From 33383c8ee6a001c1915a69d9e7811d92ec54c5e8 Mon Sep 17 00:00:00 2001
From: Wietse Z Venema <wietse@porcupine.org>
Date: Wed, 4 Dec 2024 00:00:00 -0500
Subject: [PATCH] postfix-3.8.7

---
 postfix/HISTORY                          | 43 ++++++++++++++++++++++++
 postfix/conf/master.cf                   |  2 +-
 postfix/src/cleanup/cleanup_message.c    | 10 +++---
 postfix/src/global/mail_version.h        |  4 +--
 postfix/src/global/maillog_client.c      | 19 ++++++++---
 postfix/src/smtpd/smtpd_check.c          | 12 +++----
 postfix/src/util/msg_logger.c            |  6 ++++
 postfix/src/xsasl/xsasl_dovecot_server.c |  1 +
 8 files changed, 79 insertions(+), 18 deletions(-)

diff --git a/postfix/HISTORY b/postfix/HISTORY
index 3892273d4..6bc9c73a7 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -27326,3 +27326,46 @@ Apologies for any names omitted.
 	restrictions. Files: dns/dns.h, dns/dns_lookup.c, dns/dns_rr.c,
 	dns/test_dns_lookup.c, posttls-finger/posttls-finger.c,
 	smtp/smtp_addr.c, smtpd/smtpd_check.c.
+
+20240930
+
+	Bugfix (defect introduced: Postfix 2.9, date 20111218):
+	with "smtpd_sasl_auth_enable = no", info received with
+	XCLIENT LOGIN was ignored by permit_sasl_authenticated.
+	The fix was to remove a test and to rely solely on the
+	sasl_mechanism property which is null when a remote SMTP
+	client is not authenticated. File: src/smtpd/smtpd_check.c.
+
+20241021
+
+	Bugfix (defect introduced: postfix 3.0): the default master.cf
+	syslog_name setting for the relay service did not preserve
+	multi-instance information. File: conf/master.cf.
+
+20241027
+
+	Bugfix (defect introduced: Postfix 2.3, date 20051222):
+	file descriptor leak after failure to connect to a Dovecot
+	auth server. The impact is limited because there are limits
+	on the number of retries (one), on the number of errors per
+	SMTP session (smtpd_hard_error_limit), on the number of
+	sessions per SMTP server process (max_use), and on the
+	number file handles per process (managed with sysctl).
+	File: xsasl/xsasl_dovecot_server.c.
+
+20241122
+
+	Bugfix (defect introduced: Postfix 3.4, date 20190121): the
+	postsuper command failed with "open logfile 'xxx': Permission
+	denied" when the maillog_file parameter specified a filename
+	and Postfix was not running. This was fixed by opening the
+	maillog_file before dropping root privileges. Files:
+	util/msg_logger.c, global/maillog_client.c.
+
+20241201
+
+	Bugfix (defect introduced Postfix 3.0). Missing UTF8
+	autodetection for headers that are automatically generated
+	by Postfix (for example, a From: header with UTF8 full name
+	information from the password file). Reported by Michael
+	Tokarev. File: src/cleanup/cleanup_message.c.
diff --git a/postfix/conf/master.cf b/postfix/conf/master.cf
index fd282dd29..abd6daeb2 100644
--- a/postfix/conf/master.cf
+++ b/postfix/conf/master.cf
@@ -67,7 +67,7 @@ proxymap  unix  -       -       n       -       -       proxymap
 proxywrite unix -       -       n       -       1       proxymap
 smtp      unix  -       -       n       -       -       smtp
 relay     unix  -       -       n       -       -       smtp
-        -o syslog_name=postfix/$service_name
+        -o syslog_name=${multi_instance_name?{$multi_instance_name}:{postfix}}/$service_name
 #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
 showq     unix  n       -       n       -       -       showq
 error     unix  -       -       n       -       -       error
diff --git a/postfix/src/cleanup/cleanup_message.c b/postfix/src/cleanup/cleanup_message.c
index 1ee0a525a..07dfa161b 100644
--- a/postfix/src/cleanup/cleanup_message.c
+++ b/postfix/src/cleanup/cleanup_message.c
@@ -723,8 +723,9 @@ static void cleanup_header_done_callback(void *context)
 	    vstring_sprintf(state->temp1, "%s.%s@%s",
 			    time_stamp, state->queue_id, var_myhostname);
 	}
-	cleanup_out_format(state, REC_TYPE_NORM, "%sMessage-Id: <%s>",
-			   state->resent, vstring_str(state->temp1));
+	vstring_sprintf(state->temp2, "%sMessage-Id: <%s>",
+			state->resent, vstring_str(state->temp1));
+	cleanup_out_header(state, state->temp2);
 	msg_info("%s: %smessage-id=<%s>",
 		 state->queue_id, *state->resent ? "resent-" : "",
 		 vstring_str(state->temp1));
@@ -741,8 +742,9 @@ static void cleanup_header_done_callback(void *context)
     if ((state->hdr_rewrite_context || var_always_add_hdrs)
 	&& (state->headers_seen & (1 << (state->resent[0] ?
 				       HDR_RESENT_DATE : HDR_DATE))) == 0) {
-	cleanup_out_format(state, REC_TYPE_NORM, "%sDate: %s",
+	vstring_sprintf(state->temp2, "%sDate: %s",
 		      state->resent, mail_date(state->arrival_time.tv_sec));
+	cleanup_out_header(state, state->temp2);
     }
 
