-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Fri, 22 Aug 2025 09:51:46 +0300 Source: postfix Architecture: source Version: 3.10.4-1~deb13u1 Distribution: trixie Urgency: medium Maintainer: Debian Postfix Team Changed-By: Michael Tokarev Closes: 1100100 1110704 Changes: postfix (3.10.4-1~deb13u1) trixie; urgency=medium . * New upstream stable/bugfix version 3.10.4, with a handful of fixes. From the upstream release notes: - Fixes for postscreen(8): * Bugfix (defect introduced: Postfix 2.2, date 20050203): after detecting a lookup table change, and after starting a new postscreen process, the old postscreen process logged an ENOTSOCK error while attempting to accept a connection on a socket that it was no longer listening on. This error was introduced first in the multi_server skeleton code, and was five years later duplicated in the event_server skeleton that was created for postscreen. Problem reported by Florian Piekert. * Bugfix (defect introduced: Postfix 2.8, date 20101230): after detecting a cache table change and before starting a new postscreen process, the old postscreen process did not close the postscreen_cache_map, and therefore kept an exclusive lock that could prevent a new postscreen process from starting. Problem reported by Florian Piekert. - Fixes for tlsproxy(8): * Bugfix (defect introduced: Postfix 3.7): incorrect backwards compatible support for the legacy configuration parameters tlsproxy_client_level and tlsproxy_client_policy. This disabled the tlsproxy TLS client role when a legacy parameter was set (instead of the newer tlsproxy_client_security_level or tlsproxy_client_policy_maps). Reported by John Doe, diagnosed by Viktor Dukhovni. * Bugfix (defect introduced: Postfix 3.4): with the TLS client role disabled by configuration, the tlsproxy daemon dereferenced a null pointer while handling a tlsproxy client request. Reported by John Doe. - Reducing process churn: Postfix daemons no longer automatically restart after a btree:, dbm:, hash:, lmdb:, or sdbm: table file modification time change, when they opened that table for writing. - Portability: deleted an build dependency, because the feature is being removed from OpenSSL, and Postfix no longer needs it. - Cleanup: with "tls_required_enable = yes", the Postfix SMTP client will no longer maintain TLSRPT statistics for messages that contain a "TLS-Required: no" header. This can prevent TLSRPT notifications for TLSRPT notifications. - Bugfix (defect introduced: Postfix 3.6, date 20200710): Postfix TLS client code logged "Untrusted TLS connection" (wrong) instead of "Trusted TLS connection" (right), for a new or resumed TLS session, when a server offered a trusted (valid PKI trust chain) certificate that did not match the expected server name pattern. Fix by Viktor Dukhovni. * d/gbp.conf: debian-branch=debian/trixie * configure-instance.in: fix typo * configure-instance.in: limit maxdepth=1 in /etc/ssl/certs dirs * configure-instance.in: use home-grown file copy procedure to sync chroot There are a few issues with using cp(1) to update files in chroot, - a file should be copied even if the source date is *less* than the target date (eg, if a package has been downgraded), which is not done by `cp -u` (#1110704), a file should be copied atomically (copy+rename, not truncate+copy), and care should be taken with extra attributes (#1100100). Use a simple perl-based script (using just perl-base) to update files instead, which fixes all this stuff. (Closes: #1100100, #1110704) Checksums-Sha1: c313b8d1e0c28d6f66d4a92f08a729742da2f0dc 3193 postfix_3.10.4-1~deb13u1.dsc a6c4489bd7d0868ac0374e2b97b83fc9c2c2c2b9 5050100 postfix_3.10.4.orig.tar.gz fe2532dfd80afa849c4655788c45787827f0c275 220 postfix_3.10.4.orig.tar.gz.asc aeaca58181b5da49ae277347d1c7039145c1d220 199408 postfix_3.10.4-1~deb13u1.debian.tar.xz 340ebc36d1c1b3f1399ab0447decd3fe9dd58c02 5738 postfix_3.10.4-1~deb13u1_source.buildinfo Checksums-Sha256: 03510c7dae7331b27669f6918e39129a570f71885b927d67fd10c90b8fcec30c 3193 postfix_3.10.4-1~deb13u1.dsc cfb66861fe8f964787ddaeab15f3ca3e7ef3de730f97171afc4a5eca338ca444 5050100 postfix_3.10.4.orig.tar.gz dd85a2d75a87e5e1d4cae8117b05aed56055b0c85e450e500d01e66017c5e302 220 postfix_3.10.4.orig.tar.gz.asc 1b5c780f721a5ae9efd941d29e940ddb75f2ef362bf9f7bdb4773ce15bfb2e2d 199408 postfix_3.10.4-1~deb13u1.debian.tar.xz 2ff6db19687f3df52dc763b03313d5368d1f5f822d2943a818645c24b6e05dce 5738 postfix_3.10.4-1~deb13u1_source.buildinfo Files: 6bccc564cfd2e802b2c4a1ca009ddeaf 3193 mail optional postfix_3.10.4-1~deb13u1.dsc c9f472fe0455eff7a8334479fb0f1154 5050100 mail optional postfix_3.10.4.orig.tar.gz bc0e8eb3f4aa659c4819d9f35193894f 220 mail optional postfix_3.10.4.orig.tar.gz.asc a52f5e68ef61263185baadb71b51fd80 199408 mail optional postfix_3.10.4-1~deb13u1.debian.tar.xz 6488c53934e00b75d4d6a072bf38bef3 5738 mail optional postfix_3.10.4-1~deb13u1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEZKoqtTHVaQM2a/75gqpKJDselHgFAmioFJoACgkQgqpKJDse lHj62A/+IfvR4KeS54aLu/lOV/gd+ikfR7CJXx5h9M35gk1A0VcPLpy5yBWeAIr4 bUviIsY5gD9H+8I6pY2hBsIRibEkBLldYCxh2x2yXID1KnyHLFwGw6eakh0Vo6q5 K2UEHef5nYiN1RZ5nANeoil++DqDQrNXR9H64HH41xh83RAxrwHYdINgSf79GGTt PZXSoAsr7Z7TB1jD4zot9t9845VVOUAFFBQxp1xOM8z9o9tvj7ntR1XRgKDSeML6 TgFo0hyNl6YJX72g/qTwOmR5Sj4+wCz1doOU90fUiV2R0k/PVU+4vqDkL6J3cX5B +VuRdxRUKOevQ+XU6UqPK4IeOv4dVBdynogJ9WlBSKlq/E5K1aYSccwiV6LoHZNK ASuwfqL48FVsY6BYp+YuGiW3x7uJdsAoVLrAKxSZS0/p24h2b0Db2hCTTDLhhKbr CgtDa25nnML9dX96Lv/Vu8mZVbgpO71bYJU/fqBxCQtOUeL6fjre15f424vAH5Uo HIS2GNSYa6QVPBLbAfml+TmpvWs8sbdra28+gAN+3oBx/tvm3K6Grsch/tXvo0GU oD4GD0WFWQ6C56d/fhQipq8bI2SwQj2RlExQKlUE8MVC0U/mbBe4ZB+vQdklhTxV EOTQg6oKN+tcohuAnwH2eyn1ar8mftZnv7fbmo3c4aRY/dQhbIs= =2kHb -----END PGP SIGNATURE-----