Cleanup: don't log a "connection reset by peer" warning
when postscreen(8) tries to send a server response. File:
postscreen/postscreen_send.c.
+
+20110225
+
+ Workaround (problem introduced with IPv6 support in Postfix
+ 2.2): the SMTP client did not support mail to [ipv6:ipv6addr].
+ Fix based on a patch by Gurusamy Sarathy (Sophos). File:
+ util/host_port.c and regression test files.
+
+20110227
+
+ Portability: FreeBSD closefrom() support time window. Sahil
+ Tandon. File: util/sys_defs.h.
+
+20110313
+
+ Bugfix (introduced Postfix 2.8): postscreen DNSBL scoring
+ error. When a client disconnected and then reconnected
+ before all DNSBL results for the earlier session arrived,
+ DNSBL results for the earlier session would be added to the
+ score for the later session. Problem report by Larry Vaden.
+ Files: dnsblog/dnsblog.c, postscreen/postscreen_dnsbl.c.
+
+ Cleanup: protocol description in dnsblog(8) manpage. File:
+ dnsblog/dnsblog.c.
+
+20110314
+
+ Portability: the SUN compiler had trouble with a pointer
+ expression of the form ``("text1" "text2") + constant'' so
+ we don't try to be so clever. Fix by Victor Duchovni. File:
+ global/mail_params.h.
The mail_release_date configuration parameter (format: yyyymmdd)
specifies the release date of a stable release or snapshot release.
+Incompatible changes with Postfix 2.8.2
+---------------------------------------
+
+Use "postfix reload" after "make upgrade" on a running Postfix
+system. This is needed because the protocol between postscreen(8)
+and dnsblog(8) has changed.
+
+Postfix 2.8.0 release notes
+---------------------------
+
If you upgrade from Postfix 2.6 or earlier, read RELEASE_NOTES-2.7
before proceeding.
<b>PROTOCOL</b>
With each connection, the <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a> server receives a DNS
- white/blacklist domain name and an IP address. If the
- address is listed under the DNS white/blacklist, the <b>dns-</b>
- <b>blog</b>(8) server logs the match and replies with the query
- arguments plus a non-zero status. Otherwise it replies
- with the query arguments plus a zero status. Finally, The
- <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a> server closes the connection.
+ white/blacklist domain name, IP address, and an ID. If
+ the address is listed under the DNS white/blacklist, the
+ <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a> server logs the match and replies with the
+ query arguments plus an address list with the resulting IP
+ addresses separated by whitespace. Otherwise it replies
+ with the query arguments plus an empty address list.
+ Finally, The <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a> server closes the connection.
<b>DIAGNOSTICS</b>
Problems and transactions are logged to <b>syslogd</b>(8).
<b>CONFIGURATION PARAMETERS</b>
- Changes to <a href="postconf.5.html"><b>main.cf</b></a> are picked up automatically, as <b>dns-</b>
- <b>blog</b>(8) processes run for only a limited amount of time.
+ Changes to <a href="postconf.5.html"><b>main.cf</b></a> are picked up automatically, as <b>dns-</b>
+ <b>blog</b>(8) processes run for only a limited amount of time.
Use the command "<b>postfix reload</b>" to speed up a change.
- The text below provides only a parameter summary. See
+ The text below provides only a parameter summary. See
<a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples.
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
+ The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
<a href="master.5.html">master.cf</a> configuration files.
<b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
- How much time a Postfix daemon process may take to
- handle a request before it is terminated by a
+ How much time a Postfix daemon process may take to
+ handle a request before it is terminated by a
built-in watchdog timer.
<b><a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> (empty)</b>
- Optional list of DNS white/blacklist domains, fil-
+ Optional list of DNS white/blacklist domains, fil-
ters and weight factors.
<b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
over an internal communication channel.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
- The process ID of a Postfix command or daemon
+ The process ID of a Postfix command or daemon
process.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
- The process name of a Postfix command or daemon
+ The process name of a Postfix command or daemon
process.
<b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
- The location of the Postfix top-level queue direc-
+ The location of the Postfix top-level queue direc-
tory.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b>SEE ALSO</b>
syslogd(5), system logging
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>HISTORY</b>
done
;;
AIX.*) case "`uname -v`" in
+ 6) SYSTYPE=AIX6
+ case "$CC" in
+ cc|*/cc|xlc|*/xlc) CCARGS="$CCARGS -w -blibpath:/usr/lib:/lib:/usr/local/lib";;
+ esac
+ CCARGS="$CCARGS -D_ALL_SOURCE -DHAS_POSIX_REGEXP"
+ ;;
5) SYSTYPE=AIX5
case "$CC" in
cc|*/cc|xlc|*/xlc) CCARGS="$CCARGS -w -blibpath:/usr/lib:/lib:/usr/local/lib";;
.ad
.fi
With each connection, the \fBdnsblog\fR(8) server receives
-a DNS white/blacklist domain name and an IP address. If the
-address is listed under the DNS white/blacklist, the
+a DNS white/blacklist domain name, IP address, and an ID.
