postfix-2.10-20120305

diff --git a/postfix/README_FILES/SMTPD_ACCESS_README b/postfix/README_FILES/SMTPD_ACCESS_README
index 99981b516426a5fabfbd57a5dbe189d1dd279e4d..cbe958ed1eb48cfbfeb754adc4073890bfb3f52d 100644 (file)
--- a/postfix/README_FILES/SMTPD_ACCESS_README
+++ b/postfix/README_FILES/SMTPD_ACCESS_README
@@ -256,10 +256,13 @@ soft_bounce
     changing all 5xx SMTP reply codes into 4xx.
 
 warn_if_reject
-    This is a different safety net that changes SMTP server REJECT actions into
-    warnings. Instead of rejecting a command, Postfix logs what it would
-    reject. Specify "warn_if_reject" in an SMTP access restriction list, before
-    the restriction that you want to test without actually rejecting mail.
+    When placed before a reject-type restriction, access table query, or
+    check_policy_service query, this logs a "reject_warning" message instead of
+    rejecting a request (when a reject-type restriction fails due to a
+    temporary error, this logs a "reject_warning" message for any implicit
+    "defer_if_permit" actions that would normally prevent mail from being
+    accepted by some later access restriction). This feature has no effect on
+    defer_if_reject restrictions.
 
 XCLIENT
     With this feature, an authorized SMTP client can impersonate other systems

diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES
index 3a2b79bbc3b8b2e4f198fffe0e05691c3c439890..aeed5bf1072b3727e7fd39ddfcf2f4382896bedc 100644 (file)
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@@ -13,3 +13,11 @@ specifies the release date of a stable release or snapshot release.
 
 If you upgrade from Postfix 2.8 or earlier, read RELEASE_NOTES-2.9
 before proceeding.
+
+Major changes with snapshot 20120303
+====================================
+
+New control for "permit" logging in smtpd_mumble_restrictions.
+Specify "smtpd_log_access_permit_actions = static:all" to log all
+"permit"-style actions, or specify a list of explicit names.  More
+details are in the postconf(5) manpage.

diff --git a/postfix/WISHLIST b/postfix/WISHLIST
index b9b1ba46aa96d07ecc29abcd9b65fdf52b70e0bd..51cc7d0472cd6221e4a1048d3570dc14d97426c7 100644 (file)
--- a/postfix/WISHLIST
+++ b/postfix/WISHLIST
@@ -5,11 +5,6 @@ Wish list:
        Remove this file from the stable release.
 
        Things to do after the stable release:
-
-       smtpd: find out what the interactions would be between
-       warn_if_permit, and explicit or implicit defer_if_reject
-       and defer_if_permit actions. If this can't be stated in
-       simple terms, then it won't be implemented.
  
        postscreen: in the dummy SMTP engine, log the protocol state
        at time of violation (like smtpd, set state->where initially

diff --git a/postfix/html/SMTPD_ACCESS_README.html b/postfix/html/SMTPD_ACCESS_README.html
index eb13ca5510aa2b47cd015c6c52458b004b4c1fc9..5560a3727c574a9ccea7d3ec10fce08527adc6a6 100644 (file)
--- a/postfix/html/SMTPD_ACCESS_README.html
+++ b/postfix/html/SMTPD_ACCESS_README.html
@@ -348,23 +348,14 @@ sender. Specify "<a href="postconf.5.html#soft_bounce">soft_bounce</a> = yes" in
 the Postfix SMTP server from rejecting mail permanently, by changing
 all 5xx SMTP reply codes into 4xx. </p> </dd>
 
