Prereq: "2.8.15" diff -cr --new-file /var/tmp/postfix-2.8.15/src/global/mail_version.h ./src/global/mail_version.h *** /var/tmp/postfix-2.8.15/src/global/mail_version.h Sat Jun 22 18:39:28 2013 --- ./src/global/mail_version.h Thu Sep 5 08:51:56 2013 *************** *** 20,27 **** * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20130622" ! #define MAIL_VERSION_NUMBER "2.8.15" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE --- 20,27 ---- * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20130905" ! #define MAIL_VERSION_NUMBER "2.8.16" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -cr --new-file /var/tmp/postfix-2.8.15/HISTORY ./HISTORY *** /var/tmp/postfix-2.8.15/HISTORY Wed May 8 12:25:44 2013 --- ./HISTORY Sun Sep 1 18:42:01 2013 *************** *** 16915,16917 **** --- 16915,16940 ---- between different hostnames that resolve to the same IP address. Found during Postfix 2.11 code maintenance. File: smtp/smtp_connect.c. + + 20130518 + + Bugfix (introduced: 1997): memory leak after error while + forwarding mail through the cleanup server. Viktor found + one, Wietse eliminated the rest. File: local/forward.c. + + 20130615 + + TLS Interoperability: turn on SHA-2 digests by force. This + improves interoperability with clients and servers that + deploy SHA-2 digests without the required support for + TLSv1.2-style digest negotiation. Based on patch by Viktor + Dukhovni. Files: tls/tls_client.c, tls/tls_server.c. + + 20130616 + + Workaround: The Postfix SMTP server TLS session cache was + broken because OpenSSL now enables session tickets by + default, resulting in a different ticket encryption key for + each smtpd(8) process. The workaround turns off session + tickets. In 2.11 we'll enable session tickets properly. 
+ Viktor Dukhovni. File: tls/tls_server.c. diff -cr --new-file /var/tmp/postfix-2.8.15/RELEASE_NOTES ./RELEASE_NOTES *** /var/tmp/postfix-2.8.15/RELEASE_NOTES Tue Apr 24 15:58:33 2012 --- ./RELEASE_NOTES Thu Sep 5 08:47:50 2013 *************** *** 11,16 **** --- 11,46 ---- The mail_release_date configuration parameter (format: yyyymmdd) specifies the release date of a stable release or snapshot release. + Debian Exim before 4.80-3 interoperability workaround + ----------------------------------------------------- + + Debian Exim versions before 4.80-3 may fail to communicate with + Postfix and possibly other MTAs, with the following Exim SMTP client + error message: + + TLS error on connection to server-name [server-address] + (gnutls_handshake): The Diffie-Hellman prime sent by the server + is not acceptable (not long enough) + + This problem may affect Debian Exim versions before 4.80-3 that use + TLS with EDH (Ephemeral Diffie-Hellman) key exchanges. For details + see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=676563 + + To restore Postfix SMTP server interoperability with affected Exim + SMTP clients, configure the Postfix SMTP server to use a 2048-bit + prime number instead of 1024: + + # cd /etc/postfix + # openssl dhparam -out dh2048.pem 2048 + # postconf -e 'smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem' + + This change increases the CPU cost of EDH key exchanges (rarely a + problem for SMTP servers) and is unlikely to cause problems with + other SMTP client implementations. + + This problem should not affect EECDH (Ephemeral Elliptic Curve + Diffie-Hellman) key exchanges. 
+ Major changes with Postfix 2.8.10 --------------------------------- diff -cr --new-file /var/tmp/postfix-2.8.15/src/local/forward.c ./src/local/forward.c *** /var/tmp/postfix-2.8.15/src/local/forward.c Sat Jul 24 14:02:55 2010 --- ./src/local/forward.c Sun Sep 1 09:23:35 2013 *************** *** 118,123 **** --- 118,128 ---- FORWARD_INFO *info; VSTREAM *cleanup; + #define FORWARD_OPEN_RETURN(res) do { \ + vstring_free(buffer); \ + return (res); \ + } while (0) + /* * Contact the cleanup service and save the new mail queue id. Request * that the cleanup service bounces bad messages to the sender so that we *************** *** 129,141 **** */ cleanup = mail_connect(MAIL_CLASS_PUBLIC, var_cleanup_service, BLOCKING); if (cleanup == 0) ! return (0); close_on_exec(vstream_fileno(cleanup), CLOSE_ON_EXEC); if (attr_scan(cleanup, ATTR_FLAG_STRICT, ATTR_TYPE_STR, MAIL_ATTR_QUEUEID, buffer, ATTR_TYPE_END) != 1) { vstream_fclose(cleanup); ! return (0); } info = (FORWARD_INFO *) mymalloc(sizeof(FORWARD_INFO)); info->cleanup = cleanup; --- 134,146 ---- */ cleanup = mail_connect(MAIL_CLASS_PUBLIC, var_cleanup_service, BLOCKING); if (cleanup == 0) ! FORWARD_OPEN_RETURN(0); close_on_exec(vstream_fileno(cleanup), CLOSE_ON_EXEC); if (attr_scan(cleanup, ATTR_FLAG_STRICT, ATTR_TYPE_STR, MAIL_ATTR_QUEUEID, buffer, ATTR_TYPE_END) != 1) { vstream_fclose(cleanup); ! FORWARD_OPEN_RETURN(0); } info = (FORWARD_INFO *) mymalloc(sizeof(FORWARD_INFO)); info->cleanup = cleanup; *************** *** 190,197 **** PASS_ATTR(cleanup, MAIL_ATTR_LOG_IDENT, request->log_ident); PASS_ATTR(cleanup, MAIL_ATTR_RWR_CONTEXT, request->rewrite_context); ! vstring_free(buffer); ! return (info); } /* forward_append - append recipient to message envelope */ --- 195,201 ---- PASS_ATTR(cleanup, MAIL_ATTR_LOG_IDENT, request->log_ident); PASS_ATTR(cleanup, MAIL_ATTR_RWR_CONTEXT, request->rewrite_context); ! 
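Review bot: FORWARD_OPEN_RETURN is defined in the middle of the enclosing function's declarations, captures the local `buffer` by name, carries no comment and is never undefined, so the macro name stays visible for the rest of the translation unit after the function ends. Since the reason for it (freeing the VSTRING on every early-return path, which is the leak this patch fixes) is recorded only in HISTORY, I would add `/* Free the queue-id buffer on every exit path; see the mail_connect() and attr_scan() failure returns below. */` above the `#define`, and `#undef FORWARD_OPEN_RETURN` right after the function's closing brace in the 190,197 hunk, where the last use is. The same macro is used by the 129,141 hunk; the enclosing function (presumably forward_open, judging by the macro name) starts before the first hunk, and `buffer` is assumed to be the VSTRING allocated there.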
FORWARD_OPEN_RETURN(info); } /* forward_append - append recipient to message envelope */ diff -cr --new-file /var/tmp/postfix-2.8.15/src/tls/tls_client.c ./src/tls/tls_client.c *** /var/tmp/postfix-2.8.15/src/tls/tls_client.c Sun May 20 09:51:01 2012 --- ./src/tls/tls_client.c Sun Sep 1 09:23:42 2013 *************** *** 326,331 **** --- 326,349 ---- } /* + * Register SHA-2 digests, if implemented and not already registered. + * Improves interoperability with clients and servers that prematurely + * deploy SHA-2 certificates. + */ + #if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256) + if (!EVP_get_digestbyname(LN_sha224)) + EVP_add_digest(EVP_sha224()); + if (!EVP_get_digestbyname(LN_sha256)) + EVP_add_digest(EVP_sha256()); + #endif + #if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512) + if (!EVP_get_digestbyname(LN_sha384)) + EVP_add_digest(EVP_sha384()); + if (!EVP_get_digestbyname(LN_sha512)) + EVP_add_digest(EVP_sha512()); + #endif + + /* * If the administrator specifies an unsupported digest algorithm, fail * now, rather than in the middle of a TLS handshake. */ diff -cr --new-file /var/tmp/postfix-2.8.15/src/tls/tls_server.c ./src/tls/tls_server.c *** /var/tmp/postfix-2.8.15/src/tls/tls_server.c Sun May 20 09:51:01 2012 --- ./src/tls/tls_server.c Sun Sep 1 09:23:42 2013 *************** *** 335,340 **** --- 335,358 ---- } /* + * Register SHA-2 digests, if implemented and not already registered. + * Improves interoperability with clients and servers that prematurely + * deploy SHA-2 certificates. 
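Review bot: The SHA-2 registration block added here is repeated verbatim in the tls_server.c hunk at 335,340, so any later adjustment (an extra digest, a changed guard) has to be made in two places; I would move the two `#if` groups into one static helper in the tls library and call it from both context-initialisation paths. The guards gate EVP_sha224() on LN_sha256/NID_sha256 and EVP_sha384() on LN_sha512/NID_sha512, which I believe holds because OpenSSL builds those pairs together, but a line such as `/* SHA-224 and SHA-384 ship together with SHA-256 and SHA-512, so one guard covers each pair. */` would make the asymmetry look deliberate rather than accidental. EVP_add_digest() also returns a status that is dropped on all four calls; a failure only leaves the digest unregistered, so a debug-level log line would be sufficient handling. The enclosing function starts and ends outside the hunk.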
+ */ + #if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256) + if (!EVP_get_digestbyname(LN_sha224)) + EVP_add_digest(EVP_sha224()); + if (!EVP_get_digestbyname(LN_sha256)) + EVP_add_digest(EVP_sha256()); + #endif + #if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512) + if (!EVP_get_digestbyname(LN_sha384)) + EVP_add_digest(EVP_sha384()); + if (!EVP_get_digestbyname(LN_sha512)) + EVP_add_digest(EVP_sha512()); + #endif + + /* * If the administrator specifies an unsupported digest algorithm, fail * now, rather than in the middle of a TLS handshake. */ *************** *** 389,394 **** --- 407,415 ---- /* * Protocol work-arounds, OpenSSL version dependent. */ + #ifdef SSL_OP_NO_TICKET + off |= SSL_OP_NO_TICKET; + #endif off |= tls_bug_bits(); SSL_CTX_set_options(server_ctx, off);
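Review bot: `off |= SSL_OP_NO_TICKET;` is added under the generic "Protocol work-arounds" comment with nothing in the code saying why tickets are disabled; the reason, that OpenSSL now enables tickets by default and each smtpd(8) process ends up with a different ticket encryption key so ticket-based resumption never succeeds, lives only in the HISTORY entry for 20130616. I would put it next to the option: `/* Session tickets would use a different key in each smtpd(8) process, defeating resumption; disable them and rely on the session ID cache (see HISTORY 20130616). */`. With tickets off, resumption depends entirely on the server-side session cache, which is the intent of this workaround, and the comment should say so that a later reader does not read it as a hardening choice or remove it when tickets are enabled properly. The function containing this hunk starts and ends outside it.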