with "database X is older than source file Y". Files:
util/dict.c, util/dict_db.c, util/dict_dbm.c, util/dict_lmdb.c,
util/dict_sdbm.c.
+
+20251024
+
+ Logging: with "smtp_tls_enforce_sts_mx_patterns=yes" and
+ TLSRPT support enabled in a TLS policy plugin, the Postfix
+ SMTP client logs a warning when an MX hostname does not
+ match STS policy MX patterns; it logs a successful match
+ when verbose logging is enabled. File: smtp/smtp_tls_policy.c.
+
+20251027
+
+ Bugfix (defect introduced: Postfix 3.10, date: 20240902):
+ SMTP client null pointer crash when an STS policy plugin
+ sends no policy_string or no mx_pattern attributes. This
+ can happen only during tests with a fake STS plugin. File:
+ smtp/smtp_tlsrpt.c.
+
+20251028
+
+ Documentation: removed incorrect text from the parameter
+ description for smtp_cname_overrides_servername. File:
+ proto/postconf.proto.
+
+20251031
+
+ Bugfix (defect introduced: Postfix 3.10, date 20250117):
+ support for "TLS-Required: no" broke client-side TLS wrappermode
+ support, by downgrading a connection to TLS security level 'may'.
+ The solution is to change the downgrade level for wrappermode
+ connections to 'encrypt'. Rationale: by design, TLS can be
+ optional only for connections that use STARTTLS. The downgrade
+ to unauthenticated 'encrypt' allows a sender to avoid an email
+ delivery problem. Problem reported by Joshua Tyler Cochran.
+ File: smtp/smtp_tls_policy.c.
+
+20251120
+
+ Bugfix (defect introduced: Postfix 2.9, date: 20120307):
+ segfault with duplicate parameter name in "postconf -X" or
+ "postconf -#'. File: postconf/postconf_edit.c.
password file lookups more predictable. This is the default setting
as of Postfix 2.3. </p>
-<p> When DNS CNAME records are validated with secure DNS lookups
-(<a href="postconf.5.html#smtp_dns_support_level">smtp_dns_support_level</a> = dnssec), they are always allowed to
-override the above servername (Postfix 2.11 and later). </p>
-
<p> This feature is available in Postfix 2.2.9 and later. </p>
password file lookups more predictable. This is the default setting
as of Postfix 2.3.
.PP
-When DNS CNAME records are validated with secure DNS lookups
-(smtp_dns_support_level = dnssec), they are always allowed to
-override the above servername (Postfix 2.11 and later).
-.PP
This feature is available in Postfix 2.2.9 and later.
.SH smtp_connect_timeout (default: 30s)
The Postfix SMTP client time limit for completing a TCP connection, or
password file lookups more predictable. This is the default setting
as of Postfix 2.3. </p>
-<p> When DNS CNAME records are validated with secure DNS lookups
-(smtp_dns_support_level = dnssec), they are always allowed to
-override the above servername (Postfix 2.11 and later). </p>
-
<p> This feature is available in Postfix 2.2.9 and later. </p>
%PARAM lmtp_cname_overrides_servername yes
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20251026"
-#define MAIL_VERSION_NUMBER "3.10.5"
+#define MAIL_RELEASE_DATE "20251125"
+#define MAIL_VERSION_NUMBER "3.10.6"
#ifdef SNAPSHOT
#define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
msg_panic("pcf_edit_main: unknown mode %d", mode);
}
if ((cvalue = htable_find(table, pattern)) != 0) {
- msg_warn("ignoring earlier request: '%s = %s'",
- pattern, cvalue->value);
+ if (edit_value && cvalue->value
+ && strcmp(edit_value, cvalue->value) != 0)
+ msg_warn("ignoring earlier request: '%s = %s'",
+ pattern, cvalue->value);
htable_delete(table, pattern, myfree);
}
cvalue = (struct cvalue *) mymalloc(sizeof(*cvalue));
} else
#endif
aname = name;
- for (pattp = tls->ext_mx_host_patterns->argv; *pattp; pattp++)
- if (match_sts_mx_host_pattern(*pattp, aname))
+ for (pattp = tls->ext_mx_host_patterns->argv; *pattp; pattp++) {
+ if (match_sts_mx_host_pattern(*pattp, aname)) {
+ if (msg_verbose)
+ msg_info("MX name '%s' matches STS MX pattern for '%s'",
+ aname, tls->ext_policy_domain ? tls->ext_policy_domain : "");
return (1);
+ }
+ }
+ msg_warn("MX name '%s' does not match STS MX pattern for '%s'",
+ aname, tls->ext_policy_domain ? tls->ext_policy_domain : "");
return (0);
}
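Review bot: The expression `tls->ext_policy_domain ? tls->ext_policy_domain : ""` is spelled out twice in the two new log calls; hoisting it into a local before the loop, `const char *pdom = tls->ext_policy_domain ? tls->ext_policy_domain : "";`, keeps both messages in step if either is changed later. The warning text "does not match STS MX pattern" is only reached after every entry in `ext_mx_host_patterns` has been tried, so "does not match any STS MX pattern" describes it more precisely. The enclosing function starts outside the hunk and the `#ifdef`/`#endif` around `aname` is only partly visible, so I cannot tell whether `aname` is the raw MX name or an IDNA-converted form; saying which in the message or a comment would make the log easier to correlate with DNS. The non-match warning fires unconditionally here, so the gating on `smtp_tls_enforce_sts_mx_patterns=yes` mentioned in the HISTORY entry presumably lives in the caller.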
/* No applicable policy name patterns. */
if (STATE_TLS_NOT_REQUIRED(iter->parent)) {
if (msg_verbose)
msg_info("%s: no tls policy lookup", __func__);
- if (tls->level > TLS_LEV_MAY)
- tls->level = TLS_LEV_MAY;
+ if (var_smtp_tls_wrappermode) {
+ if (tls->level > TLS_LEV_ENCRYPT)
+ tls->level = TLS_LEV_ENCRYPT;
+ } else {
+ if (tls->level > TLS_LEV_MAY)
+ tls->level = TLS_LEV_MAY;
+ }
} else if (tls_policy) {
tls_policy_lookup(tls, &site_level, dest, "next-hop destination");
} else if (tls_per_site) {
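Review bot: The new wrappermode branch lowers `tls->level` to `TLS_LEV_ENCRYPT` without recording why, and the rationale from the HISTORY entry belongs next to the code that embodies it: `/* TLS-Required: no. Wrappermode has no STARTTLS, so the lowest usable level is unauthenticated 'encrypt', not 'may'. */`. The two nested `if` pairs can be collapsed into one visible decision, `int cap = var_smtp_tls_wrappermode ? TLS_LEV_ENCRYPT : TLS_LEV_MAY; if (tls->level > cap) tls->level = cap;`. Since a downgrade from `secure`/`dane` to `encrypt` gives up server authentication, I would also extend the verbose `msg_info` to report the resulting level, so the downgrade is visible in the log rather than inferred. The enclosing function starts outside the hunk.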
if (tls->ext_policy_type == 0)
msg_panic("smtp_tlsrpt_set_ext_policy: no policy type");
+#define ARGV_OR_NULL(ap) ((ap) ? (ap)->argv : 0)
+
switch (policy_type_val =
convert_tlsrpt_policy_type(tls->ext_policy_type)) {
case TLSRPT_POLICY_STS:
trw_set_tls_policy(state->tlsrpt, policy_type_val,
- (const char *const *) tls->ext_policy_strings->argv,
+ (const char *const *) ARGV_OR_NULL(tls->ext_policy_strings),
tls->ext_policy_domain,
- (const char *const *) tls->ext_mx_host_patterns->argv);
+ (const char *const *) ARGV_OR_NULL(tls->ext_mx_host_patterns));
break;
case TLSRPT_NO_POLICY_FOUND:
smtp_tlsrpt_set_no_policy(state);
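Review bot: `ARGV_OR_NULL` turns a missing `policy_string` or `mx_pattern` attribute into a NULL list argument to `trw_set_tls_policy`, so the fix depends on the TLSRPT library accepting NULL there; that contract is not visible in the hunk and should be stated where the macro is defined, e.g. `/* A plugin may omit these attributes; trw_set_tls_policy() accepts NULL for either list. */`, or, if it does not, an empty list should be passed instead. An MTA-STS policy with no MX patterns is not a usable policy, so rather than forwarding it silently to TLSRPT the code could log a warning naming the missing attribute; the HISTORY entry says this only happens with a fake test plugin, but a warning would also expose a real misbehaving plugin. Defining the macro inside the function body is a minor style point; placing it at file scope, or adding `#undef ARGV_OR_NULL` after the switch, keeps it from leaking into later code. The enclosing function starts outside the hunk.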