-<dt> <a href="postconf.5.html#warn_if_reject">warn_if_reject</a> </dt> <dd> <p> This is a different safety net
-that changes SMTP server REJECT actions into warnings. Instead of
-rejecting a command, Postfix logs what it would reject. Specify
-"<a href="postconf.5.html#warn_if_reject">warn_if_reject</a>" in an SMTP access restriction list, before the
-restriction that you want to test without actually rejecting mail.
-</p> </dd>
-
-<!--
-
-<dt> <a href="postconf.5.html#warn_if_permit">warn_if_permit</a> </dt> <dd> <p> This safety net changes SMTP
-server PERMIT actions into warnings. Instead of permitting a command,
-Postfix logs what it would permit. Specify "<a href="postconf.5.html#warn_if_permit">warn_if_permit</a>" in an
-SMTP access restriction list, before the restriction that you want
-to test. <br> This feature is available in Postfix 2.10.  </p>
-</dd>
-
--->
+<dt> <a href="postconf.5.html#warn_if_reject">warn_if_reject</a> </dt> <dd> <p> When placed before a reject-type
+restriction, access table query, or <a href="postconf.5.html#check_policy_service">check_policy_service</a> query,
+this logs a "reject_warning" message instead of rejecting a request
+(when a reject-type restriction fails due to a temporary error,
+this logs a "reject_warning" message for any implicit "<a href="postconf.5.html#defer_if_permit">defer_if_permit</a>"
+actions that would normally prevent mail from being accepted by
+some later access restriction).  This feature has no effect on
+<a href="postconf.5.html#defer_if_reject">defer_if_reject</a> restrictions.  </p> </dd>
 
 <dt> XCLIENT </dt> <dd> <p> With this feature, an authorized SMTP
 client can impersonate other systems and perform realistic SMTP

diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html
index 5440eb3f7e247fb6a41bf1a01338e9025d08c2d1..ea666f671573e1096f3aa8a12359ca85031a6d00 100644 (file)
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@@ -12421,11 +12421,14 @@ This feature is available in Postfix 2.3. </dd>
 
 <dt><b><a name="warn_if_reject">warn_if_reject</a></b></dt>
 
-<dd>Change the meaning of the next restriction, so that it logs
-a warning instead of rejecting a request (look for logfile records
-that contain "reject_warning"). This is useful for testing new
-restrictions in a "live" environment without risking unnecessary
-loss of mail. </dd>
+<dd> A safety net for testing. When "<a href="postconf.5.html#warn_if_reject">warn_if_reject</a>" is placed
+before a reject-type restriction, access table query, or
+<a href="postconf.5.html#check_policy_service">check_policy_service</a> query, this logs a "reject_warning" message
+instead of rejecting a request (when a reject-type restriction fails
+due to a temporary error, this logs a "reject_warning" message for
+any implicit "<a href="postconf.5.html#defer_if_permit">defer_if_permit</a>" actions that would normally prevent
+mail from being accepted by some later access restriction). This
+feature has no effect on <a href="postconf.5.html#defer_if_reject">defer_if_reject</a> restrictions.  </dd>
 
 </dl>
 

diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5
index afeb6365f199db1027e7fea6a74dda4c6779990e..105cbce42c065182b685efe5f5cd27583c79b0d7 100644 (file)
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@@ -7777,11 +7777,14 @@ mail when used as:
 .ft R
 This feature is available in Postfix 2.3.
 .IP "\fBwarn_if_reject\fR"
-Change the meaning of the next restriction, so that it logs
-a warning instead of rejecting a request (look for logfile records
-that contain "reject_warning"). This is useful for testing new
-restrictions in a "live" environment without risking unnecessary
-loss of mail.
+A safety net for testing. When "warn_if_reject" is placed
+before a reject-type restriction, access table query, or
+check_policy_service query, this logs a "reject_warning" message
+instead of rejecting a request (when a reject-type restriction fails
+due to a temporary error, this logs a "reject_warning" message for
+any implicit "defer_if_permit" actions that would normally prevent
+mail from being accepted by some later access restriction). This
+feature has no effect on defer_if_reject restrictions.
 .PP
 Other restrictions that are valid in this context:
 .IP \(bu

diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink
index 7bb31299b33a50828a37e27efa3dd8707597c370..d7bb6b5e55c7626df9155589dbf90cf8fadbb4b7 100755 (executable)
--- a/postfix/mantools/postlink
+++ b/postfix/mantools/postlink
@@ -825,7 +825,6 @@ while (<>) {
     s;\breject_plaintext_session\b;<a href="postconf.5.html#reject_plaintext_session">$&</a>;g;
     s;\breject_unauth_pipelining\b;<a href="postconf.5.html#reject_unauth_pipelining">$&</a>;g;
     s;\bwarn_if_reject\b;<a href="postconf.5.html#warn_if_reject">$&</a>;g;
-    s;\bwarn_if_permit\b;<a href="postconf.5.html#warn_if_permit">$&</a>;g;
 
