neither the remote SMTP server hostname nor the next-hop destination + are found in the smtp_tls_per_site table, the policy is based on + smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername. Note: + "smtp_enforce_tls = yes" and "smtp_tls_enforce_peername = yes" imply + "smtp_use_tls = yes". - * If a match was found, and the smtp_enforce_tls policy is "enforce", NONE - explicitly switches it off; otherwise the "enforce" mode is used even for - entries that specify MAY. + * When both hostname and next-hop destination lookups produce a result, the + more specific per-site policy (NONE, MUST, etc) overrides the less specific + one (MAY), and the more secure per-site policy (MUST, etc) overrides the + less secure one (NONE). -Special hint for TLS enforcement mode: since no secure DNS lookup mechanism is -available, mail can be delivered to the wrong remote SMTP server. This is not -prevented by specifying MUST for the next-hop domain name. The recommended -setup is: specify local transport(5) table entries for sensitive domains with -explicit smtp:[mailhost] destinations (since you can assure security of this -table unlike DNS), then specify MUST for these mail hosts in the -smtp_tls_per_site table. + * After the per-site policy lookups are combined, the result generally + overrides the global policy. The exception is the less specific MMAAYY per- + site policy, which is overruled by the more specific global + "smtp_enforce_tls = yes" with server certificate verification as specified + with the smtp_tls_enforce_peername parameter. + +CClloossiinngg aa DDNNSS lloooopphhoollee wwiitthh ppeerr--ssiittee TTLLSS ppoolliicciieess + +As long as no secure DNS lookup mechanism is available, false hostnames in MX +or CNAME responses can change the server hostname that Postfix uses for TLS +policy lookup and server certificate verification. Even with a perfect match +between the server hostname and the server certificate, there is no guarantee +that Postfix is connected to the right server. To avoid this loophole take the +following steps: + + * Eliminate MX lookups. Specify local transport(5) table entries for + sensitive domains with explicit smtp:[mailhost] or smtp:[mailhost]:port + destinations (you can assure security of this table unlike DNS); in the + smtp_tls_per_site table specify the value MMUUSSTT for the key [mailhost] or + smtp:[mailhost]:port. This prevents false hostname information in DNS MX + records from changing the server hostname that Postfix uses for TLS policy + lookup and server certificate verification. + + * Disallow CNAME hostname overrides. In main.cf specify + "smtp_cname_overrides_servername = no". This prevents false hostname + information in DNS CNAME records from changing the server hostname that + Postfix uses for TLS policy lookup and server certificate verification. + This feature requires Postfix 2.2.9 or later. Example: /etc/postfix/main.cf: smtp_tls_per_site = hash:/etc/postfix/tls_per_site + relayhost = [msa.example.net]:587 + + /etc/postfix/tls_per_site: + # relayhost exact nexthop match + [msa.example.net]:587 MUST + + # TLS should not be used with the example.org MX hosts. + example.org NONE + + # TLS should not be used with the host smtp.example.com. + smtp.example.com NONE + +DDiissccoovveerriinngg sseerrvveerrss tthhaatt ssuuppppoorrtt TTLLSS As we decide on a "per site" basis whether or not to use TLS, it would be good to have a list of sites that offered "STARTTLS". We can collect it ourselves @@ -763,7 +839,7 @@ Example: /etc/postfix/main.cf: smtp_tls_note_starttls_offer = yes -SSeerrvveerr cceerrttiiffiiccaattee vveerriiffiiccaattiioonn +SSeerrvveerr cceerrttiiffiiccaattee vveerriiffiiccaattiioonn ddeepptthh When verifying a remote SMTP server certificate, a verification depth of 1 is sufficient if the certificate is directly issued by a CA specified with @@ -1012,10 +1088,25 @@ J and in order to access the TLS session cache databases. Such a protocol cannot be run across fifos. + * smtp_tls_per_site: the MUST_NOPEERMATCH per-site policy cannot override the + global "smtp_tls_enforce_peername = yes" setting. + + * smtp_tls_per_site: a combined (NONE + MAY) lookup result for (hostname and + next-hop destination) produces counter-intuitive results for different + main.cf settings. TLS is enabled with "smtp_tls_enforce_peername = no", but + it is disabled when both "smtp_enforce_tls = yes" and + "smtp_tls_enforce_peername = yes". + +The smtp_tls_per_site limitations were removed by the end of the Postfix 2.2 +support cycle. + CCrreeddiittss * TLS support for Postfix was originally developed by Lutz Jänicke at Cottbus Technical University. * Wietse Venema adopted the code, did some restructuring, and compiled this part of the documentation from Lutz's documents. + * Victor Duchovni was instrumental with the re-implementation of the + smtp_tls_per_site code in terms of enforcement levels, which simplified the + implementation greatly. diff --git a/gnu/dist/postfix/html/SCHEDULER_README.html b/gnu/dist/postfix/html/SCHEDULER_README.html index d2a0973f05da..25f56a51aae9 100644 --- a/gnu/dist/postfix/html/SCHEDULER_README.html +++ b/gnu/dist/postfix/html/SCHEDULER_README.html @@ -68,7 +68,7 @@ available. You already know that oqmgr(8) uses round- while qmgr(8) uses simple FIFO, except for some preemptive magic. The postconf(5) manual documents all the knobs the user can use to control this preemptive magic - there is nothing else -to the preemption than the quite simple conditions described below. +to the preemption than the quite simple conditions described in there.

As for programmer-level documentation, this will have to be diff --git a/gnu/dist/postfix/html/TLS_README.html b/gnu/dist/postfix/html/TLS_README.html index cf4b4c6e289d..f34021436243 100644 --- a/gnu/dist/postfix/html/TLS_README.html +++ b/gnu/dist/postfix/html/TLS_README.html @@ -129,6 +129,11 @@ the make(1) files with the necessary definitions. This is done by invoking the command "make makefiles" in the Postfix top-level directory and with arguments as shown next.

+

NOTE: Do not use Gnu TLS. It will spontaneously terminate +a Postfix daemon process with exit status code 2, instead of allowing +Postfix to 1) report the error to the maillog file, and to 2) provide +plaintext service where this is appropriate.

+ +

The smtp_tls_per_site limitations were removed by the end of +the Postfix 2.2 support cycle.

+

Credits

diff --git a/gnu/dist/postfix/html/postconf.5.html b/gnu/dist/postfix/html/postconf.5.html index c9d1260c148c..208c1f71040a 100644 --- a/gnu/dist/postfix/html/postconf.5.html +++ b/gnu/dist/postfix/html/postconf.5.html @@ -3352,7 +3352,7 @@ is suitable for, e.g., pop-before-smtp lookup tables.

Examples:

-

The Postfix < 2.2 backwards compatible setting: always rewrite +

The Postfix < 2.2 backwards compatible setting: always rewrite message headers, and always append my own domain to incomplete header addresses.

@@ -5765,6 +5765,21 @@ IP hosting, but can be a problem on multi-homed firewalls. See the but this form is not recommended here.

+ + +
smtp_cname_overrides_servername +(default: yes)
+ +

Allow DNS CNAME records to override the servername that the +Postfix SMTP client uses for logging, SASL password lookup, TLS +policy decisions, or TLS certificate verification. The default value +(yes) is backwards compatible. Specify "no" to harden Postfix 2.2 +smtp_tls_per_site hostname-based policies against false hostname +information in DNS CNAME records.

+ +

This feature is available in Postfix 2.2.9 and later.

+ +
smtp_connect_timeout @@ -6736,38 +6751,79 @@ postfix/smtp[pid]: Host offered STARTTLS: [name.of.host] (default: empty)

Optional lookup tables with the Postfix SMTP client TLS usage -policy by next-hop domain name and by remote SMTP server hostname. -

+policy by next-hop destination and by remote SMTP server hostname. +When both lookups succeed, the more specific per-site policy (NONE, +MUST, etc) overrides the less specific one (MAY), and the more +secure per-site policy (MUST, etc) overrides the less secure one +(NONE).

