postfix-3.12-20260615

diff --git a/postfix/HISTORY b/postfix/HISTORY
index c5841ef25273bbcef45ae896f64423c165486ffd..bcb366b82c7811763f7781dd15d17bb7c47e96c3 100644 (file)
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -31175,32 +31175,47 @@ Apologies for any names omitted.
 20260524
 
        Bugfix (defect introduced: Postfix 3.1, date 20150607):
 20260524
 
        Bugfix (defect introduced: Postfix 3.1, date 20150607):

-       null pointer dereference and heap data overread in the
-       Postfix SMTP client's smtp_dns_reply_filter (this is disabled
-       by default), when the Postfix SMTP client is configured to
-       use opportunistic or mandatory DANE authentication (this
-       is disabled by default); and the destination domain publishes
-       a TLSA record that is empty or shorter than 20 bytes; and
-       the OS is configured to use a resolver that passes such a
-       TLSA record. For example, a zero-length TLSA record is
-       blocked by BIND, Google DNS, OpenDNS, and by configurations
-       that use systemd-resolved (the default on many LINUX systems);
-       it is passed by Cloudflare, Quad9 DNS, and unbound, if these
-       resolvers are used without systemd-resolved.
+       null pointer read and heap data overread in the Postfix
+       SMTP client's smtp_dns_reply_filter. Problem reported by
+       TristanInSec, found with ASAN. Also reported by other people.
+       Reproduction and real-world impact researched by Wietse.
+       File: dns/dns_strrecord.c.

 
        The root cause is a missing 'break' statement after the
 
        The root cause is a missing 'break' statement after the

-       code that converts a TLSA record to string, resulting in a
-       null pointer crash when the record length is zero; or a
-       data overread (or rarely, a segfault) with 0 < record length
-       < 20 bytes. The overread content is not disclosed.
-
-       The impact of crashes is easily overstated. That said,
-       crashes must be eliminated regardless of their impact.
+       code that converts a TLSA record to string.
+
+       Reproduction:
+       =============
+
+       The problem happens when smtp_dns_reply_filter is configured
+       (this is disabled by default); the Postfix SMTP client is
+       configured to use opportunistic or mandatory DANE authentication
+       (this is disabled by default); the destination domain
+       publishes a TLSA record that is empty or shorter than 20
+       bytes; and the OS is configured to use a resolver that
+       passes such a TLSA record. For example, a zero-length TLSA
+       record is blocked by BIND, Google DNS, OpenDNS, and by
+       configurations that use systemd-resolved (the default on
+       many LINUX systems); it is passed by Cloudflare, Quad9 DNS,
+       and unbound, as long as these resolvers are used without
+       systemd-resolved.
+
+       Impact statement:
+       =================
+
+       SMTP client termination with a null pointer read crash when
+       the TLSA record length is zero; or an SMTP client data
+       overread (or rarely, SMTP client termination with a read
+       segfault crash) when 0 < record length < 20 bytes. The
+       overread content is not disclosed.
+
+       The impact of SMTP client crashes is easily overstated.
+       That said, crashes must be eliminated regardless of their
+       impact.

 
        On systems that deliver fewer than one message per minute,
 
        On systems that deliver fewer than one message per minute,

-       a null pointer or other segfault crash can result in a delay
-       of up to one minute for email delivery to other destination
-       domains.
+       an SMTP client crash can result in a delay of up to one
+       minute for email delivery to other destination domains.

 
        On systems with a larger traffic volume, the impact of a
        null pointer or other segfault crash on deliveries to other
 
        On systems with a larger traffic volume, the impact of a
        null pointer or other segfault crash on deliveries to other


@@ -31213,10 +31228,6 @@ Apologies for any names omitted.
        SMTP client read time limits which are several minutes by
        default).
 
        SMTP client read time limits which are several minutes by
        default).
 

-       Problem reported by TristanInSec, found with ASAN. Also
-       reported by other people. Reproduction and real-world impact
-       researched by Wietse. File: dns/dns_strrecord.c.
-

 20260529
 
        Robustness: Postfix SMTP server will no longer receive (and
 20260529
 
        Robustness: Postfix SMTP server will no longer receive (and


@@ -31232,15 +31243,87 @@ Apologies for any names omitted.
        of text while receiving a long SMTP response line.
 
        Robustness: do not receive (and discard) unlimited amounts
        of text while receiving a long SMTP response line.
 
