Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package postfix for openSUSE:Factory checked in at 2021-02-01 13:25:26 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/postfix (Old) and /work/SRC/openSUSE:Factory/.postfix.new.28504 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "postfix" Mon Feb 1 13:25:26 2021 rev:196 rq:867220 version:3.5.9 Changes: -------- New Changes file: --- /dev/null 2021-01-11 18:20:20.070723563 +0100 +++ /work/SRC/openSUSE:Factory/.postfix.new.28504/postfix-bdb.changes 2021-02-01 13:25:44.753873497 +0100 
@@ -0,0 +1,5071 @@ +------------------------------------------------------------------- +Wed Jan 27 15:14:50 UTC 2021 - Peter Varkoly <varkoly@suse.com> + +- bsc#1180473 - [Build 20201230] postfix has invalid default config + Fixing config.postfix and sysconfig.postfix + +------------------------------------------------------------------- +Mon Jan 25 10:31:03 UTC 2021 - Paolo Stivanin <info@paolostivanin.com> + +- Update to 3.5.9: + * improves the reporting of DNSSEC problems that may affect + DANE security + +------------------------------------------------------------------- +Wed Jan 20 15:19:13 UTC 2021 - Peter Varkoly <varkoly@suse.com> + +- postfix-bdb-lmdb should provide postfix-lmdb + +------------------------------------------------------------------- +Tue Dec 8 13:36:35 UTC 2020 - Peter Varkoly <varkoly@suse.com> + +- bsc#1176650 L3: What is regularly triggering the "fillup" + command and changing modify-time of /etc/sysconfig/postfix? + o Remove miss placed fillup_only call from %verifyscript + +------------------------------------------------------------------- +Thu Nov 26 15:30:10 UTC 2020 - Peter Varkoly <varkoly@suse.com> + +- Remove Berkeley DB dependency (JIRA#SLE-12191) + The pacakges postfix is build without Berkely DB support. + lmdb will be used instead of BDB. + The pacakges postfix-bdb is build with Berkely DB support. + o add patch for main.cf for postfix-bdb package + postfix-bdb-main.cf.patch + +------------------------------------------------------------------- +Sun Nov 8 20:59:23 UTC 2020 - Michael Str��der <michael@stroeder.com> + +- Update to 3.5.8 + * The Postfix SMTP client inserted <CR><LF> into message headers longer + than $line_length_limit (default: 2048), causing all subsequent header + content to become message body content. + * The postscreen daemon did not save a copy of the + postscreen_dnsbl_reply_map lookup result. 
This has no effect when the + recommended texthash: look table is used, but it could result in stale + data with other lookup tables. + * After deleting a recipient with a Milter, the Postfix recipient + duplicate filter was not updated; the filter suppressed requests + to add the recipient back. + * Memory leak: the static: maps did not free their casefolding buffer. + * With "smtpd_tls_wrappermode = yes", the smtps service was waiting for a + TLS handshake, after processing an XCLIENT command. + * The smtp_sasl_mechanism_filter implementation ignored table lookup + errors, treating them as 'not found'. + * The code that looks for Delivered-To: headers ignored headers longer + than $line_length_limit (default: 2048). + +------------------------------------------------------------------- +Mon Aug 31 13:38:04 UTC 2020 - Michael Str��der <michael@stroeder.com> + +- Update to 3.5.7 + * Fixed random certificate verification failures with + "smtp_tls_connection_reuse = yes", because tlsproxy(8) was using + the wrong global TLS context for connections that use DANE or + non-DANE trust anchors. 
+ +------------------------------------------------------------------- +Tue Aug 25 13:54:40 UTC 2020 - Thorsten Kukuk <kukuk@suse.com> + +- Move ldap into an own sub-package like all other databases +- Move manual pages to correct sub-package + +------------------------------------------------------------------- +Fri Aug 21 08:44:22 UTC 2020 - Thorsten Kukuk <kukuk@suse.com> + +- Use sysusers.d to create system accounts +- Remove wrong %config for systemd directory content + +------------------------------------------------------------------- +Sun Aug 9 06:55:01 UTC 2020 - Arjen de Korte <suse+build@de-korte.org> + +- Use the correct signature file for source verification +- Rename postfix-3.5.6.tar.gz.sig to postfix-3.5.6.tar.gz.asc (to + prevent confusion, as the signature file from upstream with .sig + extension is incompatible with the build service) + +------------------------------------------------------------------- +Sun Jul 26 21:22:39 UTC 2020 - Michael Str��der <michael@stroeder.com> + +- Update to 3.5.6 with following fixes: + * Workaround for unexpected TLS interoperability problems when Postfix + runs on OS distributions with system-wide OpenSSL configurations. + * Memory leaks in the Postfix TLS library, the largest one + involving multiple kBytes per peer certificate. + +------------------------------------------------------------------- +Thu Jul 16 20:42:19 UTC 2020 - Arjen de Korte <suse+build@de-korte.org> + +- Add source verification (add postfix.keyring) + +------------------------------------------------------------------- +Fri Jul 3 14:06:53 UTC 2020 - Thorsten Kukuk <kukuk@suse.com> + +- Use systemd_ordering instead of systemd_require. +- Move /etc/postfix/system to /usr/lib/postfix/systemd [bsc#1173688] +- Drop /var/adm/SuSEconfig from %post, it does nothing. +- Rename postfix-SuSE to postfix-SUSE +- Delete postfix-SUSE/README.SuSE, company name spelled wrong, + completly outdated and not used. 
+- Delete postfix-SUSE/SPAMASSASSIN+POSTFIX.SuSE, company name + spelled wrong, outdated and not used. +- sysconfig.mail-postfix: Fix description of MAIL_CREATE_CONFIG, + SuSEconfig is gone since ages. +- update_chroot.systemd: Remove advice to run SuSEconfig. +- Remove rc.postfix, not used, outdated. +- mkpostfixcert: Remove advice to run SuSEconfig. + +------------------------------------------------------------------- +Mon Jun 29 18:44:13 UTC 2020 - Michael Str��der <michael@stroeder.com> + +- Update to 3.5.4: + * The connection_reuse attribute in smtp_tls_policy_maps always + resulted in an "invalid attribute name" error. + * SMTP over TLS connection reuse always failed for Postfix SMTP + client configurations that specify explicit trust anchors (remote + SMTP server certificates or public keys). + * The Postfix SMTP client's DANE implementation would always send + an SNI option with the name in a destination's MX record, even + if the MX record pointed to a CNAME record. MX records that + point to CNAME records are not conformant with RFC5321, and so + are rare. + Based on the DANE survey of ~2 million hosts it was found that + with the corrected SMTP client behavior, sending SNI with the + CNAME-expanded name, the SMTP server would not send a different + certificate. This fix should therefore be safe. + +------------------------------------------------------------------- +Mon Jun 15 16:09:57 UTC 2020 - Michael Str��der <michael@stroeder.com> + +- Update to 3.5.3: + * TLS handshake failure in the Postfix SMTP server during SNI + processing, after the server-side TLS engine sent a TLSv1.3 + HelloRetryRequest (HRR) to a remote SMTP client. + * The command "postfix tls deploy-server-cert" did not handle a + missing optional argument. This bug was introduced in Postfix + 3.1. 
+ +------------------------------------------------------------------- +Sun May 17 19:57:57 UTC 2020 - Michael Str��der <michael@stroeder.com> + +- Update to 3.5.2: + * A TLS error for a database client caused a false 'lost connection' + error for an SMTP over TLS session in the same Postfix process. + This bug was introduced with Postfix 2.2. + * The same bug existed in the tlsproxy(8) daemon, where a TLS + error for one TLS session could cause a false 'lost connection' + error for a concurrent TLS session in the same process. This + bug was introduced with Postfix 2.8. + * The Postfix build now disables DANE support on Linux systems + with libc-musl such as Alpine, because libc-musl provides no + indication whether DNS responses are authentic. This broke DANE + support without a clear explanation. + * Due to implementation changes in the ICU library, some Postfix + daemons reported file access errrors (U_FILE_ACCESS_ERROR) after + chroot(). This was fixed by initializing the ICU library before + making the chroot() call. + * Minor code changes to silence a compiler that special-cases + string literals. + * Segfault (null pointer) in the tlsproxy(8) client role when the + server role was disabled. This typically happened on systems + that do not receive mail, after configuring connection reuse + for outbound SMTP over TLS. + * The date portion of the maillog_file_rotate_suffix default value + used the minute (%M) instead of the month (%m). + +------------------------------------------------------------------- +Mon May 11 20:07:40 UTC 2020 - Arjen de Korte <suse+build@de-korte.org> + +- boo#1106004 fix incorrect locations for files in postfix-files + +------------------------------------------------------------------- +Sun Apr 19 10:22:12 UTC 2020 - Michael Str��der <michael@stroeder.com> + +- Dropped deprecated-RES_INSECURE1.patch to make DNSSEC-secured + lookups and DANE mail transport work again +- Update to 3.5.1: + * Support for the haproxy v2 protocol. 
The Postfix implementation + supports TCP over IPv4 and IPv6, as well as non-proxied + connections; the latter are typically used for heartbeat tests. + * Support to force-expire email messages. This introduces new + postsuper(1) command-line options to request expiration, and + additional information in mailq(1) or postqueue(1) output. + * The Postfix SMTP and LMTP client support a list of nexthop + destinations separated by comma or whitespace. These destinations + will be tried in the specified order. + * Incompatible changes: + * Logging: Postfix daemon processes now log the from= and to= ++++ 4874 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:Factory/.postfix.new.28504/postfix-bdb.changes --- /work/SRC/openSUSE:Factory/postfix/postfix.changes 2021-01-26 14:41:17.910934719 +0100 +++ /work/SRC/openSUSE:Factory/.postfix.new.28504/postfix.changes 2021-02-01 13:25:45.337874413 +0100 
@@ -1,0 +2,78 @@ +Wed Jan 27 15:14:50 UTC 2021 - Peter Varkoly <varkoly@suse.com> + +- bsc#1180473 - [Build 20201230] postfix has invalid default config + Fixing config.postfix and sysconfig.postfix + +------------------------------------------------------------------- +Mon Jan 25 10:28:26 UTC 2021 - Paolo Stivanin <info@paolostivanin.com> + +- Update to 3.5.9 + * improves the reporting of DNSSEC problems that may affect + DANE security + +------------------------------------------------------------------- +Thu Jan 7 12:26:08 UTC 2021 - Arjen de Korte <suse+build@de-korte.org> + +- Only do the conversion from the hash/btree databases to lmdb when + the default database type changes from hash to lmdb and do not + stop and start the service (the old compiled databases can live + together with the new ones) + - convert-bdb-to-lmdb.sh +- Clean up the specfile + * Remove < 1330 conditional builds + * Use generated postfix-files instead of the obsolete one from + postfix-SUSE.tar.gz + * Use dynamicmaps.cf.d instead of modifying dynamicmaps.cf upon + (de)installation of optional mysql, pgsql and ldap subpackages + * Use default location for post-install, postfix-tls-script, + postfix-wrapper and postmulti-script + +------------------------------------------------------------------- +Mon Jan 4 12:17:03 UTC 2021 - Peter Varkoly <varkoly@suse.com> + +- Set lmdb to be the default db. +- Convert btree tables to lmdb too. Stop postfix before converting from + bdb to lmdb +- This package is without bdb support. That's why convert must be done + without any suse release condition. 
+ o remove patch postfix-no-btree.patch + o add set-default-db-type.patch + +------------------------------------------------------------------- +Fri Dec 25 20:32:04 UTC 2020 - Arjen de Korte <suse+build@de-korte.org> + +- Set database type for address_verify_map and postscreen_cache_map + to lmdb (btree requires Berkeley DB) + o add postfix-no-btree.patch + +------------------------------------------------------------------- +Fri Dec 25 10:28:30 UTC 2020 - Arjen de Korte <suse+build@de-korte.org> + +- Set default database type to lmdb and fix update_postmaps script + +------------------------------------------------------------------- +Thu Dec 24 14:09:32 UTC 2020 - Arjen de Korte <suse+build@de-korte.org> + +- Use variable substition instead of sed to remove .db suffix and + substitute hash: for lmdb: in /etc/postfix/master.cf as well. + Check before substitution if there is something to do (to keep + rpmcheck happy). + +------------------------------------------------------------------- +Tue Dec 8 13:36:35 UTC 2020 - Peter Varkoly <varkoly@suse.com> + +- bsc#1176650 L3: What is regularly triggering the "fillup" + command and changing modify-time of /etc/sysconfig/postfix? + o Remove miss placed fillup_only call from %verifyscript + +------------------------------------------------------------------- +Thu Nov 26 15:30:10 UTC 2020 - Peter Varkoly <varkoly@suse.com> + +- Remove Berkeley DB dependency (JIRA#SLE-12191) + The pacakges postfix is build without Berkely DB support. + lmdb will be used instead of BDB. + The pacakges postfix-bdb is build with Berkely DB support. 
+ o add patch for main.cf for postfix-bdb package + postfix-bdb-main.cf.patch + +------------------------------------------------------------------- Old: ---- postfix-3.5.8.tar.gz postfix-3.5.8.tar.gz.asc New: ---- postfix-3.5.9.tar.gz postfix-3.5.9.tar.gz.asc postfix-bdb-main.cf.patch postfix-bdb.changes postfix-bdb.spec pre_checkin.sh set-default-db-type.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ postfix-bdb.spec ++++++ # # spec file for package postfix-bdb # # Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. 
# Please submit bugfixes or comments via https://bugs.opensuse.org/ # %define pf_docdir %{_docdir}/postfix-doc %define pf_config_directory %{_sysconfdir}/postfix %define pf_daemon_directory %{_prefix}/lib/postfix/bin/ %define _libexecdir %{_prefix}/lib %define pf_shlib_directory %{_prefix}/lib/postfix %define pf_command_directory %{_sbindir} %define pf_queue_directory var/spool/postfix %define pf_sendmail_path %{_sbindir}/sendmail %define pf_newaliases_path %{_bindir}/newaliases %define pf_mailq_path %{_bindir}/mailq %define pf_setgid_group maildrop %define pf_readme_directory %{_docdir}/postfix-doc/README_FILES %define pf_html_directory %{_docdir}/postfix-doc/html %define pf_sample_directory %{_docdir}/postfix-doc/samples %define pf_data_directory %{_localstatedir}/lib/postfix %if 0%{?suse_version} < 1330 %define pf_uid 51 %define pf_gid 51 %define maildrop_gid 59 %define vmusr vmail %define vmgid 303 %define vmid 303 %define vmdir /srv/maildirs %endif %define mail_group mail %define conf_backup_dir %{_localstatedir}/adm/backup/postfix %define unitdir %{_prefix}/lib/systemd #Compat macro for new _fillupdir macro introduced in Nov 2017 %if ! 
%{defined _fillupdir} %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif %if 0%{?suse_version} >= 1320 || ( 0%{?suse_version} == 1315 && 0%{?is_opensuse} ) %bcond_without lmdb %bcond_without libnsl %else %bcond_with lmdb %bcond_with libnsl %endif %bcond_without ldap Name: postfix-bdb Version: 3.5.9 Release: 0 Summary: A fast, secure, and flexible mailer License: IPL-1.0 OR EPL-2.0 Group: Productivity/Networking/Email/Servers URL: http://www.postfix.org Source0: http://cdn.postfix.johnriley.me/mirrors/postfix-release/official/postfix-%{version}.tar.gz Source1: http://cdn.postfix.johnriley.me/mirrors/postfix-release/official/postfix-%{version}.tar.gz.gpg2#/postfix-%{version}.tar.gz.asc Source2: postfix-SUSE.tar.gz Source3: postfix-mysql.tar.bz2 #Source4: http://cdn.postfix.johnriley.me/mirrors/postfix-release/wietse.pgp#/postfix.... Source4: postfix.keyring Source10: postfix-rpmlintrc Source11: check_mail_queue Source12: postfix-user.conf Source13: postfix-vmail-user.conf Patch1: postfix-no-md5.patch Patch2: pointer_to_literals.patch Patch3: ipv6_disabled.patch Patch4: postfix-bdb-main.cf.patch Patch5: postfix-master.cf.patch Patch6: postfix-linux45.patch Patch7: postfix-ssl-release-buffers.patch Patch8: postfix-vda-v14-3.0.3.patch Patch9: fix-postfix-script.patch Patch10: postfix-avoid-infinit-loop-if-no-permission.patch BuildRequires: ca-certificates BuildRequires: cyrus-sasl-devel BuildRequires: db-devel BuildRequires: diffutils BuildRequires: fdupes BuildRequires: libicu-devel BuildRequires: libopenssl-devel BuildRequires: m4 BuildRequires: mysql-devel %if %{with ldap} BuildRequires: openldap2-devel %endif BuildRequires: pcre-devel BuildRequires: pkgconfig BuildRequires: postgresql-devel BuildRequires: shadow BuildRequires: zlib-devel BuildRequires: pkgconfig(systemd) Requires: iproute2 Requires(post): permissions Requires(pre): %fillup_prereq Requires(pre): permissions Conflicts: exim Conflicts: sendmail Conflicts: postfix Provides: smtp_daemon 
%{?systemd_ordering} %if %{with lmdb} BuildRequires: lmdb-devel %endif %if %{with libnsl} BuildRequires: libnsl-devel %endif %if 0%{?suse_version} >= 1330 BuildRequires: sysuser-tools Requires: system-user-nobody Requires: group(%{mail_group}) Requires(pre): group(%{mail_group}) %sysusers_requires %else Requires(pre): shadow %endif %description Postfix aims to be an alternative to the widely-used sendmail program with bdb support %if %{with lmdb} %package lmdb Summary: Postfix plugin to support LMDB maps Group: Productivity/Networking/Email/Servers Requires(pre): postfix-bdb = %{version} Conflicts: postfix Provides: postfix-lmdb = %{version}-%{release} Obsoletes: postfix-lmdb < %{version}-%{release} Conflicts: postfix-lmdb < %{version}-%{release} %description lmdb Postfix plugin to support LMDB maps. This library will be loaded by starting postfix if you'll access a postmap which is stored in lmdb. %endif %prep %setup -n postfix-%{version} -a 2 -a 3 %patch1 %patch2 %patch3 %patch4 %patch5 %patch6 %patch7 %patch8 %patch9 %patch10 # --------------------------------------------------------------------------- %build unset AUXLIBS AUXLIBS_LDAP AUXLIBS_PCRE AUXLIBS_MYSQL AUXLIBS_PGSQL AUXLIBS_SQLITE AUXLIBS_CDB export CCARGS="${CCARGS} %{optflags} -fcommon -Wno-comments -Wno-missing-braces -fPIC" %ifarch s390 s390x ppc export CCARGS="${CCARGS} -fsigned-char" %endif # if pkg-config openssl ; then export CCARGS="${CCARGS} -DUSE_TLS $(pkg-config --cflags openssl)" export AUXLIBS="$AUXLIBS $(pkg-config --libs openssl)" else export CCARGS="${CCARGS} -DUSE_TLS" export AUXLIBS="${AUXLIBS} -lssl -lcrypto" fi # %if %{with ldap} export CCARGS="${CCARGS} -DHAS_LDAP -DLDAP_DEPRECATED=1 -DUSE_LDAP_SASL" export AUXLIBS_LDAP="-lldap -llber" %endif # export CCARGS="${CCARGS} -DHAS_PCRE" export AUXLIBS_PCRE="-lpcre" # export CCARGS="${CCARGS} -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I%{_includedir}/sasl" if pkg-config libsasl2 ; then export AUXLIBS="$AUXLIBS $(pkg-config --libs libsasl2)" else 
export AUXLIBS="$AUXLIBS -lsasl2" fi # export CCARGS="${CCARGS} -DHAS_MYSQL $(mysql_config --cflags)" export AUXLIBS_MYSQL="$(mysql_config --libs)" # if pkg-config --exists libpq ; then export CCARGS="${CCARGS} -DHAS_PGSQL $(pkg-config libpq --cflags)" export AUXLIBS_PGSQL="$(pkg-config libpq --libs)" else export CCARGS="${CCARGS} -DHAS_PGSQL -I$(pg_config --includedir)" export AUXLIBS_PGSQL="-lpq" fi # %if %{with lmdb} export CCARGS="${CCARGS} -DHAS_LMDB -I/usr/local/include" \ export AUXLIBS_LMDB="-llmdb" %endif # # TODO #export AUXLIBS_SQLITE #export AUXLIBS_CDB #export AUXLIBS_SDBM export PIE=-pie # using SHLIB_RPATH to specify unrelated linker flags, because LDFLAGS is # ignored make makefiles pie=yes shared=yes dynamicmaps=yes \ shlib_directory=%{_prefix}/lib/postfix \ meta_directory=%{_prefix}/lib/postfix \ config_directory=%{_sysconfdir}/postfix \ SHLIB_RPATH="-Wl,-rpath,%{pf_shlib_directory} -Wl,-z,relro,-z,now" make %{?_smp_mflags} %if 0%{?suse_version} >= 1330 # Create postfix user %sysusers_generate_pre %{SOURCE12} postfix %sysusers_generate_pre %{SOURCE13} vmail %endif # --------------------------------------------------------------------------- %install mkdir -p %{buildroot}/%{_libdir} mkdir -p %{buildroot}%{_sysconfdir}/postfix cp conf/* %{buildroot}%{_sysconfdir}/postfix # create our default postfix ssl DIR (/etc/postfix/ssl) mkdir -p %{buildroot}%{_sysconfdir}/postfix/ssl/certs # link cacerts to /etc/ssl/certs ln -sf ../../ssl/certs %{buildroot}%{_sysconfdir}/postfix/ssl/cacerts cp lib/libpostfix-* %{buildroot}/%{_libdir} export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:%{buildroot}/%{_libdir} sh postfix-install -non-interactive \ install_root=%{buildroot} \ config_directory=%{pf_config_directory} \ daemon_directory=%{pf_daemon_directory} \ command_directory=%{pf_command_directory} \ queue_directory=/%{pf_queue_directory} \ sendmail_path=%{pf_sendmail_path} \ newaliases_path=%{pf_newaliases_path} \ mailq_path=%{pf_mailq_path} \ manpage_directory=%{_mandir} 
\ setgid_group=%{pf_setgid_group} \ readme_directory=%{pf_readme_directory} \ data_directory=%{pf_data_directory} ln -sf ../sbin/sendmail %{buildroot}%{_libexecdir}/sendmail for i in qmqp-source smtp-sink smtp-source; do install -m 755 bin/$i %{buildroot}%{_sbindir}/$i done mkdir -p %{buildroot}/sbin/conf.d mkdir -p %{buildroot}%{_sysconfdir}/permissions.d mkdir -p %{buildroot}/%{_libdir}/sasl2 mkdir -p %{buildroot}%{_sbindir} mkdir -p %{buildroot}/%{conf_backup_dir} mkdir -p %{buildroot}/%{pf_sample_directory} mkdir -p %{buildroot}/%{pf_html_directory} mkdir -p %{buildroot}%{_includedir}/postfix mkdir -p %{buildroot}%{_sysconfdir}/pam.d install -m 644 postfix-SUSE/smtp %{buildroot}%{_sysconfdir}/pam.d/smtp mkdir -p %{buildroot}%{_fillupdir} sed -e 's;@lib@;%{_lib};g' postfix-SUSE/sysconfig.postfix > %{buildroot}%{_fillupdir}/sysconfig.postfix install -m 644 postfix-SUSE/sysconfig.mail-postfix %{buildroot}%{_fillupdir}/sysconfig.mail-postfix sed -e 's;@lib@;%{_lib};g' \ -e 's;@conf_backup_dir@;%{conf_backup_dir};' \ -e 's;@daemon_directory@;%{pf_daemon_directory};' \ -e 's;@readme_directory@;%{pf_readme_directory};' \ -e 's;@html_directory@;%{pf_html_directory};' \ -e 's;@sendmail_path@;%{pf_sendmail_path};' \ -e 's;@setgid_group@;%{pf_setgid_group};' \ -e 's;@manpage_directory@;%{_mandir};' \ -e 's;@newaliases_path@;%{pf_newaliases_path};' \ -e 's;@sample_directory@;%{pf_sample_directory};' \ -e 's;@mailq_path@;%{pf_mailq_path};' postfix-SUSE/config.postfix > %{buildroot}%{_sbindir}/config.postfix chmod 755 %{buildroot}%{_sbindir}/config.postfix install -m 644 postfix-SUSE/dynamicmaps.cf %{buildroot}%{_sysconfdir}/postfix/dynamicmaps.cf install -m 644 postfix-SUSE/ldap_aliases.cf %{buildroot}%{_sysconfdir}/postfix/ldap_aliases.cf install -m 644 postfix-SUSE/helo_access %{buildroot}%{_sysconfdir}/postfix/helo_access install -m 644 postfix-SUSE/permissions %{buildroot}%{_sysconfdir}/permissions.d/postfix install -m 644 postfix-SUSE/sender_canonical 
%{buildroot}%{_sysconfdir}/postfix/sender_canonical install -m 644 postfix-SUSE/relay %{buildroot}%{_sysconfdir}/postfix/relay install -m 644 postfix-SUSE/relay_ccerts %{buildroot}%{_sysconfdir}/postfix/relay_ccerts install -m 600 postfix-SUSE/sasl_passwd %{buildroot}%{_sysconfdir}/postfix/sasl_passwd mkdir -p %{buildroot}%{_sysconfdir}/sasl2 install -m 600 postfix-SUSE/smtpd.conf %{buildroot}%{_sysconfdir}/sasl2/smtpd.conf install -m 644 postfix-SUSE/openssl_postfix.conf.in %{buildroot}%{_sysconfdir}/postfix/openssl_postfix.conf.in install -m 755 postfix-SUSE/mkpostfixcert %{buildroot}%{_sbindir}/mkpostfixcert { cat<<EOF # # ----------------------------------------------------------------------- # NOTE: Many parameters have already been added to the end of this file # by config.postfix. So take care that you don't uncomment # and set a parameter without checking whether it has been added # to the end of this file. # ----------------------------------------------------------------------- # EOF cat conf/main.cf } > %{buildroot}%{_sysconfdir}/postfix/main.cf %{buildroot}%{_sbindir}/postconf -c %{buildroot}%{_sysconfdir}/postfix \ -e "manpage_directory = %{_mandir}" \ "setgid_group = %{pf_setgid_group}" \ "mailq_path = %{pf_mailq_path}" \ "newaliases_path = %{pf_newaliases_path}" \ "sendmail_path = %{pf_sendmail_path}" \ "readme_directory = %{pf_readme_directory}" \ "html_directory = %{pf_html_directory}" \ "sample_directory = %{pf_sample_directory}" \ "daemon_directory = %{pf_daemon_directory}" \ "smtpd_helo_required = yes" \ "smtpd_delay_reject = yes" \ "disable_vrfy_command = yes" \ 'smtpd_banner = $myhostname ESMTP' #Set Permissions install -m 644 postfix-SUSE/postfix-files %{buildroot}%{pf_shlib_directory}/postfix-files # create paranoid permissions file printf '%%-38s %%-18s %%s\n' %{_sbindir}/postdrop "root.%{pf_setgid_group}" "0755" >> %{buildroot}%{_sysconfdir}/permissions.d/postfix.paranoid printf '%%-38s %%-18s %%s\n' %{_sbindir}/postqueue 
"root.%{pf_setgid_group}" "0755" >> %{buildroot}%{_sysconfdir}/permissions.d/postfix.paranoid install -m 644 include/*.h %{buildroot}%{_includedir}/postfix/ # some rpmlint stuff # remove unneeded examples/chroot-setup for example in AIX42 BSDI* F* HPUX* IRIX* NETBSD1 NEXTSTEP3 OPENSTEP4 OSF1 Solaris*; do rm examples/chroot-setup/${example} done cp -a examples/* %{buildroot}%{pf_sample_directory} cp -a html/* %{buildroot}%{pf_html_directory} cp -a auxiliary %{buildroot}%{pf_docdir} rm %{buildroot}%{pf_docdir}/README_FILES/INSTALL # Fix build for Leap 42.3. rm -f %{buildroot}%{_sysconfdir}/postfix/*.orig mkdir -p %{buildroot}%{_unitdir} mkdir -p %{buildroot}%{pf_shlib_directory}/systemd install -m 0644 postfix-SUSE/postfix.service %{buildroot}%{_unitdir}/postfix.service install -m 0755 postfix-SUSE/config_postfix.systemd %{buildroot}%{pf_shlib_directory}/systemd/config_postfix install -m 0755 postfix-SUSE/update_chroot.systemd %{buildroot}%{pf_shlib_directory}/systemd/update_chroot install -m 0755 postfix-SUSE/update_postmaps.systemd %{buildroot}%{pf_shlib_directory}/systemd/update_postmaps install -m 0755 postfix-SUSE/wait_qmgr.systemd %{buildroot}%{pf_shlib_directory}/systemd/wait_qmgr install -m 0755 postfix-SUSE/cond_slp.systemd %{buildroot}%{pf_shlib_directory}/systemd/cond_slp ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rcpostfix %fdupes %{buildroot}%{pf_docdir} %fdupes %{buildroot}%{_mandir} for path in %{buildroot}%{pf_shlib_directory}/libpostfix-*.so do test -e "$path" || continue name=${path##*/} cmp "$path" %{buildroot}%{_libdir}/$name || continue rm -vf $path ln -sf %{_libdir}/$name $path done # --------------------------------------------------------------------------- install -m 755 %{SOURCE11} %{buildroot}%{_sbindir}/ %if 0%{?suse_version} >= 1330 mkdir -p %{buildroot}%{_sysusersdir} install -m 644 %{SOURCE12} %{buildroot}%{_sysusersdir}/ install -m 644 %{SOURCE13} %{buildroot}%{_sysusersdir}/ %endif #Clean up for postfix-bdb rm -rf 
%{buildroot}/etc/postfix/ldap_aliases.cf rm -rf %{buildroot}/usr/lib/debug/usr/lib/postfix/postfix-ldap.so-3.5.8-2.11.1.x86_64.debug rm -rf %{buildroot}/usr/lib/debug/usr/lib/postfix/postfix-mysql.so-3.5.8-2.11.1.x86_64.debug rm -rf %{buildroot}/usr/lib/debug/usr/lib/postfix/postfix-pgsql.so-3.5.8-2.11.1.x86_64.debug rm -rf %{buildroot}/usr/lib/postfix/postfix-ldap.so rm -rf %{buildroot}/usr/lib/postfix/postfix-mysql.so rm -rf %{buildroot}/usr/lib/postfix/postfix-pgsql.so rm -rf %{buildroot}/usr/lib/sysusers.d/postfix-vmail-user.conf rm -rf %{buildroot}/usr/share/doc/packages/postfix-doc/ rm -rf %{buildroot}/%{_includedir}/postfix/ %if 0%{?suse_version} >= 1330 %pre -f postfix.pre %else %pre getent group postfix >/dev/null || groupadd -g %{pf_gid} -o -r postfix getent group maildrop >/dev/null || groupadd -g %{maildrop_gid} -o -r maildrop getent passwd postfix >/dev/null || useradd -r -o -g postfix -u %{pf_uid} -s /bin/false -c "Postfix Daemon" -d /%{pf_queue_directory} postfix usermod -a -G %{maildrop_gid},%{mail_group} postfix %endif %service_add_pre postfix.service VERSIONTEST=$(test -x usr/sbin/postconf && usr/sbin/postconf proxy_read_maps 2>/dev/null || :) if [ -z "$VERSIONTEST" -a -f %{pf_queue_directory}/pid/master.pid ]; then if checkproc -p %{pf_queue_directory}/pid/master.pid usr/lib/postfix/master; then echo "postfix is still running. You have to stop postfix in order to" echo "install a newer version." exit 1 fi fi # --------------------------------------------------------------------------- %preun %stop_on_removal postfix %service_del_preun postfix.service # --------------------------------------------------------------------------- %post # We never have to run suseconfig for postfix after installation # We only start postfix own upgrade-configuration by update if [ ${1:-0} -gt 1 ]; then touch %{_localstatedir}/adm/postfix.configured echo "Executing upgrade-configuration." 
%{_sbindir}/postfix set-permissions upgrade-configuration setgid_group=%{pf_setgid_group} || : if [ "$(%{_sbindir}/postconf -h daemon_directory)" != "%{pf_daemon_directory}" ]; then %{_sbindir}/postconf daemon_directory=%{pf_daemon_directory} fi fi %service_add_post postfix.service %set_permissions %{_sbindir}/postqueue %set_permissions %{_sbindir}/postdrop %set_permissions %{_sysconfdir}/postfix/sasl_passwd %set_permissions %{_sbindir}/sendmail %{fillup_only postfix} %{fillup_only -an mail} /sbin/ldconfig %verifyscript %verify_permissions -e %{_sbindir}/postqueue %verify_permissions -e %{_sbindir}/postdrop %verify_permissions -e %{_sysconfdir}/postfix/sasl_passwd %verify_permissions -e %{_sbindir}/sendmail %postun %service_del_postun postfix.service /sbin/ldconfig # --------------------------------------------------------------------------- %files %license LICENSE %config %{_sysconfdir}/pam.d/* %{_fillupdir}/sysconfig.postfix %{_fillupdir}/sysconfig.mail-postfix %{_sbindir}/config.postfix %dir %{_sysconfdir}/postfix %config %{_sysconfdir}/postfix/main.cf.default %config(noreplace) %{_sysconfdir}/postfix/[^mysql]*[^mysql] %config(noreplace) %{_sysconfdir}/postfix/access %config(noreplace) %{_sysconfdir}/postfix/aliases %config(noreplace) %{_sysconfdir}/postfix/canonical %config(noreplace) %{_sysconfdir}/postfix/header_checks %config(noreplace) %{_sysconfdir}/postfix/helo_access %config(noreplace) %{_sysconfdir}/postfix/main.cf %config(noreplace) %{_sysconfdir}/postfix/master.cf %attr(0750,root,root) %config %{_sysconfdir}/postfix/post-install %attr(0750,root,root) %config %{_sysconfdir}/postfix/postfix-tls-script %attr(0750,root,root) %config %{_sysconfdir}/postfix/postfix-wrapper %attr(0750,root,root) %config %{_sysconfdir}/postfix/postmulti-script %config(noreplace) %{_sysconfdir}/postfix/postfix-files %config(noreplace) %{_sysconfdir}/postfix/relay %config(noreplace) %{_sysconfdir}/postfix/relay_ccerts %config(noreplace) %{_sysconfdir}/postfix/sasl_passwd 
%config(noreplace) %{_sysconfdir}/postfix/sender_canonical %config(noreplace) %{_sysconfdir}/postfix/virtual %dir %{_sysconfdir}/sasl2 %config(noreplace) %{_sysconfdir}/sasl2/smtpd.conf %config %{_sysconfdir}/postfix/LICENSE %config %{_sysconfdir}/postfix/TLS_LICENSE %config %{_sysconfdir}/permissions.d/postfix %config %{_sysconfdir}/permissions.d/postfix.paranoid %attr(0644, root, root) %config %{_sysconfdir}/postfix/makedefs.out %{pf_shlib_directory}/postfix-files # create our default postfix ssl DIR (/etc/postfix/ssl) %dir %{_sysconfdir}/postfix/ssl %dir %{_sysconfdir}/postfix/ssl/certs %{_sysconfdir}/postfix/ssl/cacerts %dir %{pf_shlib_directory}/systemd %attr(0755,root,root) %{pf_shlib_directory}/systemd/* %{_unitdir}/postfix.service %verify(not mode) %attr(2755,root,%{pf_setgid_group}) %{_sbindir}/postdrop %verify(not mode) %attr(2755,root,%{pf_setgid_group}) %{_sbindir}/postqueue %{_bindir}/mailq %{_bindir}/newaliases %attr(0755,root,root) %{_sbindir}/sendmail %attr(0755,root,root) %{_sbindir}/postalias %attr(0755,root,root) %{_sbindir}/postcat %attr(0755,root,root) %{_sbindir}/postconf %attr(0755,root,root) %{_sbindir}/postfix %attr(0755,root,root) %{_sbindir}/postkick %attr(0755,root,root) %{_sbindir}/postlock %attr(0755,root,root) %{_sbindir}/postlog %attr(0755,root,root) %{_sbindir}/postmap %attr(0755,root,root) %{_sbindir}/postmulti %attr(0755,root,root) %{_sbindir}/postsuper %attr(0755,root,root) %{_sbindir}/qmqp-source %attr(0755,root,root) %{_sbindir}/smtp-sink %attr(0755,root,root) %{_sbindir}/smtp-source %attr(0755,root,root) %{_sbindir}/mkpostfixcert %attr(0755,root,root) %{_sbindir}/check_mail_queue %attr(0755,root,root) %{_sbindir}/config.postfix %{_sbindir}/rcpostfix %{_libdir}/lib* %{_libexecdir}/sendmail %dir %{pf_shlib_directory} %{pf_shlib_directory}/*[^.so] %{pf_shlib_directory}/postfix-pcre.so %{pf_shlib_directory}/libpostfix-dns.so %{pf_shlib_directory}/libpostfix-global.so %{pf_shlib_directory}/libpostfix-master.so 
%{pf_shlib_directory}/libpostfix-tls.so %{pf_shlib_directory}/libpostfix-util.so %{pf_shlib_directory}/main.cf.proto %{pf_shlib_directory}/master.cf.proto %{conf_backup_dir} %dir %attr(0700,postfix,root) %{pf_data_directory} %exclude %{_mandir}/man5/ldap_table.5* %exclude %{_mandir}/man5/lmdb_table.5* %exclude %{_mandir}/man5/mysql_table.5* %exclude %{_mandir}/man5/pgsql_table.5* %{_mandir}/man?/*%{?ext_man} %dir %attr(0755,root,root) /%{pf_queue_directory} %dir %attr(0700,postfix,root) /%{pf_queue_directory}/active %dir %attr(0700,postfix,root) /%{pf_queue_directory}/bounce %dir %attr(0700,postfix,root) /%{pf_queue_directory}/corrupt %dir %attr(0700,postfix,root) /%{pf_queue_directory}/defer %dir %attr(0700,postfix,root) /%{pf_queue_directory}/deferred %dir %attr(0700,postfix,root) /%{pf_queue_directory}/flush %dir %attr(0700,postfix,root) /%{pf_queue_directory}/hold %dir %attr(0700,postfix,root) /%{pf_queue_directory}/incoming %dir %attr(0700,postfix,root) /%{pf_queue_directory}/private %dir %attr(0700,postfix,root) /%{pf_queue_directory}/saved %dir %attr(0700,postfix,root) /%{pf_queue_directory}/trace %dir %attr(0730,postfix,maildrop) /%{pf_queue_directory}/maildrop %dir %attr(0710,postfix,maildrop) /%{pf_queue_directory}/public %if 0%{?suse_version} >= 1330 %{_sysusersdir}/postfix-user.conf %endif %if %{with lmdb} %files lmdb %{pf_shlib_directory}/postfix-lmdb.so %{_mandir}/man5/lmdb_table.5%{?ext_man} %endif %changelog ++++++ postfix.spec ++++++ --- /var/tmp/diff_new_pack.E1P2gB/_old 2021-02-01 13:25:46.497876232 +0100 +++ /var/tmp/diff_new_pack.E1P2gB/_new 2021-02-01 13:25:46.501876239 +0100 
@@ -31,15 +31,7 @@ %define pf_html_directory %{_docdir}/%{name}-doc/html %define pf_sample_directory %{_docdir}/%{name}-doc/samples %define pf_data_directory %{_localstatedir}/lib/%{name} -%if 0%{?suse_version} < 1330 -%define pf_uid 51 -%define pf_gid 51 -%define maildrop_gid 59 -%define vmusr vmail -%define vmgid 303 -%define vmid 303 -%define vmdir /srv/maildirs -%endif +%define pf_database_convert %{_rundir}/%{name}-needs-convert %define mail_group mail %define conf_backup_dir %{_localstatedir}/adm/backup/%{name} %define unitdir %{_prefix}/lib/systemd @@ -47,16 +39,10 @@ %if ! %{defined _fillupdir} %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif -%if 0%{?suse_version} >= 1320 || ( 0%{?suse_version} == 1315 && 0%{?is_opensuse} ) -%bcond_without lmdb %bcond_without libnsl -%else -%bcond_with lmdb -%bcond_with libnsl -%endif %bcond_without ldap Name: postfix -Version: 3.5.8 +Version: 3.5.9 Release: 0 Summary: A fast, secure, and flexible mailer License: IPL-1.0 OR EPL-2.0 @@ -82,9 +68,10 @@ Patch8: %{name}-vda-v14-3.0.3.patch Patch9: fix-postfix-script.patch Patch10: %{name}-avoid-infinit-loop-if-no-permission.patch +Patch11: set-default-db-type.patch BuildRequires: ca-certificates BuildRequires: cyrus-sasl-devel -BuildRequires: db-devel +#BuildRequires: db-devel BuildRequires: diffutils BuildRequires: fdupes BuildRequires: libicu-devel @@ -94,6 +81,7 @@ %if %{with ldap} BuildRequires: openldap2-devel %endif +BuildRequires: lmdb-devel BuildRequires: pcre-devel BuildRequires: pkgconfig BuildRequires: postgresql-devel 
@@ -106,23 +94,19 @@ Requires(pre): permissions Conflicts: exim Conflicts: sendmail +Conflicts: postfix-bdb +Provides: postfix-lmdb = %{version}-%{release} +Obsoletes: postfix-lmdb < %{version}-%{release} Provides: smtp_daemon %{?systemd_ordering} -%if %{with lmdb} -BuildRequires: lmdb-devel -%endif %if %{with libnsl} BuildRequires: libnsl-devel %endif -%if 0%{?suse_version} >= 1330 BuildRequires: sysuser-tools Requires: system-user-nobody Requires: group(%{mail_group}) Requires(pre): group(%{mail_group}) %sysusers_requires -%else -Requires(pre): shadow -%endif %description Postfix aims to be an alternative to the widely-used sendmail program. @@ -148,11 +132,7 @@ Summary: Postfix plugin to support MySQL maps Group: Productivity/Networking/Email/Servers Requires(pre): %{name} = %{version} -%if 0%{?suse_version} >= 1330 %sysusers_requires -%else -Requires(pre): shadow -%endif %description mysql Postfix plugin to support MySQL maps. This library will be loaded by @@ -180,18 +160,6 @@ maps with Postfix, you need this. %endif -%if %{with lmdb} -%package lmdb -Summary: Postfix plugin to support LMDB maps -Group: Productivity/Networking/Email/Servers -Requires(pre): %{name} = %{version} - -%description lmdb -Postfix plugin to support LMDB maps. This library will be loaded -by starting %{name} if you'll access a postmap which is stored in -PostgreSQL. -%endif - %prep %setup -q -a 2 -a 3 %patch1 @@ -204,6 +172,7 @@ %patch8 %patch9 %patch10 +%patch11 # --------------------------------------------------------------------------- @@ -249,15 +218,15 @@ export AUXLIBS_PGSQL="-lpq" fi # -%if %{with lmdb} export CCARGS="${CCARGS} -DHAS_LMDB -I/usr/local/include" \ export AUXLIBS_LMDB="-llmdb" -%endif # # TODO #export AUXLIBS_SQLITE #export AUXLIBS_CDB #export AUXLIBS_SDBM +# Remove berkeley DB and set lmdb as default +export CCARGS="${CCARGS} -DNO_DB -DDEF_DB_TYPE=\\\"lmdb\\\"" export PIE=-pie # using SHLIB_RPATH to specify unrelated linker flags, because LDFLAGS is 
@@ -268,17 +237,14 @@ config_directory=%{_sysconfdir}/%{name} \ SHLIB_RPATH="-Wl,-rpath,%{pf_shlib_directory} -Wl,-z,relro,-z,now" make %{?_smp_mflags} -%if 0%{?suse_version} >= 1330 # Create postfix user %sysusers_generate_pre %{SOURCE12} postfix %sysusers_generate_pre %{SOURCE13} vmail -%endif # --------------------------------------------------------------------------- %install mkdir -p %{buildroot}/%{_libdir} mkdir -p %{buildroot}%{_sysconfdir}/%{name} -cp conf/* %{buildroot}%{_sysconfdir}/%{name} # create our default postfix ssl DIR (/etc/postfix/ssl) mkdir -p %{buildroot}%{_sysconfdir}/%{name}/ssl/certs # link cacerts to /etc/ssl/certs @@ -327,7 +293,6 @@ -e 's;@sample_directory@;%{pf_sample_directory};' \ -e 's;@mailq_path@;%{pf_mailq_path};' %{name}-SUSE/config.%{name} > %{buildroot}%{_sbindir}/config.%{name} chmod 755 %{buildroot}%{_sbindir}/config.%{name} -install -m 644 %{name}-SUSE/dynamicmaps.cf %{buildroot}%{_sysconfdir}/%{name}/dynamicmaps.cf install -m 644 %{name}-SUSE/ldap_aliases.cf %{buildroot}%{_sysconfdir}/%{name}/ldap_aliases.cf install -m 644 %{name}-SUSE/helo_access %{buildroot}%{_sysconfdir}/%{name}/helo_access install -m 644 %{name}-SUSE/permissions %{buildroot}%{_sysconfdir}/permissions.d/%{name} @@ -367,7 +332,15 @@ "disable_vrfy_command = yes" \ 'smtpd_banner = $myhostname ESMTP' #Set Permissions -install -m 644 %{name}-SUSE/%{name}-files %{buildroot}%{pf_shlib_directory}/%{name}-files +sed -i -e 's/\(.*ldap.*\)/#\1/g' \ + -e 's/\(.*mysql.*\)/#\1/g' \ + -e 's/\(.*pgsql.*\)/#\1/g' \ + -e 's/\(.*LICENSE.*\)/#\1/g' \ + -e '/html_directory/d' \ + -e '/manpage_directory/d' \ + -e '/readme_directory/d' \ + %{buildroot}%{pf_shlib_directory}/postfix-files +mkdir -p %{buildroot}%{pf_shlib_directory}/postfix-files.d # postfix-mysql install -m 644 %{name}-mysql/main.cf-mysql %{buildroot}%{_sysconfdir}/%{name}/main.cf-mysql install -m 640 %{name}-mysql/*_maps.cf %{buildroot}%{_sysconfdir}/%{name}/ 
@@ -405,97 +378,46 @@ rm -vf $path ln -sf %{_libdir}/$name $path done -# --------------------------------------------------------------------------- + +# create dynamicmaps.cf.d entries for optional modules +sed -n -e '/^#/p' -e '/mysql/p' %{buildroot}%{pf_shlib_directory}/dynamicmaps.cf > %{buildroot}%{pf_shlib_directory}/dynamicmaps.cf.d/%{name}-mysql.cf +sed -i -e '/mysql/d' %{buildroot}%{pf_shlib_directory}/dynamicmaps.cf +sed -n -e '/^#/p' -e '/pgsql/p' %{buildroot}%{pf_shlib_directory}/dynamicmaps.cf > %{buildroot}%{pf_shlib_directory}/dynamicmaps.cf.d/%{name}-pgsql.cf +sed -i -e '/pgsql/d' %{buildroot}%{pf_shlib_directory}/dynamicmaps.cf +%if %{with ldap} +sed -n -e '/^#/p' -e "/ldap/p" %{buildroot}%{pf_shlib_directory}/dynamicmaps.cf > %{buildroot}%{pf_shlib_directory}/dynamicmaps.cf.d/%{name}-ldap.cf +sed -i -e '/ldap/d' %{buildroot}%{pf_shlib_directory}/dynamicmaps.cf +%endif + install -m 755 %{SOURCE11} %{buildroot}%{_sbindir}/ -%if 0%{?suse_version} >= 1330 mkdir -p %{buildroot}%{_sysusersdir} install -m 644 %{SOURCE12} %{buildroot}%{_sysusersdir}/ install -m 644 %{SOURCE13} %{buildroot}%{_sysusersdir}/ -%endif - -%if 0%{?suse_version} >= 1330 -%pre -f postfix.pre -%else -%pre -getent group %{name} >/dev/null || groupadd -g %{pf_gid} -o -r %{name} -getent group maildrop >/dev/null || groupadd -g %{maildrop_gid} -o -r maildrop -getent passwd %{name} >/dev/null || useradd -r -o -g %{name} -u %{pf_uid} -s /bin/false -c "Postfix Daemon" -d /%{pf_queue_directory} %{name} -usermod -a -G %{maildrop_gid},%{mail_group} %{name} -%endif -%service_add_pre %{name}.service - -VERSIONTEST=$(test -x usr/sbin/postconf && usr/sbin/postconf proxy_read_maps 2>/dev/null || :) -if [ -z "$VERSIONTEST" -a -f %{pf_queue_directory}/pid/master.pid ]; then - if checkproc -p %{pf_queue_directory}/pid/master.pid usr/lib/%{name}/master; then - echo "%{name} is still running. You have to stop %{name} in order to" - echo "install a newer version." 
- exit 1 - fi -fi # --------------------------------------------------------------------------- -%if 0%{?suse_version} >= 1330 -%pre mysql -f vmail.pre -%else -%pre mysql -#echo "PARAM_pre: "$1 -# on `rpm -ivh` PARAM is 1 -# on `rpm -Uvh` PARAM is 2 -if [ "$1" = "1" ]; then - echo "Adding %{vmusr} user" - if [ -z "`getent group %{vmusr} 2>/dev/null`" ]; then - groupadd -r -g %{vmgid} %{vmusr} - fi - if [ -z "`getent passwd %{vmusr} 2>/dev/null`" ]; then - useradd -c "maildirs chef" -d %{vmdir} -g %{vmusr} -u %{vmid} -r -s /bin/false %{vmusr} - fi +%pre -f postfix.pre +# If existing default database type is hash, we need to convert the +# databases because hash (and btree) is no longer supported after +# the upgrade +if [ -x %{_sbindir}/postconf ]; then + DEF_DB_TYPE=$(postconf default_database_type) + case $DEF_DB_TYPE in *hash) + touch %{pf_database_convert} + esac fi -%endif -# --------------------------------------------------------------------------- +%service_add_pre %{name}.service %preun -%stop_on_removal %{name} %service_del_preun %{name}.service -# --------------------------------------------------------------------------- - -%preun mysql -#echo "PARAM_preun: "$1 -# on `rpm -e` PARAM is 0 -if [ "$1" = "0" ]; then - FILE=etc/%{name}/dynamicmaps.cf - if [ -e "$FILE" ] ; then - if grep -q "^mysql[[:space:]]" ${FILE}; then - echo "Removing mysql map entry from ${FILE}" - sed "/^mysql[[:space:]]/d" ${FILE} > ${FILE}.$$ && \ - cp --remove-destination ${FILE}.$$ ${FILE} && \ - rm ${FILE}.$$ - fi - else - echo "Can not find \"$FILE\". Not updating the file." 
>&2 - fi -fi -# --------------------------------------------------------------------------- - -%preun postgresql -if [ "$1" = 0 ] ; then - FILE=etc/%{name}/dynamicmaps.cf - if [ -e "$FILE" ] ; then - if grep -q "^pgsql[[:space:]]" ${FILE}; then - echo "Removing pgsql map entry from ${FILE}" - sed "/^pgsql[[:space:]]/d" ${FILE} > ${FILE}.$$ && \ - cp --remove-destination ${FILE}.$$ ${FILE} && \ - rm ${FILE}.$$ - fi - else - echo "Can not find \"$FILE\". Not updating the file." >&2 - fi -fi -# --------------------------------------------------------------------------- %post # We never have to run suseconfig for postfix after installation # We only start postfix own upgrade-configuration by update +# +# If the default database type of the previous installation was +# hash, we also need to rebuild the databases in the new lmdb +# format if [ ${1:-0} -gt 1 ]; then touch %{_localstatedir}/adm/%{name}.configured echo "Executing upgrade-configuration." 
@@ -503,50 +425,54 @@ if [ "$(%{_sbindir}/postconf -h daemon_directory)" != "%{pf_daemon_directory}" ]; then %{_sbindir}/postconf daemon_directory=%{pf_daemon_directory} fi + if [ -e %{pf_database_convert} ]; then + sed -i -E "s/(btree|hash):/lmdb:/g" %{pf_config_directory}/{main.cf,master.cf} + for i in $(find %{pf_config_directory} -name "*.db"); do + postmap ${i%.db} + done + for i in $(find %{_sysconfdir}/aliases.d/ -name "*.db"); do + postalias ${i%.db} + done + if [ -e %{_sysconfdir}/aliases.db ]; then + postalias %{_sysconfdir}/aliases + fi + rm %{pf_database_convert} + fi fi - -%service_add_post %{name}.service - %set_permissions %{_sbindir}/postqueue %set_permissions %{_sbindir}/postdrop %set_permissions %{_sysconfdir}/%{name}/sasl_passwd %set_permissions %{_sbindir}/sendmail - %{fillup_only postfix} %{fillup_only -an mail} -/sbin/ldconfig +%service_add_post %{name}.service + +%postun +%service_del_postun %{name}.service %verifyscript %verify_permissions -e %{_sbindir}/postqueue %verify_permissions -e %{_sbindir}/postdrop %verify_permissions -e %{_sysconfdir}/%{name}/sasl_passwd %verify_permissions -e %{_sbindir}/sendmail -%{fillup_only postfix} - -%postun -%service_del_postun %{name}.service -/sbin/ldconfig # --------------------------------------------------------------------------- -%post postgresql -FILE=etc/%{name}/dynamicmaps.cf -if ! grep -q "^pgsql[[:space:]]" ${FILE}; then - echo "Adding pgsql map entry to ${FILE}" - echo "pgsql %{pf_shlib_directory}/dict_pgsql.so dict_pgsql_open" >> ${FILE} -fi -# --------------------------------------------------------------------------- +%pre mysql -f vmail.pre -%post mysql -FILE=etc/%{name}/dynamicmaps.cf -if ! 
grep -q "^mysql[[:space:]]" ${FILE}; then - echo "Adding mysql map entry to ${FILE}" - echo "mysql %{pf_shlib_directory}/dict_mysql.so dict_mysql_open" >> ${FILE} -fi -# --------------------------------------------------------------------------- +%post mysql -p /sbin/ldconfig +%postun mysql -p /sbin/ldconfig + +%post postgresql -p /sbin/ldconfig +%postun postgresql -p /sbin/ldconfig + +%if %{with ldap} +%post ldap -p /sbin/ldconfig +%postun ldap -p /sbin/ldconfig +%endif %files -%license LICENSE +%license LICENSE TLS_LICENSE %config %{_sysconfdir}/pam.d/* %{_fillupdir}/sysconfig.%{name} %{_fillupdir}/sysconfig.mail-%{name} 
@@ -561,24 +487,19 @@ %config(noreplace) %{_sysconfdir}/%{name}/helo_access %config(noreplace) %{_sysconfdir}/%{name}/main.cf %config(noreplace) %{_sysconfdir}/%{name}/master.cf -%attr(0750,root,root) %config %{_sysconfdir}/%{name}/post-install -%attr(0750,root,root) %config %{_sysconfdir}/%{name}/%{name}-tls-script -%attr(0750,root,root) %config %{_sysconfdir}/%{name}/%{name}-wrapper -%attr(0750,root,root) %config %{_sysconfdir}/%{name}/postmulti-script -%config(noreplace) %{_sysconfdir}/%{name}/%{name}-files %config(noreplace) %{_sysconfdir}/%{name}/relay %config(noreplace) %{_sysconfdir}/%{name}/relay_ccerts %config(noreplace) %{_sysconfdir}/%{name}/sasl_passwd %config(noreplace) %{_sysconfdir}/%{name}/sender_canonical %config(noreplace) %{_sysconfdir}/%{name}/virtual - +%ghost %{_sysconfdir}/%{name}/*.lmdb +%ghost %{_sysconfdir}/aliases.lmdb %dir %{_sysconfdir}/sasl2 %config(noreplace) %{_sysconfdir}/sasl2/smtpd.conf -%config %{_sysconfdir}/%{name}/LICENSE -%config %{_sysconfdir}/%{name}/TLS_LICENSE +%exclude %{_sysconfdir}/%{name}/LICENSE +%exclude %{_sysconfdir}/%{name}/TLS_LICENSE %config %{_sysconfdir}/permissions.d/%{name} %config %{_sysconfdir}/permissions.d/%{name}.paranoid -%attr(0644, root, root) %config %{_sysconfdir}/%{name}/makedefs.out %{pf_shlib_directory}/%{name}-files # create our default postfix ssl DIR (/etc/postfix/ssl) %dir %{_sysconfdir}/%{name}/ssl 
@@ -612,20 +533,25 @@ %{_libdir}/lib* %{_libexecdir}/sendmail %dir %{pf_shlib_directory} -%{pf_shlib_directory}/*[^.so] %{pf_shlib_directory}/%{name}-pcre.so +%{pf_shlib_directory}/%{name}-lmdb.so %{pf_shlib_directory}/lib%{name}-dns.so %{pf_shlib_directory}/lib%{name}-global.so %{pf_shlib_directory}/lib%{name}-master.so %{pf_shlib_directory}/lib%{name}-tls.so %{pf_shlib_directory}/lib%{name}-util.so +%{pf_shlib_directory}/dynamicmaps.cf %{pf_shlib_directory}/main.cf.proto +%{pf_shlib_directory}/makedefs.out %{pf_shlib_directory}/master.cf.proto +%dir %{pf_daemon_directory} +%{pf_daemon_directory}/* +%dir %{pf_shlib_directory}/dynamicmaps.cf.d +%dir %{pf_shlib_directory}/postfix-files.d %{conf_backup_dir} %dir %attr(0700,%{name},root) %{pf_data_directory} %exclude %{_mandir}/man5/ldap_table.5* -%exclude %{_mandir}/man5/lmdb_table.5* %exclude %{_mandir}/man5/mysql_table.5* %exclude %{_mandir}/man5/pgsql_table.5* %{_mandir}/man?/*%{?ext_man} @@ -643,9 +569,7 @@ %dir %attr(0700,%{name},root) /%{pf_queue_directory}/trace %dir %attr(0730,%{name},maildrop) /%{pf_queue_directory}/maildrop %dir %attr(0710,%{name},maildrop) /%{pf_queue_directory}/public -%if 0%{?suse_version} >= 1330 %{_sysusersdir}/postfix-user.conf -%endif %files devel %{_includedir}/%{name}/ 
@@ -659,26 +583,21 @@ %config(noreplace) %attr(640, root, %{name}) %{_sysconfdir}/%{name}/*_maps.cf %config(noreplace) %{_sysconfdir}/%{name}/main.cf-mysql %{pf_shlib_directory}/%{name}-mysql.so +%{pf_shlib_directory}/dynamicmaps.cf.d/%{name}-mysql.cf %{_mandir}/man5/mysql_table.5%{?ext_man} -%if 0%{?suse_version} >= 1330 %{_sysusersdir}/postfix-vmail-user.conf -%endif %files postgresql %{pf_shlib_directory}/%{name}-pgsql.so +%{pf_shlib_directory}/dynamicmaps.cf.d/%{name}-pgsql.cf %{_mandir}/man5/pgsql_table.5%{?ext_man} %if %{with ldap} %files ldap %config(noreplace) %{_sysconfdir}/%{name}/ldap_aliases.cf %{pf_shlib_directory}/%{name}-ldap.so +%{pf_shlib_directory}/dynamicmaps.cf.d/%{name}-ldap.cf %{_mandir}/man5/ldap_table.5%{?ext_man} %endif -%if %{with lmdb} -%files lmdb -%{pf_shlib_directory}/%{name}-lmdb.so -%{_mandir}/man5/lmdb_table.5%{?ext_man} -%endif - %changelog ++++++ postfix-3.5.8.tar.gz -> postfix-3.5.9.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.8/HISTORY new/postfix-3.5.9/HISTORY --- old/postfix-3.5.8/HISTORY 2020-11-05 00:11:27.000000000 +0100 +++ new/postfix-3.5.9/HISTORY 2021-01-17 15:54:57.000000000 +0100 
@@ -24882,3 +24882,26 @@ subsequent header content to become message body content. Reported by Andreas Weigel, fix by Viktor Dukhovni. File: smtp/smtp_proto.c. + +20210116 + + Feature: when a Postfix program makes a DNS query that + requests DNSSEC validation (usually for Postfix DANE support) + but the DNS response is not DNSSEC validated, Postfix will + send a DNS query configured with the "dnssec_probe" parameter + to determine if DNSSEC support is available, and logs a + warning if it is not. By default, the probe has type "ns" + and domain name ".". The probe is sent once per process + lifetime. Files: dns/dns.h, dns/dns_lookup.c, dns/dns_sec.c, + test_dns_lookup.c, global/mail_params.[hc], mantools/postlink. + + The makedefs script no longer disables DNSSEC when Postfix + is built with libc-musl. Instead Postfix will rely on the + new dnssec_probe feature, and will log a warning when Postfix + requests DNSSEC validation, but the infrastructure does not + validate DNSSEC signatures. File: makedefs. + + The default "smtp_tls_dane_insecure_mx_policy = dane" was + causing unnecessary dnssec_probe activity. The default is now + "dane" when smtp_tls_security_level is "dane", otherwise it is + "may". File: global/mail_params.h. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.8/RELEASE_NOTES new/postfix-3.5.9/RELEASE_NOTES --- old/postfix-3.5.8/RELEASE_NOTES 2020-05-16 23:20:59.000000000 +0200 +++ new/postfix-3.5.9/RELEASE_NOTES 2021-01-16 23:24:24.000000000 +0100 
@@ -25,9 +25,50 @@ the software under the license of their choice. Those who are more comfortable with the IPL can continue with that license. +Runtime detection of DNSSEC support +----------------------------------- + +The Postfix build system will no longer automatically disable DNSSEC +support when it determines that Postfix will use libc-musl. This removes +the earlier libc-musl workaround for Postfix 3.2.15, 3.3.10, 3.4.12, +and 3.5.2. + +Now, when a Postfix process requests DNSSEC support (typically, for +Postfix DANE support), the process may do a runtime test to determine if +DNSSEC validation is available. DNSSEC support may be broken because of +local configuration, libc incompatibility, or other infrastructure issues. + +Background: DNSSEC validation is needed for Postfix DANE support; +this ensures that Postfix receives TLSA records with secure TLS +server certificate info. When DNSSEC validation is unavailable, +mail deliveries using opportunistic DANE will not be protected by +server certificate info in TLSA records, and mail deliveries using +mandatory DANE will not be made at all. + +The dnssec_probe parameter specifies the DNS query type (default: +"ns") and DNS query name (default: ".") that Postfix may use to +determine whether DNSSEC validation is available. Specify an empty +value to disable this feature. + +By default, a Postfix process will send a DNSSEC probe after 1) the +process made a DNS query that requested DNSSEC validation, 2) the +process did not receive a DNSSEC validated response to this query +or to an earlier query, and 3) the process did not already send a +DNSSEC probe. + +When the DNSSEC probe has no response, or when the response is not +DNSSEC validated, Postfix logs a warning that DNSSEC validation may +be unavailable. Examples: + +warning: DNSSEC validation may be unavailable +warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated +warning: reason: dnssec_probe 'ns:.' 
received no response: Server failure + +This feature was backported from Postfix 3.6. + libc-musl workaround for Postfix 3.2.15, 3.3.10, 3.4.12, and 3.5.2 ------------------------------------------------------------------ - + Security: this release disables DANE support on Linux systems with libc-musl, because libc-musl provides no indication whether DNS responses are authentic. This broke DANE support without a clear diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.8/html/lmtp.8.html new/postfix-3.5.9/html/lmtp.8.html --- old/postfix-3.5.8/html/lmtp.8.html 2020-03-08 16:09:09.000000000 +0100 +++ new/postfix-3.5.9/html/lmtp.8.html 2021-01-17 00:19:54.000000000 +0100 @@ -365,6 +365,13 @@ The email address form that will be used in non-debug logging (info, warning, etc.). + Available in Postfix 3.5.9 and later: + + <b><a href="postconf.5.html#dnssec_probe">dnssec_probe</a> (ns:.)</b> + The DNS query type (default: "ns") and DNS query name (default: + ".") that Postfix may use to determine whether DNSSEC validation + is available. + <b>MIME PROCESSING CONTROLS</b> Available in Postfix version 2.0 and later: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.8/html/postconf.5.html new/postfix-3.5.9/html/postconf.5.html --- old/postfix-3.5.8/html/postconf.5.html 2020-05-09 17:51:27.000000000 +0200 +++ new/postfix-3.5.9/html/postconf.5.html 2021-01-17 16:10:20.000000000 +0100 
@@ -3031,6 +3031,66 @@ </DD> +<DT><b><a name="dnssec_probe">dnssec_probe</a> +(default: ns:.)</b></DT><DD> + +<p> The DNS query type (default: "ns") and DNS query name (default: +".") that Postfix may use to determine whether DNSSEC validation +is available. +</p> + +<p> Background: DNSSEC validation is needed for Postfix DANE support; +this ensures that Postfix receives TLSA records with secure TLS +server certificate info. When DNSSEC validation is unavailable, +mail deliveries using <i>opportunistic</i> DANE will not be protected +by server certificate info in TLSA records, and mail deliveries +using <i>mandatory</i> DANE will not be made at all. </p> + +<p> By default, a Postfix process will send a DNSSEC probe after +1) the process made a DNS query that requested DNSSEC validation, +2) the process did not receive a DNSSEC validated response to this +query or to an earlier query, and 3) the process did not already +send a DNSSEC probe. <p> + +<p> When the DNSSEC probe has no response, or when the response is +not DNSSEC validated, Postfix logs a warning that DNSSEC validation +may be unavailable. </p> + +<p> Example: </p> + +<pre> +warning: DNSSEC validation may be unavailable +warning: reason: <a href="postconf.5.html#dnssec_probe">dnssec_probe</a> 'ns:.' received a response that is not DNSSEC validated +warning: reason: <a href="postconf.5.html#dnssec_probe">dnssec_probe</a> 'ns:.' received no response: Server failure +</pre> + +<p> Possible reasons why DNSSEC validation may be unavailable: </p> + +<ul> + +<li> The local /etc/resolv.conf file specifies a DNS resolver that +does not validate DNSSEC signatures (that's +$<a href="postconf.5.html#queue_directory">queue_directory</a>/etc/resolv.conf when a Postfix daemon runs in a +chroot jail). + +<li> The local system library does not pass on the "DNSSEC validated" +bit to Postfix, or Postfix does not know how to ask the library to +do that. 
+ +</ul> + +<p> By default, the DNSSEC probe asks for the DNS root zone NS +records, because resolvers should always have that information +cached. If Postfix runs on a network where the DNS root zone is not +reachable, specify a different probe, or specify an empty <a href="postconf.5.html#dnssec_probe">dnssec_probe</a> +value to disable the feature. </p> + +<p> This feature was backported from Postfix 3.6 to Postfix versions +3.5.9, 3.4.19, 3.3.16. 3.2.21. </p> + + +</DD> + <DT><b><a name="dont_remove">dont_remove</a> (default: 0)</b></DT><DD> @@ -12377,7 +12437,7 @@ </DD> <DT><b><a name="smtp_tls_dane_insecure_mx_policy">smtp_tls_dane_insecure_mx_policy</a> -(default: dane)</b></DT><DD> +(default: see "postconf -d" output)</b></DT><DD> <p> The TLS policy for MX hosts with "secure" TLSA records when the nexthop destination security level is <b>dane</b>, but the MX @@ -12401,6 +12461,12 @@ "Verified", because the MX host name could have been forged. </dd> </dl> +<p> The default setting for Postfix ≥ 3.6 is "dane" with +"<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = dane", otherwise "may". This behavior +was backported to Postfix versions 3.5.9, 3.4.19, 3.3.16. 3.2.21. +With earlier +Postfix versions the default setting was always "dane". </p> + <p> Though with "insecure" MX records an active attacker can compromise SMTP transport security by returning forged MX records, such attacks are "tamper-evident" since any forged MX hostnames diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.8/html/smtp.8.html new/postfix-3.5.9/html/smtp.8.html --- old/postfix-3.5.8/html/smtp.8.html 2020-03-08 16:09:09.000000000 +0100 +++ new/postfix-3.5.9/html/smtp.8.html 2021-01-17 00:19:54.000000000 +0100 
@@ -365,6 +365,13 @@ The email address form that will be used in non-debug logging (info, warning, etc.). + Available in Postfix 3.5.9 and later: + + <b><a href="postconf.5.html#dnssec_probe">dnssec_probe</a> (ns:.)</b> + The DNS query type (default: "ns") and DNS query name (default: + ".") that Postfix may use to determine whether DNSSEC validation + is available. + <b>MIME PROCESSING CONTROLS</b> Available in Postfix version 2.0 and later: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.8/makedefs new/postfix-3.5.9/makedefs --- old/postfix-3.5.8/makedefs 2020-05-06 16:10:47.000000000 +0200 +++ new/postfix-3.5.9/makedefs 2021-01-16 16:10:00.000000000 +0100 @@ -228,19 +228,6 @@ *) echo usage: $0 [system release] 1>&2; exit 1;; esac -case "$SYSTEM" in - Linux) - case "`PATH=/bin:/usr/bin ldd /bin/sh`" in - *-musl-*) - case "$CCARGS" in - *-DNO_DNSSEC*) ;; - *) echo Warning: libc-musl breaks DANE/TLSA security. 1>&2 - echo This build will not support DANE/TLSA. 1>&2 - CCARGS="$CCARGS -DNO_DNSSEC";; - esac;; - esac;; -esac - case "$SYSTEM.$RELEASE" in SCO_SV.3.2) SYSTYPE=SCO5 # Use the native compiler by default diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.8/man/man5/postconf.5 new/postfix-3.5.9/man/man5/postconf.5 --- old/postfix-3.5.8/man/man5/postconf.5 2020-05-09 17:52:30.000000000 +0200 +++ new/postfix-3.5.9/man/man5/postconf.5 2021-01-17 16:10:20.000000000 +0100 
@@ -1897,6 +1897,60 @@ service performs DNS white/blacklist lookups. .PP This feature is available in Postfix 2.8 and later. +.SH dnssec_probe (default: ns:.) +The DNS query type (default: "ns") and DNS query name (default: +".") that Postfix may use to determine whether DNSSEC validation +is available. +.PP +Background: DNSSEC validation is needed for Postfix DANE support; +this ensures that Postfix receives TLSA records with secure TLS +server certificate info. When DNSSEC validation is unavailable, +mail deliveries using \fIopportunistic\fR DANE will not be protected +by server certificate info in TLSA records, and mail deliveries +using \fImandatory\fR DANE will not be made at all. +.PP +By default, a Postfix process will send a DNSSEC probe after +1) the process made a DNS query that requested DNSSEC validation, +2) the process did not receive a DNSSEC validated response to this +query or to an earlier query, and 3) the process did not already +send a DNSSEC probe. +.PP +When the DNSSEC probe has no response, or when the response is +not DNSSEC validated, Postfix logs a warning that DNSSEC validation +may be unavailable. +.PP +Example: +.PP +.nf +.na +.ft C +warning: DNSSEC validation may be unavailable +warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated +warning: reason: dnssec_probe 'ns:.' received no response: Server failure +.fi +.ad +.ft R +.PP +Possible reasons why DNSSEC validation may be unavailable: +.IP \(bu +The local /etc/resolv.conf file specifies a DNS resolver that +does not validate DNSSEC signatures (that's +$queue_directory/etc/resolv.conf when a Postfix daemon runs in a +chroot jail). +.IP \(bu +The local system library does not pass on the "DNSSEC validated" +bit to Postfix, or Postfix does not know how to ask the library to +do that. +.br +.PP +By default, the DNSSEC probe asks for the DNS root zone NS +records, because resolvers should always have that information +cached. 
If Postfix runs on a network where the DNS root zone is not +reachable, specify a different probe, or specify an empty dnssec_probe +value to disable the feature. +.PP +This feature was backported from Postfix 3.6 to Postfix versions +3.5.9, 3.4.19, 3.3.16. 3.2.21. .SH dont_remove (default: 0) Don't remove queue files and save them to the "saved" mail queue. This is a debugging aid. To inspect the envelope information and @@ -7921,7 +7975,7 @@ TLS connection reuse" for background details. .PP This feature is available in Postfix 3.4 and later. -.SH smtp_tls_dane_insecure_mx_policy (default: dane) +.SH smtp_tls_dane_insecure_mx_policy (default: see "postconf \-d" output) The TLS policy for MX hosts with "secure" TLSA records when the nexthop destination security level is \fBdane\fR, but the MX record was found via an "insecure" MX lookup. The choices are: @@ -7942,6 +7996,12 @@ "Verified", because the MX host name could have been forged. .br .br +The default setting for Postfix >= 3.6 is "dane" with +"smtp_tls_security_level = dane", otherwise "may". This behavior +was backported to Postfix versions 3.5.9, 3.4.19, 3.3.16. 3.2.21. +With earlier +Postfix versions the default setting was always "dane". +.PP Though with "insecure" MX records an active attacker can compromise SMTP transport security by returning forged MX records, such attacks are "tamper\-evident" since any forged MX hostnames diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.8/man/man8/smtp.8 new/postfix-3.5.9/man/man8/smtp.8 --- old/postfix-3.5.8/man/man8/smtp.8 2020-03-08 16:09:08.000000000 +0100 +++ new/postfix-3.5.9/man/man8/smtp.8 2021-01-17 00:19:54.000000000 +0100 
@@ -356,6 +356,12 @@ .IP "\fBinfo_log_address_format (external)\fR" The email address form that will be used in non\-debug logging (info, warning, etc.). +.PP +Available in Postfix 3.5.9 and later: +.IP "\fBdnssec_probe (ns:.)\fR" +The DNS query type (default: "ns") and DNS query name (default: +".") that Postfix may use to determine whether DNSSEC validation +is available. .SH "MIME PROCESSING CONTROLS" .na .nf diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.8/mantools/postlink new/postfix-3.5.9/mantools/postlink --- old/postfix-3.5.8/mantools/postlink 2020-01-26 18:34:39.000000000 +0100 +++ new/postfix-3.5.9/mantools/postlink 2021-01-16 23:31:12.000000000 +0100 @@ -695,6 +695,7 @@ s;\bsmtp_per_record_deadline\b;<a href="postconf.5.html#smtp_per_record_deadline">$&</a>;g; s;\bsmtp_send_dummy_mail_auth\b;<a href="postconf.5.html#smtp_send_dummy_mail_auth">$&</a>;g; s;\bsmtp_balance_inet_protocols\b;<a href="postconf.5.html#smtp_balance_inet_protocols">$&</a>;g; + s;\bdnssec_probe\b;<a href="postconf.5.html#dnssec_probe">$&</a>;g; s;\bsmtp_tls_connection_reuse\b;<a href="postconf.5.html#smtp_tls_connection_reuse">$&</a>;g; s;\blmtp_tls_connection_reuse\b;<a href="postconf.5.html#lmtp_tls_connection_reuse">$&</a>;g; s;\bsmtpd_enforce_tls\b;<a href="postconf.5.html#smtpd_enforce_tls">$&</a>;g; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.8/proto/postconf.proto new/postfix-3.5.9/proto/postconf.proto --- old/postfix-3.5.8/proto/postconf.proto 2020-05-09 17:51:27.000000000 +0200 +++ new/postfix-3.5.9/proto/postconf.proto 2021-01-17 16:10:15.000000000 +0100 
@@ -16815,7 +16815,7 @@ This feature is available in Postfix 3.1 and later. </p> -%PARAM smtp_tls_dane_insecure_mx_policy dane +%PARAM smtp_tls_dane_insecure_mx_policy see "postconf -d" output <p> The TLS policy for MX hosts with "secure" TLSA records when the nexthop destination security level is <b>dane</b>, but the MX @@ -16839,6 +16839,12 @@ "Verified", because the MX host name could have been forged. </dd> </dl> +<p> The default setting for Postfix ≥ 3.6 is "dane" with +"smtp_tls_security_level = dane", otherwise "may". This behavior +was backported to Postfix versions 3.5.9, 3.4.19, 3.3.16. 3.2.21. +With earlier +Postfix versions the default setting was always "dane". </p> + <p> Though with "insecure" MX records an active attacker can compromise SMTP transport security by returning forged MX records, such attacks are "tamper-evident" since any forged MX hostnames 
@@ -17698,3 +17704,59 @@ such games to circumvent Postfix access policies. </p> <p> This feature is available in Postfix 3.5 and later. </p> + +%PARAM dnssec_probe ns:. + +<p> The DNS query type (default: "ns") and DNS query name (default: +".") that Postfix may use to determine whether DNSSEC validation +is available. +</p> + +<p> Background: DNSSEC validation is needed for Postfix DANE support; +this ensures that Postfix receives TLSA records with secure TLS +server certificate info. When DNSSEC validation is unavailable, +mail deliveries using <i>opportunistic</i> DANE will not be protected +by server certificate info in TLSA records, and mail deliveries +using <i>mandatory</i> DANE will not be made at all. </p> + +<p> By default, a Postfix process will send a DNSSEC probe after +1) the process made a DNS query that requested DNSSEC validation, +2) the process did not receive a DNSSEC validated response to this +query or to an earlier query, and 3) the process did not already +send a DNSSEC probe. <p> + +<p> When the DNSSEC probe has no response, or when the response is +not DNSSEC validated, Postfix logs a warning that DNSSEC validation +may be unavailable. </p> + +<p> Example: </p> + +<pre> +warning: DNSSEC validation may be unavailable +warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated +warning: reason: dnssec_probe 'ns:.' received no response: Server failure +</pre> + +<p> Possible reasons why DNSSEC validation may be unavailable: </p> + +<ul> + +<li> The local /etc/resolv.conf file specifies a DNS resolver that +does not validate DNSSEC signatures (that's +$queue_directory/etc/resolv.conf when a Postfix daemon runs in a +chroot jail). + +<li> The local system library does not pass on the "DNSSEC validated" +bit to Postfix, or Postfix does not know how to ask the library to +do that. 
+ +</ul> + +<p> By default, the DNSSEC probe asks for the DNS root zone NS +records, because resolvers should always have that information +cached. If Postfix runs on a network where the DNS root zone is not +reachable, specify a different probe, or specify an empty dnssec_probe +value to disable the feature. </p> + +<p> This feature was backported from Postfix 3.6 to Postfix versions +3.5.9, 3.4.19, 3.3.16. 3.2.21. </p> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.8/src/dns/Makefile.in new/postfix-3.5.9/src/dns/Makefile.in --- old/postfix-3.5.8/src/dns/Makefile.in 2019-12-15 01:01:17.000000000 +0100 +++ new/postfix-3.5.9/src/dns/Makefile.in 2021-01-09 02:23:37.000000000 +0100 @@ -1,10 +1,10 @@ SHELL = /bin/sh SRCS = dns_lookup.c dns_rr.c dns_strerror.c dns_strtype.c dns_rr_to_pa.c \ dns_sa_to_rr.c dns_rr_eq_sa.c dns_rr_to_sa.c dns_strrecord.c \ - dns_rr_filter.c dns_str_resflags.c + dns_rr_filter.c dns_str_resflags.c dns_sec.c OBJS = dns_lookup.o dns_rr.o dns_strerror.o dns_strtype.o dns_rr_to_pa.o \ dns_sa_to_rr.o dns_rr_eq_sa.o dns_rr_to_sa.o dns_strrecord.o \ - dns_rr_filter.o dns_str_resflags.o + dns_rr_filter.o dns_str_resflags.o dns_sec.o HDRS = dns.h TESTSRC = test_dns_lookup.c test_alias_token.c DEFS = -I. -I$(INC_DIR) -D$(SYSTYPE) @@ -76,7 +76,7 @@ done cd $(INC_DIR); chmod 644 $(HDRS) -test_dns_lookup: test_dns_lookup.c $(LIB) $(LIBS) +test_dns_lookup: test_dns_lookup.c all $(LIB) $(LIBS) $(CC) $(CFLAGS) -o $@ $@.c $(LIB) $(LIBS) $(SYSLIBS) dns_rr_to_pa: $(LIB) $(LIBS) 
@@ -346,6 +346,18 @@ dns_sa_to_rr.o: ../../include/vstring.h dns_sa_to_rr.o: dns.h dns_sa_to_rr.o: dns_sa_to_rr.c +dns_sec.o: ../../include/check_arg.h +dns_sec.o: ../../include/mail_params.h +dns_sec.o: ../../include/msg.h +dns_sec.o: ../../include/myaddrinfo.h +dns_sec.o: ../../include/mymalloc.h +dns_sec.o: ../../include/sock_addr.h +dns_sec.o: ../../include/split_at.h +dns_sec.o: ../../include/sys_defs.h +dns_sec.o: ../../include/vbuf.h +dns_sec.o: ../../include/vstring.h +dns_sec.o: dns.h +dns_sec.o: dns_sec.c dns_str_resflags.o: ../../include/check_arg.h dns_str_resflags.o: ../../include/myaddrinfo.h dns_str_resflags.o: ../../include/name_mask.h diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.8/src/dns/dns.h new/postfix-3.5.9/src/dns/dns.h --- old/postfix-3.5.8/src/dns/dns.h 2020-04-16 19:07:58.000000000 +0200 +++ new/postfix-3.5.9/src/dns/dns.h 2021-01-16 23:37:12.000000000 +0100 @@ -244,7 +244,12 @@ (lflags), (ltype)) /* - * Request flags. + * The dns_lookup() rflag that requests DNSSEC validation. + */ +#define DNS_WANT_DNSSEC_VALIDATION(rflags) ((rflags) & RES_USE_DNSSEC) + + /* + * lflags. */ #define DNS_REQ_FLAG_STOP_OK (1<<0) #define DNS_REQ_FLAG_STOP_INVAL (1<<1) 
@@ -309,6 +314,18 @@ */ const char *dns_str_resflags(unsigned long); + /* + * dns_sec.c. + */ +#define DNS_SEC_FLAG_AVAILABLE (1<<0) /* got some DNSSEC validated reply */ +#define DNS_SEC_FLAG_DONT_PROBE (1<<1) /* probe already sent, or disabled */ + +#define DNS_SEC_STATS_SET(flags) (dns_sec_stats |= (flags)) +#define DNS_SEC_STATS_TEST(flags) (dns_sec_stats & (flags)) + +extern int dns_sec_stats; /* See DNS_SEC_FLAG_XXX above */ +extern void dns_sec_probe(int); + /* LICENSE /* .ad /* .fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.8/src/dns/dns_lookup.c new/postfix-3.5.9/src/dns/dns_lookup.c --- old/postfix-3.5.8/src/dns/dns_lookup.c 2020-04-16 19:07:58.000000000 +0200 +++ new/postfix-3.5.9/src/dns/dns_lookup.c 2021-01-16 17:24:08.000000000 +0100 @@ -171,6 +171,12 @@ /* Pointer to storage for the reply RCODE value. This gives /* more detailed information than DNS_FAIL, DNS_RETRY, etc. /* DIAGNOSTICS +/* If DNSSEC validation is requested but the response is not +/* DNSSEC validated, dns_lookup() will send a one-time probe +/* query as configured with the \fBdnssec_probe\fR configuration +/* parameter, and will log a warning when the probe response +/* was not DNSSEC validated. +/* .PP /* dns_lookup() returns one of the following codes and sets the /* \fIwhy\fR argument accordingly: /* .IP DNS_OK @@ -463,7 +469,7 @@ */ #define XTRA_FLAGS (RES_USE_EDNS0 | RES_TRUSTAD) - if (flags & RES_USE_DNSSEC) + if (DNS_WANT_DNSSEC_VALIDATION(flags)) flags |= (RES_USE_EDNS0 | RES_TRUSTAD); /* @@ -510,6 +516,8 @@ _res.options |= saved_options; reply_header = (HEADER *) reply->buf; reply->rcode = reply_header->rcode; + if ((reply->dnssec_ad = !!reply_header->ad) != 0) + DNS_SEC_STATS_SET(DNS_SEC_FLAG_AVAILABLE); if (h_errno != 0) { if (why) vstring_sprintf(why, "Host or domain name not found. " 
@@ -561,13 +569,8 @@ /* * Initialize the reply structure. Some structure members are filled on - * the fly while the reply is being parsed. Coerce AD bit to boolean. + * the fly while the reply is being parsed. */ -#if RES_USE_DNSSEC != 0 - reply->dnssec_ad = (flags & RES_USE_DNSSEC) ? !!reply_header->ad : 0; -#else - reply->dnssec_ad = 0; -#endif SET_HAVE_DNS_REPLY_PACKET(reply, len); reply->query_start = reply->buf + sizeof(HEADER); reply->answer_start = 0; @@ -885,7 +888,9 @@ CORRUPT(DNS_RETRY); if ((status = dns_get_fixed(pos, &fixed)) != DNS_OK) CORRUPT(status); - if (!valid_rr_name(rr_name, "resource name", fixed.type, reply)) + if (strcmp(orig_name, ".") == 0 && *rr_name == 0) + /* Allow empty response name for root queries. */ ; + else if (!valid_rr_name(rr_name, "resource name", fixed.type, reply)) CORRUPT(DNS_INVAL); if (fqdn) vstring_strcpy(fqdn, rr_name); @@ -973,7 +978,7 @@ /* * The Linux resolver misbehaves when given an invalid domain name. */ - if (!valid_hostname(name, DONT_GRIPE)) { + if (strcmp(name, ".") && !valid_hostname(name, DONT_GRIPE)) { if (why) vstring_sprintf(why, "Name service error for %s: invalid host or domain name", @@ -1010,6 +1015,10 @@ (void) dns_get_answer(orig_name, &reply, T_SOA, rrlist, fqdn, cname, c_len, &maybe_secure); } + if (DNS_WANT_DNSSEC_VALIDATION(flags) + && !DNS_SEC_STATS_TEST(DNS_SEC_FLAG_AVAILABLE | \ + DNS_SEC_FLAG_DONT_PROBE)) + dns_sec_probe(flags); /* XXX Clobbers 'reply' */ return (status); } 
@@ -1019,6 +1028,10 @@ */ status = dns_get_answer(orig_name, &reply, type, rrlist, fqdn, cname, c_len, &maybe_secure); + if (DNS_WANT_DNSSEC_VALIDATION(flags) + && !DNS_SEC_STATS_TEST(DNS_SEC_FLAG_AVAILABLE | \ + DNS_SEC_FLAG_DONT_PROBE)) + dns_sec_probe(flags); /* XXX Clobbers 'reply' */ switch (status) { default: if (why) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.8/src/dns/dns_sec.c new/postfix-3.5.9/src/dns/dns_sec.c --- old/postfix-3.5.8/src/dns/dns_sec.c 1970-01-01 01:00:00.000000000 +0100 +++ new/postfix-3.5.9/src/dns/dns_sec.c 2021-01-12 00:32:06.000000000 +0100 
@@ -0,0 +1,144 @@ +/*++ +/* NAME +/* dns_sec 3 +/* SUMMARY +/* DNSSEC validation availability +/* SYNOPSIS +/* #include <dns.h> +/* +/* DNS_SEC_STATS_SET( +/* int flags) +/* +/* DNS_SEC_STATS_TEST( +/* int flags) +/* +/* void dns_sec_probe( +/* int rflags) +/* DESCRIPTION +/* This module maintains information about the availability of +/* DNSSEC validation, in global flags that summarize +/* process-lifetime history. +/* .IP DNS_SEC_FLAG_AVAILABLE +/* The process has received at least one DNSSEC validated +/* response to a query that requested DNSSEC validation. +/* .IP DNS_SEC_FLAG_DONT_PROBE +/* The process has sent a DNSSEC probe (see below), or DNSSEC +/* probing is disabled by configuration. +/* .PP +/* DNS_SEC_STATS_SET() sets one or more DNS_SEC_FLAG_* flags, +/* and DNS_SEC_STATS_TEST() returns non-zero if any of the +/* specified flags is set. +/* +/* dns_sec_probe() generates a query to the target specified +/* with the \fBdnssec_probe\fR configuration parameter. It +/* sets the DNS_SEC_FLAG_DONT_PROBE flag, and it calls +/* dns_lookup() which sets DNS_SEC_FLAG_AVAILABLE if it receives +/* a DNSSEC validated response. Preconditions: +/* .IP \(bu +/* The rflags argument must request DNSSEC validation (in the +/* same manner as dns_lookup() rflags argument). +/* .IP \(bu +/* The DNS_SEC_FLAG_AVAILABLE and DNS_SEC_FLAG_DONT_PROBE +/* flags must be false. +/* LICENSE +/* .ad +/* .fi +/* The Secure Mailer license must be distributed with this software. +/* AUTHOR(S) +/* Wietse Venema +/* Google, Inc. +/* 111 8th Avenue +/* New York, NY 10011, USA +/*--*/ + +#include <sys_defs.h> + + /* + * Utility library. + */ +#include <msg.h> +#include <mymalloc.h> +#include <split_at.h> +#include <vstring.h> + + /* + * Global library. + */ +#include <mail_params.h> + + /* + * DNS library. 
+ */ +#include <dns.h> + +int dns_sec_stats; + +/* dns_sec_probe - send a probe to establish DNSSEC viability */ + +void dns_sec_probe(int rflags) +{ + const char myname[] = "dns_sec_probe"; + char *saved_dnssec_probe; + char *qname; + int qtype; + DNS_RR *rrlist = 0; + int dns_status; + VSTRING *why; + + /* + * Sanity checks. + */ + if (!DNS_WANT_DNSSEC_VALIDATION(rflags)) + msg_panic("%s: DNSSEC is not requested", myname); + if (DNS_SEC_STATS_TEST(DNS_SEC_FLAG_DONT_PROBE)) + msg_panic("%s: DNSSEC probe was already sent, or probing is disabled", + myname); + if (DNS_SEC_STATS_TEST(DNS_SEC_FLAG_AVAILABLE)) + msg_panic("%s: already have validated DNS response", myname); + + /* + * Don't recurse. + */ + DNS_SEC_STATS_SET(DNS_SEC_FLAG_DONT_PROBE); + + /* + * Don't probe. + */ + if (*var_dnssec_probe == 0) + return; + + /* + * Parse the probe spec. Format is type:resource. + */ + saved_dnssec_probe = mystrdup(var_dnssec_probe); + if ((qname = split_at(saved_dnssec_probe, ':')) == 0 || *qname == 0 + || (qtype = dns_type(saved_dnssec_probe)) == 0) + msg_fatal("malformed %s value: %s format is qtype:qname", + VAR_DNSSEC_PROBE, var_dnssec_probe); + + why = vstring_alloc(100); + dns_status = dns_lookup(qname, qtype, rflags, &rrlist, (VSTRING *) 0, why); + if (!DNS_SEC_STATS_TEST(DNS_SEC_FLAG_AVAILABLE)) + msg_warn("DNSSEC validation may be unavailable"); + else if (msg_verbose) + msg_info(VAR_DNSSEC_PROBE + " '%s' received a response that is DNSSEC validated", + var_dnssec_probe); + switch (dns_status) { + default: + if (!DNS_SEC_STATS_TEST(DNS_SEC_FLAG_AVAILABLE)) + msg_warn("reason: " VAR_DNSSEC_PROBE + " '%s' received a response that is not DNSSEC validated", + var_dnssec_probe); + if (rrlist) + dns_rr_free(rrlist); + break; + case DNS_RETRY: + case DNS_FAIL: + msg_warn("reason: " VAR_DNSSEC_PROBE " '%s' received no response: %s", + var_dnssec_probe, vstring_str(why)); + break; + } + myfree(saved_dnssec_probe); + vstring_free(why); +} diff -urN '--exclude=CVS' 
'--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.8/src/dns/test_dns_lookup.c new/postfix-3.5.9/src/dns/test_dns_lookup.c --- old/postfix-3.5.8/src/dns/test_dns_lookup.c 2016-02-22 00:06:59.000000000 +0100 +++ new/postfix-3.5.9/src/dns/test_dns_lookup.c 2021-01-16 17:24:08.000000000 +0100 @@ -77,6 +77,9 @@ int ch; int lflags = DNS_REQ_FLAG_NONE; + if (var_dnssec_probe == 0) + var_dnssec_probe = mystrdup(DEF_DNSSEC_PROBE); + msg_vstream_init(argv[0], VSTREAM_ERR); while ((ch = GETOPT(argc, argv, "f:npv")) > 0) { switch (ch) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.8/src/global/mail_params.c new/postfix-3.5.9/src/global/mail_params.c --- old/postfix-3.5.8/src/global/mail_params.c 2020-05-13 01:32:37.000000000 +0200 +++ new/postfix-3.5.9/src/global/mail_params.c 2021-01-16 16:51:12.000000000 +0100 @@ -152,6 +152,8 @@ /* char *var_maillog_file_comp; /* char *var_maillog_file_stamp; /* char *var_postlog_service; +/* +/* char *var_dnssec_probe; /* DESCRIPTION /* This module (actually the associated include file) defines /* the names and defaults of all mail configuration parameters. @@ -362,6 +364,8 @@ char *var_maillog_file_stamp; char *var_postlog_service; +char *var_dnssec_probe; + const char null_format_string[1] = ""; /* 
@@ -689,6 +693,7 @@ VAR_MAILLOG_FILE_COMP, DEF_MAILLOG_FILE_COMP, &var_maillog_file_comp, 1, 0, VAR_MAILLOG_FILE_STAMP, DEF_MAILLOG_FILE_STAMP, &var_maillog_file_stamp, 1, 0, VAR_POSTLOG_SERVICE, DEF_POSTLOG_SERVICE, &var_postlog_service, 1, 0, + VAR_DNSSEC_PROBE, DEF_DNSSEC_PROBE, &var_dnssec_probe, 0, 0, 0, }; static const CONFIG_BOOL_TABLE first_bool_defaults[] = { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.8/src/global/mail_params.h new/postfix-3.5.9/src/global/mail_params.h --- old/postfix-3.5.8/src/global/mail_params.h 2020-05-09 17:51:27.000000000 +0200 +++ new/postfix-3.5.9/src/global/mail_params.h 2021-01-17 14:11:47.000000000 +0100 @@ -1617,7 +1617,7 @@ /* SMTP only */ #define VAR_SMTP_TLS_INSECURE_MX_POLICY "smtp_tls_dane_insecure_mx_policy" -#define DEF_SMTP_TLS_INSECURE_MX_POLICY "dane" +#define DEF_SMTP_TLS_INSECURE_MX_POLICY "${{$smtp_tls_security_level} == {dane} ? {dane} : {may}}" extern char *var_smtp_tls_insecure_mx_policy; /* @@ -4202,6 +4202,13 @@ #define DEF_INFO_LOG_ADDR_FORM INFO_LOG_ADDR_FORM_NAME_EXTERNAL extern char *var_info_log_addr_form; + /* + * DNSSEC probing, to find out if DNSSEC validation is available. + */ +#define VAR_DNSSEC_PROBE "dnssec_probe" +#define DEF_DNSSEC_PROBE "ns:." +extern char *var_dnssec_probe; + /* LICENSE /* .ad /* .fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.8/src/global/mail_version.h new/postfix-3.5.9/src/global/mail_version.h --- old/postfix-3.5.8/src/global/mail_version.h 2020-11-07 22:27:54.000000000 +0100 +++ new/postfix-3.5.9/src/global/mail_version.h 2021-01-17 16:23:45.000000000 +0100 
@@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20201107" -#define MAIL_VERSION_NUMBER "3.5.8" +#define MAIL_RELEASE_DATE "20210117" +#define MAIL_VERSION_NUMBER "3.5.9" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.5.8/src/smtp/smtp.c new/postfix-3.5.9/src/smtp/smtp.c --- old/postfix-3.5.8/src/smtp/smtp.c 2020-03-08 15:53:22.000000000 +0100 +++ new/postfix-3.5.9/src/smtp/smtp.c 2021-01-16 17:30:07.000000000 +0100 @@ -330,6 +330,12 @@ /* .IP "\fBinfo_log_address_format (external)\fR" /* The email address form that will be used in non-debug logging /* (info, warning, etc.). +/* .PP +/* Available in Postfix 3.5.9 and later: +/* .IP "\fBdnssec_probe (ns:.)\fR" +/* The DNS query type (default: "ns") and DNS query name (default: +/* ".") that Postfix may use to determine whether DNSSEC validation +/* is available. /* MIME PROCESSING CONTROLS /* .ad /* .fi ++++++ postfix-SUSE.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-SUSE/config.postfix new/postfix-SUSE/config.postfix --- old/postfix-SUSE/config.postfix 2019-08-09 16:49:41.000000000 +0200 +++ new/postfix-SUSE/config.postfix 2021-01-27 16:11:35.035521646 +0100 @@ -12,7 +12,7 @@ if [ -d /run ]; then export RUN="/run" fi - +DEF_DB_TYPE=$(/usr/sbin/postconf -h default_database_type) cpifnewer(){ # remove files, that do no longer exist if [ -d $2 -a "$(echo $2/*)" != "$2/*" ]; then 
@@ -266,16 +266,16 @@ # Some default settings, that seem to be useable, at least to me $PCONF -e "mail_spool_directory = /var/mail" - $PCONF -e "canonical_maps = hash:/etc/postfix/canonical" + $PCONF -e "canonical_maps = $DEF_DB_TYPE:/etc/postfix/canonical" # virtual_alias_domains (default: $virtual_alias_maps) - #$PCONF -e "virtual_alias_domains = hash:/etc/postfix/virtual" - $PCONF -e "relocated_maps = hash:/etc/postfix/relocated" + #$PCONF -e "virtual_alias_domains = $DEF_DB_TYPE:/etc/postfix/virtual" + $PCONF -e "relocated_maps = $DEF_DB_TYPE:/etc/postfix/relocated" if [ "$(echo "$POSTFIX_TRANSPORT_MAPS" | tr 'A-Z' 'a-z' )" != "" ]; then $PCONF -e "transport_maps = $POSTFIX_TRANSPORT_MAPS" else - $PCONF -e "transport_maps = hash:/etc/postfix/transport" + $PCONF -e "transport_maps = $DEF_DB_TYPE:/etc/postfix/transport" fi - $PCONF -e "sender_canonical_maps = hash:/etc/postfix/sender_canonical" + $PCONF -e "sender_canonical_maps = $DEF_DB_TYPE:/etc/postfix/sender_canonical" $PCONF -e "masquerade_exceptions = root" $PCONF -e "masquerade_classes = envelope_sender, header_sender, header_recipient" if [ -n "${FQHOSTNAME}" ]; then @@ -428,7 +428,7 @@ case "$POSTFIX_BASIC_SPAM_PREVENTION" in medium) echo 1>&2 "Setting up medium SPAM protection..." - $PCONF -e "smtpd_sender_restrictions = hash:/etc/postfix/access, reject_unknown_sender_domain" + $PCONF -e "smtpd_sender_restrictions = $DEF_DB_TYPE:/etc/postfix/access, reject_unknown_sender_domain" if test -n "$POSTFIX_RBL_HOSTS"; then rblhosts=$(echo ${POSTFIX_RBL_HOSTS//,/ }) clnt_restrictions="" @@ -450,7 +450,7 @@ ;; hard) echo 1>&2 "Setting up hard SPAM protection..." - $PCONF -e "smtpd_sender_restrictions = hash:/etc/postfix/access, reject_unknown_sender_domain" + $PCONF -e "smtpd_sender_restrictions = $DEF_DB_TYPE:/etc/postfix/access, reject_unknown_sender_domain" if test -n "$POSTFIX_RBL_HOSTS"; then rblhosts=$(echo ${POSTFIX_RBL_HOSTS//,/ }) clnt_restrictions="" 
@@ -506,7 +506,7 @@ sender_restrictions=$(echo ${POSTFIX_SMTPD_SENDER_RESTRICTIONS/\ \+/,/ }) $PCONF -e "smtpd_sender_restrictions = $sender_restrictions" else - $PCONF -e "smtpd_sender_restrictions = hash:/etc/postfix/access, reject_unknown_sender_domain" + $PCONF -e "smtpd_sender_restrictions = $DEF_DB_TYPE:/etc/postfix/access, reject_unknown_sender_domain" fi if [ -n "$POSTFIX_SMTPD_RECIPIENT_RESTRICTIONS" ]; then rcpt_restrictions=$(echo ${POSTFIX_SMTPD_RECIPIENT_RESTRICTIONS/\ \+/,/ }) @@ -524,7 +524,7 @@ using \"off\" instead!" fi echo 1>&2 "Setting SPAM protection to \"off\"..." - $PCONF -e "smtpd_sender_restrictions = hash:/etc/postfix/access" + $PCONF -e "smtpd_sender_restrictions = $DEF_DB_TYPE:/etc/postfix/access" $PCONF -e "smtpd_client_restrictions =" $PCONF -e "smtpd_helo_required = no" $PCONF -e "smtpd_helo_restrictions =" @@ -536,7 +536,7 @@ if [ "$( echo "$POSTFIX_SMTP_AUTH" | tr 'A-Z' 'a-z' )" != "no" ]; then $PCONF -e "smtp_sasl_auth_enable = yes" $PCONF -e "smtp_sasl_security_options = $POSTFIX_SMTP_AUTH_OPTIONS" - $PCONF -e "smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd" + $PCONF -e "smtp_sasl_password_maps = $DEF_DB_TYPE:/etc/postfix/sasl_passwd" else $PCONF -e "smtp_sasl_auth_enable = no" $PCONF -e "smtp_sasl_security_options = " @@ -627,7 +627,7 @@ else $PCONF -e "smtpd_tls_key_file =" fi - $PCONF -e "relay_clientcerts = hash:/etc/postfix/relay_ccerts" + $PCONF -e "relay_clientcerts = $DEF_DB_TYPE:/etc/postfix/relay_ccerts" $PCONF -e "smtpd_tls_ask_ccert = yes" $PCONF -e "smtpd_tls_received_header = yes" touch -m -d "1 minute ago" $TMPDIR/main.cf 
@@ -681,7 +681,11 @@ else $PCONF -e "smtp_tls_key_file =" fi - $PCONF -e "smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache" + if [ $DEF_DB_TYPE = "hash" ]; then + $PCONF -e "smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache" + else + $PCONF -e "smtp_tls_session_cache_database = $DEF_DB_TYPE:/var/lib/postfix/smtp_tls_session_cache" + fi else $PCONF -e "smtp_tls_CAfile =" $PCONF -e "smtp_tls_CApath =" @@ -690,9 +694,9 @@ $PCONF -e "smtp_tls_session_cache_database =" fi - ALLMAPS="hash:/etc/aliases" + ALLMAPS="$DEF_DB_TYPE:/etc/aliases" for i in $(get_alias_maps); do - ALLMAPS="${ALLMAPS}, hash:$i" + ALLMAPS="${ALLMAPS}, $DEF_DB_TYPE:$i" done $PCONF -e "alias_maps = $ALLMAPS" @@ -730,6 +734,8 @@ my $pf_relay_domains = $ENV{POSTFIX_RELAY_DOMAINS}; +my $def_db_type = $ENV{DEF_DB_TYPE}; + open(MNCF,"<$mncf") || die "unable to open $mncf: $!"; while( <MNCF> ) { 
@@ -737,13 +743,13 @@ if( /\#?(virtual_alias_maps\s=\s).*/ ) { if ($with_mysql ne "yes" && $with_ldap ne "yes") { - $line = $1."hash:/etc/postfix/virtual"; + $line = $1."$def_db_type:/etc/postfix/virtual"; } elsif ($with_ldap eq "yes" && $with_mysql ne "yes") { - $line = $1."hash:/etc/postfix/virtual ldap:/etc/postfix/ldap_aliases.cf"; + $line = $1."$def_db_type:/etc/postfix/virtual ldap:/etc/postfix/ldap_aliases.cf"; } elsif ($with_mysql eq "yes" && $with_ldap ne "yes") { - $line = $1."hash:/etc/postfix/virtual mysql:/etc/postfix/mysql_virtual_alias_maps.cf mysql:/etc/postfix/mysql_virtual_alias_domain_maps.cf mysql:/etc/postfix/mysql_virtual_alias_domain_catchall_maps.cf"; + $line = $1."$def_db_type:/etc/postfix/virtual mysql:/etc/postfix/mysql_virtual_alias_maps.cf mysql:/etc/postfix/mysql_virtual_alias_domain_maps.cf mysql:/etc/postfix/mysql_virtual_alias_domain_catchall_maps.cf"; } elsif ($with_mysql eq "yes" && $with_ldap eq "yes") { - $line = $1."hash:/etc/postfix/virtual ldap:/etc/postfix/ldap_aliases.cf mysql:/etc/postfix/mysql_virtual_alias_maps.cf mysql:/etc/postfix/mysql_virtual_alias_domain_maps.cf mysql:/etc/postfix/mysql_virtual_alias_domain_catchall_maps.cf"; + $line = $1."$def_db_type:/etc/postfix/virtual ldap:/etc/postfix/ldap_aliases.cf mysql:/etc/postfix/mysql_virtual_alias_maps.cf mysql:/etc/postfix/mysql_virtual_alias_domain_maps.cf mysql:/etc/postfix/mysql_virtual_alias_domain_catchall_maps.cf"; } } elsif( /\#?(virtual_uid_maps\s=.*)/ ) { if ($with_mysql ne "yes") { 
@@ -819,9 +825,9 @@ } } elsif ( /^(relay_domains\s=\s).*/ ) { if ($with_mysql ne "yes") { - $line = $1."\$mydestination hash:/etc/postfix/relay $pf_relay_domains"; + $line = $1."\$mydestination $def_db_type:/etc/postfix/relay $pf_relay_domains"; } else { - $line = $1."\$mydestination hash:/etc/postfix/relay mysql:/etc/postfix/mysql_relay_domains_maps.cf $pf_relay_domains"; + $line = $1."\$mydestination $def_db_type:/etc/postfix/relay mysql:/etc/postfix/mysql_relay_domains_maps.cf $pf_relay_domains"; } } else { $line = $_; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-SUSE/sysconfig.postfix new/postfix-SUSE/sysconfig.postfix --- old/postfix-SUSE/sysconfig.postfix 2019-03-25 18:13:09.000000000 +0100 +++ new/postfix-SUSE/sysconfig.postfix 2021-01-27 16:11:35.035521646 +0100 @@ -186,15 +186,15 @@ ## Type: string ## Default: "" # Defaults by config.postfix: -# without MySQL: $mydestination hash:/etc/postfix/relay -# with MySQL: $mydestination hash:/etc/postfix/relay mysql:/etc/postfix/mysql_relay_domains_maps.cf +# without MySQL: $mydestination lmdb:/etc/postfix/relay +# with MySQL: $mydestination lmdb:/etc/postfix/relay mysql:/etc/postfix/mysql_relay_domains_maps.cf # # Here you can add further *maps.cf files if needed # POSTFIX_RELAY_DOMAINS="" ## Type: string -## Default: hash:/etc/postfix/transport +## Default: lmdb:/etc/postfix/transport # # The list of transport_maps postfix should look for # @@ -251,9 +251,9 @@ # # Example: # POSTFIX_SMTPD_CLIENT_RESTRICTIONS="permit_mynetworks, -# check_client_access hash:/etc/postfix/pop-before-smtp, -# check_client_access hash:/etc/postfix/relay, -# check_client_access hash:/etc/postfix/access, +# check_client_access lmdb:/etc/postfix/pop-before-smtp, +# check_client_access lmdb:/etc/postfix/relay, +# check_client_access lmdb:/etc/postfix/access, # reject_unknown_client_hostname, # reject_unauth_pipelining" # 
@@ -272,7 +272,7 @@ # # Example: # POSTFIX_SMTPD_HELO_RESTRICTIONS="permit_mynetworks, -# check_helo_access hash:/etc/postfix/helo_access, +# check_helo_access lmdb:/etc/postfix/helo_access, # reject_invalid_helo_hostname, # reject_non_fqdn_helo_hostname, # reject_unknown_helo_hostname, @@ -281,20 +281,20 @@ POSTFIX_SMTPD_HELO_RESTRICTIONS="" ## Type: string -## Default: "hash:/etc/postfix/access, reject_unknown_sender_domain" +## Default: "lmdb:/etc/postfix/access, reject_unknown_sender_domain" ## Config: postfix # # Fill "POSTFIX_SMTPD_SENDER_RESTRICTIONS" for completion of this RESTRICTION # # A comma or space separated list of restrictions # Note: if set to ... -# medium: "hash:/etc/postfix/access, reject_unknown_sender_domain" -# hard : "hash:/etc/postfix/access, reject_unknown_sender_domain" +# medium: "lmdb:/etc/postfix/access, reject_unknown_sender_domain" +# hard : "lmdb:/etc/postfix/access, reject_unknown_sender_domain" # # Example: # POSTFIX_SMTPD_SENDER_RESTRICTIONS=" -# check_sender_access hash:/etc/postfix/access, -# check_sender_a_access hash:/etc/postfix/access, +# check_sender_access lmdb:/etc/postfix/access, +# check_sender_a_access lmdb:/etc/postfix/access, # reject_non_fqdn_sender, # reject_unknown_sender_domain, # reject_unauth_pipelining" @@ -314,7 +314,7 @@ # # Example: # POSTFIX_SMTPD_RECIPIENT_RESTRICTIONS="permit_mynetworks, -# check_recipient_access hash:/etc/postfix/access, +# check_recipient_access lmdb:/etc/postfix/access, # reject_non_fqdn_recipient, # reject_unauth_destination, # reject_unknown_recipient_domain, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-SUSE/update_postmaps.systemd new/postfix-SUSE/update_postmaps.systemd --- old/postfix-SUSE/update_postmaps.systemd 2017-07-27 12:40:51.000000000 +0200 +++ new/postfix-SUSE/update_postmaps.systemd 2020-12-25 11:57:50.000000000 +0100 
@@ -4,7 +4,7 @@ # Author: Peter Varkoly # Please send feedback to http://www.suse.de/feedback/ # -# /etc/postfix/system/update_postmaps +# /usr/lib/postfix/systemd/update_postmaps # @@ -13,22 +13,34 @@ if [ -n "${POSTFIX_UPDATE_MAPS/[yY][Ee][Ss]/}" ]; then return fi +# find extension based on default database type +case $(postconf default_database_type) in + *hash) + e="db" + ;; + *lmdb) + e="lmdb" + ;; + *) + # not supported + return + ;; +esac # Update the postmaps for i in $POSTFIX_MAP_LIST; do p=${i#*:} [ x$p = x$i ] && p=644 m=/etc/postfix/${i%:*}; - d=$m.db + d=$m.$e if [ -e $m -a $m -nt $d ]; then postmap $m; fi chmod $p $d done for i in /etc/aliases /etc/aliases.d/*; do - m=${i/.db//} - d=$m.db + m=${i%.$e} + d=$m.$e if [ -e $m -a $m -nt $d ]; then postalias $m; fi done - ++++++ postfix-bdb-main.cf.patch ++++++ Index: conf/main.cf =================================================================== --- conf/main.cf.orig +++ conf/main.cf @@ -567,6 +567,7 @@ unknown_local_recipient_reject_code = 55 # #smtpd_banner = $myhostname ESMTP $mail_name #smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) +smtpd_banner = $myhostname ESMTP # PARALLEL DELIVERY TO THE SAME DESTINATION # 
@@ -673,4 +674,140 @@ sample_directory = # readme_directory: The location of the Postfix README files. # readme_directory = + +############################################################ +# +# before changing values manually consider editing +# /etc/sysconfig/postfix +# and run +# config.postfix +# +# if you miss a feature of config.postfix then just send a +# mail to chris@computersalat.de +# patches for new feature(s) are also welcome :) +# +############################################################ + +biff = no +content_filter = +delay_warning_time = 0h +disable_dns_lookups = no +disable_mime_output_conversion = no +disable_vrfy_command = yes +inet_interfaces = all inet_protocols = ipv4 +masquerade_classes = envelope_sender, header_sender, header_recipient +masquerade_domains = +masquerade_exceptions = +mydestination = $myhostname, localhost.$mydomain +myhostname = localhost +mynetworks_style = subnet +relayhost = + +alias_maps = +canonical_maps = +relocated_maps = +sender_canonical_maps = +transport_maps = +mail_spool_directory = /var/mail +message_strip_characters = +defer_transports = +mailbox_command = +mailbox_transport = +mailbox_size_limit = 0 +message_size_limit = 0 +strict_8bitmime = no +strict_rfc821_envelopes = no +smtpd_delay_reject = yes +smtpd_helo_required = no + +smtpd_client_restrictions = + +smtpd_helo_restrictions = + +smtpd_sender_restrictions = + +smtpd_recipient_restrictions = + + +############################################################ +# SASL stuff +############################################################ +smtp_sasl_auth_enable = no +smtp_sasl_security_options = +smtp_sasl_password_maps = +smtpd_sasl_auth_enable = no +# cyrus : smtpd_sasl_type = cyrus +# smtpd_sasl_path = smtpd +# dovecot : smtpd_sasl_type = dovecot +# smtpd_sasl_path = private/auth +smtpd_sasl_type = cyrus +smtpd_sasl_path = smtpd +############################################################ +# TLS stuff 
+############################################################ +#tls_append_default_CA = no +relay_clientcerts = +#tls_random_source = dev:/dev/urandom + +smtp_use_tls = no +#smtp_tls_loglevel = 0 +smtp_enforce_tls = no +smtp_tls_CAfile = +smtp_tls_CApath = +smtp_tls_cert_file = +smtp_tls_key_file = +#smtp_tls_policy_maps = hash:/etc/postfix/tls_policy +#smtp_tls_session_cache_timeout = 3600s +smtp_tls_session_cache_database = + +smtpd_use_tls = no +#smtpd_tls_loglevel = 0 +smtpd_tls_CAfile = +smtpd_tls_CApath = +smtpd_tls_cert_file = +smtpd_tls_key_file = +smtpd_tls_ask_ccert = no +smtpd_tls_exclude_ciphers = RC4 +smtpd_tls_received_header = no +############################################################ +# Start MySQL from postfixwiki.org +############################################################ +relay_domains = $mydestination, hash:/etc/postfix/relay +#virtual_alias_domains = +#virtual_alias_maps = hash:/etc/postfix/virtual +#virtual_uid_maps = static:303 +#virtual_gid_maps = static:303 +#virtual_minimum_uid = 303 +#virtual_mailbox_base = /srv/maildirs +#virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf +#virtual_mailbox_limit = 0 +#virtual_mailbox_limit_inbox = no +#virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf +## For dovecot LMTP replace 'virtual' with 'lmtp:unix:private/dovecot-lmtp' +#virtual_transport = virtual +## Additional for quota support +#virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf +#virtual_mailbox_limit_override = yes +### Needs Maildir++ compatible IMAP servers, like Courier-IMAP +#virtual_maildir_filter = yes +#virtual_maildir_filter_maps = hash:/etc/postfix/vfilter +#virtual_maildir_limit_message = Sorry, the user's maildir has overdrawn his diskspace quota, please try again later. 
+#virtual_maildir_limit_message_maps = hash:/etc/postfix/vmsg +#virtual_overquota_bounce = yes +#virtual_trash_count = yes +#virtual_trash_name = ".Trash" +############################################################ +# End MySQL from postfixwiki.org +############################################################ +# Rewrite reject codes +############################################################ +#unknown_address_reject_code = 550 +#unknown_client_reject_code = 550 +#unknown_hostname_reject_code = 550 +#unverified_recipient_reject_code = 550 +#soft_bounce = yes +############################################################ +#debug_peer_list = example.com +#debug_peer_level = 3 + ++++++ postfix-main.cf.patch ++++++ --- /var/tmp/diff_new_pack.E1P2gB/_old 2021-02-01 13:25:47.965878535 +0100 +++ /var/tmp/diff_new_pack.E1P2gB/_new 2021-02-01 13:25:47.969878541 +0100 
@@ -1,8 +1,46 @@ -Index: conf/main.cf -=================================================================== ---- conf/main.cf.orig -+++ conf/main.cf -@@ -567,6 +567,7 @@ unknown_local_recipient_reject_code = 55 +--- conf/main.cf-orig 2020-11-26 19:22:10.273349060 +0100 ++++ conf/main.cf 2020-11-26 19:22:57.917974110 +0100 +@@ -278,7 +278,7 @@ + # + #mynetworks = 168.100.189.0/28, 127.0.0.0/8 + #mynetworks = $config_directory/mynetworks +-#mynetworks = hash:/etc/postfix/network_table ++#mynetworks = lmdb:/etc/postfix/network_table + + # The relay_domains parameter restricts what destinations this system will + # relay mail to. See the smtpd_recipient_restrictions description in +@@ -343,7 +343,7 @@ + # In the left-hand side, specify an @domain.tld wild-card, or specify + # a user@domain.tld address. + # +-#relay_recipient_maps = hash:/etc/postfix/relay_recipients ++#relay_recipient_maps = lmdb:/etc/postfix/relay_recipients + + # INPUT RATE CONTROL + # +@@ -398,8 +398,8 @@ + # "postfix reload" to eliminate the delay. + # + #alias_maps = dbm:/etc/aliases +-#alias_maps = hash:/etc/aliases +-#alias_maps = hash:/etc/aliases, nis:mail.aliases ++#alias_maps = lmdb:/etc/aliases ++#alias_maps = lmdb:/etc/aliases, nis:mail.aliases + #alias_maps = netinfo:/aliases + + # The alias_database parameter specifies the alias database(s) that +@@ -409,8 +409,8 @@ + # + #alias_database = dbm:/etc/aliases + #alias_database = dbm:/etc/mail/aliases +-#alias_database = hash:/etc/aliases +-#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases ++#alias_database = lmdb:/etc/aliases ++#alias_database = lmdb:/etc/aliases, lmdb:/opt/majordomo/aliases + + # ADDRESS EXTENSIONS (e.g., user+foo) + # +@@ -567,6 +567,7 @@ # #smtpd_banner = $myhostname ESMTP $mail_name #smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) 
@@ -10,7 +48,7 @@ # PARALLEL DELIVERY TO THE SAME DESTINATION # -@@ -673,4 +674,140 @@ sample_directory = +@@ -673,4 +674,140 @@ # readme_directory: The location of the Postfix README files. # readme_directory = @@ -97,7 +135,7 @@ +smtp_tls_CApath = +smtp_tls_cert_file = +smtp_tls_key_file = -+#smtp_tls_policy_maps = hash:/etc/postfix/tls_policy ++#smtp_tls_policy_maps = lmdb:/etc/postfix/tls_policy +#smtp_tls_session_cache_timeout = 3600s +smtp_tls_session_cache_database = + @@ -113,9 +151,9 @@ +############################################################ +# Start MySQL from postfixwiki.org +############################################################ -+relay_domains = $mydestination, hash:/etc/postfix/relay ++relay_domains = $mydestination, lmdb:/etc/postfix/relay +#virtual_alias_domains = -+#virtual_alias_maps = hash:/etc/postfix/virtual ++#virtual_alias_maps = lmdb:/etc/postfix/virtual +#virtual_uid_maps = static:303 +#virtual_gid_maps = static:303 +#virtual_minimum_uid = 303 
@@ -131,9 +169,9 @@ +#virtual_mailbox_limit_override = yes +### Needs Maildir++ compatible IMAP servers, like Courier-IMAP +#virtual_maildir_filter = yes -+#virtual_maildir_filter_maps = hash:/etc/postfix/vfilter ++#virtual_maildir_filter_maps = lmdb:/etc/postfix/vfilter +#virtual_maildir_limit_message = Sorry, the user's maildir has overdrawn his diskspace quota, please try again later. -+#virtual_maildir_limit_message_maps = hash:/etc/postfix/vmsg ++#virtual_maildir_limit_message_maps = lmdb:/etc/postfix/vmsg +#virtual_overquota_bounce = yes +#virtual_trash_count = yes +#virtual_trash_name = ".Trash" ++++++ pre_checkin.sh ++++++ #!/bin/bash echo -n "Generating postfix-bdb " cp postfix.changes postfix-bdb.changes VERSION=$(awk '/^Version/ {print $2; exit;} {next;};' < postfix.spec) perl -pi -e "s/^Version:.*/Version: $VERSION/" postfix-bdb.spec echo "Done." ++++++ set-default-db-type.patch ++++++ --- src/util/sys_defs.h.orig 2021-01-04 13:12:06.272285413 +0100 +++ src/util/sys_defs.h 2021-01-04 13:12:38.412720371 +0100 @@ -51,7 +51,7 @@ #define HAS_FSYNC #define HAS_DB #define HAS_SA_LEN -#define NATIVE_DB_TYPE "hash" +#define NATIVE_DB_TYPE "lmdb" #if (defined(__NetBSD_Version__) && __NetBSD_Version__ >= 104250000) #define ALIAS_DB_MAP DEF_DB_TYPE ":/etc/mail/aliases" /* sendmail 8.10 */ #endif @@ -232,7 +232,7 @@ #define HAS_FSYNC #define HAS_DB #define HAS_SA_LEN -#define NATIVE_DB_TYPE "hash" +#define NATIVE_DB_TYPE "lmdb" #define ALIAS_DB_MAP DEF_DB_TYPE ":/etc/aliases" #define GETTIMEOFDAY(t) gettimeofday(t,(struct timezone *) 0) #define ROOT_PATH "/bin:/usr/bin:/sbin:/usr/sbin" @@ -289,7 +289,7 @@ #define HAS_FSYNC /* might be set by makedef */ #ifdef HAS_DB -#define NATIVE_DB_TYPE "hash" +#define NATIVE_DB_TYPE "lmdb" #define ALIAS_DB_MAP DEF_DB_TYPE ":/etc/aliases" #else #define HAS_DBM 
@@ -761,7 +761,7 @@ #define DEF_MAILBOX_LOCK "fcntl, dotlock" /* RedHat >= 4.x */ #define HAS_FSYNC #define HAS_DB -#define NATIVE_DB_TYPE "hash" +#define NATIVE_DB_TYPE "lmdb" #define ALIAS_DB_MAP DEF_DB_TYPE ":/etc/aliases" #ifndef NO_NIS #define HAS_NIS @@ -841,7 +841,7 @@ #define DEF_MAILBOX_LOCK "dotlock" /* verified RedHat 3.03 */ #define HAS_FSYNC #define HAS_DB -#define NATIVE_DB_TYPE "hash" +#define NATIVE_DB_TYPE "lmdb" #define ALIAS_DB_MAP DEF_DB_TYPE ":/etc/aliases" #ifndef NO_NIS #define HAS_NIS @@ -874,7 +874,7 @@ #define DEF_MAILBOX_LOCK "fcntl, dotlock" /* RedHat >= 4.x */ #define HAS_FSYNC #define HAS_DB -#define NATIVE_DB_TYPE "hash" +#define NATIVE_DB_TYPE "lmdb" #define ALIAS_DB_MAP DEF_DB_TYPE ":/etc/aliases" #ifndef NO_NIS #define HAS_NIS @@ -1199,7 +1199,7 @@ #define INTERNAL_LOCK MYFLOCK_STYLE_FCNTL #define DEF_MAILBOX_LOCK "fcntl, dotlock" #define HAS_FSYNC -#define NATIVE_DB_TYPE "hash" +#define NATIVE_DB_TYPE "lmdb" #define ALIAS_DB_MAP DEF_DB_TYPE ":/etc/aliases" /* Uncomment the following line if you have NIS package installed */ /* #define HAS_NIS */ --- src/global/mail_params.h.orig 2020-05-09 17:51:27.000000000 +0200 +++ src/global/mail_params.h 2020-12-25 21:04:11.428544623 +0100 @@ -2826,7 +2826,7 @@ extern int var_vrfy_pend_limit; extern char *var_verify_service; #define VAR_VERIFY_MAP "address_verify_map" -#define DEF_VERIFY_MAP "btree:$data_directory/verify_cache" +#define DEF_VERIFY_MAP "lmdb:$data_directory/verify_cache" extern char *var_verify_map; #define VAR_VERIFY_POS_EXP "address_verify_positive_expire_time" 
@@ -3594,7 +3594,7 @@ extern char *var_multi_cntrl_cmds; * postscreen(8) */ #define VAR_PSC_CACHE_MAP "postscreen_cache_map" -#define DEF_PSC_CACHE_MAP "btree:$data_directory/postscreen_cache" +#define DEF_PSC_CACHE_MAP "lmdb:$data_directory/postscreen_cache" extern char *var_psc_cache_map; #define VAR_SMTPD_SERVICE "smtpd_service_name" --- man/man1/postmap.1.orig 2021-01-05 10:57:44.915488687 +0100 +++ man/man1/postmap.1 2021-01-05 11:10:12.377571721 +0100 @@ -63,7 +63,7 @@ By default the lookup key is mapped to lowercase to make the lookups case insensitive; as of Postfix 2.3 this case folding happens only with tables whose lookup keys are -fixed\-case strings such as btree:, dbm: or hash:. With +fixed\-case strings such as dbm:. With earlier versions, the lookup key is folded even with tables where a lookup field can match both upper and lower case text, such as regexp: and pcre:. This resulted in loss of @@ -210,9 +210,9 @@ The \fBpostmap\fR(1) command can query any supported file type, but it can create only the following file types: .RS -.IP \fBbtree\fR -The output file is a btree file, named \fIfile_name\fB.db\fR. -This is available on systems with support for \fBdb\fR databases. +.IP \fBlmdb\fR +The output file is a lmdb file, named \fIfile_name\fB.lmdb\fR. +This is available on systems with support for \fBlmdb\fR databases. .IP \fBcdb\fR The output consists of one file, named \fIfile_name\fB.cdb\fR. This is available on systems with support for \fBcdb\fR databases. @@ -220,9 +220,6 @@ The output consists of two files, named \fIfile_name\fB.pag\fR and \fIfile_name\fB.dir\fR. This is available on systems with support for \fBdbm\fR databases. -.IP \fBhash\fR -The output file is a hashed file, named \fIfile_name\fB.db\fR. -This is available on systems with support for \fBdb\fR databases. .IP \fBfail\fR A table that reliably fails all requests. The lookup table name is used for logging only. This table exists to simplify 
@@ -267,12 +264,6 @@ this program. The text below provides only a parameter summary. See \fBpostconf\fR(5) for more details including examples. -.IP "\fBberkeley_db_create_buffer_size (16777216)\fR" -The per\-table I/O buffer size for programs that create Berkeley DB -hash or btree tables. -.IP "\fBberkeley_db_read_buffer_size (131072)\fR" -The per\-table I/O buffer size for programs that read Berkeley DB -hash or btree tables. .IP "\fBconfig_directory (see 'postconf -d' output)\fR" The default location of the Postfix main.cf and master.cf configuration files. --- man/man1/postalias.1.orig 2021-01-05 10:58:04.579753235 +0100 +++ man/man1/postalias.1 2021-01-05 11:08:10.135919006 +0100 @@ -34,7 +34,7 @@ By default the lookup key is mapped to lowercase to make the lookups case insensitive; as of Postfix 2.3 this case folding happens only with tables whose lookup keys are -fixed\-case strings such as btree:, dbm: or hash:. With +fixed\-case strings such as dbm:. With earlier versions, the lookup key is folded even with tables where a lookup field can match both upper and lower case text, such as regexp: and pcre:. This resulted in loss of @@ -122,9 +122,9 @@ The \fBpostalias\fR(1) command can query any supported file type, but it can create only the following file types: .RS -.IP \fBbtree\fR -The output is a btree file, named \fIfile_name\fB.db\fR. -This is available on systems with support for \fBdb\fR databases. +.IP \fBlmdb\fR +The output is a lmdb file, named \fIfile_name\fB.lmdb\fR. +This is available on systems with support for \fBlmdb\fR databases. .IP \fBcdb\fR The output is one file named \fIfile_name\fB.cdb\fR. This is available on systems with support for \fBcdb\fR databases. 
@@ -132,9 +132,6 @@ The output consists of two files, named \fIfile_name\fB.pag\fR and \fIfile_name\fB.dir\fR. This is available on systems with support for \fBdbm\fR databases. -.IP \fBhash\fR -The output is a hashed file, named \fIfile_name\fB.db\fR. -This is available on systems with support for \fBdb\fR databases. .IP \fBfail\fR A table that reliably fails all requests. The lookup table name is used for logging only. This table exists to simplify @@ -187,12 +184,6 @@ .IP "\fBconfig_directory (see 'postconf -d' output)\fR" The default location of the Postfix main.cf and master.cf configuration files. -.IP "\fBberkeley_db_create_buffer_size (16777216)\fR" -The per\-table I/O buffer size for programs that create Berkeley DB -hash or btree tables. -.IP "\fBberkeley_db_read_buffer_size (131072)\fR" -The per\-table I/O buffer size for programs that read Berkeley DB -hash or btree tables. .IP "\fBdefault_database_type (see 'postconf -d' output)\fR" The default database type for use in \fBnewaliases\fR(1), \fBpostalias\fR(1) and \fBpostmap\fR(1) commands.
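Review bot: in the TLS section of the block appended to main.cf (hunk @@ -673,4 +674,140 @@), TLS is controlled through `smtp_use_tls = no`, `smtp_enforce_tls = no` and `smtpd_use_tls = no`. These are the legacy on/off switches that Postfix superseded with `smtp_tls_security_level` and `smtpd_tls_security_level`. Setting the security-level parameters in the template instead (for example `may` for opportunistic TLS) would give config.postfix one current knob per direction. `smtpd_tls_exclude_ciphers = RC4` is the only cipher exclusion, and nothing in the block restricts protocol versions. The same block combines `inet_interfaces = all` with `mynetworks_style = subnet`, so the shipped template listens on every interface and treats the whole local subnet as trusted clients; `mynetworks_style = host` would be the more conservative default.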
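Review bot: in postfix-main.cf.patch, the converted `relay_domains` line is the one map reference that is not a comment: `+relay_domains = $mydestination, lmdb:/etc/postfix/relay`. Every other `hash:` to `lmdb:` change in this file touches a commented-out example, but this one is live configuration. A system that previously ran with `hash:/etc/postfix/relay` has only the Berkeley DB file for that table, so the changes entry or the package scriptlets should state that the table has to be rebuilt with postmap for the new type before this setting is used.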
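Review bot: in set-default-db-type.patch, the src/util/sys_defs.h hunk at @@ -289,7 +289,7 @@ leaves the new default inside `#ifdef HAS_DB`, and the other platform blocks still place it directly under `#define HAS_DB`. That ties `NATIVE_DB_TYPE "lmdb"` to the Berkeley DB feature macro, while the stated goal of the change is a build without Berkeley DB. In the @@ -289 block a build where HAS_DB is not defined falls through to the `#else` / `#define HAS_DBM` branch and never gets the lmdb default. Guarding the default on the LMDB feature macro (HAS_LMDB in Postfix builds), or at least adding a comment that explains why HAS_DB is kept, would make the intent checkable.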
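Review bot: in the src/global/mail_params.h hunks, `DEF_VERIFY_MAP` and `DEF_PSC_CACHE_MAP` switch from `btree:` to `lmdb:` on the same `$data_directory` paths, and nothing in the patch says what happens to the existing cache files. After the change the address verification cache and the postscreen cache start empty in new lmdb files, and the old btree files are left behind. A line in the changes file noting that both caches are reset, and that the old files can be removed, would cover this.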
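Review bot: in man/man1/postmap.1 (hunk @@ -63,7 +63,7 @@) and man/man1/postalias.1 (hunk @@ -34,7 +34,7 @@), the case-folding sentence now reads `fixed\-case strings such as dbm:.`, which drops btree: and hash: without adding lmdb:. The same pages now document lmdb as the file type these commands create, so lmdb: should be listed in that sentence. The new `.IP \fBlmdb\fR` entries also say "a lmdb file", which should read "an lmdb file".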