The NetBSD Project

CVS log for pkgsrc/mail/postfix/Makefile.common

[BACK] Up to [cvs.NetBSD.org] / pkgsrc / mail / postfix

Request diff between arbitrary revisions


Default branch: MAIN


Revision 1.45 / (download) - annotate - [select for diffs], Sat Jul 15 14:56:26 2023 UTC (4 months, 3 weeks ago) by otis
Branch: MAIN
CVS Tags: pkgsrc-2023Q3-base, pkgsrc-2023Q3, HEAD
Changes since 1.44: +2 -2 lines
Diff to previous 1.44 (colored)

postfix: Update to 3.8.1

Major changes with Postfix 3.8.1
================================

- Security: the Postfix SMTP server optionally disconnects remote SMTP clients
  that violate RFC 2920 (or 5321) command pipelining constraints. The server
  replies with "554 5.5.0 Error: SMTP protocol synchronization" and logs the
  unexpected remote SMTP client input. Specify "smtpd_forbid_unauth_pipelining
  = yes" to enable. This feature is enabled by default in Postfix 3.9 and
  later.

- Workaround to limit collateral damage from OS distributions that crank up
  security to 11, increasing the number of plaintext email deliveries. This
  introduces basic OpenSSL configuration file support, with two new parameters
  "tls_config_file" and "tls_config_name". Details are in the postconf(5)
  manpage under "tls_config_file" and "tls_config_name".

Full release notes:
http://cdn.postfix.johnriley.me/mirrors/postfix-release/official/postfix-3.8.1.RELEASE_NOTES

Revision 1.44 / (download) - annotate - [select for diffs], Mon May 8 04:30:44 2023 UTC (6 months, 4 weeks ago) by triaxx
Branch: MAIN
CVS Tags: pkgsrc-2023Q2-base, pkgsrc-2023Q2
Changes since 1.43: +2 -2 lines
Diff to previous 1.43 (colored)

postfix: Update to 3.8.0

upstream changes:
-----------------
Postfix 3.7.8
  o Support to look up DNS SRV records in the Postfix SMTP/LMTP client, Based
    on code by Tomas Korbar (Red Hat). For example, with "use_srv_lookup =
    submission" and "relayhost = example.com:submission", the Postfix SMTP
    client will look up DNS SRV records for _submission._tcp.example.com, and
    will relay email through the hosts and ports that are specified with those
    records.
  o TLS obsolescence: Postfix now treats the "export" and "low" cipher grade
    settings as "medium". The "export" and "low" grades are no longer supported
    in OpenSSL 1.1.1, the minimum version required in Postfix 3.6.0 and later.
    Also, Postfix default settings now exclude deprecated or unused ciphers
    (SEED, IDEA, 3DES, RC2, RC4, RC5), digest (MD5), key exchange algorithms
    (DH, ECDH), and public key algorithm (DSS).
  o Attack resistance: the Postfix SMTP server can now aggregate
    smtpd_client_*_rate and smtpd_client_*_count statistics by network block
    instead of by IP address, to raise the bar against a memory exhaustion
    attack in the anvil(8) server; Postfix TLS support unconditionally disables
    TLS renegotiation in the middle of an SMTP connection, to avoid a CPU
    exhaustion attack.
  o The PostgreSQL client encoding is now configurable with the "encoding"
    Postfix configuration file attribute. The default is "UTF8". Previously the
    encoding was hard-coded as "LATIN1", which is not useful in the context of
    SMTP.
  o The postconf command now warns for #comment in or after a Postfix parameter
    value. Postfix programs do not support #comment after other text, and treat
    that as input.

Revision 1.43 / (download) - annotate - [select for diffs], Sat Jan 28 09:28:30 2023 UTC (10 months, 1 week ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2023Q1-base, pkgsrc-2023Q1
Changes since 1.42: +2 -2 lines
Diff to previous 1.42 (colored)

mail/postfix: update to 3.7.4

Postfix 3.7.4 (2023-01-22)

  * Workaround: with OpenSSL 3 and later always turn on
    SSL_OP_IGNORE_UNEXPECTED_EOF, to avoid warning messages and missed
    opportunities for TLS session reuse. This is safe because the SMTP
    protocol implements application-level framing, and is therefore not
    affected by TLS truncation attacks. Fix by Viktor Dukhovni.

  * Workaround: OpenSSL 3.x EVP_get_digestbyname() can return
    lazily-bound handles for digest implementations. In sufficiently
    hostile configurations, Postfix could mistakenly believe that a digest
    algorithm is available, and fail when it is not. A similar workaround
    may be needed for EVP_get_cipherbyname(). Fix by Viktor Dukhovni.

  * Bugfix (bug introduced in Postfix 2.11): the checkok() macro in
    tls/tls_fprint.c evaluated its argument unconditionally; it should
    evaluate the argument only if there was no prior error. Found during
    code review.

  * Bugfix (bug introduced in Postfix 2.8): postscreen died with a
    segmentation violation when postscreen_dnsbl_threshold < 1. It
    should reject such input with a fatal error instead. Discovered by
    Benny Pedersen.

  * Bitrot: fixes for linker warnings from newer Darwin (MacOS)
    versions. Viktor Dukhovni.

  * Portability: Linux 6 support.

  * Added missing documentation that cidr:, pcre: and regexp: tables
    support inline specification only in Postfix 3.7 and later.

Revision 1.42 / (download) - annotate - [select for diffs], Sat Oct 15 20:34:57 2022 UTC (13 months, 2 weeks ago) by triaxx
Branch: MAIN
CVS Tags: pkgsrc-2022Q4-base, pkgsrc-2022Q4
Changes since 1.41: +2 -2 lines
Diff to previous 1.41 (colored)

postfix: Update to 3.7.3

upstream changes:
Postfix 3.7.3
  o This fixes a bug where some messages were not delivered after "warning:
    Unexpected record type 'X'.

Revision 1.41 / (download) - annotate - [select for diffs], Thu Jul 21 15:08:39 2022 UTC (16 months, 2 weeks ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2022Q3-base, pkgsrc-2022Q3
Changes since 1.40: +2 -2 lines
Diff to previous 1.40 (colored)

mail/postfix: update to 3.7.2

3.7.0 (2022-02-07)

  * Support to inline the content of small cidr:, pcre:, and regexp:
    tables in Postfix parameter values. An example is the new
    smtpd_forbidden_commands default value, "CONNECT GET POST
    regexp:{{/^[^A-Z]/ Thrash}}", to quickly drop connections from
    clients that send garbage.

  * To make the maillog_file feature more useful, including stdout
    logging from a container, the postlog(1) command is now set-gid
    postdrop, so that unprivileged programs can use it to write
    logging through the postlogd(8) daemon. This required hardening
    the postlog(1) command against privilege escalation attacks.

  * Support for library APIs: OpenSSL 3.0.0, PCRE2, Berkeley DB 18.

  * Postfix programs now randomize the initial state of in-memory
    hash tables, to defend against hash collision attacks involving
    a large number of attacker-chosen lookup keys. Presently, the
    only known opportunity for such attacks involves remote SMTP
    client IPv6 addresses in the anvil(8) service, and requires
    making hundreds of short-lived connections per second while
    cycling through thousands of different client IP addresses.

  * Updated defense against remote clients or servers that 'trickle'
    SMTP or LMTP traffic. This replaces the old per-record deadlines
    with per-request deadlines and minimum data rates.

  * Many typofixes by raf and Wietse.


3.7.1 (2022-04-18)

  * (problem introduced: Postfix 2.7) The milter_header_checks maps
    are now opened before the cleanup(8) server enters the chroot
    jail. Problem reported by Jesper Dybdal.

  * In an internal client module, "host or service not found" was
    a fatal error, causing the milter_default_action setting to be
    ignored. It is now a non-fatal error, just like a failure to
    connect. Problem reported by Christian Degenkolb.

  * The proxy_read_maps default value was missing up to 27 parameter
    names. The corresponding lookup tables were not automatically
    authorized for use with the proxymap(8) service. The parameter
    names were ending in _checks, _reply_footer, _reply_filter,
    _command_filter, and _delivery_status_filter.

  * (problem introduced: Postfix 3.0) With dynamic map loading
    enabled, an attempt to create a map with "postmap regexp:path"
    would result in a bogus error message "Is the postfix-regexp
    package installed?" instead of "unsupported map type for this
    operation". This happened with all non-dynamic map types (static,
    cidr, etc.) that have no 'bulk create' support. Problem reported
    by Greg Klanderman.

  * In PCRE_README, "pcre2 --libs" should be "pcre2 --libs8". Problem
    reported by Carlos Velasco.

  * Documented in the postlogd(8) daemon manpage that the Postfix
    >= 3.7 postlog(1) command can run with setgid permissions.

3.7.2 (2022-04-28)

This reverts an overly complex change in the postscreen SMTP engine
(made during Postfix 3.7 development), and replaces it with much
simpler code. The bad change was crashing postscreen on some systems
after receiving malformed input (for example, a TLS "hello" message).

Revision 1.40 / (download) - annotate - [select for diffs], Wed Jan 26 17:41:31 2022 UTC (22 months, 1 week ago) by triaxx
Branch: MAIN
CVS Tags: pkgsrc-2022Q2-base, pkgsrc-2022Q2, pkgsrc-2022Q1-base, pkgsrc-2022Q1
Changes since 1.39: +2 -2 lines
Diff to previous 1.39 (colored)

postfix: Update to 3.6.4

upstream changes:
-----------------
 Fixed in Postfix 3.6.4, 3.5.14, 3.4.24, 3.3.21:
  o Bug introduced in bugfix 20210708: duplicate bounce_notice_recipient
    entries in postconf output. This was caused by an incomplete fix to send
    SMTP session transcripts to $bounce_notice_recipient. Reported by Vincent
    Lefevre.
  o Bug introduced in Postfix 3.0: the proxymap daemon did not automatically
    authorize proxied maps inside pipemap (example:
    pipemap:{proxy:maptype:mapname, ...}) or inside unionmap. Problem reported
    by Mirko Vogt.
  o Bug introduced in Postfix 2.5: off-by-one error while writing a string
    terminator. This code passed all memory corruption tests, presumably
    because it wrote over an alignment padding byte, or over an adjacent
    character byte that was never read. Reported by Robert Siemer.

