SUSE:SLE-15-SP2:Update
File postfix-3.5-patch20 of Package postfix
diff -ur --new-file /var/tmp/postfix-3.5.19/src/global/mail_params.h ./src/global/mail_params.h --- /var/tmp/postfix-3.5.19/src/global/mail_params.h 2022-03-22 17:30:42.000000000 -0400 +++ ./src/global/mail_params.h 2023-06-05 17:44:55.000000000 -0400 @@ -2381,6 +2381,10 @@ #define DEF_SMTPD_PEERNAME_LOOKUP 1 extern bool var_smtpd_peername_lookup; +#define VAR_SMTPD_FORBID_UNAUTH_PIPE "smtpd_forbid_unauth_pipelining" +#define DEF_SMTPD_FORBID_UNAUTH_PIPE 1 +extern bool var_smtpd_forbid_unauth_pipe; + /* * Heuristic to reject unknown local recipients at the SMTP port. */ @@ -3263,8 +3267,17 @@ extern bool var_smtp_cname_overr; /* - * TLS cipherlists + * TLS library settings */ +#define VAR_TLS_CNF_FILE "tls_config_file" +#define DEF_TLS_CNF_FILE "default" +extern char *var_tls_cnf_file; + +#define VAR_TLS_CNF_NAME "tls_config_name" +#define DEF_TLS_CNF_NAME "" +extern char *var_tls_cnf_name; + + #define VAR_TLS_HIGH_CLIST "tls_high_cipherlist" #define DEF_TLS_HIGH_CLIST "aNULL:-aNULL:HIGH:@STRENGTH" extern char *var_tls_high_clist; diff -ur --new-file /var/tmp/postfix-3.5.19/src/postconf/postconf_edit.c ./src/postconf/postconf_edit.c --- /var/tmp/postfix-3.5.19/src/postconf/postconf_edit.c 2014-12-06 20:35:33.000000000 -0500 +++ ./src/postconf/postconf_edit.c 2023-05-17 14:43:08.000000000 -0400 @@ -192,6 +192,11 @@ } else { msg_panic("pcf_edit_main: unknown mode %d", mode); } + if ((cvalue = htable_find(table, pattern)) != 0) { + msg_warn("ignoring earlier request: '%s = %s'", + pattern, cvalue->value); + htable_delete(table, pattern, myfree); + } cvalue = (struct cvalue *) mymalloc(sizeof(*cvalue)); cvalue->value = edit_value; cvalue->found = 0; 
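Review bot: `DEF_SMTPD_FORBID_UNAUTH_PIPE` is defined as 1 in the first mail_params.h hunk, while the manual text this same patch adds to smtpd.c gives the default as yes only for Postfix >= 3.9, and the tree being patched is 3.5.19. With the value as written, a maintenance update moves from logging "improper command pipelining" to replying `554 5.5.0 Error: SMTP protocol synchronization` and dropping the session, which can cut off legacy senders that talk without waiting for replies. If enabling it in this package is intended, I would say so next to the define, e.g. `/* on by default in this package; smtpd_forbid_unauth_pipelining = no restores log-only behaviour */`, and make the man-page text agree with the compiled default.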
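Review bot: The new warning in the postconf_edit.c hunk formats `cvalue->value` with `%s`, but that field is filled from `edit_value`, which is assigned before this hunk; if the edit modes that take no value leave it null, a repeated name would hand a null pointer to the formatter. I cannot see those assignments from here, so this needs confirming, and if null is possible the call should either print only `pattern` or substitute a fixed string for the missing value. Separately, `htable_delete(table, pattern, myfree)` releases only the cvalue struct, which is correct only while `value` is not owned by the entry; a one-line comment such as `/* cvalue->value is not owned by the table entry */` would record that, once confirmed. The enclosing function starts and ends outside the hunk.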
@@ -459,8 +464,38 @@ /* * Match each service pattern. + * + * Additional care is needed when a request adds or replaces an + * entire service definition, instead of a specific field or + * parameter. Given a command "postconf -M name1/type1='name2 + * type2 ...'", where name1 and name2 may differ, and likewise + * for type1 and type2: + * + * - First, if an existing service definition a) matches the service + * pattern 'name1/type1', or b) matches the name and type in the + * new service definition 'name2 type2 ...', remove the service + * definition. + * + * - Then, after an a) or b) type match, add a new service + * definition for 'name2 type2 ...', but only after the first + * match. + * + * - Finally, if a request had no a) or b) type match for any + * master.cf service definition, add a new service definition for + * 'name2 type2 ...'. */ for (req = edit_reqs; req < edit_reqs + num_reqs; req++) { + PCF_MASTER_ENT *tentative_entry = 0; + int use_tentative_entry = 0; + + /* Additional care for whole service definition requests. */ + if ((mode & PCF_MASTER_ENTRY) && (mode & PCF_EDIT_CONF)) { + tentative_entry = (PCF_MASTER_ENT *) + mymalloc(sizeof(*tentative_entry)); + if ((err = pcf_parse_master_entry(tentative_entry, + req->edit_value)) != 0) + msg_fatal("%s: \"%s\"", err, req->raw_text); + } if (PCF_MATCH_SERVICE_PATTERN(req->service_pattern, service_name, service_type)) { 
@@ -506,18 +541,30 @@ * Replace entire master.cf entry. */ case PCF_MASTER_ENTRY: - if (new_entry != 0) - pcf_free_master_entry(new_entry); - new_entry = (PCF_MASTER_ENT *) - mymalloc(sizeof(*new_entry)); - if ((err = pcf_parse_master_entry(new_entry, - req->edit_value)) != 0) - msg_fatal("%s: \"%s\"", err, req->raw_text); + if (req->match_count == 1) + use_tentative_entry = 1; break; default: msg_panic("%s: unknown edit mode %d", myname, mode); } } + } else if (tentative_entry != 0 + && PCF_MATCH_SERVICE_PATTERN(tentative_entry->argv, + service_name, + service_type)) { + service_name_type_matched = 1; /* Sticky flag */ + req->match_count += 1; + if (req->match_count == 1) + use_tentative_entry = 1; + } + if (tentative_entry != 0) { + if (use_tentative_entry) { + if (new_entry != 0) + pcf_free_master_entry(new_entry); + new_entry = tentative_entry; + } else { + pcf_free_master_entry(tentative_entry); + } } } diff -ur --new-file /var/tmp/postfix-3.5.19/src/postconf/postconf_master.c ./src/postconf/postconf_master.c --- /var/tmp/postfix-3.5.19/src/postconf/postconf_master.c 2020-03-08 12:35:20.000000000 -0400 +++ ./src/postconf/postconf_master.c 2023-05-17 14:43:08.000000000 -0400 @@ -156,6 +156,7 @@ #include <readlline.h> #include <stringops.h> #include <split_at.h> +#include <dict_ht.h> /* Global library. */ 
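Review bot: `PCF_MATCH_SERVICE_PATTERN(tentative_entry->argv, service_name, service_type)` in the new `else if` passes the parsed field vector of the replacement definition where the macro is otherwise given `req->service_pattern`, and nothing at that line says why this is valid. I would add a comment there, for example `/* case b): match on the name and type fields of the new definition */`, tying it to the explanation added in the -459 hunk. The loop that surrounds this code and the consumer of `new_entry` are outside the hunk, so I have not verified what happens when several requests set `use_tentative_entry` for the same service line; the visible code frees the earlier `new_entry` and keeps the last one, which deserves a sentence in the comment too.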
@@ -393,12 +394,12 @@ concatenate("ro", PCF_NAMESP_SEP_STR, masterp->name_space, (char *) 0); masterp->argv = argv; masterp->valid_names = 0; + masterp->ro_params = dict_ht_open(ro_name_space, O_CREAT | O_RDWR, 0); process_name = basename(argv->argv[PCF_MASTER_FLD_CMD]); - dict_update(ro_name_space, VAR_PROCNAME, process_name); - dict_update(ro_name_space, VAR_SERVNAME, - strcmp(process_name, argv->argv[0]) != 0 ? - argv->argv[0] : process_name); - masterp->ro_params = dict_handle(ro_name_space); + dict_put(masterp->ro_params, VAR_PROCNAME, process_name); + dict_put(masterp->ro_params, VAR_SERVNAME, + strcmp(process_name, argv->argv[0]) != 0 ? + argv->argv[0] : process_name); myfree(ro_name_space); masterp->all_params = 0; return (0); diff -ur --new-file /var/tmp/postfix-3.5.19/src/smtpd/smtpd.c ./src/smtpd/smtpd.c --- /var/tmp/postfix-3.5.19/src/smtpd/smtpd.c 2021-11-15 08:42:43.000000000 -0500 +++ ./src/smtpd/smtpd.c 2023-06-05 16:34:00.000000000 -0400 /* OBSOLETE STARTTLS CONTROLS /* .ad /* .fi @@ -751,6 +758,11 @@ /* The maximal number of AUTH commands that any client is allowed to /* send to this service per time unit, regardless of whether or not /* Postfix actually accepts those commands. +/* .PP +/* Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later: +/* .IP "\fBsmtpd_forbid_unauth_pipelining (Postfix >= 3.9: yes)\fR" +/* Disconnect remote SMTP clients that violate RFC 2920 (or 5321) +/* command pipelining constraints. /* TARPIT CONTROLS /* .ad /* .fi @@ -1436,6 +1448,7 @@ char *var_milt_unk_macros; char *var_milt_macro_deflts; bool var_smtpd_client_port_log; +bool var_smtpd_forbid_unauth_pipe; char *var_stress; char *var_reject_tmpf_act; 
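Review bot: `masterp->ro_params` now owns a private table created by `dict_ht_open()` instead of holding a handle obtained by name, so whatever frees a PCF_MASTER_ENT has to close it, and that code (presumably `pcf_free_master_entry()`) is not part of this diff. The postconf_edit.c hunks now build and discard tentative entries inside the request loop, so a free path without `dict_close(masterp->ro_params)` would leak one table per discarded entry; please confirm. Also confirm that `<fcntl.h>` is in scope for `O_CREAT | O_RDWR`, since the include hunk adds only `<dict_ht.h>`. The function body begins before this hunk.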
@@ -5363,6 +5376,32 @@ static STRING_LIST *smtpd_noop_cmds; static STRING_LIST *smtpd_forbid_cmds; +/* smtpd_flag_ill_pipelining - flag pipelining protocol violation */ + +static int smtpd_flag_ill_pipelining(SMTPD_STATE *state) +{ + + /* + * This code will not return after I/O error, timeout, or EOF. VSTREAM + * exceptions must be enabled in advance with smtp_stream_setup(). + */ + if (vstream_peek(state->client) == 0 + && peekfd(vstream_fileno(state->client)) > 0) + (void) vstream_ungetc(state->client, smtp_fgetc(state->client)); + if (vstream_peek(state->client) > 0) { + if (state->expand_buf == 0) + state->expand_buf = vstring_alloc(100); + escape(state->expand_buf, vstream_peek_data(state->client), + vstream_peek(state->client) < 100 ? + vstream_peek(state->client) : 100); + msg_info("improper command pipelining after %s from %s: %s", + state->where, state->namaddr, STR(state->expand_buf)); + state->flags |= SMTPD_FLAG_ILL_PIPELINING; + return (1); + } + return (0); +} + /* smtpd_proto - talk the SMTP protocol */ static void smtpd_proto(SMTPD_STATE *state) @@ -5502,6 +5541,21 @@ #endif /* + * If the client spoke before the server sends the initial greeting, + * raise a flag and log the content of the protocol violation. This + * check MUST NOT apply to TLS wrappermode connections. + */ + if (SMTPD_STAND_ALONE(state) == 0 + && vstream_context(state->client) == 0 /* not postscreen */ + && (state->flags & SMTPD_FLAG_ILL_PIPELINING) == 0 + && smtpd_flag_ill_pipelining(state) + && var_smtpd_forbid_unauth_pipe) { + smtpd_chat_reply(state, + "554 5.5.0 Error: SMTP protocol synchronization"); + break; + } + + /* * XXX The client connection count/rate control must be consistent in * its use of client address information in connect and disconnect * events. For now we exclude xclient authorized hosts from 
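Review bot: The log line in `smtpd_flag_ill_pipelining()` reports `state->where`, whereas the inline code it replaces in the -5728 hunk reported `cmdp->name`, so the token after "improper command pipelining after" now depends on callers keeping `state->where` current, and log matching that keys on command names may need a second look. That contract is not written down; I would extend the header comment to say that the function reads `state->where`, logs at most 100 escaped bytes of buffered client data, sets the sticky SMTPD_FLAG_ILL_PIPELINING flag and returns 1 on a violation, 0 otherwise. The literal 100 appears three times (the allocation and both sides of the length clamp) and would read better as one named constant.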
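Review bot: The comment in the -5502 hunk says the pre-greeting check MUST NOT apply to TLS wrappermode connections, yet none of the four conditions in the `if` mentions wrappermode or the TLS state. If the exclusion is achieved by placement, that is, the check runs only after the wrappermode handshake handled before the `#endif` above, the comment should say exactly that, for instance `/* Runs after the wrappermode handshake above, so the client's TLS hello is never seen here. */`. If it is not guaranteed by placement, the condition needs an explicit test, because in wrappermode the client legitimately sends first. The code before the `#endif` is outside the hunk, so I could not check which of the two holds.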
@@ -5728,16 +5782,11 @@ && (strcasecmp(state->protocol, MAIL_PROTO_ESMTP) != 0 || (cmdp->flags & SMTPD_CMD_FLAG_LAST)) && (state->flags & SMTPD_FLAG_ILL_PIPELINING) == 0 - && (vstream_peek(state->client) > 0 - || peekfd(vstream_fileno(state->client)) > 0)) { - if (state->expand_buf == 0) - state->expand_buf = vstring_alloc(100); - escape(state->expand_buf, vstream_peek_data(state->client), - vstream_peek(state->client) < 100 ? - vstream_peek(state->client) : 100); - msg_info("improper command pipelining after %s from %s: %s", - cmdp->name, state->namaddr, STR(state->expand_buf)); - state->flags |= SMTPD_FLAG_ILL_PIPELINING; + && smtpd_flag_ill_pipelining(state) + && var_smtpd_forbid_unauth_pipe) { + smtpd_chat_reply(state, + "554 5.5.0 Error: SMTP protocol synchronization"); + break; } if (cmdp->action(state, argc, argv) != 0) state->error_count++; @@ -6400,6 +6449,7 @@ VAR_SMTPD_PEERNAME_LOOKUP, DEF_SMTPD_PEERNAME_LOOKUP, &var_smtpd_peername_lookup, VAR_SMTPD_DELAY_OPEN, DEF_SMTPD_DELAY_OPEN, &var_smtpd_delay_open, VAR_SMTPD_CLIENT_PORT_LOG, DEF_SMTPD_CLIENT_PORT_LOG, &var_smtpd_client_port_log, + VAR_SMTPD_FORBID_UNAUTH_PIPE, DEF_SMTPD_FORBID_UNAUTH_PIPE, &var_smtpd_forbid_unauth_pipe, 0, }; static const CONFIG_NBOOL_TABLE nbool_table[] = { diff -ur --new-file /var/tmp/postfix-3.5.19/src/tls/tls.h ./src/tls/tls.h --- /var/tmp/postfix-3.5.19/src/tls/tls.h 2023-01-28 10:42:43.000000000 -0500 +++ ./src/tls/tls.h 2023-06-05 11:07:48.000000000 -0400 @@ -77,6 +77,7 @@ #include <openssl/crypto.h> /* Legacy SSLEAY_VERSION_NUMBER */ #include <openssl/opensslv.h> /* OPENSSL_VERSION_NUMBER */ #include <openssl/ssl.h> +#include <openssl/conf.h> /* Appease indent(1) */ #define x509_stack_t STACK_OF(X509) 
@@ -362,6 +363,7 @@ * tls_misc.c */ extern void tls_param_init(void); +extern int tls_library_init(void); /* * Protocol selection. diff -ur --new-file /var/tmp/postfix-3.5.19/src/tls/tls_client.c ./src/tls/tls_client.c --- /var/tmp/postfix-3.5.19/src/tls/tls_client.c 2023-01-21 16:00:03.000000000 -0500 +++ ./src/tls/tls_client.c 2023-06-05 11:07:48.000000000 -0400 @@ -345,6 +345,13 @@ #endif /* + * Initialize the OpenSSL library, possibly loading its configuration + * file. + */ + if (tls_library_init() == 0) + return (0); + + /* * Create an application data index for SSL objects, so that we can * attach TLScontext information; this information is needed inside * tls_verify_certificate_callback(). diff -ur --new-file /var/tmp/postfix-3.5.19/src/tls/tls_misc.c ./src/tls/tls_misc.c --- /var/tmp/postfix-3.5.19/src/tls/tls_misc.c 2023-01-21 08:37:17.000000000 -0500 +++ ./src/tls/tls_misc.c 2023-06-05 11:09:45.000000000 -0400 @@ -29,6 +29,8 @@ /* #define TLS_INTERNAL /* #include <tls.h> /* +/* char *var_tls_cnf_file; +/* char *var_tls_cnf_name; /* char *var_tls_high_clist; /* char *var_tls_medium_clist; /* char *var_tls_low_clist; @@ -69,6 +71,8 @@ /* /* void tls_param_init() /* +/* int tls_library_init(void) +/* /* int tls_protocol_mask(plist) /* const char *plist; /* @@ -153,6 +157,9 @@ /* tls_param_init() loads main.cf parameters used internally in /* TLS library. Any errors are fatal. /* +/* tls_library_init() initializes the OpenSSL library, optionally +/* loading an OpenSSL configuration file. +/* /* tls_pre_jail_init() opens any tables that need to be opened before /* entering a chroot jail. The "role" parameter must be TLS_ROLE_CLIENT /* for clients and TLS_ROLE_SERVER for servers. Any errors are fatal. @@ -272,6 +279,8 @@ /* * Tunable parameters. */ +char *var_tls_cnf_file; +char *var_tls_cnf_name; char *var_tls_high_clist; char *var_tls_medium_clist; char *var_tls_low_clist; 
@@ -599,6 +608,8 @@ { /* If this changes, update TLS_CLIENT_PARAMS in tls_proxy.h. */ static const CONFIG_STR_TABLE str_table[] = { + VAR_TLS_CNF_FILE, DEF_TLS_CNF_FILE, &var_tls_cnf_file, 0, 0, + VAR_TLS_CNF_NAME, DEF_TLS_CNF_NAME, &var_tls_cnf_name, 0, 0, VAR_TLS_HIGH_CLIST, DEF_TLS_HIGH_CLIST, &var_tls_high_clist, 1, 0, VAR_TLS_MEDIUM_CLIST, DEF_TLS_MEDIUM_CLIST, &var_tls_medium_clist, 1, 0, VAR_TLS_LOW_CLIST, DEF_TLS_LOW_CLIST, &var_tls_low_clist, 1, 0, 
@@ -642,6 +653,118 @@ get_mail_conf_bool_table(bool_table); } +/* tls_library_init - perform OpenSSL library initialization */ + +int tls_library_init(void) +{ + OPENSSL_INIT_SETTINGS *init_settings; + char *conf_name = *var_tls_cnf_name ? var_tls_cnf_name : 0; + char *conf_file = 0; + unsigned long init_opts = 0; + +#define TLS_LIB_INIT_TODO (-1) +#define TLS_LIB_INIT_ERR (0) +#define TLS_LIB_INIT_OK (1) + + static int init_res = TLS_LIB_INIT_TODO; + + if (init_res != TLS_LIB_INIT_TODO) + return (init_res); + + /* + * Backwards compatibility: skip this function unless the Postfix + * configuration actually has non-default tls_config_xxx settings. + */ + if (strcmp(var_tls_cnf_file, DEF_TLS_CNF_FILE) == 0 + && strcmp(var_tls_cnf_name, DEF_TLS_CNF_NAME) == 0) { + if (msg_verbose) + msg_info("tls_library_init: using backwards-compatible defaults"); + return (init_res = TLS_LIB_INIT_OK); + } + if ((init_settings = OPENSSL_INIT_new()) == 0) { + msg_warn("error allocating OpenSSL init settings, " + "disabling TLS support"); + return (init_res = TLS_LIB_INIT_ERR); + } +#define TLS_LIB_INIT_RETURN(x) \ + do { OPENSSL_INIT_free(init_settings); return (init_res = (x)); } while(0) + +#if OPENSSL_VERSION_NUMBER < 0x1010102fL + + /* + * OpenSSL 1.1.0 through 1.1.1a, no support for custom configuration + * files, disabling loading of the file, or getting strict error + * handling. Thus, the only supported configuration file is "default". + */ + if (strcmp(var_tls_cnf_file, "default") != 0) { + msg_warn("non-default %s = %s requires OpenSSL 1.1.1b or later, " + "disabling TLS support", VAR_TLS_CNF_FILE, var_tls_cnf_file); + TLS_LIB_INIT_RETURN(TLS_LIB_INIT_ERR); + } +#else + { + unsigned long file_flags = 0; + + /*- + * OpenSSL 1.1.1b or later: + * We can now use a non-default configuration file, or + * use none at all. We can also request strict error + * reporting. 
+ */ + if (strcmp(var_tls_cnf_file, "none") == 0) { + init_opts |= OPENSSL_INIT_NO_LOAD_CONFIG; + } else if (strcmp(var_tls_cnf_file, "default") == 0) { + + /* + * The default global config file is optional. With "default" + * initialisation we don't insist on a match for the requested + * application name, allowing fallback to the default application + * name, even when a non-default application name is specified. + * Errors in loading the default configuration are ignored. + */ + conf_file = 0; + file_flags |= CONF_MFLAGS_IGNORE_MISSING_FILE; + file_flags |= CONF_MFLAGS_DEFAULT_SECTION; + file_flags |= CONF_MFLAGS_IGNORE_RETURN_CODES | CONF_MFLAGS_SILENT; + } else if (*var_tls_cnf_file == '/') { + + /* + * A custom config file must be present, error reporting is + * strict and the configuration section for the requested + * application name does not fall back to "openssl_conf" when + * missing. + */ + conf_file = var_tls_cnf_file; + } else { + msg_warn("non-default %s = %s is not an absolute pathname, " + "disabling TLS support", VAR_TLS_CNF_FILE, var_tls_cnf_file); + TLS_LIB_INIT_RETURN(TLS_LIB_INIT_ERR); + } + + OPENSSL_INIT_set_config_file_flags(init_settings, file_flags); + } +#endif + + if (conf_file) + OPENSSL_INIT_set_config_filename(init_settings, conf_file); + if (conf_name) + OPENSSL_INIT_set_config_appname(init_settings, conf_name); + + if (OPENSSL_init_ssl(init_opts, init_settings) <= 0) { + if ((init_opts & OPENSSL_INIT_NO_LOAD_CONFIG) == 0) + msg_warn("error loading the '%s' settings from the %s OpenSSL " + "configuration file, disabling TLS support", + conf_name ? conf_name : "global", + conf_file ? 
conf_file : "default"); + else + msg_warn("error initializing the OpenSSL library, " + "disabling TLS support"); + tls_print_errors(); + TLS_LIB_INIT_RETURN(TLS_LIB_INIT_ERR); + } + TLS_LIB_INIT_RETURN(TLS_LIB_INIT_OK); +} + /* tls_pre_jail_init - Load TLS related pre-jail tables */ void tls_pre_jail_init(TLS_ROLE role) diff -ur --new-file /var/tmp/postfix-3.5.19/src/tls/tls_proxy.h ./src/tls/tls_proxy.h --- /var/tmp/postfix-3.5.19/src/tls/tls_proxy.h 2019-02-11 08:30:11.000000000 -0500 +++ ./src/tls/tls_proxy.h 2023-06-05 11:07:48.000000000 -0400 @@ -44,6 +44,8 @@ * VAR_TLS_SERVER_SNI_MAPS. */ typedef struct TLS_CLIENT_PARAMS { + char *tls_cnf_file; + char *tls_cnf_name; char *tls_high_clist; char *tls_medium_clist; char *tls_low_clist; @@ -65,12 +67,13 @@ } TLS_CLIENT_PARAMS; #define TLS_PROXY_PARAMS(params, a1, a2, a3, a4, a5, a6, a7, a8, \ - a9, a10, a11, a12, a13, a14, a15, a16, a17, a18) \ + a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20) \ (((params)->a1), ((params)->a2), ((params)->a3), \ ((params)->a4), ((params)->a5), ((params)->a6), ((params)->a7), \ ((params)->a8), ((params)->a9), ((params)->a10), ((params)->a11), \ ((params)->a12), ((params)->a13), ((params)->a14), ((params)->a15), \ - ((params)->a16), ((params)->a17), ((params)->a18)) + ((params)->a16), ((params)->a17), ((params)->a18), ((params)->a19), \ + ((params)->a20)) /* * tls_proxy_client_param_misc.c, tls_proxy_client_param_print.c, and @@ -216,6 +219,8 @@ /* * TLS_CLIENT_INIT_PROPS attributes. */ +#define TLS_ATTR_CNF_FILE "config_file" +#define TLS_ATTR_CNF_NAME "config_name" #define TLS_ATTR_LOG_PARAM "log_param" #define TLS_ATTR_LOG_LEVEL "log_level" #define TLS_ATTR_VERIFYDEPTH "verifydepth" diff -ur --new-file /var/tmp/postfix-3.5.19/src/tls/tls_proxy_client_misc.c ./src/tls/tls_proxy_client_misc.c --- /var/tmp/postfix-3.5.19/src/tls/tls_proxy_client_misc.c 2019-02-11 08:39:43.000000000 -0500 +++ ./src/tls/tls_proxy_client_misc.c 2023-06-05 11:07:48.000000000 -0400 
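Review bot: Every failure path in `tls_library_init()` logs a `msg_warn` ending in "disabling TLS support" and returns 0, which the new callers in tls_client.c and tls_server.c turn into a failed context initialisation, so a typo in `tls_config_file` removes TLS from the whole service at warning level only. Whether mail is then deferred or handled without TLS depends on the configured security level, which this diff does not show; the header comment should state the consequence and that the result is cached in `init_res` for the life of the process. The custom-file branch checks only for a leading '/', and an OpenSSL configuration file can direct the library to load engine or provider modules, so the comment or the parameter documentation should say that the file needs the same ownership and write protection as main.cf.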
@@ -78,6 +78,8 @@ TLS_CLIENT_PARAMS *tls_proxy_client_param_from_config(TLS_CLIENT_PARAMS *params) { TLS_PROXY_PARAMS(params, + tls_cnf_file = var_tls_cnf_file, + tls_cnf_name = var_tls_cnf_name, tls_high_clist = var_tls_high_clist, tls_medium_clist = var_tls_medium_clist, tls_low_clist = var_tls_low_clist, diff -ur --new-file /var/tmp/postfix-3.5.19/src/tls/tls_proxy_client_print.c ./src/tls/tls_proxy_client_print.c --- /var/tmp/postfix-3.5.19/src/tls/tls_proxy_client_print.c 2020-06-19 13:39:34.000000000 -0400 +++ ./src/tls/tls_proxy_client_print.c 2023-06-05 11:07:48.000000000 -0400 @@ -95,6 +95,8 @@ msg_info("begin tls_proxy_client_param_print"); ret = print_fn(fp, flags | ATTR_FLAG_MORE, + SEND_ATTR_STR(TLS_ATTR_CNF_FILE, params->tls_cnf_file), + SEND_ATTR_STR(TLS_ATTR_CNF_NAME, params->tls_cnf_name), SEND_ATTR_STR(VAR_TLS_HIGH_CLIST, params->tls_high_clist), SEND_ATTR_STR(VAR_TLS_MEDIUM_CLIST, params->tls_medium_clist), diff -ur --new-file /var/tmp/postfix-3.5.19/src/tls/tls_proxy_client_scan.c ./src/tls/tls_proxy_client_scan.c --- /var/tmp/postfix-3.5.19/src/tls/tls_proxy_client_scan.c 2021-04-03 12:13:35.000000000 -0400 +++ ./src/tls/tls_proxy_client_scan.c 2023-06-05 11:07:48.000000000 -0400 @@ -120,6 +120,8 @@ void tls_proxy_client_param_free(TLS_CLIENT_PARAMS *params) { + myfree(params->tls_cnf_file); + myfree(params->tls_cnf_name); myfree(params->tls_high_clist); myfree(params->tls_medium_clist); myfree(params->tls_low_clist); @@ -144,6 +146,8 @@ TLS_CLIENT_PARAMS *params = (TLS_CLIENT_PARAMS *) mymalloc(sizeof(*params)); int ret; + VSTRING *cnf_file = vstring_alloc(25); + VSTRING *cnf_name = vstring_alloc(25); VSTRING *tls_high_clist = vstring_alloc(25); VSTRING *tls_medium_clist = vstring_alloc(25); VSTRING *tls_low_clist = vstring_alloc(25); 
@@ -166,6 +170,8 @@ */ memset(params, 0, sizeof(*params)); ret = scan_fn(fp, flags | ATTR_FLAG_MORE, + RECV_ATTR_STR(TLS_ATTR_CNF_FILE, cnf_file), + RECV_ATTR_STR(TLS_ATTR_CNF_NAME, cnf_name), RECV_ATTR_STR(VAR_TLS_HIGH_CLIST, tls_high_clist), RECV_ATTR_STR(VAR_TLS_MEDIUM_CLIST, tls_medium_clist), RECV_ATTR_STR(VAR_TLS_LOW_CLIST, tls_low_clist), @@ -191,6 +197,8 @@ ¶ms->tls_multi_wildcard), ATTR_TYPE_END); /* Always construct a well-formed structure. */ + params->tls_cnf_file = vstring_export(cnf_file); + params->tls_cnf_name = vstring_export(cnf_name); params->tls_high_clist = vstring_export(tls_high_clist); params->tls_medium_clist = vstring_export(tls_medium_clist); params->tls_low_clist = vstring_export(tls_low_clist); @@ -205,7 +213,7 @@ params->tls_mgr_service = vstring_export(tls_mgr_service); params->tls_tkt_cipher = vstring_export(tls_tkt_cipher); - ret = (ret == 18 ? 1 : -1); + ret = (ret == 20 ? 1 : -1); if (ret != 1) { tls_proxy_client_param_free(params); params = 0; diff -ur --new-file /var/tmp/postfix-3.5.19/src/tls/tls_server.c ./src/tls/tls_server.c --- /var/tmp/postfix-3.5.19/src/tls/tls_server.c 2023-01-28 10:42:43.000000000 -0500 +++ ./src/tls/tls_server.c 2023-06-05 11:07:48.000000000 -0400 @@ -387,6 +387,13 @@ #endif /* + * Initialize the OpenSSL library, possibly loading its configuration + * file. + */ + if (tls_library_init() == 0) + return (0); + + /* * First validate the protocols. If these are invalid, we can't continue. */ protomask = tls_protocol_mask(props->protocols);
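Review bot: `ret == 20` in the -205 hunk has to equal the number of RECV_ATTR entries in the scan call, the SEND_ATTR list in tls_proxy_client_print.c and the arity of TLS_PROXY_PARAMS in tls_proxy.h, and all of these are kept in step by hand. I would put a comment on this line naming those places, e.g. `/* 20 = number of attributes received above; keep in sync with tls_proxy_client_param_print() and TLS_PROXY_PARAMS */`. Since the attribute list itself changes, a sender and a receiver built from different sides of this patch would fail this check, so running processes presumably need a full restart after the update; that belongs in the package changelog. The function continues outside the hunk.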