From 42dbfa896eedf75e8a87c2bc250f39c5620ef7ed Mon Sep 17 00:00:00 2001
From: Wietse Venema <wietse@porcupine.org>
Date: Sun, 24 Dec 2006 00:00:00 -0500
Subject: [PATCH] postfix-2.4-20061224

---
 postfix/HISTORY                    | 16 ++++++++-------
 postfix/README_FILES/FILTER_README |  5 +++++
 postfix/RELEASE_NOTES              | 14 +++++++++++++
 postfix/html/FILTER_README.html    |  5 +++++
 postfix/html/pipe.8.html           | 33 +++++++++++++++++-------------
 postfix/html/spawn.8.html          | 31 ++++++++++++++++------------
 postfix/man/man8/pipe.8            |  4 ++++
 postfix/man/man8/spawn.8           |  4 ++++
 postfix/proto/FILTER_README.html   |  5 +++++
 postfix/src/global/mail_version.h  |  2 +-
 postfix/src/milter/milter8.c       | 25 +++-------------------
 postfix/src/pipe/pipe.c            |  6 +++++-
 postfix/src/spawn/spawn.c          |  6 +++++-
 13 files changed, 97 insertions(+), 59 deletions(-)

diff --git a/postfix/HISTORY b/postfix/HISTORY
index 37bc435e4..51a92d9bf 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -12816,9 +12816,6 @@ Apologies for any names omitted.
 
 20061106
 
-	The following is implemented using snapshot 20061019 as the
-	code base.
-
 	Feature: new retry delivery agent, to avoid the synchronous
 	defer service client in the queue manager. This code is
 	co-located with the error(8) server. File: error/error.c.
@@ -12987,11 +12984,11 @@ Apologies for any names omitted.
 
 20061211
 
-	When doing server access control by the TLS client fingerprint,
-	do not require client certificate verification.  Victor
-	Duchovni.  File: smtpd/smtpd_check.c.
+	Cleanup: when doing server access control by the remote TLS
+	client fingerprint, do not require client certificate
+	verification.  Victor Duchovni.  File: smtpd/smtpd_check.c.
 
-	When the remote SMTP client certificate isn't verified,
+	Safety: when the remote TLS client certificate isn't verified,
 	don't send ccert_subject and ccert_issuer attributes in
 	check_policy_service requests. Victor Duchovni. File:
 	smtpd/smtpd_check.c.
@@ -13045,6 +13042,11 @@ Apologies for any names omitted.
 	N+M) could work as if (N, N) had been specified. Problem
 	reported by Mark Martinec.  File: milter/milter8.c.
 
+20061221
+
+	Feature: time unit suffix support in _command_time_limit.
+	Files: pipe/pipe.c, spawn/spawn.c.
+
 Wish list:
 
 	Update MILTER_README with Martinec info.
diff --git a/postfix/README_FILES/FILTER_README b/postfix/README_FILES/FILTER_README
index 330e58630..970583712 100644
--- a/postfix/README_FILES/FILTER_README
+++ b/postfix/README_FILES/FILTER_README
@@ -331,6 +331,7 @@ the Postfix master.cf file:
         scan      unix  -       -       n       -       10      smtp
             -o smtp_send_xforward_command=yes
             -o disable_mime_output_conversion=yes
+            -o smtp_generic_maps=
 
   * This runs up to 10 content filters in parallel. Instead of a limit of 10
     concurrent processes, use whatever process limit is feasible for your
@@ -349,6 +350,10 @@ the Postfix master.cf file:
     because some SMTP-based content filters don't announce 8BITMIME support,
     even though they can handle it just fine.
 
+  * The "-o smtp_generic_maps=" is a workaround that prevents local address
+    rewriting with generic(5) maps. Such rewriting should happen only when mail
+    is sent out to the Internet.
+
 AAddvvaanncceedd ccoonntteenntt ffiilltteerr:: rruunnnniinngg tthhee ccoonntteenntt ffiilltteerr
 
 The content filter can be set up with the Postfix spawn service, which is the
diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES
index 8f14d7827..84d03ca59 100644
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@@ -32,6 +32,20 @@ More precise queue flushing with the ETRN, "postqueue -s site", and
 New per-queue-file flushing with "postqueue -i queueid" and "sendmail
 -qIqueueid".
 
