From 5f3bcc11efef9baf2516eff3a4001f927c27d934 Mon Sep 17 00:00:00 2001 From: Wietse Venema Date: Sun, 5 Jan 2020 00:00:00 -0500 Subject: [PATCH] postfix-3.5-20200105 --- postfix/HISTORY | 20 +++++++++++++ postfix/conf/master.cf | 6 ++-- postfix/html/postconf.5.html | 4 +-- postfix/src/dns/dns_lookup.c | 12 ++++++++ postfix/src/global/mail_version.h | 2 +- postfix/src/global/maillog_client.c | 4 ++- postfix/src/util/msg_logger.c | 44 ++++++++++++++++++++++------- postfix/src/util/msg_logger.h | 2 ++ 8 files changed, 77 insertions(+), 17 deletions(-) diff --git a/postfix/HISTORY b/postfix/HISTORY index 5fdba30d0..d6778f0b2 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -24502,3 +24502,23 @@ Apologies for any names omitted. Bugfix: sanitize server responses before storing them in the verify database, to avoid Postfix warnings about malformed UTF8. File: verify/verify.c. + +20191215 + + Future proofing: the Postfix DNS library logs a warning if + the DNS_REQ_FLAG_NCACHE_TTL dns_lookup flag is set and the + RES_DNSRCH or RES_DEFNAMES resolver flags are set, and + disables those resolver flags. File: dns/dns_lookup.c. + +20191230 + + Documentation: added the 'X' flag (final delivery) to the + pipe-based final delivery examples in the default master.cf + file. File: conf/master.cf + +20201005 + + Workaround: postlog clients open the socket before entering + the chroot jail and before dropping privileges. This is needed + on MacOS and would not hurt otherwise. Files: util/msg_logger.[hc], + global/maillog_client.c. diff --git a/postfix/conf/master.cf b/postfix/conf/master.cf index c0f250803..30c3458e6 100644 --- a/postfix/conf/master.cf +++ b/postfix/conf/master.cf 
@@ -79,7 +79,7 @@ postlog unix-dgram n - n - 1 postlogd
 # Also specify in main.cf: maildrop_destination_recipient_limit=1
 #
 #maildrop unix - n n - - pipe
-# flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
+# flags=DRXhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
 #
 # ====================================================================
 #
@@ -98,7 +98,7 @@ postlog unix-dgram n - n - 1 postlogd
 # Also specify in main.cf: cyrus_destination_recipient_limit=1
 #
 #cyrus unix - n n - - pipe
-# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+# flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
 #
 # ====================================================================
 #
@@ -129,5 +129,5 @@ postlog unix-dgram n - n - 1 postlogd
 # ${nexthop} ${user} ${extension}
 #
 #mailman unix - n n - - pipe
-# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+# flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
 # ${nexthop} ${user}
diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html
index df9c7c08e..f6cc50c1e 100644
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@@ -18510,7 +18510,7 @@ is unwise to choose an "bleeding-edge" curve supported by only a small subset of clients.
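Review bot: The cyrus example gains `D` and `R` as well as the final-delivery flag `X` (`# flags=DRX user=cyrus argv=/cyrus/bin/deliver ...`), while the maildrop and mailman examples only add `X` and the 20191230 HISTORY entry describes the change as adding the 'X' flag. As far as I recall pipe(8), `D` and `R` prepend Delivered-To: and Return-Path: headers, so an operator who copies this example now stores mail with different headers than before, which is not a documentation-only change. If the extra flags are intended, the HISTORY entry should say so; otherwise the line should be `# flags=X user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}`.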

The default "strong" curve is rated in NSA Suite +href="https://web.archive.org/web/20160330034144/https://www.nsa.gov/ia/programs/suiteb_cryptography/">Suite B for information classified up to SECRET.

Note: elliptic curve names are poorly standardized; different @@ -18551,7 +18551,7 @@ curve must be implemented by OpenSSL (as reported by ecparam(1) with the of RFC 4492. You should not generally change this setting.

This default "ultra" curve is rated in NSA Suite +href="https://web.archive.org/web/20160330034144/https://www.nsa.gov/ia/programs/suiteb_cryptography/">Suite B for information classified up to TOP SECRET.

If you want to take maximal advantage of ciphers that offer argv; /* see below */ ; cpp++) { if (*cpp == 0) @@ -264,6 +264,8 @@ void maillog_client_init(const char *progname, int flags) } if (service_path != import_service_path) myfree(service_path); + msg_logger_control(CA_MSG_LOGGER_CTL_CONNECT_NOW, + CA_MSG_LOGGER_CTL_END); } /* diff --git a/postfix/src/util/msg_logger.c b/postfix/src/util/msg_logger.c index 7c8f34dd6..5a00c3476 100644 --- a/postfix/src/util/msg_logger.c +++ b/postfix/src/util/msg_logger.c @@ -62,6 +62,10 @@ /* .IP CA_MSG_LOGGER_CTL_DISABLE /* Disable the msg_logger. This remains in effect until the /* next msg_logger_init() call. +/* .IP CA_MSG_LOGGER_CTL_CONNECT_NOW +/* Close the logging socket if it was already open, and open +/* the logging socket now, if permitted by current settings. +/* Otherwise, the open is delayed until a logging request. /* SEE ALSO /* msg(3) diagnostics module /* BUGS @@ -111,6 +115,8 @@ static void (*msg_logger_fallback_fn) (const char *); static int msg_logger_fallback_only_override = 0; static int msg_logger_enable = 0; +#define MSG_LOGGER_NEED_SOCKET() (msg_logger_fallback_only_override == 0) + /* * Other state. */ @@ -130,6 +136,26 @@ static int msg_logger_sock = MSG_LOGGER_SOCK_NONE; #define STR(x) vstring_str(x) #define LEN(x) VSTRING_LEN(x) +/* msg_logger_connect - connect to logger service */ + +static void msg_logger_connect(void) +{ + if (msg_logger_sock == MSG_LOGGER_SOCK_NONE) { + msg_logger_sock = unix_dgram_connect(msg_logger_unix_path, BLOCKING); + if (msg_logger_sock >= 0) + close_on_exec(msg_logger_sock, CLOSE_ON_EXEC); + } +} + +/* msg_logger_disconnect - disconnect from logger service */ + +static void msg_logger_disconnect(void) +{ + if (msg_logger_sock != MSG_LOGGER_SOCK_NONE) { + (void) close(msg_logger_sock); + msg_logger_sock = MSG_LOGGER_SOCK_NONE; + } +} /* msg_logger_print - log info to service or file */ 
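Review bot: The new `msg_logger_control(CA_MSG_LOGGER_CTL_CONNECT_NOW, CA_MSG_LOGGER_CTL_END);` call at the end of maillog_client_init carries no comment explaining why the socket must be opened eagerly; the rationale (callers chroot and drop privileges after this point, and the MacOS failure) lives only in the HISTORY hunk, so a later reader may fold this back into the lazy connect in msg_logger_print. I would put above the call a comment along the lines of `/* Connect now, before callers chroot or drop privileges: on some systems (MacOS) the inherited descriptor is the only way the unprivileged process can reach the logging endpoint. */`. Since the descriptor is created with the caller's initial credentials and is meant to outlive the privilege drop, the comment should also note that msg_logger_connect marks it close-on-exec, so it is not leaked into exec'd children but stays open in any fork-without-exec path. maillog_client_init starts outside this hunk, so I could not confirm that msg_logger_init() has run (and set the socket path) on every path that reaches this call; if there is a syslog-only path, the eager connect should be skipped there.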
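Review bot: msg_logger_connect stores the unix_dgram_connect() return value into msg_logger_sock unconditionally, so on failure the slot holds whatever error value that function returns, and the rest of the module only ever tests for MSG_LOGGER_SOCK_NONE (whose value is not in this hunk); the code is correct only if the failure return is exactly that constant, and the send() in msg_logger_print would otherwise be handed a bogus descriptor. This was the pre-existing pattern that the commit moved into the helper, but the helper is the natural place to make it robust: keep the result in a local and assign the global only on success, so a failed attempt leaves the slot at MSG_LOGGER_SOCK_NONE and is retried on the next logging request as the comment in msg_logger_print expects.
```c
static void msg_logger_connect(void)
{
    int     fd;

    if (msg_logger_sock != MSG_LOGGER_SOCK_NONE)
	return;
    if ((fd = unix_dgram_connect(msg_logger_unix_path, BLOCKING)) < 0)
	return;				/* retried on the next request */
    close_on_exec(fd, CLOSE_ON_EXEC);
    msg_logger_sock = fd;
}
```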
@@ -203,12 +229,8 @@ static void msg_logger_print(int level, const char *text)
      * will report ENOENT if the endpoint does not exist, ECONNREFUSED if no
      * server has opened the endpoint.
      */
-    if (msg_logger_fallback_only_override == 0
-	&& msg_logger_sock == MSG_LOGGER_SOCK_NONE) {
-	msg_logger_sock = unix_dgram_connect(msg_logger_unix_path, BLOCKING);
-	if (msg_logger_sock >= 0)
-	    close_on_exec(msg_logger_sock, CLOSE_ON_EXEC);
-    }
+    if (MSG_LOGGER_NEED_SOCKET())
+	msg_logger_connect();
     if (msg_logger_sock != MSG_LOGGER_SOCK_NONE) {
 	send(msg_logger_sock, STR(msg_logger_buf), LEN(msg_logger_buf), 0);
     } else if (msg_logger_fallback_fn) {
@@ -286,10 +308,7 @@ void msg_logger_control(int name,...)
     switch (name) {
     case MSG_LOGGER_CTL_FALLBACK_ONLY:
 	msg_logger_fallback_only_override = 1;
-	if (msg_logger_sock != MSG_LOGGER_SOCK_NONE) {
-	    (void) close(msg_logger_sock);
-	    msg_logger_sock = MSG_LOGGER_SOCK_NONE;
-	}
+	msg_logger_disconnect();
 	break;
     case MSG_LOGGER_CTL_FALLBACK_FN:
 	msg_logger_fallback_fn = va_arg(ap, MSG_LOGGER_FALLBACK_FN);
@@ -297,6 +316,11 @@ void msg_logger_control(int name,...)
     case MSG_LOGGER_CTL_DISABLE:
 	msg_logger_enable = 0;
 	break;
+    case MSG_LOGGER_CTL_CONNECT_NOW:
+	msg_logger_disconnect();
+	if (MSG_LOGGER_NEED_SOCKET())
+	    msg_logger_connect();
+	break;
     default:
 	msg_panic("%s: bad name %d", myname, name);
     }
diff --git a/postfix/src/util/msg_logger.h b/postfix/src/util/msg_logger.h
index e135e7e38..4179f8b06 100644
--- a/postfix/src/util/msg_logger.h
+++ b/postfix/src/util/msg_logger.h
@@ -35,6 +35,7 @@ extern void msg_logger_control(int,...);
 #define MSG_LOGGER_CTL_FALLBACK_ONLY 1
 #define MSG_LOGGER_CTL_FALLBACK_FN 2
 #define MSG_LOGGER_CTL_DISABLE 3
+#define MSG_LOGGER_CTL_CONNECT_NOW 4
 
 /* Safer API: type-checked arguments, external use. */
 #define CA_MSG_LOGGER_CTL_END MSG_LOGGER_CTL_END
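Review bot: The new MSG_LOGGER_CTL_CONNECT_NOW case opens the socket whenever the fallback-only override is clear and never consults msg_logger_enable, so a process that issued MSG_LOGGER_CTL_DISABLE (whose effect the header comment says lasts until the next msg_logger_init) still gets a connect attempt and then holds an open descriptor it will never write to across the chroot and privilege drop. The documentation added in the same file, "open the logging socket now, if permitted by current settings", promises more than MSG_LOGGER_NEED_SOCKET() actually checks. I would gate the eager open on both flags, `if (msg_logger_enable && MSG_LOGGER_NEED_SOCKET())`, and extend the macro's comment to say which settings it covers. Whether msg_logger_print already returns early when the logger is disabled is not visible in its hunk, and msg_logger_control itself begins before this hunk.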
@@ -43,6 +44,7 @@ extern void msg_logger_control(int,...);
 			MSG_LOGGER_CTL_FALLBACK_FN, CHECK_VAL(MSG_LOGGER_CTL, \
 				MSG_LOGGER_FALLBACK_FN, (v))
 #define CA_MSG_LOGGER_CTL_DISABLE MSG_LOGGER_CTL_DISABLE
+#define CA_MSG_LOGGER_CTL_CONNECT_NOW MSG_LOGGER_CTL_CONNECT_NOW
 
 CHECK_VAL_HELPER_DCL(MSG_LOGGER_CTL, MSG_LOGGER_FALLBACK_FN);