Prereq: "2.11.0" diff -cr --new-file /var/tmp/postfix-2.11.0/src/global/mail_version.h ./src/global/mail_version.h *** /var/tmp/postfix-2.11.0/src/global/mail_version.h Wed Jan 15 17:47:58 2014 --- ./src/global/mail_version.h Wed May 7 13:20:21 2014 *************** *** 20,27 **** * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20140115" ! #define MAIL_VERSION_NUMBER "2.11.0" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE --- 20,27 ---- * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20140507" ! #define MAIL_VERSION_NUMBER "2.11.1" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -cr --new-file /var/tmp/postfix-2.11.0/HISTORY ./HISTORY *** /var/tmp/postfix-2.11.0/HISTORY Wed Jan 15 17:53:59 2014 --- ./HISTORY Wed May 7 13:45:58 2014 *************** *** 19528,19530 **** --- 19528,19576 ---- 20140110-15 Miscellaneous documentation cleanups. + + 20140116 + + Workaround: prepend "-I. -I../../include" to CCARGS, to + avoid name clashes with non-Postfix header files. File: + makedefs. + + 20140125 + + Cleanup: postconf(1) manpage missing version attribution + and incorrect "author" formatting. File: postconf/postconf.c. + + 20140223 + + Logging: the TLS client logged that an "Untrusted" TLS + connection was established instead of "Anonymous". Viktor + Dukhovni. File: tls/tls_client.c. + + 20140227 + + Bugfix: Enforce TLS when TLSA records exist, but all are + unusable; Don't leak dane handle when all TLSA records are + unusable. Viktor Dukhovni. File: smtp/smtp_tls_policy.c. + + Cleanup: log TLS policy lookup errors as warnings. Viktor + Dukhovni. File: smtp/smtp_connect.c. + + 20140407 + + Documentation: the documentation for Postfix > 2.8 TLS + activity logging was incorrect. Loglevel 0 produces no + logging. 
Instead, information is logged only with loglevel + 1 or higher. Viktor Dukhovni. Files: proto/TLS_README.html, + proto/postconf.proto. + + 20140507 + + Bugfix (introduced: Postfix 2.11): with connection caching + enabled (the default), recipients could be given to the + wrong mail server. Root cause: due to an incorrect predicate, + the Postfix SMTP client could save and restore plaintext + connections that should not be cached, under nonsensical + lookup keys that did not distinguish by destination. Problem + reported by Sahil Tandon, predicate error found by Viktor, + redundant connection restore request eliminated by Wietse. + File: smtp/smtp_connect.c. diff -cr --new-file /var/tmp/postfix-2.11.0/README_FILES/TLS_README ./README_FILES/TLS_README *** /var/tmp/postfix-2.11.0/README_FILES/TLS_README Mon Jan 6 14:49:09 2014 --- ./README_FILES/TLS_README Tue Apr 22 09:52:38 2014 *************** *** 247,273 **** increase the log level from 0..4. Each logging level also includes the information that is logged at a lower logging level. ! _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ ! |LLeevveell|PPoossttffiixx 22..99 aanndd llaatteerr |EEaarrlliieerr rreelleeaasseess.. | ! |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | ! |0 |Log only a summary message on TLS |Disable logging of TLS activity.| ! | |handshake completion -- no logging| | ! | |of client certificate trust-chain | | ! | |verification errors if client | | ! | |certificate verification is not | | ! | |required. | | ! |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | ! |1 |Also log trust-chain verification |Also log TLS handshake and | ! | |errors and peer certificate |certificate information. | ! 
| |summary information. | | ! |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | ! |2 |Also log levels during TLS negotiation. | ! |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | ! |3 |Also log hexadecimal and ASCII dump of TLS negotiation process. | ! |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | ! |4 |Also log hexadecimal and ASCII dump of complete transmission after | ! | |STARTTLS. | ! |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | Use log level 3 only in case of problems. Use of log level 4 is strongly discouraged. --- 247,271 ---- increase the log level from 0..4. Each logging level also includes the information that is logged at a lower logging level. ! _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ ! |LLeevveell|PPoossttffiixx 22..99 aanndd llaatteerr |EEaarrlliieerr rreelleeaasseess.. | ! |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | ! |0 |Disable logging of TLS activity. | ! |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | ! |1 |Log only a summary message on TLS |Log the summary message, peer | ! | |handshake completion -- no logging|certificate summary information| ! | |of client certificate trust-chain |and unconditionally log trust- | ! | |verification errors if client |chain verification errors. | ! | |certificate verification is not | | ! | |required. | | ! 
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | ! |2 |Also log levels during TLS negotiation. | ! |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | ! |3 |Also log hexadecimal and ASCII dump of TLS negotiation process. | ! |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | ! |4 |Also log hexadecimal and ASCII dump of complete transmission after| ! | |STARTTLS. | ! |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | Use log level 3 only in case of problems. Use of log level 4 is strongly discouraged. *************** *** 1321,1347 **** increase the loglevel from 0..4. Each logging level also includes the information that is logged at a lower logging level. ! _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ ! |LLeevveell|PPoossttffiixx 22..99 aanndd llaatteerr |EEaarrlliieerr rreelleeaasseess.. | ! |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | ! |0 |Log only a summary message on TLS |Disable logging of TLS activity.| ! | |handshake completion -- no logging| | ! | |of remote SMTP server certificate | | ! | |trust-chain verification errors if| | ! | |server certificate verification is| | ! | |not required. | | ! |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | ! |1 |Also log remote SMTP server trust-|Also log TLS handshake and | ! | |chain verification errors and peer|certificate information. | ! 
| |certificate summary information. | | ! |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | ! |2 |Also log levels during TLS negotiation. | ! |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | ! |3 |Also log hexadecimal and ASCII dump of TLS negotiation process. | ! |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | ! |4 |Also log hexadecimal and ASCII dump of complete transmission after | ! | |STARTTLS. | ! |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | Example: --- 1319,1343 ---- increase the loglevel from 0..4. Each logging level also includes the information that is logged at a lower logging level. ! _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ ! |LLeevveell|PPoossttffiixx 22..99 aanndd llaatteerr |EEaarrlliieerr rreelleeaasseess.. | ! |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | ! |0 |Disable logging of TLS activity. | ! |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | ! |1 |Log only a summary message on TLS |Log the summary message and | ! | |handshake completion -- no logging|unconditionally log trust-chain| ! | |of remote SMTP server certificate |verification errors. | ! | |trust-chain verification errors if| | ! | |server certificate verification is| | ! | |not required. | | ! 
|_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | ! |2 |Also log levels during TLS negotiation. | ! |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | ! |3 |Also log hexadecimal and ASCII dump of TLS negotiation process. | ! |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | ! |4 |Also log hexadecimal and ASCII dump of complete transmission after| ! | |STARTTLS. | ! |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | Example: diff -cr --new-file /var/tmp/postfix-2.11.0/html/TLS_README.html ./html/TLS_README.html *** /var/tmp/postfix-2.11.0/html/TLS_README.html Mon Jan 6 14:49:08 2014 --- ./html/TLS_README.html Tue Apr 22 09:52:37 2014 *************** *** 384,399 **** Level Postfix 2.9 and later Earlier releases. ! 0 Log only a summary message on TLS handshake completion — no logging of client certificate trust-chain verification errors if client certificate ! verification is not required. Disable logging ! of TLS activity. ! ! 1 Also log trust-chain ! verification errors and peer certificate summary information. ! Also log TLS handshake and certificate information. ! 2 Also log levels during TLS negotiation. --- 384,398 ---- Level Postfix 2.9 and later Earlier releases. ! 0 Disable ! logging of TLS activity. ! ! 1 Log only a summary message on TLS handshake completion — no logging of client certificate trust-chain verification errors if client certificate ! verification is not required. Log the summary ! message, peer certificate summary information and unconditionally log ! trust-chain verification errors. 2 Also log levels during TLS negotiation. 
*************** *** 1750,1765 **** Level Postfix 2.9 and later Earlier releases. ! 0 Log only a summary ! message on TLS handshake completion — no logging of remote ! SMTP server certificate trust-chain verification errors if server ! certificate verification is not required. ! Disable logging of TLS activity. ! ! 1 Also log remote ! SMTP server trust-chain verification errors and peer certificate ! summary information. Also log TLS handshake ! and certificate information. 2 Also log levels during TLS negotiation. --- 1749,1763 ---- Level Postfix 2.9 and later Earlier releases. ! 0 Disable ! logging of TLS activity. ! ! 1 Log only a summary ! message on TLS handshake completion — no logging of remote SMTP ! server certificate trust-chain verification errors if server certificate ! verification is not required. Log the summary ! message and unconditionally log trust-chain verification errors. ! 2 Also log levels during TLS negotiation. diff -cr --new-file /var/tmp/postfix-2.11.0/html/postconf.1.html ./html/postconf.1.html *** /var/tmp/postfix-2.11.0/html/postconf.1.html Fri Dec 20 19:37:52 2013 --- ./html/postconf.1.html Sat Mar 22 19:18:38 2014 *************** *** 123,128 **** --- 123,130 ---- The default is as if "-C all" is specified. + This feature is available with Postfix 2.9 and later. + -d Print main.cf default parameter settings instead of actual set- tings. Specify -df to fold long lines for human readability (Postfix 2.9 and later). *************** *** 330,335 **** --- 332,339 ---- -p Show main.cf parameter settings. This is the default. + This feature is available with Postfix 2.11 and later. + -P Show master.cf service parameter settings (by default all ser- vices and all parameters). formatted as one "ser- vice/type/parameter=value" per line. Specify -Pf to fold long *************** *** 444,451 **** The Secure Mailer license must be distributed with this software. AUTHOR(S) ! Wietse Venema IBM T.J. Watson Research P.O. Box 704 Yorktown ! 
Heights, NY 10598, USA POSTCONF(1) --- 448,457 ---- The Secure Mailer license must be distributed with this software. AUTHOR(S) ! Wietse Venema ! IBM T.J. Watson Research ! P.O. Box 704 ! Yorktown Heights, NY 10598, USA POSTCONF(1) diff -cr --new-file /var/tmp/postfix-2.11.0/html/postconf.5.html ./html/postconf.5.html *** /var/tmp/postfix-2.11.0/html/postconf.5.html Sun Jan 12 13:01:05 2014 --- ./html/postconf.5.html Tue Apr 22 09:52:38 2014 *************** *** 8600,8606 ****
  # Handle both Postfix and qmail extensions (Postfix 2.11 and later).
! recipient_delimiters = +-
  
--- 8600,8606 ----
  
  
  # Handle both Postfix and qmail extensions (Postfix 2.11 and later).
! recipient_delimiter = +-
  
***************
*** 11362,11375 ****
  
  
!
0 Log only a summary message on TLS handshake completion — no logging of remote SMTP server certificate trust-chain verification errors if server certificate verification is not required. ! With Postfix 2.8 and earlier, disable logging of TLS activity.
! !
1 Also log remote SMTP server trust-chain verification ! errors and peer certificate summary information. With Postfix 2.8 ! and earlier, log TLS handshake and certificate information.
2 Also log levels during TLS negotiation.
--- 11362,11374 ----
!
0 Disable logging of TLS activity.
! !
1 Log only a summary message on TLS handshake completion — no logging of remote SMTP server certificate trust-chain verification errors if server certificate verification is not required. ! With Postfix 2.8 and earlier, log the summary message and unconditionally ! log trust-chain verification errors.
2 Also log levels during TLS negotiation.
*************** *** 15555,15569 ****
!
0 Log only a summary message on TLS handshake completion ! — no logging of remote SMTP client certificate trust-chain verification ! errors ! if client certificate verification is not required. With Postfix 2.8 ! and earlier, disable logging of TLS activity.
! !
1 Also log trust-chain verification errors and peer ! certificate name and issuer. With Postfix 2.8 and earlier, log TLS ! handshake and certificate information.
2 Also log levels during TLS negotiation.
--- 15554,15566 ----
!
0 Disable logging of TLS activity.
! !
1 Log only a summary message on TLS handshake completion ! — no logging of client certificate trust-chain verification errors ! if client certificate verification is not required. With Postfix 2.8 and ! earlier, log the summary message, peer certificate summary information ! and unconditionally log trust-chain verification errors.
2 Also log levels during TLS negotiation.
diff -cr --new-file /var/tmp/postfix-2.11.0/makedefs ./makedefs *** /var/tmp/postfix-2.11.0/makedefs Sun Jan 5 12:18:56 2014 --- ./makedefs Thu Jan 16 14:49:11 2014 *************** *** 638,643 **** --- 638,646 ---- # needed before the code stabilizes. #CCARGS="$CCARGS -DNONPROD" + # Workaround: prepend Postfix include files before other include files. + CCARGS="-I. -I../../include $CCARGS" + sed 's/ / /g' < Level Postfix 2.9 and later Earlier releases. ! 0 Log only a summary message on TLS handshake completion — no logging of client certificate trust-chain verification errors if client certificate ! verification is not required. Disable logging ! of TLS activity. ! ! 1 Also log trust-chain ! verification errors and peer certificate summary information. ! Also log TLS handshake and certificate information. ! 2 Also log levels during TLS negotiation. --- 384,398 ---- Level Postfix 2.9 and later Earlier releases. ! 0 Disable ! logging of TLS activity. ! ! 1 Log only a summary message on TLS handshake completion — no logging of client certificate trust-chain verification errors if client certificate ! verification is not required. Log the summary ! message, peer certificate summary information and unconditionally log ! trust-chain verification errors. 2 Also log levels during TLS negotiation. *************** *** 1750,1765 **** Level Postfix 2.9 and later Earlier releases. ! 0 Log only a summary ! message on TLS handshake completion — no logging of remote ! SMTP server certificate trust-chain verification errors if server ! certificate verification is not required. ! Disable logging of TLS activity. ! ! 1 Also log remote ! SMTP server trust-chain verification errors and peer certificate ! summary information. Also log TLS handshake ! and certificate information. 2 Also log levels during TLS negotiation. --- 1749,1763 ---- Level Postfix 2.9 and later Earlier releases. ! 0 Disable ! logging of TLS activity. ! ! 1 Log only a summary ! 
message on TLS handshake completion — no logging of remote SMTP ! server certificate trust-chain verification errors if server certificate ! verification is not required. Log the summary ! message and unconditionally log trust-chain verification errors. ! 2 Also log levels during TLS negotiation. diff -cr --new-file /var/tmp/postfix-2.11.0/proto/postconf.proto ./proto/postconf.proto *** /var/tmp/postfix-2.11.0/proto/postconf.proto Sun Jan 12 13:00:56 2014 --- ./proto/postconf.proto Tue Apr 22 09:50:29 2014 *************** *** 3546,3552 ****
  # Handle both Postfix and qmail extensions (Postfix 2.11 and later).
! recipient_delimiters = +-
  
--- 3546,3552 ----
  
  
  # Handle both Postfix and qmail extensions (Postfix 2.11 and later).
! recipient_delimiter = +-
  
***************
*** 9127,9141 ****
  
  
!
0 Log only a summary message on TLS handshake completion ! — no logging of remote SMTP client certificate trust-chain verification ! errors ! if client certificate verification is not required. With Postfix 2.8 ! and earlier, disable logging of TLS activity.
! !
1 Also log trust-chain verification errors and peer ! certificate name and issuer. With Postfix 2.8 and earlier, log TLS ! handshake and certificate information.
2 Also log levels during TLS negotiation.
--- 9127,9139 ----
!
0 Disable logging of TLS activity.
! !
1 Log only a summary message on TLS handshake completion ! — no logging of client certificate trust-chain verification errors ! if client certificate verification is not required. With Postfix 2.8 and ! earlier, log the summary message, peer certificate summary information ! and unconditionally log trust-chain verification errors.
2 Also log levels during TLS negotiation.
*************** *** 9551,9564 ****
!
0 Log only a summary message on TLS handshake completion — no logging of remote SMTP server certificate trust-chain verification errors if server certificate verification is not required. ! With Postfix 2.8 and earlier, disable logging of TLS activity.
! !
1 Also log remote SMTP server trust-chain verification ! errors and peer certificate summary information. With Postfix 2.8 ! and earlier, log TLS handshake and certificate information.
2 Also log levels during TLS negotiation.
--- 9549,9561 ----
!
0 Disable logging of TLS activity.
! !
1 Log only a summary message on TLS handshake completion — no logging of remote SMTP server certificate trust-chain verification errors if server certificate verification is not required. ! With Postfix 2.8 and earlier, log the summary message and unconditionally ! log trust-chain verification errors.
2 Also log levels during TLS negotiation.
diff -cr --new-file /var/tmp/postfix-2.11.0/src/postconf/postconf.c ./src/postconf/postconf.c *** /var/tmp/postfix-2.11.0/src/postconf/postconf.c Fri Dec 20 13:35:56 2013 --- ./src/postconf/postconf.c Sat Jan 25 15:11:46 2014 *************** *** 137,142 **** --- 137,144 ---- /* .IP /* The default is as if "\fB-C all\fR" is /* specified. + /* + /* This feature is available with Postfix 2.9 and later. /* .IP \fB-d\fR /* Print \fBmain.cf\fR default parameter settings instead of /* actual settings. *************** *** 341,346 **** --- 343,350 ---- /* This feature is available with Postfix 2.10 and later. /* .IP \fB-p\fR /* Show \fBmain.cf\fR parameter settings. This is the default. + /* + /* This feature is available with Postfix 2.11 and later. /* .IP \fB-P\fR /* Show \fBmaster.cf\fR service parameter settings (by default /* all services and all parameters). formatted as one *************** *** 464,471 **** /* The Secure Mailer license must be distributed with this /* software. /* AUTHOR(S) ! /* Wietse Venema IBM T.J. Watson Research P.O. Box 704 Yorktown ! /* Heights, NY 10598, USA /*--*/ /* System library. */ --- 468,477 ---- /* The Secure Mailer license must be distributed with this /* software. /* AUTHOR(S) ! /* Wietse Venema ! /* IBM T.J. Watson Research ! /* P.O. Box 704 ! /* Yorktown Heights, NY 10598, USA /*--*/ /* System library. */ diff -cr --new-file /var/tmp/postfix-2.11.0/src/smtp/smtp.h ./src/smtp/smtp.h *** /var/tmp/postfix-2.11.0/src/smtp/smtp.h Fri Jan 3 20:02:30 2014 --- ./src/smtp/smtp.h Wed May 7 13:17:29 2014 *************** *** 195,201 **** STR((state)->iterator->request_nexthop)[0] = 0; \ } ! #define HAVE_NEXTHOP_STATE(state) (STR((state)->iterator->request_nexthop) != 0) /* --- 195,201 ---- STR((state)->iterator->request_nexthop)[0] = 0; \ } ! 
#define HAVE_NEXTHOP_STATE(state) (STR((state)->iterator->request_nexthop)[0] != 0) /* diff -cr --new-file /var/tmp/postfix-2.11.0/src/smtp/smtp_connect.c ./src/smtp/smtp_connect.c *** /var/tmp/postfix-2.11.0/src/smtp/smtp_connect.c Fri Jan 3 19:56:24 2014 --- ./src/smtp/smtp_connect.c Wed May 7 13:17:29 2014 *************** *** 510,516 **** */ #ifdef USE_TLS if (!smtp_tls_policy_cache_query(why, state->tls, iter)) { ! msg_info("TLS policy lookup error for %s/%s: %s", STR(iter->host), STR(iter->addr), STR(why->reason)); return; } --- 510,516 ---- */ #ifdef USE_TLS if (!smtp_tls_policy_cache_query(why, state->tls, iter)) { ! msg_warn("TLS policy lookup error for %s/%s: %s", STR(iter->host), STR(iter->addr), STR(why->reason)); return; } *************** *** 666,671 **** --- 666,672 ---- #endif SMTP_ITER_SAVE_DEST(state->iterator); if (*addr_list && SMTP_RCPT_LEFT(state) > 0 + && HAVE_NEXTHOP_STATE(state) && (session = smtp_reuse_nexthop(state, SMTP_KEY_MASK_SCACHE_DEST_LABEL)) != 0) { session_count = 1; smtp_update_addr_list(addr_list, STR(iter->addr), session_count); *************** *** 716,722 **** iter->rr = addr; #ifdef USE_TLS if (!smtp_tls_policy_cache_query(why, state->tls, iter)) { ! msg_info("TLS policy lookup error for %s/%s: %s", STR(iter->dest), STR(iter->host), STR(why->reason)); continue; /* XXX Assume there is no code at the end of this loop. */ --- 717,723 ---- iter->rr = addr; #ifdef USE_TLS if (!smtp_tls_policy_cache_query(why, state->tls, iter)) { ! msg_warn("TLS policy lookup error for %s/%s: %s", STR(iter->dest), STR(iter->host), STR(why->reason)); continue; /* XXX Assume there is no code at the end of this loop. */ *************** *** 956,962 **** iter->rr = addr; #ifdef USE_TLS if (!smtp_tls_policy_cache_query(why, state->tls, iter)) { ! msg_info("TLS policy lookup for %s/%s: %s", STR(iter->dest), STR(iter->host), STR(why->reason)); continue; /* XXX Assume there is no code at the end of this loop. 
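Review bot: The corrected `HAVE_NEXTHOP_STATE` line still has no comment saying that "no saved nexthop" is encoded as an empty string, which is the convention the old pointer comparison got wrong. The macro just above it clears the state with `STR((state)->iterator->request_nexthop)[0] = 0;`, so the test has to look at the first byte; the former `!= 0` on the pointer was presumably always true. I would add `/* True when a nexthop was saved; "none" is the empty string, not a null pointer. */` above the define so the two macros are read as a pair. The surrounding macro block starts outside this hunk.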
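Review bot: The added `&& HAVE_NEXTHOP_STATE(state)` condition in the hunk at line 666 guards the cache lookup, but nothing at the call site says why. The HISTORY entry for 20140507 ties this predicate to recipients being given to the wrong mail server. A one-line comment before the `if`, such as `/* No saved nexthop: the cache key would not identify the destination, so skip reuse. */`, would keep the guard from being removed later as redundant. Correct use of `smtp_reuse_nexthop()` now appears to depend on the caller testing the macro first, so it may be worth rejecting an empty nexthop inside that function as well. Its body is outside this hunk, so I cannot tell whether it already does.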
*/ --- 957,963 ---- iter->rr = addr; #ifdef USE_TLS if (!smtp_tls_policy_cache_query(why, state->tls, iter)) { ! msg_warn("TLS policy lookup for %s/%s: %s", STR(iter->dest), STR(iter->host), STR(why->reason)); continue; /* XXX Assume there is no code at the end of this loop. */ diff -cr --new-file /var/tmp/postfix-2.11.0/src/smtp/smtp_tls_policy.c ./src/smtp/smtp_tls_policy.c *** /var/tmp/postfix-2.11.0/src/smtp/smtp_tls_policy.c Thu Jan 9 10:00:36 2014 --- ./src/smtp/smtp_tls_policy.c Mon Mar 3 14:53:26 2014 *************** *** 525,532 **** /* * DANE initialization may change the security level to something else, * so do this early, so that we use the right level below. Note that ! * "dane-only" changes to "dane" after any fallback strategies are ! * applied. */ if (tls->level == TLS_LEV_DANE || tls->level == TLS_LEV_DANE_ONLY) dane_init(tls, iter); --- 525,532 ---- /* * DANE initialization may change the security level to something else, * so do this early, so that we use the right level below. Note that ! * "dane-only" changes to "dane" once we obtain the requisite TLSA ! * records. */ if (tls->level == TLS_LEV_DANE || tls->level == TLS_LEV_DANE_ONLY) dane_init(tls, iter); *************** *** 706,711 **** --- 706,712 ---- #define NONDANE_CONFIG 0 /* Administrator's fault */ #define NONDANE_DEST 1 /* Remote server's fault */ + #define DANE_UNUSABLE 2 /* Remote server's fault */ static void PRINTFLIKE(4, 5) dane_incompat(SMTP_TLS_POLICY *tls, SMTP_ITERATOR *iter, *************** *** 716,727 **** va_start(ap, fmt); if (tls->level == TLS_LEV_DANE) { ! tls->level = TLS_LEV_MAY; if (errtype == NONDANE_CONFIG) vmsg_warn(fmt, ap); else if (msg_verbose) vmsg_info(fmt, ap); ! } else { if (errtype == NONDANE_CONFIG) { vmsg_warn(fmt, ap); MARK_INVALID(tls->why, &tls->level); --- 717,728 ---- va_start(ap, fmt); if (tls->level == TLS_LEV_DANE) { ! tls->level = (errtype == DANE_UNUSABLE) ? 
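Review bot: The `msg_warn()` call in the hunk at line 957 still reads `"TLS policy lookup for %s/%s: %s"`, while the two earlier call sites changed by this patch say `"TLS policy lookup error for %s/%s: %s"`. Now that all three are warnings, a log filter or alert written against one wording will miss the other. I would make the text match: `msg_warn("TLS policy lookup error for %s/%s: %s",`. The first call site also prints `iter->host`/`iter->addr` where the other two print `iter->dest`/`iter->host`, which may be intentional but is worth confirming. The enclosing loop continues outside the hunk.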
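Review bot: The new `DANE_UNUSABLE` define in the hunk at line 706 repeats the comment of `NONDANE_DEST` (`/* Remote server's fault */`), so the block above `dane_incompat()` does not say what sets the two codes apart. Judging from the later hunks, the difference is that TLSA records were found but none can be used, and that this case falls back to `TLS_LEV_ENCRYPT` rather than `TLS_LEV_MAY`. A comment like `/* TLSA records exist but none usable: still require encryption */` would record that. The three related integer codes could also be an `enum`, though that is a matter of taste.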
TLS_LEV_ENCRYPT : TLS_LEV_MAY; if (errtype == NONDANE_CONFIG) vmsg_warn(fmt, ap); else if (msg_verbose) vmsg_info(fmt, ap); ! } else { /* dane-only */ if (errtype == NONDANE_CONFIG) { vmsg_warn(fmt, ap); MARK_INVALID(tls->why, &tls->level); *************** *** 816,822 **** * given verifier some of the CAs are surely not trustworthy). */ if (tls_dane_unusable(dane)) { ! dane_incompat(tls, iter, NONDANE_DEST, "TLSA records unusable"); return; } --- 817,824 ---- * given verifier some of the CAs are surely not trustworthy). */ if (tls_dane_unusable(dane)) { ! dane_incompat(tls, iter, DANE_UNUSABLE, "TLSA records unusable"); ! tls_dane_free(dane); return; } diff -cr --new-file /var/tmp/postfix-2.11.0/src/tls/tls_client.c ./src/tls/tls_client.c *** /var/tmp/postfix-2.11.0/src/tls/tls_client.c Sun Dec 15 08:35:52 2013 --- ./src/tls/tls_client.c Sun Feb 23 12:25:52 2014 *************** *** 1045,1051 **** */ if (log_mask & TLS_LOG_SUMMARY) msg_info("%s TLS connection established to %s: %s with cipher %s " ! "(%d/%d bits)", TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" : TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : "Untrusted", props->namaddr, TLScontext->protocol, TLScontext->cipher_name, TLScontext->cipher_usebits, TLScontext->cipher_algbits); --- 1045,1053 ---- */ if (log_mask & TLS_LOG_SUMMARY) msg_info("%s TLS connection established to %s: %s with cipher %s " ! "(%d/%d bits)", ! !TLS_CERT_IS_PRESENT(TLScontext) ? "Anonymous" : ! TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" : TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : "Untrusted", props->namaddr, TLScontext->protocol, TLScontext->cipher_name, TLScontext->cipher_usebits, TLScontext->cipher_algbits);
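Review bot: At level `dane`, a `DANE_UNUSABLE` result is reported only through `else if (msg_verbose) vmsg_info(fmt, ap);`. As far as this hunk shows, the step down from DANE authentication to `TLS_LEV_ENCRYPT` therefore leaves nothing in a default log. An operator who relies on logs to notice destinations whose TLSA records are unusable would not see it. If the event is not logged elsewhere, I would consider `else if (errtype == DANE_UNUSABLE || msg_verbose)` for the info branch. Only the first lines of the `dane-only` branch are inside the hunk, so I cannot confirm how `DANE_UNUSABLE` is treated there.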
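Review bot: The summary `msg_info()` in tls_client.c now picks one of four leading words through a three-level conditional chain, and sessions without a peer certificate move from "Untrusted" to "Anonymous". Log parsers or alert rules that count `Untrusted TLS connection established` will see their numbers shift with no change on the wire, so any documentation that describes the summary line should list the new word. For readability I would assign the label to a local `const char *` before the call. A comment there should say that `!TLS_CERT_IS_PRESENT(TLScontext)` must be tested first, because a missing certificate would otherwise fall through to "Untrusted". The function begins outside this hunk.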