Accepting request 1173989 from server:mail

OBS-URL: https://build.opensuse.org/request/show/1173989
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/postfix?expand=0&rev=238

postfix-3.8.6.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:4b6e17c826cc438cc3016a9c0a55ea7e77c6cbafba7dd57241d81b690b0e9774
-size 4873054

postfix-3.8.6.tar.gz.asc

@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v2.0.18 (FreeBSD)
-
-iFcDBQBl5ietDAtZDoDKFacRCohlAP9+xzfCths5ZTBLzZJwDMI8hFS+1oDXOC4C
-1z1Zh0OKtgD/T7DfIIG3MjyGAC/oqUD7ssjUZapz6XRu/fhSiOK1NU8=
-=v0k3
------END PGP SIGNATURE-----

postfix-3.9.0.tar.gz.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.18 (FreeBSD)
+
+iFcDBQBl6JfdDAtZDoDKFacRCspDAP9CWwo61cuT1VgMaP+TrcP5izmrJSRxLMJN
+ubLPqIcYZAD9FM/D0BP7oUAbxDEY5vF3qWiayCJehlEmspmTg+xeYG8=
+=dY5B
+-----END PGP SIGNATURE-----

postfix-bdb.changes

@@ -1,3 +1,91 @@
+-------------------------------------------------------------------
+Thu Mar  7 18:42:30 UTC 2024 - Arjen de Korte <suse+build@de-korte.org>
+
+- update to 3.9.0
+  * As described in DEPRECATION_README, the SMTP server features
+    "permit_naked_ip_address", "check_relay_domains", and
+    "reject_maps_rbl" have been removed, after they have been logging
+    a warning for some 20 years. These features now log a warning
+    and return a "server configuration error" response.
+  * The MySQL client no longer supports MySQL versions < 4.0. MySQL
+    version 4.0 was released in 2003.
+  * As covered in DEPRECATION_README, the configuration parameter
+    "disable_dns_lookup" and about a dozen TLS-related parameters
+    are now officially obsolete. These parameters still work, but
+    the postconf command logs warnings that they will be removed
+    from Postfix.
+  * As covered in DEPRECATION_README, "permit_mx_backup" logs a
+    warning that it will be removed from Postfix.
+  * In message headers, Postfix now formats numerical days as
+    two-digit days, i.e. days 1-9 have a leading zero instead of a
+    leading space. This change was made because the RFC 5322 date
+    and time specification recommends (i.e. SHOULD) that a single
+    space be used in each place that folding white space appears.
+    This change avoids a breaking change in the length of a date
+    string.
+  * The MySQL client default characterset is now configurable with
+    the "charset" configuration file attribute. The default is
+    "utf8mb4", consistent with the MySQL 8.0 built-in default, but
+    different from earlier MySQL versions where the built-in default
+    was "latin1".
+  * Support to query MongoDB databases, contributed by Hamid Maadani,
+    based on earlier code by Stephan Ferraro. See MONGODB_README
+    and mongodb_table(5)
+  * The RFC 3461 envelope ID is now exported in the local(8) delivery
+    agent with the ENVID environment variable, and in the pipe(8)
+    delivery agent with the ${envid} command-line attribute.
+  * Configurable idle and retry timer settings in the mysql: and
+    pgsql: clients. A shorter than default retry timer can sped up
+    the recovery after error, when Postfix is configured with only
+    one server in the "hosts" attribute. After the code was frozen
+    for release, we have learned that Postfix can recover faster
+    from some errors when the single server is specified multiple
+    times in the "hosts" attribute.
+  * Optional Postfix TLS support to request an RFC7250 raw public
+    key instead of an X.509 public-key certificate. The configuration
+    settings for raw key public support will be ignored when there
+    is no raw public key support in the local TLS implementation
+    (i.e. Postfix with OpenSSL versions before 3.2). See RELEASE_NOTES
+    for more information.
+  * Preliminary support for OpenSSL configuration files, primarily
+    OpenSSL 1.1.1b and later. This introduces two new parameters
+    "tls_config_file" and "tls_config_name", which can be used to
+    limit collateral damage from OS distributions that crank up
+    security to 11, increasing the number of plaintext email
+    deliveries. Details are in the postconf(5) manpage under
+    "tls_config_file" and "tls_config_name".
+  * With "smtpd_forbid_unauth_pipelining = yes" (the default),
+    Postfix defends against multiple "blind" SMTP attacks. This
+    feature was back-ported to older stable releases but disabled
+    by default.
+  * With "smtpd_forbid_bare_newline = normalize" (the default)
+    Postfix defends against SMTP smuggling attacks. See RELEASE_NOTES
+    for details. This feature was back-ported to older stable
+    releases but disabled by default.
+  * Prevent outbound SMTP smuggling, where an attacker uses Postfix
+    to send email containing a non-standard End-of-DATA sequence,
+    to exploit inbound SMTP smuggling at a vulnerable remote SMTP
+    server. With "cleanup_replace_stray_cr_lf = yes" (the default),
+    the cleanup daemon replaces each stray <CR> or <LF> character
+    in message content with a space character. This feature was
+    back-ported to older stable releases with identical functionality.
+  * The Postfix DNS client now limits the total size of DNS lookup
+    results to 100 records; it drops the excess records, and logs
+    a warning. This limit is 20x larger than the number of server
+    addresses that the Postfix SMTP client is willing to consider
+    when delivering mail, and is far below the number of records
+    that could cause a tail recursion crash in dns_rr_append() as
+    reported by Toshifumi Sakaguchi. This also introduces a similar
+    limit on the number of DNS requests that a check_*_*_access
+    restriction can make. All this was back-ported to older stable
+    releases with identical functionality.
+- refreshed patch:
+  % postfix-no-md5.patch
+- change obsoleted "disable_dns_lookups" to "smtp_dns_support_level"
+  % postfix-SUSE.tar.gz
+  % postfix-main.cf.patch
+  % postfix-master.cf.patch
+
 -------------------------------------------------------------------
 Tue Mar  5 16:46:16 UTC 2024 - Arjen de Korte <suse+build@de-korte.org>
 

