From patchwork Wed Feb 26 18:12:46 2025
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 8496
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH] postfix: Update to version 3.10.1
Date: Wed, 26 Feb 2025 19:12:46 +0100
Message-ID: <20250226181250.1470980-5-adolf.belka@ipfire.org>
In-Reply-To: <20250226181250.1470980-1-adolf.belka@ipfire.org>
References: <20250226181250.1470980-1-adolf.belka@ipfire.org>
List-Id: IPFire development talk

- Update from version 3.9.1 to 3.10.1
- Update of rootfile not required
- Changelog
    3.10.1
        Bugfix (defect introduced: 20250210): a recent 'fix' for the default smtp_tls_dane_insecure_mx_policy setting resulted in unnecessary 'dnssec_probe' warnings, on systems that disable DNSSEC lookups (which is the default).
    3.10.0
        Changes that need a restart:
        Internal protocol change: Postfix needs "postfix reload" (or "postfix stop" and "postfix start") after upgrade, because of a change in the delivery agent protocol. If this step is skipped, Postfix delivery agents will log a warning:
            unexpected attribute smtputf8 from xxx socket (expecting: sendopts)
        where xxx is the delivery agent service name.
        Changes in TLS support:
        Forward compatibility: Support for OpenSSL 3.5 post-quantum cryptography. To manage algorithm selection, OpenSSL introduces new TLS group syntax that Postfix will not attempt to imitate. Instead, Postfix now allows the tls_eecdh_auto_curves and tls_ffdhe_auto_groups parameter values to have an empty value. When both are set empty, the algorithm selection can be managed through OpenSSL configuration. For more, look for "Post-quantum" in the postconf(5) manpage.
        Support for the RFC 8689 "TLS-Required: no" message header to request delivery of messages (such as TLSRPT summaries) even if the preferred TLS security policy cannot be enforced. This limits the Postfix SMTP client to "smtp_tls_security_level = may" which does not authenticate server certificates and which allows falling back to plaintext. Support for the REQUIRETLS SMTP service extension will evolve in Postfix 3.11.
        Support for the TLSRPT protocol (defined in RFC 8460). With this, a domain can publish a policy in DNS that requests daily summary reports for successful and failed SMTP-over-TLS connections to that domain's MX hosts. This supports both DANE (built-in) and MTA-STS (via an smtp_tls_policy_maps plugin). The implementation uses a TLSRPT library and reporting infrastructure that are maintained by sys4. For details, see TLSRPT_README.
        Miscellaneous changes:
        Privacy: With "smtpd_hide_client_session = yes", the Postfix SMTP server generates a Received: header without client session info. This setting may be used with the MUA submission services (port 465 and 587).
        Support for RFC 2047 encoding of non-ASCII "full name" information in Postfix-generated From: message headers. Encoding non-ASCII full names can avoid the need to use SMTPUTF8, and therefore can avoid incompatibility with sites that do not support SMTPUTF8. See the full_name_encoding_charset parameter description for details.
        Database performance: When mysql: or pgsql: configuration specifies a single host, assume that it is a load balancer and reconnect immediately after a single failure, instead of failing all requests for 60s.
        Changes in logging:
        The Postfix Milter implementation now logs the reason for a 'quarantine' action, instead of "milter triggers HOLD action".
        The SMTP server now logs the queue ID (or "NOQUEUE") when a connection ends abnormally (timeout, lost connection, or too many errors), and the cleanup server now logs "queueid: canceled" when a message transaction is started but not completed. These changes simplify logfile analysis.
        Dovecot SASL client logging for "Invalid authentication mechanism" now includes the name of that mechanism.
        Postfix SMTP server 'reject' logging now shows the sasl_method, sasl_username, and sasl_sender if available.
    3.9.2
        Forward compatibility: Support for OpenSSL 3.5 post-quantum cryptography. To manage algorithm selection, OpenSSL introduces new TLS group syntax that Postfix will not attempt to imitate. Instead, Postfix now allows the tls_eecdh_auto_curves and tls_ffdhe_auto_groups parameter values to have an empty value. When both are set empty, the algorithm selection can be managed through OpenSSL configuration. Viktor Dukhovni.
        Forward compatibility: ignore new queue file flag bits that may be used with Postfix 3.10 and later. This is a safety in case a Postfix 3.10 upgrade needs to be rolled back, after the new TLS-Required feature has been used.
        Performance: when a mysql: or pgsql: configuration specifies a single host, assume that it is a load balancer and reconnect immediately after a single failure, instead of failing all requests for 60s.
        Bugfix (defect introduced: Postfix 3.4, date 20181113): a server with multiple TLS certificates could report, for a resumed TLS session, the wrong server-signature and server-digest names in logging and Received: message headers. Viktor Dukhovni.
        Bugfix (defect introduced: Postfix 3.3, date 20180107) small memory leak in the cleanup daemon when generating a "From: full-name " message header. The impact is limited because the number of requests is bounded by the "max_use" configuration parameter. Found during code maintenance.
        Bugfix (defect introduced: Postfix 3.0): the bounce daemon mangled a non-ASCII address localpart in the "X-Postfix-Sender:" field of a delivery status notification. It backslash-escaped each byte in a multi-byte character. This behavior was implemented in Postfix 2.1 (no support for UTF8 local-parts), but it became incorrect after SMTPUTF8 support was implemented in Postfix 3.0.
        Bugfix (defect introduced: Postfix 3.6): Reverted the default smtp_tls_dane_insecure_mx_policy setting to "dane" as of Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and 3.10.0. By mistake the default was dependent on the smtp_tls_security_level setting. Problem reported by Ömer Güven.
        Portability: added "include " for a SUNOS5 workaround. Gary R. Schmidt.

Signed-off-by: Adolf Belka
---
 lfs/postfix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lfs/postfix b/lfs/postfix index 2435f3c39..c9fe4cbd8 100644 --- a/lfs/postfix +++ b/lfs/postfix @@ -26,7 +26,7 @@ include Config SUMMARY = A fast, secure, and flexible mailer -VER = 3.9.1 +VER = 3.10.1 THISAPP = postfix-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = postfix -PAK_VER = 46 +PAK_VER = 47 DEPS =
@@ -70,7 +70,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 78be7bf0f0d9e46429b40f98ddc98cac442cfdb404d77073346c973f3d0d4c52f299fc7f5d64bddaaf2db60dd234c52790f1efe4995faee8e2cd10c6f8e2096f +$(DL_FILE)_BLAKE2 = ff2ff4a6fc61eb7f513124abc7a03f69b4c195967816a28a4708fbe7256e78959d499941747ef2fea7999bd2754e2e640e98e247a7870449cffb66ebf30ffee9 install : $(TARGET)
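Review bot: on the first hunk (-VER = 3.9.1 / +VER = 3.10.1), the 3.10.0 changelog quoted in the commit message says the delivery agent protocol changed and Postfix needs "postfix reload" (or stop and start) after the upgrade, otherwise delivery agents log "unexpected attribute smtputf8 from xxx socket (expecting: sendopts)"; nothing in this diff handles that, so either confirm that the addon's update path already restarts postfix when PAK_VER changes, or say in the commit message how the reload is covered. The same changelog adds TLSRPT support via a separate library maintained by sys4, which is worth a second look against "Update of rootfile not required" if the IPFire build picks that library up.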
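Review bot: on the $(DL_FILE)_BLAKE2 hunk, the new digest is the only thing that pins what gets built, because the preceding hunk shows DL_FROM = $(URL_IPFIRE), i.e. the tarball is fetched from the project mirror rather than from upstream; please note in the commit message (or check before merging) that the value was computed from a postfix-3.10.1.tar.gz whose upstream PGP signature verified, not just from the copy already on the mirror. The line itself looks right: the digest is 128 hex characters, the length of a BLAKE2b-512 sum.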
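The BLAKE2 line in this patch is the pin that decides which bytes the build trusts, so the check a reviewer actually wants is "does the tarball I downloaded hash to exactly this value". The script below is an added example, not IPFire's own build or Pakfire code. It parses the make-style lines seen in the hunks (VER, THISAPP, DL_FILE and the $(DL_FILE)_BLAKE2 assignment), expands the $(...) references, and compares a file's BLAKE2b-512 digest against the pin. It assumes the pinned value is the default output of b2sum (BLAKE2b-512, 128 hex characters); the lfs fragment and the stand-in tarball bytes are constructed for the example, and the pinned digest is the one from the patch.

```python
"""Verify the BLAKE2 pin in an IPFire-style lfs file against a tarball.

Added example, not IPFire's build code. Assumptions: the lfs file carries the
make-style lines seen in the patch (VER, THISAPP, DL_FILE, $(DL_FILE)_BLAKE2),
and the pinned value is a BLAKE2b-512 hex digest, the default output of
b2sum (assumption; confirm against Config in the IPFire tree).
"""
import hashlib
import hmac
import re

_ASSIGN = re.compile(r"^\s*([^\s=]+)\s*=\s*(.*?)\s*$")
_VARREF = re.compile(r"\$\(([^)]+)\)")

# Real value from the patch: the pinned digest for postfix-3.10.1.tar.gz.
REAL_PIN = ("ff2ff4a6fc61eb7f513124abc7a03f69b4c195967816a28a4708fbe7256e7895"
            "9d499941747ef2fea7999bd2754e2e640e98e247a7870449cffb66ebf30ffee9")

# Constructed fragment of lfs/postfix, reduced to the lines that matter here.
LFS_FRAGMENT = f"""
include Config
SUMMARY = A fast, secure, and flexible mailer
VER = 3.10.1
THISAPP = postfix-$(VER)
DL_FILE = $(THISAPP).tar.gz
DL_FROM = $(URL_IPFIRE)
PROG = postfix
PAK_VER = 47
DEPS =
$(DL_FILE)_BLAKE2 = {REAL_PIN}
"""

# Constructed stand-in for a downloaded file; it is NOT the real tarball.
FAKE_TARBALL = b"constructed stand-in, not postfix-3.10.1.tar.gz\n"


def parse_lfs(lfs_text: str) -> dict[str, str]:
    """Collect NAME = value lines and expand $(NAME) references in both
    names and values; undefined references expand to "" as in make."""
    raw: dict[str, str] = {}
    for line in lfs_text.splitlines():
        m = _ASSIGN.match(line)
        if m:
            raw[m.group(1)] = m.group(2)

    def expand(text: str, depth: int = 0) -> str:
        if depth > 16:  # guard against self-referential definitions
            raise ValueError("variable reference nesting too deep")
        return _VARREF.sub(lambda r: expand(raw.get(r.group(1), ""), depth + 1), text)

    return {expand(k): expand(v) for k, v in raw.items()}


def pinned_blake2(lfs_text: str) -> tuple[str, str]:
    """Return (tarball name, pinned digest); reject malformed pins."""
    vars_ = parse_lfs(lfs_text)
    dl_file = vars_["DL_FILE"]
    digest = vars_[f"{dl_file}_BLAKE2"].lower()
    if not re.fullmatch(r"[0-9a-f]{128}", digest):
        raise ValueError(f"pin for {dl_file} is not a 128-hex-char BLAKE2b-512 digest")
    return dl_file, digest


def blake2b_hex(data: bytes) -> str:
    """BLAKE2b-512 hex digest, what `b2sum` prints by default."""
    return hashlib.blake2b(data, digest_size=64).hexdigest()


def verify_tarball(lfs_text: str, tarball: bytes) -> bool:
    """True only if the tarball hashes to the pinned value."""
    _, expected = pinned_blake2(lfs_text)
    return hmac.compare_digest(expected, blake2b_hex(tarball))


def bumped_hash_line(new_tarball: bytes) -> str:
    """The replacement pin line to put in the lfs file after a version bump."""
    return f"$(DL_FILE)_BLAKE2 = {blake2b_hex(new_tarball)}"


# Same fragment with the pin replaced by the stand-in's digest, so the
# matching path can be exercised offline.
LFS_FOR_FAKE = LFS_FRAGMENT.replace(REAL_PIN, blake2b_hex(FAKE_TARBALL))

if __name__ == "__main__":
    name, pin = pinned_blake2(LFS_FRAGMENT)
    print(f"{name}: pinned {pin[:16]}...")
    print("stand-in matches the real pin:", verify_tarball(LFS_FRAGMENT, FAKE_TARBALL))
    print("stand-in matches its own pin:", verify_tarball(LFS_FOR_FAKE, FAKE_TARBALL))
    print(bumped_hash_line(FAKE_TARBALL))
```

To use it on a real update, read the actual lfs/postfix and the downloaded postfix-3.10.1.tar.gz into `verify_tarball`; a False result means the file on disk is not the one the patch pins, whatever the reason. The hash comparison is constant-time only out of habit (the pin is public), but the length check matters: a truncated pin that still parses would silently weaken the check, so it is rejected rather than compared.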