tls/tls_fprint.c evaluated its argument unconditionally;
it should evaluate the argument only if there was no prior
error. Found during code review. File: tls/tls_fprint.c.
+
+20221215
+
+ Foolproofing: postscreen segfault with postscreen_dnsbl_threshold
+ < 1. It should reject such input with a fatal error instead.
+ Discovered by Benny Pedersen. File: postscreen/postscreen.c.
+
+ Documentation: replaced instances of '.domain' in some
+ examples; clarified that bcc maps are indexed by envelope
+ address; lmtp_line_length_limit default wasn't updated to
+ 998. File: proto/postconf.proto.
+
+20221227
+
+ Documentation: the mysql_table(5) manpage did not document
+ the tls_ciphers feature that was added in Postfix 2.11.
+ File: proto/mysql_table.
+
+ Cleanup: added a pre-release check that the parameter lists
+ in the proto/*_table documentation match the global/dict*.c
+ implementations. Files: Makefile.in, mantools/check-table-proto
+
+ Documentation: consistent xxxx_table formatting to make
+ parameter documentation easier to match against the
+ corresponding implementation. Files: proto/mysql_table,
+ proto/pgsql_table, proto/ldap_table.
+
+ Typofixes for changes made 20221207. File: tls/tls_fprint.c.
# Some checks require a bin/postconf executable.
pre-release-checks: typo-check missing-proxy-read-maps-check \
postlink-check postfix-files-check check-spell-history \
- check-double-history
+ check-double-history check-table-proto
postfix-files-check:
mantools/check-postfix-files | diff /dev/null -
check-double-history:
mantools/check-double-history | diff /dev/null -
+check-table-proto:
+ mantools/check-table-proto | diff /dev/null -
+
# The build-time shlib_directory setting must take precedence over
# the installed main.cf settings, otherwise we can't update an
# installed system from dynamicmaps=yes<->dynamicmaps=no or from
default_transport_maps? This would simplify configuration.
Add a pointer to
+ https://fabianlee.org/2019/10/23/docker-running-a-postfix-container-for-testing-mail-during-development/
+ and https://github.com/docker-mailserver/docker-mailserver
+
+ Add a pointer to
+ https://github.com/tarickb/sasl-xoauth2 and/or
http://mmogilvi.users.sourceforge.net/software/oauthbearer.html
in documentation or on-line howtos.
- Read http://mmogilvi.users.sourceforge.net/software/oauthbearer.html
- and see how we can improve on the Postfix side.
+ Read the above links and see how we can improve usability on
+ the Postfix side.
Add verp=+= to the qmgr "from=" logging. This is already
implemented but not yet integrated.
be removed in a future Postfix version.
<b>OTHER OBSOLETE FEATURES</b>
- For backwards compatibility with the pre 2.2 LDAP clients, <b>result_fil-</b>
- <b>ter</b> can for now be used instead of <b>result_format</b>, when the latter
- parameter is not also set. The new name better reflects the function
- of the parameter. This compatibility interface may be removed in a
- future release.
+ <b>result_filter (No default)</b>
+ For backwards compatibility with the pre 2.2 LDAP clients,
+ <b>result_filter</b> can for now be used instead of <b>result_format</b>, when
+ the latter parameter is not also set. The new name better
+ reflects the function of the parameter. This compatibility
+ interface may be removed in a future release.
<b>SEE ALSO</b>
<a href="postmap.1.html">postmap(1)</a>, Postfix lookup table manager
TCP you have to specify
hosts = 127.0.0.1
- <b>user, password</b>
+ <b>user</b>
+
+ <b>password</b>
The user name and password to log into the mysql server. Exam-
ple:
user = someone
This parameter is available with Postfix 2.11 and later.
+ <b>tls_ciphers</b>
+ The list of permissible ciphers for SSL encryption.
+
+ This parameter is available with Postfix 2.11 and later.
+
<b>tls_verify_cert (default: no)</b>
Verify that the server's name matches the common name in the
certificate.
matically closed after being idle for about 1 minute, and are
re-opened as necessary.
- <b>user, password</b>
+ <b>user</b>
+
+ <b>password</b>
The user name and password to log into the pgsql server. Exam-
ple:
user = someone
<pre>
<a href="postconf.5.html#address_verify_sender">address_verify_sender</a> = <>
-<a href="postconf.5.html#address_verify_sender">address_verify_sender</a> = postmaster@my.domain
+<a href="postconf.5.html#address_verify_sender">address_verify_sender</a> = postmaster@<a href="postconf.5.html#mydomain">mydomain</a>
</pre>
<p>
</DD>
<DT><b><a name="lmtp_line_length_limit">lmtp_line_length_limit</a>
-(default: 990)</b></DT><DD>
+(default: 998)</b></DT><DD>
<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_line_length_limit">smtp_line_length_limit</a>
configuration parameter. See there for details. </p>
<p>
Optional BCC (blind carbon-copy) address lookup tables, indexed by
-recipient address. The BCC address (multiple results are not
+envelope recipient address. The BCC address (multiple results are not
supported) is added when mail enters from outside of Postfix.
</p>
(default: empty)</b></DT><DD>
<p> Optional BCC (blind carbon-copy) address lookup tables, indexed
-by sender address. The BCC address (multiple results are not
+by envelope sender address. The BCC address (multiple results are not
supported) is added when mail enters from outside of Postfix. </p>
<p>
</p>
<p>
-Example: you want to rewrite the SENDER address "user@ugly.domain"
-to "user@pretty.domain", while still being able to send mail to
-the RECIPIENT address "user@ugly.domain".
+Example: you want to rewrite the SENDER address "user@ugly.example"
+to "user@pretty.example", while still being able to send mail to
+the RECIPIENT address "user@ugly.example".
</p>
<p>
<a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a> parameters).
<b><a href="postconf.5.html#postscreen_dnsbl_reply_map">postscreen_dnsbl_reply_map</a> (empty)</b>
- A mapping from actual DNSBL domain name which includes a secret
- password, to the DNSBL domain name that postscreen will reply
- with when it rejects mail.
+ A mapping from an actual DNSBL domain name which includes a
+ secret password, to the DNSBL domain name that postscreen will
+ reply with when it rejects mail.
<b><a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> (empty)</b>
- Optional list of DNS allow/denylist domains, filters and weight
- factors.
+ Optional list of patterns with DNS allow/denylist domains, fil-
+ ters and weight factors.
<b><a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a> (1)</b>
The inclusive lower bound for blocking a remote SMTP client,
.nf
.ad
.fi
+.IP "\fBresult_filter (No default)\fR"
For backwards compatibility with the pre
2.2 LDAP clients, \fBresult_filter\fR can for now be used instead
of \fBresult_format\fR, when the latter parameter is not also set.
.nf
hosts = 127.0.0.1
.fi
-.IP "\fBuser, password\fR"
+.IP "\fBuser\fR"
+.IP "\fBpassword\fR"
The user name and password to log into the mysql server.
Example:
.nf
in separate individual files.
.sp
This parameter is available with Postfix 2.11 and later.
+.IP "\fBtls_ciphers\fR"
+The list of permissible ciphers for SSL encryption.
+.sp
+This parameter is available with Postfix 2.11 and later.
.IP "\fBtls_verify_cert (default: no)\fR"
Verify that the server's name matches the common name in the
certificate.
The hosts are tried in random order. The connections are
automatically closed after being idle for about 1 minute,
and are re\-opened as necessary.
-.IP "\fBuser, password\fR"
+.IP "\fBuser\fR"
+.IP "\fBpassword\fR"
The user name and password to log into the pgsql server.
Example:
.nf
.na
.ft C
address_verify_sender = <>
-address_verify_sender = postmaster@my.domain
+address_verify_sender = postmaster@mydomain
.fi
.ad
.ft R
.PP
Time units: s (seconds), m (minutes), h (hours), d (days), w
(weeks). The default time unit is s (seconds).
-.SH lmtp_line_length_limit (default: 990)
+.SH lmtp_line_length_limit (default: 998)
The LMTP\-specific version of the smtp_line_length_limit
configuration parameter. See there for details.
.PP
This feature is available in Postfix 2.1 and later.
.SH recipient_bcc_maps (default: empty)
Optional BCC (blind carbon\-copy) address lookup tables, indexed by
-recipient address. The BCC address (multiple results are not
+envelope recipient address. The BCC address (multiple results are not
supported) is added when mail enters from outside of Postfix.
.PP
Specify zero or more "type:name" lookup tables, separated by
in Postfix version 2.3.
.SH sender_bcc_maps (default: empty)
Optional BCC (blind carbon\-copy) address lookup tables, indexed
-by sender address. The BCC address (multiple results are not
+by envelope sender address. The BCC address (multiple results are not
supported) is added when mail enters from outside of Postfix.
.PP
Specify zero or more "type:name" lookup tables, separated by
sender addresses.
The table format and lookups are documented in \fBcanonical\fR(5).
.PP
-Example: you want to rewrite the SENDER address "user@ugly.domain"
-to "user@pretty.domain", while still being able to send mail to
-the RECIPIENT address "user@ugly.domain".
+Example: you want to rewrite the SENDER address "user@ugly.example"
+to "user@pretty.example", while still being able to send mail to
+the RECIPIENT address "user@ugly.example".
.PP
Note: $sender_canonical_maps is processed before $canonical_maps.
.PP
with the postscreen_dnsbl_sites and postscreen_dnsbl_threshold
parameters).
.IP "\fBpostscreen_dnsbl_reply_map (empty)\fR"
-A mapping from actual DNSBL domain name which includes a secret
+A mapping from an actual DNSBL domain name which includes a secret
password, to the DNSBL domain name that postscreen will reply with
when it rejects mail.
.IP "\fBpostscreen_dnsbl_sites (empty)\fR"
-Optional list of DNS allow/denylist domains, filters and weight
+Optional list of patterns with DNS allow/denylist domains, filters
+and weight
factors.
.IP "\fBpostscreen_dnsbl_threshold (1)\fR"
The inclusive lower bound for blocking a remote SMTP client, based on
--- /dev/null
+#!/bin/sh
+
+# Reports database configuration settings without proto/xxx_table documentation
+
+LANG=C; export LANG
+LC_ALL=C; export LC_ALL
+
+trap 'rm -f from-source.tmp from-doc.tmp 2>/dev/null' 0 1 2 3 15
+
+# For each database type, extract parameter names from its postconf
+# include file, and compare the result against a list of names from
+# the corresponding proto/xxx_table file.
+
+# Force a failure if the pcf*suffixes.h files do not exist. Avoid using
+# bash-specific shell features.
+for map in `(ls src/postconf/pcf*suffixes.h || kill $$) |
+ sed 's;src/postconf/pcf_\(.*\)_suffixes.h$;\1;'`
+do
+ # Extract parameter names from source code.
+ tr -cd '[A-zA-z_0-9\12]' < src/postconf/pcf_${map}_suffixes.h |
+ sort > from-source.tmp
+ # Extract parameter names from documentation.
+ sed -n '/^# *\.IP *"*\\fB\([a-zA-Z_0-9][a-zA-Z_0-9]*\).*/{
+ s//\1/
+ p
+ }' proto/${map}_table | sort > from-doc.tmp
+ cmp -s from-source.tmp from-doc.tmp || {
+ echo Settings in global/dict_${map}.c and proto/${map}_table differ.
+ diff from-source.tmp from-doc.tmp
+ }
+done
+
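Review bot: the `|| kill $$` on the ls line does not abort the script as the comment above it intends, because `trap 'rm -f ...' 0 1 2 3 15` installs a handler for signal 15 that only removes the temp files and then lets the shell carry on; the for loop then runs over an empty word list and the script exits 0 with nothing on stdout, which the Makefile target's `diff /dev/null -` reports as a pass. Suggest a terminating handler for the signals, separate from the EXIT trap, e.g. `trap 'rm -f from-source.tmp from-doc.tmp 2>/dev/null; exit 1' 1 2 3 15`, and an `echo` of a diagnostic to stdout before the kill so that the diff-based check fails as well. Minor: in `tr -cd '[A-zA-z_0-9\12]'` the second range is `A-z`, which also keeps the characters between the two letter cases (`[`, `\`, `]`, `^`, backquote); `a-zA-Z_0-9` is presumably what was meant and would mirror the `[a-zA-Z_0-9]` pattern used on the documentation side.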
# OTHER OBSOLETE FEATURES
# .ad
# .fi
+# .IP "\fBresult_filter (No default)\fR"
# For backwards compatibility with the pre
# 2.2 LDAP clients, \fBresult_filter\fR can for now be used instead
# of \fBresult_format\fR, when the latter parameter is not also set.
# .nf
# hosts = 127.0.0.1
# .fi
-# .IP "\fBuser, password\fR"
+# .IP "\fBuser\fR"
+# .IP "\fBpassword\fR"
# The user name and password to log into the mysql server.
# Example:
# .nf
# in separate individual files.
# .sp
# This parameter is available with Postfix 2.11 and later.
+# .IP "\fBtls_ciphers\fR"
+# The list of permissible ciphers for SSL encryption.
+# .sp
+# This parameter is available with Postfix 2.11 and later.
# .IP "\fBtls_verify_cert (default: no)\fR"
# Verify that the server's name matches the common name in the
# certificate.
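Review bot: the new tls_ciphers entry says only "The list of permissible ciphers for SSL encryption" and leaves the reader without the syntax of the value (separator, whether it is handed unchanged to the MySQL client library); add that, since a wrong cipher string silently weakens or breaks the connection. As the parameter and its siblings carry a tls_ prefix, "TLS" would be the consistent term. The same sentence is repeated in the mysql_table(5) html and man hunks above, so the fix belongs here in the proto source.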
# The hosts are tried in random order. The connections are
# automatically closed after being idle for about 1 minute,
# and are re-opened as necessary.
-# .IP "\fBuser, password\fR"
+# .IP "\fBuser\fR"
+# .IP "\fBpassword\fR"
# The user name and password to log into the pgsql server.
# Example:
# .nf
<pre>
address_verify_sender = <>
-address_verify_sender = postmaster@my.domain
+address_verify_sender = postmaster@mydomain
</pre>
<p>
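Review bot: in the replacement example, `postmaster@mydomain` reads as a literal domain called "mydomain" rather than as a reference to the mydomain parameter; the html rendering above turns it into a link, but the man page rendering shows the bare text. Writing it as `postmaster@$mydomain` makes the example a valid main.cf value that expands to the local domain and still achieves the goal of dropping the `my.domain` placeholder.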
<p>
Optional BCC (blind carbon-copy) address lookup tables, indexed by
-recipient address. The BCC address (multiple results are not
+envelope recipient address. The BCC address (multiple results are not
supported) is added when mail enters from outside of Postfix.
</p>
%PARAM sender_bcc_maps
<p> Optional BCC (blind carbon-copy) address lookup tables, indexed
-by sender address. The BCC address (multiple results are not
+by envelope sender address. The BCC address (multiple results are not
supported) is added when mail enters from outside of Postfix. </p>
<p>
</p>
<p>
-Example: you want to rewrite the SENDER address "user@ugly.domain"
-to "user@pretty.domain", while still being able to send mail to
-the RECIPIENT address "user@ugly.domain".
+Example: you want to rewrite the SENDER address "user@ugly.example"
+to "user@pretty.example", while still being able to send mail to
+the RECIPIENT address "user@ugly.example".
</p>
<p>
<p> This feature is available in Postfix 2.3 and later. </p>
-%PARAM lmtp_line_length_limit 990
+%PARAM lmtp_line_length_limit 998
<p> The LMTP-specific version of the smtp_line_length_limit
configuration parameter. See there for details. </p>
src global mail_dict c src postalias postalias c
src postmap postmap c
manpage File postqueue postqueue c
+ Fix by Viktor Dukhovni Files tls tls h tls tls_dane c
+ Discovered by Benny Pedersen File postscreen postscreen c
reinit
COMPAR
deduplicate
+digestbyname
+mdctxPtr
Pau
Mahoney
manpages
+Andreas
+Menzel
+Weigel
+checkok
+cipherbyname
+Foolproofing
+Pedersen
+Typofixes
+segfault
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20221207"
+#define MAIL_RELEASE_DATE "20221227"
#define MAIL_VERSION_NUMBER "3.8"
#ifdef SNAPSHOT
/* with the postscreen_dnsbl_sites and postscreen_dnsbl_threshold
/* parameters).
/* .IP "\fBpostscreen_dnsbl_reply_map (empty)\fR"
-/* A mapping from actual DNSBL domain name which includes a secret
+/* A mapping from an actual DNSBL domain name which includes a secret
/* password, to the DNSBL domain name that postscreen will reply with
/* when it rejects mail.
/* .IP "\fBpostscreen_dnsbl_sites (empty)\fR"
-/* Optional list of DNS allow/denylist domains, filters and weight
+/* Optional list of patterns with DNS allow/denylist domains, filters
+/* and weight
/* factors.
/* .IP "\fBpostscreen_dnsbl_threshold (1)\fR"
/* The inclusive lower bound for blocking a remote SMTP client, based on
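Review bot: the reflowed postscreen_dnsbl_sites text leaves a one-word continuation line (`/* and weight` followed by the unchanged `/* factors.`); join them as `filters and weight factors.` on one line so the embedded man source wraps cleanly. The same split is carried into the postscreen(8) man page hunk above.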
0,
};
static const CONFIG_INT_TABLE int_table[] = {
- VAR_PSC_DNSBL_THRESH, DEF_PSC_DNSBL_THRESH, &var_psc_dnsbl_thresh, 0, 0,
+ VAR_PSC_DNSBL_THRESH, DEF_PSC_DNSBL_THRESH, &var_psc_dnsbl_thresh, 1, 0,
VAR_PSC_CMD_COUNT, DEF_PSC_CMD_COUNT, &var_psc_cmd_count, 1, 0,
VAR_SMTPD_CCONN_LIMIT, DEF_SMTPD_CCONN_LIMIT, &var_smtpd_cconn_limit, 0, 0,
0,
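Review bot: raising the minimum for VAR_PSC_DNSBL_THRESH from 0 to 1 addresses the HISTORY entry about a segfault with postscreen_dnsbl_threshold < 1, and the new bound equals the documented default of 1 shown in the postscreen(8) text above, so an unchanged configuration is still accepted. A short comment on this entry saying why 0 is rejected would help the next reader, because the table gives no hint that the bound is a crash guard rather than a policy choice; also confirm that the bound is enforced with a fatal error at daemon startup rather than by clamping, since that is what the HISTORY text promises.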
checkok(md = EVP_get_digestbyname(mdalg));
/*
- * Sanity check: Newer shared libraries could (hypothentical ABI break)
+ * Sanity check: Newer shared libraries could (hypothetical ABI break)
* allow larger digests, we avoid such poison algorithms.
*/
checkok(EVP_MD_size(md) <= EVP_MAX_MD_SIZE);
* panic if the fallback algorithm is not available, as it was verified
* available in tls_client_init() and must not simply vanish. Our
* provider set is not expected to change once the OpenSSL library is
- * initialised.
+ * initialized.
*/
if (tls_digest_byname(mdalg = LN_sha256, &mdctx) == 0
&& tls_digest_byname(mdalg = props->mdalg, &mdctx) == 0)