Hello community,
here is the log from the commit of package postfix
checked in at Fri Feb 15 01:38:20 CET 2008.
--------
--- postfix/postfix.changes 2008-01-31 15:43:48.000000000 +0100
+++ /mounts/work_src_done/STABLE/postfix/postfix.changes 2008-02-13 15:09:24.142396000 +0100
@@ -1,0 +2,5 @@
+Wed Feb 13 14:58:52 CET 2008 - varkoly@suse.de
+
+- #360572 - postfix %post script leaves lots of backup files in /etc/postfix/
+
+-------------------------------------------------------------------
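Review bot: the new entry records only #360572, but the same commit also changes SuSEconfig.postfix (the new $normalize duplicate-entry check in the master.cf rewriting loop) and deletes SuSEconfig.postfix-better outright; each of those needs its own line under this date, otherwise the package history gives no reason for the master.cf handling change or for the disappearance of the alternative script.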
@@ -10 +15,7 @@
- smtpd(8) to cleanup(8) processes was cleaned up.
+ smtpd(8) to cleanup(8) processes was cleaned up. If you use the
+ Milter feature, and upgrade a live Postfix system, you may see an
+ "unexpected record type" warning from a cleanup(8) server process.
+ To prevent this, execute the command "postfix reload". The
+ incompatibility affects only systems that use the Milter feature.
+ It does not cause loss of mail, just a minor delay until the remote
+ SMTP client retries.
@@ -13,2 +24,11 @@
- sender and recipient addresses in SMTP commands.
-
+ sender and recipient addresses in SMTP commands. With earlier Postfix
+ versions, only recipients were subject to the allow_min_user feature,
+ and the restriction took effect at mail delivery time, causing mail
+ to be bounced later instead of being rejected immediately.
+
+ [Incompat 20071206] The "make install" and "make upgrade" procedures
+ now create a Postfix-owned directory for Postfix-writable data files
+ such as caches and random numbers. The location is specified with
+ the "data_directory" parameter (default: "/var/lib/postfix"), and
+ the ownership is specified with the "mail_owner" parameter.
+
@@ -18 +38,3 @@
- files.
+ files. This avoids a potential security loophole where the ownership
+ of a file (or directory) does not match the trust level of the
+ content of that file (or directory).
@@ -22 +44,23 @@
- data_directory.
+ data_directory. As a migration aid, attempts to open these files
+ under a non-Postfix directory are redirected to the Postfix-owned
+ data_directory, and a warning is logged.
+
+ This is an example of the warning messages:
+
+ Dec 6 12:56:22 bristle postfix/tlsmgr[7899]: warning: request
+ to update file /etc/postfix/prng_exch in non-postfix directory
+ /etc/postfix
+
+ Dec 6 12:56:22 bristle postfix/tlsmgr[7899]: warning: redirecting
+ the request to postfix-owned data_directory /var/lib/postfix
+
+ If you wish to continue using a pre-existing tls_random_exchange_name
+ or address_verify_map file, move it to the Postfix-owned data_directory
+ and change ownership from root to Postfix (that is, change ownership
+ to the account specified with the mail_owner configuration parameter).
+
+ [Feature 20071205] The "make install" and "make upgrade" procedures
+ now create a Postfix-owned directory for Postfix-writable data files
+ such as caches and random numbers. The location is specified with
+ the "data_directory" parameter (default: "/var/lib/postfix"), and
+ the ownership is specified with the "mail_owner" parameter.
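Review bot: the "[Feature 20071205]" paragraph at the end of this hunk repeats word for word the "[Incompat 20071206]" paragraph about data_directory and mail_owner that the previous hunk adds; keep one copy, preferably the Incompat one, since it describes something existing installations must react to.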
@@ -26 +70,6 @@
- access.
+ access. If you copy your old configuration file over the updated
+ one, you may see warnings in the maillog file like this:
+
+ connect #xx to subsystem private/proxywrite: No such file or directory
+
+ To recover, run "postfix upgrade-configuration" again.
@@ -34,4 +83,6 @@
- [Feature 20080107] New "pass" service type in master.cf. This
- allows future front-end daemons to accept all connections from
- the network, and to hand over connections from well-behaved
- clients to Postfix.
+ [Feature 20080107] New "pass" service type in master.cf. Written
+ years ago, this allows future front-end daemons to accept all
+ connections from the network, and to hand over connections from
+ well-behaved clients to Postfix. Since this feature uses file
+ descriptor passing, it imposes no overhead once a connection is
+ handed over to Postfix. See master(5) for a few details.
@@ -42 +93,13 @@
- stress=yes" on the command line.
+ stress=yes" on the command line (under normal conditions it runs
+ the service with "-o stress=" on the command line). This can be
+ used to make main.cf parameter settings stress dependent, for
+ example:
+
+ /etc/postfix/main.cf:
+ smtpd_timeout = ${stress?10}${stress:300}
+ smtpd_hard_error_limit = ${stress?1}${stress:20}
+
+ Translation: under conditions of stress, use an smtpd_timeout value
+ of 10 seconds instead of 300, and use smtpd_hard_error_limit of 1
+ instead of 20. The syntax is explained in the postconf(5) manpage.
+
@@ -46 +109,259 @@
- For more information read /usr/share/doc/packages/postfix/RELEASE_NOTES.
+ Major changes - tls support
+ ---------------------------
+
+ [Incompat 20080109] TLS logging output has changed to make it more
+ useful. Existing logfile parser regular expressions may need
+ adjustment.
+
+ - More log entries include the "hostnamename[ipaddress]" of the
+ remote SMTP peer.
+
+ - Certificate trust chain error reports show only the first
+ error certificate (closest to the trust chain root), and the
+ reporting is more human-readable for the most likely errors.
+
+ - After the completion of the TLS handshake, the session is logged
+ with TLS loglevel >= 1 as either "Untrusted", "Trusted" or
+ "Verified" (SMTP client only).
+ - "Untrusted" means that the certificate trust chain is invalid,
+ or that the root CA is not trusted.
+ - "Trusted" means that the certificate trust chain is valid, and
+ that the root CA is trusted.
+ - "Verified" means that the certificate meets the SMTP client's
+ matching criteria for the destination:
+ - In the case of a destination name match, "Verified" also
+ implies "Trusted".
+ - In the case of a fingerprint match, CA trust is not applicable.
+
+ - The logging of protocol states with TLS loglevel >= 2 no longer
+ reports bogus error conditions when OpenSSL asks Postfix to refill
+ (or flush) network I/O buffers. This loglevel is for debugging
+ only; use 0 or 1 in production configurations.
+
+ [Feature 20080109] The Postfix SMTP client has a new "fingerprint"
+ security level. This avoids dependencies on CAs, and relies entirely
+ on bi-lateral exchange of public keys (really self-signed or private
+ CA signed X.509 public key certificates). Scalability is clearly
+ limited. For details, see the fingerprint discussion in TLS_README.
+
+ [Feature 20080109] The Postfix SMTP server can now use SHA1 instead
+ of MD5 to compute remote SMTP client certificate fingerprints. For
+ backwards compatibility, the default algorithm is MD5. For details,
+ see the "smtpd_tls_fingerprint_digest" parameter in the postconf(5)
+ manual.
+
+ [Feature 20080109] The maximum certificate trust chain depth
+ (verifydepth) is finally implemented in the Postfix TLS library.
+ Previously, the parameter had no effect. The default depth was
+ changed to 9 (the OpenSSL default) for backwards compatibility.
+
+ If you have explicity limited the verification depth in main.cf,
+ check that the configured limit meets your needs. See the
+ "lmtp_tls_scert_verifydepth", "smtp_tls_scert_verifydepth" and
+ "smtpd_tls_ccert_verifydepth" parameters in the postconf(5) manual.
+
+ [Feature 20080109] The selection of SSL/TLS protocols for mandatory
+ TLS can now use exclusion rather than inclusion. Either form is
+ acceptable; see the "lmtp_tls_mandatory_protocols",
+ "smtp_tls_mandatory_protocols" and "smtpd_tls_mandatory_protocols"
+ parameters in the postconf(5) manual.
+
+ Major changes - scheduler
+ -------------------------
+
+ [Feature 20071130] Revised queue manager with separate mechanisms
+ for per-destination concurrency control and for dead destination
+ detection. The concurrency control supports less-than-1 feedback
+ to allow for more gradual concurrency adjustments, and uses hysteresis
+ to avoid rapid oscillations. A destination is declared "dead" after
+ a configurable number of pseudo-cohorts(*) reports connection or
+ handshake failure.
+
+ (*) A pseudo-cohort is a number of delivery requests equal to a
+ destination's delivery concurrency.
+
+ The drawbacks of the old +/-1 feedback scheduler are a) overshoot
+ due to exponential delivery concurrency growth with each pseudo-cohort(*)
+ (5-10-20...); b) throttling down to zero concurrency after a single
+ pseudo-cohort(*) failure. The latter was especially an issue with
+ low-concurrency channels where a single failure could be sufficient
+ to mark a destination as "dead", and suspend further deliveries.
+
+ New configuration parameters: destination_concurrency_feedback_debug,
+ default_destination_concurrency_positive_feedback,
+ default_destination_concurrency_negative_feedback,
+ default_destination_concurrency_failed_cohort_limit, as well as
+ transport-specific versions of the same.
+
+ The default parameter settings are backwards compatible with older
+ Postfix versions. This may change after better defaults are field
+ tested.
+
+ The updated SCHEDULER_README document describes the theory behind
+ the new concurrency scheduler, as well as Patrik Rak's preemptive
+ job scheduler. See postconf(5) for more extensive descriptions of
+ the configuration parameters.
+
+ Major changes - small/home office
+ ---------------------------------
+
+ [Feature 20080115] Preliminary SOHO_README document that combines
+ bits and pieces from other document in one place, so that it is
+ easier to find. This document describes the "mail sending" side
+ only.
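Review bot: this hunk removes the single pointer "For more information read /usr/share/doc/packages/postfix/RELEASE_NOTES." and replaces it with roughly 260 lines pasted from the upstream RELEASE_NOTES. A package .changes file should summarise what changed for the package and keep the pointer; the full upstream text is already installed under /usr/share/doc/packages/postfix, and pasting it also carries the upstream typos "hostnamename[ipaddress]" and "explicity" into the package history. Please reduce this to a short summary of the 2.5.0 highlights plus the RELEASE_NOTES reference.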
++++ 156 more lines (skipped)
++++ between postfix/postfix.changes
++++ and /mounts/work_src_done/STABLE/postfix/postfix.changes
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ postfix.spec ++++++
--- /var/tmp/diff_new_pack.sl7510/_old 2008-02-15 01:37:30.000000000 +0100
+++ /var/tmp/diff_new_pack.sl7510/_new 2008-02-15 01:37:30.000000000 +0100
@@ -10,6 +10,7 @@
# norootforbuild
+
Name: postfix
#!BuildIgnore: sendmail
BuildRequires: db-devel mysql-devel openldap2-devel pcre-devel postgresql-devel
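Review bot: the only change in this hunk is a blank line after "# norootforbuild"; it is unrelated to #360572 and only adds noise to the diff, so drop it or move it to a separate cleanup commit.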
@@ -24,7 +25,7 @@
AutoReqProv: on
Summary: A fast, secure, and flexible mailer
Version: 2.5.0
-Release: 1
+Release: 5
Source: postfix-%{version}.tar.gz
Source1: postfix-SuSE.tar.gz
Patch: dynamic_maps.patch
@@ -388,6 +389,7 @@
rm -f $MD5DIR/$MAINCF
echo "$NEWMD5MAINCF" > $MD5DIR/$MAINCF
echo "backing up $MAINCF to $MAINCF.$BAKSUFFIX"
+ echo "!!! Please clean up the backup files in your /etc/postfix/ !!!"
cp --remove-destination $TMPMAIN $MAINCF.$BAKSUFFIX
fi
else
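Review bot: the added "+ echo "!!! Please clean up the backup files in your /etc/postfix/ !!!"" tells the administrator about the problem from #360572 but does not fix it: every run that reaches this branch still writes a fresh $MAINCF.$BAKSUFFIX with "cp --remove-destination", so the backups keep accumulating. Since the script chooses $BAKSUFFIX itself, it can prune its own output, for example keep only the newest few $MAINCF.<suffix> files it created and delete the rest, or reuse a single backup name. If the message stays, print it after the cp succeeds rather than before it, so it does not appear when the backup itself failed, and use the same plain wording as the surrounding "backing up ..." line instead of the "!!!" markers.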
@@ -581,39 +583,292 @@
Wietse Venema
%changelog
+* Wed Feb 13 2008 varkoly@suse.de
+- #360572 - postfix %%post script leaves lots of backup files in /etc/postfix/
* Wed Jan 30 2008 varkoly@suse.de
- Update to Version 2.5 patchlevel 0
Major changes - critical
------------------------
[Incompat 20071224] The protocol to send Milter information from
- smtpd(8) to cleanup(8) processes was cleaned up.
+ smtpd(8) to cleanup(8) processes was cleaned up. If you use the
+ Milter feature, and upgrade a live Postfix system, you may see an
+ "unexpected record type" warning from a cleanup(8) server process.
+ To prevent this, execute the command "postfix reload". The
+ incompatibility affects only systems that use the Milter feature.
+ It does not cause loss of mail, just a minor delay until the remote
+ SMTP client retries.
[Incompat 20071212] The allow_min_user feature now applies to both
- sender and recipient addresses in SMTP commands.
+ sender and recipient addresses in SMTP commands. With earlier Postfix
+ versions, only recipients were subject to the allow_min_user feature,
+ and the restriction took effect at mail delivery time, causing mail
+ to be bounced later instead of being rejected immediately.
+ [Incompat 20071206] The "make install" and "make upgrade" procedures
+ now create a Postfix-owned directory for Postfix-writable data files
+ such as caches and random numbers. The location is specified with
+ the "data_directory" parameter (default: "/var/lib/postfix"), and
+ the ownership is specified with the "mail_owner" parameter.
[Incompat 20071206] The tlsmgr(8) and verify(8) servers no longer
use root privileges when opening the address_verify_map,
*_tls_session_cache_database, and tls_random_exchange_name cache
- files.
+ files. This avoids a potential security loophole where the ownership
+ of a file (or directory) does not match the trust level of the
+ content of that file (or directory).
[Incompat 20071206] The tlsmgr(8) and verify(8) cache files should
now be stored as Postfix-owned files under the Postfix-owned
- data_directory.
+ data_directory. As a migration aid, attempts to open these files
+ under a non-Postfix directory are redirected to the Postfix-owned
+ data_directory, and a warning is logged.
+ This is an example of the warning messages:
+ Dec 6 12:56:22 bristle postfix/tlsmgr[7899]: warning: request
+ to update file /etc/postfix/prng_exch in non-postfix directory
+ /etc/postfix
+ Dec 6 12:56:22 bristle postfix/tlsmgr[7899]: warning: redirecting
+ the request to postfix-owned data_directory /var/lib/postfix
+ If you wish to continue using a pre-existing tls_random_exchange_name
+ or address_verify_map file, move it to the Postfix-owned data_directory
+ and change ownership from root to Postfix (that is, change ownership
+ to the account specified with the mail_owner configuration parameter).
+ [Feature 20071205] The "make install" and "make upgrade" procedures
+ now create a Postfix-owned directory for Postfix-writable data files
+ such as caches and random numbers. The location is specified with
+ the "data_directory" parameter (default: "/var/lib/postfix"), and
+ the ownership is specified with the "mail_owner" parameter.
[Incompat 20071203] The "make upgrade" procedure adds a new service
"proxywrite" to the master.cf file, for read/write lookup table
- access.
+ access. If you copy your old configuration file over the updated
+ one, you may see warnings in the maillog file like this:
+ connect #xx to subsystem private/proxywrite: No such file or directory
+ To recover, run "postfix upgrade-configuration" again.
[Incompat 20070613] The pipe(8) delivery agent no longer allows
delivery with the same group ID as the main.cf postdrop group.
Major changes - malware defense
-------------------------------
- [Feature 20080107] New "pass" service type in master.cf. This
- allows future front-end daemons to accept all connections from
- the network, and to hand over connections from well-behaved
- clients to Postfix.
+ [Feature 20080107] New "pass" service type in master.cf. Written
+ years ago, this allows future front-end daemons to accept all
+ connections from the network, and to hand over connections from
+ well-behaved clients to Postfix. Since this feature uses file
+ descriptor passing, it imposes no overhead once a connection is
+ handed over to Postfix. See master(5) for a few details.
[Feature 20070911] Stress-adaptive behavior. When a "public" network
service runs into an "all processes are busy" condition, the master(8)
daemon logs a warning, restarts the service, and runs it with "-o
- stress=yes" on the command line.
+ stress=yes" on the command line (under normal conditions it runs
+ the service with "-o stress=" on the command line). This can be
+ used to make main.cf parameter settings stress dependent, for
+ example:
+ /etc/postfix/main.cf:
+ smtpd_timeout = ${stress?10}${stress:300}
+ smtpd_hard_error_limit = ${stress?1}${stress:20}
+ Translation: under conditions of stress, use an smtpd_timeout value
+ of 10 seconds instead of 300, and use smtpd_hard_error_limit of 1
+ instead of 20. The syntax is explained in the postconf(5) manpage.
The STRESS_README file gives examples of how to mitigate flooding
problems.
- For more information read /usr/share/doc/packages/postfix/RELEASE_NOTES.
+ Major changes - tls support
+ ---------------------------
+ [Incompat 20080109] TLS logging output has changed to make it more
+ useful. Existing logfile parser regular expressions may need
+ adjustment.
+ - More log entries include the "hostnamename[ipaddress]" of the
+ remote SMTP peer.
+ - Certificate trust chain error reports show only the first
+ error certificate (closest to the trust chain root), and the
+ reporting is more human-readable for the most likely errors.
+ - After the completion of the TLS handshake, the session is logged
+ with TLS loglevel >= 1 as either "Untrusted", "Trusted" or
+ "Verified" (SMTP client only).
+ - "Untrusted" means that the certificate trust chain is invalid,
+ or that the root CA is not trusted.
+ - "Trusted" means that the certificate trust chain is valid, and
+ that the root CA is trusted.
+ - "Verified" means that the certificate meets the SMTP client's
+ matching criteria for the destination:
+ - In the case of a destination name match, "Verified" also
+ implies "Trusted".
+ - In the case of a fingerprint match, CA trust is not applicable.
+ - The logging of protocol states with TLS loglevel >= 2 no longer
+ reports bogus error conditions when OpenSSL asks Postfix to refill
+ (or flush) network I/O buffers. This loglevel is for debugging
+ only; use 0 or 1 in production configurations.
+ [Feature 20080109] The Postfix SMTP client has a new "fingerprint"
+ security level. This avoids dependencies on CAs, and relies entirely
+ on bi-lateral exchange of public keys (really self-signed or private
+ CA signed X.509 public key certificates). Scalability is clearly
+ limited. For details, see the fingerprint discussion in TLS_README.
+ [Feature 20080109] The Postfix SMTP server can now use SHA1 instead
+ of MD5 to compute remote SMTP client certificate fingerprints. For
+ backwards compatibility, the default algorithm is MD5. For details,
+ see the "smtpd_tls_fingerprint_digest" parameter in the postconf(5)
+ manual.
+ [Feature 20080109] The maximum certificate trust chain depth
+ (verifydepth) is finally implemented in the Postfix TLS library.
+ Previously, the parameter had no effect. The default depth was
+ changed to 9 (the OpenSSL default) for backwards compatibility.
+ If you have explicity limited the verification depth in main.cf,
+ check that the configured limit meets your needs. See the
+ "lmtp_tls_scert_verifydepth", "smtp_tls_scert_verifydepth" and
+ "smtpd_tls_ccert_verifydepth" parameters in the postconf(5) manual.
+ [Feature 20080109] The selection of SSL/TLS protocols for mandatory
+ TLS can now use exclusion rather than inclusion. Either form is
+ acceptable; see the "lmtp_tls_mandatory_protocols",
+ "smtp_tls_mandatory_protocols" and "smtpd_tls_mandatory_protocols"
+ parameters in the postconf(5) manual.
+ Major changes - scheduler
+ -------------------------
+ [Feature 20071130] Revised queue manager with separate mechanisms
+ for per-destination concurrency control and for dead destination
+ detection. The concurrency control supports less-than-1 feedback
+ to allow for more gradual concurrency adjustments, and uses hysteresis
+ to avoid rapid oscillations. A destination is declared "dead" after
+ a configurable number of pseudo-cohorts(*) reports connection or
+ handshake failure.
+ (*) A pseudo-cohort is a number of delivery requests equal to a
+ destination's delivery concurrency.
+ The drawbacks of the old +/-1 feedback scheduler are a) overshoot
+ due to exponential delivery concurrency growth with each pseudo-cohort(*)
+ (5-10-20...); b) throttling down to zero concurrency after a single
+ pseudo-cohort(*) failure. The latter was especially an issue with
+ low-concurrency channels where a single failure could be sufficient
+ to mark a destination as "dead", and suspend further deliveries.
+ New configuration parameters: destination_concurrency_feedback_debug,
+ default_destination_concurrency_positive_feedback,
+ default_destination_concurrency_negative_feedback,
+ default_destination_concurrency_failed_cohort_limit, as well as
+ transport-specific versions of the same.
+ The default parameter settings are backwards compatible with older
+ Postfix versions. This may change after better defaults are field
+ tested.
+ The updated SCHEDULER_README document describes the theory behind
+ the new concurrency scheduler, as well as Patrik Rak's preemptive
+ job scheduler. See postconf(5) for more extensive descriptions of
+ the configuration parameters.
+ Major changes - small/home office
+ ---------------------------------
+ [Feature 20080115] Preliminary SOHO_README document that combines
+ bits and pieces from other document in one place, so that it is
+ easier to find. This document describes the "mail sending" side
+ only.
+ [Feature 20071202] Output rate control in the queue manager. For
+ example, specify "smtp_destination_rate_delay = 5m", to pause five
+ minutes between message deliveries. More information in the postconf(5)
+ manual under "default_destination_rate_delay".
+ Major changes - smtp client
+ ---------------------------
+ [Incompat 20080114] The Postfix SMTP client now by default defers
+ mail after a remote SMTP server rejects a SASL authentication
+ attempt. Specify "smtp_sasl_auth_soft_bounce = no" for the old
+ behavior.
+ [Feature 20080114] The Postfix SMTP client can now avoid making
+ repeated SASL login failures with the same server, username and
+ password. To enable this safety feature, specify for example
+ "smtp_sasl_auth_cache_name = proxy:btree:/var/lib/postfix/sasl_auth_cache"
+ (access through the proxy service is required). Instead of trying
+ to SASL authenticate, the Postfix SMTP client defers or bounces
+ mail as controlled with the new smtp_sasl_auth_soft_bounce configuration
+ parameter.
+ [Feature 20071111] Header/body checks are now available in the SMTP
+ client, after the implementation was moved from the cleanup server
+ to a library module. The SMTP client provides only actions that
+ don't change the message delivery time or destination: warn, replace,
+ prepend, ignore, dunno, ok.
+ [Incompat 20070614] By default, the Postfix Cyrus SASL client no
+ longer sends a SASL authoriZation ID (authzid); it sends only the
+ SASL authentiCation ID (authcid) plus the authcid's password. Specify
+ "send_cyrus_sasl_authzid = yes" to get the old behavior.
+ Major changes - smtp server
+ ---------------------------
+ [Feature 20070724] Not really major. New support for RFC 3848
+ (Received: headers with ESMTPS, ESMTPA, or ESMTPSA); updated SASL
+ support according to RFC 4954, resulting in small changes to SMTP
+ reply codes and (DSN) enhanced status codes.
+ Major changes - milter
+ ----------------------
+ [Incompat 20071224] The protocol to send Milter information from
+ smtpd(8) to cleanup(8) processes was cleaned up. If you use the
+ Milter feature, and upgrade a live Postfix system, you may see an
+ "unexpected record type" warning from a cleanup(8) server process.
+ To prevent this, execute the command "postfix reload". The
+ incompatibility affects only systems that use the Milter feature.
+ It does not cause loss of mail, just a minor delay until the remote
+ SMTP client retries.
+ [Feature 20071221] Support for most of the Sendmail 8.14 Milter
+ protocol features.
+ To enable the new features specify "milter_protocol = 6" and link
+ the filter application with a libmilter library from Sendmail 8.14
+ or later.
+ Sendmail 8.14 Milter features supported at this time:
+ - NR_CONN, NR_HELO, NR_MAIL, NR_RCPT, NR_DATA, NR_UNKN, NR_HDR,
+ NR_EOH, NR_BODY: The filter can tell Postfix that it won't reply
+ to some of the SMTP events that Postfix sends. This makes the
+ protocol less chatty and improves performance.
+ - SKIP: The filter can tell Postfix to skip sending the rest of
+ the message body, which also improves performance.
+ - HDR_LEADSPC: The filter can request that Postfix does not delete
+ the first space character between header name and header value
+ when sending a header to the filter, and that Postfix does not
+ insert a space character between header name and header value
+ when receiving a header from the filter. This fixes a limitation
+ in the old Milter protocol that can break DKIM and DK signatures.
+ - SETSYMLIST: The filter can override one or more of the main.cf
+ milter_xxx_macros parameter settings.
+ Sendmail 8.14 Milter features not supported at this time:
+ - RCPT_REJ: report rejected recipients to the mail filter.
+ - CHGFROM: replace sender, with optional ESMTP command parameters.
+ - ADDRCPT_PAR: add recipient, with optional ESMTP command parameters.
+ It is unclear when (if ever) the missing features will be implemented.
+ SMFIP_RCPT_REJ requires invasive changes in the SMTP server recipient
+ processing and error handling. SMFIR_CHGFROM and SMFIR_ADDRCPT_PAR
+ require ESMTP command-line parsing in the cleanup server. Unfortunately,
+ Sendmail's documentation does not specify what ESMTP options are
+ supported, but only discusses examples of things that don't work.
+ Major changes - address verification
+ ------------------------------------
+ [Incompat 20070514] The default sender address for address verification
+ probes was changed from "postmaster" to "double-bounce", so that
+ the Postfix SMTP server no longer causes surprising behavior by
+ excluding "postmaster" from SMTP server access controls.
+ Major changes - ldap
+ --------------------
+ [Incompat 20071216] Due to an incompatible API change between
+ OpenLDAP 2.0.11 and 2.0.12, an LDAP client compiled for OpenLDAP
+ version <= 2.0.11 will refuse to work with an OpenLDAP library
+ version >= 2.0.12 and vice versa.
+ Major changes - logging
+ -----------------------
+ [Incompat 20080109] TLS logging output has changed to make it more
+ useful. Existing logfile parser regular expressions may need
+ adjustment.
+ - More log entries include the "hostnamename[ipaddress]" of the
+ remote SMTP peer.
+ - Certificate trust chain error reports show only the first
+ error certificate (closest to the trust chain root), and the
+ reporting is more human-readable for the most likely errors.
+ - After the completion of the TLS handshake, the session is logged
+ with TLS loglevel >= 1 as either "Untrusted", "Trusted" or
+ "Verified" (SMTP client only).
+ - "Untrusted" means that the certificate trust chain is invalid,
+ or that the root CA is not trusted.
+ - "Trusted" means that the certificate trust chain is valid, and
+ that the root CA is trusted.
+ - "Verified" means that the certificate meets the SMTP client's
+ matching criteria for the destination:
+ - In the case of a destination name match, "Verified" also
+ implies "Trusted".
+ - In the case of a fingerprint match, CA trust is not applicable.
+ - The logging of protocol states with TLS loglevel >= 2 no longer
+ reports bogus error conditions when OpenSSL asks Postfix to refill
+ (or flush) network I/O buffers. This loglevel is for debugging
+ only; use 0 or 1 in production configurations.
+ [Incompat 20071216] The SMTP "transcript of session" email now
+ includes the remote SMTP server TCP port number.
+ Major changes - loop detection
+ ------------------------------
+ [Incompat 20070422] [Incompat 20070422] When the pipe(8) delivery
+ agent is configured to create the optional Delivered-To: header,
+ it now first checks if that same header is already present in the
+ message. If so, the message is returned as undeliverable. This test
+ should have been included with Postfix 2.0 when Delivered-To: support
+ was added to the pipe(8) delivery agent.
* Tue Jan 08 2008 varkoly@suse.de
- Remove previous fix
* Sun Dec 30 2007 varkoly@suse.de
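Review bot: the "%%post" escaping in the new Feb 13 entry is correct (a bare "%post" inside %changelog would be expanded as a macro), but the remainder of this hunk rewrites the already published Jan 30 entry by pasting the upstream RELEASE_NOTES into it. Existing changelog entries should not be edited after the fact, and the pasted text has internal duplicates that anyone reading "rpm -q --changelog postfix" will trip over: the "[Incompat 20071224]" Milter paragraph appears under both "Major changes - critical" and "Major changes - milter", the "[Incompat 20080109]" TLS logging block appears under both "tls support" and "logging", the data_directory paragraph appears as both "[Incompat 20071206]" and "[Feature 20071205]", and one entry is tagged "[Incompat 20070422] [Incompat 20070422]". Keep the Jan 30 entry as the short summary with the RELEASE_NOTES pointer it had before.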
++++++ postfix-SuSE.tar.gz ++++++
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/postfix-SuSE/SuSEconfig.postfix new/postfix-SuSE/SuSEconfig.postfix
--- old/postfix-SuSE/SuSEconfig.postfix 2008-01-08 09:59:21.000000000 +0100
+++ new/postfix-SuSE/SuSEconfig.postfix 2008-02-13 14:37:44.000000000 +0100
@@ -476,6 +476,7 @@
defined $ENV{POSTFIX_SMTP_TLS_SERVER} ? $ENV{POSTFIX_SMTP_TLS_SERVER} : "no";
my $tlsclient =
defined $ENV{POSTFIX_SMTP_TLS_CLIENT} ? $ENV{POSTFIX_SMTP_TLS_CLIENT} : "no";
+my $normalize = {};
$laptop = lc($laptop);
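Review bot: "my $normalize = {};" is a hash reference whose name does not say what it holds; it is used as the set of master.cf entries already emitted, so a plain hash named for that purpose, for example "my %seen_entry;", is the idiomatic Perl and reads better at each "defined" test. Declaring it among the POSTFIX_SMTP_TLS_* settings also separates it from the loop that uses it; declare it immediately before that loop.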
@@ -491,6 +492,7 @@
chomp;
if( /\#?\s*(smtp\s+inet.*?smtpd)/ ) {
+ if( defined $normalize->{$1} ) { next; } else { $normalize->{$1} = 1; }
if ($nullclient eq "yes") {
$line = "#".$1;
} else {
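Review bot: the key used in "+ if( defined $normalize->{$1} ) { next; } else { $normalize->{$1} = 1; }" is the group "(smtp\s+inet.*?smtpd)" with the optional comment marker "\#?\s*" outside it, so a commented-out and an active copy of the smtp entry share one key and collapse into the first occurrence. That is safe here because the output line is rebuilt from $1 and the configuration rather than from the original line, but "next" then discards the duplicate silently; a one-line notice on STDERR naming the dropped entry would make a rewritten master.cf much easier to debug, and it is worth a comment stating that the first occurrence wins.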
@@ -504,46 +506,51 @@
$line = $1."-".$2;
}
} elsif( /\#?\s*(local\s+unix.*)/ ) {
+ if( defined $normalize->{$1} ) { next; } else { $normalize->{$1} = 1; }
if ($nullclient eq "yes") {
$line = "#".$1;
} else {
$line = $1;
}
} elsif( /\#?\s*(localhost:10025\s+inet.*)/ ) {
- if ( $use_amavis ne "yes" ) {
- $line = "#".$1;
- } else {
- $line = $1;
- if( $line !~ /receive_override_options=no_unknown_recipient_checks,no_header_body_checks/ )
- {
- $line .= " -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_address_mappings";
- }
- }
+ if( defined $normalize->{$1} ) { next; } else { $normalize->{$1} = 1; }
+ if ( $use_amavis ne "yes" ) {
+ $line = "#".$1;
+ } else {
+ $line = $1;
+ if( $line !~ /receive_override_options=no_unknown_recipient_checks,no_header_body_checks/ )
+ {
+ $line .= " -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_address_mappings";
+ }
+ }
} elsif( /\#?\s*(tlsmgr\s+unix.*)/ ) {
- if ( $tlsclient ne "yes" && $tlsserver ne "yes" ) {
- $line = "#".$1;
- } else {
- $line = $1;
- }
+ if( defined $normalize->{$1} ) { next; } else { $normalize->{$1} = 1; }
+ if ( $tlsclient ne "yes" && $tlsserver ne "yes" ) {
+ $line = "#".$1;
+ } else {
+ $line = $1;
+ }
} elsif( /\#?\s*(smtps\s+inet.*?smtpd)/ ) {
- if ( $tlsserver ne "yes" ) {
- $line = "#".$1." -o smtpd_tls_wrappermode=yes";
- } else {
- $line = $1." -o smtpd_tls_wrappermode=yes";
- }
- if ( $use_amavis eq "yes" ) {
- $line =~ /(\#?\s*smtps\s+inet\s+[yn-]?\s+[yn-]?\s+[yn-]?\s+[0-9?yn-]?\s+)[0-9-]+(.*)/;
- $line = $1."10".$2." -o content_filter=smtp:[127.0.0.1]:10024";
- } else {
- $line =~ /(\#?\s*smtps\s+inet\s+[yn-]?\s+[yn-]?\s+[yn-]?\s+[0-9?yn-]?\s+)[0-9-]+(.*)/;
- $line = $1."-".$2;
- }
+ if( defined $normalize->{$1} ) { next; } else { $normalize->{$1} = 1; }
+ if ( $tlsserver ne "yes" ) {
+ $line = "#".$1." -o smtpd_tls_wrappermode=yes";
+ } else {
+ $line = $1." -o smtpd_tls_wrappermode=yes";
+ }
+ if ( $use_amavis eq "yes" ) {
+ $line =~ /(\#?\s*smtps\s+inet\s+[yn-]?\s+[yn-]?\s+[yn-]?\s+[0-9?yn-]?\s+)[0-9-]+(.*)/;
+ $line = $1."10".$2." -o content_filter=smtp:[127.0.0.1]:10024";
+ } else {
+ $line =~ /(\#?\s*smtps\s+inet\s+[yn-]?\s+[yn-]?\s+[yn-]?\s+[0-9?yn-]?\s+)[0-9-]+(.*)/;
+ $line = $1."-".$2;
+ }
} elsif( /^(\#?\s*(?:pickup|qmgr)\s+)(?:fifo|unix)(\s+.*)/ ) {
- if ( $laptop eq "yes" ) {
- $line = $1."unix".$2;
- } else {
- $line = $1."fifo".$2;
- }
+ if( defined $normalize->{$1} ) { next; } else { $normalize->{$1} = 1; }
+ if ( $laptop eq "yes" ) {
+ $line = $1."unix".$2;
+ } else {
+ $line = $1."fifo".$2;
+ }
} else {
$line = $_;
}
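Review bot: the functional change in this hunk is four copies of the one-line $normalize check, but re-indenting the amavis, tlsmgr, smtps and pickup/qmgr branches at the same time turns it into a 90-line hunk in which every old line is deleted and re-added; commit the whitespace change separately so the logic can be reviewed on its own. On the logic: the key in the pickup/qmgr branch is inconsistent with the other branches, because in "/^(\#?\s*(?:pickup|qmgr)\s+)(?:fifo|unix)(\s+.*)/" the optional "#" and the whitespace are inside the first group, so "#pickup   " and "pickup   " are different keys and both a commented and an active copy survive, whereas everywhere else the "#" is outside the capture. The identical one-liner is also now repeated five times; computing the key once per branch and writing "next if $seen{$key}++;" removes the duplication and makes the pickup/qmgr case easy to align with the rest.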
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/postfix-SuSE/SuSEconfig.postfix-better new/postfix-SuSE/SuSEconfig.postfix-better
--- old/postfix-SuSE/SuSEconfig.postfix-better 2008-01-08 09:58:15.000000000 +0100
+++ new/postfix-SuSE/SuSEconfig.postfix-better 1970-01-01 01:00:00.000000000 +0100
@@ -1,769 +0,0 @@
-#! /bin/bash
-# Copyright (c) 1999-2001 SuSE GmbH Nuernberg, Germany.
-# Copyright (c) 2002-2004 SuSE Linux AG
-#
-# Author: Carsten Hoeger
-
-export LC_ALL=POSIX
-
-cpifnewer(){
- # remove files, that do no longer exist
- if [ -d $2 -a "$(echo $2/*)" != "$2/*" ]; then
- for i in $2/*; do
- if [ ! -e "/$i" ]; then
- echo "removing old or no longer used $i"
- rm -f $i
- fi
- done
- fi
- test -d $2 || mkdir -p $2
- for i in $1; do
- dst=$2/$(basename $i)
-
- if [ ! -f $dst -a ! -d $dst -a -e $i ]; then
- echo "copying missing $dst from $i"
- cp -af $i $dst
- elif [ ! -d $dst -a $i -nt $dst -o $i -ot $dst ]; then
- echo "updating $dst from $i"
- cp -af $i $dst
- fi
- done
-}
-
-update_db() {
- while test "x$1" != "x" ; do
- pfmap=/etc/postfix/${1%:*}
- mode=${1#*:}
- if [ "$mode" == "$1" ]; then
- mode=644
- fi
- chmod $mode ${pfmap}
- test -e $pfmap && \
- if test $pfmap -nt ${pfmap}.db -o ! -e ${pfmap}.db ; then
- echo "rebuilding ${pfmap}.db"
- postmap ${pfmap}
- fi
- chmod $mode ${pfmap}.db
- shift
- done
-}
-
-get_alias_maps(){
- test -d /etc/aliases.d && test "$(echo /etc/aliases.d/*)" != "/etc/aliases.d/*" && \
- for i in $(find /etc/aliases.d -maxdepth 1 -type f \
- '!' -regex ".*\.\(db\|rpmsave\|rpmorig\)" \
- '!' -regex ".*/\(\.\|#\).*" \
- '!' -regex ".*~$") ; do
- echo -n "$i ";
- done
-}
-
-warn_user(){
- tput bold
- echo -e "\t*** WARNING ***"
- echo -e $1
- echo -e "\t*** WARNING ***"
- tput sgr0
-}
-
-mkchroot(){
-
- if [ ! -d /var/spool/postfix ]; then
- warn_user "\t/var/spool/postfix does not exist!!!\n\
-\tThis should not happen!\n\
-\tPlease reinstall package postfix or create this directory!"
- exit 1
- fi
- cd /var/spool/postfix
-
- if [ "$(echo "$POSTFIX_CHROOT" | tr 'A-Z' 'a-z' )" != "yes" -a \
- "$(echo "$POSTFIX_UPDATE_CHROOT_JAIL" | tr 'A-Z' 'a-z' )" != "no" ]; then
- if [ -d etc ]; then
- echo "removing postfix chroot environment..."
- fi
-
- if grep /var/spool/postfix/proc /proc/mounts &> /dev/null; then
- umount /var/spool/postfix/proc
- fi
-
- rm -rvf etc @lib@ usr var proc
- elif [ "$(echo "$POSTFIX_UPDATE_CHROOT_JAIL" | tr 'A-Z' 'a-z' )" != "no" ]; then
- echo "checking postfix chroot environment..."
-
- if [ -e /lib/security/pam_ldap.so ]; then
- cpifnewer /etc/openldap/ldap.conf etc/openldap
- fi
-
- mkdir -p /var/spool/postfix/proc
- if ! grep /var/spool/postfix/proc /proc/mounts &> /dev/null; then
- mount -t proc proc /var/spool/postfix/proc
- fi
-
- # CA
- CAPATH=`postconf -h smtpd_tls_CApath`
- if [ "CAPATH" ]
- then
- cpifnewer $CAPATH ./$CAPATH
- fi
- # PAM
- cpifnewer "/etc/pam.d/*" etc/pam.d
- cpifnewer "/@lib@/security/*" @lib@/security
- cpifnewer "/@lib@/libpam*" @lib@
- cpifnewer "/usr/@lib@/libcrack.so*" usr/@lib@
-
- # SASL
- cpifnewer /etc/sasldb2 etc
- cpifnewer "/etc/sasl2/*" etc/sasl2
- cpifnewer "/usr/@lib@/sasl2/*" usr/@lib@/sasl2
- cpifnewer "/usr/@lib@/libsasl2*" usr/@lib@
- mkdir -p var/run/sasl2
- test -S /var/run/sasl2/mux && ln -f /var/run/sasl2/mux var/run/sasl2/mux
-
- cpifnewer "/@lib@/libnss*" @lib@
- cpifnewer "/@lib@/libresolv*" @lib@
- cpifnewer "/@lib@/libdb*" @lib@
- cpifnewer "/@lib@/libxcrypt*" @lib@
-
- cpifnewer /etc/host.conf etc
- cpifnewer /etc/nsswitch.conf etc
- cpifnewer /etc/resolv.conf etc
- cpifnewer /etc/services etc
- cpifnewer /etc/hosts etc
- cpifnewer /etc/passwd etc
-
- if [ -L /etc/localtime ]; then
- if [ -z "$TIMEZONE" -o "$TIMEZONE" == "YAST_ASK" ]; then
- warn_user "\tUnable to setup your timezone!\n\
-\tThe logging of the current time in /var/log/mail may be wrong!\n\
-\tPlease set the variable TIMEZONE in /etc/sysconfig/clock!"
- else
- mkdir -p usr/share/zoneinfo/$(dirname $TIMEZONE)
- if [ ! -e /usr/share/zoneinfo/$TIMEZONE ]; then
- warn_user "\t$TIMEZONE is not a regular timezone or the corresponding\n\
-\tfile at /usr/share/zoneinfo does not exist"
- else
- cp -af /usr/share/zoneinfo/$TIMEZONE usr/share/zoneinfo/$TIMEZONE
- ln -sf ../usr/share/zoneinfo/$TIMEZONE etc/localtime
- fi
- fi
- else
- cpifnewer /etc/localtime etc
- fi
-
- chown -R root /var/spool/postfix/{etc,@lib@,usr,var}
- fi
-}
-
-gen_main_cf(){
- TMPDIR=$(mktemp -d /tmp/SuSEconfig.postfix.XXXXXX) || exit 1
- PCONF="/usr/sbin/postconf -c $TMPDIR"
-
- if [ $? -ne 0 ]; then
- warn_user "Can't create temp directory, exiting..."
- exit 1
- fi
- cp -f /etc/postfix/main.cf $TMPDIR/main.cf
-
- # Some default settings, that seem to be useable, at least to me
- $PCONF -e "mail_spool_directory = /var/mail"
- $PCONF -e "canonical_maps = hash:/etc/postfix/canonical"
- $PCONF -e "virtual_alias_maps = hash:/etc/postfix/virtual"
- $PCONF -e "virtual_alias_domains = hash:/etc/postfix/virtual"
- $PCONF -e "relocated_maps = hash:/etc/postfix/relocated"
- $PCONF -e "transport_maps = hash:/etc/postfix/transport"
- $PCONF -e "sender_canonical_maps = hash:/etc/postfix/sender_canonical"
- $PCONF -e "masquerade_exceptions = root"
- $PCONF -e "masquerade_classes = envelope_sender, header_sender, header_recipient"
- $PCONF -e "myhostname = $FQHOSTNAME"
-
-
- # to be on the save side
- $PCONF -e "daemon_directory = @daemon_directory@"
- $PCONF -e "program_directory = @daemon_directory@"
- $PCONF -e "readme_directory = @readme_directory@"
- $PCONF -e "html_directory = @html_directory@"
- $PCONF -e "sample_directory = @sample_directory@"
- $PCONF -e "sendmail_path = @sendmail_path@"
- $PCONF -e "setgid_group = @setgid_group@"
- $PCONF -e "manpage_directory = @manpage_directory@"
- $PCONF -e "newaliases_path = @newaliases_path@"
- $PCONF -e "mailq_path = @mailq_path@"
- $PCONF -e "inet_protocols = all"
- if test "$SMTPD_LISTEN_REMOTE" == "yes" ; then
- $PCONF -e "inet_interfaces = all"
- else
- $PCONF -e "inet_interfaces = localhost"
- fi
- test -n "$POSTFIX_MASQUERADE_DOMAIN" && \
- MASQ_DOMS=$POSTFIX_MASQUERADE_DOMAIN
- if [ -n "$FROM_HEADER" -a "$FROM_HEADER" != "YAST_ASK" ]; then
- if [ -n "$MASQ_DOMS" ]; then
- MASQ_DOMS="$MASQ_DOMS, $FROM_HEADER"
- else
- MASQ_DOMS="$FROM_HEADER"
- fi
- fi
- $PCONF -e "masquerade_domains = $MASQ_DOMS"
-
- if test -z "$POSTFIX_LOCALDOMAINS"; then
- $PCONF -e 'mydestination = $myhostname, localhost.$mydomain'
- else
- $PCONF -e "mydestination = $POSTFIX_LOCALDOMAINS"
- fi
-
- # this overrides the previous
- if test "$POSTFIX_NULLCLIENT" == "yes"; then
- $PCONF -e "mydestination = "
- fi
-
- if test "$POSTFIX_DIALUP" == "yes"; then
- $PCONF -e "defer_transports = smtp"
- $PCONF -e "mynetworks_style = host"
- else
- $PCONF -e "defer_transports = "
- if test -n "$POSTFIX_ADD_MYNETWORKS_STYLE"
- then
- $PCONF -e "mynetworks_style = $POSTFIX_ADD_MYNETWORKS_STYLE"
- fi
- fi
-
- if test "$POSTFIX_NODNS" == "yes"; then
- $PCONF -e "disable_dns_lookups = yes"
- else
- $PCONF -e "disable_dns_lookups = no"
- fi
- if test -n "$POSTFIX_RELAYHOST"; then
- $PCONF -e "relayhost = $POSTFIX_RELAYHOST"
- else
- $PCONF -e "relayhost = "
- fi
-
- case "$POSTFIX_MDA" in
- procmail)
- echo "Setting up procmail as MDA..."
- if [ ! -x /usr/bin/procmail ]; then
- warn_user "procmail is not installed, using local as MDA!"
- $PCONF -e "mailbox_command = "
- $PCONF -e "mailbox_transport = "
- else
- $PCONF -e "mailbox_command = /usr/bin/procmail"
- $PCONF -e "mailbox_transport = "
- fi
- if [ $PFMAJOR -ge 2 ]; then
- $PCONF -e "strict_8bitmime = no"
- $PCONF -e "disable_mime_output_conversion = no"
- fi
- ;;
- cyrus)
- echo "Setting up cyrus-imapd via lmtp as MDA..."
- if [ ! -x /usr/lib/cyrus/bin/lmtpd ]; then
- warn_user 1>&2 "cyrus-imapd is not installed, using local as MDA!"
- $PCONF -e "mailbox_command = "
- $PCONF -e "mailbox_transport = "
- else
- LMTPUNIX=$(grep -E "^[[:space:]]*lmtpunix.*" /etc/cyrus.conf)
- if [ -z "$LMTPUNIX" ]; then
- warn_user 1>&2 "you have to add\n\
-lmtpunix cmd=\"lmtpd\" listen=\"/var/lib/imap/socket/lmtp\" prefork=1\n\
-to /etc/cyrus.conf"
- else
- if [ -z "$(echo $LMTPUNIX | grep -E '/var/lib/imap/socket/lmtp')" ]; then
- warn_user 1>&2 "the socket to listen on is wrong in /etc/cyrus.conf\n\
-use listen=\"/var/lib/imap/socket/lmtp\" instead!"
- fi
- fi
- $PCONF -e "mailbox_command = "
- $PCONF -e "mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp"
- if [ $PFMAJOR -ge 2 ]; then
- $PCONF -e "strict_8bitmime = yes"
- $PCONF -e "disable_mime_output_conversion = no"
- fi
- if [ -z "$(id postfix | grep -E 'groups=.*mail')" ]; then
- warn_user 1>&2 "adding postfix user to group mail"
- usermod -G mail postfix
- fi
- fi
- ;;
- local|*)
- echo "Setting up postfix local as MDA..."
- $PCONF -e "mailbox_command = "
- $PCONF -e "mailbox_transport = "
- if [ $PFMAJOR -ge 2 ]; then
- $PCONF -e "strict_8bitmime = no"
- $PCONF -e "disable_mime_output_conversion = no"
- fi
- ;;
- esac
-
- case "$POSTFIX_BASIC_SPAM_PREVENTION" in
- medium)
- echo "Setting up medium SPAM protection..."
- $PCONF -e "smtpd_sender_restrictions = hash:/etc/postfix/access, reject_unknown_sender_domain"
- if test -n "$POSTFIX_RBL_HOSTS"; then
- rblhosts=$(echo ${POSTFIX_RBL_HOSTS//,/ })
- clnt_restrictions=""
- for i in $rblhosts; do
- if [ -z "$clnt_restrictions" ]; then
- clnt_restrictions="reject_rbl_client $i"
- else
- clnt_restrictions="$clnt_restrictions, reject_rbl_client $i"
- fi
- done
- $PCONF -e "smtpd_client_restrictions = $clnt_restrictions"
- else
- $PCONF -e "smtpd_client_restrictions ="
- fi
- $PCONF -e "smtpd_helo_required = yes"
- $PCONF -e "smtpd_helo_restrictions = "
- $PCONF -e "strict_rfc821_envelopes = no"
- $PCONF -e "smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination "
- ;;
- hard)
- echo "Setting up hard SPAM protection..."
- $PCONF -e "smtpd_sender_restrictions = hash:/etc/postfix/access, reject_unknown_sender_domain"
- if test -n "$POSTFIX_RBL_HOSTS"; then
- rblhosts=$(echo ${POSTFIX_RBL_HOSTS//,/ })
- clnt_restrictions=""
- for i in $rblhosts; do
- if [ -z "$clnt_restrictions" ]; then
- clnt_restrictions="reject_rbl_client $i"
- else
- clnt_restrictions="$clnt_restrictions, reject_rbl_client $i"
- fi
- done
- $PCONF -e "smtpd_client_restrictions = permit_mynetworks, $clnt_restrictions, reject_unknown_client"
-
- else
- $PCONF -e \
- "smtpd_client_restrictions = permit_mynetworks, reject_unknown_client"
- fi
- $PCONF -e "smtpd_helo_required = yes"
- $PCONF -e "smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname"
- $PCONF -e "strict_rfc821_envelopes = yes"
- $PCONF -e "smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination"
- ;;
- *)
- if test "$POSTFIX_BASIC_SPAM_PREVENTION" != "off"; then
- warn_user 1>&2 "$POSTFIX_BASIC_SPAM_PREVENTION is an invalid value for POSTFIX_BASIC_SPAM_PREVENTION\n\
-using \"off\" instead!"
- fi
- echo "Setting SPAM protection to \"off\"..."
- $PCONF -e "smtpd_sender_restrictions = hash:/etc/postfix/access"
- $PCONF -e "smtpd_client_restrictions ="
- $PCONF -e "smtpd_helo_required = no"
- $PCONF -e "smtpd_helo_restrictions ="
- $PCONF -e "strict_rfc821_envelopes = no"
- $PCONF -e "smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination"
- ;;
- esac
-
- if test "$POSTFIX_SMTP_AUTH" == "yes"; then
- $PCONF -e "smtp_sasl_auth_enable = yes"
- $PCONF -e "smtp_sasl_security_options = $POSTFIX_SMTP_AUTH_OPTIONS"
- $PCONF -e "smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd"
- else
- $PCONF -e "smtp_sasl_auth_enable = no"
- fi
-
- if test "$POSTFIX_SMTP_AUTH_SERVER" == "yes"; then
- if [ -f /etc/sasl2/smtpd.conf ]; then
- grep saslauthd /etc/sasl2/smtpd.conf >/dev/null && {
- checkproc -p /var/run/sasl2/saslauthd.pid /usr/sbin/saslauthd || {
- warn_user 1>&2 "You are using saslauthd as pwcheck_method in /etc/sasl2/smtpd.conf,\n\
-but saslauthd is not running."
- }
- }
- elif [ -f /usr/@lib@/sasl2/smtpd.conf ]; then
- grep saslauthd /usr/@lib@/sasl2/smtpd.conf >/dev/null && {
- checkproc -p /var/run/sasl2/saslauthd.pid /usr/sbin/saslauthd || {
- warn_user 1>&2 "You are using saslauthd as pwcheck_method in /usr/@lib@/sasl2/smtpd.conf,\n\
-but saslauthd is not running."
- }
- }
- else
- warn_user 1>&2 "You have activated POSTFIX_SMTP_AUTH_SERVER, but you don't have /etc/sasl2/smtpd.conf (nor /usr/@lib@/sasl2/smtpd.conf)"
- fi
- $PCONF -e "smtpd_sasl_auth_enable= yes"
- touch -m -d "1 minute ago" $TMPDIR/main.cf
- CURRENT=$($PCONF -h smtpd_client_restrictions)
- $PCONF -e "smtpd_client_restrictions= permit_sasl_authenticated, $CURRENT"
- touch -m -d "1 minute ago" $TMPDIR/main.cf
- CURRENT=$($PCONF -h smtpd_recipient_restrictions)
- $PCONF -e "smtpd_recipient_restrictions= permit_sasl_authenticated, $CURRENT"
- else
- $PCONF -e "smtpd_sasl_auth_enable= no"
- fi
-
-
- if test "$POSTFIX_SMTP_TLS_SERVER" == "yes"; then
- grep -E '^smtps' /etc/services >/dev/null || {
- warn_user 1>&2 "adding service \"smtps\" to /etc/services"
- echo "smtps 465/tcp # smtp over SSL" >> /etc/services
- }
- $PCONF -e "smtpd_use_tls = yes"
- $PCONF -e "smtpd_tls_CAfile = $POSTFIX_SSL_PATH/$POSTFIX_TLS_CAFILE"
- $PCONF -e "smtpd_tls_cert_file = $POSTFIX_SSL_PATH/$POSTFIX_TLS_CERTFILE"
- $PCONF -e "smtpd_tls_key_file = $POSTFIX_SSL_PATH/$POSTFIX_TLS_KEYFILE"
- $PCONF -e "smtpd_tls_received_header = yes"
- $PCONF -e "tls_daemon_random_source = dev:/dev/urandom"
- $PCONF -e "tls_random_source = dev:/dev/urandom"
- $PCONF -e "relay_clientcerts = hash:/etc/postfix/relay_ccerts"
- $PCONF -e "smtpd_tls_ask_ccert = yes"
- touch -m -d "1 minute ago" $TMPDIR/main.cf
- CURRENT=$($PCONF -h smtpd_recipient_restrictions)
- $PCONF -e "smtpd_recipient_restrictions = permit_tls_clientcerts, $CURRENT"
- else
- $PCONF -e "smtpd_use_tls = no"
- fi
-
- if test "$POSTFIX_SMTP_TLS_CLIENT" == "yes"; then
- $PCONF -e "smtp_use_tls = yes"
- test -s "$POSTFIX_SSL_PATH/$POSTFIX_TLS_CAFILE" && \
- $PCONF -e "smtp_tls_CAfile = $POSTFIX_SSL_PATH/$POSTFIX_TLS_CAFILE"
- test -s "$POSTFIX_SSL_PATH/$POSTFIX_TLS_CERTFILE" && \
- $PCONF -e "smtp_tls_cert_file = $POSTFIX_SSL_PATH/$POSTFIX_TLS_CERTFILE"
- test -s "$POSTFIX_SSL_PATH/$POSTFIX_TLS_KEYFILE" && \
- $PCONF -e "smtp_tls_key_file = $POSTFIX_SSL_PATH/$POSTFIX_TLS_KEYFILE"
- $PCONF -e "smtp_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache"
- else
- $PCONF -e "smtp_use_tls = no"
- fi
-
- ALLMAPS="hash:/etc/aliases"
- for i in $(get_alias_maps); do
- ALLMAPS="${ALLMAPS}, hash:$i"
- done
- $PCONF -e "alias_maps = $ALLMAPS"
-
- for i in $(echo ${!POSTFIX_ADD_*}); do
- touch -m -d "1 minute ago" $TMPDIR/main.cf
- pfkey=$(echo ${i#POSTFIX_ADD_} | tr '[:upper:]' '[:lower:]')
- pfval=$(eval "echo \$$i")
- if [ -z "$($PCONF $pfkey 2>/dev/null)" ]; then
- warn_user 1>&2 "unknown parameter $i ignored"
- else
- $PCONF -e "$pfkey = $pfval"
- fi
- done
-
- cat $TMPDIR/main.cf
- rm -rf $TMPDIR
-}
-
-gen_master_cf(){
- export POSTFIX_LAPTOP
- export POSTFIX_CHROOT
- export POSTFIX_NULLCLIENT
- export USE_AMAVIS
- export POSTFIX_SMTP_TLS_SERVER
- export POSTFIX_SMTP_TLS_CLIENT
-
- perl -e 'use strict;
-
-my $mcf = "/etc/postfix/master.cf";
-my $line;
-
-my $laptop =
- defined $ENV{POSTFIX_LAPTOP} ? $ENV{POSTFIX_LAPTOP} : "no";
-my $nullclient =
- defined $ENV{POSTFIX_NULLCLIENT} ? $ENV{POSTFIX_NULLCLIENT} : "no";
-my $chroot =
- defined $ENV{POSTFIX_CHROOT} ? $ENV{POSTFIX_CHROOT} : "yes";
-my $use_amavis =
- defined $ENV{USE_AMAVIS} ? $ENV{USE_AMAVIS} : "no";
-my $tlsserver =
- defined $ENV{POSTFIX_SMTP_TLS_SERVER} ? $ENV{POSTFIX_SMTP_TLS_SERVER} : "no";
-my $tlsclient =
- defined $ENV{POSTFIX_SMTP_TLS_CLIENT} ? $ENV{POSTFIX_SMTP_TLS_CLIENT} : "no";
-
-
-$laptop = lc($laptop);
-$chroot = lc($chroot);
-$nullclient = lc($nullclient);
-$use_amavis = lc($use_amavis);
-$tlsserver = lc($tlsserver);
-$tlsclient = lc($tlsclient);
-
-open(MCF,"<$mcf") || die "unable to open $mcf: $!";
-
-while( <MCF> ) {
- chomp;
-
- if( /\#?\s*(smtp\s+inet.*?smtpd)/ ) {
- if ($nullclient eq "yes") {
- $line = "#".$1;
- } else {
- $line = $1;
- }
- if ( $use_amavis eq "yes" ) {
- $line =~ /(\#?\s*smtp\s+inet\s+[yn-]?\s+[yn-]?\s+[yn-]?\s+[0-9?yn-]?\s+)[0-9-]+(.*)/;
- $line = $1."10".$2." -o content_filter=smtp:[127.0.0.1]:10024";
- } else {
- $line =~ /(\#?\s*smtp\s+inet\s+[yn-]?\s+[yn-]?\s+[yn-]?\s+[0-9?yn-]?\s+)[0-9-]+(.*)/;
- $line = $1."-".$2;
- }
- } elsif( /\#?\s*(local\s+unix.*)/ ) {
- if ($nullclient eq "yes") {
- $line = "#".$1;
- } else {
- $line = $1;
- }
- } elsif( /\#?\s*(localhost:10025\s+inet.*)/ ) {
- if ( $use_amavis ne "yes" ) {
- $line = "#".$1;
- } else {
- $line = $1;
- if( $line !~ /receive_override_options=no_unknown_recipient_checks,no_header_body_checks/ )
- {
- $line .= " -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_address_mappings";
- }
- }
- } elsif( /\#?\s*(tlsmgr\s+unix.*)/ ) {
- if ( $tlsclient ne "yes" && $tlsserver ne "yes" ) {
- $line = "#".$1;
- } else {
- $line = $1;
- }
- } elsif( /\#?\s*(smtps\s+inet.*?smtpd)/ ) {
- if ( $tlsserver ne "yes" ) {
- $line = "#".$1." -o smtpd_tls_wrappermode=yes";
- } else {
- $line = $1." -o smtpd_tls_wrappermode=yes";
- }
- if ( $use_amavis eq "yes" ) {
- $line =~ /(\#?\s*smtps\s+inet\s+[yn-]?\s+[yn-]?\s+[yn-]?\s+[0-9?yn-]?\s+)[0-9-]+(.*)/;
- $line = $1."10".$2." -o content_filter=smtp:[127.0.0.1]:10024";
- } else {
- $line =~ /(\#?\s*smtps\s+inet\s+[yn-]?\s+[yn-]?\s+[yn-]?\s+[0-9?yn-]?\s+)[0-9-]+(.*)/;
- $line = $1."-".$2;
- }
- } elsif( /^(\#?\s*(?:pickup|qmgr)\s+)(?:fifo|unix)(\s+.*)/ ) {
- if ( $laptop eq "yes" ) {
- $line = $1."unix".$2;
- } else {
- $line = $1."fifo".$2;
- }
- } else {
- $line = $_;
- }
-
- if( $line =~ /^\#/ ) {
- print $line."\n";
- next;
- }
-
- my $match = 0;
- foreach my $serv ( ( "smtp", "pickup", "cleanup", "qmgr", "rewrite",
- "bounce", "defer", "showq", "error", "virtual",
- "lmtp", "smtps", "tlsmgr", "localhost:10025" ) ) {
- if( $line =~ /^$serv\s+/ ) {
- $line =~ /(^$serv\s+\w+\s+[yn-]?\s+[yn-]?\s+)[yn-]?(.*)/;
- print $1.( $chroot eq "yes" ? "y" : "n" ).$2."\n";
- $match = 1;
- } else {
- next;
- }
- }
- print $line."\n" if ! $match;
-}'
-
-}
-
-update_cf() {
- while test "x$1" != "x" ; do
- if [ ! -f $r/etc/postfix/${1}.SuSEconfig ]; then
- eval gen_${1/\./_} > $r/etc/postfix/${1}.SuSEconfig
- test -s $r/etc/postfix/${1}.SuSEconfig || {
- warn_user "Writing $r/etc/postfix/${1}.SuSEconfig failed, exiting..."
- exit 1
- }
- check_md5_and_move $r/etc/postfix/$1
- else
- warn_user "Found /etc/postfix/${1}.SuSEconfig, exiting..."
- exit 1
- fi
- shift
- done
-}
-
-restore_cf() {
- while test "x$1" != "x" ; do
- warn_user "/etc/postfix/${1}: zero file size or missing, restoring
-from @conf_backup_dir@/${1}"
- if [ ! -s @conf_backup_dir@/$1 ]; then
- warn_user "@conf_backup_dir@/${1}: zero file size or missing, exiting..."
- exit 1
- fi
- rm -f /var/adm/SuSEconfig/md5/etc/postfix/$1
- cp --remove-destination @conf_backup_dir@/$1 /etc/postfix/$1
-
- update_cf $1
- shift
- done
-}
-
-gen_CA() {
- openssl=/usr/bin/openssl
- sslpath=$POSTFIX_SSL_PATH
- sslconfig=$sslpath/openssl_postfix.conf
- date="$(date)"
-
- oldmask=$(umask)
- umask 077
- mkdir -p $sslpath/private
- mkdir -p $sslpath/certs
- mkdir -p $sslpath/newcerts
-
- test -f $sslpath/serial || \
- echo 01 > $sslpath/serial
- touch $sslpath/index.txt
- sed -e "s/@POSTFIX_SSL_COUNTRY@/$POSTFIX_SSL_COUNTRY/" \
- -e "s/@POSTFIX_SSL_STATE@/$POSTFIX_SSL_STATE/" \
- -e "s/@POSTFIX_SSL_LOCALITY@/$POSTFIX_SSL_LOCALITY/" \
- -e "s/@POSTFIX_SSL_ORGANIZATION@/$POSTFIX_SSL_ORGANIZATION/" \
- -e "s/@POSTFIX_SSL_ORGANIZATIONAL_UNIT@/$POSTFIX_SSL_ORGANIZATIONAL_UNIT/" \
- -e "s/@POSTFIX_SSL_COMMON_NAME@/$POSTFIX_SSL_COMMON_NAME/" \
- -e "s/@POSTFIX_SSL_EMAIL_ADDRESS@/$POSTFIX_SSL_EMAIL_ADDRESS/" \
- -e "s/@RANDOM@/${RANDOM}${RANDOM}/" \
- -e "s/@COMMENT@/generated by SuSEconfig.postfix at $date/" \
- /etc/postfix/openssl_postfix.conf.in > $sslconfig
-
- echo "creating CA request/certificate..."
- $openssl req -days 2000 -config $sslconfig -new -x509 -nodes \
- -keyout $sslpath/private/cakey.pem -out $sslpath/$POSTFIX_TLS_CAFILE 2>/dev/null || {
- echo "error creating CA request/certificate"
- rm -rf $sslpath
- umask $oldmask
- return
- }
-
- echo "creating certificate request..."
- $openssl req -config $sslconfig -new -nodes -keyout \
- $sslpath/$POSTFIX_TLS_KEYFILE -out $sslpath/certs/postfixreq.pem 2>/dev/null || {
- echo "error creating certificate request"
- rm -rf $sslpath
- umask $oldmask
- return
- }
-
- echo "signing server certificate..."
- $openssl ca -config $sslconfig -notext -batch \
- -out $sslpath/$POSTFIX_TLS_CERTFILE \
- -infiles $sslpath/certs/postfixreq.pem 2>/dev/null || {
- echo "error signing server certificate"
- rm -rf $sslpath
- umask $oldmask
- return
- }
-
- chmod 755 $sslpath
- chmod 755 $sslpath/certs
- chmod 644 $sslpath/cacert.pem
- umask $oldmask
-}
-
-###############################################################################
-#################################### MAIN #####################################
-###############################################################################
-
-r=$ROOT
-
-test -s $r/etc/sysconfig/postfix || {
- echo "No $r/etc/sysconfig/postfix found."
- exit 1
-}
-. $r/etc/sysconfig/postfix
-
-# this file contains generic mail setup information
-test -s $r/etc/sysconfig/mail || {
- echo "No $r/etc/sysconfig/mail found."
- exit 1
-}
-. $r/etc/sysconfig/mail
-
-# We may need TIMEZONE for chroot setup
-test -s $r/etc/sysconfig/clock && . $r/etc/sysconfig/clock
-
-# Try to get a valid hostname...
-FQHOSTNAME=$(hostname -f)
-# check whether hostname contains at least one dot...
-echo $FQHOSTNAME | grep "\." >/dev/null || FQHOSTNAME=""
-
-test -z "$FQHOSTNAME" && {
- # still no valid hostname? Then read /etc/HOSTNAME
- test -s $r/etc/HOSTNAME && read -t 1 FQHOSTNAME < $r/etc/HOSTNAME
- # check whether hostname contains at least one dot...
- echo $FQHOSTNAME | grep "\." >/dev/null || FQHOSTNAME=""
- # still no valid hostname? :-( set hostname to linux.local
- test -z "$FQHOSTNAME" && FQHOSTNAME=linux.local
-}
-
-PFVERSION=$(/usr/sbin/postconf -h mail_version)
-test -z "$PFVERSION" && {
- echo "ERROR - unable to determine the version of postfix, you are running"
- echo "This should not happen. Exit..."
- exit 1
-}
-PFMAJOR=${PFVERSION:0:1}
-
-# check whether we want to use amavis
-if [ -x /usr/sbin/amavisd ]; then
- test -s $r/etc/sysconfig/amavis && . $r/etc/sysconfig/amavis
-fi
-
-test -f $r/lib/YaST/SuSEconfig.functions || {
- echo "ERROR - can not find $r/lib/YaST/SuSEconfig.functions!!"
- echo "This should not happen. Exit..."
- exit 1
-}
-. $r/lib/YaST/SuSEconfig.functions
-
-
-# call mkchroot. The conditions what to do take place in this function.
-mkchroot
-
-# restore main.cf and master.cf, if they had been removed by accident
-test -z "$r" && {
- if [ ! -s /etc/postfix/main.cf ]; then
- restore_cf main.cf
- fi
-
- if [ ! -s /etc/postfix/master.cf ]; then
- restore_cf master.cf
- fi
-}
-
-if test -z "$r" && test "$POSTFIX_SMTP_TLS_SERVER" == yes ; then
- test -d $POSTFIX_SSL_PATH || gen_CA
-fi
-
-if test -z "$r" && test "$POSTFIX_UPDATE_MAPS" == yes ; then
- test -e /etc/aliases && \
- if test /etc/aliases -nt /etc/aliases.db \
- -o ! -e /etc/aliases.db ; then
- echo "Rebuilding /etc/aliases.db."
- /usr/bin/newaliases
- fi
- update_db $POSTFIX_MAP_LIST
-
- for i in $(get_alias_maps); do
- if test $i -nt $i.db -o ! -e $i.db; then
- echo "Rebuilding $i.db"
- /usr/sbin/postalias $i
- fi
- done
-
- /usr/sbin/postfix reload > /dev/null 2>&1
-fi
-
-
-if test "$MAIL_CREATE_CONFIG" != "yes"; then
- exit;
-fi
-
-
-# Note: Because gen_main_cf and gen_master_cf always use original main.cf
-# and master.cf as input base, we won't get a .SuSEconfig file, normally
-
-test -z "$r" && update_cf master.cf main.cf
-
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org