From: Wietse Venema Date: Mon, 27 Apr 2009 05:00:00 +0000 (-0500) Subject: postfix-2.7-20090427 X-Git-Tag: v2.7.0-RC1~27 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f364bbc0e89ed6ffd4e7fd7fd6c6c4e1fdd6e725;p=thirdparty%2Fpostfix.git postfix-2.7-20090427 --- diff --git a/postfix/README_FILES/FILTER_README b/postfix/README_FILES/FILTER_README index a06923e60..ee5a275de 100644 --- a/postfix/README_FILES/FILTER_README +++ b/postfix/README_FILES/FILTER_README @@ -200,8 +200,7 @@ Once you're satisfied with the content filtering script: concurrent processes, use whatever process limit is feasible for your machine. Content inspection software can gobble up a lot of system resources, so you don't want to have too much of it running at the same - time. The empty null_sender feature is both necessary and available with - Postfix 2.3 and later. + time. The empty null_sender setting is required with Postfix 2.3 and later. * To turn on content filtering for mail arriving via SMTP only, append "- o content_filter=filter:dummy" to the master.cf entry that defines the diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index bad090302..970dc5ced 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES 
@@ -11,6 +11,30 @@ instead, a new snapshot is released. The mail_release_date configuration parameter (format: yyyymmdd) specifies the release date of a stable release or snapshot release. +Incompatibility with snapshot 20090426 +====================================== + +The Postfix SMTP client no longer tries to use the obsolete SSLv2 +protocol by default, as this may prevent the use of modern SSL +features. Lack of SSLv2 support should never be a problem, since +SSLv3 was defined in 1996, and TLSv1 in 2006. The Postfix SMTP +server maintains SSLv2 support for backwards compatibility with +ancient clients. + +Major changes with snapshot 20090426 +==================================== + +The following improvements have been made to the Milter implementation: + +- Improved compatibility of the {mail_addr} and {rcpt_addr} macros. + +- Support for the {mail_host}, {mail_mailer}, {rcpt_host} and +{rcpt_mailer} macros. + +- Milters can now request rejected recipients with the SMFIP_RCPT_REJ +feature. In this case, {rcpt_mailer} is "error", {rcpt_host} is an +enhanced status code, and {rcpt_addr} is descriptive text. + Incompatibility with snapshot 20090330 ====================================== diff --git a/postfix/html/FILTER_README.html b/postfix/html/FILTER_README.html index 5cc68299c..f1a6c12c8 100644 --- a/postfix/html/FILTER_README.html +++ b/postfix/html/FILTER_README.html @@ -374,8 +374,8 @@ description of the command syntax below).

limit of 10 concurrent processes, use whatever process limit is feasible for your machine. Content inspection software can gobble up a lot of system resources, so you don't want to have too much -of it running at the same time. The empty null_sender feature is -both necessary and available with Postfix 2.3 and later.

+of it running at the same time. The empty null_sender setting is +required with Postfix 2.3 and later.

  • To turn on content filtering for mail arriving via SMTP only, append "-o content_filter=filter:dummy" to the master.cf diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 1777b2787..500502a46 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -9693,8 +9693,8 @@ configurations in environments where DNS security is not assured.

    List of TLS protocols that the Postfix SMTP client will exclude or include with opportunistic TLS encryption. Starting with Postfix 2.6, -the Postfix SMTP client will by default only use SSLv3 and TLSv1, the -SSLv2 protocol is insecure and obsolete.

    +the Postfix SMTP client will by default not use the obsolete SSLv2 +protocol.

    In main.cf the values are separated by whitespace, commas or colons. In the policy table (see smtp_tls_policy_maps) the only valid diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 290b269a9..54015f74f 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -5764,8 +5764,8 @@ This feature is available in Postfix 2.3 and later. .SH smtp_tls_protocols (default: !SSLv2) List of TLS protocols that the Postfix SMTP client will exclude or include with opportunistic TLS encryption. Starting with Postfix 2.6, -the Postfix SMTP client will by default only use SSLv3 and TLSv1, the -SSLv2 protocol is insecure and obsolete. +the Postfix SMTP client will by default not use the obsolete SSLv2 +protocol. .PP In main.cf the values are separated by whitespace, commas or colons. In the policy table (see smtp_tls_policy_maps) the only valid diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink index 3d01af7c5..7d4d59e52 100755 --- a/postfix/mantools/postlink +++ b/postfix/mantools/postlink @@ -667,7 +667,6 @@ while (<>) { s;\btls_eecdh_ultra_curve\b;$&;g; s;\bfrozen_delivered_to\b;$&;g; - s;\bfrozen_owner_alias\b;$&;g; # Transport-dependent magical parameters. diff --git a/postfix/proto/FILTER_README.html b/postfix/proto/FILTER_README.html index 7ee33f665..d021d8a33 100644 --- a/postfix/proto/FILTER_README.html +++ b/postfix/proto/FILTER_README.html @@ -374,8 +374,8 @@ description of the command syntax below).

    limit of 10 concurrent processes, use whatever process limit is feasible for your machine. Content inspection software can gobble up a lot of system resources, so you don't want to have too much -of it running at the same time. The empty null_sender feature is -both necessary and available with Postfix 2.3 and later.

    +of it running at the same time. The empty null_sender setting is +required with Postfix 2.3 and later.

  • To turn on content filtering for mail arriving via SMTP only, append "-o content_filter=filter:dummy" to the master.cf diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index f46e246cc..083d51c48 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -11288,8 +11288,8 @@ the hostname and IP address. The logging format is "host[address]:port".

    List of TLS protocols that the Postfix SMTP client will exclude or include with opportunistic TLS encryption. Starting with Postfix 2.6, -the Postfix SMTP client will by default only use SSLv3 and TLSv1, the -SSLv2 protocol is insecure and obsolete.

    +the Postfix SMTP client will by default not use the obsolete SSLv2 +protocol.

    In main.cf the values are separated by whitespace, commas or colons. In the policy table (see smtp_tls_policy_maps) the only valid diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 80c6d4906..f0cc339ff 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20090426" +#define MAIL_RELEASE_DATE "20090427" #define MAIL_VERSION_NUMBER "2.7" #ifdef SNAPSHOT diff --git a/postfix/src/milter/milter.c b/postfix/src/milter/milter.c index 718940445..afd227e12 100644 --- a/postfix/src/milter/milter.c +++ b/postfix/src/milter/milter.c @@ -160,12 +160,14 @@ /* /* milter_rcpt_event() reports an RCPT TO event to the specified /* milter instances, after sending the macros that were specified -/* with the milter_create() rcpt_macros argument. When the flags -/* argument is non-zero, it selects only milter instances that -/* have at least one of the specificed flags. Known flags are: +/* with the milter_create() rcpt_macros argument. The flags +/* argument supports the following: /* .IP MILTER_FLAG_WANT_RCPT_REJ -/* This milter expects to receive rejected recipients with the -/* {rcpt_mailer} macro set to "error". +/* When this flag is cleared, invoke all milters. When this +/* flag is set, invoke only milters that want to receive +/* rejected recipients; with Sendmail V8 Milters, {rcpt_mailer} +/* is set to "error", {rcpt_host} is set to an enhanced status +/* code, and {rcpt_addr} is set to descriptive text. /* .PP /* milter_data_event() reports a DATA event to the specified /* milter instances, after sending the macros that were specified diff --git a/postfix/src/smtpd/smtpd_milter.c b/postfix/src/smtpd/smtpd_milter.c index b129f352a..2557b3dcc 100644 --- a/postfix/src/smtpd/smtpd_milter.c +++ b/postfix/src/smtpd/smtpd_milter.c 
@@ -189,6 +189,7 @@ const char *smtpd_milter_eval(const char *name, void *ptr) if (state->recipient[0] == 0) return (""); if (state->milter_reject_text) { + /* 554 5.7.1 : Relay access denied */ vstring_strcpy(state->expand_buf, state->milter_reject_text + 4); cp = split_at(STR(state->expand_buf), ' '); return (cp ? split_at(cp, ' ') : cp); @@ -205,6 +206,7 @@ const char *smtpd_milter_eval(const char *name, void *ptr) if (state->recipient == 0) return (0); if (state->milter_reject_text) { + /* 554 5.7.1 : Relay access denied */ vstring_strcpy(state->expand_buf, state->milter_reject_text + 4); (void) split_at(STR(state->expand_buf), ' '); return (STR(state->expand_buf)); diff --git a/postfix/src/util/Makefile.in b/postfix/src/util/Makefile.in index 3db912c7e..de0172e2f 100644 --- a/postfix/src/util/Makefile.in +++ b/postfix/src/util/Makefile.in @@ -569,6 +569,7 @@ argv.o: sys_defs.h argv_split.o: argv.h argv_split.o: argv_split.c argv_split.o: mymalloc.h +argv_split.o: msg.h argv_split.o: stringops.h argv_split.o: sys_defs.h argv_split.o: vbuf.h diff --git a/postfix/src/util/argv.h b/postfix/src/util/argv.h index f369c084d..b039fbb72 100644 --- a/postfix/src/util/argv.h +++ b/postfix/src/util/argv.h @@ -28,6 +28,7 @@ extern void argv_truncate(ARGV *, ssize_t); extern ARGV *argv_free(ARGV *); extern ARGV *argv_split(const char *, const char *); +extern ARGV *argv_split_count(const char *, const char *, ssize_t); extern ARGV *argv_split_append(ARGV *, const char *, const char *); #define ARGV_END ((char *) 0) diff --git a/postfix/src/util/argv_split.c b/postfix/src/util/argv_split.c index d7e6bafa2..920bf399a 100644 --- a/postfix/src/util/argv_split.c +++ b/postfix/src/util/argv_split.c @@ -9,6 +9,10 @@ /* ARGV *argv_split(string, delim) /* const char *string; /* +/* ARGV *argv_split_count(string, delim, count) +/* const char *string; +/* ssize_t count; +/* /* ARGV *argv_split_append(argv, string, delim) /* ARGV *argv; /* const char *string; 
@@ -18,6 +22,11 @@ /* to the delimiters specified in \fIdelim\fR. The result is /* a null-terminated string array. /* +/* argv_split_count() is like argv_split() but stops splitting +/* input after at most \fIcount\fR -1 times and leaves the +/* remainder, if any, in the last array element. It is an error +/* to specify a count < 1. +/* /* argv_split_append() performs the same operation as argv_split(), /* but appends the result to an existing string array. /* SEE ALSO @@ -38,12 +47,14 @@ /* System libraries. */ #include +#include /* Application-specific. */ #include "mymalloc.h" #include "stringops.h" #include "argv.h" +#include "msg.h" /* argv_split - split string into token array */ @@ -61,6 +72,28 @@ ARGV *argv_split(const char *string, const char *delim) return (argvp); } +/* argv_split_count - split string into token array */ + +ARGV *argv_split_count(const char *string, const char *delim, ssize_t count) +{ + ARGV *argvp = argv_alloc(1); + char *saved_string = mystrdup(string); + char *bp = saved_string; + char *arg; + + if (count < 1) + msg_panic("argv_split_count: bad count: %ld", (long) count); + while (count-- > 1 && (arg = mystrtok(&bp, delim)) != 0) + argv_add(argvp, arg, (char *) 0); + if (*bp) + bp += strspn(bp, delim); + if (*bp) + argv_add(argvp, bp, (char *) 0); + argv_terminate(argvp); + myfree(saved_string); + return (argvp); +} + /* argv_split_append - split string into token array, append to array */ ARGV *argv_split_append(ARGV *argvp, const char *string, const char *delim) diff --git a/postfix/src/xsasl/xsasl_dovecot_server.c b/postfix/src/xsasl/xsasl_dovecot_server.c index 3ad1c74b5..4af958ebd 100644 --- a/postfix/src/xsasl/xsasl_dovecot_server.c +++ b/postfix/src/xsasl/xsasl_dovecot_server.c 
@@ -282,7 +282,7 @@ static int xsasl_dovecot_server_connect(XSASL_DOVECOT_SERVER_IMPL *xp) VSTREAM_CTL_TIMEOUT, AUTH_TIMEOUT, VSTREAM_CTL_END); - /* XXX Encapsulate for logging. */ + /* XXX Encapsulate for logging. */ vstream_fprintf(sasl_stream, "VERSION\t%u\t%u\n" "CPID\t%u\n", @@ -295,7 +295,7 @@ static int xsasl_dovecot_server_connect(XSASL_DOVECOT_SERVER_IMPL *xp) } success = 0; line_str = vstring_alloc(256); - /* XXX Encapsulate for logging. */ + /* XXX Encapsulate for logging. */ while (vstring_get_nonl(line_str, sasl_stream) != VSTREAM_EOF) { line = vstring_str(line_str); @@ -545,7 +545,7 @@ static int xsasl_dovecot_handle_reply(XSASL_DOVECOT_SERVER *server, const char *myname = "xsasl_dovecot_handle_reply"; char *line, *cmd; - /* XXX Encapsulate for logging. */ + /* XXX Encapsulate for logging. */ while (vstring_get_nonl(server->sasl_line, server->impl->sasl_stream) != VSTREAM_EOF) { line = vstring_str(server->sasl_line); @@ -647,7 +647,7 @@ int xsasl_dovecot_server_first(XSASL_SERVER *xp, const char *sasl_method, server->service, server->server_addr, server->client_addr); if (server->tls_flag) - /* XXX Encapsulate for logging. */ + /* XXX Encapsulate for logging. */ vstream_fputs("\tsecured", server->impl->sasl_stream); if (init_response) { @@ -655,7 +655,7 @@ int xsasl_dovecot_server_first(XSASL_SERVER *xp, const char *sasl_method, * initial response is already base64 encoded, so we can send it * directly. */ - /* XXX Encapsulate for logging. */ + /* XXX Encapsulate for logging. */ vstream_fprintf(server->impl->sasl_stream, "\tresp=%s", init_response); } 
@@ -690,7 +690,7 @@ static int xsasl_dovecot_server_next(XSASL_SERVER *xp, const char *request, vstring_strcpy(reply, "Invalid base64 data in continued response"); return XSASL_AUTH_FAIL; } - /* XXX Encapsulate for logging. */ + /* XXX Encapsulate for logging. */ vstream_fprintf(server->impl->sasl_stream, "CONT\t%u\t%s\n", server->last_request_id, request); if (vstream_fflush(server->impl->sasl_stream) == VSTREAM_EOF) {
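Review bot: In the postfix/RELEASE_NOTES hunk, the sentence "SSLv3 was defined in 1996, and TLSv1 in 2006" gives the wrong year for TLSv1. TLS 1.0 was published as RFC 2246 in January 1999; 2006 is the year of TLS 1.1 (RFC 4346). Suggest "TLSv1 in 1999". The same paragraph says the SMTP server keeps SSLv2 for old clients, so it would help readers if the note also said how an administrator can turn that off on the server side.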
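Review bot: In the smtp_tls_protocols text (postfix/proto/postconf.proto and the matching html/postconf.5.html and man/man5/postconf.5 hunks), the rewrite drops the word "insecure" and describes SSLv2 only as "obsolete". The security reason is what an administrator needs when deciding whether to re-enable the protocol, so suggest "the insecure and obsolete SSLv2 protocol". The new wording also no longer says which protocols stay enabled; a short sentence explaining that the default "!SSLv2" excludes only SSLv2 would make the exclusion syntax explicit.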
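Review bot: In both postfix/src/smtpd/smtpd_milter.c hunks, the code under the new comment still hard-codes the reply format with "state->milter_reject_text + 4" and has no length check. If milter_reject_text were ever shorter than a three-digit code plus a space, the copy would start past the end of the string. Suggest checking for the "NNN " prefix before the copy, or stating in the comment where that format is guaranteed. The comment would also be more useful if it said which field each branch returns: the first hunk skips two space-separated fields and returns the descriptive text, the second truncates at the first space and returns the enhanced status code.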
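Review bot: In argv_split_count() in postfix/src/util/argv_split.c, the "count < 1" check runs only after argv_alloc() and mystrdup(), and the remainder is added with just its leading delimiters skipped, so the last array element can contain embedded and trailing delimiter characters. Suggest moving the check to the top of the function and documenting the remainder behaviour in the description. The current wording, "stops splitting input after at most count -1 times", reads awkwardly; something like "splits off at most count - 1 tokens and stores the unsplit remainder, if any, as the last element" would be clearer. The one-line comment above the function is also identical to the one for argv_split() and could say what differs.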
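Review bot: The postfix/src/xsasl/xsasl_dovecot_server.c hunks mix whitespace-only churn into a functional commit: every removed and added "/* XXX Encapsulate for logging. */" line carries the same text. Suggest committing the re-indentation separately from the Milter and argv_split_count() changes so the functional diff in the SASL code path stays easy to audit.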