diff --git a/postfix/HISTORY b/postfix/HISTORY
index a9f34486f..fbe07d763 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -24690,3 +24690,14 @@ Apologies for any names omitted.
 Misc fixes for gcc 'multiple definition' errors. Files: master/master_vars.c, smtp/smtp.c, proxymap/proxymap.c.
+
+20200419
+
+ Bugfix: segfault in the tlsproxy client role when the server
+ role was disabled. This typically happens with a first-time
+ Postfix install and after configuring only outbound TLS.
+ File: tlsproxy/tlsproxy.c.
+
+ Portability: libc-musl breaks TLSA/DANE. Force the user to
+ override a test and accept that Postfix will not support
+ TLSA/DANE. File: makedefs.
diff --git a/postfix/makedefs b/postfix/makedefs
index 101da689d..1ea81cf30 100644
--- a/postfix/makedefs
+++ b/postfix/makedefs
@@ -220,6 +220,16 @@ case $# in
 # No ${x%%y} support in Solaris 11 /bin/sh
 RELEASE_MAJOR=`expr "$RELEASE" : '\([0-9]*\)'` || exit 1
 VERSION=`(uname -v) 2>/dev/null`
+ case "$SYSTEM.$VERSION" in
+ Linux.#[0-9]*-Alpine*)
+ case "$CCARGS" in
+ *-DNO_DNSSEC*) ;;
+ *) echo Warning: libc-musl breaks DANE/TLSA security. 1>&2
+ echo Use a glibc-based Linux distribution, or build 1>&2
+ echo with: 'make makefiles CCARGS="-DNO_DNSSEC ..."'. 1>&2
+ exit 1;;
+ esac;
+ esac
 case "$VERSION" in
 dcosx*) SYSTEM=$VERSION;;
 esac;;
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index d3fe3a1a9..72c386fe3 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
 * Patches change both the patchlevel and the release date. Snapshots have no
 * patchlevel; they change the release date only.
 */
-#define MAIL_RELEASE_DATE "20200416"
+#define MAIL_RELEASE_DATE "20200419"
 #define MAIL_VERSION_NUMBER "3.6"
 
 #ifdef SNAPSHOT
diff --git a/postfix/src/tlsproxy/tlsproxy.c b/postfix/src/tlsproxy/tlsproxy.c
index 6eb70c0ac..587b2f61a 100644
--- a/postfix/src/tlsproxy/tlsproxy.c
+++ b/postfix/src/tlsproxy/tlsproxy.c
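Review bot: The musl check in the makedefs hunk keys off `uname -v` matching `Linux.#[0-9]*-Alpine*`, which identifies the running kernel rather than the C library: inside a container `uname -v` reports the host's kernel, so an Alpine/musl build on a non-Alpine host passes the check silently and the DANE/TLSA breakage this guard exists for goes undetected, while a musl-based non-Alpine distribution is never matched at all. Detect the libc directly, in the file's backtick style, e.g. ``if [ -n "`ls /lib/ld-musl-* 2>/dev/null`" ]; then`` and keep the `uname` pattern at most as a fallback. The message is printed as `Warning:` but the branch ends in `exit 1`, so label it an error rather than something users may read as advisory. The hunk also never records why musl breaks DANE (presumably its resolver does not report DNSSEC validation status — confirm); a one-line comment above the `case` would save the next reader a search.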
@@ -1493,16 +1493,15 @@ static void tlsp_service(VSTREAM *plaintext_stream,
 TLSP_INIT_TIMEOUT, (void *) state);
 }
 
-/* pre_jail_init - pre-jail initialization */
+/* pre_jail_init_server - pre-jail initialization */
 
-static void pre_jail_init(char *unused_name, char **unused_argv)
+static void pre_jail_init_server(void)
 {
 TLS_SERVER_INIT_PROPS props;
 const char *cert_file;
 int have_server_cert;
 int no_server_cert_ok;
 int require_server_cert;
- int clnt_use_tls;
 
 /*
 * The code in this routine is pasted literally from smtpd(8). I am not
@@ -1535,7 +1534,7 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
 }
 var_tlsp_use_tls = var_tlsp_use_tls || var_tlsp_enforce_tls;
 if (!var_tlsp_use_tls) {
- msg_warn("TLS service is requested, but disabled with %s or %s",
+ msg_warn("TLS server role is disabled with %s or %s",
 VAR_TLSP_TLS_LEVEL, VAR_TLSP_USE_TLS);
 return;
 }
@@ -1626,6 +1625,13 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
 SSL_CTX_set_mode(tlsp_server_ctx->ssl_ctx,
 SSL_MODE_ENABLE_PARTIAL_WRITE
 | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
+}
+
+/* pre_jail_init_client - pre-jail initialization */
+
+static void pre_jail_init_client(void)
+{
+ int clnt_use_tls;
 
 /*
 * The cache with TLS_APPL_STATE instances for different TLS_CLIENT_INIT
@@ -1737,6 +1743,18 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
 msg_warn("TLS client initialization failed");
 }
 }
+}
+
+/* pre_jail_init - pre-jail initialization */
+
+static void pre_jail_init(char *unused_name, char **unused_argv)
+{
+
+ /*
+ * Initialize roles separately.
+ */
+ pre_jail_init_server();
+ pre_jail_init_client();
 
 /*
 * tlsp_client_init() needs to know if it is called pre-jail or
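Review bot: The header comments on the new `pre_jail_init_server()` and `pre_jail_init_client()` are both the generic `pre-jail initialization`, and the only explanation of the split is `Initialize roles separately.` in the last hunk, so the reason for the restructuring — the crash this commit fixes — is not recorded anywhere in the code. Suggest `/* pre_jail_init_server - pre-jail initialization of the TLS server role */` and the client-role counterpart, and in `pre_jail_init()` a comment such as `Initialize the server and client roles independently: the early return in pre_jail_init_server() when the server role is disabled must not skip client-role initialization, which previously left the client role uninitialized and crashed it.` With the server role disabled, `pre_jail_init_server()` now returns before `tlsp_server_ctx` is set up while the client role proceeds; the code that dispatches server-role requests is outside these hunks, so confirm it rejects such requests rather than dereferencing a NULL server context. The bodies of both new role functions extend beyond the visible hunks.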