Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/external/ibm-public/postfix/dist Resolve conflicts from last...
details: https://anonhg.NetBSD.org/src/rev/429eae47fa88
branches: trunk
changeset: 779666:429eae47fa88
user: tron <tron%NetBSD.org@localhost>
date: Sat Jun 09 11:32:19 2012 +0000
description:
Resolve conflicts from last import.
diffstat:
external/ibm-public/postfix/dist/README_FILES/TLS_README | 48 +++++++-----
external/ibm-public/postfix/dist/html/TLS_README.html | 30 +++++--
external/ibm-public/postfix/dist/html/postconf.5.html | 57 ++++++++++----
external/ibm-public/postfix/dist/man/man5/postconf.5 | 57 ++++++++++----
external/ibm-public/postfix/dist/proto/TLS_README.html | 30 +++++--
external/ibm-public/postfix/dist/proto/postconf.proto | 57 ++++++++++----
external/ibm-public/postfix/dist/src/global/mail_params.h | 8 +-
external/ibm-public/postfix/dist/src/local/unknown.c | 2 +-
external/ibm-public/postfix/dist/src/smtp/smtp.c | 4 +-
external/ibm-public/postfix/dist/src/smtpd/smtpd.c | 4 +-
external/ibm-public/postfix/dist/src/tls/tls_client.c | 10 ++-
external/ibm-public/postfix/dist/src/tls/tls_server.c | 7 +-
12 files changed, 208 insertions(+), 106 deletions(-)
diffs (truncated from 798 to 300 lines):
diff -r 6fc92ea9802b -r 429eae47fa88 external/ibm-public/postfix/dist/README_FILES/TLS_README
--- a/external/ibm-public/postfix/dist/README_FILES/TLS_README Sat Jun 09 11:26:39 2012 +0000
+++ b/external/ibm-public/postfix/dist/README_FILES/TLS_README Sat Jun 09 11:32:19 2012 +0000
@@ -542,11 +542,17 @@
control over the minimum cipher grade for opportunistic TLS. With Postfix <
2.6, the minimum opportunistic TLS cipher grade is always "export".
-With mandatory TLS encryption, the Postfix SMTP server will by default only use
-SSLv3 or TLSv1. SSLv2 is only used when TLS encryption is optional. The
-mandatory TLS protocol list is specified via the smtpd_tls_mandatory_protocols
-configuration parameter. The corresponding smtpd_tls_protocols parameter
-(Postfix >= 2.6) controls the SSL/TLS protocols used with opportunistic TLS.
+With mandatory TLS encryption, the Postfix SMTP server will by default disable
+SSLv2. SSLv2 is used only when TLS encryption is optional. The mandatory TLS
+protocol list is specified via the smtpd_tls_mandatory_protocols configuration
+parameter. The corresponding smtpd_tls_protocols parameter (Postfix >= 2.6)
+controls the SSL/TLS protocols used with opportunistic TLS.
+
+Note that the OpenSSL library only supports protocol exclusion (not inclusion).
+For this reason, Postfix can exclude only protocols that are known at the time
+the Postfix software is written. If new protocols are added to the OpenSSL
+library, they cannot be excluded without corresponding changes to the Postfix
+source code.
For a server that is not a public Internet MX host, Postfix (>= 2.3) supports
configurations with no server certificates that use o�on�nl�ly�y the anonymous ciphers.
@@ -561,9 +567,10 @@
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
smtpd_tls_security_level = encrypt
+ # Preferred form with Postfix >= 2.5:
+ smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+ # Alternative form.
smtpd_tls_mandatory_protocols = TLSv1
- # Also available with Postfix >= 2.5:
- smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
If you want to take advantage of ciphers with ephemeral Diffie-Hellman (EDH)
key exchange (this offers "forward-secrecy"), DH parameters are needed. Instead
@@ -594,9 +601,9 @@
smtpd_tls_eecdh_grade = strong
Postfix 2.8 and later, in combination with OpenSSL 0.9.7 and later allows TLS
-servers to preempt the TLS client's cipher preference list. This is only
-possible with SSLv3, as in SSLv2 the client chooses the cipher from a list
-supplied by the server.
