Sync from SUSE:SLFO:Main postfix revision 64a93f74b88b89f905761c03b7711ef7

2025-03-14 11:09:55 +01:00
parent 979eb33c7e
commit d1acf0e8b3
9 changed files with 232 additions and 36 deletions

postfix-3.10.1.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.


@@ -0,0 +1,7 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (FreeBSD)
iFcDBQBnvJgoDAtZDoDKFacRClSOAP9rqxX/tEqZmqgT2u74aN3aVtmxOWYscLUr
iU9CA1SCJwD+KCq88qZVmJ3cjym7JxNybNWZifTf+UojADZgOJjtyb0=
=vB8f
-----END PGP SIGNATURE-----
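Review bot: the detached signature added here for the 3.10.1 tarball only helps if the build actually checks it, and none of the spec hunks shown on this page touch a keyring source or a verification step. Please confirm the spec still lists the upstream keyring and that this signature verifies against postfix-3.10.1.tar.gz, which is stored in Git LFS and cannot be inspected in this view.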

postfix-3.9.0.tar.gz (Stored with Git LFS)

Binary file not shown.


@@ -1,7 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (FreeBSD)
iFcDBQBl6JfdDAtZDoDKFacRCspDAP9CWwo61cuT1VgMaP+TrcP5izmrJSRxLMJN
ubLPqIcYZAD9FM/D0BP7oUAbxDEY5vF3qWiayCJehlEmspmTg+xeYG8=
=dY5B
-----END PGP SIGNATURE-----


@@ -1,3 +1,105 @@
-------------------------------------------------------------------
Tue Feb 25 19:00:58 UTC 2025 - Arjen de Korte <suse+build@de-korte.org>
- update to 3.10.1
* Bugfix (defect introduced: 20250210): a recent 'fix' for the
default smtp_tls_dane_insecure_mx_policy setting resulted in
unnecessary 'dnssec_probe' warnings, on systems that disable
DNSSEC lookups (which is the default).
-------------------------------------------------------------------
Tue Feb 18 20:23:53 UTC 2025 - Arjen de Korte <suse+build@de-korte.org>
- update to 3.10.0
* Internal protocol change: Postfix needs "postfix reload" (or "postfix
stop" and "postfix start") after upgrade, because of a change in the
delivery agent protocol. If this step is skipped, Postfix delivery
agents will log a warning:
unexpected attribute smtputf8 from xxx socket (expecting: sendopts)
where xxx is the delivery agent service name.
* Forward compatibility: Support for OpenSSL 3.5 post-quantum
cryptography. To manage algorithm selection, OpenSSL introduces new
TLS group syntax that Postfix will not attempt to imitate. Instead,
Postfix now allows the tls_eecdh_auto_curves and tls_ffdhe_auto_groups
parameter values to have an empty value. When both are set empty, the
algorithm selection can be managed through OpenSSL configuration. For
more, look for "Post-quantum" in the postconf(5) manpage.
* Support for the RFC 8689 "TLS-Required: no" message header to request
delivery of messages (such as TLSRPT summaries) even if the preferred
TLS security policy cannot be enforced. This limits the Postfix SMTP
client to "smtp_tls_security_level = may" which does not authenticate
server certificates and which allows falling back to plaintext.
* Support for the REQUIRETLS SMTP service extension will evolve in
Postfix 3.11.
* Support for the TLSRPT protocol (defined in RFC 8460). With this,
a domain can publish a policy in DNS that requests daily summary
reports for successful and failed SMTP-over-TLS connections to that
domain's MX hosts. This supports both DANE (built-in) and MTA-STS
(via an smtp_tls_policy_maps plugin). The implementation uses a
TLSRPT library and reporting infrastructure that are maintained by
sys4. For details, see TLSRPT_README.
* Privacy: With "smtpd_hide_client_session = yes", the Postfix
SMTP server generates a Received: header without client session
info. This setting may be used with the MUA submission services
(port 465 and 587).
* Support for RFC 2047 encoding of non-ASCII "full name" information
in Postfix-generated From: message headers. Encoding non-ASCII full
names can avoid the need to use SMTPUTF8, and therefore can avoid
incompatibility with sites that do not support SMTPUTF8. See the
full_name_encoding_charset parameter description for details.
* Database performance: When mysql: or pgsql: configuration specifies
a single host, assume that it is a load balancer and reconnect
immediately after a single failure, instead of failing all requests
for 60s.
* The Postfix Milter implementation now logs the reason for a
'quarantine' action, instead of "milter triggers HOLD action".
* The SMTP server now logs the queue ID (or "NOQUEUE") when a connection
ends abnormally (timeout, lost connection, or too many errors),
and the cleanup server now logs "queueid: canceled" when a message
transaction is started but not completed. These changes simplify
logfile analysis.
* Dovecot SASL client logging for "Invalid authentication mechanism"
now includes the name of that mechanism.
* Postfix SMTP server 'reject' logging now shows the sasl_method,
sasl_username, and sasl_sender if available.
-------------------------------------------------------------------
Thu Dec 5 19:05:33 UTC 2024 - Arjen de Korte <suse+build@de-korte.org>
- update to 3.9.1
* The mail_version configuration parameter did not have a three-number
value (3.9 instead of 3.9.0; it still had the two-number version
from the development releases postfix-3.9-yyyymmdd). This broke
pathnames derived from the mail_version value, such as
shlib_directory.
* Bugfix (defect introduced: Postfix 2.9, date 20111218): with
"smtpd_sasl_auth_enable = no", the permit_sasl_authenticated feature
ignored information that was received with the XCLIENT LOGIN
command, so that the client was treated as unauthenticated. This was
fixed by removing an unnecessary test.
* Bugfix (defect introduced: postfix 3.0): the default master.cf
syslog_name setting for the relay service did not preserve
multi-instance information, which complicated logfile analysis.
* Bugfix (defect introduced: Postfix 2.3, date 20051222): file
descriptor leak after failure to connect to a Dovecot auth server.
The impact is limited because Dovecot auth failures are rare, there
are limits on the number of retries (one), on the number of errors
per SMTP session (smtpd_hard_error_limit), on the number of sessions
per SMTP server process (max_use), and on the number of file handles
per process (managed with sysctl).
* Bugfix (defect introduced: Postfix 3.4, date 20190121): the
postsuper command failed with "open logfile '/path/to/file':
Permission denied" when the maillog_file parameter specified a
filename and Postfix was not running. This was fixed by opening the
maillog_file before dropping root privileges.
* Bugfix (defect introduced Postfix 3.0). No autodetection of UTF8
text when missing message headers were automatically added by
Postfix (for example, a From: header with UTF8 full name information
from the password file). This caused Postfix to send UTF8 in message
headers without using the SMTPUTF8 protocol.
-------------------------------------------------------------------
Tue Sep 24 08:29:59 UTC 2024 - Peter Varkoly <varkoly@suse.com>
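Review bot: the 3.10.0 entry says Postfix needs "postfix reload" (or stop and start) after the upgrade because of the delivery agent protocol change, but the spec hunks shown on this page only bump Version and change the %ghost lines, so it is not visible whether the package scriptlets reload or restart a running instance. Please confirm the upgrade path does this; otherwise delivery agents keep logging "unexpected attribute smtputf8 from xxx socket (expecting: sendopts)" until an operator intervenes. A one-line note under "update to 3.10.0" stating what the package does on upgrade would settle it.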


@@ -1,7 +1,7 @@
#
# spec file for package postfix-bdb
#
# Copyright (c) 2024 SUSE LLC
# Copyright (c) 2025 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -59,7 +59,7 @@
%endif
%bcond_without ldap
Name: postfix-bdb
Version: 3.9.0
Version: 3.10.1
Release: 0
Summary: A fast, secure, and flexible mailer
License: EPL-2.0 OR IPL-1.0


@@ -14,22 +14,26 @@ Index: conf/master.cf
#smtp inet n - n - 1 postscreen
#smtpd pass - - n - - smtpd
#dnsblog unix - - n - 0 dnsblog
@@ -17,40 +22,42 @@ smtp inet n - n
@@ -17,34 +22,36 @@ smtp inet n - n
# Choose one: enable submission for loopback clients only, or for any client.
#127.0.0.1:submission inet n - n - - smtpd
#submission inet n - n - - smtpd
-# -o syslog_name=postfix/submission
-# -o smtpd_forbid_unauth_pipelining=no
-# -o smtpd_tls_security_level=encrypt
-# -o smtpd_sasl_auth_enable=yes
-# -o smtpd_tls_auth_only=yes
-# -o local_header_rewrite_clients=static:all
-# -o smtpd_hide_client_session=yes
-# -o smtpd_reject_unlisted_recipient=no
+# -o syslog_name=postfix/submission
+# -o smtpd_forbid_unauth_pipelining=no
+# -o smtpd_tls_security_level=encrypt
+# -o content_filter=smtp:[127.0.0.1]:10024
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_tls_auth_only=yes
+# -o local_header_rewrite_clients=static:all
+# -o smtpd_hide_client_session=yes
+# -o smtpd_reject_unlisted_recipient=no
# Instead of specifying complex smtpd_<xxx>_restrictions here,
# specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
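Review bot: the added "-o content_filter=smtp:[127.0.0.1]:10024" line in the submission block depends on a filter listening on loopback port 10024, and nothing in the surrounding comments says so. It is commented out, but an administrator who uncomments the whole block enables it together with the SASL and TLS options, and mail from authenticated clients is then deferred if no such listener exists. Add a comment line above it naming the dependency, or keep it out of the block that is meant to be uncommented as a unit.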
@@ -51,36 +55,24 @@ Index: conf/master.cf
#127.0.0.1:submissions inet n - n - - smtpd
#submissions inet n - n - - smtpd
-# -o syslog_name=postfix/submissions
-# -o smtpd_forbid_unauth_pipelining=no
-# -o smtpd_tls_wrappermode=yes
-# -o smtpd_sasl_auth_enable=yes
-# -o local_header_rewrite_clients=static:all
-# -o smtpd_hide_client_session=yes
-# -o smtpd_reject_unlisted_recipient=no
+# -o syslog_name=postfix/submissions
+# -o smtpd_forbid_unauth_pipelining=no
+# -o smtpd_tls_wrappermode=yes
+# -o content_filter=smtp:[127.0.0.1]:10024
+# -o smtpd_sasl_auth_enable=yes
+# -o local_header_rewrite_clients=static:all
+# -o smtpd_hide_client_session=yes
+# -o smtpd_reject_unlisted_recipient=no
# Instead of specifying complex smtpd_<xxx>_restrictions here,
# specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
# here, and specify mua_<xxx>_restrictions in main.cf (where
# "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
-# -o smtpd_client_restrictions=
-# -o smtpd_helo_restrictions=
-# -o smtpd_sender_restrictions=
-# -o smtpd_relay_restrictions=
-# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-# -o milter_macro_daemon_name=ORIGINATING
+# -o smtpd_client_restrictions=$mua_client_restrictions
+# -o smtpd_helo_restrictions=$mua_helo_restrictions
+# -o smtpd_sender_restrictions=$mua_sender_restrictions
+# -o smtpd_recipient_restrictions=
+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - n - - qmqpd
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
@@ -79,6 +86,26 @@ lmtp unix - - n
@@ -83,6 +90,26 @@ lmtp unix - - n
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
postlog unix-dgram n - n - 1 postlogd
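Review bot: in the submissions block the patched lines set smtpd_client_restrictions, smtpd_helo_restrictions and smtpd_sender_restrictions to $mua_client_restrictions, $mua_helo_restrictions and $mua_sender_restrictions, which only works if main.cf defines those three parameters, and no hunk shown on this page adds them. The same lines move "permit_sasl_authenticated,reject" from smtpd_recipient_restrictions to smtpd_relay_restrictions and leave smtpd_recipient_restrictions empty, so the relay restriction becomes the only explicit gate on this service. Please confirm the packaged main.cf defines the mua_* parameters and that the empty recipient list is intended.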
@@ -107,7 +99,7 @@ Index: conf/master.cf
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
@@ -112,7 +139,7 @@ postlog unix-dgram n - n
@@ -116,7 +143,7 @@ postlog unix-dgram n - n
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
@@ -116,7 +108,7 @@ Index: conf/master.cf
#
# ====================================================================
#
@@ -145,3 +172,10 @@ postlog unix-dgram n - n
@@ -149,3 +176,10 @@ postlog unix-dgram n - n
#mailman unix - n n - - pipe
# flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
# ${nexthop} ${user}


@@ -1,3 +1,105 @@
-------------------------------------------------------------------
Tue Feb 25 19:00:58 UTC 2025 - Arjen de Korte <suse+build@de-korte.org>
- update to 3.10.1
* Bugfix (defect introduced: 20250210): a recent 'fix' for the
default smtp_tls_dane_insecure_mx_policy setting resulted in
unnecessary 'dnssec_probe' warnings, on systems that disable
DNSSEC lookups (which is the default).
-------------------------------------------------------------------
Tue Feb 18 20:23:53 UTC 2025 - Arjen de Korte <suse+build@de-korte.org>
- update to 3.10.0
* Internal protocol change: Postfix needs "postfix reload" (or "postfix
stop" and "postfix start") after upgrade, because of a change in the
delivery agent protocol. If this step is skipped, Postfix delivery
agents will log a warning:
unexpected attribute smtputf8 from xxx socket (expecting: sendopts)
where xxx is the delivery agent service name.
* Forward compatibility: Support for OpenSSL 3.5 post-quantum
cryptography. To manage algorithm selection, OpenSSL introduces new
TLS group syntax that Postfix will not attempt to imitate. Instead,
Postfix now allows the tls_eecdh_auto_curves and tls_ffdhe_auto_groups
parameter values to have an empty value. When both are set empty, the
algorithm selection can be managed through OpenSSL configuration. For
more, look for "Post-quantum" in the postconf(5) manpage.
* Support for the RFC 8689 "TLS-Required: no" message header to request
delivery of messages (such as TLSRPT summaries) even if the preferred
TLS security policy cannot be enforced. This limits the Postfix SMTP
client to "smtp_tls_security_level = may" which does not authenticate
server certificates and which allows falling back to plaintext.
* Support for the REQUIRETLS SMTP service extension will evolve in
Postfix 3.11.
* Support for the TLSRPT protocol (defined in RFC 8460). With this,
a domain can publish a policy in DNS that requests daily summary
reports for successful and failed SMTP-over-TLS connections to that
domain's MX hosts. This supports both DANE (built-in) and MTA-STS
(via an smtp_tls_policy_maps plugin). The implementation uses a
TLSRPT library and reporting infrastructure that are maintained by
sys4. For details, see TLSRPT_README.
* Privacy: With "smtpd_hide_client_session = yes", the Postfix
SMTP server generates a Received: header without client session
info. This setting may be used with the MUA submission services
(port 465 and 587).
* Support for RFC 2047 encoding of non-ASCII "full name" information
in Postfix-generated From: message headers. Encoding non-ASCII full
names can avoid the need to use SMTPUTF8, and therefore can avoid
incompatibility with sites that do not support SMTPUTF8. See the
full_name_encoding_charset parameter description for details.
* Database performance: When mysql: or pgsql: configuration specifies
a single host, assume that it is a load balancer and reconnect
immediately after a single failure, instead of failing all requests
for 60s.
* The Postfix Milter implementation now logs the reason for a
'quarantine' action, instead of "milter triggers HOLD action".
* The SMTP server now logs the queue ID (or "NOQUEUE") when a connection
ends abnormally (timeout, lost connection, or too many errors),
and the cleanup server now logs "queueid: canceled" when a message
transaction is started but not completed. These changes simplify
logfile analysis.
* Dovecot SASL client logging for "Invalid authentication mechanism"
now includes the name of that mechanism.
* Postfix SMTP server 'reject' logging now shows the sasl_method,
sasl_username, and sasl_sender if available.
-------------------------------------------------------------------
Thu Dec 5 19:05:33 UTC 2024 - Arjen de Korte <suse+build@de-korte.org>
- update to 3.9.1
* The mail_version configuration parameter did not have a three-number
value (3.9 instead of 3.9.0; it still had the two-number version
from the development releases postfix-3.9-yyyymmdd). This broke
pathnames derived from the mail_version value, such as
shlib_directory.
* Bugfix (defect introduced: Postfix 2.9, date 20111218): with
"smtpd_sasl_auth_enable = no", the permit_sasl_authenticated feature
ignored information that was received with the XCLIENT LOGIN
command, so that the client was treated as unauthenticated. This was
fixed by removing an unnecessary test.
* Bugfix (defect introduced: postfix 3.0): the default master.cf
syslog_name setting for the relay service did not preserve
multi-instance information, which complicated logfile analysis.
* Bugfix (defect introduced: Postfix 2.3, date 20051222): file
descriptor leak after failure to connect to a Dovecot auth server.
The impact is limited because Dovecot auth failures are rare, there
are limits on the number of retries (one), on the number of errors
per SMTP session (smtpd_hard_error_limit), on the number of sessions
per SMTP server process (max_use), and on the number of file handles
per process (managed with sysctl).
* Bugfix (defect introduced: Postfix 3.4, date 20190121): the
postsuper command failed with "open logfile '/path/to/file':
Permission denied" when the maillog_file parameter specified a
filename and Postfix was not running. This was fixed by opening the
maillog_file before dropping root privileges.
* Bugfix (defect introduced Postfix 3.0). No autodetection of UTF8
text when missing message headers were automatically added by
Postfix (for example, a From: header with UTF8 full name information
from the password file). This caused Postfix to send UTF8 in message
headers without using the SMTPUTF8 protocol.
-------------------------------------------------------------------
Tue Sep 24 08:29:19 UTC 2024 - Peter Varkoly <varkoly@suse.com>
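Review bot: in the 3.10.0 entry, the "TLS-Required: no" item describes a message header that limits the SMTP client to "smtp_tls_security_level = may", meaning no server certificate authentication and fallback to plaintext, yet the entry does not say whether the feature is active by default or how an administrator who enforces a TLS policy turns it off. This is the text users read on upgrade, so add a pointer to the controlling parameter or the relevant postconf(5) section, as the post-quantum item a few lines above already does.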


@@ -1,7 +1,7 @@
#
# spec file for package postfix
#
# Copyright (c) 2024 SUSE LLC
# Copyright (c) 2025 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -46,7 +46,7 @@
%endif
%bcond_without ldap
Name: postfix
Version: 3.9.0
Version: 3.10.1
Release: 0
Summary: A fast, secure, and flexible mailer
License: EPL-2.0 OR IPL-1.0
@@ -525,8 +525,8 @@ fi
%config(noreplace) %{_sysconfdir}/%{name}/sasl_passwd
%config(noreplace) %{_sysconfdir}/%{name}/sender_canonical
%config(noreplace) %{_sysconfdir}/%{name}/virtual
%ghost %{_sysconfdir}/%{name}/*.lmdb
%ghost %{_sysconfdir}/aliases.lmdb
%ghost %attr(0644,root,root) %{_sysconfdir}/%{name}/*.lmdb
%ghost %attr(0644,root,root) %{_sysconfdir}/aliases.lmdb
%dir %{_sysconfdir}/sasl2
%config(noreplace) %{_sysconfdir}/sasl2/smtpd.conf
%exclude %{_sysconfdir}/%{name}/LICENSE
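Review bot: the new "%ghost %attr(0644,root,root) %{_sysconfdir}/%{name}/*.lmdb" line applies a world-readable mode to every LMDB map in the Postfix configuration directory, and that glob also matches the map built from sasl_passwd, which is listed as a config file three lines above and holds relay credentials. Recording 0644 for that file means rpm verification flags a correctly restricted map as wrong and a permission reset makes it world-readable. List sasl_passwd.lmdb separately with a restrictive mode such as 0600, or exclude it from the glob.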