From e9b4a7071e4a577779f2e000a9c3e1f3a1a2e87d3c6b7cb7010853190e5c1a54 Mon Sep 17 00:00:00 2001 
From: Dirk Mueller Date: Thu, 27 Apr 2023 21:59:58 +0000 Subject: [PATCH] Accepting request 1080180 from home:adkorte:branches:server:mail - update to 3.8.0 * Support to look up DNS SRV records in the Postfix SMTP/LMTP client, Based on code by Tomas Korbar (Red Hat). For example, with "use_srv_lookup = submission" and "relayhost = example.com:submission", the Postfix SMTP client will look up DNS SRV records for _submission._tcp.example.com, and will relay email through the hosts and ports that are specified with those records. * TLS obsolescence: Postfix now treats the "export" and "low" cipher grade settings as "medium". The "export" and "low" grades are no longer supported in OpenSSL 1.1.1, the minimum version required in Postfix 3.6.0 and later. Also, Postfix default settings now exclude deprecated or unused ciphers (SEED, IDEA, 3DES, RC2, RC4, RC5), digest (MD5), key exchange algorithms (DH, ECDH), and public key algorithm (DSS). * Attack resistance: the Postfix SMTP server can now aggregate smtpd_client_*_rate and smtpd_client_*_count statistics by network block instead of by IP address, to raise the bar against a memory exhaustion attack in the anvil(8) server; Postfix TLS support unconditionally disables TLS renegotiation in the middle of an SMTP connection, to avoid a CPU exhaustion attack. * The PostgreSQL client encoding is now configurable with the "encoding" Postfix configuration file attribute. The default is "UTF8". Previously the encoding was hard-coded as "LATIN1", which is not useful in the context of SMTP. * The postconf command now warns for #comment in or after a Postfix parameter value. Postfix programs do not support #comment after other text, and treat that as input. 
- rebase/refresh patches * pointer_to_literals.patch * postfix-linux45.patch * postfix-master.cf.patch * postfix-ssl-release-buffers.patch * set-default-db-type.patch OBS-URL: https://build.opensuse.org/request/show/1080180 OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=454 --- pointer_to_literals.patch | 6 ++--- postfix-3.7.4.tar.gz | 3 --- postfix-3.7.4.tar.gz.asc | 7 ------ postfix-3.8.0.tar.gz | 3 +++ postfix-3.8.0.tar.gz.asc | 7 ++++++ postfix-bdb.changes | 38 +++++++++++++++++++++++++++++++ postfix-bdb.spec | 4 ++-- postfix-linux45.patch | 8 ++++--- postfix-master.cf.patch | 12 ++++++---- postfix-ssl-release-buffers.patch | 2 +- postfix.changes | 38 +++++++++++++++++++++++++++++++ postfix.spec | 5 ++-- set-default-db-type.patch | 10 ++++---- 13 files changed, 113 insertions(+), 30 deletions(-) delete mode 100644 postfix-3.7.4.tar.gz delete mode 100644 postfix-3.7.4.tar.gz.asc create mode 100644 postfix-3.8.0.tar.gz create mode 100644 postfix-3.8.0.tar.gz.asc diff --git a/pointer_to_literals.patch b/pointer_to_literals.patch index dec95c8..727f60a 100644 --- a/pointer_to_literals.patch +++ b/pointer_to_literals.patch @@ -28,7 +28,7 @@ Index: src/smtpd/smtpd_check.c =================================================================== --- src/smtpd/smtpd_check.c.orig +++ src/smtpd/smtpd_check.c -@@ -383,6 +383,10 @@ static STRING_LIST *smtpd_acl_perm_log; +@@ -384,6 +384,10 @@ static STRING_LIST *smtpd_acl_perm_log; #define CONST_STR(x) ((const char *) vstring_str(x)) #define UPDATE_STRING(ptr,val) { if (ptr) myfree(ptr); ptr = mystrdup(val); } @@ -39,7 +39,7 @@ Index: src/smtpd/smtpd_check.c /* * If some decision can't be made due to a temporary error, then change * other decisions into deferrals. -@@ -2394,8 +2398,6 @@ static int check_table_result(SMTPD_STAT +@@ -2395,8 +2399,6 @@ static int check_table_result(SMTPD_STAT if (msg_verbose) msg_info("%s: %s %s %s", myname, table, value, datum); 
@@ -48,7 +48,7 @@ Index: src/smtpd/smtpd_check.c /* * DUNNO means skip this table. Silently ignore optional text. */ -@@ -3482,8 +3484,6 @@ static const char *rbl_expand_lookup(con +@@ -3483,8 +3485,6 @@ static const char *rbl_expand_lookup(con SMTPD_RBL_EXPAND_CONTEXT *rbl_exp = (SMTPD_RBL_EXPAND_CONTEXT *) context; SMTPD_STATE *state = rbl_exp->state; diff --git a/postfix-3.7.4.tar.gz b/postfix-3.7.4.tar.gz deleted file mode 100644 index 43ae678..0000000 --- a/postfix-3.7.4.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:4c137a2303448f25993836837deeae87fac5d4d03af11ade8e9bead806328645 -size 4833834 diff --git a/postfix-3.7.4.tar.gz.asc b/postfix-3.7.4.tar.gz.asc deleted file mode 100644 index f1cb0e0..0000000 --- a/postfix-3.7.4.tar.gz.asc +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v2.0.18 (FreeBSD) - -iFcDBQBjzFvcDAtZDoDKFacRCi65AP9HiQ6xU2JlaR+OuYh3ZRvMZhGjkHuJhXNP -6WYbr48pHwD+If3p4MRLiehbNxK3uSWyaOC3ztV6NTEbk1rwfbdBGGI= -=nQt/ ------END PGP SIGNATURE----- diff --git a/postfix-3.8.0.tar.gz b/postfix-3.8.0.tar.gz new file mode 100644 index 0000000..00c1246 --- /dev/null +++ b/postfix-3.8.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a3ad8029bd2c6b0c576477a0f77bf9d2c0b761cbaa0efbfef47969efea6eade9 +size 4851893 diff --git a/postfix-3.8.0.tar.gz.asc b/postfix-3.8.0.tar.gz.asc new file mode 100644 index 0000000..76acc9e --- /dev/null +++ b/postfix-3.8.0.tar.gz.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.18 (FreeBSD) + +iFcDBQBkPGrxDAtZDoDKFacRCg/AAPwNXQ/mbp1mtpkHvt4IznBvn/YxlNW1qwnL +N4rUESsQHQD/R0bN2WGvAS2pgStoRdM2Tgf0tx3JzCUqwN1fA58vxSA= +=JS+i +-----END PGP SIGNATURE----- diff --git a/postfix-bdb.changes b/postfix-bdb.changes index dab4c1f..c85d9ce 100644 --- a/postfix-bdb.changes +++ b/postfix-bdb.changes 
@@ -1,3 +1,41 @@
+-------------------------------------------------------------------
+Tue Apr 18 18:14:49 UTC 2023 - Arjen de Korte
+
+- update to 3.8.0
+ * Support to look up DNS SRV records in the Postfix SMTP/LMTP
+ client, Based on code by Tomas Korbar (Red Hat). For example,
+ with "use_srv_lookup = submission" and "relayhost =
+ example.com:submission", the Postfix SMTP client will look up
+ DNS SRV records for _submission._tcp.example.com, and will relay
+ email through the hosts and ports that are specified with those
+ records.
+ * TLS obsolescence: Postfix now treats the "export" and "low"
+ cipher grade settings as "medium". The "export" and "low" grades
+ are no longer supported in OpenSSL 1.1.1, the minimum version
+ required in Postfix 3.6.0 and later. Also, Postfix default
+ settings now exclude deprecated or unused ciphers (SEED, IDEA,
+ 3DES, RC2, RC4, RC5), digest (MD5), key exchange algorithms
+ (DH, ECDH), and public key algorithm (DSS).
+ * Attack resistance: the Postfix SMTP server can now aggregate
+ smtpd_client_*_rate and smtpd_client_*_count statistics by
+ network block instead of by IP address, to raise the bar against
+ a memory exhaustion attack in the anvil(8) server; Postfix TLS
+ support unconditionally disables TLS renegotiation in the middle
+ of an SMTP connection, to avoid a CPU exhaustion attack.
+ * The PostgreSQL client encoding is now configurable with the
+ "encoding" Postfix configuration file attribute. The default
+ is "UTF8". Previously the encoding was hard-coded as "LATIN1",
+ which is not useful in the context of SMTP.
+ * The postconf command now warns for #comment in or after a Postfix
+ parameter value. Postfix programs do not support #comment after
+ other text, and treat that as input.
+- rebase/refresh patches + * pointer_to_literals.patch + * postfix-linux45.patch + * postfix-master.cf.patch + * postfix-ssl-release-buffers.patch + * set-default-db-type.patch + ------------------------------------------------------------------- Sat Feb 25 15:15:58 UTC 2023 - Otto Hollmann diff --git a/postfix-bdb.spec b/postfix-bdb.spec index 1e5ffc4..04497a6 100644 --- a/postfix-bdb.spec +++ b/postfix-bdb.spec @@ -1,7 +1,7 @@ # # spec file for package postfix-bdb # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -59,7 +59,7 @@ %endif %bcond_without ldap Name: postfix-bdb -Version: 3.7.4 +Version: 3.8.0 Release: 0 Summary: A fast, secure, and flexible mailer License: IPL-1.0 OR EPL-2.0 diff --git a/postfix-linux45.patch b/postfix-linux45.patch index ee1f6f4..80d9f86 100644 --- a/postfix-linux45.patch +++ b/postfix-linux45.patch @@ -4,12 +4,14 @@ --- makedefs.orig +++ makedefs -@@ -627,7 +627,7 @@ EOF +@@ -631,8 +631,8 @@ EOF : ${SHLIB_ENV="LD_LIBRARY_PATH=`pwd`/lib"} : ${PLUGIN_LD="${CC-gcc} -shared"} ;; --Linux.[3456].*) SYSTYPE=LINUX$RELEASE_MAJOR -+Linux.[3-9].*|Linux.[1-9][0-9].*) SYSTYPE=LINUX3 +- Linux.[3456].*) +- SYSTYPE=LINUX$RELEASE_MAJOR ++ Linux.[3-9].*|Linux.[1-9][0-9].*) ++ SYSTYPE=LINUX3 case "$CCARGS" in *-DNO_DB*) ;; *-DHAS_DB*) ;; diff --git a/postfix-master.cf.patch b/postfix-master.cf.patch index d76430b..92be2b9 100644 --- a/postfix-master.cf.patch +++ b/postfix-master.cf.patch @@ -14,7 +14,7 @@ Index: conf/master.cf #smtp inet n - n - 1 postscreen #smtpd pass - - n - - smtpd #dnsblog unix - - n - 0 dnsblog -@@ -17,38 +22,40 @@ smtp inet n - n +@@ -17,40 +22,42 @@ smtp inet n - n # Choose one: enable submission for loopback clients only, or for any client. #127.0.0.1:submission inet n - n - - smtpd #submission inet n - n - - smtpd 
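Review bot: The rebased arm `Linux.[3-9].*|Linux.[1-9][0-9].*)` in postfix-linux45.patch still hard-codes `SYSTYPE=LINUX3`, while the upstream lines it replaces already match majors 3 to 6 and set `SYSTYPE=LINUX$RELEASE_MAJOR`. On those kernels the patch therefore presumably changes which platform block is selected, rather than only adding coverage for newer majors. Whether the per-major settings differ from the LINUX3 ones cannot be seen from this hunk, so either narrow the patch to the majors upstream does not cover, or state the reason in the patch header, for example `# Pin SYSTYPE to LINUX3 for every kernel >= 3 so a new major version does not break the build`. The patch header sits above line 4 of the patch file and the `case "$CCARGS"` block continues past the hunk.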
@@ -22,12 +22,14 @@ Index: conf/master.cf -# -o smtpd_tls_security_level=encrypt -# -o smtpd_sasl_auth_enable=yes -# -o smtpd_tls_auth_only=yes +-# -o local_header_rewrite_clients=static:all -# -o smtpd_reject_unlisted_recipient=no +# -o syslog_name=postfix/submission +# -o smtpd_tls_security_level=encrypt +# -o content_filter=smtp:[127.0.0.1]:10024 +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_tls_auth_only=yes ++# -o local_header_rewrite_clients=static:all +# -o smtpd_reject_unlisted_recipient=no # Instead of specifying complex smtpd__restrictions here, # specify "smtpd__restrictions=$mua__restrictions" @@ -51,11 +53,13 @@ Index: conf/master.cf -# -o syslog_name=postfix/submissions -# -o smtpd_tls_wrappermode=yes -# -o smtpd_sasl_auth_enable=yes +-# -o local_header_rewrite_clients=static:all -# -o smtpd_reject_unlisted_recipient=no +# -o syslog_name=postfix/submissions +# -o smtpd_tls_wrappermode=yes +# -o content_filter=smtp:[127.0.0.1]:10024 +# -o smtpd_sasl_auth_enable=yes ++# -o local_header_rewrite_clients=static:all +# -o smtpd_reject_unlisted_recipient=no # Instead of specifying complex smtpd__restrictions here, # specify "smtpd__restrictions=$mua__restrictions" @@ -76,7 +80,7 @@ Index: conf/master.cf #628 inet n - n - - qmqpd pickup unix n - n 60 1 pickup cleanup unix n - n - 0 cleanup -@@ -77,6 +84,26 @@ lmtp unix - - n +@@ -79,6 +86,26 @@ lmtp unix - - n anvil unix - - n - 1 anvil scache unix - - n - 1 scache postlog unix-dgram n - n - 1 postlogd @@ -103,7 +107,7 @@ Index: conf/master.cf # # ==================================================================== # Interfaces to non-Postfix software. Be sure to examine the manual -@@ -110,7 +137,7 @@ postlog unix-dgram n - n +@@ -112,7 +139,7 @@ postlog unix-dgram n - n # Also specify in main.cf: cyrus_destination_recipient_limit=1 # #cyrus unix - n n - - pipe 
@@ -112,7 +116,7 @@ Index: conf/master.cf # # ==================================================================== # -@@ -143,3 +170,10 @@ postlog unix-dgram n - n +@@ -145,3 +172,10 @@ postlog unix-dgram n - n #mailman unix - n n - - pipe # flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py # ${nexthop} ${user} diff --git a/postfix-ssl-release-buffers.patch b/postfix-ssl-release-buffers.patch index 1a66b5d..262292f 100644 --- a/postfix-ssl-release-buffers.patch +++ b/postfix-ssl-release-buffers.patch @@ -18,7 +18,7 @@ Index: src/tls/tls_server.c =================================================================== --- src/tls/tls_server.c.orig +++ src/tls/tls_server.c -@@ -490,6 +490,10 @@ TLS_APPL_STATE *tls_server_init(const TL +@@ -493,6 +493,10 @@ TLS_APPL_STATE *tls_server_init(const TL SSL_CTX_set_security_level(sni_ctx, 0); #endif diff --git a/postfix.changes b/postfix.changes index d7c2386..a111173 100644 --- a/postfix.changes +++ b/postfix.changes 
@@ -1,3 +1,41 @@
+-------------------------------------------------------------------
+Tue Apr 18 18:14:49 UTC 2023 - Arjen de Korte
+
+- update to 3.8.0
+ * Support to look up DNS SRV records in the Postfix SMTP/LMTP
+ client, Based on code by Tomas Korbar (Red Hat). For example,
+ with "use_srv_lookup = submission" and "relayhost =
+ example.com:submission", the Postfix SMTP client will look up
+ DNS SRV records for _submission._tcp.example.com, and will relay
+ email through the hosts and ports that are specified with those
+ records.
+ * TLS obsolescence: Postfix now treats the "export" and "low"
+ cipher grade settings as "medium". The "export" and "low" grades
+ are no longer supported in OpenSSL 1.1.1, the minimum version
+ required in Postfix 3.6.0 and later. Also, Postfix default
+ settings now exclude deprecated or unused ciphers (SEED, IDEA,
+ 3DES, RC2, RC4, RC5), digest (MD5), key exchange algorithms
+ (DH, ECDH), and public key algorithm (DSS).
+ * Attack resistance: the Postfix SMTP server can now aggregate
+ smtpd_client_*_rate and smtpd_client_*_count statistics by
+ network block instead of by IP address, to raise the bar against
+ a memory exhaustion attack in the anvil(8) server; Postfix TLS
+ support unconditionally disables TLS renegotiation in the middle
+ of an SMTP connection, to avoid a CPU exhaustion attack.
+ * The PostgreSQL client encoding is now configurable with the
+ "encoding" Postfix configuration file attribute. The default
+ is "UTF8". Previously the encoding was hard-coded as "LATIN1",
+ which is not useful in the context of SMTP.
+ * The postconf command now warns for #comment in or after a Postfix
+ parameter value. Postfix programs do not support #comment after
+ other text, and treat that as input.
+- rebase/refresh patches + * pointer_to_literals.patch + * postfix-linux45.patch + * postfix-master.cf.patch + * postfix-ssl-release-buffers.patch + * set-default-db-type.patch + ------------------------------------------------------------------- Sat Feb 25 15:15:58 UTC 2023 - Otto Hollmann diff --git a/postfix.spec b/postfix.spec index ee13a93..bbf7f3f 100644 --- a/postfix.spec +++ b/postfix.spec @@ -1,7 +1,7 @@ # # spec file for package postfix # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -46,7 +46,7 @@ %endif %bcond_without ldap Name: postfix -Version: 3.7.4 +Version: 3.8.0 Release: 0 Summary: A fast, secure, and flexible mailer License: IPL-1.0 OR EPL-2.0 @@ -126,6 +126,7 @@ Postfix aims to be an alternative to the widely-used sendmail program. Summary: Development headers for the %{name} package Group: Development/Libraries/C and C++ Requires(pre): %{name} = %{version} +BuildArch: noarch %description devel Postfix aims to be an alternative to the widely-used sendmail program. diff --git a/set-default-db-type.patch b/set-default-db-type.patch index c8a6675..b4e7998 100644 --- a/set-default-db-type.patch +++ b/set-default-db-type.patch @@ -29,7 +29,7 @@ Index: src/util/sys_defs.h #define ALIAS_DB_MAP DEF_DB_TYPE ":/etc/aliases" #else #define HAS_DBM -@@ -763,7 +763,7 @@ extern int initgroups(const char *, int) +@@ -775,7 +775,7 @@ extern int initgroups(const char *, int) #define DEF_MAILBOX_LOCK "fcntl, dotlock" /* RedHat >= 4.x */ #define HAS_FSYNC #define HAS_DB 
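Review bot: The `BuildArch: noarch` line added to the devel subpackage in postfix.spec is not mentioned in the postfix.changes entry of this commit, which records only the 3.8.0 update and the patch refresh. The subpackage keeps `Requires(pre): %{name} = %{version}` on the main package, and its %files list is outside the hunk, so confirm it ships only architecture-independent headers before marking it noarch. postfix-bdb.spec gets no matching line in this commit; if it carries the same devel subpackage, the two specs now diverge. Add a changelog line such as `- build the devel subpackage as noarch`.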
@@ -38,7 +38,7 @@ Index: src/util/sys_defs.h #define ALIAS_DB_MAP DEF_DB_TYPE ":/etc/aliases" #ifndef NO_NIS #define HAS_NIS -@@ -846,7 +846,7 @@ extern int initgroups(const char *, int) +@@ -851,7 +851,7 @@ extern int initgroups(const char *, int) #define DEF_MAILBOX_LOCK "dotlock" /* verified RedHat 3.03 */ #define HAS_FSYNC #define HAS_DB @@ -47,7 +47,7 @@ Index: src/util/sys_defs.h #define ALIAS_DB_MAP DEF_DB_TYPE ":/etc/aliases" #ifndef NO_NIS #define HAS_NIS -@@ -879,7 +879,7 @@ extern int initgroups(const char *, int) +@@ -884,7 +884,7 @@ extern int initgroups(const char *, int) #define DEF_MAILBOX_LOCK "fcntl, dotlock" /* RedHat >= 4.x */ #define HAS_FSYNC #define HAS_DB @@ -56,7 +56,7 @@ Index: src/util/sys_defs.h #define ALIAS_DB_MAP DEF_DB_TYPE ":/etc/aliases" #ifndef NO_NIS #define HAS_NIS -@@ -1204,7 +1204,7 @@ extern int opterr; /* XXX use