Prereq: "3.7.5" diff -ur --new-file /var/tmp/postfix-3.7.5/src/global/mail_version.h ./src/global/mail_version.h --- /var/tmp/postfix-3.7.5/src/global/mail_version.h 2023-04-17 18:42:51.000000000 -0400 +++ ./src/global/mail_version.h 2023-06-05 16:08:38.000000000 -0400 @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20230418" -#define MAIL_VERSION_NUMBER "3.7.5" +#define MAIL_RELEASE_DATE "20230605" +#define MAIL_VERSION_NUMBER "3.7.6" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -ur --new-file /var/tmp/postfix-3.7.5/HISTORY ./HISTORY --- /var/tmp/postfix-3.7.5/HISTORY 2023-04-18 15:42:17.000000000 -0400 +++ ./HISTORY 2023-06-05 15:59:49.000000000 -0400 @@ -26507,3 +26507,90 @@ return "not found" instead of "error" during the time that all MySQL server connections were turned down after error. Found during code maintenance. File: global/dict_mysql.c. + +20230428 + + Bugfix (defect introduced: Postfix 1.0): the command "postconf + .. name=v1 .. name=v2 .." (multiple instances of the same + parameter name) created multiple name=value entries with + the same parameter name. It now logs a warning and skips + the earlier update. Found during code maintenance. File: + postconf/postconf_edit.c + + Bugfix (defect introduced: Postfix 3.3): the command "postconf + -M name1/type1='name2 type2 ...'" died with a segmentation + violation when the request matched multiple master.cf + entries. The master.cf file was not damaged. Problem reported + by SATOH Fumiyasu. File: postconf/postconf_master.c. + +20230502 + + Bugfix (defect introduced: Postfix 2.11): the command + "postconf -M name1/type1='name2 type2 ...'" could add a + service definition to master.cf that conflicted with an + already existing service definition. It now replaces all + existing service definitions that match the service pattern + 'name1/type1' or the service name and type in 'name2 type2 + ...' with a single service definition 'name2 type2 ...'. + Problem reported by SATOH Fumiyasu. File: postconf/postconf_edit.c. + +20230519 + + Bitrot: preliminary support for OpenSSL configuration files, + primarily OpenSSL 1.1.1b and later. This introduces new + parameters "tls_config_file" and "tls_config_name", which + can be used to limit collateral damage from OS distributions + that crank up security to 11, increasing the number of + plaintext email deliveries. Details are in the postconf(5) + manpage under "tls_config_file" and "tls_config_name". + Viktor Dukhovni. Files: mantools/postlink, proto/postconf.proto, + global/mail_params.h, posttls-finger/posttls-finger.c, + smtp/smtp.c, smtp/smtp_proto.c, tls/tls_client.c, tls/tls.h, + tls/tls_misc.c, tls/tls_proxy_client_print.c, + tls/tls_proxy_client_scan.c, tls/tls_proxy.h, tls/tls_server.c, + tlsproxy/tlsproxy.c. + +20230523 + + Cleanup: use TLS_CLIENT_PARAMS to pass the OpensSSL 'init' + configurations. This information is independent from the + client or server TLS context, and therefore does not belong + in tls_*_init() or tls_*_start() calls. The tlsproxy(8) + server uses TLS_CLIENT_PARAMS to report differences between + its own global TLS settings, and those from its clients. + Files: posttls-finger/posttls-finger.c, smtp/smtp.c, + smtp/smtp_proto.c, tls/tls.h, tls/tls_proxy_client_misc.c, + tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c, + tls/tls_proxy.h, tlsproxy/tlsproxy.c. + +20230524 + + Cleanup: reverted cosmetic-only changes to minimize the + patch footprint for OpenSSL INI file support; updated daemon + manpages with the new tls_config_file and tls_config_name + configuration parameters. Files: smtp/smtp.c, smtpd/smtpd.c, + tls/tls_client.c, tls/tls.h, tls/tls_server.c, tlsproxy/tlsproxy.c, + +20230529 + + Cleanup: made OpenSSL 'default' INI file support error + handling consistent with OpenSSL default behavior. Viktor + Dukhovni. Files: proto/postconf.proto, tls/tls_misc.c. + +20230602 + + Backwards compatibility for stable releases that originally + had no OpenSSL INI support. Skip the new OpenSSL INI support + code, unless the Postfix configuration actually specifies + non-default tls_config_xxx settings. File: tls/tls_misc.c. + + Cleanup: added a multiple initialization guard in the + tls_library_init() function, and made an initialization + error sticky. File: tls/tls_misc.c. + +20230605 + + Security: new parameter smtpd_forbid_unauth_pipelining + (default: no) to disconnect remote SMTP clients that violate + RFC 2920 (or 5321) command pipelining constraints. Files: + global/mail_params.h, smtpd/smtpd.c, proto/postconf.proto. diff -ur --new-file /var/tmp/postfix-3.7.5/RELEASE_NOTES ./RELEASE_NOTES --- /var/tmp/postfix-3.7.5/RELEASE_NOTES 2022-10-07 18:42:46.000000000 -0400 +++ ./RELEASE_NOTES 2023-06-05 17:38:31.000000000 -0400 @@ -25,6 +25,23 @@ the software under the license of their choice. Those who are more comfortable with the IPL can continue with that license. +Major changes with Postfix 3.7.6 +================================ + +Security: the Postfix SMTP server optionally disconnects remote +SMTP clients that violate RFC 2920 (or 5321) command pipelining +constraints. The server replies with "554 5.5.0 Error: SMTP protocol +synchronization" and logs the unexpected remote SMTP client input. +Specify "smtpd_forbid_unauth_pipelining = yes" to enable. This +feature is enabled by default in Postfix 3.9 and later. + +Workaround to limit collateral damage from OS distributions that +crank up security to 11, increasing the number of plaintext email +deliveries. This introduces basic OpenSSL configuration file support, +with two new parameters "tls_config_file" and "tls_config_name". +Details are in the postconf(5) manpage under "tls_config_file" and +"tls_config_name". + Bugfix for messages not delivered after "warning: Unexpected record type 'X' ============================================================================ diff -ur --new-file /var/tmp/postfix-3.7.5/html/lmtp.8.html ./html/lmtp.8.html --- /var/tmp/postfix-3.7.5/html/lmtp.8.html 2021-12-23 17:24:55.000000000 -0500 +++ ./html/lmtp.8.html 2023-06-04 18:23:40.000000000 -0400 @@ -686,6 +686,15 @@ A workaround for implementations that hang Postfix while shut- ting down a TLS session, until Postfix times out. + Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later: + + tls_config_file (default) + Optional configuration file with baseline OpenSSL settings. + + tls_config_name (empty) + The application name passed by Postfix to OpenSSL library ini- + tialization functions. + OBSOLETE STARTTLS CONTROLS The following configuration parameters exist for compatibility with Postfix versions before 2.3. Support for these will be removed in a diff -ur --new-file /var/tmp/postfix-3.7.5/html/postconf.5.html ./html/postconf.5.html --- /var/tmp/postfix-3.7.5/html/postconf.5.html 2022-01-21 16:39:35.000000000 -0500 +++ ./html/postconf.5.html 2023-06-05 16:57:04.000000000 -0400 @@ -15533,6 +15533,22 @@ +
smtpd_forbid_unauth_pipelining +(default: Postfix ≥ 3.9: yes)
+ +

Disconnect remote SMTP clients that violate RFC 2920 (or 5321) +command pipelining constraints. The server replies with "554 5.5.0 +Error: SMTP protocol synchronization" and logs the unexpected remote +SMTP client input. Specify "smtpd_forbid_unauth_pipelining = yes" +to enable. This feature is enabled by default with Postfix ≥ +3.9.