Fixed in Postfix 3.6.4, 3.5.14, 3.4.24:
  o The proxymap daemon did not automatically authorize map features added
    after Postfix 3.3, caused by missing *_maps parameter names in the
    proxy_read_maps default value. Found during code maintenance.

Revision 1.39 / (download) - annotate - [select for diffs], Sat Dec 18 10:50:33 2021 UTC (23 months, 2 weeks ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2021Q4-base, pkgsrc-2021Q4
Changes since 1.38: +2 -1 lines
Diff to previous 1.38 (colored)

postfix: add -headerpad_max_install_names for Darwin builds

Revision 1.38 / (download) - annotate - [select for diffs], Mon Nov 8 13:58:09 2021 UTC (2 years ago) by taca
Branch: MAIN
Changes since 1.37: +2 -2 lines
Diff to previous 1.37 (colored)

mail/postfix: update to 3.6.3

Quote from release announce:

Fixed in Postfix 3.6.3, 3.5.13, 3.4.23, 3.3.20:

  * (problem introduced in Postfix 2.4, released in 2007): queue
    file corruption after a Milter (for example, MIMEDefang) made
    a request to replace the message body with a copy of that message
    body plus additional text (for example, a SpamAssassin report).

    The most likely impacts were a) the queue manager reporting a
    fatal error resulting in email delivery delays, or b) the queue
    manager reporting the corruption and moving the message to the
    corrupt queue for damaged messages.

    However, a determined adversary could craft an email message
    that would trigger the bug, and insert into its queue file a
    content filter destination or a redirect email address. Postfix
    would then deliver the message headers there, in most cases
    without delivering the message body. With enough experimentation,
    an attacker could make Postfix deliver both the message headers
    and body.

    Some details of a successful attack depend on the Milter
    implementation, and on the Postfix and Milter configuration
    details; these can be determined remotely through experimentation.
    Failed experiments may be detected when the queue manager
    terminates with a fatal error, or when the queue manager moves
    damaged files to the "corrupt" queue as evidence.

    Technical details: when Postfix executes a "replace body" Milter
    request it will reuse queue file storage that was used by the
    existing email message body. If the new body is larger, Postfix
    will append body content to the end of the queue file. The
    corruption happened when a Milter (for example, MIMEDefang)
    made a request to replace the body of a message with a new body
    that contained a copy of the original body plus some new text,
    and the original body contained a line longer than $line_length_limit
    bytes (for example, an image encoded in base64 without hard or
    soft line breaks). In queue files, Postfix stores a long text
    line as multiple records with up to $line_length_limit bytes
    each. Unfortunately, Postfix's "replace body" support did not
    account for the additional queue file space needed to store the
    second etc. record headers. And thus, the last record(s) of a
    long text line could overwrite one or more queue file records
    immediately after the space that was previously occupied by the
    original message body.

    Problem report by Benoit Panizzon.

  * (problem introduced in Postfix 2.10, released in 2012): The
    postconf "-x" option could produce incorrect output, because
    multiple functions were implicitly sharing a buffer for
    intermediate results. Problem report by raf, root cause analysis
    by Viktor Dukhovni.

  * (problem introduced in Postfix 2.11, released in 2013): The
    check_ccert_access feature worked as expected, but produced a
    spurious warning when Postfix was built without SASL support.
    Fix by Brad Barden.

  * Fix for a compiler warning due to a missing 'const' qualifier
    when compiling Postfix with OpenSSL 3. Depending on compiler
    settings this could cause the build to fail.

Fixed in Postfix 3.6:

  * The known_tcp_ports settings had no effect. It also wasn't fully
    implemented. Problem report by Peter.

  * Fix for missing space between a hostname and warning text.

Revision 1.37 / (download) - annotate - [select for diffs], Mon Jul 26 15:38:10 2021 UTC (2 years, 4 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2021Q3-base, pkgsrc-2021Q3
Changes since 1.36: +2 -2 lines
Diff to previous 1.36 (colored)

mail/postfix: update to 3.6.2

* pkgsrc change: Add supportfor blocklistd(3) (and blacklistd(3)).

* From release annuonce:

Fixed in Postfix 3.6.2, 3.5.12, 3.4.22, 3.3.19:

  * In Postfix 3.6, fixed a false "Result too large" (ERANGE) fatal
    error in the compatibility_level parser, because there was no
    'errno = 0' statement before an strtol() call. In Postfix
    3.3-3.5, fixed two older latent bugs of this kind (introduced
    in 1999 and in Postfix 2.11). Problem reported by David Bohman.

  * (problem introduced in Postfix 3.3) "Null pointer read" error
    in the cleanup daemon when "header_from_format = standard" (the
    default as of Postfix 3.3), and email was submitted with
    /usr/sbin/sendmail without From: header, and an all-space full
    name was specified in 1) the password file, 2) with "sendmail
    -F", or 3) with the NAME environment variable. Found by Renaud
    Metrich.

  * (problem introduced in Postfix 2.4) False "too many reverse
    jump" warnings in the showq daemon, because loop detection code
    was comparing memory addresses instead of queue file names.
    Reported by Mehmet Avcioglu.

  * (problem introduced in 1999) The Postfix SMTP server was sending
    all session transcripts to the error_notice_recipient (default:
    postmaster), instead of sending transcripts of bounced mail to
    the bounce_notice_recipient (default: postmaster). Reported by
    Hans van Zijst.

Fixed in Postfix 3.6.2, 3.5.12, 3.4.22:

  * The texthash: map implementation broke tls_server_sni_maps,
    because it did not support multi-file inputs. Reported by
    Christopher Gurnee, who also found an instance of the missing
    code in the "postmap -F" source code. File: util/dict_thash.c.

Revision 1.36 / (download) - annotate - [select for diffs], Mon Jun 14 14:29:47 2021 UTC (2 years, 5 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2021Q2-base, pkgsrc-2021Q2
Changes since 1.35: +2 -2 lines
Diff to previous 1.35 (colored)

mail/postfix: update to 3.6.1

3.6.1 (2021-06-14)

Fixed in Postfix 3.6.1, 3.5.11, 3.4.21, 3.3.18:

  * Bugfix (introduced: Postfix 2.11): the command "postmap
    lmdb:/file/name" (create LMDB database from textfile) handled
    duplicate input keys ungracefully, discarding entries stored
    up to and including the duplicate key, and causing a double
    free() call with lmdb versions 0.9.17 and later. Reported by
    Adi Prasaja; double free() root cause analysis by Howard Chu.

Fixed in Postfix 3.6.1, 3.5.11, 3.4.21:

  * Typo (introduced: Postfix 3.4): silent_discard should be
    silent-discard in BDAT_README.

Revision 1.35 / (download) - annotate - [select for diffs], Wed Jun 2 15:29:56 2021 UTC (2 years, 6 months ago) by taca
Branch: MAIN
Changes since 1.34: +2 -2 lines
Diff to previous 1.34 (colored)

mail/postfix: update to 3.6.0

Postfix stable release 3.6.0 is available. This ends the support
for legacy release Postfix 3.2.

The main changes are below. See the RELEASE_NOTES file for further
details.

Incompatible changes:

  * This release requires "postfix stop" before updating, or before
    backing out to an earlier release, because some internal protocols
    have changed. Otherwise, long-running daemons (pickup, qmgr,
    verify, tlsproxy, postscreen) may fail to communicate with the
    rest of Postfix, causing mail delivery delays until Postfix is
    restarted.

  * Respectful logging. Postfix version 3.6 deprecates terminology
    that implies white is better than black. Instead, Postfix prefers
    'allowlist', 'denylist', and variations on those words. This
    change affects Postfix documentation, and postscreen parameters
    and logging.

    To keep the old postscreen logging set "respectful_logging =
    no" in main.cf before setting "compatibility_level = 3.6".  In
    any case, the old postscreen parameter names will keep working
    as before.

Other changes:

  * The minimum supported OpenSSL version is 1.1.1, which will reach
    the end of life by 2023-09-11. Postfix 3.6 is expected to reach
    the end of support in 2025. Until then, Postfix will be updated
    as needed for compatibility with OpenSSL.

    The default fingerprint digest has changed from md5 to sha256
    (Postfix 3.6 with compatibility_level >= 3.6). With a lower
    compatibility_level setting, Postfix defaults to using md5, and
    logs a warning when a Postfix configuration specifies no explicit
    digest type.

    The export-grade Diffie-Hellman key exchange is no longer
    supported, and the tlsproxy_tls_dh512_param_file parameter is
    ignored,

  * Better error messages when someone configures an incorrect
    program in master.cf. To recognize such mistakes, every Postfix
    internal service, including the postdrop command, announces the
    name of its protocol before doing any other I/O, and every
    Postfix client program, including the Postfix sendmail command,
    will verify that the protocol name matches what it expects.

  * Fine-grained control over the envelope sender address for
    submission with the Postfix sendmail (or postdrop) commands.

    Example:

    /etc/postfix/main.cf:
        # Allow root and postfix full control, anyone else can only
        # send mail as themselves. Use "uid:" followed by the numerical
        # UID when the UID has no entry in the UNIX password file.
        local_login_sender_maps =
            inline:{ { root = *}, { postfix = * } },
            pcre:/etc/postfix/login_senders

    /etc/postfix/login_senders:
       # Allow both the bare username and the user@domain forms.
        /(.+)/ $1 $1@example.com

  * Threaded bounces. This allows mail readers to present a
    non-delivery, delayed delivery, or successful delivery notification
    in the same email thread as the original message.