        Robustness: do not receive (and discard) unlimited amounts

-       of data with BDAT commands. Problem introduced: Postfix
+       of input with BDAT commands. Problem introduced: Postfix

        3.4, date: 20180825; found during code maintenance. File:
        smtpd/smtpd.c.
 
        3.4, date: 20180825; found during code maintenance. File:
        smtpd/smtpd.c.
 

+       Impact statement: 
+       =================
+
+       Postfix should not receive and discard unlimited amounts
+       of input in SMTP or BDAT commands, but fixing that will not
+       fundamentally change the situation.
+
+       By design, any SMTP client can force a server to receive
+       (and discard) an unlimited amount of text.
+
+       For example, an attacker can repeatedly send messages that
+       are a little under the server's message size limit and abort
+       each transaction a before reaching the message end. When
+       sending a message with the "DATA" command, an attacker would
+       disconnect instead of sending <CR><LF>.<CR><LF>; and when
+       sending a message with the "BDAT" command, an attacker would
+       send "RSET" instead of "BDAT LAST".
+
+       To mitigate such abuse, Postfix can rate-limit the number
+       of message transactions from the same IP address or address
+       range (see smtpd_client_message_rate_limit and *prefix_length
+       parameters). Such a defense is ineffective when faced with
+       a distributed attack (botnet); for that, postscreen combined
+       with an IP reputation service (DNSBL) may be more effective.
+

 20260531
 
        Bugfix: (defect introduced: Postfix 3.6, date: 20200710):
 20260531
 
        Bugfix: (defect introduced: Postfix 3.6, date: 20200710):

-       panic() while parsing a TLSA record with length 3. Found
-       during code maintenance. File: tls/tls_dane.c.
+       panic (assertion failure and voluntary crash) while parsing
+       a TLSA reply with length 3. Found during code maintenance.
+       File: tls/tls_dane.c.
+
+        Reproduction:
+        =============
+
+       The problem happens when the Postfix SMTP client is configured
+       to use opportunistic or mandatory DANE authentication (this
+       is disabled by default); a destination domain publishes a
+       TLSA record with a length of three bytes; and the OS is
+       configured to use a resolver that passes such a TLSA record.
+       For example, a length-three TLSA record is blocked by BIND,
+       and by configurations that use systemd-resolved (the default
+       on many LINUX systems). It is passed by many other resolvers.
+
+       This bug enables an attack that is more potent than an
+       older Postfix 3.1 bug in TLSA reply handling (null pointer
+       read with zero-length TLSA, or undisclosed memory overread).
+
+       - An attack with a length-three TLSA reply does not depend
+       on smtp_dns_reply_filter configuration.
+
+       - An attack with a length-three TLSA reply propagates through
+       more resolvers than an attack with a length-zero TLSA reply.
+
+       Impact statement:
+       =================
+
+       SMTP client voluntary termination (crash) after an assertion
+       failure. This is a fail-safe mechanism.
+
+       The impact of crashes (voluntary or not) is easily overstated.
+       That said, crashes must be eliminated regardless of their
+       impact.
+
+       On systems that deliver fewer than one message per minute,
+       an SMTP client crash can result in a delay of up to one
+       minute for email delivery to other destination domains.
+
+       On systems with a larger traffic volume, the impact of an
+       SMTP client crash on deliveries to other destination domains
+       is minor because Postfix reuses SMTP client processes and
+       replaces a failed process within seconds (self-healing);
+       the practical impact is believed to be no worse than that
+       of an uncooperative receiver that tarpits SMTP connections
+       from Postfix to one or more destination domains under their
+       control (by replying within Postfix SMTP client read time
+       limits which are several minutes by default).

 
 20260602
 
 
 20260602
 


@@ -31262,9 +31345,9 @@ Apologies for any names omitted.
 
 20260605
 
 
 20260605
 

-       Tech debt: the cleanup daemon now allows TAB characters in an
-       unencoded ENVID received in the message input stream. File:
-       cleanup/cleanup_envelope.c.
+       Tech debt: the cleanup daemon now allows TAB characters in
+       an unencoded ENVID received in the message input stream.
+       File: cleanup/cleanup_envelope.c.

 
        Tech debt: the Milter client CHGFROM handler now allows
        encoded TAB characters in ENVID parameters, and disallows
 
        Tech debt: the Milter client CHGFROM handler now allows
        encoded TAB characters in ENVID parameters, and disallows


@@ -31291,10 +31374,17 @@ Apologies for any names omitted.
 
        Technical debt: added uxtext_quote(3) support to encode
        only ASCII character values (i.e. utf-8-addr-unitext as
 
        Technical debt: added uxtext_quote(3) support to encode
        only ASCII character values (i.e. utf-8-addr-unitext as

-       defined in RFC 6533). Also added unit tests. This code
-       will be used only in SMTP RCPT TO commands. Files:
+       defined in RFC 6533). Also added unit tests. This code will
+       be used only in SMTP RCPT TO commands. Files:

        global/uxtext_quote.[hc], global/uxtext_quote_test.c.
 
        global/uxtext_quote.[hc], global/uxtext_quote_test.c.
 

+20260608
+
+       Bugfix (defect introduced: Postfix 3.0, date: 20140708):
+       the SMTP client did not xtext_quote a '+' character in a
+       DSN ORCPT parameter value. Found during code maintenance.
+       File: smtp_proto.c.
+

 TODO
 
        Reorganize PTEST_LIB, PMOCK_LIB, TESTLIB, TESTLIBS, etc.
 TODO
 
        Reorganize PTEST_LIB, PMOCK_LIB, TESTLIB, TESTLIBS, etc.

diff --git a/postfix/proto/stop.double-history b/postfix/proto/stop.double-history
index 2dde19d542d3ec7f8432bd8190c395383ef13f66..28e51888fa8c5137a1e6780934f956f8db9ed680 100644 (file)
--- a/postfix/proto/stop.double-history
+++ b/postfix/proto/stop.double-history
@@ -262,3 +262,7 @@ proto  proto stop proto stop double cc
  postscreen postscreen c postscreen postscreen_tls_conf c 
  anvil anvil c global anvil_clnt hc proto postconf proto 
  global smtp_stream c smtpd smtpd c smtpd smtpd_chat h 
  postscreen postscreen c postscreen postscreen_tls_conf c 
  anvil anvil c global anvil_clnt hc proto postconf proto 
  global smtp_stream c smtpd smtpd c smtpd smtpd_chat h 

+ by Michael Wollner File smtpd smtpd c 
+ are not printable or whitespace Files smtpd smtpd c 
+ support File smtpd smtpd c 
+ sendmail sendmail c 

diff --git a/postfix/proto/stop.spell-cc b/postfix/proto/stop.spell-cc
index 0fb87a2ca51cfaed3a707a19cfd5e3aa8c768e85..b6e5f5a8c8b68ac51e9e32d71b5d0796b84147aa 100644 (file)
--- a/postfix/proto/stop.spell-cc
+++ b/postfix/proto/stop.spell-cc
@@ -1993,3 +1993,7 @@ datetime
 getpeername
 overshift
 Sayre
 getpeername
 overshift
 Sayre

+jk
+unitext
+esmtpargs
+uncoded

diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index c4fb3b233ad7cee3426f07ffb87e6ea97694e0f7..54f31d114ca5da64cd59d282c9134a809021f4b6 100644 (file)
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */

-#define MAIL_RELEASE_DATE      "20260607"
+#define MAIL_RELEASE_DATE      "20260615"

 #define MAIL_VERSION_NUMBER    "3.12"
 
 #ifdef SNAPSHOT
 #define MAIL_VERSION_NUMBER    "3.12"
 
 #ifdef SNAPSHOT

diff --git a/postfix/src/smtp/smtp_proto.c b/postfix/src/smtp/smtp_proto.c
index 6de6ad56e00a02861101853ff756e8bb05db0af9..4499087b67b50a292b97758cb9543e107ee09411 100644 (file)
--- a/postfix/src/smtp/smtp_proto.c
+++ b/postfix/src/smtp/smtp_proto.c
@@ -2048,7 +2048,7 @@ static int smtp_loop(SMTP_STATE *state, NOCLOBBER int send_state,
                            vstring_sprintf_append(next_command, " ORCPT=%s",
                                             vstring_str(session->scratch));
                    } else {
                            vstring_sprintf_append(next_command, " ORCPT=%s",
                                             vstring_str(session->scratch));
                    } else {

-                       xtext_quote(session->scratch, orcpt_type_addr, "=");
+                       xtext_quote(session->scratch, orcpt_type_addr, "+=");

                        vstring_sprintf_append(next_command, " ORCPT=%s",
                                             vstring_str(session->scratch));
                    }
                        vstring_sprintf_append(next_command, " ORCPT=%s",
                                             vstring_str(session->scratch));
                    }