nginx.git/src/mail, branch release-1.29.6

Mail: fixed type overflow in IMAP literal length parser.

2026-03-04T08:08:09+00:00

The overflow is safe, because the maximum length of literals
is limited with the "imap_client_buffer" directive.

Reported by Bartłomiej Dmitruk.

Mail: stricter IMAP literals validation.

2026-03-04T08:08:09+00:00

As clarified in RFC 3501, Section 7.5, literals are followed
either by SP, for additional command arguments, or CRLF.

Mail: xtext encoding (RFC 3461) in XCLIENT LOGIN.

2025-09-26T13:04:20+00:00

The XCLIENT command uses xtext encoding for attribute values,
as specified in https://www.postfix.org/XCLIENT_README.html.

Reported by Igor Morgenstern of Aisle Research.

Mail: logging upstream to the error log with "smtp_auth none;".

2025-08-13T14:20:34+00:00

Previously, it was never logged because of missing login.

Mail: reset stale auth credentials with "smtp_auth none;".

2025-08-13T14:20:34+00:00

They might be reused in a session if an SMTP client proceeded
unauthenticated after previous invalid authentication attempts.
This could confuse an authentication server when passing stale
credentials along with "Auth-Method: none".

The condition to send the "Auth-Salt" header is similarly refined.

Mail: improved error handling in plain/login/cram-md5 auth methods.

2025-08-13T14:20:34+00:00

Previously, login and password storage could be left in inconsistent
state in a session after decoding errors.

SSL: support for compressed server certificates with OpenSSL.

2025-08-03T15:15:16+00:00

The ssl_certificate_compression directive allows to send compressed
server certificates.  In OpenSSL, they are pre-compressed on startup.
To simplify configuration, the SSL_OP_NO_TX_CERTIFICATE_COMPRESSION
option is automatically cleared if certificates were pre-compressed.

SSL_CTX_compress_certs() may return an error in legitimate cases,
e.g., when none of compression algorithms is available or if the
resulting compressed size is larger than the original one, thus it
is silently ignored.

Certificate compression is supported in Chrome with brotli only,
in Safari with zlib only, and in Firefox with all listed algorithms.
It is supported since Ubuntu 24.10, which has OpenSSL with enabled
zlib and zstd support.

The actual list of algorithms supported in OpenSSL depends on how
the library was configured; it can be brotli, zlib, zstd as listed
in RFC 8879.

Mail: handling of LOGIN IMAP command untagged response.

2024-11-26T15:07:17+00:00

In particular, an untagged CAPABILITY response as described in the
interim RFC 3501 internet drafts was seen in various IMAP servers.
Previously resulted in a broken connection, now an untagged response
is proxied to client.

SSL: a new macro to set default protocol versions.

2024-11-22T09:47:22+00:00

This simplifies merging protocol values after ea15896 and ebd18ec.

Further, as outlined in ebd18ec18, for libraries preceeding TLSv1.2+
support, only meaningful versions TLSv1 and TLSv1.1 are set by default.

While here, fixed indentation.

SSL: fixed MSVC compilation after ebd18ec1812b.

2024-11-11T18:29:55+00:00

MSVC generates a compilation error in case #if/#endif is used in a macro
parameter.