+servers to preempt the TLS client's cipher preference list. This is possible
+only with SSLv3 and later, as in SSLv2 the client chooses the cipher from a
+list supplied by the server.
By default, the OpenSSL server selects the client's most preferred cipher that
the server supports. With SSLv3 and later, the server may choose its own most
@@ -1048,9 +1055,9 @@
Examples:
In the example below, traffic to example.com and its sub-domains via the
-corresponding MX hosts always uses TLS. The protocol version will be "SSLv3" or
-"TLSv1" (the default setting of smtp_tls_mandatory_protocols excludes "SSLv2").
-Only high or medium strength (i.e. 128 bit or better) ciphers will be used by
+corresponding MX hosts always uses TLS. The SSLv2 protocol will be disabled
+(the default setting of smtp_tls_mandatory_protocols excludes "SSLv2"). Only
+high- or medium-strength (i.e. 128 bit or better) ciphers will be used by
default for all "encrypt" security level sessions.
/etc/postfix/main.cf:
@@ -1714,11 +1721,11 @@
control over the minimum cipher grade for opportunistic TLS. With Postfix <
2.6, the minimum opportunistic TLS cipher grade is always "export".
-With mandatory TLS encryption, the Postfix SMTP client will by default only use
-SSLv3 or TLSv1. SSLv2 is only used when TLS encryption is optional. The
-mandatory TLS protocol list is specified via the smtp_tls_mandatory_protocols
-configuration parameter. The corresponding smtp_tls_protocols parameter
-(Postfix >= 2.6) controls the SSL/TLS protocols used with opportunistic TLS.
+With mandatory TLS encryption, the Postfix SMTP client will by default disable
+SSLv2. SSLv2 is used only when TLS encryption is optional. The mandatory TLS
+protocol list is specified via the smtp_tls_mandatory_protocols configuration
+parameter. The corresponding smtp_tls_protocols parameter (Postfix >= 2.6)
+controls the SSL/TLS protocols used with opportunistic TLS.
Example:
@@ -1726,9 +1733,10 @@
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers = RC4, MD5
smtp_tls_exclude_ciphers = aNULL
+ # Preferred form with Postfix >= 2.5:
+ smtp_tls_mandatory_protocols = !SSLv2
+ # Alternative form.
smtp_tls_mandatory_protocols = SSLv3, TLSv1
- # Also available with Postfix >= 2.5:
- smtp_tls_mandatory_protocols = !SSLv2
# Also available with Postfix >= 2.6:
smtp_tls_ciphers = export
smtp_tls_protocols = !SSLv2
diff -r 6fc92ea9802b -r 429eae47fa88 external/ibm-public/postfix/dist/html/TLS_README.html
--- a/external/ibm-public/postfix/dist/html/TLS_README.html Sat Jun 09 11:26:39 2012 +0000
+++ b/external/ibm-public/postfix/dist/html/TLS_README.html Sat Jun 09 11:32:19 2012 +0000
@@ -790,12 +790,18 @@
"export". </p>
<p> With mandatory TLS encryption, the Postfix SMTP server will by
-default only use SSLv3 or TLSv1. SSLv2 is only used when TLS encryption
+default disable SSLv2. SSLv2 is used only when TLS encryption
is optional. The mandatory TLS protocol list is specified via the
<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> configuration parameter. The
corresponding <a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> parameter (Postfix ≥ 2.6)
controls the SSL/TLS protocols used with opportunistic TLS. </p>
+<p> Note that the OpenSSL library only supports protocol exclusion
+(not inclusion). For this reason, Postfix can exclude only protocols
+that are known at the time the Postfix software is written. If new
+protocols are added to the OpenSSL library, they cannot be excluded
+without corresponding changes to the Postfix source code. </p>
+
<p> For a server that is not a public Internet MX host, Postfix (≥ 2.3)
supports configurations with no <a href="#server_cert_key">server
certificates</a> that use <b>only</b> the anonymous ciphers. This is
@@ -813,9 +819,10 @@
<a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a> = high
<a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a> = aNULL, MD5
<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = encrypt
+ # Preferred form with Postfix ≥ 2.5:
+ <a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = !SSLv2, !SSLv3
+ # Alternative form.
