address. Found during Postfix 2.11 code maintenance. File:
smtp/smtp_connect.c.
+20130518
+
+ Bugfix (introduced: 1997): memory leak after error while
+ forwarding mail through the cleanup server. Viktor found
+ one, Wietse eliminated the rest. File: local/forward.c.
+
20130613
Workaround: unhelpful down-stream maintainers fail to install
that could have been avoided. We now hard-code the safety
net instead. Files: global/mail_params.h, conf/post-install,
RELEASE_NOTES.
+
+20130615
+
+ Interoperability: turn on SHA-2XX digests by force. This
+ improves interoperability with clients and servers with
+ ancient OpenSSL versions that prematurely deploy SHA-2
+ certificates. Based on patch by Viktor Dukhovni. Files:
+ tls/tls_client.c, tls/tls_server.c.
+
+20130616
+
+ Workaround: The Postfix SMTP server TLS session cache was
+ broken because OpenSSL now enables session tickets by
+ default, resulting in a different ticket encryption key for
+ each smtpd(8) process. The workaround turns off session
+ tickets. In 2.11 we'll enable session tickets properly.
+ Viktor Dukhovni. File: tls/tls_server.c.
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20130622"
-#define MAIL_VERSION_NUMBER "2.10.1"
+#define MAIL_RELEASE_DATE "20130901"
+#define MAIL_VERSION_NUMBER "2.10.2-RC1"
#ifdef SNAPSHOT
# define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
FORWARD_INFO *info;
VSTREAM *cleanup;
+#define FORWARD_OPEN_RETURN(res) do { \
+ vstring_free(buffer); \
+ return (res); \
+ } while (0)
+
/*
* Contact the cleanup service and save the new mail queue id. Request
* that the cleanup service bounces bad messages to the sender so that we
*/
cleanup = mail_connect(MAIL_CLASS_PUBLIC, var_cleanup_service, BLOCKING);
if (cleanup == 0)
- return (0);
+ FORWARD_OPEN_RETURN(0);
close_on_exec(vstream_fileno(cleanup), CLOSE_ON_EXEC);
if (attr_scan(cleanup, ATTR_FLAG_STRICT,
ATTR_TYPE_STR, MAIL_ATTR_QUEUEID, buffer,
ATTR_TYPE_END) != 1) {
vstream_fclose(cleanup);
- return (0);
+ FORWARD_OPEN_RETURN(0);
}
info = (FORWARD_INFO *) mymalloc(sizeof(FORWARD_INFO));
info->cleanup = cleanup;
PASS_ATTR(cleanup, MAIL_ATTR_LOG_IDENT, request->log_ident);
PASS_ATTR(cleanup, MAIL_ATTR_RWR_CONTEXT, request->rewrite_context);
- vstring_free(buffer);
- return (info);
+ FORWARD_OPEN_RETURN(info);
}
/* forward_append - append recipient to message envelope */
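Review bot: FORWARD_OPEN_RETURN is defined inside forward_open() but, being a preprocessor macro, stays visible to every function that follows it in local/forward.c, and it silently depends on a local named `buffer` wherever it is expanded; please add `#undef FORWARD_OPEN_RETURN` directly after the closing brace of forward_open(), or at least a comment on the definition such as `/* Releases the queue-id buffer on every exit path of forward_open(); not for use elsewhere. */`. The two early exits it now wraps, the mail_connect() failure and the attr_scan() failure that first closes the cleanup stream, are the leaks the changelog describes, so the fix itself looks right. The head of forward_open(), where `buffer` is allocated, lies above this hunk, so I could not confirm there is no further exit between the allocation and the first FORWARD_OPEN_RETURN.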
}
}
+ /*
+ * Register SHA-2 digests, if implemented and not already registered.
+ * Improves interoperability with clients and servers that prematurely
+ * deploy SHA-2 certificates.
+ */
+#if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256)
+ if (!EVP_get_digestbyname(LN_sha224))
+ EVP_add_digest(EVP_sha224());
+ if (!EVP_get_digestbyname(LN_sha256))
+ EVP_add_digest(EVP_sha256());
+#endif
+#if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512)
+ if (!EVP_get_digestbyname(LN_sha384))
+ EVP_add_digest(EVP_sha384());
+ if (!EVP_get_digestbyname(LN_sha512))
+ EVP_add_digest(EVP_sha512());
+#endif
+
/*
* If the administrator specifies an unsupported digest algorithm, fail
* now, rather than in the middle of a TLS handshake.
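Review bot: The SHA-2 registration block added here is duplicated verbatim in the tls_server.c hunk of the same patch, and neither copy checks the result of EVP_add_digest(), which returns 0 when the digest cannot be registered. A single shared helper in the TLS library (something like `void tls_add_sha2_digests(void)`, declared next to the other tls_*() helpers such as tls_bug_bits()) called from both initialisation paths would keep the two sides from drifting and give one place to log a registration failure. Note also that the `LN_sha256`/`OPENSSL_NO_SHA256` guard covers the sha224 calls and the `LN_sha512` guard the sha384 calls; that holds for OpenSSL builds that ship each SHA-2 pair together, but it is an assumption worth a one-line comment above the `#if`. The enclosing init function starts above and continues past this hunk.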
}
}
+ /*
+ * Register SHA-2 digests, if implemented and not already registered.
+ * Improves interoperability with clients and servers that prematurely
+ * deploy SHA-2 certificates.
+ */
+#if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256)
+ if (!EVP_get_digestbyname(LN_sha224))
+ EVP_add_digest(EVP_sha224());
+ if (!EVP_get_digestbyname(LN_sha256))
+ EVP_add_digest(EVP_sha256());
+#endif
+#if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512)
+ if (!EVP_get_digestbyname(LN_sha384))
+ EVP_add_digest(EVP_sha384());
+ if (!EVP_get_digestbyname(LN_sha512))
+ EVP_add_digest(EVP_sha512());
+#endif
+
/*
* If the administrator specifies an unsupported digest algorithm, fail
* now, rather than in the middle of a TLS handshake.
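Review bot: The comment above the new registration block gives the interoperability motive but not why the block has to sit where it does: the check immediately below, which rejects an administrator-specified digest algorithm before the handshake, appears to resolve the name through the same EVP lookup, so a SHA-2 fingerprint digest is only accepted because this block runs first. Please record that ordering in the comment, e.g. `Must precede the administrator digest check below, which would otherwise reject sha256/sha512 on OpenSSL builds that do not register SHA-2 at library init.` It is also worth stating that each EVP_add_digest() is guarded by EVP_get_digestbyname(), so on an OpenSSL that already registers SHA-2 the block is a no-op and does not widen the accepted algorithm set. The enclosing server init function starts above and continues past this hunk.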
/*
* Protocol work-arounds, OpenSSL version dependent.
*/
+#ifdef SSL_OP_NO_TICKET
+ off |= SSL_OP_NO_TICKET;
+#endif
off |= tls_bug_bits();
SSL_CTX_set_options(server_ctx, off);