Bug#1037305: bookworm-pu: package postfix/3.7.5-2
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
First in the normal series of postfix bug fix updates for bookworm.
[ Impact ]
User will continue to experience the bugs that are fixed by the update.
[ Tests ]
The package has a resonably comprehensive autopkgtest. Am currently
testing the update locally without issue.
[ Risks ]
Risks are low. So far the experience with these Postfix updates has
been very good. Upstream is well regarded for code quality and keeping
maintenance updates focused on changes that are generally in line with
Debian's post-release update policy.
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
[Scott Kitterman]
* Refresh patches
[Wietse Venema]
* 3.7.6
- Bugfix (defect introduced: Postfix 1.0): the command "postconf
.. name=v1 .. name=v2 .." (multiple instances of the same
parameter name) created multiple name=value entries with
the same parameter name. It now logs a warning and skips
the earlier update. Found during code maintenance. File:
postconf/postconf_edit.c
- Bugfix (defect introduced: Postfix 3.3): the command "postconf
-M name1/type1='name2 type2 ...'" died with a segmentation
violation when the request matched multiple master.cf
entries. The master.cf file was not damaged. Problem reported
by SATOH Fumiyasu. File: postconf/postconf_master.c.
- Bugfix (defect introduced: Postfix 2.11): the command
"postconf -M name1/type1='name2 type2 ...'" could add a
service definition to master.cf that conflicted with an
already existing service definition. It now replaces all
existing service definitions that match the service pattern
'name1/type1' or the service name and type in 'name2 type2
...' with a single service definition 'name2 type2 ...'.
Problem reported by SATOH Fumiyasu. File: postconf/postconf_edit.c.
- Bitrot: preliminary support for OpenSSL configuration files,
primarily OpenSSL 1.1.1b and later. This introduces new
parameters "tls_config_file" and "tls_config_name", which
can be used to limit collateral damage from OS distributions
that crank up security to 11, increasing the number of
plaintext email deliveries. Details are in the postconf(5)
manpage under "tls_config_file" and "tls_config_name".
Viktor Dukhovni. Files: mantools/postlink, proto/postconf.proto,
global/mail_params.h, posttls-finger/posttls-finger.c,
smtp/smtp.c, smtp/smtp_proto.c, tls/tls_client.c, tls/tls.h,
tls/tls_misc.c, tls/tls_proxy_client_print.c,
tls/tls_proxy_client_scan.c, tls/tls_proxy.h, tls/tls_server.c,
tlsproxy/tlsproxy.c.
- Cleanup: use TLS_CLIENT_PARAMS to pass the OpensSSL 'init'
configurations. This information is independent from the
client or server TLS context, and therefore does not belong
in tls_*_init() or tls_*_start() calls. The tlsproxy(8)
server uses TLS_CLIENT_PARAMS to report differences between
its own global TLS settings, and those from its clients.
Files: posttls-finger/posttls-finger.c, smtp/smtp.c,
smtp/smtp_proto.c, tls/tls.h, tls/tls_proxy_client_misc.c,
tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c,
tls/tls_proxy.h, tlsproxy/tlsproxy.c.
- Cleanup: reverted cosmetic-only changes to minimize the
patch footprint for OpenSSL INI file support; updated daemon
manpages with the new tls_config_file and tls_config_name
configuration parameters. Files: smtp/smtp.c, smtpd/smtpd.c,
tls/tls_client.c, tls/tls.h, tls/tls_server.c, tlsproxy/tlsproxy.c,
- Cleanup: made OpenSSL 'default' INI file support error
handling consistent with OpenSSL default behavior. Viktor
Dukhovni. Files: proto/postconf.proto, tls/tls_misc.c.
- Backwards compatibility for stable releases that originally
had no OpenSSL INI support. Skip the new OpenSSL INI support
code, unless the Postfix configuration actually specifies
non-default tls_config_xxx settings. File: tls/tls_misc.c.
- Cleanup: added a multiple initialization guard in the
tls_library_init() function, and made an initialization
error sticky. File: tls/tls_misc.c.
- Security: new parameter smtpd_forbid_unauth_pipelining
(default: no) to disconnect remote SMTP clients that violate
RFC 2920 (or 5321) command pipelining constraints. Files:
global/mail_params.h, smtpd/smtpd.c, proto/postconf.proto.
[ Other info ]
These fixes will be aligned to postfix 3.8.1 in testing/unstable, which
has been uploaded.
Scott K
diff -Nru postfix-3.7.5/debian/changelog postfix-3.7.6/debian/changelog
--- postfix-3.7.5/debian/changelog 2023-05-03 10:27:40.000000000 -0400
+++ postfix-3.7.6/debian/changelog 2023-06-10 16:31:57.000000000 -0400
@@ -1,3 +1,85 @@
+postfix (3.7.6-0+deb12u1) UNRELEASED; urgency=medium
+
+ [Scott Kitterman]
+
+ * Refresh patches
+
+ [Wietse Venema]
+
+ * 3.7.6
+ - Bugfix (defect introduced: Postfix 1.0): the command "postconf
+ .. name=v1 .. name=v2 .." (multiple instances of the same
+ parameter name) created multiple name=value entries with
+ the same parameter name. It now logs a warning and skips
+ the earlier update. Found during code maintenance. File:
+ postconf/postconf_edit.c
+
+ - Bugfix (defect introduced: Postfix 3.3): the command "postconf
+ -M name1/type1='name2 type2 ...'" died with a segmentation
+ violation when the request matched multiple master.cf
+ entries. The master.cf file was not damaged. Problem reported
+ by SATOH Fumiyasu. File: postconf/postconf_master.c.
+
+ - Bugfix (defect introduced: Postfix 2.11): the command
+ "postconf -M name1/type1='name2 type2 ...'" could add a
+ service definition to master.cf that conflicted with an
+ already existing service definition. It now replaces all
+ existing service definitions that match the service pattern
+ 'name1/type1' or the service name and type in 'name2 type2
+ ...' with a single service definition 'name2 type2 ...'.
+ Problem reported by SATOH Fumiyasu. File: postconf/postconf_edit.c.
+
+ - Bitrot: preliminary support for OpenSSL configuration files,
+ primarily OpenSSL 1.1.1b and later. This introduces new
+ parameters "tls_config_file" and "tls_config_name", which
+ can be used to limit collateral damage from OS distributions
+ that crank up security to 11, increasing the number of
+ plaintext email deliveries. Details are in the postconf(5)
+ manpage under "tls_config_file" and "tls_config_name".
+ Viktor Dukhovni. Files: mantools/postlink, proto/postconf.proto,
+ global/mail_params.h, posttls-finger/posttls-finger.c,
+ smtp/smtp.c, smtp/smtp_proto.c, tls/tls_client.c, tls/tls.h,
+ tls/tls_misc.c, tls/tls_proxy_client_print.c,
+ tls/tls_proxy_client_scan.c, tls/tls_proxy.h, tls/tls_server.c,
+ tlsproxy/tlsproxy.c.
+
+ - Cleanup: use TLS_CLIENT_PARAMS to pass the OpensSSL 'init'
+ configurations. This information is independent from the
+ client or server TLS context, and therefore does not belong
+ in tls_*_init() or tls_*_start() calls. The tlsproxy(8)
+ server uses TLS_CLIENT_PARAMS to report differences between
+ its own global TLS settings, and those from its clients.
+ Files: posttls-finger/posttls-finger.c, smtp/smtp.c,
+ smtp/smtp_proto.c, tls/tls.h, tls/tls_proxy_client_misc.c,
+ tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c,
+ tls/tls_proxy.h, tlsproxy/tlsproxy.c.
+
+ - Cleanup: reverted cosmetic-only changes to minimize the
+ patch footprint for OpenSSL INI file support; updated daemon
+ manpages with the new tls_config_file and tls_config_name
+ configuration parameters. Files: smtp/smtp.c, smtpd/smtpd.c,
+ tls/tls_client.c, tls/tls.h, tls/tls_server.c, tlsproxy/tlsproxy.c,
+
+ - Cleanup: made OpenSSL 'default' INI file support error
+ handling consistent with OpenSSL default behavior. Viktor
+ Dukhovni. Files: proto/postconf.proto, tls/tls_misc.c.
+
+ - Backwards compatibility for stable releases that originally
+ had no OpenSSL INI support. Skip the new OpenSSL INI support
+ code, unless the Postfix configuration actually specifies
+ non-default tls_config_xxx settings. File: tls/tls_misc.c.
+
+ - Cleanup: added a multiple initialization guard in the
+ tls_library_init() function, and made an initialization
+ error sticky. File: tls/tls_misc.c.
+
+ - Security: new parameter smtpd_forbid_unauth_pipelining
+ (default: no) to disconnect remote SMTP clients that violate
+ RFC 2920 (or 5321) command pipelining constraints. Files:
+ global/mail_params.h, smtpd/smtpd.c, proto/postconf.proto.
