From b7660498e26672b8ca1a296bebaecff4d4d92b15 Mon Sep 17 00:00:00 2001
From: Wietse Venema
Date: Tue, 11 Jun 2013 00:17:07 -0400
Subject: [PATCH] postfix-2.11-20130613
---
 postfix/HISTORY | 13 ++++
 postfix/RELEASE_NOTES_2.10 | 67 +++++++++------------
 postfix/conf/post-install | 39 ++++++------
 postfix/html/postconf.5.html | 2 +-
 postfix/man/man5/postconf.5 | 2 +-
 postfix/proto/postconf.proto | 2 +-
 postfix/src/global/mail_params.h | 3 +-
 postfix/src/global/mail_version.h | 2 +-
 postfix/src/posttls-finger/posttls-finger.c | 3 +
 postfix/src/smtp/smtp_tls_policy.c | 3 +-
 postfix/src/tls/tls_dane.c | 2 +
 11 files changed, 75 insertions(+), 63 deletions(-)
diff --git a/postfix/HISTORY b/postfix/HISTORY
index c8ee7e1dd..658fbe6c6 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -18703,3 +18703,16 @@ Apologies for any names omitted.
 Cleanup (DANE support): be more explicit in the logging of object digests. Viktor Dukhovni. tls/tls_dane.c.
+
+20100613
+
+ Workaround: unhelpful down-stream maintainers fail to install
+ the new smtpd_relay_restrictions safety net, causing things
+ to break. We hard-code the safety net instead. Files:
+ global/mail_params.h, conf/post-install, RELEASE_NOTES_2.10.
+
+ Bugfix (DANE support): when TLSA records are insecure,
+ report that none are found. Viktor Dukhovni. Files:
+ posttls-finger/posttls-finger.c, smtp/smtp_tls_policy.c,
+ tls/tls_dane.c.
+
diff --git a/postfix/RELEASE_NOTES_2.10 b/postfix/RELEASE_NOTES_2.10
index 8e269c2cf..1140ce1eb 100644
--- a/postfix/RELEASE_NOTES_2.10
+++ b/postfix/RELEASE_NOTES_2.10
@@ -110,21 +110,22 @@ authentication in the proxy agent (Postfix 2.9 and later). Major changes - relay safety ---------------------------- -[Incompat 20121007] As part of a forward compatibility safety net, -the Postfix installation procedure adds the following -smtpd_relay_restrictions entry to main.cf when there is none: +[Incompat 20130613] New smtpd_relay_restrictions parameter built-in +default settings: smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination +This safety net prevents open relay problems due to mistakes +with spam filter rules in smtpd_recipient_restrictions. + If your site has a complex mail relay policy configured under -smtpd_recipient_restrictions, this safety net will defer mail that -the built-in smtpd_relay_restrictions setting would bounce. +smtpd_recipient_restrictions, this safety net may defer mail that +Postfix should accept. -To eliminate this safety net, take one of the following three -actions: +To fix this safety net, take one of the following actions: - Set smtpd_relay_restrictions empty, and keep using the existing mail relay authorization policy in smtpd_recipient_restrictions. @@ -132,18 +133,16 @@ actions: - Copy the existing mail relay authorization policy from smtpd_recipient_restrictions to smtpd_relay_restrictions. -- Set smtpd_relay_restrictions by hand to the new built-in - policy: permit_mynetworks reject_unauth_destination. - There is no need to change the value of smtpd_recipient_restrictions. -[Feature 20121007] This version introduces the smtpd_relay_restrictions +[Feature 20130613] This version introduces the smtpd_relay_restrictions feature for mail relay control. The new built-in default settings are: smtpd_relay_restrictions = permit_mynetworks - reject_unauth_destination + permit_sasl_authenticated + defer_unauth_destination smtpd_recipient_restrictions = ( optional spam blocking rules would go here ) 
@@ -164,40 +163,32 @@ with smtpd_relay_restrictions, so that a permissive spam blocking policy under smtpd_recipient_restrictions will not unexpectedly result in a permissive mail relay policy. -As usual, this new feature is introduced with safety nets to prevent -surprises when a site upgrades from an earlier Postfix release. +As of Postfix 2.10.0 the smtpd_relay_restrictions parameter built-in +default settings are: -1 - FORWARD COMPATIBILITY SAFETY NET: the Postfix installation - procedure adds the following smtpd_relay_restrictions entry to - main.cf when there is none: - - smtpd_relay_restrictions = - permit_mynetworks - permit_sasl_authenticated - defer_unauth_destination + smtpd_relay_restrictions = + permit_mynetworks + permit_sasl_authenticated + defer_unauth_destination - If your site has a complex mail relay policy configured under - smtpd_recipient_restrictions, this safety net will defer mail - that the built-in smtpd_relay_restrictions setting would bounce. +If your site has a complex mail relay policy configured under +smtpd_recipient_restrictions, this safety net may defer mail that +Postfix should accept. - To eliminate this safety net, take one of the following three - actions: +To migrate from an earlier Postfix release with the least amount +of pain: - - Set smtpd_relay_restrictions empty, and keep using the existing - mail relay authorization policy in smtpd_recipient_restrictions. +- Set smtpd_relay_restrictions empty, and keep using the existing + mail relay authorization policy in smtpd_recipient_restrictions. - - Copy the existing mail relay authorization policy from - smtpd_recipient_restrictions to smtpd_relay_restrictions. +- There is no need to change the value of smtpd_recipient_restrictions. - - Set smtpd_relay_restrictions by hand to the new built-in - policy: permit_mynetworks reject_unauth_destination. 
+To take advantage of the new smtpd_relay_restrictions feature: - There is no need to change the value of smtpd_recipient_restrictions. +- Copy the existing mail relay authorization policy from + smtpd_recipient_restrictions to smtpd_relay_restrictions. -2 - BACKWARDS COMPATIBILITY SAFETY NET: sites that migrate from - Postfix versions before 2.10 can set smtpd_relay_restrictions - to the empty value, and use smtpd_recipient_restrictions exactly - as they used it before. +- There is no need to change the value of smtpd_recipient_restrictions. Major changes - start-up ------------------------ diff --git a/postfix/conf/post-install b/postfix/conf/post-install index 80e9a99e9..91ff4a677 100644 --- a/postfix/conf/post-install +++ b/postfix/conf/post-install @@ -809,25 +809,26 @@ EOF $POSTCONF -c $config_directory inet_protocols=ipv4 || exit 1 } - # Postfix 2.10. - # Safety net for incompatible changes due to the introduction - # of the smtpd_relay_restrictions feature to separate the - # mail relay policy from the spam blocking policy. - # PLEASE DO NOT REMOVE THIS CODE. ITS PURPOSE IS TO PREVENT - # INBOUND MAIL FROM UNEXPECTEDLY BOUNCING AFTER UPGRADING FROM - # POSTFIX BEFORE 2.10. - test -n "`$POSTCONF -c $config_directory -n smtpd_relay_restrictions`" || { - cat <
smtpd_relay_restrictions -(default: permit_mynetworks, reject_unauth_destination)
+(default: permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination)

Access restrictions for mail relay control that the Postfix SMTP server applies in the context of the RCPT TO command, before diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index f7a9d7a0e..0888296d8 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -9446,7 +9446,7 @@ not null. .br .PP This feature is available in Postfix 2.1 and later. -.SH smtpd_relay_restrictions (default: permit_mynetworks, reject_unauth_destination) +.SH smtpd_relay_restrictions (default: permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination) Access restrictions for mail relay control that the Postfix SMTP server applies in the context of the RCPT TO command, before smtpd_recipient_restrictions. diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index df5433977..793bcf03f 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -5948,7 +5948,7 @@ Example: smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination -%PARAM smtpd_relay_restrictions permit_mynetworks, reject_unauth_destination +%PARAM smtpd_relay_restrictions permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination

Access restrictions for mail relay control that the Postfix SMTP server applies in the context of the RCPT TO command, before
diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h
index a1951ec8a..e4a7dd7b6 100644
--- a/postfix/src/global/mail_params.h
+++ b/postfix/src/global/mail_params.h
@@ -1975,7 +1975,8 @@ extern char *var_mail_checks;
 #define VAR_RELAY_CHECKS "smtpd_relay_restrictions"
 #define DEF_RELAY_CHECKS PERMIT_MYNETWORKS ", " \
- REJECT_UNAUTH_DEST
+ PERMIT_SASL_AUTH \
+ DEFER_UNAUTH_DEST
 extern char *var_relay_checks;
 #define VAR_RCPT_CHECKS "smtpd_recipient_restrictions"
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 27f63d0d2..7132bde41 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
 * Patches change both the patchlevel and the release date. Snapshots have no
 * patchlevel; they change the release date only.
 */
-#define MAIL_RELEASE_DATE "20130608"
+#define MAIL_RELEASE_DATE "20130613"
 #define MAIL_VERSION_NUMBER "2.11"
 #ifdef SNAPSHOT
diff --git a/postfix/src/posttls-finger/posttls-finger.c b/postfix/src/posttls-finger/posttls-finger.c
index 3ca448ac3..03dc1ead6 100644
--- a/postfix/src/posttls-finger/posttls-finger.c
+++ b/postfix/src/posttls-finger/posttls-finger.c
@@ -1171,6 +1171,9 @@ static int dane_host_level(STATE *state, DNS_RR *addr)
 tls_dane_unusable(state->ddane) ? "usable " : "");
 level = TLS_LEV_SECURE;
+ } else if (!TLS_DANE_HASTA(state->ddane)
+ && !TLS_DANE_HASEE(state->ddane)) {
+ msg_panic("empty DANE match list");
 } else {
 if (state->match)
 argv_free(state->match);
diff --git a/postfix/src/smtp/smtp_tls_policy.c b/postfix/src/smtp/smtp_tls_policy.c
index 152763a37..bad77d2af 100644
--- a/postfix/src/smtp/smtp_tls_policy.c
+++ b/postfix/src/smtp/smtp_tls_policy.c
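Review bot: In the mail_params.h hunk the new `DEF_RELAY_CHECKS` has no `", "` separator between `PERMIT_SASL_AUTH` and `DEFER_UNAUTH_DEST`; only `PERMIT_MYNETWORKS` keeps one. If these macros are string literals, as the `PERMIT_MYNETWORKS ", "` concatenation suggests, the last two names fuse into a single token. The compiled default would then no longer match the three-element value documented in postconf.5 and RELEASE_NOTES_2.10, so the built-in relay safety net would not be evaluated as written. The second continuation line should read `PERMIT_SASL_AUTH ", " \`.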
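Review bot: The added `msg_panic("empty DANE match list")` arm in dane_host_level (posttls-finger.c) aborts on a state that is ultimately built from DNS answers, and nothing in the hunk says why that state cannot occur. The invariant seems to rest on the tls_dane.c hunk of this commit, which flags DNSSEC-insecure RRsets with `TLS_DANE_FLAG_NORRS`; I would record that above the branch, e.g. `/* Can't happen: a usable DANE object holds TA or EE digests */`, and put the host name in the message so a report can be tied to a destination. The same check is added to dane_init in smtp/smtp_tls_policy.c, where a panic stops a delivery process, so it is worth confirming that every lookup result with both lists empty is caught earlier; if that cannot be ruled out, a warning plus the not-found handling is the safer failure mode. dane_host_level starts and ends outside this hunk.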
@@ -823,7 +823,8 @@ static void dane_init(SMTP_TLS_POLICY *tls, SMTP_ITERATOR *iter)
 if (TLS_DANE_HASTA(dane)) {
 tls->matchargv = argv_alloc(2);
 argv_add(tls->matchargv, "hostname", "nexthop", ARGV_END);
- }
+ } else if (!TLS_DANE_HASEE(dane))
+ msg_panic("empty DANE match list");
 tls->dane = dane;
 tls->level = TLS_LEV_DANE;
 return;
diff --git a/postfix/src/tls/tls_dane.c b/postfix/src/tls/tls_dane.c
index 47b106981..b9c327ff5 100644
--- a/postfix/src/tls/tls_dane.c
+++ b/postfix/src/tls/tls_dane.c
@@ -716,6 +716,8 @@ static void *dane_lookup(const char *tlsa_fqdn, void *unused_ctx)
 if (rrs->dnssec_valid)
 parse_tlsa_rrs(dane, rrs);
+ else
+ dane->flags |= TLS_DANE_FLAG_NORRS;
 dns_rr_free(rrs);
 break;
--
2.47.3
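Review bot: The new `else if` arm in dane_init (smtp_tls_policy.c) is left unbraced although it hangs off a braced `if`, which makes the panic easy to misread next to the unconditional `tls->dane = dane;` assignments that follow. I would write it as `} else if (!TLS_DANE_HASEE(dane)) {`, then the `msg_panic(...)` call, then a closing `}`. dane_init begins and ends outside this hunk.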
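Review bot: The new `else` branch in dane_lookup (tls_dane.c) turns a DNSSEC-insecure TLSA answer into "no records" without a comment saying that this is deliberate. Without DNSSEC validation the TLSA data is unauthenticated and should not drive certificate matching, so a line such as `/* Insecure TLSA RRs are untrusted: treat as not found */` above `dane->flags |= TLS_DANE_FLAG_NORRS;` would record the reason. Because an operator cannot tell this case from a domain that publishes no TLSA records, a verbose-level log line naming `tlsa_fqdn` may also be worth adding. dane_lookup continues outside the hunk.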