    Unfortunately, this also makes it easy for users to mistakenly
    delete the whole email thread (all related messages), instead
    of deleting only the delivery status notification.

    To enable, specify "enable_threaded_bounces = yes".

  * Postfix by default no longer uses the services(5) database to
    look up the TCP ports for SMTP and LMTP services. Instead, this
    information is configured with the new known_tcp_ports configuration
    parameter (default: lmtp=24, smtp=25, smtps=submissions=465,
    submission=587). When a service is not specified in known_tcp_ports,
    Postfix will still query the services(5) database.

  * Starting with Postfix version 3.6, the compatibility level is
    "3.6". In future Postfix releases, the compatibility level will
    be the Postfix version that introduced the last incompatible
    change. The level is formatted as 'major.minor.patch', where
    'patch' is usually omitted and defaults to zero. Earlier
    compatibility levels are 0, 1 and 2.

    This also introduces main.cf and master.cf support for the
    <=level, < level, and other operators to compare compatibility
    levels. With the standard <=, <, etc. operators, compatibility
    level 3.10 would be less than 3.9, which is undesirable.

Revision 1.34 / (download) - annotate - [select for diffs], Sun May 2 12:11:51 2021 UTC (2 years, 7 months ago) by wiz
Branch: MAIN
Changes since 1.33: +1 -2 lines
Diff to previous 1.33 (colored)

postfix: remove non-existent download site

Revision 1.33 / (download) - annotate - [select for diffs], Mon Apr 26 15:26:08 2021 UTC (2 years, 7 months ago) by triaxx
Branch: MAIN
Changes since 1.32: +2 -2 lines
Diff to previous 1.32 (colored)

postfix: Update to 3.5.10

upstream changes:
-----------------
Fixed in 3.5.10:
  o Missing null pointer checks (introduced in Postfix 3.4) after an internal I/O error during the smtp(8) to tlsproxy(8) handshake. Found by Coverity, reported by Jaroslav Skarvada. Based on a fix by Viktor Dukhovni.
  o Null pointer bug (introduced in Postfix 3.0) and memory leak (introduced in Postfix 3.4) after an inline: table syntax error in main.cf or master.cf. Found by Coverity, reported by Jaroslav Skarvada. Based on a fix by Viktor Dukhovni.
  o Incomplete null pointer check (introduced: Postfix 2.10) after truncated HaProxy version 1 handshake message. Found by Coverity, reported by Jaroslav Skarvada. Fix by Viktor Dukhovni.
  o Missing null pointer check (introduced: Postfix alpha) after null argv[0] value.

Revision 1.32 / (download) - annotate - [select for diffs], Thu Jan 21 16:37:59 2021 UTC (2 years, 10 months ago) by triaxx
Branch: MAIN
CVS Tags: pkgsrc-2021Q1-base, pkgsrc-2021Q1
Changes since 1.31: +2 -2 lines
Diff to previous 1.31 (colored)

postfix: Update to 3.5.9

upstream changes:
-----------------
This update improves the reporting of DNSSEC problems that may affect DANE
security. DNSSEC support may unavailable because of local configuration, libc
incompatibility, or other infrastructure issues. This was backported from
Postfix 3.6.

Background: DNSSEC validation is needed for Postfix DANE support; this ensures
that Postfix receives TLSA records with secure TLS server certificate info.
When DNSSEC validation is unavailable, mail deliveries using opportunistic DANE
(security level 'dane') will not be protected by server certificate info in
TLSA records, and mail deliveries using mandatory DANE (security level
'dane-only') will not be made at all.

This update introduces the following behavior: when a process requests DNSSEC
support (typically, for Postfix DANE support), the process may now do a runtime
test to determine if DNSSEC validation is available.

The new dnssec_probe parameter specifies a DNS query type (default: "ns") and
DNS query name (default: ".") that Postfix may use to determine whether DNSSEC
validation is available. Specify an empty value to disable this feature.

When dnssec_probe is enabled, a Postfix process will send a DNSSEC probe after
1) the process made a DNS query that requested DNSSEC validation, 2) the
process did not receive a DNSSEC validated response to this query or to an
earlier query, and 3) the process did not already send a DNSSEC probe.

When the DNSSEC probe has no response, or when the response is not DNSSEC
validated, Postfix logs a warning that DNSSEC validation may be unavailable.
Examples:

warning: DNSSEC validation may be unavailable
warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
warning: reason: dnssec_probe 'ns:.' received no response: Server failure

With this update, the Postfix build system will no longer automatically disable
DNSSEC support when it determines that Postfix will use libc-musl. This removes
the earlier libc-musl workaround introduced with Postfix 3.2.15, 3.3.10,
3.4.12, and 3.5.2.

Revision 1.31 / (download) - annotate - [select for diffs], Sun Nov 22 11:14:44 2020 UTC (3 years ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2020Q4-base, pkgsrc-2020Q4
Changes since 1.30: +2 -2 lines
Diff to previous 1.30 (colored)

postfix: updated to 3.5.8

Fixed in Postfix version 3.5.8:

[Postfix 3.5 and later] The Postfix SMTP client inserted <CR><LF> into message headers with lines longer than $line_length_limit (default: 2048), causing all subsequent header content to become message body content. Reported by Andreas Weigel.

Fixed in Postfix versions 3.5.8, 3.4.18, 3.3.15, 3.2.20:

[Postfix 2.8 and later] The postscreen daemon did not save a copy of the postscreen_dnsbl_reply_map lookup result. This has no effect when the recommended texthash: lookup table is used, but it could result in stale data with other lookup tables.

[Postfix 2.3 and later] After deleting a recipient with a Milter, the Postfix recipient duplicate filter was not updated; the filter suppressed requests to add the recipient back. Reported by Mehmet Avcioglu.

[Postfix 2.3 and later] Memory leak: the static: maps did not free their casefolding buffer.

[Postfix 2.2 and later] With "smtpd_tls_wrappermode = yes", the smtps service was waiting for a TLS handshake, after processing an XCLIENT command. Reported by Aki Tuomi.

[Postfix 2.0 and later] The smtp_sasl_mechanism_filter implementation ignored table lookup errors, treating them as 'not found'.

[Postfix alpha and later] The code that looks for Delivered-To: headers ignored headers longer than $line_length_limit (default: 2048).

Revision 1.30 / (download) - annotate - [select for diffs], Mon Aug 31 13:07:46 2020 UTC (3 years, 3 months ago) by otis
Branch: MAIN
CVS Tags: pkgsrc-2020Q3-base, pkgsrc-2020Q3
Changes since 1.29: +2 -2 lines
Diff to previous 1.29 (colored)

mail/postfix: Update to 3.5.7

Changelog:
With "smtp_tls_connection_reuse = yes", tlsproxy(8) was using the wrong global
TLS context for connections that use DANE trust anchors or that use non-DANE
trust anchors. This resulted in a global certificate verify function pointer
race, between TLS handshakes that use trust achors and concurrent TLS
handshakes that use PKI. No memory was corrupted in the course of all this.

Reference: http://www.postfix.org/announcements/postfix-3.5.7.html

Revision 1.29 / (download) - annotate - [select for diffs], Thu Aug 27 13:57:14 2020 UTC (3 years, 3 months ago) by triaxx
Branch: MAIN
Changes since 1.28: +2 -2 lines
Diff to previous 1.28 (colored)

postfix: Update to 3.5.6

upstream changes:
-----------------
Fixed in Postfix versions 3.5.6, 3.4.16, 3.3.14, 3.2.19:

  * One fix for memory leaks in the Postfix TLS library was back-ported to the wrong place, resulting in undefined program behavior.

Fixed in Postfix versions 3.5.6, 3.4.16:

  * The workaround for allowed TLS protocol versions did not explictly override the system-wide OpenSSL configuration, for sessions where the remote SMTP client sends SNI. It's better to be safe than sorry.

 Fixed in Postfix versions 3.5.5, 3.4.15, 3.3.13, 3.2.18:

  * Workaround for unexpected TLS interoperability problems when Postfix runs on OS distributions with system-wide OpenSSL configurations.

  * Memory leaks in the Postfix TLS library, the largest one involving multiple kBytes per peer certificate.

Revision 1.28 / (download) - annotate - [select for diffs], Tue Jun 30 15:00:45 2020 UTC (3 years, 5 months ago) by taca
Branch: MAIN
Changes since 1.27: +2 -2 lines
Diff to previous 1.27 (colored)

mail/postfix: update to 3.5.4

Update postfix to 3.5.4.


Fixed in Postfix 3.5.4, 3.4.14:

  * The connection_reuse attribute in smtp_tls_policy_maps always
    resulted in an "invalid attribute name" error. Fix by Thorsten
    Habich.

  * SMTP over TLS connection reuse always failed for Postfix SMTP
    client configurations that specify explicit trust anchors (remote
    SMTP server certificates or public keys). Reported by Thorsten
    Habich.

Fixed in Postfix versions 3.5.4, 3.4.14, 3.3.12, 3.2.17:

  * The Postfix SMTP client's DANE implementation would always send
    an SNI option with the name in a destination's MX record, even
    if the MX record pointed to a CNAME record. MX records that
    point to CNAME records are not conformant with RFC5321, and so
    are rare.

    Based on the DANE survey of ~2 million hosts it was found that
    with the corrected SMTP client behavior, sending SNI with the
    CNAME-expanded name, the SMTP server would not send a different
    certificate. This fix should therefore be safe.

