mir/postfix
2
0
Fork 0
mirror of https://github.com/vdukhovni/postfix synced 2025-08-30 13:48:06 +00:00
Code Issues Releases Wiki Activity

postfix-3.5-20200105

Browse Source
This commit is contained in:
Wietse Venema
2020-01-05 00:00:00 -05:00
committed by Viktor Dukhovni
parent d6c056b2f8
commit 5f3bcc11ef
8 changed files with 77 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
postfix/HISTORY
View File

@@ -24502,3 +24502,23 @@ Apologies for any names omitted.
Bugfix: sanitize server responses before storing them in Bugfix: sanitize server responses before storing them in
the verify database, to avoid Postfix warnings about malformed the verify database, to avoid Postfix warnings about malformed
UTF8. File: verify/verify.c. UTF8. File: verify/verify.c.
20191215
Future proofing: the Postfix DNS library logs a warning if
the DNS_REQ_FLAG_NCACHE_TTL dns_lookup flag is set and the
RES_DNSRCH or RES_DEFNAMES resolver flags are set, and
disables those resolver flags. File: dns/dns_lookup.c.
20191230
Documentation: added the 'X' flag (final delivery) to the
pipe-based final delivery examples in the default master.cf
file. File: conf/master.cf
20201005
Workaround: postlog clients open the socket before entering
the chroot jail and before dropping privileges. This is needed
on MacOS and would not hurt otherwise. Files: util/msg_logger.[hc],
global/maillog_client.c.

6
postfix/conf/master.cf
View File

@@ -79,7 +79,7 @@ postlog unix-dgram n - n - 1 postlogd
# Also specify in main.cf: maildrop_destination_recipient_limit=1 # Also specify in main.cf: maildrop_destination_recipient_limit=1
# #
#maildrop unix - n n - - pipe #maildrop unix - n n - - pipe
# flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient} # flags=DRXhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
# #
# ==================================================================== # ====================================================================
# #
@@ -98,7 +98,7 @@ postlog unix-dgram n - n - 1 postlogd
# Also specify in main.cf: cyrus_destination_recipient_limit=1 # Also specify in main.cf: cyrus_destination_recipient_limit=1
# #
#cyrus unix - n n - - pipe #cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} # flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
# #
# ==================================================================== # ====================================================================
# #
@@ -129,5 +129,5 @@ postlog unix-dgram n - n - 1 postlogd
# ${nexthop} ${user} ${extension} # ${nexthop} ${user} ${extension}
# #
#mailman unix - n n - - pipe #mailman unix - n n - - pipe
# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py # flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
# ${nexthop} ${user} # ${nexthop} ${user}

4
postfix/html/postconf.5.html
View File

@@ -18510,7 +18510,7 @@ is unwise to choose an "bleeding-edge" curve supported by only a
small subset of clients. </p> small subset of clients. </p>
<p> The default "strong" curve is rated in NSA <a <p> The default "strong" curve is rated in NSA <a
href="http://www.nsa.gov/ia/programs/suiteb_cryptography/">Suite href="https://web.archive.org/web/20160330034144/https://www.nsa.gov/ia/programs/suiteb_cryptography/">Suite
B</a> for information classified up to SECRET. </p> B</a> for information classified up to SECRET. </p>
<p> Note: elliptic curve names are poorly standardized; different <p> Note: elliptic curve names are poorly standardized; different
@@ -18551,7 +18551,7 @@ curve must be implemented by OpenSSL (as reported by ecparam(1) with the
of <a href="http://tools.ietf.org/html/rfc4492">RFC 4492</a>. You should not generally change this setting. </p> of <a href="http://tools.ietf.org/html/rfc4492">RFC 4492</a>. You should not generally change this setting. </p>
<p> This default "ultra" curve is rated in NSA <a <p> This default "ultra" curve is rated in NSA <a
href="http://www.nsa.gov/ia/programs/suiteb_cryptography/">Suite href="https://web.archive.org/web/20160330034144/https://www.nsa.gov/ia/programs/suiteb_cryptography/">Suite
B</a> for information classified up to TOP SECRET. </p> B</a> for information classified up to TOP SECRET. </p>
<p> If you want to take maximal advantage of ciphers that offer <a <p> If you want to take maximal advantage of ciphers that offer <a

