forked from pool/postfix

Accepting request 1156371 from home:adkorte:branches:server:mail

- update to 3.9.0
  * As described in DEPRECATION_README, the SMTP server features
    "permit_naked_ip_address", "check_relay_domains", and
    "reject_maps_rbl" have been removed, after they have been logging
    a warning for some 20 years. These features now log a warning
    and return a "server configuration error" response.
  * The MySQL client no longer supports MySQL versions < 4.0. MySQL
    version 4.0 was released in 2003.
  * As covered in DEPRECATION_README, the configuration parameter
    "disable_dns_lookup" and about a dozen TLS-related parameters
    are now officially obsolete. These parameters still work, but
    the postconf command logs warnings that they will be removed
    from Postfix.
  * As covered in DEPRECATION_README, "permit_mx_backup" logs a
    warning that it will be removed from Postfix.
  * In message headers, Postfix now formats numerical days as
    two-digit days, i.e. days 1-9 have a leading zero instead of a
    leading space. This change was made because the RFC 5322 date
    and time specification recommends (i.e. SHOULD) that a single
    space be used in each place that folding white space appears.
    This change avoids a breaking change in the length of a date
    string.
  * The MySQL client default characterset is now configurable with
    the "charset" configuration file attribute. The default is
    "utf8mb4", consistent with the MySQL 8.0 built-in default, but
    different from earlier MySQL versions where the built-in default
    was "latin1".
  * Support to query MongoDB databases, contributed by Hamid Maadani,
    based on earlier code by Stephan Ferraro. See MONGODB_README
    and mongodb_table(5)
  * The RFC 3461 envelope ID is now exported in the local(8) delivery
    agent with the ENVID environment variable, and in the pipe(8)
    delivery agent with the ${envid} command-line attribute.
  * Configurable idle and retry timer settings in the mysql: and
    pgsql: clients. A shorter than default retry timer can speed up
    the recovery after error, when Postfix is configured with only
    one server in the "hosts" attribute. After the code was frozen
    for release, we have learned that Postfix can recover faster
    from some errors when the single server is specified multiple
    times in the "hosts" attribute.
  * Optional Postfix TLS support to request an RFC7250 raw public
    key instead of an X.509 public-key certificate. The configuration
    settings for raw public key support will be ignored when there
    is no raw public key support in the local TLS implementation
    (i.e. Postfix with OpenSSL versions before 3.2). See RELEASE_NOTES
    for more information.
  * Preliminary support for OpenSSL configuration files, primarily
    OpenSSL 1.1.1b and later. This introduces two new parameters
    "tls_config_file" and "tls_config_name", which can be used to
    limit collateral damage from OS distributions that crank up
    security to 11, increasing the number of plaintext email
    deliveries. Details are in the postconf(5) manpage under
    "tls_config_file" and "tls_config_name".
  * With "smtpd_forbid_unauth_pipelining = yes" (the default),
    Postfix defends against multiple "blind" SMTP attacks. This
    feature was back-ported to older stable releases but disabled
    by default.
  * With "smtpd_forbid_bare_newline = normalize" (the default)
    Postfix defends against SMTP smuggling attacks. See RELEASE_NOTES
    for details. This feature was back-ported to older stable
    releases but disabled by default.
  * Prevent outbound SMTP smuggling, where an attacker uses Postfix
    to send email containing a non-standard End-of-DATA sequence,
    to exploit inbound SMTP smuggling at a vulnerable remote SMTP
    server. With "cleanup_replace_stray_cr_lf = yes" (the default),
    the cleanup daemon replaces each stray <CR> or <LF> character
    in message content with a space character. This feature was
    back-ported to older stable releases with identical functionality.
  * The Postfix DNS client now limits the total size of DNS lookup
    results to 100 records; it drops the excess records, and logs
    a warning. This limit is 20x larger than the number of server
    addresses that the Postfix SMTP client is willing to consider
    when delivering mail, and is far below the number of records
    that could cause a tail recursion crash in dns_rr_append() as
    reported by Toshifumi Sakaguchi. This also introduces a similar
    limit on the number of DNS requests that a check_*_*_access
    restriction can make. All this was back-ported to older stable
    releases with identical functionality.
- refreshed patch:
  % postfix-no-md5.patch
- change obsoleted "disable_dns_lookups" to "smtp_dns_support_level"
  % postfix-SUSE.tar.gz
  % postfix-main.cf.patch
  % postfix-master.cf.patch

OBS-URL: https://build.opensuse.org/request/show/1156371
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=481
This commit is contained in:
Dirk Stoecker 2024-05-14 13:19:15 +00:00 committed by Git OBS Bridge
parent b15c7168cb
commit 113e4ff966
12 changed files with 195 additions and 19 deletions
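
An added example, not part of this commit or of Postfix: a scan of a main.cf for the settings the changelog above calls out, namely the three removed restrictions, the two deprecated names, and the three protective defaults when they have been set to "no". The helper name audit_main_cf and the sample file are assumptions; it reads one file and does not look at master.cf "-o" overrides.

```shell
#!/bin/sh
# Added example (not from the commit): scan a main.cf for settings touched by
# the 3.9.0 changes. audit_main_cf is a hypothetical helper name.
# Prints one "file:line: KIND name" per finding; returns 1 if any were found.
audit_main_cf() {
    awk '
    function has_word(s, w) {   # whole-name match; "_" counts as a name char
        return match(" " s " ", "[^A-Za-z0-9_]" w "[^A-Za-z0-9_]") > 0
    }
    function report(kind, name) {
        printf "%s:%d: %s %s\n", FILENAME, FNR, kind, name
        found++
    }
    BEGIN {
        # Removed in 3.9.0: now answered with "server configuration error".
        nrem = split("permit_naked_ip_address check_relay_domains reject_maps_rbl", removed, " ")
        # Still accepted, but logged as scheduled for removal.
        ndep = split("permit_mx_backup disable_dns_lookups", deprecated, " ")
        # Protective defaults; an explicit "no" switches the defence off.
        ngrd = split("smtpd_forbid_unauth_pipelining smtpd_forbid_bare_newline cleanup_replace_stray_cr_lf", guarded, " ")
    }
    /^[ \t]*#/ { next }         # comment lines are not active configuration
    {
        for (i = 1; i <= nrem; i++)
            if (has_word($0, removed[i])) report("REMOVED", removed[i])
        for (i = 1; i <= ndep; i++)
            if (has_word($0, deprecated[i])) report("DEPRECATED", deprecated[i])
        for (i = 1; i <= ngrd; i++)
            if ($0 ~ ("^[ \t]*" guarded[i] "[ \t]*=[ \t]*no[ \t]*$"))
                report("WEAKENED", guarded[i])
    }
    END { exit (found > 0) }
    ' "$1"
}

# Constructed sample configuration, not taken from the package.
sample=$(mktemp)
cat > "$sample" <<'EOF'
smtpd_recipient_restrictions = permit_mynetworks,
    check_relay_domains
disable_dns_lookups = no
# reject_maps_rbl only appears in this comment
smtpd_forbid_bare_newline = no
cleanup_replace_stray_cr_lf = yes
EOF
audit_main_cf "$sample" || echo "review the lines above before upgrading"
rm -f "$sample"
```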

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:4b6e17c826cc438cc3016a9c0a55ea7e77c6cbafba7dd57241d81b690b0e9774
size 4873054

@ -1,7 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (FreeBSD)
iFcDBQBl5ietDAtZDoDKFacRCohlAP9+xzfCths5ZTBLzZJwDMI8hFS+1oDXOC4C
1z1Zh0OKtgD/T7DfIIG3MjyGAC/oqUD7ssjUZapz6XRu/fhSiOK1NU8=
=v0k3
-----END PGP SIGNATURE-----

postfix-3.9.0.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

postfix-3.9.0.tar.gz.asc Normal file

@ -0,0 +1,7 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (FreeBSD)
iFcDBQBl6JfdDAtZDoDKFacRCspDAP9CWwo61cuT1VgMaP+TrcP5izmrJSRxLMJN
ubLPqIcYZAD9FM/D0BP7oUAbxDEY5vF3qWiayCJehlEmspmTg+xeYG8=
=dY5B
-----END PGP SIGNATURE-----
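
Review bot: the new detached signature in postfix-3.9.0.tar.gz.asc is the only reviewable integrity evidence for this update, because the tarball itself is stored in Git LFS and shown as "Binary file not shown". Please confirm that the spec lists this .asc next to a keyring source so the build verifies the 3.9.0 tarball, and that the signature validates with the same key as the signature file removed above.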

postfix-SUSE.tar.gz (Stored with Git LFS)

Binary file not shown.

@ -1,3 +1,91 @@
-------------------------------------------------------------------
Thu Mar 7 18:42:30 UTC 2024 - Arjen de Korte <suse+build@de-korte.org>
- update to 3.9.0
* As described in DEPRECATION_README, the SMTP server features
"permit_naked_ip_address", "check_relay_domains", and
"reject_maps_rbl" have been removed, after they have been logging
a warning for some 20 years. These features now log a warning
and return a "server configuration error" response.
* The MySQL client no longer supports MySQL versions < 4.0. MySQL
version 4.0 was released in 2003.
* As covered in DEPRECATION_README, the configuration parameter
"disable_dns_lookup" and about a dozen TLS-related parameters
are now officially obsolete. These parameters still work, but
the postconf command logs warnings that they will be removed
from Postfix.
* As covered in DEPRECATION_README, "permit_mx_backup" logs a
warning that it will be removed from Postfix.
* In message headers, Postfix now formats numerical days as
two-digit days, i.e. days 1-9 have a leading zero instead of a
leading space. This change was made because the RFC 5322 date
and time specification recommends (i.e. SHOULD) that a single
space be used in each place that folding white space appears.
This change avoids a breaking change in the length of a date
string.
* The MySQL client default characterset is now configurable with
the "charset" configuration file attribute. The default is
"utf8mb4", consistent with the MySQL 8.0 built-in default, but
different from earlier MySQL versions where the built-in default
was "latin1".
* Support to query MongoDB databases, contributed by Hamid Maadani,
based on earlier code by Stephan Ferraro. See MONGODB_README
and mongodb_table(5)
* The RFC 3461 envelope ID is now exported in the local(8) delivery
agent with the ENVID environment variable, and in the pipe(8)
delivery agent with the ${envid} command-line attribute.
* Configurable idle and retry timer settings in the mysql: and
pgsql: clients. A shorter than default retry timer can sped up
the recovery after error, when Postfix is configured with only
one server in the "hosts" attribute. After the code was frozen
for release, we have learned that Postfix can recover faster
from some errors when the single server is specified multiple
times in the "hosts" attribute.
* Optional Postfix TLS support to request an RFC7250 raw public
key instead of an X.509 public-key certificate. The configuration
settings for raw key public support will be ignored when there
is no raw public key support in the local TLS implementation
(i.e. Postfix with OpenSSL versions before 3.2). See RELEASE_NOTES
for more information.
* Preliminary support for OpenSSL configuration files, primarily
OpenSSL 1.1.1b and later. This introduces two new parameters
"tls_config_file" and "tls_config_name", which can be used to
limit collateral damage from OS distributions that crank up
security to 11, increasing the number of plaintext email
deliveries. Details are in the postconf(5) manpage under
"tls_config_file" and "tls_config_name".
* With "smtpd_forbid_unauth_pipelining = yes" (the default),
Postfix defends against multiple "blind" SMTP attacks. This
feature was back-ported to older stable releases but disabled
by default.
* With "smtpd_forbid_bare_newline = normalize" (the default)
Postfix defends against SMTP smuggling attacks. See RELEASE_NOTES
for details. This feature was back-ported to older stable
releases but disabled by default.
* Prevent outbound SMTP smuggling, where an attacker uses Postfix
to send email containing a non-standard End-of-DATA sequence,
to exploit inbound SMTP smuggling at a vulnerable remote SMTP
server. With "cleanup_replace_stray_cr_lf = yes" (the default),
the cleanup daemon replaces each stray <CR> or <LF> character
in message content with a space character. This feature was
back-ported to older stable releases with identical functionality.
* The Postfix DNS client now limits the total size of DNS lookup
results to 100 records; it drops the excess records, and logs
a warning. This limit is 20x larger than the number of server
addresses that the Postfix SMTP client is willing to consider
when delivering mail, and is far below the number of records
that could cause a tail recursion crash in dns_rr_append() as
reported by Toshifumi Sakaguchi. This also introduces a similar
limit on the number of DNS requests that a check_*_*_access
restriction can make. All this was back-ported to older stable
releases with identical functionality.
- refreshed patch:
% postfix-no-md5.patch
- change obsoleted "disable_dns_lookups" to "smtp_dns_support_level"
% postfix-SUSE.tar.gz
% postfix-main.cf.patch
% postfix-master.cf.patch
-------------------------------------------------------------------
Tue Mar 5 16:46:16 UTC 2024 - Arjen de Korte <suse+build@de-korte.org>
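
Review bot: the parameter name is inconsistent inside this entry: the third bullet says "disable_dns_lookup" while the packaging bullet at the end says "disable_dns_lookups", which is also the name the main.cf patch replaces. Use the plural form in both places so a search of the changelog finds it, and fix "can sped up" and "raw key public support" while touching the text.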

@ -59,7 +59,7 @@
%endif
%bcond_without ldap
Name: postfix-bdb
Version: 3.8.6
Version: 3.9.0
Release: 0
Summary: A fast, secure, and flexible mailer
License: EPL-2.0 OR IPL-1.0

@ -71,7 +71,7 @@ Index: conf/main.cf
+biff = no
+content_filter =
+delay_warning_time = 0h
+disable_dns_lookups = no
+smtp_dns_support_level = enabled
+disable_mime_output_conversion = no
+disable_vrfy_command = yes
+inet_interfaces = all
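
Review bot: "smtp_dns_support_level = enabled" keeps the behaviour of the old "disable_dns_lookups = no", but the template line gives no hint of the other accepted values, so a site that needs DNSSEC-validated lookups (required for DANE) has to know to change it to "dnssec". A short comment above the line naming the values (disabled, enabled, dnssec) would cover that. The commit message also lists postfix-SUSE.tar.gz as changed for this rename; that archive is binary here, so please confirm separately that nothing in it still writes the old key.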

@ -9,7 +9,7 @@ Index: conf/master.cf
+#amavis unix - - n - 4 smtp
+# -o smtp_data_done_timeout=1200
+# -o smtp_send_xforward_command=yes
+# -o disable_dns_lookups=yes
+# -o smtp_dns_support_level=disabled
+# -o max_use=20
#smtp inet n - n - 1 postscreen
#smtpd pass - - n - - smtpd

@ -2,7 +2,7 @@ Index: src/global/mail_params.h
===================================================================
--- src/global/mail_params.h.orig
+++ src/global/mail_params.h
@@ -1387,7 +1387,7 @@ extern char *var_smtpd_tls_mand_excl;
@@ -1391,7 +1391,7 @@ extern char *var_smtpd_tls_mand_excl;
#define VAR_SMTPD_TLS_FPT_DGST "smtpd_tls_fingerprint_digest"
#define DEF_SMTPD_TLS_FPT_DGST "${{$compatibility_level} <level {3.6} ? " \
@ -11,7 +11,7 @@ Index: src/global/mail_params.h
extern char *var_smtpd_tls_fpt_dgst;
#define VAR_SMTPD_TLS_512_FILE "smtpd_tls_dh512_param_file"
@@ -1549,10 +1549,10 @@ extern char *var_smtp_tls_mand_excl;
@@ -1553,10 +1553,10 @@ extern char *var_smtp_tls_mand_excl;
#define VAR_SMTP_TLS_FPT_DGST "smtp_tls_fingerprint_digest"
#define DEF_SMTP_TLS_FPT_DGST "${{$compatibility_level} <level {3.6} ? " \
@ -23,4 +23,4 @@ Index: src/global/mail_params.h
+ "{sha1} : {sha256}}"
extern char *var_smtp_tls_fpt_dgst;
#define VAR_SMTP_TLS_TAFILE "smtp_tls_trust_anchor_file"
#define VAR_SMTP_TLS_ENABLE_RPK "smtp_tls_enable_rpk"
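
Review bot: the replacement default visible in this patch is "{sha1} : {sha256}}", selected by "${{$compatibility_level} <level {3.6} ? ", so the patch removes MD5 but still leaves configurations with a compatibility level below 3.6 on SHA-1 fingerprints. Please document in the patch header or changelog that such systems should set smtpd_tls_fingerprint_digest and smtp_tls_fingerprint_digest to sha256 explicitly. The refresh itself appears to change only line offsets (1387 to 1391, 1549 to 1553) and trailing context; saying so in the changelog would make that easy to verify.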

@ -3,6 +3,94 @@ Fri Apr 5 01:44:30 UTC 2024 - Georg Pfuetzenreuter <mail+rpm@georg-pfuetzenreut
- Move qshape(1) out of -doc, install it as a binary with the main package
-------------------------------------------------------------------
Thu Mar 7 18:42:30 UTC 2024 - Arjen de Korte <suse+build@de-korte.org>
- update to 3.9.0
* As described in DEPRECATION_README, the SMTP server features
"permit_naked_ip_address", "check_relay_domains", and
"reject_maps_rbl" have been removed, after they have been logging
a warning for some 20 years. These features now log a warning
and return a "server configuration error" response.
* The MySQL client no longer supports MySQL versions < 4.0. MySQL
version 4.0 was released in 2003.
* As covered in DEPRECATION_README, the configuration parameter
"disable_dns_lookup" and about a dozen TLS-related parameters
are now officially obsolete. These parameters still work, but
the postconf command logs warnings that they will be removed
from Postfix.
* As covered in DEPRECATION_README, "permit_mx_backup" logs a
warning that it will be removed from Postfix.
* In message headers, Postfix now formats numerical days as
two-digit days, i.e. days 1-9 have a leading zero instead of a
leading space. This change was made because the RFC 5322 date
and time specification recommends (i.e. SHOULD) that a single
space be used in each place that folding white space appears.
This change avoids a breaking change in the length of a date
string.
* The MySQL client default characterset is now configurable with
the "charset" configuration file attribute. The default is
"utf8mb4", consistent with the MySQL 8.0 built-in default, but
different from earlier MySQL versions where the built-in default
was "latin1".
* Support to query MongoDB databases, contributed by Hamid Maadani,
based on earlier code by Stephan Ferraro. See MONGODB_README
and mongodb_table(5)
* The RFC 3461 envelope ID is now exported in the local(8) delivery
agent with the ENVID environment variable, and in the pipe(8)
delivery agent with the ${envid} command-line attribute.
* Configurable idle and retry timer settings in the mysql: and
pgsql: clients. A shorter than default retry timer can sped up
the recovery after error, when Postfix is configured with only
one server in the "hosts" attribute. After the code was frozen
for release, we have learned that Postfix can recover faster
from some errors when the single server is specified multiple
times in the "hosts" attribute.
* Optional Postfix TLS support to request an RFC7250 raw public
key instead of an X.509 public-key certificate. The configuration
settings for raw key public support will be ignored when there
is no raw public key support in the local TLS implementation
(i.e. Postfix with OpenSSL versions before 3.2). See RELEASE_NOTES
for more information.
* Preliminary support for OpenSSL configuration files, primarily
OpenSSL 1.1.1b and later. This introduces two new parameters
"tls_config_file" and "tls_config_name", which can be used to
limit collateral damage from OS distributions that crank up
security to 11, increasing the number of plaintext email
deliveries. Details are in the postconf(5) manpage under
"tls_config_file" and "tls_config_name".
* With "smtpd_forbid_unauth_pipelining = yes" (the default),
Postfix defends against multiple "blind" SMTP attacks. This
feature was back-ported to older stable releases but disabled
by default.
* With "smtpd_forbid_bare_newline = normalize" (the default)
Postfix defends against SMTP smuggling attacks. See RELEASE_NOTES
for details. This feature was back-ported to older stable
releases but disabled by default.
* Prevent outbound SMTP smuggling, where an attacker uses Postfix
to send email containing a non-standard End-of-DATA sequence,
to exploit inbound SMTP smuggling at a vulnerable remote SMTP
server. With "cleanup_replace_stray_cr_lf = yes" (the default),
the cleanup daemon replaces each stray <CR> or <LF> character
in message content with a space character. This feature was
back-ported to older stable releases with identical functionality.
* The Postfix DNS client now limits the total size of DNS lookup
results to 100 records; it drops the excess records, and logs
a warning. This limit is 20x larger than the number of server
addresses that the Postfix SMTP client is willing to consider
when delivering mail, and is far below the number of records
that could cause a tail recursion crash in dns_rr_append() as
reported by Toshifumi Sakaguchi. This also introduces a similar
limit on the number of DNS requests that a check_*_*_access
restriction can make. All this was back-ported to older stable
releases with identical functionality.
- refreshed patch:
% postfix-no-md5.patch
- change obsoleted "disable_dns_lookups" to "smtp_dns_support_level"
% postfix-SUSE.tar.gz
% postfix-main.cf.patch
% postfix-master.cf.patch
-------------------------------------------------------------------
Tue Mar 5 16:46:16 UTC 2024 - Arjen de Korte <suse+build@de-korte.org>

@ -46,7 +46,7 @@
%endif
%bcond_without ldap
Name: postfix
Version: 3.8.6
Version: 3.9.0
Release: 0
Summary: A fast, secure, and flexible mailer
License: EPL-2.0 OR IPL-1.0