Recommended update for postfix

Announcement ID: SUSE-RU-2019:2792-1
Rating: moderate
References:
Affected Products:
  • SUSE Linux Enterprise Desktop 12 SP4
  • SUSE Linux Enterprise Desktop 12 SP5
  • SUSE Linux Enterprise High Performance Computing 12 SP4
  • SUSE Linux Enterprise High Performance Computing 12 SP5
  • SUSE Linux Enterprise Server 12 SP4
  • SUSE Linux Enterprise Server 12 SP5
  • SUSE Linux Enterprise Server for SAP Applications 12 SP4
  • SUSE Linux Enterprise Server for SAP Applications 12 SP5
  • SUSE Linux Enterprise Software Development Kit 12 SP4
  • SUSE Linux Enterprise Software Development Kit 12 SP5

An update that contains two features and has two fixes can now be installed.

Description:

This update for postfix fixes the following issues:

Postfix was updated to the new minor release 3.2.10, bringing bugfixes and some new features. (bsc#1146231 jsc#ECO-296 jsc#SLE-9800)

Version update to 3.2.10:

  • Starting with Postfix 3.2.5, this software is distributed with a dual license: in addition to the historical IBM Public License 1.0, it is now also distributed with the more recent Eclipse Public License 2.0. Recipients can choose to take the software under the license of their choice.

Other changes and features:

  • This release introduces a workaround for implementations that hang Postfix while shutting down a TLS session, until Postfix times out. With "tls_fast_shutdown_enable = yes" (the default), Postfix no longer waits for a remote TLS peer to respond to a TLS 'close' request. This behavior is recommended with TLSv1.0 and later. Specify "tls_fast_shutdown_enable = no" to get historical Postfix behavior.
  • DANE interoperability. Postfix builds with OpenSSL 1.0.0 or 1.0.1 failed to send email to some sites with "TLSA 2 X X" DNS records associated with an intermediate CA certificate. Problem report and initial fix by Erwan Legrand.
  • Missing dynamicmaps support in the Postfix sendmail command. This broke authorized_submit_users settings that use a dynamically-loaded map type. Problem reported by Ulrich Zehl.
  • Extension propagation was broken with "recipient_delimiter = .". This change reverts a change that was trying to be too clever.
  • The postqueue command would abort with a panic message after it experienced an output write error while listing the mail queue. This change restores a write error check that was lost with the Postfix 3.2 rewrite of the vbuf_print formatter.
  • Restored sanity checks for dynamically-specified width and precision in format strings (%, %., and %.). These checks were lost with the Postfix 3.2 rewrite of the vbuf_print formatter.
  • Security: Berkeley DB versions 2 and later try to read settings from a file DB_CONFIG in the current directory. This undocumented feature may introduce undisclosed vulnerabilities resulting in privilege escalation with Postfix set-gid programs (postdrop, postqueue) before they chdir to the Postfix queue directory, and with the postmap and postalias commands depending on whether the user's current directory is writable by other users. This fix does not change Postfix behavior for Berkeley DB versions < 3, but it does reduce postmap and postalias 'create' performance with Berkeley DB versions 3.0 .. 4.6.
  • The SMTP server receive_override_options were not restored at the end of an SMTP session, after the options were modified by an smtpd_milter_maps setting of "DISABLE". Milter support remained disabled for the life time of the smtpd process.
  • After the Postfix 3.2 address/domain table lookup overhaul, the check_sender_access and check_recipient_access features ignored a non-default parent_domain_matches_subdomains setting.

  • mkpostfixcert from Postfix still uses md5 (bsc#1142881)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Enterprise Desktop 12 SP4
    zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2019-2792=1
  • SUSE Linux Enterprise Desktop 12 SP5
    zypper in -t patch SUSE-SLE-DESKTOP-12-SP5-2019-2792=1
  • SUSE Linux Enterprise Software Development Kit 12 SP4
    zypper in -t patch SUSE-SLE-SDK-12-SP4-2019-2792=1
  • SUSE Linux Enterprise Software Development Kit 12 SP5
    zypper in -t patch SUSE-SLE-SDK-12-SP5-2019-2792=1
  • SUSE Linux Enterprise High Performance Computing 12 SP4
    zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-2792=1
  • SUSE Linux Enterprise Server 12 SP4
    zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-2792=1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP4
    zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-2792=1
  • SUSE Linux Enterprise High Performance Computing 12 SP5
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2019-2792=1
  • SUSE Linux Enterprise Server 12 SP5
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2019-2792=1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP5
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2019-2792=1

