Accepting request 1143513 from home:computersalat:devel:mail

rework fix for bsc#1192173, rework SMTP Smuggling defaults, sync main.cf patches, sync changes files

OBS-URL: https://build.opensuse.org/request/show/1143513
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=472

postfix-bdb-main.cf.patch

@@ -2,7 +2,7 @@ Index: conf/main.cf
 ===================================================================
 --- conf/main.cf.orig
 +++ conf/main.cf
-@@ -567,6 +567,7 @@ unknown_local_recipient_reject_code = 55
+@@ -576,6 +576,7 @@ unknown_local_recipient_reject_code = 55
  #
  #smtpd_banner = $myhostname ESMTP $mail_name
  #smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
@@ -10,7 +10,7 @@ Index: conf/main.cf
  
  # PARALLEL DELIVERY TO THE SAME DESTINATION
  #
-@@ -673,4 +674,140 @@ sample_directory =
+@@ -682,4 +683,165 @@ sample_directory =
  # readme_directory: The location of the Postfix README files.
  #
  readme_directory =
@@ -39,8 +39,8 @@ Index: conf/main.cf
 +masquerade_classes = envelope_sender, header_sender, header_recipient
 +masquerade_domains = 
 +masquerade_exceptions = 
-+mydestination = $myhostname, localhost.$mydomain
++mydestination = $myhostname, localhost.$mydomain, localhost
-+myhostname = localhost
++myhostname = 
 +mynetworks_style = subnet
 +relayhost = 
 +
@@ -70,6 +70,19 @@ Index: conf/main.cf
 +smtpd_recipient_restrictions = 
 +
 +
++######################################################################
++# SMTP Smuggling (CVE-2023-51764)
++# no: allows SMTP smuggling
++# yes / normalize : 
++#   but allow local clients with non-standard SMTP implementations
++#   such as netcat, fax machines, or load balancer health checks.
++# reject: 
++#   rejects a command or message that contains a bare newline
++######################################################################
++smtpd_forbid_bare_newline = normalize
++smtpd_forbid_bare_newline_exclusions = $mynetworks
++#smtpd_forbid_bare_newline_reject_code = 521
++
 +############################################################
 +# SASL stuff
 +############################################################
@@ -93,6 +106,7 @@ Index: conf/main.cf
 +smtp_use_tls = no
 +#smtp_tls_loglevel = 0
 +smtp_enforce_tls = no
++smtp_tls_security_level = 
 +smtp_tls_CAfile = 
 +smtp_tls_CApath = 
 +smtp_tls_cert_file = 
@@ -103,6 +117,8 @@ Index: conf/main.cf
 +
 +smtpd_use_tls = no
 +#smtpd_tls_loglevel = 0
++smtpd_enforce_tls = no
++smtpd_tls_security_level = 
 +smtpd_tls_CAfile = 
 +smtpd_tls_CApath = 
 +smtpd_tls_cert_file = 
@@ -111,9 +127,17 @@ Index: conf/main.cf
 +smtpd_tls_exclude_ciphers = RC4
 +smtpd_tls_received_header = no
 +############################################################
++# OpenDKIM
++############################################################
++#smtpd_milters = unix:/run/opendkim/opendkim.sock
++#non_smtpd_milters = $smtpd_milters
++#milter_default_action = accept
++#milter_protocol = 2
++############################################################
 +# Start MySQL from postfixwiki.org
 +############################################################
 +relay_domains = $mydestination, hash:/etc/postfix/relay
++#relay_recipient_maps = hash:/etc/postfix/relay_recipients
 +#virtual_alias_domains = 
 +#virtual_alias_maps = hash:/etc/postfix/virtual
 +#virtual_uid_maps = static:303
@@ -146,6 +170,7 @@ Index: conf/main.cf
 +#unknown_client_reject_code = 550
 +#unknown_hostname_reject_code = 550
 +#unverified_recipient_reject_code = 550
++#unverified_sender_reject_code = 550
 +#soft_bounce = yes
 +############################################################
 +#debug_peer_list = example.com

postfix-bdb.spec

@@ -128,14 +128,14 @@ Requires(pre):  shadow
 %endif
 # /usr/lib/postfix/bin//post-install: line 667: ed: command not found
 Requires(pre):  ed
-Requires(preun):ed
+Requires(preun): ed
 Requires(post): ed
-Requires(postun):ed
+Requires(postun): ed
 # /usr/sbin/config.postfix needs perl
 Requires(pre):  perl
-Requires(preun):perl
+Requires(preun): perl
 Requires(post): perl
-Requires(postun):perl
+Requires(postun): perl
 
