File postfix-3.7-patch06 of Package postfix

Overview Repositories Revisions Requests Users Attributes Meta

File postfix-3.7-patch06 of Package postfix

diff -ur --new-file /var/tmp/postfix-3.7.5/html/lmtp.8.html ./html/lmtp.8.html
--- /var/tmp/postfix-3.7.5/html/lmtp.8.html	2021-12-23 17:24:55.000000000 -0500
+++ ./html/lmtp.8.html	2023-06-04 18:23:40.000000000 -0400
@@ -686,6 +686,15 @@
 A workaround for implementations that hang Postfix while shut-
 ting down a TLS session, until Postfix times out.
 
+ Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+
+ <a href="postconf.5.html#tls_config_file">tls_config_file</a> (default)
+ Optional configuration file with baseline OpenSSL settings.
+
+ <a href="postconf.5.html#tls_config_name">tls_config_name</a> (empty)
+ The application name passed by Postfix to OpenSSL library ini-
+ tialization functions.
+
 OBSOLETE STARTTLS CONTROLS
 The following configuration parameters exist for compatibility with
 Postfix versions before 2.3. Support for these will be removed in a
diff -ur --new-file /var/tmp/postfix-3.7.5/html/postconf.5.html ./html/postconf.5.html
--- /var/tmp/postfix-3.7.5/html/postconf.5.html	2022-01-21 16:39:35.000000000 -0500
+++ ./html/postconf.5.html	2023-06-05 16:57:04.000000000 -0400
@@ -15533,6 +15533,22 @@
 
 </DD>
 
+<DT><a name="smtpd_forbid_unauth_pipelining">smtpd_forbid_unauth_pipelining</a>
+(default: Postfix &ge; 3.9: yes)</DT><DD>
+
+ Disconnect remote SMTP clients that violate <a href="https://tools.ietf.org/html/rfc2920">RFC 2920</a> (or 5321)
+command pipelining constraints. The server replies with "554 5.5.0
+Error: SMTP protocol synchronization" and logs the unexpected remote
+SMTP client input. Specify "<a href="postconf.5.html#smtpd_forbid_unauth_pipelining">smtpd_forbid_unauth_pipelining</a> = yes"
+to enable. This feature is enabled by default with Postfix &ge;
+3.9. 
+
+ This feature is available in Postfix &ge; 3.9, 3.8.1, 3.7.6,
+3.6.10, and 3.5.20. 
+
+
+</DD>
+
 <DT><a name="smtpd_forbidden_commands">smtpd_forbidden_commands</a>
 (default: CONNECT GET POST <a href="regexp_table.5.html">regexp</a>:{{/^[^A-Z]/ Bogus}})</DT><DD>
 
@@ -19075,6 +19091,113 @@
 
 </DD>
 
+<DT><a name="tls_config_file">tls_config_file</a>
+(default: default)</DT><DD>
+
+ Optional configuration file with baseline OpenSSL settings.
+OpenSSL loads any SSL settings found in the configuration file for
+the selected application name (see <a href="postconf.5.html#tls_config_name">tls_config_name</a>) or else the
+built-in application name "openssl_conf" when no application name is
+specified, or no corresponding configuration section is present.
+
+
+ With OpenSSL releases 1.1.1 and 1.1.1a, applications (including
+Postfix) can neither specify an alternative configuration file, nor
+avoid loading the default configuration file. 
+
+ With OpenSSL 1.1.1b or later, this parameter may be set to one of:
+
+
+<dl>
+
+<dt> default (default) </dt> <dd> Load the system-wide
+"openssl.cnf" configuration file. </dd>
+
+<dt> none (recommended, OpenSSL 1.1.1b or later only) </dt>
+<dd> This setting disables loading of the system-wide "openssl.cnf"
+file. </dd>
+
+<dt> /absolute-path (OpenSSL 1.1.1b or later only) </dt>
+<dd> Load the configuration file specified by /absolute-path.
+With this setting it is an error for the file to not contain any
+settings for the selected <a href="postconf.5.html#tls_config_name">tls_config_name</a>. There is no fallback to
+the default "openssl_conf" name. </dd>
+
+</dl>
+
+ Failures in processing of the built-in default configuration file,
+are silently ignored. Any errors in loading a non-default configuration
+file are detected by Postfix, and cause TLS support to be disabled.
+
+
+ The OpenSSL configuration file format is not documented here,
+beyond giving two examples. 
+
+ Example: Default settings for all applications. 
+
+<blockquote>
+<pre>
+# The name 'openssl_conf' is the default application name
+# The section name to the right of the '=' sign is arbitrary,
+# any name will do, so long as it refers to the desired section.
+#
+# The name 'system_default' selects the settings applied internally
+# by the SSL library as part of SSL object creation. Applications
+# can then apply any additional settings of their choice.
+#
+# In this example, TLS versions prior to 1.2 are disabled by default.
+#
+openssl_conf = system_wide_settings
+[system_wide_settings]
+ssl_conf = ssl_library_settings
+[ssl_library_settings]
+system_default = initial_ssl_settings
+[initial_ssl_settings]
+MinProtocol = TLSv1.2
+</pre>
+</blockquote>
+
+ Example: Custom settings for an application named "postfix". 
+
+<blockquote>
+<pre>
+# The mapping from an application name to the corresponding configuration
+# section must appear near the top of the file, (in what is sometimes called
+# the "default section") prior to the start of any explicitly named
+# "[sections]". The named sections can appear in any order and don't nest.
+#
+postfix = postfix_settings
+[postfix_settings]
+ssl_conf = postfix_ssl_settings
+[postfix_ssl_settings]
+system_default = baseline_postfix_settings
+[baseline_postfix_settings]
+MinProtocol = TLSv1
+</pre>
+</blockquote>
+
+ This feature is available in Postfix &ge; 3.9, 3.8.1, 3.7.6,
+3.6.10, and 3.5.20. 
+
+
+</DD>
+
+<DT><a name="tls_config_name">tls_config_name</a>
+(default: empty)</DT><DD>
+
+ The application name passed by Postfix to OpenSSL library
+initialization functions. This name is used to select the desired
+configuration "section" in the OpenSSL configuration file specified
+via the <a href="postconf.5.html#tls_config_file">tls_config_file</a> parameter. When empty, or when the
+selected name is not present in the configuration file, the default
+application name ("openssl_conf") is used as a fallback. 
+
+ This feature is available in Postfix &ge; 3.9, 3.8.1, 3.7.6,
+3.6.10, and 3.5.20. 
+
+
+</DD>
+
 <DT><a name="tls_daemon_random_bytes">tls_daemon_random_bytes</a>
 (default: 32)</DT><DD>
 
diff -ur --new-file /var/tmp/postfix-3.7.5/html/smtp.8.html ./html/smtp.8.html
--- /var/tmp/postfix-3.7.5/html/smtp.8.html	2021-12-23 17:24:55.000000000 -0500
+++ ./html/smtp.8.html	2023-06-04 18:23:40.000000000 -0400
@@ -686,6 +686,15 @@
 A workaround for implementations that hang Postfix while shut-
 ting down a TLS session, until Postfix times out.
 
+ Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+
+ <a href="postconf.5.html#tls_config_file">tls_config_file</a> (default)
+ Optional configuration file with baseline OpenSSL settings.
+
+ <a href="postconf.5.html#tls_config_name">tls_config_name</a> (empty)
+ The application name passed by Postfix to OpenSSL library ini-
+ tialization functions.
+
 OBSOLETE STARTTLS CONTROLS
 The following configuration parameters exist for compatibility with
 Postfix versions before 2.3. Support for these will be removed in a
diff -ur --new-file /var/tmp/postfix-3.7.5/html/smtpd.8.html ./html/smtpd.8.html
--- /var/tmp/postfix-3.7.5/html/smtpd.8.html	2021-12-23 17:24:56.000000000 -0500
+++ ./html/smtpd.8.html	2023-06-05 16:08:12.000000000 -0400
@@ -632,6 +632,15 @@
 The email address form that will be used in non-debug logging
 (info, warning, etc.).
 
+ Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+
+ <a href="postconf.5.html#tls_config_file">tls_config_file</a> (default)
+ Optional configuration file with baseline OpenSSL settings.
+
+ <a href="postconf.5.html#tls_config_name">tls_config_name</a> (empty)
+ The application name passed by Postfix to OpenSSL library ini-
+ tialization functions.
+
 OBSOLETE STARTTLS CONTROLS
 The following configuration parameters exist for compatibility with
 Postfix versions before 2.3. Support for these will be removed in a
@@ -954,6 +963,12 @@
 <a href="postconf.5.html#header_from_format">header_from_format</a> (standard)
 The format of the Postfix-generated From: header.
 
+ Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+
+ <a href="postconf.5.html#smtpd_forbid_unauth_pipelining">smtpd_forbid_unauth_pipelining</a> (Postfix &gt;= 3.9: yes)
+ Disconnect remote SMTP clients that violate <a href="https://tools.ietf.org/html/rfc2920">RFC 2920</a> (or 5321)
+ command pipelining constraints.
+
 TARPIT CONTROLS
 When a remote SMTP client makes errors, the Postfix SMTP server can
 insert delays before responding. This can help to slow down run-away
diff -ur --new-file /var/tmp/postfix-3.7.5/html/tlsproxy.8.html ./html/tlsproxy.8.html
--- /var/tmp/postfix-3.7.5/html/tlsproxy.8.html	2022-02-05 09:58:53.000000000 -0500
+++ ./html/tlsproxy.8.html	2023-06-04 18:36:17.000000000 -0400
@@ -150,6 +150,15 @@
 A workaround for implementations that hang Postfix while shut-
 ting down a TLS session, until Postfix times out.
 
+ Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+
+ <a href="postconf.5.html#tls_config_file">tls_config_file</a> (default)
+ Optional configuration file with baseline OpenSSL settings.
+
+ <a href="postconf.5.html#tls_config_name">tls_config_name</a> (empty)
+ The application name passed by Postfix to OpenSSL library ini-
+ tialization functions.
+
 STARTTLS SERVER CONTROLS
 These settings are clones of Postfix SMTP server settings. They allow
 <a href="tlsproxy.8.html">tlsproxy(8)</a> to load the same certificate and private key information as
diff -ur --new-file /var/tmp/postfix-3.7.5/man/man5/postconf.5 ./man/man5/postconf.5
--- /var/tmp/postfix-3.7.5/man/man5/postconf.5	2022-01-21 16:39:35.000000000 -0500
+++ ./man/man5/postconf.5	2023-06-05 16:57:05.000000000 -0400
@@ -10677,6 +10677,16 @@
 parameter $name expansion.
 .PP
 This feature is available in Postfix 2.0 and later.
+.SH smtpd_forbid_unauth_pipelining (default: Postfix >= 3.9: yes)
+Disconnect remote SMTP clients that violate RFC 2920 (or 5321)
+command pipelining constraints. The server replies with "554 5.5.0
+Error: SMTP protocol synchronization" and logs the unexpected remote
+SMTP client input. Specify "smtpd_forbid_unauth_pipelining = yes"
+to enable. This feature is enabled by default with Postfix >=
+3.9.
+.PP
+This feature is available in Postfix >= 3.9, 3.8.1, 3.7.6,
+3.6.10, and 3.5.20.
 .SH smtpd_forbidden_commands (default: CONNECT GET POST regexp:{{/^[^A\-Z]/ Bogus}})
 List of commands that cause the Postfix SMTP server to immediately
 terminate the session with a 221 code. This can be used to disconnect
@@ -13495,6 +13505,104 @@
 2.7.2 and later versions. Specify "tls_append_default_CA = yes" for
 backwards compatibility, to avoid breaking certificate verification
 with sites that don't use permit_tls_all_clientcerts.
+.SH tls_config_file (default: default)
+Optional configuration file with baseline OpenSSL settings.
+OpenSSL loads any SSL settings found in the configuration file for
+the selected application name (see tls_config_name) or else the
+built\-in application name "openssl_conf" when no application name is
+specified, or no corresponding configuration section is present.
+.PP
+With OpenSSL releases 1.1.1 and 1.1.1a, applications (including
+Postfix) can neither specify an alternative configuration file, nor
+avoid loading the default configuration file.
+.PP
+With OpenSSL 1.1.1b or later, this parameter may be set to one of:
+.IP "\fBdefault\fR (default)"
+Load the system\-wide
+"openssl.cnf" configuration file.
+.br
+.IP "\fBnone\fR (recommended, OpenSSL 1.1.1b or later only)"
+This setting disables loading of the system\-wide "openssl.cnf"
+file.
+.br
+.IP "\fB\fI/absolute\-path\fR\fR (OpenSSL 1.1.1b or later only)"
+Load the configuration file specified by \fI/absolute\-path\fR.
+With this setting it is an error for the file to not contain any
+settings for the selected tls_config_name. There is no fallback to
+the default "openssl_conf" name.
+.br
+.br
+.PP
+Failures in processing of the built\-in default configuration file,
+are silently ignored. Any errors in loading a non\-default configuration
+file are detected by Postfix, and cause TLS support to be disabled.
+.PP
+The OpenSSL configuration file format is not documented here,
+beyond giving two examples.
+.PP
+Example: Default settings for all applications.
+.sp
+.in +4
+.nf
+.na
+.ft C
+# The name 'openssl_conf' is the default application name
+# The section name to the right of the '=' sign is arbitrary,
+# any name will do, so long as it refers to the desired section.
+#
+# The name 'system_default' selects the settings applied internally
+# by the SSL library as part of SSL object creation. Applications
+# can then apply any additional settings of their choice.
+#
+# In this example, TLS versions prior to 1.2 are disabled by default.
+#
+openssl_conf = system_wide_settings
+[system_wide_settings]
+ssl_conf = ssl_library_settings
+[ssl_library_settings]
+system_default = initial_ssl_settings
+[initial_ssl_settings]
+MinProtocol = TLSv1.2
+.fi
+.ad
+.ft R
+.in -4
+.PP
+Example: Custom settings for an application named "postfix".
+.sp
+.in +4
+.nf
+.na
+.ft C
+# The mapping from an application name to the corresponding configuration
+# section must appear near the top of the file, (in what is sometimes called
+# the "default section") prior to the start of any explicitly named
+# "[sections]". The named sections can appear in any order and don't nest.
+#
+postfix = postfix_settings
+[postfix_settings]
+ssl_conf = postfix_ssl_settings
+[postfix_ssl_settings]
+system_default = baseline_postfix_settings
+[baseline_postfix_settings]
+MinProtocol = TLSv1
+.fi
+.ad
+.ft R
+.in -4
+.PP
+This feature is available in Postfix >= 3.9, 3.8.1, 3.7.6,
+3.6.10, and 3.5.20.
+.SH tls_config_name (default: empty)
+The application name passed by Postfix to OpenSSL library
+initialization functions. This name is used to select the desired
+configuration "section" in the OpenSSL configuration file specified
+via the tls_config_file parameter. When empty, or when the
+selected name is not present in the configuration file, the default
+application name ("openssl_conf") is used as a fallback.
+.PP
+This feature is available in Postfix >= 3.9, 3.8.1, 3.7.6,
+3.6.10, and 3.5.20.
 .SH tls_daemon_random_bytes (default: 32)
 The number of pseudo\-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8)
 process requests from the \fBtlsmgr\fR(8) server in order to seed its
diff -ur --new-file /var/tmp/postfix-3.7.5/man/man8/smtp.8 ./man/man8/smtp.8
--- /var/tmp/postfix-3.7.5/man/man8/smtp.8	2021-10-27 19:38:48.000000000 -0400
+++ ./man/man8/smtp.8	2023-06-05 09:12:12.000000000 -0400
@@ -617,6 +617,13 @@
 .IP "\fBtls_fast_shutdown_enable (yes)\fR"
 A workaround for implementations that hang Postfix while shutting
 down a TLS session, until Postfix times out.
+.PP
+Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+.IP "\fBtls_config_file (default)\fR"
+Optional configuration file with baseline OpenSSL settings.
+.IP "\fBtls_config_name (empty)\fR"
+The application name passed by Postfix to OpenSSL library
+initialization functions.
 .SH "OBSOLETE STARTTLS CONTROLS"
 .na
 .nf
diff -ur --new-file /var/tmp/postfix-3.7.5/man/man8/smtpd.8 ./man/man8/smtpd.8
--- /var/tmp/postfix-3.7.5/man/man8/smtpd.8	2021-10-02 11:40:28.000000000 -0400
+++ ./man/man8/smtpd.8	2023-06-05 16:07:31.000000000 -0400
@@ -559,6 +559,13 @@
 .IP "\fBinfo_log_address_format (external)\fR"
 The email address form that will be used in non\-debug logging
 (info, warning, etc.).
+.PP
+Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+.IP "\fBtls_config_file (default)\fR"
+Optional configuration file with baseline OpenSSL settings.
+.IP "\fBtls_config_name (empty)\fR"
+The application name passed by Postfix to OpenSSL library
+initialization functions.
 .SH "OBSOLETE STARTTLS CONTROLS"
 .na
 .nf
@@ -836,6 +843,11 @@
 smtpd_per_request_deadline.
 .IP "\fBheader_from_format (standard)\fR"
 The format of the Postfix\-generated \fBFrom:\fR header.
+.PP
+Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+.IP "\fBsmtpd_forbid_unauth_pipelining (Postfix >= 3.9: yes)\fR"
+Disconnect remote SMTP clients that violate RFC 2920 (or 5321)
+command pipelining constraints.
 .SH "TARPIT CONTROLS"
 .na
 .nf
diff -ur --new-file /var/tmp/postfix-3.7.5/man/man8/tlsproxy.8 ./man/man8/tlsproxy.8
--- /var/tmp/postfix-3.7.5/man/man8/tlsproxy.8	2022-02-05 09:58:52.000000000 -0500
+++ ./man/man8/tlsproxy.8	2023-06-04 18:04:04.000000000 -0400
@@ -150,6 +150,13 @@
 .IP "\fBtls_fast_shutdown_enable (yes)\fR"
 A workaround for implementations that hang Postfix while shutting
 down a TLS session, until Postfix times out.
+.PP
+Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+.IP "\fBtls_config_file (default)\fR"
+Optional configuration file with baseline OpenSSL settings.
+.IP "\fBtls_config_name (empty)\fR"
+The application name passed by Postfix to OpenSSL library
+initialization functions.
 .SH "STARTTLS SERVER CONTROLS"
 .na
 .nf
diff -ur --new-file /var/tmp/postfix-3.7.5/mantools/postlink ./mantools/postlink
--- /var/tmp/postfix-3.7.5/mantools/postlink	2022-01-21 16:21:09.000000000 -0500
+++ ./mantools/postlink	2023-06-05 15:59:49.000000000 -0400
@@ -555,6 +555,7 @@
 s;\bsmtpd_etrn_restrictions\b;<a href="postconf.5.html#smtpd_etrn_restrictions">$&</a>;g;
 s;\bsmtpd_expansion_filter\b;<a href="postconf.5.html#smtpd_expansion_filter">$&</a>;g;
 s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bidden_commands\b;<a href="postconf.5.html#smtpd_forbidden_commands">$&</a>;g;
+ s;\bsmtpd_for[-</bB>]*\n*[ <bB>]*bid_unauth_pipelining\b;<a href="postconf.5.html#smtpd_forbid_unauth_pipelining">$&</a>;g;
 s;\bsmtpd_hard_error_limit\b;<a href="postconf.5.html#smtpd_hard_error_limit">$&</a>;g;
 s;\bsmtpd_helo_required\b;<a href="postconf.5.html#smtpd_helo_required">$&</a>;g;
 s;\bsmtpd_helo_restrictions\b;<a href="postconf.5.html#smtpd_helo_restrictions">$&</a>;g;
@@ -779,6 +780,8 @@
 s;\btls_session_ticket_cipher\b;<a href="postconf.5.html#tls_session_ticket_cipher">$&</a>;g;
 s;\btls_server_sni_maps\b;<a href="postconf.5.html#tls_server_sni_maps">$&</a>;g;
 s;\btls_ssl_options\b;<a href="postconf.5.html#tls_ssl_options">$&</a>;g;
+ s;\btls_config_name\b;<a href="postconf.5.html#tls_config_name">$&</a>;g;
+ s;\btls_config_file\b;<a href="postconf.5.html#tls_config_file">$&</a>;g;
 s;\btls_dane_digest_agility\b;<a href="postconf.5.html#tls_dane_digest_agility">$&</a>;g;
 s;\btls_dane_trust_anchor_digest_enable\b;<a href="postconf.5.html#tls_dane_trust_anchor_digest_enable">$&</a>;g;
 s;\btls_fast_shutdown_enable\b;<a href="postconf.5.html#tls_fast_shutdown_enable">$&</a>;g;
diff -ur --new-file /var/tmp/postfix-3.7.5/proto/postconf.proto ./proto/postconf.proto
--- /var/tmp/postfix-3.7.5/proto/postconf.proto	2022-01-21 16:12:15.000000000 -0500
+++ ./proto/postconf.proto	2023-06-05 15:59:49.000000000 -0400
@@ -18434,3 +18434,114 @@
 configuration parameter. See there for details. 
 
