From: Wietse Venema Date: Thu, 5 Sep 2013 12:58:00 +0000 (-0400) Subject: postfix-2.10.2 X-Git-Tag: v2.10.2^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eef718b99f57c1d02f91e1deca1da33cdef92a27;p=thirdparty%2Fpostfix.git postfix-2.10.2 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index ba23e20b6..a9d01ab49 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -18292,17 +18292,17 @@ Apologies for any names omitted. 20130615 - Interoperability: turn on SHA-2XX digests by force. This - improves interoperability with clients and servers with - ancient OpenSSL versions that prematurely deploy SHA-2 - certificates. Based on patch by Viktor Dukhovni. Files: - tls/tls_client.c, tls/tls_server.c. + TLS Interoperability: turn on SHA-2 digests by force. This + improves interoperability with clients and servers that + deploy SHA-2 digests without the required support for + TLSv1.2-style digest negotiation. Based on patch by Viktor + Dukhovni. Files: tls/tls_client.c, tls/tls_server.c. 20130616 - Workaround: The Postfix SMTP server TLS session cache was - broken because OpenSSL now enables session tickets by - default, resulting in a different ticket encryption key for - each smtpd(8) process. The workaround turns off session - tickets. In 2.11 we'll enable session tickets properly. - Viktor Dukhovni. File: tls/tls_server.c. + TLS Performance: the Postfix SMTP server TLS session cache + was ineffective because recent OpenSSL versions enable + session tickets by default, resulting in a different ticket + encryption key for each smtpd(8) process. The workaround + turns off session tickets. In 2.11 we'll enable session + tickets properly. Viktor Dukhovni. File: tls/tls_server.c. diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index 1140ce1eb..49fdda1fc 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES 
@@ -14,6 +14,36 @@ specifies the release date of a stable release or snapshot release. If you upgrade from Postfix 2.8 or earlier, read RELEASE_NOTES-2.9 before proceeding. +Debian Exim before 4.80-3 interoperability workaround +----------------------------------------------------- + +Debian Exim versions before 4.80-3 may fail to communicate with +Postfix and possibly other MTAs, with the following Exim SMTP client +error message: + + TLS error on connection to server-name [server-address] + (gnutls_handshake): The Diffie-Hellman prime sent by the server + is not acceptable (not long enough) + +This problem may affect Debian Exim versions before 4.80-3 that use +TLS with EDH (Ephemeral Diffie-Hellman) key exchanges. For details +see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=676563 + +To restore Postfix SMTP server interoperability with affected Exim +SMTP clients, configure the Postfix SMTP server to use a 2048-bit +prime number instead of 1024: + + # cd /etc/postfix + # openssl dhparam -out dh2048.pem 2048 + # postconf -e 'smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem' + +This change increases the CPU cost of EDH key exchanges (rarely a +problem for SMTP servers) and is unlikely to cause problems with +other SMTP client implementations. + +This problem should not affect EECDH (Ephemeral Elliptic Curve +Diffie-Hellman) key exchanges. + Major changes - laptop-friendliness ----------------------------------- diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 6eff8caf3..b40eb4820 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h 
@@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20130901" -#define MAIL_VERSION_NUMBER "2.10.2-RC1" +#define MAIL_RELEASE_DATE "20130905" +#define MAIL_VERSION_NUMBER "2.10.2" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
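Review bot: the HISTORY hunk only rewords the 20130615 and 20130616 entries, while the same commit adds a whole new "Debian Exim before 4.80-3 interoperability workaround" section to RELEASE_NOTES without a matching HISTORY entry; consider adding a dated entry (File: RELEASE_NOTES) so the change log records the documentation change shipped with 2.10.2.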
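Review bot: in the new RELEASE_NOTES section, the step `postconf -e 'smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem'` stores a 2048-bit prime under a parameter whose name still says 1024, and the surrounding text ("use a 2048-bit prime number instead of 1024") does not explain this; a sentence saying that the parameter name is historical and that the file may hold a prime of a different length would keep readers from thinking they have picked the wrong setting. The same paragraph could also make explicit that "instead of 1024" refers to the server's current 1024-bit EDH prime, so the before/after state is clear to someone reading only this section.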