+
+ -- Scott Kitterman <scott@kitterman.com> Sat, 10 Jun 2023 16:31:57 -0400
+
postfix (3.7.5-2) unstable; urgency=medium
[Sergio Durigan Junior]
diff -Nru postfix-3.7.5/debian/patches/10_openssl_version_check.diff postfix-3.7.6/debian/patches/10_openssl_version_check.diff
--- postfix-3.7.5/debian/patches/10_openssl_version_check.diff 2023-05-03 10:12:27.000000000 -0400
+++ postfix-3.7.6/debian/patches/10_openssl_version_check.diff 2023-06-10 16:30:19.000000000 -0400
@@ -2,7 +2,7 @@
===================================================================
--- postfix.orig/src/tls/tls_misc.c
+++ postfix/src/tls/tls_misc.c
-@@ -1269,26 +1269,7 @@ static void tls_version_split(unsigned l
+@@ -1392,26 +1392,7 @@ static void tls_version_split(unsigned l
void tls_check_version(void)
{
diff -Nru postfix-3.7.5/HISTORY postfix-3.7.6/HISTORY
--- postfix-3.7.5/HISTORY 2023-04-18 15:42:17.000000000 -0400
+++ postfix-3.7.6/HISTORY 2023-06-05 15:59:49.000000000 -0400
@@ -26507,3 +26507,90 @@
return "not found" instead of "error" during the time that
all MySQL server connections were turned down after error.
Found during code maintenance. File: global/dict_mysql.c.
+
+20230428
+
+ Bugfix (defect introduced: Postfix 1.0): the command "postconf
+ .. name=v1 .. name=v2 .." (multiple instances of the same
+ parameter name) created multiple name=value entries with
+ the same parameter name. It now logs a warning and skips
+ the earlier update. Found during code maintenance. File:
+ postconf/postconf_edit.c
+
+ Bugfix (defect introduced: Postfix 3.3): the command "postconf
+ -M name1/type1='name2 type2 ...'" died with a segmentation
+ violation when the request matched multiple master.cf
+ entries. The master.cf file was not damaged. Problem reported
+ by SATOH Fumiyasu. File: postconf/postconf_master.c.
+
+20230502
+
+ Bugfix (defect introduced: Postfix 2.11): the command
+ "postconf -M name1/type1='name2 type2 ...'" could add a
+ service definition to master.cf that conflicted with an
+ already existing service definition. It now replaces all
+ existing service definitions that match the service pattern
+ 'name1/type1' or the service name and type in 'name2 type2
+ ...' with a single service definition 'name2 type2 ...'.
+ Problem reported by SATOH Fumiyasu. File: postconf/postconf_edit.c.
+
+20230519
+
+ Bitrot: preliminary support for OpenSSL configuration files,
+ primarily OpenSSL 1.1.1b and later. This introduces new
+ parameters "tls_config_file" and "tls_config_name", which
+ can be used to limit collateral damage from OS distributions
+ that crank up security to 11, increasing the number of
+ plaintext email deliveries. Details are in the postconf(5)
+ manpage under "tls_config_file" and "tls_config_name".
+ Viktor Dukhovni. Files: mantools/postlink, proto/postconf.proto,
+ global/mail_params.h, posttls-finger/posttls-finger.c,
+ smtp/smtp.c, smtp/smtp_proto.c, tls/tls_client.c, tls/tls.h,
+ tls/tls_misc.c, tls/tls_proxy_client_print.c,
+ tls/tls_proxy_client_scan.c, tls/tls_proxy.h, tls/tls_server.c,
+ tlsproxy/tlsproxy.c.
+
+20230523
+
+ Cleanup: use TLS_CLIENT_PARAMS to pass the OpensSSL 'init'
+ configurations. This information is independent from the
+ client or server TLS context, and therefore does not belong
+ in tls_*_init() or tls_*_start() calls. The tlsproxy(8)
+ server uses TLS_CLIENT_PARAMS to report differences between
+ its own global TLS settings, and those from its clients.
+ Files: posttls-finger/posttls-finger.c, smtp/smtp.c,
+ smtp/smtp_proto.c, tls/tls.h, tls/tls_proxy_client_misc.c,
+ tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c,
+ tls/tls_proxy.h, tlsproxy/tlsproxy.c.
+
+20230524
+
+ Cleanup: reverted cosmetic-only changes to minimize the
+ patch footprint for OpenSSL INI file support; updated daemon
+ manpages with the new tls_config_file and tls_config_name
+ configuration parameters. Files: smtp/smtp.c, smtpd/smtpd.c,
+ tls/tls_client.c, tls/tls.h, tls/tls_server.c, tlsproxy/tlsproxy.c,
+
+20230529
+
+ Cleanup: made OpenSSL 'default' INI file support error
+ handling consistent with OpenSSL default behavior. Viktor
+ Dukhovni. Files: proto/postconf.proto, tls/tls_misc.c.
+
+20230602
+
+ Backwards compatibility for stable releases that originally
+ had no OpenSSL INI support. Skip the new OpenSSL INI support
+ code, unless the Postfix configuration actually specifies
+ non-default tls_config_xxx settings. File: tls/tls_misc.c.
+
+ Cleanup: added a multiple initialization guard in the
+ tls_library_init() function, and made an initialization
+ error sticky. File: tls/tls_misc.c.
+
+20230605
+
+ Security: new parameter smtpd_forbid_unauth_pipelining
+ (default: no) to disconnect remote SMTP clients that violate
+ RFC 2920 (or 5321) command pipelining constraints. Files:
+ global/mail_params.h, smtpd/smtpd.c, proto/postconf.proto.
diff -Nru postfix-3.7.5/html/lmtp.8.html postfix-3.7.6/html/lmtp.8.html
--- postfix-3.7.5/html/lmtp.8.html 2021-12-23 17:24:55.000000000 -0500
+++ postfix-3.7.6/html/lmtp.8.html 2023-06-04 18:23:40.000000000 -0400
@@ -686,6 +686,15 @@
A workaround for implementations that hang Postfix while shut-
ting down a TLS session, until Postfix times out.
+ Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+
+ <b><a href="postconf.5.html#tls_config_file">tls_config_file</a> (default)</b>
+ Optional configuration file with baseline OpenSSL settings.
+
+ <b><a href="postconf.5.html#tls_config_name">tls_config_name</a> (empty)</b>
+ The application name passed by Postfix to OpenSSL library ini-
+ tialization functions.
+
<b>OBSOLETE STARTTLS CONTROLS</b>
The following configuration parameters exist for compatibility with
Postfix versions before 2.3. Support for these will be removed in a
diff -Nru postfix-3.7.5/html/postconf.5.html postfix-3.7.6/html/postconf.5.html
--- postfix-3.7.5/html/postconf.5.html 2022-01-21 16:39:35.000000000 -0500
+++ postfix-3.7.6/html/postconf.5.html 2023-06-05 16:57:04.000000000 -0400
@@ -15533,6 +15533,22 @@
</DD>
+<DT><b><a name="smtpd_forbid_unauth_pipelining">smtpd_forbid_unauth_pipelining</a>
+(default: Postfix ≥ 3.9: yes)</b></DT><DD>
+
+<p> Disconnect remote SMTP clients that violate <a href="https://tools.ietf.org/html/rfc2920";>RFC 2920</a> (or 5321)
+command pipelining constraints. The server replies with "554 5.5.0
+Error: SMTP protocol synchronization" and logs the unexpected remote
+SMTP client input. Specify "<a href="postconf.5.html#smtpd_forbid_unauth_pipelining">smtpd_forbid_unauth_pipelining</a> = yes"
+to enable. This feature is enabled by default with Postfix ≥
+3.9. </p>
+
+<p> This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6,
+3.6.10, and 3.5.20. </p>
+
+
+</DD>
+
<DT><b><a name="smtpd_forbidden_commands">smtpd_forbidden_commands</a>
(default: CONNECT GET POST <a href="regexp_table.5.html">regexp</a>:{{/^[^A-Z]/ Bogus}})</b></DT><DD>
@@ -19074,6 +19090,113 @@
</DD>
+
+<DT><b><a name="tls_config_file">tls_config_file</a>
+(default: default)</b></DT><DD>
+
+<p> Optional configuration file with baseline OpenSSL settings.
+OpenSSL loads any SSL settings found in the configuration file for
+the selected application name (see <a href="postconf.5.html#tls_config_name">tls_config_name</a>) or else the
+built-in application name "openssl_conf" when no application name is
+specified, or no corresponding configuration section is present.
+</p>
+
+<p> With OpenSSL releases 1.1.1 and 1.1.1a, applications (including
+Postfix) can neither specify an alternative configuration file, nor
+avoid loading the default configuration file. </p>
+
+<p> With OpenSSL 1.1.1b or later, this parameter may be set to one of:
+</p>
+
+<dl>
+
+<dt> <b>default</b> (default) </dt> <dd> Load the system-wide
+"openssl.cnf" configuration file. </dd>
+
+<dt> <b>none</b> (recommended, OpenSSL 1.1.1b or later only) </dt>
+<dd> This setting disables loading of the system-wide "openssl.cnf"
+file. </dd>
+
+<dt> <b><i>/absolute-path</i></b> (OpenSSL 1.1.1b or later only) </dt>
+<dd> Load the configuration file specified by <i>/absolute-path</i>.
+With this setting it is an error for the file to not contain any
+settings for the selected <a href="postconf.5.html#tls_config_name">tls_config_name</a>. There is no fallback to
+the default "openssl_conf" name. </dd>
+
+</dl>
+
+<p> Failures in processing of the built-in default configuration file,
+are silently ignored. Any errors in loading a non-default configuration
+file are detected by Postfix, and cause TLS support to be disabled.
