nginx.git/src/mail, branch release-1.23.3 nginx Filtering duplicate addresses in listen (ticket #2400). 2022-11-23T14:30:08+00:00 Maxim Dounin mdounin@mdounin.ru 2022-11-23T14:30:08+00:00 22223c75c9715e568f5710a8eed1fee9e7c2983f Due to the glibc bug[1], getaddrinfo("localhost") with AI_ADDRCONFIG on a typical host with glibc and without IPv6 returns two 127.0.0.1 addresses, and therefore "listen localhost:80;" used to result in "duplicate ... address and port pair" after 4f9b72a229c1. Fix is to explicitly filter out duplicate addresses returned during resolution of a name. [1] https://sourceware.org/bugzilla/show_bug.cgi?id=14969 
Due to the glibc bug[1], getaddrinfo("localhost") with AI_ADDRCONFIG
on a typical host with glibc and without IPv6 returns two 127.0.0.1
addresses, and therefore "listen localhost:80;" used to result in
"duplicate ... address and port pair" after 4f9b72a229c1.

Fix is to explicitly filter out duplicate addresses returned during
resolution of a name.

[1] https://sourceware.org/bugzilla/show_bug.cgi?id=14969
Increased maximum read PROXY protocol header size. 2022-11-02T09:46:16+00:00 Roman Arutyunyan arut@nginx.com 2022-11-02T09:46:16+00:00 7600ca028644d3ecc7e62499d71bbe21fe3bda0d Maximum size for reading the PROXY protocol header is increased to 4096 to accommodate a bigger number of TLVs, which are supported since cca4c8a715de. Maximum size for writing the PROXY protocol header is not changed since only version 1 is currently supported. 
Maximum size for reading the PROXY protocol header is increased to 4096 to
accommodate a bigger number of TLVs, which are supported since cca4c8a715de.

Maximum size for writing the PROXY protocol header is not changed since only
version 1 is currently supported.
SSL: improved validation of ssl_session_cache and ssl_ocsp_cache. 2022-10-17T12:24:53+00:00 Sergey Kandaurov pluknet@nginx.com 2022-10-17T12:24:53+00:00 35fce42269bf1c84eadef6660021cefa08a960d7 Now it properly detects invalid shared zone configuration with omitted size. Previously it used to read outside of the buffer boundary. Found with AddressSanitizer. 
Now it properly detects invalid shared zone configuration with omitted size.
Previously it used to read outside of the buffer boundary.

Found with AddressSanitizer.
Mail: connections with wrong ALPN protocols are now rejected. 2021-10-20T06:45:34+00:00 Vladimir Homutov vl@nginx.com 2021-10-20T06:45:34+00:00 1fecec0cbf1554c0473d5cca0fb55f8dc006e4ba This is a recommended behavior by RFC 7301 and is useful for mitigation of protocol confusion attacks [1]. For POP3 and IMAP protocols IANA-assigned ALPN IDs are used [2]. For the SMTP protocol "smtp" is used. [1] https://alpaca-attack.com/ [2] https://www.iana.org/assignments/tls-extensiontype-values/ 
This is a recommended behavior by RFC 7301 and is useful
for mitigation of protocol confusion attacks [1].

For POP3 and IMAP protocols IANA-assigned ALPN IDs are used [2].
For the SMTP protocol "smtp" is used.

[1] https://alpaca-attack.com/
[2] https://www.iana.org/assignments/tls-extensiontype-values/
Mail: Auth-SSL-Protocol and Auth-SSL-Cipher headers (ticket #2134). 2021-08-13T07:57:47+00:00 Rob Mueller robm@fastmail.fm 2021-08-13T07:57:47+00:00 d4dad02e5ecd523f896a87a08a6582853d83a14d This adds new Auth-SSL-Protocol and Auth-SSL-Cipher headers to the mail proxy auth protocol when SSL is enabled. This can be useful for detecting users using older clients that negotiate old ciphers when you want to upgrade to newer TLS versions of remove suppport for old and insecure ciphers. You can use your auth backend to notify these users before the upgrade that they either need to upgrade their client software or contact your support team to work out an upgrade path. 
This adds new Auth-SSL-Protocol and Auth-SSL-Cipher headers to
the mail proxy auth protocol when SSL is enabled.