+ +

This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6, +3.6.10, and 3.5.20.

+ + +
+
smtpd_forbidden_commands (default: CONNECT GET POST regexp:{{/^[^A-Z]/ Bogus}})
@@ -19075,6 +19091,113 @@
+
tls_config_file +(default: default)
+ +

Optional configuration file with baseline OpenSSL settings. +OpenSSL loads any SSL settings found in the configuration file for +the selected application name (see tls_config_name) or else the +built-in application name "openssl_conf" when no application name is +specified, or no corresponding configuration section is present. +

+ +

With OpenSSL releases 1.1.1 and 1.1.1a, applications (including +Postfix) can neither specify an alternative configuration file, nor +avoid loading the default configuration file.

+ +

With OpenSSL 1.1.1b or later, this parameter may be set to one of: +

+ +
+ +
default (default)
Load the system-wide +"openssl.cnf" configuration file.
+ +
none (recommended, OpenSSL 1.1.1b or later only)
+
This setting disables loading of the system-wide "openssl.cnf" +file.
+ +
/absolute-path (OpenSSL 1.1.1b or later only)
+
Load the configuration file specified by /absolute-path. +With this setting it is an error for the file to not contain any +settings for the selected tls_config_name. There is no fallback to +the default "openssl_conf" name.
+ +
+ +

Failures in processing of the built-in default configuration file, +are silently ignored. Any errors in loading a non-default configuration +file are detected by Postfix, and cause TLS support to be disabled. +

+ +

The OpenSSL configuration file format is not documented here, +beyond giving two examples.

+ +

Example: Default settings for all applications.

+ +
+
+# The name 'openssl_conf' is the default application name
+# The section name to the right of the '=' sign is arbitrary,
+# any name will do, so long as it refers to the desired section.
+#
+# The name 'system_default' selects the settings applied internally
+# by the SSL library as part of SSL object creation.  Applications
+# can then apply any additional settings of their choice.
+#
+# In this example, TLS versions prior to 1.2 are disabled by default.
+#
+openssl_conf = system_wide_settings
+[system_wide_settings]
+ssl_conf = ssl_library_settings
+[ssl_library_settings]
+system_default = initial_ssl_settings
+[initial_ssl_settings]
+MinProtocol = TLSv1.2
+
+
+ +

Example: Custom settings for an application named "postfix".

+ +
+
+# The mapping from an application name to the corresponding configuration
+# section must appear near the top of the file, (in what is sometimes called
+# the "default section") prior to the start of any explicitly named
+# "[sections]".  The named sections can appear in any order and don't nest.
+#
+postfix = postfix_settings
+[postfix_settings]
+ssl_conf = postfix_ssl_settings
+[postfix_ssl_settings]
+system_default = baseline_postfix_settings
+[baseline_postfix_settings]
+MinProtocol = TLSv1
+
+
+ +

This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6, +3.6.10, and 3.5.20.

+ + +
+ +
tls_config_name +(default: empty)
+ +

The application name passed by Postfix to OpenSSL library +initialization functions. This name is used to select the desired +configuration "section" in the OpenSSL configuration file specified +via the tls_config_file parameter. When empty, or when the +selected name is not present in the configuration file, the default +application name ("openssl_conf") is used as a fallback.

+ +

This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6, +3.6.10, and 3.5.20.

