Bug#960974: buster-pu: package postfix/3.4.14-0+deb10u1

2020-06-30 Thread Scott Kitterman
On Tuesday, June 30, 2020 12:26:01 PM EDT Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Mon, 2020-06-29 at 21:42 -0400, Scott Kitterman wrote:
> > In the 6 weeks since this request was originally filed, there have
> > been two  more postfix bugfix releases.  I'd like to upload 3.4.14
> > instead.  I'm attaching two debdiffs:
> > 
> > stable.debdiff is the diff from what's currently in stable.
> > update.debdiff is the change from the original request in May.
> > 
> > Given the upcoming point release, I really would like to get this in
> > now.
> 
> Sorry for the delay. Please go ahead.

Thanks.  Just did the dput.  Should be available shortly for review/accept.

Scott K



Bug#960974: buster-pu: package postfix/3.4.14-0+deb10u1

2020-06-30 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Mon, 2020-06-29 at 21:42 -0400, Scott Kitterman wrote:
> In the 6 weeks since this request was originally filed, there have
> been two  more postfix bugfix releases.  I'd like to upload 3.4.14
> instead.  I'm attaching two debdiffs:
> 
> stable.debdiff is the diff from what's currently in stable.
> update.debdiff is the change from the original request in May.
> 
> Given the upcoming point release, I really would like to get this in
> now.
> 

Sorry for the delay. Please go ahead.

Regards,

Adam



Bug#960974: buster-pu: package postfix/3.4.14-0+deb10u1

2020-06-29 Thread Scott Kitterman
In the 6 weeks since this request was originally filed, there have been two
more postfix bugfix releases.  I'd like to upload 3.4.14 instead.  I'm attaching
two debdiffs:

stable.debdiff is the diff from what's currently in stable.
update.debdiff is the change from the original request in May.

Given the upcoming point release, I really would like to get this in now.

Scott K

diff -Nru postfix-3.4.12/conf/postfix-tls-script postfix-3.4.14/conf/postfix-tls-script
--- postfix-3.4.12/conf/postfix-tls-script	2017-02-18 20:58:20.0 -0500
+++ postfix-3.4.14/conf/postfix-tls-script	2020-05-30 10:37:04.0 -0400
@@ -777,7 +777,7 @@
 deploy_server_cert() {
 certfile=$1; shift
 keyfile=$1; shift
-deploy=$1; shift
+case $# in 0) deploy=;; *) deploy=$1; shift;; esac
 
 # Sets key_algo, key_param and cert_param
 check_key "$keyfile" || return 1
diff -Nru postfix-3.4.12/debian/changelog postfix-3.4.14/debian/changelog
--- postfix-3.4.12/debian/changelog	2020-05-18 17:45:37.0 -0400
+++ postfix-3.4.14/debian/changelog	2020-06-29 21:33:31.0 -0400
@@ -1,8 +1,15 @@
-postfix (3.4.12-0+deb10u1) buster; urgency=medium
+postfix (3.4.14-0+deb10u1) buster; urgency=medium
+
+  [Cody Brownstein]
+
+  * README.Debian corrections:
+- Fix instructions wrt SMTP generic mapping
+- Fix authentication configuration example
 
   [Scott Kitterman]
 
   * Updated debian/watch to track postfix 3.4 series for stable updates
+  * Check GPG signature when downloading new versions via uscan
 
   [Wietse Venema]
 
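Review bot: The top stanza is renamed in place from 3.4.12-0+deb10u1 to 3.4.14-0+deb10u1 rather than a new stanza being added above it, which is correct only if 3.4.12-0+deb10u1 never reached the archive. Since this is described as the change from the original request in May, that is probably the case, but it is worth confirming before accept so that no uploaded version disappears from the changelog history. The new "Check GPG signature when downloading new versions via uscan" entry also implies a matching change to debian/watch and an upstream signing key in the package; please make sure both are part of the debdiff under review.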
@@ -40,7 +47,51 @@
   concurrent TLS session in the same tlsproxy process. File:
   tlsproxy/tlsproxy.c.
 
- -- Scott Kitterman   Mon, 18 May 2020 17:45:37 -0400
+  * 3.4.13
+- Bugfix (introduced: Postfix 3.1): "postfix tls deploy-server-cert"
+  did not handle a missing optional argument. File:
+  conf/postfix-tls-script.
+
+- Bugfix (introduced: Postfix 3.4): in the Postfix SMTP server,
+  the SNI callback reported an error when it was called a
+  second time. This happened after the server-side TLS engine
+  sent a TLSv1.3 HelloRetryRequest (HRR) to a remote SMTP
+  client. Reported by Ján Máté, fixed by Viktor Dukhovni.
+  File: tls/tls_misc.c.
+
+  * 3.4.14
+- Bugfix (introduced: Postfix 3.4): the connection_reuse
+  attribute in smtp_tls_policy_maps resulted in an "invalid
+  attribute name" error. Fix by Thorsten Habich. File:
+  smtp/smtp_tls_policy.c.
+
+- Bugfix (introduced: Postfix 3.4): SMTP over TLS connection
+  reuse was broken for configurations that use explicit trust
+  anchors. Reported by Thorsten Habich. Cause: the tlsproxy
+  client was sending a zero certificate length. File:
+  tls/tls_proxy_client_print.c.
+
+- Bugfix (introduced: Postfix 3.4): SMTP over TLS connection
+  reuse was broken for configurations that use explicit trust
+  anchors. Reported by Thorsten Habich. Fixed by calling DANE
+  initialization unconditionally (WTF). File: tlsproxy/tlsproxy.c.
+
+- Bugfix (introduced: Postfix 2.11): The Postfix smtp(8)
+  client did not send the right SNI name when the TLSA base
+  domain was a secure CNAME expansion of the MX hostname (or
+  non-MX nexthop domain). Domains with CNAME expanded MX hosts
+  are not conformant with RFC5321, and so are rare. Even more
+  rare are MX hosts with TLSA records for their CNAME expansion.
+  For this to matter, the remote SMTP server would also have
+  to select its certificate based on the SNI name in such a
+  way that the original MX host would yield a different
+  certificate. Among the ~2 million hosts in the DANE survey,
+  none meet the conditions for returning a different certificate
+  for the expanded CNAME. Therefore, sending the correct SNI
+  name should not break existing mail flows. Fixed by Viktor
+  Dukhovni. File: src/tls/tls_client.c.
+
+ -- Scott Kitterman   Mon, 29 Jun 2020 21:33:31 -0400
 
 postfix (3.4.10-0+deb10u1) buster; urgency=medium
 
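Review bot: The two 3.4.14 entries beginning "SMTP over TLS connection reuse was broken for configurations that use explicit trust anchors" read as duplicates until the reader reaches the File: line. Suggest leading each with what differs (the zero certificate length sent by the tlsproxy client in tls/tls_proxy_client_print.c, and the DANE initialization in tlsproxy/tlsproxy.c), or merging them into one entry that lists both files. Two smaller style points: the "(WTF)" aside is out of place in a stable-update changelog, and the last entry gives its path as "src/tls/tls_client.c" while every other entry omits the "src/" prefix.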
diff -Nru postfix-3.4.12/debian/README.Debian postfix-3.4.14/debian/README.Debian
--- postfix-3.4.12/debian/README.Debian	2020-05-18 16:55:04.0 -0400
+++ postfix-3.4.14/debian/README.Debian	2020-06-29 21:33:10.0 -0400
@@ -156,7 +156,7 @@
 
 After creating the file, run the command:
 
-postmap /etc/postfix/example.com-passwd
+postmap /etc/postfix/example-passwd
 
 and add the following line to main.cf:
 
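Review bot: The postmap path changes to /etc/postfix/example-passwd, but neither the step that creates the file nor the main.cf line that follows "and add the following line to main.cf:" is visible in this hunk. Please confirm both use the same /etc/postfix/example-passwd name, because postmap on one path and a hash: lookup on another leaves the lookup table unbuilt and authentication fails at delivery time. As this file holds credentials, it would also help if the surrounding text states the expected ownership and mode for both the source file and the .db that postmap generates, if it does not already.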
@@ -204,6 +204,14 @@
 
 with 'host.domain' taken from '/etc/mailname'.
 
+After creating the file, run the command:
+
+postmap /etc/postfix/generic_mapping
+
+and add the following line to main.cf:
+
+sender_generic_maps = hash:/etc/postfix/generic_mapping
+
 One advantage to using generic over canonical mapping is that the latter will
 be applied to local mail as well. If the system will be configured to send all
 mail, even mail addressed to local users, via the smarthost (e.g., via
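Review bot: "sender_generic_maps" on the added main.cf line does not match any parameter in postconf(5); the generic-mapping parameters Postfix documents are smtp_generic_maps and lmtp_generic_maps. The surrounding text contrasts generic with canonical mapping for mail sent via a smarthost, and the changelog calls this "SMTP generic mapping", so smtp_generic_maps = hash:/etc/postfix/generic_mapping looks like what was intended. As written, Postfix would treat the line as an unknown parameter and the address rewriting would silently not happen, which for this README means local host names leaking into outbound sender addresses.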
diff