postfix-bdb.spec

@@ -59,7 +59,7 @@
 %endif
 %bcond_without ldap
 Name:           postfix-bdb
-Version:        3.8.6
+Version:        3.9.0
 Release:        0
 Summary:        A fast, secure, and flexible mailer
 License:        EPL-2.0 OR IPL-1.0

postfix-main.cf.patch

@@ -71,7 +71,7 @@ Index: conf/main.cf
 +biff = no
 +content_filter = 
 +delay_warning_time = 0h
-+disable_dns_lookups = no
++smtp_dns_support_level = enabled
 +disable_mime_output_conversion = no
 +disable_vrfy_command = yes
 +inet_interfaces = all

postfix-master.cf.patch

@@ -9,7 +9,7 @@ Index: conf/master.cf
 +#amavis    unix  -       -       n       -       4       smtp
 +#  -o smtp_data_done_timeout=1200
 +#  -o smtp_send_xforward_command=yes
-+#  -o disable_dns_lookups=yes
++#  -o smtp_dns_support_level=disabled
 +#  -o max_use=20
  #smtp      inet  n       -       n       -       1       postscreen
  #smtpd     pass  -       -       n       -       -       smtpd

postfix-no-md5.patch

@@ -2,7 +2,7 @@ Index: src/global/mail_params.h
 ===================================================================
 --- src/global/mail_params.h.orig
 +++ src/global/mail_params.h
-@@ -1387,7 +1387,7 @@ extern char *var_smtpd_tls_mand_excl;
+@@ -1391,7 +1391,7 @@ extern char *var_smtpd_tls_mand_excl;
  
  #define VAR_SMTPD_TLS_FPT_DGST	"smtpd_tls_fingerprint_digest"
  #define DEF_SMTPD_TLS_FPT_DGST	"${{$compatibility_level} <level {3.6} ? " \
@@ -11,7 +11,7 @@ Index: src/global/mail_params.h
  extern char *var_smtpd_tls_fpt_dgst;
  
  #define VAR_SMTPD_TLS_512_FILE	"smtpd_tls_dh512_param_file"
-@@ -1549,10 +1549,10 @@ extern char *var_smtp_tls_mand_excl;
+@@ -1553,10 +1553,10 @@ extern char *var_smtp_tls_mand_excl;
  
  #define VAR_SMTP_TLS_FPT_DGST	"smtp_tls_fingerprint_digest"
  #define DEF_SMTP_TLS_FPT_DGST	"${{$compatibility_level} <level {3.6} ? " \
@@ -23,4 +23,4 @@ Index: src/global/mail_params.h
 +                                "{sha1} : {sha256}}"
  extern char *var_smtp_tls_fpt_dgst;
  
- #define VAR_SMTP_TLS_TAFILE	"smtp_tls_trust_anchor_file"
+ #define VAR_SMTP_TLS_ENABLE_RPK	"smtp_tls_enable_rpk"

postfix.changes

@@ -3,6 +3,94 @@ Fri Apr  5 01:44:30 UTC 2024 - Georg Pfuetzenreuter <mail+rpm@georg-pfuetzenreut
 
 - Move qshape(1) out of -doc, install it as a binary with the main package
 
+-------------------------------------------------------------------
+Thu Mar  7 18:42:30 UTC 2024 - Arjen de Korte <suse+build@de-korte.org>
+
+- update to 3.9.0
+  * As described in DEPRECATION_README, the SMTP server features
+    "permit_naked_ip_address", "check_relay_domains", and
+    "reject_maps_rbl" have been removed, after they have been logging
+    a warning for some 20 years. These features now log a warning
+    and return a "server configuration error" response.
+  * The MySQL client no longer supports MySQL versions < 4.0. MySQL
+    version 4.0 was released in 2003.
+  * As covered in DEPRECATION_README, the configuration parameter
+    "disable_dns_lookup" and about a dozen TLS-related parameters
+    are now officially obsolete. These parameters still work, but
+    the postconf command logs warnings that they will be removed
+    from Postfix.
+  * As covered in DEPRECATION_README, "permit_mx_backup" logs a
+    warning that it will be removed from Postfix.
+  * In message headers, Postfix now formats numerical days as
+    two-digit days, i.e. days 1-9 have a leading zero instead of a
+    leading space. This change was made because the RFC 5322 date
+    and time specification recommends (i.e. SHOULD) that a single
+    space be used in each place that folding white space appears.
+    This change avoids a breaking change in the length of a date
+    string.
+  * The MySQL client default characterset is now configurable with
+    the "charset" configuration file attribute. The default is
+    "utf8mb4", consistent with the MySQL 8.0 built-in default, but
+    different from earlier MySQL versions where the built-in default
+    was "latin1".
+  * Support to query MongoDB databases, contributed by Hamid Maadani,
+    based on earlier code by Stephan Ferraro. See MONGODB_README
+    and mongodb_table(5)
+  * The RFC 3461 envelope ID is now exported in the local(8) delivery
+    agent with the ENVID environment variable, and in the pipe(8)
+    delivery agent with the ${envid} command-line attribute.
+  * Configurable idle and retry timer settings in the mysql: and
+    pgsql: clients. A shorter than default retry timer can sped up
+    the recovery after error, when Postfix is configured with only
+    one server in the "hosts" attribute. After the code was frozen
+    for release, we have learned that Postfix can recover faster
+    from some errors when the single server is specified multiple
+    times in the "hosts" attribute.
+  * Optional Postfix TLS support to request an RFC7250 raw public
+    key instead of an X.509 public-key certificate. The configuration
+    settings for raw key public support will be ignored when there
+    is no raw public key support in the local TLS implementation
+    (i.e. Postfix with OpenSSL versions before 3.2). See RELEASE_NOTES
+    for more information.
+  * Preliminary support for OpenSSL configuration files, primarily
+    OpenSSL 1.1.1b and later. This introduces two new parameters
+    "tls_config_file" and "tls_config_name", which can be used to
+    limit collateral damage from OS distributions that crank up
+    security to 11, increasing the number of plaintext email
+    deliveries. Details are in the postconf(5) manpage under
+    "tls_config_file" and "tls_config_name".
+  * With "smtpd_forbid_unauth_pipelining = yes" (the default),
+    Postfix defends against multiple "blind" SMTP attacks. This
+    feature was back-ported to older stable releases but disabled
+    by default.
+  * With "smtpd_forbid_bare_newline = normalize" (the default)
+    Postfix defends against SMTP smuggling attacks. See RELEASE_NOTES
+    for details. This feature was back-ported to older stable
+    releases but disabled by default.
+  * Prevent outbound SMTP smuggling, where an attacker uses Postfix
+    to send email containing a non-standard End-of-DATA sequence,
+    to exploit inbound SMTP smuggling at a vulnerable remote SMTP
+    server. With "cleanup_replace_stray_cr_lf = yes" (the default),
+    the cleanup daemon replaces each stray <CR> or <LF> character
+    in message content with a space character. This feature was
+    back-ported to older stable releases with identical functionality.
+  * The Postfix DNS client now limits the total size of DNS lookup
+    results to 100 records; it drops the excess records, and logs
+    a warning. This limit is 20x larger than the number of server
+    addresses that the Postfix SMTP client is willing to consider
+    when delivering mail, and is far below the number of records
+    that could cause a tail recursion crash in dns_rr_append() as
+    reported by Toshifumi Sakaguchi. This also introduces a similar
+    limit on the number of DNS requests that a check_*_*_access
+    restriction can make. All this was back-ported to older stable
+    releases with identical functionality.
+- refreshed patch:
+  % postfix-no-md5.patch
+- change obsoleted "disable_dns_lookups" to "smtp_dns_support_level"
+  % postfix-SUSE.tar.gz
+  % postfix-main.cf.patch
+  % postfix-master.cf.patch
+
 -------------------------------------------------------------------
 Tue Mar  5 16:46:16 UTC 2024 - Arjen de Korte <suse+build@de-korte.org>
 

postfix.spec

@@ -46,7 +46,7 @@
 %endif
 %bcond_without ldap
 Name:           postfix
-Version:        3.8.6
+Version:        3.9.0
 Release:        0
 Summary:        A fast, secure, and flexible mailer
 License:        EPL-2.0 OR IPL-1.0