12
postfix/src/dns/dns_lookup.c
View File

@@ -145,6 +145,8 @@
/* available. The per-record reply TTL specifies how long the /* available. The per-record reply TTL specifies how long the
/* DNS_NOTFOUND answer is valid. The caller should pass the /* DNS_NOTFOUND answer is valid. The caller should pass the
/* record(s) to dns_rr_free(). /* record(s) to dns_rr_free().
/* Logs a warning if the RES_DNSRCH or RES_DEFNAMES resolver
/* flags are set, and disables those flags.
/* .RE /* .RE
/* .IP ltype /* .IP ltype
/* The resource record types to be looked up. In the case of /* The resource record types to be looked up. In the case of
@@ -461,6 +463,16 @@ static int dns_query(const char *name, int type, unsigned flags,
if (flags & RES_USE_DNSSEC) if (flags & RES_USE_DNSSEC)
flags |= RES_USE_EDNS0; flags |= RES_USE_EDNS0;
/*
* Can't append domains: we need the right SOA TTL.
*/
#define APPEND_DOMAIN_FLAGS (RES_DNSRCH | RES_DEFNAMES)
if (keep_notfound && (flags & APPEND_DOMAIN_FLAGS)) {
msg_warn("negative caching disables RES_DEFNAMES and RES_DNSRCH");
flags &= ~APPEND_DOMAIN_FLAGS;
}
/* /*
* Save and restore resolver options that we overwrite, to avoid * Save and restore resolver options that we overwrite, to avoid
* surprising behavior in other code that also invokes the resolver. * surprising behavior in other code that also invokes the resolver.

2
postfix/src/global/mail_version.h
View File

@@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no * Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only. * patchlevel; they change the release date only.
*/ */
#define MAIL_RELEASE_DATE "20191214" #define MAIL_RELEASE_DATE "20200105"
#define MAIL_VERSION_NUMBER "3.5" #define MAIL_VERSION_NUMBER "3.5"
#ifdef SNAPSHOT #ifdef SNAPSHOT

4
postfix/src/global/maillog_client.c
View File

@@ -210,7 +210,7 @@ void maillog_client_init(const char *progname, int flags)
if (var_maillog_file && *var_maillog_file) { if (var_maillog_file && *var_maillog_file) {
ARGV *good_prefixes = argv_split(var_maillog_file_pfxs, ARGV *good_prefixes = argv_split(var_maillog_file_pfxs,
CHARS_COMMA_SP); CHARS_COMMA_SP);
char **cpp; char **cpp;
for (cpp = good_prefixes->argv; /* see below */ ; cpp++) { for (cpp = good_prefixes->argv; /* see below */ ; cpp++) {
if (*cpp == 0) if (*cpp == 0)
@@ -264,6 +264,8 @@ void maillog_client_init(const char *progname, int flags)
} }
if (service_path != import_service_path) if (service_path != import_service_path)
myfree(service_path); myfree(service_path);
msg_logger_control(CA_MSG_LOGGER_CTL_CONNECT_NOW,
CA_MSG_LOGGER_CTL_END);
} }
/* /*

