From: Wietse Venema
Uncomment the new "smtpd pass ... smtpd" service in master.cf, and duplicate any "-o parameter=value" entries
-from the smtpd service that was commented out in step 1.
+from the smtpd service that was commented out in the previous step.
+/etc/postfix/master.cf:
diff --git a/postfix/html/postscreen.8.html b/postfix/html/postscreen.8.html
index 7b459f768..b2b5367bb 100644
--- a/postfix/html/postscreen.8.html
+++ b/postfix/html/postscreen.8.html
@@ -61,7 +61,7 @@ POSTSCREEN(8) POSTSCREEN(8)
RFC 1985 (ETRN command)
RFC 2034 (SMTP Enhanced Status Codes)
RFC 2821 (SMTP protocol)
- RFC 2920 (SMTP Pipelining)
+ Not: RFC 2920 (SMTP Pipelining)
RFC 3207 (STARTTLS command)
RFC 3461 (SMTP DSN Extension)
RFC 3463 (Enhanced Status Codes)
diff --git a/postfix/man/man8/postscreen.8 b/postfix/man/man8/postscreen.8
index 84b85c23a..93062d888 100644
--- a/postfix/man/man8/postscreen.8
+++ b/postfix/man/man8/postscreen.8
@@ -64,7 +64,7 @@ RFC 1870 (Message Size Declaration)
RFC 1985 (ETRN command)
RFC 2034 (SMTP Enhanced Status Codes)
RFC 2821 (SMTP protocol)
-RFC 2920 (SMTP Pipelining)
+Not: RFC 2920 (SMTP Pipelining)
RFC 3207 (STARTTLS command)
RFC 3461 (SMTP DSN Extension)
RFC 3463 (Enhanced Status Codes)
diff --git a/postfix/proto/POSTSCREEN_README.html b/postfix/proto/POSTSCREEN_README.html
index de4640099..e71ebe1a9 100644
--- a/postfix/proto/POSTSCREEN_README.html
+++ b/postfix/proto/POSTSCREEN_README.html
@@ -701,7 +701,8 @@ that follow.
Uncomment the new "smtpd pass ... smtpd" service in master.cf, and duplicate any "-o parameter=value" entries
-from the smtpd service that was commented out in step 1.
+from the smtpd service that was commented out in the previous step.
+
/etc/postfix/master.cf:
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 8b73cef61..bfe4774a4 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,8 +20,8 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20110120"
-#define MAIL_VERSION_NUMBER "2.8.0"
+#define MAIL_RELEASE_DATE "20110207"
+#define MAIL_VERSION_NUMBER "2.8.1-RC1"
#ifdef SNAPSHOT
# define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
diff --git a/postfix/src/postscreen/postscreen.c b/postfix/src/postscreen/postscreen.c
index 7b3332b61..bc43ea27e 100644
--- a/postfix/src/postscreen/postscreen.c
+++ b/postfix/src/postscreen/postscreen.c
@@ -54,7 +54,7 @@
/* RFC 1985 (ETRN command)
/* RFC 2034 (SMTP Enhanced Status Codes)
/* RFC 2821 (SMTP protocol)
-/* RFC 2920 (SMTP Pipelining)
+/* Not: RFC 2920 (SMTP Pipelining)
/* RFC 3207 (STARTTLS command)
/* RFC 3461 (SMTP DSN Extension)
/* RFC 3463 (Enhanced Status Codes)
diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c
index 3dd9367b9..d670b8208 100644
--- a/postfix/src/smtpd/smtpd.c
+++ b/postfix/src/smtpd/smtpd.c
@@ -4028,6 +4028,7 @@ static void smtpd_start_tls(SMTPD_STATE *state)
TLS_SERVER_START(&props,
ctx = smtpd_tls_ctx,
stream = state->client,
+ fd = -1,
log_level = var_smtpd_tls_loglevel,
timeout = var_smtpd_starttls_tmout,
requirecert = requirecert,
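Review bot: The added `fd = -1,` is a bare sentinel with nothing at the call site saying why; because `stream = state->client` is non-null here, tls_server_start() will not read it, and the parallel call in tlsproxy.c annotates its unused argument with a comment. Suggest `fd = -1, /* unused: stream is set */` so the next reader sees the value is deliberate rather than a descriptor that was never filled in. smtpd_start_tls() begins and ends outside this hunk.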
diff --git a/postfix/src/tls/tls.h b/postfix/src/tls/tls.h
index 6e18badbd..5a06d8bd7 100644
--- a/postfix/src/tls/tls.h
+++ b/postfix/src/tls/tls.h
@@ -268,6 +268,7 @@ typedef struct {
typedef struct {
TLS_APPL_STATE *ctx; /* TLS application context */
VSTREAM *stream; /* Client stream */
+ int fd; /* Event-driven file descriptor */
int log_level; /* TLS log level */
int timeout; /* TLS handshake timeout */
int requirecert; /* Insist on client cert? */
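Review bot: The comment on the new `int fd;` field does not say when it is consulted; the tls_server.c hunk shows tls_server_start() reading it only when `stream` is null, so a reader of the header cannot tell whether a caller must set both or just one. Suggest `int fd; /* I/O descriptor; used only when stream is null */`. The typedef'd struct opens in this hunk but its closing line is outside it.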
@@ -293,10 +294,10 @@ extern TLS_SESS_STATE *tls_server_post_accept(TLS_SESS_STATE *);
((props)->a12), ((props)->a13), ((props)->a14), ((props)->a15), \
((props)->a16), ((props)->a17), ((props)->a18), ((props)->a19), (props)))
-#define TLS_SERVER_START(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, a10) \
+#define TLS_SERVER_START(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11) \
tls_server_start((((props)->a1), ((props)->a2), ((props)->a3), \
((props)->a4), ((props)->a5), ((props)->a6), ((props)->a7), \
- ((props)->a8), ((props)->a9), ((props)->a10), (props)))
+ ((props)->a8), ((props)->a9), ((props)->a10), ((props)->a11), (props)))
/*
* tls_session.c
diff --git a/postfix/src/tls/tls_server.c b/postfix/src/tls/tls_server.c
index 8792f7102..f764a5a39 100644
--- a/postfix/src/tls/tls_server.c
+++ b/postfix/src/tls/tls_server.c
@@ -89,7 +89,8 @@
/* SSL_accept(), SSL_read(), SSL_write() and SSL_shutdown().
/*
/* To maintain control over TLS I/O, an event-driven server
-/* invokes tls_server_start() with a null VSTREAM argument.
+/* invokes tls_server_start() with a null VSTREAM argument and
+/* with an fd argument that specifies the I/O file descriptor.
/* Then, tls_server_start() performs all the necessary
/* preparations before the TLS handshake and returns a partially
/* populated TLS context. The event-driven application is then
@@ -657,6 +658,18 @@ TLS_SESS_STATE *tls_server_start(const TLS_SERVER_START_PROPS *props)
*/
SSL_set_accept_state(TLScontext->con);
+ /*
+ * Connect the SSL connection with the network socket.
+ */
+ if (SSL_set_fd(TLScontext->con, props->stream == 0 ? props->fd :
+ vstream_fileno(props->stream)) != 1) {
+ msg_info("SSL_set_fd error to %s", props->namaddr);
+ tls_print_errors();
+ uncache_session(app_ctx->ssl_ctx, TLScontext);
+ tls_free_context(TLScontext);
+ return (0);
+ }
+
/*
* If the debug level selected is high enough, all of the data is dumped:
* 3 will dump the SSL negotiation, 4 will dump everything.
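Review bot: The relocated SSL_set_fd() call now hands `props->fd` straight to OpenSSL whenever `props->stream` is null, and SSL_set_fd() does not appear to reject a negative or stray descriptor value, so an event-driven caller that leaves fd unset would silently bind the TLS session to whatever happens to be in that field instead of failing at this check. A guard ahead of the call, `if (props->stream == 0 && props->fd < 0) msg_panic("tls_server_start: null stream and no fd");`, turns that into an explicit programming-error report; the pre-change code could not reach this state because it always derived the descriptor from vstream_fileno(). The pure-deletion hunk that follows is this same block moved, not a separate change. tls_server_start() continues past the end of this hunk.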
@@ -675,17 +688,6 @@ TLS_SESS_STATE *tls_server_start(const TLS_SERVER_START_PROPS *props)
if (props->stream == 0)
return (TLScontext);
- /*
- * Connect the SSL connection with the network socket.
- */
- if (SSL_set_fd(TLScontext->con, vstream_fileno(props->stream)) != 1) {
- msg_info("SSL_set_fd error to %s", props->namaddr);
- tls_print_errors();
- uncache_session(app_ctx->ssl_ctx, TLScontext);
- tls_free_context(TLScontext);
- return (0);
- }
-
/*
* Turn on non-blocking I/O so that we can enforce timeouts on network
* I/O.
diff --git a/postfix/src/tlsproxy/tlsproxy.c b/postfix/src/tlsproxy/tlsproxy.c
index d52205262..3c6b3c6c9 100644
--- a/postfix/src/tlsproxy/tlsproxy.c
+++ b/postfix/src/tlsproxy/tlsproxy.c
@@ -687,6 +687,7 @@ static void tlsp_start_tls(TLSP_STATE *state)
TLS_SERVER_START(&props,
ctx = tlsp_server_ctx,
stream = (VSTREAM *) 0,/* unused */
+ fd = state->ciphertext_fd,
log_level = var_tlsp_tls_loglevel,
timeout = 0, /* unused */
requirecert = (var_tlsp_tls_req_ccert
@@ -702,18 +703,6 @@ static void tlsp_start_tls(TLSP_STATE *state)
return;
}
- /*
- * This program will do the ciphertext I/O, not libtls. In the future,
- * the above event-driven engine may be factored out as a libtls library
- * module.
- */
- if (SSL_set_fd(state->tls_context->con, state->ciphertext_fd) != 1) {
- msg_info("SSL_set_fd error to %s", state->remote_endpt);
- tls_print_errors();
- tlsp_state_free(state);
- return;
- }
-
/*
* XXX Do we care about TLS session rate limits? Good postscreen(8)
* clients will occasionally require the tlsproxy to renew their