+ + +
+
tls_daemon_random_bytes (default: 32)
diff -ur --new-file /var/tmp/postfix-3.7.5/html/smtp.8.html ./html/smtp.8.html --- /var/tmp/postfix-3.7.5/html/smtp.8.html 2021-12-23 17:24:55.000000000 -0500 +++ ./html/smtp.8.html 2023-06-04 18:23:40.000000000 -0400 @@ -686,6 +686,15 @@ A workaround for implementations that hang Postfix while shut- ting down a TLS session, until Postfix times out. + Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later: + + tls_config_file (default) + Optional configuration file with baseline OpenSSL settings. + + tls_config_name (empty) + The application name passed by Postfix to OpenSSL library ini- + tialization functions. + OBSOLETE STARTTLS CONTROLS The following configuration parameters exist for compatibility with Postfix versions before 2.3. Support for these will be removed in a diff -ur --new-file /var/tmp/postfix-3.7.5/html/smtpd.8.html ./html/smtpd.8.html --- /var/tmp/postfix-3.7.5/html/smtpd.8.html 2021-12-23 17:24:56.000000000 -0500 +++ ./html/smtpd.8.html 2023-06-05 16:08:12.000000000 -0400 @@ -632,6 +632,15 @@ The email address form that will be used in non-debug logging (info, warning, etc.). + Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later: + + tls_config_file (default) + Optional configuration file with baseline OpenSSL settings. + + tls_config_name (empty) + The application name passed by Postfix to OpenSSL library ini- + tialization functions. + OBSOLETE STARTTLS CONTROLS The following configuration parameters exist for compatibility with Postfix versions before 2.3. Support for these will be removed in a @@ -954,6 +963,12 @@ header_from_format (standard) The format of the Postfix-generated From: header. + Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later: + + smtpd_forbid_unauth_pipelining (Postfix >= 3.9: yes) + Disconnect remote SMTP clients that violate RFC 2920 (or 5321) + command pipelining constraints. + TARPIT CONTROLS When a remote SMTP client makes errors, the Postfix SMTP server can insert delays before responding. This can help to slow down run-away diff -ur --new-file /var/tmp/postfix-3.7.5/html/tlsproxy.8.html ./html/tlsproxy.8.html --- /var/tmp/postfix-3.7.5/html/tlsproxy.8.html 2022-02-05 09:58:53.000000000 -0500 +++ ./html/tlsproxy.8.html 2023-06-04 18:36:17.000000000 -0400 @@ -150,6 +150,15 @@ A workaround for implementations that hang Postfix while shut- ting down a TLS session, until Postfix times out. + Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later: + + tls_config_file (default) + Optional configuration file with baseline OpenSSL settings. + + tls_config_name (empty) + The application name passed by Postfix to OpenSSL library ini- + tialization functions. + STARTTLS SERVER CONTROLS These settings are clones of Postfix SMTP server settings. They allow tlsproxy(8) to load the same certificate and private key information as diff -ur --new-file /var/tmp/postfix-3.7.5/man/man5/postconf.5 ./man/man5/postconf.5 --- /var/tmp/postfix-3.7.5/man/man5/postconf.5 2022-01-21 16:39:35.000000000 -0500 +++ ./man/man5/postconf.5 2023-06-05 16:57:05.000000000 -0400 @@ -10677,6 +10677,16 @@ parameter $name expansion. .PP This feature is available in Postfix 2.0 and later. +.SH smtpd_forbid_unauth_pipelining (default: Postfix >= 3.9: yes) +Disconnect remote SMTP clients that violate RFC 2920 (or 5321) +command pipelining constraints. The server replies with "554 5.5.0 +Error: SMTP protocol synchronization" and logs the unexpected remote +SMTP client input. Specify "smtpd_forbid_unauth_pipelining = yes" +to enable. This feature is enabled by default with Postfix >= +3.9. +.PP +This feature is available in Postfix >= 3.9, 3.8.1, 3.7.6, +3.6.10, and 3.5.20. .SH smtpd_forbidden_commands (default: CONNECT GET POST regexp:{{/^[^A\-Z]/ Bogus}}) List of commands that cause the Postfix SMTP server to immediately terminate the session with a 221 code. This can be used to disconnect @@ -13495,6 +13505,104 @@ 2.7.2 and later versions. Specify "tls_append_default_CA = yes" for backwards compatibility, to avoid breaking certificate verification with sites that don't use permit_tls_all_clientcerts. +.SH tls_config_file (default: default) +Optional configuration file with baseline OpenSSL settings. +OpenSSL loads any SSL settings found in the configuration file for +the selected application name (see tls_config_name) or else the +built\-in application name "openssl_conf" when no application name is +specified, or no corresponding configuration section is present. +.PP +With OpenSSL releases 1.1.1 and 1.1.1a, applications (including +Postfix) can neither specify an alternative configuration file, nor +avoid loading the default configuration file. +.PP +With OpenSSL 1.1.1b or later, this parameter may be set to one of: +.IP "\fBdefault\fR (default)" +Load the system\-wide +"openssl.cnf" configuration file. +.br +.IP "\fBnone\fR (recommended, OpenSSL 1.1.1b or later only)" +This setting disables loading of the system\-wide "openssl.cnf" +file. +.br +.IP "\fB\fI/absolute\-path\fR\fR (OpenSSL 1.1.1b or later only)" +Load the configuration file specified by \fI/absolute\-path\fR. +With this setting it is an error for the file to not contain any +settings for the selected tls_config_name. There is no fallback to +the default "openssl_conf" name. +.br +.br +.PP +Failures in processing of the built\-in default configuration file, +are silently ignored. Any errors in loading a non\-default configuration +file are detected by Postfix, and cause TLS support to be disabled. +.PP +The OpenSSL configuration file format is not documented here, +beyond giving two examples. +.PP +Example: Default settings for all applications. +.sp +.in +4 +.nf +.na +.ft C +# The name 'openssl_conf' is the default application name +# The section name to the right of the '=' sign is arbitrary, +# any name will do, so long as it refers to the desired section. +# +# The name 'system_default' selects the settings applied internally +# by the SSL library as part of SSL object creation. Applications +# can then apply any additional settings of their choice. +# +# In this example, TLS versions prior to 1.2 are disabled by default. +# +openssl_conf = system_wide_settings +[system_wide_settings] +ssl_conf = ssl_library_settings +[ssl_library_settings] +system_default = initial_ssl_settings +[initial_ssl_settings] +MinProtocol = TLSv1.2 +.fi +.ad +.ft R +.in -4 +.PP +Example: Custom settings for an application named "postfix". +.sp +.in +4 +.nf +.na +.ft C +# The mapping from an application name to the corresponding configuration +# section must appear near the top of the file, (in what is sometimes called +# the "default section") prior to the start of any explicitly named +# "[sections]". The named sections can appear in any order and don't nest. +# +postfix = postfix_settings +[postfix_settings] +ssl_conf = postfix_ssl_settings +[postfix_ssl_settings] +system_default = baseline_postfix_settings +[baseline_postfix_settings] +MinProtocol = TLSv1 +.fi +.ad +.ft R +.in -4 +.PP +This feature is available in Postfix >= 3.9, 3.8.1, 3.7.6, +3.6.10, and 3.5.20. +.SH tls_config_name (default: empty) +The application name passed by Postfix to OpenSSL library +initialization functions. This name is used to select the desired +configuration "section" in the OpenSSL configuration file specified +via the tls_config_file parameter. When empty, or when the +selected name is not present in the configuration file, the default +application name ("openssl_conf") is used as a fallback. +.PP +This feature is available in Postfix >= 3.9, 3.8.1, 3.7.6, +3.6.10, and 3.5.20. .SH tls_daemon_random_bytes (default: 32) The number of pseudo\-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8) process requests from the \fBtlsmgr\fR(8) server in order to seed its diff -ur --new-file /var/tmp/postfix-3.7.5/man/man8/smtp.8 ./man/man8/smtp.8 --- /var/tmp/postfix-3.7.5/man/man8/smtp.8 2021-10-27 19:38:48.000000000 -0400 +++ ./man/man8/smtp.8 2023-06-05 09:12:12.000000000 -0400 @@ -617,6 +617,13 @@ .IP "\fBtls_fast_shutdown_enable (yes)\fR" A workaround for implementations that hang Postfix while shutting down a TLS session, until Postfix times out. +.PP +Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later: +.IP "\fBtls_config_file (default)\fR" +Optional configuration file with baseline OpenSSL settings. +.IP "\fBtls_config_name (empty)\fR" +The application name passed by Postfix to OpenSSL library +initialization functions. .SH "OBSOLETE STARTTLS CONTROLS" .na .nf diff -ur --new-file /var/tmp/postfix-3.7.5/man/man8/smtpd.8 ./man/man8/smtpd.8 --- /var/tmp/postfix-3.7.5/man/man8/smtpd.8 2021-10-02 11:40:28.000000000 -0400 +++ ./man/man8/smtpd.8 2023-06-05 16:07:31.000000000 -0400 @@ -559,6 +559,13 @@ .IP "\fBinfo_log_address_format (external)\fR" The email address form that will be used in non\-debug logging (info, warning, etc.). +.PP +Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later: +.IP "\fBtls_config_file (default)\fR" +Optional configuration file with baseline OpenSSL settings. +.IP "\fBtls_config_name (empty)\fR" +The application name passed by Postfix to OpenSSL library +initialization functions. .SH "OBSOLETE STARTTLS CONTROLS" .na .nf @@ -836,6 +843,11 @@ smtpd_per_request_deadline. .IP "\fBheader_from_format (standard)\fR" The format of the Postfix\-generated \fBFrom:\fR header. +.PP +Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later: +.IP "\fBsmtpd_forbid_unauth_pipelining (Postfix >= 3.9: yes)\fR" +Disconnect remote SMTP clients that violate RFC 2920 (or 5321) +command pipelining constraints. .SH "TARPIT CONTROLS" .na .nf diff -ur --new-file /var/tmp/postfix-3.7.5/man/man8/tlsproxy.8 ./man/man8/tlsproxy.8 --- /var/tmp/postfix-3.7.5/man/man8/tlsproxy.8 2022-02-05 09:58:52.000000000 -0500 +++ ./man/man8/tlsproxy.8 2023-06-04 18:04:04.000000000 -0400 @@ -150,6 +150,13 @@ .IP "\fBtls_fast_shutdown_enable (yes)\fR" A workaround for implementations that hang Postfix while shutting down a TLS session, until Postfix times out. +.PP +Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later: +.IP "\fBtls_config_file (default)\fR" +Optional configuration file with baseline OpenSSL settings. +.IP "\fBtls_config_name (empty)\fR" +The application name passed by Postfix to OpenSSL library +initialization functions. .SH "STARTTLS SERVER CONTROLS" .na .nf diff -ur --new-file /var/tmp/postfix-3.7.5/mantools/postlink ./mantools/postlink --- /var/tmp/postfix-3.7.5/mantools/postlink 2022-01-21 16:21:09.000000000 -0500 +++ ./mantools/postlink 2023-06-05 15:59:49.000000000 -0400 @@ -555,6 +555,7 @@ s;\bsmtpd_etrn_restrictions\b;$&;g; s;\bsmtpd_expansion_filter\b;$&;g; s;\bsmtpd_for[-]*\n*[ ]*bidden_commands\b;$&;g; + s;\bsmtpd_for[-]*\n*[ ]*bid_unauth_pipelining\b;$&;g; s;\bsmtpd_hard_error_limit\b;$&;g; s;\bsmtpd_helo_required\b;$&;g; s;\bsmtpd_helo_restrictions\b;$&;g; @@ -779,6 +780,8 @@ s;\btls_session_ticket_cipher\b;$&;g; s;\btls_server_sni_maps\b;$&;g; s;\btls_ssl_options\b;$&;g; + s;\btls_config_name\b;$&;g; + s;\btls_config_file\b;$&;g; s;\btls_dane_digest_agility\b;$&;g; s;\btls_dane_trust_anchor_digest_enable\b;$&;g; s;\btls_fast_shutdown_enable\b;$&;g; diff -ur --new-file /var/tmp/postfix-3.7.5/proto/postconf.proto ./proto/postconf.proto --- /var/tmp/postfix-3.7.5/proto/postconf.proto 2022-01-21 16:12:15.000000000 -0500 +++ ./proto/postconf.proto 2023-06-05 15:59:49.000000000 -0400 @@ -18434,3 +18434,114 @@ configuration parameter. See there for details.