+</p>
+
+<p> The OpenSSL configuration file format is not documented here,
+beyond giving two examples. <p>
+
+<p> Example: Default settings for all applications. </p>
+
+<blockquote>
+<pre>
+# The name 'openssl_conf' is the default application name
+# The section name to the right of the '=' sign is arbitrary,
+# any name will do, so long as it refers to the desired section.
+#
+# The name 'system_default' selects the settings applied internally
+# by the SSL library as part of SSL object creation. Applications
+# can then apply any additional settings of their choice.
+#
+# In this example, TLS versions prior to 1.2 are disabled by default.
+#
+openssl_conf = system_wide_settings
+[system_wide_settings]
+ssl_conf = ssl_library_settings
+[ssl_library_settings]
+system_default = initial_ssl_settings
+[initial_ssl_settings]
+MinProtocol = TLSv1.2
+</pre>
+</blockquote>
+
+<p> Example: Custom settings for an application named "postfix". </p>
+
+<blockquote>
+<pre>
+# The mapping from an application name to the corresponding configuration
+# section must appear near the top of the file, (in what is sometimes called
+# the "default section") prior to the start of any explicitly named
+# "[sections]". The named sections can appear in any order and don't nest.
+#
+postfix = postfix_settings
+[postfix_settings]
+ssl_conf = postfix_ssl_settings
+[postfix_ssl_settings]
+system_default = baseline_postfix_settings
+[baseline_postfix_settings]
+MinProtocol = TLSv1
+</pre>
+</blockquote>
+
+<p> This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6,
+3.6.10, and 3.5.20. </p>
+
+
+</DD>
+
+<DT><b><a name="tls_config_name">tls_config_name</a>
+(default: empty)</b></DT><DD>
+
+<p> The application name passed by Postfix to OpenSSL library
+initialization functions. This name is used to select the desired
+configuration "section" in the OpenSSL configuration file specified
+via the <a href="postconf.5.html#tls_config_file">tls_config_file</a> parameter. When empty, or when the
+selected name is not present in the configuration file, the default
+application name ("openssl_conf") is used as a fallback. </p>
+
+<p> This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6,
+3.6.10, and 3.5.20. </p>
+
+
+</DD>
<DT><b><a name="tls_daemon_random_bytes">tls_daemon_random_bytes</a>
(default: 32)</b></DT><DD>
diff -Nru postfix-3.7.5/html/smtp.8.html postfix-3.7.6/html/smtp.8.html
--- postfix-3.7.5/html/smtp.8.html 2021-12-23 17:24:55.000000000 -0500
+++ postfix-3.7.6/html/smtp.8.html 2023-06-04 18:23:40.000000000 -0400
@@ -686,6 +686,15 @@
A workaround for implementations that hang Postfix while shut-
ting down a TLS session, until Postfix times out.
+ Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+
+ <b><a href="postconf.5.html#tls_config_file">tls_config_file</a> (default)</b>
+ Optional configuration file with baseline OpenSSL settings.
+
+ <b><a href="postconf.5.html#tls_config_name">tls_config_name</a> (empty)</b>
+ The application name passed by Postfix to OpenSSL library ini-
+ tialization functions.
+
<b>OBSOLETE STARTTLS CONTROLS</b>
The following configuration parameters exist for compatibility with
Postfix versions before 2.3. Support for these will be removed in a
diff -Nru postfix-3.7.5/html/smtpd.8.html postfix-3.7.6/html/smtpd.8.html
--- postfix-3.7.5/html/smtpd.8.html 2021-12-23 17:24:56.000000000 -0500
+++ postfix-3.7.6/html/smtpd.8.html 2023-06-05 16:08:12.000000000 -0400
@@ -632,6 +632,15 @@
The email address form that will be used in non-debug logging
(info, warning, etc.).
+ Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+
+ <b><a href="postconf.5.html#tls_config_file">tls_config_file</a> (default)</b>
+ Optional configuration file with baseline OpenSSL settings.
+
+ <b><a href="postconf.5.html#tls_config_name">tls_config_name</a> (empty)</b>
+ The application name passed by Postfix to OpenSSL library ini-
+ tialization functions.
+
<b>OBSOLETE STARTTLS CONTROLS</b>
The following configuration parameters exist for compatibility with
Postfix versions before 2.3. Support for these will be removed in a
@@ -954,6 +963,12 @@
<b><a href="postconf.5.html#header_from_format">header_from_format</a> (standard)</b>
The format of the Postfix-generated <b>From:</b> header.
+ Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+
+ <b><a href="postconf.5.html#smtpd_forbid_unauth_pipelining">smtpd_forbid_unauth_pipelining</a> (Postfix</b> ><b>= 3.9: yes)</b>
+ Disconnect remote SMTP clients that violate <a href="https://tools.ietf.org/html/rfc2920";>RFC 2920</a> (or 5321)
+ command pipelining constraints.
+
<b>TARPIT CONTROLS</b>
When a remote SMTP client makes errors, the Postfix SMTP server can
insert delays before responding. This can help to slow down run-away
diff -Nru postfix-3.7.5/html/tlsproxy.8.html postfix-3.7.6/html/tlsproxy.8.html
--- postfix-3.7.5/html/tlsproxy.8.html 2022-02-05 09:58:53.000000000 -0500
+++ postfix-3.7.6/html/tlsproxy.8.html 2023-06-04 18:36:17.000000000 -0400
@@ -150,6 +150,15 @@
A workaround for implementations that hang Postfix while shut-
ting down a TLS session, until Postfix times out.
+ Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+
+ <b><a href="postconf.5.html#tls_config_file">tls_config_file</a> (default)</b>
+ Optional configuration file with baseline OpenSSL settings.
+
+ <b><a href="postconf.5.html#tls_config_name">tls_config_name</a> (empty)</b>
+ The application name passed by Postfix to OpenSSL library ini-
+ tialization functions.
+
<b>STARTTLS SERVER CONTROLS</b>
These settings are clones of Postfix SMTP server settings. They allow
<a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> to load the same certificate and private key information as
diff -Nru postfix-3.7.5/man/man5/postconf.5 postfix-3.7.6/man/man5/postconf.5
--- postfix-3.7.5/man/man5/postconf.5 2022-01-21 16:39:35.000000000 -0500
+++ postfix-3.7.6/man/man5/postconf.5 2023-06-05 16:57:05.000000000 -0400
@@ -10677,6 +10677,16 @@
parameter $name expansion.
.PP
This feature is available in Postfix 2.0 and later.
+.SH smtpd_forbid_unauth_pipelining (default: Postfix >= 3.9: yes)
+Disconnect remote SMTP clients that violate RFC 2920 (or 5321)
+command pipelining constraints. The server replies with "554 5.5.0
+Error: SMTP protocol synchronization" and logs the unexpected remote
+SMTP client input. Specify "smtpd_forbid_unauth_pipelining = yes"
+to enable. This feature is enabled by default with Postfix >=
+3.9.
+.PP
+This feature is available in Postfix >= 3.9, 3.8.1, 3.7.6,
+3.6.10, and 3.5.20.
.SH smtpd_forbidden_commands (default: CONNECT GET POST regexp:{{/^[^A\-Z]/ Bogus}})
List of commands that cause the Postfix SMTP server to immediately
terminate the session with a 221 code. This can be used to disconnect
@@ -13495,6 +13505,104 @@
2.7.2 and later versions. Specify "tls_append_default_CA = yes" for
backwards compatibility, to avoid breaking certificate verification
with sites that don't use permit_tls_all_clientcerts.
+.SH tls_config_file (default: default)
+Optional configuration file with baseline OpenSSL settings.
+OpenSSL loads any SSL settings found in the configuration file for
+the selected application name (see tls_config_name) or else the
+built\-in application name "openssl_conf" when no application name is
+specified, or no corresponding configuration section is present.
+.PP
+With OpenSSL releases 1.1.1 and 1.1.1a, applications (including
+Postfix) can neither specify an alternative configuration file, nor
+avoid loading the default configuration file.
+.PP
+With OpenSSL 1.1.1b or later, this parameter may be set to one of:
+.IP "\fBdefault\fR (default)"
+Load the system\-wide
+"openssl.cnf" configuration file.
+.br
+.IP "\fBnone\fR (recommended, OpenSSL 1.1.1b or later only)"
+This setting disables loading of the system\-wide "openssl.cnf"
+file.
+.br
+.IP "\fB\fI/absolute\-path\fR\fR (OpenSSL 1.1.1b or later only)"
+Load the configuration file specified by \fI/absolute\-path\fR.
+With this setting it is an error for the file to not contain any
+settings for the selected tls_config_name. There is no fallback to
+the default "openssl_conf" name.
+.br
+.br
+.PP
+Failures in processing of the built\-in default configuration file,
+are silently ignored. Any errors in loading a non\-default configuration
+file are detected by Postfix, and cause TLS support to be disabled.
+.PP
+The OpenSSL configuration file format is not documented here,
+beyond giving two examples.
+.PP
+Example: Default settings for all applications.
+.sp
+.in +4
+.nf
+.na
+.ft C
+# The name 'openssl_conf' is the default application name
+# The section name to the right of the '=' sign is arbitrary,
+# any name will do, so long as it refers to the desired section.
+#
+# The name 'system_default' selects the settings applied internally
+# by the SSL library as part of SSL object creation. Applications
+# can then apply any additional settings of their choice.
+#
+# In this example, TLS versions prior to 1.2 are disabled by default.
+#
+openssl_conf = system_wide_settings
+[system_wide_settings]
+ssl_conf = ssl_library_settings
+[ssl_library_settings]
+system_default = initial_ssl_settings
+[initial_ssl_settings]
+MinProtocol = TLSv1.2
+.fi
+.ad
+.ft R
+.in -4
+.PP
+Example: Custom settings for an application named "postfix".
+.sp
+.in +4
+.nf
+.na
+.ft C
+# The mapping from an application name to the corresponding configuration
+# section must appear near the top of the file, (in what is sometimes called
+# the "default section") prior to the start of any explicitly named
+# "[sections]". The named sections can appear in any order and don't nest.
+#
+postfix = postfix_settings
+[postfix_settings]
+ssl_conf = postfix_ssl_settings
+[postfix_ssl_settings]
+system_default = baseline_postfix_settings
+[baseline_postfix_settings]
+MinProtocol = TLSv1
+.fi
+.ad
+.ft R
+.in -4
+.PP
+This feature is available in Postfix >= 3.9, 3.8.1, 3.7.6,
+3.6.10, and 3.5.20.
+.SH tls_config_name (default: empty)
+The application name passed by Postfix to OpenSSL library
+initialization functions. This name is used to select the desired
+configuration "section" in the OpenSSL configuration file specified
+via the tls_config_file parameter. When empty, or when the
+selected name is not present in the configuration file, the default
+application name ("openssl_conf") is used as a fallback.
+.PP
+This feature is available in Postfix >= 3.9, 3.8.1, 3.7.6,
+3.6.10, and 3.5.20.
.SH tls_daemon_random_bytes (default: 32)
The number of pseudo\-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8)
process requests from the \fBtlsmgr\fR(8) server in order to seed its
diff -Nru postfix-3.7.5/man/man8/smtp.8 postfix-3.7.6/man/man8/smtp.8
--- postfix-3.7.5/man/man8/smtp.8 2021-10-27 19:38:48.000000000 -0400
+++ postfix-3.7.6/man/man8/smtp.8 2023-06-05 09:12:12.000000000 -0400
@@ -617,6 +617,13 @@
.IP "\fBtls_fast_shutdown_enable (yes)\fR"
A workaround for implementations that hang Postfix while shutting
down a TLS session, until Postfix times out.
+.PP
+Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+.IP "\fBtls_config_file (default)\fR"
+Optional configuration file with baseline OpenSSL settings.
+.IP "\fBtls_config_name (empty)\fR"
+The application name passed by Postfix to OpenSSL library
+initialization functions.
.SH "OBSOLETE STARTTLS CONTROLS"
.na
.nf
diff -Nru postfix-3.7.5/man/man8/smtpd.8 postfix-3.7.6/man/man8/smtpd.8
--- postfix-3.7.5/man/man8/smtpd.8 2021-10-02 11:40:28.000000000 -0400
+++ postfix-3.7.6/man/man8/smtpd.8 2023-06-05 16:07:31.000000000 -0400
@@ -559,6 +559,13 @@
.IP "\fBinfo_log_address_format (external)\fR"
The email address form that will be used in non\-debug logging
(info, warning, etc.).
+.PP
+Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+.IP "\fBtls_config_file (default)\fR"
+Optional configuration file with baseline OpenSSL settings.
+.IP "\fBtls_config_name (empty)\fR"
+The application name passed by Postfix to OpenSSL library
+initialization functions.
.SH "OBSOLETE STARTTLS CONTROLS"
.na
.nf
@@ -836,6 +843,11 @@
smtpd_per_request_deadline.
.IP "\fBheader_from_format (standard)\fR"
The format of the Postfix\-generated \fBFrom:\fR header.
+.PP
+Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+.IP "\fBsmtpd_forbid_unauth_pipelining (Postfix >= 3.9: yes)\fR"
+Disconnect remote SMTP clients that violate RFC 2920 (or 5321)
+command pipelining constraints.
.SH "TARPIT CONTROLS"
.na
.nf
diff -Nru postfix-3.7.5/man/man8/tlsproxy.8 postfix-3.7.6/man/man8/tlsproxy.8
--- postfix-3.7.5/man/man8/tlsproxy.8 2022-02-05 09:58:52.000000000 -0500
+++ postfix-3.7.6/man/man8/tlsproxy.8 2023-06-04 18:04:04.000000000 -0400
@@ -150,6 +150,13 @@
.IP "\fBtls_fast_shutdown_enable (yes)\fR"
A workaround for implementations that hang Postfix while shutting
down a TLS session, until Postfix times out.
+.PP
+Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+.IP "\fBtls_config_file (default)\fR"
+Optional configuration file with baseline OpenSSL settings.
+.IP "\fBtls_config_name (empty)\fR"
+The application name passed by Postfix to OpenSSL library
+initialization functions.
.SH "STARTTLS SERVER CONTROLS"
.na
.nf
diff -Nru postfix-3.7.5/mantools/postlink postfix-3.7.6/mantools/postlink
--- postfix-3.7.5/mantools/postlink 2022-01-21 16:21:09.000000000 -0500
+++ postfix-3.7.6/mantools/postlink 2023-06-05 15:59:49.000000000 -0400
@@ -555,6 +555,7 @@
s;\bsmtpd_etrn_restrictions\b;<a href="postconf.5.html#smtpd_etrn_restrictions">$&</a>;g;
s;\bsmtpd_expansion_filter\b;<a href="postconf.5.html#smtpd_expansion_filter">$&</a>;g;
s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bidden_commands\b;<a href="postconf.5.html#smtpd_forbidden_commands">$&</a>;g;
+ s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bid_unauth_pipelining\b;<a href="postconf.5.html#smtpd_forbid_unauth_pipelining">$&</a>;g;
s;\bsmtpd_hard_error_limit\b;<a href="postconf.5.html#smtpd_hard_error_limit">$&</a>;g;
s;\bsmtpd_helo_required\b;<a href="postconf.5.html#smtpd_helo_required">$&</a>;g;
s;\bsmtpd_helo_restrictions\b;<a href="postconf.5.html#smtpd_helo_restrictions">$&</a>;g;
@@ -779,6 +780,8 @@
s;\btls_session_ticket_cipher\b;<a href="postconf.5.html#tls_session_ticket_cipher">$&</a>;g;
s;\btls_server_sni_maps\b;<a href="postconf.5.html#tls_server_sni_maps">$&</a>;g;
s;\btls_ssl_options\b;<a href="postconf.5.html#tls_ssl_options">$&</a>;g;
+ s;\btls_config_name\b;<a href="postconf.5.html#tls_config_name">$&</a>;g;
+ s;\btls_config_file\b;<a href="postconf.5.html#tls_config_file">$&</a>;g;
s;\btls_dane_digest_agility\b;<a href="postconf.5.html#tls_dane_digest_agility">$&</a>;g;
s;\btls_dane_trust_anchor_digest_enable\b;<a href="postconf.5.html#tls_dane_trust_anchor_digest_enable">$&</a>;g;
s;\btls_fast_shutdown_enable\b;<a href="postconf.5.html#tls_fast_shutdown_enable">$&</a>;g;
diff -Nru postfix-3.7.5/proto/postconf.proto postfix-3.7.6/proto/postconf.proto
--- postfix-3.7.5/proto/postconf.proto 2022-01-21 16:12:15.000000000 -0500
+++ postfix-3.7.6/proto/postconf.proto 2023-06-05 15:59:49.000000000 -0400
@@ -18434,3 +18434,114 @@
configuration parameter. See there for details. </p>
<p> This feature is available in Postfix 3.7 and later. </p>
+
+%PARAM tls_config_name
+
+<p> The application name passed by Postfix to OpenSSL library
+initialization functions. This name is used to select the desired
+configuration "section" in the OpenSSL configuration file specified
+via the tls_config_file parameter. When empty, or when the
+selected name is not present in the configuration file, the default
+application name ("openssl_conf") is used as a fallback. </p>
+
+<p> This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6,
+3.6.10, and 3.5.20. </p>
+
+%PARAM tls_config_file default
+
+<p> Optional configuration file with baseline OpenSSL settings.
+OpenSSL loads any SSL settings found in the configuration file for
+the selected application name (see tls_config_name) or else the
+built-in application name "openssl_conf" when no application name is
+specified, or no corresponding configuration section is present.
+</p>
+
+<p> With OpenSSL releases 1.1.1 and 1.1.1a, applications (including
+Postfix) can neither specify an alternative configuration file, nor
+avoid loading the default configuration file. </p>
+
+<p> With OpenSSL 1.1.1b or later, this parameter may be set to one of:
+</p>
+
+<dl>
+
+<dt> <b>default</b> (default) </dt> <dd> Load the system-wide
+"openssl.cnf" configuration file. </dd>
+
+<dt> <b>none</b> (recommended, OpenSSL 1.1.1b or later only) </dt>
+<dd> This setting disables loading of the system-wide "openssl.cnf"
+file. </dd>
+
+<dt> <b><i>/absolute-path</i></b> (OpenSSL 1.1.1b or later only) </dt>
+<dd> Load the configuration file specified by <i>/absolute-path</i>.