-

Table format: domain names or server hostnames are specified -on the left-hand side; no wildcards are allowed. On the right hand -side specify one of the following keywords:

+

Specify a next-hop destination or server hostname on the left-hand +side; no wildcards are allowed. The next-hop destination is either +the recipient domain, or the destination specified with a transport(5) +table, the relayhost parameter, or the relay_transport parameter. +On the right hand side specify one of the following keywords:

-
NONE
Don't use TLS at all.
+
NONE
Don't use TLS at all. This overrides a less +specific MAY lookup result from the alternate host or next-hop +lookup key, and overrides the global smtp_use_tls, smtp_enforce_tls, +and smtp_tls_enforce_peername settings.
-
MAY
Try to use STARTTLS if offered, otherwise use -the unencrypted connection.
+
MAY
Try to use TLS if the server announces support, +otherwise use the unencrypted connection. This has less precedence +than a more specific result (including NONE) from the alternate +host or next-hop lookup key, and has less precedence than the more +specific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peername += yes".
-
MUST
Require usage of STARTTLS, require that the -remote SMTP server hostname matches the information in the remote -SMTP server certificate, and require that the remote SMTP server -certificate was issued by a trusted CA.
+
MUST_NOPEERMATCH
Require TLS encryption, but do not +require that the remote SMTP server hostname matches the information +in the remote SMTP server certificate, or that the server certificate +was issued by a trusted CA. This overrides a less secure NONE +or a less specific MAY lookup result from the alternate host +or next-hop lookup key, and overrides the global smtp_use_tls, +smtp_enforce_tls and smtp_tls_enforce_peername settings.
-
MUST_NOPEERMATCH
Require usage of STARTTLS, but do -not require that the remote SMTP server hostname matches the -information in the remote SMTP server certificate, or that the -server certificate was issued by a trusted CA.
+
MUST
Require TLS encryption, require that the remote +SMTP server hostname matches the information in the remote SMTP +server certificate, and require that the remote SMTP server certificate +was issued by a trusted CA. This overrides a less secure NONE +and MUST_NOPEERMATCH or a less specific MAY lookup +result from the alternate host or next-hop lookup key, and overrides +the global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername +settings.
-

Special hint for enforcement mode: since no secure DNS lookup -mechanism is available, the recommended setup is: specify local -transport(5) table entries for sensitive domains with explicit -smtp:[mailhost] destinations (since you can assure security of this -table unlike DNS), then specify MUST for these mail hosts in the -smtp_tls_per_site table.

+

As long as no secure DNS lookup mechanism is available, false +hostnames in MX or CNAME responses can change the server hostname +that Postfix uses for TLS policy lookup and server certificate +verification. Even with a perfect match between the server hostname +and the server certificate, there is no guarantee that Postfix is +connected to the right server. To avoid this loophole take the +following steps:

