Accepting request 1328660 from server:mail

- Do not strip binaries at all - also drop " -s " from the CCARGS to prevent stripping there - Re-add dropped change: - fix postfix-SUSE.tar.gz, postfix.service: correct path for postalias from /sbin/postalias to /usr/sbin/postalias - Don't fail strip on non-existing files (easy hack to fix 32bit builds). - Do not strip binaries at all - also drop " -s " from the CCARGS to prevent stripping there - Re-add dropped change: - fix postfix-SUSE.tar.gz, postfix.service: correct path for postalias from /sbin/postalias to /usr/sbin/postalias OBS-URL: https://build.opensuse.org/request/show/1328660 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/postfix?expand=0&rev=261
- also drop " -s " from the CCARGS to prevent stripping there
2026-01-23 16:31:48 +00:00 · 2026-01-22 11:10:32 +00:00 · 2026-01-22 11:00:33 +00:00 · 2026-01-22 10:14:57 +00:00 · 2026-01-21 13:14:31 +00:00 · 2026-01-21 07:51:19 +00:00
13 changed files with 553 additions and 814 deletions
--- a/postfix-3.10.2.tar.gz
+++ b/postfix-3.10.2.tar.gz
--- a/postfix-3.10.2.tar.gz.asc
+++ b/postfix-3.10.2.tar.gz.asc
@@ -1,7 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-Version: GnuPG v2.0.18 (FreeBSD)
-
-iFcDBQBoB7V0DAtZDoDKFacRCtBTAP4tSllCanz2DDPS17OywzKRFJVuAiwQFvcD
-PJjWrKThfwD/XFWunMe3Qk79l3upuATtSAtemqlAechhDjkjsRQJKPY=
-=n2hW
-----END PGP SIGNATURE-----
--- a/postfix-3.10.7.tar.gz
+++ b/postfix-3.10.7.tar.gz
--- a/postfix-3.10.7.tar.gz.asc
+++ b/postfix-3.10.7.tar.gz.asc
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.18 (FreeBSD)
+
+iFcDBQBpM0kEDAtZDoDKFacRCpXhAP9LqN+e+DquBEfUO5L4F/yDBHQZ/DWM4BqV
+cihSYdgvEAD/a4xi/SWHJKlRzfOkgcMQaGgqLI0YP5RYgsIyLiwrD6Y=
+=ZTYZ
+-----END PGP SIGNATURE-----
--- a/postfix-SUSE.tar.gz
+++ b/postfix-SUSE.tar.gz
--- a/postfix-bdb-main.cf.patch
+++ b/postfix-bdb-main.cf.patch
@@ -1,171 +0,0 @@
--- conf/main.cf.orig	2025-05-21 13:20:29.531943251 +0200
-+++ conf/main.cf	2025-05-21 13:30:34.282414688 +0200
-@@ -576,6 +576,7 @@ unknown_local_recipient_reject_code = 55
- #
- #smtpd_banner = $myhostname ESMTP $mail_name
- #smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
-+smtpd_banner = $myhostname ESMTP
- 
- # PARALLEL DELIVERY TO THE SAME DESTINATION
- #
-@@ -682,4 +683,160 @@ sample_directory =
- # readme_directory: The location of the Postfix README files.
- #
- readme_directory =
-+
-+############################################################
-+#
-+# before changing values manually consider editing
-+#  /etc/sysconfig/postfix
-+# and run
-+#  config.postfix
-+#
-+# if you miss a feature of config.postfix then just send a
-+# mail to chris@computersalat.de
-+# patches for new feature(s) are also welcome :)
-+#
-+############################################################
-+
-+biff = no
-+content_filter = 
-+delay_warning_time = 0h
-+disable_dns_lookups = no
-+disable_mime_output_conversion = no
-+disable_vrfy_command = yes
-+inet_interfaces = all
- inet_protocols = ipv4
-+masquerade_classes = envelope_sender, header_sender, header_recipient
-+masquerade_domains = 
-+masquerade_exceptions = 
-+mydestination = $myhostname, localhost.$mydomain, localhost
-+mynetworks_style = subnet
-+relayhost = 
-+
-+alias_maps = 
-+canonical_maps = 
-+relocated_maps = 
-+sender_canonical_maps = 
-+transport_maps = 
-+mail_spool_directory = /var/mail 
-+message_strip_characters = 
-+defer_transports = 
-+mailbox_command = 
-+mailbox_transport = 
-+mailbox_size_limit = 0
-+message_size_limit = 0
-+strict_8bitmime = no
-+strict_rfc821_envelopes = no
-+smtpd_delay_reject = yes
-+smtpd_helo_required = no
-+
-+smtpd_client_restrictions = 
-+
-+smtpd_helo_restrictions = 
-+
-+smtpd_sender_restrictions = 
-+
-+smtpd_recipient_restrictions = 
-+
-+
-+######################################################################
-+# SMTP Smuggling (CVE-2023-51764)
-+# no: allows SMTP smuggling
-+# yes / normalize : 
-+#   but allow local clients with non-standard SMTP implementations
-+#   such as netcat, fax machines, or load balancer health checks.
-+# reject: 
-+#   rejects a command or message that contains a bare newline
-+######################################################################
-+smtpd_forbid_bare_newline = normalize
-+smtpd_forbid_bare_newline_exclusions = $mynetworks
-+#smtpd_forbid_bare_newline_reject_code = 521
-+
-+############################################################
-+# SASL stuff
-+############################################################
-+smtp_sasl_auth_enable = no
-+smtp_sasl_security_options = 
-+smtp_sasl_password_maps = 
-+smtpd_sasl_auth_enable = no
-+# cyrus   : smtpd_sasl_type = cyrus
-+#           smtpd_sasl_path = smtpd
-+# dovecot : smtpd_sasl_type = dovecot
-+#           smtpd_sasl_path = private/auth
-+smtpd_sasl_type = cyrus
-+smtpd_sasl_path = smtpd
-+############################################################
-+# TLS stuff
-+############################################################
-+#tls_append_default_CA = no
-+relay_clientcerts = 
-+#tls_random_source = dev:/dev/urandom
-+
-+#smtp_tls_loglevel = 0
-+smtp_tls_security_level = 
-+smtp_tls_CAfile = 
-+smtp_tls_CApath = 
-+smtp_tls_cert_file = 
-+smtp_tls_key_file = 
-+#smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
-+#smtp_tls_session_cache_timeout = 3600s
-+smtp_tls_session_cache_database = 
-+
-+#smtpd_tls_loglevel = 0
-+smtpd_tls_security_level = 
-+smtpd_tls_CAfile = 
-+smtpd_tls_CApath = 
-+smtpd_tls_cert_file = 
-+smtpd_tls_key_file = 
-+smtpd_tls_ask_ccert = no
-+smtpd_tls_exclude_ciphers = RC4
-+smtpd_tls_received_header = no
-+############################################################
-+# OpenDKIM
-+############################################################
-+#smtpd_milters = unix:/run/opendkim/opendkim.sock
-+#non_smtpd_milters = $smtpd_milters
-+#milter_default_action = accept
-+#milter_protocol = 2
-+############################################################
-+# Start MySQL from postfixwiki.org
-+############################################################
-+relay_domains = $mydestination, hash:/etc/postfix/relay
-+#relay_recipient_maps = hash:/etc/postfix/relay_recipients
-+#virtual_alias_domains = 
-+#virtual_alias_maps = hash:/etc/postfix/virtual
-+#virtual_uid_maps = static:303
-+#virtual_gid_maps = static:303
-+#virtual_minimum_uid = 303
-+#virtual_mailbox_base = /srv/maildirs
-+#virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
-+#virtual_mailbox_limit = 0
-+#virtual_mailbox_limit_inbox = no
-+#virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
-+## For dovecot LMTP replace 'virtual' with 'lmtp:unix:private/lmtp-dovecot'
-+#virtual_transport = virtual
-+## Additional for quota support
-+#virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
-+#virtual_mailbox_limit_override = yes
-+### Needs Maildir++ compatible IMAP servers, like Courier-IMAP
-+#virtual_maildir_filter = yes
-+#virtual_maildir_filter_maps = hash:/etc/postfix/vfilter
-+#virtual_maildir_limit_message = Sorry, the user's maildir has overdrawn his diskspace quota, please try again later.
-+#virtual_maildir_limit_message_maps = hash:/etc/postfix/vmsg
-+#virtual_overquota_bounce = yes
-+#virtual_trash_count = yes
-+#virtual_trash_name = ".Trash"
-+############################################################
-+# End MySQL from postfixwiki.org
-+############################################################
-+# Rewrite reject codes
-+############################################################
-+#unknown_address_reject_code = 550
-+#unknown_client_reject_code = 550
-+#unknown_hostname_reject_code = 550
-+#unverified_recipient_reject_code = 550
-+#unverified_sender_reject_code = 550
-+#soft_bounce = yes
-+############################################################
-+#debug_peer_list = example.com
-+#debug_peer_level = 3
-+
--- a/postfix-bdb.changes
+++ b/postfix-bdb.changes
@@ -1,3 +1,236 @@
+-------------------------------------------------------------------
+Thu Jan 22 10:59:46 UTC 2026 - Marcus Rueckert <mrueckert@suse.de>
+
+- Do not strip binaries at all
+- also drop " -s " from the CCARGS to prevent stripping there
+
+-------------------------------------------------------------------
+Thu Jan 22 10:09:40 UTC 2026 - Ana Guerrero <ana.guerrero@suse.com>
+
+- Re-add dropped change:
+- fix postfix-SUSE.tar.gz, postfix.service: correct path for postalias
+  from /sbin/postalias to /usr/sbin/postalias
+
+-------------------------------------------------------------------
+Wed Jan 21 07:33:02 UTC 2026 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Don't fail strip on non-existing files (easy hack to fix 32bit
+  builds).
+
+-------------------------------------------------------------------
+Thu Jan 15 17:53:42 UTC 2026 - Peter Varkoly <varkoly@suse.com>
+
+- fix (bsc#1256462) [Build 12.10] openQA test fails in mta: Failed to start postfix.service
+  Remove postfix set-permisson from all spaces
+- Strip binaries
+
+-------------------------------------------------------------------
+Tue Jan 13 20:27:51 UTC 2026 - Peter Varkoly <varkoly@suse.com>
+
+- fix (bsc#1256462) [Build 12.10] openQA test fails in mta: Failed to start postfix.service
+  Put postfix set-permisson into %post
+
+-------------------------------------------------------------------
+Sun Dec 21 20:53:29 UTC 2025 - Peter Varkoly <varkoly@suse.com>
+
+- (jsc#PED-14859) Fix packages for Immutable Mode - postfix
+
+-------------------------------------------------------------------
+Sun Dec 14 18:45:30 UTC 2025 - Peter Varkoly <varkoly@suse.com>
+
+- Put /etc/permissions.d/postfix.paranoid into the postfix-SUSE.tar.gz
+
+-------------------------------------------------------------------
+Thu Dec 11 13:08:02 UTC 2025 - Stefan Botter <obs@botter.cc>
+
+- fix postfix-SUSE.tar.gz, postfix.service: correct path for postalias
+  from /sbin/postalias to /usr/sbin/postalias
+
+-------------------------------------------------------------------
+Wed Dec 10 20:00:47 UTC 2025 - Arjen de Korte <suse+build@de-korte.org>
+
+- update to 3.10.7
+  * This patch addresses build errors on recent Linux distributions.
+    With the patch, Postfix builds will run the compiler with a
+    backwards compatibility option that is supported by Gcc and Clang.
+    For other compilers, an error message provides hints.
+
+-------------------------------------------------------------------
+Wed Dec 10 14:35:46 UTC 2025 - Wolfgang Frisch <wolfgang.frisch@suse.com>
+
+- Add /var/spool/mail to the permissions.d drop-in. This directory used to be
+  whitelisted globally in the permissions package but an update for the exim
+  mail server changed that (bsc#1254597 bsc#1240755).
+- Reintroduce permissions.d/postfix-paranoid drop-in that was removed in r534.
+
+-------------------------------------------------------------------
+Fri Dec  5 09:37:39 UTC 2025 - Peter Varkoly <varkoly@suse.com>
+
+- postfix is unable to send mail by default (bsc#1253775)
+  o Clean up the package
+    * Get rid of config.postfix script to avoid unintentional changes
+      of the configuration. The sysconfig files mail and postfix
+      were removed also.
+    * Deliver the original main.cf and master.cf
+    * Remove a lot of deprecated stuff from the package.
+    * Remove the ExecStartPre scripts to maintain the postmaps
+      and the chroot environment.
+    * A new ExecStartPre script manages the default alias map which
+      is part of the default configuration of postfix.
+      /sbin/postalias /etc/aliases
+    * Do not use the permissions framework. A new ExecStartPre script
+      takes care of the right permissions: /usr/sbin/postfix set-permissions
+    * Remove mkpostfixcert
+  o Remove patches:
+    * postfix-master.cf.patch
+    * postfix-main.cf.patch
+    * postfix-bdb-main.cf.patch
+
+-------------------------------------------------------------------
+Wed Nov 26 19:27:24 UTC 2025 - Arjen de Korte <suse+build@de-korte.org>
+
+- update to 3.10.6
+  * Bugfix (defect introduced: Postfix 3.10, date: 20250117).
+    Symptom: warning messages that smtp_tls_wrappermode requires
+    "smtp_tls_security_level = encrypt".
+    Root cause: support for "TLS-Required: no" broke client-side
+    TLS wrappermode support, by downgrading a connection to TLS
+    security level 'may'.
+    The fix changes the downgrade level for wrappermode connections
+    to 'encrypt'. Rationale: by design, TLS can be optional only
+    for connections that use STARTTLS. The downgrade to unauthenticated
+    'encrypt' allows a sender to avoid an email delivery problem.
+    Problem reported by Joshua Tyler Cochran.
+  * New logging: the Postfix SMTP client will log a warning when
+    an MX hostname does not match STS policy MX patterns, with
+    "smtp_tls_enforce_sts_mx_patterns = yes" in Postfix, and with
+    TLSRPT support enabled in a TLS policy plugin. It will log a
+    successful match only when verbose logging is enabled.
+  * Bugfix (defect introduced: Postfix 3.10, date: 20240902): SMTP
+    client null pointer crash when an STS policy plugin sends no
+    policy_string or no mx_pattern attributes. This can happen only
+    during tests with a fake STS plugin.
+  * Bugfix (defect introduced: Postfix 2.9, date: 20120307): segfault
+    when a duplicate parameter name is given to "postconf -X" or
+    "postconf -#'.
+  * Documentation: removed incorrect text from the parameter
+    description for smtp_cname_overrides_servername. File:
+    proto/postconf.proto.
+
+-------------------------------------------------------------------
+Mon Nov 10 19:31:34 UTC 2025 - Arjen de Korte <suse+build@de-korte.org>
+
+- update to 3.10.5
+  * Workaround for an interface mis-match between the Postfix SMTP
+    client and MTA-STS policy plugins.
+      * The existing behavior is to connect to any MX host listed
+        in DNS, and to match the server certificate against any STS
+        policy MX host pattern.
+      * The corrected behavior is to connect to an MX host only if
+        its name matches any STS policy MX host pattern, and to
+        match the server certificate against the MX hostname.
+    The corrected behavior must be enabled in two places: in Postfix
+    with a new parameter "smtp_tls_enforce_sts_mx_patterns" (default:
+    "yes") and in an MTA-STS plugin by enabling TLSRPT support, so
+    that the plugin forwards STS policy attributes to Postfix. This
+    works even if Postfix TLSRPT support is disabled at build time
+    or at runtime.
+  * TLSRPT Workaround: when a TLSRPT policy-type value is
+    "no-policy-found", pretend that the TLSRPT policy domain value
+    is equal to the recipient domain. This ignores that different
+    policy types (TLSA, STS) use different policy domains. But this
+    is what Microsoft does, and therefore, what other tools expect.
+  * Bugfix (defect introduced: Postfix 3.0): the Postfix SMTP
+    client's connection reuse logic did not distinguish between
+    sessions that require SMTPUTF8 support, and sessions that do
+    not. The solution is 1) to store sessions with different SMTPUTF8
+    requirements under distinct connection cache storage keys, and
+    2) to not cache a connection when SMTPUTF8 is required but the
+    server does not support that feature.
+  * Bugfix (defect introduced: Postfix 3.0, date 20140731): the
+    smtpd 'disconnect' command statistics did not count commands
+    with "bad syntax" and "bad UTF-8 syntax" errors.
+  * Bugfix: the August 2025 patch broke DBM library support which
+    is still needed on Solaris; and the same change could result
+    in warnings with "database X is older than source file Y".
+  * Postfix 3.11 forward compatibility: to avoid ugly warnings when
+    Postfix 3.11 is rolled back to an older version, allow a
+    preliminary 'size' record in maildrop queue files created with
+    Postfix 3.11 or later.
+  * Bugfix (defect introduced: Postfix 3.8, date 20220128):
+    non-reproducible build, because the 'postconf -e' output order
+    for new main.cf entries was no longer deterministic. Problem
+    reported by Oleksandr Natalenko, diagnosis by Eray Aslan.
+  * To make builds predictable, add missing meta_directory and
+    shlib_directory settings to the stock main.cf file. Problem
+    diagnosed by Eray Aslan.
+  * Bugfix (defect introduced: Postfix 3.9, date 20230517):
+    posttls-finger(1) logged an incorrectly-formatted port number.
+    Viktor Dukhovni.
+- rebase postfix-bdb-main.cf.patch
+- adapt rpmlint
+  o dir-or-file-outside-snapshot
+
+-------------------------------------------------------------------
+Tue Aug 19 17:45:58 UTC 2025 - Arjen de Korte <suse+build@de-korte.org>
+
+- update to 3.10.4
+  * Fixes for postscreen(8):
+      - Bugfix (defect introduced: Postfix 2.2, date 20050203): after
+        detecting a lookup table change, and after starting a new
+        postscreen process, the old postscreen process logged an ENOTSOCK
+        error while attempting to accept a connection on a socket that
+        it was no longer listening on. This error was introduced first
+        in the multi_server skeleton code, and was five years later
+        duplicated in the event_server skeleton that was created for
+        postscreen.
+      - Bugfix (defect introduced: Postfix 2.8, date 20101230):
+        after detecting a cache table change and before starting a new
+        postscreen process, the old postscreen process did not close the
+        postscreen_cache_map, and therefore kept an exclusive lock that
+        could prevent a new postscreen process from starting.
+  * Fixes for tlsproxy(8):
+      - Bugfix (defect introduced: Postfix 3.7): incorrect backwards
+        compatible support for the legacy configuration parameters
+        tlsproxy_client_level and tlsproxy_client_policy. This
+        disabled the tlsproxy TLS client role when a legacy parameter
+        was set (instead of the newer tlsproxy_client_security_level
+        or tlsproxy_client_policy_maps).
+      - Bugfix (defect introduced: Postfix 3.4): with the TLS client role
+        disabled by configuration, the tlsproxy daemon dereferenced a
+        null pointer while handling a tlsproxy client request.
+  * Reducing process churn: Postfix daemons no longer automatically
+    restart after a btree:, dbm:, hash:, lmdb:, or sdbm: table file
+    modification time change, when they opened that table for writing.
+  * Portability: deleted an <openssl/engine.h> build dependency,
+    because the feature is being removed from OpenSSL, and Postfix
+    no longer needs it.
+  * Cleanup: with "tls_required_enable = yes", the Postfix SMTP client
+    will no longer maintain TLSRPT statistics for messages that contain
+    a "TLS-Required: no" header. This can prevent TLSRPT notifications
+    for TLSRPT notifications.
+  * Bugfix (defect introduced: Postfix 3.6, date 20200710): Postfix TLS
+    client code logged "Untrusted TLS connection" (wrong) instead of
+    "Trusted TLS connection" (right), for a new or resumed TLS session,
+    when a server offered a trusted (valid PKI trust chain) certificate
+    that did not match the expected server name pattern.
+
+-------------------------------------------------------------------
+Sun Aug  3 20:30:23 UTC 2025 - Arjen de Korte <suse+build@de-korte.org>
+
+- update to 3.10.3
+  * Bugfix (defect introduced: Postfix-3.10, date 20250117): include
+    the current TLS security level in the SMTP connection cache  
+    lookup key for lookups by next-hop destination, to avoid reusing
+    the same SMTP connection when sending messages with and without 
+    a "TLS-Required: no" header. Likewise, include the current TLS 
+    security level in the TLS session lookup key, to avoid reusing
+    the same TLS session info when sending messages with and without
+    a "TLS-Required: no" header.
+  * Bugfix (defect introduced: Postfix-3.10, date 20250117): the  
+    Postfix SMTP client attempted to look up TLSA records even with
+    "TLS-Required: no". This could result in unnecessary failures.
+
 -------------------------------------------------------------------
 Mon Jun  2 10:41:43 UTC 2025 - Peter Varkoly <varkoly@suse.com>