+With this setting it is an error for the file to not contain any
+settings for the selected tls_config_name. There is no fallback to
+the default "openssl_conf" name. </dd>
+
+</dl>
+
+<p> Failures in processing of the built-in default configuration file,
+are silently ignored. Any errors in loading a non-default configuration
+file are detected by Postfix, and cause TLS support to be disabled.
+</p>
+
+<p> The OpenSSL configuration file format is not documented here,
+beyond giving two examples. <p>
+
+<p> Example: Default settings for all applications. </p>
+
+<blockquote>
+<pre>
+# The name 'openssl_conf' is the default application name
+# The section name to the right of the '=' sign is arbitrary,
+# any name will do, so long as it refers to the desired section.
+#
+# The name 'system_default' selects the settings applied internally
+# by the SSL library as part of SSL object creation. Applications
+# can then apply any additional settings of their choice.
+#
+# In this example, TLS versions prior to 1.2 are disabled by default.
+#
+openssl_conf = system_wide_settings
+[system_wide_settings]
+ssl_conf = ssl_library_settings
+[ssl_library_settings]
+system_default = initial_ssl_settings
+[initial_ssl_settings]
+MinProtocol = TLSv1.2
+</pre>
+</blockquote>
+
+<p> Example: Custom settings for an application named "postfix". </p>
+
+<blockquote>
+<pre>
+# The mapping from an application name to the corresponding configuration
+# section must appear near the top of the file, (in what is sometimes called
+# the "default section") prior to the start of any explicitly named
+# "[sections]". The named sections can appear in any order and don't nest.
+#
+postfix = postfix_settings
+[postfix_settings]
+ssl_conf = postfix_ssl_settings
+[postfix_ssl_settings]
+system_default = baseline_postfix_settings
+[baseline_postfix_settings]
+MinProtocol = TLSv1
+</pre>
+</blockquote>
+
+<p> This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6,
+3.6.10, and 3.5.20. </p>
+
+%PARAM smtpd_forbid_unauth_pipelining Postfix ≥ 3.9: yes
+
+<p> Disconnect remote SMTP clients that violate RFC 2920 (or 5321)
+command pipelining constraints. The server replies with "554 5.5.0
+Error: SMTP protocol synchronization" and logs the unexpected remote
+SMTP client input. Specify "smtpd_forbid_unauth_pipelining = yes"
+to enable. This feature is enabled by default with Postfix ≥
+3.9. </p>
+
+<p> This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6,
+3.6.10, and 3.5.20. </p>
diff -Nru postfix-3.7.5/README_FILES/RELEASE_NOTES postfix-3.7.6/README_FILES/RELEASE_NOTES
--- postfix-3.7.5/README_FILES/RELEASE_NOTES 2022-10-07 18:42:46.000000000 -0400
+++ postfix-3.7.6/README_FILES/RELEASE_NOTES 2023-06-05 17:38:31.000000000 -0400
@@ -25,6 +25,23 @@
the software under the license of their choice. Those who are more
comfortable with the IPL can continue with that license.
+Major changes with Postfix 3.7.6
+================================
+
+Security: the Postfix SMTP server optionally disconnects remote
+SMTP clients that violate RFC 2920 (or 5321) command pipelining
+constraints. The server replies with "554 5.5.0 Error: SMTP protocol
+synchronization" and logs the unexpected remote SMTP client input.
+Specify "smtpd_forbid_unauth_pipelining = yes" to enable. This
+feature is enabled by default in Postfix 3.9 and later.
+
+Workaround to limit collateral damage from OS distributions that
+crank up security to 11, increasing the number of plaintext email
+deliveries. This introduces basic OpenSSL configuration file support,
+with two new parameters "tls_config_file" and "tls_config_name".
+Details are in the postconf(5) manpage under "tls_config_file" and
+"tls_config_name".
+
Bugfix for messages not delivered after "warning: Unexpected record type 'X'
============================================================================
diff -Nru postfix-3.7.5/RELEASE_NOTES postfix-3.7.6/RELEASE_NOTES
--- postfix-3.7.5/RELEASE_NOTES 2022-10-07 18:42:46.000000000 -0400
+++ postfix-3.7.6/RELEASE_NOTES 2023-06-05 17:38:31.000000000 -0400
@@ -25,6 +25,23 @@
the software under the license of their choice. Those who are more
comfortable with the IPL can continue with that license.
+Major changes with Postfix 3.7.6
+================================
+
+Security: the Postfix SMTP server optionally disconnects remote
+SMTP clients that violate RFC 2920 (or 5321) command pipelining
+constraints. The server replies with "554 5.5.0 Error: SMTP protocol
+synchronization" and logs the unexpected remote SMTP client input.
+Specify "smtpd_forbid_unauth_pipelining = yes" to enable. This
+feature is enabled by default in Postfix 3.9 and later.
+
+Workaround to limit collateral damage from OS distributions that
+crank up security to 11, increasing the number of plaintext email
+deliveries. This introduces basic OpenSSL configuration file support,
+with two new parameters "tls_config_file" and "tls_config_name".
+Details are in the postconf(5) manpage under "tls_config_file" and
+"tls_config_name".
+
Bugfix for messages not delivered after "warning: Unexpected record type 'X'
============================================================================
diff -Nru postfix-3.7.5/src/global/mail_params.h postfix-3.7.6/src/global/mail_params.h
--- postfix-3.7.5/src/global/mail_params.h 2022-04-08 18:10:07.000000000 -0400
+++ postfix-3.7.6/src/global/mail_params.h 2023-06-05 17:44:12.000000000 -0400
@@ -2436,6 +2436,10 @@
#define DEF_SMTPD_PEERNAME_LOOKUP 1
extern bool var_smtpd_peername_lookup;
+#define VAR_SMTPD_FORBID_UNAUTH_PIPE "smtpd_forbid_unauth_pipelining"
+#define DEF_SMTPD_FORBID_UNAUTH_PIPE 0
+extern bool var_smtpd_forbid_unauth_pipe;
+
/*
* Heuristic to reject unknown local recipients at the SMTP port.
*/
@@ -3320,8 +3324,17 @@
extern bool var_smtp_cname_overr;
/*
- * TLS cipherlists
+ * TLS library settings
*/
+#define VAR_TLS_CNF_FILE "tls_config_file"
+#define DEF_TLS_CNF_FILE "default"
+extern char *var_tls_cnf_file;
+
+#define VAR_TLS_CNF_NAME "tls_config_name"
+#define DEF_TLS_CNF_NAME ""
+extern char *var_tls_cnf_name;
+
+
#define VAR_TLS_HIGH_CLIST "tls_high_cipherlist"
#define DEF_TLS_HIGH_CLIST "aNULL:-aNULL:HIGH:@STRENGTH"
extern char *var_tls_high_clist;
diff -Nru postfix-3.7.5/src/global/mail_version.h postfix-3.7.6/src/global/mail_version.h
--- postfix-3.7.5/src/global/mail_version.h 2023-04-17 18:42:51.000000000 -0400
+++ postfix-3.7.6/src/global/mail_version.h 2023-06-05 16:08:38.000000000 -0400
@@ -20,8 +20,8 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20230418"
-#define MAIL_VERSION_NUMBER "3.7.5"
+#define MAIL_RELEASE_DATE "20230605"
+#define MAIL_VERSION_NUMBER "3.7.6"
#ifdef SNAPSHOT
#define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
diff -Nru postfix-3.7.5/src/postconf/postconf_edit.c postfix-3.7.6/src/postconf/postconf_edit.c
--- postfix-3.7.5/src/postconf/postconf_edit.c 2014-12-06 20:35:33.000000000 -0500
+++ postfix-3.7.6/src/postconf/postconf_edit.c 2023-05-17 14:30:17.000000000 -0400
@@ -192,6 +192,11 @@
} else {
msg_panic("pcf_edit_main: unknown mode %d", mode);
}
+ if ((cvalue = htable_find(table, pattern)) != 0) {
+ msg_warn("ignoring earlier request: '%s = %s'",
+ pattern, cvalue->value);
+ htable_delete(table, pattern, myfree);
+ }
cvalue = (struct cvalue *) mymalloc(sizeof(*cvalue));
cvalue->value = edit_value;
cvalue->found = 0;
@@ -459,8 +464,38 @@
/*
* Match each service pattern.
+ *
+ * Additional care is needed when a request adds or replaces an
+ * entire service definition, instead of a specific field or
+ * parameter. Given a command "postconf -M name1/type1='name2
+ * type2 ...'", where name1 and name2 may differ, and likewise
+ * for type1 and type2:
+ *
+ * - First, if an existing service definition a) matches the service
+ * pattern 'name1/type1', or b) matches the name and type in the
+ * new service definition 'name2 type2 ...', remove the service
+ * definition.
+ *
+ * - Then, after an a) or b) type match, add a new service
+ * definition for 'name2 type2 ...', but only after the first
+ * match.
+ *
+ * - Finally, if a request had no a) or b) type match for any
+ * master.cf service definition, add a new service definition for
+ * 'name2 type2 ...'.
