diff --git a/postfix/HISTORY b/postfix/HISTORY
index 80bbe08c5..c20f970e2 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -24354,3 +24354,45 @@ Apologies for any names omitted.
Safety: vstring_set_payload_size() now checks that the
payload has not overwritten the safety terminator at the
end of the VSTRING buffer. File: util/vstream.c.
+
+20190813
+
+ Documentation: access(5) map network address pattern syntax.
+ File: proto/access.
+
+20190820
+
+ Workaround for poor TCP loopback performance on LINUX, where
+ getsockopt(..., TCP_MAXSEG, ..) reports a TCP maximal segment
+ size that is 1/2 to 1/3 of the MTU. For example, with kernel
+ 5.1.16-300.fc30.x86_64 the TCP client and server announce
+ an mss of 65495 in the TCP handshake, but getsockopt()
+ returns 32741 (less than half). As a matter of principle,
+ Postfix won't turn on client-side TCP_NODELAY because that
+ hides application performance bugs, and because that still
+ suffers from server-side delayed ACKs. Instead, Postfix
+ avoids sending "small" writes back-to-back, by choosing a
+ VSTREAM buffer size that is a multiple of the reported
+ MSS. This workaround bumps the multiplier from 2x to 4x.
+ File: util/vstream_tweak.c.
+
+20190825
+
+ Bugfix (introduced: 20051222): the Dovecot client could
+ segfault (null pointer read) or cause an SMTP server assertion
+ to fail when talking to a fake Dovecot server. The client
+ now logs a proper error instead. Problem reported by Tim
+ Düsterhus. File: xsasl/xsasl_dovecot_server.c.
+
+20190906
+
+ Bugfix (introduced: Postfix 3.4): don't whitewash OpenSSL
+ error results after a plaintext output error. The code could
+ loop, and with some OpenSSL error results could flood the
+ log with error messages (see below for a specific case).
+ Problem reported by Andreas Schulze. File: tlsproxy/tlsproxy.c.
+
+ Bitrot: don't invoke SSL_shutdown() when the SSL engine
+ thinks it is processing a handshake. As of OpenSSL 1.something
+ this returns SSL_ERROR_SSL instead of SSL_ERROR_NONE. File:
+ tlsproxy/tlsproxy.c.
diff --git a/postfix/conf/access b/postfix/conf/access
index 9d67b9493..257339bfb 100644
--- a/postfix/conf/access
+++ b/postfix/conf/access
@@ -122,21 +122,17 @@
#
# net.work
#
-# net Matches the specified IPv4 host address or subnet-
-# work. An IPv4 host address is a sequence of four
-# decimal octets separated by ".".
+# net Matches a remote IPv4 host address or network
+# address range. Specify one to four decimal octets
+# separated by ".". Do not specify "[]" , "/", lead-
+# ing zeros, or hexadecimal forms.
#
-# Subnetworks are matched by repeatedly truncating
-# the last ".octet" from the remote IPv4 host address
-# string until a match is found in the access table,
+# Network ranges are matched by repeatedly truncating
+# the last ".octet" from a remote IPv4 host address
+# string, until a match is found in the access table,
# or until further truncation is not possible.
#
-# NOTE 1: The access map lookup key must be in canon-
-# ical form: do not specify unnecessary null charac-
-# ters, and do not enclose network address informa-
-# tion with "[]" characters.
-#
-# NOTE 2: use the cidr lookup table type to specify
+# NOTE: use the cidr lookup table type to specify
# network/netmask patterns. See cidr_table(5) for
# details.
#
@@ -146,25 +142,20 @@
#
# net:work
#
-# net Matches the specified IPv6 host address or subnet-
-# work. An IPv6 host address is a sequence of three
-# to eight hexadecimal octet pairs separated by ":".
+# net Matches a remote IPv6 host address or network
+# address range. Specify three to eight hexadecimal
+# octet pairs separated by ":", using the compressed
+# form "::" for a sequence of zero-valued octet
+# pairs. Do not specify "[]", "/", leading zeros, or
+# non-compressed forms.
#
-# Subnetworks are matched by repeatedly truncating
-# the last ":octetpair" from the remote IPv6 host
-# address string until a match is found in the access
-# table, or until further truncation is not possible.
+# A network range is matched by repeatedly truncating
+# the last ":octetpair" from the compressed-form
+# remote IPv6 host address string, until a match is
+# found in the access table, or until further trunca-
+# tion is not possible.
#
-# NOTE 1: the truncation and comparison are done with
-# the string representation of the IPv6 host address.
-# Thus, not all the ":" subnetworks will be tried.
-#
-# NOTE 2: The access map lookup key must be in canon-
-# ical form: do not specify unnecessary null charac-
-# ters, and do not enclose network address informa-
-# tion with "[]" characters.
-#
-# NOTE 3: use the cidr lookup table type to specify
+# NOTE: use the cidr lookup table type to specify
# network/netmask patterns. See cidr_table(5) for
# details.
#
@@ -175,64 +166,64 @@
#
# all-numerical
# An all-numerical result is treated as OK. This for-
-# mat is generated by address-based relay authoriza-
+# mat is generated by address-based relay authoriza-
# tion schemes such as pop-before-smtp.
#
# For other accept actions, see "OTHER ACTIONS" below.
#
# REJECT ACTIONS
-# Postfix version 2.3 and later support enhanced status
-# codes as defined in RFC 3463. When no code is specified
-# at the beginning of the text below, Postfix inserts a
-# default enhanced status code of "5.7.1" in the case of
-# reject actions, and "4.7.1" in the case of defer actions.
+# Postfix version 2.3 and later support enhanced status
+# codes as defined in RFC 3463. When no code is specified
+# at the beginning of the text below, Postfix inserts a
+# default enhanced status code of "5.7.1" in the case of
+# reject actions, and "4.7.1" in the case of defer actions.
# See "ENHANCED STATUS CODES" below.
#
# 4NN text
#
# 5NN text
-# Reject the address etc. that matches the pattern,
+# Reject the address etc. that matches the pattern,
# and respond with the numerical three-digit code and
-# text. 4NN means "try again later", while 5NN means
+# text. 4NN means "try again later", while 5NN means
# "do not try again".
#
-# The following responses have special meaning for
+# The following responses have special meaning for
# the Postfix SMTP server:
#
# 421 text (Postfix 2.3 and later)
#
# 521 text (Postfix 2.6 and later)
-# After responding with the numerical
-# three-digit code and text, disconnect imme-
+# After responding with the numerical
+# three-digit code and text, disconnect imme-
# diately from the SMTP client. This frees up
-# SMTP server resources so that they can be
+# SMTP server resources so that they can be
# made available to another SMTP client.
#
# Note: The "521" response should be used only
-# with botnets and other malware where inter-
+# with botnets and other malware where inter-
# operability is of no concern. The "send 521
-# and disconnect" behavior is NOT defined in
+# and disconnect" behavior is NOT defined in
# the SMTP standard.
#
# REJECT optional text...
-# Reject the address etc. that matches the pattern.
-# Reply with "$access_map_reject_code optional
-# text..." when the optional text is specified, oth-
+# Reject the address etc. that matches the pattern.
+# Reply with "$access_map_reject_code optional
+# text..." when the optional text is specified, oth-
# erwise reply with a generic error response message.
#
# DEFER optional text...
-# Reject the address etc. that matches the pattern.
-# Reply with "$access_map_defer_code optional
-# text..." when the optional text is specified, oth-
+# Reject the address etc. that matches the pattern.
+# Reply with "$access_map_defer_code optional
+# text..." when the optional text is specified, oth-
# erwise reply with a generic error response message.
#
# This feature is available in Postfix 2.6 and later.
#
# DEFER_IF_REJECT optional text...
-# Defer the request if some later restriction would
-# result in a REJECT action. Reply with
-# "$access_map_defer_code 4.7.1 optional text..."
-# when the optional text is specified, otherwise
+# Defer the request if some later restriction would
+# result in a REJECT action. Reply with
+# "$access_map_defer_code 4.7.1 optional text..."
+# when the optional text is specified, otherwise
# reply with a generic error response message.
#
# Prior to Postfix 2.6, the SMTP reply code is 450.
@@ -240,10 +231,10 @@
# This feature is available in Postfix 2.1 and later.
#
# DEFER_IF_PERMIT optional text...
-# Defer the request if some later restriction would
-# result in a an explicit or implicit PERMIT action.
-# Reply with "$access_map_defer_code 4.7.1 optional
-# text..." when the optional text is specified, oth-
+# Defer the request if some later restriction would
+# result in a an explicit or implicit PERMIT action.
+# Reply with "$access_map_defer_code 4.7.1 optional
+# text..." when the optional text is specified, oth-
# erwise reply with a generic error response message.
#
# Prior to Postfix 2.6, the SMTP reply code is 450.
@@ -258,195 +249,195 @@
# reject_unauth_destination, and so on).
#
# BCC user@domain
-# Send one copy of the message to the specified
+# Send one copy of the message to the specified
# recipient.
#
-# If multiple BCC actions are specified within the
-# same SMTP MAIL transaction, with Postfix 3.0 only
+# If multiple BCC actions are specified within the
+# same SMTP MAIL transaction, with Postfix 3.0 only
# the last action will be used.
#
# This feature is available in Postfix 3.0 and later.
#
# DISCARD optional text...
-# Claim successful delivery and silently discard the
-# message. Log the optional text if specified, oth-
+# Claim successful delivery and silently discard the
+# message. Log the optional text if specified, oth-
# erwise log a generic message.
#
-# Note: this action currently affects all recipients
-# of the message. To discard only one recipient
-# without discarding the entire message, use the
+# Note: this action currently affects all recipients
+# of the message. To discard only one recipient
+# without discarding the entire message, use the
# transport(5) table to direct mail to the discard(8)
# service.
#
# This feature is available in Postfix 2.0 and later.
#
-# DUNNO Pretend that the lookup key was not found. This
-# prevents Postfix from trying substrings of the
-# lookup key (such as a subdomain name, or a network
+# DUNNO Pretend that the lookup key was not found. This
+# prevents Postfix from trying substrings of the
+# lookup key (such as a subdomain name, or a network
# address subnetwork).
#
# This feature is available in Postfix 2.0 and later.
#
# FILTER transport:destination
-# After the message is queued, send the entire mes-
+# After the message is queued, send the entire mes-
# sage through the specified external content filter.
-# The transport name specifies the first field of a
-# mail delivery agent definition in master.cf; the
-# syntax of the next-hop destination is described in
+# The transport name specifies the first field of a
+# mail delivery agent definition in master.cf; the
+# syntax of the next-hop destination is described in
# the manual page of the corresponding delivery
-# agent. More information about external content
+# agent. More information about external content
# filters is in the Postfix FILTER_README file.
#
-# Note 1: do not use $number regular expression sub-
-# stitutions for transport or destination unless you
+# Note 1: do not use $number regular expression sub-
+# stitutions for transport or destination unless you
# know that the information has a trusted origin.
#
-# Note 2: this action overrides the main.cf con-
-# tent_filter setting, and affects all recipients of
-# the message. In the case that multiple FILTER
+# Note 2: this action overrides the main.cf con-
+# tent_filter setting, and affects all recipients of
+# the message. In the case that multiple FILTER
# actions fire, only the last one is executed.
#
-# Note 3: the purpose of the FILTER command is to
-# override message routing. To override the recipi-
-# ent's transport but not the next-hop destination,
-# specify an empty filter destination (Postfix 2.7
+# Note 3: the purpose of the FILTER command is to
+# override message routing. To override the recipi-
+# ent's transport but not the next-hop destination,
+# specify an empty filter destination (Postfix 2.7
# and later), or specify a transport:destination that
-# delivers through a different Postfix instance
-# (Postfix 2.6 and earlier). Other options are using
-# the recipient-dependent transport_maps or the sen-
+# delivers through a different Postfix instance
+# (Postfix 2.6 and earlier). Other options are using
+# the recipient-dependent transport_maps or the sen-
# der-dependent sender_dependent_default_transport-
# _maps features.
#
# This feature is available in Postfix 2.0 and later.
#
# HOLD optional text...
-# Place the message on the hold queue, where it will
-# sit until someone either deletes it or releases it
-# for delivery. Log the optional text if specified,
+# Place the message on the hold queue, where it will
+# sit until someone either deletes it or releases it
+# for delivery. Log the optional text if specified,
# otherwise log a generic message.
#
-# Mail that is placed on hold can be examined with
-# the postcat(1) command, and can be destroyed or
+# Mail that is placed on hold can be examined with
+# the postcat(1) command, and can be destroyed or
# released with the postsuper(1) command.
#
-# Note: use "postsuper -r" to release mail that was
-# kept on hold for a significant fraction of $maxi-
+# Note: use "postsuper -r" to release mail that was
+# kept on hold for a significant fraction of $maxi-
# mal_queue_lifetime or $bounce_queue_lifetime, or
-# longer. Use "postsuper -H" only for mail that will
+# longer. Use "postsuper -H" only for mail that will
# not expire within a few delivery attempts.
#
-# Note: this action currently affects all recipients
+# Note: this action currently affects all recipients
# of the message.
#
# This feature is available in Postfix 2.0 and later.
#
# PREPEND headername: headervalue
-# Prepend the specified message header to the mes-
-# sage. When more than one PREPEND action executes,
-# the first prepended header appears before the sec-
+# Prepend the specified message header to the mes-
+# sage. When more than one PREPEND action executes,
+# the first prepended header appears before the sec-
# ond etc. prepended header.
#
-# Note: this action must execute before the message
-# content is received; it cannot execute in the con-
+# Note: this action must execute before the message
+# content is received; it cannot execute in the con-
# text of smtpd_end_of_data_restrictions.
#
# This feature is available in Postfix 2.1 and later.
#
# REDIRECT user@domain
-# After the message is queued, send the message to
+# After the message is queued, send the message to
# the specified address instead of the intended
# recipient(s). When multiple REDIRECT actions fire,
# only the last one takes effect.
#
-# Note: this action overrides the FILTER action, and
-# currently overrides all recipients of the message.
+# Note: this action overrides the FILTER action, and
+# currently overrides all recipients of the message.
#
# This feature is available in Postfix 2.1 and later.
#
# INFO optional text...
# Log an informational record with the optional text,
-# together with client information and if available,
-# with helo, sender, recipient and protocol informa-
+# together with client information and if available,
+# with helo, sender, recipient and protocol informa-
# tion.
#
# This feature is available in Postfix 3.0 and later.
#
# WARN optional text...
# Log a warning with the optional text, together with
-# client information and if available, with helo,
+# client information and if available, with helo,
# sender, recipient and protocol information.
#
# This feature is available in Postfix 2.1 and later.
#
# ENHANCED STATUS CODES
-# Postfix version 2.3 and later support enhanced status
-# codes as defined in RFC 3463. When an enhanced status
-# code is specified in an access table, it is subject to
-# modification. The following transformations are needed
-# when the same access table is used for client, helo,
-# sender, or recipient access restrictions; they happen
+# Postfix version 2.3 and later support enhanced status
+# codes as defined in RFC 3463. When an enhanced status
+# code is specified in an access table, it is subject to
+# modification. The following transformations are needed
+# when the same access table is used for client, helo,
+# sender, or recipient access restrictions; they happen
# regardless of whether Postfix replies to a MAIL FROM, RCPT
# TO or other SMTP command.
#
-# o When a sender address matches a REJECT action, the
-# Postfix SMTP server will transform a recipient DSN
-# status (e.g., 4.1.1-4.1.6) into the corresponding
+# o When a sender address matches a REJECT action, the
+# Postfix SMTP server will transform a recipient DSN
+# status (e.g., 4.1.1-4.1.6) into the corresponding
# sender DSN status, and vice versa.
#
-# o When non-address information matches a REJECT
-# action (such as the HELO command argument or the
-# client hostname/address), the Postfix SMTP server
-# will transform a sender or recipient DSN status
-# into a generic non-address DSN status (e.g.,
+# o When non-address information matches a REJECT
+# action (such as the HELO command argument or the
+# client hostname/address), the Postfix SMTP server
+# will transform a sender or recipient DSN status
+# into a generic non-address DSN status (e.g.,
# 4.0.0).
#
# REGULAR EXPRESSION TABLES
-# This section describes how the table lookups change when
+# This section describes how the table lookups change when
# the table is given in the form of regular expressions. For
-# a description of regular expression lookup table syntax,
+# a description of regular expression lookup table syntax,
# see regexp_table(5) or pcre_table(5).
#
-# Each pattern is a regular expression that is applied to
+# Each pattern is a regular expression that is applied to
# the entire string being looked up. Depending on the appli-
-# cation, that string is an entire client hostname, an
+# cation, that string is an entire client hostname, an
# entire client IP address, or an entire mail address. Thus,
# no parent domain or parent network search is done,
-# user@domain mail addresses are not broken up into their
+# user@domain mail addresses are not broken up into their
# user@ and domain constituent parts, nor is user+foo broken
# up into user and foo.
#
-# Patterns are applied in the order as specified in the ta-
-# ble, until a pattern is found that matches the search
+# Patterns are applied in the order as specified in the ta-
+# ble, until a pattern is found that matches the search
# string.
#
-# Actions are the same as with indexed file lookups, with
-# the additional feature that parenthesized substrings from
+# Actions are the same as with indexed file lookups, with
+# the additional feature that parenthesized substrings from
# the pattern can be interpolated as $1, $2 and so on.
#
# TCP-BASED TABLES
-# This section describes how the table lookups change when
+# This section describes how the table lookups change when
# lookups are directed to a TCP-based server. For a descrip-
# tion of the TCP client/server lookup protocol, see tcp_ta-
# ble(5). This feature is not available up to and including
# Postfix version 2.4.
#
-# Each lookup operation uses the entire query string once.
-# Depending on the application, that string is an entire
+# Each lookup operation uses the entire query string once.
+# Depending on the application, that string is an entire
# client hostname, an entire client IP address, or an entire
-# mail address. Thus, no parent domain or parent network
-# search is done, user@domain mail addresses are not broken
-# up into their user@ and domain constituent parts, nor is
+# mail address. Thus, no parent domain or parent network
+# search is done, user@domain mail addresses are not broken
+# up into their user@ and domain constituent parts, nor is
# user+foo broken up into user and foo.
#
# Actions are the same as with indexed file lookups.
#
# EXAMPLE
-# The following example uses an indexed file, so that the
-# order of table entries does not matter. The example per-
-# mits access by the client at address 1.2.3.4 but rejects
-# all other clients in 1.2.3.0/24. Instead of hash lookup
-# tables, some systems use dbm. Use the command "postconf
-# -m" to find out what lookup tables Postfix supports on
+# The following example uses an indexed file, so that the
+# order of table entries does not matter. The example per-
+# mits access by the client at address 1.2.3.4 but rejects
+# all other clients in 1.2.3.0/24. Instead of hash lookup
+# tables, some systems use dbm. Use the command "postconf
+# -m" to find out what lookup tables Postfix supports on
# your system.
#
# /etc/postfix/main.cf:
@@ -457,11 +448,11 @@
# 1.2.3 REJECT
# 1.2.3.4 OK
#
-# Execute the command "postmap /etc/postfix/access" after
+# Execute the command "postmap /etc/postfix/access" after
# editing the file.
#
# BUGS
-# The table format does not understand quoting conventions.
+# The table format does not understand quoting conventions.
#
# SEE ALSO
# postmap(1), Postfix lookup table manager
@@ -470,13 +461,13 @@
# transport(5), transport:nexthop syntax
#
# README FILES
-# Use "postconf readme_directory" or "postconf html_direc-
+# Use "postconf readme_directory" or "postconf html_direc-
# tory" to locate this information.
# SMTPD_ACCESS_README, built-in SMTP server access control
# DATABASE_README, Postfix lookup table overview
#
# LICENSE
-# The Secure Mailer license must be distributed with this
+# The Secure Mailer license must be distributed with this
# software.
#
# AUTHOR(S)
diff --git a/postfix/html/access.5.html b/postfix/html/access.5.html
index f43b4b252..9adcb0271 100644
--- a/postfix/html/access.5.html
+++ b/postfix/html/access.5.html
@@ -114,21 +114,17 @@ ACCESS(5) ACCESS(5)
net.work
- net Matches the specified IPv4 host address or subnetwork. An IPv4
- host address is a sequence of four decimal octets separated by
- ".".
+ net Matches a remote IPv4 host address or network address range.
+ Specify one to four decimal octets separated by ".". Do not
+ specify "[]" , "/", leading zeros, or hexadecimal forms.
- Subnetworks are matched by repeatedly truncating the last
- ".octet" from the remote IPv4 host address string until a match
+ Network ranges are matched by repeatedly truncating the last
+ ".octet" from a remote IPv4 host address string, until a match
is found in the access table, or until further truncation is not
possible.
- NOTE 1: The access map lookup key must be in canonical form: do
- not specify unnecessary null characters, and do not enclose net-
- work address information with "[]" characters.
-
- NOTE 2: use the cidr lookup table type to specify network/net-
- mask patterns. See cidr_table(5) for details.
+ NOTE: use the cidr lookup table type to specify network/netmask
+ patterns. See cidr_table(5) for details.
net:work:addr:ess
@@ -136,25 +132,19 @@ ACCESS(5) ACCESS(5)
net:work
- net Matches the specified IPv6 host address or subnetwork. An IPv6
- host address is a sequence of three to eight hexadecimal octet
- pairs separated by ":".
+ net Matches a remote IPv6 host address or network address range.
+ Specify three to eight hexadecimal octet pairs separated by ":",
+ using the compressed form "::" for a sequence of zero-valued
+ octet pairs. Do not specify "[]", "/", leading zeros, or
+ non-compressed forms.
- Subnetworks are matched by repeatedly truncating the last
- ":octetpair" from the remote IPv6 host address string until a
- match is found in the access table, or until further truncation
- is not possible.
+ A network range is matched by repeatedly truncating the last
+ ":octetpair" from the compressed-form remote IPv6 host address
+ string, until a match is found in the access table, or until
+ further truncation is not possible.
- NOTE 1: the truncation and comparison are done with the string
- representation of the IPv6 host address. Thus, not all the ":"
- subnetworks will be tried.
-
- NOTE 2: The access map lookup key must be in canonical form: do
- not specify unnecessary null characters, and do not enclose net-
- work address information with "[]" characters.
-
- NOTE 3: use the cidr lookup table type to specify network/net-
- mask patterns. See cidr_table(5) for details.
+ NOTE: use the cidr lookup table type to specify network/netmask
+ patterns. See cidr_table(5) for details.
IPv6 support is available in Postfix 2.2 and later.
diff --git a/postfix/man/man5/access.5 b/postfix/man/man5/access.5
index 4fb7b6ba2..d1f7f92cb 100644
--- a/postfix/man/man5/access.5
+++ b/postfix/man/man5/access.5
@@ -121,43 +121,33 @@ string \fBsmtpd_access_maps\fR is not listed in the Postfix
.IP \fInet.work.addr\fR
.IP \fInet.work\fR
.IP \fInet\fR
-Matches the specified IPv4 host address or subnetwork. An
-IPv4 host address is a sequence of four decimal octets
-separated by ".".
+Matches a remote IPv4 host address or network address range.
+Specify one to four decimal octets separated by ".". Do not
+specify "[]" , "/", leading zeros, or hexadecimal forms.
-Subnetworks are matched by repeatedly truncating the last
-".octet" from the remote IPv4 host address string until a
+Network ranges are matched by repeatedly truncating the last
+".octet" from a remote IPv4 host address string, until a
match is found in the access table, or until further
truncation is not possible.
-NOTE 1: The access map lookup key must be in canonical form:
-do not specify unnecessary null characters, and do not
-enclose network address information with "[]" characters.
-
-NOTE 2: use the \fBcidr\fR lookup table type to specify
+NOTE: use the \fBcidr\fR lookup table type to specify
network/netmask patterns. See \fBcidr_table\fR(5) for details.
.IP \fInet:work:addr:ess\fR
.IP \fInet:work:addr\fR
.IP \fInet:work\fR
.IP \fInet\fR
-Matches the specified IPv6 host address or subnetwork. An
-IPv6 host address is a sequence of three to eight hexadecimal
-octet pairs separated by ":".
+Matches a remote IPv6 host address or network address range.
+Specify three to eight hexadecimal octet pairs separated
+by ":", using the compressed form "::" for a sequence of
+zero\-valued octet pairs. Do not specify "[]", "/", leading
+zeros, or non\-compressed forms.
-Subnetworks are matched by repeatedly truncating the last
-":octetpair" from the remote IPv6 host address string until
-a match is found in the access table, or until further
-truncation is not possible.
+A network range is matched by repeatedly truncating the
+last ":octetpair" from the compressed\-form remote IPv6 host
+address string, until a match is found in the access table,
+or until further truncation is not possible.
-NOTE 1: the truncation and comparison are done with the
-string representation of the IPv6 host address. Thus, not
-all the ":" subnetworks will be tried.
-
-NOTE 2: The access map lookup key must be in canonical form:
-do not specify unnecessary null characters, and do not
-enclose network address information with "[]" characters.
-
-NOTE 3: use the \fBcidr\fR lookup table type to specify
+NOTE: use the \fBcidr\fR lookup table type to specify
network/netmask patterns. See \fBcidr_table\fR(5) for details.
IPv6 support is available in Postfix 2.2 and later.
diff --git a/postfix/proto/access b/postfix/proto/access
index 983bf37e2..e01cc0f0e 100644
--- a/postfix/proto/access
+++ b/postfix/proto/access
@@ -105,43 +105,33 @@
# .IP \fInet.work.addr\fR
# .IP \fInet.work\fR
# .IP \fInet\fR
-# Matches the specified IPv4 host address or subnetwork. An
-# IPv4 host address is a sequence of four decimal octets
-# separated by ".".
+# Matches a remote IPv4 host address or network address range.
+# Specify one to four decimal octets separated by ".". Do not
+# specify "[]" , "/", leading zeros, or hexadecimal forms.
#
-# Subnetworks are matched by repeatedly truncating the last
-# ".octet" from the remote IPv4 host address string until a
+# Network ranges are matched by repeatedly truncating the last
+# ".octet" from a remote IPv4 host address string, until a
# match is found in the access table, or until further
# truncation is not possible.
#
-# NOTE 1: The access map lookup key must be in canonical form:
-# do not specify unnecessary null characters, and do not
-# enclose network address information with "[]" characters.
-#
-# NOTE 2: use the \fBcidr\fR lookup table type to specify
+# NOTE: use the \fBcidr\fR lookup table type to specify
# network/netmask patterns. See \fBcidr_table\fR(5) for details.
# .IP \fInet:work:addr:ess\fR
# .IP \fInet:work:addr\fR
# .IP \fInet:work\fR
# .IP \fInet\fR
-# Matches the specified IPv6 host address or subnetwork. An
-# IPv6 host address is a sequence of three to eight hexadecimal
-# octet pairs separated by ":".
+# Matches a remote IPv6 host address or network address range.
+# Specify three to eight hexadecimal octet pairs separated
+# by ":", using the compressed form "::" for a sequence of
+# zero-valued octet pairs. Do not specify "[]", "/", leading
+# zeros, or non-compressed forms.
#
-# Subnetworks are matched by repeatedly truncating the last
-# ":octetpair" from the remote IPv6 host address string until
-# a match is found in the access table, or until further
-# truncation is not possible.
+# A network range is matched by repeatedly truncating the
+# last ":octetpair" from the compressed-form remote IPv6 host
+# address string, until a match is found in the access table,
+# or until further truncation is not possible.
#
-# NOTE 1: the truncation and comparison are done with the
-# string representation of the IPv6 host address. Thus, not
-# all the ":" subnetworks will be tried.
-#
-# NOTE 2: The access map lookup key must be in canonical form:
-# do not specify unnecessary null characters, and do not
-# enclose network address information with "[]" characters.
-#
-# NOTE 3: use the \fBcidr\fR lookup table type to specify
+# NOTE: use the \fBcidr\fR lookup table type to specify
# network/netmask patterns. See \fBcidr_table\fR(5) for details.
#
# IPv6 support is available in Postfix 2.2 and later.
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 819754f35..e3402dd5a 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20190724"
+#define MAIL_RELEASE_DATE "20190908"
#define MAIL_VERSION_NUMBER "3.5"
#ifdef SNAPSHOT
diff --git a/postfix/src/tlsproxy/tlsproxy.c b/postfix/src/tlsproxy/tlsproxy.c
index 7e47efe9a..a622c715d 100644
--- a/postfix/src/tlsproxy/tlsproxy.c
+++ b/postfix/src/tlsproxy/tlsproxy.c
@@ -678,7 +678,8 @@ static int tlsp_eval_tls_error(TLSP_STATE *state, int err)
/*
* Allow buffered-up plaintext output to trickle out.
*/
- if (state->plaintext_buf && NBBIO_WRITE_PEND(state->plaintext_buf))
+ if (state->plaintext_buf && !NBBIO_ERROR_FLAGS(state->plaintext_buf)
+ && NBBIO_WRITE_PEND(state->plaintext_buf))
return (TLSP_STAT_OK);
tlsp_state_free(state);
return (TLSP_STAT_ERR);
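Review bot: The reason the trickle-out path now stops when the plaintext side has an error is not recorded, while the comment above it (`Allow buffered-up plaintext output to trickle out.`) still reads as unconditional. Suggest extending that comment: `/* ... but not when the plaintext stream itself has failed: retrying output on a dead stream could loop and flood the log with OpenSSL error results. */`. The HISTORY entry in this commit gives exactly that rationale (looping, log flooding), so stating it at the code keeps the two in sync. tlsp_eval_tls_error begins before this hunk.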
@@ -784,9 +785,8 @@ static void tlsp_strategy(TLSP_STATE *state)
if (NBBIO_ERROR_FLAGS(plaintext_buf)) {
if (NBBIO_ACTIVE_FLAGS(plaintext_buf))
nbbio_disable_readwrite(state->plaintext_buf);
- ssl_stat = SSL_shutdown(tls_context->con);
- /* XXX Wait for return value 1 if sessions are to be reused? */
- if (ssl_stat < 0) {
+ if (!SSL_in_init(tls_context->con)
+ && (ssl_stat = SSL_shutdown(tls_context->con)) < 0) {
handshake_err = SSL_get_error(tls_context->con, ssl_stat);
tlsp_eval_tls_error(state, handshake_err);
/* At this point, state could be a dangling pointer. */
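Review bot: The dropped `XXX Wait for return value 1 if sessions are to be reused?` note is not replaced, so the new SSL_in_init() guard carries no explanation of why SSL_shutdown() is skipped mid-handshake or why a unidirectional shutdown (return 0) remains acceptable. Suggest a comment above the new condition, e.g. `/* Don't SSL_shutdown() while the engine is still in a handshake: newer OpenSSL reports SSL_ERROR_SSL for that instead of SSL_ERROR_NONE, and presumably no session exists yet that needs a close_notify. */`. Folding the assignment into the condition (`(ssl_stat = SSL_shutdown(...)) < 0`) is safe because `&&` short-circuits, but a reader must verify that ssl_stat is consumed only inside the body; an `if (!SSL_in_init(...))` block with the assignment on its own line would make that obvious. tlsp_strategy starts before this hunk and its body continues after it.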
diff --git a/postfix/src/util/vstream_tweak.c b/postfix/src/util/vstream_tweak.c
index 668654d05..a2e220c45 100644
--- a/postfix/src/util/vstream_tweak.c
+++ b/postfix/src/util/vstream_tweak.c
@@ -124,12 +124,20 @@ int vstream_tweak_tcp(VSTREAM *fp)
* stream buffer size to less than VSTREAM_BUFSIZE, when the request is
* made before the first stream read or write operation. We don't want to
* reduce the buffer size.
+ *
+ * As of 20190820 we increase the mss size multipler from 2x to 4x, because
+ * some LINUX loopback TCP stacks report an MSS of 21845 which is 3x
+ * smaller than the MTU of 65536. Even with a VSTREAM buffer 2x the
+ * reported MSS size, performance would suck due to Nagle or delayed ACK
+ * delays.
*/
#define EFF_BUFFER_SIZE(fp) (vstream_req_bufsize(fp) ? \
vstream_req_bufsize(fp) : VSTREAM_BUFSIZE)
#ifdef CA_VSTREAM_CTL_BUFSIZE
- if (mss > EFF_BUFFER_SIZE(fp) / 2) {
+ if (mss > EFF_BUFFER_SIZE(fp) / 4) {
+ if (mss < INT_MAX / 2)
+ mss *= 2;
if (mss < INT_MAX / 2)
mss *= 2;
vstream_control(fp,
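Review bot: The new comment's example figures disagree with the HISTORY entry in this same commit: here the loopback MSS is `21845` against an MTU of `65536`, while HISTORY cites a getsockopt() result of 32741 against an announced mss of 65495; one of the two should be corrected, or the comment should present its numbers as one observed example rather than the case. Also `multipler` should read `multiplier`. The repeated `if (mss < INT_MAX / 2) mss *= 2;` is a correct overflow guard for each doubling, but it reads like an accidental copy-paste; a one-line comment such as `/* 4x the reported MSS, each doubling guarded against int overflow */` would signal intent. vstream_tweak_tcp begins before this hunk and continues after the vstream_control() call.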
diff --git a/postfix/src/xsasl/xsasl_dovecot_server.c b/postfix/src/xsasl/xsasl_dovecot_server.c
index 226cf11a6..601f7874b 100644
--- a/postfix/src/xsasl/xsasl_dovecot_server.c
+++ b/postfix/src/xsasl/xsasl_dovecot_server.c
@@ -584,10 +584,20 @@ static int xsasl_dovecot_handle_reply(XSASL_DOVECOT_SERVER *server,
if (xsasl_dovecot_parse_reply(server, &line) == 0) {
/* authentication successful */
xsasl_dovecot_parse_reply_args(server, line, reply, 1);
+ if (server->username == 0) {
+ msg_warn("missing Dovecot server %s username field", cmd);
+ vstring_strcpy(reply, "Authentication backend error");
+ return XSASL_AUTH_FAIL;
+ }
return XSASL_AUTH_DONE;
}
} else if (strcmp(cmd, "CONT") == 0) {
if (xsasl_dovecot_parse_reply(server, &line) == 0) {
+ if (line == 0) {
+ msg_warn("missing Dovecot server %s reply field", cmd);
+ vstring_strcpy(reply, "Authentication backend error");
+ return XSASL_AUTH_FAIL;
+ }
vstring_strcpy(reply, line);
return XSASL_AUTH_MORE;
}
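Review bot: The new guard after xsasl_dovecot_parse_reply_args() rejects a missing `user=` field but not an empty one; if the caller treats `server->username` as the authenticated identity, an empty string would now reach it where a null pointer previously crashed. Whether an empty value is acceptable is not visible here, so either widen the check to `if (server->username == 0 || *server->username == 0)` or add a comment stating that empty usernames are intentionally passed through. The two new failure paths return the same generic `Authentication backend error` to the client while the specific detail goes only to msg_warn(); a brief comment that this split is deliberate would stop a later change from copying backend detail into the client reply. xsasl_dovecot_handle_reply begins before this hunk and continues after it.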