+Incompatible changes with Postfix snapshot 20061214
+===================================================
+
+The check_smtpd_policy client sends TLS certificate attributes
+(client ccert_subject, ccert_issuer) only after successful client
+certificate verification. The reason is that the certification
+verification status itself is not available in the policy request.
+
+The check_smtpd_policy client sends TLS certificate fingerprint
+information even when the certificate itself was not verified.
+
+The remote SMTP client TLS certificate fingerprint can be used for
+access control even when the certificate itself was not verified.
+
 Incompatible changes with Postfix snapshot 20061209
 ===================================================
 
diff --git a/postfix/html/FILTER_README.html b/postfix/html/FILTER_README.html
index bd78079a8..b678175bc 100644
--- a/postfix/html/FILTER_README.html
+++ b/postfix/html/FILTER_README.html
@@ -616,6 +616,7 @@ how one would set up the service in the Postfix <a href="master.5.html">master.c
     scan      unix  -       -       n       -       10      smtp
         -o <a href="postconf.5.html#smtp_send_xforward_command">smtp_send_xforward_command</a>=yes
         -o <a href="postconf.5.html#disable_mime_output_conversion">disable_mime_output_conversion</a>=yes
+        -o <a href="postconf.5.html#smtp_generic_maps">smtp_generic_maps</a>=
 </pre>
 </blockquote>
 
@@ -639,6 +640,10 @@ that prevents the breaking of domainkeys and other digital signatures.
 This is needed because some SMTP-based content filters don't announce
 8BITMIME support, even though they can handle it just fine.  </p>
 
+<li> <p> The "-o <a href="postconf.5.html#smtp_generic_maps">smtp_generic_maps</a>=" is a workaround that prevents
+local address rewriting with <a href="generic.5.html">generic(5)</a> maps. Such rewriting should
+happen only when mail is sent out to the Internet.  </p>
+
 </ul>
 
 <h3>Advanced content filter: running the content filter</h3>
diff --git a/postfix/html/pipe.8.html b/postfix/html/pipe.8.html
index ac970d48e..26de9e7ed 100644
--- a/postfix/html/pipe.8.html
+++ b/postfix/html/pipe.8.html
@@ -373,22 +373,27 @@ PIPE(8)                                                                PIPE(8)
               for delivery via the named <i>transport</i>.  The limit is
               enforced by the pipe delivery agent.
 
+              Postfix 2.4 and later support a suffix that  speci-
+              fies  the  time  unit:  s (seconds), m (minutes), h
+              (hours), d (days), w (weeks). The default time unit
+              is seconds.
+
 <b>MISCELLANEOUS CONTROLS</b>
        <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
-              The default location of  the  Postfix  <a href="postconf.5.html">main.cf</a>  and
+              The  default  location  of  the Postfix <a href="postconf.5.html">main.cf</a> and
               <a href="master.5.html">master.cf</a> configuration files.
 
        <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
-              How  much time a Postfix daemon process may take to
-              handle a request  before  it  is  terminated  by  a
+              How much time a Postfix daemon process may take  to
+              handle  a  request  before  it  is  terminated by a
               built-in watchdog timer.
 
        <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
-              The  maximal  number  of  digits  after the decimal
+              The maximal number  of  digits  after  the  decimal
               point when logging sub-second delay values.
 
        <b><a href="postconf.5.html#export_environment">export_environment</a> (see 'postconf -d' output)</b>
-              The list of environment variables  that  a  Postfix
+              The  list  of  environment variables that a Postfix
               process will export to non-Postfix processes.
 
        <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
@@ -400,24 +405,24 @@ PIPE(8)                                                                PIPE(8)
               and most Postfix daemon processes.
 
        <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
-              The  maximum  amount  of  time that an idle Postfix
-              daemon process waits for the next  service  request
+              The maximum amount of time  that  an  idle  Postfix
+              daemon  process  waits for the next service request
               before exiting.
 
        <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
-              The  maximal number of connection requests before a
+              The maximal number of connection requests before  a
               Postfix daemon process terminates.
 