*/
for (req = edit_reqs; req < edit_reqs + num_reqs; req++) {
+ PCF_MASTER_ENT *tentative_entry = 0;
+ int use_tentative_entry = 0;
+
+ /* Additional care for whole service definition requests. */
+ if ((mode & PCF_MASTER_ENTRY) && (mode & PCF_EDIT_CONF)) {
+ tentative_entry = (PCF_MASTER_ENT *)
+ mymalloc(sizeof(*tentative_entry));
+ if ((err = pcf_parse_master_entry(tentative_entry,
+ req->edit_value)) != 0)
+ msg_fatal("%s: \"%s\"", err, req->raw_text);
+ }
if (PCF_MATCH_SERVICE_PATTERN(req->service_pattern,
service_name,
service_type)) {
@@ -506,18 +541,30 @@
* Replace entire master.cf entry.
*/
case PCF_MASTER_ENTRY:
- if (new_entry != 0)
- pcf_free_master_entry(new_entry);
- new_entry = (PCF_MASTER_ENT *)
- mymalloc(sizeof(*new_entry));
- if ((err = pcf_parse_master_entry(new_entry,
- req->edit_value)) != 0)
- msg_fatal("%s: \"%s\"", err, req->raw_text);
+ if (req->match_count == 1)
+ use_tentative_entry = 1;
break;
default:
msg_panic("%s: unknown edit mode %d", myname, mode);
}
}
+ } else if (tentative_entry != 0
+ && PCF_MATCH_SERVICE_PATTERN(tentative_entry->argv,
+ service_name,
+ service_type)) {
+ service_name_type_matched = 1; /* Sticky flag */
+ req->match_count += 1;
+ if (req->match_count == 1)
+ use_tentative_entry = 1;
+ }
+ if (tentative_entry != 0) {
+ if (use_tentative_entry) {
+ if (new_entry != 0)
+ pcf_free_master_entry(new_entry);
+ new_entry = tentative_entry;
+ } else {
+ pcf_free_master_entry(tentative_entry);
+ }
}
}
diff -Nru postfix-3.7.5/src/postconf/postconf_master.c postfix-3.7.6/src/postconf/postconf_master.c
--- postfix-3.7.5/src/postconf/postconf_master.c 2021-12-19 10:04:41.000000000 -0500
+++ postfix-3.7.6/src/postconf/postconf_master.c 2023-05-17 14:30:17.000000000 -0400
@@ -156,6 +156,7 @@
#include <readlline.h>
#include <stringops.h>
#include <split_at.h>
+#include <dict_ht.h>
/* Global library. */
@@ -395,12 +396,12 @@
concatenate("ro", PCF_NAMESP_SEP_STR, masterp->name_space, (char *) 0);
masterp->argv = argv;
masterp->valid_names = 0;
+ masterp->ro_params = dict_ht_open(ro_name_space, O_CREAT | O_RDWR, 0);
process_name = basename(argv->argv[PCF_MASTER_FLD_CMD]);
- dict_update(ro_name_space, VAR_PROCNAME, process_name);
- dict_update(ro_name_space, VAR_SERVNAME,
- strcmp(process_name, argv->argv[0]) != 0 ?
- argv->argv[0] : process_name);
- masterp->ro_params = dict_handle(ro_name_space);
+ dict_put(masterp->ro_params, VAR_PROCNAME, process_name);
+ dict_put(masterp->ro_params, VAR_SERVNAME,
+ strcmp(process_name, argv->argv[0]) != 0 ?
+ argv->argv[0] : process_name);
myfree(ro_name_space);
masterp->all_params = 0;
return (0);
diff -Nru postfix-3.7.5/src/smtp/smtp.c postfix-3.7.6/src/smtp/smtp.c
--- postfix-3.7.5/src/smtp/smtp.c 2021-10-27 19:38:44.000000000 -0400
+++ postfix-3.7.6/src/smtp/smtp.c 2021-10-27 19:38:44.000000000 -0400
@@ -583,6 +583,13 @@
/* .IP "\fBtls_fast_shutdown_enable (yes)\fR"
/* A workaround for implementations that hang Postfix while shutting
/* down a TLS session, until Postfix times out.
+/* .PP
+/* Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+/* .IP "\fBtls_config_file (default)\fR"
+/* Optional configuration file with baseline OpenSSL settings.
+/* .IP "\fBtls_config_name (empty)\fR"
+/* The application name passed by Postfix to OpenSSL library
+/* initialization functions.
/* OBSOLETE STARTTLS CONTROLS
/* .ad
/* .fi
diff -Nru postfix-3.7.5/src/smtpd/smtpd.c postfix-3.7.6/src/smtpd/smtpd.c
--- postfix-3.7.5/src/smtpd/smtpd.c 2021-10-02 10:46:46.000000000 -0400
+++ postfix-3.7.6/src/smtpd/smtpd.c 2023-06-05 16:01:02.000000000 -0400
@@ -525,6 +525,13 @@
/* .IP "\fBinfo_log_address_format (external)\fR"
/* The email address form that will be used in non-debug logging
/* (info, warning, etc.).
+/* .PP
+/* Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+/* .IP "\fBtls_config_file (default)\fR"
+/* Optional configuration file with baseline OpenSSL settings.
+/* .IP "\fBtls_config_name (empty)\fR"
+/* The application name passed by Postfix to OpenSSL library
+/* initialization functions.
/* OBSOLETE STARTTLS CONTROLS
/* .ad
/* .fi
@@ -790,6 +797,11 @@
/* smtpd_per_request_deadline.
/* .IP "\fBheader_from_format (standard)\fR"
/* The format of the Postfix-generated \fBFrom:\fR header.
+/* .PP
+/* Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+/* .IP "\fBsmtpd_forbid_unauth_pipelining (Postfix >= 3.9: yes)\fR"
+/* Disconnect remote SMTP clients that violate RFC 2920 (or 5321)
+/* command pipelining constraints.
/* TARPIT CONTROLS
/* .ad
/* .fi
@@ -1476,6 +1488,7 @@
char *var_milt_unk_macros;
char *var_milt_macro_deflts;
bool var_smtpd_client_port_log;
+bool var_smtpd_forbid_unauth_pipe;
char *var_stress;
char *var_reject_tmpf_act;
@@ -5425,6 +5438,32 @@
static STRING_LIST *smtpd_noop_cmds;
static STRING_LIST *smtpd_forbid_cmds;
+/* smtpd_flag_ill_pipelining - flag pipelining protocol violation */
+
+static int smtpd_flag_ill_pipelining(SMTPD_STATE *state)
+{
+
+ /*
+ * This code will not return after I/O error, timeout, or EOF. VSTREAM
+ * exceptions must be enabled in advance with smtp_stream_setup().
+ */
+ if (vstream_peek(state->client) == 0
+ && peekfd(vstream_fileno(state->client)) > 0)
+ (void) vstream_ungetc(state->client, smtp_fgetc(state->client));
+ if (vstream_peek(state->client) > 0) {
+ if (state->expand_buf == 0)
+ state->expand_buf = vstring_alloc(100);
+ escape(state->expand_buf, vstream_peek_data(state->client),
+ vstream_peek(state->client) < 100 ?
+ vstream_peek(state->client) : 100);
+ msg_info("improper command pipelining after %s from %s: %s",
+ state->where, state->namaddr, STR(state->expand_buf));
+ state->flags |= SMTPD_FLAG_ILL_PIPELINING;
+ return (1);
+ }
+ return (0);
+}
+
/* smtpd_proto - talk the SMTP protocol */
static void smtpd_proto(SMTPD_STATE *state)
@@ -5567,6 +5606,21 @@
#endif
/*
+ * If the client spoke before the server sends the initial greeting,
+ * raise a flag and log the content of the protocol violation. This
+ * check MUST NOT apply to TLS wrappermode connections.
+ */
+ if (SMTPD_STAND_ALONE(state) == 0
+ && vstream_context(state->client) == 0 /* not postscreen */
+ && (state->flags & SMTPD_FLAG_ILL_PIPELINING) == 0
+ && smtpd_flag_ill_pipelining(state)
+ && var_smtpd_forbid_unauth_pipe) {
+ smtpd_chat_reply(state,
+ "554 5.5.0 Error: SMTP protocol synchronization");
+ break;
+ }
+
+ /*
* XXX The client connection count/rate control must be consistent in
* its use of client address information in connect and disconnect
* events. For now we exclude xclient authorized hosts from
@@ -5801,16 +5855,11 @@
&& (strcasecmp(state->protocol, MAIL_PROTO_ESMTP) != 0
|| (cmdp->flags & SMTPD_CMD_FLAG_LAST))
&& (state->flags & SMTPD_FLAG_ILL_PIPELINING) == 0
- && (vstream_peek(state->client) > 0
- || peekfd(vstream_fileno(state->client)) > 0)) {
- if (state->expand_buf == 0)
- state->expand_buf = vstring_alloc(100);
- escape(state->expand_buf, vstream_peek_data(state->client),
- vstream_peek(state->client) < 100 ?
