mail/postfix
Fast, easy to administer, and secure mail transfer agent
Branch: CURRENT
Version: 3.9.1
Package name: postfix-3.9.1
Maintainer: pkgsrc-users

Postfix aims to be an alternative to the widely-used sendmail
program. Sendmail is responsible for 70% of all e-mail delivered
on the Internet. With an estimated 100 million users, that's an
estimated 10 billion (10^10) messages daily. A stunning number.
Although IBM supported the Postfix development, it abstains from
control over its evolution. The goal is to have Postfix installed
on as many systems as possible. To this end, the software is given
away with no strings attached to it, so that it can evolve with
input from and under control by its users.
In other words, IBM releases Postfix only once. I will be around
to guide its development for a limited time.
MESSAGE.NetBSD
===========================================================================
$NetBSD: MESSAGE.NetBSD,v 1.6 2015/07/26 15:53:11 bsiegert Exp $
The existing /etc/rc.d/postfix can be forced to start ${PREFIX}/sbin/postfix
instead of /usr/sbin/postfix, by adding the following lines to
/etc/rc.conf.d/postfix:
    postfix_command='${PREFIX}/sbin/postfix'
    required_files='${PKG_SYSCONFDIR}/main.cf'
    postconf='${PREFIX}/sbin/postconf'
Please note that /etc/rc.conf.d/postfix does not exist by default so
you need to create that file if you need to override the default settings.
Remember to modify /etc/mailer.conf to use ${PREFIX}/sbin/sendmail instead
of /usr/libexec/postfix/sendmail.
===========================================================================
MESSAGE.sasl
===========================================================================
$NetBSD: MESSAGE.sasl,v 1.8 2005/03/28 08:53:07 jlam Exp $
To enable SASL authentication in the SMTP server, you may want to edit
    ${SASLLIBDIR}/smtpd.conf
and change the method used to check plaintext passwords. To use
security/cyrus-saslauthd, you should change the contents of smtpd.conf
to:
    pwcheck_method: saslauthd
You may also want to edit
    ${PKG_SYSCONFDIR}/main.cf
and set the smtpd_sasl_* variables to appropriate values.
To enable SASL authentication in the SMTP client, you may want to edit
    ${PKG_SYSCONFDIR}/main.cf
and set the smtp_sasl_* variables to appropriate values.
The corresponding SASL authentication plugins will also need to be
installed. Please consult:
    ${DOCDIR}/SASL_README
and the SASL documentation for more information on setting up SASL
authentication.
===========================================================================
Package options: blocklist, tls
Master sites:
Filesize: 4837.749 KB
Version history:
- (2024-12-07) Updated to version: postfix-3.9.1
- (2024-11-15) Updated to version: postfix-3.9.0nb3
- (2024-11-01) Updated to version: postfix-3.9.0nb2
- (2024-11-01) Updated to version: postfix-3.9.0nb1
- (2024-06-02) Updated to version: postfix-3.9.0
- (2024-05-29) Updated to version: postfix-3.8.5nb1
CVS history:
2024-12-07 07:08:57 by Takahiro Kambe | Files touched by this commit (3) | |
Log message:
mail/postfix: update to 3.9.1
Postfix 3.9.1 (2024-12-04)
Postfix stable release 3.9.1, and legacy releases 3.8.7, 3.7.12,
3.6.16 [An on-line version of this announcement will be available
at https://www.postfix.org/announcements/postfix-3.9.1.html]
Fixed with Postfix 3.9.1:
* The mail_version configuration parameter did not have a
three-number value (3.9 instead of 3.9.0); it still had the
two-number version from the development releases postfix-3.9-yyyymmdd.
This broke pathnames derived from the mail_version value, such
as shlib_directory. Problem reported by Michael Orlitzky.
Fixed with Postfix 3.9.1, 3.8.7, 3.7.12, 3.6.16:
* Bugfix (defect introduced: Postfix 2.9, date 20111218): with
"smtpd_sasl_auth_enable = no", the permit_sasl_authenticated
feature ignored information that was received with the XCLIENT
LOGIN command, so that the client was treated as unauthenticated.
This was fixed by removing an unnecessary test. Problem reported
by Antonin Verrier.
* Bugfix (defect introduced: postfix 3.0): the default master.cf
multi-instance information, which complicated logfile analysis.
Found during a support discussion.
* Bugfix (defect introduced: Postfix 2.3, date 20051222): file
descriptor leak after failure to connect to a Dovecot auth
server. The impact is limited because Dovecot auth failures are
rare, there are limits on the number of retries (one), on the
number of errors per SMTP session (smtpd_hard_error_limit), on
the number of sessions per SMTP server process (max_use), and
on the number of file handles per process (managed with sysctl).
Found during code maintenance.
* Bugfix (defect introduced: Postfix 3.4, date 20190121): the
postsuper command failed with "open logfile '/path/to/file':
Permission denied" when the maillog_file parameter specified a
filename and Postfix was not running. This was fixed by opening
the maillog_file before dropping root privileges. Found during
code maintenance.
* Bugfix (defect introduced Postfix 3.0). No autodetection of
UTF8 text when missing message headers were automatically
added by Postfix (for example, a From: header with UTF8 full
name information from the password file). This caused Postfix
to send UTF8 in message headers without using the SMTPUTF8
protocol. Problem reported by Michael Tokarev.
|
2024-11-14 23:22:33 by Thomas Klausner | Files touched by this commit (2429) |
Log message:
*: recursive bump for icu 76 shlib major version bump
|
2024-11-01 13:55:19 by Thomas Klausner | Files touched by this commit (2426) |
Log message:
*: revbump for icu downgrade
|
2024-11-01 01:54:33 by Thomas Klausner | Files touched by this commit (2427) |
Log message:
*: recursive bump for icu 76.1 shlib bump
|
2024-06-02 17:45:06 by Takahiro Kambe | Files touched by this commit (2) |
Log message:
Reset PKGREVISION along with updating postfix to 3.9.0.
|
2024-06-02 17:43:31 by Takahiro Kambe | Files touched by this commit (3) | |
Log message:
mail/postfix: update to 3.9.0
From the release announcement
<https://www.postfix.org/announcements/postfix-3.9.0.html>:
Postfix stable release 3.9.0 is available. Postfix 3.5 - 3.8 were
updated earlier this week; after that, Postfix 3.5 will no longer
be updated.
The main changes are below. See the RELEASE_NOTES file for further
details.
Removed functionality:
* As described in DEPRECATION_README, the SMTP server features
"permit_naked_ip_address", "check_relay_domains", and
"reject_maps_rbl" have been removed, after they have been logging
a warning for some 20 years. These features now log a warning
and return a "server configuration error" response.
* The MySQL client no longer supports MySQL versions < 4.0. MySQL
version 4.0 was released in 2003.
Officially obsolete functionality:
* As covered in DEPRECATION_README, the configuration parameter
"disable_dns_lookup" and about a dozen TLS-related parameters
are now officially obsolete. These parameters still work, but
the postconf command logs warnings that they will be removed
from Postfix.
* As covered in DEPRECATION_README, "permit_mx_backup" logs a
warning that it will be removed from Postfix.
Changed functionality:
* In message headers, Postfix now formats numerical days as
two-digit days, i.e. days 1-9 have a leading zero instead of a
leading space. This change was made because the RFC 5322 date
and time specification recommends (i.e. SHOULD) that a single
space be used in each place that folding white space appears.
This change avoids a breaking change in the length of a date
string.
* The MySQL client default characterset is now configurable with
the "charset" configuration file attribute. The default is
"utf8mb4", consistent with the MySQL 8.0 built-in default, but
different from earlier MySQL versions where the built-in default
was "latin1".
New functionality:
* Support to query MongoDB databases, contributed by Hamid Maadani,
based on earlier code by Stephan Ferraro. See MONGODB_README
and mongodb_table(5)
* The RFC 3461 envelope ID is now exported in the local(8) delivery
agent with the ENVID environment variable, and in the pipe(8)
delivery agent with the ${envid} command-line attribute.
* Configurable idle and retry timer settings in the mysql: and
pgsql: clients. A shorter than default retry timer can speed up
the recovery after error, when Postfix is configured with only
one server in the "hosts" attribute. After the code was frozen
for release, we have learned that Postfix can recover faster
from some errors when the single server is specified multiple
times in the "hosts" attribute.
* Optional Postfix TLS support to request an RFC7250 raw public
key instead of an X.509 public-key certificate. The configuration
settings for raw public key support will be ignored when there
is no raw public key support in the local TLS implementation
(i.e. Postfix with OpenSSL versions before 3.2). See RELEASE_NOTES
for more information.
* Preliminary support for OpenSSL configuration files, primarily
OpenSSL 1.1.1b and later. This introduces two new parameters
"tls_config_file" and "tls_config_name", which can be used to
limit collateral damage from OS distributions that crank up
security to 11, increasing the number of plaintext email
deliveries. Details are in the postconf(5) manpage under
"tls_config_file" and "tls_config_name".
Attack resistance:
* With "smtpd_forbid_unauth_pipelining = yes" (the default),
Postfix defends against multiple "blind" SMTP attacks. This
feature was back-ported to older stable releases but disabled
by default.
* With "smtpd_forbid_bare_newline = normalize" (the default)
Postfix defends against SMTP smuggling attacks. See RELEASE_NOTES
for details. This feature was back-ported to older stable
releases but disabled by default.
* Prevent outbound SMTP smuggling, where an attacker uses Postfix
to send email containing a non-standard End-of-DATA sequence,
to exploit inbound SMTP smuggling at a vulnerable remote SMTP
server. With "cleanup_replace_stray_cr_lf = yes" (the default),
the cleanup daemon replaces each stray <CR> or <LF> character
in message content with a space character. This feature was
back-ported to older stable releases with identical functionality.
* The Postfix DNS client now limits the total size of DNS lookup
results to 100 records; it drops the excess records, and logs
a warning. This limit is 20x larger than the number of server
addresses that the Postfix SMTP client is willing to consider
when delivering mail, and is far below the number of records
that could cause a tail recursion crash in dns_rr_append() as
reported by Toshifumi Sakaguchi. This also introduces a similar
limit on the number of DNS requests that a check_*_*_access
restriction can make. All this was back-ported to older stable
releases with identical functionality.
|
2024-05-29 18:35:19 by Adam Ciarcinski | Files touched by this commit (1929) | |
Log message:
revbump after icu and protobuf updates
|
2024-02-28 16:16:19 by Takahiro Kambe | Files touched by this commit (2) |
Log message:
mail/postfix: update to 3.8.5
3.8.5 (2024-01-22)
Security: this release improves support to defend against an email
spoofing attack (SMTP smuggling) on recipients at a Postfix server. For
background, see https://www.postfix.org/smtp-smuggling.html.
The improvements provide better logging, and better compatibility with
existing SMTP clients (less need to allowlist clients).
Sites concerned about SMTP smuggling attacks should enable this feature
on Internet-facing Postfix servers. For compatibility with non-standard
clients, Postfix by default excludes clients in mynetworks from this
countermeasure.
The recommended settings are:
# Require the standard End-of-DATA sequence <CR><LF>.<CR><LF>.
# Otherwise, allow bare <LF> and process it as if the client sent
# <CR><LF>.
#
# This maintains compatibility with many legitimate SMTP client
# applications that send a mix of standard and non-standard line
# endings, but will fail to receive email from client implementations
# that do not terminate DATA content with the standard End-of-DATA
# sequence <CR><LF>.<CR><LF>.
#
# Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
# The example below allowlists SMTP clients in trusted networks.
#
smtpd_forbid_bare_newline = normalize
smtpd_forbid_bare_newline_exclusions = $mynetworks
Notes:
* The default setting is "smtpd_forbid_bare_newline = no" in Postfix
releases < 3.9, for compatibility reasons. This means that Postfix
is by default vulnerable to SMTP smuggling.
* The new setting "smtpd_forbid_bare_newline = normalize" is the
default for Postfix releases 3.9 and later.
* The old setting "smtpd_forbid_bare_newline = yes" is now an alias for
"smtpd_forbid_bare_newline = normalize".
* The new setting "smtpd_forbid_bare_newline = reject" will refuse
commands or message content with a bare newline. For details see
the RELEASE_NOTES or the postconf(5) documentation.
|
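An added example, not part of this package page or of Postfix: a small Python audit of the three countermeasure settings named in the 3.9.0 "Attack resistance" notes and the 3.8.5 notes above. It assumes a release that already carries the back-ported parameters and uses the defaults exactly as those notes state them; the function names and the sample main.cf fragment are constructed for illustration.

```python
import re

WATCHED = ("smtpd_forbid_bare_newline", "smtpd_forbid_unauth_pipelining",
           "cleanup_replace_stray_cr_lf")

def defaults(version):
    """Built-in defaults per the notes above; version is (major, minor)."""
    new = version >= (3, 9)
    return {"smtpd_forbid_bare_newline": "normalize" if new else "no",
            "smtpd_forbid_unauth_pipelining": "yes" if new else "no",
            "cleanup_replace_stray_cr_lf": "yes"}

def parse_main_cf(text):
    """Parse 'name = value' lines; leading whitespace continues the previous
    value, '#' lines are comments, and the last definition of a name wins."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            if name:
                params[name] = (params[name] + " " + line.strip()).strip()
            continue
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if m:
            name = m.group(1)
            params[name] = m.group(2).strip()
    return params

def audit(main_cf_text, version):
    """Return [(parameter, effective value)] for countermeasures left off."""
    effective = defaults(version)
    for key, value in parse_main_cf(main_cf_text).items():
        if key in effective:
            effective[key] = value.lower()
    if effective["smtpd_forbid_bare_newline"] == "yes":
        effective["smtpd_forbid_bare_newline"] = "normalize"  # documented alias
    ok = {"smtpd_forbid_bare_newline": ("normalize", "reject"),
          "smtpd_forbid_unauth_pipelining": ("yes",),
          "cleanup_replace_stray_cr_lf": ("yes",)}
    return [(p, effective[p]) for p in WATCHED if effective[p] not in ok[p]]

# Constructed sample: a 3.8.x host that applied only the 3.8.5 advice.
SAMPLE_38 = """\
# constructed main.cf fragment
mynetworks = 127.0.0.0/8
    192.0.2.0/24
smtpd_forbid_bare_newline = normalize
smtpd_forbid_bare_newline_exclusions = $mynetworks
"""

if __name__ == "__main__":
    for param, value in audit(SAMPLE_38, (3, 8)):
        print(f"review: {param} = {value}")
```

The text passed to audit() can be the output of postconf -n, which prints the explicitly configured settings in the same "name = value" form.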