Safety: restore sanity checks for dynamically-specified
width and precision in format strings (%*, %.*, and %*.*).
- These checks were lost with the Postfix 3.2.2 rewrite of
+ These checks were lost with the Postfix 3.2 rewrite of
the vbuf_print formatter. File: vbuf_print.c.
Bugfix (introduced: postfix-alpha): improve the 'fatal:
Bugfix (introduced: Postfix 3.2): panic in the postqueue
command after output write error while listing the queue.
This change restores a write error check that was lost with
- the Postfix 3.2.2 rewrite of the vbuf_print formatter.
+ the Postfix 3.2 rewrite of the vbuf_print formatter.
Problem reported by Andreas Schulze. File: util/vbuf_print.c.
+
+20170924
+
+ Cleanup: terminate early after output write error. Files:
+ showq/show_compat.c, showq/show_json.c.
+
+20171009
+
+ Bugfix (introduced: Postfix 3.1): DANE support. Postfix
+ builds with OpenSSL 1.0.0 or 1.0.1 failed to send email to
+ some sites with "TLSA 2 X X" records associated with an
+ intermediate CA certificate. Problem report and initial
+ fix by Erwan Legrand. File: src/tls/tls_dane.c.
Disable -DSNAPSHOT and -DNONPROD in makedefs.
+ After I/O error, store errno in VSTREAM object before errno
+ may be overwritten.
+
Add postwhite as a postscreen-related project.
https://github.com/stevejenkins/postwhite/blob/master/README.md
+ Document postsrsd and postforward for srs-ifying. Would
+ more fine-grained smtp_generic_maps support help?
+
Decide whether to deprecate database configuration pathnames
that start with ".", for example, ldap:./file/name. These forms
are documented for ldap:, memcache:, mysql:, pgsql:, and sqlite:
authentication and DNSSEC support is available with Postfix 2.11
and later. </dd>
-<dt><b><a href="TLS_README.html#client_tls_fingerprint">fingerprint</a></b></dt>
+<dt><b><a href="TLS_README.html#client_tls_fprint">fingerprint</a></b></dt>
<dd>Certificate fingerprint
verification. Available with Postfix 2.5 and later. At this security
level, there are no trusted Certification Authorities. The certificate
(DANE) TLS authentication is available with Postfix 2.11 and later.
</dd>
-<dt><b><a href="TLS_README.html#client_tls_fingerprint">fingerprint</a></b></dt>
+<dt><b><a href="TLS_README.html#client_tls_fprint">fingerprint</a></b></dt>
<dd>Certificate fingerprint verification.
At this security level, there are no trusted Certification Authorities.
The certificate trust chain, expiration date, etc., are
<b><a href="postconf.5.html#alternate_config_directories">alternate_config_directories</a> (empty)</b>
A list of non-default Postfix configuration directories that may
be specified with "-c <a href="postconf.5.html#config_directory">config_directory</a>" on the command line (in
- the case of <a href="sendmail.1.html"><b>sendmail</b>(1)</a>, with "-C <a href="postconf.5.html#config_directory">config_directory</a>"), or via the
+ the case of <a href="sendmail.1.html"><b>sendmail</b>(1)</a>, with the "-C" option), or via the
MAIL_CONFIG environment parameter.
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
tion logfiles with mail that is queued to those destinations.
<b><a href="postconf.5.html#import_environment">import_environment</a> (see 'postconf -d' output)</b>
- The list of environment parameters that a Postfix process will
- import from a non-Postfix parent process.
+ The list of environment parameters that a privileged Postfix
+ process will import from a non-Postfix parent process, or
+ name=value environment overrides.
<b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
The location of the Postfix top-level queue directory.
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
- A prefix that is prepended to the process name in syslog
+ A prefix that is prepended to the process name in syslog
records, so that, for example, "smtpd" becomes "prefix/smtpd".
<b><a href="postconf.5.html#trigger_timeout">trigger_timeout</a> (10s)</b>
- The time limit for sending a trigger to a Postfix daemon (for
+ The time limit for sending a trigger to a Postfix daemon (for
example, the <a href="pickup.8.html"><b>pickup</b>(8)</a> or <a href="qmgr.8.html"><b>qmgr</b>(8)</a> daemon).
Available in Postfix version 2.2 and later:
.IP "\fBalternate_config_directories (empty)\fR"
A list of non\-default Postfix configuration directories that may
be specified with "\-c config_directory" on the command line (in the
-case of \fBsendmail\fR(1), with "\-C config_directory"), or via the MAIL_CONFIG
+case of \fBsendmail\fR(1), with the "\-C" option), or via the MAIL_CONFIG
environment parameter.
.IP "\fBconfig_directory (see 'postconf -d' output)\fR"
The default location of the Postfix main.cf and master.cf
Optional list of destinations that are eligible for per\-destination
logfiles with mail that is queued to those destinations.
.IP "\fBimport_environment (see 'postconf -d' output)\fR"
-The list of environment parameters that a Postfix process will
-import from a non\-Postfix parent process.
+The list of environment parameters that a privileged Postfix
+process will import from a non\-Postfix parent process, or name=value
+environment overrides.
.IP "\fBqueue_directory (see 'postconf -d' output)\fR"
The location of the Postfix top\-level queue directory.
.IP "\fBsyslog_facility (mail)\fR"
authentication and DNSSEC support is available with Postfix 2.11
and later. </dd>
-<dt><b><a href="TLS_README.html#client_tls_fingerprint">fingerprint</a></b></dt>
+<dt><b><a href="TLS_README.html#client_tls_fprint">fingerprint</a></b></dt>
<dd>Certificate fingerprint
verification. Available with Postfix 2.5 and later. At this security
level, there are no trusted Certification Authorities. The certificate
(DANE) TLS authentication is available with Postfix 2.11 and later.
</dd>
-<dt><b><a href="TLS_README.html#client_tls_fingerprint">fingerprint</a></b></dt>
+<dt><b><a href="TLS_README.html#client_tls_fprint">fingerprint</a></b></dt>
<dd>Certificate fingerprint verification.
At this security level, there are no trusted Certification Authorities.
The certificate trust chain, expiration date, etc., are
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20170924"
+#define MAIL_RELEASE_DATE "20171009"
#define MAIL_VERSION_NUMBER "3.3"
#ifdef SNAPSHOT
/* .IP "\fBalternate_config_directories (empty)\fR"
/* A list of non-default Postfix configuration directories that may
/* be specified with "-c config_directory" on the command line (in the
-/* case of \fBsendmail\fR(1), with "-C config_directory"), or via the MAIL_CONFIG
+/* case of \fBsendmail\fR(1), with the "-C" option), or via the MAIL_CONFIG
/* environment parameter.
/* .IP "\fBconfig_directory (see 'postconf -d' output)\fR"
/* The default location of the Postfix main.cf and master.cf
/* Optional list of destinations that are eligible for per-destination
/* logfiles with mail that is queued to those destinations.
/* .IP "\fBimport_environment (see 'postconf -d' output)\fR"
-/* The list of environment parameters that a Postfix process will
-/* import from a non-Postfix parent process.
+/* The list of environment parameters that a privileged Postfix
+/* process will import from a non-Postfix parent process, or name=value
+/* environment overrides.
/* .IP "\fBqueue_directory (see 'postconf -d' output)\fR"
/* The location of the Postfix top-level queue directory.
/* .IP "\fBsyslog_facility (mail)\fR"
#include <time.h>
#include <string.h>
#include <sysexits.h>
+#include <errno.h>
/* Utility library. */
}
queue_size += showq_message(showq_stream);
file_count++;
- vstream_fflush(VSTREAM_OUT);
+ if (vstream_fflush(VSTREAM_OUT)) {
+ if (errno != EPIPE)
+ msg_fatal_status(EX_IOERR, "output write error: %m");
+ return;
+ }
}
if (showq_status < 0)
msg_fatal_status(EX_SOFTWARE, "malformed showq server response");
queue_size / 1024, file_count,
file_count == 1 ? "" : "s");
}
- vstream_fflush(VSTREAM_OUT);
+ if (vstream_fflush(VSTREAM_OUT) && errno != EPIPE)
+ msg_fatal_status(EX_IOERR, "output write error: %m");
}
#include <string.h>
#include <sysexits.h>
#include <ctype.h>
+#include <errno.h>
/* Utility library. */
json_quote(quote_buf, STR(addr)));
/*
- Read zero or more (recipient, reason) pair(s) until attr_scan_more()
+ * Read zero or more (recipient, reason) pair(s) until attr_scan_more()
* consumes a terminator. If the showq daemon messes up, don't try to
* resynchronize.
*/
if (showq_status < 0)
msg_fatal_status(EX_SOFTWARE, "malformed showq server response");
vstream_printf("}\n");
- vstream_fflush(VSTREAM_OUT);
+ if (vstream_fflush(VSTREAM_OUT) && errno != EPIPE)
+ msg_fatal_status(EX_IOERR, "output write error: %m");
}
/* showq_json - streaming JSON-format output adapter */
int showq_status;
/*
- * Emit zero or more queue file objects until attr_scan_more()
- * consumes a terminator.
+ * Emit zero or more queue file objects until attr_scan_more() consumes a
+ * terminator.
*/
- while ((showq_status = attr_scan_more(showq_stream)) > 0) {
+ while ((showq_status = attr_scan_more(showq_stream)) > 0
+ && vstream_ferror(VSTREAM_OUT) == 0) {
format_json(showq_stream);
}
if (showq_status < 0)
/* set_issuer - set issuer DN to match akid if specified */
-static int set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid)
+static int set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid, X509_NAME *subj)
{
X509_NAME *name = akid_issuer_name(akid);
*/
if (name)
return (X509_set_issuer_name(cert, name));
- return (X509_set_issuer_name(cert, X509_get_subject_name(cert)));
+ return (X509_set_issuer_name(cert, subj));
}
/* grow_chain - add certificate to trusted or untrusted chain */
*/
if (!X509_set_version(cert, 2)
|| !set_serial(cert, akid, subject)
- || !set_issuer_name(cert, akid)
+ || !set_issuer_name(cert, akid, name)
|| !X509_gmtime_adj(X509_getm_notBefore(cert), -30 * 86400L)
|| !X509_gmtime_adj(X509_getm_notAfter(cert), 30 * 86400L)
|| !X509_set_subject_name(cert, name)
#include <mail_conf.h>
#include <msg_vstream.h>
+#if OPENSSL_VERSION_NUMBER < 0x10002000L
+#define SSL_get0_param(s) ((s)->param)
+#endif
+
static int verify_chain(SSL *ssl, x509_stack_t *chain, TLS_SESS_STATE *tctx)
{
int ret;
projects / thirdparty / postfix.git / commitdiff
