postfix-3.2.0-RC1

diff --git a/postfix/HISTORY b/postfix/HISTORY
index 159afb167d506d6e140231828a08f5a41942b2f5..a05d6f1542c2eef996fe399fc1e904841ec6e02d 100644 (file)
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -22923,6 +22923,18 @@ Apologies for any names omitted.
 
 20170206
 
-       Bugfix (introduced: Postfix 2.2): check_mumble_a_access
-       did not handle [ipaddress], unlike check_mumble_mx_access. 
-       Reported by James (postfix_tracker). File: smtpd/smtpd_check.c.
+       Bugfix (introduced: Postfix 3.0): when check_mumble_a_access
+       did not handle [ipaddress], unlike check_mumble_mx_access.
+       When check_mumble_a_access was introduced, some condition
+       was not updated.  Reported by James (postfix_tracker). File:
+       smtpd/smtpd_check.c.
+
+20170207
+
+       Cleanup: rephrased the precondition paranoia. File:
+       global/mail_conf.c.
+
+20170211
+
+       Cleanup: rephrased the precondition for paranoia. File:
+       util/unsafe.c.

diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES
index 83ed6c261cf9e86054dcccd63d1aac6e986fe998..876d4b7a3627b0f70f9dbc4a6139e1fdd8694077 100644 (file)
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@@ -1,12 +1,12 @@
-This is the Postfix 3.2 (experimental) release.
+This is the Postfix 3.2 (stable) release.
 
-The stable Postfix release is called postfix-3.1.x where 3=major
-release number, 1=minor release number, x=patchlevel.  The stable
+The stable Postfix release is called postfix-3.2.x where 3=major
+release number, 2=minor release number, x=patchlevel.  The stable
 release never changes except for patches that address bugs or
 emergencies. Patches change the patchlevel and the release date.
 
 New features are developed in snapshot releases. These are called
-postfix-3.2-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+postfix-3.3-yyyymmdd where yyyymmdd is the release date (yyyy=year,
 mm=month, dd=day).  Patches are never issued for snapshot releases;
 instead, a new snapshot is released.
 
@@ -16,106 +16,165 @@ specifies the release date of a stable release or snapshot release.
 If you upgrade from Postfix 3.0 or earlier, read RELEASE_NOTES-3.1
 before proceeding.
 
-Incompatible changes with snapshot 20161227
-===========================================
+Invisible changes
+-----------------
+
+In addition to the visible changes described below, there is an
+ongoing overhaul of low-level code. With each change come updated
+tests to ensure that future changes will not 'break' compatibility
+with past behavior.
+
+Major changes - address mapping
+-------------------------------
+
+[Feature 20170128] Postfix 3.2 fixes the handling of address
+extensions with email addresses that contain spaces. For example,
+the virtual_alias_maps, canonical_maps, and smtp_generic_maps
+features now correctly propagate an address extension from "aa
+bb+ext"@example.com to "cc dd+ext"@other.example, instead of
+producing broken output.
+
+Major changes - header/body_checks
+----------------------------------
+
+[Feature 20161008] "PASS" and "STRIP" actions in header/body_checks.
+"STRIP" is similar to "IGNORE" but also logs the action, and "PASS"
+disables header, body, and Milter inspection for the remainder of
+the message content.  Contributed by Hobbit.
+
+Major changes - log analysis
+----------------------------
+
+[Feature 20160330] The collate.pl script by Viktor Dukhovni for
+grouping Postfix logfile records into "sessions" based on queue ID
+and process ID information. It's in the auxiliary/collate directory
+of the Postfix source tree.
+
+Major changes - maps support
+----------------------------
+
+[Feature 20160527] Postfix 3.2 cidr tables support if/endif and
+negation (by prepending ! to a pattern), just like regexp and pcre
+tables.  The primarily purpose is to improve readability of complex
+tables. See the cidr_table(5) manpage for syntax details.
+
+[Incompat 20160925] In the Postfix MySQL database client, the default
+option_group value has changed to "client", to enable reading of
+"client" option group settings in the MySQL options file. This fixes
+a "not found" problem with Postfix queries that contain UTF8-encoded
+non-ASCII text.  Specify an empty option_group value (option_group
+=) to get backwards-compatible behavior.
+
+[Feature 20161217] Stored-procedure support for MySQL databases.
+Contributed by John Fawcett. See mysql_table(5) for instructions.
+
+[Feature 20170128] The postmap command, and the inline: and texthash:
+maps now support spaces in left-hand field of the lookup table
+"source text". Use double quotes (") around a left-hand field that
+contains spaces, and use backslash (\) to protect embedded quotes
+in a left-hand field. There is no change in the processing of the
+right-hand field.
+
+Major changes - milter support
+------------------------------
+
+[Feature 20160611] The Postfix SMTP server local IP address and
+port are available in the policy delegation protocol (attribute
+names: server_address, server_port), in the Milter protocol (macro
+names: {daemon_addr}, {daemon_port}), and in the XCLIENT protocol
+(attribute names: DESTADDR, DESTPORT).
+
+[Feature 20161024] smtpd_milter_maps support for per-client Milter
+configuration that overrides smtpd_milters, and that has the same
+syntax. A lookup result of "DISABLE" turns off Milter support. See
+MILTER_README.html for details.
+
+Major changes - policy delegation
+---------------------------------
+
+[Feature 20160611] The Postfix SMTP server local IP address and
+port are available in the policy delegation protocol (attribute
+names: server_address, server_port), in the Milter protocol (macro
+names: {daemon_addr}, {daemon_port}), and in the XCLIENT protocol
+(attribute names: DESTADDR, DESTPORT).
+
+Major changes - postqueue
+-------------------------
+
+[Incompat 20170129] The postqueue command no longer forces all
+message arrival times to be reported in UTC. To get the old behavior,
+set TZ=UTC in main.cf:import_environment (this override is not
+recommended, as it affects all Postfix utities and daemons).
+
+Major changes - safety
+----------------------
+
+[Incompat 20161227] For safety reasons, the sendmail -C option must
+specify an authorized directory: the default configuration directory,
+a directory that is listed in the default main.cf file with
+alternate_config_directories or multi_instance_directories, or the
+command must be invoked with root privileges (UID 0 and EUID 0).
+This mitigates a recurring problem with the PHP mail() function.
+
+Major changes - sasl
+--------------------
+
+[Feature 20160625] The Postfix SMTP server now passes remote client
+and local server network address and port information to the Cyrus
+SASL library. Build with ``make makefiles "CCARGS=$CCARGS
+-DNO_IP_CYRUS_SASL_AUTH"'' for backwards compatibility.
+
+Major changes - smtputf8
+------------------------
+
+[Feature 20161103] Postfix 3.2 disables the 'transitional' compatibility
+between the IDNA2003 and IDNA2008 standards for internationalized
+domain names (domain names beyond the limits of US-ASCII).
+
+This change makes Postfix behavior consistent with contemporary web
+browsers. It affects the handling of some corner cases such as
+German sz and Greek zeta. See http://unicode.org/cldr/utility/idna.jsp
+for more examples.
+
+Specify "enable_idna2003_compatibility = yes" to restore historical
+behavior (but keep in mind that the rest of the world may not make
+that same choice).
+
+Major changes - tls
+-------------------
+
+[Feature 20160828] Fixes for deprecated OpenSSL 1.1.0 API features,
+so that Postfix will build without depending on backwards-compatibility
+support.
+
+[Incompat 20161204] Postfix 3.2 removes tentative features that
+were implemented before the DANE spec was finalized:
 
-For safety reasons, the sendmail -C option must specify an authorized
-directory: the default configuration directory, a directory that
-is listed in the default main.cf file with alternate_config_directories
-or multi_instance_directories, or the command must be invoked with
-root privileges.  This mitigates a problem with the PHP mail()
-function.
+- Support for certificate usage PKIX-EE(1),
+
+- The ability to disable digest agility (Postfix now behaves as if
+  "tls_dane_digest_agility = on"), and
 
-Major changes with snapshot 20161227
-====================================
-
-Support to negotiate Elliptic curves with OpenSSL 1.0.2 or later
-(on platforms where EC algorithms have not been disabled by the
-vendor).  See TLS_README for details. In summary, this changes the
-default smtpd_tls_eecdh_grade setting to "auto", and introduces a
-new parameter tls_eecdh_auto_curves with the names of curves that
-may be negotiated.  The default tls_eecdh_auto_curves setting is
-determined at compile time, and depends on the Postfix and OpenSSL
-versions.  At runtime, Postfix will skip curve names that aren't
-supported by the OpenSSL library.
-
-The MySQL client now has support for stored procedures. See the
-mysql_table(5) manpage for details.
+- The ability to disable support for "TLSA 2 [01] [12]" records
+  that specify the digest of a trust anchor (Postfix now behaves
+  as if "tls_dane_trust_anchor_digest_enable = yes).
 
-Incompatible changes with snapshot 20161204
-===========================================
+[Feature 20161217] Postfix 3.2 enables elliptic curve negotiation
+with OpenSSL >= 1.0.2.  This changes the default smtpd_tls_eecdh_grade
+setting to "auto", and introduces a new parameter tls_eecdh_auto_curves
+with the names of curves that may be negotiated.
 
-Postfix 3.2 removes tentative features that were implemented
-before the DANE spec was finalized:
+The default tls_eecdh_auto_curves setting is determined at compile
+time, and depends on the Postfix and OpenSSL versions.  At runtime,
+Postfix will skip curve names that aren't supported by the OpenSSL
+library.
 
-- Support for certificate usage PKIX-EE(1), 
+Major changes - xclient
+-----------------------
 
-- The ability to disable digest agility. Postfix 3.2 always behaves
-  as if "tls_dane_digest_agility = on.
+[Feature 20160611] The Postfix SMTP server local IP address and
+port are available in the policy delegation protocol (attribute
+names: server_address, server_port), in the Milter protocol (macro
+names: {daemon_addr}, {daemon_port}), and in the XCLIENT protocol
+(attribute names: DESTADDR, DESTPORT).
 
-- The ability to disable support for "TLSA 2 [01] [12]" records
-  that specify the digest of a trust anchor. Postfix 3.2 always
-  behaves as if "tls_dane_trust_anchor_digest_enable = yes".
-
-Incompatible changes with snapshot 20161103
-===========================================
-
-Postfix 3.2 by default disables the 'transitional' compatibility
-between IDNA2003 and IDNA2008, when converting UTF-8 domain names
-to/from the ASCII form that is used in DNS lookups.  This makes
-Postfix behavior consistent with current versions of the Firefox
-and Chrome web browsers. Specify "enable_idna2003_compatibility =
-yes" for historical behavior.
-
-This affects the conversion of, for example, the German sz and the
-Greek zeta. See http://unicode.org/cldr/utility/idna.jsp for more
-examples.
-
-Major changes with snapshot 20161031
-====================================
-
-The smtpd_milter_maps feature supports per-client Milter configuration.
-This overrides the global smtpd_milters setting and has the same syntax. A
-lookup result of "DISABLE" turns off Milter support.
-
-Incompatible changes with snapshot 20160925
-===========================================
-
-In the Postfix MySQL database client, the default option_group value
-has changed to "client", to enable reading of "client" option group
-settings in the MySQL options file. This fixes a "not found" problem
-with Postfix queries that contain UTF8-encoded non-ASCII text.
-Specify an empty option_group value (option_group =) to get
-backwards-compatible behavior.
-
-Major changes with snapshot 20160625
-====================================
-
-Support in the Postfix SMTP server for propagating the local SMTP
-server IP address and port. This affects the following Postfix
-interfaces:
-
-- Policy delegation. The server address and port are available as
-"server_address" and "server_port". See SMTPD_POLICY_README for an
-overview of available attributes.
-
-- Milter applications. The server address and port are available
-as "{daemon_addr}" and "{daemon_port}". See MILTER_README for a
-table of available attributes.
-
-- Cyrus SASL. The server address and port are now passed to the
-sasl_server_new() function as "ipaddress;port".
-
-- XCLIENT protocol. The server address and port can be specified
-as "DESTADDR" and "DESTPORT". See XCLIENT_README for a description
-of the attribute syntax. The new attributes may be of interest for
-nxginx.
-
-Major changes with snapshot 20160527
-====================================
-
-Postfix cidr tables now support if..endif, and pattern negation
-with "!", just like regexp and pcre tables. The if..endif can speed
-up lookups by skipping over irrelevant patterns, and can make rule
-maintenance easier because rules for a network can now be placed
-inside if..endif.  See the cidr_table(5) manpage for syntax details.

diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html
index 4dfd5d85428dd305850ea9afcac9e4585a9996f3..bdeffc8d58f614eefd70441475a39b0f0ef56480 100644 (file)
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@@ -784,16 +784,21 @@ cannot match Postfix access tables, because the address is ambiguous.
 <p>
 A list of non-default Postfix configuration directories that may
 be specified with "-c <a href="postconf.5.html#config_directory">config_directory</a>" on the command line (in the
-case of <a href="sendmail.1.html">sendmail(1)</a>, with "-C <a href="postconf.5.html#config_directory">config_directory</a>"), or via the MAIL_CONFIG
+case of <a href="sendmail.1.html">sendmail(1)</a>, with the "-C" option), or via the MAIL_CONFIG
 environment parameter.
 </p>
 
 <p>
-This list must be specified in the default Postfix configuration
-directory, and is used by set-gid Postfix commands such as <a href="postqueue.1.html">postqueue(1)</a>
+This list must be specified in the default Postfix <a href="postconf.5.html">main.cf</a> file,
+and will be used by set-gid Postfix commands such as <a href="postqueue.1.html">postqueue(1)</a>
 and <a href="postdrop.1.html">postdrop(1)</a>.
 </p>
 
+<p>
+Specify absolute pathnames, separated by comma or space. Note: $name
+expansion is not supported.
+</p>
+
 
 </DD>
 

diff --git a/postfix/makedefs b/postfix/makedefs
index fde0548b611e401a091812578152875f7108ea9d..7bfe82c91a93773e4917d69c1f19c9221f852ede 100644 (file)
--- a/postfix/makedefs
+++ b/postfix/makedefs
@@ -862,7 +862,7 @@ case "$CC" in
 esac
 
 # Snapshot only.
-CCARGS="$CCARGS -DSNAPSHOT"
+#CCARGS="$CCARGS -DSNAPSHOT"
 
 # Non-production: needs thorough testing, or major changes are still
 # needed before the code stabilizes.

diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5
index bbdc24eb296c6d286a0c8264b5499e153b67cf7a..ffecdf307b8ea79568aa181036fca79ab1d11123 100644 (file)
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@@ -462,12 +462,15 @@ cannot match Postfix access tables, because the address is ambiguous.
 .SH alternate_config_directories (default: empty)
 A list of non\-default Postfix configuration directories that may
 be specified with "\-c config_directory" on the command line (in the
-case of \fBsendmail\fR(1), with "\-C config_directory"), or via the MAIL_CONFIG
+case of \fBsendmail\fR(1), with the "\-C" option), or via the MAIL_CONFIG
 environment parameter.
 .PP
-This list must be specified in the default Postfix configuration
-directory, and is used by set\-gid Postfix commands such as \fBpostqueue\fR(1)
+This list must be specified in the default Postfix main.cf file,
+and will be used by set\-gid Postfix commands such as \fBpostqueue\fR(1)
 and \fBpostdrop\fR(1).
+.PP
+Specify absolute pathnames, separated by comma or space. Note: $name
+expansion is not supported.
 .SH always_add_missing_headers (default: no)
 Always add (Resent\-) From:, To:, Date: or Message\-ID: headers
 when not present.  Postfix 2.6 and later add these headers only

diff --git a/postfix/mantools/make-relnotes b/postfix/mantools/make-relnotes
index 4d07e66329c122d2bcf1da4269a5c7b73eba2f82..f5d26f37bf8842b303f0533744cf3b2ac8ca80a3 100755 (executable)
--- a/postfix/mantools/make-relnotes
+++ b/postfix/mantools/make-relnotes
@@ -3,12 +3,14 @@
 # Transform RELEASE_NOTES, split into "leader", and "major changes",
 # split into major categories, and prepend dates to paragraphs.
 #
-# Input format: the leader text is copied verbatim; each paragraph
-# starts with [class, class] where a class specifies one or more
-# categories that the change should be listed under. Adding class
-# info is the only manual processing needed to go from a RELEASE_NOTES
-# file to the transformed representation.
-# 
+# Input format: the leader text is copied verbatim; each section
+# starts with "Incompatible changes with snapshot YYYYMMDD" or "Major
+# changes with snapshot YYYYMMDD"; each paragraph starts with [class,
+# class] where a class specifies one or more categories that the
+# change should be listed under. Adding class info is the only manual
+# processing needed to go from a RELEASE_NOTES file to the transformed
+# representation.
+#
 # Output format: each category is printed with a little header and
 # each paragraph is tagged with [Incompat yyyymmdd] or with [Feature
 # yyyymmdd].

diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto
index 69c80f83bae94688c1a8ac0777a4daedd4f9a707..8394f75c6f28396198c89927a2ccdf3e7c4078fc 100644 (file)
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@@ -7126,16 +7126,21 @@ probes, and generates probes on request by other Postfix processes.
 <p>
 A list of non-default Postfix configuration directories that may
 be specified with "-c config_directory" on the command line (in the
-case of sendmail(1), with "-C config_directory"), or via the MAIL_CONFIG
+case of sendmail(1), with the "-C" option), or via the MAIL_CONFIG
 environment parameter.
 </p>
 
 <p>
-This list must be specified in the default Postfix configuration
-directory, and is used by set-gid Postfix commands such as postqueue(1)
+This list must be specified in the default Postfix main.cf file,
+and will be used by set-gid Postfix commands such as postqueue(1)
 and postdrop(1).
 </p>
 
+<p>
+Specify absolute pathnames, separated by comma or space. Note: $name
+expansion is not supported.
+</p>
+
 %PARAM append_at_myorigin yes
 
 <p>

diff --git a/postfix/src/global/mail_conf.c b/postfix/src/global/mail_conf.c
index 5ffbbf46087a958c793ab688ce7e7e30b1c15b0b..47808398bb2ad66342ac090caf9e7a38a8f71a48 100644 (file)
--- a/postfix/src/global/mail_conf.c
+++ b/postfix/src/global/mail_conf.c
@@ -31,8 +31,18 @@
 /*     const char *mail_conf_lookup_eval(name)
 /*     const char *name;
 /* DESCRIPTION
-/*     mail_conf_suck() reads the global Postfix configuration file, and
-/*     stores its values into a global configuration dictionary.
+/*     mail_conf_suck() reads the global Postfix configuration
+/*     file, and stores its values into a global configuration
+/*     dictionary. When the configuration directory name is not
+/*     trusted, this function requires that the directory name is
+/*     authorized with the alternate_config_directories setting
+/*     in the default main.cf file.
+/*
+/*     This function requires that all configuration directory
+/*     override mechanisms set the MAIL_CONFIG environment variable,
+/*     even if the override was specified via the command line.
+/*     This reduces the number of pathways that need to be checked
+/*     for possible security attacks.
 /*
 /*     mail_conf_read() invokes mail_conf_suck() and assigns the values
 /*     to global variables by calling mail_params_init().
@@ -197,8 +207,8 @@ void    mail_conf_suck(void)
     set_mail_conf_str(VAR_CONFIG_DIR, var_config_dir);
 
     /*
-     * If the configuration directory name comes from a different trust
-     * domain, require that it is listed in the default main.cf file.
+     * If the configuration directory name comes from an untrusted source,
+     * require that it is listed in the default main.cf file.
      */
     if (strcmp(var_config_dir, DEF_CONFIG_DIR) != 0    /* non-default */
        && unsafe())                            /* untrusted env and cli */

diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 4c29485267ea0ebfa1b6488abb5a5a5e5a264efd..49d7e90f61ca412fab7ed2209e1e020bdfd60317 100644 (file)
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE      "20170206"
-#define MAIL_VERSION_NUMBER    "3.2"
+#define MAIL_RELEASE_DATE      "20170212"
+#define MAIL_VERSION_NUMBER    "3.2.0-RC1"
 
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE      "-" MAIL_RELEASE_DATE

diff --git a/postfix/src/postsuper/postsuper.c b/postfix/src/postsuper/postsuper.c
index a6293de4310491de1ad89f5fd7341722abb2458c..2bad6f32084e7b30853ecbf57b05c1ae898130cf 100644 (file)
--- a/postfix/src/postsuper/postsuper.c
+++ b/postfix/src/postsuper/postsuper.c
@@ -1239,7 +1239,7 @@ int     main(int argc, char **argv)
     mail_conf_read();
     /* Enforce consistent operation of different Postfix parts. */
     import_env = mail_parm_split(VAR_IMPORT_ENVIRON, var_import_environ);
-    clean_env(import_env->argv);
+    update_env(import_env->argv);
     argv_free(import_env);
     /* Re-evaluate mail_task() after reading main.cf. */
     msg_syslog_init(mail_task(argv[0]), LOG_PID, LOG_FACILITY);

diff --git a/postfix/src/util/unsafe.c b/postfix/src/util/unsafe.c
index 47d886a4ef15cbef829c2860d48f8d1e38fcf0a0..6c0358ec792d844088af8cf61a1d2c5ca6a12d32 100644 (file)
--- a/postfix/src/util/unsafe.c
+++ b/postfix/src/util/unsafe.c
@@ -8,19 +8,20 @@
 /*
 /*     int     unsafe()
 /* DESCRIPTION
-/*     The \fBunsafe()\fR routine attempts to determine if the process runs
-/*     with any privileges that do not belong to the user. The purpose is
-/*     to make it easy to taint any user-provided data such as the current
-/*     working directory, the process environment, etcetera.
+/*     The \fBunsafe()\fR routine attempts to determine if the process
+/*     (runs with privileges or has access to information) that the
+/*     controlling user has no access to. The purpose is to prevent
+/*     misuse of privileges, including access to protected information.
 /*
-/*     On UNIX systems, the result is true when any of the following
-/*     conditions is true:
+/*     The result is always false when both of the following conditions
+/*     are true:
 /* .IP \(bu
-/*     The real UID is non-zero.
+/*     The real UID is zero.
 /* .IP \(bu
-/*     The effective UID is non-zero.
+/*     The effective UID is zero.
 /* .PP
-/*     Additionally, any of the following conditions must be true:
+/*     Otherwise, the result is true if any of the following conditions
+/*     is true:
 /* .IP \(bu
 /*     The issetuid kernel flag is non-zero (on systems that support
 /*     this concept).
@@ -28,10 +29,6 @@
 /*     The real and effective user id differ.
 /* .IP \(bu
 /*     The real and effective group id differ.
-/* .PP
-/*     Thus, when a process runs as the super-user, it is excluded
-/*     from privilege-escalation concerns, but only if both real
-/*     UID and effective UID are zero.
 /* LICENSE
 /* .ad
 /* .fi
@@ -56,10 +53,20 @@
 
 int     unsafe(void)
 {
-    return ((getuid() || geteuid())
-           && (geteuid() != getuid()
+
+    /*
+     * The super-user is trusted.
+     */
+    if (getuid() == 0 && geteuid() == 0)
+       return (0);
+
+    /*
+     * Danger: don't trust inherited process attributes, and don't leak
+     * privileged info that the parent has no access to.
+     */
+    return (geteuid() != getuid()
 #ifdef HAS_ISSETUGID
-               || issetugid()
+           || issetugid()
 #endif
-               || getgid() != getegid()));
+           || getgid() != getegid());
 }