Hi all,

I have locally prepared a backport of the postfix package backporting bookworm-backports, as I still have a machine running on bookworm where I would like to use the 3.10 branch with the latest possible fixes.

Below you can find two (git) diffs between my changes and the version previously available in trixie and bookworm-backports, respectively; only changes to the debian/ directory are included. In short: I just merged the changes from trixie while keeping the changes from backports, and haven't added any particular new change myself.

Should I go ahead and upload it, even if I am not the maintainer of the package?

Bye :)



   $ git diff dgit/dgit/trixie -- debian/
   diff --git a/debian/changelog b/debian/changelog
   index a84c16b9..8a13f8a2 100644
   --- a/debian/changelog
   +++ b/debian/changelog
   @@ -1,3 +1,9 @@
   +postfix (3.10.5-1~deb13u1~bpo12+1) bookworm-backports; urgency=medium
   +
   +  * Rebuild for bookworm-backports.
   +
   + -- Andrea Pappacoda <[email protected]>  Sun, 25 Jan 2026 12:46:56 +0100
   +
    postfix (3.10.5-1~deb13u1) trixie; urgency=medium
* new upstream stable/bugfix 3.10.5 release, with multiple fixes.
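
Review bot: The new top entry for 3.10.5-1~deb13u1~bpo12+1 says only "Rebuild for bookworm-backports.", yet this upload still carries the tlsrpt removal shown in the debian/control and debian/rules hunks. Repeat the "disable tlsrpt (not available on bookworm)" line from the 3.10.3-2~bpo12+1 entry so the delta against trixie is recorded in the entry people will actually read.
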
   @@ -108,6 +114,13 @@ postfix (3.10.4-1~deb13u1) trixie; urgency=medium
-- Michael Tokarev <[email protected]> Fri, 22 Aug 2025 09:51:46 +0300 +postfix (3.10.3-2~bpo12+1) bookworm-backports; urgency=medium
   +
   +  * Rebuild for bookworm-backports:
   +    disable tlsrpt (not available on bookworm)
   +
   + -- Michael Tokarev <[email protected]>  Fri, 18 Jul 2025 21:26:06 +0300
   +
    postfix (3.10.3-2) unstable; urgency=medium
* d/changelog: fix wrongly formatted previous changelog entry (double email)
   diff --git a/debian/control b/debian/control
   index 379efe58..383e9c44 100644
   --- a/debian/control
   +++ b/debian/control
   @@ -22,7 +22,7 @@ Build-Depends: debhelper-compat (= 13),
                   libnsl-dev | libc6-dev (<<2.37-15.1),
                   libpcre2-dev,
                   libpq-dev,
   -               libtlsrpt0-dev,
   +#bpo               libtlsrpt0-dev,
                   libsasl2-dev,
                   libsqlite3-dev,
                   libssl-dev,
   diff --git a/debian/rules b/debian/rules
   index 74bc8131..d6fd4ca1 100755
   --- a/debian/rules
   +++ b/debian/rules
   @@ -86,8 +86,8 @@ CCARGS += -DHAS_MONGODB \
    CONFARGS += AUXLIBS_MONGODB="-lmongoc-1.0 -lbson-1.0"
    endif
-CCARGS += -DUSE_TLSRPT
   -AUXLIBS += -ltlsrpt
   +#bpo CCARGS += -DUSE_TLSRPT
   +#bpo AUXLIBS += -ltlsrpt
%:
        dh $@



   $ git diff dgit/dgit/bookworm-backports -- debian/
diff --git a/debian/changelog b/debian/changelog
   index 38ca1ab9..8a13f8a2 100644
   --- a/debian/changelog
   +++ b/debian/changelog
   @@ -1,3 +1,119 @@
   +postfix (3.10.5-1~deb13u1~bpo12+1) bookworm-backports; urgency=medium
   +
   +  * Rebuild for bookworm-backports.
   +
   + -- Andrea Pappacoda <[email protected]>  Sun, 25 Jan 2026 12:46:56 +0100
   +
   +postfix (3.10.5-1~deb13u1) trixie; urgency=medium
   +
   +  * new upstream stable/bugfix 3.10.5 release, with multiple fixes.
   +    From the upstream release notes:
   +  - Workaround for an interface mis-match between the Postfix SMTP client
   +    and MTA-STS policy plugins.
   +     * The existing behavior is to connect to any MX host listed in DNS, and
   +       to match the server certificate against any STS policy MX host 
pattern.
   +     * The corrected behavior is to connect to an MX host only if its
   +       name matches any STS policy MX host pattern, and to match the server
   +       certificate against the MX hostname.
   +    The corrected behavior must be enabled in two places: in Postfix with a
   +    new parameter "smtp_tls_enforce_sts_mx_patterns" (default: "yes") and in
   +    an MTA-STS plugin by enabling TLSRPT support, so that the plugin 
forwards
   +    STS policy attributes to Postfix. This works even if Postfix TLSRPT
   +    support is disabled at build time or at runtime.
   +  - TLSRPT Workaround: when a TLSRPT policy-type value is "no-policy-found",
   +    pretend that the TLSRPT policy domain value is equal to the recipient
   +    domain. This ignores that different policy types (TLSA, STS) use 
different
   +    policy domains.  But this is what Microsoft does, and therefore,
   +    what other tools expect.
   +  - Bugfix (defect introduced: Postfix 3.0): the Postfix SMTP client's
   +    connection reuse logic did not distinguish between sessions that
   +    require SMTPUTF8 support, and sessions that do not. The solution is
   +     1) to store sessions with different SMTPUTF8 requirements
   +        under distinct connection cache storage keys, and
   +     2) to not cache a connection when SMTPUTF8 is required
   +        but the server does not support that feature
   +  - Bugfix (defect introduced: Postfix 3.0, date 20140731):
   +    the smtpd 'disconnect' command statistics did not count commands
   +    with "bad syntax" and "bad UTF-8 syntax" errors
   +  - Postfix 3.11 forward compatibility: to avoid ugly warnings when
   +    Postfix 3.11 is rolled back to an older version, allow a preliminary
   +    'size' record in maildrop queue files created with Postfix 3.11 or later
   +  - Bugfix (defect introduced: Postfix 3.8, date 20220128):
   +    non-reproducible build, because the 'postconf -e' output order
   +    for new main.cf entries was no longer deterministic
   +  - To make builds predictable, add missing meta_directory and
   +    shlib_directory settings to the stock main.cf file
   +  - Bugfix (defect introduced: Postfix 3.9, date 20230517):
   +    posttls-finger(1) logged an incorrectly-formatted port number
   +  * debian/patches/debian-defaults.patch: refresh, update for 2 new
   +    parameters (with defaults) in main.cf, and make it with less context
   +  * configure-instance.in: fix typo which caused recreating
   +    cadir in chroot and excessive logging (Closes: #1115412)
   +
   + -- Michael Tokarev <[email protected]>  Tue, 28 Oct 2025 13:24:35 +0300
   +
   +postfix (3.10.4-1~deb13u1) trixie; urgency=medium
   +
   +  * New upstream stable/bugfix version 3.10.4, with a handful of fixes.
   +    From the upstream release notes:
   +    - Fixes for postscreen(8):
   +      * Bugfix (defect introduced: Postfix 2.2, date 20050203): after
   +        detecting a lookup table change, and after starting a new
   +        postscreen process, the old postscreen process logged an ENOTSOCK
   +        error while attempting to accept a connection on a socket that
   +        it was no longer listening on. This error was introduced first
   +        in the multi_server skeleton code, and was five years later
   +        duplicated in the event_server skeleton that was created for
   +        postscreen. Problem reported by Florian Piekert.
   +      * Bugfix (defect introduced: Postfix 2.8, date 20101230):
   +        after detecting a cache table change and before starting a new
   +        postscreen process, the old postscreen process did not close the
   +        postscreen_cache_map, and therefore kept an exclusive lock that
   +        could prevent a new postscreen process from starting. Problem
   +        reported by Florian Piekert.
   +    - Fixes for tlsproxy(8):
   +      * Bugfix (defect introduced: Postfix 3.7): incorrect backwards
   +        compatible support for the legacy configuration parameters
   +        tlsproxy_client_level and tlsproxy_client_policy. This
   +        disabled the tlsproxy TLS client role when a legacy parameter
   +        was set (instead of the newer tlsproxy_client_security_level
   +        or tlsproxy_client_policy_maps). Reported by John Doe,
   +        diagnosed by Viktor Dukhovni.
   +      * Bugfix (defect introduced: Postfix 3.4): with the TLS client role
   +        disabled by configuration, the tlsproxy daemon dereferenced a
   +        null pointer while handling a tlsproxy client request. Reported by
   +        John Doe.
   +    - Reducing process churn: Postfix daemons no longer automatically
   +      restart after a btree:, dbm:, hash:, lmdb:, or sdbm: table file
   +      modification time change, when they opened that table for writing.
   +    - Portability: deleted an <openssl/engine.h> build dependency,
   +      because the feature is being removed from OpenSSL, and Postfix
   +      no longer needs it.
   +    - Cleanup: with "tls_required_enable = yes", the Postfix SMTP client
   +      will no longer maintain TLSRPT statistics for messages that contain
   +      a "TLS-Required: no" header. This can prevent TLSRPT notifications
   +      for TLSRPT notifications.
   +    - Bugfix (defect introduced: Postfix 3.6, date 20200710): Postfix TLS
   +      client code logged "Untrusted TLS connection" (wrong) instead of
   +      "Trusted TLS connection" (right), for a new or resumed TLS session,
   +      when a server offered a trusted (valid PKI trust chain) certificate
   +      that did not match the expected server name pattern. Fix by Viktor
   +      Dukhovni.
   +  * d/gbp.conf: debian-branch=debian/trixie
   +  * configure-instance.in: fix typo
   +  * configure-instance.in: limit maxdepth=1 in /etc/ssl/certs dirs
   +  * configure-instance.in: use home-grown file copy procedure to sync chroot
   +    There are a few issues with using cp(1) to update files in chroot, -
   +    a file should be copied even if the source date is *less* than the
   +    target date (eg, if a package has been downgraded), which is not done
   +    by `cp -u` (#1110704), a file should be copied atomically (copy+rename,
   +    not truncate+copy), and care should be taken with extra attributes
   +    (#1100100).  Use a simple perl-based script (using just perl-base)
   +    to update files instead, which fixes all this stuff.
   +    (Closes: #1100100, #1110704)
   +
   + -- Michael Tokarev <[email protected]>  Fri, 22 Aug 2025 09:51:46 +0300
   +
    postfix (3.10.3-2~bpo12+1) bookworm-backports; urgency=medium
* Rebuild for bookworm-backports:
   diff --git a/debian/configure-instance.in b/debian/configure-instance.in
   index e7dda123..b990ef3c 100644
   --- a/debian/configure-instance.in
   +++ b/debian/configure-instance.in
   @@ -88,7 +88,7 @@ do
        [ -f /$file ] && cp="$cp /$file" || rm="$rm ./$file"
    done
    [ -n "$rm" ] && rm -f $rm
   -[ -n "$cp" ] && cp -pLuf --parents -t . -- $cp
   +[ -n "$cp" ] && /usr/lib/postfix/syncfiles.pl $queue_directory $cp
if [ -z "$need_chroot" ]; then
        [ ! -d etc/ssl/certs ] || rm -rf etc/ssl/certs
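
Review bot: The replacement for the cp call hard-codes /usr/lib/postfix/syncfiles.pl, while debian/rules installs the script into ${base}${prvlibdir}/. If those can ever differ, substitute the path at build time the way @MULTIARCH@ already is. Error handling also changes: syncfiles.pl dies on the first source it cannot open or that is not a regular file, so one bad entry in $cp stops the rest of the list from being synced. $queue_directory is passed unquoted and would be split if it contained whitespace.
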
   @@ -135,7 +135,7 @@ do
        (/*) [ -d $cadir ] || continue;;
        (*) continue;;
        esac
   -    case "$cadis_copied " in
   +    case "$cadirs_copied " in
        (*" $cadir "*) continue ;;
        esac
        cadirs_copied="$cadirs_copied $cadir"
   @@ -155,14 +155,11 @@ do
                -o -delete \
            \) | while read file; do
                # ..and remove files which don't exist in source anymore
   -            [ -f "$caddr/$file" ] || rm -f "$file"
   +            [ -f "$cadir/$file" ] || rm -f "$file"
            done
        ) fi
   -    mkdir -p $dest
   -    ( cd $cadir
   -    find -L . -name '[0-9a-f]*.[0-9]' -type f \
   -        -exec cp -pLuf -t $dest '{}' +
   -    )
   +    find -L $cadir -maxdepth 1 -name '[0-9a-f]*.[0-9]' -type f \
   +        -exec /usr/lib/postfix/syncfiles.pl $queue_directory '{}' +
    done
mkdir -p usr/lib/sasl2 # https://bugs.debian.org/426338
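
Review bot: With `mkdir -p $dest` removed, the destination directory is only created as a side effect of syncfiles.pl making parent directories for a file it copies, so a $cadir with no matching hash-named files leaves no directory in the chroot. Check that nothing after this loop expects it to exist. In the new find line, $cadir and $queue_directory are unquoted, unlike "$cadir/$file" in the corrected test a few lines above.
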
   diff --git a/debian/gbp.conf b/debian/gbp.conf
   index cb4846f4..a3d3f591 100644
   --- a/debian/gbp.conf
   +++ b/debian/gbp.conf
   @@ -2,6 +2,6 @@
    sign-tags = True
    pristine-tar = True
    upstream-branch = stable/v3.10
   -debian-branch = debian/master
   +debian-branch = debian/trixie
    debian-tag = v%(version)s
    upstream-tag = v%(version)s
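
Review bot: debian-branch now reads debian/trixie, which comes from the trixie merge rather than from anything specific to the backport. gbp buildpackage compares the checked-out branch against this value, so on a backports branch either set it to that branch's name or expect to need --git-ignore-branch.
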
   diff --git a/debian/patches/debian-defaults.patch 
b/debian/patches/debian-defaults.patch
   index dedabf8e..5736733d 100644
   --- a/debian/patches/debian-defaults.patch
   +++ b/debian/patches/debian-defaults.patch
   @@ -1,6 +1,7 @@
    From: Michael Tokarev <[email protected]>
    Subject: Debian-specific defaults for main.cf and master.cf
    Date: Thu, 19 Dec 2024 22:37:11 +0300
   +Updated: Tue, 28 Oct 2025 10:01:59 +0300
    Forwarded: not-needed
Change a few parameters to match Debian defaults.
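
Review bot: The added `Updated:` header is not a DEP-3 field. DEP-3 uses `Last-Update:` with a YYYY-MM-DD date, so tools that read patch headers will ignore this line. Rename it if the date is meant to be machine-readable.
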
   @@ -8,42 +9,32 @@ Change a few parameters to match Debian defaults.
    diff --git a/conf/main.cf b/conf/main.cf
    --- a/conf/main.cf
    +++ b/conf/main.cf
   -@@ -52,10 +52,10 @@ compatibility_level = 3.9
   - # environments on different UNIX systems.
   +@@ -53,3 +53,3 @@ compatibility_level = 3.10
     #
    -queue_directory = /var/spool/postfix
    +#queue_directory = /var/spool/postfix
- # The command_directory parameter specifies the location of all
   - # postXXX commands.
   +@@ -58,3 +58,3 @@ queue_directory = /var/spool/postfix
     #
    -command_directory = /usr/sbin
    +#command_directory = /usr/sbin
- # The daemon_directory parameter specifies the location of all Postfix
   -@@ -63,5 +63,5 @@ command_directory = /usr/sbin
   - # directory must be owned by root.
   +@@ -64,3 +64,3 @@ command_directory = /usr/sbin
     #
    -daemon_directory = /usr/libexec/postfix
    +#daemon_directory = /usr/lib/postfix/sbin
- # The data_directory parameter specifies the location of Postfix-writable
   -@@ -69,5 +69,5 @@ daemon_directory = /usr/libexec/postfix
   - # by the mail_owner account (see below).
   +@@ -70,3 +70,3 @@ daemon_directory = /usr/libexec/postfix
     #
    -data_directory = /var/lib/postfix
    +#data_directory = /var/lib/postfix
- # QUEUE AND PROCESS OWNERSHIP
   -@@ -80,5 +80,5 @@ data_directory = /var/lib/postfix
   - # USER.
   +@@ -81,3 +81,3 @@ data_directory = /var/lib/postfix
     #
    -mail_owner = postfix
    +#mail_owner = postfix
- # The default_privs parameter specifies the default rights used by
   -@@ -89,4 +89,12 @@ mail_owner = postfix
   - #default_privs = nobody
   +@@ -90,2 +90,10 @@ mail_owner = postfix
+# The Internet protocols Postfix will attempt to use when making or
    +# accepting connections.  Specify one or more of "ipv4" or "ipv6",
   @@ -54,9 +45,7 @@ diff --git a/conf/main.cf b/conf/main.cf
    +inet_protocols = all
    +
     # INTERNET HOST AND DOMAIN NAMES
   - #
   -@@ -119,4 +127,9 @@ mail_owner = postfix
   - # to recipient addresses that have no @domain part.
   +@@ -120,2 +128,7 @@ mail_owner = postfix
     #
    +# Debian specific:  Specifying a file name here will cause the first
    +# line of that file to be used as the name.  The Debian default is
   @@ -64,81 +53,77 @@ diff --git a/conf/main.cf b/conf/main.cf
    +#
    +myorigin = /etc/mailname
     #myorigin = $myhostname
   - #myorigin = $mydomain
   -@@ -469,6 +482,6 @@ unknown_local_recipient_reject_code = 550
   - # ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.
   +@@ -470,4 +483,4 @@ unknown_local_recipient_reject_code = 550
     #
    -#mailbox_command = /some/where/procmail
    -#mailbox_command = /some/where/procmail -a "$EXTENSION"
    +#mailbox_command = /usr/bin/procmail
    +#mailbox_command = /usr/bin/procmail -a "$EXTENSION"
- # The mailbox_transport specifies the optional transport in master.cf
   -@@ -577,4 +590,5 @@ unknown_local_recipient_reject_code = 550
   - #smtpd_banner = $myhostname ESMTP $mail_name
   +@@ -578,2 +591,3 @@ unknown_local_recipient_reject_code = 550
     #smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
    +smtpd_banner = $myhostname ESMTP $mail_name (@DEB_VENDOR@)
- # PARALLEL DELIVERY TO THE SAME DESTINATION
   -@@ -649,15 +663,15 @@ debugger_command =
   - # This is the Sendmail-compatible mail posting interface.
   +@@ -650,3 +664,3 @@ debugger_command =
     #
    -sendmail_path =
    +#sendmail_path = /usr/sbin/sendmail
- # newaliases_path: The full pathname of the Postfix newaliases command.
   - # This is the Sendmail-compatible command to build alias databases.
   +@@ -655,3 +669,3 @@ sendmail_path =
     #
    -newaliases_path =
    +#newaliases_path = /usr/bin/newaliases
- # mailq_path: The full pathname of the Postfix mailq command. This
   - # is the Sendmail-compatible mail queue listing command.
   +@@ -660,3 +674,3 @@ newaliases_path =
     #
    -mailq_path =
    +#mailq_path = /usr/bin/mailq
- # setgid_group: The group for mail submission and queue management
   -@@ -665,21 +679,15 @@ mailq_path =
   - # is not shared with other accounts, not even with the Postfix account.
   +@@ -666,3 +680,3 @@ mailq_path =
     #
    -setgid_group =
    +#setgid_group = postdrop
- # html_directory: The location of the Postfix HTML documentation.
   +@@ -670,3 +684,3 @@ setgid_group =
     #
    -html_directory =
    +#html_directory = /usr/share/doc/postfix/html
- # manpage_directory: The location of the Postfix on-line manual pages.
   +@@ -674,14 +688,15 @@ html_directory =
     #
    -manpage_directory =
   --
   ++#manpage_directory = /usr/share/man
   +
    -# sample_directory: The location of the Postfix sample configuration files.
    -# This parameter is obsolete as of Postfix 2.1.
   --#
   ++# readme_directory: The location of the Postfix README files.
   + #
    -sample_directory =
   -+#manpage_directory = /usr/share/man
   ++#readme_directory = /usr/share/doc/postfix
- # readme_directory: The location of the Postfix README files.
   +-# readme_directory: The location of the Postfix README files.
   ++# shlib_directory: The location of the Postfix dynamically-linked 
libraries.
   ++#
   ++#shlib_directory = /usr/lib/postfix
   ++
   ++# meta_directory: The location of the Postfix non-executable files
   ++# that are shared among all instances.
     #
    -readme_directory =
    -inet_protocols = ipv4
   -+#readme_directory = /usr/share/doc/postfix
   +-shlib_directory = /usr/lib/postfix/${mail_version}
   +-meta_directory = /etc/postfix
   ++#meta_directory = /etc/postfix
    diff --git a/conf/master.cf b/conf/master.cf
    --- a/conf/master.cf
    +++ b/conf/master.cf
   -@@ -94,5 +94,5 @@ postlog   unix-dgram n  -       n       -       1       
postlogd
   - #
   +@@ -99,3 +99,3 @@ postlog   unix-dgram n  -       n       -       1       
postlogd
     #maildrop  unix  -       n       n       -       -       pipe
    -#  flags=DRXhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
    +#  flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
     #
   - # ====================================================================
   -@@ -137,5 +137,5 @@ postlog   unix-dgram n  -       n       -       1       
postlogd
   - #
   +@@ -142,3 +142,3 @@ postlog   unix-dgram n  -       n       -       1       
postlogd
     #bsmtp     unix  -       n       n       -       -       pipe
    -#  flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop 
$recipient
    +#  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -f $sender $nexthop 
$recipient
     #
   - #scalemail-backend unix -       n       n       -       2       pipe
   diff --git a/debian/rules b/debian/rules
   index 8f9aec9c..d6fd4ca1 100755
   --- a/debian/rules
   +++ b/debian/rules
   @@ -239,6 +239,7 @@ override_dh_install-arch:
        sed 's/@MULTIARCH@/${DEB_HOST_MULTIARCH}/' debian/configure-instance.in 
> \
                ${base}${prvlibdir}/configure-instance.sh
        chmod 0755 ${base}${prvlibdir}/configure-instance.sh
   +    install -m0755 debian/syncfiles.pl ${base}${prvlibdir}/
        echo ${package}:Provides=$(if $(filter 
${DEB_VENDOR},Ubuntu),default-mta) \
                >> debian/${package}.substvars
        install -m0644 debian/postfix.ufw.profile -DT 
${base}/etc/ufw/applications.d/postfix
   diff --git a/debian/syncfiles.pl b/debian/syncfiles.pl
   new file mode 100755
   index 00000000..6f300797
   --- /dev/null
   +++ b/debian/syncfiles.pl
   @@ -0,0 +1,67 @@
   +#! /usr/bin/perl -W
   +#
   +# Update a set of files in the given chroot dir.
   +# Decision to update is based on file size and date, -
   +# if any of these don't match, whole file is copied
   +# to a temp file and renamed into place.
   +# In the destination, files are copied with full path.
   +# Only regular files (or symlinks to regular files)
   +# are copied.
   +
   +use strict;
   +use Fcntl qw(O_RDONLY O_WRONLY O_EXCL O_CREAT S_IMODE S_ISREG);
   +use Errno qw(EEXIST ENOENT);
   +
   +my $dest = shift @ARGV;
   +
   +-d "$dest" or die "not a directory: $dest\n";
   +
   +foreach my $snm (@ARGV) {
   +
   +  sysopen SRC, $snm, O_RDONLY
   +    and my @sst = stat SRC
   +      or die "unable to open $snm: $!\n";
   +
   +  my $dnm = "$dest/$snm";
   +  if (my @dst = stat $dnm) {
   +    next if $sst[7] == $dst[7] && $sst[9] == $dst[9];
   +  }
   +
   +  die "$snm: not a regular file\n"
   +    unless S_ISREG($sst[2]);
   +
   +  print "updating $snm => $dnm\n";
   +
   +  my $dtnm = "$dnm.tmp";
   +  unlink "$dtnm";
   +
   +  while (!sysopen DST, $dtnm, O_WRONLY|O_EXCL|O_CREAT, 0600) {
   +    $! == ENOENT or die "unable to create $dtnm: $!\n";
   +    my @c = split /\/+/, $snm;
   +    pop @c; # all but last component
   +    my $dd = $dest;
   +    foreach my $c (@c) {
   +      $dd .= '/' . $c;
   +      unless (mkdir $dd, 0755) {
   +        die "unable to mkdir $dd: $!" unless $! == EEXIST;
   +      }
   +    }
   +  }
   +
   +  my $r;
   +  while($r = sysread(SRC,$_,64*1024)) {
   +    syswrite(DST,$_) or die "error writing to $dtnm: $!\n";
   +  }
   +  $r == 0 or die "error reading from $snm: $!\n";
   +  close SRC;
   +
   +  utime $sst[9], $sst[9], \*DST;
   +  chmod S_IMODE($sst[2]), \*DST;
   +  chown $sst[4], $sst[5], \*DST;
   +
   +  close DST and rename $dtnm, $dnm
   +    or die "error renaming $dtnm to $dnm: $!\n";
   +
   +}
   +
   +exit 0;
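
Review bot: The return values of utime, chmod and chown near the end of the loop are ignored, so if chmod fails the temp file keeps the 0600 mode from sysopen and is still renamed into place, leaving the chroot copy readable only by its owner. Add `or die` to each, as the other calls already have. chmod also runs before chown, and chown can clear setuid/setgid bits, so the usual order is chown first. The `while (!sysopen DST, ...)` retry has no bound: if the open keeps returning ENOENT while every mkdir reports EEXIST (a dangling symlink among the parents, for example), it loops forever, so retry once and then die. `syswrite(DST,$_) or die` also treats a short write as success. Compare its return value with length($_).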
