Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/external/ibm-public/postfix/dist Resolve conflicts from last...



details:   https://anonhg.NetBSD.org/src/rev/4e7f309be18d
branches:  trunk
changeset: 810685:4e7f309be18d
user:      tron <tron%NetBSD.org@localhost>
date:      Sat Sep 12 08:23:23 2015 +0000

description:
Resolve conflicts from last import

diffstat:

 external/ibm-public/postfix/dist/README_FILES/TLS_README  |   82 +++---
 external/ibm-public/postfix/dist/html/TLS_README.html     |   72 ++--
 external/ibm-public/postfix/dist/html/postconf.5.html     |  170 +++++-------
 external/ibm-public/postfix/dist/makedefs                 |   12 +-
 external/ibm-public/postfix/dist/man/man5/postconf.5      |  179 +++++--------
 external/ibm-public/postfix/dist/proto/TLS_README.html    |   72 ++--
 external/ibm-public/postfix/dist/proto/postconf.proto     |  170 +++++-------
 external/ibm-public/postfix/dist/src/global/mail_params.h |   20 +-
 external/ibm-public/postfix/dist/src/smtp/smtp.c          |    8 +-
 external/ibm-public/postfix/dist/src/smtpd/smtpd.c        |    8 +-
 external/ibm-public/postfix/dist/src/util/sys_defs.h      |    6 +-
 11 files changed, 350 insertions(+), 449 deletions(-)

diffs (truncated from 1721 to 300 lines):

diff -r d99474bdcc23 -r 4e7f309be18d external/ibm-public/postfix/dist/README_FILES/TLS_README
--- a/external/ibm-public/postfix/dist/README_FILES/TLS_README  Sat Sep 12 08:20:22 2015 +0000
+++ b/external/ibm-public/postfix/dist/README_FILES/TLS_README  Sat Sep 12 08:23:23 2015 +0000
@@ -569,13 +569,15 @@
 
 SSeerrvveerr--ssiiddee cciipphheerr ccoonnttrroollss
 
-The Postfix SMTP server supports 5 distinct cipher security levels as specified
-by the smtpd_tls_mandatory_ciphers configuration parameter, which determines
-the cipher grade with mandatory TLS encryption. The default value is "medium"
-which is essentially 128-bit encryption or better. With opportunistic TLS
-encryption, the minimum accepted cipher grade is typically "export". The
-corresponding smtpd_tls_ciphers parameter (Postfix >= 2.6) controls the cipher
-grade used with opportunistic TLS.
+The Postfix SMTP server supports 5 distinct cipher grades as specified by the
+smtpd_tls_mandatory_ciphers configuration parameter, which determines the
+minimum cipher grade with mandatory TLS encryption. The default minimum cipher
+grade for mandatory TLS is "medium" which is essentially 128-bit encryption or
+better. The smtpd_tls_ciphers parameter (Postfix >= 2.6) controls the minimum
+cipher grade used with opportunistic TLS. Here, the default minimum cipher
+grade is "medium" for Postfix releases after the middle of 2015, "export" for
+older Postfix releases. With Postfix < 2.6, the minimum opportunistic TLS
+cipher grade is always "export".
 
 By default anonymous ciphers are enabled. They are automatically disabled when
 remote SMTP client certificates are requested. If clients are expected to
@@ -585,15 +587,12 @@
 SMTP client to check the server certificate, so excluding anonymous ciphers is
 generally unnecessary.
 
-The "smtpd_tls_ciphers" configuration parameter (Postfix >= 2.6) provides
-control over the minimum cipher grade for opportunistic TLS. With Postfix <
-2.6, the minimum opportunistic TLS cipher grade is always "export".
-
-With mandatory TLS encryption, the Postfix SMTP server will by default disable
-SSLv2. SSLv2 is used only when TLS encryption is optional. The mandatory TLS
+With mandatory and opportunistic TLS encryption, the Postfix SMTP server by
+default disables SSLv2 and SSLv3 with Postfix releases after the middle of
+2015; older releases only disable SSLv2 for mandatory TLS. The mandatory TLS
 protocol list is specified via the smtpd_tls_mandatory_protocols configuration
-parameter. The corresponding smtpd_tls_protocols parameter (Postfix >= 2.6)
-controls the SSL/TLS protocols used with opportunistic TLS.
+parameter. The smtpd_tls_protocols parameter (Postfix >= 2.6) controls the SSL/
+TLS protocols used with opportunistic TLS.
 
 Note that the OpenSSL library only supports protocol exclusion (not inclusion).
 For this reason, Postfix can exclude only protocols that are known at the time
@@ -777,13 +776,10 @@
 configured by setting "smtp_tls_security_level = may". For LMTP, use the
 corresponding "lmtp_" parameter.
 
-Since sending in the clear is acceptable, demanding stronger than default TLS
-security mostly reduces inter-operability. If you must restrict TLS protocol or
-cipher selection even with opportunistic TLS, the "smtp_tls_ciphers" and
-"smtp_tls_protocols" configuration parameters (Postfix >= 2.6) provide control
-over the protocols and cipher grade used with opportunistic TLS. With earlier
-releases the opportunistic TLS cipher grade is always "export" and no protocols
-are disabled.
+The "smtp_tls_ciphers" and "smtp_tls_protocols" configuration parameters
+(Postfix >= 2.6) provide control over the cipher grade and protocols used with
+opportunistic TLS. With earlier Postfix releases, opportunistic TLS always uses
+the cipher grade "export" and enables all protocols.
 
 With opportunistic TLS, mail delivery continues even if the server certificate
 is untrusted or bears the wrong name. When the TLS handshake fails for an
@@ -844,7 +840,7 @@
 
 In the example below, traffic to example.com and its sub-domains via the
 corresponding MX hosts always uses TLS. The SSLv2 protocol will be disabled
-(the default setting of smtp_tls_mandatory_protocols excludes "SSLv2"). Only
+(the default setting of smtp_tls_mandatory_protocols excludes SSLv2+3). Only
 high- or medium-strength (i.e. 128 bit or better) ciphers will be used by
 default for all "encrypt" security level sessions.
 
@@ -1629,15 +1625,15 @@
     TLSA records in DNSSEC. If no TLSA records are found, the effective
     security level used is may. If TLSA records are found, but none are usable,
     the effective security level is encrypt. When usable TLSA records are
-    obtained for the remote SMTP server, SSLv2 is automatically disabled (see
-    smtp_tls_mandatory_protocols), and the server certificate must match the
-    TLSA records. RFC 6698 (DANE) TLS authentication and DNSSEC support is
+    obtained for the remote SMTP server, SSLv2+3 are automatically disabled
+    (see smtp_tls_mandatory_protocols), and the server certificate must match
+    the TLSA records. RFC 6698 (DANE) TLS authentication and DNSSEC support is
     available with Postfix 2.11 and later.
 ddaannee--oonnllyy
     Mandatory DANE TLS. The TLS policy for the destination is obtained via TLSA
     records in DNSSEC. If no TLSA records are found, or none are usable, no
     connection is made to the server. When usable TLSA records are obtained for
-    the remote SMTP server, SSLv2 is automatically disabled (see
+    the remote SMTP server, SSLv2+3 are automatically disabled (see
     smtp_tls_mandatory_protocols), and the server certificate must match the
     TLSA records. RFC 6698 (DANE) TLS authentication and DNSSEC support is
     available with Postfix 2.11 and later.
@@ -1768,13 +1764,13 @@
 
 CClliieenntt--ssiiddee cciipphheerr ccoonnttrroollss
 
-The Postfix SMTP client supports 5 distinct cipher security levels as specified
-by the smtp_tls_mandatory_ciphers configuration parameter. This setting
-controls the minimum acceptable SMTP client TLS cipher grade for use with
-mandatory TLS encryption. The default value "medium" is suitable for most
-destinations with which you may want to enforce TLS, and is beyond the reach of
-today's cryptanalytic methods. See smtp_tls_policy_maps for information on how
-to configure ciphers on a per-destination basis.
+The Postfix SMTP client supports 5 distinct cipher grades as specified by the
+smtp_tls_mandatory_ciphers configuration parameter. This setting controls the
+minimum acceptable SMTP client TLS cipher grade for use with mandatory TLS
+encryption. The default value "medium" is suitable for most destinations with
+which you may want to enforce TLS, and is beyond the reach of today's
+cryptanalytic methods. See smtp_tls_policy_maps for information on how to
+configure ciphers on a per-destination basis.
 
 By default anonymous ciphers are allowed, and automatically disabled when
 remote SMTP server certificates are verified. If you want to disable anonymous
@@ -1786,14 +1782,16 @@
 requesting them.
 
 The "smtp_tls_ciphers" configuration parameter (Postfix >= 2.6) provides
-control over the minimum cipher grade for opportunistic TLS. With Postfix <
-2.6, the minimum opportunistic TLS cipher grade is always "export".
+control over the minimum cipher grade for opportunistic TLS. The default
+minimum cipher grade for opportunistic TLS is "medium" for Postfix releases
+after the middle of 2015, and "export" for older releases. With Postfix < 2.6,
+the minimum opportunistic TLS cipher grade is always "export".
 
-With mandatory TLS encryption, the Postfix SMTP client will by default disable
-SSLv2. SSLv2 is used only when TLS encryption is optional. The mandatory TLS
-protocol list is specified via the smtp_tls_mandatory_protocols configuration
-parameter. The corresponding smtp_tls_protocols parameter (Postfix >= 2.6)
-controls the SSL/TLS protocols used with opportunistic TLS.
+With mandatory and opportunistic TLS encryption, the Postfix SMTP client will
+by default disable SSLv2 and SSLv3. The mandatory TLS protocol list is
+specified via the smtp_tls_mandatory_protocols configuration parameter. The
+corresponding smtp_tls_protocols parameter (Postfix >= 2.6) controls the SSL/
+TLS protocols used with opportunistic TLS.
 
 Example:
 
@@ -1806,7 +1804,7 @@
         # Legacy form for Postfix < 2.5:
         smtp_tls_mandatory_protocols = SSLv3, TLSv1
         # Also available with Postfix >= 2.6:
-        smtp_tls_ciphers = export
+        smtp_tls_ciphers = medium
         smtp_tls_protocols = !SSLv2
 
 CClliieenntt--ssiiddee SSMMTTPPSS ssuuppppoorrtt
diff -r d99474bdcc23 -r 4e7f309be18d external/ibm-public/postfix/dist/html/TLS_README.html
--- a/external/ibm-public/postfix/dist/html/TLS_README.html     Sat Sep 12 08:20:22 2015 +0000
+++ b/external/ibm-public/postfix/dist/html/TLS_README.html     Sat Sep 12 08:23:23 2015 +0000
@@ -810,14 +810,16 @@
 
 <h3><a name="server_cipher">Server-side cipher controls</a> </h3>
 
-<p> The Postfix SMTP server supports 5 distinct cipher security levels
-as specified by the <a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a> configuration parameter,
-which determines the cipher grade with mandatory TLS encryption. The
-default value is "medium" which is essentially 128-bit encryption or better.
-With opportunistic TLS encryption, the minimum accepted cipher grade is
-typically "export". The corresponding <a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a> parameter
-(Postfix &ge; 2.6) controls the cipher grade used with opportunistic
-TLS. </p>
+<p> The Postfix SMTP server supports 5 distinct cipher grades as
+specified by the <a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a> configuration parameter,
+which determines the minimum cipher grade with mandatory TLS
+encryption.  The default minimum cipher grade for mandatory TLS is
+"medium" which is essentially 128-bit encryption or better.  The
+<a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a> parameter (Postfix &ge; 2.6) controls the minimum
+cipher grade used with opportunistic TLS.  Here, the default minimum
+cipher grade is "medium" for Postfix releases after the middle of
+2015, "export" for older Postfix releases. With Postfix &lt; 2.6,
+the minimum opportunistic TLS cipher grade is always "export".  </p>
 
 <p> By default anonymous ciphers are enabled. They are automatically
 disabled when remote SMTP client certificates are requested. If
@@ -828,17 +830,12 @@
 a remote SMTP client to check the server certificate, so excluding
 anonymous ciphers is generally unnecessary. </p>
 
-<p> The "<a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a>" configuration parameter (Postfix &ge;
-2.6) provides control over the minimum cipher grade for opportunistic
-TLS. With
-Postfix &lt; 2.6, the minimum opportunistic TLS cipher grade is always
-"export". </p>
-
-<p> With mandatory TLS encryption, the Postfix SMTP server will by
-default disable SSLv2. SSLv2 is used only when TLS encryption
-is optional. The mandatory TLS protocol list is specified via the
+<p> With mandatory and opportunistic TLS encryption, the Postfix
+SMTP server by default disables SSLv2 and SSLv3 with Postfix releases
+after the middle of 2015; older releases only disable SSLv2 for
+mandatory TLS. The mandatory TLS protocol list is specified via the
 <a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> configuration parameter.  The
-corresponding <a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> parameter (Postfix &ge; 2.6)
+<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> parameter (Postfix &ge; 2.6)
 controls the SSL/TLS protocols used with opportunistic TLS. </p>
 
 <p> Note that the OpenSSL library only supports protocol exclusion
@@ -1080,14 +1077,11 @@
 Opportunistic TLS can be configured by setting "<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = may".
 For LMTP, use the corresponding "lmtp_" parameter. </p>
 
-<p> Since sending in the clear is acceptable, demanding stronger
-than default TLS security mostly reduces inter-operability. If you
-must restrict TLS protocol or cipher selection even with opportunistic
-TLS, the "<a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a>" and "<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a>" configuration
-parameters (Postfix &ge; 2.6) provide control over the protocols
-and cipher grade
-used with opportunistic TLS. With earlier releases the opportunistic TLS
-cipher grade is always "export" and no protocols are disabled. </p>
+<p> The "<a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a>" and "<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a>" configuration
+parameters (Postfix &ge; 2.6) provide control over the cipher grade
+and protocols used with opportunistic TLS.  With earlier Postfix
+releases, opportunistic TLS always uses the cipher grade "export"
+and enables all protocols. </p>
 
