From: Wietse Venema Date: Mon, 1 Dec 2014 05:00:00 +0000 (-0500) Subject: postfix-2.12-20141201 X-Git-Tag: v3.0.0-RC1~15 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=17552f259e35d5a3e77b54001534541c19f26bde;p=thirdparty%2Fpostfix.git postfix-2.12-20141201 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index 0c816b905..77e7b778b 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -20860,11 +20860,25 @@ Apologies for any names omitted. 20141130 Cleanup: when searching multiple DNS record types for a - specific name, and the result status is not DNS_OK, return - the rcode and diagnostic text for that status instead of - the last rcode and last diagnostic text. + specific name, and not all queries return the same result + status, do not blindly return the last query's rcode and + diagnostic text. Instead, return rcode and text that is + consistent with the aggregate result status. Cleanup: un-broke several smtpd regression tests (work in progress, with three more to go). Files: smtpd/smtpd_check.c, smtpd/smtpd_server.{in,ref}, smtpd/smtpd_exp.{in,ref}. smtpd/smtpd_dnswl.{in,ref}. + + Documentation: added note on Milter-signing bounces. + +20141201 + + Bugfix (introduced: 20141130): memory leak. File: dns_lookup.c. + + Cleanup: un-broke several dns regression tests by sorting + getaddrinfo() results by address family. Files: dns/dns_rr_eq_sa.c, + dns/dns_rr_eq_sa.ref, dns/dns_sa_to_rr.c, dns/dns_sa_to_rr.ref. + + Cleanup: missing #ifdef in smtpd_check test driver. File: + smtpd/smtpd_check.c. diff --git a/postfix/README_FILES/MILTER_README b/postfix/README_FILES/MILTER_README index 1e2216af2..6f8f7c9f9 100644 --- a/postfix/README_FILES/MILTER_README +++ b/postfix/README_FILES/MILTER_README 
@@ -247,7 +247,22 @@ must not REJECT or TEMPFAIL simulated RCPT TO commands. When a non_smtpd_milters application REJECTs or TEMPFAILs a recipient, Postfix will report a configuration error, and mail will stay in the queue. -None of this is a problem for mail filters that digitally sign mail. +SSiiggnniinngg iinntteerrnnaallllyy--ggeenneerraatteedd bboouunnccee mmeessssaaggeess + +Postfix normally does not apply content filters to mail that is generated +internally such as bounces or Postmaster notifications. Filtering internally- +generated bounces would result in loss of mail when a filter rejects a message, +as the resulting double-bounce message would almost certainly also be blocked. + +To sign Postfix's own bounce messages, enable filtering of internally-generated +bounces (line 2 below), and don't reject any internally-generated bounces with +non_smtpd_milters, header_checks or body_checks (lines 3-5 below). + + 1 /etc/postfix/main.cf: + 2 internal_mail_filter_classes = bounce + 3 non_smtpd_milters = don't reject internally-generated bounces + 4 header_checks = don't reject internally-generated bounces + 5 body_checks = don't reject internally-generated bounces MMiilltteerr eerrrroorr hhaannddlliinngg @@ -590,11 +605,6 @@ the CONTENT_INSPECTION_README document for a discussion. commands. When this rule is violated, Postfix will report a configuration error, and mail will stay in the queue. - * Postfix currently does not apply content filters to mail that is forwarded - or aliased internally, or to mail that is generated internally such as - bounces or Postmaster notifications. This may be a problem when you want to - apply a signing Milter to such mail. - * When you use the before-queue content filter for incoming SMTP mail (see SMTPD_PROXY_README), Milter applications have access only to the SMTP command information; they have no access to the message header or body, and 
diff --git a/postfix/html/MILTER_README.html b/postfix/html/MILTER_README.html index dcb5defeb..2bbc43b0b 100644 --- a/postfix/html/MILTER_README.html +++ b/postfix/html/MILTER_README.html @@ -428,8 +428,28 @@ commands. When a non_smtpd_milters< a recipient, Postfix will report a configuration error, and mail will stay in the queue.

-

None of this is a problem for mail filters that digitally sign -mail.

+

Signing internally-generated bounce messages

+ +
  • Postfix normally does not apply content filters to mail +that is generated internally such as bounces or Postmaster +notifications. Filtering internally-generated bounces would result +in loss of mail when a filter rejects a message, as the resulting +double-bounce message would almost certainly also be blocked.

    + +

    To sign Postfix's own bounce messages, enable filtering of +internally-generated bounces (line 2 below), and don't reject any +internally-generated bounces with non_smtpd_milters, header_checks +or body_checks (lines 3-5 below).

    + +
    +
    +1 /etc/postfix/main.cf:
    +2     internal_mail_filter_classes = bounce
    +3     non_smtpd_milters = don't reject internally-generated bounces
    +4     header_checks = don't reject internally-generated bounces
    +5     body_checks = don't reject internally-generated bounces
    +
    +

    Milter error handling

    @@ -885,12 +905,6 @@ TEMPFAIL simulated RCPT TO commands. When this rule is violated, Postfix will report a configuration error, and mail will stay in the queue.

    -
  • Postfix currently does not apply content filters to mail -that is forwarded or aliased internally, or to mail that is generated -internally such as bounces or Postmaster notifications. This may -be a problem when you want to apply a signing Milter to such mail. -

    -
  • When you use the before-queue content filter for incoming SMTP mail (see SMTPD_PROXY_README), Milter applications have access only to the SMTP command information; they have no access to the diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index b8e3b0188..73b4aac5b 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -10333,18 +10333,21 @@ implemented.

    Example: ignore Google AAAA records in Postfix SMTP client DNS diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index d39d69251..29253cc4c 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -6394,26 +6394,26 @@ implemented. .PP Notes: .IP \(bu -The smtp_dns_reply_filter and lmtp_dns_reply_filter features -are used only for Postfix SMTP or LMTP client DNS lookups of MX, -A, and AAAAA records to locate a remote SMTP or LMTP server, including -lookups that are made to implement the features reject_unverified_sender -and reject_unverified_recipient. +Postfix DNS reply filters have no effect on implicit DNS +lookups through nsswitch.conf or equivalent mechanisms. .IP \(bu -The Postfix SMTP or LMTP client defers mail delivery when +The Postfix SMTP and LMTP client use smtp_dns_reply_filter +and lmtp_dns_reply_filter only to locate a remote SMTP or LMTP +server (record types MX, A, and AAAAA). These lookups are also +made to implement the features reject_unverified_sender and +reject_unverified_recipient. +.IP \(bu +The Postfix SMTP and LMTP client defer mail delivery when a filter removes all lookup results from a successful query. .IP \(bu -The smtpd_dns_reply_filter feature is used only for Postfix -SMTP server DNS lookups of MX, A, AAAAA, and TXT records to implement -the features reject_unknown_helo_hostname, reject_unknown_sender_domain, +Postfix SMTP server uses smtpd_dns_reply_filter only to +look up MX, A, AAAAA, and TXT records to implement the features +reject_unknown_helo_hostname, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_*, and reject_rhsbl_*. .IP \(bu The Postfix SMTP server logs a warning or defers mail delivery when a filter removes all lookup results from a successful query. -.IP \(bu -Implicit DNS lookups through nsswitch.conf or equivalent -mechanisms are not filtered. .br .PP Example: ignore Google AAAA records in Postfix SMTP client DNS 
diff --git a/postfix/proto/MILTER_README.html b/postfix/proto/MILTER_README.html index 27984feca..5b634c0dc 100644 --- a/postfix/proto/MILTER_README.html +++ b/postfix/proto/MILTER_README.html @@ -428,8 +428,28 @@ commands. When a non_smtpd_milters application REJECTs or TEMPFAILs a recipient, Postfix will report a configuration error, and mail will stay in the queue.

    -

    None of this is a problem for mail filters that digitally sign -mail.

    +

    Signing internally-generated bounce messages

    + +
  • Postfix normally does not apply content filters to mail +that is generated internally such as bounces or Postmaster +notifications. Filtering internally-generated bounces would result +in loss of mail when a filter rejects a message, as the resulting +double-bounce message would almost certainly also be blocked.

    + +

    To sign Postfix's own bounce messages, enable filtering of +internally-generated bounces (line 2 below), and don't reject any +internally-generated bounces with non_smtpd_milters, header_checks +or body_checks (lines 3-5 below).

    + +
    +
    +1 /etc/postfix/main.cf:
    +2     internal_mail_filter_classes = bounce
    +3     non_smtpd_milters = don't reject internally-generated bounces
    +4     header_checks = don't reject internally-generated bounces
    +5     body_checks = don't reject internally-generated bounces
    +
    +

    Milter error handling

    @@ -885,12 +905,6 @@ TEMPFAIL simulated RCPT TO commands. When this rule is violated, Postfix will report a configuration error, and mail will stay in the queue.

    -
  • Postfix currently does not apply content filters to mail -that is forwarded or aliased internally, or to mail that is generated -internally such as bounces or Postmaster notifications. This may -be a problem when you want to apply a signing Milter to such mail. -

    -
  • When you use the before-queue content filter for incoming SMTP mail (see SMTPD_PROXY_README), Milter applications have access only to the SMTP command information; they have no access to the diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 8816efc87..0502e60ea 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -16331,18 +16331,21 @@ implemented.

    Example: ignore Google AAAA records in Postfix SMTP client DNS diff --git a/postfix/src/dns/dns_lookup.c b/postfix/src/dns/dns_lookup.c index 3618550ce..076c65177 100644 --- a/postfix/src/dns/dns_lookup.c +++ b/postfix/src/dns/dns_lookup.c @@ -801,7 +801,7 @@ int dns_lookup_rl(const char *name, unsigned flags, DNS_RR **rrlist, hpref_rcode = *rcode; \ if (why && status != DNS_OK) \ vstring_strcpy(hpref_rtext ? hpref_rtext : \ - vstring_alloc(VSTRING_LEN(why)), \ + (hpref_rtext = vstring_alloc(VSTRING_LEN(why))), \ vstring_str(why)); \ } while (0) diff --git a/postfix/src/dns/dns_rr_eq_sa.c b/postfix/src/dns/dns_rr_eq_sa.c index baecab790..67b0f97f4 100644 --- a/postfix/src/dns/dns_rr_eq_sa.c +++ b/postfix/src/dns/dns_rr_eq_sa.c @@ -77,9 +77,11 @@ int dns_rr_eq_sa(DNS_RR *rr, struct sockaddr * sa) * Stand-alone test program. */ #ifdef TEST +#include #include #include #include +#include static const char *myname; @@ -88,6 +90,14 @@ static NORETURN usage(void) msg_fatal("usage: %s hostname address", myname); } +static int compare_family(const void *a, const void *b) +{ + struct addrinfo *resa = *(struct addrinfo **) a; + struct addrinfo *resb = *(struct addrinfo **) b; + + return (resa->ai_family - resb->ai_family); +} + int main(int argc, char **argv) { MAI_HOSTADDR_STR hostaddr; @@ -95,6 +105,8 @@ int main(int argc, char **argv) struct addrinfo *res0; struct addrinfo *res1; struct addrinfo *res; + struct addrinfo **resv; + size_t len, n; int aierr; myname = argv[0]; 
@@ -116,19 +128,26 @@ int main(int argc, char **argv) if ((aierr = hostname_to_sockaddr(argv[0], (char *) 0, 0, &res0)) != 0) msg_fatal("host name %s: %s", argv[0], MAI_STRERROR(aierr)); - for (res = res0; res != 0; res = res->ai_next) { - SOCKADDR_TO_HOSTADDR(res->ai_addr, res->ai_addrlen, + for (len = 0, res = res0; res != 0; res = res->ai_next) + len += 1; + resv = (struct addrinfo **) mymalloc(len * sizeof(*resv)); + for (len = 0, res = res0; res != 0; res = res->ai_next) + resv[len++] = res; + qsort((void *) resv, len, sizeof(*resv), compare_family); + for (n = 0; n < len; n++) { + SOCKADDR_TO_HOSTADDR(resv[n]->ai_addr, resv[n]->ai_addrlen, &hostaddr, (MAI_SERVPORT_STR *) 0, 0); vstream_printf("%s =?= %s\n", hostaddr.buf, argv[1]); vstream_printf("tested by function: %s\n", - dns_rr_eq_sa(rr, res->ai_addr) ? + dns_rr_eq_sa(rr, resv[n]->ai_addr) ? "yes" : "no"); vstream_printf("tested by macro: %s\n", - DNS_RR_EQ_SA(rr, res->ai_addr) ? + DNS_RR_EQ_SA(rr, resv[n]->ai_addr) ? "yes" : "no"); } dns_rr_free(rr); freeaddrinfo(res0); + myfree((void *) resv); vstream_fflush(VSTREAM_OUT); argv += 1; } diff --git a/postfix/src/dns/dns_rr_eq_sa.ref b/postfix/src/dns/dns_rr_eq_sa.ref index 668726692..75fb0c3d4 100644 --- a/postfix/src/dns/dns_rr_eq_sa.ref +++ b/postfix/src/dns/dns_rr_eq_sa.ref 
@@ -1,24 +1,24 @@ -2604:8d00:189::2 =?= 168.100.189.2 -tested by function: no -tested by macro: no 168.100.189.2 =?= 168.100.189.2 tested by function: yes tested by macro: yes -2604:8d00:189::2 =?= 168.100.189.3 +2604:8d00:189::2 =?= 168.100.189.2 tested by function: no tested by macro: no 168.100.189.2 =?= 168.100.189.3 tested by function: no tested by macro: no +2604:8d00:189::2 =?= 168.100.189.3 +tested by function: no +tested by macro: no +168.100.189.2 =?= 2604:8d00:189::2 +tested by function: no +tested by macro: no 2604:8d00:189::2 =?= 2604:8d00:189::2 tested by function: yes tested by macro: yes -168.100.189.2 =?= 2604:8d00:189::2 +168.100.189.2 =?= 2604:8d00:189::3 tested by function: no tested by macro: no 2604:8d00:189::2 =?= 2604:8d00:189::3 tested by function: no tested by macro: no -168.100.189.2 =?= 2604:8d00:189::3 -tested by function: no -tested by macro: no diff --git a/postfix/src/dns/dns_sa_to_rr.c b/postfix/src/dns/dns_sa_to_rr.c index 8a0e15722..6b9efcc17 100644 --- a/postfix/src/dns/dns_sa_to_rr.c +++ b/postfix/src/dns/dns_sa_to_rr.c @@ -50,7 +50,7 @@ /* dns_sa_to_rr - socket address to resource record */ -DNS_RR *dns_sa_to_rr(const char *hostname, unsigned pref, struct sockaddr * sa) +DNS_RR *dns_sa_to_rr(const char *hostname, unsigned pref, struct sockaddr *sa) { #define DUMMY_TTL 0 @@ -74,9 +74,11 @@ DNS_RR *dns_sa_to_rr(const char *hostname, unsigned pref, struct sockaddr * sa) * Stand-alone test program. */ #ifdef TEST +#include #include #include #include +#include static const char *myname; 
@@ -85,11 +87,21 @@ static NORETURN usage(void) msg_fatal("usage: %s hostname", myname); } +static int compare_family(const void *a, const void *b) +{ + struct addrinfo *resa = *(struct addrinfo **) a; + struct addrinfo *resb = *(struct addrinfo **) b; + + return (resa->ai_family - resb->ai_family); +} + int main(int argc, char **argv) { MAI_HOSTADDR_STR hostaddr; struct addrinfo *res0; struct addrinfo *res; + struct addrinfo **resv; + size_t len, n; DNS_RR *rr; int aierr; @@ -102,8 +114,14 @@ int main(int argc, char **argv) while (*++argv) { if ((aierr = hostname_to_sockaddr(argv[0], (char *) 0, 0, &res0)) != 0) msg_fatal("%s: %s", argv[0], MAI_STRERROR(aierr)); - for (res = res0; res != 0; res = res->ai_next) { - if ((rr = dns_sa_to_rr(argv[0], 0, res->ai_addr)) == 0) + for (len = 0, res = res0; res != 0; res = res->ai_next) + len += 1; + resv = (struct addrinfo **) mymalloc(len * sizeof(*resv)); + for (len = 0, res = res0; res != 0; res = res->ai_next) + resv[len++] = res; + qsort((void *) resv, len, sizeof(*resv), compare_family); + for (n = 0; n < len; n++) { + if ((rr = dns_sa_to_rr(argv[0], 0, resv[n]->ai_addr)) == 0) msg_fatal("dns_sa_to_rr: %m"); if (dns_rr_to_pa(rr, &hostaddr) == 0) msg_fatal("dns_rr_to_pa: %m"); @@ -112,6 +130,7 @@ int main(int argc, char **argv) dns_rr_free(rr); } freeaddrinfo(res0); + myfree((void *) resv); } return (0); } diff --git a/postfix/src/dns/dns_sa_to_rr.ref b/postfix/src/dns/dns_sa_to_rr.ref index 0b67b74e2..86c022d56 100644 --- a/postfix/src/dns/dns_sa_to_rr.ref +++ b/postfix/src/dns/dns_sa_to_rr.ref @@ -1,2 +1,2 @@ -spike.porcupine.org -> 2604:8d00:189::2 spike.porcupine.org -> 168.100.189.2 +spike.porcupine.org -> 2604:8d00:189::2 diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 17c960c6b..3509a6058 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h 
@@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20141130" +#define MAIL_RELEASE_DATE "20141201" #define MAIL_VERSION_NUMBER "2.12" #ifdef SNAPSHOT diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c index 3237ca0f7..476bcfed0 100644 --- a/postfix/src/smtpd/smtpd_check.c +++ b/postfix/src/smtpd/smtpd_check.c @@ -6183,10 +6183,12 @@ int main(int argc, char **argv) #define FREE_STRING(s) { if (s) myfree(s); } FREE_STRING(state.helo_name); FREE_STRING(state.sender); +#ifdef USE_TLS if (state.tls_context) { FREE_STRING(state.tls_context->peer_cert_fprint); myfree((char *) state.tls_context); } +#endif exit(0); }
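Review bot: In the MILTER_README hunk (and its html/ and proto/ copies), lines 3-5 of the main.cf example put prose where a parameter value belongs ("non_smtpd_milters = don't reject internally-generated bounces"), so a reader who pastes the block gets a configuration that does not parse as intended. Consider moving that instruction into the paragraph above or into comment lines, and leaving only "internal_mail_filter_classes = bounce" as a literal setting. The removed limitations bullet also covered mail that is "forwarded or aliased internally"; the new section only discusses bounces and Postmaster notifications, so that limitation is no longer documented anywhere in the visible text.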
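Review bot: In the postconf.5 hunk, the rewritten bullets still carry the record type as "AAAAA" (five A's) in both "record types MX, A, and AAAAA" and "MX, A, AAAAA, and TXT records"; since these lines are being rewritten anyway, this is the place to correct it to AAAA, in postconf.proto as well so the generated man and HTML pages follow. The new wording "The Postfix SMTP and LMTP client use" and "client defer" also reads oddly with a singular noun; "clients use" and "clients defer" would match.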
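Review bot: In the dns_lookup.c hunk, the leak fix hides the assignment inside the second arm of a conditional expression that is itself an argument to vstring_strcpy() within a multi-line macro, "(hpref_rtext = vstring_alloc(VSTRING_LEN(why)))", which is easy to misread and easy to break again on the next edit. An explicit "if (hpref_rtext == 0) hpref_rtext = vstring_alloc(...)" ahead of the vstring_strcpy() call would make the ownership obvious. The hunk does not show where hpref_rtext is released, so it is worth confirming that every return path of dns_lookup_rl() frees it now that the pointer is actually retained.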
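Review bot: In the dns_rr_eq_sa.c test driver, compare_family() orders entries by ai_family only and qsort() is not a stable sort, so the output is deterministic only while the host has one address per family, as in the updated .ref file. If the reference host ever gains a second A or AAAA record the test can break again; a tie-break on the address bytes, or on original list position, would make the order fully defined. The result count is also passed straight to mymalloc(len * sizeof(*resv)) without checking that len is non-zero, which relies on hostname_to_sockaddr() never returning success with an empty list.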
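Review bot: In the dns_sa_to_rr.c test driver, compare_family() and the count, copy and qsort() sequence are duplicated verbatim from dns_rr_eq_sa.c, so any later fix to the ordering has to be made in two places. A small shared test helper that returns the sorted addrinfo vector would keep the two drivers and their .ref files consistent. The same non-stable ordering within one address family applies here as well.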