From: Wietse Venema <wietse@porcupine.org>
Date: Tue, 1 Oct 2013 05:00:00 +0000 (-0500)
Subject: postfix-2.11-20131001
X-Git-Tag: v2.11.0-RC1~21
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8b9901ce03ef16d4b483d465c2865a62590d8bf9;p=thirdparty%2Fpostfix.git

postfix-2.11-20131001
---

diff --git a/postfix/HISTORY b/postfix/HISTORY
index 27f13d49d..a8c8893a4 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -18969,3 +18969,11 @@ Apologies for any names omitted.
 	LMDB files can still be created by unprivileged Postfix
 	daemon processes under the postfix-owned data_directory.
 	Files: proto/LMDB_README.html, global/mkmap.c.
+
+20131001
+
+	Cleanup: LMDB support is forbidden due to problems with
+	LMDB lock management. These problems hinder error recovery
+	in multi-programmed systems, and prohibit database sharing
+	between privileged writer processes and unprivileged reader
+	processes.
diff --git a/postfix/Makefile.in b/postfix/Makefile.in
index 7145bc437..9fb328a3a 100644
--- a/postfix/Makefile.in
+++ b/postfix/Makefile.in
@@ -59,7 +59,7 @@ libexec/postmulti-script: conf/postmulti-script
 manpages:
 	set -e; for i in $(MANDIRS); do \
 	 (set -e; echo "[$$i]"; cd $$i; $(MAKE) -f Makefile.in $(OPTS) MAKELEVEL=) || exit 1; \
-	done
+	done </dev/null
 
 printfck: update
 
diff --git a/postfix/README_FILES/LMDB_README b/postfix/README_FILES/LMDB_README
index a8c8d022f..63a7051fd 100644
--- a/postfix/README_FILES/LMDB_README
+++ b/postfix/README_FILES/LMDB_README
@@ -1,158 +1,9 @@
 PPoossttffiixx OOppeennLLDDAAPP LLMMDDBB HHoowwttoo
 
