Postfix official release 20010228 Patch 05 fixes a problem with canonical and virtual address rewriting, and with the parsing of malformed address extensions.

The problem happens when you have both address extensions enabled (non-null recipient_delimiter setting in main.cf) and virtual or canonical lookup tables. Specific details are given below.

This patch applies to older Postfix releases (19990119 and later) as well, but you will have to delete all text before the sections that update the mail_addr_map.c and split_addr.c files.

Under some conditions an email address extension could be appended twice to the result. Combined with an obscure address extension parsing bug, this could result in exponential growth of an address until the cleanup process runs out of memory.

Example 1: virtual or canonical map entry that suffers from address extension duplication.

    # user+ext@domain.name -> user+ext+ext@another.domain
    user@domain.name        @another.domain

Example 2: virtual or canonical map entry that suffers from address extension exponential growth until the cleanup process runs out of memory.

    # +ext@domain.name -> +ext+ext+ext+ext....@domain.name
    # Only if the same domain name appears left and right!
    @domain.name            @domain.name

Normally, Postfix terminates recursion with canonical or virtual maps and issues a warning. However, in this case the cleanup process runs out of memory before those controls take effect.

A patch is appended below the signature. A complete source kit, postfix-20010228-pl05.tar.gz, will be made available from the primary site:

    ftp://ftp.porcupine.org/mirrors/postfix-release/official/
    http://ftp.porcupine.org/mirrors/postfix-release/index.html

including a PGP signature (postfix-20010228-pl05.tar.gz.sig). These files are expected to arrive on the Postfix download sites in a day or so. See http://www.postfix.org/ for a list of download sites.
Wietse Prereq: "Postfix-20010228-pl04" diff -cr --new-file ../postfix-20010228-pl04/src/global/mail_version.h ./src/global/mail_version.h *** ../postfix-20010228-pl04/src/global/mail_version.h Tue Jul 31 14:47:45 2001 --- ./src/global/mail_version.h Mon Sep 17 16:12:24 2001 *************** *** 15,21 **** * Version of this program. */ #define VAR_MAIL_VERSION "mail_version" ! #define DEF_MAIL_VERSION "Postfix-20010228-pl04" extern char *var_mail_version; /* LICENSE --- 15,21 ---- * Version of this program. */ #define VAR_MAIL_VERSION "mail_version" ! #define DEF_MAIL_VERSION "Postfix-20010228-pl05" extern char *var_mail_version; /* LICENSE diff -cr --new-file ../postfix-20010228-pl04/HISTORY ./HISTORY *** ../postfix-20010228-pl04/HISTORY Tue Jul 31 17:13:42 2001 --- ./HISTORY Mon Sep 17 17:44:21 2001 *************** *** 5096,5098 **** --- 5096,5111 ---- of hostnames in $inet_interfaces, so that Postfix does not suddenly refuse to start up after someone changes the DNS. Files: util/inet_addr_list.c global/own_inet_addr.c. + + 20010917 + + Bugfix: an address extension could be appended multiple + times to the result of a canonical or virtual map lookup. + File: global/mail_addr_map.c. Fix by Victor Duchovni, + Morgan Stanley. + + Bugfix: because split_addr() would split an address even + when there was no data before the recipient delimiter, the + above bug could cause an address to grow exponentially in + size. Problem reported by Victor Duchovni, Morgan Stanley. + File: global/split_addr.c. diff -cr --new-file ../postfix-20010228-pl04/src/global/mail_addr_map.c ./src/global/mail_addr_map.c *** ../postfix-20010228-pl04/src/global/mail_addr_map.c Thu Nov 18 13:43:17 1999 --- ./src/global/mail_addr_map.c Mon Sep 17 17:34:47 2001 *************** *** 98,103 **** --- 98,121 ---- vstring_strcpy(buffer, address); vstring_strcat(buffer, string); string = STR(buffer); + + /* + * The above code copies the address, including address + * extension, to the result. 
Discard the address extension at + * this point, to prevent a second address extension copy by + * mail_addr_crunch() below. Fix by Victor Duchovni, Morgan + * Stanley. + * + * In combination with an obscure bug in the split_addr() routine + * that mis-parsed an address without information before the + * extension, this could result in the exponential growth of the + * size of an address. Problem reported by Victor Duchovni, + * Morgan Stanley. + */ + if (extension) { + myfree(extension); + extension = 0; + } } /* *************** *** 159,164 **** --- 177,183 ---- */ mail_conf_read(); msg_verbose = 1; + var_rcpt_delim = "+"; if (chdir(var_queue_dir) < 0) msg_fatal("chdir %s: %m", var_queue_dir); path = maps_create(argv[0], argv[1], DICT_FLAG_LOCK); diff -cr --new-file ../postfix-20010228-pl04/src/global/split_addr.c ./src/global/split_addr.c *** ../postfix-20010228-pl04/src/global/split_addr.c Thu Dec 7 10:48:35 2000 --- ./src/global/split_addr.c Mon Sep 17 17:27:06 2001 *************** *** 76,82 **** } /* ! * Safe to split this address. */ ! return (split_at(localpart, delimiter)); } --- 76,83 ---- } /* ! * Safe to split this address. Do not split the address if the result ! * would have a null localpart. */ ! return (delimiter == *localpart ? 0 : split_at(localpart, delimiter)); }
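
Review bot: in the first mail_addr_map.c hunk, `extension` is set to 0 right after `myfree(extension)`, so every later use of `extension` in this function now has to accept a null pointer. The lines after the hunk are not shown, so please confirm that the mail_addr_crunch() call named in the comment and the function's final cleanup both tolerate it. The new comment also carries two attributions that HISTORY already records; one sentence saying that the extension already travels with the copied address would be easier to maintain.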
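
Review bot: in the second mail_addr_map.c hunk, `var_rcpt_delim = "+";` is assigned after `mail_conf_read()`, so it silently overrides any recipient_delimiter value that main.cf supplies, and no comment says why. If the assignment is meant only for this test path, say so in a comment next to it, or take the delimiter from the command line so the same driver can also exercise a null delimiter.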
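
Review bot: in the split_addr.c hunk, `return (delimiter == *localpart ? 0 : split_at(localpart, delimiter));` folds the new guard into the return expression, and only the inline comment records the behaviour change. An explicit `if (delimiter == *localpart) return (0);` ahead of the split would read more clearly, and the function's description should state that an address beginning with the delimiter is returned unsplit, since callers now get 0 for a localpart such as `+ext`.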
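
As an added example (not part of the original announcement and not Postfix code), the following Python audit flags virtual or canonical table entries shaped like Example 1 and Example 2 above, for sites that still run pl04 or earlier with a non-null recipient_delimiter. The sample table, the function names and the finding labels are constructed for illustration; the rule "right-hand side begins with @" is derived from the two examples.

```python
# Constructed sample lookup table, modelled on Example 1 and Example 2.
SAMPLE_MAP = """\
# constructed sample, not a real configuration
user@domain.name      @another.domain
@domain.name          @domain.name
alice@domain.name     alice@another.domain
@Other.Example
    @other.example
"""


def parse_map(text):
    """Return [lineno, key, value] entries from lookup-table source text."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # blank line or comment
        if raw[0].isspace() and entries:  # leading whitespace continues an entry
            entries[-1][2] = (entries[-1][2] + " " + stripped).strip()
            continue
        parts = stripped.split(None, 1)
        entries.append([lineno, parts[0], parts[1] if len(parts) > 1 else ""])
    return entries


def audit(text, recipient_delimiter="+"):
    """Return (lineno, key, finding) for entries exposed before Patch 05."""
    if not recipient_delimiter:           # extensions disabled: not affected
        return []
    findings = []
    for lineno, key, value in parse_map(text):
        if not value.startswith("@"):     # only "@domain" results copy the localpart
            continue
        # Example 2: same domain left and right (domains compare case-insensitively).
        same_domain = key.startswith("@") and key.lower() == value.lower()
        label = "exponential-growth" if same_domain else "extension-duplication"
        findings.append((lineno, key, label))
    return findings


if __name__ == "__main__":
    for lineno, key, label in audit(SAMPLE_MAP):
        print(f"line {lineno}: {key}: {label}")
```

Entries reported as exponential-growth are the ones to remove or rewrite first if the patch cannot be applied immediately.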