Prereq: "2.6.15" diff -cr --new-file /var/tmp/postfix-2.6.15/src/global/mail_version.h ./src/global/mail_version.h *** /var/tmp/postfix-2.6.15/src/global/mail_version.h Tue Apr 24 13:59:17 2012 --- ./src/global/mail_version.h Sun May 20 18:12:59 2012 *************** *** 20,27 **** * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20120424" ! #define MAIL_VERSION_NUMBER "2.6.15" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE --- 20,27 ---- * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20120520" ! #define MAIL_VERSION_NUMBER "2.6.16" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -cr --new-file /var/tmp/postfix-2.6.15/HISTORY ./HISTORY *** /var/tmp/postfix-2.6.15/HISTORY Tue Apr 24 14:04:08 2012 --- ./HISTORY Sun May 20 18:08:10 2012 *************** *** 15628,15630 **** --- 15628,15660 ---- a patch by Victor Duchovni. Files: proto/TLS_README.html, proto/postconf.proto, tls/tls.h, tls/tls_misc.c, tls/tls_client.c, tls/tls_server.c. + + 20120425 + + Workaround: bugs in 10-year old gcc versions break compilation + with #ifdef inside a macro invocation (NOT: definition). + Files: tls/tls.h, tls/tls_client.c, tls/tls_server.c. + + 20120517 + + Workaround: to avoid crashes when the OpenSSL library is + updated without "postfix reload", the Postfix TLS session + cache ID now includes the OpenSSL library version number. + Note: this problem cannot be fixed in tlsmgr(8). Code by + Victor Duchovni. Files: tls/tls_server.c, tls_client.c. + + 20120520 + + Bugfix (introduced Postfix 2.4): the event_drain() function + was comparing bitmasks incorrectly causing the program to + always wait for the full time limit. This error affected + the unused postkick command, but only after s/fifo/unix/ + in master.cf. File: util/events.c. + + Cleanup: laptop users have always been able to avoid + unnecessary disk spin-up by doing s/fifo/unix/ in master.cf + (this is currently not supported on Solaris systems). + However, to make this work reliably, the "postqueue -f" + command must wait until its requests have reached the pickup + and qmgr servers before closing the UNIX-domain request + sockets. Files: postqueue/postqueue.c, postqueue/Makefile.in. diff -cr --new-file /var/tmp/postfix-2.6.15/src/postqueue/Makefile.in ./src/postqueue/Makefile.in *** /var/tmp/postfix-2.6.15/src/postqueue/Makefile.in Thu Jan 15 16:36:39 2009 --- ./src/postqueue/Makefile.in Sun May 20 18:07:33 2012 *************** *** 61,66 **** --- 61,67 ---- postqueue.o: ../../include/attr.h postqueue.o: ../../include/clean_env.h postqueue.o: ../../include/connect.h + postqueue.o: ../../include/events.h postqueue.o: ../../include/flush_clnt.h postqueue.o: ../../include/iostuff.h postqueue.o: ../../include/mail_conf.h diff -cr --new-file /var/tmp/postfix-2.6.15/src/postqueue/postqueue.c ./src/postqueue/postqueue.c *** /var/tmp/postfix-2.6.15/src/postqueue/postqueue.c Fri Apr 17 16:04:00 2009 --- ./src/postqueue/postqueue.c Sun May 20 18:07:33 2012 *************** *** 187,192 **** --- 187,193 ---- #include #include #include + #include /* Global library. */ *************** *** 352,357 **** --- 353,359 ---- if (mail_flush_maildrop() < 0) msg_fatal_status(EX_UNAVAILABLE, "Cannot flush mail queue - mail system is down"); + event_drain(2); } /* flush_site - flush mail for site */ diff -cr --new-file /var/tmp/postfix-2.6.15/src/tls/tls.h ./src/tls/tls.h *** /var/tmp/postfix-2.6.15/src/tls/tls.h Tue Apr 24 13:58:08 2012 --- ./src/tls/tls.h Sun May 20 09:55:00 2012 *************** *** 158,168 **** --- 158,172 ---- #define TLS_PROTOCOL_TLSv1_1 (1<<3) /* TLSv1_1 */ #else #define TLS_PROTOCOL_TLSv1_1 0 /* Unknown */ + #undef SSL_OP_NO_TLSv1_1 + #define SSL_OP_NO_TLSv1_1 0L /* Noop */ #endif #ifdef SSL_TXT_TLSV1_2 #define TLS_PROTOCOL_TLSv1_2 (1<<4) /* TLSv1_2 */ #else #define TLS_PROTOCOL_TLSv1_2 0 /* Unknown */ + #undef SSL_OP_NO_TLSv1_2 + #define SSL_OP_NO_TLSv1_2 0L /* Noop */ #endif #define TLS_KNOWN_PROTOCOLS \ ( TLS_PROTOCOL_SSLv2 | TLS_PROTOCOL_SSLv3 | TLS_PROTOCOL_TLSv1 \ diff -cr --new-file /var/tmp/postfix-2.6.15/src/tls/tls_client.c ./src/tls/tls_client.c *** /var/tmp/postfix-2.6.15/src/tls/tls_client.c Tue Apr 24 13:58:08 2012 --- ./src/tls/tls_client.c Sun May 20 09:55:02 2012 *************** *** 783,788 **** --- 783,794 ---- vstring_sprintf_append(myserverid, "&c=%s", cipher_list); /* + * Finally, salt the session key with the OpenSSL library version, + * (run-time, rather than compile-time, just in case that matters). + */ + vstring_sprintf_append(myserverid, "&l=%ld", (long) SSLeay()); + + /* * Allocate a new TLScontext for the new connection and get an SSL * structure. Add the location of TLScontext to the SSL to later retrieve * the information inside the tls_verify_certificate_callback(). *************** *** 814,825 **** if (protomask != 0) SSL_set_options(TLScontext->con, ((protomask & TLS_PROTOCOL_TLSv1) ? SSL_OP_NO_TLSv1 : 0L) - #ifdef SSL_OP_NO_TLSv1_1 | ((protomask & TLS_PROTOCOL_TLSv1_1) ? SSL_OP_NO_TLSv1_1 : 0L) - #endif - #ifdef SSL_OP_NO_TLSv1_2 | ((protomask & TLS_PROTOCOL_TLSv1_2) ? SSL_OP_NO_TLSv1_2 : 0L) - #endif | ((protomask & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L) | ((protomask & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L)); --- 820,827 ---- diff -cr --new-file /var/tmp/postfix-2.6.15/src/tls/tls_server.c ./src/tls/tls_server.c *** /var/tmp/postfix-2.6.15/src/tls/tls_server.c Tue Apr 24 13:58:08 2012 --- ./src/tls/tls_server.c Sun May 20 09:55:02 2012 *************** *** 150,158 **** #define GEN_CACHE_ID(buf, id, len, service) \ do { \ ! buf = vstring_alloc(2 * (len) + 1 + strlen(service) + 3); \ hex_encode(buf, (char *) (id), (len)); \ vstring_sprintf_append(buf, "&s=%s", (service)); \ } while (0) --- 150,159 ---- #define GEN_CACHE_ID(buf, id, len, service) \ do { \ ! buf = vstring_alloc(2 * (len + strlen(service))); \ hex_encode(buf, (char *) (id), (len)); \ vstring_sprintf_append(buf, "&s=%s", (service)); \ + vstring_sprintf_append(buf, "&l=%ld", (long) SSLeay()); \ } while (0) *************** *** 366,377 **** if (protomask != 0) SSL_CTX_set_options(server_ctx, ((protomask & TLS_PROTOCOL_TLSv1) ? SSL_OP_NO_TLSv1 : 0L) - #ifdef SSL_OP_NO_TLSv1_1 | ((protomask & TLS_PROTOCOL_TLSv1_1) ? SSL_OP_NO_TLSv1_1 : 0L) - #endif - #ifdef SSL_OP_NO_TLSv1_2 | ((protomask & TLS_PROTOCOL_TLSv1_2) ? SSL_OP_NO_TLSv1_2 : 0L) - #endif | ((protomask & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L) | ((protomask & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L)); --- 367,374 ---- diff -cr --new-file /var/tmp/postfix-2.6.15/src/util/events.c ./src/util/events.c *** /var/tmp/postfix-2.6.15/src/util/events.c Tue Aug 26 17:43:41 2008 --- ./src/util/events.c Sun May 20 16:59:13 2012 *************** *** 174,179 **** --- 174,180 ---- #define EVENT_MASK_SET(fd, mask) FD_SET((fd), (mask)) #define EVENT_MASK_ISSET(fd, mask) FD_ISSET((fd), (mask)) #define EVENT_MASK_CLR(fd, mask) FD_CLR((fd), (mask)) + #define EVENT_MASK_CMP(m1, m2) memcmp((m1), (m2), EVENT_MASK_BYTE_COUNT(m1)) #else /* *************** *** 220,225 **** --- 221,228 ---- (EVENT_MASK_FD_BYTE((fd), (mask)) & EVENT_MASK_FD_BIT(fd)) #define EVENT_MASK_CLR(fd, mask) \ (EVENT_MASK_FD_BYTE((fd), (mask)) &= ~EVENT_MASK_FD_BIT(fd)) + #define EVENT_MASK_CMP(m1, m2) \ + memcmp((m1)->data, (m2)->data, EVENT_MASK_BYTE_COUNT(m1)) #endif /* *************** *** 635,642 **** max_time = event_present + time_limit; while (event_present < max_time && (event_timer_head.pred != &event_timer_head ! || memcmp(&zero_mask, &event_xmask, ! EVENT_MASK_BYTE_COUNT(&zero_mask)) != 0)) { event_loop(1); #if (EVENTS_STYLE != EVENTS_STYLE_SELECT) if (EVENT_MASK_BYTE_COUNT(&zero_mask) --- 638,644 ---- max_time = event_present + time_limit; while (event_present < max_time && (event_timer_head.pred != &event_timer_head ! || EVENT_MASK_CMP(&zero_mask, &event_xmask) != 0)) { event_loop(1); #if (EVENTS_STYLE != EVENTS_STYLE_SELECT) if (EVENT_MASK_BYTE_COUNT(&zero_mask)