 -------------------------------------------------------------------------------
-
-IInnttrroodduuccttiioonn
-
-    Warning: LMDB applications require write access even when the application
-    itself is read-only. This violates the principle of least privilege, and
-    causes all kinds of problems when a non-root process needs to query a root-
-    owned database such as access(5), virtual(5), or transport(5).
-
-    Support to create LMDB databases is no longer available for the postmap(1)
-    and postalias(1) commands. Instead, consider using cdb: to manage root-
-    owned databases under the root-owned config_directory (default: /etc/
-    postfix) such as access(5), virtual(5), or transport(5).
-
-    Support to create LMDB databases is available only for unprivileged Postfix
-    daemon processes such as postscreen(8), tlsmgr(8) and verify(8) that manage
-    postfix-owned databases under the postfix-owned data_directory (default: /
-    var/lib/postfix).
-
-Postfix uses databases of various kinds to store and look up information.
-Postfix databases are specified as "type:name". OpenLDAP LMDB implements the
-Postfix database type "lmdb". The name of a Postfix OpenLDAP LMDB database is
-the name of the database file without the ".lmdb" suffix.
-
-This document describes:
-
- 1. How to build Postfix with OpenLDAP LMDB support.
-
- 2. How to configure LMDB settings.
-
- 3. Missing pthread library trouble.
-
- 4. Unexpected failure modes that don't exist with other Postfix databases.
-
-BBuuiillddiinngg PPoossttffiixx wwiitthh OOppeennLLDDAAPP LLMMDDBB ssuuppppoorrtt
-
-Postfix normally does not enable OpenLDAP LMDB support. To build Postfix with
-OpenLDAP LMDB support, use something like:
-
-    % make makefiles CCARGS="-DHAS_LMDB -I/usr/local/include" \
-        AUXLIBS="-L/usr/local/lib -llmdb"
-    % make
-
-Solaris may need this:
-
-    % make makefiles CCARGS="-DHAS_LMDB -I/usr/local/include" \
-        AUXLIBS="-R/usr/local/lib -L/usr/local/lib -llmdb"
-    % make
-
-The exact pathnames depend on how OpenLDAP LMDB was installed.
-
-CCoonnffiigguurree LLMMDDBB sseettttiinnggss
-
-Postfix provides configuration parameters that control OpenLDAP LMDB database
-behavior.
-
-  * lmdb_map_size (default: 16777216). This setting specifies the initial
-    OpenLDAP LMDB database size limit in bytes. Each time a database becomes
-    full, its size limit is doubled.
-
-  * lmdb_max_readers (default: $default_process_limit). This specifies a hard
-    limit on the number of read transactions that may be open at the same time
-    for the same OpenLDAP LMDB database. When this number is too small, the
-    Postfix LMDB client will log MDB_READERS_FULL warnings, and will run with
-    reduced performance.
-
-MMiissssiinngg pptthhrreeaadd lliibbrraarryy ttrroouubbllee
-
-When building Postfix fails with:
-
-    undefined reference to `pthread_mutexattr_destroy'
-    undefined reference to `pthread_mutexattr_init'
-    undefined reference to `pthread_mutex_lock'
-
-Add the "-lpthread" library to the "make makefiles" command.
-
-    % make makefiles .... AUXLIBS="... -lpthread"
-
-Source code for OpenLDAP LMDB is available at http://www.openldap.org. More
-information is available at http://highlandsun.com/hyc/mdb/.
-
-UUnneexxppeecctteedd ffaaiilluurree mmooddeess ooff PPoossttffiixx LLMMDDBB ddaattaabbaasseess..
-
-As documented below, conversion to LMDB introduces a number of failure modes
-that don't exist with other Postfix databases. Some failure modes have been
-eliminated in the course of time. The writeup below reflects the status as of
-of LMDB 0.9.8.
-
-UUnneexxppeecctteedd ""PPeerrmmiissssiioonn ddeenniieedd"" eerrrroorrss..
-
-Problem:
-    A world-readable LMDB database cannot be opened by a process with a UID
-    that differs from the database file owner, even when an attempt is made to
-    open the database read-only. This problem does not exist with other Postfix
-    databases.
-
-Background:
-    The LMDB implementation requires write access to maintain read locks, and
-    perhaps for other purposes.
-
-Solution:
-    Consider using cdb: to manage root-owned databases under the root-owned /
-    etc or config_directory (default: /etc/postfix) such as access(5), virtual
-    (5), transport(5). Support to create LMDB databases is available only for
-    unprivileged Postfix daemon processes such as postscreen(8), tlsmgr(8) and
-    verify(8) that manage postfix-owned databases under the postfix-owned
-    data_directory (default: /var/lib/postfix).
-
-UUnneexxppeecctteedd ""rreeaaddeerrss ffuullll"" eerrrroorrss..
-
-Problem:
-    Under heavy load, database read operations fail with MDB_READERS_FULL
-    errors. This problem does not exist with other Postfix databases.
-
-Background:
-    The LMDB implementation enforces a hard limit on the number of simultaneous
-    read requests for the same database environment. This limit must be
-    specified in advance with the lmdb_max_readers configuration parameter.
-
-Mitigation:
-    Postfix logs a warning suggesting that the lmdb_max_readers parameter value
-    be increased, and retries the failed operation for a limited number of
-    times while running with reduced performance.
-
-Prevention:
-    Monitor your LMDB files for MDB_READERS_FULL errors. After making the
-    necessary adjustments, restart Postfix.
-
-NNoonn--oobbvviioouuss rreeccoovveerryy wwiitthh  ppoossttssccrreeeenn((88)),, ttllssmmggrr((88)),, oorr vveerriiffyy((88)) ffrroomm aa
-ccoorrrruupptteedd ddaattaabbaassee..
-
-Problem:
-    You cannot rebuild a corrupted LMDB database simply by  waiting until a
-    daemon restarts. This problem does not exist with other Postfix databases.
-
-Background:
-    The Postfix LMDB database client does not truncate the database file.
-    Instead it attempts to create a transaction for a "drop" request plus
-    subsequent "store" requests. That is obviously not possible with a
-    corrupted database file.
-
-Impact:
-    Postfix does not process mail until someone fixes the problem.
-
-Recovery:
-    First delete the ".lmdb" file by hand. Then,  restart postfix.
-
-Prevention:
-    Arrange your file systems such that they never run out of free space.
-
-    Use ECC memory to detect and correct silent corruption of in-memory file
-    system data and metadata.
-
-    Use a file system such as ZFS to detect and correct silent corruption of
-    on-disk file system data and metadata.
+-------------------------------------------------------------------------------
+Postfix LMDB support is forbidden due to problems with LMDB lock management.
+These problems hinder error recovery in multi-programmed systems, and prohibit
+database sharing between privileged writer processes and unprivileged reader
+processes.
 
diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES
index 55edeb6cc..956aafeaa 100644
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@@ -14,6 +14,14 @@ specifies the release date of a stable release or snapshot release.
 If you upgrade from Postfix 2.9 or earlier, read RELEASE_NOTES-2.10
 before proceeding.
 