44
postfix/src/util/msg_logger.c
View File

@@ -62,6 +62,10 @@
/* .IP CA_MSG_LOGGER_CTL_DISABLE /* .IP CA_MSG_LOGGER_CTL_DISABLE
/* Disable the msg_logger. This remains in effect until the /* Disable the msg_logger. This remains in effect until the
/* next msg_logger_init() call. /* next msg_logger_init() call.
/* .IP CA_MSG_LOGGER_CTL_CONNECT_NOW
/* Close the logging socket if it was already open, and open
/* the logging socket now, if permitted by current settings.
/* Otherwise, the open is delayed until a logging request.
/* SEE ALSO /* SEE ALSO
/* msg(3) diagnostics module /* msg(3) diagnostics module
/* BUGS /* BUGS
@@ -111,6 +115,8 @@ static void (*msg_logger_fallback_fn) (const char *);
static int msg_logger_fallback_only_override = 0; static int msg_logger_fallback_only_override = 0;
static int msg_logger_enable = 0; static int msg_logger_enable = 0;
#define MSG_LOGGER_NEED_SOCKET() (msg_logger_fallback_only_override == 0)
/* /*
* Other state. * Other state.
*/ */
@@ -130,6 +136,26 @@ static int msg_logger_sock = MSG_LOGGER_SOCK_NONE;
#define STR(x) vstring_str(x) #define STR(x) vstring_str(x)
#define LEN(x) VSTRING_LEN(x) #define LEN(x) VSTRING_LEN(x)
/* msg_logger_connect - connect to logger service */
static void msg_logger_connect(void)
{
if (msg_logger_sock == MSG_LOGGER_SOCK_NONE) {
msg_logger_sock = unix_dgram_connect(msg_logger_unix_path, BLOCKING);
if (msg_logger_sock >= 0)
close_on_exec(msg_logger_sock, CLOSE_ON_EXEC);
}
}
/* msg_logger_disconnect - disconnect from logger service */
static void msg_logger_disconnect(void)
{
if (msg_logger_sock != MSG_LOGGER_SOCK_NONE) {
(void) close(msg_logger_sock);
msg_logger_sock = MSG_LOGGER_SOCK_NONE;
}
}
/* msg_logger_print - log info to service or file */ /* msg_logger_print - log info to service or file */
@@ -203,12 +229,8 @@ static void msg_logger_print(int level, const char *text)
* will report ENOENT if the endpoint does not exist, ECONNREFUSED if no * will report ENOENT if the endpoint does not exist, ECONNREFUSED if no
* server has opened the endpoint. * server has opened the endpoint.
*/ */
if (msg_logger_fallback_only_override == 0 if (MSG_LOGGER_NEED_SOCKET())
&& msg_logger_sock == MSG_LOGGER_SOCK_NONE) { msg_logger_connect();
msg_logger_sock = unix_dgram_connect(msg_logger_unix_path, BLOCKING);
if (msg_logger_sock >= 0)
close_on_exec(msg_logger_sock, CLOSE_ON_EXEC);
}
if (msg_logger_sock != MSG_LOGGER_SOCK_NONE) { if (msg_logger_sock != MSG_LOGGER_SOCK_NONE) {
send(msg_logger_sock, STR(msg_logger_buf), LEN(msg_logger_buf), 0); send(msg_logger_sock, STR(msg_logger_buf), LEN(msg_logger_buf), 0);
} else if (msg_logger_fallback_fn) { } else if (msg_logger_fallback_fn) {
@@ -286,10 +308,7 @@ void msg_logger_control(int name,...)
switch (name) { switch (name) {
case MSG_LOGGER_CTL_FALLBACK_ONLY: case MSG_LOGGER_CTL_FALLBACK_ONLY:
msg_logger_fallback_only_override = 1; msg_logger_fallback_only_override = 1;
if (msg_logger_sock != MSG_LOGGER_SOCK_NONE) { msg_logger_disconnect();
(void) close(msg_logger_sock);
msg_logger_sock = MSG_LOGGER_SOCK_NONE;
}
break; break;
case MSG_LOGGER_CTL_FALLBACK_FN: case MSG_LOGGER_CTL_FALLBACK_FN:
msg_logger_fallback_fn = va_arg(ap, MSG_LOGGER_FALLBACK_FN); msg_logger_fallback_fn = va_arg(ap, MSG_LOGGER_FALLBACK_FN);
@@ -297,6 +316,11 @@ void msg_logger_control(int name,...)
case MSG_LOGGER_CTL_DISABLE: case MSG_LOGGER_CTL_DISABLE:
msg_logger_enable = 0; msg_logger_enable = 0;
break; break;
case MSG_LOGGER_CTL_CONNECT_NOW:
msg_logger_disconnect();
if (MSG_LOGGER_NEED_SOCKET())
msg_logger_connect();
break;
default: default:
msg_panic("%s: bad name %d", myname, name); msg_panic("%s: bad name %d", myname, name);
} }

2
postfix/src/util/msg_logger.h
View File

@@ -35,6 +35,7 @@ extern void msg_logger_control(int,...);
#define MSG_LOGGER_CTL_FALLBACK_ONLY 1 #define MSG_LOGGER_CTL_FALLBACK_ONLY 1
#define MSG_LOGGER_CTL_FALLBACK_FN 2 #define MSG_LOGGER_CTL_FALLBACK_FN 2
#define MSG_LOGGER_CTL_DISABLE 3 #define MSG_LOGGER_CTL_DISABLE 3
#define MSG_LOGGER_CTL_CONNECT_NOW 4
/* Safer API: type-checked arguments, external use. */ /* Safer API: type-checked arguments, external use. */
#define CA_MSG_LOGGER_CTL_END MSG_LOGGER_CTL_END #define CA_MSG_LOGGER_CTL_END MSG_LOGGER_CTL_END
@@ -43,6 +44,7 @@ extern void msg_logger_control(int,...);
MSG_LOGGER_CTL_FALLBACK_FN, CHECK_VAL(MSG_LOGGER_CTL, \ MSG_LOGGER_CTL_FALLBACK_FN, CHECK_VAL(MSG_LOGGER_CTL, \
MSG_LOGGER_FALLBACK_FN, (v)) MSG_LOGGER_FALLBACK_FN, (v))
#define CA_MSG_LOGGER_CTL_DISABLE MSG_LOGGER_CTL_DISABLE #define CA_MSG_LOGGER_CTL_DISABLE MSG_LOGGER_CTL_DISABLE
#define CA_MSG_LOGGER_CTL_CONNECT_NOW MSG_LOGGER_CTL_CONNECT_NOW
CHECK_VAL_HELPER_DCL(MSG_LOGGER_CTL, MSG_LOGGER_FALLBACK_FN); CHECK_VAL_HELPER_DCL(MSG_LOGGER_CTL, MSG_LOGGER_FALLBACK_FN);