Hello community,

here is the log from the commit of package postfix for openSUSE:Factory checked 
in at 2020-06-30 21:55:29
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/postfix (Old)
 and      /work/SRC/openSUSE:Factory/.postfix.new.3060 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "postfix"

Tue Jun 30 21:55:29 2020 rev:186 rq:817783 version:3.5.4

Changes:
--------
--- /work/SRC/openSUSE:Factory/postfix/postfix.changes  2020-06-23 
21:03:27.689623223 +0200
+++ /work/SRC/openSUSE:Factory/.postfix.new.3060/postfix.changes        
2020-06-30 21:55:36.638600204 +0200
@@ -1,0 +2,19 @@
+Mon Jun 29 18:44:13 UTC 2020 - Michael Ströder <mich...@stroeder.com>
+
+- Update to 3.5.4:
+  * The connection_reuse attribute in smtp_tls_policy_maps always
+    resulted in an "invalid attribute name" error.
+  * SMTP over TLS connection reuse always failed for Postfix SMTP
+    client configurations that specify explicit trust anchors (remote
+    SMTP server certificates or public keys).
+  * The Postfix SMTP client's DANE implementation would always send
+    an SNI option with the name in a destination's MX record, even
+    if the MX record pointed to a CNAME record. MX records that
+    point to CNAME records are not conformant with RFC5321, and so
+    are rare.
+    Based on the DANE survey of ~2 million hosts it was found that
+    with the corrected SMTP client behavior, sending SNI with the
+    CNAME-expanded name, the SMTP server would not send a different
+    certificate. This fix should therefore be safe.
+
+-------------------------------------------------------------------

Old:
----
  postfix-3.5.3.tar.gz

New:
----
  postfix-3.5.4.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ postfix.spec ++++++
--- /var/tmp/diff_new_pack.lPk2us/_old  2020-06-30 21:55:37.750603645 +0200
+++ /var/tmp/diff_new_pack.lPk2us/_new  2020-06-30 21:55:37.754603658 +0200
@@ -53,7 +53,7 @@
 %bcond_with    libnsl
 %endif
 Name:           postfix
-Version:        3.5.3
+Version:        3.5.4
 Release:        0
 Summary:        A fast, secure, and flexible mailer
 License:        IPL-1.0 OR EPL-2.0

++++++ postfix-3.5.3.tar.gz -> postfix-3.5.4.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/postfix-3.5.3/HISTORY new/postfix-3.5.4/HISTORY
--- old/postfix-3.5.3/HISTORY   2020-06-10 23:08:14.000000000 +0200
+++ new/postfix-3.5.4/HISTORY   2020-06-27 23:18:55.000000000 +0200
@@ -24753,3 +24753,41 @@
        client. Reported by Ján Máté, fixed by Viktor Dukhovni.
        File: tls/tls_misc.c.
 
+20200617
+
+       Bugfix (introduced: Postfix 3.4): the connection_reuse
+       attribute in smtp_tls_policy_maps resulted in an "invalid
+       attribute name" error. Fix by Thorsten Habich. File:
+       smtp/smtp_tls_policy.c.
+
+20200619
+
+       Bugfix (introduced: Postfix 3.4): SMTP over TLS connection
+       reuse was broken for configurations that use explicit trust
+       anchors. Reported by Thorsten Habich. Cause: the tlsproxy
+       client was sending a zero certificate length. File:
+       tls/tls_proxy_client_print.c.
+
+20200620
+
+       Bugfix (introduced: Postfix 3.4): SMTP over TLS connection
+       reuse was broken for configurations that use explicit trust
+       anchors. Reported by Thorsten Habich. Fixed by calling DANE
+       initialization unconditionally (WTF). File: tlsproxy/tlsproxy.c.
+
+20200626
+
+       Bugfix (introduced: Postfix 2.11): The Postfix smtp(8)
+       client did not send the right SNI name when the TLSA base
+       domain was a secure CNAME expansion of the MX hostname (or
+       non-MX nexthop domain). Domains with CNAME expanded MX hosts
+       are not conformant with RFC5321, and so are rare. Even more
+       rare are MX hosts with TLSA records for their CNAME expansion.
+       For this to matter, the remote SMTP server would also have
+       to select its certificate based on the SNI name in such a
+       way that the original MX host would yield a different
+       certificate. Among the ~2 million hosts in the DANE survey,
+       none meet the conditions for returning a different certificate
+       for the expanded CNAME. Therefore, sending the correct SNI
+       name should not break existing mail flows. Fixed by Viktor
+       Dukhovni. File: src/tls/tls_client.c.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/postfix-3.5.3/src/global/mail_version.h 
new/postfix-3.5.4/src/global/mail_version.h
--- old/postfix-3.5.3/src/global/mail_version.h 2020-06-14 22:52:23.000000000 
+0200
+++ new/postfix-3.5.4/src/global/mail_version.h 2020-06-27 23:30:07.000000000 
+0200
@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE      "20200614"
-#define MAIL_VERSION_NUMBER    "3.5.3"
+#define MAIL_RELEASE_DATE      "20200627"
+#define MAIL_VERSION_NUMBER    "3.5.4"
 
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE      "-" MAIL_RELEASE_DATE
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/postfix-3.5.3/src/smtp/smtp_tls_policy.c 
new/postfix-3.5.4/src/smtp/smtp_tls_policy.c
--- old/postfix-3.5.3/src/smtp/smtp_tls_policy.c        2018-12-26 
20:21:49.000000000 +0100
+++ new/postfix-3.5.4/src/smtp/smtp_tls_policy.c        2020-06-17 
17:19:54.000000000 +0200
@@ -389,6 +389,7 @@
                         WHERE, name, val);
                INVALID_RETURN(tls->why, site_level);
            }
+           continue;
        }
        msg_warn("%s: invalid attribute name: \"%s\"", WHERE, name);
        INVALID_RETURN(tls->why, site_level);
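Review bot: The fix relies on every recognised-attribute branch in this loop ending in `continue;` so that control never falls into the `msg_warn("%s: invalid attribute name: ...")` fallback at the bottom of the body; with the other attribute branches outside this hunk, nothing in the new code records that invariant, which is how the `connection_reuse` branch lost it in the first place. A one-line comment above the fallback, `/* Reached only when no attribute branch above matched; each branch must end in continue */`, would make the next added attribute less likely to repeat this bug. The enclosing loop and function start and end outside the hunk.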
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/postfix-3.5.3/src/tls/tls_client.c 
new/postfix-3.5.4/src/tls/tls_client.c
--- old/postfix-3.5.3/src/tls/tls_client.c      2020-03-08 15:59:02.000000000 
+0100
+++ new/postfix-3.5.4/src/tls/tls_client.c      2020-06-27 23:13:06.000000000 
+0200
@@ -1018,10 +1018,13 @@
         * avoid SNI, and there are no plans to support SNI in the Postfix
         * SMTP server).
         * 
+        * Per RFC7672, the required SNI name is the TLSA "base domain" (the one
+        * used to construct the "_25._tcp.<fqdn>" TLSA record DNS query).
+        * 
         * Since the hostname is DNSSEC-validated, it must be a DNS FQDN and
         * thererefore valid for use with SNI.
         */
-       sni = props->host;
+       sni = props->dane->base_domain;
     } else if (props->sni && *props->sni) {
        if (strcmp(props->sni, "hostname") == 0)
            sni = props->host;
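Review bot: The new assignment `sni = props->dane->base_domain;` dereferences `props->dane` with no guard visible in this hunk; the surrounding comment says this is the DNSSEC-validated DANE branch, so `props->dane` is presumably non-null here, but the new line additionally assumes `base_domain` is populated whenever the branch is taken. If the enclosing condition (outside the hunk) does not already guarantee both, an explicit `msg_panic` on a null `props->dane` or `base_domain` would turn a silent null dereference into a diagnosable failure, and a short comment stating that the enclosing condition guarantees a populated `base_domain` would document the dependency either way. The enclosing function starts and ends outside the hunk.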
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/postfix-3.5.3/src/tls/tls_proxy_client_print.c 
new/postfix-3.5.4/src/tls/tls_proxy_client_print.c
--- old/postfix-3.5.3/src/tls/tls_proxy_client_print.c  2019-02-11 
14:11:43.000000000 +0100
+++ new/postfix-3.5.4/src/tls/tls_proxy_client_print.c  2020-06-19 
19:39:34.000000000 +0200
@@ -213,6 +213,7 @@
            i2d_X509(tp->cert, &bp);
            if ((char *) bp - STR(buf) != len)
                msg_panic("i2d_X509 failed to encode certificate");
+           vstring_set_payload_size(buf, len);
            ret = print_fn(fp, flags | ATTR_FLAG_MORE,
                           SEND_ATTR_DATA(TLS_ATTR_CERT, LEN(buf), STR(buf)),
                           ATTR_TYPE_END);
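Review bot: `LEN(buf)` on the following `SEND_ATTR_DATA` line is only correct because the added `vstring_set_payload_size(buf, len)` re-synchronises the VSTRING length after `i2d_X509` wrote through the raw pointer `bp`; the same pattern recurs in this file's second hunk for `i2d_PUBKEY`, and the HISTORY entry for 20200619 attributes the broken connection reuse to a zero certificate length being sent, which is exactly the symptom of that missed synchronisation. Passing the already-verified `len` directly, `SEND_ATTR_DATA(TLS_ATTR_CERT, len, STR(buf))` (subject to the macro's expected length type), would remove the dependency on the length bookkeeping; failing that, a comment `/* i2d_*() wrote via bp; sync the VSTRING length before LEN(buf) is read */` should record why the call is needed. The enclosing function starts and ends outside the hunk.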
@@ -258,6 +259,7 @@
            i2d_PUBKEY(tp->pkey, &bp);
            if ((char *) bp - STR(buf) != len)
                msg_panic("i2d_PUBKEY failed to encode public key");
+           vstring_set_payload_size(buf, len);
            ret = print_fn(fp, flags | ATTR_FLAG_MORE,
                           SEND_ATTR_DATA(TLS_ATTR_PKEY, LEN(buf), STR(buf)),
                           ATTR_TYPE_END);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/postfix-3.5.3/src/tlsproxy/tlsproxy.c 
new/postfix-3.5.4/src/tlsproxy/tlsproxy.c
--- old/postfix-3.5.3/src/tlsproxy/tlsproxy.c   2020-05-15 15:29:14.000000000 
+0200
+++ new/postfix-3.5.4/src/tlsproxy/tlsproxy.c   2020-06-20 20:55:59.000000000 
+0200
@@ -997,12 +997,12 @@
     state->client_start_props->ctx = state->appl_state;
     state->client_start_props->fd = state->ciphertext_fd;
     /* These predicates and warning belong inside tls_client_start(). */
-    if (!TLS_DANE_BASED(state->client_start_props->tls_level)
-       || tls_dane_avail())
-       state->tls_context = tls_client_start(state->client_start_props);
-    else
+    if (!tls_dane_avail()                      /* mandatory side effects!! */
+       &&TLS_DANE_BASED(state->client_start_props->tls_level))
        msg_warn("%s: DANE requested, but not available",
                 state->client_start_props->namaddr);
+    else
+       state->tls_context = tls_client_start(state->client_start_props);
     if (state->tls_context != 0)
        return (TLSP_STAT_OK);
 
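Review bot: The new condition makes DANE initialisation depend on `tls_dane_avail()` being the first operand of the `&&` chain, flagged only by the `/* mandatory side effects!! */` comment; the HISTORY entry for 20200620 describes the earlier breakage as this initialisation being skipped, which the old `||` form appears to have done through short-circuit evaluation, so a future reordering could reintroduce it silently. Hoisting the call into its own statement removes the ordering dependency: `int dane_avail = tls_dane_avail();  /* must always run: performs DANE initialization */` followed by `if (!dane_avail && TLS_DANE_BASED(state->client_start_props->tls_level))`. Separately, `&&TLS_DANE_BASED` wants a space after the operator to match the file's spacing. The enclosing function starts and ends outside the hunk.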

