Current-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

HEADS UP: Postfix 2.8.11 imported


I've imported Postfix 2.8.11 into NetBSD-current today. It builds and works
fine under NetBSD/i386. Please submit a bug report if you find any problems.

Here is a list of the changes since version 2.8.8:

- The "change header" milter request could replace the wrong header. A long
  header name could match a shorter one, because a length check was done on
  the wrong string. Reported by Vladimir Vassiliev.
- Core dump when postlog emitted the "usage" message, caused by an extraneous
  null assignment. Reported by Kant (fnord.hammer).
- These releases add support to turn off the TLSv1.1 and TLSv1.2 protocols.
  Introduced with OpenSSL version 1.0.1, these protocols are known to cause
  inter-operability problems, for example with some hotmail services.
  The radical workaround is to temporarily turn off problematic protocols

            smtp_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
            smtp_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2

            smtpd_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
            smtpd_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2

  However, it may be better to temporarily turn off problematic protocols for
  broken sites only:

            smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

           may protocols=!SSLv2:!TLSv1.1:!TLSv1.2


  Note the use of ":" instead of comma or space. Also, note that there is NO
  space around the "=" in "protocols=".

  The smtp_tls_policy_maps lookup key must match the "next-hop" destination
  that is given to the Postfix SMTP client. If you override the next-hop
  destination with transport_maps, relayhost, sender_dependent_relayhost_maps,
  or otherwise, you need to specify the same destination for the
  smtp_tls_policy_maps lookup key.
- OpenSSL related (all supported Postfix versions).
  Some people have reported program crashes when the OpenSSL library was
  updated while Postfix was accessing the Postfix TLS session cache. To avoid
  this, the Postfix TLS session cache ID now includes the OpenSSL library
  version number. This cache ID is not shared via the network.
- The OpenSSL workaround introduced with the previous stable and legacy
  releases did not compile with older gcc compilers. These compilers can't
  handle #ifdef inside a macro invocation (NOT: definition).
- To avoid repeated warnings from postscreen(8) with "connect to
  private/dnsblog service: Connection refused" on FreeBSD, the dnsblog(8)
  daemon now uses the single_server program driver instead of the multi_server
  driver. This one-line code change has no performance impact for other
  systems, and eliminates a high-frequency accept() race on a shared socket
  that appears to cause trouble on FreeBSD. The same single_server program
  driver has proven itself for many years in smtpd(8). Problem reported by
  Sahil Tandon.
- Laptop-friendly support (all supported Postfix versions). A little-known
  secret is that Postfix has always had support to avoid unnecessary disk
  spin-up for MTIME updates, by doing s/fifo/unix/ in (this is
  currently not supported on Solaris systems). However, two minor fixes are
  needed to make this bullet-proof.
- In laptop-friendly mode, the "postqueue -f" and "sendmail -q" commands did
  not wait until their requests had reached the pickup and qmgr servers before
  closing their UNIX-domain request sockets.
- In laptop-friendly mode, the unused postkick command waited for more than
  a minute because the event_drain() function was comparing bitmasks
  incorrectly on systems with kqueue(2), epoll(2) or /dev/poll support.

        Kind regards

Matthias Scheler                        

Attachment: pgpGfTMYKtPO_.pgp
Description: PGP signature

Home | Main Index | Thread Index | Old Index