Changelog:
20180617
Bugfix (introduced: Postfix 2.11): minor memory leak when
minting issuer certs. This affects a tiny minority of use
cases. Viktor Dukhovni, based on a fix by Juan Altmayer
Pizzorno for the ssl_dane library.
20180817
Workaround: postconf build did not abort if the m4 command
is not installed (on a system that does have the make
command, the awk command, the perl command, and the C
compiler?!).
20181104
Multiple 'bit rot' fixes for OpenSSL API changes, including
support to disable TLSv1.3, to avoid issuing multiple session
tickets, and to allow OpenSSL >= 1.1.0 run-time micro version
bumps without complaining about library version mismatches.
Viktor Dukhovni.
20181106
Bugfix (introduced: 3.0): smtpd_discard_ehlo_keywords could
not disable "SMTPUTF8", because the lookup table was using
"EHLO_MASK_SMTPUTF8" instead.
20181110
Documentation: update documentation for Postfix versions
that support disabling TLS 1.3.
20181117
Improved logging of TLS 1.3 summary information, and improved
reporting of the same info in Received: message headers.
Viktor Dukhovni.
MFH: 2018Q4
Simplify some ports where DragonFlyBSD no longer needs to be special-cased.
Submitted by: rene
Reviewed by: bapt, jbeich
Differential Revision: https://reviews.freebsd.org/D17724
First definition of MARIADB_VERSION_ID can be found in mariadb102
therefore we have to use MARIADB_BASE_VERSION which is defined in
mariadb55 and mariadb10x
PR: 226266 [1], 220224
Reported by: Zilon [1]
- license is now dual (see Changelog 20180127)
- make EAI optional but on by default [1]
Changelog:
20171116
Bugfix (introduced: Postfix 2.1): don't log warnings
that some restriction returns OK, when the access map
DISCARD feature is in effect. File: smtpd/smtpd_check.c.
20171215
Bugfix (introduced: 20170611): the DB_CONFIG bugfix broke
Berkeley DB configurations with a relative pathname. File:
util/dict_db.c.
20171218
Workaround: reportedly, some res_query(3) implementations
can return -1 with h_errno==0. Instead of terminating with
a panic, the Postfix DNS client now logs a warning and sets
h_errno to TRY_AGAIN. File: dns/dns_lookup.c.
20171226
Documentation patches by Sven Neuhaus. Files:
proto/FORWARD_SECRECY_README.html, proto/MILTER_README.html,
proto/SMTPD_ACCESS_README.html.
20180106
Cleanup: missing mailbox seek-to-end error check in the
local(8) delivery agent. File: local/mailbox.c.
Cleanup: incorrect mailbox seek-to-end error message in the
virtual(8) delivery agent. File: virtual/mailbox.c.
20180127
Licence: in addition to the historical IBM Public License
1.0, this software is now also distributed with the more
recent Eclipse Public License 2.0. Recipients can choose
to take the software under the license of their choice.
Those who are more comfortable with the IPL can continue
with that license. File: LICENSE.
PR: ports/221619 [1]
Submitted by: Kubilay Kocak (koobs@)
MFH: 2018Q1
Changelog:
* DANE interoperability. Postfix builds with OpenSSL 1.0.0 or 1.0.1
failed to send email to some sites with "TLSA 2 X X" DNS records
associated with an intermediate CA certificate. Problem report and
initial fix by Erwan Legrand.
* Missing dynamicmaps support in the Postfix sendmail command. This
broke authorized_submit_users settings that use a dynamically-loaded
map type. Problem reported by Ulrich Zehl.
PR: 223804
Submitted by: zeising
Approved by: maintainer timeout
- When using "make -s install" the build can fail because the
essential modifications to the port build are not made correctly.
# make -s VECHO
true
# make -s VECHO_CMD
echo
PR: 222988
Submitted by: Franco Fichtner <franco@opnsense.org>
Approved by: ohauer (maintainer timeout)
Changelog:
20170620
Bugfix (introduced: Postfix 3.2) extension propagation was
broken with "recipient_delimiter = .". This change reverts
a change that was trying to be too clever. Files:
global/mail_addr_crunch.c, global/mail_addr_crunch.ref.
20170910
Safety: restore sanity checks for dynamically-specified
width and precision in format strings (%*, %.*, and %*.*).
These checks were lost with the Postfix 3.2.2 rewrite of
the vbuf_print formatter. File: vbuf_print.c.
20170923
Bugfix (introduced: Postfix 3.2): panic in the postqueue
command after output write error while listing the queue.
This change restores a write error check that was lost with
the Postfix 3.2.2 rewrite of the vbuf_print formatter.
Problem reported by Andreas Schulze. File: util/vbuf_print.c.
- adjust PORTSCOUT
Changelog:
20170221
Compatibility fix (introduced: Postfix 3.1): some Milter
applications do not recognize macros sent as {name} when
macros have single-character names. Postfix now sends such
macros without {} as it has done historically. Viktor
Dukhovni. File: milter/milter.c.
20170402
Bugfix (introduced: Postfix 3.2): restore the SMTP server
receive override options at the end of an SMTP session,
after the options may have been modified by an smtpd_milter_maps
setting of "DISABLE". Problem report by Christian Rößner,
root cause analysis by Viktor Dukhovni. File: smtpd/smtpd.c.
20170430
Safety net: append a null byte to vstring buffers, so that
C-style string operations won't scribble past the end. File:
vstring.c.
20170531
Bugfix (introduced: Postfix 3.2): after the table lookup
overhaul, the check_sender_access and check_recipient_access
features ignored the parent_domain_matches_subdomains
setting. Reported by Henrik Larsson. File: smtpd/smtpd_check.c.
20170610
Workaround (introduced: Postfix 3.0 20140718): prevent MIME
downgrade of Postfix-generated message/delivery status.
It's supposed to be 7bit, therefore quoted-printable encoding
is not expected. Problem reported by Griff. File:
bounce/bounce_notify_util.c.
20170611
Security: Berkeley DB 2 and later try to read settings from
a file DB_CONFIG in the current directory. This undocumented
feature may introduce undisclosed vulnerabilities resulting
in privilege escalation with Postfix set-gid programs
(postdrop, postqueue) before they chdir to the Postfix queue
directory, and with the postmap and postalias commands
depending on whether the user's current directory is writable
by other users. This fix does not change Postfix behavior
for Berkeley DB < 3, but reduces file create performance
for Berkeley DB 3 .. 4.6. File: util/dict_db.c.
PR: 219996
Reported by: Markus Kohlmeyer
MFH: 2017Q2
This release ends support for legacy release Postfix 2.10.
The main changes in no particular order are:
* Elliptic curve negotiation with OpenSSL ≥ 1.0.2. This changes the default
smtpd_tls_eecdh_grade setting to "auto", and introduces a new parameter
tls_eecdh_auto_curves with the names of curves that may be negotiated.
* Stored-procedure support for MySQL databases. Contributed by John Fawcett.
See the mysql_table(5) manpage for details.
* Cidr: table support for if/endif and negation (by prepending ! to a pattern),
just like regexp: and pcre: tables. See the cidr_table(5) manpage for details.
* The postmap command and the inline: and texthash: maps now support spaces in
left-hand field of lookup table source text. Use double quotes (") around a
left-hand field that contains spaces, and use backslash (\) to protect quotes
in a left-hand field.
* Support for per-client Milter configuration (smtpd_milter_maps) that
overrides the main.cf smtpd_milters setting, and that has the same syntax. A
lookup result of "DISABLE" turns off Milter support for that client. See
MILTER_README.html for details.
* The local SMTP server IP address and port are available in the policy
delegation protocol (attribute names: server_address, server_port), in the
Milter protocol (macro names: {daemon_addr}, {daemon_port}), and in the XCLIENT
protocol (attribute names: DESTADDR, DESTPORT).
* For safety reasons, the Postfix sendmail -C option must specify an authorized
directory: the default configuration directory, a directory that is listed in
the default main.cf file with alternate_config_directories or
multi_instance_directories, otherwise the command must be invoked with root
privileges. This mitigates a recurring "jail break" problem with the PHP mail()
function.
* "PASS" and "STRIP" actions in header/body_checks. "STRIP" is similar to
"IGNORE" but also logs the action, and "PASS" disables header, body, and Milter
inspection for the remainder of the message content. Contributed by Hobbit.
* The collate.pl script by Viktor Dukhovni for grouping Postfix logfile records
into "sessions" based on queue ID and process ID information, in the
auxiliary/collate directory of the Postfix source tree.
Disabled or removed behavior:
* SMTPUTF8 support: Postfix 3.2 disables the 'transitional' compatibility
between the IDNA2003 and IDNA2008 standards for internationalized domain names
(domain names beyond the limits of US-ASCII). This makes Postfix behavior
consistent with contemporary web browsers. See RELEASE_NOTES for more.
* Postfix 3.2 removes tentative features that were implemented before the DANE
spec was finalized: support for certificate usage PKIX-EE(1), the ability to
disable digest agility, and the ability to disable support for "TLSA 2 [01]
[12]" records that specify the digest of a trust anchor. See RELEASE_NOTES for
more.
PR: 218697
Submitted by: pi
Reviewed by: flo
Approved by: maintainer timeout
Changelog:
20161105
Bugfix (introduced: Postfix 1.1): the postsuper command did not count a
successful rename operation after error recovery.
20161204
Bugfix (introduced: Postfix 3.1): cut-and-paste error in the "postfix
tls deploy-server-cert" command, causing the wrong certfile and keyfile
to be used.
Robustness: create a new keyfile when "postfix tls new-server-cert" is
invoked and main.cf specifies a non-existent keyfile.
20161206
Bugfix (introduced: Postfix 3.0): when receiving a MAIL FROM...SMTPUTF8
command while smtpd_delay_reject=no, enable SMTPUTF8 support before
processing smtpd_sender_restrictions.
20161220
Bugfix (introduced: Postfix 2.1.0): the Postfix SMTP daemon did not query
sender_canonical_maps when rejecting unknown senders with
"smtpd_reject_unlisted_recipient = yes" or with reject_unlisted_sender.
MFH: 2017Q1
The only reason to use post-stage is because the port needs to do
"things" at a later time, like some plist manipulation.
While there, fold post-install in do-install targets when they are
defined.
PR: 214780
Submitted by: mat
Exp-run by: antoine
Sponsored by: Absolight
Changelog:
20160911
Bugfix (introduced: Postfix 3.0): the SMTP daemon did not
reset a previous session's command counts before rejecting
a client that exceeds request or concurrency rates. File:
smtpd/smtpd.c.
20160917
Bugfix (introduced: Postfix 3.0): the unionmap did not
propagate table lookup errors. Based on patch by Roel van
Meer. Files: util/dict_union.c, util/dict_union_test.*.
20160925
Workaround (problem introduced: Postfix 2.11): to avoid
false "not found" errors with MySQL map queries that contain
UTF8-encoded text, specify "option_group = client" in Postfix
MySQL configuration files. This will be the default setting
with Postfix 3.2 and later.
- Clean up the Makefile.
- Follow some upstream recommendations (--with-data-packaging=archive,
--disable-renaming, -DICU_NO_USER_DATA_OVERRIDE).
- Patch makefiles to install static libraries with INSTALL_DATA so they
aren't stripped.
- Patch config/mh-bsd-gcc to sync with config/mh-linux-gcc.
- Fix endianness detection in ICU. The code wanted to use BYTE_ORDER
defined in machine/endian.h, but this isn't visible because ICU is
compiled with _XOPEN_SOURCE. Patch the code to use _BYTE_ORDER instead.
- Compile ICU with C++11 compiler to enable move constructors.
- Patch ICU to fix a problem with atomics in the case of a C++11 compiler
without C++11 header <atomic> (like Clang on FreeBSD 9).
- Bump all ports that depend on it due to library version change.
- Add USES=compiler:c++0x to some ports that pick up -std=c++0x from ICU
pkgconfig files.
- Add USES=compiler:c++11-lib to graphics/libcdr01 because it also needs
a C++11 runtime library now. Add this to all ports that depend on it
so their executables load the right libstdc++.so on FreeBSD 9.
PR: 205120
Exp-run by: antoine
Approved by: portmgr (antoine)
20160819
Bugfix (introduced: Postfix 3.0): the makedefs script ignored
readme_directory=pathname overrides. Fix by Todd C. Olson.
File: makedefs.
20160821
Bugfix (introduced: Postfix 3.0): the tls_session_ticket_cipher
documentation says aes-256-cbc, but the implementation was
using aes-128-cbc (note that Postfix SMTP server and client
processes have a limited life time).
20160828
Bitrot: fixes for incompatible OpenSSL 1.1.0 API changes.
Viktor Dukhovni. Files: posttls-finger/posttls-finger.c,
tls/tls.h, tls/tls_dane.c, tls/tls_verify.c, tls/tls_server.c,
tls/tls_client.c.
Users updating from postfix 2.11 should read:
ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-3.0.0.RELEASE_NOTES
ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-3.1.0.RELEASE_NOTES
Dovecot SASL does not need any dependency; from now on it will always be built into postfix
and be the default SASL unless Cyrus is also added (there is no conflict between them)
- add support for FreeBSD 10.3 mailwrapper (install mailer.conf into LOCALBASE/mail instead of /etc/mail)
- add better reload support to rc script
- display correct path in pkg-message
- add support for postfix-sasl slave port
- bump PORTREVISION
Many Thanks to all testers!
PR: 195662
PR: 205162
- install postfix specific mailer.conf.postfix into DATADIR [2]
- use new notation instead of PATCH_DIST_STRIP
- bump PORTREVISION
1) detect if the port is installed without TERM, in this case
do not ask the user to make postfix the default mailer and respect
the env POSTFIX_DEFAULT_MTA. This helps tools like salt,
ansible, cfengine and puppet during the first package installation.
2) $DATADIR/mailer.conf.postfix can be used by the tools in 1)
MFH: 2016Q1
- Support multiple values in *_OLD_CMD, i.e. we can now fix both "/usr/bin/python" and "/usr/bin/env python" at the same time
- Default *_OLD_CMD values are now always appended, so you don't need to specify them in individual ports
- Add lua support (depends on USES=lua)
- Add more default values, such as "/usr/bin/env foo" for python, perl, bash, ruby and lua
- Shebangfix now matches whole words, e.g. we will no longer (erroneously) replace "/usr/bin/perl5.005" with "${perl_CMD}5.005" (but "/usr/bin/perl -tt" is still (correctly) replaced with "${perl_CMD} -tt")
Note that *_OLD_CMD items containing spaces must now be quoted (e.g. perl_OLD_CMD=/bin/perl /usr/bin/perl "/usr/bin/env perl")
Update shebangfix usage according to new rules in many ports:
- Remove *_OLD_CMD for patterns now replaced by default
- Quote custom *_OLD_CMD which contain spaces
Fix shebangfix usage in many ports (irrelevant to infrastructure change):
- Remove redundant SHEBANG_LANG (no need to duplicate default langs)
- Remove redundant *_CMD (such as python_CMD=${LOCALBASE}/bin/python${PYTHON_VER} when USES=python is present)
- Never use *_OLD_CMD in REINPLACE_CMD matchers, these should always look for exact string
Approved by: portmgr (bapt)
Differential Revision: D3756
- use target helpers
ChangeLog:
20150903
Workaround: disable DNSSEC support for AIX 7x and earlier.
The AIX 6/7 resolver(5) API defines RES_USE_DNSSEC without
defining the "ad" bit. Viktor Dukhovni. Files: makedefs,
proto/INSTALL.html, dns/dns.h.
20150923
Bugfix (introduced: 20120531-617): the Postfix SMTP server
used a larger-than-1 VSTREAM buffer to read the HAProxy
connection hand-off information. This broke TLS wrappermode,
as the TLS hello packet would end up in the plaintext VSTREAM
buffer. Reported by Lukas Erlacher. File: smtpd/smtpd_haproxy.c.
20150924
Bugfix (introduced: 20090216-24): incorrect postmulti error
message. Reported by Patrik Koetter. Fix by Viktor Dukhovni.
File: postmulti/postmulti.c.
Workaround: don't create a new instance when the template
main.cf and master.cf files are missing, as happens on
Debian-like systems. Viktor Dukhovni. File: conf/postmulti-script.
20150925
Bugfix (introduced: 19970309, fixed 20150421 in development
release): reset errno before calling readdir(), in order
to distinguish between an end-of-directory and an error
condition. File: scandir.c.
20150930
Bugfix (introduced: 20040124): Milter client panic while
adding a header, because the PREPEND action used the same
output function for header_checks and body_checks. Viktor
Dukhovni and Wietse. File: cleanup/cleanup_message.c.
Bugfix (introduced: 20031128): xtext_unquote() did not
propagate error reports from xtext_unquote_append(), causing
the decoder to return partial output, instead of rejecting
malformed input. Fix by Krzysztof Wojta. File: global/xtext.c.
20150501
Support for Linux 4.*, and some simplification for future
makedefs files. Files: makedefs, util/sys_defs.h.
20150718
Security: opportunistic TLS by default uses "medium" or
stronger ciphers instead of "export" or stronger. See the
RELEASE_NOTES file for how to get the old settings back.
Files: global/mail_params.h, proto/TLS_README.html,
proto/postconf.proto, and files derived from those.
20150719
Security: Postfix TLS support by default no longer uses
SSLv2 or SSLv3. See the RELEASE_NOTES file for how to get
the old settings back. Files: global/mail_params.h,
proto/postconf.proto, and files derived from those.
Incompatible change with Postfix 2.11.6 / 3.0.2
-------------------------------------------------
As of the middle of 2015, all supported Postfix releases no longer
enable "export" grade ciphers for opportunistic TLS, and no longer
use the deprecated SSLv2 and SSLv3 protocols for mandatory or
opportunistic TLS.
These changes are very unlikely to cause problems with server-to-server
communication over the Internet, but they may result in interoperability
problems with ancient client or server implementations on internal
networks. To address this problem, you can revert the changes with:
Postfix SMTP client settings:
    lmtp_tls_ciphers = export
    smtp_tls_ciphers = export
    lmtp_tls_protocols = !SSLv2
    smtp_tls_protocols = !SSLv2
    lmtp_tls_mandatory_protocols = !SSLv2
    smtp_tls_mandatory_protocols = !SSLv2
Postfix SMTP server settings:
    smtpd_tls_ciphers = export
    smtpd_tls_protocols =
    smtpd_tls_mandatory_protocols = !SSLv2
These settings, if put in main.cf, affect all Postfix SMTP client
or server communication, which may be undesirable. To be more
selective, use "-o name=value" parameter overrides on specific
services in master.cf. Execute the command "postfix reload" to make
the changes effective.
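An added example, not part of the commit log or of Postfix itself: a small Python check that reads main.cf text and reports where the revert settings listed above (or equivalents) are in effect, so a host that still enables "export" grade ciphers or SSLv2/SSLv3 can be found. The sample configuration is constructed, the function names are hypothetical, and the protocol-list handling is a simplified model of the documented "!name" exclusion syntax.

```python
import re

# Parameters named in the release note above (SMTP client, LMTP client, SMTP server).
PARAM = re.compile(r"^(smtpd?|lmtp)_tls_(ciphers|protocols|mandatory_protocols)$")
LEGACY = ("SSLv2", "SSLv3")      # protocols the note says are no longer used
WEAK_GRADES = {"export", "low"}  # cipher grades below "medium"

# Constructed sample main.cf, not taken from a real system.
SAMPLE = """\
# constructed sample
smtp_tls_ciphers = export
smtpd_tls_ciphers = medium
smtpd_tls_protocols =
smtp_tls_mandatory_protocols = !SSLv2,
    !SSLv3
lmtp_tls_protocols = !SSLv2
"""

def parse_main_cf(text):
    """Return {name: value}: skips comments, joins continuation lines, last wins."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current:  # leading whitespace continues a value
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params

def enabled_legacy(value):
    """Legacy protocols left enabled by a protocol list (assumed model:
    an empty list allows everything, "!name" excludes, bare names include)."""
    tokens = [t.lower() for t in re.split(r"[\s,:]+", value) if t]
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    included = {t for t in tokens if not t.startswith("!")}
    return [p for p in LEGACY if p.lower() not in excluded
            and (not included or p.lower() in included)]

def audit(text):
    """Return (parameter, problem) pairs, sorted by parameter name."""
    findings = []
    for name, value in sorted(parse_main_cf(text).items()):
        m = PARAM.match(name)
        if not m:
            continue
        if m.group(2) == "ciphers":
            if value.lower() in WEAK_GRADES:
                findings.append((name, f"cipher grade '{value}' is below medium"))
        elif enabled_legacy(value):
            findings.append((name, "legacy protocols enabled: "
                             + ", ".join(enabled_legacy(value))))
    return findings

if __name__ == "__main__":
    for name, problem in audit(SAMPLE):
        print(f"{name}: {problem}")
```

The output of `postconf -n` has the same `name = value` shape and can be passed to `audit()`; per-service "-o name=value" overrides in master.cf are not covered by this check.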