From patchwork Tue Dec 2 11:57:46 2025
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 9355
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH] postfix: Update to version 3.10.6
Date: Tue, 2 Dec 2025 12:57:46 +0100
Message-ID: <20251202115747.50373-8-adolf.belka@ipfire.org>
In-Reply-To: <20251202115747.50373-1-adolf.belka@ipfire.org>
References: <20251202115747.50373-1-adolf.belka@ipfire.org>
Precedence: list
MIME-Version: 1.0

- Update from version 3.10.4 to 3.10.6
- No change to rootfile
- Changelog
    3.10.6
      Bugfix (defect introduced: Postfix 3.10, date: 20250117). Symptom: warning messages that smtp_tls_wrappermode requires "smtp_tls_security_level = encrypt". Root cause: Support for "TLS-Required: no" broke client-side TLS wrappermode support, by downgrading a connection to TLS security level 'may'. The fix changes the downgrade level for wrappermode connections to 'encrypt'. Rationale: by design, TLS can be optional only for connections that use STARTTLS. The downgrade to unauthenticated 'encrypt' allows a sender to avoid an email delivery problem. Problem reported by Joshua Tyler Cochran.

      New logging: the Postfix SMTP client will log a warning when an MX hostname does not match STS policy MX patterns, with "smtp_tls_enforce_sts_mx_patterns = yes" in Postfix, and with TLSRPT support enabled in a TLS policy plugin. It will log a successful match only when verbose logging is enabled.

      Bugfix (defect introduced: Postfix 3.10, date: 20240902): SMTP client null pointer crash when an STS policy plugin sends no policy_string or no mx_pattern attributes. This can happen only during tests with a fake STS plugin.

      Bugfix (defect introduced: Postfix 2.9, date: 20120307): segfault when a duplicate parameter name is given to "postconf -X" or "postconf -#".

      Documentation: removed incorrect text from the parameter description for smtp_cname_overrides_servername. File: proto/postconf.proto.
    3.10.5
      Workaround for an interface mis-match between the Postfix SMTP client and MTA-STS policy plugins. The existing behavior is to connect to any MX host listed in DNS, and to match the server certificate against any STS policy MX host pattern. The corrected behavior is to connect to an MX host only if its name matches any STS policy MX host pattern, and to match the server certificate against the MX hostname. The corrected behavior must be enabled in two places: in Postfix with a new parameter "smtp_tls_enforce_sts_mx_patterns" (default: "yes") and in an MTA-STS plugin by enabling TLSRPT support, so that the plugin forwards STS policy attributes to Postfix. This works even if Postfix TLSRPT support is disabled at build time or at runtime.

      TLSRPT Workaround: when a TLSRPT policy-type value is "no-policy-found", pretend that the TLSRPT policy domain value is equal to the recipient domain. This ignores that different policy types (TLSA, STS) use different policy domains. But this is what Microsoft does, and therefore, what other tools expect.

      Bugfix (defect introduced: Postfix 3.0): the Postfix SMTP client's connection reuse logic did not distinguish between sessions that require SMTPUTF8 support, and sessions that do not. The solution is 1) to store sessions with different SMTPUTF8 requirements under distinct connection cache storage keys, and 2) to not cache a connection when SMTPUTF8 is required but the server does not support that feature.

      Bugfix (defect introduced: Postfix 3.0, date 20140731): the smtpd 'disconnect' command statistics did not count commands with "bad syntax" and "bad UTF-8 syntax" errors.

      Bugfix: the August 2025 patch broke DBM library support which is still needed on Solaris; and the same change could result in warnings with "database X is older than source file Y".
      Postfix 3.11 forward compatibility: to avoid ugly warnings when Postfix 3.11 is rolled back to an older version, allow a preliminary 'size' record in maildrop queue files created with Postfix 3.11 or later.

      Bugfix (defect introduced: Postfix 3.8, date 20220128): non-reproducible build, because the 'postconf -e' output order for new main.cf entries was no longer deterministic. Problem reported by Oleksandr Natalenko, diagnosis by Eray Aslan.

      To make builds predictable, add missing meta_directory and shlib_directory settings to the stock main.cf file. Problem diagnosed by Eray Aslan.

      Bugfix (defect introduced: Postfix 3.9, date 20230517): posttls-finger(1) logged an incorrectly-formatted port number. Viktor Dukhovni.

Signed-off-by: Adolf Belka
--- lfs/postfix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lfs/postfix b/lfs/postfix index 2bc0174d1..a7ff99c4f 100644 --- a/lfs/postfix +++ b/lfs/postfix @@ -26,7 +26,7 @@ include Config SUMMARY = A fast, secure, and flexible mailer -VER = 3.10.4 +VER = 3.10.6 THISAPP = postfix-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = postfix -PAK_VER = 49 +PAK_VER = 50 DEPS = @@ -72,7 +72,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = e0a9b3dbd858e9b2bacb137b886ef35a89220caf91da5bcb90de5fd3df7285645deaff6e58f571cdc75966098cf13190b0315690c270b9f3ed69a21e63d2d3ab +$(DL_FILE)_BLAKE2 = ca9f371f15af45c72ee97830d5bfb08b4ef2020409e55b1a99ef20681dfaec86fa7f7f799caa7b6e5757da0ea9ccbd5ac51104244b2e315f3cedb414b3e46451 install : $(TARGET)
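
Review bot: the commit message does not say what the VER change in the first hunk (3.10.4 to 3.10.6) means for existing installs, although it passes through 3.10.5, whose pasted changelog introduces smtp_tls_enforce_sts_mx_patterns with default "yes" and changes which MX hosts the SMTP client will connect to. The same changelog says the corrected behaviour only takes effect when an MTA-STS plugin with TLSRPT support forwards policy attributes, and 3.10.6 changes the wrappermode downgrade level to 'encrypt'. A sentence in the submitter's own words on whether either change affects a default configuration would let this be reviewed without reading the whole upstream text.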
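
Review bot: the new $(DL_FILE)_BLAKE2 value in the third hunk cannot be checked from the patch alone, and the commit message gives no provenance for it. With DL_FROM = $(URL_IPFIRE) and $(DL_FILE) = $(DL_FROM)/$(DL_FILE), the tarball is fetched from the location configured as URL_IPFIRE, and this checksum is the only integrity check visible in the diff. Please state how postfix-3.10.6.tar.gz was verified against the upstream release before the checksum was computed, for example that the upstream signature was checked.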