postfix-3.9-20240229

2025-08-22 09:57:34 +00:00 · 2024-02-29 00:00:00 -05:00 · 2024-02-29 00:00:00 -05:00 · 5314560c55
commit 5314560c55
parent 3cb9a575a0
12 changed files with 103 additions and 77 deletions
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@ -27940,5 +27940,19 @@ Apologies for any names omitted.
 	Cleanups. Fixed some dns_rr_create() calls in test code,
 	and reverted a workaround in the DNS record formatter;
 	files: dns/dns_rr_test.c, dns/dns_strrecord.c. Code formatting;
-	file: global/nail_addr_find.c. Added missing test reference;
+	file: global/mail_addr_find.c. Added missing test reference;
 	file: postconf/test76.ref.
+
+20240229
+
+	Clenup: moved the new DNS_RR.flags structure member to the
+	location of a "padding" hole (two bytes for ILP32 systems,
+	6 bytes for LP64). File: dns/dns.h.
+
+	Deprecation: removed permit_naked_ip_address, reject_maps_rbl,
+	and check_relay_domains. These have been logging deprecation
+	warnings since 2005 or earlier, and were removed from Postfix
+	documentation in 2004 (but who reads logs and documentation?).
+	Files: smtpd/smtpd_check.c, smtpd/smtpd_check_backup.ref,
+	smtpd/smtpd_exp.ref, smtpd/smtpd_deprecated.in,
+	smtpd/smtpd_deprecated.ref.
--- a/postfix/proto/stop.double-history
+++ b/postfix/proto/stop.double-history
@ -118,3 +118,4 @@ proto  proto aliases proto virtual proto ADDRESS_REWRITING_README html
 postconf postconf c postconf postconf_dbms c 
 File tlsmgr tlsmgr c 
 restrictions Files dns dns h dns dns_lookup c dns dns_rr c 
+ systems 6 bytes for LP64 File dns dns h 
--- a/postfix/proto/stop.spell-cc
+++ b/postfix/proto/stop.spell-cc
@ -1386,7 +1386,6 @@ th
 tha
 thash
 THASH
-theadsafe
 threadsafe
 thusly
 timecmp
@ -1839,3 +1838,4 @@ depr
 dfhHnopqvx
 fhHoqvx
 foqvx
+ILP
--- a/postfix/src/dns/dns.h
+++ b/postfix/src/dns/dns.h
@ -161,10 +161,11 @@ typedef struct DNS_RR {
    unsigned short pref;		/* T_MX and T_SRV record related */
    unsigned short weight;		/* T_SRV related, defined in rfc2782 */
    unsigned short port;		/* T_SRV related, defined in rfc2782 */
+    /* Assume that flags lives in what was previously padding */
+    unsigned short flags;		/* DNS_RR_FLAG_XX, see below */
    struct DNS_RR *next;		/* linkage */
    size_t  data_len;			/* actual data size */
    char    *data;			/* a bunch of data */
-    int     flags;			/* DNS_RR_FLAG_XX, see below */
     /* Add new fields at the end, for ABI forward compatibility. */
 } DNS_RR;

--- a/postfix/src/dns/dns_lookup.c
+++ b/postfix/src/dns/dns_lookup.c
@ -306,7 +306,7 @@ typedef struct DNS_REPLY {

 /*
  * Use the threadsafe resolver API if available, not because it is
-  * theadsafe, but because it has more functionality.
+  * threadsafe, but because it has more functionality.
  */
 #ifdef USE_RES_NCALLS
 static struct __res_state dns_res_state;
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@ -20,7 +20,7 @@
  * Patches change both the patchlevel and the release date. Snapshots have no
  * patchlevel; they change the release date only.
  */
-#define MAIL_RELEASE_DATE	"20240228"
+#define MAIL_RELEASE_DATE	"20240229"
 #define MAIL_VERSION_NUMBER	"3.9"

 #ifdef SNAPSHOT
--- a/postfix/src/smtpd/Makefile.in
+++ b/postfix/src/smtpd/Makefile.in
@ -75,7 +75,8 @@ broken-tests: smtpd_check_test smtpd_check_test2
 tests:	smtpd_acl_test smtpd_addr_valid_test smtpd_exp_test \
 	smtpd_token_test smtpd_check_test4 smtpd_check_dsn_test \
 	smtpd_check_backup_test smtpd_dnswl_test smtpd_error_test \
-	smtpd_server_test smtpd_nullmx_test smtpd_dns_filter_test
+	smtpd_server_test smtpd_nullmx_test smtpd_dns_filter_test \
+	smtpd_deprecated_test

 root_tests:

@ -171,6 +172,11 @@ smtpd_error_test: smtpd_check smtpd_error.in smtpd_error.ref
 	diff smtpd_error.ref smtpd_check.tmp
 	rm -f smtpd_check.tmp

+smtpd_deprecated_test: smtpd_check smtpd_deprecated.in smtpd_deprecated.ref
+	$(SHLIB_ENV) $(VALGRIND) ./smtpd_check <smtpd_deprecated.in >smtpd_check.tmp 2>&1
+	diff smtpd_deprecated.ref smtpd_check.tmp
+	rm -f smtpd_check.tmp
+
 depend: $(MAKES)
 	(sed '1,/^# do not edit/!d' Makefile.in; \
 	set -e; for i in [a-z][a-z0-9]*.c; do \
--- a/postfix/src/smtpd/smtpd_check.c
+++ b/postfix/src/smtpd/smtpd_check.c
@ -1675,44 +1675,13 @@ static int check_relay_domains(SMTPD_STATE *state, char *recipient,
    /*
     * Restriction check_relay_domains is deprecated as of Postfix 2.2.
     */
-#if 1
-    static int once;
-
-    if (once == 0) {
-	once = 1;
-	msg_warn("support for restriction \"%s\" will be removed from %s; "
-		 "use \"%s\" instead",
-		 CHECK_RELAY_DOMAINS, var_mail_name, REJECT_UNAUTH_DEST);
-    }
-#endif
-
    if (msg_verbose)
 	msg_info("%s: %s", myname, recipient);

-    /*
-     * Permit if the client matches the relay_domains list.
-     */
-    if (domain_list_match(relay_domains, state->name)) {
-	if (warn_compat_break_relay_domains)
-	    msg_info("using backwards-compatible default setting "
-		     VAR_RELAY_DOMAINS "=$mydestination to permit "
-		     "request from client \"%s\"", state->name);
-	return (SMTPD_CHECK_OK);
-    }
-
-    /*
-     * Permit authorized destinations.
-     */
-    if (permit_auth_destination(state, recipient) == SMTPD_CHECK_OK)
-	return (SMTPD_CHECK_OK);
-
-    /*
-     * Deny relaying between sites that both are not in relay_domains.
-     */
-    return (smtpd_check_reject(state, MAIL_ERROR_POLICY,
-			       var_relay_code, "5.7.1",
-			       "<%s>: %s rejected: Relay access denied",
-			       reply_name, reply_class));
+    msg_warn("support for restriction \"%s\" has been removed in %s 3.9; "
+	     "use \"%s\" instead",
+	     CHECK_RELAY_DOMAINS, var_mail_name, REJECT_UNAUTH_DEST);
+    reject_server_error(state);
 }