Revision 1.27 / (download) - annotate - [select for diffs], Mon Jun 15 15:43:32 2020 UTC (3 years, 5 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2020Q2-base, pkgsrc-2020Q2
Changes since 1.26: +2 -2 lines
Diff to previous 1.26 (colored)

mail/postfix: update to 3.5.3

Update postfix and related pacakges to 3.5.3.


Quote freom release announce.

Postfix 3.5.3, 3.4.13:

  * TLS handshake failure in the Postfix SMTP server during SNI
    processing, after the server-side TLS engine sent a TLSv1.3
    HelloRetryRequest (HRR) to a remote SMTP client. Reported by
    J??n M??t??, fixed by Viktor Dukhovni.

Postfix versions 3.5.3, 3.4.13, 3.3.11, 3.2.16:

  * The command "postfix tls deploy-server-cert" did not handle a
    missing optional argument. This bug was introduced in Postfix
    3.1.

Revision 1.26 / (download) - annotate - [select for diffs], Mon May 18 14:21:53 2020 UTC (3 years, 6 months ago) by triaxx
Branch: MAIN
Changes since 1.25: +2 -2 lines
Diff to previous 1.25 (colored)

postfix: update to 3.5.2

upstream changes:
-----------------
 Postfix versions 3.5.2, 3.4.12, 3.2.10, 3.2.15:
  * A TLS error for a database client caused a false 'lost connection' error for an SMTP over TLS session in the same Postfix process. Reported by Alexander Vasarab, diagnosed by Viktor Dukhovni. This bug was introduced with Postfix 2.2.
  * The same bug existed in the tlsproxy(8) daemon, where a TLS error for one TLS session could cause a false 'lost connection' error for a concurrent TLS session in the same process. This bug was introduced with Postfix 2.8.
  * The Postfix build now disables DANE support on Linux systems with libc-musl, because libc-musl provides no indication whether DNS responses are authentic. This broke DANE support without a clear explanation.
  * Due to implementation changes in the ICU library, some Postfix daemons reported file access errrors (U_FILE_ACCESS_ERROR) after chroot(). This was fixed by initializing the ICU library before making the chroot() call.
  * Minor code changes to silence a compiler that special-cases string literals.

Postfix 3.5.2, 3.4.12:
  * Segfault in the tlsproxy(8) client role when the server role was disabled. This typically happened on systems that do not receive mail, after configuring connection reuse for outbound SMTP over TLS.
  * The date portion of the maillog_file_rotate_suffix default value used the minute (%M) instead of the month (%m). Reported by Larry Stone.

Revision 1.25 / (download) - annotate - [select for diffs], Sun Apr 26 09:33:25 2020 UTC (3 years, 7 months ago) by taca
Branch: MAIN
Changes since 1.24: +2 -2 lines
Diff to previous 1.24 (colored)

mail/postfix: update to 3.5.1

Update postfix to 3.5.1.


3.5.0 (2020-03-16)

Postfix stable release 3.5.0 is available. Support has ended for
legacy release Postfix 3.1.

The main changes are below. See the RELEASE_NOTES file for further details.

  * Support for the haproxy v2 protocol. The Postfix implementation
    supports TCP over IPv4 and IPv6, as well as non-proxied
    connections; the latter are typically used for heartbeat tests.

  * Support to force-expire email messages. This introduces new
    postsuper(1) command-line options to request expiration, and
    additional information in mailq(1) or postqueue(1) output.

  * The Postfix SMTP and LMTP client support a list of nexthop
    destinations separated by comma or whitespace. These destinations
    will be tried in the specified order. Examples:

    /etc/postfix/main.cf:
        relayhost = foo.example, bar.example
        default_transport = smtp:foo.example, bar.example

Incompatible changes:

  * Logging: Postfix daemon processes now log the from= and to=
    addresses in external (quoted) form in non-debug logging (info,
    warning, etc.). This means that when an address localpart
    contains spaces or other special characters, the localpart will
    be quoted, for example:

	from=<"name with spaces"@example.com>

    Specify "info_log_address_format = internal" for backwards compatibility.

  * Postfix now normalizes IP addresses received with XCLIENT,
    XFORWARD, or with the HaProxy protocol, for consistency with
    direct connections to Postfix. This may change the appearance
    of logging, and the way that check_client_access will match
    subnets of an IPv6 address.


3.5.1 (2020-04-20)

Postfix versions 3.5.1, 3.4.11, 3.3.9, 3.2.14:

  * Bitrot workaround for broken builds after an incompatible change
    in GCC 10.

  * Bitrot workaround for broken DANE/DNSSEC support after an
    incompatible change in GLIBC 2.31. This change avoids the need
    for new options in /etc/resolv.conf.

Revision 1.24 / (download) - annotate - [select for diffs], Tue Feb 11 20:40:27 2020 UTC (3 years, 9 months ago) by triaxx
Branch: MAIN
CVS Tags: pkgsrc-2020Q1-base, pkgsrc-2020Q1
Changes since 1.23: +2 -2 lines
Diff to previous 1.23 (colored)

postfix: update to 3.4.9

upstream changes:
-----------------
 Fixed in all supported stable releases:

    Bug (introduced: Postfix 3.1): smtp_dns_resolver_options were broken while adding support for negative DNS response caching in postscreen. Postfix was inadvertently changed to call res_query() instead of res_search(). Reported by Jaroslav Skarvada.

    Bug (introduced: Postfix 2.5): Postfix ignored the CONNECT macro overrides from a Milter application. Postfix now evaluates the Milter macros for an SMTP CONNECT event after the Postfix-to-Milter connection is negotiated. Problem reported by David Bürgin.

    Bug (introduced: Postfix 3.0): sanitize (remote) server responses before storing them in the verify database, to avoid Postfix warnings about malformed UTF8. Found during code maintenance.

Revision 1.23 / (download) - annotate - [select for diffs], Tue Jan 28 08:16:51 2020 UTC (3 years, 10 months ago) by triaxx
Branch: MAIN
Changes since 1.22: +3 -1 lines
Diff to previous 1.22 (colored)

mail/postfix: fix insufficient permissions for var/spool/postfix/...

pkgsrc changes:
---------------
  * Remove the subdirectories of var/spool/postfix to avoid insufficient
    permissions when upgrading (Thanks Matthias!).

Revision 1.22 / (download) - annotate - [select for diffs], Mon Dec 9 08:45:14 2019 UTC (3 years, 11 months ago) by triaxx
Branch: MAIN
CVS Tags: pkgsrc-2019Q4-base, pkgsrc-2019Q4
Changes since 1.21: +2 -2 lines
Diff to previous 1.21 (colored)

postfix: update to 3.4.8

upstream changes:
-----------------
    Fix for an Exim interoperability problem when postscreen after-220 checks
    are enabled. Bug introduced in Postfix 3.4: the code that detected
    "PIPELINING after BDAT" looked at the wrong variable. The warning now says
    "BDAT without valid RCPT", and the error is no longer treated as a command
    PIPELINING error, thus allowing mail to be delivered. Meanwhile, Exim has
    been fixed to stop sending BDAT commands when postscreen rejects all RCPT
    commands.

    Usability bug, introduced in Postfix 3.4: the parser for key/certificate
    chain files rejected inputs that contain an EC PARAMETERS object. While
    this is technically correct (the documentation says what types are allowed)
    this is surprising behavior because the legacy cert/key parameters will
    accept such inputs. For now, the parser skips object types that it does not
    know about for usability, and logs a warning because ignoring inputs is not
    kosher.

    Bug introduced in Postfix 2.8: don't gratuitously enable all after-220
    tests when only one such test is enabled. This made selective tests
    impossible with 'good' clients. This will be fixed in older Postfix
    versions at some later time.

Revision 1.21 / (download) - annotate - [select for diffs], Sat Nov 2 16:25:26 2019 UTC (4 years, 1 month ago) by rillig
Branch: MAIN
Changes since 1.20: +2 -2 lines
Diff to previous 1.20 (colored)

mail: align variable assignments

pkglint -Wall -F --only aligned -r

No manual corrections.

Revision 1.20 / (download) - annotate - [select for diffs], Mon Sep 23 20:00:07 2019 UTC (4 years, 2 months ago) by triaxx
Branch: MAIN
CVS Tags: pkgsrc-2019Q3-base, pkgsrc-2019Q3
Changes since 1.19: +2 -2 lines
Diff to previous 1.19 (colored)

postfix: Update to 3.4.7

upstream changes:
-----------------
* Robustness: the tlsproxy(8) daemon could go into a loop, logging a flood of
  error messages. Problem reported by Andreas Schulze after enabling SMTP/TLS
  connection reuse.
* Workaround: OpenSSL changed an SSL_Shutdown() non-error result value into an
  error result value, causing logfile noise.
* Configuration: the new 'TLS fast shutdown' parameter name was implemented
  incorrectly. The documentation said "tls_fast_shutdown_enable", but the code
  said "tls_fast_shutdown". This was fixed by changing the code, because no-one
  is expected to override the default.
* Performance: workaround for poor TCP loopback performance on LINUX, where
  getsockopt(..., TCP_MAXSEG, ...) reports a bogus TCP maximal segment size that
  is 1/2 to 1/3 of the real MSS. To avoid client-side Nagle delays or
  server-side delayed ACKs caused by multiple smaller-than-MSS writes, Postfix
  chooses a VSTREAM buffer size that is a small multiple of the reported bogus
  MSS. This workaround increases the multiplier from 2x to 4x.
* Robustness: the Postfix Dovecot client could segfault (null pointer read) or
  cause an SMTP server assertion to fail when talking to a fake Dovecot server.
  The Postfix Dovecot client now logs a proper error instead. Problem reported
  by Tim Düsterhus.

