postfix-2.9.10

diff --git a/postfix/HISTORY b/postfix/HISTORY
index d4efeec4d2cc414003d5a23b7f69d86e98038ef2..66c177079ac1529b88cebb47b6ed128ad8e9e5e4 100644 (file)
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -17867,3 +17867,41 @@ Apologies for any names omitted.
 20140104
 
        Bugfix: malformed error message. File: conf/post-install.
+
+20140116
+
+       Workaround: prepend "-I. -I../../include" to CCARGS, to
+       avoid name clashes with non-Postfix header files. File:
+       makedefs.
+
+20140223
+
+       Logging: the TLS client logged that an "Untrusted" TLS
+       connection was established instead of "Anonymous".  Viktor
+       Dukhovni. File: tls/tls_client.c.
+
+20140619
+
+       Bugfix (introduced: 2001): qmqpd null pointer bug when it
+       logs a lost connection while not in a mail transaction.
+       Reported by Michal Adamek. File: qmqpd/qmqpd.c.
+
+20140920
+
+       Bugfix (introduced: 20080212): incorrect client name in
+       reject messages from check_reverse_client_hostname_access
+       and check_reverse_client_hostname_{mx,ns}_access.  They
+       replied with the verified client name, instead of the name
+       that was rejected.  Problem reported by Reindl Harald. File:
+       smtpd/smtpd_check.c.
+
+20141012
+
+       Bugfix (introduced: Postfix 2.3): the PREPEND access/policy
+       action added headers ABOVE Postfix's own Received: header,
+       exposing Postfix's own Received: header to Milters (protocol
+       violation) and hiding the PREPENDed header from Milters.
+       The latter caused problems for DMARC implementations with
+       SPF policy plus DKIM Milter.  PREPENDed headers are now
+       added BELOW Postfix's own Received: header and remain visible
+       to Milters. File: smtpd/smtpd.c.

diff --git a/postfix/makedefs b/postfix/makedefs
index 79933986e743464c6d8df58a4006c56faa5939a1..ed1719a867049bbb954f3ff41212f80d4fe5e279 100644 (file)
--- a/postfix/makedefs
+++ b/postfix/makedefs
@@ -669,6 +669,9 @@ export SYSTYPE AR ARFL RANLIB SYSLIBS CC OPT DEBUG AWK OPTS
 # needed before the code stabilizes.
 #CCARGS="$CCARGS -DNONPROD"
 
+# Workaround.
+CCARGS="-I. -I../../include $CCARGS"
+
 sed 's/  / /g' <<EOF
 SYSTYPE        = $SYSTYPE
 AR     = $AR

diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 1ae1520ff1a925aceb3fb1058b7693861a479aad..1fe1f8f674c904e75665edba09553fb3c0eea3ac 100644 (file)
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE      "20140116"
-#define MAIL_VERSION_NUMBER    "2.9.9"
+#define MAIL_RELEASE_DATE      "20141013"
+#define MAIL_VERSION_NUMBER    "2.9.10"
 
 #ifdef SNAPSHOT
 # define MAIL_VERSION_DATE     "-" MAIL_RELEASE_DATE

diff --git a/postfix/src/qmqpd/qmqpd.c b/postfix/src/qmqpd/qmqpd.c
index 559c2e0996d86945ab300a835ebb05c55c73fc8c..7c6ca56efa9fa6afcb0521af7b71e47c340e4c2e 100644 (file)
--- a/postfix/src/qmqpd/qmqpd.c
+++ b/postfix/src/qmqpd/qmqpd.c
@@ -706,7 +706,8 @@ static void qmqpd_proto(QMQPD_STATE *state)
      */
     if (state->reason && state->where)
        msg_info("%s: %s: %s while %s",
-             state->queue_id, state->namaddr, state->reason, state->where);
+                state->queue_id ? state->queue_id : "NOQUEUE",
+                state->namaddr, state->reason, state->where);
 }
 
 /* qmqpd_service - service one client */

diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c
index 2fc7a8f11044997777e2c636e3b1d78f873ab9c9..47fc52172f8c38de635c1b8428b37cf0c669ecf8 100644 (file)
--- a/postfix/src/smtpd/smtpd.c
+++ b/postfix/src/smtpd/smtpd.c
@@ -2940,13 +2940,6 @@ static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
        rec_fputs(state->cleanup, REC_TYPE_MESG, "");
     }
 
