From 38110d57f6c9550620169721da89077dd5aaa3fc Mon Sep 17 00:00:00 2001 From: Wietse Venema Date: Fri, 21 Jan 2022 00:00:00 -0500 Subject: [PATCH] postfix-3.7-20220121 --- postfix/HISTORY | 34 +++- postfix/Makefile.in | 12 +- postfix/README_FILES/CYRUS_README | 5 - postfix/RELEASE_NOTES | 6 +- postfix/WISHLIST | 20 +-- postfix/conf/postfix-files | 17 +- postfix/html/postconf.5.html | 31 +++- postfix/html/tlsproxy.8.html | 14 +- postfix/man/man5/postconf.5 | 19 ++- postfix/man/man8/tlsproxy.8 | 12 +- .../mantools/check-double-install-proto-text | 2 +- postfix/mantools/check-postfix-files | 32 ++++ postfix/mantools/check-postlink | 149 ++++-------------- .../mantools/check-spell-install-proto-text | 4 +- postfix/mantools/missing-proxy-read-maps | 4 +- postfix/mantools/postlink | 2 + postfix/proto/postconf.proto | 23 ++- postfix/proto/stop | 4 + postfix/src/global/mail_params.h | 15 +- postfix/src/global/mail_version.h | 2 +- postfix/src/postconf/postconf_builtin.c | 2 + postfix/src/smtp/smtp.h | 6 + postfix/src/smtp/smtp_proto.c | 7 +- postfix/src/smtp/smtp_state.c | 1 + postfix/src/tlsproxy/tlsproxy.c | 12 +- 25 files changed, 261 insertions(+), 174 deletions(-) delete mode 100644 postfix/README_FILES/CYRUS_README create mode 100755 postfix/mantools/check-postfix-files diff --git a/postfix/HISTORY b/postfix/HISTORY index f0f6c55fa..a2d9c97e4 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -26125,7 +26125,7 @@ Apologies for any names omitted. Cleanup: added missing _maps parameter names to the proxy_read_maps default value, based on output from the - mantools/missing-proxy-read-maps script. File: + mantools/missing-proxy-read-maps script. File: global/mail_params.h. Sanity: added LANG=C to the typo-check scripts to get 
@@ -26195,12 +26195,12 @@ Apologies for any names omitted. 20220117 - Clenaup: the nullmx_reject_code parameter was removed from + Cleanup: the nullmx_reject_code parameter was removed from Postfix 3.0 before it was released, but the manpage was not updated. File: proto/postconf.proto. Cleanup: after seeking past the end of a writable memory-backed - VSTREAM (i.e. backed by a VSTRING), write nulls over the + VSTREAM (i.e. backed by a VSTRING), write nulls over the newly allocated bytes. This behavior is compatible with seeking past the end of a writable regular file. File: util/vstream.c. @@ -26211,6 +26211,32 @@ Apologies for any names omitted. Makefiles, some unit test 'reference' files. Bugfix (documented but not implemented since Postfix 2.2): - missing support for [address] smtp_bind_address and + missing support for [address] in smtp_bind_address and smtp_bind_address6. Reported by Vincent Pelletier. File: smtp/smtp_connect.c. + +20220119 + + Cleanup: the 20211211 change could result in logfile spam. + Added a 1-bit counter to log "breaking long line" only once per + delivery request. File: smtp/smtp_proto.c. + +20220121 + + Cleanup: added a pre-release check for missing entries + in postfix-files. Problem reported by Jaroslav Skarvada. + Files: Makefile.in, conf/postfix-files, + mantools/check-postfix-files. Deleted: CYRUS_README. + + Cleanup: added the RELEASE_NOTES file to the pre-release + checks, after Viktor Dukhovni reported a typo. Files: + mantools/check-double-install-proto-text, + mantools/check-spell-install-proto-text. + + Cleanup: for consistent parameter naming (tlsproxy_client_xxx + correspnds to smtp_tls_xxx), renamed tlsproxy_client_level + to tlsproxy_client_security_level, and tlsproxy_client_policy + to tlsproxy_client_policy_maps, with backwards-compatible + defaults and updated documentation. Problem reported by + Raf. Files: global/mail_params.h, mantools/postlink, + postconf/postconf_builtin.c. 
diff --git a/postfix/Makefile.in b/postfix/Makefile.in index 3c1071b8b..aa6c7ad9c 100644 --- a/postfix/Makefile.in +++ b/postfix/Makefile.in @@ -114,14 +114,18 @@ manpages: (set -e; echo "[$$i]"; cd $$i; $(MAKE) -f Makefile.in $(OPTS) MAKELEVEL=) || exit 1; \ done smtp_tls_mumble), - rename tlsproxy_client_level to tlsproxy_client_security_level, - and tlsproxy_client_policy to tlsproxy_client_policy_maps. - This requires backwards-compatible defaults and documentation - updates. - A smart query service for live Postfix tables that outputs JSON? Add a pointer to http://mmogilvi.users.sourceforge.net/software/oauthbearer.html in documentation or on-line howtos. + Read http://mmogilvi.users.sourceforge.net/software/oauthbearer.html + and see how we can improve on the Postfix side. + Add verp=+= to the qmgr "from=" logging. This is already implemented but not yet integrated. @@ -76,7 +73,7 @@ Wish list: configuration settings easier to enter. This may be true for main.cf, master.cf and similar files (such as database configuration files, but not necessarily elsewhere). So it - would have to be a readlline flag. + may have to be a readlline flag. Understand what happens with DNSSEC related status fields in posttls-finger when resolv.conf points to a host that @@ -95,18 +92,9 @@ Wish list: events. But the currrent multi_server API fits typical usage better. - Add a configurable filter for SMTP command syntax. Maybe - time for some inline-pcre or inline-regexp map support? - - Update makedefs and sys-defs.h for current Linux kernels and - *BSD releases. - When a secondary instance has no multi_instance_name set, postmulti -i won't be able to find it. - Read http://mmogilvi.users.sourceforge.net/software/oauthbearer.html - and see how we can improve on the Postfix side. - nbbio: exercise the sanity checks with fake msg(3) functions. optreset (bsd-ism) how badly do we need it? 
diff --git a/postfix/conf/postfix-files b/postfix/conf/postfix-files index 7174b7a9e..643a1f319 100644 --- a/postfix/conf/postfix-files +++ b/postfix/conf/postfix-files @@ -171,8 +171,8 @@ $manpage_directory/man1/postalias.1:f:root:-:644 $manpage_directory/man1/postcat.1:f:root:-:644 $manpage_directory/man1/postconf.1:f:root:-:644 $manpage_directory/man1/postdrop.1:f:root:-:644 -$manpage_directory/man1/postfix.1:f:root:-:644 $manpage_directory/man1/postfix-tls.1:f:root:-:644 +$manpage_directory/man1/postfix.1:f:root:-:644 $manpage_directory/man1/postkick.1:f:root:-:644 $manpage_directory/man1/postlock.1:f:root:-:644 $manpage_directory/man1/postlog.1:f:root:-:644 @@ -276,6 +276,7 @@ $readme_directory/ADDRESS_REWRITING_README:f:root:-:644 $readme_directory/ADDRESS_VERIFICATION_README:f:root:-:644 $readme_directory/BACKSCATTER_README:f:root:-:644 $readme_directory/BASIC_CONFIGURATION_README:f:root:-:644 +$readme_directory/BDAT_README:f:root:-:644 $readme_directory/BUILTIN_FILTER_README:f:root:-:644 $readme_directory/CDB_README:f:root:-:644 $readme_directory/COMPATIBILITY_README:f:root:-:644 
@@ -297,16 +298,19 @@ $readme_directory/LMDB_README:f:root:-:644 $readme_directory/LOCAL_RECIPIENT_README:f:root:-:644 $readme_directory/MACOSX_README:f:root:-:644:o $readme_directory/MAILDROP_README:f:root:-:644 +$readme_directory/MAILLOG_README:f:root:-:644 $readme_directory/MEMCACHE_README:f:root:-:644 $readme_directory/MILTER_README:f:root:-:644 $readme_directory/MULTI_INSTANCE_README:f:root:-:644 $readme_directory/MYSQL_README:f:root:-:644 +$readme_directory/SMTPUTF8_README:f:root:-:644 $readme_directory/SQLITE_README:f:root:-:644 $readme_directory/NFS_README:f:root:-:644 $readme_directory/OVERVIEW:f:root:-:644 $readme_directory/PACKAGE_README:f:root:-:644 $readme_directory/PCRE_README:f:root:-:644 $readme_directory/PGSQL_README:f:root:-:644 +$readme_directory/POSTSCREEN_3_5_README:f:root:-:644 $readme_directory/POSTSCREEN_README:f:root:-:644 $readme_directory/QMQP_README:f:root:-:644:o $readme_directory/QSHAPE_README:f:root:-:644 @@ -334,6 +338,7 @@ $html_directory/ADDRESS_REWRITING_README.html:f:root:-:644 $html_directory/ADDRESS_VERIFICATION_README.html:f:root:-:644 $html_directory/BACKSCATTER_README.html:f:root:-:644 $html_directory/BASIC_CONFIGURATION_README.html:f:root:-:644 +$html_directory/BDAT_README.html:f:root:-:644 $html_directory/BUILTIN_FILTER_README.html:f:root:-:644 $html_directory/CDB_README.html:f:root:-:644 $html_directory/COMPATIBILITY_README.html:f:root:-:644 
@@ -354,15 +359,19 @@ $html_directory/LINUX_README.html:f:root:-:644 $html_directory/LMDB_README.html:f:root:-:644 $html_directory/LOCAL_RECIPIENT_README.html:f:root:-:644 $html_directory/MAILDROP_README.html:f:root:-:644 +$html_directory/MAILLOG_README.html:f:root:-:644 +$html_directory/MEMCACHE_README.html:f:root:-:644 $html_directory/MILTER_README.html:f:root:-:644 $html_directory/MULTI_INSTANCE_README.html:f:root:-:644 $html_directory/MYSQL_README.html:f:root:-:644 +$html_directory/SMTPUTF8_README.html:f:root:-:644 $html_directory/SQLITE_README.html:f:root:-:644 $html_directory/NFS_README.html:f:root:-:644 $html_directory/OVERVIEW.html:f:root:-:644 $html_directory/PACKAGE_README.html:f:root:-:644 $html_directory/PCRE_README.html:f:root:-:644 $html_directory/PGSQL_README.html:f:root:-:644 +$html_directory/POSTSCREEN_3_5_README.html:f:root:-:644 $html_directory/POSTSCREEN_README.html:f:root:-:644 $html_directory/QMQP_README.html:f:root:-:644:o $html_directory/QSHAPE_README.html:f:root:-:644 @@ -387,6 +396,7 @@ $html_directory/XFORWARD_README.html:f:root:-:644 $html_directory/access.5.html:f:root:-:644 $html_directory/aliases.5.html:f:root:-:644 $html_directory/anvil.8.html:f:root:-:644 +$html_directory/bounce.5.html:f:root:-:644 $html_directory/bounce.8.html:f:root:-:644 $html_directory/canonical.5.html:f:root:-:644 $html_directory/cidr_table.5.html:f:root:-:644 @@ -401,6 +411,7 @@ $html_directory/generic.5.html:f:root:-:644 $html_directory/header_checks.5.html:f:root:-:644 $html_directory/index.html:f:root:-:644 $html_directory/ldap_table.5.html:f:root:-:644 +$html_directory/lmdb_table.5.html:f:root:-:644 $html_directory/lmtp.8.html:f:root:-:644 $html_directory/local.8.html:f:root:-:644 $html_directory/mailq.1.html:f:root:-:644 
@@ -423,6 +434,7 @@ $html_directory/postconf.5.html:f:root:-:644 $html_directory/postdrop.1.html:f:root:-:644 $html_directory/postfix-logo.jpg:f:root:-:644 $html_directory/postfix-manuals.html:f:root:-:644 +$html_directory/postfix-tls.1.html:f:root:-:644 $html_directory/postfix-wrapper.5.html:f:root:-:644 $html_directory/postfix.1.html:f:root:-:644 $html_directory/postkick.1.html:f:root:-:644 @@ -442,13 +454,16 @@ $html_directory/qmqp-source.1.html:f:root:-:644 $html_directory/qmqpd.8.html:f:root:-:644 $html_directory/regexp_table.5.html:f:root:-:644 $html_directory/relocated.5.html:f:root:-:644 +$html_directory/scache.8.html:f:root:-:644 $html_directory/sendmail.1.html:h:$html_directory/mailq.1.html:-:644 $html_directory/showq.8.html:f:root:-:644 $html_directory/smtp-sink.1.html:f:root:-:644 $html_directory/smtp-source.1.html:f:root:-:644 $html_directory/smtp.8.html:h:$html_directory/lmtp.8.html:-:644 $html_directory/smtpd.8.html:f:root:-:644 +$html_directory/socketmap_table.5.html:f:root:-:644 $html_directory/spawn.8.html:f:root:-:644 +$html_directory/tlsmgr.8.html:f:root:-:644 $html_directory/tlsproxy.8.html:f:root:-:644 $html_directory/tcp_table.5.html:f:root:-:644 $html_directory/trace.8.html:h:$html_directory/bounce.8.html:-:644 diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 7fd51c5c4..0810dd858 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -19967,6 +19967,18 @@ configure tlsproxy client keys and certificates is via the

This feature is available in Postfix 3.4 and later.

+ + +
tlsproxy_client_level +(default: $smtp_tls_security_level)
+ +

The default TLS security level for the Postfix tlsproxy(8) +client. See smtp_tls_security_level for further details.

+ +

This feature is available in Postfix 3.4 - 3.6. It was +renamed to tlsproxy_client_security_level in Postfix 3.7.

+ +
tlsproxy_client_loglevel @@ -20001,6 +20013,19 @@ hostname. See smtp_tls_per_site

This feature is available in Postfix 3.4 and later.

+ + +
tlsproxy_client_policy +(default: $smtp_tls_policy_maps)
+ +

Optional lookup tables with the Postfix tlsproxy(8) client TLS +security policy by next-hop destination. See smtp_tls_policy_maps +for further details.

+ +

This feature is available in Postfix 3.4 - 3.6. It was +renamed to tlsproxy_client_policy_maps in Postfix 3.7.

+ +
tlsproxy_client_policy_maps @@ -20010,7 +20035,8 @@ hostname. See smtp_tls_per_site security policy by next-hop destination. See smtp_tls_policy_maps for further details.

-

This feature is available in Postfix 3.4 and later.

+

This feature is available in Postfix 3.7 and later. It +was previously called tlsproxy_client_policy.

@@ -20032,7 +20058,8 @@ See smtp_tls_scert_verifyde

The default TLS security level for the Postfix tlsproxy(8) client. See smtp_tls_security_level for further details.

-

This feature is available in Postfix 3.4 and later.

+

This feature is available in Postfix 3.7 and later. It +was previously called tlsproxy_client_level.

diff --git a/postfix/html/tlsproxy.8.html b/postfix/html/tlsproxy.8.html index b78bed370..d0b8b0ea1 100644 --- a/postfix/html/tlsproxy.8.html +++ b/postfix/html/tlsproxy.8.html @@ -323,11 +323,11 @@ TLSPROXY(8) TLSPROXY(8) tlsproxy_client_scert_verifydepth ($smtp_tls_scert_verifydepth) The verification depth for remote TLS server certificates. - tlsproxy_client_security_level ($smtp_tls_security_level) + tlsproxy_client_level ($smtp_tls_security_level) The default TLS security level for the Postfix tlsproxy(8) client. - tlsproxy_client_policy_maps ($smtp_tls_policy_maps) + tlsproxy_client_policy ($smtp_tls_policy_maps) Optional lookup tables with the Postfix tlsproxy(8) client TLS security policy by next-hop destination. @@ -343,6 +343,16 @@ TLSPROXY(8) TLSPROXY(8) usage policy by next-hop destination and by remote TLS server hostname. + Available in Postfix version 3.7 and later: + + tlsproxy_client_security_level ($smtp_tls_security_level) + The default TLS security level for the Postfix tlsproxy(8) + client. + + tlsproxy_client_policy_maps ($smtp_tls_policy_maps) + Optional lookup tables with the Postfix tlsproxy(8) client TLS + security policy by next-hop destination. + OBSOLETE STARTTLS SUPPORT CONTROLS These parameters are supported for compatibility with smtpd(8) legacy parameters. diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 649df2c60..58cfe3648 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 
@@ -14185,6 +14185,12 @@ configure tlsproxy client keys and certificates is via the "tlsproxy_client_chain_files" parameter. .PP This feature is available in Postfix 3.4 and later. +.SH tlsproxy_client_level (default: $smtp_tls_security_level) +The default TLS security level for the Postfix \fBtlsproxy\fR(8) +client. See smtp_tls_security_level for further details. +.PP +This feature is available in Postfix 3.4 \- 3.6. It was +renamed to tlsproxy_client_security_level in Postfix 3.7. .SH tlsproxy_client_loglevel (default: $smtp_tls_loglevel) Enable additional Postfix \fBtlsproxy\fR(8) client logging of TLS activity. See smtp_tls_loglevel for further details. @@ -14201,12 +14207,20 @@ usage policy by next\-hop destination and by remote TLS server hostname. See smtp_tls_per_site for further details. .PP This feature is available in Postfix 3.4 and later. +.SH tlsproxy_client_policy (default: $smtp_tls_policy_maps) +Optional lookup tables with the Postfix \fBtlsproxy\fR(8) client TLS +security policy by next\-hop destination. See smtp_tls_policy_maps +for further details. +.PP +This feature is available in Postfix 3.4 \- 3.6. It was +renamed to tlsproxy_client_policy_maps in Postfix 3.7. .SH tlsproxy_client_policy_maps (default: $smtp_tls_policy_maps) Optional lookup tables with the Postfix \fBtlsproxy\fR(8) client TLS security policy by next\-hop destination. See smtp_tls_policy_maps for further details. .PP -This feature is available in Postfix 3.4 and later. +This feature is available in Postfix 3.7 and later. It +was previously called tlsproxy_client_policy. .SH tlsproxy_client_scert_verifydepth (default: $smtp_tls_scert_verifydepth) The verification depth for remote TLS server certificates. See smtp_tls_scert_verifydepth for further details. 
@@ -14216,7 +14230,8 @@ This feature is available in Postfix 3.4 and later. The default TLS security level for the Postfix \fBtlsproxy\fR(8) client. See smtp_tls_security_level for further details. .PP -This feature is available in Postfix 3.4 and later. +This feature is available in Postfix 3.7 and later. It +was previously called tlsproxy_client_level. .SH tlsproxy_client_use_tls (default: $smtp_use_tls) Opportunistic mode: use TLS when a remote server announces TLS support. See smtp_use_tls for further details. Use diff --git a/postfix/man/man8/tlsproxy.8 b/postfix/man/man8/tlsproxy.8 index fa1e572b5..10b447606 100644 --- a/postfix/man/man8/tlsproxy.8 +++ b/postfix/man/man8/tlsproxy.8 @@ -292,10 +292,10 @@ The name of the parameter that provides the tlsproxy_client_loglevel value. .IP "\fBtlsproxy_client_scert_verifydepth ($smtp_tls_scert_verifydepth)\fR" The verification depth for remote TLS server certificates. -.IP "\fBtlsproxy_client_security_level ($smtp_tls_security_level)\fR" +.IP "\fBtlsproxy_client_level ($smtp_tls_security_level)\fR" The default TLS security level for the Postfix \fBtlsproxy\fR(8) client. -.IP "\fBtlsproxy_client_policy_maps ($smtp_tls_policy_maps)\fR" +.IP "\fBtlsproxy_client_policy ($smtp_tls_policy_maps)\fR" Optional lookup tables with the Postfix \fBtlsproxy\fR(8) client TLS security policy by next\-hop destination. .IP "\fBtlsproxy_client_use_tls ($smtp_use_tls)\fR" 
@@ -307,6 +307,14 @@ Enforcement mode: require that SMTP servers use TLS encryption. Optional lookup tables with the Postfix \fBtlsproxy\fR(8) client TLS usage policy by next\-hop destination and by remote TLS server hostname. +.PP +Available in Postfix version 3.7 and later: +.IP "\fBtlsproxy_client_security_level ($smtp_tls_security_level)\fR" +The default TLS security level for the Postfix \fBtlsproxy\fR(8) +client. +.IP "\fBtlsproxy_client_policy_maps ($smtp_tls_policy_maps)\fR" +Optional lookup tables with the Postfix \fBtlsproxy\fR(8) client TLS +security policy by next\-hop destination. .SH "OBSOLETE STARTTLS SUPPORT CONTROLS" .na .nf diff --git a/postfix/mantools/check-double-install-proto-text b/postfix/mantools/check-double-install-proto-text index 4a27b84e5..bab88bc6d 100755 --- a/postfix/mantools/check-double-install-proto-text +++ b/postfix/mantools/check-double-install-proto-text @@ -4,4 +4,4 @@ LANG=C; export LANG -ls *install* proto/* | egrep -v 'stop|Makefile|html|\.proto' | xargs mantools/deroff | mantools/find-double | fgrep -vxf proto/stop.double-install-proto-text +(ls *install* proto/* | egrep -v 'stop|Makefile|html|\.proto' | xargs mantools/deroff; cat RELEASE_NOTES) | mantools/find-double | fgrep -vxf proto/stop.double-install-proto-text diff --git a/postfix/mantools/check-postfix-files b/postfix/mantools/check-postfix-files new file mode 100755 index 000000000..ea85d4058 --- /dev/null +++ b/postfix/mantools/check-postfix-files 
@@ -0,0 +1,32 @@ +#!/bin/sh + +# Reports missing documentation file names in postfix-files. For +# simplicity and maintainability this looks at file basenames only. +# The odds that a file is installed in the wrong place are small. + +trap 'rm -f expected.tmp actual.tmp' 0 1 2 3 15 + +LANG=C; export LANG +LC_ALL=C; export LC_ALL + +# Extract file basenames from postfix-files. + +awk -F: ' + BEGIN { want["f"] = want["h"] = want["l"] = want["p"] = 1 } + want[$2] == 1 { n = split($1, path, "/"); print path[n] } +' conf/postfix-files | sort >actual.tmp + +# Create a list of expected names, excluding files that aren't installed. + +(ls man/man?/* html/*.html |sed 's/.*\///' | egrep -v '^makedefs.1 +^posttls-finger.1 +^qmqp-sink.1 +^qmqp-source.1 +^qshape.1 +^smtp-sink.1 +^smtp-source.1' +ls README_FILES) | sort >expected.tmp + +# Compare the expected names against the names in postfix-files. + +comm -23 expected.tmp actual.tmp diff --git a/postfix/mantools/check-postlink b/postfix/mantools/check-postlink index cdb7e079b..21472d64e 100755 --- a/postfix/mantools/check-postlink +++ b/postfix/mantools/check-postlink @@ -1,11 +1,11 @@ #!/bin/sh -# Look for missing parameter names in postlink +# Reports parameter names that have no postlink rules. LANG=C; export LANG LC_ALL=C; export LC_ALL -trap 'rm -f postlink.tmp postconf.tmp check-postlink.tmp 2>/dev/null' 0 1 2 3 15 +trap 'rm -f postlink.tmp postconf.tmp stoplist.tmp 2>/dev/null' 0 1 2 3 15 # Extract parameters from postlink script. This also produces names # of obsolete parameters, and non-parameter names such as SMTPD 
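Review bot: The new mantools/check-postfix-files writes its work files to the fixed names `expected.tmp` and `actual.tmp` in the current directory, so a pre-existing file or symlink with one of those names in a shared or world-writable build tree would be overwritten through the `>` redirections. Where mktemp is available, a private directory avoids this: `tmpdir=$(mktemp -d) || exit 1` with `trap 'rm -rf "$tmpdir"' 0 1 2 3 15`, writing to `$tmpdir/expected` and `$tmpdir/actual`. Separately, `comm -23` is the last command and returns 0 whether or not it prints anything, so the script cannot fail a pre-release target on missing entries. How Makefile.in consumes the output is not readable on this page, so confirm whether an exit status is wanted there.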
@@ -17,124 +17,41 @@ sed -n '/[ ].*href="postconf\.5\.html#/{ p }' mantools/postlink | sort > postlink.tmp -# Extract parameters from postconf output. +# Extract parameters from postconf output, using the stock configurations. bin/postconf -dHc conf | sort >postconf.tmp -# Filter the output through a whitelist. +# Filter the postconf output through a stoplist. First, parameter +# names prefixed by their service name. -cat >check-postlink.tmp <<'EOF' -error_delivery_slot_cost -error_delivery_slot_discount -error_delivery_slot_loan -error_destination_concurrency_failed_cohort_limit -error_destination_concurrency_limit -error_destination_concurrency_negative_feedback -error_destination_concurrency_positive_feedback -error_destination_rate_delay -error_destination_recipient_limit -error_extra_recipient_limit -error_initial_destination_concurrency -error_minimum_delivery_slots -error_recipient_limit -error_recipient_refill_delay -error_recipient_refill_limit -error_transport_rate_delay -lmtp_body_checks -lmtp_cname_overrides_servername -lmtp_delivery_slot_cost -lmtp_delivery_slot_discount -lmtp_delivery_slot_loan -lmtp_destination_concurrency_failed_cohort_limit -lmtp_destination_concurrency_negative_feedback -lmtp_destination_concurrency_positive_feedback -lmtp_destination_rate_delay -lmtp_extra_recipient_limit -lmtp_header_checks -lmtp_initial_destination_concurrency -lmtp_mime_header_checks -lmtp_minimum_delivery_slots -lmtp_nested_header_checks -lmtp_recipient_limit -lmtp_recipient_refill_delay -lmtp_recipient_refill_limit -lmtp_transport_rate_delay -local_delivery_slot_cost -local_delivery_slot_discount -local_delivery_slot_loan -local_destination_concurrency_failed_cohort_limit -local_destination_concurrency_negative_feedback -local_destination_concurrency_positive_feedback -local_destination_rate_delay -local_extra_recipient_limit -local_initial_destination_concurrency -local_minimum_delivery_slots -local_recipient_limit -local_recipient_refill_delay 
-local_recipient_refill_limit -local_transport_rate_delay -relay_delivery_slot_cost -relay_delivery_slot_discount -relay_delivery_slot_loan -relay_destination_concurrency_failed_cohort_limit -relay_destination_concurrency_negative_feedback -relay_destination_concurrency_positive_feedback -relay_destination_rate_delay -relay_extra_recipient_limit -relay_initial_destination_concurrency -relay_minimum_delivery_slots -relay_recipient_limit -relay_recipient_refill_delay -relay_recipient_refill_limit -relay_transport_rate_delay -retry_delivery_slot_cost -retry_delivery_slot_discount -retry_delivery_slot_loan -retry_destination_concurrency_failed_cohort_limit -retry_destination_concurrency_limit -retry_destination_concurrency_negative_feedback -retry_destination_concurrency_positive_feedback -retry_destination_rate_delay -retry_destination_recipient_limit -retry_extra_recipient_limit -retry_initial_destination_concurrency -retry_minimum_delivery_slots -retry_recipient_limit -retry_recipient_refill_delay -retry_recipient_refill_limit -retry_transport_rate_delay -smtp_delivery_slot_cost -smtp_delivery_slot_discount -smtp_delivery_slot_loan -smtp_destination_concurrency_failed_cohort_limit -smtp_destination_concurrency_negative_feedback -smtp_destination_concurrency_positive_feedback -smtp_destination_rate_delay -smtp_extra_recipient_limit -smtp_initial_destination_concurrency -smtp_minimum_delivery_slots -smtp_recipient_limit -smtp_recipient_refill_delay -smtp_recipient_refill_limit -smtp_transport_rate_delay +for xport in error lmtp local relay retry smtp virtual +do + cat <stoplist.tmp + +# Second, pseudo parameters, read-only parameters, etc. 
+ +cat >>stoplist.tmp <<'EOF' stress -tlsproxy_client_level -tlsproxy_client_policy -virtual_delivery_slot_cost -virtual_delivery_slot_discount -virtual_delivery_slot_loan -virtual_destination_concurrency_failed_cohort_limit -virtual_destination_concurrency_negative_feedback -virtual_destination_concurrency_positive_feedback -virtual_destination_rate_delay -virtual_extra_recipient_limit -virtual_initial_destination_concurrency -virtual_minimum_delivery_slots -virtual_recipient_limit -virtual_recipient_refill_delay -virtual_recipient_refill_limit -virtual_transport_rate_delay - EOF -comm -23 postconf.tmp postlink.tmp | fgrep -vx -f check-postlink.tmp +# Report names from postconf that have no rule in mantools/postlink. + +comm -23 postconf.tmp postlink.tmp | fgrep -vx -f stoplist.tmp diff --git a/postfix/mantools/check-spell-install-proto-text b/postfix/mantools/check-spell-install-proto-text index fbf75c736..19b8140a0 100755 --- a/postfix/mantools/check-spell-install-proto-text +++ b/postfix/mantools/check-spell-install-proto-text @@ -1,7 +1,7 @@ #!/bin/sh -# Spellchecks the install scripts and proto non-html files. +# Spellchecks the release notes, install scripts, and proto non-html files. LANG=C; export LANG -ls *install* proto/* | egrep -v 'stop|Makefile|html|\.proto' | mantools/deroff | spell | fgrep -vxf proto/stop +(ls *install* proto/* | egrep -v 'stop|Makefile|html|\.proto' | mantools/deroff; cat RELEASE_NOTES) | spell | fgrep -vxf proto/stop diff --git a/postfix/mantools/missing-proxy-read-maps b/postfix/mantools/missing-proxy-read-maps index 58dc39071..11ddc4fbe 100755 --- a/postfix/mantools/missing-proxy-read-maps +++ b/postfix/mantools/missing-proxy-read-maps @@ -2,7 +2,7 @@ # Outputs missing mail_params.h lines for the proxy_read_maps default # value. -# + # First, get the proxy_read_maps default value from postconf command # output. This gives us a list of parameter names that are already # present in the proxy_read_maps default value. 
@@ -36,7 +36,7 @@ while ($line = ) { } } close(MAIL_PARAMS) || die "close $mail_params_h: !$\n"; -# + # Produce mail_params.h lines for all parameters that have names # ending in _maps and that are not listed in proxy_read_maps. We get # the full parameter name list from postconf command output. Abort diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink index 602d80c83..2b1ad8b2a 100755 --- a/postfix/mantools/postlink +++ b/postfix/mantools/postlink @@ -1130,8 +1130,10 @@ while (<>) { s;\btlsproxy_client_loglevel_parameter\b;$&;g; s;\btlsproxy_client_scert_verifydepth\b;$&;g; + s;\btlsproxy_client_level\b;$&;g; s;\btlsproxy_client_security_level\b;$&;g; s;\btlsproxy_client_per_site\b;$&;g; + s;\btlsproxy_client_policy\b;$&;g; s;\btlsproxy_client_policy_maps\b;$&;g; s;\btlsproxy_client_use_tls\b;$&;g; s;\btlsproxy_client_enforce_tls\b;$&;g; diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index e45d4afec..9b5a550d4 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -17493,12 +17493,21 @@ See smtp_tls_scert_verifydepth for further details.

This feature is available in Postfix 3.4 and later.

+%PARAM tlsproxy_client_level $smtp_tls_security_level + +

The default TLS security level for the Postfix tlsproxy(8) +client. See smtp_tls_security_level for further details.

+ +

This feature is available in Postfix 3.4 - 3.6. It was +renamed to tlsproxy_client_security_level in Postfix 3.7.

+ %PARAM tlsproxy_client_security_level $smtp_tls_security_level

The default TLS security level for the Postfix tlsproxy(8) client. See smtp_tls_security_level for further details.

-

This feature is available in Postfix 3.4 and later.

+

This feature is available in Postfix 3.7 and later. It +was previously called tlsproxy_client_level.

%PARAM tlsproxy_client_per_site $smtp_tls_per_site @@ -17508,13 +17517,23 @@ hostname. See smtp_tls_per_site for further details.

This feature is available in Postfix 3.4 and later.

+%PARAM tlsproxy_client_policy $smtp_tls_policy_maps + +

Optional lookup tables with the Postfix tlsproxy(8) client TLS +security policy by next-hop destination. See smtp_tls_policy_maps +for further details.

+ +

This feature is available in Postfix 3.4 - 3.6. It was +renamed to tlsproxy_client_policy_maps in Postfix 3.7.

+ %PARAM tlsproxy_client_policy_maps $smtp_tls_policy_maps

Optional lookup tables with the Postfix tlsproxy(8) client TLS security policy by next-hop destination. See smtp_tls_policy_maps for further details.

-

This feature is available in Postfix 3.4 and later.

+

This feature is available in Postfix 3.7 and later. It +was previously called tlsproxy_client_policy.

%PARAM tlsproxy_client_use_tls $smtp_use_tls diff --git a/postfix/proto/stop b/postfix/proto/stop index 1679528a3..930c11e35 100644 --- a/postfix/proto/stop +++ b/postfix/proto/stop @@ -1551,3 +1551,7 @@ proto ICMP NORANDOMIZE wallclock +BDAT +IPL +yyyy +yyyymmdd diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index 4b530648a..01cce33ce 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -2501,7 +2501,8 @@ extern int var_local_rcpt_code; " $" VAR_LOCAL_LOGIN_SND_MAPS \ " $" VAR_PSC_REJ_FTR_MAPS \ " $" VAR_SMTPD_REJ_FTR_MAPS \ - " $" VAR_TLS_SERVER_SNI_MAPS + " $" VAR_TLS_SERVER_SNI_MAPS \ + " $" VAR_TLSP_CLNT_POLICY extern char *var_proxy_read_maps; #define VAR_PROXY_WRITE_MAPS "proxy_write_maps" @@ -4065,16 +4066,20 @@ extern bool var_tlsp_clnt_use_tls; #define DEF_TLSP_CLNT_ENFORCE_TLS "$" VAR_SMTP_ENFORCE_TLS extern bool var_tlsp_clnt_enforce_tls; -#define VAR_TLSP_CLNT_LEVEL "tlsproxy_client_level" -#define DEF_TLSP_CLNT_LEVEL "$" VAR_SMTP_TLS_LEVEL +/* Migrate an incorrect name. */ +#define OBS_TLSP_CLNT_LEVEL "tlsproxy_client_level" +#define VAR_TLSP_CLNT_LEVEL "tlsproxy_client_security_level" +#define DEF_TLSP_CLNT_LEVEL "${" OBS_TLSP_CLNT_LEVEL ":$" VAR_SMTP_TLS_LEVEL "}" extern char *var_tlsp_clnt_level; #define VAR_TLSP_CLNT_PER_SITE "tlsproxy_client_per_site" #define DEF_TLSP_CLNT_PER_SITE "$" VAR_SMTP_TLS_PER_SITE extern char *var_tlsp_clnt_per_site; -#define VAR_TLSP_CLNT_POLICY "tlsproxy_client_policy" -#define DEF_TLSP_CLNT_POLICY "$" VAR_SMTP_TLS_POLICY +/* Migrate an incorrect name. */ +#define OBS_TLSP_CLNT_POLICY "tlsproxy_client_policy" +#define VAR_TLSP_CLNT_POLICY "tlsproxy_client_policy_maps" +#define DEF_TLSP_CLNT_POLICY "${" OBS_TLSP_CLNT_POLICY ":$" VAR_SMTP_TLS_POLICY "}" extern char *var_tlsp_clnt_policy; /* diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index ff5c7013c..4d5bd1f72 100644 --- a/postfix/src/global/mail_version.h 
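Review bot: The new defaults `"${" OBS_TLSP_CLNT_LEVEL ":$" VAR_SMTP_TLS_LEVEL "}"` and the matching `DEF_TLSP_CLNT_POLICY` use the `${name:value}` form, which postconf(5) describes as expanding to value when $name is empty; it does not say that the old parameter's own value is substituted when it is set. If that reading is right, a main.cf that still sets only tlsproxy_client_level or tlsproxy_client_policy would leave the renamed parameters empty instead of carrying the configured TLS level or policy table forward, and nothing would be logged about it. Please confirm with a postconf run that sets only the old names. The ternary form states both branches explicitly: `"${" OBS_TLSP_CLNT_LEVEL "?{$" OBS_TLSP_CLNT_LEVEL "}:{$" VAR_SMTP_TLS_LEVEL "}}"`, and likewise for the policy default.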
+++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20220117" +#define MAIL_RELEASE_DATE "20220121" #define MAIL_VERSION_NUMBER "3.7" #ifdef SNAPSHOT diff --git a/postfix/src/postconf/postconf_builtin.c b/postfix/src/postconf/postconf_builtin.c index f430568bb..1fc337c5f 100644 --- a/postfix/src/postconf/postconf_builtin.c +++ b/postfix/src/postconf/postconf_builtin.c @@ -148,6 +148,8 @@ static const CONFIG_STR_TABLE pcf_legacy_str_table[] = { {"lmtp_per_record_deadline", ""}, {"smtp_per_record_deadline", ""}, {"smtpd_per_record_deadline", ""}, + {"tlsproxy_client_level", ""}, + {"tlsproxy_client_policy", ""}, 0, }; diff --git a/postfix/src/smtp/smtp.h b/postfix/src/smtp/smtp.h index 137ccc802..742ed300c 100644 --- a/postfix/src/smtp/smtp.h +++ b/postfix/src/smtp/smtp.h @@ -191,6 +191,12 @@ typedef struct SMTP_STATE { * assume per-server debug_peer support. */ int debug_peer_per_nexthop; + + /* + * One-bit counters to avoid logging the same warning multiple times per + * delivery request. + */ + int logged_line_length_limit:1; } SMTP_STATE; /* diff --git a/postfix/src/smtp/smtp_proto.c b/postfix/src/smtp/smtp_proto.c index 650b5306f..2ceb0f35c 100644 --- a/postfix/src/smtp/smtp_proto.c +++ b/postfix/src/smtp/smtp_proto.c @@ -1194,8 +1194,11 @@ static void smtp_text_out(void *context, int rec_type, * multibyte characters can span queue file records, for * example if line_length_limit == smtp_line_length_limit. */ - msg_info("%s: breaking line > %d bytes with SPACE", - state->request->queue_id, var_smtp_line_limit); + if (state->logged_line_length_limit == 0) { + msg_info("%s: breaking line > %d bytes with SPACE", + state->request->queue_id, var_smtp_line_limit); + state->logged_line_length_limit = 1; + } } } else { if (rec_type == REC_TYPE_CONT) { 
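Review bot: `int logged_line_length_limit:1;` in SMTP_STATE is a one-bit field of plain `int`, whose signedness is implementation-defined; where it is signed it can hold only 0 and -1, so `state->logged_line_length_limit = 1` in the smtp_proto.c hunk stores -1. The `== 0` test used there still behaves as intended, but a later `== 1` comparison would not, and compilers can warn about the conversion. Declaring it as `unsigned int logged_line_length_limit:1;` removes the ambiguity. Both the struct and the function that sets the flag extend beyond the visible hunks.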
diff --git a/postfix/src/smtp/smtp_state.c b/postfix/src/smtp/smtp_state.c index 3416e0f5d..6b81fa4ed 100644 --- a/postfix/src/smtp/smtp_state.c +++ b/postfix/src/smtp/smtp_state.c @@ -88,6 +88,7 @@ SMTP_STATE *smtp_state_alloc(void) } state->why = dsb_create(); state->debug_peer_per_nexthop = 0; + state->logged_line_length_limit = 0; return (state); } diff --git a/postfix/src/tlsproxy/tlsproxy.c b/postfix/src/tlsproxy/tlsproxy.c index 836177629..42b7a75e7 100644 --- a/postfix/src/tlsproxy/tlsproxy.c +++ b/postfix/src/tlsproxy/tlsproxy.c @@ -272,10 +272,10 @@ /* value. /* .IP "\fBtlsproxy_client_scert_verifydepth ($smtp_tls_scert_verifydepth)\fR" /* The verification depth for remote TLS server certificates. -/* .IP "\fBtlsproxy_client_security_level ($smtp_tls_security_level)\fR" +/* .IP "\fBtlsproxy_client_level ($smtp_tls_security_level)\fR" /* The default TLS security level for the Postfix \fBtlsproxy\fR(8) /* client. -/* .IP "\fBtlsproxy_client_policy_maps ($smtp_tls_policy_maps)\fR" +/* .IP "\fBtlsproxy_client_policy ($smtp_tls_policy_maps)\fR" /* Optional lookup tables with the Postfix \fBtlsproxy\fR(8) client TLS /* security policy by next-hop destination. /* .IP "\fBtlsproxy_client_use_tls ($smtp_use_tls)\fR" @@ -287,6 +287,14 @@ /* Optional lookup tables with the Postfix \fBtlsproxy\fR(8) client TLS /* usage policy by next-hop destination and by remote TLS server /* hostname. +/* .PP +/* Available in Postfix version 3.7 and later: +/* .IP "\fBtlsproxy_client_security_level ($smtp_tls_security_level)\fR" +/* The default TLS security level for the Postfix \fBtlsproxy\fR(8) +/* client. +/* .IP "\fBtlsproxy_client_policy_maps ($smtp_tls_policy_maps)\fR" +/* Optional lookup tables with the Postfix \fBtlsproxy\fR(8) client TLS +/* security policy by next-hop destination. /* OBSOLETE STARTTLS SUPPORT CONTROLS /* .ad /* .fi