From 80ea97106eb08e45082801b237a8bf13990623d4 Mon Sep 17 00:00:00 2001 From: Wietse Venema Date: Fri, 23 Nov 2012 00:00:00 -0500 Subject: [PATCH] postfix-2.10-20121123 --- postfix/HISTORY | 41 +++++++++++++ postfix/Makefile.in | 2 +- postfix/README_FILES/POSTSCREEN_README | 37 +++++++----- postfix/README_FILES/SASL_README | 3 +- postfix/README_FILES/TLS_README | 6 +- postfix/RELEASE_NOTES | 14 +++++ postfix/WISHLIST | 4 ++ postfix/html/POSTSCREEN_README.html | 56 +++++++++++------- postfix/html/SASL_README.html | 2 +- postfix/html/TLS_README.html | 6 +- postfix/html/memcache_table.5.html | 71 +++++++++++++---------- postfix/makedefs | 1 + postfix/man/man5/memcache_table.5 | 43 ++++++++------ postfix/proto/POSTSCREEN_README.html | 56 +++++++++++------- postfix/proto/SASL_README.html | 2 +- postfix/proto/TLS_README.html | 6 +- postfix/proto/memcache_table | 43 ++++++++------ postfix/src/global/mail_version.h | 2 +- postfix/src/postscreen/postscreen.h | 8 +++ postfix/src/postscreen/postscreen_smtpd.c | 48 ++++++++++----- postfix/src/postscreen/postscreen_state.c | 1 + postfix/src/qmqpd/qmqpd.c | 2 +- postfix/src/smtpd/smtpd_check.c | 12 +++- 23 files changed, 311 insertions(+), 155 deletions(-) diff --git a/postfix/HISTORY b/postfix/HISTORY index abae11cae..485b4298f 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -18079,3 +18079,44 @@ Apologies for any names omitted. Bugfix: smtpd_relay_restrictions compatibility shim did not detect "empty" value. Sahil Tandon. The same problem existed with the inet_protocols shim. File: conf/post-install. + +20121105 + + Cleanup: the postscreen(8) "deep protocol" tests now log + the SMTP command that precedes a protocol violation. Files: + postscreen/postscreen_smtpd.c, proto/POSTSCREEN_README.html. + + Bugfix (introduced: Postfix 1.1): wrong string termination + when handling a MBOX From_ line at the start of a message. + File: qmqpd/qmqpd.c. + +20121110 + + Cleanup: specify $(WARN) on the MacOS X compiler command + line to suppress "nested comment" and possibly other unwanted + warnings. Problem reported by Jim Reid. File: makedefs, + Makefile.in. + +20121119 + + Documentation: added a note that key_format is required + when postscreen(8) and verify(8) share the same memcache + (with different persistent backup databases, or course) + otherwise automatic cache cleanup breaks due to a name + collision for the "last cache cleanup" database record. + File: proto/memcache. + +20121122 + + Cleanup: the safety-check for smtpd_recipient_restrictions + and smtpd_relay_restrictions now detects permit before + reject. File: smtpd/smtpd_check.c. + + Cleanup: the safety-check for smtpd_recipient_restrictions + and smtpd_relay_restrictions is no longer case-sensitive. + File: smtpd/smtpd_check.c. + +20121123 + + Cleanup: consistent escaping of commands in postscreen deep + protocol test logging. File: postscreen/postscreen_smtpd.c. diff --git a/postfix/Makefile.in b/postfix/Makefile.in index e45ba73a0..a16c89fdf 100644 --- a/postfix/Makefile.in +++ b/postfix/Makefile.in @@ -1,5 +1,5 @@ SHELL = /bin/sh -WARN = -Wmissing-prototypes -Wformat +WARN = -Wmissing-prototypes -Wformat -Wno-comment OPTS = 'CC=$(CC)' DIRS = src/util src/global src/dns src/tls src/xsasl src/milter src/master \ src/postfix src/fsstone src/smtpstone \ diff --git a/postfix/README_FILES/POSTSCREEN_README b/postfix/README_FILES/POSTSCREEN_README index 4a1d66498..6c59a5d14 100644 --- a/postfix/README_FILES/POSTSCREEN_README +++ b/postfix/README_FILES/POSTSCREEN_README @@ -18,17 +18,17 @@ by allowing whitelisted clients to skip tests, postscreen(8) minimizes its impact on legitimate email traffic. postscreen(8) should not be used on SMTP ports that receive mail from end-user -clients (MUAs). In a typical deployment, postscreen(8) is used on the "port 25" -service, while MUA clients submit mail via the submission service (port 587) -which normally requires client authentication, or via a "port 25" server that -provides no MX service (i.e. a dedicated server that provides submission -service on port 25). +clients (MUAs). In a typical deployment, postscreen(8) handles the MX service +on TCP port 25, while MUA clients submit mail via the submission service on TCP +port 587 which requires client authentication. Alternatively, a site could set +up a dedicated, non-postscreen, "port 25" server that provides submission +service and client authentication, but no MX service. postscreen(8) is part of a multi-layer defense. * As the first layer, postscreen(8) blocks connections from zombies and other spambots that are responsible for about 90% of all spam. It is implemented - as a single process to make this defense as cheap as possible. + as a single process to make this defense as inexpensive as possible. * The second layer implements more complex SMTP-level access checks with Postfix SMTP servers, policy daemons, and Milter applications. @@ -415,11 +415,12 @@ in SMTP engine anyway. This is to make postscreen(8) logging more informative. When a client sends non-SMTP commands, postscreen(8) logs this as: - NNOONN--SSMMTTPP CCOOMMMMAANNDD ffrroomm [address]:port command + NNOONN--SSMMTTPP CCOOMMMMAANNDD ffrroomm [address]:port aafftteerr command: text Translation: the SMTP client at [address]:port sent a command that matches the postscreen_forbidden_commands parameter, or that has the syntax of a message -header label. +header label (text followed by optional space and ":"). The "aafftteerr command" +portion is logged with Postfix 2.10 and later. The postscreen_non_smtp_command_action parameter specifies the action that is taken next. See "When tests fail after the 220 SMTP server greeting" below. @@ -439,10 +440,11 @@ in SMTP engine anyway. This is to make postscreen(8) logging more informative. When a client sends bare newline characters, postscreen(8) logs this as: - BBAARREE NNEEWWLLIINNEE ffrroomm [address]:port + BBAARREE NNEEWWLLIINNEE ffrroomm [address]:port aafftteerr command Translation: the SMTP client at [address]:port sent a bare newline character, -that is newline not preceded by carriage return. +that is newline not preceded by carriage return. The "aafftteerr command" portion is +logged with Postfix 2.10 and later. The postscreen_bare_newline_action parameter specifies the action that is taken next. See "When tests fail after the 220 SMTP server greeting" below. @@ -484,23 +486,26 @@ The following errors are reported by the built-in SMTP engine. This engine never accepts mail, therefore it has per-session limits on the number of commands and on the session length. - CCOOMMMMAANNDD TTIIMMEE LLIIMMIITT ffrroomm [address]:port + CCOOMMMMAANNDD TTIIMMEE LLIIMMIITT ffrroomm [address]:port aafftteerr command Translation: the SMTP client at [address]:port reached the per-command time limit as specified with the postscreen_command_time_limit parameter. The -session is terminated immediately. +session is terminated immediately. The "aafftteerr command" portion is logged with +Postfix 2.10 and later. - CCOOMMMMAANNDD CCOOUUNNTT LLIIMMIITT ffrroomm [address]:port + CCOOMMMMAANNDD CCOOUUNNTT LLIIMMIITT ffrroomm [address]:port aafftteerr command Translation: the SMTP client at [address]:port reached the per-session command count limit as specified with the postscreen_command_count_limit parameter. The -session is terminated immediately. +session is terminated immediately. The "aafftteerr command" portion is logged with +Postfix 2.10 and later. - CCOOMMMMAANNDD LLEENNGGTTHH LLIIMMIITT ffrroomm [address]:port + CCOOMMMMAANNDD LLEENNGGTTHH LLIIMMIITT ffrroomm [address]:port aafftteerr command Translation: the SMTP client at [address]:port reached the per-command length limit, as specified with the line_length_limit parameter. The session is -terminated immediately. +terminated immediately. The "aafftteerr command" portion is logged with Postfix 2.10 +and later. When an SMTP client makes too many connections at the same time, or when all postscreen(8) ports are busy, postscreen(8) rejects the connection with a 421 diff --git a/postfix/README_FILES/SASL_README b/postfix/README_FILES/SASL_README index 5d8bbaa6b..c35481991 100644 --- a/postfix/README_FILES/SASL_README +++ b/postfix/README_FILES/SASL_README @@ -55,7 +55,8 @@ different steps: addresses the client may use. Successful authentication in the Postfix SMTP server requires a functional SASL -framework. Configuring SASL should therefore always be the first step. +framework. Configuring SASL should therefore always be the first step, before +configuring Postfix. You can read more about the following topics: diff --git a/postfix/README_FILES/TLS_README b/postfix/README_FILES/TLS_README index c716989ea..4694f931f 100644 --- a/postfix/README_FILES/TLS_README +++ b/postfix/README_FILES/TLS_README @@ -147,7 +147,7 @@ Their DSA counterparts: smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem smtpd_tls_dkey_file = $smtpd_tls_dcert_file -Their ECDSA counterparts (Postfix >= 2.6 + OpenSSL >= 0.9.9): +Their ECDSA counterparts (Postfix >= 2.6 + OpenSSL >= 1.0.0): /etc/postfix/main.cf: # Most clients will not be ECDSA capable, so you will likely also need @@ -540,7 +540,7 @@ To generate your own set of DH parameters, use: % ooppeennssssll ggeennddhh --oouutt //eettcc//ppoossttffiixx//ddhh__11002244..ppeemm --22 11002244 Support for elliptic curve cryptography is available with Postfix 2.6 and -OpenSSL 0.9.9 or later. To enable ephemeral elliptic curve Diffie-Hellman +OpenSSL 1.0.0 or later. To enable ephemeral elliptic curve Diffie-Hellman (EECDH) key-exchange, set "smtpd_tls_eecdh_grade = strong" or "smtpd_tls_eecdh_grade = ultra". The "ultra" setting is substantially more CPU intensive, and "strong" is sufficiently secure for most situations. @@ -1085,7 +1085,7 @@ Their DSA counterparts: smtp_tls_dcert_file = /etc/postfix/client-dsa.pem smtp_tls_dkey_file = $smtp_tls_dcert_file -Their ECDSA counterparts (Postfix >= 2.6 + OpenSSL >= 0.9.9): +Their ECDSA counterparts (Postfix >= 2.6 + OpenSSL >= 1.0.0): /etc/postfix/main.cf: smtp_tls_eccert_file = /etc/postfix/client-ecdsa.pem diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index 117af91e9..dfb95f1f2 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES @@ -14,6 +14,20 @@ specifies the release date of a stable release or snapshot release. If you upgrade from Postfix 2.8 or earlier, read RELEASE_NOTES-2.9 before proceeding. +Incompatible changes with snapshot 20121123 +=========================================== + +The postscreen deep protocol tests now log the last command before +a protocol error ("UNIMPLEMENTED" when the last command is not +implemented, "CONNECT" when there was no prior command). The +changed logfile messages are: + +NON-SMTP COMMAND from [address]:port after command: text +BARE NEWLINE from [address]:port after command +COMMAND TIME LIMIT from [address]:port after command +COMMAND COUNT LIMIT from [address]:port after command +COMMAND LENGTH LIMIT from [address]:port after command + Incompatible changes with snapshot 20121007 =========================================== diff --git a/postfix/WISHLIST b/postfix/WISHLIST index 8a5399412..b9dd0be81 100644 --- a/postfix/WISHLIST +++ b/postfix/WISHLIST @@ -11,6 +11,10 @@ Wish list: Don't forget Apple's code donation for fetching mail from IMAP server. + smtpd_muble_restrictions rule names are case-insensitive. + restriction_classes values are case-sensitive but should + be case-insensitive for consistency with smtpd_muble_restrictions. + Make "rename" the default when postmapping a DB file (later: use copy+rename for postmap -i, postmap -d). diff --git a/postfix/html/POSTSCREEN_README.html b/postfix/html/POSTSCREEN_README.html index f2ded3c7c..ba47369e9 100644 --- a/postfix/html/POSTSCREEN_README.html +++ b/postfix/html/POSTSCREEN_README.html @@ -35,11 +35,11 @@ pass its tests; by allowing whitelisted clients to skip tests,