+If the address is listed under the DNS white/blacklist, the
\fBdnsblog\fR(8) server logs the match and replies with the
-query arguments plus a non-zero status. Otherwise it replies
-with the query arguments plus a zero status. Finally, The
-\fBdnsblog\fR(8) server closes the connection.
+query arguments plus an address list with the resulting IP
+addresses separated by whitespace. Otherwise it replies
+with the query arguments plus an empty address list. Finally,
+The \fBdnsblog\fR(8) server closes the connection.
.SH DIAGNOSTICS
.ad
.fi
/* .ad
/* .fi
/* With each connection, the \fBdnsblog\fR(8) server receives
-/* a DNS white/blacklist domain name and an IP address. If the
-/* address is listed under the DNS white/blacklist, the
+/* a DNS white/blacklist domain name, IP address, and an ID.
+/* If the address is listed under the DNS white/blacklist, the
/* \fBdnsblog\fR(8) server logs the match and replies with the
-/* query arguments plus a non-zero status. Otherwise it replies
-/* with the query arguments plus a zero status. Finally, The
-/* \fBdnsblog\fR(8) server closes the connection.
+/* query arguments plus an address list with the resulting IP
+/* addresses separated by whitespace. Otherwise it replies
+/* with the query arguments plus an empty address list. Finally,
+/* The \fBdnsblog\fR(8) server closes the connection.
/* DIAGNOSTICS
/* Problems and transactions are logged to \fBsyslogd\fR(8).
/* CONFIGURATION PARAMETERS
static void dnsblog_service(VSTREAM *client_stream, char *unused_service,
char **argv)
{
+ int request_id;
/*
* Sanity check. This service takes no command-line arguments.
ATTR_FLAG_MORE | ATTR_FLAG_STRICT,
ATTR_TYPE_STR, MAIL_ATTR_RBL_DOMAIN, rbl_domain,
ATTR_TYPE_STR, MAIL_ATTR_ACT_CLIENT_ADDR, addr,
- ATTR_TYPE_END) == 2) {
+ ATTR_TYPE_INT, MAIL_ATTR_LABEL, &request_id,
+ ATTR_TYPE_END) == 3) {
(void) dnsblog_query(result, STR(rbl_domain), STR(addr));
if (var_dnsblog_delay > 0)
sleep(var_dnsblog_delay);
attr_print(client_stream, ATTR_FLAG_NONE,
ATTR_TYPE_STR, MAIL_ATTR_RBL_DOMAIN, STR(rbl_domain),
ATTR_TYPE_STR, MAIL_ATTR_ACT_CLIENT_ADDR, STR(addr),
+ ATTR_TYPE_INT, MAIL_ATTR_LABEL, request_id,
ATTR_TYPE_STR, MAIL_ATTR_RBL_ADDR, STR(result),
ATTR_TYPE_END);
vstream_fflush(client_stream);
#define DEF_TLS_PREEMPT_CLIST 0
extern bool var_tls_preempt_clist;
-#ifdef USE_TLS
-
- /*
- * The tweak for CVE-2005-2969 is needed in some versions prior to 1.0.0
- */
+ /* The tweak for CVE-2010-4180 is needed in some versions prior to 1.0.1 */
+ /* The tweak for CVE-2005-2969 is needed in some versions prior to 1.0.0 */
+#if defined(USE_TLS) && (OPENSSL_VERSION_NUMBER < 0x1000100fL)
#if (OPENSSL_VERSION_NUMBER < 0x1000000fL)
-#define TLS_BUG_TWEAK_A " CVE-2005-2969"
+#define TLS_BUG_TWEAKS "CVE-2005-2969 CVE-2010-4180"
#else
-#define TLS_BUG_TWEAK_A ""
+#define TLS_BUG_TWEAKS "CVE-2010-4180"
#endif
-
- /*
- * The tweak for CVE-2010-4180 is needed in some versions prior to 1.0.1
- */
-#if (OPENSSL_VERSION_NUMBER < 0x1000100fL)
-#define TLS_BUG_TWEAK_B " CVE-2010-4180"
#else
-#define TLS_BUG_TWEAK_B " "
+#define TLS_BUG_TWEAKS ""
#endif
-#else /* USE_TLS */
-#define TLS_BUG_TWEAK_A ""
-#define TLS_BUG_TWEAK_B " "
-#endif /* USE_TLS */
-
#define VAR_TLS_BUG_TWEAKS "tls_disable_workarounds"
-#define DEF_TLS_BUG_TWEAKS ((TLS_BUG_TWEAK_A TLS_BUG_TWEAK_B)+1)
+#define DEF_TLS_BUG_TWEAKS TLS_BUG_TWEAKS
extern char *var_tls_bug_tweaks;
/*
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20110222"