 <p> With opportunistic TLS, mail delivery continues even if the
 server certificate is untrusted or bears the wrong name.  
@@ -1163,7 +1157,7 @@
 <p> In the example below, traffic to <i>example.com</i> and its sub-domains
 via the corresponding MX hosts always uses TLS. The SSLv2 protocol
 will be disabled (the default setting of <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>
-excludes "SSLv2"). Only high- or medium-strength (i.e. 128 bit or
+excludes SSLv2+3). Only high- or medium-strength (i.e. 128 bit or
 better) ciphers will be used by default for all "encrypt" security
 level sessions. </p>
 
@@ -2143,7 +2137,7 @@
 used is <a href="#client_tls_may">may</a>.  If TLSA records are
 found, but none are usable, the effective security level is <a
 href="#client_tls_encrypt">encrypt</a>.  When usable TLSA records
-are obtained for the remote SMTP server, SSLv2 is automatically
+are obtained for the remote SMTP server, SSLv2+3 are automatically
 disabled (see <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>), and the server certificate
 must match the TLSA records.  <a href="http://tools.ietf.org/html/rfc6698";>RFC 6698</a> (DANE) TLS authentication
 and DNSSEC support is available with Postfix 2.11 and later.  </dd>
@@ -2152,7 +2146,7 @@
 The TLS policy for the destination is obtained via TLSA records in
 DNSSEC.  If no TLSA records are found, or none are usable, no
 connection is made to the server.  When usable TLSA records are
-obtained for the remote SMTP server, SSLv2 is automatically disabled
+obtained for the remote SMTP server, SSLv2+3 are automatically disabled
 (see <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>), and the server certificate must
 match the TLSA records.  <a href="http://tools.ietf.org/html/rfc6698";>RFC 6698</a> (DANE) TLS authentication and
 DNSSEC support is available with Postfix 2.11 and later.  </dd>
@@ -2318,7 +2312,7 @@
 
 <h3> <a name="client_cipher">Client-side cipher controls </a> </h3>
 
-<p> The Postfix SMTP client supports 5 distinct cipher security levels
+<p> The Postfix SMTP client supports 5 distinct cipher grades
 as specified by the <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> configuration
 parameter. This setting controls the minimum acceptable SMTP client
 TLS cipher grade for use with mandatory TLS encryption. The default
@@ -2339,13 +2333,15 @@
 little point in requesting them. </p>
 
 <p> The "<a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a>" configuration parameter (Postfix &ge; 2.6)
-provides control over the minimum cipher grade for opportunistic TLS. With
-Postfix &lt; 2.6, the minimum opportunistic TLS cipher grade is always
-"export". </p>
-
-<p> With mandatory TLS encryption, the Postfix SMTP client will by
-default disable SSLv2. SSLv2 is used only when TLS encryption
-is optional. The mandatory TLS protocol list is specified via the
+provides control over the minimum cipher grade for opportunistic TLS.
+The default minimum cipher grade for opportunistic TLS is "medium"
+for Postfix releases after the middle of 2015, and "export" for
+older releases.  With Postfix &lt; 2.6, the minimum opportunistic
+TLS cipher grade is always "export".  </p>
+
+<p> With mandatory and opportunistic TLS encryption, the Postfix
+SMTP client will by default disable SSLv2 and SSLv3. The mandatory
+TLS protocol list is specified via the
 <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> configuration parameter.  The corresponding
 <a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> parameter (Postfix &ge; 2.6) controls
 the SSL/TLS protocols used with opportunistic TLS. </p>
@@ -2363,7 +2359,7 @@
     # Legacy form for Postfix &lt; 2.5:
     <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = SSLv3, TLSv1
     # Also available with Postfix &ge; 2.6:
-    <a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> = export
+    <a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> = medium
     <a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = !SSLv2
 </pre>
 </blockquote>
diff -r d99474bdcc23 -r 4e7f309be18d external/ibm-public/postfix/dist/html/postconf.5.html
--- a/external/ibm-public/postfix/dist/html/postconf.5.html     Sat Sep 12 08:20:22 2015 +0000
+++ b/external/ibm-public/postfix/dist/html/postconf.5.html     Sat Sep 12 08:23:23 2015 +0000
@@ -4727,7 +4727,7 @@
 </DD>
 
 <DT><b><a name="lmtp_tls_ciphers">lmtp_tls_ciphers</a>
-(default: export)</b></DT><DD>
+(default: medium)</b></DT><DD>
 
 <p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> configuration
 parameter. See there for details. </p>
@@ -4861,7 +4861,7 @@



Home | Main Index | Thread Index | Old Index