     # Access restrictions - client
 

diff --git a/postfix/proto/SMTPD_ACCESS_README.html b/postfix/proto/SMTPD_ACCESS_README.html
index a3b456176defa12029449e9eefcce90234eedc11..3cd23cd2f834b36a2cd800dd790e3b52f04caf55 100644 (file)
--- a/postfix/proto/SMTPD_ACCESS_README.html
+++ b/postfix/proto/SMTPD_ACCESS_README.html
@@ -348,23 +348,14 @@ sender. Specify "soft_bounce = yes" in the main.cf file to prevent
 the Postfix SMTP server from rejecting mail permanently, by changing
 all 5xx SMTP reply codes into 4xx. </p> </dd>
 
-<dt> warn_if_reject </dt> <dd> <p> This is a different safety net
-that changes SMTP server REJECT actions into warnings. Instead of
-rejecting a command, Postfix logs what it would reject. Specify
-"warn_if_reject" in an SMTP access restriction list, before the
-restriction that you want to test without actually rejecting mail.
-</p> </dd>
-
-<!--
-
-<dt> warn_if_permit </dt> <dd> <p> This safety net changes SMTP
-server PERMIT actions into warnings. Instead of permitting a command,
-Postfix logs what it would permit. Specify "warn_if_permit" in an
-SMTP access restriction list, before the restriction that you want
-to test. <br> This feature is available in Postfix 2.10.  </p>
-</dd>
-
--->
+<dt> warn_if_reject </dt> <dd> <p> When placed before a reject-type
+restriction, access table query, or check_policy_service query,
+this logs a "reject_warning" message instead of rejecting a request
+(when a reject-type restriction fails due to a temporary error,
+this logs a "reject_warning" message for any implicit "defer_if_permit"
+actions that would normally prevent mail from being accepted by
+some later access restriction).  This feature has no effect on
+defer_if_reject restrictions.  </p> </dd>
 
 <dt> XCLIENT </dt> <dd> <p> With this feature, an authorized SMTP
 client can impersonate other systems and perform realistic SMTP

diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto
index 05d07e2e3e201bfe658ddd6615d736e1fa364c8c..4a274ee089b3832c9cc690f04aed73723ef3351a 100644 (file)
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@@ -5141,20 +5141,14 @@ This feature is available in Postfix 2.3. </dd>
 
 <dt><b><a name="warn_if_reject">warn_if_reject</a></b></dt>
 
-<dd>Change the meaning of the next restriction, so that it logs
-a warning instead of rejecting a request (look for logfile records
-that contain "reject_warning"). This is useful for testing new
-restrictions in a "live" environment without risking unnecessary
-loss of mail. </dd>
-
-#<dt><b><a name="warn_if_permit">warn_if_permit</a></b></dt>
-#
-#<dd>Change the meaning of the next restriction, so that it logs
-#a warning instead of permitting a request (look for logfile records
-#that contain "permit_warning"). This is useful for testing new
-#restrictions in a "live" environment without risking unexpected
-#side effects. <br>
-#This feature is available in Postfix 2.10. </dd>
+<dd> A safety net for testing. When "warn_if_reject" is placed
+before a reject-type restriction, access table query, or
+check_policy_service query, this logs a "reject_warning" message
+instead of rejecting a request (when a reject-type restriction fails
+due to a temporary error, this logs a "reject_warning" message for
+any implicit "defer_if_permit" actions that would normally prevent
+mail from being accepted by some later access restriction). This
+feature has no effect on defer_if_reject restrictions.  </dd>
 
