From: Wietse Venema Date: Tue, 18 Jan 2011 05:00:00 +0000 (-0500) Subject: postfix-2.9-20110118 X-Git-Tag: v2.9.0-RC1~62 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=250f86ca5c4249b8f838827599e989712d37c5a4;p=thirdparty%2Fpostfix.git postfix-2.9-20110118 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index fb9db51c4..d2f12947a 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -16493,3 +16493,24 @@ Apologies for any names omitted. Workaround: added a panic check for code that is mis-compiled by the HP-UX compiler. File: postscreen/postscreen.c, postscreen/postscreen.h, postscreen/postscreen_state.c. + +20110118 + + Bugfix: the tls_disable_workarounds word list only included + workarounds in SSL_OP_ALL. Problem report by Steve Jenkins, + problem fix by Victor Duchovni. File: tls/tls_misc.c. + + Last-minute incompatible syntax change: Postfix now uses + ";" instead of "," to separate DNSBL/DNSWL address filter + fields inside "[]". The compatibility break is not an issue, + because the syntax never worked in main.cf. Problem reported + by Mark Martinec. Files: util/ip_match.c, util/ip_match.in, + util/ip_match.ref, proto/postconf.proto. + + Cleanup: postscreen now monitors the AVERAGE latency of + table access, and complains at most once per minute. File: + postscreen/postscreen_dict.c. + + Bugfix: support for the "dunno" command somehow disappeared + from the postscreen_access_list implementation. File: + postscreen/postscreen_access.c. diff --git a/postfix/README_FILES/POSTSCREEN_README b/postfix/README_FILES/POSTSCREEN_README index 5e55a0289..294dbda4f 100644 --- a/postfix/README_FILES/POSTSCREEN_README +++ b/postfix/README_FILES/POSTSCREEN_README 
@@ -31,9 +31,9 @@ postscreen(8) is part of a multi-layer defense. content filters. Typical examples are Amavisd-new, SpamAssassin, and Milter applications. -Each layer reduces the spam volume. The general strategy is to eliminate spam -early with the less expensive defenses and to use the more expensive defenses -for the spam that remains. +Each layer reduces the spam volume. The general strategy is to use the less +expensive defenses first, and to use the more expensive defenses for the spam +that remains. Topics in this document: diff --git a/postfix/RELEASE_NOTES-2.8 b/postfix/RELEASE_NOTES-2.8 index 536b59576..8030c8bcf 100644 --- a/postfix/RELEASE_NOTES-2.8 +++ b/postfix/RELEASE_NOTES-2.8 @@ -237,6 +237,10 @@ Specify "tls_append_default_CA = yes" for backwards compatibility. Major changes - postscreen -------------------------- +See html/POSTSCREEN_README.html for an introduction to postscreen +(or the text version, README_FILES/POSTSCREEN_README). The text +below summarizes milestones in reverse chronological order. + [Incompat 20110111] The postscreen_access_list feature replaces the postscreen_whitelist_networks and postscreen_blacklist_networks features. Reason: CIDR-style access maps are some 100x faster than diff --git a/postfix/html/POSTSCREEN_README.html b/postfix/html/POSTSCREEN_README.html index 11a28a55d..5c74bbcae 100644 --- a/postfix/html/POSTSCREEN_README.html +++ b/postfix/html/POSTSCREEN_README.html @@ -53,8 +53,8 @@ SpamAssassin, and Milter applications.

Each layer reduces the spam volume. The general strategy is to -eliminate spam early with the less expensive defenses and to use -the more expensive defenses for the spam that remains.

+use the less expensive defenses first, and to use the more expensive +defenses for the spam that remains.

Topics in this document:

diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 548eb615f..293a3b45c 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -7025,7 +7025,7 @@ comma or whitespace.

non-error DNSBL reply. Otherwise, postscreen(8) uses only DNSBL replies that match the filter. The filter has the form d.d.d.d, where each d is a number, or a pattern inside [] that contains one -or more comma-separated numbers or number..number ranges.

+or more ";"-separated numbers or number..number ranges.

  • When no "*weight" is specified, postscreen(8) increments the SMTP client's DNSBL score by 1. Otherwise, the weight must be @@ -11842,7 +11842,7 @@ Postfix version 2.5). This feature is available with Postfix version

    Reject the request when the reversed client network address is listed with the A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later only). Each "d" is a number, -or a pattern inside "[]" that contains one or more comma-separated +or a pattern inside "[]" that contains one or more ";"-separated numbers or number..number ranges (Postfix version 2.8 and later). If no "=d.d.d.d" is specified, reject the request when the reversed client network address is listed with any A record under @@ -11858,7 +11858,7 @@ This feature is available in Postfix 2.0 and later.
    Accept the request when the reversed client network address is listed with the A record "d.d.d.d" under dnswl_domain. Each "d" is a number, or a pattern inside "[]" that contains -one or more comma-separated numbers or number..number ranges. +one or more ";"-separated numbers or number..number ranges. If no "=d.d.d.d" is specified, accept the request when the reversed client network address is listed with any A record under dnswl_domain.
    For safety, permit_dnswl_client is silently @@ -11871,7 +11871,7 @@ is available in Postfix 2.8 and later.
    Reject the request when the client hostname is listed with the A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later only). Each "d" is a number, or a pattern -inside "[]" that contains one or more comma-separated numbers or +inside "[]" that contains one or more ";"-separated numbers or number..number ranges (Postfix version 2.8 and later). If no "=d.d.d.d" is specified, reject the request when the client hostname is listed with @@ -11886,7 +11886,7 @@ produce better results.
    Accept the request when the client hostname is listed with the A record "d.d.d.d" under rhswl_domain. Each "d" is a number, or a pattern inside "[]" that contains one or more -comma-separated numbers or number..number ranges. If no +";"-separated numbers or number..number ranges. If no "=d.d.d.d" is specified, accept the request when the client hostname is listed with any A record under rhswl_domain.
    Caution: client name whitelisting is fragile, since the client @@ -11903,7 +11903,7 @@ when whitelist lookup fails. This feature is available in Postfix
    Reject the request when the unverified reverse client hostname is listed with the A record "d.d.d.d" under rbl_domain. Each "d" is a number, or a pattern inside "[]" that contains -one or more comma-separated numbers or number..number ranges. +one or more ";"-separated numbers or number..number ranges. If no "=d.d.d.d" is specified, reject the request when the unverified reverse client hostname is listed with any A record under rbl_domain. See the reject_rbl_client description above for @@ -12564,7 +12564,7 @@ rejected requests (default: 504).
    Reject the request when the HELO or EHLO hostname hostname is listed with the A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later only). Each "d" is a number, -or a pattern inside "[]" that contains one or more comma-separated +or a pattern inside "[]" that contains one or more ";"-separated numbers or number..number ranges (Postfix version 2.8 and later). If no "=d.d.d.d" is specified, reject the request when the HELO or EHLO hostname is @@ -12989,7 +12989,7 @@ rejected requests (default: 504).
    Reject the request when the RCPT TO domain is listed with the A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later only). Each "d" is a number, or a pattern -inside "[]" that contains one or more comma-separated numbers or +inside "[]" that contains one or more ";"-separated numbers or number..number ranges (Postfix version 2.8 and later). If no "=d.d.d.d" is specified, reject the request when the RCPT TO domain is listed with @@ -13615,7 +13615,7 @@ rejected requests (default: 504).
    Reject the request when the MAIL FROM domain is listed with the A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later only). Each "d" is a number, or a -pattern inside "[]" that contains one or more comma-separated numbers +pattern inside "[]" that contains one or more ";"-separated numbers or number..number ranges (Postfix version 2.8 and later). If no "=d.d.d.d" is specified, reject the request when the MAIL FROM domain is @@ -15012,26 +15012,46 @@ added after your Postfix source code was last updated, in that case you can only disable one of these via the hexadecimal syntax above.

    -
    MICROSOFT_SESS_ID_BUGSee SSL_CTX_set_options(3)
    -
    NETSCAPE_CHALLENGE_BUGSee SSL_CTX_set_options(3)
    -
    LEGACY_SERVER_CONNECTSee SSL_CTX_set_options(3)
    -
    NETSCAPE_REUSE_CIPHER_CHANGE_BUG also aliased as -CVE-2010-4180. Postfix 2.8 disables this work-around by default -with OpenSSL versions that may predate the fix. Fixed in OpenSSL 0.9.8q -and OpenSSL 1.0.0c.
    -
    SSLREF2_REUSE_CERT_TYPE_BUGSee SSL_CTX_set_options(3)
    -
    MICROSOFT_BIG_SSLV3_BUFFERSee SSL_CTX_set_options(3)
    -
    MSIE_SSLV2_RSA_PADDING also aliased as -CVE-2005-2969. Postfix 2.8 disables this work-around by default -with OpenSSL versions that may predate the fix. Fixed in OpenSSL 0.9.7h -and OpenSSL 0.9.8a.
    -
    SSLEAY_080_CLIENT_DH_BUGSee SSL_CTX_set_options(3)
    -
    TLS_D5_BUGSee SSL_CTX_set_options(3)
    -
    TLS_BLOCK_PADDING_BUGSee SSL_CTX_set_options(3)
    -
    TLS_ROLLBACK_BUGSee SSL_CTX_set_options(3). This is disabled -in OpenSSL 0.9.7 and later. Nobody should still be using 0.9.6!
    -
    DONT_INSERT_EMPTY_FRAGMENTSSee SSL_CTX_set_options(3)
    -
    CRYPTOPRO_TLSEXT_BUGNew with GOST support in OpenSSL 1.0.0.
    + +
    MICROSOFT_SESS_ID_BUG
    See SSL_CTX_set_options(3)
    + +
    NETSCAPE_CHALLENGE_BUG
    See SSL_CTX_set_options(3)
    + +
    LEGACY_SERVER_CONNECT
    See SSL_CTX_set_options(3)
    + +
    NETSCAPE_REUSE_CIPHER_CHANGE_BUG
    also aliased +as CVE-2010-4180. Postfix 2.8 disables this work-around by +default with OpenSSL versions that may predate the fix. Fixed in +OpenSSL 0.9.8q and OpenSSL 1.0.0c.
    + +
    SSLREF2_REUSE_CERT_TYPE_BUG
    See +SSL_CTX_set_options(3)
    + +
    MICROSOFT_BIG_SSLV3_BUFFER
    See +SSL_CTX_set_options(3)
    + +
    MSIE_SSLV2_RSA_PADDING
    also aliased as +CVE-2005-2969. Postfix 2.8 disables this work-around by +default with OpenSSL versions that may predate the fix. Fixed in +OpenSSL 0.9.7h and OpenSSL 0.9.8a.
    + +
    SSLEAY_080_CLIENT_DH_BUG
    See +SSL_CTX_set_options(3)
    + +
    TLS_D5_BUG
    See SSL_CTX_set_options(3)
    + +
    TLS_BLOCK_PADDING_BUG
    See SSL_CTX_set_options(3)
    + +
    TLS_ROLLBACK_BUG
    See SSL_CTX_set_options(3). +This is disabled in OpenSSL 0.9.7 and later. Nobody should still +be using 0.9.6!
    + +
    DONT_INSERT_EMPTY_FRAGMENTS
    See +SSL_CTX_set_options(3)
    + +
    CRYPTOPRO_TLSEXT_BUG
    New with GOST support in +OpenSSL 1.0.0.
    +

    This feature is available in Postfix 2.8 and later.

    diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index ac9bfab21..cbd42a3d0 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -4001,7 +4001,7 @@ When no "=filter" is specified, \fBpostscreen\fR(8) will use any non-error DNSBL reply. Otherwise, \fBpostscreen\fR(8) uses only DNSBL replies that match the filter. The filter has the form d.d.d.d, where each d is a number, or a pattern inside [] that contains one -or more comma-separated numbers or number..number ranges. +or more ";"-separated numbers or number..number ranges. .IP \(bu When no "*weight" is specified, \fBpostscreen\fR(8) increments the SMTP client's DNSBL score by 1. Otherwise, the weight must be @@ -7283,7 +7283,7 @@ Postfix version 2.5). This feature is available with Postfix version Reject the request when the reversed client network address is listed with the A record "\fId.d.d.d\fR" under \fIrbl_domain\fR (Postfix version 2.1 and later only). Each "\fId\fR" is a number, -or a pattern inside "[]" that contains one or more comma-separated +or a pattern inside "[]" that contains one or more ";"-separated numbers or number..number ranges (Postfix version 2.8 and later). If no "\fI=d.d.d.d\fR" is specified, reject the request when the reversed client network address is listed with any A record under @@ -7298,7 +7298,7 @@ This feature is available in Postfix 2.0 and later. Accept the request when the reversed client network address is listed with the A record "\fId.d.d.d\fR" under \fIdnswl_domain\fR. Each "\fId\fR" is a number, or a pattern inside "[]" that contains -one or more comma-separated numbers or number..number ranges. +one or more ";"-separated numbers or number..number ranges. If no "\fI=d.d.d.d\fR" is specified, accept the request when the reversed client network address is listed with any A record under \fIdnswl_domain\fR. 
@@ -7311,7 +7311,7 @@ is available in Postfix 2.8 and later. Reject the request when the client hostname is listed with the A record "\fId.d.d.d\fR" under \fIrbl_domain\fR (Postfix version 2.1 and later only). Each "\fId\fR" is a number, or a pattern -inside "[]" that contains one or more comma-separated numbers or +inside "[]" that contains one or more ";"-separated numbers or number..number ranges (Postfix version 2.8 and later). If no "\fI=d.d.d.d\fR" is specified, reject the request when the client hostname is listed with @@ -7324,7 +7324,7 @@ produce better results. Accept the request when the client hostname is listed with the A record "\fId.d.d.d\fR" under \fIrhswl_domain\fR. Each "\fId\fR" is a number, or a pattern inside "[]" that contains one or more -comma-separated numbers or number..number ranges. If no +";"-separated numbers or number..number ranges. If no "\fI=d.d.d.d\fR" is specified, accept the request when the client hostname is listed with any A record under \fIrhswl_domain\fR. .br @@ -7341,7 +7341,7 @@ when whitelist lookup fails. This feature is available in Postfix Reject the request when the unverified reverse client hostname is listed with the A record "\fId.d.d.d\fR" under \fIrbl_domain\fR. Each "\fId\fR" is a number, or a pattern inside "[]" that contains -one or more comma-separated numbers or number..number ranges. +one or more ";"-separated numbers or number..number ranges. If no "\fI=d.d.d.d\fR" is specified, reject the request when the unverified reverse client hostname is listed with any A record under \fIrbl_domain\fR. See the reject_rbl_client description above for 
@@ -7828,7 +7828,7 @@ rejected requests (default: 504). Reject the request when the HELO or EHLO hostname hostname is listed with the A record "\fId.d.d.d\fR" under \fIrbl_domain\fR (Postfix version 2.1 and later only). Each "\fId\fR" is a number, -or a pattern inside "[]" that contains one or more comma-separated +or a pattern inside "[]" that contains one or more ";"-separated numbers or number..number ranges (Postfix version 2.8 and later). If no "\fI=d.d.d.d\fR" is specified, reject the request when the HELO or EHLO hostname is @@ -8080,7 +8080,7 @@ rejected requests (default: 504). Reject the request when the RCPT TO domain is listed with the A record "\fId.d.d.d\fR" under \fIrbl_domain\fR (Postfix version 2.1 and later only). Each "\fId\fR" is a number, or a pattern -inside "[]" that contains one or more comma-separated numbers or +inside "[]" that contains one or more ";"-separated numbers or number..number ranges (Postfix version 2.8 and later). If no "\fI=d.d.d.d\fR" is specified, reject the request when the RCPT TO domain is listed with @@ -8525,7 +8525,7 @@ rejected requests (default: 504). Reject the request when the MAIL FROM domain is listed with the A record "\fId.d.d.d\fR" under \fIrbl_domain\fR (Postfix version 2.1 and later only). Each "\fId\fR" is a number, or a -pattern inside "[]" that contains one or more comma-separated numbers +pattern inside "[]" that contains one or more ";"-separated numbers or number..number ranges (Postfix version 2.8 and later). If no "\fI=d.d.d.d\fR" is specified, reject the request when the MAIL FROM domain is 
@@ -9599,26 +9599,46 @@ of specific named bug work-arounds chosen from the list below. It is possible that your OpenSSL version includes new bug work-arounds added after your Postfix source code was last updated, in that case you can only disable one of these via the hexadecimal syntax above. -.IP "\fBMICROSOFT_SESS_ID_BUG\fRSee SSL_CTX_\fBset_options\fR(3)" -.IP "\fBNETSCAPE_CHALLENGE_BUG\fRSee SSL_CTX_\fBset_options\fR(3)" -.IP "\fBLEGACY_SERVER_CONNECT\fRSee SSL_CTX_\fBset_options\fR(3)" -.IP "\fBNETSCAPE_REUSE_CIPHER_CHANGE_BUG\fR also aliased as -\fBCVE-2010-4180\fR. Postfix 2.8 disables this work-around by default -with OpenSSL versions that may predate the fix. Fixed in OpenSSL 0.9.8q -and OpenSSL 1.0.0c." -.IP "\fBSSLREF2_REUSE_CERT_TYPE_BUG\fRSee SSL_CTX_\fBset_options\fR(3)" -.IP "\fBMICROSOFT_BIG_SSLV3_BUFFER\fRSee SSL_CTX_\fBset_options\fR(3)" -.IP "\fBMSIE_SSLV2_RSA_PADDING\fR also aliased as -\fBCVE-2005-2969\fR. Postfix 2.8 disables this work-around by default -with OpenSSL versions that may predate the fix. Fixed in OpenSSL 0.9.7h -and OpenSSL 0.9.8a." -.IP "\fBSSLEAY_080_CLIENT_DH_BUG\fRSee SSL_CTX_\fBset_options\fR(3)" -.IP "\fBTLS_D5_BUG\fRSee SSL_CTX_\fBset_options\fR(3)" -.IP "\fBTLS_BLOCK_PADDING_BUG\fRSee SSL_CTX_\fBset_options\fR(3)" -.IP "\fBTLS_ROLLBACK_BUG\fRSee SSL_CTX_\fBset_options\fR(3). This is disabled -in OpenSSL 0.9.7 and later. Nobody should still be using 0.9.6!" -.IP "\fBDONT_INSERT_EMPTY_FRAGMENTS\fRSee SSL_CTX_\fBset_options\fR(3)" -.IP "\fBCRYPTOPRO_TLSEXT_BUG\fRNew with GOST support in OpenSSL 1.0.0." +.IP "\fBMICROSOFT_SESS_ID_BUG\fR" +See SSL_CTX_\fBset_options\fR(3) +.IP "\fBNETSCAPE_CHALLENGE_BUG\fR" +See SSL_CTX_\fBset_options\fR(3) +.IP "\fBLEGACY_SERVER_CONNECT\fR" +See SSL_CTX_\fBset_options\fR(3) +.IP "\fBNETSCAPE_REUSE_CIPHER_CHANGE_BUG\fR" +also aliased +as \fBCVE-2010-4180\fR. Postfix 2.8 disables this work-around by +default with OpenSSL versions that may predate the fix. 
Fixed in +OpenSSL 0.9.8q and OpenSSL 1.0.0c. +.IP "\fBSSLREF2_REUSE_CERT_TYPE_BUG\fR" +See +SSL_CTX_\fBset_options\fR(3) +.IP "\fBMICROSOFT_BIG_SSLV3_BUFFER\fR" +See +SSL_CTX_\fBset_options\fR(3) +.IP "\fBMSIE_SSLV2_RSA_PADDING\fR" +also aliased as +\fBCVE-2005-2969\fR. Postfix 2.8 disables this work-around by +default with OpenSSL versions that may predate the fix. Fixed in +OpenSSL 0.9.7h and OpenSSL 0.9.8a. +.IP "\fBSSLEAY_080_CLIENT_DH_BUG\fR" +See +SSL_CTX_\fBset_options\fR(3) +.IP "\fBTLS_D5_BUG\fR" +See SSL_CTX_\fBset_options\fR(3) +.IP "\fBTLS_BLOCK_PADDING_BUG\fR" +See SSL_CTX_\fBset_options\fR(3) +.IP "\fBTLS_ROLLBACK_BUG\fR" +See SSL_CTX_\fBset_options\fR(3). +This is disabled in OpenSSL 0.9.7 and later. Nobody should still +be using 0.9.6! +.IP "\fBDONT_INSERT_EMPTY_FRAGMENTS\fR" +See +SSL_CTX_\fBset_options\fR(3) +.IP "\fBCRYPTOPRO_TLSEXT_BUG\fR" +New with GOST support in +OpenSSL 1.0.0. +.PP This feature is available in Postfix 2.8 and later. .SH tls_eecdh_strong_curve (default: prime256v1) The elliptic curve used by the SMTP server for sensibly strong diff --git a/postfix/proto/POSTSCREEN_README.html b/postfix/proto/POSTSCREEN_README.html index cb7da2cc5..de4640099 100644 --- a/postfix/proto/POSTSCREEN_README.html +++ b/postfix/proto/POSTSCREEN_README.html @@ -53,8 +53,8 @@ SpamAssassin, and Milter applications.

    Each layer reduces the spam volume. The general strategy is to -eliminate spam early with the less expensive defenses and to use -the more expensive defenses for the spam that remains.

    +use the less expensive defenses first, and to use the more expensive +defenses for the spam that remains.

    Topics in this document:

    diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 3797966c6..4fac6825c 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -4880,7 +4880,7 @@ Postfix version 2.5). This feature is available with Postfix version
    Reject the request when the reversed client network address is listed with the A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later only). Each "d" is a number, -or a pattern inside "[]" that contains one or more comma-separated +or a pattern inside "[]" that contains one or more ";"-separated numbers or number..number ranges (Postfix version 2.8 and later). If no "=d.d.d.d" is specified, reject the request when the reversed client network address is listed with any A record under @@ -4896,7 +4896,7 @@ This feature is available in Postfix 2.0 and later.
    Accept the request when the reversed client network address is listed with the A record "d.d.d.d" under dnswl_domain. Each "d" is a number, or a pattern inside "[]" that contains -one or more comma-separated numbers or number..number ranges. +one or more ";"-separated numbers or number..number ranges. If no "=d.d.d.d" is specified, accept the request when the reversed client network address is listed with any A record under dnswl_domain.
    For safety, permit_dnswl_client is silently @@ -4909,7 +4909,7 @@ is available in Postfix 2.8 and later.
    Reject the request when the client hostname is listed with the A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later only). Each "d" is a number, or a pattern -inside "[]" that contains one or more comma-separated numbers or +inside "[]" that contains one or more ";"-separated numbers or number..number ranges (Postfix version 2.8 and later). If no "=d.d.d.d" is specified, reject the request when the client hostname is listed with @@ -4924,7 +4924,7 @@ produce better results.
    Accept the request when the client hostname is listed with the A record "d.d.d.d" under rhswl_domain. Each "d" is a number, or a pattern inside "[]" that contains one or more -comma-separated numbers or number..number ranges. If no +";"-separated numbers or number..number ranges. If no "=d.d.d.d" is specified, accept the request when the client hostname is listed with any A record under rhswl_domain.
    Caution: client name whitelisting is fragile, since the client @@ -4941,7 +4941,7 @@ when whitelist lookup fails. This feature is available in Postfix
    Reject the request when the unverified reverse client hostname is listed with the A record "d.d.d.d" under rbl_domain. Each "d" is a number, or a pattern inside "[]" that contains -one or more comma-separated numbers or number..number ranges. +one or more ";"-separated numbers or number..number ranges. If no "=d.d.d.d" is specified, reject the request when the unverified reverse client hostname is listed with any A record under rbl_domain. See the reject_rbl_client description above for @@ -5403,7 +5403,7 @@ rejected requests (default: 504).
    Reject the request when the HELO or EHLO hostname hostname is listed with the A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later only). Each "d" is a number, -or a pattern inside "[]" that contains one or more comma-separated +or a pattern inside "[]" that contains one or more ";"-separated numbers or number..number ranges (Postfix version 2.8 and later). If no "=d.d.d.d" is specified, reject the request when the HELO or EHLO hostname is @@ -5702,7 +5702,7 @@ rejected requests (default: 504).
    Reject the request when the RCPT TO domain is listed with the A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later only). Each "d" is a number, or a pattern -inside "[]" that contains one or more comma-separated numbers or +inside "[]" that contains one or more ";"-separated numbers or number..number ranges (Postfix version 2.8 and later). If no "=d.d.d.d" is specified, reject the request when the RCPT TO domain is listed with @@ -6080,7 +6080,7 @@ rejected requests (default: 504).
    Reject the request when the MAIL FROM domain is listed with the A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later only). Each "d" is a number, or a -pattern inside "[]" that contains one or more comma-separated numbers +pattern inside "[]" that contains one or more ";"-separated numbers or number..number ranges (Postfix version 2.8 and later). If no "=d.d.d.d" is specified, reject the request when the MAIL FROM domain is @@ -12713,7 +12713,7 @@ comma or whitespace.

    non-error DNSBL reply. Otherwise, postscreen(8) uses only DNSBL replies that match the filter. The filter has the form d.d.d.d, where each d is a number, or a pattern inside [] that contains one -or more comma-separated numbers or number..number ranges.

    +or more ";"-separated numbers or number..number ranges.

  • When no "*weight" is specified, postscreen(8) increments the SMTP client's DNSBL score by 1. Otherwise, the weight must be @@ -13572,26 +13572,46 @@ added after your Postfix source code was last updated, in that case you can only disable one of these via the hexadecimal syntax above.

    -
    MICROSOFT_SESS_ID_BUGSee SSL_CTX_set_options(3)
    -
    NETSCAPE_CHALLENGE_BUGSee SSL_CTX_set_options(3)
    -
    LEGACY_SERVER_CONNECTSee SSL_CTX_set_options(3)
    -
    NETSCAPE_REUSE_CIPHER_CHANGE_BUG also aliased as -CVE-2010-4180. Postfix 2.8 disables this work-around by default -with OpenSSL versions that may predate the fix. Fixed in OpenSSL 0.9.8q -and OpenSSL 1.0.0c.
    -
    SSLREF2_REUSE_CERT_TYPE_BUGSee SSL_CTX_set_options(3)
    -
    MICROSOFT_BIG_SSLV3_BUFFERSee SSL_CTX_set_options(3)
    -
    MSIE_SSLV2_RSA_PADDING also aliased as -CVE-2005-2969. Postfix 2.8 disables this work-around by default -with OpenSSL versions that may predate the fix. Fixed in OpenSSL 0.9.7h -and OpenSSL 0.9.8a.
    -
    SSLEAY_080_CLIENT_DH_BUGSee SSL_CTX_set_options(3)
    -
    TLS_D5_BUGSee SSL_CTX_set_options(3)
    -
    TLS_BLOCK_PADDING_BUGSee SSL_CTX_set_options(3)
    -
    TLS_ROLLBACK_BUGSee SSL_CTX_set_options(3). This is disabled -in OpenSSL 0.9.7 and later. Nobody should still be using 0.9.6!
    -
    DONT_INSERT_EMPTY_FRAGMENTSSee SSL_CTX_set_options(3)
    -
    CRYPTOPRO_TLSEXT_BUGNew with GOST support in OpenSSL 1.0.0.
    + +
    MICROSOFT_SESS_ID_BUG
    See SSL_CTX_set_options(3)
    + +
    NETSCAPE_CHALLENGE_BUG
    See SSL_CTX_set_options(3)
    + +
    LEGACY_SERVER_CONNECT
    See SSL_CTX_set_options(3)
    + +
    NETSCAPE_REUSE_CIPHER_CHANGE_BUG
    also aliased +as CVE-2010-4180. Postfix 2.8 disables this work-around by +default with OpenSSL versions that may predate the fix. Fixed in +OpenSSL 0.9.8q and OpenSSL 1.0.0c.
    + +
    SSLREF2_REUSE_CERT_TYPE_BUG
    See +SSL_CTX_set_options(3)
    + +
    MICROSOFT_BIG_SSLV3_BUFFER
    See +SSL_CTX_set_options(3)
    + +
    MSIE_SSLV2_RSA_PADDING
    also aliased as +CVE-2005-2969. Postfix 2.8 disables this work-around by +default with OpenSSL versions that may predate the fix. Fixed in +OpenSSL 0.9.7h and OpenSSL 0.9.8a.
    + +
    SSLEAY_080_CLIENT_DH_BUG
    See +SSL_CTX_set_options(3)
    + +
    TLS_D5_BUG
    See SSL_CTX_set_options(3)
    + +
    TLS_BLOCK_PADDING_BUG
    See SSL_CTX_set_options(3)
    + +
    TLS_ROLLBACK_BUG
    See SSL_CTX_set_options(3). +This is disabled in OpenSSL 0.9.7 and later. Nobody should still +be using 0.9.6!
    + +
    DONT_INSERT_EMPTY_FRAGMENTS
    See +SSL_CTX_set_options(3)
    + +
    CRYPTOPRO_TLSEXT_BUG
    New with GOST support in +OpenSSL 1.0.0.
    +

    This feature is available in Postfix 2.8 and later.
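Review bot: after splitting each work-around name from its description, the entries for NETSCAPE_REUSE_CIPHER_CHANGE_BUG and MSIE_SSLV2_RSA_PADDING now open a standalone paragraph with the lowercase fragment "also aliased as CVE-2010-4180." / "also aliased as CVE-2005-2969."; with the bold name on its own line this reads as a sentence without a subject, so "Also known as CVE-2010-4180." (and likewise for CVE-2005-2969) would render cleanly in both the generated man page and the HTML. The 20110118 HISTORY entry also does not mention this list restructuring in proto/postconf.proto; a one-line "Cleanup:" entry would keep the changelog complete.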

    diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index ef4fa9b38..7577a9fd1 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20110117" +#define MAIL_RELEASE_DATE "20110118" #define MAIL_VERSION_NUMBER "2.9" #ifdef SNAPSHOT diff --git a/postfix/src/postscreen/postscreen_access.c b/postfix/src/postscreen/postscreen_access.c index 5c67495f7..ba386a509 100644 --- a/postfix/src/postscreen/postscreen_access.c +++ b/postfix/src/postscreen/postscreen_access.c @@ -169,6 +169,8 @@ int psc_acl_eval(PSC_STATE *state, ARGV *acl, const char *origin) "of this access list", name); return (PSC_ACL_ACT_ERROR); } + } else if (STREQ(name, PSC_ACL_NAME_DUNNO)) { + return (PSC_ACL_ACT_DUNNO); } else { msg_warn("%s: unknown command: %s -- ignoring the remainder " "of this access list", origin, name); diff --git a/postfix/src/postscreen/postscreen_dict.c b/postfix/src/postscreen/postscreen_dict.c index 1db010251..ce7efd056 100644 --- a/postfix/src/postscreen/postscreen_dict.c +++ b/postfix/src/postscreen/postscreen_dict.c 
@@ -68,22 +68,50 @@ #include +/* psc_average - moving average */ + +static double psc_average(double new, double old) +{ + return (0.1 * new + 0.9 * old); +} + /* * Monitor time-critical operations. + * + * XXX Averaging support was added during a stable release candidate, so it + * provides only the absolute minimum necessary. A complete implementation + * should maintain separate statistics for each table, and it should not + * complain when the average time between table access is larger than the + * average table access latency. */ #define PSC_GET_TIME_BEFORE_LOOKUP \ struct timeval _before, _after; \ DELTA_TIME _delta; \ + double _new_delta_ms; \ GETTIMEOFDAY(&_before); -#define PSC_DELTA_MS(d) ((d).dt_sec * 1000 + (d).dt_usec / 1000) +#define PSC_DELTA_MS(d) ((d).dt_sec * 1000.0 + (d).dt_usec / 1000.0) + +#ifndef PSC_THRESHOLD_MS +#define PSC_THRESHOLD_MS 100 /* nag if latency > 100ms */ +#endif + +#ifndef PSC_WARN_LOCKOUT_S +#define PSC_WARN_LOCKOUT_S 60 /* don't nag for 60s */ +#endif + +static time_t psc_last_warn = 0; -#define PSC_CHECK_TIME_AFTER_LOOKUP(table, action) \ +#define PSC_CHECK_TIME_AFTER_LOOKUP(table, action, average) \ GETTIMEOFDAY(&_after); \ PSC_CALC_DELTA(_delta, _after, _before); \ - if (_delta.dt_sec > 1 || _delta.dt_usec > 100000) \ - msg_warn("%s: %s %s took %d ms", \ - myname, (table), (action), PSC_DELTA_MS(_delta)); + _new_delta_ms = PSC_DELTA_MS(_delta); \ + if ((average = psc_average(_new_delta_ms, average)) > PSC_THRESHOLD_MS \ + && psc_last_warn < event_time() - PSC_WARN_LOCKOUT_S) { \ + msg_warn("%s: %s %s average delay is %.0f ms", \ + myname, (table), (action), average); \ + psc_last_warn = event_time(); \ + } /* psc_addr_match_list_match - time-critical address list lookup */ 
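Review bot: psc_last_warn is a single global, so the PSC_WARN_LOCKOUT_S lockout in PSC_CHECK_TIME_AFTER_LOOKUP is shared by every table and action: once the cache-update average trips the 100 ms threshold, a slow address-list or dict lookup that crosses it a few seconds later is silent until the minute is up, and the `average` printed belongs to whichever call happened to fire first. If per-table statistics are out of scope for the RC (as the XXX comment says), a `static time_t` next to each `latency_ms` would at least keep the lockouts independent. Minor: the macro body ends in a bare `if (...) { ... }` rather than `do { ... } while (0)`, so the `;` at the call sites is an empty statement and the macro cannot be used as an `if`/`else` arm.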
@@ -92,10 +120,11 @@ int psc_addr_match_list_match(ADDR_MATCH_LIST *addr_list, { const char *myname = "psc_addr_match_list_match"; int result; + static double latency_ms; PSC_GET_TIME_BEFORE_LOOKUP; result = addr_match_list_match(addr_list, addr_str); - PSC_CHECK_TIME_AFTER_LOOKUP("address list", "lookup"); + PSC_CHECK_TIME_AFTER_LOOKUP("address list", "lookup", latency_ms); return (result); } @@ -105,10 +134,11 @@ const char *psc_cache_lookup(DICT_CACHE *cache, const char *key) { const char *myname = "psc_cache_lookup"; const char *result; + static double latency_ms; PSC_GET_TIME_BEFORE_LOOKUP; result = dict_cache_lookup(cache, key); - PSC_CHECK_TIME_AFTER_LOOKUP(dict_cache_name(cache), "lookup"); + PSC_CHECK_TIME_AFTER_LOOKUP(dict_cache_name(cache), "lookup", latency_ms); return (result); } @@ -117,10 +147,11 @@ const char *psc_cache_lookup(DICT_CACHE *cache, const char *key) void psc_cache_update(DICT_CACHE *cache, const char *key, const char *value) { const char *myname = "psc_cache_update"; + static double latency_ms; PSC_GET_TIME_BEFORE_LOOKUP; dict_cache_update(cache, key, value); - PSC_CHECK_TIME_AFTER_LOOKUP(dict_cache_name(cache), "update"); + PSC_CHECK_TIME_AFTER_LOOKUP(dict_cache_name(cache), "update", latency_ms); } /* psc_dict_get - time-critical table lookup */ @@ -129,10 +160,11 @@ const char *psc_dict_get(DICT *dict, const char *key) { const char *myname = "psc_dict_get"; const char *result; + static double latency_ms; PSC_GET_TIME_BEFORE_LOOKUP; result = dict_get(dict, key); - PSC_CHECK_TIME_AFTER_LOOKUP(dict->name, "lookup"); + PSC_CHECK_TIME_AFTER_LOOKUP(dict->name, "lookup", latency_ms); return (result); } 
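Review bot: the new `static double latency_ms` in psc_dict_get() (and psc_maps_find() below) is one moving average for every DICT or MAPS passed to the function, while the warning prints the current call's dict->name / maps->title; when several postscreen tables go through the same function, the name logged is the table whose lookup happened to push the shared average past PSC_THRESHOLD_MS, not necessarily the slow one. Until the per-table statistics mentioned in the XXX comment exist, including the current sample alongside the average, e.g. `"%s: %s %s took %.0f ms (average %.0f ms)"` with `_new_delta_ms`, would make the message less misleading.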
@@ -142,9 +174,10 @@ const char *psc_maps_find(MAPS *maps, const char *key, int flags) { const char *myname = "psc_maps_find"; const char *result; + static double latency_ms; PSC_GET_TIME_BEFORE_LOOKUP; result = maps_find(maps, key, flags); - PSC_CHECK_TIME_AFTER_LOOKUP(maps->title, "lookup"); + PSC_CHECK_TIME_AFTER_LOOKUP(maps->title, "lookup", latency_ms); return (result); } diff --git a/postfix/src/tls/tls_misc.c b/postfix/src/tls/tls_misc.c index bc7b70382..e4d217d27 100644 --- a/postfix/src/tls/tls_misc.c +++ b/postfix/src/tls/tls_misc.c 
@@ -219,76 +219,62 @@ static const NAME_CODE protocol_table[] = { }; /* - * SSL_OP_MUMBLE bug work-around name <=> mask conversion. We expect the C - * preprocessor to be able to handle "long" #if operands + * SSL_OP_MUMBLE bug work-around name <=> mask conversion. */ #define NAMEBUG(x) #x, SSL_OP_##x static const LONG_NAME_MASK ssl_bug_tweaks[] = { -#if defined(SSL_OP_MICROSOFT_SESS_ID_BUG) && \ - ((SSL_OP_MICROSOFT_SESS_ID_BUG & SSL_OP_ALL) != 0L) +#if defined(SSL_OP_MICROSOFT_SESS_ID_BUG) NAMEBUG(MICROSOFT_SESS_ID_BUG), /* 0x00000001L */ #endif -#if defined(SSL_OP_NETSCAPE_CHALLENGE_BUG) && \ - ((SSL_OP_NETSCAPE_CHALLENGE_BUG & SSL_OP_ALL) != 0L) +#if defined(SSL_OP_NETSCAPE_CHALLENGE_BUG) NAMEBUG(NETSCAPE_CHALLENGE_BUG), /* 0x00000002L */ #endif -#if defined(SSL_OP_LEGACY_SERVER_CONNECT) && \ - ((SSL_OP_LEGACY_SERVER_CONNECT & SSL_OP_ALL) != 0L) +#if defined(SSL_OP_LEGACY_SERVER_CONNECT) NAMEBUG(LEGACY_SERVER_CONNECT), /* 0x00000004L */ #endif -#if defined(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && \ - ((SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG & SSL_OP_ALL) != 0L) +#if defined(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) NAMEBUG(NETSCAPE_REUSE_CIPHER_CHANGE_BUG), /* 0x00000008L */ "CVE-2010-4180", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG, #endif -#if defined(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG) && \ - ((SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG & SSL_OP_ALL) != 0L) +#if defined(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG) NAMEBUG(SSLREF2_REUSE_CERT_TYPE_BUG), /* 0x00000010L */ #endif -#if defined(SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER) && \ - ((SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER & SSL_OP_ALL) != 0L) +#if defined(SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER) NAMEBUG(MICROSOFT_BIG_SSLV3_BUFFER),/* 0x00000020L */ #endif -#if defined(SSL_OP_MSIE_SSLV2_RSA_PADDING) && \ - ((SSL_OP_MSIE_SSLV2_RSA_PADDING & SSL_OP_ALL) != 0L) +#if defined(SSL_OP_MSIE_SSLV2_RSA_PADDING) NAMEBUG(MSIE_SSLV2_RSA_PADDING), /* 0x00000040L */ "CVE-2005-2969", SSL_OP_MSIE_SSLV2_RSA_PADDING, #endif -#if 
defined(SSL_OP_SSLEAY_080_CLIENT_DH_BUG) && \ - ((SSL_OP_SSLEAY_080_CLIENT_DH_BUG & SSL_OP_ALL) != 0L) +#if defined(SSL_OP_SSLEAY_080_CLIENT_DH_BUG) NAMEBUG(SSLEAY_080_CLIENT_DH_BUG), /* 0x00000080L */ #endif -#if defined(SSL_OP_TLS_D5_BUG) && \ - ((SSL_OP_TLS_D5_BUG & SSL_OP_ALL) != 0L) +#if defined(SSL_OP_TLS_D5_BUG) NAMEBUG(TLS_D5_BUG), /* 0x00000100L */ #endif -#if defined(SSL_OP_TLS_BLOCK_PADDING_BUG) && \ - ((SSL_OP_TLS_BLOCK_PADDING_BUG & SSL_OP_ALL) != 0L) +#if defined(SSL_OP_TLS_BLOCK_PADDING_BUG) NAMEBUG(TLS_BLOCK_PADDING_BUG), /* 0x00000200L */ #endif -#if defined(SSL_OP_TLS_ROLLBACK_BUG) && \ - ((SSL_OP_TLS_ROLLBACK_BUG & SSL_OP_ALL) != 0L) +#if defined(SSL_OP_TLS_ROLLBACK_BUG) NAMEBUG(TLS_ROLLBACK_BUG), /* 0x00000400L */ #endif -#if defined(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) && \ - ((SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS & SSL_OP_ALL) != 0L) +#if defined(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) NAMEBUG(DONT_INSERT_EMPTY_FRAGMENTS), /* 0x00000800L */ #endif -#if defined(SSL_OP_CRYPTOPRO_TLSEXT_BUG) && \ - ((SSL_OP_CRYPTOPRO_TLSEXT_BUG & SSL_OP_ALL) != 0L) +#if defined(SSL_OP_CRYPTOPRO_TLSEXT_BUG) NAMEBUG(CRYPTOPRO_TLSEXT_BUG), /* 0x80000000L */ #endif 0, 0, diff --git a/postfix/src/util/ip_match.c b/postfix/src/util/ip_match.c index eb9333481..1cf1b78d8 100644 --- a/postfix/src/util/ip_match.c +++ b/postfix/src/util/ip_match.c @@ -64,7 +64,7 @@ /* .fi /* An IPv4 address pattern has four fields separated by ".". /* Each field is either a decimal number, or a sequence inside -/* "[]" that contains one or more comma-separated decimal +/* "[]" that contains one or more ";"-separated decimal /* numbers or number..number ranges. /* /* Examples of patterns are 1.2.3.4 (matches itself, as one @@ -91,7 +91,7 @@ /* .br /* v4octet = any decimal number in the range 0 through 255 /* .br -/* v4sequence = v4seq_member | v4sequence "," v4seq_member +/* v4sequence = v4seq_member | v4sequence ";" v4seq_member /* .br /* v4seq_member = v4octet | v4octet ".." v4octet /* .in 
@@ -206,7 +206,7 @@ char *ip_match_dump(VSTRING *printable, const char *byte_codes) } /* Output the wild-card field separator and repeat the loop. */ if (*bp != IP_MATCH_CODE_CLOSE) - vstring_sprintf_append(printable, ","); + vstring_sprintf_append(printable, ";"); } vstring_sprintf_append(printable, "]"); } @@ -507,7 +507,7 @@ char *ip_match_parse(VSTRING *byte_codes, char *pattern) */ case IP_MATCH_CODE_OPEN: VSTRING_ADDCH(byte_codes, IP_MATCH_CODE_OPEN); - /* Require comma-separated numbers or numeric ranges. */ + /* Require ";"-separated numbers or numeric ranges. */ for (;;) { token_type = ip_match_next_token(&cp, &saved_cp, &oval); if (token_type == IP_MATCH_CODE_OVAL) { @@ -537,16 +537,16 @@ char *ip_match_parse(VSTRING *byte_codes, char *pattern) VSTRING_ADDCH(byte_codes, IP_MATCH_CODE_OVAL); VSTRING_ADDCH(byte_codes, saved_oval); } - /* Require "," or end-of-wildcard. */ + /* Require ";" or end-of-wildcard. */ token_type = look_ahead; - if (token_type == ',') { + if (token_type == ';') { continue; } else if (token_type == IP_MATCH_CODE_CLOSE) { break; } else { ipmatch_print_parse_error(byte_codes, pattern, saved_cp, cp, - "need \",\" or \"%c\"", + "need \";\" or \"%c\"", IP_MATCH_CODE_CLOSE); return (STR(byte_codes)); } diff --git a/postfix/src/util/ip_match.in b/postfix/src/util/ip_match.in index 0aae84b58..bca0d6e67 100644 --- a/postfix/src/util/ip_match.in +++ b/postfix/src/util/ip_match.in @@ -4,12 +4,12 @@ 1.2.3. 1.2.3 a -1.2.3,4 +1.2.3;4 1.2.[3].4 1.2.[].4 1.2.[.4 1.2.].4 -1.2.[1..127,128..255].5 +1.2.[1..127;128..255].5 1.2.[1-255].5 1.2.[1..127.128..255].5 1.2.3.[4] @@ -19,4 +19,4 @@ a 1.2.3.[x] 1.2.3.4x 1.2.[3..11].5 1.2.3.5 1.2.2.5 1.2.11.5 1.2.12.5 1.2.11.6 -1.2.[3,5,7,9,11].5 1.2.3.5 1.2.2.5 1.2.4.5 1.2.11.5 1.2.12.5 1.2.11.6 +1.2.[3;5;7;9;11].5 1.2.3.5 1.2.2.5 1.2.4.5 1.2.11.5 1.2.12.5 1.2.11.6 diff --git a/postfix/src/util/ip_match.ref b/postfix/src/util/ip_match.ref index 3293b10ec..22c823edf 100644 --- a/postfix/src/util/ip_match.ref 
+++ b/postfix/src/util/ip_match.ref @@ -10,8 +10,8 @@ Error: need decimal number 0..255 or "[" at "1.2.3.><" Error: need "." at "1.2.3><" > a Error: need decimal number 0..255 or "[" at ">a<" -> 1.2.3,4 -Error: need "." at "1.2.3>,<4" +> 1.2.3;4 +Error: need "." at "1.2.3>;<4" > 1.2.[3].4 Code: 1.2.[3].4 > 1.2.[].4 @@ -20,12 +20,12 @@ Error: need decimal number 0..255 at "1.2.[>]<.4" Error: need decimal number 0..255 at "1.2.[>.<4" > 1.2.].4 Error: need decimal number 0..255 or "[" at "1.2.>]<.4" -> 1.2.[1..127,128..255].5 -Code: 1.2.[1..127,128..255].5 +> 1.2.[1..127;128..255].5 +Code: 1.2.[1..127;128..255].5 > 1.2.[1-255].5 -Error: need "," or "]" at "1.2.[1>-<255].5" +Error: need ";" or "]" at "1.2.[1>-<255].5" > 1.2.[1..127.128..255].5 -Error: need "," or "]" at "1.2.[1..127>.<128..255].5" +Error: need ";" or "]" at "1.2.[1..127>.<128..255].5" > 1.2.3.[4] Code: 1.2.3.[4] > 1.2.3.[4..1] @@ -45,8 +45,8 @@ Match 1.2.2.5: no Match 1.2.11.5: yes Match 1.2.12.5: no Match 1.2.11.6: no -> 1.2.[3,5,7,9,11].5 1.2.3.5 1.2.2.5 1.2.4.5 1.2.11.5 1.2.12.5 1.2.11.6 -Code: 1.2.[3,5,7,9,11].5 +> 1.2.[3;5;7;9;11].5 1.2.3.5 1.2.2.5 1.2.4.5 1.2.11.5 1.2.12.5 1.2.11.6 +Code: 1.2.[3;5;7;9;11].5 Match 1.2.3.5: yes Match 1.2.2.5: no Match 1.2.4.5: no
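Review bot: in the postscreen_dict.c hunk at @@ -68, the `average` parameter of PSC_CHECK_TIME_AFTER_LOOKUP is expanded three times (once as the assignment target in `if ((average = psc_average(_new_delta_ms, average)) > PSC_THRESHOLD_MS`, once as the source, once in the msg_warn argument), so the macro is only safe for a side-effect-free lvalue such as the `static double latency_ms` the callers pass; a comment stating that restriction next to the macro would prevent a later caller from passing an expression. The 0.1/0.9 weighting in psc_average also deserves a sentence in the XXX comment: because the average starts at 0, a delay that stays just above PSC_THRESHOLD_MS is reported only after roughly ten consecutive slow lookups, while a single stall of more than one second lifts the average past 100 ms in one step and produces a warning although steady-state latency may be fine. On the plus side, the old test `_delta.dt_sec > 1 || _delta.dt_usec > 100000` silently ignored delays between 1.0 and 1.1 s (dt_sec == 1 with small dt_usec); the new double-valued PSC_DELTA_MS comparison closes that gap.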
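Review bot: in the @@ -129 hunk (psc_dict_get), and equally in the @@ -142 hunk (psc_maps_find), the new `static double latency_ms` is per function, not per table: these two wrappers are called with whatever DICT or MAPS the caller hands them, so one average blends every table they serve, and the warning prints the `dict->name` or `maps->title` of the lookup that happened to tip the average, which need not be the slow table. Since the XXX comment in the first hunk already promises per-table statistics, either word the message as an average over all tables accessed through that function, or store the average in the table object so the name in the log matches the table being measured.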
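Review bot: in the tls_misc.c hunk at @@ -219, dropping the `&& ((SSL_OP_X & SSL_OP_ALL) != 0L)` guards is the right fix, but the reason should be recorded in the comment above ssl_bug_tweaks now that the sentence about "long" #if operands is gone: the old filter removed an entry exactly when the OpenSSL build excluded that bit from SSL_OP_ALL, which for NETSCAPE_REUSE_CIPHER_CHANGE_BUG meant the "CVE-2010-4180" alias in this table disappeared on the libraries where an operator is most likely to look for it. A one-line comment such as "entries are listed whether or not the bit is in SSL_OP_ALL; the hex values are informational and vary between OpenSSL versions" would keep the table from drifting back to the filtered form and would clarify that the `/* 0x00000001L */` style annotations are not asserted anywhere.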
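Review bot: in the ip_match.c hunk at @@ -537, the separator character is now spelled out as a literal in the parser test `if (token_type == ';')`, in the error text `"need \";\" or \"%c\""`, in the @@ -507 comment, in ip_match_dump at @@ -206 (`vstring_sprintf_append(printable, ";")`), and in the manual text at @@ -64 and @@ -91. Since dump and parse must agree for the round trip that ip_match.ref checks, consider a single definition (for example `#define IP_MATCH_SEQ_SEP ';'` beside IP_MATCH_CODE_OPEN and IP_MATCH_CODE_CLOSE) used by both the parser comparison and the dump routine, with the error message built from it, so that the next separator change cannot leave the two out of step.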
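Review bot: in the ip_match.in hunk at @@ -4 (and the @@ -19 hunk), every comma test case was rewritten to the ";" form, so the regression test no longer demonstrates that the former separator is rejected inside "[]". Keep the new cases, but add the old inputs back as expected failures, for example `1.2.[1..127,128..255].5` and `1.2.[3,5,7,9,11].5`, with matching `Error: need ";" or "]" at "1.2.[1..127>,<128..255].5"` style lines in ip_match.ref; the existing `1.2.[1-255].5` and `1.2.[1..127.128..255].5` cases show the error format to follow. The converted `1.2.3;4` case is fine as is, since it exercises the "need "." " path outside brackets rather than the separator itself.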