postfix-3.1.7

diff --git a/postfix/HISTORY b/postfix/HISTORY
index e171f1cfda45b6c0b2fff00a2d7f3dda2aa6b07e..c41f5c54cc8ae52e8b87b9a4775fe7c2378b21ee 100644 (file)
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -22352,3 +22352,17 @@ Apologies for any names omitted.
        by other users. This fix does not change Postfix behavior
        for Berkeley DB < 3, but reduces file create performance
        for Berkeley DB 3 .. 4.6.  File: util/dict_db.c.
+
+20171009
+
+       Bugfix (introduced: Postfix 3.1): DANE support. Postfix
+       builds with OpenSSL 1.0.0 or 1.0.1 failed to send email to
+       some sites with "TLSA 2 X X" records associated with an
+       intermediate CA certificate. Problem report and initial
+       fix by Erwan Legrand. File: src/tls/tls_dane.c.
+
+20171024
+
+       Bugfix (introduced: Postfix 3.0) missing dynamicmaps support
+       in the Postfix sendmail command broke authorized_submit_users
+       with a dynamically-loaded map type. File: sendmail/sendmail.c.

diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 89fdad0954b5fa6d5010c21fd3882f13483ca22a..3cd566de420704320c4bc964aac3353d5f9972a6 100644 (file)
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE      "20170613"
-#define MAIL_VERSION_NUMBER    "3.1.6"
+#define MAIL_RELEASE_DATE      "20171028"
+#define MAIL_VERSION_NUMBER    "3.1.7"
 
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE      "-" MAIL_RELEASE_DATE

diff --git a/postfix/src/sendmail/sendmail.c b/postfix/src/sendmail/sendmail.c
index f111a4f7bb081b5216ca35ca3ca8670d8a46662a..0f6a5f9853a7b4b263380405d5ce0d63896300b7 100644 (file)
--- a/postfix/src/sendmail/sendmail.c
+++ b/postfix/src/sendmail/sendmail.c
@@ -472,6 +472,7 @@
 #include <deliver_request.h>
 #include <mime_state.h>
 #include <header_opts.h>
+#include <mail_dict.h>
 #include <user_acl.h>
 #include <dsn_mask.h>
 
@@ -1082,6 +1083,8 @@ int     main(int argc, char **argv)
     msg_syslog_init(mail_task("sendmail"), LOG_PID, LOG_FACILITY);
     get_mail_conf_str_table(str_table);
 
+    mail_dict_init();
+
     if (chdir(var_queue_dir))
        msg_fatal_status(EX_UNAVAILABLE, "chdir %s: %m", var_queue_dir);
 

diff --git a/postfix/src/tls/tls_dane.c b/postfix/src/tls/tls_dane.c
index 4308108a48a58ba4870f6129a58380b6ef4f10f5..2b13ced5c573f5bb83766c5d0d6dc518891c2498 100644 (file)
--- a/postfix/src/tls/tls_dane.c
+++ b/postfix/src/tls/tls_dane.c
@@ -1511,7 +1511,7 @@ static X509_NAME *akid_issuer_name(AUTHORITY_KEYID *akid)
 
 /* set_issuer - set issuer DN to match akid if specified */
 
-static int set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid)
+static int set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid, X509_NAME *subj)
 {
     X509_NAME *name = akid_issuer_name(akid);
 
@@ -1521,7 +1521,7 @@ static int set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid)
      */
     if (name)
        return (X509_set_issuer_name(cert, name));
-    return (X509_set_issuer_name(cert, X509_get_subject_name(cert)));
+    return (X509_set_issuer_name(cert, subj));
 }
 
 /* grow_chain - add certificate to trusted or untrusted chain */
@@ -1583,7 +1583,7 @@ static void wrap_key(TLS_SESS_STATE *TLScontext, int depth,
      */
     if (!X509_set_version(cert, 2)
        || !set_serial(cert, akid, subject)
-       || !set_issuer_name(cert, akid)
+       || !set_issuer_name(cert, akid, name)
        || !X509_gmtime_adj(X509_getm_notBefore(cert), -30 * 86400L)
        || !X509_gmtime_adj(X509_getm_notAfter(cert), 30 * 86400L)
        || !X509_set_subject_name(cert, name)