From: Wietse Venema Date: Sat, 27 Jan 2018 05:00:00 +0000 (-0500) Subject: postfix-3.1.8 X-Git-Tag: v3.1.8^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=64d75aa804f9d29d680bd69c45191726e5633444;p=thirdparty%2Fpostfix.git postfix-3.1.8 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index c41f5c54c..25c05fe68 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -22366,3 +22366,35 @@ Apologies for any names omitted. Bugfix (introduced: Postfix 3.0) missing dynamicmaps support in the Postfix sendmail command broke authorized_submit_users with a dynamically-loaded map type. File: sendmail/sendmail.c. + +20171116 + + Bugfix (introduced: Postfix 2.1): don't log warnings + that some restriction returns OK, when the access map + DISCARD feature is in effect. File: smtpd/smtpd_check.c. + +20171215 + + Bugfix (introduced: 20170611): the DB_CONFIG bugfix broke + Berkeley DB configurations with a relative pathname. File: + util/dict_db.c. + +20171218 + + Workaround: reportedly, some res_query(3) implementation + can return -1 with h_errno==0. Instead of terminating with + a panic, the Postfix DNS client now logs a warning and sets + h_errno to TRY_AGAIN. File: dns/dns_lookup.c. + +20171226 + + Documentation patches by Sven Neuhaus. Files: + proto/FORWARD_SECRECY_README.html, proto/SMTPD_ACCESS_README.html. + +20180106 + + Cleanup: missing mailbox seek-to-end error check in the + local(8) delivery agent. File: local/mailbox.c. + + Cleanup: incorrect mailbox seek-to-end error message in the + virtual(8) delivery agent. File: virtual/mailbox.c. diff --git a/postfix/html/FORWARD_SECRECY_README.html b/postfix/html/FORWARD_SECRECY_README.html index a7c2f24e2..d1364ef54 100644 --- a/postfix/html/FORWARD_SECRECY_README.html +++ b/postfix/html/FORWARD_SECRECY_README.html @@ -322,9 +322,9 @@ few seconds to a few minutes): 

 # cd /etc/postfix
 # umask 022
-# openssl dhparam -out dh512.tmp 512 && mv dh512.tmp dh512.pem
-# openssl dhparam -out dh1024.tmp 1024 && mv dh1024.tmp dh1024.pem
-# openssl dhparam -out dh2048.tmp 2048 && mv dh2048.tmp dh2048.pem
+# openssl dhparam -out dh512.tmp 512 && mv dh512.tmp dh512.pem
+# openssl dhparam -out dh1024.tmp 1024 && mv dh1024.tmp dh1024.pem
+# openssl dhparam -out dh2048.tmp 2048 && mv dh2048.tmp dh2048.pem
 # chmod 644 dh512.pem dh1024.pem dh2048.pem
diff --git a/postfix/html/SMTPD_ACCESS_README.html b/postfix/html/SMTPD_ACCESS_README.html index 411440c7a..83235574a 100644 --- a/postfix/html/SMTPD_ACCESS_README.html +++ b/postfix/html/SMTPD_ACCESS_README.html @@ -251,7 +251,7 @@ Reject MAIL FROM information relay policy Reject RCPT TO information - < 2.10 Not available + < 2.10 Not available smtpd_recipient_restrictions ≥ @@ -259,7 +259,7 @@ relay policy relay policy Reject RCPT TO information - < 2.10 Required + < 2.10 Required smtpd_data_restrictions ≥ 2.0 Optional diff --git a/postfix/proto/FORWARD_SECRECY_README.html b/postfix/proto/FORWARD_SECRECY_README.html index 36110b8d8..3db4ee843 100644 --- a/postfix/proto/FORWARD_SECRECY_README.html +++ b/postfix/proto/FORWARD_SECRECY_README.html @@ -322,9 +322,9 @@ few seconds to a few minutes): 

 # cd /etc/postfix
 # umask 022
-# openssl dhparam -out dh512.tmp 512 && mv dh512.tmp dh512.pem
-# openssl dhparam -out dh1024.tmp 1024 && mv dh1024.tmp dh1024.pem
-# openssl dhparam -out dh2048.tmp 2048 && mv dh2048.tmp dh2048.pem
+# openssl dhparam -out dh512.tmp 512 && mv dh512.tmp dh512.pem
+# openssl dhparam -out dh1024.tmp 1024 && mv dh1024.tmp dh1024.pem
+# openssl dhparam -out dh2048.tmp 2048 && mv dh2048.tmp dh2048.pem
 # chmod 644 dh512.pem dh1024.pem dh2048.pem
diff --git a/postfix/proto/SMTPD_ACCESS_README.html b/postfix/proto/SMTPD_ACCESS_README.html index ef45e1dd4..5952bb278 100644 --- a/postfix/proto/SMTPD_ACCESS_README.html +++ b/postfix/proto/SMTPD_ACCESS_README.html @@ -251,7 +251,7 @@ Reject MAIL FROM information relay policy Reject RCPT TO information - < 2.10 Not available + < 2.10 Not available smtpd_recipient_restrictions ≥ @@ -259,7 +259,7 @@ relay policy relay policy Reject RCPT TO information - < 2.10 Required + < 2.10 Required smtpd_data_restrictions ≥ 2.0 Optional diff --git a/postfix/src/dns/dns_lookup.c b/postfix/src/dns/dns_lookup.c index fe59aa647..e144dab62 100644 --- a/postfix/src/dns/dns_lookup.c +++ b/postfix/src/dns/dns_lookup.c @@ -397,6 +397,14 @@ static int dns_res_search(const char *name, int class, int type, /* Prepare for returning a null-padded server reply. */ memset(answer, 0, anslen); len = res_query(name, class, type, answer, anslen); + /* Begin API creep