Hello community, here is the log from the commit of package postfix for openSUSE:Factory checked in at 2019-10-07 13:37:15 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/postfix (Old) and /work/SRC/openSUSE:Factory/.postfix.new.2352 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "postfix" Mon Oct 7 13:37:15 2019 rev:178 rq:733867 version:3.4.7 Changes: -------- --- /work/SRC/openSUSE:Factory/postfix/postfix.changes 2019-09-27 14:43:55.801469726 +0200 +++ /work/SRC/openSUSE:Factory/.postfix.new.2352/postfix.changes 2019-10-07 13:37:18.372959841 +0200 @@ -7,0 +8,27 @@ +Sun Sep 22 16:45:39 UTC 2019 - Michael Ströder <[email protected]> + +- Update to 3.4.7: + * Robustness: the tlsproxy(8) daemon could go into a loop, logging + a flood of error messages. Problem reported by Andreas Schulze + after enabling SMTP/TLS connection reuse. + * Workaround: OpenSSL changed an SSL_Shutdown() non-error result + value into an error result value, causing logfile noise. + * Configuration: the new 'TLS fast shutdown' parameter name was + implemented incorrectly. The documentation said + "tls_fast_shutdown_enable", but the code said "tls_fast_shutdown". + This was fixed by changing the code, because no-one is expected + to override the default. + * Performance: workaround for poor TCP loopback performance on + LINUX, where getsockopt(..., TCP_MAXSEG, ...) reports a bogus + TCP maximal segment size that is 1/2 to 1/3 of the real MSS. + To avoid client-side Nagle delays or server-side delayed ACKs + caused by multiple smaller-than-MSS writes, Postfix chooses a + VSTREAM buffer size that is a small multiple of the reported + bogus MSS. This workaround increases the multiplier from 2x to + 4x. + * Robustness: the Postfix Dovecot client could segfault (null + pointer read) or cause an SMTP server assertion to fail when + talking to a fake Dovecot server. The Postfix Dovecot client + now logs a proper error instead. + +------------------------------------------------------------------- Old: ---- postfix-3.4.6.tar.gz New: ---- postfix-3.4.7.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ postfix.spec ++++++ --- /var/tmp/diff_new_pack.4cswSa/_old 2019-10-07 13:37:19.332957186 +0200 +++ /var/tmp/diff_new_pack.4cswSa/_new 2019-10-07 13:37:19.336957176 +0200 @@ -53,7 +53,7 @@ %bcond_with libnsl %endif Name: postfix -Version: 3.4.6 +Version: 3.4.7 Release: 0 Summary: A fast, secure, and flexible mailer License: IPL-1.0 OR EPL-2.0 ++++++ postfix-3.4.6.tar.gz -> postfix-3.4.7.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.4.6/HISTORY new/postfix-3.4.7/HISTORY --- old/postfix-3.4.6/HISTORY 2019-06-28 01:36:26.000000000 +0200 +++ new/postfix-3.4.7/HISTORY 2019-09-21 17:57:46.000000000 +0200 @@ -24248,3 +24248,48 @@ handshake failure, causing stale numbers to be reported. The command counts are now reset in the function that reports the counts. File: smtpd/smtpd.c. + +20190723 + + Bugfix: the documentation said tls_fast_shutdown_enable, + but the code said tls_fast_shutdown. Viktor Dukhovni. Changed + the code because no-one is expected to override the default. + File: global/mail_params.h. + +20190820 + + Workaround for poor TCP loopback performance on LINUX, where + getsockopt(..., TCP_MAXSEG, ..) reports a TCP maximal segment + size that is 1/2 to 1/3 of the MTU. For example, with kernel + 5.1.16-300.fc30.x86_64 the TCP client and server announce + an mss of 65495 in the TCP handshake, but getsockopt() + returns 32741 (less than half). As a matter of principle, + Postfix won't turn on client-side TCP_NODELAY because that + hides application performance bugs, and because that still + suffers from server-side delayed ACKs. Instead, Postfix + avoids sending "small" writes back-to-back, by choosing a + VSTREAM buffer size that is a multiple of the reported MSS. + This workaround bumps the multiplier from 2x to 4x. File: + util/vstream_tweak.c. + +20190825 + + Bugfix (introduced: 20051222): the Dovecot client could + segfault (null pointer read) or cause an