From 0670e294e047854ed357197321cca2238ff801fb Mon Sep 17 00:00:00 2001 From: Wietse Venema Date: Fri, 3 Feb 2006 00:00:00 -0500 Subject: [PATCH] postfix-2.3-20060203 --- postfix/HISTORY | 14 +++++++++++++- postfix/src/cleanup/cleanup_addr.c | 3 +++ postfix/src/global/mail_version.h | 2 +- postfix/src/smtpd/smtpd_check.c | 28 +++++++++++++--------------- 4 files changed, 30 insertions(+), 17 deletions(-) diff --git a/postfix/HISTORY b/postfix/HISTORY index c58ffee55..bad71993e 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -11965,7 +11965,19 @@ Apologies for any names omitted. hard errors (change 20050726) they were still processed as soft errors. File: dns/dns_lookup.c. -Open issues: +20060203 + + Bugfix: smtpd core dump when SASL was compiled in, turned + off (smtpd_sasl_auth_enable = no) and permit_sasl_authenticated + was specified in local_header_rewrite_clients. Victor + Duchovni. File: smtpd/smtpd_check.c. + + Cleanup: don't complain about useless SASL or TLS "permit" + restrictions when SASL or TLS aren't compiled in, but do + reject mail when reject_plaintext_session is specified while + TLS isn't compiled in. File: smtpd/smtpd_check.c. + +Wish list: Make the map case folding/locking options configurable, if not at run-time then at least at compile time so we get diff --git a/postfix/src/cleanup/cleanup_addr.c b/postfix/src/cleanup/cleanup_addr.c index 3f7ffbb75..1e1f20cd3 100644 --- a/postfix/src/cleanup/cleanup_addr.c +++ b/postfix/src/cleanup/cleanup_addr.c 
@@ -99,6 +99,9 @@ void cleanup_addr_sender(CLEANUP_STATE *state, const char *buf) * for replying. Having to support both forms is error prone, therefore * an incomplete envelope address is rewritten to fully qualified form in * the local domain context. + * + * 20000520: Replace mailer-daemon@$myorigin by the null address, to handle + * bounced mail traffic more robustly. */ cleanup_rewrite_internal(MAIL_ATTR_RWR_LOCAL, clean_addr, buf); if (strncasecmp(STR(clean_addr), MAIL_ADDR_MAIL_DAEMON "@", diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 5b145f059..d564ee652 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20060202" +#define MAIL_RELEASE_DATE "20060203" #define MAIL_VERSION_NUMBER "2.3" #ifdef SNAPSHOT diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c index 2caa81af4..82c1d0346 100644 --- a/postfix/src/smtpd/smtpd_check.c +++ b/postfix/src/smtpd/smtpd_check.c @@ -956,18 +956,17 @@ static int reject_unknown_client(SMTPD_STATE *state) static int reject_plaintext_session(SMTPD_STATE *state) { -#ifdef USE_TLS char *myname = "reject_plaintext_session"; if (msg_verbose) msg_info("%s: %s %s", myname, state->name, state->addr); +#ifdef USE_TLS if (state->tls_context == 0) +#endif return (smtpd_check_reject(state, MAIL_ERROR_POLICY, var_plaintext_code, "4.7.1", "Session encryption is required")); -#endif - return (SMTPD_CHECK_DUNNO); } /* permit_inet_interfaces - succeed if client my own address */ @@ -3480,10 +3479,8 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions, } else sleep(atoi(*++cpp)); #endif -#ifdef USE_TLS } else if (strcasecmp(name, REJECT_PLAINTEXT_SESSION) == 0) { status = reject_plaintext_session(state); -#endif } /* 
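Review bot: In `reject_plaintext_session` the `#ifdef USE_TLS` / `#endif` pair now wraps only the `if (state->tls_context == 0)` line, so in a build without TLS the `return (smtpd_check_reject(...))` becomes unconditional and the trailing `return (SMTPD_CHECK_DUNNO);` is dead code. Failing closed is the right outcome, but an unbraced statement whose controlling condition appears and disappears with the preprocessor is easy to break in a later edit. I would invert the test so that the reject is the single fall-through exit: inside `#ifdef USE_TLS` put `if (state->tls_context != 0) return (SMTPD_CHECK_DUNNO);`, close with `#endif`, and end the function with the existing `return (smtpd_check_reject(...));`. A comment such as `/* Without TLS support every session is plaintext, so always reject. */` would record why the non-TLS build rejects.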
@@ -3521,8 +3518,8 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions, status = reject_rbl_domain(state, *cpp, state->name, SMTPD_NAME_CLIENT); } -#ifdef USE_TLS } else if (is_map_command(state, name, CHECK_CCERT_ACL, &cpp)) { +#ifdef USE_TLS status = check_ccert_access(state, *cpp, def_acl); #endif } @@ -3699,17 +3696,17 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions, msg_warn("restriction `%s' after `%s' is ignored", cpp[1], CHECK_RELAY_DOMAINS); } else if (strcasecmp(name, PERMIT_SASL_AUTH) == 0) { - if (var_smtpd_sasl_enable) #ifdef USE_SASL_AUTH + if (var_smtpd_sasl_enable) status = permit_sasl_auth(state, SMTPD_CHECK_OK, SMTPD_CHECK_DUNNO); -#else - msg_warn("restriction `%s' ignored: no SASL support", name); #endif -#ifdef USE_TLS } else if (strcasecmp(name, PERMIT_TLS_ALL_CLIENTCERTS) == 0) { +#ifdef USE_TLS status = permit_tls_clientcerts(state, 1); +#endif } else if (strcasecmp(name, PERMIT_TLS_CLIENTCERTS) == 0) { +#ifdef USE_TLS status = permit_tls_clientcerts(state, 0); #endif } else if (strcasecmp(name, REJECT_UNKNOWN_RCPTDOM) == 0) { @@ -3866,15 +3863,16 @@ void smtpd_check_rewrite(SMTPD_STATE *state) status = SMTPD_CHECK_OK; } else if (strcasecmp(name, PERMIT_SASL_AUTH) == 0) { #ifdef USE_SASL_AUTH - status = permit_sasl_auth(state, SMTPD_CHECK_OK, - SMTPD_CHECK_DUNNO); -#else - status = SMTPD_CHECK_DUNNO; + if (var_smtpd_sasl_enable) + status = permit_sasl_auth(state, SMTPD_CHECK_OK, + SMTPD_CHECK_DUNNO); #endif -#ifdef USE_TLS } else if (strcasecmp(name, PERMIT_TLS_ALL_CLIENTCERTS) == 0) { +#ifdef USE_TLS status = permit_tls_clientcerts(state, 1); +#endif } else if (strcasecmp(name, PERMIT_TLS_CLIENTCERTS) == 0) { +#ifdef USE_TLS status = permit_tls_clientcerts(state, 0); #endif } else { -- 2.47.3
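Review bot: The `CHECK_CCERT_ACL` branch of `generic_checks` (hunk at -3521) now has an empty body in builds without `USE_TLS`, and nothing in the code says this is intended. The `PERMIT_SASL_AUTH`, `PERMIT_TLS_ALL_CLIENTCERTS` and `PERMIT_TLS_CLIENTCERTS` branches in the hunks at -3699 and -3866 have the same shape. A comment inside each, e.g. `/* No TLS support: restriction is recognized but yields no decision. */`, would keep a later reader from treating the empty branch as an accident. For the ccert case it is also worth stating that `is_map_command()` is still evaluated so that the restriction name is accepted instead of being handled by a later branch. That is my reading of why the `#ifdef` moved inside the branch and should be confirmed against the rest of the chain, which lies outside the hunk.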
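Review bot: In `smtpd_check_rewrite` (hunk at -3866) the `PERMIT_SASL_AUTH` branch no longer assigns `status` when SASL is compiled out or `var_smtpd_sasl_enable` is off, because the old `#else` / `status = SMTPD_CHECK_DUNNO;` was dropped. The two `permit_tls_clientcerts` branches likewise assign nothing without `USE_TLS`. Whether `status` is reset before this `if`/`else if` chain is not visible here (the function starts and ends outside the hunk), so the result of matching a client against local_header_rewrite_clients may depend on a value left over from earlier. If it is not already reset for each restriction, add `status = SMTPD_CHECK_DUNNO;` as the first statement of each of these three branches, so that a disabled mechanism never yields a permit.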