postfix-2.11-20131104
authorWietse Venema <wietse@porcupine.org>
Mon, 4 Nov 2013 05:00:00 +0000 (00:00 -0500)
committerViktor Dukhovni <postfix-users@dukhovni.org>
Thu, 7 Nov 2013 03:16:03 +0000 (22:16 -0500)
20 files changed:
postfix/HISTORY
postfix/README_FILES/ADDRESS_REWRITING_README
postfix/README_FILES/BACKSCATTER_README
postfix/README_FILES/DATABASE_README
postfix/README_FILES/MULTI_INSTANCE_README
postfix/README_FILES/RESTRICTION_CLASS_README
postfix/README_FILES/SASL_README
postfix/README_FILES/SCHEDULER_README
postfix/README_FILES/TLS_README
postfix/html/MULTI_INSTANCE_README.html
postfix/proto/MULTI_INSTANCE_README.html
postfix/proto/Makefile.in
postfix/src/global/mail_version.h
postfix/src/postalias/postalias.c
postfix/src/postmap/postmap.c
postfix/src/util/dict.c
postfix/src/util/dict.h
postfix/src/util/dict_lmdb.c
postfix/src/util/dict_open.c
postfix/src/util/slmdb.c

index c4ad5ede728fc2275e553eea1003e54f89fa6632..435f5c65af36e5a0417dfef6a5a953d81039822a 100644 (file)
@@ -19035,19 +19035,36 @@ Apologies for any names omitted.
        Documentation: added SASL_README example for check_sasl_access.
        File: proto/SASL_README.html.
 
-20131102
-
-       Security violation: by default, LMDB 0.9.9 writes fragments
-       of uninitialized heap memory to a world-readable database
-       file.  This is a basic memory disclosure vulnerability:
-       memory content that a program does not intend to share ends
-       up in a world-readable file. The content of uninitialized
-       heap memory depends on program execution history. That
-       history includes code execution in other libraries that are
-       linked into the program. To work around this problem we
-       disable the use of malloc() in LMDB. However, that does not
-       address several disclosures of stack memory.  File:
-       util/dict_lmdb.c.
-
-       Cleanup: expand TAB characters when generating HTML and
-       README files.  Files: proto/Makefile.in.
+20131102-3
+
+       Security violation: by default, LMDB 0.9.9 writes uninitialized
+       heap memory to a world-readable database file, as chunks
+       of up to 4096 bytes.  This is a gross memory disclosure
+       vulnerability: memory content that a program does not intend
+       to share ends up in a world-readable file.  The content of
+       uninitialized heap memory depends on program execution
+       history. That history includes code execution in other
+       libraries that are linked into the program.
+
+       This is a problem whenever the user who writes the database
+       file differs from the user who reads the database file. For
+       example, a privileged writer and an unprivileged reader.
+       In the case of Postfix, the postmap(1) and postalias(1)
+       commands would leak uninitialized heap memory, as chunks
+       of up to 4096 bytes, from a root-privileged process that
+       writes to a database file, to unprivileged processes that
+       read from that database file.
+
+       To work around this problem the postmap(1) and postalias(1)
+       commands disable the use of malloc() in LMDB. However, that
+       does not address several disclosures of stack memory.  Other
+       Postfix databases do not need this workaround: those databases
+       are maintained by Postfix daemon processes, and are accessible
+       only by the postfix user. File: util/dict_lmdb.c.
+
+20131102-3
+
+       Cleanup: expand TAB characters when generating documentation.
+       This was primarily an issue with non-HTML output, but it does
+       not hurt to do this also for HTML.  Files: proto/Makefile.in,
+       proto/MULTI_INSTANCE_README.html.
index abd4d6a449deec3c4be78a8838c1fc70187217e1..e1fcdee46bd03fe8c1af9e3aaf32bfa8ec623a9d 100644 (file)
@@ -655,9 +655,9 @@ Example:
         smtp_generic_maps = hash:/etc/postfix/generic
 
     /etc/postfix/generic:
-        his@localdomain.local           hisaccount@hisisp.example
-        her@localdomain.local           heraccount@herisp.example
-        @localdomain.local                      hisaccount+local@hisisp.example
+        his@localdomain.local               hisaccount@hisisp.example
+        her@localdomain.local               heraccount@herisp.example
+        @localdomain.local                  hisaccount+local@hisisp.example
 
 When mail is sent to a remote host via SMTP, this replaces
 his@localdomain.local by his ISP mail address, replaces her@localdomain.local
index 12f50a234ba2267177977eae00059a056af9858a..2870d11f8dc8f127096724f8b3efb9efd43c392a 100644 (file)
@@ -119,7 +119,7 @@ this:
         endif
         /^Message-ID:.* <!&!/ DUNNO
         /^Message-ID:.*@(porcupine\.org)/
-        reject forged domain name in Message-ID: header: $1
+            reject forged domain name in Message-ID: header: $1
 
     /etc/postfix/body_checks:
         # Do not indent the patterns between "if" and "endif".
@@ -134,7 +134,7 @@ this:
         endif
         /^[> ]*Message-ID:.* <!&!/ DUNNO
         /^[> ]*Message-ID:.*@(porcupine\.org)/
-        reject forged domain name in Message-ID: header: $1
+            reject forged domain name in Message-ID: header: $1
 
 Notes:
 
index 0ba1778f18e2dad9a84fcfd1a61155ed19dd05f6..629135c63d32a5dad2ca14c3ff3189ab7368adf2 100644 (file)
@@ -151,16 +151,16 @@ font.
     # Note 1: commands are specified after a TAB character.
     # Note 2: use postalias(1) for local aliases, postmap(1) for the rest.
     aliases.db: aliases.in
-        postalias aliases.in
-        mv aliases.in.db aliases.db
+            postalias aliases.in
+            mv aliases.in.db aliases.db
 
     access.db: access.in
-        postmap access.in
-        mv access.in.db access.db
+            postmap access.in
+            mv access.in.db access.db
 
     virtual.db: virtual.in
-        postmap virtual.in
-        mv virtual.in.db virtual.db
+            postmap virtual.in
+            mv virtual.in.db virtual.db
 
     ...etcetera...
     # v\bvi\bi a\bac\bcc\bce\bes\bss\bs.\b.i\bin\bn
index 9d2c82e774a468b96d3cd678bd268b76e32cebe9..6e2fb48c56473cea1e2ab010fcf9884616b8ca50 100644 (file)
@@ -157,13 +157,13 @@ submission null client:
         # a template file. The build process expands the template into
         # "mtaadmin+root=mta1"
         #
-        root            mtaadmin+root=mta1
+        root        mtaadmin+root=mta1
 
     /etc/postfix/virtual:
         # Caretaker aliases:
         #
-        root            mtaadmin
-        postmaster      root
+        root        mtaadmin
+        postmaster  root
 
 You would typically also add a Makefile, to automatically run postmap(1)
 commands when source files change. This Makefile also creates a "generic"
@@ -175,13 +175,13 @@ database when none exists.
         all: virtual.cdb generic.cdb
 
         generic: Makefile
-            @echo Creating $@
-            @rm -f $@.tmp
-            @printf '%s\t%s+root=%s\n' root $MTAADMIN `uname -n` > $@.tmp
-            @mv $@.tmp generic
+                @echo Creating $@
+                @rm -f $@.tmp
+                @printf '%s\t%s+root=%s\n' root $MTAADMIN `uname -n` > $@.tmp
+                @mv $@.tmp generic
 
         %.cdb: %
-            postmap cdb:$<
+                postmap cdb:$<
 
 Construct the "virtual" and "generic" databases (the latter is created by
 running "make"), then start and test the null-client:
@@ -875,9 +875,9 @@ If you want to override the conventional values of the instance installation
 parameters, specify their values on the command-line:
 
     # postmulti [-I postfix-myinst] [-G mygroup] -e create \
-        "config_directory = /path/to/config_directory" \
-        "queue_directory = /path/to/queue_directory" \
-        "data_directory = /path/to/data_directory"
+            "config_directory = /path/to/config_directory" \
+            "queue_directory = /path/to/queue_directory" \
+            "data_directory = /path/to/data_directory"
 
 A note on the -\b-I\bI and -\b-G\bG options above. These are always used to assign a name
 or group name to an instance, while the -\b-i\bi and -\b-g\bg options always select
@@ -924,7 +924,7 @@ match this name if necessary):
 Otherwise, you must specify the location of its configuration directory:
 
     # postmulti [-I postfix-myinst] [-G mygroup] -e import \
-        "config_directory = /path/of/config_directory"
+            "config_directory = /path/of/config_directory"
 
 When the instance is imported, you can assign a name or a group. As with
 "create", you can control the placement of the new instance in the start order
index f4fbe8fa75ae4ea7314e4a71c8ffc6463b8ddfb9..9c78684f0bd6f34f37310c1804fae6af1c4be82b 100644 (file)
@@ -30,9 +30,9 @@ Example:
 
         smtpd_recipient_restrictions =
             permit_mynetworks
-        # reject_unauth_destination is not needed here if the mail
-        # relay policy is specified with smtpd_relay_restrictions
-        # (available with Postfix 2.10 and later).
+            # reject_unauth_destination is not needed here if the mail
+            # relay policy is specified with smtpd_relay_restrictions
+            # (available with Postfix 2.10 and later).
             reject_unauth_destination
             check_recipient_access hash:/etc/postfix/recipient_access
             ...
index 59489414c2969d3b30d4d7d01aec01c5a61bdf13..66b9b415d599dcaf5aa5a42cc234da7979dc3613 100644 (file)
@@ -846,19 +846,19 @@ authenticated SMTP clients to send mail to remote destinations. Examples:
     # preferably specified under smtpd_relay_restrictions.
     /etc/postfix/main.cf:
         smtpd_relay_restrictions =
-        permit_mynetworks
-        p\bpe\ber\brm\bmi\bit\bt_\b_s\bsa\bas\bsl\bl_\b_a\bau\but\bth\bhe\ben\bnt\bti\bic\bca\bat\bte\bed\bd
-        reject_unauth_destination
+            permit_mynetworks
+            p\bpe\ber\brm\bmi\bit\bt_\b_s\bsa\bas\bsl\bl_\b_a\bau\but\bth\bhe\ben\bnt\bti\bic\bca\bat\bte\bed\bd
+            reject_unauth_destination
 
     # Older configurations combine relay control and spam control under
     # smtpd_recipient_restrictions. To use this example with Postfix >=
     # 2.10 specify "smtpd_relay_restrictions=".
     /etc/postfix/main.cf:
         smtpd_recipient_restrictions =
-        permit_mynetworks
-        p\bpe\ber\brm\bmi\bit\bt_\b_s\bsa\bas\bsl\bl_\b_a\bau\but\bth\bhe\ben\bnt\bti\bic\bca\bat\bte\bed\bd
-        reject_unauth_destination
-        ...other rules...
+            permit_mynetworks
+            p\bpe\ber\brm\bmi\bit\bt_\b_s\bsa\bas\bsl\bl_\b_a\bau\but\bth\bhe\ben\bnt\bti\bic\bca\bat\bte\bed\bd
+            reject_unauth_destination
+            ...other rules...
 
 E\bEn\bnv\bve\bel\blo\bop\bpe\be s\bse\ben\bnd\bde\ber\br a\bad\bdd\bdr\bre\bes\bss\bs a\bau\but\bth\bho\bor\bri\biz\bza\bat\bti\bio\bon\bn
 
@@ -878,7 +878,7 @@ authenticated client is allowed to use a particular envelope sender address:
         smtpd_recipient_restrictions =
             ...
             r\bre\bej\bje\bec\bct\bt_\b_s\bse\ben\bnd\bde\ber\br_\b_l\blo\bog\bgi\bin\bn_\b_m\bmi\bis\bsm\bma\bat\btc\bch\bh
-        permit_sasl_authenticated
+            permit_sasl_authenticated
             ...
 
 The controlled_envelope_senders table specifies the binding between a sender
@@ -915,14 +915,14 @@ credentials have been compromised.
 
     /etc/postfix/main.cf:
         smtpd_recipient_restrictions =
-        permit_mynetworks
-        check_sasl_access hash:/etc/postfix/sasl_access
-        permit_sasl_authenticated
-        ...
+            permit_mynetworks
+            check_sasl_access hash:/etc/postfix/sasl_access
+            permit_sasl_authenticated
+            ...
 
     /etc/postfix/sasl_access:
          # Use this when smtpd_sasl_local_domain is empty.
-         username       HOLD
+         username   HOLD
          # Use this when smtpd_sasl_local_domain=example.com.
          username@example.com HOLD
 
index 3223d2ada5834dd20d4179dbbbf81e8ccf563109..a6f7702ffc51b861ab9f8fa9d1f2bbb37640bc5d 100644 (file)
@@ -594,10 +594,10 @@ The first approximation of the new scheduling algorithm is like this:
         if transport process limit reached continue
         foreach transport's job (in the order of the transport's job list)
         do
-        foreach job's peer (round-robin-by-destination)
-             if peer->queue->concurrency < peer->queue->window
-                 return next peer entry.
-        done
+            foreach job's peer (round-robin-by-destination)
+                 if peer->queue->concurrency < peer->queue->window
+                     return next peer entry.
+            done
         done
     done
 
index 93ea07b42cdc576c6715f2de718f145ad30c4248..4728a624d2b914426649a1808ea748946d6265dd 100644 (file)
@@ -1140,7 +1140,7 @@ the example above, we show two matching fingerprints:
         smtp_tls_fingerprint_digest = md5
 
     /etc/postfix/tls_policy:
-        example.com     fingerprint
+        example.com fingerprint
             match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
             match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
 
@@ -1753,8 +1753,8 @@ Example:
         [mail.example.org]:587  secure match=nexthop
         # Postfix 2.5 and later
         [thumb.example.org]         fingerprint
-                match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
-        match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
+            match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
+            match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
         # Postfix 2.6 and later
         example.info            may protocols=!SSLv2 ciphers=medium
     exclude=3DES
index 2444e1dd9050ea22bc6ec044b602d74ca094fa5b..6aca5f53d4b9276bba450aaa33e6b9226a8bca11 100644 (file)
@@ -554,7 +554,7 @@ pre-filter input instance include: </p>
     # Avoid splitting the envelope and scanning messages multiple times.
     # Match the re-injection server's recipient limit.
     #
-        <a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a> = 1000
+    <a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a> = 1000
 
     # Tolerate occasional high latency in the content filter.
     #
index 2b72d1b45b1376aa83c54c5a569b5387942c08e0..59bb4fbd9301c3334bd0db6719d466a7ab3219f3 100644 (file)
@@ -554,7 +554,7 @@ pre-filter input instance include: </p>
     # Avoid splitting the envelope and scanning messages multiple times.
     # Match the re-injection server's recipient limit.
     #
-       smtp_destination_recipient_limit = 1000
+    smtp_destination_recipient_limit = 1000
 
     # Tolerate occasional high latency in the content filter.
     #
index adfcf2591d4d778737c1e0b0356c7b48c792a1b6..3c039ab5d52c53a21a01010392120135aa88e183 100644 (file)
@@ -139,328 +139,328 @@ clobber:
        $(SRCTOMAN) - $? | $(AWK) | nroff -man | col -bx | uniq | sed 's/^/# /' >$@
 
 ../html/ADDRESS_CLASS_README.html: ADDRESS_CLASS_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/ADDRESS_REWRITING_README.html: ADDRESS_REWRITING_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/ADDRESS_VERIFICATION_README.html: ADDRESS_VERIFICATION_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/BACKSCATTER_README.html: BACKSCATTER_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/CDB_README.html: CDB_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/CONNECTION_CACHE_README.html: CONNECTION_CACHE_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/CONTENT_INSPECTION_README.html: CONTENT_INSPECTION_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/CYRUS_README.html: CYRUS_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/BASIC_CONFIGURATION_README.html: BASIC_CONFIGURATION_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/BUILTIN_FILTER_README.html: BUILTIN_FILTER_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/DATABASE_README.html: DATABASE_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/DB_README.html: DB_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/DEBUG_README.html: DEBUG_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/DSN_README.html: DSN_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/ETRN_README.html: ETRN_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/FILTER_README.html: FILTER_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/INSTALL.html: INSTALL.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/IPV6_README.html: IPV6_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/LDAP_README.html: LDAP_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/LINUX_README.html: LINUX_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/LOCAL_RECIPIENT_README.html: LOCAL_RECIPIENT_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/MAILDROP_README.html: MAILDROP_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/LMDB_README.html: LMDB_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/MEMCACHE_README.html: MEMCACHE_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/MILTER_README.html: MILTER_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/MULTI_INSTANCE_README.html: MULTI_INSTANCE_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/MYSQL_README.html: MYSQL_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/NFS_README.html: NFS_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/OVERVIEW.html: OVERVIEW.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/PACKAGE_README.html: PACKAGE_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/PCRE_README.html: PCRE_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/PGSQL_README.html: PGSQL_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/POSTSCREEN_README.html: POSTSCREEN_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/QMQP_README.html: QMQP_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/QSHAPE_README.html: QSHAPE_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/RESTRICTION_CLASS_README.html: RESTRICTION_CLASS_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/SASL_README.html: SASL_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/SCHEDULER_README.html: SCHEDULER_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/SMTPD_ACCESS_README.html: SMTPD_ACCESS_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/SMTPD_POLICY_README.html: SMTPD_POLICY_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/SMTPD_PROXY_README.html: SMTPD_PROXY_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/SOHO_README.html: $(MAKESOHO) $(DEPSOHO)
        $(MAKESOHO) | $(POSTLINK) | $(DETAB) >$@
 
 ../html/SQLITE_README.html: SQLITE_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/STANDARD_CONFIGURATION_README.html: STANDARD_CONFIGURATION_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/STRESS_README.html: STRESS_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/TUNING_README.html: TUNING_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/UUCP_README.html: UUCP_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/ULTRIX_README.html: ULTRIX_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/VERP_README.html: VERP_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/VIRTUAL_README.html: VIRTUAL_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/XCLIENT_README.html: XCLIENT_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/XFORWARD_README.html: XFORWARD_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/TLS_README.html: TLS_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../html/TLS_LEGACY_README.html: TLS_LEGACY_README.html
-       $(POSTLINK) $? | $(DETAB) >$@
+       $(DETAB) $? | $(POSTLINK) >$@
 
 ../README_FILES/ADDRESS_CLASS_README: ADDRESS_CLASS_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/ADDRESS_REWRITING_README: ADDRESS_REWRITING_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/ADDRESS_VERIFICATION_README: ADDRESS_VERIFICATION_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/BACKSCATTER_README: BACKSCATTER_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/BASIC_CONFIGURATION_README: BASIC_CONFIGURATION_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/BUILTIN_FILTER_README: BUILTIN_FILTER_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/CDB_README: CDB_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/CONNECTION_CACHE_README: CONNECTION_CACHE_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/CONTENT_INSPECTION_README: CONTENT_INSPECTION_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/CYRUS_README: CYRUS_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/DATABASE_README: DATABASE_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/DB_README: DB_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/DEBUG_README: DEBUG_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/DSN_README: DSN_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/ETRN_README: ETRN_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/FILTER_README: FILTER_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/INSTALL: INSTALL.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/IPV6_README: IPV6_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/LDAP_README: LDAP_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/LINUX_README: LINUX_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/LOCAL_RECIPIENT_README: LOCAL_RECIPIENT_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/MAILDROP_README: MAILDROP_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/LMDB_README: LMDB_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/MEMCACHE_README: MEMCACHE_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/MILTER_README: MILTER_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/MULTI_INSTANCE_README: MULTI_INSTANCE_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/MYSQL_README: MYSQL_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/NFS_README: NFS_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/OVERVIEW: OVERVIEW.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/PACKAGE_README: PACKAGE_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/PCRE_README: PCRE_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/PGSQL_README: PGSQL_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/POSTSCREEN_README: POSTSCREEN_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/QMQP_README: QMQP_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/QSHAPE_README: QSHAPE_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/RESTRICTION_CLASS_README: RESTRICTION_CLASS_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/SASL_README: SASL_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/SCHEDULER_README: SCHEDULER_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/SMTPD_ACCESS_README: SMTPD_ACCESS_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/SMTPD_POLICY_README: SMTPD_POLICY_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/SMTPD_PROXY_README: SMTPD_PROXY_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/SOHO_README: $(MAKESOHO) $(DEPSOHO)
        $(MAKESOHO) | $(HT2READ) | $(DETAB) >$@
 
 ../README_FILES/SQLITE_README: SQLITE_README.html
-       $(HT2READ) $? | $(DETAB) >$@ 
+       $(DETAB) $? | $(HT2READ) >$@ 
 
 ../README_FILES/STANDARD_CONFIGURATION_README: STANDARD_CONFIGURATION_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/STRESS_README: STRESS_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/TUNING_README: TUNING_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/UUCP_README: UUCP_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/ULTRIX_README: ULTRIX_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/VERP_README: VERP_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/VIRTUAL_README: VIRTUAL_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/XCLIENT_README: XCLIENT_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/XFORWARD_README: XFORWARD_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/TLS_README: TLS_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/TLS_LEGACY_README: TLS_LEGACY_README.html
-       $(HT2READ) $? | $(DETAB) >$@
+       $(DETAB) $? | $(HT2READ) >$@
 
 ../README_FILES/AAAREADME: ../html/index.html $(MAKEAAA)
        $(MAKEAAA) ../html/index.html | $(HT2READ) | $(DETAB) >$@
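Review bot: Three rules in this hunk still run `$(DETAB)` as the last pipeline stage: `../html/SOHO_README.html`, `../README_FILES/SOHO_README` and `../README_FILES/AAAREADME`. Every rule the hunk changes now expands TABs before `$(POSTLINK)` or `$(HT2READ)` instead. If the reordering is needed so that TAB stops are computed on the unconverted proto text, these three presumably keep the old misalignment; `$(MAKESOHO) | $(DETAB) | $(HT2READ) >$@` (and the `$(POSTLINK)` and `$(MAKEAAA)` equivalents) would bring them in line. If they are left alone on purpose because their input is generated, a one-line comment above each rule saying so would stop a later "cleanup" from changing them.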
@@ -468,8 +468,8 @@ clobber:
 ../man/man5/postconf.5: postconf.man.prolog postconf.proto postconf.man.epilog \
        ../mantools/xpostconf ../mantools/postconf2html ../mantools/postconf2man
        (cat postconf.man.prolog; ../mantools/xpostconf postconf.proto | \
-           ../mantools/postconf2html | ../mantools/postconf2man | \
-               sed 's/\\e&/\\\&/'; cat postconf.man.epilog ) | $(DETAB) > $@
+           $(DETAB) | ../mantools/postconf2html | ../mantools/postconf2man | \
+               sed 's/\\e&/\\\&/'; cat postconf.man.epilog ) > $@
 
 ../html/postconf.5.html: postconf.html.prolog postconf.proto \
        postconf.html.epilog ../mantools/xpostconf ../mantools/postconf2html \
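Review bot: `postconf.man.prolog` and `postconf.man.epilog` no longer pass through `$(DETAB)` in the `../man/man5/postconf.5` rule. The filter now sits inside the pipeline fed by `../mantools/xpostconf postconf.proto`, and the two `cat` commands are outside it. Whether those two files contain TAB characters is not visible here; if they do, the TABs now reach the generated manual page unexpanded. A short comment in the rule stating that only `postconf.proto` needs expansion would record the intent.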
index 04ddb62aa748105cea0f7e72ca67a5507e6990a3..d4dbebdc1cab487d1fc475ba5922df5556d8972e 100644 (file)
@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE      "20131103"
+#define MAIL_RELEASE_DATE      "20131104"
 #define MAIL_VERSION_NUMBER    "2.11"
 
 #ifdef SNAPSHOT
index 430c156417d989e1744cd5d1b14812d9fd57b8a7..fd535153471e739f202cbfe7cd9909e4d76f9505 100644 (file)
@@ -290,6 +290,7 @@ static void postalias(char *map_type, char *path_name, int postalias_flags,
        if ((source_fp = vstream_fopen(path_name, O_RDONLY, 0)) == 0)
            msg_fatal("open %s: %m", path_name);
     }
+    dict_flags |= DICT_FLAG_WORLD_READ;
     if (fstat(vstream_fileno(source_fp), &st) < 0)
        msg_fatal("fstat %s: %m", path_name);
 
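Review bot: The added `dict_flags |= DICT_FLAG_WORLD_READ;` has no comment, so nothing at this call site says why the table builder forces the flag regardless of what the caller passed in. The reason is security-relevant and currently lives only in HISTORY and util/dict_lmdb.c. I would put it next to the code, for example `/* Table is written by a privileged user and read by others: tell the dict layer that writer != reader. */`. The same uncommented line is added to postmap() in postfix/src/postmap/postmap.c. Both function bodies start and end outside their hunks.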
index e10ac166976467a1993e02631cc1e18c8ee4d7d4..26348041ef03e9b2db8b2e1def14795634f0f899 100644 (file)
@@ -353,6 +353,7 @@ static void postmap(char *map_type, char *path_name, int postmap_flags,
        if ((source_fp = vstream_fopen(path_name, O_RDONLY, 0)) == 0)
            msg_fatal("open %s: %m", path_name);
     }
+    dict_flags |= DICT_FLAG_WORLD_READ;
     if (fstat(vstream_fileno(source_fp), &st) < 0)
        msg_fatal("fstat %s: %m", path_name);
 
index 3c4a9b1b83f3b87de85c6bb3a3f17f0dd0ddc94b..e1e11cf4dbab6a8ac96db69394c849df9beb325d 100644 (file)
@@ -590,6 +590,7 @@ static const NAME_MASK dict_mask[] = {
     "fold_mul", DICT_FLAG_FOLD_MUL,    /* case-fold with multi-case key map */
     "open_lock", DICT_FLAG_OPEN_LOCK,  /* permanent lock upon open */
     "bulk_update", DICT_FLAG_BULK_UPDATE,      /* bulk update if supported */
+    "world_read", DICT_FLAG_WORLD_READ,        /* assume writer != reader */
     0,
 };
 
index d255aac3b0ade884fba414f75860197617d996d1..c8564f6bd8a311f2cec4de37369a09293d23b044 100644 (file)
@@ -96,6 +96,7 @@ extern DICT *dict_debug(DICT *);
 #define DICT_FLAG_FOLD_ANY     (DICT_FLAG_FOLD_FIX | DICT_FLAG_FOLD_MUL)
 #define DICT_FLAG_OPEN_LOCK    (1<<16) /* perm lock if not multi-writer safe */
 #define DICT_FLAG_BULK_UPDATE  (1<<17) /* optimize for bulk updates */
+#define DICT_FLAG_WORLD_READ   (1<<18) /* assume writer != reader */
 
  /* IMPORTANT: Update the dict_mask[] table when the above changes */
 
index aa6836042f908cbfe400ecab40d3dec17a0b45a5..2bc032107635704a78c98f173426f4f070bc1a61 100644 (file)
@@ -551,35 +551,45 @@ DICT   *dict_lmdb_open(const char *path, int open_flags, int dict_flags)
     mdb_path = concatenate(path, "." DICT_TYPE_LMDB, (char *) 0);
 
     /*
-     * Security violation.
-     * 
-     * By default, LMDB 0.9.9 writes uninitialized heap memory to a
-     * world-readable database file. This is a basic memory disclosure
-     * vulnerability: memory content that a program does not intend to share
-     * ends up in a world-readable file. The content of uninitialized heap
-     * memory depends on program execution history. That history includes
-     * code execution in other libraries that are linked into the program.
-     * 
-     * As a workaround we turn on MDB_WRITEMAP which disables the use of
-     * malloc() in LMDB. However, that does not address several disclosures
-     * of stack memory.
+     * Impedance adapters.
      */
     mdb_flags = MDB_NOSUBDIR | MDB_NOLOCK;
     if (open_flags == O_RDONLY)
        mdb_flags |= MDB_RDONLY;
 
-    /*
-     * Replace with MDB_VERSION_FULL < MDB_VERINT(X, Y, Z) after this is
-     * fixed up-stream.
-     */
-#if 1
-    mdb_flags |= MDB_WRITEMAP;
-#endif
-
     slmdb_flags = 0;
     if (dict_flags & DICT_FLAG_BULK_UPDATE)
        slmdb_flags |= SLMDB_FLAG_BULK;
 
+    /*
+     * Security violation.
+     * 
+     * By default, LMDB 0.9.9 writes uninitialized heap memory to a
+     * world-readable database file, as chunks of up to 4096 bytes. This is a
+     * gross memory disclosure vulnerability: memory content that a program
+     * does not intend to share ends up in a world-readable file. The content
+     * of uninitialized heap memory depends on program execution history.
+     * That history includes code execution in other libraries that are
+     * linked into the program.
+     * 
+     * This is a problem whenever the user who writes the database file differs
+     * from the user who reads the database file. For example, a privileged
+     * writer and an unprivileged reader. In the case of Postfix, the
+     * postmap(1) and postalias(1) commands would leak uninitialized heap
+     * memory, as chunks of up to 4096 bytes, from a root-privileged process
+     * that writes to a database file, to unprivileged processes that read
+     * from that database file.
+     * 
+     * As a workaround the postmap(1) and postalias(1) commands turn on
+     * MDB_WRITEMAP which disables the use of malloc() in LMDB. However, that
+     * does not address several disclosures of stack memory. Other Postfix
+     * databases do not need this workaround: those databases are maintained
+     * by Postfix daemon processes, and are accessible only by the postfix
+     * user.
+     */
+    if (dict_flags & DICT_FLAG_WORLD_READ)
+       mdb_flags |= MDB_WRITEMAP;
+
     /*
      * Gracefully handle most database open errors.
      */
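Review bot: The MDB_WRITEMAP workaround at `if (dict_flags & DICT_FLAG_WORLD_READ)` is now opt-in, so a writer that omits the flag falls back to the LMDB behaviour that the comment itself describes as disclosing heap memory. The comment's statement that other databases are accessible only by the postfix user rests on file ownership and mode, which nothing in this hunk checks. I would state the contract next to the test, `/* Callers that create a file readable by other users MUST set DICT_FLAG_WORLD_READ. */`, so that a future caller creating a shared file does not silently lose the workaround. dict_lmdb_open() starts and ends outside the hunk.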
index aee1f8ddd9de04aaa9fd71dc6ee7272b3d2e922a..a8b5a0a7243bc7ac887b3274452cf871e1f84d42 100644 (file)
 /*     Enable preliminary code for bulk-mode database updates.
 /*     The caller must create an exception handler with dict_jmp_alloc()
 /*     and must trap exceptions from the database client with dict_setjmp().
+/* .IP DICT_FLAG_WORLD_READ
+/*     Assume that the database file will be read by users other
+/*     than the writer.
 /* .IP DICT_FLAG_DEBUG
 /*     Enable additional logging.
 /* .PP
index a471c5c0b898b14c3ad21dfb74141555daaf5140..5a038620e2e18700309c47b9ba1552c8638f92d7 100644 (file)
@@ -295,9 +295,11 @@ static int slmdb_recover(SLMDB *slmdb, int status)
     MDB_envinfo info;
 
     /*
-     * Limit the number of recovery attempts per slmdb(3) API request.
+     * Recover bulk transactions only if they can be restarted. Limit
+     * the number of recovery attempts per slmdb(3) API request.
      */
-    if ((slmdb->api_retry_count += 1) >= slmdb->api_retry_limit)
+    if ((slmdb->txn != 0 && slmdb->longjmp_fn == 0)
+       || ((slmdb->api_retry_count += 1) >= slmdb->api_retry_limit))
        return (status);
 
     /*
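Review bot: The new test folds a guard and a counter update into one `||`, so `api_retry_count` is incremented only when the first clause is false, which is easy to miss. Two statements read more plainly: `if (slmdb->txn != 0 && slmdb->longjmp_fn == 0) return (status);` followed by `if ((slmdb->api_retry_count += 1) >= slmdb->api_retry_limit) return (status);`. The comment could also say that a non-null `txn` is taken to mean a bulk transaction in progress and that `longjmp_fn` is what lets it restart; that is my reading of the condition, not something the hunk states. slmdb_recover() continues outside the hunk.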