postfix-3.4.7-lp152.2.9.1<>,"`ݸ/=„U8:a\YCe(RQY3 6BbXq ?I3^2 K}hSQАN'XӟqήQ :˄UAg! :27,7/p~F}LAơ3y!`ro; YlfamL7r.m>rns ~XҶ₩VNqB\ȅiE?/ p{:KPq}& pr0Re ~ohD&/>K0? d   @ #(@!$ & (< + X Zt]b$fbfi jt@kt@o@ppp*(p,7p38qX\9r\:z\=9>9?9@9C9F:G:H=lI@XA YA \A]ET^OQbPcQdR6eR;fR>lR@uRPvU9w|xXyzCpostfix3.4.7lp152.2.9.1A fast, secure, and flexible mailerPostfix aims to be an alternative to the widely-used sendmail program.`goat1339TopenSUSE Leap 15.2openSUSEIPL-1.0 OR EPL-2.0http://bugs.opensuse.orgProductivity/Networking/Email/Servershttp://www.postfix.orglinuxi586 if [ -x /usr/bin/systemctl ]; then test -n "$FIRST_ARG" || FIRST_ARG="$1" [ -d /var/lib/systemd/migrated ] || mkdir -p /var/lib/systemd/migrated || : for service in postfix.service ; do sysv_service=${service%.*} if [ ! -e /usr/lib/systemd/system/$service ] && [ ! -e /etc/init.d/$sysv_service ]; then mkdir -p /run/systemd/rpm/needs-preset touch /run/systemd/rpm/needs-preset/$service elif [ -e /etc/init.d/$sysv_service ] && [ ! -e /var/lib/systemd/migrated/$sysv_service ]; then /usr/sbin/systemd-sysv-convert --save $sysv_service || : mkdir -p /run/systemd/rpm/needs-sysv-convert touch /run/systemd/rpm/needs-sysv-convert/$service fi done fi VERSIONTEST=$(test -x usr/sbin/postconf && usr/sbin/postconf proxy_read_maps 2>/dev/null || :) if [ -z "$VERSIONTEST" -a -f var/spool/postfix/pid/master.pid ]; then if checkproc -p var/spool/postfix/pid/master.pid usr/lib/postfix/master; then echo "postfix is still running. You have to stop postfix in order to" echo "install a newer version." exit 1 fi fi getent group postfix >/dev/null || groupadd -g 51 -o -r postfix getent group maildrop >/dev/null || groupadd -g 59 -o -r maildrop getent passwd postfix >/dev/null || useradd -r -o -g postfix -u 51 -s /bin/false -c "Postfix Daemon" -d /var/spool/postfix postfix usermod -a -G 59,mail postfix # ---------------------------------------------------------------------------# We never have to run suseconfig for postfix after installation # We only start postfix own upgrade-configuration by update if [ ${1:-0} -gt 1 ]; then touch /var/adm/postfix.configured # Check if main.cf and master.cf was changed manualy MAINCH=0 if [ -e /var/adm/SuSEconfig/md5/etc/postfix/main.cf ]; then MD5SUM1=$( cat /var/adm/SuSEconfig/md5/etc/postfix/main.cf ) MD5SUM2=$( grep -v "^#" /etc/postfix/main.cf | md5sum ) if [ "$MD5SUM1" != "$MD5SUM2" ]; then MAINCH=1 fi fi MASTERCH=0 if [ -e /var/adm/SuSEconfig/md5/etc/postfix/master.cf ]; then MD5SUM1=$( cat /var/adm/SuSEconfig/md5/etc/postfix/master.cf ) MD5SUM2=$( grep -v "^#" /etc/postfix/master.cf | md5sum ) if [ "$MD5SUM1" != "$MD5SUM2" ]; then MASTERCH=1 fi fi echo "Executing upgrade-configuration." /usr/sbin/postfix set-permissions upgrade-configuration setgid_group=maildrop || : if [ "$(/usr/sbin/postconf -h daemon_directory)" != "/usr/lib/postfix/bin/" ]; then /usr/sbin/postconf daemon_directory=/usr/lib/postfix/bin/ fi if [ $MASTERCH -eq 0 ]; then test -e /var/adm/SuSEconfig/md5/etc/postfix/master.cf && grep -v "^#" /etc/postfix/master.cf | md5sum > /var/adm/SuSEconfig/md5/etc/postfix/master.cf fi if [ $MAINCH -eq 0 ]; then test -e /var/adm/SuSEconfig/md5/etc/postfix/main.cf && grep -v "^#" /etc/postfix/main.cf | md5sum > /var/adm/SuSEconfig/md5/etc/postfix/main.cf fi fi if [ -x /usr/bin/systemctl ]; then test -n "$FIRST_ARG" || FIRST_ARG="$1" [ -d /var/lib/systemd/migrated ] || mkdir -p /var/lib/systemd/migrated || : if [ "$YAST_IS_RUNNING" != "instsys" ]; then /usr/bin/systemctl daemon-reload || : fi for service in postfix.service ; do sysv_service=${service%.*} if [ -e /run/systemd/rpm/needs-preset/$service ]; then /usr/bin/systemctl preset $service || : rm "/run/systemd/rpm/needs-preset/$service" || : elif [ -e /run/systemd/rpm/needs-sysv-convert/$service ]; then /usr/sbin/systemd-sysv-convert --apply $sysv_service || : rm "/run/systemd/rpm/needs-sysv-convert/$service" || : touch /var/lib/systemd/migrated/$sysv_service || : fi done fi if [ -x /usr/bin/chkstat ]; then /usr/bin/chkstat -n --set --system /usr/sbin/postqueue fi if [ -x /usr/bin/chkstat ]; then /usr/bin/chkstat -n --set --system /usr/sbin/postdrop fi if [ -x /usr/bin/chkstat ]; then /usr/bin/chkstat -n --set --system /etc/postfix/sasl_passwd fi if [ -x /usr/bin/chkstat ]; then /usr/bin/chkstat -n --set --system /usr/sbin/sendmail fi PNAME=postfix SUBPNAME= SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR if [ ! -f $SYSC_TEMPLATE ] ; then TEMPLATE_DIR=/var/adm/fillup-templates SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME fi SD_NAME="" if [ -x /bin/fillup ] ; then if [ -f $SYSC_TEMPLATE ] ; then echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..." mkdir -p /etc/sysconfig/$SD_NAME touch /etc/sysconfig/$SD_NAME$PNAME /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE fi else echo "ERROR: fillup not found. This should not happen. Please compare" echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and" echo "update by hand." fi PNAME=mail SUBPNAME=-postfix SYSC_TEMPLATE=/usr/share/fillup-templates/sysconfig.$PNAME$SUBPNAME # If template not in new /usr/share/fillup-templates, fallback to old TEMPLATE_DIR if [ ! -f $SYSC_TEMPLATE ] ; then TEMPLATE_DIR=/var/adm/fillup-templates SYSC_TEMPLATE=$TEMPLATE_DIR/sysconfig.$PNAME$SUBPNAME fi SD_NAME="" if [ -x /bin/fillup ] ; then if [ -f $SYSC_TEMPLATE ] ; then echo "Updating /etc/sysconfig/$SD_NAME$PNAME ..." mkdir -p /etc/sysconfig/$SD_NAME touch /etc/sysconfig/$SD_NAME$PNAME /bin/fillup -q /etc/sysconfig/$SD_NAME$PNAME $SYSC_TEMPLATE fi else echo "ERROR: fillup not found. This should not happen. Please compare" echo "/etc/sysconfig/$PNAME and $TEMPLATE_DIR/sysconfig.$PNAME and" echo "update by hand." fi /sbin/ldconfig test -n "$FIRST_ARG" || FIRST_ARG="$1" if [ "$FIRST_ARG" -eq 0 -a -x /usr/bin/systemctl ]; then # Package removal, not upgrade /usr/bin/systemctl --no-reload disable postfix || : ( test "$YAST_IS_RUNNING" = instsys && exit 0 test -f /etc/sysconfig/services -a \ -z "$DISABLE_STOP_ON_REMOVAL" && . /etc/sysconfig/services test "$DISABLE_STOP_ON_REMOVAL" = yes -o \ "$DISABLE_STOP_ON_REMOVAL" = 1 && exit 0 /usr/bin/systemctl stop postfix ) || : fi test -n "$FIRST_ARG" || FIRST_ARG="$1" if [ "$FIRST_ARG" -eq 0 -a -x /usr/bin/systemctl ]; then # Package removal, not upgrade /usr/bin/systemctl --no-reload disable postfix.service || : ( test "$YAST_IS_RUNNING" = instsys && exit 0 test -f /etc/sysconfig/services -a \ -z "$DISABLE_STOP_ON_REMOVAL" && . /etc/sysconfig/services test "$DISABLE_STOP_ON_REMOVAL" = yes -o \ "$DISABLE_STOP_ON_REMOVAL" = 1 && exit 0 /usr/bin/systemctl stop postfix.service ) || : fi # --------------------------------------------------------------------------- test -n "$FIRST_ARG" || FIRST_ARG="$1" if [ $1 -eq 0 ]; then # Package removal for service in postfix.service ; do sysv_service="${service%.*}" rm "/var/lib/systemd/migrated/$sysv_service" || : done fi if [ -x /usr/bin/systemctl ]; then /usr/bin/systemctl daemon-reload || : fi if [ "$FIRST_ARG" -ge 1 ]; then # Package upgrade, not uninstall if [ -x /usr/bin/systemctl ]; then ( test "$YAST_IS_RUNNING" = instsys && exit 0 test -f /etc/sysconfig/services -a \ -z "$DISABLE_RESTART_ON_UPDATE" && . /etc/sysconfig/services test "$DISABLE_RESTART_ON_UPDATE" = yes -o \ "$DISABLE_RESTART_ON_UPDATE" = 1 && exit 0 /usr/bin/systemctl try-restart postfix.service ) || : fi fi /sbin/ldconfig # ---------------------------------------------------------------------------~g}]T) 3'\{{mtSv*n'$H%XR1z61e\hl<Xi5Ơ%%%E5Vht*n'%$H5U56٠%F@uf5y#\E$fE5(5%%%%Ef|EVx5exU&2 /usr/bin/chkstat -n --warn --system -e /usr/sbin/postdrop 1>&2 /usr/bin/chkstat -n --warn --system -e /etc/postfix/sasl_passwd 1>&2 /usr/bin/chkstat -n --warn --system -e /usr/sbin/sendmail 1>&2`` @_]@]b@]m]M`@]:@]9]4S]]^@]@\@\\\@\~d\}@\zp@\y\\\LK\I[[=@[ͻ[[[[ZZUZZkZ@Z)-@Z@ZY@Y@YMY@Y@YY@YyYC@XQ@Xh@XX@XO@XO@X7@XM@Xv@Xk@X9y@X)@X lW1@W WPWJWDB@WDB@WVVVV@VhVU5@U@U@UUlI@UXU6;U3Tء@TOT@TTT@To)@TeTN3TD@Peter Varkoly Peter Varkoly Peter Varkoly Martin Liška Michael Ströder Peter Varkoly chris@computersalat.dePeter Varkoly matthias.gerstner@suse.comchris@computersalat.deMichael Ströder Peter Varkoly Dominique Leuenberger Tomáš Chvátal Peter Varkoly Michael Ströder Peter Varkoly Jiri Slaby Marcus Rueckert Michael Ströder Reinhard Max chris@computersalat.dechris@computersalat.demalte.kraus@suse.comMichael Ströder chris@computersalat.dechris@computersalat.devarkoly@suse.comtchvatal@suse.comvarkoly@suse.commichael@stroeder.comlnussel@suse.deadam.majer@suse.devarkoly@suse.comilya@ilya.pp.uavarkoly@suse.comdimstar@opensuse.orgrbrown@suse.comkukuk@suse.demichael@stroeder.comvarkoly@suse.comchris@computersalat.devarkoly@suse.comvarkoly@suse.commichael@stroeder.comkukuk@suse.devarkoly@suse.commichael@stroeder.comchris@computersalat.dewerner@suse.dechris@computersalat.dekukuk@suse.demrueckert@suse.dewr@rosenauer.orgkukuk@suse.comchris@computersalat.devarkoly@suse.comvarkoly@suse.comchris@computersalat.dechris@computersalat.dechris@computersalat.demichael@stroeder.commichael@stroeder.comschwab@suse.dechris@computersalat.devarkoly@suse.comvarkoly@suse.comopensuse@dstoecker.demrueckert@suse.demrueckert@suse.demrueckert@suse.devarkoly@suse.comvarkoly@suse.commichael@stroeder.comjkeil@suse.demeissner@suse.commeissner@suse.commichael@stroeder.comcrrodriguez@opensuse.orgmpluskal@suse.commrueckert@suse.demrueckert@suse.demichael@stroeder.comvarkoly@suse.comvarkoly@suse.commpluskal@suse.comvarkoly@suse.comvarkoly@suse.comtchvatal@suse.comdimstar@opensuse.orgdmueller@suse.commichael@stroeder.com- (bsc#1186669) - postfix.service has "Requires=var-run.mount" Remove bad requirements- bsc#1181177 L3: running postfix set-permissions gives error: "cannot access....postfix-ldap.so': No such file or directory"- bsc#1176650 L3: What is regularly triggering the "fillup" command and changing modify-time of /etc/sysconfig/postfix? o Remove miss placed fillup_only call from %verifyscript- Backport deprecated-RES_INSECURE1.patch in order to fix boo#1149705.- Update to 3.4.7: * Robustness: the tlsproxy(8) daemon could go into a loop, logging a flood of error messages. Problem reported by Andreas Schulze after enabling SMTP/TLS connection reuse. * Workaround: OpenSSL changed an SSL_Shutdown() non-error result value into an error result value, causing logfile noise. * Configuration: the new 'TLS fast shutdown' parameter name was implemented incorrectly. The documentation said "tls_fast_shutdown_enable", but the code said "tls_fast_shutdown". This was fixed by changing the code, because no-one is expected to override the default. * Performance: workaround for poor TCP loopback performance on LINUX, where getsockopt(..., TCP_MAXSEG, ...) reports a bogus TCP maximal segment size that is 1/2 to 1/3 of the real MSS. To avoid client-side Nagle delays or server-side delayed ACKs caused by multiple smaller-than-MSS writes, Postfix chooses a VSTREAM buffer size that is a small multiple of the reported bogus MSS. This workaround increases the multiplier from 2x to 4x. * Robustness: the Postfix Dovecot client could segfault (null pointer read) or cause an SMTP server assertion to fail when talking to a fake Dovecot server. The Postfix Dovecot client now logs a proper error instead.- bsc#1120757 L3: File Permissions->Paranoid can cause a system hang Break loop if postfix has no permission in spool directory. - add postfix-avoid-infinit-loop-if-no-permission.patch- fix for boo#1144946 mydestination - missing default localhost * update config.postfix- bsc#1142881 - mkpostfixcert from Postfix still uses md- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by firewalld, see [1]. [1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html- update example POSTFIX_BASIC_SPAM_PREVENTION: permit_mynetworks for * POSTFIX_SMTPD_HELO_RESTRICTIONS * POSTFIX_SMTPD_RECIPIENT_RESTRICTIONS - fix for: Can't connect to local MySQL server through socket '/run/mysql/mysql.sock' * update config.postfix * update update_chroot.systemd- Update to 3.4.6: * Workaround for implementations that hang Postfix while shutting down a TLS session, until Postfix times out. With "tls_fast_shutdown_enable = yes" (the default), Postfix no longer waits for the TLS peer to respond to a TLS 'close' request. This is recommended with TLSv1.0 and later. * Fixed a too-strict censoring filter that broke multiline Milter responses for header/body events. Problem report by Andreas Thienemann. * The code to reset Postfix SMTP server command counts was not called after a HaProxy handshake failure, causing stale numbers to be reported. Problem report by Joseph Ward. * postconf(5) documentation: tlsext_padding is not a tls_ssl_options feature. * smtp(8) documentation: updated the BUGS section text about Postfix support to reuse open TLS connections. * Portability: added "#undef sun" to util/unix_dgram_connect.c.- Ensure that postfix is member of all groups as before.- BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to shortcut the build queues by allowing usage of systemd-mini- Drop the omc config fate#301838: * it is obsolete since SLE11- bsc#1104543 config.postfix does not start tlsmgr in master.cf when using POSTFIX_SMTP_TLS_CLIENT="must". Applyed the proposed patch.- Update to 3.4.5: Bugfix (introduced: Postfix 3.0): LMTP connections over UNIX-domain sockets were cached but not reused, due to a cache lookup key mismatch. Therefore, idle cached connections could exhaust LMTP server resources, resulting in two-second pauses between email deliveries. This problem was investigated by Juliana Rodrigueiro. File: smtp/smtp_connect.c.- Update to 3.4.4 o Incompatible changes - The Postfix SMTP server announces CHUNKING (BDAT command) by default. In the unlikely case that this breaks some important remote SMTP client, disable the feature as follows: /etc/postfix/main.cf: [#] The logging alternative: smtpd_discard_ehlo_keywords = chunking [#] The non-logging alternative: smtpd_discard_ehlo_keywords = chunking, silent_discard - This introduces a new master.cf service 'postlog' with type 'unix-dgram' that is used by the new postlogd(8) daemon. Before backing out to an older Postfix version, edit the master.cf file and remove the postlog entry. - Postfix 3.4 drops support for OpenSSL 1.0.1 - To avoid performance loss under load, the tlsproxy(8) daemon now requires a zero process limit in master.cf (this setting is provided with the default master.cf file). By default, a tlsproxy(8) process will retire after several hours. - To set the tlsproxy process limit to zero: postconf -F tlsproxy/unix/process_limit=0 postfix reload o Major changes - Postfix SMTP server support for RFC 3030 CHUNKING (the BDAT command) without BINARYMIME, in both smtpd(8) and postscreen(8). This has no effect on Milters, smtpd_mumble_restrictions, and smtpd_proxy_filter. See BDAT_README for more. - Support for logging to file or stdout, instead of using syslog. - Logging to file solves a usability problem for MacOS, and eliminates multiple problems with systemd-based systems. - Logging to stdout is useful when Postfix runs in a container, as it eliminates a syslogd dependency. - Better handling of undocumented(!) Linux behavior whether or not signals are delivered to a PID=1 process. - Support for (key, list of filenames) in map source text. Currently, this feature is used only by tls_server_sni_maps. - Automatic retirement: dnsblog(8) and tlsproxy(8) process will now voluntarily retire after after max_idle*max_use, or some sane limit if either limit is disabled. Without this, a process could stay busy for days or more. - Postfix SMTP client support for multiple deliveries per TLS-encrypted connection. This is primarily to improve mail delivery performance for destinations that throttle clients when they don't combine deliveries. This feature is enabled with "smtp_tls_connection_reuse=yes" in main.cf, or with "tls_connection_reuse=yes" in smtp_tls_policy_maps. It supports all Postfix TLS security levels including dane and dane-only. - SNI support in the Postfix SMTP server, the Postfix SMTP client, and in the tlsproxy(8) daemon (both server and client roles). See the postconf(5) documentation for the new tls_server_sni_maps and smtp_tls_servername parameters. - Support for files that contain multiple (key, certificate, trust chain) instances. This was required to implement server-side SNI table lookups, but it also eliminates the need for separate cert/key files for RSA, DSA, Elliptic Curve, and so on. - Support for smtpd_reject_footer_maps (as well as the postscreen variant postscreen_reject_footer_maps) for more informative reject messages. This is indexed with the Postfix SMTP server response text, and overrides the footer specified with smtpd_reject_footer. One will want to use a pcre: or regexp: map with this. o Bugfixes - Andreas Schulze discovered that reject_multi_recipient_bounce was producing false rejects with BDAT commands. This problem already existed with Postfix 2.2 smtpd_end_of_data_restrictons. Postfix 3.4.4 fixes both.- postfix-linux45.patch: support also newer kernels -- pretend we are still at kernel 3. Note that there are no conditionals for LINUX3 or LINUX4. And LINUX5 was generated, but not tested in the code which caused build failures.- skip set -x and fix version update changes entry- Update to 3.3.3 * When the master daemon runs with PID=1 (init mode), it will now reap child processes from non-Postfix code running in the same container, instead of terminating with a panic. * Bugfix (introduced: postfix-2.11): with posttls-finger, connections to unix-domain servers always resulted in "Failed to establish session" even after a connection was established. Jaroslav Skarva. File: posttls-finger/posttls-finger.c. * Bugfix (introduced: Postfix 3.0): with smtputf8_enable=yes, table lookups could casefold the search string when searching a lookup table that does not use fixed-string keys (regexp, pcre, tcp, etc.). Historically, Postfix would not case-fold the search string with such tables. File: util/dict_utf8.c.- PostrgeSQL's pg_config is meant for linking server extensions, use libpq's pkg-config instead, if available. This is needed to fix build with PostgreSQL 11.- rework config.postfix * disable commenting of smtpd_sasl_path/smtpd_sasl_type no need to comment, cause it is set to default anyway and 'uncommenting' would place it at end of file then which is not wanted- rework postfix-main.cf.patch * disable virtual_alias_domains cause (default: $virtual_alias_maps) - rework config.postfix * disable PCONF of virtual_alias_domains virtual_alias_maps will be set anyway to the correct value * extend virtual_alias_maps with - mysql_virtual_alias_domain_maps.cf - mysql_virtual_alias_domain_catchall_maps.cf - rework postfix-mysql, added * mysql_virtual_alias_domain_maps.cf * mysql_virtual_alias_domain_catchall_maps.cf needed for reject_unverified_recipient- binary hardening: link with full RELRO- Update to 3.3.2 * Support for OpenSSL 1.1.1 and TLSv1.3. * Bugfixes: - smtpd_discard_ehlo_keywords could not disable "SMTPUTF8", because some lookup table was using "EHLO_MASK_SMTPUTF8" instead. - minor memory leak in DANE support when minting issuer certs. - The Postfix build did not abort if the m4 command was not installed, resulting in a broken postconf command.- add POSTFIX_RELAY_DOMAINS * more flexibility to add to relay_domains without breaking config.postfix * rework restriction examples in sysconf.postfix based on postfix-buch.com (2. edtion by Hildebrandt, Koetter) - disable weak cipher: RC4 after check with https://ssl-tools.net/mailservers- update config.postfix * don't reject mail from authenticated users even if reject_unknown_client_hostname would match, add permit_sasl_authenticated to all restrictions requires smtpd_delay_reject = yes - update postfix-main.cf.patch * recover removed setting smtpd_sasl_path and smtpd_sasl_type, set to default value config.postfix will not 'enable' (remove #) var, but place modified (enabled) var at end of file, far away from place where it should be - rebase patches * fix-postfix-script.patch * postfix-vda-v14-3.0.3.patch * postfix-linux45.patch * postfix-master.cf.patch * pointer_to_literals.patch * postfix-no-md5.patch- bsc#1092939 - Postfixes postconf gives a lot of LDAP related warnings o add m4 as buildrequires, as proposed.- Add zlib-devel as buildrequires, previously included from openssl-devel- bsc#1087471 Unreleased Postfix update breaks SUSE Manager o Removing setting smtpd_sasl_path and smtpd_sasl_type to empty- Update to 3.3.1 * Postfix did not support running as a PID=1 process, which complicated Postfix deployment in containers. The "postfix start-fg" command will now run the Postfix master daemon as a PID=1 process if possible. Thanks for inputs from Andreas Schulze, Eray Aslan, and Viktor Dukhovni. * Segfault in the postconf(1) command after it could not open a Postfix database configuration file due to a file permission error (dereferencing a null pointer). Reported by Andreas Hasenack, fixed by Viktor Dukhovni. * The luser_relay feature became a black hole, when the luser_relay parameter was set to a non-existent local address (i.e. mail disappeared silently). Reported by J?rgen Thomsen. * Missing error propagation in the tlsproxy(8) daemon could result in a segfault after TLS handshake error (dereferencing a 0xffff...ffff pointer). This daemon handles the TLS protocol when a non-whitelisted client sends a STARTTLS command to postscreen(8).- remove pre-requirements on sysvinit(network) and sysvinit(syslog). There seems to be no good reason for that other than blowing up the dependencies (bsc#1092408).- bsc#1071807 postfix-SuSE/config.postfix: only reload postfix if the actual service is running. This prevents spurious and irrelevant error messages in system logs.- bsc#1082514 autoyast: postfix gets not set myhostname properly - set to localhost- Refresh spec-file via spec-cleaner and manual optinizations. * Add %license macro. * Set license to IPL-1.0 OR EPL-2.0. - Update to 3.3.0 * http://cdn.postfix.johnriley.me/mirrors/postfix-release/official/postfix-3.3.0.RELEASE_NOTES * Dual license: in addition to the historical IBM Public License 1.0, Postfix is now also distributed with the more recent Eclipse Public License 2.0. Recipients can choose to take the software under the license of their choice. Those who are more comfortable with the IPL can continue with that license. * The postconf command now warns about unknown parameter names in a Postfix database configuration file. As with other unknown parameter names, these warnings can help to find typos early. * Container support: Postfix 3.3 will run in the foreground with "postfix start-fg". This requires that Postfix multi-instance support is disabled (the default). To collect Postfix syslog information on the container's host, mount the host's /dev/log socket into the container, for example with "docker run -v /dev/log:/dev/log ...other options...", and specify a distinct Postfix syslog_name setting in the container (for example with "postconf syslog_name=the-name-here"). * Milter support: applications can now send RET and ENVID parameters in SMFIR_CHGFROM (change envelope sender) requests. * Postfix-generated From: headers with 'full name' information are now formatted as "From: name
" by default. Specify "header_from_format = obsolete" to get the earlier form "From: address (name)". * Interoperability: when Postfix IPv6 and IPv4 support are both enabled, the Postfix SMTP client will now relax MX preferences and attempt to schedule similar numbers of IPv4 and IPv6 addresses. This works around mail delivery problems when a destination announces lots of primary MX addresses on IPv6, but is reachable only over IPv4 (or vice versa). The new behavior is controlled with the smtp_balance_mx_inet_protocols parameter. * Compatibility safety net: with compatibility_level < 1, the Postfix SMTP server now warns for mail that would be blocked by the Postfix 2.10 smtpd_relay_restrictions feature, without blocking that mail. There still is a steady trickle of sites that upgrade from an earlier Postfix version.- bsc#1065411 Package postfix should require package system-user-nobody - bsc#1080772 postfix smtpd throttle getting "hello" if no sasl auth was configured- Fix usage of fillup_only:-y is not a valid option to this macro.- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- Don't mark postfix.service as config file, this is no config file. - Some of the Requires(pre) are needed for post-install and at runtime, fix the requires.- update to 3.2.4 * DANE interoperability. Postfix builds with OpenSSL 1.0.0 or 1.0.1 failed to send email to some sites with "TLSA 2 X X" DNS records associated with an intermediate CA certificate. Problem report and initial fix by Erwan Legrand. * Missing dynamicmaps support in the Postfix sendmail command. This broke authorized_submit_users settings that use a dynamically-loaded map type. Problem reported by Ulrich Zehl.- bnc#1059512 L3: Postfix Problem The applied changes breaks existing postfix configurations because daemon_directory was not adapted to the new value.- fix build for SLE * nothing provides libnsl-devel * add bcond_with libnsl- bnc#1059512 L3: Postfix Problem To manage multiple Postfix instances on a single host requires that daemon_directory and shlib_directory is different to avoid use of the shared directories also as per-instance directories. For this reason daemon_directory was set to /usr/lib/postfix/bin/. shlib_directory stands /usr/lib/postfix/.- bnc#1016491 postfix raported to log "warning: group or other writable:" on each symlink in config. * Add fix-postfix-script.patch- update to 3.2.3 * Extension propagation was broken with "recipient_delimiter = .". This change reverts a change that was trying to be too clever. * The postqueue command would abort with a panic message after it experienced an output write error while listing the mail queue. This change restores a write error check that was lost with the Postfix 3.2 rewrite of the vbuf_print formatter. * Restored sanity checks for dynamically-specified width and precision in format strings (%*, %.*, and %*.*). These checks were lost with the Postfix 3.2 rewrite of the vbuf_print formatter.- Add libnsl-devel build requires for glibc obsoleting libnsl- bnc#1045264 L3: postmap problem * Applying proposed patch of leen.meyer@ziggo.nl in bnc#771811- update to 3.2.2 * Security: Berkeley DB versions 2 and later try to read settings from a file DB_CONFIG in the current directory. This undocumented feature may introduce undisclosed vulnerabilities resulting in privilege escalation with Postfix set-gid programs (postdrop, postqueue) before they chdir to the Postfix queue directory, and with the postmap and postalias commands depending on whether the user's current directory is writable by other users. This fix does not change Postfix behavior for Berkeley DB versions < 3, but it does reduce postmap and postalias 'create' performance with Berkeley DB versions 3.0 .. 4.6. * The SMTP server receive_override_options were not restored at the end of an SMTP session, after the options were modified by an smtpd_milter_maps setting of "DISABLE". Milter support remained disabled for the life time of the smtpd process. * After the Postfix 3.2 address/domain table lookup overhaul, the check_sender_access and check_recipient_access features ignored a non-default parent_domain_matches_subdomains setting.- revert changes of postfix-main.cf.patch from rev=261 * config.postfix will not 'enable' (remove #) var, but place modified (enabled) var at end of file, far away from place where it should be * keep vars enabled but empty- Some cleanups * Fix SUSE postfix-files to avoid chown errors (anyway this file seems to be obsolete) * Avoid installing shared libraries twice * Refresh patch postfix-linux45.patch- update postfix-master.cf.patch * recover lost (with 3.2.0 update) submission, smtps sections * merge with upstream update - update config.postfix * update master.cf generation for submission - rebase patches against 3.2.0 * pointer_to_literals.patch * postfix-no-md5.patch * postfix-ssl-release-buffers.patch * postfix-vda-v14-3.0.3.patch- Require system group mail - Use mail group name instead of GID- update to 3.2.0 - [Feature 20170128] Postfix 3.2 fixes the handling of address extensions with email addresses that contain spaces. For example, the virtual_alias_maps, canonical_maps, and smtp_generic_maps features now correctly propagate an address extension from "aa bb+ext"@example.com to "cc dd+ext"@other.example, instead of producing broken output. - [Feature 20161008] "PASS" and "STRIP" actions in header/body_checks. "STRIP" is similar to "IGNORE" but also logs the action, and "PASS" disables header, body, and Milter inspection for the remainder of the message content. Contributed by Hobbit. - [Feature 20160330] The collate.pl script by Viktor Dukhovni for grouping Postfix logfile records into "sessions" based on queue ID and process ID information. It's in the auxiliary/collate directory of the Postfix source tree. - [Feature 20160527] Postfix 3.2 cidr tables support if/endif and negation (by prepending ! to a pattern), just like regexp and pcre tables. The primarily purpose is to improve readability of complex tables. See the cidr_table(5) manpage for syntax details. - [Incompat 20160925] In the Postfix MySQL database client, the default option_group value has changed to "client", to enable reading of "client" option group settings in the MySQL options file. This fixes a "not found" problem with Postfix queries that contain UTF8-encoded non-ASCII text. Specify an empty option_group value (option_group =) to get backwards-compatible behavior. - [Feature 20161217] Stored-procedure support for MySQL databases. Contributed by John Fawcett. See mysql_table(5) for instructions. - [Feature 20170128] The postmap command, and the inline: and texthash: maps now support spaces in left-hand field of the lookup table "source text". Use double quotes (") around a left-hand field that contains spaces, and use backslash (\) to protect embedded quotes in a left-hand field. There is no change in the processing of the right-hand field. - [Feature 20160611] The Postfix SMTP server local IP address and port are available in the policy delegation protocol (attribute names: server_address, server_port), in the Milter protocol (macro names: {daemon_addr}, {daemon_port}), and in the XCLIENT protocol (attribute names: DESTADDR, DESTPORT). - [Feature 20161024] smtpd_milter_maps support for per-client Milter configuration that overrides smtpd_milters, and that has the same syntax. A lookup result of "DISABLE" turns off Milter support. See MILTER_README.html for details. - [Feature 20160611] The Postfix SMTP server local IP address and port are available in the policy delegation protocol (attribute names: server_address, server_port), in the Milter protocol (macro names: {daemon_addr}, {daemon_port}), and in the XCLIENT protocol (attribute names: DESTADDR, DESTPORT). - [Incompat 20170129] The postqueue command no longer forces all message arrival times to be reported in UTC. To get the old behavior, set TZ=UTC in main.cf:import_environment (this override is not recommended, as it affects all Postfix utities and daemons). - [Incompat 20161227] For safety reasons, the sendmail -C option must specify an authorized directory: the default configuration directory, a directory that is listed in the default main.cf file with alternate_config_directories or multi_instance_directories, or the command must be invoked with root privileges (UID 0 and EUID 0). This mitigates a recurring problem with the PHP mail() function. - [Feature 20160625] The Postfix SMTP server now passes remote client and local server network address and port information to the Cyrus SASL library. Build with ``make makefiles "CCARGS=$CCARGS -DNO_IP_CYRUS_SASL_AUTH"'' for backwards compatibility. - [Feature 20161103] Postfix 3.2 disables the 'transitional' compatibility between the IDNA2003 and IDNA2008 standards for internationalized domain names (domain names beyond the limits of US-ASCII). This change makes Postfix behavior consistent with contemporary web browsers. It affects the handling of some corner cases such as German sz and Greek zeta. See http://unicode.org/cldr/utility/idna.jsp for more examples. Specify "enable_idna2003_compatibility = yes" to restore historical behavior (but keep in mind that the rest of the world may not make that same choice). - [Feature 20160828] Fixes for deprecated OpenSSL 1.1.0 API features, so that Postfix will build without depending on backwards-compatibility support. [Incompat 20161204] Postfix 3.2 removes tentative features that were implemented before the DANE spec was finalized: - Support for certificate usage PKIX-EE(1), - The ability to disable digest agility (Postfix now behaves as if "tls_dane_digest_agility = on"), and - The ability to disable support for "TLSA 2 [01] [12]" records that specify the digest of a trust anchor (Postfix now behaves as if "tls_dane_trust_anchor_digest_enable = yes). - [Feature 20161217] Postfix 3.2 enables elliptic curve negotiation with OpenSSL >= 1.0.2. This changes the default smtpd_tls_eecdh_grade setting to "auto", and introduces a new parameter tls_eecdh_auto_curves with the names of curves that may be negotiated. The default tls_eecdh_auto_curves setting is determined at compile time, and depends on the Postfix and OpenSSL versions. At runtime, Postfix will skip curve names that aren't supported by the OpenSSL library. - [Feature 20160611] The Postfix SMTP server local IP address and port are available in the policy delegation protocol (attribute names: server_address, server_port), in the Milter protocol (macro names: {daemon_addr}, {daemon_port}), and in the XCLIENT protocol (attribute names: DESTADDR, DESTPORT). - refresh postfix-master.cf.patch- make sure that system users can be created in %pre- Fix requires: - shadow is needed for postfix-mysql pre-install section - insserv is not needed if systemd is used- update postfix-mysql * update mysql_*.cf files * update postfix-mysql.sql (INNODB, utf8) - update postfix-main.cf.patch * uncomment smtpd_sasl_path, smtpd_sasl_type can be changed via POSTFIX_SMTP_AUTH_SERVICE=(cyrus,dovecot) * add option for smtp_tls_policy_maps (commented) - update postfix-master.cf.patch * fix indentation of submission, smtps options for correct enabling via config.postfix - update config.postfix * fix sync of CA certificates * fix master.cf generation for submission, smtps - rebase postfix-vda-v14-3.0.3.patch- FATE#322322 Update postfix to version 3.X Merging changes with SLES12-SP2 Removeved patches: add_missed_library.patch bnc#947707.diff dynamic_maps.patch postfix-db6.diff postfix-opensslconfig.patch bnc#947519.diff dynamic_maps_pie.patch postfix-post-install.patch These are included in the new version of postfix - Remove references to SuSEconfig.postfix from sysconfig docs. (bsc#871575) - bnc#947519 SuSEconfig.postfix should enforce umask 022 - bnc#947707 mail generated by Amavis being prevented from being re-adressed by /etc/postfix/virtual - bnc#972346 /usr/sbin/SuSEconfig.postfix is wrong - postfix-linux45.patch: handle Linux 4.x and Linux 5.x (used by aarch64) (bsc#940289)- update to 3.1.4 * The postscreen daemon did not merge the client test status information for concurrent sessions from the same IP address. * The Postfix SMTP server falsely rejected a sender address when validating a sender address with "smtpd_reject_unlisted_recipient = yes" or with "reject_unlisted_sender". Cause: the address validation code did not query sender_canonical_maps. * The virtual delivery agent did not detect failure to skip to the end of a mailbox file, so that mail would be delivered to the beginning of the file. This could happen when a mailbox file was already larger than the virtual mailbox size limit. * The postsuper logged an incorrect rename operation count after creating a missing directory. * The Postfix SMTP server falsely rejected mail when a sender-dependent "error" transport was configured. Cause: the SMTP server address validation code was not updated when the sender_dependent_default_transport_maps feature was introduced. * The Postfix SMTP server falsely rejected an SMTPUTF8 sender address, when "smtpd_delay_reject = no". * The "postfix tls deploy-server-cert" command used the wrong certificate and key file. This was caused by a cut-and-paste error in the postfix-tls-script file.- improve config.postfix * improve SASL stuff * add POSTFIX_SMTP_AUTH_SERVICE=(cyrus|dovecot)- improve config.postfix * improve with MySQL stuff- update vda patch to latest available * remove postfix-vda-v13-3.10.0.patch * add postfix-vda-v14-3.0.3.patch - rebase patches (and to be p0) * pointer_to_literals.patch * postfix-main.cf.patch * postfix-master.cf.patch * postfix-no-md5.patch * postfix-ssl-release-buffers.patch - add /etc/postfix/ssl as default DIR for SSL stuff * cacerts -> ../../ssl/certs/ * certs/ - revert POSTFIX_SSL_PATH from '/etc/ssl' to '/etc/postfix/ssl' - improve config.postfix * revert smtpd_tls_CApath to POSTFIX_SSL_PATH/cacerts which is a symlink to /etc/ssl/certs Without reverting, 'gen_CA' would create files which would then be on the previous defined 'sslpath(/etc/ssl)/certs' (smtpd_tls_CApath) Cert reqs would be placed in 'sslpath(/etc/ssl)/certs/postfixreq.pem' which is not a good idea. * mkchroot: sync '/etc/postfix/ssl' to chroot * improve PCONF for smtp{,d}_tls_{cert,key}_file, adding/removing from main.cf, show warning if enabled and file is missing- update to 3.1.3: * The Postfix SMTP server did not reset a previous session's failed/total command counts before rejecting a client that exceeds request or concurrency rates. This resulted in incorrect failed/total command counts being logged at the end of the rejected session. * The unionmap multi-table interface did not propagate table lookup errors, resulting in false "user unknown" responses. * The documentation was updated with a workaround for false "not found" errors with MySQL map queries that contain UTF8-encoded text. The workaround is to specify "option_group = client" in Postfix MySQL configuration files. This will be the default setting with Postfix 3.2 and later.- update to 3.1.2: * Changes to make Postfix build with OpenSSL 1.1.0. * The makedefs script ignored readme_directory=pathname overrides. Fix by Todd C. Olson. * The tls_session_ticket_cipher documentation says that the default cipher for TLS session tickets is aes-256-cbc, but the implemented default was aes-128-cbc. Note that TLS session ticket keys are rotated after 1/2 hour, to limit the impact of attacks on session ticket keys.- postfix-post-install.patch: remove empty patch- fix Changelog cause of Factory decline- Fix typo in config.postfix- bnc#981097 config.postfix creates broken main.cf for tls client configuration - bnc#981099 /etc/sysconfig/postfix: POSTFIX_SMTP_TLS_CLIENT incomplete - update to 3.1.1: - The new address_verify_pending_request_limit parameter introduces a safety limit for the number of address verification probes in the active queue. The default limit is 1/4 of the active queue maximum size. The queue manager enforces the limit by tempfailing probe messages that exceed the limit. This design avoids dependencies on global counters that get out of sync after a process or system crash. - Machine-readable, JSON-formatted queue listing with "postqueue -j" (no "mailq" equivalent). - The milter_macro_defaults feature provides an optional list of macro name=value pairs. These specify default values for Milter macros when no value is available from the SMTP session context. - Support to enforce a destination-independent delay between email deliveries. The following example inserts 20 seconds of delay between all deliveries with the SMTP transport, limiting the delivery rate to at most three messages per minute. smtp_transport_rate_delay = 20s - Historically, the default setting "postscreen_dnsbl_ttl = 1h" assumes that a "not found" result from a DNSBL server will be valid for one hour. This may have been adequate five years ago when postscreen was first implemented, but nowadays, that one hour can result in missed opportunities to block new spambots. To address this, postscreen now respects the TTL of DNSBL "not found" replies, as well as the TTL of DNSWL replies (both "found" and "not found"). The TTL for a "not found" reply is determined according to RFC 2308 (the TTL of an SOA record in the reply). Support for DNSBL or DNSWL reply TTL values is controlled by two configuration parameters: postscreen_dnsbl_min_ttl (default: 60 seconds). postscreen_dnsbl_max_ttl (default: $postscreen_dnsbl_ttl or 1 hour) The postscreen_dnsbl_ttl parameter is now obsolete, and has become the default value for the new postscreen_dnsbl_max_ttl parameter. - New "smtpd_client_auth_rate_limit" feature, to enforce an optional rate limit on AUTH commands per SMTP client IP address. Similar to other smtpd_client_*_rate_limit features, this enforces a limit on the number of requests per $anvil_rate_time_unit. - New SMTPD policy service attribute "policy_context", with a corresponding "smtpd_policy_service_policy_context" configuration parameter. Originally, this was implemented to share the same SMTPD policy service endpoint among multiple check_policy_service clients. - A new "postfix tls" command to quickly enable opportunistic TLS in the Postfix SMTP client or server, and to manage SMTP server keys and certificates, including certificate signing requests and TLSA DNS records for DANE.- build with working support for SMTPUTF8- fix build on sle11 by pointing _libexecdir to /usr/lib all the time.- some distros did not pull pkgconfig indirectly. pull it directly.- fix building the dynamic maps: the old build had postgresql e.g. with missing symbols. - convert to AUXLIBS_* instead of plain AUXLIBS which is needed for proper dynamic maps. - reordered the CCARGS and AUXLIBS* lines to group by feature - use pkgconfig or *_config tools where possible - picked up signed char from fedora spec file - enable lmdb support: new BR lmdb-devel, new subpackage postfix-lmdb. - don't delete vmail user/groups- update to 3.1.0 - Since version 3.0 postfix supports dynamic loading of cdb:, ldap:, lmdb:, mysql:, pcre:, pgsql:, sdbm:, and sqlite: database clients. Thats why the patches dynamic_maps.patch and dynamic_maps_pie.patch could be removed. - Adapting all the patches to postfix 3.1.0 - remove obsolete patches * add_missed_library.patch * postfix-opensslconfig.patch - update vda patch * remove postfix-vda-v13-2.10.0.patch * add postfix-vda-v13-3.10.0.patch - The patch postfix-db6.diff is not more neccessary - Backwards-compatibility safety net. With NEW Postfix installs, you MUST install a main.cf file with the setting "compatibility_level = 2". See conf/main.cf for an example. With UPGRADES of existing Postfix systems, you MUST NOT change the main.cf compatibility_level setting, nor add this setting if it does not exist. Several Postfix default settings have changed with Postfix 3.0. To avoid massive frustration with existing Postfix installations, Postfix 3.0 comes with a safety net that forces Postfix to keep running with backwards-compatible main.cf and master.cf default settings. This safety net depends on the main.cf compatibility_level setting (default: 0). Details are in COMPATIBILITY_README. - Major changes - tls * [Feature 20160207] A new "postfix tls" command to quickly enable opportunistic TLS in the Postfix SMTP client or server, and to manage SMTP server keys and certificates, including certificate signing requests and TLSA DNS records for DANE. * As of the middle of 2015, all supported Postfix releases no longer nable "export" grade ciphers for opportunistic TLS, and no longer use the deprecated SSLv2 and SSLv3 protocols for mandatory or opportunistic TLS. * [Incompat 20150719] The default Diffie-Hellman non-export prime was updated from 1024 to 2048 bits, because SMTP clients are starting to reject TLS handshakes with primes smaller than 2048 bits. * [Feature 20160103] The Postfix SMTP client by default enables DANE policies when an MX host has a (DNSSEC) secure TLSA DNS record, even if the MX DNS record was obtained with insecure lookups. The existence of a secure TLSA record implies that the host wants to talk TLS and not plaintext. For details see the smtp_tls_dane_insecure_mx_policy configuration parameter. - Major changes - default settings [Incompat 20141009] The default settings have changed for relay_domains (new: empty, old: $mydestination) and mynetworks_style (new: host, old: subnet). However the backwards-compatibility safety net will prevent these changes from taking effect, giving the system administrator the option to make an old default setting permanent in main.cf or to adopt the new default setting, before turning off backwards compatibility. See COMPATIBILITY_README for details. [Incompat 20141001] A new backwards-compatibility safety net forces Postfix to run with backwards-compatible main.cf and master.cf default settings after an upgrade to a newer but incompatible Postfix version. See COMPATIBILITY_README for details. While the backwards-compatible default settings are in effect, Postfix logs what services or what email would be affected by the incompatible change. Based on this the administrator can make some backwards-compatibility settings permanent in main.cf or master.cf, before turning off backwards compatibility. - Major changes - address verification safety [Feature 20151227] The new address_verify_pending_request_limit parameter introduces a safety limit for the number of address verification probes in the active queue. The default limit is 1/4 of the active queue maximum size. The queue manager enforces the limit by tempfailing probe messages that exceed the limit. This design avoids dependencies on global counters that get out of sync after a process or system crash. Tempfailing verify requests is not as bad as one might think. The Postfix verify cache proactively updates active addresses weeks before they expire. The address_verify_pending_request_limit affects only unknown addresses, and inactive addresses that have expired from the address verify cache (by default, after 31 days). - Major changes - json support [Feature 20151129] Machine-readable, JSON-formatted queue listing with "postqueue -j" (no "mailq" equivalent). The output is a stream of JSON objects, one per queue file. To simplify parsing, each JSON object is formatted as one text line followed by one newline character. See the postqueue(1) manpage for a detailed description of the output format. - Major changes - milter support [Feature 20150523] The milter_macro_defaults feature provides an optional list of macro name=value pairs. These specify default values for Milter macros when no value is available from the SMTP session context. For example, with "milter_macro_defaults = auth_type=TLS", the Postfix SMTP server will send an auth_type of "TLS" to a Milter, unless the remote client authenticates with SASL. This feature was originally implemented for a submission service that may authenticate clients with a TLS certificate, without having to make changes to the code that implements TLS support. - Major changes - output rate control [Feature 20150710] Destination-independent delivery rate delay Support to enforce a destination-independent delay between email deliveries. The following example inserts 20 seconds of delay between all deliveries with the SMTP transport, limiting the delivery rate to at most three messages per minute. /etc/postfix/main.cf: smtp_transport_rate_delay = 20s For details, see the description of default_transport_rate_delay and transport_transport_rate_delay in the postconf(5) manpage. - Major changes - postscreen dnsbl [Feature 20150710] postscreen support for the TTL of DNSBL and DNSWL lookup results Historically, the default setting "postscreen_dnsbl_ttl = 1h" assumes that a "not found" result from a DNSBL server will be valid for one hour. This may have been adequate five years ago when postscreen was first implemented, but nowadays, that one hour can result in missed opportunities to block new spambots. To address this, postscreen now respects the TTL of DNSBL "not found" replies, as well as the TTL of DNSWL replies (both "found" and "not found"). The TTL for a "not found" reply is determined according to RFC 2308 (the TTL of an SOA record in the reply). Support for DNSBL or DNSWL reply TTL values is controlled by two configuration parameters: postscreen_dnsbl_min_ttl (default: 60 seconds). This parameter specifies a minimum for the amount of time that a DNSBL or DNSWL result will be cached in the postscreen_cache_map. This prevents an excessive number of postscreen cache updates when a DNSBL or DNSWL server specifies a very small reply TTL. postscreen_dnsbl_max_ttl (default: $postscreen_dnsbl_ttl or 1 hour) This parameter specifies a maximum for the amount of time that a DNSBL or DNSWL result will be cached in the postscreen_cache_map. This prevents cache pollution when a DNSBL or DNSWL server specifies a very large reply TTL. The postscreen_dnsbl_ttl parameter is now obsolete, and has become the default value for the new postscreen_dnsbl_max_ttl parameter. - Major changes - sasl auth safety [Feature 20151031] New "smtpd_client_auth_rate_limit" feature, to enforce an optional rate limit on AUTH commands per SMTP client IP address. Similar to other smtpd_client_*_rate_limit features, this enforces a limit on the number of requests per $anvil_rate_time_unit. - Major changes - smtpd policy [Feature 20150913] New SMTPD policy service attribute "policy_context", with a corresponding "smtpd_policy_service_policy_context" configuration parameter. Originally, this was implemented to share the same SMTPD policy service endpoint among multiple check_policy_service clients.- bnc#958329 postfix fails to start when openslp is not installed- upstream update postfix 2.11.7: * The Postfix Milter client aborted with a panic while adding a message header, after adding a short message header with the header_checks PREPEND action. Fixed by invoking the header output function while PREPENDing a message header. * False alarms while scanning the Postfix queue. Fixed by resetting errno before calling readdir(). This defect was introduced 19970309. * The postmulti command produced an incorrect error message. * The postmulti command now refuses to create a new MTA instance when the template main.cf or master.cf file are missing. This is a common problem on Debian-like systems. * Turning on Postfix SMTP server HAProxy support broke TLS wrappermode. Fixed by temporarily using a 1-byte VSTREAM buffer to read the HAProxy connection hand-off information. * The xtext_unquote() function did not propagate error reports from xtext_unquote_append(), causing the decoder to return partial output, instead of rejecting malformed input. The Postfix SMTP server uses this function to parse input for the ENVID and ORCPT parameters, and for XFORWARD and XCLIENT command parameters.- boo#934060: Remove quirky hostname logic from config.postfix * /etc/hostname doesn't contain anything useful * linux.local is no good either * postfix will use `hostname`.localdomain as fallback- postfix-no-md5.patch: replace fingerprint defaults by sha1. bsc#928885- %verifyscript is a new section, move it out of the %ifdef so the fillups are run afterwards.- upstream update postfix 2.11.6: Default settings have been updated so that they no longer enable export-grade ciphers, and no longer enable the SSLv2 and SSLv3 protocols. - removed postfix-2.11.5_linux4.patch because it's obsolete - Bugfix (introduced: Postfix 2.11): with connection caching enabled (the default), recipients could be given to the wrong mail server. (bsc#944722)- postfix-SuSE.tar.gz/postfix.service: None of nss-lookup.target network.target local-fs.target time-sync.target should be Wanted or Required except by the services the implement the relevant functionality i.e network.target is wanted/required by networkmanager, wicked, systemd-network. other software must be ordered After them, see systemd.special(7)- Fix library symlink generation (boo#928662)- added postfix-2.11.5_linux4.patch: Allow building on kernel 4. Patch taken from: https://groups.google.com/forum/#!topic/mailing.postfix.users/fufS22sMGWY- update to postfix 2.11.5 - Bugfix (introduced: Postfix 2.6): sender_dependent_relayhost_maps ignored the relayhost setting in the case of a DUNNO lookup result. It would use the recipient domain instead. Viktor Dukhovni. Wietse took the pieces of code that enforce the precedence of a sender-dependent relayhost, the global relayhost, and the recipient domain, and put that code together in once place so that it is easier to maintain. File: trivial-rewrite/resolve.c. - Bitrot: prepare for future changes in OpenSSL API. Viktor Dukhovni. File: tls_dane.c. - Incompatibility: specifying "make makefiles" with "CC=command" will no longer override the default WARN setting.- upstream update postfix 2.11.4: Postfix 2.11.4 only: * Fix a core dump when smtp_policy_maps specifies an invalid TLS level. * Fix a missing " in \%s\", in postconf(1) fatal error messages, which violated the C language spec. Reported by Iain Hibbert. All supported releases: * Stop excessive recursion in the cleanup server while recovering from a virtual alias expansion loop. Problem found at Two Sigma. * Stop exponential memory allocation with virtual alias expansion loops. This came to light after fixing the previous problem.- correct pf_daemon_directory in spec. This must be /usr/lib/- bnc#914086 syntax error in config.postfix - Adapt config.postfix to be able to run on SLE11 too.- Don't install sysvinit script when systemd is used - Make explicit PreReq dependencies conditional only for older systems - Don't try to set explicit attributes to symlinks - Cleanup spec file vith spec-cleaner- bnc#912594 config.postfix creates config based on old options- bnc#911806 config.postfix does not set up correct saslauthd socket directory for chroot - bnc#910265 config.postfix does not upgrade the chroot - bnc#908003 wrong access rights on /usr/sbin/postdrop causes permission denied when trying to send a mail as non root user - bnc#729154 wrong permissions for some postfix components- Remove keyring and things as it is md5 based one no longer accepted by gpg 2.1- No longer perform gpg validation; osc source_validator does it implicit: + Drop gpg-offline BuildRequires. + No longer execute gpg_verify.- restore previously lost fix: Fri Oct 11 13:32:32 UTC 2013 - matz@suse.de - Ignore errors in %pre/%post.- postfix 2.11.3: * Fix for configurations that prepend message headers with Postfix access maps, policy servers or Milter applications. Postfix now hides its own Received: header from Milters and exposes prepended headers to Milters, regardless of the mechanism used to prepend a header. This fix reverts a partial solution that was released on October 13, 2014, and replaces it with a complete solution. * Portability fix for MacOS X 10.7.x (Darwin 11.x) build procedure. - postfix 2.11.2: * Fix for DMARC implementations based on SPF policy plus DKIM Milter. The PREPEND access/policy action added headers ABOVE Postfix's own Received: header, exposing Postfix's own Received: header to Milters (protocol violation) and hiding the PREPENDed header from Milters. PREPENDed headers are now added BELOW Postfix's own Received: header and remain visible to Milters. * The Postfix SMTP server logged an incorrect client name in reject messages for check_reverse_client_hostname_access and check_reverse_client_hostname_{mx,ns}_access. They replied with the verified client name, instead of the name that was rejected. * The qmqpd daemon crashed with null pointer bug when logging a lost connection while not in a mail transaction./bin/sh/bin/sh/bin/sh/bin/sh/bin/shgoat13 1624903901  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPERSTBVWXYZ[\]^_`abcdefghijklmnpqrstuvwxyz{|}~3.4.7-lp152.2.9.13.4.7-lp152.2.9.13.4.7-lp152.2.9.1 smtppostfixpostfix.paranoidpostfixLICENSETLS_LICENSEaccessaliasesbounce.cf.defaultcanonicaldynamicmaps.cfgenericheader_checkshelo_accessldap_aliases.cfmain.cfmain.cf.defaultmakedefs.outmaster.cfopenssl_postfix.conf.inpost-installpostfix-filespostfix-scriptpostfix-tls-scriptpostfix-wrapperpostmulti-scriptrelayrelay_ccertsrelocatedsasl_passwdsender_canonicalsslcacertscertssystemcond_slpconfig_postfixupdate_chrootupdate_postmapswait_qmgrtransportvirtualsasl2smtpd.confmailqnewaliaseslibpostfix-dns.solibpostfix-global.solibpostfix-master.solibpostfix-tls.solibpostfix-util.sopostfixbinanvilbouncecleanupdiscarddnsblogerrorflushlmtplocalmasternqmgroqmgrpickuppipepost-installpostfix-scriptpostfix-tls-scriptpostfix-wrapperpostlogdpostmulti-scriptpostscreenproxymapqmgrqmqpdscacheshowqsmtpsmtpdspawntlsmgrtlsproxytrivial-rewriteverifyvirtualdynamicmaps.cfdynamicmaps.cf.dlibpostfix-dns.solibpostfix-global.solibpostfix-master.solibpostfix-tls.solibpostfix-util.somain.cf.protomakedefs.outmaster.cf.protopostfix-filespostfix-files.dpostfix-ldap.sopostfix-pcre.sosendmailpostfix.servicecheck_mail_queueconfig.postfixmkpostfixcertpostaliaspostcatpostconfpostdroppostfixpostkickpostlockpostlogpostmappostmultipostqueuepostsuperqmqp-sourcercpostfixsendmailsmtp-sinksmtp-sourcesysconfig.mail-postfixsysconfig.postfixpostfixLICENSEmailq.1.gznewaliases.1.gzpostalias.1.gzpostcat.1.gzpostconf.1.gzpostdrop.1.gzpostfix-tls.1.gzpostfix.1.gzpostkick.1.gzpostlock.1.gzpostlog.1.gzpostmap.1.gzpostmulti.1.gzpostqueue.1.gzpostsuper.1.gzsendmail.1.gzaccess.5.gzaliases.5.gzbody_checks.5.gzbounce.5.gzcanonical.5.gzcidr_table.5.gzgeneric.5.gzheader_checks.5.gzldap_table.5.gzlmdb_table.5.gzmaster.5.gzmemcache_table.5.gzmysql_table.5.gznisplus_table.5.gzpcre_table.5.gzpgsql_table.5.gzpostconf.5.gzpostfix-wrapper.5.gzregexp_table.5.gzrelocated.5.gzsocketmap_table.5.gzsqlite_table.5.gztcp_table.5.gztransport.5.gzvirtual.5.gzanvil.8.gzbounce.8.gzcleanup.8.gzdefer.8.gzdiscard.8.gzdnsblog.8.gzerror.8.gzflush.8.gzlmtp.8.gzlocal.8.gzmaster.8.gzoqmgr.8.gzpickup.8.gzpipe.8.gzpostlogd.8.gzpostscreen.8.gzproxymap.8.gzqmgr.8.gzqmqpd.8.gzscache.8.gzshowq.8.gzsmtp.8.gzsmtpd.8.gzspawn.8.gztlsmgr.8.gztlsproxy.8.gztrace.8.gztrivial-rewrite.8.gzverify.8.gzvirtual.8.gzpostfixpostfixpostfixactivebouncecorruptdeferdeferredflushholdincomingmaildropprivatepublicsavedtrace/etc/pam.d//etc/permissions.d//etc//etc/postfix//etc/postfix/ssl//etc/postfix/system//etc//etc/sasl2//usr/bin//usr/lib//usr/lib/postfix//usr/lib/postfix/bin//usr/lib/systemd/system//usr/sbin//usr/share/fillup-templates//usr/share/licenses//usr/share/licenses/postfix//usr/share/man/man1//usr/share/man/man5//usr/share/man/man8//var/adm/backup//var/lib//var/spool//var/spool/postfix/-fomit-frame-pointer -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.opensuse.org/openSUSE:Maintenance:16624/openSUSE_Leap_15.2_Update/f54aad3ef4398b55e159f08aed18284d-postfix.openSUSE_Leap_15.2_Updatedrpmxz5i586-suse-linux   !"#$%&'()*+,-./0123456788888888888888888888888888888888888888888888888888888888888888888888888ASCII textdirectoryASCII text, with very long linesPOSIX shell script, ASCII text executableBourne-Again shell script, ASCII text executableELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[sha1]=8fac72ceaed17efdcf3fda64849838261c2807f8, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[sha1]=9120cff35b933db3f52ce472fd7f9d80e082aca7, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[sha1]=e5cf066f12d91fa3f8800e4a3044fe7a5ab3d70d, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[sha1]=de8193729eac401fc5b8d1e17c4da440618ea191, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[sha1]=707db370ca4932ad2c2956aea7108bc5b970ef8f, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=c8d717e822200f7a2388063c5255bb8f22f027ca, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=b2d28f071eaf2f050058f8dd8e5bf7e30efeebef, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=c3bc1824b0b1af079d93cf6e9ab80cff1c814e6f, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=96918013ea092c8bea27c0983967b5d16e2218d9, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=903a86513eb7d83dbe71fd6b6ee63ad73429823a, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=15e453fa574acb048f6de3b211f01544d146a2d2, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=3a62c2dc220d49e228330160a90554dcab1d631c, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=0d80adc8d24ae0cf40d1561e0e8982f0bd55e437, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=ab6344469eea5bb3d2bc390e1c2b4a143e38e6ad, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=29231185e4df07d04eaeadf6518e013acd0c733e, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=b940ccd5586d2ed8ac3f51c3ec0d9b3e549a4ae2, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=a9e36f9cd7cd76a94fa80cabe41ef55a62035d4e, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=54723f9c7aa1267188d06884b0cfdc3b24c7dbd7, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=ad5ade82fcf41fc11719fccc013d0f6085441293, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=9234cf1f7a7c6b824445cd78ac29d34e2ae6b741, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=3e3361c519ca3587fb8b4186782561c87dd13c83, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=8a2bc7d2bf24f832c9b3d9d9f5f21a60b3c170b9, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=5da64adb43bbbcf20b475c83e62d32e80707e3b8, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=730103803f46cc688ccd4048fcbb90a33fef52e8, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=dc88d2c032873124ed13c5c74179b7dd90526b54, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=7afbda2d80d3b5148c089dd82b636f83f6fd52ce, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=cd32d928129c42567235039a3f3b85dff281236b, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=1bb007cb7918ab21336e14b1af9ba6c940f6fe42, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=33d3faa69d488f91ff1239d46032b83e74b669bc, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=e8348b7946e19703c83081dcaa08945c6f781943, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=6578245a9260d77cacb5f12be2ddf1e799d328cb, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=4974f27345ffc7c092a9b13585c4f648ad7e6601, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[sha1]=0e163aac300a884adca1fce795ef067efc98c3bf, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[sha1]=c10b48c154d41a558958636c075e2580501c59c3, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=661d7f03cc38e06d03c11fc56f2c4f8fcb0a7f16, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=fd3f72964108cebc152029a5a8d71f30c34fa8ba, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=f4c35673045aa100613e9911a3fa18264c405f48, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=44f201bce7ba3a2222d45b578de185925f684c73, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=466ab8af82853e6aa8bfa2a32b78a8d9498010e9, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=fd78a86b5fcf094aa714f4d0ee4c004f55d301bd, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=bd62bd645b39ca7b925abe2f2845892b53aea86b, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=888d5287e42481dc5f41a89c2adc9316d12da958, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=db75ab48d6fbcb5fbc7dc2dd6df54dadc41df463, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=453633111608d4d59e4899c01c6c96c5291149a5, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=009a0faab7790ba261756c3ea5b6749703a66fd3, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=4c39558aa78eb597f162a0cf28f83e59fea6b006, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=7a074b8153a1149be684285ccc24e0f883d117eb, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=381d017760864e9b8774aa23d19e99bf64851641, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=26897077abb52b8d51042ec53f353b7027645bc7, for GNU/Linux 3.2.0, strippedELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=3a9e2d7256b7a84a4e2ba806e90a54cac48c2e68, for GNU/Linux 3.2.0, strippedtroff or preprocessor input, ASCII text (gzip compressed data, max compression, from Unix)!-@FOX_gnv%06=FNTUVW]epuz          RRRRRRPR-R.RRRRRR,RPRRRRRRRRRRPRRRRRPRR2R1RRRRRR0RRPR RR%RRRRRRRRRRRR$RR!RRRR)R(R+RRRRRRR)R(R+RRRRRRR)R(R+RRRRR)R(R+RRRRR'R)R(R+RRRRR)R(R+RRRRRR)R(R+RRRRRRRRRRR)R*R'R(R+RR/RRRRRR)R(R+RRRRRRR(R+RRRRRRR)R(R+RRRRRRR)R(R+RRRRR)R(R+RRRRR)R(R+RRRRRRRRR)R(R+RRRRRRRR)R*R'R(R+RRRRR)R(R+RRRRRRR)R(R+RRRRRRR)R(R+RRRRR)R(R+RRRRR)R(R+RRRRRRRRRRR)R*R'R(R+RR/RRRRRRRRR)R*R'R(R+R/RRRR)R(R+RRRRRR)R*R'R(R+RRR1RRRR)R*R'R(R+R0RRRR)R(R+RRRRR)R(R+RRRRRRR)R(R+RRRRRRR#R"RRRRRR&RRRRRRRR(R+RRRRRRR(R+RRRRRRR*R'R(R+R/RRRR(R+RRRR(R+RRRR(R+RRRR(R+RRRR(R+RRRRRR(R+RRRRRR(R+RRRRRR(R+RRRRR(R+RRRRRRR(R+RRRRRR(R+RRRRRRR(R+RRRRRRRR(R+RwQxx+.#~[utf-84b18aaec0198e319d84f54e7592cf0d033d126914c8f70a6719d715ee43bc44f?P7zXZ !t/t`]"k%rܮGVchyɭ?fo;TӚRT@+4vj@%séu*[#:˦zMw련Gfoѐ9x)GqM ]0#)rpW)J┫ D˵pݒH6Rk ѦdȻӀ O#Ը}fߠ Σ&CLOC1V.zx@^AC933O~p؎ݶyKuydʲW} uZزdB(A :߸Jʙ7TD!{ NBbЃ!6IiqrYoM&&$ ̯6;|\\PِA^ 2EZPabd|B6G1p8`)T8$W]8 'T|A|~YQ˻;*i3|7Gh x"/H= bL{`-;Sc?):Y߱2s" 350 ĩ;yRVUV=!WCk÷'-Z?89JrNP4D\c+LAlUXDā$NY>j ,li#MpD' TԤgn/ʊȘ0I5;B&rznPƕ/X~T| q s3 c]!6W<55Ox6O Գn [Mt20,n=?`'Ӛ.~9RuI噶]_3~Q§q@U K=*ߩ5Ҡ p}8:H 8{ck)^%̱Bܶt׫=& ?%TR4ܔe @S jo+b7j,*c9+C~·ڈ/RmdMr8.`BStqBq+Ӌ&C߃6,|V~xx&S,E@X/`$fX(!F~A>[: wx`|::mQmz,Ԍ3~N5dvjgd9"EBr}O3sԋ$cn ,**5+P3y,ҥ#ǎ~UH?n#~PlDʚQ/EL qpu2!\xuo޺{b+$ l=.,u!&ۃٻr(<8NX!dvY$!.`<-۠Tl_HWpL4o[;PC D4DCJp=?M$*n(BQ,'WQ'MP``r.Hݛ[:gcsꃍ~[#SN.;jK*5| ؟V*U#8Z ʣ$EEgMWMcmicth+Oh+${{unwxWUj[ൻ{E}QW$ϬHVj Yc8f$١CUc{/W`ksAV/z(6 5 ?wJ tIQأc OG9EA-/0g=Pt3]R״L=q@n$ Ѭ 4~x1$ Eƚ'ii_7ot>yq#ʖwC V/qoYH2i%\Ky* vM26CfQ Da3ӢLK\рgg QxQ7ШG29'!Gx(#i?x>!X}mW8v >$3:֯| 7[|#gKUZHYױ8o}/hTmTp HZߏa 3-QI Nb+>6PҴfàCY;X*)e: mXIUȆ&hFH0s?.(y;ހ# bηC uSȢyxJcV3WQM*19O~6|d4b-X J.OX{lW~Rj_AJEܒx ;VeSr$nSE[DM]9*vvMAյPcI6O%B i 6t3WvKeZٛ+Y tCvāgw(H! RDsEvozzjϾɌ/)Q5b,z1  K;ԕNtxw ms}@:pIԆZEG\^+Sh{(VB:@?=Div4cZp!Rdҳ"7CI6CcA;C0ib0Tv?.+toրw[Ψ&QePŠC_خj+i?[kf(phCQ湑:/,"ff٫IY5̕Ut劲xD`]}f'ڔY/l7STsEfU3 -%,ۺzRA%o754` G_'L'22Y.11D̖7h~'j+ ҎQ7ߏS2 Vە=s xdmDŽe_l0qM`w`fWx$А'!V =BzA5Dx^#2v".ThrOly?oJf-V3_*܃`)HqHPysjoPT[cX _ iwAs@vxO B4SN}؍Q 4!{Wי涢mI7Q+]o3!K@k-#?K`y EӫvelI`$1o0.cZT$Š@2~ Di+Nb'@y澬_h7=ͩ*o!&)ºgk%,#:Bfvd5BF }mEe$cPɦu %kj.d3j.o؀SU\gTGc%g/\w n 4u/wA)rBNmok!Yd !@|ċQ$~dU"JXxD"U.Ie| 1ރ0[.WKL1,EhïSV+_Pi Kd_2°^"Uf"8KNKx鱸ҩZ`S|:"D8Ab><6Ր t|09ΨeK}7NT-ߘ3_dkkp8܈uq{X˳%b )K2`P;PzꏰY<pB#+"UNIM\R_ OT?'h5@a4+ o]n,>< ;jK6)Bd}3hM-؞E:A7̑FCƸ 9Wvk+cfU}-s#m҂C)u}'Wka_ hQ*& |e/$͉9}?ח(GZj\/]ɣ$!uJ D_n~Cs3/-P!ɇ 5w80M" ..+oF@q0d j lq&Ɣ'XنY+F)V&zTuǟ<.}9&(; IO-[+Фr/խ-q ~XTV-э>!HF%R[ }dSYe7U5cPOk1*ӯ3/Q]3ՕA7*ZjYY{2ϵHs4 즿eM!iZVw3*C#f(%R>ңW6N)! ~=(yU,=ÑM gģ+ Z{Aej xf'CDr0aw!Wr8+Jԝ9fhf7UCQ 0Jj!#1Մ#(K| ?e!l#d u+LQ`% V,ɔZ>+虍؋Aٺg;+_8(;WtsE>}Xzغ!5"Wmjo&{!ixfdGp_򏰸-ۗ +AКc6ODe\_pp}8<߀؉ßf2՗_WKuq(_B\/@?)eTrw]7o8haA9#fsÔ׽G, ?33IG/uCMh Q!x"x@[0&vScPR>#d뽠Z4[TcCNm[S}ŗf˓#Bb) ]2>@)k{Jk߫+rzKŸ,N0u3E.t,UPXYvSVGb} ! aI3CwО)>Ё7Ζݐ˃T'1Q#5= R|p`Xujp;%}U-Cهѵ?XYφV4~ lKIIBS6Q%-9wqqStf\|BϡL@9)*B LhsSmjDԈ @^CT }}ÿ́}f"\(SW)}9HfdM!v>e; n[ <` ۤ?j4D[=;.Z7$ ξ YčB0@O1+;Ƣ%cɦbޏzhp,Lb75.)AhO1ո \gb}I d?/F素#s)0DWWL؝yݏ֫@E"*Xg6]6~;b!G~wuE%MȅgͲ,O$/ @ xaۧHAy3Yfa$iƎܩ1'eD9F] " _8~Rt?sy1RTqsМF$pVݝPܖLW**aJ֚)Ȗa >H21idmȨtTq' !kܦc(DY-/J'׽Oڡ-3T;@ܞSbSs{%|&1*0ObXMy-tp#CF1Ft6Ȍf8&+#|LNZdRKeZLɜr0'MEɅa{{kthP#& Lq}$׍}╥J('wT!c#Qne!?-J7ĝ-Z~TzՅ?A k ]9/؏wjQ1`J79s<Ѓ^x˲ )PV)+fh2A(bj, *p@AA[\Uv=!=LKr B7jx= H94|K m3ps3ciAx>/1hê *tTOVs.mīH%qc64J~CAHcI$D^0*6E3n#`26q0 W1HIw^Z-9ojYZU*>Kv"*]O!z8`I 4df#l F2eՇ9Rc(NNx$+Zn-\=JÇcv]V/1< TAT|x4i8UX?wbg6pYedzV]=* ҘE}9l)œa, EhcRTNSGjul?Y ?-z6s o5oyqKk`Gʋ`tq[]!;x_;vZOsW.-c ʏGu󍝛-\ǚo;((5۱K@ *-cZ*[Jهy],`ԞhGvSVY?[ jd+&ĘhYX£`y fk5?ϱV7p@WD_)SO$Bg@Ua2@Q5gW[Os- qҼ=tISE A|*KI\&pˆd͏1 򖽝%{b#SgH1G)MwPwd&ҸϨj4K?14GsVfLn[*ttGG¯ a~;[_/6ѱjS :Zɺ,?u0byљs}rxʉ@g bݼ}],I0V{80FiG%ܥ@6G.%)fż*"bvYB"J"씠J^Oja@ĚuVj/ֲ>,HiͣQ|֭,YwRY7Q|)+?SQMջ x %fYI-Ec'pPJh" ՞#N>xeU9B~5\{E8:RTotTxr!~|$rIwowz،~ (<hwكNdJ0U\]AYngݭ| $eUm/҂]>hy֊ }d9u#3 ZGF E[0"^@d18**rxV9>C0'tC="of%V`Lp1eCQ8)ic X~N@p+"ƈR:>ѻ]nM1#|}2TBQV7r-Uop*_$Ե`Iq;M`At2v7ּkZ1sƊz,j"5xH`;1L٢C۳ Z;6=a;:(s'?" "{oYw &#]bw7.fJ\,P@"P1%@2EOKՐ:BS\u^m_gw}WbGVNԘ" X~LOAc$'RͽERJJpp ܗKل3et ,FA#P=CLݽ]5Ę,s@iI5OLA&M ]NgtI l ,q<.e-,Rd*S`ȟ%Mo)ZqbA/!Ȝ|]|}JyM}9H&Y0vu@dц Af7?!eU3@>f9(oZ8be.\106\:۴E]9D,gII-r\1A||^{QS]C;tpz D5SX?~ᓦmX{| t?g*][.Yb(b|lOsS9[j d mfL96@^D|of* LUS^SޢzE\Ϧ098oagSk|x_ FVi2zf||<v  Y: Y`I uoC^*qtѢ wu8R'+AY1 x1pk4O{FػU"J)n*5g@$7Ktp_ِȊ$,VI0:J$07^A:Lw.Xq)F _w{^࿸a'Ni)7NzV Tk#Sx`UQOa8^~q>.Yb vS1LRc$Nzb6VȫuQ7T?g4+@)ηhŷc^ڞQV`3Ih ɟ[ }iB{Hʺ6{}5Y\aEA0?lykb#L> Ȏ6jEVjKs|_'t@PPSoWFыf@愿 OD$y2ҋ09B~U6q Dkx:zaxZlDjŤqL;ZIf$w)[A-:·sC\ࣶ*hB KTz< JnAc<jS^@04!setrM1<}Q%ΰd\6L Q?(@ke{cqݧU]w4!6\G,FV`-1Hvᐡ@ax?|Q7@K1ȥ8/:18>ϭWZ\=>kɝH P v}{Xt c]'F0˟`E_ܯ9TmLڟCD~tR왙x  Djo.S,J%Y{ꈵFjwItsc>mdڔO\DMزkEcj`~q@x,q q6rt=%/Q8`튁$qTj_Y8nUQZ KnNޒDz4] g/lbqcdȟA.#˴L*xɠO}'ib H$yTE8+]HrA ɺ1׍;5}mpĕ_o|j/YqZ- G5T5 AUxPE ݢ#_ȇDR]zgcunc&~M5 }AT_Nq c+P)y'M]7xCZ_ϳw+ck&Q!0ο Q[~2f_Tc nBk}{S6tٓR.#3ksr(g[ G)a|*s=2# =WHWɱHs|f*k[!PoB7?ҎQWw$-W יHE[0Da,ǎj=wĀUS1ts9Y<"sxZoOGKJ?!ai1¸\xuje*Ohƾn?雰>;mNA Z~_,,?k1Li%Dx o헻"Z%6*TsݼIVPn4K:ř|$KA-5?4%T*f/^wp򵋬 *t0;ߺs੔02vT&du==r$ow[g,4r.'#Ƌ"}kyRϤhn ɇ2T oUN]qq#wDy9cԘ!o%Dd]p%HUpVo@5( >1o/C/gQA'PU0$J֢KDe#t`UTpbg tzxҐl o!4h^u"/4MJRWfohCTŸ}ӽ;o]e9 A3+HhC>,e'Zb\kz]ܶZq 3%[]vƠϤN>?{P˲zj?hzMn)`>PL;mB[g,#dVBPUlbEd,9%nGOu7&jFkDKC| ">̺E8-`7m#7 dYzbQEHiu3l[n :7垯OA/;CMn0XɳD 'c9_M,d+j$K&P=*gk=PZ=<3v|Gh7>H59Cj801M jKe˚eH4>B YjQ}ȥ}we21<-'eWɩ2^d|g:xj|oqr3/;S$3'k'ͪ4쟟,IVyzBQfƇFMG8r$\p-VA9 +y!ɜkݷ("9B .WVW |p|!W?u8Z<8'M VXl! Ye4`? K{\Z埰)Y؅:-WYGpj=Q#2L<8 Ѱו.;J3!rwQ!O!0ݝ I#=$D3E̬n\IV ]z7!i)xzhAh#v;$oҜ"!BtR6+HiqH~/yUn*c2`6TGSv<`跲SVmT( a2f"NѝAI4ÍGHL[ĪighJd|CH i[[ {يxR斤W7nURڲ3ʤnCH' ί9`.t׍T\UZ!93 pkV|656̵v8ؽ i}&9̘-Դx؝[RQit?fvmPMѣ&sbEk6zkUkciU(oͧ: I+D~I={ &f{q[ɲ\ʬpO"=L24S+FSș\߁nkPף10mkԲ7#ptFЬ5ӯz V]41yŇ34uVn=o3k+Z45s&E/ ).Um, {"pJQ N&Ոf9a]u]yOcS?;ݫŕ!* Aֻ]Io?:4Ēvщvd _}`F]=m!Z"Z ~l>8F;t[9@\Z?ll@)Va9'd&g*Ŀvi5X1}fB]B碊FL+ՓM20 øᬾ%ټO4 Ffǂk|fiЈ=je0*VafZE>VznXf/lP9y-)d iMrmp)ThSH07,dKT#r] ӧY"6Äx`@)s|XS?t{I9Qpp*Rǩ軤קCd}o}z؃ųŠJ{Mx8)㼩WD*qAEG&$t(?apV(**\+1?ca r}׌oˢ`p3m"cixQXh ÐPK6jHIb #W\dSϣFRjqQմh̲2o":J`1i(P|'궫4o?2_-4@Qe>P@Db\` ˸@\,%0{RS$0ħmUU!{SwlsMcS B7+V'ΜIOq_Q?ESFҾB, j}fՆּqUX?ߡlG%2L7N[2L^rv$[Y9l+LW2'CW(KN͠)$~/ViH,G Xz/2[>cr :Qn~B1iD"fZrE} ^/nhSq3k @[r$rTY;/}⊙Jqt薫\SV0fZgՌoQ9Nh&ZA "򰮈Ŧl6L7ٟ B2u찢0[ecB慫rQch0O Xd *B']~MTӳL.WN9/4SX>d򉭧 .=Hbg#$vʧu+goEMQ٫ev]ԖgY+&'iF^&|tG/S+Q狼bQDQ@%4MFe΃n\N7{IJ$0S/e UBJ,!c]Z8egS6; <"/)C9m" 9jheϧ7TneıWLô]82eJDXD&RhSB4~ \?`deRȁWώ:ybs,! @C ',s!:\ fX+v#)~WrW-crr1Z~u~j 67a~-$lӃI#eU'9\٨2 mr3X<! hNѼC}`R59{ZY j70,OMq%Q!3%h`Ʉ-aڰnd쫚>EqT܄^Ky~6"t|.vʻ92d\W.\,'I^o\EсSm0ٻ]sp|zpVzYHWJ,w\O<q}΃Aĥ{C _6p}P\kTNg{sr­hH"%=0dCe?։qEL*<_t yeb@J7($/FʡƭOCs~[P Nɢ6RԸr{!HtJ:ɍSHb]}Ř6KVf rq<%@L|@ [Y\r_O0%#?xp?ƅ kRv f¼U ̢)4I}!~N*e,h^]e+ la /6 L27c@2cq~ܗ"4TٰxIrLG`3ijXao9l5~O.!+c [ aZَ\*}i *ΒqnB{-Is7YW3D MSf8{67wkjCÔp $%7s bvIsoߐK0'}ғCQӕ:([?T7*ֈnP0+[y4|>򓥾ZF& At95¢'4%p9Yk@sG&> `m2hmҒ\X.``GV^g^c;r Yv̝@["[ g[謱ʍ,G)GYSQbfօ":?}%*9#P-r_YߺE,b9?(I 38EOHUf dā|ϬZ*/ QjԨ_q mY#VcS)bOIoW9SڸȀ^vNOqň!Hr_dQdLl:(c0<>nc75d_cgu^QB\)(pܢ+Չ6ƺlCBץq1'Hu8zfD 3SJw08% p>-\iH ȵgi(1a̐=q@5Q!<PDme ~Ҧv8SJKk 9Z\?W=iи4M@#u+O;5ҘlJ#B] .<H#9AnUCnJ89=[ =" |$9.pXs]Xp_&ԈZD . ILNin0Pフ:g+C)Ճr7>z}Yޛ#r<ܸ&\-T[3I [,;C(o)ݖTc)8.wN5ס5MuKzAyCfF8b^׏m/.[*de%sh>:QU7a(4. !Zp{>g~=9R֙T WSxLKwWO2ٯ6~(":YkN)SdY!SԐy}=.3Ⴚ$"T0~.^?)y~OImg C`zEvᒒ}^asXū\9SWnւD;T{ pXڦ[u'V Pp_ѻ-!ֳg,'MDH`_9 à?sc׮e.,wNCwsGz C n) 6L${v t:8#|¾21ψ<|{ =jy{`jP+SVF8PNzF*9  zf>Bu4@#R4,,.})$>-#r?o~Qre;G9:mF:~HAkMw0Kb9}TZd ?迩IV8ݢ9ɽwV۝Q+YסCy59Wb$hA^6Uu3T9 N# 󮍛!cyϱi=5 c0eVe`.t&g`r%f>ǸA!;{M*e&lG+w<̪zϟ5BCҖ9aht߈{T #nKG<_W_3}WGNϭy:K$g+S vt 41-›P ReN6 ݆^%SV+qTcfhoILy\[lZ=J.Q%|,l/ bY6rɃɞ-:4QUG@kvt(|gdmϰoTڞكڝRˁPaq X:DEkmV*=p^,rzg*RsxV^Tjݮc`A?ss|Xi$Tq! vh 3]u;IsrF h`F0JDLFb~=CVE{$EMN\fe%dǔNW &}E3DQ͜BitUhSUQ^wj$PM'Ӣ}]LI@XV]A4s3eu:"xfA>Kcpx݀_S2?AgJ_% Qp ]OYY!~Mspض!V݌v0wRr3C[C!S@dv.T0JEh%%onsuxvYBe2&!$&Co(+g;XQ* tHƙo>PWBU c)K`ą)Yzc/!]]My n1%^ķD?w1>Re'?1rͣʟ43oPQưP:{9"ySP5W >ż0nLf]]Xu4n(ou\C9Q]]hr5lG#˻r64Yrx@OqExNta6) p} 2 b,>X?`a4-el3 gFy imj!erd,<ȔW%K9UXJ15Deؚ g+={˕M (…@Oyȑ]L8E`Ʌ7b_Ç;)$msфդƕB:>z )#$s 7q1=tYﱄeA`|Ci?_.@"&UȹcA"(9#yJ 9%R,4X*~ỨخĹ },\I?SQV.ʵgوxz/z)p*JyB.teg8=4c} 775ZۉmlW&ڃ\ofX ?C  ⮅dv/V4rCaU";}f8px6 ˘&*F>nTI$<}hq%aLEDu(Đ U8I0a}b3d9 KnphxV6ӑfM5>v•lehe@h)G5Z82١5d@IgW!1еDe MdZ Z߹z"SQZK~Kȧ\O8OlܛA*} PMt> 2N&UpX|0E.վG .0}9\uuj!/}tcaMɭi U|Bw0у煕J$Qn 0ZzrX3DsdCH3}td@H[?ZGp_Ys'`scʪM1]a4&H۫2WUx$^jA )LpTNG=:Sf'錮z[JPBVm?wȮޜ._Vy'jggyȻ͵Fqf;`Րi5n)4P (v~C L}J2 2zz͞ۉKzޜ/G{eMޤ̦!,z@xFVm,azNX[$Xf I`D.m35d>XҪ(]$z#>nmSxofzsh)*9u Zhg2j'w,? y~E@ҍ_' x(#![9s6*Z<?N>E`hscY?<Ƨȟ`ri|*SC_; 2܈ IeFŗf\n6 W_6aYU籑^ZHi{pPi0܃,a;]˚H?vM9,9n]:ULӂmCޯ_u>,u|H)rE p9r%Р,0H-!9o}/؜k`IsUb*R 7dtT[d\@`+Y/AuDzxۖk!S l3 f`d  xo YHT6;l4RR K(sz>YG,5R?h#NOrg<Nʲ$ _=rRR~Ȯ0]IC8'l$\Y$9b^#f0~ix+mEi"C*',p£4S4Rf^NI- .y3㞘~Q]}8?'''068~0 E/C(wB^"Bt?`V>[<;jX`d#/oh5A8(/p7̔KZ~Y!H}nKg:O2\«Bj|^:pnRUWKGo *F8G2:bu]HCz|zlyx:|1JT$&π}TسpP<3_) MQgĭ]F'[ZdrK^^Mrbj@1Y$R6[+{4o:B-Z꣩^_6\0|8gv/ $0D5"Wen;_fTt`? ~ z(NHCQ$S38"Toi׮5_@NzRI8__lqnbR xXYy4$ B~"^ ;Ce$ cǏncb9< ?ػsx̧G34W2en` r8C$qW* EռWM0BiǨߤNf]a9iYUT0P+B6xA'4u`ɭpIDz\b4 cZ.7 J*tKxsaR!(^JILl&y*n&tc.8[=3t~-na!?QɅ.s[!ijz&G#BNAj/(([|9]@q0 `[(ss"v@D-#f%be ./+"ǁ#1ZH =+MBU.PQU{m2/IAA)4 v2{8ΈWNı:tT۾8㢶SS<ՠljqcV7NHY7áXR)=?_w$m>m*l# 4R B " 0"-ܸݹe÷c~"zNZ1tiun/݌)I3b}ݷbCd8Zceezidͱ< !Yz_0W!Q(s#܇MwT% fh՟=O>:2`,SھVq.fd3#򩩅iP ]~ Kۭ|i/wTjz0Y (w>0z*[ϧL|eM:t)U ʣ> Knw<4:i'd/O| :|욖/nP%5+XiP*:< avts}UjajQ_cVr`n }g_#CD0(|2A2;t4߄^p&'^71pp& pr:TfJ&7>jZ^N6'#9*4K?ٺ,13K(@6j^y}nU Xp_D_6cb,ȳ?w5v]F $9ELdrn؜K(2u_vI='VO1 pTHGX2SOn:&Y r*I_Z3M1/v_6ySTc[=(|ˎLs,E'Gz>|`RfHH4 9$Le{ IuP߇G1cY@s{U9vo!-O?{,t$1+(6z06Y q3{~vdGJ%3$}57TKAFD{ S=(S&ƥ7*u:^_ er\$b&)4?m7甪BkFfX^%h 7iSHca5yvMM!$sQ>JTMn>OK0U:bMEO*7>[ViZ+ฟXRN cJ˼9tnSd |S¡R$|K2Z2n1HSF^l.S8ڥQ<- fD){ Ms;n5|&4#ݫ~-BcE*Q1[9w읢[!lh;zb2R|+a( <`cc[aLt6 o-T\!=#Y 1 ,D&{91yg`.LVJx20lq]a$q&廸O*YwaeT^"2|qOh8]fOfkC=3*Etp䋧AWUH>F)V;k3EQ,PxW)SF0!w(y28N5sFˉd( qʭKYuu,:Qrv 8aw\% EΓP`zW>F"Aaۖt~0Kj4 aMΥPQ 0~[8ՇkE~>MWZmdFJtu\![ qwxe`K݊@c^4wӾ6в;x>3RIi{ʙ ~ʈо$t)$· wJPJ8#Ste&uV:e㗇n`)'#兘CSh n|$7rQR{wlATc$pso|Hعy)GH4@[.,X(ǿM9:ػUK1|Y.\a%O54EKSi4V߯R9|p?O=Gv} b~1)yYڰBbdU`;iF+tkOq뉝ՒʌNe٣=J:rϬ!$gh 6t⇬ƲRΚd!s_7$ǟx9OM|hJ[ZU:AQiSY-X9% 6o虥} { Ǻ02%ƸӖOa)?@e+@MTކ\4|=IpoXTķ^: X)8@>CVdB"ƢQϧH:'(0b:^#]sJɎ Nx,TBI:p%5 to~ty ڡem'R}Sn nBBV+;< @X$@6h su@}'7igƭ2b҅Fvȉw# nj_EWW 7)q ;ޘz/vy{1{O0]Ur=Ϛ,Wp4z~ 0Y}UX,TNNja~{=*k8,HHƱr%*IV8A<7D0SJ[e_\<2'.FA2 7 Wl`AϢ#NoE~/s)$[)A}ѾA-@8I$+vB8=OAI1ƕתOi磻%'#o*m-r;V3ԧ}KMNPT=cēѵemtjgpXc+s< 9`x59}r+3&>qBVx8+L㼖CD8I"ŖMVKCŜ\( 6<*ctȹ1']^ibY~n2L|x6J [%֛+hp䤖yFEQ/Ξ+u.X6JH( 9 Ce B ߽W("|BvLK4:@[ex4)̖k_6?_oaaO8Ny=0CGtф,66M taCT1Gލ H 1bҫ[3\ V Uy;˱9ڻ^:/暛7# .8d?Srz6%wLX`x:,tKO)?[dM bl0܊QYDV 2wlyn('7{ׇM2W a%,纆H0気C0 9aܚnjg&E3lO%{-^ّvHH7#yku f1ġwmqÁ/}|:f OlۉV*?ݰg1\4G>V*8+r6?<:{T'l8ԗ`y6e;vPČ>-ɔ\I麐m| rdKD9$!5 # ԗ7߻4|wZ01{x gIEH8qVl6wEQdxm&UpjWUhegSChBdh DbXzٯ)]32t8()vN /DEhY|hm}OźY'ɟ!'4u5vM9-ݦusUU`nQ*?ŲbW87s~%g"ܦXBD r#"2!xYfyL'D{~y@_\_V`RyK^>BMIT?On[Ϧ<~^00?2tHW=3>@IcQ޹r?YcX'5*yBi#.,ro蘐#L2>4͉W(p ߽%i6>Oпצ L^G!߉袼R'*C0p~OG7;de>5 L/Ua ه]8a^a$YO{e}w5]{~qiOR&K麫IK#+\k}H=!"+ ^{#=A`'N4qCpF}OH8?Z$ ϵ@ڊ>a q[]y%00 gZ{y|fC/V{pe2t ^/pFҷ搁ӲAEXB+}zcz5-`2dmfT&~iq=.Nh^3 D1x{YnqIjIdȤ'AӰ% /t!Ć-+}Q}u&uبg*\ٶ<׎J^wXѓ;(qI^]-d\7ӹMdusl%G;^W*`k)S+^Y>x$[ZER2S\2Շ)+xS"a}ܲRkE#9rk K[~"- 5ڃ-A$<k4a1\p*OJ'*B`t RȂ,_0_!^ەjy ]sJ-EN܆44'wڢkS3OyyH6"6;r Ոmʗ6iol՟e ЬRwe$Jw^ݛگ5Ztѿ)̨{{1QFI9{.;fGW^M()mǔy3oQ,@L+ߵQߢ=#ģ](Ax}wda.<7< Q%Xj9SJdy/ˠǺO4Jv[y|u%pT>3/_; ąliʡ,>R@?hl0;Ē.dj1IL$sT贼s|*jUu6zDu|ZS͸Z0",%Wx"hG4/z'b(Pdi^j2,vG'tj&BX)K>|Rk!M݈IJ#oو< lEKWLo>ї[*ls9J^PlFב ժ2ت{$M0PO=0uG/ ĚCo2L1!y` _ @*t>kA-s݅2Y#F+A6iUO@Y| ަ=FڔZ ]XdY`3U|-tU4d\ụx4<.moCi-SJMga0!|˛C΅W⽄{ +Lm*%hScߵc@3hJv,1EL8b9W u>aգMbfz7Կ ' 66x{o?Y\Yt<ׄ*aJ SLn4<Bz^P*T )/zֈs:#Q]9;¿=sU1>x8  R8WL:Knum"'LqR"mbhJ Ӏ򷚛\IH3n1vŖ0Re]Z:>i5ǀ ۳-24<ϑ7&c$RB-Kf;K5!P]uʀr"R\\ө@R6?GB}v3@WVtZOF@rZԃ&p@"/_U {X$܃ r\[2;b1"Jp394m$`kπȱGxAyi*aDDv֦A Ɣ/1 t@CFK/G Et0/z~MnG2DѨ 'h4:Җc aŸ6JHu ]_SIӊ>C/&"Jsn낲ksK28xJ u ^*:s~t ο" { pvik:!4RBm!2q ɭf|f}V~OXR( Fm'?Tq5ϪՁRE]xϨl0ݮ"5Q[m[޷ZJe+ upZ @v.9i"fÈz囂XuWi-@+|k~?CDC檛-M}AVEI**p{C~d¨MGWgTo*Hj2dSjt͍mcS(]ap b< LQEG1/L$:xC)Oі?M;y'R9ֻ1h'eGl/x'b_pb0%Lv~.;9tH,3oUwH#Ogh  Z3NZnMV]εsMxKѿP?0|aoqjoG+uLx㏖ ]@ YZ