postfix-2.10.4 v2.10.4
authorWietse Venema <wietse@porcupine.org>
Mon, 13 Oct 2014 05:00:00 +0000 (00:00 -0500)
committerViktor Dukhovni <postfix-users@dukhovni.org>
Tue, 14 Oct 2014 03:54:37 +0000 (23:54 -0400)
postfix/HISTORY
postfix/makedefs
postfix/src/global/mail_version.h
postfix/src/qmqpd/qmqpd.c
postfix/src/smtpd/smtpd.c
postfix/src/smtpd/smtpd_check.c
postfix/src/tls/tls_client.c

index 2111c8a49e75a7e6b2a19f49eff5f012d3c5b74f..6f7d6027f8e0b0027ce09e4c1c47843e4966111a 100644 (file)
@@ -18339,3 +18339,41 @@ Apologies for any names omitted.
 20140104
 
        Bugfix: malformed error message. File: conf/post-install.
+
+20140116
+
+       Workaround: prepend "-I. -I../../include" to CCARGS, to
+       avoid name clashes with non-Postfix header files. File:
+       makedefs.
+
+20140223
+
+       Logging: the TLS client logged that an "Untrusted" TLS
+       connection was established instead of "Anonymous".  Viktor
+       Dukhovni. File: tls/tls_client.c.
+
+20140619
+
+       Bugfix (introduced: 2001): qmqpd null pointer bug when it
+       logs a lost connection while not in a mail transaction.
+       Reported by Michal Adamek. File: qmqpd/qmqpd.c.
+
+20140920
+
+       Bugfix (introduced: 20080212): incorrect client name in
+       reject messages from check_reverse_client_hostname_access
+       and check_reverse_client_hostname_{mx,ns}_access.  They
+       replied with the verified client name, instead of the name
+       that was rejected.  Problem reported by Reindl Harald. File:
+       smtpd/smtpd_check.c.
+
+20141012
+
+       Bugfix (introduced: Postfix 2.3): the PREPEND access/policy
+       action added headers ABOVE Postfix's own Received: header,
+       exposing Postfix's own Received: header to Milters (protocol
+       violation) and hiding the PREPENDed header from Milters.
+       The latter caused problems for DMARC implementations with
+       SPF policy plus DKIM Milter.  PREPENDed headers are now
+       added BELOW Postfix's own Received: header and remain visible
+       to Milters. File: smtpd/smtpd.c.
index 93b59497ce15804a8a8b0effa11f4c6701112be9..79e32af92257d59922daca8b8f716ce8dae059f1 100644 (file)
@@ -670,6 +670,9 @@ export SYSTYPE AR ARFL RANLIB SYSLIBS CC OPT DEBUG AWK OPTS
 # needed before the code stabilizes.
 #CCARGS="$CCARGS -DNONPROD"
 
+# Workaround.
+CCARGS="-I. -I../../include $CCARGS"
+
 sed 's/  / /g' <<EOF
 SYSTYPE        = $SYSTYPE
 AR     = $AR
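Review bot: The added comment `# Workaround.` above the `CCARGS=` line does not say what is being worked around, so a later maintainer cannot tell whether the line is still needed. Going by the HISTORY entry in this commit, suggest `# Workaround: search Postfix's own include directories first, to avoid name clashes with non-Postfix header files.` Because the two `-I` options are prepended, they take precedence over any include paths the builder already supplied in CCARGS; that ordering is the point of the change and is worth stating in the comment.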
index bee76810d1b8d2fc7af39986ac2b751d1f15ebd3..7ca6886f32d5af2056039324d9ac84907c53de8d 100644 (file)
@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE      "20140116"
-#define MAIL_VERSION_NUMBER    "2.10.3"
+#define MAIL_RELEASE_DATE      "20141013"
+#define MAIL_VERSION_NUMBER    "2.10.4"
 
 #ifdef SNAPSHOT
 # define MAIL_VERSION_DATE     "-" MAIL_RELEASE_DATE
index c720704f22fe19ad73dbf59aa1c4e054e33c6afa..6b8f4f610610692c34c4068a0b4b3ee7d289e26a 100644 (file)
@@ -706,7 +706,8 @@ static void qmqpd_proto(QMQPD_STATE *state)
      */
     if (state->reason && state->where)
        msg_info("%s: %s: %s while %s",
-             state->queue_id, state->namaddr, state->reason, state->where);
+                state->queue_id ? state->queue_id : "NOQUEUE",
+                state->namaddr, state->reason, state->where);
 }
 
 /* qmqpd_service - service one client */
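Review bot: The `"NOQUEUE"` fallback in the `msg_info()` call has no comment explaining when `state->queue_id` is null, and only some of the other `%s` arguments are visibly guarded. `state->reason` and `state->where` are tested by the `if` above, but `state->namaddr` is passed unchecked; it is presumably always set before qmqpd_proto() runs, which cannot be confirmed from this hunk. Suggest a comment before the call such as `/* queue_id is null when the connection is lost outside a mail transaction. */`. The body of qmqpd_proto() begins outside the hunk.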
index 8cf16913184a9637ea6c0268104da7f949c2329a..37aa2704dd993019b4eec169193c0159896fa001 100644 (file)
@@ -2980,13 +2980,6 @@ static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
        rec_fputs(state->cleanup, REC_TYPE_MESG, "");
     }
 
-    /*
-     * PREPEND message headers.
-     */
-    if (state->prepend)
-       for (cpp = state->prepend->argv; *cpp; cpp++)
-           out_fprintf(out_stream, REC_TYPE_NORM, "%s", *cpp);
-
     /*
      * Suppress our own Received: header in the unlikely case that we are an
      * intermediate proxy.
@@ -3076,6 +3069,18 @@ static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
                    "\t(envelope-from %s)", STR(state->buffer));
 #endif
     }
+
+    /*
+     * PREPEND message headers below our own Received: header. According
+     * https://www.milter.org/developers/api/smfi_insheader, Milters see only
+     * headers that have been sent by the SMTP client and those header
+     * modifications by earlier filters. Based on this we allow Milters to
+     * see headers added by access map or by policy service.
+     */
+    if (state->prepend)
+       for (cpp = state->prepend->argv; *cpp; cpp++)
+           out_fprintf(out_stream, REC_TYPE_NORM, "%s", *cpp);
+
     smtpd_chat_reply(state, "354 End data with <CR><LF>.<CR><LF>");
     state->where = SMTPD_AFTER_DATA;
 
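Review bot: The new comment's second sentence begins `According https://www.milter.org/...`; it is missing "to", and it rests the ordering rationale on an external URL that may not stay reachable. Suggest opening that sentence with `According to the smfi_insheader documentation (https://www.milter.org/developers/api/smfi_insheader), Milters see only` and leaving the rest of the comment as it is. Each `state->prepend` entry is written verbatim as a `REC_TYPE_NORM` record and is now visible to Milters, so any check that an entry is a well-formed header has to happen where the list is built, which is outside this hunk. data_cmd() starts and ends outside the hunk.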
index 52ebc66c1171a6a73f889907fa547eb10af4ded1..44d59d01084a36d221c2d5396769f972e86f640f 100644 (file)
@@ -3820,7 +3820,7 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
                                         SMTPD_NAME_CLIENT, def_acl);
        } else if (is_map_command(state, name, CHECK_REVERSE_CLIENT_ACL, &cpp)) {
            status = check_namadr_access(state, *cpp, state->reverse_name, state->addr,
-                                        FULL, &found, state->namaddr,
+                                        FULL, &found, state->reverse_name,
                                         SMTPD_NAME_REV_CLIENT, def_acl);
            forbid_whitelist(state, name, status, state->reverse_name);
        } else if (strcasecmp(name, REJECT_MAPS_RBL) == 0) {
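Review bot: `state->reverse_name` is now the name reported in the reject reply for CHECK_REVERSE_CLIENT_ACL here, and for the NS and MX variants in the next hunk, but nothing at the call sites says that this name differs from the verified client name. Per the HISTORY entry it is the name that was matched rather than the verified one, so it presumably comes from a reverse lookup that the client's DNS operator controls. Reply and log text built from it should be treated as untrusted input; whatever sanitising applies happens outside these hunks. Suggest a comment above the first call such as `/* Report the reverse name that was matched, not the verified client name. */`. generic_checks() starts and ends outside both hunks.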
@@ -3895,14 +3895,14 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
        } else if (is_map_command(state, name, CHECK_REVERSE_CLIENT_NS_ACL, &cpp)) {
            if (strcasecmp(state->reverse_name, "unknown") != 0) {
                status = check_server_access(state, *cpp, state->reverse_name,
-                                            T_NS, state->namaddr,
+                                            T_NS, state->reverse_name,
                                             SMTPD_NAME_REV_CLIENT, def_acl);
                forbid_whitelist(state, name, status, state->reverse_name);
            }
        } else if (is_map_command(state, name, CHECK_REVERSE_CLIENT_MX_ACL, &cpp)) {
            if (strcasecmp(state->reverse_name, "unknown") != 0) {
                status = check_server_access(state, *cpp, state->reverse_name,
-                                            T_MX, state->namaddr,
+                                            T_MX, state->reverse_name,
                                             SMTPD_NAME_REV_CLIENT, def_acl);
                forbid_whitelist(state, name, status, state->reverse_name);
            }
index 1a1e305cfa5096df419a80c7d455c198f6e1c390..d78bac356f7c3b16a40e7884e6f58d1ef1e09b32 100644 (file)
@@ -1044,7 +1044,9 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props)
      */
     if (log_mask & TLS_LOG_SUMMARY)
        msg_info("%s TLS connection established to %s: %s with cipher %s "
-             "(%d/%d bits)", TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" :
+                "(%d/%d bits)",
+                !TLS_CERT_IS_PRESENT(TLScontext) ? "Anonymous" :
+                TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" :
                 TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : "Untrusted",
              props->namaddr, TLScontext->protocol, TLScontext->cipher_name,
                 TLScontext->cipher_usebits, TLScontext->cipher_algbits);
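Review bot: The three-level conditional inside the `msg_info()` argument list depends on `!TLS_CERT_IS_PRESENT(TLScontext)` being tested first, and nothing records why. Operators read this summary line to audit the security level of outbound TLS, so the distinction between no peer certificate and an untrusted one should be explicit. Suggest a comment above the call such as `/* No peer certificate: report Anonymous, not Untrusted. */`. Hoisting the label into a local `const char *` before the call would also make the evaluation order easier to check. tls_client_start() begins outside the hunk.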