diff --git a/postfix-3.8.6.tar.gz b/postfix-3.8.6.tar.gz deleted file mode 100644 index fdd358c..0000000 --- a/postfix-3.8.6.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:4b6e17c826cc438cc3016a9c0a55ea7e77c6cbafba7dd57241d81b690b0e9774 -size 4873054 diff --git a/postfix-3.8.6.tar.gz.asc b/postfix-3.8.6.tar.gz.asc deleted file mode 100644 index ffabfc4..0000000 --- a/postfix-3.8.6.tar.gz.asc +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v2.0.18 (FreeBSD) - -iFcDBQBl5ietDAtZDoDKFacRCohlAP9+xzfCths5ZTBLzZJwDMI8hFS+1oDXOC4C -1z1Zh0OKtgD/T7DfIIG3MjyGAC/oqUD7ssjUZapz6XRu/fhSiOK1NU8= -=v0k3 ------END PGP SIGNATURE----- diff --git a/postfix-3.9.0.tar.gz b/postfix-3.9.0.tar.gz new file mode 100644 index 0000000..314468b --- /dev/null +++ b/postfix-3.9.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:56f5e420e7c25455a4e96c19b672f80f9a0a35fb5becc9247c9e3d5dcc617f34 +size 4953133 diff --git a/postfix-3.9.0.tar.gz.asc b/postfix-3.9.0.tar.gz.asc new file mode 100644 index 0000000..1d8b99b --- /dev/null +++ b/postfix-3.9.0.tar.gz.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.18 (FreeBSD) + +iFcDBQBl6JfdDAtZDoDKFacRCspDAP9CWwo61cuT1VgMaP+TrcP5izmrJSRxLMJN +ubLPqIcYZAD9FM/D0BP7oUAbxDEY5vF3qWiayCJehlEmspmTg+xeYG8= +=dY5B +-----END PGP SIGNATURE----- diff --git a/postfix-SUSE.tar.gz b/postfix-SUSE.tar.gz index 53b0d18..8d29432 100644 --- a/postfix-SUSE.tar.gz +++ b/postfix-SUSE.tar.gz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:8b7a3bb2858ad845ca66466645a3a11e503864d2290797f0fc0a338045c886c1 -size 25320 +oid sha256:e821768e6588644218eba31183d4af029deac8693b7df03a3903a4aa31868c8f +size 23874 diff --git a/postfix-bdb.changes b/postfix-bdb.changes index c5d76bc..01c8e8a 100644 --- a/postfix-bdb.changes +++ b/postfix-bdb.changes 
@@ -1,3 +1,91 @@ +------------------------------------------------------------------- +Thu Mar 7 18:42:30 UTC 2024 - Arjen de Korte + +- update to 3.9.0 + * As described in DEPRECATION_README, the SMTP server features + "permit_naked_ip_address", "check_relay_domains", and + "reject_maps_rbl" have been removed, after they have been logging + a warning for some 20 years. These features now log a warning + and return a "server configuration error" response. + * The MySQL client no longer supports MySQL versions < 4.0. MySQL + version 4.0 was released in 2003. + * As covered in DEPRECATION_README, the configuration parameter + "disable_dns_lookup" and about a dozen TLS-related parameters + are now officially obsolete. These parameters still work, but + the postconf command logs warnings that they will be removed + from Postfix. + * As covered in DEPRECATION_README, "permit_mx_backup" logs a + warning that it will be removed from Postfix. + * In message headers, Postfix now formats numerical days as + two-digit days, i.e. days 1-9 have a leading zero instead of a + leading space. This change was made because the RFC 5322 date + and time specification recommends (i.e. SHOULD) that a single + space be used in each place that folding white space appears. + This change avoids a breaking change in the length of a date + string. + * The MySQL client default characterset is now configurable with + the "charset" configuration file attribute. The default is + "utf8mb4", consistent with the MySQL 8.0 built-in default, but + different from earlier MySQL versions where the built-in default + was "latin1". + * Support to query MongoDB databases, contributed by Hamid Maadani, + based on earlier code by Stephan Ferraro. See MONGODB_README + and mongodb_table(5) + * The RFC 3461 envelope ID is now exported in the local(8) delivery + agent with the ENVID environment variable, and in the pipe(8) + delivery agent with the ${envid} command-line attribute. 
+ * Configurable idle and retry timer settings in the mysql: and + pgsql: clients. A shorter than default retry timer can sped up + the recovery after error, when Postfix is configured with only + one server in the "hosts" attribute. After the code was frozen + for release, we have learned that Postfix can recover faster + from some errors when the single server is specified multiple + times in the "hosts" attribute. + * Optional Postfix TLS support to request an RFC7250 raw public + key instead of an X.509 public-key certificate. The configuration + settings for raw key public support will be ignored when there + is no raw public key support in the local TLS implementation + (i.e. Postfix with OpenSSL versions before 3.2). See RELEASE_NOTES + for more information. + * Preliminary support for OpenSSL configuration files, primarily + OpenSSL 1.1.1b and later. This introduces two new parameters + "tls_config_file" and "tls_config_name", which can be used to + limit collateral damage from OS distributions that crank up + security to 11, increasing the number of plaintext email + deliveries. Details are in the postconf(5) manpage under + "tls_config_file" and "tls_config_name". + * With "smtpd_forbid_unauth_pipelining = yes" (the default), + Postfix defends against multiple "blind" SMTP attacks. This + feature was back-ported to older stable releases but disabled + by default. + * With "smtpd_forbid_bare_newline = normalize" (the default) + Postfix defends against SMTP smuggling attacks. See RELEASE_NOTES + for details. This feature was back-ported to older stable + releases but disabled by default. + * Prevent outbound SMTP smuggling, where an attacker uses Postfix + to send email containing a non-standard End-of-DATA sequence, + to exploit inbound SMTP smuggling at a vulnerable remote SMTP + server. With "cleanup_replace_stray_cr_lf = yes" (the default), + the cleanup daemon replaces each stray or character + in message content with a space character. 
This feature was + back-ported to older stable releases with identical functionality. + * The Postfix DNS client now limits the total size of DNS lookup + results to 100 records; it drops the excess records, and logs + a warning. This limit is 20x larger than the number of server + addresses that the Postfix SMTP client is willing to consider + when delivering mail, and is far below the number of records + that could cause a tail recursion crash in dns_rr_append() as + reported by Toshifumi Sakaguchi. This also introduces a similar + limit on the number of DNS requests that a check_*_*_access + restriction can make. All this was back-ported to older stable + releases with identical functionality. +- refreshed patch: + % postfix-no-md5.patch +- change obsoleted "disable_dns_lookups" to "smtp_dns_support_level" + % postfix-SUSE.tar.gz + % postfix-main.cf.patch + % postfix-master.cf.patch + ------------------------------------------------------------------- Tue Mar 5 16:46:16 UTC 2024 - Arjen de Korte diff --git a/postfix-bdb.spec b/postfix-bdb.spec index 6cf8eb0..8fd7c68 100644 --- a/postfix-bdb.spec +++ b/postfix-bdb.spec @@ -59,7 +59,7 @@ %endif %bcond_without ldap Name: postfix-bdb -Version: 3.8.6 +Version: 3.9.0 Release: 0 Summary: A fast, secure, and flexible mailer License: EPL-2.0 OR IPL-1.0 diff --git a/postfix-main.cf.patch b/postfix-main.cf.patch index d8c0571..ce30c23 100644 --- a/postfix-main.cf.patch +++ b/postfix-main.cf.patch @@ -71,7 +71,7 @@ Index: conf/main.cf +biff = no +content_filter = +delay_warning_time = 0h -+disable_dns_lookups = no ++smtp_dns_support_level = enabled +disable_mime_output_conversion = no +disable_vrfy_command = yes +inet_interfaces = all diff --git a/postfix-master.cf.patch b/postfix-master.cf.patch index 92be2b9..d69a20e 100644 --- a/postfix-master.cf.patch +++ b/postfix-master.cf.patch 
@@ -9,7 +9,7 @@ Index: conf/master.cf +#amavis unix - - n - 4 smtp +# -o smtp_data_done_timeout=1200 +# -o smtp_send_xforward_command=yes -+# -o disable_dns_lookups=yes ++# -o smtp_dns_support_level=disabled +# -o max_use=20 #smtp inet n - n - 1 postscreen #smtpd pass - - n - - smtpd diff --git a/postfix-no-md5.patch b/postfix-no-md5.patch index 572cc06..c36ca1c 100644 --- a/postfix-no-md5.patch +++ b/postfix-no-md5.patch 
@@ -2,7 +2,7 @@ Index: src/global/mail_params.h =================================================================== --- src/global/mail_params.h.orig +++ src/global/mail_params.h -@@ -1387,7 +1387,7 @@ extern char *var_smtpd_tls_mand_excl; +@@ -1391,7 +1391,7 @@ extern char *var_smtpd_tls_mand_excl; #define VAR_SMTPD_TLS_FPT_DGST "smtpd_tls_fingerprint_digest" #define DEF_SMTPD_TLS_FPT_DGST "${{$compatibility_level} + +- update to 3.9.0 + * As described in DEPRECATION_README, the SMTP server features + "permit_naked_ip_address", "check_relay_domains", and + "reject_maps_rbl" have been removed, after they have been logging + a warning for some 20 years. These features now log a warning + and return a "server configuration error" response. + * The MySQL client no longer supports MySQL versions < 4.0. MySQL + version 4.0 was released in 2003. + * As covered in DEPRECATION_README, the configuration parameter + "disable_dns_lookup" and about a dozen TLS-related parameters + are now officially obsolete. These parameters still work, but + the postconf command logs warnings that they will be removed + from Postfix. + * As covered in DEPRECATION_README, "permit_mx_backup" logs a + warning that it will be removed from Postfix. + * In message headers, Postfix now formats numerical days as + two-digit days, i.e. days 1-9 have a leading zero instead of a + leading space. This change was made because the RFC 5322 date + and time specification recommends (i.e. SHOULD) that a single + space be used in each place that folding white space appears. + This change avoids a breaking change in the length of a date + string. + * The MySQL client default characterset is now configurable with + the "charset" configuration file attribute. The default is + "utf8mb4", consistent with the MySQL 8.0 built-in default, but + different from earlier MySQL versions where the built-in default + was "latin1". 
+ * Support to query MongoDB databases, contributed by Hamid Maadani, + based on earlier code by Stephan Ferraro. See MONGODB_README + and mongodb_table(5) + * The RFC 3461 envelope ID is now exported in the local(8) delivery + agent with the ENVID environment variable, and in the pipe(8) + delivery agent with the ${envid} command-line attribute. + * Configurable idle and retry timer settings in the mysql: and + pgsql: clients. A shorter than default retry timer can sped up + the recovery after error, when Postfix is configured with only + one server in the "hosts" attribute. After the code was frozen + for release, we have learned that Postfix can recover faster + from some errors when the single server is specified multiple + times in the "hosts" attribute. + * Optional Postfix TLS support to request an RFC7250 raw public + key instead of an X.509 public-key certificate. The configuration + settings for raw key public support will be ignored when there + is no raw public key support in the local TLS implementation + (i.e. Postfix with OpenSSL versions before 3.2). See RELEASE_NOTES + for more information. + * Preliminary support for OpenSSL configuration files, primarily + OpenSSL 1.1.1b and later. This introduces two new parameters + "tls_config_file" and "tls_config_name", which can be used to + limit collateral damage from OS distributions that crank up + security to 11, increasing the number of plaintext email + deliveries. Details are in the postconf(5) manpage under + "tls_config_file" and "tls_config_name". + * With "smtpd_forbid_unauth_pipelining = yes" (the default), + Postfix defends against multiple "blind" SMTP attacks. This + feature was back-ported to older stable releases but disabled + by default. + * With "smtpd_forbid_bare_newline = normalize" (the default) + Postfix defends against SMTP smuggling attacks. See RELEASE_NOTES + for details. This feature was back-ported to older stable + releases but disabled by default. 
+ * Prevent outbound SMTP smuggling, where an attacker uses Postfix + to send email containing a non-standard End-of-DATA sequence, + to exploit inbound SMTP smuggling at a vulnerable remote SMTP + server. With "cleanup_replace_stray_cr_lf = yes" (the default), + the cleanup daemon replaces each stray or character + in message content with a space character. This feature was + back-ported to older stable releases with identical functionality. + * The Postfix DNS client now limits the total size of DNS lookup + results to 100 records; it drops the excess records, and logs + a warning. This limit is 20x larger than the number of server + addresses that the Postfix SMTP client is willing to consider + when delivering mail, and is far below the number of records + that could cause a tail recursion crash in dns_rr_append() as + reported by Toshifumi Sakaguchi. This also introduces a similar + limit on the number of DNS requests that a check_*_*_access + restriction can make. All this was back-ported to older stable + releases with identical functionality. +- refreshed patch: + % postfix-no-md5.patch +- change obsoleted "disable_dns_lookups" to "smtp_dns_support_level" + % postfix-SUSE.tar.gz + % postfix-main.cf.patch + % postfix-master.cf.patch + ------------------------------------------------------------------- Tue Mar 5 16:46:16 UTC 2024 - Arjen de Korte diff --git a/postfix.spec b/postfix.spec index bb93768..4fe1c74 100644 --- a/postfix.spec +++ b/postfix.spec @@ -46,7 +46,7 @@ %endif %bcond_without ldap Name: postfix -Version: 3.8.6 +Version: 3.9.0 Release: 0 Summary: A fast, secure, and flexible mailer License: EPL-2.0 OR IPL-1.0
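Review bot: The 3.9.0 entry added to postfix-bdb.changes and postfix.changes has copy errors that should be fixed in both files before merge. The bullet on obsolete parameters names "disable_dns_lookup", while the packaging line at the end of the same entry and the postfix-main.cf.patch hunk use "disable_dns_lookups". The cleanup_replace_stray_cr_lf bullet reads "replaces each stray or character", so the two character names have dropped out of the sentence (the parameter name points to CR and LF). "can sped up" should be "can speed up", and "raw key public support" should be "raw public key support".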
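Review bot: Only the shipped templates are migrated in the postfix-main.cf.patch and postfix-master.cf.patch hunks, and the .changes entry gives admins with an existing configuration no migration hint. The sense inversion itself is right ("disable_dns_lookups = no" becomes "smtp_dns_support_level = enabled", "=yes" becomes "=disabled"). The same entry states that the obsolete parameters still work but that postconf logs warnings, so a main.cf that still carries disable_dns_lookups will produce those warnings after the update. Suggest adding one line to the packaging part of the entry naming the replacement and the value mapping. Also confirm that nothing inside postfix-SUSE.tar.gz still writes the old name; only its LFS pointer is visible here, so that cannot be checked from this diff.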
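Review bot: Nothing in the postfix-3.9.0.tar.gz and postfix-3.9.0.tar.gz.asc hunks shows that the new source was verified. The diff carries only a git-lfs pointer (oid and size) plus a replaced detached signature, and no keyring file is touched. Please confirm in the submission that the fetched tarball hashes to the pointer's sha256 oid and that the new .asc verifies against the signing key already shipped with the package. The same applies to postfix-SUSE.tar.gz, whose oid and size change without any visible content to review.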