nginx.git/src/mail, branch release-1.29.7 nginx Mail: fixed clearing s->passwd in auth http requests. 2026-03-24T14:46:36+00:00 Sergey Kandaurov pluknet@nginx.com 2026-03-18T12:39:37+00:00 9bc13718fe8a59a4538805516be7e141070c22d6 Previously, it was not properly cleared retaining length as part of authenticating with CRAM-MD5 and APOP methods that expect to receive password in auth response. This resulted in null pointer dereference and worker process crash in subsequent auth attempts with CRAM-MD5. Reported by Arkadi Vainbrand. 
Previously, it was not properly cleared retaining length as part of
authenticating with CRAM-MD5 and APOP methods that expect to receive
password in auth response.  This resulted in null pointer dereference
and worker process crash in subsequent auth attempts with CRAM-MD5.

Reported by Arkadi Vainbrand.
Mail: host validation. 2026-03-24T14:46:08+00:00 Roman Arutyunyan arut@nginx.com 2026-02-26T07:52:53+00:00 6f3145006b41a4ec464eed4093553a335d35e8ac Now host name resolved from client address is validated to only contain the characters specified in RFC 1034, Section 3.5. The validation allows to avoid injections when using the resolved host name in auth_http and smtp proxy. Reported by Asim Viladi Oglu Manizada, Colin Warren, Xiao Liu (Yunnan University), Yuan Tan (UC Riverside), and Bird Liu (Lanzhou University). 
Now host name resolved from client address is validated to only contain
the characters specified in RFC 1034, Section 3.5.  The validation allows
to avoid injections when using the resolved host name in auth_http and
smtp proxy.

Reported by Asim Viladi Oglu Manizada, Colin Warren,
Xiao Liu (Yunnan University), Yuan Tan (UC Riverside), and
Bird Liu (Lanzhou University).
The "multipath" parameter of the "listen" directive. 2026-03-18T21:13:51+00:00 Sergey Kandaurov pluknet@nginx.com 2025-10-16T15:22:56+00:00 920dc099c130e0ea23eb36becd157a95901aa5a2 When configured, it enables Multipath TCP support on a listen socket. As of now it works on Linux starting with Linux 5.6 and glibc 2.32, where it is enabled with an IPPROTO_MPTCP socket(2) protocol. To avoid EADDRINUSE errors in bind() and listen() when transitioning between sockets with different protocols, SO_REUSEPORT is set on both sockets. See f7f1607bf for potential implications. Based on previous work by Maxime Dourov and Anthony Doeraene. 
When configured, it enables Multipath TCP support on a listen socket.
As of now it works on Linux starting with Linux 5.6 and glibc 2.32,
where it is enabled with an IPPROTO_MPTCP socket(2) protocol.

To avoid EADDRINUSE errors in bind() and listen() when transitioning
between sockets with different protocols, SO_REUSEPORT is set on both
sockets.  See f7f1607bf for potential implications.

Based on previous work by Maxime Dourov and Anthony Doeraene.
Mail: fixed type overflow in IMAP literal length parser. 2026-03-04T08:08:09+00:00 Sergey Kandaurov pluknet@nginx.com 2026-02-27T17:46:04+00:00 dff46cd1ae0095922e7eb9cf5b32ebe1e68a5706 The overflow is safe, because the maximum length of literals is limited with the "imap_client_buffer" directive. Reported by Bartłomiej Dmitruk. 
The overflow is safe, because the maximum length of literals
is limited with the "imap_client_buffer" directive.

