diff -ur --new-file /var/tmp/postfix-3.2.9/html/smtp.8.html ./html/smtp.8.html
--- /var/tmp/postfix-3.2.9/html/smtp.8.html 2016-12-04 15:55:06.000000000 -0500
+++ ./html/smtp.8.html 2019-06-29 19:03:41.000000000 -0400
@@ -566,6 +566,12 @@
nexthop destination security level is dane, but the MX record
was found via an "insecure" MX lookup.
+ Introduced with Postfix 3.4.6, 3.3.5, 3.2.10, and 3.1.13:
+
+ tls_fast_shutdown_enable (yes)
+ A workaround for implementations that hang Postfix while shuting
+ down a TLS session, until Postfix times out.
+
OBSOLETE STARTTLS CONTROLS
The following configuration parameters exist for compatibility with
Postfix versions before 2.3. Support for these will be removed in a
diff -ur --new-file /var/tmp/postfix-3.2.9/html/smtpd.8.html ./html/smtpd.8.html
--- /var/tmp/postfix-3.2.9/html/smtpd.8.html 2018-11-17 18:27:45.000000000 -0500
+++ ./html/smtpd.8.html 2019-06-29 19:07:02.000000000 -0400
@@ -571,6 +571,12 @@
The prioritized list of elliptic curves supported by the Postfix
SMTP client and server.
+ Introduced with Postfix 3.4.6, 3.3.5, 3.2.10, and 3.1.13:
+
+ tls_fast_shutdown_enable (yes)
+ A workaround for implementations that hang Postfix while shuting
+ down a TLS session, until Postfix times out.
+
OBSOLETE STARTTLS CONTROLS
The following configuration parameters exist for compatibility with
Postfix versions before 2.3. Support for these will be removed in a
diff -ur --new-file /var/tmp/postfix-3.2.9/html/tlsproxy.8.html ./html/tlsproxy.8.html
--- /var/tmp/postfix-3.2.9/html/tlsproxy.8.html 2018-11-04 18:37:26.000000000 -0500
+++ ./html/tlsproxy.8.html 2019-06-29 19:08:18.000000000 -0400
@@ -159,6 +159,12 @@
tlsmgr_service_name (tlsmgr)
The name of the tlsmgr(8) service entry in master.cf.
+ Introduced with Postfix 3.4.6, 3.3.5, 3.2.10, and 3.1.13:
+
+ tls_fast_shutdown_enable (yes)
+ A workaround for implementations that hang Postfix while shuting
+ down a TLS session, until Postfix times out.
+
OBSOLETE STARTTLS SUPPORT CONTROLS
These parameters are supported for compatibility with smtpd(8) legacy
parameters.
diff -ur --new-file /var/tmp/postfix-3.2.9/man/man5/postconf.5 ./man/man5/postconf.5
--- /var/tmp/postfix-3.2.9/man/man5/postconf.5 2018-11-10 19:32:21.000000000 -0500
+++ ./man/man5/postconf.5 2019-06-29 09:34:06.000000000 -0400
@@ -12274,6 +12274,15 @@
encouraged to not change this setting.
.PP
This feature is available in Postfix 2.3 and later.
+.SH tls_fast_shutdown_enable (default: yes)
+A workaround for implementations that hang Postfix while shuting
+down a TLS session, until Postfix times out. With this enabled,
+Postfix will not wait for the remote TLS peer to respond to a TLS
+'close' notification. This behavior is recommended for TLSv1.0 and
+later.
+.PP
+This feature was introduced with Postfix 3.4.6, 3.3.5, 3.2.10,
+and 3.1.13.
.SH tls_high_cipherlist (default: see "postconf \-d" output)
The OpenSSL cipherlist for "high" grade ciphers. This defines
the meaning of the "high" setting in smtpd_tls_ciphers,
diff -ur --new-file /var/tmp/postfix-3.2.9/man/man8/smtp.8 ./man/man8/smtp.8
--- /var/tmp/postfix-3.2.9/man/man8/smtp.8 2016-12-04 15:55:06.000000000 -0500
+++ ./man/man8/smtp.8 2019-06-29 09:34:06.000000000 -0400
@@ -502,6 +502,11 @@
The TLS policy for MX hosts with "secure" TLSA records when the
nexthop destination security level is \fBdane\fR, but the MX
record was found via an "insecure" MX lookup.
