
postfix-3.5-20190908

This commit is contained in:
Wietse Venema 2019-09-08 00:00:00 -05:00 committed by Viktor Dukhovni
parent bb8da60fce
commit 1a2bf1fc7c
9 changed files with 251 additions and 230 deletions


@ -24354,3 +24354,45 @@ Apologies for any names omitted.
Safety: vstring_set_payload_size() now checks that the
payload has not overwritten the safety terminator at the
end of the VSTRING buffer. File: util/vstream.c.
20190813
Documentation: access(5) map network address pattern syntax.
File: proto/access.
20190820
Workaround for poor TCP loopback performance on LINUX, where
getsockopt(..., TCP_MAXSEG, ..) reports a TCP maximal segment
size that is 1/2 to 1/3 of the MTU. For example, with kernel
5.1.16-300.fc30.x86_64 the TCP client and server announce
an mss of 65495 in the TCP handshake, but getsockopt()
returns 32741 (less than half). As a matter of principle,
Postfix won't turn on client-side TCP_NODELAY because that
hides application performance bugs, and because that still
suffers from server-side delayed ACKs. Instead, Postfix
avoids sending "small" writes back-to-back, by choosing a
VSTREAM buffer size that is a multiple of the reported
MSS. This workaround bumps the multiplier from 2x to 4x.
File: util/vstream_tweak.c.
20190825
Bugfix (introduced: 20051222): the Dovecot client could
segfault (null pointer read) or cause an SMTP server assertion
to fail when talking to a fake Dovecot server. The client
now logs a proper error instead. Problem reported by Tim
Düsterhus. File: xsasl/xsasl_dovecot_server.c.
20190906
Bugfix (introduced: Postfix 3.4): don't whitewash OpenSSL
error results after a plaintext output error. The code could
loop, and with some OpenSSL error results could flood the
log with error messages (see below for a specific case).
Problem reported by Andreas Schulze. File: tlsproxy/tlsproxy.c.
Bitrot: don't invoke SSL_shutdown() when the SSL engine
thinks it is processing a handshake. As of OpenSSL 1.something
this returns SSL_ERROR_SSL instead of SSL_ERROR_NONE. File:
tlsproxy/tlsproxy.c.


@ -122,21 +122,17 @@
#
# net.work
#
# net Matches the specified IPv4 host address or subnet-
# work. An IPv4 host address is a sequence of four
# decimal octets separated by ".".
# net Matches a remote IPv4 host address or network
# address range. Specify one to four decimal octets
# separated by ".". Do not specify "[]" , "/", lead-
# ing zeros, or hexadecimal forms.
#
# Subnetworks are matched by repeatedly truncating
# the last ".octet" from the remote IPv4 host address
# string until a match is found in the access table,
# Network ranges are matched by repeatedly truncating
# the last ".octet" from a remote IPv4 host address
# string, until a match is found in the access table,
# or until further truncation is not possible.
#
# NOTE 1: The access map lookup key must be in canon-
# ical form: do not specify unnecessary null charac-
# ters, and do not enclose network address informa-
# tion with "[]" characters.
#
# NOTE 2: use the cidr lookup table type to specify
# NOTE: use the cidr lookup table type to specify
# network/netmask patterns. See cidr_table(5) for
# details.
#
@ -146,25 +142,20 @@
#
# net:work
#
# net Matches the specified IPv6 host address or subnet-
# work. An IPv6 host address is a sequence of three
# to eight hexadecimal octet pairs separated by ":".
# net Matches a remote IPv6 host address or network
# address range. Specify three to eight hexadecimal
# octet pairs separated by ":", using the compressed
# form "::" for a sequence of zero-valued octet
# pairs. Do not specify "[]", "/", leading zeros, or
# non-compressed forms.
#
# Subnetworks are matched by repeatedly truncating
# the last ":octetpair" from the remote IPv6 host
# address string until a match is found in the access
# table, or until further truncation is not possible.
# A network range is matched by repeatedly truncating
# the last ":octetpair" from the compressed-form
# remote IPv6 host address string, until a match is
# found in the access table, or until further trunca-
# tion is not possible.
#
# NOTE 1: the truncation and comparison are done with
# the string representation of the IPv6 host address.
# Thus, not all the ":" subnetworks will be tried.
#
# NOTE 2: The access map lookup key must be in canon-
# ical form: do not specify unnecessary null charac-
# ters, and do not enclose network address informa-
# tion with "[]" characters.
#
# NOTE 3: use the cidr lookup table type to specify
# NOTE: use the cidr lookup table type to specify
# network/netmask patterns. See cidr_table(5) for
# details.
#


@ -114,21 +114,17 @@ ACCESS(5) ACCESS(5)
<i>net.work</i>
<i>net</i> Matches the specified IPv4 host address or subnetwork. An IPv4
host address is a sequence of four decimal octets separated by
".".
<i>net</i> Matches a remote IPv4 host address or network address range.
Specify one to four decimal octets separated by ".". Do not
specify "[]" , "/", leading zeros, or hexadecimal forms.
Subnetworks are matched by repeatedly truncating the last
".octet" from the remote IPv4 host address string until a match
Network ranges are matched by repeatedly truncating the last
".octet" from a remote IPv4 host address string, until a match
is found in the access table, or until further truncation is not
possible.
NOTE 1: The access map lookup key must be in canonical form: do
not specify unnecessary null characters, and do not enclose net-
work address information with "[]" characters.
NOTE 2: use the <b>cidr</b> lookup table type to specify network/net-
mask patterns. See <a href="cidr_table.5.html"><b>cidr_table</b>(5)</a> for details.
NOTE: use the <b>cidr</b> lookup table type to specify network/netmask
patterns. See <a href="cidr_table.5.html"><b>cidr_table</b>(5)</a> for details.
<i>net:work:addr:ess</i>
@ -136,25 +132,19 @@ ACCESS(5) ACCESS(5)
<i>net:work</i>
<i>net</i> Matches the specified IPv6 host address or subnetwork. An IPv6
host address is a sequence of three to eight hexadecimal octet
pairs separated by ":".
<i>net</i> Matches a remote IPv6 host address or network address range.
Specify three to eight hexadecimal octet pairs separated by ":",
using the compressed form "::" for a sequence of zero-valued
octet pairs. Do not specify "[]", "/", leading zeros, or
non-compressed forms.
Subnetworks are matched by repeatedly truncating the last
":octetpair" from the remote IPv6 host address string until a
match is found in the access table, or until further truncation
is not possible.
A network range is matched by repeatedly truncating the last
":octetpair" from the compressed-form remote IPv6 host address
string, until a match is found in the access table, or until
further truncation is not possible.
NOTE 1: the truncation and comparison are done with the string
representation of the IPv6 host address. Thus, not all the ":"
subnetworks will be tried.
NOTE 2: The access map lookup key must be in canonical form: do
not specify unnecessary null characters, and do not enclose net-
work address information with "[]" characters.
NOTE 3: use the <b>cidr</b> lookup table type to specify network/net-
mask patterns. See <a href="cidr_table.5.html"><b>cidr_table</b>(5)</a> for details.
NOTE: use the <b>cidr</b> lookup table type to specify network/netmask
patterns. See <a href="cidr_table.5.html"><b>cidr_table</b>(5)</a> for details.
IPv6 support is available in Postfix 2.2 and later.


@ -121,43 +121,33 @@ string \fBsmtpd_access_maps\fR is not listed in the Postfix
.IP \fInet.work.addr\fR
.IP \fInet.work\fR
.IP \fInet\fR
Matches the specified IPv4 host address or subnetwork. An
IPv4 host address is a sequence of four decimal octets
separated by ".".
Matches a remote IPv4 host address or network address range.
Specify one to four decimal octets separated by ".". Do not
specify "[]" , "/", leading zeros, or hexadecimal forms.
Subnetworks are matched by repeatedly truncating the last
".octet" from the remote IPv4 host address string until a
Network ranges are matched by repeatedly truncating the last
".octet" from a remote IPv4 host address string, until a
match is found in the access table, or until further
truncation is not possible.
NOTE 1: The access map lookup key must be in canonical form:
do not specify unnecessary null characters, and do not
enclose network address information with "[]" characters.
NOTE 2: use the \fBcidr\fR lookup table type to specify
NOTE: use the \fBcidr\fR lookup table type to specify
network/netmask patterns. See \fBcidr_table\fR(5) for details.
.IP \fInet:work:addr:ess\fR
.IP \fInet:work:addr\fR
.IP \fInet:work\fR
.IP \fInet\fR
Matches the specified IPv6 host address or subnetwork. An
IPv6 host address is a sequence of three to eight hexadecimal
octet pairs separated by ":".
Matches a remote IPv6 host address or network address range.
Specify three to eight hexadecimal octet pairs separated
by ":", using the compressed form "::" for a sequence of
zero\-valued octet pairs. Do not specify "[]", "/", leading
zeros, or non\-compressed forms.
Subnetworks are matched by repeatedly truncating the last
":octetpair" from the remote IPv6 host address string until
a match is found in the access table, or until further
truncation is not possible.
A network range is matched by repeatedly truncating the
last ":octetpair" from the compressed\-form remote IPv6 host
address string, until a match is found in the access table,
or until further truncation is not possible.
NOTE 1: the truncation and comparison are done with the
string representation of the IPv6 host address. Thus, not
all the ":" subnetworks will be tried.
NOTE 2: The access map lookup key must be in canonical form:
do not specify unnecessary null characters, and do not
enclose network address information with "[]" characters.
NOTE 3: use the \fBcidr\fR lookup table type to specify
NOTE: use the \fBcidr\fR lookup table type to specify
network/netmask patterns. See \fBcidr_table\fR(5) for details.
IPv6 support is available in Postfix 2.2 and later.


@ -105,43 +105,33 @@
# .IP \fInet.work.addr\fR
# .IP \fInet.work\fR
# .IP \fInet\fR
# Matches the specified IPv4 host address or subnetwork. An
# IPv4 host address is a sequence of four decimal octets
# separated by ".".
# Matches a remote IPv4 host address or network address range.
# Specify one to four decimal octets separated by ".". Do not
# specify "[]" , "/", leading zeros, or hexadecimal forms.
#
# Subnetworks are matched by repeatedly truncating the last
# ".octet" from the remote IPv4 host address string until a
# Network ranges are matched by repeatedly truncating the last
# ".octet" from a remote IPv4 host address string, until a
# match is found in the access table, or until further
# truncation is not possible.
#
# NOTE 1: The access map lookup key must be in canonical form:
# do not specify unnecessary null characters, and do not
# enclose network address information with "[]" characters.
#
# NOTE 2: use the \fBcidr\fR lookup table type to specify
# NOTE: use the \fBcidr\fR lookup table type to specify
# network/netmask patterns. See \fBcidr_table\fR(5) for details.
# .IP \fInet:work:addr:ess\fR
# .IP \fInet:work:addr\fR
# .IP \fInet:work\fR
# .IP \fInet\fR
# Matches the specified IPv6 host address or subnetwork. An
# IPv6 host address is a sequence of three to eight hexadecimal
# octet pairs separated by ":".
# Matches a remote IPv6 host address or network address range.
# Specify three to eight hexadecimal octet pairs separated
# by ":", using the compressed form "::" for a sequence of
# zero-valued octet pairs. Do not specify "[]", "/", leading
# zeros, or non-compressed forms.
#
# Subnetworks are matched by repeatedly truncating the last
# ":octetpair" from the remote IPv6 host address string until
# a match is found in the access table, or until further
# truncation is not possible.
# A network range is matched by repeatedly truncating the
# last ":octetpair" from the compressed-form remote IPv6 host
# address string, until a match is found in the access table,
# or until further truncation is not possible.
#
# NOTE 1: the truncation and comparison are done with the
# string representation of the IPv6 host address. Thus, not
# all the ":" subnetworks will be tried.
#
# NOTE 2: The access map lookup key must be in canonical form:
# do not specify unnecessary null characters, and do not
# enclose network address information with "[]" characters.
#
# NOTE 3: use the \fBcidr\fR lookup table type to specify
# NOTE: use the \fBcidr\fR lookup table type to specify
# network/netmask patterns. See \fBcidr_table\fR(5) for details.
#
# IPv6 support is available in Postfix 2.2 and later.


@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
#define MAIL_RELEASE_DATE "20190724"
#define MAIL_RELEASE_DATE "20190908"
#define MAIL_VERSION_NUMBER "3.5"
#ifdef SNAPSHOT


@ -678,7 +678,8 @@ static int tlsp_eval_tls_error(TLSP_STATE *state, int err)
/*
* Allow buffered-up plaintext output to trickle out.
*/
if (state->plaintext_buf && NBBIO_WRITE_PEND(state->plaintext_buf))
if (state->plaintext_buf && !NBBIO_ERROR_FLAGS(state->plaintext_buf)
&& NBBIO_WRITE_PEND(state->plaintext_buf))
return (TLSP_STAT_OK);
tlsp_state_free(state);
return (TLSP_STAT_ERR);
@ -784,9 +785,8 @@ static void tlsp_strategy(TLSP_STATE *state)
if (NBBIO_ERROR_FLAGS(plaintext_buf)) {
if (NBBIO_ACTIVE_FLAGS(plaintext_buf))
nbbio_disable_readwrite(state->plaintext_buf);
ssl_stat = SSL_shutdown(tls_context->con);
/* XXX Wait for return value 1 if sessions are to be reused? */
if (ssl_stat < 0) {
if (!SSL_in_init(tls_context->con)
&& (ssl_stat = SSL_shutdown(tls_context->con)) < 0) {
handshake_err = SSL_get_error(tls_context->con, ssl_stat);
tlsp_eval_tls_error(state, handshake_err);
/* At this point, state could be a dangling pointer. */
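Review bot: With the rewritten condition on the two lines before `handshake_err = SSL_get_error(...)`, `ssl_stat` is no longer assigned when `SSL_in_init()` reports a handshake in progress; the remainder of tlsp_strategy is outside the hunk, so whether `ssl_stat` is read on that path cannot be confirmed here, but if it is, it would read a stale or unassigned value. The reason for skipping the shutdown appears only in the HISTORY entry, so a why-comment on the check would help the next reader, e.g. `/* Skip SSL_shutdown() while a handshake is in progress: newer OpenSSL reports SSL_ERROR_SSL there, which would route a non-error through tlsp_eval_tls_error(). */`. The first hunk of this file deserves the same treatment: the added `!NBBIO_ERROR_FLAGS(state->plaintext_buf)` test is what stops the loop described in the commit, and a comment such as `/* Never wait on pending output for a plaintext stream that already failed; it cannot drain. */` would record that.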


@ -124,12 +124,20 @@ int vstream_tweak_tcp(VSTREAM *fp)
* stream buffer size to less than VSTREAM_BUFSIZE, when the request is
* made before the first stream read or write operation. We don't want to
* reduce the buffer size.
*
* As of 20190820 we increase the mss size multipler from 2x to 4x, because
* some LINUX loopback TCP stacks report an MSS of 21845 which is 3x
* smaller than the MTU of 65536. Even with a VSTREAM buffer 2x the
* reported MSS size, performance would suck due to Nagle or delayed ACK
* delays.
*/
#define EFF_BUFFER_SIZE(fp) (vstream_req_bufsize(fp) ? \
vstream_req_bufsize(fp) : VSTREAM_BUFSIZE)
#ifdef CA_VSTREAM_CTL_BUFSIZE
if (mss > EFF_BUFFER_SIZE(fp) / 2) {
if (mss > EFF_BUFFER_SIZE(fp) / 4) {
if (mss < INT_MAX / 2)
mss *= 2;
if (mss < INT_MAX / 2)
mss *= 2;
vstream_control(fp,
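Review bot: The new comment block at the top of the hunk misspells "multiplier" as "multipler" on the line beginning `As of 20190820`; suggest `* As of 20190820 we increase the mss size multiplier from 2x to 4x, because`. Below `if (mss > EFF_BUFFER_SIZE(fp) / 4)`, the two identical overflow-guarded doublings read like a copy-paste slip at first glance; since the second guard deliberately re-checks `INT_MAX / 2` against the already-doubled value, a one-line comment such as `/* 4x in two steps, each step overflow-checked */` would make the intent explicit. The example figures in the comment (MSS 21845 vs. MTU 65536) differ from the 32741 quoted in the HISTORY entry for the same change; both may be genuine observations, but citing one consistently would avoid confusion. vstream_tweak_tcp continues past the end of the hunk.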


@ -584,10 +584,20 @@ static int xsasl_dovecot_handle_reply(XSASL_DOVECOT_SERVER *server,
if (xsasl_dovecot_parse_reply(server, &line) == 0) {
/* authentication successful */
xsasl_dovecot_parse_reply_args(server, line, reply, 1);
if (server->username == 0) {
msg_warn("missing Dovecot server %s username field", cmd);
vstring_strcpy(reply, "Authentication backend error");
return XSASL_AUTH_FAIL;
}
return XSASL_AUTH_DONE;
}
} else if (strcmp(cmd, "CONT") == 0) {
if (xsasl_dovecot_parse_reply(server, &line) == 0) {
if (line == 0) {
msg_warn("missing Dovecot server %s reply field", cmd);
vstring_strcpy(reply, "Authentication backend error");
return XSASL_AUTH_FAIL;
}
vstring_strcpy(reply, line);
return XSASL_AUTH_MORE;
}
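Review bot: In the OK branch, `line` is handed to `xsasl_dovecot_parse_reply_args(server, line, reply, 1)` without the null check that the CONT branch now performs right after its own `xsasl_dovecot_parse_reply()` call; parse_reply_args is not visible here, so if it does not itself tolerate a null `line`, the same malformed reply that motivated the CONT guard would reach it one statement earlier. Either a guard mirroring the CONT branch's `if (line == 0) { ... return XSASL_AUTH_FAIL; }` placed before the parse_reply_args call, or a comment stating that parse_reply_args accepts a null `line`, would document why the asymmetry is safe. Returning the generic "Authentication backend error" text to the SMTP client in both new failure paths is the right choice, as it does not expose details of the backend exchange. xsasl_dovecot_handle_reply starts before the hunk and continues past its end.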