From 262723174ed12eee211ac3c96fd1b78ee6ce78abc73427888d6f7b53d09274eb Mon Sep 17 00:00:00 2001 
From: Peter Varkoly Date: Sat, 30 Mar 2019 17:47:38 +0000 Subject: [PATCH 1/2] Accepting request 686001 from home:varkoly:branches:server:mail - Update to 3.4.4 o Incompatible changes - The Postfix SMTP server announces CHUNKING (BDAT command) by default. In the unlikely case that this breaks some important remote SMTP client, disable the feature as follows: /etc/postfix/main.cf: # The logging alternative: smtpd_discard_ehlo_keywords = chunking # The non-logging alternative: smtpd_discard_ehlo_keywords = chunking, silent_discard - This introduces a new master.cf service 'postlog' with type 'unix-dgram' that is used by the new postlogd(8) daemon. Before backing out to an older Postfix version, edit the master.cf file and remove the postlog entry. - Postfix 3.4 drops support for OpenSSL 1.0.1 - To avoid performance loss under load, the tlsproxy(8) daemon now requires a zero process limit in master.cf (this setting is provided with the default master.cf file). By default, a tlsproxy(8) process will retire after several hours. - To set the tlsproxy process limit to zero: postconf -F tlsproxy/unix/process_limit=0 postfix reload o Major changes - Postfix SMTP server support for RFC 3030 CHUNKING (the BDAT command) without BINARYMIME, in both smtpd(8) and postscreen(8). This has no effect on Milters, smtpd_mumble_restrictions, and smtpd_proxy_filter. See BDAT_README for more. - Support for logging to file or stdout, instead of using syslog. 
- Logging to file solves a usability problem for MacOS, and OBS-URL: https://build.opensuse.org/request/show/686001 OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=328 --- postfix-3.3.3.tar.gz | 3 -- postfix-3.4.4.tar.gz | 3 ++ postfix-linux45.patch | 18 ++++---- postfix-master.cf.patch | 72 ++++++------------------------- postfix-ssl-release-buffers.patch | 25 ++++------- postfix.changes | 72 +++++++++++++++++++++++++++++++ postfix.spec | 4 +- 7 files changed, 108 insertions(+), 89 deletions(-) delete mode 100644 postfix-3.3.3.tar.gz create mode 100644 postfix-3.4.4.tar.gz diff --git a/postfix-3.3.3.tar.gz b/postfix-3.3.3.tar.gz deleted file mode 100644 index 9f957a5..0000000 --- a/postfix-3.3.3.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:8740ab65037500ee7844192cf6b798d52ecc4838cd018337a504c52da813285a -size 4429713 diff --git a/postfix-3.4.4.tar.gz b/postfix-3.4.4.tar.gz new file mode 100644 index 0000000..68d7498 --- /dev/null +++ b/postfix-3.4.4.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:27f2ab631a966a40e002aedc6db9281e5970295fa5fd96b29066e457a4601e34 +size 4581121 diff --git a/postfix-linux45.patch b/postfix-linux45.patch index d3e941a..b8e236f 100644 --- a/postfix-linux45.patch +++ b/postfix-linux45.patch 
@@ -1,15 +1,13 @@ ---- - makedefs | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- makedefs -+++ makedefs -@@ -546,7 +546,7 @@ EOF +--- makedefs.orig 2019-03-11 13:54:48.176455533 +0100 ++++ makedefs 2019-03-11 13:55:44.512455319 +0100 +@@ -557,8 +557,8 @@ : ${SHLIB_ENV="LD_LIBRARY_PATH=`pwd`/lib"} : ${PLUGIN_LD="${CC-gcc} -shared"} ;; -- Linux.[34].*) SYSTYPE=LINUX$RELEASE_MAJOR -+ Linux.[3-9].*|Linux.[1-9][0-9].*) SYSTYPE=LINUX3 - case "$CCARGS" in +- Linux.[345].*) SYSTYPE=LINUX$RELEASE_MAJOR +- case "$CCARGS" in ++ Linux.[3-9].*|Linux.[1-9][0-9].*) SYSTYPE=LINUX3 ++ case "$CCARGS" in *-DNO_DB*) ;; *-DHAS_DB*) ;; + *) if [ -f /usr/include/db.h ] diff --git a/postfix-master.cf.patch b/postfix-master.cf.patch index 88d3f7b..0ca7485 100644 --- a/postfix-master.cf.patch +++ b/postfix-master.cf.patch @@ -1,8 +1,6 @@ -Index: conf/master.cf -=================================================================== ---- conf/master.cf.orig -+++ conf/master.cf -@@ -10,33 +10,39 @@ +--- conf/master.cf.orig 2019-03-11 13:45:38.792457629 +0100 ++++ conf/master.cf 2019-03-11 13:50:08.312456601 +0100 +@@ -10,6 +10,11 @@ # (yes) (yes) (no) (never) (100) # ========================================================================== smtp inet n - n - - smtpd 
@@ -14,59 +12,18 @@ Index: conf/master.cf #smtp inet n - n - 1 postscreen #smtpd pass - - n - - smtpd #dnsblog unix - - n - 0 dnsblog - #tlsproxy unix - - n - 0 tlsproxy - #submission inet n - n - - smtpd --# -o syslog_name=postfix/submission --# -o smtpd_tls_security_level=encrypt --# -o smtpd_sasl_auth_enable=yes --# -o smtpd_tls_auth_only=yes --# -o smtpd_reject_unlisted_recipient=no --# -o smtpd_client_restrictions=$mua_client_restrictions --# -o smtpd_helo_restrictions=$mua_helo_restrictions --# -o smtpd_sender_restrictions=$mua_sender_restrictions --# -o smtpd_recipient_restrictions= --# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject --# -o milter_macro_daemon_name=ORIGINATING -+# -o syslog_name=postfix/submission -+# -o smtpd_tls_security_level=encrypt -+# -o smtpd_sasl_auth_enable=yes -+# -o smtpd_tls_auth_only=yes -+# -o smtpd_reject_unlisted_recipient=no -+# -o smtpd_client_restrictions=$mua_client_restrictions -+# -o smtpd_helo_restrictions=$mua_helo_restrictions -+# -o smtpd_sender_restrictions=$mua_sender_restrictions -+# -o smtpd_recipient_restrictions= -+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -+# -o milter_macro_daemon_name=ORIGINATING +@@ -29,6 +34,7 @@ #smtps inet n - n - - smtpd --# -o syslog_name=postfix/smtps --# -o smtpd_tls_wrappermode=yes --# -o smtpd_sasl_auth_enable=yes --# -o smtpd_reject_unlisted_recipient=no --# -o smtpd_client_restrictions=$mua_client_restrictions --# -o smtpd_helo_restrictions=$mua_helo_restrictions --# -o smtpd_sender_restrictions=$mua_sender_restrictions --# -o smtpd_recipient_restrictions= --# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject --# -o milter_macro_daemon_name=ORIGINATING -+# -o syslog_name=postfix/smtps -+# -o smtpd_tls_wrappermode=yes -+# -o content_filter=smtp:[127.0.0.1]:10024 -+# -o smtpd_sasl_auth_enable=yes -+# -o smtpd_reject_unlisted_recipient=no -+# -o smtpd_client_restrictions=$mua_client_restrictions -+# -o 
smtpd_helo_restrictions=$mua_helo_restrictions -+# -o smtpd_sender_restrictions=$mua_sender_restrictions -+# -o smtpd_recipient_restrictions= -+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -+# -o milter_macro_daemon_name=ORIGINATING - #628 inet n - n - - qmqpd - pickup unix n - n 60 1 pickup - cleanup unix n - n - 0 cleanup -@@ -64,6 +70,27 @@ virtual unix - n n - lmtp unix - - n - - lmtp + # -o syslog_name=postfix/smtps + # -o smtpd_tls_wrappermode=yes ++# -o content_filter=smtp:[127.0.0.1]:10024 + # -o smtpd_sasl_auth_enable=yes + # -o smtpd_reject_unlisted_recipient=no + # -o smtpd_client_restrictions=$mua_client_restrictions +@@ -65,6 +71,26 @@ anvil unix - - n - 1 anvil scache unix - - n - 1 scache + postlog unix-dgram n - n - 1 postlogd +#localhost:10025 inet n - n - - smtpd +# -o content_filter= +# -o smtpd_delay_reject=no @@ -87,11 +44,10 @@ Index: conf/master.cf +# -o local_header_rewrite_clients= +# -o local_recipient_maps= +# -o relay_recipient_maps= -+ # # ==================================================================== # Interfaces to non-Postfix software. Be sure to examine the manual -@@ -97,7 +124,7 @@ scache unix - - n +@@ -98,7 +124,7 @@ # Also specify in main.cf: cyrus_destination_recipient_limit=1 # #cyrus unix - n n - - pipe @@ -100,7 +56,7 @@ Index: conf/master.cf # # ==================================================================== # -@@ -130,3 +157,10 @@ scache unix - - n +@@ -131,3 +157,10 @@ #mailman unix - n n - - pipe # flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py # ${nexthop} ${user} diff --git a/postfix-ssl-release-buffers.patch b/postfix-ssl-release-buffers.patch index 5a3ef7f..38c4763 100644 --- a/postfix-ssl-release-buffers.patch +++ b/postfix-ssl-release-buffers.patch 
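Review bot: The commented `localhost:10025` re-injection listener added by the inner `@@ -65,6 +71,26 @@` hunk clears `content_filter` and sets `smtpd_delay_reject=no`, but the options that would limit who may connect fall in the gap between this outer hunk and the next and cannot be checked here. Before anyone uncomments the template, confirm the block carries an explicit client restriction such as `# -o mynetworks=127.0.0.0/8` with `# -o smtpd_client_restrictions=permit_mynetworks,reject`. It would also be safer to bind to a literal loopback address (`127.0.0.1:10025`) than to a name that depends on resolver configuration. Separately, as far as the visible hunks show, the `content_filter=smtp:[127.0.0.1]:10024` hint is added only under `smtps` and the rebased patch no longer touches `submission`, so an admin enabling both would filter one port and not the other; a matching commented line under `submission` would keep them consistent.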
@@ -1,34 +1,27 @@ -Index: src/tls/tls_client.c -=================================================================== ---- src/tls/tls_client.c.orig -+++ src/tls/tls_client.c -@@ -363,6 +363,12 @@ TLS_APPL_STATE *tls_client_init(const TL +--- src/tls/tls_client.c.orig 2019-03-11 14:24:34.492448719 +0100 ++++ src/tls/tls_client.c 2019-03-11 14:27:42.824448001 +0100 +@@ -397,6 +397,11 @@ SSL_CTX_set_security_level(client_ctx, 0); #endif -+ /* Keep memory usage as low as possible */ -+ +#ifdef SSL_MODE_RELEASE_BUFFERS ++ /* Keep memory usage as low as possible */ + SSL_CTX_set_mode(client_ctx, SSL_MODE_RELEASE_BUFFERS); +#endif + /* * See the verify callback in tls_verify.c */ -Index: src/tls/tls_server.c -=================================================================== ---- src/tls/tls_server.c.orig -+++ src/tls/tls_server.c -@@ -454,6 +454,12 @@ TLS_APPL_STATE *tls_server_init(const TL - SSL_CTX_set_security_level(server_ctx, 0); +--- src/tls/tls_server.c.orig 2019-03-11 14:26:04.700448375 +0100 ++++ src/tls/tls_server.c 2019-03-11 14:27:49.184447977 +0100 +@@ -455,6 +455,10 @@ + SSL_CTX_set_security_level(sni_ctx, 0); #endif -+ /* Keep memory usage as low as possible */ -+ +#ifdef SSL_MODE_RELEASE_BUFFERS ++ /* Keep memory usage as low as possible */ + SSL_CTX_set_mode(server_ctx, SSL_MODE_RELEASE_BUFFERS); +#endif -+ /* * See the verify callback in tls_verify.c */ diff --git a/postfix.changes b/postfix.changes index 7bee9a6..c0dd9a2 100644 --- a/postfix.changes +++ b/postfix.changes 
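Review bot: In the rebased `src/tls/tls_server.c` hunk the insertion point now follows `SSL_CTX_set_security_level(sni_ctx, 0);`, yet only `server_ctx` receives `SSL_MODE_RELEASE_BUFFERS`, so the `sni_ctx` that appears in the new context line keeps its default modes. Whether any connection is ever created from `sni_ctx` cannot be told from this hunk; if one can, add `SSL_CTX_set_mode(sni_ctx, SSL_MODE_RELEASE_BUFFERS);` inside the same `#ifdef` so both contexts behave alike. The relocated comment would also read better if it said what the flag does, e.g. `/* Release idle read/write buffers to reduce per-connection memory */`. The body of the enclosing init function continues outside the hunk.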
@@ -1,3 +1,75 @@ +------------------------------------------------------------------- +Mon Mar 18 09:56:11 UTC 2019 - Peter Varkoly + +- Update to 3.4.4 + + o Incompatible changes + - The Postfix SMTP server announces CHUNKING (BDAT + command) by default. In the unlikely case that this breaks some + important remote SMTP client, disable the feature as follows: + + /etc/postfix/main.cf: + # The logging alternative: + smtpd_discard_ehlo_keywords = chunking + # The non-logging alternative: + smtpd_discard_ehlo_keywords = chunking, silent_discard + - This introduces a new master.cf service 'postlog' + with type 'unix-dgram' that is used by the new postlogd(8) daemon. + Before backing out to an older Postfix version, edit the master.cf + file and remove the postlog entry. + - Postfix 3.4 drops support for OpenSSL 1.0.1 + - To avoid performance loss under load, the + tlsproxy(8) daemon now requires a zero process limit in master.cf + (this setting is provided with the default master.cf file). By + default, a tlsproxy(8) process will retire after several hours. + - To set the tlsproxy process limit to zero: + postconf -F tlsproxy/unix/process_limit=0 + postfix reload + o Major changes + - Postfix SMTP server support for RFC 3030 CHUNKING + (the BDAT command) without BINARYMIME, in both smtpd(8) and + postscreen(8). This has no effect on Milters, smtpd_mumble_restrictions, + and smtpd_proxy_filter. See BDAT_README for more. + - Support for logging to file or stdout, instead of using syslog. + - Logging to file solves a usability problem for MacOS, and + eliminates multiple problems with systemd-based systems. + - Logging to stdout is useful when Postfix runs in a container, as + it eliminates a syslogd dependency. + - Better handling of undocumented(!) Linux behavior + whether or not signals are delivered to a PID=1 process. + - Support for (key, list of filenames) in map source text. + Currently, this feature is used only by tls_server_sni_maps. 
+ - Automatic retirement: dnsblog(8) and tlsproxy(8) process + will now voluntarily retire after after max_idle*max_use, or some + sane limit if either limit is disabled. Without this, a process + could stay busy for days or more. + - Postfix SMTP client support for multiple deliveries + per TLS-encrypted connection. This is primarily to improve mail + delivery performance for destinations that throttle clients when + they don't combine deliveries. + This feature is enabled with "smtp_tls_connection_reuse=yes" in + main.cf, or with "tls_connection_reuse=yes" in smtp_tls_policy_maps. + It supports all Postfix TLS security levels including dane and + dane-only. + - SNI support in the Postfix SMTP server, the + Postfix SMTP client, and in the tlsproxy(8) daemon (both server and + client roles). See the postconf(5) documentation for the new + tls_server_sni_maps and smtp_tls_servername parameters. + - Support for files that contain multiple (key, certificate, trust chain) + instances. This was required to implement + server-side SNI table lookups, but it also eliminates the need for + separate cert/key files for RSA, DSA, Elliptic Curve, and so on. + - Support for smtpd_reject_footer_maps (as well as the postscreen + variant postscreen_reject_footer_maps) for more informative reject + messages. This is indexed with the Postfix SMTP server response + text, and overrides the footer specified with smtpd_reject_footer. + One will want to use a pcre: or regexp: map with this. + o Bugfixes + - Andreas Schulze discovered that reject_multi_recipient_bounce + was producing false rejects with BDAT commands. This problem + already existed with Postfix 2.2 smtpd_end_of_data_restrictons. + Postfix 3.4.4 fixes both. + ------------------------------------------------------------------- Tue Mar 5 13:21:35 UTC 2019 - Jiri Slaby diff --git a/postfix.spec b/postfix.spec index 50d5439..be4db09 100644 --- a/postfix.spec +++ b/postfix.spec 
@@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# Please submit bugfixes or comments via http://bugs.opensuse.org/ # @@ -55,7 +55,7 @@ %bcond_with libnsl %endif Name: postfix -Version: 3.3.3 +Version: 3.4.4 Release: 0 Summary: A fast, secure, and flexible mailer License: IPL-1.0 OR EPL-2.0 From 575e5e15f9df77fe8fa9bd33103b2658801fab0bc51c8c2b42449fa8f48a4710 Mon Sep 17 00:00:00 2001 From: Peter Varkoly Date: Mon, 1 Apr 2019 09:01:43 +0000 Subject: [PATCH 2/2] Accepting request 690159 from home:stroeder:branches:server:mail Update to 3.4.5 OBS-URL: https://build.opensuse.org/request/show/690159 OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=329 --- postfix-3.4.4.tar.gz | 3 --- postfix-3.4.5.tar.gz | 3 +++ postfix.changes | 11 +++++++++++ postfix.spec | 2 +- 4 files changed, 15 insertions(+), 4 deletions(-) delete mode 100644 postfix-3.4.4.tar.gz create mode 100644 postfix-3.4.5.tar.gz diff --git a/postfix-3.4.4.tar.gz b/postfix-3.4.4.tar.gz deleted file mode 100644 index 68d7498..0000000 --- a/postfix-3.4.4.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:27f2ab631a966a40e002aedc6db9281e5970295fa5fd96b29066e457a4601e34 -size 4581121 diff --git a/postfix-3.4.5.tar.gz b/postfix-3.4.5.tar.gz new file mode 100644 index 0000000..e2d6197 --- /dev/null +++ b/postfix-3.4.5.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8b2ba54f9d2a049582a0ed3ee2dbe96ba57e278feea9cb4f80e1a61844e6319f +size 4581301 diff --git a/postfix.changes b/postfix.changes index c0dd9a2..77fa21d 100644 --- a/postfix.changes +++ b/postfix.changes 
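Review bot: The header comment in the `@@ -12,7 +12,7 @@` hunk changes `https://bugs.opensuse.org/` back to `http://bugs.opensuse.org/`, which looks like an accidental revert unrelated to the 3.4.4 update; keep `# Please submit bugfixes or comments via https://bugs.opensuse.org/`. For the `Version:` bump in the second hunk, the diffstat lists only the tarball pointer and no detached signature or keyring file. Unless the spec already verifies the upstream signature somewhere not visible here, the new sha256 in the LFS pointer is the only integrity anchor, and it should be compared against the upstream release before the request is accepted.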
@@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Sun Mar 31 09:08:58 UTC 2019 - Michael Ströder + +- Update to 3.4.5: + Bugfix (introduced: Postfix 3.0): LMTP connections over + UNIX-domain sockets were cached but not reused, due to a + cache lookup key mismatch. Therefore, idle cached connections + could exhaust LMTP server resources, resulting in two-second + pauses between email deliveries. This problem was investigated + by Juliana Rodrigueiro. File: smtp/smtp_connect.c. + ------------------------------------------------------------------- Mon Mar 18 09:56:11 UTC 2019 - Peter Varkoly diff --git a/postfix.spec b/postfix.spec index be4db09..b4aa013 100644 --- a/postfix.spec +++ b/postfix.spec @@ -55,7 +55,7 @@ %bcond_with libnsl %endif Name: postfix -Version: 3.4.4 +Version: 3.4.5 Release: 0 Summary: A fast, secure, and flexible mailer License: IPL-1.0 OR EPL-2.0