Reported by Bartłomiej Dmitruk.
Mail: stricter IMAP literals validation. 2026-03-04T08:08:09+00:00 Sergey Kandaurov pluknet@nginx.com 2026-02-27T17:18:16+00:00 aa65a60fc7bcef4152152cf5a4e87f04cad54368 As clarified in RFC 3501, Section 7.5, literals are followed either by SP, for additional command arguments, or CRLF. 
As clarified in RFC 3501, Section 7.5, literals are followed
either by SP, for additional command arguments, or CRLF.
Mail: xtext encoding (RFC 3461) in XCLIENT LOGIN. 2025-09-26T13:04:20+00:00 Sergey Kandaurov pluknet@nginx.com 2025-09-11T14:23:10+00:00 6f81314a070201afc4e25b975b1f915698cff634 The XCLIENT command uses xtext encoding for attribute values, as specified in https://www.postfix.org/XCLIENT_README.html. Reported by Igor Morgenstern of Aisle Research. 
The XCLIENT command uses xtext encoding for attribute values,
as specified in https://www.postfix.org/XCLIENT_README.html.

Reported by Igor Morgenstern of Aisle Research.
Mail: logging upstream to the error log with "smtp_auth none;". 2025-08-13T14:20:34+00:00 Sergey Kandaurov pluknet@nginx.com 2025-07-21T13:44:28+00:00 239e10793adb1e32847095ba6c1d14249bf19a5c Previously, it was never logged because of missing login. 
Previously, it was never logged because of missing login.
Mail: reset stale auth credentials with "smtp_auth none;". 2025-08-13T14:20:34+00:00 Sergey Kandaurov pluknet@nginx.com 2025-07-07T19:48:44+00:00 9c02c84a7443f3d736a1a5eb3f596de9af8a0c9c They might be reused in a session if an SMTP client proceeded unauthenticated after previous invalid authentication attempts. This could confuse an authentication server when passing stale credentials along with "Auth-Method: none". The condition to send the "Auth-Salt" header is similarly refined. 
They might be reused in a session if an SMTP client proceeded
unauthenticated after previous invalid authentication attempts.
This could confuse an authentication server when passing stale
credentials along with "Auth-Method: none".

The condition to send the "Auth-Salt" header is similarly refined.
Mail: improved error handling in plain/login/cram-md5 auth methods. 2025-08-13T14:20:34+00:00 Sergey Kandaurov pluknet@nginx.com 2025-08-12T11:55:02+00:00 765642b86e0df1b5ef37f42522be7d08d95909c9 Previously, login and password storage could be left in inconsistent state in a session after decoding errors. 
Previously, login and password storage could be left in inconsistent
state in a session after decoding errors.
SSL: support for compressed server certificates with OpenSSL. 2025-08-03T15:15:16+00:00 Sergey Kandaurov pluknet@nginx.com 2025-07-09T15:02:09+00:00 251444fcf4434bfddbe3394a568c51d4f7bd857f The ssl_certificate_compression directive allows to send compressed server certificates. In OpenSSL, they are pre-compressed on startup. To simplify configuration, the SSL_OP_NO_TX_CERTIFICATE_COMPRESSION option is automatically cleared if certificates were pre-compressed. SSL_CTX_compress_certs() may return an error in legitimate cases, e.g., when none of compression algorithms is available or if the resulting compressed size is larger than the original one, thus it is silently ignored. Certificate compression is supported in Chrome with brotli only, in Safari with zlib only, and in Firefox with all listed algorithms. It is supported since Ubuntu 24.10, which has OpenSSL with enabled zlib and zstd support. The actual list of algorithms supported in OpenSSL depends on how the library was configured; it can be brotli, zlib, zstd as listed in RFC 8879. 
The ssl_certificate_compression directive allows to send compressed
server certificates.  In OpenSSL, they are pre-compressed on startup.
To simplify configuration, the SSL_OP_NO_TX_CERTIFICATE_COMPRESSION
option is automatically cleared if certificates were pre-compressed.

SSL_CTX_compress_certs() may return an error in legitimate cases,
e.g., when none of compression algorithms is available or if the
resulting compressed size is larger than the original one, thus it
is silently ignored.

Certificate compression is supported in Chrome with brotli only,
in Safari with zlib only, and in Firefox with all listed algorithms.
It is supported since Ubuntu 24.10, which has OpenSSL with enabled
zlib and zstd support.

The actual list of algorithms supported in OpenSSL depends on how
the library was configured; it can be brotli, zlib, zstd as listed
in RFC 8879.