diff --git a/.gitignore b/.gitignore
index 6725802..e27edc8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 SOURCES/pflogsumm-1.1.5.tar.gz
-SOURCES/postfix-3.3.1.tar.gz
+SOURCES/postfix-3.5.8.tar.gz
diff --git a/.postfix.metadata b/.postfix.metadata
index 0735629..32c6f41 100644
--- a/.postfix.metadata
+++ b/.postfix.metadata
@@ -1,2 +1,2 @@
 d18daa19d725e64c2b7e6c8da458b2d563272645 SOURCES/pflogsumm-1.1.5.tar.gz
-1b56e682298abf947be4921a5c0d50ba8012eee1 SOURCES/postfix-3.3.1.tar.gz
+1dfb10729498be5d387dc730117c2a845dd93ac0 SOURCES/postfix-3.5.8.tar.gz
diff --git a/SOURCES/README-RedHat.txt b/SOURCES/README-RedHat.txt
new file mode 100644
index 0000000..713eaf6
--- /dev/null
+++ b/SOURCES/README-RedHat.txt
@@ -0,0 +1,65 @@
+This Postfix build behaves differently from the upstream postfix-3.5.8.
+It's because in RHEL-8 backward compatibility is kept to postfix-3.3.1.
+
+For the upstream postfix-3.5.8 behavior either run the following commands:
+
+# postconf info_log_address_format=external
+# postconf smtpd_discard_ehlo_keywords=
+# postconf rhel_ipv6_normalize=yes
+
+Or go through the following steps:
+
+1. Change the configuration option 'info_log_address_format' to 'external'.
+In RHEL-8 it's by default set to 'internal' to mitigate [Incompat 20191109].
+
+2. Change the configuration option 'smtpd_discard_ehlo_keywords' to ''.
+In RHEL-8 it's by default set to 'chunking' to mitigate [Incompat 20180826].
+
+3. Add RHEL-8 specific configuration option 'rhel_ipv6_normalize' and set it
+to 'yes'. In RHEL-8 this option was added to mitigate [Incompat 20190427].
+
+Details from the upstream RELEASE_NOTES:
+
+[Incompat 20191109]
+Postfix daemon processes now log the from= and
+to= addresses in external (quoted) form in non-debug logging (info,
+warning, etc.). This means that when an address localpart contains
+spaces or other special characters, the localpart will be quoted,
+for example:
+
+ from=<"name with spaces"@example.com>
+
+Older Postfix versions would log the internal (unquoted) form:
+
+ from=
+
+The external and internal forms are identical for the vast majority
+of email addresses that contain no spaces or other special characters
+in the localpart.
+
+Specify "info_log_address_format = internal" for backwards
+compatibility.
+
+The logging in external form is consistent with the address form
+that Postfix 3.2 and later prefer for table lookups. It is therefore
+the more useful form for non-debug logging.
+
+[Incompat 20180826]
+The Postfix SMTP server announces CHUNKING (BDAT
+command) by default. In the unlikely case that this breaks some
+important remote SMTP client, disable the feature as follows:
+
+/etc/postfix/main.cf:
+ # The logging alternative:
+ smtpd_discard_ehlo_keywords = chunking
+ # The non-logging alternative:
+ smtpd_discard_ehlo_keywords = chunking, silent_discard
+
+See BDAT_README for more.
+
+[Incompat 20190427]
+Postfix now normalizes IP addresses received
+with XCLIENT, XFORWARD, or with the HaProxy protocol, for consistency
+with direct connections to Postfix. This may change the appearance
+of logging, and the way that check_client_access will match subnets
+of an IPv6 address.
diff --git a/SOURCES/postfix-3.3.1-posttls-finger-unix-fix.patch b/SOURCES/postfix-3.3.1-posttls-finger-unix-fix.patch
deleted file mode 100644
index cbfe96d..0000000
--- a/SOURCES/postfix-3.3.1-posttls-finger-unix-fix.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/src/posttls-finger/posttls-finger.c b/src/posttls-finger/posttls-finger.c
-index 5f559b4..86a8b01 100644
---- a/src/posttls-finger/posttls-finger.c
-+++ b/src/posttls-finger/posttls-finger.c
-@@ -1409,7 +1409,7 @@ static int connect_dest(STATE *state)
- */
- if (state->smtp == 0) {
- if (strncmp(dest, "unix:", 5) == 0) {
-- connect_unix(state, dest + 5);
-+ state->stream = connect_unix(state, dest + 5);
- if (!state->stream)
- msg_info("Failed to establish session to %s: %s",
- dest, vstring_str(state->why->reason));
diff --git a/SOURCES/postfix-3.3.1-ref-search-fix.patch b/SOURCES/postfix-3.3.1-ref-search-fix.patch
deleted file mode 100644
index c7d831e..0000000
--- a/SOURCES/postfix-3.3.1-ref-search-fix.patch
+++ /dev/null
@@ -1,13 +0,0 @@ -diff --git a/src/dns/dns_lookup.c b/src/dns/dns_lookup.c -index 1ea98b3..1bfeb7e 100644 ---- a/src/dns/dns_lookup.c -+++ b/src/dns/dns_lookup.c -@@ -396,7 +396,7 @@ static int dns_res_search(const char *name, int class, int type, - if (keep_notfound) - /* Prepare for returning a null-padded server reply. */ - memset(answer, 0, anslen); -- len = res_query(name, class, type, answer, anslen); -+ len = res_search(name, class, type, answer, anslen); - /* Begin API creep workaround. */ - if (len < 0 && h_errno == 0) { - SET_H_ERRNO(TRY_AGAIN); diff --git a/SOURCES/postfix-3.3.1-tlsv13.patch b/SOURCES/postfix-3.3.1-tlsv13.patch deleted file mode 100644 index 0dfb935..0000000 --- a/SOURCES/postfix-3.3.1-tlsv13.patch +++ /dev/null 
@@ -1,124 +0,0 @@ ---- postfix-3.3.1/man/man5/postconf.5 -+++ postfix-3.3.2/man/man5/postconf.5 -@@ -8076,6 +8077,9 @@ - "SSLv3"). The latest patch levels of Postfix >= 2.6, and all - versions of Postfix >= 2.10 can explicitly disable support for - "TLSv1.1" or "TLSv1.2". -+.PP -+OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix -+this can be disabled, if need be, via "!TLSv1.3". - .PP - At the dane and - dane\-only security -@@ -8391,6 +8397,9 @@ - and "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all - versions of Postfix >= 2.10 can explicitly disable support for - "TLSv1.1" or "TLSv1.2" -+.PP -+OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix -+this can be disabled, if need be, via "!TLSv1.3". - .PP - To include a protocol list its name, to exclude it, prefix the name - with a "!" character. To exclude SSLv2 for opportunistic TLS set -@@ -11669,6 +11679,9 @@ - versions of Postfix >= 2.10 can disable support for "TLSv1.1" or - "TLSv1.2". - .PP -+OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix -+this can be disabled, if need be, via "!TLSv1.3". -+.PP - Example: - .PP - .nf -@@ -11697,6 +11711,9 @@ - and "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all - versions of Postfix >= 2.10 can disable support for "TLSv1.1" or - "TLSv1.2". -+.PP -+OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix -+this can be disabled, if need be, via "!TLSv1.3". - .PP - To include a protocol list its name, to exclude it, prefix the name - with a "!" character. To exclude SSLv2 for opportunistic TLS set ---- postfix-3.3.1/proto/postconf.proto -+++ postfix-3.3.2/proto/postconf.proto -@@ -11208,6 +11210,9 @@ - "SSLv3"). The latest patch levels of Postfix ≥ 2.6, and all - versions of Postfix ≥ 2.10 can explicitly disable support for - "TLSv1.1" or "TLSv1.2".

-+ -+

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix -+this can be disabled, if need be, via "!TLSv1.3".

- -

At the dane and - dane-only security -@@ -11405,6 +11411,9 @@ - disabled. The latest patch levels of Postfix ≥ 2.6, and all - versions of Postfix ≥ 2.10 can disable support for "TLSv1.1" or - "TLSv1.2".

-+ -+

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix -+this can be disabled, if need be, via "!TLSv1.3".

- -

Example:

- -@@ -12561,6 +12573,9 @@ - and "TLSv1.2". The latest patch levels of Postfix ≥ 2.6, and all - versions of Postfix ≥ 2.10 can explicitly disable support for - "TLSv1.1" or "TLSv1.2"

-+ -+

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix -+this can be disabled, if need be, via "!TLSv1.3".

- -

To include a protocol list its name, to exclude it, prefix the name - with a "!" character. To exclude SSLv2 for opportunistic TLS set -@@ -12593,6 +12609,9 @@ - and "TLSv1.2". The latest patch levels of Postfix ≥ 2.6, and all - versions of Postfix ≥ 2.10 can disable support for "TLSv1.1" or - "TLSv1.2".

-+ -+

OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix -+this can be disabled, if need be, via "!TLSv1.3".

- -

To include a protocol list its name, to exclude it, prefix the name - with a "!" character. To exclude SSLv2 for opportunistic TLS set ---- postfix-3.3.1/src/tls/tls.h -+++ postfix-3.3.2/src/tls/tls.h -@@ -372,10 +415,15 @@ - #define SSL_OP_NO_TLSv1_2 0L /* Noop */ - #endif - --#ifdef SSL_TXT_TLSV1_3 -+ /* -+ * OpenSSL 1.1.1 does not define a TXT macro for TLS 1.3, so we roll our -+ * own. -+ */ -+#define TLS_PROTOCOL_TXT_TLSV1_3 "TLSv1.3" -+ -+#if defined(TLS1_3_VERSION) && defined(SSL_OP_NO_TLSv1_3) - #define TLS_PROTOCOL_TLSv1_3 (1<<5) /* TLSv1_3 */ - #else --#define SSL_TXT_TLSV1_3 "TLSv1.3" - #define TLS_PROTOCOL_TLSv1_3 0 /* Unknown */ - #undef SSL_OP_NO_TLSv1_3 - #define SSL_OP_NO_TLSv1_3 0L /* Noop */ -@@ -383,7 +431,7 @@ - - #define TLS_KNOWN_PROTOCOLS \ - ( TLS_PROTOCOL_SSLv2 | TLS_PROTOCOL_SSLv3 | TLS_PROTOCOL_TLSv1 \ -- | TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 ) -+ | TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3 ) - #define TLS_SSL_OP_PROTOMASK(m) \ - ((((m) & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L) \ - | (((m) & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L) \ ---- postfix-3.3.1/src/tls/tls_misc.c -+++ postfix-3.3.2/src/tls/tls_misc.c -@@ -279,7 +306,7 @@ - SSL_TXT_TLSV1, TLS_PROTOCOL_TLSv1, - SSL_TXT_TLSV1_1, TLS_PROTOCOL_TLSv1_1, - SSL_TXT_TLSV1_2, TLS_PROTOCOL_TLSv1_2, -- SSL_TXT_TLSV1_3, TLS_PROTOCOL_TLSv1_3, -+ TLS_PROTOCOL_TXT_TLSV1_3, TLS_PROTOCOL_TLSv1_3, - 0, TLS_PROTOCOL_INVALID, - }; - diff --git a/SOURCES/postfix-3.1.0-alternatives.patch b/SOURCES/postfix-3.3.3-alternatives.patch similarity index 92% rename from SOURCES/postfix-3.1.0-alternatives.patch rename to SOURCES/postfix-3.3.3-alternatives.patch index ff4e6c7..2c3ba18 100644 --- a/SOURCES/postfix-3.1.0-alternatives.patch +++ b/SOURCES/postfix-3.3.3-alternatives.patch @@ -1,8 +1,8 @@ diff --git a/conf/post-install b/conf/post-install -index 904cefa..5f1039b 100644 +index 25ef7e6..4fd6434 100644 --- a/conf/post-install 
+++ b/conf/post-install -@@ -532,6 +532,17 @@ test -n "$create" && { +@@ -537,6 +537,17 @@ test -n "$create" && { case $path in no|no/*) continue;; esac diff --git a/SOURCES/postfix-3.1.0-files.patch b/SOURCES/postfix-3.4.0-files.patch similarity index 90% rename from SOURCES/postfix-3.1.0-files.patch rename to SOURCES/postfix-3.4.0-files.patch index 273dbbd..ad73553 100644 --- a/SOURCES/postfix-3.1.0-files.patch +++ b/SOURCES/postfix-3.4.0-files.patch @@ -1,5 +1,5 @@ diff --git a/conf/postfix-files b/conf/postfix-files -index a433f4f..3ecdb5b 100644 +index 4ed9d1f..19711d2 100644 --- a/conf/postfix-files +++ b/conf/postfix-files @@ -83,7 +83,6 @@ $shlib_directory/${LIB_PREFIX}sqlite${LIB_SUFFIX}:f:root:-:755 @@ -10,7 +10,7 @@ index a433f4f..3ecdb5b 100644 $meta_directory/master.cf.proto:f:root:-:644 $meta_directory/postfix-files.d:d:root:-:755 $meta_directory/postfix-files:f:root:-:644 -@@ -140,18 +139,13 @@ $command_directory/postqueue:f:root:$setgid_group:2755:u +@@ -141,18 +140,13 @@ $command_directory/postqueue:f:root:$setgid_group:2755:u $sendmail_path:f:root:-:755 $newaliases_path:l:$sendmail_path $mailq_path:l:$sendmail_path @@ -29,7 +29,7 @@ index a433f4f..3ecdb5b 100644 $config_directory/main.cf:f:root:-:644:p $config_directory/master.cf:f:root:-:644:p $config_directory/pcre_table:f:root:-:644:o -@@ -164,8 +158,8 @@ $config_directory/postfix-script:f:root:-:755:o +@@ -165,8 +159,8 @@ $config_directory/postfix-script:f:root:-:755:o $config_directory/postfix-script-sgid:f:root:-:755:o $config_directory/postfix-script-nosgid:f:root:-:755:o $config_directory/post-install:f:root:-:755:o 
@@ -40,7 +40,7 @@ index a433f4f..3ecdb5b 100644 $manpage_directory/man1/postalias.1:f:root:-:644 $manpage_directory/man1/postcat.1:f:root:-:644 $manpage_directory/man1/postconf.1:f:root:-:644 -@@ -179,9 +173,9 @@ $manpage_directory/man1/postmap.1:f:root:-:644 +@@ -180,9 +174,9 @@ $manpage_directory/man1/postmap.1:f:root:-:644 $manpage_directory/man1/postmulti.1:f:root:-:644 $manpage_directory/man1/postqueue.1:f:root:-:644 $manpage_directory/man1/postsuper.1:f:root:-:644 @@ -52,7 +52,7 @@ index a433f4f..3ecdb5b 100644 $manpage_directory/man5/body_checks.5:f:root:-:644 $manpage_directory/man5/bounce.5:f:root:-:644 $manpage_directory/man5/canonical.5:f:root:-:644 -@@ -228,7 +222,7 @@ $manpage_directory/man8/qmqpd.8:f:root:-:644 +@@ -230,7 +224,7 @@ $manpage_directory/man8/qmqpd.8:f:root:-:644 $manpage_directory/man8/scache.8:f:root:-:644 $manpage_directory/man8/showq.8:f:root:-:644 $manpage_directory/man8/smtp.8:f:root:-:644 diff --git a/SOURCES/postfix-3.2.0-large-fs.patch b/SOURCES/postfix-3.4.0-large-fs.patch similarity index 92% rename from SOURCES/postfix-3.2.0-large-fs.patch rename to SOURCES/postfix-3.4.0-large-fs.patch index 227d1b7..fbc55f1 100644 --- a/SOURCES/postfix-3.2.0-large-fs.patch +++ b/SOURCES/postfix-3.4.0-large-fs.patch @@ -21,10 +21,10 @@ index 50a4aa7..beef3db 100644 if (msg_verbose) msg_info("%s: %s: block size %lu, blocks free %lu", diff --git a/src/util/sys_defs.h b/src/util/sys_defs.h -index 3f570c4..611d9cd 100644 +index a8d2571..ad07498 100644 --- a/src/util/sys_defs.h +++ b/src/util/sys_defs.h -@@ -768,8 +768,8 @@ extern int initgroups(const char *, int); +@@ -769,8 +769,8 @@ extern int initgroups(const char *, int); #define GETTIMEOFDAY(t) gettimeofday(t,(struct timezone *) 0) #define ROOT_PATH "/bin:/usr/bin:/sbin:/usr/sbin" #define FIONREAD_IN_TERMIOS_H diff --git a/SOURCES/postfix-3.4.4-chroot-example-fix.patch b/SOURCES/postfix-3.4.4-chroot-example-fix.patch new file mode 100644 index 0000000..5870b4c --- /dev/null 
+++ b/SOURCES/postfix-3.4.4-chroot-example-fix.patch @@ -0,0 +1,35 @@ +--- a/examples/chroot-setup/LINUX2 2006-01-01 15:53:58.000000000 -0800 ++++ b/examples/chroot-setup/LINUX2 2016-11-27 00:45:52.145301784 -0800 +@@ -45,14 +45,14 @@ + # 20060101 /lib64 support by Keith Owens. + # + +-CP="cp -p" ++CP="cp -p -Z" + + cond_copy() { + # find files as per pattern in $1 + # if any, copy to directory $2 + dir=`dirname "$1"` + pat=`basename "$1"` +- lr=`find "$dir" -maxdepth 1 -name "$pat"` ++ lr=`find "$dir/" -maxdepth 1 -name "$pat"` + if test ! -d "$2" ; then exit 1 ; fi + if test "x$lr" != "x" ; then $CP $1 "$2" ; fi + } +@@ -63,8 +63,8 @@ + POSTFIX_DIR=${POSTFIX_DIR-/var/spool/postfix} + cd ${POSTFIX_DIR} + +-mkdir -p etc lib usr/lib/zoneinfo +-test -d /lib64 && mkdir -p lib64 ++mkdir -p -Z etc lib usr/lib/zoneinfo ++test -d /lib64 && mkdir -p -Z lib64 + + # find localtime (SuSE 5.3 does not have /etc/localtime) + lt=/etc/localtime +@@ -88,4 +88,3 @@ + cond_copy '/lib64/libdb.so*' lib64 + fi + +-postfix reload diff --git a/SOURCES/postfix-3.2.0-config.patch b/SOURCES/postfix-3.5.0-config.patch similarity index 94% rename from SOURCES/postfix-3.2.0-config.patch rename to SOURCES/postfix-3.5.0-config.patch index fd62120..da42263 100644 --- a/SOURCES/postfix-3.2.0-config.patch +++ b/SOURCES/postfix-3.5.0-config.patch @@ -1,5 +1,5 @@ diff --git a/conf/main.cf b/conf/main.cf -index 7af8bde..fbe5c62 100644 +index 7af8bde..495e346 100644 --- a/conf/main.cf +++ b/conf/main.cf @@ -132,6 +132,10 @@ mail_owner = postfix @@ -123,15 +123,15 @@ index 7af8bde..fbe5c62 100644 +# +smtp_tls_security_level = may diff --git a/conf/master.cf b/conf/master.cf -index b67ed59..a9633ba 100644 +index c0f2508..05c5d07 100644 --- a/conf/master.cf 
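Review bot: The last hunk of the added chroot-example patch drops `postfix reload` from `examples/chroot-setup/LINUX2` and leaves nothing in its place, so the script no longer shows the admin that running daemons may not see the refreshed chroot content until a reload. A closing comment such as `# Run "postfix reload" yourself after this script; the packaged copy no longer does.` would keep that step visible. The patch file also has no header explaining why `-Z` was added to `cp -p` and `mkdir -p`; one line saying that it gives the copies the default SELinux label for their destination instead of an inherited one would help whoever rebases it next. Whether the target's coreutils accepts a bare `-Z` is not visible on the page and is worth confirming.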
+++ b/conf/master.cf -@@ -96,14 +96,14 @@ scache unix - - n - 1 scache +@@ -98,14 +98,14 @@ postlog unix-dgram n - n - 1 postlogd # Also specify in main.cf: cyrus_destination_recipient_limit=1 # #cyrus unix - n n - - pipe --# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} -+# user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user} +-# flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} ++# flags=DRX user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user} # # ==================================================================== # diff --git a/SOURCES/postfix-3.5.8-back-compat-3.3.1.patch b/SOURCES/postfix-3.5.8-back-compat-3.3.1.patch new file mode 100644 index 0000000..c444912 --- /dev/null +++ b/SOURCES/postfix-3.5.8-back-compat-3.3.1.patch 
@@ -0,0 +1,158 @@ +diff --git a/src/global/mail_params.c b/src/global/mail_params.c +index 91c70f7..483613c 100644 +--- a/src/global/mail_params.c ++++ b/src/global/mail_params.c +@@ -379,6 +379,8 @@ int warn_compat_break_smtputf8_enable; + int warn_compat_break_chroot; + int warn_compat_break_relay_restrictions; + ++bool var_rhel_ipv6_normalize; ++ + /* check_myhostname - lookup hostname and validate */ + + static const char *check_myhostname(void) +@@ -825,6 +827,7 @@ void mail_params_init() + VAR_LONG_QUEUE_IDS, DEF_LONG_QUEUE_IDS, &var_long_queue_ids, + VAR_STRICT_SMTPUTF8, DEF_STRICT_SMTPUTF8, &var_strict_smtputf8, + VAR_ENABLE_ORCPT, DEF_ENABLE_ORCPT, &var_enable_orcpt, ++ VAR_RHEL_IPV6_NORMALIZE, DEF_RHEL_IPV6_NORMALIZE, &var_rhel_ipv6_normalize, + 0, + }; + const char *cp; +diff --git a/src/global/mail_params.h b/src/global/mail_params.h +index e4358ca..74459d9 100644 +--- a/src/global/mail_params.h ++++ b/src/global/mail_params.h +@@ -3153,7 +3153,7 @@ extern char *var_local_rwr_clients; + * EHLO keyword filter. 
+ */ + #define VAR_SMTPD_EHLO_DIS_WORDS "smtpd_discard_ehlo_keywords" +-#define DEF_SMTPD_EHLO_DIS_WORDS "" ++#define DEF_SMTPD_EHLO_DIS_WORDS "chunking" + extern char *var_smtpd_ehlo_dis_words; + + #define VAR_SMTPD_EHLO_DIS_MAPS "smtpd_discard_ehlo_keyword_address_maps" +@@ -4199,9 +4199,13 @@ extern int var_postlogd_watchdog; + #define INFO_LOG_ADDR_FORM_NAME_INTERNAL "internal" + + #define VAR_INFO_LOG_ADDR_FORM "info_log_address_format" +-#define DEF_INFO_LOG_ADDR_FORM INFO_LOG_ADDR_FORM_NAME_EXTERNAL ++#define DEF_INFO_LOG_ADDR_FORM INFO_LOG_ADDR_FORM_NAME_INTERNAL + extern char *var_info_log_addr_form; + ++#define VAR_RHEL_IPV6_NORMALIZE "rhel_ipv6_normalize" ++#define DEF_RHEL_IPV6_NORMALIZE 0 ++extern bool var_rhel_ipv6_normalize; ++ + /* LICENSE + /* .ad + /* .fi +diff --git a/src/smtpd/smtpd.c b/src/smtpd/smtpd.c +index da7227f..53e640e 100644 +--- a/src/smtpd/smtpd.c ++++ b/src/smtpd/smtpd.c +@@ -4334,6 +4334,7 @@ static int xclient_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv) + SMTPD_TOKEN *argp; + char *raw_value; + char *attr_value; ++ const char *bare_value; + char *attr_name; + int update_namaddr = 0; + int name_status; +@@ -4481,15 +4482,31 @@ static int xclient_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv) + UPDATE_STR(state->addr, attr_value); + UPDATE_STR(state->rfc_addr, attr_value); + } else { +- neuter(attr_value, NEUTER_CHARACTERS, '?'); +- if (normalize_mailhost_addr(attr_value, &state->rfc_addr, ++ if (var_rhel_ipv6_normalize) { ++ neuter(attr_value, NEUTER_CHARACTERS, '?'); ++ } ++ if ((var_rhel_ipv6_normalize && ++ normalize_mailhost_addr(attr_value, &state->rfc_addr, + &state->addr, +- &state->addr_family) < 0) { ++ &state->addr_family) < 0) || ++ (!var_rhel_ipv6_normalize && ++ (bare_value = valid_mailhost_addr(attr_value, DONT_GRIPE)) == 0)) { + state->error_mask |= MAIL_ERROR_PROTOCOL; + smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s", + XCLIENT_ADDR, attr_value); + return (-1); + } ++ if 
(!var_rhel_ipv6_normalize) { ++ UPDATE_STR(state->addr, bare_value); ++ UPDATE_STR(state->rfc_addr, attr_value); ++#ifdef HAS_IPV6 ++ if (strncasecmp(attr_value, INET_PROTO_NAME_IPV6 ":", ++ sizeof(INET_PROTO_NAME_IPV6 ":") - 1) == 0) ++ state->addr_family = AF_INET6; ++ else ++#endif ++ state->addr_family = AF_INET; ++ } + } + update_namaddr = 1; + } +@@ -4569,17 +4586,25 @@ static int xclient_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv) + attr_value = SERVER_ADDR_UNKNOWN; + UPDATE_STR(state->dest_addr, attr_value); + } else { ++ if (var_rhel_ipv6_normalize) { + #define NO_NORM_RFC_ADDR ((char **) 0) + #define NO_NORM_ADDR_FAMILY ((int *) 0) +- neuter(attr_value, NEUTER_CHARACTERS, '?'); +- if (normalize_mailhost_addr(attr_value, NO_NORM_RFC_ADDR, ++ neuter(attr_value, NEUTER_CHARACTERS, '?'); ++ } ++ if ((var_rhel_ipv6_normalize && ++ normalize_mailhost_addr(attr_value, NO_NORM_RFC_ADDR, + &state->dest_addr, +- NO_NORM_ADDR_FAMILY) < 0) { ++ NO_NORM_ADDR_FAMILY) < 0) || ++ (!var_rhel_ipv6_normalize && ++ (bare_value = valid_mailhost_addr(attr_value, DONT_GRIPE)) == 0)) { + state->error_mask |= MAIL_ERROR_PROTOCOL; + smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s", + XCLIENT_DESTADDR, attr_value); + return (-1); + } ++ if (!var_rhel_ipv6_normalize) { ++ UPDATE_STR(state->dest_addr, bare_value); ++ } + } + /* XXX Require same address family as client address. 
*/ + } +@@ -4690,6 +4715,7 @@ static int xforward_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv) + SMTPD_TOKEN *argp; + char *raw_value; + char *attr_value; ++ const char *bare_value; + char *attr_name; + int updated = 0; + static const NAME_CODE xforward_flags[] = { +@@ -4808,15 +4834,22 @@ static int xforward_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv) + UPDATE_STR(state->xforward.addr, attr_value); + } else { + neuter(attr_value, NEUTER_CHARACTERS, '?'); +- if (normalize_mailhost_addr(attr_value, ++ if ((var_rhel_ipv6_normalize && ++ normalize_mailhost_addr(attr_value, + &state->xforward.rfc_addr, + &state->xforward.addr, +- NO_NORM_ADDR_FAMILY) < 0) { ++ NO_NORM_ADDR_FAMILY) < 0) || ++ (!var_rhel_ipv6_normalize && ++ (bare_value = valid_mailhost_addr(attr_value, DONT_GRIPE)) == 0)) { + state->error_mask |= MAIL_ERROR_PROTOCOL; + smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s", + XFORWARD_ADDR, attr_value); + return (-1); + } ++ if (!var_rhel_ipv6_normalize) { ++ UPDATE_STR(state->xforward.addr, bare_value); ++ UPDATE_STR(state->xforward.rfc_addr, attr_value); ++ } + } + break; + diff --git a/SPECS/postfix.spec b/SPECS/postfix.spec index 8c91f14..5dc9c82 100644 --- a/SPECS/postfix.spec +++ b/SPECS/postfix.spec @@ -6,6 +6,7 @@ %bcond_without sqlite %bcond_without cdb %bcond_without ldap +%bcond_without lmdb %bcond_without pcre %bcond_without sasl %bcond_without tls @@ -47,13 +48,13 @@ Name: postfix Summary: Postfix Mail Transport Agent -Version: 3.3.1 -Release: 12%{?dist}.1 +Version: 3.5.8 +Release: 1%{?dist} Epoch: 2 Group: System Environment/Daemons URL: http://www.postfix.org License: (IBM and GPLv2+) or (EPL-2.0 and GPLv2+) -Requires(post): systemd +Requires(post): systemd hostname Requires(post): %{_sbindir}/alternatives Requires(post): %{_bindir}/openssl Requires(post): %{_bindir}/hostname 
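Review bot: In `xclient_cmd` the call `neuter(attr_value, NEUTER_CHARACTERS, '?')` now runs only when `var_rhel_ipv6_normalize` is set, for both XCLIENT ADDR and DESTADDR, while `xforward_cmd` still neuters unconditionally; with the shipped default `DEF_RHEL_IPV6_NORMALIZE 0` the XCLIENT value therefore reaches the `501 5.5.4 Bad %s syntax: %s` reply and `state->rfc_addr` without that pass. Any earlier sanitising of `attr_value` is outside these hunks, so this may be harmless, but unless the 3.3.1 behaviour depends on the omission the call should stay unconditional, i.e. keep `neuter(attr_value, NEUTER_CHARACTERS, '?');` ahead of the combined test as `xforward_cmd` does, or carry a comment saying why the legacy path skips it. The combined condition also assigns `bare_value` inside an `||` chain that tests the flag twice; an `if (var_rhel_ipv6_normalize) { ... } else { ... }` per attribute would make it obvious that `bare_value` is only ever set and read on the legacy path. The enclosing functions start and end outside the hunks.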
@@ -63,7 +64,7 @@ Requires(preun): %{_sbindir}/alternatives Requires(preun): systemd Requires(postun): systemd # Required by /usr/libexec/postfix/postfix-script -Requires: diffutils +Requires: diffutils, findutils Provides: MTA smtpd smtpdaemon server(smtp) Source0: ftp://ftp.porcupine.org/mirrors/postfix-release/official/%{name}-%{version}.tar.gz @@ -71,6 +72,7 @@ Source2: postfix.service Source3: README-Postfix-SASL-RedHat.txt Source4: postfix.aliasesdb Source5: postfix-chroot-update +Source6: README-RedHat.txt # Sources 50-99 are upstream [patch] contributions @@ -86,17 +88,15 @@ Source101: postfix-pam.conf # Patches -Patch1: postfix-3.2.0-config.patch -Patch2: postfix-3.1.0-files.patch -Patch3: postfix-3.1.0-alternatives.patch -Patch4: postfix-3.2.0-large-fs.patch -Patch5: postfix-3.3.1-posttls-finger-unix-fix.patch +Patch1: postfix-3.5.0-config.patch +Patch2: postfix-3.4.0-files.patch +Patch3: postfix-3.3.3-alternatives.patch +Patch4: postfix-3.4.0-large-fs.patch Patch9: pflogsumm-1.1.5-datecalc.patch # rhbz#1384871, sent upstream Patch10: pflogsumm-1.1.5-ipv6-warnings-fix.patch -# rhbz#1723950, included upstream -Patch11: postfix-3.3.1-ref-search-fix.patch -Patch12: postfix-3.3.1-tlsv13.patch +Patch11: postfix-3.4.4-chroot-example-fix.patch +Patch12: postfix-3.5.8-back-compat-3.3.1.patch # Optional patches - set the appropriate environment variables to include # them when building the package/spec file @@ -105,9 +105,10 @@ Patch12: postfix-3.3.1-tlsv13.patch # Determine the different packages required for building postfix BuildRequires: libdb-devel, perl-generators, pkgconfig, zlib-devel BuildRequires: systemd-units, libicu-devel, libnsl2-devel -BuildRequires: gcc, m4 +BuildRequires: gcc, m4, findutils %{?with_ldap:BuildRequires: openldap-devel} +%{?with_lmdb:BuildRequires: lmdb-devel} %{?with_sasl:BuildRequires: cyrus-sasl-devel} %{?with_pcre:BuildRequires: pcre-devel} %{?with_mysql:BuildRequires: mariadb-connector-c-devel} 
@@ -190,6 +191,16 @@ This provides support for LDAP maps in Postfix. If you plan to use LDAP maps with Postfix, you need this. %endif +%if %{with lmdb} +%package lmdb +Summary: Postfix LDMB map support +Requires: %{name} = %{epoch}:%{version}-%{release} + +%description lmdb +This provides support for LMDB maps in Postfix. If you plan to use LMDB +maps with Postfix, you need this. +%endif + %if %{with pcre} %package pcre Summary: Postfix PCRE map support @@ -207,7 +218,6 @@ maps with Postfix, you need this. %patch2 -p1 -b .files %patch3 -p1 -b .alternatives %patch4 -p1 -b .large-fs -%patch5 -p1 -b .posttls-finger-unix-fix # Change DEF_SHLIB_DIR according to build host sed -i \ @@ -221,8 +231,10 @@ pushd pflogsumm-%{pflogsumm_ver} %patch10 -p1 -b .ipv6-warnings-fix popd %endif -%patch11 -p1 -b .ref-search-fix -%patch12 -p1 -b .tlsv13 +%patch11 -p1 -b .chroot-example-fix +# Improve backward compatibility with postfix-3.3.1, +# for details see rhbz#1688389 +%patch12 -p1 -b .back-compat-3.3.1 for f in README_FILES/TLS_{LEGACY_,}README TLS_ACKNOWLEDGEMENTS; do iconv -f iso8859-1 -t utf8 -o ${f}{_,} && @@ -230,8 +242,8 @@ for f in README_FILES/TLS_{LEGACY_,}README TLS_ACKNOWLEDGEMENTS; do done %build -unset AUXLIBS AUXLIBS_LDAP AUXLIBS_PCRE AUXLIBS_MYSQL AUXLIBS_PGSQL AUXLIBS_SQLITE AUXLIBS_CDB -CCARGS="-fPIC" +unset AUXLIBS AUXLIBS_LDAP AUXLIBS_LMDB AUXLIBS_PCRE AUXLIBS_MYSQL AUXLIBS_PGSQL AUXLIBS_SQLITE AUXLIBS_CDB +CCARGS="-fPIC -fcommon" AUXLIBS="-lnsl" %ifarch s390 s390x ppc @@ -242,6 +254,10 @@ CCARGS="${CCARGS} -fsigned-char" CCARGS="${CCARGS} -DHAS_LDAP -DLDAP_DEPRECATED=1 %{?with_sasl:-DUSE_LDAP_SASL}" AUXLIBS_LDAP="-lldap -llber" %endif +%if %{with lmdb} + CCARGS="${CCARGS} -DHAS_LMDB" + AUXLIBS_LMDB="-llmdb" +%endif %if %{with pcre} # -I option required for pcre 3.4 (and later?) CCARGS="${CCARGS} -DHAS_PCRE -I%{_includedir}/pcre" 
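Review bot: The new `%package lmdb` stanza misspells the backend in its summary, `Summary: Postfix LDMB map support`, while the description and every other added line say LMDB. It should read `Summary: Postfix LMDB map support`, since the summary is the text that package listings and searches show.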
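Review bot: `CCARGS="-fPIC -fcommon"` in `%build` adds `-fcommon` with no comment, and that flag lets duplicate tentative definitions of a global be merged at link time instead of reported, so an accidental second definition no longer fails the build. If it is there to get the sources through a compiler that defaults to `-fno-common`, say so next to it, for example `# -fcommon: sources still define some globals in headers; drop once that is fixed upstream`. The reason is inferred rather than stated on the page, so the final wording should come from whoever added the flag.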
@@ -292,19 +308,17 @@ LDFLAGS="%{?__global_ldflags} %{?_hardened_build:-Wl,-z,relro,-z,now}" # way how to get them in make -f Makefile.init makefiles shared=yes dynamicmaps=yes \ %{?_hardened_build:pie=yes} CCARGS="${CCARGS}" AUXLIBS="${AUXLIBS}" \ - AUXLIBS_LDAP="${AUXLIBS_LDAP}" AUXLIBS_PCRE="${AUXLIBS_PCRE}" \ - AUXLIBS_MYSQL="${AUXLIBS_MYSQL}" AUXLIBS_PGSQL="${AUXLIBS_PGSQL}" \ - AUXLIBS_SQLITE="${AUXLIBS_SQLITE}" AUXLIBS_CDB="${AUXLIBS_CDB}"\ + AUXLIBS_LDAP="${AUXLIBS_LDAP}" AUXLIBS_LMDB="${AUXLIBS_LMDB}" \ + AUXLIBS_PCRE="${AUXLIBS_PCRE}" AUXLIBS_MYSQL="${AUXLIBS_MYSQL}" \ + AUXLIBS_PGSQL="${AUXLIBS_PGSQL}" AUXLIBS_SQLITE="${AUXLIBS_SQLITE}" \ + AUXLIBS_CDB="${AUXLIBS_CDB}" \ DEBUG="" SHLIB_RPATH="-Wl,-rpath,%{postfix_shlib_dir} $LDFLAGS" \ OPT="$RPM_OPT_FLAGS -fno-strict-aliasing -Wno-comment" \ POSTFIX_INSTALL_OPTS=-keep-build-mtime -make %{?_smp_mflags} +%make_build %install -rm -rf $RPM_BUILD_ROOT -mkdir -p $RPM_BUILD_ROOT - # install postfix into $RPM_BUILD_ROOT # Move stuff around so we don't conflict with sendmail @@ -344,8 +358,8 @@ for i in active bounce corrupt defer deferred flush incoming private saved maild mkdir -p $RPM_BUILD_ROOT%{postfix_queue_dir}/$i done -# install performance benchmark tools by hand -for i in smtp-sink smtp-source ; do +# install performance benchmark and test tools by hand +for i in smtp-sink smtp-source posttls-finger ; do install -c -m 755 bin/$i $RPM_BUILD_ROOT%{postfix_command_dir}/ install -c -m 755 man/man1/$i.1 $RPM_BUILD_ROOT%{_mandir}/man1/ done 
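Review bot: Adding `posttls-finger` to the hand-install loop means its manual page is also installed by `install -c -m 755 man/man1/$i.1`, that is, as an executable file, like the two existing entries. Unless an `%attr` in `%files` (not visible in this hunk) resets the mode, the man page line should use `-m 644`: `install -c -m 644 man/man1/$i.1 $RPM_BUILD_ROOT%{_mandir}/man1/`.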
@@ -367,7 +381,7 @@ install -m 644 %{SOURCE101} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/smtp.postfix # prepare documentation mkdir -p $RPM_BUILD_ROOT%{postfix_doc_dir} -cp -p %{SOURCE3} COMPATIBILITY LICENSE TLS_ACKNOWLEDGEMENTS TLS_LICENSE $RPM_BUILD_ROOT%{postfix_doc_dir} +cp -p %{SOURCE3} %{SOURCE6} COMPATIBILITY LICENSE TLS_ACKNOWLEDGEMENTS TLS_LICENSE $RPM_BUILD_ROOT%{postfix_doc_dir} mkdir -p $RPM_BUILD_ROOT%{postfix_doc_dir}/examples{,/chroot-setup} cp -pr examples/{qmail-local,smtpd-policy} $RPM_BUILD_ROOT%{postfix_doc_dir}/examples @@ -422,7 +436,7 @@ function split_file # split global dynamic maps configuration to individual sub-packages pushd $RPM_BUILD_ROOT%{postfix_config_dir} for map in %{?with_mysql:mysql} %{?with_pgsql:pgsql} %{?with_sqlite:sqlite} \ -%{?with_cdb:cdb} %{?with_ldap:ldap} %{?with_pcre:pcre}; do +%{?with_cdb:cdb} %{?with_ldap:ldap} %{?with_lmdb:lmdb} %{?with_pcre:pcre}; do rm -f dynamicmaps.cf.d/"$map" "postfix-files.d/$map" split_file "^\s*$map\b" "$map" dynamicmaps.cf sed -i "s|postfix-$map\\.so|%{postfix_shlib_dir}/\\0|" "dynamicmaps.cf.d/$map" @@ -557,6 +571,8 @@ exit 0 %exclude %{postfix_doc_dir}/README_FILES/CDB_README %exclude %{_mandir}/man5/ldap_table.5* %exclude %{postfix_doc_dir}/README_FILES/LDAP_README +%exclude %{_mandir}/man5/lmdb_table.5* +%exclude %{postfix_doc_dir}/README_FILES/LMDB_README %exclude %{_mandir}/man5/pcre_table.5* %exclude %{postfix_doc_dir}/README_FILES/PCRE_README @@ -597,6 +613,7 @@ exit 0 %attr(0755, root, root) %{postfix_command_dir}/smtp-sink %attr(0755, root, root) %{postfix_command_dir}/smtp-source +%attr(0755, root, root) %{postfix_command_dir}/posttls-finger %attr(0755, root, root) %{postfix_command_dir}/postalias %attr(0755, root, root) %{postfix_command_dir}/postcat 
@@ -633,6 +650,7 @@ exit 0 %attr(0755, root, root) %{postfix_daemon_dir}/postfix-wrapper %attr(0755, root, root) %{postfix_daemon_dir}/postmulti-script %attr(0755, root, root) %{postfix_daemon_dir}/postscreen +%attr(0755, root, root) %{postfix_daemon_dir}/postlogd %attr(0755, root, root) %{postfix_daemon_dir}/proxymap %attr(0755, root, root) %{postfix_shlib_dir}/libpostfix-*.so %{_bindir}/mailq.postfix @@ -711,6 +729,15 @@ exit 0 %attr(0644, root, root) %{postfix_doc_dir}/README_FILES/LDAP_README %endif +%if %{with lmdb} +%files lmdb +%attr(0644, root, root) %{postfix_config_dir}/dynamicmaps.cf.d/lmdb +%attr(0644, root, root) %{postfix_config_dir}/postfix-files.d/lmdb +%attr(0755, root, root) %{postfix_shlib_dir}/postfix-lmdb.so +%attr(0644, root, root) %{_mandir}/man5/lmdb_table.5* +%attr(0644, root, root) %{postfix_doc_dir}/README_FILES/LMDB_README +%endif + %if %{with pcre} %files pcre %attr(0644, root, root) %{postfix_config_dir}/dynamicmaps.cf.d/pcre @@ -721,9 +748,9 @@ exit 0 %endif %changelog -* Tue Jan 26 2021 Jan Zerdik - 2:3.3.1-12.1 -- Backported support for disabling of TLSv1.3 - Resolves: rhbz#1919233 +* Fri Nov 13 2020 Jaroslav Škarvada - 2:3.5.8-1 +- New version + Resolves: rhbz#1688389 * Mon Dec 16 2019 Jaroslav Škarvada - 2:3.3.1-12 - Fixed DNS resolver to use ref_search instead of ref_query