postfix-3.2.0-RC1

2025-08-29 13:18:12 +00:00 · 2017-02-12 00:00:00 -05:00 · 2017-02-12 00:00:00 -05:00 · 41a8fe84f2
commit 41a8fe84f2
parent feca6d955e
11 changed files with 238 additions and 135 deletions
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@ -22923,6 +22923,18 @@ Apologies for any names omitted.
 20170206
-	Bugfix (introduced: Postfix 2.2): check_mumble_a_access
+	Bugfix (introduced: Postfix 3.0): when check_mumble_a_access
-	did not handle [ipaddress], unlike check_mumble_mx_access. 
+	did not handle [ipaddress], unlike check_mumble_mx_access.
-	Reported by James (postfix_tracker). File: smtpd/smtpd_check.c.
+	When check_mumble_a_access was introduced, some condition
 	was not updated.  Reported by James (postfix_tracker). File:
 	smtpd/smtpd_check.c.
 20170207
 	Cleanup: rephrased the precondition paranoia. File:
 	global/mail_conf.c.
 20170211
 	Cleanup: rephrased the precondition for paranoia. File:
 	util/unsafe.c.
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@ -1,12 +1,12 @@
-This is the Postfix 3.2 (experimental) release.
+This is the Postfix 3.2 (stable) release.
-The stable Postfix release is called postfix-3.1.x where 3=major
+The stable Postfix release is called postfix-3.2.x where 3=major
-release number, 1=minor release number, x=patchlevel.  The stable
+release number, 2=minor release number, x=patchlevel.  The stable
 release never changes except for patches that address bugs or
 emergencies. Patches change the patchlevel and the release date.
 New features are developed in snapshot releases. These are called
-postfix-3.2-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+postfix-3.3-yyyymmdd where yyyymmdd is the release date (yyyy=year,
 mm=month, dd=day).  Patches are never issued for snapshot releases;
 instead, a new snapshot is released.
@ -16,106 +16,165 @@ specifies the release date of a stable release or snapshot release.
 If you upgrade from Postfix 3.0 or earlier, read RELEASE_NOTES-3.1
 before proceeding.
-Incompatible changes with snapshot 20161227
+Invisible changes
-===========================================
+-----------------
-For safety reasons, the sendmail -C option must specify an authorized
+In addition to the visible changes described below, there is an
-directory: the default configuration directory, a directory that
+ongoing overhaul of low-level code. With each change come updated
-is listed in the default main.cf file with alternate_config_directories
+tests to ensure that future changes will not 'break' compatibility
-or multi_instance_directories, or the command must be invoked with
+with past behavior.
 root privileges.  This mitigates a problem with the PHP mail()
 function.
-Major changes with snapshot 20161227
+Major changes - address mapping
-====================================
+-------------------------------
-Support to negotiate Elliptic curves with OpenSSL 1.0.2 or later
+[Feature 20170128] Postfix 3.2 fixes the handling of address
-(on platforms where EC algorithms have not been disabled by the
+extensions with email addresses that contain spaces. For example,
-vendor).  See TLS_README for details. In summary, this changes the
+the virtual_alias_maps, canonical_maps, and smtp_generic_maps
-default smtpd_tls_eecdh_grade setting to "auto", and introduces a
+features now correctly propagate an address extension from "aa
-new parameter tls_eecdh_auto_curves with the names of curves that
+bb+ext"@example.com to "cc dd+ext"@other.example, instead of
-may be negotiated.  The default tls_eecdh_auto_curves setting is
+producing broken output.
 determined at compile time, and depends on the Postfix and OpenSSL
 versions.  At runtime, Postfix will skip curve names that aren't
 supported by the OpenSSL library.
-The MySQL client now has support for stored procedures. See the
+Major changes - header/body_checks
-mysql_table(5) manpage for details.
+----------------------------------
-Incompatible changes with snapshot 20161204
+[Feature 20161008] "PASS" and "STRIP" actions in header/body_checks.
-===========================================
+"STRIP" is similar to "IGNORE" but also logs the action, and "PASS"
 disables header, body, and Milter inspection for the remainder of
 the message content.  Contributed by Hobbit.
-Postfix 3.2 removes tentative features that were implemented
+Major changes - log analysis
-before the DANE spec was finalized:
+----------------------------
- Support for certificate usage PKIX-EE(1), 
+[Feature 20160330] The collate.pl script by Viktor Dukhovni for
 grouping Postfix logfile records into "sessions" based on queue ID
 and process ID information. It's in the auxiliary/collate directory
 of the Postfix source tree.
- The ability to disable digest agility. Postfix 3.2 always behaves
+Major changes - maps support
-  as if "tls_dane_digest_agility = on.
+----------------------------
 [Feature 20160527] Postfix 3.2 cidr tables support if/endif and
 negation (by prepending ! to a pattern), just like regexp and pcre
 tables.  The primarily purpose is to improve readability of complex
 tables. See the cidr_table(5) manpage for syntax details.
 [Incompat 20160925] In the Postfix MySQL database client, the default
 option_group value has changed to "client", to enable reading of
 "client" option group settings in the MySQL options file. This fixes
 a "not found" problem with Postfix queries that contain UTF8-encoded
 non-ASCII text.  Specify an empty option_group value (option_group
 =) to get backwards-compatible behavior.
 [Feature 20161217] Stored-procedure support for MySQL databases.
 Contributed by John Fawcett. See mysql_table(5) for instructions.
 [Feature 20170128] The postmap command, and the inline: and texthash:
 maps now support spaces in left-hand field of the lookup table
 "source text". Use double quotes (") around a left-hand field that
 contains spaces, and use backslash (\) to protect embedded quotes
 in a left-hand field. There is no change in the processing of the
 right-hand field.
 Major changes - milter support
 ------------------------------
 [Feature 20160611] The Postfix SMTP server local IP address and
 port are available in the policy delegation protocol (attribute
 names: server_address, server_port), in the Milter protocol (macro
 names: {daemon_addr}, {daemon_port}), and in the XCLIENT protocol
 (attribute names: DESTADDR, DESTPORT).
 [Feature 20161024] smtpd_milter_maps support for per-client Milter
 configuration that overrides smtpd_milters, and that has the same
 syntax. A lookup result of "DISABLE" turns off Milter support. See
 MILTER_README.html for details.
 Major changes - policy delegation
 ---------------------------------
 [Feature 20160611] The Postfix SMTP server local IP address and
 port are available in the policy delegation protocol (attribute
 names: server_address, server_port), in the Milter protocol (macro
 names: {daemon_addr}, {daemon_port}), and in the XCLIENT protocol
 (attribute names: DESTADDR, DESTPORT).
 Major changes - postqueue
 -------------------------
 [Incompat 20170129] The postqueue command no longer forces all
 message arrival times to be reported in UTC. To get the old behavior,
 set TZ=UTC in main.cf:import_environment (this override is not
 recommended, as it affects all Postfix utities and daemons).
 Major changes - safety
 ----------------------
 [Incompat 20161227] For safety reasons, the sendmail -C option must
 specify an authorized directory: the default configuration directory,
 a directory that is listed in the default main.cf file with
 alternate_config_directories or multi_instance_directories, or the
 command must be invoked with root privileges (UID 0 and EUID 0).
 This mitigates a recurring problem with the PHP mail() function.
 Major changes - sasl
 --------------------
 [Feature 20160625] The Postfix SMTP server now passes remote client
 and local server network address and port information to the Cyrus
 SASL library. Build with ``make makefiles "CCARGS=$CCARGS
 -DNO_IP_CYRUS_SASL_AUTH"'' for backwards compatibility.
 Major changes - smtputf8
 ------------------------
 [Feature 20161103] Postfix 3.2 disables the 'transitional' compatibility
 between the IDNA2003 and IDNA2008 standards for internationalized
 domain names (domain names beyond the limits of US-ASCII).
 This change makes Postfix behavior consistent with contemporary web
 browsers. It affects the handling of some corner cases such as
 German sz and Greek zeta. See http://unicode.org/cldr/utility/idna.jsp
 for more examples.
 Specify "enable_idna2003_compatibility = yes" to restore historical
 behavior (but keep in mind that the rest of the world may not make
 that same choice).
 Major changes - tls
 -------------------
 [Feature 20160828] Fixes for deprecated OpenSSL 1.1.0 API features,
 so that Postfix will build without depending on backwards-compatibility
 support.