- vstream_peek(state->client) : 100);
- msg_info("improper command pipelining after %s from %s: %s",
- cmdp->name, state->namaddr, STR(state->expand_buf));
- state->flags |= SMTPD_FLAG_ILL_PIPELINING;
+ && smtpd_flag_ill_pipelining(state)
+ && var_smtpd_forbid_unauth_pipe) {
+ smtpd_chat_reply(state,
+ "554 5.5.0 Error: SMTP protocol synchronization");
+ break;
}
if (cmdp->action(state, argc, argv) != 0)
state->error_count++;
@@ -6479,6 +6528,7 @@
VAR_SMTPD_PEERNAME_LOOKUP, DEF_SMTPD_PEERNAME_LOOKUP, &var_smtpd_peername_lookup,
VAR_SMTPD_DELAY_OPEN, DEF_SMTPD_DELAY_OPEN, &var_smtpd_delay_open,
VAR_SMTPD_CLIENT_PORT_LOG, DEF_SMTPD_CLIENT_PORT_LOG, &var_smtpd_client_port_log,
+ VAR_SMTPD_FORBID_UNAUTH_PIPE, DEF_SMTPD_FORBID_UNAUTH_PIPE, &var_smtpd_forbid_unauth_pipe,
0,
};
static const CONFIG_NBOOL_TABLE nbool_table[] = {
diff -Nru postfix-3.7.5/src/tls/tls_client.c postfix-3.7.6/src/tls/tls_client.c
--- postfix-3.7.5/src/tls/tls_client.c 2023-01-21 16:00:03.000000000 -0500
+++ postfix-3.7.6/src/tls/tls_client.c 2023-06-04 17:46:40.000000000 -0400
@@ -641,6 +641,13 @@
tls_check_version();
/*
+ * Initialize the OpenSSL library, possibly loading its configuration
+ * file.
+ */
+ if (tls_library_init() == 0)
+ return (0);
+
+ /*
* Create an application data index for SSL objects, so that we can
* attach TLScontext information; this information is needed inside
* tls_verify_certificate_callback().
diff -Nru postfix-3.7.5/src/tls/tls.h postfix-3.7.6/src/tls/tls.h
--- postfix-3.7.5/src/tls/tls.h 2023-01-21 16:00:03.000000000 -0500
+++ postfix-3.7.6/src/tls/tls.h 2023-06-04 17:46:40.000000000 -0400
@@ -77,6 +77,7 @@
#include <openssl/evp.h> /* New OpenSSL 3.0 EVP_PKEY APIs */
#include <openssl/opensslv.h> /* OPENSSL_VERSION_NUMBER */
#include <openssl/ssl.h>
+#include <openssl/conf.h>
/* Appease indent(1) */
#define x509_stack_t STACK_OF(X509)
@@ -322,6 +323,7 @@
* tls_misc.c
*/
extern void tls_param_init(void);
+extern int tls_library_init(void);
/*
* Protocol selection.
diff -Nru postfix-3.7.5/src/tls/tls_misc.c postfix-3.7.6/src/tls/tls_misc.c
--- postfix-3.7.5/src/tls/tls_misc.c 2023-01-15 18:16:48.000000000 -0500
+++ postfix-3.7.6/src/tls/tls_misc.c 2023-06-04 17:51:13.000000000 -0400
@@ -29,6 +29,8 @@
/* #define TLS_INTERNAL
/* #include <tls.h>
/*
+/* char *var_tls_cnf_file;
+/* char *var_tls_cnf_name;
/* char *var_tls_high_clist;
/* char *var_tls_medium_clist;
/* char *var_tls_low_clist;
@@ -69,6 +71,8 @@
/*
/* void tls_param_init()
/*
+/* int tls_library_init(void)
+/*
/* int tls_proto_mask_lims(plist, floor, ceiling)
/* const char *plist;
/* int *floor;
@@ -157,6 +161,9 @@
/* tls_param_init() loads main.cf parameters used internally in
/* TLS library. Any errors are fatal.
/*
+/* tls_library_init() initializes the OpenSSL library, optionally
+/* loading an OpenSSL configuration file.
+/*
/* tls_pre_jail_init() opens any tables that need to be opened before
/* entering a chroot jail. The "role" parameter must be TLS_ROLE_CLIENT
/* for clients and TLS_ROLE_SERVER for servers. Any errors are fatal.
@@ -276,6 +283,8 @@
/*
* Tunable parameters.
*/
+char *var_tls_cnf_file;
+char *var_tls_cnf_name;
char *var_tls_high_clist;
char *var_tls_medium_clist;
char *var_tls_low_clist;
@@ -644,6 +653,8 @@
{
/* If this changes, update TLS_CLIENT_PARAMS in tls_proxy.h. */
static const CONFIG_STR_TABLE str_table[] = {
+ VAR_TLS_CNF_FILE, DEF_TLS_CNF_FILE, &var_tls_cnf_file, 0, 0,
+ VAR_TLS_CNF_NAME, DEF_TLS_CNF_NAME, &var_tls_cnf_name, 0, 0,
VAR_TLS_HIGH_CLIST, DEF_TLS_HIGH_CLIST, &var_tls_high_clist, 1, 0,
VAR_TLS_MEDIUM_CLIST, DEF_TLS_MEDIUM_CLIST, &var_tls_medium_clist, 1, 0,
VAR_TLS_LOW_CLIST, DEF_TLS_LOW_CLIST, &var_tls_low_clist, 1, 0,
@@ -687,6 +698,118 @@
get_mail_conf_bool_table(bool_table);
}
+/* tls_library_init - perform OpenSSL library initialization */
+
+int tls_library_init(void)
+{
+ OPENSSL_INIT_SETTINGS *init_settings;
+ char *conf_name = *var_tls_cnf_name ? var_tls_cnf_name : 0;
+ char *conf_file = 0;
+ unsigned long init_opts = 0;
+
+#define TLS_LIB_INIT_TODO (-1)
+#define TLS_LIB_INIT_ERR (0)
+#define TLS_LIB_INIT_OK (1)
+
+ static int init_res = TLS_LIB_INIT_TODO;
+
+ if (init_res != TLS_LIB_INIT_TODO)
+ return (init_res);
+
+ /*
+ * Backwards compatibility: skip this function unless the Postfix
+ * configuration actually has non-default tls_config_xxx settings.
+ */
+ if (strcmp(var_tls_cnf_file, DEF_TLS_CNF_FILE) == 0
+ && strcmp(var_tls_cnf_name, DEF_TLS_CNF_NAME) == 0) {
+ if (msg_verbose)
+ msg_info("tls_library_init: using backwards-compatible defaults");
+ return (init_res = TLS_LIB_INIT_OK);
+ }
+ if ((init_settings = OPENSSL_INIT_new()) == 0) {
+ msg_warn("error allocating OpenSSL init settings, "
+ "disabling TLS support");
+ return (init_res = TLS_LIB_INIT_ERR);
+ }
+#define TLS_LIB_INIT_RETURN(x) \
+ do { OPENSSL_INIT_free(init_settings); return (init_res = (x)); } while(0)
+
+#if OPENSSL_VERSION_NUMBER < 0x1010102fL
+
+ /*
+ * OpenSSL 1.1.0 through 1.1.1a, no support for custom configuration
+ * files, disabling loading of the file, or getting strict error
+ * handling. Thus, the only supported configuration file is "default".
+ */
+ if (strcmp(var_tls_cnf_file, "default") != 0) {
+ msg_warn("non-default %s = %s requires OpenSSL 1.1.1b or later, "
+ "disabling TLS support", VAR_TLS_CNF_FILE, var_tls_cnf_file);
+ TLS_LIB_INIT_RETURN(TLS_LIB_INIT_ERR);
+ }
+#else
+ {
+ unsigned long file_flags = 0;
+
+ /*-
+ * OpenSSL 1.1.1b or later:
+ * We can now use a non-default configuration file, or
+ * use none at all. We can also request strict error
+ * reporting.
+ */
+ if (strcmp(var_tls_cnf_file, "none") == 0) {
+ init_opts |= OPENSSL_INIT_NO_LOAD_CONFIG;
+ } else if (strcmp(var_tls_cnf_file, "default") == 0) {
+
+ /*
+ * The default global config file is optional. With "default"
+ * initialisation we don't insist on a match for the requested
+ * application name, allowing fallback to the default application
+ * name, even when a non-default application name is specified.
+ * Errors in loading the default configuration are ignored.
+ */
+ conf_file = 0;
+ file_flags |= CONF_MFLAGS_IGNORE_MISSING_FILE;
+ file_flags |= CONF_MFLAGS_DEFAULT_SECTION;
+ file_flags |= CONF_MFLAGS_IGNORE_RETURN_CODES | CONF_MFLAGS_SILENT;
+ } else if (*var_tls_cnf_file == '/') {
+
+ /*
+ * A custom config file must be present, error reporting is
+ * strict and the configuration section for the requested
+ * application name does not fall back to "openssl_conf" when
+ * missing.