Revision 1.19 / (download) - annotate - [select for diffs], Wed Jul 17 13:33:00 2019 UTC (4 years, 4 months ago) by triaxx
Branch: MAIN
Changes since 1.18: +2 -2 lines
Diff to previous 1.18 (colored)

postfix: update to 3.4.6

pkgsrc changes:
---------------
  * change COMMENT to make pkglint happy (inspired by http://www.postfix.org/)
  * update PLIST using make print-PLIST (missing @pkgdir)

upstream changes:
-----------------
20181125

	Cleanup: dict_file_to_xxx() takes a list of file names
	separated by CHARS_COMMA_SP. Shoe-horned into the existing
	API, make it nicer when there is time. File: util/dict_file.c.

20181127

	Cleanup: encapsulated clumsy 'read into VSTRING' code with
	easier-to-use vstream_fread_buf() and vstream_fread_app()
	primitives. Files: global/memcache_proto.c, global/record.c,
	global/smtp_stream.c, global/smtp_stream.h, global/uxtext.c,
	global/xtext.c, milter/milter8.c, util/dict_file.c,
	util/hex_quote.c, util/netstring.c, util/vstream.c,
	util/vstream.h. Verified with "make tests".

	Cleanup: simplified the smtp_fread() API (introduced for
	BDAT support), and changed the name to smtp_fread_buf().
	Files: global/smtp_stream.c, smtpd/smtpd.c. Verified with
	~megabyte BDAT commands.

	Cleanup: simplified a tlsproxy-internal API. File:
	tlsproxy/tlsproxy.c.

20181128

	Initial support for key/certificate chain files that will
	replace the proliferation of separate parameters for
	RSA/DSA/ECC/etc. key and certificate files. Viktor
	Dukhovni.

20181201

	Cleanup: replaced the remaining unsafe VSTRING_AT_OFFSET()
	calls with safe vstring_set_payload_size() calls, in code
	that directly writes into VSTRING. Files: tls/tls_session.c,
	tlsmgr/tlsmgr.c, util/casefold.c, util/vstring.c, util/vstring.h,
	xsasl/xsasl_cyrus_client.c.

	Cleanup: postscreen_command_time_limit did not need to be
	a 'raw' parameter. This makes "postconf -x" behavior more
	consistent. Files: global/mail_params.h, postscreen/postscreen.c.

	Documentation: added text that the following parameter
	values are not subject to Postfix parameter $name expansion:
	default_rbl_reply, command_execution_directory, luser_relay,
	smtpd_reject_footer. These have their own documented $name
	substitution mechanism. File: proto/postconf.proto.

20181202

	Bugfix: posttls-finger reported an error for UNIX-domain
	connections, even if they did not fail. Found by Coverity.
	File: posttls-finger/posttls-finger.c.

20181208

	Documentation: add even more redundancy to the rate-delay
	description. File: proto/postconf.proto.

20181210

	Cleanup: code deduplication. File: util/dict_file.c.

20181226

	Cleanup: code deduplication and better encapsulation with
	PSC_DEL_CLIENT_STATE() and PSC_DEL_SERVER_STATE() macros.
	Files: postscreen/postscreen.h, postscreen/postscreen_state.c.

	Documentation: POSTSCREEN_README did not describe the
	postscreen_post_queue_limit, and attributed the wrong reject
	message to the postscreen_pre_queue_limit. Problem reported
	by Michael Orlitzky. File: proto/POSTSCREEN_README.html.

	(20181226-nonprod) Compatibility: removed support for OpenSSL
	1.0.1 (not supported since December 31, 2016) and earlier
	releases. This eliminated a large number of #ifdefs with
	bitrot workarounds.  Viktor Dukhovni. Files: global/mail_params.h,
	posttls-finger/posttls-finger.c, tls/tls.h, tls/tls_certkey.c,
	tls/tls_client.c, tls/tls_dane.c, tls/tls_dh.c, tls/tls_misc.c,
	tls/tls_proxy_client_scan.c, tls/tls_rsa.c, tls/tls_server.c,
	tls/tls_session.c.

	(20181226-nonprod) Use the OpenSSL 1.0.2 and later API for
	setting ECDHE curves. Viktor Dukhovni. Files: tls/tls.h,
	tls/tls_client.c, tls/tls_dh.c.

	(20181226-nonprod) Documentation update for TLS support.
	Viktor Dukhovni. Files: mantools/postlink, proto/TLS_README.html,
	proto/postconf.proto, src/sendmail/sendmail.c, src/smtpd/smtpd.c.

20181229

	Explicit maps_file_find() and dict_file_lookup() methods
	that decode base64 content. Decoding content is not built
	into the dict->lookup() method, because that would complicate
	the implementation of map nesting (inline, thash), map
	composition (pipemap, unionmap), and map proxying.  For
	consistency, decoding base64 file content is also not built
	into the maps_find() method. Files: util/dict.h.
	util/dict_file.c, global/maps.[hc], postmap/postmap.c.

20190106

        Documentation: documented the SRC_RHS_IS_FILE flag in
        dict_open.c, and updated the -F description in the postmap
        manpage. Files: util/dict_open.c, postmap/postmap.c.

	(20190106-nonprod) Feature: support for files that combine
	multiple (key, certificate, trust chain) instances in one
	file, to avoid separate files for RSA, DSA, Elliptic Curve,
	and so on. Viktor Dukhovni. Files: .indent.pro,
	global/mail_params.h, posttls-finger/posttls-finger.c,
	smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp_params.c,
	smtp/smtp_proto.c, smtpd/smtpd.c, tls/tls.h, tls/tls_certkey.c,
	tls/tls_client.c, tls/tls_proxy.h, tls/tls_proxy_client_print.c,
	tls/tls_proxy_client_scan.c, tls/tls_proxy_server_print.c,
	tls/tls_proxy_server_scan.c, tls/tls_server.c, tlsproxy/tlsproxy.c.

	(20190106-nonprod) Create a second, no-key no-cert, SSL_CTX
	for use with SNI. Viktor Dukhovni. Files: src/tls/tls.h,
	src/tls/tls_client.c, src/tls/tls_misc.c, src/tls/tls_server.c.

	(20190106-nonprod) Server-side SNI support. Viktor Dukhovni.
	Files: src/global/mail_params.h, src/smtp/smtp.c,
	src/smtpd/smtpd.c, src/tls/tls.h, src/tls/tls_certkey.c,
	src/tls/tls_misc.c, src/tlsproxy/tlsproxy.c,

	(20190106-nonprod) Configurable client-side SNI signal.
	Viktor Dukhovni. Files: global/mail_params.h,
	posttls-finger/posttls-finger.c, smtp/lmtp_params.c,
	smtp/smtp.c, smtp/smtp.h, smtp/smtp_params.c, smtp/smtp_proto.c,
	smtp/smtp_tls_policy.c, tls/tls.h, tls/tls_client.c,
	tls/tls_proxy.h, tls/tls_proxy_client_print.c,
	tls/tls_proxy_client_scan.c.

20190121

	Logging: support for internal logging file, without using
	syslog (it uses the new postlogd daemon instead). This
	solves a usability problem for MacOS, may help getting
	around systemd, and solves 99% of the problem for logging
	to stdout in a container (hopefully we have 100% soon).
	Enable by setting, for example, "maillog_file =
	/var/log/postfix.log").  This works fine for daemons, and
	with some limitations for non-daemon programs.  See
	RELEASE_NOTES for more details.  Files: conf/master.cf,
	conf/post-install, conf/postfix-files, conf/postfix-script,
	mantools/postlink, proto/master, proto/postconf.proto,
	global/mail_params.c, global/mail_params.h, global/mail_proto.h,
	global/maillog_client.c, global/maillog_client.h,
	master/dgram_server.c, master/event_server.c, master/mail_server.h,
	master/master.c, master/master.h, master/master_ent.c,
	master/master_listen.c, master/master_proto.h,
	master/master_wakeup.c, master/multi_server.c,
	master/single_server.c, master/trigger_server.c,
	postalias/postalias.c, postconf/postconf_master.c,
	postdrop/postdrop.c, postfix/postfix.c, postkick/postkick.c,
	postlog/postlog.c, postlogd/postlogd.c, postmap/postmap.c,
	postmulti/postmulti.c, postqueue/postqueue.c,
	postsuper/postsuper.c, sendmail/sendmail.c, util/connect.h,
	util/listen.h, util/logwriter.c, util/logwriter.h,
	util/msg_logger.c, util/msg_logger.h, util/msg_output.c,
	util/msg_output.h, util/unix_dgram_connect.c,
	util/unix_dgram_listen.c.

	Cleanup: cert/key/chain loading, plus unit tests to exercise
	non-error and error cases. Viktor Dukhovni. Files: tls/*.pem,
	tls*.pem.ref, tls/tls_certkey.c.

20190126

	Safety: Postfix programs will log to either syslog or postlog
	but not both; and postlogd forwards postlog logging to
	syslog, when a configuration change removes the maillog_file
	pathname, but some programs still use the old configuration.
	Files: util/msg_syslog.[hc], util/msg_logger.c,
	global/maillog_client.c, postlogd/postlogd.c,

	Bugfix (introduced: Postfix 20110109, Postfix 2.10): watchdog
	pipe file descriptor leak. This pipe provides one source
	of liveness, data from this pipe is discarded, and therefore
	this does not enable privilege escalation or DOS. File:
	util/watchdog.c.

	Feature: stdout logging support; requires "postfix start-fg"
	and "maillog_file = /dev/stdout". Files: master/master.c,
	conf/postfix-script.

20190127

	Safety: when maillog_file is specified, 'postfix check' now
	requires that the postlog service is enabled in master.cf.
	Otherwise 'postfix start' etc. will log a fatal error. File:
	conf/postfix-script.

	Documentation: added policy_context example. File:
	proto/SMTPD_POLICY_README.html.

20190128

	Testing: run libtls tests under Valgrind. File tls/Makefile.in.

20190129

	Safety: require that $maillog_file matches one of the
	pathname prefixes specified in $maillog_file_prefixes. The
	maillog file is created by root, and the prefixes limit the
	damage from a single configuration error. Files:
	global/mail_params.[hc], global/maillog_client.c.

20191201

	Feature: "postfix logrotate" command with configurable
	compression program and datestamp filename suffix. File:
	conf/postfix-script.

20190202

	Cleanup: log a warning when the client sends a malformed
	SNI; log an info message when the client sends a valid SNI
	that does not match the SNI lookup tables; update the
	FORWARD_SECRECY_README logging examples. Viktor Dukhovni.
	Files: proto/FORWARD_SECRECY_README.html, tls/tls.h,
	tls/tls_client.c, tls/tls_misc.c.

20190208

	Debugging: the master(8) daemon now logs a warning if a
	master.cf entry is defined multiple times. File:
	src/master/master_conf.c.

20190209

	Debugging: tlsproxy(8) now logs more details about unexpected
	configuration differences between the Postfix SMTP client
	and the tlsproxy(8) daemon.

20190210

	Documentation: Postfix 3.4.0 RELEASE NOTES.

	Documentation: added BDAT_README.

	Documentation: global TLS settings. Files: mantools/postlink,
	smtp/smtp.c, tlsproxy/tlsproxy.c.

20190211

	Cleanup: removed obsolete parameters: tls_dane_digest_agility,
	tls_dane_trust_anchor_digest_enable; removed openssl_path
	parameter from configuration difference checks in tlsproxy.
	Files: global/mail_params.h, tls/tls_misc.c,
	tls/tls_proxy_client_misc.c, tls/tls_proxy_client_print.c,
	tls/tls_proxy_client_scan.c, tls/tls_proxy.h.

20190212

	Cleanup: missing #ifdef USE_TLS. Files: smtp/smtp_session.c,
	posttls-finger/posttls-finger.c.

20190217

	Cleanup: when the master daemon runs with PID=1 (init mode),
	reap orhpan processes from non-Postfix code running in the
	same container, instead of terminating with a panic. File:
	master/master_spawn.c.

20190218

	Bugfix: tlsproxy did not enable DANE-style PKI because
	libtls seems to have to accreted multiple init functions
	instead of reusing the tls_client_init() and tls_client_start()
	API. And some functions that do initialization don't even
	have init in their name! Problem report by Andreas Schulze.
	Viktor Dukhovni. Files: tls/tls_misc.c, tlsproxy/tlsproxy.c.

	Workaround: Postfix libtls makes DANE-specific changes to
	the shared SSL_CTX. To avoid false sharing, tlsproxy needs
	to label the SSL_CTX cache with DANE bits until we can
	remove the code that modifies SSL_CTX. File: tlsproxy/tlsproxy.c.

	Cleanup: Postfix libtls changed the shared SSL_CTX to
	override ciphers. instead of changing the SSL handle. To
	avoid false sharing in tlsproxy, the changes are now made
	to the SSL handle. Viktor Dukhovni. Files: tls/tls.h,
	tls/tls_client.c, tls/tls_misc.c, tls/tls_server.c.

20190219

	Bugfix: in the Postfix SMTP client, TLS wrappermode was not
	tested in tlsproxy mode. It needed some setup for buffering
	and timeouts. Problem report by Andreas Schulze. File:
	smtp/smtp_proto.c.

20190304

	Bugfix: a reversed test broke TLS configurations that specify
	the same filename for a private key and certificate. Reported
	by Mike Kazantsev. Fix by Viktor Dukhovni. Wietse fixed the
	test. Files: tls/tls_certkey.c, tls/Makefile.in.

20190310

	Bitrot: LINUX5s support, after some sanity checks with a
	rawhide prerelease version. Files: makedefs, util/sys_defs.h.

	Bugfix (introduced: 20181226): broken DANE trust anchor
	file support, caused by left-over debris from the 20181226
	TLS library overhaul. By intrigeri. File: tls/tls_dane.c.

	Bugfix (introduced: Postfix-1.0.1): null pointer read, while
	logging a warning after a corrupted bounce log file. File:
	global/bounce_log.c.

	Bugfix (introduced: Postfix-2.9.0): null pointer read, while
	logging a warning after a postscreen_command_filter read
	error. File: postscreen/postscreen_smtpd.c. global/bounce_log.c

20190312

	Bugfix (introduced: Postfix 2.2): reject_multi_recipient_bounce
	has been producing false rejects starting with the Postfix
	2.2 smtpd_end_of_data_restrictons, and for the same reasons,
	does the same with the Postfix 3.4 BDAT command. The latter
	was reported by Andreas Schulze. File: smtpd/smtpd_check.c.

20190319

	With message_size_limit=0 (which is NOT DOCUMENTED), BDAT
	chunks were always rejected as too large. File: smtpd/smtpd.c

20190328

	Bugfix (introduced: Postfix 3.0): LMTP connections over
	UNIX-domain sockets were cached but not reused, due to a
	cache lookup key mismatch. Therefore, idle cached connections
	could exhaust LMTP server resources, resulting in two-second
	pauses between email deliveries. This problem was investigated
	by Juliana Rodrigueiro. File: smtp/smtp_connect.c.

20190331

	Documentation: tlsext_padding is not a tls_ssl_options
	feature. File: proto/postconf.proto.

20190401

	Portability: added "#undef sun" to util/unix_dgram_connect.c.

20190403

	Bugfix (introduced: Postfix 2.3): a censoring filter broke
	multiline Milter responses for header/body events. Problem
	report by Andreas Thienemann. Files: util/printable.c,
	util/stringops.h, smtpd/smtpd.c

	Bugfix (introduced: Postfix 3.3): "smtp_mx_address_limit =
	0" no longer meant 'unlimited'. Problem report by Luc Pardon.
	File: smtp/smtp_addr.c.

20190615

	Documentation: updated the BUGS section in the smtp(8) manpage
	about TLS connection reuse. File: smtp/smtp.c.

	Workaround for implementations that hang Postfix while
	shutting down a TLS session, until Postfix times out. With
	"tls_fast_shutdown_enable = yes" (the default), Postfix no
	longer waits for the TLS peer to respond to a TLS 'close'
	request. This is recommended with TLSv1.0 and later. Files:
	global/mail_params.h, tls/tls_session.c, and documentation.

20190621

	Bugfix (introduced: Postfix 3.0): the code to reset Postfix
	SMTP server command counts was not called after a HaProxy
	handshake failure, causing stale numbers to be reported.
	The command counts are now reset in the function that reports
	the counts. File: smtpd/smtpd.c.

Revision 1.18 / (download) - annotate - [select for diffs], Tue Apr 30 03:41:51 2019 UTC (4 years, 7 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2019Q2-base, pkgsrc-2019Q2
Changes since 1.17: +2 -2 lines
Diff to previous 1.17 (colored)

mail/postfix: update to 3.3.3

This announcement concerns fixes for problems that were introduced
with Postfix 3.0 and later. This is the final update for Postfix
3.0.

Fixed in Postfix 3.3 and later:

  * When the master daemon runs with PID=1 (init mode), it will now
    reap child processes from non-Postfix code running in the same
    container, instead of terminating with a panic. Reported by
    Tamas Gerczei.

Fixed in Postfix 3.0 and later:

  * With smtputf8_enable=yes, table lookups could casefold the
    search string when searching a lookup table that does not use
    fixed-string keys (regexp, pcre, tcp, etc.).

  * With the posttls-finger test program, connections to unix-domain
    servers always resulted in "Failed to establish session" even
    after a connection was established. Reported by Jaroslav Skarva.

Revision 1.17 / (download) - annotate - [select for diffs], Sat Dec 15 16:35:23 2018 UTC (4 years, 11 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2019Q1-base, pkgsrc-2019Q1, pkgsrc-2018Q4-base, pkgsrc-2018Q4
Changes since 1.16: +2 -2 lines
Diff to previous 1.16 (colored)

mail/postfix: update to 3.3.2

Changes for all supported stable releases:

  * Support for OpenSSL 1.1.1, and support for TLSv1.3-specific
    features.

      - Updated Postfix TLS documentation examples for TLSv1.3. See
        FORWARD_SECRECY_README.

      - New TLSv1.3-specific attributes in Postfix logging and in
        Postfix "Received:" message headers: key exchange, server
        signature, client signature.

      - New option to selectively disable TLSv1.3 in *_tls_protocols
        settings.

      - New server-side support to avoid issuing multiple session
        tickets.

      - New support to allow OpenSSL >= 1.1.0 run-time micro version
        bumps without logging Postfix warnings about library version
        mismatches.

Fixed in all stable releases:

  * Bugfix: smtpd_discard_ehlo_keywords could not disable "SMTPUTF8",
    because some lookup table was using "EHLO_MASK_SMTPUTF8" instead.

  * Bugfix: minor memory leak in DANE support when minting issuer
    certs. This affects a tiny minority of use cases.

Fixed in Postfix 3.3.2:

  * Bugfix: the Postfix build did not abort if the m4 command was
    not installed, resulting in a broken postconf command.

Revision 1.16 / (download) - annotate - [select for diffs], Mon May 21 14:49:47 2018 UTC (5 years, 6 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2018Q3-base, pkgsrc-2018Q3, pkgsrc-2018Q2-base, pkgsrc-2018Q2
Changes since 1.15: +2 -2 lines
Diff to previous 1.15 (colored)

mail/postfix: update to 3.3.1

[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-3.3.1.html]

Fixed in Postfix 3.3:

  * Postfix did not support running as a PID=1 process, which
    complicated Postfix deployment in containers. The "postfix
    start-fg" command will now run the Postfix master daemon as a
    PID=1 process if possible. Thanks for inputs from Andreas
    Schulze, Eray Aslan, and Viktor Dukhovni.

