postfix-3.5-20190908

2025-08-28 20:57:56 +00:00 · 2019-09-08 00:00:00 -05:00 · 2019-09-08 00:00:00 -05:00 · 1a2bf1fc7c
commit 1a2bf1fc7c
parent bb8da60fce
9 changed files with 251 additions and 230 deletions
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@ -24354,3 +24354,45 @@ Apologies for any names omitted.
 	Safety: vstring_set_payload_size() now checks that the
 	payload has not overwritten the safety terminator at the
 	end of the VSTRING buffer. File: util/vstream.c.
 20190813
 	Documentation: access(5) map network address pattern syntax.
 	File: proto/access.
 20190820
 	Workaround for poor TCP loopback performance on LINUX, where
 	getsockopt(..., TCP_MAXSEG, ..) reports a TCP maximal segment
 	size that is 1/2 to 1/3 of the MTU. For example, with kernel
 	5.1.16-300.fc30.x86_64 the TCP client and server announce
 	an mss of 65495 in the TCP handshake, but getsockopt()
 	returns 32741 (less than half). As a matter of principle,
 	Postfix won't turn on client-side TCP_NODELAY because that
 	hides application performance bugs, and because that still
 	suffers from server-side delayed ACKs. Instead, Postfix
 	avoids sending "small" writes back-to-back, by choosing a
 	VSTREAM buffer size that is a multiple of the reported
 	MSS. This workaround bumps the multiplier from 2x to 4x.
 	File: util/vstream_tweak.c.
 20190825
 	Bugfix (introduced: 20051222): the Dovecot client could
 	segfault (null pointer read) or cause an SMTP server assertion
 	to fail when talking to a fake Dovecot server. The client
 	now logs a proper error instead. Problem reported by Tim
 	Düsterhus.  File: xsasl/xsasl_dovecot_server.c.
 20190906
 	Bugfix (introduced: Postfix 3.4): don't whitewash OpenSSL
 	error results after a plaintext output error. The code could
 	loop, and with some OpenSSL error results could flood the
 	log with error messages (see below for a specific case).
 	Problem reported by Andreas Schulze. File: tlsproxy/tlsproxy.c.
 	Bitrot: don't invoke SSL_shutdown() when the SSL engine
 	thinks it is processing a handshake. As of OpenSSL 1.something
 	this returns SSL_ERROR_SSL instead of SSL_ERROR_NONE. File:
 	tlsproxy/tlsproxy.c.
--- a/postfix/conf/access
+++ b/postfix/conf/access
@ -122,21 +122,17 @@
 # 
 #        net.work
 # 
-#        net    Matches the specified IPv4 host address or  subnet-
+#        net    Matches a  remote  IPv4  host  address  or  network
-#               work.  An  IPv4  host address is a sequence of four
+#               address  range.  Specify one to four decimal octets
-#               decimal octets separated by ".".
+#               separated by ".". Do not specify "[]" , "/",  lead-
 #               ing zeros, or hexadecimal forms.
 # 
-#               Subnetworks are matched  by  repeatedly  truncating
+#               Network ranges are matched by repeatedly truncating
-#               the last ".octet" from the remote IPv4 host address
+#               the last ".octet" from a remote IPv4  host  address
-#               string until a match is found in the access  table,
+#               string, until a match is found in the access table,
 #               or until further truncation is not possible.
 # 
-#               NOTE 1: The access map lookup key must be in canon-
+#               NOTE: use the cidr lookup  table  type  to  specify
 #               ical form: do not specify unnecessary null  charac-
 #               ters,  and  do not enclose network address informa-
 #               tion with "[]" characters.
 # 
 #               NOTE 2: use the cidr lookup table type  to  specify
 #               network/netmask  patterns.  See  cidr_table(5)  for
 #               details.
 # 
@ -146,25 +142,20 @@
 # 
 #        net:work
 # 
-#        net    Matches the specified IPv6 host address or  subnet-
+#        net    Matches a  remote  IPv6  host  address  or  network
-#               work.  An  IPv6 host address is a sequence of three
+#               address  range.  Specify three to eight hexadecimal
-#               to eight hexadecimal octet pairs separated by  ":".
+#               octet pairs separated by ":", using the  compressed
 #               form  "::"  for  a  sequence  of  zero-valued octet
 #               pairs. Do not specify "[]", "/", leading zeros,  or
 #               non-compressed forms.
 # 
-#               Subnetworks  are  matched  by repeatedly truncating
+#               A network range is matched by repeatedly truncating
-#               the last ":octetpair" from  the  remote  IPv6  host
+#               the  last  ":octetpair"  from  the  compressed-form
-#               address string until a match is found in the access
+#               remote  IPv6  host address string, until a match is
-#               table, or until further truncation is not possible.
+#               found in the access table, or until further trunca-
 #               tion is not possible.
 # 
-#               NOTE 1: the truncation and comparison are done with
+#               NOTE:  use  the  cidr  lookup table type to specify
 #               the string representation of the IPv6 host address.
 #               Thus, not all the ":" subnetworks will be tried.
 # 
 #               NOTE 2: The access map lookup key must be in canon-
 #               ical form: do not specify unnecessary null  charac-
 #               ters,  and  do not enclose network address informa-
 #               tion with "[]" characters.
 # 
 #               NOTE 3: use the cidr lookup table type  to  specify
 #               network/netmask  patterns.  See  cidr_table(5)  for
 #               details.
 # 
--- a/postfix/html/access.5.html
+++ b/postfix/html/access.5.html
@ -114,21 +114,17 @@ ACCESS(5)                                                            ACCESS(5)
       <i>net.work</i>
-       <i>net</i>    Matches  the  specified IPv4 host address or subnetwork. An IPv4
+       <i>net</i>    Matches  a  remote  IPv4  host address or network address range.
-              host address is a sequence of four decimal octets  separated  by
+              Specify one to four decimal octets  separated  by  ".".  Do  not
-              ".".
+              specify "[]" , "/", leading zeros, or hexadecimal forms.
-              Subnetworks  are  matched  by  repeatedly  truncating  the  last
+              Network  ranges  are  matched  by repeatedly truncating the last
-              ".octet" from the remote IPv4 host address string until a  match
+              ".octet" from a remote IPv4 host address string, until  a  match
              is found in the access table, or until further truncation is not
              possible.
-              NOTE 1: The access map lookup key must be in canonical form:  do
+              NOTE: use the <b>cidr</b> lookup table type to specify  network/netmask
-              not specify unnecessary null characters, and do not enclose net-
+              patterns. See <a href="cidr_table.5.html"><b>cidr_table</b>(5)</a> for details.
              work address information with "[]" characters.
              NOTE 2: use the <b>cidr</b> lookup table type to  specify  network/net-
              mask patterns. See <a href="cidr_table.5.html"><b>cidr_table</b>(5)</a> for details.
       <i>net:work:addr:ess</i>
@ -136,25 +132,19 @@ ACCESS(5)                                                            ACCESS(5)
       <i>net:work</i>
-       <i>net</i>    Matches  the  specified IPv6 host address or subnetwork. An IPv6
+       <i>net</i>    Matches  a  remote  IPv6  host address or network address range.
-              host address is a sequence of three to eight  hexadecimal  octet
+              Specify three to eight hexadecimal octet pairs separated by ":",
-              pairs separated by ":".
+              using  the  compressed  form  "::" for a sequence of zero-valued
              octet pairs.  Do  not  specify  "[]",  "/",  leading  zeros,  or
              non-compressed forms.
-              Subnetworks  are  matched  by  repeatedly  truncating  the  last
+              A  network  range  is  matched by repeatedly truncating the last
-              ":octetpair" from the remote IPv6 host address  string  until  a
+              ":octetpair" from the compressed-form remote IPv6  host  address
-              match  is found in the access table, or until further truncation
+              string,  until  a  match  is found in the access table, or until
-              is not possible.
+              further truncation is not possible.
-              NOTE 1: the truncation and comparison are done with  the  string
+              NOTE: use the <b>cidr</b> lookup table type to specify  network/netmask
-              representation  of  the IPv6 host address. Thus, not all the ":"
+              patterns. See <a href="cidr_table.5.html"><b>cidr_table</b>(5)</a> for details.
              subnetworks will be tried.
              NOTE 2: The access map lookup key must be in canonical form:  do
              not specify unnecessary null characters, and do not enclose net-
              work address information with "[]" characters.
              NOTE 3: use the <b>cidr</b> lookup table type to  specify  network/net-
              mask patterns. See <a href="cidr_table.5.html"><b>cidr_table</b>(5)</a> for details.
              IPv6 support is available in Postfix 2.2 and later.
--- a/postfix/man/man5/access.5
+++ b/postfix/man/man5/access.5
@ -121,43 +121,33 @@ string \fBsmtpd_access_maps\fR is not listed in the Postfix
 .IP \fInet.work.addr\fR
 .IP \fInet.work\fR
 .IP \fInet\fR
-Matches the specified IPv4 host address or subnetwork. An
+Matches a remote IPv4 host address or network address range.
-IPv4 host address is a sequence of four decimal octets
+Specify one to four decimal octets separated by ".". Do not
-separated by ".".
+specify "[]" , "/", leading zeros, or hexadecimal forms.
-Subnetworks are matched by repeatedly truncating the last
+Network ranges are matched by repeatedly truncating the last
-".octet" from the remote IPv4 host address string until a
+".octet" from a remote IPv4 host address string, until a
 match is found in the access table, or until further
 truncation is not possible.
-NOTE 1: The access map lookup key must be in canonical form:
+NOTE: use the \fBcidr\fR lookup table type to specify
 do not specify unnecessary null characters, and do not
 enclose network address information with "[]" characters.
 NOTE 2: use the \fBcidr\fR lookup table type to specify
 network/netmask patterns. See \fBcidr_table\fR(5) for details.
 .IP \fInet:work:addr:ess\fR
 .IP \fInet:work:addr\fR
 .IP \fInet:work\fR
 .IP \fInet\fR
-Matches the specified IPv6 host address or subnetwork. An
+Matches a remote IPv6 host address or network address range.
-IPv6 host address is a sequence of three to eight hexadecimal
+Specify three to eight hexadecimal octet pairs separated
-octet pairs separated by ":".
+by ":", using the compressed form "::" for a sequence of
 zero\-valued octet pairs. Do not specify "[]", "/", leading
 zeros, or non\-compressed forms.
-Subnetworks are matched by repeatedly truncating the last
+A network range is matched by repeatedly truncating the
-":octetpair" from the remote IPv6 host address string until
+last ":octetpair" from the compressed\-form remote IPv6 host
-a match is found in the access table, or until further
+address string, until a match is found in the access table,
-truncation is not possible.
+or until further truncation is not possible.
-NOTE 1: the truncation and comparison are done with the
+NOTE: use the \fBcidr\fR lookup table type to specify
 string representation of the IPv6 host address. Thus, not
 all the ":" subnetworks will be tried.
 NOTE 2: The access map lookup key must be in canonical form:
 do not specify unnecessary null characters, and do not
 enclose network address information with "[]" characters.
 NOTE 3: use the \fBcidr\fR lookup table type to specify
 network/netmask patterns. See \fBcidr_table\fR(5) for details.
 IPv6 support is available in Postfix 2.2 and later.
--- a/postfix/proto/access
+++ b/postfix/proto/access
@ -105,43 +105,33 @@
 # .IP \fInet.work.addr\fR
 # .IP \fInet.work\fR
 # .IP \fInet\fR
-#	Matches the specified IPv4 host address or subnetwork. An
+#	Matches a remote IPv4 host address or network address range.
-#	IPv4 host address is a sequence of four decimal octets
+#	Specify one to four decimal octets separated by ".". Do not
-#	separated by ".".
+#	specify "[]" , "/", leading zeros, or hexadecimal forms.
 #
-#	Subnetworks are matched by repeatedly truncating the last
+#	Network ranges are matched by repeatedly truncating the last
-#	".octet" from the remote IPv4 host address string until a
+#	".octet" from a remote IPv4 host address string, until a
 #	match is found in the access table, or until further
 #	truncation is not possible.
 #
-#	NOTE 1: The access map lookup key must be in canonical form:
+#	NOTE: use the \fBcidr\fR lookup table type to specify
 #	do not specify unnecessary null characters, and do not
 #	enclose network address information with "[]" characters.
 #
 #	NOTE 2: use the \fBcidr\fR lookup table type to specify
 #	network/netmask patterns. See \fBcidr_table\fR(5) for details.
 # .IP \fInet:work:addr:ess\fR
 # .IP \fInet:work:addr\fR
 # .IP \fInet:work\fR
 # .IP \fInet\fR
-#	Matches the specified IPv6 host address or subnetwork. An
+#	Matches a remote IPv6 host address or network address range.
-#	IPv6 host address is a sequence of three to eight hexadecimal
+#	Specify three to eight hexadecimal octet pairs separated
-#	octet pairs separated by ":".
+#	by ":", using the compressed form "::" for a sequence of
 #	zero-valued octet pairs. Do not specify "[]", "/", leading
 #	zeros, or non-compressed forms.
 #
-#	Subnetworks are matched by repeatedly truncating the last
+#	A network range is matched by repeatedly truncating the
-#	":octetpair" from the remote IPv6 host address string until
+#	last ":octetpair" from the compressed-form remote IPv6 host
-#	a match is found in the access table, or until further
+#	address string, until a match is found in the access table,
-#	truncation is not possible.
+#	or until further truncation is not possible.
 #
-#	NOTE 1: the truncation and comparison are done with the
+#	NOTE: use the \fBcidr\fR lookup table type to specify
 #	string representation of the IPv6 host address. Thus, not
 #	all the ":" subnetworks will be tried.
 #
 #	NOTE 2: The access map lookup key must be in canonical form:
 #	do not specify unnecessary null characters, and do not
 #	enclose network address information with "[]" characters.
 #
 #	NOTE 3: use the \fBcidr\fR lookup table type to specify
 #	network/netmask patterns. See \fBcidr_table\fR(5) for details.
 #
 #	IPv6 support is available in Postfix 2.2 and later.
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@ -20,7 +20,7 @@
  * Patches change both the patchlevel and the release date. Snapshots have no
  * patchlevel; they change the release date only.
  */
-#define MAIL_RELEASE_DATE	"20190724"
+#define MAIL_RELEASE_DATE	"20190908"
 #define MAIL_VERSION_NUMBER	"3.5"
 #ifdef SNAPSHOT
--- a/postfix/src/tlsproxy/tlsproxy.c
+++ b/postfix/src/tlsproxy/tlsproxy.c
@ -678,7 +678,8 @@ static int tlsp_eval_tls_error(TLSP_STATE *state, int err)
 	/*
 	 * Allow buffered-up plaintext output to trickle out.
 	 */
-	if (state->plaintext_buf && NBBIO_WRITE_PEND(state->plaintext_buf))
+	if (state->plaintext_buf && !NBBIO_ERROR_FLAGS(state->plaintext_buf)
 	    && NBBIO_WRITE_PEND(state->plaintext_buf))
 	    return (TLSP_STAT_OK);
 	tlsp_state_free(state);
 	return (TLSP_STAT_ERR);
@ -784,9 +785,8 @@ static void tlsp_strategy(TLSP_STATE *state)
    if (NBBIO_ERROR_FLAGS(plaintext_buf)) {
 	if (NBBIO_ACTIVE_FLAGS(plaintext_buf))
 	    nbbio_disable_readwrite(state->plaintext_buf);
-	ssl_stat = SSL_shutdown(tls_context->con);
+	if (!SSL_in_init(tls_context->con)
-	/* XXX Wait for return value 1 if sessions are to be reused? */
+	    && (ssl_stat = SSL_shutdown(tls_context->con)) < 0) {
 	if (ssl_stat < 0) {
 	    handshake_err = SSL_get_error(tls_context->con, ssl_stat);
 	    tlsp_eval_tls_error(state, handshake_err);
 	    /* At this point, state could be a dangling pointer. */
--- a/postfix/src/util/vstream_tweak.c
+++ b/postfix/src/util/vstream_tweak.c
@ -124,12 +124,20 @@ int     vstream_tweak_tcp(VSTREAM *fp)
     * stream buffer size to less than VSTREAM_BUFSIZE, when the request is
     * made before the first stream read or write operation. We don't want to
     * reduce the buffer size.
     * 
     * As of 20190820 we increase the mss size multipler from 2x to 4x, because
     * some LINUX loopback TCP stacks report an MSS of 21845 which is 3x
     * smaller than the MTU of 65536. Even with a VSTREAM buffer 2x the
     * reported MSS size, performance would suck due to Nagle or delayed ACK
     * delays.
     */
 #define EFF_BUFFER_SIZE(fp) (vstream_req_bufsize(fp) ? \
 		vstream_req_bufsize(fp) : VSTREAM_BUFSIZE)
 #ifdef CA_VSTREAM_CTL_BUFSIZE
-    if (mss > EFF_BUFFER_SIZE(fp) / 2) {
+    if (mss > EFF_BUFFER_SIZE(fp) / 4) {
 	if (mss < INT_MAX / 2)
 	    mss *= 2;
 	if (mss < INT_MAX / 2)
 	    mss *= 2;
 	vstream_control(fp,
--- a/postfix/src/xsasl/xsasl_dovecot_server.c
+++ b/postfix/src/xsasl/xsasl_dovecot_server.c
@ -584,10 +584,20 @@ static int xsasl_dovecot_handle_reply(XSASL_DOVECOT_SERVER *server,
 	    if (xsasl_dovecot_parse_reply(server, &line) == 0) {
 		/* authentication successful */
 		xsasl_dovecot_parse_reply_args(server, line, reply, 1);
 		if (server->username == 0) {
 		    msg_warn("missing Dovecot server %s username field", cmd);
 		    vstring_strcpy(reply, "Authentication backend error");
 		    return XSASL_AUTH_FAIL;
 		}
 		return XSASL_AUTH_DONE;
 	    }
 	} else if (strcmp(cmd, "CONT") == 0) {
 	    if (xsasl_dovecot_parse_reply(server, &line) == 0) {
 		if (line == 0) {
 		    msg_warn("missing Dovecot server %s reply field", cmd);
 		    vstring_strcpy(reply, "Authentication backend error");
 		    return XSASL_AUTH_FAIL;
 		}
 		vstring_strcpy(reply, line);
 		return XSASL_AUTH_MORE;
 	    }