
Bug#960974: buster-pu: package postfix/3.4.14-0+deb10u1



In the 6 weeks since this request was originally filed, there have been two 
more postfix bugfix releases.  I'd like to upload 3.4.14 instead.  I'm attaching 
two debdiffs:

stable.debdiff is the diff from what's currently in stable.
update.debdiff is the change from the original request in May.

Given the upcoming point release, I really would like to get this in now.

Scott K
diff -Nru postfix-3.4.12/conf/postfix-tls-script postfix-3.4.14/conf/postfix-tls-script
--- postfix-3.4.12/conf/postfix-tls-script	2017-02-18 20:58:20.000000000 -0500
+++ postfix-3.4.14/conf/postfix-tls-script	2020-05-30 10:37:04.000000000 -0400
@@ -777,7 +777,7 @@
 deploy_server_cert() {
     certfile=$1; shift
     keyfile=$1; shift
-    deploy=$1; shift
+    case $# in 0) deploy=;; *) deploy=$1; shift;; esac
 
     # Sets key_algo, key_param and cert_param
     check_key "$keyfile" || return 1
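Review bot: The new guard covers only the optional third argument; the two unconditional `shift`s on the lines above still assume `certfile` and `keyfile` are present, and in a POSIX shell `shift` with `$#` already at zero is an error, so a call with fewer than two arguments fails on the shift rather than with a usage message. If those two are mandatory (the function name suggests so, but the caller is not visible here), an explicit check before the first shift, e.g. `case $# in [01]) echo "usage: deploy-server-cert certfile keyfile [deploy]" >&2; return 1;; esac`, makes the contract visible in the code. deploy_server_cert's body continues past the hunk. The identical hunk appears again in the second debdiff (line 352) and the same applies there.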
diff -Nru postfix-3.4.12/debian/changelog postfix-3.4.14/debian/changelog
--- postfix-3.4.12/debian/changelog	2020-05-18 17:45:37.000000000 -0400
+++ postfix-3.4.14/debian/changelog	2020-06-29 21:33:31.000000000 -0400
@@ -1,8 +1,15 @@
-postfix (3.4.12-0+deb10u1) buster; urgency=medium
+postfix (3.4.14-0+deb10u1) buster; urgency=medium
+
+  [Cody Brownstein]
+
+  * README.Debian corrections:
+    - Fix instructions wrt SMTP generic mapping
+    - Fix authentication configuration example
 
   [Scott Kitterman]
 
   * Updated debian/watch to track postfix 3.4 series for stable updates
+  * Check GPG signature when downloading new versions via uscan
 
   [Wietse Venema]
 
@@ -40,7 +47,51 @@
       concurrent TLS session in the same tlsproxy process. File:
       tlsproxy/tlsproxy.c.
 
- -- Scott Kitterman <scott@kitterman.com>  Mon, 18 May 2020 17:45:37 -0400
+  * 3.4.13
+    - Bugfix (introduced: Postfix 3.1): "postfix tls deploy-server-cert"
+      did not handle a missing optional argument. File:
+      conf/postfix-tls-script.
+
+    - Bugfix (introduced: Postfix 3.4): in the Postfix SMTP server,
+      the SNI callback reported an error when it was called a
+      second time. This happened after the server-side TLS engine
+      sent a TLSv1.3 HelloRetryRequest (HRR) to a remote SMTP
+      client. Reported by Ján Máté, fixed by Viktor Dukhovni.
+      File: tls/tls_misc.c.
+
+  * 3.4.14
+    - Bugfix (introduced: Postfix 3.4): the connection_reuse
+      attribute in smtp_tls_policy_maps resulted in an "invalid
+      attribute name" error. Fix by Thorsten Habich. File:
+      smtp/smtp_tls_policy.c.
+
+    - Bugfix (introduced: Postfix 3.4): SMTP over TLS connection
+      reuse was broken for configurations that use explicit trust
+      anchors. Reported by Thorsten Habich. Cause: the tlsproxy
+      client was sending a zero certificate length. File:
+      tls/tls_proxy_client_print.c.
+
+    - Bugfix (introduced: Postfix 3.4): SMTP over TLS connection
+      reuse was broken for configurations that use explicit trust
+      anchors. Reported by Thorsten Habich. Fixed by calling DANE
+      initialization unconditionally (WTF). File: tlsproxy/tlsproxy.c.
+
+    - Bugfix (introduced: Postfix 2.11): The Postfix smtp(8)
+      client did not send the right SNI name when the TLSA base
+      domain was a secure CNAME expansion of the MX hostname (or
+      non-MX nexthop domain). Domains with CNAME expanded MX hosts
+      are not conformant with RFC5321, and so are rare. Even more
+      rare are MX hosts with TLSA records for their CNAME expansion.
+      For this to matter, the remote SMTP server would also have
+      to select its certificate based on the SNI name in such a
+      way that the original MX host would yield a different
+      certificate. Among the ~2 million hosts in the DANE survey,
+      none meet the conditions for returning a different certificate
+      for the expanded CNAME. Therefore, sending the correct SNI
+      name should not break existing mail flows. Fixed by Viktor
+      Dukhovni. File: src/tls/tls_client.c.
+
+ -- Scott Kitterman <scott@kitterman.com>  Mon, 29 Jun 2020 21:33:31 -0400
 
 postfix (3.4.10-0+deb10u1) buster; urgency=medium
 
diff -Nru postfix-3.4.12/debian/README.Debian postfix-3.4.14/debian/README.Debian
--- postfix-3.4.12/debian/README.Debian	2020-05-18 16:55:04.000000000 -0400
+++ postfix-3.4.14/debian/README.Debian	2020-06-29 21:33:10.000000000 -0400
@@ -156,7 +156,7 @@
 
 After creating the file, run the command:
 
-postmap /etc/postfix/example.com-passwd
+postmap /etc/postfix/example-passwd
 
 and add the following line to main.cf:
 
@@ -204,6 +204,14 @@
 
 with 'host.domain' taken from '/etc/mailname'.
 
+After creating the file, run the command:
+
+postmap /etc/postfix/generic_mapping
+
+and add the following line to main.cf:
+
+sender_generic_maps = hash:/etc/postfix/generic_mapping
+
 One advantage to using generic over canonical mapping is that the latter will
 be applied to local mail as well. If the system will be configured to send all
 mail, even mail addressed to local users, via the smarthost (e.g., via
diff -Nru postfix-3.4.12/debian/upstream/signing-key.asc postfix-3.4.14/debian/upstream/signing-key.asc
--- postfix-3.4.12/debian/upstream/signing-key.asc	1969-12-31 19:00:00.000000000 -0500
+++ postfix-3.4.14/debian/upstream/signing-key.asc	2020-06-29 21:13:50.000000000 -0400
@@ -0,0 +1,154 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.18 (FreeBSD)
+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+=yZP5
+-----END PGP PUBLIC KEY BLOCK-----
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: PGPfreeware 5.0i for non-commercial use
+
+mQENA0Ije1oAAAEIALlEqB1UICFF3dfwDij9LHtBhtiEfGnv0PL5rRmSJ4rA9pqs
+oM3oc0nfgnB502XpeCkT1RW5ymQggEx7+8fXnWhNUAmNGPrbmWzymvrdr4XnPOoB
+ODlnVYkc9Gt5BLRNSfuLbc1G3nH+FDzhpuJ5zqtb8RrYm5FOPU7eC9QnVoC2nXPW
+fPfTWVXQoCOEuQQ3zZHEculWQYhRVgxI+CFZjWzWgwZq3wWi/nGGZcFYRtCfodH4
+UiP0lvj8tOEhD8vUGQKiQGwiw/BBbiCm5ZPcCkSOWxXbZTUrkfTzwse9Ka2blmgH
+AhlySLtSD/tCX2ykzQEK9JJDw4++By9g8MErzZkABRG0JFdpZXRzZSBWZW5lbWEg
+PHdpZXRzZUBwb3JjdXBpbmUub3JnPokBFQMFEEIje1oHL2DwwSvNmQEBA8oIALG7
+Un8SRtlQ+EXMSK/MyJLD9+T/tS1vq2Z6BwN6oZ0G21VvbMdhXvOEjPUFXhJPIFs8
+pNIYtUV/uQMiMZsATOlJObe3ZkXazdbpGcGAekO0G158CYy2mH50hqYLewTYCt3T
+TNf6fSu+bVFrrQ8S/89QDceN0M+WFECgjlYHMTMqB2Ye2KZRWAQG1S8hLLFG42HV
+QaWAVG4yR4xZEC0sYuMBZQTJlJXWb/CnhdlcdS2y5DRq/UYZ5oM/ZilKnIxnWzvf
+zZM/5+5d7DA0YLjY2uIiSGWs9MfQv1MwvAPjTs/Aiz0j3y5lCa3lVObGskroUhN6
+Pf14rTC6p585H3mQBRuJAJQDBRBCI3uC3IDyptUyfLkBAUJtA/jL8AHJtrrb6/CV
+w0gBL0vIVI2FV2F7FxmttbHV9HqErkB7bypuFoUZkbrYd8jl5aco4E2fet8avoVF
+JKaY+YwcUTpy0wZSwYr6vt+bm1lMDg2BuNdd3j8lcJ5qzTo0SRfuGoJaIDKbqUIR
+g+zlLNnoLgf8qPhyFczoiN/MZKl0
+=Uc/Z
+-----END PGP PUBLIC KEY BLOCK-----
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.2
+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+=o1uH
+-----END PGP PUBLIC KEY BLOCK-----
diff -Nru postfix-3.4.12/debian/watch postfix-3.4.14/debian/watch
--- postfix-3.4.12/debian/watch	2020-05-18 16:55:04.000000000 -0400
+++ postfix-3.4.14/debian/watch	2020-06-29 21:33:10.000000000 -0400
@@ -1,3 +1,3 @@
 version=3
 
-opts=pasv ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-(3.4[\d+\.]+)\.tar\.gz
+opts=pasv,pgpsigurlmangle=s/$/.gpg2/ ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-(3.4[\d+\.]+)\.tar\.gz
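Review bot: The new `pgpsigurlmangle` option makes uscan accept a tarball signed by any key in debian/upstream/signing-key.asc, and that file (added in this same debdiff) bundles three public key blocks, two of them exported by "PGPfreeware 5.0i" and "2.6.2" era tools, so the trust anchor is wider than whichever key currently produces the `.gpg2` signatures. Consider trimming the keyring to the key actually in use and noting in the changelog which one that is, so a later reviewer can tell why each key is trusted. On the same line the version capture group `(3.4[\d+\.]+)` uses an unescaped `.`, so `(3\.4[\d+\.]+)` states the intent exactly; the `+` inside the bracket expression is a literal character there, which is harmless but probably not what was meant. The same watch hunk appears again in the second debdiff (line 589) and this applies there too.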
diff -Nru postfix-3.4.12/HISTORY postfix-3.4.14/HISTORY
--- postfix-3.4.12/HISTORY	2020-05-16 16:25:06.000000000 -0400
+++ postfix-3.4.14/HISTORY	2020-06-27 17:15:17.000000000 -0400
@@ -24412,3 +24412,57 @@
 	session may cause a false 'lost connection' error for a
 	concurrent TLS session in the same tlsproxy process. File:
 	tlsproxy/tlsproxy.c.
+
+20200530
+
+	Bugfix (introduced: Postfix 3.1): "postfix tls deploy-server-cert"
+	did not handle a missing optional argument. File:
+	conf/postfix-tls-script.
+
+20200610
+
+	Bugfix (introduced: Postfix 3.4): in the Postfix SMTP server,
+	the SNI callback reported an error when it was called a
+	second time. This happened after the server-side TLS engine
+	sent a TLSv1.3 HelloRetryRequest (HRR) to a remote SMTP
+	client. Reported by Ján Máté, fixed by Viktor Dukhovni.
+	File: tls/tls_misc.c.
+
+20200617
+
+	Bugfix (introduced: Postfix 3.4): the connection_reuse
+	attribute in smtp_tls_policy_maps resulted in an "invalid
+	attribute name" error. Fix by Thorsten Habich. File:
+	smtp/smtp_tls_policy.c.
+
+20200619
+
+	Bugfix (introduced: Postfix 3.4): SMTP over TLS connection
+	reuse was broken for configurations that use explicit trust
+	anchors. Reported by Thorsten Habich. Cause: the tlsproxy
+	client was sending a zero certificate length. File:
+	tls/tls_proxy_client_print.c.
+
+20200620
+
+	Bugfix (introduced: Postfix 3.4): SMTP over TLS connection
+	reuse was broken for configurations that use explicit trust
+	anchors. Reported by Thorsten Habich. Fixed by calling DANE
+	initialization unconditionally (WTF). File: tlsproxy/tlsproxy.c.
+
+20200626
+
+	Bugfix (introduced: Postfix 2.11): The Postfix smtp(8)
+	client did not send the right SNI name when the TLSA base
+	domain was a secure CNAME expansion of the MX hostname (or
+	non-MX nexthop domain). Domains with CNAME expanded MX hosts
+	are not conformant with RFC5321, and so are rare. Even more
+	rare are MX hosts with TLSA records for their CNAME expansion.
+	For this to matter, the remote SMTP server would also have
+	to select its certificate based on the SNI name in such a
+	way that the original MX host would yield a different
+	certificate. Among the ~2 million hosts in the DANE survey,
+	none meet the conditions for returning a different certificate
+	for the expanded CNAME. Therefore, sending the correct SNI
+	name should not break existing mail flows. Fixed by Viktor
+	Dukhovni. File: src/tls/tls_client.c.
diff -Nru postfix-3.4.12/src/global/mail_version.h postfix-3.4.14/src/global/mail_version.h
--- postfix-3.4.12/src/global/mail_version.h	2020-05-16 12:01:12.000000000 -0400
+++ postfix-3.4.14/src/global/mail_version.h	2020-06-27 17:26:28.000000000 -0400
@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20200516"
-#define MAIL_VERSION_NUMBER	"3.4.12"
+#define MAIL_RELEASE_DATE	"20200627"
+#define MAIL_VERSION_NUMBER	"3.4.14"
 
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE
diff -Nru postfix-3.4.12/src/smtp/smtp_tls_policy.c postfix-3.4.14/src/smtp/smtp_tls_policy.c
--- postfix-3.4.12/src/smtp/smtp_tls_policy.c	2018-12-26 14:21:49.000000000 -0500
+++ postfix-3.4.14/src/smtp/smtp_tls_policy.c	2020-06-17 11:19:54.000000000 -0400
@@ -389,6 +389,7 @@
 			 WHERE, name, val);
 		INVALID_RETURN(tls->why, site_level);
 	    }
+	    continue;
 	}
 	msg_warn("%s: invalid attribute name: \"%s\"", WHERE, name);
 	INVALID_RETURN(tls->why, site_level);
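Review bot: The added `continue` closes a gap in which a recognized attribute fell through to the "invalid attribute name" warning, and the shape of this code — a run of attribute-specific blocks that each must end in `continue` or the loop reports the name as invalid — is what let that slip, so the next attribute added here can regress the same way. A defensive restructuring is to make the fall-through explicit, e.g. turn the chain into `if … else if … else { msg_warn(…); INVALID_RETURN(tls->why, site_level); }` so the error path is reachable only when nothing matched. The enclosing loop and function start before the hunk and continue after it, so the full chain is not visible here.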
diff -Nru postfix-3.4.12/src/tls/tls_client.c postfix-3.4.14/src/tls/tls_client.c
--- postfix-3.4.12/src/tls/tls_client.c	2019-02-18 18:03:54.000000000 -0500
+++ postfix-3.4.14/src/tls/tls_client.c	2020-06-27 17:43:46.000000000 -0400
@@ -1018,10 +1018,13 @@
 	 * avoid SNI, and there are no plans to support SNI in the Postfix
 	 * SMTP server).
 	 * 
+	 * Per RFC7672, the required SNI name is the TLSA "base domain" (the one
+	 * used to construct the "_25._tcp.<fqdn>" TLSA record DNS query).
+	 * 
 	 * Since the hostname is DNSSEC-validated, it must be a DNS FQDN and
 	 * thererefore valid for use with SNI.
 	 */
-	sni = props->host;
+	sni = props->dane->base_domain;
     } else if (props->sni && *props->sni) {
 	if (strcmp(props->sni, "hostname") == 0)
 	    sni = props->host;
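Review bot: The new `sni = props->dane->base_domain;` dereferences `props->dane` without a visible NULL check; the condition that selects this branch is above the hunk, so whether it already guarantees a non-NULL `props->dane` with a populated `base_domain` cannot be confirmed here, whereas the previous `props->host` had no such dependency. If the guard is only a security-level test, an explicit `if (props->dane == 0 || props->dane->base_domain == 0) msg_panic("%s: DANE base domain missing", props->namaddr);` (or a fallback to `props->host`) would keep a misconfigured caller from crashing the client. The added comment could also say that `base_domain` is the post-CNAME name, since that is the actual behaviour change and only the changelog explains it. The enclosing if/else chain begins before the hunk and continues after it.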
diff -Nru postfix-3.4.12/src/tls/tls_misc.c postfix-3.4.14/src/tls/tls_misc.c
--- postfix-3.4.12/src/tls/tls_misc.c	2019-06-25 17:51:24.000000000 -0400
+++ postfix-3.4.14/src/tls/tls_misc.c	2020-06-10 17:16:49.000000000 -0400
@@ -686,6 +686,27 @@
 		 TLScontext->namaddr, sni);
 	return SSL_TLSEXT_ERR_NOACK;
     }
+
+    /*
+     * With TLS 1.3, when the client's proposed key share is not supported by
+     * the server, the server may issue a HelloRetryRequest (HRR), and the
+     * client will then retry with a new key share on a curve supported by
+     * the server.  This results in the SNI callback running twice for the
+     * same connection.
+     * 
+     * When that happens, The client MUST send the essentially the same hello
+     * message, including the SNI name, and since we've already loaded our
+     * certificate chain, we don't need to do it again!  Therefore, if we've
+     * already recorded the peer SNI name, just check that it has not
+     * changed, and return success.
+     */
+    if (TLScontext->peer_sni) {
+	if (strcmp(sni, TLScontext->peer_sni) == 0)
+	    return SSL_TLSEXT_ERR_OK;
+	msg_warn("TLS SNI changed from %s initially %s, %s after hello retry",
+		 TLScontext->namaddr, TLScontext->peer_sni, sni);
+	return SSL_TLSEXT_ERR_NOACK;
+    }
     do {
 	/* Don't silently skip maps opened with the wrong flags. */
 	pem = maps_file_find(tls_server_sni_maps, cp, 0);
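Review bot: The new warning on the repeated-SNI path reads oddly because its first `%s` is the peer name/address: `"TLS SNI changed from %s initially %s, %s after hello retry"` renders as "changed from <namaddr> initially <first-sni>, <second-sni> after hello retry". Leading with the peer as a prefix is clearer: `msg_warn("%s: TLS SNI changed after hello retry: initially %s, now %s", TLScontext->namaddr, TLScontext->peer_sni, sni);`. The added comment also has a slip, "the client MUST send the essentially the same hello", which should read "the client MUST send essentially the same hello". The exact `strcmp` is the right comparison here, since the comment itself states the retried hello must repeat the SNI name unchanged, but a one-line comment next to the compare saying "exact match on purpose: the retried ClientHello must carry the same SNI" would save the next reader from wondering about case folding. The callback continues past the hunk.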
diff -Nru postfix-3.4.12/src/tls/tls_proxy_client_print.c postfix-3.4.14/src/tls/tls_proxy_client_print.c
--- postfix-3.4.12/src/tls/tls_proxy_client_print.c	2019-02-11 08:11:43.000000000 -0500
+++ postfix-3.4.14/src/tls/tls_proxy_client_print.c	2020-06-19 13:39:34.000000000 -0400
@@ -213,6 +213,7 @@
 	    i2d_X509(tp->cert, &bp);
 	    if ((char *) bp - STR(buf) != len)
 		msg_panic("i2d_X509 failed to encode certificate");
+	    vstring_set_payload_size(buf, len);
 	    ret = print_fn(fp, flags | ATTR_FLAG_MORE,
 			   SEND_ATTR_DATA(TLS_ATTR_CERT, LEN(buf), STR(buf)),
 			   ATTR_TYPE_END);
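Review bot: The `vstring_set_payload_size(buf, len)` fix is applied by hand in two places that are otherwise copies of each other (this hunk for the certificate, the hunk ending at line 323 for the public key): `i2d_*` into the buffer, panic if the written length differs from `len`, set the payload size, then send. The bug being fixed — an encoder writing straight into `STR(buf)` while the vstring's own length stayed at zero — is exactly what a shared static helper would stop from recurring, so a wrapper that takes the buffer, the expected length and the advanced pointer and does the length check plus `vstring_set_payload_size` in one place is worth considering. `len` and `bp` come from lines above the hunk that are not visible here, so the helper boundary may need adjusting. Both enclosing functions extend beyond their hunks.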
@@ -258,6 +259,7 @@
 	    i2d_PUBKEY(tp->pkey, &bp);
 	    if ((char *) bp - STR(buf) != len)
 		msg_panic("i2d_PUBKEY failed to encode public key");
+	    vstring_set_payload_size(buf, len);
 	    ret = print_fn(fp, flags | ATTR_FLAG_MORE,
 			   SEND_ATTR_DATA(TLS_ATTR_PKEY, LEN(buf), STR(buf)),
 			   ATTR_TYPE_END);
diff -Nru postfix-3.4.12/src/tlsproxy/tlsproxy.c postfix-3.4.14/src/tlsproxy/tlsproxy.c
--- postfix-3.4.12/src/tlsproxy/tlsproxy.c	2020-05-16 11:49:04.000000000 -0400
+++ postfix-3.4.14/src/tlsproxy/tlsproxy.c	2020-06-20 15:32:27.000000000 -0400
@@ -993,12 +993,12 @@
     state->client_start_props->ctx = state->appl_state;
     state->client_start_props->fd = state->ciphertext_fd;
     /* These predicates and warning belong inside tls_client_start(). */
-    if (!TLS_DANE_BASED(state->client_start_props->tls_level)
-	|| tls_dane_avail())
-	state->tls_context = tls_client_start(state->client_start_props);
-    else
+    if (!tls_dane_avail()			/* mandatory side effects!! */
+	&&TLS_DANE_BASED(state->client_start_props->tls_level))
 	msg_warn("%s: DANE requested, but not available",
 		 state->client_start_props->namaddr);
+    else
+	state->tls_context = tls_client_start(state->client_start_props);
     if (state->tls_context != 0)
 	return (TLSP_STAT_OK);
 
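Review bot: The rewritten condition at lines 335-336 depends on `tls_dane_avail()` being evaluated first so that its initialization side effect always runs, and the `/* mandatory side effects!! */` comment is the only thing protecting that ordering from a future "simplification" that swaps the operands or puts the cheap `TLS_DANE_BASED` test back in front. Hoisting the call out of the condition removes the reliance on short-circuit order: `int dane_avail = tls_dane_avail(); /* must run unconditionally: performs DANE initialization */` followed by `if (!dane_avail && TLS_DANE_BASED(state->client_start_props->tls_level))`. The `&&TLS_DANE_BASED(` spacing also differs from the surrounding style. Whether `state->tls_context` is zeroed before this point, which the `!= 0` test on line 341 relies on in the warning branch, is not visible in the hunk; the function continues on both sides.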
diff -Nru postfix-3.4.10/conf/postfix-tls-script postfix-3.4.14/conf/postfix-tls-script
--- postfix-3.4.10/conf/postfix-tls-script	2017-02-18 20:58:20.000000000 -0500
+++ postfix-3.4.14/conf/postfix-tls-script	2020-05-30 10:37:04.000000000 -0400
@@ -777,7 +777,7 @@
 deploy_server_cert() {
     certfile=$1; shift
     keyfile=$1; shift
-    deploy=$1; shift
+    case $# in 0) deploy=;; *) deploy=$1; shift;; esac
 
     # Sets key_algo, key_param and cert_param
     check_key "$keyfile" || return 1
diff -Nru postfix-3.4.10/debian/changelog postfix-3.4.14/debian/changelog
--- postfix-3.4.10/debian/changelog	2020-03-16 15:43:44.000000000 -0400
+++ postfix-3.4.14/debian/changelog	2020-06-29 21:33:31.000000000 -0400
@@ -1,3 +1,98 @@
+postfix (3.4.14-0+deb10u1) buster; urgency=medium
+
+  [Cody Brownstein]
+
+  * README.Debian corrections:
+    - Fix instructions wrt SMTP generic mapping
+    - Fix authentication configuration example
+
+  [Scott Kitterman]
+
+  * Updated debian/watch to track postfix 3.4 series for stable updates
+  * Check GPG signature when downloading new versions via uscan
+
+  [Wietse Venema]
+
+  * 3.4.11
+    - No changes that affect Debian 10 (Buster)
+
+  * 3.4.12
+    - Bugfix: segfault in the tlsproxy client role when the server
+      role was disabled. This typically happens on systems that
+      do not receive mail, after configuring connection reuse for
+      outbound TLS. Found during program maintenance. File:
+      tlsproxy/tlsproxy.c.
+
+    - Bugfix (introduced: Postfix 3.4): maillog_file_rotate_suffix
+      default value used the minute instead of the month. Reported
+      by Larry Stone. Files: conf/postfix-tls-script,
+      proto/MAILLOG_README.html, proto/postconf.proto.
+      global/mail_params.h, postfix/postfix.c.
+
+    - Bitrot: avoid U_FILE_ACCESS_ERROR after chroot(), by
+      initializing the ICU library before making the chroot()
+      call. Files: util/midna_domain.[hc], global/mail_params.c.
+
+    - Noise suppression: avoid "SSL_Shutdown:shutdown while in
+      init" warnings. File: tls/tls_session.c.
+
+    - Bugfix (introduced: Postfix 2.2): a TLS error for a PostgreSQL
+      client caused a false 'lost connection' error for an SMTP
+      over TLS session in the same Postfix process. Reported by
+      Alexander Vasarab, diagnosed by Viktor Dukhovni. File:
+      tls/tls_bio_ops.c.
+
+    - Bugfix (introduced: Postfix 2.8): a TLS error for one TLS
+      session may cause a false 'lost connection' error for a
+      concurrent TLS session in the same tlsproxy process. File:
+      tlsproxy/tlsproxy.c.
+
+  * 3.4.13
+    - Bugfix (introduced: Postfix 3.1): "postfix tls deploy-server-cert"
+      did not handle a missing optional argument. File:
+      conf/postfix-tls-script.
+
+    - Bugfix (introduced: Postfix 3.4): in the Postfix SMTP server,
+      the SNI callback reported an error when it was called a
+      second time. This happened after the server-side TLS engine
+      sent a TLSv1.3 HelloRetryRequest (HRR) to a remote SMTP
+      client. Reported by Ján Máté, fixed by Viktor Dukhovni.
+      File: tls/tls_misc.c.
+
+  * 3.4.14
+    - Bugfix (introduced: Postfix 3.4): the connection_reuse
+      attribute in smtp_tls_policy_maps resulted in an "invalid
+      attribute name" error. Fix by Thorsten Habich. File:
+      smtp/smtp_tls_policy.c.
+
+    - Bugfix (introduced: Postfix 3.4): SMTP over TLS connection
+      reuse was broken for configurations that use explicit trust
+      anchors. Reported by Thorsten Habich. Cause: the tlsproxy
+      client was sending a zero certificate length. File:
+      tls/tls_proxy_client_print.c.
+
+    - Bugfix (introduced: Postfix 3.4): SMTP over TLS connection
+      reuse was broken for configurations that use explicit trust
+      anchors. Reported by Thorsten Habich. Fixed by calling DANE
+      initialization unconditionally (WTF). File: tlsproxy/tlsproxy.c.
+
+    - Bugfix (introduced: Postfix 2.11): The Postfix smtp(8)
+      client did not send the right SNI name when the TLSA base
+      domain was a secure CNAME expansion of the MX hostname (or
+      non-MX nexthop domain). Domains with CNAME expanded MX hosts
+      are not conformant with RFC5321, and so are rare. Even more
+      rare are MX hosts with TLSA records for their CNAME expansion.
+      For this to matter, the remote SMTP server would also have
+      to select its certificate based on the SNI name in such a
+      way that the original MX host would yield a different
+      certificate. Among the ~2 million hosts in the DANE survey,
+      none meet the conditions for returning a different certificate
+      for the expanded CNAME. Therefore, sending the correct SNI
+      name should not break existing mail flows. Fixed by Viktor
+      Dukhovni. File: src/tls/tls_client.c.
+
+ -- Scott Kitterman <scott@kitterman.com>  Mon, 29 Jun 2020 21:33:31 -0400
+
 postfix (3.4.10-0+deb10u1) buster; urgency=medium
 
   [Wietse Venema]
diff -Nru postfix-3.4.10/debian/README.Debian postfix-3.4.14/debian/README.Debian
--- postfix-3.4.10/debian/README.Debian	2020-03-16 06:33:05.000000000 -0400
+++ postfix-3.4.14/debian/README.Debian	2020-06-29 21:33:10.000000000 -0400
@@ -156,7 +156,7 @@
 
 After creating the file, run the command:
 
-postmap /etc/postfix/example.com-passwd
+postmap /etc/postfix/example-passwd
 
 and add the following line to main.cf:
 
@@ -204,6 +204,14 @@
 
 with 'host.domain' taken from '/etc/mailname'.
 
+After creating the file, run the command:
+
+postmap /etc/postfix/generic_mapping
+
+and add the following line to main.cf:
+
+sender_generic_maps = hash:/etc/postfix/generic_mapping
+
 One advantage to using generic over canonical mapping is that the latter will
 be applied to local mail as well. If the system will be configured to send all
 mail, even mail addressed to local users, via the smarthost (e.g., via
diff -Nru postfix-3.4.10/debian/upstream/signing-key.asc postfix-3.4.14/debian/upstream/signing-key.asc
--- postfix-3.4.10/debian/upstream/signing-key.asc	1969-12-31 19:00:00.000000000 -0500
+++ postfix-3.4.14/debian/upstream/signing-key.asc	2020-06-29 21:13:50.000000000 -0400
@@ -0,0 +1,154 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.18 (FreeBSD)
+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+=yZP5
+-----END PGP PUBLIC KEY BLOCK-----
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: PGPfreeware 5.0i for non-commercial use
+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+=Uc/Z
+-----END PGP PUBLIC KEY BLOCK-----
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: 2.6.2
+
+mQCNAirDhV8AAAED/i4LrhQ/mwOgam8ZfQpEcxYoE9kru5oRDGtoVeKae/4bUver
+aGX7qVtskD6vwPwr2FF6JW2c+z2oY4JGPGUArORiigoT82/q6vqT0Wm1jIPsXQSB
+ZCkBoyvBcmXEi+J7eDBbWLPDxeDimgrORbAIQ4uikRafs8KlpNyA8qbVMny5AAUR
+tCV3aWV0c2UgdmVuZW1hIDx3aWV0c2VAd3p2Lndpbi50dWUubmw+iQCVAgUQMGq3
+lNmn2lx+CrKBAQFa9gQArugc+G/gKE/Oq5a572ZobbaI4E76YknpF4quLJ3NxRTP
+DAsAQOfM3tMlpYGPt/8zpqetOpNTElZyblHcHNI95wuYz0U3UH7OwmOGoD8FtON+
+vuUO5bOmUsjnlKV7MetIPZl2Ht81mnouOgtaEClQK3Bjkmqh9gRW61IcuMqcrACJ
+ARUDBRAxDqLR57u1Gl0NQHkBAYAeB/4xfFxNOjvfOrsjLefbcmORFi4ZFJxHLEc+
+szgK8J+nEZnQqpcXJ2QaNpXY3FYFR2NnPOteoTFO//DqX9v9MblYOo5KRKaYhhhz
+VzWhoq9s+nCKaTNEQr1BkAGJsrw4D5M3wTY6vu/z8O7BZFV8N2aFuV/3w8fb3ABi
+80DAaV+2fN+x04gtPEfJJnTvbhBhYMczzvqwnuW/NnWw9SS/rVuWrV60HRWtFQnR
+h7BqqE/8mafjmV0dF3GPM3zKvOq7ivOsfHUslvqP+YdIfuygTAQqkdEK1k1j4+0t
+wqF4XGIXB67w4AyybnvjCbJsQavYQgJIDSngjpSzBPRFyfs5tr/ViQCVAwUQMQ6i
+M05B7Bs/MbpVAQFeSgQAihFUGbn8uY6I7J4H73rwrI49XEJcdmop4/CO3fazP+jM
+pBR+O/EYTXHYb2AB1IWV8jeqMvcjDww9iylfXSdRhu29xPhAFyLq93+AC63p3WnC
+X9HP+6LQepuO8HETMsUo2beywin8V43IEE7wpkV36HhipzhOqSOJg6dHoJxq0jqJ
+AJUDBRAweOef5PJqLyI0q20BAdIhA/4vmWq5lh9ZB9xiNL41NMJcLx9KiXKeewl/
+Lnz2Sc95A6PEo+/0h1TRtdfNE+HBegJ+3GbTz+qsUTNGYslfw1uzhVVwke3VWegi
+j4W7QBKfolXR/QeIOE9YIl6sFiXCupNig8QLyFYZCv3cBF1rg7zcpnpBCoEVe4qB
+gfG8edNMwYkAlQMFEDBzrxICT4RrFG3ijQEBlIID/1tgODC51T64V/b97YYBRPWD
+FMeFI+BIqWDwJrynoAl5qoHdi8nAGAVqpg006bRcaXgra5ZclRFMDytuhL5Ss3v5
+t6ydsulRndafEhY8yFTR4rjHrsxIfa1Ku3PR9m2c6kiRnQW88wL9bjKJ2caDBPeH
+FsePOcUfsUTcZg69bIz+iQCVAwUQMG++9DH/t4NEE7aRAQEFnAP+OWpls7UuOm55
+ZIyKMsXee0KbrXshwR8brHPShEwzYYQG2C0giu/lhpMvLyNg/K7l52+/Jz+x9y4U
+HDffDPFOG4J9QirNL9PCOCpKhpMvX5GXeHiD5VNK15JaD/58J8CnlPnQMfVSrcmq
+JX2XPB2BMrm4y9ibAbxkeWfqO7YXYTiJAJUDBRAwaqn6Gts03AL4jIEBAcqCBAC2
+gsdcPBgHZo8zhbdUZ0GRPiObyjVeC+poW/9f7vFkoX1SBZE9EWoXzxZ5lEDaZlv8
+PGua5yQWy+qEm6+MS8puv3dBi5d1kb97tqbvVZcsEpI+e+ygljnV5PtesMjqGaq9
+ZxhueAekfNj5kHo32HupwbDXNHC3j8rFunqfGUUB6okAlQMFEDBqX0voJUrjD0yX
+dQEBjiwEANOf185iXALuJUlV3/MYxnJbmC+J/08rD4at+fxLTbH2LU6WpfVyDEmQ
+xahelAKKVDiPJK2/ct6SEnYG2nmRQKIKiU5k7g05vufQi7CyfHVOQuXvlFZkoNz7
+uDEDk/EKfMUT7Lw7qLilK7POGkWrPhwSdFDgP4qWuq77enjet8RNiQCVAgUQMGgn
+6SJRltlmbQBRAQGk2QP+MR8rAlXGgVNqR1SQjKmutmDe5gFNuHB/StLKdRWOb5fc
+oJspE4TLHoayTMfT0PQtP6BOL3Nn1GvNe/X/J47/rC17VZlP680uG8as7jKeJib4
+6znNJr7lpb9/IeKUTTZk2TbSv4eFjpo6ZlDxRca/5TmvKDjxS4Z973bRSd1CK5iJ
+AJUDBRAwacpgufMnN2zLdBkBAbOUBAC4hEmF/ywCS7Lc95P1S5e+3W5QfBOISSsN
+1sWcFA5+aRXFxA4/zaDOBZiTmKLCVOaBPh66h16QjMyswjGpCyrKG/DHFu0P6Tdo
+cW2hyu9FRNKE7nWDx+JBw3sJNsR5NrdrNSkxuI5ae8VM4qp+AAafTf2yaCQUiiPL
+Bfs10T6D4YkAlQMFEDBpykFiZfpIB1Z0VQEBPV0EAJ65XnrutwZ7isTcGOXrb2Va
+vnsL020c58qHrcpPXFQczp/R6Woh8xYEJdM0CZL+ulDtuODv5ZtZhhy3ZgpKLOk/
+397IWrQDHZwXMIGLxzYN1S6zMTI929fplK9cyRHln3Rstt4fbrLNpyfIXUx0PTC0
+Cp205yzrEcKt/IqX/sKYiQCVAwUQMGnHUAQmfXmOCknRAQEJRwP/SARfkEKPKx9U
+2NEcuJvHC/jpqoUZ/gUQP9nIkRuMLqzO3SraPM4ZlSEyzJg2qagJJ2PaYYN3YAbT
+UfElGpWmS9oy/k7hdg68L2hBPC/z7kRXQF7Ydn4l+X1enKXtMb7cKVBelQfbULmy
+6JY5MSx7Grtrdi91QsQuq2VCkGimJqeJAJUDBRAwZ/3ro2xF3nu86kkBAXyeA/0Z
+MXHkn7nuf1KwhIL/fYaV4zLSDeUclOuO1afEg63bwNNcj1XE6ZpEiHTTY8kbx3Z6
+wWrXsNfEl/rQzjezXgX/py38+YHamyAhrJpb7UyPUW0EBSvhwqx8ZnK1wqqsegy9
+KnutkeF+BXL/EswooKab5zvF1glKBuJyunCrUgG4MYkAlQMFEDBn/C87f8e8znZr
+HwEBH5YD/jtnDovJRAdHQeqKQFma7W9N+Abqx5q3/3dXzPaQDzR/74VsqKwnDOrF
+TMnbsREUCA51tM8ZbC4J5aSzN3tNIFXN+gCixT/8fVxshQuYP2O/sMuHqVDH5FQR
+2UPvORSJWSaFTbfgCOfNbHV18uKDmImiYATWouyS9uLWTlNEjdK3iQCVAwUQMGai
+rFiXq3zaXLJBAQF6QgQA0p/HnqrN5UJr14iJziPYVekkLmdhQ5x1KE+SEpakNkzE
+0dPlL+DKpkW2Ay+puopwOzGa2wWOkcmvtBfWUoFhMDMZS1I86BvYGIlsfAd8rcYf
+pN8qo0e32tgRG8Ftp6TIQQFLwOxVzDVlOCL+AgFI3zc2Qsm5zT2L+ceD3f2F2veJ
+AHUCBRAvzCraaA8r0KMuYqEBAW/UAv9sv6+2UbrUO2a7z+S/keQ+I5Wp+KiZRgjU
+58XRqYlQ0qAFp2F1snjRAYy6GFceVbJvj8ydK3hq6OfADywqG1Eq0kcq+OMt/4tO
+Z0yiXbCegrTvaUukW6ZftonelLXhpSCJAJUDBRAviXcRE9wTBKB3hqEBAW36A/9m
+x57+4pe+0zEbkNIKAqmdT2n1AZXiCc/1sLJ1D5uuZ6kS4xK6P1z9UXMeVgtekmz1
+mF8JuM265VHKNAhWPclur2zhfDKHFz5DTGCUxSGObXzJwnw8+CTHh7wV3NxK5l9o
+UjqEfQSvsl6H/wc7KspKWyqsZk7LQcYC4o5ZAo/5kIkAlQMFEC+IFuvKbyuD/AwC
+1QEBoS8D/RmXEJrUpr/oFAzFozP7F1sM91xtye2lzK4RGbYUxjlrZs6vWPhGmJzf
+NzX5D03plADkUk6la8cHTFdTDls2jpobVUAeuZXnWOYhRhUnL4NOZdl6Vr2cYd+I
+zfdG9220Oy+jHodN7+16j5/M/ezoxBpZJwsPHfdF7NVOZVIGTbZZiQCVAwUQL30a
+Z9yA8qbVMny5AQEnOwP7BphCYkobRu0ZTT4ZROD5tExJ8IbBv2n29vCddAg+VCuw
+XwGjObwjIUZbGx8pPx1GWOqYATAouFoWBh0WueWK5h+ZUzD6dKl2lMNUTQ3h3uF3
+yZM35YK9jSDrH2u/W4E8orqU+BahkeyRvM0vCINdnm88p2hIIIiLdpCQJB37qrGJ
+AJUCBRAubfYWwMf8FvAPBCEBAVmrA/9xJIGybDPjmtnwc/k2FRbEJQbVkyZq+nja
+aeE5si/TdvrzS580zGnye9uABdRbAKceOa91Rm/OEtmzeDjFPJ/pdcZ13FUDNBlQ
+Shyt4P3abOb24kiL67MwJy+70Wbg+C71O7Hed2NVqFUEtkSg2hlV09kCxr4+aQIR
+fQYVcr7R+YkAlQIFEC5t9dpsodCHBnntkQEBh5oD/1ozk6LmRoT0qN9VHDFKnJzZ
+RagTBfA3JpsxWmnkdOpmMSeb+f7SCwH+FwtRYNLX+8Z54/dR8esPNy08FfDNGz6U
+C2Eu4eLy330wei8QtfLdytcSIij2OJRJetg9xrzw5H7h2Hia3oWJ2CzHFmH2YWEx
+QvYhDAIWTwektUQLYl+viQCVAgUQLmrlqOMR7qLvJ+dxAQGt3QP/WDFIlcxrgy1B
+uxgvT9CkSjjJgKzV1D8z8iodPLul9s+1WxUGYTIYvdN67QXREYLV7yh0YRdBNVBr
+NdtKutstdsbW/y6LHed4Id+sBuK4Y7OAN38mtjuaOpZLFGm8ex15KVvRJb/77u7y
+LOixdFS7DpiSnaXoZpxC9vFMmm2R1Iu0JHdpZXRzZSB2ZW5lbWEgPHdpZXRzZUBw
+b3JjdXBpbmUub3JnPokAlQMFEDTZBvTcgPKm1TJ8uQEBoRMD/RkjT4YtF/ltBN+V
+eCLv272pxZo38JJZEGyWg4QTHXYQ7ayVc22RL3vQLEMRISvZnvl6pe2UMzgI8jOH
+NWhTtvrKuvR/M/nvqTpFf8lp0SiF/ZVVeGCaSmS1Eoyp1dk76qPRCl6RcI6bTv2F
+NT2RRKl3v4t4iEXnEjiyS6irzd2b
+=o1uH
+-----END PGP PUBLIC KEY BLOCK-----
diff -Nru postfix-3.4.10/debian/watch postfix-3.4.14/debian/watch
--- postfix-3.4.10/debian/watch	2020-03-16 06:33:05.000000000 -0400
+++ postfix-3.4.14/debian/watch	2020-06-29 21:33:10.000000000 -0400
@@ -1,3 +1,3 @@
 version=3
 
-opts=pasv ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-([\d+\.]+)\.tar\.gz
+opts=pasv,pgpsigurlmangle=s/$/.gpg2/ ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-(3.4[\d+\.]+)\.tar\.gz
diff -Nru postfix-3.4.10/HISTORY postfix-3.4.14/HISTORY
--- postfix-3.4.10/HISTORY	2020-03-12 10:58:26.000000000 -0400
+++ postfix-3.4.14/HISTORY	2020-06-27 17:15:17.000000000 -0400
@@ -24346,3 +24346,123 @@
 	multi-Milter configuration during MAIL FROM. Milter client
 	state was not properly reset after one of the Milters failed.
 	Reported by WeiYu Wu.
+
+20200416
+
+	Workaround for broken builds after an incompatible change
+	in GCC 10. Files: makedefs, Makefile.in.
+
+	Workaround for broken DANE support after an incompatible
+	change in GLIBC 2.31. This avoids the need for new options
+	in /etc/resolv.conf. Files: dns/dns.h, dns/dns_lookup.c.
+
+20200419
+
+	Bugfix: segfault in the tlsproxy client role when the server
+	role was disabled. This typically happens on systems that
+	do not receive mail, after configuring connection reuse for
+	outbound TLS. Found during program maintenance. File:
+	tlsproxy/tlsproxy.c.
+
+20200420
+
+	Noise suppression: shut up a compiler that special-cases
+	string literals. Viktor Dukhovni. File milter/milter.c.
+
+20200422
+
+	Security: disable DANE support on Alpine Linux because
+	libc-musl provides no indication whether DNS responses are
+	authentic. This broke DANE support without a clear explanation.
+	File: makedefs.
+
+20200505
+
+	Noise suppression: shut up a compiler that special-cases
+	string literals. Viktor Dukhovni. File smtpd/smtpd_check.c.
+
+20200509
+
+	Bugfix (introduced: Postfix 3.5): maillog_file_rotate_suffix
+	default value used the minute instead of the month. Reported
+	by Larry Stone. Files: conf/postfix-tls-script,
+	proto/MAILLOG_README.html, proto/postconf.proto.
+	global/mail_params.h, postfix/postfix.c.
+
+20200510
+
+	Bitrot: avoid U_FILE_ACCESS_ERROR after chroot(), by
+	initializing the ICU library before making the chroot()
+	call. Files: util/midna_domain.[hc], global/mail_params.c.
+
+20200511
+
+	Noise suppression: avoid "SSL_Shutdown:shutdown while in
+	init" warnings. File: tls/tls_session.c.
+
+20200515
+
+	Bugfix (introduced: Postfix 2.2): a TLS error for a PostgreSQL
+	client caused a false 'lost connection' error for an SMTP
+	over TLS session in the same Postfix process. Reported by
+	Alexander Vasarab, diagnosed by Viktor Dukhovni. File:
+	tls/tls_bio_ops.c.
+
+	Bugfix (introduced: Postfix 2.8): a TLS error for one TLS
+	session may cause a false 'lost connection' error for a
+	concurrent TLS session in the same tlsproxy process. File:
+	tlsproxy/tlsproxy.c.
+
+20200530
+
+	Bugfix (introduced: Postfix 3.1): "postfix tls deploy-server-cert"
+	did not handle a missing optional argument. File:
+	conf/postfix-tls-script.
+
+20200610
+
+	Bugfix (introduced: Postfix 3.4): in the Postfix SMTP server,
+	the SNI callback reported an error when it was called a
+	second time. This happened after the server-side TLS engine
+	sent a TLSv1.3 HelloRetryRequest (HRR) to a remote SMTP
+	client. Reported by Ján Máté, fixed by Viktor Dukhovni.
+	File: tls/tls_misc.c.
+
+20200617
+
+	Bugfix (introduced: Postfix 3.4): the connection_reuse
+	attribute in smtp_tls_policy_maps resulted in an "invalid
+	attribute name" error. Fix by Thorsten Habich. File:
+	smtp/smtp_tls_policy.c.
+
+20200619
+
+	Bugfix (introduced: Postfix 3.4): SMTP over TLS connection
+	reuse was broken for configurations that use explicit trust
+	anchors. Reported by Thorsten Habich. Cause: the tlsproxy
+	client was sending a zero certificate length. File:
+	tls/tls_proxy_client_print.c.
+
+20200620
+
+	Bugfix (introduced: Postfix 3.4): SMTP over TLS connection
+	reuse was broken for configurations that use explicit trust
+	anchors. Reported by Thorsten Habich. Fixed by calling DANE
+	initialization unconditionally (WTF). File: tlsproxy/tlsproxy.c.
+
+20200626
+
+	Bugfix (introduced: Postfix 2.11): The Postfix smtp(8)
+	client did not send the right SNI name when the TLSA base
+	domain was a secure CNAME expansion of the MX hostname (or
+	non-MX nexthop domain). Domains with CNAME expanded MX hosts
+	are not conformant with RFC5321, and so are rare. Even more
+	rare are MX hosts with TLSA records for their CNAME expansion.
+	For this to matter, the remote SMTP server would also have
+	to select its certificate based on the SNI name in such a
+	way that the original MX host would yield a different
+	certificate. Among the ~2 million hosts in the DANE survey,
+	none meet the conditions for returning a different certificate
+	for the expanded CNAME. Therefore, sending the correct SNI
+	name should not break existing mail flows. Fixed by Viktor
+	Dukhovni. File: src/tls/tls_client.c.
diff -Nru postfix-3.4.10/html/MAILLOG_README.html postfix-3.4.14/html/MAILLOG_README.html
--- postfix-3.4.10/html/MAILLOG_README.html	2019-02-03 16:26:07.000000000 -0500
+++ postfix-3.4.14/html/MAILLOG_README.html	2020-05-09 16:21:56.000000000 -0400
@@ -114,7 +114,7 @@
 
 <li> <p> Rename the current logfile by appending a suffix that
 contains the date and time. This suffix is configured with the
-<a href="postconf.5.html#maillog_file_rotate_suffix">maillog_file_rotate_suffix</a> parameter (default: %Y%M%d-%H%M%S). </p>
+<a href="postconf.5.html#maillog_file_rotate_suffix">maillog_file_rotate_suffix</a> parameter (default: %Y%m%d-%H%M%S). </p>
 
 <li> <p> Reload Postfix so that <a href="postlogd.8.html">postlogd(8)</a> immediately closes the
 old logfile. </p>
diff -Nru postfix-3.4.10/html/postconf.5.html postfix-3.4.14/html/postconf.5.html
--- postfix-3.4.10/html/postconf.5.html	2019-06-29 09:33:39.000000000 -0400
+++ postfix-3.4.14/html/postconf.5.html	2020-05-09 16:21:56.000000000 -0400
@@ -6284,7 +6284,7 @@
 </DD>
 
 <DT><b><a name="maillog_file_rotate_suffix">maillog_file_rotate_suffix</a>
-(default: %Y%M%d-%H%M%S)</b></DT><DD>
+(default: %Y%m%d-%H%M%S)</b></DT><DD>
 
 <p> The format of the suffix to append to $<a href="postconf.5.html#maillog_file">maillog_file</a> while rotating
 the file with "postfix logrotate". See strftime(3) for syntax. The
diff -Nru postfix-3.4.10/html/postfix.1.html postfix-3.4.14/html/postfix.1.html
--- postfix-3.4.10/html/postfix.1.html	2019-02-01 07:23:33.000000000 -0500
+++ postfix-3.4.14/html/postfix.1.html	2020-05-09 16:21:56.000000000 -0400
@@ -285,7 +285,7 @@
        <b><a href="postconf.5.html#maillog_file_prefixes">maillog_file_prefixes</a> (/var, /dev/stdout)</b>
               A list of allowed prefixes for a <a href="postconf.5.html#maillog_file">maillog_file</a> value.
 
-       <b><a href="postconf.5.html#maillog_file_rotate_suffix">maillog_file_rotate_suffix</a> (%Y%M%d-%H%M%S)</b>
+       <b><a href="postconf.5.html#maillog_file_rotate_suffix">maillog_file_rotate_suffix</a> (%Y%m%d-%H%M%S)</b>
               The format of the suffix to append to $<a href="postconf.5.html#maillog_file">maillog_file</a> while rotat-
               ing the file with "postfix logrotate".
 
diff -Nru postfix-3.4.10/makedefs postfix-3.4.14/makedefs
--- postfix-3.4.10/makedefs	2019-03-10 19:42:59.000000000 -0400
+++ postfix-3.4.14/makedefs	2020-05-06 10:10:41.000000000 -0400
@@ -228,6 +228,19 @@
  *) echo usage: $0 [system release] 1>&2; exit 1;;
 esac
 
+case "$SYSTEM" in
+ Linux)
+    case "`PATH=/bin:/usr/bin ldd /bin/sh`" in
+     *-musl-*)
+	case "$CCARGS" in
+	 *-DNO_DNSSEC*) ;;
+	 *) echo Warning: libc-musl breaks DANE/TLSA security. 1>&2
+	    echo This build will not support DANE/TLSA. 1>&2
+	    CCARGS="$CCARGS -DNO_DNSSEC";;
+	esac;;
+    esac;;
+esac
+
 case "$SYSTEM.$RELEASE" in
    SCO_SV.3.2)	SYSTYPE=SCO5
 		# Use the native compiler by default
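Review bot: The musl detection in the new `case "`PATH=/bin:/usr/bin ldd /bin/sh`"` depends on the loader path showing up in ldd's output for /bin/sh; on a musl system whose /bin/sh is statically linked, or where ldd is not in /bin or /usr/bin, the `*-musl-*` pattern will not match and the build keeps DANE enabled despite the AD-bit problem the RELEASE_NOTES hunk describes. A second signal, such as also matching `musl` in the output of `${CC:-cc} -dumpmachine`, would make the safety net less dependent on one binary. Failing that, a comment like `# assumes /bin/sh is dynamically linked against musl's loader` would at least record the assumption for whoever hits the gap.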
@@ -1136,7 +1149,7 @@
 : ${CC=gcc} ${OPT='-O'} ${DEBUG='-g'} ${AWK=awk} \
 ${WARN='-Wall -Wno-comment -Wformat -Wimplicit -Wmissing-prototypes \
 	-Wparentheses -Wstrict-prototypes -Wswitch -Wuninitialized \
-	-Wunused -Wno-missing-braces'}
+	-Wunused -Wno-missing-braces -fcommon'}
 
 # Extract map type names from -DHAS_XXX compiler options.  We avoid
 # problems with tr(1) range syntax by using enumerations instead,
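Review bot: `-fcommon` is appended to the WARN list without any comment, yet it is not a warning flag but a code-generation option that restores the pre-GCC-10 treatment of tentative definitions as common symbols, so a reader scanning the `-W...` options will not see why it is there. A one-line comment such as `# -fcommon: GCC 10 defaults to -fno-common; keep the old behavior for duplicate tentative definitions` would record the reason, and the durable fix is to make those definitions `extern` so the flag can be dropped again. The same undocumented addition appears in the Makefile.in hunk.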
diff -Nru postfix-3.4.10/Makefile.in postfix-3.4.14/Makefile.in
--- postfix-3.4.10/Makefile.in	2019-01-29 17:24:42.000000000 -0500
+++ postfix-3.4.14/Makefile.in	2020-04-18 11:25:46.000000000 -0400
@@ -1,5 +1,5 @@
 SHELL	= /bin/sh
-WARN    = -Wmissing-prototypes -Wformat -Wno-comment
+WARN    = -Wmissing-prototypes -Wformat -Wno-comment -fcommon
 OPTS	= 'WARN=$(WARN)'
 DIRS	= src/util src/global src/dns src/tls src/xsasl src/master src/milter \
 	src/postfix src/fsstone src/smtpstone \
diff -Nru postfix-3.4.10/man/man1/postfix.1 postfix-3.4.14/man/man1/postfix.1
--- postfix-3.4.10/man/man1/postfix.1	2019-02-01 07:23:32.000000000 -0500
+++ postfix-3.4.14/man/man1/postfix.1	2020-05-12 19:29:36.000000000 -0400
@@ -252,7 +252,7 @@
 logrotate".
 .IP "\fBmaillog_file_prefixes (/var, /dev/stdout)\fR"
 A list of allowed prefixes for a maillog_file value.
-.IP "\fBmaillog_file_rotate_suffix (%Y%M%d\-%H%M%S)\fR"
+.IP "\fBmaillog_file_rotate_suffix (%Y%m%d\-%H%M%S)\fR"
 The format of the suffix to append to $maillog_file while rotating
 the file with "postfix logrotate".
 .IP "\fBpostlog_service_name (postlog)\fR"
diff -Nru postfix-3.4.10/man/man5/postconf.5 postfix-3.4.14/man/man5/postconf.5
--- postfix-3.4.10/man/man5/postconf.5	2019-06-29 09:33:39.000000000 -0400
+++ postfix-3.4.14/man/man5/postconf.5	2020-05-12 19:29:36.000000000 -0400
@@ -3775,7 +3775,7 @@
 whitespace.
 .PP
 This feature is available in Postfix 3.4 and later.
-.SH maillog_file_rotate_suffix (default: %Y%M%d\-%H%M%S)
+.SH maillog_file_rotate_suffix (default: %Y%m%d\-%H%M%S)
 The format of the suffix to append to $maillog_file while rotating
 the file with "postfix logrotate". See \fBstrftime\fR(3) for syntax. The
 default suffix, YYYYMMDD\-HHMMSS, allows logs to be rotated frequently.
diff -Nru postfix-3.4.10/proto/MAILLOG_README.html postfix-3.4.14/proto/MAILLOG_README.html
--- postfix-3.4.10/proto/MAILLOG_README.html	2019-02-03 16:26:05.000000000 -0500
+++ postfix-3.4.14/proto/MAILLOG_README.html	2020-05-09 16:21:56.000000000 -0400
@@ -114,7 +114,7 @@
 
 <li> <p> Rename the current logfile by appending a suffix that
 contains the date and time. This suffix is configured with the
-maillog_file_rotate_suffix parameter (default: %Y%M%d-%H%M%S). </p>
+maillog_file_rotate_suffix parameter (default: %Y%m%d-%H%M%S). </p>
 
 <li> <p> Reload Postfix so that postlogd(8) immediately closes the
 old logfile. </p>
diff -Nru postfix-3.4.10/proto/postconf.proto postfix-3.4.14/proto/postconf.proto
--- postfix-3.4.10/proto/postconf.proto	2019-06-28 17:19:58.000000000 -0400
+++ postfix-3.4.14/proto/postconf.proto	2020-05-09 16:21:56.000000000 -0400
@@ -17611,7 +17611,7 @@
 
 <p> This feature is available in Postfix 3.4 and later. </p>
 
-%PARAM maillog_file_rotate_suffix %Y%M%d-%H%M%S
+%PARAM maillog_file_rotate_suffix %Y%m%d-%H%M%S
 
 <p> The format of the suffix to append to $maillog_file while rotating
 the file with "postfix logrotate". See strftime(3) for syntax. The
diff -Nru postfix-3.4.10/README_FILES/MAILLOG_README postfix-3.4.14/README_FILES/MAILLOG_README
--- postfix-3.4.10/README_FILES/MAILLOG_README	2019-02-03 16:26:07.000000000 -0500
+++ postfix-3.4.14/README_FILES/MAILLOG_README	2020-05-09 16:21:56.000000000 -0400
@@ -64,7 +64,7 @@
 
   * Rename the current logfile by appending a suffix that contains the date and
     time. This suffix is configured with the maillog_file_rotate_suffix
-    parameter (default: %Y%M%d-%H%M%S).
+    parameter (default: %Y%m%d-%H%M%S).
 
   * Reload Postfix so that postlogd(8) immediately closes the old logfile.
 
diff -Nru postfix-3.4.10/README_FILES/RELEASE_NOTES postfix-3.4.14/README_FILES/RELEASE_NOTES
--- postfix-3.4.10/README_FILES/RELEASE_NOTES	2019-06-27 19:19:08.000000000 -0400
+++ postfix-3.4.14/README_FILES/RELEASE_NOTES	2020-05-16 17:21:36.000000000 -0400
@@ -16,6 +16,14 @@
 If you upgrade from Postfix 3.2 or earlier, read RELEASE_NOTES-3.3
 before proceeding.
 
+libc-musl workaround for Postfix 3.2.15, 3.3.10, 3.4.12, and 3.5.2
+------------------------------------------------------------------
+
+Security: this release disables DANE support on Linux systems with
+libc-musl, because libc-musl provides no indication whether DNS
+responses are authentic. This broke DANE support without a clear
+explanation.
+
 TLS Workaround for Postfix 3.4.6, 3.3.5, 3.2.10 and 3.1.13
 -----------------------------------------------------------
 
diff -Nru postfix-3.4.10/RELEASE_NOTES postfix-3.4.14/RELEASE_NOTES
--- postfix-3.4.10/RELEASE_NOTES	2019-06-27 19:19:08.000000000 -0400
+++ postfix-3.4.14/RELEASE_NOTES	2020-05-16 17:21:36.000000000 -0400
@@ -16,6 +16,14 @@
 If you upgrade from Postfix 3.2 or earlier, read RELEASE_NOTES-3.3
 before proceeding.
 
+libc-musl workaround for Postfix 3.2.15, 3.3.10, 3.4.12, and 3.5.2
+------------------------------------------------------------------
+
+Security: this release disables DANE support on Linux systems with
+libc-musl, because libc-musl provides no indication whether DNS
+responses are authentic. This broke DANE support without a clear
+explanation.
+
 TLS Workaround for Postfix 3.4.6, 3.3.5, 3.2.10 and 3.1.13
 -----------------------------------------------------------
 
diff -Nru postfix-3.4.10/src/dns/dns.h postfix-3.4.14/src/dns/dns.h
--- postfix-3.4.10/src/dns/dns.h	2017-12-27 17:29:44.000000000 -0500
+++ postfix-3.4.14/src/dns/dns.h	2020-04-18 11:22:54.000000000 -0400
@@ -59,6 +59,7 @@
  */
 #ifdef NO_DNSSEC
 #undef RES_USE_DNSSEC
+#undef RES_TRUSTAD
 #endif
 
  /*
@@ -70,6 +71,9 @@
 #ifndef RES_USE_EDNS0
 #define RES_USE_EDNS0	0
 #endif
+#ifndef RES_TRUSTAD
+#define RES_TRUSTAD	0
+#endif
 
  /*-
   * TLSA: https://tools.ietf.org/html/rfc6698#section-7.1
diff -Nru postfix-3.4.10/src/dns/dns_lookup.c postfix-3.4.14/src/dns/dns_lookup.c
--- postfix-3.4.10/src/dns/dns_lookup.c	2019-12-15 11:13:04.000000000 -0500
+++ postfix-3.4.14/src/dns/dns_lookup.c	2020-04-18 11:22:54.000000000 -0400
@@ -116,6 +116,9 @@
 /*	Request DNSSEC validation. This flag is silently ignored
 /*	when the system stub resolver API, resolver(3), does not
 /*	implement DNSSEC.
+/*	Automatically turns on the RES_TRUSTAD flag on systems that
+/*	support this flag (this behavior will be more configurable
+/*	in a later release).
 /* .RE
 /* .IP lflags
 /*	Flags that control the operation of the dns_lookup*()
@@ -453,10 +456,10 @@
     /*
      * Set extra options that aren't exposed to the application.
      */
-#define XTRA_FLAGS (RES_USE_EDNS0)
+#define XTRA_FLAGS (RES_USE_EDNS0 | RES_TRUSTAD)
 
     if (flags & RES_USE_DNSSEC)
-	flags |= RES_USE_EDNS0;
+	flags |= (RES_USE_EDNS0 | RES_TRUSTAD);
 
     /*
      * Save and restore resolver options that we overwrite, to avoid
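Review bot: Enabling RES_TRUSTAD alongside RES_USE_DNSSEC (`flags |= (RES_USE_EDNS0 | RES_TRUSTAD);`) means that, as I read glibc's trust-ad semantics, the AD bit is kept from whichever nameservers resolv.conf lists, so a DANE "validated" result is only as trustworthy as the path to those servers. The RES_USE_DNSSEC text in the earlier hunk of this file says the flag is turned on automatically but not what that assumes of the resolver. I would extend that documentation with a sentence like `This is only safe when the configured nameserver is a validating resolver reached over a trusted path, for example on localhost.`, until the promised configurability lands.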
diff -Nru postfix-3.4.10/src/dns/dns_str_resflags.c postfix-3.4.14/src/dns/dns_str_resflags.c
--- postfix-3.4.10/src/dns/dns_str_resflags.c	2016-05-15 11:20:14.000000000 -0400
+++ postfix-3.4.14/src/dns/dns_str_resflags.c	2020-04-18 13:06:43.000000000 -0400
@@ -60,10 +60,16 @@
     "RES_DEFNAMES", RES_DEFNAMES,
     "RES_STAYOPEN", RES_STAYOPEN,
     "RES_DNSRCH", RES_DNSRCH,
+#ifdef RES_INSECURE1
     "RES_INSECURE1", RES_INSECURE1,
+#endif
+#ifdef RES_INSECURE2
     "RES_INSECURE2", RES_INSECURE2,
+#endif
     "RES_NOALIASES", RES_NOALIASES,
+#ifdef RES_USE_INET6
     "RES_USE_INET6", RES_USE_INET6,
+#endif
 #ifdef RES_ROTATE
     "RES_ROTATE", RES_ROTATE,
 #endif
diff -Nru postfix-3.4.10/src/global/mail_params.c postfix-3.4.14/src/global/mail_params.c
--- postfix-3.4.10/src/global/mail_params.c	2019-01-31 17:34:41.000000000 -0500
+++ postfix-3.4.14/src/global/mail_params.c	2020-05-12 19:15:37.000000000 -0400
@@ -868,6 +868,8 @@
     var_smtputf8_enable = 0;
 #else
     midna_domain_transitional = var_idna2003_compat;
+    if (var_smtputf8_enable)
+	midna_domain_pre_chroot();
 #endif
     util_utf8_enable = var_smtputf8_enable;
 
diff -Nru postfix-3.4.10/src/global/mail_params.h postfix-3.4.14/src/global/mail_params.h
--- postfix-3.4.10/src/global/mail_params.h	2019-07-23 18:46:37.000000000 -0400
+++ postfix-3.4.14/src/global/mail_params.h	2020-05-09 16:21:56.000000000 -0400
@@ -4178,7 +4178,7 @@
 extern char *var_maillog_file_comp;
 
 #define VAR_MAILLOG_FILE_STAMP	"maillog_file_rotate_suffix"
-#define DEF_MAILLOG_FILE_STAMP	"%Y%M%d-%H%M%S"
+#define DEF_MAILLOG_FILE_STAMP	"%Y%m%d-%H%M%S"
 extern char *var_maillog_file_stamp;
 
 #define VAR_POSTLOG_SERVICE	"postlog_service_name"
diff -Nru postfix-3.4.10/src/global/mail_version.h postfix-3.4.14/src/global/mail_version.h
--- postfix-3.4.10/src/global/mail_version.h	2020-03-12 10:52:04.000000000 -0400
+++ postfix-3.4.14/src/global/mail_version.h	2020-06-27 17:26:28.000000000 -0400
@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20200312"
-#define MAIL_VERSION_NUMBER	"3.4.10"
+#define MAIL_RELEASE_DATE	"20200627"
+#define MAIL_VERSION_NUMBER	"3.4.14"
 
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE
diff -Nru postfix-3.4.10/src/milter/milter.c postfix-3.4.14/src/milter/milter.c
--- postfix-3.4.10/src/milter/milter.c	2020-02-02 12:37:46.000000000 -0500
+++ postfix-3.4.14/src/milter/milter.c	2020-04-20 18:14:22.000000000 -0400
@@ -620,14 +620,14 @@
   * names by skipping the redundant "milter_" prefix.
   */
 static ATTR_OVER_TIME time_table[] = {
-    7 + VAR_MILT_CONN_TIME, DEF_MILT_CONN_TIME, 0, 1, 0,
-    7 + VAR_MILT_CMD_TIME, DEF_MILT_CMD_TIME, 0, 1, 0,
-    7 + VAR_MILT_MSG_TIME, DEF_MILT_MSG_TIME, 0, 1, 0,
+    7 + (const char *) VAR_MILT_CONN_TIME, DEF_MILT_CONN_TIME, 0, 1, 0,
+    7 + (const char *) VAR_MILT_CMD_TIME, DEF_MILT_CMD_TIME, 0, 1, 0,
+    7 + (const char *) VAR_MILT_MSG_TIME, DEF_MILT_MSG_TIME, 0, 1, 0,
     0,
 };
 static ATTR_OVER_STR str_table[] = {
-    7 + VAR_MILT_PROTOCOL, 0, 1, 0,
-    7 + VAR_MILT_DEF_ACTION, 0, 1, 0,
+    7 + (const char *) VAR_MILT_PROTOCOL, 0, 1, 0,
+    7 + (const char *) VAR_MILT_DEF_ACTION, 0, 1, 0,
     0,
 };
 
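Review bot: The rewritten initializers `7 + (const char *) VAR_MILT_CONN_TIME` still carry a bare magic offset that has to equal the length of the `"milter_"` prefix the comment above describes, and a prefix change would silently yield a wrong attribute name rather than a compile error. Tying the offset to the string it skips, e.g. `(sizeof("milter_") - 1) + (const char *) VAR_MILT_CONN_TIME` or a small `#define MILT_PREFIX_LEN (sizeof("milter_") - 1)`, removes that trap. The same applies to the `21` offsets in the smtpd_check.c hunk, where the skipped prefix is `"smtpd_policy_service_"`.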
diff -Nru postfix-3.4.10/src/postfix/postfix.c postfix-3.4.14/src/postfix/postfix.c
--- postfix-3.4.10/src/postfix/postfix.c	2019-02-01 07:23:22.000000000 -0500
+++ postfix-3.4.14/src/postfix/postfix.c	2020-05-09 16:21:56.000000000 -0400
@@ -242,7 +242,7 @@
 /*	logrotate".
 /* .IP "\fBmaillog_file_prefixes (/var, /dev/stdout)\fR"
 /*	A list of allowed prefixes for a maillog_file value.
-/* .IP "\fBmaillog_file_rotate_suffix (%Y%M%d-%H%M%S)\fR"
+/* .IP "\fBmaillog_file_rotate_suffix (%Y%m%d-%H%M%S)\fR"
 /*	The format of the suffix to append to $maillog_file while rotating
 /*	the file with "postfix logrotate".
 /* .IP "\fBpostlog_service_name (postlog)\fR"
diff -Nru postfix-3.4.10/src/smtp/smtp_tls_policy.c postfix-3.4.14/src/smtp/smtp_tls_policy.c
--- postfix-3.4.10/src/smtp/smtp_tls_policy.c	2018-12-26 14:21:49.000000000 -0500
+++ postfix-3.4.14/src/smtp/smtp_tls_policy.c	2020-06-17 11:19:54.000000000 -0400
@@ -389,6 +389,7 @@
 			 WHERE, name, val);
 		INVALID_RETURN(tls->why, site_level);
 	    }
+	    continue;
 	}
 	msg_warn("%s: invalid attribute name: \"%s\"", WHERE, name);
 	INVALID_RETURN(tls->why, site_level);
diff -Nru postfix-3.4.10/src/smtpd/smtpd_check.c postfix-3.4.14/src/smtpd/smtpd_check.c
--- postfix-3.4.10/src/smtpd/smtpd_check.c	2019-03-12 08:28:20.000000000 -0400
+++ postfix-3.4.14/src/smtpd/smtpd_check.c	2020-05-05 18:34:05.000000000 -0400
@@ -483,20 +483,20 @@
   * parameter names by skipping the redundant "smtpd_policy_service_" prefix.
   */
 static ATTR_OVER_TIME time_table[] = {
-    21 + VAR_SMTPD_POLICY_TMOUT, DEF_SMTPD_POLICY_TMOUT, 0, 1, 0,
-    21 + VAR_SMTPD_POLICY_IDLE, DEF_SMTPD_POLICY_IDLE, 0, 1, 0,
-    21 + VAR_SMTPD_POLICY_TTL, DEF_SMTPD_POLICY_TTL, 0, 1, 0,
-    21 + VAR_SMTPD_POLICY_TRY_DELAY, DEF_SMTPD_POLICY_TRY_DELAY, 0, 1, 0,
+    21 + (const char *) VAR_SMTPD_POLICY_TMOUT, DEF_SMTPD_POLICY_TMOUT, 0, 1, 0,
+    21 + (const char *) VAR_SMTPD_POLICY_IDLE, DEF_SMTPD_POLICY_IDLE, 0, 1, 0,
+    21 + (const char *) VAR_SMTPD_POLICY_TTL, DEF_SMTPD_POLICY_TTL, 0, 1, 0,
+    21 + (const char *) VAR_SMTPD_POLICY_TRY_DELAY, DEF_SMTPD_POLICY_TRY_DELAY, 0, 1, 0,
     0,
 };
 static ATTR_OVER_INT int_table[] = {
-    21 + VAR_SMTPD_POLICY_REQ_LIMIT, 0, 0, 0,
-    21 + VAR_SMTPD_POLICY_TRY_LIMIT, 0, 1, 0,
+    21 + (const char *) VAR_SMTPD_POLICY_REQ_LIMIT, 0, 0, 0,
+    21 + (const char *) VAR_SMTPD_POLICY_TRY_LIMIT, 0, 1, 0,
     0,
 };
 static ATTR_OVER_STR str_table[] = {
-    21 + VAR_SMTPD_POLICY_DEF_ACTION, 0, 1, 0,
-    21 + VAR_SMTPD_POLICY_CONTEXT, 0, 1, 0,
+    21 + (const char *) VAR_SMTPD_POLICY_DEF_ACTION, 0, 1, 0,
+    21 + (const char *) VAR_SMTPD_POLICY_CONTEXT, 0, 1, 0,
     0,
 };
 
diff -Nru postfix-3.4.10/src/tls/tls_bio_ops.c postfix-3.4.14/src/tls/tls_bio_ops.c
--- postfix-3.4.10/src/tls/tls_bio_ops.c	2013-05-30 08:45:03.000000000 -0400
+++ postfix-3.4.14/src/tls/tls_bio_ops.c	2020-05-16 11:48:08.000000000 -0400
@@ -194,6 +194,13 @@
      * handling any pending network I/O.
      */
     for (;;) {
+
+	/*
+	 * Flush the per-thread SSL error queue. Otherwise, errors from other
+	 * code that also uses TLS may confuse SSL_get_error(3).
+	 */
+	ERR_clear_error();
+
 	if (hsfunc)
 	    status = hsfunc(TLScontext->con);
 	else if (rfunc)
diff -Nru postfix-3.4.10/src/tls/tls_client.c postfix-3.4.14/src/tls/tls_client.c
--- postfix-3.4.10/src/tls/tls_client.c	2019-02-18 18:03:54.000000000 -0500
+++ postfix-3.4.14/src/tls/tls_client.c	2020-06-27 17:43:46.000000000 -0400
@@ -1018,10 +1018,13 @@
 	 * avoid SNI, and there are no plans to support SNI in the Postfix
 	 * SMTP server).
 	 * 
+	 * Per RFC7672, the required SNI name is the TLSA "base domain" (the one
+	 * used to construct the "_25._tcp.<fqdn>" TLSA record DNS query).
+	 * 
 	 * Since the hostname is DNSSEC-validated, it must be a DNS FQDN and
 	 * thererefore valid for use with SNI.
 	 */
-	sni = props->host;
+	sni = props->dane->base_domain;
     } else if (props->sni && *props->sni) {
 	if (strcmp(props->sni, "hostname") == 0)
 	    sni = props->host;
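Review bot: `sni = props->dane->base_domain;` dereferences `props->dane` and then uses `base_domain` with no visible check that either is set; the enclosing `if` that selects this branch starts outside the hunk, so I cannot confirm it guarantees both. If it does not, a null here takes down the smtp(8) client process, and a guard such as `if (props->dane == 0 || props->dane->base_domain == 0) msg_panic("%s: DANE-based level without base domain", props->namaddr);` would turn that into a diagnosable failure. If the guarantee does hold, a one-line comment saying so next to the assignment would save the next reader the same check.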
diff -Nru postfix-3.4.10/src/tls/tls_misc.c postfix-3.4.14/src/tls/tls_misc.c
--- postfix-3.4.10/src/tls/tls_misc.c	2019-06-25 17:51:24.000000000 -0400
+++ postfix-3.4.14/src/tls/tls_misc.c	2020-06-10 17:16:49.000000000 -0400
@@ -686,6 +686,27 @@
 		 TLScontext->namaddr, sni);
 	return SSL_TLSEXT_ERR_NOACK;
     }
+
+    /*
+     * With TLS 1.3, when the client's proposed key share is not supported by
+     * the server, the server may issue a HelloRetryRequest (HRR), and the
+     * client will then retry with a new key share on a curve supported by
+     * the server.  This results in the SNI callback running twice for the
+     * same connection.
+     * 
+     * When that happens, The client MUST send the essentially the same hello
+     * message, including the SNI name, and since we've already loaded our
+     * certificate chain, we don't need to do it again!  Therefore, if we've
+     * already recorded the peer SNI name, just check that it has not
+     * changed, and return success.
+     */
+    if (TLScontext->peer_sni) {
+	if (strcmp(sni, TLScontext->peer_sni) == 0)
+	    return SSL_TLSEXT_ERR_OK;
+	msg_warn("TLS SNI changed from %s initially %s, %s after hello retry",
+		 TLScontext->namaddr, TLScontext->peer_sni, sni);
+	return SSL_TLSEXT_ERR_NOACK;
+    }
     do {
 	/* Don't silently skip maps opened with the wrong flags. */
 	pem = maps_file_find(tls_server_sni_maps, cp, 0);
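Review bot: When the SNI name differs after a HelloRetryRequest, the new block returns `SSL_TLSEXT_ERR_NOACK`, which lets the handshake continue with the chain already loaded for the first name; if the intent is to reject a second ClientHello that changed in a way RFC 8446 does not allow, `return SSL_TLSEXT_ERR_ALERT_FATAL;` would abort it instead. I note that NOACK is what the existing lookup-failure path just above this block also returns, so keeping it is consistent with the file, but the choice deserves a comment either way. The warning text `"TLS SNI changed from %s initially %s, %s after hello retry"` reads oddly with the peer address as the first operand; `"%s: TLS SNI changed from %s initially to %s after hello retry"` would match the other diagnostics. The comment also has a typo, `send the essentially the same`, and the enclosing callback starts outside the hunk.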
diff -Nru postfix-3.4.10/src/tls/tls_proxy_client_print.c postfix-3.4.14/src/tls/tls_proxy_client_print.c
--- postfix-3.4.10/src/tls/tls_proxy_client_print.c	2019-02-11 08:11:43.000000000 -0500
+++ postfix-3.4.14/src/tls/tls_proxy_client_print.c	2020-06-19 13:39:34.000000000 -0400
@@ -213,6 +213,7 @@
 	    i2d_X509(tp->cert, &bp);
 	    if ((char *) bp - STR(buf) != len)
 		msg_panic("i2d_X509 failed to encode certificate");
+	    vstring_set_payload_size(buf, len);
 	    ret = print_fn(fp, flags | ATTR_FLAG_MORE,
 			   SEND_ATTR_DATA(TLS_ATTR_CERT, LEN(buf), STR(buf)),
 			   ATTR_TYPE_END);
@@ -258,6 +259,7 @@
 	    i2d_PUBKEY(tp->pkey, &bp);
 	    if ((char *) bp - STR(buf) != len)
 		msg_panic("i2d_PUBKEY failed to encode public key");
+	    vstring_set_payload_size(buf, len);
 	    ret = print_fn(fp, flags | ATTR_FLAG_MORE,
 			   SEND_ATTR_DATA(TLS_ATTR_PKEY, LEN(buf), STR(buf)),
 			   ATTR_TYPE_END);
diff -Nru postfix-3.4.10/src/tls/tls_session.c postfix-3.4.14/src/tls/tls_session.c
--- postfix-3.4.10/src/tls/tls_session.c	2019-06-25 08:05:54.000000000 -0400
+++ postfix-3.4.14/src/tls/tls_session.c	2020-05-12 19:17:34.000000000 -0400
@@ -118,7 +118,7 @@
      * so we will not perform SSL_shutdown() and the session will be removed
      * as being bad.
      */
-    if (!failure) {
+    if (!failure && !SSL_in_init(TLScontext->con)) {
 	retval = tls_bio_shutdown(vstream_fileno(stream), timeout, TLScontext);
 	if (!var_tls_fast_shutdown && retval == 0)
 	    tls_bio_shutdown(vstream_fileno(stream), timeout, TLScontext);
diff -Nru postfix-3.4.10/src/tlsproxy/tlsproxy.c postfix-3.4.14/src/tlsproxy/tlsproxy.c
--- postfix-3.4.10/src/tlsproxy/tlsproxy.c	2019-09-14 18:43:05.000000000 -0400
+++ postfix-3.4.14/src/tlsproxy/tlsproxy.c	2020-06-20 15:32:27.000000000 -0400
@@ -781,6 +781,7 @@
      */
     if (state->flags & TLSP_FLAG_DO_HANDSHAKE) {
 	state->timeout = state->handshake_timeout;
+	ERR_clear_error();
 	if (state->is_server_role)
 	    ssl_stat = SSL_accept(tls_context->con);
 	else
@@ -809,6 +810,7 @@
     if (NBBIO_ERROR_FLAGS(plaintext_buf)) {
 	if (NBBIO_ACTIVE_FLAGS(plaintext_buf))
 	    nbbio_disable_readwrite(state->plaintext_buf);
+	ERR_clear_error();
 	if (!SSL_in_init(tls_context->con)
 	    && (ssl_stat = SSL_shutdown(tls_context->con)) < 0) {
 	    handshake_err = SSL_get_error(tls_context->con, ssl_stat);
@@ -835,6 +837,7 @@
      */
     ssl_write_err = SSL_ERROR_NONE;
     while (NBBIO_READ_PEND(plaintext_buf) > 0) {
+	ERR_clear_error();
 	ssl_stat = SSL_write(tls_context->con, NBBIO_READ_BUF(plaintext_buf),
 			     NBBIO_READ_PEND(plaintext_buf));
 	ssl_write_err = SSL_get_error(tls_context->con, ssl_stat);
@@ -865,6 +868,7 @@
      */
     ssl_read_err = SSL_ERROR_NONE;
     while (NBBIO_WRITE_PEND(state->plaintext_buf) < NBBIO_BUFSIZE(plaintext_buf)) {
+	ERR_clear_error();
 	ssl_stat = SSL_read(tls_context->con,
 			    NBBIO_WRITE_BUF(plaintext_buf)
 			    + NBBIO_WRITE_PEND(state->plaintext_buf),
@@ -989,12 +993,12 @@
     state->client_start_props->ctx = state->appl_state;
     state->client_start_props->fd = state->ciphertext_fd;
     /* These predicates and warning belong inside tls_client_start(). */
-    if (!TLS_DANE_BASED(state->client_start_props->tls_level)
-	|| tls_dane_avail())
-	state->tls_context = tls_client_start(state->client_start_props);
-    else
+    if (!tls_dane_avail()			/* mandatory side effects!! */
+	&&TLS_DANE_BASED(state->client_start_props->tls_level))
 	msg_warn("%s: DANE requested, but not available",
 		 state->client_start_props->namaddr);
+    else
+	state->tls_context = tls_client_start(state->client_start_props);
     if (state->tls_context != 0)
 	return (TLSP_STAT_OK);
 
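Review bot: The new condition `if (!tls_dane_avail() /* mandatory side effects!! */ && TLS_DANE_BASED(...))` hides a required initialization inside an operand whose position only short-circuit evaluation protects, and the inline comment is the sole defence against someone reordering the operands back. Hoisting the call into its own statement makes the dependency explicit: `int dane_avail = tls_dane_avail(); /* always call: performs DANE initialization */` followed by `if (!dane_avail && TLS_DANE_BASED(state->client_start_props->tls_level))`. The missing space in `&&TLS_DANE_BASED` should be fixed at the same time. The enclosing function starts outside the hunk.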
@@ -1489,16 +1493,15 @@
 			    TLSP_INIT_TIMEOUT, (void *) state);
 }
 
-/* pre_jail_init - pre-jail initialization */
+/* pre_jail_init_server - pre-jail initialization */
 
-static void pre_jail_init(char *unused_name, char **unused_argv)
+static void pre_jail_init_server(void)
 {
     TLS_SERVER_INIT_PROPS props;
     const char *cert_file;
     int     have_server_cert;
     int     no_server_cert_ok;
     int     require_server_cert;
-    int     clnt_use_tls;
 
     /*
      * The code in this routine is pasted literally from smtpd(8). I am not
@@ -1531,7 +1534,7 @@
     }
     var_tlsp_use_tls = var_tlsp_use_tls || var_tlsp_enforce_tls;
     if (!var_tlsp_use_tls) {
-	msg_warn("TLS service is requested, but disabled with %s or %s",
+	msg_warn("TLS server role is disabled with %s or %s",
 		 VAR_TLSP_TLS_LEVEL, VAR_TLSP_USE_TLS);
 	return;
     }
@@ -1622,6 +1625,13 @@
 	SSL_CTX_set_mode(tlsp_server_ctx->ssl_ctx,
 			 SSL_MODE_ENABLE_PARTIAL_WRITE
 			 | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
+}
+
+/* pre_jail_init_client - pre-jail initialization */
+
+static void pre_jail_init_client(void)
+{
+    int     clnt_use_tls;
 
     /*
      * The cache with TLS_APPL_STATE instances for different TLS_CLIENT_INIT
@@ -1733,6 +1743,18 @@
 		msg_warn("TLS client initialization failed");
 	}
     }
+}
+
+/* pre_jail_init - pre-jail initialization */
+
+static void pre_jail_init(char *unused_name, char **unused_argv)
+{
+
+    /*
+     * Initialize roles separately.
+     */
+    pre_jail_init_server();
+    pre_jail_init_client();
 
     /*
      * tlsp_client_init() needs to know if it is called pre-jail or
diff -Nru postfix-3.4.10/src/util/midna_domain.c postfix-3.4.14/src/util/midna_domain.c
--- postfix-3.4.10/src/util/midna_domain.c	2016-12-04 12:40:19.000000000 -0500
+++ postfix-3.4.14/src/util/midna_domain.c	2020-05-12 19:15:37.000000000 -0400
@@ -20,6 +20,8 @@
 /*
 /*	const char *midna_domain_suffix_to_utf8(
 /*	const char *name)
+/* AUXILIARY FUNCTIONS
+/*	void midna_domain_pre_chroot(void)
 /* DESCRIPTION
 /*	The functions in this module transform domain names from/to
 /*	ASCII and UTF-8 form. The result is cached to avoid repeated
@@ -52,6 +54,8 @@
 /*
 /*	midna_domain_transitional enables transitional conversion
 /*	between UTF8 and ASCII labels.
+/*
+/*	midna_domain_pre_chroot() does some pre-chroot initialization.
 /* SEE ALSO
 /*	http://unicode.org/reports/tr46/ Unicode IDNA Compatibility processing
 /*	msg(3) diagnostics interface
@@ -144,6 +148,22 @@
     }
 }
 
+/* midna_domain_pre_chroot - pre-chroot initialization */
+
+void    midna_domain_pre_chroot(void)
+{
+    UErrorCode error = U_ZERO_ERROR;
+    UIDNAInfo info = UIDNA_INFO_INITIALIZER;
+    UIDNA  *idna;
+
+    idna = uidna_openUTS46(midna_domain_transitional ? UIDNA_DEFAULT
+			   : UIDNA_NONTRANSITIONAL_TO_ASCII, &error);
+    if (U_FAILURE(error))
+	msg_warn("ICU library initialization failed: %s",
+		 midna_domain_strerror(error, info.errors));
+    uidna_close(idna);
+}
+
 /* midna_domain_to_ascii_create - convert domain to ASCII */
 
 static void *midna_domain_to_ascii_create(const char *name, void *unused_context)
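Review bot: midna_domain_pre_chroot() opens and immediately closes a UIDNA handle, but neither its header line nor the module description added in the earlier hunk (`does some pre-chroot initialization`) says what that achieves; from the name and the test program's chroot(".") call it presumably makes ICU load its data before the process loses access to the filesystem, which is worth stating. I would replace the header with `/* midna_domain_pre_chroot - open and close a UIDNA handle so that ICU loads its data while it is still reachable (before chroot) */` and mirror that in the DESCRIPTION section. Also, `info` is set from UIDNA_INFO_INITIALIZER and never filled in by uidna_openUTS46(), so the `info.errors` passed to midna_domain_strerror() is always its initial value; a short comment on that line would stop readers from looking for where it is populated.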
@@ -327,6 +347,7 @@
  /*
   * Test program - reads names from stdin, reports invalid names to stderr.
   */
+#include <unistd.h>
 #include <stdlib.h>
 #include <locale.h>
 
@@ -350,6 +371,11 @@
     /* msg_verbose = 1; */
     util_utf8_enable = 1;
 
+    if (geteuid() == 0) {
+	midna_domain_pre_chroot();
+	if (chroot(".") != 0)
+	    msg_fatal("chroot(\".\"): %m");
+    }
     while (vstring_fgets_nonl(buffer, VSTREAM_IN)) {
 	bp = STR(buffer);
 	msg_info("> %s", bp);
diff -Nru postfix-3.4.10/src/util/midna_domain.h postfix-3.4.14/src/util/midna_domain.h
--- postfix-3.4.10/src/util/midna_domain.h	2016-11-05 18:38:56.000000000 -0400
+++ postfix-3.4.14/src/util/midna_domain.h	2020-05-12 19:15:37.000000000 -0400
@@ -18,6 +18,7 @@
 extern const char *midna_domain_to_utf8(const char *);
 extern const char *midna_domain_suffix_to_ascii(const char *);
 extern const char *midna_domain_suffix_to_utf8(const char *);
+extern void midna_domain_pre_chroot(void);
 
 extern int midna_domain_cache_size;
 extern int midna_domain_transitional;
