This problem was reported first in the context of TLSA
record lookups. Files: util/valid_hostname.[hc],
dns/dns_lookup.c.
+
+20230929
+
+ Bugfix (defect introduced Postfix 2.5, 20080104): the Postfix
+ SMTP server was waiting for a client command instead of
+ replying immediately, after a client certificate verification
+ error in TLS wrappermode. Reported by Andreas Kinzler. File:
+ smtpd/smtpd.c.
+
+20231006
+
+ Usability: the Postfix SMTP server now attempts to log the
+ SASL username after authentication failure. In Postfix
+ logging, this appends ", sasl_username=xxx" after the reason
+ for SASL authentication failure. The logging replaces an
+ unavailable reason with "(reason unavailable)", and replaces
+ an unavailable sasl_username with "(unavailable)". Based
+ on code by Jozsef Kadlecsik. Files: xsasl/xsasl_server.c,
+ xsasl/xsasl_cyrus_server.c, smtpd/smtpd_sasl_glue.c.
+
+20231026
+
+ Bugfix (defect introduced: Postfix 2.11): in forward_path,
+ the expression ${recipient_delimiter} would expand to an
+ empty string when a recipient address had no recipient
+ delimiter. Fixed by restoring Postfix 2.10 behavior to use
+ a configured recipient delimiter value. Reported by Tod
+ A. Sandman. Files: proto/postconf.proto, local/local_expand.c.
<dt><b>$<a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a></b></dt>
<dd>The address extension delimiter that was found in the recipient
-address (Postfix 2.11 and later), or the system-wide recipient
+address (Postfix 2.11 and later), or the 'first' delimiter specified
+with the system-wide recipient address extension delimiter (Postfix
+3.5.22, 3.5.12, 3.7.8, 3.8.3 and later). Historically, this was
+always the system-wide recipient
address extension delimiter (Postfix 2.10 and earlier). </dd>
<dt><b>${name?value}</b></dt>
.br
.IP "\fB$recipient_delimiter\fR"
The address extension delimiter that was found in the recipient
-address (Postfix 2.11 and later), or the system\-wide recipient
+address (Postfix 2.11 and later), or the 'first' delimiter specified
+with the system\-wide recipient address extension delimiter (Postfix
+3.5.22, 3.5.12, 3.7.8, 3.8.3 and later). Historically, this was
+always the system\-wide recipient
address extension delimiter (Postfix 2.10 and earlier).
.br
.IP "\fB${name?value}\fR"
<dt><b>$recipient_delimiter</b></dt>
<dd>The address extension delimiter that was found in the recipient
-address (Postfix 2.11 and later), or the system-wide recipient
+address (Postfix 2.11 and later), or the 'first' delimiter specified
+with the system-wide recipient address extension delimiter (Postfix
+3.5.22, 3.5.12, 3.7.8, 3.8.3 and later). Historically, this was
+always the system-wide recipient
address extension delimiter (Postfix 2.10 and earlier). </dd>
<dt><b>${name?value}</b></dt>
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20230901"
-#define MAIL_VERSION_NUMBER "3.5.21"
+#define MAIL_RELEASE_DATE "20231101"
+#define MAIL_VERSION_NUMBER "3.5.22"
#ifdef SNAPSHOT
#define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
} else if (STREQ(name, "recipient_delimiter")) {
rcpt_delim[0] =
local->state->msg_attr.local[strlen(local->state->msg_attr.user)];
+ if (rcpt_delim[0] == 0)
+ rcpt_delim[0] = var_rcpt_delim[0];
rcpt_delim[1] = 0;
return (rcpt_delim[0] ? rcpt_delim : 0);
#if 0
if (requirecert && TLS_CERT_IS_TRUSTED(state->tls_context) == 0) {
/*
- * Fetch and reject the next command (should be EHLO), then
- * disconnect (side-effect of returning "421 ...".
+ * In non-wrappermode, fetch the next command (should be EHLO). Reply
+ * with 421, then disconnect (as a side-effect of replying with 421).
*/
cert_present = TLS_CERT_IS_PRESENT(state->tls_context);
msg_info("NOQUEUE: abort: TLS from %s: %s",
state->namaddr, cert_present ?
"Client certificate not trusted" :
"No client certificate presented");
- smtpd_chat_query(state);
+ if (var_smtpd_tls_wrappermode == 0)
+ smtpd_chat_query(state);
smtpd_chat_reply(state, "421 4.7.1 %s Error: %s",
var_myhostname, cert_present ?
"Client certificate not trusted" :
}
}
if (status != XSASL_AUTH_DONE) {
- msg_warn("%s: SASL %s authentication failed: %s",
- state->namaddr, sasl_method,
- STR(state->sasl_reply));
+ sasl_username = xsasl_server_get_username(state->sasl_server);
+ msg_warn("%s: SASL %.100s authentication failed: %s, sasl_username=%.100s",
+ state->namaddr, sasl_method, *STR(state->sasl_reply) ?
+ STR(state->sasl_reply) : "(reason unavailable)",
+ sasl_username ? sasl_username : "(unavailable)");
/* RFC 4954 Section 6. */
if (status == XSASL_AUTH_TEMP)
smtpd_chat_reply(state, "454 4.7.0 Temporary authentication failure: %s",
/*
* XXX Do not free(serverout).
*/
+ if (server->username)
+ myfree(server->username);
sasl_status = sasl_getprop(server->sasl_conn, SASL_USERNAME, &serverout);
if (sasl_status != SASL_OK || serverout == 0) {
- msg_warn("%s: sasl_getprop SASL_USERNAME botch: %s",
- myname, xsasl_cyrus_strerror(sasl_status));
- return (0);
+ server->username = 0;
+ } else {
+ server->username = mystrdup(serverout);
+ printable(server->username, '?');
}
- if (server->username)
- myfree(server->username);
- server->username = mystrdup(serverout);
- printable(server->username, '?');
return (server->username);
}
projects / thirdparty / postfix.git / commitdiff