 </dl>
 

diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h
index 72845e0559d7fc06be168d5c620c993bf89efd28..791694897f07753c8db574a5ede097c17282ec65 100644 (file)
--- a/postfix/src/global/mail_params.h
+++ b/postfix/src/global/mail_params.h
@@ -2154,7 +2154,6 @@ extern int var_map_defer_code;
 #define CHECK_RECIP_NS_ACL     "check_recipient_ns_access"
 
 #define WARN_IF_REJECT         "warn_if_reject"
-#define WARN_IF_PERMIT         "warn_if_permit"
 
 #define REJECT_RBL             "reject_rbl"    /* LaMont compatibility */
 #define REJECT_RBL_CLIENT      "reject_rbl_client"

diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index e47fa4d14e9d21266bd3cda6198628925c873853..2ac9de75bdb51f5195bee210c92d223791a82040 100644 (file)
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE      "20120303"
+#define MAIL_RELEASE_DATE      "20120305"
 #define MAIL_VERSION_NUMBER    "2.10"
 
 #ifdef SNAPSHOT

diff --git a/postfix/src/smtpd/smtpd.h b/postfix/src/smtpd/smtpd.h
index a82c0a6125c67414a95497dcc920ff4e6a236e6e..cc459068223e2d0cead79cdb7b603d9f7b0475f3 100644 (file)
--- a/postfix/src/smtpd/smtpd.h
+++ b/postfix/src/smtpd/smtpd.h
@@ -127,7 +127,6 @@ typedef struct {
     int     sender_rcptmap_checked;    /* sender validated against maps */
     int     recipient_rcptmap_checked; /* recipient validated against maps */
     int     warn_if_reject;            /* force reject into warning */
-    int     warn_if_permit;            /* force permit into warning */
     SMTPD_DEFER defer_if_reject;       /* force reject into deferral */
     SMTPD_DEFER defer_if_permit;       /* force permit into deferral */
     int     defer_if_permit_client;    /* force permit into warning */

diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c
index 65a4d46f40a3b3e8013d2679de39f0785fe8395c..76229f9775c3ab43311c08e4668184ec86e39e68 100644 (file)
--- a/postfix/src/smtpd/smtpd_check.c
+++ b/postfix/src/smtpd/smtpd_check.c
@@ -385,13 +385,6 @@ static STRING_LIST *smtpd_acl_perm_log;
   * XXX With warn_if_reject, do raise the defer_if_reject flag when a
   * permit-style restriction fails. Otherwise, we could reject legitimate
   * mail.
-  * 
-  * XXX Figure out the interactions between warn_if_permit and implicit or
-  * explicit defer_if_permit/reject actions, including the ones that may
-  * trigger when recursing into a lookup table.
-  * 
-  * XXX Some DEFER_IF_PERMIT[0-9] macros expect a flag as first argument but are
-  * given a string argument instead. That is not right.
   */
 static int PRINTFLIKE(5, 6) defer_if(SMTPD_DEFER *, int, int, const char *, const char *,...);
 static int PRINTFLIKE(5, 6) smtpd_check_reject(SMTPD_STATE *, int, int, const char *, const char *,...);
@@ -403,7 +396,13 @@ static int PRINTFLIKE(5, 6) smtpd_check_reject(SMTPD_STATE *, int, int, const ch
 #define DEFER_IF_REJECT4(state, class, code, dsn, fmt, a1, a2, a3, a4) \
     defer_if(&(state)->defer_if_reject, (class), (code), (dsn), (fmt), (a1), (a2), (a3), (a4))
 
-#define DEFER_EXPLICIT 1
+ /*
+  * The following choose between DEFER_IF_PERMIT (only if warn_if_reject is
+  * turned off) and plain DEFER. See tempfail_actions[] below for the mapping
+  * from names to numeric action code.
+  */
+#define DEFER_ALL_ACT          0
+#define DEFER_IF_PERMIT_ACT    1
 
 #define DEFER_IF_PERMIT2(type, state, class, code, dsn, fmt, a1, a2) \
     (((state)->warn_if_reject == 0 && (type) != 0) ? \
@@ -574,8 +573,8 @@ void    smtpd_check_init(void)
        0,
     };
     static NAME_CODE tempfail_actions[] = {
-       DEFER_ALL, 0,
-       DEFER_IF_PERMIT, 1,
+       DEFER_ALL, DEFER_ALL_ACT,
+       DEFER_IF_PERMIT, DEFER_IF_PERMIT_ACT,
        0, -1,
     };
 
@@ -777,28 +776,38 @@ static void log_whatsup(SMTPD_STATE *state, const char *whatsup,
 
 /* smtpd_acl_permit - permit request with optional logging */
 
-static int smtpd_acl_permit(SMTPD_STATE *state, const char *action,
-                           const char *reply_class, const char *reply_name,
-                                   const char *format,...)
+static int PRINTFLIKE(5, 6) smtpd_acl_permit(SMTPD_STATE *state,
+                                                    const char *action,
+                                                    const char *reply_class,
+                                                    const char *reply_name,
+                                                    const char *format,...)
 {
     va_list ap;
     const char *whatsup;
-    int     retval;
 
-    if (state->warn_if_permit) {
-       whatsup = "permit_warning";
-       retval = SMTPD_CHECK_DUNNO;
+#ifdef notdef
+#define NO_PRINT_ARGS ""
+#else
+#define NO_PRINT_ARGS "%s", ""
+#endif
+
+    /*
+     * First, find out if (and how) this permit action should be logged.
+     */
+    if (state->defer_if_permit.active) {
+       /* This action is overruled. Do not log. */
+       whatsup = 0;
     } else if (string_list_match(smtpd_acl_perm_log, action) != 0) {
+       /* This is not a test. Logging is enabled. */
        whatsup = "permit";
-       retval = SMTPD_CHECK_OK;
     } else {
+       /* This is not a test. Logging is disabled. */
        whatsup = 0;
-       retval = SMTPD_CHECK_OK;
     }
     if (whatsup != 0) {
        vstring_sprintf(error_text, "action=%s for %s=%s",
                        action, reply_class, reply_name);
-       if (format) {
+       if (format && *format) {
            vstring_strcat(error_text, " ");
            va_start(ap, format);
            vstring_vsprintf_append(error_text, format, ap);
@@ -806,7 +815,7 @@ static int smtpd_acl_permit(SMTPD_STATE *state, const char *action,
        }
        log_whatsup(state, whatsup, STR(error_text));
     }
-    return (retval);
+    return (SMTPD_CHECK_OK);
 }
 
 /* smtpd_check_reject - do the boring things that must be done */
@@ -1925,7 +1934,8 @@ static int reject_unverified_address(SMTPD_STATE *state, const char *addr,
        case 4:
            rqst_status =
                DEFER_IF_PERMIT3(unv_addr_tf_act, state, MAIL_ERROR_POLICY,
-                         450, strcmp(reply_class, SMTPD_NAME_SENDER) == 0 ?
+                                reject_code,
+                              strcmp(reply_class, SMTPD_NAME_SENDER) == 0 ?
                                 SND_DSN : "4.1.1",
                            "<%s>: %s rejected: unverified address: %.250s",
                                 reply_name, reply_class, STR(why));
@@ -2250,7 +2260,7 @@ static int check_table_result(SMTPD_STATE *state, const char *table,
      */
     if (STREQUAL(value, DEFER_IF_PERMIT, cmd_len)) {
        dsn_split(&dp, "4.7.1", cmd_text);
-       return (DEFER_IF_PERMIT3(DEFER_EXPLICIT, state, MAIL_ERROR_POLICY,
+       return (DEFER_IF_PERMIT3(DEFER_IF_PERMIT_ACT, state, MAIL_ERROR_POLICY,
                                 var_map_defer_code,
                             smtpd_dsn_fix(DSN_STATUS(dp.dsn), reply_class),
                                 "<%s>: %s rejected: %s",
@@ -3696,11 +3706,6 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
                state->warn_if_reject = state->recursion;
            continue;
        }
-       if (strcasecmp(name, WARN_IF_PERMIT) == 0) {
-           if (state->warn_if_permit == 0)
-               state->warn_if_permit = state->recursion;
-           continue;
-       }
 