 %description
 Postfix aims to be an alternative to the widely-used sendmail program with bdb support

postfix-linux45.patch

@@ -2,6 +2,8 @@
  makedefs |    2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
+Index: makedefs
+===================================================================
 --- makedefs.orig
 +++ makedefs
 @@ -631,8 +631,8 @@ EOF

postfix-main.cf.patch

@@ -50,7 +50,7 @@ Index: conf/main.cf
  
  # PARALLEL DELIVERY TO THE SAME DESTINATION
  #
-@@ -682,4 +683,155 @@ sample_directory =
+@@ -682,4 +683,165 @@ sample_directory =
  # readme_directory: The location of the Postfix README files.
  #
  readme_directory =
@@ -79,6 +79,8 @@ Index: conf/main.cf
 +masquerade_classes = envelope_sender, header_sender, header_recipient
 +masquerade_domains = 
 +masquerade_exceptions = 
++mydestination = $myhostname, localhost.$mydomain, localhost
++myhostname = 
 +mynetworks_style = subnet
 +relayhost = 
 +
@@ -107,12 +109,19 @@ Index: conf/main.cf
 +
 +smtpd_recipient_restrictions = 
 +
-+# mitigation for CVE-2023-51764 - SMTP smuggling attack
++
-+# but allow local clients with non-standard SMTP implementations
++######################################################################
-+# such as netcat, fax machines, or load balancer health checks.
++# SMTP Smuggling (CVE-2023-51764)
-+#
++# no: allows SMTP smuggling
-+smtpd_forbid_bare_newline = yes
++# yes / normalize : 
++#   but allow local clients with non-standard SMTP implementations
++#   such as netcat, fax machines, or load balancer health checks.
++# reject: 
++#   rejects a command or message that contains a bare newline
++######################################################################
++smtpd_forbid_bare_newline = normalize
 +smtpd_forbid_bare_newline_exclusions = $mynetworks
++#smtpd_forbid_bare_newline_reject_code = 521
 +
 +############################################################
 +# SASL stuff
@@ -168,7 +177,7 @@ Index: conf/main.cf
 +# Start MySQL from postfixwiki.org
 +############################################################
 +relay_domains = $mydestination, lmdb:/etc/postfix/relay
-+relay_recipient_maps = lmdb:/etc/postfix/relay_recipients
++#relay_recipient_maps = lmdb:/etc/postfix/relay_recipients
 +#virtual_alias_domains = 
 +#virtual_alias_maps = lmdb:/etc/postfix/virtual
 +#virtual_uid_maps = static:303
@@ -201,6 +210,7 @@ Index: conf/main.cf
 +#unknown_client_reject_code = 550
 +#unknown_hostname_reject_code = 550
 +#unverified_recipient_reject_code = 550
++#unverified_sender_reject_code = 550
 +#soft_bounce = yes
 +############################################################
 +#debug_peer_list = example.com

postfix-ssl-release-buffers.patch

@@ -2,7 +2,7 @@ Index: src/tls/tls_client.c
 ===================================================================
 --- src/tls/tls_client.c.orig
 +++ src/tls/tls_client.c
-@@ -693,6 +693,11 @@ TLS_APPL_STATE *tls_client_init(const TL
+@@ -700,6 +700,11 @@ TLS_APPL_STATE *tls_client_init(const TL
      SSL_CTX_set_security_level(client_ctx, 0);
  #endif
  