+ + + +

diff --git a/gnu/dist/postfix/html/smtp.8.html b/gnu/dist/postfix/html/smtp.8.html index 95c51c2a9d35..14c20b2fde7a 100644 --- a/gnu/dist/postfix/html/smtp.8.html +++ b/gnu/dist/postfix/html/smtp.8.html @@ -99,8 +99,14 @@ SMTP(8) SMTP(8) smtp_never_send_ehlo (no) Never send EHLO at the start of an SMTP session. + smtp_cname_overrides_servername (yes) + Allow DNS CNAME records to override the servername + that the Postfix SMTP client uses for logging, SASL + password lookup, TLS policy decisions, or TLS cer- + tificate verification. + smtp_defer_if_no_mx_address_found (no) - Defer mail delivery when no MX record resolves to + Defer mail delivery when no MX record resolves to an IP address. smtp_line_length_limit (990) @@ -108,17 +114,17 @@ SMTP(8) SMTP(8) that Postfix will send via SMTP. smtp_pix_workaround_delay_time (10s) - How long the Postfix SMTP client pauses before + How long the Postfix SMTP client pauses before sending ".<CR><LF>" in order to work around the PIX firewall "<CR><LF>.<CR><LF>" bug. smtp_pix_workaround_threshold_time (500s) - How long a message must be queued before the PIX - firewall "<CR><LF>.<CR><LF>" bug workaround is + How long a message must be queued before the PIX + firewall "<CR><LF>.<CR><LF>" bug workaround is turned on. smtp_quote_rfc821_envelope (yes) - Quote addresses in SMTP MAIL FROM and RCPT TO com- + Quote addresses in SMTP MAIL FROM and RCPT TO com- mands as required by RFC 821. smtp_skip_5xx_greeting (yes) @@ -126,7 +132,7 @@ SMTP(8) SMTP(8) (go away, do not try again later). smtp_skip_quit_response (yes) - Do not wait for the response to the SMTP QUIT com- + Do not wait for the response to the SMTP QUIT com- mand. Available in Postfix version 2.0 and earlier: @@ -138,21 +144,21 @@ SMTP(8) SMTP(8) Available in Postfix version 2.2 and later: smtp_discard_ehlo_keyword_address_maps (empty) - Lookup tables, indexed by the remote SMTP server - address, with case insensitive lists of EHLO key- - words (pipelining, starttls, auth, etc.) that the + Lookup tables, indexed by the remote SMTP server + address, with case insensitive lists of EHLO key- + words (pipelining, starttls, auth, etc.) that the SMTP client will ignore in the EHLO response from a remote SMTP server. smtp_discard_ehlo_keywords (empty) - A case insensitive list of EHLO keywords (pipelin- - ing, starttls, auth, etc.) that the SMTP client + A case insensitive list of EHLO keywords (pipelin- + ing, starttls, auth, etc.) that the SMTP client will ignore in the EHLO response from a remote SMTP server. smtp_generic_maps (empty) Optional lookup tables that perform address rewrit- - ing in the SMTP client, typically to transform a + ing in the SMTP client, typically to transform a locally valid address into a globally valid address when sending mail across the Internet. @@ -160,7 +166,7 @@ SMTP(8) SMTP(8) Available in Postfix version 2.0 and later: disable_mime_output_conversion (no) - Disable the conversion of 8BITMIME format to 7BIT + Disable the conversion of 8BITMIME format to 7BIT format. mime_boundary_length_limit (2048) @@ -175,110 +181,110 @@ SMTP(8) SMTP(8) Available in Postfix version 2.1 and later: smtp_send_xforward_command (no) - Send the non-standard XFORWARD command when the - Postfix SMTP server EHLO response announces XFOR- + Send the non-standard XFORWARD command when the + Postfix SMTP server EHLO response announces XFOR- WARD support. SASL AUTHENTICATION CONTROLS smtp_sasl_auth_enable (no) - Enable SASL authentication in the Postfix SMTP + Enable SASL authentication in the Postfix SMTP client. smtp_sasl_password_maps (empty) - Optional SMTP client lookup tables with one user- - name:password entry per remote hostname or domain. + Optional SMTP client lookup tables with one user- + name:password entry per remote hostname or domain. smtp_sasl_security_options (noplaintext, noanonymous) - What authentication mechanisms the Postfix SMTP + What authentication mechanisms the Postfix SMTP client is allowed to use. Available in Postfix version 2.2 and later: smtp_sasl_mechanism_filter (empty) - If non-empty, a Postfix SMTP client filter for the - remote SMTP server's list of offered SASL mecha- + If non-empty, a Postfix SMTP client filter for the + remote SMTP server's list of offered SASL mecha- nisms. STARTTLS SUPPORT CONTROLS - Detailed information about STARTTLS configuration may be + Detailed information about STARTTLS configuration may be found in the TLS_README document. smtp_use_tls (no) - Opportunistic mode: use TLS when a remote SMTP - server announces STARTTLS support, otherwise send + Opportunistic mode: use TLS when a remote SMTP + server announces STARTTLS support, otherwise send the mail in the clear. smtp_enforce_tls (no) - Enforcement mode: require that remote SMTP servers - use TLS encryption, and never send mail in the + Enforcement mode: require that remote SMTP servers + use TLS encryption, and never send mail in the clear. smtp_sasl_tls_security_options ($smtp_sasl_secu- rity_options) - The SASL authentication security options that the - Postfix SMTP client uses for TLS encrypted SMTP + The SASL authentication security options that the + Postfix SMTP client uses for TLS encrypted SMTP sessions. smtp_starttls_timeout (300s) - Time limit for Postfix SMTP client write and read - operations during TLS startup and shutdown hand- + Time limit for Postfix SMTP client write and read + operations during TLS startup and shutdown hand- shake procedures. smtp_tls_CAfile (empty) - The file with the certificate of the certification - authority (CA) that issued the Postfix SMTP client + The file with the certificate of the certification + authority (CA) that issued the Postfix SMTP client certificate. smtp_tls_CApath (empty) - Directory with PEM format certificate authority - certificates that the Postfix SMTP client uses to + Directory with PEM format certificate authority + certificates that the Postfix SMTP client uses to verify a remote SMTP server certificate. smtp_tls_cert_file (empty) - File with the Postfix SMTP client RSA certificate + File with the Postfix SMTP client RSA certificate in PEM format. smtp_tls_cipherlist (empty) - Controls the Postfix SMTP client TLS cipher selec- + Controls the Postfix SMTP client TLS cipher selec- tion scheme. smtp_tls_dcert_file (empty) - File with the Postfix SMTP client DSA certificate + File with the Postfix SMTP client DSA certificate in PEM format. smtp_tls_dkey_file ($smtp_tls_dcert_file) - File with the Postfix SMTP client DSA private key + File with the Postfix SMTP client DSA private key in PEM format. smtp_tls_enforce_peername (yes) - When TLS encryption is enforced, require that the + When TLS encryption is enforced, require that the remote SMTP server hostname matches the information in the remote SMTP server certificate. smtp_tls_key_file ($smtp_tls_cert_file) - File with the Postfix SMTP client RSA private key + File with the Postfix SMTP client RSA private key in PEM format. smtp_tls_loglevel (0) - Enable additional Postfix SMTP client logging of + Enable additional Postfix SMTP client logging of TLS activity. smtp_tls_note_starttls_offer (no) - Log the hostname of a remote SMTP server that - offers STARTTLS, when TLS is not already enabled + Log the hostname of a remote SMTP server that + offers STARTTLS, when TLS is not already enabled for that server. smtp_tls_per_site (empty) Optional lookup tables with the Postfix SMTP client - TLS usage policy by next-hop domain name and by + TLS usage policy by next-hop domain name and by remote SMTP server hostname. smtp_tls_scert_verifydepth (5) - The verification depth for remote SMTP server cer- + The verification depth for remote SMTP server cer- tificates. smtp_tls_session_cache_database (empty) - Name of the file containing the optional Postfix + Name of the file containing the optional Postfix SMTP client TLS session cache. smtp_tls_session_cache_timeout (3600s) @@ -286,31 +292,31 @@ SMTP(8) SMTP(8) sion cache information. tls_daemon_random_bytes (32) - The number of pseudo-random bytes that an smtp(8) - or smtpd(8) process requests from the tlsmgr(8) - server in order to seed its internal pseudo random + The number of pseudo-random bytes that an smtp(8) + or smtpd(8) process requests from the tlsmgr(8) + server in order to seed its internal pseudo random number generator (PRNG). RESOURCE AND RATE CONTROLS smtp_destination_concurrency_limit ($default_destina- tion_concurrency_limit) - The maximal number of parallel deliveries to the - same destination via the smtp message delivery + The maximal number of parallel deliveries to the + same destination via the smtp message delivery transport. smtp_destination_recipient_limit ($default_destina- tion_recipient_limit) - The maximal number of recipients per delivery via + The maximal number of recipients per delivery via the smtp message delivery transport. smtp_connect_timeout (30s) - The SMTP client time limit for completing a TCP + The SMTP client time limit for completing a TCP connection, or zero (use the operating system built-in time limit). smtp_helo_timeout (300s) - The SMTP client time limit for sending the HELO or - EHLO command, and for receiving the initial server + The SMTP client time limit for sending the HELO or + EHLO command, and for receiving the initial server