From: Wietse Z Venema
Date: Sun, 10 May 2026 05:00:00 +0000 (-0500)
Subject: postfix-3.12-20260510
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a464cfe3ab5ce93322ec7d392f261d377a060418;p=thirdparty%2Fpostfix.git
postfix-3.12-20260510
---
diff --git a/postfix/HISTORY b/postfix/HISTORY
index aea6e426e..53a20f718 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -31086,14 +31086,14 @@ Apologies for any names omitted.
 Tech debt: restructured initialization of $service_name. Also enforced that Postfix daemons ignore $process_name and $service_name parameter settings in main.cf or master.cf
- (parameters are read-only). Files: master/dgram_server.c,
- master/event_server.c, master/multi_server.c,
- master/single_server.c, master/trigger_server.c,
- postconf/postconf_builtin.c.
+ (parameters are read-only). Files: global/mail_params.c,
+ master/dgram_server.c, master/event_server.c,
+ master/multi_server.c, master/single_server.c,
+ master/trigger_server.c, postconf/postconf_builtin.c.
 20260508
- Claude AI findings, bought to our attention by Robert Sayre.
+ Claude AI findings, brought to our attention by Robert Sayre.
 Deleted an obsolete __MAXINT__ definition (util/timecmp.c); fixed a signed integer overshift operation (util/vstring.h).
@@ -31103,6 +31103,22 @@ Apologies for any names omitted.
 Files: proto/PTEST_README.html, ptest/ptest_log.c, ptest/ptest_log_test.c, ptest/ptest_run.c.
+20260509
+
+ Bitrot fixes: deprecation warning with OpenSSL 4.0
+ (tls/tls_dane.c); race condition fix in a test script
+ (tls/dls_dane.sh). Viktor Dukhovni.
+
+20260510
+
+ Bugfix (defect introduced: 20260507): unterminated comment
+ caused missing initializations, crashing postscreen with a
+ null pointer while handling a STARTTLS request. Report by
+ Florian Piekert, fix by Viktor Dukhovni with Claude AI.
+ Files: master/dgram_server.c, master/event_server.c,
+ master/multi_server.c, master/single_server.c,
+ src/master/trigger_server.c.
+
 TODO Reorganize PTEST_LIB, PMOCK_LIB, TESTLIB, TESTLIBS, etc.
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 4b2c242ca..96e4ad8b9 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
 * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */
-#define MAIL_RELEASE_DATE "20260508"
+#define MAIL_RELEASE_DATE "20260510"
 #define MAIL_VERSION_NUMBER "3.12" #ifdef SNAPSHOT
diff --git a/postfix/src/master/dgram_server.c b/postfix/src/master/dgram_server.c
index 426fc7cd9..7400a7e5f 100644
--- a/postfix/src/master/dgram_server.c
+++ b/postfix/src/master/dgram_server.c
@@ -446,9 +446,9 @@ NORETURN dgram_server_main(int argc, char **argv, DGRAM_SERVER_FN service,...)
 break; } }
- /* Read-only parameters must not be changed with '-o name=value'.
+ /* Read-only parameters must not be changed with '-o name=value'. */
 set_mail_conf_str(VAR_PROCNAME, var_procname);
- var_servname = mystrdup(servname);
+ var_servname = mystrdup(service_name);
 set_mail_conf_str(VAR_SERVNAME, var_servname); /*
diff --git a/postfix/src/master/event_server.c b/postfix/src/master/event_server.c
index f70f124a4..8893430e9 100644
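Review bot: The repaired comment in dgram_server.c still does not say why these statements must come after the option loop, and that ordering is the whole enforcement: judging by the closing braces just above, they run once `-o name=value` processing is finished and overwrite whatever it stored. A wording such as `/* Read-only parameters: set these after option processing so that '-o name=value' cannot override them. */` would make that dependency explicit; the function body starts and ends outside the hunk, so confirm against the full loop. The same comment appears in the event_server.c, multi_server.c, single_server.c and trigger_server.c hunks. Because the removed lines referenced `servname` where the new code uses `service_name`, the swallowed block apparently was never compiled, which a nested-comment warning such as GCC's `-Wcomment` treated as an error would have caught at build time.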
--- a/postfix/src/master/event_server.c
+++ b/postfix/src/master/event_server.c
@@ -725,9 +725,9 @@ NORETURN event_server_main(int argc, char **argv, MULTI_SERVER_FN service,...)
 break; } }
- /* Read-only parameters must not be changed with '-o name=value'.
+ /* Read-only parameters must not be changed with '-o name=value'. */
 set_mail_conf_str(VAR_PROCNAME, var_procname);
- var_servname = mystrdup(servname);
+ var_servname = mystrdup(service_name);
 set_mail_conf_str(VAR_SERVNAME, var_servname); /*
diff --git a/postfix/src/master/multi_server.c b/postfix/src/master/multi_server.c
index 33f0012e0..55255e125 100644
--- a/postfix/src/master/multi_server.c
+++ b/postfix/src/master/multi_server.c
@@ -703,9 +703,9 @@ NORETURN multi_server_main(int argc, char **argv, MULTI_SERVER_FN service,...)
 break; } }
- /* Read-only parameters must not be changed with '-o name=value'.
+ /* Read-only parameters must not be changed with '-o name=value'. */
 set_mail_conf_str(VAR_PROCNAME, var_procname);
- var_servname = mystrdup(servname);
+ var_servname = mystrdup(service_name);
 set_mail_conf_str(VAR_SERVNAME, var_servname); /*
diff --git a/postfix/src/master/single_server.c b/postfix/src/master/single_server.c
index 4c4559f60..de859f6e4 100644
--- a/postfix/src/master/single_server.c
+++ b/postfix/src/master/single_server.c
@@ -577,9 +577,9 @@ NORETURN single_server_main(int argc, char **argv, SINGLE_SERVER_FN service,...)
 break; } }
- /* Read-only parameters must not be changed with '-o name=value'.
+ /* Read-only parameters must not be changed with '-o name=value'. */
 set_mail_conf_str(VAR_PROCNAME, var_procname);
- var_servname = mystrdup(servname);
+ var_servname = mystrdup(service_name);
 set_mail_conf_str(VAR_SERVNAME, var_servname); /*
diff --git a/postfix/src/master/trigger_server.c b/postfix/src/master/trigger_server.c
index 4aca681f4..88f084ee1 100644
--- a/postfix/src/master/trigger_server.c
+++ b/postfix/src/master/trigger_server.c
@@ -559,9 +559,9 @@ NORETURN trigger_server_main(int argc, char **argv, TRIGGER_SERVER_FN service,..
 break; } }
- /* Read-only parameters must not be changed with '-o name=value'.
+ /* Read-only parameters must not be changed with '-o name=value'. */
 set_mail_conf_str(VAR_PROCNAME, var_procname);
- var_servname = mystrdup(servname);
+ var_servname = mystrdup(service_name);
 set_mail_conf_str(VAR_SERVNAME, var_servname); /*
diff --git a/postfix/src/tls/tls_dane.c b/postfix/src/tls/tls_dane.c
index ffeb87fc7..5533b7b71 100644
--- a/postfix/src/tls/tls_dane.c
+++ b/postfix/src/tls/tls_dane.c
@@ -1356,7 +1356,7 @@ int main(int argc, char *argv[])
 SSL_dane_set_flags(tctx->con, DANE_FLAG_NO_DANE_EE_NAMECHECKS); SSL_dane_set_flags(tctx->con, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); for (i = 7; i < argc; ++i)
- if (!SSL_add1_host(tctx->con, argv[i]))
+ if (!TLS_ADD1_HOST(tctx->con, argv[i]))
 msg_fatal("error adding hostname: %s", argv[i]); load_tlsa_args(tctx->con, argv); SSL_set_connect_state(tctx->con);
diff --git a/postfix/src/tls/tls_dane.sh b/postfix/src/tls/tls_dane.sh
index ac7b8a228..9440b3fbc 100644
--- a/postfix/src/tls/tls_dane.sh
+++ b/postfix/src/tls/tls_dane.sh
@@ -51,6 +51,7 @@ genroot() {
 local akid=$1; shift exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = CA:true")
+ key "$key"
 req "$key" "$cn" | cert "$cert" "$exts" -signkey "${key}.pem" -set_serial 1 -days 30 }
@@ -65,6 +66,7 @@ genca() {
 local cakey=$1; shift exts=$(printf "%s\n%s\n%s\n" "$skid" "$akid" "basicConstraints = CA:true")
+ key "$key"
 req "$key" "$cn" | cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \ -set_serial 2 -days 30 "$@"
@@ -83,6 +85,7 @@ genee() {
 "basicConstraints = CA:false" \ "extendedKeyUsage = serverAuth" \ "subjectAltName = @alts" "DNS=${cn}")
+ key "$key"
 req "$key" "$cn" | cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \ -set_serial 2 -days 30 "$@"
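Review bot: The context line `SSL_dane_set_flags(tctx->con, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);` just above the changed call in tls_dane.c passes a hostname-check flag to the DANE flags setter, so the partial-wildcard restriction is probably never applied in this test driver. If the intent is to restrict wildcard matching for the names added in the loop, the call would be `SSL_set_hostflags(tctx->con, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);`. `TLS_ADD1_HOST` is not defined anywhere in this diff, so a short comment at the call naming the header that provides it and the OpenSSL 4.0 deprecation it works around would help the next reader. main's body starts and ends outside the hunk.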
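Review bot: The added `key "$key"` call in genroot is not checked, so if key generation fails the `req | cert` pipeline below still runs and may pick up a missing or stale `${key}.pem`. Unless the script runs under `set -e` (not visible in these hunks), `key "$key" || return 1` would stop the generator at the real failure instead of producing a confusing certificate error later. The same line is added in the genca, genee, genss and gennocn hunks. A one-line comment such as `# Generate the key before the pipeline; cert reads ${key}.pem while req is still running.` would also record why the call was hoisted, if that is indeed the race the HISTORY entry refers to.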
@@ -99,6 +102,7 @@ genss() {
 "basicConstraints = CA:true" \ "extendedKeyUsage = serverAuth" \ "subjectAltName = @alts" "DNS=${cn}")
+ key "$key"
 req "$key" "$cn" | cert "$cert" "$exts" -set_serial 1 -days 30 -signkey "${key}.pem" "$@" }
@@ -107,8 +111,9 @@ gennocn() {
 local key=$1; shift local cert=$1; shift
+ key "$key"
 req_nocn "$key" |
- cert "$cert" "" -signkey "${key}.pem" -set_serial 1 -days -1 "$@"
+ cert "$cert" "" -signkey "${key}.pem" -set_serial 1 -days 0 "$@"
 } runtest() {
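Review bot: The change from `-days -1` to `-days 0` in gennocn alters the validity period of the generated certificate, yet neither the hunk nor the HISTORY entry (which mentions only a race condition fix for this script) says why. A comment above the `cert` call, for example `# -days 0: <what the no-CN test expects from the validity period, and why -1 no longer works>`, would keep a later reader from treating it as a typo. If the tests that use this certificate depend on it being expired or still valid, that expectation should be stated next to the test case as well.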