Source-Changes-HG archive
[src/trunk]: src/external/ibm-public/postfix/dist Import Postfix 2.11.6. Chan...
details: https://anonhg.NetBSD.org/src/rev/716c3f7497b1
branches: trunk
changeset: 340542:716c3f7497b1
user: tron <tron%NetBSD.org@localhost>
date: Sat Sep 12 08:20:22 2015 +0000
description:
Import Postfix 2.11.6. Changes since version 2.11.4:
- Preparation for OpenSSL 1.2 API changes
- The sender_dependent_relayhost_maps feature ignored the relayhost setting
in the case of a DUNNO lookup result. It would use the recipient domain
instead.
- The default TLS settings no longer enable export-grade ciphers, and no
longer enable the SSLv2 and SSLv3 protocols. These ciphers and protocols
have little if any legitimate use today, and have instead become a
vehicle for downgrade attacks.
diffstat:
external/ibm-public/postfix/dist/HISTORY | 45 +++++++++-
external/ibm-public/postfix/dist/README_FILES/RELEASE_NOTES | 34 +++++++
external/ibm-public/postfix/dist/RELEASE_NOTES | 34 +++++++
external/ibm-public/postfix/dist/html/lmtp.8.html | 6 +-
external/ibm-public/postfix/dist/html/smtp.8.html | 6 +-
external/ibm-public/postfix/dist/html/smtpd.8.html | 6 +-
external/ibm-public/postfix/dist/man/man8/smtp.8 | 8 +-
external/ibm-public/postfix/dist/man/man8/smtpd.8 | 8 +-
external/ibm-public/postfix/dist/src/global/mail_version.h | 6 +-
external/ibm-public/postfix/dist/src/tls/tls_dane.c | 12 +-
external/ibm-public/postfix/dist/src/trivial-rewrite/resolve.c | 15 ++-
11 files changed, 148 insertions(+), 32 deletions(-)
diffs (truncated from 385 to 300 lines):
diff -r 7aaff6246fae -r 716c3f7497b1 external/ibm-public/postfix/dist/HISTORY
--- a/external/ibm-public/postfix/dist/HISTORY Fri Sep 11 22:27:17 2015 +0000
+++ b/external/ibm-public/postfix/dist/HISTORY Sat Sep 12 08:20:22 2015 +0000
@@ -17919,7 +17919,7 @@
20120824
- Feature: support for "sendmail -R hdrs|full". Jan Kundrát.
+ Feature: support for "sendmail -R hdrs|full". Jan Kundr?t.
File: sendmail/sendmail.c.
20120902
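Review bot: The `+` line in this hunk replaces "Jan Kundrát" with "Jan Kundr?t", so the import turns a correctly encoded non-ASCII name into a literal question mark; this looks like a character-set conversion problem in the import step rather than an intended upstream change, and it is worth re-importing the HISTORY file with the original encoding preserved so the old line is not degraded.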
@@ -19641,3 +19641,46 @@
Cleanup: missing " in \%s\" in postconf(1) fatal error
messages. Iain Hibbert. File: postconf/postconf_master.c.
+
+20150324
+
+ Bugfix (introduced: Postfix 2.6): sender_dependent_relayhost_maps
+ ignored the relayhost setting in the case of a DUNNO lookup
+ result. It would use the recipient domain instead. Viktor
+ Dukhovni. Wietse took the pieces of code that enforce the
+ precedence of a sender-dependent relayhost, the global
+ relayhost, and the recipient domain, and put that code
+ together in once place so that it is easier to maintain.
+ File: trivial-rewrite/resolve.c.
+
+20150330
+
+ Bitrot: prepare for future changes in OpenSSL API. Viktor
+ Dukhovni. File: tls_dane.c.
+
+20150408
+
+ Portability: FreeBSD10 support. Files: makedefs, util/sys_defs.h.
+
+ Incompatibility: specifying "make makefiles" with "CC=command"
+ will no longer override the default WARN setting.
+
+20150501
+
+ Support for Linux 4.*, and some simplification for future
+ makedefs files. Files: makedefs, util/sys_defs.h.
+
+20150718
+
+ Security: opportunistic TLS by default uses "medium" or
+ stronger ciphers instead of "export" or stronger. See the
+ RELEASE_NOTES file for how to get the old settings back.
+ Files: global/mail_params.h, proto/TLS_README.html,
+ proto/postconf.proto, and files derived from those.
+
+20150719
+
+ Security: Postfix TLS support by default no longer uses
+ SSLv2 or SSLv3. See the RELEASE_NOTES file for how to get
+ the old settings back. Files: global/mail_params.h,
+ proto/postconf.proto, and files derived from those.
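Review bot: The 20150718 and 20150719 entries name global/mail_params.h and proto/postconf.proto as the files that carry the new cipher and protocol defaults, but neither file appears in the diffstat above, which lists only documentation (html/*.8.html, man8/*.8), HISTORY, RELEASE_NOTES, mail_version.h, tls_dane.c and resolve.c; before merging, confirm that the compiled defaults actually changed in this tree and not only the man page text that displays them. Separately, the commit message lists three changes since 2.11.4, while the 20150408 and 20150501 entries also record FreeBSD10 and Linux 4.* support and an incompatible change to "make makefiles" with "CC=command" (it no longer overrides WARN), so the description could mention those for anyone grepping the log for build behaviour.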
diff -r 7aaff6246fae -r 716c3f7497b1 external/ibm-public/postfix/dist/README_FILES/RELEASE_NOTES
--- a/external/ibm-public/postfix/dist/README_FILES/RELEASE_NOTES Fri Sep 11 22:27:17 2015 +0000
+++ b/external/ibm-public/postfix/dist/README_FILES/RELEASE_NOTES Sat Sep 12 08:20:22 2015 +0000
@@ -14,6 +14,40 @@
If you upgrade from Postfix 2.9 or earlier, read RELEASE_NOTES-2.10
before proceeding.
+Incompatible change with Postfix 2.11.6
+---------------------------------------
+
+As of the middle of 2015, all supported Postfix releases no longer
+enable "export" grade ciphers for opportunistic TLS, and no longer
+use the deprecated SSLv2 and SSLv3 protocols for mandatory or
+opportunistic TLS.
+
+These changes are very unlikely to cause problems with server-to-server
+communication over the Internet, but they may result in interoperability
+problems with ancient client or server implementations on internal
+networks. To address this problem, you can revert the changes with:
+
+Postfix SMTP client settings:
+
+ lmtp_tls_ciphers = export
+ smtp_tls_ciphers = export
+ lmtp_tls_protocols = !SSLv2
+ smtp_tls_protocols = !SSLv2
+ lmtp_tls_mandatory_protocols = !SSLv2
+ smtp_tls_mandatory_protocols = !SSLv2
+
+Postfix SMTP server settings:
+
+ smtpd_tls_ciphers = export
+ smtpd_tls_protocols =
+ smtpd_tls_mandatory_protocols = !SSLv2
+
+These settings, if put in main.cf, affect all Postfix SMTP client
+or server communication, which may be undesirable. To be more
+selective, use "-o name=value" parameter overrides on specific
+services in master.cf. Execute the command "postfix reload" to make
+the changes effective.
+
Major changes - tls
-------------------
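Review bot: In the "Postfix SMTP server settings" block, `smtpd_tls_protocols =` is the empty string, which removes all protocol exclusions for opportunistic server TLS and therefore re-enables SSLv2 as well as SSLv3, whereas the client-side revert keeps `!SSLv2`; this matches the old server default but is a broader rollback than the heading suggests. Since the commit message itself describes SSLv2 and SSLv3 as downgrade-attack vehicles, the note could say explicitly that an empty value admits SSLv2 and that an operator who only needs SSLv3 for an old peer should set `smtpd_tls_protocols = !SSLv2` instead, ideally scoped with `-o` on one master.cf service as the closing paragraph already advises.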
diff -r 7aaff6246fae -r 716c3f7497b1 external/ibm-public/postfix/dist/RELEASE_NOTES
--- a/external/ibm-public/postfix/dist/RELEASE_NOTES Fri Sep 11 22:27:17 2015 +0000
+++ b/external/ibm-public/postfix/dist/RELEASE_NOTES Sat Sep 12 08:20:22 2015 +0000
@@ -14,6 +14,40 @@
If you upgrade from Postfix 2.9 or earlier, read RELEASE_NOTES-2.10
before proceeding.
+Incompatible change with Postfix 2.11.6
+---------------------------------------
+
+As of the middle of 2015, all supported Postfix releases no longer
+enable "export" grade ciphers for opportunistic TLS, and no longer
+use the deprecated SSLv2 and SSLv3 protocols for mandatory or
+opportunistic TLS.
+
+These changes are very unlikely to cause problems with server-to-server
+communication over the Internet, but they may result in interoperability
+problems with ancient client or server implementations on internal
+networks. To address this problem, you can revert the changes with:
+
+Postfix SMTP client settings:
+
+ lmtp_tls_ciphers = export
+ smtp_tls_ciphers = export
+ lmtp_tls_protocols = !SSLv2
+ smtp_tls_protocols = !SSLv2
+ lmtp_tls_mandatory_protocols = !SSLv2
+ smtp_tls_mandatory_protocols = !SSLv2
+
+Postfix SMTP server settings:
+
+ smtpd_tls_ciphers = export
+ smtpd_tls_protocols =
+ smtpd_tls_mandatory_protocols = !SSLv2
+
+These settings, if put in main.cf, affect all Postfix SMTP client
+or server communication, which may be undesirable. To be more
+selective, use "-o name=value" parameter overrides on specific
+services in master.cf. Execute the command "postfix reload" to make
+the changes effective.
+
Major changes - tls
-------------------
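Review bot: This hunk is a verbatim copy of the README_FILES/RELEASE_NOTES hunk above, so the same remark about `smtpd_tls_protocols =` re-enabling SSLv2 applies here; the two files are identical in this import, and any wording change to one should be mirrored in the other to keep them in sync.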
diff -r 7aaff6246fae -r 716c3f7497b1 external/ibm-public/postfix/dist/html/lmtp.8.html
--- a/external/ibm-public/postfix/dist/html/lmtp.8.html Fri Sep 11 22:27:17 2015 +0000
+++ b/external/ibm-public/postfix/dist/html/lmtp.8.html Sat Sep 12 08:20:22 2015 +0000
@@ -432,7 +432,7 @@
policy by next-hop destination; when a non-empty value is speci-
fied, this overrides the obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter.
- <b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (!SSLv2)</b>
+ <b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (!SSLv2, !SSLv3)</b>
List of SSL/TLS protocols that the Postfix SMTP client will use
with mandatory TLS encryption.
@@ -497,11 +497,11 @@
Available in Postfix version 2.6 and later:
- <b><a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> (!SSLv2)</b>
+ <b><a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> (!SSLv2, !SSLv3)</b>
List of TLS protocols that the Postfix SMTP client will exclude
or include with opportunistic TLS encryption.
- <b><a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> (export)</b>
+ <b><a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> (medium)</b>
The minimum TLS cipher grade that the Postfix SMTP client will
use with opportunistic TLS encryption.
diff -r 7aaff6246fae -r 716c3f7497b1 external/ibm-public/postfix/dist/html/smtp.8.html
--- a/external/ibm-public/postfix/dist/html/smtp.8.html Fri Sep 11 22:27:17 2015 +0000
+++ b/external/ibm-public/postfix/dist/html/smtp.8.html Sat Sep 12 08:20:22 2015 +0000
@@ -432,7 +432,7 @@
policy by next-hop destination; when a non-empty value is speci-
fied, this overrides the obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter.
- <b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (!SSLv2)</b>
+ <b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (!SSLv2, !SSLv3)</b>
List of SSL/TLS protocols that the Postfix SMTP client will use
with mandatory TLS encryption.
@@ -497,11 +497,11 @@
Available in Postfix version 2.6 and later:
- <b><a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> (!SSLv2)</b>
+ <b><a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> (!SSLv2, !SSLv3)</b>
List of TLS protocols that the Postfix SMTP client will exclude
or include with opportunistic TLS encryption.
- <b><a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> (export)</b>
+ <b><a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> (medium)</b>
The minimum TLS cipher grade that the Postfix SMTP client will
use with opportunistic TLS encryption.
diff -r 7aaff6246fae -r 716c3f7497b1 external/ibm-public/postfix/dist/html/smtpd.8.html
--- a/external/ibm-public/postfix/dist/html/smtpd.8.html Fri Sep 11 22:27:17 2015 +0000
+++ b/external/ibm-public/postfix/dist/html/smtpd.8.html Sat Sep 12 08:20:22 2015 +0000
@@ -446,7 +446,7 @@
Postfix SMTP server cipher list at mandatory TLS security lev-
els.
- <b><a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> (!SSLv2)</b>
+ <b><a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> (!SSLv2, !SSLv3)</b>
The SSL/TLS protocols accepted by the Postfix SMTP server with
mandatory TLS encryption.
@@ -494,11 +494,11 @@
Available in Postfix version 2.6 and later:
- <b><a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> (empty)</b>
+ <b><a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> (!SSLv2, !SSLv3)</b>
List of TLS protocols that the Postfix SMTP server will exclude
or include with opportunistic TLS encryption.
- <b><a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a> (export)</b>
+ <b><a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a> (medium)</b>
The minimum TLS cipher grade that the Postfix SMTP server will
use with opportunistic TLS encryption.
diff -r 7aaff6246fae -r 716c3f7497b1 external/ibm-public/postfix/dist/man/man8/smtp.8
--- a/external/ibm-public/postfix/dist/man/man8/smtp.8 Fri Sep 11 22:27:17 2015 +0000
+++ b/external/ibm-public/postfix/dist/man/man8/smtp.8 Sat Sep 12 08:20:22 2015 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: smtp.8,v 1.1.1.7 2014/07/06 19:27:46 tron Exp $
+.\" $NetBSD: smtp.8,v 1.1.1.8 2015/09/12 08:20:33 tron Exp $
.\"
.TH SMTP 8
.ad
@@ -403,7 +403,7 @@
Optional lookup tables with the Postfix SMTP client TLS security
policy by next-hop destination; when a non-empty value is specified,
this overrides the obsolete smtp_tls_per_site parameter.
-.IP "\fBsmtp_tls_mandatory_protocols (!SSLv2)\fR"
+.IP "\fBsmtp_tls_mandatory_protocols (!SSLv2, !SSLv3)\fR"
List of SSL/TLS protocols that the Postfix SMTP client will use with
mandatory TLS encryption.
.IP "\fBsmtp_tls_scert_verifydepth (9)\fR"
@@ -453,10 +453,10 @@
certificate fingerprints.
.PP
Available in Postfix version 2.6 and later:
-.IP "\fBsmtp_tls_protocols (!SSLv2)\fR"
+.IP "\fBsmtp_tls_protocols (!SSLv2, !SSLv3)\fR"
List of TLS protocols that the Postfix SMTP client will exclude or
include with opportunistic TLS encryption.
-.IP "\fBsmtp_tls_ciphers (export)\fR"
+.IP "\fBsmtp_tls_ciphers (medium)\fR"
The minimum TLS cipher grade that the Postfix SMTP client
will use with opportunistic TLS encryption.
.IP "\fBsmtp_tls_eccert_file (empty)\fR"
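Review bot: The diffstat updates html/lmtp.8.html with the new `(!SSLv2, !SSLv3)` and `(medium)` defaults but lists no man/man8/lmtp.8, while the roff smtp.8 shown in this hunk does get the change; check whether the lmtp.8 roff page in this tree is generated from smtp.8 or is a separate file that still shows the old `(!SSLv2)` and `(export)` defaults.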
diff -r 7aaff6246fae -r 716c3f7497b1 external/ibm-public/postfix/dist/man/man8/smtpd.8
--- a/external/ibm-public/postfix/dist/man/man8/smtpd.8 Fri Sep 11 22:27:17 2015 +0000
+++ b/external/ibm-public/postfix/dist/man/man8/smtpd.8 Sat Sep 12 08:20:22 2015 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: smtpd.8,v 1.1.1.7 2014/07/06 19:27:46 tron Exp $
+.\" $NetBSD: smtpd.8,v 1.1.1.8 2015/09/12 08:20:33 tron Exp $
.\"
.TH SMTPD 8
.ad
@@ -416,7 +416,7 @@
.IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR"
Additional list of ciphers or cipher types to exclude from the
Postfix SMTP server cipher list at mandatory TLS security levels.
-.IP "\fBsmtpd_tls_mandatory_protocols (!SSLv2)\fR"
+.IP "\fBsmtpd_tls_mandatory_protocols (!SSLv2, !SSLv3)\fR"
The SSL/TLS protocols accepted by the Postfix SMTP server with
mandatory TLS encryption.
.IP "\fBsmtpd_tls_received_header (no)\fR"
@@ -454,10 +454,10 @@
for \fBcheck_ccert_access\fR and \fBpermit_tls_clientcerts\fR.
.PP
Available in Postfix version 2.6 and later:
-.IP "\fBsmtpd_tls_protocols (empty)\fR"
+.IP "\fBsmtpd_tls_protocols (!SSLv2, !SSLv3)\fR"
List of TLS protocols that the Postfix SMTP server will exclude
or include with opportunistic TLS encryption.
-.IP "\fBsmtpd_tls_ciphers (export)\fR"
+.IP "\fBsmtpd_tls_ciphers (medium)\fR"
The minimum TLS cipher grade that the Postfix SMTP server
will use with opportunistic TLS encryption.
.IP "\fBsmtpd_tls_eccert_file (empty)\fR"
diff -r 7aaff6246fae -r 716c3f7497b1 external/ibm-public/postfix/dist/src/global/mail_version.h
--- a/external/ibm-public/postfix/dist/src/global/mail_version.h Fri Sep 11 22:27:17 2015 +0000
+++ b/external/ibm-public/postfix/dist/src/global/mail_version.h Sat Sep 12 08:20:22 2015 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: mail_version.h,v 1.1.1.23 2015/02/21 11:56:49 tron Exp $ */
+/* $NetBSD: mail_version.h,v 1.1.1.24 2015/09/12 08:20:35 tron Exp $ */
#ifndef _MAIL_VERSION_H_INCLUDED_
#define _MAIL_VERSION_H_INCLUDED_
@@ -22,8 +22,8 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
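Review bot: This hunk ends without its `+`/`-` lines because the page states the diff was truncated from 385 to 300 lines, and the tls_dane.c and trivial-rewrite/resolve.c changes listed in the diffstat are not shown at all; the sender_dependent_relayhost_maps DUNNO fix and the OpenSSL API preparation therefore cannot be reviewed from this page, and a reviewer should pull the full changeset from the details URL above before signing off on the code portion of the import.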