-#define MAIL_VERSION_NUMBER "2.8.1"
+#define MAIL_RELEASE_DATE "20110316"
+#define MAIL_VERSION_NUMBER "2.8.2-RC1"
#ifdef SNAPSHOT
# define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
int total; /* combined blocklist score */
int refcount; /* score reference count */
int pending_lookups; /* nr of DNS requests in flight */
+ int request_id; /* duplicate suppression */
/* Call-back table support. */
int index; /* next table index */
int limit; /* last valid index */
PSC_DNSBL_HEAD *head;
PSC_DNSBL_SITE *site;
ARGV *reply_argv;
+ int request_id;
PSC_CLEAR_EVENT_REQUEST(vstream_fileno(stream), psc_dnsbl_receive, context);
ATTR_FLAG_STRICT,
ATTR_TYPE_STR, MAIL_ATTR_RBL_DOMAIN, reply_dnsbl,
ATTR_TYPE_STR, MAIL_ATTR_ACT_CLIENT_ADDR, reply_client,
+ ATTR_TYPE_INT, MAIL_ATTR_LABEL, &request_id,
ATTR_TYPE_STR, MAIL_ATTR_RBL_ADDR, reply_addr,
- ATTR_TYPE_END) == 3
+ ATTR_TYPE_END) == 4
&& (score = (PSC_DNSBL_SCORE *)
- htable_find(dnsbl_score_cache, STR(reply_client))) != 0) {
+ htable_find(dnsbl_score_cache, STR(reply_client))) != 0
+ && score->request_id == request_id) {
/*
* Run this response past all applicable DNSBL filters and update the
HTABLE_INFO **ht;
PSC_DNSBL_SCORE *score;
HTABLE_INFO *hash_node;
+ static int request_count;
/*
* Some spambots make several connections at nearly the same time,
if (msg_verbose > 1)
msg_info("%s: create blocklist score for %s", myname, client_addr);
score = (PSC_DNSBL_SCORE *) mymalloc(sizeof(*score));
+ score->request_id = request_count++;
score->dnsbl = 0;
score->total = 0;
score->refcount = 1;
attr_print(stream, ATTR_FLAG_NONE,
ATTR_TYPE_STR, MAIL_ATTR_RBL_DOMAIN, ht[0]->key,
ATTR_TYPE_STR, MAIL_ATTR_ACT_CLIENT_ADDR, client_addr,
+ ATTR_TYPE_INT, MAIL_ATTR_LABEL, score->request_id,
ATTR_TYPE_END);
if (vstream_fflush(stream) != 0) {
msg_warn("%s: error sending to %s service: %m",
#include <host_port.h>
+ /*
+ * Point-fix workaround. The libutil library should be email agnostic, but
+ * we can't rip up the library APIs in the stable releases.
+ */
+#include <string.h>
+#ifdef STRCASECMP_IN_STRINGS_H
+#include <strings.h>
+#endif
+#define IPV6_COL "IPv6:" /* RFC 2821 */
+#define IPV6_COL_LEN (sizeof(IPV6_COL) - 1)
+#define HAS_IPV6_COL(str) (strncasecmp((str), IPV6_COL, IPV6_COL_LEN) == 0)
+
/* host_port - parse string into host and port, destroy string */
const char *host_port(char *buf, char **host, char *def_host,
char **port, char *def_service)
{
char *cp = buf;
+ int ipv6 = 0;
/*
* [host]:port, [host]:, [host].
+ * [ipv6:ipv6addr]:port, [ipv6:ipv6addr]:, [ipv6:ipv6addr].
*/
if (*cp == '[') {
- *host = ++cp;
+ ++cp;
+ if ((ipv6 = HAS_IPV6_COL(cp)) != 0)
+ cp += IPV6_COL_LEN;
+ *host = cp;
if ((cp = split_at(cp, ']')) == 0)
return ("missing \"]\"");
if (*cp && *cp++ != ':')
return ("garbage after \"]\"");
+ if (ipv6 && !valid_ipv6_hostaddr(*host, DONT_GRIPE))
+ return ("malformed IPv6 address");
*port = *cp ? cp : def_service;
}
#define HAS_DUPLEX_PIPE /* 4.1 breaks with kqueue(2) */
#endif
-#if __FreeBSD_version >= 800107 /* safe; don't believe the experts */
+#if (__FreeBSD_version >= 702104 && __FreeBSD_version <= 800000) \
+ || __FreeBSD_version >= 800100
#define HAS_CLOSEFROM
#endif
* AIX: a SYSV-flavored hybrid. NB: fcntl() and flock() access the same
* underlying locking primitives.
*/
-#ifdef AIX5
+#if defined(AIX5) || defined(AIX6)
#define SUPPORTED
#include <sys/types.h>
#define UINT32_TYPE unsigned int
projects / thirdparty / postfix.git / commitdiff
