Prereq: "2.7.0" diff -cr --new-file /var/tmp/postfix-2.7.0/src/global/mail_version.h ./src/global/mail_version.h *** /var/tmp/postfix-2.7.0/src/global/mail_version.h Sat Feb 13 21:02:01 2010 --- ./src/global/mail_version.h Tue Jun 8 08:30:42 2010 *************** *** 20,27 **** * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20100213" ! #define MAIL_VERSION_NUMBER "2.7.0" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE --- 20,27 ---- * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20100608" ! #define MAIL_VERSION_NUMBER "2.7.1" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -cr --new-file /var/tmp/postfix-2.7.0/HISTORY ./HISTORY *** /var/tmp/postfix-2.7.0/HISTORY Tue Feb 9 19:32:33 2010 --- ./HISTORY Fri Jun 4 08:42:42 2010 *************** *** 15729,15731 **** --- 15729,15770 ---- The tcp_table(5) interface is now part of the stable release. The last protocol change was in Postfix 2.1. File: util/dict_open.c. + + 20100515 + + Bugfix (introduced Postfix 2.6): the Postfix SMTP client + XFORWARD implementation did not skip "unknown" SMTP client + attributes, causing a syntax error when sending a PORT + attribute. Reported by Victor Duchovni. File: smtp/smtp_proto.c. + + 20100526 + + Cleanup: a unit-test driver (for stand-alone tests) was not + updated after an internal API change. Vesa-Matti J Kari + File: milter/milter.c. + + 20100529 + + Portability: OpenSSL 1.0.0 changes the priority of anonymous + cyphers. Victor Duchovni. Files: postconf.proto, + global/mail_params.h, tls/tls_certkey.c, tls/tls_client.c, + tls/tls_dh.c, tls/tls_server.c. + + Portability: Mac OS 10.6.3 requires + instead of . Files: makedefs, util/sys_defs.h, + dns/dns.h. 
+ + 20100531 + + Robustness: skip LDAP queries with non-ASCII search strings. + The LDAP library requires well-formed UTF-8. Victor Duchovni. + File: global/dict_ldap.c. + + 20100601 + + Safety: Postfix processes log a warning when a matchlist + has a #comment at the end of a line (for example mynetworks + or relay_domains). File: util/match_list.c. + + Portability: Berkeley DB 5.x has the same API as Berkeley + DB 4.1 and later. File: util/dict_db.c. diff -cr --new-file /var/tmp/postfix-2.7.0/html/postconf.5.html ./html/postconf.5.html *** /var/tmp/postfix-2.7.0/html/postconf.5.html Sat Feb 13 20:51:19 2010 --- ./html/postconf.5.html Tue Jun 1 20:01:35 2010 *************** *** 4428,4434 **** parameter. See there for details.

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 0.9.9 or later.

--- 4428,4434 ---- parameter. See there for details.

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 1.0.0 or later.

*************** *** 4440,4446 **** parameter. See there for details.

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 0.9.9 or later.

--- 4440,4446 ---- parameter. See there for details.

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 1.0.0 or later.

*************** *** 9357,9363 ****

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 0.9.9 or later.

--- 9357,9363 ----

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 1.0.0 or later.

*************** *** 9375,9381 **** to anyone else.

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 0.9.9 or later.

--- 9375,9381 ---- to anyone else.

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 1.0.0 or later.

*************** *** 12936,12942 ****

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 0.9.9 or later.

--- 12936,12942 ----

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 1.0.0 or later.

*************** *** 12954,12960 **** to anyone else.

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 0.9.9 or later.

--- 12954,12960 ---- to anyone else.

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 1.0.0 or later.

*************** *** 12988,12994 ****

This feature is available in Postfix 2.6 and later, when it is ! compiled and linked with OpenSSL 0.9.9 or later.

--- 12988,12994 ----

This feature is available in Postfix 2.6 and later, when it is ! compiled and linked with OpenSSL 1.0.0 or later.

*************** *** 13776,13782 **** latter name.

This feature is available in Postfix 2.6 and later, when it is ! compiled and linked with OpenSSL 0.9.9 or later.

--- 13776,13782 ---- latter name.

This feature is available in Postfix 2.6 and later, when it is ! compiled and linked with OpenSSL 1.0.0 or later.

*************** *** 13799,13805 **** classified as TOP SECRET.

This feature is available in Postfix 2.6 and later, when it is ! compiled and linked with OpenSSL 0.9.9 or later.

--- 13799,13805 ---- classified as TOP SECRET.

This feature is available in Postfix 2.6 and later, when it is ! compiled and linked with OpenSSL 1.0.0 or later.

*************** *** 13812,13818 **** smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is the cipherlist for the opportunistic ("may") TLS client security level and is the default cipherlist for the SMTP server. You are ! strongly encouraged to not change this setting.

This feature is available in Postfix 2.3 and later.

--- 13812,13822 ---- smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is the cipherlist for the opportunistic ("may") TLS client security level and is the default cipherlist for the SMTP server. You are ! strongly encouraged to not change this setting. With OpenSSL 1.0.0 and ! later the cipherlist may start with an "aNULL:" prefix, which restores ! the 0.9.8-compatible ordering of the aNULL ciphers to the top of the ! list when they are enabled. This prefix is not needed with previous ! OpenSSL releases.

This feature is available in Postfix 2.3 and later.

*************** *** 13825,13831 ****

The OpenSSL cipherlist for "HIGH" grade ciphers. This defines the meaning of the "high" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are ! strongly encouraged to not change this setting.

This feature is available in Postfix 2.3 and later.

--- 13829,13839 ----

The OpenSSL cipherlist for "HIGH" grade ciphers. This defines the meaning of the "high" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are ! strongly encouraged to not change this setting. With OpenSSL 1.0.0 and ! later the cipherlist may start with an "aNULL:" prefix, which restores ! the 0.9.8-compatible ordering of the aNULL ciphers to the top of the ! list when they are enabled. This prefix is not needed with previous ! OpenSSL releases.

This feature is available in Postfix 2.3 and later.

*************** *** 13838,13844 ****

The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines the meaning of the "low" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are ! strongly encouraged to not change this setting.

This feature is available in Postfix 2.3 and later.

--- 13846,13856 ----

The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines the meaning of the "low" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are ! strongly encouraged to not change this setting. With OpenSSL 1.0.0 and ! later the cipherlist may start with an "aNULL:" prefix, which restores ! the 0.9.8-compatible ordering of the aNULL ciphers to the top of the ! list when they are enabled. This prefix is not needed with previous ! OpenSSL releases.

This feature is available in Postfix 2.3 and later.

*************** *** 13854,13860 **** the default cipherlist for mandatory TLS encryption in the TLS client (with anonymous ciphers disabled when verifying server certificates). You are strongly encouraged to not change this ! setting.

This feature is available in Postfix 2.3 and later.

--- 13866,13875 ---- the default cipherlist for mandatory TLS encryption in the TLS client (with anonymous ciphers disabled when verifying server certificates). You are strongly encouraged to not change this ! setting. With OpenSSL 1.0.0 and later the cipherlist may start with an ! "aNULL:" prefix, which restores the 0.9.8-compatible ordering of the ! aNULL ciphers to the top of the list when they are enabled. This prefix ! is not needed with previous OpenSSL releases.

This feature is available in Postfix 2.3 and later.

diff -cr --new-file /var/tmp/postfix-2.7.0/makedefs ./makedefs *** /var/tmp/postfix-2.7.0/makedefs Wed Feb 3 15:58:58 2010 --- ./makedefs Thu Jun 3 09:00:02 2010 *************** *** 421,426 **** --- 421,431 ---- [1-6].*) CCARGS="$CCARGS -DNO_IPV6";; *) CCARGS="$CCARGS -DBIND_8_COMPAT -DNO_NETINFO";; esac + # Darwin 10.3.0 no longer has . + case $RELEASE in + ?.*) CCARGS="$CCARGS -DRESOLVE_H_NEEDS_NAMESER8_COMPAT_H";; + *) CCARGS="$CCARGS -DRESOLVE_H_NEEDS_ARPA_NAMESER_COMPAT_H";; + esac # kqueue and/or poll are broken up to and including MacOS X 10.5 CCARGS="$CCARGS -DNO_KQUEUE" # # Darwin 8.11.1 has kqueue support, but let's play safe diff -cr --new-file /var/tmp/postfix-2.7.0/man/man5/postconf.5 ./man/man5/postconf.5 *** /var/tmp/postfix-2.7.0/man/man5/postconf.5 Sat Feb 13 20:51:20 2010 --- ./man/man5/postconf.5 Tue Jun 1 20:01:35 2010 *************** *** 2414,2426 **** parameter. See there for details. .PP This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 0.9.9 or later. .SH lmtp_tls_eckey_file (default: empty) The LMTP-specific version of the smtp_tls_eckey_file configuration parameter. See there for details. .PP This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 0.9.9 or later. .SH lmtp_tls_enforce_peername (default: yes) The LMTP-specific version of the smtp_tls_enforce_peername configuration parameter. See there for details. --- 2414,2426 ---- parameter. See there for details. .PP This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 1.0.0 or later. .SH lmtp_tls_eckey_file (default: empty) The LMTP-specific version of the smtp_tls_eckey_file configuration parameter. See there for details. .PP This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 1.0.0 or later. 
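Review bot: The new `case $RELEASE in` block chooses between the two -D flags by the shape of the version string (`?.*` matches only a single-digit major), but the comment above it names one specific release, so the rule behind the boundary is not stated anywhere; a comment such as `# single-digit Darwin majors (1.x-9.x) still ship the nameser8 compat header; 10.x and later need the arpa/ variant` would make it explicit. The existing `case` a few lines up spells its pattern as `[1-6].*`, so `[1-9].*)` would match the local style and read more directly than `?.*)`, assuming RELEASE is always numeric here. Keeping the catch-all `*)` on the newer flag is the right default, since every Darwin version not yet seen is expected to be newer.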
.SH lmtp_tls_enforce_peername (default: yes) The LMTP-specific version of the smtp_tls_enforce_peername configuration parameter. See there for details. *************** *** 5423,5429 **** .ft R .PP This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 0.9.9 or later. .SH smtp_tls_eckey_file (default: $smtp_tls_eccert_file) File with the Postfix SMTP client ECDSA private key in PEM format. This file may be combined with the Postfix SMTP client ECDSA --- 5423,5429 ---- .ft R .PP This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 1.0.0 or later. .SH smtp_tls_eckey_file (default: $smtp_tls_eccert_file) File with the Postfix SMTP client ECDSA private key in PEM format. This file may be combined with the Postfix SMTP client ECDSA *************** *** 5435,5441 **** to anyone else. .PP This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 0.9.9 or later. .SH smtp_tls_enforce_peername (default: yes) With mandatory TLS encryption, require that the remote SMTP server hostname matches the information in the remote SMTP server --- 5435,5441 ---- to anyone else. .PP This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 1.0.0 or later. .SH smtp_tls_enforce_peername (default: yes) With mandatory TLS encryption, require that the remote SMTP server hostname matches the information in the remote SMTP server *************** *** 8129,8135 **** .ft R .PP This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 0.9.9 or later. .SH smtpd_tls_eckey_file (default: $smtpd_tls_eccert_file) File with the Postfix SMTP server ECDSA private key in PEM format. This file may be combined with the Postfix SMTP server ECDSA certificate --- 8129,8135 ---- .ft R .PP This feature is available in Postfix 2.6 and later, when Postfix is ! 
compiled and linked with OpenSSL 1.0.0 or later. .SH smtpd_tls_eckey_file (default: $smtpd_tls_eccert_file) File with the Postfix SMTP server ECDSA private key in PEM format. This file may be combined with the Postfix SMTP server ECDSA certificate *************** *** 8141,8147 **** to anyone else. .PP This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 0.9.9 or later. .SH smtpd_tls_eecdh_grade (default: see "postconf -d" output) The Postfix SMTP server security grade for ephemeral elliptic-curve Diffie-Hellman (EECDH) key exchange. --- 8141,8147 ---- to anyone else. .PP This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 1.0.0 or later. .SH smtpd_tls_eecdh_grade (default: see "postconf -d" output) The Postfix SMTP server security grade for ephemeral elliptic-curve Diffie-Hellman (EECDH) key exchange. *************** *** 8165,8171 **** users. .PP This feature is available in Postfix 2.6 and later, when it is ! compiled and linked with OpenSSL 0.9.9 or later. .SH smtpd_tls_exclude_ciphers (default: empty) List of ciphers or cipher types to exclude from the SMTP server cipher list at all TLS security levels. Excluding valid ciphers --- 8165,8171 ---- users. .PP This feature is available in Postfix 2.6 and later, when it is ! compiled and linked with OpenSSL 1.0.0 or later. .SH smtpd_tls_exclude_ciphers (default: empty) List of ciphers or cipher types to exclude from the SMTP server cipher list at all TLS security levels. Excluding valid ciphers *************** *** 8740,8746 **** latter name. .PP This feature is available in Postfix 2.6 and later, when it is ! compiled and linked with OpenSSL 0.9.9 or later. .SH tls_eecdh_ultra_curve (default: secp384r1) The elliptic curve used by the SMTP server for maximally strong ephemeral ECDH key exchange. This curve is used by the Postfix SMTP --- 8740,8746 ---- latter name. 
.PP This feature is available in Postfix 2.6 and later, when it is ! compiled and linked with OpenSSL 1.0.0 or later. .SH tls_eecdh_ultra_curve (default: secp384r1) The elliptic curve used by the SMTP server for maximally strong ephemeral ECDH key exchange. This curve is used by the Postfix SMTP *************** *** 8757,8784 **** classified as TOP SECRET. .PP This feature is available in Postfix 2.6 and later, when it is ! compiled and linked with OpenSSL 0.9.9 or later. .SH tls_export_cipherlist (default: ALL:+RC4:@STRENGTH) The OpenSSL cipherlist for "EXPORT" or higher grade ciphers. This defines the meaning of the "export" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is the cipherlist for the opportunistic ("may") TLS client security level and is the default cipherlist for the SMTP server. You are ! strongly encouraged to not change this setting. .PP This feature is available in Postfix 2.3 and later. .SH tls_high_cipherlist (default: ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH) The OpenSSL cipherlist for "HIGH" grade ciphers. This defines the meaning of the "high" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are ! strongly encouraged to not change this setting. .PP This feature is available in Postfix 2.3 and later. .SH tls_low_cipherlist (default: ALL:!EXPORT:+RC4:@STRENGTH) The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines the meaning of the "low" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are ! strongly encouraged to not change this setting. .PP This feature is available in Postfix 2.3 and later. .SH tls_medium_cipherlist (default: ALL:!EXPORT:!LOW:+RC4:@STRENGTH) --- 8757,8796 ---- classified as TOP SECRET. .PP This feature is available in Postfix 2.6 and later, when it is ! compiled and linked with OpenSSL 1.0.0 or later. 
.SH tls_export_cipherlist (default: ALL:+RC4:@STRENGTH) The OpenSSL cipherlist for "EXPORT" or higher grade ciphers. This defines the meaning of the "export" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is the cipherlist for the opportunistic ("may") TLS client security level and is the default cipherlist for the SMTP server. You are ! strongly encouraged to not change this setting. With OpenSSL 1.0.0 and ! later the cipherlist may start with an "aNULL:" prefix, which restores ! the 0.9.8-compatible ordering of the aNULL ciphers to the top of the ! list when they are enabled. This prefix is not needed with previous ! OpenSSL releases. .PP This feature is available in Postfix 2.3 and later. .SH tls_high_cipherlist (default: ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH) The OpenSSL cipherlist for "HIGH" grade ciphers. This defines the meaning of the "high" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are ! strongly encouraged to not change this setting. With OpenSSL 1.0.0 and ! later the cipherlist may start with an "aNULL:" prefix, which restores ! the 0.9.8-compatible ordering of the aNULL ciphers to the top of the ! list when they are enabled. This prefix is not needed with previous ! OpenSSL releases. .PP This feature is available in Postfix 2.3 and later. .SH tls_low_cipherlist (default: ALL:!EXPORT:+RC4:@STRENGTH) The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines the meaning of the "low" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are ! strongly encouraged to not change this setting. With OpenSSL 1.0.0 and ! later the cipherlist may start with an "aNULL:" prefix, which restores ! the 0.9.8-compatible ordering of the aNULL ciphers to the top of the ! list when they are enabled. This prefix is not needed with previous ! OpenSSL releases. 
.PP This feature is available in Postfix 2.3 and later. .SH tls_medium_cipherlist (default: ALL:!EXPORT:!LOW:+RC4:@STRENGTH) *************** *** 8788,8794 **** the default cipherlist for mandatory TLS encryption in the TLS client (with anonymous ciphers disabled when verifying server certificates). You are strongly encouraged to not change this ! setting. .PP This feature is available in Postfix 2.3 and later. .SH tls_null_cipherlist (default: eNULL:!aNULL) --- 8800,8809 ---- the default cipherlist for mandatory TLS encryption in the TLS client (with anonymous ciphers disabled when verifying server certificates). You are strongly encouraged to not change this ! setting. With OpenSSL 1.0.0 and later the cipherlist may start with an ! "aNULL:" prefix, which restores the 0.9.8-compatible ordering of the ! aNULL ciphers to the top of the list when they are enabled. This prefix ! is not needed with previous OpenSSL releases. .PP This feature is available in Postfix 2.3 and later. .SH tls_null_cipherlist (default: eNULL:!aNULL) diff -cr --new-file /var/tmp/postfix-2.7.0/proto/postconf.proto ./proto/postconf.proto *** /var/tmp/postfix-2.7.0/proto/postconf.proto Sat Feb 13 20:50:59 2010 --- ./proto/postconf.proto Tue Jun 1 19:52:06 2010 *************** *** 10992,10998 ****

The OpenSSL cipherlist for "HIGH" grade ciphers. This defines the meaning of the "high" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are ! strongly encouraged to not change this setting.

This feature is available in Postfix 2.3 and later.

--- 10992,11002 ----

The OpenSSL cipherlist for "HIGH" grade ciphers. This defines the meaning of the "high" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are ! strongly encouraged to not change this setting. With OpenSSL 1.0.0 and ! later the cipherlist may start with an "aNULL:" prefix, which restores ! the 0.9.8-compatible ordering of the aNULL ciphers to the top of the ! list when they are enabled. This prefix is not needed with previous ! OpenSSL releases.

This feature is available in Postfix 2.3 and later.

*************** *** 11004,11010 **** the default cipherlist for mandatory TLS encryption in the TLS client (with anonymous ciphers disabled when verifying server certificates). You are strongly encouraged to not change this ! setting.

This feature is available in Postfix 2.3 and later.

--- 11008,11017 ---- the default cipherlist for mandatory TLS encryption in the TLS client (with anonymous ciphers disabled when verifying server certificates). You are strongly encouraged to not change this ! setting. With OpenSSL 1.0.0 and later the cipherlist may start with an ! "aNULL:" prefix, which restores the 0.9.8-compatible ordering of the ! aNULL ciphers to the top of the list when they are enabled. This prefix ! is not needed with previous OpenSSL releases.

This feature is available in Postfix 2.3 and later.

*************** *** 11013,11019 ****

The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines the meaning of the "low" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are ! strongly encouraged to not change this setting.

This feature is available in Postfix 2.3 and later.

--- 11020,11030 ----

The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines the meaning of the "low" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are ! strongly encouraged to not change this setting. With OpenSSL 1.0.0 and ! later the cipherlist may start with an "aNULL:" prefix, which restores ! the 0.9.8-compatible ordering of the aNULL ciphers to the top of the ! list when they are enabled. This prefix is not needed with previous ! OpenSSL releases.

This feature is available in Postfix 2.3 and later.

*************** *** 11024,11030 **** smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is the cipherlist for the opportunistic ("may") TLS client security level and is the default cipherlist for the SMTP server. You are ! strongly encouraged to not change this setting.

This feature is available in Postfix 2.3 and later.

--- 11035,11045 ---- smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is the cipherlist for the opportunistic ("may") TLS client security level and is the default cipherlist for the SMTP server. You are ! strongly encouraged to not change this setting. With OpenSSL 1.0.0 and ! later the cipherlist may start with an "aNULL:" prefix, which restores ! the 0.9.8-compatible ordering of the aNULL ciphers to the top of the ! list when they are enabled. This prefix is not needed with previous ! OpenSSL releases.

This feature is available in Postfix 2.3 and later.

*************** *** 11550,11556 **** latter name.

This feature is available in Postfix 2.6 and later, when it is ! compiled and linked with OpenSSL 0.9.9 or later.

%PARAM tls_eecdh_ultra_curve secp384r1 --- 11565,11571 ---- latter name.

This feature is available in Postfix 2.6 and later, when it is ! compiled and linked with OpenSSL 1.0.0 or later.

%PARAM tls_eecdh_ultra_curve secp384r1 *************** *** 11569,11575 **** classified as TOP SECRET.

This feature is available in Postfix 2.6 and later, when it is ! compiled and linked with OpenSSL 0.9.9 or later.

%PARAM smtpd_tls_eecdh_grade see "postconf -d" output --- 11584,11590 ---- classified as TOP SECRET.

This feature is available in Postfix 2.6 and later, when it is ! compiled and linked with OpenSSL 1.0.0 or later.

%PARAM smtpd_tls_eecdh_grade see "postconf -d" output *************** *** 11599,11605 ****

This feature is available in Postfix 2.6 and later, when it is ! compiled and linked with OpenSSL 0.9.9 or later.

%PARAM smtpd_tls_eccert_file --- 11614,11620 ----

This feature is available in Postfix 2.6 and later, when it is ! compiled and linked with OpenSSL 1.0.0 or later.

%PARAM smtpd_tls_eccert_file *************** *** 11615,11621 ****

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 0.9.9 or later.

%PARAM smtpd_tls_eckey_file $smtpd_tls_eccert_file --- 11630,11636 ----

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 1.0.0 or later.

%PARAM smtpd_tls_eckey_file $smtpd_tls_eccert_file *************** *** 11629,11635 **** to anyone else.

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 0.9.9 or later.

%PARAM smtp_tls_eccert_file --- 11644,11650 ---- to anyone else.

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 1.0.0 or later.

%PARAM smtp_tls_eccert_file *************** *** 11646,11652 ****

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 0.9.9 or later.

%PARAM smtp_tls_eckey_file $smtp_tls_eccert_file --- 11661,11667 ----

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 1.0.0 or later.

%PARAM smtp_tls_eckey_file $smtp_tls_eccert_file *************** *** 11660,11666 **** to anyone else.

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 0.9.9 or later.

%PARAM lmtp_tls_eccert_file --- 11675,11681 ---- to anyone else.

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 1.0.0 or later.

%PARAM lmtp_tls_eccert_file *************** *** 11668,11674 **** parameter. See there for details.

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 0.9.9 or later.

%PARAM lmtp_tls_eckey_file --- 11683,11689 ---- parameter. See there for details.

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 1.0.0 or later.

%PARAM lmtp_tls_eckey_file *************** *** 11676,11682 **** parameter. See there for details.

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 0.9.9 or later.

%PARAM smtp_header_checks --- 11691,11697 ---- parameter. See there for details.

This feature is available in Postfix 2.6 and later, when Postfix is ! compiled and linked with OpenSSL 1.0.0 or later.

%PARAM smtp_header_checks diff -cr --new-file /var/tmp/postfix-2.7.0/src/dns/dns.h ./src/dns/dns.h *** /var/tmp/postfix-2.7.0/src/dns/dns.h Sun Nov 9 16:42:03 2008 --- ./src/dns/dns.h Thu Jun 3 08:57:05 2010 *************** *** 22,27 **** --- 22,30 ---- #ifdef RESOLVE_H_NEEDS_NAMESER8_COMPAT_H #include #endif + #ifdef RESOLVE_H_NEEDS_ARPA_NAMESER_COMPAT_H + #include + #endif #include /* diff -cr --new-file /var/tmp/postfix-2.7.0/src/global/dict_ldap.c ./src/global/dict_ldap.c *** /var/tmp/postfix-2.7.0/src/global/dict_ldap.c Tue Mar 3 20:25:53 2009 --- ./src/global/dict_ldap.c Sat May 29 18:08:26 2010 *************** *** 1082,1093 **** --- 1082,1102 ---- static VSTRING *result; int rc = 0; int sizelimit; + const char *cp; dict_errno = 0; if (msg_verbose) msg_info("%s: In dict_ldap_lookup", myname); + for (cp = name; *cp; ++cp) + if (!ISASCII(*cp)) { + if (msg_verbose) + msg_info("%s: %s: Skipping lookup of non-ASCII key '%s'", + myname, dict_ldap->parser->name, name); + return (0); + } + /* * Optionally fold the key. */ *************** *** 1105,1111 **** */ if (db_common_check_domain(dict_ldap->ctx, name) == 0) { if (msg_verbose) ! msg_info("%s: Skipping lookup of '%s'", myname, name); return (0); } #define INIT_VSTR(buf, len) do { \ --- 1114,1121 ---- */ if (db_common_check_domain(dict_ldap->ctx, name) == 0) { if (msg_verbose) ! msg_info("%s: %s: Skipping lookup of key '%s': domain mismatch", ! myname, dict_ldap->parser->name, name); return (0); } #define INIT_VSTR(buf, len) do { \ diff -cr --new-file /var/tmp/postfix-2.7.0/src/global/mail_params.h ./src/global/mail_params.h *** /var/tmp/postfix-2.7.0/src/global/mail_params.h Sun Jan 17 15:54:35 2010 --- ./src/global/mail_params.h Wed Jun 2 06:57:55 2010 *************** *** 2919,2938 **** /* * TLS cipherlists */ #define VAR_TLS_HIGH_CLIST "tls_high_cipherlist" ! 
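Review bot: The added rejection loop in dict_ldap_lookup carries no comment saying why non-ASCII keys are refused; the reason lives only in HISTORY, so a line such as `/* The LDAP library requires well-formed UTF-8; refuse keys with non-ASCII bytes rather than send a malformed filter. */` above the `for` would keep the intent with the code. The `for` body is a multi-line `if` without braces around it; bracing the loop body guards against the next edit accidentally falling outside the loop. The early `return (0)` leaves `dict_errno` at 0, so callers see the key as "not found" rather than as a lookup failure, which matches the "skip" wording in HISTORY but is worth stating in that comment. Presumably ISASCII is the Postfix wrapper that casts through unsigned char, in which case passing a plain `char` is fine; the enclosing function starts and ends outside the hunk.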
#define DEF_TLS_HIGH_CLIST "ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH" extern char *var_tls_high_clist; #define VAR_TLS_MEDIUM_CLIST "tls_medium_cipherlist" ! #define DEF_TLS_MEDIUM_CLIST "ALL:!EXPORT:!LOW:+RC4:@STRENGTH" extern char *var_tls_medium_clist; #define VAR_TLS_LOW_CLIST "tls_low_cipherlist" ! #define DEF_TLS_LOW_CLIST "ALL:!EXPORT:+RC4:@STRENGTH" extern char *var_tls_low_clist; #define VAR_TLS_EXPORT_CLIST "tls_export_cipherlist" ! #define DEF_TLS_EXPORT_CLIST "ALL:+RC4:@STRENGTH" extern char *var_tls_export_clist; #define VAR_TLS_NULL_CLIST "tls_null_cipherlist" --- 2919,2949 ---- /* * TLS cipherlists */ + #ifdef USE_TLS + #include + #if OPENSSL_VERSION_NUMBER >= 0x1000000fL + #define PREFER_aNULL "aNULL:-aNULL:" + #else + #define PREFER_aNULL "" + #endif + #else + #define PREFER_aNULL "" + #endif + #define VAR_TLS_HIGH_CLIST "tls_high_cipherlist" ! #define DEF_TLS_HIGH_CLIST PREFER_aNULL "ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH" extern char *var_tls_high_clist; #define VAR_TLS_MEDIUM_CLIST "tls_medium_cipherlist" ! #define DEF_TLS_MEDIUM_CLIST PREFER_aNULL "ALL:!EXPORT:!LOW:+RC4:@STRENGTH" extern char *var_tls_medium_clist; #define VAR_TLS_LOW_CLIST "tls_low_cipherlist" ! #define DEF_TLS_LOW_CLIST PREFER_aNULL "ALL:!EXPORT:+RC4:@STRENGTH" extern char *var_tls_low_clist; #define VAR_TLS_EXPORT_CLIST "tls_export_cipherlist" ! #define DEF_TLS_EXPORT_CLIST PREFER_aNULL "ALL:+RC4:@STRENGTH" extern char *var_tls_export_clist; #define VAR_TLS_NULL_CLIST "tls_null_cipherlist" diff -cr --new-file /var/tmp/postfix-2.7.0/src/milter/milter.c ./src/milter/milter.c *** /var/tmp/postfix-2.7.0/src/milter/milter.c Mon Apr 27 10:57:04 2009 --- ./src/milter/milter.c Wed May 26 10:28:24 2010 *************** *** 901,907 **** msg_warn("no milters"); continue; } ! resp = milter_rcpt_event(milters, (const char **) args); } else if (strcmp(cmd, "unknown") == 0 && argv->argc > 0) { if (milters == 0) { msg_warn("no milters"); --- 901,907 ---- msg_warn("no milters"); continue; } ! 
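Review bot: `PREFER_aNULL` expands to `"aNULL:-aNULL:"`, while every documentation hunk in this patch describes the default as starting with an `"aNULL:"` prefix, so a reader comparing `postconf -d` output with the manual will not find the documented string verbatim; a comment on the definition explaining what the `-aNULL` step after `aNULL` achieves in OpenSSL 1.0.0's cipher ordering would close that gap. The two `#else` branches both define `PREFER_aNULL ""` and could be collapsed into one `#ifndef PREFER_aNULL` / `#define PREFER_aNULL ""` / `#endif` fallback after the version check, which also keeps the OpenSSL version-header include as the only TLS-specific line in this global header. Note also that the choice is made from the compile-time OPENSSL_VERSION_NUMBER rather than the library actually linked at run time; presumably a header/library mismatch is diagnosed elsewhere, but the comment could say so.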
resp = milter_rcpt_event(milters, 0, (const char **) args); } else if (strcmp(cmd, "unknown") == 0 && argv->argc > 0) { if (milters == 0) { msg_warn("no milters"); diff -cr --new-file /var/tmp/postfix-2.7.0/src/smtp/smtp_proto.c ./src/smtp/smtp_proto.c *** /var/tmp/postfix-2.7.0/src/smtp/smtp_proto.c Tue Nov 10 20:48:13 2009 --- ./src/smtp/smtp_proto.c Tue Jun 1 16:17:30 2010 *************** *** 1204,1224 **** * Build the XFORWARD command. With properly sanitized * information, the command length stays within the 512 byte * command line length limit. ! */ case SMTP_STATE_XFORWARD_NAME_ADDR: vstring_strcpy(next_command, XFORWARD_CMD); if ((session->features & SMTP_FEATURE_XFORWARD_NAME) ! && DEL_REQ_ATTR_AVAIL(request->client_name)) { vstring_strcat(next_command, " " XFORWARD_NAME "="); xtext_quote_append(next_command, request->client_name, ""); } if ((session->features & SMTP_FEATURE_XFORWARD_ADDR) ! && DEL_REQ_ATTR_AVAIL(request->client_addr)) { vstring_strcat(next_command, " " XFORWARD_ADDR "="); xtext_quote_append(next_command, request->client_addr, ""); } if ((session->features & SMTP_FEATURE_XFORWARD_PORT) ! && DEL_REQ_ATTR_AVAIL(request->client_port)) { vstring_strcat(next_command, " " XFORWARD_PORT "="); xtext_quote_append(next_command, request->client_port, ""); } --- 1204,1242 ---- * Build the XFORWARD command. With properly sanitized * information, the command length stays within the 512 byte * command line length limit. ! * ! * XXX smtpd_xforward_preset() initializes some fields as "unknown" ! * and some as null; historically, pickup(8) does not send any of ! * these, and the queue manager presets absent fields to "not ! * available" except for the rewrite context which is preset to ! * local by way of migration aid. These definitions need to be ! * centralized for maintainability. ! */ ! #ifndef CAN_FORWARD_CLIENT_NAME ! #define _ATTR_AVAIL_AND_KNOWN_(val) \ ! (DEL_REQ_ATTR_AVAIL(val) && strcasecmp((val), "unknown")) ! 
#define CAN_FORWARD_CLIENT_NAME _ATTR_AVAIL_AND_KNOWN_ ! #define CAN_FORWARD_CLIENT_ADDR _ATTR_AVAIL_AND_KNOWN_ ! #define CAN_FORWARD_CLIENT_PORT _ATTR_AVAIL_AND_KNOWN_ ! #define CAN_FORWARD_PROTO_NAME _ATTR_AVAIL_AND_KNOWN_ ! #define CAN_FORWARD_HELO_NAME DEL_REQ_ATTR_AVAIL ! #define CAN_FORWARD_RWR_CONTEXT DEL_REQ_ATTR_AVAIL ! #endif ! case SMTP_STATE_XFORWARD_NAME_ADDR: vstring_strcpy(next_command, XFORWARD_CMD); if ((session->features & SMTP_FEATURE_XFORWARD_NAME) ! && CAN_FORWARD_CLIENT_NAME(request->client_name)) { vstring_strcat(next_command, " " XFORWARD_NAME "="); xtext_quote_append(next_command, request->client_name, ""); } if ((session->features & SMTP_FEATURE_XFORWARD_ADDR) ! && CAN_FORWARD_CLIENT_ADDR(request->client_addr)) { vstring_strcat(next_command, " " XFORWARD_ADDR "="); xtext_quote_append(next_command, request->client_addr, ""); } if ((session->features & SMTP_FEATURE_XFORWARD_PORT) ! && CAN_FORWARD_CLIENT_PORT(request->client_port)) { vstring_strcat(next_command, " " XFORWARD_PORT "="); xtext_quote_append(next_command, request->client_port, ""); } *************** *** 1231,1247 **** case SMTP_STATE_XFORWARD_PROTO_HELO: vstring_strcpy(next_command, XFORWARD_CMD); if ((session->features & SMTP_FEATURE_XFORWARD_PROTO) ! && DEL_REQ_ATTR_AVAIL(request->client_proto)) { vstring_strcat(next_command, " " XFORWARD_PROTO "="); xtext_quote_append(next_command, request->client_proto, ""); } if ((session->features & SMTP_FEATURE_XFORWARD_HELO) ! && DEL_REQ_ATTR_AVAIL(request->client_helo)) { vstring_strcat(next_command, " " XFORWARD_HELO "="); xtext_quote_append(next_command, request->client_helo, ""); } if ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN) ! && DEL_REQ_ATTR_AVAIL(request->rewrite_context)) { vstring_strcat(next_command, " " XFORWARD_DOMAIN "="); xtext_quote_append(next_command, strcmp(request->rewrite_context, MAIL_ATTR_RWR_LOCAL) ? 
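Review bot: `_ATTR_AVAIL_AND_KNOWN_` is a reserved identifier — a name beginning with an underscore followed by an uppercase letter belongs to the implementation in C — and the macro block is placed inside the function body, between the comment and the `case` label, with an `#ifndef` guard that reads as if the helpers were meant to be file-scope and overridable at build time. Renaming the helper and moving the block to file scope removes the potential clash with system headers and keeps the definitions next to the comment that explains the "unknown" convention; the same macros are relied on by the hunks at lines 1249 and 1997 of the patched file, which would be unaffected by the move. `strcasecmp()` is also used as a bare truth value; spelling the comparison as `!= 0` makes the intent explicit, and if this file does not already include `<strings.h>` the call depends on an implicit declaration, which is worth confirming. The enclosing switch and function begin and end outside the hunk.
```c
/* File scope, next to the other XFORWARD definitions. */
#ifndef CAN_FORWARD_CLIENT_NAME
#define ATTR_AVAIL_AND_KNOWN(val) \
    (DEL_REQ_ATTR_AVAIL(val) && strcasecmp((val), "unknown") != 0)
#define CAN_FORWARD_CLIENT_NAME ATTR_AVAIL_AND_KNOWN
#define CAN_FORWARD_CLIENT_ADDR ATTR_AVAIL_AND_KNOWN
#define CAN_FORWARD_CLIENT_PORT ATTR_AVAIL_AND_KNOWN
#define CAN_FORWARD_PROTO_NAME  ATTR_AVAIL_AND_KNOWN
#define CAN_FORWARD_HELO_NAME   DEL_REQ_ATTR_AVAIL
#define CAN_FORWARD_RWR_CONTEXT DEL_REQ_ATTR_AVAIL
#endif
/* … unchanged: XFORWARD NAME/ADDR/PORT command assembly in the switch … */
```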
--- 1249,1265 ---- case SMTP_STATE_XFORWARD_PROTO_HELO: vstring_strcpy(next_command, XFORWARD_CMD); if ((session->features & SMTP_FEATURE_XFORWARD_PROTO) ! && CAN_FORWARD_PROTO_NAME(request->client_proto)) { vstring_strcat(next_command, " " XFORWARD_PROTO "="); xtext_quote_append(next_command, request->client_proto, ""); } if ((session->features & SMTP_FEATURE_XFORWARD_HELO) ! && CAN_FORWARD_HELO_NAME(request->client_helo)) { vstring_strcat(next_command, " " XFORWARD_HELO "="); xtext_quote_append(next_command, request->client_helo, ""); } if ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN) ! && CAN_FORWARD_RWR_CONTEXT(request->rewrite_context)) { vstring_strcat(next_command, " " XFORWARD_DOMAIN "="); xtext_quote_append(next_command, strcmp(request->rewrite_context, MAIL_ATTR_RWR_LOCAL) ? *************** *** 1979,1997 **** send_name_addr = var_smtp_send_xforward && (((session->features & SMTP_FEATURE_XFORWARD_NAME) ! && DEL_REQ_ATTR_AVAIL(request->client_name)) || ((session->features & SMTP_FEATURE_XFORWARD_ADDR) ! && DEL_REQ_ATTR_AVAIL(request->client_addr)) || ((session->features & SMTP_FEATURE_XFORWARD_PORT) ! && DEL_REQ_ATTR_AVAIL(request->client_port))); session->send_proto_helo = var_smtp_send_xforward && (((session->features & SMTP_FEATURE_XFORWARD_PROTO) ! && DEL_REQ_ATTR_AVAIL(request->client_proto)) || ((session->features & SMTP_FEATURE_XFORWARD_HELO) ! && DEL_REQ_ATTR_AVAIL(request->client_helo)) || ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN) ! && DEL_REQ_ATTR_AVAIL(request->rewrite_context))); if (send_name_addr) recv_state = send_state = SMTP_STATE_XFORWARD_NAME_ADDR; else if (session->send_proto_helo) --- 1997,2015 ---- send_name_addr = var_smtp_send_xforward && (((session->features & SMTP_FEATURE_XFORWARD_NAME) ! && CAN_FORWARD_CLIENT_NAME(request->client_name)) || ((session->features & SMTP_FEATURE_XFORWARD_ADDR) ! && CAN_FORWARD_CLIENT_ADDR(request->client_addr)) || ((session->features & SMTP_FEATURE_XFORWARD_PORT) ! 
&& CAN_FORWARD_CLIENT_PORT(request->client_port))); session->send_proto_helo = var_smtp_send_xforward && (((session->features & SMTP_FEATURE_XFORWARD_PROTO) ! && CAN_FORWARD_PROTO_NAME(request->client_proto)) || ((session->features & SMTP_FEATURE_XFORWARD_HELO) ! && CAN_FORWARD_HELO_NAME(request->client_helo)) || ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN) ! && CAN_FORWARD_RWR_CONTEXT(request->rewrite_context))); if (send_name_addr) recv_state = send_state = SMTP_STATE_XFORWARD_NAME_ADDR; else if (session->send_proto_helo) diff -cr --new-file /var/tmp/postfix-2.7.0/src/tls/tls_certkey.c ./src/tls/tls_certkey.c *** /var/tmp/postfix-2.7.0/src/tls/tls_certkey.c Sat Nov 8 18:53:49 2008 --- ./src/tls/tls_certkey.c Tue Jun 1 19:52:06 2010 *************** *** 158,164 **** return (-1); /* logged */ if (*dcert_file && !set_cert_stuff(ctx, "DSA", dcert_file, dkey_file)) return (-1); /* logged */ ! #if OPENSSL_VERSION_NUMBER >= 0x00909000 && !defined(OPENSSL_NO_ECDH) if (*eccert_file && !set_cert_stuff(ctx, "ECDSA", eccert_file, eckey_file)) return (-1); /* logged */ #else --- 158,164 ---- return (-1); /* logged */ if (*dcert_file && !set_cert_stuff(ctx, "DSA", dcert_file, dkey_file)) return (-1); /* logged */ ! #if OPENSSL_VERSION_NUMBER >= 0x1000000fL && !defined(OPENSSL_NO_ECDH) if (*eccert_file && !set_cert_stuff(ctx, "ECDSA", eccert_file, eckey_file)) return (-1); /* logged */ #else diff -cr --new-file /var/tmp/postfix-2.7.0/src/tls/tls_client.c ./src/tls/tls_client.c *** /var/tmp/postfix-2.7.0/src/tls/tls_client.c Sat Nov 8 18:51:41 2008 --- ./src/tls/tls_client.c Tue Jun 1 19:52:06 2010 *************** *** 725,731 **** int protomask; const char *cipher_list; SSL_SESSION *session; ! SSL_CIPHER *cipher; X509 *peercert; TLS_SESS_STATE *TLScontext; TLS_APPL_STATE *app_ctx = props->ctx; --- 725,731 ---- int protomask; const char *cipher_list; SSL_SESSION *session; ! 
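Review bot: The raised OpenSSL floor `0x1000000fL` on the ECDSA `#if` carries no comment, so nothing records why 0.9.9-development builds that the previous `0x00909000` test accepted are now excluded; the same literal is hand-copied into tls_dh.c (hunk at line 208) and into the `PREFER_aNULL` block of mail_params.h, and three copies will drift on the next bump. A one-line comment above the test, e.g. `/* ECDH/ECDSA support requires the OpenSSL 1.0.0 release API; 0.9.9-dev snapshots are no longer supported. */`, together with one feature macro defined in a shared TLS header (placeholder name `TLS_HAVE_ECDH`) and used at both sites, would document and centralize the version check. The enclosing function begins and ends outside the hunk.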
const SSL_CIPHER *cipher; X509 *peercert; TLS_SESS_STATE *TLScontext; TLS_APPL_STATE *app_ctx = props->ctx; diff -cr --new-file /var/tmp/postfix-2.7.0/src/tls/tls_dh.c ./src/tls/tls_dh.c *** /var/tmp/postfix-2.7.0/src/tls/tls_dh.c Sun Nov 9 15:11:14 2008 --- ./src/tls/tls_dh.c Tue Jun 1 19:52:06 2010 *************** *** 205,211 **** int tls_set_eecdh_curve(SSL_CTX *server_ctx, const char *grade) { ! #if OPENSSL_VERSION_NUMBER >= 0x00909000 && !defined(OPENSSL_NO_ECDH) int nid; EC_KEY *ecdh; const char *curve; --- 205,211 ---- int tls_set_eecdh_curve(SSL_CTX *server_ctx, const char *grade) { ! #if OPENSSL_VERSION_NUMBER >= 0x1000000fL && !defined(OPENSSL_NO_ECDH) int nid; EC_KEY *ecdh; const char *curve; diff -cr --new-file /var/tmp/postfix-2.7.0/src/tls/tls_server.c ./src/tls/tls_server.c *** /var/tmp/postfix-2.7.0/src/tls/tls_server.c Sat Nov 8 18:51:48 2008 --- ./src/tls/tls_server.c Tue Jun 1 19:52:06 2010 *************** *** 554,560 **** { int sts; TLS_SESS_STATE *TLScontext; ! SSL_CIPHER *cipher; X509 *peer; char buf[CCERT_BUFSIZ]; const char *cipher_list; --- 554,560 ---- { int sts; TLS_SESS_STATE *TLScontext; ! const SSL_CIPHER *cipher; X509 *peer; char buf[CCERT_BUFSIZ]; const char *cipher_list; diff -cr --new-file /var/tmp/postfix-2.7.0/src/util/dict_db.c ./src/util/dict_db.c *** /var/tmp/postfix-2.7.0/src/util/dict_db.c Sat Jan 2 16:28:08 2010 --- ./src/util/dict_db.c Tue Jun 1 17:07:49 2010 *************** *** 675,681 **** msg_fatal("set DB cache size %d: %m", dict_db_cache_size); if (type == DB_HASH && db->set_h_nelem(db, DICT_DB_NELM) != 0) msg_fatal("set DB hash element count %d: %m", DICT_DB_NELM); ! 
#if (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR > 0) if ((errno = db->open(db, 0, db_path, 0, type, db_flags, 0644)) != 0) msg_fatal("open database %s: %m", db_path); #elif (DB_VERSION_MAJOR == 3 || DB_VERSION_MAJOR == 4) --- 675,681 ---- msg_fatal("set DB cache size %d: %m", dict_db_cache_size); if (type == DB_HASH && db->set_h_nelem(db, DICT_DB_NELM) != 0) msg_fatal("set DB hash element count %d: %m", DICT_DB_NELM); ! #if DB_VERSION_MAJOR == 5 || (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR > 0) if ((errno = db->open(db, 0, db_path, 0, type, db_flags, 0644)) != 0) msg_fatal("open database %s: %m", db_path); #elif (DB_VERSION_MAJOR == 3 || DB_VERSION_MAJOR == 4) diff -cr --new-file /var/tmp/postfix-2.7.0/src/util/match_list.c ./src/util/match_list.c *** /var/tmp/postfix-2.7.0/src/util/match_list.c Thu Jan 18 19:21:13 2007 --- ./src/util/match_list.c Tue Jun 1 14:10:20 2010 *************** *** 116,121 **** --- 116,126 ---- * prepend the negation operator to each item from the file. */ while ((start = mystrtok(&bp, delim)) != 0) { + if (*start == '#') { + msg_warn("%s: comment at end of line is not supported: %s %s", + myname, start, bp); + break; + } for (match = init_match, item = start; *item == '!'; item++) match = !match; if (*item == 0) diff -cr --new-file /var/tmp/postfix-2.7.0/src/util/sys_defs.h ./src/util/sys_defs.h *** /var/tmp/postfix-2.7.0/src/util/sys_defs.h Sat Nov 14 18:32:37 2009 --- ./src/util/sys_defs.h Tue Jun 1 19:56:57 2010 *************** *** 208,214 **** #define DEF_DB_TYPE "hash" #define ALIAS_DB_MAP "hash:/etc/aliases" #define GETTIMEOFDAY(t) gettimeofday(t,(struct timezone *) 0) - #define RESOLVE_H_NEEDS_NAMESER8_COMPAT_H #define ROOT_PATH "/bin:/usr/bin:/sbin:/usr/sbin" #define USE_STATFS #define STATFS_IN_SYS_MOUNT_H --- 208,213 ----
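Review bot: The new condition pins the major version to exactly 5 (`DB_VERSION_MAJOR == 5`), so a future Berkeley DB 6.x would fall past this branch into the `#elif` for 3/4 and whatever older-API branch follows, presumably breaking the build rather than reusing the same seven-argument `db->open()` call. If the 4.1+ API is assumed to persist across majors, which is exactly what the new test assumes for 5, `#if DB_VERSION_MAJOR > 4 || (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR > 0)` says so without a per-major edit, and a comment such as `/* Berkeley DB 4.1 and later, including 5.x, share this db->open() signature. */` records the assumption. The enclosing function begins and ends outside the hunk.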
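Review bot: The new `#` check only fires when `#` is the first character of a token returned by mystrtok(), so a comment glued to an item (constructed example: `10.0.0.0/8#private`) still passes through silently and is either rejected later or installed as a pattern that cannot match; the warning text also does not say that everything after the `#` is discarded while the items parsed before it are kept, which is what the `break` does. A comment on the new branch, e.g. `/* Trailing #comments are not supported: keep the items parsed so far, warn, and drop the rest of this line. */`, would record the intended semantics, and the warning could state that the remainder was ignored so an operator checking mynetworks or relay_domains knows which entries took effect. The enclosing loop and parser function begin and end outside the hunk.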