Prereq: "2.7.1" diff -cr --new-file /var/tmp/postfix-2.7.1/src/global/mail_version.h ./src/global/mail_version.h *** /var/tmp/postfix-2.7.1/src/global/mail_version.h Tue Jun 8 08:30:42 2010 --- ./src/global/mail_version.h Tue Nov 23 10:58:55 2010 *************** *** 20,27 **** * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20100608" ! #define MAIL_VERSION_NUMBER "2.7.1" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE --- 20,27 ---- * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20101123" ! #define MAIL_VERSION_NUMBER "2.7.2" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -cr --new-file /var/tmp/postfix-2.7.1/HISTORY ./HISTORY *** /var/tmp/postfix-2.7.1/HISTORY Fri Jun 4 08:42:42 2010 --- ./HISTORY Tue Nov 23 11:07:10 2010 *************** *** 15768,15770 **** --- 15768,15818 ---- Portability: Berkeley DB 5.x has the same API as Berkeley DB 4.1 and later. File: util/dict_db.c. + + 20100610 + + Bugfix (introduced Postfix 2.2): Postfix no longer appends + the system default CA certificates to the lists specified + with *_tls_CAfile or with *_tls_CApath. This prevents + third-party certificates from getting mail relay permission + with the permit_tls_all_clientcerts feature. Unfortunately + this may cause compatibility problems with configurations + that rely on certificate verification for other purposes. + To get the old behavior, specify "tls_append_default_CA = + yes". Files: tls/tls_certkey.c, tls/tls_misc.c, + global/mail_params.h. proto/postconf.proto, mantools/postlink. + + 20100714 + + Compatibility with Postfix < 2.3: fix 20061207 was incomplete + (undoing the change to bounce instead of defer after + pipe-to-command delivery fails with a signal). Fix by Thomas + Arnett. File: global/pipe_command.c. 
+ + 20100727 + + Bugfix: the milter_header_checks parser provided only the + actions that change the message flow (reject, filter, + discard, redirect) but disabled the non-flow actions (warn, + replace, prepend, ignore, dunno, ok). File: + cleanup/cleanup_milter.c. + + 20100827 + + Performance: fix for poor smtpd_proxy_filter TCP performance + over loopback (127.0.0.1) connections. Problem reported by + Mark Martinec. Files: smtpd/smtpd_proxy.c. + + 20101023 + + Cleanup: don't apply reject_rhsbl_helo to non-domain forms + such as network addresses. This would cause false positives + with dbl.spamhaus.org. File: smtpd/smtpd_check.c. + + 20101117 + + Bugfix: the "421" reply after Milter error was overruled + by Postfix 1.1 code that replied with "503" for RFC 2821 + compliance. We now make an exception for "final" replies, + as permitted by RFC. Solution by Victor Duchovni. File: + smtpd/smtpd.c. diff -cr --new-file /var/tmp/postfix-2.7.1/RELEASE_NOTES ./RELEASE_NOTES *** /var/tmp/postfix-2.7.1/RELEASE_NOTES Wed Feb 3 16:43:34 2010 --- ./RELEASE_NOTES Tue Nov 23 13:53:31 2010 *************** *** 14,19 **** --- 14,31 ---- If you upgrade from Postfix 2.5 or earlier, read RELEASE_NOTES-2.6 before proceeding. + Incompatibility with Postfix 2.7.2 + ---------------------------------- + + Postfix no longer appends the system-supplied default CA certificates + to the lists specified with *_tls_CAfile or with *_tls_CApath. This + prevents third-party certificates from getting mail relay permission + with the permit_tls_all_clientcerts feature. + + Unfortunately this change may cause compatibility problems when + configurations rely on certificate verification for other purposes. + Specify "tls_append_default_CA = yes" for backwards compatibility. 
+ Major changes - performance --------------------------- diff -cr --new-file /var/tmp/postfix-2.7.1/html/postconf.5.html ./html/postconf.5.html *** /var/tmp/postfix-2.7.1/html/postconf.5.html Tue Jun 1 20:01:35 2010 --- ./html/postconf.5.html Tue Jun 15 18:19:06 2010 *************** *** 9150,9155 **** --- 9150,9159 ---- but it is best to include all the required certificates directly in $smtp_tls_cert_file.

+

Specify "tls_append_default_CA = no" to prevent Postfix from + appending the system-supplied default CAs and trusting third-party + certificates.

+

Example:

***************
*** 9173,9178 ****
--- 9177,9186 ----
  

To use this option in chroot mode, this directory (or a copy) must be inside the chroot jail.

+

Specify "tls_append_default_CA = no" to prevent Postfix from + appending the system-supplied default CAs and trusting third-party + certificates.

+

Example:

***************
*** 10824,10831 ****
  
Permit the request when the remote SMTP client certificate is verified successfully. This option must be used only if a special CA issues the certificates and only this CA is listed as trusted ! CA, otherwise all clients with a recognized certificate would be ! allowed to relay. This feature is available with Postfix version 2.2.
permit_tls_clientcerts
--- 10832,10842 ----
Permit the request when the remote SMTP client certificate is verified successfully. This option must be used only if a special CA issues the certificates and only this CA is listed as trusted ! CA. Otherwise, clients with a third-party certificate would also ! be allowed to relay. Specify "tls_append_default_CA = no" when the ! trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath, ! to prevent Postfix from appending the system-supplied default CAs. ! This feature is available with Postfix version 2.2.
permit_tls_clientcerts
*************** *** 12595,12600 **** --- 12606,12615 ---- but it is best to include all the required certificates directly in the server certificate file.

+

Specify "tls_append_default_CA = no" to prevent Postfix from + appending the system-supplied default CAs and trusting third-party + certificates.

+

By default (see smtpd_tls_ask_ccert), client certificates are not requested, and smtpd_tls_CAfile should remain empty. If you do make use of client certificates, the distinguished names (DNs) of the certificate *************** *** 12626,12631 **** --- 12641,12650 ---- smtpd_tls_CApath in chroot mode, this directory (or a copy) must be inside the chroot jail.

+

Specify "tls_append_default_CA = no" to prevent Postfix from + appending the system-supplied default CAs and trusting third-party + certificates.

+

By default (see smtpd_tls_ask_ccert), client certificates are not requested, and smtpd_tls_CApath should remain empty. In contrast to smtpd_tls_CAfile, DNs of certificate authorities installed *************** *** 13739,13744 **** --- 13758,13780 ---- +

tls_append_default_CA + (default: no)
+ +

Append the system-supplied default certificate authority + certificates to the ones specified with *_tls_CApath or *_tls_CAfile. + The default is "no"; this prevents Postfix from trusting third-party + certificates and giving them relay permission with + permit_tls_all_clientcerts.

+ +

This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8, + 2.7.2 and later versions. Specify "tls_append_default_CA = yes" for + backwards compatibility, to avoid breaking certificate verification + with sites that don't use permit_tls_all_clientcerts.

+ + +
+
tls_daemon_random_bytes (default: 32)
diff -cr --new-file /var/tmp/postfix-2.7.1/man/man5/postconf.5 ./man/man5/postconf.5 *** /var/tmp/postfix-2.7.1/man/man5/postconf.5 Tue Jun 1 20:01:35 2010 --- ./man/man5/postconf.5 Tue Jun 15 18:19:06 2010 *************** *** 5239,5244 **** --- 5239,5248 ---- but it is best to include all the required certificates directly in $smtp_tls_cert_file. .PP + Specify "tls_append_default_CA = no" to prevent Postfix from + appending the system-supplied default CAs and trusting third-party + certificates. + .PP Example: .PP .nf *************** *** 5259,5264 **** --- 5263,5272 ---- To use this option in chroot mode, this directory (or a copy) must be inside the chroot jail. .PP + Specify "tls_append_default_CA = no" to prevent Postfix from + appending the system-supplied default CAs and trusting third-party + certificates. + .PP Example: .PP .nf *************** *** 6622,6629 **** Permit the request when the remote SMTP client certificate is verified successfully. This option must be used only if a special CA issues the certificates and only this CA is listed as trusted ! CA, otherwise all clients with a recognized certificate would be ! allowed to relay. This feature is available with Postfix version 2.2. .IP "\fBpermit_tls_clientcerts\fR" Permit the request when the remote SMTP client certificate fingerprint is listed in $relay_clientcerts. --- 6630,6640 ---- Permit the request when the remote SMTP client certificate is verified successfully. This option must be used only if a special CA issues the certificates and only this CA is listed as trusted ! CA. Otherwise, clients with a third-party certificate would also ! be allowed to relay. Specify "tls_append_default_CA = no" when the ! trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath, ! to prevent Postfix from appending the system-supplied default CAs. ! This feature is available with Postfix version 2.2. 
.IP "\fBpermit_tls_clientcerts\fR" Permit the request when the remote SMTP client certificate fingerprint is listed in $relay_clientcerts. *************** *** 7828,7833 **** --- 7839,7848 ---- but it is best to include all the required certificates directly in the server certificate file. .PP + Specify "tls_append_default_CA = no" to prevent Postfix from + appending the system-supplied default CAs and trusting third-party + certificates. + .PP By default (see smtpd_tls_ask_ccert), client certificates are not requested, and smtpd_tls_CAfile should remain empty. If you do make use of client certificates, the distinguished names (DNs) of the certificate *************** *** 7857,7862 **** --- 7872,7881 ---- smtpd_tls_CApath in chroot mode, this directory (or a copy) must be inside the chroot jail. .PP + Specify "tls_append_default_CA = no" to prevent Postfix from + appending the system-supplied default CAs and trusting third-party + certificates. + .PP By default (see smtpd_tls_ask_ccert), client certificates are not requested, and smtpd_tls_CApath should remain empty. In contrast to smtpd_tls_CAfile, DNs of certificate authorities installed *************** *** 8711,8716 **** --- 8730,8746 ---- \fBlmtp\fR(8)). .PP This feature is available in Postfix 2.6 and later. + .SH tls_append_default_CA (default: no) + Append the system-supplied default certificate authority + certificates to the ones specified with *_tls_CApath or *_tls_CAfile. + The default is "no"; this prevents Postfix from trusting third-party + certificates and giving them relay permission with + permit_tls_all_clientcerts. + .PP + This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8, + 2.7.2 and later versions. Specify "tls_append_default_CA = yes" for + backwards compatibility, to avoid breaking certificate verification + with sites that don't use permit_tls_all_clientcerts. 
.SH tls_daemon_random_bytes (default: 32) The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8) process requests from the \fBtlsmgr\fR(8) server in order to seed its diff -cr --new-file /var/tmp/postfix-2.7.1/mantools/postlink ./mantools/postlink *** /var/tmp/postfix-2.7.1/mantools/postlink Wed Feb 3 14:53:33 2010 --- ./mantools/postlink Sun Jun 13 14:50:38 2010 *************** *** 676,681 **** --- 676,682 ---- s;\btls_null_cipherlist\b;$&;g; s;\btls_eecdh_strong_curve\b;$&;g; s;\btls_eecdh_ultra_curve\b;$&;g; + s;\btls_append_default_CA\b;$&;g; s;\bfrozen_delivered_to\b;$&;g; diff -cr --new-file /var/tmp/postfix-2.7.1/proto/postconf.proto ./proto/postconf.proto *** /var/tmp/postfix-2.7.1/proto/postconf.proto Tue Jun 1 19:52:06 2010 --- ./proto/postconf.proto Tue Jun 15 18:18:48 2010 *************** *** 4855,4862 ****
Permit the request when the remote SMTP client certificate is verified successfully. This option must be used only if a special CA issues the certificates and only this CA is listed as trusted ! CA, otherwise all clients with a recognized certificate would be ! allowed to relay. This feature is available with Postfix version 2.2.
permit_tls_clientcerts
--- 4855,4865 ----
Permit the request when the remote SMTP client certificate is verified successfully. This option must be used only if a special CA issues the certificates and only this CA is listed as trusted ! CA. Otherwise, clients with a third-party certificate would also ! be allowed to relay. Specify "tls_append_default_CA = no" when the ! trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath, ! to prevent Postfix from appending the system-supplied default CAs. ! This feature is available with Postfix version 2.2.
permit_tls_clientcerts
*************** *** 8648,8653 **** --- 8651,8660 ---- but it is best to include all the required certificates directly in the server certificate file.

+

Specify "tls_append_default_CA = no" to prevent Postfix from + appending the system-supplied default CAs and trusting third-party + certificates.

+

By default (see smtpd_tls_ask_ccert), client certificates are not requested, and smtpd_tls_CAfile should remain empty. If you do make use of client certificates, the distinguished names (DNs) of the certificate *************** *** 8675,8680 **** --- 8682,8691 ---- smtpd_tls_CApath in chroot mode, this directory (or a copy) must be inside the chroot jail.

+

Specify "tls_append_default_CA = no" to prevent Postfix from + appending the system-supplied default CAs and trusting third-party + certificates.

+

By default (see smtpd_tls_ask_ccert), client certificates are not requested, and smtpd_tls_CApath should remain empty. In contrast to smtpd_tls_CAfile, DNs of certificate authorities installed *************** *** 9043,9048 **** --- 9054,9063 ---- but it is best to include all the required certificates directly in $smtp_tls_cert_file.

+

Specify "tls_append_default_CA = no" to prevent Postfix from + appending the system-supplied default CAs and trusting third-party + certificates.

+

Example:

***************
*** 9062,9067 ****
--- 9077,9086 ----
  

To use this option in chroot mode, this directory (or a copy) must be inside the chroot jail.

+

Specify "tls_append_default_CA = no" to prevent Postfix from + appending the system-supplied default CAs and trusting third-party + certificates.

+

Example:

***************
*** 9351,9356 ****
--- 9370,9388 ----
  
  

This feature is available in Postfix 2.2 and later.

+ %PARAM tls_append_default_CA no + +

Append the system-supplied default certificate authority + certificates to the ones specified with *_tls_CApath or *_tls_CAfile. + The default is "no"; this prevents Postfix from trusting third-party + certificates and giving them relay permission with + permit_tls_all_clientcerts.

+ +

This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8, + 2.7.2 and later versions. Specify "tls_append_default_CA = yes" for + backwards compatibility, to avoid breaking certificate verification + with sites that don't use permit_tls_all_clientcerts.

+ %PARAM tls_random_exchange_name see "postconf -d" output

Name of the pseudo random number generator (PRNG) state file diff -cr --new-file /var/tmp/postfix-2.7.1/src/cleanup/cleanup_milter.c ./src/cleanup/cleanup_milter.c *** /var/tmp/postfix-2.7.1/src/cleanup/cleanup_milter.c Mon Jun 8 07:52:12 2009 --- ./src/cleanup/cleanup_milter.c Tue Jul 27 19:51:08 2010 *************** *** 370,377 **** } return ((char *) buf); } ! msg_warn("unknown command in %s map: %s", map_class, command); ! return ((char *) buf); } /* cleanup_milter_header_checks - inspect Milter-generated header */ --- 370,376 ---- } return ((char *) buf); } ! return ((char *) HBC_CHECKS_STAT_UNKNOWN); } /* cleanup_milter_header_checks - inspect Milter-generated header */ diff -cr --new-file /var/tmp/postfix-2.7.1/src/global/mail_params.h ./src/global/mail_params.h *** /var/tmp/postfix-2.7.1/src/global/mail_params.h Wed Jun 2 06:57:55 2010 --- ./src/global/mail_params.h Sun Jun 13 15:20:42 2010 *************** *** 623,628 **** --- 623,632 ---- #define DEF_DUP_FILTER_LIMIT 1000 extern int var_dup_filter_limit; + #define VAR_TLS_APPEND_DEF_CA "tls_append_default_CA" + #define DEF_TLS_APPEND_DEF_CA 0 /* Postfix < 2.8 BC break */ + extern bool var_tls_append_def_CA; + #define VAR_TLS_RAND_EXCH_NAME "tls_random_exchange_name" #define DEF_TLS_RAND_EXCH_NAME "${data_directory}/prng_exch" extern char *var_tls_rand_exch_name; diff -cr --new-file /var/tmp/postfix-2.7.1/src/global/pipe_command.c ./src/global/pipe_command.c *** /var/tmp/postfix-2.7.1/src/global/pipe_command.c Tue Jan 8 16:01:16 2008 --- ./src/global/pipe_command.c Wed Jul 14 15:14:11 2010 *************** *** 628,634 **** */ if (!NORMAL_EXIT_STATUS(wait_status)) { if (WIFSIGNALED(wait_status)) { ! dsb_unix(why, "5.3.0", log_len ? log_buf : sys_exits_detail(EX_SOFTWARE)->text, "Command died with signal %d: \"%s\"%s%s", WTERMSIG(wait_status), args.command, --- 628,634 ---- */ if (!NORMAL_EXIT_STATUS(wait_status)) { if (WIFSIGNALED(wait_status)) { ! dsb_unix(why, "4.3.0", log_len ? 
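Review bot: The new `return ((char *) HBC_CHECKS_STAT_UNKNOWN);` at the end of this function has no comment explaining why an unrecognised command is no longer warned about here. Going by the HISTORY entry for 20100727, the intent is to hand the non-flow actions (warn, replace, prepend, ignore, dunno, ok) back to the generic header_checks code, so I would add `/* Not a flow action: report "unknown" so the non-flow actions are handled elsewhere. */` above the return. The function starts outside the hunk and its caller is not shown, so it is worth confirming that a genuinely unknown action is still logged somewhere now that the `msg_warn()` is gone.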
log_buf : sys_exits_detail(EX_SOFTWARE)->text, "Command died with signal %d: \"%s\"%s%s", WTERMSIG(wait_status), args.command, diff -cr --new-file /var/tmp/postfix-2.7.1/src/smtpd/smtpd.c ./src/smtpd/smtpd.c *** /var/tmp/postfix-2.7.1/src/smtpd/smtpd.c Sat Feb 13 20:50:21 2010 --- ./src/smtpd/smtpd.c Mon Nov 22 15:57:59 2010 *************** *** 4487,4492 **** --- 4487,4497 ---- } /* XXX We use the real client for connect access control. */ if (state->access_denied && cmdp->action != quit_cmd) { + /* XXX Exception for Milter override. */ + if (strncmp(state->access_denied + 1, "21", 2) == 0) { + smtpd_chat_reply(state, "%s", state->access_denied); + continue; + } smtpd_chat_reply(state, "503 5.7.0 Error: access denied for %s", state->namaddr); /* RFC 2821 Sec 3.1 */ state->error_count++; diff -cr --new-file /var/tmp/postfix-2.7.1/src/smtpd/smtpd_check.c ./src/smtpd/smtpd_check.c *** /var/tmp/postfix-2.7.1/src/smtpd/smtpd_check.c Thu Nov 5 14:09:43 2009 --- ./src/smtpd/smtpd_check.c Mon Nov 22 13:03:33 2010 *************** *** 3789,3795 **** name); else { cpp += 1; ! if (state->helo_name) status = reject_rbl_domain(state, *cpp, state->helo_name, SMTPD_NAME_HELO); } --- 3789,3796 ---- name); else { cpp += 1; ! if (state->helo_name ! && valid_hostname(state->helo_name, DONT_GRIPE)) status = reject_rbl_domain(state, *cpp, state->helo_name, SMTPD_NAME_HELO); } diff -cr --new-file /var/tmp/postfix-2.7.1/src/smtpd/smtpd_proxy.c ./src/smtpd/smtpd_proxy.c *** /var/tmp/postfix-2.7.1/src/smtpd/smtpd_proxy.c Fri Jan 29 17:44:19 2010 --- ./src/smtpd/smtpd_proxy.c Fri Aug 27 16:40:33 2010 *************** *** 355,360 **** --- 355,363 ---- /* Needed by our DATA-phase record emulation routines. */ vstream_control(proxy->service_stream, VSTREAM_CTL_CONTEXT, (char *) state, VSTREAM_CTL_END); + /* Avoid poor performance when TCP MSS > VSTREAM_BUFSIZE. 
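Review bot: The status literal `"4.3.0"` in the `WIFSIGNALED` branch now decides defer versus bounce, and nothing next to it says so. A command that dies with a signal on every attempt will presumably be retried until the message expires from the queue rather than bounced at once. A short comment such as `/* Soft error: defer rather than bounce when the command is killed by a signal (pre-2.3 behavior). */` would keep the next reader from changing it back to 5.3.0. The enclosing function starts and ends outside the hunk.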
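Review bot: The test `strncmp(state->access_denied + 1, "21", 2) == 0` matches any stored reply whose second and third characters are "21", not only the "421" named in the HISTORY entry, and the comment `/* XXX Exception for Milter override. */` does not say which replies are meant. If that breadth is intended, spell it out, e.g. `/* Pass "final" x21 replies (such as 421) through unchanged instead of the RFC 2821 503. */`; if only 421 is meant, compare the first three characters with `"421"`. The new branch also reaches `continue` without the `state->error_count++` that the 503 path performs. Whether a client that keeps sending commands is still bounded therefore depends on code outside the hunk and should be checked.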
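Review bot: The added `&& valid_hostname(state->helo_name, DONT_GRIPE)` condition silently skips the RHSBL lookup for any HELO argument that is not a hostname, and no comment records why. I would add `/* Skip non-domain forms such as network addresses; they cause false positives with domain block lists. */` above the `if`. Because the check is quiet and `status` is left as it was, a malformed HELO gets no verdict from this restriction. That is acceptable only if a separate HELO syntax restriction (for example reject_invalid_helo_hostname) is expected to handle it, which is not visible in this hunk.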
*/ + if (connect_fn == inet_connect) + vstream_tweak_tcp(proxy->service_stream); smtp_timeout_setup(proxy->service_stream, proxy->timeout); /* diff -cr --new-file /var/tmp/postfix-2.7.1/src/tls/Makefile.in ./src/tls/Makefile.in *** /var/tmp/postfix-2.7.1/src/tls/Makefile.in Thu Jan 15 16:36:39 2009 --- ./src/tls/Makefile.in Wed Jul 7 05:26:33 2010 *************** *** 101,106 **** --- 101,107 ---- tls_bio_ops.o: tls.h tls_bio_ops.o: tls_bio_ops.c tls_certkey.o: ../../include/argv.h + tls_certkey.o: ../../include/mail_params.h tls_certkey.o: ../../include/msg.h tls_certkey.o: ../../include/name_code.h tls_certkey.o: ../../include/name_mask.h diff -cr --new-file /var/tmp/postfix-2.7.1/src/tls/tls_certkey.c ./src/tls/tls_certkey.c *** /var/tmp/postfix-2.7.1/src/tls/tls_certkey.c Tue Jun 1 19:52:06 2010 --- ./src/tls/tls_certkey.c Thu Jun 10 09:34:11 2010 *************** *** 70,75 **** --- 70,79 ---- #include + /* Global library. */ + + #include + /* TLS library. */ #define TLS_INTERNAL *************** *** 91,97 **** tls_print_errors(); return (-1); } ! if (!SSL_CTX_set_default_verify_paths(ctx)) { msg_info("cannot set certificate verification paths: " "disabling TLS support"); tls_print_errors(); --- 95,101 ---- tls_print_errors(); return (-1); } ! 
if (var_tls_append_def_CA && !SSL_CTX_set_default_verify_paths(ctx)) { msg_info("cannot set certificate verification paths: " "disabling TLS support"); tls_print_errors(); diff -cr --new-file /var/tmp/postfix-2.7.1/src/tls/tls_misc.c ./src/tls/tls_misc.c *** /var/tmp/postfix-2.7.1/src/tls/tls_misc.c Sat Nov 8 18:35:28 2008 --- ./src/tls/tls_misc.c Wed Jul 7 07:04:43 2010 *************** *** 15,20 **** --- 15,21 ---- /* char *var_tls_eecdh_strong; /* char *var_tls_eecdh_ultra; /* int var_tls_daemon_rand_bytes; + /* bool var_tls_append_def_CA; /* /* TLS_APPL_STATE *tls_alloc_app_context(ssl_ctx) /* SSL_CTX *ssl_ctx; *************** *** 190,195 **** --- 191,197 ---- int var_tls_daemon_rand_bytes; char *var_tls_eecdh_strong; char *var_tls_eecdh_ultra; + bool var_tls_append_def_CA; /* * Index to attach TLScontext pointers to SSL objects, so that they can be *************** *** 407,412 **** --- 409,418 ---- VAR_TLS_DAEMON_RAND_BYTES, DEF_TLS_DAEMON_RAND_BYTES, &var_tls_daemon_rand_bytes, 1, 0, 0, }; + static const CONFIG_BOOL_TABLE bool_table[] = { + VAR_TLS_APPEND_DEF_CA, DEF_TLS_APPEND_DEF_CA, &var_tls_append_def_CA, + 0, + }; static int init_done; if (init_done) *************** *** 415,420 **** --- 421,427 ---- get_mail_conf_str_table(str_table); get_mail_conf_int_table(int_table); + get_mail_conf_bool_table(bool_table); } /* tls_set_ciphers - Set SSL context cipher list */
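Review bot: The condition `var_tls_append_def_CA && !SSL_CTX_set_default_verify_paths(ctx)` in the tls_certkey.c hunk is the security-relevant line of this patch and it carries no comment. With the default of 0 the system CA bundle is no longer loaded, so only the CAs from the configured CAfile/CApath are trusted. I would say so in place, e.g. `/* Add the system default CAs only on request; otherwise third-party certificates verify and gain relay permission with permit_tls_all_clientcerts. */`. It also follows that a configuration with neither CAfile nor CApath set ends up with no trust anchors at all. Whether this code is reached in that case is decided outside the hunk, and the function itself starts and ends outside it.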