postfix-2.8.18

diff --git a/postfix/HISTORY b/postfix/HISTORY
index af48d17e617c0d01ef20939e9b505869a6c5fa18..c98975b6682fdf5b85faf1ab00233efdb6df3e8b 100644 (file)
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -16971,3 +16971,41 @@ Apologies for any names omitted.
 20140104
 
        Bugfix: malformed error message. File: conf/post-install.
+
+20140116
+
+       Workaround: prepend "-I. -I../../include" to CCARGS, to
+       avoid name clashes with non-Postfix header files. File:
+       makedefs.
+
+20140223
+
+       Logging: the TLS client logged that an "Untrusted" TLS
+       connection was established instead of "Anonymous".  Viktor
+       Dukhovni. File: tls/tls_client.c.
+
+20140619
+
+       Bugfix (introduced: 2001): qmqpd null pointer bug when it
+       logs a lost connection while not in a mail transaction.
+       Reported by Michal Adamek. File: qmqpd/qmqpd.c.
+
+20140920
+
+       Bugfix (introduced: 20080212): incorrect client name in
+       reject messages from check_reverse_client_hostname_access
+       and check_reverse_client_hostname_{mx,ns}_access.  They
+       replied with the verified client name, instead of the name
+       that was rejected.  Problem reported by Reindl Harald. File:
+       smtpd/smtpd_check.c.
+
+20141012
+
+       Bugfix (introduced: Postfix 2.3): the PREPEND access/policy
+       action added headers ABOVE Postfix's own Received: header,
+       exposing Postfix's own Received: header to Milters (protocol
+       violation) and hiding the PREPENDed header from Milters.
+       The latter caused problems for DMARC implementations with
+       SPF policy plus DKIM Milter.  PREPENDed headers are now
+       added BELOW Postfix's own Received: header and remain visible
+       to Milters. File: smtpd/smtpd.c.

diff --git a/postfix/makedefs b/postfix/makedefs
index bac97ea555a9f55d209e8f9524e34352bad7f113..11fb06a683b355c4499c6415202c581427a7e766 100644 (file)
--- a/postfix/makedefs
+++ b/postfix/makedefs
@@ -658,6 +658,9 @@ export SYSTYPE AR ARFL RANLIB SYSLIBS CC OPT DEBUG AWK OPTS
 # needed before the code stabilizes.
 #CCARGS="$CCARGS -DNONPROD"
 
+# Workaround.
+CCARGS="-I. -I../../include $CCARGS"
+
 sed 's/  / /g' <<EOF
 SYSTYPE        = $SYSTYPE
 AR     = $AR

diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index cbaa151a5c349ba963d3ab3b74917ffbf06fde23..6f7098f922664729af9dcd64bac24587505b9875 100644 (file)
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE      "20140116"
-#define MAIL_VERSION_NUMBER    "2.8.17"
+#define MAIL_RELEASE_DATE      "20141013"
+#define MAIL_VERSION_NUMBER    "2.8.18"
 
 #ifdef SNAPSHOT
 # define MAIL_VERSION_DATE     "-" MAIL_RELEASE_DATE

diff --git a/postfix/src/qmqpd/qmqpd.c b/postfix/src/qmqpd/qmqpd.c
index 4c5c6cfa8ad330ff9d507e7576ead5714fc561e2..877a1eca49166a9784cbcc828669c35e2621a8af 100644 (file)
--- a/postfix/src/qmqpd/qmqpd.c
+++ b/postfix/src/qmqpd/qmqpd.c
@@ -700,7 +700,8 @@ static void qmqpd_proto(QMQPD_STATE *state)
      */
     if (state->reason && state->where)
        msg_info("%s: %s: %s while %s",
-             state->queue_id, state->namaddr, state->reason, state->where);
+                state->queue_id ? state->queue_id : "NOQUEUE",
+                state->namaddr, state->reason, state->where);
 }
 
 /* qmqpd_service - service one client */

diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c
index 218836d494fc69dade00678b766001c169a65af7..294986c235d8e070dd174f4e2b6829ec9455ca0e 100644 (file)
--- a/postfix/src/smtpd/smtpd.c
+++ b/postfix/src/smtpd/smtpd.c
@@ -2829,13 +2829,6 @@ static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
        rec_fputs(state->cleanup, REC_TYPE_MESG, "");
     }
 
