Source-Changes-HG archive
[src/trunk]: src/external/ibm-public/postfix/dist Import Postfix 2.7.2. Chang...
details: https://anonhg.NetBSD.org/src/rev/bacc39ad6884
branches: trunk
changeset: 759059:bacc39ad6884
user: tron <tron%NetBSD.org@localhost>
date: Sat Nov 27 10:34:30 2010 +0000
description:
Import Postfix 2.7.2. Changes since Postfix 2.7.1:
- Postfix no longer automatically appends the system default CA
(certificate authority) certificates, when it reads the CA
certificates specified with {smtp, lmtp, smtpd}_tls_CAfile or
with {smtp, lmtp, smtpd}_tls_CApath. This prevents third-party
certificates from getting mail relay permission with the
permit_tls_all_clientcerts feature. Unfortunately, this change
may cause compatibility problems with configurations that rely
on certificate verification for other purposes. To get the old
behavior, specify "tls_append_default_CA = yes".
- A prior fix for compatibility with Postfix < 2.3 was incomplete.
When pipe-to-command delivery fails with a signal, mail is now
correctly deferred, instead of being returned to sender.
- Poor smtpd_proxy_filter TCP performance over loopback (127.0.0.1)
connections was fixed by adapting the output buffer size to the
MTU.
- The SMTP server no longer applies the reject_rhsbl_helo feature
to non-domain forms such as network addresses. This would cause
false positives with dbl.spamhaus.org.
- The Postfix SMTP server failed to deliver a "421" response and
hang up the connection after Milter error. Instead, the server
delivered a "503 Access denied" response and left the connection
open, due to some Postfix 1.1 workaround for RFC 2821.
- The milter_header_checks parser failed to enable any of the actions
that have no effect on message delivery (warn, replace, prepend,
ignore, dunno, and ok).
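The trust-store change described in the commit message above, turned into a configuration check an operator can run before upgrading. This is an added example, not Postfix code and not part of this import: it parses a main.cf and flags the cases the release notes warn about (permit_tls_all_clientcerts combined with the old append-default-CAs behaviour, a client-cert relay rule with no trust anchors or with smtpd_tls_ask_ccert off, and smtp/lmtp verification that relied on the appended default CAs). The parameter names tls_append_default_CA, permit_tls_all_clientcerts, smtpd_tls_ask_ccert, *_tls_CAfile, *_tls_CApath and *_tls_security_level are real Postfix parameters; the sample main.cf is constructed and the finding codes are the example's own.

```python
"""Audit a Postfix main.cf for the Postfix 2.7.2 CA-handling change.

Added example, not Postfix code.  Flags configurations the 2.7.2 release
notes say are affected by tls_append_default_CA now defaulting to "no".
The finding codes are this example's own invention.
"""
from typing import Dict, List, Tuple

# Constructed sample, not a real site's main.cf.
SAMPLE_MAIN_CF = """\
# constructed example: relay for partner MTAs that present a client cert
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/key.pem
smtpd_tls_CAfile = /etc/postfix/partner-ca.pem
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_tls_all_clientcerts,
    reject_unauth_destination
smtp_tls_security_level = verify
tls_append_default_CA = yes
"""

YES_VALUES = ("yes", "true", "on", "1")


def parse_main_cf(text: str) -> Dict[str, str]:
    """Parse main.cf text: 'name = value' lines; a line that starts with
    whitespace continues the previous value; '#' lines are comments."""
    params: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue  # not a parameter line; postconf would complain here
        current = name.strip()
        params[current] = value.strip()
    return params


def audit(params: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (code, message) findings related to the 2.7.2 CA change."""
    findings: List[Tuple[str, str]] = []
    # 2.7.2 default is "no"; "yes" restores the pre-2.7.2 behaviour.
    append = params.get("tls_append_default_CA", "no").lower() in YES_VALUES

    restrictions = " ".join(
        v for k, v in params.items()
        if k.startswith("smtpd_") and k.endswith("_restrictions"))
    all_clientcerts = "permit_tls_all_clientcerts" in restrictions
    smtpd_anchors = params.get("smtpd_tls_CAfile") or params.get("smtpd_tls_CApath")

    if all_clientcerts:
        if append:
            findings.append(("RELAY_BY_ANY_DEFAULT_CA",
                "permit_tls_all_clientcerts with tls_append_default_CA = yes: "
                "any client cert chaining to a system default CA gets relay"))
        if not smtpd_anchors:
            findings.append(("NO_SMTPD_TRUST_ANCHORS",
                "permit_tls_all_clientcerts without smtpd_tls_CAfile/CApath: "
                "no client cert can verify, so the rule never matches"))
        if params.get("smtpd_tls_ask_ccert", "no").lower() not in YES_VALUES:
            findings.append(("ASK_CCERT_OFF",
                "permit_tls_all_clientcerts needs smtpd_tls_ask_ccert = yes, "
                "otherwise no client certificate is ever requested"))

    # Outbound verification that used to work only because the default
    # CAs were appended silently.
    for prefix in ("smtp", "lmtp"):
        level = params.get(f"{prefix}_tls_security_level", "")
        anchors = params.get(f"{prefix}_tls_CAfile") or params.get(f"{prefix}_tls_CApath")
        if level in ("verify", "secure") and not anchors and not append:
            findings.append((f"{prefix.upper()}_VERIFY_NO_CA",
                f"{prefix}_tls_security_level = {level} has no CAfile/CApath; "
                "set one or set tls_append_default_CA = yes"))
    return findings


if __name__ == "__main__":
    for code, msg in audit(parse_main_cf(SAMPLE_MAIN_CF)):
        print(f"{code}: {msg}")
```

Feeding the output of `postconf -n` (one `name = value` per line) to `parse_main_cf` works as well as the raw main.cf, and is the better input because it shows the effective non-default values. A finding of RELAY_BY_ANY_DEFAULT_CA is the case the 2.7.2 change closes: with the default CAs appended, a certificate from any public CA, not just the partner CA in smtpd_tls_CAfile, satisfies permit_tls_all_clientcerts.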
diffstat:
external/ibm-public/postfix/dist/HISTORY | 48 +++++++++++
external/ibm-public/postfix/dist/README_FILES/RELEASE_NOTES | 12 ++
external/ibm-public/postfix/dist/RELEASE_NOTES | 12 ++
external/ibm-public/postfix/dist/mantools/postlink | 1 +
external/ibm-public/postfix/dist/src/cleanup/cleanup_milter.c | 5 +-
external/ibm-public/postfix/dist/src/global/mail_version.h | 6 +-
external/ibm-public/postfix/dist/src/global/pipe_command.c | 4 +-
external/ibm-public/postfix/dist/src/smtpd/smtpd_check.c | 5 +-
external/ibm-public/postfix/dist/src/smtpd/smtpd_proxy.c | 5 +-
external/ibm-public/postfix/dist/src/tls/Makefile.in | 1 +
external/ibm-public/postfix/dist/src/tls/tls_certkey.c | 8 +-
external/ibm-public/postfix/dist/src/tls/tls_misc.c | 9 +-
12 files changed, 102 insertions(+), 14 deletions(-)
diffs (289 lines):
diff -r 81752e2c2950 -r bacc39ad6884 external/ibm-public/postfix/dist/HISTORY
--- a/external/ibm-public/postfix/dist/HISTORY Sat Nov 27 05:02:35 2010 +0000
+++ b/external/ibm-public/postfix/dist/HISTORY Sat Nov 27 10:34:30 2010 +0000
@@ -15768,3 +15768,51 @@
Portability: Berkeley DB 5.x has the same API as Berkeley
DB 4.1 and later. File: util/dict_db.c.
+
+20100610
+
+ Bugfix (introduced Postfix 2.2): Postfix no longer appends
+ the system default CA certificates to the lists specified
+ with *_tls_CAfile or with *_tls_CApath. This prevents
+ third-party certificates from getting mail relay permission
+ with the permit_tls_all_clientcerts feature. Unfortunately
+ this may cause compatibility problems with configurations
+ that rely on certificate verification for other purposes.
+ To get the old behavior, specify "tls_append_default_CA =
+ yes". Files: tls/tls_certkey.c, tls/tls_misc.c,
+ global/mail_params.h. proto/postconf.proto, mantools/postlink.
+
+20100714
+
+ Compatibility with Postfix < 2.3: fix 20061207 was incomplete
+ (undoing the change to bounce instead of defer after
+ pipe-to-command delivery fails with a signal). Fix by Thomas
+ Arnett. File: global/pipe_command.c.
+
+20100727
+
+ Bugfix: the milter_header_checks parser provided only the
+ actions that change the message flow (reject, filter,
+ discard, redirect) but disabled the non-flow actions (warn,
+ replace, prepend, ignore, dunno, ok). File:
+ cleanup/cleanup_milter.c.
+
+20100827
+
+ Performance: fix for poor smtpd_proxy_filter TCP performance
+ over loopback (127.0.0.1) connections. Problem reported by
+ Mark Martinec. Files: smtpd/smtpd_proxy.c.
+
+20101023
+
+ Cleanup: don't apply reject_rhsbl_helo to non-domain forms
+ such as network addresses. This would cause false positives
+ with dbl.spamhaus.org. File: smtpd/smtpd_check.c.
+
+20101117
+
+ Bugfix: the "421" reply after Milter error was overruled
+ by Postfix 1.1 code that replied with "503" for RFC 2821
+ compliance. We now make an exception for "final" replies,
+ as permitted by RFC. Solution by Victor Duchovni. File:
+ smtpd/smtpd.c.
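Review bot: the 20100610 entry names global/mail_params.h and proto/postconf.proto, and the 20101117 entry names smtpd/smtpd.c, yet none of those three files appears in this import's diffstat (the only source files touched are cleanup_milter.c, mail_version.h, pipe_command.c, smtpd_check.c, smtpd_proxy.c, tls_certkey.c and tls_misc.c). Since the tls_misc.c hunk in this same import references VAR_TLS_APPEND_DEF_CA and DEF_TLS_APPEND_DEF_CA, check that the tree's mail_params.h already defines them and that the "421 after Milter error" fix actually reached smtpd.c; otherwise the build or the fix is incomplete. Minor: "global/mail_params.h. proto/postconf.proto" has a period where the file list needs a comma.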
diff -r 81752e2c2950 -r bacc39ad6884 external/ibm-public/postfix/dist/README_FILES/RELEASE_NOTES
--- a/external/ibm-public/postfix/dist/README_FILES/RELEASE_NOTES Sat Nov 27 05:02:35 2010 +0000
+++ b/external/ibm-public/postfix/dist/README_FILES/RELEASE_NOTES Sat Nov 27 10:34:30 2010 +0000
@@ -14,6 +14,18 @@
If you upgrade from Postfix 2.5 or earlier, read RELEASE_NOTES-2.6
before proceeding.
+Incompatibility with Postfix 2.7.2
+----------------------------------
+
+Postfix no longer appends the system-supplied default CA certificates
+to the lists specified with *_tls_CAfile or with *_tls_CApath. This
+prevents third-party certificates from getting mail relay permission
+with the permit_tls_all_clientcerts feature.
+
+Unfortunately this change may cause compatibility problems when
+configurations rely on certificate verification for other purposes.
+Specify "tls_append_default_CA = yes" for backwards compatibility.
+
Major changes - performance
---------------------------
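Review bot: the incompatibility text tells operators what changed but not how to tell whether they are affected; a sentence stating the affected shape (a *_tls_CAfile/*_tls_CApath left unset while the configuration relies on certificate verification, either for permit_tls_all_clientcerts or for outbound verification) would save a round of "TLS verification suddenly fails after upgrade" reports. It would also help to state that "tls_append_default_CA = yes" restores the relay-permission weakness the change is meant to close, so it is a migration aid rather than a recommended setting.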
diff -r 81752e2c2950 -r bacc39ad6884 external/ibm-public/postfix/dist/RELEASE_NOTES
--- a/external/ibm-public/postfix/dist/RELEASE_NOTES Sat Nov 27 05:02:35 2010 +0000
+++ b/external/ibm-public/postfix/dist/RELEASE_NOTES Sat Nov 27 10:34:30 2010 +0000
@@ -14,6 +14,18 @@
If you upgrade from Postfix 2.5 or earlier, read RELEASE_NOTES-2.6
before proceeding.
+Incompatibility with Postfix 2.7.2
+----------------------------------
+
+Postfix no longer appends the system-supplied default CA certificates
+to the lists specified with *_tls_CAfile or with *_tls_CApath. This
+prevents third-party certificates from getting mail relay permission
+with the permit_tls_all_clientcerts feature.
+
+Unfortunately this change may cause compatibility problems when
+configurations rely on certificate verification for other purposes.
+Specify "tls_append_default_CA = yes" for backwards compatibility.
+
Major changes - performance
---------------------------
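Review bot: this section is a verbatim copy of the one added to README_FILES/RELEASE_NOTES above, which matches the upstream layout (README_FILES mirrors the top-level file); keep the two in lockstep in later imports, and any wording improvement to the "how to tell you are affected" guidance belongs in both copies.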
diff -r 81752e2c2950 -r bacc39ad6884 external/ibm-public/postfix/dist/mantools/postlink
--- a/external/ibm-public/postfix/dist/mantools/postlink Sat Nov 27 05:02:35 2010 +0000
+++ b/external/ibm-public/postfix/dist/mantools/postlink Sat Nov 27 10:34:30 2010 +0000
@@ -676,6 +676,7 @@
s;\btls_null_cipherlist\b;<a href="postconf.5.html#tls_null_cipherlist">$&</a>;g;
s;\btls_eecdh_strong_curve\b;<a href="postconf.5.html#tls_eecdh_strong_curve">$&</a>;g;
s;\btls_eecdh_ultra_curve\b;<a href="postconf.5.html#tls_eecdh_ultra_curve">$&</a>;g;
+ s;\btls_append_default_CA\b;<a href="postconf.5.html#tls_append_default_CA">$&</a>;g;
s;\bfrozen_delivered_to\b;<a href="postconf.5.html#frozen_delivered_to">$&</a>;g;
diff -r 81752e2c2950 -r bacc39ad6884 external/ibm-public/postfix/dist/src/cleanup/cleanup_milter.c
--- a/external/ibm-public/postfix/dist/src/cleanup/cleanup_milter.c Sat Nov 27 05:02:35 2010 +0000
+++ b/external/ibm-public/postfix/dist/src/cleanup/cleanup_milter.c Sat Nov 27 10:34:30 2010 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: cleanup_milter.c,v 1.1.1.2 2010/06/17 18:06:43 tron Exp $ */
+/* $NetBSD: cleanup_milter.c,v 1.1.1.3 2010/11/27 10:35:21 tron Exp $ */
/*++
/* NAME
@@ -372,8 +372,7 @@
}
return ((char *) buf);
}
- msg_warn("unknown command in %s map: %s", map_class, command);
- return ((char *) buf);
+ return ((char *) HBC_CHECKS_STAT_UNKNOWN);
}
/* cleanup_milter_header_checks - inspect Milter-generated header */
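Review bot: dropping the msg_warn() here removes the only diagnostic this function produced for an unrecognised action word; returning HBC_CHECKS_STAT_UNKNOWN is presumably so the caller falls through to the generic header_checks action handling, which is how warn, replace, prepend, ignore, dunno and ok become available (20100727 HISTORY entry), but the caller is not in this hunk. Confirm that a genuinely unknown command in milter_header_checks still produces a warning in the caller rather than being treated silently as a no-op, since a typo in an action name would otherwise disable the rule without trace.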
diff -r 81752e2c2950 -r bacc39ad6884 external/ibm-public/postfix/dist/src/global/mail_version.h
--- a/external/ibm-public/postfix/dist/src/global/mail_version.h Sat Nov 27 05:02:35 2010 +0000
+++ b/external/ibm-public/postfix/dist/src/global/mail_version.h Sat Nov 27 10:34:30 2010 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: mail_version.h,v 1.1.1.4 2010/06/17 18:06:50 tron Exp $ */
+/* $NetBSD: mail_version.h,v 1.1.1.5 2010/11/27 10:35:27 tron Exp $ */
#ifndef _MAIL_VERSION_H_INCLUDED_
#define _MAIL_VERSION_H_INCLUDED_
@@ -22,8 +22,8 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20100608"
-#define MAIL_VERSION_NUMBER "2.7.1"
+#define MAIL_RELEASE_DATE "20101123"
+#define MAIL_VERSION_NUMBER "2.7.2"
#ifdef SNAPSHOT
# define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
diff -r 81752e2c2950 -r bacc39ad6884 external/ibm-public/postfix/dist/src/global/pipe_command.c
--- a/external/ibm-public/postfix/dist/src/global/pipe_command.c Sat Nov 27 05:02:35 2010 +0000
+++ b/external/ibm-public/postfix/dist/src/global/pipe_command.c Sat Nov 27 10:34:30 2010 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: pipe_command.c,v 1.1.1.1 2009/06/23 10:08:47 tron Exp $ */
+/* $NetBSD: pipe_command.c,v 1.1.1.2 2010/11/27 10:35:28 tron Exp $ */
/*++
/* NAME
@@ -630,7 +630,7 @@
*/
if (!NORMAL_EXIT_STATUS(wait_status)) {
if (WIFSIGNALED(wait_status)) {
- dsb_unix(why, "5.3.0", log_len ?
+ dsb_unix(why, "4.3.0", log_len ?
log_buf : sys_exits_detail(EX_SOFTWARE)->text,
"Command died with signal %d: \"%s\"%s%s",
WTERMSIG(wait_status), args.command,
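Review bot: changing the enhanced status code from 5.3.0 to 4.3.0 is what turns the bounce into a deferral, as the 20100714 HISTORY entry describes; note that the fallback text remains sys_exits_detail(EX_SOFTWARE)->text, a permanent-failure description now paired with a transient 4.x.x code, so the log line and any DSN built from it may read as if the failure were permanent. Either a transient-flavoured text for the signal case, or a comment stating that the mismatch is accepted, would avoid the next reader "fixing" it back.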
diff -r 81752e2c2950 -r bacc39ad6884 external/ibm-public/postfix/dist/src/smtpd/smtpd_check.c
--- a/external/ibm-public/postfix/dist/src/smtpd/smtpd_check.c Sat Nov 27 05:02:35 2010 +0000
+++ b/external/ibm-public/postfix/dist/src/smtpd/smtpd_check.c Sat Nov 27 10:34:30 2010 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: smtpd_check.c,v 1.1.1.3 2010/06/17 18:07:07 tron Exp $ */
+/* $NetBSD: smtpd_check.c,v 1.1.1.4 2010/11/27 10:35:43 tron Exp $ */
/*++
/* NAME
@@ -3791,7 +3791,8 @@
name);
else {
cpp += 1;
- if (state->helo_name)
+ if (state->helo_name
+ && valid_hostname(state->helo_name, DONT_GRIPE))
status = reject_rbl_domain(state, *cpp, state->helo_name,
SMTPD_NAME_HELO);
}
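Review bot: the valid_hostname(state->helo_name, DONT_GRIPE) guard skips the RHSBL lookup silently, so a non-domain HELO argument now produces neither a DNS query nor a log line, which is what the 20101023 entry intends; the guard is specific to this HELO branch, so confirm that no other reject_rhsbl_* path in this function can still pass a non-domain form to reject_rbl_domain() and trigger the same false positives. A short comment above the condition naming the dbl.spamhaus.org false-positive case would make the intent clear to the next reader.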
diff -r 81752e2c2950 -r bacc39ad6884 external/ibm-public/postfix/dist/src/smtpd/smtpd_proxy.c
--- a/external/ibm-public/postfix/dist/src/smtpd/smtpd_proxy.c Sat Nov 27 05:02:35 2010 +0000
+++ b/external/ibm-public/postfix/dist/src/smtpd/smtpd_proxy.c Sat Nov 27 10:34:30 2010 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: smtpd_proxy.c,v 1.1.1.2 2010/06/17 18:07:07 tron Exp $ */
+/* $NetBSD: smtpd_proxy.c,v 1.1.1.3 2010/11/27 10:35:44 tron Exp $ */
/*++
/* NAME
@@ -357,6 +357,9 @@
/* Needed by our DATA-phase record emulation routines. */
vstream_control(proxy->service_stream, VSTREAM_CTL_CONTEXT,
(char *) state, VSTREAM_CTL_END);
+ /* Avoid poor performance when TCP MSS > VSTREAM_BUFSIZE. */
+ if (connect_fn == inet_connect)
+ vstream_tweak_tcp(proxy->service_stream);
smtp_timeout_setup(proxy->service_stream, proxy->timeout);
/*
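Review bot: the commit description says the buffer was adapted to the MTU, while the code comment says "TCP MSS > VSTREAM_BUFSIZE"; the code comment is the accurate one (the MSS is what the stream sees), so the description should say MSS. The connect_fn == inet_connect test correctly limits vstream_tweak_tcp() to TCP proxies, where a non-TCP connect function has no MSS to tune for; stating that in the comment would make the pointer comparison read as a deliberate dispatch rather than a special case.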
diff -r 81752e2c2950 -r bacc39ad6884 external/ibm-public/postfix/dist/src/tls/Makefile.in
--- a/external/ibm-public/postfix/dist/src/tls/Makefile.in Sat Nov 27 05:02:35 2010 +0000
+++ b/external/ibm-public/postfix/dist/src/tls/Makefile.in Sat Nov 27 10:34:30 2010 +0000
@@ -101,6 +101,7 @@
tls_bio_ops.o: tls.h
tls_bio_ops.o: tls_bio_ops.c
tls_certkey.o: ../../include/argv.h
+tls_certkey.o: ../../include/mail_params.h
tls_certkey.o: ../../include/msg.h
tls_certkey.o: ../../include/name_code.h
tls_certkey.o: ../../include/name_mask.h
diff -r 81752e2c2950 -r bacc39ad6884 external/ibm-public/postfix/dist/src/tls/tls_certkey.c
--- a/external/ibm-public/postfix/dist/src/tls/tls_certkey.c Sat Nov 27 05:02:35 2010 +0000
+++ b/external/ibm-public/postfix/dist/src/tls/tls_certkey.c Sat Nov 27 10:34:30 2010 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: tls_certkey.c,v 1.1.1.2 2010/06/17 18:07:09 tron Exp $ */
+/* $NetBSD: tls_certkey.c,v 1.1.1.3 2010/11/27 10:35:45 tron Exp $ */
/*++
/* NAME
@@ -72,6 +72,10 @@
#include <msg.h>
+/* Global library. */
+
+#include <mail_params.h>
+
/* TLS library. */
#define TLS_INTERNAL
@@ -93,7 +97,7 @@
tls_print_errors();
return (-1);
}
- if (!SSL_CTX_set_default_verify_paths(ctx)) {
+ if (var_tls_append_def_CA && !SSL_CTX_set_default_verify_paths(ctx)) {
msg_info("cannot set certificate verification paths: "
"disabling TLS support");
tls_print_errors();
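Review bot: with var_tls_append_def_CA at its new default, SSL_CTX_set_default_verify_paths() is never called, so a configuration that sets no *_tls_CAfile/*_tls_CApath now has an empty trust store and every peer certificate fails verification; that is the intended fix, but the one diagnostic left in this branch ("cannot set certificate verification paths: disabling TLS support") is now reached only when appending is enabled, so an operator whose verification silently starts failing gets no hint from this code. A msg_info noting that the system default CAs were not loaded because tls_append_default_CA is off would ease the migration the release notes warn about. Also, DEF_TLS_APPEND_DEF_CA lives in mail_params.h, which is not in this diffstat; confirm the tree's copy defines it as "no", since the whole security benefit rests on that default.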
diff -r 81752e2c2950 -r bacc39ad6884 external/ibm-public/postfix/dist/src/tls/tls_misc.c
--- a/external/ibm-public/postfix/dist/src/tls/tls_misc.c Sat Nov 27 05:02:35 2010 +0000
+++ b/external/ibm-public/postfix/dist/src/tls/tls_misc.c Sat Nov 27 10:34:30 2010 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: tls_misc.c,v 1.1.1.1 2009/06/23 10:08:57 tron Exp $ */
+/* $NetBSD: tls_misc.c,v 1.1.1.2 2010/11/27 10:35:46 tron Exp $ */
/*++
/* NAME
@@ -17,6 +17,7 @@
/* char *var_tls_eecdh_strong;
/* char *var_tls_eecdh_ultra;
/* int var_tls_daemon_rand_bytes;
+/* bool var_tls_append_def_CA;
/*
/* TLS_APPL_STATE *tls_alloc_app_context(ssl_ctx)
/* SSL_CTX *ssl_ctx;
@@ -192,6 +193,7 @@
int var_tls_daemon_rand_bytes;
char *var_tls_eecdh_strong;
char *var_tls_eecdh_ultra;
+bool var_tls_append_def_CA;
/*
* Index to attach TLScontext pointers to SSL objects, so that they can be
@@ -409,6 +411,10 @@
VAR_TLS_DAEMON_RAND_BYTES, DEF_TLS_DAEMON_RAND_BYTES, &var_tls_daemon_rand_bytes, 1, 0,
0,
};
+ static const CONFIG_BOOL_TABLE bool_table[] = {
+ VAR_TLS_APPEND_DEF_CA, DEF_TLS_APPEND_DEF_CA, &var_tls_append_def_CA,
+ 0,
+ };
static int init_done;
if (init_done)
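Review bot: VAR_TLS_APPEND_DEF_CA and DEF_TLS_APPEND_DEF_CA are used here but the header that defines them, global/mail_params.h, is not among the files in this diffstat even though the 20100610 HISTORY entry lists it; the build fails unless the NetBSD tree's mail_params.h already carries both macros, so verify that before committing. The bool_table placement after int_table and the matching get_mail_conf_bool_table() call follow the existing pattern in this function, which is fine.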
@@ -417,6 +423,7 @@
get_mail_conf_str_table(str_table);
get_mail_conf_int_table(int_table);
+ get_mail_conf_bool_table(bool_table);
}
/* tls_set_ciphers - Set SSL context cipher list */