        <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
-              The process ID  of  a  Postfix  command  or  daemon
+              The  process  ID  of  a  Postfix  command or daemon
               process.
 
        <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
-              The  process  name  of  a Postfix command or daemon
+              The process name of a  Postfix  command  or  daemon
               process.
 
        <b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
-              The location of the Postfix top-level queue  direc-
+              The  location of the Postfix top-level queue direc-
               tory.
 
        <b><a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> (empty)</b>
@@ -428,8 +433,8 @@ PIPE(8)                                                                PIPE(8)
               The syslog facility of Postfix logging.
 
        <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
-              The mail system  name  that  is  prepended  to  the
-              process  name  in  syslog  records, so that "smtpd"
+              The  mail  system  name  that  is  prepended to the
+              process name in syslog  records,  so  that  "smtpd"
               becomes, for example, "postfix/smtpd".
 
 <b>SEE ALSO</b>
@@ -441,7 +446,7 @@ PIPE(8)                                                                PIPE(8)
        syslogd(8), system logging
 
 <b>LICENSE</b>
-       The Secure Mailer license must be  distributed  with  this
+       The  Secure  Mailer  license must be distributed with this
        software.
 
 <b>AUTHOR(S)</b>
diff --git a/postfix/html/spawn.8.html b/postfix/html/spawn.8.html
index e26c8a80a..b5e402946 100644
--- a/postfix/html/spawn.8.html
+++ b/postfix/html/spawn.8.html
@@ -81,18 +81,23 @@ SPAWN(8)                                                              SPAWN(8)
               The  amount  of  time the command is allowed to run
               before it is terminated.
 
+              Postfix 2.4 and later support a suffix that  speci-
+              fies  the  time  unit:  s (seconds), m (minutes), h
+              (hours), d (days), w (weeks). The default time unit
+              is seconds.
+
 <b>MISCELLANEOUS</b>
        <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
-              The default location of  the  Postfix  <a href="postconf.5.html">main.cf</a>  and
+              The  default  location  of  the Postfix <a href="postconf.5.html">main.cf</a> and
               <a href="master.5.html">master.cf</a> configuration files.
 
        <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
-              How  much time a Postfix daemon process may take to
-              handle a request  before  it  is  terminated  by  a
+              How much time a Postfix daemon process may take  to
+              handle  a  request  before  it  is  terminated by a
               built-in watchdog timer.
 
        <b><a href="postconf.5.html#export_environment">export_environment</a> (see 'postconf -d' output)</b>
-              The  list  of  environment variables that a Postfix
+              The list of environment variables  that  a  Postfix
               process will export to non-Postfix processes.
 
        <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
@@ -104,32 +109,32 @@ SPAWN(8)                                                              SPAWN(8)
               and most Postfix daemon processes.
 
        <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
-              The maximum amount of time  that  an  idle  Postfix
-              daemon  process  waits for the next service request
+              The  maximum  amount  of  time that an idle Postfix
+              daemon process waits for the next  service  request
               before exiting.
 
        <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
-              The maximal number of connection requests before  a
+              The  maximal number of connection requests before a
               Postfix daemon process terminates.
 
        <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
-              The  process  ID  of  a  Postfix  command or daemon
+              The process ID  of  a  Postfix  command  or  daemon
               process.
 
        <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
-              The process name of a  Postfix  command  or  daemon
+              The  process  name  of  a Postfix command or daemon
               process.
 
        <b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
-              The  location of the Postfix top-level queue direc-
+              The location of the Postfix top-level queue  direc-
               tory.
 
        <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
               The syslog facility of Postfix logging.
 
        <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
-              The mail system  name  that  is  prepended  to  the
-              process  name  in  syslog  records, so that "smtpd"
+              The  mail  system  name  that  is  prepended to the
+              process name in syslog  records,  so  that  "smtpd"
               becomes, for example, "postfix/smtpd".
 
 <b>SEE ALSO</b>
@@ -138,7 +143,7 @@ SPAWN(8)                                                              SPAWN(8)
        syslogd(8), system logging
 
 <b>LICENSE</b>
-       The Secure Mailer license must be  distributed  with  this
+       The  Secure  Mailer  license must be distributed with this
        software.
 