-    /*
-     * PREPEND message headers.
-     */
-    if (state->prepend)
-       for (cpp = state->prepend->argv; *cpp; cpp++)
-           out_fprintf(out_stream, REC_TYPE_NORM, "%s", *cpp);
-
     /*
      * Suppress our own Received: header in the unlikely case that we are an
      * intermediate proxy.
@@ -2926,6 +2919,18 @@ static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
                    "\t(envelope-from %s)", STR(state->buffer));
 #endif
     }
+
+    /*
+     * PREPEND message headers below our own Received: header. According
+     * https://www.milter.org/developers/api/smfi_insheader, Milters see only
+     * headers that have been sent by the SMTP client and those header
+     * modifications by earlier filters. Based on this we allow Milters to
+     * see headers added by access map or by policy service.
+     */
+    if (state->prepend)
+       for (cpp = state->prepend->argv; *cpp; cpp++)
+           out_fprintf(out_stream, REC_TYPE_NORM, "%s", *cpp);
+
     smtpd_chat_reply(state, "354 End data with <CR><LF>.<CR><LF>");
     state->where = SMTPD_AFTER_DATA;
 

diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c
index 40780d778b4529c56a418135db6fa597a2609406..28c8308411d2bf5f3f92ade5999e39d12bc1c095 100644 (file)
--- a/postfix/src/smtpd/smtpd_check.c
+++ b/postfix/src/smtpd/smtpd_check.c
@@ -3697,7 +3697,7 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
                                         SMTPD_NAME_CLIENT, def_acl);
        } else if (is_map_command(state, name, CHECK_REVERSE_CLIENT_ACL, &cpp)) {
            status = check_namadr_access(state, *cpp, state->reverse_name, state->addr,
-                                        FULL, &found, state->namaddr,
+                                        FULL, &found, state->reverse_name,
                                         SMTPD_NAME_REV_CLIENT, def_acl);
            forbid_whitelist(state, name, status, state->reverse_name);
        } else if (strcasecmp(name, REJECT_MAPS_RBL) == 0) {
@@ -3764,14 +3764,14 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
        } else if (is_map_command(state, name, CHECK_REVERSE_CLIENT_NS_ACL, &cpp)) {
            if (strcasecmp(state->reverse_name, "unknown") != 0) {
                status = check_server_access(state, *cpp, state->reverse_name,
-                                            T_NS, state->namaddr,
+                                            T_NS, state->reverse_name,
                                             SMTPD_NAME_REV_CLIENT, def_acl);
                forbid_whitelist(state, name, status, state->reverse_name);
            }
        } else if (is_map_command(state, name, CHECK_REVERSE_CLIENT_MX_ACL, &cpp)) {
            if (strcasecmp(state->reverse_name, "unknown") != 0) {
                status = check_server_access(state, *cpp, state->reverse_name,
-                                            T_MX, state->namaddr,
+                                            T_MX, state->reverse_name,
                                             SMTPD_NAME_REV_CLIENT, def_acl);
                forbid_whitelist(state, name, status, state->reverse_name);
            }

diff --git a/postfix/src/tls/tls_client.c b/postfix/src/tls/tls_client.c
index aacd74adfca0b889a55a5ed297206f40e71d01bc..5137f92bf4922ad0b71dea2d023f249ed2514aa2 100644 (file)
--- a/postfix/src/tls/tls_client.c
+++ b/postfix/src/tls/tls_client.c
@@ -983,7 +983,9 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props)
      */
     if (props->log_level >= 1)
        msg_info("%s TLS connection established to %s: %s with cipher %s "
-             "(%d/%d bits)", TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" :
+                "(%d/%d bits)",
+                !TLS_CERT_IS_PRESENT(TLScontext) ? "Anonymous" :
+                TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" :
                 TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : "Untrusted",
              props->namaddr, TLScontext->protocol, TLScontext->cipher_name,
                 TLScontext->cipher_usebits, TLScontext->cipher_algbits);