        /*
         * Spoof the is_map_command() routine, so that we do not have to make
@@ -3724,9 +3729,8 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
         */
        if (strcasecmp(name, PERMIT_ALL) == 0) {
            status = smtpd_acl_permit(state, name, reply_class,
-                                     reply_name, (char *) 0);
-           if (status == SMTPD_CHECK_OK
-               && cpp[1] != 0 && state->warn_if_reject == 0)
+                                     reply_name, NO_PRINT_ARGS);
+           if (status == SMTPD_CHECK_OK && cpp[1] != 0)
                msg_warn("restriction `%s' after `%s' is ignored",
                         cpp[1], PERMIT_ALL);
        } else if (strcasecmp(name, DEFER_ALL) == 0) {
@@ -3756,7 +3760,8 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
                status = check_policy_service(state, *++cpp, reply_name,
                                              reply_class, def_acl);
        } else if (strcasecmp(name, DEFER_IF_PERMIT) == 0) {
-           status = DEFER_IF_PERMIT2(DEFER_EXPLICIT, state, MAIL_ERROR_POLICY,
+           status = DEFER_IF_PERMIT2(DEFER_IF_PERMIT_ACT,
+                                     state, MAIL_ERROR_POLICY,
                                      450, "4.7.0",
                             "<%s>: %s rejected: defer_if_permit requested",
                                      reply_name, reply_class);
@@ -3787,12 +3792,12 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
            status = permit_inet_interfaces(state);
            if (status == SMTPD_CHECK_OK)
                status = smtpd_acl_permit(state, name, SMTPD_NAME_CLIENT,
-                                         state->namaddr, (char *) 0);
+                                         state->namaddr, NO_PRINT_ARGS);
        } else if (strcasecmp(name, PERMIT_MYNETWORKS) == 0) {
            status = permit_mynetworks(state);
            if (status == SMTPD_CHECK_OK)
                status = smtpd_acl_permit(state, name, SMTPD_NAME_CLIENT,
-                                         state->namaddr, (char *) 0);
+                                         state->namaddr, NO_PRINT_ARGS);
        } else if (is_map_command(state, name, CHECK_CLIENT_ACL, &cpp)) {
            status = check_namadr_access(state, *cpp, state->name, state->addr,
                                         FULL, &found, state->namaddr,
@@ -3819,7 +3824,7 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
                                           SMTPD_NAME_CLIENT);
                if (status == SMTPD_CHECK_OK)
                    status = smtpd_acl_permit(state, name, SMTPD_NAME_CLIENT,
-                                             state->namaddr, (char *) 0);
+                                             state->namaddr, NO_PRINT_ARGS);
            }
        } else if (strcasecmp(name, REJECT_RHSBL_CLIENT) == 0) {
            if (cpp[1] == 0)
@@ -3842,7 +3847,7 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
                                                 SMTPD_NAME_CLIENT);
                    if (status == SMTPD_CHECK_OK)
                        status = smtpd_acl_permit(state, name,
-                            SMTPD_NAME_CLIENT, state->namaddr, (char *) 0);
+                         SMTPD_NAME_CLIENT, state->namaddr, NO_PRINT_ARGS);
                }
            }
        } else if (strcasecmp(name, REJECT_RHSBL_REVERSE_CLIENT) == 0) {
@@ -3923,7 +3928,7 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
                && (status = reject_invalid_hostaddr(state, state->helo_name,
                                   state->helo_name, SMTPD_NAME_HELO)) == 0)
                    status = smtpd_acl_permit(state, name, SMTPD_NAME_HELO,
-                                             state->helo_name, (char *) 0);
+                                          state->helo_name, NO_PRINT_ARGS);
            }
        } else if (is_map_command(state, name, CHECK_HELO_NS_ACL, &cpp)) {
            if (state->helo_name) {