 <b>AUTHOR(S)</b>
diff --git a/postfix/man/man8/pipe.8 b/postfix/man/man8/pipe.8
index ef34634b0..d2ccd3175 100644
--- a/postfix/man/man8/pipe.8
+++ b/postfix/man/man8/pipe.8
@@ -323,6 +323,10 @@ The limit is enforced by the Postfix queue manager.
 Limit the time for delivery to external command, for delivery via
 the named \fItransport\fR.
 The limit is enforced by the pipe delivery agent.
+
+Postfix 2.4 and later support a suffix that specifies the
+time unit: s (seconds), m (minutes), h (hours), d (days),
+w (weeks). The default time unit is seconds.
 .SH "MISCELLANEOUS CONTROLS"
 .na
 .nf
diff --git a/postfix/man/man8/spawn.8 b/postfix/man/man8/spawn.8
index 72ebfcec9..df72c346a 100644
--- a/postfix/man/man8/spawn.8
+++ b/postfix/man/man8/spawn.8
@@ -87,6 +87,10 @@ in the \fBmaster.cf\fR file.
 .IP "\fItransport\fB_time_limit ($command_time_limit)\fR"
 The amount of time the command is allowed to run before it is
 terminated.
+
+Postfix 2.4 and later support a suffix that specifies the
+time unit: s (seconds), m (minutes), h (hours), d (days),
+w (weeks). The default time unit is seconds.
 .SH "MISCELLANEOUS"
 .na
 .nf
diff --git a/postfix/proto/FILTER_README.html b/postfix/proto/FILTER_README.html
index 7e586878d..2cdb80384 100644
--- a/postfix/proto/FILTER_README.html
+++ b/postfix/proto/FILTER_README.html
@@ -616,6 +616,7 @@ how one would set up the service in the Postfix master.cf file:
     scan      unix  -       -       n       -       10      smtp
         -o smtp_send_xforward_command=yes
         -o disable_mime_output_conversion=yes
+        -o smtp_generic_maps=
 </pre>
 </blockquote>
 
@@ -639,6 +640,10 @@ that prevents the breaking of domainkeys and other digital signatures.
 This is needed because some SMTP-based content filters don't announce
 8BITMIME support, even though they can handle it just fine.  </p>
 
+<li> <p> The "-o smtp_generic_maps=" is a workaround that prevents
+local address rewriting with generic(5) maps. Such rewriting should
+happen only when mail is sent out to the Internet.  </p>
+
 </ul>
 
 <h3>Advanced content filter: running the content filter</h3>
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 87273163e..1f8d3b091 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20061221"
+#define MAIL_RELEASE_DATE	"20061224"
 #define MAIL_VERSION_NUMBER	"2.4"
 
 #ifdef SNAPSHOT
diff --git a/postfix/src/milter/milter8.c b/postfix/src/milter/milter8.c
index 2819f2c43..96f637b49 100644
--- a/postfix/src/milter/milter8.c
+++ b/postfix/src/milter/milter8.c
@@ -143,12 +143,6 @@
 #define SMFIR_REPLYCODE		'y'	/* reply code etc */
 #define SMFIR_QUARANTINE	'q'	/* quarantine */
 
- /* Introduced with Sendmail 8.14. */
-#define SMFIR_ADDRCPT_PAR	'2'	/* add recipient (incl. ESMTP args) */
-#define SMFIR_CHGFROM		'e'	/* change envelope sender (from) */
-#define SMFIR_SETSYMLIST	'l'	/* set list of symbols (macros) */
-#define SMFIR_SKIP		's'	/* skip */
-
  /*
   * Commands that the filter does not want to receive, and replies that the
   * filter will not send.
@@ -160,23 +154,10 @@
 #define SMFIP_NOBODY		(1L<<4)	/* MTA should not send body */
 #define SMFIP_NOHDRS		(1L<<5)	/* MTA should not send headers */
 #define SMFIP_NOEOH		(1L<<6)	/* MTA should not send EOH */
-#define SMFIP_NR_HDR		(1L<<7)	/* filter will not reply per header */
-#define SMFIP_NOHREPL		SMFIP_NR_HDR
+#define SMFIP_NOHREPL		(1L<<7)	/* filter will not reply per header */
 #define SMFIP_NOUNKNOWN 	(1L<<8)	/* MTA should not send unknown cmd */
 #define SMFIP_NODATA		(1L<<9)	/* MTA should not send DATA */
 
- /* Introduced with Sendmail 8.14. */
-#define SMFIP_SKIP	0x00000400L	/* MTA understands SMFIS_SKIP */
-#define SMFIP_RCPT_REJ	0x00000800L	/* MTA should send rejected RCPTs */
-#define SMFIP_NR_CONN	0x00001000L	/* No reply for connect */
-#define SMFIP_NR_HELO	0x00002000L	/* No reply for HELO */
-#define SMFIP_NR_MAIL	0x00004000L	/* No reply for MAIL */
-#define SMFIP_NR_RCPT	0x00008000L	/* No reply for RCPT */
-#define SMFIP_NR_DATA	0x00010000L	/* No reply for DATA */
-#define SMFIP_NR_UNKN	0x00020000L	/* No reply for UNKN */
-#define SMFIP_NR_EOH	0x00040000L	/* No reply for eoh */
-#define SMFIP_NR_BODY	0x00080000L	/* No reply for body chunk */
-
  /*
   * Modifications that the filter may request at the end of the message body.
   */
@@ -589,10 +570,10 @@ static int vmilter8_read_data(MILTER8 *milter, ssize_t data_len, va_list ap)
 	    break;
 
 	    /*
-	     * Raw on-the-wire format.
+	     * Raw on-the-wire format, without explicit null terminator.
 	     */
 	case MILTER8_DATA_BUFFER:
-	    if (data_left < 1) {
+	    if (data_left < 0) {
 		msg_warn("milter %s: no data in input packet", milter->m.name);
 		return (milter8_comm_error(milter));
 	    }
diff --git a/postfix/src/pipe/pipe.c b/postfix/src/pipe/pipe.c
index 086370263..839b93108 100644
--- a/postfix/src/pipe/pipe.c
+++ b/postfix/src/pipe/pipe.c
@@ -303,6 +303,10 @@
 /*	Limit the time for delivery to external command, for delivery via
 /*	the named \fItransport\fR.
 /*	The limit is enforced by the pipe delivery agent.
+/*
+/*	Postfix 2.4 and later support a suffix that specifies the
+/*	time unit: s (seconds), m (minutes), h (hours), d (days),
+/*	w (weeks). The default time unit is seconds.
 /* MISCELLANEOUS CONTROLS
 /* .ad
 /* .fi
@@ -714,7 +718,7 @@ static void get_service_params(PIPE_PARAMS *config, char *service)
      * Figure out the command time limit for this transport.
      */
     config->time_limit =
-	get_mail_conf_int2(service, "_time_limit", var_command_maxtime, 1, 0);
+	get_mail_conf_time2(service, "_time_limit", var_command_maxtime, 's', 1, 0);
 
     /*
      * Give the poor tester a clue of what is going on.
diff --git a/postfix/src/spawn/spawn.c b/postfix/src/spawn/spawn.c
index 403f6da71..71345724a 100644
--- a/postfix/src/spawn/spawn.c
+++ b/postfix/src/spawn/spawn.c
@@ -69,6 +69,10 @@
 /* .IP "\fItransport\fB_time_limit ($command_time_limit)\fR"
 /*	The amount of time the command is allowed to run before it is
 /*	terminated.
+/*
+/*	Postfix 2.4 and later support a suffix that specifies the 
+/*	time unit: s (seconds), m (minutes), h (hours), d (days),
+/*	w (weeks). The default time unit is seconds.
 /* MISCELLANEOUS
 /* .ad
 /* .fi
@@ -190,7 +194,7 @@ static void get_service_attr(SPAWN_ATTR *attr, char *service, char **argv)
      * Figure out the command time limit for this transport.
      */
     attr->time_limit =
-	get_mail_conf_int2(service, "_time_limit", var_command_maxtime, 1, 0);
+	get_mail_conf_time2(service, "_time_limit", var_command_maxtime, 's', 1, 0);
 
     /*
      * Iterate over the command-line attribute list.