From: Wietse Venema
Date: Sat, 28 Oct 2017 05:00:00 +0000 (-0500)
Subject: postfix-3.1.7
X-Git-Tag: v3.1.7^0
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=41a6012875f4e3eb3658466e7ce34385331a2db5;p=thirdparty%2Fpostfix.git
postfix-3.1.7
---
diff --git a/postfix/HISTORY b/postfix/HISTORY
index e171f1cfd..c41f5c54c 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -22352,3 +22352,17 @@ Apologies for any names omitted.
 by other users. This fix does not change Postfix behavior for Berkeley DB < 3, but reduces file create performance for Berkeley DB 3 .. 4.6. File: util/dict_db.c.
+
+20171009
+
+ Bugfix (introduced: Postfix 3.1): DANE support. Postfix
+ builds with OpenSSL 1.0.0 or 1.0.1 failed to send email to
+ some sites with "TLSA 2 X X" records associated with an
+ intermediate CA certificate. Problem report and initial
+ fix by Erwan Legrand. File: src/tls/tls_dane.c.
+
+20171024
+
+ Bugfix (introduced: Postfix 3.0) missing dynamicmaps support
+ in the Postfix sendmail command broke authorized_submit_users
+ with a dynamically-loaded map type. File: sendmail/sendmail.c.
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 89fdad095..3cd566de4 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,8 +20,8 @@
 * Patches change both the patchlevel and the release date. Snapshots have no
 * patchlevel; they change the release date only.
 */
-#define MAIL_RELEASE_DATE "20170613"
-#define MAIL_VERSION_NUMBER "3.1.6"
+#define MAIL_RELEASE_DATE "20171028"
+#define MAIL_VERSION_NUMBER "3.1.7"
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
diff --git a/postfix/src/sendmail/sendmail.c b/postfix/src/sendmail/sendmail.c
index f111a4f7b..0f6a5f985 100644
--- a/postfix/src/sendmail/sendmail.c
+++ b/postfix/src/sendmail/sendmail.c
@@ -472,6 +472,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
@@ -1082,6 +1083,8 @@ int main(int argc, char **argv)
 msg_syslog_init(mail_task("sendmail"), LOG_PID, LOG_FACILITY);
 get_mail_conf_str_table(str_table);
+ mail_dict_init();
+
 if (chdir(var_queue_dir))
 msg_fatal_status(EX_UNAVAILABLE, "chdir %s: %m", var_queue_dir);
diff --git a/postfix/src/tls/tls_dane.c b/postfix/src/tls/tls_dane.c
index 4308108a4..2b13ced5c 100644
--- a/postfix/src/tls/tls_dane.c
+++ b/postfix/src/tls/tls_dane.c
@@ -1511,7 +1511,7 @@ static X509_NAME *akid_issuer_name(AUTHORITY_KEYID *akid)
 /* set_issuer - set issuer DN to match akid if specified */
-static int set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid)
+static int set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid, X509_NAME *subj)
 {
 X509_NAME *name = akid_issuer_name(akid);
@@ -1521,7 +1521,7 @@ static int set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid)
 */
 if (name)
 return (X509_set_issuer_name(cert, name));
- return (X509_set_issuer_name(cert, X509_get_subject_name(cert)));
+ return (X509_set_issuer_name(cert, subj));
 }
 /* grow_chain - add certificate to trusted or untrusted chain */
@@ -1583,7 +1583,7 @@ static void wrap_key(TLS_SESS_STATE *TLScontext, int depth,
 */
 if (!X509_set_version(cert, 2)
 || !set_serial(cert, akid, subject)
- || !set_issuer_name(cert, akid)
+ || !set_issuer_name(cert, akid, name)
 || !X509_gmtime_adj(X509_getm_notBefore(cert), -30 * 86400L)
 || !X509_gmtime_adj(X509_getm_notAfter(cert), 30 * 86400L)
 || !X509_set_subject_name(cert, name)
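Review bot: The new `mail_dict_init();` call in main() carries no comment explaining why a submission command needs it, and its placement right after `get_mail_conf_str_table(str_table)` looks order-dependent. I would put `/* Register dynamically-loaded map types so that authorized_submit_users lookups can open them. */` above the call. Because this makes a command that ordinary local users run load map plug-ins, it is worth confirming that the plug-in locations come only from administrator-controlled configuration. main() starts and ends outside this hunk, so the place where authorized_submit_users is evaluated is not visible here.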
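Review bot: The comment above set_issuer_name() still reads `/* set_issuer - set issuer DN to match akid if specified */`, which does not match the function name and says nothing about the new `subj` argument that the hunk at -1521 uses as the fallback. I would change it to `/* set_issuer_name - set issuer DN from akid if specified, else from subj (self-issued) */`. `subj` goes to X509_set_issuer_name() without a NULL check; the only caller visible on this page passes `name`, so stating in the comment that `subj` must be non-NULL is probably enough. The function body continues outside this hunk.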
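Review bot: The call in wrap_key() does not record why `name` must be handed to set_issuer_name(): `X509_set_subject_name(cert, name)` comes after it in this `||` chain, so the certificate presumably has no subject yet when the issuer is set. A one-line comment ahead of the condition, such as `/* The subject is set last, so pass it to set_issuer_name() explicitly. */`, would keep a later reordering or clean-up from reintroducing the 20171009 bug. No test change is visible in this commit; a regression case for a "TLSA 2 X X" record that matches an intermediate CA certificate would pin the fix. wrap_key() begins and ends outside the hunk.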