From: Wietse Venema Date: Tue, 1 Jun 2010 05:00:00 +0000 (-0500) Subject: postfix-2.7.1-RC1 X-Git-Tag: v2.7.1-RC1^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5d67f85be89da164025a07c80531dea6781b5f2e;p=thirdparty%2Fpostfix.git postfix-2.7.1-RC1 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index c703d0d1b..52f4c24d3 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -15729,3 +15729,42 @@ Apologies for any names omitted. The tcp_table(5) interface is now part of the stable release. The last protocol change was in Postfix 2.1. File: util/dict_open.c. + +20100515 + + Bugfix (introduced Postfix 2.6): the Postfix SMTP client + XFORWARD implementation did not skip "unknown" SMTP client + attributes, causing a syntax error when sending a PORT + attribute. Reported by Victor Duchovni. File: smtp/smtp_proto.c. + +20100526 + + Cleanup: a unit-test driver (for stand-alone tests) was not + updated after an internal API change. Vesa-Matti J Kari + File: milter/milter.c. + +20100529 + + Portability: OpenSSL 1.0.0 changes the priority of anonymous + cyphers. Victor Duchovni. Files: postconf.proto, + global/mail_params.h, tls/tls_certkey.c, tls/tls_client.c, + tls/tls_dh.c, tls/tls_server.c. + + Portability: Mac OS 10.6.3 requires + instead of . Files: makedefs, + util/sys_defs.h, dns/dns.h. + +20100531 + + Robustness: skip LDAP queries with non-ASCII search strings. + The LDAP library requires well-formed UTF-8. Victor Duchovni. + File: global/dict_ldap.c. + +20100601 + + Safety: Postfix processes log a warning when a matchlist + has a #comment at the end of a line (for example mynetworks + or relay_domains). File: util/match_list.c. + + Portability: Berkeley DB 5.x has the same API as Berkeley + DB 4.1 and later. File: util/dict_db.c. diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 23bf1f2a6..eed69738a 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html 
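Review bot: the 20100529 entry "Portability: OpenSSL 1.0.0 changes the priority of anonymous cyphers" in the HISTORY hunk understates what the same files change. Besides the cipher ordering, tls_certkey.c and tls_dh.c raise the minimum OpenSSL for ECDSA certificates and EECDH from 0.9.9 to 1.0.0 (and postconf.proto, postconf.5 and postconf.5.html are reworded to match), and mail_params.h changes the compiled-in defaults of tls_high_cipherlist, tls_medium_cipherlist, tls_low_cipherlist and tls_export_cipherlist on 1.0.0 builds, so "postconf -d" output differs between builds. Suggest two entries, one for the version requirement and one for the "aNULL:" default prefix, so an administrator who diffs "postconf -d" across the upgrade can find the cause.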
@@ -4428,7 +4428,7 @@ configuration parameter. See there for details.

parameter. See there for details.

This feature is available in Postfix 2.6 and later, when Postfix is -compiled and linked with OpenSSL 0.9.9 or later.

+compiled and linked with OpenSSL 1.0.0 or later.

@@ -4440,7 +4440,7 @@ compiled and linked with OpenSSL 0.9.9 or later.

parameter. See there for details.

This feature is available in Postfix 2.6 and later, when Postfix is -compiled and linked with OpenSSL 0.9.9 or later.

+compiled and linked with OpenSSL 1.0.0 or later.

@@ -9357,7 +9357,7 @@ This file may also contain the Postfix SMTP client ECDSA private key.

This feature is available in Postfix 2.6 and later, when Postfix is -compiled and linked with OpenSSL 0.9.9 or later.

+compiled and linked with OpenSSL 1.0.0 or later.

@@ -9375,7 +9375,7 @@ access to the system superuser account ("root"), and no access to anyone else.

This feature is available in Postfix 2.6 and later, when Postfix is -compiled and linked with OpenSSL 0.9.9 or later.

+compiled and linked with OpenSSL 1.0.0 or later.

@@ -12936,7 +12936,7 @@ This file may also contain the Postfix SMTP server private ECDSA key.

This feature is available in Postfix 2.6 and later, when Postfix is -compiled and linked with OpenSSL 0.9.9 or later.

+compiled and linked with OpenSSL 1.0.0 or later.

@@ -12954,7 +12954,7 @@ access to the system superuser account ("root"), and no access to anyone else.

This feature is available in Postfix 2.6 and later, when Postfix is -compiled and linked with OpenSSL 0.9.9 or later.

+compiled and linked with OpenSSL 1.0.0 or later.

@@ -12988,7 +12988,7 @@ users.

This feature is available in Postfix 2.6 and later, when it is -compiled and linked with OpenSSL 0.9.9 or later.

+compiled and linked with OpenSSL 1.0.0 or later.

@@ -13776,7 +13776,7 @@ under the SECG name "secp256r1", but OpenSSL does not recognize the latter name.

This feature is available in Postfix 2.6 and later, when it is -compiled and linked with OpenSSL 0.9.9 or later.

+compiled and linked with OpenSSL 1.0.0 or later.

@@ -13799,7 +13799,7 @@ of RFC 4492. You should not gen classified as TOP SECRET.

This feature is available in Postfix 2.6 and later, when it is -compiled and linked with OpenSSL 0.9.9 or later.

+compiled and linked with OpenSSL 1.0.0 or later.

@@ -13812,7 +13812,11 @@ defines the meaning of the "export" setting in smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is the cipherlist for the opportunistic ("may") TLS client security level and is the default cipherlist for the SMTP server. You are -strongly encouraged to not change this setting.

+strongly encouraged to not change this setting. With OpenSSL 1.0.0 and +later the cipherlist may start with an "aNULL:" prefix, which restores +the 0.9.8-compatible ordering of the aNULL ciphers to the top of the +list when they are enabled. This prefix is not needed with previous +OpenSSL releases.

This feature is available in Postfix 2.3 and later.
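Review bot: "the cipherlist may start with an "aNULL:" prefix" reads as optional advice, while on OpenSSL 1.0.0 builds the compiled-in default does start with it (DEF_TLS_EXPORT_CLIST becomes PREFER_aNULL "ALL:+RC4:@STRENGTH" in the mail_params.h hunk), and an administrator who overrides the parameter must add the prefix themselves to keep anonymous ciphers first. Suggest saying that directly, and saying why the ordering matters for this list: it is the cipherlist for the opportunistic "may" client level, where the server certificate is not verified, so preferring the aNULL ciphers restores the 0.9.8 order without changing what is actually authenticated. The same paragraph is repeated for tls_high_cipherlist, tls_low_cipherlist and tls_medium_cipherlist below and in the postconf.5 and postconf.proto hunks, so one reworded version should be applied to all of them.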

@@ -13825,7 +13829,11 @@ strongly encouraged to not change this setting.

The OpenSSL cipherlist for "HIGH" grade ciphers. This defines the meaning of the "high" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are -strongly encouraged to not change this setting.

+strongly encouraged to not change this setting. With OpenSSL 1.0.0 and +later the cipherlist may start with an "aNULL:" prefix, which restores +the 0.9.8-compatible ordering of the aNULL ciphers to the top of the +list when they are enabled. This prefix is not needed with previous +OpenSSL releases.

This feature is available in Postfix 2.3 and later.

@@ -13838,7 +13846,11 @@ strongly encouraged to not change this setting.

The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines the meaning of the "low" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are -strongly encouraged to not change this setting.

+strongly encouraged to not change this setting. With OpenSSL 1.0.0 and +later the cipherlist may start with an "aNULL:" prefix, which restores +the 0.9.8-compatible ordering of the aNULL ciphers to the top of the +list when they are enabled. This prefix is not needed with previous +OpenSSL releases.

This feature is available in Postfix 2.3 and later.

@@ -13854,7 +13866,10 @@ defines the meaning of the "medium" setting in

This feature is available in Postfix 2.3 and later.

diff --git a/postfix/makedefs b/postfix/makedefs index b2158197b..b4473c9b8 100644 --- a/postfix/makedefs +++ b/postfix/makedefs @@ -421,6 +421,11 @@ ReliantUNIX-?.5.43) SYSTYPE=ReliantUnix543 [1-6].*) CCARGS="$CCARGS -DNO_IPV6";; *) CCARGS="$CCARGS -DBIND_8_COMPAT -DNO_NETINFO";; esac + # Darwin 10.3.0 no longer has . + case $RELEASE in + ?.*) CCARGS="$CCARGS -DRESOLVE_H_NEEDS_NAMESER8_COMPAT_H";; + *) CCARGS="$CCARGS -DRESOLVE_H_NEEDS_NAMESER_COMPAT_H";; + esac # kqueue and/or poll are broken up to and including MacOS X 10.5 CCARGS="$CCARGS -DNO_KQUEUE" # # Darwin 8.11.1 has kqueue support, but let's play safe diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index c51b73a93..ce268625e 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -2414,13 +2414,13 @@ The LMTP-specific version of the smtp_tls_eccert_file configuration parameter. See there for details. .PP This feature is available in Postfix 2.6 and later, when Postfix is -compiled and linked with OpenSSL 0.9.9 or later. +compiled and linked with OpenSSL 1.0.0 or later. .SH lmtp_tls_eckey_file (default: empty) The LMTP-specific version of the smtp_tls_eckey_file configuration parameter. See there for details. .PP This feature is available in Postfix 2.6 and later, when Postfix is -compiled and linked with OpenSSL 0.9.9 or later. +compiled and linked with OpenSSL 1.0.0 or later. .SH lmtp_tls_enforce_peername (default: yes) The LMTP-specific version of the smtp_tls_enforce_peername configuration parameter. See there for details. @@ -5423,7 +5423,7 @@ smtp_tls_eccert_file = /etc/postfix/ecdsa-ccert.pem .ft R .PP This feature is available in Postfix 2.6 and later, when Postfix is -compiled and linked with OpenSSL 0.9.9 or later. +compiled and linked with OpenSSL 1.0.0 or later. .SH smtp_tls_eckey_file (default: $smtp_tls_eccert_file) File with the Postfix SMTP client ECDSA private key in PEM format. This file may be combined with the Postfix SMTP client ECDSA 
@@ -5435,7 +5435,7 @@ access to the system superuser account ("root"), and no access to anyone else. .PP This feature is available in Postfix 2.6 and later, when Postfix is -compiled and linked with OpenSSL 0.9.9 or later. +compiled and linked with OpenSSL 1.0.0 or later. .SH smtp_tls_enforce_peername (default: yes) With mandatory TLS encryption, require that the remote SMTP server hostname matches the information in the remote SMTP server @@ -8129,7 +8129,7 @@ smtpd_tls_eccert_file = /etc/postfix/ecdsa-scert.pem .ft R .PP This feature is available in Postfix 2.6 and later, when Postfix is -compiled and linked with OpenSSL 0.9.9 or later. +compiled and linked with OpenSSL 1.0.0 or later. .SH smtpd_tls_eckey_file (default: $smtpd_tls_eccert_file) File with the Postfix SMTP server ECDSA private key in PEM format. This file may be combined with the Postfix SMTP server ECDSA certificate @@ -8141,7 +8141,7 @@ access to the system superuser account ("root"), and no access to anyone else. .PP This feature is available in Postfix 2.6 and later, when Postfix is -compiled and linked with OpenSSL 0.9.9 or later. +compiled and linked with OpenSSL 1.0.0 or later. .SH smtpd_tls_eecdh_grade (default: see "postconf -d" output) The Postfix SMTP server security grade for ephemeral elliptic-curve Diffie-Hellman (EECDH) key exchange. @@ -8165,7 +8165,7 @@ elliptic curve crypto-systems, the "strong" curve is sufficient for most users. .PP This feature is available in Postfix 2.6 and later, when it is -compiled and linked with OpenSSL 0.9.9 or later. +compiled and linked with OpenSSL 1.0.0 or later. .SH smtpd_tls_exclude_ciphers (default: empty) List of ciphers or cipher types to exclude from the SMTP server cipher list at all TLS security levels. Excluding valid ciphers 
@@ -8740,7 +8740,7 @@ under the SECG name "secp256r1", but OpenSSL does not recognize the latter name. .PP This feature is available in Postfix 2.6 and later, when it is -compiled and linked with OpenSSL 0.9.9 or later. +compiled and linked with OpenSSL 1.0.0 or later. .SH tls_eecdh_ultra_curve (default: secp384r1) The elliptic curve used by the SMTP server for maximally strong ephemeral ECDH key exchange. This curve is used by the Postfix SMTP 
@@ -8757,28 +8757,40 @@ This default "ultra" curve is specified in NSA "Suite B" Cryptography classified as TOP SECRET. .PP This feature is available in Postfix 2.6 and later, when it is -compiled and linked with OpenSSL 0.9.9 or later. +compiled and linked with OpenSSL 1.0.0 or later. .SH tls_export_cipherlist (default: ALL:+RC4:@STRENGTH) The OpenSSL cipherlist for "EXPORT" or higher grade ciphers. This defines the meaning of the "export" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is the cipherlist for the opportunistic ("may") TLS client security level and is the default cipherlist for the SMTP server. You are -strongly encouraged to not change this setting. +strongly encouraged to not change this setting. With OpenSSL 1.0.0 and +later the cipherlist may start with an "aNULL:" prefix, which restores +the 0.9.8-compatible ordering of the aNULL ciphers to the top of the +list when they are enabled. This prefix is not needed with previous +OpenSSL releases. .PP This feature is available in Postfix 2.3 and later. .SH tls_high_cipherlist (default: ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH) The OpenSSL cipherlist for "HIGH" grade ciphers. This defines the meaning of the "high" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are -strongly encouraged to not change this setting. +strongly encouraged to not change this setting. With OpenSSL 1.0.0 and +later the cipherlist may start with an "aNULL:" prefix, which restores +the 0.9.8-compatible ordering of the aNULL ciphers to the top of the +list when they are enabled. This prefix is not needed with previous +OpenSSL releases. .PP This feature is available in Postfix 2.3 and later. .SH tls_low_cipherlist (default: ALL:!EXPORT:+RC4:@STRENGTH) The OpenSSL cipherlist for "LOW" or higher grade ciphers. 
This defines the meaning of the "low" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are -strongly encouraged to not change this setting. +strongly encouraged to not change this setting. With OpenSSL 1.0.0 and +later the cipherlist may start with an "aNULL:" prefix, which restores +the 0.9.8-compatible ordering of the aNULL ciphers to the top of the +list when they are enabled. This prefix is not needed with previous +OpenSSL releases. .PP This feature is available in Postfix 2.3 and later. .SH tls_medium_cipherlist (default: ALL:!EXPORT:!LOW:+RC4:@STRENGTH) @@ -8788,7 +8800,10 @@ smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is the default cipherlist for mandatory TLS encryption in the TLS client (with anonymous ciphers disabled when verifying server certificates). You are strongly encouraged to not change this -setting. +setting. With OpenSSL 1.0.0 and later the cipherlist may start with an +"aNULL:" prefix, which restores the 0.9.8-compatible ordering of the +aNULL ciphers to the top of the list when they are enabled. This prefix +is not needed with previous OpenSSL releases. .PP This feature is available in Postfix 2.3 and later. .SH tls_null_cipherlist (default: eNULL:!aNULL) diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 1c2c5ea8a..e4f6e8f2d 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -10992,7 +10992,11 @@ attribute. See smtp_tls_policy_maps for notes and examples.

The OpenSSL cipherlist for "HIGH" grade ciphers. This defines the meaning of the "high" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are -strongly encouraged to not change this setting.

+strongly encouraged to not change this setting. With OpenSSL 1.0.0 and +later the cipherlist may start with an "aNULL:" prefix, which restores +the 0.9.8-compatible ordering of the aNULL ciphers to the top of the +list when they are enabled. This prefix is not needed with previous +OpenSSL releases.

This feature is available in Postfix 2.3 and later.

@@ -11004,7 +11008,10 @@ smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is the default cipherlist for mandatory TLS encryption in the TLS client (with anonymous ciphers disabled when verifying server certificates). You are strongly encouraged to not change this -setting.

+setting. With OpenSSL 1.0.0 and later the cipherlist may start with an +"aNULL:" prefix, which restores the 0.9.8-compatible ordering of the +aNULL ciphers to the top of the list when they are enabled. This prefix +is not needed with previous OpenSSL releases.

This feature is available in Postfix 2.3 and later.

@@ -11013,7 +11020,11 @@ setting.

The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines the meaning of the "low" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are -strongly encouraged to not change this setting.

+strongly encouraged to not change this setting. With OpenSSL 1.0.0 and +later the cipherlist may start with an "aNULL:" prefix, which restores +the 0.9.8-compatible ordering of the aNULL ciphers to the top of the +list when they are enabled. This prefix is not needed with previous +OpenSSL releases.

This feature is available in Postfix 2.3 and later.

@@ -11024,7 +11035,11 @@ defines the meaning of the "export" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is the cipherlist for the opportunistic ("may") TLS client security level and is the default cipherlist for the SMTP server. You are -strongly encouraged to not change this setting.

+strongly encouraged to not change this setting. With OpenSSL 1.0.0 and +later the cipherlist may start with an "aNULL:" prefix, which restores +the 0.9.8-compatible ordering of the aNULL ciphers to the top of the +list when they are enabled. This prefix is not needed with previous +OpenSSL releases.

This feature is available in Postfix 2.3 and later.
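Review bot: the "(default: ...)" values that postconf.proto generates for these four parameters, visible in the man page hunk as ".SH tls_high_cipherlist (default: ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)" and the corresponding medium, low and export lines, no longer match the compiled-in default on OpenSSL 1.0.0 builds, which is the same string with the "aNULL:" prefix from mail_params.h. Either change the %PARAM default to see "postconf -d" output, as smtpd_tls_eecdh_grade already does in the same man page, or list both strings with the OpenSSL version that selects each; otherwise the first place an administrator looks shows the wrong default.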

@@ -11550,7 +11565,7 @@ under the SECG name "secp256r1", but OpenSSL does not recognize the latter name.

This feature is available in Postfix 2.6 and later, when it is -compiled and linked with OpenSSL 0.9.9 or later.

+compiled and linked with OpenSSL 1.0.0 or later.

%PARAM tls_eecdh_ultra_curve secp384r1 @@ -11569,7 +11584,7 @@ of RFC 4492. You should not generally change this setting.

classified as TOP SECRET.

This feature is available in Postfix 2.6 and later, when it is -compiled and linked with OpenSSL 0.9.9 or later.

+compiled and linked with OpenSSL 1.0.0 or later.

%PARAM smtpd_tls_eecdh_grade see "postconf -d" output @@ -11599,7 +11614,7 @@ users.

This feature is available in Postfix 2.6 and later, when it is -compiled and linked with OpenSSL 0.9.9 or later.

+compiled and linked with OpenSSL 1.0.0 or later.

%PARAM smtpd_tls_eccert_file @@ -11615,7 +11630,7 @@ smtpd_tls_eccert_file = /etc/postfix/ecdsa-scert.pem

This feature is available in Postfix 2.6 and later, when Postfix is -compiled and linked with OpenSSL 0.9.9 or later.

+compiled and linked with OpenSSL 1.0.0 or later.

%PARAM smtpd_tls_eckey_file $smtpd_tls_eccert_file @@ -11629,7 +11644,7 @@ access to the system superuser account ("root"), and no access to anyone else.

This feature is available in Postfix 2.6 and later, when Postfix is -compiled and linked with OpenSSL 0.9.9 or later.

+compiled and linked with OpenSSL 1.0.0 or later.

%PARAM smtp_tls_eccert_file @@ -11646,7 +11661,7 @@ smtp_tls_eccert_file = /etc/postfix/ecdsa-ccert.pem

This feature is available in Postfix 2.6 and later, when Postfix is -compiled and linked with OpenSSL 0.9.9 or later.

+compiled and linked with OpenSSL 1.0.0 or later.

%PARAM smtp_tls_eckey_file $smtp_tls_eccert_file @@ -11660,7 +11675,7 @@ access to the system superuser account ("root"), and no access to anyone else.

This feature is available in Postfix 2.6 and later, when Postfix is -compiled and linked with OpenSSL 0.9.9 or later.

+compiled and linked with OpenSSL 1.0.0 or later.

%PARAM lmtp_tls_eccert_file @@ -11668,7 +11683,7 @@ compiled and linked with OpenSSL 0.9.9 or later.

parameter. See there for details.

This feature is available in Postfix 2.6 and later, when Postfix is -compiled and linked with OpenSSL 0.9.9 or later.

+compiled and linked with OpenSSL 1.0.0 or later.

%PARAM lmtp_tls_eckey_file @@ -11676,7 +11691,7 @@ compiled and linked with OpenSSL 0.9.9 or later.

parameter. See there for details.

This feature is available in Postfix 2.6 and later, when Postfix is -compiled and linked with OpenSSL 0.9.9 or later.

+compiled and linked with OpenSSL 1.0.0 or later.

%PARAM smtp_header_checks diff --git a/postfix/src/dns/dns.h b/postfix/src/dns/dns.h index e95fa67c0..63dc6cb7e 100644 --- a/postfix/src/dns/dns.h +++ b/postfix/src/dns/dns.h @@ -22,6 +22,9 @@ #ifdef RESOLVE_H_NEEDS_NAMESER8_COMPAT_H #include #endif +#ifdef RESOLVE_H_NEEDS_NAMESER_COMPAT_H +#include +#endif #include /* diff --git a/postfix/src/global/dict_ldap.c b/postfix/src/global/dict_ldap.c index 935f194ab..db91011f0 100644 --- a/postfix/src/global/dict_ldap.c +++ b/postfix/src/global/dict_ldap.c @@ -1082,12 +1082,21 @@ static const char *dict_ldap_lookup(DICT *dict, const char *name) static VSTRING *result; int rc = 0; int sizelimit; + const char *cp; dict_errno = 0; if (msg_verbose) msg_info("%s: In dict_ldap_lookup", myname); + for (cp = name; *cp; ++cp) + if (!ISASCII(*cp)) { + if (msg_verbose) + msg_info("%s: %s: Skipping lookup of non-ASCII key '%s'", + myname, dict_ldap->parser->name, name); + return (0); + } + /* * Optionally fold the key. */ @@ -1105,7 +1114,8 @@ static const char *dict_ldap_lookup(DICT *dict, const char *name) */ if (db_common_check_domain(dict_ldap->ctx, name) == 0) { if (msg_verbose) - msg_info("%s: Skipping lookup of '%s'", myname, name); + msg_info("%s: %s: Skipping lookup of key '%s': domain mismatch", + myname, dict_ldap->parser->name, name); return (0); } #define INIT_VSTR(buf, len) do { \ diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index 6952706dc..fb94364e3 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h 
@@ -2919,20 +2919,31 @@ extern bool var_smtp_cname_overr; /* * TLS cipherlists */ +#ifdef USE_TLS +#include +#if OPENSSL_VERSION_NUMBER >= 0x1000000fL +#define PREFER_aNULL "aNULL:" +#else +#define PREFER_aNULL "" +#endif +#else +#define PREFER_aNULL "" +#endif + #define VAR_TLS_HIGH_CLIST "tls_high_cipherlist" -#define DEF_TLS_HIGH_CLIST "ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH" +#define DEF_TLS_HIGH_CLIST PREFER_aNULL "ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH" extern char *var_tls_high_clist; #define VAR_TLS_MEDIUM_CLIST "tls_medium_cipherlist" -#define DEF_TLS_MEDIUM_CLIST "ALL:!EXPORT:!LOW:+RC4:@STRENGTH" +#define DEF_TLS_MEDIUM_CLIST PREFER_aNULL "ALL:!EXPORT:!LOW:+RC4:@STRENGTH" extern char *var_tls_medium_clist; #define VAR_TLS_LOW_CLIST "tls_low_cipherlist" -#define DEF_TLS_LOW_CLIST "ALL:!EXPORT:+RC4:@STRENGTH" +#define DEF_TLS_LOW_CLIST PREFER_aNULL "ALL:!EXPORT:+RC4:@STRENGTH" extern char *var_tls_low_clist; #define VAR_TLS_EXPORT_CLIST "tls_export_cipherlist" -#define DEF_TLS_EXPORT_CLIST "ALL:+RC4:@STRENGTH" +#define DEF_TLS_EXPORT_CLIST PREFER_aNULL "ALL:+RC4:@STRENGTH" extern char *var_tls_export_clist; #define VAR_TLS_NULL_CLIST "tls_null_cipherlist" diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 5f8b6c4d9..883b88eb8 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20100213" -#define MAIL_VERSION_NUMBER "2.7.0" +#define MAIL_RELEASE_DATE "20100601" +#define MAIL_VERSION_NUMBER "2.7.1-RC1" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff --git a/postfix/src/milter/milter.c b/postfix/src/milter/milter.c index 5ec673248..ee38b0f23 100644 --- a/postfix/src/milter/milter.c +++ b/postfix/src/milter/milter.c 
@@ -901,7 +901,7 @@ int main(int argc, char **argv) msg_warn("no milters"); continue; } - resp = milter_rcpt_event(milters, (const char **) args); + resp = milter_rcpt_event(milters, 0, (const char **) args); } else if (strcmp(cmd, "unknown") == 0 && argv->argc > 0) { if (milters == 0) { msg_warn("no milters"); diff --git a/postfix/src/smtp/smtp_proto.c b/postfix/src/smtp/smtp_proto.c index e9586c844..20e020492 100644 --- a/postfix/src/smtp/smtp_proto.c +++ b/postfix/src/smtp/smtp_proto.c 
@@ -1204,21 +1204,39 @@ static int smtp_loop(SMTP_STATE *state, NOCLOBBER int send_state, * Build the XFORWARD command. With properly sanitized * information, the command length stays within the 512 byte * command line length limit. + * + * XXX smtpd_xforward_preset() initializes some fields as "unknown" + * and some as null; historically, pickup(8) does not send any of + * these, and the queue manager presets absent fields to "not + * available" except for the rewrite context which is preset to + * local by way of migration aid. These definitions need to be + * centralized for maintainability. */ +#ifndef CAN_FORWARD_CLIENT_NAME +#define _ATTR_AVAIL_AND_KNOWN_(val) \ + (DEL_REQ_ATTR_AVAIL(val) && strcasecmp((val), "unknown")) +#define CAN_FORWARD_CLIENT_NAME _ATTR_AVAIL_AND_KNOWN_ +#define CAN_FORWARD_CLIENT_ADDR _ATTR_AVAIL_AND_KNOWN_ +#define CAN_FORWARD_CLIENT_PORT _ATTR_AVAIL_AND_KNOWN_ +#define CAN_FORWARD_PROTO_NAME _ATTR_AVAIL_AND_KNOWN_ +#define CAN_FORWARD_HELO_NAME DEL_REQ_ATTR_AVAIL +#define CAN_FORWARD_RWR_CONTEXT DEL_REQ_ATTR_AVAIL +#endif + case SMTP_STATE_XFORWARD_NAME_ADDR: vstring_strcpy(next_command, XFORWARD_CMD); if ((session->features & SMTP_FEATURE_XFORWARD_NAME) - && DEL_REQ_ATTR_AVAIL(request->client_name)) { + && CAN_FORWARD_CLIENT_NAME(request->client_name)) { vstring_strcat(next_command, " " XFORWARD_NAME "="); xtext_quote_append(next_command, request->client_name, ""); } if ((session->features & SMTP_FEATURE_XFORWARD_ADDR) - && DEL_REQ_ATTR_AVAIL(request->client_addr)) { + && CAN_FORWARD_CLIENT_ADDR(request->client_addr)) { vstring_strcat(next_command, " " XFORWARD_ADDR "="); xtext_quote_append(next_command, request->client_addr, ""); } if ((session->features & SMTP_FEATURE_XFORWARD_PORT) - && DEL_REQ_ATTR_AVAIL(request->client_port)) { + && CAN_FORWARD_CLIENT_PORT(request->client_port)) { vstring_strcat(next_command, " " XFORWARD_PORT "="); xtext_quote_append(next_command, request->client_port, ""); } 
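Review bot: _ATTR_AVAIL_AND_KNOWN_ hard-codes the "unknown" string that smtpd_xforward_preset() uses, which the XXX comment above it already names as the maintenance risk; since the fix only works while both sides agree on that literal, define it once (reuse the existing constant for the "unknown" client attribute value if the protocol headers already have one, otherwise add one) and use it in both places. Defining the CAN_FORWARD_* macros inside smtp_loop() under #ifndef CAN_FORWARD_CLIENT_NAME is also unusual; they are used again in smtp_xfer() below, so they belong at file scope next to the other XFORWARD helpers. Note that the behaviour change is wider than the PORT case in the HISTORY entry: NAME, ADDR and PROTO values of "unknown" are no longer sent either, so the downstream server keeps its own "unknown" preset instead of receiving an explicit one. That is harmless, but the HISTORY entry should say so.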
@@ -1231,17 +1249,17 @@ static int smtp_loop(SMTP_STATE *state, NOCLOBBER int send_state, case SMTP_STATE_XFORWARD_PROTO_HELO: vstring_strcpy(next_command, XFORWARD_CMD); if ((session->features & SMTP_FEATURE_XFORWARD_PROTO) - && DEL_REQ_ATTR_AVAIL(request->client_proto)) { + && CAN_FORWARD_PROTO_NAME(request->client_proto)) { vstring_strcat(next_command, " " XFORWARD_PROTO "="); xtext_quote_append(next_command, request->client_proto, ""); } if ((session->features & SMTP_FEATURE_XFORWARD_HELO) - && DEL_REQ_ATTR_AVAIL(request->client_helo)) { + && CAN_FORWARD_HELO_NAME(request->client_helo)) { vstring_strcat(next_command, " " XFORWARD_HELO "="); xtext_quote_append(next_command, request->client_helo, ""); } if ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN) - && DEL_REQ_ATTR_AVAIL(request->rewrite_context)) { + && CAN_FORWARD_RWR_CONTEXT(request->rewrite_context)) { vstring_strcat(next_command, " " XFORWARD_DOMAIN "="); xtext_quote_append(next_command, strcmp(request->rewrite_context, MAIL_ATTR_RWR_LOCAL) ? 
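Review bot: CAN_FORWARD_HELO_NAME and CAN_FORWARD_RWR_CONTEXT stay at DEL_REQ_ATTR_AVAIL while the NAME, ADDR, PORT and PROTO checks also reject "unknown", but nothing in this hunk or at the macro definitions says why. Presumably a HELO argument of "unknown" is real data from the upstream client and must be forwarded as-is, and the rewrite context is a Postfix-internal value that is preset to local rather than "unknown"; a one-line comment at the macro definitions stating that would stop a later cleanup from "fixing" the asymmetry.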
@@ -1979,19 +1997,19 @@ int smtp_xfer(SMTP_STATE *state) send_name_addr = var_smtp_send_xforward && (((session->features & SMTP_FEATURE_XFORWARD_NAME) - && DEL_REQ_ATTR_AVAIL(request->client_name)) + && CAN_FORWARD_CLIENT_NAME(request->client_name)) || ((session->features & SMTP_FEATURE_XFORWARD_ADDR) - && DEL_REQ_ATTR_AVAIL(request->client_addr)) + && CAN_FORWARD_CLIENT_ADDR(request->client_addr)) || ((session->features & SMTP_FEATURE_XFORWARD_PORT) - && DEL_REQ_ATTR_AVAIL(request->client_port))); + && CAN_FORWARD_CLIENT_PORT(request->client_port))); session->send_proto_helo = var_smtp_send_xforward && (((session->features & SMTP_FEATURE_XFORWARD_PROTO) - && DEL_REQ_ATTR_AVAIL(request->client_proto)) + && CAN_FORWARD_PROTO_NAME(request->client_proto)) || ((session->features & SMTP_FEATURE_XFORWARD_HELO) - && DEL_REQ_ATTR_AVAIL(request->client_helo)) + && CAN_FORWARD_HELO_NAME(request->client_helo)) || ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN) - && DEL_REQ_ATTR_AVAIL(request->rewrite_context))); + && CAN_FORWARD_RWR_CONTEXT(request->rewrite_context))); if (send_name_addr) recv_state = send_state = SMTP_STATE_XFORWARD_NAME_ADDR; else if (session->send_proto_helo) diff --git a/postfix/src/tls/tls_certkey.c b/postfix/src/tls/tls_certkey.c index caf9af44a..913b67e23 100644 --- a/postfix/src/tls/tls_certkey.c +++ b/postfix/src/tls/tls_certkey.c @@ -158,7 +158,7 @@ int tls_set_my_certificate_key_info(SSL_CTX *ctx, return (-1); /* logged */ if (*dcert_file && !set_cert_stuff(ctx, "DSA", dcert_file, dkey_file)) return (-1); /* logged */ -#if OPENSSL_VERSION_NUMBER >= 0x00909000 && !defined(OPENSSL_NO_ECDH) +#if OPENSSL_VERSION_NUMBER >= 0x1000000fL && !defined(OPENSSL_NO_ECDH) if (*eccert_file && !set_cert_stuff(ctx, "ECDSA", eccert_file, eckey_file)) return (-1); /* logged */ #else diff --git a/postfix/src/tls/tls_client.c b/postfix/src/tls/tls_client.c index 455561e12..7fd32d478 100644 --- a/postfix/src/tls/tls_client.c +++ b/postfix/src/tls/tls_client.c 
@@ -725,7 +725,7 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props) int protomask; const char *cipher_list; SSL_SESSION *session; - SSL_CIPHER *cipher; + const SSL_CIPHER *cipher; X509 *peercert; TLS_SESS_STATE *TLScontext; TLS_APPL_STATE *app_ctx = props->ctx; diff --git a/postfix/src/tls/tls_dh.c b/postfix/src/tls/tls_dh.c index bc5db4f0d..da17be73a 100644 --- a/postfix/src/tls/tls_dh.c +++ b/postfix/src/tls/tls_dh.c @@ -205,7 +205,7 @@ DH *tls_tmp_dh_cb(SSL *unused_ssl, int export, int keylength) int tls_set_eecdh_curve(SSL_CTX *server_ctx, const char *grade) { -#if OPENSSL_VERSION_NUMBER >= 0x00909000 && !defined(OPENSSL_NO_ECDH) +#if OPENSSL_VERSION_NUMBER >= 0x1000000fL && !defined(OPENSSL_NO_ECDH) int nid; EC_KEY *ecdh; const char *curve; diff --git a/postfix/src/tls/tls_server.c b/postfix/src/tls/tls_server.c index 26ea2afe4..9ed6d20ed 100644 --- a/postfix/src/tls/tls_server.c +++ b/postfix/src/tls/tls_server.c @@ -554,7 +554,7 @@ TLS_SESS_STATE *tls_server_start(const TLS_SERVER_START_PROPS *props) { int sts; TLS_SESS_STATE *TLScontext; - SSL_CIPHER *cipher; + const SSL_CIPHER *cipher; X509 *peer; char buf[CCERT_BUFSIZ]; const char *cipher_list; diff --git a/postfix/src/util/dict_db.c b/postfix/src/util/dict_db.c index e4b301d10..9e82f9b81 100644 --- a/postfix/src/util/dict_db.c +++ b/postfix/src/util/dict_db.c @@ -675,7 +675,7 @@ static DICT *dict_db_open(const char *class, const char *path, int open_flags, msg_fatal("set DB cache size %d: %m", dict_db_cache_size); if (type == DB_HASH && db->set_h_nelem(db, DICT_DB_NELM) != 0) msg_fatal("set DB hash element count %d: %m", DICT_DB_NELM); -#if (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR > 0) +#if DB_VERSION_MAJOR == 5 || (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR > 0) if ((errno = db->open(db, 0, db_path, 0, type, db_flags, 0644)) != 0) msg_fatal("open database %s: %m", db_path); #elif (DB_VERSION_MAJOR == 3 || DB_VERSION_MAJOR == 4) 
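Review bot: in the dict_db.c hunk, `#if DB_VERSION_MAJOR == 5 || (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR > 0)` will need the same one-line patch at the next major release, and when that happens a 6.x build matches neither this branch nor the `#elif (DB_VERSION_MAJOR == 3 || DB_VERSION_MAJOR == 4)` branch and falls through to whatever the remaining #else compiles, rather than failing the build. Since the HISTORY entry states that 5.x keeps the 4.1 API, write the test as `DB_VERSION_MAJOR > 4 || (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR > 0)`, and consider an #error in the final #else for versions the code does not know.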
diff --git a/postfix/src/util/match_list.c b/postfix/src/util/match_list.c index 8bb6dc5a8..7832e95ea 100644 --- a/postfix/src/util/match_list.c +++ b/postfix/src/util/match_list.c @@ -116,6 +116,11 @@ static ARGV *match_list_parse(ARGV *list, char *string, int init_match) * prepend the negation operator to each item from the file. */ while ((start = mystrtok(&bp, delim)) != 0) { + if (*start == '#') { + msg_warn("%s: comment at end of line is not supported: %s %s", + myname, start, bp); + break; + } for (match = init_match, item = start; *item == '!'; item++) match = !match; if (*item == 0) diff --git a/postfix/src/util/sys_defs.h b/postfix/src/util/sys_defs.h index 026901cb6..cc3e29073 100644 --- a/postfix/src/util/sys_defs.h +++ b/postfix/src/util/sys_defs.h @@ -208,7 +208,6 @@ #define DEF_DB_TYPE "hash" #define ALIAS_DB_MAP "hash:/etc/aliases" #define GETTIMEOFDAY(t) gettimeofday(t,(struct timezone *) 0) -#define RESOLVE_H_NEEDS_NAMESER8_COMPAT_H #define ROOT_PATH "/bin:/usr/bin:/sbin:/usr/sbin" #define USE_STATFS #define STATFS_IN_SYS_MOUNT_H
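Review bot: in the match_list.c hunk the break after msg_warn() drops the rest of the line, so the "#comment" is in effect honoured while the message says it "is not supported"; either log what actually happens ("ignoring rest of line") or do not break and let the tokens be parsed as before, but not both. The check also fires only when "#" starts a separate token: "10.0.0.0/8#old" stays one pattern and gets whatever error the pattern parser produces, so the message should not suggest that every end-of-line comment is detected. Since the HISTORY entry files this under Safety, the postconf(5) text for mynetworks and relay_domains should state the consequence too: everything after the "#" is absent from the list at run time (with a warning in the log), which for mynetworks means hosts the administrator believed were trusted are not.

Review bot: in the dict_ldap.c hunk the scan rejects every byte with the high bit set, which is stricter than the stated requirement (the LDAP library needs well-formed UTF-8, and well-formed UTF-8 keys are rejected too); a comment should say that this is intentional because the table code does not validate UTF-8, so nobody later relaxes it to a UTF-8 check without adding validation. The lookup returns 0 with dict_errno left at 0, i.e. "no such key" rather than a lookup error, so a non-ASCII recipient simply misses virtual_alias_maps or access entries and the only trace is a msg_info under msg_verbose; consider logging the skip at msg_warn level, or at least documenting in ldap_table(5) that non-ASCII keys never match. The loop applies ISASCII() to a plain char, which relies on the macro's own unsigned-char cast; worth confirming it has one so a signed-char platform does not misclassify.

Review bot: the mail_params.h hunk includes an OpenSSL header and tests OPENSSL_VERSION_NUMBER from what is otherwise a plain parameter-definition header, so every program that includes mail_params.h now depends on the OpenSSL headers whenever USE_TLS is set, TLS-using or not. Computing PREFER_aNULL in the tls library, or in a small tls-specific header that mail_params.h includes under USE_TLS, keeps the dependency where it belongs. The choice is also made from the compile-time headers: if the run-time libssl differs in major version from the headers, the prefix is wrong for the library actually loaded, so this relies on whatever run-time versus compile-time version check the TLS code already performs, and the comment at the #if should say so.

Review bot: the new guards in tls_certkey.c and tls_dh.c compare against 0x1000000fL, which is the 1.0.0 release number (the low nibble f is the release status), so a build against a 1.0.0 beta library (0x10000001L and so on) loses ECDSA and EECDH support although the documentation hunks say "OpenSSL 1.0.0 or later". If betas are intentionally unsupported, a comment at one of the two #ifs should say so; otherwise 0x10000000L is the boundary that corresponds to the old 0x00909000 check.

Review bot: the makedefs hunk's case pattern ?.*) matches only single-digit Darwin majors, so the switch to RESOLVE_H_NEEDS_NAMESER_COMPAT_H happens at Darwin 10.0, while the comment says the header disappeared in Darwin 10.3.0 and the HISTORY entry says Mac OS 10.6.3; if Darwin 10.0 through 10.2 still ship the nameser8 header the pattern should be "?.*|10.[0-2].*", and in any case the comment should name the release at which the boundary was verified. Moving the define out of sys_defs.h into makedefs also means a build that sets CCARGS by hand, without going through the makedefs SYSTYPE case, gets neither define and the dns.h hunk includes neither compatibility header; an #error in dns.h for Darwin with both unset would make that visible at compile time instead of at link time.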