 [Incompat 20161204] Postfix 3.2 removes tentative features that
 were implemented before the DANE spec was finalized:
 - Support for certificate usage PKIX-EE(1),
 - The ability to disable digest agility (Postfix now behaves as if
  "tls_dane_digest_agility = on"), and
 - The ability to disable support for "TLSA 2 [01] [12]" records
-  that specify the digest of a trust anchor. Postfix 3.2 always
+  that specify the digest of a trust anchor (Postfix now behaves
-  behaves as if "tls_dane_trust_anchor_digest_enable = yes".
+  as if "tls_dane_trust_anchor_digest_enable = yes).
-Incompatible changes with snapshot 20161103
+[Feature 20161217] Postfix 3.2 enables elliptic curve negotiation
-===========================================
+with OpenSSL >= 1.0.2.  This changes the default smtpd_tls_eecdh_grade
 setting to "auto", and introduces a new parameter tls_eecdh_auto_curves
 with the names of curves that may be negotiated.
-Postfix 3.2 by default disables the 'transitional' compatibility
+The default tls_eecdh_auto_curves setting is determined at compile
-between IDNA2003 and IDNA2008, when converting UTF-8 domain names
+time, and depends on the Postfix and OpenSSL versions.  At runtime,
-to/from the ASCII form that is used in DNS lookups.  This makes
+Postfix will skip curve names that aren't supported by the OpenSSL
-Postfix behavior consistent with current versions of the Firefox
+library.
 and Chrome web browsers. Specify "enable_idna2003_compatibility =
 yes" for historical behavior.
-This affects the conversion of, for example, the German sz and the
+Major changes - xclient
-Greek zeta. See http://unicode.org/cldr/utility/idna.jsp for more
+-----------------------
 examples.
-Major changes with snapshot 20161031
+[Feature 20160611] The Postfix SMTP server local IP address and
-====================================
+port are available in the policy delegation protocol (attribute
 names: server_address, server_port), in the Milter protocol (macro
 names: {daemon_addr}, {daemon_port}), and in the XCLIENT protocol
 (attribute names: DESTADDR, DESTPORT).
 The smtpd_milter_maps feature supports per-client Milter configuration.
 This overrides the global smtpd_milters setting and has the same syntax. A
 lookup result of "DISABLE" turns off Milter support.
 Incompatible changes with snapshot 20160925
 ===========================================
 In the Postfix MySQL database client, the default option_group value
 has changed to "client", to enable reading of "client" option group
 settings in the MySQL options file. This fixes a "not found" problem
 with Postfix queries that contain UTF8-encoded non-ASCII text.
 Specify an empty option_group value (option_group =) to get
 backwards-compatible behavior.
 Major changes with snapshot 20160625
 ====================================
 Support in the Postfix SMTP server for propagating the local SMTP
 server IP address and port. This affects the following Postfix
 interfaces:
 - Policy delegation. The server address and port are available as
 "server_address" and "server_port". See SMTPD_POLICY_README for an
 overview of available attributes.
 - Milter applications. The server address and port are available
 as "{daemon_addr}" and "{daemon_port}". See MILTER_README for a
 table of available attributes.
 - Cyrus SASL. The server address and port are now passed to the
 sasl_server_new() function as "ipaddress;port".
 - XCLIENT protocol. The server address and port can be specified
 as "DESTADDR" and "DESTPORT". See XCLIENT_README for a description
 of the attribute syntax. The new attributes may be of interest for
 nxginx.
 Major changes with snapshot 20160527
 ====================================
 Postfix cidr tables now support if..endif, and pattern negation
 with "!", just like regexp and pcre tables. The if..endif can speed
 up lookups by skipping over irrelevant patterns, and can make rule
 maintenance easier because rules for a network can now be placed
 inside if..endif.  See the cidr_table(5) manpage for syntax details.
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@ -784,16 +784,21 @@ cannot match Postfix access tables, because the address is ambiguous.
 <p>
 A list of non-default Postfix configuration directories that may
 be specified with "-c <a href="postconf.5.html#config_directory">config_directory</a>" on the command line (in the
-case of <a href="sendmail.1.html">sendmail(1)</a>, with "-C <a href="postconf.5.html#config_directory">config_directory</a>"), or via the MAIL_CONFIG
+case of <a href="sendmail.1.html">sendmail(1)</a>, with the "-C" option), or via the MAIL_CONFIG
 environment parameter.
 </p>
 <p>
-This list must be specified in the default Postfix configuration
+This list must be specified in the default Postfix <a href="postconf.5.html">main.cf</a> file,
-directory, and is used by set-gid Postfix commands such as <a href="postqueue.1.html">postqueue(1)</a>
+and will be used by set-gid Postfix commands such as <a href="postqueue.1.html">postqueue(1)</a>
 and <a href="postdrop.1.html">postdrop(1)</a>.
 </p>
 <p>
 Specify absolute pathnames, separated by comma or space. Note: $name
 expansion is not supported.
 </p>
 </DD>
--- a/postfix/makedefs
+++ b/postfix/makedefs
@ -862,7 +862,7 @@ case "$CC" in
 esac
 # Snapshot only.
-CCARGS="$CCARGS -DSNAPSHOT"
+#CCARGS="$CCARGS -DSNAPSHOT"
 # Non-production: needs thorough testing, or major changes are still
 # needed before the code stabilizes.
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@ -462,12 +462,15 @@ cannot match Postfix access tables, because the address is ambiguous.
 .SH alternate_config_directories (default: empty)
 A list of non\-default Postfix configuration directories that may
 be specified with "\-c config_directory" on the command line (in the
-case of \fBsendmail\fR(1), with "\-C config_directory"), or via the MAIL_CONFIG
+case of \fBsendmail\fR(1), with the "\-C" option), or via the MAIL_CONFIG
 environment parameter.
 .PP
-This list must be specified in the default Postfix configuration
+This list must be specified in the default Postfix main.cf file,
-directory, and is used by set\-gid Postfix commands such as \fBpostqueue\fR(1)
+and will be used by set\-gid Postfix commands such as \fBpostqueue\fR(1)
 and \fBpostdrop\fR(1).
 .PP
 Specify absolute pathnames, separated by comma or space. Note: $name
 expansion is not supported.
 .SH always_add_missing_headers (default: no)
 Always add (Resent\-) From:, To:, Date: or Message\-ID: headers
 when not present.  Postfix 2.6 and later add these headers only
--- a/postfix/mantools/make-relnotes
+++ b/postfix/mantools/make-relnotes
@ -3,12 +3,14 @@
 # Transform RELEASE_NOTES, split into "leader", and "major changes",
 # split into major categories, and prepend dates to paragraphs.
 #
-# Input format: the leader text is copied verbatim; each paragraph
+# Input format: the leader text is copied verbatim; each section
-# starts with [class, class] where a class specifies one or more
+# starts with "Incompatible changes with snapshot YYYYMMDD" or "Major
-# categories that the change should be listed under. Adding class
+# changes with snapshot YYYYMMDD"; each paragraph starts with [class,
-# info is the only manual processing needed to go from a RELEASE_NOTES
+# class] where a class specifies one or more categories that the
-# file to the transformed representation.
+# change should be listed under. Adding class info is the only manual
-# 
+# processing needed to go from a RELEASE_NOTES file to the transformed
 # representation.
 #
 # Output format: each category is printed with a little header and
 # each paragraph is tagged with [Incompat yyyymmdd] or with [Feature
 # yyyymmdd].
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@ -7126,16 +7126,21 @@ probes, and generates probes on request by other Postfix processes.
 <p>
 A list of non-default Postfix configuration directories that may
 be specified with "-c config_directory" on the command line (in the
-case of sendmail(1), with "-C config_directory"), or via the MAIL_CONFIG
+case of sendmail(1), with the "-C" option), or via the MAIL_CONFIG
 environment parameter.
 </p>
 <p>
-This list must be specified in the default Postfix configuration
+This list must be specified in the default Postfix main.cf file,
-directory, and is used by set-gid Postfix commands such as postqueue(1)
+and will be used by set-gid Postfix commands such as postqueue(1)
 and postdrop(1).
 </p>
 <p>
 Specify absolute pathnames, separated by comma or space. Note: $name
 expansion is not supported.
 </p>
 %PARAM append_at_myorigin yes
 <p>
--- a/postfix/src/global/mail_conf.c
+++ b/postfix/src/global/mail_conf.c
@ -31,8 +31,18 @@
 /*	const char *mail_conf_lookup_eval(name)
 /*	const char *name;
 /* DESCRIPTION
-/*	mail_conf_suck() reads the global Postfix configuration file, and
+/*	mail_conf_suck() reads the global Postfix configuration
-/*	stores its values into a global configuration dictionary.
+/*	file, and stores its values into a global configuration
 /*	dictionary. When the configuration directory name is not
 /*	trusted, this function requires that the directory name is
 /*	authorized with the alternate_config_directories setting
 /*	in the default main.cf file.
 /*
 /*	This function requires that all configuration directory
 /*	override mechanisms set the MAIL_CONFIG environment variable,
 /*	even if the override was specified via the command line.
 /*	This reduces the number of pathways that need to be checked
 /*	for possible security attacks.
 /*
 /*	mail_conf_read() invokes mail_conf_suck() and assigns the values
 /*	to global variables by calling mail_params_init().
@ -197,8 +207,8 @@ void    mail_conf_suck(void)
    set_mail_conf_str(VAR_CONFIG_DIR, var_config_dir);
    /*
-     * If the configuration directory name comes from a different trust
+     * If the configuration directory name comes from an untrusted source,
-     * domain, require that it is listed in the default main.cf file.
+     * require that it is listed in the default main.cf file.
     */
    if (strcmp(var_config_dir, DEF_CONFIG_DIR) != 0	/* non-default */
 	&& unsafe())				/* untrusted env and cli */
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@ -20,8 +20,8 @@
  * Patches change both the patchlevel and the release date. Snapshots have no
  * patchlevel; they change the release date only.
  */
-#define MAIL_RELEASE_DATE	"20170206"
+#define MAIL_RELEASE_DATE	"20170212"
-#define MAIL_VERSION_NUMBER	"3.2"
+#define MAIL_VERSION_NUMBER	"3.2.0-RC1"
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE
--- a/postfix/src/postsuper/postsuper.c
+++ b/postfix/src/postsuper/postsuper.c
@ -1239,7 +1239,7 @@ int     main(int argc, char **argv)
    mail_conf_read();
    /* Enforce consistent operation of different Postfix parts. */
    import_env = mail_parm_split(VAR_IMPORT_ENVIRON, var_import_environ);
-    clean_env(import_env->argv);
+    update_env(import_env->argv);
    argv_free(import_env);
    /* Re-evaluate mail_task() after reading main.cf. */
    msg_syslog_init(mail_task(argv[0]), LOG_PID, LOG_FACILITY);
--- a/postfix/src/util/unsafe.c
+++ b/postfix/src/util/unsafe.c
@ -8,19 +8,20 @@
 /*
 /*	int	unsafe()
 /* DESCRIPTION
-/*	The \fBunsafe()\fR routine attempts to determine if the process runs
+/*	The \fBunsafe()\fR routine attempts to determine if the process
-/*	with any privileges that do not belong to the user. The purpose is
+/*	(runs with privileges or has access to information) that the
-/*	to make it easy to taint any user-provided data such as the current
+/*	controlling user has no access to. The purpose is to prevent
-/*	working directory, the process environment, etcetera.
+/*	misuse of privileges, including access to protected information.
 /*
-/*	On UNIX systems, the result is true when any of the following
+/*	The result is always false when both of the following conditions
-/*	conditions is true:
+/*	are true:
 /* .IP \(bu
-/*	The real UID is non-zero.
+/*	The real UID is zero.
 /* .IP \(bu
-/*	The effective UID is non-zero.
+/*	The effective UID is zero.
 /* .PP
-/*	Additionally, any of the following conditions must be true:
+/*	Otherwise, the result is true if any of the following conditions
 /*	is true:
 /* .IP \(bu
 /*	The issetuid kernel flag is non-zero (on systems that support
 /*	this concept).
@ -28,10 +29,6 @@
 /*	The real and effective user id differ.
 /* .IP \(bu
 /*	The real and effective group id differ.
 /* .PP
 /*	Thus, when a process runs as the super-user, it is excluded
 /*	from privilege-escalation concerns, but only if both real
 /*	UID and effective UID are zero.
 /* LICENSE
 /* .ad
 /* .fi
@ -56,10 +53,20 @@
 int     unsafe(void)
 {
-    return ((getuid() || geteuid())
+
-	    && (geteuid() != getuid()
+    /*
     * The super-user is trusted.
     */
    if (getuid() == 0 && geteuid() == 0)
 	return (0);
    /*
     * Danger: don't trust inherited process attributes, and don't leak
     * privileged info that the parent has no access to.
     */
    return (geteuid() != getuid()
 #ifdef HAS_ISSETUGID
-		|| issetugid()
+	    || issetugid()
 #endif
-		|| getgid() != getegid()));
+	    || getgid() != getegid());
 }