postfix.spec
_service:download_files:postfix-2.10.2.tar.gz/HISTORY
@@ -18276,6 +18276,12 @@
address. Found during Postfix 2.11 code maintenance. File:
smtp/smtp_connect.c.
+20130518
+
+ Bugfix (introduced: 1997): memory leak after error while
+ forwarding mail through the cleanup server. Viktor found
+ one, Wietse eliminated the rest. File: local/forward.c.
+
20130613
Workaround: unhelpful down-stream maintainers fail to install
@@ -18283,3 +18289,20 @@
that could have been avoided. We now hard-code the safety
net instead. Files: global/mail_params.h, conf/post-install,
RELEASE_NOTES.
+
+20130615
+
+ TLS Interoperability: turn on SHA-2 digests by force. This
+ improves interoperability with clients and servers that
+ deploy SHA-2 digests without the required support for
+ TLSv1.2-style digest negotiation. Based on patch by Viktor
+ Dukhovni. Files: tls/tls_client.c, tls/tls_server.c.
+
+20130616
+
+ TLS Performance: the Postfix SMTP server TLS session cache
+ was ineffective because recent OpenSSL versions enable
+ session tickets by default, resulting in a different ticket
+ encryption key for each smtpd(8) process. The workaround
+ turns off session tickets. In 2.11 we'll enable session
+ tickets properly. Viktor Dukhovni. File: tls/tls_server.c.
_service:download_files:postfix-2.10.2.tar.gz/RELEASE_NOTES
@@ -14,6 +14,36 @@
If you upgrade from Postfix 2.8 or earlier, read RELEASE_NOTES-2.9
before proceeding.
+Debian Exim before 4.80-3 interoperability workaround
+-----------------------------------------------------
+
+Debian Exim versions before 4.80-3 may fail to communicate with
+Postfix and possibly other MTAs, with the following Exim SMTP client
+error message:
+
+ TLS error on connection to server-name [server-address]
+ (gnutls_handshake): The Diffie-Hellman prime sent by the server
+ is not acceptable (not long enough)
+
+This problem may affect Debian Exim versions before 4.80-3 that use
+TLS with EDH (Ephemeral Diffie-Hellman) key exchanges. For details
+see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=676563
+
+To restore Postfix SMTP server interoperability with affected Exim
+SMTP clients, configure the Postfix SMTP server to use a 2048-bit
+prime number instead of 1024:
+
+ # cd /etc/postfix
+ # openssl dhparam -out dh2048.pem 2048
+ # postconf -e 'smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem'
+
+This change increases the CPU cost of EDH key exchanges (rarely a
+problem for SMTP servers) and is unlikely to cause problems with
+other SMTP client implementations.
+
+This problem should not affect EECDH (Ephemeral Elliptic Curve
+Diffie-Hellman) key exchanges.
+
Major changes - laptop-friendliness
-----------------------------------
_service:download_files:postfix-2.10.2.tar.gz/src/global/mail_version.h
@@ -20,8 +20,8 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20130622"
-#define MAIL_VERSION_NUMBER "2.10.1"
+#define MAIL_RELEASE_DATE "20130905"
+#define MAIL_VERSION_NUMBER "2.10.2"
#ifdef SNAPSHOT
# define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
_service:download_files:postfix-2.10.2.tar.gz/src/local/forward.c
@@ -118,6 +118,11 @@
FORWARD_INFO *info;
VSTREAM *cleanup;
+#define FORWARD_OPEN_RETURN(res) do { \
+ vstring_free(buffer); \
+ return (res); \
+ } while (0)
+
/*
* Contact the cleanup service and save the new mail queue id. Request
* that the cleanup service bounces bad messages to the sender so that we
@@ -129,13 +134,13 @@
*/
cleanup = mail_connect(MAIL_CLASS_PUBLIC, var_cleanup_service, BLOCKING);
if (cleanup == 0)
- return (0);
+ FORWARD_OPEN_RETURN(0);
close_on_exec(vstream_fileno(cleanup), CLOSE_ON_EXEC);
if (attr_scan(cleanup, ATTR_FLAG_STRICT,
ATTR_TYPE_STR, MAIL_ATTR_QUEUEID, buffer,
ATTR_TYPE_END) != 1) {
vstream_fclose(cleanup);
- return (0);
+ FORWARD_OPEN_RETURN(0);
}
info = (FORWARD_INFO *) mymalloc(sizeof(FORWARD_INFO));
info->cleanup = cleanup;
@@ -190,8 +195,7 @@
PASS_ATTR(cleanup, MAIL_ATTR_LOG_IDENT, request->log_ident);
PASS_ATTR(cleanup, MAIL_ATTR_RWR_CONTEXT, request->rewrite_context);
- vstring_free(buffer);
- return (info);
+ FORWARD_OPEN_RETURN(info);
}
/* forward_append - append recipient to message envelope */
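Review bot: The new `FORWARD_OPEN_RETURN` macro frees `buffer` through an implicit reference to a function local rather than taking it as an argument, and it remains defined for the rest of the translation unit after the function ends at the closing brace above the forward_append comment; add `#undef FORWARD_OPEN_RETURN` right after that brace so later code cannot pick it up. A one-line comment above the `#define` would also help the next reader, e.g. `/* Every early exit must release the queue-id buffer allocated above. */`, since the allocation of `buffer` and the start of this function lie outside the hunk. Both early exits in the second hunk now release the buffer, and the former two-line epilogue is folded into the same macro, which is the leak fix the HISTORY entry describes; whether any further return path exists between the second and third hunks cannot be checked from this view.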
_service:download_files:postfix-2.10.2.tar.gz/src/tls/tls_client.c
@@ -336,6 +336,24 @@
}
/*
+ * Register SHA-2 digests, if implemented and not already registered.
+ * Improves interoperability with clients and servers that prematurely
+ * deploy SHA-2 certificates.
+ */
+#if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256)
+ if (!EVP_get_digestbyname(LN_sha224))
+ EVP_add_digest(EVP_sha224());
+ if (!EVP_get_digestbyname(LN_sha256))
+ EVP_add_digest(EVP_sha256());
+#endif
+#if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512)
+ if (!EVP_get_digestbyname(LN_sha384))
+ EVP_add_digest(EVP_sha384());
+ if (!EVP_get_digestbyname(LN_sha512))
+ EVP_add_digest(EVP_sha512());
+#endif
+
+ /*
* If the administrator specifies an unsupported digest algorithm, fail
* now, rather than in the middle of a TLS handshake.
*/
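Review bot: The SHA-2 registration block added here is repeated byte-for-byte in the tls_server.c hunk of this same commit; a small shared helper next to `tls_bug_bits()` (which both files already call) would keep the two copies from drifting when the guards or the digest list change. The return value of each `EVP_add_digest()` call is ignored; that is presumably acceptable because the check that follows fails early when the administrator-configured digest is still unsupported, but a short note in the comment saying so would make the intent explicit, e.g. `/* Registration failures surface in the digest check below. */`. The enclosing function starts and ends outside the hunk.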
_service:download_files:postfix-2.10.2.tar.gz/src/tls/tls_server.c
@@ -341,6 +341,24 @@
}
/*
+ * Register SHA-2 digests, if implemented and not already registered.
+ * Improves interoperability with clients and servers that prematurely
+ * deploy SHA-2 certificates.
+ */
+#if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256)
+ if (!EVP_get_digestbyname(LN_sha224))
+ EVP_add_digest(EVP_sha224());
+ if (!EVP_get_digestbyname(LN_sha256))
+ EVP_add_digest(EVP_sha256());
+#endif
+#if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512)
+ if (!EVP_get_digestbyname(LN_sha384))
+ EVP_add_digest(EVP_sha384());
+ if (!EVP_get_digestbyname(LN_sha512))
+ EVP_add_digest(EVP_sha512());
+#endif
+
+ /*
* If the administrator specifies an unsupported digest algorithm, fail
* now, rather than in the middle of a TLS handshake.
*/
@@ -395,6 +413,9 @@
/*
* Protocol work-arounds, OpenSSL version dependent.
*/
+#ifdef SSL_OP_NO_TICKET
+ off |= SSL_OP_NO_TICKET;
+#endif
off |= tls_bug_bits();
SSL_CTX_set_options(server_ctx, off);
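Review bot: The `off |= SSL_OP_NO_TICKET;` line in the second hunk changes server-side session resumption behaviour for every smtpd(8) process but carries no comment; the rationale lives only in the HISTORY entry, which a reader of this file will not see. Add it here, e.g. `/* Each smtpd(8) process has its own ticket key, so tickets never resume and only bypass the shared session cache; disable them until keys can be shared. */`. Note that with tickets off, resumption now depends entirely on the existing session cache, so operators tuning cache size or lifetime should be pointed at this line. The enclosing function begins outside the hunk.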