From 3656d4ed7e7eabb54c31ebb289dabd062939344a Mon Sep 17 00:00:00 2001
From: Wietse Venema <wietse@porcupine.org>
Date: Sun, 23 Jan 2022 00:00:00 -0500
Subject: [PATCH] postfix-3.8-20220123

---
 postfix/HISTORY                     |   6 +
 postfix/README_FILES/LINUX_README   |  13 ++
 postfix/RELEASE_NOTES               |  82 +------------
 postfix/RELEASE_NOTES-3.7           | 178 ++++++++++++++++++++++++++++
 postfix/conf/main.cf                |   2 +-
 postfix/html/LINUX_README.html      |  15 +++
 postfix/proto/LINUX_README.html     |  15 +++
 postfix/proto/stop.spell-proto-html |   2 +
 postfix/src/global/mail_version.h   |   4 +-
 9 files changed, 237 insertions(+), 80 deletions(-)
 create mode 100644 postfix/RELEASE_NOTES-3.7

diff --git a/postfix/HISTORY b/postfix/HISTORY
index a2d9c97e4..d53113bba 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -26240,3 +26240,9 @@ Apologies for any names omitted.
 	defaults and updated documentation. Problem reported by
 	Raf. Files: global/mail_params.h, mantools/postlink,
 	postconf/postconf_builtin.c.
+
+20220123
+
+	Documentation: added LINUX_README sections for logging in
+	a container, and for systemd logging workarounds. File:
+	proto/LINUX_README.hmtl.
diff --git a/postfix/README_FILES/LINUX_README b/postfix/README_FILES/LINUX_README
index 6330278a1..b8288798f 100644
--- a/postfix/README_FILES/LINUX_README
+++ b/postfix/README_FILES/LINUX_README
@@ -47,6 +47,12 @@ mail spool directory. Workaround:
 
     # chmod 1777 /var/spool/mail
 
+LLooggggiinngg iinn aa ccoonnttaaiinneerr
+
+When running Postfix inside a container, you can use stdout logging as
+described in MAILLOG_README. Alternatives: run syslogd inside the container, or
+mount the host's syslog socket inside the container.
+
 SSyyssllooggdd ppeerrffoorrmmaannccee
 
 LINUX ssyyssllooggdd uses synchronous writes by default. Because of this, ssyyssllooggdd can
@@ -59,3 +65,10 @@ synchronous mail logfile writes by editing /etc/syslog.conf and by prepending a
 
 Send a "kkiillll --HHUUPP" to the ssyyssllooggdd to make the change effective.
 
+OOtthheerr llooggggiinngg ppeerrffoorrmmaannccee iissssuueess
+
+LINUX ssyysstteemmdd intercepts all logging and enforces its own rate limits before
+handing off requests to a backend such as rrssyyssllooggdd or ssyysslloogg--nngg. On a busy mail
+server this can result in information loss. As a workaround, you can use
+Postfix's built-in logging as described in MAILLOG_README.
+
diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES
index e87e35ec0..84541eda0 100644
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@@ -1,19 +1,19 @@
-This is the Postfix 3.7 (experimental) release.
+This is the Postfix 3.8 (experimental) release.
 
-The stable Postfix release is called postfix-3.6.x where 3=major
-release number, 6=minor release number, x=patchlevel.  The stable
+The stable Postfix release is called postfix-3.7.x where 3=major
+release number, 7=minor release number, x=patchlevel.  The stable
 release never changes except for patches that address bugs or
 emergencies. Patches change the patchlevel and the release date.
 
 New features are developed in snapshot releases. These are called
-postfix-3.7-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+postfix-3.8-yyyymmdd where yyyymmdd is the release date (yyyy=year,
 mm=month, dd=day).  Patches are never issued for snapshot releases;
 instead, a new snapshot is released.
 
 The mail_release_date configuration parameter (format: yyyymmdd)
 specifies the release date of a stable release or snapshot release.
 
-If you upgrade from Postfix 3.5 or earlier, read RELEASE_NOTES-3.6
+If you upgrade from Postfix 3.6 or earlier, read RELEASE_NOTES-3.7
 before proceeding.
 
 License change
@@ -24,75 +24,3 @@ historical IBM Public License 1.0, it is now also distributed with the
 more recent Eclipse Public License 2.0. Recipients can choose to take
 the software under the license of their choice. Those who are more
 comfortable with the IPL can continue with that license.
-
-Major changes with snapshot 20211127
-====================================
-
-Support for the pcre2 library (the legacy pcre library is no longer
-maintained). The Postfix build procedure automatically detects if
-the pcre2 library is installed, and if it is unavailable, the Postfix
-build procedure will detect if the legacy pcre library is installed.
-See PCRE_README if you need to build Postfix with a specific library.
-
-Visible differences: some error messages may have a different text,
-and the 'X' pattern flag is no longer supported with pcre2.
-
-Major changes with snapshot 20210815
-====================================
-
-Updated defense against remote clients or servers that 'trickle'
-SMTP or LMTP traffic. The new {smtpd,smtp,lmtp}_per_request_deadline
-parameters replace {smtpd,smtp,lmtp}_per_record_deadline, with
-backwards compatible default settings. This defense is enabled by
-default in the Postfix SMTP server in case of overload.
-
-The new smtpd_per_record_deadline parameter limits the combined
-time for the Postfix SMTP server to receive a request and to send
-a response, while the new {smtp,lmtp}_per_record_deadline parameters
-limit the combined time for the Postfix SMTP or LMTP client to send
-a request and to receive a response.
-
-Additionally, the new smtpd_min_data_rate parameter enforces a
-minimum plaintext data transfer rate for DATA and BDAT requests,
-but only when smtpd_per_record_deadline is enabled. After a read
-operation transfers N plaintext bytes (possibly after TLS decryption),
-and after the DATA or BDAT request deadline is decreased by the
-elapsed time of that read operation, the DATA or BDAT request
-deadline is increased by N/smtpd_min_data_rate seconds. However,
-the deadline is never increased beyond the smtpd_timeout value. The
-default minimum data rate is 500 (bytes/second) but is still subject
-to change.
-
-The new {smtp,lmtp}_min_data_rate parameters enforce the corresponding
-minimum DATA transfer rates for the Postfix SMTP and LMTP client.
-
-Major changes with snapshot 20210605
-====================================
-
-Support to inline the content of small cidr, pcre, and regexp tables.
-
-Example:
-
-    smtpd_forbidden_commands =
-	CONNECT GET POST regexp:{{/^[^A-Z]/ Thrash}}
-
-The basic syntax is:
-
-/etc/postfix/main.cf:
-    parameter = .. map-type:{ { rule-1 }, { rule-2 } .. } ..
-
-/etc/postfix/master.cf:
-    .. -o { parameter = .. map-type:{ { rule-1 }, { rule-2 } .. } .. } ..
-
-Postfix ignores whitespace after '{' and before '}', and writes each
-rule as one text line to an in-memory file: 
-
-in-memory file:
-    rule-1
-    rule-2
-    ..
-
-Postfix parses the result as if it is a file in /etc/postfix.
-
-Note: if a rule contains $, specify $$, to keep Postfix from trying to
-do $name expansion as it evaluates the parameter value.
diff --git a/postfix/RELEASE_NOTES-3.7 b/postfix/RELEASE_NOTES-3.7
new file mode 100644
index 000000000..fd6b9fce6
--- /dev/null
+++ b/postfix/RELEASE_NOTES-3.7
@@ -0,0 +1,178 @@
+This is the Postfix 3.7 (stable) release.
+
+The stable Postfix release is called postfix-3.7.x where 3=major
+release number, 7=minor release number, x=patchlevel.  The stable
+release never changes except for patches that address bugs or
+emergencies. Patches change the patchlevel and the release date.
+
+New features are developed in snapshot releases. These are called
+postfix-3.8-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+mm=month, dd=day).  Patches are never issued for snapshot releases;
+instead, a new snapshot is released.
+
+The mail_release_date configuration parameter (format: yyyymmdd)
+specifies the release date of a stable release or snapshot release.
+
+If you upgrade from Postfix 3.5 or earlier, read RELEASE_NOTES-3.6
+before proceeding.
+
+License change
+---------------
+
+This software is distributed with a dual license: in addition to the
+historical IBM Public License 1.0, it is now also distributed with the
+more recent Eclipse Public License 2.0. Recipients can choose to take
+the software under the license of their choice. Those who are more
+comfortable with the IPL can continue with that license.
+
+Major changes - configuration
+-----------------------------
+
+[Feature 20210605] Support to inline the content of small cidr,
+pcre, and regexp tables.
+
+Example:
+
+    smtpd_forbidden_commands =
+	CONNECT GET POST regexp:{{/^[^A-Z]/ Thrash}}
+
+The basic syntax is:
+
+/etc/postfix/main.cf:
+    parameter = .. map-type:{ { rule-1 }, { rule-2 } .. } ..
+
+/etc/postfix/master.cf:
+    .. -o { parameter = .. map-type:{ { rule-1 }, { rule-2 } .. } .. } ..
+
+where map-type is one of cidr, pcre, or regexp.
+
+Postfix ignores whitespace after '{' and before '}', and writes each
+rule as one text line to a nameless in-memory file: 
+
+in-memory file:
+    rule-1
+    rule-2
+    ..
+
+Postfix parses the result as if it is a file in /etc/postfix.
+
+Note: if a rule contains $, specify $$, to keep Postfix from trying
+to do $name expansion as it evaluates the parameter value.
+
+Major changes - lmdb support
+----------------------------
+
+[Feature 20210605] Overhauled the LMDB client implementation, added
+integration tests for future-proofing.
+
+Major changes - logging
+-----------------------
+
+[Feature 20210815] To make the maillog_file feature more useful,
+the postlog(1) command is now set-gid postdrop, so that unprivileged
+programs can write logging through the postlogd(8) daemon.  This
+required hardening the postlog(1) command against privilege escalation
+attacks.
+
+Major changes - pcre2 support
+-----------------------------
+
+[Feature 20211127] Support for the pcre2 library (the legacy pcre
+library is no longer maintained). The Postfix build procedure
+automatically detects if the pcre2 library is installed, and if it
+is unavailable, the Postfix build procedure will detect if the
+legacy pcre library is installed.  See PCRE_README if you need to
+build Postfix with a specific library.
+
+Visible differences: some error messages may have a different text,
+and the 'X' pattern flag is no longer supported with pcre2.
+
+Major changes - safety
+----------------------
+
+[Feature 20210926] Prevent sharing of xxx_tls_session_cache_database
+instances between different Postfix instances when a database is
+not multi-writer safe. These databases are now opened with a permanent
+lock. The tlsmgr(8) daemon will raise a fatal error when it attempts
+to open an xxx_tls_session_cache_database that is already opened
+by a different tlsmgr(8) process.
+
+Major changes - security
+------------------------
+
+[Feature 20220102] Postfix programs now randomize the initial state
+of in-memory hash tables, to defend against hash collision attacks
+involving a large number of attacker-chosen lookup keys.  Presently,
+the only known opportunity for such attacks involves remote SMTP
+client IPv6 addresses in the anvil(8) service. That would require
+making hundreds of short-lived connections per second, because the
+service ages out idle connections after 100s. Other tables with
+attacker-chosen lookup keys are by design limited in size. The fix
+is cheap, and therefore implemented for all Postfix in-memory hash
+tables. Problem reported by Pascal Junod.
+
+[Feature 20211030] The postqueue command now sanitizes non-printable
+characters in strings before they are formatted as json output or
+legacy output. These outputs are piped into other programs that are
+run by administrative users. This closes a hypothetical opportunity
+for privilege escalation.
+
+[Feature 20210815] Updated defense against remote clients or servers
+that 'trickle' SMTP or LMTP traffic. 
+
+The new {smtpd,smtp,lmtp}_per_request_deadline parameters replace
+{smtpd,smtp,lmtp}_per_record_deadline, with backwards compatible
+default settings. This defense is enabled by default in the Postfix
+SMTP server in case of overload.
+
+The new smtpd_per_record_deadline parameter limits the combined
+time for the Postfix SMTP server to receive a request and to send
+a response, while the new {smtp,lmtp}_per_record_deadline parameters
+limit the combined time for the Postfix SMTP or LMTP client to send
+a request and to receive a response.
+
+Additionally, the new smtpd_min_data_rate parameter enforces a
+minimum plaintext data transfer rate for DATA and BDAT requests,
+but only when smtpd_per_record_deadline is enabled. After a read
+operation transfers N plaintext bytes (possibly after TLS decryption),
+and after the DATA or BDAT request deadline is decreased by the
+elapsed time of that read operation, the DATA or BDAT request
+deadline is increased by N/smtpd_min_data_rate seconds. However,
+the deadline is never increased beyond the smtpd_timeout value. The
+default minimum data rate is 500 (bytes/second) but is still subject
+to change.
+
+The new {smtp,lmtp}_min_data_rate parameters enforce the corresponding
+minimum DATA transfer rates for the Postfix SMTP and LMTP client.
+
+Major changes - tls support
+---------------------------
+
+[Incompat 20220121] Renamed tlsproxy_client_level to
+tlsproxy_client_security_level, and tlsproxy_client_policy to
+tlsproxy_client_policy_maps, for consistent parameter naming
+(tlsproxy_client_xxx corresponds to smtp_tls_xxx).
+
+This change was made with backwards-compatible default settings,
+and with updated documentation.
+
+[Feature 20210926] Postfix was updated to support OpenSSL 3.0.0
+features, and to work around OpenSSL 3.0.0 bit-rot (avoid using
+deprecated features).
+
+Other code health
+-----------------
+
+[typos] Typo fixes by raf.
+
+[pre-release checks] Added pre-release checks to detect new typos,
+and missing entries in postfix-files (some documentation would not
+be installed), missing postlink rules (would result in missing
+hyperlinks in documentation), missing proxy_read_maps entries (the
+proxymap daemon would not automatically authorize some proxied maps).
+
+[memory stream] Improved support for memory-based streams made it
+possible to eliminate ad-hoc code that converted tlsproxy(8) protocol
+data to and from serialized form, and to inline small cidr:, pcre:,
+and regexp: maps in main.cf.
+
diff --git a/postfix/conf/main.cf b/postfix/conf/main.cf
index 47de43463..2ee799671 100644
--- a/postfix/conf/main.cf
+++ b/postfix/conf/main.cf
@@ -31,7 +31,7 @@
 #
 # The level below is what should be used with new (not upgrade) installs.
 #
-compatibility_level = 3.7
+compatibility_level = 3.8
 
