Source-Changes-HG archive


[src/trunk]: src/external/ibm-public/postfix/dist Import Postfix 2.9.7. Chang...



details:   https://anonhg.NetBSD.org/src/rev/3594e42ea554
branches:  trunk
changeset: 789546:3594e42ea554
user:      tron <tron%NetBSD.org@localhost>
date:      Wed Aug 21 20:09:37 2013 +0000

description:
Import Postfix 2.9.7. Changes since version 2.9.5:
- Thanks to OpenSSL documentation, the Postfix 2.9.0..2.9.5 SMTP
  client and server used an incorrect procedure to compute TLS
  certificate PUBLIC-KEY fingerprints (these may be used in the
  check_ccert_access and in smtp_tls_policy_maps features). Support
  for certificate PUBLIC-KEY fingerprints was introduced with Postfix
  2.9; there is no known problem with the certificate fingerprint
  algorithms available since Postfix 2.2.
  Specify "tls_legacy_public_key_fingerprints = yes" temporarily,
  pending a migration from configuration files with incorrect Postfix
  2.9.0..2.9.5 certificate PUBLIC-KEY fingerprints, to the correct
  fingerprints used by Postfix 2.9.6 and later.
- Bugfix (introduced: Postfix 2.0): when myhostname is not listed in
  mydestination, the trivial-rewrite resolver may log "do not list
  <myhostname value> in both mydestination and <name of
  non-mydestination domain list>". The fix is to re-resolve a domain-less address after
  adding $myhostname as the surrogate domain, so that it pops out with the
  right address-class label. Reported by Quanah Gibson-Mount.
- Bugfix (introduced: Postfix 2.3): don't reuse TCP connections when
  smtp_tls_policy_maps is specified. TLS policies may depend on the remote
  destination, but the Postfix <2.11 SMTP connection cache client does not
  distinguish between different destinations that resolve to the same
  IP address. Victor Duchovni. Found during Postfix 2.11 code maintenance.
- Bugfix (introduced: Postfix 2.2): don't reuse TCP connections when
  SASL authentication is enabled. SASL passwords may depend on the
  remote SMTP server hostname, but the Postfix <2.11 SMTP connection
  cache client does not distinguish between different hostnames that
  resolve to the same IP address. Found during Postfix 2.11 code
  maintenance.

diffstat:

 external/ibm-public/postfix/dist/HISTORY                        |  55 ++++++
 external/ibm-public/postfix/dist/README_FILES/RELEASE_NOTES     |  30 +++
 external/ibm-public/postfix/dist/RELEASE_NOTES                  |  30 +++
 external/ibm-public/postfix/dist/mantools/postlink              |   1 +
 external/ibm-public/postfix/dist/src/global/mail_version.h      |   6 +-
 external/ibm-public/postfix/dist/src/postconf/Makefile.in       |  13 +-
 external/ibm-public/postfix/dist/src/postconf/postconf_master.c |  14 +-
 external/ibm-public/postfix/dist/src/postconf/test40.ref        |   4 +
 external/ibm-public/postfix/dist/src/smtp/smtp_connect.c        |   6 +-
 external/ibm-public/postfix/dist/src/smtp/smtp_reuse.c          |   4 +-
 external/ibm-public/postfix/dist/src/tls/Makefile.in            |   1 +
 external/ibm-public/postfix/dist/src/tls/tls_misc.c             |   9 +-
 external/ibm-public/postfix/dist/src/tls/tls_verify.c           |  80 ++++++++-
 external/ibm-public/postfix/dist/src/trivial-rewrite/resolve.c  |  15 +-
 external/ibm-public/postfix/dist/src/util/exec_command.c        |   5 +-
 15 files changed, 243 insertions(+), 30 deletions(-)

diffs (truncated from 530 to 300 lines):

diff -r 9aef216bff6f -r 3594e42ea554 external/ibm-public/postfix/dist/HISTORY
--- a/external/ibm-public/postfix/dist/HISTORY  Wed Aug 21 19:48:35 2013 +0000
+++ b/external/ibm-public/postfix/dist/HISTORY  Wed Aug 21 20:09:37 2013 +0000
@@ -17756,3 +17756,58 @@
        This part of the code is not documented and had escaped
        testing.  Files: util/ip_match.c, util/ip_match.in,
        util/ip_match.ref.
+
+20121230
+
+       Bugfix (omission in feature 20111106): the postconf(1)
+       master.cf options parser didn't support "clusters" of
+       command-line option letters. File: postconf/postconf_master.c,
+       postconf/test40.ref.
+
+20130131
+
+       Bugfix: the local(8) delivery agent dereferenced a null
+       pointer while delivering to null command (for example, "|"
+       in a .forward file).  Reported by Gilles Chehade.
+
+20130203
+
+       Bugfix: the undocumented OpenSSL X509_pubkey_digest()
+       function is unsuitable for computing certificate PUBLIC KEY
+       fingerprints.  Postfix now provides a correct procedure
+       that accounts for the algorithm and parameters in addition
+       to the key data.  Specify "tls_legacy_public_key_fingerprints
+       = yes" if you need backwards compatibility. Fix by Victor
+       Duchovni, BC added by Wietse.  Files: tls/tls_verify.c,
+       tls/tls_misc.c, proto/TLS_README.html, global/mail_params.h.
+
+       Bugfix: the 20121010 fix for tls_misc.c was documented but
+       not included.
+
+20130403
+
+       Bugfix (introduced: Postfix 2.3): don't reuse TCP connections
+       when smtp_tls_policy_maps is specified. Victor Duchovni.
+       Found during Postfix 2.11 code maintenance.  File:
+       smtp/smtp_reuse.c.
+
+20130423
+
+       Bugfix (introduced: Postfix 2.0): when myhostname is not
+       listed in mydestination, the trivial-rewrite resolver may
+       log "do not list <myhostname value> in both mydestination
+       and <name of non-mydestination domain list>".  The fix is
+       to re-resolve a domain-less address after adding $myhostname
+       as the surrogate domain, so that it pops out with the right
+       address-class label.  Problem reported by Quanah Gibson-Mount.
+       File: trivial-rewrite/resolve.c.
+
+20130425
+
+       Bugfix (introduced: Postfix 2.2): don't reuse TCP connections
+       when SASL authentication is enabled. SASL passwords may
+       depend on the remote SMTP server hostname, but the Postfix
+       <2.11 SMTP connection cache client does not distinguish
+       between different hostnames that resolve to the same IP
+       address.  Found during Postfix 2.11 code maintenance.  File:
+       smtp/smtp_connect.c.
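Review bot: The 20130131 entry (local(8) null-pointer dereference when delivering to a null command) is the only bugfix entry in this hunk without a "File:" reference, so a reader cannot tell which source file carries the fix. The diffstat lists src/util/exec_command.c as changed and no other entry claims it; if that is the file, name it in the entry. The "20121010 fix for tls_misc.c" line likewise does not say what the omitted fix was.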
diff -r 9aef216bff6f -r 3594e42ea554 external/ibm-public/postfix/dist/README_FILES/RELEASE_NOTES
--- a/external/ibm-public/postfix/dist/README_FILES/RELEASE_NOTES       Wed Aug 21 19:48:35 2013 +0000
+++ b/external/ibm-public/postfix/dist/README_FILES/RELEASE_NOTES       Wed Aug 21 20:09:37 2013 +0000
@@ -14,6 +14,36 @@
 If you upgrade from Postfix 2.7 or earlier, read RELEASE_NOTES-2.8
 before proceeding.
 
+Major changes with Postfix 2.9.6
+--------------------------------
+
+Thanks to OpenSSL documentation, the Postfix 2.9.0..2.9.5 SMTP
+client and server computed incorrect TLS certificate PUBLIC-KEY
+fingerprints.  Support for certificate PUBLIC-KEY finger prints
+was introduced with Postfix 2.9; there is no known problem with the
+certificate fingerprint algorithms available since Postfix 2.2.
+
+Certificate PUBLIC-KEY finger prints may be used in the Postfix
+SMTP server (with "check_ccert_access") and in the Postfix SMTP
+client (with the "fingerprint" security level).  
+
+Specify "tls_legacy_public_key_fingerprints = yes" temporarily, 
+pending a migration from configuration files with incorrect Postfix
+2.9.0..2.9.5 certificate PUBLIC-KEY finger prints, to the correct
+fingerprints used by Postfix 2.9.6 and later.
+
+To compute the correct PUBLIC-KEY finger prints:
+
+# OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
+$ openssl x509 -in cert.pem -noout -pubkey | \
+    openssl pkey -pubin -outform DER | \
+    openssl dgst -sha1 -c
+
+# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
+$ openssl x509 -in cert.pem -noout -pubkey | \
+    openssl rsa -pubin -outform DER | \
+    openssl dgst -md5 -c
+
 Major changes with Postfix 2.9.2
 --------------------------------
 
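Review bot: The two command examples under "To compute the correct PUBLIC-KEY finger prints" tie the digest to the OpenSSL version (SHA-1 with 1.0, MD5 with 0.9.8), which reads as if the version dictates the algorithm. The digest given to openssl dgst has to be the one Postfix is configured to use for fingerprints, so say that explicitly and present the pkey versus rsa subcommand as the only version-dependent part. The text also says to set tls_legacy_public_key_fingerprints = yes "temporarily" without saying when to remove it; a closing sentence telling the operator to drop the setting once every pinned public-key fingerprint has been recomputed would complete the migration advice.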
diff -r 9aef216bff6f -r 3594e42ea554 external/ibm-public/postfix/dist/RELEASE_NOTES
--- a/external/ibm-public/postfix/dist/RELEASE_NOTES    Wed Aug 21 19:48:35 2013 +0000
+++ b/external/ibm-public/postfix/dist/RELEASE_NOTES    Wed Aug 21 20:09:37 2013 +0000
@@ -14,6 +14,36 @@
 If you upgrade from Postfix 2.7 or earlier, read RELEASE_NOTES-2.8
 before proceeding.
 
+Major changes with Postfix 2.9.6
+--------------------------------
+
+Thanks to OpenSSL documentation, the Postfix 2.9.0..2.9.5 SMTP
+client and server computed incorrect TLS certificate PUBLIC-KEY
+fingerprints.  Support for certificate PUBLIC-KEY finger prints
+was introduced with Postfix 2.9; there is no known problem with the
+certificate fingerprint algorithms available since Postfix 2.2.
+
+Certificate PUBLIC-KEY finger prints may be used in the Postfix
+SMTP server (with "check_ccert_access") and in the Postfix SMTP
+client (with the "fingerprint" security level).  
+
+Specify "tls_legacy_public_key_fingerprints = yes" temporarily, 
+pending a migration from configuration files with incorrect Postfix
+2.9.0..2.9.5 certificate PUBLIC-KEY finger prints, to the correct
+fingerprints used by Postfix 2.9.6 and later.
+
+To compute the correct PUBLIC-KEY finger prints:
+
+# OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
+$ openssl x509 -in cert.pem -noout -pubkey | \
+    openssl pkey -pubin -outform DER | \
+    openssl dgst -sha1 -c
+
+# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
+$ openssl x509 -in cert.pem -noout -pubkey | \
+    openssl rsa -pubin -outform DER | \
+    openssl dgst -md5 -c
+
 Major changes with Postfix 2.9.2
 --------------------------------
 
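Review bot: "Thanks to OpenSSL documentation" in the first added paragraph does not tell an operator what actually went wrong; the HISTORY entry in this same change is clearer (X509_pubkey_digest() does not account for the algorithm and parameters). Reusing that explanation here would let a reader judge whether their pinned fingerprints are affected. The paragraph also mixes "fingerprints" and "finger prints", and the added lines ending in "security level)." and "temporarily," carry trailing whitespace.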
diff -r 9aef216bff6f -r 3594e42ea554 external/ibm-public/postfix/dist/mantools/postlink
--- a/external/ibm-public/postfix/dist/mantools/postlink        Wed Aug 21 19:48:35 2013 +0000
+++ b/external/ibm-public/postfix/dist/mantools/postlink        Wed Aug 21 20:09:37 2013 +0000
@@ -689,6 +689,7 @@
     s;\btls_preempt_cipherlist\b;<a href="postconf.5.html#tls_preempt_cipherlist">$&</a>;g;
     s;\btls_disable_workarounds\b;<a href="postconf.5.html#tls_disable_workarounds">$&</a>;g;
     s;\btls_append_default_CA\b;<a href="postconf.5.html#tls_append_default_CA">$&</a>;g;
+    s;\btls_legacy_public_key_fingerprints\b;<a href="postconf.5.html#tls_legacy_public_key_fingerprint">$&</a>;g;
  
     s;\bfrozen_delivered_to\b;<a href="postconf.5.html#frozen_delivered_to">$&</a>;g;
     s;\breset_owner_alias\b;<a href="postconf.5.html#reset_owner_alias">$&</a>;g;
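Review bot: The href anchor in the added line is "#tls_legacy_public_key_fingerprint" (singular) while the pattern it rewrites is tls_legacy_public_key_fingerprints; every neighbouring rule uses an anchor identical to the parameter name. Unless postconf.5.html really defines the singular anchor, the generated links will point nowhere, so make the anchor "#tls_legacy_public_key_fingerprints".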
diff -r 9aef216bff6f -r 3594e42ea554 external/ibm-public/postfix/dist/src/global/mail_version.h
--- a/external/ibm-public/postfix/dist/src/global/mail_version.h        Wed Aug 21 19:48:35 2013 +0000
+++ b/external/ibm-public/postfix/dist/src/global/mail_version.h        Wed Aug 21 20:09:37 2013 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: mail_version.h,v 1.1.1.17 2013/01/02 18:58:59 tron Exp $       */
+/*     $NetBSD: mail_version.h,v 1.1.1.18 2013/08/21 20:09:52 tron Exp $       */
 
 #ifndef _MAIL_VERSION_H_INCLUDED_
 #define _MAIL_VERSION_H_INCLUDED_
@@ -22,8 +22,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE      "20121213"
-#define MAIL_VERSION_NUMBER    "2.9.5"
+#define MAIL_RELEASE_DATE      "20130622"
+#define MAIL_VERSION_NUMBER    "2.9.7"
 
 #ifdef SNAPSHOT
 # define MAIL_VERSION_DATE     "-" MAIL_RELEASE_DATE
diff -r 9aef216bff6f -r 3594e42ea554 external/ibm-public/postfix/dist/src/postconf/Makefile.in
--- a/external/ibm-public/postfix/dist/src/postconf/Makefile.in Wed Aug 21 19:48:35 2013 +0000
+++ b/external/ibm-public/postfix/dist/src/postconf/Makefile.in Wed Aug 21 20:09:37 2013 +0000
@@ -42,7 +42,7 @@
 
 tests: test1 test2 test3 test4 test5 test6 test7 test8 test9 test10 test11 \
        test12 test13 test14 test15 test16 test17 test18 test19 test20 test21 \
-       test22 test23 test24 test25 test26 test27 test28 test29 test30
+       test22 test23 test24 test25 test26 test27 test28 test29 test30 test40
 
 root_tests:
 
@@ -414,6 +414,17 @@
        diff test30.ref test30.tmp
        rm -f main.cf master.cf test30.tmp
 
+test40:        $(PROG) test40.ref
+       rm -f main.cf master.cf
+       touch main.cf master.cf
+       echo foo unix - n n - 0 other >> master.cf
+       echo ' -voaaa=bbb' >> master.cf
+       echo ' -vo ccc=$$aaa' >> master.cf
+       echo ' -v -oddd=$$ccc' >> master.cf
+       ./$(PROG) -Mfc . unix >test40.tmp 2>&1
+       diff test40.ref test40.tmp
+       rm -f main.cf master.cf test40.tmp
+
 printfck: $(OBJS) $(PROG)
        rm -rf printfck
        mkdir printfck
diff -r 9aef216bff6f -r 3594e42ea554 external/ibm-public/postfix/dist/src/postconf/postconf_master.c
--- a/external/ibm-public/postfix/dist/src/postconf/postconf_master.c   Wed Aug 21 19:48:35 2013 +0000
+++ b/external/ibm-public/postfix/dist/src/postconf/postconf_master.c   Wed Aug 21 20:09:37 2013 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: postconf_master.c,v 1.1.1.1 2013/01/02 18:59:03 tron Exp $     */
+/*     $NetBSD: postconf_master.c,v 1.1.1.2 2013/08/21 20:09:54 tron Exp $     */
 
 /*++
 /* NAME
@@ -76,6 +76,8 @@
 {
     int     field;
     char   *arg;
+    char   *cp;
+    char   *junk;
 
     /*
      * Normalize options to simplify later processing.
@@ -84,6 +86,16 @@
        arg = argv->argv[field];
        if (arg[0] != '-' || strcmp(arg, "--") == 0)
            break;
+       for (cp = arg + 1; *cp; cp++) {
+           if (*cp == 'o' && cp > arg + 1) {
+               /* Split "-stuffo" into "-stuff" and "-o". */
+               junk = concatenate("-", cp, (char *) 0);
+               argv_insert_one(argv, field + 1, junk);
+               myfree(junk);
+               *cp = 0;
+               break;
+           }
+       }
        if (strncmp(arg, "-o", 2) == 0) {
            if (arg[2] != 0) {
                /* Split "-oname=value" into "-o" "name=value". */
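Review bot: In the new for loop the scan does not stop when the argument already begins with "-o": the cp > arg + 1 guard only skips the first letter, so the loop carries on into the attached name=value text and splits at the next letter o it finds. As written, "-oname=foo" would be cut into "-oname=f" and "-oo" before the existing "-oname=value" split runs. Break out of the loop when arg[1] is 'o' (or stop scanning at the first 'o' in any position), and check whether other option letters that take an attached value need the same treatment.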
diff -r 9aef216bff6f -r 3594e42ea554 external/ibm-public/postfix/dist/src/postconf/test40.ref
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/external/ibm-public/postfix/dist/src/postconf/test40.ref  Wed Aug 21 20:09:37 2013 +0000
@@ -0,0 +1,4 @@
+foo        unix  -       n       n       -       0       other -v
+    -o aaa=bbb -v
+    -o ccc=$aaa -v
+    -o ddd=$ccc
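Review bot: Every parameter name and value in the expected output (aaa, bbb, ccc, ddd) avoids the letter o, so this test cannot notice a split that lands inside a name=value string. Add a case whose name or value contains an o, and one cluster without -o (such as "-vv") to show that it passes through unchanged.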
diff -r 9aef216bff6f -r 3594e42ea554 external/ibm-public/postfix/dist/src/smtp/smtp_connect.c
--- a/external/ibm-public/postfix/dist/src/smtp/smtp_connect.c  Wed Aug 21 19:48:35 2013 +0000
+++ b/external/ibm-public/postfix/dist/src/smtp/smtp_connect.c  Wed Aug 21 20:09:37 2013 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: smtp_connect.c,v 1.1.1.3 2013/01/02 18:59:07 tron Exp $        */
+/*     $NetBSD: smtp_connect.c,v 1.1.1.4 2013/08/21 20:09:56 tron Exp $        */
 
 /*++
 /* NAME
@@ -459,12 +459,12 @@
     state->misc_flags &= ~SMTP_MISC_FLAG_CONN_CACHE_MASK;
 
     /*
-     * XXX Disable connection caching when sender-dependent authentication is
+     * XXX Disable connection caching when SASL authentication is
      * enabled. We must not send someone elses mail over an authenticated
      * connection, and we must not send mail that requires authentication
      * over a connection that wasn't authenticated.
      */
-    if (var_smtp_sender_auth)
+    if (var_smtp_sasl_passwd && *var_smtp_sasl_passwd)
        return;
 
     if (smtp_cache_dest && string_list_match(smtp_cache_dest, dest)) {
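Review bot: The rewritten comment says caching is disabled "when SASL authentication is enabled", but the new condition tests only that var_smtp_sasl_passwd is non-empty, which is a proxy for that. State the proxy in the comment (for example "when a SASL password map is configured"), and confirm that dropping the var_smtp_sender_auth test loses nothing, that is, sender-dependent authentication cannot be in effect while var_smtp_sasl_passwd is empty. While here, "elses" in the unchanged comment line should be "else's".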
diff -r 9aef216bff6f -r 3594e42ea554 external/ibm-public/postfix/dist/src/smtp/smtp_reuse.c
--- a/external/ibm-public/postfix/dist/src/smtp/smtp_reuse.c    Wed Aug 21 19:48:35 2013 +0000
+++ b/external/ibm-public/postfix/dist/src/smtp/smtp_reuse.c    Wed Aug 21 20:09:37 2013 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: smtp_reuse.c,v 1.1.1.1 2009/06/23 10:08:54 tron Exp $  */
+/*     $NetBSD: smtp_reuse.c,v 1.1.1.2 2013/08/21 20:09:56 tron Exp $  */
 
 /*++
 /* NAME
@@ -272,7 +272,7 @@
      * credentials or the wrong TLS policy.
      */
     if ((var_smtp_tls_per_site && *var_smtp_tls_per_site)
-       || (var_smtp_sasl_passwd && *var_smtp_sasl_passwd))
+       || (var_smtp_tls_policy && *var_smtp_tls_policy))
        return (0);
 
     /*
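Review bot: The condition swaps the var_smtp_sasl_passwd test for var_smtp_tls_policy instead of adding to it, yet the comment just above still mentions "credentials or the wrong TLS policy". After this change the credentials case is no longer checked at this point and depends entirely on the early return changed in smtp_connect.c. Either update the comment to say so or keep the SASL test here as well, so this function stays safe if it gains another caller.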
diff -r 9aef216bff6f -r 3594e42ea554 external/ibm-public/postfix/dist/src/tls/Makefile.in
--- a/external/ibm-public/postfix/dist/src/tls/Makefile.in      Wed Aug 21 19:48:35 2013 +0000
+++ b/external/ibm-public/postfix/dist/src/tls/Makefile.in      Wed Aug 21 20:09:37 2013 +0000
@@ -319,6 +319,7 @@
 tls_stream.o: tls.h
 tls_stream.o: tls_stream.c
 tls_verify.o: ../../include/argv.h
+tls_verify.o: ../../include/mail_params.h
 tls_verify.o: ../../include/msg.h
 tls_verify.o: ../../include/mymalloc.h
 tls_verify.o: ../../include/name_code.h
diff -r 9aef216bff6f -r 3594e42ea554 external/ibm-public/postfix/dist/src/tls/tls_misc.c
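The HISTORY entry above says a correct public-key fingerprint must account for the algorithm and parameters in addition to the key data. The following is an added illustration, not code from Postfix or from this commit: it assumes the legacy method hashed only the BIT STRING key bytes, and it uses two constructed SubjectPublicKeyInfo blobs (the point bytes are filler, not a real key) that differ only in the curve parameter.

```python
import hashlib

def der(tag, value):
    """Encode one DER element (used only to build the sample keys)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def key_bits_fingerprint(spki):
    """Assumed legacy behaviour: digest of the BIT STRING key bytes only."""
    tag, body, _ = read_tlv(spki)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, _, after_alg = read_tlv(body)         # skip AlgorithmIdentifier
    tag, bits, _ = read_tlv(body, after_alg)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    return hashlib.sha1(bits[1:]).hexdigest()  # drop the unused-bits octet

def spki_fingerprint(spki):
    """Digest of the whole DER SubjectPublicKeyInfo, as in the release notes."""
    return hashlib.sha1(spki).hexdigest()

# Constructed sample data: same key bytes, different curve parameters.
EC_PUBKEY = bytes.fromhex("06072a8648ce3d0201")   # OID id-ecPublicKey
P256 = bytes.fromhex("06082a8648ce3d030107")      # OID prime256v1
SECP256K1 = bytes.fromhex("06052b8104000a")       # OID secp256k1
POINT = b"\x04" + bytes(range(64))                # filler, not a real point

def make_spki(curve_oid):
    alg = der(0x30, EC_PUBKEY + curve_oid)
    return der(0x30, alg + der(0x03, b"\x00" + POINT))

SPKI_A, SPKI_B = make_spki(P256), make_spki(SECP256K1)

if __name__ == "__main__":
    print("key bits only:", key_bits_fingerprint(SPKI_A), key_bits_fingerprint(SPKI_B))
    print("full SPKI    :", spki_fingerprint(SPKI_A), spki_fingerprint(SPKI_B))
```

The key-bits-only digests collide for the two blobs, while the full-SPKI digests differ, which is why pinned values computed the old way have to be regenerated.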