@@ -4050,14 +4055,14 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
                                    state->recipient, SMTPD_NAME_RECIPIENT);
                if (status == SMTPD_CHECK_OK)
                    status = smtpd_acl_permit(state, name, SMTPD_NAME_RECIPIENT,
-                                             state->recipient, (char *) 0);
+                                          state->recipient, NO_PRINT_ARGS);
            }
        } else if (strcasecmp(name, PERMIT_AUTH_DEST) == 0) {
            if (state->recipient) {
                status = permit_auth_destination(state, state->recipient);
                if (status == SMTPD_CHECK_OK)
                    status = smtpd_acl_permit(state, name, SMTPD_NAME_RECIPIENT,
-                                             state->recipient, (char *) 0);
+                                          state->recipient, NO_PRINT_ARGS);
            }
        } else if (strcasecmp(name, REJECT_UNAUTH_DEST) == 0) {
            if (state->recipient)
@@ -4068,9 +4073,8 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
                                    state->recipient, SMTPD_NAME_RECIPIENT);
            if (status == SMTPD_CHECK_OK)
                status = smtpd_acl_permit(state, name, SMTPD_NAME_RECIPIENT,
-                                         state->recipient, (char *) 0);
-           if (cpp[1] != 0 && state->warn_if_reject == 0
-               && state->warn_if_permit == 0)
+                                         state->recipient, NO_PRINT_ARGS);
+           if (cpp[1] != 0 && state->warn_if_reject == 0)
                msg_warn("restriction `%s' after `%s' is ignored",
                         cpp[1], CHECK_RELAY_DOMAINS);
        } else if (strcasecmp(name, PERMIT_SASL_AUTH) == 0) {
@@ -4080,19 +4084,19 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
                                          SMTPD_CHECK_OK, SMTPD_CHECK_DUNNO);
                if (status == SMTPD_CHECK_OK)
                    status = smtpd_acl_permit(state, name, SMTPD_NAME_CLIENT,
-                                             state->namaddr, (char *) 0);
+                                             state->namaddr, NO_PRINT_ARGS);
            }
 #endif
        } else if (strcasecmp(name, PERMIT_TLS_ALL_CLIENTCERTS) == 0) {
            status = permit_tls_clientcerts(state, 1);
            if (status == SMTPD_CHECK_OK)
                status = smtpd_acl_permit(state, name, SMTPD_NAME_CLIENT,
-                                         state->namaddr, (char *) 0);
+                                         state->namaddr, NO_PRINT_ARGS);
        } else if (strcasecmp(name, PERMIT_TLS_CLIENTCERTS) == 0) {
            status = permit_tls_clientcerts(state, 0);
            if (status == SMTPD_CHECK_OK)
                status = smtpd_acl_permit(state, name, SMTPD_NAME_CLIENT,
-                                         state->namaddr, (char *) 0);
+                                         state->namaddr, NO_PRINT_ARGS);
        } else if (strcasecmp(name, REJECT_UNKNOWN_RCPTDOM) == 0) {
            if (state->recipient)
                status = reject_unknown_address(state, state->recipient,
@@ -4180,8 +4184,6 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
        }
        if (state->warn_if_reject >= state->recursion)
            state->warn_if_reject = 0;
-       if (state->warn_if_permit >= state->recursion)
-           state->warn_if_permit = 0;
 
        if (status != 0)
            break;
@@ -4194,6 +4196,10 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
 
     state->recursion = saved_recursion;
 
+    /* In case the list terminated with one or more warn_if_mumble. */
+    if (state->warn_if_reject >= state->recursion)
+       state->warn_if_reject = 0;
+
     return (status);
 }
 
@@ -4307,7 +4313,6 @@ char   *smtpd_check_client(SMTPD_STATE *state)
 #define SMTPD_CHECK_RESET() { \
        state->recursion = 0; \
        state->warn_if_reject = 0; \
-       state->warn_if_permit = 0; \
        state->defer_if_reject.active = 0; \
     }