From: Wietse Venema Date: Tue, 23 Nov 2010 05:00:00 +0000 (-0500) Subject: postfix-2.7.2 X-Git-Tag: v2.7.2^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ae634da5bd14121e65ceb3ca0661324299c1d3d3;p=thirdparty%2Fpostfix.git postfix-2.7.2 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index 72ec08c6b..8c8fda563 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -15774,10 +15774,45 @@ Apologies for any names omitted. Bugfix (introduced Postfix 2.2): Postfix no longer appends the system default CA certificates to the lists specified with *_tls_CAfile or with *_tls_CApath. This prevents - third-party certificates from being trusted and given mail - relay permission with permit_tls_all_clientcerts. This - change may break valid configurations that do not use - permit_tls_all_clientcerts. To get the old behavior, specify - "tls_append_default_CA = yes". Files: tls/tls_certkey.c, - tls/tls_misc.c, global/mail_params.h. proto/postconf.proto, - mantools/postlink. + third-party certificates from getting mail relay permission + with the permit_tls_all_clientcerts feature. Unfortunately + this may cause compatibility problems with configurations + that rely on certificate verification for other purposes. + To get the old behavior, specify "tls_append_default_CA = + yes". Files: tls/tls_certkey.c, tls/tls_misc.c, + global/mail_params.h. proto/postconf.proto, mantools/postlink. + +20100714 + + Compatibility with Postfix < 2.3: fix 20061207 was incomplete + (undoing the change to bounce instead of defer after + pipe-to-command delivery fails with a signal). Fix by Thomas + Arnett. File: global/pipe_command.c. + +20100727 + + Bugfix: the milter_header_checks parser provided only the + actions that change the message flow (reject, filter, + discard, redirect) but disabled the non-flow actions (warn, + replace, prepend, ignore, dunno, ok). File: + cleanup/cleanup_milter.c. + +20100827 + + Performance: fix for poor smtpd_proxy_filter TCP performance + over loopback (127.0.0.1) connections. Problem reported by + Mark Martinec. Files: smtpd/smtpd_proxy.c. + +20101023 + + Cleanup: don't apply reject_rhsbl_helo to non-domain forms + such as network addresses. This would cause false positives + with dbl.spamhaus.org. File: smtpd/smtpd_check.c. + +20101117 + + Bugfix: the "421" reply after Milter error was overruled + by Postfix 1.1 code that replied with "503" for RFC 2821 + compliance. We now make an exception for "final" replies, + as permitted by RFC. Solution by Victor Duchovni. File: + smtpd/smtpd.c. diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index fd52b840f..251967b1b 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES @@ -19,12 +19,12 @@ Incompatibility with Postfix 2.7.2 Postfix no longer appends the system-supplied default CA certificates to the lists specified with *_tls_CAfile or with *_tls_CApath. This -prevents third-party certificates from being trusted and given mail -relay permission with permit_tls_all_clientcerts. - -Unfortunately this change may break certificate verification on -sites that don't use permit_tls_all_clientcerts. Specify -"tls_append_default_CA = yes" for backwards compatibility. +prevents third-party certificates from getting mail relay permission +with the permit_tls_all_clientcerts feature. + +Unfortunately this change may cause compatibility problems when +configurations rely on certificate verification for other purposes. +Specify "tls_append_default_CA = yes" for backwards compatibility. Major changes - performance --------------------------- diff --git a/postfix/src/cleanup/cleanup_milter.c b/postfix/src/cleanup/cleanup_milter.c index 6ecfa4c3b..05ded6167 100644 --- a/postfix/src/cleanup/cleanup_milter.c +++ b/postfix/src/cleanup/cleanup_milter.c @@ -370,8 +370,7 @@ static char *cleanup_milter_hbc_extend(void *context, const char *command, } return ((char *) buf); } - msg_warn("unknown command in %s map: %s", map_class, command); - return ((char *) buf); + return ((char *) HBC_CHECKS_STAT_UNKNOWN); } /* cleanup_milter_header_checks - inspect Milter-generated header */ diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 570260265..2257bda31 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20100707" -#define MAIL_VERSION_NUMBER "2.7.2-RC2" +#define MAIL_RELEASE_DATE "20101123" +#define MAIL_VERSION_NUMBER "2.7.2" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff --git a/postfix/src/global/pipe_command.c b/postfix/src/global/pipe_command.c index ce3bad0a9..6cd4100ed 100644 --- a/postfix/src/global/pipe_command.c +++ b/postfix/src/global/pipe_command.c @@ -628,7 +628,7 @@ int pipe_command(VSTREAM *src, DSN_BUF *why,...) */ if (!NORMAL_EXIT_STATUS(wait_status)) { if (WIFSIGNALED(wait_status)) { - dsb_unix(why, "5.3.0", log_len ? + dsb_unix(why, "4.3.0", log_len ? log_buf : sys_exits_detail(EX_SOFTWARE)->text, "Command died with signal %d: \"%s\"%s%s", WTERMSIG(wait_status), args.command, diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c index 307cdd406..b25cf6146 100644 --- a/postfix/src/smtpd/smtpd.c +++ b/postfix/src/smtpd/smtpd.c @@ -4487,6 +4487,11 @@ static void smtpd_proto(SMTPD_STATE *state) } /* XXX We use the real client for connect access control. */ if (state->access_denied && cmdp->action != quit_cmd) { + /* XXX Exception for Milter override. */ + if (strncmp(state->access_denied + 1, "21", 2) == 0) { + smtpd_chat_reply(state, "%s", state->access_denied); + continue; + } smtpd_chat_reply(state, "503 5.7.0 Error: access denied for %s", state->namaddr); /* RFC 2821 Sec 3.1 */ state->error_count++; diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c index 7b7e53b3a..c31e608c5 100644 --- a/postfix/src/smtpd/smtpd_check.c +++ b/postfix/src/smtpd/smtpd_check.c @@ -3789,7 +3789,8 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions, name); else { cpp += 1; - if (state->helo_name) + if (state->helo_name + && valid_hostname(state->helo_name, DONT_GRIPE)) status = reject_rbl_domain(state, *cpp, state->helo_name, SMTPD_NAME_HELO); } diff --git a/postfix/src/smtpd/smtpd_proxy.c b/postfix/src/smtpd/smtpd_proxy.c index 0968f5b5b..015866cb3 100644 --- a/postfix/src/smtpd/smtpd_proxy.c +++ b/postfix/src/smtpd/smtpd_proxy.c @@ -355,6 +355,9 @@ static int smtpd_proxy_connect(SMTPD_STATE *state) /* Needed by our DATA-phase record emulation routines. */ vstream_control(proxy->service_stream, VSTREAM_CTL_CONTEXT, (char *) state, VSTREAM_CTL_END); + /* Avoid poor performance when TCP MSS > VSTREAM_BUFSIZE. */ + if (connect_fn == inet_connect) + vstream_tweak_tcp(proxy->service_stream); smtp_timeout_setup(proxy->service_stream, proxy->timeout); /*