From: Wietse Venema
Date: Thu, 16 Jan 2014 05:00:00 +0000 (-0500)
Subject: postfix-2.10.3
X-Git-Tag: v2.10.3^0
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2e1168f3c1bd6bca3d9640af407e6df81a28f19e;p=thirdparty%2Fpostfix.git
postfix-2.10.3
---
diff --git a/postfix/HISTORY b/postfix/HISTORY
index a9d01ab49..2111c8a49 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -18306,3 +18306,36 @@ Apologies for any names omitted.
encryption key for each smtpd(8) process. The workaround
turns off session tickets. In 2.11 we'll enable session
tickets properly. Viktor Dukhovni. File: tls/tls_server.c.
+
+20131026
+
+ Future proofing: API changes in the PCRE library. File:
+ util/dict_pcre.c.
+
+20131127
+
+ Bugfix (introduced: 20090106): the postconf '-#' option
+ erased prior options. File: postconf/postconf.c.
+
+20131129
+
+ Bugfix: Makefile example in MULTI_INSTANCE_README. Viktor
+ Dukhovni. File: proto/MULTI_INSTANCE_README.html.
+
+20131216
+
+ OpenSSL future proofing: tolerate disappearance of named
+ bug-workaround bits without invalidating tls_disable_workarounds
+ configurations. When support for a bug workaround is removed
+ from OpenSSL, the corresponding bit is defined as zero (i.e.
+ NOOP) instead of causing programs to break. Viktor Dukhovni.
+ File: tls/tls_misc.c.
+
+20131220
+
+ Documentation: typo in SASL_README. Patrick Ben Koetter.
+ File: proto/SASL_README.html.
+
+20140104
+
+ Bugfix: malformed error message. File: conf/post-install.
diff --git a/postfix/README_FILES/MULTI_INSTANCE_README b/postfix/README_FILES/MULTI_INSTANCE_README
index 6186d59cb..6ba963226 100644
--- a/postfix/README_FILES/MULTI_INSTANCE_README
+++ b/postfix/README_FILES/MULTI_INSTANCE_README
@@ -177,7 +177,7 @@ database when none exists.
generic: Makefile
@echo Creating $@
@rm -f $@.tmp
- @printf '%s\t%s+root=%s\n' root $MTAADMIN `uname -n` > $@.tmp
+ @printf '%s\t%s+root=%s\n' root ${MTAADMIN} `uname -n` > $@.tmp
@mv $@.tmp generic
%.cdb: %
diff --git a/postfix/README_FILES/SASL_README b/postfix/README_FILES/SASL_README
index c35481991..83ccd683c 100644
--- a/postfix/README_FILES/SASL_README
+++ b/postfix/README_FILES/SASL_README
@@ -478,7 +478,7 @@ to a PostgreSQL server:
sql_user: username
sql_passwd: secret
sql_database: dbname
- sql_select: SELECT password FROM users WHERE user = '%u'@'%r'
+ sql_select: SELECT password FROM users WHERE user = '%u@%r'
NNoottee
diff --git a/postfix/conf/post-install b/postfix/conf/post-install
index 91ff4a677..cb2792014 100644
--- a/postfix/conf/post-install
+++ b/postfix/conf/post-install
@@ -464,7 +464,7 @@ test -n "$create" && {
case $type in
[hl]) continue;;
[df]) ;;
- *) echo unknown type $type for $path in $daemon_directory/postfix-files1>&2; exit 1;;
+ *) echo unknown type $type for $path in $daemon_directory/postfix-files 1>&2; exit 1;;
esac
# Expand $name, and canonicalize null fields.
for name in path owner group flags
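Review bot: The corrected `echo` still expands `$type`, `$path` and `$daemon_directory` unquoted, so a field read from postfix-files that contains whitespace or a glob character is split or expanded before it reaches the error message. Quoting the whole message keeps the diagnostic faithful to the offending record: `*) echo "unknown type $type for $path in $daemon_directory/postfix-files" 1>&2; exit 1;;`. The enclosing `test -n "$create" && {` block starts and ends outside this hunk, so it is not visible here whether other messages in it have the same form.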
diff --git a/postfix/html/MULTI_INSTANCE_README.html b/postfix/html/MULTI_INSTANCE_README.html
index 37a708577..15587af70 100644
--- a/postfix/html/MULTI_INSTANCE_README.html
+++ b/postfix/html/MULTI_INSTANCE_README.html
@@ -233,7 +233,7 @@ creates a "generic" database when none exists.
generic: Makefile
@echo Creating $@
@rm -f $@.tmp
- @printf '%s\t%s+root=%s\n' root $MTAADMIN `uname -n` > $@.tmp
+ @printf '%s\t%s+root=%s\n' root ${MTAADMIN} `uname -n` > $@.tmp
@mv $@.tmp generic
%.cdb: %
diff --git a/postfix/html/SASL_README.html b/postfix/html/SASL_README.html
index f39feefcd..9c36ab9b5 100644
--- a/postfix/html/SASL_README.html
+++ b/postfix/html/SASL_README.html
@@ -784,7 +784,7 @@ and connects it to a PostgreSQL server:
sql_user: username
sql_passwd: secret
sql_database: dbname
- sql_select: SELECT password FROM users WHERE user = '%u'@'%r'
+ sql_select: SELECT password FROM users WHERE user = '%u@%r'
diff --git a/postfix/proto/MULTI_INSTANCE_README.html b/postfix/proto/MULTI_INSTANCE_README.html
index 2b72d1b45..60064dfab 100644
--- a/postfix/proto/MULTI_INSTANCE_README.html
+++ b/postfix/proto/MULTI_INSTANCE_README.html
@@ -233,7 +233,7 @@ creates a "generic" database when none exists.
generic: Makefile
@echo Creating $@
@rm -f $@.tmp
- @printf '%s\t%s+root=%s\n' root $MTAADMIN `uname -n` > $@.tmp
+ @printf '%s\t%s+root=%s\n' root ${MTAADMIN} `uname -n` > $@.tmp
@mv $@.tmp generic
%.cdb: %
diff --git a/postfix/proto/SASL_README.html b/postfix/proto/SASL_README.html
index 1146a36a1..278ddee19 100644
--- a/postfix/proto/SASL_README.html
+++ b/postfix/proto/SASL_README.html
@@ -784,7 +784,7 @@ and connects it to a PostgreSQL server:
sql_user: username
sql_passwd: secret
sql_database: dbname
- sql_select: SELECT password FROM users WHERE user = '%u'@'%r'
+ sql_select: SELECT password FROM users WHERE user = '%u@%r'
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index b40eb4820..bee76810d 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,8 +20,8 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20130905"
-#define MAIL_VERSION_NUMBER "2.10.2"
+#define MAIL_RELEASE_DATE "20140116"
+#define MAIL_VERSION_NUMBER "2.10.3"
#ifdef SNAPSHOT
# define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
diff --git a/postfix/src/postconf/postconf.c b/postfix/src/postconf/postconf.c
index 95bea1702..9876d0fc8 100644
--- a/postfix/src/postconf/postconf.c
+++ b/postfix/src/postconf/postconf.c
@@ -474,7 +474,7 @@ int main(int argc, char **argv)
cmd_mode |= FOLD_LINE;
break;
case '#':
- cmd_mode = COMMENT_OUT;
+ cmd_mode |= COMMENT_OUT;
break;
case 'h':
cmd_mode &= ~SHOW_NAME;
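Review bot: With `cmd_mode |= COMMENT_OUT;` the '-#' option accumulates with whatever mode bits were set earlier, so the combinations it may legally appear with now depend on a later check that this hunk does not show. If main() validates mutually exclusive modes further down, confirm that COMMENT_OUT is part of that mask; otherwise a command line mixing '-#' with another primary mode would run with both bits set instead of being rejected. A short comment on the case, for example `/* Combine with display flags; conflicting modes are rejected below. */`, would record the intent. main() starts and ends outside the hunk.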
diff --git a/postfix/src/tls/tls_misc.c b/postfix/src/tls/tls_misc.c
index d09bb3225..e7fe6b630 100644
--- a/postfix/src/tls/tls_misc.c
+++ b/postfix/src/tls/tls_misc.c
@@ -241,59 +241,72 @@ static const NAME_CODE protocol_table[] = {
#define NAMEBUG(x) #x, SSL_OP_##x
static const LONG_NAME_MASK ssl_bug_tweaks[] = {
-#if defined(SSL_OP_MICROSOFT_SESS_ID_BUG)
- NAMEBUG(MICROSOFT_SESS_ID_BUG), /* 0x00000001L */
+#ifndef SSL_OP_MICROSOFT_SESS_ID_BUG
+#define SSL_OP_MICROSOFT_SESS_ID_BUG 0
#endif
+ NAMEBUG(MICROSOFT_SESS_ID_BUG),
-#if defined(SSL_OP_NETSCAPE_CHALLENGE_BUG)
- NAMEBUG(NETSCAPE_CHALLENGE_BUG), /* 0x00000002L */
+#ifndef SSL_OP_NETSCAPE_CHALLENGE_BUG
+#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0
#endif
+ NAMEBUG(NETSCAPE_CHALLENGE_BUG),
-#if defined(SSL_OP_LEGACY_SERVER_CONNECT)
- NAMEBUG(LEGACY_SERVER_CONNECT), /* 0x00000004L */
+#ifndef SSL_OP_LEGACY_SERVER_CONNECT
+#define SSL_OP_LEGACY_SERVER_CONNECT 0
#endif
+ NAMEBUG(LEGACY_SERVER_CONNECT),
-#if defined(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)
- NAMEBUG(NETSCAPE_REUSE_CIPHER_CHANGE_BUG), /* 0x00000008L */
- "CVE-2010-4180", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG,
+#ifndef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
+#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0
#endif
+ NAMEBUG(NETSCAPE_REUSE_CIPHER_CHANGE_BUG),
+ "CVE-2010-4180", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG,
-#if defined(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG)
- NAMEBUG(SSLREF2_REUSE_CERT_TYPE_BUG), /* 0x00000010L */
+#ifndef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
+#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0
#endif
+ NAMEBUG(SSLREF2_REUSE_CERT_TYPE_BUG),
-#if defined(SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
- NAMEBUG(MICROSOFT_BIG_SSLV3_BUFFER),/* 0x00000020L */
+#ifndef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
+#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0
#endif
+ NAMEBUG(MICROSOFT_BIG_SSLV3_BUFFER),
-#if defined(SSL_OP_MSIE_SSLV2_RSA_PADDING)
- NAMEBUG(MSIE_SSLV2_RSA_PADDING), /* 0x00000040L */
- "CVE-2005-2969", SSL_OP_MSIE_SSLV2_RSA_PADDING,
+#ifndef SSL_OP_MSIE_SSLV2_RSA_PADDING
+#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0
#endif
+ NAMEBUG(MSIE_SSLV2_RSA_PADDING),
+ "CVE-2005-2969", SSL_OP_MSIE_SSLV2_RSA_PADDING,
-#if defined(SSL_OP_SSLEAY_080_CLIENT_DH_BUG)
- NAMEBUG(SSLEAY_080_CLIENT_DH_BUG), /* 0x00000080L */
+#ifndef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
+#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0
#endif
+ NAMEBUG(SSLEAY_080_CLIENT_DH_BUG),
-#if defined(SSL_OP_TLS_D5_BUG)
- NAMEBUG(TLS_D5_BUG), /* 0x00000100L */
+#ifndef SSL_OP_TLS_D5_BUG
+#define SSL_OP_TLS_D5_BUG 0
#endif
+ NAMEBUG(TLS_D5_BUG),
-#if defined(SSL_OP_TLS_BLOCK_PADDING_BUG)
- NAMEBUG(TLS_BLOCK_PADDING_BUG), /* 0x00000200L */
+#ifndef SSL_OP_TLS_BLOCK_PADDING_BUG
+#define SSL_OP_TLS_BLOCK_PADDING_BUG 0
#endif
+ NAMEBUG(TLS_BLOCK_PADDING_BUG),
-#if defined(SSL_OP_TLS_ROLLBACK_BUG)
- NAMEBUG(TLS_ROLLBACK_BUG), /* 0x00000400L */
+#ifndef SSL_OP_TLS_ROLLBACK_BUG
+#define SSL_OP_TLS_ROLLBACK_BUG 0
#endif
+ NAMEBUG(TLS_ROLLBACK_BUG),
-#if defined(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
- NAMEBUG(DONT_INSERT_EMPTY_FRAGMENTS), /* 0x00000800L */
+#ifndef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
+#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0
#endif
+ NAMEBUG(DONT_INSERT_EMPTY_FRAGMENTS),
-#if defined(SSL_OP_CRYPTOPRO_TLSEXT_BUG)
- NAMEBUG(CRYPTOPRO_TLSEXT_BUG), /* 0x80000000L */
+#ifndef SSL_OP_CRYPTOPRO_TLSEXT_BUG
+#define SSL_OP_CRYPTOPRO_TLSEXT_BUG 0
#endif
+ NAMEBUG(CRYPTOPRO_TLSEXT_BUG),
0, 0,
};
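Review bot: The fallback `#define SSL_OP_… 0` lines sit inside the `ssl_bug_tweaks[]` initializer and stay defined for the rest of tls_misc.c, so any later `#ifdef SSL_OP_…` test on one of these names can no longer tell whether OpenSSL provides the bit. A name whose mask is 0 is also accepted silently, so an administrator listing it in tls_disable_workarounds (including the "CVE-2010-4180" and "CVE-2005-2969" aliases) gets no hint that the entry does nothing on this build. I would hoist the fallback defines above the table and add a comment such as `/* A mask of 0 means this OpenSSL build has no such workaround; the name is still accepted so existing settings keep parsing. */`. The per-entry hex values that the old comments carried are also lost, although they helped when reading numeric settings allowed by NAME_MASK_NUMBER.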
@@ -869,7 +882,8 @@ long tls_bug_bits(void)
{
long bits = SSL_OP_ALL; /* Work around all known bugs */
-#if OPENSSL_VERSION_NUMBER >= 0x00908000L
+#if OPENSSL_VERSION_NUMBER >= 0x00908000L && \
+ OPENSSL_VERSION_NUMBER < 0x10000000L
long lib_version = SSLeay();
/*
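Review bot: The new upper bound `OPENSSL_VERSION_NUMBER < 0x10000000L` is a bare constant with no explanation of why builds against 1.0.0 and later skip the block. The guard is evaluated against the headers at compile time, while the guarded code reads the run-time library version through `SSLeay()`, so the comment that follows should state which releases the check targets and why newer headers make it unnecessary. The body of tls_bug_bits() continues outside this hunk.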
@@ -895,6 +909,10 @@ long tls_bug_bits(void)
bits &= ~long_name_mask_opt(VAR_TLS_BUG_TWEAKS, ssl_bug_tweaks,
var_tls_bug_tweaks, NAME_MASK_ANY_CASE |
NAME_MASK_NUMBER | NAME_MASK_WARN);
+#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
+ /* Not relevant to SMTP */
+ bits &= ~SSL_OP_SAFARI_ECDHE_ECDSA_BUG;
+#endif
}
return (bits);
}
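Review bot: The Safari bit is cleared inside what looks like a conditional block: the `}` right after the added `#endif` closes a block whose opening is outside the hunk, and the statement before it parses `var_tls_bug_tweaks`. If that block runs only when tls_disable_workarounds is non-empty, `SSL_OP_SAFARI_ECDHE_ECDSA_BUG` stays enabled through `SSL_OP_ALL` in the default configuration, which contradicts the "Not relevant to SMTP" comment. Moving the `#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG` … `#endif` group below that closing brace, directly before `return (bits);`, would make `bits &= ~SSL_OP_SAFARI_ECDHE_ECDSA_BUG;` unconditional.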
diff --git a/postfix/src/util/dict_pcre.c b/postfix/src/util/dict_pcre.c
index 060019ec5..3ae2104b9 100644
--- a/postfix/src/util/dict_pcre.c
+++ b/postfix/src/util/dict_pcre.c
@@ -61,6 +61,15 @@
#include "pcre.h"
#include "warn_stat.h"
+ /*
+ * Backwards compatibility.
+ */
+#ifdef PCRE_STUDY_JIT_COMPILE
+#define DICT_PCRE_FREE_STUDY(x) pcre_free_study(x)
+#else
+#define DICT_PCRE_FREE_STUDY(x) pcre_free((char *) (x))
+#endif
+
/*
* Support for IF/ENDIF based on an idea by Bert Driehuis.
*/
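Review bot: The "Backwards compatibility." comment does not say what `DICT_PCRE_FREE_STUDY` is compatible with, or why `PCRE_STUDY_JIT_COMPILE` is the feature test for a function with a different name. I would expand it to something like `/* pcre_study() results must be released with pcre_free_study() where the library provides it; PCRE_STUDY_JIT_COMPILE is used to detect such libraries. Older libraries use pcre_free(). */`. The `(char *)` cast in the fallback looks like a leftover from the `myfree()` calls it replaces and could be dropped, assuming `pcre_free` takes a `void *` as declared in pcre.h.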
@@ -389,7 +398,7 @@ static void dict_pcre_close(DICT *dict)
if (match_rule->pattern)
myfree((char *) match_rule->pattern);
if (match_rule->hints)
- myfree((char *) match_rule->hints);
+ DICT_PCRE_FREE_STUDY(match_rule->hints);
if (match_rule->replacement)
myfree((char *) match_rule->replacement);
break;
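Review bot: After this change the study data goes through `DICT_PCRE_FREE_STUDY(match_rule->hints)` while the compiled pattern two lines above is still released with `myfree((char *) match_rule->pattern)`. The same split appears in the DICT_PCRE_OP_IF branch and in the error path of dict_pcre_parse_rule() in the next two hunks. That is only consistent if the file points PCRE's allocator hooks at Postfix's own allocator somewhere outside these hunks; if it does not, the pattern is freed by an allocator that did not create it. A comment at the first site, for example `/* pattern: allocated via the pcre_malloc hook, see dict_pcre_open(); hints: owned by the PCRE study API */`, would make the ownership rule explicit, with the function name adjusted to wherever the hooks are actually set. dict_pcre_close() starts and ends outside the hunk.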
@@ -398,7 +407,7 @@ static void dict_pcre_close(DICT *dict)
if (if_rule->pattern)
myfree((char *) if_rule->pattern);
if (if_rule->hints)
- myfree((char *) if_rule->hints);
+ DICT_PCRE_FREE_STUDY(if_rule->hints);
break;
case DICT_PCRE_OP_ENDIF:
break;
@@ -679,7 +688,7 @@ static DICT_PCRE_RULE *dict_pcre_parse_rule(const char *mapname, int lineno,
if (engine.pattern)
myfree((char *) engine.pattern);
if (engine.hints)
- myfree((char *) engine.hints);
+ DICT_PCRE_FREE_STUDY(engine.hints);
CREATE_MATCHOP_ERROR_RETURN(0);
}
#endif