+Major changes with snapshot 20131001
+====================================
+
+LMDB support is forbidden due to problems with LMDB lock management.
+These problems hinder error recovery in multi-programmed systems,
+and prohibit database sharing between privileged writer processes
+and unprivileged reader processes.
+
 Major changes with snapshot 20130929
 ====================================
 
diff --git a/postfix/html/LMDB_README.html b/postfix/html/LMDB_README.html
index 1c862608d..e76cc9005 100644
--- a/postfix/html/LMDB_README.html
+++ b/postfix/html/LMDB_README.html
@@ -17,6 +17,16 @@
 
 <hr>
 
+<hr>
+
+
+<p> Postfix LMDB support is forbidden due to problems with LMDB lock
+management. These problems hinder error recovery in multi-programmed
+systems, and prohibit database sharing between privileged writer
+processes and unprivileged reader processes. </p>
+
+<!--
+
 <h2>Introduction</h2>
 
 <blockquote> <p> Warning: LMDB applications require write access
@@ -185,7 +195,7 @@ restart Postfix. </p> </dd>
 
 </dl>
 
-<!--
+<!- -
 
 <p> <strong>Unexpected <a href="postmap.1.html">postmap(1)</a>/<a href="postalias.1.html">postalias(1)</a> "database full"
 errors.  </strong></p>
@@ -290,17 +300,17 @@ full" error will disappear, at least for a while.  </p>
 sure that <a href="postconf.5.html#lmdb_map_size">lmdb_map_size</a> &gt; 3x the largest LMDB file size. </p>
 </dd> </dl>
 
--->
+- ->
 
-<p> <strong>Non-obvious recovery with <!-- <a href="postmap.1.html">postmap(1)</a>, <a href="postalias.1.html">postalias(1)</a>, -->
+<p> <strong>Non-obvious recovery with <!- - <a href="postmap.1.html">postmap(1)</a>, <a href="postalias.1.html">postalias(1)</a>, - ->
 <a href="postscreen.8.html">postscreen(8)</a>, <a href="tlsmgr.8.html">tlsmgr(8)</a>, or <a href="verify.8.html">verify(8)</a> from a corrupted database.
 </strong></p>
 
 <dl>
 
 <dt> Problem: </dt> <dd> <p> You cannot rebuild a corrupted LMDB
-database simply by <!-- re-running <a href="postmap.1.html">postmap(1)</a> or <a href="postalias.1.html">postalias(1)</a>, or
-by --> waiting until a daemon restarts.  This problem does not exist
+database simply by <!- - re-running <a href="postmap.1.html">postmap(1)</a> or <a href="postalias.1.html">postalias(1)</a>, or
+by - -> waiting until a daemon restarts.  This problem does not exist
 with other Postfix databases.  </p> </dd>
 
 <dt> Background: </dt> <dd> <p> The Postfix LMDB database client
@@ -313,10 +323,10 @@ That is obviously not possible with a corrupted database file. </p>
 someone fixes the problem.  </p> </dd>
 
 <dt> Recovery: </dt> <dd> <p> First delete the ".lmdb" file by hand.
-Then, <!-- rebuild the file with the <a href="postmap.1.html">postmap(1)</a> or <a href="postalias.1.html">postalias(1)</a>
-command if the file was created with those commands, or --> restart
-postfix.  <!-- daemons if the file is maintained by daemon processes.
---> </p> </dd>
+Then, <!- - rebuild the file with the <a href="postmap.1.html">postmap(1)</a> or <a href="postalias.1.html">postalias(1)</a>
+command if the file was created with those commands, or - -> restart
+postfix.  <!- - daemons if the file is maintained by daemon processes.
+- -> </p> </dd>
 
 <dt> Prevention: </dt> <dd>
 
@@ -330,3 +340,7 @@ in-memory file system data and metadata. </p>
 corruption of on-disk file system data and metadata. </p>
 
 </dd> </dl>
+
+-->
+
+
diff --git a/postfix/proto/LMDB_README.html b/postfix/proto/LMDB_README.html
index 9c148b092..b69f81085 100644
--- a/postfix/proto/LMDB_README.html
+++ b/postfix/proto/LMDB_README.html
@@ -17,6 +17,16 @@
 
 <hr>
 
+<hr>
+
+
+<p> Postfix LMDB support is forbidden due to problems with LMDB lock
+management. These problems hinder error recovery in multi-programmed
+systems, and prohibit database sharing between privileged writer
+processes and unprivileged reader processes. </p>
+
+<!--
+
 <h2>Introduction</h2>
 
 <blockquote> <p> Warning: LMDB applications require write access
@@ -185,7 +195,7 @@ restart Postfix. </p> </dd>
 
 </dl>
 
-<!--
+<!- -
 
 <p> <strong>Unexpected postmap(1)/postalias(1) "database full"
 errors.  </strong></p>
@@ -290,17 +300,17 @@ full" error will disappear, at least for a while.  </p>
 sure that lmdb_map_size &gt; 3x the largest LMDB file size. </p>
 </dd> </dl>
 
--->
+- ->
 
-<p> <strong>Non-obvious recovery with <!-- postmap(1), postalias(1), -->
+<p> <strong>Non-obvious recovery with <!- - postmap(1), postalias(1), - ->
 postscreen(8), tlsmgr(8), or verify(8) from a corrupted database.
 </strong></p>
 
 <dl>
 
 <dt> Problem: </dt> <dd> <p> You cannot rebuild a corrupted LMDB
-database simply by <!-- re-running postmap(1) or postalias(1), or
-by --> waiting until a daemon restarts.  This problem does not exist
+database simply by <!- - re-running postmap(1) or postalias(1), or
+by - -> waiting until a daemon restarts.  This problem does not exist
 with other Postfix databases.  </p> </dd>
 
 <dt> Background: </dt> <dd> <p> The Postfix LMDB database client
@@ -313,10 +323,10 @@ That is obviously not possible with a corrupted database file. </p>
 someone fixes the problem.  </p> </dd>
 
 <dt> Recovery: </dt> <dd> <p> First delete the ".lmdb" file by hand.
-Then, <!-- rebuild the file with the postmap(1) or postalias(1)
-command if the file was created with those commands, or --> restart
-postfix.  <!-- daemons if the file is maintained by daemon processes.
---> </p> </dd>
+Then, <!- - rebuild the file with the postmap(1) or postalias(1)
+command if the file was created with those commands, or - -> restart
+postfix.  <!- - daemons if the file is maintained by daemon processes.
+- -> </p> </dd>
 
 <dt> Prevention: </dt> <dd>
 
@@ -330,3 +340,5 @@ in-memory file system data and metadata. </p>
 corruption of on-disk file system data and metadata. </p>
 
 </dd> </dl>
+
+-->
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 41a11f1f0..c306fbbaf 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20130929"
+#define MAIL_RELEASE_DATE	"20131001"
 #define MAIL_VERSION_NUMBER	"2.11"
 
 #ifdef SNAPSHOT
diff --git a/postfix/src/global/mkmap_open.c b/postfix/src/global/mkmap_open.c
index c4b1c45fd..f84ef692d 100644
--- a/postfix/src/global/mkmap_open.c
+++ b/postfix/src/global/mkmap_open.c
@@ -102,29 +102,8 @@ static const MKMAP_OPEN_INFO mkmap_types[] = {
     DICT_TYPE_HASH, mkmap_hash_open,
     DICT_TYPE_BTREE, mkmap_btree_open,
 #endif
-
-    /*
-     * LMDB readers open the LMDB lock file O_RDWR.  This complicates
-     * database sharing between processes that run with different effective
-     * UIDs.
-     * 
-     * For example, this violates the Postfix security model as it passes a
-     * read-write file handle for a root-owned file under /etc/postfix into a
-     * non-root daemon process.
-     * 
-     * This also totally breaks non-root access for root-owned databases by
-     * non-daemon processes.
-     * 
-     * Even if LMDB lock files were kept under /tmp or /var/run, those files
-     * would still have to be world-writable, and that would still violate
-     * the principle of least privilege.
-     * 
-     * For all these reasons, LMDB is supported only for caches that are
-     * maintained by non-root daemon processes such as postscreen(8),
-     * tlsmgr(8) or verify(8). All the effort to recover from bogus LMDB
-     * errors was good for something.
-     */
-#ifdef notdef
+#ifdef HAS_LMDB
+#error "LMDB support is forbidden"
     DICT_TYPE_LMDB, mkmap_lmdb_open,
 #endif
     DICT_TYPE_FAIL, mkmap_fail_open,
diff --git a/postfix/src/util/dict_open.c b/postfix/src/util/dict_open.c
index aee1f8ddd..d3b33aa0f 100644
--- a/postfix/src/util/dict_open.c
+++ b/postfix/src/util/dict_open.c
@@ -299,6 +299,7 @@ static const DICT_OPEN_INFO dict_open_info[] = {
     DICT_TYPE_BTREE, dict_btree_open,
 #endif
 #ifdef HAS_LMDB
+#error "LMDB support is forbidden"
     DICT_TYPE_LMDB, dict_lmdb_open,
 #endif
 #ifdef HAS_NIS