Prereq: "2.8.7" diff -cr --new-file /var/tmp/postfix-2.8.7/src/global/mail_version.h ./src/global/mail_version.h *** /var/tmp/postfix-2.8.7/src/global/mail_version.h Sat Nov 5 15:17:13 2011 --- ./src/global/mail_version.h Wed Feb 1 14:18:16 2012 *************** *** 20,27 **** * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20111105" ! #define MAIL_VERSION_NUMBER "2.8.7" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE --- 20,27 ---- * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20120201" ! #define MAIL_VERSION_NUMBER "2.8.8" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -cr --new-file /var/tmp/postfix-2.8.7/HISTORY ./HISTORY *** /var/tmp/postfix-2.8.7/HISTORY Sat Nov 5 15:16:53 2011 --- ./HISTORY Tue Jan 31 16:13:45 2012 *************** *** 16695,16697 **** --- 16695,16749 ---- Portability: OpenBSD 5.x is supported. Files: makedefs, util/sys_defs.h. + + Portability: Dovecot now officially supports more socket + types for its authentication server. File: + xsasl/xsasl_dovecot_server.c. + + 20111126 + + Bitrot: changes in error reporting to the under-documented + OpenLDAP API. Problem reported by Quanah Gibson-Mount. Fix + by Viktor Dukhovni. File: global/dict_ldap.c. + + 20111205 + + Bugfix: tlsproxy(8) stored TLS sessions with a serverID of + "tlsproxy" instead of "smtpd", wasting an opportunity for + session reuse. File: tlsproxy/tlsproxy.c. + + 20111211 + + Bugfix: missing lookup table entry and terminator, causing + proxymap server segfault when postscreen(8) or verify(8) + attempted to access their cache via the proxymap server. + This could never have worked anyway, because the Postfix + 2.8 proxymap protocol does not support cache cleanup. File + util/dict.c. + + 20111226 + + Bugfix (introduced 20110426): after lookup error with + mailbox_transport_maps, mailbox_command_maps or + fallback_transport_maps, the local delivery agent did not + log the problem before deferring mail, and produced no defer + logfile record. Files: local/mailbox.c, local/unknown.c. + + 20120127 + + Bugfix (introduced: Postfix 2.8): the Postfix client sqlite + quoting routine returned the unquoted result instead of the + quoted text. The opportunities for misuse are limited, + because Postfix sqlite files are usually owned by root, and + Postfix daemons usually run with non-root privileges so + they can't corrupt the database. Problem reported by Rob + McGee (rob0). File: global/dict_sqlite.c. + + 20120130 + + Bugfix (introduced: Postfix 2.3): the trace service did not + distinguish between notifications for a non-bounce or a + bounce message. This code pre-dates DSN support and should + have been updated when it was re-purposed to handle DSN + SUCCESS notifications. Problem reported by Sabahattin + Gucukoglu. File: bounce/bounce_trace_service.c. diff -cr --new-file /var/tmp/postfix-2.8.7/src/bounce/bounce_trace_service.c ./src/bounce/bounce_trace_service.c *** /var/tmp/postfix-2.8.7/src/bounce/bounce_trace_service.c Tue Apr 28 13:27:43 2009 --- ./src/bounce/bounce_trace_service.c Mon Jan 30 20:49:54 2012 *************** *** 83,90 **** BOUNCE_INFO *bounce_info; int bounce_status = 1; VSTREAM *bounce; ! VSTRING *new_id = vstring_alloc(10); int count; /* * Initialize. Open queue file, bounce log, etc. --- 83,121 ---- BOUNCE_INFO *bounce_info; int bounce_status = 1; VSTREAM *bounce; ! int notify_mask = name_mask(VAR_NOTIFY_CLASSES, mail_error_masks, ! var_notify_classes); ! VSTRING *new_id; int count; + const char *sender; + + /* + * For consistency with fail/delay notifications, send notification for a + * non-bounce message as a single-bounce message, send notification for a + * single-bounce message as a double-bounce message, and drop requests to + * send notification for a double-bounce message. + */ + #define NULL_SENDER MAIL_ADDR_EMPTY /* special address */ + + if (strcasecmp(recipient, mail_addr_double_bounce()) == 0) { + msg_info("%s: not sending trace/success notification for " + "double-bounce message", queue_id); + return (0); + } else if (*recipient == 0) { + if ((notify_mask & MAIL_ERROR_2BOUNCE) != 0) { + recipient = var_2bounce_rcpt; + sender = mail_addr_double_bounce(); + } else { + msg_info("%s: not sending trace/success notification " + "for single-bounce message", queue_id); + if (mail_queue_remove(service, queue_id) && errno != ENOENT) + msg_fatal("remove %s %s: %m", service, queue_id); + return (0); + } + } else { + /* Always send notification for non-bounce message. */ + sender = NULL_SENDER; + } /* * Initialize. Open queue file, bounce log, etc. *************** *** 126,132 **** bounce_mail_free(bounce_info); return (0); } - #define NULL_SENDER MAIL_ADDR_EMPTY /* special address */ #define NULL_TRACE_FLAGS 0 /* --- 157,162 ---- *************** *** 139,145 **** * there are fewer potential left-over files to remove up when we create * a new queue file. */ ! if ((bounce = post_mail_fopen_nowait(NULL_SENDER, recipient, INT_FILT_MASK_BOUNCE, NULL_TRACE_FLAGS, new_id)) != 0) { --- 169,176 ---- * there are fewer potential left-over files to remove up when we create * a new queue file. */ ! new_id = vstring_alloc(10); ! if ((bounce = post_mail_fopen_nowait(sender, recipient, INT_FILT_MASK_BOUNCE, NULL_TRACE_FLAGS, new_id)) != 0) { diff -cr --new-file /var/tmp/postfix-2.8.7/src/global/dict_ldap.c ./src/global/dict_ldap.c *** /var/tmp/postfix-2.8.7/src/global/dict_ldap.c Mon Dec 6 08:20:11 2010 --- ./src/global/dict_ldap.c Tue Jan 31 16:26:42 2012 *************** *** 225,230 **** --- 225,231 ---- #include "mail_conf.h" #if defined(USE_LDAP_SASL) && defined(LDAP_API_FEATURE_X_OPENLDAP) + /* * SASL headers, for sasl_interact_t. Either SASL v1 or v2 should be fine. */ *************** *** 242,254 **** #define DICT_LDAP_DO_SASL(d) ((d)->bind == DICT_LDAP_BIND_SASL) static const NAME_CODE bindopt_table[] = { ! CONFIG_BOOL_NO, DICT_LDAP_BIND_NONE, ! "none", DICT_LDAP_BIND_NONE, ! CONFIG_BOOL_YES, DICT_LDAP_BIND_SIMPLE, ! "simple", DICT_LDAP_BIND_SIMPLE, #ifdef LDAP_API_FEATURE_X_OPENLDAP #if defined(USE_LDAP_SASL) ! "sasl", DICT_LDAP_BIND_SASL, #endif #endif 0, -1, --- 243,255 ---- #define DICT_LDAP_DO_SASL(d) ((d)->bind == DICT_LDAP_BIND_SASL) static const NAME_CODE bindopt_table[] = { ! CONFIG_BOOL_NO, DICT_LDAP_BIND_NONE, ! "none", DICT_LDAP_BIND_NONE, ! CONFIG_BOOL_YES, DICT_LDAP_BIND_SIMPLE, ! "simple", DICT_LDAP_BIND_SIMPLE, #ifdef LDAP_API_FEATURE_X_OPENLDAP #if defined(USE_LDAP_SASL) ! "sasl", DICT_LDAP_BIND_SASL, #endif #endif 0, -1, *************** *** 292,300 **** #ifdef LDAP_API_FEATURE_X_OPENLDAP #if defined(USE_LDAP_SASL) int sasl; ! char *sasl_mechs; ! char *sasl_realm; ! char *sasl_authz; int sasl_minssf; #endif int ldap_ssl; --- 293,301 ---- #ifdef LDAP_API_FEATURE_X_OPENLDAP #if defined(USE_LDAP_SASL) int sasl; ! char *sasl_mechs; ! char *sasl_realm; ! char *sasl_authz; int sasl_minssf; #endif int ldap_ssl; *************** *** 451,478 **** } #if defined(USE_LDAP_SASL) && defined(LDAP_API_FEATURE_X_OPENLDAP) /* * Context structure for SASL property callback. */ typedef struct bind_props { ! char *authcid; ! char *passwd; ! char *realm; ! char *authzid; } bind_props; ! static int ! ldap_b2_interact(LDAP *ld, unsigned flags, void *props, void *inter) { sasl_interact_t *in; ! bind_props *ctx = (bind_props *)props; ! for (in = inter; in->id != SASL_CB_LIST_END; in++) ! { in->result = NULL; ! switch(in->id) ! { case SASL_CB_GETREALM: in->result = ctx->realm; break; --- 452,477 ---- } #if defined(USE_LDAP_SASL) && defined(LDAP_API_FEATURE_X_OPENLDAP) + /* * Context structure for SASL property callback. */ typedef struct bind_props { ! char *authcid; ! char *passwd; ! char *realm; ! char *authzid; } bind_props; ! static int ldap_b2_interact(LDAP *ld, unsigned flags, void *props, void *inter) { sasl_interact_t *in; ! bind_props *ctx = (bind_props *) props; ! for (in = inter; in->id != SASL_CB_LIST_END; in++) { in->result = NULL; ! switch (in->id) { case SASL_CB_GETREALM: in->result = ctx->realm; break; *************** *** 491,496 **** --- 490,496 ---- } return LDAP_SUCCESS; } + #endif /* dict_ldap_result - Read and parse LDAP result */ *************** *** 498,503 **** --- 498,504 ---- static int dict_ldap_result(LDAP *ld, int msgid, int timeout, LDAPMessage **res) { struct timeval mytimeval; + int err; mytimeval.tv_sec = timeout; mytimeval.tv_usec = 0; *************** *** 506,514 **** if (ldap_result(ld, msgid, GET_ALL, &mytimeval, res) == -1) return (dict_ldap_get_errno(ld)); ! if (dict_ldap_get_errno(ld) == LDAP_TIMEOUT) { ! (void) dict_ldap_abandon(ld, msgid); ! return (dict_ldap_set_errno(ld, LDAP_TIMEOUT)); } return LDAP_SUCCESS; } --- 507,518 ---- if (ldap_result(ld, msgid, GET_ALL, &mytimeval, res) == -1) return (dict_ldap_get_errno(ld)); ! if ((err = dict_ldap_get_errno(ld)) != LDAP_SUCCESS) { ! if (err == LDAP_TIMEOUT) { ! (void) dict_ldap_abandon(ld, msgid); ! return (dict_ldap_set_errno(ld, LDAP_TIMEOUT)); ! } ! return err; } return LDAP_SUCCESS; } *************** *** 529,535 **** vstring_sprintf(minssf, "minssf=%d", dict_ldap->sasl_minssf); if ((rc = ldap_set_option(dict_ldap->ld, LDAP_OPT_X_SASL_SECPROPS, ! (char *) minssf)) != LDAP_OPT_SUCCESS) return (rc); props.authcid = dict_ldap->bind_dn; --- 533,539 ---- vstring_sprintf(minssf, "minssf=%d", dict_ldap->sasl_minssf); if ((rc = ldap_set_option(dict_ldap->ld, LDAP_OPT_X_SASL_SECPROPS, ! (char *) minssf)) != LDAP_OPT_SUCCESS) return (rc); props.authcid = dict_ldap->bind_dn; *************** *** 538,550 **** props.authzid = dict_ldap->sasl_authz; if ((rc = ldap_sasl_interactive_bind_s(dict_ldap->ld, NULL, ! dict_ldap->sasl_mechs, NULL, NULL, ! LDAP_SASL_QUIET, ldap_b2_interact, ! &props)) != LDAP_SUCCESS) return (rc); return (LDAP_SUCCESS); } #endif /* dict_ldap_bind_st - Synchronous simple auth with timeout */ --- 542,555 ---- props.authzid = dict_ldap->sasl_authz; if ((rc = ldap_sasl_interactive_bind_s(dict_ldap->ld, NULL, ! dict_ldap->sasl_mechs, NULL, NULL, ! LDAP_SASL_QUIET, ldap_b2_interact, ! &props)) != LDAP_SUCCESS) return (rc); return (LDAP_SUCCESS); } + #endif /* dict_ldap_bind_st - Synchronous simple auth with timeout */ *************** *** 552,557 **** --- 557,563 ---- static int dict_ldap_bind_st(DICT_LDAP *dict_ldap) { int rc; + int err = LDAP_SUCCESS; int msgid; LDAPMessage *res; struct berval cred; *************** *** 567,573 **** return (rc); #define FREE_RESULT 1 ! return (ldap_parse_sasl_bind_result(dict_ldap->ld, res, 0, FREE_RESULT)); } /* search_st - Synchronous search with timeout */ --- 573,580 ---- return (rc); #define FREE_RESULT 1 ! rc = ldap_parse_result(dict_ldap->ld, res, &err, 0, 0, 0, 0, FREE_RESULT); ! return (rc == LDAP_SUCCESS ? err : rc); } /* search_st - Synchronous search with timeout */ *************** *** 868,873 **** --- 875,881 ---- #define DN_LOG_VAL(dict_ldap) \ ((dict_ldap)->bind_dn[0] ? (dict_ldap)->bind_dn : "empty or implicit") + /* * If this server requires a bind, do so. Thanks to Sam Tardieu for * noticing that the original bind call was broken. *************** *** 1873,1878 **** --- 1881,1887 ---- #ifdef LDAP_API_FEATURE_X_OPENLDAP #if defined(USE_LDAP_SASL) + /* * SASL options */ diff -cr --new-file /var/tmp/postfix-2.8.7/src/global/dict_sqlite.c ./src/global/dict_sqlite.c *** /var/tmp/postfix-2.8.7/src/global/dict_sqlite.c Thu Sep 9 11:01:12 2010 --- ./src/global/dict_sqlite.c Fri Jan 27 15:04:41 2012 *************** *** 57,62 **** --- 57,68 ---- /* AUTHOR(S) /* Axel Steiner /* ast@treibsand.com + /* + /* Adopted and updated by: + /* Wietse Venema + /* IBM T.J. Watson Research + /* P.O. Box 704 + /* Yorktown Heights, NY 10598, USA /*--*/ /* System library. */ *************** *** 109,115 **** /* Fix 20100616 */ if (quoted_text == 0) msg_fatal("dict_sqlite_quote: out of memory"); ! vstring_strcat(result, raw_text); sqlite3_free(quoted_text); } --- 115,121 ---- /* Fix 20100616 */ if (quoted_text == 0) msg_fatal("dict_sqlite_quote: out of memory"); ! vstring_strcat(result, quoted_text); sqlite3_free(quoted_text); } *************** *** 151,156 **** --- 157,167 ---- int status; /* + * In case of return without lookup (skipped key, etc.). + */ + dict_errno = 0; + + /* * Don't frustrate future attempts to make Postfix UTF-8 transparent. */ if (!valid_utf_8(name, strlen(name))) { diff -cr --new-file /var/tmp/postfix-2.8.7/src/global/maps.c ./src/global/maps.c *** /var/tmp/postfix-2.8.7/src/global/maps.c Thu Jun 15 14:07:15 2006 --- ./src/global/maps.c Mon Dec 26 19:46:44 2011 *************** *** 164,169 **** --- 164,174 ---- DICT *dict; /* + * In case of return without map lookup (empty name or no maps). + */ + dict_errno = 0; + + /* * Temp. workaround, for buggy callers that pass zero-length keys when * given partial addresses. */ *************** *** 189,194 **** --- 194,200 ---- *map_name, name, expansion); return (expansion); } else if (dict_errno != 0) { + msg_warn("%s:%s lookup of %s failed", dict->type, dict->name, name); break; } } diff -cr --new-file /var/tmp/postfix-2.8.7/src/local/mailbox.c ./src/local/mailbox.c *** /var/tmp/postfix-2.8.7/src/local/mailbox.c Tue Apr 26 15:12:46 2011 --- ./src/local/mailbox.c Sun Dec 25 15:15:55 2011 *************** *** 289,295 **** } else if (dict_errno != 0) { /* Details in the logfile. */ dsb_simple(state.msg_attr.why, "4.3.0", "table lookup failure"); ! *statusp = DEL_STAT_DEFER; return (YES); } if (*var_mailbox_transport) { --- 289,296 ---- } else if (dict_errno != 0) { /* Details in the logfile. */ dsb_simple(state.msg_attr.why, "4.3.0", "table lookup failure"); ! *statusp = defer_append(BOUNCE_FLAGS(state.request), ! BOUNCE_ATTR(state.msg_attr)); return (YES); } if (*var_mailbox_transport) { *************** *** 333,339 **** } else if (dict_errno != 0) { /* Details in the logfile. */ dsb_simple(state.msg_attr.why, "4.3.0", "table lookup failure"); ! status = DEL_STAT_DEFER; } else if (*var_mailbox_command) { status = deliver_command(state, usr_attr, var_mailbox_command); } else if (*var_home_mailbox && LAST_CHAR(var_home_mailbox) == '/') { --- 334,341 ---- } else if (dict_errno != 0) { /* Details in the logfile. */ dsb_simple(state.msg_attr.why, "4.3.0", "table lookup failure"); ! status = defer_append(BOUNCE_FLAGS(state.request), ! BOUNCE_ATTR(state.msg_attr)); } else if (*var_mailbox_command) { status = deliver_command(state, usr_attr, var_mailbox_command); } else if (*var_home_mailbox && LAST_CHAR(var_home_mailbox) == '/') { diff -cr --new-file /var/tmp/postfix-2.8.7/src/local/unknown.c ./src/local/unknown.c *** /var/tmp/postfix-2.8.7/src/local/unknown.c Tue Apr 26 15:11:43 2011 --- ./src/local/unknown.c Sun Dec 25 15:16:15 2011 *************** *** 120,126 **** } else if (dict_errno != 0) { /* Details in the logfile. */ dsb_simple(state.msg_attr.why, "4.3.0", "table lookup failure"); ! return (DEL_STAT_DEFER); } if (*var_fallback_transport) { state.msg_attr.rcpt.offset = -1L; --- 120,127 ---- } else if (dict_errno != 0) { /* Details in the logfile. */ dsb_simple(state.msg_attr.why, "4.3.0", "table lookup failure"); ! return (defer_append(BOUNCE_FLAGS(state.request), ! BOUNCE_ATTR(state.msg_attr))); } if (*var_fallback_transport) { state.msg_attr.rcpt.offset = -1L; diff -cr --new-file /var/tmp/postfix-2.8.7/src/tlsproxy/tlsproxy.c ./src/tlsproxy/tlsproxy.c *** /var/tmp/postfix-2.8.7/src/tlsproxy/tlsproxy.c Mon Feb 7 10:32:28 2011 --- ./src/tlsproxy/tlsproxy.c Mon Dec 5 19:28:55 2011 *************** *** 692,698 **** timeout = 0, /* unused */ requirecert = (var_tlsp_tls_req_ccert && var_tlsp_enforce_tls), ! serverid = state->service, namaddr = state->remote_endpt, cipher_grade = cipher_grade, cipher_exclusions = STR(cipher_exclusions), --- 692,698 ---- timeout = 0, /* unused */ requirecert = (var_tlsp_tls_req_ccert && var_tlsp_enforce_tls), ! serverid = MAIL_SERVICE_SMTPD, /* XXX */ namaddr = state->remote_endpt, cipher_grade = cipher_grade, cipher_exclusions = STR(cipher_exclusions), diff -cr --new-file /var/tmp/postfix-2.8.7/src/util/dict.c ./src/util/dict.c *** /var/tmp/postfix-2.8.7/src/util/dict.c Wed Sep 8 17:23:24 2010 --- ./src/util/dict.c Sat Dec 17 17:46:55 2011 *************** *** 536,541 **** --- 536,543 ---- "no_unauth", (1 << 13), /* disallow unauthenticated data */ "fold_fix", (1 << 14), /* case-fold with fixed-case key map */ "fold_mul", (1 << 15), /* case-fold with multi-case key map */ + "open_lock", (1 << 16), /* permanent lock upon open */ + 0, }; /* dict_flags_str - convert mask to string for debugging purposes */ diff -cr --new-file /var/tmp/postfix-2.8.7/src/xsasl/xsasl_dovecot_server.c ./src/xsasl/xsasl_dovecot_server.c *** /var/tmp/postfix-2.8.7/src/xsasl/xsasl_dovecot_server.c Thu Dec 30 20:19:44 2010 --- ./src/xsasl/xsasl_dovecot_server.c Thu Nov 17 16:53:25 2011 *************** *** 371,381 **** { XSASL_DOVECOT_SERVER_IMPL *xp; - if (strchr(path_info, '/') == 0) - msg_warn("when SASL type is \"%s\", SASL path \"%s\" " - "should be a socket pathname", - server_type, path_info); - xp = (XSASL_DOVECOT_SERVER_IMPL *) mymalloc(sizeof(*xp)); xp->xsasl.create = xsasl_dovecot_server_create; xp->xsasl.done = xsasl_dovecot_server_done; --- 371,376 ----