./mail/postfix, Postfix SMTP server and tools

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]

Branch: pkgsrc-2010Q4, Version: 2.7.3, Package name: postfix-2.7.3, Maintainer: pkgsrc-users

Postfix aims to be an alternative to the widely-used sendmail
program. Sendmail is responsible for 70% of all e-mail delivered
on the Internet. With an estimated 100 million users, that's an
estimated 10 billion (10^10) messages daily. A stunning number.

Although IBM supported the Postfix development, it abstains from
control over its evolution. The goal is to have Postfix installed
on as many systems as possible. To this end, the software is given
away with no strings attached to it, so that it can evolve with
input from and under control by its users.

In other words, IBM releases Postfix only once. I will be around
to guide its development for a limited time.

MESSAGE.NetBSD [+/-]
MESSAGE.sasl [+/-]

Required to build:
[lang/perl5]

Package options: tls, bdb

Master sites: (Expand)

Version history: (Expand)

CVS history: (Expand)


   2011-03-09 20:22:12 by Matthias Scheler | Files touched by this commit (3) | Package updated
Log message:
Pullup ticket #3384 - requested by taca
mail/postfix: security update

Revisions pulled up:
- mail/postfix/Makefile					patch
- mail/postfix/distinfo					patch
- mail/postfix/patches/patch-ag				patch

---
Postfix legacy releases 2.7.3, 2.6.9, 2.5.12 and 2.4.16 are available.
These releases contain a fix for CVE-2011-0411 which allows plaintext
command injection with SMTP sessions over TLS. This defect was
introduced with Postfix version 2.2. The same flaw exists in other
implementations of the STARTTLS command.

    Note: CVE-2011-0411 is an issue only for the minority of SMTP
    clients that actually verify server certificates. Without server
    certificate verification, clients are always vulnerable to
    man-in-the-middle attacks that allow attackers to inject
    plaintext commands or responses into SMTP sessions, and more.

Postfix 2.8 and 2.9 are not affected.

The following problems were fixed with the Postfix legacy releases:

    * Fix for CVE-2011-0411: discard buffered plaintext input,
      after reading the SMTP "STARTTLS" command or response.

    * Fix to the local delivery agent: look up the "unextended"
      address in the local aliases database, when that address has
      a malformed address extension.

    * Fix to virtual alias expansion: report a tempfail error,
      instead of silently ignoring recipients that exceed the
      virtual_alias_expansion_limit or the virtual_alias_recursion_limit.

    * Fix for Solaris: the Postfix event engine was deaf for SIGHUP
      and SIGALRM signals after the switch from select() to /dev/poll.
      Symptoms were delayed "postfix reload" response, and killed
      processes with watchdog timeout values under 100 seconds.

    * Fix for HP-UX: the Postfix event engine was deaf for SIGALRM
      signals. Symptoms were killed processes with watchdog timeout
      values under 100 seconds.

    * Fix for BSD-ish mkdir() to prevent maildir directories from
      inheriting their group ownership from the parent directory.

    * Fix to the SMTP client: missing support for mail to
      [ipv6:ipv6addr] address literal destinations.

    * FreeBSD back-ported closefrom() from FreeBSD 8x to 7x, breaking
      Postfix builds retroactively.

Historical note:

    Wietse Venema discovered the problem two weeks before the
    Postfix 2.8 release, and silently fixed it pending further
    investigation. While investigating the problem's scope and
    impact, Victor Duchovni found that many other TLS applications
    were also affected. At that point, CERT/CC was asked to coordinate
    with the problem's resolution.

You can find the updated Postfix source code at the mirrors listed
at http://www.postfix.org/.