between different hostnames that resolve to the same IP
address. Found during Postfix 2.11 code maintenance. File:
smtp/smtp_connect.c.
+
+20130518
+
+ Bugfix (introduced: 1997): memory leak after error while
+ forwarding mail through the cleanup server. Viktor found
+ one, Wietse eliminated the rest. File: local/forward.c.
+
+20130615
+
+ TLS Interoperability: turn on SHA-2 digests by force. This
+ improves interoperability with clients and servers that
+ deploy SHA-2 digests without the required support for
+ TLSv1.2-style digest negotiation. Based on patch by Viktor
+ Dukhovni. Files: tls/tls_client.c, tls/tls_server.c.
+
+20130616
+
+ Workaround: The Postfix SMTP server TLS session cache was
+ broken because OpenSSL now enables session tickets by
+ default, resulting in a different ticket encryption key for
+ each smtpd(8) process. The workaround turns off session
+ tickets. In 2.11 we'll enable session tickets properly.
+ Viktor Dukhovni. File: tls/tls_server.c.
If you upgrade from Postfix 2.7 or earlier, read RELEASE_NOTES-2.8
before proceeding.
+Debian Exim before 4.80-3 interoperability workaround
+-----------------------------------------------------
+
+Debian Exim versions before 4.80-3 may fail to communicate with
+Postfix and possibly other MTAs, with the following Exim SMTP client
+error message:
+
+ TLS error on connection to server-name [server-address]
+ (gnutls_handshake): The Diffie-Hellman prime sent by the server
+ is not acceptable (not long enough)
+
+This problem may affect Debian Exim versions before 4.80-3 that use
+TLS with EDH (Ephemeral Diffie-Hellman) key exchanges. For details
+see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=676563
+
+To restore Postfix SMTP server interoperability with affected Exim
+SMTP clients, configure the Postfix SMTP server to use a 2048-bit
+prime number instead of 1024:
+
+ # cd /etc/postfix
+ # openssl dhparam -out dh2048.pem 2048
+ # postconf -e 'smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem'
+
+This change increases the CPU cost of EDH key exchanges (rarely a
+problem for SMTP servers) and is unlikely to cause problems with
+other SMTP client implementations.
+
+This problem should not affect EECDH (Ephemeral Elliptic Curve
+Diffie-Hellman) key exchanges.
+
Major changes with Postfix 2.9.6
--------------------------------
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20130622"
-#define MAIL_VERSION_NUMBER "2.9.7"
+#define MAIL_RELEASE_DATE "20130905"
+#define MAIL_VERSION_NUMBER "2.9.8"
#ifdef SNAPSHOT
# define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
FORWARD_INFO *info;
VSTREAM *cleanup;
+#define FORWARD_OPEN_RETURN(res) do { \
+ vstring_free(buffer); \
+ return (res); \
+ } while (0)
+
/*
* Contact the cleanup service and save the new mail queue id. Request
* that the cleanup service bounces bad messages to the sender so that we
*/
cleanup = mail_connect(MAIL_CLASS_PUBLIC, var_cleanup_service, BLOCKING);
if (cleanup == 0)
- return (0);
+ FORWARD_OPEN_RETURN(0);
close_on_exec(vstream_fileno(cleanup), CLOSE_ON_EXEC);
if (attr_scan(cleanup, ATTR_FLAG_STRICT,
ATTR_TYPE_STR, MAIL_ATTR_QUEUEID, buffer,
ATTR_TYPE_END) != 1) {
vstream_fclose(cleanup);
- return (0);
+ FORWARD_OPEN_RETURN(0);
}
info = (FORWARD_INFO *) mymalloc(sizeof(FORWARD_INFO));
info->cleanup = cleanup;
PASS_ATTR(cleanup, MAIL_ATTR_LOG_IDENT, request->log_ident);
PASS_ATTR(cleanup, MAIL_ATTR_RWR_CONTEXT, request->rewrite_context);
- vstring_free(buffer);
- return (info);
+ FORWARD_OPEN_RETURN(info);
}
/* forward_append - append recipient to message envelope */
}
}
+ /*
+ * Register SHA-2 digests, if implemented and not already registered.
+ * Improves interoperability with clients and servers that prematurely
+ * deploy SHA-2 certificates.
+ */
+#if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256)
+ if (!EVP_get_digestbyname(LN_sha224))
+ EVP_add_digest(EVP_sha224());
+ if (!EVP_get_digestbyname(LN_sha256))
+ EVP_add_digest(EVP_sha256());
+#endif
+#if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512)
+ if (!EVP_get_digestbyname(LN_sha384))
+ EVP_add_digest(EVP_sha384());
+ if (!EVP_get_digestbyname(LN_sha512))
+ EVP_add_digest(EVP_sha512());
+#endif
+
/*
* If the administrator specifies an unsupported digest algorithm, fail
* now, rather than in the middle of a TLS handshake.
}
}
+ /*
+ * Register SHA-2 digests, if implemented and not already registered.
+ * Improves interoperability with clients and servers that prematurely
+ * deploy SHA-2 certificates.
+ */
+#if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256)
+ if (!EVP_get_digestbyname(LN_sha224))
+ EVP_add_digest(EVP_sha224());
+ if (!EVP_get_digestbyname(LN_sha256))
+ EVP_add_digest(EVP_sha256());
+#endif
+#if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512)
+ if (!EVP_get_digestbyname(LN_sha384))
+ EVP_add_digest(EVP_sha384());
+ if (!EVP_get_digestbyname(LN_sha512))
+ EVP_add_digest(EVP_sha512());
+#endif
+
/*
* If the administrator specifies an unsupported digest algorithm, fail
* now, rather than in the middle of a TLS handshake.
/*
* Protocol work-arounds, OpenSSL version dependent.
*/
+#ifdef SSL_OP_NO_TICKET
+ off |= SSL_OP_NO_TICKET;
+#endif
off |= tls_bug_bits();
SSL_CTX_set_options(server_ctx, off);
projects / thirdparty / postfix.git / commitdiff
