On Tue, Apr 24, 2012 at 05:01:29PM -0400, Wietse Venema wrote:
> [An on-line version of this announcement will be available at
> http://www.postfix.org/announcements/postfix-2.9.2.html]
>
> Postfix stable release 2.9.2, and legacy releases 2.8.10, 2.7.9,
> 2.6.15 are available. They contain workarounds that are already
> part of Postfix 2.10.
>
> These releases add support to turn off the TLSv1.1 and TLSv1.2
> protocols. Introduced with OpenSSL version 1.0.1, these protocols
> are known to cause inter-operability problems, for example with
> some hotmail services.
>
> The radical workaround is to temporarily turn off problematic
> protocols globally:
>
> /etc/postfix/main.cf:
>     smtp_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
>     smtp_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
>
>     smtpd_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
>     smtpd_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
>
> However, it may be better to temporarily turn off problematic
> protocols for broken sites only:
>
> /etc/postfix/main.cf:
>     smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
>
> /etc/postfix/tls_policy:
>     example.com may protocols=!SSLv2:!TLSv1.1:!TLSv1.2
>
> Notes:
>
> * Note the use of ":" instead of comma or space. Also, note that
>   there is NO space around the "=" in "protocols=".
>
> * The smtp_tls_policy_maps lookup key must match the "next-hop"
>   destination that is given to the Postfix SMTP client. If you
>   override the next-hop destination with transport_maps, relayhost,
>   sender_dependent_relayhost_maps, or otherwise, you need to
>   specify the same destination for the smtp_tls_policy_maps lookup
>   key.
>
> You can find the updated Postfix source code at the mirrors listed
> at http://www.postfix.org/.
>
> Wietse

Just tried to compile 2.9.2 and here is what I get:

Script started on Tue Apr 24 17:36:38 2012
doctor.nl2k.ab.ca//usr/source/postfix-2.9.2$ less configpf
make tidy; make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL -DUSE_TLS -I/usr/include -I/usr/contrib/include/ -I/usr/contrib/include/sasl" AUXLIBS="-L/usr/lib/ -ldb- 5.3 -L/usr/contrib/lib -lsasl2 -lssl -lcrypto"
configpf (END)
doctor.nl2k.ab.ca//usr/source/postfix-2.9.2$ make
set -e; for i in src/util src/global src/dns src/tls src/xsasl src/milter src/master src/postfix src/fsstone src/smtpstone src/sendmail src/error src/pickup src/cleanup src/smtpd src/local src/trivial-rewrite src/qmgr src/oqmgr src/smtp src/bounce src/pipe src/showq src/postalias src/postcat src/postconf src/postdrop src/postkick src/postlock src/postlog src/postmap src/postqueue src/postsuper src/qmqpd src/spawn src/flush src/verify src/virtual src/proxymap src/anvil src/scache src/discard src/tlsmgr src/postmulti src/postscreen src/dnsblog src/tlsproxy; do (set -e; echo "[$i]"; cd $i; make 'CC=gcc -Wmissing-prototypes -Wformat -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -DUSE_TLS -I/usr/include -I/usr/contrib/include/ -I/usr/contrib/include/sasl -DHAS_PCRE' update MAKELEVEL=) || exit 1; done
[src/util]
for i in argv.h attr.h attr_clnt.h auto_clnt.h base64_code.h binhash.h chroot_uid.h cidr_match.h clean_env.h connect.h ctable.h dict.h dict_cdb.h dict_cidr.h dict_db.h dict_dbm.h dict_env.h dict_ht.h dict_ni.h dict_nis.h dict_nisplus.h dict_pcre.h dict_regexp.h dict_sdbm.h dict_static.h dict_tcp.h dict_unix.h dir_forest.h events.h exec_command.h find_inet.h fsspace.h fullname.h get_domainname.h get_hostname.h hex_code.h hex_quote.h host_port.h htable.h inet_addr_host.h inet_addr_list.h inet_addr_local.h inet_proto.h iostuff.h line_wrap.h listen.h lstat_as.h mac_expand.h mac_parse.h make_dirs.h mask_addr.h match_list.h msg.h msg_output.h msg_syslog.h msg_vstream.h mvect.h myaddrinfo.h myflock.h mymalloc.h myrand.h name_code.h name_mask.h netstring.h nvtable.h open_as.h open_lock.h percentm.h posix_signals.h readlline.h ring.h safe.h safe_open.h sane_accept.h sane_connect.h sane_fsops.h sane_socketpair.h sane_time.h scan_dir.h set_eugid.h set_ugid.h sigdelay.h sock_addr.h spawn_command.h split_at.h stat_as.h stringops.h sys_defs.h timed_connect.h timed_wait.h trigger.h username.h valid_hostname.h vbuf.h vbuf_print.h vstream.h vstring.h vstring_vstream.h watchdog.h format_tv.h load_file.h killme_after.h edit_file.h dict_cache.h dict_thash.h ip_match.h nbbio.h base32_code.h dict_fail.h warn_stat.h; do cmp -s $i ../../include/$i 2>/dev/null || cp $i ../../include; done
cd ../../include; chmod 644 argv.h attr.h attr_clnt.h auto_clnt.h base64_code.h binhash.h chroot_uid.h cidr_match.h clean_env.h connect.h ctable.h dict.h dict_cdb.h dict_cidr.h dict_db.h dict_dbm.h dict_env.h dict_ht.h dict_ni.h dict_nis.h dict_nisplus.h dict_pcre.h dict_regexp.h dict_sdbm.h dict_static.h dict_tcp.h dict_unix.h dir_forest.h events.h exec_command.h find_inet.h fsspace.h fullname.h get_domainname.h get_hostname.h hex_code.h hex_quote.h host_port.h htable.h inet_addr_host.h inet_addr_list.h inet_addr_local.h inet_proto.h iostuff.h line_wrap.h listen.h lstat_as.h mac_expand.h mac_parse.h make_dirs.h mask_addr.h match_list.h msg.h msg_output.h msg_syslog.h msg_vstream.h mvect.h myaddrinfo.h myflock.h mymalloc.h myrand.h name_code.h name_mask.h netstring.h nvtable.h open_as.h open_lock.h percentm.h posix_signals.h readlline.h ring.h safe.h safe_open.h sane_accept.h sane_connect.h sane_fsops.h sane_socketpair.h sane_time.h scan_dir.h set_eugid.h set_ugid.h sigdelay.h sock_addr.h spawn_command.h split_at.h stat_as.h stringops.h sys_defs.h timed_connect.h timed_wait.h trigger.h username.h valid_hostname.h vbuf.h vbuf_print.h vstream.h vstring.h vstring_vstream.h watchdog.h format_tv.h load_file.h killme_after.h edit_file.h dict_cache.h dict_thash.h ip_match.h nbbio.h base32_code.h dict_fail.h warn_stat.h
[src/global]
ar rv libglobal.a
ranlib libglobal.a
cp libglobal.a ../../lib
ranlib ../../lib/libglobal.a
for i in abounce.h anvil_clnt.h been_here.h bounce.h bounce_log.h canon_addr.h cfg_parser.h cleanup_user.h clnt_stream.h config.h conv_time.h db_common.h debug_peer.h debug_process.h defer.h deliver_completed.h deliver_flock.h deliver_pass.h deliver_request.h dict_ldap.h dict_mysql.h dict_pgsql.h dict_proxy.h dict_sqlite.h domain_list.h dot_lockfile.h dot_lockfile_as.h dsb_scan.h dsn.h dsn_buf.h dsn_mask.h dsn_print.h dsn_util.h ehlo_mask.h ext_prop.h file_id.h flush_clnt.h header_opts.h header_token.h input_transp.h int_filt.h is_header.h lex_822.h log_adhoc.h mail_addr.h mail_addr_crunch.h mail_addr_find.h mail_addr_map.h mail_conf.h mail_copy.h mail_date.h mail_dict.h mail_error.h mail_flush.h mail_open_ok.h mail_params.h mail_proto.h mail_queue.h mail_run.h mail_scan_dir.h mail_stream.h mail_task.h mail_version.h maps.h mark_corrupt.h match_parent_style.h mbox_conf.h mbox_open.h mime_state.h mkmap.h msg_stats.h mynetworks.h mypwd.h namadr_list.h off_cvt.h opened.h own_inet_addr.h pipe_command.h post_mail.h qmgr_user.h qmqp_proto.h quote_821_local.h quote_822_local.h quote_flags.h rcpt_buf.h rcpt_print.h rec_attr_map.h rec_streamlf.h rec_type.h recipient_list.h record.h resolve_clnt.h resolve_local.h rewrite_clnt.h scache.h sent.h smtp_stream.h split_addr.h string_list.h strip_addr.h sys_exits.h timed_ipc.h tok822.h trace.h user_acl.h valid_mailhost_addr.h verify.h verify_clnt.h verp_sender.h wildcard_inet_addr.h xtext.h delivered_hdr.h fold_addr.h header_body_checks.h data_redirect.h match_service.h addr_match_list.h smtp_reply_footer.h safe_ultostr.h verify_sender_addr.h dict_memcache.h memcache_proto.h server_acl.h; do cmp -s $i ../../include/$i 2>/dev/null || cp $i ../../include; done
cd ../../include; chmod 644 abounce.h anvil_clnt.h been_here.h bounce.h bounce_log.h canon_addr.h cfg_parser.h cleanup_user.h clnt_stream.h config.h conv_time.h db_common.h debug_peer.h debug_process.h defer.h deliver_completed.h deliver_flock.h deliver_pass.h deliver_request.h dict_ldap.h dict_mysql.h dict_pgsql.h dict_proxy.h dict_sqlite.h domain_list.h dot_lockfile.h dot_lockfile_as.h dsb_scan.h dsn.h dsn_buf.h dsn_mask.h dsn_print.h dsn_util.h ehlo_mask.h ext_prop.h file_id.h flush_clnt.h header_opts.h header_token.h input_transp.h int_filt.h is_header.h lex_822.h log_adhoc.h mail_addr.h mail_addr_crunch.h mail_addr_find.h mail_addr_map.h mail_conf.h mail_copy.h mail_date.h mail_dict.h mail_error.h mail_flush.h mail_open_ok.h mail_params.h mail_proto.h mail_queue.h mail_run.h mail_scan_dir.h mail_stream.h mail_task.h mail_version.h maps.h mark_corrupt.h match_parent_style.h mbox_conf.h mbox_open.h mime_state.h mkmap.h msg_stats.h mynetworks.h mypwd.h namadr_list.h off_cvt.h opened.h own_inet_addr.h pipe_command.h post_mail.h qmgr_user.h qmqp_proto.h quote_821_local.h quote_822_local.h quote_flags.h rcpt_buf.h rcpt_print.h rec_attr_map.h rec_streamlf.h rec_type.h recipient_list.h record.h resolve_clnt.h resolve_local.h rewrite_clnt.h scache.h sent.h smtp_stream.h split_addr.h string_list.h strip_addr.h sys_exits.h timed_ipc.h tok822.h trace.h user_acl.h valid_mailhost_addr.h verify.h verify_clnt.h verp_sender.h wildcard_inet_addr.h xtext.h delivered_hdr.h fold_addr.h header_body_checks.h data_redirect.h match_service.h addr_match_list.h smtp_reply_footer.h safe_ultostr.h verify_sender_addr.h dict_memcache.h memcache_proto.h server_acl.h
[src/dns]
for i in dns.h; do cmp -s $i ../../include/$i 2>/dev/null || cp $i ../../include; done
cd ../../include; chmod 644 dns.h
[src/tls]
gcc -Wmissing-prototypes -Wformat -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -DUSE_TLS -I/usr/include -I/usr/contrib/include/ -I/usr/contrib/include/sasl -DHAS_PCRE -g -O -I. -I../../include -DBSDI4 -c tls_client.c
tls_client.c:862:1: directives may not be used inside a macro argument
tls_client.c:861:76: unterminated argument list invoking macro "SSL_set_options"
tls_client.c: In function `tls_client_start':
tls_client.c:863: `SSL_set_options' undeclared (first use in this function)
tls_client.c:863: (Each undeclared identifier is reported only once
tls_client.c:863: for each function it appears in.)
tls_client.c:869: parse error before ')' token
tls_client.c: At top level:
tls_client.c:904: conflicting types for `tls_int_seed'
tls.h:428: previous declaration of `tls_int_seed'
tls_client.c:904: warning: data definition has no type or storage class
tls_client.c:905: parse error before "void"
tls_client.c:912: parse error before '->' token
tls_client.c:912: conflicting types for `SSL_set_connect_state'
/usr/contrib/include/openssl/ssl.h:1955: previous declaration of `SSL_set_connect_state'
tls_client.c:912: warning: data definition has no type or storage class
tls_client.c:919: conflicting types for `tls_print_errors'
tls.h:421: previous declaration of `tls_print_errors'
tls_client.c:919: warning: data definition has no type or storage class
tls_client.c:920: parse error before '->' token
tls_client.c:920: conflicting types for `uncache_session'
tls_client.c:273: previous declaration of `uncache_session'
tls_client.c:920: warning: data definition has no type or storage class
tls_client.c:921: warning: parameter names (without types) in function declaration
tls_client.c:921: conflicting types for `tls_free_context'
tls.h:418: previous declaration of `tls_free_context'
tls_client.c:921: warning: data definition has no type or storage class
tls_client.c:922: parse error before "return"
tls_client.c:929: parse error before '(' token
tls_client.c:951: `props' undeclared here (not in a function)
tls_client.c:951: `props' undeclared here (not in a function)
tls_client.c:951: `TLScontext' undeclared here (not in a function)
tls_client.c:951: initializer element is not constant
tls_client.c:951: warning: data definition has no type or storage class
tls_client.c:952: parse error before "if"
tls_client.c:955: warning: data definition has no type or storage class
tls_client.c:956: parse error before '}' token
tls_client.c:962: parse error before '->' token
tls_client.c:962: warning: data definition has no type or storage class
tls_client.c:963: warning: parameter names (without types) in function declaration
tls_client.c:963: warning: data definition has no type or storage class
tls_client.c:964: parse error before "return"
tls_client.c:989: warning: parameter names (without types) in function declaration
tls_client.c:989: conflicting types for `verify_extract_name'
tls_client.c:586: previous declaration of `verify_extract_name'
tls_client.c:989: warning: data definition has no type or storage class
tls_client.c:990: warning: parameter names (without types) in function declaration
tls_client.c:990: conflicting types for `verify_extract_print'
tls_client.c:731: previous declaration of `verify_extract_print'
tls_client.c:990: warning: data definition has no type or storage class
tls_client.c:992: parse error before "if"
tls_client.c:999: warning: parameter names (without types) in function declaration
tls_client.c:999: conflicting types for `X509_free'
/usr/contrib/include/openssl/x509.h:839: previous declaration of `X509_free'
tls_client.c:999: warning: data definition has no type or storage class
tls_client.c:1000: parse error before '}' token
tls_client.c:1011: `TLScontext' undeclared here (not in a function)
tls_client.c:1011: warning: initialization makes integer from pointer without a cast
tls_client.c:1011: initializer element is not constant
tls_client.c:1011: warning: data definition has no type or storage class
tls_client.c:1012: parse error before '->' token
tls_client.c:1020: parse error before '->' token
tls_client.c:1020: conflicting types for `tls_stream_start'
tls.h:349: previous declaration of `tls_stream_start'
tls_client.c:1020: warning: data definition has no type or storage class
tls_client.c:1032: warning: data definition has no type or storage class
tls_client.c:1034: parse error before "return"
*** Error code 1
Stop.
*** Error code 1
Stop.
doctor.nl2k.ab.ca//usr/source/postfix-2.9.2$ openssl version -all
usage:version -[avbofpd]
You have mail in /var/mail/doctor
doctor.nl2k.ab.ca//usr/source/postfix-2.9.2$ ^ll^
openssl version -a
OpenSSL 1.0.2-dev xx XXX xxxx
built on: Tue Apr 24 01:22:10 MDT 2012
platform: debug-bsdi-x86-elf
options: bn(64,32) md2(int) rc4(4x,int) des(ptr,risc1,16,long) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -pthread -D_THREAD_SAFE -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DPERL5 -DL_ENDIAN -DTERMIOS -fomit-frame-pointer -O2 -Wall -g -DOPENSSL_EXPERIMENTAL_JPAKE -DOPENSSL_EXPERIMENTAL_STORE -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/contrib"
doctor.nl2k.ab.ca//usr/source/postfix-2.9.2$ exit
exit

Script done on Tue Apr 24 17:38:36 2012

No such issue in 2.9.1

-- 
Member - Liberal International This is doc...@nl2k.ab.ca Ici doc...@nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising!
http://www.fullyfollow.me/rootnl2k
Alberta! VOTE!
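
The first two diagnostics in the build log above ("directives may not be used inside a macro argument", then "unterminated argument list invoking macro") are what a compiler of that kind reports when #ifdef/#endif lines sit between the parentheses of a function-like macro call; everything after them is fallout from the unterminated call. The C below is an added example, not Postfix source and not part of the original post: struct conn, CONN_SET_OPTIONS and the OPT_* bits are hypothetical stand-ins, and it is an assumption that the directives guard option bits which only newer library headers define.

```c
#include <stdio.h>

/* Constructed stand-ins for a TLS library's option bits (hypothetical names).
 * OPT_NO_TLS12 is deliberately left undefined, modelling older headers. */
#define OPT_NO_SSLV2 0x01UL
#define OPT_NO_TLS11 0x02UL

struct conn { unsigned long options; };

static unsigned long conn_ctrl(struct conn *c, unsigned long bits)
{
    c->options |= bits;
    return c->options;
}

/* Function-like macro wrapper, the shape the compiler reports for
 * SSL_set_options in the log above. */
#define CONN_SET_OPTIONS(c, bits) conn_ctrl((c), (bits))

#if 0   /* Non-portable form: directives between the macro's parentheses. */
static unsigned long apply_inline(struct conn *c)
{
    return CONN_SET_OPTIONS(c, OPT_NO_SSLV2
#ifdef OPT_NO_TLS12
                               | OPT_NO_TLS12
#endif
                            );
}
#endif

/* Portable form: settle every conditional before the macro is invoked. */
static unsigned long apply_portable(struct conn *c)
{
    unsigned long bits = OPT_NO_SSLV2;

#ifdef OPT_NO_TLS11
    bits |= OPT_NO_TLS11;       /* defined in these constructed headers */
#endif
#ifdef OPT_NO_TLS12
    bits |= OPT_NO_TLS12;       /* skipped: not defined above */
#endif
    return CONN_SET_OPTIONS(c, bits);
}

int main(void)
{
    struct conn c = { 0 };
    printf("options = 0x%lx\n", apply_portable(&c));
    return 0;
}
```

The C standard leaves directives inside macro arguments undefined, so the disabled form may build with one compiler and fail with another, while the second form behaves the same whether the wrapper is a macro or a real function.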