response. smtp_xforward_timeout (300s) @@ -318,30 +324,30 @@ SMTP(8) SMTP(8) command, and for receiving the server response. smtp_mail_timeout (300s) - The SMTP client time limit for sending the MAIL - FROM command, and for receiving the server + The SMTP client time limit for sending the MAIL + FROM command, and for receiving the server response. smtp_rcpt_timeout (300s) - The SMTP client time limit for sending the SMTP - RCPT TO command, and for receiving the server + The SMTP client time limit for sending the SMTP + RCPT TO command, and for receiving the server response. smtp_data_init_timeout (120s) - The SMTP client time limit for sending the SMTP - DATA command, and for receiving the server + The SMTP client time limit for sending the SMTP + DATA command, and for receiving the server response. smtp_data_xfer_timeout (180s) - The SMTP client time limit for sending the SMTP + The SMTP client time limit for sending the SMTP message content. smtp_data_done_timeout (600s) - The SMTP client time limit for sending the SMTP + The SMTP client time limit for sending the SMTP ".", and for receiving the server response. smtp_quit_timeout (300s) - The SMTP client time limit for sending the QUIT + The SMTP client time limit for sending the QUIT command, and for receiving the server response. Available in Postfix version 2.1 and later: @@ -352,77 +358,77 @@ SMTP(8) SMTP(8) lookups, or zero (no limit). smtp_mx_session_limit (2) - The maximal number of SMTP sessions per delivery - request before giving up or delivering to a fall- + The maximal number of SMTP sessions per delivery + request before giving up or delivering to a fall- back relay host, or zero (no limit). smtp_rset_timeout (20s) - The SMTP client time limit for sending the RSET + The SMTP client time limit for sending the RSET command, and for receiving the server response. Available in Postfix version 2.2 and later: smtp_connection_cache_destinations (empty) - Permanently enable SMTP connection caching for the + Permanently enable SMTP connection caching for the specified destinations. smtp_connection_cache_on_demand (yes) - Temporarily enable SMTP connection caching while a + Temporarily enable SMTP connection caching while a destination has a high volume of mail in the active queue. smtp_connection_cache_reuse_limit (10) When SMTP connection caching is enabled, the number - of times that an SMTP session is reused before it + of times that an SMTP session is reused before it is closed. smtp_connection_cache_time_limit (2s) When SMTP connection caching is enabled, the amount - of time that an unused SMTP client socket is kept + of time that an unused SMTP client socket is kept open before it is closed. TROUBLE SHOOTING CONTROLS debug_peer_level (2) - The increment in verbose logging level when a - remote client or server matches a pattern in the + The increment in verbose logging level when a + remote client or server matches a pattern in the debug_peer_list parameter. debug_peer_list (empty) - Optional list of remote client or server hostname - or network address patterns that cause the verbose - logging level to increase by the amount specified + Optional list of remote client or server hostname + or network address patterns that cause the verbose + logging level to increase by the amount specified in $debug_peer_level. error_notice_recipient (postmaster) - The recipient of postmaster notifications about - mail delivery problems that are caused by policy, + The recipient of postmaster notifications about + mail delivery problems that are caused by policy, resource, software or protocol errors. notify_classes (resource, software) - The list of error classes that are reported to the + The list of error classes that are reported to the postmaster. MISCELLANEOUS CONTROLS best_mx_transport (empty) - Where the Postfix SMTP client should deliver mail + Where the Postfix SMTP client should deliver mail when it detects a "mail loops back to myself" error condition. config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and + The default location of the Postfix main.cf and master.cf configuration files. daemon_timeout (18000s) - How much time a Postfix daemon process may take to - handle a request before it is terminated by a + How much time a Postfix daemon process may take to + handle a request before it is terminated by a built-in watchdog timer. disable_dns_lookups (no) - Disable DNS lookups in the Postfix SMTP and LMTP + Disable DNS lookups in the Postfix SMTP and LMTP clients. fallback_relay (empty) - Optional list of relay hosts for SMTP destinations + Optional list of relay hosts for SMTP destinations that can't be found or that are unreachable. inet_interfaces (all) @@ -430,7 +436,7 @@ SMTP(8) SMTP(8) tem receives mail on. inet_protocols (ipv4) - The Internet protocols Postfix will attempt to use + The Internet protocols Postfix will attempt to use when making or accepting connections. ipc_timeout (3600s) @@ -438,55 +444,55 @@ SMTP(8) SMTP(8) over an internal communication channel. max_idle (100s) - The maximum amount of time that an idle Postfix - daemon process waits for the next service request + The maximum amount of time that an idle Postfix + daemon process waits for the next service request before exiting. max_use (100) - The maximal number of connection requests before a + The maximal number of connection requests before a Postfix daemon process terminates. process_id (read-only) - The process ID of a Postfix command or daemon + The process ID of a Postfix command or daemon process. process_name (read-only) - The process name of a Postfix command or daemon + The process name of a Postfix command or daemon process. proxy_interfaces (empty) The network interface addresses that this mail sys- - tem receives mail on by way of a proxy or network + tem receives mail on by way of a proxy or network address translation unit. smtp_bind_address (empty) An optional numerical network address that the SMTP - client should bind to when making an IPv4 connec- + client should bind to when making an IPv4 connec- tion. smtp_bind_address6 (empty) An optional numerical network address that the SMTP - client should bind to when making an IPv6 connec- + client should bind to when making an IPv6 connec- tion. smtp_helo_name ($myhostname) - The hostname to send in the SMTP EHLO or HELO com- + The hostname to send in the SMTP EHLO or HELO com- mand. smtp_host_lookup (dns) - What mechanisms when the SMTP client uses to look + What mechanisms when the SMTP client uses to look up a host's IP address. smtp_randomize_addresses (yes) - Randomize the order of equal-preference MX host + Randomize the order of equal-preference MX host addresses. syslog_facility (mail) The syslog facility of Postfix logging. syslog_name (postfix) - The mail system name that is prepended to the - process name in syslog records, so that "smtpd" + The mail system name that is prepended to the + process name in syslog records, so that "smtpd" becomes, for example, "postfix/smtpd". SEE ALSO @@ -504,7 +510,7 @@ SMTP(8) SMTP(8) TLS_README, Postfix STARTTLS howto LICENSE - The Secure Mailer license must be distributed with this + The Secure Mailer license must be distributed with this software. AUTHOR(S) diff --git a/gnu/dist/postfix/man/man8/smtp.8 b/gnu/dist/postfix/man/man8/smtp.8 index 7e776e00b09a..b05aab16b1fc 100644 --- a/gnu/dist/postfix/man/man8/smtp.8 +++ b/gnu/dist/postfix/man/man8/smtp.8 @@ -1,4 +1,4 @@ -.\" $NetBSD: smtp.8,v 1.1.1.9 2005/08/18 21:04:23 rpaulo Exp $ +.\" $NetBSD: smtp.8,v 1.1.1.10 2006/02/25 22:06:48 rpaulo Exp $ .\" .TH SMTP 8 .ad @@ -105,6 +105,10 @@ Ignore DNS MX lookups that produce no response. Always send EHLO at the start of an SMTP session. .IP "\fBsmtp_never_send_ehlo (no)\fR" Never send EHLO at the start of an SMTP session. +.IP "\fBsmtp_cname_overrides_servername (yes)\fR" +Allow DNS CNAME records to override the servername that the +Postfix SMTP client uses for logging, SASL password lookup, TLS +policy decisions, or TLS certificate verification. .IP "\fBsmtp_defer_if_no_mx_address_found (no)\fR" Defer mail delivery when no MX record resolves to an IP address. .IP "\fBsmtp_line_length_limit (990)\fR" diff --git a/gnu/dist/postfix/mantools/postlink b/gnu/dist/postfix/mantools/postlink index 7f2db8e601c1..6f90f1be9dce 100755 --- a/gnu/dist/postfix/mantools/postlink +++ b/gnu/dist/postfix/mantools/postlink @@ -313,6 +313,7 @@ while (<>) { s;\bsmtp_always_send_ehlo\b;$&;g; s;\bsmtp_bind_address\b;$&;g; s;\bsmtp_bind_address6\b;$&;g; + s;\bsmtp_cname_overrides_servername\b;$&;g; s;\bsmtp_connect_timeout\b;$&;g; s;\bsmtp_connection_cache_on_demand\b;$&;g; diff --git a/gnu/dist/postfix/proto/SCHEDULER_README.html b/gnu/dist/postfix/proto/SCHEDULER_README.html index 5d91f6c9b32f..c81be4857952 100644 --- a/gnu/dist/postfix/proto/SCHEDULER_README.html +++ b/gnu/dist/postfix/proto/SCHEDULER_README.html @@ -68,7 +68,7 @@ available. You already know that oqmgr(8) uses round-robin by destination while qmgr(8) uses simple FIFO, except for some preemptive magic. The postconf(5) manual documents all the knobs the user can use to control this preemptive magic - there is nothing else -to the preemption than the quite simple conditions described below. +to the preemption than the quite simple conditions described in there.