  * Segfault in the postconf(1) command after it could not open a
    Postfix database configuration file due to a file permission
    error (dereferencing a null pointer). Reported by Andreas
    Hasenack, fixed by Viktor Dukhovni.

Fixed in Postfix 3.3, 3.2, 3.1, 3.0:

  * The luser_relay feature became a black hole, when the luser_relay
    parameter was set to a non-existent local address (i.e. mail
    disappeared silently). Reported by J?rgen Thomsen.

  * Missing error propagation in the tlsproxy(8) daemon could result
    in a segfault after TLS handshake error (dereferencing a
    0xffff...ffff pointer). This daemon handles the TLS protocol
    when a non-whitelisted client sends a STARTTLS command to
    postscreen(8).

Revision 1.15 / (download) - annotate - [select for diffs], Wed Mar 21 15:28:45 2018 UTC (5 years, 8 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2018Q1-base, pkgsrc-2018Q1
Changes since 1.14: +2 -2 lines
Diff to previous 1.14 (colored)

mail/postfix: update to 3.3.0

Postfix stable release 3.3.0 is available. This release ends support
for legacy release Postfix 2.11.

The main changes are:

  * Dual license: in addition to the historical IBM Public License
    1.0, Postfix is now also distributed with the more recent Eclipse
    Public License 2.0. Recipients can choose to take the software
    under the license of their choice. Those who are more comfortable
    with the IPL can continue with that license.

  * The postconf command now warns about unknown parameter names
    in a Postfix database configuration file. As with other unknown
    parameter names, these warnings can help to find typos early.

  * Container support: Postfix 3.3 will run in the foreground with
    "postfix start-fg". This requires that Postfix multi-instance
    support is disabled (the default). To collect Postfix syslog
    information on the container's host, mount the host's /dev/log
    socket into the container, for example with "docker run -v
    /dev/log:/dev/log ...other options...", and specify a distinct
    Postfix syslog_name setting in the container (for example with
    "postconf syslog_name=the-name-here").

  * Milter support: applications can now send RET and ENVID parameters
    in SMFIR_CHGFROM (change envelope sender) requests.

  * Postfix-generated From: headers with 'full name' information
    are now formatted as "From: name <address>" by default. Specify
    "header_from_format = obsolete" to get the earlier form "From:
    address (name)".

  * Interoperability: when Postfix IPv6 and IPv4 support are both
    enabled, the Postfix SMTP client will now relax MX preferences
    and attempt to schedule similar numbers of IPv4 and IPv6
    addresses. This works around mail delivery problems when a
    destination announces lots of primary MX addresses on IPv6, but
    is reachable only over IPv4 (or vice versa). The new behavior
    is controlled with the smtp_balance_mx_inet_protocols parameter.

  * Compatibility safety net: with compatibility_level < 1, the
    Postfix SMTP server now warns for mail that would be blocked
    by the Postfix 2.10 smtpd_relay_restrictions feature, without
    blocking that mail. There still is a steady trickle of sites
    that upgrade from an earlier Postfix version.

Revision 1.14 / (download) - annotate - [select for diffs], Sun Feb 25 12:27:49 2018 UTC (5 years, 9 months ago) by taca
Branch: MAIN
Changes since 1.13: +2 -2 lines
Diff to previous 1.13 (colored)

mail/postfix: update to 3.2.5

Update mail/postfix to 3.2.5.

[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-3.2.4.html]

This announcement concerns fixes for problems that were introduced
with Postfix 3.0 and later. Older supported releases are unaffected.

Fixed in Postfix 3.1 and later:

  * DANE interoperability. Postfix builds with OpenSSL 1.0.0 or
    1.0.1 failed to send email to some sites with "TLSA 2 X X" DNS
    records associated with an intermediate CA certificate. Problem
    report and initial fix by Erwan Legrand.

Fixed in Postfix 3.0 and later:

  * Missing dynamicmaps support in the Postfix sendmail command.
    This broke authorized_submit_users settings that use a
    dynamically-loaded map type. Problem reported by Ulrich Zehl.

Revision 1.13 / (download) - annotate - [select for diffs], Sat Dec 9 02:34:48 2017 UTC (5 years, 11 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2017Q4-base, pkgsrc-2017Q4
Changes since 1.12: +2 -2 lines
Diff to previous 1.12 (colored)

mail/postfix: Update to 3.2.4

[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-3.2.4.html]

This announcement concerns fixes for problems that were introduced
with Postfix 3.0 and later. Older supported releases are unaffected.

Fixed in Postfix 3.1 and later:

  * DANE interoperability. Postfix builds with OpenSSL 1.0.0 or
    1.0.1 failed to send email to some sites with "TLSA 2 X X" DNS
    records associated with an intermediate CA certificate. Problem
    report and initial fix by Erwan Legrand.

Fixed in Postfix 3.0 and later:

  * Missing dynamicmaps support in the Postfix sendmail command.
    This broke authorized_submit_users settings that use a
    dynamically-loaded map type. Problem reported by Ulrich Zehl.

Revision 1.12 / (download) - annotate - [select for diffs], Fri Oct 13 17:13:19 2017 UTC (6 years, 1 month ago) by taca
Branch: MAIN
Changes since 1.11: +2 -2 lines
Diff to previous 1.11 (colored)

pkgsrc/mail: Update to 3.2.3

[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-3.2.3.html]

This announcement concerns fixes for problems that were introduced
with Postfix 3.2. Older releases are unaffected.

Fixed in Postfix 3.2 and later:

 * Extension propagation was broken with "recipient_delimiter = .".
   This change reverts a change that was trying to be too clever.

 * The postqueue command would abort with a panic message after it
   experienced an output write error while listing the mail queue.
   This change restores a write error check that was lost with the
   Postfix 3.2 rewrite of the vbuf_print formatter.

 * Restored sanity checks for dynamically-specified width and precision
   in format strings (%*, %.*, and %*.*). These checks were lost with
   the Postfix 3.2 rewrite of the vbuf_print formatter.

Revision 1.11 / (download) - annotate - [select for diffs], Mon Jun 19 06:54:15 2017 UTC (6 years, 5 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2017Q3-base, pkgsrc-2017Q3, pkgsrc-2017Q2-base, pkgsrc-2017Q2
Changes since 1.10: +1 -3 lines
Diff to previous 1.10 (colored)

Remove two non-working mirror sites.

Revision 1.10 / (download) - annotate - [select for diffs], Sat Jun 17 08:02:22 2017 UTC (6 years, 5 months ago) by taca
Branch: MAIN
Changes since 1.9: +2 -2 lines
Diff to previous 1.9 (colored)

Update postfix to 3.2.2.

pkgsrc change: Add support for NetBSD 8.

This announcement (June 13, 2017) includes changes that were released
with an earlier update (June 10, 2017). The announcement was postponed
to avoid confusion due to repeated notification.

Fixed in all supported releases:

  * Security: Berkeley DB versions 2 and later try to read settings
    from a file DB_CONFIG in the current directory. This undocumented
    feature may introduce undisclosed vulnerabilities resulting in
    privilege escalation with Postfix set-gid programs (postdrop,
    postqueue) before they chdir to the Postfix queue directory,
    and with the postmap and postalias commands depending on whether
    the user's current directory is writable by other users. This
    fix does not change Postfix behavior for Berkeley DB versions
    < 3, but it does reduce postmap and postalias 'create' performance
    with Berkeley DB versions 3.0 .. 4.6.

Fixed in Postfix 3.2 and later:

  * The SMTP server receive_override_options were not restored at
    the end of an SMTP session, after the options were modified by
    an smtpd_milter_maps setting of "DISABLE". Milter support
    remained disabled for the life time of the smtpd process.

  * After the Postfix 3.2 address/domain table lookup overhaul, the
    check_sender_access and check_recipient_access features ignored
    a non-default parent_domain_matches_subdomains setting.

Revision 1.9 / (download) - annotate - [select for diffs], Mon Apr 24 20:11:40 2017 UTC (6 years, 7 months ago) by fhajny
Branch: MAIN
Changes since 1.8: +2 -2 lines
Diff to previous 1.8 (colored)

Update mail/postfix to 3.2.0.

- Elliptic curve negotiation with OpenSSL >= 1.0.2. This changes the
  default smtpd_tls_eecdh_grade setting to "auto", and introduces a
  new parameter tls_eecdh_auto_curves with the names of curves that may
  be negotiated.
- Stored-procedure support for MySQL databases.
- Cidr: table support for if/endif and negation (by prepending ! to a
  pattern), just like regexp: and pcre: tables. See the cidr_table(5)
  manpage for details.
- The postmap command and the inline: and texthash: maps now support
  spaces in left-hand field of lookup table source text. Use double
  quotes (") around a left-hand field that contains spaces, and use
  backslash (\) to protect quotes in a left-hand field.
- Support for per-client Milter configuration (smtpd_milter_maps) that
  overrides the main.cf smtpd_milters setting, and that has the same
  syntax. A lookup result of "DISABLE" turns off Milter support for that
  client.
- The local SMTP server IP address and port are available in the
  policy delegation protocol (attribute names: server_address,
  server_port), in the Milter protocol (macro names: {daemon_addr},
  {daemon_port}), and in the XCLIENT protocol (attribute names:
  DESTADDR, DESTPORT).
- For safety reasons, the Postfix sendmail -C option must specify an
  authorized directory: the default configuration directory, a
  directory that is listed in the default main.cf file with
  alternate_config_directories or multi_instance_directories, otherwise
  the command must be invoked with root privileges. This mitigates a
  recurring "jail break" problem with the PHP mail() function.
- "PASS" and "STRIP" actions in header/body_checks. "STRIP" is similar
  to "IGNORE" but also logs the action, and "PASS" disables header,
  body, and Milter inspection for the remainder of the message content.
- The collate.pl script by Viktor Dukhovni for grouping Postfix
  logfile records into "sessions" based on queue ID and process ID
  information, in the auxiliary/collate directory of the Postfix source
  tree.

