tlsproxy/tlsproxy.c.
Security: in the Postfix SMTP daemon, improved pipelining
- detection and reporting; and detect illegal command pipelining
- before the server greeting. File: smtpd/smtpd.c.
+ detection and reporting; added code to detect illegal command
+ pipelining before the server greeting. File: smtpd/smtpd.c.
20230529
Cleanup: error handling for OpenSSL INI file support. Viktor
Dukhovni. Files: proto/postconf.proto, tls/tls_misc.c.
+
+20230602
+
+ Backwards compatibility for stable releases that originally
+ had no OpenSSL INI support. Skip the new OpenSSL INI support
+ code, unless the Postfix configuration actually specifies
+ non-default tls_config_xxx settings. File: tls/tls_misc.c.
+
+ Cleanup: added a multiple initialization guard in the
+ tls_library_init() function, and made an initialization error
+ sticky. File: tls/tls_misc.c.
char *conf_file = 0;
unsigned long init_opts = 0;
+#define TLS_LIB_INIT_TODO (-1)
+#define TLS_LIB_INIT_ERR (0)
+#define TLS_LIB_INIT_OK (1)
+
+ static int init_res = TLS_LIB_INIT_TODO;
+
+ if (init_res != TLS_LIB_INIT_TODO)
+ return (init_res);
+
+ /*
+ * Backwards compatibility: skip this function unless the Postfix
+ * configuration actually has non-default tls_config_xxx settings.
+ */
+ if (strcmp(var_tls_cnf_file, DEF_TLS_CNF_FILE) == 0
+ && strcmp(var_tls_cnf_name, DEF_TLS_CNF_NAME) == 0) {
+ if (msg_verbose)
+ msg_info("tls_library_init: using backwards-compatible defaults");
+ return (init_res = TLS_LIB_INIT_OK);
+ }
if ((init_settings = OPENSSL_INIT_new()) == 0) {
msg_warn("error allocating OpenSSL init settings, "
"disabling TLS support");
- return (0);
+ return (init_res = TLS_LIB_INIT_ERR);
}
-
#define TLS_LIB_INIT_RETURN(x) \
- do { OPENSSL_INIT_free(init_settings); return (x); } while(0)
+ do { OPENSSL_INIT_free(init_settings); return (init_res = (x)); } while(0)
#if OPENSSL_VERSION_NUMBER < 0x1010102fL
if (strcmp(var_tls_cnf_file, "default") != 0) {
msg_warn("non-default %s = %s requires OpenSSL 1.1.1b or later, "
"disabling TLS support", VAR_TLS_CNF_FILE, var_tls_cnf_file);
- TLS_LIB_INIT_RETURN(0);
+ TLS_LIB_INIT_RETURN(TLS_LIB_INIT_ERR);
}
#else
{
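Review bot: The early return added ahead of `OPENSSL_INIT_new()` reports `TLS_LIB_INIT_OK` without any explicit library initialization, and its comment ("skip this function") does not say what initializes OpenSSL on that path. Presumably the library then initializes itself on first use with its own defaults, including whatever system-wide OpenSSL configuration file it loads by default. That is worth stating, since it is the behaviour every installation with default `tls_config_xxx` settings gets. I would extend the comment with something like `* No explicit OpenSSL initialization is done in that case; the library is left to initialize itself with its built-in defaults.` The function's opening lines and the code between the visible fragments are outside this hunk, so the elided initialization call is inferred from the warning text further down.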
} else {
msg_warn("non-default %s = %s is not an absolute pathname, "
"disabling TLS support", VAR_TLS_CNF_FILE, var_tls_cnf_file);
- TLS_LIB_INIT_RETURN(0);
+ TLS_LIB_INIT_RETURN(TLS_LIB_INIT_ERR);
}
OPENSSL_INIT_set_config_file_flags(init_settings, file_flags);
msg_warn("error initializing the OpenSSL library, "
"disabling TLS support");
tls_print_errors();
- TLS_LIB_INIT_RETURN(0);
+ TLS_LIB_INIT_RETURN(TLS_LIB_INIT_ERR);
}
- TLS_LIB_INIT_RETURN(1);
+ TLS_LIB_INIT_RETURN(TLS_LIB_INIT_OK);
}
/* tls_pre_jail_init - Load TLS related pre-jail tables */