
Bug#941168: marked as done (buster-pu: package postfix/3.4.5-1)



Your message dated Sat, 16 Nov 2019 10:08:47 +0000
with message-id <83c9ffab6f08361485f70dda4733a7a24aeec09b.camel@adam-barratt.org.uk>
and subject line Closing bugs for 10.2 point release fixes
has caused the Debian Bug report #941168,
regarding buster-pu: package postfix/3.4.5-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
941168: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941168
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

As we've been doing, I'd like to update postfix to the current update in
the 3.4 branch (3.4.7-0+deb10u1).  I've been running 3.4.6 for some time
locally without issue (ran out of tuits to upload to Debian, so we're
going straight to 3.4.7).  I have 3.4.7 running on multiple machines and
there have been no upstream reports of issues.

Please see the attached debdiff for details.

Scott K
diff -Nru postfix-3.4.5/conf/main.cf postfix-3.4.7/conf/main.cf
--- postfix-3.4.5/conf/main.cf	2017-02-18 20:58:20.000000000 -0500
+++ postfix-3.4.7/conf/main.cf	2019-06-02 08:40:36.000000000 -0400
@@ -249,7 +249,7 @@
 #
 # By default (mynetworks_style = subnet), Postfix "trusts" SMTP
 # clients in the same IP subnetworks as the local machine.
-# On Linux, this does works correctly only with interfaces specified
+# On Linux, this works correctly only with interfaces specified
 # with the "ifconfig" command.
 # 
 # Specify "mynetworks_style = class" when Postfix should "trust" SMTP
diff -Nru postfix-3.4.5/debian/changelog postfix-3.4.7/debian/changelog
--- postfix-3.4.5/debian/changelog	2019-04-01 13:27:26.000000000 -0400
+++ postfix-3.4.7/debian/changelog	2019-09-22 22:36:25.000000000 -0400
@@ -1,3 +1,68 @@
+postfix (3.4.7-0+deb10u1) UNRELEASED; urgency=medium
+
+  [Wietse Venema]
+
+  * 3.4.6
+    - Documentation: tlsext_padding is not a tls_ssl_options
+      feature. File: proto/postconf.proto.
+    - Portability: added "#undef sun" to util/unix_dgram_connect.c
+      (documented for completeness - no impact on Debian)
+    - Bugfix (introduced: Postfix 2.3): a censoring filter broke
+      multiline Milter responses for header/body events. Problem
+      report by Andreas Thienemann. Files: util/printable.c,
+      util/stringops.h, smtpd/smtpd.c
+    - Bugfix (introduced: Postfix 3.3): "smtp_mx_address_limit =
+      0" no longer meant 'unlimited'. Problem report by Luc Pardon.
+      File: smtp/smtp_addr.c.
+    - Documentation: updated the BUGS section in the smtp(8) manpage
+      about TLS connection reuse. File: smtp/smtp.c.
+    - Workaround for implementations that hang Postfix while
+      shutting down a TLS session, until Postfix times out. With
+      "tls_fast_shutdown_enable = yes" (the default), Postfix no
+      longer waits for the TLS peer to respond to a TLS 'close'
+      request. This is recommended with TLSv1.0 and later. Files:
+      global/mail_params.h, tls/tls_session.c, and documentation.
+    - Bugfix (introduced: Postfix 3.0): the code to reset Postfix
+      SMTP server command counts was not called after a HaProxy
+      handshake failure, causing stale numbers to be reported.
+      The command counts are now reset in the function that reports
+      the counts. File: smtpd/smtpd.c.
+  * 3.4.7
+    - Bugfix: the documentation said tls_fast_shutdown_enable,
+      but the code said tls_fast_shutdown. Viktor Dukhovni. Changed
+      the code because no-one is expected to override the default.
+      File: global/mail_params.h.
+    - Workaround for poor TCP loopback performance on LINUX, where
+      getsockopt(..., TCP_MAXSEG, ..) reports a TCP maximal segment
+      size that is 1/2 to 1/3 of the MTU. For example, with kernel
+      5.1.16-300.fc30.x86_64 the TCP client and server announce
+      an mss of 65495 in the TCP handshake, but getsockopt()
+      returns 32741 (less than half). As a matter of principle,
+      Postfix won't turn on client-side TCP_NODELAY because that
+      hides application performance bugs, and because that still
+      suffers from server-side delayed ACKs. Instead, Postfix
+      avoids sending "small" writes back-to-back, by choosing a
+      VSTREAM buffer size that is a multiple of the reported MSS.
+      This workaround bumps the multiplier from 2x to 4x. File:
+      util/vstream_tweak.c.
+    - Bugfix (introduced: 20051222): the Dovecot client could
+      segfault (null pointer read) or cause an SMTP server assertion
+      to fail when talking to a fake Dovecot server. The client
+      now logs a proper error instead. Problem reported by Tim
+      Düsterhus. File: xsasl/xsasl_dovecot_server.c.
+    - Bugfix (introduced: Postfix 3.4): don't whitewash OpenSSL
+      error results after a plaintext output error. The code could
+      loop, and with some OpenSSL error results could flood the
+      log with error messages (see below for a specific case).
+      Problem reported by Andreas Schulze. File: tlsproxy/tlsproxy.c.
+    - Bitrot: don't invoke SSL_shutdown() when the SSL engine
+      thinks it is processing a TLS handshake. The commit at
+      https://github.com/openssl/openssl/commit/64193c8218540499984cd63cda41f3cd491f3f59
+      changed the error status, incompatibly, from SSL_ERROR_NONE
+      into SSL_ERROR_SSL. File: tlsproxy/tlsproxxy.c.
+
+ -- Scott Kitterman <scott@kitterman.com>  Sun, 22 Sep 2019 22:36:25 -0400
+
 postfix (3.4.5-1) unstable; urgency=medium
 
   [Wietse Venema]
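Review bot: the distribution field in the new entry's first line is `UNRELEASED`; a buster-pu upload needs `buster` there before it reaches the archive. The last 3.4.7 bullet also carries the upstream typo `tlsproxy/tlsproxxy.c` (the file is tlsproxy/tlsproxy.c, as the bullet immediately above it spells it). Since the new tls_fast_shutdown_enable default changes how every TLS session is closed on a stable release, a one-line Debian-side remark pointing at the RELEASE_NOTES workaround section would help buster administrators notice the behaviour change.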
diff -Nru postfix-3.4.5/HISTORY postfix-3.4.7/HISTORY
--- postfix-3.4.5/HISTORY	2019-03-30 10:33:58.000000000 -0400
+++ postfix-3.4.7/HISTORY	2019-09-21 11:57:46.000000000 -0400
@@ -24208,3 +24208,88 @@
 	could exhaust LMTP server resources, resulting in two-second
 	pauses between email deliveries. This problem was investigated
 	by Juliana Rodrigueiro. File: smtp/smtp_connect.c.
+
+20190331
+
+	Documentation: tlsext_padding is not a tls_ssl_options
+	feature. File: proto/postconf.proto.
+
+20190401
+
+	Portability: added "#undef sun" to util/unix_dgram_connect.c.
+
+20190403
+
+	Bugfix (introduced: Postfix 2.3): a censoring filter broke
+	multiline Milter responses for header/body events. Problem
+	report by Andreas Thienemann. Files: util/printable.c,
+	util/stringops.h, smtpd/smtpd.c
+
+	Bugfix (introduced: Postfix 3.3): "smtp_mx_address_limit =
+	0" no longer meant 'unlimited'. Problem report by Luc Pardon.
+	File: smtp/smtp_addr.c.
+
+20190615
+
+	Documentation: updated the BUGS section in the smtp(8) manpage
+	about TLS connection reuse. File: smtp/smtp.c.
+
+	Workaround for implementations that hang Postfix while
+	shutting down a TLS session, until Postfix times out. With
+	"tls_fast_shutdown_enable = yes" (the default), Postfix no
+	longer waits for the TLS peer to respond to a TLS 'close'
+	request. This is recommended with TLSv1.0 and later. Files:
+	global/mail_params.h, tls/tls_session.c, and documentation.
+
+20190621
+
+	Bugfix (introduced: Postfix 3.0): the code to reset Postfix
+	SMTP server command counts was not called after a HaProxy
+	handshake failure, causing stale numbers to be reported.
+	The command counts are now reset in the function that reports
+	the counts. File: smtpd/smtpd.c.
+
+20190723
+
+	Bugfix: the documentation said tls_fast_shutdown_enable,
+	but the code said tls_fast_shutdown. Viktor Dukhovni. Changed
+	the code because no-one is expected to override the default.
+	File: global/mail_params.h.
+
+20190820
+
+	Workaround for poor TCP loopback performance on LINUX, where
+	getsockopt(..., TCP_MAXSEG, ..) reports a TCP maximal segment
+	size that is 1/2 to 1/3 of the MTU. For example, with kernel
+	5.1.16-300.fc30.x86_64 the TCP client and server announce
+	an mss of 65495 in the TCP handshake, but getsockopt()
+	returns 32741 (less than half). As a matter of principle,
+	Postfix won't turn on client-side TCP_NODELAY because that
+	hides application performance bugs, and because that still
+	suffers from server-side delayed ACKs. Instead, Postfix
+	avoids sending "small" writes back-to-back, by choosing a
+	VSTREAM buffer size that is a multiple of the reported MSS.
+	This workaround bumps the multiplier from 2x to 4x. File:
+	util/vstream_tweak.c.
+
+20190825
+
+	Bugfix (introduced: 20051222): the Dovecot client could
+	segfault (null pointer read) or cause an SMTP server assertion
+	to fail when talking to a fake Dovecot server. The client
+	now logs a proper error instead. Problem reported by Tim
+	Düsterhus. File: xsasl/xsasl_dovecot_server.c.
+
+20190914
+
+	Bugfix (introduced: Postfix 3.4): don't whitewash OpenSSL
+	error results after a plaintext output error. The code could
+	loop, and with some OpenSSL error results could flood the
+	log with error messages (see below for a specific case).
+	Problem reported by Andreas Schulze. File: tlsproxy/tlsproxy.c.
+
+	Bitrot: don't invoke SSL_shutdown() when the SSL engine
+	thinks it is processing a TLS handshake. The commit at
+	https://github.com/openssl/openssl/commit/64193c8218540499984cd63cda41f3cd491f3f59
+	changed the error status, incompatibly, from SSL_ERROR_NONE
+	into SSL_ERROR_SSL. File: tlsproxy/tlsproxxy.c.
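Review bot: `tlsproxy/tlsproxxy.c` on the last line of the 20190914 entry is a typo for tlsproxy/tlsproxy.c, which the preceding paragraph of the same entry spells correctly. This is upstream text, so it only matters if the package carries a documentation patch, but note that it is copied verbatim into debian/changelog.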
diff -Nru postfix-3.4.5/html/lmtp.8.html postfix-3.4.7/html/lmtp.8.html
--- postfix-3.4.5/html/lmtp.8.html	2019-02-10 12:18:26.000000000 -0500
+++ postfix-3.4.7/html/lmtp.8.html	2019-06-29 19:30:31.000000000 -0400
@@ -120,9 +120,8 @@
        ter is notified of bounces, protocol problems, and of other trouble.
 
 <b>BUGS</b>
-       SMTP  and LMTP connection caching does not work with TLS. The necessary
-       support for TLS object passivation and  re-activation  does  not  exist
-       without closing the session, which defeats the purpose.
+       SMTP  and  LMTP  connection  reuse for TLS (without closing the SMTP or
+       LMTP connection) is not supported before Postfix 3.4.
 
        SMTP  and  LMTP  connection  caching  assumes that SASL credentials are
        valid for all destinations that map onto the same IP  address  and  TCP
@@ -595,6 +594,12 @@
               Optional  name  to  send  to  the  remote SMTP server in the TLS
               Server Name Indication (SNI) extension.
 
+       Introduced with Postfix 3.4.6, 3.3.5, 3.2.10, and 3.1.13:
+
+       <b><a href="postconf.5.html#tls_fast_shutdown_enable">tls_fast_shutdown_enable</a> (yes)</b>
+              A workaround for implementations that hang Postfix while shuting
+              down a TLS session, until Postfix times out.
+
 <b>OBSOLETE STARTTLS CONTROLS</b>
        The following configuration parameters  exist  for  compatibility  with
        Postfix  versions  before  2.3.  Support for these will be removed in a
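Review bot: `shuting` in the tls_fast_shutdown_enable summary is a typo for `shutting`. This file is generated from proto/postconf.proto, where the same typo appears, so fix it there and regenerate the pages rather than patching the output; the identical text recurs in smtp.8.html, smtpd.8.html, tlsproxy.8.html, postconf.5.html and the man8 pages in this debdiff.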
diff -Nru postfix-3.4.5/html/postconf.5.html postfix-3.4.7/html/postconf.5.html
--- postfix-3.4.5/html/postconf.5.html	2019-03-24 18:59:02.000000000 -0400
+++ postfix-3.4.7/html/postconf.5.html	2019-06-29 09:33:39.000000000 -0400
@@ -18531,6 +18531,21 @@
 
 </DD>
 
+<DT><b><a name="tls_fast_shutdown_enable">tls_fast_shutdown_enable</a>
+(default: yes)</b></DT><DD>
+
+<p> A workaround for implementations that hang Postfix while shuting
+down a TLS session, until Postfix times out. With this enabled,
+Postfix will not wait for the remote TLS peer to respond to a TLS
+'close' notification. This behavior is recommended for TLSv1.0 and
+later. </p>
+
+<p> This feature was introduced with Postfix 3.4.6, 3.3.5, 3.2.10,
+and 3.1.13. </p>
+
+
+</DD>
+
 <DT><b><a name="tls_high_cipherlist">tls_high_cipherlist</a>
 (default: see "postconf -d" output)</b></DT><DD>
 
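Review bot: the description says fast shutdown is recommended for TLSv1.0 and later but not why skipping the peer's close-notify is acceptable; the tls_session.c hunk in this same debdiff gives the reason (RFC 2246 section 7.2.1 imposes no requirement to wait for the peer's close-notify when the application protocol signals session end itself). A sentence to that effect here would tell administrators that end-of-session detection now rests on SMTP's own signaling rather than on the TLS close-notify exchange, which is the trade-off they are accepting with the default. Also, the two consecutive blank lines before `</DD>` differ from the single blank line used by the neighbouring entries.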
@@ -18890,9 +18905,6 @@
 
 <dt><b>PRIORITIZE_CHACHA</b></dt> <dd>Postfix &ge; 3.4. See SSL_CTX_set_options(3).</dd>
 
-<dt><b>TLSEXT_PADDING</b></dt> <dd>Postfix &ge; 3.4. See
-SSL_CTX_set_options(3).</dd>
-
 </dl>
 
 <p> This feature is available in Postfix 2.11 and later.  </p>
diff -Nru postfix-3.4.5/html/smtp.8.html postfix-3.4.7/html/smtp.8.html
--- postfix-3.4.5/html/smtp.8.html	2019-02-10 12:18:26.000000000 -0500
+++ postfix-3.4.7/html/smtp.8.html	2019-06-29 19:30:31.000000000 -0400
@@ -120,9 +120,8 @@
        ter is notified of bounces, protocol problems, and of other trouble.
 
 <b>BUGS</b>
-       SMTP  and LMTP connection caching does not work with TLS. The necessary
-       support for TLS object passivation and  re-activation  does  not  exist
-       without closing the session, which defeats the purpose.
+       SMTP  and  LMTP  connection  reuse for TLS (without closing the SMTP or
+       LMTP connection) is not supported before Postfix 3.4.
 
        SMTP  and  LMTP  connection  caching  assumes that SASL credentials are
        valid for all destinations that map onto the same IP  address  and  TCP
@@ -595,6 +594,12 @@
               Optional  name  to  send  to  the  remote SMTP server in the TLS
               Server Name Indication (SNI) extension.
 
+       Introduced with Postfix 3.4.6, 3.3.5, 3.2.10, and 3.1.13:
+
+       <b><a href="postconf.5.html#tls_fast_shutdown_enable">tls_fast_shutdown_enable</a> (yes)</b>
+              A workaround for implementations that hang Postfix while shuting
+              down a TLS session, until Postfix times out.
+
 <b>OBSOLETE STARTTLS CONTROLS</b>
        The following configuration parameters  exist  for  compatibility  with
        Postfix  versions  before  2.3.  Support for these will be removed in a
diff -Nru postfix-3.4.5/html/smtpd.8.html postfix-3.4.7/html/smtpd.8.html
--- postfix-3.4.5/html/smtpd.8.html	2019-02-10 17:53:18.000000000 -0500
+++ postfix-3.4.7/html/smtpd.8.html	2019-06-29 19:22:10.000000000 -0400
@@ -589,6 +589,12 @@
               clients via the TLS Server Name Indication  (SNI)  extension  to
               the appropriate keys and certificate chains.
 
+       Introduced with Postfix 3.4.6, 3.3.5, 3.2.10, and 3.1.13:
+
+       <b><a href="postconf.5.html#tls_fast_shutdown_enable">tls_fast_shutdown_enable</a> (yes)</b>
+              A workaround for implementations that hang Postfix while shuting
+              down a TLS session, until Postfix times out.
+
 <b>OBSOLETE STARTTLS CONTROLS</b>
        The  following  configuration  parameters  exist for compatibility with
        Postfix versions before 2.3. Support for these will  be  removed  in  a
diff -Nru postfix-3.4.5/html/tlsproxy.8.html postfix-3.4.7/html/tlsproxy.8.html
--- postfix-3.4.5/html/tlsproxy.8.html	2019-02-21 19:27:46.000000000 -0500
+++ postfix-3.4.7/html/tlsproxy.8.html	2019-09-15 19:41:40.000000000 -0400
@@ -337,6 +337,12 @@
               usage  policy  by  next-hop destination and by remote TLS server
               hostname.
 
+       Introduced with Postfix 3.4.6, 3.3.5, 3.2.10, and 3.1.13:
+
+       <b><a href="postconf.5.html#tls_fast_shutdown_enable">tls_fast_shutdown_enable</a> (yes)</b>
+              A workaround for implementations that hang Postfix while shuting
+              down a TLS session, until Postfix times out.
+
 <b>OBSOLETE STARTTLS SUPPORT CONTROLS</b>
        These parameters are supported for compatibility with  <a href="smtpd.8.html"><b>smtpd</b>(8)</a>  legacy
        parameters.
diff -Nru postfix-3.4.5/man/man5/postconf.5 postfix-3.4.7/man/man5/postconf.5
--- postfix-3.4.5/man/man5/postconf.5	2019-03-24 18:59:03.000000000 -0400
+++ postfix-3.4.7/man/man5/postconf.5	2019-06-29 09:33:39.000000000 -0400
@@ -12930,6 +12930,15 @@
 encouraged to not change this setting.
 .PP
 This feature is available in Postfix 2.3 and later.
+.SH tls_fast_shutdown_enable (default: yes)
+A workaround for implementations that hang Postfix while shuting
+down a TLS session, until Postfix times out. With this enabled,
+Postfix will not wait for the remote TLS peer to respond to a TLS
+'close' notification. This behavior is recommended for TLSv1.0 and
+later.
+.PP
+This feature was introduced with Postfix 3.4.6, 3.3.5, 3.2.10,
+and 3.1.13.
 .SH tls_high_cipherlist (default: see "postconf \-d" output)
 The OpenSSL cipherlist for "high" grade ciphers. This defines
 the meaning of the "high" setting in smtpd_tls_ciphers,
@@ -13221,10 +13230,6 @@
 .IP "\fBPRIORITIZE_CHACHA\fR"
 Postfix >= 3.4. See SSL_CTX_\fBset_options\fR(3).
 .br
-.IP "\fBTLSEXT_PADDING\fR"
-Postfix >= 3.4. See
-SSL_CTX_\fBset_options\fR(3).
-.br
 .br
 .PP
 This feature is available in Postfix 2.11 and later.
diff -Nru postfix-3.4.5/man/man8/smtp.8 postfix-3.4.7/man/man8/smtp.8
--- postfix-3.4.5/man/man8/smtp.8	2019-02-10 12:18:26.000000000 -0500
+++ postfix-3.4.7/man/man8/smtp.8	2019-06-29 09:33:39.000000000 -0400
@@ -127,9 +127,8 @@
 .SH BUGS
 .ad
 .fi
-SMTP and LMTP connection caching does not work with TLS. The necessary
-support for TLS object passivation and re\-activation does not
-exist without closing the session, which defeats the purpose.
+SMTP and LMTP connection reuse for TLS (without closing the
+SMTP or LMTP connection) is not supported before Postfix 3.4.
 
 SMTP and LMTP connection caching assumes that SASL credentials
 are valid for all destinations that map onto the same IP
@@ -526,6 +525,11 @@
 .IP "\fBsmtp_tls_servername (empty)\fR"
 Optional name to send to the remote SMTP server in the TLS Server
 Name Indication (SNI) extension.
+.PP
+Introduced with Postfix 3.4.6, 3.3.5, 3.2.10, and 3.1.13:
+.IP "\fBtls_fast_shutdown_enable (yes)\fR"
+A workaround for implementations that hang Postfix while shuting
+down a TLS session, until Postfix times out.
 .SH "OBSOLETE STARTTLS CONTROLS"
 .na
 .nf
diff -Nru postfix-3.4.5/man/man8/smtpd.8 postfix-3.4.7/man/man8/smtpd.8
--- postfix-3.4.5/man/man8/smtpd.8	2019-02-10 17:53:17.000000000 -0500
+++ postfix-3.4.7/man/man8/smtpd.8	2019-06-29 09:33:39.000000000 -0400
@@ -527,6 +527,11 @@
 Optional lookup tables that map names received from remote SMTP
 clients via the TLS Server Name Indication (SNI) extension to the
 appropriate keys and certificate chains.
+.PP
+Introduced with Postfix 3.4.6, 3.3.5, 3.2.10, and 3.1.13:
+.IP "\fBtls_fast_shutdown_enable (yes)\fR"
+A workaround for implementations that hang Postfix while shuting
+down a TLS session, until Postfix times out.
 .SH "OBSOLETE STARTTLS CONTROLS"
 .na
 .nf
diff -Nru postfix-3.4.5/man/man8/tlsproxy.8 postfix-3.4.7/man/man8/tlsproxy.8
--- postfix-3.4.5/man/man8/tlsproxy.8	2019-02-21 19:27:45.000000000 -0500
+++ postfix-3.4.7/man/man8/tlsproxy.8	2019-09-15 19:16:38.000000000 -0400
@@ -302,6 +302,11 @@
 Optional lookup tables with the Postfix \fBtlsproxy\fR(8) client TLS
 usage policy by next\-hop destination and by remote TLS server
 hostname.
+.PP
+Introduced with Postfix 3.4.6, 3.3.5, 3.2.10, and 3.1.13:
+.IP "\fBtls_fast_shutdown_enable (yes)\fR"
+A workaround for implementations that hang Postfix while shuting
+down a TLS session, until Postfix times out.
 .SH "OBSOLETE STARTTLS SUPPORT CONTROLS"
 .na
 .nf
diff -Nru postfix-3.4.5/mantools/postlink postfix-3.4.7/mantools/postlink
--- postfix-3.4.5/mantools/postlink	2019-02-10 12:11:46.000000000 -0500
+++ postfix-3.4.7/mantools/postlink	2019-06-25 08:05:54.000000000 -0400
@@ -765,6 +765,7 @@
     s;\btls_ssl_options\b;<a href="postconf.5.html#tls_ssl_options">$&</a>;g;
     s;\btls_dane_digest_agility\b;<a href="postconf.5.html#tls_dane_digest_agility">$&</a>;g;
     s;\btls_dane_trust_anchor_digest_enable\b;<a href="postconf.5.html#tls_dane_trust_anchor_digest_enable">$&</a>;g;
+    s;\btls_fast_shutdown_enable\b;<a href="postconf.5.html#tls_fast_shutdown_enable">$&</a>;g;
 
     s;\bfrozen_delivered_to\b;<a href="postconf.5.html#frozen_delivered_to">$&</a>;g;
     s;\breset_owner_alias\b;<a href="postconf.5.html#reset_owner_alias">$&</a>;g;
diff -Nru postfix-3.4.5/proto/postconf.proto postfix-3.4.7/proto/postconf.proto
--- postfix-3.4.5/proto/postconf.proto	2019-03-21 12:41:06.000000000 -0400
+++ postfix-3.4.7/proto/postconf.proto	2019-06-28 17:19:58.000000000 -0400
@@ -16130,9 +16130,6 @@
 
 <dt><b>PRIORITIZE_CHACHA</b></dt> <dd>Postfix &ge; 3.4. See SSL_CTX_set_options(3).</dd>
 
-<dt><b>TLSEXT_PADDING</b></dt> <dd>Postfix &ge; 3.4. See
-SSL_CTX_set_options(3).</dd>
-
 </dl>
 
 <p> This feature is available in Postfix 2.11 and later.  </p>
@@ -16245,6 +16242,17 @@
 
 <p> This feature is available in Postfix 3.0 and later. </p>
 
+%PARAM tls_fast_shutdown_enable yes
+
+<p> A workaround for implementations that hang Postfix while shuting
+down a TLS session, until Postfix times out. With this enabled,
+Postfix will not wait for the remote TLS peer to respond to a TLS
+'close' notification. This behavior is recommended for TLSv1.0 and
+later. </p>
+
+<p> This feature was introduced with Postfix 3.4.6, 3.3.5, 3.2.10,
+and 3.1.13. </p>
+
 %PARAM default_delivery_status_filter
 
 <p> Optional filter to replace the delivery status code or explanatory
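Review bot: `shuting` in the first paragraph of the new `%PARAM tls_fast_shutdown_enable` block should be `shutting`; this is the source text for postconf(5) and the per-daemon man pages, so the typo propagates to every generated page in this debdiff. The block also omits the one piece of operational guidance the RELEASE_NOTES hunk gives, that `tls_fast_shutdown_enable = no` restores the historical behaviour; adding it here puts it where postconf(5) readers will look for it.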
diff -Nru postfix-3.4.5/README_FILES/RELEASE_NOTES postfix-3.4.7/README_FILES/RELEASE_NOTES
--- postfix-3.4.5/README_FILES/RELEASE_NOTES	2019-02-10 17:43:45.000000000 -0500
+++ postfix-3.4.7/README_FILES/RELEASE_NOTES	2019-06-27 19:19:08.000000000 -0400
@@ -16,6 +16,16 @@
 If you upgrade from Postfix 3.2 or earlier, read RELEASE_NOTES-3.3
 before proceeding.
 
+TLS Workaround for Postfix 3.4.6, 3.3.5, 3.2.10 and 3.1.13
+-----------------------------------------------------------
+
+This release introduces a workaround for implementations that hang
+Postfix while shutting down a TLS session, until Postfix times out.
+With "tls_fast_shutdown_enable = yes" (the default), Postfix no
+longer waits for a remote TLS peer to respond to a TLS 'close'
+request. This behavior is recommended with TLSv1.0 and later. Specify
+"tls_fast_shutdown_enable = no" to get historical Postfix behavior.
+
 License change
 ---------------
 
diff -Nru postfix-3.4.5/RELEASE_NOTES postfix-3.4.7/RELEASE_NOTES
--- postfix-3.4.5/RELEASE_NOTES	2019-02-10 17:43:45.000000000 -0500
+++ postfix-3.4.7/RELEASE_NOTES	2019-06-27 19:19:08.000000000 -0400
@@ -16,6 +16,16 @@
 If you upgrade from Postfix 3.2 or earlier, read RELEASE_NOTES-3.3
 before proceeding.
 
+TLS Workaround for Postfix 3.4.6, 3.3.5, 3.2.10 and 3.1.13
+-----------------------------------------------------------
+
+This release introduces a workaround for implementations that hang
+Postfix while shutting down a TLS session, until Postfix times out.
+With "tls_fast_shutdown_enable = yes" (the default), Postfix no
+longer waits for a remote TLS peer to respond to a TLS 'close'
+request. This behavior is recommended with TLSv1.0 and later. Specify
+"tls_fast_shutdown_enable = no" to get historical Postfix behavior.
+
 License change
 ---------------
 
diff -Nru postfix-3.4.5/src/global/mail_params.h postfix-3.4.7/src/global/mail_params.h
--- postfix-3.4.5/src/global/mail_params.h	2019-02-11 08:05:13.000000000 -0500
+++ postfix-3.4.7/src/global/mail_params.h	2019-07-23 18:46:37.000000000 -0400
@@ -3331,6 +3331,13 @@
 extern char *var_tls_dane_digests;
 
  /*
+  * The default is backwards-incompatible.
+  */
+#define VAR_TLS_FAST_SHUTDOWN	"tls_fast_shutdown_enable"
+#define DEF_TLS_FAST_SHUTDOWN	1
+extern bool var_tls_fast_shutdown;
+
+ /*
   * Sendmail-style mail filter support.
   */
 #define VAR_SMTPD_MILTERS		"smtpd_milters"
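Review bot: the comment `The default is backwards-incompatible.` does not say what changed; spell out that with DEF_TLS_FAST_SHUTDOWN set to 1 Postfix no longer waits for the peer's close-notify, so a reader of this header alone knows what setting the value to 0 restores. The macro name VAR_TLS_FAST_SHUTDOWN carrying the string `tls_fast_shutdown_enable` is the 3.4.7 fix described in the changelog, so the mismatch between macro name and parameter name is deliberate and deserves a comment saying so.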
diff -Nru postfix-3.4.5/src/global/mail_version.h postfix-3.4.7/src/global/mail_version.h
--- postfix-3.4.5/src/global/mail_version.h	2019-03-30 10:38:23.000000000 -0400
+++ postfix-3.4.7/src/global/mail_version.h	2019-09-21 12:24:58.000000000 -0400
@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20190330"
-#define MAIL_VERSION_NUMBER	"3.4.5"
+#define MAIL_RELEASE_DATE	"20190921"
+#define MAIL_VERSION_NUMBER	"3.4.7"
 
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE
diff -Nru postfix-3.4.5/src/smtp/smtp_addr.c postfix-3.4.7/src/smtp/smtp_addr.c
--- postfix-3.4.5/src/smtp/smtp_addr.c	2017-12-27 16:53:13.000000000 -0500
+++ postfix-3.4.7/src/smtp/smtp_addr.c	2019-04-03 18:03:38.000000000 -0400
@@ -623,7 +623,7 @@
 	    if (var_smtp_rand_addr)
 		addr_list = dns_rr_shuffle(addr_list);
 	    addr_list = dns_rr_sort(addr_list, SMTP_COMPARE_ADDR(misc_flags));
-	    if (var_smtp_balance_inet_proto)
+	    if (var_smtp_mxaddr_limit > 0 && var_smtp_balance_inet_proto)
 		addr_list = smtp_balance_inet_proto(addr_list, misc_flags,
 						    var_smtp_mxaddr_limit);
 	}
@@ -683,7 +683,7 @@
 	/* The following changes the order of equal-preference hosts. */
 	if (inet_proto_info()->ai_family_list[1] != 0)
 	    addr_list = dns_rr_sort(addr_list, SMTP_COMPARE_ADDR(misc_flags));
-	if (var_smtp_balance_inet_proto)
+	if (var_smtp_mxaddr_limit > 0 && var_smtp_balance_inet_proto)
 	    addr_list = smtp_balance_inet_proto(addr_list, misc_flags,
 						var_smtp_mxaddr_limit);
     }
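Review bot: the `var_smtp_mxaddr_limit > 0 &&` guard is now duplicated at both smtp_balance_inet_proto() call sites. Moving the zero-means-unlimited check inside smtp_balance_inet_proto() itself (return the list unchanged when the limit is 0) keeps the two callers in sync and prevents a third caller from reintroducing the bug the 20190403 HISTORY entry describes.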
diff -Nru postfix-3.4.5/src/smtp/smtp.c postfix-3.4.7/src/smtp/smtp.c
--- postfix-3.4.5/src/smtp/smtp.c	2019-02-10 12:18:26.000000000 -0500
+++ postfix-3.4.7/src/smtp/smtp.c	2019-06-29 09:33:39.000000000 -0400
@@ -109,9 +109,8 @@
 /*	the postmaster is notified of bounces, protocol problems, and of
 /*	other trouble.
 /* BUGS
-/*	SMTP and LMTP connection caching does not work with TLS. The necessary
-/*	support for TLS object passivation and re-activation does not
-/*	exist without closing the session, which defeats the purpose.
+/*	SMTP and LMTP connection reuse for TLS (without closing the
+/*	SMTP or LMTP connection) is not supported before Postfix 3.4.
 /*
 /*	SMTP and LMTP connection caching assumes that SASL credentials
 /*	are valid for all destinations that map onto the same IP
@@ -496,6 +495,11 @@
 /* .IP "\fBsmtp_tls_servername (empty)\fR"
 /*	Optional name to send to the remote SMTP server in the TLS Server
 /*	Name Indication (SNI) extension.
+/* .PP
+/*	Introduced with Postfix 3.4.6, 3.3.5, 3.2.10, and 3.1.13:
+/* .IP "\fBtls_fast_shutdown_enable (yes)\fR"
+/*	A workaround for implementations that hang Postfix while shuting
+/*	down a TLS session, until Postfix times out.
 /* OBSOLETE STARTTLS CONTROLS
 /* .ad
 /* .fi
diff -Nru postfix-3.4.5/src/smtpd/smtpd.c postfix-3.4.7/src/smtpd/smtpd.c
--- postfix-3.4.5/src/smtpd/smtpd.c	2019-03-30 08:05:29.000000000 -0400
+++ postfix-3.4.7/src/smtpd/smtpd.c	2019-06-29 09:33:39.000000000 -0400
@@ -493,6 +493,11 @@
 /*	Optional lookup tables that map names received from remote SMTP
 /*	clients via the TLS Server Name Indication (SNI) extension to the
 /*	appropriate keys and certificate chains.
+/* .PP
+/*	Introduced with Postfix 3.4.6, 3.3.5, 3.2.10, and 3.1.13:
+/* .IP "\fBtls_fast_shutdown_enable (yes)\fR"
+/*	A workaround for implementations that hang Postfix while shuting
+/*	down a TLS session, until Postfix times out.
 /* OBSOLETE STARTTLS CONTROLS
 /* .ad
 /* .fi
@@ -3528,6 +3533,11 @@
     int     saved_err;
     const CLEANUP_STAT_DETAIL *detail;
 
+#define IS_SMTP_REJECT(s) \
+	(((s)[0] == '4' || (s)[0] == '5') \
+	 && ISDIGIT((s)[1]) && ISDIGIT((s)[2]) \
+	 && ((s)[3] == '\0' || (s)[3] == ' ' || (s)[3] == '-'))
+
     if (state->err == CLEANUP_STAT_OK
 	&& SMTPD_STAND_ALONE(state) == 0
 	&& (err = smtpd_check_eod(state)) != 0) {
@@ -3598,7 +3608,10 @@
 	if (state->err == 0) {
 	    why = vstring_alloc(10);
 	    state->err = mail_stream_finish(state->dest, why);
-	    printable(STR(why), ' ');
+	    if (IS_SMTP_REJECT(STR(why)))
+		printable_except(STR(why), ' ', "\r\n");
+	    else
+		printable(STR(why), ' ');
 	} else
 	    mail_stream_cleanup(state->dest);
 	state->dest = 0;
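Review bot: IS_SMTP_REJECT() validates only the first line of `why` before printable_except() lets embedded CRLF through, so text after the first line break is passed on with its line structure intact but without the status-code check. If the Milter reply validation upstream of mail_stream_finish() already guarantees that every continuation line carries a 4xx/5xx code, a comment here saying so would settle the question; otherwise a per-line check would be the defensive complement to this change.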
@@ -3633,11 +3646,6 @@
      * 
      * See also: qmqpd.c
      */
-#define IS_SMTP_REJECT(s) \
-	(((s)[0] == '4' || (s)[0] == '5') \
-	 && ISDIGIT((s)[1]) && ISDIGIT((s)[2]) \
-	 && ((s)[3] == '\0' || (s)[3] == ' ' || (s)[3] == '-'))
-
     if (state->err == CLEANUP_STAT_OK) {
 	state->error_count = 0;
 	state->error_mask = 0;
@@ -5413,15 +5421,6 @@
     case 0:
 
 	/*
-	 * Reset the per-command counters.
-	 */
-	for (cmdp = smtpd_cmd_table; /* see below */ ; cmdp++) {
-	    cmdp->success_count = cmdp->total_count = 0;
-	    if (cmdp->name == 0)
-		break;
-	}
-
-	/*
 	 * In TLS wrapper mode, turn on TLS using code that is shared with
 	 * the STARTTLS command. This code does not return when the handshake
 	 * fails.
@@ -5818,6 +5817,15 @@
 	if (cmdp->name == 0)
 	    break;
     }
+
+    /*
+     * Reset the per-command counters.
+     */
+    for (cmdp = smtpd_cmd_table; /* see below */ ; cmdp++) {
+	cmdp->success_count = cmdp->total_count = 0;
+	if (cmdp->name == 0)
+	    break;
+    }
 
     /*
      * Log total numbers, so that logfile analyzers will see something even
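Review bot: the new reset loop walks smtpd_cmd_table right after the loop that ends on the context lines above (`if (cmdp->name == 0) break;`), which appears to iterate the same table. If that preceding loop is the per-command logging pass, folding `cmdp->success_count = cmdp->total_count = 0;` into it after each entry is logged avoids a second walk and makes the log-then-reset ordering explicit.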
diff -Nru postfix-3.4.5/src/tls/Makefile.in postfix-3.4.7/src/tls/Makefile.in
--- postfix-3.4.5/src/tls/Makefile.in	2019-03-07 19:04:25.000000000 -0500
+++ postfix-3.4.7/src/tls/Makefile.in	2019-06-25 08:05:54.000000000 -0400
@@ -572,6 +572,7 @@
 tls_session.o: ../../include/argv.h
 tls_session.o: ../../include/check_arg.h
 tls_session.o: ../../include/dns.h
+tls_session.o: ../../include/mail_params.h
 tls_session.o: ../../include/msg.h
 tls_session.o: ../../include/myaddrinfo.h
 tls_session.o: ../../include/mymalloc.h
diff -Nru postfix-3.4.5/src/tls/tls_misc.c postfix-3.4.7/src/tls/tls_misc.c
--- postfix-3.4.5/src/tls/tls_misc.c	2019-02-21 19:22:18.000000000 -0500
+++ postfix-3.4.7/src/tls/tls_misc.c	2019-06-25 17:51:24.000000000 -0400
@@ -46,6 +46,8 @@
 /*	char	*var_tls_mgr_service;
 /*	char	*var_tls_tkt_cipher;
 /*	char	*var_openssl_path;
+/*	char	*var_tls_server_sni_maps;
+/*	bool	var_tls_fast_shutdown;
 /*
 /*	TLS_APPL_STATE *tls_alloc_app_context(ssl_ctx, log_mask)
 /*	SSL_CTX	*ssl_ctx;
@@ -289,6 +291,7 @@
 char   *var_tls_tkt_cipher;
 char   *var_openssl_path;
 char   *var_tls_server_sni_maps;
+bool    var_tls_fast_shutdown;
 
 static MAPS *tls_server_sni_maps;
 
@@ -625,6 +628,7 @@
 	VAR_TLS_BC_PKEY_FPRINT, DEF_TLS_BC_PKEY_FPRINT, &var_tls_bc_pkey_fprint,
 	VAR_TLS_PREEMPT_CLIST, DEF_TLS_PREEMPT_CLIST, &var_tls_preempt_clist,
 	VAR_TLS_MULTI_WILDCARD, DEF_TLS_MULTI_WILDCARD, &var_tls_multi_wildcard,
+	VAR_TLS_FAST_SHUTDOWN, DEF_TLS_FAST_SHUTDOWN, &var_tls_fast_shutdown,
 	0,
     };
     static int init_done;
diff -Nru postfix-3.4.5/src/tls/tls_session.c postfix-3.4.7/src/tls/tls_session.c
--- postfix-3.4.5/src/tls/tls_session.c	2018-12-26 14:21:49.000000000 -0500
+++ postfix-3.4.7/src/tls/tls_session.c	2019-06-25 08:05:54.000000000 -0400
@@ -71,6 +71,10 @@
 #include <msg.h>
 #include <mymalloc.h>
 
+/* Global library. */
+
+#include <mail_params.h>
+
 /* TLS library. */
 
 #define TLS_INTERNAL
@@ -95,6 +99,18 @@
 	msg_panic("%s: stream has no active TLS context", myname);
 
     /*
+     * According to RFC 2246 (TLS 1.0), there is no requirement to wait for
+     * the peer's close-notify. If the application protocol provides
+     * sufficient session termination signaling, then there's no need to
+     * duplicate that at the TLS close-notify layer.
+     * 
+     * https://tools.ietf.org/html/rfc2246#section-7.2.1
+     * https://tools.ietf.org/html/rfc4346#section-7.2.1
+     * https://tools.ietf.org/html/rfc5246#section-7.2.1
+     * 
+     * Specify 'tls_fast_shutdown = no' to enable the historical behavior
+     * described below.
+     * 
      * Perform SSL_shutdown() twice, as the first attempt will send out the
      * shutdown alert but it will not wait for the peer's shutdown alert.
      * Therefore, when we are the first party to send the alert, we must call
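Review bot: the comment says `Specify 'tls_fast_shutdown = no'` but the parameter is tls_fast_shutdown_enable; the 20190723 HISTORY entry in this debdiff fixed exactly this name mismatch in the code, and the comment was not updated with it. Change it to `tls_fast_shutdown_enable = no` so the comment matches the string behind VAR_TLS_FAST_SHUTDOWN.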
@@ -104,7 +120,7 @@
      */
     if (!failure) {
 	retval = tls_bio_shutdown(vstream_fileno(stream), timeout, TLScontext);
-	if (retval == 0)
+	if (!var_tls_fast_shutdown && retval == 0)
 	    tls_bio_shutdown(vstream_fileno(stream), timeout, TLScontext);
     }
     tls_free_context(TLScontext);
diff -Nru postfix-3.4.5/src/tlsproxy/tlsproxy.c postfix-3.4.7/src/tlsproxy/tlsproxy.c
--- postfix-3.4.5/src/tlsproxy/tlsproxy.c	2019-02-21 19:24:38.000000000 -0500
+++ postfix-3.4.7/src/tlsproxy/tlsproxy.c	2019-09-14 18:43:05.000000000 -0400
@@ -282,6 +282,11 @@
 /*	Optional lookup tables with the Postfix \fBtlsproxy\fR(8) client TLS
 /*	usage policy by next-hop destination and by remote TLS server
 /*	hostname.
+/* .PP
+/*	Introduced with Postfix 3.4.6, 3.3.5, 3.2.10, and 3.1.13:
+/* .IP "\fBtls_fast_shutdown_enable (yes)\fR"
+/*	A workaround for implementations that hang Postfix while shuting
+/*	down a TLS session, until Postfix times out.
 /* OBSOLETE STARTTLS SUPPORT CONTROLS
 /* .ad
 /* .fi
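Review bot: typo in the added manual text, `shuting` should be `shutting` (`/* A workaround for implementations that hang Postfix while shuting`). This comment block is extracted into the tlsproxy(8) man page, so the typo is user-visible.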
@@ -613,11 +618,11 @@
     switch (err) {
 
 	/*
-	 * No error from SSL_read and SSL_write means that the plaintext
-	 * output buffer is full and that the plaintext input buffer is
-	 * empty. Stop read/write events on the ciphertext stream. Keep the
-	 * timer alive as a safety mechanism for the case that the plaintext
-	 * pseudothreads get stuck.
+	 * No error means a successful SSL_accept/connect/shutdown request or
+	 * sequence of SSL_read/write requests. Disable read/write events on
+	 * the ciphertext stream. Keep the ciphertext stream timer alive as a
+	 * safety mechanism for the case that the plaintext pseudothreads get
+	 * stuck.
 	 */
     case SSL_ERROR_NONE:
 	if (state->ssl_last_err != SSL_ERROR_NONE) {
@@ -671,10 +676,23 @@
     default:
 
 	/*
-	 * Allow buffered-up plaintext output to trickle out.
+	 * Allow buffered-up plaintext output to trickle out. Permanently
+	 * disable read/write activity on the ciphertext stream, so that this
+	 * function will no longer be called. Keep the ciphertext stream
+	 * timer alive as a safety mechanism for the case that the plaintext
+	 * pseudothreads get stuck. Return into tlsp_strategy(), which will
+	 * enable plaintext write events.
 	 */
-	if (state->plaintext_buf && NBBIO_WRITE_PEND(state->plaintext_buf))
+#define TLSP_CAN_TRICKLE_OUT_PLAINTEXT(buf) \
+	((buf) && !NBBIO_ERROR_FLAGS(buf) && NBBIO_WRITE_PEND(buf))
+
+	if (TLSP_CAN_TRICKLE_OUT_PLAINTEXT(state->plaintext_buf)) {
+	    event_disable_readwrite(ciphertext_fd);
+	    event_request_timer(tlsp_ciphertext_event, (void *) state,
+				state->timeout);
+	    state->flags |= TLSP_FLAG_NO_MORE_CIPHERTEXT_IO;
 	    return (TLSP_STAT_OK);
+	}
 	tlsp_state_free(state);
 	return (TLSP_STAT_ERR);
     }
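Review bot: `TLSP_CAN_TRICKLE_OUT_PLAINTEXT` is `#define`d inside a `case` body of this function but is used again further down in tlsp_strategy(), so it only works because of source-file ordering; move the macro to the top of the file or next to the `TLSP_FLAG_*` definitions in tlsproxy.h so the dependency is visible. The logic itself reads correctly: once `TLSP_FLAG_NO_MORE_CIPHERTEXT_IO` is set and ciphertext events are disabled, the timer re-armed with `event_request_timer()` is the only remaining path that reclaims the state, which matches the new comment.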
@@ -745,6 +763,18 @@
     int     handshake_err;
 
     /*
+     * This function is called after every ciphertext or plaintext event, to
+     * schedule new ciphertext or plaintext I/O.
+     */
+
+    /*
+     * Try to make an SSL I/O request. If this fails with SSL_ERROR_WANT_READ
+     * or SSL_ERROR_WANT_WRITE, enable ciphertext read or write events, and
+     * retry the SSL I/O request in a later tlsp_strategy() call.
+     */
+    if ((state->flags & TLSP_FLAG_NO_MORE_CIPHERTEXT_IO) == 0) {
+
+    /*
      * Do not enable plain-text I/O before completing the TLS handshake.
      * Otherwise the remote peer can prepend plaintext to the optional
      * TLS_SESS_STATE object.
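Review bot: the new `if ((state->flags & TLSP_FLAG_NO_MORE_CIPHERTEXT_IO) == 0) {` opens a block whose body keeps its previous indentation and whose closing brace sits far below (just before the new `else` in the later hunk of this file), which makes the control flow hard to review. Either re-indent the enclosed code or move the existing body into a helper so the no-more-ciphertext case becomes a plain early-out at the top of tlsp_strategy().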
@@ -779,9 +809,8 @@
     if (NBBIO_ERROR_FLAGS(plaintext_buf)) {
 	if (NBBIO_ACTIVE_FLAGS(plaintext_buf))
 	    nbbio_disable_readwrite(state->plaintext_buf);
-	ssl_stat = SSL_shutdown(tls_context->con);
-	/* XXX Wait for return value 1 if sessions are to be reused? */
-	if (ssl_stat < 0) {
+	if (!SSL_in_init(tls_context->con)
+	    && (ssl_stat = SSL_shutdown(tls_context->con)) < 0) {
 	    handshake_err = SSL_get_error(tls_context->con, ssl_stat);
 	    tlsp_eval_tls_error(state, handshake_err);
 	    /* At this point, state could be a dangling pointer. */
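Review bot: the `SSL_in_init()` guard stops SSL_shutdown() from being called on a connection whose handshake has not completed, but when the guard is true nothing in this hunk tears the connection down; confirm that the state is still freed on that path (by the ciphertext timer or the new `TLSP_FLAG_NO_MORE_CIPHERTEXT_IO` handling), otherwise a peer that triggers the plaintext error flags mid-handshake leaves the proxy state alive until the timeout fires. The removed `/* XXX Wait for return value 1 if sessions are to be reused? */` remark also disappears without an explanation; a one-line comment saying why waiting for the peer's close-notify is no longer needed here would preserve that reasoning.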
@@ -857,6 +886,19 @@
 			    ssl_write_err : ssl_read_err) < 0)
 	/* At this point, state is a dangling pointer. */
 	return;
+    }
+
+    /*
+     * Destroy state when the ciphertext I/O was permanently disbled and we
+     * can no longer trickle out plaintext.
+     */
+    else {
+	plaintext_buf = state->plaintext_buf;
+	if (!TLSP_CAN_TRICKLE_OUT_PLAINTEXT(plaintext_buf)) {
+	    tlsp_state_free(state);
+	    return;
+	}
+    }
 
     /*
      * Try to enable/disable plaintext read/write events. Basically, if we
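Review bot: typo in the new comment, `permanently disbled` should be `disabled`. Placing a comment block between the `}` and its `else` is legal C but easy to misread as the end of the `if` statement; moving the comment inside the `else` block avoids that.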
diff -Nru postfix-3.4.5/src/tlsproxy/tlsproxy.h postfix-3.4.7/src/tlsproxy/tlsproxy.h
--- postfix-3.4.5/src/tlsproxy/tlsproxy.h	2019-02-08 17:22:24.000000000 -0500
+++ postfix-3.4.7/src/tlsproxy/tlsproxy.h	2019-09-14 18:43:05.000000000 -0400
@@ -47,6 +47,7 @@
 } TLSP_STATE;
 
 #define TLSP_FLAG_DO_HANDSHAKE	(1<<0)
+#define TLSP_FLAG_NO_MORE_CIPHERTEXT_IO (1<<1)	/* overrides DO_HANDSHAKE */
 
 extern TLSP_STATE *tlsp_state_create(const char *, VSTREAM *);
 extern void tlsp_state_free(TLSP_STATE *);
diff -Nru postfix-3.4.5/src/util/printable.c postfix-3.4.7/src/util/printable.c
--- postfix-3.4.5/src/util/printable.c	2015-01-13 19:19:23.000000000 -0500
+++ postfix-3.4.7/src/util/printable.c	2019-04-10 17:30:23.000000000 -0400
@@ -11,6 +11,11 @@
 /*	char	*printable(buffer, replacement)
 /*	char	*buffer;
 /*	int	replacement;
+/*
+/*	char	*printable_except(buffer, replacement, except)
+/*	char	*buffer;
+/*	int	replacement;
+/*	const char *except;
 /* DESCRIPTION
 /*	printable() replaces non-printable characters
 /*	in its input with the given replacement.
@@ -24,6 +29,8 @@
 /* .IP replacement
 /*	Replacement value for characters in \fIbuffer\fR that do not
 /*	pass the ASCII isprint(3) test or that are not valid UTF8.
+/* .IP except
+/*	Null-terminated sequence of non-replaced ASCII characters.
 /* LICENSE
 /* .ad
 /* .fi
@@ -33,12 +40,18 @@
 /*	IBM T.J. Watson Research
 /*	P.O. Box 704
 /*	Yorktown Heights, NY 10598, USA
+/*
+/*	Wietse Venema
+/*	Google, Inc.
+/*	111 8th Avenue
+/*	New York, NY 10011, USA
 /*--*/
 
 /* System library. */
 
 #include "sys_defs.h"
 #include <ctype.h>
+#include <string.h>
 
 /* Utility library. */
 
@@ -46,8 +59,21 @@
 
 int util_utf8_enable = 0;
 
+/* printable -  binary compatibility */
+
+#undef printable
+
+char   *printable(char *, int);
+
 char   *printable(char *string, int replacement)
 {
+    return (printable_except(string, replacement, (char *) 0));
+}
+
+/* printable_except -  pass through printable or other preserved characters */
+
+char   *printable_except(char *string, int replacement, const char *except)
+{
     unsigned char *cp;
     int     ch;
 
@@ -57,7 +83,7 @@
      */
     cp = (unsigned char *) string;
     while ((ch = *cp) != 0) {
-	if (ISASCII(ch) && ISPRINT(ch)) {
+	if (ISASCII(ch) && (ISPRINT(ch) || (except && strchr(except, ch)))) {
 	    /* ok */
 	} else if (util_utf8_enable && ch >= 194 && ch <= 254
 		   && cp[1] >= 128 && cp[1] < 192) {
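Review bot: the `except` check is evaluated only behind `ISASCII(ch)`, so non-ASCII bytes in `except` can never match; that is consistent with the `.IP except` text ("non-replaced ASCII characters"), but worth stating in the code comment. strchr() also matches the terminating NUL, which is harmless here only because the `while ((ch = *cp) != 0)` loop stops before ch can be 0; a short comment would keep a future refactor from relying on strchr() alone.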
diff -Nru postfix-3.4.5/src/util/stringops.h postfix-3.4.7/src/util/stringops.h
--- postfix-3.4.5/src/util/stringops.h	2017-12-27 17:29:45.000000000 -0500
+++ postfix-3.4.7/src/util/stringops.h	2019-04-10 17:23:22.000000000 -0400
@@ -20,7 +20,7 @@
   * External interface.
   */
 extern int util_utf8_enable;
-extern char *printable(char *, int);
+extern char *printable_except(char *, int, const char *);
 extern char *neuter(char *, const char *, int);
 extern char *lowercase(char *);
 extern char *casefoldx(int, VSTRING *, const char *, ssize_t);
@@ -32,6 +32,9 @@
 extern char *mystrtokq(char **, const char *, const char *);
 extern char *translit(char *, const char *, const char *);
 
+#define printable(string, replacement) \
+	printable_except((string), (replacement), (char *) 0)
+
 #ifndef HAVE_BASENAME
 #define basename postfix_basename
 extern char *basename(const char *);
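Review bot: turning `printable` into a function-like macro means any translation unit that declares its own prototype for printable(), takes its address, or names a function or struct field `printable` will now expand the macro. printable.c handles its own case with `#undef printable` plus an explicit prototype, but the change should come with a check of the rest of the tree (including any out-of-tree code compiled against stringops.h) for such uses.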
diff -Nru postfix-3.4.5/src/util/unix_dgram_connect.c postfix-3.4.7/src/util/unix_dgram_connect.c
--- postfix-3.4.5/src/util/unix_dgram_connect.c	2019-01-29 17:24:42.000000000 -0500
+++ postfix-3.4.7/src/util/unix_dgram_connect.c	2019-04-01 17:48:27.000000000 -0400
@@ -60,6 +60,7 @@
 int     unix_dgram_connect(const char *path, int block_mode)
 {
     const char myname[] = "unix_dgram_connect";
+#undef sun
     struct sockaddr_un sun;
     ssize_t path_len;
     int     sock;
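Review bot: the bare `#undef sun` before `struct sockaddr_un sun;` needs a comment: `sun` is a predefined macro on SunOS/Solaris compilers, which is why the local variable name collides. An `#undef` at file scope after the system includes, or simply renaming the variable (for example to `addr`), would be clearer than an `#undef` in the middle of a function body.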
diff -Nru postfix-3.4.5/src/util/vstream_tweak.c postfix-3.4.7/src/util/vstream_tweak.c
--- postfix-3.4.5/src/util/vstream_tweak.c	2014-12-25 11:47:17.000000000 -0500
+++ postfix-3.4.7/src/util/vstream_tweak.c	2019-09-08 10:36:14.000000000 -0400
@@ -124,12 +124,20 @@
      * stream buffer size to less than VSTREAM_BUFSIZE, when the request is
      * made before the first stream read or write operation. We don't want to
      * reduce the buffer size.
+     * 
+     * As of 20190820 we increase the mss size multipler from 2x to 4x, because
+     * some LINUX loopback TCP stacks report an MSS of 21845 which is 3x
+     * smaller than the MTU of 65536. Even with a VSTREAM buffer 2x the
+     * reported MSS size, performance would suck due to Nagle or delayed ACK
+     * delays.
      */
 #define EFF_BUFFER_SIZE(fp) (vstream_req_bufsize(fp) ? \
 		vstream_req_bufsize(fp) : VSTREAM_BUFSIZE)
 
 #ifdef CA_VSTREAM_CTL_BUFSIZE
-    if (mss > EFF_BUFFER_SIZE(fp) / 2) {
+    if (mss > EFF_BUFFER_SIZE(fp) / 4) {
+	if (mss < INT_MAX / 2)
+	    mss *= 2;
 	if (mss < INT_MAX / 2)
 	    mss *= 2;
 	vstream_control(fp,
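Review bot: typo in the new comment, `mss size multipler` should be `multiplier`. The two consecutive `if (mss < INT_MAX / 2) mss *= 2;` statements are identical and look like an accidental duplication; a comment stating that two separately guarded doublings are intended (so that the second doubling is skipped when it would overflow, rather than a single unguarded `*= 4`) would stop a future reader from collapsing them and losing the overflow check.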
diff -Nru postfix-3.4.5/src/xsasl/xsasl_dovecot_server.c postfix-3.4.7/src/xsasl/xsasl_dovecot_server.c
--- postfix-3.4.5/src/xsasl/xsasl_dovecot_server.c	2016-01-23 19:50:54.000000000 -0500
+++ postfix-3.4.7/src/xsasl/xsasl_dovecot_server.c	2019-08-27 03:35:11.000000000 -0400
@@ -584,10 +584,20 @@
 	    if (xsasl_dovecot_parse_reply(server, &line) == 0) {
 		/* authentication successful */
 		xsasl_dovecot_parse_reply_args(server, line, reply, 1);
+		if (server->username == 0) {
+		    msg_warn("missing Dovecot server %s username field", cmd);
+		    vstring_strcpy(reply, "Authentication backend error");
+		    return XSASL_AUTH_FAIL;
+		}
 		return XSASL_AUTH_DONE;
 	    }
 	} else if (strcmp(cmd, "CONT") == 0) {
 	    if (xsasl_dovecot_parse_reply(server, &line) == 0) {
+		if (line == 0) {
+		    msg_warn("missing Dovecot server %s reply field", cmd);
+		    vstring_strcpy(reply, "Authentication backend error");
+		    return XSASL_AUTH_FAIL;
+		}
 		vstring_strcpy(reply, line);
 		return XSASL_AUTH_MORE;
 	    }
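Review bot: good catch in the OK branch: before this change a reply without a username field returned XSASL_AUTH_DONE with `server->username` left at NULL, i.e. a "successful" authentication with no identity. The new check runs after xsasl_dovecot_parse_reply_args() has already populated the other reply fields, so on the XSASL_AUTH_FAIL path confirm the caller discards the server state rather than reusing partially filled fields on the next exchange. Including `cmd` in the warning is fine, since it is the already-matched reply keyword from the Dovecot socket rather than client-supplied data.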

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.2

Hi,

The fixes referenced by these bugs were included in today's 10.2 stable
point release.

Regards,

Adam

--- End Message ---