As for programmer-level documentation, this will have to be diff --git a/gnu/dist/postfix/proto/TLS_README.html b/gnu/dist/postfix/proto/TLS_README.html index 04711f7ccd62..e4ed4bcee636 100644 --- a/gnu/dist/postfix/proto/TLS_README.html +++ b/gnu/dist/postfix/proto/TLS_README.html @@ -129,6 +129,11 @@ the make(1) files with the necessary definitions. This is done by invoking the command "make makefiles" in the Postfix top-level directory and with arguments as shown next.

+

NOTE: Do not use Gnu TLS. It will spontaneously terminate +a Postfix daemon process with exit status code 2, instead of allowing +Postfix to 1) report the error to the maillog file, and to 2) provide +plaintext service where this is appropriate.

+ +

The smtp_tls_per_site limitations were removed by the end of +the Postfix 2.2 support cycle.

+

Credits

diff --git a/gnu/dist/postfix/proto/postconf.proto b/gnu/dist/postfix/proto/postconf.proto index 3ab5bd2c3a54..11b1fc17d303 100644 --- a/gnu/dist/postfix/proto/postconf.proto +++ b/gnu/dist/postfix/proto/postconf.proto @@ -7750,7 +7750,7 @@ is suitable for, e.g., pop-before-smtp lookup tables.

Examples:

-

The Postfix < 2.2 backwards compatible setting: always rewrite +

The Postfix < 2.2 backwards compatible setting: always rewrite message headers, and always append my own domain to incomplete header addresses.

@@ -8251,38 +8251,79 @@ CommonName of this attacker will be logged).

%PARAM smtp_tls_per_site

Optional lookup tables with the Postfix SMTP client TLS usage -policy by next-hop domain name and by remote SMTP server hostname. -

+policy by next-hop destination and by remote SMTP server hostname. +When both lookups succeed, the more specific per-site policy (NONE, +MUST, etc) overrides the less specific one (MAY), and the more +secure per-site policy (MUST, etc) overrides the less secure one +(NONE).

-

Table format: domain names or server hostnames are specified -on the left-hand side; no wildcards are allowed. On the right hand -side specify one of the following keywords:

+

Specify a next-hop destination or server hostname on the left-hand +side; no wildcards are allowed. The next-hop destination is either +the recipient domain, or the destination specified with a transport(5) +table, the relayhost parameter, or the relay_transport parameter. +On the right hand side specify one of the following keywords:

-
NONE
Don't use TLS at all.
+
NONE
Don't use TLS at all. This overrides a less +specific MAY lookup result from the alternate host or next-hop +lookup key, and overrides the global smtp_use_tls, smtp_enforce_tls, +and smtp_tls_enforce_peername settings.
-
MAY
Try to use STARTTLS if offered, otherwise use -the unencrypted connection.
+
MAY
Try to use TLS if the server announces support, +otherwise use the unencrypted connection. This has less precedence +than a more specific result (including NONE) from the alternate +host or next-hop lookup key, and has less precedence than the more +specific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peername += yes".
-
MUST
Require usage of STARTTLS, require that the -remote SMTP server hostname matches the information in the remote -SMTP server certificate, and require that the remote SMTP server -certificate was issued by a trusted CA.
+
MUST_NOPEERMATCH
Require TLS encryption, but do not +require that the remote SMTP server hostname matches the information +in the remote SMTP server certificate, or that the server certificate +was issued by a trusted CA. This overrides a less secure NONE +or a less specific MAY lookup result from the alternate host +or next-hop lookup key, and overrides the global smtp_use_tls, +smtp_enforce_tls and smtp_tls_enforce_peername settings.
-
MUST_NOPEERMATCH
Require usage of STARTTLS, but do -not require that the remote SMTP server hostname matches the -information in the remote SMTP server certificate, or that the -server certificate was issued by a trusted CA.
+
MUST
Require TLS encryption, require that the remote +SMTP server hostname matches the information in the remote SMTP +server certificate, and require that the remote SMTP server certificate +was issued by a trusted CA. This overrides a less secure NONE +and MUST_NOPEERMATCH or a less specific MAY lookup +result from the alternate host or next-hop lookup key, and overrides +the global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername +settings.
-

Special hint for enforcement mode: since no secure DNS lookup -mechanism is available, the recommended setup is: specify local -transport(5) table entries for sensitive domains with explicit -smtp:[mailhost] destinations (since you can assure security of this -table unlike DNS), then specify MUST for these mail hosts in the -smtp_tls_per_site table.

+

As long as no secure DNS lookup mechanism is available, false +hostnames in MX or CNAME responses can change the server hostname +that Postfix uses for TLS policy lookup and server certificate +verification. Even with a perfect match between the server hostname +and the server certificate, there is no guarantee that Postfix is +connected to the right server. To avoid this loophole take the +following steps:

+ + + +

%PARAM smtp_tls_scert_verifydepth 5 @@ -8412,3 +8453,14 @@ examples are shown in the ADDRESS_REWRITING_README and STANDARD_CONFIGURATION_README documents.

This feature is available in Postfix 2.2 and later.

+ +%PARAM smtp_cname_overrides_servername yes + +

Allow DNS CNAME records to override the servername that the +Postfix SMTP client uses for logging, SASL password lookup, TLS +policy decisions, or TLS certificate verification. The default value +(yes) is backwards compatible. Specify "no" to harden Postfix 2.2 +smtp_tls_per_site hostname-based policies against false hostname +information in DNS CNAME records.