+.PP
+Introduced with Postfix 3.4.6, 3.3.5, 3.2.10, and 3.1.13:
+.IP "\fBtls_fast_shutdown_enable (yes)\fR"
+A workaround for implementations that hang Postfix while shuting
+down a TLS session, until Postfix times out.
.SH "OBSOLETE STARTTLS CONTROLS"
.na
.nf
diff -ur --new-file /var/tmp/postfix-3.2.9/man/man8/smtpd.8 ./man/man8/smtpd.8
--- /var/tmp/postfix-3.2.9/man/man8/smtpd.8 2018-11-17 18:27:45.000000000 -0500
+++ ./man/man8/smtpd.8 2019-06-29 09:34:06.000000000 -0400
@@ -512,6 +512,11 @@
.IP "\fBtls_eecdh_auto_curves (see 'postconf -d' output)\fR"
The prioritized list of elliptic curves supported by the Postfix
SMTP client and server.
+.PP
+Introduced with Postfix 3.4.6, 3.3.5, 3.2.10, and 3.1.13:
+.IP "\fBtls_fast_shutdown_enable (yes)\fR"
+A workaround for implementations that hang Postfix while shuting
+down a TLS session, until Postfix times out.
.SH "OBSOLETE STARTTLS CONTROLS"
.na
.nf
diff -ur --new-file /var/tmp/postfix-3.2.9/man/man8/tlsproxy.8 ./man/man8/tlsproxy.8
--- /var/tmp/postfix-3.2.9/man/man8/tlsproxy.8 2018-11-04 18:37:26.000000000 -0500
+++ ./man/man8/tlsproxy.8 2019-06-29 09:34:06.000000000 -0400
@@ -152,6 +152,11 @@
Available in Postfix version 2.11 and later:
.IP "\fBtlsmgr_service_name (tlsmgr)\fR"
The name of the \fBtlsmgr\fR(8) service entry in master.cf.
+.PP
+Introduced with Postfix 3.4.6, 3.3.5, 3.2.10, and 3.1.13:
+.IP "\fBtls_fast_shutdown_enable (yes)\fR"
+A workaround for implementations that hang Postfix while shuting
+down a TLS session, until Postfix times out.
.SH "OBSOLETE STARTTLS SUPPORT CONTROLS"
.na
.nf
diff -ur --new-file /var/tmp/postfix-3.2.9/mantools/postlink ./mantools/postlink
--- /var/tmp/postfix-3.2.9/mantools/postlink 2016-12-17 18:22:04.000000000 -0500
+++ ./mantools/postlink 2019-06-25 17:14:41.000000000 -0400
@@ -750,6 +750,7 @@
s;\btls_wildcard_matches_multiple_labels\b;$&;g;
s;\btls_session_ticket_cipher\b;$&;g;
s;\btls_ssl_options\b;$&;g;
+ s;\btls_fast_shutdown_enable\b;$&;g;
s;\bfrozen_delivered_to\b;$&;g;
s;\breset_owner_alias\b;$&;g;
diff -ur --new-file /var/tmp/postfix-3.2.9/proto/postconf.proto ./proto/postconf.proto
--- /var/tmp/postfix-3.2.9/proto/postconf.proto 2018-11-10 19:31:54.000000000 -0500
+++ ./proto/postconf.proto 2019-06-28 17:20:43.000000000 -0400
@@ -16086,6 +16086,17 @@
This feature is available in Postfix 3.0 and later.
+%PARAM tls_fast_shutdown_enable yes
+
+ A workaround for implementations that hang Postfix while shuting
+down a TLS session, until Postfix times out. With this enabled,
+Postfix will not wait for the remote TLS peer to respond to a TLS
+'close' notification. This behavior is recommended for TLSv1.0 and
+later.
+
+ This feature was introduced with Postfix 3.4.6, 3.3.5, 3.2.10,
+and 3.1.13.
+
%PARAM default_delivery_status_filter
Optional filter to replace the delivery status code or explanatory
diff -ur --new-file /var/tmp/postfix-3.2.9/src/global/mail_params.h ./src/global/mail_params.h
--- /var/tmp/postfix-3.2.9/src/global/mail_params.h 2018-02-18 08:35:45.000000000 -0500
+++ ./src/global/mail_params.h 2019-06-27 19:35:46.000000000 -0400
@@ -3308,6 +3308,13 @@
extern bool var_tls_dane_taa_dgst;
/*
+ * The default is backwards-incompatible.
