From 649a63ae62c2ebae181dfd76510f0e8dee3de2be Mon Sep 17 00:00:00 2001 From: Wietse Venema Date: Fri, 1 Sep 2023 00:00:00 -0500 Subject: [PATCH] postfix-3.9-20230901 --- postfix/HISTORY | 38 +++++++++++++++++---- postfix/README_FILES/LOCAL_RECIPIENT_README | 2 +- postfix/RELEASE_NOTES | 15 ++++++++ postfix/WISHLIST | 3 ++ postfix/html/LOCAL_RECIPIENT_README.html | 3 +- postfix/html/cleanup.8.html | 7 ++++ postfix/html/postconf.5.html | 23 +++++++++++-- postfix/man/man5/postconf.5 | 16 ++++++++- postfix/man/man8/cleanup.8 | 6 ++++ postfix/mantools/postlink | 1 + postfix/proto/LOCAL_RECIPIENT_README.html | 3 +- postfix/proto/postconf.proto | 19 +++++++++-- postfix/proto/stop.double-history | 1 + postfix/src/cleanup/cleanup.c | 6 ++++ postfix/src/cleanup/cleanup_init.c | 2 ++ postfix/src/cleanup/cleanup_message.c | 5 +++ postfix/src/dns/dns_lookup.c | 6 ++++ postfix/src/global/mail_params.h | 4 +++ postfix/src/global/mail_version.h | 2 +- 19 files changed, 147 insertions(+), 15 deletions(-) diff --git a/postfix/HISTORY b/postfix/HISTORY index 8038271b2..d80549b42 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -27300,10 +27300,11 @@ Apologies for any names omitted. 20230815 - Bugfix (bug introduced: 20140218): when opportunistic TLS fails - during or after the handshake, don't require that a probe - message has a minimum time-in-queue before falling back to - plaintext. Problem reported by Serg. File: smtp/smtp.h. + Bugfix (defect introduced: 20140218): when an address + verification probe fails during or after an opportunistic + TLS handshake, immediately fall back to plaintext, without + enforcing a minimum time-in-queue. Problem reported by Serg. + File: smtp/smtp.h. 20230820 
@@ -27320,9 +27321,34 @@ Apologies for any names omitted. but legitimate wildcard names (*.name) in some DNS lookup results and lookup requests. Examples: + name class/type value *.one.example IN CNAME *.other.example *.other.example IN A 10.0.0.1 *.other.example IN TLSA ..certificate info... - Reported first in the context of TLSA record lookups. - Files: util/valid_hostname.[hc], dns/dns_lookup.c. + Such syntax is blesed in RFC 1034 section 4.3.3. + + This problem was reported first in the context of TLSA + record lookups. Files: util/valid_hostname.[hc], + dns/dns_lookup.c. + +20230831 + + Documentation: clarify the scope of local_recipient_maps. + Files: proto/LOCAL_RECIPIENT_README.html, proto/postconf.proto. + + Documentation loose ends. Files: HISTORY, dns/dns_lookup.c. + +20230901 + + Feature: enforce_mime_input_conversion (default: no) to + convert content that claims to be 8-bit into quoted-printable, + before header_checks, body_checks, Milters, and before + after-queue content filters. The typical use case is an MTA + that applies this conversion before signing outbound messages, + so that the signatures will remain valid when a message is + later delivered to an MTA that does not announce 8BITMIME + support, or when a message line exceeds the SMTP length + limit. Files: global/mail_params.c, cleanup/cleanup_message.c, + cleanup/cleanup.c, cleanup/cleanup_init.c, proto/postconf.proto, + mantools/postlink. diff --git a/postfix/README_FILES/LOCAL_RECIPIENT_README b/postfix/README_FILES/LOCAL_RECIPIENT_README index ea4ce2546..c8b97bdd4 100644 --- a/postfix/README_FILES/LOCAL_RECIPIENT_README +++ b/postfix/README_FILES/LOCAL_RECIPIENT_README 
@@ -30,7 +30,7 @@ addresses of local recipients. A recipient address is local when its domain matches $mydestination, $inet_interfaces or $proxy_interfaces. If a local username or address is not listed in $local_recipient_maps, then the Postfix SMTP server will reject the address with "User unknown in local recipient -table". +table". Other Postfix interfaces may still accept an "unknown" recipient. The default setting, shown below, assumes that you use the default Postfix local(8) delivery agent for local delivery, where recipients are either UNIX diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index 7f24aa4b1..ddd29daff 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES @@ -26,6 +26,21 @@ now also distributed with the more recent Eclipse Public License license of their choice. Those who are more comfortable with the IPL can continue with that license. +Major changes with snapshot 20230901 +==================================== + +New parameter enforce_mime_input_conversion (default: no) to convert +content that claims to be 8-bit into quoted-printable, before +header_checks, body_checks, Milters, and before after-queue content +filters. This feature does not affect messages that are sent into +smtpd_proxy_filter. + +The typical use case is an MTA that applies this conversion before +signing outbound messages, so that the signatures will remain valid +when a message is later handled by an MTA that does not announce +8BITMIME support, or when a message line exceeds the SMTP length +limit. + Major changes with snapshot 20230807 ==================================== diff --git a/postfix/WISHLIST b/postfix/WISHLIST index 9f409b18b..5a860c18d 100644 --- a/postfix/WISHLIST +++ b/postfix/WISHLIST 
@@ -8,6 +8,9 @@ Wish list: postfix-install should mention makedefs.out. + Update DKIM examples for signing with the benefits of forced + MIME converison with "enforce_mime_input_conversion = yes" + Deprecate permit_mx_backup. It is fundamentally incompatible with recipient address validation. There is no way to fix that: reject_unverified_recipient requires that the domain is reachable, diff --git a/postfix/html/LOCAL_RECIPIENT_README.html b/postfix/html/LOCAL_RECIPIENT_README.html index a3a363600..5a614e0cc 100644 --- a/postfix/html/LOCAL_RECIPIENT_README.html +++ b/postfix/html/LOCAL_RECIPIENT_README.html @@ -57,7 +57,8 @@ all names or addresses of local recipients. A recipient address is local when its domain matches $mydestination, $inet_interfaces or $proxy_interfaces. If a local username or address is not listed in $local_recipient_maps, then the Postfix SMTP server will reject -the address with "User unknown in local recipient table".

+the address with "User unknown in local recipient table". Other +Postfix interfaces may still accept an "unknown" recipient.

The default setting, shown below, assumes that you use the default Postfix local(8) delivery agent for local delivery, where diff --git a/postfix/html/cleanup.8.html b/postfix/html/cleanup.8.html index 6ee8804e4..442ce03db 100644 --- a/postfix/html/cleanup.8.html +++ b/postfix/html/cleanup.8.html @@ -513,6 +513,13 @@ CLEANUP(8) CLEANUP(8) The email address form that will be used in non-debug logging (info, warning, etc.). + Available in Postfix 3.9 and later: + + enforce_mime_input_conversion (no) + Convert content that claims to be 8-bit into quoted-printable, + before header_checks, body_checks, Milters, and before + after-queue content filters. + FILES /etc/postfix/canonical*, canonical mapping table /etc/postfix/virtual*, virtual mapping table diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 0f895dcf1..d9bc50bc6 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -3423,6 +3423,25 @@ instead of deleting only the non-delivery notification.

This feature is available in Postfix 3.6 and later.

+ + +
enforce_mime_input_conversion +(default: no)
+ +

Convert content that claims to be 8-bit into quoted-printable, +before header_checks, body_checks, Milters, and before after-queue +content filters. This feature does not affect messages that are +sent into smtpd_proxy_filter.

+ +

The typical use case is an MTA that applies this conversion +before signing outbound messages, so that the signatures will remain +valid when a message is later delivered to an MTA that does not +announce 8BITMIME support, or when a message line exceeds the SMTP +length limit.

+ +

This feature is available in Postfix ≥ 3.9.

+ +
error_notice_recipient @@ -6176,8 +6195,8 @@ until a match is found.

If this parameter is non-empty (the default), then the Postfix SMTP -server will reject mail for unknown local users. -

+server will reject mail for unknown local users. Other Postfix +interfaces may still accept an "unknown" recipient.

To turn off local recipient checking in the Postfix SMTP server, diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 553d07411..8ddb007c2 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -2206,6 +2206,19 @@ instead of deleting only the non\-delivery notification. .br .PP This feature is available in Postfix 3.6 and later. +.SH enforce_mime_input_conversion (default: no) +Convert content that claims to be 8\-bit into quoted\-printable, +before header_checks, body_checks, Milters, and before after\-queue +content filters. This feature does not affect messages that are +sent into smtpd_proxy_filter. +.PP +The typical use case is an MTA that applies this conversion +before signing outbound messages, so that the signatures will remain +valid when a message is later delivered to an MTA that does not +announce 8BITMIME support, or when a message line exceeds the SMTP +length limit. +.PP +This feature is available in Postfix >= 3.9. .SH error_notice_recipient (default: postmaster) The recipient of postmaster notifications about mail delivery problems that are caused by policy, resource, software or protocol @@ -3820,7 +3833,8 @@ whitespace or comma. Tables will be searched in the specified order until a match is found. .PP If this parameter is non\-empty (the default), then the Postfix SMTP -server will reject mail for unknown local users. +server will reject mail for unknown local users. Other Postfix +interfaces may still accept an "unknown" recipient. .PP To turn off local recipient checking in the Postfix SMTP server, specify "local_recipient_maps =" (i.e. empty). diff --git a/postfix/man/man8/cleanup.8 b/postfix/man/man8/cleanup.8 index a6bec00c0..d9170647e 100644 --- a/postfix/man/man8/cleanup.8 +++ b/postfix/man/man8/cleanup.8 
@@ -459,6 +459,12 @@ Available in Postfix 3.5 and later: .IP "\fBinfo_log_address_format (external)\fR" The email address form that will be used in non\-debug logging (info, warning, etc.). +.PP +Available in Postfix 3.9 and later: +.IP "\fBenforce_mime_input_conversion (no)\fR" +Convert content that claims to be 8\-bit into quoted\-printable, +before header_checks, body_checks, Milters, and before after\-queue +content filters. .SH "FILES" .na .nf diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink index 59b2716ea..54d29adb3 100755 --- a/postfix/mantools/postlink +++ b/postfix/mantools/postlink @@ -169,6 +169,7 @@ while (<>) { s;\bdisable_dns_lookups\b;$&;g; s;\bdisable_mime_input_processing\b;$&;g; s;\bdisable_mime_output_conversion\b;$&;g; + s;\benforce_mime_input_conversion\b;$&;g; s;\bdisable_verp_bounces\b;$&;g; s;\bdisable_vrfy_command\b;$&;g; s;\bdont_remove\b;$&;g; diff --git a/postfix/proto/LOCAL_RECIPIENT_README.html b/postfix/proto/LOCAL_RECIPIENT_README.html index a06b81f2e..2cb3fb296 100644 --- a/postfix/proto/LOCAL_RECIPIENT_README.html +++ b/postfix/proto/LOCAL_RECIPIENT_README.html @@ -57,7 +57,8 @@ all names or addresses of local recipients. A recipient address is local when its domain matches $mydestination, $inet_interfaces or $proxy_interfaces. If a local username or address is not listed in $local_recipient_maps, then the Postfix SMTP server will reject -the address with "User unknown in local recipient table".

+the address with "User unknown in local recipient table". Other +Postfix interfaces may still accept an "unknown" recipient.

The default setting, shown below, assumes that you use the default Postfix local(8) delivery agent for local delivery, where diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index c47af13c3..6de5a6c3b 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -2468,8 +2468,8 @@ until a match is found.

If this parameter is non-empty (the default), then the Postfix SMTP -server will reject mail for unknown local users. -

+server will reject mail for unknown local users. Other Postfix +interfaces may still accept an "unknown" recipient.

To turn off local recipient checking in the Postfix SMTP server, @@ -19026,3 +19026,18 @@ SMTP client input. This feature is enabled by default with Postfix

This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6, 3.6.10, and 3.5.20.

+ +%PARAM enforce_mime_input_conversion no + +

Convert content that claims to be 8-bit into quoted-printable, +before header_checks, body_checks, Milters, and before after-queue +content filters. This feature does not affect messages that are +sent into smtpd_proxy_filter.

+ +

The typical use case is an MTA that applies this conversion +before signing outbound messages, so that the signatures will remain +valid when a message is later delivered to an MTA that does not +announce 8BITMIME support, or when a message line exceeds the SMTP +length limit.

+ +

This feature is available in Postfix ≥ 3.9.

diff --git a/postfix/proto/stop.double-history b/postfix/proto/stop.double-history index d0e837eb9..2fb2cee88 100644 --- a/postfix/proto/stop.double-history +++ b/postfix/proto/stop.double-history @@ -65,3 +65,4 @@ proto proto aliases proto virtual proto ADDRESS_REWRITING_README html reported by Serg File smtp smtp h smtp lmtp_params c smtp smtp c smtp smtp_params c plaintext Problem reported by Serg File smtp smtp h + cleanup cleanup c cleanup cleanup_init c proto postconf proto diff --git a/postfix/src/cleanup/cleanup.c b/postfix/src/cleanup/cleanup.c index b1f475dcc..ab9ae249e 100644 --- a/postfix/src/cleanup/cleanup.c +++ b/postfix/src/cleanup/cleanup.c @@ -427,6 +427,12 @@ /* .IP "\fBinfo_log_address_format (external)\fR" /* The email address form that will be used in non-debug logging /* (info, warning, etc.). +/* .PP +/* Available in Postfix 3.9 and later: +/* .IP "\fBenforce_mime_input_conversion (no)\fR" +/* Convert content that claims to be 8-bit into quoted-printable, +/* before header_checks, body_checks, Milters, and before after-queue +/* content filters. /* FILES /* /etc/postfix/canonical*, canonical mapping table /* /etc/postfix/virtual*, virtual mapping table diff --git a/postfix/src/cleanup/cleanup_init.c b/postfix/src/cleanup/cleanup_init.c index 8c43a0212..a25068dd9 100644 --- a/postfix/src/cleanup/cleanup_init.c +++ b/postfix/src/cleanup/cleanup_init.c @@ -174,6 +174,7 @@ int var_auto_8bit_enc_hdr; /* auto-detect 8bit encoding header */ int var_always_add_hdrs; /* always add missing headers */ int var_virt_addrlen_limit; /* stop exponential growth */ char *var_hfrom_format; /* header_from_format */ +int var_enforce_mime_iconv; /* enforce mime downgrade on input */ const CONFIG_INT_TABLE cleanup_int_table[] = { VAR_HOPCOUNT_LIMIT, DEF_HOPCOUNT_LIMIT, &var_hopcount_limit, 1, 0, 
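Review bot: The new parameter text in the cleanup.c manual section says the conversion runs before header_checks, body_checks and Milters, but it does not spell out the consequence for operators: those checks then inspect the quoted-printable form, so body_checks patterns written against raw 8-bit bytes, and patterns spanning a line that a QP soft line break now splits, stop matching once `enforce_mime_input_conversion = yes`. I would add one sentence after the description, `/* Note: header_checks, body_checks and Milters then see the quoted-printable form, not the original 8-bit bytes. */`, and mirror it in postconf.proto. Whether content that claims 7bit but carries 8-bit bytes is also converted is not visible in this hunk; if it is not, the phrase "claims to be 8-bit" should say that explicitly so operators do not assume it sanitizes mislabeled content.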
@@ -190,6 +191,7 @@ const CONFIG_BOOL_TABLE cleanup_bool_table[] = { VAR_VERP_BOUNCE_OFF, DEF_VERP_BOUNCE_OFF, &var_verp_bounce_off, VAR_AUTO_8BIT_ENC_HDR, DEF_AUTO_8BIT_ENC_HDR, &var_auto_8bit_enc_hdr, VAR_ALWAYS_ADD_HDRS, DEF_ALWAYS_ADD_HDRS, &var_always_add_hdrs, + VAR_ENFORCE_MIME_ICONV, DEF_ENFORCE_MIME_ICONV, &var_enforce_mime_iconv, 0, }; diff --git a/postfix/src/cleanup/cleanup_message.c b/postfix/src/cleanup/cleanup_message.c index f2b86d05b..3eb893863 100644 --- a/postfix/src/cleanup/cleanup_message.c +++ b/postfix/src/cleanup/cleanup_message.c @@ -1052,6 +1052,9 @@ void cleanup_message(CLEANUP_STATE *state, int type, const char *buf, ssize_t */ mime_options = 0; if (var_disable_mime_input) { + if (var_enforce_mime_iconv) + msg_fatal("do not specify both %s=yes and %s=yes", + VAR_DISABLE_MIME_INPUT, VAR_ENFORCE_MIME_ICONV); mime_options |= MIME_OPT_DISABLE_MIME; } else { /* Turn off content checks if bouncing or forwarding mail. */ @@ -1068,6 +1071,8 @@ void cleanup_message(CLEANUP_STATE *state, int type, const char *buf, ssize_t || *var_nesthdr_checks) mime_options |= MIME_OPT_REPORT_NESTING; } + if (var_enforce_mime_iconv) + mime_options |= MIME_OPT_DOWNGRADE; } state->mime_state = mime_state_alloc(mime_options, cleanup_header_callback, diff --git a/postfix/src/dns/dns_lookup.c b/postfix/src/dns/dns_lookup.c index 06028c804..bccdd83f5 100644 --- a/postfix/src/dns/dns_lookup.c +++ b/postfix/src/dns/dns_lookup.c 
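Review bot: The `msg_fatal()` for `disable_mime_input_processing = yes` combined with `enforce_mime_input_conversion = yes` sits inside cleanup_message(), so a conflicting main.cf is only noticed when a message reaches the MIME stage, and each cleanup(8) child then dies with a message in hand until master(8) throttles the service. A conflict between two boolean parameters is better rejected once at process startup, in the cleanup(8) initialization code, with the same text: `if (var_disable_mime_input && var_enforce_mime_iconv) msg_fatal("do not specify both %s=yes and %s=yes", VAR_DISABLE_MIME_INPUT, VAR_ENFORCE_MIME_ICONV);`. The per-message check could then go, leaving only the `MIME_OPT_DOWNGRADE` assignment in the else branch. I cannot see the initialization hooks in this diff, so if one already performs such a check the per-message copy is merely redundant rather than wrong; the remainder of cleanup_message() also lies outside the hunk.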
@@ -85,6 +85,12 @@ /* an invalid name is reported as a DNS_INVAL result, while /* malformed replies are reported as transient errors. /* +/* Note: in dns_lookup*() results and queries, a name may start +/* with a "*" label, which is valid according to RFC 1034 +/* section 4.3.3. Such a name will not pass valid_hostname() +/* checks in the rest of Postfix, because it is not a valid +/* host or domain name. +/* /* dns_get_h_errno() returns the last error. This deprecates /* usage of the global h_errno variable. We should not rely /* on that being updated. diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index 1d964b496..649b8290a 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -3088,6 +3088,10 @@ extern bool var_disable_mime_input; #define DEF_DISABLE_MIME_OCONV 0 extern bool var_disable_mime_oconv; +#define VAR_ENFORCE_MIME_ICONV "enforce_mime_input_conversion" +#define DEF_ENFORCE_MIME_ICONV 0 +extern bool var_enforce_mime_iconv; + #define VAR_STRICT_8BITMIME "strict_8bitmime" #define DEF_STRICT_8BITMIME 0 extern bool var_strict_8bitmime; diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 7d6a25f33..e85db1d76 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20230821" +#define MAIL_RELEASE_DATE "20230901" #define MAIL_VERSION_NUMBER "3.9" #ifdef SNAPSHOT -- 2.47.3
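Review bot: The HISTORY entry for 20230901 lists `global/mail_params.c` among the changed files, but the diffstat and this hunk show only `global/mail_params.h` changing, with the variable itself defined in cleanup_init.c; the HISTORY line should presumably read `global/mail_params.h` so that someone tracing the feature does not look for a mail_params.c change that does not exist. The `extern bool` declaration paired with the `int` definition in cleanup_init.c follows the pattern of the neighbouring parameters in that table, so that is consistent as-is. A short comment next to the new `#define`s would save the next reader a trip to cleanup_message.c, e.g. `/* Mutually exclusive with disable_mime_input_processing=yes; see cleanup_message.c. */`.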