postfix.spec
_service:download_files:postfix-2.11.1.tar.gz/HISTORY
@@ -19528,3 +19528,49 @@
20140110-15
Miscellaneous documentation cleanups.
+
+20140116
+
+ Workaround: prepend "-I. -I../../include" to CCARGS, to
+ avoid name clashes with non-Postfix header files. File:
+ makedefs.
+
+20140125
+
+ Cleanup: postconf(1) manpage missing version attribution
+ and incorrect "author" formatting. File: postconf/postconf.c.
+
+20140223
+
+ Logging: the TLS client logged that an "Untrusted" TLS
+ connection was established instead of "Anonymous". Viktor
+ Dukhovni. File: tls/tls_client.c.
+
+20140227
+
+ Bugfix: Enforce TLS when TLSA records exist, but all are
+ unusable; Don't leak dane handle when all TLSA records are
+ unusable. Viktor Dukhovni. File: smtp/smtp_tls_policy.c.
+
+ Cleanup: log TLS policy lookup errors as warnings. Viktor
+ Dukhovni. File: smtp/smtp_connect.c.
+
+20140407
+
+ Documentation: the documentation for Postfix > 2.8 TLS
+ activity logging was incorrect. Loglevel 0 produces no
+ logging. Instead, information is logged only with loglevel
+ 1 or higher. Viktor Dukhovni. Files: proto/TLS_README.html,
+ proto/postconf.proto.
+
+20140507
+
+ Bugfix (introduced: Postfix 2.11): with connection caching
+ enabled (the default), recipients could be given to the
+ wrong mail server. Root cause: due to an incorrect predicate,
+ the Postfix SMTP client could save and restore plaintext
+ connections that should not be cached, under nonsensical
+ lookup keys that did not distinguish by destination. Problem
+ reported by Sahil Tandon, predicate error found by Viktor,
+ redundant connection restore request eliminated by Wietse.
+ File: smtp/smtp_connect.c.
_service:download_files:postfix-2.11.1.tar.gz/README_FILES/TLS_README
@@ -247,27 +247,25 @@
increase the log level from 0..4. Each logging level also includes the
information that is logged at a lower logging level.
- _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
- |LLeevveell|PPoossttffiixx 22..99 aanndd llaatteerr |EEaarrlliieerr rreelleeaasseess.. |
- |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
- |0 |Log only a summary message on TLS |Disable logging of TLS activity.|
- | |handshake completion -- no logging| |
- | |of client certificate trust-chain | |
- | |verification errors if client | |
- | |certificate verification is not | |
- | |required. | |
- |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
- |1 |Also log trust-chain verification |Also log TLS handshake and |
- | |errors and peer certificate |certificate information. |
- | |summary information. | |
- |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
- |2 |Also log levels during TLS negotiation. |
- |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
- |3 |Also log hexadecimal and ASCII dump of TLS negotiation process. |
- |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
- |4 |Also log hexadecimal and ASCII dump of complete transmission after |
- | |STARTTLS. |
- |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
+ |LLeevveell|PPoossttffiixx 22..99 aanndd llaatteerr |EEaarrlliieerr rreelleeaasseess.. |
+ |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ |0 |Disable logging of TLS activity. |
+ |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ |1 |Log only a summary message on TLS |Log the summary message, peer |
+ | |handshake completion -- no logging|certificate summary information|
+ | |of client certificate trust-chain |and unconditionally log trust- |
+ | |verification errors if client |chain verification errors. |
+ | |certificate verification is not | |
+ | |required. | |
+ |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ |2 |Also log levels during TLS negotiation. |
+ |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ |3 |Also log hexadecimal and ASCII dump of TLS negotiation process. |
+ |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ |4 |Also log hexadecimal and ASCII dump of complete transmission after|
+ | |STARTTLS. |
+ |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
Use log level 3 only in case of problems. Use of log level 4 is strongly
discouraged.
@@ -1321,27 +1319,25 @@
increase the loglevel from 0..4. Each logging level also includes the
information that is logged at a lower logging level.
- _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
- |LLeevveell|PPoossttffiixx 22..99 aanndd llaatteerr |EEaarrlliieerr rreelleeaasseess.. |
- |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
- |0 |Log only a summary message on TLS |Disable logging of TLS activity.|
- | |handshake completion -- no logging| |
- | |of remote SMTP server certificate | |
- | |trust-chain verification errors if| |
- | |server certificate verification is| |
- | |not required. | |
- |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
- |1 |Also log remote SMTP server trust-|Also log TLS handshake and |
- | |chain verification errors and peer|certificate information. |
- | |certificate summary information. | |
- |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
- |2 |Also log levels during TLS negotiation. |
- |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
- |3 |Also log hexadecimal and ASCII dump of TLS negotiation process. |
- |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
- |4 |Also log hexadecimal and ASCII dump of complete transmission after |
- | |STARTTLS. |
- |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
+ |LLeevveell|PPoossttffiixx 22..99 aanndd llaatteerr |EEaarrlliieerr rreelleeaasseess.. |
+ |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ |0 |Disable logging of TLS activity. |
+ |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ |1 |Log only a summary message on TLS |Log the summary message and |
+ | |handshake completion -- no logging|unconditionally log trust-chain|
+ | |of remote SMTP server certificate |verification errors. |
+ | |trust-chain verification errors if| |
+ | |server certificate verification is| |
+ | |not required. | |
+ |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ |2 |Also log levels during TLS negotiation. |
+ |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ |3 |Also log hexadecimal and ASCII dump of TLS negotiation process. |
+ |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+ |4 |Also log hexadecimal and ASCII dump of complete transmission after|
+ | |STARTTLS. |
+ |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
Example:
_service:download_files:postfix-2.11.1.tar.gz/html/TLS_README.html
@@ -384,16 +384,15 @@
<tr> <th> Level </th> <th> Postfix 2.9 and later</th> <th> Earlier
releases. </th> </tr>
-<tr> <td valign="top"> 0 </td> <td valign="top"> Log only a summary
+<tr> <td valign="top"> 0 </td> <td valign="top" colspan="2"> Disable
+logging of TLS activity. </td> </tr>
+
+<tr> <td valign="top"> 1 </td> <td valign="top"> Log only a summary
message on TLS handshake completion — no logging of client
certificate trust-chain verification errors if client certificate
-verification is not required. </td> <td valign="top"> Disable logging
-of TLS activity.</td> </tr>
-
-<tr> <td valign="top"> 1 </td> <td valign="top"> Also log trust-chain
-verification errors and peer certificate summary information. </td>
-<td valign="top"> Also log TLS handshake and certificate information.
-</td> </tr>
+verification is not required. </td> <td valign="top"> Log the summary
+message, peer certificate summary information and unconditionally log
+trust-chain verification errors. </td> </tr>
<tr> <td valign="top"> 2 </td> <td valign="top" colspan="2"> Also
log levels during TLS negotiation. </td> </tr>
@@ -1750,16 +1749,15 @@
<tr> <th> Level </th> <th> Postfix 2.9 and later</th> <th> Earlier
releases. </th> </tr>
-<tr> <td valign="top"> 0 </td> <td valign="top"> Log only a summary
-message on TLS handshake completion — no logging of remote
-SMTP server certificate trust-chain verification errors if server
-certificate verification is not required. </td> <td valign="top">
-Disable logging of TLS activity.</td> </tr>
-
-<tr> <td valign="top"> 1 </td> <td valign="top"> Also log remote
-SMTP server trust-chain verification errors and peer certificate
-summary information. </td> <td valign="top"> Also log TLS handshake
-and certificate information. </td> </tr>
+<tr> <td valign="top"> 0 </td> <td valign="top" colspan="2"> Disable
+logging of TLS activity. </td> </tr>
+
+<tr> <td valign="top"> 1 </td> <td valign="top"> Log only a summary
+message on TLS handshake completion — no logging of remote SMTP
+server certificate trust-chain verification errors if server certificate
+verification is not required. </td> <td valign="top"> Log the summary
+message and unconditionally log trust-chain verification errors.
+</td> </tr>
<tr> <td valign="top"> 2 </td> <td valign="top" colspan="2"> Also
log levels during TLS negotiation. </td> </tr>
_service:download_files:postfix-2.11.1.tar.gz/html/postconf.1.html
@@ -123,6 +123,8 @@
The default is as if "<b>-C all</b>" is specified.
+ This feature is available with Postfix 2.9 and later.
+
<b>-d</b> Print <a href="postconf.5.html"><b>main.cf</b></a> default parameter settings instead of actual set-
tings. Specify <b>-df</b> to fold long lines for human readability
(Postfix 2.9 and later).
@@ -330,6 +332,8 @@
<b>-p</b> Show <a href="postconf.5.html"><b>main.cf</b></a> parameter settings. This is the default.
+ This feature is available with Postfix 2.11 and later.
+
<b>-P</b> Show <a href="master.5.html"><b>master.cf</b></a> service parameter settings (by default all ser-
vices and all parameters). formatted as one "<i>ser-</i>
<i>vice/type/parameter=value</i>" per line. Specify <b>-Pf</b> to fold long
@@ -444,8 +448,10 @@
The Secure Mailer license must be distributed with this software.
<b>AUTHOR(S)</b>
- Wietse Venema IBM T.J. Watson Research P.O. Box 704 Yorktown
- Heights, NY 10598, USA
+ Wietse Venema
+ IBM T.J. Watson Research
+ P.O. Box 704
+ Yorktown Heights, NY 10598, USA
POSTCONF(1)
</pre> </body> </html>
_service:download_files:postfix-2.11.1.tar.gz/html/postconf.5.html
@@ -8600,7 +8600,7 @@
<pre>
# Handle both Postfix and qmail extensions (Postfix 2.11 and later).
-recipient_delimiters = +-
+<a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> = +-
</pre>
<pre>
@@ -11362,14 +11362,13 @@
<dl compact>
-<dt> </dt> <dd> 0 Log only a summary message on TLS handshake completion
+<dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>
+
+<dt> </dt> <dd> 1 Log only a summary message on TLS handshake completion
— no logging of remote SMTP server certificate trust-chain
verification errors if server certificate verification is not required.
-With Postfix 2.8 and earlier, disable logging of TLS activity. </dd>
-
-<dt> </dt> <dd> 1 Also log remote SMTP server trust-chain verification
-errors and peer certificate summary information. With Postfix 2.8
-and earlier, log TLS handshake and certificate information. </dd>
+With Postfix 2.8 and earlier, log the summary message and unconditionally
+log trust-chain verification errors. </dd>
<dt> </dt> <dd> 2 Also log levels during TLS negotiation. </dd>
@@ -15555,15 +15554,13 @@
<dl compact>
-<dt> </dt> <dd> 0 Log only a summary message on TLS handshake completion
-— no logging of remote SMTP client certificate trust-chain verification
-errors
-if client certificate verification is not required. With Postfix 2.8
-and earlier, disable logging of TLS activity. </dd>
-
-<dt> </dt> <dd> 1 Also log trust-chain verification errors and peer
-certificate name and issuer. With Postfix 2.8 and earlier, log TLS
-handshake and certificate information. </dd>
+<dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>
+
+<dt> </dt> <dd> 1 Log only a summary message on TLS handshake completion
+— no logging of client certificate trust-chain verification errors
+if client certificate verification is not required. With Postfix 2.8 and
+earlier, log the summary message, peer certificate summary information
+and unconditionally log trust-chain verification errors. </dd>
<dt> </dt> <dd> 2 Also log levels during TLS negotiation. </dd>
_service:download_files:postfix-2.11.1.tar.gz/makedefs
@@ -638,6 +638,9 @@
# needed before the code stabilizes.
#CCARGS="$CCARGS -DNONPROD"
+# Workaround: prepend Postfix include files before other include files.
+CCARGS="-I. -I../../include $CCARGS"
+
sed 's/ / /g' <<EOF
SYSTYPE = $SYSTYPE
AR = $AR
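Review bot: The comment on the added `CCARGS` line does not say what the two relative paths are relative to. `-I../../include` only reaches the Postfix include directory when the compiler runs two levels below the source root, which I assume is the per-directory build under src/. Since the ordering is the whole point of the workaround, the comment could record both facts, for example `# Paths are relative to each build subdirectory; they must stay first so Postfix headers win over same-named foreign headers.`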
_service:download_files:postfix-2.11.1.tar.gz/man/man1/postconf.1
@@ -143,6 +143,8 @@
.IP
The default is as if "\fB-C all\fR" is
specified.
+
+This feature is available with Postfix 2.9 and later.
.IP \fB-d\fR
Print \fBmain.cf\fR default parameter settings instead of
actual settings.
@@ -347,6 +349,8 @@
This feature is available with Postfix 2.10 and later.
.IP \fB-p\fR
Show \fBmain.cf\fR parameter settings. This is the default.
+
+This feature is available with Postfix 2.11 and later.
.IP \fB-P\fR
Show \fBmaster.cf\fR service parameter settings (by default
all services and all parameters). formatted as one
@@ -486,5 +490,7 @@
.SH "AUTHOR(S)"
.na
.nf
-Wietse Venema IBM T.J. Watson Research P.O. Box 704 Yorktown
-Heights, NY 10598, USA
+Wietse Venema
+IBM T.J. Watson Research
+P.O. Box 704
+Yorktown Heights, NY 10598, USA
_service:download_files:postfix-2.11.1.tar.gz/man/man5/postconf.5
@@ -5176,7 +5176,7 @@
.na
.ft C
# Handle both Postfix and qmail extensions (Postfix 2.11 and later).
-recipient_delimiters = +-
+recipient_delimiter = +-
.fi
.ad
.ft R
@@ -7120,15 +7120,14 @@
Each logging level also includes the information that is logged at
a lower logging level.
.IP ""
-0 Log only a summary message on TLS handshake completion
-- no logging of remote SMTP server certificate trust-chain
-verification errors if server certificate verification is not required.
-With Postfix 2.8 and earlier, disable logging of TLS activity.
+0 Disable logging of TLS activity.
.br
.IP ""
-1 Also log remote SMTP server trust-chain verification
-errors and peer certificate summary information. With Postfix 2.8
-and earlier, log TLS handshake and certificate information.
+1 Log only a summary message on TLS handshake completion
+- no logging of remote SMTP server certificate trust-chain
+verification errors if server certificate verification is not required.
+With Postfix 2.8 and earlier, log the summary message and unconditionally
+log trust-chain verification errors.
.br
.IP ""
2 Also log levels during TLS negotiation.
@@ -10554,16 +10553,14 @@
Each logging level also includes the information that is logged at
a lower logging level.
.IP ""
-0 Log only a summary message on TLS handshake completion
-- no logging of remote SMTP client certificate trust-chain verification
-errors
-if client certificate verification is not required. With Postfix 2.8
-and earlier, disable logging of TLS activity.
+0 Disable logging of TLS activity.
.br
.IP ""
-1 Also log trust-chain verification errors and peer
-certificate name and issuer. With Postfix 2.8 and earlier, log TLS
-handshake and certificate information.
+1 Log only a summary message on TLS handshake completion
+- no logging of client certificate trust-chain verification errors
+if client certificate verification is not required. With Postfix 2.8 and
+earlier, log the summary message, peer certificate summary information
+and unconditionally log trust-chain verification errors.
.br
.IP ""
2 Also log levels during TLS negotiation.
_service:download_files:postfix-2.11.1.tar.gz/proto/TLS_README.html
@@ -384,16 +384,15 @@
<tr> <th> Level </th> <th> Postfix 2.9 and later</th> <th> Earlier
releases. </th> </tr>
-<tr> <td valign="top"> 0 </td> <td valign="top"> Log only a summary
+<tr> <td valign="top"> 0 </td> <td valign="top" colspan="2"> Disable
+logging of TLS activity. </td> </tr>
+
+<tr> <td valign="top"> 1 </td> <td valign="top"> Log only a summary
message on TLS handshake completion — no logging of client
certificate trust-chain verification errors if client certificate
-verification is not required. </td> <td valign="top"> Disable logging
-of TLS activity.</td> </tr>
-
-<tr> <td valign="top"> 1 </td> <td valign="top"> Also log trust-chain
-verification errors and peer certificate summary information. </td>
-<td valign="top"> Also log TLS handshake and certificate information.
-</td> </tr>
+verification is not required. </td> <td valign="top"> Log the summary
+message, peer certificate summary information and unconditionally log
+trust-chain verification errors. </td> </tr>
<tr> <td valign="top"> 2 </td> <td valign="top" colspan="2"> Also
log levels during TLS negotiation. </td> </tr>
@@ -1750,16 +1749,15 @@
<tr> <th> Level </th> <th> Postfix 2.9 and later</th> <th> Earlier
releases. </th> </tr>
-<tr> <td valign="top"> 0 </td> <td valign="top"> Log only a summary
-message on TLS handshake completion — no logging of remote
-SMTP server certificate trust-chain verification errors if server
-certificate verification is not required. </td> <td valign="top">
-Disable logging of TLS activity.</td> </tr>
-
-<tr> <td valign="top"> 1 </td> <td valign="top"> Also log remote
-SMTP server trust-chain verification errors and peer certificate
-summary information. </td> <td valign="top"> Also log TLS handshake
-and certificate information. </td> </tr>
+<tr> <td valign="top"> 0 </td> <td valign="top" colspan="2"> Disable
+logging of TLS activity. </td> </tr>
+
+<tr> <td valign="top"> 1 </td> <td valign="top"> Log only a summary
+message on TLS handshake completion — no logging of remote SMTP
+server certificate trust-chain verification errors if server certificate
+verification is not required. </td> <td valign="top"> Log the summary
+message and unconditionally log trust-chain verification errors.
+</td> </tr>
<tr> <td valign="top"> 2 </td> <td valign="top" colspan="2"> Also
log levels during TLS negotiation. </td> </tr>
_service:download_files:postfix-2.11.1.tar.gz/proto/postconf.proto
@@ -3546,7 +3546,7 @@
<pre>
# Handle both Postfix and qmail extensions (Postfix 2.11 and later).
-recipient_delimiters = +-
+recipient_delimiter = +-
</pre>
<pre>
@@ -9127,15 +9127,13 @@
<dl compact>
-<dt> </dt> <dd> 0 Log only a summary message on TLS handshake completion
-— no logging of remote SMTP client certificate trust-chain verification
-errors
-if client certificate verification is not required. With Postfix 2.8
-and earlier, disable logging of TLS activity. </dd>
-
-<dt> </dt> <dd> 1 Also log trust-chain verification errors and peer
-certificate name and issuer. With Postfix 2.8 and earlier, log TLS
-handshake and certificate information. </dd>
+<dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>
+
+<dt> </dt> <dd> 1 Log only a summary message on TLS handshake completion
+— no logging of client certificate trust-chain verification errors
+if client certificate verification is not required. With Postfix 2.8 and
+earlier, log the summary message, peer certificate summary information
+and unconditionally log trust-chain verification errors. </dd>
<dt> </dt> <dd> 2 Also log levels during TLS negotiation. </dd>
@@ -9551,14 +9549,13 @@
<dl compact>
-<dt> </dt> <dd> 0 Log only a summary message on TLS handshake completion
+<dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>
+
+<dt> </dt> <dd> 1 Log only a summary message on TLS handshake completion
— no logging of remote SMTP server certificate trust-chain
verification errors if server certificate verification is not required.
-With Postfix 2.8 and earlier, disable logging of TLS activity. </dd>
-
-<dt> </dt> <dd> 1 Also log remote SMTP server trust-chain verification
-errors and peer certificate summary information. With Postfix 2.8
-and earlier, log TLS handshake and certificate information. </dd>
+With Postfix 2.8 and earlier, log the summary message and unconditionally
+log trust-chain verification errors. </dd>
<dt> </dt> <dd> 2 Also log levels during TLS negotiation. </dd>
_service:download_files:postfix-2.11.1.tar.gz/src/global/mail_version.h
@@ -20,8 +20,8 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20140115"
-#define MAIL_VERSION_NUMBER "2.11.0"
+#define MAIL_RELEASE_DATE "20140507"
+#define MAIL_VERSION_NUMBER "2.11.1"
#ifdef SNAPSHOT
#define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
_service:download_files:postfix-2.11.1.tar.gz/src/postconf/postconf.c
@@ -137,6 +137,8 @@
/* .IP
/* The default is as if "\fB-C all\fR" is
/* specified.
+/*
+/* This feature is available with Postfix 2.9 and later.
/* .IP \fB-d\fR
/* Print \fBmain.cf\fR default parameter settings instead of
/* actual settings.
@@ -341,6 +343,8 @@
/* This feature is available with Postfix 2.10 and later.
/* .IP \fB-p\fR
/* Show \fBmain.cf\fR parameter settings. This is the default.
+/*
+/* This feature is available with Postfix 2.11 and later.
/* .IP \fB-P\fR
/* Show \fBmaster.cf\fR service parameter settings (by default
/* all services and all parameters). formatted as one
@@ -464,8 +468,10 @@
/* The Secure Mailer license must be distributed with this
/* software.
/* AUTHOR(S)
-/* Wietse Venema IBM T.J. Watson Research P.O. Box 704 Yorktown
-/* Heights, NY 10598, USA
+/* Wietse Venema
+/* IBM T.J. Watson Research
+/* P.O. Box 704
+/* Yorktown Heights, NY 10598, USA
/*--*/
/* System library. */
_service:download_files:postfix-2.11.1.tar.gz/src/smtp/smtp.h
@@ -195,7 +195,7 @@
STR((state)->iterator->request_nexthop)[0] = 0; \
}
-#define HAVE_NEXTHOP_STATE(state) (STR((state)->iterator->request_nexthop) != 0)
+#define HAVE_NEXTHOP_STATE(state) (STR((state)->iterator->request_nexthop)[0] != 0)
/*
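Review bot: `HAVE_NEXTHOP_STATE` has no comment saying that "no saved state" is encoded as an empty string rather than a null pointer, which is the distinction the previous form of the macro got wrong. The macro above it, of which only the tail is visible in this hunk, clears the state by writing `[0] = 0`, so the test has to mirror that. A one-line comment above the definition would keep the pair in step, for example `/* Nonzero when a nexthop was saved; "no state" is an empty string, not a null pointer. */`.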
_service:download_files:postfix-2.11.1.tar.gz/src/smtp/smtp_connect.c
@@ -510,7 +510,7 @@
*/
#ifdef USE_TLS
if (!smtp_tls_policy_cache_query(why, state->tls, iter)) {
- msg_info("TLS policy lookup error for %s/%s: %s",
+ msg_warn("TLS policy lookup error for %s/%s: %s",
STR(iter->host), STR(iter->addr), STR(why->reason));
return;
}
@@ -666,6 +666,7 @@
#endif
SMTP_ITER_SAVE_DEST(state->iterator);
if (*addr_list && SMTP_RCPT_LEFT(state) > 0
+ && HAVE_NEXTHOP_STATE(state)
&& (session = smtp_reuse_nexthop(state, SMTP_KEY_MASK_SCACHE_DEST_LABEL)) != 0) {
session_count = 1;
smtp_update_addr_list(addr_list, STR(iter->addr), session_count);
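Review bot: The added `&& HAVE_NEXTHOP_STATE(state)` term in the reuse condition carries no comment explaining why the cache lookup must be skipped when no nexthop was saved. Going by the HISTORY entry for this release, a lookup under a key that does not identify the destination is what allowed recipients to reach the wrong server, so the invariant deserves a line above the `if`, for example `/* Look up a cached session only when a nexthop key was saved for this request. */`. The guard is only as good as the macro in smtp.h, so the two should be read together. The enclosing function begins and ends outside this hunk.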
@@ -716,7 +717,7 @@
iter->rr = addr;
#ifdef USE_TLS
if (!smtp_tls_policy_cache_query(why, state->tls, iter)) {
- msg_info("TLS policy lookup error for %s/%s: %s",
+ msg_warn("TLS policy lookup error for %s/%s: %s",
STR(iter->dest), STR(iter->host), STR(why->reason));
continue;
/* XXX Assume there is no code at the end of this loop. */
@@ -956,7 +957,7 @@
iter->rr = addr;
#ifdef USE_TLS
if (!smtp_tls_policy_cache_query(why, state->tls, iter)) {
- msg_info("TLS policy lookup for %s/%s: %s",
+ msg_warn("TLS policy lookup for %s/%s: %s",
STR(iter->dest), STR(iter->host), STR(why->reason));
continue;
/* XXX Assume there is no code at the end of this loop. */
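Review bot: The warning text at this call site reads `"TLS policy lookup for %s/%s: %s"`, without the word "error" that the other two call sites changed in this file carry. A log filter or alert keyed on the phrase "TLS policy lookup error" would miss failures on this path. Since the line is being touched anyway, it could be aligned as `msg_warn("TLS policy lookup error for %s/%s: %s",`. The loop body continues outside the hunk.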
_service:download_files:postfix-2.11.1.tar.gz/src/smtp/smtp_tls_policy.c
@@ -525,8 +525,8 @@
/*
* DANE initialization may change the security level to something else,
* so do this early, so that we use the right level below. Note that
- * "dane-only" changes to "dane" after any fallback strategies are
- * applied.
+ * "dane-only" changes to "dane" once we obtain the requisite TLSA
+ * records.
*/
if (tls->level == TLS_LEV_DANE || tls->level == TLS_LEV_DANE_ONLY)
dane_init(tls, iter);
@@ -706,6 +706,7 @@
#define NONDANE_CONFIG 0 /* Administrator's fault */
#define NONDANE_DEST 1 /* Remote server's fault */
+#define DANE_UNUSABLE 2 /* Remote server's fault */
static void PRINTFLIKE(4, 5) dane_incompat(SMTP_TLS_POLICY *tls,
SMTP_ITERATOR *iter,
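Review bot: `DANE_UNUSABLE` is given the same comment as `NONDANE_DEST` ("Remote server's fault"), so the list of error types does not say what separates the two. The difference is security-relevant: in the next hunk dane_incompat() maps one to `TLS_LEV_MAY` and the other to `TLS_LEV_ENCRYPT`. A more specific comment would make that visible at the definition, for example `#define DANE_UNUSABLE 2 /* TLSA records exist, none usable */`.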
@@ -716,12 +717,12 @@
va_start(ap, fmt);
if (tls->level == TLS_LEV_DANE) {
- tls->level = TLS_LEV_MAY;
+ tls->level = (errtype == DANE_UNUSABLE) ? TLS_LEV_ENCRYPT : TLS_LEV_MAY;
if (errtype == NONDANE_CONFIG)
vmsg_warn(fmt, ap);
else if (msg_verbose)
vmsg_info(fmt, ap);
- } else {
+ } else { /* dane-only */
if (errtype == NONDANE_CONFIG) {
vmsg_warn(fmt, ap);
MARK_INVALID(tls->why, &tls->level);
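Review bot: In the `TLS_LEV_DANE` branch a `DANE_UNUSABLE` result is reported only under `msg_verbose`, because it falls into the `else if (msg_verbose)` arm. As far as this function shows, the switch from DANE authentication to `TLS_LEV_ENCRYPT` (mandatory but unauthenticated TLS) therefore leaves no trace at the normal log level. If operators are meant to notice destinations that publish only unusable TLSA records, the condition could become `else if (msg_verbose || errtype == DANE_UNUSABLE)`. Otherwise a comment on the ternary should state that the quiet fallback is intended. The dane-only branch continues outside the hunk, so its handling of the new error type is not visible here.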
@@ -816,7 +817,8 @@
* given verifier some of the CAs are surely not trustworthy).
*/
if (tls_dane_unusable(dane)) {
- dane_incompat(tls, iter, NONDANE_DEST, "TLSA records unusable");
+ dane_incompat(tls, iter, DANE_UNUSABLE, "TLSA records unusable");
+ tls_dane_free(dane);
return;
}
_service:download_files:postfix-2.11.1.tar.gz/src/tls/tls_client.c
@@ -1045,7 +1045,9 @@
*/
if (log_mask & TLS_LOG_SUMMARY)
msg_info("%s TLS connection established to %s: %s with cipher %s "
- "(%d/%d bits)", TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" :
+ "(%d/%d bits)",
+ !TLS_CERT_IS_PRESENT(TLScontext) ? "Anonymous" :
+ TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" :
TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : "Untrusted",
props->namaddr, TLScontext->protocol, TLScontext->cipher_name,
TLScontext->cipher_usebits, TLScontext->cipher_algbits);
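Review bot: The status label is now chosen by a three-way conditional chain written inside the msg_info() argument list, and nothing in the code says that the order of the tests matters. The `TLS_CERT_IS_PRESENT` test has to come first, otherwise a session without a peer certificate falls through to "Untrusted", which is the mislabel this change corrects. A comment above the call would protect that ordering, for example `/* Test for a missing certificate first: no certificate means "Anonymous", not "Untrusted". */`. Hoisting the chain into a local `const char *` before the call would also make the statement easier to read. The enclosing function starts and ends outside the hunk.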