From: Wietse Venema Date: Sat, 16 May 2020 05:00:00 +0000 (-0500) Subject: postfix-3.4.12 X-Git-Tag: v3.4.12^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=24705ce4b5a11372323f98fe36e932bd5c4ef12c;p=thirdparty%2Fpostfix.git postfix-3.4.12 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index 73db7c34a..2b4c3bd04 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY 
@@ -24355,3 +24355,60 @@ Apologies for any names omitted. Workaround for broken DANE support after an incompatible change in GLIBC 2.31. This avoids the need for new options in /etc/resolv.conf. Files: dns/dns.h, dns/dns_lookup.c. + +20200419 + + Bugfix: segfault in the tlsproxy client role when the server + role was disabled. This typically happens on systems that + do not receive mail, after configuring connection reuse for + outbound TLS. Found during program maintenance. File: + tlsproxy/tlsproxy.c. + +20200420 + + Noise suppression: shut up a compiler that special-cases + string literals. Viktor Dukhovni. File milter/milter.c. + +20200422 + + Security: disable DANE support on Alpine Linux because + libc-musl provides no indication whether DNS responses are + authentic. This broke DANE support without a clear explanation. + File: makedefs. + +20200505 + + Noise suppression: shut up a compiler that special-cases + string literals. Viktor Dukhovni. File smtpd/smtpd_check.c. + +20200509 + + Bugfix (introduced: Postfix 3.5): maillog_file_rotate_suffix + default value used the minute instead of the month. Reported + by Larry Stone. Files: conf/postfix-tls-script, + proto/MAILLOG_README.html, proto/postconf.proto. + global/mail_params.h, postfix/postfix.c. + +20200510 + + Bitrot: avoid U_FILE_ACCESS_ERROR after chroot(), by + initializing the ICU library before making the chroot() + call. Files: util/midna_domain.[hc], global/mail_params.c. + +20200511 + + Noise suppression: avoid "SSL_Shutdown:shutdown while in + init" warnings. File: tls/tls_session.c. + +20200515 + + Bugfix (introduced: Postfix 2.2): a TLS error for a PostgreSQL + client caused a false 'lost connection' error for an SMTP + over TLS session in the same Postfix process. Reported by + Alexander Vasarab, diagnosed by Viktor Dukhovni. File: + tls/tls_bio_ops.c. 
+ + Bugfix (introduced: Postfix 2.8): a TLS error for one TLS + session may cause a false 'lost connection' error for a + concurrent TLS session in the same tlsproxy process. File: + tlsproxy/tlsproxy.c. diff --git a/postfix/README_FILES/MAILLOG_README b/postfix/README_FILES/MAILLOG_README index 518442535..cc8b0974d 100644 --- a/postfix/README_FILES/MAILLOG_README +++ b/postfix/README_FILES/MAILLOG_README @@ -64,7 +64,7 @@ implements the following steps: * Rename the current logfile by appending a suffix that contains the date and time. This suffix is configured with the maillog_file_rotate_suffix - parameter (default: %Y%M%d-%H%M%S). + parameter (default: %Y%m%d-%H%M%S). * Reload Postfix so that postlogd(8) immediately closes the old logfile. diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index 63e8e5a5b..c98124411 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES @@ -16,6 +16,14 @@ specifies the release date of a stable release or snapshot release. If you upgrade from Postfix 3.2 or earlier, read RELEASE_NOTES-3.3 before proceeding. +libc-musl workaround for Postfix 3.2.15, 3.3.10, 3.4.12, and 3.5.2 +------------------------------------------------------------------ + +Security: this release disables DANE support on Linux systems with +libc-musl, because libc-musl provides no indication whether DNS +responses are authentic. This broke DANE support without a clear +explanation. + TLS Workaround for Postfix 3.4.6, 3.3.5, 3.2.10 and 3.1.13 ----------------------------------------------------------- diff --git a/postfix/html/MAILLOG_README.html b/postfix/html/MAILLOG_README.html index b1f97022d..c5b7978ed 100644 --- a/postfix/html/MAILLOG_README.html +++ b/postfix/html/MAILLOG_README.html @@ -114,7 +114,7 @@ run from a terminal. This command implements the following steps:
  • Rename the current logfile by appending a suffix that contains the date and time. This suffix is configured with the -maillog_file_rotate_suffix parameter (default: %Y%M%d-%H%M%S).

    +maillog_file_rotate_suffix parameter (default: %Y%m%d-%H%M%S).

  • Reload Postfix so that postlogd(8) immediately closes the old logfile.

    diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index cba1fac35..aa94c3267 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -6284,7 +6284,7 @@ whitespace.

    maillog_file_rotate_suffix -(default: %Y%M%d-%H%M%S)
    +(default: %Y%m%d-%H%M%S)

    The format of the suffix to append to $maillog_file while rotating the file with "postfix logrotate". See strftime(3) for syntax. The diff --git a/postfix/html/postfix.1.html b/postfix/html/postfix.1.html index 4c5c4f937..eb59ad30d 100644 --- a/postfix/html/postfix.1.html +++ b/postfix/html/postfix.1.html @@ -285,7 +285,7 @@ POSTFIX(1) POSTFIX(1) maillog_file_prefixes (/var, /dev/stdout) A list of allowed prefixes for a maillog_file value. - maillog_file_rotate_suffix (%Y%M%d-%H%M%S) + maillog_file_rotate_suffix (%Y%m%d-%H%M%S) The format of the suffix to append to $maillog_file while rotat- ing the file with "postfix logrotate". diff --git a/postfix/makedefs b/postfix/makedefs index aea15d6f3..64b42f448 100644 --- a/postfix/makedefs +++ b/postfix/makedefs @@ -228,6 +228,19 @@ case $# in *) echo usage: $0 [system release] 1>&2; exit 1;; esac +case "$SYSTEM" in + Linux) + case "`PATH=/bin:/usr/bin ldd /bin/sh`" in + *-musl-*) + case "$CCARGS" in + *-DNO_DNSSEC*) ;; + *) echo Warning: libc-musl breaks DANE/TLSA security. 1>&2 + echo This build will not support DANE/TLSA. 1>&2 + CCARGS="$CCARGS -DNO_DNSSEC";; + esac;; + esac;; +esac + case "$SYSTEM.$RELEASE" in SCO_SV.3.2) SYSTYPE=SCO5 # Use the native compiler by default diff --git a/postfix/man/man1/postfix.1 b/postfix/man/man1/postfix.1 index 7a8a39cd2..412c0c9d1 100644 --- a/postfix/man/man1/postfix.1 +++ b/postfix/man/man1/postfix.1 @@ -252,7 +252,7 @@ The program to run after rotating $maillog_file with "postfix logrotate". .IP "\fBmaillog_file_prefixes (/var, /dev/stdout)\fR" A list of allowed prefixes for a maillog_file value. -.IP "\fBmaillog_file_rotate_suffix (%Y%M%d\-%H%M%S)\fR" +.IP "\fBmaillog_file_rotate_suffix (%Y%m%d\-%H%M%S)\fR" The format of the suffix to append to $maillog_file while rotating the file with "postfix logrotate". .IP "\fBpostlog_service_name (postlog)\fR" diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index fdf6b39d6..ccb087a57 100644 
--- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -3775,7 +3775,7 @@ mistake. Specify one or more prefix strings, separated by comma or whitespace. .PP This feature is available in Postfix 3.4 and later. -.SH maillog_file_rotate_suffix (default: %Y%M%d\-%H%M%S) +.SH maillog_file_rotate_suffix (default: %Y%m%d\-%H%M%S) The format of the suffix to append to $maillog_file while rotating the file with "postfix logrotate". See \fBstrftime\fR(3) for syntax. The default suffix, YYYYMMDD\-HHMMSS, allows logs to be rotated frequently. diff --git a/postfix/proto/MAILLOG_README.html b/postfix/proto/MAILLOG_README.html index 5fad103c5..9b5651822 100644 --- a/postfix/proto/MAILLOG_README.html +++ b/postfix/proto/MAILLOG_README.html @@ -114,7 +114,7 @@ run from a terminal. This command implements the following steps:

  • Rename the current logfile by appending a suffix that contains the date and time. This suffix is configured with the -maillog_file_rotate_suffix parameter (default: %Y%M%d-%H%M%S).

    +maillog_file_rotate_suffix parameter (default: %Y%m%d-%H%M%S).

  • Reload Postfix so that postlogd(8) immediately closes the old logfile.

    diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index f29cdf6e3..a37fb01a3 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -17611,7 +17611,7 @@ first argument.

    This feature is available in Postfix 3.4 and later.

    -%PARAM maillog_file_rotate_suffix %Y%M%d-%H%M%S +%PARAM maillog_file_rotate_suffix %Y%m%d-%H%M%S

    The format of the suffix to append to $maillog_file while rotating the file with "postfix logrotate". See strftime(3) for syntax. The diff --git a/postfix/src/global/mail_params.c b/postfix/src/global/mail_params.c index 8953fe6a2..4b6a05887 100644 --- a/postfix/src/global/mail_params.c +++ b/postfix/src/global/mail_params.c @@ -868,6 +868,8 @@ void mail_params_init() var_smtputf8_enable = 0; #else midna_domain_transitional = var_idna2003_compat; + if (var_smtputf8_enable) + midna_domain_pre_chroot(); #endif util_utf8_enable = var_smtputf8_enable; diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index 1f4c207cb..900ef5100 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -4178,7 +4178,7 @@ extern char *var_maillog_file_pfxs; extern char *var_maillog_file_comp; #define VAR_MAILLOG_FILE_STAMP "maillog_file_rotate_suffix" -#define DEF_MAILLOG_FILE_STAMP "%Y%M%d-%H%M%S" +#define DEF_MAILLOG_FILE_STAMP "%Y%m%d-%H%M%S" extern char *var_maillog_file_stamp; #define VAR_POSTLOG_SERVICE "postlog_service_name" diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 189383786..88f58037e 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20200418" -#define MAIL_VERSION_NUMBER "3.4.11" +#define MAIL_RELEASE_DATE "20200516" +#define MAIL_VERSION_NUMBER "3.4.12" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff --git a/postfix/src/milter/milter.c b/postfix/src/milter/milter.c index cee169cb4..3d71cc6b4 100644 --- a/postfix/src/milter/milter.c +++ b/postfix/src/milter/milter.c 
@@ -620,14 +620,14 @@ void milter_disc_event(MILTERS *milters) * names by skipping the redundant "milter_" prefix. */ static ATTR_OVER_TIME time_table[] = { - 7 + VAR_MILT_CONN_TIME, DEF_MILT_CONN_TIME, 0, 1, 0, - 7 + VAR_MILT_CMD_TIME, DEF_MILT_CMD_TIME, 0, 1, 0, - 7 + VAR_MILT_MSG_TIME, DEF_MILT_MSG_TIME, 0, 1, 0, + 7 + (const char *) VAR_MILT_CONN_TIME, DEF_MILT_CONN_TIME, 0, 1, 0, + 7 + (const char *) VAR_MILT_CMD_TIME, DEF_MILT_CMD_TIME, 0, 1, 0, + 7 + (const char *) VAR_MILT_MSG_TIME, DEF_MILT_MSG_TIME, 0, 1, 0, 0, }; static ATTR_OVER_STR str_table[] = { - 7 + VAR_MILT_PROTOCOL, 0, 1, 0, - 7 + VAR_MILT_DEF_ACTION, 0, 1, 0, + 7 + (const char *) VAR_MILT_PROTOCOL, 0, 1, 0, + 7 + (const char *) VAR_MILT_DEF_ACTION, 0, 1, 0, 0, }; diff --git a/postfix/src/postfix/postfix.c b/postfix/src/postfix/postfix.c index f8b3de450..b2306fb60 100644 --- a/postfix/src/postfix/postfix.c +++ b/postfix/src/postfix/postfix.c @@ -242,7 +242,7 @@ /* logrotate". /* .IP "\fBmaillog_file_prefixes (/var, /dev/stdout)\fR" /* A list of allowed prefixes for a maillog_file value. -/* .IP "\fBmaillog_file_rotate_suffix (%Y%M%d-%H%M%S)\fR" +/* .IP "\fBmaillog_file_rotate_suffix (%Y%m%d-%H%M%S)\fR" /* The format of the suffix to append to $maillog_file while rotating /* the file with "postfix logrotate". /* .IP "\fBpostlog_service_name (postlog)\fR" diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c index d1caa5ca4..a25b4011e 100644 --- a/postfix/src/smtpd/smtpd_check.c +++ b/postfix/src/smtpd/smtpd_check.c 
@@ -483,20 +483,20 @@ typedef struct { * parameter names by skipping the redundant "smtpd_policy_service_" prefix. */ static ATTR_OVER_TIME time_table[] = { - 21 + VAR_SMTPD_POLICY_TMOUT, DEF_SMTPD_POLICY_TMOUT, 0, 1, 0, - 21 + VAR_SMTPD_POLICY_IDLE, DEF_SMTPD_POLICY_IDLE, 0, 1, 0, - 21 + VAR_SMTPD_POLICY_TTL, DEF_SMTPD_POLICY_TTL, 0, 1, 0, - 21 + VAR_SMTPD_POLICY_TRY_DELAY, DEF_SMTPD_POLICY_TRY_DELAY, 0, 1, 0, + 21 + (const char *) VAR_SMTPD_POLICY_TMOUT, DEF_SMTPD_POLICY_TMOUT, 0, 1, 0, + 21 + (const char *) VAR_SMTPD_POLICY_IDLE, DEF_SMTPD_POLICY_IDLE, 0, 1, 0, + 21 + (const char *) VAR_SMTPD_POLICY_TTL, DEF_SMTPD_POLICY_TTL, 0, 1, 0, + 21 + (const char *) VAR_SMTPD_POLICY_TRY_DELAY, DEF_SMTPD_POLICY_TRY_DELAY, 0, 1, 0, 0, }; static ATTR_OVER_INT int_table[] = { - 21 + VAR_SMTPD_POLICY_REQ_LIMIT, 0, 0, 0, - 21 + VAR_SMTPD_POLICY_TRY_LIMIT, 0, 1, 0, + 21 + (const char *) VAR_SMTPD_POLICY_REQ_LIMIT, 0, 0, 0, + 21 + (const char *) VAR_SMTPD_POLICY_TRY_LIMIT, 0, 1, 0, 0, }; static ATTR_OVER_STR str_table[] = { - 21 + VAR_SMTPD_POLICY_DEF_ACTION, 0, 1, 0, - 21 + VAR_SMTPD_POLICY_CONTEXT, 0, 1, 0, + 21 + (const char *) VAR_SMTPD_POLICY_DEF_ACTION, 0, 1, 0, + 21 + (const char *) VAR_SMTPD_POLICY_CONTEXT, 0, 1, 0, 0, }; diff --git a/postfix/src/tls/tls_bio_ops.c b/postfix/src/tls/tls_bio_ops.c index 1f4ec41f1..9b6619547 100644 --- a/postfix/src/tls/tls_bio_ops.c +++ b/postfix/src/tls/tls_bio_ops.c @@ -194,6 +194,13 @@ int tls_bio(int fd, int timeout, TLS_SESS_STATE *TLScontext, * handling any pending network I/O. */ for (;;) { + + /* + * Flush the per-thread SSL error queue. Otherwise, errors from other + * code that also uses TLS may confuse SSL_get_error(3). + */ + ERR_clear_error(); + if (hsfunc) status = hsfunc(TLScontext->con); else if (rfunc) diff --git a/postfix/src/tls/tls_session.c b/postfix/src/tls/tls_session.c index 3f6027fc4..a4b7a8f25 100644 --- a/postfix/src/tls/tls_session.c +++ b/postfix/src/tls/tls_session.c 
@@ -118,7 +118,7 @@ void tls_session_stop(TLS_APPL_STATE *unused_ctx, VSTREAM *stream, int timeou * so we will not perform SSL_shutdown() and the session will be removed * as being bad. */ - if (!failure) { + if (!failure && !SSL_in_init(TLScontext->con)) { retval = tls_bio_shutdown(vstream_fileno(stream), timeout, TLScontext); if (!var_tls_fast_shutdown && retval == 0) tls_bio_shutdown(vstream_fileno(stream), timeout, TLScontext); diff --git a/postfix/src/tlsproxy/tlsproxy.c b/postfix/src/tlsproxy/tlsproxy.c index 50b4154ff..65c7201b4 100644 --- a/postfix/src/tlsproxy/tlsproxy.c +++ b/postfix/src/tlsproxy/tlsproxy.c @@ -781,6 +781,7 @@ static void tlsp_strategy(TLSP_STATE *state) */ if (state->flags & TLSP_FLAG_DO_HANDSHAKE) { state->timeout = state->handshake_timeout; + ERR_clear_error(); if (state->is_server_role) ssl_stat = SSL_accept(tls_context->con); else @@ -809,6 +810,7 @@ static void tlsp_strategy(TLSP_STATE *state) if (NBBIO_ERROR_FLAGS(plaintext_buf)) { if (NBBIO_ACTIVE_FLAGS(plaintext_buf)) nbbio_disable_readwrite(state->plaintext_buf); + ERR_clear_error(); if (!SSL_in_init(tls_context->con) && (ssl_stat = SSL_shutdown(tls_context->con)) < 0) { handshake_err = SSL_get_error(tls_context->con, ssl_stat); @@ -835,6 +837,7 @@ static void tlsp_strategy(TLSP_STATE *state) */ ssl_write_err = SSL_ERROR_NONE; while (NBBIO_READ_PEND(plaintext_buf) > 0) { + ERR_clear_error(); ssl_stat = SSL_write(tls_context->con, NBBIO_READ_BUF(plaintext_buf), NBBIO_READ_PEND(plaintext_buf)); ssl_write_err = SSL_get_error(tls_context->con, ssl_stat); @@ -865,6 +868,7 @@ static void tlsp_strategy(TLSP_STATE *state) */ ssl_read_err = SSL_ERROR_NONE; while (NBBIO_WRITE_PEND(state->plaintext_buf) < NBBIO_BUFSIZE(plaintext_buf)) { + ERR_clear_error(); ssl_stat = SSL_read(tls_context->con, NBBIO_WRITE_BUF(plaintext_buf) + NBBIO_WRITE_PEND(state->plaintext_buf), 
@@ -1489,16 +1493,15 @@ static void tlsp_service(VSTREAM *plaintext_stream, TLSP_INIT_TIMEOUT, (void *) state); } -/* pre_jail_init - pre-jail initialization */ +/* pre_jail_init_server - pre-jail initialization */ -static void pre_jail_init(char *unused_name, char **unused_argv) +static void pre_jail_init_server(void) { TLS_SERVER_INIT_PROPS props; const char *cert_file; int have_server_cert; int no_server_cert_ok; int require_server_cert; - int clnt_use_tls; /* * The code in this routine is pasted literally from smtpd(8). I am not @@ -1531,7 +1534,7 @@ static void pre_jail_init(char *unused_name, char **unused_argv) } var_tlsp_use_tls = var_tlsp_use_tls || var_tlsp_enforce_tls; if (!var_tlsp_use_tls) { - msg_warn("TLS service is requested, but disabled with %s or %s", + msg_warn("TLS server role is disabled with %s or %s", VAR_TLSP_TLS_LEVEL, VAR_TLSP_USE_TLS); return; } @@ -1622,6 +1625,13 @@ static void pre_jail_init(char *unused_name, char **unused_argv) SSL_CTX_set_mode(tlsp_server_ctx->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); +} + +/* pre_jail_init_client - pre-jail initialization */ + +static void pre_jail_init_client(void) +{ + int clnt_use_tls; /* * The cache with TLS_APPL_STATE instances for different TLS_CLIENT_INIT @@ -1733,6 +1743,18 @@ static void pre_jail_init(char *unused_name, char **unused_argv) msg_warn("TLS client initialization failed"); } } +} + +/* pre_jail_init - pre-jail initialization */ + +static void pre_jail_init(char *unused_name, char **unused_argv) +{ + + /* + * Initialize roles separately. + */ + pre_jail_init_server(); + pre_jail_init_client(); /* * tlsp_client_init() needs to know if it is called pre-jail or diff --git a/postfix/src/util/midna_domain.c b/postfix/src/util/midna_domain.c index 667e75e59..333a5c91d 100644 --- a/postfix/src/util/midna_domain.c +++ b/postfix/src/util/midna_domain.c 
@@ -20,6 +20,8 @@ /* /* const char *midna_domain_suffix_to_utf8( /* const char *name) +/* AUXILIARY FUNCTIONS +/* void midna_domain_pre_chroot(void) /* DESCRIPTION /* The functions in this module transform domain names from/to /* ASCII and UTF-8 form. The result is cached to avoid repeated @@ -52,6 +54,8 @@ /* /* midna_domain_transitional enables transitional conversion /* between UTF8 and ASCII labels. +/* +/* midna_domain_pre_chroot() does some pre-chroot initialization. /* SEE ALSO /* http://unicode.org/reports/tr46/ Unicode IDNA Compatibility processing /* msg(3) diagnostics interface @@ -144,6 +148,22 @@ static const char *midna_domain_strerror(UErrorCode error, int info_errors) } } +/* midna_domain_pre_chroot - pre-chroot initialization */ + +void midna_domain_pre_chroot(void) +{ + UErrorCode error = U_ZERO_ERROR; + UIDNAInfo info = UIDNA_INFO_INITIALIZER; + UIDNA *idna; + + idna = uidna_openUTS46(midna_domain_transitional ? UIDNA_DEFAULT + : UIDNA_NONTRANSITIONAL_TO_ASCII, &error); + if (U_FAILURE(error)) + msg_warn("ICU library initialization failed: %s", + midna_domain_strerror(error, info.errors)); + uidna_close(idna); +} + /* midna_domain_to_ascii_create - convert domain to ASCII */ static void *midna_domain_to_ascii_create(const char *name, void *unused_context) @@ -327,6 +347,7 @@ const char *midna_domain_suffix_to_utf8(const char *name) /* * Test program - reads names from stdin, reports invalid names to stderr. */ +#include #include #include @@ -350,6 +371,11 @@ int main(int argc, char **argv) /* msg_verbose = 1; */ util_utf8_enable = 1; + if (geteuid() == 0) { + midna_domain_pre_chroot(); + if (chroot(".") != 0) + msg_fatal("chroot(\".\"): %m"); + } while (vstring_fgets_nonl(buffer, VSTREAM_IN)) { bp = STR(buffer); msg_info("> %s", bp); diff --git a/postfix/src/util/midna_domain.h b/postfix/src/util/midna_domain.h index 03d875b10..1abe2a173 100644 --- a/postfix/src/util/midna_domain.h +++ b/postfix/src/util/midna_domain.h 
@@ -18,6 +18,7 @@ extern const char *midna_domain_to_ascii(const char *); extern const char *midna_domain_to_utf8(const char *); extern const char *midna_domain_suffix_to_ascii(const char *); extern const char *midna_domain_suffix_to_utf8(const char *); +extern void midna_domain_pre_chroot(void); extern int midna_domain_cache_size; extern int midna_domain_transitional;
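
Review bot: In postfix/HISTORY, the 20200509 entry says the wrong maillog_file_rotate_suffix default was "introduced: Postfix 3.5", yet this 3.4.12 commit changes DEF_MAILLOG_FILE_STAMP in global/mail_params.h away from "%Y%M%d-%H%M%S", so the 3.4 branch carried the same default. The entry should name the release where the default first appeared. Its file list also names conf/postfix-tls-script, which this diff does not touch, and has a full stop after proto/postconf.proto where a comma is meant.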
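
Review bot: In postfix/RELEASE_NOTES, the sentence "This broke DANE support without a clear explanation" has no clear antecedent and reads as if disabling DANE is what broke it. Say that the missing authenticity indication in libc-musl is what broke DANE, and describe what an operator sees when a configuration requests DANE on a build made with -DNO_DNSSEC, since the only notice added by this patch is the build-time warning in makedefs.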
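
Review bot: In postfix/makedefs, the musl test runs "ldd /bin/sh" on the build host and matches *-musl-* in its output, so it keys on how the shell was linked rather than on the C library that the compiler and CCARGS will link Postfix against. A statically linked /bin/sh, a loader name without "-musl-" in it, or a build whose target libc differs from the host's would skip the -DNO_DNSSEC fallback without any message, and any error text from ldd is not redirected. Since this decides whether DANE is compiled in, add a comment that states these assumptions, or probe the libc the compiler actually uses.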
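
Review bot: In mail_params_init() in global/mail_params.c, the new call to midna_domain_pre_chroot() under "if (var_smtputf8_enable)" has no comment, and nothing at the call site says that it has to run before chroot(). Add a short comment that the ICU library is initialized here to avoid U_FILE_ACCESS_ERROR after chroot(), so that a later reordering of the initialization code does not undo the fix.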
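
Review bot: In the time_table, int_table and str_table initializers of milter/milter.c and smtpd/smtpd_check.c, the added (const char *) casts keep the bare offsets 7 and 21, which are right only while they equal the lengths of the "milter_" and "smtpd_policy_service_" prefixes named in the comments above the tables. Since these lines are being touched anyway, consider deriving the offset from the prefix, for example sizeof("milter_") - 1, so that a renamed parameter cannot silently yield a pointer into the middle of a name.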
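
Review bot: In tlsp_strategy() in tlsproxy/tlsproxy.c, the four added ERR_clear_error() calls before SSL_accept/SSL_connect, SSL_shutdown, SSL_write and SSL_read carry no comment, while the same call in tls_bio() in tls/tls_bio_ops.c explains that a stale per-thread error queue may confuse SSL_get_error(3). Repeat a one-line comment at the first site in tlsp_strategy(), or wrap the clear-then-call pattern in a small helper, so that a future SSL call site followed by SSL_get_error() is not added without it.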
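
Review bot: In tls_session_stop() in tls/tls_session.c, the condition now also skips tls_bio_shutdown() when SSL_in_init(TLScontext->con) is true, but the comment above it still explains only the failure case ("so we will not perform SSL_shutdown() and the session will be removed as being bad"). Extend the comment to cover the unfinished-handshake case, and state whether a session in that state is also meant to be dropped, which the visible lines do not show.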
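
Review bot: In pre_jail_init_server() in tlsproxy/tlsproxy.c, msg_warn("TLS server role is disabled with %s or %s", ...) stays at warning level for what the HISTORY entry describes as the typical case, a system that does not receive mail and uses connection reuse for outbound TLS. With the early return now confined to the server half, that configuration is supported, so consider msg_info() here or warning only when a server-role request actually arrives. The header comments of pre_jail_init_server() and pre_jail_init_client() both read just "pre-jail initialization"; naming the role in each would make them distinguishable.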
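
Review bot: In midna_domain_pre_chroot() in util/midna_domain.c, uidna_close(idna) runs even when U_FAILURE(error) is true, so the failure path relies on uidna_close() accepting whatever a failed uidna_openUTS46() returned. Return after the msg_warn(), or close only on success. The local "info" is only ever set to UIDNA_INFO_INITIALIZER and is not passed to any ICU call, so info.errors handed to midna_domain_strerror() carries nothing from the open; the variable can be dropped and the argument passed as 0.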