mir/postfix
2
0
Fork 0
mirror of https://github.com/vdukhovni/postfix synced 2025-08-22 01:49:47 +00:00
Code Issues Releases Wiki Activity

postfix-2.11-20131104

Browse Source
This commit is contained in:
Wietse Venema 2013-11-04 00:00:00 -05:00 committed by Viktor Dukhovni
parent 78fe66320c
commit 1fa35743a5
20 changed files with 229 additions and 193 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
postfix/HISTORY
View File

@ -19035,19 +19035,36 @@ Apologies for any names omitted.
Documentation: added SASL_README example for check_sasl_access.
File: proto/SASL_README.html.
20131102
20131102-3
Security violation: by default, LMDB 0.9.9 writes fragments
of uninitialized heap memory to a world-readable database
file. This is a basic memory disclosure vulnerability:
memory content that a program does not intend to share ends
up in a world-readable file. The content of uninitialized
heap memory depends on program execution history. That
history includes code execution in other libraries that are
linked into the program. To work around this problem we
disable the use of malloc() in LMDB. However, that does not
address several disclosures of stack memory. File:
util/dict_lmdb.c.
Security violation: by default, LMDB 0.9.9 writes uninitialized
heap memory to a world-readable database file, as chunks
of up to 4096 bytes. This is a gross memory disclosure
vulnerability: memory content that a program does not intend
to share ends up in a world-readable file. The content of
uninitialized heap memory depends on program execution
history. That history includes code execution in other
libraries that are linked into the program.
Cleanup: expand TAB characters when generating HTML and
README files. Files: proto/Makefile.in.
This is a problem whenever the user who writes the database
file differs from the user who reads the database file. For
example, a privileged writer and an unprivileged reader.
In the case of Postfix, the postmap(1) and postalias(1)
commands would leak uninitialized heap memory, as chunks
of up to 4096 bytes, from a root-privileged process that
writes to a database file, to unprivileged processes that
read from that database file.
To work around this problem the postmap(1) and postalias(1)
commands disable the use of malloc() in LMDB. However, that
does not address several disclosures of stack memory. Other
Postfix databases do not need this workaround: those databases
are maintained by Postfix daemon processes, and are accessible
only by the postfix user. File: util/dict_lmdb.c.
20131102-3
Cleanup: expand TAB characters when generating documentation.
This was primarily an issue with non-HTML output, but it does
not hurt to do this also for HTML. Files: proto/Makefile.in,
proto/MULTI_INSTANCE_README.html.

6
postfix/README_FILES/ADDRESS_REWRITING_README
View File

@ -655,9 +655,9 @@ Example:
smtp_generic_maps = hash:/etc/postfix/generic
/etc/postfix/generic:
his@localdomain.local hisaccount@hisisp.example
her@localdomain.local heraccount@herisp.example
@localdomain.local hisaccount+local@hisisp.example
his@localdomain.local hisaccount@hisisp.example
her@localdomain.local heraccount@herisp.example
@localdomain.local hisaccount+local@hisisp.example
When mail is sent to a remote host via SMTP, this replaces
his@localdomain.local by his ISP mail address, replaces her@localdomain.local

4
postfix/README_FILES/BACKSCATTER_README
View File

@ -119,7 +119,7 @@ this:
endif
/^Message-ID:.* <!&!/ DUNNO
/^Message-ID:.*@(porcupine\.org)/
reject forged domain name in Message-ID: header: $1
reject forged domain name in Message-ID: header: $1
/etc/postfix/body_checks:
# Do not indent the patterns between "if" and "endif".
@ -134,7 +134,7 @@ this:
endif
/^[> ]*Message-ID:.* <!&!/ DUNNO
/^[> ]*Message-ID:.*@(porcupine\.org)/
reject forged domain name in Message-ID: header: $1
reject forged domain name in Message-ID: header: $1
Notes:

12
postfix/README_FILES/DATABASE_README
View File

@ -151,16 +151,16 @@ font.
# Note 1: commands are specified after a TAB character.
# Note 2: use postalias(1) for local aliases, postmap(1) for the rest.
aliases.db: aliases.in
postalias aliases.in
mv aliases.in.db aliases.db
postalias aliases.in
mv aliases.in.db aliases.db
access.db: access.in
postmap access.in
mv access.in.db access.db
postmap access.in
mv access.in.db access.db
virtual.db: virtual.in
postmap virtual.in
mv virtual.in.db virtual.db
postmap virtual.in
mv virtual.in.db virtual.db
...etcetera...
# vvii aacccceessss..iinn

24
postfix/README_FILES/MULTI_INSTANCE_README
View File

@ -157,13 +157,13 @@ submission null client:
# a template file. The build process expands the template into
# "mtaadmin+root=mta1"
#
root mtaadmin+root=mta1
root mtaadmin+root=mta1
/etc/postfix/virtual:
# Caretaker aliases:
#
root mtaadmin
postmaster root
root mtaadmin
postmaster root
You would typically also add a Makefile, to automatically run postmap(1)
commands when source files change. This Makefile also creates a "generic"
@ -175,13 +175,13 @@ database when none exists.
all: virtual.cdb generic.cdb
generic: Makefile
@echo Creating $@
@rm -f $@.tmp
@printf '%s\t%s+root=%s\n' root $MTAADMIN `uname -n` > $@.tmp
@mv $@.tmp generic
@echo Creating $@
@rm -f $@.tmp
@printf '%s\t%s+root=%s\n' root $MTAADMIN `uname -n` > $@.tmp
@mv $@.tmp generic
%.cdb: %
postmap cdb:$<
postmap cdb:$<
Construct the "virtual" and "generic" databases (the latter is created by
running "make"), then start and test the null-client:
@ -875,9 +875,9 @@ If you want to override the conventional values of the instance installation
parameters, specify their values on the command-line:
# postmulti [-I postfix-myinst] [-G mygroup] -e create \
"config_directory = /path/to/config_directory" \
"queue_directory = /path/to/queue_directory" \
"data_directory = /path/to/data_directory"
"config_directory = /path/to/config_directory" \
"queue_directory = /path/to/queue_directory" \
"data_directory = /path/to/data_directory"
A note on the --II and --GG options above. These are always used to assign a name
or group name to an instance, while the --ii and --gg options always select
@ -924,7 +924,7 @@ match this name if necessary):
Otherwise, you must specify the location of its configuration directory:
# postmulti [-I postfix-myinst] [-G mygroup] -e import \
"config_directory = /path/of/config_directory"
"config_directory = /path/of/config_directory"
When the instance is imported, you can assign a name or a group. As with
"create", you can control the placement of the new instance in the start order

6
postfix/README_FILES/RESTRICTION_CLASS_README
View File

@ -30,9 +30,9 @@ Example:
smtpd_recipient_restrictions =
permit_mynetworks
# reject_unauth_destination is not needed here if the mail
# relay policy is specified with smtpd_relay_restrictions
# (available with Postfix 2.10 and later).
# reject_unauth_destination is not needed here if the mail
# relay policy is specified with smtpd_relay_restrictions
# (available with Postfix 2.10 and later).
reject_unauth_destination
check_recipient_access hash:/etc/postfix/recipient_access
...

26
postfix/README_FILES/SASL_README
View File

@ -846,19 +846,19 @@ authenticated SMTP clients to send mail to remote destinations. Examples:
# preferably specified under smtpd_relay_restrictions.
/etc/postfix/main.cf:
smtpd_relay_restrictions =
permit_mynetworks
ppeerrmmiitt__ssaassll__aauutthheennttiiccaatteedd
reject_unauth_destination
permit_mynetworks
ppeerrmmiitt__ssaassll__aauutthheennttiiccaatteedd
reject_unauth_destination
# Older configurations combine relay control and spam control under
# smtpd_recipient_restrictions. To use this example with Postfix >=
# 2.10 specify "smtpd_relay_restrictions=".
/etc/postfix/main.cf:
smtpd_recipient_restrictions =
permit_mynetworks
ppeerrmmiitt__ssaassll__aauutthheennttiiccaatteedd
reject_unauth_destination
...other rules...
permit_mynetworks
ppeerrmmiitt__ssaassll__aauutthheennttiiccaatteedd
reject_unauth_destination
...other rules...
EEnnvveellooppee sseennddeerr aaddddrreessss aauutthhoorriizzaattiioonn
@ -878,7 +878,7 @@ authenticated client is allowed to use a particular envelope sender address:
smtpd_recipient_restrictions =
...
rreejjeecctt__sseennddeerr__llooggiinn__mmiissmmaattcchh
permit_sasl_authenticated
permit_sasl_authenticated
...
The controlled_envelope_senders table specifies the binding between a sender
@ -915,14 +915,14 @@ credentials have been compromised.
/etc/postfix/main.cf:
smtpd_recipient_restrictions =
permit_mynetworks
check_sasl_access hash:/etc/postfix/sasl_access
permit_sasl_authenticated
...
permit_mynetworks
check_sasl_access hash:/etc/postfix/sasl_access
permit_sasl_authenticated
...
/etc/postfix/sasl_access:
# Use this when smtpd_sasl_local_domain is empty.
username HOLD
username HOLD
# Use this when smtpd_sasl_local_domain=example.com.
username@example.com HOLD

8
postfix/README_FILES/SCHEDULER_README
View File

@ -594,10 +594,10 @@ The first approximation of the new scheduling algorithm is like this:
if transport process limit reached continue
foreach transport's job (in the order of the transport's job list)
do
foreach job's peer (round-robin-by-destination)
if peer->queue->concurrency < peer->queue->window
return next peer entry.
done
foreach job's peer (round-robin-by-destination)
if peer->queue->concurrency < peer->queue->window
return next peer entry.
done
done
done

6
postfix/README_FILES/TLS_README
View File

@ -1140,7 +1140,7 @@ the example above, we show two matching fingerprints:
smtp_tls_fingerprint_digest = md5
/etc/postfix/tls_policy:
example.com fingerprint
example.com fingerprint
match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
@ -1753,8 +1753,8 @@ Example:
[mail.example.org]:587 secure match=nexthop
# Postfix 2.5 and later
[thumb.example.org] fingerprint
match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
# Postfix 2.6 and later
example.info may protocols=!SSLv2 ciphers=medium
exclude=3DES

2
postfix/html/MULTI_INSTANCE_README.html
View File

@ -554,7 +554,7 @@ pre-filter input instance include: </p>
# Avoid splitting the envelope and scanning messages multiple times.
# Match the re-injection server's recipient limit.
#
<a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a> = 1000
<a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a> = 1000
# Tolerate occasional high latency in the content filter.
#

2
postfix/proto/MULTI_INSTANCE_README.html
View File

@ -554,7 +554,7 @@ pre-filter input instance include: </p>
# Avoid splitting the envelope and scanning messages multiple times.
# Match the re-injection server's recipient limit.
#
smtp_destination_recipient_limit = 1000
smtp_destination_recipient_limit = 1000
# Tolerate occasional high latency in the content filter.
#

216
postfix/proto/Makefile.in
View File

@ -139,328 +139,328 @@ clobber:
$(SRCTOMAN) - $? | $(AWK) | nroff -man | col -bx | uniq | sed 's/^/# /' >$@
../html/ADDRESS_CLASS_README.html: ADDRESS_CLASS_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/ADDRESS_REWRITING_README.html: ADDRESS_REWRITING_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/ADDRESS_VERIFICATION_README.html: ADDRESS_VERIFICATION_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/BACKSCATTER_README.html: BACKSCATTER_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/CDB_README.html: CDB_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/CONNECTION_CACHE_README.html: CONNECTION_CACHE_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/CONTENT_INSPECTION_README.html: CONTENT_INSPECTION_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/CYRUS_README.html: CYRUS_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/BASIC_CONFIGURATION_README.html: BASIC_CONFIGURATION_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/BUILTIN_FILTER_README.html: BUILTIN_FILTER_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/DATABASE_README.html: DATABASE_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/DB_README.html: DB_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/DEBUG_README.html: DEBUG_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/DSN_README.html: DSN_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/ETRN_README.html: ETRN_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/FILTER_README.html: FILTER_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/INSTALL.html: INSTALL.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/IPV6_README.html: IPV6_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/LDAP_README.html: LDAP_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/LINUX_README.html: LINUX_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/LOCAL_RECIPIENT_README.html: LOCAL_RECIPIENT_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/MAILDROP_README.html: MAILDROP_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/LMDB_README.html: LMDB_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/MEMCACHE_README.html: MEMCACHE_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/MILTER_README.html: MILTER_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/MULTI_INSTANCE_README.html: MULTI_INSTANCE_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/MYSQL_README.html: MYSQL_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/NFS_README.html: NFS_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/OVERVIEW.html: OVERVIEW.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/PACKAGE_README.html: PACKAGE_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/PCRE_README.html: PCRE_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/PGSQL_README.html: PGSQL_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/POSTSCREEN_README.html: POSTSCREEN_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/QMQP_README.html: QMQP_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/QSHAPE_README.html: QSHAPE_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/RESTRICTION_CLASS_README.html: RESTRICTION_CLASS_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/SASL_README.html: SASL_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/SCHEDULER_README.html: SCHEDULER_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/SMTPD_ACCESS_README.html: SMTPD_ACCESS_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/SMTPD_POLICY_README.html: SMTPD_POLICY_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/SMTPD_PROXY_README.html: SMTPD_PROXY_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/SOHO_README.html: $(MAKESOHO) $(DEPSOHO)
$(MAKESOHO) | $(POSTLINK) | $(DETAB) >$@
../html/SQLITE_README.html: SQLITE_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/STANDARD_CONFIGURATION_README.html: STANDARD_CONFIGURATION_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/STRESS_README.html: STRESS_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/TUNING_README.html: TUNING_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/UUCP_README.html: UUCP_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/ULTRIX_README.html: ULTRIX_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/VERP_README.html: VERP_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/VIRTUAL_README.html: VIRTUAL_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/XCLIENT_README.html: XCLIENT_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/XFORWARD_README.html: XFORWARD_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/TLS_README.html: TLS_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../html/TLS_LEGACY_README.html: TLS_LEGACY_README.html
$(POSTLINK) $? | $(DETAB) >$@
$(DETAB) $? | $(POSTLINK) >$@
../README_FILES/ADDRESS_CLASS_README: ADDRESS_CLASS_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/ADDRESS_REWRITING_README: ADDRESS_REWRITING_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/ADDRESS_VERIFICATION_README: ADDRESS_VERIFICATION_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/BACKSCATTER_README: BACKSCATTER_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/BASIC_CONFIGURATION_README: BASIC_CONFIGURATION_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/BUILTIN_FILTER_README: BUILTIN_FILTER_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/CDB_README: CDB_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/CONNECTION_CACHE_README: CONNECTION_CACHE_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/CONTENT_INSPECTION_README: CONTENT_INSPECTION_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/CYRUS_README: CYRUS_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/DATABASE_README: DATABASE_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/DB_README: DB_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/DEBUG_README: DEBUG_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/DSN_README: DSN_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/ETRN_README: ETRN_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/FILTER_README: FILTER_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/INSTALL: INSTALL.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/IPV6_README: IPV6_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/LDAP_README: LDAP_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/LINUX_README: LINUX_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/LOCAL_RECIPIENT_README: LOCAL_RECIPIENT_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/MAILDROP_README: MAILDROP_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/LMDB_README: LMDB_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/MEMCACHE_README: MEMCACHE_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/MILTER_README: MILTER_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/MULTI_INSTANCE_README: MULTI_INSTANCE_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/MYSQL_README: MYSQL_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/NFS_README: NFS_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/OVERVIEW: OVERVIEW.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/PACKAGE_README: PACKAGE_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/PCRE_README: PCRE_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/PGSQL_README: PGSQL_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/POSTSCREEN_README: POSTSCREEN_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/QMQP_README: QMQP_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/QSHAPE_README: QSHAPE_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/RESTRICTION_CLASS_README: RESTRICTION_CLASS_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/SASL_README: SASL_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/SCHEDULER_README: SCHEDULER_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/SMTPD_ACCESS_README: SMTPD_ACCESS_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/SMTPD_POLICY_README: SMTPD_POLICY_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/SMTPD_PROXY_README: SMTPD_PROXY_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/SOHO_README: $(MAKESOHO) $(DEPSOHO)
$(MAKESOHO) | $(HT2READ) | $(DETAB) >$@
../README_FILES/SQLITE_README: SQLITE_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/STANDARD_CONFIGURATION_README: STANDARD_CONFIGURATION_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/STRESS_README: STRESS_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/TUNING_README: TUNING_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/UUCP_README: UUCP_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/ULTRIX_README: ULTRIX_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/VERP_README: VERP_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/VIRTUAL_README: VIRTUAL_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/XCLIENT_README: XCLIENT_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/XFORWARD_README: XFORWARD_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/TLS_README: TLS_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/TLS_LEGACY_README: TLS_LEGACY_README.html
$(HT2READ) $? | $(DETAB) >$@
$(DETAB) $? | $(HT2READ) >$@
../README_FILES/AAAREADME: ../html/index.html $(MAKEAAA)
$(MAKEAAA) ../html/index.html | $(HT2READ) | $(DETAB) >$@
@ -468,8 +468,8 @@ clobber:
../man/man5/postconf.5: postconf.man.prolog postconf.proto postconf.man.epilog \
../mantools/xpostconf ../mantools/postconf2html ../mantools/postconf2man
(cat postconf.man.prolog; ../mantools/xpostconf postconf.proto | \
../mantools/postconf2html | ../mantools/postconf2man | \
sed 's/\\e&/\\\&/'; cat postconf.man.epilog ) | $(DETAB) > $@
$(DETAB) | ../mantools/postconf2html | ../mantools/postconf2man | \
sed 's/\\e&/\\\&/'; cat postconf.man.epilog ) > $@
../html/postconf.5.html: postconf.html.prolog postconf.proto \
postconf.html.epilog ../mantools/xpostconf ../mantools/postconf2html \

2
postfix/src/global/mail_version.h
View File

@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
#define MAIL_RELEASE_DATE "20131103"
#define MAIL_RELEASE_DATE "20131104"
#define MAIL_VERSION_NUMBER "2.11"
#ifdef SNAPSHOT

1
postfix/src/postalias/postalias.c
View File

@ -290,6 +290,7 @@ static void postalias(char *map_type, char *path_name, int postalias_flags,
if ((source_fp = vstream_fopen(path_name, O_RDONLY, 0)) == 0)
msg_fatal("open %s: %m", path_name);
}
dict_flags |= DICT_FLAG_WORLD_READ;
if (fstat(vstream_fileno(source_fp), &st) < 0)
msg_fatal("fstat %s: %m", path_name);

1
postfix/src/postmap/postmap.c
View File

@ -353,6 +353,7 @@ static void postmap(char *map_type, char *path_name, int postmap_flags,
if ((source_fp = vstream_fopen(path_name, O_RDONLY, 0)) == 0)
msg_fatal("open %s: %m", path_name);
}
dict_flags |= DICT_FLAG_WORLD_READ;
if (fstat(vstream_fileno(source_fp), &st) < 0)
msg_fatal("fstat %s: %m", path_name);

1
postfix/src/util/dict.c
View File

@ -590,6 +590,7 @@ static const NAME_MASK dict_mask[] = {
"fold_mul", DICT_FLAG_FOLD_MUL, /* case-fold with multi-case key map */
"open_lock", DICT_FLAG_OPEN_LOCK, /* permanent lock upon open */
"bulk_update", DICT_FLAG_BULK_UPDATE, /* bulk update if supported */
"world_read", DICT_FLAG_WORLD_READ, /* assume writer != reader */
0,
};

1
postfix/src/util/dict.h
View File

@ -96,6 +96,7 @@ extern DICT *dict_debug(DICT *);
#define DICT_FLAG_FOLD_ANY (DICT_FLAG_FOLD_FIX | DICT_FLAG_FOLD_MUL)
#define DICT_FLAG_OPEN_LOCK (1<<16) /* perm lock if not multi-writer safe */
#define DICT_FLAG_BULK_UPDATE (1<<17) /* optimize for bulk updates */
#define DICT_FLAG_WORLD_READ (1<<18) /* assume writer != reader */
/* IMPORTANT: Update the dict_mask[] table when the above changes */

50
postfix/src/util/dict_lmdb.c
View File

@ -551,35 +551,45 @@ DICT *dict_lmdb_open(const char *path, int open_flags, int dict_flags)
mdb_path = concatenate(path, "." DICT_TYPE_LMDB, (char *) 0);
/*
* Security violation.
*
* By default, LMDB 0.9.9 writes uninitialized heap memory to a
* world-readable database file. This is a basic memory disclosure
* vulnerability: memory content that a program does not intend to share
* ends up in a world-readable file. The content of uninitialized heap
* memory depends on program execution history. That history includes
* code execution in other libraries that are linked into the program.
*
* As a workaround we turn on MDB_WRITEMAP which disables the use of
* malloc() in LMDB. However, that does not address several disclosures
* of stack memory.
* Impedance adapters.
*/
mdb_flags = MDB_NOSUBDIR | MDB_NOLOCK;
if (open_flags == O_RDONLY)
mdb_flags |= MDB_RDONLY;
/*
* Replace with MDB_VERSION_FULL < MDB_VERINT(X, Y, Z) after this is
* fixed up-stream.
*/
#if 1
mdb_flags |= MDB_WRITEMAP;
#endif
slmdb_flags = 0;
if (dict_flags & DICT_FLAG_BULK_UPDATE)
slmdb_flags |= SLMDB_FLAG_BULK;
/*
* Security violation.
*
* By default, LMDB 0.9.9 writes uninitialized heap memory to a
* world-readable database file, as chunks of up to 4096 bytes. This is a
* gross memory disclosure vulnerability: memory content that a program
* does not intend to share ends up in a world-readable file. The content
* of uninitialized heap memory depends on program execution history.
* That history includes code execution in other libraries that are
* linked into the program.
*
* This is a problem whenever the user who writes the database file differs
* from the user who reads the database file. For example, a privileged
* writer and an unprivileged reader. In the case of Postfix, the
* postmap(1) and postalias(1) commands would leak uninitialized heap
* memory, as chunks of up to 4096 bytes, from a root-privileged process
* that writes to a database file, to unprivileged processes that read
* from that database file.
*
* As a workaround the postmap(1) and postalias(1) commands turn on
* MDB_WRITEMAP which disables the use of malloc() in LMDB. However, that
* does not address several disclosures of stack memory. Other Postfix
* databases do not need this workaround: those databases are maintained
* by Postfix daemon processes, and are accessible only by the postfix
* user.
*/
if (dict_flags & DICT_FLAG_WORLD_READ)
mdb_flags |= MDB_WRITEMAP;
/*
* Gracefully handle most database open errors.
*/

3
postfix/src/util/dict_open.c
View File

@ -126,6 +126,9 @@
/* Enable preliminary code for bulk-mode database updates.
/* The caller must create an exception handler with dict_jmp_alloc()
/* and must trap exceptions from the database client with dict_setjmp().
/* .IP DICT_FLAG_WORLD_READ
/* Assume that the database file will be read by users other
/* than the writer.
/* .IP DICT_FLAG_DEBUG
/* Enable additional logging.
/* .PP

6
postfix/src/util/slmdb.c
View File

@ -295,9 +295,11 @@ static int slmdb_recover(SLMDB *slmdb, int status)
MDB_envinfo info;
/*
* Limit the number of recovery attempts per slmdb(3) API request.
* Recover bulk transactions only if they can be restarted. Limit
* the number of recovery attempts per slmdb(3) API request.
*/
if ((slmdb->api_retry_count += 1) >= slmdb->api_retry_limit)
if ((slmdb->txn != 0 && slmdb->longjmp_fn == 0)
|| ((slmdb->api_retry_count += 1) >= slmdb->api_retry_limit))
return (status);
/*