+ */
+#define VAR_TLS_FAST_SHUTDOWN "tls_fast_shutdown"
+#define DEF_TLS_FAST_SHUTDOWN 1
+extern bool var_tls_fast_shutdown;
+
+ /*
* Sendmail-style mail filter support.
*/
#define VAR_SMTPD_MILTERS "smtpd_milters"
diff -ur --new-file /var/tmp/postfix-3.2.9/src/smtp/smtp.c ./src/smtp/smtp.c
--- /var/tmp/postfix-3.2.9/src/smtp/smtp.c 2016-12-04 14:50:52.000000000 -0500
+++ ./src/smtp/smtp.c 2019-06-29 09:34:06.000000000 -0400
@@ -472,6 +472,11 @@
/* The TLS policy for MX hosts with "secure" TLSA records when the
/* nexthop destination security level is \fBdane\fR, but the MX
/* record was found via an "insecure" MX lookup.
+/* .PP
+/* Introduced with Postfix 3.4.6, 3.3.5, 3.2.10, and 3.1.13:
+/* .IP "\fBtls_fast_shutdown_enable (yes)\fR"
+/* A workaround for implementations that hang Postfix while shuting
+/* down a TLS session, until Postfix times out.
/* OBSOLETE STARTTLS CONTROLS
/* .ad
/* .fi
diff -ur --new-file /var/tmp/postfix-3.2.9/src/smtpd/smtpd.c ./src/smtpd/smtpd.c
--- /var/tmp/postfix-3.2.9/src/smtpd/smtpd.c 2018-11-17 17:54:43.000000000 -0500
+++ ./src/smtpd/smtpd.c 2019-06-29 09:34:06.000000000 -0400
@@ -478,6 +478,11 @@
/* .IP "\fBtls_eecdh_auto_curves (see 'postconf -d' output)\fR"
/* The prioritized list of elliptic curves supported by the Postfix
/* SMTP client and server.
+/* .PP
+/* Introduced with Postfix 3.4.6, 3.3.5, 3.2.10, and 3.1.13:
+/* .IP "\fBtls_fast_shutdown_enable (yes)\fR"
+/* A workaround for implementations that hang Postfix while shuting
+/* down a TLS session, until Postfix times out.
/* OBSOLETE STARTTLS CONTROLS
/* .ad
/* .fi
@@ -3485,6 +3490,12 @@
if (vstream_ferror(state->cleanup))
state->err = CLEANUP_STAT_WRITE;
}
+
+#define IS_SMTP_REJECT(s) \
+ (((s)[0] == '4' || (s)[0] == '5') \
+ && ISDIGIT((s)[1]) && ISDIGIT((s)[2]) \
+ && ((s)[3] == '\0' || (s)[3] == ' ' || (s)[3] == '-'))
+
if (state->err == CLEANUP_STAT_OK)
if (rec_fputs(state->cleanup, REC_TYPE_END, "") < 0
|| vstream_fflush(state->cleanup))
@@ -3492,7 +3503,10 @@
if (state->err == 0) {
why = vstring_alloc(10);
state->err = mail_stream_finish(state->dest, why);
- printable(STR(why), ' ');
+ if (IS_SMTP_REJECT(STR(why)))
+ printable_except(STR(why), ' ', "\r\n");
+ else
+ printable(STR(why), ' ');
} else
mail_stream_cleanup(state->dest);
state->dest = 0;
@@ -3527,11 +3541,6 @@
*
* See also: qmqpd.c
*/
-#define IS_SMTP_REJECT(s) \
- (((s)[0] == '4' || (s)[0] == '5') \
- && ISDIGIT((s)[1]) && ISDIGIT((s)[2]) \
- && ((s)[3] == '\0' || (s)[3] == ' ' || (s)[3] == '-'))
-
if (state->err == CLEANUP_STAT_OK) {
state->error_count = 0;
state->error_mask = 0;
@@ -4993,15 +5002,6 @@
case 0:
/*
- * Reset the per-command counters.
- */
- for (cmdp = smtpd_cmd_table; /* see below */ ; cmdp++) {
- cmdp->success_count = cmdp->total_count = 0;
- if (cmdp->name == 0)
- break;
- }
-
- /*
* In TLS wrapper mode, turn on TLS using code that is shared with
* the STARTTLS command. This code does not return when the handshake
* fails.
@@ -5392,6 +5392,15 @@
}
/*
+ * Reset the per-command counters.
