postfix-3.6-20200419

postfix/HISTORY

@@ -24690,3 +24690,14 @@ Apologies for any names omitted.
 
 	Misc fixes for gcc 'multiple definition' errors. Files:
 	master/master_vars.c, smtp/smtp.c, proxymap/proxymap.c.
+
+20200419
+
+	Bugfix: segfault in the tlsproxy client role when the server
+	role was disabled. This typically happens with a first-time
+	Postfix install and after configuring only outbound TLS.
+	File: tlsproxy/tlsproxy.c.
+
+	Portability: libc-musl breaks TLSA/DANE. Force the user to
+	override a test and accept that Postfix will not support
+	TLSA/DANE. File: makedefs.

postfix/makedefs

@@ -220,6 +220,16 @@ case $# in
     # No ${x%%y} support in Solaris 11 /bin/sh
     RELEASE_MAJOR=`expr "$RELEASE" : '\([0-9]*\)'` || exit 1
     VERSION=`(uname -v) 2>/dev/null`
+    case "$SYSTEM.$VERSION" in
+     Linux.#[0-9]*-Alpine*)
+	case "$CCARGS" in
+	 *-DNO_DNSSEC*) ;;
+	 *) echo Warning: libc-musl breaks DANE/TLSA security. 1>&2
+	    echo Use a glibc-based Linux distribution, or build 1>&2
+	    echo with: 'make makefiles CCARGS="-DNO_DNSSEC ..."'. 1>&2
+	    exit 1;;
+	esac;
+    esac
     case "$VERSION" in
      dcosx*) SYSTEM=$VERSION;;
     esac;;

postfix/src/global/mail_version.h

@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20200416"
+#define MAIL_RELEASE_DATE	"20200419"
 #define MAIL_VERSION_NUMBER	"3.6"
 
 #ifdef SNAPSHOT

postfix/src/tlsproxy/tlsproxy.c

@@ -1493,16 +1493,15 @@ static void tlsp_service(VSTREAM *plaintext_stream,
 			    TLSP_INIT_TIMEOUT, (void *) state);
 }
 
-/* pre_jail_init - pre-jail initialization */
+/* pre_jail_init_server - pre-jail initialization */
 
-static void pre_jail_init(char *unused_name, char **unused_argv)
+static void pre_jail_init_server(void)
 {
     TLS_SERVER_INIT_PROPS props;
     const char *cert_file;
     int     have_server_cert;
     int     no_server_cert_ok;
     int     require_server_cert;
-    int     clnt_use_tls;
 
     /*
      * The code in this routine is pasted literally from smtpd(8). I am not
@@ -1535,7 +1534,7 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
     }
     var_tlsp_use_tls = var_tlsp_use_tls || var_tlsp_enforce_tls;
     if (!var_tlsp_use_tls) {
-	msg_warn("TLS service is requested, but disabled with %s or %s",
+	msg_warn("TLS server role is disabled with %s or %s",
 		 VAR_TLSP_TLS_LEVEL, VAR_TLSP_USE_TLS);
 	return;
     }
@@ -1626,6 +1625,13 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
 	SSL_CTX_set_mode(tlsp_server_ctx->ssl_ctx,
 			 SSL_MODE_ENABLE_PARTIAL_WRITE
 			 | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
+}
+
+/* pre_jail_init_client - pre-jail initialization */
+
+static void pre_jail_init_client(void)
+{
+    int     clnt_use_tls;
 
     /*
      * The cache with TLS_APPL_STATE instances for different TLS_CLIENT_INIT
@@ -1737,6 +1743,18 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
 		msg_warn("TLS client initialization failed");
 	}
     }
+}
+
+/* pre_jail_init - pre-jail initialization */
+
+static void pre_jail_init(char *unused_name, char **unused_argv)
+{
+
+    /*
+     * Initialize roles separately.
+     */
+    pre_jail_init_server();
+    pre_jail_init_client();
 
     /*
      * tlsp_client_init() needs to know if it is called pre-jail or