--- a/postfix-bdb.spec
+++ b/postfix-bdb.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package postfix-bdb
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -41,12 +41,7 @@
 %define vmdir                /srv/maildirs
 %endif
 %define mail_group           mail
-%define conf_backup_dir      %{_localstatedir}/adm/backup/postfix
 %define unitdir %{_prefix}/lib/systemd
-#Compat macro for new _fillupdir macro introduced in Nov 2017
-%if ! %{defined _fillupdir}
-  %define _fillupdir %{_localstatedir}/adm/fillup-templates
-%endif
 %if 0%{?suse_version} >= 1320 || ( 0%{?suse_version} == 1315 && 0%{?is_opensuse} )
 %bcond_without lmdb
 %else
@@ -59,7 +54,7 @@
 %endif
 %bcond_without ldap
 Name:           postfix-bdb
-Version:        3.10.2
+Version:        3.10.7
 Release:        0
 Summary:        A fast, secure, and flexible mailer
 License:        EPL-2.0 OR IPL-1.0
@@ -78,8 +73,6 @@ Source13:       postfix-vmail-user.conf
 Patch1:         postfix-no-md5.patch
 Patch2:         pointer_to_literals.patch
 Patch3:         ipv6_disabled.patch
-Patch4:         postfix-bdb-main.cf.patch
-Patch5:         postfix-master.cf.patch
 Patch6:         postfix-linux45.patch
 Patch7:         postfix-ssl-release-buffers.patch
 Patch8:         postfix-vda-v14-3.0.3.patch
@@ -108,8 +101,7 @@ BuildRequires:  zlib-devel
 BuildRequires:  pkgconfig(systemd)
 Requires:       iproute2
 Requires(post): permissions
-Requires(pre):  %fillup_prereq
-Requires(pre):  permissions
+
 Conflicts:      exim
 Conflicts:      postfix
 Conflicts:      sendmail
@@ -133,14 +125,9 @@ Requires(pre):  shadow
 Requires:       /usr/bin/cmp
 # /usr/lib/postfix/bin//post-install: line 667: ed: command not found
 Requires(pre):  /usr/bin/ed
-Requires(preun):/usr/bin/ed
+Requires(preun): /usr/bin/ed
 Requires(post): /usr/bin/ed
-Requires(postun):/usr/bin/ed
-# /usr/sbin/config.postfix needs perl
-Requires(pre):  perl
-Requires(preun):perl
-Requires(post): perl
-Requires(postun):perl
+Requires(postun): /usr/bin/ed

 %description
 Postfix aims to be an alternative to the widely-used sendmail program with bdb support
@@ -172,10 +159,6 @@ unset AUXLIBS AUXLIBS_LDAP AUXLIBS_PCRE AUXLIBS_MYSQL AUXLIBS_PGSQL AUXLIBS_SQLI

 export CCARGS="${CCARGS} %{optflags} -fcommon -Wno-comments -Wno-missing-braces -fPIC"

