Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package postfix for openSUSE:Factory checked in at 2025-11-28 16:50:43
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/postfix (Old)
 and      /work/SRC/openSUSE:Factory/.postfix.new.14147 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "postfix" Fri Nov 28 16:50:43 2025 rev:258 rq:1320355 version:3.10.6 Changes: -------- --- /work/SRC/openSUSE:Factory/postfix/postfix-bdb.changes 2025-11-25 15:53:08.403222526 +0100 +++ /work/SRC/openSUSE:Factory/.postfix.new.14147/postfix-bdb.changes 2025-11-28 16:51:06.109661230 +0100 
@@ -1,0 +2,31 @@ +Wed Nov 26 19:27:24 UTC 2025 - Arjen de Korte <[email protected]> + +- update to 3.10.6 + * Bugfix (defect introduced: Postfix 3.10, date: 20250117). + Symptom: warning messages that smtp_tls_wrappermode requires + "smtp_tls_security_level = encrypt". + Root cause: support for "TLS-Required: no" broke client-side + TLS wrappermode support, by downgrading a connection to TLS + security level 'may'. + The fix changes the downgrade level for wrappermode connections + to 'encrypt'. Rationale: by design, TLS can be optional only + for connections that use STARTTLS. The downgrade to unauthenticated + 'encrypt' allows a sender to avoid an email delivery problem. + Problem reported by Joshua Tyler Cochran. + * New logging: the Postfix SMTP client will log a warning when + an MX hostname does not match STS policy MX patterns, with + "smtp_tls_enforce_sts_mx_patterns = yes" in Postfix, and with + TLSRPT support enabled in a TLS policy plugin. It will log a + successful match only when verbose logging is enabled. + * Bugfix (defect introduced: Postfix 3.10, date: 20240902): SMTP + client null pointer crash when an STS policy plugin sends no + policy_string or no mx_pattern attributes. This can happen only + during tests with a fake STS plugin. + * Bugfix (defect introduced: Postfix 2.9, date: 20120307): segfault + when a duplicate parameter name is given to "postconf -X" or + "postconf -#'. + * Documentation: removed incorrect text from the parameter + description for smtp_cname_overrides_servername. File: + proto/postconf.proto. 
+ +------------------------------------------------------------------- postfix.changes: same change Old: ---- postfix-3.10.5.tar.gz postfix-3.10.5.tar.gz.asc New: ---- postfix-3.10.6.tar.gz postfix-3.10.6.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ postfix-bdb.spec ++++++ --- /var/tmp/diff_new_pack.Mxayue/_old 2025-11-28 16:51:10.329838935 +0100 +++ /var/tmp/diff_new_pack.Mxayue/_new 2025-11-28 16:51:10.329838935 +0100 @@ -1,7 +1,7 @@ # # spec file for package postfix-bdb # -# Copyright (c) 2025 SUSE LLC +# Copyright (c) 2025 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -59,7 +59,7 @@ %endif %bcond_without ldap Name: postfix-bdb -Version: 3.10.5 +Version: 3.10.6 Release: 0 Summary: A fast, secure, and flexible mailer License: EPL-2.0 OR IPL-1.0 postfix.spec: same change ++++++ postfix-3.10.5.tar.gz -> postfix-3.10.6.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.10.5/HISTORY new/postfix-3.10.6/HISTORY --- old/postfix-3.10.5/HISTORY 2025-10-24 17:06:14.000000000 +0200 +++ new/postfix-3.10.6/HISTORY 2025-11-25 20:45:54.000000000 +0100 
@@ -29208,3 +29208,43 @@ with "database X is older than source file Y". Files: util/dict.c, util/dict_db.c, util/dict_dbm.c, util/dict_lmdb.c, util/dict_sdbm.c. + +20251024 + + Logging: with "smtp_tls_enforce_sts_mx_patterns=yes" and + TLSRPT support enabled in a TLS policy plugin, the Postfix + SMTP client logs a warning when an MX hostname does not + match STS policy MX patterns; it logs a successful match + when verbose logging is enabled. File: smtp/smtp_tls_policy.c. + +20251027 + + Bugfix (defect introduced: Postfix 3.10, date: 20240902): + SMTP client null pointer crash when an STS policy plugin + sends no policy_string or no mx_pattern attributes. This + can happen only during tests with a fake STS plugin. File: + smtp/smtp_tlsrpt.c. + +20251028 + + Documentation: removed incorrect text from the parameter + description for smtp_cname_overrides_servername. File: + proto/postconf.proto. + +20251031 + + Bugfix (defect introduced: Postfix 3.10, date 20250117): + support for "TLS-Required: no" broke client-side TLS wrappermode + support, by downgrading a connection to TLS security level 'may'. + The solution is to change the downgrade level for wrappermode + connections to 'encrypt'. Rationale: by design, TLS can be + optional only for connections that use STARTTLS. The downgrade + to unauthenticated 'encrypt' allows a sender to avoid an email + delivery problem. Problem reported by Joshua Tyler Cochran. + File: smtp/smtp_tls_policy.c. + +20251120 + + Bugfix (defect introduced: Postfix 2.9, date: 20120307): + segfault with duplicate parameter name in "postconf -X" or + "postconf -#'. File: postconf/postconf_edit.c. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.10.5/html/postconf.5.html new/postfix-3.10.6/html/postconf.5.html --- old/postfix-3.10.5/html/postconf.5.html 2025-10-26 23:52:23.000000000 +0100 +++ new/postfix-3.10.6/html/postconf.5.html 2025-11-25 18:31:07.000000000 +0100 
@@ -11373,10 +11373,6 @@ password file lookups more predictable. This is the default setting as of Postfix 2.3. </p> -<p> When DNS CNAME records are validated with secure DNS lookups -(<a href="postconf.5.html#smtp_dns_support_level">smtp_dns_support_level</a> = dnssec), they are always allowed to -override the above servername (Postfix 2.11 and later). </p> - <p> This feature is available in Postfix 2.2.9 and later. </p> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.10.5/man/man5/postconf.5 new/postfix-3.10.6/man/man5/postconf.5 --- old/postfix-3.10.5/man/man5/postconf.5 2025-10-26 23:52:23.000000000 +0100 +++ new/postfix-3.10.6/man/man5/postconf.5 2025-11-25 18:31:07.000000000 +0100 @@ -7136,10 +7136,6 @@ password file lookups more predictable. This is the default setting as of Postfix 2.3. .PP -When DNS CNAME records are validated with secure DNS lookups -(smtp_dns_support_level = dnssec), they are always allowed to -override the above servername (Postfix 2.11 and later). -.PP This feature is available in Postfix 2.2.9 and later. .SH smtp_connect_timeout (default: 30s) The Postfix SMTP client time limit for completing a TCP connection, or diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.10.5/proto/postconf.proto new/postfix-3.10.6/proto/postconf.proto --- old/postfix-3.10.5/proto/postconf.proto 2025-10-24 16:41:15.000000000 +0200 +++ new/postfix-3.10.6/proto/postconf.proto 2025-11-25 18:19:06.000000000 +0100 
@@ -11398,10 +11398,6 @@ password file lookups more predictable. This is the default setting as of Postfix 2.3. </p> -<p> When DNS CNAME records are validated with secure DNS lookups -(smtp_dns_support_level = dnssec), they are always allowed to -override the above servername (Postfix 2.11 and later). </p> - <p> This feature is available in Postfix 2.2.9 and later. </p> %PARAM lmtp_cname_overrides_servername yes diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.10.5/src/global/mail_version.h new/postfix-3.10.6/src/global/mail_version.h --- old/postfix-3.10.5/src/global/mail_version.h 2025-10-26 23:48:02.000000000 +0100 +++ new/postfix-3.10.6/src/global/mail_version.h 2025-11-25 18:18:20.000000000 +0100 @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20251026" -#define MAIL_VERSION_NUMBER "3.10.5" +#define MAIL_RELEASE_DATE "20251125" +#define MAIL_VERSION_NUMBER "3.10.6" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.10.5/src/postconf/postconf_edit.c new/postfix-3.10.6/src/postconf/postconf_edit.c --- old/postfix-3.10.5/src/postconf/postconf_edit.c 2025-10-23 22:03:49.000000000 +0200 +++ new/postfix-3.10.6/src/postconf/postconf_edit.c 2025-11-25 18:20:32.000000000 +0100 
@@ -209,8 +209,10 @@ msg_panic("pcf_edit_main: unknown mode %d", mode); } if ((cvalue = htable_find(table, pattern)) != 0) { - msg_warn("ignoring earlier request: '%s = %s'", - pattern, cvalue->value); + if (edit_value && cvalue->value + && strcmp(edit_value, cvalue->value) != 0) + msg_warn("ignoring earlier request: '%s = %s'", + pattern, cvalue->value); htable_delete(table, pattern, myfree); } cvalue = (struct cvalue *) mymalloc(sizeof(*cvalue)); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.10.5/src/smtp/smtp_tls_policy.c new/postfix-3.10.6/src/smtp/smtp_tls_policy.c --- old/postfix-3.10.5/src/smtp/smtp_tls_policy.c 2025-10-24 16:41:15.000000000 +0200 +++ new/postfix-3.10.6/src/smtp/smtp_tls_policy.c 2025-11-25 20:31:07.000000000 +0100 @@ -187,9 +187,16 @@ } else #endif aname = name; - for (pattp = tls->ext_mx_host_patterns->argv; *pattp; pattp++) - if (match_sts_mx_host_pattern(*pattp, aname)) + for (pattp = tls->ext_mx_host_patterns->argv; *pattp; pattp++) { + if (match_sts_mx_host_pattern(*pattp, aname)) { + if (msg_verbose) + msg_info("MX name '%s' matches STS MX pattern for '%s'", + aname, tls->ext_policy_domain ? tls->ext_policy_domain : ""); return (1); + } + } + msg_warn("MX name '%s' does not match STS MX pattern for '%s'", + aname, tls->ext_policy_domain ? tls->ext_policy_domain : ""); return (0); } /* No applicable policy name patterns. */ 
@@ -725,8 +732,13 @@ if (STATE_TLS_NOT_REQUIRED(iter->parent)) { if (msg_verbose) msg_info("%s: no tls policy lookup", __func__); - if (tls->level > TLS_LEV_MAY) - tls->level = TLS_LEV_MAY; + if (var_smtp_tls_wrappermode) { + if (tls->level > TLS_LEV_ENCRYPT) + tls->level = TLS_LEV_ENCRYPT; + } else { + if (tls->level > TLS_LEV_MAY) + tls->level = TLS_LEV_MAY; + } } else if (tls_policy) { tls_policy_lookup(tls, &site_level, dest, "next-hop destination"); } else if (tls_per_site) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.10.5/src/smtp/smtp_tlsrpt.c new/postfix-3.10.6/src/smtp/smtp_tlsrpt.c --- old/postfix-3.10.5/src/smtp/smtp_tlsrpt.c 2024-10-11 00:15:24.000000000 +0200 +++ new/postfix-3.10.6/src/smtp/smtp_tlsrpt.c 2025-11-25 20:23:32.000000000 +0100 @@ -306,13 +306,15 @@ if (tls->ext_policy_type == 0) msg_panic("smtp_tlsrpt_set_ext_policy: no policy type"); +#define ARGV_OR_NULL(ap) ((ap) ? (ap)->argv : 0) + switch (policy_type_val = convert_tlsrpt_policy_type(tls->ext_policy_type)) { case TLSRPT_POLICY_STS: trw_set_tls_policy(state->tlsrpt, policy_type_val, - (const char *const *) tls->ext_policy_strings->argv, + (const char *const *) ARGV_OR_NULL(tls->ext_policy_strings), tls->ext_policy_domain, - (const char *const *) tls->ext_mx_host_patterns->argv); + (const char *const *) ARGV_OR_NULL(tls->ext_mx_host_patterns)); break; case TLSRPT_NO_POLICY_FOUND: smtp_tlsrpt_set_no_policy(state);
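Review bot: In the HISTORY hunk (and the matching postfix-bdb.changes entry), the 20251120 entry closes the second command with a mismatched quote, "postconf -#', and the 20251031 entry writes "date 20250117" without the colon that the other entries use ("date: 20240902"). Both should be normalized so the entries can be found with one search pattern.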
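Review bot: In the postconf_edit.c hunk (-209), the new guard "edit_value && cvalue->value && strcmp(edit_value, cvalue->value) != 0" does more than keep a null cvalue->value away from the '%s' in msg_warn: it also silences the warning when a repeated request carries the same value, and whenever either side has no value. A short comment saying which edit modes have no value, and that identical repeats are deliberately quiet, would stop a later cleanup from simplifying the condition back into the crash. The multi-line msg_warn under an unbraced if, nested in a braced block, would also be safer with its own braces.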
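Review bot: In the first smtp_tls_policy.c hunk (-187), both new log calls fall back to an empty string when tls->ext_policy_domain is null, so the warning ends in "for ''", which is awkward to search for or alert on; a visible placeholder would serve log consumers better. The same ternary appears in msg_info and msg_warn, so computing it once into a local before the loop would keep the two messages in step. Note also that msg_warn now fires on every call that leaves the loop without a match, so the expected log volume per delivery attempt deserves a sentence in the parameter documentation.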
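Review bot: In the second smtp_tls_policy.c hunk (-725), the new var_smtp_tls_wrappermode branch carries no comment explaining why the cap is TLS_LEV_ENCRYPT and not TLS_LEV_MAY; the reason (TLS can be optional only for connections that use STARTTLS) is stated only in HISTORY and belongs above the branch. The msg_verbose line "no tls policy lookup" also does not record the resulting level, so a verbose log cannot show that a connection configured above 'encrypt' was capped to unauthenticated 'encrypt'. Logging tls->level after the cap would make that downgrade auditable.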
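Review bot: In the smtp_tlsrpt.c hunk (-306), ARGV_OR_NULL turns the caller's null dereference into a null array argument to trw_set_tls_policy(), and nothing in the visible lines shows that the callee accepts a null policy-string or MX-pattern array. State that contract in a comment next to the call, or pass an empty array. tls->ext_policy_domain is still passed unguarded here, although the smtp_tls_policy.c hunk treats it as possibly null. The macro is defined in the middle of the function with no #undef, so moving it to file scope or undefining it after the switch would keep it from leaking into the rest of the file.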