+ */
+ conf_file = var_tls_cnf_file;
+ } else {
+ msg_warn("non-default %s = %s is not an absolute pathname, "
+ "disabling TLS support", VAR_TLS_CNF_FILE, var_tls_cnf_file);
+ TLS_LIB_INIT_RETURN(TLS_LIB_INIT_ERR);
+ }
+
+ OPENSSL_INIT_set_config_file_flags(init_settings, file_flags);
+ }
+#endif
+
+ if (conf_file)
+ OPENSSL_INIT_set_config_filename(init_settings, conf_file);
+ if (conf_name)
+ OPENSSL_INIT_set_config_appname(init_settings, conf_name);
+
+ if (OPENSSL_init_ssl(init_opts, init_settings) <= 0) {
+ if ((init_opts & OPENSSL_INIT_NO_LOAD_CONFIG) == 0)
+ msg_warn("error loading the '%s' settings from the %s OpenSSL "
+ "configuration file, disabling TLS support",
+ conf_name ? conf_name : "global",
+ conf_file ? conf_file : "default");
+ else
+ msg_warn("error initializing the OpenSSL library, "
+ "disabling TLS support");
+ tls_print_errors();
+ TLS_LIB_INIT_RETURN(TLS_LIB_INIT_ERR);
+ }
+ TLS_LIB_INIT_RETURN(TLS_LIB_INIT_OK);
+}
+
/* tls_pre_jail_init - Load TLS related pre-jail tables */
void tls_pre_jail_init(TLS_ROLE role)
diff -Nru postfix-3.7.5/src/tls/tls_proxy_client_misc.c postfix-3.7.6/src/tls/tls_proxy_client_misc.c
--- postfix-3.7.5/src/tls/tls_proxy_client_misc.c 2021-08-06 20:04:05.000000000 -0400
+++ postfix-3.7.6/src/tls/tls_proxy_client_misc.c 2023-06-04 17:46:40.000000000 -0400
@@ -66,6 +66,8 @@
TLS_CLIENT_PARAMS *tls_proxy_client_param_from_config(TLS_CLIENT_PARAMS *params)
{
TLS_PROXY_PARAMS(params,
+ tls_cnf_file = var_tls_cnf_file,
+ tls_cnf_name = var_tls_cnf_name,
tls_high_clist = var_tls_high_clist,
tls_medium_clist = var_tls_medium_clist,
tls_low_clist = var_tls_low_clist,
diff -Nru postfix-3.7.5/src/tls/tls_proxy_client_print.c postfix-3.7.6/src/tls/tls_proxy_client_print.c
--- postfix-3.7.5/src/tls/tls_proxy_client_print.c 2021-08-06 20:04:05.000000000 -0400
+++ postfix-3.7.6/src/tls/tls_proxy_client_print.c 2023-06-04 17:46:40.000000000 -0400
@@ -95,6 +95,8 @@
msg_info("begin tls_proxy_client_param_print");
ret = print_fn(fp, flags | ATTR_FLAG_MORE,
+ SEND_ATTR_STR(TLS_ATTR_CNF_FILE, params->tls_cnf_file),
+ SEND_ATTR_STR(TLS_ATTR_CNF_NAME, params->tls_cnf_name),
SEND_ATTR_STR(VAR_TLS_HIGH_CLIST, params->tls_high_clist),
SEND_ATTR_STR(VAR_TLS_MEDIUM_CLIST,
params->tls_medium_clist),
diff -Nru postfix-3.7.5/src/tls/tls_proxy_client_scan.c postfix-3.7.6/src/tls/tls_proxy_client_scan.c
--- postfix-3.7.5/src/tls/tls_proxy_client_scan.c 2020-07-18 20:21:31.000000000 -0400
+++ postfix-3.7.6/src/tls/tls_proxy_client_scan.c 2023-06-04 17:46:40.000000000 -0400
@@ -121,6 +121,8 @@
void tls_proxy_client_param_free(TLS_CLIENT_PARAMS *params)
{
+ myfree(params->tls_cnf_file);
+ myfree(params->tls_cnf_name);
myfree(params->tls_high_clist);
myfree(params->tls_medium_clist);
myfree(params->tls_low_clist);
@@ -145,6 +147,8 @@
TLS_CLIENT_PARAMS *params
= (TLS_CLIENT_PARAMS *) mymalloc(sizeof(*params));
int ret;
+ VSTRING *cnf_file = vstring_alloc(25);
+ VSTRING *cnf_name = vstring_alloc(25);
VSTRING *tls_high_clist = vstring_alloc(25);
VSTRING *tls_medium_clist = vstring_alloc(25);
VSTRING *tls_low_clist = vstring_alloc(25);
@@ -167,6 +171,8 @@
*/
memset(params, 0, sizeof(*params));
ret = scan_fn(fp, flags | ATTR_FLAG_MORE,
+ RECV_ATTR_STR(TLS_ATTR_CNF_FILE, cnf_file),
+ RECV_ATTR_STR(TLS_ATTR_CNF_NAME, cnf_name),
RECV_ATTR_STR(VAR_TLS_HIGH_CLIST, tls_high_clist),
RECV_ATTR_STR(VAR_TLS_MEDIUM_CLIST, tls_medium_clist),
RECV_ATTR_STR(VAR_TLS_LOW_CLIST, tls_low_clist),
@@ -192,6 +198,8 @@
¶ms->tls_multi_wildcard),
ATTR_TYPE_END);
/* Always construct a well-formed structure. */
+ params->tls_cnf_file = vstring_export(cnf_file);
+ params->tls_cnf_name = vstring_export(cnf_name);
params->tls_high_clist = vstring_export(tls_high_clist);
params->tls_medium_clist = vstring_export(tls_medium_clist);
params->tls_low_clist = vstring_export(tls_low_clist);
@@ -206,7 +214,7 @@
params->tls_mgr_service = vstring_export(tls_mgr_service);
params->tls_tkt_cipher = vstring_export(tls_tkt_cipher);
- ret = (ret == 18 ? 1 : -1);
+ ret = (ret == 20 ? 1 : -1);
if (ret != 1) {
tls_proxy_client_param_free(params);
params = 0;
diff -Nru postfix-3.7.5/src/tls/tls_proxy.h postfix-3.7.6/src/tls/tls_proxy.h
--- postfix-3.7.5/src/tls/tls_proxy.h 2021-08-06 20:04:05.000000000 -0400
+++ postfix-3.7.6/src/tls/tls_proxy.h 2023-06-04 17:46:40.000000000 -0400
@@ -44,6 +44,8 @@
* VAR_TLS_SERVER_SNI_MAPS.
*/
typedef struct TLS_CLIENT_PARAMS {
+ char *tls_cnf_file;
+ char *tls_cnf_name;
char *tls_high_clist;
char *tls_medium_clist;
char *tls_low_clist;
@@ -65,12 +67,13 @@
} TLS_CLIENT_PARAMS;
#define TLS_PROXY_PARAMS(params, a1, a2, a3, a4, a5, a6, a7, a8, \
- a9, a10, a11, a12, a13, a14, a15, a16, a17, a18) \
+ a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20) \
(((params)->a1), ((params)->a2), ((params)->a3), \
((params)->a4), ((params)->a5), ((params)->a6), ((params)->a7), \
((params)->a8), ((params)->a9), ((params)->a10), ((params)->a11), \
((params)->a12), ((params)->a13), ((params)->a14), ((params)->a15), \
- ((params)->a16), ((params)->a17), ((params)->a18))
+ ((params)->a16), ((params)->a17), ((params)->a18), ((params)->a19), \
+ ((params)->a20))
/*
* tls_proxy_client_param_misc.c, tls_proxy_client_param_print.c, and
@@ -215,6 +218,8 @@
/*
* TLS_CLIENT_INIT_PROPS attributes.
*/
+#define TLS_ATTR_CNF_FILE "config_file"
+#define TLS_ATTR_CNF_NAME "config_name"
#define TLS_ATTR_LOG_PARAM "log_param"
#define TLS_ATTR_LOG_LEVEL "log_level"
#define TLS_ATTR_VERIFYDEPTH "verifydepth"
diff -Nru postfix-3.7.5/src/tls/tls_server.c postfix-3.7.6/src/tls/tls_server.c
--- postfix-3.7.5/src/tls/tls_server.c 2023-01-27 17:01:19.000000000 -0500
+++ postfix-3.7.6/src/tls/tls_server.c 2023-06-04 17:46:40.000000000 -0400
@@ -420,6 +420,13 @@
tls_check_version();
/*
+ * Initialize the OpenSSL library, possibly loading its configuration
+ * file.
+ */
+ if (tls_library_init() == 0)
+ return (0);
+
+ /*
* First validate the protocols. If these are invalid, we can't continue.
*/
protomask = tls_proto_mask_lims(props->protocols, &min_proto, &max_proto);
diff -Nru postfix-3.7.5/src/tlsproxy/tlsproxy.c postfix-3.7.6/src/tlsproxy/tlsproxy.c
--- postfix-3.7.5/src/tlsproxy/tlsproxy.c 2022-02-05 09:56:04.000000000 -0500
+++ postfix-3.7.6/src/tlsproxy/tlsproxy.c 2023-06-04 17:46:40.000000000 -0400
@@ -134,6 +134,13 @@
/* .IP "\fBtls_fast_shutdown_enable (yes)\fR"
/* A workaround for implementations that hang Postfix while shutting
/* down a TLS session, until Postfix times out.
+/* .PP
+/* Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+/* .IP "\fBtls_config_file (default)\fR"
+/* Optional configuration file with baseline OpenSSL settings.
+/* .IP "\fBtls_config_name (empty)\fR"
+/* The application name passed by Postfix to OpenSSL library
+/* initialization functions.
/* STARTTLS SERVER CONTROLS
/* .ad
/* .fi
Reply to: