postfix-2.8.17

diff --git a/postfix/HISTORY b/postfix/HISTORY
index cc8c363d16ed4f4ddeaa1ad07cd59d2a6a20cc5b..af48d17e617c0d01ef20939e9b505869a6c5fa18 100644 (file)
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -16938,3 +16938,36 @@ Apologies for any names omitted.
        each smtpd(8) process.  The workaround turns off session
        tickets. In 2.11 we'll enable session tickets properly.
        Viktor Dukhovni. File: tls/tls_server.c.
+
+20131026
+
+       Future proofing: API changes in the PCRE library.  File:
+       util/dict_pcre.c.
+
+20131127
+
+       Bugfix (introduced: 20090106): the postconf '-#' option
+       erased prior options. File: postconf/postconf.c.
+
+20131129
+
+       Bugfix: Makefile example in MULTI_INSTANCE_README. Viktor
+       Dukhovni. File: proto/MULTI_INSTANCE_README.html.
+
+20131216
+
+       OpenSSL future proofing: tolerate disappearance of named
+       bug-workaround bits without invalidating tls_disable_workarounds
+       configurations.  When support for a bug workaround is removed
+       from OpenSSL, the corresponding bit is defined as zero (i.e.
+       NOOP) instead of causing programs to break. Viktor Dukhovni.
+       File: tls/tls_misc.c.
+
+20131220
+
+       Documentation: typo in SASL_README. Patrick Ben Koetter.
+       File: proto/SASL_README.html.
+
+20140104
+
+       Bugfix: malformed error message. File: conf/post-install.

diff --git a/postfix/README_FILES/MULTI_INSTANCE_README b/postfix/README_FILES/MULTI_INSTANCE_README
index 3ac94733f8fc5edfdeb32ecf288a681b308be8b4..8756a9d6fb26e62a550c929ac984c12f703ff74f 100644 (file)
--- a/postfix/README_FILES/MULTI_INSTANCE_README
+++ b/postfix/README_FILES/MULTI_INSTANCE_README
@@ -177,7 +177,7 @@ database when none exists.
         generic: Makefile
            @echo Creating $@
            @rm -f $@.tmp
-           @printf '%s\t%s+root=%s\n' root $MTAADMIN `uname -n` > $@.tmp
+           @printf '%s\t%s+root=%s\n' root ${MTAADMIN} `uname -n` > $@.tmp
            @mv $@.tmp generic
 
         %.cdb: %
@@ -492,8 +492,8 @@ Shared among all instances:
     $readme_directory.
 
   * Entries in /etc/passwd and /etc/group for the $mail_owner user and
-    $setgid_group group. The the $mail_owner user provides the mail system with
-    a protected (non-root) execution context. The $setgid_group group is used
+    $setgid_group group. The $mail_owner user provides the mail system with a
+    protected (non-root) execution context. The $setgid_group group is used
     exclusively to support the setgid postdrop(1) and postqueue(1) utilities
     (it m\bmu\bus\bst\bt n\bno\bot\bt be the primary group or secondary group of any users,
     including the $mail_owner user).

diff --git a/postfix/README_FILES/SASL_README b/postfix/README_FILES/SASL_README
index 2ebd342cde3430dee644162b9a339195eb037991..3643308029c0a51298dff389582885d502c33615 100644 (file)
--- a/postfix/README_FILES/SASL_README
+++ b/postfix/README_FILES/SASL_README
@@ -444,7 +444,7 @@ to a PostgreSQL server:
         sql_user: username
         sql_passwd: secret
         sql_database: dbname
-        sql_select: SELECT password FROM users WHERE user = '%u'@'%r'
+        sql_select: SELECT password FROM users WHERE user = '%u@%r'
 
     N\bNo\bot\bte\be
 

diff --git a/postfix/conf/post-install b/postfix/conf/post-install
index 743c69db3fd12221927caa55a0227c366e87ca92..13905b93ab701491e6ab3d8ab4c06498cc2fc53a 100644 (file)
--- a/postfix/conf/post-install
+++ b/postfix/conf/post-install
@@ -464,7 +464,7 @@ test -n "$create" && {
        case $type in
        [hl]) continue;;
        [df]) ;;
-          *) echo unknown type $type for $path in $daemon_directory/postfix-files1>&2; exit 1;;
+          *) echo unknown type $type for $path in $daemon_directory/postfix-files 1>&2; exit 1;;
        esac
        # Expand $name, and canonicalize null fields.
        for name in path owner group flags

diff --git a/postfix/html/MULTI_INSTANCE_README.html b/postfix/html/MULTI_INSTANCE_README.html
index d4874bae9392b375c60241c05401eb528fd8c888..c5e5f7e1d131c49b0a1e0936b2b07ff3a1e42f74 100644 (file)
--- a/postfix/html/MULTI_INSTANCE_README.html
+++ b/postfix/html/MULTI_INSTANCE_README.html
@@ -233,7 +233,7 @@ creates a "generic" database when none exists. </p>
     generic: Makefile
            @echo Creating $@
            @rm -f $@.tmp
-           @printf '%s\t%s+root=%s\n' root $MTAADMIN `uname -n` &gt; $@.tmp
+           @printf '%s\t%s+root=%s\n' root ${MTAADMIN} `uname -n` &gt; $@.tmp
            @mv $@.tmp generic
 
     %.<a href="CDB_README.html">cdb</a>: %
@@ -620,7 +620,7 @@ $<a href="postconf.5.html#daemon_directory">daemon_directory</a>. </p>
 $<a href="postconf.5.html#manpage_directory">manpage_directory</a> and $<a href="postconf.5.html#readme_directory">readme_directory</a>. </p>
 
 <li><p> Entries in /etc/passwd and /etc/group for the $<a href="postconf.5.html#mail_owner">mail_owner</a> user and
-$<a href="postconf.5.html#setgid_group">setgid_group</a> group. The the $<a href="postconf.5.html#mail_owner">mail_owner</a> user provides the mail system
+$<a href="postconf.5.html#setgid_group">setgid_group</a> group. The $<a href="postconf.5.html#mail_owner">mail_owner</a> user provides the mail system
 with a protected (non-root) execution context. The $<a href="postconf.5.html#setgid_group">setgid_group</a> group
 is used exclusively to support the setgid <a href="postdrop.1.html">postdrop(1)</a> and <a href="postqueue.1.html">postqueue(1)</a>
 utilities (it <b>must not</b> be the primary group or secondary group

diff --git a/postfix/html/SASL_README.html b/postfix/html/SASL_README.html
index bd5fac0e41a5b63a051a0872f84d2f7ad069a6ef..e477c693b0583b8d2f824e1e432ae0729bdc94cb 100644 (file)
--- a/postfix/html/SASL_README.html
+++ b/postfix/html/SASL_README.html
@@ -739,7 +739,7 @@ and connects it to a PostgreSQL server: </p>
     sql_user: username
     sql_passwd: secret
     sql_database: dbname
-    sql_select: SELECT password FROM users WHERE user = '%u'@'%r'
+    sql_select: SELECT password FROM users WHERE user = '%u@%r'
 </pre>
 </blockquote>
 

diff --git a/postfix/proto/MULTI_INSTANCE_README.html b/postfix/proto/MULTI_INSTANCE_README.html
index 375c58cab74f643f9427e32c6c2bb07841e6a068..e6812e7b5fcb8c170924e040c3c7021416ffbfe3 100644 (file)
--- a/postfix/proto/MULTI_INSTANCE_README.html
+++ b/postfix/proto/MULTI_INSTANCE_README.html
@@ -233,7 +233,7 @@ creates a "generic" database when none exists. </p>
     generic: Makefile
            @echo Creating $@
            @rm -f $@.tmp
-           @printf '%s\t%s+root=%s\n' root $MTAADMIN `uname -n` &gt; $@.tmp
+           @printf '%s\t%s+root=%s\n' root ${MTAADMIN} `uname -n` &gt; $@.tmp
            @mv $@.tmp generic
 
     %.cdb: %
@@ -620,7 +620,7 @@ $daemon_directory. </p>
 $manpage_directory and $readme_directory. </p>
 
 <li><p> Entries in /etc/passwd and /etc/group for the $mail_owner user and
-$setgid_group group. The the $mail_owner user provides the mail system
+$setgid_group group. The $mail_owner user provides the mail system
 with a protected (non-root) execution context. The $setgid_group group
 is used exclusively to support the setgid postdrop(1) and postqueue(1)
 utilities (it <b>must not</b> be the primary group or secondary group

diff --git a/postfix/proto/SASL_README.html b/postfix/proto/SASL_README.html
index 5ab745480d08fc52f7ce026fac577f055b66c94c..e165bb5a2aec15208d67599df9136273b9eea717 100644 (file)
--- a/postfix/proto/SASL_README.html
+++ b/postfix/proto/SASL_README.html
@@ -739,7 +739,7 @@ and connects it to a PostgreSQL server: </p>
     sql_user: username
     sql_passwd: secret
     sql_database: dbname
-    sql_select: SELECT password FROM users WHERE user = '%u'@'%r'
+    sql_select: SELECT password FROM users WHERE user = '%u@%r'
 </pre>
 </blockquote>
 

diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 69a81afd33ee07d32cd337e7b5c38543093323fc..cbaa151a5c349ba963d3ab3b74917ffbf06fde23 100644 (file)
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE      "20130905"
-#define MAIL_VERSION_NUMBER    "2.8.16"
+#define MAIL_RELEASE_DATE      "20140116"
+#define MAIL_VERSION_NUMBER    "2.8.17"
 
 #ifdef SNAPSHOT
 # define MAIL_VERSION_DATE     "-" MAIL_RELEASE_DATE

diff --git a/postfix/src/postconf/postconf.c b/postfix/src/postconf/postconf.c
index 319e2ea139ef6350e7fcb7a469f166c4125704da..bd7986860cdf8ab36926be48fc934e7a8b3c5b9e 100644 (file)
--- a/postfix/src/postconf/postconf.c
+++ b/postfix/src/postconf/postconf.c
@@ -1157,7 +1157,7 @@ int     main(int argc, char **argv)
            break;
 #endif
        case '#':
-           cmd_mode = COMMENT_OUT;
+           cmd_mode |= COMMENT_OUT;
            break;
 
        case 'h':

diff --git a/postfix/src/tls/tls_misc.c b/postfix/src/tls/tls_misc.c
index 005633edf35ee4826d3bae448d7f4d194bc7a03a..8f9607970ee11d88c62bed42c1fb1ad8584b9f79 100644 (file)
--- a/postfix/src/tls/tls_misc.c
+++ b/postfix/src/tls/tls_misc.c
@@ -230,59 +230,72 @@ static const NAME_CODE protocol_table[] = {
 #define NAMEBUG(x)     #x, SSL_OP_##x
 static const LONG_NAME_MASK ssl_bug_tweaks[] = {
 
-#if defined(SSL_OP_MICROSOFT_SESS_ID_BUG)
-    NAMEBUG(MICROSOFT_SESS_ID_BUG),    /* 0x00000001L */
+#ifndef SSL_OP_MICROSOFT_SESS_ID_BUG
+#define SSL_OP_MICROSOFT_SESS_ID_BUG           0
 #endif
+    NAMEBUG(MICROSOFT_SESS_ID_BUG),
 
-#if defined(SSL_OP_NETSCAPE_CHALLENGE_BUG)
-    NAMEBUG(NETSCAPE_CHALLENGE_BUG),   /* 0x00000002L */
+#ifndef SSL_OP_NETSCAPE_CHALLENGE_BUG
+#define SSL_OP_NETSCAPE_CHALLENGE_BUG          0
 #endif
+    NAMEBUG(NETSCAPE_CHALLENGE_BUG),
 
-#if defined(SSL_OP_LEGACY_SERVER_CONNECT)
-    NAMEBUG(LEGACY_SERVER_CONNECT),    /* 0x00000004L */
+#ifndef SSL_OP_LEGACY_SERVER_CONNECT
+#define SSL_OP_LEGACY_SERVER_CONNECT           0
 #endif
+    NAMEBUG(LEGACY_SERVER_CONNECT),
 
-#if defined(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)
-    NAMEBUG(NETSCAPE_REUSE_CIPHER_CHANGE_BUG), /* 0x00000008L */
-    "CVE-2010-4180", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG,
+#ifndef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
+#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0
 #endif
+    NAMEBUG(NETSCAPE_REUSE_CIPHER_CHANGE_BUG),
+    "CVE-2010-4180", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG,
 
-#if defined(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG)
-    NAMEBUG(SSLREF2_REUSE_CERT_TYPE_BUG),      /* 0x00000010L */
+#ifndef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
+#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG     0
 #endif
+    NAMEBUG(SSLREF2_REUSE_CERT_TYPE_BUG),
 
-#if defined(SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
-    NAMEBUG(MICROSOFT_BIG_SSLV3_BUFFER),/* 0x00000020L  */
+#ifndef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
+#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER      0
 #endif
+    NAMEBUG(MICROSOFT_BIG_SSLV3_BUFFER),
 
-#if defined(SSL_OP_MSIE_SSLV2_RSA_PADDING)
-    NAMEBUG(MSIE_SSLV2_RSA_PADDING),   /* 0x00000040L */
-    "CVE-2005-2969", SSL_OP_MSIE_SSLV2_RSA_PADDING,
+#ifndef SSL_OP_MSIE_SSLV2_RSA_PADDING
+#define SSL_OP_MSIE_SSLV2_RSA_PADDING          0
 #endif
+    NAMEBUG(MSIE_SSLV2_RSA_PADDING),
+    "CVE-2005-2969", SSL_OP_MSIE_SSLV2_RSA_PADDING,
 
-#if defined(SSL_OP_SSLEAY_080_CLIENT_DH_BUG)
-    NAMEBUG(SSLEAY_080_CLIENT_DH_BUG), /* 0x00000080L */
+#ifndef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
+#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG                0
 #endif
+    NAMEBUG(SSLEAY_080_CLIENT_DH_BUG),
 
-#if defined(SSL_OP_TLS_D5_BUG)
-    NAMEBUG(TLS_D5_BUG),               /* 0x00000100L   */
+#ifndef SSL_OP_TLS_D5_BUG
+#define SSL_OP_TLS_D5_BUG                      0
 #endif
+    NAMEBUG(TLS_D5_BUG),
 
-#if defined(SSL_OP_TLS_BLOCK_PADDING_BUG)
-    NAMEBUG(TLS_BLOCK_PADDING_BUG),    /* 0x00000200L */
+#ifndef SSL_OP_TLS_BLOCK_PADDING_BUG
+#define SSL_OP_TLS_BLOCK_PADDING_BUG           0
 #endif
+    NAMEBUG(TLS_BLOCK_PADDING_BUG),
 
-#if defined(SSL_OP_TLS_ROLLBACK_BUG)
-    NAMEBUG(TLS_ROLLBACK_BUG),         /* 0x00000400L */
+#ifndef SSL_OP_TLS_ROLLBACK_BUG
+#define SSL_OP_TLS_ROLLBACK_BUG                        0
 #endif
+    NAMEBUG(TLS_ROLLBACK_BUG),
 
-#if defined(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
-    NAMEBUG(DONT_INSERT_EMPTY_FRAGMENTS),      /* 0x00000800L */
+#ifndef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
+#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS     0
 #endif
+    NAMEBUG(DONT_INSERT_EMPTY_FRAGMENTS),
 
-#if defined(SSL_OP_CRYPTOPRO_TLSEXT_BUG)
-    NAMEBUG(CRYPTOPRO_TLSEXT_BUG),     /* 0x80000000L */
+#ifndef SSL_OP_CRYPTOPRO_TLSEXT_BUG
+#define SSL_OP_CRYPTOPRO_TLSEXT_BUG            0
 #endif
+    NAMEBUG(CRYPTOPRO_TLSEXT_BUG),
     0, 0,
 };
 
@@ -802,7 +815,8 @@ long    tls_bug_bits(void)
     long    bits = SSL_OP_ALL;         /* Work around all known bugs */
     long    mask;
 
-#if OPENSSL_VERSION_NUMBER >= 0x00908000L
+#if OPENSSL_VERSION_NUMBER >= 0x00908000L && \
+       OPENSSL_VERSION_NUMBER < 0x10000000L
     long    lib_version = SSLeay();
 
     /*
@@ -828,6 +842,10 @@ long    tls_bug_bits(void)
        bits &= ~long_name_mask_opt(VAR_TLS_BUG_TWEAKS, ssl_bug_tweaks,
                                    var_tls_bug_tweaks, NAME_MASK_ANY_CASE |
                                    NAME_MASK_NUMBER | NAME_MASK_WARN);
+#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
+       /* Not relevant to SMTP */
+       bits &= ~SSL_OP_SAFARI_ECDHE_ECDSA_BUG;
+#endif
     }
     return (bits);
 }

diff --git a/postfix/src/util/dict_pcre.c b/postfix/src/util/dict_pcre.c
index 2f1f3906dba06a671d06fba87d4f1bbbeea0255b..0c420a3a98d1f7fe7360d11392db7ef6a056a342 100644 (file)
--- a/postfix/src/util/dict_pcre.c
+++ b/postfix/src/util/dict_pcre.c
@@ -59,6 +59,15 @@
 #include "mac_parse.h"
 #include "pcre.h"
 
+ /*
+  * Backwards compatibility.
+  */
+#ifdef PCRE_STUDY_JIT_COMPILE
+#define DICT_PCRE_FREE_STUDY(x)        pcre_free_study(x)
+#else
+#define DICT_PCRE_FREE_STUDY(x)        pcre_free((char *) (x))
+#endif
+
  /*
   * Support for IF/ENDIF based on an idea by Bert Driehuis.
   */
@@ -387,7 +396,7 @@ static void dict_pcre_close(DICT *dict)
            if (match_rule->pattern)
                myfree((char *) match_rule->pattern);
            if (match_rule->hints)
-               myfree((char *) match_rule->hints);
+               DICT_PCRE_FREE_STUDY(match_rule->hints);
            if (match_rule->replacement)
                myfree((char *) match_rule->replacement);
            break;
@@ -396,7 +405,7 @@ static void dict_pcre_close(DICT *dict)
            if (if_rule->pattern)
                myfree((char *) if_rule->pattern);
            if (if_rule->hints)
-               myfree((char *) if_rule->hints);
+               DICT_PCRE_FREE_STUDY(if_rule->hints);
            break;
        case DICT_PCRE_OP_ENDIF:
            break;
@@ -677,7 +686,7 @@ static DICT_PCRE_RULE *dict_pcre_parse_rule(const char *mapname, int lineno,
            if (engine.pattern)
                myfree((char *) engine.pattern);
            if (engine.hints)
-               myfree((char *) engine.hints);
+               DICT_PCRE_FREE_STUDY(engine.hints);
            CREATE_MATCHOP_ERROR_RETURN(0);
        }
 #endif