@@ -18,7 +18,7 @@ Index: src/tls/tls_server.c
 ===================================================================
 --- src/tls/tls_server.c.orig
 +++ src/tls/tls_server.c
-@@ -493,6 +493,10 @@ TLS_APPL_STATE *tls_server_init(const TL
+@@ -500,6 +500,10 @@ TLS_APPL_STATE *tls_server_init(const TL
      SSL_CTX_set_security_level(sni_ctx, 0);
  #endif
  

postfix-vda-v14-3.0.3.patch

@@ -19,7 +19,7 @@ Index: src/global/mail_params.h
 ===================================================================
 --- src/global/mail_params.h.orig
 +++ src/global/mail_params.h
-@@ -2657,6 +2657,54 @@ extern char *var_virt_uid_maps;
+@@ -2661,6 +2661,54 @@ extern char *var_virt_uid_maps;
  #define DEF_VIRT_GID_MAPS		""
  extern char *var_virt_gid_maps;
  

postfix.changes

@@ -6,6 +6,29 @@ Tue Jan 23 18:24:16 UTC 2024 - Arjen de Korte <suse+build@de-korte.org>
     spoofing attack (SMTP smuggling) on recipients at a Postfix server.
     For background, see https://www.postfix.org/smtp-smuggling.html.
 
+-------------------------------------------------------------------
+Sat Jan  6 22:41:09 UTC 2024 - chris@computersalat.de
+
+- rework fix for bsc#1192173: keep myhostname and mydestination
+  patched, but with upstream default to have them in correct place
+  when updated via config.postfix
+- rework SMTP Smuggling defaults
+  * yes is now alias of 'normalize'
+    smtpd_forbid_bare_newline = normalize
+  * another new option is 'reject' wich should be used in connection
+    with
+    smtpd_forbid_bare_newline_reject_code = 521
+- rework patches
+  * postfix-bdb-main.cf.patch
+  * postfix-main.cf.patch
+- rebase patches
+  * postfix-linux45.patch
+  * postfix-ssl-release-buffers.patch
+  * postfix-vda-v14-3.0.3.patch
+  * set-default-db-type.patch
+- sync changes files
+  * add missing entries in postfix-bdb.changes
+
 -------------------------------------------------------------------
 Thu Dec 28 07:57:23 UTC 2023 - Dirk Müller <dmueller@suse.com>
 

postfix.spec

@@ -110,14 +110,14 @@ BuildRequires:  libnsl-devel
 %endif
 # /usr/lib/postfix/bin//post-install: line 667: ed: command not found
 Requires(pre):  /usr/bin/ed
-Requires(preun):/usr/bin/ed
+Requires(preun): /usr/bin/ed
 Requires(post): /usr/bin/ed
-Requires(postun):/usr/bin/ed
+Requires(postun): /usr/bin/ed
 # /usr/sbin/config.postfix needs perl
 Requires(pre):  perl
-Requires(preun):perl
+Requires(preun): perl
 Requires(post): perl
-Requires(postun):perl
+Requires(postun): perl
 
 %description
 Postfix aims to be an alternative to the widely-used sendmail program.

set-default-db-type.patch

@@ -69,7 +69,7 @@ Index: src/global/mail_params.h
 ===================================================================
 --- src/global/mail_params.h.orig
 +++ src/global/mail_params.h
-@@ -2960,7 +2960,7 @@ extern int var_vrfy_pend_limit;
+@@ -2964,7 +2964,7 @@ extern int var_vrfy_pend_limit;
  extern char *var_verify_service;
  
  #define VAR_VERIFY_MAP			"address_verify_map"
@@ -78,7 +78,7 @@ Index: src/global/mail_params.h
  extern char *var_verify_map;
  
  #define VAR_VERIFY_POS_EXP		"address_verify_positive_expire_time"
-@@ -3762,7 +3762,7 @@ extern char *var_multi_cntrl_cmds;
+@@ -3776,7 +3776,7 @@ extern char *var_multi_cntrl_cmds;
    * postscreen(8)
    */
  #define VAR_PSC_CACHE_MAP	"postscreen_cache_map"