SMTP server assertion + to fail when talking to a fake Dovecot server. The client + now logs a proper error instead. Problem reported by Tim + Düsterhus. File: xsasl/xsasl_dovecot_server.c. + +20190914 + + Bugfix (introduced: Postfix 3.4): don't whitewash OpenSSL + error results after a plaintext output error. The code could + loop, and with some OpenSSL error results could flood the + log with error messages (see below for a specific case). + Problem reported by Andreas Schulze. File: tlsproxy/tlsproxy.c. + + Bitrot: don't invoke SSL_shutdown() when the SSL engine + thinks it is processing a TLS handshake. The commit at + https://github.com/openssl/openssl/commit/64193c8218540499984cd63cda41f3cd491f3f59 + changed the error status, incompatibly, from SSL_ERROR_NONE + into SSL_ERROR_SSL. File: tlsproxy/tlsproxxy.c. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.4.6/src/global/mail_params.h new/postfix-3.4.7/src/global/mail_params.h --- old/postfix-3.4.6/src/global/mail_params.h 2019-06-27 23:38:33.000000000 +0200 +++ new/postfix-3.4.7/src/global/mail_params.h 2019-07-24 00:46:37.000000000 +0200 @@ -3333,7 +3333,7 @@ /* * The default is backwards-incompatible. */ -#define VAR_TLS_FAST_SHUTDOWN "tls_fast_shutdown" +#define VAR_TLS_FAST_SHUTDOWN "tls_fast_shutdown_enable" #define DEF_TLS_FAST_SHUTDOWN 1 extern bool var_tls_fast_shutdown; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.4.6/src/global/mail_version.h new/postfix-3.4.7/src/global/mail_version.h --- old/postfix-3.4.6/src/global/mail_version.h 2019-06-29 15:57:49.000000000 +0200 +++ new/postfix-3.4.7/src/global/mail_version.h 2019-09-21 18:24:58.000000000 +0200 @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20190629" -#define MAIL_VERSION_NUMBER "3.4.6" +#define MAIL_RELEASE_DATE "20190921" +#define MAIL_VERSION_NUMBER "3.4.7" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.4.6/src/tlsproxy/tlsproxy.c new/postfix-3.4.7/src/tlsproxy/tlsproxy.c --- old/postfix-3.4.6/src/tlsproxy/tlsproxy.c 2019-06-29 15:33:40.000000000 +0200 +++ new/postfix-3.4.7/src/tlsproxy/tlsproxy.c 2019-09-15 00:43:05.000000000 +0200 @@ -618,11 +618,11 @@ switch (err) { /* - * No error from SSL_read and SSL_write means that the plaintext - * output buffer is full and that the plaintext input buffer is - * empty. Stop read/write events on the ciphertext stream. Keep the - * timer alive as a safety mechanism for the case that the plaintext - * pseudothreads get stuck. + * No error means a successful SSL_accept/connect/shutdown request or + * sequence of SSL_read/write requests. Disable read/write events on + * the ciphertext stream. Keep the ciphertext stream timer alive as a + * safety mechanism for the case that the plaintext pseudothreads get + * stuck. */ case SSL_ERROR_NONE: if (state->ssl_last_err != SSL_ERROR_NONE) { @@ -676,10 +676,23 @@ default: /* - * Allow buffered-up plaintext output to trickle out. + * Allow buffered-up plaintext output to trickle out. Permanently + * disable read/write activity on the ciphertext stream, so that this + * function will no longer be called. Keep the ciphertext stream + * timer alive as a safety mechanism for the case that the plaintext + * pseudothreads get stuck. Return into tlsp_strategy(), which will + * enable plaintext write events. */ - if (state->plaintext_buf && NBBIO_WRITE_PEND(state->plaintext_buf)) +#define TLSP_CAN_TRICKLE_OUT_PLAINTEXT(buf) \ + ((buf) && !NBBIO_ERROR_FLAGS(buf) && NBBIO_WRITE_PEND(buf)) + + if (TLSP_CAN_TRICKLE_OUT_PLAINTEXT(state->plaintext_buf)) { + event_disable_readwrite(ciphertext_fd); + event_request_timer(tlsp_ciphertext_event, (void *) state, + state->timeout); + state->flags |= TLSP_FLAG_NO_MORE_CIPHERTEXT_IO; return (TLSP_STAT_OK); + } tlsp_state_free(state); return (TLSP_STAT_ERR); } @@ -750,6 +763,18 @@ int handshake_err; /* + * This function is called after every ciphertext or plaintext event, to + * schedule new ciphertext or plaintext I/O. + */ + + /* + * Try to make an SSL I/O request. If this fails with