workaround. */ + if (len < 0 && h_errno == 0) { + SET_H_ERRNO(TRY_AGAIN); + msg_warn("res_query(\"%s\", %d, %d, %p, %d) returns %d with h_errno==0" + " -- setting h_errno=TRY_AGAIN", + name, class, type, answer, anslen, len); + } + /* End API creep workaround. */ if (len > 0) { SET_H_ERRNO(0); } else if (keep_notfound && NOT_FOUND_H_ERRNO(h_errno)) { diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 3cd566de4..5df75bc5c 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20171028" -#define MAIL_VERSION_NUMBER "3.1.7" +#define MAIL_RELEASE_DATE "20180127" +#define MAIL_VERSION_NUMBER "3.1.8" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff --git a/postfix/src/local/mailbox.c b/postfix/src/local/mailbox.c index 887333c62..d4f01bf71 100644 --- a/postfix/src/local/mailbox.c +++ b/postfix/src/local/mailbox.c @@ -97,7 +97,7 @@ static int deliver_mailbox_file(LOCAL_STATE state, USER_ATTR usr_attr) int deliver_status; int copy_flags; VSTRING *biff; - long end; + off_t end; struct stat st; uid_t spool_uid; gid_t spool_gid; @@ -202,7 +202,8 @@ static int deliver_mailbox_file(LOCAL_STATE state, USER_ATTR usr_attr) msg_warn("specify \"%s = no\" to ignore mailbox ownership mismatch", VAR_STRICT_MBOX_OWNER); } else { - end = vstream_fseek(mp->fp, (off_t) 0, SEEK_END); + if ((end = vstream_fseek(mp->fp, (off_t) 0, SEEK_END)) < 0) + msg_fatal("seek mailbox file %s: %m", mailbox); mail_copy_status = mail_copy(COPY_ATTR(state.msg_attr), mp->fp, copy_flags, "\n", why); } diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c index 4b7bbc808..000602301 100644 --- a/postfix/src/smtpd/smtpd_check.c +++ b/postfix/src/smtpd/smtpd_check.c @@ -4053,7 +4053,7 @@ static int is_map_command(SMTPD_STATE *state, const char *name, static void forbid_whitelist(SMTPD_STATE *state, const char *name, int status, const char *target) { - if (status == SMTPD_CHECK_OK) { + if (state->discard == 0 && status == SMTPD_CHECK_OK) { msg_warn("restriction %s returns OK for %s", name, target); msg_warn("this is not allowed for security reasons"); msg_warn("use DUNNO instead of OK if you want to make an exception"); diff --git a/postfix/src/util/dict_db.c b/postfix/src/util/dict_db.c index e3d341060..956d2c3f5 100644 --- a/postfix/src/util/dict_db.c +++ b/postfix/src/util/dict_db.c @@ -615,6 +615,7 @@ static DICT *dict_db_open(const char *class, const char *path, int open_flags, struct stat st; DB *db = 0; char *db_path = 0; + VSTRING *db_base_buf = 0; int lock_fd = -1; int dbfd; @@ -671,6 +672,7 @@ static DICT *dict_db_open(const char *class, const char *path, int open_flags, #define FREE_RETURN(e) do { \ DICT *_dict = (e); if (db) DICT_DB_CLOSE(db); \ if (lock_fd >= 0) (void) close(lock_fd); \ + if (db_base_buf) vstring_free(db_base_buf); \ if (db_path) myfree(db_path); return (_dict); \ } while (0) @@ -735,18 +737,22 @@ static DICT *dict_db_open(const char *class, const char *path, int open_flags, msg_panic("db_create null result"); if (type == DB_HASH && db->set_h_nelem(db, DICT_DB_NELM) != 0) msg_fatal("set DB hash element count %d: %m", DICT_DB_NELM); + db_base_buf = vstring_alloc(100); #if DB_VERSION_MAJOR == 6 || DB_VERSION_MAJOR == 5 || \ (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR > 0) - if ((errno = db->open(db, 0, db_path, 0, type, db_flags, 0644)) != 0) + if ((errno = db->open(db, 0, sane_basename(db_base_buf, db_path), + 0, type, db_flags, 0644)) != 0) FREE_RETURN(dict_surrogate(class, path, open_flags, dict_flags, "open database %s: %m", db_path)); #elif (DB_VERSION_MAJOR == 3 || DB_VERSION_MAJOR == 4) - if ((errno = db->open(db, db_path, 0, type, db_flags, 0644)) != 0) + if ((errno = db->open(db, sane_basename(db_base_buf, db_path), 0, + type, db_flags, 0644)) != 0) FREE_RETURN(dict_surrogate(class, path, open_flags, dict_flags, "open database %s: %m", db_path)); #else #error "Unsupported Berkeley DB version" #endif + vstring_free(db_base_buf); if ((errno = db->fd(db, &dbfd)) != 0) msg_fatal("get database file descriptor: %m"); #endif diff --git a/postfix/src/virtual/mailbox.c b/postfix/src/virtual/mailbox.c index 51e646de7..a8042f200 100644 --- a/postfix/src/virtual/mailbox.c +++ b/postfix/src/virtual/mailbox.c @@ -132,7 +132,7 @@ static int deliver_mailbox_file(LOCAL_STATE state, USER_ATTR usr_attr) VAR_STRICT_MBOX_OWNER); } else { if (vstream_fseek(mp->fp, (off_t) 0, SEEK_END) < 0) - msg_fatal("%s: seek queue file %s: %m", + msg_fatal("%s: seek mailbox file %s: %m", myname, VSTREAM_PATH(mp->fp)); mail_copy_status = mail_copy(COPY_ATTR(state.msg_attr), mp->fp, copy_flags, "\n", why);