<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = TLSv1
- # Also available with Postfix ≥ 2.5:
- <a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = !SSLv2, !SSLv3
</pre>
</blockquote>
@@ -859,8 +866,8 @@
<p> Postfix 2.8 and later, in combination with OpenSSL 0.9.7 and later
allows TLS servers to preempt the TLS client's cipher preference list.
-This is only possible with SSLv3, as in SSLv2 the client chooses the
-cipher from a list supplied by the server. </p>
+This is possible only with SSLv3 and later, as in SSLv2 the client
+chooses the cipher from a list supplied by the server. </p>
<p> By default, the OpenSSL server selects the client's most preferred
cipher that the server supports. With SSLv3 and later, the server
@@ -1455,9 +1462,9 @@
<p> Examples: </p>
<p> In the example below, traffic to <i>example.com</i> and its sub-domains
-via the corresponding MX hosts always uses TLS. The protocol version will be
-"SSLv3" or "TLSv1" (the default setting of <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>
-excludes "SSLv2"). Only high or medium strength (i.e. 128 bit or
+via the corresponding MX hosts always uses TLS. The SSLv2 protocol
+will be disabled (the default setting of <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>
+excludes "SSLv2"). Only high- or medium-strength (i.e. 128 bit or
better) ciphers will be used by default for all "encrypt" security
level sessions. </p>
@@ -2306,7 +2313,7 @@
"export". </p>
<p> With mandatory TLS encryption, the Postfix SMTP client will by
-default only use SSLv3 or TLSv1. SSLv2 is only used when TLS encryption
+default disable SSLv2. SSLv2 is used only when TLS encryption
is optional. The mandatory TLS protocol list is specified via the
<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> configuration parameter. The corresponding
<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> parameter (Postfix ≥ 2.6) controls
@@ -2320,9 +2327,10 @@
<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> = medium
<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> = RC4, MD5
<a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> = aNULL
+ # Preferred form with Postfix ≥ 2.5:
+ <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = !SSLv2
+ # Alternative form.
<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = SSLv3, TLSv1
- # Also available with Postfix ≥ 2.5:
- <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = !SSLv2
# Also available with Postfix ≥ 2.6:
<a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> = export
<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = !SSLv2
diff -r 6fc92ea9802b -r 429eae47fa88 external/ibm-public/postfix/dist/html/postconf.5.html
--- a/external/ibm-public/postfix/dist/html/postconf.5.html Sat Jun 09 11:26:39 2012 +0000
+++ b/external/ibm-public/postfix/dist/html/postconf.5.html Sat Jun 09 11:32:19 2012 +0000
@@ -4582,7 +4582,7 @@
</DD>
<DT><b><a name="lmtp_tls_mandatory_protocols">lmtp_tls_mandatory_protocols</a>
-(default: SSLv3, TLSv1)</b></DT><DD>
+(default: !SSLv2)</b></DT><DD>
<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>
configuration parameter. See there for details. </p>
@@ -10692,7 +10692,7 @@
</DD>
<DT><b><a name="smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>
-(default: SSLv3, TLSv1)</b></DT><DD>
+(default: !SSLv2)</b></DT><DD>
<p> List of SSL/TLS protocols that the Postfix SMTP client will use with
mandatory TLS encryption. In <a href="postconf.5.html">main.cf</a> the values are separated by
@@ -10701,12 +10701,19 @@
empty value means allow all protocols. The valid protocol names, (see
<b>SSL_get_version(3)</b>), are "SSLv2", "SSLv3" and "TLSv1". </p>
+<p> Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
+and "TLSv1.2". If an older Postfix version is linked against OpenSSL
+1.0.1 or later, these, or any other new protocol versions, are
+unconditionally enabled. </p>
+
<p> With Postfix ≥ 2.5 the parameter syntax is expanded to support
protocol exclusions. One can now explicitly exclude SSLv2 by setting
"<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = !SSLv2". To exclude both SSLv2 and
SSLv3 set "<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = !SSLv2, !SSLv3". Listing
-the protocols to include, rather than protocols to exclude, is still
-supported; use the form you find more intuitive. </p>
+the protocols to include, rather than protocols to exclude, is
+supported, but not recommended. The exclusion form more closely
+matches the behaviour when the OpenSSL library is newer than Postfix.
