Hello community, here is the log from the commit of package postfix for openSUSE:Factory checked in at 2021-02-02 14:14:54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/postfix (Old) and /work/SRC/openSUSE:Factory/.postfix.new.28504 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "postfix" Tue Feb 2 14:14:54 2021 rev:197 rq: version:3.5.8 Changes: -------- --- /work/SRC/openSUSE:Factory/postfix/postfix.changes 2021-02-01 13:25:45.337874413 +0100 +++ /work/SRC/openSUSE:Factory/.postfix.new.28504/postfix.changes 2021-02-02 14:14:56.170289767 +0100 
@@ -2,78 +1,0 @@ -Wed Jan 27 15:14:50 UTC 2021 - Peter Varkoly <varkoly@suse.com> - -- bsc#1180473 - [Build 20201230] postfix has invalid default config - Fixing config.postfix and sysconfig.postfix - -------------------------------------------------------------------- -Mon Jan 25 10:28:26 UTC 2021 - Paolo Stivanin <info@paolostivanin.com> - -- Update to 3.5.9 - * improves the reporting of DNSSEC problems that may affect - DANE security - -------------------------------------------------------------------- -Thu Jan 7 12:26:08 UTC 2021 - Arjen de Korte <suse+build@de-korte.org> - -- Only do the conversion from the hash/btree databases to lmdb when - the default database type changes from hash to lmdb and do not - stop and start the service (the old compiled databases can live - together with the new ones) - - convert-bdb-to-lmdb.sh -- Clean up the specfile - * Remove < 1330 conditional builds - * Use generated postfix-files instead of the obsolete one from - postfix-SUSE.tar.gz - * Use dynamicmaps.cf.d instead of modifying dynamicmaps.cf upon - (de)installation of optional mysql, pgsql and ldap subpackages - * Use default location for post-install, postfix-tls-script, - postfix-wrapper and postmulti-script - -------------------------------------------------------------------- -Mon Jan 4 12:17:03 UTC 2021 - Peter Varkoly <varkoly@suse.com> - -- Set lmdb to be the default db. -- Convert btree tables to lmdb too. Stop postfix before converting from - bdb to lmdb -- This package is without bdb support. That's why convert must be done - without any suse release condition. 
- o remove patch postfix-no-btree.patch - o add set-default-db-type.patch - -------------------------------------------------------------------- -Fri Dec 25 20:32:04 UTC 2020 - Arjen de Korte <suse+build@de-korte.org> - -- Set database type for address_verify_map and postscreen_cache_map - to lmdb (btree requires Berkeley DB) - o add postfix-no-btree.patch - -------------------------------------------------------------------- -Fri Dec 25 10:28:30 UTC 2020 - Arjen de Korte <suse+build@de-korte.org> - -- Set default database type to lmdb and fix update_postmaps script - -------------------------------------------------------------------- -Thu Dec 24 14:09:32 UTC 2020 - Arjen de Korte <suse+build@de-korte.org> - -- Use variable substition instead of sed to remove .db suffix and - substitute hash: for lmdb: in /etc/postfix/master.cf as well. - Check before substitution if there is something to do (to keep - rpmcheck happy). - -------------------------------------------------------------------- -Tue Dec 8 13:36:35 UTC 2020 - Peter Varkoly <varkoly@suse.com> - -- bsc#1176650 L3: What is regularly triggering the "fillup" - command and changing modify-time of /etc/sysconfig/postfix? - o Remove miss placed fillup_only call from %verifyscript - -------------------------------------------------------------------- -Thu Nov 26 15:30:10 UTC 2020 - Peter Varkoly <varkoly@suse.com> - -- Remove Berkeley DB dependency (JIRA#SLE-12191) - The pacakges postfix is build without Berkely DB support. - lmdb will be used instead of BDB. - The pacakges postfix-bdb is build with Berkely DB support. 
- o add patch for main.cf for postfix-bdb package - postfix-bdb-main.cf.patch - -------------------------------------------------------------------- Old: ---- postfix-3.5.9.tar.gz postfix-3.5.9.tar.gz.asc postfix-bdb-main.cf.patch postfix-bdb.changes postfix-bdb.spec pre_checkin.sh set-default-db-type.patch New: ---- postfix-3.5.8.tar.gz postfix-3.5.8.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ postfix.spec ++++++ --- /var/tmp/diff_new_pack.QOL3vu/_old 2021-02-02 14:14:57.158291700 +0100 +++ /var/tmp/diff_new_pack.QOL3vu/_new 2021-02-02 14:14:57.162291709 +0100 @@ -31,7 +31,15 @@ %define pf_html_directory %{_docdir}/%{name}-doc/html %define pf_sample_directory %{_docdir}/%{name}-doc/samples %define pf_data_directory %{_localstatedir}/lib/%{name} -%define pf_database_convert %{_rundir}/%{name}-needs-convert +%if 0%{?suse_version} < 1330 +%define pf_uid 51 +%define pf_gid 51 +%define maildrop_gid 59 +%define vmusr vmail +%define vmgid 303 +%define vmid 303 +%define vmdir /srv/maildirs +%endif %define mail_group mail %define conf_backup_dir %{_localstatedir}/adm/backup/%{name} %define unitdir %{_prefix}/lib/systemd @@ -39,10 +47,16 @@ %if ! %{defined _fillupdir} %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif +%if 0%{?suse_version} >= 1320 || ( 0%{?suse_version} == 1315 && 0%{?is_opensuse} ) +%bcond_without lmdb %bcond_without libnsl +%else +%bcond_with lmdb +%bcond_with libnsl +%endif %bcond_without ldap Name: postfix -Version: 3.5.9 +Version: 3.5.8 Release: 0 Summary: A fast, secure, and flexible mailer License: IPL-1.0 OR EPL-2.0 
@@ -68,10 +82,9 @@ Patch8: %{name}-vda-v14-3.0.3.patch Patch9: fix-postfix-script.patch Patch10: %{name}-avoid-infinit-loop-if-no-permission.patch -Patch11: set-default-db-type.patch BuildRequires: ca-certificates BuildRequires: cyrus-sasl-devel -#BuildRequires: db-devel +BuildRequires: db-devel BuildRequires: diffutils BuildRequires: fdupes BuildRequires: libicu-devel @@ -81,7 +94,6 @@ %if %{with ldap} BuildRequires: openldap2-devel %endif -BuildRequires: lmdb-devel BuildRequires: pcre-devel BuildRequires: pkgconfig BuildRequires: postgresql-devel @@ -94,19 +106,23 @@ Requires(pre): permissions Conflicts: exim Conflicts: sendmail -Conflicts: postfix-bdb -Provides: postfix-lmdb = %{version}-%{release} -Obsoletes: postfix-lmdb < %{version}-%{release} Provides: smtp_daemon %{?systemd_ordering} +%if %{with lmdb} +BuildRequires: lmdb-devel +%endif %if %{with libnsl} BuildRequires: libnsl-devel %endif +%if 0%{?suse_version} >= 1330 BuildRequires: sysuser-tools Requires: system-user-nobody Requires: group(%{mail_group}) Requires(pre): group(%{mail_group}) %sysusers_requires +%else +Requires(pre): shadow +%endif %description Postfix aims to be an alternative to the widely-used sendmail program. @@ -132,7 +148,11 @@ Summary: Postfix plugin to support MySQL maps Group: Productivity/Networking/Email/Servers Requires(pre): %{name} = %{version} +%if 0%{?suse_version} >= 1330 %sysusers_requires +%else +Requires(pre): shadow +%endif %description mysql Postfix plugin to support MySQL maps. This library will be loaded by @@ -160,6 +180,18 @@ maps with Postfix, you need this. %endif +%if %{with lmdb} +%package lmdb +Summary: Postfix plugin to support LMDB maps +Group: Productivity/Networking/Email/Servers +Requires(pre): %{name} = %{version} + +%description lmdb +Postfix plugin to support LMDB maps. This library will be loaded +by starting %{name} if you'll access a postmap which is stored in +PostgreSQL. +%endif + %prep %setup -q -a 2 -a 3 %patch1 
@@ -172,7 +204,6 @@ %patch8 %patch9 %patch10 -%patch11 # --------------------------------------------------------------------------- @@ -218,15 +249,15 @@ export AUXLIBS_PGSQL="-lpq" fi # +%if %{with lmdb} export CCARGS="${CCARGS} -DHAS_LMDB -I/usr/local/include" \ export AUXLIBS_LMDB="-llmdb" +%endif # # TODO #export AUXLIBS_SQLITE #export AUXLIBS_CDB #export AUXLIBS_SDBM -# Remove berkeley DB and set lmdb as default -export CCARGS="${CCARGS} -DNO_DB -DDEF_DB_TYPE=\\\"lmdb\\\"" export PIE=-pie # using SHLIB_RPATH to specify unrelated linker flags, because LDFLAGS is @@ -237,14 +268,17 @@ config_directory=%{_sysconfdir}/%{name} \ SHLIB_RPATH="-Wl,-rpath,%{pf_shlib_directory} -Wl,-z,relro,-z,now" make %{?_smp_mflags} +%if 0%{?suse_version} >= 1330 # Create postfix user %sysusers_generate_pre %{SOURCE12} postfix %sysusers_generate_pre %{SOURCE13} vmail +%endif # --------------------------------------------------------------------------- %install mkdir -p %{buildroot}/%{_libdir} mkdir -p %{buildroot}%{_sysconfdir}/%{name} +cp conf/* %{buildroot}%{_sysconfdir}/%{name} # create our default postfix ssl DIR (/etc/postfix/ssl) mkdir -p %{buildroot}%{_sysconfdir}/%{name}/ssl/certs # link cacerts to /etc/ssl/certs @@ -293,6 +327,7 @@ -e 's;@sample_directory@;%{pf_sample_directory};' \ -e 's;@mailq_path@;%{pf_mailq_path};' %{name}-SUSE/config.%{name} > %{buildroot}%{_sbindir}/config.%{name} chmod 755 %{buildroot}%{_sbindir}/config.%{name} +install -m 644 %{name}-SUSE/dynamicmaps.cf %{buildroot}%{_sysconfdir}/%{name}/dynamicmaps.cf install -m 644 %{name}-SUSE/ldap_aliases.cf %{buildroot}%{_sysconfdir}/%{name}/ldap_aliases.cf install -m 644 %{name}-SUSE/helo_access %{buildroot}%{_sysconfdir}/%{name}/helo_access install -m 644 %{name}-SUSE/permissions %{buildroot}%{_sysconfdir}/permissions.d/%{name} 
@@ -332,15 +367,7 @@ "disable_vrfy_command = yes" \ 'smtpd_banner = $myhostname ESMTP' #Set Permissions -sed -i -e 's/\(.*ldap.*\)/#\1/g' \ - -e 's/\(.*mysql.*\)/#\1/g' \ - -e 's/\(.*pgsql.*\)/#\1/g' \ - -e 's/\(.*LICENSE.*\)/#\1/g' \ - -e '/html_directory/d' \ - -e '/manpage_directory/d' \ - -e '/readme_directory/d' \ - %{buildroot}%{pf_shlib_directory}/postfix-files -mkdir -p %{buildroot}%{pf_shlib_directory}/postfix-files.d +install -m 644 %{name}-SUSE/%{name}-files %{buildroot}%{pf_shlib_directory}/%{name}-files # postfix-mysql install -m 644 %{name}-mysql/main.cf-mysql %{buildroot}%{_sysconfdir}/%{name}/main.cf-mysql install -m 640 %{name}-mysql/*_maps.cf %{buildroot}%{_sysconfdir}/%{name}/ 
@@ -378,46 +405,97 @@ rm -vf $path ln -sf %{_libdir}/$name $path done - -# create dynamicmaps.cf.d entries for optional modules -sed -n -e '/^#/p' -e '/mysql/p' %{buildroot}%{pf_shlib_directory}/dynamicmaps.cf > %{buildroot}%{pf_shlib_directory}/dynamicmaps.cf.d/%{name}-mysql.cf -sed -i -e '/mysql/d' %{buildroot}%{pf_shlib_directory}/dynamicmaps.cf -sed -n -e '/^#/p' -e '/pgsql/p' %{buildroot}%{pf_shlib_directory}/dynamicmaps.cf > %{buildroot}%{pf_shlib_directory}/dynamicmaps.cf.d/%{name}-pgsql.cf -sed -i -e '/pgsql/d' %{buildroot}%{pf_shlib_directory}/dynamicmaps.cf -%if %{with ldap} -sed -n -e '/^#/p' -e "/ldap/p" %{buildroot}%{pf_shlib_directory}/dynamicmaps.cf > %{buildroot}%{pf_shlib_directory}/dynamicmaps.cf.d/%{name}-ldap.cf -sed -i -e '/ldap/d' %{buildroot}%{pf_shlib_directory}/dynamicmaps.cf -%endif - +# --------------------------------------------------------------------------- install -m 755 %{SOURCE11} %{buildroot}%{_sbindir}/ +%if 0%{?suse_version} >= 1330 mkdir -p %{buildroot}%{_sysusersdir} install -m 644 %{SOURCE12} %{buildroot}%{_sysusersdir}/ install -m 644 %{SOURCE13} %{buildroot}%{_sysusersdir}/ +%endif + +%if 0%{?suse_version} >= 1330 +%pre -f postfix.pre +%else +%pre +getent group %{name} >/dev/null || groupadd -g %{pf_gid} -o -r %{name} +getent group maildrop >/dev/null || groupadd -g %{maildrop_gid} -o -r maildrop +getent passwd %{name} >/dev/null || useradd -r -o -g %{name} -u %{pf_uid} -s /bin/false -c "Postfix Daemon" -d /%{pf_queue_directory} %{name} +usermod -a -G %{maildrop_gid},%{mail_group} %{name} +%endif +%service_add_pre %{name}.service + +VERSIONTEST=$(test -x usr/sbin/postconf && usr/sbin/postconf proxy_read_maps 2>/dev/null || :) +if [ -z "$VERSIONTEST" -a -f %{pf_queue_directory}/pid/master.pid ]; then + if checkproc -p %{pf_queue_directory}/pid/master.pid usr/lib/%{name}/master; then + echo "%{name} is still running. You have to stop %{name} in order to" + echo "install a newer version." 
+ exit 1 + fi +fi # --------------------------------------------------------------------------- -%pre -f postfix.pre -# If existing default database type is hash, we need to convert the -# databases because hash (and btree) is no longer supported after -# the upgrade -if [ -x %{_sbindir}/postconf ]; then - DEF_DB_TYPE=$(postconf default_database_type) - case $DEF_DB_TYPE in *hash) - touch %{pf_database_convert} - esac +%if 0%{?suse_version} >= 1330 +%pre mysql -f vmail.pre +%else +%pre mysql +#echo "PARAM_pre: "$1 +# on `rpm -ivh` PARAM is 1 +# on `rpm -Uvh` PARAM is 2 +if [ "$1" = "1" ]; then + echo "Adding %{vmusr} user" + if [ -z "`getent group %{vmusr} 2>/dev/null`" ]; then + groupadd -r -g %{vmgid} %{vmusr} + fi + if [ -z "`getent passwd %{vmusr} 2>/dev/null`" ]; then + useradd -c "maildirs chef" -d %{vmdir} -g %{vmusr} -u %{vmid} -r -s /bin/false %{vmusr} + fi fi -%service_add_pre %{name}.service +%endif +# --------------------------------------------------------------------------- %preun +%stop_on_removal %{name} %service_del_preun %{name}.service +# --------------------------------------------------------------------------- + +%preun mysql +#echo "PARAM_preun: "$1 +# on `rpm -e` PARAM is 0 +if [ "$1" = "0" ]; then + FILE=etc/%{name}/dynamicmaps.cf + if [ -e "$FILE" ] ; then + if grep -q "^mysql[[:space:]]" ${FILE}; then + echo "Removing mysql map entry from ${FILE}" + sed "/^mysql[[:space:]]/d" ${FILE} > ${FILE}.$$ && \ + cp --remove-destination ${FILE}.$$ ${FILE} && \ + rm ${FILE}.$$ + fi + else + echo "Can not find \"$FILE\". Not updating the file." 
>&2 + fi +fi +# --------------------------------------------------------------------------- + +%preun postgresql +if [ "$1" = 0 ] ; then + FILE=etc/%{name}/dynamicmaps.cf + if [ -e "$FILE" ] ; then + if grep -q "^pgsql[[:space:]]" ${FILE}; then + echo "Removing pgsql map entry from ${FILE}" + sed "/^pgsql[[:space:]]/d" ${FILE} > ${FILE}.$$ && \ + cp --remove-destination ${FILE}.$$ ${FILE} && \ + rm ${FILE}.$$ + fi + else + echo "Can not find \"$FILE\". Not updating the file." >&2 + fi +fi +# --------------------------------------------------------------------------- %post # We never have to run suseconfig for postfix after installation # We only start postfix own upgrade-configuration by update -# -# If the default database type of the previous installation was -# hash, we also need to rebuild the databases in the new lmdb -# format if [ ${1:-0} -gt 1 ]; then touch %{_localstatedir}/adm/%{name}.configured echo "Executing upgrade-configuration." 
@@ -425,54 +503,50 @@ if [ "$(%{_sbindir}/postconf -h daemon_directory)" != "%{pf_daemon_directory}" ]; then %{_sbindir}/postconf daemon_directory=%{pf_daemon_directory} fi - if [ -e %{pf_database_convert} ]; then - sed -i -E "s/(btree|hash):/lmdb:/g" %{pf_config_directory}/{main.cf,master.cf} - for i in $(find %{pf_config_directory} -name "*.db"); do - postmap ${i%.db} - done - for i in $(find %{_sysconfdir}/aliases.d/ -name "*.db"); do - postalias ${i%.db} - done - if [ -e %{_sysconfdir}/aliases.db ]; then - postalias %{_sysconfdir}/aliases - fi - rm %{pf_database_convert} - fi fi + +%service_add_post %{name}.service + %set_permissions %{_sbindir}/postqueue %set_permissions %{_sbindir}/postdrop %set_permissions %{_sysconfdir}/%{name}/sasl_passwd %set_permissions %{_sbindir}/sendmail + %{fillup_only postfix} %{fillup_only -an mail} -%service_add_post %{name}.service - -%postun -%service_del_postun %{name}.service +/sbin/ldconfig %verifyscript %verify_permissions -e %{_sbindir}/postqueue %verify_permissions -e %{_sbindir}/postdrop %verify_permissions -e %{_sysconfdir}/%{name}/sasl_passwd %verify_permissions -e %{_sbindir}/sendmail +%{fillup_only postfix} -# --------------------------------------------------------------------------- - -%pre mysql -f vmail.pre +%postun +%service_del_postun %{name}.service +/sbin/ldconfig -%post mysql -p /sbin/ldconfig -%postun mysql -p /sbin/ldconfig +# --------------------------------------------------------------------------- -%post postgresql -p /sbin/ldconfig -%postun postgresql -p /sbin/ldconfig +%post postgresql +FILE=etc/%{name}/dynamicmaps.cf +if ! 
grep -q "^pgsql[[:space:]]" ${FILE}; then + echo "Adding pgsql map entry to ${FILE}" + echo "pgsql %{pf_shlib_directory}/dict_pgsql.so dict_pgsql_open" >> ${FILE} +fi +# --------------------------------------------------------------------------- -%if %{with ldap} -%post ldap -p /sbin/ldconfig -%postun ldap -p /sbin/ldconfig -%endif +%post mysql +FILE=etc/%{name}/dynamicmaps.cf +if ! grep -q "^mysql[[:space:]]" ${FILE}; then + echo "Adding mysql map entry to ${FILE}" + echo "mysql %{pf_shlib_directory}/dict_mysql.so dict_mysql_open" >> ${FILE} +fi +# --------------------------------------------------------------------------- %files -%license LICENSE TLS_LICENSE +%license LICENSE %config %{_sysconfdir}/pam.d/* %{_fillupdir}/sysconfig.%{name} %{_fillupdir}/sysconfig.mail-%{name} 
@@ -487,19 +561,24 @@ %config(noreplace) %{_sysconfdir}/%{name}/helo_access %config(noreplace) %{_sysconfdir}/%{name}/main.cf %config(noreplace) %{_sysconfdir}/%{name}/master.cf +%attr(0750,root,root) %config %{_sysconfdir}/%{name}/post-install +%attr(0750,root,root) %config %{_sysconfdir}/%{name}/%{name}-tls-script +%attr(0750,root,root) %config %{_sysconfdir}/%{name}/%{name}-wrapper +%attr(0750,root,root) %config %{_sysconfdir}/%{name}/postmulti-script +%config(noreplace) %{_sysconfdir}/%{name}/%{name}-files %config(noreplace) %{_sysconfdir}/%{name}/relay %config(noreplace) %{_sysconfdir}/%{name}/relay_ccerts %config(noreplace) %{_sysconfdir}/%{name}/sasl_passwd %config(noreplace) %{_sysconfdir}/%{name}/sender_canonical %config(noreplace) %{_sysconfdir}/%{name}/virtual -%ghost %{_sysconfdir}/%{name}/*.lmdb -%ghost %{_sysconfdir}/aliases.lmdb + %dir %{_sysconfdir}/sasl2 %config(noreplace) %{_sysconfdir}/sasl2/smtpd.conf -%exclude %{_sysconfdir}/%{name}/LICENSE -%exclude %{_sysconfdir}/%{name}/TLS_LICENSE +%config %{_sysconfdir}/%{name}/LICENSE +%config %{_sysconfdir}/%{name}/TLS_LICENSE %config %{_sysconfdir}/permissions.d/%{name} %config %{_sysconfdir}/permissions.d/%{name}.paranoid +%attr(0644, root, root) %config %{_sysconfdir}/%{name}/makedefs.out %{pf_shlib_directory}/%{name}-files # create our default postfix ssl DIR (/etc/postfix/ssl) %dir %{_sysconfdir}/%{name}/ssl 
@@ -533,25 +612,20 @@ %{_libdir}/lib* %{_libexecdir}/sendmail %dir %{pf_shlib_directory} +%{pf_shlib_directory}/*[^.so] %{pf_shlib_directory}/%{name}-pcre.so -%{pf_shlib_directory}/%{name}-lmdb.so %{pf_shlib_directory}/lib%{name}-dns.so %{pf_shlib_directory}/lib%{name}-global.so %{pf_shlib_directory}/lib%{name}-master.so %{pf_shlib_directory}/lib%{name}-tls.so %{pf_shlib_directory}/lib%{name}-util.so -%{pf_shlib_directory}/dynamicmaps.cf %{pf_shlib_directory}/main.cf.proto -%{pf_shlib_directory}/makedefs.out %{pf_shlib_directory}/master.cf.proto -%dir %{pf_daemon_directory} -%{pf_daemon_directory}/* -%dir %{pf_shlib_directory}/dynamicmaps.cf.d -%dir %{pf_shlib_directory}/postfix-files.d %{conf_backup_dir} %dir %attr(0700,%{name},root) %{pf_data_directory} %exclude %{_mandir}/man5/ldap_table.5* +%exclude %{_mandir}/man5/lmdb_table.5* %exclude %{_mandir}/man5/mysql_table.5* %exclude %{_mandir}/man5/pgsql_table.5* %{_mandir}/man?/*%{?ext_man} @@ -569,7 +643,9 @@ %dir %attr(0700,%{name},root) /%{pf_queue_directory}/trace %dir %attr(0730,%{name},maildrop) /%{pf_queue_directory}/maildrop %dir %attr(0710,%{name},maildrop) /%{pf_queue_directory}/public +%if 0%{?suse_version} >= 1330 %{_sysusersdir}/postfix-user.conf +%endif %files devel %{_includedir}/%{name}/ 
@@ -583,21 +659,26 @@ %config(noreplace) %attr(640, root, %{name}) %{_sysconfdir}/%{name}/*_maps.cf %config(noreplace) %{_sysconfdir}/%{name}/main.cf-mysql %{pf_shlib_directory}/%{name}-mysql.so -%{pf_shlib_directory}/dynamicmaps.cf.d/%{name}-mysql.cf %{_mandir}/man5/mysql_table.5%{?ext_man} +%if 0%{?suse_version} >= 1330 %{_sysusersdir}/postfix-vmail-user.conf +%endif %files postgresql %{pf_shlib_directory}/%{name}-pgsql.so -%{pf_shlib_directory}/dynamicmaps.cf.d/%{name}-pgsql.cf %{_mandir}/man5/pgsql_table.5%{?ext_man} %if %{with ldap} %files ldap %config(noreplace) %{_sysconfdir}/%{name}/ldap_aliases.cf %{pf_shlib_directory}/%{name}-ldap.so -%{pf_shlib_directory}/dynamicmaps.cf.d/%{name}-ldap.cf %{_mandir}/man5/ldap_table.5%{?ext_man} %endif +%if %{with lmdb} +%files lmdb +%{pf_shlib_directory}/%{name}-lmdb.so +%{_mandir}/man5/lmdb_table.5%{?ext_man} +%endif + %changelog ++++++ postfix-3.5.9.tar.gz -> postfix-3.5.8.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.9/HISTORY new/postfix-3.5.8/HISTORY --- old/postfix-3.5.9/HISTORY 2021-01-17 15:54:57.000000000 +0100 +++ new/postfix-3.5.8/HISTORY 2020-11-05 00:11:27.000000000 +0100 
@@ -24882,26 +24882,3 @@ subsequent header content to become message body content. Reported by Andreas Weigel, fix by Viktor Dukhovni. File: smtp/smtp_proto.c. - -20210116 - - Feature: when a Postfix program makes a DNS query that - requests DNSSEC validation (usually for Postfix DANE support) - but the DNS response is not DNSSEC validated, Postfix will - send a DNS query configured with the "dnssec_probe" parameter - to determine if DNSSEC support is available, and logs a - warning if it is not. By default, the probe has type "ns" - and domain name ".". The probe is sent once per process - lifetime. Files: dns/dns.h, dns/dns_lookup.c, dns/dns_sec.c, - test_dns_lookup.c, global/mail_params.[hc], mantools/postlink. - - The makedefs script no longer disables DNSSEC when Postfix - is built with libc-musl. Instead Postfix will rely on the - new dnssec_probe feature, and will log a warning when Postfix - requests DNSSEC validation, but the infrastructure does not - validate DNSSEC signatures. File: makedefs. - - The default "smtp_tls_dane_insecure_mx_policy = dane" was - causing unnecessary dnssec_probe activity. The default is now - "dane" when smtp_tls_security_level is "dane", otherwise it is - "may". File: global/mail_params.h. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.9/RELEASE_NOTES new/postfix-3.5.8/RELEASE_NOTES --- old/postfix-3.5.9/RELEASE_NOTES 2021-01-16 23:24:24.000000000 +0100 +++ new/postfix-3.5.8/RELEASE_NOTES 2020-05-16 23:20:59.000000000 +0200 
@@ -25,50 +25,9 @@ the software under the license of their choice. Those who are more comfortable with the IPL can continue with that license. -Runtime detection of DNSSEC support ------------------------------------ - -The Postfix build system will no longer automatically disable DNSSEC -support when it determines that Postfix will use libc-musl. This removes -the earlier libc-musl workaround for Postfix 3.2.15, 3.3.10, 3.4.12, -and 3.5.2. - -Now, when a Postfix process requests DNSSEC support (typically, for -Postfix DANE support), the process may do a runtime test to determine if -DNSSEC validation is available. DNSSEC support may be broken because of -local configuration, libc incompatibility, or other infrastructure issues. - -Background: DNSSEC validation is needed for Postfix DANE support; -this ensures that Postfix receives TLSA records with secure TLS -server certificate info. When DNSSEC validation is unavailable, -mail deliveries using opportunistic DANE will not be protected by -server certificate info in TLSA records, and mail deliveries using -mandatory DANE will not be made at all. - -The dnssec_probe parameter specifies the DNS query type (default: -"ns") and DNS query name (default: ".") that Postfix may use to -determine whether DNSSEC validation is available. Specify an empty -value to disable this feature. - -By default, a Postfix process will send a DNSSEC probe after 1) the -process made a DNS query that requested DNSSEC validation, 2) the -process did not receive a DNSSEC validated response to this query -or to an earlier query, and 3) the process did not already send a -DNSSEC probe. - -When the DNSSEC probe has no response, or when the response is not -DNSSEC validated, Postfix logs a warning that DNSSEC validation may -be unavailable. Examples: - -warning: DNSSEC validation may be unavailable -warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated -warning: reason: dnssec_probe 'ns:.' 
received no response: Server failure - -This feature was backported from Postfix 3.6. - libc-musl workaround for Postfix 3.2.15, 3.3.10, 3.4.12, and 3.5.2 ------------------------------------------------------------------ - + Security: this release disables DANE support on Linux systems with libc-musl, because libc-musl provides no indication whether DNS responses are authentic. This broke DANE support without a clear diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.9/html/lmtp.8.html new/postfix-3.5.8/html/lmtp.8.html --- old/postfix-3.5.9/html/lmtp.8.html 2021-01-17 00:19:54.000000000 +0100 +++ new/postfix-3.5.8/html/lmtp.8.html 2020-03-08 16:09:09.000000000 +0100 @@ -365,13 +365,6 @@ The email address form that will be used in non-debug logging (info, warning, etc.). - Available in Postfix 3.5.9 and later: - - <b><a href="postconf.5.html#dnssec_probe">dnssec_probe</a> (ns:.)</b> - The DNS query type (default: "ns") and DNS query name (default: - ".") that Postfix may use to determine whether DNSSEC validation - is available. - <b>MIME PROCESSING CONTROLS</b> Available in Postfix version 2.0 and later: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.9/html/postconf.5.html new/postfix-3.5.8/html/postconf.5.html --- old/postfix-3.5.9/html/postconf.5.html 2021-01-17 16:10:20.000000000 +0100 +++ new/postfix-3.5.8/html/postconf.5.html 2020-05-09 17:51:27.000000000 +0200 
@@ -3031,66 +3031,6 @@ </DD> -<DT><b><a name="dnssec_probe">dnssec_probe</a> -(default: ns:.)</b></DT><DD> - -<p> The DNS query type (default: "ns") and DNS query name (default: -".") that Postfix may use to determine whether DNSSEC validation -is available. -</p> - -<p> Background: DNSSEC validation is needed for Postfix DANE support; -this ensures that Postfix receives TLSA records with secure TLS -server certificate info. When DNSSEC validation is unavailable, -mail deliveries using <i>opportunistic</i> DANE will not be protected -by server certificate info in TLSA records, and mail deliveries -using <i>mandatory</i> DANE will not be made at all. </p> - -<p> By default, a Postfix process will send a DNSSEC probe after -1) the process made a DNS query that requested DNSSEC validation, -2) the process did not receive a DNSSEC validated response to this -query or to an earlier query, and 3) the process did not already -send a DNSSEC probe. <p> - -<p> When the DNSSEC probe has no response, or when the response is -not DNSSEC validated, Postfix logs a warning that DNSSEC validation -may be unavailable. </p> - -<p> Example: </p> - -<pre> -warning: DNSSEC validation may be unavailable -warning: reason: <a href="postconf.5.html#dnssec_probe">dnssec_probe</a> 'ns:.' received a response that is not DNSSEC validated -warning: reason: <a href="postconf.5.html#dnssec_probe">dnssec_probe</a> 'ns:.' received no response: Server failure -</pre> - -<p> Possible reasons why DNSSEC validation may be unavailable: </p> - -<ul> - -<li> The local /etc/resolv.conf file specifies a DNS resolver that -does not validate DNSSEC signatures (that's -$<a href="postconf.5.html#queue_directory">queue_directory</a>/etc/resolv.conf when a Postfix daemon runs in a -chroot jail). - -<li> The local system library does not pass on the "DNSSEC validated" -bit to Postfix, or Postfix does not know how to ask the library to -do that. 
- -</ul> - -<p> By default, the DNSSEC probe asks for the DNS root zone NS -records, because resolvers should always have that information -cached. If Postfix runs on a network where the DNS root zone is not -reachable, specify a different probe, or specify an empty <a href="postconf.5.html#dnssec_probe">dnssec_probe</a> -value to disable the feature. </p> - -<p> This feature was backported from Postfix 3.6 to Postfix versions -3.5.9, 3.4.19, 3.3.16. 3.2.21. </p> - - -</DD> - <DT><b><a name="dont_remove">dont_remove</a> (default: 0)</b></DT><DD> @@ -12437,7 +12377,7 @@ </DD> <DT><b><a name="smtp_tls_dane_insecure_mx_policy">smtp_tls_dane_insecure_mx_policy</a> -(default: see "postconf -d" output)</b></DT><DD> +(default: dane)</b></DT><DD> <p> The TLS policy for MX hosts with "secure" TLSA records when the nexthop destination security level is <b>dane</b>, but the MX @@ -12461,12 +12401,6 @@ "Verified", because the MX host name could have been forged. </dd> </dl> -<p> The default setting for Postfix ≥ 3.6 is "dane" with -"<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = dane", otherwise "may". This behavior -was backported to Postfix versions 3.5.9, 3.4.19, 3.3.16. 3.2.21. -With earlier -Postfix versions the default setting was always "dane". </p> - <p> Though with "insecure" MX records an active attacker can compromise SMTP transport security by returning forged MX records, such attacks are "tamper-evident" since any forged MX hostnames diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.9/html/smtp.8.html new/postfix-3.5.8/html/smtp.8.html --- old/postfix-3.5.9/html/smtp.8.html 2021-01-17 00:19:54.000000000 +0100 +++ new/postfix-3.5.8/html/smtp.8.html 2020-03-08 16:09:09.000000000 +0100 
@@ -365,13 +365,6 @@ The email address form that will be used in non-debug logging (info, warning, etc.). - Available in Postfix 3.5.9 and later: - - <b><a href="postconf.5.html#dnssec_probe">dnssec_probe</a> (ns:.)</b> - The DNS query type (default: "ns") and DNS query name (default: - ".") that Postfix may use to determine whether DNSSEC validation - is available. - <b>MIME PROCESSING CONTROLS</b> Available in Postfix version 2.0 and later: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.9/makedefs new/postfix-3.5.8/makedefs --- old/postfix-3.5.9/makedefs 2021-01-16 16:10:00.000000000 +0100 +++ new/postfix-3.5.8/makedefs 2020-05-06 16:10:47.000000000 +0200 @@ -228,6 +228,19 @@ *) echo usage: $0 [system release] 1>&2; exit 1;; esac +case "$SYSTEM" in + Linux) + case "`PATH=/bin:/usr/bin ldd /bin/sh`" in + *-musl-*) + case "$CCARGS" in + *-DNO_DNSSEC*) ;; + *) echo Warning: libc-musl breaks DANE/TLSA security. 1>&2 + echo This build will not support DANE/TLSA. 1>&2 + CCARGS="$CCARGS -DNO_DNSSEC";; + esac;; + esac;; +esac + case "$SYSTEM.$RELEASE" in SCO_SV.3.2) SYSTYPE=SCO5 # Use the native compiler by default diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.9/man/man5/postconf.5 new/postfix-3.5.8/man/man5/postconf.5 --- old/postfix-3.5.9/man/man5/postconf.5 2021-01-17 16:10:20.000000000 +0100 +++ new/postfix-3.5.8/man/man5/postconf.5 2020-05-09 17:52:30.000000000 +0200 
@@ -1897,60 +1897,6 @@ service performs DNS white/blacklist lookups. .PP This feature is available in Postfix 2.8 and later. -.SH dnssec_probe (default: ns:.) -The DNS query type (default: "ns") and DNS query name (default: -".") that Postfix may use to determine whether DNSSEC validation -is available. -.PP -Background: DNSSEC validation is needed for Postfix DANE support; -this ensures that Postfix receives TLSA records with secure TLS -server certificate info. When DNSSEC validation is unavailable, -mail deliveries using \fIopportunistic\fR DANE will not be protected -by server certificate info in TLSA records, and mail deliveries -using \fImandatory\fR DANE will not be made at all. -.PP -By default, a Postfix process will send a DNSSEC probe after -1) the process made a DNS query that requested DNSSEC validation, -2) the process did not receive a DNSSEC validated response to this -query or to an earlier query, and 3) the process did not already -send a DNSSEC probe. -.PP -When the DNSSEC probe has no response, or when the response is -not DNSSEC validated, Postfix logs a warning that DNSSEC validation -may be unavailable. -.PP -Example: -.PP -.nf -.na -.ft C -warning: DNSSEC validation may be unavailable -warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated -warning: reason: dnssec_probe 'ns:.' received no response: Server failure -.fi -.ad -.ft R -.PP -Possible reasons why DNSSEC validation may be unavailable: -.IP \(bu -The local /etc/resolv.conf file specifies a DNS resolver that -does not validate DNSSEC signatures (that's -$queue_directory/etc/resolv.conf when a Postfix daemon runs in a -chroot jail). -.IP \(bu -The local system library does not pass on the "DNSSEC validated" -bit to Postfix, or Postfix does not know how to ask the library to -do that. -.br -.PP -By default, the DNSSEC probe asks for the DNS root zone NS -records, because resolvers should always have that information -cached. 
If Postfix runs on a network where the DNS root zone is not -reachable, specify a different probe, or specify an empty dnssec_probe -value to disable the feature. -.PP -This feature was backported from Postfix 3.6 to Postfix versions -3.5.9, 3.4.19, 3.3.16. 3.2.21. .SH dont_remove (default: 0) Don't remove queue files and save them to the "saved" mail queue. This is a debugging aid. To inspect the envelope information and @@ -7975,7 +7921,7 @@ TLS connection reuse" for background details. .PP This feature is available in Postfix 3.4 and later. -.SH smtp_tls_dane_insecure_mx_policy (default: see "postconf \-d" output) +.SH smtp_tls_dane_insecure_mx_policy (default: dane) The TLS policy for MX hosts with "secure" TLSA records when the nexthop destination security level is \fBdane\fR, but the MX record was found via an "insecure" MX lookup. The choices are: @@ -7996,12 +7942,6 @@ "Verified", because the MX host name could have been forged. .br .br -The default setting for Postfix >= 3.6 is "dane" with -"smtp_tls_security_level = dane", otherwise "may". This behavior -was backported to Postfix versions 3.5.9, 3.4.19, 3.3.16. 3.2.21. -With earlier -Postfix versions the default setting was always "dane". -.PP Though with "insecure" MX records an active attacker can compromise SMTP transport security by returning forged MX records, such attacks are "tamper\-evident" since any forged MX hostnames diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.9/man/man8/smtp.8 new/postfix-3.5.8/man/man8/smtp.8 --- old/postfix-3.5.9/man/man8/smtp.8 2021-01-17 00:19:54.000000000 +0100 +++ new/postfix-3.5.8/man/man8/smtp.8 2020-03-08 16:09:08.000000000 +0100 
@@ -356,12 +356,6 @@ .IP "\fBinfo_log_address_format (external)\fR" The email address form that will be used in non\-debug logging (info, warning, etc.). -.PP -Available in Postfix 3.5.9 and later: -.IP "\fBdnssec_probe (ns:.)\fR" -The DNS query type (default: "ns") and DNS query name (default: -".") that Postfix may use to determine whether DNSSEC validation -is available. .SH "MIME PROCESSING CONTROLS" .na .nf diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.9/mantools/postlink new/postfix-3.5.8/mantools/postlink --- old/postfix-3.5.9/mantools/postlink 2021-01-16 23:31:12.000000000 +0100 +++ new/postfix-3.5.8/mantools/postlink 2020-01-26 18:34:39.000000000 +0100 @@ -695,7 +695,6 @@ s;\bsmtp_per_record_deadline\b;<a href="postconf.5.html#smtp_per_record_deadline">$&</a>;g; s;\bsmtp_send_dummy_mail_auth\b;<a href="postconf.5.html#smtp_send_dummy_mail_auth">$&</a>;g; s;\bsmtp_balance_inet_protocols\b;<a href="postconf.5.html#smtp_balance_inet_protocols">$&</a>;g; - s;\bdnssec_probe\b;<a href="postconf.5.html#dnssec_probe">$&</a>;g; s;\bsmtp_tls_connection_reuse\b;<a href="postconf.5.html#smtp_tls_connection_reuse">$&</a>;g; s;\blmtp_tls_connection_reuse\b;<a href="postconf.5.html#lmtp_tls_connection_reuse">$&</a>;g; s;\bsmtpd_enforce_tls\b;<a href="postconf.5.html#smtpd_enforce_tls">$&</a>;g; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.9/proto/postconf.proto new/postfix-3.5.8/proto/postconf.proto --- old/postfix-3.5.9/proto/postconf.proto 2021-01-17 16:10:15.000000000 +0100 +++ new/postfix-3.5.8/proto/postconf.proto 2020-05-09 17:51:27.000000000 +0200 
@@ -16815,7 +16815,7 @@ This feature is available in Postfix 3.1 and later. </p> -%PARAM smtp_tls_dane_insecure_mx_policy see "postconf -d" output +%PARAM smtp_tls_dane_insecure_mx_policy dane <p> The TLS policy for MX hosts with "secure" TLSA records when the nexthop destination security level is <b>dane</b>, but the MX @@ -16839,12 +16839,6 @@ "Verified", because the MX host name could have been forged. </dd> </dl> -<p> The default setting for Postfix ≥ 3.6 is "dane" with -"smtp_tls_security_level = dane", otherwise "may". This behavior -was backported to Postfix versions 3.5.9, 3.4.19, 3.3.16. 3.2.21. -With earlier -Postfix versions the default setting was always "dane". </p> - <p> Though with "insecure" MX records an active attacker can compromise SMTP transport security by returning forged MX records, such attacks are "tamper-evident" since any forged MX hostnames 
@@ -17704,59 +17698,3 @@ such games to circumvent Postfix access policies. </p> <p> This feature is available in Postfix 3.5 and later. </p> - -%PARAM dnssec_probe ns:. - -<p> The DNS query type (default: "ns") and DNS query name (default: -".") that Postfix may use to determine whether DNSSEC validation -is available. -</p> - -<p> Background: DNSSEC validation is needed for Postfix DANE support; -this ensures that Postfix receives TLSA records with secure TLS -server certificate info. When DNSSEC validation is unavailable, -mail deliveries using <i>opportunistic</i> DANE will not be protected -by server certificate info in TLSA records, and mail deliveries -using <i>mandatory</i> DANE will not be made at all. </p> - -<p> By default, a Postfix process will send a DNSSEC probe after -1) the process made a DNS query that requested DNSSEC validation, -2) the process did not receive a DNSSEC validated response to this -query or to an earlier query, and 3) the process did not already -send a DNSSEC probe. <p> - -<p> When the DNSSEC probe has no response, or when the response is -not DNSSEC validated, Postfix logs a warning that DNSSEC validation -may be unavailable. </p> - -<p> Example: </p> - -<pre> -warning: DNSSEC validation may be unavailable -warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated -warning: reason: dnssec_probe 'ns:.' received no response: Server failure -</pre> - -<p> Possible reasons why DNSSEC validation may be unavailable: </p> - -<ul> - -<li> The local /etc/resolv.conf file specifies a DNS resolver that -does not validate DNSSEC signatures (that's -$queue_directory/etc/resolv.conf when a Postfix daemon runs in a -chroot jail). - -<li> The local system library does not pass on the "DNSSEC validated" -bit to Postfix, or Postfix does not know how to ask the library to -do that. 
- -</ul> - -<p> By default, the DNSSEC probe asks for the DNS root zone NS -records, because resolvers should always have that information -cached. If Postfix runs on a network where the DNS root zone is not -reachable, specify a different probe, or specify an empty dnssec_probe -value to disable the feature. </p> - -<p> This feature was backported from Postfix 3.6 to Postfix versions -3.5.9, 3.4.19, 3.3.16. 3.2.21. </p> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.9/src/dns/Makefile.in new/postfix-3.5.8/src/dns/Makefile.in --- old/postfix-3.5.9/src/dns/Makefile.in 2021-01-09 02:23:37.000000000 +0100 +++ new/postfix-3.5.8/src/dns/Makefile.in 2019-12-15 01:01:17.000000000 +0100 @@ -1,10 +1,10 @@ SHELL = /bin/sh SRCS = dns_lookup.c dns_rr.c dns_strerror.c dns_strtype.c dns_rr_to_pa.c \ dns_sa_to_rr.c dns_rr_eq_sa.c dns_rr_to_sa.c dns_strrecord.c \ - dns_rr_filter.c dns_str_resflags.c dns_sec.c + dns_rr_filter.c dns_str_resflags.c OBJS = dns_lookup.o dns_rr.o dns_strerror.o dns_strtype.o dns_rr_to_pa.o \ dns_sa_to_rr.o dns_rr_eq_sa.o dns_rr_to_sa.o dns_strrecord.o \ - dns_rr_filter.o dns_str_resflags.o dns_sec.o + dns_rr_filter.o dns_str_resflags.o HDRS = dns.h TESTSRC = test_dns_lookup.c test_alias_token.c DEFS = -I. -I$(INC_DIR) -D$(SYSTYPE) @@ -76,7 +76,7 @@ done cd $(INC_DIR); chmod 644 $(HDRS) -test_dns_lookup: test_dns_lookup.c all $(LIB) $(LIBS) +test_dns_lookup: test_dns_lookup.c $(LIB) $(LIBS) $(CC) $(CFLAGS) -o $@ $@.c $(LIB) $(LIBS) $(SYSLIBS) dns_rr_to_pa: $(LIB) $(LIBS) 
@@ -346,18 +346,6 @@ dns_sa_to_rr.o: ../../include/vstring.h dns_sa_to_rr.o: dns.h dns_sa_to_rr.o: dns_sa_to_rr.c -dns_sec.o: ../../include/check_arg.h -dns_sec.o: ../../include/mail_params.h -dns_sec.o: ../../include/msg.h -dns_sec.o: ../../include/myaddrinfo.h -dns_sec.o: ../../include/mymalloc.h -dns_sec.o: ../../include/sock_addr.h -dns_sec.o: ../../include/split_at.h -dns_sec.o: ../../include/sys_defs.h -dns_sec.o: ../../include/vbuf.h -dns_sec.o: ../../include/vstring.h -dns_sec.o: dns.h -dns_sec.o: dns_sec.c dns_str_resflags.o: ../../include/check_arg.h dns_str_resflags.o: ../../include/myaddrinfo.h dns_str_resflags.o: ../../include/name_mask.h diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.9/src/dns/dns.h new/postfix-3.5.8/src/dns/dns.h --- old/postfix-3.5.9/src/dns/dns.h 2021-01-16 23:37:12.000000000 +0100 +++ new/postfix-3.5.8/src/dns/dns.h 2020-04-16 19:07:58.000000000 +0200 @@ -244,12 +244,7 @@ (lflags), (ltype)) /* - * The dns_lookup() rflag that requests DNSSEC validation. - */ -#define DNS_WANT_DNSSEC_VALIDATION(rflags) ((rflags) & RES_USE_DNSSEC) - - /* - * lflags. + * Request flags. */ #define DNS_REQ_FLAG_STOP_OK (1<<0) #define DNS_REQ_FLAG_STOP_INVAL (1<<1) 
@@ -314,18 +309,6 @@ */ const char *dns_str_resflags(unsigned long); - /* - * dns_sec.c. - */ -#define DNS_SEC_FLAG_AVAILABLE (1<<0) /* got some DNSSEC validated reply */ -#define DNS_SEC_FLAG_DONT_PROBE (1<<1) /* probe already sent, or disabled */ - -#define DNS_SEC_STATS_SET(flags) (dns_sec_stats |= (flags)) -#define DNS_SEC_STATS_TEST(flags) (dns_sec_stats & (flags)) - -extern int dns_sec_stats; /* See DNS_SEC_FLAG_XXX above */ -extern void dns_sec_probe(int); - /* LICENSE /* .ad /* .fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.9/src/dns/dns_lookup.c new/postfix-3.5.8/src/dns/dns_lookup.c --- old/postfix-3.5.9/src/dns/dns_lookup.c 2021-01-16 17:24:08.000000000 +0100 +++ new/postfix-3.5.8/src/dns/dns_lookup.c 2020-04-16 19:07:58.000000000 +0200 @@ -171,12 +171,6 @@ /* Pointer to storage for the reply RCODE value. This gives /* more detailed information than DNS_FAIL, DNS_RETRY, etc. /* DIAGNOSTICS -/* If DNSSEC validation is requested but the response is not -/* DNSSEC validated, dns_lookup() will send a one-time probe -/* query as configured with the \fBdnssec_probe\fR configuration -/* parameter, and will log a warning when the probe response -/* was not DNSSEC validated. -/* .PP /* dns_lookup() returns one of the following codes and sets the /* \fIwhy\fR argument accordingly: /* .IP DNS_OK @@ -469,7 +463,7 @@ */ #define XTRA_FLAGS (RES_USE_EDNS0 | RES_TRUSTAD) - if (DNS_WANT_DNSSEC_VALIDATION(flags)) + if (flags & RES_USE_DNSSEC) flags |= (RES_USE_EDNS0 | RES_TRUSTAD); /* @@ -516,8 +510,6 @@ _res.options |= saved_options; reply_header = (HEADER *) reply->buf; reply->rcode = reply_header->rcode; - if ((reply->dnssec_ad = !!reply_header->ad) != 0) - DNS_SEC_STATS_SET(DNS_SEC_FLAG_AVAILABLE); if (h_errno != 0) { if (why) vstring_sprintf(why, "Host or domain name not found. " 
@@ -569,8 +561,13 @@ /* * Initialize the reply structure. Some structure members are filled on - * the fly while the reply is being parsed. + * the fly while the reply is being parsed. Coerce AD bit to boolean. */ +#if RES_USE_DNSSEC != 0 + reply->dnssec_ad = (flags & RES_USE_DNSSEC) ? !!reply_header->ad : 0; +#else + reply->dnssec_ad = 0; +#endif SET_HAVE_DNS_REPLY_PACKET(reply, len); reply->query_start = reply->buf + sizeof(HEADER); reply->answer_start = 0; @@ -888,9 +885,7 @@ CORRUPT(DNS_RETRY); if ((status = dns_get_fixed(pos, &fixed)) != DNS_OK) CORRUPT(status); - if (strcmp(orig_name, ".") == 0 && *rr_name == 0) - /* Allow empty response name for root queries. */ ; - else if (!valid_rr_name(rr_name, "resource name", fixed.type, reply)) + if (!valid_rr_name(rr_name, "resource name", fixed.type, reply)) CORRUPT(DNS_INVAL); if (fqdn) vstring_strcpy(fqdn, rr_name); @@ -978,7 +973,7 @@ /* * The Linux resolver misbehaves when given an invalid domain name. */ - if (strcmp(name, ".") && !valid_hostname(name, DONT_GRIPE)) { + if (!valid_hostname(name, DONT_GRIPE)) { if (why) vstring_sprintf(why, "Name service error for %s: invalid host or domain name", @@ -1015,10 +1010,6 @@ (void) dns_get_answer(orig_name, &reply, T_SOA, rrlist, fqdn, cname, c_len, &maybe_secure); } - if (DNS_WANT_DNSSEC_VALIDATION(flags) - && !DNS_SEC_STATS_TEST(DNS_SEC_FLAG_AVAILABLE | \ - DNS_SEC_FLAG_DONT_PROBE)) - dns_sec_probe(flags); /* XXX Clobbers 'reply' */ return (status); } 
@@ -1028,10 +1019,6 @@ */ status = dns_get_answer(orig_name, &reply, type, rrlist, fqdn, cname, c_len, &maybe_secure); - if (DNS_WANT_DNSSEC_VALIDATION(flags) - && !DNS_SEC_STATS_TEST(DNS_SEC_FLAG_AVAILABLE | \ - DNS_SEC_FLAG_DONT_PROBE)) - dns_sec_probe(flags); /* XXX Clobbers 'reply' */ switch (status) { default: if (why) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.9/src/dns/dns_sec.c new/postfix-3.5.8/src/dns/dns_sec.c --- old/postfix-3.5.9/src/dns/dns_sec.c 2021-01-12 00:32:06.000000000 +0100 +++ new/postfix-3.5.8/src/dns/dns_sec.c 1970-01-01 01:00:00.000000000 +0100 
@@ -1,144 +0,0 @@ -/*++ -/* NAME -/* dns_sec 3 -/* SUMMARY -/* DNSSEC validation availability -/* SYNOPSIS -/* #include <dns.h> -/* -/* DNS_SEC_STATS_SET( -/* int flags) -/* -/* DNS_SEC_STATS_TEST( -/* int flags) -/* -/* void dns_sec_probe( -/* int rflags) -/* DESCRIPTION -/* This module maintains information about the availability of -/* DNSSEC validation, in global flags that summarize -/* process-lifetime history. -/* .IP DNS_SEC_FLAG_AVAILABLE -/* The process has received at least one DNSSEC validated -/* response to a query that requested DNSSEC validation. -/* .IP DNS_SEC_FLAG_DONT_PROBE -/* The process has sent a DNSSEC probe (see below), or DNSSEC -/* probing is disabled by configuration. -/* .PP -/* DNS_SEC_STATS_SET() sets one or more DNS_SEC_FLAG_* flags, -/* and DNS_SEC_STATS_TEST() returns non-zero if any of the -/* specified flags is set. -/* -/* dns_sec_probe() generates a query to the target specified -/* with the \fBdnssec_probe\fR configuration parameter. It -/* sets the DNS_SEC_FLAG_DONT_PROBE flag, and it calls -/* dns_lookup() which sets DNS_SEC_FLAG_AVAILABLE if it receives -/* a DNSSEC validated response. Preconditions: -/* .IP \(bu -/* The rflags argument must request DNSSEC validation (in the -/* same manner as dns_lookup() rflags argument). -/* .IP \(bu -/* The DNS_SEC_FLAG_AVAILABLE and DNS_SEC_FLAG_DONT_PROBE -/* flags must be false. -/* LICENSE -/* .ad -/* .fi -/* The Secure Mailer license must be distributed with this software. -/* AUTHOR(S) -/* Wietse Venema -/* Google, Inc. -/* 111 8th Avenue -/* New York, NY 10011, USA -/*--*/ - -#include <sys_defs.h> - - /* - * Utility library. - */ -#include <msg.h> -#include <mymalloc.h> -#include <split_at.h> -#include <vstring.h> - - /* - * Global library. - */ -#include <mail_params.h> - - /* - * DNS library. 
- */ -#include <dns.h> - -int dns_sec_stats; - -/* dns_sec_probe - send a probe to establish DNSSEC viability */ - -void dns_sec_probe(int rflags) -{ - const char myname[] = "dns_sec_probe"; - char *saved_dnssec_probe; - char *qname; - int qtype; - DNS_RR *rrlist = 0; - int dns_status; - VSTRING *why; - - /* - * Sanity checks. - */ - if (!DNS_WANT_DNSSEC_VALIDATION(rflags)) - msg_panic("%s: DNSSEC is not requested", myname); - if (DNS_SEC_STATS_TEST(DNS_SEC_FLAG_DONT_PROBE)) - msg_panic("%s: DNSSEC probe was already sent, or probing is disabled", - myname); - if (DNS_SEC_STATS_TEST(DNS_SEC_FLAG_AVAILABLE)) - msg_panic("%s: already have validated DNS response", myname); - - /* - * Don't recurse. - */ - DNS_SEC_STATS_SET(DNS_SEC_FLAG_DONT_PROBE); - - /* - * Don't probe. - */ - if (*var_dnssec_probe == 0) - return; - - /* - * Parse the probe spec. Format is type:resource. - */ - saved_dnssec_probe = mystrdup(var_dnssec_probe); - if ((qname = split_at(saved_dnssec_probe, ':')) == 0 || *qname == 0 - || (qtype = dns_type(saved_dnssec_probe)) == 0) - msg_fatal("malformed %s value: %s format is qtype:qname", - VAR_DNSSEC_PROBE, var_dnssec_probe); - - why = vstring_alloc(100); - dns_status = dns_lookup(qname, qtype, rflags, &rrlist, (VSTRING *) 0, why); - if (!DNS_SEC_STATS_TEST(DNS_SEC_FLAG_AVAILABLE)) - msg_warn("DNSSEC validation may be unavailable"); - else if (msg_verbose) - msg_info(VAR_DNSSEC_PROBE - " '%s' received a response that is DNSSEC validated", - var_dnssec_probe); - switch (dns_status) { - default: - if (!DNS_SEC_STATS_TEST(DNS_SEC_FLAG_AVAILABLE)) - msg_warn("reason: " VAR_DNSSEC_PROBE - " '%s' received a response that is not DNSSEC validated", - var_dnssec_probe); - if (rrlist) - dns_rr_free(rrlist); - break; - case DNS_RETRY: - case DNS_FAIL: - msg_warn("reason: " VAR_DNSSEC_PROBE " '%s' received no response: %s", - var_dnssec_probe, vstring_str(why)); - break; - } - myfree(saved_dnssec_probe); - vstring_free(why); -} diff -urN '--exclude=CVS' 
'--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.9/src/dns/test_dns_lookup.c new/postfix-3.5.8/src/dns/test_dns_lookup.c --- old/postfix-3.5.9/src/dns/test_dns_lookup.c 2021-01-16 17:24:08.000000000 +0100 +++ new/postfix-3.5.8/src/dns/test_dns_lookup.c 2016-02-22 00:06:59.000000000 +0100 @@ -77,9 +77,6 @@ int ch; int lflags = DNS_REQ_FLAG_NONE; - if (var_dnssec_probe == 0) - var_dnssec_probe = mystrdup(DEF_DNSSEC_PROBE); - msg_vstream_init(argv[0], VSTREAM_ERR); while ((ch = GETOPT(argc, argv, "f:npv")) > 0) { switch (ch) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.9/src/global/mail_params.c new/postfix-3.5.8/src/global/mail_params.c --- old/postfix-3.5.9/src/global/mail_params.c 2021-01-16 16:51:12.000000000 +0100 +++ new/postfix-3.5.8/src/global/mail_params.c 2020-05-13 01:32:37.000000000 +0200 @@ -152,8 +152,6 @@ /* char *var_maillog_file_comp; /* char *var_maillog_file_stamp; /* char *var_postlog_service; -/* -/* char *var_dnssec_probe; /* DESCRIPTION /* This module (actually the associated include file) defines /* the names and defaults of all mail configuration parameters. @@ -364,8 +362,6 @@ char *var_maillog_file_stamp; char *var_postlog_service; -char *var_dnssec_probe; - const char null_format_string[1] = ""; /* 
@@ -693,7 +689,6 @@ VAR_MAILLOG_FILE_COMP, DEF_MAILLOG_FILE_COMP, &var_maillog_file_comp, 1, 0, VAR_MAILLOG_FILE_STAMP, DEF_MAILLOG_FILE_STAMP, &var_maillog_file_stamp, 1, 0, VAR_POSTLOG_SERVICE, DEF_POSTLOG_SERVICE, &var_postlog_service, 1, 0, - VAR_DNSSEC_PROBE, DEF_DNSSEC_PROBE, &var_dnssec_probe, 0, 0, 0, }; static const CONFIG_BOOL_TABLE first_bool_defaults[] = { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.9/src/global/mail_params.h new/postfix-3.5.8/src/global/mail_params.h --- old/postfix-3.5.9/src/global/mail_params.h 2021-01-17 14:11:47.000000000 +0100 +++ new/postfix-3.5.8/src/global/mail_params.h 2020-05-09 17:51:27.000000000 +0200 @@ -1617,7 +1617,7 @@ /* SMTP only */ #define VAR_SMTP_TLS_INSECURE_MX_POLICY "smtp_tls_dane_insecure_mx_policy" -#define DEF_SMTP_TLS_INSECURE_MX_POLICY "${{$smtp_tls_security_level} == {dane} ? {dane} : {may}}" +#define DEF_SMTP_TLS_INSECURE_MX_POLICY "dane" extern char *var_smtp_tls_insecure_mx_policy; /* @@ -4202,13 +4202,6 @@ #define DEF_INFO_LOG_ADDR_FORM INFO_LOG_ADDR_FORM_NAME_EXTERNAL extern char *var_info_log_addr_form; - /* - * DNSSEC probing, to find out if DNSSEC validation is available. - */ -#define VAR_DNSSEC_PROBE "dnssec_probe" -#define DEF_DNSSEC_PROBE "ns:." -extern char *var_dnssec_probe; - /* LICENSE /* .ad /* .fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.9/src/global/mail_version.h new/postfix-3.5.8/src/global/mail_version.h --- old/postfix-3.5.9/src/global/mail_version.h 2021-01-17 16:23:45.000000000 +0100 +++ new/postfix-3.5.8/src/global/mail_version.h 2020-11-07 22:27:54.000000000 +0100 
@@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20210117" -#define MAIL_VERSION_NUMBER "3.5.9" +#define MAIL_RELEASE_DATE "20201107" +#define MAIL_VERSION_NUMBER "3.5.8" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.9/src/smtp/smtp.c new/postfix-3.5.8/src/smtp/smtp.c --- old/postfix-3.5.9/src/smtp/smtp.c 2021-01-16 17:30:07.000000000 +0100 +++ new/postfix-3.5.8/src/smtp/smtp.c 2020-03-08 15:53:22.000000000 +0100 @@ -330,12 +330,6 @@ /* .IP "\fBinfo_log_address_format (external)\fR" /* The email address form that will be used in non-debug logging /* (info, warning, etc.). -/* .PP -/* Available in Postfix 3.5.9 and later: -/* .IP "\fBdnssec_probe (ns:.)\fR" -/* The DNS query type (default: "ns") and DNS query name (default: -/* ".") that Postfix may use to determine whether DNSSEC validation -/* is available. /* MIME PROCESSING CONTROLS /* .ad /* .fi ++++++ postfix-SUSE.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-SUSE/config.postfix new/postfix-SUSE/config.postfix --- old/postfix-SUSE/config.postfix 2021-01-27 16:11:35.035521646 +0100 +++ new/postfix-SUSE/config.postfix 2019-08-09 16:49:41.000000000 +0200 @@ -12,7 +12,7 @@ if [ -d /run ]; then export RUN="/run" fi -DEF_DB_TYPE=$(/usr/sbin/postconf -h default_database_type) + cpifnewer(){ # remove files, that do no longer exist if [ -d $2 -a "$(echo $2/*)" != "$2/*" ]; then 
@@ -266,16 +266,16 @@ # Some default settings, that seem to be useable, at least to me $PCONF -e "mail_spool_directory = /var/mail" - $PCONF -e "canonical_maps = $DEF_DB_TYPE:/etc/postfix/canonical" + $PCONF -e "canonical_maps = hash:/etc/postfix/canonical" # virtual_alias_domains (default: $virtual_alias_maps) - #$PCONF -e "virtual_alias_domains = $DEF_DB_TYPE:/etc/postfix/virtual" - $PCONF -e "relocated_maps = $DEF_DB_TYPE:/etc/postfix/relocated" + #$PCONF -e "virtual_alias_domains = hash:/etc/postfix/virtual" + $PCONF -e "relocated_maps = hash:/etc/postfix/relocated" if [ "$(echo "$POSTFIX_TRANSPORT_MAPS" | tr 'A-Z' 'a-z' )" != "" ]; then $PCONF -e "transport_maps = $POSTFIX_TRANSPORT_MAPS" else - $PCONF -e "transport_maps = $DEF_DB_TYPE:/etc/postfix/transport" + $PCONF -e "transport_maps = hash:/etc/postfix/transport" fi - $PCONF -e "sender_canonical_maps = $DEF_DB_TYPE:/etc/postfix/sender_canonical" + $PCONF -e "sender_canonical_maps = hash:/etc/postfix/sender_canonical" $PCONF -e "masquerade_exceptions = root" $PCONF -e "masquerade_classes = envelope_sender, header_sender, header_recipient" if [ -n "${FQHOSTNAME}" ]; then @@ -428,7 +428,7 @@ case "$POSTFIX_BASIC_SPAM_PREVENTION" in medium) echo 1>&2 "Setting up medium SPAM protection..." - $PCONF -e "smtpd_sender_restrictions = $DEF_DB_TYPE:/etc/postfix/access, reject_unknown_sender_domain" + $PCONF -e "smtpd_sender_restrictions = hash:/etc/postfix/access, reject_unknown_sender_domain" if test -n "$POSTFIX_RBL_HOSTS"; then rblhosts=$(echo ${POSTFIX_RBL_HOSTS//,/ }) clnt_restrictions="" @@ -450,7 +450,7 @@ ;; hard) echo 1>&2 "Setting up hard SPAM protection..." - $PCONF -e "smtpd_sender_restrictions = $DEF_DB_TYPE:/etc/postfix/access, reject_unknown_sender_domain" + $PCONF -e "smtpd_sender_restrictions = hash:/etc/postfix/access, reject_unknown_sender_domain" if test -n "$POSTFIX_RBL_HOSTS"; then rblhosts=$(echo ${POSTFIX_RBL_HOSTS//,/ }) clnt_restrictions="" 
@@ -506,7 +506,7 @@ sender_restrictions=$(echo ${POSTFIX_SMTPD_SENDER_RESTRICTIONS/\ \+/,/ }) $PCONF -e "smtpd_sender_restrictions = $sender_restrictions" else - $PCONF -e "smtpd_sender_restrictions = $DEF_DB_TYPE:/etc/postfix/access, reject_unknown_sender_domain" + $PCONF -e "smtpd_sender_restrictions = hash:/etc/postfix/access, reject_unknown_sender_domain" fi if [ -n "$POSTFIX_SMTPD_RECIPIENT_RESTRICTIONS" ]; then rcpt_restrictions=$(echo ${POSTFIX_SMTPD_RECIPIENT_RESTRICTIONS/\ \+/,/ }) @@ -524,7 +524,7 @@ using \"off\" instead!" fi echo 1>&2 "Setting SPAM protection to \"off\"..." - $PCONF -e "smtpd_sender_restrictions = $DEF_DB_TYPE:/etc/postfix/access" + $PCONF -e "smtpd_sender_restrictions = hash:/etc/postfix/access" $PCONF -e "smtpd_client_restrictions =" $PCONF -e "smtpd_helo_required = no" $PCONF -e "smtpd_helo_restrictions =" @@ -536,7 +536,7 @@ if [ "$( echo "$POSTFIX_SMTP_AUTH" | tr 'A-Z' 'a-z' )" != "no" ]; then $PCONF -e "smtp_sasl_auth_enable = yes" $PCONF -e "smtp_sasl_security_options = $POSTFIX_SMTP_AUTH_OPTIONS" - $PCONF -e "smtp_sasl_password_maps = $DEF_DB_TYPE:/etc/postfix/sasl_passwd" + $PCONF -e "smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd" else $PCONF -e "smtp_sasl_auth_enable = no" $PCONF -e "smtp_sasl_security_options = " @@ -627,7 +627,7 @@ else $PCONF -e "smtpd_tls_key_file =" fi - $PCONF -e "relay_clientcerts = $DEF_DB_TYPE:/etc/postfix/relay_ccerts" + $PCONF -e "relay_clientcerts = hash:/etc/postfix/relay_ccerts" $PCONF -e "smtpd_tls_ask_ccert = yes" $PCONF -e "smtpd_tls_received_header = yes" touch -m -d "1 minute ago" $TMPDIR/main.cf 
@@ -681,11 +681,7 @@ else $PCONF -e "smtp_tls_key_file =" fi - if [ $DEF_DB_TYPE = "hash" ]; then - $PCONF -e "smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache" - else - $PCONF -e "smtp_tls_session_cache_database = $DEF_DB_TYPE:/var/lib/postfix/smtp_tls_session_cache" - fi + $PCONF -e "smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache" else $PCONF -e "smtp_tls_CAfile =" $PCONF -e "smtp_tls_CApath =" @@ -694,9 +690,9 @@ $PCONF -e "smtp_tls_session_cache_database =" fi - ALLMAPS="$DEF_DB_TYPE:/etc/aliases" + ALLMAPS="hash:/etc/aliases" for i in $(get_alias_maps); do - ALLMAPS="${ALLMAPS}, $DEF_DB_TYPE:$i" + ALLMAPS="${ALLMAPS}, hash:$i" done $PCONF -e "alias_maps = $ALLMAPS" @@ -734,8 +730,6 @@ my $pf_relay_domains = $ENV{POSTFIX_RELAY_DOMAINS}; -my $def_db_type = $ENV{DEF_DB_TYPE}; - open(MNCF,"<$mncf") || die "unable to open $mncf: $!"; while( <MNCF> ) { 
@@ -743,13 +737,13 @@ if( /\#?(virtual_alias_maps\s=\s).*/ ) { if ($with_mysql ne "yes" && $with_ldap ne "yes") { - $line = $1."$def_db_type:/etc/postfix/virtual"; + $line = $1."hash:/etc/postfix/virtual"; } elsif ($with_ldap eq "yes" && $with_mysql ne "yes") { - $line = $1."$def_db_type:/etc/postfix/virtual ldap:/etc/postfix/ldap_aliases.cf"; + $line = $1."hash:/etc/postfix/virtual ldap:/etc/postfix/ldap_aliases.cf"; } elsif ($with_mysql eq "yes" && $with_ldap ne "yes") { - $line = $1."$def_db_type:/etc/postfix/virtual mysql:/etc/postfix/mysql_virtual_alias_maps.cf mysql:/etc/postfix/mysql_virtual_alias_domain_maps.cf mysql:/etc/postfix/mysql_virtual_alias_domain_catchall_maps.cf"; + $line = $1."hash:/etc/postfix/virtual mysql:/etc/postfix/mysql_virtual_alias_maps.cf mysql:/etc/postfix/mysql_virtual_alias_domain_maps.cf mysql:/etc/postfix/mysql_virtual_alias_domain_catchall_maps.cf"; } elsif ($with_mysql eq "yes" && $with_ldap eq "yes") { - $line = $1."$def_db_type:/etc/postfix/virtual ldap:/etc/postfix/ldap_aliases.cf mysql:/etc/postfix/mysql_virtual_alias_maps.cf mysql:/etc/postfix/mysql_virtual_alias_domain_maps.cf mysql:/etc/postfix/mysql_virtual_alias_domain_catchall_maps.cf"; + $line = $1."hash:/etc/postfix/virtual ldap:/etc/postfix/ldap_aliases.cf mysql:/etc/postfix/mysql_virtual_alias_maps.cf mysql:/etc/postfix/mysql_virtual_alias_domain_maps.cf mysql:/etc/postfix/mysql_virtual_alias_domain_catchall_maps.cf"; } } elsif( /\#?(virtual_uid_maps\s=.*)/ ) { if ($with_mysql ne "yes") { 
@@ -825,9 +819,9 @@ } } elsif ( /^(relay_domains\s=\s).*/ ) { if ($with_mysql ne "yes") { - $line = $1."\$mydestination $def_db_type:/etc/postfix/relay $pf_relay_domains"; + $line = $1."\$mydestination hash:/etc/postfix/relay $pf_relay_domains"; } else { - $line = $1."\$mydestination $def_db_type:/etc/postfix/relay mysql:/etc/postfix/mysql_relay_domains_maps.cf $pf_relay_domains"; + $line = $1."\$mydestination hash:/etc/postfix/relay mysql:/etc/postfix/mysql_relay_domains_maps.cf $pf_relay_domains"; } } else { $line = $_; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-SUSE/sysconfig.postfix new/postfix-SUSE/sysconfig.postfix --- old/postfix-SUSE/sysconfig.postfix 2021-01-27 16:11:35.035521646 +0100 +++ new/postfix-SUSE/sysconfig.postfix 2019-03-25 18:13:09.000000000 +0100 @@ -186,15 +186,15 @@ ## Type: string ## Default: "" # Defaults by config.postfix: -# without MySQL: $mydestination lmdb:/etc/postfix/relay -# with MySQL: $mydestination lmdb:/etc/postfix/relay mysql:/etc/postfix/mysql_relay_domains_maps.cf +# without MySQL: $mydestination hash:/etc/postfix/relay +# with MySQL: $mydestination hash:/etc/postfix/relay mysql:/etc/postfix/mysql_relay_domains_maps.cf # # Here you can add further *maps.cf files if needed # POSTFIX_RELAY_DOMAINS="" ## Type: string -## Default: lmdb:/etc/postfix/transport +## Default: hash:/etc/postfix/transport # # The list of transport_maps postfix should look for # @@ -251,9 +251,9 @@ # # Example: # POSTFIX_SMTPD_CLIENT_RESTRICTIONS="permit_mynetworks, -# check_client_access lmdb:/etc/postfix/pop-before-smtp, -# check_client_access lmdb:/etc/postfix/relay, -# check_client_access lmdb:/etc/postfix/access, +# check_client_access hash:/etc/postfix/pop-before-smtp, +# check_client_access hash:/etc/postfix/relay, +# check_client_access hash:/etc/postfix/access, # reject_unknown_client_hostname, # reject_unauth_pipelining" # 
@@ -272,7 +272,7 @@ # # Example: # POSTFIX_SMTPD_HELO_RESTRICTIONS="permit_mynetworks, -# check_helo_access lmdb:/etc/postfix/helo_access, +# check_helo_access hash:/etc/postfix/helo_access, # reject_invalid_helo_hostname, # reject_non_fqdn_helo_hostname, # reject_unknown_helo_hostname, @@ -281,20 +281,20 @@ POSTFIX_SMTPD_HELO_RESTRICTIONS="" ## Type: string -## Default: "lmdb:/etc/postfix/access, reject_unknown_sender_domain" +## Default: "hash:/etc/postfix/access, reject_unknown_sender_domain" ## Config: postfix # # Fill "POSTFIX_SMTPD_SENDER_RESTRICTIONS" for completion of this RESTRICTION # # A comma or space separated list of restrictions # Note: if set to ... -# medium: "lmdb:/etc/postfix/access, reject_unknown_sender_domain" -# hard : "lmdb:/etc/postfix/access, reject_unknown_sender_domain" +# medium: "hash:/etc/postfix/access, reject_unknown_sender_domain" +# hard : "hash:/etc/postfix/access, reject_unknown_sender_domain" # # Example: # POSTFIX_SMTPD_SENDER_RESTRICTIONS=" -# check_sender_access lmdb:/etc/postfix/access, -# check_sender_a_access lmdb:/etc/postfix/access, +# check_sender_access hash:/etc/postfix/access, +# check_sender_a_access hash:/etc/postfix/access, # reject_non_fqdn_sender, # reject_unknown_sender_domain, # reject_unauth_pipelining" @@ -314,7 +314,7 @@ # # Example: # POSTFIX_SMTPD_RECIPIENT_RESTRICTIONS="permit_mynetworks, -# check_recipient_access lmdb:/etc/postfix/access, +# check_recipient_access hash:/etc/postfix/access, # reject_non_fqdn_recipient, # reject_unauth_destination, # reject_unknown_recipient_domain, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-SUSE/update_postmaps.systemd new/postfix-SUSE/update_postmaps.systemd --- old/postfix-SUSE/update_postmaps.systemd 2020-12-25 11:57:50.000000000 +0100 +++ new/postfix-SUSE/update_postmaps.systemd 2017-07-27 12:40:51.000000000 +0200 
@@ -4,7 +4,7 @@ # Author: Peter Varkoly # Please send feedback to http://www.suse.de/feedback/ # -# /usr/lib/postfix/systemd/update_postmaps +# /etc/postfix/system/update_postmaps # @@ -13,34 +13,22 @@ if [ -n "${POSTFIX_UPDATE_MAPS/[yY][Ee][Ss]/}" ]; then return fi -# find extension based on default database type -case $(postconf default_database_type) in - *hash) - e="db" - ;; - *lmdb) - e="lmdb" - ;; - *) - # not supported - return - ;; -esac # Update the postmaps for i in $POSTFIX_MAP_LIST; do p=${i#*:} [ x$p = x$i ] && p=644 m=/etc/postfix/${i%:*}; - d=$m.$e + d=$m.db if [ -e $m -a $m -nt $d ]; then postmap $m; fi chmod $p $d done for i in /etc/aliases /etc/aliases.d/*; do - m=${i%.$e} - d=$m.$e + m=${i/.db//} + d=$m.db if [ -e $m -a $m -nt $d ]; then postalias $m; fi done + ++++++ postfix-main.cf.patch ++++++ --- /var/tmp/diff_new_pack.QOL3vu/_old 2021-02-02 14:14:58.654294627 +0100 +++ /var/tmp/diff_new_pack.QOL3vu/_new 2021-02-02 14:14:58.654294627 +0100 
@@ -1,46 +1,8 @@ ---- conf/main.cf-orig 2020-11-26 19:22:10.273349060 +0100 -+++ conf/main.cf 2020-11-26 19:22:57.917974110 +0100 -@@ -278,7 +278,7 @@ - # - #mynetworks = 168.100.189.0/28, 127.0.0.0/8 - #mynetworks = $config_directory/mynetworks --#mynetworks = hash:/etc/postfix/network_table -+#mynetworks = lmdb:/etc/postfix/network_table - - # The relay_domains parameter restricts what destinations this system will - # relay mail to. See the smtpd_recipient_restrictions description in -@@ -343,7 +343,7 @@ - # In the left-hand side, specify an @domain.tld wild-card, or specify - # a user@domain.tld address. - # --#relay_recipient_maps = hash:/etc/postfix/relay_recipients -+#relay_recipient_maps = lmdb:/etc/postfix/relay_recipients - - # INPUT RATE CONTROL - # -@@ -398,8 +398,8 @@ - # "postfix reload" to eliminate the delay. - # - #alias_maps = dbm:/etc/aliases --#alias_maps = hash:/etc/aliases --#alias_maps = hash:/etc/aliases, nis:mail.aliases -+#alias_maps = lmdb:/etc/aliases -+#alias_maps = lmdb:/etc/aliases, nis:mail.aliases - #alias_maps = netinfo:/aliases - - # The alias_database parameter specifies the alias database(s) that -@@ -409,8 +409,8 @@ - # - #alias_database = dbm:/etc/aliases - #alias_database = dbm:/etc/mail/aliases --#alias_database = hash:/etc/aliases --#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases -+#alias_database = lmdb:/etc/aliases -+#alias_database = lmdb:/etc/aliases, lmdb:/opt/majordomo/aliases - - # ADDRESS EXTENSIONS (e.g., user+foo) - # -@@ -567,6 +567,7 @@ +Index: conf/main.cf +=================================================================== +--- conf/main.cf.orig ++++ conf/main.cf +@@ -567,6 +567,7 @@ unknown_local_recipient_reject_code = 55 # #smtpd_banner = $myhostname ESMTP $mail_name #smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) 
@@ -48,7 +10,7 @@ # PARALLEL DELIVERY TO THE SAME DESTINATION # -@@ -673,4 +674,140 @@ +@@ -673,4 +674,140 @@ sample_directory = # readme_directory: The location of the Postfix README files. # readme_directory = @@ -135,7 +97,7 @@ +smtp_tls_CApath = +smtp_tls_cert_file = +smtp_tls_key_file = -+#smtp_tls_policy_maps = lmdb:/etc/postfix/tls_policy ++#smtp_tls_policy_maps = hash:/etc/postfix/tls_policy +#smtp_tls_session_cache_timeout = 3600s +smtp_tls_session_cache_database = + @@ -151,9 +113,9 @@ +############################################################ +# Start MySQL from postfixwiki.org +############################################################ -+relay_domains = $mydestination, lmdb:/etc/postfix/relay ++relay_domains = $mydestination, hash:/etc/postfix/relay +#virtual_alias_domains = -+#virtual_alias_maps = lmdb:/etc/postfix/virtual ++#virtual_alias_maps = hash:/etc/postfix/virtual +#virtual_uid_maps = static:303 +#virtual_gid_maps = static:303 +#virtual_minimum_uid = 303 @@ -169,9 +131,9 @@ +#virtual_mailbox_limit_override = yes +### Needs Maildir++ compatible IMAP servers, like Courier-IMAP +#virtual_maildir_filter = yes -+#virtual_maildir_filter_maps = lmdb:/etc/postfix/vfilter ++#virtual_maildir_filter_maps = hash:/etc/postfix/vfilter +#virtual_maildir_limit_message = Sorry, the user's maildir has overdrawn his diskspace quota, please try again later. -+#virtual_maildir_limit_message_maps = lmdb:/etc/postfix/vmsg ++#virtual_maildir_limit_message_maps = hash:/etc/postfix/vmsg +#virtual_overquota_bounce = yes +#virtual_trash_count = yes +#virtual_trash_name = ".Trash"
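Review bot: In the `@@ -13,34 +13,22 @@` hunk of update_postmaps.systemd, the aliases loop's `m=${i/.db//}` does not strip a `.db` suffix. In bash this form replaces the first `.db` found anywhere in the path with `/`, so `/etc/aliases.d/foo.db` becomes `/etc/aliases.d/foo/` and `d` becomes `/etc/aliases.d/foo/.db`. Compiled files are then skipped only because `-e $m` happens to fail. Use `m=${i%.db}`, the same suffix-strip form as the removed `m=${i%.$e}`. The same hunk drops the `postconf default_database_type` case and hard-codes `d=$m.db`, so on a system whose default type is not `hash` the `-nt` test always fires and `chmod $p $d` targets a file that `postmap` never wrote. Either keep the type detection or guard the `chmod` with an existence test, and quote `$m`, `$d` and `$p`.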
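Review bot: In the sysconfig hunks (`@@ -272,7 +272,7 @@`, `@@ -281,20 +281,20 @@`, `@@ -314,7 +314,7 @@`), the `## Default:` line and the `medium:`/`hard :` notes for POSTFIX_SMTPD_SENDER_RESTRICTIONS now name `hash:/etc/postfix/access`, with nothing saying that the map type must be one the installed build supports. These strings are meant to be copied into smtpd restriction lists, where a table that cannot be opened gives a lookup failure instead of an access decision. Add a comment line telling the admin to check the type against `postconf -m` and to rebuild the table with `postmap` after changing it, so the documented default and the examples for the HELO and recipient restrictions are not taken as type-independent.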
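Review bot: In the `@@ -151,9 +113,9 @@` hunk of postfix-main.cf.patch, `+relay_domains = $mydestination, hash:/etc/postfix/relay` is the one uncommented setting in this block that points at a typed map, while the neighbouring `virtual_alias_maps`, `virtual_maildir_filter_maps` and `smtp_tls_policy_maps` lines stay commented. The shipped main.cf therefore depends on a compiled `/etc/postfix/relay.db` existing from the first start, and nothing visible in this patch shows that `relay` is in the list update_postmaps builds. Either confirm `relay` is in POSTFIX_MAP_LIST, or write the value as `$mydestination` only and leave the map as a commented example like the others. The line also sits under the banner "Start MySQL from postfixwiki.org", which does not describe a relay setting; a one-line comment above it stating what the table is for would help.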