import postfix-3.3.1-12.el8_3.1

SOURCES/postfix-3.3.1-tlsv13.patch

@@ -0,0 +1,124 @@
+--- postfix-3.3.1/man/man5/postconf.5
++++ postfix-3.3.2/man/man5/postconf.5
+@@ -8076,6 +8077,9 @@
+ "SSLv3").  The latest patch levels of Postfix >= 2.6, and all
+ versions of Postfix >= 2.10 can explicitly disable support for
+ "TLSv1.1" or "TLSv1.2".
++.PP
++OpenSSL 1.1.1 introduces support for "TLSv1.3".  With Postfix
++this can be disabled, if need be, via "!TLSv1.3".
+ .PP
+ At the dane and
+ dane\-only security
+@@ -8391,6 +8397,9 @@
+ and "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all
+ versions of Postfix >= 2.10 can explicitly disable support for
+ "TLSv1.1" or "TLSv1.2"
++.PP
++OpenSSL 1.1.1 introduces support for "TLSv1.3".  With Postfix
++this can be disabled, if need be, via "!TLSv1.3".
+ .PP
+ To include a protocol list its name, to exclude it, prefix the name
+ with a "!" character. To exclude SSLv2 for opportunistic TLS set
+@@ -11669,6 +11679,9 @@
+ versions of Postfix >= 2.10 can disable support for "TLSv1.1" or
+ "TLSv1.2".
+ .PP
++OpenSSL 1.1.1 introduces support for "TLSv1.3".  With Postfix
++this can be disabled, if need be, via "!TLSv1.3".
++.PP
+ Example:
+ .PP
+ .nf
+@@ -11697,6 +11711,9 @@
+ and "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all
+ versions of Postfix >= 2.10 can disable support for "TLSv1.1" or
+ "TLSv1.2".
++.PP
++OpenSSL 1.1.1 introduces support for "TLSv1.3".  With Postfix
++this can be disabled, if need be, via "!TLSv1.3".
+ .PP
+ To include a protocol list its name, to exclude it, prefix the name
+ with a "!" character. To exclude SSLv2 for opportunistic TLS set
+--- postfix-3.3.1/proto/postconf.proto
++++ postfix-3.3.2/proto/postconf.proto
+@@ -11208,6 +11210,9 @@
+ "SSLv3").  The latest patch levels of Postfix ≥ 2.6, and all
+ versions of Postfix ≥ 2.10 can explicitly disable support for
+ "TLSv1.1" or "TLSv1.2". </p>
++
++<p> OpenSSL 1.1.1 introduces support for "TLSv1.3".  With Postfix
++this can be disabled, if need be, via "!TLSv1.3". </p>
+ 
+ <p> At the <a href="TLS_README.html#client_tls_dane">dane</a> and
+ <a href="TLS_README.html#client_tls_dane">dane-only</a> security
+@@ -11405,6 +11411,9 @@
+ disabled.  The latest patch levels of Postfix &ge; 2.6, and all
+ versions of Postfix &ge; 2.10 can disable support for "TLSv1.1" or
+ "TLSv1.2". </p>
++
++<p> OpenSSL 1.1.1 introduces support for "TLSv1.3".  With Postfix
++this can be disabled, if need be, via "!TLSv1.3". </p>
+ 
+ <p> Example: </p>
+ 
+@@ -12561,6 +12573,9 @@
+ and "TLSv1.2". The latest patch levels of Postfix &ge; 2.6, and all
+ versions of Postfix &ge; 2.10 can explicitly disable support for
+ "TLSv1.1" or "TLSv1.2"</p>
++
++<p> OpenSSL 1.1.1 introduces support for "TLSv1.3".  With Postfix
++this can be disabled, if need be, via "!TLSv1.3". </p>
+ 
+ <p> To include a protocol list its name, to exclude it, prefix the name
+ with a "!" character. To exclude SSLv2 for opportunistic TLS set
+@@ -12593,6 +12609,9 @@
+ and "TLSv1.2". The latest patch levels of Postfix &ge; 2.6, and all
+ versions of Postfix &ge; 2.10 can disable support for "TLSv1.1" or
+ "TLSv1.2". </p>
++
++<p> OpenSSL 1.1.1 introduces support for "TLSv1.3".  With Postfix
++this can be disabled, if need be, via "!TLSv1.3". </p>
+ 
+ <p> To include a protocol list its name, to exclude it, prefix the name
+ with a "!" character. To exclude SSLv2 for opportunistic TLS set
+--- postfix-3.3.1/src/tls/tls.h
++++ postfix-3.3.2/src/tls/tls.h
+@@ -372,10 +415,15 @@
+ #define SSL_OP_NO_TLSv1_2	0L	/* Noop */
+ #endif
+ 
+-#ifdef SSL_TXT_TLSV1_3
++ /*
++  * OpenSSL 1.1.1 does not define a TXT macro for TLS 1.3, so we roll our
++  * own.
++  */
++#define TLS_PROTOCOL_TXT_TLSV1_3	"TLSv1.3"
++
++#if defined(TLS1_3_VERSION) && defined(SSL_OP_NO_TLSv1_3)
+ #define TLS_PROTOCOL_TLSv1_3	(1<<5)	/* TLSv1_3 */
+ #else
+-#define SSL_TXT_TLSV1_3		"TLSv1.3"
+ #define TLS_PROTOCOL_TLSv1_3	0	/* Unknown */
+ #undef  SSL_OP_NO_TLSv1_3
+ #define SSL_OP_NO_TLSv1_3	0L	/* Noop */
+@@ -383,7 +431,7 @@
+ 
+ #define TLS_KNOWN_PROTOCOLS \
+ 	( TLS_PROTOCOL_SSLv2 | TLS_PROTOCOL_SSLv3 | TLS_PROTOCOL_TLSv1 \
+-	   | TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 )
++	   | TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3 )
+ #define TLS_SSL_OP_PROTOMASK(m) \
+ 	    ((((m) & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L) \
+ 	     | (((m) & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L) \
+--- postfix-3.3.1/src/tls/tls_misc.c
++++ postfix-3.3.2/src/tls/tls_misc.c
+@@ -279,7 +306,7 @@
+     SSL_TXT_TLSV1, TLS_PROTOCOL_TLSv1,
+     SSL_TXT_TLSV1_1, TLS_PROTOCOL_TLSv1_1,
+     SSL_TXT_TLSV1_2, TLS_PROTOCOL_TLSv1_2,
+-    SSL_TXT_TLSV1_3, TLS_PROTOCOL_TLSv1_3,
++    TLS_PROTOCOL_TXT_TLSV1_3, TLS_PROTOCOL_TLSv1_3,
+     0, TLS_PROTOCOL_INVALID,
+ };
+ 

