20130615
- Interoperability: turn on SHA-2XX digests by force. This
- improves interoperability with clients and servers with
- ancient OpenSSL versions that prematurely deploy SHA-2
- certificates. Based on patch by Viktor Dukhovni. Files:
- tls/tls_client.c, tls/tls_server.c.
+ TLS Interoperability: turn on SHA-2 digests by force. This
+ improves interoperability with clients and servers that
+ deploy SHA-2 digests without the required support for
+ TLSv1.2-style digest negotiation. Based on patch by Viktor
+ Dukhovni. Files: tls/tls_client.c, tls/tls_server.c.
20130616
- Workaround: The Postfix SMTP server TLS session cache was
- broken because OpenSSL now enables session tickets by
- default, resulting in a different ticket encryption key for
- each smtpd(8) process. The workaround turns off session
- tickets. In 2.11 we'll enable session tickets properly.
- Viktor Dukhovni. File: tls/tls_server.c.
+ TLS Performance: the Postfix SMTP server TLS session cache
+ was ineffective because recent OpenSSL versions enable
+ session tickets by default, resulting in a different ticket
+ encryption key for each smtpd(8) process. The workaround
+ turns off session tickets. In 2.11 we'll enable session
+ tickets properly. Viktor Dukhovni. File: tls/tls_server.c.
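Review bot: in the 20130615 entry, the rewritten text no longer says which implementations lack TLSv1.2-style digest negotiation; the removed lines named "ancient OpenSSL versions", and keeping that hint (for example "typically clients and servers built with older OpenSSL versions") would let an operator match a handshake failure to this change. In the 20130616 entry, say whether session tickets are turned off unconditionally in tls_server.c or only when the smtpd session cache is configured, since readers of HISTORY need to know that session resumption now depends entirely on the server-side cache until 2.11; the bare "Viktor Dukhovni." also reads as a fragment next to the "Based on patch by Viktor Dukhovni." form used in the entry above.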
If you upgrade from Postfix 2.8 or earlier, read RELEASE_NOTES-2.9
before proceeding.
+Debian Exim before 4.80-3 interoperability workaround
+-----------------------------------------------------
+
+Debian Exim versions before 4.80-3 may fail to communicate with
+Postfix and possibly other MTAs, with the following Exim SMTP client
+error message:
+
+ TLS error on connection to server-name [server-address]
+ (gnutls_handshake): The Diffie-Hellman prime sent by the server
+ is not acceptable (not long enough)
+
+This problem may affect Debian Exim versions before 4.80-3 that use
+TLS with EDH (Ephemeral Diffie-Hellman) key exchanges. For details
+see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=676563
+
+To restore Postfix SMTP server interoperability with affected Exim
+SMTP clients, configure the Postfix SMTP server to use a 2048-bit
+prime number instead of 1024:
+
+ # cd /etc/postfix
+ # openssl dhparam -out dh2048.pem 2048
+ # postconf -e 'smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem'
+
+This change increases the CPU cost of EDH key exchanges (rarely a
+problem for SMTP servers) and is unlikely to cause problems with
+other SMTP client implementations.
+
+This problem should not affect EECDH (Ephemeral Elliptic Curve
+Diffie-Hellman) key exchanges.
+
Major changes - laptop-friendliness
-----------------------------------
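Review bot: the three-command procedure stops at postconf -e; add a final "postfix reload" step so the running Postfix instance picks up the new smtpd_tls_dh1024_param_file setting, otherwise an operator who follows the commands verbatim may keep seeing the Exim error until daemons are restarted. Also consider one sentence saying that smtpd_tls_dh1024_param_file is the parameter for the non-export EDH group and accepts a 2048-bit prime, because "1024" in the parameter name beside "dh2048.pem" will look like a typo to readers. Finally, the added section carries no Postfix version or date marker, unlike the dated HISTORY entries, so readers of RELEASE_NOTES cannot tell which patchlevel introduced the workaround.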
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20130901"
-#define MAIL_VERSION_NUMBER "2.10.2-RC1"
+#define MAIL_RELEASE_DATE "20130905"
+#define MAIL_VERSION_NUMBER "2.10.2"
#ifdef SNAPSHOT
# define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE