From: Wietse Z Venema
The default action when a Milter (mail filter) response is unavailable (for example, bad Postfix configuration or Milter @@ -7297,11 +7297,20 @@ with a permanent status code.
The current default action is "shutdown", i.e. disconnect the +SMTP client. With the old "tempfail" default, Postfix could tempfail +all messages that the client sends over a long-lived connection, +even if a Milter failure is only temporary.
+This feature is available in Postfix 2.3 and later.
diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index d8038c327..cf1a1287e 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -4539,7 +4539,7 @@ filter) applications after the SMTP DATA command. See MILTER_README for a list of available macro names and their meanings. .PP This feature is available in Postfix 2.3 and later. -.SH milter_default_action (default: tempfail) +.SH milter_default_action (default: see 'postconf \-d milter_default_action' output) The default action when a Milter (mail filter) response is unavailable (for example, bad Postfix configuration or Milter failure). Specify one of the following: @@ -4554,12 +4554,22 @@ with a permanent status code. Reject all further commands in this session with a temporary status code. .br +.IP "shutdown" +Close the SMTP connection after sending a 421 +SMTP reply. Available in Postfix 3.11, 3.10.8, 3.9.9, 3.8.15, 3.7.20, +and later. +.br .IP "quarantine" Like "accept", but freeze the message in the "hold" queue. Available with Postfix 2.6 and later. .br .br .PP +The current default action is "shutdown", i.e. disconnect the +SMTP client. With the old "tempfail" default, Postfix could tempfail +all messages that the client sends over a long\-lived connection, +even if a Milter failure is only temporary. +.PP This feature is available in Postfix 2.3 and later. .SH milter_end_of_data_macros (default: see "postconf \-d" output) The macros that are sent to Milter (mail filter) applications diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index abd3924cb..8a3e4b3c7 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -12187,7 +12187,7 @@ will not reply for each individual message header.This feature is available in Postfix 2.3 and later.
-%PARAM milter_default_action tempfail +%PARAM milter_default_action see 'postconf -d milter_default_action' outputThe default action when a Milter (mail filter) response is unavailable (for example, bad Postfix configuration or Milter @@ -12204,11 +12204,20 @@ with a permanent status code.
The current default action is "shutdown", i.e. disconnect the +SMTP client. With the old "tempfail" default, Postfix could tempfail +all messages that the client sends over a long-lived connection, +even if a Milter failure is only temporary.
+This feature is available in Postfix 2.3 and later.
%PARAM milter_connect_timeout 30s diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index 7a3ce797f..e4ad40a6f 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -3512,7 +3512,7 @@ extern char *var_smtpd_milter_maps; extern char *var_cleanup_milters; #define VAR_MILT_DEF_ACTION "milter_default_action" -#define DEF_MILT_DEF_ACTION "tempfail" +#define DEF_MILT_DEF_ACTION "shutdown" extern char *var_milt_def_action; #define VAR_MILT_CONN_MACROS "milter_connect_macros" @@ -3567,10 +3567,6 @@ extern int var_milt_msg_time; #define DEF_MILT_PROTOCOL "6" extern char *var_milt_protocol; -#define VAR_MILT_DEF_ACTION "milter_default_action" -#define DEF_MILT_DEF_ACTION "tempfail" -extern char *var_milt_def_action; - #define VAR_MILT_DAEMON_NAME "milter_macro_daemon_name" #define DEF_MILT_DAEMON_NAME "$" VAR_MYHOSTNAME extern char *var_milt_daemon_name; diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index acfd0bf1b..0142198dc 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20251205" -#define MAIL_VERSION_NUMBER "3.9.8" +#define MAIL_RELEASE_DATE "20260218" +#define MAIL_VERSION_NUMBER "3.9.9" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff --git a/postfix/src/milter/milter8.c b/postfix/src/milter/milter8.c index 6c9a1eec4..b504ffc05 100644 --- a/postfix/src/milter/milter8.c +++ b/postfix/src/milter/milter8.c 
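Review bot: The new `#define DEF_MILT_DEF_ACTION "shutdown"` in the first mail_params.h hunk changes the failure behaviour for every site that never set milter_default_action, and the define has no comment recording that. The mail_version.h hunk in the same commit moves 3.9.8 to 3.9.9, so this lands in a patch release. Monitoring that keys on the old 451 tempfail replies during a Milter outage will see 421 replies and closed sessions instead. I would add a comment above the define, for example `/* Default closes the session with 421 instead of tempfailing every message on a long-lived connection. */`. The second hunk, which removes the duplicate definition block, needs nothing further.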
@@ -523,6 +523,8 @@ static int milter8_conf_error(MILTER8 *milter) } if (strcasecmp(milter->def_action, "accept") == 0) { reply = 0; + } else if (strcasecmp(milter->def_action, "shutdown") == 0) { + reply = "421 4.3.5 Server configuration problem - try again later"; } else if (strcasecmp(milter->def_action, "quarantine") == 0) { reply = "H"; } else { @@ -557,6 +559,8 @@ static int milter8_comm_error(MILTER8 *milter) reply = "550 5.5.0 Service unavailable"; } else if (strcasecmp(milter->def_action, "tempfail") == 0) { reply = "451 4.7.1 Service unavailable - try again later"; + } else if (strcasecmp(milter->def_action, "shutdown") == 0) { + reply = "421 4.7.1 Service unavailable - try again later"; } else if (strcasecmp(milter->def_action, "quarantine") == 0) { reply = "H"; } else { diff --git a/postfix/src/util/msg_vstream.c b/postfix/src/util/msg_vstream.c index b6e24e609..3477b546b 100644 --- a/postfix/src/util/msg_vstream.c +++ b/postfix/src/util/msg_vstream.c @@ -80,6 +80,7 @@ void msg_vstream_init(const char *name, VSTREAM *vp) msg_tag = name; msg_stream = vp; + vstream_no_debug(vp); if (first_call) { first_call = 0; msg_output(msg_vstream_print); diff --git a/postfix/src/util/vstream.c b/postfix/src/util/vstream.c index affbcc0df..5acfb0f10 100644 --- a/postfix/src/util/vstream.c +++ b/postfix/src/util/vstream.c @@ -166,6 +166,9 @@ /* int vstream_fstat(stream, flags) /* VSTREAM *stream; /* int flags; +/* +/* void vstream_no_debug(stream) +/* VSTREAM *stream; /* DESCRIPTION /* The \fIvstream\fR module implements light-weight buffered I/O /* similar to the standard I/O routines. 
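Review bot: The new "shutdown" branch in milter8_conf_error, and the matching one in milter8_comm_error in the next hunk, only select a reply string that begins with 421; nothing visible in either hunk closes the connection. The disconnect described in the documentation presumably depends on the SMTP server treating a 421 default reply as session-ending, and that code is outside these hunks. A comment at each branch would make the dependency explicit, for example `/* 421: caller is expected to close the session after this reply */`. A regression test that points milter_default_action=shutdown at an unreachable Milter and checks that the session ends after the 421 would pin the behaviour. Both functions start and end outside the hunks.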
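Review bot: The added `vstream_no_debug(vp);` in msg_vstream_init has no comment, and the reason for it is only visible in vstream.c. It sits outside the `first_call` guard, so every call re-targets the lockout along with `msg_stream`. That looks intended, but a reader of this file cannot tell. I would add `/* Never debug-log flush activity on the logging stream itself (recursion). */` on the line above the call. The function body starts and ends outside the hunk.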
@@ -494,6 +497,10 @@ /* .IP VSTREAM_FLAG_OWN_VSTRING /* The stream 'owns' the VSTRING buffer, and is responsible /* for cleaning up when the stream is closed. +/* +/* vstream_no_debug() disables 'spontaneous' logging of output +/* activity on the last specified VSTREAM, to prevent recursive +/* logging. /* DIAGNOSTICS /* Panics: interface violations. Fatal errors: out of memory. /* SEE ALSO @@ -674,6 +681,8 @@ VSTREAM vstream_fstd[] = { } \ } while (0) +static VSTREAM *vstream_log_veto; + /* vstream_buf_init - initialize buffer */ static void vstream_buf_init(VBUF *bp, int flags) @@ -771,7 +780,7 @@ static int vstream_fflush_some(VSTREAM *stream, ssize_t to_flush) used = bp->len - bp->cnt; left_over = used - to_flush; - if (msg_verbose > 2 && stream != VSTREAM_ERR) + if (msg_verbose > 2 && stream != vstream_log_veto) msg_info("%s: fd %d flush %ld", myname, stream->fd, (long) to_flush); if (to_flush < 0 || left_over < 0) msg_panic("%s: bad to_flush %ld", myname, (long) to_flush); @@ -834,7 +843,7 @@ static int vstream_fflush_some(VSTREAM *stream, ssize_t to_flush) } } } - if (msg_verbose > 2 && stream != VSTREAM_ERR && n != to_flush) + if (msg_verbose > 2 && stream != vstream_log_veto && n != to_flush) msg_info("%s: %d flushed %ld/%ld", myname, stream->fd, (long) n, (long) to_flush); } @@ -1890,6 +1899,13 @@ VSTREAM *vstream_memreopen(VSTREAM *stream, VSTRING *string, int flags) return (stream); } +/* vstream_no_debug - debug logging lockout */ + +void vstream_no_debug(VSTREAM *stream) +{ + vstream_log_veto = stream; +} + #ifdef TEST static void copy_line(ssize_t bufsize) diff --git a/postfix/src/util/vstream.h b/postfix/src/util/vstream.h index 23688c745..d308253f8 100644 --- a/postfix/src/util/vstream.h +++ b/postfix/src/util/vstream.h 
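Review bot: In vstream_fflush_some, the guards at `@@ -771` and `@@ -834` used to exclude VSTREAM_ERR unconditionally, but now exclude only whatever `vstream_log_veto` points at. That pointer is declared at `@@ -674` as a plain static, so it is null until vstream_no_debug() is called. Any logging path that writes through a VSTREAM without going through msg_vstream_init would therefore no longer be protected against recursive logging at `msg_verbose > 2`. Whether such a path exists cannot be seen from these hunks. The declaration should carry the contract, for example `/* Stream that carries msg(3) output; its flush activity is never debug-logged. Null means no stream is excluded. */`.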
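Review bot: vstream_no_debug() at `@@ -1890` stores the raw stream pointer, and nothing in the visible hunks clears it when that stream is closed. If the vetoed stream is freed and a later VSTREAM is allocated at the same address, that new stream would silently lose its debug logging. The close path is outside the hunks, so this may already be handled there. At minimum the DESCRIPTION text added at `@@ -494` should say that the stream must stay open for as long as it is the logging stream. It should also say that `vstream_no_debug((VSTREAM *) 0)` removes the lockout, which follows from the pointer comparison in vstream_fflush_some.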
@@ -274,6 +274,11 @@ extern int vstream_tweak_tcp(VSTREAM *); vstream_memreopen((VSTREAM *) 0, (string), (flags)) VSTREAM *vstream_memreopen(VSTREAM *, struct VSTRING *, int); + /* + * Debug logging lockout. + */ +extern void vstream_no_debug(VSTREAM *); + /* LICENSE /* .ad /* .fi