Module Name:	src
Committed By:	tron
Date:		Sat Nov 27 10:41:18 UTC 2010

Modified Files:
	src/external/ibm-public/postfix/dist/html: postconf.5.html
	src/external/ibm-public/postfix/dist/man/man5: postconf.5
	src/external/ibm-public/postfix/dist/proto: postconf.proto
	src/external/ibm-public/postfix/dist/src/global: mail_params.h
	src/external/ibm-public/postfix/dist/src/smtpd: smtpd.c

Log Message:
Resolve conflicts from last import.

To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 \
    src/external/ibm-public/postfix/dist/html/postconf.5.html
cvs rdiff -u -r1.5 -r1.6 \
    src/external/ibm-public/postfix/dist/man/man5/postconf.5
cvs rdiff -u -r1.5 -r1.6 \
    src/external/ibm-public/postfix/dist/proto/postconf.proto
cvs rdiff -u -r1.4 -r1.5 \
    src/external/ibm-public/postfix/dist/src/global/mail_params.h
cvs rdiff -u -r1.4 -r1.5 \
    src/external/ibm-public/postfix/dist/src/smtpd/smtpd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files: Index: src/external/ibm-public/postfix/dist/html/postconf.5.html diff -u src/external/ibm-public/postfix/dist/html/postconf.5.html:1.5 src/external/ibm-public/postfix/dist/html/postconf.5.html:1.6 --- src/external/ibm-public/postfix/dist/html/postconf.5.html:1.5 Thu Jun 17 18:18:14 2010 +++ src/external/ibm-public/postfix/dist/html/postconf.5.html Sat Nov 27 10:41:16 2010 @@ -9150,6 +9150,10 @@ but it is best to include all the required certificates directly in $<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>. </p> +<p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from +appending the system-supplied default CAs and trusting third-party +certificates. </p> + <p> Example: </p> <pre> @@ -9173,6 +9177,10 @@ <p> To use this option in chroot mode, this directory (or a copy) must be inside the chroot jail. </p> +<p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from +appending the system-supplied default CAs and trusting third-party +certificates. </p> + <p> Example: </p> <pre> 
@@ -10824,8 +10832,11 @@ <dd> Permit the request when the remote SMTP client certificate is verified successfully. This option must be used only if a special CA issues the certificates and only this CA is listed as trusted -CA, otherwise all clients with a recognized certificate would be -allowed to relay. This feature is available with Postfix version 2.2.</dd> +CA. Otherwise, clients with a third-party certificate would also +be allowed to relay. Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" when the +trusted CA is specified with <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> or <a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a>, +to prevent Postfix from appending the system-supplied default CAs. +This feature is available with Postfix version 2.2.</dd> <dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt> @@ -12595,6 +12606,10 @@ but it is best to include all the required certificates directly in the server certificate file. </p> +<p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from +appending the system-supplied default CAs and trusting third-party +certificates. </p> + <p> By default (see <a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>), client certificates are not requested, and <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> should remain empty. If you do make use of client certificates, the distinguished names (DNs) of the certificate 
@@ -12626,6 +12641,10 @@ <a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> in chroot mode, this directory (or a copy) must be inside the chroot jail. </p> +<p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from +appending the system-supplied default CAs and trusting third-party +certificates. </p> + <p> By default (see <a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>), client certificates are not requested, and <a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> should remain empty. In contrast to <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a>, DNs of certificate authorities installed 
@@ -13739,6 +13758,23 @@ </DD> +<DT><b><a name="tls_append_default_CA">tls_append_default_CA</a> +(default: no)</b></DT><DD> + +<p> Append the system-supplied default certificate authority +certificates to the ones specified with *_tls_CApath or *_tls_CAfile. +The default is "no"; this prevents Postfix from trusting third-party +certificates and giving them relay permission with +<a href="postconf.5.html#permit_tls_all_clientcerts">permit_tls_all_clientcerts</a>. </p> + +<p> This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8, +2.7.2 and later versions. Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = yes" for +backwards compatibility, to avoid breaking certificate verification +with sites that don't use <a href="postconf.5.html#permit_tls_all_clientcerts">permit_tls_all_clientcerts</a>. </p> + + +</DD> + <DT><b><a name="tls_daemon_random_bytes">tls_daemon_random_bytes</a> (default: 32)</b></DT><DD> Index: src/external/ibm-public/postfix/dist/man/man5/postconf.5 diff -u src/external/ibm-public/postfix/dist/man/man5/postconf.5:1.5 src/external/ibm-public/postfix/dist/man/man5/postconf.5:1.6 --- src/external/ibm-public/postfix/dist/man/man5/postconf.5:1.5 Thu Jun 17 18:18:15 2010 +++ src/external/ibm-public/postfix/dist/man/man5/postconf.5 Sat Nov 27 10:41:17 2010 @@ -1,4 +1,4 @@ -.\" $NetBSD: postconf.5,v 1.5 2010/06/17 18:18:15 tron Exp $ +.\" $NetBSD: postconf.5,v 1.6 2010/11/27 10:41:17 tron Exp $ .\" .TH POSTCONF 5 .SH NAME @@ -5241,6 +5241,10 @@ but it is best to include all the required certificates directly in $smtp_tls_cert_file. .PP +Specify "tls_append_default_CA = no" to prevent Postfix from +appending the system-supplied default CAs and trusting third-party +certificates. +.PP Example: .PP .nf 
@@ -5261,6 +5265,10 @@ To use this option in chroot mode, this directory (or a copy) must be inside the chroot jail. .PP +Specify "tls_append_default_CA = no" to prevent Postfix from +appending the system-supplied default CAs and trusting third-party +certificates. +.PP Example: .PP .nf @@ -6624,8 +6632,11 @@ Permit the request when the remote SMTP client certificate is verified successfully. This option must be used only if a special CA issues the certificates and only this CA is listed as trusted -CA, otherwise all clients with a recognized certificate would be -allowed to relay. This feature is available with Postfix version 2.2. +CA. Otherwise, clients with a third-party certificate would also +be allowed to relay. Specify "tls_append_default_CA = no" when the +trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath, +to prevent Postfix from appending the system-supplied default CAs. +This feature is available with Postfix version 2.2. .IP "\fBpermit_tls_clientcerts\fR" Permit the request when the remote SMTP client certificate fingerprint is listed in $relay_clientcerts. @@ -7830,6 +7841,10 @@ but it is best to include all the required certificates directly in the server certificate file. .PP +Specify "tls_append_default_CA = no" to prevent Postfix from +appending the system-supplied default CAs and trusting third-party +certificates. +.PP By default (see smtpd_tls_ask_ccert), client certificates are not requested, and smtpd_tls_CAfile should remain empty. If you do make use of client certificates, the distinguished names (DNs) of the certificate 
@@ -7859,6 +7874,10 @@ smtpd_tls_CApath in chroot mode, this directory (or a copy) must be inside the chroot jail. .PP +Specify "tls_append_default_CA = no" to prevent Postfix from +appending the system-supplied default CAs and trusting third-party +certificates. +.PP By default (see smtpd_tls_ask_ccert), client certificates are not requested, and smtpd_tls_CApath should remain empty. In contrast to smtpd_tls_CAfile, DNs of certificate authorities installed @@ -8713,6 +8732,17 @@ \fBlmtp\fR(8)). .PP This feature is available in Postfix 2.6 and later. +.SH tls_append_default_CA (default: no) +Append the system-supplied default certificate authority +certificates to the ones specified with *_tls_CApath or *_tls_CAfile. +The default is "no"; this prevents Postfix from trusting third-party +certificates and giving them relay permission with +permit_tls_all_clientcerts. +.PP +This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8, +2.7.2 and later versions. Specify "tls_append_default_CA = yes" for +backwards compatibility, to avoid breaking certificate verification +with sites that don't use permit_tls_all_clientcerts. .SH tls_daemon_random_bytes (default: 32) The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8) process requests from the \fBtlsmgr\fR(8) server in order to seed its Index: src/external/ibm-public/postfix/dist/proto/postconf.proto diff -u src/external/ibm-public/postfix/dist/proto/postconf.proto:1.5 src/external/ibm-public/postfix/dist/proto/postconf.proto:1.6 --- src/external/ibm-public/postfix/dist/proto/postconf.proto:1.5 Thu Jun 17 18:18:15 2010 +++ src/external/ibm-public/postfix/dist/proto/postconf.proto Sat Nov 27 10:41:17 2010 
@@ -4855,8 +4855,11 @@ <dd> Permit the request when the remote SMTP client certificate is verified successfully. This option must be used only if a special CA issues the certificates and only this CA is listed as trusted -CA, otherwise all clients with a recognized certificate would be -allowed to relay. This feature is available with Postfix version 2.2.</dd> +CA. Otherwise, clients with a third-party certificate would also +be allowed to relay. Specify "tls_append_default_CA = no" when the +trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath, +to prevent Postfix from appending the system-supplied default CAs. +This feature is available with Postfix version 2.2.</dd> <dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt> @@ -8648,6 +8651,10 @@ but it is best to include all the required certificates directly in the server certificate file. </p> +<p> Specify "tls_append_default_CA = no" to prevent Postfix from +appending the system-supplied default CAs and trusting third-party +certificates. </p> + <p> By default (see smtpd_tls_ask_ccert), client certificates are not requested, and smtpd_tls_CAfile should remain empty. If you do make use of client certificates, the distinguished names (DNs) of the certificate @@ -8675,6 +8682,10 @@ smtpd_tls_CApath in chroot mode, this directory (or a copy) must be inside the chroot jail. </p> +<p> Specify "tls_append_default_CA = no" to prevent Postfix from +appending the system-supplied default CAs and trusting third-party +certificates. </p> + <p> By default (see smtpd_tls_ask_ccert), client certificates are not requested, and smtpd_tls_CApath should remain empty. In contrast to smtpd_tls_CAfile, DNs of certificate authorities installed 
@@ -9043,6 +9054,10 @@ but it is best to include all the required certificates directly in $smtp_tls_cert_file. </p> +<p> Specify "tls_append_default_CA = no" to prevent Postfix from +appending the system-supplied default CAs and trusting third-party +certificates. </p> + <p> Example: </p> <pre> @@ -9062,6 +9077,10 @@ <p> To use this option in chroot mode, this directory (or a copy) must be inside the chroot jail. </p> +<p> Specify "tls_append_default_CA = no" to prevent Postfix from +appending the system-supplied default CAs and trusting third-party +certificates. </p> + <p> Example: </p> <pre> @@ -9351,6 +9370,19 @@ <p> This feature is available in Postfix 2.2 and later. </p> +%PARAM tls_append_default_CA no + +<p> Append the system-supplied default certificate authority +certificates to the ones specified with *_tls_CApath or *_tls_CAfile. +The default is "no"; this prevents Postfix from trusting third-party +certificates and giving them relay permission with +permit_tls_all_clientcerts. </p> + +<p> This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8, +2.7.2 and later versions. Specify "tls_append_default_CA = yes" for +backwards compatibility, to avoid breaking certificate verification +with sites that don't use permit_tls_all_clientcerts. </p> + %PARAM tls_random_exchange_name see "postconf -d" output <p> Name of the pseudo random number generator (PRNG) state file Index: src/external/ibm-public/postfix/dist/src/global/mail_params.h diff -u src/external/ibm-public/postfix/dist/src/global/mail_params.h:1.4 src/external/ibm-public/postfix/dist/src/global/mail_params.h:1.5 --- src/external/ibm-public/postfix/dist/src/global/mail_params.h:1.4 Thu Jun 17 18:18:15 2010 +++ src/external/ibm-public/postfix/dist/src/global/mail_params.h Sat Nov 27 10:41:17 2010 
@@ -1,4 +1,4 @@ -/* $NetBSD: mail_params.h,v 1.4 2010/06/17 18:18:15 tron Exp $ */ +/* $NetBSD: mail_params.h,v 1.5 2010/11/27 10:41:17 tron Exp $ */ #ifndef _MAIL_PARAMS_H_INCLUDED_ #define _MAIL_PARAMS_H_INCLUDED_ @@ -625,6 +625,10 @@ #define DEF_DUP_FILTER_LIMIT 1000 extern int var_dup_filter_limit; +#define VAR_TLS_APPEND_DEF_CA "tls_append_default_CA" +#define DEF_TLS_APPEND_DEF_CA 0 /* Postfix < 2.8 BC break */ +extern bool var_tls_append_def_CA; + #define VAR_TLS_RAND_EXCH_NAME "tls_random_exchange_name" #define DEF_TLS_RAND_EXCH_NAME "${data_directory}/prng_exch" extern char *var_tls_rand_exch_name; Index: src/external/ibm-public/postfix/dist/src/smtpd/smtpd.c diff -u src/external/ibm-public/postfix/dist/src/smtpd/smtpd.c:1.4 src/external/ibm-public/postfix/dist/src/smtpd/smtpd.c:1.5 --- src/external/ibm-public/postfix/dist/src/smtpd/smtpd.c:1.4 Thu Jun 17 18:18:15 2010 +++ src/external/ibm-public/postfix/dist/src/smtpd/smtpd.c Sat Nov 27 10:41:18 2010 @@ -1,4 +1,4 @@ -/* $NetBSD: smtpd.c,v 1.4 2010/06/17 18:18:15 tron Exp $ */ +/* $NetBSD: smtpd.c,v 1.5 2010/11/27 10:41:18 tron Exp $ */ /*++ /* NAME @@ -4489,6 +4489,11 @@ } /* XXX We use the real client for connect access control. */ if (state->access_denied && cmdp->action != quit_cmd) { + /* XXX Exception for Milter override. */ + if (strncmp(state->access_denied + 1, "21", 2) == 0) { + smtpd_chat_reply(state, "%s", state->access_denied); + continue; + } smtpd_chat_reply(state, "503 5.7.0 Error: access denied for %s", state->namaddr); /* RFC 2821 Sec 3.1 */ state->error_count++;
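
Review bot: In the tls_append_default_CA parameter text (the %PARAM hunk at @@ -9351,6 +9370,19 @@ in postconf.proto, repeated in postconf.5.html and postconf.5), the rationale covers only the server-side relay case, although the parameter is described as applying to "*_tls_CApath or *_tls_CAfile" and the same "Specify tls_append_default_CA = no" paragraph is also added to the sections that mention $smtp_tls_cert_file. The text should state what the default "no" means on the client side, namely that only the CAs listed in the configured file or directory are then available for verification. The phrase "sites that don't use permit_tls_all_clientcerts" is also ambiguous between the local installation and remote peers; "installations that do not use permit_tls_all_clientcerts" would remove the doubt.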
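
Review bot: In the mail_params.h hunk at @@ -625,6 +625,10 @@, the comment on DEF_TLS_APPEND_DEF_CA, "Postfix < 2.8 BC break", is too terse for a default that is deliberately security-relevant. Spell out that 0 stops the system-supplied default CAs from being appended, that this changes behaviour for existing configurations, and point to the tls_append_default_CA entry in postconf(5). The hunk also declares extern bool var_tls_append_def_CA, but none of the hunks in this diff defines or reads that variable; confirm that the definition and the code consulting it are present in files this commit does not touch.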
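
Review bot: In the smtpd.c hunk at @@ -4489,6 +4489,11 @@, the test strncmp(state->access_denied + 1, "21", 2) == 0 skips the first byte of the reply and matches any text whose second and third characters are "21", so it treats 421 and 521 alike and reads one byte past the terminator if access_denied is ever an empty string (the enclosing condition only checks that the pointer is non-NULL). The comment "Exception for Milter override" should name the reply codes it is meant to cover, and a length check or a named helper would make the offset comparison safe and readable. The new branch also continues without incrementing state->error_count, unlike the 503 path below it; say in the comment whether that is intended. This is a behaviour change unrelated to tls_append_default_CA, and the log message "Resolve conflicts from last import" does not mention it.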