Source-Changes-HG archive
[src/trunk]: src/external/ibm-public/postfix/dist Import Postfix 2.9.7. Chang...
details: https://anonhg.NetBSD.org/src/rev/3594e42ea554
branches: trunk
changeset: 789546:3594e42ea554
user: tron <tron%NetBSD.org@localhost>
date: Wed Aug 21 20:09:37 2013 +0000
description:
Import Postfix 2.9.7. Changes since version 2.9.5:
- Thanks to OpenSSL documentation, the Postfix 2.9.0..2.9.5 SMTP
client and server used an incorrect procedure to compute TLS
certificate PUBLIC-KEY fingerprints (these may be used in the
check_ccert_access and in smtp_tls_policy_maps features). Support
for certificate PUBLIC-KEY fingerprints was introduced with Postfix
2.9; there is no known problem with the certificate fingerprint
algorithms available since Postfix 2.2.
Specify "tls_legacy_public_key_fingerprints = yes" temporarily,
pending a migration from configuration files with incorrect Postfix
2.9.0..2.9.5 certificate PUBLIC-KEY fingerprints, to the correct
fingerprints used by Postfix 2.9.6 and later.
- Bugfix (introduced: Postfix 2.0): when myhostname is not listed in
mydestination, the trivial-rewrite resolver may log "do not list <myhostname value> in both
mydestination and <name of non-mydestination domain list>". The fix is to re-resolve a domain-less address after
adding $myhostname as the surrogate domain, so that it pops out with the
right address-class label. Reported by Quanah Gibson-Mount.
- Bugfix (introduced: Postfix 2.3): don't reuse TCP connections when
smtp_tls_policy_maps is specified. TLS policies may depend on the remote
destination, but the Postfix <2.11 SMTP connection cache client does not
distinguish between different destinations that resolve to the same
IP address. Victor Duchovni. Found during Postfix 2.11 code maintenance.
- Bugfix (introduced: Postfix 2.2): don't reuse TCP connections when
SASL authentication is enabled. SASL passwords may depend on the
remote SMTP server hostname, but the Postfix <2.11 SMTP connection
cache client does not distinguish between different hostnames that
resolve to the same IP address. Found during Postfix 2.11 code
maintenance.
diffstat:
external/ibm-public/postfix/dist/HISTORY | 55 ++++++
external/ibm-public/postfix/dist/README_FILES/RELEASE_NOTES | 30 +++
external/ibm-public/postfix/dist/RELEASE_NOTES | 30 +++
external/ibm-public/postfix/dist/mantools/postlink | 1 +
external/ibm-public/postfix/dist/src/global/mail_version.h | 6 +-
external/ibm-public/postfix/dist/src/postconf/Makefile.in | 13 +-
external/ibm-public/postfix/dist/src/postconf/postconf_master.c | 14 +-
external/ibm-public/postfix/dist/src/postconf/test40.ref | 4 +
external/ibm-public/postfix/dist/src/smtp/smtp_connect.c | 6 +-
external/ibm-public/postfix/dist/src/smtp/smtp_reuse.c | 4 +-
external/ibm-public/postfix/dist/src/tls/Makefile.in | 1 +
external/ibm-public/postfix/dist/src/tls/tls_misc.c | 9 +-
external/ibm-public/postfix/dist/src/tls/tls_verify.c | 80 ++++++++-
external/ibm-public/postfix/dist/src/trivial-rewrite/resolve.c | 15 +-
external/ibm-public/postfix/dist/src/util/exec_command.c | 5 +-
15 files changed, 243 insertions(+), 30 deletions(-)
diffs (truncated from 530 to 300 lines):
diff -r 9aef216bff6f -r 3594e42ea554 external/ibm-public/postfix/dist/HISTORY
--- a/external/ibm-public/postfix/dist/HISTORY Wed Aug 21 19:48:35 2013 +0000
+++ b/external/ibm-public/postfix/dist/HISTORY Wed Aug 21 20:09:37 2013 +0000
@@ -17756,3 +17756,58 @@
This part of the code is not documented and had escaped
testing. Files: util/ip_match.c, util/ip_match.in,
util/ip_match.ref.
+
+20121230
+
+ Bugfix (omission in feature 20111106): the postconf(1)
+ master.cf options parser didn't support "clusters" of
+ command-line option letters. File: postconf/postconf_master.c,
+ postconf/test40.ref.
+
+20130131
+
+ Bugfix: the local(8) delivery agent dereferenced a null
+ pointer while delivering to null command (for example, "|"
+ in a .forward file). Reported by Gilles Chehade.
+
+20130203
+
+ Bugfix: the undocumented OpenSSL X509_pubkey_digest()
+ function is unsuitable for computing certificate PUBLIC KEY
+ fingerprints. Postfix now provides a correct procedure
+ that accounts for the algorithm and parameters in addition
+ to the key data. Specify "tls_legacy_public_key_fingerprints
+ = yes" if you need backwards compatibility. Fix by Victor
+ Duchovni, BC added by Wietse. Files: tls/tls_verify.c,
+ tls/tls_misc.c, proto/TLS_README.html, global/mail_params.h.
+
+ Bugfix: the 20121010 fix for tls_misc.c was documented but
+ not included.
+
+20130403
+
+ Bugfix (introduced: Postfix 2.3): don't reuse TCP connections
+ when smtp_tls_policy_maps is specified. Victor Duchovni.
+ Found during Postfix 2.11 code maintenance. File:
+ smtp/smtp_reuse.c.
+
+20130423
+
+ Bugfix (introduced: Postfix 2.0): when myhostname is not
+ listed in mydestination, the trivial-rewrite resolver may
+ log "do not list <myhostname value> in both mydestination
+ and <name of non-mydestination domain list>". The fix is
+ to re-resolve a domain-less address after adding $myhostname
+ as the surrogate domain, so that it pops out with the right
+ address-class label. Problem reported by Quanah Gibson-Mount.
+ File: trivial-rewrite/resolve.c.
+
+20130425
+
+ Bugfix (introduced: Postfix 2.2): don't reuse TCP connections
+ when SASL authentication is enabled. SASL passwords may
+ depend on the remote SMTP server hostname, but the Postfix
+ <2.11 SMTP connection cache client does not distinguish
+ between different hostnames that resolve to the same IP
+ address. Found during Postfix 2.11 code maintenance. File:
+ smtp/smtp_connect.c.
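Review bot: the 20130131 entry for the local(8) null-pointer dereference is the only entry added here that names no file, so the fix cannot be traced from HISTORY to the source it touched; add a "File:" line as the neighbouring entries have. The commit description above also leaves this fix and the 20121230 postconf(1) fix out of its list of changes since 2.9.5.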
diff -r 9aef216bff6f -r 3594e42ea554 external/ibm-public/postfix/dist/README_FILES/RELEASE_NOTES
--- a/external/ibm-public/postfix/dist/README_FILES/RELEASE_NOTES Wed Aug 21 19:48:35 2013 +0000
+++ b/external/ibm-public/postfix/dist/README_FILES/RELEASE_NOTES Wed Aug 21 20:09:37 2013 +0000
@@ -14,6 +14,36 @@
If you upgrade from Postfix 2.7 or earlier, read RELEASE_NOTES-2.8
before proceeding.
+Major changes with Postfix 2.9.6
+--------------------------------
+
+Thanks to OpenSSL documentation, the Postfix 2.9.0..2.9.5 SMTP
+client and server computed incorrect TLS certificate PUBLIC-KEY
+fingerprints. Support for certificate PUBLIC-KEY finger prints
+was introduced with Postfix 2.9; there is no known problem with the
+certificate fingerprint algorithms available since Postfix 2.2.
+
+Certificate PUBLIC-KEY finger prints may be used in the Postfix
+SMTP server (with "check_ccert_access") and in the Postfix SMTP
+client (with the "fingerprint" security level).
+
+Specify "tls_legacy_public_key_fingerprints = yes" temporarily,
+pending a migration from configuration files with incorrect Postfix
+2.9.0..2.9.5 certificate PUBLIC-KEY finger prints, to the correct
+fingerprints used by Postfix 2.9.6 and later.
+
+To compute the correct PUBLIC-KEY finger prints:
+
+# OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
+$ openssl x509 -in cert.pem -noout -pubkey | \
+ openssl pkey -pubin -outform DER | \
+ openssl dgst -sha1 -c
+
+# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
+$ openssl x509 -in cert.pem -noout -pubkey | \
+ openssl rsa -pubin -outform DER | \
+ openssl dgst -md5 -c
+
Major changes with Postfix 2.9.2
--------------------------------
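Review bot: the two recipes under "To compute the correct PUBLIC-KEY finger prints" change both the key-export command (pkey vs rsa) and the digest (-sha1 vs -md5), which reads as if the digest were tied to the OpenSSL version. State that the digest passed to "openssl dgst" has to be the one Postfix is configured to use for fingerprints, and that only the export command depends on the OpenSSL release.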
diff -r 9aef216bff6f -r 3594e42ea554 external/ibm-public/postfix/dist/RELEASE_NOTES
--- a/external/ibm-public/postfix/dist/RELEASE_NOTES Wed Aug 21 19:48:35 2013 +0000
+++ b/external/ibm-public/postfix/dist/RELEASE_NOTES Wed Aug 21 20:09:37 2013 +0000
@@ -14,6 +14,36 @@
If you upgrade from Postfix 2.7 or earlier, read RELEASE_NOTES-2.8
before proceeding.
+Major changes with Postfix 2.9.6
+--------------------------------
+
+Thanks to OpenSSL documentation, the Postfix 2.9.0..2.9.5 SMTP
+client and server computed incorrect TLS certificate PUBLIC-KEY
+fingerprints. Support for certificate PUBLIC-KEY finger prints
+was introduced with Postfix 2.9; there is no known problem with the
+certificate fingerprint algorithms available since Postfix 2.2.
+
+Certificate PUBLIC-KEY finger prints may be used in the Postfix
+SMTP server (with "check_ccert_access") and in the Postfix SMTP
+client (with the "fingerprint" security level).
+
+Specify "tls_legacy_public_key_fingerprints = yes" temporarily,
+pending a migration from configuration files with incorrect Postfix
+2.9.0..2.9.5 certificate PUBLIC-KEY finger prints, to the correct
+fingerprints used by Postfix 2.9.6 and later.
+
+To compute the correct PUBLIC-KEY finger prints:
+
+# OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
+$ openssl x509 -in cert.pem -noout -pubkey | \
+ openssl pkey -pubin -outform DER | \
+ openssl dgst -sha1 -c
+
+# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
+$ openssl x509 -in cert.pem -noout -pubkey | \
+ openssl rsa -pubin -outform DER | \
+ openssl dgst -md5 -c
+
Major changes with Postfix 2.9.2
--------------------------------
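Review bot: the paragraph introducing "tls_legacy_public_key_fingerprints = yes" leaves the upgrade impact implicit. Say outright that PUBLIC-KEY fingerprints recorded under 2.9.0..2.9.5 stop matching once 2.9.6 computes them the corrected way, and that the legacy setting should be removed after the check_ccert_access and "fingerprint" security level entries have been regenerated, so that "temporarily" has a defined end.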
diff -r 9aef216bff6f -r 3594e42ea554 external/ibm-public/postfix/dist/mantools/postlink
--- a/external/ibm-public/postfix/dist/mantools/postlink Wed Aug 21 19:48:35 2013 +0000
+++ b/external/ibm-public/postfix/dist/mantools/postlink Wed Aug 21 20:09:37 2013 +0000
@@ -689,6 +689,7 @@
s;\btls_preempt_cipherlist\b;<a href="postconf.5.html#tls_preempt_cipherlist">$&</a>;g;
s;\btls_disable_workarounds\b;<a href="postconf.5.html#tls_disable_workarounds">$&</a>;g;
s;\btls_append_default_CA\b;<a href="postconf.5.html#tls_append_default_CA">$&</a>;g;
+ s;\btls_legacy_public_key_fingerprints\b;<a href="postconf.5.html#tls_legacy_public_key_fingerprint">$&</a>;g;
s;\bfrozen_delivered_to\b;<a href="postconf.5.html#frozen_delivered_to">$&</a>;g;
s;\breset_owner_alias\b;<a href="postconf.5.html#reset_owner_alias">$&</a>;g;
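Review bot: the href in the added tls_legacy_public_key_fingerprints rule points at "postconf.5.html#tls_legacy_public_key_fingerprint", without the trailing "s", while every neighbouring rule uses an anchor identical to the parameter name. Unless the postconf(5) anchor really is singular, generated links for this parameter will land on a non-existent fragment; change the anchor to "#tls_legacy_public_key_fingerprints".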
diff -r 9aef216bff6f -r 3594e42ea554 external/ibm-public/postfix/dist/src/global/mail_version.h
--- a/external/ibm-public/postfix/dist/src/global/mail_version.h Wed Aug 21 19:48:35 2013 +0000
+++ b/external/ibm-public/postfix/dist/src/global/mail_version.h Wed Aug 21 20:09:37 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: mail_version.h,v 1.1.1.17 2013/01/02 18:58:59 tron Exp $ */
+/* $NetBSD: mail_version.h,v 1.1.1.18 2013/08/21 20:09:52 tron Exp $ */
#ifndef _MAIL_VERSION_H_INCLUDED_
#define _MAIL_VERSION_H_INCLUDED_
@@ -22,8 +22,8 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20121213"
-#define MAIL_VERSION_NUMBER "2.9.5"
+#define MAIL_RELEASE_DATE "20130622"
+#define MAIL_VERSION_NUMBER "2.9.7"
#ifdef SNAPSHOT
# define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
diff -r 9aef216bff6f -r 3594e42ea554 external/ibm-public/postfix/dist/src/postconf/Makefile.in
--- a/external/ibm-public/postfix/dist/src/postconf/Makefile.in Wed Aug 21 19:48:35 2013 +0000
+++ b/external/ibm-public/postfix/dist/src/postconf/Makefile.in Wed Aug 21 20:09:37 2013 +0000
@@ -42,7 +42,7 @@
tests: test1 test2 test3 test4 test5 test6 test7 test8 test9 test10 test11 \
test12 test13 test14 test15 test16 test17 test18 test19 test20 test21 \
- test22 test23 test24 test25 test26 test27 test28 test29 test30
+ test22 test23 test24 test25 test26 test27 test28 test29 test30 test40
root_tests:
@@ -414,6 +414,17 @@
diff test30.ref test30.tmp
rm -f main.cf master.cf test30.tmp
+test40: $(PROG) test40.ref
+ rm -f main.cf master.cf
+ touch main.cf master.cf
+ echo foo unix - n n - 0 other >> master.cf
+ echo ' -voaaa=bbb' >> master.cf
+ echo ' -vo ccc=$$aaa' >> master.cf
+ echo ' -v -oddd=$$ccc' >> master.cf
+ ./$(PROG) -Mfc . unix >test40.tmp 2>&1
+ diff test40.ref test40.tmp
+ rm -f main.cf master.cf test40.tmp
+
printfck: $(OBJS) $(PROG)
rm -rf printfck
mkdir printfck
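Review bot: test40 only exercises clusters where "o" directly follows "v" ("-voaaa=bbb", "-vo ccc=$$aaa"), so it does not pin down what the new splitter does when an "o" appears later in an argument that is not a pure flag cluster. Add at least one such line to master.cf in this target and record the intended output in test40.ref. The jump from test30 to test40 in the "tests:" list also deserves a short comment if 31 to 39 are reserved.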
diff -r 9aef216bff6f -r 3594e42ea554 external/ibm-public/postfix/dist/src/postconf/postconf_master.c
--- a/external/ibm-public/postfix/dist/src/postconf/postconf_master.c Wed Aug 21 19:48:35 2013 +0000
+++ b/external/ibm-public/postfix/dist/src/postconf/postconf_master.c Wed Aug 21 20:09:37 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: postconf_master.c,v 1.1.1.1 2013/01/02 18:59:03 tron Exp $ */
+/* $NetBSD: postconf_master.c,v 1.1.1.2 2013/08/21 20:09:54 tron Exp $ */
/*++
/* NAME
@@ -76,6 +76,8 @@
{
int field;
char *arg;
+ char *cp;
+ char *junk;
/*
* Normalize options to simplify later processing.
@@ -84,6 +86,16 @@
arg = argv->argv[field];
if (arg[0] != '-' || strcmp(arg, "--") == 0)
break;
+ for (cp = arg + 1; *cp; cp++) {
+ if (*cp == 'o' && cp > arg + 1) {
+ /* Split "-stuffo" into "-stuff" and "-o". */
+ junk = concatenate("-", cp, (char *) 0);
+ argv_insert_one(argv, field + 1, junk);
+ myfree(junk);
+ *cp = 0;
+ break;
+ }
+ }
if (strncmp(arg, "-o", 2) == 0) {
if (arg[2] != 0) {
/* Split "-oname=value" into "-o" "name=value". */
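Review bot: the added "for (cp = arg + 1; *cp; cp++)" scan splits at the first 'o' that is not the first letter, without checking that the characters before it are flag letters that take no value. An argument with an attached value that happens to contain 'o' (a constructed case: "-c/etc/postfix") would be cut into "-c/etc/p" and "-ostfix", and the second half is then parsed as a "-o" override. Stop the scan at the first character that is not a known no-argument flag letter, or document that attached option values are not supported in master.cf.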
diff -r 9aef216bff6f -r 3594e42ea554 external/ibm-public/postfix/dist/src/postconf/test40.ref
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/external/ibm-public/postfix/dist/src/postconf/test40.ref Wed Aug 21 20:09:37 2013 +0000
@@ -0,0 +1,4 @@
+foo unix - n n - 0 other -v
+ -o aaa=bbb -v
+ -o ccc=$aaa -v
+ -o ddd=$ccc
diff -r 9aef216bff6f -r 3594e42ea554 external/ibm-public/postfix/dist/src/smtp/smtp_connect.c
--- a/external/ibm-public/postfix/dist/src/smtp/smtp_connect.c Wed Aug 21 19:48:35 2013 +0000
+++ b/external/ibm-public/postfix/dist/src/smtp/smtp_connect.c Wed Aug 21 20:09:37 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: smtp_connect.c,v 1.1.1.3 2013/01/02 18:59:07 tron Exp $ */
+/* $NetBSD: smtp_connect.c,v 1.1.1.4 2013/08/21 20:09:56 tron Exp $ */
/*++
/* NAME
@@ -459,12 +459,12 @@
state->misc_flags &= ~SMTP_MISC_FLAG_CONN_CACHE_MASK;
/*
- * XXX Disable connection caching when sender-dependent authentication is
+ * XXX Disable connection caching when SASL authentication is
* enabled. We must not send someone elses mail over an authenticated
* connection, and we must not send mail that requires authentication
* over a connection that wasn't authenticated.
*/
- if (var_smtp_sender_auth)
+ if (var_smtp_sasl_passwd && *var_smtp_sasl_passwd)
return;
if (smtp_cache_dest && string_list_match(smtp_cache_dest, dest)) {
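Review bot: the reworded comment says caching is disabled "when SASL authentication is enabled", but the new test "var_smtp_sasl_passwd && *var_smtp_sasl_passwd" only checks that a password table is configured. Either test the SASL enable setting as well or reword the comment to describe the condition actually checked; "someone elses" in the same comment should read "someone else's" while the block is being touched.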
diff -r 9aef216bff6f -r 3594e42ea554 external/ibm-public/postfix/dist/src/smtp/smtp_reuse.c
--- a/external/ibm-public/postfix/dist/src/smtp/smtp_reuse.c Wed Aug 21 19:48:35 2013 +0000
+++ b/external/ibm-public/postfix/dist/src/smtp/smtp_reuse.c Wed Aug 21 20:09:37 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: smtp_reuse.c,v 1.1.1.1 2009/06/23 10:08:54 tron Exp $ */
+/* $NetBSD: smtp_reuse.c,v 1.1.1.2 2013/08/21 20:09:56 tron Exp $ */
/*++
/* NAME
@@ -272,7 +272,7 @@
* credentials or the wrong TLS policy.
*/
if ((var_smtp_tls_per_site && *var_smtp_tls_per_site)
- || (var_smtp_sasl_passwd && *var_smtp_sasl_passwd))
+ || (var_smtp_tls_policy && *var_smtp_tls_policy))
return (0);
/*
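Review bot: replacing the "var_smtp_sasl_passwd" test with "var_smtp_tls_policy" leaves the context comment above the condition still speaking of "credentials", although nothing in this function checks for them any more. Reuse with the wrong SASL credentials is now prevented only by the early return added in smtp_connect.c; keep the SASL test here next to the TLS policy one as a second guard, or update the comment to say where that check lives.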
diff -r 9aef216bff6f -r 3594e42ea554 external/ibm-public/postfix/dist/src/tls/Makefile.in
--- a/external/ibm-public/postfix/dist/src/tls/Makefile.in Wed Aug 21 19:48:35 2013 +0000
+++ b/external/ibm-public/postfix/dist/src/tls/Makefile.in Wed Aug 21 20:09:37 2013 +0000
@@ -319,6 +319,7 @@
tls_stream.o: tls.h
tls_stream.o: tls_stream.c
tls_verify.o: ../../include/argv.h
+tls_verify.o: ../../include/mail_params.h
tls_verify.o: ../../include/msg.h
tls_verify.o: ../../include/mymalloc.h
tls_verify.o: ../../include/name_code.h
diff -r 9aef216bff6f -r 3594e42ea554 external/ibm-public/postfix/dist/src/tls/tls_misc.c