Prereq: "2.4.10" diff -cr --new-file /var/tmp/postfix-2.4.10/src/global/mail_version.h ./src/global/mail_version.h *** /var/tmp/postfix-2.4.10/src/global/mail_version.h Sat Jan 3 20:56:00 2009 --- ./src/global/mail_version.h Tue May 12 13:11:13 2009 *************** *** 20,27 **** * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20090103" ! #define MAIL_VERSION_NUMBER "2.4.10" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE --- 20,27 ---- * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20090511" ! #define MAIL_VERSION_NUMBER "2.4.11" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -cr --new-file /var/tmp/postfix-2.4.10/HISTORY ./HISTORY *** /var/tmp/postfix-2.4.10/HISTORY Sat Jan 3 20:39:08 2009 --- ./HISTORY Tue May 12 13:10:38 2009 *************** *** 13663,13665 **** --- 13663,13676 ---- Cleanup: adjust the VSTREAM buffer strategy when reusing an SMTP connection with a large TCP MSS value. File: smtp/smtp_reuse.c. + + 20090419 + + Bugfix: don't re-enable SIGHUP if it is ignored in the + parent. This may cause random "Postfix integrity check + failed" errors at boot time (POSIX SIGHUP death), causing + Postfix not to start. We duplicate code from postdrop and + thus avoid past mistakes. File: postsuper/postsuper.c. + + Robustness: don't re-enable SIGTERM if it is ignored in the + parent. Files: postsuper/postsuper.c, postdrop/postdrop.c. diff -cr --new-file /var/tmp/postfix-2.4.10/src/postdrop/postdrop.c ./src/postdrop/postdrop.c *** /var/tmp/postfix-2.4.10/src/postdrop/postdrop.c Tue May 29 20:22:55 2007 --- ./src/postdrop/postdrop.c Tue May 12 13:06:51 2009 *************** *** 340,346 **** signal(SIGINT, postdrop_sig); signal(SIGQUIT, postdrop_sig); ! 
signal(SIGTERM, postdrop_sig); if (signal(SIGHUP, SIG_IGN) == SIG_DFL) signal(SIGHUP, postdrop_sig); msg_cleanup(postdrop_cleanup); --- 340,347 ---- signal(SIGINT, postdrop_sig); signal(SIGQUIT, postdrop_sig); ! if (signal(SIGTERM, SIG_IGN) == SIG_DFL) ! signal(SIGTERM, postdrop_sig); if (signal(SIGHUP, SIG_IGN) == SIG_DFL) signal(SIGHUP, postdrop_sig); msg_cleanup(postdrop_cleanup); diff -cr --new-file /var/tmp/postfix-2.4.10/src/postsuper/postsuper.c ./src/postsuper/postsuper.c *** /var/tmp/postfix-2.4.10/src/postsuper/postsuper.c Mon Mar 26 20:21:41 2007 --- ./src/postsuper/postsuper.c Tue May 12 13:09:51 2009 *************** *** 968,978 **** /* * This commands requires root privileges. We therefore do not worry * about hostile signals, and report problems via msg_warn(). */ ! if (signal(SIGHUP, SIG_IGN) != SIG_IGN) { ! (void) signal(SIGINT, SIG_IGN); (void) signal(SIGQUIT, SIG_IGN); (void) signal(SIGTERM, SIG_IGN); if (inode_mismatch > 0 || inode_fixed > 0 || position_mismatch > 0) msg_warn("OPERATION INCOMPLETE -- RERUN COMMAND TO FIX THE QUEUE FIRST"); if (sig) --- 968,984 ---- /* * This commands requires root privileges. We therefore do not worry * about hostile signals, and report problems via msg_warn(). + * + * We use the in-kernel SIGINT handler address as an atomic variable to + * prevent nested interrupted() calls. For this reason, main() must + * configure interrupted() as SIGINT handler before other signal handlers + * are allowed to invoke interrupted(). See also similar code in + * postdrop. */ ! 
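Review bot: SIGQUIT is still installed unconditionally on the line directly above the new SIGTERM probe in postdrop.c, so a postdrop started with SIGQUIT ignored by its parent gets it re-enabled, which is the same class of problem the HISTORY entry describes for SIGHUP. The signal-setup hunk in postsuper.c carries the same unconditional `signal(SIGQUIT, interrupted);`. SIGINT presumably has to stay unconditional, since the postsuper comment describes its handler address as the re-entrancy guard and points to similar code in postdrop, but nothing visible explains SIGQUIT. Either probe it too, `if (signal(SIGQUIT, SIG_IGN) == SIG_DFL) signal(SIGQUIT, postdrop_sig);`, or say in the comment why it is exempt. The comment block that precedes these calls is outside the hunk, so this may already be covered there.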
if (signal(SIGINT, SIG_IGN) != SIG_IGN) { (void) signal(SIGQUIT, SIG_IGN); (void) signal(SIGTERM, SIG_IGN); + (void) signal(SIGHUP, SIG_IGN); if (inode_mismatch > 0 || inode_fixed > 0 || position_mismatch > 0) msg_warn("OPERATION INCOMPLETE -- RERUN COMMAND TO FIX THE QUEUE FIRST"); if (sig) *************** *** 1169,1179 **** * * Set up signal handlers after permanently dropping super-user privileges, * so that signal handlers will always run with the correct privileges. */ - signal(SIGHUP, interrupted); signal(SIGINT, interrupted); signal(SIGQUIT, interrupted); ! signal(SIGTERM, interrupted); msg_cleanup(fatal_warning); /* --- 1175,1194 ---- * * Set up signal handlers after permanently dropping super-user privileges, * so that signal handlers will always run with the correct privileges. + * + * XXX Don't enable SIGHUP or SIGTERM if it was ignored by the parent. + * + * interrupted() uses the in-kernel SIGINT handler address as an atomic + * variable to prevent nested interrupted() calls. For this reason, the + * SIGINT handler must be configured before other signal handlers are + * allowed to invoke interrupted(). See also similar code in postdrop. */ signal(SIGINT, interrupted); signal(SIGQUIT, interrupted); ! if (signal(SIGTERM, SIG_IGN) == SIG_DFL) ! signal(SIGTERM, interrupted); ! if (signal(SIGHUP, SIG_IGN) == SIG_DFL) ! signal(SIGHUP, interrupted); msg_cleanup(fatal_warning); /*
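Review bot: In the second postsuper.c hunk (signal setup), the probe `signal(SIGTERM, SIG_IGN) == SIG_DFL` changes the disposition in order to read it, so SIGTERM and SIGHUP are each ignored for the instant between the two signal() calls, and a SIG_ERR return is silently treated the same as "ignored by the parent". The transient state is the harmless one, so this is a robustness point rather than a bug. A read-only query avoids both: declare `struct sigaction old;` and use `if (sigaction(SIGTERM, NULL, &old) == 0 && old.sa_handler == SIG_DFL) signal(SIGTERM, interrupted);`, likewise for SIGHUP. The postdrop.c hunk uses the same probe idiom.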