-    /*
-     * PREPEND message headers.
-     */
-    if (state->prepend)
-       for (cpp = state->prepend->argv; *cpp; cpp++)
-           out_fprintf(out_stream, REC_TYPE_NORM, "%s", *cpp);
-
     /*
      * Suppress our own Received: header in the unlikely case that we are an
      * intermediate proxy.
@@ -3036,6 +3029,18 @@ static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
                    "\t(envelope-from %s)", STR(state->buffer));
 #endif
     }
+
+    /*
+     * PREPEND message headers below our own Received: header. According
+     * https://www.milter.org/developers/api/smfi_insheader, Milters see only
+     * headers that have been sent by the SMTP client and those header
+     * modifications by earlier filters. Based on this we allow Milters to
+     * see headers added by access map or by policy service.
+     */
+    if (state->prepend)
+       for (cpp = state->prepend->argv; *cpp; cpp++)
+           out_fprintf(out_stream, REC_TYPE_NORM, "%s", *cpp);
+
     smtpd_chat_reply(state, "354 End data with <CR><LF>.<CR><LF>");
     state->where = SMTPD_AFTER_DATA;
 

diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c
index 341ae3d4242fb77e7c5ce32677122fa86ea129c1..836b843f0285c34a82324dc6a2319b72c4a90be4 100644 (file)
--- a/postfix/src/smtpd/smtpd_check.c
+++ b/postfix/src/smtpd/smtpd_check.c
@@ -3722,7 +3722,7 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
                                         SMTPD_NAME_CLIENT, def_acl);
        } else if (is_map_command(state, name, CHECK_REVERSE_CLIENT_ACL, &cpp)) {
            status = check_namadr_access(state, *cpp, state->reverse_name, state->addr,
-                                        FULL, &found, state->namaddr,
+                                        FULL, &found, state->reverse_name,
                                         SMTPD_NAME_REV_CLIENT, def_acl);
            forbid_whitelist(state, name, status, state->reverse_name);
        } else if (strcasecmp(name, REJECT_MAPS_RBL) == 0) {
@@ -3789,14 +3789,14 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
        } else if (is_map_command(state, name, CHECK_REVERSE_CLIENT_NS_ACL, &cpp)) {
            if (strcasecmp(state->reverse_name, "unknown") != 0) {
                status = check_server_access(state, *cpp, state->reverse_name,
-                                            T_NS, state->namaddr,
+                                            T_NS, state->reverse_name,
                                             SMTPD_NAME_REV_CLIENT, def_acl);
                forbid_whitelist(state, name, status, state->reverse_name);
            }
        } else if (is_map_command(state, name, CHECK_REVERSE_CLIENT_MX_ACL, &cpp)) {
            if (strcasecmp(state->reverse_name, "unknown") != 0) {
                status = check_server_access(state, *cpp, state->reverse_name,
-                                            T_MX, state->namaddr,
+                                            T_MX, state->reverse_name,
                                             SMTPD_NAME_REV_CLIENT, def_acl);
                forbid_whitelist(state, name, status, state->reverse_name);
            }

diff --git a/postfix/src/tls/tls_client.c b/postfix/src/tls/tls_client.c
index 1a1e305cfa5096df419a80c7d455c198f6e1c390..d78bac356f7c3b16a40e7884e6f58d1ef1e09b32 100644 (file)
--- a/postfix/src/tls/tls_client.c
+++ b/postfix/src/tls/tls_client.c
@@ -1044,7 +1044,9 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props)
      */
     if (log_mask & TLS_LOG_SUMMARY)
        msg_info("%s TLS connection established to %s: %s with cipher %s "
-             "(%d/%d bits)", TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" :
+                "(%d/%d bits)",
+                !TLS_CERT_IS_PRESENT(TLScontext) ? "Anonymous" :
+                TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" :
                 TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : "Untrusted",
              props->namaddr, TLScontext->protocol, TLScontext->cipher_name,
                 TLScontext->cipher_usebits, TLScontext->cipher_algbits);