Subject: CVS commit: pkgsrc/mail/postfix
From: =?UTF-8?B?RnLDqWTDqXJpYyBGYXViZXJ0ZWF1?=
Date: 2021-01-21 17:37:59
Message id: 20210121163759.7627EFA9D@cvs.NetBSD.org
Log Message:
postfix: Update to 3.5.9

upstream changes:
-----------------
This update improves the reporting of DNSSEC problems that may affect DANE
security. DNSSEC support may unavailable because of local configuration, libc
incompatibility, or other infrastructure issues. This was backported from
Postfix 3.6.

Background: DNSSEC validation is needed for Postfix DANE support; this ensures
that Postfix receives TLSA records with secure TLS server certificate info.
When DNSSEC validation is unavailable, mail deliveries using opportunistic DANE
(security level 'dane') will not be protected by server certificate info in
TLSA records, and mail deliveries using mandatory DANE (security level
'dane-only') will not be made at all.

This update introduces the following behavior: when a process requests DNSSEC
support (typically, for Postfix DANE support), the process may now do a runtime
test to determine if DNSSEC validation is available.

The new dnssec_probe parameter specifies a DNS query type (default: \ 
"ns") and
DNS query name (default: ".") that Postfix may use to determine \ 
whether DNSSEC
validation is available. Specify an empty value to disable this feature.

When dnssec_probe is enabled, a Postfix process will send a DNSSEC probe after
1) the process made a DNS query that requested DNSSEC validation, 2) the
process did not receive a DNSSEC validated response to this query or to an
earlier query, and 3) the process did not already send a DNSSEC probe.

When the DNSSEC probe has no response, or when the response is not DNSSEC
validated, Postfix logs a warning that DNSSEC validation may be unavailable.
Examples:

warning: DNSSEC validation may be unavailable
warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
warning: reason: dnssec_probe 'ns:.' received no response: Server failure

With this update, the Postfix build system will no longer automatically disable
DNSSEC support when it determines that Postfix will use libc-musl. This removes
the earlier libc-musl workaround introduced with Postfix 3.2.15, 3.3.10,
3.4.12, and 3.5.2.
Files:
RevisionActionfile
1.32modifypkgsrc/mail/postfix/Makefile.common
1.191modifypkgsrc/mail/postfix/distinfo
1.8modifypkgsrc/mail/postfix/patches/patch-src_dns_dns__lookup.c