Package List:

  • SUSE Linux Enterprise Desktop 12 SP4 (x86_64)
    • postfix-debuginfo-3.2.10-3.21.2
    • postfix-3.2.10-3.21.2
    • postfix-debugsource-3.2.10-3.21.2
  • SUSE Linux Enterprise Desktop 12 SP5 (x86_64)
    • postfix-debuginfo-3.2.10-3.21.2
    • postfix-3.2.10-3.21.2
    • postfix-debugsource-3.2.10-3.21.2
  • SUSE Linux Enterprise Software Development Kit 12 SP4 (aarch64 ppc64le s390x x86_64)
    • postfix-devel-3.2.10-3.21.2
    • postfix-debuginfo-3.2.10-3.21.2
    • postfix-debugsource-3.2.10-3.21.2
  • SUSE Linux Enterprise Software Development Kit 12 SP5 (aarch64 ppc64le s390x x86_64)
    • postfix-devel-3.2.10-3.21.2
    • postfix-debuginfo-3.2.10-3.21.2
    • postfix-debugsource-3.2.10-3.21.2
  • SUSE Linux Enterprise High Performance Computing 12 SP4 (aarch64 x86_64)
    • postfix-mysql-debuginfo-3.2.10-3.21.2
    • postfix-debuginfo-3.2.10-3.21.2
    • postfix-mysql-3.2.10-3.21.2
    • postfix-3.2.10-3.21.2
    • postfix-debugsource-3.2.10-3.21.2
  • SUSE Linux Enterprise High Performance Computing 12 SP4 (noarch)
    • postfix-doc-3.2.10-3.21.2
  • SUSE Linux Enterprise Server 12 SP4 (aarch64 ppc64le s390x x86_64)
    • postfix-mysql-debuginfo-3.2.10-3.21.2
    • postfix-debuginfo-3.2.10-3.21.2
    • postfix-mysql-3.2.10-3.21.2
    • postfix-3.2.10-3.21.2
    • postfix-debugsource-3.2.10-3.21.2
  • SUSE Linux Enterprise Server 12 SP4 (noarch)
    • postfix-doc-3.2.10-3.21.2
  • SUSE Linux Enterprise Server for SAP Applications 12 SP4 (ppc64le x86_64)
    • postfix-mysql-debuginfo-3.2.10-3.21.2
    • postfix-debuginfo-3.2.10-3.21.2
    • postfix-mysql-3.2.10-3.21.2
    • postfix-3.2.10-3.21.2
    • postfix-debugsource-3.2.10-3.21.2
  • SUSE Linux Enterprise Server for SAP Applications 12 SP4 (noarch)
    • postfix-doc-3.2.10-3.21.2
  • SUSE Linux Enterprise High Performance Computing 12 SP5 (aarch64 x86_64)
    • postfix-mysql-debuginfo-3.2.10-3.21.2
    • postfix-debuginfo-3.2.10-3.21.2
    • postfix-mysql-3.2.10-3.21.2
    • postfix-3.2.10-3.21.2
    • postfix-debugsource-3.2.10-3.21.2
  • SUSE Linux Enterprise High Performance Computing 12 SP5 (noarch)
    • postfix-doc-3.2.10-3.21.2
  • SUSE Linux Enterprise Server 12 SP5 (aarch64 ppc64le s390x x86_64)
    • postfix-mysql-debuginfo-3.2.10-3.21.2
    • postfix-debuginfo-3.2.10-3.21.2
    • postfix-mysql-3.2.10-3.21.2
    • postfix-3.2.10-3.21.2
    • postfix-debugsource-3.2.10-3.21.2
  • SUSE Linux Enterprise Server 12 SP5 (noarch)
    • postfix-doc-3.2.10-3.21.2
  • SUSE Linux Enterprise Server for SAP Applications 12 SP5 (ppc64le x86_64)
    • postfix-mysql-debuginfo-3.2.10-3.21.2
    • postfix-debuginfo-3.2.10-3.21.2
    • postfix-mysql-3.2.10-3.21.2
    • postfix-3.2.10-3.21.2
    • postfix-debugsource-3.2.10-3.21.2
  • SUSE Linux Enterprise Server for SAP Applications 12 SP5 (noarch)
    • postfix-doc-3.2.10-3.21.2

References: