postfix-3.9-20231112

2025-08-22 18:07:41 +00:00 · 2023-11-12 00:00:00 -05:00 · 2023-11-12 00:00:00 -05:00 · 17dbfb9b8b
commit 17dbfb9b8b
parent 702c621b1e
13 changed files with 64 additions and 23 deletions
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@ -27440,11 +27440,14 @@ Apologies for any names omitted.

 20231006

-	Cleanup: attempt to log the SASL username after authentication
-	failure. This appends ", sasl_username=xxx" to SASL authentication
-	failure logging. Based on code by Jozsef Kadlecsik. Files:
-	xsasl/xsasl_server.c, xsasl/xsasl_cyrus_server.c,
-	smtpd/smtpd_sasl_glue.c.
+	Usability: the Postfix SMTP server now attempts to log the
+	SASL username after authentication failure. In Postfix
+	logging, this appends ", sasl_username=xxx" after the reason
+	for SASL authentication failure. The logging replaces an
+	unavailable reason with "(reason unavailable)", and replaces
+	an unavailable sasl_username with "(unavailable)". Based
+	on code by Jozsef Kadlecsik. Files: xsasl/xsasl_server.c,
+	xsasl/xsasl_cyrus_server.c, smtpd/smtpd_sasl_glue.c.

 20231008

@ -27520,3 +27523,33 @@ Apologies for any names omitted.

 	Cleanup: explicit %.100s limits for client-controlled strings
 	in SASL error logging. File: smtpd/smtpd_sasl_glue.c.
+
+20231102
+
+	Bugfix (defect introduced: Postfix 2.3, date 20051222): the
+	Dovecot auth client did not reset the 'reason' from  a
+	previous Dovecot auth service response, before parsing the
+	next Dovecot auth server response. Reported by Stephan
+	Bosch, File: xsasl/xsasl_dovecot_server.c.
+
+20231105
+
+	Cleanup: Postfix SMTP server response with an empty
+	authentication failure reason. File: smtpd/smtpd_sasl_glue.c.
+
+	Cleanup: proxymap error message when the service name is
+	not "proxymap" or "proxywrite". File: proxymap/proxymap.c.
+
+20231109
+
+	Portability: MariaDB emulates MySQL >= 5.7.6, but does not
+	implement mysql_real_escape_string_quote(). Fix by Levente
+	Birta. File: global/dict_mysql.c.
+
+	Portability: more precise MYSQL_VERSION_ID check. File:
+	global/dict_mysql.c.
+
+20231112
+
+	Robustness: don't loop on an 'unfinished' queue file that
+	still has its all-zero SIZE record. File: postcat/postcat.c.
--- a/postfix/WISHLIST
+++ b/postfix/WISHLIST
@ -8,9 +8,10 @@ Wish list:

 	postfix-install should mention makedefs.out.

-	In valid_utf8_string.c, add tests for over-long encodings
-	and surrogates. Can we add tests for 4-byte encodings with
-	strings that are displayable?
+	Propagate information about parsed daemon command-line
+	options to service callback functions. With this, a proxywrite
+	server can enforce a process limit of 1 without duplicating
+	libmaster's command-line parsing code.

 	Add a pre-release check for '.' instead of ','. Generalize
 	from grep '[a-zA-Z0-9]\.  *[a-z]' proto/*|egrep -v
--- a/postfix/html/postcat.1.html
+++ b/postfix/html/postcat.1.html
@ -85,7 +85,7 @@ POSTCAT(1)                                                          POSTCAT(1)
              figuration files.

       <b><a href="postconf.5.html#import_environment">import_environment</a> (see 'postconf -d' output)</b>
-              The list of environment parameters  that  a  privileged  Postfix
+              The list of environment  variables  that  a  privileged  Postfix
              process  will  import  from  a  non-Postfix  parent  process, or
              name=value environment overrides.

--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@ -3799,7 +3799,8 @@ filtered with the character set that is specified with the
 <dd>The address extension delimiter that was found in the recipient
 address (Postfix 2.11 and later), or the 'first' delimiter specified
 with the system-wide recipient address extension delimiter (Postfix
-3.5.22, 3.5.12, 3.7.8, 3.8.3 and later), or the system-wide recipient
+3.5.22, 3.6.12, 3.7.8, 3.8.3 and later). Historically, this was
+always the system-wide recipient
 address extension delimiter (Postfix 2.10 and earlier). </dd>

 <dt><b>${name?value}</b></dt>
--- a/postfix/man/man1/postcat.1
+++ b/postfix/man/man1/postcat.1
@ -88,7 +88,7 @@ The text below provides only a parameter summary. See
 The default location of the Postfix main.cf and master.cf
 configuration files.
 .IP "\fBimport_environment (see 'postconf -d' output)\fR"
-The list of environment parameters that a privileged Postfix
+The list of environment variables that a privileged Postfix
 process will import from a non\-Postfix parent process, or name=value
 environment overrides.
 .IP "\fBqueue_directory (see 'postconf -d' output)\fR"
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@ -2417,7 +2417,8 @@ The entire recipient localpart.
 The address extension delimiter that was found in the recipient
 address (Postfix 2.11 and later), or the 'first' delimiter specified
 with the system\-wide recipient address extension delimiter (Postfix
-3.5.22, 3.5.12, 3.7.8, 3.8.3 and later), or the system\-wide recipient
+3.5.22, 3.6.12, 3.7.8, 3.8.3 and later). Historically, this was
+always the system\-wide recipient
 address extension delimiter (Postfix 2.10 and earlier).
 .br
 .IP "\fB${name?value}\fR"
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@ -1783,7 +1783,8 @@ forward_expansion_filter parameter.  </p>
 <dd>The address extension delimiter that was found in the recipient
 address (Postfix 2.11 and later), or the 'first' delimiter specified
 with the system-wide recipient address extension delimiter (Postfix
-3.5.22, 3.5.12, 3.7.8, 3.8.3 and later), or the system-wide recipient
+3.5.22, 3.6.12, 3.7.8, 3.8.3 and later). Historically, this was
+always the system-wide recipient
 address extension delimiter (Postfix 2.10 and earlier). </dd>

 <dt><b>${name?value}</b></dt>
--- a/postfix/src/global/dict_mysql.c
+++ b/postfix/src/global/dict_mysql.c
@ -210,7 +210,7 @@ static void dict_mysql_quote(DICT *dict, const char *name, VSTRING *result)

    if (dict_mysql->active_host == 0)
 	msg_panic("dict_mysql_quote: no active host");
-#if defined(MYSQL_VERSION_ID) && MYSQL_VERSION_ID >= 50700
+#if MYSQL_VERSION_ID >= 50706 && !defined(MARIADB_VERSION_ID)
    mysql_real_escape_string_quote(dict_mysql->active_host->db,
 				   vstring_end(result), name, len, '\'');
 #else
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@ -20,7 +20,7 @@
  * Patches change both the patchlevel and the release date. Snapshots have no
  * patchlevel; they change the release date only.
  */
-#define MAIL_RELEASE_DATE	"20231030"
+#define MAIL_RELEASE_DATE	"20231112"
 #define MAIL_VERSION_NUMBER	"3.9"

 #ifdef SNAPSHOT
--- a/postfix/src/postcat/postcat.c
+++ b/postfix/src/postcat/postcat.c
@ -76,7 +76,7 @@
 /*	The default location of the Postfix main.cf and master.cf
 /*	configuration files.
 /* .IP "\fBimport_environment (see 'postconf -d' output)\fR"
-/*	The list of environment parameters that a privileged Postfix
+/*	The list of environment variables that a privileged Postfix
 /*	process will import from a non-Postfix parent process, or name=value
 /*	environment overrides.
 /* .IP "\fBqueue_directory (see 'postconf -d' output)\fR"
@ -274,7 +274,7 @@ static void postcat(VSTREAM *fp, VSTRING *buffer, int flags)
 		    break;
 		/* Optimization: skip to extracted segment marker. */
 		if (do_print == 0 && (flags & PC_FLAG_PRINT_ENV)
-		    && data_offset >= 0 && data_size >= 0
+		    && data_offset > 0 && data_size >= 0
 		&& vstream_fseek(fp, data_offset + data_size, SEEK_SET) < 0)
 		    msg_fatal("seek error: %m");
 	    }
@ -289,7 +289,7 @@ static void postcat(VSTREAM *fp, VSTRING *buffer, int flags)
 		PRINT_MARKER(flags, fp, offset, rec_type, "MESSAGE CONTENTS");
 	    /* Optimization: skip to extracted segment marker. */
 	    if ((flags & PC_MASK_PRINT_TEXT) == 0
-		&& data_offset >= 0 && data_size >= 0
+		&& data_offset > 0 && data_size >= 0
 		&& vstream_fseek(fp, data_offset + data_size, SEEK_SET) < 0)
 		msg_fatal("seek error: %m");
 	    /* Update the state machine, even when skipping. */
--- a/postfix/src/proxymap/proxymap.c
+++ b/postfix/src/proxymap/proxymap.c
@ -753,7 +753,7 @@ static void post_jail_init(char *service_name, char **unused_argv)
 	proxy_writer = 1;
    else if (strcmp(service_name, MAIL_SERVICE_PROXYMAP) != 0)
 	msg_fatal("service name must be one of %s or %s",
-		  MAIL_SERVICE_PROXYMAP, MAIL_SERVICE_PROXYMAP);
+		  MAIL_SERVICE_PROXYWRITE, MAIL_SERVICE_PROXYMAP);

    /*
     * Pre-allocate buffers.
--- a/postfix/src/smtpd/smtpd_sasl_glue.c
+++ b/postfix/src/smtpd/smtpd_sasl_glue.c
@ -344,18 +344,20 @@ int     smtpd_sasl_authenticate(SMTPD_STATE *state,
 	}
    }
    if (status != XSASL_AUTH_DONE) {
+	const char *reason = (*STR(state->sasl_reply) ? STR(state->sasl_reply) :
+			      "(reason unavailable)");
+
 	sasl_username = xsasl_server_get_username(state->sasl_server);
 	msg_warn("%s: SASL %.100s authentication failed: %s, sasl_username=%.100s",
-		 state->namaddr, sasl_method, *STR(state->sasl_reply) ?
-		 STR(state->sasl_reply) : "(reason unavailable)",
+		 state->namaddr, sasl_method, reason,
 		 sasl_username ? sasl_username : "(unavailable)");
 	/* RFC 4954 Section 6. */
 	if (status == XSASL_AUTH_TEMP)
 	    smtpd_chat_reply(state, "454 4.7.0 Temporary authentication failure: %s",
-			     STR(state->sasl_reply));
+			     reason);
 	else
 	    smtpd_chat_reply(state, "535 5.7.8 Error: authentication failed: %s",
-			     STR(state->sasl_reply));
+			     reason);
 	return (-1);
    }
    /* RFC 4954 Section 6. */
--- a/postfix/src/xsasl/xsasl_dovecot_server.c
+++ b/postfix/src/xsasl/xsasl_dovecot_server.c
@ -543,6 +543,8 @@ static void xsasl_dovecot_parse_reply_args(XSASL_DOVECOT_SERVER *server,
 	myfree(server->username);
 	server->username = 0;
    }
+    VSTRING_RESET(reply);
+    VSTRING_TERMINATE(reply);

    /*
     * Note: TAB is part of the Dovecot protocol and must not appear in