SPECS/postfix.spec

@@ -48,7 +48,7 @@
 Name: postfix
 Summary: Postfix Mail Transport Agent
 Version: 3.3.1
-Release: 12%{?dist}
+Release: 12%{?dist}.1
 Epoch: 2
 Group: System Environment/Daemons
 URL: http://www.postfix.org
@@ -96,6 +96,7 @@ Patch9: pflogsumm-1.1.5-datecalc.patch
 Patch10: pflogsumm-1.1.5-ipv6-warnings-fix.patch
 # rhbz#1723950, included upstream
 Patch11: postfix-3.3.1-ref-search-fix.patch
+Patch12: postfix-3.3.1-tlsv13.patch
 
 # Optional patches - set the appropriate environment variables to include
 #                    them when building the package/spec file
@@ -221,6 +222,7 @@ pushd pflogsumm-%{pflogsumm_ver}
 popd
 %endif
 %patch11 -p1 -b .ref-search-fix
+%patch12 -p1 -b .tlsv13
 
 for f in README_FILES/TLS_{LEGACY_,}README TLS_ACKNOWLEDGEMENTS; do
 	iconv -f iso8859-1 -t utf8 -o ${f}{_,} &&
@@ -719,6 +721,10 @@ exit 0
 %endif
 
 %changelog
+* Tue Jan 26 2021 Jan Zerdik <jzerdik@redhat.com> - 2:3.3.1-12.1
+- Backported support for disabling of TLSv1.3
+  Resolves: rhbz#1919233
+
 * Mon Dec 16 2019 Jaroslav Škarvada <jskarvad@redhat.com> - 2:3.3.1-12
 - Fixed DNS resolver to use ref_search instead of ref_query
   Resolves: rhbz#1723950