postscreen(8) should not be used on SMTP ports that receive mail from end-user clients (MUAs). In a typical deployment, -postscreen(8) is used on the "port 25" service, while MUA clients -submit mail via the submission service (port 587) which normally -requires client authentication, or via a "port 25" server that -provides no MX service (i.e. a dedicated server that provides -submission service on port 25).

+postscreen(8) handles the MX service on TCP port 25, while MUA +clients submit mail via the submission service on TCP port 587 which +requires client authentication. Alternatively, a site could set up +a dedicated, non-postscreen, "port 25" server that provides submission +service and client authentication, but no MX service.

postscreen(8) is part of a multi-layer defense.

@@ -48,11 +48,12 @@ submission service on port 25).

  • As the first layer, postscreen(8) blocks connections from zombies and other spambots that are responsible for about 90% of all spam. It is implemented as a single process to make this defense -as cheap as possible.

    +as inexpensive as possible.

  • The second layer implements more complex SMTP-level access -checks with Postfix SMTP servers, policy daemons, and Milter -applications.

    +checks with Postfix SMTP servers, +policy daemons, and +Milter applications.

  • The third layer performs light-weight content inspection with the Postfix built-in header_checks and body_checks. This can @@ -60,8 +61,10 @@ block unacceptable attachments such as executable programs, and worms or viruses with easy-to-recognize signatures.

  • The fourth layer provides heavy-weight content inspection -with external content filters. Typical examples are Amavisd-new, -SpamAssassin, and Milter applications.

    +with external content filters. Typical examples are Amavisd-new, SpamAssassin, and Milter applications.

    @@ -562,12 +565,15 @@ logging more informative.

    as: 

    -    NON-SMTP COMMAND from [address]:port command
+    NON-SMTP COMMAND from [address]:port after command: text

    Translation: the SMTP client at [address]:port sent a -command that matches the postscreen_forbidden_commands -parameter, or that has the syntax of a message header label.

    +command that matches the postscreen_forbidden_commands +parameter, or that has the syntax of a message header label (text +followed by optional space and ":"). +The "after command" portion is logged with +Postfix 2.10 and later.

    The postscreen_non_smtp_command_action parameter specifies the action that is taken next. See "When @@ -594,12 +600,14 @@ this as: 

    -    BARE NEWLINE from [address]:port
+    BARE NEWLINE from [address]:port after command

    Translation: the SMTP client at [address]:port sent a bare newline character, that is newline not preceded by carriage -return.

    +return. +The "after command" portion is logged with +Postfix 2.10 and later.

    The postscreen_bare_newline_action parameter specifies the action that is taken next. See "When @@ -676,29 +684,35 @@ This engine never accepts mail, therefore it has per-session limits on the number of commands and on the session length. 

    -    COMMAND TIME LIMIT from [address]:port
+    COMMAND TIME LIMIT from [address]:port after command

    Translation: the SMTP client at [address]:port reached the per-command time limit as specified with the postscreen_command_time_limit -parameter. The session is terminated immediately.

    +parameter. The session is terminated immediately. +The "after command" portion is logged with +Postfix 2.10 and later. 

    -    COMMAND COUNT LIMIT from [address]:port
+    COMMAND COUNT LIMIT from [address]:port after command

    Translation: the SMTP client at [address]:port reached the per-session command count limit as specified with the postscreen_command_count_limit parameter. The session is terminated -immediately.

    +immediately. +The "after command" portion is logged with +Postfix 2.10 and later. 

    -    COMMAND LENGTH LIMIT from [address]:port
+    COMMAND LENGTH LIMIT from [address]:port after command

    Translation: the SMTP client at [address]:port reached the per-command length limit, as specified with the line_length_limit -parameter. The session is terminated immediately.

    +parameter. The session is terminated immediately. +The "after command" portion is logged with +Postfix 2.10 and later.

    When an SMTP client makes too many connections at the same time, or when all postscreen(8) ports are busy, postscreen(8) rejects the diff --git a/postfix/html/SASL_README.html b/postfix/html/SASL_README.html index 18ed0cf01..f39feefcd 100644 --- a/postfix/html/SASL_README.html +++ b/postfix/html/SASL_README.html @@ -87,7 +87,7 @@ what envelope sender addresses the client may use.

    • Successful authentication in the Postfix SMTP server requires a functional SASL framework. Configuring SASL should therefore -always be the first step.

    +always be the first step, before configuring Postfix.

    You can read more about the following topics:

    diff --git a/postfix/html/TLS_README.html b/postfix/html/TLS_README.html index 8459dc318..cea177f4a 100644 --- a/postfix/html/TLS_README.html +++ b/postfix/html/TLS_README.html @@ -245,7 +245,7 @@ $smtpd_tls_CAfile or install it i -

    Their ECDSA counterparts (Postfix ≥ 2.6 + OpenSSL ≥ 0.9.9):

    +

    Their ECDSA counterparts (Postfix ≥ 2.6 + OpenSSL ≥ 1.0.0): 

    @@ -773,7 +773,7 @@ settings.