This can be useful for detecting users using older clients that
negotiate old ciphers when you want to upgrade to newer
TLS versions of remove suppport for old and insecure ciphers.
You can use your auth backend to notify these users before the
upgrade that they either need to upgrade their client software
or contact your support team to work out an upgrade path.
SSL: ciphers now set before loading certificates (ticket #2035). 2021-08-16T19:40:31+00:00 Maxim Dounin mdounin@mdounin.ru 2021-08-16T19:40:31+00:00 ce5996cdd1b2e150f645efbc337e5a681dbe241c To load old/weak server or client certificates it might be needed to adjust the security level, as introduced in OpenSSL 1.1.0. This change ensures that ciphers are set before loading the certificates, so security level changes via the cipher string apply to certificate loading. 
To load old/weak server or client certificates it might be needed to adjust
the security level, as introduced in OpenSSL 1.1.0.  This change ensures that
ciphers are set before loading the certificates, so security level changes
via the cipher string apply to certificate loading.
Mail: max_errors directive. 2021-05-19T00:13:31+00:00 Maxim Dounin mdounin@mdounin.ru 2021-05-19T00:13:31+00:00 173f16f736c10eae46cd15dd861b04b82d91a37a Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands in Exim, specifies the number of errors after which the connection is closed. 
Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands
in Exim, specifies the number of errors after which the connection is closed.
Mail: IMAP pipelining support. 2021-05-19T00:13:28+00:00 Maxim Dounin mdounin@mdounin.ru 2021-05-19T00:13:28+00:00 5015209054f68141cd4f5f61e874d4497d4ef49c The change is mostly the same as the SMTP one (04e43d03e153 and 3f5d0af4e40a), and ensures that nginx is able to properly handle or reject multiple IMAP commands. The s->cmd field is not really used and set for consistency. Non-synchronizing literals handling in invalid/unknown commands is limited, so when a non-synchronizing literal is detected at the end of a discarded line, the connection is closed. 
The change is mostly the same as the SMTP one (04e43d03e153 and 3f5d0af4e40a),
and ensures that nginx is able to properly handle or reject multiple IMAP
commands.  The s->cmd field is not really used and set for consistency.

Non-synchronizing literals handling in invalid/unknown commands is limited,
so when a non-synchronizing literal is detected at the end of a discarded
line, the connection is closed.
Mail: stricter checking of IMAP tags. 2021-05-19T00:13:26+00:00 Maxim Dounin mdounin@mdounin.ru 2021-05-19T00:13:26+00:00 4617dd64b863df111e33b1b395709f4c2f427350 Only "A-Za-z0-9-._" characters now allowed (which is stricter than what RFC 3501 requires, but expected to be enough for all known clients), and tags shouldn't be longer than 32 characters. 
Only "A-Za-z0-9-._" characters now allowed (which is stricter than what
RFC 3501 requires, but expected to be enough for all known clients),
and tags shouldn't be longer than 32 characters.
Mail: fixed backslash handling in IMAP literals. 2021-05-19T00:13:23+00:00 Maxim Dounin mdounin@mdounin.ru 2021-05-19T00:13:23+00:00 82840d165144584d1b288521266051a6b5a462eb Previously, s->backslash was set if any of the arguments was a quoted string with a backslash character. After successful command parsing this resulted in all arguments being filtered to remove backslashes. This is, however, incorrect, as backslashes should not be removed from IMAP literals. For example: S: * OK IMAP4 ready C: a01 login {9} S: + OK C: user\name "pass\"word" S: * BAD internal server error resulted in "Auth-User: username" instead of "Auth-User: user\name" as it should. Fix is to apply backslash filtering on per-argument basis during parsing. 
Previously, s->backslash was set if any of the arguments was a quoted
string with a backslash character.  After successful command parsing
this resulted in all arguments being filtered to remove backslashes.
This is, however, incorrect, as backslashes should not be removed from
IMAP literals.  For example:

   S: * OK IMAP4 ready
   C: a01 login {9}
   S: + OK
   C: user\name "pass\"word"
   S: * BAD internal server error

resulted in "Auth-User: username" instead of "Auth-User: user\name"
as it should.

Fix is to apply backslash filtering on per-argument basis during parsing.