From: Wietse Venema Date: Thu, 5 Sep 2013 12:55:00 +0000 (-0400) Subject: postfix-2.8.16 X-Git-Tag: v2.8.16^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=56213cadf6570759aa5cb14a7b3468d89d9bf408;p=thirdparty%2Fpostfix.git postfix-2.8.16 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index 551924974..cc8c363d1 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -16915,3 +16915,26 @@ Apologies for any names omitted. between different hostnames that resolve to the same IP address. Found during Postfix 2.11 code maintenance. File: smtp/smtp_connect.c. + +20130518 + + Bugfix (introduced: 1997): memory leak after error while + forwarding mail through the cleanup server. Viktor found + one, Wietse eliminated the rest. File: local/forward.c. + +20130615 + + TLS Interoperability: turn on SHA-2 digests by force. This + improves interoperability with clients and servers that + deploy SHA-2 digests without the required support for + TLSv1.2-style digest negotiation. Based on patch by Viktor + Dukhovni. Files: tls/tls_client.c, tls/tls_server.c. + +20130616 + + Workaround: The Postfix SMTP server TLS session cache was + broken because OpenSSL now enables session tickets by + default, resulting in a different ticket encryption key for + each smtpd(8) process. The workaround turns off session + tickets. In 2.11 we'll enable session tickets properly. + Viktor Dukhovni. File: tls/tls_server.c. diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index 1ff26b026..e1ac92bc4 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES 
@@ -11,6 +11,36 @@ instead, a new snapshot is released. The mail_release_date configuration parameter (format: yyyymmdd) specifies the release date of a stable release or snapshot release. +Debian Exim before 4.80-3 interoperability workaround +----------------------------------------------------- + +Debian Exim versions before 4.80-3 may fail to communicate with +Postfix and possibly other MTAs, with the following Exim SMTP client +error message: + + TLS error on connection to server-name [server-address] + (gnutls_handshake): The Diffie-Hellman prime sent by the server + is not acceptable (not long enough) + +This problem may affect Debian Exim versions before 4.80-3 that use +TLS with EDH (Ephemeral Diffie-Hellman) key exchanges. For details +see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=676563 + +To restore Postfix SMTP server interoperability with affected Exim +SMTP clients, configure the Postfix SMTP server to use a 2048-bit +prime number instead of 1024: + + # cd /etc/postfix + # openssl dhparam -out dh2048.pem 2048 + # postconf -e 'smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem' + +This change increases the CPU cost of EDH key exchanges (rarely a +problem for SMTP servers) and is unlikely to cause problems with +other SMTP client implementations. + +This problem should not affect EECDH (Ephemeral Elliptic Curve +Diffie-Hellman) key exchanges. + Major changes with Postfix 2.8.10 --------------------------------- diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index f3b4b51b0..69a81afd3 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h 
@@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20130622" -#define MAIL_VERSION_NUMBER "2.8.15" +#define MAIL_RELEASE_DATE "20130905" +#define MAIL_VERSION_NUMBER "2.8.16" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff --git a/postfix/src/local/forward.c b/postfix/src/local/forward.c index 6ebe74f18..fb7da4f2e 100644 --- a/postfix/src/local/forward.c +++ b/postfix/src/local/forward.c @@ -118,6 +118,11 @@ static FORWARD_INFO *forward_open(DELIVER_REQUEST *request, const char *sender) FORWARD_INFO *info; VSTREAM *cleanup; +#define FORWARD_OPEN_RETURN(res) do { \ + vstring_free(buffer); \ + return (res); \ + } while (0) + /* * Contact the cleanup service and save the new mail queue id. Request * that the cleanup service bounces bad messages to the sender so that we @@ -129,13 +134,13 @@ static FORWARD_INFO *forward_open(DELIVER_REQUEST *request, const char *sender) */ cleanup = mail_connect(MAIL_CLASS_PUBLIC, var_cleanup_service, BLOCKING); if (cleanup == 0) - return (0); + FORWARD_OPEN_RETURN(0); close_on_exec(vstream_fileno(cleanup), CLOSE_ON_EXEC); if (attr_scan(cleanup, ATTR_FLAG_STRICT, ATTR_TYPE_STR, MAIL_ATTR_QUEUEID, buffer, ATTR_TYPE_END) != 1) { vstream_fclose(cleanup); - return (0); + FORWARD_OPEN_RETURN(0); } info = (FORWARD_INFO *) mymalloc(sizeof(FORWARD_INFO)); info->cleanup = cleanup; @@ -190,8 +195,7 @@ static FORWARD_INFO *forward_open(DELIVER_REQUEST *request, const char *sender) PASS_ATTR(cleanup, MAIL_ATTR_LOG_IDENT, request->log_ident); PASS_ATTR(cleanup, MAIL_ATTR_RWR_CONTEXT, request->rewrite_context); - vstring_free(buffer); - return (info); + FORWARD_OPEN_RETURN(info); } /* forward_append - append recipient to message envelope */ diff --git a/postfix/src/tls/tls_client.c b/postfix/src/tls/tls_client.c index 1709f9990..aacd74adf 100644 --- a/postfix/src/tls/tls_client.c 
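Review bot: FORWARD_OPEN_RETURN silently depends on a local named `buffer` that is declared above the hunk, so a reader of the macro cannot see what it releases; a one-line comment above the `#define` would make the contract explicit: `/* Every exit from forward_open() must release the scratch VSTRING 'buffer'. */`. The macro is also never undefined after the function, so it stays visible for the rest of the translation unit; `#undef FORWARD_OPEN_RETURN` after the closing brace of forward_open() keeps it local to the function it serves. forward_open() begins before this hunk and the allocation of buffer is not visible here, so I am assuming it is the same VSTRING the removed `vstring_free(buffer)` on the success path used to release.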
+++ b/postfix/src/tls/tls_client.c
@@ -325,6 +325,24 @@ TLS_APPL_STATE *tls_client_init(const TLS_CLIENT_INIT_PROPS *props)
 	}
     }
 
+    /*
+     * Register SHA-2 digests, if implemented and not already registered.
+     * Improves interoperability with clients and servers that prematurely
+     * deploy SHA-2 certificates.
+     */
+#if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256)
+    if (!EVP_get_digestbyname(LN_sha224))
+	EVP_add_digest(EVP_sha224());
+    if (!EVP_get_digestbyname(LN_sha256))
+	EVP_add_digest(EVP_sha256());
+#endif
+#if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512)
+    if (!EVP_get_digestbyname(LN_sha384))
+	EVP_add_digest(EVP_sha384());
+    if (!EVP_get_digestbyname(LN_sha512))
+	EVP_add_digest(EVP_sha512());
+#endif
+
     /*
      * If the administrator specifies an unsupported digest algorithm, fail
      * now, rather than in the middle of a TLS handshake.
diff --git a/postfix/src/tls/tls_server.c b/postfix/src/tls/tls_server.c
index 5195a80a9..c236d4c6b 100644
--- a/postfix/src/tls/tls_server.c
+++ b/postfix/src/tls/tls_server.c
@@ -334,6 +334,24 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
 	}
     }
 
+    /*
+     * Register SHA-2 digests, if implemented and not already registered.
+     * Improves interoperability with clients and servers that prematurely
+     * deploy SHA-2 certificates.
+     */
+#if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256)
+    if (!EVP_get_digestbyname(LN_sha224))
+	EVP_add_digest(EVP_sha224());
+    if (!EVP_get_digestbyname(LN_sha256))
+	EVP_add_digest(EVP_sha256());
+#endif
+#if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512)
+    if (!EVP_get_digestbyname(LN_sha384))
+	EVP_add_digest(EVP_sha384());
+    if (!EVP_get_digestbyname(LN_sha512))
+	EVP_add_digest(EVP_sha512());
+#endif
+
     /*
      * If the administrator specifies an unsupported digest algorithm, fail
      * now, rather than in the middle of a TLS handshake.
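Review bot: The SHA-2 registration block added here is repeated verbatim in tls_server.c in the same commit, so the two copies can drift the next time the guard macros or the digest list change; a small shared helper, e.g. `static void tls_register_sha2_digests(void)` hoisted into the tls library and called from both tls_client_init() and tls_server_init(), would keep one source of truth. The comment "prematurely deploy SHA-2 certificates" does not say what failure this avoids; from the HISTORY entry in this commit (not from these lines) it appears to be peers presenting SHA-2-signed certificates without TLSv1.2 digest negotiation, so `* Without this, verification of a SHA-2-signed peer certificate can fail on OpenSSL builds that do not pre-register these digests.` would tell the next maintainer when the block can go. tls_client_init() starts before this hunk.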
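Review bot: The placement of the new block is load-bearing but undocumented: the context lines right after it say that an administrator-specified unsupported digest algorithm fails at startup, so registering the SHA-2 digests above that check is also what lets a SHA-2 value for that setting resolve; if the block is later moved below the check, such a configuration would start failing at init. Suggest stating the dependency in the comment: `* Must precede the check of the administrator-specified digest below.`. The `!EVP_get_digestbyname()` guards avoid re-adding a digest OpenSSL already knows, which presumably keeps this harmless on builds where SSL_library_init() has registered SHA-2 itself — an OpenSSL-version detail I cannot confirm from this hunk. tls_server_init() starts before the hunk and the digest check continues outside it.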
@@ -389,6 +407,9 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
     /*
      * Protocol work-arounds, OpenSSL version dependent.
      */
+#ifdef SSL_OP_NO_TICKET
+    off |= SSL_OP_NO_TICKET;
+#endif
     off |= tls_bug_bits();
     SSL_CTX_set_options(server_ctx, off);
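Review bot: `off |= SSL_OP_NO_TICKET;` carries no rationale in the code and sits under a comment about version-dependent protocol work-arounds, so a reader cannot tell why tickets are disabled or when the line can be removed; add above the `#ifdef`: `/* No session tickets: each smtpd(8) process would otherwise use its own random ticket key, so resumption relies on the shared session cache. */` — that rationale comes from the HISTORY entry in this commit, not from these lines. A caveat worth recording with it: with tickets off, TLS session resumption on the server now depends entirely on the session-ID cache being configured, which is not visible here. tls_server_init() begins before this hunk.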