    Support for elliptic curve cryptography is available with Postfix -2.6 and OpenSSL 0.9.9 or later. To enable ephemeral elliptic curve +2.6 and OpenSSL 1.0.0 or later. To enable ephemeral elliptic curve Diffie-Hellman (EECDH) key-exchange, set "smtpd_tls_eecdh_grade = strong" or "smtpd_tls_eecdh_grade = ultra". The "ultra" setting is substantially more CPU intensive, and "strong" is sufficiently @@ -1474,7 +1474,7 @@ $smtp_tls_CAfile or install it in -

    Their ECDSA counterparts (Postfix ≥ 2.6 + OpenSSL ≥ 0.9.9):

    +

    Their ECDSA counterparts (Postfix ≥ 2.6 + OpenSSL ≥ 1.0.0): 

    diff --git a/postfix/html/memcache_table.5.html b/postfix/html/memcache_table.5.html
index 36af14727..ce087b74f 100644
--- a/postfix/html/memcache_table.5.html
+++ b/postfix/html/memcache_table.5.html
@@ -69,57 +69,68 @@ MEMCACHE_TABLE(5)                                            MEMCACHE_TABLE(5)
               Access to remote proxymap servers is under develop-
               ment.
 
-              NOTE  1: When using memcache with persistent backup
-              as postscreen(8) or verify(8) cache, disable  auto-
-              matic  cache cleanup (*_cache_cleanup_interval = 0)
-              in all Postfix instances except  for  one  instance
-              that will be responsible for cache cleanup.
-
-              NOTE  2:  In the case of a proxied backup database,
-              the  full  backup  database  name  (including   the
-              "proxy:"  prefix) must be specified in the proxymap
-              server's proxy_read_maps or  proxy_write_maps  set-
-              ting  (depending on whether the access is read-only
-              or read-write).
+              NOTE  1: When sharing a persistent postscreen(8) or
+              verify(8) cache, disable  automatic  cache  cleanup
+              (set  *_cache_cleanup_interval = 0) except with one
+              Postfix instance that will be responsible for cache
+              cleanup.
+
+              NOTE  2:  When different tables share the same mem-
+              cache database, each table should use the  key_for-
+              mat  feature  (see below) to prepend its own unique
+              string to the  lookup  key.   Otherwise,  automatic
+              postscreen(8)  or  verify(8)  cache cleanup may not
+              work.
+
+              NOTE 3: When the backup database is  accessed  with
+              "proxy:"  lookups,  the  full  backup database name
+              (including the "proxy:" prefix) must  be  specified
+              in   the   proxymap   server's  proxy_read_maps  or
+              proxy_write_maps setting (depending on whether  the
+              access is read-only or read-write).
 
        flags (default: 0)
-              Optional flags that should be stored along  with  a
+              Optional  flags  that should be stored along with a
               memcache update. The flags are ignored when looking
               up information.
 
        ttl (default: 3600)
               The expiration time in seconds of memcache updates.
 
-              NOTE   1:   When   using   a   memcache   table  as
+              NOTE  1:   When   using   a   memcache   table   as
               postscreen(8) or verify(8) cache without persistent
               backup,  specify  a  zero  *_cache_cleanup_interval
-              value with all Postfix instances that use the  mem-
-              cache,  and specify the largest postscreen(8) *_ttl
-              value or verify(8) *_expire_time value as the  mem-
+              value  with all Postfix instances that use the mem-
+              cache, and specify the largest postscreen(8)  *_ttl
+              value  or verify(8) *_expire_time value as the mem-
               cache table's ttl value.
 
-              NOTE  2:  According to memcache protocol documenta-
-              tion, a value greater than 30  days  (2592000  sec-
-              onds)  specifies absolute UNIX time. Smaller values
+              NOTE 2: According to memcache  protocol  documenta-
+              tion,  a  value  greater than 30 days (2592000 sec-
+              onds) specifies absolute UNIX time. Smaller  values
               are relative to the time of the update.
 
 MEMCACHE KEY PARAMETERS
        key_format (default: %s)
-              Format of the lookup and update  keys  in  memcache
-              requests.   By  default,  these are the same as the
-              lookup and update keys that are given to the  Post-
+              Format  of  the  lookup and update keys in memcache
+              requests.  By default, these are the  same  as  the
+              lookup  and update keys that are given to the Post-
               fix memcache client.
 
-              NOTE: The key_format feature is not used for backup
-              database requests.
+              NOTE 1: The key_format  feature  is  not  used  for
+              backup database requests.
 
-              When the same memcache database is  used  to  cache
-              information  from  multiple tables, you can use the
-              key_format feature  to  avoid  name  collisions  by
-              prepending a fixed string.  Examples:
+              NOTE  2:  When different tables share the same mem-
+              cache database, each table should prepend  its  own
+              unique  string to the lookup key.  Otherwise, auto-
+              matic postscreen(8) or verify(8) cache cleanup  may
+              not work.
+
+              Examples:
 
                   key_format = aliases:%s
-                  key_format = access:%s
+                  key_format = verify:%s
+                  key_format = postscreen:%s
 
               The key_format parameter supports the following '%'
               expansions:
diff --git a/postfix/makedefs b/postfix/makedefs
index 050c87878..f0151f35d 100644
--- a/postfix/makedefs
+++ b/postfix/makedefs
@@ -454,6 +454,7 @@ ReliantUNIX-?.5.43) SYSTYPE=ReliantUnix543
     Darwin.*)   SYSTYPE=MACOSX
 		# Use the native compiler by default
 		: ${CC=cc}
+		CCARGS="$CCARGS \$(WARN)"
 		# Darwin > 1.3 uses awk and flat_namespace
 		case $RELEASE in
 		 1.[0-3]) AWK=gawk;;
diff --git a/postfix/man/man5/memcache_table.5 b/postfix/man/man5/memcache_table.5
index 692cc8d34..9809420e3 100644
--- a/postfix/man/man5/memcache_table.5
+++ b/postfix/man/man5/memcache_table.5
@@ -74,18 +74,22 @@ information in the persistent database. Specify a Postfix
 
 Access to remote proxymap servers is under development.
 