 This feature is available in Postfix 3.7 and later. 
+ 
+%PARAM tls_config_name
+
+ The application name passed by Postfix to OpenSSL library
+initialization functions. This name is used to select the desired
+configuration "section" in the OpenSSL configuration file specified
+via the tls_config_file parameter. When empty, or when the
+selected name is not present in the configuration file, the default
+application name ("openssl_conf") is used as a fallback. 
+
+ This feature is available in Postfix &ge; 3.9, 3.8.1, 3.7.6,
+3.6.10, and 3.5.20. 
+
+%PARAM tls_config_file default
+
+ Optional configuration file with baseline OpenSSL settings.
+OpenSSL loads any SSL settings found in the configuration file for
+the selected application name (see tls_config_name) or else the
+built-in application name "openssl_conf" when no application name is
+specified, or no corresponding configuration section is present.
+
+
+ With OpenSSL releases 1.1.1 and 1.1.1a, applications (including
+Postfix) can neither specify an alternative configuration file, nor
+avoid loading the default configuration file. 
+
+ With OpenSSL 1.1.1b or later, this parameter may be set to one of:
+
+
+<dl>
+
+<dt> default (default) </dt> <dd> Load the system-wide
+"openssl.cnf" configuration file. </dd>
+
+<dt> none (recommended, OpenSSL 1.1.1b or later only) </dt>
+<dd> This setting disables loading of the system-wide "openssl.cnf"
+file. </dd>
+
+<dt> /absolute-path (OpenSSL 1.1.1b or later only) </dt>
+<dd> Load the configuration file specified by /absolute-path.
+With this setting it is an error for the file to not contain any
+settings for the selected tls_config_name. There is no fallback to
+the default "openssl_conf" name. </dd>
+
+</dl>
+
+ Failures in processing of the built-in default configuration file,
+are silently ignored. Any errors in loading a non-default configuration
+file are detected by Postfix, and cause TLS support to be disabled.
+
+
+ The OpenSSL configuration file format is not documented here,
+beyond giving two examples. 
+
+ Example: Default settings for all applications. 
+
+<blockquote>
+<pre>
+# The name 'openssl_conf' is the default application name
+# The section name to the right of the '=' sign is arbitrary,
+# any name will do, so long as it refers to the desired section.
+#
+# The name 'system_default' selects the settings applied internally
+# by the SSL library as part of SSL object creation. Applications
+# can then apply any additional settings of their choice.
+#
+# In this example, TLS versions prior to 1.2 are disabled by default.
+#
+openssl_conf = system_wide_settings
+[system_wide_settings]
+ssl_conf = ssl_library_settings
+[ssl_library_settings]
+system_default = initial_ssl_settings
+[initial_ssl_settings]
+MinProtocol = TLSv1.2
+</pre>
+</blockquote>
+
+ Example: Custom settings for an application named "postfix". 
+
+<blockquote>
+<pre>
+# The mapping from an application name to the corresponding configuration
+# section must appear near the top of the file, (in what is sometimes called
+# the "default section") prior to the start of any explicitly named
+# "[sections]". The named sections can appear in any order and don't nest.
+#
+postfix = postfix_settings
+[postfix_settings]
+ssl_conf = postfix_ssl_settings
+[postfix_ssl_settings]
+system_default = baseline_postfix_settings
+[baseline_postfix_settings]
+MinProtocol = TLSv1
+</pre>
+</blockquote>
+
+ This feature is available in Postfix &ge; 3.9, 3.8.1, 3.7.6,
+3.6.10, and 3.5.20. 
+
+%PARAM smtpd_forbid_unauth_pipelining Postfix &ge; 3.9: yes
+
+ Disconnect remote SMTP clients that violate RFC 2920 (or 5321)
+command pipelining constraints. The server replies with "554 5.5.0
+Error: SMTP protocol synchronization" and logs the unexpected remote
+SMTP client input. Specify "smtpd_forbid_unauth_pipelining = yes"
+to enable. This feature is enabled by default with Postfix &ge;
+3.9. 
+
+ This feature is available in Postfix &ge; 3.9, 3.8.1, 3.7.6,
+3.6.10, and 3.5.20. 
diff -ur --new-file /var/tmp/postfix-3.7.5/src/global/mail_params.h ./src/global/mail_params.h
--- /var/tmp/postfix-3.7.5/src/global/mail_params.h	2022-04-08 18:10:07.000000000 -0400
+++ ./src/global/mail_params.h	2023-06-05 17:44:12.000000000 -0400
@@ -2436,6 +2436,10 @@
 #define DEF_SMTPD_PEERNAME_LOOKUP	1
 extern bool var_smtpd_peername_lookup;
 
+#define VAR_SMTPD_FORBID_UNAUTH_PIPE	"smtpd_forbid_unauth_pipelining"
+#define DEF_SMTPD_FORBID_UNAUTH_PIPE	1
+extern bool var_smtpd_forbid_unauth_pipe;
+
 /*
 * Heuristic to reject unknown local recipients at the SMTP port.
 */
@@ -3320,8 +3324,17 @@
 extern bool var_smtp_cname_overr;
 
 /*
- * TLS cipherlists
+ * TLS library settings
 */
+#define VAR_TLS_CNF_FILE	"tls_config_file"
+#define DEF_TLS_CNF_FILE	"default"
+extern char *var_tls_cnf_file;
+
+#define VAR_TLS_CNF_NAME	"tls_config_name"
+#define DEF_TLS_CNF_NAME	""
+extern char *var_tls_cnf_name;
+
+
 #define VAR_TLS_HIGH_CLIST	"tls_high_cipherlist"
 #define DEF_TLS_HIGH_CLIST	"aNULL:-aNULL:HIGH:@STRENGTH"
 extern char *var_tls_high_clist;
diff -ur --new-file /var/tmp/postfix-3.7.5/src/postconf/postconf_edit.c ./src/postconf/postconf_edit.c
--- /var/tmp/postfix-3.7.5/src/postconf/postconf_edit.c	2014-12-06 20:35:33.000000000 -0500
+++ ./src/postconf/postconf_edit.c	2023-05-17 14:30:17.000000000 -0400
@@ -192,6 +192,11 @@
 	} else {
 	 msg_panic("pcf_edit_main: unknown mode %d", mode);
 	}
+	if ((cvalue = htable_find(table, pattern)) != 0) {
+	 msg_warn("ignoring earlier request: '%s = %s'",
+		 pattern, cvalue->value);
+	 htable_delete(table, pattern, myfree);
+	}
 	cvalue = (struct cvalue *) mymalloc(sizeof(*cvalue));
 	cvalue->value = edit_value;
 	cvalue->found = 0;
@@ -459,8 +464,38 @@
 