 /* permit_auth_destination - OK for message relaying */
@ -3928,11 +3897,6 @@ static int permit_dnswl_domain(SMTPD_STATE *state, const char *dnswl_domain,
 static int reject_maps_rbl(SMTPD_STATE *state)
 {
    const char *myname = "reject_maps_rbl";
-    char   *saved_domains = mystrdup(var_maps_rbl_domains);
-    char   *bp = saved_domains;
-    char   *rbl_domain;
-    int     result = SMTPD_CHECK_DUNNO;
-    static int warned;

    if (msg_verbose)
 	msg_info("%s: %s", myname, state->addr);
@ -3940,25 +3904,11 @@ static int reject_maps_rbl(SMTPD_STATE *state)
    /*
     * Restriction reject_maps_rbl is deprecated as of Postfix 2.1.
     */
-    if (warned == 0) {
-	warned++;
-	msg_warn("support for restriction \"%s\" will be removed from %s; "
-		 "use \"%s domain-name\" instead",
-		 REJECT_MAPS_RBL, var_mail_name, REJECT_RBL_CLIENT);
-    }
-    while ((rbl_domain = mystrtok(&bp, CHARS_COMMA_SP)) != 0) {
-	result = reject_rbl_addr(state, rbl_domain, state->addr,
-				 SMTPD_NAME_CLIENT);
-	if (result != SMTPD_CHECK_DUNNO)
-	    break;
-    }
+    msg_warn("support for restriction \"%s\" has been removed in %s 3.9; "
+	     "use \"%s domain-name\" instead",
+	     REJECT_MAPS_RBL, var_mail_name, REJECT_RBL_CLIENT);

-    /*
-     * Clean up.
-     */
-    myfree(saved_domains);
-
-    return (result);
+    reject_server_error(state);
 }