Disabled or removed behavior:
- SMTPUTF8 support: Postfix 3.2 disables the 'transitional'
  compatibility between the IDNA2003 and IDNA2008 standards for
  internationalized domain names (domain names beyond the limits of
  US-ASCII). This makes Postfix behavior consistent with contemporary
  web browsers.
- Postfix 3.2 removes tentative features that were implemented before
  the DANE spec was finalized: support for certificate usage
  PKIX-EE(1), the ability to disable digest agility, and the ability to
  disable support for "TLSA 2 [01] [12]" records that specify the digest
  of a trust anchor.

Revision 1.8 / (download) - annotate - [select for diffs], Sat Mar 4 06:26:24 2017 UTC (6 years, 9 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2017Q1-base, pkgsrc-2017Q1
Changes since 1.7: +2 -2 lines
Diff to previous 1.7 (colored)

Update postfix to 3.1.4.

Postfix stable release 3.1.4 is available, as well as legacy releases
3.0.8 and 2.11.9. There will be no further updates for Postfix 2.10.

Fixed with Postfix 3.1.4, 3.0.8, and 2.11.9:

  * The postscreen daemon did not merge the client test status
    information for concurrent sessions from the same IP address.
    Thus, after one session recorded its successful tests in the
    postscreen cache, a concurrent session from that same IP address
    that passed fewer tests could later "wipe out" some of that
    progress in the postscreen cache. The fix has proven itself for
    five months in the development release, and should be safe to
    use in the stable releases.

  * The Postfix SMTP server falsely rejected a sender address when
    validating a sender address with "smtpd_reject_unlisted_recipient
    = yes" or with "reject_unlisted_sender". Cause: the address
    validation code did not query sender_canonical_maps.

  * The virtual delivery agent did not detect failure to skip to
    the end of a mailbox file, so that mail would be delivered to
    the beginning of the file. This could happen when a mailbox
    file was already larger than the virtual mailbox size limit.

  * The postsuper command logged an incorrect rename operation count
    after creating a missing directory.

Fixed with Postfix 3.1.4 and 3.0.8:

  * The Postfix SMTP server falsely rejected mail when a sender-dependent
    "error" transport was configured. Cause: the SMTP server address
    validation code was not updated when the
    sender_dependent_default_transport_maps feature was introduced.
    The fix has proven itself for six months in the development
    release, and should be safe to use in the stable releases.
    Unfortunately, Postfix 2.11 is too different to benefit from
    the same fix.

  * The Postfix SMTP server falsely rejected an SMTPUTF8 sender
    address, when "smtpd_delay_reject = no".

Fixed with Postfix 3.1.4:

  * The "postfix tls deploy-server-cert" command used the wrong
    certificate and key file. This was caused by a cut-and-paste
    error in the postfix-tls-script file.

Revision 1.7 / (download) - annotate - [select for diffs], Sat Jan 21 23:49:02 2017 UTC (6 years, 10 months ago) by rillig
Branch: MAIN
Changes since 1.6: +1 -2 lines
Diff to previous 1.6 (colored)

Fixed PKGREVISION to be only defined directly in the package Makefile.

Revision 1.6 / (download) - annotate - [select for diffs], Mon Oct 31 04:19:07 2016 UTC (7 years, 1 month ago) by maya
Branch: MAIN
CVS Tags: pkgsrc-2016Q4-base, pkgsrc-2016Q4
Changes since 1.5: +2 -1 lines
Diff to previous 1.5 (colored)

postfix: use pkgconfig instead of icu-config to find icu cflags
and ldflags. should help PR pkg/51354: mail/postfix eai option does not
work because of test in makedef.

bump PKGREVISION

Revision 1.5 / (download) - annotate - [select for diffs], Fri Oct 28 16:10:51 2016 UTC (7 years, 1 month ago) by jperkin
Branch: MAIN
Changes since 1.4: +11 -3 lines
Diff to previous 1.4 (colored)

Make the postfix user/group names variables.

Revision 1.4 / (download) - annotate - [select for diffs], Sun Oct 9 12:28:19 2016 UTC (7 years, 1 month ago) by taca
Branch: MAIN
Changes since 1.3: +2 -2 lines
Diff to previous 1.3 (colored)

Update postfix to 3.1.3.

Fixed with Postfix 3.1.3 and 3.0.7:

  * The Postfix SMTP server did not reset a previous session's
    failed/total command counts before rejecting a client that
    exceeds request or concurrency rates. This resulted in incorrect
    failed/total command counts being logged at the end of the
    rejected session.

  * The unionmap multi-table interface did not propagate table
    lookup errors, resulting in false "user unknown" responses.

  * The documentation was updated with a workaround for false "not
    found" errors with MySQL map queries that contain UTF8-encoded
    text. The workaround is to specify "option_group = client" in
    Postfix MySQL configuration files. This will be the default
    setting with Postfix 3.2 and later.

Revision 1.3 / (download) - annotate - [select for diffs], Sun Sep 18 17:10:28 2016 UTC (7 years, 2 months ago) by taca
Branch: MAIN
CVS Tags: pkgsrc-2016Q3-base, pkgsrc-2016Q3
Changes since 1.2: +2 -2 lines
Diff to previous 1.2 (colored)

Update postfix to 3.1.2.

3.1.0

The main changes in no particular order are:

  * "postfix tls" command to simplify setup of opportunistic TLS,
    and to simplify SMTP server key/certificate management.

  * Positive and negative DNS reply TTL support in postscreen(8).

  * SASL AUTH rate limit in the Postfix SMTP server.

  * A safety limit on the number of address verify requests.

  * JSON-format Postfix queue listing.

  * Destination-independent delivery rate delay

For details, see the RELEASE_NOTES file.


3.1.1

Fixed in all supported releases:

  * The Milter "replace sender" (SMFIR_CHGFROM) request lost an
    address that was added with sender_bcc_maps, resulting in a
    "rcpt count mismatch" warning. Reported by Joerg Backschues.
    This defect was introduced with Postfix 2.6.

  * The "bad filetype" example in the header_checks(5) manpage
    falsely rejected Content- headers with ``name="example";
    x-apple-part-url="example.com"''.  Reported by Cedric Knight.
    This defect was introduced with Postfix 2.6.


3.1.2

Fixed with Postfix 3.1.2:

  * Changes to make Postfix build with OpenSSL 1.1.0.

Fixed with Postfix 3.1.2 and 3.0.6:

  * The makedefs script ignored readme_directory=pathname overrides.
    Fix by Todd C. Olson.

  * The tls_session_ticket_cipher documentation says that the default
    cipher for TLS session tickets is aes-256-cbc, but the implemented
    default was aes-128-cbc. Note that TLS session ticket keys are
    rotated after 1/2 hour, to limit the impact of attacks on session
    ticket keys.

Revision 1.2 / (download) - annotate - [select for diffs], Sun Apr 10 16:39:28 2016 UTC (7 years, 7 months ago) by joerg
Branch: MAIN
CVS Tags: pkgsrc-2016Q2-base, pkgsrc-2016Q2
Changes since 1.1: +1 -3 lines
Diff to previous 1.1 (colored)

Adjust checks for _USE_DESTDIR != no or incorrect references to
USE_DESTDIR.

Revision 1.1 / (download) - annotate - [select for diffs], Mon Sep 7 09:47:01 2015 UTC (8 years, 3 months ago) by fhajny
Branch: MAIN
CVS Tags: pkgsrc-2016Q1-base, pkgsrc-2016Q1, pkgsrc-2015Q4-base, pkgsrc-2015Q4, pkgsrc-2015Q3-base, pkgsrc-2015Q3

Update mail/postfix to 3.0.2.

Database and regexp map functionality is now split into separate packages:

- postfix-cdb
- postfix-ldap
- postfix-lmdb
- postfix-mysql
- postfix-pcre
- postfix-pgsql
- postfix-sqlite

Upstream changelog follows.


Postfix 3.0.2
-------------
No delta against 2.11.6.

Postfix 3.0.1
-------------
- Build error when compiling the Postfix SMTP server with SASL support
  but no TLS support.
- The DNS "resource record to text" converter, used for xxx_dns_reply_filter
  pattern matching, appended a '.' to TXT record resource values.
- The postscreen(8) manpage specified an incorrect Postfix version number
  for the postscreen_dnsbl_timeout parameter.
- The postfix-install script expanded macros in parameter values when
  trying to detect parameter overrides, causing unnecessary main.cf updates
  during "postfix start" etc.
- Some low-level cleanup of UTF-8 string handling with no visible change
  in behavior (besides better performance).

Postfix 3.0.0
-------------
- SMTPUTF8 support for internationalized domain names and address
  localparts as defined in RFC 6530 and related documents.
- Support for Postfix dynamically-linked libraries and database plugins.
- An OPT-IN safety net for the selective adoption of new Postfix default
  settings. If you do nothing, the old Postfix default settings *should*
  remain in effect (complain to your downstream maintainer if that is not
  the case).
- Support for operations on multiple lookup tables. The
  pipemap:{map1,map2...} database type implements a pipeline of lookup
  tables where the result from one lookup table becomes a query for
  the next table; the unionmap:{map1,map2,...} database type sends the

This form allows you to request diff's between any two revisions of a file. You may select a symbolic revision name using the selection box or you may type in a numeric name using the type-in text box.




CVSweb <webmaster@jp.NetBSD.org>