 	 /*
 	 * Match each service pattern.
+	 * 
+	 * Additional care is needed when a request adds or replaces an
+	 * entire service definition, instead of a specific field or
+	 * parameter. Given a command "postconf -M name1/type1='name2
+	 * type2 ...'", where name1 and name2 may differ, and likewise
+	 * for type1 and type2:
+	 * 
+	 * - First, if an existing service definition a) matches the service
+	 * pattern 'name1/type1', or b) matches the name and type in the
+	 * new service definition 'name2 type2 ...', remove the service
+	 * definition.
+	 * 
+	 * - Then, after an a) or b) type match, add a new service
+	 * definition for 'name2 type2 ...', but only after the first
+	 * match.
+	 * 
+	 * - Finally, if a request had no a) or b) type match for any
+	 * master.cf service definition, add a new service definition for
+	 * 'name2 type2 ...'.
 	 */
 	 for (req = edit_reqs; req < edit_reqs + num_reqs; req++) {
+		PCF_MASTER_ENT *tentative_entry = 0;
+		int use_tentative_entry = 0;
+
+		/* Additional care for whole service definition requests. */
+		if ((mode & PCF_MASTER_ENTRY) && (mode & PCF_EDIT_CONF)) {
+		 tentative_entry = (PCF_MASTER_ENT *)
+			mymalloc(sizeof(*tentative_entry));
+		 if ((err = pcf_parse_master_entry(tentative_entry,
+						 req->edit_value)) != 0)
+			msg_fatal("%s: \"%s\"", err, req->raw_text);
+		}
 		if (PCF_MATCH_SERVICE_PATTERN(req->service_pattern,
 					 service_name,
 					 service_type)) {
@@ -506,18 +541,30 @@
 			 * Replace entire master.cf entry.
 			 */
 			case PCF_MASTER_ENTRY:
-			 if (new_entry != 0)
-				pcf_free_master_entry(new_entry);
-			 new_entry = (PCF_MASTER_ENT *)
-				mymalloc(sizeof(*new_entry));
-			 if ((err = pcf_parse_master_entry(new_entry,
-						 req->edit_value)) != 0)
-				msg_fatal("%s: \"%s\"", err, req->raw_text);
+			 if (req->match_count == 1)
+				use_tentative_entry = 1;
 			 break;
 			default:
 			 msg_panic("%s: unknown edit mode %d", myname, mode);
 			}
 		 }
+		} else if (tentative_entry != 0
+			 && PCF_MATCH_SERVICE_PATTERN(tentative_entry->argv,
+						 service_name,
+						 service_type)) {
+		 service_name_type_matched = 1;	/* Sticky flag */
+		 req->match_count += 1;
+		 if (req->match_count == 1)
+			use_tentative_entry = 1;
+		}
+		if (tentative_entry != 0) {
+		 if (use_tentative_entry) {
+			if (new_entry != 0)
+			 pcf_free_master_entry(new_entry);
+			new_entry = tentative_entry;
+		 } else {
+			pcf_free_master_entry(tentative_entry);
+		 }
 		}
 	 }
 
diff -ur --new-file /var/tmp/postfix-3.7.5/src/postconf/postconf_master.c ./src/postconf/postconf_master.c
--- /var/tmp/postfix-3.7.5/src/postconf/postconf_master.c	2021-12-19 10:04:41.000000000 -0500
+++ ./src/postconf/postconf_master.c	2023-05-17 14:30:17.000000000 -0400
@@ -156,6 +156,7 @@
 #include <readlline.h>
 #include <stringops.h>
 #include <split_at.h>
+#include <dict_ht.h>
 
 /* Global library. */
 
@@ -395,12 +396,12 @@
 	concatenate("ro", PCF_NAMESP_SEP_STR, masterp->name_space, (char *) 0);
 masterp->argv = argv;
 masterp->valid_names = 0;
+ masterp->ro_params = dict_ht_open(ro_name_space, O_CREAT | O_RDWR, 0);
 process_name = basename(argv->argv[PCF_MASTER_FLD_CMD]);
- dict_update(ro_name_space, VAR_PROCNAME, process_name);
- dict_update(ro_name_space, VAR_SERVNAME,
-		strcmp(process_name, argv->argv[0]) != 0 ?
-		argv->argv[0] : process_name);
- masterp->ro_params = dict_handle(ro_name_space);
+ dict_put(masterp->ro_params, VAR_PROCNAME, process_name);
+ dict_put(masterp->ro_params, VAR_SERVNAME,
+	 strcmp(process_name, argv->argv[0]) != 0 ?
+	 argv->argv[0] : process_name);
 myfree(ro_name_space);
 masterp->all_params = 0;
 return (0);
diff -ur --new-file /var/tmp/postfix-3.7.5/src/smtp/smtp.c ./src/smtp/smtp.c
--- /var/tmp/postfix-3.7.5/src/smtp/smtp.c	2021-10-27 19:38:44.000000000 -0400
+++ ./src/smtp/smtp.c	2021-10-27 19:38:44.000000000 -0400
@@ -583,6 +583,13 @@
 /* .IP "\fBtls_fast_shutdown_enable (yes)\fR"
 /*	A workaround for implementations that hang Postfix while shutting
 /*	down a TLS session, until Postfix times out.
+/* .PP
+/*	Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+/* .IP "\fBtls_config_file (default)\fR"
+/*	Optional configuration file with baseline OpenSSL settings.
+/* .IP "\fBtls_config_name (empty)\fR"
+/*	The application name passed by Postfix to OpenSSL library
+/*	initialization functions.
 /* OBSOLETE STARTTLS CONTROLS
 /* .ad
 /* .fi
diff -ur --new-file /var/tmp/postfix-3.7.5/src/smtpd/smtpd.c ./src/smtpd/smtpd.c
--- /var/tmp/postfix-3.7.5/src/smtpd/smtpd.c	2021-10-02 10:46:46.000000000 -0400
+++ ./src/smtpd/smtpd.c	2023-06-05 16:01:02.000000000 -0400
@@ -525,6 +525,13 @@
 /* .IP "\fBinfo_log_address_format (external)\fR"
 /*	The email address form that will be used in non-debug logging
 /*	(info, warning, etc.).
+/* .PP
+/*	Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+/* .IP "\fBtls_config_file (default)\fR"
+/*	Optional configuration file with baseline OpenSSL settings.
+/* .IP "\fBtls_config_name (empty)\fR"
+/*	The application name passed by Postfix to OpenSSL library
+/*	initialization functions.
 /* OBSOLETE STARTTLS CONTROLS
 /* .ad
 /* .fi
@@ -790,6 +797,11 @@
 /*	smtpd_per_request_deadline.
 /* .IP "\fBheader_from_format (standard)\fR"
 /*	The format of the Postfix-generated \fBFrom:\fR header.
+/* .PP
+/*	Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+/* .IP "\fBsmtpd_forbid_unauth_pipelining (Postfix >= 3.9: yes)\fR"
+/*	Disconnect remote SMTP clients that violate RFC 2920 (or 5321)
+/*	command pipelining constraints.
 /* TARPIT CONTROLS
 /* .ad
 /* .fi
@@ -1476,6 +1488,7 @@
 char *var_milt_unk_macros;
 char *var_milt_macro_deflts;
 bool var_smtpd_client_port_log;
+bool var_smtpd_forbid_unauth_pipe;
 char *var_stress;
 
 char *var_reject_tmpf_act;
@@ -5425,6 +5438,32 @@
 static STRING_LIST *smtpd_noop_cmds;
 static STRING_LIST *smtpd_forbid_cmds;
 
+/* smtpd_flag_ill_pipelining - flag pipelining protocol violation */
+
+static int smtpd_flag_ill_pipelining(SMTPD_STATE *state)
+{
+
+ /*
+ * This code will not return after I/O error, timeout, or EOF. VSTREAM
+ * exceptions must be enabled in advance with smtp_stream_setup().
+ */
+ if (vstream_peek(state->client) == 0
+	&& peekfd(vstream_fileno(state->client)) > 0)
+	(void) vstream_ungetc(state->client, smtp_fgetc(state->client));
+ if (vstream_peek(state->client) > 0) {
+	if (state->expand_buf == 0)
+	 state->expand_buf = vstring_alloc(100);
+	escape(state->expand_buf, vstream_peek_data(state->client),
+	 vstream_peek(state->client) < 100 ?
+	 vstream_peek(state->client) : 100);
+	msg_info("improper command pipelining after %s from %s: %s",
+		 state->where, state->namaddr, STR(state->expand_buf));
+	state->flags |= SMTPD_FLAG_ILL_PIPELINING;
+	return (1);
+ }
+ return (0);
+}
+
 /* smtpd_proto - talk the SMTP protocol */
 
 static void smtpd_proto(SMTPD_STATE *state)
@@ -5567,6 +5606,21 @@
 #endif
 
 	/*
+	 * If the client spoke before the server sends the initial greeting,
+	 * raise a flag and log the content of the protocol violation. This
+	 * check MUST NOT apply to TLS wrappermode connections.
+	 */
+	if (SMTPD_STAND_ALONE(state) == 0
+	 && vstream_context(state->client) == 0	/* not postscreen */
+	 && (state->flags & SMTPD_FLAG_ILL_PIPELINING) == 0
+	 && smtpd_flag_ill_pipelining(state)
+	 && var_smtpd_forbid_unauth_pipe) {
+	 smtpd_chat_reply(state,
+			 "554 5.5.0 Error: SMTP protocol synchronization");
+	 break;
+	}
+
+	/*
 	 * XXX The client connection count/rate control must be consistent in
 	 * its use of client address information in connect and disconnect
 	 * events. For now we exclude xclient authorized hosts from
@@ -5801,16 +5855,11 @@
 		&& (strcasecmp(state->protocol, MAIL_PROTO_ESMTP) != 0
 		 || (cmdp->flags & SMTPD_CMD_FLAG_LAST))
 		&& (state->flags & SMTPD_FLAG_ILL_PIPELINING) == 0
-		&& (vstream_peek(state->client) > 0
-		 || peekfd(vstream_fileno(state->client)) > 0)) {
-		if (state->expand_buf == 0)
-		 state->expand_buf = vstring_alloc(100);
-		escape(state->expand_buf, vstream_peek_data(state->client),
-		 vstream_peek(state->client) < 100 ?
-		 vstream_peek(state->client) : 100);
-		msg_info("improper command pipelining after %s from %s: %s",
-			 cmdp->name, state->namaddr, STR(state->expand_buf));
-		state->flags |= SMTPD_FLAG_ILL_PIPELINING;
+		&& smtpd_flag_ill_pipelining(state)
+		&& var_smtpd_forbid_unauth_pipe) {
+		smtpd_chat_reply(state,
+			 "554 5.5.0 Error: SMTP protocol synchronization");
+		break;
 	 }
 	 if (cmdp->action(state, argc, argv) != 0)
 		state->error_count++;
@@ -6479,6 +6528,7 @@
 	VAR_SMTPD_PEERNAME_LOOKUP, DEF_SMTPD_PEERNAME_LOOKUP, &var_smtpd_peername_lookup,
 	VAR_SMTPD_DELAY_OPEN, DEF_SMTPD_DELAY_OPEN, &var_smtpd_delay_open,
 	VAR_SMTPD_CLIENT_PORT_LOG, DEF_SMTPD_CLIENT_PORT_LOG, &var_smtpd_client_port_log,
+	VAR_SMTPD_FORBID_UNAUTH_PIPE, DEF_SMTPD_FORBID_UNAUTH_PIPE, &var_smtpd_forbid_unauth_pipe,
 	0,
 };
 static const CONFIG_NBOOL_TABLE nbool_table[] = {
diff -ur --new-file /var/tmp/postfix-3.7.5/src/tls/tls.h ./src/tls/tls.h
--- /var/tmp/postfix-3.7.5/src/tls/tls.h	2023-01-21 16:00:03.000000000 -0500
+++ ./src/tls/tls.h	2023-06-04 17:46:40.000000000 -0400
@@ -77,6 +77,7 @@
 #include <openssl/evp.h>		/* New OpenSSL 3.0 EVP_PKEY APIs */
 #include <openssl/opensslv.h>		/* OPENSSL_VERSION_NUMBER */
 #include <openssl/ssl.h>
+#include <openssl/conf.h>
 
 /* Appease indent(1) */
 #define x509_stack_t STACK_OF(X509)
@@ -322,6 +323,7 @@
 * tls_misc.c
 */
 extern void tls_param_init(void);
+extern int tls_library_init(void);
 
 /*
 * Protocol selection.
diff -ur --new-file /var/tmp/postfix-3.7.5/src/tls/tls_client.c ./src/tls/tls_client.c
--- /var/tmp/postfix-3.7.5/src/tls/tls_client.c	2023-01-21 16:00:03.000000000 -0500
+++ ./src/tls/tls_client.c	2023-06-04 17:46:40.000000000 -0400
@@ -641,6 +641,13 @@
 tls_check_version();
 
 /*
+ * Initialize the OpenSSL library, possibly loading its configuration
+ * file.
+ */
+ if (tls_library_init() == 0)
+	return (0);
+
+ /*
 * Create an application data index for SSL objects, so that we can
 * attach TLScontext information; this information is needed inside
 * tls_verify_certificate_callback().
diff -ur --new-file /var/tmp/postfix-3.7.5/src/tls/tls_misc.c ./src/tls/tls_misc.c
--- /var/tmp/postfix-3.7.5/src/tls/tls_misc.c	2023-01-15 18:16:48.000000000 -0500
+++ ./src/tls/tls_misc.c	2023-06-04 17:51:13.000000000 -0400
@@ -29,6 +29,8 @@
 /*	#define TLS_INTERNAL
 /*	#include <tls.h>
 /*
+/*	char	*var_tls_cnf_file;
+/*	char	*var_tls_cnf_name;
 /*	char	*var_tls_high_clist;
 /*	char	*var_tls_medium_clist;
 /*	char	*var_tls_low_clist;
@@ -69,6 +71,8 @@
 /*
 /*	void	tls_param_init()
 /*
+/*	int tls_library_init(void)
+/*
 /*	int	tls_proto_mask_lims(plist, floor, ceiling)
 /*	const char *plist;
 /*	int	*floor;
@@ -157,6 +161,9 @@
 /*	tls_param_init() loads main.cf parameters used internally in
 /*	TLS library. Any errors are fatal.
 /*
+/*	tls_library_init() initializes the OpenSSL library, optionally
+/*	loading an OpenSSL configuration file.
+/*
 /*	tls_pre_jail_init() opens any tables that need to be opened before
 /*	entering a chroot jail. The "role" parameter must be TLS_ROLE_CLIENT
 /*	for clients and TLS_ROLE_SERVER for servers. Any errors are fatal.
@@ -276,6 +283,8 @@
 /*
 * Tunable parameters.
 */
+char *var_tls_cnf_file;
+char *var_tls_cnf_name;
 char *var_tls_high_clist;
 char *var_tls_medium_clist;
 char *var_tls_low_clist;
@@ -644,6 +653,8 @@
 {
 /* If this changes, update TLS_CLIENT_PARAMS in tls_proxy.h. */
 static const CONFIG_STR_TABLE str_table[] = {
+	VAR_TLS_CNF_FILE, DEF_TLS_CNF_FILE, &var_tls_cnf_file, 0, 0,
+	VAR_TLS_CNF_NAME, DEF_TLS_CNF_NAME, &var_tls_cnf_name, 0, 0,
 	VAR_TLS_HIGH_CLIST, DEF_TLS_HIGH_CLIST, &var_tls_high_clist, 1, 0,
 	VAR_TLS_MEDIUM_CLIST, DEF_TLS_MEDIUM_CLIST, &var_tls_medium_clist, 1, 0,
 	VAR_TLS_LOW_CLIST, DEF_TLS_LOW_CLIST, &var_tls_low_clist, 1, 0,
@@ -687,6 +698,118 @@
 get_mail_conf_bool_table(bool_table);
 }
 
+/* tls_library_init - perform OpenSSL library initialization */
+
+int tls_library_init(void)
+{
+ OPENSSL_INIT_SETTINGS *init_settings;
+ char *conf_name = *var_tls_cnf_name ? var_tls_cnf_name : 0;
+ char *conf_file = 0;
+ unsigned long init_opts = 0;
+
+#define TLS_LIB_INIT_TODO	(-1)
+#define TLS_LIB_INIT_ERR	(0)
+#define TLS_LIB_INIT_OK		(1)
+
+ static int init_res = TLS_LIB_INIT_TODO;
+
+ if (init_res != TLS_LIB_INIT_TODO)
+	return (init_res);
+
+ /*
+ * Backwards compatibility: skip this function unless the Postfix
+ * configuration actually has non-default tls_config_xxx settings.
+ */
+ if (strcmp(var_tls_cnf_file, DEF_TLS_CNF_FILE) == 0
+	&& strcmp(var_tls_cnf_name, DEF_TLS_CNF_NAME) == 0) {
+	if (msg_verbose)
+	 msg_info("tls_library_init: using backwards-compatible defaults");
+	return (init_res = TLS_LIB_INIT_OK);
+ }
+ if ((init_settings = OPENSSL_INIT_new()) == 0) {
+	msg_warn("error allocating OpenSSL init settings, "
+		 "disabling TLS support");
+	return (init_res = TLS_LIB_INIT_ERR);
+ }
+#define TLS_LIB_INIT_RETURN(x) \
+ do { OPENSSL_INIT_free(init_settings); return (init_res = (x)); } while(0)
+
+#if OPENSSL_VERSION_NUMBER < 0x1010102fL
+
+ /*
+ * OpenSSL 1.1.0 through 1.1.1a, no support for custom configuration
+ * files, disabling loading of the file, or getting strict error
+ * handling. Thus, the only supported configuration file is "default".
+ */
+ if (strcmp(var_tls_cnf_file, "default") != 0) {
+	msg_warn("non-default %s = %s requires OpenSSL 1.1.1b or later, "
+	 "disabling TLS support", VAR_TLS_CNF_FILE, var_tls_cnf_file);
+	TLS_LIB_INIT_RETURN(TLS_LIB_INIT_ERR);
+ }
+#else
+ {
+	unsigned long file_flags = 0;
+
+	/*-
+	 * OpenSSL 1.1.1b or later:
+	 * We can now use a non-default configuration file, or
+	 * use none at all. We can also request strict error
+	 * reporting.
+	 */
+	if (strcmp(var_tls_cnf_file, "none") == 0) {
+	 init_opts |= OPENSSL_INIT_NO_LOAD_CONFIG;
+	} else if (strcmp(var_tls_cnf_file, "default") == 0) {
+
+	 /*
+	 * The default global config file is optional. With "default"
+	 * initialisation we don't insist on a match for the requested
+	 * application name, allowing fallback to the default application
+	 * name, even when a non-default application name is specified.
+	 * Errors in loading the default configuration are ignored.
+	 */
+	 conf_file = 0;
+	 file_flags |= CONF_MFLAGS_IGNORE_MISSING_FILE;
+	 file_flags |= CONF_MFLAGS_DEFAULT_SECTION;
+	 file_flags |= CONF_MFLAGS_IGNORE_RETURN_CODES | CONF_MFLAGS_SILENT;
+	} else if (*var_tls_cnf_file == '/') {
+
+	 /*
+	 * A custom config file must be present, error reporting is
+	 * strict and the configuration section for the requested
+	 * application name does not fall back to "openssl_conf" when
+	 * missing.
+	 */
+	 conf_file = var_tls_cnf_file;
+	} else {
+	 msg_warn("non-default %s = %s is not an absolute pathname, "
+	 "disabling TLS support", VAR_TLS_CNF_FILE, var_tls_cnf_file);
+	 TLS_LIB_INIT_RETURN(TLS_LIB_INIT_ERR);
+	}
+
+	OPENSSL_INIT_set_config_file_flags(init_settings, file_flags);
+ }
+#endif
+
+ if (conf_file)
+	OPENSSL_INIT_set_config_filename(init_settings, conf_file);
+ if (conf_name)
+	OPENSSL_INIT_set_config_appname(init_settings, conf_name);
+
+ if (OPENSSL_init_ssl(init_opts, init_settings) <= 0) {
+	if ((init_opts & OPENSSL_INIT_NO_LOAD_CONFIG) == 0)
+	 msg_warn("error loading the '%s' settings from the %s OpenSSL "
+		 "configuration file, disabling TLS support",
+		 conf_name ? conf_name : "global",
+		 conf_file ? conf_file : "default");
+	else
+	 msg_warn("error initializing the OpenSSL library, "
+		 "disabling TLS support");
+	tls_print_errors();
+	TLS_LIB_INIT_RETURN(TLS_LIB_INIT_ERR);
+ }
+ TLS_LIB_INIT_RETURN(TLS_LIB_INIT_OK);
+}
+
 /* tls_pre_jail_init - Load TLS related pre-jail tables */
 
 void tls_pre_jail_init(TLS_ROLE role)
diff -ur --new-file /var/tmp/postfix-3.7.5/src/tls/tls_proxy.h ./src/tls/tls_proxy.h
--- /var/tmp/postfix-3.7.5/src/tls/tls_proxy.h	2021-08-06 20:04:05.000000000 -0400
+++ ./src/tls/tls_proxy.h	2023-06-04 17:46:40.000000000 -0400
@@ -44,6 +44,8 @@
 * VAR_TLS_SERVER_SNI_MAPS.
 */
 typedef struct TLS_CLIENT_PARAMS {
+ char *tls_cnf_file;
+ char *tls_cnf_name;
 char *tls_high_clist;
 char *tls_medium_clist;
 char *tls_low_clist;
@@ -65,12 +67,13 @@
 } TLS_CLIENT_PARAMS;
 
 #define TLS_PROXY_PARAMS(params, a1, a2, a3, a4, a5, a6, a7, a8, \
- a9, a10, a11, a12, a13, a14, a15, a16, a17, a18) \
+ a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20) \
 (((params)->a1), ((params)->a2), ((params)->a3), \
 ((params)->a4), ((params)->a5), ((params)->a6), ((params)->a7), \
 ((params)->a8), ((params)->a9), ((params)->a10), ((params)->a11), \
 ((params)->a12), ((params)->a13), ((params)->a14), ((params)->a15), \
- ((params)->a16), ((params)->a17), ((params)->a18))
+ ((params)->a16), ((params)->a17), ((params)->a18), ((params)->a19), \
+ ((params)->a20))
 
