From: Wietse Venema Date: Sat, 30 Oct 2021 05:00:00 +0000 (-0500) Subject: postfix-3.7-20211030 X-Git-Tag: v3.7.0-RC1~10 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5f6b8b9649a9ea02d4e7e72a295d448015e5dc15;p=thirdparty%2Fpostfix.git postfix-3.7-20211030 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index ff4e85686..b6c8e9eb7 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -25810,9 +25810,9 @@ Apologies for any names omitted. 20211022 - Bugfix: the known_tcp_ports setting had no effect. Reported - by Peter. It also wasn't fully implemented. Files: - config_known_tcp_ports.c, mail_params.c, + Bugfix (introduced: Postfix 3.6): the known_tcp_ports setting + had no effect. Reported by Peter. It also wasn't fully + implemented. Files: config_known_tcp_ports.c, mail_params.c, posttls-finger/posttls-finger.c, smtp/smtp_connect.c, util/find_inet.c, util/myaddrinfo.c. 
@@ -25821,8 +25821,41 @@ Apologies for any names omitted. Documentation: fixed a jq example in the postsuper manpage, to delete the quotes around a queue ID. File: postsuper/postsuper.c. - Cleanup: with "smtputf8_nable = yes" (the default), the + Cleanup: with "smtputf8_enable = yes" (the default), the postscreen(8) dummy SMTP engine will no longer log a "non-UTF-8 key" warning when a remote SMTP client sends garbage. Instead, postscreen(8) will reject the command with the same server repsonse as smtpd(8). File: postscreen/p[ostscreen_smtpd.c. + +20211025 + + Bugfix (introduced: Postfix 3.6): mangled warning where a + hostname and warning message ran together. Viktor Dukhovni. + File: tls/tls_dane.c. + +20211026 + + Feature: with "smtp_bind_address_enforce = yes" the Postfix + SMTP client will defer delivery when it is unable to apply + the smtp_bind_address or smtp_bind_address6 setting. By + default, the Postfix SMTP client continues with delivery, + after logging a warning. File: src/smtp/smtp_connect.c. + +20211027 + + Documentation: readability fix for the text about automatic + or explicit daemon restart (postfix reload) after LMDB table + change. raj. File: proto/lmdb_table. + + Safety: the postqueue command now sanitizes strings before they + are formatted as json output or legacy output. These outputs are + piped into other programs that are run by administrative + users. This closes a hypothetical opportunity for privilege + escalation. Files: util/attr.h, util/attr_scan*.c, + postqueue/showq_json.c, postqueue/showq_compat.c. + +20211030 + + Bugfix: check_ccert_access worked as expected, but produced + a spurious warning when Postfix is built without SASL + support. Fix by Brad Barden. File: smtpd/smtpd_check.c. diff --git a/postfix/html/lmdb_table.5.html b/postfix/html/lmdb_table.5.html index 41b4bc6d9..6fbc8b140 100644 --- a/postfix/html/lmdb_table.5.html +++ b/postfix/html/lmdb_table.5.html 
@@ -40,13 +40,12 @@ LMDB_TABLE(5) LMDB_TABLE(5) part, address extension or domain portion. This behavior is also found with, for example, btree:, hash:, or ldap: tables. - Unlike other flat-file Postfix databases, changes to an LMDB database - do not trigger automatic daemon program restart, and do not require - "postfix reload". + Changes to an LMDB database do not trigger an automatic daemon restart, + and do not require a daemon restart with "postfix reload". RELIABILITY LMDB's copy-on-write architecture provides safe updates, at the cost of - using more space than some other flat-file databases. Read operations + using more space than some other flat-file databases. Read operations are memory-mapped for speed. Write operations are not memory-mapped to avoid silent corruption due to stray pointer bugs. 
@@ -55,29 +54,29 @@ LMDB_TABLE(5) LMDB_TABLE(5) as a shared cache for verify(8) or postscreen(8) services. SYNCHRONIZATION - The Postfix LMDB adapter does not use LMDB's built-in locking scheme, - because that would require world-writable lockfiles and would violate - the Postfix security model. Instead, Postfix uses fcntl(2) locks with + The Postfix LMDB adapter does not use LMDB's built-in locking scheme, + because that would require world-writable lockfiles and would violate + the Postfix security model. Instead, Postfix uses fcntl(2) locks with whole-file granularity. Programs that use LMDB's built-in locking pro- tocol will corrupt a Postfix LMDB database or will read garbage. Every Postfix LMDB database read or write transaction must be protected - from start to end with a shared or exclusive fcntl(2) lock. A writer - may atomically downgrade an exclusive lock to a shared lock, but it + from start to end with a shared or exclusive fcntl(2) lock. A writer + may atomically downgrade an exclusive lock to a shared lock, but it must hold an exclusive lock while opening another write transaction. - Note that fcntl(2) locks do not protect transactions within the same - process against each other. If a program cannot avoid making simulta- - neous database requests, then it must protect its transactions with + Note that fcntl(2) locks do not protect transactions within the same + process against each other. If a program cannot avoid making simulta- + neous database requests, then it must protect its transactions with in-process locks, in addition to the per-process fcntl(2) locks. CONFIGURATION PARAMETERS - Short-lived programs automatically pick up changes to main.cf. With - long-running daemon programs, Use the command "postfix reload" after a + Short-lived programs automatically pick up changes to main.cf. With + long-running daemon programs, Use the command "postfix reload" after a configuration change. 
- lmdb_map_size (default: 16777216) - The initial LMDB database size limit in bytes. + lmdb_map_size (16777216) + The initial OpenLDAP LMDB database size limit in bytes. SEE ALSO postconf(1), Postfix supported lookup tables diff --git a/postfix/html/lmtp.8.html b/postfix/html/lmtp.8.html index 1b62ba97b..5491c4ec2 100644 --- a/postfix/html/lmtp.8.html +++ b/postfix/html/lmtp.8.html @@ -1017,6 +1017,12 @@ SMTP(8) SMTP(8) service_name (read-only) The master.cf service name of a Postfix daemon process. + Available in Postfix 3.7 and later: + + smtp_bind_address_enforce (no) + Defer delivery when the Postfix SMTP client cannot apply the + smtp_bind_address or smtp_bind_address6 setting. + SEE ALSO generic(5), output address rewriting header_checks(5), message header content inspection diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 0ebb72008..73dca5ce6 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -4442,6 +4442,17 @@ parameter. See there for details.

This feature is available in Postfix 2.3 and later.

+ + +
lmtp_bind_address_enforce +(default: empty)
+ +

The LMTP-specific version of the smtp_bind_address_enforce +configuration parameter. See there for details.

+ +

This feature is available in Postfix 3.7 and later.

+ +
lmtp_body_checks @@ -10784,6 +10795,9 @@ for example: +

See smtp_bind_address_enforce for how Postfix should handle +errors (Postfix 3.7 and later).

+

Note 1: when inet_interfaces specifies no more than one IPv4 address, and that address is a non-loopback address, it is automatically used as the smtp_bind_address. This supports virtual @@ -10819,6 +10833,9 @@ for example: +

See smtp_bind_address_enforce for how Postfix should handle +errors (Postfix 3.7 and later).

+

Note 1: when inet_interfaces specifies no more than one IPv6 address, and that address is a non-loopback address, it is automatically used as the smtp_bind_address6. This supports virtual @@ -10829,6 +10846,19 @@ IP hosting, but can be a problem on multi-homed firewalls. See the but this form is not recommended here.

+ + +
smtp_bind_address_enforce +(default: no)
+ +

Defer delivery when the Postfix SMTP client cannot apply the +smtp_bind_address or smtp_bind_address6 setting. By default, the +Postfix SMTP client will continue delivery after logging a warning. +

+ +

This feature is available in Postfix 3.7 and later.

+ +
smtp_body_checks diff --git a/postfix/html/postsuper.1.html b/postfix/html/postsuper.1.html index 1e7b97193..47b98f316 100644 --- a/postfix/html/postsuper.1.html +++ b/postfix/html/postsuper.1.html @@ -44,14 +44,14 @@ POSTSUPER(1) POSTSUPER(1) input. For example, to delete all mail with exactly one recipi- ent user@example.com: - postqueue -j | jq ' + postqueue -j | jq -r ' # See JSON OBJECT FORMAT section in the postqueue(1) manpage select(.recipients[0].address == "user@example.com") | select(.recipients[1].address == null) | .queue_id - ' | tr -d '"' | postsuper -d - + ' | postsuper -d - - Or the historical form: + (note the "jq -r" option), or the historical form: mailq | tail -n +2 | grep -v '^ *(' | awk 'BEGIN { RS = "" } # $7=sender, $8=recipient1, $9=recipient2 diff --git a/postfix/html/smtp.8.html b/postfix/html/smtp.8.html index 1b62ba97b..5491c4ec2 100644 --- a/postfix/html/smtp.8.html +++ b/postfix/html/smtp.8.html @@ -1017,6 +1017,12 @@ SMTP(8) SMTP(8) service_name (read-only) The master.cf service name of a Postfix daemon process. + Available in Postfix 3.7 and later: + + smtp_bind_address_enforce (no) + Defer delivery when the Postfix SMTP client cannot apply the + smtp_bind_address or smtp_bind_address6 setting. + SEE ALSO generic(5), output address rewriting header_checks(5), message header content inspection diff --git a/postfix/man/man1/postsuper.1 b/postfix/man/man1/postsuper.1 index 772c71c47..885330f1d 100644 --- a/postfix/man/man1/postsuper.1 +++ b/postfix/man/man1/postsuper.1 
@@ -46,15 +46,15 @@ from standard input. For example, to delete all mail with exactly one recipient \fBuser@example.com\fR: .sp .nf -postqueue \-j | jq ' +postqueue \-j | jq -r ' # See JSON OBJECT FORMAT section in the postqueue(1) manpage select(.recipients[0].address == "user@example.com") | select(.recipients[1].address == null) | .queue_id - ' | tr \-d '"' | postsuper \-d \- + ' | postsuper \-d \- .fi .sp -Or the historical form: +(note the "jq -r" option), or the historical form: .sp .nf mailq | tail \-n +2 | grep \-v '^ *(' | awk 'BEGIN { RS = "" } diff --git a/postfix/man/man5/lmdb_table.5 b/postfix/man/man5/lmdb_table.5 index b324f7674..c4c74d634 100644 --- a/postfix/man/man5/lmdb_table.5 +++ b/postfix/man/man5/lmdb_table.5 @@ -47,9 +47,9 @@ email addresses without the localpart, address extension or domain portion. This behavior is also found with, for example, btree:, hash:, or ldap: tables. -Unlike other flat\-file Postfix databases, changes to -an LMDB database do not trigger automatic daemon program -restart, and do not require "\fBpostfix reload\fR". +Changes to an LMDB database do not trigger an automatic +daemon restart, and do not require a daemon restart with +"\fBpostfix reload\fR". .SH "RELIABILITY" .na .nf @@ -96,8 +96,8 @@ to the per\-process fcntl(2) locks. Short\-lived programs automatically pick up changes to main.cf. With long\-running daemon programs, Use the command "\fBpostfix reload\fR" after a configuration change. -.IP "\fBlmdb_map_size (default: 16777216)\fR" -The initial LMDB database size limit in bytes. +.IP "\fBlmdb_map_size (16777216)\fR" +The initial OpenLDAP LMDB database size limit in bytes. .SH "SEE ALSO" .na .nf diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index d35c3840e..3c7022253 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 
@@ -2796,6 +2796,11 @@ The LMTP\-specific version of the smtp_bind_address6 configuration parameter. See there for details. .PP This feature is available in Postfix 2.3 and later. +.SH lmtp_bind_address_enforce (default: empty) +The LMTP\-specific version of the smtp_bind_address_enforce +configuration parameter. See there for details. +.PP +This feature is available in Postfix 3.7 and later. .SH lmtp_body_checks (default: empty) The LMTP\-specific version of the smtp_body_checks configuration parameter. See there for details. @@ -6787,6 +6792,9 @@ for example: .ft R .in -4 .PP +See smtp_bind_address_enforce for how Postfix should handle +errors (Postfix 3.7 and later). +.PP Note 1: when inet_interfaces specifies no more than one IPv4 address, and that address is a non\-loopback address, it is automatically used as the smtp_bind_address. This supports virtual @@ -6816,6 +6824,9 @@ for example: .ft R .in -4 .PP +See smtp_bind_address_enforce for how Postfix should handle +errors (Postfix 3.7 and later). +.PP Note 1: when inet_interfaces specifies no more than one IPv6 address, and that address is a non\-loopback address, it is automatically used as the smtp_bind_address6. This supports virtual @@ -6824,6 +6835,12 @@ inet_interfaces documentation for more detail. .PP Note 2: address information may be enclosed inside [], but this form is not recommended here. +.SH smtp_bind_address_enforce (default: no) +Defer delivery when the Postfix SMTP client cannot apply the +smtp_bind_address or smtp_bind_address6 setting. By default, the +Postfix SMTP client will continue delivery after logging a warning. +.PP +This feature is available in Postfix 3.7 and later. .SH smtp_body_checks (default: empty) Restricted \fBbody_checks\fR(5) tables for the Postfix SMTP client. These tables are searched while mail is being delivered. Actions diff --git a/postfix/man/man8/smtp.8 b/postfix/man/man8/smtp.8 index add4aec34..477972540 100644 --- a/postfix/man/man8/smtp.8 
+++ b/postfix/man/man8/smtp.8 @@ -893,6 +893,11 @@ The default TCP port that the Postfix SMTP client connects to. Available in Postfix 3.3 and later: .IP "\fBservice_name (read\-only)\fR" The master.cf service name of a Postfix daemon process. +.PP +Available in Postfix 3.7 and later: +.IP "\fBsmtp_bind_address_enforce (no)\fR" +Defer delivery when the Postfix SMTP client cannot apply the +smtp_bind_address or smtp_bind_address6 setting. .SH "SEE ALSO" .na .nf diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink index bc6854c8d..c1972d13b 100755 --- a/postfix/mantools/postlink +++ b/postfix/mantools/postlink @@ -462,6 +462,7 @@ while (<>) { s;\bsmtp_always_send_ehlo\b;$&;g; s;\bsmtp_bind_address\b;$&;g; s;\bsmtp_bind_address6\b;$&;g; + s;\bsmtp_bind_address_enforce\b;$&;g; s;\bsmtp_cname_overrides_servername\b;$&;g; s;\bsmtp_connect_timeout\b;$&;g; diff --git a/postfix/proto/lmdb_table b/postfix/proto/lmdb_table index 53a9cd903..5bbbc14d3 100644 --- a/postfix/proto/lmdb_table +++ b/postfix/proto/lmdb_table @@ -39,9 +39,9 @@ # or domain portion. This behavior is also found with, for # example, btree:, hash:, or ldap: tables. # -# Unlike other flat-file Postfix databases, changes to -# an LMDB database do not trigger automatic daemon program -# restart, and do not require "\fBpostfix reload\fR". +# Changes to an LMDB database do not trigger an automatic +# daemon restart, and do not require a daemon restart with +# "\fBpostfix reload\fR". # RELIABILITY # .ad # .fi @@ -82,8 +82,8 @@ # Short-lived programs automatically pick up changes to # main.cf. With long-running daemon programs, Use the command # "\fBpostfix reload\fR" after a configuration change. -# .IP "\fBlmdb_map_size (default: 16777216)\fR" -# The initial LMDB database size limit in bytes. +# .IP "\fBlmdb_map_size (16777216)\fR" +# The initial OpenLDAP LMDB database size limit in bytes. # SEE ALSO # postconf(1), Postfix supported lookup tables # postmap(1), Postfix lookup table maintenance 
diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index a44a51b99..19e5d16df 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -4017,6 +4017,9 @@ for example: +

See smtp_bind_address_enforce for how Postfix should handle +errors (Postfix 3.7 and later).

+

Note 1: when inet_interfaces specifies no more than one IPv4 address, and that address is a non-loopback address, it is automatically used as the smtp_bind_address. This supports virtual @@ -4048,6 +4051,9 @@ for example: +

See smtp_bind_address_enforce for how Postfix should handle +errors (Postfix 3.7 and later).

+

Note 1: when inet_interfaces specifies no more than one IPv6 address, and that address is a non-loopback address, it is automatically used as the smtp_bind_address6. This supports virtual @@ -18179,3 +18185,19 @@ feature, called smtp_per_record_deadline, is available with Postfix 2.9-3.6.

This feature is available in Postfix 3.7 and later.

+ +%PARAM smtp_bind_address_enforce no + +

Defer delivery when the Postfix SMTP client cannot apply the +smtp_bind_address or smtp_bind_address6 setting. By default, the +Postfix SMTP client will continue delivery after logging a warning. +

+ +

This feature is available in Postfix 3.7 and later.

+ +%PARAM lmtp_bind_address_enforce + +

The LMTP-specific version of the smtp_bind_address_enforce +configuration parameter. See there for details.

+ +

This feature is available in Postfix 3.7 and later.

diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index e7679e072..781953c7b 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -1166,6 +1166,12 @@ extern char *var_smtp_bind_addr; #define DEF_LMTP_BIND_ADDR6 "" extern char *var_smtp_bind_addr6; +#define VAR_SMTP_BIND_ADDR_ENFORCE "smtp_bind_address_enforce" +#define DEF_SMTP_BIND_ADDR_ENFORCE 0 +#define VAR_LMTP_BIND_ADDR_ENFORCE "lmtp_bind_address_enforce" +#define DEF_LMTP_BIND_ADDR_ENFORCE 0 +extern bool var_smtp_bind_addr_enforce; + #define VAR_SMTP_HELO_NAME "smtp_helo_name" #define DEF_SMTP_HELO_NAME "$myhostname" #define VAR_LMTP_HELO_NAME "lmtp_lhlo_name" diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 86d963bf7..5766e2cd8 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20211023" +#define MAIL_RELEASE_DATE "20211030" #define MAIL_VERSION_NUMBER "3.7" #ifdef SNAPSHOT diff --git a/postfix/src/postqueue/showq_compat.c b/postfix/src/postqueue/showq_compat.c index 2c2878306..c902b9c5d 100644 --- a/postfix/src/postqueue/showq_compat.c +++ b/postfix/src/postqueue/showq_compat.c @@ -109,7 +109,8 @@ static unsigned long showq_message(VSTREAM *showq_stream) /* * Read the message properties and sender address. */ - if (attr_scan(showq_stream, ATTR_FLAG_MORE | ATTR_FLAG_STRICT, + if (attr_scan(showq_stream, ATTR_FLAG_MORE | ATTR_FLAG_STRICT + | ATTR_FLAG_PRINTABLE, RECV_ATTR_STR(MAIL_ATTR_QUEUE, queue_name), RECV_ATTR_STR(MAIL_ATTR_QUEUEID, queue_id), RECV_ATTR_LONG(MAIL_ATTR_TIME, &arrival_time), 
@@ -143,7 +144,8 @@ static unsigned long showq_message(VSTREAM *showq_stream) * resynchronize. */ while ((showq_status = attr_scan_more(showq_stream)) > 0) { - if (attr_scan(showq_stream, ATTR_FLAG_MORE | ATTR_FLAG_STRICT, + if (attr_scan(showq_stream, ATTR_FLAG_MORE | ATTR_FLAG_STRICT + | ATTR_FLAG_PRINTABLE, RECV_ATTR_STR(MAIL_ATTR_RECIP, addr), RECV_ATTR_STR(MAIL_ATTR_WHY, why), ATTR_TYPE_END) != 2) diff --git a/postfix/src/postqueue/showq_json.c b/postfix/src/postqueue/showq_json.c index e9d4fb570..fc205c726 100644 --- a/postfix/src/postqueue/showq_json.c +++ b/postfix/src/postqueue/showq_json.c @@ -150,7 +150,8 @@ static void format_json(VSTREAM *showq_stream) /* * Read the message properties and sender address. */ - if (attr_scan(showq_stream, ATTR_FLAG_MORE | ATTR_FLAG_STRICT, + if (attr_scan(showq_stream, ATTR_FLAG_MORE | ATTR_FLAG_STRICT + | ATTR_FLAG_PRINTABLE, RECV_ATTR_STR(MAIL_ATTR_QUEUE, queue_name), RECV_ATTR_STR(MAIL_ATTR_QUEUEID, queue_id), RECV_ATTR_LONG(MAIL_ATTR_TIME, &arrival_time), @@ -180,7 +181,8 @@ static void format_json(VSTREAM *showq_stream) if (rcpt_count > 0) vstream_printf(", "); vstream_printf("{"); - if (attr_scan(showq_stream, ATTR_FLAG_MORE | ATTR_FLAG_STRICT, + if (attr_scan(showq_stream, ATTR_FLAG_MORE | ATTR_FLAG_STRICT + | ATTR_FLAG_PRINTABLE, RECV_ATTR_STR(MAIL_ATTR_RECIP, addr), RECV_ATTR_STR(MAIL_ATTR_WHY, why), ATTR_TYPE_END) != 2) diff --git a/postfix/src/postsuper/postsuper.c b/postfix/src/postsuper/postsuper.c index f2a021ae0..d3f2d5bcd 100644 --- a/postfix/src/postsuper/postsuper.c +++ b/postfix/src/postsuper/postsuper.c 
@@ -40,15 +40,15 @@ /* with exactly one recipient \fBuser@example.com\fR: /* .sp /* .nf -/* postqueue -j | jq ' +/* postqueue -j | jq -r ' /* # See JSON OBJECT FORMAT section in the postqueue(1) manpage /* select(.recipients[0].address == "user@example.com") /* | select(.recipients[1].address == null) /* | .queue_id -/* ' | tr -d '"' | postsuper -d - +/* ' | postsuper -d - /* .fi /* .sp -/* Or the historical form: +/* (note the "jq -r" option), or the historical form: /* .sp /* .nf /* mailq | tail -n +2 | grep -v '^ *(' | awk 'BEGIN { RS = "" } diff --git a/postfix/src/smtp/lmtp_params.c b/postfix/src/smtp/lmtp_params.c index d4ddfdb65..cc3364642 100644 --- a/postfix/src/smtp/lmtp_params.c +++ b/postfix/src/smtp/lmtp_params.c @@ -127,6 +127,7 @@ VAR_LMTP_ASSUME_FINAL, DEF_LMTP_ASSUME_FINAL, &var_lmtp_assume_final, VAR_LMTP_DUMMY_MAIL_AUTH, DEF_LMTP_DUMMY_MAIL_AUTH, &var_smtp_dummy_mail_auth, VAR_LMTP_BALANCE_INET_PROTO, DEF_LMTP_BALANCE_INET_PROTO, &var_smtp_balance_inet_proto, + VAR_LMTP_BIND_ADDR_ENFORCE, DEF_LMTP_BIND_ADDR_ENFORCE, &var_smtp_bind_addr_enforce, 0, }; static const CONFIG_NBOOL_TABLE lmtp_nbool_table[] = { diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c index 60c8fe95e..0561d070c 100644 --- a/postfix/src/smtp/smtp.c +++ b/postfix/src/smtp/smtp.c @@ -849,6 +849,11 @@ /* Available in Postfix 3.3 and later: /* .IP "\fBservice_name (read-only)\fR" /* The master.cf service name of a Postfix daemon process. +/* .PP +/* Available in Postfix 3.7 and later: +/* .IP "\fBsmtp_bind_address_enforce (no)\fR" +/* Defer delivery when the Postfix SMTP client cannot apply the +/* smtp_bind_address or smtp_bind_address6 setting. /* SEE ALSO /* generic(5), output address rewriting /* header_checks(5), message header content inspection @@ -1087,6 +1092,7 @@ int var_smtp_sasl_auth_cache_time; bool var_smtp_sasl_auth_soft_bounce; char *var_hfrom_format; +bool var_smtp_bind_addr_enforce; /* * Global variables. 
diff --git a/postfix/src/smtp/smtp_connect.c b/postfix/src/smtp/smtp_connect.c index f93e7efc6..b7bdf253b 100644 --- a/postfix/src/smtp/smtp_connect.c +++ b/postfix/src/smtp/smtp_connect.c @@ -228,9 +228,14 @@ static SMTP_SESSION *smtp_connect_addr(SMTP_ITERATOR *iter, DSN_BUF *why, if ((aierr = hostaddr_to_sockaddr(bind_addr, (char *) 0, 0, &res0)) != 0) msg_fatal("%s: bad %s parameter: %s: %s", myname, bind_var, bind_addr, MAI_STRERROR(aierr)); - if (bind(sock, res0->ai_addr, res0->ai_addrlen) < 0) + if (bind(sock, res0->ai_addr, res0->ai_addrlen) < 0) { msg_warn("%s: bind %s: %m", myname, bind_addr); - else if (msg_verbose) + if (var_smtp_bind_addr_enforce) { + freeaddrinfo(res0); + dsb_simple(why, "4.4.0", "server configuration error"); + return (0); + } + } else if (msg_verbose) msg_info("%s: bind %s", myname, bind_addr); freeaddrinfo(res0); } diff --git a/postfix/src/smtp/smtp_params.c b/postfix/src/smtp/smtp_params.c index ef65bc547..cd54f8fcb 100644 --- a/postfix/src/smtp/smtp_params.c +++ b/postfix/src/smtp/smtp_params.c @@ -131,6 +131,7 @@ VAR_LMTP_ASSUME_FINAL, DEF_LMTP_ASSUME_FINAL, &var_lmtp_assume_final, VAR_SMTP_DUMMY_MAIL_AUTH, DEF_SMTP_DUMMY_MAIL_AUTH, &var_smtp_dummy_mail_auth, VAR_SMTP_BALANCE_INET_PROTO, DEF_SMTP_BALANCE_INET_PROTO, &var_smtp_balance_inet_proto, + VAR_SMTP_BIND_ADDR_ENFORCE, DEF_SMTP_BIND_ADDR_ENFORCE, &var_smtp_bind_addr_enforce, 0, }; static const CONFIG_NBOOL_TABLE smtp_nbool_table[] = { diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c index 1a2d558ab..5bbee93b2 100644 --- a/postfix/src/smtpd/smtpd_check.c +++ b/postfix/src/smtpd/smtpd_check.c 
@@ -4374,8 +4374,8 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions, } } else if (is_map_command(state, name, CHECK_CCERT_ACL, &cpp)) { status = check_ccert_access(state, *cpp, def_acl); -#ifdef USE_SASL_AUTH } else if (is_map_command(state, name, CHECK_SASL_ACL, &cpp)) { +#ifdef USE_SASL_AUTH if (var_smtpd_sasl_enable) { if (state->sasl_username && state->sasl_username[0]) status = check_sasl_access(state, *cpp, def_acl); diff --git a/postfix/src/tls/tls_dane.c b/postfix/src/tls/tls_dane.c index a31a51374..752bb5b1c 100644 --- a/postfix/src/tls/tls_dane.c +++ b/postfix/src/tls/tls_dane.c @@ -392,7 +392,7 @@ static void tlsa_carp(const char *s1, const char *s2, const char *s3, vstring_sprintf(top, "..."); } - msg_warn("%s%s%s%s: %u %u %u %s%s%s", s1, s2, s3, s4, u, s, m, STR(top), + msg_warn("%s%s%s %s: %u %u %u %s%s%s", s1, s2, s3, s4, u, s, m, STR(top), dlen > MAX_DUMP_BYTES ? "..." : "", dlen > MAX_DUMP_BYTES ? STR(bot) : ""); } @@ -807,13 +807,13 @@ int tls_dane_enable(TLS_SESS_STATE *TLScontext) continue; } if (ret == 0) { - tlsa_carp(TLScontext->namaddr, ": ", "", "unusable TLSA RR", + tlsa_carp(TLScontext->namaddr, ":", "", "unusable TLSA RR", tp->usage, tp->selector, tp->mtype, tp->data, tp->length); continue; } /* Internal problem in OpenSSL */ - tlsa_carp(TLScontext->namaddr, ": ", "", "error loading trust settings", + tlsa_carp(TLScontext->namaddr, ":", "", "error loading trust settings", tp->usage, tp->selector, tp->mtype, tp->data, tp->length); tls_print_errors(); return (-1); diff --git a/postfix/src/util/attr.h b/postfix/src/util/attr.h index c62c22607..067405f58 100644 --- a/postfix/src/util/attr.h +++ b/postfix/src/util/attr.h 
@@ -101,9 +101,10 @@ CHECK_VAL_HELPER_DCL(ATTR, ATTR_SCAN_CUSTOM_FN); #define ATTR_FLAG_MISSING (1<<0) /* Flag missing attribute */ #define ATTR_FLAG_EXTRA (1<<1) /* Flag spurious attribute */ #define ATTR_FLAG_MORE (1<<2) /* Don't skip or terminate */ +#define ATTR_FLAG_PRINTABLE (1<<3) /* Sanitize received strings */ #define ATTR_FLAG_STRICT (ATTR_FLAG_MISSING | ATTR_FLAG_EXTRA) -#define ATTR_FLAG_ALL (07) +#define ATTR_FLAG_ALL (017) /* * Default to null-terminated, as opposed to base64-encoded. diff --git a/postfix/src/util/attr_scan0.c b/postfix/src/util/attr_scan0.c index 57746407c..13aa12504 100644 --- a/postfix/src/util/attr_scan0.c +++ b/postfix/src/util/attr_scan0.c @@ -86,6 +86,8 @@ /* same input attribute list. /* By default, attr_scan0() skips forward past the input attribute list /* terminator. +/* .IP ATTR_FLAG_PRINTABLE +/* Santize received string values with printable(_, '?'). /* .IP ATTR_FLAG_STRICT /* For convenience, this value combines both ATTR_FLAG_MISSING and /* ATTR_FLAG_EXTRA. @@ -178,6 +180,7 @@ #include #include #include +#include #include /* Application specific. */ @@ -412,6 +415,8 @@ int attr_vscan0(VSTREAM *fp, int flags, va_list ap) if ((ch = attr_scan0_string(fp, string, "input attribute value")) < 0) return (-1); + if (flags & ATTR_FLAG_PRINTABLE) + (void) printable(STR(string), '?'); break; case ATTR_TYPE_DATA: string = va_arg(ap, VSTRING *); @@ -443,6 +448,10 @@ int attr_vscan0(VSTREAM *fp, int flags, va_list ap) if ((ch = attr_scan0_string(fp, str_buf, "input attribute value")) < 0) return (-1); + if (flags & ATTR_FLAG_PRINTABLE) { + (void) printable(STR(name_buf), '?'); + (void) printable(STR(str_buf), '?'); + } if (htable_locate(hash_table, STR(name_buf)) != 0) { if ((flags & ATTR_FLAG_EXTRA) != 0) { msg_warn("duplicate attribute %s in input from %s", diff --git a/postfix/src/util/attr_scan64.c b/postfix/src/util/attr_scan64.c index 0a5eb3ee5..0d9b114c4 100644 --- a/postfix/src/util/attr_scan64.c 
+++ b/postfix/src/util/attr_scan64.c @@ -88,6 +88,8 @@ /* same input attribute list. /* By default, attr_scan64() skips forward past the input attribute list /* terminator. +/* .IP ATTR_FLAG_PRINTABLE +/* Santize received string values with printable(_, '?'). /* .IP ATTR_FLAG_STRICT /* For convenience, this value combines both ATTR_FLAG_MISSING and /* ATTR_FLAG_EXTRA. @@ -179,6 +181,7 @@ #include #include #include +#include #include /* Application specific. */ @@ -451,6 +454,8 @@ int attr_vscan64(VSTREAM *fp, int flags, va_list ap) STR(name_buf), VSTREAM_PATH(fp)); return (-1); } + if (flags & ATTR_FLAG_PRINTABLE) + (void) printable(STR(string), '?'); break; case ATTR_TYPE_DATA: if (ch != ':') { @@ -512,6 +517,10 @@ int attr_vscan64(VSTREAM *fp, int flags, va_list ap) STR(name_buf), VSTREAM_PATH(fp)); return (-1); } + if (flags & ATTR_FLAG_PRINTABLE) { + (void) printable(STR(name_buf), '?'); + (void) printable(STR(str_buf), '?'); + } if (htable_locate(hash_table, STR(name_buf)) != 0) { if ((flags & ATTR_FLAG_EXTRA) != 0) { msg_warn("duplicate attribute %s in input from %s", diff --git a/postfix/src/util/attr_scan_plain.c b/postfix/src/util/attr_scan_plain.c index b003d4585..d7e2f6677 100644 --- a/postfix/src/util/attr_scan_plain.c +++ b/postfix/src/util/attr_scan_plain.c @@ -86,6 +86,8 @@ /* from the same input attribute list. /* By default, attr_scan_plain() skips forward past the input attribute /* list terminator. +/* .IP ATTR_FLAG_PRINTABLE +/* Santize received string values with printable(_, '?'). /* .IP ATTR_FLAG_STRICT /* For convenience, this value combines both ATTR_FLAG_MISSING and /* ATTR_FLAG_EXTRA. @@ -177,6 +179,7 @@ #include #include #include +#include #include /* Application specific. */ 
@@ -444,6 +447,8 @@ int attr_vscan_plain(VSTREAM *fp, int flags, va_list ap) if ((ch = attr_scan_plain_string(fp, string, 0, "input attribute value")) < 0) return (-1); + if (flags & ATTR_FLAG_PRINTABLE) + (void) printable(STR(string), '?'); break; case ATTR_TYPE_DATA: if (ch != '=') { @@ -490,6 +495,10 @@ int attr_vscan_plain(VSTREAM *fp, int flags, va_list ap) if ((ch = attr_scan_plain_string(fp, str_buf, 0, "input attribute value")) < 0) return (-1); + if (flags & ATTR_FLAG_PRINTABLE) { + (void) printable(STR(name_buf), '?'); + (void) printable(STR(str_buf), '?'); + } if (htable_locate(hash_table, STR(name_buf)) != 0) { if ((flags & ATTR_FLAG_EXTRA) != 0) { msg_warn("duplicate attribute %s in input from %s",
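Review bot: In the src/smtp/smtp_connect.c hunk, the new early return under var_smtp_bind_addr_enforce frees res0 and fills in the DSN, but the lines shown do not close sock before "return (0);". Unless the caller owns the descriptor, each failed bind with smtp_bind_address_enforce = yes leaks one socket in a long-running smtp(8) process. Close the socket on this path next to the freeaddrinfo(res0) call, or add a comment naming who releases it.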
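Review bot: In the ATTR_TYPE_HASH branches of attr_vscan0(), attr_vscan64() and attr_vscan_plain(), printable(STR(name_buf), '?') runs before htable_locate(hash_table, STR(name_buf)). Two received names that differ only in non-printable bytes then collapse to the same key and take the "duplicate attribute" path. Either sanitize only str_buf here or move the name sanitization after the lookup and insert. The new ATTR_FLAG_PRINTABLE documentation also says only "received string values" although hash names are rewritten too, and "Santize" should read "Sanitize" in all three files.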
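Review bot: In proto/postconf.proto the line "%PARAM lmtp_bind_address_enforce" carries no default, so the generated postconf.5 and postconf.5.html show "(default: empty)" for a boolean that mail_params.h defines as DEF_LMTP_BIND_ADDR_ENFORCE 0 and lmtp_params.c registers in the bool table. Give the %PARAM line an explicit default that matches the SMTP entry ("no") so readers are not left guessing what an empty boolean means.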
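Review bot: In src/tls/tls_dane.c the tlsa_carp() format string now always puts a space between s3 and s4 ("%s%s%s %s: ..."), but only the two call sites in tls_dane_enable() are adjusted from ": " to ":" in this patch. Any other tlsa_carp() caller that still passes its own trailing separator in s2 or s3 will now log a doubled space, so check the remaining call sites or state in the function comment that the separator is supplied by tlsa_carp() itself.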
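Review bot: In the HISTORY hunk, the 20211026 entry names only "src/smtp/smtp_connect.c", while the same patch also touches global/mail_params.h, smtp/smtp.c, smtp/smtp_params.c and smtp/lmtp_params.c for smtp_bind_address_enforce, and the other entries give paths without the "src/" prefix. List the full file set in the entry's usual path style. The 20211027 "Safety" entry is the security-relevant one, and it would help to say there that the sanitization replaces non-printable characters with '?' (ATTR_FLAG_PRINTABLE), so administrators who parse postqueue output know what changed.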