Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package postfix for openSUSE:Factory checked in at 2023-11-13 22:15:44
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/postfix (Old)
 and      /work/SRC/openSUSE:Factory/.postfix.new.17445 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "postfix" Mon Nov 13 22:15:44 2023 rev:229 rq:1125117 version:3.8.3 Changes: -------- --- /work/SRC/openSUSE:Factory/postfix/postfix-bdb.changes 2023-08-30 10:18:20.991579634 +0200 +++ /work/SRC/openSUSE:Factory/.postfix.new.17445/postfix-bdb.changes 2023-11-13 22:15:50.992410750 +0100 
@@ -1,0 +2,33 @@ +Fri Nov 3 14:55:20 UTC 2023 - Arjen de Korte <[email protected]> + +- update to 3.8.3 + * Bugfix (defect introduced Postfix 2.5, date 20080104): the + Postfix SMTP server was waiting for a client command instead + of replying immediately, after a client certificate verification + error in TLS wrappermode. Reported by Andreas Kinzler. + * Usability: the Postfix SMTP server (finally) attempts to log + the SASL username after authentication failure. In Postfix + logging, this appends ", sasl_username=xxx" after the reason + for SASL authentication failure. The logging replaces an + unavailable reason with "(reason unavailable)", and replaces + an unavailable sasl_username with "(unavailable)". Based on + code by Jozsef Kadlecsik. + * Compatibility bugfix (defect introduced: Postfix 2.11, date + 20130405): in forward_path, the expression ${recipient_delimiter} + would expand to an empty string when a recipient address had + no recipient delimiter. The compatibility fix is to use a + configured recipient delimiter value instead. Reported by Tod + A. Sandman. + +------------------------------------------------------------------- +Mon Oct 23 07:43:31 UTC 2023 - Peter Varkoly <[email protected]> + +- Syntax error in update_postmaps script (bsc#1216061) + +------------------------------------------------------------------- +Mon Sep 18 12:38:19 UTC 2023 - Peter Varkoly <[email protected]> + +- postfix: config.postfix causes too tight permission on main.cf + (bsc#1215372) + +------------------------------------------------------------------- --- /work/SRC/openSUSE:Factory/postfix/postfix.changes 2023-08-30 10:18:21.307590910 +0200 +++ /work/SRC/openSUSE:Factory/.postfix.new.17445/postfix.changes 2023-11-13 22:15:51.076413844 +0100 
@@ -1,0 +2,33 @@ +Fri Nov 3 14:55:20 UTC 2023 - Arjen de Korte <[email protected]> + +- update to 3.8.3 + * Bugfix (defect introduced Postfix 2.5, date 20080104): the + Postfix SMTP server was waiting for a client command instead + of replying immediately, after a client certificate verification + error in TLS wrappermode. Reported by Andreas Kinzler. + * Usability: the Postfix SMTP server (finally) attempts to log + the SASL username after authentication failure. In Postfix + logging, this appends ", sasl_username=xxx" after the reason + for SASL authentication failure. The logging replaces an + unavailable reason with "(reason unavailable)", and replaces + an unavailable sasl_username with "(unavailable)". Based on + code by Jozsef Kadlecsik. + * Compatibility bugfix (defect introduced: Postfix 2.11, date + 20130405): in forward_path, the expression ${recipient_delimiter} + would expand to an empty string when a recipient address had + no recipient delimiter. The compatibility fix is to use a + configured recipient delimiter value instead. Reported by Tod + A. Sandman. + +------------------------------------------------------------------- +Mon Oct 23 07:43:31 UTC 2023 - Peter Varkoly <[email protected]> + +- Syntax error in update_postmaps script (bsc#1216061) + +------------------------------------------------------------------- +Mon Sep 18 12:38:19 UTC 2023 - Peter Varkoly <[email protected]> + +- postfix: config.postfix causes too tight permission on main.cf + (bsc#1215372) + +------------------------------------------------------------------- Old: ---- postfix-3.8.1.tar.gz postfix-3.8.1.tar.gz.asc New: ---- postfix-3.8.3.tar.gz postfix-3.8.3.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ postfix-bdb.spec ++++++ --- /var/tmp/diff_new_pack.Qfb7NQ/_old 2023-11-13 22:15:53.032485864 +0100 +++ /var/tmp/diff_new_pack.Qfb7NQ/_new 2023-11-13 22:15:53.032485864 +0100 
@@ -59,7 +59,7 @@ %endif %bcond_without ldap Name: postfix-bdb -Version: 3.8.1 +Version: 3.8.3 Release: 0 Summary: A fast, secure, and flexible mailer License: IPL-1.0 OR EPL-2.0 postfix.spec: same change ++++++ postfix-3.8.1.tar.gz -> postfix-3.8.3.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.8.1/HISTORY new/postfix-3.8.3/HISTORY --- old/postfix-3.8.1/HISTORY 2023-06-05 21:08:34.000000000 +0200 +++ new/postfix-3.8.3/HISTORY 2023-10-31 19:51:03.000000000 +0100 
@@ -27159,3 +27159,56 @@ (default: no) to disconnect remote SMTP clients that violate RFC 2920 (or 5321) command pipelining constraints. Files: global/mail_params.h, smtpd/smtpd.c, proto/postconf.proto. + +20230815 + + Bugfix (bug introduced: 20140218): when opportunistic TLS fails + during or after the handshake, don't require that a probe + message spent a minimum time-in-queue before falling back to + plaintext. Problem reported by Serg. File: smtp/smtp.h. + +20230819 + + Bugfix (defect introduced: 19980207): the valid_hostname() + check in the Postfix DNS client library was blocking unusual + but legitimate wildcard names (*.name) in some DNS lookup + results and lookup requests. Examples: + + name class/type value + *.one.example IN CNAME *.other.example + *.other.example IN A 10.0.0.1 + *.other.example IN TLSA ..certificate info... + + Such syntax is blesed in RFC 1034 section 4.3.3. + + This problem was reported first in the context of TLSA + record lookups. Files: util/valid_hostname.[hc], + dns/dns_lookup.c. + +20230929 + + Bugfix (defect introduced Postfix 2.5, 20080104): the Postfix + SMTP server was waiting for a client command instead of + replying immediately, after a client certificate verification + error in TLS wrappermode. Reported by Andreas Kinzler. File: + smtpd/smtpd.c. + +20231006 + + Usability: the Postfix SMTP server now attempts to log the + SASL username after authentication failure. In Postfix + logging, this appends ", sasl_username=xxx" after the reason + for SASL authentication failure. The logging replaces an + unavailable reason with "(reason unavailable)", and replaces + an unavailable sasl_username with "(unavailable)". Based + on code by Jozsef Kadlecsik. Files: xsasl/xsasl_server.c, + xsasl/xsasl_cyrus_server.c, smtpd/smtpd_sasl_glue.c. 
+ +20231026 + + Bugfix (defect introduced: Postfix 2.11): in forward_path, + the expression ${recipient_delimiter} would expand to an + empty string when a recipient address had no recipient + delimiter. Fixed by restoring Postfix 2.10 behavior to use + a configured recipient delimiter value. Reported by Tod + A. Sandman. Files: proto/postconf.proto, local/local_expand.c. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.8.1/html/postconf.5.html new/postfix-3.8.3/html/postconf.5.html --- old/postfix-3.8.1/html/postconf.5.html 2023-06-05 21:23:21.000000000 +0200 +++ new/postfix-3.8.3/html/postconf.5.html 2023-11-01 17:32:11.000000000 +0100 @@ -3761,7 +3761,10 @@ <dt><b>$<a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a></b></dt> <dd>The address extension delimiter that was found in the recipient -address (Postfix 2.11 and later), or the system-wide recipient +address (Postfix 2.11 and later), or the 'first' delimiter specified +with the system-wide recipient address extension delimiter (Postfix +3.5.22, 3.5.12, 3.7.8, 3.8.3 and later). Historically, this was +always the system-wide recipient address extension delimiter (Postfix 2.10 and earlier). </dd> <dt><b>${name?value}</b></dt> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.8.1/man/man5/postconf.5 new/postfix-3.8.3/man/man5/postconf.5 --- old/postfix-3.8.1/man/man5/postconf.5 2023-06-05 21:23:21.000000000 +0200 +++ new/postfix-3.8.3/man/man5/postconf.5 2023-11-01 17:32:11.000000000 +0100 
@@ -2388,7 +2388,10 @@ .br .IP "\fB$recipient_delimiter\fR" The address extension delimiter that was found in the recipient -address (Postfix 2.11 and later), or the system\-wide recipient +address (Postfix 2.11 and later), or the 'first' delimiter specified +with the system\-wide recipient address extension delimiter (Postfix +3.5.22, 3.5.12, 3.7.8, 3.8.3 and later). Historically, this was +always the system\-wide recipient address extension delimiter (Postfix 2.10 and earlier). .br .IP "\fB${name?value}\fR" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.8.1/proto/postconf.proto new/postfix-3.8.3/proto/postconf.proto --- old/postfix-3.8.1/proto/postconf.proto 2023-06-05 21:12:17.000000000 +0200 +++ new/postfix-3.8.3/proto/postconf.proto 2023-11-01 00:39:34.000000000 +0100 @@ -1764,7 +1764,10 @@ <dt><b>$recipient_delimiter</b></dt> <dd>The address extension delimiter that was found in the recipient -address (Postfix 2.11 and later), or the system-wide recipient +address (Postfix 2.11 and later), or the 'first' delimiter specified +with the system-wide recipient address extension delimiter (Postfix +3.5.22, 3.5.12, 3.7.8, 3.8.3 and later). Historically, this was +always the system-wide recipient address extension delimiter (Postfix 2.10 and earlier). </dd> <dt><b>${name?value}</b></dt> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.8.1/src/dns/dns_lookup.c new/postfix-3.8.3/src/dns/dns_lookup.c --- old/postfix-3.8.1/src/dns/dns_lookup.c 2023-02-10 21:45:53.000000000 +0100 +++ new/postfix-3.8.3/src/dns/dns_lookup.c 2023-08-31 20:57:22.000000000 +0200 @@ -710,7 +710,7 @@ if (valid_hostaddr(name, DONT_GRIPE)) { result = PASS_NAME; gripe = "numeric domain name"; - } else if (!valid_hostname(name, DO_GRIPE)) { + } else if (!valid_hostname(name, DO_GRIPE | DO_WILDCARD)) { result = REJECT_NAME; gripe = "malformed domain name"; } else { 
@@ -1045,7 +1045,7 @@ /* * The Linux resolver misbehaves when given an invalid domain name. */ - if (strcmp(name, ".") && !valid_hostname(name, DONT_GRIPE)) { + if (strcmp(name, ".") && !valid_hostname(name, DONT_GRIPE | DO_WILDCARD)) { if (why) vstring_sprintf(why, "Name service error for %s: invalid host or domain name", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.8.1/src/global/mail_version.h new/postfix-3.8.3/src/global/mail_version.h --- old/postfix-3.8.1/src/global/mail_version.h 2023-06-05 21:14:35.000000000 +0200 +++ new/postfix-3.8.3/src/global/mail_version.h 2023-11-01 18:03:36.000000000 +0100 @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20230605" -#define MAIL_VERSION_NUMBER "3.8.1" +#define MAIL_RELEASE_DATE "20231101" +#define MAIL_VERSION_NUMBER "3.8.3" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.8.1/src/local/local_expand.c new/postfix-3.8.3/src/local/local_expand.c --- old/postfix-3.8.1/src/local/local_expand.c 2014-12-07 02:35:33.000000000 +0100 +++ new/postfix-3.8.3/src/local/local_expand.c 2023-10-26 22:31:24.000000000 +0200 @@ -138,6 +138,8 @@ } else if (STREQ(name, "recipient_delimiter")) { rcpt_delim[0] = local->state->msg_attr.local[strlen(local->state->msg_attr.user)]; + if (rcpt_delim[0] == 0) + rcpt_delim[0] = var_rcpt_delim[0]; rcpt_delim[1] = 0; return (rcpt_delim[0] ? rcpt_delim : 0); #if 0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.8.1/src/smtp/smtp.h new/postfix-3.8.3/src/smtp/smtp.h --- old/postfix-3.8.1/src/smtp/smtp.h 2023-04-16 23:17:01.000000000 +0200 +++ new/postfix-3.8.3/src/smtp/smtp.h 2023-08-31 20:46:21.000000000 +0200 
@@ -504,17 +504,19 @@ (session->state->request->msg_stats.active_arrival.tv_sec - \ session->state->request->msg_stats.incoming_arrival.tv_sec) +#define TRACE_REQ_ONLY (DEL_REQ_TRACE_ONLY(state->request->flags)) + #define PLAINTEXT_FALLBACK_OK_AFTER_STARTTLS_FAILURE \ (session->tls_context == 0 \ && state->tls->level == TLS_LEV_MAY \ - && PREACTIVE_DELAY >= var_min_backoff_time \ + && (TRACE_REQ_ONLY || PREACTIVE_DELAY >= var_min_backoff_time) \ && !HAVE_SASL_CREDENTIALS) #define PLAINTEXT_FALLBACK_OK_AFTER_TLS_SESSION_FAILURE \ (session->tls_context != 0 \ && SMTP_RCPT_LEFT(state) > SMTP_RCPT_MARK_COUNT(state) \ && state->tls->level == TLS_LEV_MAY \ - && PREACTIVE_DELAY >= var_min_backoff_time \ + && (TRACE_REQ_ONLY || PREACTIVE_DELAY >= var_min_backoff_time) \ && !HAVE_SASL_CREDENTIALS) /* diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.8.1/src/smtpd/smtpd.c new/postfix-3.8.3/src/smtpd/smtpd.c --- old/postfix-3.8.1/src/smtpd/smtpd.c 2023-06-05 21:06:51.000000000 +0200 +++ new/postfix-3.8.3/src/smtpd/smtpd.c 2023-10-27 00:41:32.000000000 +0200 
@@ -5198,15 +5198,16 @@ if (requirecert && TLS_CERT_IS_TRUSTED(state->tls_context) == 0) { /* - * Fetch and reject the next command (should be EHLO), then - * disconnect (side-effect of returning "421 ...". + * In non-wrappermode, fetch the next command (should be EHLO). Reply + * with 421, then disconnect (as a side-effect of replying with 421). */ cert_present = TLS_CERT_IS_PRESENT(state->tls_context); msg_info("NOQUEUE: abort: TLS from %s: %s", state->namaddr, cert_present ? "Client certificate not trusted" : "No client certificate presented"); - smtpd_chat_query(state); + if (var_smtpd_tls_wrappermode == 0) + smtpd_chat_query(state); smtpd_chat_reply(state, "421 4.7.1 %s Error: %s", var_myhostname, cert_present ? "Client certificate not trusted" : diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.8.1/src/smtpd/smtpd_sasl_glue.c new/postfix-3.8.3/src/smtpd/smtpd_sasl_glue.c --- old/postfix-3.8.1/src/smtpd/smtpd_sasl_glue.c 2020-08-30 23:03:46.000000000 +0200 +++ new/postfix-3.8.3/src/smtpd/smtpd_sasl_glue.c 2023-10-31 00:16:11.000000000 +0100 
@@ -340,9 +340,11 @@ } } if (status != XSASL_AUTH_DONE) { - msg_warn("%s: SASL %s authentication failed: %s", - state->namaddr, sasl_method, - STR(state->sasl_reply)); + sasl_username = xsasl_server_get_username(state->sasl_server); + msg_warn("%s: SASL %.100s authentication failed: %s, sasl_username=%.100s", + state->namaddr, sasl_method, *STR(state->sasl_reply) ? + STR(state->sasl_reply) : "(reason unavailable)", + sasl_username ? sasl_username : "(unavailable)"); /* RFC 4954 Section 6. */ if (status == XSASL_AUTH_TEMP) smtpd_chat_reply(state, "454 4.7.0 Temporary authentication failure: %s", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.8.1/src/util/valid_hostname.c new/postfix-3.8.3/src/util/valid_hostname.c --- old/postfix-3.8.1/src/util/valid_hostname.c 2015-01-29 13:16:48.000000000 +0100 +++ new/postfix-3.8.3/src/util/valid_hostname.c 2023-08-31 20:54:01.000000000 +0200 @@ -83,7 +83,7 @@ /* valid_hostname - screen out bad hostnames */ -int valid_hostname(const char *name, int gripe) +int valid_hostname(const char *name, int flags) { const char *myname = "valid_hostname"; const char *cp; @@ -91,6 +91,7 @@ int label_count = 0; int non_numeric = 0; int ch; + int gripe = flags & DO_GRIPE; /* * Trivial cases first. 
@@ -116,6 +117,15 @@ } if (!ISDIGIT(ch)) non_numeric = 1; + } else if ((flags & DO_WILDCARD) && ch == '*') { + if (label_length || label_count || (cp[1] && cp[1] != '.')) { + if (gripe) + msg_warn("%s: '*' can be the first label only: %.100s", myname, name); + return (0); + } + label_count++; + label_length++; + non_numeric = 1; } else if (ch == '.') { if (label_length == 0 || cp[1] == 0) { if (gripe) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.8.1/src/util/valid_hostname.h new/postfix-3.8.3/src/util/valid_hostname.h --- old/postfix-3.8.1/src/util/valid_hostname.h 2012-06-15 21:17:32.000000000 +0200 +++ new/postfix-3.8.3/src/util/valid_hostname.h 2023-08-31 20:54:01.000000000 +0200 @@ -18,6 +18,8 @@ #define DONT_GRIPE 0 #define DO_GRIPE 1 +#define DONT_WILDCARD 0 +#define DO_WILDCARD (1<<1) extern int valid_hostname(const char *, int); extern int valid_hostaddr(const char *, int); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.8.1/src/xsasl/xsasl_cyrus_server.c new/postfix-3.8.3/src/xsasl/xsasl_cyrus_server.c --- old/postfix-3.8.1/src/xsasl/xsasl_cyrus_server.c 2016-06-26 02:45:17.000000000 +0200 +++ new/postfix-3.8.3/src/xsasl/xsasl_cyrus_server.c 2023-10-31 00:16:11.000000000 +0100 
@@ -625,16 +625,15 @@ /* * XXX Do not free(serverout). */ + if (server->username) + myfree(server->username); sasl_status = sasl_getprop(server->sasl_conn, SASL_USERNAME, &serverout); if (sasl_status != SASL_OK || serverout == 0) { - msg_warn("%s: sasl_getprop SASL_USERNAME botch: %s", - myname, xsasl_cyrus_strerror(sasl_status)); - return (0); + server->username = 0; + } else { + server->username = mystrdup(serverout); + printable(server->username, '?'); } - if (server->username) - myfree(server->username); - server->username = mystrdup(serverout); - printable(server->username, '?'); return (server->username); } ++++++ postfix-SUSE.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-SUSE/config.postfix new/postfix-SUSE/config.postfix --- old/postfix-SUSE/config.postfix 2023-07-06 13:45:44.446089671 +0200 +++ new/postfix-SUSE/config.postfix 2023-09-18 14:39:38.192120920 +0200 @@ -1377,7 +1377,8 @@ cp /etc/postfix/${1} "@conf_backup_dir@/${1}$B" cp /etc/postfix/${1} "@conf_backup_dir@/${1}" eval gen_${1/\./_} > $TMPFILE - mv -Z $TMPFILE /etc/postfix/${1}; + cp --no-preserve=mode,ownership $TMPFILE /etc/postfix/${1}; + rm -f $TMPFILE shift done } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-SUSE/update_postmaps.systemd new/postfix-SUSE/update_postmaps.systemd --- old/postfix-SUSE/update_postmaps.systemd 2022-03-14 10:51:56.032331082 +0100 +++ new/postfix-SUSE/update_postmaps.systemd 2023-10-23 09:43:04.761843274 +0200 @@ -11,7 +11,7 @@ test -f /etc/sysconfig/postfix && . /etc/sysconfig/postfix if [ -n "${POSTFIX_UPDATE_MAPS/[yY][Ee][Ss]/}" ]; then - return + exit fi # find extension based on default database type case $(postconf default_database_type) in @@ -22,8 +22,8 @@ e="lmdb" ;; *) - # not supported - return + echo "Not supported database" + exit 1 ;; esac # Update the postmaps
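Review bot: the version list in the $recipient_delimiter text of proto/postconf.proto (hunk @@ -1764,7 +1764,10 @@, repeated in html/postconf.5.html and man/man5/postconf.5) reads "3.5.22, 3.5.12, 3.7.8, 3.8.3", which names the 3.5 branch twice and skips 3.6; this looks like a typo and should be checked against the releases that actually carry the fix. The text also does not say what happens when no system-wide delimiter is configured: per the local_expand.c hunk, rcpt_delim[0] then stays 0 and the expression still expands to nothing, which deserves one sentence here.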
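Review bot: in src/dns/dns_lookup.c both call sites (hunks @@ -710,7 +710,7 @@ and @@ -1045,7 +1045,7 @@) now pass DO_WILDCARD unconditionally, so a leading "*" label is accepted in every lookup request and every reply name regardless of record type. HISTORY motivates the change with CNAME, A and TLSA examples only; a comment at each call site stating that wildcard owner names are deliberately allowed for all types, and that code consuming these names must not assume they are plain hostnames, would make the widened validation explicit.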
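Review bot: in src/smtp/smtp.h (hunk @@ -504,17 +504,19 @@) the new TRACE_REQ_ONLY macro is added without a comment, and both PLAINTEXT_FALLBACK_OK_* macros now skip the `PREACTIVE_DELAY >= var_min_backoff_time` condition whenever it is true. Because this relaxes when a TLS_LEV_MAY session may fall back to plaintext, the macro should carry a comment explaining why the minimum time-in-queue does not apply to trace-only requests (HISTORY 20230815 speaks of probe messages). TRACE_REQ_ONLY also reads `state->request` while the adjacent PREACTIVE_DELAY reads `session->state->request`; using one form would make it obvious that both refer to the same request.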
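Review bot: in src/smtpd/smtpd.c (hunk @@ -5198,15 +5198,16 @@) the rewritten comment describes only the non-wrappermode path, while the functional change is the new `if (var_smtpd_tls_wrappermode == 0)` guard around smtpd_chat_query(). Add a sentence for the wrappermode case, namely that the server replies with 421 immediately without reading a command, so the comment covers both branches of the code it sits above.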
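Review bot: in src/smtpd/smtpd_sasl_glue.c (hunk @@ -340,9 +340,11 @@) the new msg_warn() bounds the method and the username with %.100s but still logs the failure reason with an unbounded %s; cap it the same way. The username is client-supplied and is now written to the log on every failed attempt, and the only printable() sanitization visible in this patch is in xsasl_cyrus_server.c, so either sanitize at this call site or confirm that every xsasl_server_get_username() backend does it. Operators should also expect mistyped credentials to appear in the sasl_username field, which is worth a note in the release documentation about log access.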
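Review bot: in src/util/valid_hostname.c (hunk @@ -116,6 +117,15 @@) the '*' branch rejects only when `cp[1] && cp[1] != '.'`, so with DO_WILDCARD a name that consists of a single "*" passes this branch. HISTORY describes the accepted form as "*.name"; if a bare "*" is not meant to be valid, require `cp[1] == '.'` here, and otherwise state in a comment that it is allowed. The function's header documentation should also describe the renamed flags argument and the DO_WILDCARD bit.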
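Review bot: src/util/valid_hostname.h (hunk @@ -18,6 +18,8 @@) turns the second argument of valid_hostname() from a boolean into a bit mask (`DO_GRIPE 1`, `DO_WILDCARD (1<<1)`), and valid_hostname.c now derives gripe as `flags & DO_GRIPE`. A caller that passes a truth value other than DONT_GRIPE or DO_GRIPE would silently change behaviour: a value with bit 1 set enables wildcards, and an even non-zero value stops the warnings. The callers not touched by this patch should be audited, and writing DO_GRIPE as (1<<0) would make the bit-mask intent visible.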
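Review bot: in src/xsasl/xsasl_cyrus_server.c (hunk @@ -625,16 +625,15 @@) the "sasl_getprop SASL_USERNAME botch" warning is removed, so a sasl_getprop() failure now returns 0 silently on every path, including after a successful authentication where a missing username is unexpected. The cached server->username is also freed before the sasl_getprop() call, so a failed lookup now discards a previously stored name instead of leaving it in place. If silence is wanted only for the failed-authentication logging path, keep the warning for the other callers, or document at the function header that 0 is a normal return value.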
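Review bot: in postfix-SUSE/config.postfix (hunk @@ -1377,7 +1377,8 @@) the replacement for `mv -Z` runs `rm -f $TMPFILE` whether or not the cp succeeded, so a failed copy deletes the newly generated file; chain the two as `cp ... && rm -f ...` or check the exit status. cp also rewrites /etc/postfix/${1} in place instead of renaming over it, so a reader can see a partially written file during the copy, and the SELinux relabel that -Z requested is gone; if both are accepted costs of fixing bsc#1215372, say so in a comment. $TMPFILE and ${1} should be quoted.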
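Review bot: in postfix-SUSE/update_postmaps.systemd (hunk @@ -22,8 +22,8 @@) the new `echo "Not supported database"` writes to stdout and does not name the value returned by `postconf default_database_type`; send it to stderr and include the type so the failure can be diagnosed from the service log. In the preceding hunk the bare `exit` has no status and therefore returns the status of the test before it; an explicit `exit 0` would make the intended success result clear.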