 #ifdef USE_SASL_AUTH
@ -4537,15 +4487,11 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
 	    }
 	} else if (strcasecmp(name, PERMIT_NAKED_IP_ADDR) == 0) {
 	    /* permit_naked_ip_addr is deprecated as of Postfix 2.0. */
-	    msg_warn("restriction %s is deprecated. Use %s or %s instead",
-		 PERMIT_NAKED_IP_ADDR, PERMIT_MYNETWORKS, PERMIT_SASL_AUTH);
-	    if (state->helo_name) {
-		if (state->helo_name[strspn(state->helo_name, "0123456789.:")] == 0
-		&& (status = reject_invalid_hostaddr(state, state->helo_name,
-				   state->helo_name, SMTPD_NAME_HELO)) == 0)
-		    status = smtpd_acl_permit(state, name, SMTPD_NAME_HELO,
-					   state->helo_name, NO_PRINT_ARGS);
-	    }
+	    msg_warn("restriction %s has been removed in %s 3.9;"
+		     " use %s or %s instead",
+		     PERMIT_NAKED_IP_ADDR, var_mail_name,
+		     PERMIT_MYNETWORKS, PERMIT_SASL_AUTH);
+	    reject_server_error(state);
 	} else if (is_map_command(state, name, CHECK_HELO_NS_ACL, &cpp)) {
 	    if (state->helo_name) {
 		status = check_server_access(state, *cpp, state->helo_name,
--- a/postfix/src/smtpd/smtpd_check_backup.ref
+++ b/postfix/src/smtpd/smtpd_check_backup.ref
@ -17,6 +17,7 @@ OK
 >>> recipient_restrictions permit_mx_backup,reject
 OK
 >>> rcpt wietse@wzv.porcupine.org
+./smtpd_check: warning: support for restriction "permit_mx_backup" will be removed from Postfix; instead, use "relay_domains"
 OK
 >>> rcpt wietse@backup.porcupine.org
 OK
--- a/postfix/src/smtpd/smtpd_deprecated.in
+++ b/postfix/src/smtpd/smtpd_deprecated.in
@ -0,0 +1,20 @@
+#
+# permit_naked_ip_address
+#
+client foo 127.0.0.2
+recipient_restrictions permit_naked_ip_address
+helo 127.0.0.2
+mail sname@sdomain.example
+rcpt rname@rdomain.example
+#
+# check_relay_domains
+#
+client foo 127.0.0.2
+recipient_restrictions check_relay_domains
+relay_domains foo
+helo 127.0.0.2
+mail sname@sdomain.example
+rcpt rname@rdomain.example
+#
+# reject_maps_rbl is already covered elsewhere.
+#
--- a/postfix/src/smtpd/smtpd_deprecated.ref
+++ b/postfix/src/smtpd/smtpd_deprecated.ref
@ -0,0 +1,35 @@
+>>> #
+>>> # permit_naked_ip_address
+>>> #
+>>> client foo 127.0.0.2
+OK
+>>> recipient_restrictions permit_naked_ip_address
+OK
+>>> helo 127.0.0.2
+OK
+>>> mail sname@sdomain.example
+OK
+>>> rcpt rname@rdomain.example
+./smtpd_check: warning: restriction permit_naked_ip_address has been removed in Postfix 3.9; use permit_mynetworks or permit_sasl_authenticated instead
+./smtpd_check: <queue id>: reject: RCPT from foo[127.0.0.2]: 451 4.3.5 Server configuration error; from=<sname@sdomain.example> to=<rname@rdomain.example> proto=SMTP helo=<127.0.0.2>
+451 4.3.5 Server configuration error
+>>> #
+>>> # check_relay_domains
+>>> #
+>>> client foo 127.0.0.2
+OK
+>>> recipient_restrictions check_relay_domains
+OK
+>>> relay_domains foo
+OK
+>>> helo 127.0.0.2
+OK
+>>> mail sname@sdomain.example
+OK
+>>> rcpt rname@rdomain.example
+./smtpd_check: warning: support for restriction "check_relay_domains" has been removed in Postfix 3.9; use "reject_unauth_destination" instead
+./smtpd_check: <queue id>: reject: RCPT from foo[127.0.0.2]: 451 4.3.5 Server configuration error; from=<sname@sdomain.example> to=<rname@rdomain.example> proto=SMTP helo=<127.0.0.2>
+451 4.3.5 Server configuration error
+>>> #
+>>> # reject_maps_rbl is already covered elsewhere.
+>>> #
--- a/postfix/src/smtpd/smtpd_exp.ref
+++ b/postfix/src/smtpd/smtpd_exp.ref
@ -25,13 +25,15 @@ OK
 >>> client spike.porcupine.org 168.100.3.2
 OK
 >>> rcpt rname@rdomain
-./smtpd_check: warning: support for restriction "reject_maps_rbl" will be removed from Postfix; use "reject_rbl_client domain-name" instead
-OK
+./smtpd_check: warning: support for restriction "reject_maps_rbl" has been removed in Postfix 3.9; use "reject_rbl_client domain-name" instead
+./smtpd_check: <queue id>: reject: RCPT from spike.porcupine.org[168.100.3.2]: 451 4.3.5 Server configuration error; from=<sname@sdomain> to=<rname@rdomain> proto=SMTP helo=<foobar>
+451 4.3.5 Server configuration error
 >>> client foo 127.0.0.2
 OK
 >>> rcpt rname@rdomain
-./smtpd_check: <queue id>: reject: RCPT from foo[127.0.0.2]: 554 5.7.1 Service unavailable; Client host [127.0.0.2] blocked using dnsbltest.porcupine.org; DNS blocklist test; from=<sname@sdomain> to=<rname@rdomain> proto=SMTP helo=<foobar>
-554 5.7.1 Service unavailable; Client host [127.0.0.2] blocked using dnsbltest.porcupine.org; DNS blocklist test
+./smtpd_check: warning: support for restriction "reject_maps_rbl" has been removed in Postfix 3.9; use "reject_rbl_client domain-name" instead
+./smtpd_check: <queue id>: reject: RCPT from foo[127.0.0.2]: 451 4.3.5 Server configuration error; from=<sname@sdomain> to=<rname@rdomain> proto=SMTP helo=<foobar>
+451 4.3.5 Server configuration error
 >>> #
 >>> recipient_restrictions reject_rbl_client,dnsbltest.porcupine.org
 OK