-%if 0%{?suse_version} >= 1600
-export CCARGS="${CCARGS} -std=gnu17"
-%endif
-
 %ifarch s390 s390x ppc
 export CCARGS="${CCARGS} -fsigned-char"
 %endif
@@ -266,6 +249,8 @@ cp lib/libpostfix-*  %{buildroot}/%{_libdir}
 export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:%{buildroot}/%{_libdir}
 sh postfix-install -non-interactive \
       install_root=%{buildroot} \
+       shlib_directory=%{_prefix}/lib/postfix \
+       meta_directory=%{_prefix}/lib/postfix \
       config_directory=%{pf_config_directory} \
       daemon_directory=%{pf_daemon_directory} \
       command_directory=%{pf_command_directory} \
@@ -282,10 +267,8 @@ for i in qmqp-source smtp-sink smtp-source; do
 	install -m 755 bin/$i %{buildroot}%{_sbindir}/$i
 done
 mkdir -p %{buildroot}/sbin/conf.d
-mkdir -p %{buildroot}%{_sysconfdir}/permissions.d
 mkdir -p %{buildroot}/%{_libdir}/sasl2
 mkdir -p %{buildroot}%{_sbindir}
-mkdir -p %{buildroot}/%{conf_backup_dir}
 mkdir -p %{buildroot}/%{pf_sample_directory}
 mkdir -p %{buildroot}/%{pf_html_directory}
 mkdir -p %{buildroot}%{_includedir}/postfix
@@ -296,46 +279,12 @@ mkdir -p %{buildroot}%{_includedir}/postfix
    mkdir -p %{buildroot}%{_sysconfdir}/pam.d
    install -m 644 postfix-SUSE/smtp %{buildroot}%{_sysconfdir}/pam.d/smtp
 %endif
-mkdir -p %{buildroot}%{_fillupdir}
-sed -e 's;@lib@;%{_lib};g' postfix-SUSE/sysconfig.postfix > %{buildroot}%{_fillupdir}/sysconfig.postfix
-install -m 644 postfix-SUSE/sysconfig.mail-postfix %{buildroot}%{_fillupdir}/sysconfig.mail-postfix
-sed -e 's;@lib@;%{_lib};g' \
-    -e 's;@conf_backup_dir@;%{conf_backup_dir};' \
-    -e 's;@daemon_directory@;%{pf_daemon_directory};' \
-    -e 's;@readme_directory@;%{pf_readme_directory};' \
-    -e 's;@html_directory@;%{pf_html_directory};' \
-    -e 's;@sendmail_path@;%{pf_sendmail_path};' \
-    -e 's;@setgid_group@;%{pf_setgid_group};' \
-    -e 's;@manpage_directory@;%{_mandir};' \
-    -e 's;@newaliases_path@;%{pf_newaliases_path};' \
-    -e 's;@sample_directory@;%{pf_sample_directory};' \
-    -e 's;@mailq_path@;%{pf_mailq_path};' postfix-SUSE/config.postfix > %{buildroot}%{_sbindir}/config.postfix
-chmod 755 %{buildroot}%{_sbindir}/config.postfix
-install -m 644 postfix-SUSE/dynamicmaps.cf %{buildroot}%{_sysconfdir}/postfix/dynamicmaps.cf
-install -m 644 postfix-SUSE/ldap_aliases.cf %{buildroot}%{_sysconfdir}/postfix/ldap_aliases.cf
-install -m 644 postfix-SUSE/helo_access %{buildroot}%{_sysconfdir}/postfix/helo_access
-install -m 644 postfix-SUSE/permissions %{buildroot}%{_sysconfdir}/permissions.d/postfix
-install -m 644 postfix-SUSE/sender_canonical %{buildroot}%{_sysconfdir}/postfix/sender_canonical
-install -m 644 postfix-SUSE/relay %{buildroot}%{_sysconfdir}/postfix/relay
-install -m 644 postfix-SUSE/relay_ccerts %{buildroot}%{_sysconfdir}/postfix/relay_ccerts
-install -m 600 postfix-SUSE/sasl_passwd %{buildroot}%{_sysconfdir}/postfix/sasl_passwd
 mkdir -p %{buildroot}%{_sysconfdir}/sasl2
+mkdir -p %{buildroot}%{_sysconfdir}/permissions.d
+install -pm 0644 postfix-SUSE/permissions %{buildroot}%{_sysconfdir}/permissions.d/postfix
+install -pm 0644 postfix-SUSE/permissions.paranoid %{buildroot}%{_sysconfdir}/permissions.d/postfix.paranoid
+
 install -m 600 postfix-SUSE/smtpd.conf %{buildroot}%{_sysconfdir}/sasl2/smtpd.conf
-install -m 644 postfix-SUSE/openssl_postfix.conf.in %{buildroot}%{_sysconfdir}/postfix/openssl_postfix.conf.in
-install -m 755 postfix-SUSE/mkpostfixcert %{buildroot}%{_sbindir}/mkpostfixcert
-{
-cat<<EOF
-#
-# -----------------------------------------------------------------------
-# NOTE: Many parameters have already been added to the end of this file
-#       by config.postfix. So take care that you don't uncomment
-#       and set a parameter without checking whether it has been added
-#       to the end of this file.
-# -----------------------------------------------------------------------
-#
-EOF
-cat conf/main.cf
-} > %{buildroot}%{_sysconfdir}/postfix/main.cf
 %{buildroot}%{_sbindir}/postconf -c %{buildroot}%{_sysconfdir}/postfix \
        -e "manpage_directory = %{_mandir}" \
           "setgid_group      = %{pf_setgid_group}" \
@@ -351,10 +300,6 @@ cat conf/main.cf
 	   "disable_vrfy_command = yes" \
 	   'smtpd_banner      = $myhostname ESMTP'
 #Set Permissions
-install -m 644 postfix-SUSE/postfix-files %{buildroot}%{pf_shlib_directory}/postfix-files
-# create paranoid permissions file
-printf '%%-38s %%-18s %%s\n' %{_sbindir}/postdrop "root.%{pf_setgid_group}" "0755" >> %{buildroot}%{_sysconfdir}/permissions.d/postfix.paranoid
-printf '%%-38s %%-18s %%s\n' %{_sbindir}/postqueue "root.%{pf_setgid_group}" "0755" >> %{buildroot}%{_sysconfdir}/permissions.d/postfix.paranoid
 install -m 644 include/*.h %{buildroot}%{_includedir}/postfix/
 # some rpmlint stuff
 # remove unneeded examples/chroot-setup
@@ -373,11 +318,8 @@ rm -f %{buildroot}%{_sysconfdir}/postfix/*.orig
 mkdir -p %{buildroot}%{_unitdir}
 mkdir -p %{buildroot}%{pf_shlib_directory}/systemd
 install -m 0644 postfix-SUSE/postfix.service         %{buildroot}%{_unitdir}/postfix.service
-install -m 0755 postfix-SUSE/config_postfix.systemd  %{buildroot}%{pf_shlib_directory}/systemd/config_postfix
 install -m 0755 postfix-SUSE/update_chroot.systemd   %{buildroot}%{pf_shlib_directory}/systemd/update_chroot
-install -m 0755 postfix-SUSE/update_postmaps.systemd %{buildroot}%{pf_shlib_directory}/systemd/update_postmaps
 install -m 0755 postfix-SUSE/wait_qmgr.systemd       %{buildroot}%{pf_shlib_directory}/systemd/wait_qmgr
-install -m 0755 postfix-SUSE/cond_slp.systemd        %{buildroot}%{pf_shlib_directory}/systemd/cond_slp
 %if 0%{?suse_version} < 1599
 ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rcpostfix
 %endif
@@ -400,7 +342,6 @@ install -m 644 %{SOURCE13} %{buildroot}%{_sysusersdir}/
 %endif

 #Clean up for postfix-bdb
-rm -rf %{buildroot}/etc/postfix/ldap_aliases.cf
 rm -rf %{buildroot}/usr/lib/debug/usr/lib/postfix/postfix-ldap.so-3.5.8-2.11.1.x86_64.debug
 rm -rf %{buildroot}/usr/lib/debug/usr/lib/postfix/postfix-mysql.so-3.5.8-2.11.1.x86_64.debug
 rm -rf %{buildroot}/usr/lib/debug/usr/lib/postfix/postfix-pgsql.so-3.5.8-2.11.1.x86_64.debug
@@ -413,6 +354,7 @@ rm -rf %{buildroot}/%{_includedir}/postfix/

 # posttls-finger is built but not installed
 install -m 755 bin/posttls-finger %{buildroot}%{_sbindir}/
+# ---------------------------------------------------------------------------

 %if 0%{?suse_version} >= 1330
 %pre -f postfix.pre
@@ -443,35 +385,18 @@ fi
 # ---------------------------------------------------------------------------

 %post
-# We never have to run suseconfig for postfix after installation
-# We only start postfix own upgrade-configuration by update
-if [ ${1:-0} -gt 1 ]; then
-	touch %{_localstatedir}/adm/postfix.configured
-        echo "Executing upgrade-configuration."
-        %{_sbindir}/postfix set-permissions upgrade-configuration setgid_group=%{pf_setgid_group} || :
-        if [ "$(%{_sbindir}/postconf -h daemon_directory)" != "%{pf_daemon_directory}" ]; then
-                %{_sbindir}/postconf daemon_directory=%{pf_daemon_directory}
-        fi
-fi
-
 %service_add_post postfix.service
-
+/sbin/ldconfig
 %set_permissions %{_sbindir}/postdrop
 %set_permissions %{_sbindir}/postlog
 %set_permissions %{_sbindir}/postqueue
-%set_permissions %{_sysconfdir}/postfix/sasl_passwd
-%set_permissions %{_sbindir}/sendmail
-
-%{fillup_only postfix}
-%{fillup_only -an mail}
-/sbin/ldconfig
+%set_permissions /var/spool/mail/

 %verifyscript
-%verify_permissions -e %{_sbindir}/postdrop
-%verify_permissions -e %{_sbindir}/postlog
-%verify_permissions -e %{_sbindir}/postqueue
-%verify_permissions -e %{_sysconfdir}/postfix/sasl_passwd
-%verify_permissions -e %{_sbindir}/sendmail
+%verify_permissions %{_sbindir}/postdrop
+%verify_permissions %{_sbindir}/postlog
+%verify_permissions %{_sbindir}/postqueue
+%verify_permissions -e /var/spool/mail/

 %postun
 %service_del_postun postfix.service
@@ -487,28 +412,13 @@ fi
 %else
 %config %{_sysconfdir}/pam.d/*
 %endif
-%{_fillupdir}/sysconfig.postfix
-%{_fillupdir}/sysconfig.mail-postfix
 %dir %{_sysconfdir}/postfix
-%config %{_sysconfdir}/postfix/main.cf.default
-%config(noreplace) %{_sysconfdir}/postfix/[^mysql]*[^mysql]
-%config(noreplace) %{_sysconfdir}/postfix/access
-%config(noreplace) %{_sysconfdir}/postfix/aliases
-%config(noreplace) %{_sysconfdir}/postfix/canonical
-%config(noreplace) %{_sysconfdir}/postfix/header_checks
-%config(noreplace) %{_sysconfdir}/postfix/helo_access
-%config(noreplace) %{_sysconfdir}/postfix/main.cf
-%config(noreplace) %{_sysconfdir}/postfix/master.cf
+%exclude %{_sysconfdir}/postfix/*mysql*
+%config(noreplace) %{_sysconfdir}/postfix/*
 %attr(0750,root,root) %config %{_sysconfdir}/postfix/post-install
 %attr(0750,root,root) %config %{_sysconfdir}/postfix/postfix-tls-script
 %attr(0750,root,root) %config %{_sysconfdir}/postfix/postfix-wrapper
 %attr(0750,root,root) %config %{_sysconfdir}/postfix/postmulti-script
-%config(noreplace) %{_sysconfdir}/postfix/postfix-files
-%config(noreplace) %{_sysconfdir}/postfix/relay
-%config(noreplace) %{_sysconfdir}/postfix/relay_ccerts
-%config(noreplace) %{_sysconfdir}/postfix/sasl_passwd
-%config(noreplace) %{_sysconfdir}/postfix/sender_canonical
-%config(noreplace) %{_sysconfdir}/postfix/virtual

 %dir %{_sysconfdir}/sasl2
 %config(noreplace) %{_sysconfdir}/sasl2/smtpd.conf
@@ -525,11 +435,11 @@ fi
 %dir %{pf_shlib_directory}/systemd
 %attr(0755,root,root) %{pf_shlib_directory}/systemd/*
 %{_unitdir}/postfix.service
-%{_bindir}/*
+%{_bindir}/mailq
+%{_bindir}/newaliases
 %verify(not mode) %attr(2755,root,%{pf_setgid_group}) %{_sbindir}/postdrop
 %verify(not mode) %attr(2755,root,%{pf_setgid_group}) %{_sbindir}/postlog
 %verify(not mode) %attr(2755,root,%{pf_setgid_group}) %{_sbindir}/postqueue
-%attr(0755,root,root) %{_sbindir}/config.postfix
 %attr(0755,root,root) %{_sbindir}/sendmail
 %attr(0755,root,root) %{_sbindir}/postalias
 %attr(0755,root,root) %{_sbindir}/postcat
@@ -545,9 +455,7 @@ fi
 %attr(0755,root,root) %{_sbindir}/qmqp-source
 %attr(0755,root,root) %{_sbindir}/smtp-sink
 %attr(0755,root,root) %{_sbindir}/smtp-source
-%attr(0755,root,root) %{_sbindir}/mkpostfixcert
 %attr(0755,root,root) %{_sbindir}/check_mail_queue
-%attr(0755,root,root) %{_sbindir}/config.postfix
 %if 0%{?suse_version} < 1599
 %{_sbindir}/rcpostfix
 %endif
@@ -564,7 +472,6 @@ fi
 %{pf_shlib_directory}/main.cf.proto
 %{pf_shlib_directory}/master.cf.proto

