- FATE#322322 Update postfix to version 3.X
Merging changes with SLES12-SP2
Removeved patches: add_missed_library.patch bnc#947707.diff dynamic_maps.patch postfix-db6.diff
postfix-opensslconfig.patch bnc#947519.diff dynamic_maps_pie.patch
postfix-linux45.patch postfix-post-install.patch
These are included in the new version of postfix
- Remove references to SuSEconfig.postfix from sysconfig docs.
(bsc#871575)
- bnc#947519 SuSEconfig.postfix should enforce umask 022
- bnc#947707 mail generated by Amavis being prevented from being re-adressed by /etc/postfix/virtual
- bnc#972346 /usr/sbin/SuSEconfig.postfix is wrong
OBS-URL: https://build.opensuse.org/request/show/449692
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=248
- update to 3.1.4
* The postscreen daemon did not merge the client test status information
for concurrent sessions from the same IP address.
* The Postfix SMTP server falsely rejected a sender address when validating
a sender address with "smtpd_reject_unlisted_recipient = yes" or with
"reject_unlisted_sender". Cause: the address validation code did not query sender_canonical_maps.
* The virtual delivery agent did not detect failure to skip to the end
of a mailbox file, so that mail would be delivered to the beginning of the file.
This could happen when a mailbox file was already larger than the virtual mailbox size limit.
* The postsuper logged an incorrect rename operation count after creating a missing directory.
* The Postfix SMTP server falsely rejected mail when a sender-dependent "error"
transport was configured. Cause: the SMTP server address validation code
was not updated when the sender_dependent_default_transport_maps feature
was introduced.
* The Postfix SMTP server falsely rejected an SMTPUTF8 sender address, when "smtpd_delay_reject = no".
* The "postfix tls deploy-server-cert" command used the wrong certificate
and key file. This was caused by a cut-and-paste error in the postfix-tls-script file.
OBS-URL: https://build.opensuse.org/request/show/448623
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=247
- bnc#981097 config.postfix creates broken main.cf for tls client configuration
- bnc#981099 /etc/sysconfig/postfix: POSTFIX_SMTP_TLS_CLIENT incomplete
- update to 3.1.1:
- The new address_verify_pending_request_limit
parameter introduces a safety limit for the number of address
verification probes in the active queue. The default limit is 1/4
of the active queue maximum size. The queue manager enforces the
limit by tempfailing probe messages that exceed the limit. This
design avoids dependencies on global counters that get out of sync
after a process or system crash.
- Machine-readable, JSON-formatted queue listing with "postqueue -j"
(no "mailq" equivalent).
- The milter_macro_defaults feature provides an optional list of macro
name=value pairs. These specify default values for Milter macros when
no value is available from the SMTP session context.
- Support to enforce a destination-independent delay between email
deliveries. The following example inserts 20 seconds of delay
between all deliveries with the SMTP transport, limiting the delivery
rate to at most three messages per minute.
smtp_transport_rate_delay = 20s
- Historically, the default setting "postscreen_dnsbl_ttl = 1h" assumes
that a "not found" result from a DNSBL server will be valid for one
hour. This may have been adequate five years ago when postscreen
was first implemented, but nowadays, that one hour can result in
missed opportunities to block new spambots.
To address this, postscreen now respects the TTL of DNSBL "not
found" replies, as well as the TTL of DNSWL replies (both "found"
and "not found"). The TTL for a "not found" reply is determined
according to RFC 2308 (the TTL of an SOA record in the reply).
Support for DNSBL or DNSWL reply TTL values is controlled by two
OBS-URL: https://build.opensuse.org/request/show/397601
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=235
- fix build on sle11 by pointing _libexecdir to /usr/lib all the
time.
- some distros did not pull pkgconfig indirectly. pull it directly.
- fix building the dynamic maps: the old build had postgresql e.g.
with missing symbols.
- convert to AUXLIBS_* instead of plain AUXLIBS which is needed
for proper dynamic maps.
- reordered the CCARGS and AUXLIBS* lines to group by feature
- use pkgconfig or *_config tools where possible
- picked up signed char from fedora spec file
- enable lmdb support: new BR lmdb-devel, new subpackage
postfix-lmdb.
- don't delete vmail user/groups
OBS-URL: https://build.opensuse.org/request/show/376737
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=233
- update to 3.1.0
- Since version 3.0 postfix supports dynamic loading of cdb:, ldap:,
lmdb:, mysql:, pcre:, pgsql:, sdbm:, and sqlite: database clients.
Thats why the patches dynamic_maps.patch and dynamic_maps_pie.patch
could be removed.
- Adapting all the patches to postfix 3.1.0
- The patch postfix-db6.diff is not more neccessary
- Backwards-compatibility safety net.
With NEW Postfix installs, you MUST install a main.cf file with
the setting "compatibility_level = 2". See conf/main.cf for an
example.
With UPGRADES of existing Postfix systems, you MUST NOT change the
main.cf compatibility_level setting, nor add this setting if it
does not exist.
Several Postfix default settings have changed with Postfix 3.0. To
avoid massive frustration with existing Postfix installations,
Postfix 3.0 comes with a safety net that forces Postfix to keep
running with backwards-compatible main.cf and master.cf default
settings. This safety net depends on the main.cf compatibility_level
setting (default: 0). Details are in COMPATIBILITY_README.
- Major changes - tls
* [Feature 20160207] A new "postfix tls" command to quickly enable
opportunistic TLS in the Postfix SMTP client or server, and to
manage SMTP server keys and certificates, including certificate
signing requests and TLSA DNS records for DANE.
* As of the middle of 2015, all supported Postfix releases no longer
nable "export" grade ciphers for opportunistic TLS, and no longer
use the deprecated SSLv2 and SSLv3 protocols for mandatory or
OBS-URL: https://build.opensuse.org/request/show/373635
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=232
* Fix for DMARC implementations based on SPF policy plus DKIM Milter.
* The Postfix SMTP server logged an incorrect client name in reject
messages for check_reverse_client_hostname_access and check_reverse_client_hostname_{mx,ns}_access.
* The qmqpd daemon crashed with null pointer bug when logging a lost connection while not in a mail transaction.
* The TLS client logged that an anonymous TLS connection was "Untrusted", instead of "Anonymous".
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=230
- postfix-SuSE.tar.gz/postfix.service: None of
nss-lookup.target network.target local-fs.target time-sync.target
should be Wanted or Required except by the services
the implement the relevant functionality i.e network.target
is wanted/required by networkmanager, wicked,
systemd-network. other software must be ordered After them,
see systemd.special(7)
OBS-URL: https://build.opensuse.org/request/show/309705
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=223
- Bugfix (introduced: Postfix 2.6):
sender_dependent_relayhost_maps ignored the relayhost setting
in the case of a DUNNO lookup result. It would use the
recipient domain instead. Viktor Dukhovni. Wietse took the
pieces of code that enforce the precedence of a
sender-dependent relayhost, the global relayhost, and the
recipient domain, and put that code together in once place so
that it is easier to maintain. File:
trivial-rewrite/resolve.c.
- Bitrot: prepare for future changes in OpenSSL API. Viktor
Dukhovni. File: tls_dane.c.
- Incompatibility: specifying "make makefiles" with "CC=command"
will no longer override the default WARN setting.
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=216
- bnc#912594 config.postfix creates config based on old options
- bnc#911806 config.postfix does not set up correct saslauthd socket directory for chroot
- bnc#910265 config.postfix does not upgrade the chroot
- bnc#908003 wrong access rights on /usr/sbin/postdrop causes
permission denied when trying to send a mail as non root user
- bnc#729154 wrong permissions for some postfix components
OBS-URL: https://build.opensuse.org/request/show/280976
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=206
* TLS
o Support for PKI-less TLS server certificate verification, where
the CA public key or the server certificate is identified via DNSSEC lookup
* LMDB database support
* master
o The master_service_disable parameter value syntax has changed:
use "service/type" instead of "service.type".
