Prereq: "2.8.17" diff -cr --new-file /var/tmp/postfix-2.8.17/src/global/mail_version.h ./src/global/mail_version.h *** /var/tmp/postfix-2.8.17/src/global/mail_version.h 2014-01-16 08:18:57.000000000 -0500 --- ./src/global/mail_version.h 2014-10-13 18:59:15.000000000 -0400 *************** *** 20,27 **** * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20140116" ! #define MAIL_VERSION_NUMBER "2.8.17" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE --- 20,27 ---- * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20141013" ! #define MAIL_VERSION_NUMBER "2.8.18" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -cr --new-file /var/tmp/postfix-2.8.17/HISTORY ./HISTORY *** /var/tmp/postfix-2.8.17/HISTORY 2014-01-16 08:29:59.000000000 -0500 --- ./HISTORY 2014-10-13 18:18:42.000000000 -0400 *************** *** 16971,16973 **** --- 16971,17011 ---- 20140104 Bugfix: malformed error message. File: conf/post-install. + + 20140116 + + Workaround: prepend "-I. -I../../include" to CCARGS, to + avoid name clashes with non-Postfix header files. File: + makedefs. + + 20140223 + + Logging: the TLS client logged that an "Untrusted" TLS + connection was established instead of "Anonymous". Viktor + Dukhovni. File: tls/tls_client.c. + + 20140619 + + Bugfix (introduced: 2001): qmqpd null pointer bug when it + logs a lost connection while not in a mail transaction. + Reported by Michal Adamek. File: qmqpd/qmqpd.c. + + 20140920 + + Bugfix (introduced: 20080212): incorrect client name in + reject messages from check_reverse_client_hostname_access + and check_reverse_client_hostname_{mx,ns}_access. They + replied with the verified client name, instead of the name + that was rejected. Problem reported by Reindl Harald. 
File: + smtpd/smtpd_check.c. + + 20141012 + + Bugfix (introduced: Postfix 2.3): the PREPEND access/policy + action added headers ABOVE Postfix's own Received: header, + exposing Postfix's own Received: header to Milters (protocol + violation) and hiding the PREPENDed header from Milters. + The latter caused problems for DMARC implementations with + SPF policy plus DKIM Milter. PREPENDed headers are now + added BELOW Postfix's own Received: header and remain visible + to Milters. File: smtpd/smtpd.c. diff -cr --new-file /var/tmp/postfix-2.8.17/makedefs ./makedefs *** /var/tmp/postfix-2.8.17/makedefs 2012-12-12 17:49:32.000000000 -0500 --- ./makedefs 2014-01-16 17:09:15.000000000 -0500 *************** *** 658,663 **** --- 658,666 ---- # needed before the code stabilizes. #CCARGS="$CCARGS -DNONPROD" + # Workaround. + CCARGS="-I. -I../../include $CCARGS" + sed 's/ / /g' <reason && state->where) msg_info("%s: %s: %s while %s", ! state->queue_id, state->namaddr, state->reason, state->where); } /* qmqpd_service - service one client */ --- 700,707 ---- */ if (state->reason && state->where) msg_info("%s: %s: %s while %s", ! state->queue_id ? state->queue_id : "NOQUEUE", ! state->namaddr, state->reason, state->where); } /* qmqpd_service - service one client */ diff -cr --new-file /var/tmp/postfix-2.8.17/src/smtpd/smtpd.c ./src/smtpd/smtpd.c *** /var/tmp/postfix-2.8.17/src/smtpd/smtpd.c 2012-04-24 15:30:18.000000000 -0400 --- ./src/smtpd/smtpd.c 2014-10-13 18:15:52.000000000 -0400 *************** *** 2830,2842 **** } /* - * PREPEND message headers. - */ - if (state->prepend) - for (cpp = state->prepend->argv; *cpp; cpp++) - out_fprintf(out_stream, REC_TYPE_NORM, "%s", *cpp); - - /* * Suppress our own Received: header in the unlikely case that we are an * intermediate proxy. */ --- 2830,2835 ---- *************** *** 2926,2931 **** --- 2919,2936 ---- "\t(envelope-from %s)", STR(state->buffer)); #endif } + + /* + * PREPEND message headers below our own Received: header. 
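Review bot: The comment `# Workaround.` above the new `CCARGS="-I. -I../../include $CCARGS"` line does not say what is being worked around, so a later maintainer cannot tell that the ordering matters. Going by the HISTORY entry, the Postfix include directories are put in front of any caller-supplied flags so that a same-named non-Postfix header is not picked up instead. I would write the comment as `# Workaround: search Postfix's own header directories first, to avoid name clashes with non-Postfix header files.` The tail of this hunk is cut off on this page.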
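Review bot: The new `state->queue_id ? state->queue_id : "NOQUEUE"` fallback has no comment saying when `queue_id` is null, and per the HISTORY entry this logging path runs whenever a connection is lost outside a mail transaction. Passing a null pointer for `%s` is undefined in the printf family, and how `msg_info` treats it is not visible here. A short comment above the call, such as `/* queue_id is null when the connection is lost outside a mail transaction. */`, would keep the guard from being simplified away later. `state->namaddr` is still passed unguarded; it is presumably always set once a client is connected, but that is worth confirming. The enclosing function starts outside the hunk.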
According + * https://www.milter.org/developers/api/smfi_insheader, Milters see only + * headers that have been sent by the SMTP client and those header + * modifications by earlier filters. Based on this we allow Milters to + * see headers added by access map or by policy service. + */ + if (state->prepend) + for (cpp = state->prepend->argv; *cpp; cpp++) + out_fprintf(out_stream, REC_TYPE_NORM, "%s", *cpp); + smtpd_chat_reply(state, "354 End data with ."); state->where = SMTPD_AFTER_DATA; diff -cr --new-file /var/tmp/postfix-2.8.17/src/smtpd/smtpd_check.c ./src/smtpd/smtpd_check.c *** /var/tmp/postfix-2.8.17/src/smtpd/smtpd_check.c 2011-06-15 13:31:35.000000000 -0400 --- ./src/smtpd/smtpd_check.c 2014-09-20 20:41:53.000000000 -0400 *************** *** 3697,3703 **** SMTPD_NAME_CLIENT, def_acl); } else if (is_map_command(state, name, CHECK_REVERSE_CLIENT_ACL, &cpp)) { status = check_namadr_access(state, *cpp, state->reverse_name, state->addr, ! FULL, &found, state->namaddr, SMTPD_NAME_REV_CLIENT, def_acl); forbid_whitelist(state, name, status, state->reverse_name); } else if (strcasecmp(name, REJECT_MAPS_RBL) == 0) { --- 3697,3703 ---- SMTPD_NAME_CLIENT, def_acl); } else if (is_map_command(state, name, CHECK_REVERSE_CLIENT_ACL, &cpp)) { status = check_namadr_access(state, *cpp, state->reverse_name, state->addr, ! FULL, &found, state->reverse_name, SMTPD_NAME_REV_CLIENT, def_acl); forbid_whitelist(state, name, status, state->reverse_name); } else if (strcasecmp(name, REJECT_MAPS_RBL) == 0) { *************** *** 3764,3777 **** } else if (is_map_command(state, name, CHECK_REVERSE_CLIENT_NS_ACL, &cpp)) { if (strcasecmp(state->reverse_name, "unknown") != 0) { status = check_server_access(state, *cpp, state->reverse_name, ! 
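Review bot: The new comment's citation reads `According https://www.milter.org/...`, which is missing "to" and rests the ordering rule on an external URL that may not stay reachable. I would state the invariant in the comment itself, e.g. `PREPENDed headers are written after our own Received: header so that Milters see them but not the Received: header.` The `if (state->prepend)` / `for` pair is also unbraced; bracing both bodies would guard against a later statement landing outside the loop by mistake. The header text is written with a fixed `"%s"` format, which is correct, but whether the access-map or policy-service value is checked for embedded line breaks before it reaches `state->prepend` is not visible in this hunk and is worth confirming. The enclosing function starts and ends outside the hunk.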
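Review bot: The reply name passed to `check_namadr_access` is now `state->reverse_name`, and nothing at the call site says why it replaces `state->namaddr` or how far the value can be trusted. Going by the HISTORY entry this is the name that was rejected rather than the verified client name, so it is presumably the unverified reverse-DNS result; consumers of reject replies and logs should treat it as a claimed name, and how it is sanitized before printing is not visible here. A comment at the call such as `/* Report the reverse name: it is the name the ACL matched, not the verified client name. */` would record the intent. The same applies to the `T_NS` and `T_MX` calls to `check_server_access` in the next hunk. The enclosing if/else chain starts and ends outside both hunks.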
T_NS, state->namaddr, SMTPD_NAME_REV_CLIENT, def_acl); forbid_whitelist(state, name, status, state->reverse_name); } } else if (is_map_command(state, name, CHECK_REVERSE_CLIENT_MX_ACL, &cpp)) { if (strcasecmp(state->reverse_name, "unknown") != 0) { status = check_server_access(state, *cpp, state->reverse_name, ! T_MX, state->namaddr, SMTPD_NAME_REV_CLIENT, def_acl); forbid_whitelist(state, name, status, state->reverse_name); } --- 3764,3777 ---- } else if (is_map_command(state, name, CHECK_REVERSE_CLIENT_NS_ACL, &cpp)) { if (strcasecmp(state->reverse_name, "unknown") != 0) { status = check_server_access(state, *cpp, state->reverse_name, ! T_NS, state->reverse_name, SMTPD_NAME_REV_CLIENT, def_acl); forbid_whitelist(state, name, status, state->reverse_name); } } else if (is_map_command(state, name, CHECK_REVERSE_CLIENT_MX_ACL, &cpp)) { if (strcasecmp(state->reverse_name, "unknown") != 0) { status = check_server_access(state, *cpp, state->reverse_name, ! T_MX, state->reverse_name, SMTPD_NAME_REV_CLIENT, def_acl); forbid_whitelist(state, name, status, state->reverse_name); } diff -cr --new-file /var/tmp/postfix-2.8.17/src/tls/tls_client.c ./src/tls/tls_client.c *** /var/tmp/postfix-2.8.17/src/tls/tls_client.c 2013-09-01 09:23:42.000000000 -0400 --- ./src/tls/tls_client.c 2014-02-23 12:34:27.000000000 -0500 *************** *** 983,989 **** */ if (props->log_level >= 1) msg_info("%s TLS connection established to %s: %s with cipher %s " ! "(%d/%d bits)", TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" : TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : "Untrusted", props->namaddr, TLScontext->protocol, TLScontext->cipher_name, TLScontext->cipher_usebits, TLScontext->cipher_algbits); --- 983,991 ---- */ if (props->log_level >= 1) msg_info("%s TLS connection established to %s: %s with cipher %s " ! "(%d/%d bits)", ! !TLS_CERT_IS_PRESENT(TLScontext) ? "Anonymous" : ! TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" : TLS_CERT_IS_TRUSTED(TLScontext) ? 
"Trusted" : "Untrusted", props->namaddr, TLScontext->protocol, TLScontext->cipher_name, TLScontext->cipher_usebits, TLScontext->cipher_algbits);