This feature is available in Postfix 3.7 and later.

+ +%PARAM tls_config_name + +

The application name passed by Postfix to OpenSSL library +initialization functions. This name is used to select the desired +configuration "section" in the OpenSSL configuration file specified +via the tls_config_file parameter. When empty, or when the +selected name is not present in the configuration file, the default +application name ("openssl_conf") is used as a fallback.

+ +

This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6, +3.6.10, and 3.5.20.

+ +%PARAM tls_config_file default + +

Optional configuration file with baseline OpenSSL settings. +OpenSSL loads any SSL settings found in the configuration file for +the selected application name (see tls_config_name) or else the +built-in application name "openssl_conf" when no application name is +specified, or no corresponding configuration section is present. +

+ +

With OpenSSL releases 1.1.1 and 1.1.1a, applications (including +Postfix) can neither specify an alternative configuration file, nor +avoid loading the default configuration file.

+ +

With OpenSSL 1.1.1b or later, this parameter may be set to one of: +

+ +
+ +
default (default)
Load the system-wide +"openssl.cnf" configuration file.
+ +
none (recommended, OpenSSL 1.1.1b or later only)
+
This setting disables loading of the system-wide "openssl.cnf" +file.
+ +
/absolute-path (OpenSSL 1.1.1b or later only)
+
Load the configuration file specified by /absolute-path. +With this setting it is an error for the file to not contain any +settings for the selected tls_config_name. There is no fallback to +the default "openssl_conf" name.
+ +
+ +

Failures in processing of the built-in default configuration file, +are silently ignored. Any errors in loading a non-default configuration +file are detected by Postfix, and cause TLS support to be disabled. +

+ +

The OpenSSL configuration file format is not documented here, +beyond giving two examples.

+ +

Example: Default settings for all applications.

+ +
+
+# The name 'openssl_conf' is the default application name
+# The section name to the right of the '=' sign is arbitrary,
+# any name will do, so long as it refers to the desired section.
+#
+# The name 'system_default' selects the settings applied internally
+# by the SSL library as part of SSL object creation.  Applications
+# can then apply any additional settings of their choice.
+#
+# In this example, TLS versions prior to 1.2 are disabled by default.
+#
+openssl_conf = system_wide_settings
+[system_wide_settings]
+ssl_conf = ssl_library_settings
+[ssl_library_settings]
+system_default = initial_ssl_settings
+[initial_ssl_settings]
+MinProtocol = TLSv1.2
+
+
+ +

Example: Custom settings for an application named "postfix".

+ +
+
+# The mapping from an application name to the corresponding configuration
+# section must appear near the top of the file, (in what is sometimes called
+# the "default section") prior to the start of any explicitly named
+# "[sections]".  The named sections can appear in any order and don't nest.
+#
+postfix = postfix_settings
+[postfix_settings]
+ssl_conf = postfix_ssl_settings
+[postfix_ssl_settings]
+system_default = baseline_postfix_settings
+[baseline_postfix_settings]
+MinProtocol = TLSv1
+
+
+ +

This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6, +3.6.10, and 3.5.20.

+ +%PARAM smtpd_forbid_unauth_pipelining Postfix ≥ 3.9: yes + +

Disconnect remote SMTP clients that violate RFC 2920 (or 5321) +command pipelining constraints. The server replies with "554 5.5.0 +Error: SMTP protocol synchronization" and logs the unexpected remote +SMTP client input. Specify "smtpd_forbid_unauth_pipelining = yes" +to enable. This feature is enabled by default with Postfix ≥ +3.9.

+ +

This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6, +3.6.10, and 3.5.20.