-%{conf_backup_dir}
 %dir %attr(0700,postfix,root) %{pf_data_directory}
 %exclude %{_mandir}/man5/ldap_table.5*
 %exclude %{_mandir}/man5/lmdb_table.5*
--- a/postfix-main.cf.patch
+++ b/postfix-main.cf.patch
@@ -1,211 +0,0 @@
--- conf/main.cf.orig	2025-05-21 13:20:29.531943251 +0200
-+++ conf/main.cf	2025-05-21 13:22:12.037043281 +0200
-@@ -285,7 +285,7 @@ unknown_local_recipient_reject_code = 55
- #
- #mynetworks = 168.100.3.0/28, 127.0.0.0/8
- #mynetworks = $config_directory/mynetworks
-#mynetworks = hash:/etc/postfix/network_table
-+#mynetworks = lmdb:/etc/postfix/network_table
- 
- # The relay_domains parameter restricts what destinations this system will
- # relay mail to.  See the smtpd_relay_restrictions and
-@@ -352,7 +352,7 @@ unknown_local_recipient_reject_code = 55
- # In the left-hand side, specify an @domain.tld wild-card, or specify
- # a user@domain.tld address.
- # 
-#relay_recipient_maps = hash:/etc/postfix/relay_recipients
-+#relay_recipient_maps = lmdb:/etc/postfix/relay_recipients
- 
- # INPUT RATE CONTROL
- #
-@@ -407,8 +407,8 @@ unknown_local_recipient_reject_code = 55
- # "postfix reload" to eliminate the delay.
- #
- #alias_maps = dbm:/etc/aliases
-#alias_maps = hash:/etc/aliases
-#alias_maps = hash:/etc/aliases, nis:mail.aliases
-+#alias_maps = lmdb:/etc/aliases
-+#alias_maps = lmdb:/etc/aliases, nis:mail.aliases
- #alias_maps = netinfo:/aliases
- 
- # The alias_database parameter specifies the alias database(s) that
-@@ -418,8 +418,8 @@ unknown_local_recipient_reject_code = 55
- #
- #alias_database = dbm:/etc/aliases
- #alias_database = dbm:/etc/mail/aliases
-#alias_database = hash:/etc/aliases
-#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases
-+#alias_database = lmdb:/etc/aliases
-+#alias_database = lmdb:/etc/aliases, lmdb:/opt/majordomo/aliases
- 
- # ADDRESS EXTENSIONS (e.g., user+foo)
- #
-@@ -576,6 +576,7 @@ unknown_local_recipient_reject_code = 55
- #
- #smtpd_banner = $myhostname ESMTP $mail_name
- #smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
-+smtpd_banner = $myhostname ESMTP
- 
- # PARALLEL DELIVERY TO THE SAME DESTINATION
- #
-@@ -682,4 +683,160 @@ sample_directory =
- # readme_directory: The location of the Postfix README files.
- #
- readme_directory =
-+
-+############################################################
-+#
-+# before changing values manually consider editing
-+#  /etc/sysconfig/postfix
-+# and run
-+#  config.postfix
-+#
-+# if you miss a feature of config.postfix then just send a
-+# mail to chris@computersalat.de
-+# patches for new feature(s) are also welcome :)
-+#
-+############################################################
-+
-+biff = no
-+content_filter = 
-+delay_warning_time = 0h
-+smtp_dns_support_level = enabled
-+disable_mime_output_conversion = no
-+disable_vrfy_command = yes
-+inet_interfaces = all
- inet_protocols = ipv4
-+masquerade_classes = envelope_sender, header_sender, header_recipient
-+masquerade_domains = 
-+masquerade_exceptions = 
-+mydestination = $myhostname, localhost.$mydomain, localhost
-+mynetworks_style = subnet
-+relayhost = 
-+
-+alias_maps = 
-+canonical_maps = 
-+relocated_maps = 
-+sender_canonical_maps = 
-+transport_maps = 
-+mail_spool_directory = /var/mail 
-+message_strip_characters = 
-+defer_transports = 
-+mailbox_command = 
-+mailbox_transport = 
-+mailbox_size_limit = 0
-+message_size_limit = 0
-+strict_8bitmime = no
-+strict_rfc821_envelopes = no
-+smtpd_delay_reject = yes
-+smtpd_helo_required = no
-+
-+smtpd_client_restrictions = 
-+
-+smtpd_helo_restrictions = 
-+
-+smtpd_sender_restrictions = 
-+
-+smtpd_recipient_restrictions = 
-+
-+
-+######################################################################
-+# SMTP Smuggling (CVE-2023-51764)
-+# no: allows SMTP smuggling
-+# yes / normalize : 
-+#   but allow local clients with non-standard SMTP implementations
-+#   such as netcat, fax machines, or load balancer health checks.
-+# reject: 
-+#   rejects a command or message that contains a bare newline
-+######################################################################
-+smtpd_forbid_bare_newline = normalize
-+smtpd_forbid_bare_newline_exclusions = $mynetworks
-+#smtpd_forbid_bare_newline_reject_code = 521
-+
-+############################################################
-+# SASL stuff
-+############################################################
-+smtp_sasl_auth_enable = no
-+smtp_sasl_security_options = 
-+smtp_sasl_password_maps = 
-+smtpd_sasl_auth_enable = no
-+# cyrus   : smtpd_sasl_type = cyrus
-+#           smtpd_sasl_path = smtpd
-+# dovecot : smtpd_sasl_type = dovecot
-+#           smtpd_sasl_path = private/auth
-+smtpd_sasl_type = cyrus
-+smtpd_sasl_path = smtpd
-+############################################################
-+# TLS stuff
-+############################################################
-+#tls_append_default_CA = no
-+relay_clientcerts = 
-+#tls_random_source = dev:/dev/urandom
-+
-+#smtp_tls_loglevel = 0
-+smtp_tls_security_level = 
-+smtp_tls_CAfile = 
-+smtp_tls_CApath = 
-+smtp_tls_cert_file = 
-+smtp_tls_key_file = 
-+#smtp_tls_policy_maps = lmdb:/etc/postfix/tls_policy
-+#smtp_tls_session_cache_timeout = 3600s
-+smtp_tls_session_cache_database = 
-+
-+#smtpd_tls_loglevel = 0
-+smtpd_tls_security_level = 
-+smtpd_tls_CAfile = 
-+smtpd_tls_CApath = 
-+smtpd_tls_cert_file = 
-+smtpd_tls_key_file = 
-+smtpd_tls_ask_ccert = no
-+smtpd_tls_exclude_ciphers = RC4
-+smtpd_tls_received_header = no
-+############################################################
-+# OpenDKIM
-+############################################################
-+#smtpd_milters = unix:/run/opendkim/opendkim.sock
-+#non_smtpd_milters = $smtpd_milters
-+#milter_default_action = accept
-+#milter_protocol = 2
-+############################################################
-+# Start MySQL from postfixwiki.org
-+############################################################
-+relay_domains = $mydestination, lmdb:/etc/postfix/relay
-+#relay_recipient_maps = lmdb:/etc/postfix/relay_recipients
-+#virtual_alias_domains = 
-+#virtual_alias_maps = lmdb:/etc/postfix/virtual
-+#virtual_uid_maps = static:303
-+#virtual_gid_maps = static:303
-+#virtual_minimum_uid = 303
-+#virtual_mailbox_base = /srv/maildirs
-+#virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
-+#virtual_mailbox_limit = 0
-+#virtual_mailbox_limit_inbox = no
-+#virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
-+## For dovecot LMTP replace 'virtual' with 'lmtp:unix:private/lmtp-dovecot'
-+#virtual_transport = virtual
-+## Additional for quota support
-+#virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
-+#virtual_mailbox_limit_override = yes
-+### Needs Maildir++ compatible IMAP servers, like Courier-IMAP
-+#virtual_maildir_filter = yes
-+#virtual_maildir_filter_maps = lmdb:/etc/postfix/vfilter
-+#virtual_maildir_limit_message = Sorry, the user's maildir has overdrawn his diskspace quota, please try again later.
-+#virtual_maildir_limit_message_maps = lmdb:/etc/postfix/vmsg
-+#virtual_overquota_bounce = yes
-+#virtual_trash_count = yes
-+#virtual_trash_name = ".Trash"
-+############################################################
-+# End MySQL from postfixwiki.org
-+############################################################
-+# Rewrite reject codes
-+############################################################
-+#unknown_address_reject_code = 550
-+#unknown_client_reject_code = 550
-+#unknown_hostname_reject_code = 550
-+#unverified_recipient_reject_code = 550
-+#unverified_sender_reject_code = 550
-+#soft_bounce = yes
-+############################################################
-+#debug_peer_list = example.com
-+#debug_peer_level = 3
-+
--- a/postfix-master.cf.patch
+++ b/postfix-master.cf.patch
@@ -1,121 +0,0 @@
-Index: conf/master.cf
-===================================================================
--- conf/master.cf.orig
-+++ conf/master.cf
-@@ -10,6 +10,11 @@
- #               (yes)   (yes)   (no)    (never) (100)
- # ==========================================================================
- smtp      inet  n       -       n       -       -       smtpd
-+#amavis    unix  -       -       n       -       4       smtp
-+#  -o smtp_data_done_timeout=1200
-+#  -o smtp_send_xforward_command=yes
-+#  -o smtp_dns_support_level=disabled
-+#  -o max_use=20
- #smtp      inet  n       -       n       -       1       postscreen
- #smtpd     pass  -       -       n       -       -       smtpd
- #dnsblog   unix  -       -       n       -       0       dnsblog
-@@ -17,34 +22,36 @@ smtp      inet  n       -       n
- # Choose one: enable submission for loopback clients only, or for any client.
- #127.0.0.1:submission inet n -   n       -       -       smtpd
- #submission inet n       -       n       -       -       smtpd
-#  -o syslog_name=postfix/submission
-#  -o smtpd_forbid_unauth_pipelining=no
-#  -o smtpd_tls_security_level=encrypt
-#  -o smtpd_sasl_auth_enable=yes
-#  -o smtpd_tls_auth_only=yes
-#  -o local_header_rewrite_clients=static:all
-#  -o smtpd_hide_client_session=yes
-#  -o smtpd_reject_unlisted_recipient=no
-+#   -o syslog_name=postfix/submission
-+#   -o smtpd_forbid_unauth_pipelining=no
-+#   -o smtpd_tls_security_level=encrypt
-+#   -o content_filter=smtp:[127.0.0.1]:10024
-+#   -o smtpd_sasl_auth_enable=yes
-+#   -o smtpd_tls_auth_only=yes
-+#   -o local_header_rewrite_clients=static:all
-+#   -o smtpd_hide_client_session=yes
-+#   -o smtpd_reject_unlisted_recipient=no
- #     Instead of specifying complex smtpd_<xxx>_restrictions here,
- #     specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
- #     here, and specify mua_<xxx>_restrictions in main.cf (where
- #     "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
-#  -o smtpd_client_restrictions=
-#  -o smtpd_helo_restrictions=
-#  -o smtpd_sender_restrictions=
-#  -o smtpd_relay_restrictions=
-#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-#  -o milter_macro_daemon_name=ORIGINATING
-+#   -o smtpd_client_restrictions=$mua_client_restrictions
-+#   -o smtpd_helo_restrictions=$mua_helo_restrictions
-+#   -o smtpd_sender_restrictions=$mua_sender_restrictions
-+#   -o smtpd_recipient_restrictions=
-+#   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-+#   -o milter_macro_daemon_name=ORIGINATING
- # Choose one: enable submissions for loopback clients only, or for any client.
- #127.0.0.1:submissions inet n  -       n       -       -       smtpd
- #submissions     inet  n       -       n       -       -       smtpd
-#  -o syslog_name=postfix/submissions
-#  -o smtpd_forbid_unauth_pipelining=no
-#  -o smtpd_tls_wrappermode=yes
-#  -o smtpd_sasl_auth_enable=yes
-#  -o local_header_rewrite_clients=static:all
-#  -o smtpd_hide_client_session=yes
-#  -o smtpd_reject_unlisted_recipient=no
-+#    -o syslog_name=postfix/submissions
-+#    -o smtpd_forbid_unauth_pipelining=no
-+#    -o smtpd_tls_wrappermode=yes
-+#    -o content_filter=smtp:[127.0.0.1]:10024
-+#    -o smtpd_sasl_auth_enable=yes
-+#    -o local_header_rewrite_clients=static:all
-+#    -o smtpd_hide_client_session=yes
-+#    -o smtpd_reject_unlisted_recipient=no
- #     Instead of specifying complex smtpd_<xxx>_restrictions here,
- #     specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
- #     here, and specify mua_<xxx>_restrictions in main.cf (where
-@@ -83,6 +90,26 @@ lmtp      unix  -       -       n
- anvil     unix  -       -       n       -       1       anvil
- scache    unix  -       -       n       -       1       scache
- postlog   unix-dgram n  -       n       -       1       postlogd
-+#localhost:10025 inet   n       -       n       -       -       smtpd
-+#  -o content_filter=
-+#  -o smtpd_delay_reject=no
-+#  -o smtpd_client_restrictions=permit_mynetworks,reject
-+#  -o smtpd_helo_restrictions=
-+#  -o smtpd_sender_restrictions=
-+#  -o smtpd_recipient_restrictions=permit_mynetworks,reject
-+#  -o smtpd_data_restrictions=reject_unauth_pipelining
-+#  -o smtpd_end_of_data_restrictions=
-+#  -o smtpd_restriction_classes=
-+#  -o mynetworks=127.0.0.0/8
-+#  -o smtpd_error_sleep_time=0
-+#  -o smtpd_soft_error_limit=1001
-+#  -o smtpd_hard_error_limit=1000
-+#  -o smtpd_client_connection_count_limit=0
-+#  -o smtpd_client_connection_rate_limit=0
-+#  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_address_mappings
-+#  -o local_header_rewrite_clients=
-+#  -o local_recipient_maps=
-+#  -o relay_recipient_maps=
- #
- # ====================================================================
- # Interfaces to non-Postfix software. Be sure to examine the manual
-@@ -116,7 +143,7 @@ postlog   unix-dgram n  -       n
- # Also specify in main.cf: cyrus_destination_recipient_limit=1
- #
- #cyrus     unix  -       n       n       -       -       pipe
-#  flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
-+#  flags=DRX user=cyrus argv=/usr/lib/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
- #
- # ====================================================================
- #
-@@ -149,3 +176,10 @@ postlog   unix-dgram n  -       n
- #mailman   unix  -       n       n       -       -       pipe
- #  flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
- #  ${nexthop} ${user}
-+#
-+#procmail  unix  -       n       n       -       -       pipe
-+#  flags=R user=nobody argv=/usr/bin/procmail -t -m /etc/procmailrc ${sender} ${recipient}
-+#
-+#dovecot   unix  -       n       n       -       -       pipe
-+#  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${recipient}
-+#
--- a/7
+++ b/7
@@ -1,7 +1,2 @@
-sddFilter("executable-sourced-script .*/sbin/conf.d/SuSEconfig.postfix")
-addFilter("sourced-script-with-shebang .*/sbin/conf.d/SuSEconfig.postfix")
-addFilter("devel-file-in-non-devel-package .*/usr/lib/libpostfix*.so")
-addFilter("devel-file-in-non-devel-package .*/usr/lib64/libpostfix*.so")
-addFilter(".*standard-dir-owned-by-package.*/var/spool/mail.*")
+addFilter("W: no-%check-section")
 addFilter(".*[WE]:.*filelist-forbidden-fhs23.*/var/mail.*")
-
--- a/postfix.changes
+++ b/postfix.changes
@@ -1,3 +1,237 @@
+-------------------------------------------------------------------
+Thu Jan 22 10:59:46 UTC 2026 - Marcus Rueckert <mrueckert@suse.de>
+
+- Do not strip binaries at all
+- also drop " -s " from the CCARGS to prevent stripping there
+
+-------------------------------------------------------------------
+Thu Jan 22 10:09:40 UTC 2026 - Ana Guerrero <ana.guerrero@suse.com>
+
+- Re-add dropped change:
+- fix postfix-SUSE.tar.gz, postfix.service: correct path for postalias
+  from /sbin/postalias to /usr/sbin/postalias
+
+-------------------------------------------------------------------
+Wed Jan 21 07:33:02 UTC 2026 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Don't fail strip on non-existing files (easy hack to fix 32bit
+  builds).
+
+-------------------------------------------------------------------
+Thu Jan 15 17:53:42 UTC 2026 - Peter Varkoly <varkoly@suse.com>
+
+- fix (bsc#1256462) [Build 12.10] openQA test fails in mta: Failed to start postfix.service
+  Remove postfix set-permisson from all spaces
+- Strip binaries
+
+-------------------------------------------------------------------
+Tue Jan 13 20:27:51 UTC 2026 - Peter Varkoly <varkoly@suse.com>
+
+- fix (bsc#1256462) [Build 12.10] openQA test fails in mta: Failed to start postfix.service
+  Put postfix set-permisson into %post
+
+-------------------------------------------------------------------
+Sun Dec 21 20:52:29 UTC 2025 - Peter Varkoly <varkoly@suse.com>
+
+- (jsc#PED-14859) Fix packages for Immutable Mode - postfix
+
+-------------------------------------------------------------------
+Sun Dec 14 18:45:30 UTC 2025 - Peter Varkoly <varkoly@suse.com>
+
+- Put /etc/permissions.d/postfix.paranoid into the postfix-SUSE.tar.gz
+
+-------------------------------------------------------------------
+Thu Dec 11 13:06:30 UTC 2025 - Stefan Botter <obs@botter.cc>
+
+- fix postfix-SUSE.tar.gz, postfix.service: correct path for postalias
+  from /sbin/postalias to /usr/sbin/postalias
+
+-------------------------------------------------------------------
+Wed Dec 10 20:00:47 UTC 2025 - Arjen de Korte <suse+build@de-korte.org>
+
+- update to 3.10.7
+  * This patch addresses build errors on recent Linux distributions.
+    With the patch, Postfix builds will run the compiler with a
+    backwards compatibility option that is supported by Gcc and Clang.
+    For other compilers, an error message provides hints.
+
+-------------------------------------------------------------------
+Wed Dec 10 14:35:23 UTC 2025 - Wolfgang Frisch <wolfgang.frisch@suse.com>
+
+- Add /var/spool/mail to the permissions.d drop-in. This directory used to be
+  whitelisted globally in the permissions package but an update for the exim
+  mail server changed that (bsc#1254597 bsc#1240755).
+- Reintroduce permissions.d/postfix-paranoid drop-in that was removed in r534.
+
+-------------------------------------------------------------------
+Fri Dec  5 09:37:39 UTC 2025 - Peter Varkoly <varkoly@suse.com>
+
+- postfix is unable to send mail by default (bsc#1253775)
+  o Clean up the package
+    * Get rid of config.postfix script to avoid unintentional changes
+      of the configuration. The sysconfig files mail and postfix
+      were removed also.
+    * Deliver the original main.cf and master.cf
+    * Remove a lot of deprecated stuff from the package.
+    * Remove the ExecStartPre scripts to maintain the postmaps
+      and the chroot environment.
+    * A new ExecStartPre script manages the default alias map which
+      is part of the default configuration of postfix.
+      /sbin/postalias /etc/aliases
+    * Do not use the permissions framework. A new ExecStartPre script
+      takes care of the right permissions: /usr/sbin/postfix set-permissions
+    * Remove mkpostfixcert
+    * Get rid of berkley db converting scripts
+  o Remove patches:
+    * postfix-master.cf.patch
+    * postfix-main.cf.patch
+    * postfix-bdb-main.cf.patch
+
+-------------------------------------------------------------------
+Wed Nov 26 19:27:24 UTC 2025 - Arjen de Korte <suse+build@de-korte.org>
+
+- update to 3.10.6
+  * Bugfix (defect introduced: Postfix 3.10, date: 20250117).
+    Symptom: warning messages that smtp_tls_wrappermode requires
+    "smtp_tls_security_level = encrypt".
+    Root cause: support for "TLS-Required: no" broke client-side
+    TLS wrappermode support, by downgrading a connection to TLS
+    security level 'may'.
+    The fix changes the downgrade level for wrappermode connections
+    to 'encrypt'. Rationale: by design, TLS can be optional only
+    for connections that use STARTTLS. The downgrade to unauthenticated
+    'encrypt' allows a sender to avoid an email delivery problem.
+    Problem reported by Joshua Tyler Cochran.
+  * New logging: the Postfix SMTP client will log a warning when
+    an MX hostname does not match STS policy MX patterns, with
+    "smtp_tls_enforce_sts_mx_patterns = yes" in Postfix, and with
+    TLSRPT support enabled in a TLS policy plugin. It will log a
+    successful match only when verbose logging is enabled.
+  * Bugfix (defect introduced: Postfix 3.10, date: 20240902): SMTP
+    client null pointer crash when an STS policy plugin sends no
+    policy_string or no mx_pattern attributes. This can happen only
+    during tests with a fake STS plugin.
+  * Bugfix (defect introduced: Postfix 2.9, date: 20120307): segfault
+    when a duplicate parameter name is given to "postconf -X" or
+    "postconf -#'.
+  * Documentation: removed incorrect text from the parameter
+    description for smtp_cname_overrides_servername. File:
+    proto/postconf.proto.
+
+-------------------------------------------------------------------
+Mon Nov 10 19:31:34 UTC 2025 - Arjen de Korte <suse+build@de-korte.org>
+
+- update to 3.10.5
+  * Workaround for an interface mis-match between the Postfix SMTP
+    client and MTA-STS policy plugins.
+      * The existing behavior is to connect to any MX host listed
+        in DNS, and to match the server certificate against any STS
+        policy MX host pattern.
+      * The corrected behavior is to connect to an MX host only if
+        its name matches any STS policy MX host pattern, and to
+        match the server certificate against the MX hostname.
+    The corrected behavior must be enabled in two places: in Postfix
+    with a new parameter "smtp_tls_enforce_sts_mx_patterns" (default:
+    "yes") and in an MTA-STS plugin by enabling TLSRPT support, so
+    that the plugin forwards STS policy attributes to Postfix. This
+    works even if Postfix TLSRPT support is disabled at build time
+    or at runtime.
+  * TLSRPT Workaround: when a TLSRPT policy-type value is
+    "no-policy-found", pretend that the TLSRPT policy domain value
+    is equal to the recipient domain. This ignores that different
+    policy types (TLSA, STS) use different policy domains. But this
+    is what Microsoft does, and therefore, what other tools expect.
+  * Bugfix (defect introduced: Postfix 3.0): the Postfix SMTP
+    client's connection reuse logic did not distinguish between
+    sessions that require SMTPUTF8 support, and sessions that do
+    not. The solution is 1) to store sessions with different SMTPUTF8
+    requirements under distinct connection cache storage keys, and
+    2) to not cache a connection when SMTPUTF8 is required but the
+    server does not support that feature.
+  * Bugfix (defect introduced: Postfix 3.0, date 20140731): the
+    smtpd 'disconnect' command statistics did not count commands
+    with "bad syntax" and "bad UTF-8 syntax" errors.
+  * Bugfix: the August 2025 patch broke DBM library support which
+    is still needed on Solaris; and the same change could result
+    in warnings with "database X is older than source file Y".
+  * Postfix 3.11 forward compatibility: to avoid ugly warnings when
+    Postfix 3.11 is rolled back to an older version, allow a
+    preliminary 'size' record in maildrop queue files created with
+    Postfix 3.11 or later.
+  * Bugfix (defect introduced: Postfix 3.8, date 20220128):
+    non-reproducible build, because the 'postconf -e' output order
+    for new main.cf entries was no longer deterministic. Problem
+    reported by Oleksandr Natalenko, diagnosis by Eray Aslan.
+  * To make builds predictable, add missing meta_directory and
+    shlib_directory settings to the stock main.cf file. Problem
+    diagnosed by Eray Aslan.
+  * Bugfix (defect introduced: Postfix 3.9, date 20230517):
+    posttls-finger(1) logged an incorrectly-formatted port number.
+    Viktor Dukhovni.
+- rebase postfix-main.cf.patch
+- adapt rpmlint
+  o dir-or-file-outside-snapshot
+
+-------------------------------------------------------------------
+Tue Aug 19 17:45:58 UTC 2025 - Arjen de Korte <suse+build@de-korte.org>
+
+- update to 3.10.4
+  * Fixes for postscreen(8):
+      - Bugfix (defect introduced: Postfix 2.2, date 20050203): after
+        detecting a lookup table change, and after starting a new
+        postscreen process, the old postscreen process logged an ENOTSOCK
+        error while attempting to accept a connection on a socket that
+        it was no longer listening on. This error was introduced first
+        in the multi_server skeleton code, and was five years later
+        duplicated in the event_server skeleton that was created for
+        postscreen.
+      - Bugfix (defect introduced: Postfix 2.8, date 20101230):
+        after detecting a cache table change and before starting a new
+        postscreen process, the old postscreen process did not close the
+        postscreen_cache_map, and therefore kept an exclusive lock that
+        could prevent a new postscreen process from starting.
+  * Fixes for tlsproxy(8):
+      - Bugfix (defect introduced: Postfix 3.7): incorrect backwards
+        compatible support for the legacy configuration parameters
+        tlsproxy_client_level and tlsproxy_client_policy. This
+        disabled the tlsproxy TLS client role when a legacy parameter
+        was set (instead of the newer tlsproxy_client_security_level
+        or tlsproxy_client_policy_maps).
+      - Bugfix (defect introduced: Postfix 3.4): with the TLS client role
+        disabled by configuration, the tlsproxy daemon dereferenced a
+        null pointer while handling a tlsproxy client request.
+  * Reducing process churn: Postfix daemons no longer automatically
+    restart after a btree:, dbm:, hash:, lmdb:, or sdbm: table file
+    modification time change, when they opened that table for writing.
+  * Portability: deleted an <openssl/engine.h> build dependency,
+    because the feature is being removed from OpenSSL, and Postfix
+    no longer needs it.
+  * Cleanup: with "tls_required_enable = yes", the Postfix SMTP client
+    will no longer maintain TLSRPT statistics for messages that contain
+    a "TLS-Required: no" header. This can prevent TLSRPT notifications
+    for TLSRPT notifications.
+  * Bugfix (defect introduced: Postfix 3.6, date 20200710): Postfix TLS
+    client code logged "Untrusted TLS connection" (wrong) instead of
+    "Trusted TLS connection" (right), for a new or resumed TLS session,
+    when a server offered a trusted (valid PKI trust chain) certificate
+    that did not match the expected server name pattern.
+
+-------------------------------------------------------------------
+Sun Aug  3 20:30:23 UTC 2025 - Arjen de Korte <suse+build@de-korte.org>
+
+- update to 3.10.3
+  * Bugfix (defect introduced: Postfix-3.10, date 20250117): include
+    the current TLS security level in the SMTP connection cache  
+    lookup key for lookups by next-hop destination, to avoid reusing
+    the same SMTP connection when sending messages with and without 
+    a "TLS-Required: no" header. Likewise, include the current TLS 
+    security level in the TLS session lookup key, to avoid reusing
+    the same TLS session info when sending messages with and without
+    a "TLS-Required: no" header.
+  * Bugfix (defect introduced: Postfix-3.10, date 20250117): the  
+    Postfix SMTP client attempted to look up TLSA records even with
+    "TLS-Required: no". This could result in unnecessary failures.
+
 -------------------------------------------------------------------
 Mon Jun  2 10:41:43 UTC 2025 - Peter Varkoly <varkoly@suse.com>