 # SOFT BOUNCE
 #
diff --git a/postfix/html/LINUX_README.html b/postfix/html/LINUX_README.html
index 84d16e206..0d5b0eef5 100644
--- a/postfix/html/LINUX_README.html
+++ b/postfix/html/LINUX_README.html
@@ -81,6 +81,13 @@ to write to the mail spool directory. Workaround: </p>
 </pre>
 </blockquote>
 
+<h2>Logging in a container</h2>
+
+<p> When running Postfix inside a container, you can use stdout
+logging as described in <a href="MAILLOG_README.html">MAILLOG_README</a>. Alternatives: run syslogd
+inside the container, or mount the host's syslog socket inside the
+container. </p>
+
 <h2>Syslogd performance</h2>
 
 <p> LINUX <b>syslogd</b> uses synchronous writes by default. Because
@@ -99,6 +106,14 @@ logfile name:  </p>
 <p> Send a "<b>kill -HUP</b>" to the <b>syslogd</b> to make the
 change effective.  </p>
 
+<h2>Other logging performance issues</h2>
+
+<p> LINUX <b>systemd</b> intercepts all logging and enforces its
+own rate limits before handing off requests to a backend such as
+<b>rsyslogd</b> or <b>syslog-ng</b>. On a busy mail server this can
+result in information loss. As a workaround, you can use Postfix's
+built-in logging as described in <a href="MAILLOG_README.html">MAILLOG_README</a>. </p>
+
 </body>
 
 </html>
diff --git a/postfix/proto/LINUX_README.html b/postfix/proto/LINUX_README.html
index f04375e31..76c605f3a 100644
--- a/postfix/proto/LINUX_README.html
+++ b/postfix/proto/LINUX_README.html
@@ -81,6 +81,13 @@ to write to the mail spool directory. Workaround: </p>
 </pre>
 </blockquote>
 
+<h2>Logging in a container</h2>
+
+<p> When running Postfix inside a container, you can use stdout
+logging as described in MAILLOG_README. Alternatives: run syslogd
+inside the container, or mount the host's syslog socket inside the
+container. </p>
+
 <h2>Syslogd performance</h2>
 
 <p> LINUX <b>syslogd</b> uses synchronous writes by default. Because
@@ -99,6 +106,14 @@ logfile name:  </p>
 <p> Send a "<b>kill -HUP</b>" to the <b>syslogd</b> to make the
 change effective.  </p>
 
+<h2>Other logging performance issues</h2>
+
+<p> LINUX <b>systemd</b> intercepts all logging and enforces its
+own rate limits before handing off requests to a backend such as
+<b>rsyslogd</b> or <b>syslog-ng</b>. On a busy mail server this can
+result in information loss. As a workaround, you can use Postfix's
+built-in logging as described in MAILLOG_README. </p>
+
 </body>
 
 </html>
diff --git a/postfix/proto/stop.spell-proto-html b/postfix/proto/stop.spell-proto-html
index 937c984f5..a4ad7c594 100644
--- a/postfix/proto/stop.spell-proto-html
+++ b/postfix/proto/stop.spell-proto-html
@@ -346,3 +346,5 @@ rs
 subj
 wiki
 JÃ
+ng
+rsyslogd
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 4d5bd1f72..96d0bb6c4 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20220121"
-#define MAIL_VERSION_NUMBER	"3.7"
+#define MAIL_RELEASE_DATE	"20220123"
+#define MAIL_VERSION_NUMBER	"3.8"
 
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE
-- 
2.47.3