diff --git a/postfix/HISTORY b/postfix/HISTORY
index c4ad5ede7..435f5c65a 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -19035,19 +19035,36 @@ Apologies for any names omitted. Documentation: added SASL_README example for check_sasl_access. File: proto/SASL_README.html. -20131102 +20131102-3 - Security violation: by default, LMDB 0.9.9 writes fragments - of uninitialized heap memory to a world-readable database - file. This is a basic memory disclosure vulnerability: - memory content that a program does not intend to share ends - up in a world-readable file. The content of uninitialized - heap memory depends on program execution history. That - history includes code execution in other libraries that are - linked into the program. To work around this problem we - disable the use of malloc() in LMDB. However, that does not - address several disclosures of stack memory. File: - util/dict_lmdb.c. + Security violation: by default, LMDB 0.9.9 writes uninitialized + heap memory to a world-readable database file, as chunks + of up to 4096 bytes. This is a gross memory disclosure + vulnerability: memory content that a program does not intend + to share ends up in a world-readable file. The content of + uninitialized heap memory depends on program execution + history. That history includes code execution in other + libraries that are linked into the program. - Cleanup: expand TAB characters when generating HTML and - README files. Files: proto/Makefile.in. + This is a problem whenever the user who writes the database + file differs from the user who reads the database file. For + example, a privileged writer and an unprivileged reader. + In the case of Postfix, the postmap(1) and postalias(1) + commands would leak uninitialized heap memory, as chunks + of up to 4096 bytes, from a root-privileged process that + writes to a database file, to unprivileged processes that + read from that database file. + + To work around this problem the postmap(1) and postalias(1) + commands disable the use of malloc() in LMDB. However, that + does not address several disclosures of stack memory. 
Other + Postfix databases do not need this workaround: those databases + are maintained by Postfix daemon processes, and are accessible + only by the postfix user. File: util/dict_lmdb.c. + +20131102-3 + + Cleanup: expand TAB characters when generating documentation. + This was primarily an issue with non-HTML output, but it does + not hurt to do this also for HTML. Files: proto/Makefile.in, + proto/MULTI_INSTANCE_README.html. diff --git a/postfix/README_FILES/ADDRESS_REWRITING_README b/postfix/README_FILES/ADDRESS_REWRITING_README index abd4d6a44..e1fcdee46 100644 --- a/postfix/README_FILES/ADDRESS_REWRITING_README +++ b/postfix/README_FILES/ADDRESS_REWRITING_README @@ -655,9 +655,9 @@ Example: smtp_generic_maps = hash:/etc/postfix/generic /etc/postfix/generic: - his@localdomain.local hisaccount@hisisp.example - her@localdomain.local heraccount@herisp.example - @localdomain.local hisaccount+local@hisisp.example + his@localdomain.local hisaccount@hisisp.example + her@localdomain.local heraccount@herisp.example + @localdomain.local hisaccount+local@hisisp.example When mail is sent to a remote host via SMTP, this replaces his@localdomain.local by his ISP mail address, replaces her@localdomain.local diff --git a/postfix/README_FILES/BACKSCATTER_README b/postfix/README_FILES/BACKSCATTER_README index 12f50a234..2870d11f8 100644 --- a/postfix/README_FILES/BACKSCATTER_README +++ b/postfix/README_FILES/BACKSCATTER_README @@ -119,7 +119,7 @@ this: endif /^Message-ID:.* ]*Message-ID:.* ]*Message-ID:.*@(porcupine\.org)/ - reject forged domain name in Message-ID: header: $1 + reject forged domain name in Message-ID: header: $1 Notes: diff --git a/postfix/README_FILES/DATABASE_README b/postfix/README_FILES/DATABASE_README index 0ba1778f1..629135c63 100644 --- a/postfix/README_FILES/DATABASE_README +++ b/postfix/README_FILES/DATABASE_README 
@@ -151,16 +151,16 @@ font. # Note 1: commands are specified after a TAB character. # Note 2: use postalias(1) for local aliases, postmap(1) for the rest. aliases.db: aliases.in - postalias aliases.in - mv aliases.in.db aliases.db + postalias aliases.in + mv aliases.in.db aliases.db access.db: access.in - postmap access.in - mv access.in.db access.db + postmap access.in + mv access.in.db access.db virtual.db: virtual.in - postmap virtual.in - mv virtual.in.db virtual.db + postmap virtual.in + mv virtual.in.db virtual.db ...etcetera... # vvii aacccceessss..iinn diff --git a/postfix/README_FILES/MULTI_INSTANCE_README b/postfix/README_FILES/MULTI_INSTANCE_README index 9d2c82e77..6e2fb48c5 100644 --- a/postfix/README_FILES/MULTI_INSTANCE_README +++ b/postfix/README_FILES/MULTI_INSTANCE_README @@ -157,13 +157,13 @@ submission null client: # a template file. The build process expands the template into # "mtaadmin+root=mta1" # - root mtaadmin+root=mta1 + root mtaadmin+root=mta1 /etc/postfix/virtual: # Caretaker aliases: # - root mtaadmin - postmaster root + root mtaadmin + postmaster root You would typically also add a Makefile, to automatically run postmap(1) commands when source files change. This Makefile also creates a "generic" @@ -175,13 +175,13 @@ database when none exists. all: virtual.cdb generic.cdb generic: Makefile - @echo Creating $@ - @rm -f $@.tmp - @printf '%s\t%s+root=%s\n' root $MTAADMIN `uname -n` > $@.tmp - @mv $@.tmp generic + @echo Creating $@ + @rm -f $@.tmp + @printf '%s\t%s+root=%s\n' root $MTAADMIN `uname -n` > $@.tmp + @mv $@.tmp generic %.cdb: % - postmap cdb:$< + postmap cdb:$< Construct the "virtual" and "generic" databases (the latter is created by running "make"), then start and test the null-client: 
@@ -875,9 +875,9 @@ If you want to override the conventional values of the instance installation parameters, specify their values on the command-line: # postmulti [-I postfix-myinst] [-G mygroup] -e create \ - "config_directory = /path/to/config_directory" \ - "queue_directory = /path/to/queue_directory" \ - "data_directory = /path/to/data_directory" + "config_directory = /path/to/config_directory" \ + "queue_directory = /path/to/queue_directory" \ + "data_directory = /path/to/data_directory" A note on the --II and --GG options above. These are always used to assign a name or group name to an instance, while the --ii and --gg options always select @@ -924,7 +924,7 @@ match this name if necessary): Otherwise, you must specify the location of its configuration directory: # postmulti [-I postfix-myinst] [-G mygroup] -e import \ - "config_directory = /path/of/config_directory" + "config_directory = /path/of/config_directory" When the instance is imported, you can assign a name or a group. As with "create", you can control the placement of the new instance in the start order diff --git a/postfix/README_FILES/RESTRICTION_CLASS_README b/postfix/README_FILES/RESTRICTION_CLASS_README index f4fbe8fa7..9c78684f0 100644 --- a/postfix/README_FILES/RESTRICTION_CLASS_README +++ b/postfix/README_FILES/RESTRICTION_CLASS_README @@ -30,9 +30,9 @@ Example: smtpd_recipient_restrictions = permit_mynetworks - # reject_unauth_destination is not needed here if the mail - # relay policy is specified with smtpd_relay_restrictions - # (available with Postfix 2.10 and later). + # reject_unauth_destination is not needed here if the mail + # relay policy is specified with smtpd_relay_restrictions + # (available with Postfix 2.10 and later). reject_unauth_destination check_recipient_access hash:/etc/postfix/recipient_access ... diff --git a/postfix/README_FILES/SASL_README b/postfix/README_FILES/SASL_README index 59489414c..66b9b415d 100644 --- a/postfix/README_FILES/SASL_README 
+++ b/postfix/README_FILES/SASL_README @@ -846,19 +846,19 @@ authenticated SMTP clients to send mail to remote destinations. Examples: # preferably specified under smtpd_relay_restrictions. /etc/postfix/main.cf: smtpd_relay_restrictions = - permit_mynetworks - ppeerrmmiitt__ssaassll__aauutthheennttiiccaatteedd - reject_unauth_destination + permit_mynetworks + ppeerrmmiitt__ssaassll__aauutthheennttiiccaatteedd + reject_unauth_destination # Older configurations combine relay control and spam control under # smtpd_recipient_restrictions. To use this example with Postfix >= # 2.10 specify "smtpd_relay_restrictions=". /etc/postfix/main.cf: smtpd_recipient_restrictions = - permit_mynetworks - ppeerrmmiitt__ssaassll__aauutthheennttiiccaatteedd - reject_unauth_destination - ...other rules... + permit_mynetworks + ppeerrmmiitt__ssaassll__aauutthheennttiiccaatteedd + reject_unauth_destination + ...other rules... EEnnvveellooppee sseennddeerr aaddddrreessss aauutthhoorriizzaattiioonn @@ -878,7 +878,7 @@ authenticated client is allowed to use a particular envelope sender address: smtpd_recipient_restrictions = ... rreejjeecctt__sseennddeerr__llooggiinn__mmiissmmaattcchh - permit_sasl_authenticated + permit_sasl_authenticated ... The controlled_envelope_senders table specifies the binding between a sender @@ -915,14 +915,14 @@ credentials have been compromised. /etc/postfix/main.cf: smtpd_recipient_restrictions = - permit_mynetworks - check_sasl_access hash:/etc/postfix/sasl_access - permit_sasl_authenticated - ... + permit_mynetworks + check_sasl_access hash:/etc/postfix/sasl_access + permit_sasl_authenticated + ... /etc/postfix/sasl_access: # Use this when smtpd_sasl_local_domain is empty. - username HOLD + username HOLD # Use this when smtpd_sasl_local_domain=example.com. username@example.com HOLD diff --git a/postfix/README_FILES/SCHEDULER_README b/postfix/README_FILES/SCHEDULER_README index 3223d2ada..a6f7702ff 100644 --- a/postfix/README_FILES/SCHEDULER_README 
+++ b/postfix/README_FILES/SCHEDULER_README @@ -594,10 +594,10 @@ The first approximation of the new scheduling algorithm is like this: if transport process limit reached continue foreach transport's job (in the order of the transport's job list) do - foreach job's peer (round-robin-by-destination) - if peer->queue->concurrency < peer->queue->window - return next peer entry. - done + foreach job's peer (round-robin-by-destination) + if peer->queue->concurrency < peer->queue->window + return next peer entry. + done done done diff --git a/postfix/README_FILES/TLS_README b/postfix/README_FILES/TLS_README index 93ea07b42..4728a624d 100644 --- a/postfix/README_FILES/TLS_README +++ b/postfix/README_FILES/TLS_README @@ -1140,7 +1140,7 @@ the example above, we show two matching fingerprints: smtp_tls_fingerprint_digest = md5 /etc/postfix/tls_policy: - example.com fingerprint + example.com fingerprint match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1 match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35 @@ -1753,8 +1753,8 @@ Example: [mail.example.org]:587 secure match=nexthop # Postfix 2.5 and later [thumb.example.org] fingerprint - match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35 - match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1 + match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35 + match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1 # Postfix 2.6 and later example.info may protocols=!SSLv2 ciphers=medium exclude=3DES diff --git a/postfix/html/MULTI_INSTANCE_README.html b/postfix/html/MULTI_INSTANCE_README.html index 2444e1dd9..6aca5f53d 100644 --- a/postfix/html/MULTI_INSTANCE_README.html +++ b/postfix/html/MULTI_INSTANCE_README.html @@ -554,7 +554,7 @@ pre-filter input instance include:
# Avoid splitting the envelope and scanning messages multiple times. # Match the re-injection server's recipient limit. # - smtp_destination_recipient_limit = 1000 + smtp_destination_recipient_limit = 1000 # Tolerate occasional high latency in the content filter. # diff --git a/postfix/proto/MULTI_INSTANCE_README.html b/postfix/proto/MULTI_INSTANCE_README.html index 2b72d1b45..59bb4fbd9 100644 --- a/postfix/proto/MULTI_INSTANCE_README.html +++ b/postfix/proto/MULTI_INSTANCE_README.html @@ -554,7 +554,7 @@ pre-filter input instance include: # Avoid splitting the envelope and scanning messages multiple times. # Match the re-injection server's recipient limit. # - smtp_destination_recipient_limit = 1000 + smtp_destination_recipient_limit = 1000 # Tolerate occasional high latency in the content filter. # diff --git a/postfix/proto/Makefile.in b/postfix/proto/Makefile.in index adfcf2591..3c039ab5d 100644 --- a/postfix/proto/Makefile.in +++ b/postfix/proto/Makefile.in 
@@ -139,328 +139,328 @@ clobber: $(SRCTOMAN) - $? | $(AWK) | nroff -man | col -bx | uniq | sed 's/^/# /' >$@ ../html/ADDRESS_CLASS_README.html: ADDRESS_CLASS_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/ADDRESS_REWRITING_README.html: ADDRESS_REWRITING_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/ADDRESS_VERIFICATION_README.html: ADDRESS_VERIFICATION_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/BACKSCATTER_README.html: BACKSCATTER_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/CDB_README.html: CDB_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/CONNECTION_CACHE_README.html: CONNECTION_CACHE_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/CONTENT_INSPECTION_README.html: CONTENT_INSPECTION_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/CYRUS_README.html: CYRUS_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/BASIC_CONFIGURATION_README.html: BASIC_CONFIGURATION_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/BUILTIN_FILTER_README.html: BUILTIN_FILTER_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/DATABASE_README.html: DATABASE_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/DB_README.html: DB_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/DEBUG_README.html: DEBUG_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/DSN_README.html: DSN_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/ETRN_README.html: ETRN_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/FILTER_README.html: FILTER_README.html - $(POSTLINK) $? 
| $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/INSTALL.html: INSTALL.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/IPV6_README.html: IPV6_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/LDAP_README.html: LDAP_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/LINUX_README.html: LINUX_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/LOCAL_RECIPIENT_README.html: LOCAL_RECIPIENT_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/MAILDROP_README.html: MAILDROP_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/LMDB_README.html: LMDB_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/MEMCACHE_README.html: MEMCACHE_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/MILTER_README.html: MILTER_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/MULTI_INSTANCE_README.html: MULTI_INSTANCE_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/MYSQL_README.html: MYSQL_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/NFS_README.html: NFS_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/OVERVIEW.html: OVERVIEW.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/PACKAGE_README.html: PACKAGE_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/PCRE_README.html: PCRE_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/PGSQL_README.html: PGSQL_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/POSTSCREEN_README.html: POSTSCREEN_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/QMQP_README.html: QMQP_README.html - $(POSTLINK) $? 
| $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/QSHAPE_README.html: QSHAPE_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/RESTRICTION_CLASS_README.html: RESTRICTION_CLASS_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/SASL_README.html: SASL_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/SCHEDULER_README.html: SCHEDULER_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/SMTPD_ACCESS_README.html: SMTPD_ACCESS_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/SMTPD_POLICY_README.html: SMTPD_POLICY_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/SMTPD_PROXY_README.html: SMTPD_PROXY_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/SOHO_README.html: $(MAKESOHO) $(DEPSOHO) $(MAKESOHO) | $(POSTLINK) | $(DETAB) >$@ ../html/SQLITE_README.html: SQLITE_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/STANDARD_CONFIGURATION_README.html: STANDARD_CONFIGURATION_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/STRESS_README.html: STRESS_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/TUNING_README.html: TUNING_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/UUCP_README.html: UUCP_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/ULTRIX_README.html: ULTRIX_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/VERP_README.html: VERP_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/VIRTUAL_README.html: VIRTUAL_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/XCLIENT_README.html: XCLIENT_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? 
| $(POSTLINK) >$@ ../html/XFORWARD_README.html: XFORWARD_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/TLS_README.html: TLS_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../html/TLS_LEGACY_README.html: TLS_LEGACY_README.html - $(POSTLINK) $? | $(DETAB) >$@ + $(DETAB) $? | $(POSTLINK) >$@ ../README_FILES/ADDRESS_CLASS_README: ADDRESS_CLASS_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/ADDRESS_REWRITING_README: ADDRESS_REWRITING_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/ADDRESS_VERIFICATION_README: ADDRESS_VERIFICATION_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/BACKSCATTER_README: BACKSCATTER_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/BASIC_CONFIGURATION_README: BASIC_CONFIGURATION_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/BUILTIN_FILTER_README: BUILTIN_FILTER_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/CDB_README: CDB_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/CONNECTION_CACHE_README: CONNECTION_CACHE_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/CONTENT_INSPECTION_README: CONTENT_INSPECTION_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/CYRUS_README: CYRUS_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/DATABASE_README: DATABASE_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/DB_README: DB_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/DEBUG_README: DEBUG_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? 
| $(HT2READ) >$@ ../README_FILES/DSN_README: DSN_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/ETRN_README: ETRN_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/FILTER_README: FILTER_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/INSTALL: INSTALL.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/IPV6_README: IPV6_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/LDAP_README: LDAP_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/LINUX_README: LINUX_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/LOCAL_RECIPIENT_README: LOCAL_RECIPIENT_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/MAILDROP_README: MAILDROP_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/LMDB_README: LMDB_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/MEMCACHE_README: MEMCACHE_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/MILTER_README: MILTER_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/MULTI_INSTANCE_README: MULTI_INSTANCE_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/MYSQL_README: MYSQL_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/NFS_README: NFS_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/OVERVIEW: OVERVIEW.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/PACKAGE_README: PACKAGE_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/PCRE_README: PCRE_README.html - $(HT2READ) $? 
| $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/PGSQL_README: PGSQL_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/POSTSCREEN_README: POSTSCREEN_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/QMQP_README: QMQP_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/QSHAPE_README: QSHAPE_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/RESTRICTION_CLASS_README: RESTRICTION_CLASS_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/SASL_README: SASL_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/SCHEDULER_README: SCHEDULER_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/SMTPD_ACCESS_README: SMTPD_ACCESS_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/SMTPD_POLICY_README: SMTPD_POLICY_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/SMTPD_PROXY_README: SMTPD_PROXY_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/SOHO_README: $(MAKESOHO) $(DEPSOHO) $(MAKESOHO) | $(HT2READ) | $(DETAB) >$@ ../README_FILES/SQLITE_README: SQLITE_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/STANDARD_CONFIGURATION_README: STANDARD_CONFIGURATION_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/STRESS_README: STRESS_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/TUNING_README: TUNING_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/UUCP_README: UUCP_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/ULTRIX_README: ULTRIX_README.html - $(HT2READ) $? 
| $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/VERP_README: VERP_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/VIRTUAL_README: VIRTUAL_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/XCLIENT_README: XCLIENT_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/XFORWARD_README: XFORWARD_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/TLS_README: TLS_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/TLS_LEGACY_README: TLS_LEGACY_README.html - $(HT2READ) $? | $(DETAB) >$@ + $(DETAB) $? | $(HT2READ) >$@ ../README_FILES/AAAREADME: ../html/index.html $(MAKEAAA) $(MAKEAAA) ../html/index.html | $(HT2READ) | $(DETAB) >$@ @@ -468,8 +468,8 @@ clobber: ../man/man5/postconf.5: postconf.man.prolog postconf.proto postconf.man.epilog \ ../mantools/xpostconf ../mantools/postconf2html ../mantools/postconf2man (cat postconf.man.prolog; ../mantools/xpostconf postconf.proto | \ - ../mantools/postconf2html | ../mantools/postconf2man | \ - sed 's/\\e&/\\\&/'; cat postconf.man.epilog ) | $(DETAB) > $@ + $(DETAB) | ../mantools/postconf2html | ../mantools/postconf2man | \ + sed 's/\\e&/\\\&/'; cat postconf.man.epilog ) > $@ ../html/postconf.5.html: postconf.html.prolog postconf.proto \ postconf.html.epilog ../mantools/xpostconf ../mantools/postconf2html \ diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 04ddb62aa..d4dbebdc1 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20131103" +#define MAIL_RELEASE_DATE "20131104" #define MAIL_VERSION_NUMBER "2.11" #ifdef SNAPSHOT 
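Review bot: In the `../man/man5/postconf.5` recipe, moving `$(DETAB)` from the end of the subshell to directly after `../mantools/xpostconf postconf.proto` means the output of `cat postconf.man.prolog` and `cat postconf.man.epilog` no longer passes through tab expansion. If either file contains TAB characters, they now reach the man page unexpanded. If that is intended, a comment above the rule such as `# Only postconf.proto is detabbed; prolog and epilog are copied as-is.` would record it. The SOHO_README and AAAREADME rules, visible as unchanged context in the first hunk, still run `$(DETAB)` as the last pipeline stage, so the ordering is not uniform across the file.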
diff --git a/postfix/src/postalias/postalias.c b/postfix/src/postalias/postalias.c index 430c15641..fd5351534 100644 --- a/postfix/src/postalias/postalias.c +++ b/postfix/src/postalias/postalias.c @@ -290,6 +290,7 @@ static void postalias(char *map_type, char *path_name, int postalias_flags, if ((source_fp = vstream_fopen(path_name, O_RDONLY, 0)) == 0) msg_fatal("open %s: %m", path_name); } + dict_flags |= DICT_FLAG_WORLD_READ; if (fstat(vstream_fileno(source_fp), &st) < 0) msg_fatal("fstat %s: %m", path_name); diff --git a/postfix/src/postmap/postmap.c b/postfix/src/postmap/postmap.c index e10ac1669..26348041e 100644 --- a/postfix/src/postmap/postmap.c +++ b/postfix/src/postmap/postmap.c @@ -353,6 +353,7 @@ static void postmap(char *map_type, char *path_name, int postmap_flags, if ((source_fp = vstream_fopen(path_name, O_RDONLY, 0)) == 0) msg_fatal("open %s: %m", path_name); } + dict_flags |= DICT_FLAG_WORLD_READ; if (fstat(vstream_fileno(source_fp), &st) < 0) msg_fatal("fstat %s: %m", path_name); diff --git a/postfix/src/util/dict.c b/postfix/src/util/dict.c index 3c4a9b1b8..e1e11cf4d 100644 --- a/postfix/src/util/dict.c +++ b/postfix/src/util/dict.c @@ -590,6 +590,7 @@ static const NAME_MASK dict_mask[] = { "fold_mul", DICT_FLAG_FOLD_MUL, /* case-fold with multi-case key map */ "open_lock", DICT_FLAG_OPEN_LOCK, /* permanent lock upon open */ "bulk_update", DICT_FLAG_BULK_UPDATE, /* bulk update if supported */ + "world_read", DICT_FLAG_WORLD_READ, /* assume writer != reader */ 0, }; diff --git a/postfix/src/util/dict.h b/postfix/src/util/dict.h index d255aac3b..c8564f6bd 100644 --- a/postfix/src/util/dict.h +++ b/postfix/src/util/dict.h 
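Review bot: The added `dict_flags |= DICT_FLAG_WORLD_READ;` in postalias() has no comment, yet it is the only thing that enables the LMDB memory-disclosure workaround for this privileged writer. A why-comment would help, for example `/* The output file is read by other users: ask the database client not to write uninitialized memory. */`. The same applies to the identical line in the postmap() hunk. Both hunks touch only the map-creation function, whose body starts and ends outside the hunk. If these commands open a map for writing on any other code path (not visible in this diff), that path would not get the flag, which is worth confirming before relying on the workaround.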
@@ -96,6 +96,7 @@ extern DICT *dict_debug(DICT *); #define DICT_FLAG_FOLD_ANY (DICT_FLAG_FOLD_FIX | DICT_FLAG_FOLD_MUL) #define DICT_FLAG_OPEN_LOCK (1<<16) /* perm lock if not multi-writer safe */ #define DICT_FLAG_BULK_UPDATE (1<<17) /* optimize for bulk updates */ +#define DICT_FLAG_WORLD_READ (1<<18) /* assume writer != reader */ /* IMPORTANT: Update the dict_mask[] table when the above changes */ diff --git a/postfix/src/util/dict_lmdb.c b/postfix/src/util/dict_lmdb.c index aa6836042..2bc032107 100644 --- a/postfix/src/util/dict_lmdb.c +++ b/postfix/src/util/dict_lmdb.c 
@@ -551,35 +551,45 @@ DICT *dict_lmdb_open(const char *path, int open_flags, int dict_flags) mdb_path = concatenate(path, "." DICT_TYPE_LMDB, (char *) 0); /* - * Security violation. - * - * By default, LMDB 0.9.9 writes uninitialized heap memory to a - * world-readable database file. This is a basic memory disclosure - * vulnerability: memory content that a program does not intend to share - * ends up in a world-readable file. The content of uninitialized heap - * memory depends on program execution history. That history includes - * code execution in other libraries that are linked into the program. - * - * As a workaround we turn on MDB_WRITEMAP which disables the use of - * malloc() in LMDB. However, that does not address several disclosures - * of stack memory. + * Impedance adapters. */ mdb_flags = MDB_NOSUBDIR | MDB_NOLOCK; if (open_flags == O_RDONLY) mdb_flags |= MDB_RDONLY; - /* - * Replace with MDB_VERSION_FULL < MDB_VERINT(X, Y, Z) after this is - * fixed up-stream. - */ -#if 1 - mdb_flags |= MDB_WRITEMAP; -#endif - slmdb_flags = 0; if (dict_flags & DICT_FLAG_BULK_UPDATE) slmdb_flags |= SLMDB_FLAG_BULK; + /* + * Security violation. + * + * By default, LMDB 0.9.9 writes uninitialized heap memory to a + * world-readable database file, as chunks of up to 4096 bytes. This is a + * gross memory disclosure vulnerability: memory content that a program + * does not intend to share ends up in a world-readable file. The content + * of uninitialized heap memory depends on program execution history. + * That history includes code execution in other libraries that are + * linked into the program. + * + * This is a problem whenever the user who writes the database file differs + * from the user who reads the database file. For example, a privileged + * writer and an unprivileged reader. 
In the case of Postfix, the + * postmap(1) and postalias(1) commands would leak uninitialized heap + * memory, as chunks of up to 4096 bytes, from a root-privileged process + * that writes to a database file, to unprivileged processes that read + * from that database file. + * + * As a workaround the postmap(1) and postalias(1) commands turn on + * MDB_WRITEMAP which disables the use of malloc() in LMDB. However, that + * does not address several disclosures of stack memory. Other Postfix + * databases do not need this workaround: those databases are maintained + * by Postfix daemon processes, and are accessible only by the postfix + * user. + */ + if (dict_flags & DICT_FLAG_WORLD_READ) + mdb_flags |= MDB_WRITEMAP; + /* * Gracefully handle most database open errors. */ diff --git a/postfix/src/util/dict_open.c b/postfix/src/util/dict_open.c index aee1f8ddd..a8b5a0a72 100644 --- a/postfix/src/util/dict_open.c +++ b/postfix/src/util/dict_open.c @@ -126,6 +126,9 @@ /* Enable preliminary code for bulk-mode database updates. /* The caller must create an exception handler with dict_jmp_alloc() /* and must trap exceptions from the database client with dict_setjmp(). +/* .IP DICT_FLAG_WORLD_READ +/* Assume that the database file will be read by users other +/* than the writer. /* .IP DICT_FLAG_DEBUG /* Enable additional logging. /* .PP diff --git a/postfix/src/util/slmdb.c b/postfix/src/util/slmdb.c index a471c5c0b..5a038620e 100644 --- a/postfix/src/util/slmdb.c +++ b/postfix/src/util/slmdb.c @@ -295,9 +295,11 @@ static int slmdb_recover(SLMDB *slmdb, int status) MDB_envinfo info; /* - * Limit the number of recovery attempts per slmdb(3) API request. + * Recover bulk transactions only if they can be restarted. Limit + * the number of recovery attempts per slmdb(3) API request. */ - if ((slmdb->api_retry_count += 1) >= slmdb->api_retry_limit) + if ((slmdb->txn != 0 && slmdb->longjmp_fn == 0) + || ((slmdb->api_retry_count += 1) >= slmdb->api_retry_limit)) return (status); /*
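Review bot: Gating `mdb_flags |= MDB_WRITEMAP;` on `DICT_FLAG_WORLD_READ` in dict_lmdb_open() makes the disclosure workaround opt-in, so any writer that does not set the flag silently goes back to the behaviour the comment calls a security violation. The exemption for daemon-maintained databases depends on those files being accessible only to the postfix user, and nothing in this hunk checks that. A fail-closed shape would keep MDB_WRITEMAP on for every non-read-only open and let callers that know the file is private opt out. The removed comment also carried a reminder to make the workaround conditional on the LMDB version once fixed upstream; consider keeping it, e.g. `/* XXX Make this conditional on MDB_VERSION_FULL after the fix is available up-stream. */`. The body of dict_lmdb_open() continues outside the hunk.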
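Review bot: The new guard in slmdb_recover() puts a pure test and a counter increment in one `||` expression, so `slmdb->api_retry_count` is incremented only when the first operand is false. That ordering dependency is easy to misread and easy to break in a later edit. Two separate guards keep the behaviour and make the order explicit: `if (slmdb->txn != 0 && slmdb->longjmp_fn == 0) return (status);` followed by `if ((slmdb->api_retry_count += 1) >= slmdb->api_retry_limit) return (status);`. The function starts before the hunk and continues past it.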