--- a/postfix.spec
+++ b/postfix.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package postfix
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -21,6 +21,8 @@
 %define pf_daemon_directory  %{_prefix}/lib/%{name}/bin/
 %define _libexecdir          %{_prefix}/lib
 %define pf_shlib_directory   %{_prefix}/lib/%{name}
+%define pf_meta_directory    %{_prefix}/lib/%{name}
+%define pf_systemd_directory %{_prefix}/lib/%{name}/systemd
 %define pf_command_directory %{_sbindir}
 %define pf_queue_directory   var/spool/%{name}
 %define pf_sendmail_path     %{_sbindir}/sendmail
@@ -33,12 +35,7 @@
 %define pf_data_directory    %{_localstatedir}/lib/%{name}
 %define pf_database_convert  %{_rundir}/%{name}-needs-convert
 %define mail_group           mail
-%define conf_backup_dir      %{_localstatedir}/adm/backup/%{name}
 %define unitdir %{_prefix}/lib/systemd
-#Compat macro for new _fillupdir macro introduced in Nov 2017
-%if ! %{defined _fillupdir}
-  %define _fillupdir %{_localstatedir}/adm/fillup-templates
-%endif
 %if 0%{?suse_version} < 1599
 %bcond_without libnsl
 %else
@@ -46,7 +43,7 @@
 %endif
 %bcond_without ldap
 Name:           postfix
-Version:        3.10.2
+Version:        3.10.7
 Release:        0
 Summary:        A fast, secure, and flexible mailer
 License:        EPL-2.0 OR IPL-1.0
@@ -57,15 +54,13 @@ Source1:        https://de.postfix.org/ftpmirror/official/postfix-%{version}.tar
 Source2:        %{name}-SUSE.tar.gz
 Source3:        %{name}-mysql.tar.bz2
 Source4:        postfix.keyring
-Source10:       %{name}-rpmlintrc
+Source10:       postfix-rpmlintrc
 Source11:       check_mail_queue
 Source12:       postfix-user.conf
 Source13:       postfix-vmail-user.conf
 Patch1:         %{name}-no-md5.patch
 Patch2:         pointer_to_literals.patch
 Patch3:         ipv6_disabled.patch
-Patch4:         %{name}-main.cf.patch
-Patch5:         %{name}-master.cf.patch
 Patch6:         %{name}-linux45.patch
 Patch7:         %{name}-ssl-release-buffers.patch
 Patch8:         %{name}-vda-v14-3.0.3.patch
@@ -93,9 +88,8 @@ BuildRequires:  zlib-devel
 BuildRequires:  pkgconfig(systemd)
 Requires:       iproute2
 Requires(post): permissions
-Requires(pre):  %fillup_prereq
+
 Requires(pre):  group(%{mail_group})
-Requires(pre):  permissions
 Requires(pre):  user(nobody)
 Conflicts:      exim
 Conflicts:      postfix-bdb
@@ -115,14 +109,9 @@ BuildRequires:  libnsl-devel
 Requires:       /usr/bin/cmp
 # /usr/lib/postfix/bin//post-install: line 667: ed: command not found
 Requires(pre):  /usr/bin/ed
-Requires(preun):/usr/bin/ed
+Requires(preun): /usr/bin/ed
 Requires(post): /usr/bin/ed
-Requires(postun):/usr/bin/ed
-# /usr/sbin/config.postfix needs perl
-Requires(pre):  perl
-Requires(preun):perl
-Requires(post): perl
-Requires(postun):perl
+Requires(postun): /usr/bin/ed

 %description
 Postfix aims to be an alternative to the widely-used sendmail program.
@@ -149,7 +138,6 @@ This package contains the documentation for %{name}
 Summary:        Postfix plugin to support MySQL maps
 Group:          Productivity/Networking/Email/Servers
 Requires(pre):  %{name} = %{version}
-%sysusers_requires
 %if 0%{?suse_version} < 1550
 Provides:       group(vmail)
 %endif
@@ -191,10 +179,6 @@ unset AUXLIBS AUXLIBS_LDAP AUXLIBS_PCRE AUXLIBS_MYSQL AUXLIBS_PGSQL AUXLIBS_SQLI

 export CCARGS="${CCARGS} %{optflags} -fcommon -Wno-comments -Wno-missing-braces -fPIC"

-%if 0%{?suse_version} >= 1600
-export CCARGS="${CCARGS} -std=gnu17"
-%endif
-
 %ifarch s390 s390x ppc
 export CCARGS="${CCARGS} -fsigned-char"
 %endif
@@ -273,14 +257,12 @@ export PIE=-pie
 %install
 mkdir -p %{buildroot}/%{_libdir}
 mkdir -p %{buildroot}%{_sysconfdir}/%{name}
-# create our default postfix ssl DIR (/etc/postfix/ssl)
-mkdir -p %{buildroot}%{_sysconfdir}/%{name}/ssl/certs
-# link cacerts to /etc/ssl/certs
-ln -s ../../ssl/certs %{buildroot}%{_sysconfdir}/%{name}/ssl/cacerts
 cp lib/lib%{name}-*  %{buildroot}/%{_libdir}
 export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:%{buildroot}/%{_libdir}
 sh postfix-install -non-interactive \
       install_root=%{buildroot} \
+       shlib_directory=%{_prefix}/lib/%{name} \
+       meta_directory=%{_prefix}/lib/%{name} \
       config_directory=%{pf_config_directory} \
       daemon_directory=%{pf_daemon_directory} \
       command_directory=%{pf_command_directory} \
@@ -300,7 +282,6 @@ mkdir -p %{buildroot}/sbin/conf.d
 mkdir -p %{buildroot}%{_sysconfdir}/permissions.d
 mkdir -p %{buildroot}/%{_libdir}/sasl2
 mkdir -p %{buildroot}%{_sbindir}
-mkdir -p %{buildroot}/%{conf_backup_dir}
 mkdir -p %{buildroot}/%{pf_sample_directory}
 mkdir -p %{buildroot}/%{pf_html_directory}
 mkdir -p %{buildroot}%{_includedir}/%{name}
@@ -314,46 +295,8 @@ mkdir -p %{buildroot}%{_includedir}/%{name}
 mkdir -p %{buildroot}/%{pf_queue_directory}
 mkdir -p %{buildroot}/var/spool/mail
 ln -s spool/mail %{buildroot}/var/mail
-mkdir -p %{buildroot}%{_fillupdir}
-sed -e 's;@lib@;%{_lib};g' %{name}-SUSE/sysconfig.%{name} > %{buildroot}%{_fillupdir}/sysconfig.%{name}
-install -pm 0644 %{name}-SUSE/sysconfig.mail-%{name} %{buildroot}%{_fillupdir}/sysconfig.mail-%{name}
-sed -e 's;@lib@;%{_lib};g' \
-    -e 's;@conf_backup_dir@;%{conf_backup_dir};' \
-    -e 's;@daemon_directory@;%{pf_daemon_directory};' \
-    -e 's;@readme_directory@;%{pf_readme_directory};' \
-    -e 's;@html_directory@;%{pf_html_directory};' \
-    -e 's;@sendmail_path@;%{pf_sendmail_path};' \
-    -e 's;@setgid_group@;%{pf_setgid_group};' \
-    -e 's;@manpage_directory@;%{_mandir};' \
-    -e 's;@newaliases_path@;%{pf_newaliases_path};' \
-    -e 's;@sample_directory@;%{pf_sample_directory};' \
-    -e 's;@mailq_path@;%{pf_mailq_path};' %{name}-SUSE/config.%{name} > %{buildroot}%{_sbindir}/config.%{name}
-chmod 0755 %{buildroot}%{_sbindir}/config.%{name}
-install -pm 0644 %{name}-SUSE/ldap_aliases.cf %{buildroot}%{_sysconfdir}/%{name}/ldap_aliases.cf
-install -pm 0644 %{name}-SUSE/helo_access %{buildroot}%{_sysconfdir}/%{name}/helo_access
-install -pm 0644 %{name}-SUSE/permissions %{buildroot}%{_sysconfdir}/permissions.d/%{name}
-install -pm 0644 %{name}-SUSE/sender_canonical %{buildroot}%{_sysconfdir}/%{name}/sender_canonical
-install -pm 0644 %{name}-SUSE/relay %{buildroot}%{_sysconfdir}/%{name}/relay
-install -pm 0644 %{name}-SUSE/relay_ccerts %{buildroot}%{_sysconfdir}/%{name}/relay_ccerts
-install -pm 0644 %{name}-SUSE/relay_recipients %{buildroot}%{_sysconfdir}/%{name}/relay_recipients
-install -pm 0600 %{name}-SUSE/sasl_passwd %{buildroot}%{_sysconfdir}/%{name}/sasl_passwd
 mkdir -p %{buildroot}%{_sysconfdir}/sasl2
 install -pm 0600 %{name}-SUSE/smtpd.conf %{buildroot}%{_sysconfdir}/sasl2/smtpd.conf
-install -pm 0644 %{name}-SUSE/openssl_%{name}.conf.in %{buildroot}%{_sysconfdir}/%{name}/openssl_%{name}.conf.in
-install -pm 0755 %{name}-SUSE/mk%{name}cert %{buildroot}%{_sbindir}/mk%{name}cert
-{
-cat<<EOF
-#
-# -----------------------------------------------------------------------
-# NOTE: Many parameters have already been added to the end of this file
-#       by config.postfix. So take care that you don't uncomment
-#       and set a parameter without checking whether it has been added
-#       to the end of this file.
-# -----------------------------------------------------------------------
-#
-EOF
-cat conf/main.cf
-} > %{buildroot}%{_sysconfdir}/%{name}/main.cf
 %{buildroot}%{_sbindir}/postconf -c %{buildroot}%{_sysconfdir}/%{name} \
        -e "manpage_directory = %{_mandir}" \
           "setgid_group      = %{pf_setgid_group}" \
@@ -369,6 +312,8 @@ cat conf/main.cf
 	   "disable_vrfy_command = yes" \
 	   'smtpd_banner      = $myhostname ESMTP'
 #Set Permissions
+install -pm 0644 %{name}-SUSE/permissions %{buildroot}%{_sysconfdir}/permissions.d/%{name}
+install -pm 0644 %{name}-SUSE/permissions.paranoid %{buildroot}%{_sysconfdir}/permissions.d/%{name}.paranoid
 sed -i	-e 's/\(.*ldap.*\)/#\1/g' \
 	-e 's/\(.*mysql.*\)/#\1/g' \
 	-e 's/\(.*pgsql.*\)/#\1/g' \
@@ -376,14 +321,11 @@ sed -i	-e 's/\(.*ldap.*\)/#\1/g' \
 	-e '/html_directory/d' \
 	-e '/manpage_directory/d' \
 	-e '/readme_directory/d' \
-	%{buildroot}%{pf_shlib_directory}/postfix-files
-mkdir -p %{buildroot}%{pf_shlib_directory}/postfix-files.d
+	%{buildroot}%{pf_meta_directory}/postfix-files
+mkdir -p %{buildroot}%{pf_meta_directory}/postfix-files.d
 # postfix-mysql
 install -pm 0644 %{name}-mysql/main.cf-mysql %{buildroot}%{_sysconfdir}/%{name}/main.cf-mysql
 install -pm 0640 %{name}-mysql/*_maps.cf     %{buildroot}%{_sysconfdir}/%{name}/
-# create paranoid permissions file
-printf '%%-38s %%-18s %%s\n' %{_sbindir}/postdrop "root.%{pf_setgid_group}" "0755" >> %{buildroot}%{_sysconfdir}/permissions.d/%{name}.paranoid
-printf '%%-38s %%-18s %%s\n' %{_sbindir}/postqueue "root.%{pf_setgid_group}" "0755" >> %{buildroot}%{_sysconfdir}/permissions.d/%{name}.paranoid
 install -pm 0644 include/*.h %{buildroot}%{_includedir}/%{name}/
 # some rpmlint stuff
 # remove unneeded examples/chroot-setup
@@ -400,13 +342,9 @@ mantools/srctoman - auxiliary/qshape/qshape.pl > %{buildroot}%{_mandir}/man1/qsh
 # Fix build for Leap 42.3.
 rm -f %{buildroot}%{_sysconfdir}/%{name}/*.orig
 mkdir -p %{buildroot}%{_unitdir}/mail-transfer-agent.target.wants/
-mkdir -p %{buildroot}%{pf_shlib_directory}/systemd
+mkdir -p %{buildroot}%{pf_systemd_directory}
 install -pm 0644 %{name}-SUSE/%{name}.service         %{buildroot}%{_unitdir}/%{name}.service
-install -pm 0755 %{name}-SUSE/config_%{name}.systemd  %{buildroot}%{pf_shlib_directory}/systemd/config_%{name}
-install -pm 0755 %{name}-SUSE/update_chroot.systemd   %{buildroot}%{pf_shlib_directory}/systemd/update_chroot
-install -pm 0755 %{name}-SUSE/update_postmaps.systemd %{buildroot}%{pf_shlib_directory}/systemd/update_postmaps
-install -pm 0755 %{name}-SUSE/wait_qmgr.systemd       %{buildroot}%{pf_shlib_directory}/systemd/wait_qmgr
-install -pm 0755 %{name}-SUSE/cond_slp.systemd        %{buildroot}%{pf_shlib_directory}/systemd/cond_slp
+install -pm 0755 %{name}-SUSE/wait_qmgr.systemd       %{buildroot}%{pf_systemd_directory}/wait_qmgr
 %if 0%{?suse_version} < 1599
 ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
 %endif
@@ -423,13 +361,13 @@ do
 done

 # create dynamicmaps.cf.d entries for optional modules
-sed -n -e '/^#/p' -e '/mysql/p' %{buildroot}%{pf_shlib_directory}/dynamicmaps.cf > %{buildroot}%{pf_shlib_directory}/dynamicmaps.cf.d/%{name}-mysql.cf
-sed -i -e '/mysql/d' %{buildroot}%{pf_shlib_directory}/dynamicmaps.cf
-sed -n -e '/^#/p' -e '/pgsql/p' %{buildroot}%{pf_shlib_directory}/dynamicmaps.cf > %{buildroot}%{pf_shlib_directory}/dynamicmaps.cf.d/%{name}-pgsql.cf
-sed -i -e '/pgsql/d' %{buildroot}%{pf_shlib_directory}/dynamicmaps.cf
+sed -n -e '/^#/p' -e '/mysql/p' %{buildroot}%{pf_meta_directory}/dynamicmaps.cf > %{buildroot}%{pf_meta_directory}/dynamicmaps.cf.d/%{name}-mysql.cf
+sed -i -e '/mysql/d' %{buildroot}%{pf_meta_directory}/dynamicmaps.cf
+sed -n -e '/^#/p' -e '/pgsql/p' %{buildroot}%{pf_meta_directory}/dynamicmaps.cf > %{buildroot}%{pf_meta_directory}/dynamicmaps.cf.d/%{name}-pgsql.cf
+sed -i -e '/pgsql/d' %{buildroot}%{pf_meta_directory}/dynamicmaps.cf
 %if %{with ldap}
-sed -n -e '/^#/p' -e "/ldap/p" %{buildroot}%{pf_shlib_directory}/dynamicmaps.cf > %{buildroot}%{pf_shlib_directory}/dynamicmaps.cf.d/%{name}-ldap.cf
-sed -i -e '/ldap/d' %{buildroot}%{pf_shlib_directory}/dynamicmaps.cf
+sed -n -e '/^#/p' -e "/ldap/p" %{buildroot}%{pf_meta_directory}/dynamicmaps.cf > %{buildroot}%{pf_meta_directory}/dynamicmaps.cf.d/%{name}-ldap.cf
+sed -i -e '/ldap/d' %{buildroot}%{pf_meta_directory}/dynamicmaps.cf
 %endif

 install -m 755 %{SOURCE11} %{buildroot}%{_sbindir}/
@@ -439,71 +377,28 @@ install -m 644 %{SOURCE13} %{buildroot}%{_sysusersdir}/

 # posttls-finger is built but not installed
 install -m 755 bin/posttls-finger %{buildroot}%{_sbindir}/
-
 # ---------------------------------------------------------------------------

 %pre -f postfix.pre
-# If existing default database type is hash, we need to convert the
-# databases because hash (and btree) is no longer supported after
-# the upgrade
-if [ -x %{_sbindir}/postconf ]; then
-	DEF_DB_TYPE=$(postconf default_database_type)
-	case $DEF_DB_TYPE in *hash)
-		touch %{pf_database_convert}
-	esac
-fi
 %service_add_pre %{name}.service

 %preun
 %service_del_preun %{name}.service

 %post
-# We never have to run suseconfig for postfix after installation
-# We only start postfix own upgrade-configuration by update
-#
-# If the default database type of the previous installation was
-# hash, we also need to rebuild the databases in the new lmdb
-# format
-if [ ${1:-0} -gt 1 ]; then
-	touch %{_localstatedir}/adm/%{name}.configured
-	echo "Executing upgrade-configuration."
-	%{_sbindir}/%{name} set-permissions upgrade-configuration setgid_group=%{pf_setgid_group} || :
-	if [ "$(%{_sbindir}/postconf -h daemon_directory)" != "%{pf_daemon_directory}" ]; then
-		%{_sbindir}/postconf daemon_directory=%{pf_daemon_directory}
-	fi
-	if [ -e %{pf_database_convert} ]; then
-		sed -i -E "s/(btree|hash):/lmdb:/g" %{pf_config_directory}/{main.cf,master.cf}
-		for i in $(find %{pf_config_directory} -name "*.db"); do
-			postmap ${i%.db}
-		done
-		for i in $(find %{_sysconfdir}/aliases.d/ -name "*.db"); do
-			postalias ${i%.db}
-		done
-		if [ -e %{_sysconfdir}/aliases.db ]; then
-			postalias %{_sysconfdir}/aliases
-		fi
-		rm %{pf_database_convert}
-	fi
-fi
+%service_add_post %{name}.service
 %set_permissions %{_sbindir}/postdrop
 %set_permissions %{_sbindir}/postlog
 %set_permissions %{_sbindir}/postqueue
-%set_permissions %{_sysconfdir}/%{name}/sasl_passwd
-%set_permissions %{_sbindir}/sendmail
-%{fillup_only postfix}
-%{fillup_only -an mail}
-%service_add_post %{name}.service
+
+%verifyscript
+%verify_permissions %{_sbindir}/postdrop
+%verify_permissions %{_sbindir}/postlog
+%verify_permissions %{_sbindir}/postqueue

 %postun
 %service_del_postun %{name}.service

-%verifyscript
-%verify_permissions -e %{_sbindir}/postdrop
-%verify_permissions -e %{_sbindir}/postlog
-%verify_permissions -e %{_sbindir}/postqueue
-%verify_permissions -e %{_sysconfdir}/%{name}/sasl_passwd
-%verify_permissions -e %{_sbindir}/sendmail
-
 # ---------------------------------------------------------------------------

 %pre    mysql -f vmail.pre
@@ -520,50 +415,35 @@ fi
 %files
 %license LICENSE TLS_LICENSE
 %doc RELEASE_NOTES
+%exclude %{_sysconfdir}/%{name}/*mysql*
+%exclude %{_sysconfdir}/%{name}/LICENSE
+%exclude %{_sysconfdir}/%{name}/TLS_LICENSE
+%exclude %{_mandir}/man5/ldap_table.5*
+%exclude %{_mandir}/man5/mysql_table.5*
+%exclude %{_mandir}/man5/pgsql_table.5*
 %if 0%{?suse_version} >= 1600
 %{_pam_vendordir}/smtp
 %else
 %config %{_sysconfdir}/pam.d/*
 %endif
-%{_fillupdir}/sysconfig.%{name}
-%{_fillupdir}/sysconfig.mail-%{name}
 %dir %{_sysconfdir}/%{name}
-%config %{_sysconfdir}/%{name}/main.cf.default
-%config(noreplace) %{_sysconfdir}/%{name}/[^mysql]*[^mysql]
-%config(noreplace) %{_sysconfdir}/%{name}/access
-%config(noreplace) %{_sysconfdir}/%{name}/aliases
-%config(noreplace) %{_sysconfdir}/%{name}/canonical
-%config(noreplace) %{_sysconfdir}/%{name}/header_checks
-%config(noreplace) %{_sysconfdir}/%{name}/helo_access
-%config(noreplace) %{_sysconfdir}/%{name}/main.cf
-%config(noreplace) %{_sysconfdir}/%{name}/master.cf
-%config(noreplace) %{_sysconfdir}/%{name}/relay
-%config(noreplace) %{_sysconfdir}/%{name}/relay_ccerts
-%config(noreplace) %{_sysconfdir}/%{name}/relay_recipients
-%config(noreplace) %{_sysconfdir}/%{name}/sasl_passwd
-%config(noreplace) %{_sysconfdir}/%{name}/sender_canonical
-%config(noreplace) %{_sysconfdir}/%{name}/virtual
+%config(noreplace) %{_sysconfdir}/%{name}/*
 %ghost %attr(0644,root,root) %{_sysconfdir}/%{name}/*.lmdb
 %ghost %attr(0644,root,root) %{_sysconfdir}/aliases.lmdb
 %dir %{_sysconfdir}/sasl2
 %config(noreplace) %{_sysconfdir}/sasl2/smtpd.conf
-%exclude %{_sysconfdir}/%{name}/LICENSE
-%exclude %{_sysconfdir}/%{name}/TLS_LICENSE
 %config %{_sysconfdir}/permissions.d/%{name}
 %config %{_sysconfdir}/permissions.d/%{name}.paranoid
-%{pf_shlib_directory}/%{name}-files
-# create our default postfix ssl DIR (/etc/postfix/ssl)
-%dir %{_sysconfdir}/%{name}/ssl
-%dir %{_sysconfdir}/%{name}/ssl/certs
-%{_sysconfdir}/%{name}/ssl/cacerts
-%dir %{pf_shlib_directory}/systemd
-%attr(0755,root,root) %{pf_shlib_directory}/systemd/*
+%{pf_meta_directory}/%{name}-files
+%dir %{pf_systemd_directory}
+%attr(0755,root,root) %{pf_systemd_directory}/*
 %{_unitdir}/%{name}.service
 %{_unitdir}/mail-transfer-agent.target.wants
+%{_bindir}/mailq
+%{_bindir}/newaliases
 %verify(not mode) %attr(2755,root,%{pf_setgid_group}) %{_sbindir}/postdrop
 %verify(not mode) %attr(2755,root,%{pf_setgid_group}) %{_sbindir}/postlog
 %verify(not mode) %attr(2755,root,%{pf_setgid_group}) %{_sbindir}/postqueue
-%{_bindir}/*
 %attr(0755,root,root) %{_sbindir}/sendmail
 %attr(0755,root,root) %{_sbindir}/postalias
 %attr(0755,root,root) %{_sbindir}/postcat
@@ -579,9 +459,7 @@ fi
 %attr(0755,root,root) %{_sbindir}/qmqp-source
 %attr(0755,root,root) %{_sbindir}/smtp-sink
 %attr(0755,root,root) %{_sbindir}/smtp-source
-%attr(0755,root,root) %{_sbindir}/mk%{name}cert
 %attr(0755,root,root) %{_sbindir}/check_mail_queue
-%attr(0755,root,root) %{_sbindir}/config.%{name}
 %if 0%{?suse_version} < 1599
 %{_sbindir}/rc%{name}
 %endif
@@ -595,20 +473,16 @@ fi
 %{pf_shlib_directory}/lib%{name}-master.so
 %{pf_shlib_directory}/lib%{name}-tls.so
 %{pf_shlib_directory}/lib%{name}-util.so
-%{pf_shlib_directory}/dynamicmaps.cf
-%{pf_shlib_directory}/main.cf.proto
-%{pf_shlib_directory}/makedefs.out
-%{pf_shlib_directory}/master.cf.proto
+%{pf_meta_directory}/dynamicmaps.cf
+%{pf_meta_directory}/main.cf.proto
+%{pf_meta_directory}/makedefs.out
+%{pf_meta_directory}/master.cf.proto
 %dir %{pf_daemon_directory}
 %{pf_daemon_directory}/*
-%dir %{pf_shlib_directory}/dynamicmaps.cf.d
-%dir %{pf_shlib_directory}/postfix-files.d
+%dir %{pf_meta_directory}/dynamicmaps.cf.d
+%dir %{pf_meta_directory}/postfix-files.d

-%{conf_backup_dir}
 %dir %attr(0700,%{name},root) %{pf_data_directory}
-%exclude %{_mandir}/man5/ldap_table.5*
-%exclude %{_mandir}/man5/mysql_table.5*
-%exclude %{_mandir}/man5/pgsql_table.5*
 %{_mandir}/man?/*%{?ext_man}
 %dir %attr(0755,root,root) /%{pf_queue_directory}
 %dir %attr(0755,root,root) /%{pf_queue_directory}/pid
@@ -625,9 +499,9 @@ fi
 %dir %attr(0700,%{name},root) /%{pf_queue_directory}/trace
 %dir %attr(0730,%{name},maildrop) /%{pf_queue_directory}/maildrop
 %dir %attr(0710,%{name},maildrop) /%{pf_queue_directory}/public
-%dir %attr(1777,root,root) /var/spool/mail
-/var/mail
 %{_sysusersdir}/postfix-user.conf
+/var/mail
+/var/spool/mail

 %files devel
 %{_includedir}/%{name}/
@@ -641,20 +515,19 @@ fi
 %config(noreplace) %attr(640, root, %{name}) %{_sysconfdir}/%{name}/*_maps.cf
 %config(noreplace) %{_sysconfdir}/%{name}/main.cf-mysql
 %{pf_shlib_directory}/%{name}-mysql.so
-%{pf_shlib_directory}/dynamicmaps.cf.d/%{name}-mysql.cf
+%{pf_meta_directory}/dynamicmaps.cf.d/%{name}-mysql.cf
 %{_mandir}/man5/mysql_table.5%{?ext_man}
 %{_sysusersdir}/postfix-vmail-user.conf

 %files postgresql
 %{pf_shlib_directory}/%{name}-pgsql.so
-%{pf_shlib_directory}/dynamicmaps.cf.d/%{name}-pgsql.cf
+%{pf_meta_directory}/dynamicmaps.cf.d/%{name}-pgsql.cf
 %{_mandir}/man5/pgsql_table.5%{?ext_man}

 %if %{with ldap}
 %files ldap
-%config(noreplace) %{_sysconfdir}/%{name}/ldap_aliases.cf
 %{pf_shlib_directory}/%{name}-ldap.so
-%{pf_shlib_directory}/dynamicmaps.cf.d/%{name}-ldap.cf
+%{pf_meta_directory}/dynamicmaps.cf.d/%{name}-ldap.cf
 %{_mandir}/man5/ldap_table.5%{?ext_man}
 %endif
Author	SHA256	Message	Date
Ana Guerrero	d226bdcd77	Accepting request 1328660 from server:mail - Do not strip binaries at all - also drop " -s " from the CCARGS to prevent stripping there - Re-add dropped change: - fix postfix-SUSE.tar.gz, postfix.service: correct path for postalias from /sbin/postalias to /usr/sbin/postalias - Don't fail strip on non-existing files (easy hack to fix 32bit builds). - Do not strip binaries at all - also drop " -s " from the CCARGS to prevent stripping there - Re-add dropped change: - fix postfix-SUSE.tar.gz, postfix.service: correct path for postalias from /sbin/postalias to /usr/sbin/postalias OBS-URL: https://build.opensuse.org/request/show/1328660 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/postfix?expand=0&rev=261	2026-01-23 16:31:48 +00:00
Marcus Rueckert	c1cf3ad407	- also drop " -s " from the CCARGS to prevent stripping there - also drop " -s " from the CCARGS to prevent stripping there OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=554	2026-01-22 11:10:32 +00:00
Marcus Rueckert	86c74641a6	- Do not strip binaries at all - Re-add dropped change: - fix postfix-SUSE.tar.gz, postfix.service: correct path for postalias from /sbin/postalias to /usr/sbin/postalias - Don't fail strip on non-existing files (easy hack to fix 32bit builds). - Do not strip binaries at all OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=553	2026-01-22 11:00:33 +00:00
Ana Guerrero	2fa940886d	- Re-add dropped change: - fix postfix-SUSE.tar.gz, postfix.service: correct path for postalias from /sbin/postalias to /usr/sbin/postalias OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=552	2026-01-22 10:14:57 +00:00
Ana Guerrero	be924eb0b8	Accepting request 1328436 from server:mail - Don't fail strip on non-existing files (easy hack to fix 32bit builds). - (jsc#PED-14859) Fix packages for Immutable Mode - postfix (forwarded request 1328433 from dimstar) OBS-URL: https://build.opensuse.org/request/show/1328436 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/postfix?expand=0&rev=260	2026-01-21 13:14:31 +00:00
Dominique Leuenberger	98e8e29d85	- Don't fail strip on non-existing files (easy hack to fix 32bit builds). - (jsc#PED-14859) Fix packages for Immutable Mode - postfix OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=550	2026-01-21 07:51:19 +00:00
Peter Varkoly	fb8d0d55dd	- fix (bsc#1256462) [Build 12.10] openQA test fails in mta: Failed to start postfix.service Remove postfix set-permisson from all spaces - Strip binaries - fix (bsc#1256462) [Build 12.10] openQA test fails in mta: Failed to start postfix.service Remove postfix set-permisson from all spaces - Strip binaries OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=549	2026-01-20 20:23:32 +00:00
Ana Guerrero	78d8198753	Accepting request 1327227 from server:mail - (jsc#PED-14859) Fix packages for Immutable Mode - postfix - Put /etc/permissions.d/postfix.paranoid into the postfix-SUSE.tar.gz - fix postfix-SUSE.tar.gz, postfix.service: correct path for postalias from /sbin/postalias to /usr/sbin/postalias - update to 3.10.7 * This patch addresses build errors on recent Linux distributions. With the patch, Postfix builds will run the compiler with a backwards compatibility option that is supported by Gcc and Clang. For other compilers, an error message provides hints. - Add /var/spool/mail to the permissions.d drop-in. This directory used to be whitelisted globally in the permissions package but an update for the exim mail server changed that (bsc#1254597 bsc#1240755). - Reintroduce permissions.d/postfix-paranoid drop-in that was removed in r534. - postfix is unable to send mail by default (bsc#1253775) o Clean up the package * Get rid of config.postfix script to avoid unintentional changes of the configuration. The sysconfig files mail and postfix were removed also. * Deliver the original main.cf and master.cf * Remove a lot of deprecated stuff from the package. * Remove the ExecStartPre scripts to maintain the postmaps and the chroot environment. * A new ExecStartPre script manages the default alias map which is part of the default configuration of postfix. /sbin/postalias /etc/aliases OBS-URL: https://build.opensuse.org/request/show/1327227 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/postfix?expand=0&rev=259	2026-01-14 15:19:28 +00:00
Peter Varkoly	933be084e3	- fix (bsc#1256462) [Build 12.10] openQA test fails in mta: Failed to start postfix.service Put postfix set-permisson into %post - fix (bsc#1256462) [Build 12.10] openQA test fails in mta: Failed to start postfix.service Put postfix set-permisson into %post OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=547	2026-01-14 14:39:02 +00:00
Peter Varkoly	14c619346c	OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=546	2026-01-14 13:11:45 +00:00
Peter Varkoly	d646fa824a	Fix changes OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=545	2026-01-13 22:40:06 +00:00
Peter Varkoly	f65101426b	Remove bad StartPreExec OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=544	2026-01-13 21:58:57 +00:00
Peter Varkoly	c80ebd392c	- fix (bsc#1256462) [Build 12.10] openQA test fails in mta: Failed to start postfix.service Put postfix set-permisson into %post OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=543	2026-01-13 21:57:16 +00:00
Peter Varkoly	0ef40347d7	- fix (bsc#1256462) [Build 12.10] openQA test fails in mta: Failed to start postfix.service Put postfix set-permisson into %post OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=542	2026-01-13 20:29:20 +00:00
Peter Varkoly	7570232dd5	- (jsc#PED-14859) Fix packages for Immutable Mode - postfix - (jsc#PED-14859) Fix packages for Immutable Mode - postfix OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=541	2025-12-21 20:53:52 +00:00
Peter Varkoly	75cccd4aa2	- Put /etc/permissions.d/postfix.paranoid into the postfix-SUSE.tar.gz - Put /etc/permissions.d/postfix.paranoid into the postfix-SUSE.tar.gz OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=540	2025-12-14 18:47:38 +00:00
Peter Varkoly	586fe82787	- fix postfix-SUSE.tar.gz, postfix.service: correct path for postalias from /sbin/postalias to /usr/sbin/postalias - fix postfix-SUSE.tar.gz, postfix.service: correct path for postalias from /sbin/postalias to /usr/sbin/postalias OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=539	2025-12-14 18:30:47 +00:00
Peter Varkoly	70205cb7cb	- update to 3.10.7 * This patch addresses build errors on recent Linux distributions. With the patch, Postfix builds will run the compiler with a backwards compatibility option that is supported by Gcc and Clang. For other compilers, an error message provides hints. - update to 3.10.7 * This patch addresses build errors on recent Linux distributions. With the patch, Postfix builds will run the compiler with a backwards compatibility option that is supported by Gcc and Clang. For other compilers, an error message provides hints. OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=538	2025-12-11 11:28:06 +00:00
Peter Varkoly	7e07dc866e	- Add /var/spool/mail to the permissions.d drop-in. This directory used to be whitelisted globally in the permissions package but an update for the exim mail server changed that (bsc#1254597 bsc#1240755). - Reintroduce permissions.d/postfix-paranoid drop-in that was removed in r534. - Add /var/spool/mail to the permissions.d drop-in. This directory used to be whitelisted globally in the permissions package but an update for the exim mail server changed that (bsc#1254597 bsc#1240755). - Reintroduce permissions.d/postfix-paranoid drop-in that was removed in r534. OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=537	2025-12-10 16:00:17 +00:00
Peter Varkoly	8ceffd393c	Fix permission stuff OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=536	2025-12-10 13:13:48 +00:00
Peter Varkoly	aae6308621	Adapt changes OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=535	2025-12-08 11:33:53 +00:00
Peter Varkoly	a137672f6f	- postfix is unable to send mail by default (bsc#1253775) o Clean up the package * Get rid of config.postfix script to avoid unintentional changes of the configuration. The sysconfig files mail and postfix were removed also. * Deliver the original main.cf and master.cf * Remove a lot of deprecated stuff from the package. * Remove the ExecStartPre scripts to maintain the postmaps and the chroot environment. * A new ExecStartPre script manages the default alias map which is part of the default configuration of postfix. /sbin/postalias /etc/aliases * Do not use the permissions framework. A new ExecStartPre script takes care of the right permissions: /usr/sbin/postfix set-permissions * Remove mkpostfixcert - postfix is unable to send mail by default (bsc#1253775) o Clean up the package * Get rid of config.postfix script to avoid unintentional changes of the configuration. The sysconfig files mail and postfix were removed also. * Deliver the original main.cf and master.cf * Remove a lot of deprecated stuff from the package. * Remove the ExecStartPre scripts to maintain the postmaps and the chroot environment. * A new ExecStartPre script manages the default alias map which is part of the default configuration of postfix. /sbin/postalias /etc/aliases * Do not use the permissions framework. A new ExecStartPre script takes care of the right permissions: /usr/sbin/postfix set-permissions OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=534	2025-12-08 10:58:57 +00:00
Ana Guerrero	e4dadb5000	Accepting request 1320355 from server:mail OBS-URL: https://build.opensuse.org/request/show/1320355 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/postfix?expand=0&rev=258	2025-11-28 15:50:43 +00:00
Peter Varkoly	b6d140c55b	- update to 3.10.6 * Bugfix (defect introduced: Postfix 3.10, date: 20250117). Symptom: warning messages that smtp_tls_wrappermode requires "smtp_tls_security_level = encrypt". Root cause: support for "TLS-Required: no" broke client-side TLS wrappermode support, by downgrading a connection to TLS security level 'may'. The fix changes the downgrade level for wrappermode connections to 'encrypt'. Rationale: by design, TLS can be optional only for connections that use STARTTLS. The downgrade to unauthenticated 'encrypt' allows a sender to avoid an email delivery problem. Problem reported by Joshua Tyler Cochran. * New logging: the Postfix SMTP client will log a warning when an MX hostname does not match STS policy MX patterns, with "smtp_tls_enforce_sts_mx_patterns = yes" in Postfix, and with TLSRPT support enabled in a TLS policy plugin. It will log a successful match only when verbose logging is enabled. * Bugfix (defect introduced: Postfix 3.10, date: 20240902): SMTP client null pointer crash when an STS policy plugin sends no policy_string or no mx_pattern attributes. This can happen only during tests with a fake STS plugin. * Bugfix (defect introduced: Postfix 2.9, date: 20120307): segfault when a duplicate parameter name is given to "postconf -X" or "postconf -#'. * Documentation: removed incorrect text from the parameter description for smtp_cname_overrides_servername. File: proto/postconf.proto. - update to 3.10.6 * Bugfix (defect introduced: Postfix 3.10, date: 20250117). Symptom: warning messages that smtp_tls_wrappermode requires "smtp_tls_security_level = encrypt". Root cause: support for "TLS-Required: no" broke client-side TLS wrappermode support, by downgrading a connection to TLS security level 'may'. The fix changes the downgrade level for wrappermode connections to 'encrypt'. Rationale: by design, TLS can be optional only for connections that use STARTTLS. The downgrade to unauthenticated 'encrypt' allows a sender to avoid an email delivery problem. Problem reported by Joshua Tyler Cochran. * New logging: the Postfix SMTP client will log a warning when an MX hostname does not match STS policy MX patterns, with "smtp_tls_enforce_sts_mx_patterns = yes" in Postfix, and with TLSRPT support enabled in a TLS policy plugin. It will log a successful match only when verbose logging is enabled. * Bugfix (defect introduced: Postfix 3.10, date: 20240902): SMTP client null pointer crash when an STS policy plugin sends no policy_string or no mx_pattern attributes. This can happen only during tests with a fake STS plugin. * Bugfix (defect introduced: Postfix 2.9, date: 20120307): segfault when a duplicate parameter name is given to "postconf -X" or "postconf -#'. * Documentation: removed incorrect text from the parameter description for smtp_cname_overrides_servername. File: proto/postconf.proto. OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=532	2025-11-27 15:56:38 +00:00
Ana Guerrero	5a7ffca241	Accepting request 1319697 from server:mail OBS-URL: https://build.opensuse.org/request/show/1319697 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/postfix?expand=0&rev=257	2025-11-25 14:52:00 +00:00
Peter Varkoly	c996d2b3fa	- update to 3.10.5 * Workaround for an interface mis-match between the Postfix SMTP client and MTA-STS policy plugins. * The existing behavior is to connect to any MX host listed in DNS, and to match the server certificate against any STS policy MX host pattern. * The corrected behavior is to connect to an MX host only if its name matches any STS policy MX host pattern, and to match the server certificate against the MX hostname. The corrected behavior must be enabled in two places: in Postfix with a new parameter "smtp_tls_enforce_sts_mx_patterns" (default: "yes") and in an MTA-STS plugin by enabling TLSRPT support, so that the plugin forwards STS policy attributes to Postfix. This works even if Postfix TLSRPT support is disabled at build time or at runtime. * TLSRPT Workaround: when a TLSRPT policy-type value is "no-policy-found", pretend that the TLSRPT policy domain value is equal to the recipient domain. This ignores that different policy types (TLSA, STS) use different policy domains. But this is what Microsoft does, and therefore, what other tools expect. * Bugfix (defect introduced: Postfix 3.0): the Postfix SMTP client's connection reuse logic did not distinguish between sessions that require SMTPUTF8 support, and sessions that do not. The solution is 1) to store sessions with different SMTPUTF8 requirements under distinct connection cache storage keys, and 2) to not cache a connection when SMTPUTF8 is required but the server does not support that feature. * Bugfix (defect introduced: Postfix 3.0, date 20140731): the smtpd 'disconnect' command statistics did not count commands with "bad syntax" and "bad UTF-8 syntax" errors. * Bugfix: the August 2025 patch broke DBM library support which is still needed on Solaris; and the same change could result in warnings with "database X is older than source file Y". * Postfix 3.11 forward compatibility: to avoid ugly warnings when Postfix 3.11 is rolled back to an older version, allow a preliminary 'size' record in maildrop queue files created with Postfix 3.11 or later. * Bugfix (defect introduced: Postfix 3.8, date 20220128): non-reproducible build, because the 'postconf -e' output order for new main.cf entries was no longer deterministic. Problem reported by Oleksandr Natalenko, diagnosis by Eray Aslan. * To make builds predictable, add missing meta_directory and shlib_directory settings to the stock main.cf file. Problem diagnosed by Eray Aslan. * Bugfix (defect introduced: Postfix 3.9, date 20230517): posttls-finger(1) logged an incorrectly-formatted port number. Viktor Dukhovni. - rebase postfix-bdb-main.cf.patch - adapt rpmlint o dir-or-file-outside-snapshot OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=530	2025-11-24 10:11:12 +00:00
Ana Guerrero	6e9f9fb39d	Accepting request 1302032 from server:mail OBS-URL: https://build.opensuse.org/request/show/1302032 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/postfix?expand=0&rev=256	2025-09-01 15:16:44 +00:00
Peter Varkoly	0f4d618a6b	Accepting request 1300344 from home:adkorte:branches:server:mail - update to 3.10.4 * Fixes for postscreen(8): - Bugfix (defect introduced: Postfix 2.2, date 20050203): after detecting a lookup table change, and after starting a new postscreen process, the old postscreen process logged an ENOTSOCK error while attempting to accept a connection on a socket that it was no longer listening on. This error was introduced first in the multi_server skeleton code, and was five years later duplicated in the event_server skeleton that was created for postscreen. - Bugfix (defect introduced: Postfix 2.8, date 20101230): after detecting a cache table change and before starting a new postscreen process, the old postscreen process did not close the postscreen_cache_map, and therefore kept an exclusive lock that could prevent a new postscreen process from starting. * Fixes for tlsproxy(8): - Bugfix (defect introduced: Postfix 3.7): incorrect backwards compatible support for the legacy configuration parameters tlsproxy_client_level and tlsproxy_client_policy. This disabled the tlsproxy TLS client role when a legacy parameter was set (instead of the newer tlsproxy_client_security_level or tlsproxy_client_policy_maps). - Bugfix (defect introduced: Postfix 3.4): with the TLS client role disabled by configuration, the tlsproxy daemon dereferenced a null pointer while handling a tlsproxy client request. * Reducing process churn: Postfix daemons no longer automatically restart after a btree:, dbm:, hash:, lmdb:, or sdbm: table file modification time change, when they opened that table for writing. * Portability: deleted an <openssl/engine.h> build dependency, because the feature is being removed from OpenSSL, and Postfix no longer needs it. * Cleanup: with "tls_required_enable = yes", the Postfix SMTP client will no longer maintain TLSRPT statistics for messages that contain a "TLS-Required: no" header. This can prevent TLSRPT notifications for TLSRPT notifications. * Bugfix (defect introduced: Postfix 3.6, date 20200710): Postfix TLS client code logged "Untrusted TLS connection" (wrong) instead of "Trusted TLS connection" (right), for a new or resumed TLS session, when a server offered a trusted (valid PKI trust chain) certificate that did not match the expected server name pattern. OBS-URL: https://build.opensuse.org/request/show/1300344 OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=528	2025-08-30 17:43:47 +00:00
Dominique Leuenberger	aea29ecb92	Accepting request 1298201 from server:mail OBS-URL: https://build.opensuse.org/request/show/1298201 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/postfix?expand=0&rev=255	2025-08-09 17:58:46 +00:00
Peter Varkoly	682d6d2595	- update to 3.10.3 * Bugfix (defect introduced: Postfix-3.10, date 20250117): include the current TLS security level in the SMTP connection cache lookup key for lookups by next-hop destination, to avoid reusing the same SMTP connection when sending messages with and without a "TLS-Required: no" header. Likewise, include the current TLS security level in the TLS session lookup key, to avoid reusing the same TLS session info when sending messages with and without a "TLS-Required: no" header. * Bugfix (defect introduced: Postfix-3.10, date 20250117): the Postfix SMTP client attempted to look up TLSA records even with "TLS-Required: no". This could result in unnecessary failures. OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=526	2025-08-07 18:51:15 +00:00