Prereq: "2.9.5" diff -cr --new-file /var/tmp/postfix-2.9.5/src/global/mail_version.h ./src/global/mail_version.h *** /var/tmp/postfix-2.9.5/src/global/mail_version.h Wed Dec 12 19:38:59 2012 --- ./src/global/mail_version.h Sun Feb 3 15:46:53 2013 *************** *** 20,27 **** * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20121213" ! #define MAIL_VERSION_NUMBER "2.9.5" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE --- 20,27 ---- * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20130203" ! #define MAIL_VERSION_NUMBER "2.9.6" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -cr --new-file /var/tmp/postfix-2.9.5/HISTORY ./HISTORY *** /var/tmp/postfix-2.9.5/HISTORY Mon Dec 10 09:03:51 2012 --- ./HISTORY Sun Feb 3 15:14:13 2013 *************** *** 17756,17758 **** --- 17756,17785 ---- This part of the code is not documented and had escaped testing. Files: util/ip_match.c, util/ip_match.in, util/ip_match.ref. + + 20121230 + + Bugfix (omission in feature 20111106): the postconf(1) + master.cf options parser didn't support "clusters" of + command-line option letters. File: postconf/postconf_master.c, + postconf/test40.ref. + + 20130131 + + Bugfix: the local(8) delivery agent dereferenced a null + pointer while delivering to null command (for example, "|" + in a .forward file). Reported by Gilles Chehade. + + 20130203 + + Bugfix: the undocumented OpenSSL X509_pubkey_digest() + function is unsuitable for computing certificate PUBLIC KEY + fingerprints. Postfix now provides a correct procedure + that accounts for the algorithm and parameters in addition + to the key data. Specify "tls_legacy_public_key_fingerprints + = yes" if you need backwards compatibility. Fix by Victor + Duchovni, BC added by Wietse. 
Files: tls/tls_verify.c, + tls/tls_misc.c, proto/TLS_README.html, global/mail_params.h. + + Bugfix: the 20121010 fix for tls_misc.c was documented but + not included. diff -cr --new-file /var/tmp/postfix-2.9.5/README_FILES/TLS_README ./README_FILES/TLS_README *** /var/tmp/postfix-2.9.5/README_FILES/TLS_README Tue Apr 24 15:20:56 2012 --- ./README_FILES/TLS_README Sun Feb 3 14:50:27 2013 *************** *** 462,467 **** --- 462,495 ---- /etc/postfix/relay_clientcerts: D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home + To extract the public key fingerprint from an X.509 certificate, you need to + extract the public key from the certificate and compute the appropriate digest + of its DER (ASN.1) encoding. With OpenSSL the "-pubkey" option of the "x509" + command extracts the public key always in "PEM" format. We pipe the result to + another OpenSSL command that converts the key to DER and then to the "dgst" + command to compute the fingerprint. + + The actual command to transform the key to DER format depends on the version of + OpenSSL used. With OpenSSL 1.0.0 and later, the "pkey" command supports all key + types. With OpenSSL 0.9.8 and earlier, the key type is always RSA (nobody uses + DSA, and EC keys are not fully supported by 0.9.8), so the "rsa" command is + used. + + # OpenSSL 1.0 with all certificates and SHA-1 fingerprints. + $ openssl x509 -in cert.pem -noout -pubkey | + openssl pkey -pubin -outform DER | + openssl dgst -sha1 -c + (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58 + + # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints. + $ openssl x509 -in cert.pem -noout -pubkey | + openssl rsa -pubin -outform DER | + openssl dgst -md5 -c + (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50 + + Note: Postfix 2.9.0-2.9.5 computed the public key fingerprint incorrectly. To + use public-key fingerprints, upgrade to Postfix 2.9.6 or later. 
+ SSeerrvveerr--ssiiddee cciipphheerr ccoonnttrroollss The Postfix SMTP server supports 5 distinct cipher security levels as specified *************** *** 823,828 **** --- 851,884 ---- match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1 match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35 + To extract the public key fingerprint from an X.509 certificate, you need to + extract the public key from the certificate and compute the appropriate digest + of its DER (ASN.1) encoding. With OpenSSL the "-pubkey" option of the "x509" + command extracts the public key always in "PEM" format. We pipe the result to + another OpenSSL command that converts the key to DER and then to the "dgst" + command to compute the fingerprint. + + The actual command to transform the key to DER format depends on the version of + OpenSSL used. With OpenSSL 1.0.0 and later, the "pkey" command supports all key + types. With OpenSSL 0.9.8 and earlier, the key type is always RSA (nobody uses + DSA, and EC keys are not fully supported by 0.9.8), so the "rsa" command is + used. + + # OpenSSL 1.0 with all certificates and SHA-1 fingerprints. + $ openssl x509 -in cert.pem -noout -pubkey | + openssl pkey -pubin -outform DER | + openssl dgst -sha1 -c + (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58 + + # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints. + $ openssl x509 -in cert.pem -noout -pubkey | + openssl rsa -pubin -outform DER | + openssl dgst -md5 -c + (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50 + + Note: Postfix 2.9.0-2.9.5 computed the public key fingerprint incorrectly. To + use public-key fingerprints, upgrade to Postfix 2.9.6 or later. 
+ MMaannddaattoorryy sseerrvveerr cceerrttiiffiiccaattee vveerriiffiiccaattiioonn At the "verify" TLS security level, messages are sent only over TLS encrypted diff -cr --new-file /var/tmp/postfix-2.9.5/RELEASE_NOTES ./RELEASE_NOTES *** /var/tmp/postfix-2.9.5/RELEASE_NOTES Tue Apr 24 15:58:33 2012 --- ./RELEASE_NOTES Sun Feb 3 15:22:53 2013 *************** *** 14,19 **** --- 14,49 ---- If you upgrade from Postfix 2.7 or earlier, read RELEASE_NOTES-2.8 before proceeding. + Major changes with Postfix 2.9.6 + -------------------------------- + + Thanks to OpenSSL documentation, the Postfix 2.9.0..2.9.5 SMTP + client and server computed incorrect TLS certificate PUBLIC-KEY + fingerprints. Support for certificate PUBLIC-KEY finger prints + was introduced with Postfix 2.9; there is no known problem with the + certificate fingerprint algorithms available since Postfix 2.2. + + Certificate PUBLIC-KEY finger prints may be used in the Postfix + SMTP server (with "check_ccert_access") and in the Postfix SMTP + client (with the "fingerprint" security level). + + Specify "tls_legacy_public_key_fingerprints = yes" temporarily, + pending a migration from configuration files with incorrect Postfix + 2.9.0..2.9.5 certificate PUBLIC-KEY finger prints, to the correct + fingerprints used by Postfix 2.9.6 and later. + + To compute the correct PUBLIC-KEY finger prints: + + # OpenSSL 1.0 with all certificates and SHA-1 fingerprints. + $ openssl x509 -in cert.pem -noout -pubkey | \ + openssl pkey -pubin -outform DER | \ + openssl dgst -sha1 -c + + # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints. 
+ $ openssl x509 -in cert.pem -noout -pubkey | \ + openssl rsa -pubin -outform DER | \ + openssl dgst -md5 -c + Major changes with Postfix 2.9.2 -------------------------------- diff -cr --new-file /var/tmp/postfix-2.9.5/html/TLS_README.html ./html/TLS_README.html *** /var/tmp/postfix-2.9.5/html/TLS_README.html Tue Apr 24 15:20:54 2012 --- ./html/TLS_README.html Sun Feb 3 14:50:24 2013 *************** *** 677,682 **** --- 677,715 ---- +

To extract the public key fingerprint from an X.509 certificate, + you need to extract the public key from the certificate and compute + the appropriate digest of its DER (ASN.1) encoding. With OpenSSL + the "-pubkey" option of the "x509" command extracts the public + key always in "PEM" format. We pipe the result to another OpenSSL + command that converts the key to DER and then to the "dgst" command + to compute the fingerprint.

+ +

The actual command to transform the key to DER format depends + on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the + "pkey" command supports all key types. With OpenSSL 0.9.8 and + earlier, the key type is always RSA (nobody uses DSA, and EC + keys are not fully supported by 0.9.8), so the "rsa" command is + used.

+
+
+ # OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
+ $ openssl x509 -in cert.pem -noout -pubkey |
+     openssl pkey -pubin -outform DER |
+     openssl dgst -sha1 -c
+ (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
+ 
+ # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
+ $ openssl x509 -in cert.pem -noout -pubkey |
+     openssl rsa -pubin -outform DER |
+     openssl dgst -md5 -c
+ (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
+ 
+
+

Note: Postfix 2.9.0–2.9.5 computed the public key + fingerprint incorrectly. To use public-key fingerprints, upgrade + to Postfix 2.9.6 or later.

+

Server-side cipher controls

The Postfix SMTP server supports 5 distinct cipher security levels *************** *** 1074,1080 **** not checked. Instead, the smtp_tls_fingerprint_cert_match parameter or the "match" attribute in the policy table lists the remote SMTP server certificate fingerprint or ! public key fingerprint (Postfix 2.9 and later).

If certificate fingerprints are exchanged securely, this is the strongest, and least scalable security level. The administrator needs --- 1107,1113 ---- not checked. Instead, the smtp_tls_fingerprint_cert_match parameter or the "match" attribute in the policy table lists the remote SMTP server certificate fingerprint or ! public key fingerprint (Postfix 2.9 and later).

If certificate fingerprints are exchanged securely, this is the strongest, and least scalable security level. The administrator needs *************** *** 1136,1141 **** --- 1169,1207 ---- +

To extract the public key fingerprint from an X.509 certificate, + you need to extract the public key from the certificate and compute + the appropriate digest of its DER (ASN.1) encoding. With OpenSSL + the "-pubkey" option of the "x509" command extracts the public + key always in "PEM" format. We pipe the result to another OpenSSL + command that converts the key to DER and then to the "dgst" command + to compute the fingerprint.

+ +

The actual command to transform the key to DER format depends + on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the + "pkey" command supports all key types. With OpenSSL 0.9.8 and + earlier, the key type is always RSA (nobody uses DSA, and EC + keys are not fully supported by 0.9.8), so the "rsa" command is + used.

+
+
+ # OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
+ $ openssl x509 -in cert.pem -noout -pubkey |
+     openssl pkey -pubin -outform DER |
+     openssl dgst -sha1 -c
+ (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
+ 
+ # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
+ $ openssl x509 -in cert.pem -noout -pubkey |
+     openssl rsa -pubin -outform DER |
+     openssl dgst -md5 -c
+ (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
+ 
+
+

Note: Postfix 2.9.0–2.9.5 computed the public key + fingerprint incorrectly. To use public-key fingerprints, upgrade + to Postfix 2.9.6 or later.

+

Mandatory server certificate verification

At the "verify" TLS security level, messages are sent only over diff -cr --new-file /var/tmp/postfix-2.9.5/html/postconf.5.html ./html/postconf.5.html *** /var/tmp/postfix-2.9.5/html/postconf.5.html Tue Apr 24 15:20:56 2012 --- ./html/postconf.5.html Sun Feb 3 15:53:45 2013 *************** *** 8440,8445 **** --- 8440,8449 ---- an appropriate access(5) policy for each client. See RESTRICTION_CLASS_README.

+

Note: Postfix 2.9.0–2.9.5 computed the public key + fingerprint incorrectly. To use public-key fingerprints, upgrade + to Postfix 2.9.6 or later.

+

This feature is available with Postfix version 2.2.

*************** *** 10895,10905 **** !

Public key fingerprints are more difficult to extract, however, ! the SHA-1 public key fingerprint is often present as the value of the ! "Subject Key Identifier" extension in X.509v3 certificates. The Postfix ! SMTP server and client log the peer certificate fingerprint and public ! key fingerprint when TLS loglevel is 1 or higher.

This feature is available in Postfix 2.5 and later.

--- 10899,10945 ---- !

To extract the public key fingerprint from an X.509 certificate, ! you need to extract the public key from the certificate and compute ! the appropriate digest of its DER (ASN.1) encoding. With OpenSSL ! the "-pubkey" option of the "x509" command extracts the public ! key always in "PEM" format. We pipe the result to another OpenSSL ! command that converts the key to DER and then to the "dgst" command ! to compute the fingerprint.

! !

The actual command to transform the key to DER format depends ! on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the ! "pkey" command supports all key types. With OpenSSL 0.9.8 and ! earlier, the key type is always RSA (nobody uses DSA, and EC ! keys are not fully supported by 0.9.8), so the "rsa" command is ! used.

!
!
! # OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
! $ openssl x509 -in cert.pem -noout -pubkey |
!     openssl pkey -pubin -outform DER |
!     openssl dgst -sha1 -c
! (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
! 
!
! !
!
! # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
! $ openssl x509 -in cert.pem -noout -pubkey |
!     openssl rsa -pubin -outform DER |
!     openssl dgst -md5 -c
! (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
! 
!
! !

The Postfix SMTP server and client log the peer (leaf) certificate ! fingerprint and public key fingerprint when TLS loglevel is 1 or ! higher.

! !

Note: Postfix 2.9.0–2.9.5 computed the public key ! fingerprint incorrectly. To use public-key fingerprints, upgrade ! to Postfix 2.9.6 or later.

This feature is available in Postfix 2.5 and later.

*************** *** 14688,14698 **** !

Public key fingerprints are more difficult to extract, however, ! the SHA-1 public key fingerprint is often present as the value of the ! "Subject Key Identifier" extension in X.509v3 certificates. The Postfix ! SMTP server and client log the peer certificate fingerprint and public ! key fingerprint when TLS loglevel is 1 or higher.

Example: client-certificate access table, with sha1 fingerprints:

--- 14728,14774 ---- !

To extract the public key fingerprint from an X.509 certificate, ! you need to extract the public key from the certificate and compute ! the appropriate digest of its DER (ASN.1) encoding. With OpenSSL ! the "-pubkey" option of the "x509" command extracts the public ! key always in "PEM" format. We pipe the result to another OpenSSL ! command that converts the key to DER and then to the "dgst" command ! to compute the fingerprint.

! !

The actual command to transform the key to DER format depends ! on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the ! "pkey" command supports all key types. With OpenSSL 0.9.8 and ! earlier, the key type is always RSA (nobody uses DSA, and EC ! keys are not fully supported by 0.9.8), so the "rsa" command is ! used.

!
!
! # OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
! $ openssl x509 -in cert.pem -noout -pubkey |
!     openssl pkey -pubin -outform DER |
!     openssl dgst -sha1 -c
! (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
! 
!
! !
!
! # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
! $ openssl x509 -in cert.pem -noout -pubkey |
!     openssl rsa -pubin -outform DER |
!     openssl dgst -md5 -c
! (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
! 
!
! !

The Postfix SMTP server and client log the peer (leaf) certificate ! fingerprint and public key fingerprint when TLS loglevel is 1 or ! higher.

! !

Note: Postfix 2.9.0–2.9.5 computed the public key ! fingerprint incorrectly. To use public-key fingerprints, upgrade ! to Postfix 2.9.6 or later.

Example: client-certificate access table, with sha1 fingerprints:

*************** *** 15587,15592 **** --- 15663,15687 ---- +
tls_legacy_public_key_fingerprints + (default: no)
+ +

A temporary migration aid for sites that use certificate + public-key fingerprints with Postfix 2.9.0..2.9.5, which use + an incorrect algorithm. This parameter has no effect on the certificate + fingerprint support that is available since Postfix 2.2.

+ +

Specify "tls_legacy_public_key_fingerprints = yes" temporarily, + pending a migration from configuration files with incorrect Postfix + 2.9.0..2.9.5 certificate public-key finger prints, to the correct + fingerprints used by Postfix 2.9.6 and later. To compute the correct + certificate public-key fingerprints, see TLS_README.

+ +

This feature is available in Postfix 2.9.6 and later.

+ + +
+
tls_low_cipherlist (default: ALL:!EXPORT:+RC4:@STRENGTH)
diff -cr --new-file /var/tmp/postfix-2.9.5/man/man5/postconf.5 ./man/man5/postconf.5 *** /var/tmp/postfix-2.9.5/man/man5/postconf.5 Tue Apr 24 15:20:56 2012 --- ./man/man5/postconf.5 Sun Feb 3 15:53:46 2013 *************** *** 4887,4892 **** --- 4887,4896 ---- an appropriate \fBaccess\fR(5) policy for each client. See RESTRICTION_CLASS_README. .PP + \fBNote:\fR Postfix 2.9.0–2.9.5 computed the public key + fingerprint incorrectly. To use public-key fingerprints, upgrade + to Postfix 2.9.6 or later. + .PP This feature is available with Postfix version 2.2. .SH relay_destination_concurrency_limit (default: $default_destination_concurrency_limit) The maximal number of parallel deliveries to the same destination *************** *** 6534,6544 **** .ft R .in -4 .PP ! Public key fingerprints are more difficult to extract, however, ! the SHA-1 public key fingerprint is often present as the value of the ! "Subject Key Identifier" extension in X.509v3 certificates. The Postfix ! SMTP server and client log the peer certificate fingerprint and public ! key fingerprint when TLS loglevel is 1 or higher. .PP This feature is available in Postfix 2.5 and later. .SH smtp_tls_key_file (default: $smtp_tls_cert_file) --- 6538,6593 ---- .ft R .in -4 .PP ! To extract the public key fingerprint from an X.509 certificate, ! you need to extract the public key from the certificate and compute ! the appropriate digest of its DER (ASN.1) encoding. With OpenSSL ! the "-pubkey" option of the "x509" command extracts the public ! key always in "PEM" format. We pipe the result to another OpenSSL ! command that converts the key to DER and then to the "dgst" command ! to compute the fingerprint. ! .PP ! The actual command to transform the key to DER format depends ! on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the ! "pkey" command supports all key types. With OpenSSL 0.9.8 and ! earlier, the key type is always RSA (nobody uses DSA, and EC ! 
keys are not fully supported by 0.9.8), so the "rsa" command is ! used. ! .sp ! .in +4 ! .nf ! .na ! .ft C ! # OpenSSL 1.0 with all certificates and SHA-1 fingerprints. ! $ openssl x509 -in cert.pem -noout -pubkey | ! openssl pkey -pubin -outform DER | ! openssl dgst -sha1 -c ! (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58 ! .fi ! .ad ! .ft R ! .in -4 ! .sp ! .in +4 ! .nf ! .na ! .ft C ! # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints. ! $ openssl x509 -in cert.pem -noout -pubkey | ! openssl rsa -pubin -outform DER | ! openssl dgst -md5 -c ! (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50 ! .fi ! .ad ! .ft R ! .in -4 ! .PP ! The Postfix SMTP server and client log the peer (leaf) certificate ! fingerprint and public key fingerprint when TLS loglevel is 1 or ! higher. ! .PP ! \fBNote:\fR Postfix 2.9.0–2.9.5 computed the public key ! fingerprint incorrectly. To use public-key fingerprints, upgrade ! to Postfix 2.9.6 or later. .PP This feature is available in Postfix 2.5 and later. .SH smtp_tls_key_file (default: $smtp_tls_cert_file) *************** *** 9426,9436 **** .ft R .in -4 .PP ! Public key fingerprints are more difficult to extract, however, ! the SHA-1 public key fingerprint is often present as the value of the ! "Subject Key Identifier" extension in X.509v3 certificates. The Postfix ! SMTP server and client log the peer certificate fingerprint and public ! key fingerprint when TLS loglevel is 1 or higher. .PP Example: client-certificate access table, with sha1 fingerprints: .sp --- 9475,9530 ---- .ft R .in -4 .PP ! To extract the public key fingerprint from an X.509 certificate, ! you need to extract the public key from the certificate and compute ! the appropriate digest of its DER (ASN.1) encoding. With OpenSSL ! the "-pubkey" option of the "x509" command extracts the public ! key always in "PEM" format. We pipe the result to another OpenSSL ! command that converts the key to DER and then to the "dgst" command ! 
to compute the fingerprint. ! .PP ! The actual command to transform the key to DER format depends ! on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the ! "pkey" command supports all key types. With OpenSSL 0.9.8 and ! earlier, the key type is always RSA (nobody uses DSA, and EC ! keys are not fully supported by 0.9.8), so the "rsa" command is ! used. ! .sp ! .in +4 ! .nf ! .na ! .ft C ! # OpenSSL 1.0 with all certificates and SHA-1 fingerprints. ! $ openssl x509 -in cert.pem -noout -pubkey | ! openssl pkey -pubin -outform DER | ! openssl dgst -sha1 -c ! (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58 ! .fi ! .ad ! .ft R ! .in -4 ! .sp ! .in +4 ! .nf ! .na ! .ft C ! # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints. ! $ openssl x509 -in cert.pem -noout -pubkey | ! openssl rsa -pubin -outform DER | ! openssl dgst -md5 -c ! (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50 ! .fi ! .ad ! .ft R ! .in -4 ! .PP ! The Postfix SMTP server and client log the peer (leaf) certificate ! fingerprint and public key fingerprint when TLS loglevel is 1 or ! higher. ! .PP ! \fBNote:\fR Postfix 2.9.0–2.9.5 computed the public key ! fingerprint incorrectly. To use public-key fingerprints, upgrade ! to Postfix 2.9.6 or later. .PP Example: client-certificate access table, with sha1 fingerprints: .sp *************** *** 10075,10080 **** --- 10169,10187 ---- OpenSSL releases. .PP This feature is available in Postfix 2.3 and later. + .SH tls_legacy_public_key_fingerprints (default: no) + A temporary migration aid for sites that use certificate + \fIpublic-key\fR fingerprints with Postfix 2.9.0..2.9.5, which use + an incorrect algorithm. This parameter has no effect on the certificate + fingerprint support that is available since Postfix 2.2. 
+ .PP + Specify "tls_legacy_public_key_fingerprints = yes" temporarily, + pending a migration from configuration files with incorrect Postfix + 2.9.0..2.9.5 certificate public-key finger prints, to the correct + fingerprints used by Postfix 2.9.6 and later. To compute the correct + certificate public-key fingerprints, see TLS_README. + .PP + This feature is available in Postfix 2.9.6 and later. .SH tls_low_cipherlist (default: ALL:!EXPORT:+RC4:@STRENGTH) The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines the meaning of the "low" setting in smtpd_tls_mandatory_ciphers, diff -cr --new-file /var/tmp/postfix-2.9.5/mantools/postlink ./mantools/postlink *** /var/tmp/postfix-2.9.5/mantools/postlink Fri Dec 9 13:43:40 2011 --- ./mantools/postlink Sun Feb 3 14:49:54 2013 *************** *** 689,694 **** --- 689,695 ---- s;\btls_preempt_cipherlist\b;$&;g; s;\btls_disable_workarounds\b;$&;g; s;\btls_append_default_CA\b;$&;g; + s;\btls_legacy_public_key_fingerprints\b;$&;g; s;\bfrozen_delivered_to\b;$&;g; s;\breset_owner_alias\b;$&;g; diff -cr --new-file /var/tmp/postfix-2.9.5/proto/TLS_README.html ./proto/TLS_README.html *** /var/tmp/postfix-2.9.5/proto/TLS_README.html Tue Apr 24 13:07:22 2012 --- ./proto/TLS_README.html Sun Feb 3 14:49:54 2013 *************** *** 677,682 **** --- 677,715 ---- +

To extract the public key fingerprint from an X.509 certificate, + you need to extract the public key from the certificate and compute + the appropriate digest of its DER (ASN.1) encoding. With OpenSSL + the "-pubkey" option of the "x509" command extracts the public + key always in "PEM" format. We pipe the result to another OpenSSL + command that converts the key to DER and then to the "dgst" command + to compute the fingerprint.

+ +

The actual command to transform the key to DER format depends + on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the + "pkey" command supports all key types. With OpenSSL 0.9.8 and + earlier, the key type is always RSA (nobody uses DSA, and EC + keys are not fully supported by 0.9.8), so the "rsa" command is + used.

+
+
+ # OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
+ $ openssl x509 -in cert.pem -noout -pubkey |
+     openssl pkey -pubin -outform DER |
+     openssl dgst -sha1 -c
+ (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
+ 
+ # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
+ $ openssl x509 -in cert.pem -noout -pubkey |
+     openssl rsa -pubin -outform DER |
+     openssl dgst -md5 -c
+ (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
+ 
+
+

Note: Postfix 2.9.0–2.9.5 computed the public key + fingerprint incorrectly. To use public-key fingerprints, upgrade + to Postfix 2.9.6 or later.

+

Server-side cipher controls

The Postfix SMTP server supports 5 distinct cipher security levels *************** *** 1074,1080 **** not checked. Instead, the smtp_tls_fingerprint_cert_match parameter or the "match" attribute in the policy table lists the remote SMTP server certificate fingerprint or ! public key fingerprint (Postfix 2.9 and later).

If certificate fingerprints are exchanged securely, this is the strongest, and least scalable security level. The administrator needs --- 1107,1113 ---- not checked. Instead, the smtp_tls_fingerprint_cert_match parameter or the "match" attribute in the policy table lists the remote SMTP server certificate fingerprint or ! public key fingerprint (Postfix 2.9 and later).

If certificate fingerprints are exchanged securely, this is the strongest, and least scalable security level. The administrator needs *************** *** 1136,1141 **** --- 1169,1207 ---- +

To extract the public key fingerprint from an X.509 certificate, + you need to extract the public key from the certificate and compute + the appropriate digest of its DER (ASN.1) encoding. With OpenSSL + the "-pubkey" option of the "x509" command extracts the public + key always in "PEM" format. We pipe the result to another OpenSSL + command that converts the key to DER and then to the "dgst" command + to compute the fingerprint.

+ +

The actual command to transform the key to DER format depends + on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the + "pkey" command supports all key types. With OpenSSL 0.9.8 and + earlier, the key type is always RSA (nobody uses DSA, and EC + keys are not fully supported by 0.9.8), so the "rsa" command is + used.

+
+
+ # OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
+ $ openssl x509 -in cert.pem -noout -pubkey |
+     openssl pkey -pubin -outform DER |
+     openssl dgst -sha1 -c
+ (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
+ 
+ # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
+ $ openssl x509 -in cert.pem -noout -pubkey |
+     openssl rsa -pubin -outform DER |
+     openssl dgst -md5 -c
+ (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
+ 
+
+

Note: Postfix 2.9.0–2.9.5 computed the public key + fingerprint incorrectly. To use public-key fingerprints, upgrade + to Postfix 2.9.6 or later.

+

Mandatory server certificate verification

At the "verify" TLS security level, messages are sent only over diff -cr --new-file /var/tmp/postfix-2.9.5/proto/postconf.proto ./proto/postconf.proto *** /var/tmp/postfix-2.9.5/proto/postconf.proto Tue Apr 24 13:07:22 2012 --- ./proto/postconf.proto Sun Feb 3 15:53:34 2013 *************** *** 9065,9070 **** --- 9065,9074 ---- an appropriate access(5) policy for each client. See RESTRICTION_CLASS_README.

+

Note: Postfix 2.9.0–2.9.5 computed the public key + fingerprint incorrectly. To use public-key fingerprints, upgrade + to Postfix 2.9.6 or later.

+

This feature is available with Postfix version 2.2.

%PARAM smtpd_tls_cipherlist *************** *** 11489,11499 **** !

Public key fingerprints are more difficult to extract, however, ! the SHA-1 public key fingerprint is often present as the value of the ! "Subject Key Identifier" extension in X.509v3 certificates. The Postfix ! SMTP server and client log the peer certificate fingerprint and public ! key fingerprint when TLS loglevel is 1 or higher.

This feature is available in Postfix 2.5 and later.

--- 11493,11539 ---- !

To extract the public key fingerprint from an X.509 certificate, ! you need to extract the public key from the certificate and compute ! the appropriate digest of its DER (ASN.1) encoding. With OpenSSL ! the "-pubkey" option of the "x509" command extracts the public ! key always in "PEM" format. We pipe the result to another OpenSSL ! command that converts the key to DER and then to the "dgst" command ! to compute the fingerprint.

! !

The actual command to transform the key to DER format depends ! on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the ! "pkey" command supports all key types. With OpenSSL 0.9.8 and ! earlier, the key type is always RSA (nobody uses DSA, and EC ! keys are not fully supported by 0.9.8), so the "rsa" command is ! used.

!
!
! # OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
! $ openssl x509 -in cert.pem -noout -pubkey |
!     openssl pkey -pubin -outform DER |
!     openssl dgst -sha1 -c
! (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
! 
!
! !
!
! # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
! $ openssl x509 -in cert.pem -noout -pubkey |
!     openssl rsa -pubin -outform DER |
!     openssl dgst -md5 -c
! (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
! 
!
! !

The Postfix SMTP server and client log the peer (leaf) certificate ! fingerprint and public key fingerprint when TLS loglevel is 1 or ! higher.

! !

Note: Postfix 2.9.0–2.9.5 computed the public key ! fingerprint incorrectly. To use public-key fingerprints, upgrade ! to Postfix 2.9.6 or later.

This feature is available in Postfix 2.5 and later.

*************** *** 11607,11617 **** !

Public key fingerprints are more difficult to extract, however, ! the SHA-1 public key fingerprint is often present as the value of the ! "Subject Key Identifier" extension in X.509v3 certificates. The Postfix ! SMTP server and client log the peer certificate fingerprint and public ! key fingerprint when TLS loglevel is 1 or higher.

Example: client-certificate access table, with sha1 fingerprints:

--- 11647,11693 ---- !

To extract the public key fingerprint from an X.509 certificate, ! you need to extract the public key from the certificate and compute ! the appropriate digest of its DER (ASN.1) encoding. With OpenSSL ! the "-pubkey" option of the "x509" command extracts the public ! key always in "PEM" format. We pipe the result to another OpenSSL ! command that converts the key to DER and then to the "dgst" command ! to compute the fingerprint.

! !

The actual command to transform the key to DER format depends ! on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the ! "pkey" command supports all key types. With OpenSSL 0.9.8 and ! earlier, the key type is always RSA (nobody uses DSA, and EC ! keys are not fully supported by 0.9.8), so the "rsa" command is ! used.

!
!
! # OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
! $ openssl x509 -in cert.pem -noout -pubkey |
!     openssl pkey -pubin -outform DER |
!     openssl dgst -sha1 -c
! (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
! 
!
! !
!
! # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
! $ openssl x509 -in cert.pem -noout -pubkey |
!     openssl rsa -pubin -outform DER |
!     openssl dgst -md5 -c
! (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
! 
!
! !

The Postfix SMTP server and client log the peer (leaf) certificate ! fingerprint and public key fingerprint when TLS loglevel is 1 or ! higher.

! !

Note: Postfix 2.9.0–2.9.5 computed the public key ! fingerprint incorrectly. To use public-key fingerprints, upgrade ! to Postfix 2.9.6 or later.

Example: client-certificate access table, with sha1 fingerprints:

*************** *** 13869,13874 **** --- 13945,13965 ----

This feature is available in Postfix 2.8 and later.

+ %PARAM tls_legacy_public_key_fingerprints no + +

A temporary migration aid for sites that use certificate + public-key fingerprints with Postfix 2.9.0..2.9.5, which use + an incorrect algorithm. This parameter has no effect on the certificate + fingerprint support that is available since Postfix 2.2.

+ +

Specify "tls_legacy_public_key_fingerprints = yes" temporarily, + pending a migration from configuration files with incorrect Postfix + 2.9.0..2.9.5 certificate public-key finger prints, to the correct + fingerprints used by Postfix 2.9.6 and later. To compute the correct + certificate public-key fingerprints, see TLS_README.

+ +

This feature is available in Postfix 2.9.6 and later.

+ %PARAM tlsproxy_watchdog_timeout 10s

How much time a tlsproxy(8) process may take to process local diff -cr --new-file /var/tmp/postfix-2.9.5/src/global/mail_params.h ./src/global/mail_params.h *** /var/tmp/postfix-2.9.5/src/global/mail_params.h Tue Apr 24 13:07:22 2012 --- ./src/global/mail_params.h Sun Feb 3 14:49:54 2013 *************** *** 3035,3040 **** --- 3035,3044 ---- #define DEF_TLS_BUG_TWEAKS TLS_BUG_TWEAKS extern char *var_tls_bug_tweaks; + #define VAR_TLS_BC_PKEY_FPRINT "tls_legacy_public_key_fingerprints" + #define DEF_TLS_BC_PKEY_FPRINT 0 + extern bool var_tls_bc_pkey_fprint; + /* * Sendmail-style mail filter support. */ diff -cr --new-file /var/tmp/postfix-2.9.5/src/postconf/Makefile.in ./src/postconf/Makefile.in *** /var/tmp/postfix-2.9.5/src/postconf/Makefile.in Sun Jan 22 10:55:21 2012 --- ./src/postconf/Makefile.in Sat Jan 5 14:59:51 2013 *************** *** 42,48 **** tests: test1 test2 test3 test4 test5 test6 test7 test8 test9 test10 test11 \ test12 test13 test14 test15 test16 test17 test18 test19 test20 test21 \ ! test22 test23 test24 test25 test26 test27 test28 test29 test30 root_tests: --- 42,48 ---- tests: test1 test2 test3 test4 test5 test6 test7 test8 test9 test10 test11 \ test12 test13 test14 test15 test16 test17 test18 test19 test20 test21 \ ! test22 test23 test24 test25 test26 test27 test28 test29 test30 test40 root_tests: *************** *** 414,419 **** --- 414,430 ---- diff test30.ref test30.tmp rm -f main.cf master.cf test30.tmp + test40: $(PROG) test40.ref + rm -f main.cf master.cf + touch main.cf master.cf + echo foo unix - n n - 0 other >> master.cf + echo ' -voaaa=bbb' >> master.cf + echo ' -vo ccc=$$aaa' >> master.cf + echo ' -v -oddd=$$ccc' >> master.cf + ./$(PROG) -Mfc . 
unix >test40.tmp 2>&1 + diff test40.ref test40.tmp + rm -f main.cf master.cf test40.tmp + printfck: $(OBJS) $(PROG) rm -rf printfck mkdir printfck diff -cr --new-file /var/tmp/postfix-2.9.5/src/postconf/postconf_master.c ./src/postconf/postconf_master.c *** /var/tmp/postfix-2.9.5/src/postconf/postconf_master.c Sat Jan 21 16:11:38 2012 --- ./src/postconf/postconf_master.c Mon Dec 31 16:23:52 2012 *************** *** 74,79 **** --- 74,81 ---- { int field; char *arg; + char *cp; + char *junk; /* * Normalize options to simplify later processing. *************** *** 82,87 **** --- 84,99 ---- arg = argv->argv[field]; if (arg[0] != '-' || strcmp(arg, "--") == 0) break; + for (cp = arg + 1; *cp; cp++) { + if (*cp == 'o' && cp > arg + 1) { + /* Split "-stuffo" into "-stuff" and "-o". */ + junk = concatenate("-", cp, (char *) 0); + argv_insert_one(argv, field + 1, junk); + myfree(junk); + *cp = 0; + break; + } + } if (strncmp(arg, "-o", 2) == 0) { if (arg[2] != 0) { /* Split "-oname=value" into "-o" "name=value". 
*/ diff -cr --new-file /var/tmp/postfix-2.9.5/src/postconf/test40.ref ./src/postconf/test40.ref *** /var/tmp/postfix-2.9.5/src/postconf/test40.ref Wed Dec 31 19:00:00 1969 --- ./src/postconf/test40.ref Mon Dec 31 16:32:31 2012 *************** *** 0 **** --- 1,4 ---- + foo unix - n n - 0 other -v + -o aaa=bbb -v + -o ccc=$aaa -v + -o ddd=$ccc diff -cr --new-file /var/tmp/postfix-2.9.5/src/tls/Makefile.in ./src/tls/Makefile.in *** /var/tmp/postfix-2.9.5/src/tls/Makefile.in Sun Jan 22 10:55:15 2012 --- ./src/tls/Makefile.in Sun Feb 3 15:17:01 2013 *************** *** 319,324 **** --- 319,325 ---- tls_stream.o: tls.h tls_stream.o: tls_stream.c tls_verify.o: ../../include/argv.h + tls_verify.o: ../../include/mail_params.h tls_verify.o: ../../include/msg.h tls_verify.o: ../../include/mymalloc.h tls_verify.o: ../../include/name_code.h diff -cr --new-file /var/tmp/postfix-2.9.5/src/tls/tls_misc.c ./src/tls/tls_misc.c *** /var/tmp/postfix-2.9.5/src/tls/tls_misc.c Sun Apr 22 18:08:04 2012 --- ./src/tls/tls_misc.c Sun Feb 3 14:58:42 2013 *************** *** 17,22 **** --- 17,23 ---- /* int var_tls_daemon_rand_bytes; /* bool var_tls_append_def_CA; /* bool var_tls_preempt_clist; + /* bool var_tls_bc_pkey_fprint; /* /* TLS_APPL_STATE *tls_alloc_app_context(ssl_ctx, log_mask) /* SSL_CTX *ssl_ctx; *************** *** 205,210 **** --- 206,212 ---- char *var_tls_eecdh_ultra; bool var_tls_append_def_CA; char *var_tls_bug_tweaks; + bool var_tls_bc_pkey_fprint; #ifdef VAR_TLS_PREEMPT_CLIST bool var_tls_preempt_clist; *************** *** 510,517 **** else include |= code = name_code(protocol_table, NAME_CODE_FLAG_NONE, tok); ! if (code == TLS_PROTOCOL_INVALID) return TLS_PROTOCOL_INVALID; } myfree(save); --- 512,521 ---- else include |= code = name_code(protocol_table, NAME_CODE_FLAG_NONE, tok); ! if (code == TLS_PROTOCOL_INVALID) { ! 
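Review bot: In the postconf_master.c hunk at new lines 84-99, the added cluster-splitting loop matches any later `o` in the argument, not only an option letter, so an attached value that contains that letter is cut in two. Tracing `-oname=foo` through the visible code, the leading `o` is skipped by `cp > arg + 1`, but the scan continues into the value and splits it into `-oname=f` and `-oo`. A clustered option that carries its own attached argument would be affected the same way. The test40 inputs added in Makefile.in (`aaa=bbb`, `ccc=$$aaa`, `ddd=$$ccc`) have no `o` in a value, so the new test does not exercise this. Guarding the scan with `if (arg[1] != 'o')` in front of the `for` would cover the `-o` case; the enclosing function begins and ends outside the hunk, so the handling of other argument-taking letters cannot be confirmed from here.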
myfree(save); return TLS_PROTOCOL_INVALID; + } } myfree(save); *************** *** 546,551 **** --- 550,556 ---- }; static const CONFIG_BOOL_TABLE bool_table[] = { VAR_TLS_APPEND_DEF_CA, DEF_TLS_APPEND_DEF_CA, &var_tls_append_def_CA, + VAR_TLS_BC_PKEY_FPRINT, DEF_TLS_BC_PKEY_FPRINT, &var_tls_bc_pkey_fprint, #if OPENSSL_VERSION_NUMBER >= 0x0090700fL /* OpenSSL 0.9.7 and later */ VAR_TLS_PREEMPT_CLIST, DEF_TLS_PREEMPT_CLIST, &var_tls_preempt_clist, #endif diff -cr --new-file /var/tmp/postfix-2.9.5/src/tls/tls_verify.c ./src/tls/tls_verify.c *** /var/tmp/postfix-2.9.5/src/tls/tls_verify.c Mon Dec 5 16:03:07 2011 --- ./src/tls/tls_verify.c Sun Feb 3 14:49:54 2013 *************** *** 23,28 **** --- 23,32 ---- /* X509 *peercert; /* const char *dgst; /* + /* char *tls_pkey_fprint(peercert, dgst) + /* X509 *peercert; + /* const char *dgst; + /* /* int tls_verify_certificate_callback(ok, ctx) /* int ok; /* X509_STORE_CTX *ctx; *************** *** 50,55 **** --- 54,64 ---- /* value is dynamically allocated with mymalloc(), and the caller /* must eventually free it with myfree(). /* + /* tls_pkey_fprint() returns a public-key fingerprint; in all + /* other respects the function behaves as tls_fingerprint(). + /* The var_tls_bc_pkey_fprint variable enables an incorrect + /* algorithm that was used in Postfix versions 2.9.[0-5]. + /* /* tls_verify_callback() is called several times (directly or /* indirectly) from crypto/x509/x509_vfy.c. It is called as /* a final check, and if it returns "0", the handshake is *************** *** 140,145 **** --- 149,158 ---- #include #include + /* Global library. */ + + #include + /* TLS library. */ #define TLS_INTERNAL *************** *** 490,503 **** return (cn ? cn : mystrdup("")); } ! typedef int (*x509_dgst_cb) (const X509 *, const EVP_MD *, unsigned char *, unsigned int *); ! ! /* tls_fprint - extract cert or pkey fingerprint from certificate */ ! static char *tls_fprint(X509 *peercert, x509_dgst_cb x509_dgst, ! const char *dgst) { ! 
const char *myname = "tls_fingerprint"; const EVP_MD *md_alg; unsigned char md_buf[EVP_MAX_MD_SIZE]; unsigned int md_len; --- 503,514 ---- return (cn ? cn : mystrdup("")); } ! /* tls_fprint - compute and encode digest of DER-encoded object */ ! static char *tls_fprint(const char *buf, int len, const char *dgst) { ! const char *myname = "tls_fprint"; ! EVP_MD_CTX *mdctx; const EVP_MD *md_alg; unsigned char md_buf[EVP_MAX_MD_SIZE]; unsigned int md_len; *************** *** 508,517 **** if ((md_alg = EVP_get_digestbyname(dgst)) == 0) msg_panic("%s: digest algorithm \"%s\" not found", myname, dgst); ! /* Fails when serialization to ASN.1 runs out of memory */ ! if (x509_dgst(peercert, md_alg, md_buf, &md_len) == 0) ! msg_fatal("%s: error computing certificate %s digest (out of memory?)", ! myname, dgst); /* Check for OpenSSL contract violation */ if (md_len > EVP_MAX_MD_SIZE || md_len >= INT_MAX / 3) --- 519,530 ---- if ((md_alg = EVP_get_digestbyname(dgst)) == 0) msg_panic("%s: digest algorithm \"%s\" not found", myname, dgst); ! mdctx = EVP_MD_CTX_create(); ! if (EVP_DigestInit_ex(mdctx, md_alg, NULL) == 0 ! || EVP_DigestUpdate(mdctx, buf, len) == 0 ! || EVP_DigestFinal_ex(mdctx, md_buf, &md_len) == 0) ! msg_fatal("%s: error computing %s message digest", myname, dgst); ! EVP_MD_CTX_destroy(mdctx); /* Check for OpenSSL contract violation */ if (md_len > EVP_MAX_MD_SIZE || md_len >= INT_MAX / 3) *************** *** 531,544 **** char *tls_fingerprint(X509 *peercert, const char *dgst) { ! return (tls_fprint(peercert, X509_digest, dgst)); } /* tls_pkey_fprint - extract public key fingerprint from certificate */ char *tls_pkey_fprint(X509 *peercert, const char *dgst) { ! return (tls_fprint(peercert, X509_pubkey_digest, dgst)); } #endif --- 544,598 ---- char *tls_fingerprint(X509 *peercert, const char *dgst) { ! int len; ! char *buf; ! char *buf2; ! char *result; ! ! len = i2d_X509(peercert, NULL); ! buf2 = buf = mymalloc(len); ! 
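Review bot: In the tls_verify.c hunk at new lines 519-530, the result of `EVP_MD_CTX_create()` is used without a null check, so an allocation failure reaches `EVP_DigestInit_ex()` with a null context instead of producing a clean error. The removed code reported the out-of-memory case explicitly, and the new path should keep that: `if ((mdctx = EVP_MD_CTX_create()) == 0) msg_fatal("%s: error allocating %s digest context (out of memory?)", myname, dgst);`. These fingerprints are matched against certificate access tables, so the failure should be an explicit fatal error rather than behaviour that depends on how the library treats a null context. The body of tls_fprint starts and ends outside this hunk.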
i2d_X509(peercert, (unsigned char **)&buf2); ! if (buf2 - buf != len) ! msg_panic("i2d_X509 invalid result length"); ! ! result = tls_fprint(buf, len, dgst); ! myfree(buf); ! ! return (result); } /* tls_pkey_fprint - extract public key fingerprint from certificate */ char *tls_pkey_fprint(X509 *peercert, const char *dgst) { ! if (var_tls_bc_pkey_fprint) { ! const char *myname = "tls_pkey_fprint"; ! ASN1_BIT_STRING *key; ! char *result; ! ! key = X509_get0_pubkey_bitstr(peercert); ! if (key == 0) ! msg_fatal("%s: error extracting legacy public-key fingerprint: %m", ! myname); ! ! result = tls_fprint((char *) key->data, key->length, dgst); ! return (result); ! } else { ! int len; ! char *buf; ! char *buf2; ! char *result; ! ! len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(peercert), NULL); ! buf2 = buf = mymalloc(len); ! i2d_X509_PUBKEY(X509_get_X509_PUBKEY(peercert), (unsigned char **) &buf2); ! if (buf2 - buf != len) ! msg_panic("i2d_X509_PUBKEY invalid result length"); ! ! result = tls_fprint(buf, len, dgst); ! myfree(buf); ! return (result); ! } } #endif diff -cr --new-file /var/tmp/postfix-2.9.5/src/util/exec_command.c ./src/util/exec_command.c *** /var/tmp/postfix-2.9.5/src/util/exec_command.c Tue Jan 18 20:22:18 2005 --- ./src/util/exec_command.c Fri Feb 1 16:52:30 2013 *************** *** 63,69 **** /* * See if this command contains any shell magic characters. */ ! if (command[strspn(command, ok_chars)] == 0) { /* * No shell meta characters found, so we can try to avoid the overhead --- 63,70 ---- /* * See if this command contains any shell magic characters. */ ! if (command[strspn(command, ok_chars)] == 0 ! && command[strspn(command, SPACE_TAB)] != 0) { /* * No shell meta characters found, so we can try to avoid the overhead
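Review bot: In the last tls_verify.c hunk (new lines 544-598), the length returned by the first `i2d_X509()` call in tls_fingerprint is passed straight to `mymalloc(len)`, although the i2d functions return a negative value when encoding fails. The `i2d_X509_PUBKEY()` length in the non-legacy branch of tls_pkey_fprint has the same gap. What `mymalloc()` does with a non-positive size is not visible here, so an explicit check such as `if (len <= 0) msg_fatal("i2d_X509: error encoding certificate");` would report the failure where it happens. In the legacy branch, `%m` appears to print errno, which `X509_get0_pubkey_bitstr()` is not documented to set, so that message may show an unrelated system error.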