Prereq: "2.7.14"
diff -cr --new-file /var/tmp/postfix-2.7.14/src/global/mail_version.h ./src/global/mail_version.h
*** /var/tmp/postfix-2.7.14/src/global/mail_version.h Sat Jun 22 18:22:08 2013
--- ./src/global/mail_version.h Thu Sep 5 08:52:22 2013
***************
*** 20,27 ****
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
! #define MAIL_RELEASE_DATE "20130622"
! #define MAIL_VERSION_NUMBER "2.7.14"
#ifdef SNAPSHOT
# define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
--- 20,27 ----
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
! #define MAIL_RELEASE_DATE "20130905"
! #define MAIL_VERSION_NUMBER "2.7.15"
#ifdef SNAPSHOT
# define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
diff -cr --new-file /var/tmp/postfix-2.7.14/HISTORY ./HISTORY
*** /var/tmp/postfix-2.7.14/HISTORY Wed May 8 12:25:44 2013
--- ./HISTORY Sun Sep 1 18:41:50 2013
***************
*** 16142,16144 ****
--- 16142,16167 ----
between different hostnames that resolve to the same IP address. Found during Postfix 2.11 code maintenance. File: smtp/smtp_connect.c.
+ 
+ 20130518
+ 
+ Bugfix (introduced: 1997): memory leak after error while
+ forwarding mail through the cleanup server. Viktor found
+ one, Wietse eliminated the rest. File: local/forward.c.
+ 
+ 20130615
+ 
+ TLS Interoperability: turn on SHA-2 digests by force. This
+ improves interoperability with clients and servers that
+ deploy SHA-2 digests without the required support for
+ TLSv1.2-style digest negotiation. Based on patch by Viktor
+ Dukhovni. Files: tls/tls_client.c, tls/tls_server.c.
+ 
+ 20130616
+ 
+ Workaround: The Postfix SMTP server TLS session cache was
+ broken because OpenSSL now enables session tickets by
+ default, resulting in a different ticket encryption key for
+ each smtpd(8) process. The workaround turns off session
+ tickets. In 2.11 we'll enable session tickets properly.
+ Viktor Dukhovni. File: tls/tls_server.c.
diff -cr --new-file /var/tmp/postfix-2.7.14/RELEASE_NOTES ./RELEASE_NOTES
*** /var/tmp/postfix-2.7.14/RELEASE_NOTES Tue Apr 24 15:58:33 2012
--- ./RELEASE_NOTES Thu Sep 5 08:48:33 2013
***************
*** 14,19 ****
--- 14,49 ----
If you upgrade from Postfix 2.5 or earlier, read RELEASE_NOTES-2.6
before proceeding.
+ Debian Exim before 4.80-3 interoperability workaround
+ -----------------------------------------------------
+ 
+ Debian Exim versions before 4.80-3 may fail to communicate with
+ Postfix and possibly other MTAs, with the following Exim SMTP client
+ error message:
+ 
+ TLS error on connection to server-name [server-address]
+ (gnutls_handshake): The Diffie-Hellman prime sent by the server
+ is not acceptable (not long enough)
+ 
+ This problem may affect Debian Exim versions before 4.80-3 that use
+ TLS with EDH (Ephemeral Diffie-Hellman) key exchanges. For details
+ see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=676563
+ 
+ To restore Postfix SMTP server interoperability with affected Exim
+ SMTP clients, configure the Postfix SMTP server to use a 2048-bit
+ prime number instead of 1024:
+ 
+ # cd /etc/postfix
+ # openssl dhparam -out dh2048.pem 2048
+ # postconf -e 'smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem'
+ 
+ This change increases the CPU cost of EDH key exchanges (rarely a
+ problem for SMTP servers) and is unlikely to cause problems with
+ other SMTP client implementations.
+ 
+ This problem should not affect EECDH (Ephemeral Elliptic Curve
+ Diffie-Hellman) key exchanges.
+ 
Major changes with Postfix 2.7.9
--------------------------------
diff -cr --new-file /var/tmp/postfix-2.7.14/src/local/forward.c ./src/local/forward.c
*** /var/tmp/postfix-2.7.14/src/local/forward.c Mon Jun 26 08:59:19 2006
--- ./src/local/forward.c Sun Sep 1 09:25:58 2013
***************
*** 118,123 ****
--- 118,128 ----
FORWARD_INFO *info;
VSTREAM *cleanup;
+ #define FORWARD_OPEN_RETURN(res) do { \
+ vstring_free(buffer); \
+ return (res); \
+ } while (0)
+ 
/*
* Contact the cleanup service and save the new mail queue id. Request
* that the cleanup service bounces bad messages to the sender so that we
***************
*** 129,141 ****
*/
cleanup = mail_connect(MAIL_CLASS_PUBLIC, var_cleanup_service, BLOCKING);
if (cleanup == 0)
! return (0);
close_on_exec(vstream_fileno(cleanup), CLOSE_ON_EXEC);
if (attr_scan(cleanup, ATTR_FLAG_STRICT, ATTR_TYPE_STR, MAIL_ATTR_QUEUEID, buffer, ATTR_TYPE_END) != 1) {
vstream_fclose(cleanup);
! return (0);
}
info = (FORWARD_INFO *) mymalloc(sizeof(FORWARD_INFO));
info->cleanup = cleanup;
--- 134,146 ----
*/
cleanup = mail_connect(MAIL_CLASS_PUBLIC, var_cleanup_service, BLOCKING);
if (cleanup == 0)
! FORWARD_OPEN_RETURN(0);
close_on_exec(vstream_fileno(cleanup), CLOSE_ON_EXEC);
if (attr_scan(cleanup, ATTR_FLAG_STRICT, ATTR_TYPE_STR, MAIL_ATTR_QUEUEID, buffer, ATTR_TYPE_END) != 1) {
vstream_fclose(cleanup);
! FORWARD_OPEN_RETURN(0);
}
info = (FORWARD_INFO *) mymalloc(sizeof(FORWARD_INFO));
info->cleanup = cleanup;
***************
*** 186,193 ****
PASS_ATTR(cleanup, MAIL_ATTR_SASL_SENDER, request->sasl_sender);
PASS_ATTR(cleanup, MAIL_ATTR_RWR_CONTEXT, request->rewrite_context);
! vstring_free(buffer);
! return (info);
}
/* forward_append - append recipient to message envelope */
--- 191,197 ----
PASS_ATTR(cleanup, MAIL_ATTR_SASL_SENDER, request->sasl_sender);
PASS_ATTR(cleanup, MAIL_ATTR_RWR_CONTEXT, request->rewrite_context);
! 
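Review bot: The new `FORWARD_OPEN_RETURN()` macro depends on a local named `buffer` being in scope wherever it is expanded, and nothing in this hunk says so or limits the macro to forward_open(); it stays defined for the rest of local/forward.c after the function ends. Add a one-line comment above the `#define`, e.g. `/* Free forward_open()'s local buffer on every return path. */`, and an `#undef FORWARD_OPEN_RETURN` after the function's closing brace so a later use in another function cannot free the wrong object. The two early returns rewritten in the next hunk and the normal return are covered; any other return between lines 146 and 191, which lie outside this diff, would still leak. forward_open() begins before this hunk, so the allocation paired with this free is not visible here.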
FORWARD_OPEN_RETURN(info);
}
/* forward_append - append recipient to message envelope */
diff -cr --new-file /var/tmp/postfix-2.7.14/src/tls/tls_client.c ./src/tls/tls_client.c
*** /var/tmp/postfix-2.7.14/src/tls/tls_client.c Sun May 20 09:54:28 2012
--- ./src/tls/tls_client.c Sun Sep 1 09:26:02 2013
***************
*** 325,330 ****
--- 325,348 ----
}
/*
+ * Register SHA-2 digests, if implemented and not already registered.
+ * Improves interoperability with clients and servers that prematurely
+ * deploy SHA-2 certificates.
+ */
+ #if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256)
+ if (!EVP_get_digestbyname(LN_sha224))
+ EVP_add_digest(EVP_sha224());
+ if (!EVP_get_digestbyname(LN_sha256))
+ EVP_add_digest(EVP_sha256());
+ #endif
+ #if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512)
+ if (!EVP_get_digestbyname(LN_sha384))
+ EVP_add_digest(EVP_sha384());
+ if (!EVP_get_digestbyname(LN_sha512))
+ EVP_add_digest(EVP_sha512());
+ #endif
+ 
+ /*
* If the administrator specifies an unsupported digest algorithm, fail
* now, rather than in the middle of a TLS handshake.
*/
diff -cr --new-file /var/tmp/postfix-2.7.14/src/tls/tls_server.c ./src/tls/tls_server.c
*** /var/tmp/postfix-2.7.14/src/tls/tls_server.c Sun May 20 09:54:28 2012
--- ./src/tls/tls_server.c Sun Sep 1 09:26:02 2013
***************
*** 304,309 ****
--- 304,327 ----
}
/*
+ * Register SHA-2 digests, if implemented and not already registered.
+ * Improves interoperability with clients and servers that prematurely
+ * deploy SHA-2 certificates.
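Review bot: All four `EVP_add_digest()` calls discard the return value, so if a registration fails (it returns 0 on failure) the client is left in the pre-patch state — presumably the SHA-2 certificate failures the new comment describes — with nothing logged to explain it. Warning at that point keeps the workaround diagnosable: `if (!EVP_get_digestbyname(LN_sha256) && !EVP_add_digest(EVP_sha256()))` followed by `msg_warn("cannot register %s digest", LN_sha256);`, and the same for the other three digests, using whichever warning call this file already uses. Note that the fingerprint-digest check mentioned in the context lines below only validates the administrator-chosen digest name; it would not report a failed registration here. The enclosing init function starts and ends outside this hunk.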
+ */
+ #if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256)
+ if (!EVP_get_digestbyname(LN_sha224))
+ EVP_add_digest(EVP_sha224());
+ if (!EVP_get_digestbyname(LN_sha256))
+ EVP_add_digest(EVP_sha256());
+ #endif
+ #if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512)
+ if (!EVP_get_digestbyname(LN_sha384))
+ EVP_add_digest(EVP_sha384());
+ if (!EVP_get_digestbyname(LN_sha512))
+ EVP_add_digest(EVP_sha512());
+ #endif
+ 
+ /*
* If the administrator specifies an unsupported digest algorithm, fail
* now, rather than in the middle of a TLS handshake.
*/
***************
*** 358,363 ****
--- 376,384 ----
/*
* Protocol work-arounds, OpenSSL version dependent.
*/
+ #ifdef SSL_OP_NO_TICKET
+ off |= SSL_OP_NO_TICKET;
+ #endif
off |= tls_bug_bits();
SSL_CTX_set_options(server_ctx, off);
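Review bot: This registration block, including its `#if`/`#endif` guards, is a byte-for-byte copy of the one this patch adds to tls_client.c, so any later correction (an extra digest, a changed guard) has to be made twice and the two copies can silently drift. The `tls_bug_bits()` call in the next hunk suggests the tls code already keeps OpenSSL-version-dependent logic in a shared place; moving these lines into one common function, say `tls_register_sha2_digests(void)`, called from both init paths would remove the duplication. Whether such a helper fits the existing module layout cannot be confirmed from this diff. The enclosing init function starts and ends outside this hunk.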
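Review bot: `off |= SSL_OP_NO_TICKET;` is added without a comment, and the only explanation of why tickets must be off — each smtpd(8) process ends up with its own ticket encryption key, so the shared session cache stops working — lives in the HISTORY entry rather than next to the code. Put it here, e.g. `/* Disable session tickets: each smtpd(8) process has its own ticket key, which defeats the shared session cache; revisit when tickets are handled properly. */`. Operators should also be told that resumption now depends entirely on the configured smtpd session cache; if none is configured (not visible in this diff), every connection presumably falls back to a full handshake. Making the option unconditional whenever SSL_OP_NO_TICKET exists is the right call, since it avoids the per-process-key ticket path entirely.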