Recommended update for postfix

SUSE Recommended Update: Recommended update for postfix
Announcement ID: SUSE-RU-2019:2792-1
Rating: moderate
References: #1142881 #1146231
Affected Products:
  • SUSE Linux Enterprise Software Development Kit 12-SP5
  • SUSE Linux Enterprise Software Development Kit 12-SP4
  • SUSE Linux Enterprise Server 12-SP5
  • SUSE Linux Enterprise Server 12-SP4
  • SUSE Linux Enterprise Desktop 12-SP4

An update that has two recommended fixes can now be installed.

Description:

This update for postfix fixes the following issues:
Postfix was updated to the new minor release 3.2.10, bringing bugfixes and some new features. (bsc#1146231 jsc#ECO-296 jsc#SLE-9800)
Version update to 3.2.10:

  • Starting with Postfix 3.2.5, this software is distributed with a dual license: in addition to the historical IBM Public License 1.0, it is now also distributed with the more recent Eclipse Public License 2.0. Recipients can choose to take the software under the license of their choice.

Other changes and features:
  • This release introduces a workaround for implementations that hang Postfix while shutting down a TLS session, until Postfix times out. With "tls_fast_shutdown_enable = yes" (the default), Postfix no longer waits for a remote TLS peer to respond to a TLS 'close' request. This behavior is recommended with TLSv1.0 and later. Specify "tls_fast_shutdown_enable = no" to get historical Postfix behavior.
  • DANE interoperability. Postfix builds with OpenSSL 1.0.0 or 1.0.1 failed to send email to some sites with "TLSA 2 X X" DNS records associated with an intermediate CA certificate. Problem report and initial fix by Erwan Legrand.
  • Missing dynamicmaps support in the Postfix sendmail command. This broke authorized_submit_users settings that use a dynamically-loaded map type. Problem reported by Ulrich Zehl.
  • Extension propagation was broken with "recipient_delimiter = .". This change reverts a change that was trying to be too clever.
  • The postqueue command would abort with a panic message after it experienced an output write error while listing the mail queue. This change restores a write error check that was lost with the Postfix 3.2 rewrite of the vbuf_print formatter.
  • Restored sanity checks for dynamically-specified width and precision in format strings (%*, %.*, and %*.*). These checks were lost with the Postfix 3.2 rewrite of the vbuf_print formatter.
  • Security: Berkeley DB versions 2 and later try to read settings from a file DB_CONFIG in the current directory. This undocumented feature may introduce undisclosed vulnerabilities resulting in privilege escalation with Postfix set-gid programs (postdrop, postqueue) before they chdir to the Postfix queue directory, and with the postmap and postalias commands depending on whether the user's current directory is writable by other users. This fix does not change Postfix behavior for Berkeley DB versions
  • The SMTP server receive_override_options were not restored at the end of an SMTP session, after the options were modified by an smtpd_milter_maps setting of "DISABLE". Milter support remained disabled for the life time of the smtpd process.
  • After the Postfix 3.2 address/domain table lookup overhaul, the check_sender_access and check_recipient_access features ignored a non-default parent_domain_matches_subdomains setting.

  • mkpostfixcert from Postfix still uses md5 (bsc#1142881)

Patch Instructions:

To install this SUSE Recommended Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Enterprise Software Development Kit 12-SP5:
    zypper in -t patch SUSE-SLE-SDK-12-SP5-2019-2792=1
  • SUSE Linux Enterprise Software Development Kit 12-SP4:
    zypper in -t patch SUSE-SLE-SDK-12-SP4-2019-2792=1
  • SUSE Linux Enterprise Server 12-SP5:
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2019-2792=1
  • SUSE Linux Enterprise Server 12-SP4:
    zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-2792=1
  • SUSE Linux Enterprise Desktop 12-SP4:
    zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2019-2792=1

Package List:

  • SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
    • postfix-debuginfo-3.2.10-3.21.2
    • postfix-debugsource-3.2.10-3.21.2
    • postfix-devel-3.2.10-3.21.2
  • SUSE Linux Enterprise Software Development Kit 12-SP4 (aarch64 ppc64le s390x x86_64):
    • postfix-debuginfo-3.2.10-3.21.2
    • postfix-debugsource-3.2.10-3.21.2
    • postfix-devel-3.2.10-3.21.2
  • SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
    • postfix-3.2.10-3.21.2
    • postfix-debuginfo-3.2.10-3.21.2
    • postfix-debugsource-3.2.10-3.21.2
    • postfix-mysql-3.2.10-3.21.2
    • postfix-mysql-debuginfo-3.2.10-3.21.2
  • SUSE Linux Enterprise Server 12-SP5 (noarch):
    • postfix-doc-3.2.10-3.21.2
  • SUSE Linux Enterprise Server 12-SP4 (aarch64 ppc64le s390x x86_64):
    • postfix-3.2.10-3.21.2
    • postfix-debuginfo-3.2.10-3.21.2
    • postfix-debugsource-3.2.10-3.21.2
    • postfix-mysql-3.2.10-3.21.2
    • postfix-mysql-debuginfo-3.2.10-3.21.2
  • SUSE Linux Enterprise Server 12-SP4 (noarch):
    • postfix-doc-3.2.10-3.21.2
  • SUSE Linux Enterprise Desktop 12-SP4 (x86_64):
    • postfix-3.2.10-3.21.2
    • postfix-debuginfo-3.2.10-3.21.2
    • postfix-debugsource-3.2.10-3.21.2

References: