postfix-3.6-20200416

2025-08-31 14:17:41 +00:00 · 2020-04-16 00:00:00 -05:00
parent cd2d0e0e1a
commit 210218c2cc
12 changed files with 106 additions and 9 deletions
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -24663,7 +24663,7 @@ Apologies for any names omitted.

 	Usability: the Postfix SMTP server now logs a warning when
 	a configuration requests access control by client certificate,
-	but "smtpd_tls_ask_clientcert = no".  Files: proto/postconf.proto,
+	but "smtpd_tls_ask_ccert = no". Files: proto/postconf.proto,
 	smtpd/smtpd_check.c.

 20200316
@@ -24671,3 +24671,22 @@ Apologies for any names omitted.
 	Removed the issuer_cn and subject_cn matches from
 	check_ccert_access. Files: smtpd/smtpd_check.c,
 	proto/postconf.proto.
+
+20200407
+
+	Helper script by Viktor Dukhovni to report TLS information
+	per message delivery. This processes output from the
+	collate.pl script. Files: auxiliary/collate/README.tlstype,
+	auxiliary/collate/tlstype.pl.
+
+20200416
+
+	Workaround for broken builds after an incompatible change
+	in GCC 10. Files: makedefs, Makefile.in.
+
+	Workaround for broken DANE support after an incompatible
+	change in GLIBC 2.31. This avoids the need for new options
+	in /etc/resolv.conf. Files: dns/dns.h, dns/dns_lookup.c.
+
+	Misc fixes for gcc 'multiple definition' errors. Files:
+	master/master_vars.c, smtp/smtp.c, proxymap/proxymap.c.
--- a/postfix/Makefile.in
+++ b/postfix/Makefile.in
@@ -1,7 +1,7 @@
 # To test with valgrind:
 # make -i tests VALGRIND="valgrind --tool=memcheck --log-file=/some/where.%p" 
 SHELL	= /bin/sh
-WARN    = -Wmissing-prototypes -Wformat -Wno-comment
+WARN    = -Wmissing-prototypes -Wformat -Wno-comment -fcommon
 OPTS	= 'WARN=$(WARN)'
 DIRS	= src/util src/global src/dns src/tls src/xsasl src/master src/milter \
 	src/postfix src/fsstone src/smtpstone \
--- a/postfix/WISHLIST
+++ b/postfix/WISHLIST
@@ -1,5 +1,11 @@
 Wish list:

+	Read http://mmogilvi.users.sourceforge.net/software/oauthbearer.html
+	and see how we can improve on the Postfix side.
+
+	Investigate feasibility of SO_REUSEPORT (~portable) and
+	SO_REUSEPORT_LB (*BSD).
+
 	nbbio: exercise the sanity checks with fake msg(3) functions.

 	optreset (bsd-ism) how badly do we need it?
--- a/postfix/auxiliary/collate/README.tlstype
+++ b/postfix/auxiliary/collate/README.tlstype
@@ -0,0 +1,37 @@
+On Mon, Apr 06, 2020 at 08:21:32AM +0100, Dominic Raferd wrote:
+
+> Using setting 'smtp_tls_security_level = may' (postfix 3.3.0) is there
+> a reliable way to see from log which outgoing emails were sent in the
+> clear i.e. *not* using TLS?
+
+Yes, provided you don't lose too many log messages[1], and your logging
+subsystem does not reorder them[1], set:
+
+    smtp_tls_loglevel = 1
+
+and use "collate":
+
+    https://github.com/vdukhovni/postfix/tree/master/postfix/auxiliary/collate
+
+whose output you'd send to the attached Perl script.  On my system for
+example:
+
+    # bzcat $(ls -tr /var/log/maillog*) | perl collate.pl | perl tlstype.pl
+
+-- 
+    Viktor.
+
+[1] If your system is suffering under the yoke of systemd-journald, you
+should strongly consider enabling the built-in logging in recent
+versions of Postfix to bypass systemd's broken logging subsystem.
+
+    - It is single-threaded, performs poorly on multi-cpu servers and
+      may not be able to keep up with all the messages generated on a
+      busy multi-cpu system.
+
+    - By default has low message rate limits, dropping messages
+      that exceed the limits.
+
+    - Listens on stream socket rather than a dgram socket, which
+      breaks message ordering from multi-process systems like
+      Postfix.
--- a/postfix/auxiliary/collate/tlstype.pl
+++ b/postfix/auxiliary/collate/tlstype.pl
@@ -0,0 +1,31 @@
+#! /usr/bin/env perl
+
+use strict;
+use warnings;
+
+local $/ = "\n\n";
+
+while (<>) {
+    my $qid;
+    my %tls;
+    my $smtp;
+    foreach my $line (split("\n")) {
+	if ($line =~ m{ postfix(?:\S*?)/qmgr\[\d+\]: (\w+): from=<.*>, size=\d+, nrcpt=\d+ [(]queue active[)]$}) {
+	    $qid //= $1;
+	    next;
+	}
+	if ($line =~ m{ postfix(?:\S*?)/smtp\[(\d+)\]: (\S+) TLS connection established to (\S+): (.*)}) {
+	    $tls{$1}->{lc($3)} = [$2, $4];
+	    next;
+	}
+	if ($line =~ m{.*? postfix(?:\S*?)/smtp\[(\d+)\]: (\w+): (to=.*), relay=(\S+), (delay=\S+, delays=\S+, dsn=2\.\S+, status=sent .*)}) {
+	    next unless $qid eq $2;
+	    if (defined($tls{$1}->{lc($4)}) && ($tls{$1}->{lc($4)}->[2] //= $5) eq $5) {
+		printf "qid=%s, relay=%s, %s -> %s %s\n", $qid, lc($4), $3, @{$tls{$1}->{lc($4)}}[0..1];
+	    } else {
+		delete $tls{$1};
+		printf "qid=%s, relay=%s, %s -> cleartext\n", $qid, lc($4), $3;
+	    }
+	}
+    }
+}
--- a/postfix/makedefs
+++ b/postfix/makedefs
@@ -1136,7 +1136,7 @@ esac
 : ${CC=gcc} ${OPT='-O'} ${DEBUG='-g'} ${AWK=awk} \
 ${WARN='-Wall -Wno-comment -Wformat -Wimplicit -Wmissing-prototypes \
 	-Wparentheses -Wstrict-prototypes -Wswitch -Wuninitialized \
-	-Wunused -Wno-missing-braces'}
+	-Wunused -Wno-missing-braces -fcommon'}

 # Extract map type names from -DHAS_XXX compiler options.  We avoid
 # problems with tr(1) range syntax by using enumerations instead,
--- a/postfix/src/dns/dns.h
+++ b/postfix/src/dns/dns.h
@@ -59,6 +59,7 @@
 */
 #ifdef NO_DNSSEC
 #undef RES_USE_DNSSEC
+#undef RES_TRUSTAD
 #endif

 /*
@@ -69,6 +70,9 @@
 #endif
 #ifndef RES_USE_EDNS0
 #define RES_USE_EDNS0	0
+#endif
+#ifndef RES_TRUSTAD
+#define RES_TRUSTAD	0
 #endif

 /*-
--- a/postfix/src/dns/dns_lookup.c
+++ b/postfix/src/dns/dns_lookup.c
@@ -116,6 +116,9 @@
 /*	Request DNSSEC validation. This flag is silently ignored
 /*	when the system stub resolver API, resolver(3), does not
 /*	implement DNSSEC.
+/*	Automatically turns on the RES_TRUSTAD flag on systems that
+/*	support this flag (this behavior will be more configurable
+/*	in a later release).
 /* .RE
 /* .IP lflags
 /*	Flags that control the operation of the dns_lookup*()
@@ -458,10 +461,10 @@ static int dns_query(const char *name, int type, unsigned flags,
    /*
     * Set extra options that aren't exposed to the application.
     */
-#define XTRA_FLAGS (RES_USE_EDNS0)
+#define XTRA_FLAGS (RES_USE_EDNS0 | RES_TRUSTAD)

    if (flags & RES_USE_DNSSEC)
-	flags |= RES_USE_EDNS0;
+	flags |= (RES_USE_EDNS0 | RES_TRUSTAD);

    /*
     * Can't append domains: we need the right SOA TTL.
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
  * Patches change both the patchlevel and the release date. Snapshots have no
  * patchlevel; they change the release date only.
  */
-#define MAIL_RELEASE_DATE	"20200316"
+#define MAIL_RELEASE_DATE	"20200416"
 #define MAIL_VERSION_NUMBER	"3.6"

 #ifdef SNAPSHOT
--- a/postfix/src/master/master_vars.c
+++ b/postfix/src/master/master_vars.c
@@ -46,7 +46,6 @@
 /*
  * Tunable parameters.
  */
-char   *var_inet_protocols;
 int     var_throttle_time;
 char   *var_master_disable;

--- a/postfix/src/proxymap/proxymap.c
+++ b/postfix/src/proxymap/proxymap.c
@@ -259,7 +259,6 @@ char   *var_virt_alias_doms;
 char   *var_virt_mailbox_maps;
 char   *var_virt_mailbox_doms;
 char   *var_relay_rcpt_maps;
-char   *var_relay_domains;
 char   *var_canonical_maps;
 char   *var_send_canon_maps;
 char   *var_rcpt_canon_maps;
--- a/postfix/src/smtp/smtp.c
+++ b/postfix/src/smtp/smtp.c
@@ -938,7 +938,6 @@ int     var_smtp_data1_tmout;
 int     var_smtp_data2_tmout;
 int     var_smtp_rset_tmout;
 int     var_smtp_quit_tmout;
-char   *var_inet_interfaces;
 char   *var_notify_classes;
 int     var_smtp_skip_5xx_greeting;
 int     var_ign_mx_lookup_err;