From: Wietse Venema Date: Sat, 16 May 2020 05:00:00 +0000 (-0500) Subject: postfix-3.5.2 X-Git-Tag: v3.5.2^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e4cc71a388fa7f5f673ae466d9cc1da663241058;p=thirdparty%2Fpostfix.git postfix-3.5.2 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index 3ba46cf5c..5b806f7f9 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY 
@@ -24680,3 +24680,60 @@ Apologies for any names omitted. Workaround for broken DANE support after an incompatible change in GLIBC 2.31. This avoids the need for new options in /etc/resolv.conf. Files: dns/dns.h, dns/dns_lookup.c. + +20200419 + + Bugfix: segfault in the tlsproxy client role when the server + role was disabled. This typically happens on systems that + do not receive mail, after configuring connection reuse for + outbound TLS. Found during program maintenance. File: + tlsproxy/tlsproxy.c. + +20200420 + + Noise suppression: shut up a compiler that special-cases + string literals. Viktor Dukhovni. File milter/milter.c. + +20200422 + + Security: disable DANE support on Alpine Linux because + libc-musl provides no indication whether DNS responses are + authentic. This broke DANE support without a clear explanation. + File: makedefs. + +20200505 + + Noise suppression: shut up a compiler that special-cases + string literals. Viktor Dukhovni. File smtpd/smtpd_check.c. + +20200509 + + Bugfix (introduced: Postfix 3.5): maillog_file_rotate_suffix + default value used the minute instead of the month. Reported + by Larry Stone. Files: conf/postfix-tls-script, + proto/MAILLOG_README.html, proto/postconf.proto. + global/mail_params.h, postfix/postfix.c. + +20200510 + + Bitrot: avoid U_FILE_ACCESS_ERROR after chroot(), by + initializing the ICU library before making the chroot() + call. Files: util/midna_domain.[hc], global/mail_params.c. + +20200511 + + Noise suppression: avoid "SSL_Shutdown:shutdown while in + init" warnings. File: tls/tls_session.c. + +20200515 + + Bugfix (introduced: Postfix 2.2): a TLS error for a PostgreSQL + client caused a false 'lost connection' error for an SMTP + over TLS session in the same Postfix process. Reported by + Alexander Vasarab, diagnosed by Viktor Dukhovni. File: + tls/tls_bio_ops.c. 
+ + Bugfix (introduced: Postfix 2.8): a TLS error for one TLS + session may cause a false 'lost connection' error for a + concurrent TLS session in the same tlsproxy process. File: + tlsproxy/tlsproxy.c. diff --git a/postfix/README_FILES/MAILLOG_README b/postfix/README_FILES/MAILLOG_README index 114075984..d0849bb73 100644 --- a/postfix/README_FILES/MAILLOG_README +++ b/postfix/README_FILES/MAILLOG_README @@ -64,7 +64,7 @@ implements the following steps: * Rename the current logfile by appending a suffix that contains the date and time. This suffix is configured with the maillog_file_rotate_suffix - parameter (default: %Y%M%d-%H%M%S). + parameter (default: %Y%m%d-%H%M%S). * Reload Postfix so that postlogd(8) immediately closes the old logfile. diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index d3c41b83b..c121e7f01 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES @@ -25,6 +25,14 @@ more recent Eclipse Public License 2.0. Recipients can choose to take the software under the license of their choice. Those who are more comfortable with the IPL can continue with that license. +libc-musl workaround for Postfix 3.2.15, 3.3.10, 3.4.12, and 3.5.2 +------------------------------------------------------------------ + +Security: this release disables DANE support on Linux systems with +libc-musl, because libc-musl provides no indication whether DNS +responses are authentic. This broke DANE support without a clear +explanation. + Major changes - multiple relayhost in SMTP ------------------------------------------ diff --git a/postfix/html/MAILLOG_README.html b/postfix/html/MAILLOG_README.html index 0b9f250b3..aa371ba26 100644 --- a/postfix/html/MAILLOG_README.html +++ b/postfix/html/MAILLOG_README.html @@ -114,7 +114,7 @@ run from a terminal. This command implements the following steps:
  • Rename the current logfile by appending a suffix that contains the date and time. This suffix is configured with the -maillog_file_rotate_suffix parameter (default: %Y%M%d-%H%M%S).

    +maillog_file_rotate_suffix parameter (default: %Y%m%d-%H%M%S).

  • Reload Postfix so that postlogd(8) immediately closes the old logfile.

    diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 5930016ae..cf34baca6 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -6329,7 +6329,7 @@ whitespace.

    maillog_file_rotate_suffix -(default: %Y%M%d-%H%M%S)
    +(default: %Y%m%d-%H%M%S)

    The format of the suffix to append to $maillog_file while rotating the file with "postfix logrotate". See strftime(3) for syntax. The diff --git a/postfix/html/postfix.1.html b/postfix/html/postfix.1.html index 4c5c4f937..eb59ad30d 100644 --- a/postfix/html/postfix.1.html +++ b/postfix/html/postfix.1.html @@ -285,7 +285,7 @@ POSTFIX(1) POSTFIX(1) maillog_file_prefixes (/var, /dev/stdout) A list of allowed prefixes for a maillog_file value. - maillog_file_rotate_suffix (%Y%M%d-%H%M%S) + maillog_file_rotate_suffix (%Y%m%d-%H%M%S) The format of the suffix to append to $maillog_file while rotat- ing the file with "postfix logrotate". diff --git a/postfix/makedefs b/postfix/makedefs index aea15d6f3..64b42f448 100644 --- a/postfix/makedefs +++ b/postfix/makedefs @@ -228,6 +228,19 @@ case $# in *) echo usage: $0 [system release] 1>&2; exit 1;; esac +case "$SYSTEM" in + Linux) + case "`PATH=/bin:/usr/bin ldd /bin/sh`" in + *-musl-*) + case "$CCARGS" in + *-DNO_DNSSEC*) ;; + *) echo Warning: libc-musl breaks DANE/TLSA security. 1>&2 + echo This build will not support DANE/TLSA. 1>&2 + CCARGS="$CCARGS -DNO_DNSSEC";; + esac;; + esac;; +esac + case "$SYSTEM.$RELEASE" in SCO_SV.3.2) SYSTYPE=SCO5 # Use the native compiler by default diff --git a/postfix/man/man1/postfix.1 b/postfix/man/man1/postfix.1 index 7a8a39cd2..412c0c9d1 100644 --- a/postfix/man/man1/postfix.1 +++ b/postfix/man/man1/postfix.1 @@ -252,7 +252,7 @@ The program to run after rotating $maillog_file with "postfix logrotate". .IP "\fBmaillog_file_prefixes (/var, /dev/stdout)\fR" A list of allowed prefixes for a maillog_file value. -.IP "\fBmaillog_file_rotate_suffix (%Y%M%d\-%H%M%S)\fR" +.IP "\fBmaillog_file_rotate_suffix (%Y%m%d\-%H%M%S)\fR" The format of the suffix to append to $maillog_file while rotating the file with "postfix logrotate". .IP "\fBpostlog_service_name (postlog)\fR" diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index d1e3147b5..0d6dd2712 100644 
--- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -3822,7 +3822,7 @@ mistake. Specify one or more prefix strings, separated by comma or whitespace. .PP This feature is available in Postfix 3.4 and later. -.SH maillog_file_rotate_suffix (default: %Y%M%d\-%H%M%S) +.SH maillog_file_rotate_suffix (default: %Y%m%d\-%H%M%S) The format of the suffix to append to $maillog_file while rotating the file with "postfix logrotate". See \fBstrftime\fR(3) for syntax. The default suffix, YYYYMMDD\-HHMMSS, allows logs to be rotated frequently. diff --git a/postfix/proto/MAILLOG_README.html b/postfix/proto/MAILLOG_README.html index 9804983a7..9951c6c23 100644 --- a/postfix/proto/MAILLOG_README.html +++ b/postfix/proto/MAILLOG_README.html @@ -114,7 +114,7 @@ run from a terminal. This command implements the following steps:

  • Rename the current logfile by appending a suffix that contains the date and time. This suffix is configured with the -maillog_file_rotate_suffix parameter (default: %Y%M%d-%H%M%S).

    +maillog_file_rotate_suffix parameter (default: %Y%m%d-%H%M%S).

  • Reload Postfix so that postlogd(8) immediately closes the old logfile.

    diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index ca384963b..3d5365743 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -17651,7 +17651,7 @@ first argument.

    This feature is available in Postfix 3.4 and later.

    -%PARAM maillog_file_rotate_suffix %Y%M%d-%H%M%S +%PARAM maillog_file_rotate_suffix %Y%m%d-%H%M%S

    The format of the suffix to append to $maillog_file while rotating the file with "postfix logrotate". See strftime(3) for syntax. The diff --git a/postfix/src/global/mail_params.c b/postfix/src/global/mail_params.c index 8b4ad0ba4..91c70f75e 100644 --- a/postfix/src/global/mail_params.c +++ b/postfix/src/global/mail_params.c @@ -871,6 +871,8 @@ void mail_params_init() var_smtputf8_enable = 0; #else midna_domain_transitional = var_idna2003_compat; + if (var_smtputf8_enable) + midna_domain_pre_chroot(); #endif util_utf8_enable = var_smtputf8_enable; diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index f9576be28..a6119f1b2 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -4181,7 +4181,7 @@ extern char *var_maillog_file_pfxs; extern char *var_maillog_file_comp; #define VAR_MAILLOG_FILE_STAMP "maillog_file_rotate_suffix" -#define DEF_MAILLOG_FILE_STAMP "%Y%M%d-%H%M%S" +#define DEF_MAILLOG_FILE_STAMP "%Y%m%d-%H%M%S" extern char *var_maillog_file_stamp; #define VAR_POSTLOG_SERVICE "postlog_service_name" diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 3896ea80f..da996319f 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20200418" -#define MAIL_VERSION_NUMBER "3.5.1" +#define MAIL_RELEASE_DATE "20200516" +#define MAIL_VERSION_NUMBER "3.5.2" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff --git a/postfix/src/milter/milter.c b/postfix/src/milter/milter.c index cee169cb4..3d71cc6b4 100644 --- a/postfix/src/milter/milter.c +++ b/postfix/src/milter/milter.c 
@@ -620,14 +620,14 @@ void milter_disc_event(MILTERS *milters) * names by skipping the redundant "milter_" prefix. */ static ATTR_OVER_TIME time_table[] = { - 7 + VAR_MILT_CONN_TIME, DEF_MILT_CONN_TIME, 0, 1, 0, - 7 + VAR_MILT_CMD_TIME, DEF_MILT_CMD_TIME, 0, 1, 0, - 7 + VAR_MILT_MSG_TIME, DEF_MILT_MSG_TIME, 0, 1, 0, + 7 + (const char *) VAR_MILT_CONN_TIME, DEF_MILT_CONN_TIME, 0, 1, 0, + 7 + (const char *) VAR_MILT_CMD_TIME, DEF_MILT_CMD_TIME, 0, 1, 0, + 7 + (const char *) VAR_MILT_MSG_TIME, DEF_MILT_MSG_TIME, 0, 1, 0, 0, }; static ATTR_OVER_STR str_table[] = { - 7 + VAR_MILT_PROTOCOL, 0, 1, 0, - 7 + VAR_MILT_DEF_ACTION, 0, 1, 0, + 7 + (const char *) VAR_MILT_PROTOCOL, 0, 1, 0, + 7 + (const char *) VAR_MILT_DEF_ACTION, 0, 1, 0, 0, }; diff --git a/postfix/src/postfix/postfix.c b/postfix/src/postfix/postfix.c index f8b3de450..b2306fb60 100644 --- a/postfix/src/postfix/postfix.c +++ b/postfix/src/postfix/postfix.c @@ -242,7 +242,7 @@ /* logrotate". /* .IP "\fBmaillog_file_prefixes (/var, /dev/stdout)\fR" /* A list of allowed prefixes for a maillog_file value. -/* .IP "\fBmaillog_file_rotate_suffix (%Y%M%d-%H%M%S)\fR" +/* .IP "\fBmaillog_file_rotate_suffix (%Y%m%d-%H%M%S)\fR" /* The format of the suffix to append to $maillog_file while rotating /* the file with "postfix logrotate". /* .IP "\fBpostlog_service_name (postlog)\fR" diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c index 35c713158..85d594498 100644 --- a/postfix/src/smtpd/smtpd_check.c +++ b/postfix/src/smtpd/smtpd_check.c 
@@ -486,20 +486,20 @@ typedef struct { * parameter names by skipping the redundant "smtpd_policy_service_" prefix. */ static ATTR_OVER_TIME time_table[] = { - 21 + VAR_SMTPD_POLICY_TMOUT, DEF_SMTPD_POLICY_TMOUT, 0, 1, 0, - 21 + VAR_SMTPD_POLICY_IDLE, DEF_SMTPD_POLICY_IDLE, 0, 1, 0, - 21 + VAR_SMTPD_POLICY_TTL, DEF_SMTPD_POLICY_TTL, 0, 1, 0, - 21 + VAR_SMTPD_POLICY_TRY_DELAY, DEF_SMTPD_POLICY_TRY_DELAY, 0, 1, 0, + 21 + (const char *) VAR_SMTPD_POLICY_TMOUT, DEF_SMTPD_POLICY_TMOUT, 0, 1, 0, + 21 + (const char *) VAR_SMTPD_POLICY_IDLE, DEF_SMTPD_POLICY_IDLE, 0, 1, 0, + 21 + (const char *) VAR_SMTPD_POLICY_TTL, DEF_SMTPD_POLICY_TTL, 0, 1, 0, + 21 + (const char *) VAR_SMTPD_POLICY_TRY_DELAY, DEF_SMTPD_POLICY_TRY_DELAY, 0, 1, 0, 0, }; static ATTR_OVER_INT int_table[] = { - 21 + VAR_SMTPD_POLICY_REQ_LIMIT, 0, 0, 0, - 21 + VAR_SMTPD_POLICY_TRY_LIMIT, 0, 1, 0, + 21 + (const char *) VAR_SMTPD_POLICY_REQ_LIMIT, 0, 0, 0, + 21 + (const char *) VAR_SMTPD_POLICY_TRY_LIMIT, 0, 1, 0, 0, }; static ATTR_OVER_STR str_table[] = { - 21 + VAR_SMTPD_POLICY_DEF_ACTION, 0, 1, 0, - 21 + VAR_SMTPD_POLICY_CONTEXT, 0, 1, 0, + 21 + (const char *) VAR_SMTPD_POLICY_DEF_ACTION, 0, 1, 0, + 21 + (const char *) VAR_SMTPD_POLICY_CONTEXT, 0, 1, 0, 0, }; diff --git a/postfix/src/tls/tls_bio_ops.c b/postfix/src/tls/tls_bio_ops.c index 1f4ec41f1..9b6619547 100644 --- a/postfix/src/tls/tls_bio_ops.c +++ b/postfix/src/tls/tls_bio_ops.c @@ -194,6 +194,13 @@ int tls_bio(int fd, int timeout, TLS_SESS_STATE *TLScontext, * handling any pending network I/O. */ for (;;) { + + /* + * Flush the per-thread SSL error queue. Otherwise, errors from other + * code that also uses TLS may confuse SSL_get_error(3). + */ + ERR_clear_error(); + if (hsfunc) status = hsfunc(TLScontext->con); else if (rfunc) diff --git a/postfix/src/tls/tls_session.c b/postfix/src/tls/tls_session.c index 3f6027fc4..a4b7a8f25 100644 --- a/postfix/src/tls/tls_session.c +++ b/postfix/src/tls/tls_session.c 
@@ -118,7 +118,7 @@ void tls_session_stop(TLS_APPL_STATE *unused_ctx, VSTREAM *stream, int timeou * so we will not perform SSL_shutdown() and the session will be removed * as being bad. */ - if (!failure) { + if (!failure && !SSL_in_init(TLScontext->con)) { retval = tls_bio_shutdown(vstream_fileno(stream), timeout, TLScontext); if (!var_tls_fast_shutdown && retval == 0) tls_bio_shutdown(vstream_fileno(stream), timeout, TLScontext); diff --git a/postfix/src/tlsproxy/tlsproxy.c b/postfix/src/tlsproxy/tlsproxy.c index 6eb70c0ac..70ea8042e 100644 --- a/postfix/src/tlsproxy/tlsproxy.c +++ b/postfix/src/tlsproxy/tlsproxy.c @@ -781,6 +781,7 @@ static void tlsp_strategy(TLSP_STATE *state) */ if (state->flags & TLSP_FLAG_DO_HANDSHAKE) { state->timeout = state->handshake_timeout; + ERR_clear_error(); if (state->is_server_role) ssl_stat = SSL_accept(tls_context->con); else @@ -809,6 +810,7 @@ static void tlsp_strategy(TLSP_STATE *state) if (NBBIO_ERROR_FLAGS(plaintext_buf)) { if (NBBIO_ACTIVE_FLAGS(plaintext_buf)) nbbio_disable_readwrite(state->plaintext_buf); + ERR_clear_error(); if (!SSL_in_init(tls_context->con) && (ssl_stat = SSL_shutdown(tls_context->con)) < 0) { handshake_err = SSL_get_error(tls_context->con, ssl_stat); @@ -838,6 +840,7 @@ static void tlsp_strategy(TLSP_STATE *state) */ ssl_write_err = SSL_ERROR_NONE; while (NBBIO_READ_PEND(plaintext_buf) > 0) { + ERR_clear_error(); ssl_stat = SSL_write(tls_context->con, NBBIO_READ_BUF(plaintext_buf), NBBIO_READ_PEND(plaintext_buf)); ssl_write_err = SSL_get_error(tls_context->con, ssl_stat); @@ -870,6 +873,7 @@ static void tlsp_strategy(TLSP_STATE *state) */ ssl_read_err = SSL_ERROR_NONE; while (NBBIO_WRITE_PEND(state->plaintext_buf) < NBBIO_BUFSIZE(plaintext_buf)) { + ERR_clear_error(); ssl_stat = SSL_read(tls_context->con, NBBIO_WRITE_BUF(plaintext_buf) + NBBIO_WRITE_PEND(state->plaintext_buf), 
@@ -1493,16 +1497,15 @@ static void tlsp_service(VSTREAM *plaintext_stream, TLSP_INIT_TIMEOUT, (void *) state); } -/* pre_jail_init - pre-jail initialization */ +/* pre_jail_init_server - pre-jail initialization */ -static void pre_jail_init(char *unused_name, char **unused_argv) +static void pre_jail_init_server(void) { TLS_SERVER_INIT_PROPS props; const char *cert_file; int have_server_cert; int no_server_cert_ok; int require_server_cert; - int clnt_use_tls; /* * The code in this routine is pasted literally from smtpd(8). I am not @@ -1535,7 +1538,7 @@ static void pre_jail_init(char *unused_name, char **unused_argv) } var_tlsp_use_tls = var_tlsp_use_tls || var_tlsp_enforce_tls; if (!var_tlsp_use_tls) { - msg_warn("TLS service is requested, but disabled with %s or %s", + msg_warn("TLS server role is disabled with %s or %s", VAR_TLSP_TLS_LEVEL, VAR_TLSP_USE_TLS); return; } @@ -1626,6 +1629,13 @@ static void pre_jail_init(char *unused_name, char **unused_argv) SSL_CTX_set_mode(tlsp_server_ctx->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); +} + +/* pre_jail_init_client - pre-jail initialization */ + +static void pre_jail_init_client(void) +{ + int clnt_use_tls; /* * The cache with TLS_APPL_STATE instances for different TLS_CLIENT_INIT @@ -1737,6 +1747,18 @@ static void pre_jail_init(char *unused_name, char **unused_argv) msg_warn("TLS client initialization failed"); } } +} + +/* pre_jail_init - pre-jail initialization */ + +static void pre_jail_init(char *unused_name, char **unused_argv) +{ + + /* + * Initialize roles separately. + */ + pre_jail_init_server(); + pre_jail_init_client(); /* * tlsp_client_init() needs to know if it is called pre-jail or diff --git a/postfix/src/util/midna_domain.c b/postfix/src/util/midna_domain.c index 667e75e59..333a5c91d 100644 --- a/postfix/src/util/midna_domain.c +++ b/postfix/src/util/midna_domain.c 
@@ -20,6 +20,8 @@ /* /* const char *midna_domain_suffix_to_utf8( /* const char *name) +/* AUXILIARY FUNCTIONS +/* void midna_domain_pre_chroot(void) /* DESCRIPTION /* The functions in this module transform domain names from/to /* ASCII and UTF-8 form. The result is cached to avoid repeated @@ -52,6 +54,8 @@ /* /* midna_domain_transitional enables transitional conversion /* between UTF8 and ASCII labels. +/* +/* midna_domain_pre_chroot() does some pre-chroot initialization. /* SEE ALSO /* http://unicode.org/reports/tr46/ Unicode IDNA Compatibility processing /* msg(3) diagnostics interface @@ -144,6 +148,22 @@ static const char *midna_domain_strerror(UErrorCode error, int info_errors) } } +/* midna_domain_pre_chroot - pre-chroot initialization */ + +void midna_domain_pre_chroot(void) +{ + UErrorCode error = U_ZERO_ERROR; + UIDNAInfo info = UIDNA_INFO_INITIALIZER; + UIDNA *idna; + + idna = uidna_openUTS46(midna_domain_transitional ? UIDNA_DEFAULT + : UIDNA_NONTRANSITIONAL_TO_ASCII, &error); + if (U_FAILURE(error)) + msg_warn("ICU library initialization failed: %s", + midna_domain_strerror(error, info.errors)); + uidna_close(idna); +} + /* midna_domain_to_ascii_create - convert domain to ASCII */ static void *midna_domain_to_ascii_create(const char *name, void *unused_context) @@ -327,6 +347,7 @@ const char *midna_domain_suffix_to_utf8(const char *name) /* * Test program - reads names from stdin, reports invalid names to stderr. */ +#include #include #include @@ -350,6 +371,11 @@ int main(int argc, char **argv) /* msg_verbose = 1; */ util_utf8_enable = 1; + if (geteuid() == 0) { + midna_domain_pre_chroot(); + if (chroot(".") != 0) + msg_fatal("chroot(\".\"): %m"); + } while (vstring_fgets_nonl(buffer, VSTREAM_IN)) { bp = STR(buffer); msg_info("> %s", bp); diff --git a/postfix/src/util/midna_domain.h b/postfix/src/util/midna_domain.h index 03d875b10..1abe2a173 100644 --- a/postfix/src/util/midna_domain.h +++ b/postfix/src/util/midna_domain.h 
@@ -18,6 +18,7 @@ extern const char *midna_domain_to_ascii(const char *); extern const char *midna_domain_to_utf8(const char *); extern const char *midna_domain_suffix_to_ascii(const char *); extern const char *midna_domain_suffix_to_utf8(const char *); +extern void midna_domain_pre_chroot(void); extern int midna_domain_cache_size; extern int midna_domain_transitional;
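Review bot: the musl probe in the makedefs hunk fails open. It matches only when the output of `ldd /bin/sh` contains `-musl-`, so a host where ldd is missing, prints a different format, or where /bin/sh is statically linked falls through the inner case with no match, and the build keeps DANE/TLSA enabled with no warning. Please add a comment stating that assumption next to the `*-musl-*)` pattern, and consider redirecting the probe's stderr so a failed ldd does not add unrelated noise to the build output.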
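Review bot: the corrected default in `#define DEF_MAILLOG_FILE_STAMP "%Y%m%d-%H%M%S"` (global/mail_params.h) is documented only in HISTORY. The RELEASE_NOTES hunk adds the libc-musl section but says nothing about files already rotated under the old default `%Y%M%d-%H%M%S`, which carry the minute where the month belongs. A short RELEASE_NOTES entry would help sites whose retention or cleanup jobs select rotated logs by name.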
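Review bot: in the tls/tls_session.c hunk the condition becomes `if (!failure && !SSL_in_init(TLScontext->con))`, but the block comment above it still explains only the failure case ("so we will not perform SSL_shutdown() and the session will be removed as being bad"). Please extend that comment to say that shutdown is also skipped while the handshake is incomplete, and why, so the second test is not later removed as redundant.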
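Review bot: the four `ERR_clear_error();` calls added in tlsp_strategy() (tlsproxy/tlsproxy.c, before SSL_accept, SSL_shutdown, SSL_write and SSL_read) carry no comment, while the same fix in tls/tls_bio_ops.c explains that a stale per-thread error queue may confuse SSL_get_error(3). Without that explanation at the call sites, the next SSL_* call added to this function can easily omit the clear. Either repeat a one-line comment at each site or fold the clear and the SSL call into a small local helper so the pairing cannot be missed.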
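Review bot: in pre_jail_init_server() (tlsproxy/tlsproxy.c) the early `return` after `msg_warn("TLS server role is disabled with %s or %s", ...)` now leaves only the server half, which is the point of the split, but the message is still logged at warning level. HISTORY describes the disabled server role as the typical state on systems that do not receive mail, so those hosts will log a warning for a normal configuration at every tlsproxy start. Consider msg_info() here, or warn only when a server-role request actually arrives. The two new function header comments are also identical ("pre-jail initialization"); naming the role in each would help.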
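Review bot: in midna_domain_pre_chroot() (util/midna_domain.c) the failure path logs the warning and then still falls through to `uidna_close(idna);` with whatever the failed uidna_openUTS46() call returned. Guard the close with U_SUCCESS(error), or return after the msg_warn, so cleanup does not depend on how uidna_close() treats a failed handle. Separately, `info` is only set to UIDNA_INFO_INITIALIZER and never passed to an ICU call, so `info.errors` in the msg_warn always carries the initializer value; passing 0 and dropping the variable would be clearer.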