Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package postfix for openSUSE:Factory checked in at 2024-02-09 23:51:52 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/postfix (Old) and /work/SRC/openSUSE:Factory/.postfix.new.1815 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "postfix" Fri Feb 9 23:51:52 2024 rev:235 rq:1145294 version:3.8.5 Changes: --------
--- /work/SRC/openSUSE:Factory/postfix/postfix-bdb.changes 2024-01-26 22:46:30.462556839 +0100
+++ /work/SRC/openSUSE:Factory/.postfix.new.1815/postfix-bdb.changes 2024-02-09 23:52:06.994524273 +0100
@@ -9,0 +10,23 @@
+Sat Jan 6 22:41:09 UTC 2024 - ch...@computersalat.de
+
+- rework fix for bsc#1192173: keep myhostname and mydestination
+ patched, but with upstream default to have them in correct place
+ when updated via config.postfix
+- rework SMTP Smuggling defaults
+ * yes is now alias of 'normalize'
+ smtpd_forbid_bare_newline = normalize
+ * another new option is 'reject' wich should be used in connection
+ with
+ smtpd_forbid_bare_newline_reject_code = 521
+- rework patches
+ * postfix-bdb-main.cf.patch
+ * postfix-main.cf.patch
+- rebase patches
+ * postfix-linux45.patch
+ * postfix-ssl-release-buffers.patch
+ * postfix-vda-v14-3.0.3.patch
+ * set-default-db-type.patch
+- sync changes files
+ * add missing entries in postfix-bdb.changes
+
+-------------------------------------------------------------------
@@ -20 +43 @@
-- update to 3.8.4
+- update to 3.8.4 (bsc#1218304, CVE-2023-51764):
@@ -24 +47 @@
- https://www.postfix.org/smtp-smuggling.html.
+ https://www.postfix.org/smtp-smuggling.html
@@ -114,0 +138,6 @@
+Thu May 4 11:23:41 UTC 2023 - Dominique Leuenberger <dims...@opensuse.org>
+
+- Add _multibuild to define 2nd spec file as additional flavor.
+ Eliminates the need for source package links in OBS.
+
+-------------------------------------------------------------------
@@ -192 +221,6 @@
-Mon Nov 14 15:07:44 UTC 2022 - Peter Varkoly <vark...@suse.com>
+Wed Jan 18 12:09:13 UTC 2023 - Hu <cathy...@suse.com>
+
+- Fix SELinux labeling issue caused by /usr/sbin/config.postfix (bsc#1207227).
+
+-------------------------------------------------------------------
+Mon Nov 14 15:05:42 UTC 2022 - Peter Varkoly <vark...@suse.com>
--- /work/SRC/openSUSE:Factory/postfix/postfix.changes 2024-01-26 22:46:30.538559576 +0100
+++ /work/SRC/openSUSE:Factory/.postfix.new.1815/postfix.changes 2024-02-09 23:52:07.182531048 +0100
@@ -9,0 +10,23 @@
+Sat Jan 6 22:41:09 UTC 2024 - ch...@computersalat.de
+
+- rework fix for bsc#1192173: keep myhostname and mydestination
+ patched, but with upstream default to have them in correct place
+ when updated via config.postfix
+- rework SMTP Smuggling defaults
+ * yes is now alias of 'normalize'
+ smtpd_forbid_bare_newline = normalize
+ * another new option is 'reject' wich should be used in connection
+ with
+ smtpd_forbid_bare_newline_reject_code = 521
+- rework patches
+ * postfix-bdb-main.cf.patch
+ * postfix-main.cf.patch
+- rebase patches
+ * postfix-linux45.patch
+ * postfix-ssl-release-buffers.patch
+ * postfix-vda-v14-3.0.3.patch
+ * set-default-db-type.patch
+- sync changes files
+ * add missing entries in postfix-bdb.changes
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ postfix-bdb.spec ++++++
--- /var/tmp/diff_new_pack.EuTgXM/_old 2024-02-09 23:52:08.886592453 +0100
+++ /var/tmp/diff_new_pack.EuTgXM/_new 2024-02-09 23:52:08.886592453 +0100
@@ -128,14 +128,14 @@ %endif # /usr/lib/postfix/bin//post-install: line 667: ed: command not found Requires(pre): ed -Requires(preun):ed +Requires(preun): ed Requires(post): ed -Requires(postun):ed +Requires(postun): ed # /usr/sbin/config.postfix needs perl Requires(pre): perl -Requires(preun):perl +Requires(preun): perl Requires(post): perl -Requires(postun):perl +Requires(postun): perl %description Postfix aims to be an alternative to the widely-used sendmail program with bdb support ++++++ postfix.spec ++++++ --- /var/tmp/diff_new_pack.EuTgXM/_old 2024-02-09 23:52:08.930594039 +0100 +++ /var/tmp/diff_new_pack.EuTgXM/_new 2024-02-09 23:52:08.934594183 +0100 @@ -110,14 +110,14 @@ %endif # /usr/lib/postfix/bin//post-install: line 667: ed: command not found Requires(pre): /usr/bin/ed -Requires(preun):/usr/bin/ed +Requires(preun): /usr/bin/ed Requires(post): /usr/bin/ed -Requires(postun):/usr/bin/ed +Requires(postun): /usr/bin/ed # /usr/sbin/config.postfix needs perl Requires(pre): perl -Requires(preun):perl +Requires(preun): perl Requires(post): perl -Requires(postun):perl +Requires(postun): perl %description Postfix aims to be an alternative to the widely-used sendmail program. ++++++ postfix-bdb-main.cf.patch ++++++ --- /var/tmp/diff_new_pack.EuTgXM/_old 2024-02-09 23:52:09.002596633 +0100 +++ /var/tmp/diff_new_pack.EuTgXM/_new 2024-02-09 23:52:09.002596633 +0100 @@ -2,7 +2,7 @@ =================================================================== --- conf/main.cf.orig +++ conf/main.cf -@@ -567,6 +567,7 @@ unknown_local_recipient_reject_code = 55 +@@ -576,6 +576,7 @@ unknown_local_recipient_reject_code = 55 # #smtpd_banner = $myhostname ESMTP $mail_name #smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) @@ -10,7 +10,7 @@ # PARALLEL DELIVERY TO THE SAME DESTINATION # -@@ -673,4 +674,140 @@ sample_directory = +@@ -682,4 +683,165 @@ sample_directory = # readme_directory: The location of the Postfix README files. # readme_directory = 
@@ -39,8 +39,8 @@ +masquerade_classes = envelope_sender, header_sender, header_recipient +masquerade_domains = +masquerade_exceptions = -+mydestination = $myhostname, localhost.$mydomain -+myhostname = localhost ++mydestination = $myhostname, localhost.$mydomain, localhost ++myhostname = +mynetworks_style = subnet +relayhost = + @@ -70,6 +70,19 @@ +smtpd_recipient_restrictions = + + ++###################################################################### ++# SMTP Smuggling (CVE-2023-51764) ++# no: allows SMTP smuggling ++# yes / normalize : ++# but allow local clients with non-standard SMTP implementations ++# such as netcat, fax machines, or load balancer health checks. ++# reject: ++# rejects a command or message that contains a bare newline ++###################################################################### ++smtpd_forbid_bare_newline = normalize ++smtpd_forbid_bare_newline_exclusions = $mynetworks ++#smtpd_forbid_bare_newline_reject_code = 521 ++ +############################################################ +# SASL stuff +############################################################ @@ -93,6 +106,7 @@ +smtp_use_tls = no +#smtp_tls_loglevel = 0 +smtp_enforce_tls = no ++smtp_tls_security_level = +smtp_tls_CAfile = +smtp_tls_CApath = +smtp_tls_cert_file = @@ -103,6 +117,8 @@ + +smtpd_use_tls = no +#smtpd_tls_loglevel = 0 ++smtpd_enforce_tls = no ++smtpd_tls_security_level = +smtpd_tls_CAfile = +smtpd_tls_CApath = +smtpd_tls_cert_file = 
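Review bot: The added `+myhostname =` line in hunk `@@ -39,8 +39,8 @@` ships an empty value, and as far as I know Postfix does not read an empty `myhostname` as "use the built-in default" but stops with a bad-string-length error. If so, the template only works when config.postfix fills the value in before the first start, which this hunk does not show. If the line is meant as a positional placeholder, as the changelog suggests, a comment above it such as `# filled in by config.postfix; must not stay empty` would make that dependency visible. The same pair of lines is added in postfix-main.cf.patch (hunk `@@ -79,6 +79,8 @@`). The main.cf block these lines belong to starts and ends outside the hunk.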
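Review bot: The `yes / normalize :` entry of the comment block added in hunk `@@ -70,6 +70,19 @@` has no description of its own. The text under it ("but allow local clients ...") starts mid-sentence and really describes `smtpd_forbid_bare_newline_exclusions`, so an administrator cannot tell that `normalize` still accepts bare-LF line endings and only insists on the standard End-of-DATA sequence. I would word the entry as `# yes / normalize: require <CR><LF>.<CR><LF> as End-of-DATA; other bare <LF> is handled as <CR><LF>` and move the local-clients sentence directly above the exclusions line. The commented `smtpd_forbid_bare_newline_reject_code = 521` should also say that it only takes effect with `reject`. The identical block is added in postfix-main.cf.patch (hunk `@@ -107,12 +109,19 @@`).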
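Review bot: The empty `+smtp_tls_security_level =` added in hunk `@@ -93,6 +106,7 @@` sits next to `smtp_use_tls = no` and `smtp_enforce_tls = no` with no hint which parameter family wins; the same applies to `+smtpd_tls_security_level =` in hunk `@@ -103,6 +117,8 @@`. As written, the template still ships with TLS off in both directions. A non-empty `*_tls_security_level` overrides the legacy `*_use_tls` / `*_enforce_tls` settings, which deserves a comment such as `# empty: legacy smtp_use_tls/smtp_enforce_tls apply; 'may' enables opportunistic TLS`. Whether config.postfix rewrites these values later is not visible in these hunks.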
@@ -111,9 +127,17 @@ +smtpd_tls_exclude_ciphers = RC4 +smtpd_tls_received_header = no +############################################################ ++# OpenDKIM ++############################################################ ++#smtpd_milters = unix:/run/opendkim/opendkim.sock ++#non_smtpd_milters = $smtpd_milters ++#milter_default_action = accept ++#milter_protocol = 2 ++############################################################ +# Start MySQL from postfixwiki.org +############################################################ +relay_domains = $mydestination, hash:/etc/postfix/relay ++#relay_recipient_maps = hash:/etc/postfix/relay_recipients +#virtual_alias_domains = +#virtual_alias_maps = hash:/etc/postfix/virtual +#virtual_uid_maps = static:303 @@ -146,6 +170,7 @@ +#unknown_client_reject_code = 550 +#unknown_hostname_reject_code = 550 +#unverified_recipient_reject_code = 550 ++#unverified_sender_reject_code = 550 +#soft_bounce = yes +############################################################ +#debug_peer_list = example.com ++++++ postfix-linux45.patch ++++++ --- /var/tmp/diff_new_pack.EuTgXM/_old 2024-02-09 23:52:09.018597210 +0100 +++ /var/tmp/diff_new_pack.EuTgXM/_new 2024-02-09 23:52:09.022597354 +0100 @@ -2,6 +2,8 @@ makedefs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) +Index: makedefs +=================================================================== --- makedefs.orig +++ makedefs @@ -631,8 +631,8 @@ EOF ++++++ postfix-main.cf.patch ++++++ --- /var/tmp/diff_new_pack.EuTgXM/_old 2024-02-09 23:52:09.034597786 +0100 +++ /var/tmp/diff_new_pack.EuTgXM/_new 2024-02-09 23:52:09.038597931 +0100 @@ -50,7 +50,7 @@ # PARALLEL DELIVERY TO THE SAME DESTINATION # -@@ -682,4 +683,155 @@ sample_directory = +@@ -682,4 +683,165 @@ sample_directory = # readme_directory: The location of the Postfix README files. # readme_directory = 
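Review bot: The commented OpenDKIM sample in hunk `@@ -111,9 +127,17 @@` pairs `#milter_default_action = accept` with `#milter_protocol = 2` without saying what either implies. `accept` is fail-open: when the milter socket is unreachable, mail is handled as if no filter were configured, so a site that uncomments the block silently sends unsigned or accepts unverified mail during an outage. A one-line comment such as `# accept = fail-open; use tempfail to defer mail while the milter is down` would make the trade-off explicit. Protocol version 2 is older than the Postfix default of 6, so the `milter_protocol` line is probably best dropped unless the packaged OpenDKIM needs it. The surrounding main.cf block starts and ends outside this hunk.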
@@ -79,6 +79,8 @@ +masquerade_classes = envelope_sender, header_sender, header_recipient +masquerade_domains = +masquerade_exceptions = ++mydestination = $myhostname, localhost.$mydomain, localhost ++myhostname = +mynetworks_style = subnet +relayhost = + @@ -107,12 +109,19 @@ + +smtpd_recipient_restrictions = + -+# mitigation for CVE-2023-51764 - SMTP smuggling attack -+# but allow local clients with non-standard SMTP implementations -+# such as netcat, fax machines, or load balancer health checks. -+# -+smtpd_forbid_bare_newline = yes ++ ++###################################################################### ++# SMTP Smuggling (CVE-2023-51764) ++# no: allows SMTP smuggling ++# yes / normalize : ++# but allow local clients with non-standard SMTP implementations ++# such as netcat, fax machines, or load balancer health checks. ++# reject: ++# rejects a command or message that contains a bare newline ++###################################################################### ++smtpd_forbid_bare_newline = normalize +smtpd_forbid_bare_newline_exclusions = $mynetworks ++#smtpd_forbid_bare_newline_reject_code = 521 + +############################################################ +# SASL stuff @@ -168,7 +177,7 @@ +# Start MySQL from postfixwiki.org +############################################################ +relay_domains = $mydestination, lmdb:/etc/postfix/relay -+relay_recipient_maps = lmdb:/etc/postfix/relay_recipients ++#relay_recipient_maps = lmdb:/etc/postfix/relay_recipients +#virtual_alias_domains = +#virtual_alias_maps = lmdb:/etc/postfix/virtual +#virtual_uid_maps = static:303 
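Review bot: Hunk `@@ -168,7 +177,7 @@` comments out `relay_recipient_maps` while `relay_domains = $mydestination, lmdb:/etc/postfix/relay` stays active, so the SMTP server has no recipient list for relay domains. It then accepts mail for any address in them and leaves rejection to the next hop, which produces bounces and backscatter. This may be the intended packaging default, presumably because the referenced table does not exist on a fresh install, but the template should say so. A comment such as `# unset: every recipient in $relay_domains is accepted; set this to reject unknown relay users at SMTP time` would do. The bdb variant adds the same commented line in postfix-bdb-main.cf.patch (hunk `@@ -111,9 +127,17 @@`).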
@@ -201,6 +210,7 @@ +#unknown_client_reject_code = 550 +#unknown_hostname_reject_code = 550 +#unverified_recipient_reject_code = 550 ++#unverified_sender_reject_code = 550 +#soft_bounce = yes +############################################################ +#debug_peer_list = example.com ++++++ postfix-ssl-release-buffers.patch ++++++ --- /var/tmp/diff_new_pack.EuTgXM/_old 2024-02-09 23:52:09.082599516 +0100 +++ /var/tmp/diff_new_pack.EuTgXM/_new 2024-02-09 23:52:09.090599804 +0100 @@ -2,7 +2,7 @@ =================================================================== --- src/tls/tls_client.c.orig +++ src/tls/tls_client.c -@@ -693,6 +693,11 @@ TLS_APPL_STATE *tls_client_init(const TL +@@ -700,6 +700,11 @@ TLS_APPL_STATE *tls_client_init(const TL SSL_CTX_set_security_level(client_ctx, 0); #endif @@ -18,7 +18,7 @@ =================================================================== --- src/tls/tls_server.c.orig +++ src/tls/tls_server.c -@@ -493,6 +493,10 @@ TLS_APPL_STATE *tls_server_init(const TL +@@ -500,6 +500,10 @@ TLS_APPL_STATE *tls_server_init(const TL SSL_CTX_set_security_level(sni_ctx, 0); #endif ++++++ postfix-vda-v14-3.0.3.patch ++++++ --- /var/tmp/diff_new_pack.EuTgXM/_old 2024-02-09 23:52:09.110600525 +0100 +++ /var/tmp/diff_new_pack.EuTgXM/_new 2024-02-09 23:52:09.114600669 +0100 @@ -19,7 +19,7 @@ =================================================================== --- src/global/mail_params.h.orig +++ src/global/mail_params.h -@@ -2657,6 +2657,54 @@ extern char *var_virt_uid_maps; +@@ -2661,6 +2661,54 @@ extern char *var_virt_uid_maps; #define DEF_VIRT_GID_MAPS "" extern char *var_virt_gid_maps; ++++++ set-default-db-type.patch ++++++ --- /var/tmp/diff_new_pack.EuTgXM/_old 2024-02-09 23:52:09.150601967 +0100 +++ /var/tmp/diff_new_pack.EuTgXM/_new 2024-02-09 23:52:09.154602111 +0100 
@@ -69,7 +69,7 @@ =================================================================== --- src/global/mail_params.h.orig +++ src/global/mail_params.h -@@ -2960,7 +2960,7 @@ extern int var_vrfy_pend_limit; +@@ -2964,7 +2964,7 @@ extern int var_vrfy_pend_limit; extern char *var_verify_service; #define VAR_VERIFY_MAP "address_verify_map" @@ -78,7 +78,7 @@ extern char *var_verify_map; #define VAR_VERIFY_POS_EXP "address_verify_positive_expire_time" -@@ -3762,7 +3762,7 @@ extern char *var_multi_cntrl_cmds; +@@ -3776,7 +3776,7 @@ extern char *var_multi_cntrl_cmds; * postscreen(8) */ #define VAR_PSC_CACHE_MAP "postscreen_cache_map"