From 33a1009adc60a274a8203a1fee315fa54b51deb7 Mon Sep 17 00:00:00 2001 From: Wietse Venema Date: Wed, 24 Feb 2016 00:00:00 -0500 Subject: [PATCH] postfix-3.1.0 --- postfix/RELEASE_NOTES | 22 ++++++++++------------ postfix/conf/postfix-tls-script | 8 +++++--- postfix/html/postfix-tls.1.html | 26 ++++++++++++++------------ postfix/man/man1/postfix-tls.1 | 8 +++++--- postfix/src/global/mail_version.h | 4 ++-- 5 files changed, 36 insertions(+), 32 deletions(-) diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index 5a5eed240..aa2fbf257 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES @@ -14,6 +14,7 @@ The mail_release_date configuration parameter (format: yyyymmdd) specifies the release date of a stable release or snapshot release. If you upgrade from Postfix 2.11 or earlier, read RELEASE_NOTES-3.0 +before proceeding. Major changes - address verification safety ------------------------------------------- @@ -127,9 +128,6 @@ with a corresponding "smtpd_policy_service_policy_context" configuration parameter. Originally, this was implemented to share the same SMTPD policy service endpoint among multiple check_policy_service clients. -Incompatible change with Postfix snapshot 20150721 -================================================== - Major changes - tls ------------------- 
@@ -146,15 +144,6 @@ existence of a secure TLSA record implies that the host wants to talk TLS and not plaintext. For details see the smtp_tls_dane_insecure_mx_policy configuration parameter. -[Incompat 20150719] The default Diffie-Hellman non-export prime was -updated from 1024 to 2048 bits, because SMTP clients are starting -to reject TLS handshakes with primes smaller than 2048 bits. - -Historically, this prime size is not negotiable, and each site needs -to determine which prime size works best for the majority of its -clients. See FORWARD_SECRECY_README for some hints in the quick-start -section. - [Incompat 20150721] As of the middle of 2015, all supported Postfix releases no longer enable "export" grade ciphers for opportunistic TLS, and no longer use the deprecated SSLv2 and SSLv3 protocols for @@ -186,3 +175,12 @@ selective, use "-o name=value" parameter overrides on specific services in master.cf. Execute the command "postfix reload" to make the changes effective. +[Incompat 20150719] The default Diffie-Hellman non-export prime was +updated from 1024 to 2048 bits, because SMTP clients are starting +to reject TLS handshakes with primes smaller than 2048 bits. + +Historically, this prime size is not negotiable, and each site needs +to determine which prime size works best for the majority of its +clients. See FORWARD_SECRECY_README for some hints in the quick-start +section. + diff --git a/postfix/conf/postfix-tls-script b/postfix/conf/postfix-tls-script index c8e991e59..c43ed10dc 100644 --- a/postfix/conf/postfix-tls-script +++ b/postfix/conf/postfix-tls-script 
@@ -116,12 +116,13 @@ # and certificate). After the new certificate and key are # deployed any obsolete keys and certificates may be removed # by hand. The \fIkeyfile\fR and \fIcertfile\fR filenames -# are relative to the Postfix configuration directory. +# may be relative to the Postfix configuration directory. # .IP "\fBoutput-server-csr\fR [\fB-k \fIkeyfile\fR] [\fIhostname\fB...\fR]" # Write to stdout a certificate signing request (CSR) for the # specified \fIkeyfile\fR. # .sp -# Instead of a filename, \fIkeyfile\fR may specify one of the +# Instead of an absolute pathname or a pathname relative to +# $config_directory, \fIkeyfile\fR may specify one of the # supported key algorithm names (see "\fBpostconf -T # public-key-algorithms\fR"). In that case, the corresponding # setting from main.cf is used to locate the \fIkeyfile\fR. @@ -136,7 +137,8 @@ # the specified \fIkeyfile\fR values. The default \fIhostname\fR # is the value of the \fBmyhostname\fR main.cf parameter. # .sp -# Instead of filenames, the \fIkeyfile\fR list may specify +# Instead of absolute pathnames or pathnames relative to +# $config_directory, the \fIkeyfile\fR list may specify # names of supported public key algorithms (see "\fBpostconf # -T public-key-algorithms\fR"). In that case, the actual # \fIkeyfile\fR list uses the values of the corresponding diff --git a/postfix/html/postfix-tls.1.html b/postfix/html/postfix-tls.1.html index 520c0bd97..d34989dc9 100644 --- a/postfix/html/postfix-tls.1.html +++ b/postfix/html/postfix-tls.1.html 
@@ -115,31 +115,33 @@ POSTFIX-TLS(1) POSTFIX-TLS(1) to deploy the generated key and certificate). After the new certificate and key are deployed any obsolete keys and certifi- cates may be removed by hand. The keyfile and certfile file- - names are relative to the Postfix configuration directory. + names may be relative to the Postfix configuration directory. output-server-csr [-k keyfile] [hostname...] Write to stdout a certificate signing request (CSR) for the specified keyfile. - Instead of a filename, keyfile may specify one of the supported - key algorithm names (see "postconf -T public-key-algorithms"). - In that case, the corresponding setting from main.cf is used to + Instead of an absolute pathname or a pathname relative to $con- + fig_directory, keyfile may specify one of the supported key + algorithm names (see "postconf -T public-key-algorithms"). In + that case, the corresponding setting from main.cf is used to locate the keyfile. The default keyfile value is rsa. - Zero or more hostname values can be specified. The default + Zero or more hostname values can be specified. The default hostname is the value of myhostname main.cf parameter. output-server-tlsa [-h hostname] [keyfile...] - Write to stdout a DANE TLSA RRset suitable for a port 25 SMTP + Write to stdout a DANE TLSA RRset suitable for a port 25 SMTP server on host hostname with keys from any of the specified key- - file values. The default hostname is the value of the myhost- + file values. The default hostname is the value of the myhost- name main.cf parameter. - Instead of filenames, the keyfile list may specify names of sup- - ported public key algorithms (see "postconf -T public-key-algo- - rithms"). In that case, the actual keyfile list uses the values - of the corresponding Postfix server TLS key file parameters. 
If - a parameter value is empty or equal to none, then no TLSA record + Instead of absolute pathnames or pathnames relative to $con- + fig_directory, the keyfile list may specify names of supported + public key algorithms (see "postconf -T public-key-algorithms"). + In that case, the actual keyfile list uses the values of the + corresponding Postfix server TLS key file parameters. If a + parameter value is empty or equal to none, then no TLSA record is output for that algorithm. The default keyfile list consists of the two supported algo- diff --git a/postfix/man/man1/postfix-tls.1 b/postfix/man/man1/postfix-tls.1 index 406be571b..3569f503e 100644 --- a/postfix/man/man1/postfix-tls.1 +++ b/postfix/man/man1/postfix-tls.1 @@ -120,12 +120,13 @@ display the full command needed to deploy the generated key and certificate). After the new certificate and key are deployed any obsolete keys and certificates may be removed by hand. The \fIkeyfile\fR and \fIcertfile\fR filenames -are relative to the Postfix configuration directory. +may be relative to the Postfix configuration directory. .IP "\fBoutput\-server\-csr\fR [\fB\-k \fIkeyfile\fR] [\fIhostname\fB...\fR]" Write to stdout a certificate signing request (CSR) for the specified \fIkeyfile\fR. .sp -Instead of a filename, \fIkeyfile\fR may specify one of the +Instead of an absolute pathname or a pathname relative to +$config_directory, \fIkeyfile\fR may specify one of the supported key algorithm names (see "\fBpostconf \-T public\-key\-algorithms\fR"). In that case, the corresponding setting from main.cf is used to locate the \fIkeyfile\fR. 
@@ -140,7 +141,8 @@ SMTP server on host \fIhostname\fR with keys from any of the specified \fIkeyfile\fR values. The default \fIhostname\fR is the value of the \fBmyhostname\fR main.cf parameter. .sp -Instead of filenames, the \fIkeyfile\fR list may specify +Instead of absolute pathnames or pathnames relative to +$config_directory, the \fIkeyfile\fR list may specify names of supported public key algorithms (see "\fBpostconf \-T public\-key\-algorithms\fR"). In that case, the actual \fIkeyfile\fR list uses the values of the corresponding diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 9d84a25fe..4838f79b5 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20160221" -#define MAIL_VERSION_NUMBER "3.1.0-RC1" +#define MAIL_RELEASE_DATE "20160224" +#define MAIL_VERSION_NUMBER "3.1.0" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE -- 2.47.3
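Review bot: In the first RELEASE_NOTES hunk, the added "+before proceeding." closes a sentence that previously ended at "read RELEASE_NOTES-3.0" with no terminator; good catch. The removed "Incompatible change with Postfix snapshot 20150721" heading had no body text of its own before "Major changes - tls", so dropping it is a pure cleanup; the remaining "[Incompat 20150721]" item is already self-labelled by its date tag, so no reader-facing information is lost.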
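Review bot: The second and third RELEASE_NOTES hunks move the "[Incompat 20150719]" Diffie-Hellman prime paragraph out of the TLS section and append it after the paragraph ending "Execute the command "postfix reload" to make the changes effective.", and the appended block ends with a bare "+" line, which leaves a trailing blank line at end of file; suggest dropping that last "+" line. Also check the new position: the paragraph talks about TLS handshakes and points at FORWARD_SECRECY_README, and in its new place it follows a "-o name=value" / master.cf discussion, and the date tags now read 20150721 before 20150719 within the file. The claim "Historically, this prime size is not negotiable" is accurate for TLS up to 1.2, where the server alone picks the DH group and a client can only accept it or abort the handshake, which is exactly why a 1024-bit default started to fail against stricter clients; the text could say so in one clause so readers understand why the 2048-bit default cannot be made per-client.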
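Review bot: In the postfix-tls-script hunks, the rewritten sentence "The \fIkeyfile\fR and \fIcertfile\fR filenames may be relative to the Postfix configuration directory." says what the names may be but not the alternative, while the two later sentences in the same patch spell it out as "an absolute pathname or a pathname relative to $config_directory"; suggest making the first sentence parallel, e.g. "may be absolute, or relative to the Postfix configuration directory". On the same lines, "$config_directory" is written bare while neighbouring parameter names such as \fBmyhostname\fR carry \fB...\fR, so either mark it the same way or leave all parameter references unmarked in this paragraph. Since the script comment is roff source and the man page and HTML carry identical changes, the wording fix only needs to be made here and the other two files regenerated.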
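Review bot: In the postfix-tls.1.html hunk, the rendered output hyphenates the parameter name across a line break as "$con-" / "fig_directory" (twice), so a reader copying it gets "$con-fig_directory"; in the roff source, prefix the word with \% (groff's no-hyphenation escape), or rephrase so the name is not at a justification point. The other differences in this hunk ("specified  keyfile", "port 25 SMTP", "myhost- / name") are whitespace-only reflow from nroff justification and are harmless, though they make the diff noisier than the actual change.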
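Review bot: The mail_version.h hunk bumps MAIL_RELEASE_DATE to "20160224" and MAIL_VERSION_NUMBER from "3.1.0-RC1" to "3.1.0", which matches the commit date (Wed, 24 Feb 2016) and the Subject "postfix-3.1.0"; consistent with the comment above it that patches change both the patchlevel and the release date. Nothing else to raise here.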