- Update from version 3.8.3 to 3.8.4
- Update of rootfile not required
- Permanent fix for smtp smuggling will be in version 3.9. However the fix has been
backported into version 3.8.4 but with the default for the parameter of "no".
- This patch sets the defaults for all the main.cf parameters highlighted by Wietse
Venema in http://www.postfix.org/smtp-smuggling.html
- Additionally the implementation of smtpd_forbid_bare_newline = yes has been added to
the install.sh pak for postfix so that it will be included into any main.cf file being
restored from backup. This parameter is available for the first time in 3.8.4 so will
not be in any backup prior to this release and can therefore be safely applied to
restored versions of main.cf.
- This fix in install.sh will be able to be removed when version 3.9 is released early
in 2024 as the default for that parameter in that version onwards will then be "yes"
- Changelog
3.8.4
Security: with "smtpd_forbid_bare_newline = yes" (default
"no" for Postfix < 3.9), reply with "Error: bare <LF>
received" and disconnect when an SMTP client sends a line
ending in <LF>, violating the RFC 5321 requirement that
lines must end in <CR><LF>. This prevents SMTP smuggling
attacks that target a recipient at a Postfix server. For
backwards compatibility, local clients are excluded by
default with "smtpd_forbid_bare_newline_exclusions =
$mynetworks". Files: mantools/postlink, proto/postconf.proto,
global/mail_params.h, global/smtp_stream.c, global/smtp_stream.h,
smtpd/smtpd.c.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 3.8.2 to 3.8.3
- Update of rootfile not required
- Changelog
3.8.3
Bugfix (defect introduced Postfix 2.5, date 20080104): the Postfix SMTP server
was waiting for a client command instead of replying immediately, after a
client certificate verification error in TLS wrappermode. Reported by
Andreas Kinzler.
Usability: the Postfix SMTP server (finally) attempts to log the SASL username
after authentication failure. In Postfix logging, this appends
", sasl_username=xxx" after the reason for SASL authentication failure. The
logging replaces an unavailable reason with "(reason unavailable)", and
replaces an unavailable sasl_username with "(unavailable)". Based on code by
Jozsef Kadlecsik.
Compatibility bugfix (defect introduced: Postfix 2.11, date 20130405): in
forward_path, the expression ${recipient_delimiter} would expand to an empty
string when a recipient address had no recipient delimiter. The compatibility
fix is to use a configured recipient delimiter value instead. Reported by
Tod A. Sandman.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Since we have extended services.cgi that it reads the Services field
from the Pakfire metadata, we will need to make sure that that metadata
is going to be on those systems.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Historically, the MD5 checksums in our LFS files serve as a protection
against broken downloads, or accidentally corrupted source files.
While the sources are nowadays downloaded via HTTPS, it make sense to
beef up integrity protection for them, since transparently intercepting
TLS is believed to be feasible for more powerful actors, and the state
of the public PKI ecosystem is clearly not helping.
Therefore, this patch switches from MD5 to BLAKE2, updating all LFS
files as well as make.sh to deal with this checksum algorithm. BLAKE2 is
notably faster (and more secure) than SHA2, so the performance penalty
introduced by this patch is negligible, if noticeable at all.
In preparation of this patch, the toolchain files currently used have
been supplied with BLAKE2 checksums as well on
https://source.ipfire.org/.
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremeripfire.org>
Bumping across one of our scripts with very long trailing whitespaces, I
thought it might be a good idea to clean these up. Doing so, some
missing or inconsistent licence headers were fixed.
There is no need in shipping all these files en bloc, as their
functionality won't change.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
* Add a Summary and Services field to all pak lfs files
* Replace occurances of INSTALL_INITSCRIPT with new INSTALL_INITSCRIPTS
macro in all pak lfs files.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update postfix from version 3.5.6 to 3.5.7
see ftp://ftp.cs.uu.nl/mirror/postfix/postfix-release/official/postfix-3.5.7.RELEASE_NOTES
Supporting request from Peter Müller
Signed-off-by: Adolf Belka<ahb@ipfire@gmail.com
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Not sure why this has ever been there. This simply makes it
nicer to read and edit because we can have line-breaks now.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Most of these files still used old dates and/or domain names for contact
mail addresses. This is now replaced by an up-to-date copyright line.
Just some housekeeping... :-)
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This can be used together but there is no need to
always install amavis when someone wants to use postfix
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This is outdated and half of it is not maintained any more.
Users should configure postfix themselves based on the
default configuration.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