* postconf:
o Support for advanced master.cf query and update operations.
This was implemented primarily to support automated system management tools.
o The postconf command produces more warnings
* relay safety
New smtpd_relay_restrictions parameter built-in default settings:
smtpd_relay_restrictions =
permit_mynetworks
permit_sasl_authenticated
defer_unauth_destination
* postscreen whitelisting
Allow a remote SMTP client to skip postscreen(8) tests based on
its postscreen_dnsbl_sites score.
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=180
unsuitable for computing certificate PUBLIC KEY fingerprints.
Postfix now provides a correct procedure that accounts for
the algorithm and parameters in addition to the key data. Specify
"tls_legacy_public_key_fingerprints = yes" if you need backwards compatibility.
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=160
* tls support:
Support to turn off the TLSv1.1 and TLSv1.2 protocols:
To temporarily turn off problematic protocols globally:
/etc/postfix/main.cf:
smtp_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
smtp_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
However, it may be better to temporarily turn off problematic
protocols for broken sites only:
/etc/postfix/main.cf:
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
/etc/postfix/tls_policy:
example.com may protocols=!SSLv2:!TLSv1.1:!TLSv1.2
* 20111012 To simplify integration with third-party
applications, the Postfix sendmail command now always transforms
all input lines ending in <CR><LF> into UNIX format (lines ending
in <LF>). Specify "sendmail_fix_line_endings = strict" to restore
historical Postfix behavior (i.e. convert all input lines ending
in <CR><LF> only if the first line ends in <CR><LF>).
* 20120114 Logfile-based alerting systems may need to be
updated to look for "error" messages in addition to "fatal" messages.
Specify "daemon_table_open_error_is_fatal = yes" to get the historical
behavior (immediate termination with "fatal" message).
* enable_long_queue_ids Postfix 2.9 introduces support for non-repeating queue IDs (also
used as queue file names). These names are encoded in a mix of upper
case, lower case and decimal digit characters. Long queue IDs are
disabled by default to avoid breaking tools that parse logfiles and
that expect queue IDs with the smaller [A-F0-9] character set.
* 20111209 memcache lookup and update support. This provides
a way to share postscreen(8) or verify(8) caches between Postfix
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=154
was comparing bitmasks incorrectly causing the program to
always wait for the full time limit. This error affected
the unused postkick command, but only after s/fifo/unix/
in master.cf. File: util/events.c.
- Cleanup: laptop users have always been able to avoid
unnecessary disk spin-up by doing s/fifo/unix/ in master.cf
(this is currently not supported on Solaris systems).
However, to make this work reliably, the "postqueue -f"
command must wait until its requests have reached the pickup
and qmgr servers before closing the UNIX-domain request
sockets. Files: postqueue/postqueue.c, postqueue/Makefile.in.
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=143
Bugfixes:
smtpd(8) did not sanitize newline characters in cleanup(8)
REJECT messages, causing them to be sent out via SMTP as bare newline characters.
smtpd(8) sent multi-line responses from a before-queue content filter as text with
bare <LF> instead of <CR><LF>.
Workaround: postscreen sent non-compliant SMTP responses (220- followed by 421)
when it could not give a connection to a real smtpd process, causing some
remote SMTP clients to bounce mail.
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=104
* DNSBL/DNSWL:
o Support for address patterns in DNS blacklist and whitelist lookup results.
o The Postfix SMTP server now supports DNS-based whitelisting with several safety features
* Support for read-only sqlite database access.
