From: Wietse Venema Date: Sat, 10 Oct 2015 05:00:00 +0000 (-0500) Subject: postfix-3.0.3 X-Git-Tag: v3.0.3^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0e4e613ad71aa42db332ace7d39af35fd7cac530;p=thirdparty%2Fpostfix.git postfix-3.0.3 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index 721de2002..aa689f90d 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY 
@@ -21665,3 +21665,65 @@ Apologies for any names omitted. SSLv2 or SSLv3. See the RELEASE_NOTES file for how to get the old settings back. Files: global/mail_params.h, proto/postconf.proto, and files derived from those. + +20150722 + + The COMPATIBILITY_README text and HTML files were not + installed. File: conf/postfix-files. + +20150903 + + Workaround: disable DNSSEC support for AIX 7x and earlier. + The AIX 6/7 resolver(5) API defines RES_USE_DNSSEC without + defining the "ad" bit. Viktor Dukhovni. Files: makedefs, + proto/INSTALL.html, dns/dns.h. + +20150923 + + Bugfix (introduced: 20120531-617): the Postfix SMTP server + used a larger-than-1 VSTREAM buffer to read the HAProxy + connection hand-off information. This broke TLS wrappermode, + as the TLS helo packet would end up in the plaintext VSTREAM + buffer. Reported by Lukas Erlacher. File: smtpd/smtpd_haproxy.c. + +20150924 + + Bugfix (introduced: 20090216-24): incorrect postmulti error + message. Reported by Patrik Koetter. Fix by Viktor Dukhovni. + File: postmulti/postmulti.c. + + Workaround: don't create a new instance when the template + main.cf and master.cf files are missing, as happens on + Debian-like systems. Viktor Dukhovni. File: conf/postmulti-script. + +20150925 + + Bugfix (introduced: 19970309, fixed 20150421 in development + release): reset errno before calling readdir(), in order + to distinguish between an end-of-directory and an error + condition. File: scandir.c. + +20150930 + + Bugfix (introduced: 20040124): Milter client panic while + adding a header, because the PREPEND action used the same + output function for header_checks and body_checks. Viktor + Dukhovni and Wietse. File: cleanup/cleanup_message.c. + + Bugfix (introduced: 20031128): xtext_unquote() did not + propagate error reports from xtext_unquote_append(), causing + the decoder to return partial ouput, instead of rejecting + malformed input. Fix by Krzysztof Wojta. File: global/xtext.c. 
+ +20151003 + + Bugfix (copied from xtext): uxtext_unquote() did not propagate + error reports from uxtext_unquote_append(), causing the + decoder to return partial output, instead of rejecting + malformed input. Found by searching the code for similar + error patterns as with xtext_unquote(). File: global/uxtext.c. + + Bugfix (introduced: 20141130, fixed around 20150607 in + development release): the DNS multi-query clients forgot + to save and restore h_errno when evaluating the aggregate + result. File: dns/dns_lookup.c. diff --git a/postfix/INSTALL b/postfix/INSTALL index 5e5fa4e90..a17459181 100644 --- a/postfix/INSTALL +++ b/postfix/INSTALL @@ -539,6 +539,9 @@ The following is an extensive list of names and values. || |probably should also override DEF_DB_TYPE as | || |described in section 4.6. | ||_____________________________|______________________________________________| +||-DNO_DNSSEC |Do not build with DNSSEC support, even if the | +|| |resolver library appears to support it. | +||_____________________________|______________________________________________| || |Do not build with Solaris /dev/poll support. | ||-DNO_DEVPOLL |By default, /dev/poll support is compiled in | || |on Solaris versions that are known to support | diff --git a/postfix/README_FILES/INSTALL b/postfix/README_FILES/INSTALL index 401152db5..dac8e8e89 100644 --- a/postfix/README_FILES/INSTALL +++ b/postfix/README_FILES/INSTALL 
@@ -539,6 +539,9 @@ The following is an extensive list of names and values. || |probably should also override DEF_DB_TYPE as | || |described in section 4.6. | |_|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | +||-DNO_DNSSEC |Do not build with DNSSEC support, even if the | +|| |resolver library appears to support it. | +|_|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | || |Do not build with Solaris /dev/poll support. | ||-DNO_DEVPOLL |By default, /dev/poll support is compiled in | || |on Solaris versions that are known to support | diff --git a/postfix/conf/postfix-files b/postfix/conf/postfix-files index b259bca8c..4cb19674b 100644 --- a/postfix/conf/postfix-files +++ b/postfix/conf/postfix-files @@ -274,6 +274,7 @@ $readme_directory/BACKSCATTER_README:f:root:-:644 $readme_directory/BASIC_CONFIGURATION_README:f:root:-:644 $readme_directory/BUILTIN_FILTER_README:f:root:-:644 $readme_directory/CDB_README:f:root:-:644 +$readme_directory/COMPATIBILITY_README:f:root:-:644 $readme_directory/CONNECTION_CACHE_README:f:root:-:644 $readme_directory/CONTENT_INSPECTION_README:f:root:-:644 $readme_directory/DATABASE_README:f:root:-:644 @@ -331,6 +332,7 @@ $html_directory/BACKSCATTER_README.html:f:root:-:644 $html_directory/BASIC_CONFIGURATION_README.html:f:root:-:644 $html_directory/BUILTIN_FILTER_README.html:f:root:-:644 $html_directory/CDB_README.html:f:root:-:644 +$html_directory/COMPATIBILITY_README.html:f:root:-:644 $html_directory/CONNECTION_CACHE_README.html:f:root:-:644 $html_directory/CONTENT_INSPECTION_README.html:f:root:-:644 $html_directory/CYRUS_README.html:f:root:-:644:o diff --git a/postfix/conf/postmulti-script b/postfix/conf/postmulti-script index 349c8941d..b1aea8e0e 100644 --- a/postfix/conf/postmulti-script +++ b/postfix/conf/postmulti-script 
@@ -142,6 +142,11 @@ create|import) fatal "'$config_directory' lacks a master.cf file" } + test -f $meta_directory/main.cf.proto || + fatal "Missing main.cf prototype: $meta_directory/main.cf.proto" + test -f $meta_directory/master.cf.proto || + fatal "Missing master.cf prototype: $meta_directory/master.cf.proto" + # Create instance-specific directories # test -d $config_directory || diff --git a/postfix/html/INSTALL.html b/postfix/html/INSTALL.html index 1c5f33b03..3154d17f7 100644 --- a/postfix/html/INSTALL.html +++ b/postfix/html/INSTALL.html @@ -810,6 +810,10 @@ platforms that are known to support this feature. If you override this, then you probably should also override DEF_DB_TYPE as described in section 4.6. + -DNO_DNSSEC Do not build with DNSSEC +support, even if the resolver library appears to support it. + + -DNO_DEVPOLL Do not build with Solaris /dev/poll support. By default, /dev/poll support is compiled in on Solaris versions that are known to support diff --git a/postfix/makedefs b/postfix/makedefs index d29b9cf33..dbdc091db 100644 --- a/postfix/makedefs +++ b/postfix/makedefs @@ -45,6 +45,9 @@ # Do not build with Solaris /dev/poll support. # By default, /dev/poll support is compiled in on platforms that # are known to support it. +# .IP \fB-DNO_DNSSEC\fR +# Do not build with DNSSEC support, even if the resolver +# library appears to support it. # .IP \fB-DNO_EPOLL\fR # Do not build with Linux EPOLL support. # By default, EPOLL support is compiled in on platforms that 
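Review bot: In the conf/postmulti-script hunk, both new `test -f` checks expand `$meta_directory` unquoted, so a value containing whitespace or glob characters is word-split before `test` sees it and the prototype check fails for the wrong reason. Quoting keeps the check tied to the one intended path: `test -f "$meta_directory/main.cf.proto" ||` and `test -f "$meta_directory/master.cf.proto" ||`. The neighbouring `test -d $config_directory` context line has the same form, so this is a point of style for the whole `create|import)` arm, which continues outside the hunk.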
@@ -387,18 +390,21 @@ case "$SYSTEM.$RELEASE" in ;; AIX.*) case "`uname -v`" in 6) SYSTYPE=AIX6 + CCARGS="$CCARGS -DNO_DNSSEC" case "$CC" in cc|*/cc|xlc|*/xlc) CCARGS="$CCARGS -w -blibpath:/usr/lib:/lib:/usr/local/lib";; esac CCARGS="$CCARGS -D_ALL_SOURCE -DHAS_POSIX_REGEXP" ;; 5) SYSTYPE=AIX5 + CCARGS="$CCARGS -DNO_DNSSEC" case "$CC" in cc|*/cc|xlc|*/xlc) CCARGS="$CCARGS -w -blibpath:/usr/lib:/lib:/usr/local/lib";; esac CCARGS="$CCARGS -D_ALL_SOURCE -DHAS_POSIX_REGEXP" ;; 4) SYSTYPE=AIX4 + CCARGS="$CCARGS -DNO_DNSSEC" # How embarrassing... case "$CC" in cc|*/cc|xlc|*/xlc) OPT=; CCARGS="$CCARGS -w -blibpath:/usr/lib:/lib:/usr/local/lib";; diff --git a/postfix/proto/INSTALL.html b/postfix/proto/INSTALL.html index 583618e24..63183add4 100644 --- a/postfix/proto/INSTALL.html +++ b/postfix/proto/INSTALL.html @@ -810,6 +810,10 @@ platforms that are known to support this feature. If you override this, then you probably should also override DEF_DB_TYPE as described in section 4.6. + -DNO_DNSSEC Do not build with DNSSEC +support, even if the resolver library appears to support it. + + -DNO_DEVPOLL Do not build with Solaris /dev/poll support. By default, /dev/poll support is compiled in on Solaris versions that are known to support diff --git a/postfix/src/cleanup/cleanup_message.c b/postfix/src/cleanup/cleanup_message.c index 47b7177c6..b33da8f4e 100644 --- a/postfix/src/cleanup/cleanup_message.c +++ b/postfix/src/cleanup/cleanup_message.c 
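Review bot: The `-DNO_DNSSEC` workaround in makedefs is added only to the `6)`, `5)` and `4)` arms of the `uname -v` case, while the HISTORY entry in this commit describes it as covering "AIX 7x and earlier". No `7)` arm is visible here, and the case statement starts and ends outside the hunk, so confirm whether one exists. If it does, it presumably needs the same `CCARGS="$CCARGS -DNO_DNSSEC"` line. Because the flag silently removes DNSSEC validation from the build, each of these lines would also benefit from a short comment, for example `# AIX resolver defines RES_USE_DNSSEC without the "ad" bit; DNSSEC lookups are disabled`.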
@@ -385,11 +385,20 @@ static const char *cleanup_act(CLEANUP_STATE *state, char *context, if (STREQUAL(value, "PREPEND", command_len)) { if (*optional_text == 0) { msg_warn("PREPEND action without text in %s map", map_class); - } else if (strcmp(context, CLEANUP_ACT_CTXT_HEADER) == 0 - && !is_header(optional_text)) { - msg_warn("bad PREPEND header text \"%s\" in %s map -- " - "need \"headername: headervalue\"", - optional_text, map_class); + } else if (strcmp(context, CLEANUP_ACT_CTXT_HEADER) == 0) { + if (!is_header(optional_text)) { + msg_warn("bad PREPEND header text \"%s\" in %s map -- " + "need \"headername: headervalue\"", + optional_text, map_class); + } else { + VSTRING *temp; + + cleanup_act_log(state, "prepend", context, buf, optional_text); + temp = vstring_strcpy(vstring_alloc(strlen(optional_text)), + optional_text); + cleanup_out_header(state, temp); + vstring_free(temp); + } } else { cleanup_act_log(state, "prepend", context, buf, optional_text); cleanup_out_string(state, REC_TYPE_NORM, optional_text); diff --git a/postfix/src/dns/dns.h b/postfix/src/dns/dns.h index 7cfc58108..ee6e1a48a 100644 --- a/postfix/src/dns/dns.h +++ b/postfix/src/dns/dns.h @@ -52,6 +52,13 @@ (cp) += 4; \ } +#endif + +/* + * Disable DNSSEC at compile-time even if RES_USE_DNSSEC is available + */ +#ifdef NO_DNSSEC +#undef RES_USE_DNSSEC #endif /* diff --git a/postfix/src/dns/dns_lookup.c b/postfix/src/dns/dns_lookup.c index 3838ea6b1..ccedb94c1 100644 --- a/postfix/src/dns/dns_lookup.c +++ b/postfix/src/dns/dns_lookup.c @@ -790,6 +790,7 @@ int dns_lookup_rl(const char *name, unsigned flags, DNS_RR **rrlist, int hpref_status = INT_MIN; VSTRING *hpref_rtext = 0; int hpref_rcode; + int hpref_h_errno; DNS_RR *rr; /* Save intermediate highest-priority result. */ 
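Review bot: The new header-context branch of the PREPEND action in cleanup_act() (src/cleanup/cleanup_message.c) carries no comment saying why it calls `cleanup_out_header()` on a temporary VSTRING while the body branch keeps `cleanup_out_string()`. According to the HISTORY entry, sharing one output function between header_checks and body_checks is what led to the Milter client panic. Without a note a later cleanup could merge the two branches again, since both call `cleanup_act_log()` with identical arguments. Suggested comment above the inner `else`: `/* Header context: emit through cleanup_out_header(), not cleanup_out_string(), so the prepended text is processed as a header record. */`. cleanup_act() begins and ends outside the hunk.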
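Review bot: `int hpref_h_errno;` is declared without an initializer in dns_lookup_rl() (src/dns/dns_lookup.c), and again in dns_lookup_rv() in the `@@ -862,6 +865,7 @@` hunk. The restore macro changed in the `@@ -810,6 +812,7 @@` hunk passes it to `SET_H_ERRNO()` unconditionally. The `hpref_status = INT_MIN` initializer presumably guarantees that the save macro runs first, but the loop that uses both macros is outside these hunks, so this cannot be confirmed from here. Initializing at the declaration, `int hpref_h_errno = 0;`, removes the dependency on that ordering and avoids reading an indeterminate value if a future code path restores without saving.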
@@ -801,6 +802,7 @@ int dns_lookup_rl(const char *name, unsigned flags, DNS_RR **rrlist, vstring_strcpy(hpref_rtext ? hpref_rtext : \ (hpref_rtext = vstring_alloc(VSTRING_LEN(why))), \ vstring_str(why)); \ + hpref_h_errno = h_errno; \ } while (0) /* Restore intermediate highest-priority result. */ @@ -810,6 +812,7 @@ int dns_lookup_rl(const char *name, unsigned flags, DNS_RR **rrlist, *rcode = hpref_rcode; \ if (why && status != DNS_OK) \ vstring_strcpy(why, vstring_str(hpref_rtext)); \ + SET_H_ERRNO(hpref_h_errno); \ } while (0) if (rrlist) @@ -862,6 +865,7 @@ int dns_lookup_rv(const char *name, unsigned flags, DNS_RR **rrlist, int hpref_status = INT_MIN; VSTRING *hpref_rtext = 0; int hpref_rcode; + int hpref_h_errno; DNS_RR *rr; if (rrlist) diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 0d7a1b560..2a7aca542 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20150720" -#define MAIL_VERSION_NUMBER "3.0.2" +#define MAIL_RELEASE_DATE "20151010" +#define MAIL_VERSION_NUMBER "3.0.3" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff --git a/postfix/src/global/uxtext.c b/postfix/src/global/uxtext.c index 03e5cc138..d374de4a6 100644 --- a/postfix/src/global/uxtext.c +++ b/postfix/src/global/uxtext.c @@ -214,8 +214,7 @@ VSTRING *uxtext_unquote_append(VSTRING *unquoted, const char *quoted) VSTRING *uxtext_unquote(VSTRING *unquoted, const char *quoted) { VSTRING_RESET(unquoted); - uxtext_unquote_append(unquoted, quoted); - return (unquoted); + return (uxtext_unquote_append(unquoted, quoted) ? unquoted : 0); } #ifdef TEST diff --git a/postfix/src/global/xtext.c b/postfix/src/global/xtext.c index e5605d7be..9a0225111 100644 --- a/postfix/src/global/xtext.c +++ b/postfix/src/global/xtext.c 
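Review bot: uxtext_unquote() in src/global/uxtext.c now returns a null pointer on malformed input, as does xtext_unquote() in the src/global/xtext.c hunk, but neither hunk updates the function documentation or any caller. A caller written against the old contract, where the buffer was always returned, will dereference the result or go on to use `unquoted`. After `VSTRING_RESET()` and a failed append, `unquoted` presumably still holds the partially decoded text. The header comment of each file, outside these hunks, should state the new contract, for example: `uxtext_unquote() returns a null pointer when the input is malformed; the content of the result buffer is then unspecified and must not be used.` It is also worth checking every call site of both functions for a null test as part of this change.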
@@ -134,8 +134,7 @@ VSTRING *xtext_unquote_append(VSTRING *unquoted, const char *quoted) VSTRING *xtext_unquote(VSTRING *unquoted, const char *quoted) { VSTRING_RESET(unquoted); - xtext_unquote_append(unquoted, quoted); - return (unquoted); + return (xtext_unquote_append(unquoted, quoted) ? unquoted : 0); } #ifdef TEST diff --git a/postfix/src/postmulti/postmulti.c b/postfix/src/postmulti/postmulti.c index 0d124ae7b..8fdc23185 100644 --- a/postfix/src/postmulti/postmulti.c +++ b/postfix/src/postmulti/postmulti.c @@ -1711,7 +1711,7 @@ int main(int argc, char **argv) case 'e': if ((code = EDIT_CMD_CODE(optarg)) < 0) msg_fatal("Invalid '-e' edit action '%s'. Specify '%s', " - "'%s', '%s', '%s', '%s', '%s', '%s', '%s' or '%s'", + "'%s', '%s', '%s', '%s', '%s', '%s' or '%s'", optarg, EDIT_CMD_STR(EDIT_CMD_CREATE), EDIT_CMD_STR(EDIT_CMD_DESTROY), @@ -1720,8 +1720,7 @@ int main(int argc, char **argv) EDIT_CMD_STR(EDIT_CMD_ENABLE), EDIT_CMD_STR(EDIT_CMD_DISABLE), EDIT_CMD_STR(EDIT_CMD_ASSIGN), - EDIT_CMD_STR(EDIT_CMD_INIT), - optarg); + EDIT_CMD_STR(EDIT_CMD_INIT)); if (cmd_mode != code) command_mode_count++; cmd_mode = code; diff --git a/postfix/src/smtpd/smtpd_haproxy.c b/postfix/src/smtpd/smtpd_haproxy.c index 599e3ed42..a4c527ce3 100644 --- a/postfix/src/smtpd/smtpd_haproxy.c +++ b/postfix/src/smtpd/smtpd_haproxy.c @@ -95,6 +95,14 @@ int smtpd_peer_from_haproxy(SMTPD_STATE *state) int io_err; VSTRING *escape_buf; + /* + * While reading HAProxy handshake information, don't buffer input beyond + * the end-of-line. That would break the TLS wrappermode handshake. + */ + vstream_control(state->client, + VSTREAM_CTL_BUFSIZE, 1, + VSTREAM_CTL_END); + /* * Note: the haproxy_srvr_parse() routine performs address protocol * checks, address and port syntax checks, and converts IPv4-in-IPv6 
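Review bot: In smtpd_peer_from_haproxy() (src/smtpd/smtpd_haproxy.c) the new `vstream_control()` call passes the buffer size as the plain int literal `1` through a variadic argument list. If `VSTREAM_CTL_BUFSIZE` is fetched as `ssize_t` on the receiving side, which should be confirmed in vstream.c, the types differ on LP64 hosts and the value read is not guaranteed. An explicit cast avoids that: `VSTREAM_CTL_BUFSIZE, (ssize_t) 1,` here and `VSTREAM_CTL_BUFSIZE, (ssize_t) VSTREAM_BUFSIZE,` in the `@@ -142,6 +150,13 @@` hunk. That second hunk restores normal buffering only immediately before `return (0)`. If an error return that keeps using `state->client` exists outside the hunks, it would leave the stream with a one-byte buffer, so the comment should say that failure paths are expected to drop the connection.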
@@ -142,6 +150,13 @@ int smtpd_peer_from_haproxy(SMTPD_STATE *state) * Avoid surprises in the Dovecot authentication server. */ state->dest_addr = mystrdup(smtp_server_addr.buf); + + /* + * Enable normal buffering. + */ + vstream_control(state->client, + VSTREAM_CTL_BUFSIZE, VSTREAM_BUFSIZE, + VSTREAM_CTL_END); return (0); } } diff --git a/postfix/src/util/scan_dir.c b/postfix/src/util/scan_dir.c index d8c76cfce..432c9f4f6 100644 --- a/postfix/src/util/scan_dir.c +++ b/postfix/src/util/scan_dir.c @@ -78,6 +78,7 @@ #endif #endif #include +#include /* Utility library. */ @@ -177,6 +178,13 @@ char *scan_dir_next(SCAN_DIR *scan) #define STREQ(x,y) (strcmp((x),(y)) == 0) if (info) { + + /* + * Fix 20150421: readdir() does not reset errno after reaching the + * end-of-directory. This dates back all the way to the initial + * implementation of 19970309. + */ + errno = 0; while ((dp = readdir(info->dir)) != 0) { if (STREQ(dp->d_name, ".") || STREQ(dp->d_name, "..")) { if (msg_verbose > 1)