authorSteffen Nurpmeso <steffen@sdaoden.eu>2021-04-12 20:36:05 +0200
committerSteffen Nurpmeso <steffen@sdaoden.eu>2021-04-12 20:36:58 +0200
commitb1b474e3f3962acfb9cef0b496da32d09e06f64d (patch)
treed5f2ebe93078215ebefe858341e45e502bb267e9
parentafca496958127868fe02781ced554588b69c2d13 (diff)
postfix-lmdb: update to 3.5.10
-rw-r--r--postfix-lmdb/.signature12
-rw-r--r--postfix-lmdb/Pkgfile11
-rw-r--r--postfix-lmdb/main-addon.cf38
-rw-r--r--postfix-lmdb/master.patch9
-rw-r--r--postfix-lmdb/relay_clientcerts4
5 files changed, 47 insertions, 27 deletions
diff --git a/postfix-lmdb/.signature b/postfix-lmdb/.signature
index 8652c4ff8..e67dd8249 100644
--- a/postfix-lmdb/.signature
+++ b/postfix-lmdb/.signature
@@ -1,15 +1,15 @@
untrusted comment: verify with /etc/ports/contrib.pub
-RWSagIOpLGJF38+KOnQGbaIUW82eL0DQkmLgUylfs2r0PpUUobpR1ZKWLOsiFrHPjt4Jrk1k77Usuo4gEUCqS1eIHPUBWUBiwg8=
-SHA256 (Pkgfile) = de4e93a4dc2a52d14573b98ff4e0235952784cc289ef969ea44c3399cb597875
+RWSagIOpLGJF35D0u9AVbgDpYYu6Zyab8GRFP/q9nfkHsJK4HWU9oJrEEqVeannd3dI16dpAry8rNaYQvve3pv5bAlW1iyvqmwc=
+SHA256 (Pkgfile) = 746a2d74681fe18966f98b46b16c40ed30c45c2cbb09042c5e958ebed18a8e97
SHA256 (.footprint) = c4bef46624508b9105e8c5816c322560a560c09e9c5507509eb95c886d52a387
-SHA256 (postfix-3.5.9.tar.gz) = 51ced5a3165a415beba812b6c9ead0496b7172ac6c3beb654d2ccd9a1b00762b
+SHA256 (postfix-3.5.10.tar.gz) = 5bb4d7d72d7512b58f3a31426dcbd394fd354e0a43de21da89466b057a0228f8
SHA256 (lmdb-default.patch) = 11f42333ae0640a3ca579463ed28007973693b93bc734b5d82225fcb516bf05e
SHA256 (postfix-install.patch) = 7185d2b2e4d7cc090b958c1d372c16e15f274465e2123686a0d97db20e2b5943
SHA256 (post-install) = b459d6e4c56384c24d5f3473964ed6442b2c501406745d1fd46c6b453e393138
SHA256 (postfix.rc) = 5ac60205a95faf4633c64bc60d2689f654b997932e3bbc1204b66df7b5dce1d2
SHA256 (aliases) = 60ae98d869800055b248c32c183a1836cc5a698cf337cb7ad734e862ae80e95a
SHA256 (README) = f6422a14ad8e7aeacb966db68bd2e27fa17dfac9cb8d406f61dae38d45629d8e
-SHA256 (relay_clientcerts) = 98e7e663f4d9b9a648c4b9198cce3faf9aef82fc81600d2268bf09b84ee39890
+SHA256 (relay_clientcerts) = 2aa69a949c06826e2f5a760791fb5cebb37e6797613270fd11381c33afa38297
SHA256 (sender_restrict) = b83ab2c27d6966876c6cfa7f12d5c3d3065fb11507a69199ce8d30a757217e4c
-SHA256 (main-addon.cf) = 82282c81995c15084efb20c52f62a4844cce3fe12fa09ad5b26d39c13d127ff8
-SHA256 (master.patch) = a4f576de6d511201f6329f6904246acfc21707bd69391fca5a14d9b44de74f1a
+SHA256 (main-addon.cf) = 4d0dec5805262595687492dc9ff16c51ee955bf566b9197c05fde87caeb6a212
+SHA256 (master.patch) = 2554c5e37ae7a87ee771aa46502aa99bf3668da0bbf3313664dd63e9336e794b
diff --git a/postfix-lmdb/Pkgfile b/postfix-lmdb/Pkgfile
index 1e58adadb..3efdc75ef 100644
--- a/postfix-lmdb/Pkgfile
+++ b/postfix-lmdb/Pkgfile
@@ -2,11 +2,12 @@
# URL: https://www.postfix.org/
# Maintainer: Steffen Nurpmeso, steffen at sdaoden dot eu
# Depends on: libpcre lmdb openssl
+# Optional: dovecot cyrus-sasl
rname=postfix
name=postfix-lmdb
-version=3.5.9
-release=2
+version=3.5.10
+release=1
source=(
https://de.${rname}.org/ftpmirror/official/${rname}-${version}.tar.gz
lmdb-default.patch postfix-install.patch post-install
@@ -15,8 +16,6 @@ source=(
main-addon.cf master.patch
)
-isinst() { pkginfo -i | grep -qE "^${1}[[:space:]]"; }
-
build() {
cd ${rname}-${version}
@@ -27,11 +26,11 @@ build() {
cca=${cca}' -DHAS_LMDB -DDEF_DB_TYPE=\"lmdb\" -DHAS_PCRE -DUSE_TLS'
aux=
- if isinst dovecot; then # TODO UNTESTED!
+ if prt-get isinst dovecot; then # TODO UNTESTED!
cca=${cca}' -DUSE_SASL_AUTH -DDEF_SASL_SERVER=dovecot'
fi
- if isinst cyrus-sasl; then # TODO UNTESTED!
+ if prt-get isinst cyrus-sasl; then # TODO UNTESTED!
cca=${cca}' -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/include/sasl'
aux=${aux}' -lsasl2'
fi
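Review bot: The two SASL branches still carry `# TODO UNTESTED!`, yet they are switched on by whatever is installed on the build host, so the same signed Pkgfile can produce an smtpd with or without authentication code. When both dovecot and cyrus-sasl are present, `-DUSE_SASL_AUTH` is passed twice and `-DDEF_SASL_SERVER=dovecot` is combined with the Cyrus flags, which is probably not an intended combination. A comment above the first test would help, for example `# NOTE: SASL support is decided by the packages present at build time; rebuild after installing dovecot or cyrus-sasl`. `prt-get isinst` also appears to print a status line where the removed helper used `grep -q`, so `prt-get isinst dovecot >/dev/null` would keep the build log quiet. build() begins in an earlier hunk and continues past this one.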
diff --git a/postfix-lmdb/main-addon.cf b/postfix-lmdb/main-addon.cf
index 729916ac3..dd8bc9d91 100644
--- a/postfix-lmdb/main-addon.cf
+++ b/postfix-lmdb/main-addon.cf
@@ -40,6 +40,7 @@ mailbox_size_limit = 100000000
message_size_limit = 442000
## TLSPROXY(8) (where diverging from daemon / client)
+
tls_append_default_CA = no
## POSTFIX DAEMON
@@ -141,17 +142,19 @@ smtpd_per_record_deadline = yes
smtpd_timeout = 15s
smtpd_starttls_timeout = 15s
smtpd_junk_command_limit = 5
-smtpd_log_access_permit_actions = 1
-smtpd_client_connection_rate_limit = 20
-smtpd_client_connection_count_limit = 2
+#smtpd_log_access_permit_actions =
+# permit_tls_clientcerts,
+# permit_sasl_authenticated
+#smtpd_client_connection_rate_limit = 20
+#smtpd_client_connection_count_limit = 2
+#TLS Do not forget to look into master.cf!
# That one is for client certificates!
#smtpd_tls_CAfile = /etc/dovecot/cert.pem
#TLS smtpd_tls_chain_files = /etc/postfix-lmdb/key_and_cert.pem
#TLS smtpd_tls_dh1024_param_file = /etc/postfix-lmdb/dh2048.pem
-#TLS smtpd_tls_security_level = may
-#TLS comment out next; usually enabled per-service in master.cf!
-smtpd_tls_security_level = none
+# This are managed per-service in master.cf!
+#smtpd_tls_security_level = none
#RELAY smtpd_tls_ask_ccert = yes
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = yes
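Review bot: Commenting out `smtpd_client_connection_rate_limit` and `smtpd_client_connection_count_limit` returns both to Postfix's built-in defaults, which as far as I recall are no per-client rate limit and 50 concurrent connections, against 20 and 2 before. For an Internet-facing smtpd that removes most of the anvil-based throttling this template used to ship with, and the hunk gives no reason. If the old values were too strict, keeping looser explicit values would be safer than none, or at least add a comment such as `# Commented out: Postfix defaults apply (no rate limit); set explicitly on exposed hosts`. Separately, the new comment `# This are managed per-service in master.cf!` should read `# These are managed per-service in master.cf!`.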
@@ -161,7 +164,6 @@ smtpd_tls_received_header = no
smtpd_tls_fingerprint_digest = sha256
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
-#SMART When only relaying to smarthost, the next can be =high !?!
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers =
aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
@@ -169,6 +171,8 @@ smtpd_tls_mandatory_exclude_ciphers =
smtpd_tls_ciphers = $smtpd_tls_mandatory_ciphers
smtpd_tls_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
smtpd_tls_connection_reuse = yes
+smtpd_tls_session_cache_database = lmdb:/var/lib/postfix-lmdb/smtpd_scache
+smtpd_tls_session_cache_timeout = 3600s
# Usually enabled per-service in master.cf!
#smtpd_sasl_auth_enable = yes
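Review bot: The new `smtpd_tls_session_cache_database` line has no comment on what it stores or why it is needed. As far as I recall from postconf(5), since Postfix 2.11 the server resumes sessions with RFC 5077 tickets and this database only serves clients without ticket support, and the file should live under the Postfix-owned data_directory because it holds session state. A comment above it would cover both points, for example `# Only used for clients without session ticket support; must be under $data_directory, not world-readable`. Whether `/var/lib/postfix-lmdb` is the configured data_directory is not visible in this hunk.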
@@ -181,20 +185,22 @@ smtpd_sasl_tls_security_options = noanonymous
## POSTFIX CLIENT
-#TLS smtp_tls_security_level = $smtpd_tls_security_level
#TLS comment out next
+#SMART comment out next
smtp_tls_security_level = may
+# To always go directly SMTPS/SUBMISSIONS
#smtp_tls_wrappermode = yes
smtp_tls_fingerprint_digest = $smtpd_tls_fingerprint_digest
smtp_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
smtp_tls_protocols = $smtpd_tls_protocols
+#SMART When only relaying to smarthost, the next can be =high !?!
smtp_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
smtp_tls_mandatory_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
smtp_tls_ciphers = $smtpd_tls_ciphers
smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers
smtp_tls_connection_reuse = $smtpd_tls_connection_reuse
smtp_tls_session_cache_database = lmdb:/var/lib/postfix-lmdb/smtp_scache
-smtp_tls_session_cache_timeout = 3600s
+smtp_tls_session_cache_timeout = $smtpd_tls_session_cache_timeout
#smtp_sasl_auth_enable = $smtpd_sasl_auth_enable
#smtp_sasl_type = $smtpd_sasl_type
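Review bot: The `#TLS comment out next` marker is kept while the `#TLS smtp_tls_security_level = ...` replacement line is removed, so a TLS-profile user who follows it is left with no `smtp_tls_security_level` at all. I believe Postfix then falls back to its default of no client TLS, which would silently send outbound mail in cleartext, whereas the SMART profile gets a replacement level further down. Either drop the `#TLS comment out next` line so that `smtp_tls_security_level = may` stays active for that profile, or restore an explicit line such as `#TLS smtp_tls_security_level = may`.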
@@ -208,13 +214,17 @@ smtp_tls_session_cache_timeout = 3600s
# One or more destinations in the form of a domain name, hostname,
# hostname:port, [hostname]:port, [hostaddress] or [hostaddress]:port,
# separated by comma or whitespace. The form [hostname] turns off MX lookups
+# check man(5) postconf -> local_header_rewrite_clients;
+# "Or", i.e., for mail(1): use "-r myname@mydesired.host"
#SMART relayhost = [HOST]:submissions
+#SMART Next only when going directly SMTPS/SUBMISSIONS
#SMART smtp_tls_wrappermode = yes
#SMART smtp_tls_chain_files = $smtpd_tls_chain_files
+#SMART EITHER these three
#SMART smtp_tls_security_level = verify
-# This requires a full chain, otherwise look around verify_depth
#SMART smtp_tls_CAfile = /etc/ssl/cert.pem
-#SMART therefore OR (better, maybe)
+#SMART smtp_tls_scert_verifydepth = 9
+#SMART OR these two
#SMART smtp_tls_security_level = fingerprint
#SMART smtp_tls_fingerprint_cert_match = FINGERPRINT
# The following is not tested, really, and may not work with default config
@@ -237,3 +247,9 @@ smtp_tls_session_cache_timeout = 3600s
# user1@example.com [mail.example.com]:submission
# user2@example.net [mail.example.net]
+# Permanently (to _destinations) instead if this is "no"
+smtp_connection_cache_on_demand = yes
+# $relayhost WITHOUT [] and : etc.!!
+smtp_connection_cache_destinations = $relayhost
+smtp_connection_cache_time_limit = 10s
+smtp_connection_reuse_count_limit = 242
diff --git a/postfix-lmdb/master.patch b/postfix-lmdb/master.patch
index 19ca910a1..71dd124f3 100644
--- a/postfix-lmdb/master.patch
+++ b/postfix-lmdb/master.patch
@@ -1,6 +1,6 @@
---- master.cf 2021-02-10 01:28:29.091526626 +0100
-+++ master.cf.new 2021-02-10 01:30:19.998198603 +0100
-@@ -10,6 +10,17 @@
+--- master.cf.orig 2021-04-12 20:30:45.650213781 +0200
++++ master.cf 2021-04-12 20:32:34.676882357 +0200
+@@ -10,6 +10,18 @@
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - n - - smtpd
@@ -9,7 +9,8 @@
+#TLS -o smtpd_sasl_auth_enable=no
+#TLS submission inet n - n - - smtpd
+#TLS -o smtpd_tls_security_level=encrypt
-+#TLS -o smtpd_sasl_auth_enable=no
++#TLS -o smtpd_sasl_auth_enable=yes
++#TLS # This was SMTPS aka :465. I use it as that.
+#TLS submissions inet n - n - - smtpd
+#TLS -o smtpd_tls_wrappermode=yes
+#TLS -o smtpd_sasl_auth_enable=no
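Review bot: Switching the submission service to `-o smtpd_sasl_auth_enable=yes` only works when smtpd was built with SASL, and the Pkgfile in this commit compiles that in only if dovecot or cyrus-sasl was installed at build time. On a build without either, enabling the `#TLS` lines would most likely leave the service logging that SASL support is not compiled in, so a comment such as `#TLS # needs a build with dovecot or cyrus-sasl installed` next to the override would help. The remaining overrides of the submission entry are not visible here. If none restricts relaying to authenticated clients, something like `-o smtpd_relay_restrictions=permit_sasl_authenticated,reject` would make the intent explicit.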
diff --git a/postfix-lmdb/relay_clientcerts b/postfix-lmdb/relay_clientcerts
index 1d3fbb31c..a5afd293c 100644
--- a/postfix-lmdb/relay_clientcerts
+++ b/postfix-lmdb/relay_clientcerts
@@ -1 +1,5 @@
# FINGERPRINT any value
+# openssl x509 -noout -sha256 -fingerprint < CERT.pem
+# OR
+# openssl x509 -outform DER -in CERT.pem | openssl dgst -sha256 -c
+
