Prereq: "2.6.6" diff -cr --new-file /var/tmp/postfix-2.6.6/src/global/mail_version.h ./src/global/mail_version.h *** /var/tmp/postfix-2.6.6/src/global/mail_version.h Fri Mar 19 20:01:31 2010 --- ./src/global/mail_version.h Tue Jun 8 08:40:49 2010 *************** *** 20,27 **** * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20100319" ! #define MAIL_VERSION_NUMBER "2.6.6" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE --- 20,27 ---- * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20100608" ! #define MAIL_VERSION_NUMBER "2.6.7" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -cr --new-file /var/tmp/postfix-2.6.6/HISTORY ./HISTORY *** /var/tmp/postfix-2.6.6/HISTORY Fri Mar 19 19:54:34 2010 --- ./HISTORY Fri Jun 4 08:42:54 2010 *************** *** 15338,15340 **** --- 15338,15369 ---- a mailbox address inside <>, which broke expectations. RFC 2821 (and 5321) is vague about the VRFY request format, but spends lots of text on the reply format. File: smtpd/smtpd.c. + + 20100515 + + Bugfix (introduced Postfix 2.6): the Postfix SMTP client + XFORWARD implementation did not skip "unknown" SMTP client + attributes, causing a syntax error when sending a PORT + attribute. Reported by Victor Duchovni. File: smtp/smtp_proto.c. + + 20100529 + + Portability: OpenSSL 1.0.0 changes the priority of anonymous + cyphers. Victor Duchovni. Files: postconf.proto, + global/mail_params.h, tls/tls_certkey.c, tls/tls_client.c, + tls/tls_dh.c, tls/tls_server.c. + + Portability: Mac OS 10.6.3 requires + instead of . Files: makedefs, util/sys_defs.h, + dns/dns.h. + + 20100531 + + Robustness: skip LDAP queries with non-ASCII search strings. + The LDAP library requires well-formed UTF-8. Victor Duchovni. + File: global/dict_ldap.c. 
+ + 20100601 + + Portability: Berkeley DB 5.x has the same API as Berkeley + DB 4.1 and later. File: util/dict_db.c. diff -cr --new-file /var/tmp/postfix-2.6.6/html/postconf.5.html ./html/postconf.5.html *** /var/tmp/postfix-2.6.6/html/postconf.5.html Fri Mar 19 20:00:19 2010 --- ./html/postconf.5.html Wed Jun 2 08:30:15 2010 *************** *** 4279,4285 **** parameter. See there for details.

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 0.9.9 or later.

--- 4279,4285 ---- parameter. See there for details.

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 1.0.0 or later.

*************** *** 4291,4297 **** parameter. See there for details.

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 0.9.9 or later.

--- 4291,4297 ---- parameter. See there for details.

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 1.0.0 or later.

*************** *** 9081,9087 ****

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 0.9.9 or later.

--- 9081,9087 ----

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 1.0.0 or later.

*************** *** 9099,9105 **** to anyone else.

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 0.9.9 or later.

--- 9099,9105 ---- to anyone else.

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 1.0.0 or later.

*************** *** 12534,12540 ****

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 0.9.9 or later.

--- 12534,12540 ----

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 1.0.0 or later.

*************** *** 12552,12558 **** to anyone else.

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 0.9.9 or later.

--- 12552,12558 ---- to anyone else.

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 1.0.0 or later.

*************** *** 12586,12592 ****

This feature is available in Postfix 2.6 and later, when it is ! compiled and linked with OpenSSL 0.9.9 or later.

--- 12586,12592 ----

This feature is available in Postfix 2.6 and later, when it is ! compiled and linked with OpenSSL 1.0.0 or later.

*************** *** 13380,13386 **** latter name.

This feature is available in Postfix 2.6 and later, when it is ! compiled and linked with OpenSSL 0.9.9 or later.

--- 13380,13386 ---- latter name.

This feature is available in Postfix 2.6 and later, when it is ! compiled and linked with OpenSSL 1.0.0 or later.

*************** *** 13403,13409 **** classified as TOP SECRET.

This feature is available in Postfix 2.6 and later, when it is ! compiled and linked with OpenSSL 0.9.9 or later.

--- 13403,13409 ---- classified as TOP SECRET.

This feature is available in Postfix 2.6 and later, when it is ! compiled and linked with OpenSSL 1.0.0 or later.

*************** *** 13416,13422 **** smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is the cipherlist for the opportunistic ("may") TLS client security level and is the default cipherlist for the SMTP server. You are ! strongly encouraged to not change this setting.

This feature is available in Postfix 2.3 and later.

--- 13416,13426 ---- smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is the cipherlist for the opportunistic ("may") TLS client security level and is the default cipherlist for the SMTP server. You are ! strongly encouraged to not change this setting. With OpenSSL 1.0.0 and ! later the cipherlist may start with an "aNULL:" prefix, which restores ! the 0.9.8-compatible ordering of the aNULL ciphers to the top of the ! list when they are enabled. This prefix is not needed with previous ! OpenSSL releases.

This feature is available in Postfix 2.3 and later.

*************** *** 13429,13435 ****

The OpenSSL cipherlist for "HIGH" grade ciphers. This defines the meaning of the "high" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are ! strongly encouraged to not change this setting.

This feature is available in Postfix 2.3 and later.

--- 13433,13443 ----

The OpenSSL cipherlist for "HIGH" grade ciphers. This defines the meaning of the "high" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are ! strongly encouraged to not change this setting. With OpenSSL 1.0.0 and ! later the cipherlist may start with an "aNULL:" prefix, which restores ! the 0.9.8-compatible ordering of the aNULL ciphers to the top of the ! list when they are enabled. This prefix is not needed with previous ! OpenSSL releases.

This feature is available in Postfix 2.3 and later.

*************** *** 13442,13448 ****

The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines the meaning of the "low" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are ! strongly encouraged to not change this setting.

This feature is available in Postfix 2.3 and later.

--- 13450,13460 ----

The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines the meaning of the "low" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are ! strongly encouraged to not change this setting. With OpenSSL 1.0.0 and ! later the cipherlist may start with an "aNULL:" prefix, which restores ! the 0.9.8-compatible ordering of the aNULL ciphers to the top of the ! list when they are enabled. This prefix is not needed with previous ! OpenSSL releases.

This feature is available in Postfix 2.3 and later.

*************** *** 13458,13464 **** the default cipherlist for mandatory TLS encryption in the TLS client (with anonymous ciphers disabled when verifying server certificates). You are strongly encouraged to not change this ! setting.

This feature is available in Postfix 2.3 and later.

--- 13470,13479 ---- the default cipherlist for mandatory TLS encryption in the TLS client (with anonymous ciphers disabled when verifying server certificates). You are strongly encouraged to not change this ! setting. With OpenSSL 1.0.0 and later the cipherlist may start with an ! "aNULL:" prefix, which restores the 0.9.8-compatible ordering of the ! aNULL ciphers to the top of the list when they are enabled. This prefix ! is not needed with previous OpenSSL releases.

This feature is available in Postfix 2.3 and later.

diff -cr --new-file /var/tmp/postfix-2.6.6/makedefs ./makedefs *** /var/tmp/postfix-2.6.6/makedefs Sun Oct 18 20:30:12 2009 --- ./makedefs Thu Jun 3 08:59:55 2010 *************** *** 412,417 **** --- 412,422 ---- [1-6].*) CCARGS="$CCARGS -DNO_IPV6";; *) CCARGS="$CCARGS -DBIND_8_COMPAT -DNO_NETINFO";; esac + # Darwin 10.3.0 no longer has . + case $RELEASE in + ?.*) CCARGS="$CCARGS -DRESOLVE_H_NEEDS_NAMESER8_COMPAT_H";; + *) CCARGS="$CCARGS -DRESOLVE_H_NEEDS_ARPA_NAMESER_COMPAT_H";; + esac # kqueue and/or poll are broken up to and including MacOS X 10.5 CCARGS="$CCARGS -DNO_KQUEUE" # # Darwin 8.11.1 has kqueue support, but let's play safe diff -cr --new-file /var/tmp/postfix-2.6.6/man/man5/postconf.5 ./man/man5/postconf.5 *** /var/tmp/postfix-2.6.6/man/man5/postconf.5 Fri Mar 19 20:00:19 2010 --- ./man/man5/postconf.5 Wed Jun 2 08:30:15 2010 *************** *** 2326,2338 **** parameter. See there for details. .PP This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 0.9.9 or later. .SH lmtp_tls_eckey_file (default: empty) The LMTP-specific version of the smtp_tls_eckey_file configuration parameter. See there for details. .PP This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 0.9.9 or later. .SH lmtp_tls_enforce_peername (default: yes) The LMTP-specific version of the smtp_tls_enforce_peername configuration parameter. See there for details. --- 2326,2338 ---- parameter. See there for details. .PP This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 1.0.0 or later. .SH lmtp_tls_eckey_file (default: empty) The LMTP-specific version of the smtp_tls_eckey_file configuration parameter. See there for details. .PP This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 1.0.0 or later. 
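Review bot: In the makedefs hunk, the new `case $RELEASE` selects on the width of the major version (`?.*` versus everything else), so every Darwin release with a two-digit major gets `-DRESOLVE_H_NEEDS_ARPA_NAMESER_COMPAT_H`, not only 10.3.0 as the comment above it suggests. If 10.0 through 10.2 are known to work with that define this is fine, but the comment should state the rule the code actually applies, for example `# Darwin 10 and later (first seen on 10.3.0) need RESOLVE_H_NEEDS_ARPA_NAMESER_COMPAT_H`. The header name in the existing comment is missing from this rendering, so it cannot be checked against the define here. The enclosing Darwin branch starts and ends outside the hunk.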
.SH lmtp_tls_enforce_peername (default: yes) The LMTP-specific version of the smtp_tls_enforce_peername configuration parameter. See there for details. *************** *** 5221,5227 **** .ft R .PP This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 0.9.9 or later. .SH smtp_tls_eckey_file (default: $smtp_tls_eccert_file) File with the Postfix SMTP client ECDSA private key in PEM format. This file may be combined with the Postfix SMTP client ECDSA --- 5221,5227 ---- .ft R .PP This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 1.0.0 or later. .SH smtp_tls_eckey_file (default: $smtp_tls_eccert_file) File with the Postfix SMTP client ECDSA private key in PEM format. This file may be combined with the Postfix SMTP client ECDSA *************** *** 5233,5239 **** to anyone else. .PP This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 0.9.9 or later. .SH smtp_tls_enforce_peername (default: yes) With mandatory TLS encryption, require that the remote SMTP server hostname matches the information in the remote SMTP server --- 5233,5239 ---- to anyone else. .PP This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 1.0.0 or later. .SH smtp_tls_enforce_peername (default: yes) With mandatory TLS encryption, require that the remote SMTP server hostname matches the information in the remote SMTP server *************** *** 7820,7826 **** .ft R .PP This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 0.9.9 or later. .SH smtpd_tls_eckey_file (default: $smtpd_tls_eccert_file) File with the Postfix SMTP server ECDSA private key in PEM format. This file may be combined with the Postfix SMTP server ECDSA certificate --- 7820,7826 ---- .ft R .PP This feature is available in Postfix 2.6 and later, when Postfix is ! 
compiled and linked with OpenSSL 1.0.0 or later. .SH smtpd_tls_eckey_file (default: $smtpd_tls_eccert_file) File with the Postfix SMTP server ECDSA private key in PEM format. This file may be combined with the Postfix SMTP server ECDSA certificate *************** *** 7832,7838 **** to anyone else. .PP This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 0.9.9 or later. .SH smtpd_tls_eecdh_grade (default: see "postconf -d" output) The Postfix SMTP server security grade for ephemeral elliptic-curve Diffie-Hellman (EECDH) key exchange. --- 7832,7838 ---- to anyone else. .PP This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 1.0.0 or later. .SH smtpd_tls_eecdh_grade (default: see "postconf -d" output) The Postfix SMTP server security grade for ephemeral elliptic-curve Diffie-Hellman (EECDH) key exchange. *************** *** 7856,7862 **** users. .PP This feature is available in Postfix 2.6 and later, when it is ! compiled and linked with OpenSSL 0.9.9 or later. .SH smtpd_tls_exclude_ciphers (default: empty) List of ciphers or cipher types to exclude from the SMTP server cipher list at all TLS security levels. Excluding valid ciphers --- 7856,7862 ---- users. .PP This feature is available in Postfix 2.6 and later, when it is ! compiled and linked with OpenSSL 1.0.0 or later. .SH smtpd_tls_exclude_ciphers (default: empty) List of ciphers or cipher types to exclude from the SMTP server cipher list at all TLS security levels. Excluding valid ciphers *************** *** 8437,8443 **** latter name. .PP This feature is available in Postfix 2.6 and later, when it is ! compiled and linked with OpenSSL 0.9.9 or later. .SH tls_eecdh_ultra_curve (default: secp384r1) The elliptic curve used by the SMTP server for maximally strong ephemeral ECDH key exchange. This curve is used by the Postfix SMTP --- 8437,8443 ---- latter name. 
.PP This feature is available in Postfix 2.6 and later, when it is ! compiled and linked with OpenSSL 1.0.0 or later. .SH tls_eecdh_ultra_curve (default: secp384r1) The elliptic curve used by the SMTP server for maximally strong ephemeral ECDH key exchange. This curve is used by the Postfix SMTP *************** *** 8454,8481 **** classified as TOP SECRET. .PP This feature is available in Postfix 2.6 and later, when it is ! compiled and linked with OpenSSL 0.9.9 or later. .SH tls_export_cipherlist (default: ALL:+RC4:@STRENGTH) The OpenSSL cipherlist for "EXPORT" or higher grade ciphers. This defines the meaning of the "export" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is the cipherlist for the opportunistic ("may") TLS client security level and is the default cipherlist for the SMTP server. You are ! strongly encouraged to not change this setting. .PP This feature is available in Postfix 2.3 and later. .SH tls_high_cipherlist (default: ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH) The OpenSSL cipherlist for "HIGH" grade ciphers. This defines the meaning of the "high" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are ! strongly encouraged to not change this setting. .PP This feature is available in Postfix 2.3 and later. .SH tls_low_cipherlist (default: ALL:!EXPORT:+RC4:@STRENGTH) The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines the meaning of the "low" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are ! strongly encouraged to not change this setting. .PP This feature is available in Postfix 2.3 and later. .SH tls_medium_cipherlist (default: ALL:!EXPORT:!LOW:+RC4:@STRENGTH) --- 8454,8493 ---- classified as TOP SECRET. .PP This feature is available in Postfix 2.6 and later, when it is ! compiled and linked with OpenSSL 1.0.0 or later. 
.SH tls_export_cipherlist (default: ALL:+RC4:@STRENGTH) The OpenSSL cipherlist for "EXPORT" or higher grade ciphers. This defines the meaning of the "export" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is the cipherlist for the opportunistic ("may") TLS client security level and is the default cipherlist for the SMTP server. You are ! strongly encouraged to not change this setting. With OpenSSL 1.0.0 and ! later the cipherlist may start with an "aNULL:" prefix, which restores ! the 0.9.8-compatible ordering of the aNULL ciphers to the top of the ! list when they are enabled. This prefix is not needed with previous ! OpenSSL releases. .PP This feature is available in Postfix 2.3 and later. .SH tls_high_cipherlist (default: ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH) The OpenSSL cipherlist for "HIGH" grade ciphers. This defines the meaning of the "high" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are ! strongly encouraged to not change this setting. With OpenSSL 1.0.0 and ! later the cipherlist may start with an "aNULL:" prefix, which restores ! the 0.9.8-compatible ordering of the aNULL ciphers to the top of the ! list when they are enabled. This prefix is not needed with previous ! OpenSSL releases. .PP This feature is available in Postfix 2.3 and later. .SH tls_low_cipherlist (default: ALL:!EXPORT:+RC4:@STRENGTH) The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines the meaning of the "low" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are ! strongly encouraged to not change this setting. With OpenSSL 1.0.0 and ! later the cipherlist may start with an "aNULL:" prefix, which restores ! the 0.9.8-compatible ordering of the aNULL ciphers to the top of the ! list when they are enabled. This prefix is not needed with previous ! OpenSSL releases. 
.PP This feature is available in Postfix 2.3 and later. .SH tls_medium_cipherlist (default: ALL:!EXPORT:!LOW:+RC4:@STRENGTH) *************** *** 8485,8491 **** the default cipherlist for mandatory TLS encryption in the TLS client (with anonymous ciphers disabled when verifying server certificates). You are strongly encouraged to not change this ! setting. .PP This feature is available in Postfix 2.3 and later. .SH tls_null_cipherlist (default: eNULL:!aNULL) --- 8497,8506 ---- the default cipherlist for mandatory TLS encryption in the TLS client (with anonymous ciphers disabled when verifying server certificates). You are strongly encouraged to not change this ! setting. With OpenSSL 1.0.0 and later the cipherlist may start with an ! "aNULL:" prefix, which restores the 0.9.8-compatible ordering of the ! aNULL ciphers to the top of the list when they are enabled. This prefix ! is not needed with previous OpenSSL releases. .PP This feature is available in Postfix 2.3 and later. .SH tls_null_cipherlist (default: eNULL:!aNULL) diff -cr --new-file /var/tmp/postfix-2.6.6/proto/postconf.proto ./proto/postconf.proto *** /var/tmp/postfix-2.6.6/proto/postconf.proto Fri Mar 19 18:53:21 2010 --- ./proto/postconf.proto Wed Jun 2 08:28:22 2010 *************** *** 10891,10897 ****

The OpenSSL cipherlist for "HIGH" grade ciphers. This defines the meaning of the "high" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are ! strongly encouraged to not change this setting.

This feature is available in Postfix 2.3 and later.

--- 10891,10901 ----

The OpenSSL cipherlist for "HIGH" grade ciphers. This defines the meaning of the "high" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are ! strongly encouraged to not change this setting. With OpenSSL 1.0.0 and ! later the cipherlist may start with an "aNULL:" prefix, which restores ! the 0.9.8-compatible ordering of the aNULL ciphers to the top of the ! list when they are enabled. This prefix is not needed with previous ! OpenSSL releases.

This feature is available in Postfix 2.3 and later.

*************** *** 10903,10909 **** the default cipherlist for mandatory TLS encryption in the TLS client (with anonymous ciphers disabled when verifying server certificates). You are strongly encouraged to not change this ! setting.

This feature is available in Postfix 2.3 and later.

--- 10907,10916 ---- the default cipherlist for mandatory TLS encryption in the TLS client (with anonymous ciphers disabled when verifying server certificates). You are strongly encouraged to not change this ! setting. With OpenSSL 1.0.0 and later the cipherlist may start with an ! "aNULL:" prefix, which restores the 0.9.8-compatible ordering of the ! aNULL ciphers to the top of the list when they are enabled. This prefix ! is not needed with previous OpenSSL releases.

This feature is available in Postfix 2.3 and later.

*************** *** 10912,10918 ****

The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines the meaning of the "low" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are ! strongly encouraged to not change this setting.

This feature is available in Postfix 2.3 and later.

--- 10919,10929 ----

The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines the meaning of the "low" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are ! strongly encouraged to not change this setting. With OpenSSL 1.0.0 and ! later the cipherlist may start with an "aNULL:" prefix, which restores ! the 0.9.8-compatible ordering of the aNULL ciphers to the top of the ! list when they are enabled. This prefix is not needed with previous ! OpenSSL releases.

This feature is available in Postfix 2.3 and later.

*************** *** 10923,10929 **** smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is the cipherlist for the opportunistic ("may") TLS client security level and is the default cipherlist for the SMTP server. You are ! strongly encouraged to not change this setting.

This feature is available in Postfix 2.3 and later.

--- 10934,10944 ---- smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is the cipherlist for the opportunistic ("may") TLS client security level and is the default cipherlist for the SMTP server. You are ! strongly encouraged to not change this setting. With OpenSSL 1.0.0 and ! later the cipherlist may start with an "aNULL:" prefix, which restores ! the 0.9.8-compatible ordering of the aNULL ciphers to the top of the ! list when they are enabled. This prefix is not needed with previous ! OpenSSL releases.

This feature is available in Postfix 2.3 and later.

*************** *** 11449,11455 **** latter name.

This feature is available in Postfix 2.6 and later, when it is ! compiled and linked with OpenSSL 0.9.9 or later.

%PARAM tls_eecdh_ultra_curve secp384r1 --- 11464,11470 ---- latter name.

This feature is available in Postfix 2.6 and later, when it is ! compiled and linked with OpenSSL 1.0.0 or later.

%PARAM tls_eecdh_ultra_curve secp384r1 *************** *** 11468,11474 **** classified as TOP SECRET.

This feature is available in Postfix 2.6 and later, when it is ! compiled and linked with OpenSSL 0.9.9 or later.

%PARAM smtpd_tls_eecdh_grade see "postconf -d" output --- 11483,11489 ---- classified as TOP SECRET.

This feature is available in Postfix 2.6 and later, when it is ! compiled and linked with OpenSSL 1.0.0 or later.

%PARAM smtpd_tls_eecdh_grade see "postconf -d" output *************** *** 11498,11504 ****

This feature is available in Postfix 2.6 and later, when it is ! compiled and linked with OpenSSL 0.9.9 or later.

%PARAM smtpd_tls_eccert_file --- 11513,11519 ----

This feature is available in Postfix 2.6 and later, when it is ! compiled and linked with OpenSSL 1.0.0 or later.

%PARAM smtpd_tls_eccert_file *************** *** 11514,11520 ****

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 0.9.9 or later.

%PARAM smtpd_tls_eckey_file $smtpd_tls_eccert_file --- 11529,11535 ----

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 1.0.0 or later.

%PARAM smtpd_tls_eckey_file $smtpd_tls_eccert_file *************** *** 11528,11534 **** to anyone else.

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 0.9.9 or later.

%PARAM smtp_tls_eccert_file --- 11543,11549 ---- to anyone else.

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 1.0.0 or later.

%PARAM smtp_tls_eccert_file *************** *** 11545,11551 ****

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 0.9.9 or later.

%PARAM smtp_tls_eckey_file $smtp_tls_eccert_file --- 11560,11566 ----

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 1.0.0 or later.

%PARAM smtp_tls_eckey_file $smtp_tls_eccert_file *************** *** 11559,11565 **** to anyone else.

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 0.9.9 or later.

%PARAM lmtp_tls_eccert_file --- 11574,11580 ---- to anyone else.

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 1.0.0 or later.

%PARAM lmtp_tls_eccert_file *************** *** 11567,11573 **** parameter. See there for details.

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 0.9.9 or later.

%PARAM lmtp_tls_eckey_file --- 11582,11588 ---- parameter. See there for details.

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 1.0.0 or later.

%PARAM lmtp_tls_eckey_file *************** *** 11575,11581 **** parameter. See there for details.

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 0.9.9 or later.

%PARAM smtp_header_checks --- 11590,11596 ---- parameter. See there for details.

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 1.0.0 or later.

%PARAM smtp_header_checks diff -cr --new-file /var/tmp/postfix-2.6.6/src/dns/dns.h ./src/dns/dns.h *** /var/tmp/postfix-2.6.6/src/dns/dns.h Sun Nov 9 16:42:03 2008 --- ./src/dns/dns.h Thu Jun 3 08:57:05 2010 *************** *** 22,27 **** --- 22,30 ---- #ifdef RESOLVE_H_NEEDS_NAMESER8_COMPAT_H #include #endif + #ifdef RESOLVE_H_NEEDS_ARPA_NAMESER_COMPAT_H + #include + #endif #include /* diff -cr --new-file /var/tmp/postfix-2.6.6/src/global/dict_ldap.c ./src/global/dict_ldap.c *** /var/tmp/postfix-2.6.6/src/global/dict_ldap.c Tue Mar 3 20:25:53 2009 --- ./src/global/dict_ldap.c Sat May 29 18:08:26 2010 *************** *** 1082,1093 **** --- 1082,1102 ---- static VSTRING *result; int rc = 0; int sizelimit; + const char *cp; dict_errno = 0; if (msg_verbose) msg_info("%s: In dict_ldap_lookup", myname); + for (cp = name; *cp; ++cp) + if (!ISASCII(*cp)) { + if (msg_verbose) + msg_info("%s: %s: Skipping lookup of non-ASCII key '%s'", + myname, dict_ldap->parser->name, name); + return (0); + } + /* * Optionally fold the key. */ *************** *** 1105,1111 **** */ if (db_common_check_domain(dict_ldap->ctx, name) == 0) { if (msg_verbose) ! msg_info("%s: Skipping lookup of '%s'", myname, name); return (0); } #define INIT_VSTR(buf, len) do { \ --- 1114,1121 ---- */ if (db_common_check_domain(dict_ldap->ctx, name) == 0) { if (msg_verbose) ! msg_info("%s: %s: Skipping lookup of key '%s': domain mismatch", ! myname, dict_ldap->parser->name, name); return (0); } #define INIT_VSTR(buf, len) do { \ diff -cr --new-file /var/tmp/postfix-2.6.6/src/global/mail_params.h ./src/global/mail_params.h *** /var/tmp/postfix-2.6.6/src/global/mail_params.h Fri Mar 19 17:08:47 2010 --- ./src/global/mail_params.h Wed Jun 2 08:28:21 2010 *************** *** 2875,2894 **** /* * TLS cipherlists */ #define VAR_TLS_HIGH_CLIST "tls_high_cipherlist" ! 
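Review bot: In the first dict_ldap.c hunk, the new non-ASCII guard in dict_ldap_lookup returns 0 with dict_errno still 0, so a caller cannot tell a skipped key from a key that is simply absent, and the skip is logged only under msg_verbose. Any map consulted for a policy decision will therefore see "no match" for such keys with no trace in normal logs; that matches the domain-mismatch skip below it, but it should be stated in the code. The loop also rejects every byte outside ASCII, well-formed UTF-8 included, which is broader than the HISTORY rationale ("the LDAP library requires well-formed UTF-8"). I would add above the loop `/* LDAP requires well-formed UTF-8; we do not validate, so any non-ASCII key is treated as "not found". */` and brace the `for` body, since it spans an `if` with a nested `if`. The function starts and ends outside the hunk.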
#define DEF_TLS_HIGH_CLIST "ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH" extern char *var_tls_high_clist; #define VAR_TLS_MEDIUM_CLIST "tls_medium_cipherlist" ! #define DEF_TLS_MEDIUM_CLIST "ALL:!EXPORT:!LOW:+RC4:@STRENGTH" extern char *var_tls_medium_clist; #define VAR_TLS_LOW_CLIST "tls_low_cipherlist" ! #define DEF_TLS_LOW_CLIST "ALL:!EXPORT:+RC4:@STRENGTH" extern char *var_tls_low_clist; #define VAR_TLS_EXPORT_CLIST "tls_export_cipherlist" ! #define DEF_TLS_EXPORT_CLIST "ALL:+RC4:@STRENGTH" extern char *var_tls_export_clist; #define VAR_TLS_NULL_CLIST "tls_null_cipherlist" --- 2875,2905 ---- /* * TLS cipherlists */ + #ifdef USE_TLS + #include + #if OPENSSL_VERSION_NUMBER >= 0x1000000fL + #define PREFER_aNULL "aNULL:-aNULL:" + #else + #define PREFER_aNULL "" + #endif + #else + #define PREFER_aNULL "" + #endif + #define VAR_TLS_HIGH_CLIST "tls_high_cipherlist" ! #define DEF_TLS_HIGH_CLIST PREFER_aNULL "ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH" extern char *var_tls_high_clist; #define VAR_TLS_MEDIUM_CLIST "tls_medium_cipherlist" ! #define DEF_TLS_MEDIUM_CLIST PREFER_aNULL "ALL:!EXPORT:!LOW:+RC4:@STRENGTH" extern char *var_tls_medium_clist; #define VAR_TLS_LOW_CLIST "tls_low_cipherlist" ! #define DEF_TLS_LOW_CLIST PREFER_aNULL "ALL:!EXPORT:+RC4:@STRENGTH" extern char *var_tls_low_clist; #define VAR_TLS_EXPORT_CLIST "tls_export_cipherlist" ! #define DEF_TLS_EXPORT_CLIST PREFER_aNULL "ALL:+RC4:@STRENGTH" extern char *var_tls_export_clist; #define VAR_TLS_NULL_CLIST "tls_null_cipherlist" diff -cr --new-file /var/tmp/postfix-2.6.6/src/smtp/smtp_proto.c ./src/smtp/smtp_proto.c *** /var/tmp/postfix-2.6.6/src/smtp/smtp_proto.c Tue Apr 28 14:50:39 2009 --- ./src/smtp/smtp_proto.c Thu Jun 3 10:45:33 2010 *************** *** 1205,1224 **** * information, the command length stays within the 512 byte * command line length limit. */ case SMTP_STATE_XFORWARD_NAME_ADDR: vstring_strcpy(next_command, XFORWARD_CMD); if ((session->features & SMTP_FEATURE_XFORWARD_NAME) ! 
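Review bot: `PREFER_aNULL` is introduced in mail_params.h without a comment, yet it is prepended to all four default cipherlists (high, medium, low, export) and names the anonymous cipher suites, which provide no peer authentication. This hunk does not show where configurations that verify certificates exclude those suites again. I would add a block comment above the `#ifdef USE_TLS` stating that OpenSSL 1.0.0 changed the priority of anonymous ciphers, that the `aNULL:-aNULL:` prefix is apparently there to keep the earlier preference, and where the exclusion for verified sessions happens. The selection is made at compile time from the header version, which the comment should mention as well. The constant `0x1000000fL` is repeated in the tls_certkey.c and tls_dh.c hunks; one named macro would keep the three tests in step.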
&& DEL_REQ_ATTR_AVAIL(request->client_name)) { vstring_strcat(next_command, " " XFORWARD_NAME "="); xtext_quote_append(next_command, request->client_name, ""); } if ((session->features & SMTP_FEATURE_XFORWARD_ADDR) ! && DEL_REQ_ATTR_AVAIL(request->client_addr)) { vstring_strcat(next_command, " " XFORWARD_ADDR "="); xtext_quote_append(next_command, request->client_addr, ""); } if ((session->features & SMTP_FEATURE_XFORWARD_PORT) ! && DEL_REQ_ATTR_AVAIL(request->client_port)) { vstring_strcat(next_command, " " XFORWARD_PORT "="); xtext_quote_append(next_command, request->client_port, ""); } --- 1205,1235 ---- * information, the command length stays within the 512 byte * command line length limit. */ + #ifndef CAN_FORWARD_CLIENT_NAME + #define _ATTR_AVAIL_AND_KNOWN_(val) \ + (DEL_REQ_ATTR_AVAIL(val) && strcasecmp((val), "unknown")) + #define CAN_FORWARD_CLIENT_NAME _ATTR_AVAIL_AND_KNOWN_ + #define CAN_FORWARD_CLIENT_ADDR _ATTR_AVAIL_AND_KNOWN_ + #define CAN_FORWARD_CLIENT_PORT _ATTR_AVAIL_AND_KNOWN_ + #define CAN_FORWARD_PROTO_NAME _ATTR_AVAIL_AND_KNOWN_ + #define CAN_FORWARD_HELO_NAME DEL_REQ_ATTR_AVAIL + #define CAN_FORWARD_RWR_CONTEXT DEL_REQ_ATTR_AVAIL + #endif + case SMTP_STATE_XFORWARD_NAME_ADDR: vstring_strcpy(next_command, XFORWARD_CMD); if ((session->features & SMTP_FEATURE_XFORWARD_NAME) ! && CAN_FORWARD_CLIENT_NAME(request->client_name)) { vstring_strcat(next_command, " " XFORWARD_NAME "="); xtext_quote_append(next_command, request->client_name, ""); } if ((session->features & SMTP_FEATURE_XFORWARD_ADDR) ! && CAN_FORWARD_CLIENT_ADDR(request->client_addr)) { vstring_strcat(next_command, " " XFORWARD_ADDR "="); xtext_quote_append(next_command, request->client_addr, ""); } if ((session->features & SMTP_FEATURE_XFORWARD_PORT) ! 
&& CAN_FORWARD_CLIENT_PORT(request->client_port)) { vstring_strcat(next_command, " " XFORWARD_PORT "="); xtext_quote_append(next_command, request->client_port, ""); } *************** *** 1231,1247 **** case SMTP_STATE_XFORWARD_PROTO_HELO: vstring_strcpy(next_command, XFORWARD_CMD); if ((session->features & SMTP_FEATURE_XFORWARD_PROTO) ! && DEL_REQ_ATTR_AVAIL(request->client_proto)) { vstring_strcat(next_command, " " XFORWARD_PROTO "="); xtext_quote_append(next_command, request->client_proto, ""); } if ((session->features & SMTP_FEATURE_XFORWARD_HELO) ! && DEL_REQ_ATTR_AVAIL(request->client_helo)) { vstring_strcat(next_command, " " XFORWARD_HELO "="); xtext_quote_append(next_command, request->client_helo, ""); } if ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN) ! && DEL_REQ_ATTR_AVAIL(request->rewrite_context)) { vstring_strcat(next_command, " " XFORWARD_DOMAIN "="); xtext_quote_append(next_command, strcmp(request->rewrite_context, MAIL_ATTR_RWR_LOCAL) ? --- 1242,1258 ---- case SMTP_STATE_XFORWARD_PROTO_HELO: vstring_strcpy(next_command, XFORWARD_CMD); if ((session->features & SMTP_FEATURE_XFORWARD_PROTO) ! && CAN_FORWARD_PROTO_NAME(request->client_proto)) { vstring_strcat(next_command, " " XFORWARD_PROTO "="); xtext_quote_append(next_command, request->client_proto, ""); } if ((session->features & SMTP_FEATURE_XFORWARD_HELO) ! && CAN_FORWARD_HELO_NAME(request->client_helo)) { vstring_strcat(next_command, " " XFORWARD_HELO "="); xtext_quote_append(next_command, request->client_helo, ""); } if ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN) ! && CAN_FORWARD_RWR_CONTEXT(request->rewrite_context)) { vstring_strcat(next_command, " " XFORWARD_DOMAIN "="); xtext_quote_append(next_command, strcmp(request->rewrite_context, MAIL_ATTR_RWR_LOCAL) ? *************** *** 1923,1941 **** send_name_addr = var_smtp_send_xforward && (((session->features & SMTP_FEATURE_XFORWARD_NAME) ! 
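Review bot: `_ATTR_AVAIL_AND_KNOWN_` begins with an underscore followed by an upper-case letter, a spelling C reserves for the implementation, so the helper should be renamed, for example `#define ATTR_AVAIL_AND_KNOWN(val) (DEL_REQ_ATTR_AVAIL(val) && strcasecmp((val), "unknown") != 0)`. The macro block sits inside a function body just above `case SMTP_STATE_XFORWARD_NAME_ADDR:`, while the hunk at new line 1934 uses the same `CAN_FORWARD_*` names, so the later code depends on this definition appearing earlier in the file. Moving the block to file scope would make that dependency visible. A comment there should also say why HELO and the rewrite context keep the plain `DEL_REQ_ATTR_AVAIL` test, that is, why an "unknown" value is still forwarded for those two attributes. The hunks at new lines 1242 and 1934 only substitute the new names and need no separate change; the enclosing function starts and ends outside this hunk.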
&& DEL_REQ_ATTR_AVAIL(request->client_name)) || ((session->features & SMTP_FEATURE_XFORWARD_ADDR) ! && DEL_REQ_ATTR_AVAIL(request->client_addr)) || ((session->features & SMTP_FEATURE_XFORWARD_PORT) ! && DEL_REQ_ATTR_AVAIL(request->client_port))); session->send_proto_helo = var_smtp_send_xforward && (((session->features & SMTP_FEATURE_XFORWARD_PROTO) ! && DEL_REQ_ATTR_AVAIL(request->client_proto)) || ((session->features & SMTP_FEATURE_XFORWARD_HELO) ! && DEL_REQ_ATTR_AVAIL(request->client_helo)) || ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN) ! && DEL_REQ_ATTR_AVAIL(request->rewrite_context))); if (send_name_addr) recv_state = send_state = SMTP_STATE_XFORWARD_NAME_ADDR; else if (session->send_proto_helo) --- 1934,1952 ---- send_name_addr = var_smtp_send_xforward && (((session->features & SMTP_FEATURE_XFORWARD_NAME) ! && CAN_FORWARD_CLIENT_NAME(request->client_name)) || ((session->features & SMTP_FEATURE_XFORWARD_ADDR) ! && CAN_FORWARD_CLIENT_ADDR(request->client_addr)) || ((session->features & SMTP_FEATURE_XFORWARD_PORT) ! && CAN_FORWARD_CLIENT_PORT(request->client_port))); session->send_proto_helo = var_smtp_send_xforward && (((session->features & SMTP_FEATURE_XFORWARD_PROTO) ! && CAN_FORWARD_PROTO_NAME(request->client_proto)) || ((session->features & SMTP_FEATURE_XFORWARD_HELO) ! && CAN_FORWARD_HELO_NAME(request->client_helo)) || ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN) ! && CAN_FORWARD_RWR_CONTEXT(request->rewrite_context))); if (send_name_addr) recv_state = send_state = SMTP_STATE_XFORWARD_NAME_ADDR; else if (session->send_proto_helo) diff -cr --new-file /var/tmp/postfix-2.6.6/src/tls/tls_certkey.c ./src/tls/tls_certkey.c *** /var/tmp/postfix-2.6.6/src/tls/tls_certkey.c Sat Nov 8 18:53:49 2008 --- ./src/tls/tls_certkey.c Wed Jun 2 08:28:22 2010 *************** *** 158,164 **** return (-1); /* logged */ if (*dcert_file && !set_cert_stuff(ctx, "DSA", dcert_file, dkey_file)) return (-1); /* logged */ ! 
#if OPENSSL_VERSION_NUMBER >= 0x00909000 && !defined(OPENSSL_NO_ECDH) if (*eccert_file && !set_cert_stuff(ctx, "ECDSA", eccert_file, eckey_file)) return (-1); /* logged */ #else --- 158,164 ---- return (-1); /* logged */ if (*dcert_file && !set_cert_stuff(ctx, "DSA", dcert_file, dkey_file)) return (-1); /* logged */ ! #if OPENSSL_VERSION_NUMBER >= 0x1000000fL && !defined(OPENSSL_NO_ECDH) if (*eccert_file && !set_cert_stuff(ctx, "ECDSA", eccert_file, eckey_file)) return (-1); /* logged */ #else diff -cr --new-file /var/tmp/postfix-2.6.6/src/tls/tls_client.c ./src/tls/tls_client.c *** /var/tmp/postfix-2.6.6/src/tls/tls_client.c Sat Nov 8 18:51:41 2008 --- ./src/tls/tls_client.c Wed Jun 2 08:28:22 2010 *************** *** 725,731 **** int protomask; const char *cipher_list; SSL_SESSION *session; ! SSL_CIPHER *cipher; X509 *peercert; TLS_SESS_STATE *TLScontext; TLS_APPL_STATE *app_ctx = props->ctx; --- 725,731 ---- int protomask; const char *cipher_list; SSL_SESSION *session; ! const SSL_CIPHER *cipher; X509 *peercert; TLS_SESS_STATE *TLScontext; TLS_APPL_STATE *app_ctx = props->ctx; diff -cr --new-file /var/tmp/postfix-2.6.6/src/tls/tls_dh.c ./src/tls/tls_dh.c *** /var/tmp/postfix-2.6.6/src/tls/tls_dh.c Sun Nov 9 15:11:14 2008 --- ./src/tls/tls_dh.c Wed Jun 2 08:28:22 2010 *************** *** 205,211 **** int tls_set_eecdh_curve(SSL_CTX *server_ctx, const char *grade) { ! #if OPENSSL_VERSION_NUMBER >= 0x00909000 && !defined(OPENSSL_NO_ECDH) int nid; EC_KEY *ecdh; const char *curve; --- 205,211 ---- int tls_set_eecdh_curve(SSL_CTX *server_ctx, const char *grade) { ! #if OPENSSL_VERSION_NUMBER >= 0x1000000fL && !defined(OPENSSL_NO_ECDH) int nid; EC_KEY *ecdh; const char *curve; diff -cr --new-file /var/tmp/postfix-2.6.6/src/tls/tls_server.c ./src/tls/tls_server.c *** /var/tmp/postfix-2.6.6/src/tls/tls_server.c Sat Nov 8 18:51:48 2008 --- ./src/tls/tls_server.c Wed Jun 2 08:28:22 2010 *************** *** 554,560 **** { int sts; TLS_SESS_STATE *TLScontext; ! 
SSL_CIPHER *cipher; X509 *peer; char buf[CCERT_BUFSIZ]; const char *cipher_list; --- 554,560 ---- { int sts; TLS_SESS_STATE *TLScontext; ! const SSL_CIPHER *cipher; X509 *peer; char buf[CCERT_BUFSIZ]; const char *cipher_list; diff -cr --new-file /var/tmp/postfix-2.6.6/src/util/dict_db.c ./src/util/dict_db.c *** /var/tmp/postfix-2.6.6/src/util/dict_db.c Thu Jan 4 09:06:07 2007 --- ./src/util/dict_db.c Thu Jun 3 10:39:38 2010 *************** *** 664,670 **** msg_fatal("set DB cache size %d: %m", dict_db_cache_size); if (type == DB_HASH && db->set_h_nelem(db, DICT_DB_NELM) != 0) msg_fatal("set DB hash element count %d: %m", DICT_DB_NELM); ! #if (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR > 0) if ((errno = db->open(db, 0, db_path, 0, type, db_flags, 0644)) != 0) msg_fatal("open database %s: %m", db_path); #elif (DB_VERSION_MAJOR == 3 || DB_VERSION_MAJOR == 4) --- 664,670 ---- msg_fatal("set DB cache size %d: %m", dict_db_cache_size); if (type == DB_HASH && db->set_h_nelem(db, DICT_DB_NELM) != 0) msg_fatal("set DB hash element count %d: %m", DICT_DB_NELM); ! #if DB_VERSION_MAJOR == 5 || (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR > 0) if ((errno = db->open(db, 0, db_path, 0, type, db_flags, 0644)) != 0) msg_fatal("open database %s: %m", db_path); #elif (DB_VERSION_MAJOR == 3 || DB_VERSION_MAJOR == 4) diff -cr --new-file /var/tmp/postfix-2.6.6/src/util/sys_defs.h ./src/util/sys_defs.h *** /var/tmp/postfix-2.6.6/src/util/sys_defs.h Fri Mar 19 20:24:15 2010 --- ./src/util/sys_defs.h Thu Jun 3 09:07:02 2010 *************** *** 208,214 **** #define DEF_DB_TYPE "hash" #define ALIAS_DB_MAP "hash:/etc/aliases" #define GETTIMEOFDAY(t) gettimeofday(t,(struct timezone *) 0) - #define RESOLVE_H_NEEDS_NAMESER8_COMPAT_H #define ROOT_PATH "/bin:/usr/bin:/sbin:/usr/sbin" #define USE_STATFS #define STATFS_IN_SYS_MOUNT_H --- 208,213 ----