Changelog
postfix (3.4.14-0+deb10u1) buster; urgency=medium
[Cody Brownstein]
* README.Debian corrections:
- Fix instructions wrt SMTP generic mapping
- Fix authentication configuration example
[Scott Kitterman]
* Updated debian/watch to track postfix 3.4 series for stable updates
* Check GPG signature when downloading new versions via uscan
[Wietse Venema]
* 3.4.11
- No changes that affect Debian 10 (Buster)
* 3.4.12
- Bugfix: segfault in the tlsproxy client role when the server
role was disabled. This typically happens on systems that
do not receive mail, after configuring connection reuse for
outbound TLS. Found during program maintenance. File:
tlsproxy/tlsproxy.c.
- Bugfix (introduced: Postfix 3.4): maillog_file_rotate_suffix
default value used the minute instead of the month. Reported
by Larry Stone. Files: conf/postfix-tls-script,
proto/MAILLOG_README.html, proto/postconf.proto,
global/mail_params.h, postfix/postfix.c.
- Bitrot: avoid U_FILE_ACCESS_ERROR after chroot(), by
initializing the ICU library before making the chroot()
call. Files: util/midna_domain.[hc], global/mail_params.c.
- Noise suppression: avoid "SSL_Shutdown:shutdown while in
init" warnings. File: tls/tls_session.c.
- Bugfix (introduced: Postfix 2.2): a TLS error for a PostgreSQL
client caused a false 'lost connection' error for an SMTP
over TLS session in the same Postfix process. Reported by
Alexander Vasarab, diagnosed by Viktor Dukhovni. File:
tls/tls_bio_ops.c.
- Bugfix (introduced: Postfix 2.8): a TLS error for one TLS
session may cause a false 'lost connection' error for a
concurrent TLS session in the same tlsproxy process. File:
tlsproxy/tlsproxy.c.
* 3.4.13
- Bugfix (introduced: Postfix 3.1): "postfix tls deploy-server-cert"
did not handle a missing optional argument. File:
conf/postfix-tls-script.
- Bugfix (introduced: Postfix 3.4): in the Postfix SMTP server,
the SNI callback reported an error when it was called a
second time. This happened after the server-side TLS engine
sent a TLSv1.3 HelloRetryRequest (HRR) to a remote SMTP
client. Reported by Ján Máté, fixed by Viktor Dukhovni.
File: tls/tls_misc.c.
* 3.4.14
- Bugfix (introduced: Postfix 3.4): the connection_reuse
attribute in smtp_tls_policy_maps resulted in an "invalid
attribute name" error. Fix by Thorsten Habich. File:
smtp/smtp_tls_policy.c.
- Bugfix (introduced: Postfix 3.4): SMTP over TLS connection
reuse was broken for configurations that use explicit trust
anchors. Reported by Thorsten Habich. Cause: the tlsproxy
client was sending a zero certificate length. File:
tls/tls_proxy_client_print.c.
- Bugfix (introduced: Postfix 3.4): SMTP over TLS connection
reuse was broken for configurations that use explicit trust
anchors. Reported by Thorsten Habich. Fixed by calling DANE
initialization unconditionally (WTF). File: tlsproxy/tlsproxy.c.
- Bugfix (introduced: Postfix 2.11): The Postfix smtp(8)
client did not send the right SNI name when the TLSA base
domain was a secure CNAME expansion of the MX hostname (or
non-MX nexthop domain). Domains with CNAME expanded MX hosts
are not conformant with RFC5321, and so are rare. Even more
rare are MX hosts with TLSA records for their CNAME expansion.
For this to matter, the remote SMTP server would also have
to select its certificate based on the SNI name in such a
way that the original MX host would yield a different
certificate. Among the ~2 million hosts in the DANE survey,
none meet the conditions for returning a different certificate
for the expanded CNAME. Therefore, sending the correct SNI
name should not break existing mail flows. Fixed by Viktor
Dukhovni. File: src/tls/tls_client.c.
-- Scott Kitterman <email address hidden> Mon, 29 Jun 2020 21:33:31 -0400
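The 3.4.12 and 3.4.14 entries above touch settings an operator may actually have in place: the maillog_file_rotate_suffix default and the per-destination connection_reuse and tafile attributes in smtp_tls_policy_maps. The following is an added configuration example for checking such a setup against this release; it is not part of the Debian changelog or of Postfix's own documentation, and the domain example.net, the lookup table path and the trust-anchor file path are placeholders.

```conf
# /etc/postfix/main.cf  (added example; paths and domain are placeholders)
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# Site-wide default for outbound TLS connection reuse through tlsproxy(8)
# (Postfix 3.4+). Reuse also needs the tlsproxy service enabled in master.cf.
smtp_tls_connection_reuse = no

# /etc/postfix/tls_policy  (run "postmap /etc/postfix/tls_policy" after editing)
# Per-destination override: verify the peer against an explicit trust-anchor
# file and reuse TLS connections to it. Before 3.4.14 the connection_reuse
# attribute was rejected with "invalid attribute name", and reuse with an
# explicit trust anchor (tafile=) did not work.
example.net   secure match=.example.net tafile=/etc/postfix/example-net-ca.pem connection_reuse=yes
```

After upgrading, `postconf -n smtp_tls_policy_maps smtp_tls_connection_reuse` shows the effective values, and `postconf -d maillog_file_rotate_suffix` should print `%Y%m%d-%H%M%S` (month, `%m`, in the second position) rather than the minute-based default that the 3.4.12 entry describes; if log rotation with `postfix logrotate` is in use, that suffix determines the rotated file name.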