+</p>
<p> Since SSL version 2 has known protocol weaknesses and is now
deprecated, the default setting excludes "SSLv2". This means that by
@@ -10719,9 +10726,10 @@
<p> Example: </p>
<pre>
+# Preferred form with Postfix ≥ 2.5:
+<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = !SSLv2, !SSLv3
+# Alternative form.
<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = TLSv1
-# Alternative form with Postfix ≥ 2.5:
-<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = !SSLv2, !SSLv3
</pre>
<p> This feature is available in Postfix 2.3 and later. </p>
@@ -10977,14 +10985,18 @@
protocol names, (see <b>SSL_get_version(3)</b>), are "SSLv2", "SSLv3"
and "TLSv1". </p>
+<p> Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
+and "TLSv1.2". If an older Postfix version is linked against OpenSSL
+1.0.1 or later, these, or any other new protocol versions, are
+unconditionally enabled. </p>
+
<p> To include a protocol list its name, to exclude it, prefix the name
with a "!" character. To exclude SSLv2 even for opportunistic TLS set
"<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
"<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = !SSLv2, !SSLv3". Explicitly listing the protocols to
-include, is supported, but not recommended. OpenSSL provides no mechanisms
-for excluding protocols not known at compile-time. If Postfix is linked
-against an OpenSSL library that supports additional protocol versions,
-they cannot be excluded using either syntax. </p>
+include, rather than protocols to exclude, is supported, but not
+recommended. The exclusion form more closely matches the behaviour
+when the OpenSSL library is newer than Postfix. </p>
<p> Example: </p>
<pre>
@@ -14436,7 +14448,7 @@
</DD>
<DT><b><a name="smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a>
-(default: SSLv3, TLSv1)</b></DT><DD>
+(default: !SSLv2)</b></DT><DD>
<p> The SSL/TLS protocols accepted by the Postfix SMTP server with
mandatory TLS encryption. If the list is empty, the server supports all
@@ -14445,12 +14457,19 @@
names separated by whitespace, commas or colons. The supported protocol
names are "SSLv2", "SSLv3" and "TLSv1", and are not case sensitive. </p>
+<p> Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
+and "TLSv1.2". If an older Postfix version is linked against OpenSSL
+1.0.1 or later, these, or any other new protocol versions, are
+unconditionally enabled. </p>
+
<p> With Postfix ≥ 2.5 the parameter syntax is expanded to support
protocol exclusions. One can now explicitly exclude SSLv2 by setting
"<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = !SSLv2". To exclude both SSLv2 and
SSLv3 set "<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = !SSLv2, !SSLv3". Listing
-the protocols to include, rather than protocols to exclude, is still
-supported, use the form you find more intuitive. </p>
+the protocols to include, rather than protocols to exclude, is
+supported, but not recommended. The exclusion form more closely
+matches the behaviour when the OpenSSL library is newer than Postfix.
+</p>
<p> Since SSL version 2 has known protocol weaknesses and is now
deprecated, the default setting excludes "SSLv2". This means that
@@ -14484,14 +14503,18 @@
"TLSv1". In <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> table entries, "protocols" attribute
values are separated by a colon. </p>
+<p> Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"
+and "TLSv1.2". If an older Postfix version is linked against OpenSSL
+1.0.1 or later, these, or any other new protocol versions, are
+unconditionally enabled. </p>
+
<p> To include a protocol list its name, to exclude it, prefix the name
with a "!" character. To exclude SSLv2 even for opportunistic TLS set
"<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
"<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> = !SSLv2, !SSLv3". Explicitly listing the protocols to
Home |
Main Index |
Thread Index |
Old Index