diff -ur --new-file /var/tmp/postfix-3.7.5/src/global/mail_params.h ./src/global/mail_params.h --- /var/tmp/postfix-3.7.5/src/global/mail_params.h 2022-04-08 18:10:07.000000000 -0400 +++ ./src/global/mail_params.h 2023-06-05 17:44:12.000000000 -0400 @@ -2436,6 +2436,10 @@ #define DEF_SMTPD_PEERNAME_LOOKUP 1 extern bool var_smtpd_peername_lookup; +#define VAR_SMTPD_FORBID_UNAUTH_PIPE "smtpd_forbid_unauth_pipelining" +#define DEF_SMTPD_FORBID_UNAUTH_PIPE 0 +extern bool var_smtpd_forbid_unauth_pipe; + /* * Heuristic to reject unknown local recipients at the SMTP port. */ @@ -3320,8 +3324,17 @@ extern bool var_smtp_cname_overr; /* - * TLS cipherlists + * TLS library settings */ +#define VAR_TLS_CNF_FILE "tls_config_file" +#define DEF_TLS_CNF_FILE "default" +extern char *var_tls_cnf_file; + +#define VAR_TLS_CNF_NAME "tls_config_name" +#define DEF_TLS_CNF_NAME "" +extern char *var_tls_cnf_name; + + #define VAR_TLS_HIGH_CLIST "tls_high_cipherlist" #define DEF_TLS_HIGH_CLIST "aNULL:-aNULL:HIGH:@STRENGTH" extern char *var_tls_high_clist; diff -ur --new-file /var/tmp/postfix-3.7.5/src/postconf/postconf_edit.c ./src/postconf/postconf_edit.c --- /var/tmp/postfix-3.7.5/src/postconf/postconf_edit.c 2014-12-06 20:35:33.000000000 -0500 +++ ./src/postconf/postconf_edit.c 2023-05-17 14:30:17.000000000 -0400 @@ -192,6 +192,11 @@ } else { msg_panic("pcf_edit_main: unknown mode %d", mode); } + if ((cvalue = htable_find(table, pattern)) != 0) { + msg_warn("ignoring earlier request: '%s = %s'", + pattern, cvalue->value); + htable_delete(table, pattern, myfree); + } cvalue = (struct cvalue *) mymalloc(sizeof(*cvalue)); cvalue->value = edit_value; cvalue->found = 0; @@ -459,8 +464,38 @@ /* * Match each service pattern. + * + * Additional care is needed when a request adds or replaces an + * entire service definition, instead of a specific field or + * parameter. Given a command "postconf -M name1/type1='name2 + * type2 ...'", where name1 and name2 may differ, and likewise + * for type1 and type2: + * + * - First, if an existing service definition a) matches the service + * pattern 'name1/type1', or b) matches the name and type in the + * new service definition 'name2 type2 ...', remove the service + * definition. + * + * - Then, after an a) or b) type match, add a new service + * definition for 'name2 type2 ...', but only after the first + * match. + * + * - Finally, if a request had no a) or b) type match for any + * master.cf service definition, add a new service definition for + * 'name2 type2 ...'. */ for (req = edit_reqs; req < edit_reqs + num_reqs; req++) { + PCF_MASTER_ENT *tentative_entry = 0; + int use_tentative_entry = 0; + + /* Additional care for whole service definition requests. */ + if ((mode & PCF_MASTER_ENTRY) && (mode & PCF_EDIT_CONF)) { + tentative_entry = (PCF_MASTER_ENT *) + mymalloc(sizeof(*tentative_entry)); + if ((err = pcf_parse_master_entry(tentative_entry, + req->edit_value)) != 0) + msg_fatal("%s: \"%s\"", err, req->raw_text); + } if (PCF_MATCH_SERVICE_PATTERN(req->service_pattern, service_name, service_type)) { @@ -506,18 +541,30 @@ * Replace entire master.cf entry. */ case PCF_MASTER_ENTRY: - if (new_entry != 0) - pcf_free_master_entry(new_entry); - new_entry = (PCF_MASTER_ENT *) - mymalloc(sizeof(*new_entry)); - if ((err = pcf_parse_master_entry(new_entry, - req->edit_value)) != 0) - msg_fatal("%s: \"%s\"", err, req->raw_text); + if (req->match_count == 1) + use_tentative_entry = 1; break; default: msg_panic("%s: unknown edit mode %d", myname, mode); } } + } else if (tentative_entry != 0 + && PCF_MATCH_SERVICE_PATTERN(tentative_entry->argv, + service_name, + service_type)) { + service_name_type_matched = 1; /* Sticky flag */ + req->match_count += 1; + if (req->match_count == 1) + use_tentative_entry = 1; + } + if (tentative_entry != 0) { + if (use_tentative_entry) { + if (new_entry != 0) + pcf_free_master_entry(new_entry); + new_entry = tentative_entry; + } else { + pcf_free_master_entry(tentative_entry); + } } } diff -ur --new-file /var/tmp/postfix-3.7.5/src/postconf/postconf_master.c ./src/postconf/postconf_master.c --- /var/tmp/postfix-3.7.5/src/postconf/postconf_master.c 2021-12-19 10:04:41.000000000 -0500 +++ ./src/postconf/postconf_master.c 2023-05-17 14:30:17.000000000 -0400 @@ -156,6 +156,7 @@ #include #include #include +#include /* Global library. */ @@ -395,12 +396,12 @@ concatenate("ro", PCF_NAMESP_SEP_STR, masterp->name_space, (char *) 0); masterp->argv = argv; masterp->valid_names = 0; + masterp->ro_params = dict_ht_open(ro_name_space, O_CREAT | O_RDWR, 0); process_name = basename(argv->argv[PCF_MASTER_FLD_CMD]); - dict_update(ro_name_space, VAR_PROCNAME, process_name); - dict_update(ro_name_space, VAR_SERVNAME, - strcmp(process_name, argv->argv[0]) != 0 ? - argv->argv[0] : process_name); - masterp->ro_params = dict_handle(ro_name_space); + dict_put(masterp->ro_params, VAR_PROCNAME, process_name); + dict_put(masterp->ro_params, VAR_SERVNAME, + strcmp(process_name, argv->argv[0]) != 0 ? + argv->argv[0] : process_name); myfree(ro_name_space); masterp->all_params = 0; return (0); diff -ur --new-file /var/tmp/postfix-3.7.5/src/smtp/smtp.c ./src/smtp/smtp.c --- /var/tmp/postfix-3.7.5/src/smtp/smtp.c 2021-10-27 19:38:44.000000000 -0400 +++ ./src/smtp/smtp.c 2021-10-27 19:38:44.000000000 -0400 @@ -583,6 +583,13 @@ /* .IP "\fBtls_fast_shutdown_enable (yes)\fR" /* A workaround for implementations that hang Postfix while shutting /* down a TLS session, until Postfix times out. +/* .PP +/* Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later: +/* .IP "\fBtls_config_file (default)\fR" +/* Optional configuration file with baseline OpenSSL settings. +/* .IP "\fBtls_config_name (empty)\fR" +/* The application name passed by Postfix to OpenSSL library +/* initialization functions. /* OBSOLETE STARTTLS CONTROLS /* .ad /* .fi diff -ur --new-file /var/tmp/postfix-3.7.5/src/smtpd/smtpd.c ./src/smtpd/smtpd.c --- /var/tmp/postfix-3.7.5/src/smtpd/smtpd.c 2021-10-02 10:46:46.000000000 -0400 +++ ./src/smtpd/smtpd.c 2023-06-05 16:01:02.000000000 -0400 @@ -525,6 +525,13 @@ /* .IP "\fBinfo_log_address_format (external)\fR" /* The email address form that will be used in non-debug logging /* (info, warning, etc.). +/* .PP +/* Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later: +/* .IP "\fBtls_config_file (default)\fR" +/* Optional configuration file with baseline OpenSSL settings. +/* .IP "\fBtls_config_name (empty)\fR" +/* The application name passed by Postfix to OpenSSL library +/* initialization functions. /* OBSOLETE STARTTLS CONTROLS /* .ad /* .fi @@ -790,6 +797,11 @@ /* smtpd_per_request_deadline. /* .IP "\fBheader_from_format (standard)\fR" /* The format of the Postfix-generated \fBFrom:\fR header. +/* .PP +/* Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later: +/* .IP "\fBsmtpd_forbid_unauth_pipelining (Postfix >= 3.9: yes)\fR" +/* Disconnect remote SMTP clients that violate RFC 2920 (or 5321) +/* command pipelining constraints. /* TARPIT CONTROLS /* .ad /* .fi @@ -1476,6 +1488,7 @@ char *var_milt_unk_macros; char *var_milt_macro_deflts; bool var_smtpd_client_port_log; +bool var_smtpd_forbid_unauth_pipe; char *var_stress; char *var_reject_tmpf_act; @@ -5425,6 +5438,32 @@ static STRING_LIST *smtpd_noop_cmds; static STRING_LIST *smtpd_forbid_cmds; +/* smtpd_flag_ill_pipelining - flag pipelining protocol violation */ + +static int smtpd_flag_ill_pipelining(SMTPD_STATE *state) +{ + + /* + * This code will not return after I/O error, timeout, or EOF. VSTREAM + * exceptions must be enabled in advance with smtp_stream_setup(). + */ + if (vstream_peek(state->client) == 0 + && peekfd(vstream_fileno(state->client)) > 0) + (void) vstream_ungetc(state->client, smtp_fgetc(state->client)); + if (vstream_peek(state->client) > 0) { + if (state->expand_buf == 0) + state->expand_buf = vstring_alloc(100); + escape(state->expand_buf, vstream_peek_data(state->client), + vstream_peek(state->client) < 100 ? + vstream_peek(state->client) : 100); + msg_info("improper command pipelining after %s from %s: %s", + state->where, state->namaddr, STR(state->expand_buf)); + state->flags |= SMTPD_FLAG_ILL_PIPELINING; + return (1); + } + return (0); +} + /* smtpd_proto - talk the SMTP protocol */ static void smtpd_proto(SMTPD_STATE *state) @@ -5567,6 +5606,21 @@ #endif /* + * If the client spoke before the server sends the initial greeting, + * raise a flag and log the content of the protocol violation. This + * check MUST NOT apply to TLS wrappermode connections. + */ + if (SMTPD_STAND_ALONE(state) == 0 + && vstream_context(state->client) == 0 /* not postscreen */ + && (state->flags & SMTPD_FLAG_ILL_PIPELINING) == 0 + && smtpd_flag_ill_pipelining(state) + && var_smtpd_forbid_unauth_pipe) { + smtpd_chat_reply(state, + "554 5.5.0 Error: SMTP protocol synchronization"); + break; + } + + /* * XXX The client connection count/rate control must be consistent in * its use of client address information in connect and disconnect * events. For now we exclude xclient authorized hosts from @@ -5801,16 +5855,11 @@ && (strcasecmp(state->protocol, MAIL_PROTO_ESMTP) != 0 || (cmdp->flags & SMTPD_CMD_FLAG_LAST)) && (state->flags & SMTPD_FLAG_ILL_PIPELINING) == 0 - && (vstream_peek(state->client) > 0 - || peekfd(vstream_fileno(state->client)) > 0)) { - if (state->expand_buf == 0) - state->expand_buf = vstring_alloc(100); - escape(state->expand_buf, vstream_peek_data(state->client), - vstream_peek(state->client) < 100 ? - vstream_peek(state->client) : 100); - msg_info("improper command pipelining after %s from %s: %s", - cmdp->name, state->namaddr, STR(state->expand_buf)); - state->flags |= SMTPD_FLAG_ILL_PIPELINING; + && smtpd_flag_ill_pipelining(state) + && var_smtpd_forbid_unauth_pipe) { + smtpd_chat_reply(state, + "554 5.5.0 Error: SMTP protocol synchronization"); + break; } if (cmdp->action(state, argc, argv) != 0) state->error_count++; @@ -6479,6 +6528,7 @@ VAR_SMTPD_PEERNAME_LOOKUP, DEF_SMTPD_PEERNAME_LOOKUP, &var_smtpd_peername_lookup, VAR_SMTPD_DELAY_OPEN, DEF_SMTPD_DELAY_OPEN, &var_smtpd_delay_open, VAR_SMTPD_CLIENT_PORT_LOG, DEF_SMTPD_CLIENT_PORT_LOG, &var_smtpd_client_port_log, + VAR_SMTPD_FORBID_UNAUTH_PIPE, DEF_SMTPD_FORBID_UNAUTH_PIPE, &var_smtpd_forbid_unauth_pipe, 0, }; static const CONFIG_NBOOL_TABLE nbool_table[] = { diff -ur --new-file /var/tmp/postfix-3.7.5/src/tls/tls.h ./src/tls/tls.h --- /var/tmp/postfix-3.7.5/src/tls/tls.h 2023-01-21 16:00:03.000000000 -0500 +++ ./src/tls/tls.h 2023-06-04 17:46:40.000000000 -0400 @@ -77,6 +77,7 @@ #include /* New OpenSSL 3.0 EVP_PKEY APIs */ #include /* OPENSSL_VERSION_NUMBER */ #include +#include /* Appease indent(1) */ #define x509_stack_t STACK_OF(X509) @@ -322,6 +323,7 @@ * tls_misc.c */ extern void tls_param_init(void); +extern int tls_library_init(void); /* * Protocol selection. diff -ur --new-file /var/tmp/postfix-3.7.5/src/tls/tls_client.c ./src/tls/tls_client.c --- /var/tmp/postfix-3.7.5/src/tls/tls_client.c 2023-01-21 16:00:03.000000000 -0500 +++ ./src/tls/tls_client.c 2023-06-04 17:46:40.000000000 -0400 @@ -641,6 +641,13 @@ tls_check_version(); /* + * Initialize the OpenSSL library, possibly loading its configuration + * file. + */ + if (tls_library_init() == 0) + return (0); + + /* * Create an application data index for SSL objects, so that we can * attach TLScontext information; this information is needed inside * tls_verify_certificate_callback(). diff -ur --new-file /var/tmp/postfix-3.7.5/src/tls/tls_misc.c ./src/tls/tls_misc.c --- /var/tmp/postfix-3.7.5/src/tls/tls_misc.c 2023-01-15 18:16:48.000000000 -0500 +++ ./src/tls/tls_misc.c 2023-06-04 17:51:13.000000000 -0400 @@ -29,6 +29,8 @@ /* #define TLS_INTERNAL /* #include /* +/* char *var_tls_cnf_file; +/* char *var_tls_cnf_name; /* char *var_tls_high_clist; /* char *var_tls_medium_clist; /* char *var_tls_low_clist; @@ -69,6 +71,8 @@ /* /* void tls_param_init() /* +/* int tls_library_init(void) +/* /* int tls_proto_mask_lims(plist, floor, ceiling) /* const char *plist; /* int *floor; @@ -157,6 +161,9 @@ /* tls_param_init() loads main.cf parameters used internally in /* TLS library. Any errors are fatal. /* +/* tls_library_init() initializes the OpenSSL library, optionally +/* loading an OpenSSL configuration file. +/* /* tls_pre_jail_init() opens any tables that need to be opened before /* entering a chroot jail. The "role" parameter must be TLS_ROLE_CLIENT /* for clients and TLS_ROLE_SERVER for servers. Any errors are fatal. @@ -276,6 +283,8 @@ /* * Tunable parameters. */ +char *var_tls_cnf_file; +char *var_tls_cnf_name; char *var_tls_high_clist; char *var_tls_medium_clist; char *var_tls_low_clist; @@ -644,6 +653,8 @@ { /* If this changes, update TLS_CLIENT_PARAMS in tls_proxy.h. */ static const CONFIG_STR_TABLE str_table[] = { + VAR_TLS_CNF_FILE, DEF_TLS_CNF_FILE, &var_tls_cnf_file, 0, 0, + VAR_TLS_CNF_NAME, DEF_TLS_CNF_NAME, &var_tls_cnf_name, 0, 0, VAR_TLS_HIGH_CLIST, DEF_TLS_HIGH_CLIST, &var_tls_high_clist, 1, 0, VAR_TLS_MEDIUM_CLIST, DEF_TLS_MEDIUM_CLIST, &var_tls_medium_clist, 1, 0, VAR_TLS_LOW_CLIST, DEF_TLS_LOW_CLIST, &var_tls_low_clist, 1, 0, @@ -687,6 +698,118 @@ get_mail_conf_bool_table(bool_table); } +/* tls_library_init - perform OpenSSL library initialization */ + +int tls_library_init(void) +{ + OPENSSL_INIT_SETTINGS *init_settings; + char *conf_name = *var_tls_cnf_name ? var_tls_cnf_name : 0; + char *conf_file = 0; + unsigned long init_opts = 0; + +#define TLS_LIB_INIT_TODO (-1) +#define TLS_LIB_INIT_ERR (0) +#define TLS_LIB_INIT_OK (1) + + static int init_res = TLS_LIB_INIT_TODO; + + if (init_res != TLS_LIB_INIT_TODO) + return (init_res); + + /* + * Backwards compatibility: skip this function unless the Postfix + * configuration actually has non-default tls_config_xxx settings. + */ + if (strcmp(var_tls_cnf_file, DEF_TLS_CNF_FILE) == 0 + && strcmp(var_tls_cnf_name, DEF_TLS_CNF_NAME) == 0) { + if (msg_verbose) + msg_info("tls_library_init: using backwards-compatible defaults"); + return (init_res = TLS_LIB_INIT_OK); + } + if ((init_settings = OPENSSL_INIT_new()) == 0) { + msg_warn("error allocating OpenSSL init settings, " + "disabling TLS support"); + return (init_res = TLS_LIB_INIT_ERR); + } +#define TLS_LIB_INIT_RETURN(x) \ + do { OPENSSL_INIT_free(init_settings); return (init_res = (x)); } while(0) + +#if OPENSSL_VERSION_NUMBER < 0x1010102fL + + /* + * OpenSSL 1.1.0 through 1.1.1a, no support for custom configuration + * files, disabling loading of the file, or getting strict error + * handling. Thus, the only supported configuration file is "default". + */ + if (strcmp(var_tls_cnf_file, "default") != 0) { + msg_warn("non-default %s = %s requires OpenSSL 1.1.1b or later, " + "disabling TLS support", VAR_TLS_CNF_FILE, var_tls_cnf_file); + TLS_LIB_INIT_RETURN(TLS_LIB_INIT_ERR); + } +#else + { + unsigned long file_flags = 0; + + /*- + * OpenSSL 1.1.1b or later: + * We can now use a non-default configuration file, or + * use none at all. We can also request strict error + * reporting. + */ + if (strcmp(var_tls_cnf_file, "none") == 0) { + init_opts |= OPENSSL_INIT_NO_LOAD_CONFIG; + } else if (strcmp(var_tls_cnf_file, "default") == 0) { + + /* + * The default global config file is optional. With "default" + * initialisation we don't insist on a match for the requested + * application name, allowing fallback to the default application + * name, even when a non-default application name is specified. + * Errors in loading the default configuration are ignored. + */ + conf_file = 0; + file_flags |= CONF_MFLAGS_IGNORE_MISSING_FILE; + file_flags |= CONF_MFLAGS_DEFAULT_SECTION; + file_flags |= CONF_MFLAGS_IGNORE_RETURN_CODES | CONF_MFLAGS_SILENT; + } else if (*var_tls_cnf_file == '/') { + + /* + * A custom config file must be present, error reporting is + * strict and the configuration section for the requested + * application name does not fall back to "openssl_conf" when + * missing. + */ + conf_file = var_tls_cnf_file; + } else { + msg_warn("non-default %s = %s is not an absolute pathname, " + "disabling TLS support", VAR_TLS_CNF_FILE, var_tls_cnf_file); + TLS_LIB_INIT_RETURN(TLS_LIB_INIT_ERR); + } + + OPENSSL_INIT_set_config_file_flags(init_settings, file_flags); + } +#endif + + if (conf_file) + OPENSSL_INIT_set_config_filename(init_settings, conf_file); + if (conf_name) + OPENSSL_INIT_set_config_appname(init_settings, conf_name); + + if (OPENSSL_init_ssl(init_opts, init_settings) <= 0) { + if ((init_opts & OPENSSL_INIT_NO_LOAD_CONFIG) == 0) + msg_warn("error loading the '%s' settings from the %s OpenSSL " + "configuration file, disabling TLS support", + conf_name ? conf_name : "global", + conf_file ? conf_file : "default"); + else + msg_warn("error initializing the OpenSSL library, " + "disabling TLS support"); + tls_print_errors(); + TLS_LIB_INIT_RETURN(TLS_LIB_INIT_ERR); + } + TLS_LIB_INIT_RETURN(TLS_LIB_INIT_OK); +} + /* tls_pre_jail_init - Load TLS related pre-jail tables */ void tls_pre_jail_init(TLS_ROLE role) diff -ur --new-file /var/tmp/postfix-3.7.5/src/tls/tls_proxy.h ./src/tls/tls_proxy.h --- /var/tmp/postfix-3.7.5/src/tls/tls_proxy.h 2021-08-06 20:04:05.000000000 -0400 +++ ./src/tls/tls_proxy.h 2023-06-04 17:46:40.000000000 -0400 @@ -44,6 +44,8 @@ * VAR_TLS_SERVER_SNI_MAPS. */ typedef struct TLS_CLIENT_PARAMS { + char *tls_cnf_file; + char *tls_cnf_name; char *tls_high_clist; char *tls_medium_clist; char *tls_low_clist; @@ -65,12 +67,13 @@ } TLS_CLIENT_PARAMS; #define TLS_PROXY_PARAMS(params, a1, a2, a3, a4, a5, a6, a7, a8, \ - a9, a10, a11, a12, a13, a14, a15, a16, a17, a18) \ + a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20) \ (((params)->a1), ((params)->a2), ((params)->a3), \ ((params)->a4), ((params)->a5), ((params)->a6), ((params)->a7), \ ((params)->a8), ((params)->a9), ((params)->a10), ((params)->a11), \ ((params)->a12), ((params)->a13), ((params)->a14), ((params)->a15), \ - ((params)->a16), ((params)->a17), ((params)->a18)) + ((params)->a16), ((params)->a17), ((params)->a18), ((params)->a19), \ + ((params)->a20)) /* * tls_proxy_client_param_misc.c, tls_proxy_client_param_print.c, and @@ -215,6 +218,8 @@ /* * TLS_CLIENT_INIT_PROPS attributes. */ +#define TLS_ATTR_CNF_FILE "config_file" +#define TLS_ATTR_CNF_NAME "config_name" #define TLS_ATTR_LOG_PARAM "log_param" #define TLS_ATTR_LOG_LEVEL "log_level" #define TLS_ATTR_VERIFYDEPTH "verifydepth" diff -ur --new-file /var/tmp/postfix-3.7.5/src/tls/tls_proxy_client_misc.c ./src/tls/tls_proxy_client_misc.c --- /var/tmp/postfix-3.7.5/src/tls/tls_proxy_client_misc.c 2021-08-06 20:04:05.000000000 -0400 +++ ./src/tls/tls_proxy_client_misc.c 2023-06-04 17:46:40.000000000 -0400 @@ -66,6 +66,8 @@ TLS_CLIENT_PARAMS *tls_proxy_client_param_from_config(TLS_CLIENT_PARAMS *params) { TLS_PROXY_PARAMS(params, + tls_cnf_file = var_tls_cnf_file, + tls_cnf_name = var_tls_cnf_name, tls_high_clist = var_tls_high_clist, tls_medium_clist = var_tls_medium_clist, tls_low_clist = var_tls_low_clist, diff -ur --new-file /var/tmp/postfix-3.7.5/src/tls/tls_proxy_client_print.c ./src/tls/tls_proxy_client_print.c --- /var/tmp/postfix-3.7.5/src/tls/tls_proxy_client_print.c 2021-08-06 20:04:05.000000000 -0400 +++ ./src/tls/tls_proxy_client_print.c 2023-06-04 17:46:40.000000000 -0400 @@ -95,6 +95,8 @@ msg_info("begin tls_proxy_client_param_print"); ret = print_fn(fp, flags | ATTR_FLAG_MORE, + SEND_ATTR_STR(TLS_ATTR_CNF_FILE, params->tls_cnf_file), + SEND_ATTR_STR(TLS_ATTR_CNF_NAME, params->tls_cnf_name), SEND_ATTR_STR(VAR_TLS_HIGH_CLIST, params->tls_high_clist), SEND_ATTR_STR(VAR_TLS_MEDIUM_CLIST, params->tls_medium_clist), diff -ur --new-file /var/tmp/postfix-3.7.5/src/tls/tls_proxy_client_scan.c ./src/tls/tls_proxy_client_scan.c --- /var/tmp/postfix-3.7.5/src/tls/tls_proxy_client_scan.c 2020-07-18 20:21:31.000000000 -0400 +++ ./src/tls/tls_proxy_client_scan.c 2023-06-04 17:46:40.000000000 -0400 @@ -121,6 +121,8 @@ void tls_proxy_client_param_free(TLS_CLIENT_PARAMS *params) { + myfree(params->tls_cnf_file); + myfree(params->tls_cnf_name); myfree(params->tls_high_clist); myfree(params->tls_medium_clist); myfree(params->tls_low_clist); @@ -145,6 +147,8 @@ TLS_CLIENT_PARAMS *params = (TLS_CLIENT_PARAMS *) mymalloc(sizeof(*params)); int ret; + VSTRING *cnf_file = vstring_alloc(25); + VSTRING *cnf_name = vstring_alloc(25); VSTRING *tls_high_clist = vstring_alloc(25); VSTRING *tls_medium_clist = vstring_alloc(25); VSTRING *tls_low_clist = vstring_alloc(25); @@ -167,6 +171,8 @@ */ memset(params, 0, sizeof(*params)); ret = scan_fn(fp, flags | ATTR_FLAG_MORE, + RECV_ATTR_STR(TLS_ATTR_CNF_FILE, cnf_file), + RECV_ATTR_STR(TLS_ATTR_CNF_NAME, cnf_name), RECV_ATTR_STR(VAR_TLS_HIGH_CLIST, tls_high_clist), RECV_ATTR_STR(VAR_TLS_MEDIUM_CLIST, tls_medium_clist), RECV_ATTR_STR(VAR_TLS_LOW_CLIST, tls_low_clist), @@ -192,6 +198,8 @@ ¶ms->tls_multi_wildcard), ATTR_TYPE_END); /* Always construct a well-formed structure. */ + params->tls_cnf_file = vstring_export(cnf_file); + params->tls_cnf_name = vstring_export(cnf_name); params->tls_high_clist = vstring_export(tls_high_clist); params->tls_medium_clist = vstring_export(tls_medium_clist); params->tls_low_clist = vstring_export(tls_low_clist); @@ -206,7 +214,7 @@ params->tls_mgr_service = vstring_export(tls_mgr_service); params->tls_tkt_cipher = vstring_export(tls_tkt_cipher); - ret = (ret == 18 ? 1 : -1); + ret = (ret == 20 ? 1 : -1); if (ret != 1) { tls_proxy_client_param_free(params); params = 0; diff -ur --new-file /var/tmp/postfix-3.7.5/src/tls/tls_server.c ./src/tls/tls_server.c --- /var/tmp/postfix-3.7.5/src/tls/tls_server.c 2023-01-27 17:01:19.000000000 -0500 +++ ./src/tls/tls_server.c 2023-06-04 17:46:40.000000000 -0400 @@ -420,6 +420,13 @@ tls_check_version(); /* + * Initialize the OpenSSL library, possibly loading its configuration + * file. + */ + if (tls_library_init() == 0) + return (0); + + /* * First validate the protocols. If these are invalid, we can't continue. */ protomask = tls_proto_mask_lims(props->protocols, &min_proto, &max_proto); diff -ur --new-file /var/tmp/postfix-3.7.5/src/tlsproxy/tlsproxy.c ./src/tlsproxy/tlsproxy.c --- /var/tmp/postfix-3.7.5/src/tlsproxy/tlsproxy.c 2022-02-05 09:56:04.000000000 -0500 +++ ./src/tlsproxy/tlsproxy.c 2023-06-04 17:46:40.000000000 -0400 @@ -134,6 +134,13 @@ /* .IP "\fBtls_fast_shutdown_enable (yes)\fR" /* A workaround for implementations that hang Postfix while shutting /* down a TLS session, until Postfix times out. +/* .PP +/* Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later: +/* .IP "\fBtls_config_file (default)\fR" +/* Optional configuration file with baseline OpenSSL settings. +/* .IP "\fBtls_config_name (empty)\fR" +/* The application name passed by Postfix to OpenSSL library +/* initialization functions. /* STARTTLS SERVER CONTROLS /* .ad /* .fi