pkgsrc-Changes archive


CVS commit: pkgsrc/mail/postfix



Module Name:    pkgsrc
Committed By:   triaxx
Date:           Thu Jan 21 16:37:59 UTC 2021

Modified Files:
        pkgsrc/mail/postfix: Makefile.common distinfo
        pkgsrc/mail/postfix/patches: patch-src_dns_dns__lookup.c

Log Message:
postfix: Update to 3.5.9

upstream changes:
-----------------
This update improves the reporting of DNSSEC problems that may affect DANE
security. DNSSEC support may be unavailable because of local configuration, libc
incompatibility, or other infrastructure issues. This was backported from
Postfix 3.6.

Background: DNSSEC validation is needed for Postfix DANE support; this ensures
that Postfix receives TLSA records with secure TLS server certificate info.
When DNSSEC validation is unavailable, mail deliveries using opportunistic DANE
(security level 'dane') will not be protected by server certificate info in
TLSA records, and mail deliveries using mandatory DANE (security level
'dane-only') will not be made at all.

This update introduces the following behavior: when a process requests DNSSEC
support (typically, for Postfix DANE support), the process may now do a runtime
test to determine if DNSSEC validation is available.

The new dnssec_probe parameter specifies a DNS query type (default: "ns") and
DNS query name (default: ".") that Postfix may use to determine whether DNSSEC
validation is available. Specify an empty value to disable this feature.

When dnssec_probe is enabled, a Postfix process will send a DNSSEC probe after
1) the process made a DNS query that requested DNSSEC validation, 2) the
process did not receive a DNSSEC validated response to this query or to an
earlier query, and 3) the process did not already send a DNSSEC probe.

When the DNSSEC probe has no response, or when the response is not DNSSEC
validated, Postfix logs a warning that DNSSEC validation may be unavailable.
Examples:

warning: DNSSEC validation may be unavailable
warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
warning: reason: dnssec_probe 'ns:.' received no response: Server failure

With this update, the Postfix build system will no longer automatically disable
DNSSEC support when it determines that Postfix will use libc-musl. This removes
the earlier libc-musl workaround introduced with Postfix 3.2.15, 3.3.10,
3.4.12, and 3.5.2.
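
Added example, not part of the commit or of Postfix: a small log check that pairs the "DNSSEC validation may be unavailable" warning with its dnssec_probe reason line, so an operator can see which processes are delivering without DANE protection. The syslog prefix layout, host names, PIDs and timestamps are constructed assumptions; only the warning texts come from the release notes above.

```python
import re

# Constructed sample syslog lines (host, PIDs, timestamps and queue ID are invented);
# the warning texts are the ones quoted in the release notes.
SAMPLE_LOG = """\
Jan 21 17:02:11 mx1 postfix/smtp[2211]: warning: DNSSEC validation may be unavailable
Jan 21 17:02:11 mx1 postfix/smtp[2211]: warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
Jan 21 17:02:12 mx1 postfix/qmgr[901]: 4DFa1: from=<a@example.org>, size=912, nrcpt=1 (queue active)
Jan 21 17:05:40 mx1 postfix/smtp[2297]: warning: DNSSEC validation may be unavailable
Jan 21 17:05:40 mx1 postfix/smtp[2297]: warning: reason: dnssec_probe 'ns:.' received no response: Server failure
"""

# Assumed traditional syslog prefix: "Mon DD HH:MM:SS host postfix/daemon[pid]: message"
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) "
    r"(?P<proc>postfix[^/\s]*/[^\[\s]+\[\d+\]): (?P<msg>.*)$")
HEAD = "warning: DNSSEC validation may be unavailable"
REASON = re.compile(
    r"^warning: reason: dnssec_probe '(?P<qtype>[^:']+):(?P<qname>[^']*)' "
    r"received (?P<what>no response|a response that is not DNSSEC validated)"
    r"(?:: (?P<detail>.*))?$")
KIND = {
    "no response": "no_response",
    "a response that is not DNSSEC validated": "not_validated",
}

def find_dnssec_probe_failures(log_text):
    """Return one finding per (host, process) that logged the probe warning."""
    by_proc = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        reason = REASON.match(m["msg"])
        if m["msg"] != HEAD and not reason:
            continue
        # A process sends at most one probe, so one finding per process is enough.
        f = by_proc.setdefault((m["host"], m["proc"]), {
            "first_seen": m["ts"], "host": m["host"], "process": m["proc"],
            "kind": "unknown", "probe": None, "detail": None})
        if reason:
            f["kind"] = KIND[reason["what"]]
            f["probe"] = f"{reason['qtype']}:{reason['qname']}"
            f["detail"] = reason["detail"]
    return list(by_proc.values())

if __name__ == "__main__":
    for f in find_dnssec_probe_failures(SAMPLE_LOG):
        print(f["first_seen"], f["host"], f["process"], f["kind"], f["probe"], f["detail"])
```

A "not_validated" finding points at the resolver path (no validating resolver, or the AD bit is being dropped), while "no_response" points at reachability of the resolver itself.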


To generate a diff of this commit:
cvs rdiff -u -r1.31 -r1.32 pkgsrc/mail/postfix/Makefile.common
cvs rdiff -u -r1.190 -r1.191 pkgsrc/mail/postfix/distinfo
cvs rdiff -u -r1.7 -r1.8 \
    pkgsrc/mail/postfix/patches/patch-src_dns_dns__lookup.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/mail/postfix/Makefile.common
diff -u pkgsrc/mail/postfix/Makefile.common:1.31 pkgsrc/mail/postfix/Makefile.common:1.32
--- pkgsrc/mail/postfix/Makefile.common:1.31    Sun Nov 22 11:14:44 2020
+++ pkgsrc/mail/postfix/Makefile.common Thu Jan 21 16:37:59 2021
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile.common,v 1.31 2020/11/22 11:14:44 adam Exp $
+# $NetBSD: Makefile.common,v 1.32 2021/01/21 16:37:59 triaxx Exp $
 # used by mail/postfix/Makefile
 # used by mail/postfix/Makefile.module
 
-DISTNAME=      postfix-3.5.8
+DISTNAME=      postfix-3.5.9
 CATEGORIES=    mail
 MASTER_SITES=  ftp://ftp.porcupine.org/mirrors/postfix-release/official/
 MASTER_SITES+= http://mirrors.isc.org/pub/postfix/official/
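Review bot: Both MASTER_SITES entries in the context below the DISTNAME bump are plaintext transports (ftp:// and http://), so the 3.5.9 fetch is protected only by the distinfo digests. If an HTTPS mirror of the official release directory exists, list it first; either way, the new distinfo hashes should have been checked against upstream's published release rather than computed from whatever the plaintext fetch returned.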

Index: pkgsrc/mail/postfix/distinfo
diff -u pkgsrc/mail/postfix/distinfo:1.190 pkgsrc/mail/postfix/distinfo:1.191
--- pkgsrc/mail/postfix/distinfo:1.190  Sun Nov 22 11:14:44 2020
+++ pkgsrc/mail/postfix/distinfo        Thu Jan 21 16:37:59 2021
@@ -1,10 +1,10 @@
-$NetBSD: distinfo,v 1.190 2020/11/22 11:14:44 adam Exp $
+$NetBSD: distinfo,v 1.191 2021/01/21 16:37:59 triaxx Exp $
 
-SHA1 (postfix-3.5.8.tar.gz) = 1dfb10729498be5d387dc730117c2a845dd93ac0
-RMD160 (postfix-3.5.8.tar.gz) = 110351d43f0b1b8e5fa63d7f5d557fff5ece2b46
-SHA512 (postfix-3.5.8.tar.gz) = 0abb07d99e343b76e6a26b4a090af9d592f4dfd03c8c737cc72bfb0f4267dafcbb0cb0aa7b6255f8b834c9289d89a5c47b167be3758239309937cb77e0d9464b
-Size (postfix-3.5.8.tar.gz) = 4614733 bytes
+SHA1 (postfix-3.5.9.tar.gz) = f7caa483ebbb7f7b4f912dcfb879a5f1017c327e
+RMD160 (postfix-3.5.9.tar.gz) = 7df8bcf324ab6604ab1a6ba2f47eadeeebd1c65e
+SHA512 (postfix-3.5.9.tar.gz) = 9ff3a33cdd5811e470d5c6cfa896fa76e4d3257b139deec5f420d18e34232f327b7c8496c5d13566c6f9ae1fdf8719feb9981372b2869b0208a2eb3a1daaeadd
+Size (postfix-3.5.9.tar.gz) = 4620852 bytes
 SHA1 (patch-aa) = c8216f133e202a7bb37682b0dbc1448f021e7c1c
 SHA1 (patch-ag) = c126c572e36bf2bcbd3f6e5d8332a3d26e704109
 SHA1 (patch-ai) = 51748ccf92da543f7ff640f36906a29b5db3f6e3
-SHA1 (patch-src_dns_dns__lookup.c) = 036872a0e6e438d0253469ea447c0c9c1de0188d
+SHA1 (patch-src_dns_dns__lookup.c) = 1e3fbd8e8b900e3fbd7160344c150bf147e4490a
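Review bot: The refreshed patch-src_dns_dns__lookup.c entry on the last line is covered by SHA1 only, while the tarball above it carries SHA1, RMD160 and SHA512. That matches the other patch-* lines in this file, so it is not a blocker for this commit, but this patch touches resolver code on the DNSSEC path and would be better served by a stronger digest if the distinfo tooling can emit one for patch files.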

Index: pkgsrc/mail/postfix/patches/patch-src_dns_dns__lookup.c
diff -u pkgsrc/mail/postfix/patches/patch-src_dns_dns__lookup.c:1.7 pkgsrc/mail/postfix/patches/patch-src_dns_dns__lookup.c:1.8
--- pkgsrc/mail/postfix/patches/patch-src_dns_dns__lookup.c:1.7 Sun Apr 26 09:33:26 2020
+++ pkgsrc/mail/postfix/patches/patch-src_dns_dns__lookup.c     Thu Jan 21 16:37:59 2021
@@ -1,10 +1,10 @@
-$NetBSD: patch-src_dns_dns__lookup.c,v 1.7 2020/04/26 09:33:26 taca Exp $
+$NetBSD: patch-src_dns_dns__lookup.c,v 1.8 2021/01/21 16:37:59 triaxx Exp $
 
 Fix runtime problem when mysql PKG_OPTIONS is enabled.
 
---- src/dns/dns_lookup.c.orig  2019-12-15 16:19:34.000000000 +0000
+--- src/dns/dns_lookup.c.orig  2021-01-16 16:24:08.000000000 +0000
 +++ src/dns/dns_lookup.c
-@@ -247,6 +247,8 @@
+@@ -256,6 +256,8 @@
  
  /* Local stuff. */
  
@@ -13,7 +13,7 @@ Fix runtime problem when mysql PKG_OPTIO
   /*
    * Structure to keep track of things while decoding a name server reply.
    */
-@@ -311,7 +313,7 @@ typedef struct DNS_REPLY {
+@@ -320,7 +322,7 @@ typedef struct DNS_REPLY {
  
  /* dns_res_query - a res_query() clone that can return negative replies */
  
@@ -22,7 +22,7 @@ Fix runtime problem when mysql PKG_OPTIO
                                 unsigned char *answer, int anslen)
  {
      unsigned char msg_buf[MAX_DNS_QUERY_SIZE];
-@@ -340,14 +342,14 @@ static int dns_res_query(const char *nam
+@@ -349,14 +351,14 @@ static int dns_res_query(const char *nam
  #define NO_MKQUERY_DATA_LEN     ((int) 0)
  #define NO_MKQUERY_NEWRR        ((unsigned char *) 0)
  
@@ -39,7 +39,7 @@ Fix runtime problem when mysql PKG_OPTIO
        SET_H_ERRNO(TRY_AGAIN);
        if (msg_verbose)
            msg_info("res_send() failed");
-@@ -378,7 +380,7 @@ static int dns_res_query(const char *nam
+@@ -387,7 +389,7 @@ static int dns_res_query(const char *nam
  
  /* dns_res_search - res_search() that can return negative replies */
  
@@ -48,7 +48,7 @@ Fix runtime problem when mysql PKG_OPTIO
                       unsigned char *answer, int anslen, int keep_notfound)
  {
      int     len;
-@@ -401,7 +403,7 @@ static int dns_res_search(const char *na
+@@ -410,7 +412,7 @@ static int dns_res_search(const char *na
      if (keep_notfound)
        /* Prepare for returning a null-padded server reply. */
        memset(answer, 0, anslen);
@@ -57,7 +57,7 @@ Fix runtime problem when mysql PKG_OPTIO
      /* Begin API creep workaround. */
      if (len < 0 && h_errno == 0) {
        SET_H_ERRNO(TRY_AGAIN);
-@@ -440,7 +442,7 @@ static int dns_query(const char *name, i
+@@ -449,7 +451,7 @@ static int dns_query(const char *name, i
      /*
       * Initialize the name service.
       */
@@ -66,7 +66,7 @@ Fix runtime problem when mysql PKG_OPTIO
        if (why)
            vstring_strcpy(why, "Name service initialization failure");
        return (DNS_FAIL);
-@@ -479,32 +481,32 @@ static int dns_query(const char *name, i
+@@ -488,18 +490,18 @@ static int dns_query(const char *name, i
       */
  #define SAVE_FLAGS (USER_FLAGS | XTRA_FLAGS)
  
@@ -85,19 +85,16 @@ Fix runtime problem when mysql PKG_OPTIO
        if (keep_notfound && var_dns_ncache_ttl_fix) {
  #ifdef HAVE_RES_SEND
 -          len = dns_res_query((char *) name, C_IN, type, reply->buf,
-+              len = dns_res_query(&rstate, (char *) name, C_IN, type, reply->buf,
++      len = dns_res_query(&rstate, (char *) name, C_IN, type, reply->buf,
                                reply->buf_len);
  #else
            var_dns_ncache_ttl_fix = 0;
-           msg_warn("system library does not support %s=yes"
-                    " -- ignoring this setting", VAR_DNS_NCACHE_TTL_FIX);
--          len = dns_res_search((char *) name, C_IN, type, reply->buf,
-+          len = dns_res_search(&rstate, (char *) name, C_IN, type, reply->buf,
+@@ -509,11 +511,11 @@ static int dns_query(const char *name, i
                                 reply->buf_len, keep_notfound);
  #endif
        } else {
 -          len = dns_res_search((char *) name, C_IN, type, reply->buf,
-+              len = dns_res_search(&rstate, (char *) name, C_IN, type, reply->buf,
++          len = dns_res_search(&rstate, (char *) name, C_IN, type, reply->buf,
                                 reply->buf_len, keep_notfound);
        }
 -      _res.options &= ~flags;
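Review bot: The regenerated hunk appears to lose the dns_res_search() call in the #else (no HAVE_RES_SEND) branch. The old patch rewrote that call to pass &rstate right after the msg_warn() lines; the new patch ends one inner hunk at "var_dns_ncache_ttl_fix = 0;" and starts the next at "reply->buf_len, keep_notfound);", so the first line of that call is no longer touched, while the call in the "} else {" branch still gets &rstate. If dns_res_search() now takes the resolver state as its first argument, builds without HAVE_RES_SEND will fail to compile or call it with the wrong arguments. Please confirm against the 3.5.9 source and restore the &rstate change for that call if it is still needed.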
@@ -106,4 +103,4 @@ Fix runtime problem when mysql PKG_OPTIO
 +      rstate.options |= saved_options;
        reply_header = (HEADER *) reply->buf;
        reply->rcode = reply_header->rcode;
-       if (h_errno != 0) {
+       if ((reply->dnssec_ad = !!reply_header->ad) != 0)
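Review bot: The trailing context now reads "if ((reply->dnssec_ad = !!reply_header->ad) != 0)", so the code this patch modifies sits directly in front of the AD-bit check, and the patch replaces "_res.options &= ~flags;" with operations on rstate.options. Since the lookup flags are applied to the local rstate instead of the global _res, please test with a validating resolver that a lookup requesting DNSSEC still comes back with dnssec_ad set on a patched build; if the flags do not reach the query, DANE would degrade with only the new dnssec_probe warning as a hint.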


