deprecated lookup tables. A typical example is "postconf
-PPx '*/*/proxy_read_maps". Files: postconf/postconf.[hc],
postconf/postconf_master.c, postconf/Makefile.in.
+
+20260128
+
+ Miscellaneous text fixes. Files: proto/MYSQL_README.html,
+ proto/postconf.html.prolog, proto/postconf.man.prolog.
+
+20260131
+
+ Cleanup: the tls_legacy_public_key_fingerprints parameter
+ has been removed. It has had no effect since Postfix
+ 3.9.0. Viktor Dukhovni. Files: proto/postconf.proto,
+ global/mail_params.h, tls/tls_misc.c, tls/tls_proxy_client_misc.c,
+ tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c,
+ tls/tls_proxy.h.
+
+20260217
+
+ Bugfix: (defect introduced: Postfix 2.11): panic() after
+ recursive logging loop with "posttls-finger -v -v -v".
+ Reported by Geert Hendrickx, diagnosed by Viktor Dukhovni,
+ and fixed by Wietse. Files: util/vstream.[hc], util/msg_vstream.c.
+
+ Cleanup: added missing notes in the postconf(5) manpage
+ that an IPv6 address needs to be enclosed in [] for the
+ debug_peer_list and qmqpd_authorized_clients parameters.
+ File: proto/postconf.proto.
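Review bot: the 20260131 entry removes a main.cf parameter but lists no RELEASE_NOTES change; a main.cf that still sets tls_legacy_public_key_fingerprints will now produce an "unused parameter" warning, so an incompatibility note in RELEASE_NOTES should accompany this entry.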
-P\bPo\bos\bst\btf\bfi\bix\bx M\bMy\byS\bSQ\bQL\bL H\bHo\bow\bwt\bto\bo
+P\bPo\bos\bst\btf\bfi\bix\bx M\bMy\byS\bSQ\bQL\bL/\b/M\bMa\bar\bri\bia\baD\bDB\bB H\bHo\bow\bwt\bto\bo
-------------------------------------------------------------------------------
<body>
-<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix MySQL Howto</h1>
+<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix MySQL/MariaDB Howto</h1>
<hr>
<li> <p> The expression "${name{value}}" is replaced with the result
from calling the function <i>name</i> with the argument <i>value</i>
-after stripping whitespace betwen the "{", the value, and the "}".
+after stripping whitespace between the "{", the value, and the "}".
An example is the <a href="postconf.5.html#domain_to_ascii">domain_to_ascii</a>{} function. </p>
<li> <p> Each "value" is subject to recursive named parameter and
<p> Specify domain names, network/netmask patterns, "/file/name"
patterns or "<a href="DATABASE_README.html">type:table</a>" lookup tables. The right-hand side result
-from "<a href="DATABASE_README.html">type:table</a>" lookups is ignored. </p>
+from "<a href="DATABASE_README.html">type:table</a>" lookups is ignored. An IPv6 address must be enclosed
+in <tt>[]</tt>. </p>
<p> Pattern matching of domain names is controlled by the presence
or absence of "<a href="postconf.5.html#debug_peer_list">debug_peer_list</a>" in the <a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a>
where the mask specifies the number of bits in the network part.
When a pattern specifies a file name, its contents are substituted
for the file name; when a pattern is a "<a href="DATABASE_README.html">type:table</a>" table specification,
-table lookup is used instead. </p>
+table lookup is used instead. An IPv6 address must be enclosed in
+<tt>[]</tt>. </p>
<p>
Patterns are separated by whitespace and/or commas. In order to
fingerprints used by Postfix 2.9.6 and later. To compute the correct
certificate public-key fingerprints, see <a href="TLS_README.html">TLS_README</a>. </p>
-<p> This feature is available in Postfix 2.9.6 and later. </p>
+<p> This feature is available in Postfix 2.9.6 through 3.10.
+This parameter has had no effect since Postfix 3.9.0, and has been
+removed as of postfix 3.11.0. </p>
</DD>
.IP \(bu
The expression "${name{value}}" is replaced with the result from
calling the function \fIname\fR with the argument \fIvalue\fR
-after stripping whitespace betwen the "{", the value, and the "}".
+after stripping whitespace between the "{", the value, and the "}".
An example is the domain_to_ascii{} function.
.IP \(bu
Each "value" is subject to recursive named parameter and relational
.PP
Specify domain names, network/netmask patterns, "/file/name"
patterns or "type:table" lookup tables. The right\-hand side result
-from "type:table" lookups is ignored.
+from "type:table" lookups is ignored. An IPv6 address must be enclosed
+in [].
.PP
Pattern matching of domain names is controlled by the presence
or absence of "debug_peer_list" in the parent_domain_matches_subdomains
where the mask specifies the number of bits in the network part.
When a pattern specifies a file name, its contents are substituted
for the file name; when a pattern is a "type:table" table specification,
-table lookup is used instead.
+table lookup is used instead. An IPv6 address must be enclosed in
+[].
.PP
Patterns are separated by whitespace and/or commas. In order to
reverse the result, precede a pattern with an
fingerprints used by Postfix 2.9.6 and later. To compute the correct
certificate public\-key fingerprints, see TLS_README.
.PP
-This feature is available in Postfix 2.9.6 and later.
+This feature is available in Postfix 2.9.6 through 3.10.
+This parameter has had no effect since Postfix 3.9.0, and has been
+removed as of postfix 3.11.0.
.SH tls_low_cipherlist (default: see "postconf \-d" output)
The OpenSSL cipherlist for "low" or higher grade ciphers.
Ignored as of Postfix 3.8. In earlier Postfix releases this
smtpd_tls_cipherlist
tls_dane_digest_agility
tls_dane_trust_anchor_digest_enable
+tls_legacy_public_key_fingerprints
tlsproxy_client_level
tlsproxy_client_policy
tlsproxy_tls_session_cache_timeout
<body>
-<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix MySQL Howto</h1>
+<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix MySQL/MariaDB Howto</h1>
<hr>
<li> <p> The expression "${name{value}}" is replaced with the result
from calling the function <i>name</i> with the argument <i>value</i>
-after stripping whitespace betwen the "{", the value, and the "}".
+after stripping whitespace between the "{", the value, and the "}".
An example is the domain_to_ascii{} function. </p>
<li> <p> Each "value" is subject to recursive named parameter and
.IP \(bu
The expression "${name{value}}" is replaced with the result from
calling the function \fIname\fR with the argument \fIvalue\fR
-after stripping whitespace betwen the "{", the value, and the "}".
+after stripping whitespace between the "{", the value, and the "}".
An example is the domain_to_ascii{} function.
.IP \(bu
Each "value" is subject to recursive named parameter and relational
<p> Specify domain names, network/netmask patterns, "/file/name"
patterns or "type:table" lookup tables. The right-hand side result
-from "type:table" lookups is ignored. </p>
+from "type:table" lookups is ignored. An IPv6 address must be enclosed
+in <tt>[]</tt>. </p>
<p> Pattern matching of domain names is controlled by the presence
or absence of "debug_peer_list" in the parent_domain_matches_subdomains
where the mask specifies the number of bits in the network part.
When a pattern specifies a file name, its contents are substituted
for the file name; when a pattern is a "type:table" table specification,
-table lookup is used instead. </p>
+table lookup is used instead. An IPv6 address must be enclosed in
+<tt>[]</tt>. </p>
<p>
Patterns are separated by whitespace and/or commas. In order to
fingerprints used by Postfix 2.9.6 and later. To compute the correct
certificate public-key fingerprints, see TLS_README. </p>
-<p> This feature is available in Postfix 2.9.6 and later. </p>
+<p> This feature is available in Postfix 2.9.6 through 3.10.
+This parameter has had no effect since Postfix 3.9.0, and has been
+removed as of postfix 3.11.0. </p>
%PARAM tlsproxy_watchdog_timeout 10s
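Review bot: the replacement text for tls_legacy_public_key_fingerprints contradicts itself: "available in Postfix 2.9.6 through 3.10" is followed by "has had no effect since Postfix 3.9.0", so "accepted through 3.10" (or "documented through 3.10") would be accurate. In the same sentence "postfix 3.11.0" should be "Postfix 3.11.0", and since MAIL_VERSION_NUMBER in this snapshot is "3.12", confirm that 3.11.0 is the intended first release without the parameter. The same wording is repeated in the generated html/postconf.5.html and man/man5/postconf.5 hunks, so fix it here and regenerate rather than editing three copies.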
to to the lookup result With Postfix 3 11 and later specify
has moved to to a table lookup result and the format for a
after stripping whitespace betwen the the value and the
+after stripping whitespace between the the value and the
domain_to_ascii returns the xn mumble mumble Punycode A label form that Postfix needs This works around a limitation that may be eliminated in a future Postfix version
smtp_requiretls_policy smtp_requiretls_policy inline
xn mumble mumble Punycode A label form that Postfix needs This works around a limitation that may be eliminated in a future Postfix version
+in tt tt p
#define DEF_TLS_TKT_CIPHER "aes-256-cbc"
extern char *var_tls_tkt_cipher;
-#define VAR_TLS_BC_PKEY_FPRINT "tls_legacy_public_key_fingerprints"
-#define DEF_TLS_BC_PKEY_FPRINT 0
-extern bool var_tls_bc_pkey_fprint;
-
#define VAR_TLS_SERVER_SNI_MAPS "tls_server_sni_maps"
#define DEF_TLS_SERVER_SNI_MAPS ""
extern char *var_tls_server_sni_maps;
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20260127"
+#define MAIL_RELEASE_DATE "20260218"
#define MAIL_VERSION_NUMBER "3.12"
#ifdef SNAPSHOT
/* int var_tls_daemon_rand_bytes;
/* bool var_tls_append_def_CA;
/* bool var_tls_preempt_clist;
-/* bool var_tls_bc_pkey_fprint;
/* bool var_tls_multi_wildcard;
/* char *var_tls_mgr_service;
/* char *var_tls_tkt_cipher;
bool var_tls_append_def_CA;
char *var_tls_bug_tweaks;
char *var_tls_ssl_options;
-bool var_tls_bc_pkey_fprint;
bool var_tls_multi_wildcard;
char *var_tls_mgr_service;
char *var_tls_tkt_cipher;
/* If this changes, update TLS_CLIENT_PARAMS in tls_proxy.h. */
static const CONFIG_BOOL_TABLE bool_table[] = {
VAR_TLS_APPEND_DEF_CA, DEF_TLS_APPEND_DEF_CA, &var_tls_append_def_CA,
- VAR_TLS_BC_PKEY_FPRINT, DEF_TLS_BC_PKEY_FPRINT, &var_tls_bc_pkey_fprint,
VAR_TLS_PREEMPT_CLIST, DEF_TLS_PREEMPT_CLIST, &var_tls_preempt_clist,
VAR_TLS_MULTI_WILDCARD, DEF_TLS_MULTI_WILDCARD, &var_tls_multi_wildcard,
VAR_TLS_FAST_SHUTDOWN, DEF_TLS_FAST_SHUTDOWN, &var_tls_fast_shutdown,
char *tls_tkt_cipher;
int tls_daemon_rand_bytes;
int tls_append_def_CA;
- int tls_bc_pkey_fprint;
int tls_preempt_clist;
int tls_multi_wildcard;
} TLS_CLIENT_PARAMS;
#define TLS_PROXY_PARAMS(params, a1, a2, a3, a4, a5, a6, a7, a8, \
- a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19) \
+ a9, a10, a11, a12, a13, a14, a15, a16, a17, a18) \
(((params)->a1), ((params)->a2), ((params)->a3), \
((params)->a4), ((params)->a5), ((params)->a6), ((params)->a7), \
((params)->a8), ((params)->a9), ((params)->a10), ((params)->a11), \
((params)->a12), ((params)->a13), ((params)->a14), ((params)->a15), \
- ((params)->a16), ((params)->a17), ((params)->a18), ((params)->a19))
+ ((params)->a16), ((params)->a17), ((params)->a18))
/*
* tls_proxy_client_param_misc.c, tls_proxy_client_param_print.c, and
tls_tkt_cipher = var_tls_tkt_cipher,
tls_daemon_rand_bytes = var_tls_daemon_rand_bytes,
tls_append_def_CA = var_tls_append_def_CA,
- tls_bc_pkey_fprint = var_tls_bc_pkey_fprint,
tls_preempt_clist = var_tls_preempt_clist,
tls_multi_wildcard = var_tls_multi_wildcard);
return (params);
params->tls_daemon_rand_bytes),
SEND_ATTR_INT(VAR_TLS_APPEND_DEF_CA,
params->tls_append_def_CA),
- SEND_ATTR_INT(VAR_TLS_BC_PKEY_FPRINT,
- params->tls_bc_pkey_fprint),
SEND_ATTR_INT(VAR_TLS_PREEMPT_CLIST,
params->tls_preempt_clist),
SEND_ATTR_INT(VAR_TLS_MULTI_WILDCARD,
¶ms->tls_daemon_rand_bytes),
RECV_ATTR_INT(VAR_TLS_APPEND_DEF_CA,
¶ms->tls_append_def_CA),
- RECV_ATTR_INT(VAR_TLS_BC_PKEY_FPRINT,
- ¶ms->tls_bc_pkey_fprint),
RECV_ATTR_INT(VAR_TLS_PREEMPT_CLIST,
¶ms->tls_preempt_clist),
RECV_ATTR_INT(VAR_TLS_MULTI_WILDCARD,
params->tls_mgr_service = vstring_export(tls_mgr_service);
params->tls_tkt_cipher = vstring_export(tls_tkt_cipher);
- ret = (ret == 19 ? 1 : -1);
+ ret = (ret == 18 ? 1 : -1);
if (ret != 1) {
tls_proxy_client_param_free(params);
params = 0;
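Review bot: the attribute count in "ret = (ret == 18 ? 1 : -1);" is a magic number that must stay in step with the number of RECV_ATTR_* calls in this function, with the SEND_ATTR_* list in tls_proxy_client_print.c, and with the arity of TLS_PROXY_PARAMS in tls_proxy.h, all of which this change edits by hand from 19 to 18. Define the count once (for example a TLS_PROXY_PARAM_COUNT macro next to TLS_PROXY_PARAMS) and use it in the scan check so the next addition or removal changes one place.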
msg_tag = name;
msg_stream = vp;
+ vstream_no_debug(vp);
if (first_call) {
first_call = 0;
msg_output(msg_vstream_print);
/* int vstream_fstat(stream, flags)
/* VSTREAM *stream;
/* int flags;
+/*
+/* void vstream_no_debug(stream)
+/* VSTREAM *stream;
/* DESCRIPTION
/* The \fIvstream\fR module implements light-weight buffered I/O
/* similar to the standard I/O routines.
/* .IP VSTREAM_FLAG_OWN_VSTRING
/* The stream 'owns' the VSTRING buffer, and is responsible
/* for cleaning up when the stream is closed.
+/*
+/* vstream_no_debug() disables 'spontaneous' logging of output
+/* activity on the last specified VSTREAM, to prevent recursive
+/* logging.
/* DIAGNOSTICS
/* Panics: interface violations. Fatal errors: out of memory.
/* SEE ALSO
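Review bot: the new DESCRIPTION paragraph says vstream_no_debug() affects "the last specified VSTREAM" but does not say what a null argument does; since the check is "stream != vstream_log_veto", passing (VSTREAM *) 0 re-enables flush logging for every stream, and that is worth stating, together with the fact that only one stream can be vetoed at a time.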
} \
} while (0)
+static VSTREAM *vstream_log_veto;
+
/* vstream_buf_init - initialize buffer */
static void vstream_buf_init(VBUF *bp, int flags)
used = bp->len - bp->cnt;
left_over = used - to_flush;
- if (msg_verbose > 2 && stream != VSTREAM_ERR)
+ if (msg_verbose > 2 && stream != vstream_log_veto)
msg_info("%s: fd %d flush %ld", myname, stream->fd, (long) to_flush);
if (to_flush < 0 || left_over < 0)
msg_panic("%s: bad to_flush %ld", myname, (long) to_flush);
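Review bot: vstream_log_veto starts out null, so flushes of VSTREAM_ERR are now logged until some caller invokes vstream_no_debug(); the msg_vstream.c hunk does this for programs that log through msg_vstream_init(), but any program that never calls it loses the former unconditional VSTREAM_ERR exclusion. If that is intended, a sentence in the HISTORY entry or in the vstream_no_debug() comment should say so.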
}
}
}
- if (msg_verbose > 2 && stream != VSTREAM_ERR && n != to_flush)
+ if (msg_verbose > 2 && stream != vstream_log_veto && n != to_flush)
msg_info("%s: %d flushed %ld/%ld", myname, stream->fd,
(long) n, (long) to_flush);
}
return (stream);
}
+/* vstream_no_debug - debug logging lockout */
+
+void vstream_no_debug(VSTREAM *stream)
+{
+ vstream_log_veto = stream;
+}
+
#ifdef TEST
static void copy_line(ssize_t bufsize)
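Review bot: vstream_log_veto is set in vstream_no_debug() but never cleared; if the vetoed stream is later closed and its VSTREAM allocation is reused, an unrelated stream silently loses its flush debug logging while still being compared against a stale pointer. Consider resetting vstream_log_veto in vstream_fclose() when the stream being closed is the vetoed one.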
vstream_memreopen((VSTREAM *) 0, (string), (flags))
VSTREAM *vstream_memreopen(VSTREAM *, struct VSTRING *, int);
+ /*
+ * Debug logging lockout.
+ */
+extern void vstream_no_debug(VSTREAM *);
+
/* LICENSE
/* .ad
/* .fi