Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package postfix for openSUSE:Factory checked in at 2022-04-12 21:43:14
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/postfix (Old)
 and /work/SRC/openSUSE:Factory/.postfix.new.1900 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "postfix" Tue Apr 12 21:43:14 2022 rev:213 rq:968129 version:3.6.5 Changes: -------- --- /work/SRC/openSUSE:Factory/postfix/postfix-bdb.changes 2021-10-25 08:50:29.499347280 +0200 +++ /work/SRC/openSUSE:Factory/.postfix.new.1900/postfix-bdb.changes 2022-04-12 21:43:17.419715522 +0200 
@@ -1,0 +2,90 @@ +Mon Apr 4 09:02:48 UTC 2022 - Peter Varkoly <[email protected]> + +- config.postfix fails to set smtp_tls_security_level + (bsc#1192314) + +------------------------------------------------------------------- +Fri Mar 18 20:29:34 UTC 2022 - Michael Str??der <[email protected]> + +- update to 3.6.5 + * Glibc 2.34 implements closefrom(). This was causing a conflict + with Postfix's implementation for systems that have no closefrom() + implementation. + * Support for Berkeley DB version 18. +- removed obsolete postfix-3.6.2-glibc-234-build-fix.patch + +------------------------------------------------------------------- +Mon Mar 14 09:52:48 UTC 2022 - Peter Varkoly <[email protected]> + +- Postfix on start don't run postalias /etc/postfix/aliases + (error open database /etc/postfix/aliases.lmdb). (bsc#1197041) + Apply proposed patch + +------------------------------------------------------------------- +Wed Feb 9 09:22:41 UTC 2022 - Peter Varkoly <[email protected]> + +- config.postfix can't handle symlink'd /etc/resolv.cof + (bsc#1195019) + Adapt proposed change: using "cp -afL" by copying. + +------------------------------------------------------------------- +Tue Jan 18 23:32:41 UTC 2022 - Michael Str??der <[email protected]> + +- Update to 3.6.4 + * Bug introduced in bugfix 20210708: duplicate bounce_notice_recipient + entries in postconf output. This was caused by an incomplete + fix to send SMTP session transcripts to $bounce_notice_recipient. + * Bug introduced in Postfix 3.0: the proxymap daemon did not + automatically authorize proxied maps inside pipemap (example: + pipemap:{proxy:maptype:mapname, ...}) or inside unionmap. + * Bug introduced in Postfix 2.5: off-by-one error while writing + a string terminator. This code passed all memory corruption + tests, presumably because it wrote over an alignment padding + byte, or over an adjacent character byte that was never read. 
+ * The proxymap daemon did not automatically authorize map features + added after Postfix 3.3, caused by missing *_maps parameter + names in the proxy_read_maps default value. Found during code + maintenance. + +------------------------------------------------------------------- +Mon Nov 8 10:26:56 UTC 2021 - Michael Str??der <[email protected]> + +- Update to 3.6.3 + * (problem introduced in Postfix 2.4, released in 2007): queue + file corruption after a Milter (for example, MIMEDefang) made + a request to replace the message body with a copy of that message + body plus additional text (for example, a SpamAssassin report). + * (problem introduced in Postfix 2.10, released in 2012): The + postconf "-x" option could produce incorrect output, because + multiple functions were implicitly sharing a buffer for + intermediate results. Problem report by raf, root cause analysis + by Viktor Dukhovni. + * (problem introduced in Postfix 2.11, released in 2013): The + check_ccert_access feature worked as expected, but produced a + spurious warning when Postfix was built without SASL support. + Fix by Brad Barden. + * Fix for a compiler warning due to a missing 'const' qualifier + when compiling Postfix with OpenSSL 3. Depending on compiler + settings this could cause the build to fail. + * The known_tcp_ports settings had no effect. It also wasn't fully + implemented. Problem report by Peter. + * Fix for missing space between a hostname and warning text. 
+ +------------------------------------------------------------------- +Fri Oct 22 09:45:40 UTC 2021 - Dirk Stoecker <[email protected]> + +- Ensure postfix can write to home directory or server side + filtering wont work (sieve) + +------------------------------------------------------------------- +Fri Oct 22 08:46:19 UTC 2021 - Johannes Segitz <[email protected]> + +- Ensure service can write to /etc/postfix + +------------------------------------------------------------------- +Thu Oct 21 15:39:55 UTC 2021 - Johannes Segitz <[email protected]> + +- Added hardening to systemd service (bsc#1181400). Added + harden_postfix.service.patch + +------------------------------------------------------------------- @@ -16 +106 @@ -Tue Aug 24 09:55:02 UTC 2021 - Peter Varkoly <[email protected]> +Tue Aug 24 09:55:42 UTC 2021 - Peter Varkoly <[email protected]> @@ -5305 +5394,0 @@ - --- /work/SRC/openSUSE:Factory/postfix/postfix.changes 2021-10-25 08:50:29.527347305 +0200 +++ /work/SRC/openSUSE:Factory/.postfix.new.1900/postfix.changes 2022-04-12 21:43:17.511714464 +0200 
@@ -1,0 +2,98 @@ +Mon Apr 4 09:01:56 UTC 2022 - Peter Varkoly <[email protected]> + +- config.postfix fails to set smtp_tls_security_level + (bsc#1192314) + +------------------------------------------------------------------- +Tue Mar 29 10:12:29 UTC 2022 - ???????? ???????????? <[email protected]> + +- Refreshed spec-file via spec-cleaner and manual optimizated. + * Added -p flag to all install commands. + * Removed -f flag from all ln commands. +- Changed file harden_postfix.service.patch (boo#1191988). + +------------------------------------------------------------------- +Fri Mar 18 20:29:34 UTC 2022 - Michael Str??der <[email protected]> + +- update to 3.6.5 + * Glibc 2.34 implements closefrom(). This was causing a conflict + with Postfix's implementation for systems that have no closefrom() + implementation. + * Support for Berkeley DB version 18. +- removed obsolete postfix-3.6.2-glibc-234-build-fix.patch + +------------------------------------------------------------------- +Mon Mar 14 09:52:48 UTC 2022 - Peter Varkoly <[email protected]> + +- Postfix on start don't run postalias /etc/postfix/aliases + (error open database /etc/postfix/aliases.lmdb). (bsc#1197041) + Apply proposed patch + +------------------------------------------------------------------- +Wed Feb 9 09:22:41 UTC 2022 - Peter Varkoly <[email protected]> + +- config.postfix can't handle symlink'd /etc/resolv.cof + (bsc#1195019) + Adapt proposed change: using "cp -afL" by copying. + +------------------------------------------------------------------- +Tue Jan 18 23:32:41 UTC 2022 - Michael Str??der <[email protected]> + +- Update to 3.6.4 + * Bug introduced in bugfix 20210708: duplicate bounce_notice_recipient + entries in postconf output. This was caused by an incomplete + fix to send SMTP session transcripts to $bounce_notice_recipient. 
+ * Bug introduced in Postfix 3.0: the proxymap daemon did not + automatically authorize proxied maps inside pipemap (example: + pipemap:{proxy:maptype:mapname, ...}) or inside unionmap. + * Bug introduced in Postfix 2.5: off-by-one error while writing + a string terminator. This code passed all memory corruption + tests, presumably because it wrote over an alignment padding + byte, or over an adjacent character byte that was never read. + * The proxymap daemon did not automatically authorize map features + added after Postfix 3.3, caused by missing *_maps parameter + names in the proxy_read_maps default value. Found during code + maintenance. + +------------------------------------------------------------------- +Mon Nov 8 10:26:56 UTC 2021 - Michael Str??der <[email protected]> + +- Update to 3.6.3 + * (problem introduced in Postfix 2.4, released in 2007): queue + file corruption after a Milter (for example, MIMEDefang) made + a request to replace the message body with a copy of that message + body plus additional text (for example, a SpamAssassin report). + * (problem introduced in Postfix 2.10, released in 2012): The + postconf "-x" option could produce incorrect output, because + multiple functions were implicitly sharing a buffer for + intermediate results. Problem report by raf, root cause analysis + by Viktor Dukhovni. + * (problem introduced in Postfix 2.11, released in 2013): The + check_ccert_access feature worked as expected, but produced a + spurious warning when Postfix was built without SASL support. + Fix by Brad Barden. + * Fix for a compiler warning due to a missing 'const' qualifier + when compiling Postfix with OpenSSL 3. Depending on compiler + settings this could cause the build to fail. + * The known_tcp_ports settings had no effect. It also wasn't fully + implemented. Problem report by Peter. + * Fix for missing space between a hostname and warning text. 
+ +------------------------------------------------------------------- +Fri Oct 22 09:45:40 UTC 2021 - Dirk Stoecker <[email protected]> + +- Ensure postfix can write to home directory or server side + filtering wont work (sieve) + +------------------------------------------------------------------- +Fri Oct 22 08:46:19 UTC 2021 - Johannes Segitz <[email protected]> + +- Ensure service can write to /etc/postfix + +------------------------------------------------------------------- +Thu Oct 21 15:39:55 UTC 2021 - Johannes Segitz <[email protected]> + +- Added hardening to systemd service (bsc#1181400). Added + harden_postfix.service.patch + +------------------------------------------------------------------- @@ -5305 +5402,0 @@ - Old: ---- postfix-3.6.2-glibc-234-build-fix.patch postfix-3.6.2.tar.gz postfix-3.6.2.tar.gz.asc New: ---- harden_postfix.service.patch postfix-3.6.5.tar.gz postfix-3.6.5.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ postfix-bdb.spec ++++++ --- /var/tmp/diff_new_pack.oAWoeR/_old 2022-04-12 21:43:18.639701492 +0200 +++ /var/tmp/diff_new_pack.oAWoeR/_new 2022-04-12 21:43:18.643701447 +0200 @@ -56,7 +56,7 @@ %endif %bcond_without ldap Name: postfix-bdb -Version: 3.6.2 +Version: 3.6.5 Release: 0 Summary: A fast, secure, and flexible mailer License: IPL-1.0 OR EPL-2.0 @@ -82,7 +82,7 @@ Patch8: postfix-vda-v14-3.0.3.patch Patch9: fix-postfix-script.patch Patch10: postfix-avoid-infinit-loop-if-no-permission.patch -Patch11: postfix-3.6.2-glibc-234-build-fix.patch +Patch12: harden_postfix.service.patch BuildRequires: ca-certificates BuildRequires: cyrus-sasl-devel BuildRequires: db-devel 
@@ -156,7 +156,7 @@ %patch8 %patch9 %patch10 -%patch11 -p1 +%patch12 -p1 # --------------------------------------------------------------------------- ++++++ postfix.spec ++++++ --- /var/tmp/diff_new_pack.oAWoeR/_old 2022-04-12 21:43:18.683700986 +0200 +++ /var/tmp/diff_new_pack.oAWoeR/_new 2022-04-12 21:43:18.691700894 +0200 @@ -1,7 +1,7 @@ # # spec file for package postfix # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -42,7 +42,7 @@ %bcond_without libnsl %bcond_without ldap Name: postfix -Version: 3.6.2 +Version: 3.6.5 Release: 0 Summary: A fast, secure, and flexible mailer License: IPL-1.0 OR EPL-2.0 @@ -52,7 +52,6 @@ Source1: http://cdn.postfix.johnriley.me/mirrors/postfix-release/official/postfix-%{version}.tar.gz.gpg2#/postfix-%{version}.tar.gz.asc Source2: %{name}-SUSE.tar.gz Source3: %{name}-mysql.tar.bz2 -#Source4: http://cdn.postfix.johnriley.me/mirrors/postfix-release/wietse.pgp#/postfix.keyring Source4: postfix.keyring Source10: %{name}-rpmlintrc Source11: check_mail_queue 
@@ -69,44 +68,43 @@ Patch9: fix-postfix-script.patch Patch10: %{name}-avoid-infinit-loop-if-no-permission.patch Patch11: set-default-db-type.patch -Patch12: postfix-3.6.2-glibc-234-build-fix.patch +Patch12: harden_postfix.service.patch BuildRequires: ca-certificates BuildRequires: cyrus-sasl-devel -#BuildRequires: db-devel BuildRequires: diffutils BuildRequires: fdupes BuildRequires: libicu-devel BuildRequires: libopenssl-devel >= 1.1.1 +BuildRequires: lmdb-devel BuildRequires: m4 BuildRequires: mysql-devel -%if %{with ldap} -BuildRequires: openldap2-devel -%endif -BuildRequires: lmdb-devel BuildRequires: pcre-devel BuildRequires: pkgconfig BuildRequires: postgresql-devel BuildRequires: shadow +BuildRequires: sysuser-tools BuildRequires: zlib-devel BuildRequires: pkgconfig(systemd) Requires: iproute2 Requires(post): permissions Requires(pre): %fillup_prereq +Requires(pre): group(%{mail_group}) Requires(pre): permissions +Requires(pre): user(nobody) Conflicts: exim -Conflicts: sendmail Conflicts: postfix-bdb +Conflicts: sendmail Provides: postfix-lmdb = %{version}-%{release} Obsoletes: postfix-lmdb < %{version}-%{release} Provides: smtp_daemon %{?systemd_ordering} +%sysusers_requires +%if %{with ldap} +BuildRequires: openldap2-devel +%endif %if %{with libnsl} BuildRequires: libnsl-devel %endif -BuildRequires: sysuser-tools -Requires(pre): user(nobody) -Requires(pre): group(%{mail_group}) -%sysusers_requires %description Postfix aims to be an alternative to the widely-used sendmail program. @@ -132,10 +130,10 @@ Summary: Postfix plugin to support MySQL maps Group: Productivity/Networking/Email/Servers Requires(pre): %{name} = %{version} +%sysusers_requires %if 0%{?suse_version} < 1550 Provides: group(vmail) %endif -%sysusers_requires %description mysql Postfix plugin to support MySQL maps. This library will be loaded by 
@@ -235,12 +233,12 @@ export PIE=-pie # using SHLIB_RPATH to specify unrelated linker flags, because LDFLAGS is # ignored -make makefiles pie=yes shared=yes dynamicmaps=yes \ +%make_build makefiles pie=yes shared=yes dynamicmaps=yes \ shlib_directory=%{_prefix}/lib/%{name} \ meta_directory=%{_prefix}/lib/%{name} \ config_directory=%{_sysconfdir}/%{name} \ SHLIB_RPATH="-Wl,-rpath,%{pf_shlib_directory} -Wl,-z,relro,-z,now" -make %{?_smp_mflags} +%make_build # Create postfix user %sysusers_generate_pre %{SOURCE12} postfix postfix-user.conf %sysusers_generate_pre %{SOURCE13} vmail postfix-vmail-user.conf @@ -252,7 +250,7 @@ # create our default postfix ssl DIR (/etc/postfix/ssl) mkdir -p %{buildroot}%{_sysconfdir}/%{name}/ssl/certs # link cacerts to /etc/ssl/certs -ln -sf ../../ssl/certs %{buildroot}%{_sysconfdir}/%{name}/ssl/cacerts +ln -s ../../ssl/certs %{buildroot}%{_sysconfdir}/%{name}/ssl/cacerts cp lib/lib%{name}-* %{buildroot}/%{_libdir} export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:%{buildroot}/%{_libdir} sh postfix-install -non-interactive \ @@ -268,9 +266,9 @@ setgid_group=%{pf_setgid_group} \ readme_directory=%{pf_readme_directory} \ data_directory=%{pf_data_directory} -ln -sf ../sbin/sendmail %{buildroot}%{_libexecdir}/sendmail +ln -s ../sbin/sendmail %{buildroot}%{_libexecdir}/sendmail for i in qmqp-source smtp-sink smtp-source; do - install -m 755 bin/$i %{buildroot}%{_sbindir}/$i + install -pm 0755 bin/$i %{buildroot}%{_sbindir}/$i done mkdir -p %{buildroot}/sbin/conf.d mkdir -p %{buildroot}%{_sysconfdir}/permissions.d 
@@ -281,10 +279,10 @@ mkdir -p %{buildroot}/%{pf_html_directory} mkdir -p %{buildroot}%{_includedir}/%{name} mkdir -p %{buildroot}%{_sysconfdir}/pam.d -install -m 644 %{name}-SUSE/smtp %{buildroot}%{_sysconfdir}/pam.d/smtp +install -pm 0644 %{name}-SUSE/smtp %{buildroot}%{_sysconfdir}/pam.d/smtp mkdir -p %{buildroot}%{_fillupdir} sed -e 's;@lib@;%{_lib};g' %{name}-SUSE/sysconfig.%{name} > %{buildroot}%{_fillupdir}/sysconfig.%{name} -install -m 644 %{name}-SUSE/sysconfig.mail-%{name} %{buildroot}%{_fillupdir}/sysconfig.mail-%{name} +install -pm 0644 %{name}-SUSE/sysconfig.mail-%{name} %{buildroot}%{_fillupdir}/sysconfig.mail-%{name} sed -e 's;@lib@;%{_lib};g' \ -e 's;@conf_backup_dir@;%{conf_backup_dir};' \ -e 's;@daemon_directory@;%{pf_daemon_directory};' \ 
@@ -296,19 +294,19 @@ -e 's;@newaliases_path@;%{pf_newaliases_path};' \ -e 's;@sample_directory@;%{pf_sample_directory};' \ -e 's;@mailq_path@;%{pf_mailq_path};' %{name}-SUSE/config.%{name} > %{buildroot}%{_sbindir}/config.%{name} -chmod 755 %{buildroot}%{_sbindir}/config.%{name} -install -m 644 %{name}-SUSE/ldap_aliases.cf %{buildroot}%{_sysconfdir}/%{name}/ldap_aliases.cf -install -m 644 %{name}-SUSE/helo_access %{buildroot}%{_sysconfdir}/%{name}/helo_access -install -m 644 %{name}-SUSE/permissions %{buildroot}%{_sysconfdir}/permissions.d/%{name} -install -m 644 %{name}-SUSE/sender_canonical %{buildroot}%{_sysconfdir}/%{name}/sender_canonical -install -m 644 %{name}-SUSE/relay %{buildroot}%{_sysconfdir}/%{name}/relay -install -m 644 %{name}-SUSE/relay_ccerts %{buildroot}%{_sysconfdir}/%{name}/relay_ccerts -install -m 644 %{name}-SUSE/relay_recipients %{buildroot}%{_sysconfdir}/%{name}/relay_recipients -install -m 600 %{name}-SUSE/sasl_passwd %{buildroot}%{_sysconfdir}/%{name}/sasl_passwd +chmod 0755 %{buildroot}%{_sbindir}/config.%{name} +install -pm 0644 %{name}-SUSE/ldap_aliases.cf %{buildroot}%{_sysconfdir}/%{name}/ldap_aliases.cf +install -pm 0644 %{name}-SUSE/helo_access %{buildroot}%{_sysconfdir}/%{name}/helo_access +install -pm 0644 %{name}-SUSE/permissions %{buildroot}%{_sysconfdir}/permissions.d/%{name} +install -pm 0644 %{name}-SUSE/sender_canonical %{buildroot}%{_sysconfdir}/%{name}/sender_canonical +install -pm 0644 %{name}-SUSE/relay %{buildroot}%{_sysconfdir}/%{name}/relay +install -pm 0644 %{name}-SUSE/relay_ccerts %{buildroot}%{_sysconfdir}/%{name}/relay_ccerts +install -pm 0644 %{name}-SUSE/relay_recipients %{buildroot}%{_sysconfdir}/%{name}/relay_recipients +install -pm 0600 %{name}-SUSE/sasl_passwd %{buildroot}%{_sysconfdir}/%{name}/sasl_passwd mkdir -p %{buildroot}%{_sysconfdir}/sasl2 -install -m 600 %{name}-SUSE/smtpd.conf %{buildroot}%{_sysconfdir}/sasl2/smtpd.conf -install -m 644 %{name}-SUSE/openssl_%{name}.conf.in 
%{buildroot}%{_sysconfdir}/%{name}/openssl_%{name}.conf.in -install -m 755 %{name}-SUSE/mk%{name}cert %{buildroot}%{_sbindir}/mk%{name}cert +install -pm 0600 %{name}-SUSE/smtpd.conf %{buildroot}%{_sysconfdir}/sasl2/smtpd.conf +install -pm 0644 %{name}-SUSE/openssl_%{name}.conf.in %{buildroot}%{_sysconfdir}/%{name}/openssl_%{name}.conf.in +install -pm 0755 %{name}-SUSE/mk%{name}cert %{buildroot}%{_sbindir}/mk%{name}cert { cat<<EOF # @@ -347,12 +345,12 @@ %{buildroot}%{pf_shlib_directory}/postfix-files mkdir -p %{buildroot}%{pf_shlib_directory}/postfix-files.d # postfix-mysql -install -m 644 %{name}-mysql/main.cf-mysql %{buildroot}%{_sysconfdir}/%{name}/main.cf-mysql -install -m 640 %{name}-mysql/*_maps.cf %{buildroot}%{_sysconfdir}/%{name}/ +install -pm 0644 %{name}-mysql/main.cf-mysql %{buildroot}%{_sysconfdir}/%{name}/main.cf-mysql +install -pm 0640 %{name}-mysql/*_maps.cf %{buildroot}%{_sysconfdir}/%{name}/ # create paranoid permissions file printf '%%-38s %%-18s %%s\n' %{_sbindir}/postdrop "root.%{pf_setgid_group}" "0755" >> %{buildroot}%{_sysconfdir}/permissions.d/%{name}.paranoid printf '%%-38s %%-18s %%s\n' %{_sbindir}/postqueue "root.%{pf_setgid_group}" "0755" >> %{buildroot}%{_sysconfdir}/permissions.d/%{name}.paranoid -install -m 644 include/*.h %{buildroot}%{_includedir}/%{name}/ +install -pm 0644 include/*.h %{buildroot}%{_includedir}/%{name}/ # some rpmlint stuff # remove unneeded examples/chroot-setup for example in AIX42 BSDI* F* HPUX* IRIX* NETBSD1 NEXTSTEP3 OPENSTEP4 OSF1 Solaris*; do 
@@ -366,12 +364,12 @@ rm -f %{buildroot}%{_sysconfdir}/%{name}/*.orig mkdir -p %{buildroot}%{_unitdir}/mail-transfer-agent.target.wants/ mkdir -p %{buildroot}%{pf_shlib_directory}/systemd -install -m 0644 %{name}-SUSE/%{name}.service %{buildroot}%{_unitdir}/%{name}.service -install -m 0755 %{name}-SUSE/config_%{name}.systemd %{buildroot}%{pf_shlib_directory}/systemd/config_%{name} -install -m 0755 %{name}-SUSE/update_chroot.systemd %{buildroot}%{pf_shlib_directory}/systemd/update_chroot -install -m 0755 %{name}-SUSE/update_postmaps.systemd %{buildroot}%{pf_shlib_directory}/systemd/update_postmaps -install -m 0755 %{name}-SUSE/wait_qmgr.systemd %{buildroot}%{pf_shlib_directory}/systemd/wait_qmgr -install -m 0755 %{name}-SUSE/cond_slp.systemd %{buildroot}%{pf_shlib_directory}/systemd/cond_slp +install -pm 0644 %{name}-SUSE/%{name}.service %{buildroot}%{_unitdir}/%{name}.service +install -pm 0755 %{name}-SUSE/config_%{name}.systemd %{buildroot}%{pf_shlib_directory}/systemd/config_%{name} +install -pm 0755 %{name}-SUSE/update_chroot.systemd %{buildroot}%{pf_shlib_directory}/systemd/update_chroot +install -pm 0755 %{name}-SUSE/update_postmaps.systemd %{buildroot}%{pf_shlib_directory}/systemd/update_postmaps +install -pm 0755 %{name}-SUSE/wait_qmgr.systemd %{buildroot}%{pf_shlib_directory}/systemd/wait_qmgr +install -pm 0755 %{name}-SUSE/cond_slp.systemd %{buildroot}%{pf_shlib_directory}/systemd/cond_slp ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name} ln -sv %{_unitdir}/%{name}.service %{buildroot}%{_unitdir}/mail-transfer-agent.target.wants/%{name}.service %fdupes %{buildroot}%{pf_docdir} 
@@ -465,10 +463,8 @@ # --------------------------------------------------------------------------- %pre mysql -f vmail.pre - %post mysql -p /sbin/ldconfig %postun mysql -p /sbin/ldconfig - %post postgresql -p /sbin/ldconfig %postun postgresql -p /sbin/ldconfig ++++++ harden_postfix.service.patch ++++++ Index: postfix-3.6.2/postfix-SUSE/postfix.service =================================================================== --- postfix-3.6.2.orig/postfix-SUSE/postfix.service +++ postfix-3.6.2/postfix-SUSE/postfix.service @@ -19,6 +19,24 @@ After=amavis.service mysql.service cyrus Conflicts=sendmail.service exim.service [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort + +# Needed write permissions for /etc/aliases.* or /etc/aliases.lmdb +# https://bugzilla.opensuse.org/show_bug.cgi?id=1191988 +#ProtectSystem=full +#ReadWritePaths=/etc/postfix + +ProtectHome=false +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type=forking PIDFile=/var/spool/postfix/pid/master.pid ExecStartPre=-/bin/echo 'Starting mail service (Postfix)' ++++++ postfix-3.6.2.tar.gz -> postfix-3.6.5.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.6.2/HISTORY new/postfix-3.6.5/HISTORY --- old/postfix-3.6.2/HISTORY 2021-07-25 00:41:41.000000000 +0200 +++ new/postfix-3.6.5/HISTORY 2022-02-04 21:59:47.000000000 +0100 
@@ -25612,3 +25612,126 @@ was comparing memory addresses instead of queue file names. It now properly compares strings. Reported by Mehmet Avcioglu. File: global/record.c. + +20210811 + + Bitrot: OpenSSL 3.x requires const. File: tls/tls_misc.c. + +20210925 + + Bugfix (bug introduced: Postfix 2.10): postconf -x produced + incorrect output, because different functions were implicitly + sharing a buffer for intermediate results. Reported + by raf, root cause analysis by Viktor Dukhovni. File: + postconf/postconf_builtin.c. + +20211022 + + Bugfix (introduced: Postfix 3.6): the known_tcp_ports setting + had no effect. Reported by Peter. The feature wasn't fully + implemented. Files: config_known_tcp_ports.c, mail_params.c, + posttls-finger/posttls-finger.c, smtp/smtp_connect.c, + util/find_inet.c, util/myaddrinfo.c. + +20211025 + + Bugfix (introduced: Postfix 3.6): mangled warning where a + hostname and warning message run together. Viktor Dukhovni. + File: tls/tls_dane.c. + +20211030 + + Bugfix (problem introduced: Postfix 2.11): check_ccert_access + worked as expected, but produced a spurious warning when + Postfix was built without SASL support. Fix by Brad Barden. + File: smtpd/smtpd_check.c. + +20211105 + + Bugfix (introduced: Postfix 2.4): queue file corruption + after a Milter (for example, MIMEDefang) made a request to + replace the message body with a copy of that message body + plus additional text (for example, a SpamAssassin report). + + The most likely impacts were a) the queue manager reporting + a fatal error resulting in email delivery delays, or b) the + queue manager reporting the corruption and moving the message + to the corrupt queue for damaged messages. + + However, a determined adversary could craft an email message + that would trigger the bug, and insert a content filter + destination or a redirect email address into its queue file. + Postfix would then deliver the message headers there, in + most cases without delivering the message body. 
With enough + experimentation, an attacker could make Postfix deliver + both the message headers and body. + + The details of a successful attack depend on the Milter + implementation, and on the Postfix and Milter configuration + details; these can be determined remotely through + experimentation. Failed experiments may be detected when + the queue manager terminates with a fatal error, or when + the queue manager moves damaged files to the "corrupt" queue + as evidence. + + Technical details: when Postfix executes a "replace body" + Milter request it will reuse queue file storage that was + used by the existing email message body. If the new body + is larger, Postfix will append body content to the end of + the queue file. The corruption happened when a Milter (for + example, MIMEDefang) made a request to replace the body of + a message with a new body that contained a copy of the + original body plus some new text, and the original body + contained a line longer than $line_length_limit bytes (for + example, an image encoded in base64 without hard or soft + line breaks). In queue files, Postfix stores a long text + line as multiple records with up to $line_length_limit bytes + each. Unfortunately, Postfix's "replace body" support did + not account for the additional queue file space needed to + store the second etc. record headers. And thus, the last + record(s) of a long text line could overwrite one or more + queue file records immediately after the space that was + previously occupied by the original message body. + + Problem report by Beno??t Panizzon. + +20211115 + + Bugfix (introduced: 20210708): duplicate bounce_notice_recipient + entries in postconf output. The fix to send SMTP session + transcripts to bounce_notice_recipient was incomplete. + Reported by Vincent Lefevre. File: smtpd/smtpd.c. 
+ +20211216 + + Bugfix (introduced: Postfix 3.0): the proxymap daemon did + not automatically authorize proxied maps inside pipemap + (example: pipemap:{proxy:maptype:mapname, ...}) or inside + unionmap. Problem reported by Mirko Vogt. Files: + proxymap/proxymap.c. + +20211220 + + Bugfix (introduced: Postfix 2.5): off-by-one error while + writing a string terminator. This code had passed all memory + corruption tests, presumably because it wrote over an + alignment padding byte, or over an adjacent character byte + that was never read. Reported by Robert Siemer. Files: + *qmgr/qmgr_feedback.c. + +20211223 + + Cleanup: added missing _maps parameter names to the + proxy_read_maps default value, based on output from the + mantools/missing-proxy-read-maps script. File: + global/mail_params.h. + +20220120 + + Bitrot: Glibc 2.34 implements closefrom(). File: + util/sys_defs.h. + +20220202 + + Bitrot: Berkeley DB 18 is like Berkeley DB 6. Yasuhiro + Kimura. File: util/dict_db.c. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.6.2/src/cleanup/cleanup_body_edit.c new/postfix-3.6.5/src/cleanup/cleanup_body_edit.c --- old/postfix-3.6.2/src/cleanup/cleanup_body_edit.c 2017-12-27 23:29:44.000000000 +0100 +++ new/postfix-3.6.5/src/cleanup/cleanup_body_edit.c 2021-11-05 23:29:08.000000000 +0100 @@ -207,7 +207,7 @@ /* * Finally, output the queue file record. */ - CLEANUP_OUT_BUF(state, REC_TYPE_NORM, buf); + CLEANUP_OUT_BUF(state, rec_type, buf); curr_rp->write_offs = vstream_ftell(state->dst); return (0); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.6.2/src/cleanup/cleanup_milter.c new/postfix-3.6.5/src/cleanup/cleanup_milter.c --- old/postfix-3.6.2/src/cleanup/cleanup_milter.c 2020-09-25 22:11:17.000000000 +0200 +++ new/postfix-3.6.5/src/cleanup/cleanup_milter.c 2021-11-05 23:29:08.000000000 +0100 
@@ -1836,7 +1836,8 @@ /* cleanup_repl_body - replace message body */ -static const char *cleanup_repl_body(void *context, int cmd, VSTRING *buf) +static const char *cleanup_repl_body(void *context, int cmd, int rec_type, + VSTRING *buf) { const char *myname = "cleanup_repl_body"; CLEANUP_STATE *state = (CLEANUP_STATE *) context; @@ -1848,7 +1849,7 @@ */ switch (cmd) { case MILTER_BODY_LINE: - if (cleanup_body_edit_write(state, REC_TYPE_NORM, buf) < 0) + if (cleanup_body_edit_write(state, rec_type, buf) < 0) return (cleanup_milter_error(state, errno)); break; case MILTER_BODY_START: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.6.2/src/global/config_known_tcp_ports.c new/postfix-3.6.5/src/global/config_known_tcp_ports.c --- old/postfix-3.6.2/src/global/config_known_tcp_ports.c 2021-04-19 20:56:10.000000000 +0200 +++ new/postfix-3.6.5/src/global/config_known_tcp_ports.c 2021-11-07 01:09:01.000000000 +0100 @@ -58,6 +58,8 @@ ARGV *association; char **cpp; + clear_known_tcp_ports(); + /* * The settings is in the form of associations separated by comma. Split * it into separate associations. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.6.2/src/global/mail_params.c new/postfix-3.6.5/src/global/mail_params.c --- old/postfix-3.6.2/src/global/mail_params.c 2021-04-18 23:10:45.000000000 +0200 +++ new/postfix-3.6.5/src/global/mail_params.c 2021-11-07 01:20:40.000000000 +0100 @@ -237,6 +237,7 @@ #include <own_inet_addr.h> #include <mail_params.h> #include <compat_level.h> +#include <config_known_tcp_ports.h> /* * Special configuration variables. 
@@ -923,6 +924,11 @@ util_utf8_enable = var_smtputf8_enable; /* + * Configure the known TCP port mappings. + */ + config_known_tcp_ports(VAR_KNOWN_TCP_PORTS, var_known_tcp_ports); + + /* * What protocols should we attempt to support? The result is stored in * the global inet_proto_table variable. */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.6.2/src/global/mail_params.h new/postfix-3.6.5/src/global/mail_params.h --- old/postfix-3.6.2/src/global/mail_params.h 2021-04-18 21:49:59.000000000 +0200 +++ new/postfix-3.6.5/src/global/mail_params.h 2022-01-12 01:35:25.000000000 +0100 @@ -2491,7 +2491,11 @@ " $" VAR_SMTPD_EHLO_DIS_MAPS \ " $" VAR_SMTPD_MILTER_MAPS \ " $" VAR_VIRT_GID_MAPS \ - " $" VAR_VIRT_UID_MAPS + " $" VAR_VIRT_UID_MAPS \ + " $" VAR_LOCAL_LOGIN_SND_MAPS \ + " $" VAR_PSC_REJ_FTR_MAPS \ + " $" VAR_SMTPD_REJ_FTR_MAPS \ + " $" VAR_TLS_SERVER_SNI_MAPS extern char *var_proxy_read_maps; #define VAR_PROXY_WRITE_MAPS "proxy_write_maps" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.6.2/src/global/mail_version.h new/postfix-3.6.5/src/global/mail_version.h --- old/postfix-3.6.2/src/global/mail_version.h 2021-07-25 01:16:27.000000000 +0200 +++ new/postfix-3.6.5/src/global/mail_version.h 2022-02-06 00:24:30.000000000 +0100 
@@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20210724" -#define MAIL_VERSION_NUMBER "3.6.2" +#define MAIL_RELEASE_DATE "20220205" +#define MAIL_VERSION_NUMBER "3.6.5" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.6.2/src/milter/milter.h new/postfix-3.6.5/src/milter/milter.h --- old/postfix-3.6.2/src/milter/milter.h 2020-06-08 18:34:32.000000000 +0200 +++ new/postfix-3.6.5/src/milter/milter.h 2021-11-05 23:29:08.000000000 +0100 @@ -100,7 +100,7 @@ typedef const char *(*MILTER_EDIT_FROM_FN) (void *, const char *, const char *); typedef const char *(*MILTER_EDIT_RCPT_FN) (void *, const char *); typedef const char *(*MILTER_EDIT_RCPT_PAR_FN) (void *, const char *, const char *); -typedef const char *(*MILTER_EDIT_BODY_FN) (void *, int, VSTRING *); +typedef const char *(*MILTER_EDIT_BODY_FN) (void *, int, int, VSTRING *); typedef struct MILTERS { MILTER *milter_list; /* linked list of Milters */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.6.2/src/milter/milter8.c new/postfix-3.6.5/src/milter/milter8.c --- old/postfix-3.6.2/src/milter/milter8.c 2020-02-02 21:49:15.000000000 +0100 +++ new/postfix-3.6.5/src/milter/milter8.c 2021-11-05 23:29:08.000000000 +0100 @@ -1147,10 +1147,12 @@ if (edit_resp == 0 && LEN(body_line_buf) > 0) edit_resp = parent->repl_body(parent->chg_context, MILTER_BODY_LINE, + REC_TYPE_NORM, body_line_buf); if (edit_resp == 0) edit_resp = parent->repl_body(parent->chg_context, MILTER_BODY_END, + /* unused*/ 0, (VSTRING *) 0); body_edit_lockout = 1; vstring_free(body_line_buf); 
@@ -1546,6 +1548,7 @@ body_line_buf = vstring_alloc(var_line_limit); edit_resp = parent->repl_body(parent->chg_context, MILTER_BODY_START, + /* unused */ 0, (VSTRING *) 0); } /* Extract lines from the on-the-wire CRLF format. */ @@ -1559,9 +1562,18 @@ LEN(body_line_buf) - 1); edit_resp = parent->repl_body(parent->chg_context, MILTER_BODY_LINE, + REC_TYPE_NORM, body_line_buf); VSTRING_RESET(body_line_buf); } else { + /* Preserves \r if not followed by \n. */ + if (LEN(body_line_buf) == var_line_limit) { + edit_resp = parent->repl_body(parent->chg_context, + MILTER_BODY_LINE, + REC_TYPE_CONT, + body_line_buf); + VSTRING_RESET(body_line_buf); + } VSTRING_ADDCH(body_line_buf, ch); } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.6.2/src/oqmgr/qmgr_feedback.c new/postfix-3.6.5/src/oqmgr/qmgr_feedback.c --- old/postfix-3.6.2/src/oqmgr/qmgr_feedback.c 2008-01-08 21:51:39.000000000 +0100 +++ new/postfix-3.6.5/src/oqmgr/qmgr_feedback.c 2021-12-22 23:49:37.000000000 +0100 @@ -109,7 +109,7 @@ double enum_val; char denom_str[30 + 1]; double denom_val; - char slash; + char slash[1 + 1]; char junk; char *fbck_name; char *fbck_val; @@ -135,7 +135,7 @@ fb->base = -1; /* assume error */ switch (sscanf(fbck_val, "%lf %1[/] %30s%c", - &enum_val, &slash, denom_str, &junk)) { + &enum_val, slash, denom_str, &junk)) { case 1: fb->index = QMGR_FEEDBACK_IDX_NONE; fb->base = enum_val; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.6.2/src/postconf/postconf_builtin.c new/postfix-3.6.5/src/postconf/postconf_builtin.c --- old/postfix-3.6.2/src/postconf/postconf_builtin.c 2021-02-18 20:44:05.000000000 +0100 +++ new/postfix-3.6.5/src/postconf/postconf_builtin.c 2021-09-26 01:01:35.000000000 +0200 @@ -247,6 +247,7 @@ static const char *pcf_mynetworks(void) { static const char *networks; + VSTRING *exp_buf; const char *junk; /* 
@@ -255,10 +256,12 @@ if (networks) return (networks); + exp_buf = vstring_alloc(100); + if (var_inet_interfaces == 0) { if ((pcf_cmd_mode & PCF_SHOW_DEFS) || (junk = mail_conf_lookup_eval(VAR_INET_INTERFACES)) == 0) - junk = pcf_expand_parameter_value((VSTRING *) 0, pcf_cmd_mode, + junk = pcf_expand_parameter_value(exp_buf, pcf_cmd_mode, DEF_INET_INTERFACES, (PCF_MASTER_ENT *) 0); var_inet_interfaces = mystrdup(junk); @@ -266,7 +269,7 @@ if (var_mynetworks_style == 0) { if ((pcf_cmd_mode & PCF_SHOW_DEFS) || (junk = mail_conf_lookup_eval(VAR_MYNETWORKS_STYLE)) == 0) - junk = pcf_expand_parameter_value((VSTRING *) 0, pcf_cmd_mode, + junk = pcf_expand_parameter_value(exp_buf, pcf_cmd_mode, DEF_MYNETWORKS_STYLE, (PCF_MASTER_ENT *) 0); var_mynetworks_style = mystrdup(junk); @@ -274,12 +277,13 @@ if (var_inet_protocols == 0) { if ((pcf_cmd_mode & PCF_SHOW_DEFS) || (junk = mail_conf_lookup_eval(VAR_INET_PROTOCOLS)) == 0) - junk = pcf_expand_parameter_value((VSTRING *) 0, pcf_cmd_mode, + junk = pcf_expand_parameter_value(exp_buf, pcf_cmd_mode, DEF_INET_PROTOCOLS, (PCF_MASTER_ENT *) 0); var_inet_protocols = mystrdup(junk); (void) inet_proto_init(VAR_INET_PROTOCOLS, var_inet_protocols); } + vstring_free(exp_buf); return (networks = mystrdup(mynetworks())); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.6.2/src/posttls-finger/posttls-finger.c new/postfix-3.6.5/src/posttls-finger/posttls-finger.c --- old/postfix-3.6.2/src/posttls-finger/posttls-finger.c 2021-04-18 22:44:01.000000000 +0200 +++ new/postfix-3.6.5/src/posttls-finger/posttls-finger.c 2021-11-07 01:09:01.000000000 +0100 
@@ -1488,12 +1488,14 @@ /* * Convert service to port number, network byte order. */ + service = (char *) filter_known_tcp_port(service); if (alldig(service)) { if ((port = atoi(service)) >= 65536 || port == 0) - msg_fatal("bad network port in destination: %s", destination); + msg_fatal("bad network port: %s for destination: %s", + service, destination); *portp = htons(port); } else { - if ((sp = getservbyname(filter_known_tcp_port(service), protocol)) != 0) + if ((sp = getservbyname(service, protocol)) != 0) *portp = sp->s_port; else if (strcmp(service, "smtp") == 0) *portp = htons(25); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.6.2/src/proxymap/proxymap.c new/postfix-3.6.5/src/proxymap/proxymap.c --- old/postfix-3.6.2/src/proxymap/proxymap.c 2021-02-17 01:07:26.000000000 +0100 +++ new/postfix-3.6.5/src/proxymap/proxymap.c 2021-12-23 23:37:41.000000000 +0100 @@ -232,6 +232,8 @@ #include <htable.h> #include <stringops.h> #include <dict.h> +#include <dict_pipe.h> +#include <dict_union.h> /* Global library. */ @@ -295,6 +297,27 @@ #define STR(x) vstring_str(x) #define VSTREQ(x,y) (strcmp(STR(x),y) == 0) +/* get_nested_dict_name - return nested dictionary name pointer, or null */ + +static char *get_nested_dict_name(char *type_name) +{ + const struct { + const char *type_col; + ssize_t type_col_len; + } *prefix, prefixes[] = { + DICT_TYPE_UNION ":", (sizeof(DICT_TYPE_UNION ":") - 1), + DICT_TYPE_PIPE ":", (sizeof(DICT_TYPE_PIPE ":") - 1), + }; + +#define COUNT_OF(x) (sizeof(x)/sizeof((x)[0])) + + for (prefix = prefixes; prefix < prefixes + COUNT_OF(prefixes); prefix++) { + if (strncmp(type_name, prefix->type_col, prefix->type_col_len) == 0) + return (type_name + prefix->type_col_len); + } + return (0); +} + /* proxy_map_find - look up or open table */ static DICT *proxy_map_find(const char *map_type_name, int request_flags, 
@@ -660,41 +683,17 @@ return (dict_open(map, open_flags, dict_flags)); } -/* post_jail_init - initialization after privilege drop */ +/* authorize_proxied_maps - recursively authorize maps */ -static void post_jail_init(char *service_name, char **unused_argv) +static void authorize_proxied_maps(char *bp) { const char *sep = CHARS_COMMA_SP; const char *parens = CHARS_BRACE; - char *saved_filter; - char *bp; char *type_name; - /* - * Are we proxy writer? - */ - if (strcmp(service_name, MAIL_SERVICE_PROXYWRITE) == 0) - proxy_writer = 1; - else if (strcmp(service_name, MAIL_SERVICE_PROXYMAP) != 0) - msg_fatal("service name must be one of %s or %s", - MAIL_SERVICE_PROXYMAP, MAIL_SERVICE_PROXYMAP); - - /* - * Pre-allocate buffers. - */ - request = vstring_alloc(10); - request_map = vstring_alloc(10); - request_key = vstring_alloc(10); - request_value = vstring_alloc(10); - map_type_name_flags = vstring_alloc(10); - - /* - * Prepare the pre-approved list of proxied tables. - */ - saved_filter = bp = mystrdup(proxy_writer ? var_proxy_write_maps : - var_proxy_read_maps); - proxy_auth_maps = htable_create(13); while ((type_name = mystrtokq(&bp, sep, parens)) != 0) { + char *nested_info; + /* Maybe { maptype:mapname attr=value... } */ if (*type_name == parens[0]) { char *err; @@ -710,6 +709,22 @@ if ((type_name = mystrtokq(&type_name, sep, parens)) == 0) continue; } + /* Recurse into nested map (pipemap, unionmap). */ + if ((nested_info = get_nested_dict_name(type_name)) != 0) { + char *err; + + if (*nested_info != parens[0]) + continue; + /* Warn about blatant syntax error. */ + if ((err = extpar(&nested_info, parens, EXTPAR_FLAG_NONE)) != 0) { + msg_warn("bad %s parameter value: %s", + PROXY_MAP_PARAM_NAME(proxy_writer), err); + myfree(err); + continue; + } + authorize_proxied_maps(nested_info); + continue; + } if (strncmp(type_name, PROXY_COLON, PROXY_COLON_LEN)) continue; do { 
@@ -723,6 +738,39 @@ PROXY_MAP_PARAM_NAME(proxy_writer)); } } +} + +/* post_jail_init - initialization after privilege drop */ + +static void post_jail_init(char *service_name, char **unused_argv) +{ + char *saved_filter; + + /* + * Are we proxy writer? + */ + if (strcmp(service_name, MAIL_SERVICE_PROXYWRITE) == 0) + proxy_writer = 1; + else if (strcmp(service_name, MAIL_SERVICE_PROXYMAP) != 0) + msg_fatal("service name must be one of %s or %s", + MAIL_SERVICE_PROXYMAP, MAIL_SERVICE_PROXYMAP); + + /* + * Pre-allocate buffers. + */ + request = vstring_alloc(10); + request_map = vstring_alloc(10); + request_key = vstring_alloc(10); + request_value = vstring_alloc(10); + map_type_name_flags = vstring_alloc(10); + + /* + * Prepare the pre-approved list of proxied tables. + */ + saved_filter = mystrdup(proxy_writer ? var_proxy_write_maps : + var_proxy_read_maps); + proxy_auth_maps = htable_create(13); + authorize_proxied_maps(saved_filter); myfree(saved_filter); /* diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.6.2/src/qmgr/qmgr_feedback.c new/postfix-3.6.5/src/qmgr/qmgr_feedback.c --- old/postfix-3.6.2/src/qmgr/qmgr_feedback.c 2008-01-08 21:51:44.000000000 +0100 +++ new/postfix-3.6.5/src/qmgr/qmgr_feedback.c 2021-12-22 23:49:37.000000000 +0100 @@ -109,7 +109,7 @@ double enum_val; char denom_str[30 + 1]; double denom_val; - char slash; + char slash[1 + 1]; char junk; char *fbck_name; char *fbck_val; 
@@ -135,7 +135,7 @@ fb->base = -1; /* assume error */ switch (sscanf(fbck_val, "%lf %1[/] %30s%c", - &enum_val, &slash, denom_str, &junk)) { + &enum_val, slash, denom_str, &junk)) { case 1: fb->index = QMGR_FEEDBACK_IDX_NONE; fb->base = enum_val; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.6.2/src/smtp/smtp_connect.c new/postfix-3.6.5/src/smtp/smtp_connect.c --- old/postfix-3.6.2/src/smtp/smtp_connect.c 2021-04-18 22:42:40.000000000 +0200 +++ new/postfix-3.6.5/src/smtp/smtp_connect.c 2021-11-07 01:09:01.000000000 +0100 @@ -356,12 +356,14 @@ /* * Convert service to port number, network byte order. */ + service = (char *) filter_known_tcp_port(service); if (alldig(service)) { if ((port = atoi(service)) >= 65536 || port == 0) - msg_fatal("bad network port in destination: %s", destination); + msg_fatal("bad network port: %s for destination: %s", + service, destination); *portp = htons(port); } else { - if ((sp = getservbyname(filter_known_tcp_port(service), protocol)) == 0) + if ((sp = getservbyname(service, protocol)) == 0) msg_fatal("unknown service: %s/%s", service, protocol); *portp = sp->s_port; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.6.2/src/smtpd/smtpd.c new/postfix-3.6.5/src/smtpd/smtpd.c --- old/postfix-3.6.2/src/smtpd/smtpd.c 2021-07-24 23:43:57.000000000 +0200 +++ new/postfix-3.6.5/src/smtpd/smtpd.c 2021-11-15 14:42:43.000000000 +0100 
@@ -6432,7 +6432,7 @@ VAR_EOD_CHECKS, DEF_EOD_CHECKS, &var_eod_checks, 0, 0, VAR_MAPS_RBL_DOMAINS, DEF_MAPS_RBL_DOMAINS, &var_maps_rbl_domains, 0, 0, VAR_RBL_REPLY_MAPS, DEF_RBL_REPLY_MAPS, &var_rbl_reply_maps, 0, 0, - VAR_BOUNCE_RCPT, DEF_ERROR_RCPT, &var_bounce_rcpt, 1, 0, + VAR_BOUNCE_RCPT, DEF_BOUNCE_RCPT, &var_bounce_rcpt, 1, 0, VAR_ERROR_RCPT, DEF_ERROR_RCPT, &var_error_rcpt, 1, 0, VAR_REST_CLASSES, DEF_REST_CLASSES, &var_rest_classes, 0, 0, VAR_CANONICAL_MAPS, DEF_CANONICAL_MAPS, &var_canonical_maps, 0, 0, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.6.2/src/smtpd/smtpd_check.c new/postfix-3.6.5/src/smtpd/smtpd_check.c --- old/postfix-3.6.2/src/smtpd/smtpd_check.c 2021-04-04 17:54:29.000000000 +0200 +++ new/postfix-3.6.5/src/smtpd/smtpd_check.c 2021-11-07 00:43:54.000000000 +0100 @@ -4374,8 +4374,8 @@ } } else if (is_map_command(state, name, CHECK_CCERT_ACL, &cpp)) { status = check_ccert_access(state, *cpp, def_acl); -#ifdef USE_SASL_AUTH } else if (is_map_command(state, name, CHECK_SASL_ACL, &cpp)) { +#ifdef USE_SASL_AUTH if (var_smtpd_sasl_enable) { if (state->sasl_username && state->sasl_username[0]) status = check_sasl_access(state, *cpp, def_acl); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.6.2/src/tls/tls_dane.c new/postfix-3.6.5/src/tls/tls_dane.c --- old/postfix-3.6.2/src/tls/tls_dane.c 2020-07-19 18:18:48.000000000 +0200 +++ new/postfix-3.6.5/src/tls/tls_dane.c 2021-10-25 15:35:37.000000000 +0200 @@ -392,7 +392,7 @@ vstring_sprintf(top, "..."); } - msg_warn("%s%s%s%s: %u %u %u %s%s%s", s1, s2, s3, s4, u, s, m, STR(top), + msg_warn("%s%s%s %s: %u %u %u %s%s%s", s1, s2, s3, s4, u, s, m, STR(top), dlen > MAX_DUMP_BYTES ? "..." : "", dlen > MAX_DUMP_BYTES ? STR(bot) : ""); } 
@@ -807,13 +807,13 @@ continue; } if (ret == 0) { - tlsa_carp(TLScontext->namaddr, ": ", "", "unusable TLSA RR", + tlsa_carp(TLScontext->namaddr, ":", "", "unusable TLSA RR", tp->usage, tp->selector, tp->mtype, tp->data, tp->length); continue; } /* Internal problem in OpenSSL */ - tlsa_carp(TLScontext->namaddr, ": ", "", "error loading trust settings", + tlsa_carp(TLScontext->namaddr, ":", "", "error loading trust settings", tp->usage, tp->selector, tp->mtype, tp->data, tp->length); tls_print_errors(); return (-1); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.6.2/src/tls/tls_misc.c new/postfix-3.6.5/src/tls/tls_misc.c --- old/postfix-3.6.2/src/tls/tls_misc.c 2020-07-26 23:27:35.000000000 +0200 +++ new/postfix-3.6.5/src/tls/tls_misc.c 2021-08-11 21:10:08.000000000 +0200 @@ -883,7 +883,7 @@ EVP_PKEY *peer_pkey = 0; #ifndef OPENSSL_NO_EC - EC_KEY *eckey; + const EC_KEY *eckey; #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.6.2/src/util/dict_db.c new/postfix-3.6.5/src/util/dict_db.c --- old/postfix-3.6.2/src/util/dict_db.c 2018-11-06 23:25:54.000000000 +0100 +++ new/postfix-3.6.5/src/util/dict_db.c 2022-02-04 21:55:06.000000000 +0100 
@@ -753,7 +753,7 @@ if (type == DB_HASH && db->set_h_nelem(db, DICT_DB_NELM) != 0) msg_fatal("set DB hash element count %d: %m", DICT_DB_NELM); db_base_buf = vstring_alloc(100); -#if DB_VERSION_MAJOR == 6 || DB_VERSION_MAJOR == 5 || \ +#if DB_VERSION_MAJOR == 18 || DB_VERSION_MAJOR == 6 || DB_VERSION_MAJOR == 5 || \ (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR > 0) if ((errno = db->open(db, 0, sane_basename(db_base_buf, db_path), 0, type, db_flags, 0644)) != 0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.6.2/src/util/find_inet.c new/postfix-3.6.5/src/util/find_inet.c --- old/postfix-3.6.2/src/util/find_inet.c 2021-04-18 22:05:04.000000000 +0200 +++ new/postfix-3.6.5/src/util/find_inet.c 2021-11-07 01:29:34.000000000 +0100 @@ -85,12 +85,13 @@ struct servent *sp; int port; + service = filter_known_tcp_port(service); if (alldig(service) && (port = atoi(service)) != 0) { if (port < 0 || port > 65535) msg_fatal("bad port number: %s", service); return (htons(port)); } else { - if ((sp = getservbyname(filter_known_tcp_port(service), protocol)) == 0) + if ((sp = getservbyname(service, protocol)) == 0) msg_fatal("unknown service: %s/%s", service, protocol); return (sp->s_port); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.6.2/src/util/myaddrinfo.c new/postfix-3.6.5/src/util/myaddrinfo.c --- old/postfix-3.6.2/src/util/myaddrinfo.c 2021-04-18 22:03:51.000000000 +0200 +++ new/postfix-3.6.5/src/util/myaddrinfo.c 2021-11-07 01:09:01.000000000 +0100 @@ -271,6 +271,7 @@ const char *proto; unsigned port; + service = filter_known_tcp_port(service); if (alldig(service)) { port = atoi(service); return (port < 65536 ? htons(port) : -1); @@ -282,7 +283,7 @@ } else { return (-1); } - if ((sp = getservbyname(filter_known_tcp_port(service), proto)) != 0) { + if ((sp = getservbyname(service, proto)) != 0) { return (sp->s_port); } else { return (-1); 
@@ -445,7 +446,12 @@ } #endif } - err = getaddrinfo(hostname, filter_known_tcp_port(service), &hints, res); + if (service) { + service = filter_known_tcp_port(service); + if (alldig(service)) + hints.ai_flags |= AI_NUMERICSERV; + } + err = getaddrinfo(hostname, service, &hints, res); #if defined(BROKEN_AI_NULL_SERVICE) if (service == 0 && err == 0) { struct addrinfo *r; @@ -561,7 +567,12 @@ } #endif } - err = getaddrinfo(hostaddr, filter_known_tcp_port(service), &hints, res); + if (service) { + service = filter_known_tcp_port(service); + if (alldig(service)) + hints.ai_flags |= AI_NUMERICSERV; + } + err = getaddrinfo(hostaddr, service, &hints, res); #if defined(BROKEN_AI_NULL_SERVICE) if (service == 0 && err == 0) { struct addrinfo *r; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.6.2/src/util/sys_defs.h new/postfix-3.6.5/src/util/sys_defs.h --- old/postfix-3.6.2/src/util/sys_defs.h 2020-05-21 15:34:23.000000000 +0200 +++ new/postfix-3.6.5/src/util/sys_defs.h 2022-01-31 00:20:24.000000000 +0100 @@ -827,6 +827,9 @@ #define HAVE_POSIX_GETPW_R #endif #endif +#if HAVE_GLIBC_API_VERSION_SUPPORT(2, 34) +#define HAS_CLOSEFROM +#endif #endif ++++++ postfix-SUSE.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-SUSE/config.postfix new/postfix-SUSE/config.postfix --- old/postfix-SUSE/config.postfix 2021-10-07 10:09:05.350217677 +0200 +++ new/postfix-SUSE/config.postfix 2022-04-04 11:00:41.175540721 +0200 @@ -37,10 +37,10 @@ if [ ! -f $dst -a ! -d $dst -a -e $i ]; then echo "copying missing $dst from $i" - cp -af $i $dst + cp -afL $i $dst elif [ ! -d $dst -a $i -nt $dst -o $i -ot $dst ]; then echo "updating $dst from $i" - cp -af $i $dst + cp -afL $i $dst fi done } 
@@ -718,10 +718,12 @@ if test "$POSTFIX_SMTP_TLS_CLIENT" == "yes"; then $PCONF -e "smtp_use_tls = yes" $PCONF -e "smtp_enforce_tls = no" + $PCONF -e "smtp_tls_security_level = encrypt" fi if test "$POSTFIX_SMTP_TLS_CLIENT" == "must"; then $PCONF -e "smtp_use_tls = yes" $PCONF -e "smtp_enforce_tls = yes" + $PCONF -e "smtp_tls_security_level = encrypt" fi if test "$POSTFIX_SMTP_TLS_CLIENT" = "yes" -o "$POSTFIX_SMTP_TLS_CLIENT" = "must" ; then if [ -n "$POSTFIX_TLS_CAFILE" -a -s "$POSTFIX_SSL_PATH/$POSTFIX_TLS_CAFILE" ]; then diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-SUSE/update_postmaps.systemd new/postfix-SUSE/update_postmaps.systemd --- old/postfix-SUSE/update_postmaps.systemd 2020-12-25 11:57:50.000000000 +0100 +++ new/postfix-SUSE/update_postmaps.systemd 2022-03-14 10:51:56.032331082 +0100 @@ -37,7 +37,7 @@ fi chmod $p $d done -for i in /etc/aliases /etc/aliases.d/*; do +for i in /etc/aliases /etc/postfix/aliases /etc/aliases.d/*; do m=${i%.$e} d=$m.$e if [ -e $m -a $m -nt $d ]; then
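Review bot: in src/milter/milter8.c, hunk @@ -1559,9 +1562,18 @@, the new comment "Preserves \r if not followed by \n." sits directly above the var_line_limit check, which it does not describe; it belongs with the VSTRING_ADDCH() call below. The overflow flush needs its own comment saying that a body line reaching var_line_limit is handed to repl_body() as a REC_TYPE_CONT record and the buffer is reset. Testing LEN(body_line_buf) >= var_line_limit instead of == would also keep the flush working if the buffer ever got past the limit by another path.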
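Review bot: in src/posttls-finger/posttls-finger.c, hunk @@ -1488,12 +1488,14 @@, the added line service = (char *) filter_known_tcp_port(service); casts the result to a non-const pointer only to make the assignment compile. Assign it to a local const char * instead, so that nothing later in the function can write through it. The same cast appears in src/smtp/smtp_connect.c, hunk @@ -356,12 +356,14 @@. In both places the range check still relies on atoi() for an all-digit string of any length, and atoi() has no defined result when the value does not fit in an int; strtoul() with an explicit upper bound, or a length check before the conversion, would make the "bad network port" path dependable for very long digit strings.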
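Review bot: in src/proxymap/proxymap.c, hunk @@ -295,6 +297,27 @@, the prefixes[] initializer in get_nested_dict_name() lists the struct members without inner braces, which depends on brace elision and draws a missing-braces warning from compilers that check for it. Wrap each entry as { DICT_TYPE_UNION ":", sizeof(DICT_TYPE_UNION ":") - 1 }. The type_name parameter is only read here, so it could take a const char * if the return type is adjusted to match.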
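Review bot: in src/proxymap/proxymap.c, hunk @@ -710,6 +709,22 @@, the check if (*nested_info != parens[0]) continue; drops a pipemap: or unionmap: entry that is not followed by an opening brace without logging anything, while the extpar() failure three lines later reports msg_warn("bad %s parameter value: %s", ...). An administrator whose nested proxy: table is not authorized because of this has no log line to go on; emit the same warning before the continue. authorize_proxied_maps() also tokenizes its argument in place and calls itself on nested_info, which is worth one sentence in the function comment so that callers keep passing a writable copy, as post_jail_init() does with saved_filter.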
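Review bot: in src/proxymap/proxymap.c, hunk @@ -723,6 +738,39 @@, the relocated post_jail_init() still calls msg_fatal("service name must be one of %s or %s", MAIL_SERVICE_PROXYMAP, MAIL_SERVICE_PROXYMAP), so the message names the same service twice. The strcmp() just above compares against MAIL_SERVICE_PROXYWRITE, and that is what the second argument should be. The line is carried over unchanged from the block removed in hunk @@ -660,41 +683,17 @@; moving it is a good moment to fix it.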
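Review bot: in src/tls/tls_dane.c, hunks @@ -392,7 +392,7 @@ and @@ -807,13 +807,13 @@, the separating space moves from the callers' ": " argument into the msg_warn() format ("%s%s%s %s: ..."), which leaves the output of the two tlsa_carp() calls shown here unchanged. The contract for the s2 and s3 arguments is therefore different for every other caller, none of which appear in this diff. State in the tlsa_carp() comment that the function supplies the space before s4, and check the remaining call sites for arguments that still end in a blank.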
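Review bot: in src/util/myaddrinfo.c, hunks @@ -445,7 +446,12 @@ and @@ -561,7 +567,12 @@, the same five lines (null check on service, filter_known_tcp_port(), alldig(), hints.ai_flags |= AI_NUMERICSERV) are added twice, once before getaddrinfo(hostname, ...) and once before getaddrinfo(hostaddr, ...). A small static helper that takes the service pointer and the hints structure would keep the two paths from drifting apart. Setting AI_NUMERICSERV for all-digit services is the right call, since it keeps getaddrinfo() from consulting the services database for a value that is already a port number; a one-line comment saying so would help the next reader.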
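Review bot: in postfix-SUSE/config.postfix, hunk @@ -37,10 +37,10 @@, both changed lines read cp -afL $i $dst with the variables unquoted, so a path containing whitespace or glob characters is split or expanded before cp sees it. Quote them as cp -afL "$i" "$dst". With -L the destination receives the content of whatever a symlinked source points to, which is the intent of the bsc#1195019 fix; a short comment above the loop saying that symlinks are dereferenced on purpose would prevent a later cleanup from removing the flag.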
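Review bot: in postfix-SUSE/config.postfix, hunk @@ -718,10 +718,12 @@, the POSTFIX_SMTP_TLS_CLIENT "yes" branch now sets smtp_tls_security_level = encrypt right after smtp_enforce_tls = no, so "yes" and "must" end up with the same mandatory-TLS policy. smtp_tls_security_level overrides the legacy smtp_use_tls and smtp_enforce_tls parameters, which means a host configured with "yes" would stop delivering to peers that do not offer STARTTLS. The "yes" branch should set smtp_tls_security_level = may and leave encrypt to the "must" branch. The two tests in this hunk also compare with ==, while the combined test on the following line uses =; the single = is the portable form for test.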