* Alias expansion:
o Postfix now reports a temporary delivery error when the result
of virtual alias expansion would exceed the virtual_alias_recursion_limit
or virtual_alias_expansion_limit.
o To avoid repeated delivery to mailing lists with pathological
nested alias configurations, the local(8) delivery agent now keeps
the owner-alias attribute of a parent alias, when delivering mail
to a child alias that does not have its own owner alias.
* The Postfix SMTP client no longer appends the local domain when
looking up a DNS name without ".".
* The SMTP server now supports contact information that is appended
to "reject" responses: smtpd_reject_footer
* Postfix by default no longer adds a "To: undisclosed-recipients:;"
header when no recipient specified in the message header.
* tls support:
o The Postfix SMTP server now always re-computes the SASL mechanism
list after successful completion of the STARTTLS command.
o The smtpd_starttls_timeout default value is now stress-dependent.
o Postfix no longer appends the system-supplied default CA certificates
to the lists specified with *_tls_CAfile or with *_tls_CApath.
* New feature: Prototype postscreen(8) server that runs a number
of time-consuming checks in parallel for all incoming SMTP connections,
before clients are allowed to talk to a real Postfix SMTP server.
It detects clients that start talking too soon, or clients that appear
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=62
* Bugfix (introduced Postfix 2.6) in the XFORWARD implementation,
which sends remote SMTP client attributes through SMTP-based content filters.
The Postfix SMTP client did not skip "unknown" SMTP client attributes,
causing a syntax error when sending an "unknown" client PORT attribute.
* Robustness: skip LDAP queries with non-ASCII search strings, instead of failing with a database lookup error.
* Safety: Postfix processes now log a warning when a matchlist has
a #comment at the end of a line (for example mynetworks or relay_domains).
* Portability: OpenSSL 1.0.0 changes the priority of anonymous cyphers.
* Portability: Berkeley DB 5.x is now supported.
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=42
* performance
[Feature 20100101] Periodic cache cleanup for the verify(8) cache
database. The time between cache cleanup runs is controlled with
the address_verify_cache_cleanup_interval (default: 12h) parameter.
Cache cleanup increases the database access latency, so this should
not be run more often than necessary.
[Feature 20091109] Improved before-queue filter performance. With
"smtpd_proxy_options = speed_adjust", the Postfix SMTP server
receives the entire message before it connects to a before-queue
content filter. This means you can run more SMTP server processes
with the same number of running content filter processes, and thus,
handle more mail. This feature is off by default until it is proven
to create no new problems.
This addresses a concern of people in Europe who want to reject all
bad mail with a before-queue filter. The alternative, an after-queue
filter, means they would have to discard bad mail (which is illegal)
or bounce bad mail (which violates good network citizenship).
NOTE 1: When this feature is turned on, a filter cannot selectively
reject recipients of a multi-recipient message. It is OK to reject
all recipients of the same multi-recipient message, as is deferring
or accepting all recipients of the same multi-recipient message.
NOTE 2: This feature increases the minimum amount of free queue
space by $message_size_limit. The extra space is needed to save the
message to a temporary file.
To keep the performance overhead low, the same temporary file is
reused with successive mail transactions (the file is of course
truncated before reuse, so there is no information leakage).
* sender reputation
[Feature 20100117] The FILTER action in access maps or header/body_checks
now supports sender reputation schemes that dynamically choose the
SMTP source IP address. Typically, mail is split into classes, and
all mail in class X is sent out from an SMTP client IP address that
is reserved for class X.
This is implemented by specifying FILTER actions with empty next-hop
destinations in access maps or header/body_checks, and by configuring
in master.cf one Postfix SMTP client for each SMTP source IP address,
where each client has its own "-o myhostname" and "-o smtp_bind_address"
settings.
[Feature 20091209] sender_dependent_default_transport_maps, a
per-sender override for default_transport. The original motivation
is to use different output channels (with different source IP
addresses) for different sender addresses, in order to keep their
IP-based reputations separate from each other.
The result value syntax is that of default_transport, not transport_maps.
Thus, sender_dependent_default_transport_maps does not support the
special transport_maps result value syntax for null transport, null
nexthop, or null email address.
This feature makes sender_dependent_relayhost_maps pretty much
redundant (though sender_dependent_relayhost_maps will often be
easier to use because that is the only thing people want to override).
* address verification
[Incompat 20100101] The verify(8) service now uses a persistent
cache by default (address_verify_map = btree:$data_directory/verify_cache).
To disable, specify "address_verify_map =" in main.cf.
When periodic cache cleanup is enabled (the default), the verify(8)
server now requires that the cache database supports the "delete"
and "sequence" operations. To disable periodic cache cleanup specify
a zero address_verify_cache_cleanup_interval value.
[Feature 20100101] Periodic cache cleanup for the verify(8) cache
database. The time between cache cleanup runs is controlled with
the address_verify_cache_cleanup_interval (default: 12h) parameter.
Cache cleanup increases the database access latency, so this should
not be run more often than necessary.
* content filter
[Incompat 20100117] The meaning of an empty filter next-hop destination
has changed (for example, "content_filter = foo:" or "FILTER foo:").
Postfix now uses the recipient domain, instead of using $myhostname
as in Postfix 2.6 and earlier. To restore the old behavior specify
"default_filter_nexthop = $myhostname", or specify a non-empty
next-hop content filter destination.
This compatibility option is not needed with SMTP-based content
filters, because these always have an explicit next-hop destination.
With pipe-based filters that specify no next-hop destination, the
compatibility option restores the FIFO order of deliveries. Without
the compatibility option, the delivery order for filters without
next-hop destination changes to round-robin domain selection.
[Feature 20100117] The FILTER action in access maps or header/body_checks
now supports sender reputation schemes that dynamically choose the
SMTP source IP address. Typically, mail is split into classes, and
all mail in class X is sent out from an SMTP client IP address that
is reserved for class X.
This is implemented by specifying FILTER actions with empty next-hop
destinations in access maps or header/body_checks, and by configuring
in master.cf one Postfix SMTP client for each SMTP source IP address,
where each client has its own "-o myhostname" and "-o smtp_bind_address"
settings.
[Feature 20091109] Improved before-queue filter performance. With
"smtpd_proxy_options = speed_adjust", the Postfix SMTP server
receives the entire message before it connects to a before-queue
content filter. This means you can run more SMTP server processes
with the same number of running content filter processes, and thus,
handle more mail. This feature is off by default until it is proven
to create no new problems.
This addresses a concern of people in Europe who want to reject all
bad mail with a before-queue filter. The alternative, an after-queue
filter, means they would have to discard bad mail (which is illegal)
or bounce bad mail (which violates good network citizenship).
NOTE 1: When this feature is turned on, a filter cannot selectively
reject recipients of a multi-recipient message. It is OK to reject
all recipients of the same multi-recipient message, as is deferring
or accepting all recipients of the same multi-recipient message.
NOTE 2: This feature increases the minimum amount of free queue
space by $message_size_limit. The extra space is needed to save the
message to a temporary file.
To keep the performance overhead low, the same temporary file is
reused with successive mail transactions (the file is of course
truncated before reuse, so there is no information leakage).
* milter
[Feature 20090606] Support for header checks on Milter-generated
message headers. This can be used, for example, to control mail
flow with Milter-generated headers that carry indicators for badness
or goodness. For details, see the postconf(5) section for
"milter_header_checks". Currently, all header_checks features are
implemented except PREPEND.
* multi-instance support
[Incompat 20090606] The "postmulti -e destroy" command no longer
attempts to remove files that are created AFTER "postmulti -e
create". It still works as expected immediately after creating an
instance by mistake. Trying to automatically remove other files
is too risky because Postfix-owned directories are by design not
trusted.
OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=33