Source-Changes-HG archive


[src/netbsd-6]: src Pull up following revision(s) (requested by tron in ticke...



details:   https://anonhg.NetBSD.org/src/rev/da6d16af5def
branches:  netbsd-6
changeset: 774219:da6d16af5def
user:      riz <riz%NetBSD.org@localhost>
date:      Wed Jun 13 19:28:54 2012 +0000

description:
Pull up following revision(s) (requested by tron in ticket #333):

doc/3RDPARTY                                    1.940 via patch
doc/CHANGES                                     1.1708 via patch
external/ibm-public/postfix/dist/HISTORY        patch
external/ibm-public/postfix/dist/RELEASE_NOTES  patch
external/ibm-public/postfix/dist/README_FILES/RELEASE_NOTES patch
external/ibm-public/postfix/dist/README_FILES/TLS_README patch
external/ibm-public/postfix/dist/html/TLS_README.html patch
external/ibm-public/postfix/dist/html/lmtp.8.html patch
external/ibm-public/postfix/dist/html/postconf.5.html patch
external/ibm-public/postfix/dist/html/smtp.8.html patch
external/ibm-public/postfix/dist/html/smtpd.8.html patch
external/ibm-public/postfix/dist/man/man5/postconf.5 patch
external/ibm-public/postfix/dist/man/man8/smtp.8 patch
external/ibm-public/postfix/dist/man/man8/smtpd.8 patch
external/ibm-public/postfix/dist/proto/TLS_README.html patch
external/ibm-public/postfix/dist/proto/postconf.proto patch
external/ibm-public/postfix/dist/src/cleanup/cleanup_milter.c patch
external/ibm-public/postfix/dist/src/dnsblog/dnsblog.c patch
external/ibm-public/postfix/dist/src/global/mail_params.h patch
external/ibm-public/postfix/dist/src/global/mail_version.h patch
external/ibm-public/postfix/dist/src/local/Makefile.in patch
external/ibm-public/postfix/dist/src/postlog/postlog.c patch
external/ibm-public/postfix/dist/src/postqueue/Makefile.in patch
external/ibm-public/postfix/dist/src/postqueue/postqueue.c patch
external/ibm-public/postfix/dist/src/smtp/smtp.c patch
external/ibm-public/postfix/dist/src/smtpd/smtpd.c patch
external/ibm-public/postfix/dist/src/tls/tls.h  patch
external/ibm-public/postfix/dist/src/tls/tls_client.c patch
external/ibm-public/postfix/dist/src/tls/tls_misc.c patch
external/ibm-public/postfix/dist/src/tls/tls_server.c patch
external/ibm-public/postfix/dist/src/util/events.c patch
external/ibm-public/postfix/dist/src/xsasl/xsasl_cyrus.h patch
external/ibm-public/postfix/dist/src/xsasl/xsasl_cyrus_client.c patch
external/ibm-public/postfix/dist/src/xsasl/xsasl_cyrus_server.c patch

        Update Postfix to version 2.8.11:
        - The "change header" milter request could replace the wrong header.
          A long header name could match a shorter one, because a length check
          was done on the wrong string. Reported by Vladimir Vassiliev.
        - Core dump when postlog emitted the "usage" message, caused by an
          extraneous null assignment. Reported by Kant (fnord.hammer).
        - These releases add support to turn off the TLSv1.1 and TLSv1.2
          protocols. Introduced with OpenSSL version 1.0.1, these protocols
          are known to cause inter-operability problems, for example with some
          hotmail services. The radical workaround is to temporarily turn off
          problematic protocols globally:

                /etc/postfix/main.cf:
                    smtp_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
                    smtp_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2

                    smtpd_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
                    smtpd_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2

          However, it may be better to temporarily turn off problematic
          protocols for broken sites only:

                /etc/postfix/main.cf:
                    smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

                /etc/postfix/tls_policy:
                    example.com         may protocols=!SSLv2:!TLSv1.1:!TLSv1.2

          Notes:

          Note the use of ":" instead of comma or space. Also, note that there
          is NO space around the "=" in "protocols=".

          The smtp_tls_policy_maps lookup key must match the "next-hop"
          destination that is given to the Postfix SMTP client. If you
          override the next-hop destination with transport_maps, relayhost,
          sender_dependent_relayhost_maps, or otherwise, you need to specify
          the same destination for the smtp_tls_policy_maps lookup key.
        - OpenSSL related (all supported Postfix versions).
          Some people have reported program crashes when the OpenSSL library
          was updated while Postfix was accessing the Postfix TLS session
          cache. To avoid this, the Postfix TLS session cache ID now includes
          the OpenSSL library version number. This cache ID is not shared via
          the network.
        - The OpenSSL workaround introduced with the previous stable and legacy
          releases did not compile with older gcc compilers. These compilers
          can't handle #ifdef inside a macro invocation (NOT: definition).
        - To avoid repeated warnings from postscreen(8) with "connect to
          private/dnsblog service: Connection refused" on FreeBSD, the
          dnsblog(8) daemon now uses the single_server program driver instead
          of the multi_server driver. This one-line code change has no
          performance impact for other systems, and eliminates a high-frequency
          accept() race on a shared socket that appears to cause trouble on
          FreeBSD. The same single_server program driver has proven itself for
          many years in smtpd(8). Problem reported by Sahil Tandon.
        - Laptop-friendly support (all supported Postfix versions). A
          little-known secret is that Postfix has always had support to avoid
          unnecessary disk spin-up for MTIME updates, by doing s/fifo/unix/
          in master.cf (this is currently not supported on Solaris systems).
          However, two minor fixes are needed to make this bullet-proof.
        - In laptop-friendly mode, the "postqueue -f" and "sendmail -q"
          commands did not wait until their requests had reached the pickup
          and qmgr servers before closing their UNIX-domain request sockets.
        - In laptop-friendly mode, the unused postkick command waited for more
          than a minute because the event_drain() function was comparing
          bitmasks incorrectly on systems with kqueue(2), epoll(2) or
          /dev/poll support.
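
The "change header" milter bug in the commit message above ("a length check was done on the wrong string") is the kind of mistake that is easiest to see side by side. The C program below is an added illustration of that bug class and of the corrected check; it is not the Postfix cleanup_milter.c code, which this page does not show, and its header names and sample message headers are constructed for the example.

```c
/*
 * Added illustration, not Postfix code: a header lookup whose prefix
 * comparison takes its length from the header found in the message (the
 * wrong string), so a longer requested name matches a shorter one, next
 * to the corrected check. All header names below are constructed.
 */
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample message headers, in message order. */
static const char *const headers[] = {
    "Received: from mail.example.org",
    "X-Spam-Status: No",
    "X-Spam-Status-Detail: score=0.1",
    "Subject: hello",
};
#define NHEADERS (sizeof(headers) / sizeof(headers[0]))

/* Length of the header name on a "Name: value" line, or 0 if no colon. */
static size_t name_len(const char *line)
{
    const char *colon = strchr(line, ':');
    return colon ? (size_t) (colon - line) : 0;
}

/*
 * BUGGY: compares only as many characters as the header in the message
 * has. A request for "X-Spam-Status-Detail" therefore already matches
 * the shorter "X-Spam-Status" line that comes first, and a milter
 * "change header" would rewrite the wrong header. Returns the index of
 * the first match, or -1.
 */
int find_header_buggy(const char *wanted)
{
    for (size_t i = 0; i < NHEADERS; i++) {
        size_t len = name_len(headers[i]);
        if (len > 0 && strncasecmp(headers[i], wanted, len) == 0)
            return (int) i;
    }
    return -1;
}

/*
 * FIXED: compare the full length of the requested name, then require the
 * message header name to end right there (optional whitespace, then ':').
 */
int find_header_fixed(const char *wanted)
{
    size_t wlen = strlen(wanted);

    for (size_t i = 0; i < NHEADERS; i++) {
        const char *p = headers[i];
        if (strncasecmp(p, wanted, wlen) != 0)
            continue;
        for (p += wlen; *p == ' ' || *p == '\t'; p++)
            ;
        if (*p == ':')
            return (int) i;
    }
    return -1;
}

int main(void)
{
    const char *wanted = "X-Spam-Status-Detail";

    printf("request for %s: buggy lookup -> header %d, fixed lookup -> header %d\n",
           wanted, find_header_buggy(wanted), find_header_fixed(wanted));
    return 0;
}
```

Compile with cc -std=c99 and run: the buggy lookup returns the X-Spam-Status line (index 1) for a request naming X-Spam-Status-Detail, the fixed one returns the X-Spam-Status-Detail line (index 2). The ':' check in the fixed form is not optional: without it a request for "X-Spam" would be a valid prefix of both X-Spam-* headers and would match the first of them.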
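
The protocol lists in the commit message above ("!SSLv2, !TLSv1.1, !TLSv1.2" in main.cf, "!SSLv2:!TLSv1.1:!TLSv1.2" inside a tls_policy attribute) are resolved by Postfix into a set of protocols to exclude, because OpenSSL can only exclude. The C program below is an added example, not Postfix's tls_misc.c or smtp_tls_policy.c, that reproduces those semantics as a bitmask over the five protocols this release names (SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2; the bit values are the example's own): an exclusion list disables exactly what it names, an inclusion list such as "TLSv1" disables every other known protocol, and the tls_policy parser shows why a space around "=" or a comma inside the attribute breaks the entry. Treating a list that mixes both forms as an error is this example's choice; the page does not say how Postfix handles that case.

```c
/* Added example, not Postfix code; see the lead-in for what it assumes. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* The five protocols this Postfix release knows; the bit values are ours. */
enum { P_SSLv2 = 1, P_SSLv3 = 2, P_TLSv1 = 4, P_TLSv11 = 8, P_TLSv12 = 16,
       P_KNOWN = 31, P_INVALID = -1 };

static const struct { const char *name; int bit; } protocol_table[] = {
    { "SSLv2", P_SSLv2 }, { "SSLv3", P_SSLv3 }, { "TLSv1", P_TLSv1 },
    { "TLSv1.1", P_TLSv11 }, { "TLSv1.2", P_TLSv12 },
};

static int protocol_code(const char *name)
{
    for (size_t i = 0; i < sizeof(protocol_table) / sizeof(*protocol_table); i++)
        if (strcasecmp(name, protocol_table[i].name) == 0)
            return protocol_table[i].bit;
    return P_INVALID;
}

/* Reentrant tokenizer over *p; tokens are NUL-terminated in place. */
static char *next_token(char **p, const char *seps)
{
    char *s = *p + strspn(*p, seps), *e;

    if (*s == '\0')
        return NULL;
    e = s + strcspn(s, seps);
    if (*e != '\0')
        *e++ = '\0';
    *p = e;
    return s;
}

/*
 * Protocol list as written in main.cf ("!SSLv2, !TLSv1.1") or in a
 * tls_policy protocols= attribute ("!SSLv2:!TLSv1.1"). Returns the mask of
 * protocols left ENABLED, or P_INVALID for an unknown name or for a list
 * that mixes "NAME" with "!NAME" (this example's choice, see lead-in).
 */
int enabled_protocols(const char *list)
{
    char buf[256], *p = buf, *tok;
    int include = 0, exclude = 0;

    if (strlen(list) >= sizeof(buf))
        return P_INVALID;
    strcpy(buf, list);
    while ((tok = next_token(&p, ",: \t")) != NULL) {
        int code = protocol_code(*tok == '!' ? tok + 1 : tok);
        if (code == P_INVALID)
            return P_INVALID;
        if (*tok == '!')
            exclude |= code;
        else
            include |= code;
    }
    if (include && exclude)
        return P_INVALID;
    if (include)                          /* OpenSSL can only exclude: an inclusion */
        exclude = P_KNOWN & ~include;     /* list drops every other KNOWN protocol  */
    return P_KNOWN & ~exclude;
}

/*
 * Right-hand side of a tls_policy entry ("may protocols=..."), split on
 * spaces and commas as the release notes warn. Returns the enabled mask from
 * the protocols= attribute, P_KNOWN if there is none, and P_INVALID if any
 * token is not "name=value" (a space around "=" or a comma inside the value
 * produces such a token). Other attributes are skipped by this example.
 */
int policy_enabled_protocols(const char *rhs)
{
    char buf[256], *p = buf, *tok;
    int result = P_KNOWN;

    if (strlen(rhs) >= sizeof(buf))
        return P_INVALID;
    strcpy(buf, rhs);
    if (next_token(&p, " \t,") == NULL)   /* security level: "may", "encrypt", ... */
        return P_INVALID;
    while ((tok = next_token(&p, " \t,")) != NULL) {
        char *eq = strchr(tok, '=');
        if (eq == NULL || eq == tok || eq[1] == '\0')
            return P_INVALID;
        if (strncasecmp(tok, "protocols=", 10) == 0)
            result = enabled_protocols(eq + 1);
        if (result == P_INVALID)
            return P_INVALID;
    }
    return result;
}

int main(void)
{
    const char *lists[] = { "!SSLv2, !TLSv1.1, !TLSv1.2", "!SSLv2, !SSLv3",
                            "TLSv1", "SSLv3, TLSv1", "!SSLv2, TLSv1" };

    for (size_t i = 0; i < sizeof(lists) / sizeof(*lists); i++)
        printf("%-28s enabled mask %d\n", lists[i], enabled_protocols(lists[i]));
    printf("%-28s enabled mask %d\n", "may protocols = !SSLv2",
           policy_enabled_protocols("may protocols = !SSLv2"));
    return 0;
}
```

Running it shows the point the TLS_README hunks below gloss over: "!SSLv2, !SSLv3" leaves TLSv1, TLSv1.1 and TLSv1.2 enabled, whereas the inclusion form "TLSv1" (or "SSLv3, TLSv1") disables TLSv1.1 and TLSv1.2 as a side effect, so the two forms stopped being interchangeable the moment those protocols were added to the known list. The policy parser returns P_INVALID for "protocols = !SSLv2" because the space turns "protocols" into a token with no value, which is the reason for the "NO space around the =" note in the commit message.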

diffstat:

 doc/3RDPARTY                                                    |   6 +-
 doc/CHANGES                                                     |   3 +-
 external/ibm-public/postfix/dist/HISTORY                        |  82 ++++++++++
 external/ibm-public/postfix/dist/README_FILES/RELEASE_NOTES     |  37 ++++
 external/ibm-public/postfix/dist/README_FILES/TLS_README        |  48 +++--
 external/ibm-public/postfix/dist/RELEASE_NOTES                  |  37 ++++
 external/ibm-public/postfix/dist/html/TLS_README.html           |  30 ++-
 external/ibm-public/postfix/dist/html/lmtp.8.html               |   2 +-
 external/ibm-public/postfix/dist/html/postconf.5.html           |  57 ++++--
 external/ibm-public/postfix/dist/html/smtp.8.html               |   2 +-
 external/ibm-public/postfix/dist/html/smtpd.8.html              |   2 +-
 external/ibm-public/postfix/dist/man/man5/postconf.5            |  57 ++++--
 external/ibm-public/postfix/dist/man/man8/smtp.8                |   4 +-
 external/ibm-public/postfix/dist/man/man8/smtpd.8               |   4 +-
 external/ibm-public/postfix/dist/proto/TLS_README.html          |  30 ++-
 external/ibm-public/postfix/dist/proto/postconf.proto           |  57 ++++--
 external/ibm-public/postfix/dist/src/cleanup/cleanup_milter.c   |   5 +-
 external/ibm-public/postfix/dist/src/dnsblog/dnsblog.c          |  13 +-
 external/ibm-public/postfix/dist/src/global/mail_params.h       |   8 +-
 external/ibm-public/postfix/dist/src/global/mail_version.h      |   6 +-
 external/ibm-public/postfix/dist/src/local/Makefile.in          |   1 +
 external/ibm-public/postfix/dist/src/postlog/postlog.c          |   3 +-
 external/ibm-public/postfix/dist/src/postqueue/Makefile.in      |   1 +
 external/ibm-public/postfix/dist/src/postqueue/postqueue.c      |   4 +-
 external/ibm-public/postfix/dist/src/smtp/smtp.c                |   4 +-
 external/ibm-public/postfix/dist/src/smtpd/smtpd.c              |   4 +-
 external/ibm-public/postfix/dist/src/tls/tls.h                  |  19 ++-
 external/ibm-public/postfix/dist/src/tls/tls_client.c           |  10 +-
 external/ibm-public/postfix/dist/src/tls/tls_misc.c             |   8 +-
 external/ibm-public/postfix/dist/src/tls/tls_server.c           |   7 +-
 external/ibm-public/postfix/dist/src/util/events.c              |   8 +-
 external/ibm-public/postfix/dist/src/xsasl/xsasl_cyrus.h        |   7 +-
 external/ibm-public/postfix/dist/src/xsasl/xsasl_cyrus_client.c |  10 +-
 external/ibm-public/postfix/dist/src/xsasl/xsasl_cyrus_server.c |   4 +-
 34 files changed, 435 insertions(+), 145 deletions(-)

diffs (truncated from 1375 to 300 lines):

diff -r 5341f7cd6725 -r da6d16af5def doc/3RDPARTY
--- a/doc/3RDPARTY      Wed Jun 13 19:21:02 2012 +0000
+++ b/doc/3RDPARTY      Wed Jun 13 19:28:54 2012 +0000
@@ -1,4 +1,4 @@
-#      $NetBSD: 3RDPARTY,v 1.909.2.7 2012/03/07 23:18:21 riz Exp $
+#      $NetBSD: 3RDPARTY,v 1.909.2.8 2012/06/13 19:28:55 riz Exp $
 #
 # This file contains a list of the software that has been integrated into
 # NetBSD where we are not the primary maintainer.
@@ -944,8 +944,8 @@
 and more.
 
 Package:       postfix
-Version:       2.8.8
-Current Vers:  2.8.8/2.9.0
+Version:       2.8.11
+Current Vers:  2.8.11/2.9.3
 Maintainer:    Wietse Venema <wietse%porcupine.org@localhost>
 Archive Site:  ftp://postfix.cloud9.net/official/
 Home Page:     http://www.postfix.org/
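
Review bot: the Version and Current Vers bumps agree with the doc/CHANGES entry in this pull-up, fine. While touching this entry: the unchanged "Archive Site: ftp://postfix.cloud9.net/official/" line is a plain-FTP location, and the file records nothing about how the imported tarball was verified (upstream signature or digest). Since 3RDPARTY is the record of where vendored code comes from, it should carry that integrity reference next to the version so the next importer has something to check against.
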
diff -r 5341f7cd6725 -r da6d16af5def doc/CHANGES
--- a/doc/CHANGES       Wed Jun 13 19:21:02 2012 +0000
+++ b/doc/CHANGES       Wed Jun 13 19:28:54 2012 +0000
@@ -1,4 +1,4 @@
-# LIST OF CHANGES FROM LAST RELEASE:                   <$Revision: 1.1670.2.4 $>
+# LIST OF CHANGES FROM LAST RELEASE:                   <$Revision: 1.1670.2.5 $>
 #
 #
 # [Note: This file does not mention every change made to the NetBSD source tree.
@@ -1266,3 +1266,4 @@
        re(4): Add support for RTL8168E-VL. [nonaka 20120302]
        amdtemp(4): Add support for Family 12h. [nonaka 20120302]
        postfix(1): Add support for SQLite tables. [tron 20120304]
+       postfix(1): Import version 2.8.11 [tron 20120609]
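
Review bot: the new entry on the last line has no trailing period, unlike its neighbours ("Add support for SQLite tables."); write "postfix(1): Import version 2.8.11. [tron 20120609]" for consistency.
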
diff -r 5341f7cd6725 -r da6d16af5def external/ibm-public/postfix/dist/HISTORY
--- a/external/ibm-public/postfix/dist/HISTORY  Wed Jun 13 19:21:02 2012 +0000
+++ b/external/ibm-public/postfix/dist/HISTORY  Wed Jun 13 19:28:54 2012 +0000
@@ -16747,3 +16747,85 @@
        have been updated when it was re-purposed to handle DSN
        SUCCESS notifications. Problem reported by Sabahattin
        Gucukoglu.  File: bounce/bounce_trace_service.c.
+
+20120202
+
+       Bugfix (introduced: Postfix 2.3): the "change header" milter
+       request could replace the wrong header. A long header name
+       could match a shorter one, because a length check was done
+       on the wrong string.  Reported by Vladimir Vassiliev.  File:
+       cleanup/cleanup_milter.c.
+
+20120214
+
+       Bugfix (introduced: Postfix 2.4): extraneous null assignment
+       caused core dump when postlog emitted the "usage" message.
+       Reported by Kant (fnord.hammer). File: postlog/postlog.c.
+
+20120217
+
+       Cleanup: missing #include statement for bugfix code added
+       20111226. File: local/unknown.c.
+
+20120401
+
+       Bitrot: shut up useless warnings about Cyrus SASL call-back
+       function pointer type mis-matches. Files: xsasl/xsasl_cyrus.h,
+       xsasl/xsasl_cyrus_server.c, xsasl/xsasl_client.c.
+
+20120422
+
+       Bit-rot: OpenSSL 1.0.1 introduces new protocols. Update the
+       known TLS protocol list so that protocols can be turned off
+       selectively to work around implementation bugs.  Based on
+       a patch by Victor Duchovni.  Files: proto/TLS_README.html,
+       proto/postconf.proto, tls/tls.h, tls/tls_misc.c, tls/tls_client.c,
+       tls/tls_server.c.
+
+20120425
+
+       Workaround: bugs in 10-year old gcc versions break compilation
+       with #ifdef inside a macro invocation (NOT: definition).
+       Files: tls/tls.h, tls/tls_client.c, tls/tls_server.c.
+
+20120516
+
+       Workaround: apparently, FreeBSD 8.3 kqueue notifications
+       sometimes break when a dnsblog(8) process loses an accept()
+       race on a shared socket, resulting in repeated "connect to
+       private/dnsblog service: Connection refused" warnings.  This
+       condition is unique to dnsblog(8). The postscreen(8) daemon
+       closes a postscreen-to-dnsblog connection as soon as it
+       receives a dnsblog(8) reply, resulting in hundreds or
+       thousands of connection requests per second.  All other
+       multi-server daemons such as anvil(8) or proxymap(8) have
+       connection lifetimes ranging from 5s to 1000s depending on
+       server load.  The workaround is for dnsblog to use the
+       single_server driver instead of the multi_server driver.
+       This one-line code change eliminates the accept() race
+       without any Postfix performance impact.  Problem reported
+       by Sahil Tandon.  File: dnsblog/dnsblog.c.
+
+20120517
+
+       Workaround: to avoid crashes when the OpenSSL library is
+       updated without "postfix reload", the Postfix TLS session
+       cache ID now includes the OpenSSL library version number.
+       Note: this problem cannot be fixed in tlsmgr(8). Code by
+       Victor Duchovni. Files: tls/tls_server.c, tls_client.c.
+
+20120520
+
+       Bugfix (introduced Postfix 2.4): the event_drain() function
+       was comparing bitmasks incorrectly causing the program to
+       always wait for the full time limit. This error affected
+       the unused postkick command, but only after s/fifo/unix/
+       in master.cf.  File: util/events.c.
+
+       Cleanup: laptop users have always been able to avoid
+       unnecessary disk spin-up by doing s/fifo/unix/ in master.cf
+       (this is currently not supported on Solaris systems).
+       However, to make this work reliably, the "postqueue -f"
+       command must wait until its requests have reached the pickup
+       and qmgr servers before closing the UNIX-domain request
+       sockets.  Files: postqueue/postqueue.c, postqueue/Makefile.in.
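
Review bot: two file references in this HISTORY text do not match what is in the pull-up: the 20120401 entry ends its list with xsasl/xsasl_client.c, while the file actually touched (see the file list and diffstat above) is xsasl/xsasl_cyrus_client.c, and the 20120217 entry names local/unknown.c, which is not in this pull-up at all (only local/Makefile.in is), so confirm that the missing #include it refers to is already on the netbsd-6 branch. The 20120517 entry also writes "tls_client.c" without the tls/ prefix its neighbour "tls/tls_server.c" carries. These are upstream wording: either leave the imported file verbatim or report them upstream, but do not reconcile the NetBSD file list against them. Of the fixes listed, the 20120202 "change header" one is the policy-relevant entry (a milter asking to replace one header could have rewritten a different, shorter-named one) and deserves its own line in doc/CHANGES instead of only the generic "Import version 2.8.11".
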
diff -r 5341f7cd6725 -r da6d16af5def external/ibm-public/postfix/dist/README_FILES/RELEASE_NOTES
--- a/external/ibm-public/postfix/dist/README_FILES/RELEASE_NOTES       Wed Jun 13 19:21:02 2012 +0000
+++ b/external/ibm-public/postfix/dist/README_FILES/RELEASE_NOTES       Wed Jun 13 19:28:54 2012 +0000
@@ -11,6 +11,43 @@
 The mail_release_date configuration parameter (format: yyyymmdd)
 specifies the release date of a stable release or snapshot release.
 
+Major changes with Postfix 2.8.10
+---------------------------------
+
+This release adds support to turn off the TLSv1.1 and TLSv1.2
+protocols.  Introduced with OpenSSL version 1.0.1, these are known
+to cause inter-operability problems with for example hotmail.
+
+The radical workaround is to temporarily turn off problematic
+protocols globally:
+
+/etc/postfix/main.cf:
+    smtp_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
+    smtp_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
+
+    smtpd_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
+    smtpd_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
+
+However, it may be better to temporarily turn off problematic
+protocols for broken sites only:
+
+/etc/postfix/main.cf:
+    smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
+
+/etc/postfix/tls_policy:
+    example.com         may protocols=!SSLv2:!TLSv1.1:!TLSv1.2
+
+Important:
+
+- Note the use of ":" instead of comma or space. Also, note that
+  there is NO space around the "=" in "protocols=".
+
+- The smtp_tls_policy_maps lookup key must match the "next-hop"
+  destination that is given to the Postfix SMTP client. If you 
+  override the next-hop destination with transport_maps, relayhost,
+  sender_dependent_relayhost_maps, or otherwise, you need to specify
+  the same destination for the smtp_tls_policy_maps lookup key.
+
 Incompatible changes with Postfix 2.8.2
 ---------------------------------------
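
Review bot: the added line "destination that is given to the Postfix SMTP client. If you " ends in trailing whitespace; strip it before committing. On substance, the "radical workaround" sets smtpd_tls_mandatory_protocols as well, so it weakens mandatory-TLS sessions with every peer in order to get past one broken one, and the text only calls this "temporarily"; present the per-destination tls_policy form as the recommended fix and the global form as a last resort, and tell the reader to remove the exclusions once the peer is fixed, otherwise the setting outlives the problem. The heading says 2.8.10 although this import is 2.8.11; that agrees with the commit message ("These releases add support ..."), so it is not a pull-up error.
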
 
diff -r 5341f7cd6725 -r da6d16af5def external/ibm-public/postfix/dist/README_FILES/TLS_README
--- a/external/ibm-public/postfix/dist/README_FILES/TLS_README  Wed Jun 13 19:21:02 2012 +0000
+++ b/external/ibm-public/postfix/dist/README_FILES/TLS_README  Wed Jun 13 19:28:54 2012 +0000
@@ -542,11 +542,17 @@
 control over the minimum cipher grade for opportunistic TLS. With Postfix <
 2.6, the minimum opportunistic TLS cipher grade is always "export".
 
-With mandatory TLS encryption, the Postfix SMTP server will by default only use
-SSLv3 or TLSv1. SSLv2 is only used when TLS encryption is optional. The
-mandatory TLS protocol list is specified via the smtpd_tls_mandatory_protocols
-configuration parameter. The corresponding smtpd_tls_protocols parameter
-(Postfix >= 2.6) controls the SSL/TLS protocols used with opportunistic TLS.
+With mandatory TLS encryption, the Postfix SMTP server will by default disable
+SSLv2. SSLv2 is used only when TLS encryption is optional. The mandatory TLS
+protocol list is specified via the smtpd_tls_mandatory_protocols configuration
+parameter. The corresponding smtpd_tls_protocols parameter (Postfix >= 2.6)
+controls the SSL/TLS protocols used with opportunistic TLS.
+
+Note that the OpenSSL library only supports protocol exclusion (not inclusion).
+For this reason, Postfix can exclude only protocols that are known at the time
+the Postfix software is written. If new protocols are added to the OpenSSL
+library, they cannot be excluded without corresponding changes to the Postfix
+source code.
 
 For a server that is not a public Internet MX host, Postfix (>= 2.3) supports
 configurations with no server certificates that use oonnllyy the anonymous ciphers.
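
Review bot: the new paragraph states that OpenSSL can only exclude and that Postfix can therefore exclude only protocols known when it was written, but stops short of what that implies for an inclusion-style list: "TLSv1" is turned into "exclude every known protocol except TLSv1", which with this change includes TLSv1.1 and TLSv1.2. One sentence saying so here would explain why the example blocks further down mark the exclusion form as preferred. Minor: "will by default disable SSLv2" reads better as "by default excludes only SSLv2". (The "oonnllyy" in the unchanged context line is overstruck bold from the nroff rendering, not a typo to fix.)
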
@@ -561,9 +567,10 @@
         smtpd_tls_mandatory_ciphers = high
         smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
         smtpd_tls_security_level = encrypt
+        # Preferred form with Postfix >= 2.5:
+        smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+        # Alternative form.
         smtpd_tls_mandatory_protocols = TLSv1
-        # Also available with Postfix >= 2.5:
-        smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
 
 If you want to take advantage of ciphers with ephemeral Diffie-Hellman (EDH)
 key exchange (this offers "forward-secrecy"), DH parameters are needed. Instead
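
Review bot: the example now assigns smtpd_tls_mandatory_protocols twice in succession, "!SSLv2, !SSLv3" and then, under "# Alternative form.", "TLSv1". A later main.cf entry overrides an earlier one, so whoever pastes the block verbatim ends up with the non-preferred inclusion form. Comment the alternative out ("# smtpd_tls_mandatory_protocols = TLSv1") or show the two forms in separate snippets. The two are also no longer equivalent now that TLSv1.1 and TLSv1.2 are in the known-protocol list: "TLSv1" excludes both of them, "!SSLv2, !SSLv3" keeps them, which is presumably why the exclusion form became "Preferred"; the text should say that rather than present them as interchangeable.
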
@@ -594,9 +601,9 @@
         smtpd_tls_eecdh_grade = strong
 
 Postfix 2.8 and later, in combination with OpenSSL 0.9.7 and later allows TLS
-servers to preempt the TLS client's cipher preference list. This is only
-possible with SSLv3, as in SSLv2 the client chooses the cipher from a list
-supplied by the server.
+servers to preempt the TLS client's cipher preference list. This is possible
+only with SSLv3 and later, as in SSLv2 the client chooses the cipher from a
+list supplied by the server.
 
 By default, the OpenSSL server selects the client's most preferred cipher that
 the server supports. With SSLv3 and later, the server may choose its own most
@@ -1048,9 +1055,9 @@
 Examples:
 
 In the example below, traffic to example.com and its sub-domains via the
-corresponding MX hosts always uses TLS. The protocol version will be "SSLv3" or
-"TLSv1" (the default setting of smtp_tls_mandatory_protocols excludes "SSLv2").
-Only high or medium strength (i.e. 128 bit or better) ciphers will be used by
+corresponding MX hosts always uses TLS. The SSLv2 protocol will be disabled
+(the default setting of smtp_tls_mandatory_protocols excludes "SSLv2"). Only
+high- or medium-strength (i.e. 128 bit or better) ciphers will be used by
 default for all "encrypt" security level sessions.
 
     /etc/postfix/main.cf:
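
Review bot: the rewritten sentence only says that SSLv2 is disabled and drops the old statement of what remains enabled; for an example that promises traffic to example.com "always uses TLS", readers should be told that the default mandatory setting still permits SSLv3 as well as every TLS version. Either say so explicitly, or have the main.cf example that follows set smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 so that it matches the "Preferred form" used elsewhere in this file.
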
@@ -1714,11 +1721,11 @@
 control over the minimum cipher grade for opportunistic TLS. With Postfix <
 2.6, the minimum opportunistic TLS cipher grade is always "export".
 
-With mandatory TLS encryption, the Postfix SMTP client will by default only use
-SSLv3 or TLSv1. SSLv2 is only used when TLS encryption is optional. The
-mandatory TLS protocol list is specified via the smtp_tls_mandatory_protocols
-configuration parameter. The corresponding smtp_tls_protocols parameter
-(Postfix >= 2.6) controls the SSL/TLS protocols used with opportunistic TLS.
+With mandatory TLS encryption, the Postfix SMTP client will by default disable
+SSLv2. SSLv2 is used only when TLS encryption is optional. The mandatory TLS
+protocol list is specified via the smtp_tls_mandatory_protocols configuration
+parameter. The corresponding smtp_tls_protocols parameter (Postfix >= 2.6)
+controls the SSL/TLS protocols used with opportunistic TLS.
 
 Example:
 
@@ -1726,9 +1733,10 @@
         smtp_tls_mandatory_ciphers = medium
         smtp_tls_mandatory_exclude_ciphers = RC4, MD5
         smtp_tls_exclude_ciphers = aNULL
+        # Preferred form with Postfix >= 2.5:
+        smtp_tls_mandatory_protocols = !SSLv2
+        # Alternative form.
         smtp_tls_mandatory_protocols = SSLv3, TLSv1
-        # Also available with Postfix >= 2.5:
-        smtp_tls_mandatory_protocols = !SSLv2
         # Also available with Postfix >= 2.6:
         smtp_tls_ciphers = export
         smtp_tls_protocols = !SSLv2
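
Review bot: same copy-paste problem as the server example: "smtp_tls_mandatory_protocols = !SSLv2" is immediately overridden by the "Alternative form" line "smtp_tls_mandatory_protocols = SSLv3, TLSv1", and the two are not equivalent any more, since the inclusion list disables TLSv1.1 and TLSv1.2 while "!SSLv2" does not. Comment the alternative out and state the difference instead of presenting the lines as interchangeable.
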
diff -r 5341f7cd6725 -r da6d16af5def external/ibm-public/postfix/dist/RELEASE_NOTES
--- a/external/ibm-public/postfix/dist/RELEASE_NOTES    Wed Jun 13 19:21:02 2012 +0000
+++ b/external/ibm-public/postfix/dist/RELEASE_NOTES    Wed Jun 13 19:28:54 2012 +0000
@@ -11,6 +11,43 @@
 The mail_release_date configuration parameter (format: yyyymmdd)
 specifies the release date of a stable release or snapshot release.
 
+Major changes with Postfix 2.8.10
+---------------------------------
+
+This release adds support to turn off the TLSv1.1 and TLSv1.2
+protocols.  Introduced with OpenSSL version 1.0.1, these are known
+to cause inter-operability problems with for example hotmail.
+
+The radical workaround is to temporarily turn off problematic
+protocols globally:
+
+/etc/postfix/main.cf:
+    smtp_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
+    smtp_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
+
+    smtpd_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
+    smtpd_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
+
+However, it may be better to temporarily turn off problematic
+protocols for broken sites only:
+
+/etc/postfix/main.cf:
+    smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
+
+/etc/postfix/tls_policy:
+    example.com         may protocols=!SSLv2:!TLSv1.1:!TLSv1.2
+
+Important:
+
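
Review bot: this hunk duplicates, line for line as far as shown, the README_FILES/RELEASE_NOTES hunk above and is cut off after "Important:" by the archive's 300-line truncation of the diff; the comments on that hunk (trailing whitespace, global versus per-destination guidance) apply here as well, and the two copies should be kept in sync by regeneration rather than edited separately.
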


