From: Wietse Venema Date: Mon, 9 May 2011 05:00:00 +0000 (-0500) Subject: postfix-2.7.4 X-Git-Tag: v2.7.4^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=db3c16f83b5b7a8e98bfdc1ec2270fec4335b5f6;p=thirdparty%2Fpostfix.git postfix-2.7.4 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index 980ff8d79..a4922c08e 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -15616,7 +15616,7 @@ Apologies for any names omitted. for the "virtual:" transport to "/etc/postfix/virtual:". Symptom reported by Christoph Anton Mitterer. -20200102 +20100102 Workaround: don't report bogus Berkeley DB close errors as fatal errors. All operations before close are already error @@ -15884,3 +15884,10 @@ Apologies for any names omitted. Portability: FreeBSD closefrom() support time window. Sahil Tandon. File: util/sys_defs.h. + +20110414 + + Bugfix (introduced with Postfix SASL patch 20000314): don't + reuse a server SASL handle after authentication failure. + Problem reported by Thomas Jarosch of Intra2net AG. File: + smtpd/smtpd_proto.c. diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 422598398..8e3f5d5b6 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20110303" -#define MAIL_VERSION_NUMBER "2.7.3" +#define MAIL_RELEASE_DATE "20110509" +#define MAIL_VERSION_NUMBER "2.7.4" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff --git a/postfix/src/smtpd/smtpd_sasl_proto.c b/postfix/src/smtpd/smtpd_sasl_proto.c index 89064feb0..1633a80be 100644 --- a/postfix/src/smtpd/smtpd_sasl_proto.c +++ b/postfix/src/smtpd/smtpd_sasl_proto.c 
@@ -184,6 +184,27 @@ int smtpd_sasl_auth_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
 return (-1);
 }
 
+ /* Don't reuse the SASL handle after authentication failure. */
+#ifndef SMTPD_FLAG_AUTH_USED
+#define SMTPD_FLAG_AUTH_USED (1<<15)
+#endif
+#ifndef XSASL_TYPE_CYRUS
+#define XSASL_TYPE_CYRUS "cyrus"
+#endif
+ if (state->flags & SMTPD_FLAG_AUTH_USED) {
+ smtpd_sasl_deactivate(state);
+#ifdef USE_TLS
+ if (state->tls_context != 0)
+ smtpd_sasl_activate(state, VAR_SMTPD_SASL_TLS_OPTS,
+ var_smtpd_sasl_tls_opts);
+ else
+#endif
+ smtpd_sasl_activate(state, VAR_SMTPD_SASL_OPTS,
+ var_smtpd_sasl_opts);
+ } else if (strcmp(var_smtpd_sasl_type, XSASL_TYPE_CYRUS) == 0) {
+ state->flags |= SMTPD_FLAG_AUTH_USED;
+ }
+
 /*
 * All authentication failures shall be logged. The 5xx reply code from
 * the SASL authentication routine triggers tar-pit delays, which help to
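Review bot: The flag bit that gates the handle reset is defined inside the body of smtpd_sasl_auth_cmd as `#define SMTPD_FLAG_AUTH_USED (1<<15)` behind an `#ifndef`, so nothing visible here guarantees that bit 15 of `state->flags` is unused. If another `SMTPD_FLAG_*` value shares that bit, the unrelated flag would trigger the deactivate/activate pair, and the first AUTH command would switch on that other flag's behaviour. Because this reset is what keeps a SASL handle from being reused after a failed attempt, the definition belongs in the header that declares the other `state->flags` bits, and the local fallback should be dropped. The one-line comment also understates the logic: the flag is set on the first AUTH command only when `var_smtpd_sasl_type` is "cyrus", and the handle is recreated on every later AUTH command, so I would write `/* Cyrus only: recreate the SASL handle on every AUTH command after the first. */` and say why other SASL types are exempt. The function starts and ends outside this hunk, so where the flag is cleared is not visible.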