+ */
+ for (cmdp = smtpd_cmd_table; /* see below */ ; cmdp++) {
+ cmdp->success_count = cmdp->total_count = 0;
+ if (cmdp->name == 0)
+ break;
+ }
+
+ /*
* Log total numbers, so that logfile analyzers will see something even
* if the above loop produced no output. When no commands were received
* log "0/0" to simplify the identification of abnormal sessions: any
diff -ur --new-file /var/tmp/postfix-3.2.9/src/tls/Makefile.in ./src/tls/Makefile.in
--- /var/tmp/postfix-3.2.9/src/tls/Makefile.in 2017-02-05 18:36:29.000000000 -0500
+++ ./src/tls/Makefile.in 2019-06-25 17:14:41.000000000 -0400
@@ -431,6 +431,7 @@
tls_session.o: ../../include/argv.h
tls_session.o: ../../include/check_arg.h
tls_session.o: ../../include/dns.h
+tls_session.o: ../../include/mail_params.h
tls_session.o: ../../include/msg.h
tls_session.o: ../../include/myaddrinfo.h
tls_session.o: ../../include/mymalloc.h
diff -ur --new-file /var/tmp/postfix-3.2.9/src/tls/tls_misc.c ./src/tls/tls_misc.c
--- /var/tmp/postfix-3.2.9/src/tls/tls_misc.c 2018-11-17 17:54:43.000000000 -0500
+++ ./src/tls/tls_misc.c 2019-06-25 17:14:41.000000000 -0400
@@ -45,6 +45,7 @@
/* char *var_tls_mgr_service;
/* char *var_tls_tkt_cipher;
/* char *var_openssl_path;
+/* bool var_tls_fast_shutdown;
/*
/* TLS_APPL_STATE *tls_alloc_app_context(ssl_ctx, log_mask)
/* SSL_CTX *ssl_ctx;
@@ -285,6 +286,7 @@
char *var_tls_mgr_service;
char *var_tls_tkt_cipher;
char *var_openssl_path;
+bool var_tls_fast_shutdown;
#ifdef VAR_TLS_PREEMPT_CLIST
bool var_tls_preempt_clist;
@@ -739,6 +741,7 @@
VAR_TLS_DANE_TAA_DGST, DEF_TLS_DANE_TAA_DGST, &var_tls_dane_taa_dgst,
VAR_TLS_PREEMPT_CLIST, DEF_TLS_PREEMPT_CLIST, &var_tls_preempt_clist,
VAR_TLS_MULTI_WILDCARD, DEF_TLS_MULTI_WILDCARD, &var_tls_multi_wildcard,
+ VAR_TLS_FAST_SHUTDOWN, DEF_TLS_FAST_SHUTDOWN, &var_tls_fast_shutdown,
0,
};
static int init_done;
diff -ur --new-file /var/tmp/postfix-3.2.9/src/tls/tls_session.c ./src/tls/tls_session.c
--- /var/tmp/postfix-3.2.9/src/tls/tls_session.c 2008-01-07 20:21:49.000000000 -0500
+++ ./src/tls/tls_session.c 2019-06-25 17:14:41.000000000 -0400
@@ -66,6 +66,10 @@
#include
#include
+/* Global library. */
+
+#include
+
/* TLS library. */
#define TLS_INTERNAL
@@ -90,6 +94,18 @@
msg_panic("%s: stream has no active TLS context", myname);
/*
+ * According to RFC 2246 (TLS 1.0), there is no requirement to wait for
+ * the peer's close-notify. If the application protocol provides
+ * sufficient session termination signaling, then there's no need to
+ * duplicate that at the TLS close-notify layer.
+ *
+ * https://tools.ietf.org/html/rfc2246#section-7.2.1
+ * https://tools.ietf.org/html/rfc4346#section-7.2.1
+ * https://tools.ietf.org/html/rfc5246#section-7.2.1
+ *
+ * Specify 'tls_fast_shutdown = no' to enable the historical behavior
+ * described below.
+ *
* Perform SSL_shutdown() twice, as the first attempt will send out the
* shutdown alert but it will not wait for the peer's shutdown alert.
