nginx.git/src/mail, branch release-1.5.9 nginx Mail: fixed passing of IPv6 client address in XCLIENT. 2014-01-17T18:06:04+00:00 Ruslan Ermilov ru@nginx.com 2014-01-17T18:06:04+00:00 8b7fe56e95f7fe51438566150dda68027735198e 






SSL: ssl_session_tickets directive.
2014-01-10T15:12:40+00:00

Dirkjan Bussink
d.bussink@gmail.com

2014-01-10T15:12:40+00:00

58a240d7735652138da46c64b5eb9e661e5533f5

This adds support so it's possible to explicitly disable SSL Session
Tickets. In order to have good Forward Secrecy support either the
session ticket key has to be reloaded by using nginx' binary upgrade
process or using an external key file and reloading the configuration.
This directive adds another possibility to have good support by
disabling session tickets altogether.

If session tickets are enabled and the process lives for a long a time,
an attacker can grab the session ticket from the process and use that to
decrypt any traffic that occured during the entire lifetime of the
process.





This adds support so it's possible to explicitly disable SSL Session
Tickets. In order to have good Forward Secrecy support either the
session ticket key has to be reloaded by using nginx' binary upgrade
process or using an external key file and reloading the configuration.
This directive adds another possibility to have good support by
disabling session tickets altogether.

If session tickets are enabled and the process lives for a long a time,
an attacker can grab the session ticket from the process and use that to
decrypt any traffic that occured during the entire lifetime of the
process.







Resolver: implemented IPv6 name to address resolving.
2013-12-09T06:53:28+00:00

Ruslan Ermilov
ru@nginx.com

2013-12-09T06:53:28+00:00

769eded73267274e018f460dd76b417538aa5934












Changed resolver API to use ngx_addr_t.
2013-12-06T10:30:27+00:00

Ruslan Ermilov
ru@nginx.com

2013-12-06T10:30:27+00:00

3aeefbcaea75c1ccf158be15afe61ce863978be9












SSL: added ability to set keys used for Session Tickets (RFC5077).
2013-10-11T23:05:24+00:00

Piotr Sikora
piotr@cloudflare.com

2013-10-11T23:05:24+00:00

79be6a5462498af8655aaed141f13a1d2a34abc8

In order to support key rollover, ssl_session_ticket_key can be defined
multiple times. The first key will be used to issue and resume Session
Tickets, while the rest will be used only to resume them.

    ssl_session_ticket_key  session_tickets/current.key;
    ssl_session_ticket_key  session_tickets/prev-1h.key;
    ssl_session_ticket_key  session_tickets/prev-2h.key;

Please note that nginx supports Session Tickets even without explicit
configuration of the keys and this feature should be only used in setups
where SSL traffic is distributed across multiple nginx servers.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>





In order to support key rollover, ssl_session_ticket_key can be defined
multiple times. The first key will be used to issue and resume Session
Tickets, while the rest will be used only to resume them.

    ssl_session_ticket_key  session_tickets/current.key;
    ssl_session_ticket_key  session_tickets/prev-1h.key;
    ssl_session_ticket_key  session_tickets/prev-2h.key;

Please note that nginx supports Session Tickets even without explicit
configuration of the keys and this feature should be only used in setups
where SSL traffic is distributed across multiple nginx servers.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>







Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
2013-09-30T18:10:13+00:00

Maxim Dounin
mdounin@mdounin.ru

2013-09-30T18:10:13+00:00

ef8c64acbe7b826b2bbd2dacc0e173cf79b26d37

A configuration like "mail { starttls on; server {}}" triggered NULL
pointer dereference in ngx_mail_ssl_merge_conf() as conf->file was not set.





A configuration like "mail { starttls on; server {}}" triggered NULL
pointer dereference in ngx_mail_ssl_merge_conf() as conf->file was not set.







Mail: fixed overrun of allocated memory (ticket #411).
2013-09-30T18:10:08+00:00

Maxim Dounin
mdounin@mdounin.ru

2013-09-30T18:10:08+00:00

aa36cc39a40a8d6a1e5fbc7a527b1a39db790d01

Reported by Markus Linnala.





Reported by Markus Linnala.







Mail: handle smtp multiline replies.
2013-09-30T18:10:03+00:00

Maxim Dounin
mdounin@mdounin.ru

2013-09-30T18:10:03+00:00

f2b5192c30e51b3376eb09525c0d0a75fda30c38

See here for details:

http://nginx.org/pipermail/nginx/2010-August/021713.html
http://nginx.org/pipermail/nginx/2010-August/021784.html
http://nginx.org/pipermail/nginx/2010-August/021785.html





See here for details:

http://nginx.org/pipermail/nginx/2010-August/021713.html
http://nginx.org/pipermail/nginx/2010-August/021784.html
http://nginx.org/pipermail/nginx/2010-August/021785.html







Mail: smtp pipelining support.
2013-09-30T18:09:57+00:00

Maxim Dounin
mdounin@mdounin.ru

2013-09-30T18:09:57+00:00

4f6f653f482abc3b963727ea5f2c5d708d8fd605

Basically, this does the following two changes (and corresponding
modifications of related code):

1. Does not reset session buffer unless it's reached it's end, and always
wait for LF to terminate command (even if we detected invalid command).

2. Record command name to make it available for handlers (since now we
can't assume that command starts from s->buffer->start).





Basically, this does the following two changes (and corresponding
modifications of related code):

1. Does not reset session buffer unless it's reached it's end, and always
wait for LF to terminate command (even if we detected invalid command).

2. Record command name to make it available for handlers (since now we
can't assume that command starts from s->buffer->start).







Mail: added session close on smtp_greeting_delay violation.
2013-09-30T18:09:50+00:00

Maxim Dounin
mdounin@mdounin.ru

2013-09-30T18:09:50+00:00

32d6035303426bfd027d00030d0749cc0e85c6fb

A server MUST send greeting before other replies, while before this
change in case of smtp_greeting_delay violation the 220 greeting was
sent after several 503 replies to commands received before greeting,
resulting in protocol synchronization loss.  Moreover, further commands
were accepted after the greeting.

While closing a connection isn't strictly RFC compliant (RFC 5321
requires servers to wait for a QUIT before closing a connection), it's
probably good enough for practial uses.





A server MUST send greeting before other replies, while before this
change in case of smtp_greeting_delay violation the 220 greeting was
sent after several 503 replies to commands received before greeting,
resulting in protocol synchronization loss.  Moreover, further commands
were accepted after the greeting.

While closing a connection isn't strictly RFC compliant (RFC 5321
requires servers to wait for a QUIT before closing a connection), it's
probably good enough for practial uses.