+ +

This feature is available in Postfix 2.2.9 and later.

diff --git a/gnu/dist/postfix/src/cleanup/cleanup_api.c b/gnu/dist/postfix/src/cleanup/cleanup_api.c index 0b85e48ddfeb..6c5edda67d0b 100644 --- a/gnu/dist/postfix/src/cleanup/cleanup_api.c +++ b/gnu/dist/postfix/src/cleanup/cleanup_api.c @@ -1,4 +1,4 @@ -/* $NetBSD: cleanup_api.c,v 1.1.1.6 2004/05/31 00:24:27 heas Exp $ */ +/* $NetBSD: cleanup_api.c,v 1.1.1.7 2006/02/25 22:08:15 rpaulo Exp $ */ /*++ /* NAME @@ -226,6 +226,14 @@ int cleanup_flush(CLEANUP_STATE *state) vstream_control(state->handle->stream, VSTREAM_CTL_PATH, cleanup_path, VSTREAM_CTL_END); + + /* + * XXX: When delivering to a non-incoming queue, do not consume + * in_flow tokens. Unfortunately we can't move the code that + * consumes tokens until after the mail is received, because that + * would increase the risk of duplicate deliveries (RFC 1047). + */ + (void) mail_flow_put(1); } state->errs = mail_stream_finish(state->handle, (VSTRING *) 0); } else { diff --git a/gnu/dist/postfix/src/dns/dns.h b/gnu/dist/postfix/src/dns/dns.h index 93e6e636d495..246d39feb5ea 100644 --- a/gnu/dist/postfix/src/dns/dns.h +++ b/gnu/dist/postfix/src/dns/dns.h @@ -1,4 +1,4 @@ -/* $NetBSD: dns.h,v 1.1.1.5 2005/12/01 21:42:42 rpaulo Exp $ */ +/* $NetBSD: dns.h,v 1.1.1.6 2006/02/25 22:08:22 rpaulo Exp $ */ #ifndef _DNS_H_INCLUDED_ #define _DNS_H_INCLUDED_ @@ -82,7 +82,8 @@ typedef struct DNS_FIXED { * named after the things one can expect to find in a DNS resource record. */ typedef struct DNS_RR { - char *name; /* name, mystrdup()ed */ + char *qname; /* query name, mystrdup()ed */ + char *rname; /* reply name, mystrdup()ed */ unsigned short type; /* T_A, T_CNAME, etc. */ unsigned short class; /* C_IN, etc. */ unsigned int ttl; /* always */ @@ -106,7 +107,8 @@ extern unsigned dns_type(const char *); /* * dns_rr.c */ -extern DNS_RR *dns_rr_create(const char *, ushort, ushort, +extern DNS_RR *dns_rr_create(const char *, const char *, + ushort, ushort, unsigned, unsigned, const char *, unsigned); extern void dns_rr_free(DNS_RR *); diff --git a/gnu/dist/postfix/src/dns/dns_rr.c b/gnu/dist/postfix/src/dns/dns_rr.c index 889a7cc35fc1..418a4d74d936 100644 --- a/gnu/dist/postfix/src/dns/dns_rr.c +++ b/gnu/dist/postfix/src/dns/dns_rr.c @@ -1,4 +1,4 @@ -/* $NetBSD: dns_rr.c,v 1.1.1.4 2005/08/18 21:05:58 rpaulo Exp $ */ +/* $NetBSD: dns_rr.c,v 1.1.1.5 2006/02/25 22:08:23 rpaulo Exp $ */ /*++ /* NAME @@ -8,9 +8,10 @@ /* SYNOPSIS /* #include /* -/* DNS_RR *dns_rr_create(name, type, class, ttl, preference, +/* DNS_RR *dns_rr_create(qname, rname, type, class, ttl, preference, /* data, data_len) -/* const char *name; +/* const char *qname; +/* const char *rname; /* unsigned short type; /* unsigned short class; /* unsigned int ttl; @@ -43,7 +44,8 @@ /* information, and maintain lists of DNS resource records. /* /* dns_rr_create() creates and initializes one resource record. -/* The \fIname\fR record specifies the record name. +/* The \fIqname\fR field specifies the query name. +/* The \fIrname\fR field specifies the reply name. /* \fIpreference\fR is used for MX records; \fIdata\fR is a null /* pointer or specifies optional resource-specific data; /* \fIdata_len\fR is the amount of resource-specific data. @@ -93,14 +95,16 @@ /* dns_rr_create - fill in resource record structure */ -DNS_RR *dns_rr_create(const char *name, ushort type, ushort class, +DNS_RR *dns_rr_create(const char *qname, const char *rname, + ushort type, ushort class, unsigned int ttl, unsigned pref, const char *data, unsigned data_len) { DNS_RR *rr; rr = (DNS_RR *) mymalloc(sizeof(*rr) + data_len - 1); - rr->name = mystrdup(name); + rr->qname = mystrdup(qname); + rr->rname = mystrdup(rname); rr->type = type; rr->class = class; rr->ttl = ttl; @@ -119,7 +123,8 @@ void dns_rr_free(DNS_RR *rr) if (rr) { if (rr->next) dns_rr_free(rr->next); - myfree(rr->name); + myfree(rr->qname); + myfree(rr->rname); myfree((char *) rr); } } @@ -136,7 +141,8 @@ DNS_RR *dns_rr_copy(DNS_RR *src) */ dst = (DNS_RR *) mymalloc(len); memcpy((char *) dst, (char *) src, len); - dst->name = mystrdup(src->name); + dst->qname = mystrdup(src->qname); + dst->rname = mystrdup(src->rname); dst->next = 0; return (dst); } diff --git a/gnu/dist/postfix/src/dns/dns_sa_to_rr.c b/gnu/dist/postfix/src/dns/dns_sa_to_rr.c index 9cbeeb14f7de..17ab56521d58 100644 --- a/gnu/dist/postfix/src/dns/dns_sa_to_rr.c +++ b/gnu/dist/postfix/src/dns/dns_sa_to_rr.c @@ -1,4 +1,4 @@ -/* $NetBSD: dns_sa_to_rr.c,v 1.1.1.1 2005/08/18 21:05:59 rpaulo Exp $ */ +/* $NetBSD: dns_sa_to_rr.c,v 1.1.1.2 2006/02/25 22:08:24 rpaulo Exp $ */ /*++ /* NAME @@ -56,12 +56,12 @@ DNS_RR *dns_sa_to_rr(const char *hostname, unsigned pref, struct sockaddr * sa) #define DUMMY_TTL 0 if (sa->sa_family == AF_INET) { - return (dns_rr_create(hostname, T_A, C_IN, DUMMY_TTL, pref, + return (dns_rr_create(hostname, hostname, T_A, C_IN, DUMMY_TTL, pref, (char *) &SOCK_ADDR_IN_ADDR(sa), sizeof(SOCK_ADDR_IN_ADDR(sa)))); #ifdef HAS_IPV6 } else if (sa->sa_family == AF_INET6) { - return (dns_rr_create(hostname, T_AAAA, C_IN, DUMMY_TTL, pref, + return (dns_rr_create(hostname, hostname, T_AAAA, C_IN, DUMMY_TTL, pref, (char *) &SOCK_ADDR_IN6_ADDR(sa), sizeof(SOCK_ADDR_IN6_ADDR(sa)))); #endif diff --git a/gnu/dist/postfix/src/dns/test_dns_lookup.c b/gnu/dist/postfix/src/dns/test_dns_lookup.c index 63c7e849727b..428fb13db3ce 100644 --- a/gnu/dist/postfix/src/dns/test_dns_lookup.c +++ b/gnu/dist/postfix/src/dns/test_dns_lookup.c @@ -1,4 +1,4 @@ -/* $NetBSD: test_dns_lookup.c,v 1.1.1.3 2005/08/18 21:05:59 rpaulo Exp $ */ +/* $NetBSD: test_dns_lookup.c,v 1.1.1.4 2006/02/25 22:08:24 rpaulo Exp $ */ /*++ /* NAME @@ -47,7 +47,7 @@ static void print_rr(DNS_RR *rr) MAI_HOSTADDR_STR host; while (rr) { - printf("%s: ttl: %9d ", rr->name, rr->ttl); + printf("%s: ttl: %9d ", rr->rname, rr->ttl); switch (rr->type) { case T_A: #ifdef T_AAAA diff --git a/gnu/dist/postfix/src/global/ehlo_mask.ref b/gnu/dist/postfix/src/global/ehlo_mask.ref index 4c6dab3557e5..f0b34967e10d 100644 --- a/gnu/dist/postfix/src/global/ehlo_mask.ref +++ b/gnu/dist/postfix/src/global/ehlo_mask.ref @@ -1,3 +1,3 @@ -starttls, 8bitmime, verp, etrn, etrn -> 0x51 -> 8BITMIME ETRN VERP +starttls, 8bitmime, verp, etrn, etrn -> 0xd1 -> 8BITMIME ETRN VERP STARTTLS foobar, auth, pipelining, size, vrfy -> 0x2e -> AUTH PIPELINING SIZE VRFY -xclient, xforward -> 0x180 -> XCLIENT XFORWARD +xclient, xforward -> 0x300 -> XCLIENT XFORWARD diff --git a/gnu/dist/postfix/src/global/input_transp.c b/gnu/dist/postfix/src/global/input_transp.c index 342dae9fd71a..ec5f678d7d77 100644 --- a/gnu/dist/postfix/src/global/input_transp.c +++ b/gnu/dist/postfix/src/global/input_transp.c @@ -1,4 +1,4 @@ -/* $NetBSD: input_transp.c,v 1.1.1.3 2005/08/18 21:06:20 rpaulo Exp $ */ +/* $NetBSD: input_transp.c,v 1.1.1.4 2006/02/25 22:08:49 rpaulo Exp $ */ /*++ /* NAME @@ -28,7 +28,7 @@ /* given in parentheses: /* .IP "no_unknown_recipient_checks (INPUT_TRANSP_UNKNOWN_RCPT)" /* Do not try to reject unknown recipients. -/* .IP "no_address_mapping (INPUT_TRANSP_ADDRESS_MAPPING) +/* .IP "no_address_mappings (INPUT_TRANSP_ADDRESS_MAPPING) /* Disable canonical address mapping, virtual alias map expansion, /* address masquerading, and automatic BCC recipients. /* .IP "no_header_body_checkss (INPUT_TRANSP_HEADER_BODY) diff --git a/gnu/dist/postfix/src/global/mail_addr_find.c b/gnu/dist/postfix/src/global/mail_addr_find.c index 1af4bd589cc8..2e84ac6a8674 100644 --- a/gnu/dist/postfix/src/global/mail_addr_find.c +++ b/gnu/dist/postfix/src/global/mail_addr_find.c @@ -1,4 +1,4 @@ -/* $NetBSD: mail_addr_find.c,v 1.1.1.4 2004/05/31 00:24:31 heas Exp $ */ +/* $NetBSD: mail_addr_find.c,v 1.1.1.5 2006/02/25 22:08:49 rpaulo Exp $ */ /*++ /* NAME @@ -109,7 +109,10 @@ const char *mail_addr_find(MAPS *path, const char *address, char **extp) if (*var_rcpt_delim == 0) { bare_key = saved_ext = 0; } else { - bare_key = strip_addr(full_key, &saved_ext, *var_rcpt_delim); + /* Preserve case of extension. */ + bare_key = strip_addr(address, &saved_ext, *var_rcpt_delim); + if (bare_key != 0) + lowercase(bare_key); } /* diff --git a/gnu/dist/postfix/src/global/mail_version.h b/gnu/dist/postfix/src/global/mail_version.h index 11543fe5e189..67a81fcf2c08 100644 --- a/gnu/dist/postfix/src/global/mail_version.h +++ b/gnu/dist/postfix/src/global/mail_version.h @@ -1,4 +1,4 @@ -/* $NetBSD: mail_version.h,v 1.1.1.20 2006/01/05 02:11:43 rpaulo Exp $ */ +/* $NetBSD: mail_version.h,v 1.1.1.21 2006/02/25 22:08:59 rpaulo Exp $ */ #ifndef _MAIL_VERSION_H_INCLUDED_ #define _MAIL_VERSION_H_INCLUDED_ @@ -22,8 +22,8 @@ * Patches change the patchlevel and the release date. Snapshots change the * release date only. */ -#define MAIL_RELEASE_DATE "20060103" -#define MAIL_VERSION_NUMBER "2.2.8" +#define MAIL_RELEASE_DATE "20060221" +#define MAIL_VERSION_NUMBER "2.2.9" #define VAR_MAIL_VERSION "mail_version" #ifdef SNAPSHOT diff --git a/gnu/dist/postfix/src/lmtp/lmtp_addr.c b/gnu/dist/postfix/src/lmtp/lmtp_addr.c index 2abec0f3a4d1..ef3edc1890cc 100644 --- a/gnu/dist/postfix/src/lmtp/lmtp_addr.c +++ b/gnu/dist/postfix/src/lmtp/lmtp_addr.c @@ -1,4 +1,4 @@ -/* $NetBSD: lmtp_addr.c,v 1.1.1.3 2005/08/18 21:07:17 rpaulo Exp $ */ +/* $NetBSD: lmtp_addr.c,v 1.1.1.4 2006/02/25 22:09:20 rpaulo Exp $ */ /*++ /* NAME @@ -107,7 +107,7 @@ static void lmtp_print_addr(char *what, DNS_RR *addr_list) msg_warn("skipping record type %s: %m", dns_strtype(addr->type)); } else { msg_info("pref %4d host %s/%s", - addr->pref, addr->name, + addr->pref, addr->rname, hostaddr.buf); } } diff --git a/gnu/dist/postfix/src/lmtp/lmtp_connect.c b/gnu/dist/postfix/src/lmtp/lmtp_connect.c index 4c01d26eb733..4578715f0946 100644 --- a/gnu/dist/postfix/src/lmtp/lmtp_connect.c +++ b/gnu/dist/postfix/src/lmtp/lmtp_connect.c @@ -1,4 +1,4 @@ -/* $NetBSD: lmtp_connect.c,v 1.1.1.6 2005/08/18 21:07:18 rpaulo Exp $ */ +/* $NetBSD: lmtp_connect.c,v 1.1.1.7 2006/02/25 22:09:21 rpaulo Exp $ */ /*++ /* NAME @@ -202,10 +202,10 @@ static LMTP_SESSION *lmtp_connect_addr(DNS_RR *addr, unsigned port, SOCKADDR_TO_HOSTADDR(sa, salen, &hostaddr, (MAI_SERVPORT_STR *) 0, 0); if (msg_verbose) msg_info("%s: trying: %s[%s] port %d...", - myname, addr->name, hostaddr.buf, ntohs(port)); + myname, addr->rname, hostaddr.buf, ntohs(port)); return (lmtp_connect_sock(sock, sa, salen, - addr->name, hostaddr.buf, destination, why)); + addr->rname, hostaddr.buf, destination, why)); } /* lmtp_connect_sock - connect a socket over some transport */ diff --git a/gnu/dist/postfix/src/local/local.c b/gnu/dist/postfix/src/local/local.c index 766c719918b3..fda9b7b0cca4 100644 --- a/gnu/dist/postfix/src/local/local.c +++ b/gnu/dist/postfix/src/local/local.c @@ -1,4 +1,4 @@ -/* $NetBSD: local.c,v 1.1.1.7 2005/08/18 21:07:29 rpaulo Exp $ */ +/* $NetBSD: local.c,v 1.1.1.8 2006/02/25 22:09:27 rpaulo Exp $ */ /*++ /* NAME @@ -831,6 +831,7 @@ int main(int argc, char **argv) VAR_PROP_EXTENSION, DEF_PROP_EXTENSION, &var_prop_extension, 0, 0, VAR_DELIVER_HDR, DEF_DELIVER_HDR, &var_deliver_hdr, 0, 0, VAR_MAILBOX_LOCK, DEF_MAILBOX_LOCK, &var_mailbox_lock, 1, 0, + VAR_MAILBOX_CMD_MAPS, DEF_MAILBOX_CMD_MAPS, &var_mailbox_cmd_maps, 0, 0, 0, }; static CONFIG_BOOL_TABLE bool_table[] = { @@ -846,7 +847,6 @@ int main(int argc, char **argv) VAR_EXEC_DIRECTORY, DEF_EXEC_DIRECTORY, &var_exec_directory, 0, 0, VAR_FORWARD_PATH, DEF_FORWARD_PATH, &var_forward_path, 0, 0, VAR_MAILBOX_COMMAND, DEF_MAILBOX_COMMAND, &var_mailbox_command, 0, 0, - VAR_MAILBOX_CMD_MAPS, DEF_MAILBOX_CMD_MAPS, &var_mailbox_cmd_maps, 0, 0, VAR_LUSER_RELAY, DEF_LUSER_RELAY, &var_luser_relay, 0, 0, 0, }; diff --git a/gnu/dist/postfix/src/oqmgr/qmgr_message.c b/gnu/dist/postfix/src/oqmgr/qmgr_message.c index 314ddee8b073..fc6c787eee29 100644 --- a/gnu/dist/postfix/src/oqmgr/qmgr_message.c +++ b/gnu/dist/postfix/src/oqmgr/qmgr_message.c @@ -1,4 +1,4 @@ -/* $NetBSD: qmgr_message.c,v 1.1.1.4 2005/08/18 21:07:58 rpaulo Exp $ */ +/* $NetBSD: qmgr_message.c,v 1.1.1.5 2006/02/25 22:09:39 rpaulo Exp $ */ /*++ /* NAME @@ -843,8 +843,14 @@ static void qmgr_message_resolve(QMGR_MESSAGE *message) /* * Content filtering overrides the address resolver. + * + * XXX Bypass content_filter inspection for user-generated probes + * (sendmail -bv). MTA-generated probes never have the "please filter + * me" bits turned on, but we handle them here anyway for the sake of + * future proofing. */ - else if (message->filter_xport) { + else if (message->filter_xport + && (message->tflags & DEL_REQ_TRACE_ONLY_MASK) == 0) { vstring_strcpy(reply.transport, message->filter_xport); if ((nexthop = split_at(STR(reply.transport), ':')) == 0 || *nexthop == 0) diff --git a/gnu/dist/postfix/src/smtp/smtp.c b/gnu/dist/postfix/src/smtp/smtp.c index b19c70ed4432..a4b68b89d93b 100644 --- a/gnu/dist/postfix/src/smtp/smtp.c +++ b/gnu/dist/postfix/src/smtp/smtp.c @@ -1,4 +1,4 @@ -/* $NetBSD: smtp.c,v 1.1.1.8 2005/08/18 21:08:49 rpaulo Exp $ */ +/* $NetBSD: smtp.c,v 1.1.1.9 2006/02/25 22:10:02 rpaulo Exp $ */ /*++ /* NAME @@ -87,6 +87,10 @@ /* Always send EHLO at the start of an SMTP session. /* .IP "\fBsmtp_never_send_ehlo (no)\fR" /* Never send EHLO at the start of an SMTP session. +/* .IP "\fBsmtp_cname_overrides_servername (yes)\fR" +/* Allow DNS CNAME records to override the servername that the +/* Postfix SMTP client uses for logging, SASL password lookup, TLS +/* policy decisions, or TLS certificate verification. /* .IP "\fBsmtp_defer_if_no_mx_address_found (no)\fR" /* Defer mail delivery when no MX record resolves to an IP address. /* .IP "\fBsmtp_line_length_limit (990)\fR" @@ -499,6 +503,7 @@ bool var_smtp_tls_note_starttls_offer; char *var_smtp_generic_maps; char *var_prop_extension; +bool var_smtp_cname_overr; /* * Global variables. smtp_errno is set by the address lookup routines and by @@ -792,6 +797,7 @@ int main(int argc, char **argv) VAR_SMTP_TLS_ENFORCE_PN, DEF_SMTP_TLS_ENFORCE_PN, &var_smtp_tls_enforce_peername, VAR_SMTP_TLS_NOTEOFFER, DEF_SMTP_TLS_NOTEOFFER, &var_smtp_tls_note_starttls_offer, #endif + VAR_SMTP_CNAME_OVERR, DEF_SMTP_CNAME_OVERR, &var_smtp_cname_overr, 0, }; diff --git a/gnu/dist/postfix/src/smtp/smtp.h b/gnu/dist/postfix/src/smtp/smtp.h index df7b95443085..540c92e631e2 100644 --- a/gnu/dist/postfix/src/smtp/smtp.h +++ b/gnu/dist/postfix/src/smtp/smtp.h @@ -1,4 +1,4 @@ -/* $NetBSD: smtp.h,v 1.1.1.6 2005/08/18 21:08:50 rpaulo Exp $ */ +/* $NetBSD: smtp.h,v 1.1.1.7 2006/02/25 22:10:03 rpaulo Exp $ */ /*++ /* NAME @@ -166,6 +166,12 @@ extern SSL_CTX *smtp_tls_ctx; /* client-side TLS engine */ #endif + + /* + * What's in a name? + */ +#define SMTP_HNAME(rr) (var_smtp_cname_overr ? (rr)->rname : (rr)->qname) + /* * smtp_session.c */ diff --git a/gnu/dist/postfix/src/smtp/smtp_session.c b/gnu/dist/postfix/src/smtp/smtp_session.c index 9ffd36dec7fd..81b25b08c3a8 100644 --- a/gnu/dist/postfix/src/smtp/smtp_session.c +++ b/gnu/dist/postfix/src/smtp/smtp_session.c @@ -1,4 +1,4 @@ -/* $NetBSD: smtp_session.c,v 1.1.1.3 2005/08/18 21:08:58 rpaulo Exp $ */ +/* $NetBSD: smtp_session.c,v 1.1.1.4 2006/02/25 22:10:08 rpaulo Exp $ */ /*++ /* NAME @@ -130,14 +130,20 @@ #ifdef USE_TLS /* - * Per-site policies can override main.cf settings. + * TLS enforcement level. Actual TLS policies will be NONE or higher. + * + * There are two pseudo levels: NOTFOUND is a sentinel value for the ease of + * implementation; MAY is a wild-card that indicates "anything goes". + * + * Non pseudo levels can also be used to indicate the actual security level of + * a session. */ -typedef struct { - int dont_use; /* don't use TLS */ - int use; /* useless, see above */ - int enforce; /* must always use TLS */ - int enforce_peername; /* must verify certificate name */ -} SMTP_TLS_SITE_POLICY; +#define SMTP_TLS_LEV_NOTFOUND (-1) /* sentinel */ +#define SMTP_TLS_LEV_NONE 0 /* plain-text only */ +#define SMTP_TLS_LEV_MAY 1 /* wildcard */ +#define SMTP_TLS_LEV_ENCRYPT 2 /* encrypted connection */ +#define SMTP_TLS_LEV_VERIFY 3 /* certificate verified */ +#define SMTP_TLS_LEV_STRICT 4 /* "secure" verification */ static MAPS *tls_per_site; /* lookup table(s) */ @@ -149,9 +155,21 @@ void smtp_tls_list_init(void) DICT_FLAG_LOCK); } +/* smtp_tls_policy_print - print policy level */ + +static void smtp_tls_policy_print(const char *name, int level) +{ + msg_info("%s TLS level: %s", name, + level == SMTP_TLS_LEV_VERIFY ? "verify" : + level == SMTP_TLS_LEV_ENCRYPT ? "encrypt" : + level == SMTP_TLS_LEV_MAY ? "may" : + level == SMTP_TLS_LEV_NONE ? "none" : + "unknown"); +} + /* smtp_tls_site_policy - look up per-site TLS policy */ -static void smtp_tls_site_policy(SMTP_TLS_SITE_POLICY *policy, +static void smtp_tls_site_policy(int *site_level, const char *site_name, const char *site_class) { @@ -159,33 +177,101 @@ static void smtp_tls_site_policy(SMTP_TLS_SITE_POLICY *policy, char *lookup_key; /* - * Initialize the default policy. - */ - policy->dont_use = 0; - policy->use = 0; - policy->enforce = 0; - policy->enforce_peername = 0; - - /* - * Look up a non-default policy. + * Look up a non-default policy. In case of multiple lookup results, the + * precedence order is a permutation of the TLS enforcement level order: + * VERIFY, ENCRYPT, NONE, MAY, NOTFOUND. I.e. we override MAY with a more + * specific policy including NONE, otherwise we choose the stronger + * enforcement level. */ lookup_key = lowercase(mystrdup(site_name)); if ((lookup = maps_find(tls_per_site, lookup_key, 0)) != 0) { - if (!strcasecmp(lookup, "NONE")) - policy->dont_use = 1; - else if (!strcasecmp(lookup, "MAY")) - policy->use = 1; - else if (!strcasecmp(lookup, "MUST")) - policy->enforce = policy->enforce_peername = 1; - else if (!strcasecmp(lookup, "MUST_NOPEERMATCH")) - policy->enforce = 1; - else + if (!strcasecmp(lookup, "NONE")) { + /* NONE overrides MAY or NOTFOUND. */ + if (*site_level <= SMTP_TLS_LEV_MAY) + *site_level = SMTP_TLS_LEV_NONE; + } else if (!strcasecmp(lookup, "MAY")) { + /* MAY overrides NOTFOUND but not NONE. */ + if (*site_level < SMTP_TLS_LEV_NONE) + *site_level = SMTP_TLS_LEV_MAY; + } else if (!strcasecmp(lookup, "MUST_NOPEERMATCH")) { + if (*site_level < SMTP_TLS_LEV_ENCRYPT) + *site_level = SMTP_TLS_LEV_ENCRYPT; + } else if (!strcasecmp(lookup, "MUST")) { + if (*site_level < SMTP_TLS_LEV_VERIFY) + *site_level = SMTP_TLS_LEV_VERIFY; + } else { msg_warn("Table %s: ignoring unknown TLS policy '%s' for %s %s", var_smtp_tls_per_site, lookup, site_class, site_name); + } } myfree(lookup_key); } +/* smtp_tls_level_init - configure session TLS enforcement level */ + +static int smtp_tls_level_init(const char *dest, const char *host) +{ + int global_level; + int site_level; + int tls_level; + + /* + * Compute the global TLS policy. This is the default policy level when + * no per-site policy exists. It also is used to override a wild-card + * per-site policy. + */ + if (var_smtp_enforce_tls) + global_level = var_smtp_tls_enforce_peername ? + SMTP_TLS_LEV_VERIFY : SMTP_TLS_LEV_ENCRYPT; + else + global_level = var_smtp_use_tls ? + SMTP_TLS_LEV_MAY : SMTP_TLS_LEV_NONE; + if (msg_verbose) + smtp_tls_policy_print("global", global_level); + + /* + * Compute the per-site TLS enforcement level. For compatibility with the + * original TLS patch, this algorithm is gives equal precedence to host + * and next-hop policies. + */ + site_level = SMTP_TLS_LEV_NOTFOUND; + + if (tls_per_site) { + smtp_tls_site_policy(&site_level, dest, "next-hop destination"); + if (strcasecmp(dest, host) != 0) + smtp_tls_site_policy(&site_level, host, "server hostname"); + if (msg_verbose) + smtp_tls_policy_print("site", site_level); + } + + /* + * Override a wild-card per-site policy with a more specific global + * policy. + * + * With the original TLS patch, 1) a per-site ENCRYPT could not override a + * global VERIFY, and 2) a combined per-site (NONE+MAY) policy produced + * inconsistent results: it changed a global VERIFY into NONE, while + * producing MAY with all weaker global policy settings. + * + * With the current implementation, a combined per-site (NONE+MAY) + * consistently overrides global policy with NONE, and global policy can + * override only a per-site MAY wildcard. That is, specific policies + * consistently override wildcard policies, and (non-wildcard) per-site + * policies consistently override global policies. + */ + if (site_level == SMTP_TLS_LEV_NOTFOUND + || (site_level == SMTP_TLS_LEV_MAY + && global_level > SMTP_TLS_LEV_MAY)) + tls_level = global_level; + else + tls_level = site_level; + + if (msg_verbose && tls_per_site) + smtp_tls_policy_print("effective", tls_level); + + return (tls_level); +} + #endif /* smtp_session_alloc - allocate and initialize SMTP_SESSION structure */ @@ -196,12 +282,6 @@ SMTP_SESSION *smtp_session_alloc(VSTREAM *stream, const char *dest, { SMTP_SESSION *session; -#ifdef USE_TLS - SMTP_TLS_SITE_POLICY host_policy; - SMTP_TLS_SITE_POLICY rcpt_policy; - -#endif - session = (SMTP_SESSION *) mymalloc(sizeof(*session)); session->stream = stream; session->dest = mystrdup(dest); @@ -238,39 +318,14 @@ SMTP_SESSION *smtp_session_alloc(VSTREAM *stream, const char *dest, session->tls_enforce_peername = 0; session->tls_context = 0; session->tls_info = tls_info_zero; - - /* - * Override the main.cf TLS policy with an optional per-site policy. - */ - if (smtp_tls_ctx != 0) { - smtp_tls_site_policy(&host_policy, host, "receiving host"); - smtp_tls_site_policy(&rcpt_policy, dest, "recipient domain"); - - /* - * Set up TLS enforcement for this session. - */ - if ((var_smtp_enforce_tls && !host_policy.dont_use && !rcpt_policy.dont_use) - || host_policy.enforce || rcpt_policy.enforce) - session->tls_enforce_tls = session->tls_use_tls = 1; - - /* - * Set up peername checking for this session. - * - * We want to make sure that a MUST* entry in the tls_per_site table - * always has precedence. MUST always must lead to a peername check, - * MUST_NOPEERMATCH must always disable it. Only when no explicit - * setting has been found, the default will be used. There is the - * case left, that both "host" and "recipient" settings conflict. In - * this case, the "host" setting wins. - */ - if (host_policy.enforce && host_policy.enforce_peername) - session->tls_enforce_peername = 1; - else if (rcpt_policy.enforce && rcpt_policy.enforce_peername) - session->tls_enforce_peername = 1; - else if (var_smtp_enforce_tls && var_smtp_tls_enforce_peername) - session->tls_enforce_peername = 1; - else if ((var_smtp_use_tls && !host_policy.dont_use && !rcpt_policy.dont_use) || host_policy.use || rcpt_policy.use) - session->tls_use_tls = 1; + switch (smtp_tls_level_init(dest, host)) { + case SMTP_TLS_LEV_VERIFY: + session->tls_enforce_peername = 1; + case SMTP_TLS_LEV_ENCRYPT: + session->tls_enforce_tls = 1; + case SMTP_TLS_LEV_MAY: + session->tls_use_tls = 1; + break; } #endif debug_peer_check(host, addr); diff --git a/gnu/dist/postfix/src/smtpd/smtpd_exp.ref b/gnu/dist/postfix/src/smtpd/smtpd_exp.ref index fcee7f2a3747..8f1f4204edb8 100644 --- a/gnu/dist/postfix/src/smtpd/smtpd_exp.ref +++ b/gnu/dist/postfix/src/smtpd/smtpd_exp.ref @@ -107,8 +107,8 @@ OK >>> mail sname@sdomain OK >>> rcpt rname@rdomain -./smtpd_check: : reject: RCPT from spike.porcupine.org[168.100.189.2]: 554 Service unavailable; Helo command [example.tld] blocked using abuse.rfc-ignorant.org; Not supporting abuse@domain; from= to= proto=SMTP helo= -554 Service unavailable; Helo command [example.tld] blocked using abuse.rfc-ignorant.org; Not supporting abuse@domain +./smtpd_check: : reject: RCPT from spike.porcupine.org[168.100.189.2]: 554 Service unavailable; Helo command [example.tld] blocked using abuse.rfc-ignorant.org; Not supporting abuse@example.tld; from= to= proto=SMTP helo= +554 Service unavailable; Helo command [example.tld] blocked using abuse.rfc-ignorant.org; Not supporting abuse@example.tld >>> # >>> # Check MX access >>> # diff --git a/gnu/dist/postfix/src/trivial-rewrite/rewrite.c b/gnu/dist/postfix/src/trivial-rewrite/rewrite.c index 2fa5e88e3da8..74e30d47d386 100644 --- a/gnu/dist/postfix/src/trivial-rewrite/rewrite.c +++ b/gnu/dist/postfix/src/trivial-rewrite/rewrite.c @@ -1,4 +1,4 @@ -/* $NetBSD: rewrite.c,v 1.1.1.7 2005/08/18 21:09:45 rpaulo Exp $ */ +/* $NetBSD: rewrite.c,v 1.1.1.8 2006/02/25 22:10:35 rpaulo Exp $ */ /*++ /* NAME @@ -175,7 +175,8 @@ void rewrite_tree(RWR_CONTEXT *context, TOK822 *tree) /* * Append missing @origin */ - else if (var_append_at_myorigin != 0) { + else if (var_append_at_myorigin != 0 + && context->origin[0][0] != 0) { domain = tok822_sub_append(tree, tok822_alloc('@', (char *) 0)); tok822_sub_append(tree, tok822_scan(REW_PARAM_VALUE(context->origin), (TOK822 **) 0)); @@ -188,6 +189,7 @@ void rewrite_tree(RWR_CONTEXT *context, TOK822 *tree) * alone. */ if (var_append_dot_mydomain != 0 + && context->domain[0][0] != 0 && (domain = tok822_rfind_type(tree->tail, '@')) != 0 && domain != tree->tail && tok822_find_type(domain, TOK822_DOMLIT) == 0 diff --git a/gnu/dist/postfix/src/util/inet_util.c b/gnu/dist/postfix/src/util/inet_util.c index 8718c7db0efc..08ad25d06d43 100644 --- a/gnu/dist/postfix/src/util/inet_util.c +++ b/gnu/dist/postfix/src/util/inet_util.c @@ -1,4 +1,4 @@ -/* $NetBSD: inet_util.c,v 1.1.1.5 2006/01/05 02:17:36 rpaulo Exp $ */ +/* $NetBSD: inet_util.c,v 1.1.1.6 2006/02/25 22:10:55 rpaulo Exp $ */ /*++ /* NAME diff --git a/gnu/dist/postfix/src/util/inet_util.h b/gnu/dist/postfix/src/util/inet_util.h index 94f5eeabd6ce..9c476b47aeec 100644 --- a/gnu/dist/postfix/src/util/inet_util.h +++ b/gnu/dist/postfix/src/util/inet_util.h @@ -1,4 +1,4 @@ -/* $NetBSD: inet_util.h,v 1.1.1.5 2006/01/05 02:17:39 rpaulo Exp $ */ +/* $NetBSD: inet_util.h,v 1.1.1.6 2006/02/25 22:10:55 rpaulo Exp $ */ #ifndef _INET_UTIL_H_INCLUDED_ #define _INET_UTIL_H_INCLUDED_