SSL_ERROR_WANT_READ + * or SSL_ERROR_WANT_WRITE, enable ciphertext read or write events, and + * retry the SSL I/O request in a later tlsp_strategy() call. + */ + if ((state->flags & TLSP_FLAG_NO_MORE_CIPHERTEXT_IO) == 0) { + + /* * Do not enable plain-text I/O before completing the TLS handshake. * Otherwise the remote peer can prepend plaintext to the optional * TLS_SESS_STATE object. @@ -784,9 +809,8 @@ if (NBBIO_ERROR_FLAGS(plaintext_buf)) { if (NBBIO_ACTIVE_FLAGS(plaintext_buf)) nbbio_disable_readwrite(state->plaintext_buf); - ssl_stat = SSL_shutdown(tls_context->con); - /* XXX Wait for return value 1 if sessions are to be reused? */ - if (ssl_stat < 0) { + if (!SSL_in_init(tls_context->con) + && (ssl_stat = SSL_shutdown(tls_context->con)) < 0) { handshake_err = SSL_get_error(tls_context->con, ssl_stat); tlsp_eval_tls_error(state, handshake_err); /* At this point, state could be a dangling pointer. */ @@ -862,6 +886,19 @@ ssl_write_err : ssl_read_err) < 0) /* At this point, state is a dangling pointer. */ return; + } + + /* + * Destroy state when the ciphertext I/O was permanently disbled and we + * can no longer trickle out plaintext. + */ + else { + plaintext_buf = state->plaintext_buf; + if (!TLSP_CAN_TRICKLE_OUT_PLAINTEXT(plaintext_buf)) { + tlsp_state_free(state); + return; + } + } /* * Try to enable/disable plaintext read/write events. Basically, if we diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.4.6/src/tlsproxy/tlsproxy.h new/postfix-3.4.7/src/tlsproxy/tlsproxy.h --- old/postfix-3.4.6/src/tlsproxy/tlsproxy.h 2019-02-08 23:22:24.000000000 +0100 +++ new/postfix-3.4.7/src/tlsproxy/tlsproxy.h 2019-09-15 00:43:05.000000000 +0200 @@ -47,6 +47,7 @@ } TLSP_STATE; #define TLSP_FLAG_DO_HANDSHAKE (1<<0) +#define TLSP_FLAG_NO_MORE_CIPHERTEXT_IO (1<<1) /* overrides DO_HANDSHAKE */ extern TLSP_STATE *tlsp_state_create(const char *, VSTREAM *); extern void tlsp_state_free(TLSP_STATE *); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.4.6/src/util/vstream_tweak.c new/postfix-3.4.7/src/util/vstream_tweak.c --- old/postfix-3.4.6/src/util/vstream_tweak.c 2014-12-25 17:47:17.000000000 +0100 +++ new/postfix-3.4.7/src/util/vstream_tweak.c 2019-09-08 16:36:14.000000000 +0200 @@ -124,12 +124,20 @@ * stream buffer size to less than VSTREAM_BUFSIZE, when the request is * made before the first stream read or write operation. We don't want to * reduce the buffer size. + * + * As of 20190820 we increase the mss size multipler from 2x to 4x, because + * some LINUX loopback TCP stacks report an MSS of 21845 which is 3x + * smaller than the MTU of 65536. Even with a VSTREAM buffer 2x the + * reported MSS size, performance would suck due to Nagle or delayed ACK + * delays. */ #define EFF_BUFFER_SIZE(fp) (vstream_req_bufsize(fp) ? \ vstream_req_bufsize(fp) : VSTREAM_BUFSIZE) #ifdef CA_VSTREAM_CTL_BUFSIZE - if (mss > EFF_BUFFER_SIZE(fp) / 2) { + if (mss > EFF_BUFFER_SIZE(fp) / 4) { + if (mss < INT_MAX / 2) + mss *= 2; if (mss < INT_MAX / 2) mss *= 2; vstream_control(fp, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.4.6/src/xsasl/xsasl_dovecot_server.c new/postfix-3.4.7/src/xsasl/xsasl_dovecot_server.c --- old/postfix-3.4.6/src/xsasl/xsasl_dovecot_server.c 2016-01-24 01:50:54.000000000 +0100 +++ new/postfix-3.4.7/src/xsasl/xsasl_dovecot_server.c 2019-08-27 09:35:11.000000000 +0200 @@ -584,10 +584,20 @@ if (xsasl_dovecot_parse_reply(server, &line) == 0) { /* authentication successful */ xsasl_dovecot_parse_reply_args(server, line, reply, 1); + if (server->username == 0) { + msg_warn("missing Dovecot server %s username field", cmd); + vstring_strcpy(reply, "Authentication backend error"); + return XSASL_AUTH_FAIL; + } return XSASL_AUTH_DONE; } } else if (strcmp(cmd, "CONT") == 0) { if (xsasl_dovecot_parse_reply(server, &line) == 0) { + if (line == 0) { + msg_warn("missing Dovecot server %s reply field", cmd); + vstring_strcpy(reply, "Authentication backend error"); + return XSASL_AUTH_FAIL; + } vstring_strcpy(reply, line); return XSASL_AUTH_MORE; }
