From e4f7cc48712e22175fcd1a829e9ef96de538fdcb Mon Sep 17 00:00:00 2001 From: Wietse Venema Date: Sat, 28 Oct 2017 00:00:00 -0500 Subject: [PATCH] postfix-3.2.4 --- postfix/HISTORY | 18 ++++++++++++++++-- postfix/src/global/mail_version.h | 4 ++-- postfix/src/sendmail/Makefile.in | 1 + postfix/src/sendmail/sendmail.c | 3 +++ postfix/src/tls/tls_dane.c | 10 +++++++--- 5 files changed, 29 insertions(+), 7 deletions(-) diff --git a/postfix/HISTORY b/postfix/HISTORY index 53d021af1..c3989d08a 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -23004,7 +23004,7 @@ Apologies for any names omitted. Safety: restore sanity checks for dynamically-specified width and precision in format strings (%*, %.*, and %*.*). - These checks were lost with the Postfix 3.2.2 rewrite of + These checks were lost with the Postfix 3.2 rewrite of the vbuf_print formatter. File: vbuf_print.c. 20170923 @@ -23012,5 +23012,19 @@ Apologies for any names omitted. Bugfix (introduced: Postfix 3.2): panic in the postqueue command after output write error while listing the queue. This change restores a write error check that was lost with - the Postfix 3.2.2 rewrite of the vbuf_print formatter. + the Postfix 3.2 rewrite of the vbuf_print formatter. Problem reported by Andreas Schulze. File: util/vbuf_print.c. + +20171009 + + Bugfix (introduced: Postfix 3.1): DANE support. Postfix + builds with OpenSSL 1.0.0 or 1.0.1 failed to send email to + some sites with "TLSA 2 X X" records associated with an + intermediate CA certificate. Problem report and initial + fix by Erwan Legrand. File: src/tls/tls_dane.c. + +20171024 + + Bugfix (introduced: Postfix 3.0) missing dynamicmaps support + in the Postfix sendmail command broke authorized_submit_users + with a dynamically-loaded map type. File: sendmail/sendmail.c. diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index e1de974af..fa7fd32cc 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h 
@@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20170924" -#define MAIL_VERSION_NUMBER "3.2.3" +#define MAIL_RELEASE_DATE "20171028" +#define MAIL_VERSION_NUMBER "3.2.4" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff --git a/postfix/src/sendmail/Makefile.in b/postfix/src/sendmail/Makefile.in index 83fa93bb9..ee023f434 100644 --- a/postfix/src/sendmail/Makefile.in +++ b/postfix/src/sendmail/Makefile.in @@ -73,6 +73,7 @@ sendmail.o: ../../include/header_opts.h sendmail.o: ../../include/htable.h sendmail.o: ../../include/iostuff.h sendmail.o: ../../include/mail_conf.h +sendmail.o: ../../include/mail_dict.h sendmail.o: ../../include/mail_flush.h sendmail.o: ../../include/mail_params.h sendmail.o: ../../include/mail_parm_split.h diff --git a/postfix/src/sendmail/sendmail.c b/postfix/src/sendmail/sendmail.c index d63caaf60..340281bc9 100644 --- a/postfix/src/sendmail/sendmail.c +++ b/postfix/src/sendmail/sendmail.c @@ -495,6 +495,7 @@ #include #include #include +#include #include #include #include @@ -1114,6 +1115,8 @@ int main(int argc, char **argv) msg_syslog_init(mail_task("sendmail"), LOG_PID, LOG_FACILITY); get_mail_conf_str_table(str_table); + mail_dict_init(); + if (chdir(var_queue_dir)) msg_fatal_status(EX_UNAVAILABLE, "chdir %s: %m", var_queue_dir); diff --git a/postfix/src/tls/tls_dane.c b/postfix/src/tls/tls_dane.c index df4e68542..8ec61379b 100644 --- a/postfix/src/tls/tls_dane.c +++ b/postfix/src/tls/tls_dane.c @@ -1450,7 +1450,7 @@ static X509_NAME *akid_issuer_name(AUTHORITY_KEYID *akid) /* set_issuer - set issuer DN to match akid if specified */ -static int set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid) +static int set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid, X509_NAME *subj) { X509_NAME *name = akid_issuer_name(akid); 
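Review bot: The added `mail_dict_init();` call in main() of sendmail.c has no comment saying why it is needed or why it sits at this point, so a later cleanup could move or drop it again. The HISTORY entry in this patch ties it to `authorized_submit_users` with a dynamically-loaded map type, which is an access-control setting. I would add `/* Register map types (including dynamicmaps) before authorized_submit_users is evaluated. */` above the call, assuming that check runs later in main(), which this hunk does not show. The entry only says the lookup "broke", so it would also help to record whether affected submitters were rejected or admitted. main() starts and ends outside the hunk.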
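Review bot: The header comment above set_issuer_name() in tls_dane.c still reads `/* set_issuer - set issuer DN to match akid if specified */` and does not mention the new `subj` argument. The changed return in the following hunk uses `subj` as the issuer when akid_issuer_name() yields no name, so I would reword the comment to `/* set_issuer_name - set issuer DN from akid if specified, else from subj */`. In the wrap_key() hunk, `set_issuer_name(cert, akid, name)` comes before `X509_set_subject_name(cert, name)` in the same condition chain, so the old `X509_get_subject_name(cert)` fallback apparently read a subject that had not been set yet. A one-line comment at that call, such as `/* cert has no subject yet, pass it explicitly */`, would keep the ordering dependency visible. The function body continues past the end of this hunk.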
@@ -1460,7 +1460,7 @@ static int set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid) */ if (name) return (X509_set_issuer_name(cert, name)); - return (X509_set_issuer_name(cert, X509_get_subject_name(cert))); + return (X509_set_issuer_name(cert, subj)); } /* grow_chain - add certificate to trusted or untrusted chain */ @@ -1522,7 +1522,7 @@ static void wrap_key(TLS_SESS_STATE *TLScontext, int depth, */ if (!X509_set_version(cert, 2) || !set_serial(cert, akid, subject) - || !set_issuer_name(cert, akid) + || !set_issuer_name(cert, akid, name) || !X509_gmtime_adj(X509_getm_notBefore(cert), -30 * 86400L) || !X509_gmtime_adj(X509_getm_notAfter(cert), 30 * 86400L) || !X509_set_subject_name(cert, name) @@ -1798,6 +1798,10 @@ void tls_dane_set_callback(SSL_CTX *ctx, TLS_SESS_STATE *TLScontext) #include #include +#if OPENSSL_VERSION_NUMBER < 0x10002000L +#define SSL_get0_param(s) ((s)->param) +#endif + static int verify_chain(SSL *ssl, x509_stack_t *chain, TLS_SESS_STATE *tctx) { int ret; -- 2.47.3
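Review bot: The `SSL_get0_param` shim added before verify_chain() reaches into the SSL structure with `(s)->param` and has no comment explaining the version cut-off. The `OPENSSL_VERSION_NUMBER < 0x10002000L` guard limits it to releases where the structure is still public, but that reasoning should be written next to the macro, e.g. `/* SSL_get0_param() was added in OpenSSL 1.0.2; older releases expose the field directly. */`. The macro's use site is not in this hunk; presumably it is in verify_chain(), whose body continues past the end of the hunk.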