Dirk Mueller
e9b4a7071e
- update to 3.8.0 * Support to look up DNS SRV records in the Postfix SMTP/LMTP client, Based on code by Tomas Korbar (Red Hat). For example, with "use_srv_lookup = submission" and "relayhost = example.com:submission", the Postfix SMTP client will look up DNS SRV records for _submission._tcp.example.com, and will relay email through the hosts and ports that are specified with those records. * TLS obsolescence: Postfix now treats the "export" and "low" cipher grade settings as "medium". The "export" and "low" grades are no longer supported in OpenSSL 1.1.1, the minimum version required in Postfix 3.6.0 and later. Also, Postfix default settings now exclude deprecated or unused ciphers (SEED, IDEA, 3DES, RC2, RC4, RC5), digest (MD5), key exchange algorithms (DH, ECDH), and public key algorithm (DSS). * Attack resistance: the Postfix SMTP server can now aggregate smtpd_client_*_rate and smtpd_client_*_count statistics by network block instead of by IP address, to raise the bar against a memory exhaustion attack in the anvil(8) server; Postfix TLS support unconditionally disables TLS renegotiation in the middle of an SMTP connection, to avoid a CPU exhaustion attack. * The PostgreSQL client encoding is now configurable with the "encoding" Postfix configuration file attribute. The default is "UTF8". Previously the encoding was hard-coded as "LATIN1", which is not useful in the context of SMTP. * The postconf command now warns for #comment in or after a Postfix parameter value. Postfix programs do not support #comment after other text, and treat that as input. - rebase/refresh patches * pointer_to_literals.patch * postfix-linux45.patch * postfix-master.cf.patch * postfix-ssl-release-buffers.patch * set-default-db-type.patch OBS-URL: https://build.opensuse.org/request/show/1080180 OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=454
32 lines
971 B
Diff
32 lines
971 B
Diff
Index: src/tls/tls_client.c
|
|
===================================================================
|
|
--- src/tls/tls_client.c.orig
|
|
+++ src/tls/tls_client.c
|
|
@@ -693,6 +693,11 @@ TLS_APPL_STATE *tls_client_init(const TL
|
|
SSL_CTX_set_security_level(client_ctx, 0);
|
|
#endif
|
|
|
|
+#ifdef SSL_MODE_RELEASE_BUFFERS
|
|
+ /* Keep memory usage as low as possible */
|
|
+ SSL_CTX_set_mode(client_ctx, SSL_MODE_RELEASE_BUFFERS);
|
|
+#endif
|
|
+
|
|
/*
|
|
* See the verify callback in tls_verify.c
|
|
*/
|
|
Index: src/tls/tls_server.c
|
|
===================================================================
|
|
--- src/tls/tls_server.c.orig
|
|
+++ src/tls/tls_server.c
|
|
@@ -493,6 +493,10 @@ TLS_APPL_STATE *tls_server_init(const TL
|
|
SSL_CTX_set_security_level(sni_ctx, 0);
|
|
#endif
|
|
|
|
+#ifdef SSL_MODE_RELEASE_BUFFERS
|
|
+ /* Keep memory usage as low as possible */
|
|
+ SSL_CTX_set_mode(server_ctx, SSL_MODE_RELEASE_BUFFERS);
|
|
+#endif
|
|
/*
|
|
* See the verify callback in tls_verify.c
|
|
*/
|