* Therefore, when we are the first party to send the alert, we must call
@@ -99,7 +115,7 @@
*/
if (!failure) {
retval = tls_bio_shutdown(vstream_fileno(stream), timeout, TLScontext);
- if (retval == 0)
+ if (!var_tls_fast_shutdown && retval == 0)
tls_bio_shutdown(vstream_fileno(stream), timeout, TLScontext);
}
tls_free_context(TLScontext);
diff -ur --new-file /var/tmp/postfix-3.2.9/src/tlsproxy/tlsproxy.c ./src/tlsproxy/tlsproxy.c
--- /var/tmp/postfix-3.2.9/src/tlsproxy/tlsproxy.c 2018-05-19 09:07:28.000000000 -0400
+++ ./src/tlsproxy/tlsproxy.c 2019-06-29 09:34:06.000000000 -0400
@@ -136,6 +136,11 @@
/* Available in Postfix version 2.11 and later:
/* .IP "\fBtlsmgr_service_name (tlsmgr)\fR"
/* The name of the \fBtlsmgr\fR(8) service entry in master.cf.
+/* .PP
+/* Introduced with Postfix 3.4.6, 3.3.5, 3.2.10, and 3.1.13:
+/* .IP "\fBtls_fast_shutdown_enable (yes)\fR"
+/* A workaround for implementations that hang Postfix while shuting
+/* down a TLS session, until Postfix times out.
/* OBSOLETE STARTTLS SUPPORT CONTROLS
/* .ad
/* .fi
diff -ur --new-file /var/tmp/postfix-3.2.9/src/util/printable.c ./src/util/printable.c
--- /var/tmp/postfix-3.2.9/src/util/printable.c 2015-01-13 19:19:23.000000000 -0500
+++ ./src/util/printable.c 2019-04-10 17:30:23.000000000 -0400
@@ -11,6 +11,11 @@
/* char *printable(buffer, replacement)
/* char *buffer;
/* int replacement;
+/*
+/* char *printable_except(buffer, replacement, except)
+/* char *buffer;
+/* int replacement;
+/* const char *except;
/* DESCRIPTION
/* printable() replaces non-printable characters
/* in its input with the given replacement.
@@ -24,6 +29,8 @@
/* .IP replacement
/* Replacement value for characters in \fIbuffer\fR that do not
/* pass the ASCII isprint(3) test or that are not valid UTF8.
+/* .IP except
+/* Null-terminated sequence of non-replaced ASCII characters.
/* LICENSE
/* .ad
/* .fi
@@ -33,12 +40,18 @@
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
/* System library. */
#include "sys_defs.h"
#include
+#include
/* Utility library. */
@@ -46,8 +59,21 @@
int util_utf8_enable = 0;
+/* printable - binary compatibility */
+
+#undef printable
+
+char *printable(char *, int);
+
char *printable(char *string, int replacement)
{
+ return (printable_except(string, replacement, (char *) 0));
+}
+
+/* printable_except - pass through printable or other preserved characters */
+
+char *printable_except(char *string, int replacement, const char *except)
+{
unsigned char *cp;
int ch;
@@ -57,7 +83,7 @@
*/
cp = (unsigned char *) string;
while ((ch = *cp) != 0) {
- if (ISASCII(ch) && ISPRINT(ch)) {
+ if (ISASCII(ch) && (ISPRINT(ch) || (except && strchr(except, ch)))) {
/* ok */
} else if (util_utf8_enable && ch >= 194 && ch <= 254
&& cp[1] >= 128 && cp[1] < 192) {
diff -ur --new-file /var/tmp/postfix-3.2.9/src/util/stringops.h ./src/util/stringops.h
--- /var/tmp/postfix-3.2.9/src/util/stringops.h 2017-01-04 19:43:25.000000000 -0500
+++ ./src/util/stringops.h 2019-04-10 17:23:22.000000000 -0400
@@ -20,7 +20,7 @@
* External interface.
*/
extern int util_utf8_enable;
-extern char *printable(char *, int);
+extern char *printable_except(char *, int, const char *);
extern char *neuter(char *, const char *, int);
extern char *lowercase(char *);
extern char *casefoldx(int, VSTRING *, const char *, ssize_t);
@@ -32,6 +32,9 @@
extern char *mystrtokq(char **, const char *, const char *);
extern char *translit(char *, const char *, const char *);
+#define printable(string, replacement) \
+ printable_except((string), (replacement), (char *) 0)
+
#ifndef HAVE_BASENAME
#define basename postfix_basename
extern char *basename(const char *);
@@ -86,6 +89,11 @@
/* IBM T.J. Watson Research
/* P.O. Box 704
/* Yorktown Heights, NY 10598, USA
+/*
+/* Wietse Venema
+/* Google, Inc.
+/* 111 8th Avenue
+/* New York, NY 10011, USA
/*--*/
#endif