-NOTE 1: When using memcache with persistent backup as
-\fBpostscreen\fR(8) or \fBverify\fR(8) cache, disable
-automatic cache cleanup (*_cache_cleanup_interval = 0) in
-all Postfix instances except for one instance that will be
-responsible for cache cleanup.
-
-NOTE 2: In the case of a proxied backup database, the full
-backup database
-name (including the "proxy:" prefix) must be specified in
-the proxymap server's proxy_read_maps or proxy_write_maps
-setting (depending on whether the access is read-only or
-read-write).
+NOTE 1: When sharing a persistent \fBpostscreen\fR(8) or
+\fBverify\fR(8) cache, disable automatic cache cleanup (set
+*_cache_cleanup_interval = 0) except with one Postfix
+instance that will be responsible for cache cleanup.
+
+NOTE 2: When different tables share the same memcache
+database, each table should use the \fBkey_format\fR feature
+(see below) to prepend its own unique string to the lookup
+key.  Otherwise, automatic \fBpostscreen\fR(8) or \fBverify\fR(8)
+cache cleanup may not work.
+
+NOTE 3: When the backup database is accessed with "proxy:"
+lookups, the full backup database name (including the
+"proxy:" prefix) must be specified in the proxymap server's
+proxy_read_maps or proxy_write_maps setting (depending on
+whether the access is read-only or read-write).
 .IP "\fBflags (default: 0)\fR"
 Optional flags that should be stored along with a memcache
 update. The flags are ignored when looking up information.
@@ -113,17 +117,20 @@ Format of the lookup and update keys in memcache requests.
 By default, these are the same as the lookup and update
 keys that are given to the Postfix memcache client.
 
-NOTE: The \fBkey_format\fR feature is not used for \fBbackup\fR
+NOTE 1: The \fBkey_format\fR feature is not used for \fBbackup\fR
 database requests.
 
-When the same memcache database is used to cache information
-from multiple tables, you can use the \fBkey_format\fR
-feature to avoid name collisions by prepending a fixed
-string.  Examples:
+NOTE 2: When different tables share the same memcache
+database, each table should prepend its own unique string
+to the lookup key.  Otherwise, automatic \fBpostscreen\fR(8)
+or \fBverify\fR(8) cache cleanup may not work.
+
+Examples:
 
 .nf
     key_format = aliases:%s
-    key_format = access:%s
+    key_format = verify:%s
+    key_format = postscreen:%s
 .fi
 
 The \fBkey_format\fR parameter supports the following '%'
diff --git a/postfix/proto/POSTSCREEN_README.html b/postfix/proto/POSTSCREEN_README.html
index fb10721af..c7a4f020e 100644
--- a/postfix/proto/POSTSCREEN_README.html
+++ b/postfix/proto/POSTSCREEN_README.html
@@ -35,11 +35,11 @@ postscreen(8) minimizes its impact on legitimate email traffic.
 
 
     postscreen(8) should not be used on SMTP ports that receive
 mail from end-user clients (MUAs). In a typical deployment,
-postscreen(8) is used on the "port 25" service, while MUA clients
-submit mail via the submission service (port 587) which normally
-requires client authentication, or via a "port 25" server that
-provides no MX service (i.e. a dedicated server that provides
-submission service on port 25). 
    
+postscreen(8) handles the MX service on TCP port 25, while MUA
+clients submit mail via the submission service on TCP port 587 which
+requires client authentication. Alternatively, a site could set up
+a dedicated, non-postscreen, "port 25" server that provides submission
+service and client authentication, but no MX service.  
    
 
 
     postscreen(8) is part of a multi-layer defense. 
    
 
@@ -48,11 +48,12 @@ submission service on port 25). 
    
 
  •  
     As the first layer, postscreen(8) blocks connections from
 zombies and other spambots that are responsible for about 90% of
 all spam.  It is implemented as a single process to make this defense
-as cheap as possible. 
    
+as inexpensive as possible. 
    
 
 
  •  
     The second layer implements more complex SMTP-level access
-checks with Postfix SMTP servers, policy daemons, and Milter
-applications. 
    
+checks with Postfix SMTP servers, 
+policy daemons, and 
+Milter applications. 
    
 
 
  •  
     The third layer performs light-weight content inspection
 with the Postfix built-in header_checks and body_checks. This can
@@ -60,8 +61,10 @@ block unacceptable attachments such as executable programs, and
 worms or viruses with easy-to-recognize signatures. 
    
 
 
  •  
     The fourth layer provides heavy-weight content inspection
-with external content filters. Typical examples are Amavisd-new,
-SpamAssassin, and Milter applications. 
    
+with external content filters. Typical examples are Amavisd-new, SpamAssassin, and Milter applications. 
    
 
 
 
@@ -562,12 +565,15 @@ logging more informative.  
    
 as: 
    
 
 
    -    NON-SMTP COMMAND from [address]:port command
+    NON-SMTP COMMAND from [address]:port after command: text
 
    
 
 
     Translation: the SMTP client at [address]:port sent a
-command that matches the postscreen_forbidden_commands
-parameter, or that has the syntax of a message header label. 
    
+command that matches the postscreen_forbidden_commands
+parameter, or that has the syntax of a message header label (text 
+followed by optional space and ":").
+The "after command" portion is logged with
+Postfix 2.10 and later. 
    
 
 
     The postscreen_non_smtp_command_action parameter specifies
 the action that is taken next.  See "When
@@ -594,12 +600,14 @@ this as:
 
    
 
 
    -    BARE NEWLINE from [address]:port
+    BARE NEWLINE from [address]:port after command
 
    
 
 
     Translation: the SMTP client at [address]:port sent a bare
 newline character, that is newline not preceded by carriage
-return. 
    
+return.
+The "after command" portion is logged with
+Postfix 2.10 and later. 
    
 
 
     The postscreen_bare_newline_action parameter specifies the
 action that is taken next.  See "When
@@ -676,29 +684,35 @@ This engine never accepts mail, therefore it has per-session limits
 on the number of commands and on the session length. 
    
 
 
    -    COMMAND TIME LIMIT from [address]:port
+    COMMAND TIME LIMIT from [address]:port after command
 
    
 
 
     Translation: the SMTP client at [address]:port reached the
 per-command time limit as specified with the postscreen_command_time_limit
-parameter.  The session is terminated immediately. 
    
+parameter.  The session is terminated immediately.
+The "after command" portion is logged with
+Postfix 2.10 and later. 
    
 
 
    -    COMMAND COUNT LIMIT from [address]:port
+    COMMAND COUNT LIMIT from [address]:port after command
 
    
 
 
     Translation: the SMTP client at [address]:port reached the
 per-session command count limit as specified with the
 postscreen_command_count_limit parameter.  The session is terminated
-immediately. 
    
+immediately.
+The "after command" portion is logged with
+Postfix 2.10 and later. 
    
 
 
    -    COMMAND LENGTH LIMIT from [address]:port
+    COMMAND LENGTH LIMIT from [address]:port after command
 
    
 
 
     Translation: the SMTP client at [address]:port reached the
 per-command length limit, as specified with the line_length_limit
-parameter.  The session is terminated immediately. 
    
+parameter.  The session is terminated immediately.
+The "after command" portion is logged with
+Postfix 2.10 and later. 
    
 
 
     When an SMTP client makes too many connections at the same time,
 or when all postscreen(8) ports are busy, postscreen(8) rejects the
diff --git a/postfix/proto/SASL_README.html b/postfix/proto/SASL_README.html
index 1581b5efb..1146a36a1 100644
--- a/postfix/proto/SASL_README.html
+++ b/postfix/proto/SASL_README.html
@@ -87,7 +87,7 @@ what envelope sender addresses the client may use. 
     
    • 
 
 
     Successful authentication in the Postfix SMTP server requires
 a functional SASL framework. Configuring SASL should therefore
-always be the first step. 
    
+always be the first step, before configuring Postfix. 
    
 
 
     You can read more about the following topics: 
    
 
diff --git a/postfix/proto/TLS_README.html b/postfix/proto/TLS_README.html
index 960f7d299..f0b2f94f5 100644
--- a/postfix/proto/TLS_README.html
+++ b/postfix/proto/TLS_README.html
@@ -245,7 +245,7 @@ $smtpd_tls_CAfile or install it in the $smtpd_tls_CApath directory.
    -

    Their ECDSA counterparts (Postfix ≥ 2.6 + OpenSSL ≥ 0.9.9):

    +

    Their ECDSA counterparts (Postfix ≥ 2.6 + OpenSSL ≥ 1.0.0): 

    @@ -773,7 +773,7 @@ settings.

    Support for elliptic curve cryptography is available with Postfix -2.6 and OpenSSL 0.9.9 or later. To enable ephemeral elliptic curve +2.6 and OpenSSL 1.0.0 or later. To enable ephemeral elliptic curve Diffie-Hellman (EECDH) key-exchange, set "smtpd_tls_eecdh_grade = strong" or "smtpd_tls_eecdh_grade = ultra". The "ultra" setting is substantially more CPU intensive, and "strong" is sufficiently @@ -1474,7 +1474,7 @@ $smtp_tls_CAfile or install it in the $smtp_tls_CApath directory.

    -

    Their ECDSA counterparts (Postfix ≥ 2.6 + OpenSSL ≥ 0.9.9):

    +

    Their ECDSA counterparts (Postfix ≥ 2.6 + OpenSSL ≥ 1.0.0): 

    diff --git a/postfix/proto/memcache_table b/postfix/proto/memcache_table
index c065e65da..de9e2fd91 100644
--- a/postfix/proto/memcache_table
+++ b/postfix/proto/memcache_table
@@ -66,18 +66,22 @@
 #
 #	Access to remote proxymap servers is under development.
 #
-#	NOTE 1: When using memcache with persistent backup as
-#	\fBpostscreen\fR(8) or \fBverify\fR(8) cache, disable
-#	automatic cache cleanup (*_cache_cleanup_interval = 0) in
-#	all Postfix instances except for one instance that will be
-#	responsible for cache cleanup.
-#
-#	NOTE 2: In the case of a proxied backup database, the full
-#	backup database
-#	name (including the "proxy:" prefix) must be specified in
-#	the proxymap server's proxy_read_maps or proxy_write_maps
-#	setting (depending on whether the access is read-only or
-#	read-write).
+#	NOTE 1: When sharing a persistent \fBpostscreen\fR(8) or
+#	\fBverify\fR(8) cache, disable automatic cache cleanup (set
+#	*_cache_cleanup_interval = 0) except with one Postfix
+#	instance that will be responsible for cache cleanup.
+#
+#	NOTE 2: When different tables share the same memcache
+#	database, each table should use the \fBkey_format\fR feature
+#	(see below) to prepend its own unique string to the lookup
+#	key.  Otherwise, automatic \fBpostscreen\fR(8) or \fBverify\fR(8)
+#	cache cleanup may not work.
+#
+#	NOTE 3: When the backup database is accessed with "proxy:"
+#	lookups, the full backup database name (including the
+#	"proxy:" prefix) must be specified in the proxymap server's
+#	proxy_read_maps or proxy_write_maps setting (depending on
+#	whether the access is read-only or read-write).
 # .IP "\fBflags (default: 0)\fR"
 #	Optional flags that should be stored along with a memcache
 #	update. The flags are ignored when looking up information.
@@ -103,17 +107,20 @@
 #	By default, these are the same as the lookup and update
 #	keys that are given to the Postfix memcache client.
 #
-#	NOTE: The \fBkey_format\fR feature is not used for \fBbackup\fR
+#	NOTE 1: The \fBkey_format\fR feature is not used for \fBbackup\fR
 #	database requests.
 #
-#	When the same memcache database is used to cache information
-#	from multiple tables, you can use the \fBkey_format\fR
-#	feature to avoid name collisions by prepending a fixed
-#	string.  Examples:
+#	NOTE 2: When different tables share the same memcache
+#	database, each table should prepend its own unique string
+#	to the lookup key.  Otherwise, automatic \fBpostscreen\fR(8)
+#	or \fBverify\fR(8) cache cleanup may not work.
+#
+#	Examples:
 #
 # .nf
 #	    key_format = aliases:%s
-#	    key_format = access:%s
+#	    key_format = verify:%s
+#	    key_format = postscreen:%s
 # .fi
 #
 #	The \fBkey_format\fR parameter supports the following '%'
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index d8b20a616..09466a4dd 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20121031"
+#define MAIL_RELEASE_DATE	"20121123"
 #define MAIL_VERSION_NUMBER	"2.10"
 
 #ifdef SNAPSHOT
diff --git a/postfix/src/postscreen/postscreen.h b/postfix/src/postscreen/postscreen.h
index 860a134b6..3fe0a9b6b 100644
--- a/postfix/src/postscreen/postscreen.h
+++ b/postfix/src/postscreen/postscreen.h
@@ -73,6 +73,7 @@ typedef struct {
     /* smtpd(8) compatibility */
     int     ehlo_discard_mask;		/* EHLO filter */
     VSTRING *expand_buf;		/* macro expansion */
+    const char *where;			/* SMTP protocol state */
 } PSC_STATE;
 
 #define PSC_TIME_STAMP_NEW		(0)	/* test was never passed */
@@ -210,6 +211,13 @@ typedef struct {
 #define PSC_STATE_MASK_ANY_UPDATE \
 	(PSC_STATE_MASK_ANY_PASS | PSC_STATE_FLAG_PENAL_UPDATE)
 
+ /*
+  * Meta-commands for state->where that reflect the initial command processor
+  * state and commands that aren't implemented.
+  */
+#define PSC_SMTPD_CMD_CONNECT		"CONNECT"
+#define PSC_SMTPD_CMD_UNIMPL		"UNIMPLEMENTED"
+
  /*
   * See log_adhoc.c for discussion.
   */
diff --git a/postfix/src/postscreen/postscreen_smtpd.c b/postfix/src/postscreen/postscreen_smtpd.c
index 7e319f713..77bb8f475 100644
--- a/postfix/src/postscreen/postscreen_smtpd.c
+++ b/postfix/src/postscreen/postscreen_smtpd.c
@@ -224,6 +224,15 @@ static void psc_smtpd_read_event(int, char *);
     PSC_CLEAR_EVENT_REQUEST(vstream_fileno((state)->smtp_client_stream), \
 			   psc_smtpd_time_event, (char *) (state));
 
+ /*
+  * Make control characters and other non-text visible.
+  */
+#define PSC_SMTPD_ESCAPE_TEXT(dest, src, src_len, max_len) do { \
+	ssize_t _s_len = (src_len); \
+	ssize_t _m_len = (max_len); \
+	(void) escape((dest), (src), _s_len < _m_len ? _s_len : _m_len); \
+    } while (0)
+
  /*
   * Command parser support.
   */
@@ -664,7 +673,8 @@ static void psc_smtpd_time_event(int event, char *context)
 		 state->smtp_client_addr, state->smtp_client_port,
 		 psc_print_state_flags(state->flags, myname));
 
-    msg_info("COMMAND TIME LIMIT from [%s]:%s", PSC_CLIENT_ADDR_PORT(state));
+    msg_info("COMMAND TIME LIMIT from [%s]:%s after %s",
+	     PSC_CLIENT_ADDR_PORT(state), state->where);
     PSC_CLEAR_EVENT_DROP_SESSION_STATE(state, psc_smtpd_time_event,
 				       psc_smtpd_timeout_reply);
 }
@@ -715,6 +725,7 @@ static void psc_smtpd_read_event(int event, char *context)
 	int     want;
 	int     next_state;
     };
+    const char *saved_where;
 
 #define PSC_SMTPD_CMD_ST_ANY		0
 #define PSC_SMTPD_CMD_ST_CR		1
@@ -778,8 +789,8 @@ static void psc_smtpd_read_event(int event, char *context)
 	     */
 	    if (state->read_state == PSC_SMTPD_CMD_ST_ANY
 		&& VSTRING_LEN(state->cmd_buffer) >= var_line_limit) {
-		msg_info("COMMAND LENGTH LIMIT from [%s]:%s",
-			 PSC_CLIENT_ADDR_PORT(state));
+		msg_info("COMMAND LENGTH LIMIT from [%s]:%s after %s",
+			 PSC_CLIENT_ADDR_PORT(state), state->where);
 		PSC_CLEAR_EVENT_DROP_SESSION_STATE(state, psc_smtpd_time_event,
 						   psc_smtpd_421_reply);
 		return;
@@ -815,8 +826,10 @@ static void psc_smtpd_read_event(int event, char *context)
 	    if (ch == '\n') {
 		if ((state->flags & PSC_STATE_MASK_BARLF_TODO_SKIP)
 		    == PSC_STATE_FLAG_BARLF_TODO) {
-		    msg_info("BARE NEWLINE from [%s]:%s",
-			     PSC_CLIENT_ADDR_PORT(state));
+		    PSC_SMTPD_ESCAPE_TEXT(psc_temp, STR(state->cmd_buffer),
+				   VSTRING_LEN(state->cmd_buffer) - 1, 100);
+		    msg_info("BARE NEWLINE from [%s]:%s after %s",
+			     PSC_CLIENT_ADDR_PORT(state), STR(psc_temp));
 		    PSC_FAIL_SESSION_STATE(state, PSC_STATE_FLAG_BARLF_FAIL);
 		    PSC_UNPASS_SESSION_STATE(state, PSC_STATE_FLAG_BARLF_PASS);
 		    state->barlf_stamp = PSC_TIME_STAMP_DISABLED;	/* XXX */
@@ -914,9 +927,14 @@ static void psc_smtpd_read_event(int event, char *context)
 	 * 
 	 * Caution: cmdp->name and cmdp->action may be null on loop exit.
 	 */
-	for (cmdp = command_table; cmdp->name != 0; cmdp++)
-	    if (strcasecmp(command, cmdp->name) == 0)
+	saved_where = state->where;
+	state->where = PSC_SMTPD_CMD_UNIMPL;
+	for (cmdp = command_table; cmdp->name != 0; cmdp++) {
+	    if (strcasecmp(command, cmdp->name) == 0) {
+		state->where = cmdp->name;
 		break;
+	    }
+	}
 
 	if ((state->flags & PSC_STATE_FLAG_SMTPD_X21)
 	    && cmdp->action != psc_quit_cmd) {
@@ -932,8 +950,11 @@ static void psc_smtpd_read_event(int event, char *context)
 		|| (*var_psc_forbid_cmds
 		    && string_list_match(psc_forbid_cmds, command)))) {
 	    printable(command, '?');
-	    msg_info("NON-SMTP COMMAND from [%s]:%s %.100s %.100s",
-		     PSC_CLIENT_ADDR_PORT(state), command, cmd_buffer_ptr);
+	    PSC_SMTPD_ESCAPE_TEXT(psc_temp, cmd_buffer_ptr,
+				  strlen(cmd_buffer_ptr), 100);
+	    msg_info("NON-SMTP COMMAND from [%s]:%s after %s: %.100s %s",
+		     PSC_CLIENT_ADDR_PORT(state), saved_where,
+		     command, STR(psc_temp));
 	    PSC_FAIL_SESSION_STATE(state, PSC_STATE_FLAG_NSMTP_FAIL);
 	    PSC_UNPASS_SESSION_STATE(state, PSC_STATE_FLAG_NSMTP_PASS);
 	    state->nsmtp_stamp = PSC_TIME_STAMP_DISABLED;	/* XXX */
@@ -967,9 +988,8 @@ static void psc_smtpd_read_event(int event, char *context)
 	if ((state->flags & PSC_STATE_MASK_PIPEL_TODO_SKIP)
 	    == PSC_STATE_FLAG_PIPEL_TODO && !PSC_SMTPD_BUFFER_EMPTY(state)) {
 	    printable(command, '?');
-	    escape(psc_temp, PSC_SMTPD_PEEK_DATA(state),
-		   PSC_SMTPD_PEEK_LEN(state) < 100 ?
-		   PSC_SMTPD_PEEK_LEN(state) : 100);
+	    PSC_SMTPD_ESCAPE_TEXT(psc_temp, PSC_SMTPD_PEEK_DATA(state),
+				  PSC_SMTPD_PEEK_LEN(state), 100);
 	    msg_info("COMMAND PIPELINING from [%s]:%s after %.100s: %s",
 		     PSC_CLIENT_ADDR_PORT(state), command, STR(psc_temp));
 	    PSC_FAIL_SESSION_STATE(state, PSC_STATE_FLAG_PIPEL_FAIL);
@@ -1033,8 +1053,8 @@ static void psc_smtpd_read_event(int event, char *context)
 	/* Command COUNT limit test. */
 	if (++state->command_count > var_psc_cmd_count
 	    && cmdp->action != psc_quit_cmd) {
-	    msg_info("COMMAND COUNT LIMIT from [%s]:%s",
-		     PSC_CLIENT_ADDR_PORT(state));
+	    msg_info("COMMAND COUNT LIMIT from [%s]:%s after %s",
+		     PSC_CLIENT_ADDR_PORT(state), saved_where);
 	    PSC_CLEAR_EVENT_DROP_SESSION_STATE(state, psc_smtpd_time_event,
 					       psc_smtpd_421_reply);
 	    return;
diff --git a/postfix/src/postscreen/postscreen_state.c b/postfix/src/postscreen/postscreen_state.c
index e199eb885..5b97ce032 100644
--- a/postfix/src/postscreen/postscreen_state.c
+++ b/postfix/src/postscreen/postscreen_state.c
@@ -173,6 +173,7 @@ PSC_STATE *psc_new_session_state(VSTREAM *stream,
     state->read_state = 0;
     state->ehlo_discard_mask = 0;		/* XXX Should be ~0 */
     state->expand_buf = 0;
+    state->where = PSC_SMTPD_CMD_CONNECT;
 
     /*
      * Update the stress level.
diff --git a/postfix/src/qmqpd/qmqpd.c b/postfix/src/qmqpd/qmqpd.c
index 559c2e099..c720704f2 100644
--- a/postfix/src/qmqpd/qmqpd.c
+++ b/postfix/src/qmqpd/qmqpd.c
@@ -473,7 +473,7 @@ static void qmqpd_write_content(QMQPD_STATE *state)
 	if (first) {
 	    if (strncmp(start + strspn(start, ">"), "From ", 5) == 0) {
 		rec_fprintf(state->cleanup, rec_type,
-			    "X-Mailbox-Line: %*s", len, start);
+			    "X-Mailbox-Line: %.*s", len, start);
 		continue;
 	    }
 	    first = 0;
diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c
index 09ea4bf96..52ebc66c1 100644
--- a/postfix/src/smtpd/smtpd_check.c
+++ b/postfix/src/smtpd/smtpd_check.c
@@ -518,13 +518,20 @@ static int has_required(ARGV *restrictions, const char **required)
      * Recursively check list membership.
      */
     for (rest = restrictions->argv; *rest; rest++) {
-	if (strcmp(*rest, WARN_IF_REJECT) == 0 && rest[1] != 0) {
+	if (strcasecmp(*rest, WARN_IF_REJECT) == 0 && rest[1] != 0) {
 	    rest += 1;
 	    continue;
 	}
+	if (strcasecmp(*rest, PERMIT_ALL) == 0) {
+	    if (rest[1] != 0)
+		msg_warn("restriction `%s' after `%s' is ignored",
+			 rest[1], rest[0]);
+	    return (0);
+	}
 	for (reqd = required; *reqd; reqd++)
-	    if (strcmp(*rest, *reqd) == 0)
+	    if (strcasecmp(*rest, *reqd) == 0)
 		return (1);
+	/* XXX This lookup operation should not be case-sensitive. */
 	if ((expansion = (ARGV *) htable_find(smtpd_rest_classes, *rest)) != 0)
 	    if (has_required(expansion, required))
 		return (1);
@@ -684,6 +691,7 @@ void    smtpd_check_init(void)
 	while ((name = mystrtok(&cp, RESTRICTION_SEPARATORS)) != 0) {
 	    if ((value = mail_conf_lookup_eval(name)) == 0 || *value == 0)
 		msg_fatal("restriction class `%s' needs a definition", name);
+	    /* XXX This store operation should not be case-sensitive. */
 	    htable_enter(smtpd_rest_classes, name,
 			 (char *) smtpd_check_parse(SMTPD_CHECK_PARSE_ALL,
 						    value));
-- 
2.47.3