     /*
@@ -805,7 +807,7 @@ static void cleanup_header_done_callback(void *context)
 	    vstring_sprintf(state->temp2, "%sFrom: %s",
 			    state->resent, vstring_str(state->temp1));
 	}
-	CLEANUP_OUT_BUF(state, REC_TYPE_NORM, state->temp2);
+	cleanup_out_header(state, state->temp2);
     }
 
     /*
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 9eda667f8..1663b1e0e 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20240304"
-#define MAIL_VERSION_NUMBER	"3.8.6"
+#define MAIL_RELEASE_DATE	"20241204"
+#define MAIL_VERSION_NUMBER	"3.8.7"
 
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE
diff --git a/postfix/src/global/maillog_client.c b/postfix/src/global/maillog_client.c
index 7f79a1f6d..c28f024ca 100644
--- a/postfix/src/global/maillog_client.c
+++ b/postfix/src/global/maillog_client.c
@@ -120,6 +120,7 @@ static int maillog_client_flags;
 static void maillog_client_logwriter_fallback(const char *text)
 {
     static int fallback_guard = 0;
+    static VSTREAM *fp;
 
     /*
      * Guard against recursive calls.
@@ -129,10 +130,20 @@ static void maillog_client_logwriter_fallback(const char *text)
      * logfile. All we can do is to hope that stderr logging will bring out
      * the bad news.
      */
-    if (fallback_guard == 0 && var_maillog_file && *var_maillog_file
-	&& logwriter_one_shot(var_maillog_file, text, strlen(text)) < 0) {
-	fallback_guard = 1;
-	msg_fatal("logfile '%s' write error: %m", var_maillog_file);
+    if (fallback_guard++ == 0 && var_maillog_file && *var_maillog_file) {
+	if (text == 0 && fp != 0) {
+	    (void) vstream_fclose(fp);
+	    fp = 0;
+	}
+	if (fp == 0) {
+	    fp = logwriter_open_or_die(var_maillog_file);
+	    close_on_exec(vstream_fileno(fp), CLOSE_ON_EXEC);
+	}
+	if (text && (logwriter_write(fp, text, strlen(text)) != 0 ||
+		     vstream_fflush(fp) != 0)) {
+	    msg_fatal("logfile '%s' write error: %m", var_maillog_file);
+	}
+	fallback_guard = 0;
     }
 }
 
diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c
index 093aa0634..8eb0fe9de 100644
--- a/postfix/src/smtpd/smtpd_check.c
+++ b/postfix/src/smtpd/smtpd_check.c
@@ -4671,13 +4671,11 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
 			 cpp[1], CHECK_RELAY_DOMAINS);
 	} else if (strcasecmp(name, PERMIT_SASL_AUTH) == 0) {
 #ifdef USE_SASL_AUTH
-	    if (smtpd_sasl_is_active(state)) {
-		status = permit_sasl_auth(state,
-					  SMTPD_CHECK_OK, SMTPD_CHECK_DUNNO);
-		if (status == SMTPD_CHECK_OK)
-		    status = smtpd_acl_permit(state, name, SMTPD_NAME_CLIENT,
-					      state->namaddr, NO_PRINT_ARGS);
-	    }
+	    status = permit_sasl_auth(state,
+				      SMTPD_CHECK_OK, SMTPD_CHECK_DUNNO);
+	    if (status == SMTPD_CHECK_OK)
+		status = smtpd_acl_permit(state, name, SMTPD_NAME_CLIENT,
+					  state->namaddr, NO_PRINT_ARGS);
 #endif
 	} else if (strcasecmp(name, PERMIT_TLS_ALL_CLIENTCERTS) == 0) {
 	    status = permit_tls_clientcerts(state, 1);
diff --git a/postfix/src/util/msg_logger.c b/postfix/src/util/msg_logger.c
index 07c9e92f8..2d813d358 100644
--- a/postfix/src/util/msg_logger.c
+++ b/postfix/src/util/msg_logger.c
@@ -59,6 +59,9 @@
 /*	Override the fallback setting (see above) with the specified
 /*	function pointer. This remains in effect until the next
 /*	msg_logger_init() or msg_logger_control() call.
+/*	When the function is called with a null argument, it should
+/*	allocate resources immediately. This is needed in programs
+/*	that drop privileges after process initialization.
 /* .IP CA_MSG_LOGGER_CTL_DISABLE
 /*	Disable the msg_logger. This remains in effect until the
 /*	next msg_logger_init() call.
@@ -320,6 +323,9 @@ void    msg_logger_control(int name,...)
 	    msg_logger_disconnect();
 	    if (MSG_LOGGER_NEED_SOCKET())
 		msg_logger_connect();
+	    if (msg_logger_sock == MSG_LOGGER_SOCK_NONE
+		&& msg_logger_fallback_fn)
+		msg_logger_fallback_fn((char *) 0);
 	    break;
 	default:
 	    msg_panic("%s: bad name %d", myname, name);
diff --git a/postfix/src/xsasl/xsasl_dovecot_server.c b/postfix/src/xsasl/xsasl_dovecot_server.c
index 4a0c085cc..ac93a2da9 100644
--- a/postfix/src/xsasl/xsasl_dovecot_server.c
+++ b/postfix/src/xsasl/xsasl_dovecot_server.c
@@ -297,6 +297,7 @@ static int xsasl_dovecot_server_connect(XSASL_DOVECOT_SERVER_IMPL *xp)
 		    (unsigned int) getpid());
     if (vstream_fflush(sasl_stream) == VSTREAM_EOF) {
 	msg_warn("SASL: Couldn't send handshake: %m");
+	(void) vstream_fclose(sasl_stream);
 	return (-1);
     }
     success = 0;
-- 
2.47.3