postfix-2.11.11

postfix/HISTORY

@@ -19793,3 +19793,28 @@ Apologies for any names omitted.
 	by other users. This fix does not change Postfix behavior
 	for Berkeley DB < 3, but reduces file create performance
 	for Berkeley DB 3 .. 4.6.  File: util/dict_db.c.
+
+20171116
+
+	Bugfix (introduced: Postfix 2.1): don't log warnings 
+	that some restriction returns OK, when the access map
+	DISCARD feature is in effect. File: smtpd/smtpd_check.c.
+
+20171215
+
+	Bugfix (introduced: 20170611): the DB_CONFIG bugfix broke
+	Berkeley DB configurations with a relative pathname.  File:
+	util/dict_db.c.
+
+20171226
+
+	Documentation patches by Sven Neuhaus. Files:
+	proto/FORWARD_SECRECY_README.html, proto/SMTPD_ACCESS_README.html.
+
+20180106
+
+	Cleanup: missing mailbox seek-to-end error check in the
+	local(8) delivery agent. File: local/mailbox.c.
+
+	Cleanup: incorrect mailbox seek-to-end error message in the
+	virtual(8) delivery agent. File: virtual/mailbox.c.

postfix/html/FORWARD_SECRECY_README.html

@@ -313,9 +313,9 @@ few seconds to a few minutes): </p>
 <pre>
 # cd /etc/postfix
 # umask 022
-# openssl dhparam -out dh512.tmp 512 && mv dh512.tmp dh512.pem
+# openssl dhparam -out dh512.tmp 512 &amp;&amp; mv dh512.tmp dh512.pem
-# openssl dhparam -out dh1024.tmp 1024 && mv dh1024.tmp dh1024.pem
+# openssl dhparam -out dh1024.tmp 1024 &amp;&amp; mv dh1024.tmp dh1024.pem
-# openssl dhparam -out dh2048.tmp 2048 && mv dh2048.tmp dh2048.pem
+# openssl dhparam -out dh2048.tmp 2048 &amp;&amp; mv dh2048.tmp dh2048.pem
 # chmod 644 dh512.pem dh1024.pem dh2048.pem
 </pre>
 </blockquote>

postfix/html/SMTPD_ACCESS_README.html

@@ -250,7 +250,7 @@ Reject MAIL FROM information </td> </tr>
 relay policy</td>
 <td rowspan="2"> Reject RCPT TO information </td> </tr>
 
-<tr> <td> &lt 2.10</td> <td> Not available </td> 
+<tr> <td> &lt; 2.10</td> <td> Not available </td> 
 </tr>
 
 <tr> <td rowspan="2"> <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> </td> <td> &ge;
@@ -258,7 +258,7 @@ relay policy</td>
 relay policy</td>
 <td rowspan="2"> Reject RCPT TO information </td> </tr>
 
-<tr> <td> &lt 2.10</td> <td> Required </td> </tr>
+<tr> <td> &lt; 2.10</td> <td> Required </td> </tr>
 
 <tr> <td> <a href="postconf.5.html#smtpd_data_restrictions">smtpd_data_restrictions</a> </td> <td> &ge; 2.0 </td> <td>
 Optional </td> <td>

postfix/proto/FORWARD_SECRECY_README.html

@@ -313,9 +313,9 @@ few seconds to a few minutes): </p>
 <pre>
 # cd /etc/postfix
 # umask 022
-# openssl dhparam -out dh512.tmp 512 && mv dh512.tmp dh512.pem
+# openssl dhparam -out dh512.tmp 512 &amp;&amp; mv dh512.tmp dh512.pem
-# openssl dhparam -out dh1024.tmp 1024 && mv dh1024.tmp dh1024.pem
+# openssl dhparam -out dh1024.tmp 1024 &amp;&amp; mv dh1024.tmp dh1024.pem
-# openssl dhparam -out dh2048.tmp 2048 && mv dh2048.tmp dh2048.pem
+# openssl dhparam -out dh2048.tmp 2048 &amp;&amp; mv dh2048.tmp dh2048.pem
 # chmod 644 dh512.pem dh1024.pem dh2048.pem
 </pre>
 </blockquote>

postfix/proto/SMTPD_ACCESS_README.html

@@ -250,7 +250,7 @@ Reject MAIL FROM information </td> </tr>
 relay policy</td>
 <td rowspan="2"> Reject RCPT TO information </td> </tr>
 
-<tr> <td> &lt 2.10</td> <td> Not available </td> 
+<tr> <td> &lt; 2.10</td> <td> Not available </td> 
 </tr>
 
 <tr> <td rowspan="2"> smtpd_recipient_restrictions </td> <td> &ge;
@@ -258,7 +258,7 @@ relay policy</td>
 relay policy</td>
 <td rowspan="2"> Reject RCPT TO information </td> </tr>
 
-<tr> <td> &lt 2.10</td> <td> Required </td> </tr>
+<tr> <td> &lt; 2.10</td> <td> Required </td> </tr>
 