 /*
 * tls_proxy_client_param_misc.c, tls_proxy_client_param_print.c, and
@@ -215,6 +218,8 @@
 /*
 * TLS_CLIENT_INIT_PROPS attributes.
 */
+#define TLS_ATTR_CNF_FILE	"config_file"
+#define TLS_ATTR_CNF_NAME	"config_name"
 #define TLS_ATTR_LOG_PARAM	"log_param"
 #define TLS_ATTR_LOG_LEVEL	"log_level"
 #define TLS_ATTR_VERIFYDEPTH	"verifydepth"
diff -ur --new-file /var/tmp/postfix-3.7.5/src/tls/tls_proxy_client_misc.c ./src/tls/tls_proxy_client_misc.c
--- /var/tmp/postfix-3.7.5/src/tls/tls_proxy_client_misc.c	2021-08-06 20:04:05.000000000 -0400
+++ ./src/tls/tls_proxy_client_misc.c	2023-06-04 17:46:40.000000000 -0400
@@ -66,6 +66,8 @@
 TLS_CLIENT_PARAMS *tls_proxy_client_param_from_config(TLS_CLIENT_PARAMS *params)
 {
 TLS_PROXY_PARAMS(params,
+		 tls_cnf_file = var_tls_cnf_file,
+		 tls_cnf_name = var_tls_cnf_name,
 		 tls_high_clist = var_tls_high_clist,
 		 tls_medium_clist = var_tls_medium_clist,
 		 tls_low_clist = var_tls_low_clist,
diff -ur --new-file /var/tmp/postfix-3.7.5/src/tls/tls_proxy_client_print.c ./src/tls/tls_proxy_client_print.c
--- /var/tmp/postfix-3.7.5/src/tls/tls_proxy_client_print.c	2021-08-06 20:04:05.000000000 -0400
+++ ./src/tls/tls_proxy_client_print.c	2023-06-04 17:46:40.000000000 -0400
@@ -95,6 +95,8 @@
 	msg_info("begin tls_proxy_client_param_print");
 
 ret = print_fn(fp, flags | ATTR_FLAG_MORE,
+		 SEND_ATTR_STR(TLS_ATTR_CNF_FILE, params->tls_cnf_file),
+		 SEND_ATTR_STR(TLS_ATTR_CNF_NAME, params->tls_cnf_name),
 		 SEND_ATTR_STR(VAR_TLS_HIGH_CLIST, params->tls_high_clist),
 		 SEND_ATTR_STR(VAR_TLS_MEDIUM_CLIST,
 				 params->tls_medium_clist),
diff -ur --new-file /var/tmp/postfix-3.7.5/src/tls/tls_proxy_client_scan.c ./src/tls/tls_proxy_client_scan.c
--- /var/tmp/postfix-3.7.5/src/tls/tls_proxy_client_scan.c	2020-07-18 20:21:31.000000000 -0400
+++ ./src/tls/tls_proxy_client_scan.c	2023-06-04 17:46:40.000000000 -0400
@@ -121,6 +121,8 @@
 
 void tls_proxy_client_param_free(TLS_CLIENT_PARAMS *params)
 {
+ myfree(params->tls_cnf_file);
+ myfree(params->tls_cnf_name);
 myfree(params->tls_high_clist);
 myfree(params->tls_medium_clist);
 myfree(params->tls_low_clist);
@@ -145,6 +147,8 @@
 TLS_CLIENT_PARAMS *params
 = (TLS_CLIENT_PARAMS *) mymalloc(sizeof(*params));
 int ret;
+ VSTRING *cnf_file = vstring_alloc(25);
+ VSTRING *cnf_name = vstring_alloc(25);
 VSTRING *tls_high_clist = vstring_alloc(25);
 VSTRING *tls_medium_clist = vstring_alloc(25);
 VSTRING *tls_low_clist = vstring_alloc(25);
@@ -167,6 +171,8 @@
 */
 memset(params, 0, sizeof(*params));
 ret = scan_fn(fp, flags | ATTR_FLAG_MORE,
+		 RECV_ATTR_STR(TLS_ATTR_CNF_FILE, cnf_file),
+		 RECV_ATTR_STR(TLS_ATTR_CNF_NAME, cnf_name),
 		 RECV_ATTR_STR(VAR_TLS_HIGH_CLIST, tls_high_clist),
 		 RECV_ATTR_STR(VAR_TLS_MEDIUM_CLIST, tls_medium_clist),
 		 RECV_ATTR_STR(VAR_TLS_LOW_CLIST, tls_low_clist),
@@ -192,6 +198,8 @@
 				&params->tls_multi_wildcard),
 		 ATTR_TYPE_END);
 /* Always construct a well-formed structure. */
+ params->tls_cnf_file = vstring_export(cnf_file);
+ params->tls_cnf_name = vstring_export(cnf_name);
 params->tls_high_clist = vstring_export(tls_high_clist);
 params->tls_medium_clist = vstring_export(tls_medium_clist);
 params->tls_low_clist = vstring_export(tls_low_clist);
@@ -206,7 +214,7 @@
 params->tls_mgr_service = vstring_export(tls_mgr_service);
 params->tls_tkt_cipher = vstring_export(tls_tkt_cipher);
 
- ret = (ret == 18 ? 1 : -1);
+ ret = (ret == 20 ? 1 : -1);
 if (ret != 1) {
 	tls_proxy_client_param_free(params);
 	params = 0;
diff -ur --new-file /var/tmp/postfix-3.7.5/src/tls/tls_server.c ./src/tls/tls_server.c
--- /var/tmp/postfix-3.7.5/src/tls/tls_server.c	2023-01-27 17:01:19.000000000 -0500
+++ ./src/tls/tls_server.c	2023-06-04 17:46:40.000000000 -0400
@@ -420,6 +420,13 @@
 tls_check_version();
 
 /*
+ * Initialize the OpenSSL library, possibly loading its configuration
+ * file.
+ */
+ if (tls_library_init() == 0)
+	return (0);
+
+ /*
 * First validate the protocols. If these are invalid, we can't continue.
 */
 protomask = tls_proto_mask_lims(props->protocols, &min_proto, &max_proto);
diff -ur --new-file /var/tmp/postfix-3.7.5/src/tlsproxy/tlsproxy.c ./src/tlsproxy/tlsproxy.c
--- /var/tmp/postfix-3.7.5/src/tlsproxy/tlsproxy.c	2022-02-05 09:56:04.000000000 -0500
+++ ./src/tlsproxy/tlsproxy.c	2023-06-04 17:46:40.000000000 -0400
@@ -134,6 +134,13 @@
 /* .IP "\fBtls_fast_shutdown_enable (yes)\fR"
 /*	A workaround for implementations that hang Postfix while shutting
 /*	down a TLS session, until Postfix times out.
+/* .PP
+/*	Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+/* .IP "\fBtls_config_file (default)\fR"
+/*	Optional configuration file with baseline OpenSSL settings.
+/* .IP "\fBtls_config_name (empty)\fR"
+/*	The application name passed by Postfix to OpenSSL library
+/*	initialization functions.
 /* STARTTLS SERVER CONTROLS
 /* .ad
 /* .fi

Places

File postfix-3.7-patch06 of Package postfix

Places