 <tr> <td> smtpd_data_restrictions </td> <td> &ge; 2.0 </td> <td>
 Optional </td> <td>

postfix/src/global/mail_version.h

@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20170613"
+#define MAIL_RELEASE_DATE	"20180127"
-#define MAIL_VERSION_NUMBER	"2.11.10"
+#define MAIL_VERSION_NUMBER	"2.11.11"
 
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE

postfix/src/local/mailbox.c

@@ -97,7 +97,7 @@ static int deliver_mailbox_file(LOCAL_STATE state, USER_ATTR usr_attr)
     int     deliver_status;
     int     copy_flags;
     VSTRING *biff;
-    long    end;
+    off_t   end;
     struct stat st;
     uid_t   spool_uid;
     gid_t   spool_gid;
@@ -202,7 +202,8 @@ static int deliver_mailbox_file(LOCAL_STATE state, USER_ATTR usr_attr)
 	    msg_warn("specify \"%s = no\" to ignore mailbox ownership mismatch",
 		     VAR_STRICT_MBOX_OWNER);
 	} else {
-	    end = vstream_fseek(mp->fp, (off_t) 0, SEEK_END);
+	    if ((end = vstream_fseek(mp->fp, (off_t) 0, SEEK_END)) < 0)
+		msg_fatal("seek mailbox file %s: %m", mailbox);
 	    mail_copy_status = mail_copy(COPY_ATTR(state.msg_attr), mp->fp,
 					 copy_flags, "\n", why);
 	}

postfix/src/smtpd/smtpd_check.c

@@ -3707,7 +3707,7 @@ static int is_map_command(SMTPD_STATE *state, const char *name,
 static void forbid_whitelist(SMTPD_STATE *state, const char *name,
 			             int status, const char *target)
 {
-    if (status == SMTPD_CHECK_OK) {
+    if (state->discard == 0 && status == SMTPD_CHECK_OK) {
 	msg_warn("restriction %s returns OK for %s", name, target);
 	msg_warn("this is not allowed for security reasons");
 	msg_warn("use DUNNO instead of OK if you want to make an exception");

postfix/src/util/dict_db.c

@@ -620,6 +620,7 @@ static DICT *dict_db_open(const char *class, const char *path, int open_flags,
     struct stat st;
     DB     *db = 0;
     char   *db_path = 0;
+    VSTRING *db_base_buf = 0;
     int     lock_fd = -1;
     int     dbfd;
 
@@ -675,6 +676,7 @@ static DICT *dict_db_open(const char *class, const char *path, int open_flags,
 #define LOCK_OPEN_FLAGS(f) ((f) & ~(O_CREAT|O_TRUNC))
 #define FREE_RETURN(e) do { \
 	DICT *_dict = (e); if (db) DICT_DB_CLOSE(db); \
+	if (db_base_buf) vstring_free(db_base_buf); \
 	if (db_path) myfree(db_path); return (_dict); \
     } while (0)
 
@@ -739,17 +741,21 @@ static DICT *dict_db_open(const char *class, const char *path, int open_flags,
 	msg_panic("db_create null result");
     if (type == DB_HASH && db->set_h_nelem(db, DICT_DB_NELM) != 0)
 	msg_fatal("set DB hash element count %d: %m", DICT_DB_NELM);
+    db_base_buf = vstring_alloc(100);
 #if DB_VERSION_MAJOR == 5 || (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR > 0)
-    if ((errno = db->open(db, 0, db_path, 0, type, db_flags, 0644)) != 0)
+    if ((errno = db->open(db, 0, sane_basename(db_base_buf, db_path),
+			  0, type, db_flags, 0644)) != 0)
 	FREE_RETURN(dict_surrogate(class, path, open_flags, dict_flags,
 				   "open database %s: %m", db_path));
 #elif (DB_VERSION_MAJOR == 3 || DB_VERSION_MAJOR == 4)
-    if ((errno = db->open(db, db_path, 0, type, db_flags, 0644)) != 0)
+    if ((errno = db->open(db, sane_basename(db_base_buf, db_path), 0,
+			  type, db_flags, 0644)) != 0)
 	FREE_RETURN(dict_surrogate(class, path, open_flags, dict_flags,
 				   "open database %s: %m", db_path));
 #else
 #error "Unsupported Berkeley DB version"
 #endif
+    vstring_free(db_base_buf);
     if ((errno = db->fd(db, &dbfd)) != 0)
 	msg_fatal("get database file descriptor: %m");
 #endif

postfix/src/virtual/mailbox.c

@@ -132,7 +132,7 @@ static int deliver_mailbox_file(LOCAL_STATE state, USER_ATTR usr_attr)
 		     VAR_STRICT_MBOX_OWNER);
 	} else {
 	    if (vstream_fseek(mp->fp, (off_t) 0, SEEK_END) < 0)
-		msg_fatal("%s: seek queue file %s: %m",
+		msg_fatal("%s: seek mailbox file %s: %m",
 			  myname, VSTREAM_PATH(mp->fp));
 	    mail_copy_status = mail_copy(COPY_ATTR(state.msg_attr), mp->fp,
 					 copy_flags, "\n", why);