diff --git a/postfix/HISTORY b/postfix/HISTORY index 819cc78a7..31dd8cfc4 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -17629,3 +17629,35 @@ Apologies for any names omitted. to a missing guard statement after an smtpd_check_rewrite() call was moved closer to the command processor loop. Fix by Bartek Szady. File: smtpd/smtpd.c. + +20120220 + + Cleanup: documentation of how to use only system-supplied + certificates with *CAfile and *CApath. File: proto/postconf.proto. + + Cleanup: documentation of smtp_sasl_mechanism_filter. File: + proto/postconf.proto. + +20120222 + + Cleanup: when multiple DNSBLs block an SMTP client, the + postscreen "reject" message now gives credit to the DNSBL + with the largest weight, instead of the DNSBL that replies + first. File: postscreen/postscreeb_dnsbl.c. + + Cleanup: memcache_table(5) manpage. File proto/memcache_table. + +20120225 + + Cleanup: eliminated the build-time Perl dependency. File: + bounce/annotate.sh. + + Cleanup: when -DNO_DB support was added, the makedefs script + was not updated to skip the Linux Berkeley DB tests. + + FreeBSD9 is now a supported platform. Files: makedefs, + util/sys_defs.h. + +20120226 + + Cleanup: documentation in postfix-install. diff --git a/postfix/html/memcache_table.5.html b/postfix/html/memcache_table.5.html index 01da77ed3..36af14727 100644 --- a/postfix/html/memcache_table.5.html +++ b/postfix/html/memcache_table.5.html 
@@ -84,37 +84,38 @@ MEMCACHE_TABLE(5) MEMCACHE_TABLE(5) flags (default: 0) Optional flags that should be stored along with a - memcache update. + memcache update. The flags are ignored when looking + up information. ttl (default: 3600) The expiration time in seconds of memcache updates. - NOTE 1: When using a memcache table as + NOTE 1: When using a memcache table as postscreen(8) or verify(8) cache without persistent backup, specify a zero *_cache_cleanup_interval - value with all Postfix instances that use the mem- - cache, and specify the largest postscreen(8) *_ttl - value or verify(8) *_expire_time value as the mem- + value with all Postfix instances that use the mem- + cache, and specify the largest postscreen(8) *_ttl + value or verify(8) *_expire_time value as the mem- cache table's ttl value. - NOTE 2: According to memcache protocol documenta- - tion, a value greater than 30 days (2592000 sec- - onds) specifies absolute UNIX time. Smaller values + NOTE 2: According to memcache protocol documenta- + tion, a value greater than 30 days (2592000 sec- + onds) specifies absolute UNIX time. Smaller values are relative to the time of the update. MEMCACHE KEY PARAMETERS key_format (default: %s) - Format of the lookup and update keys in memcache - requests. By default, these are the same as the - lookup and update keys that are given to the Post- + Format of the lookup and update keys in memcache + requests. By default, these are the same as the + lookup and update keys that are given to the Post- fix memcache client. NOTE: The key_format feature is not used for backup database requests. - When the same memcache database is used to cache - information from multiple tables, you can use the - key_format feature to avoid name collisions by + When the same memcache database is used to cache + information from multiple tables, you can use the + key_format feature to avoid name collisions by prepending a fixed string. Examples: key_format = aliases:%s 
@@ -125,48 +126,48 @@ MEMCACHE_TABLE(5) MEMCACHE_TABLE(5) %% This is replaced by a literal '%' character. - %s This is replaced by the memcache client + %s This is replaced by the memcache client input key. %u When the input key is an address of the form user@domain, %u is replaced by the SQL - quoted local part of the address. Other- - wise, %u is replaced by the entire search + quoted local part of the address. Other- + wise, %u is replaced by the entire search string. If the localpart is empty, a lookup - is silently suppressed and returns no - results (an update is skipped with a warn- + is silently suppressed and returns no + results (an update is skipped with a warn- ing). %d When the input key is an address of the form - user@domain, %d is replaced by the domain + user@domain, %d is replaced by the domain part of the address. Otherwise, a lookup is - silently suppressed and returns no results + silently suppressed and returns no results (an update is skipped with a warning). %[SUD] The upper-case equivalents of the above - expansions behave in the key_format parame- + expansions behave in the key_format parame- ter identically to their lower-case counter- parts. - %[1-9] The patterns %1, %2, ... %9 are replaced by + %[1-9] The patterns %1, %2, ... %9 are replaced by the corresponding most significant component - of the input key's domain. If the input key + of the input key's domain. If the input key is user@mail.example.com, then %1 is com, %2 - is example and %3 is mail. If the input key + is example and %3 is mail. If the input key is unqualified or does not have enough - domain components to satisfy all the speci- - fied patterns, a lookup is silently sup- + domain components to satisfy all the speci- + fied patterns, a lookup is silently sup- pressed and returns no results (an update is skipped with a warning). domain (default: no domain list) This feature can significantly reduce database server load. 
Specify a list of domain names, paths - to files, or "type:table" databases. When speci- + to files, or "type:table" databases. When speci- fied, only fully qualified search keys with a *non- empty* localpart and a matching domain are eligible - for lookup or update: bare 'user' lookups, bare - domain lookups and "@domain" lookups are silently + for lookup or update: bare 'user' lookups, bare + domain lookups and "@domain" lookups are silently skipped (updates are skipped with a warning). Example: 
@@ -180,33 +181,33 @@ MEMCACHE_TABLE(5) MEMCACHE_TABLE(5) The maximal memcache reply line length in bytes. max_try (default: 2) - The number of times to try a memcache command - before giving up. The memcache client does not + The number of times to try a memcache command + before giving up. The memcache client does not retry a command when the memcache server accepts no connection. retry_pause (default: 1) - The time in seconds before retrying a failed mem- + The time in seconds before retrying a failed mem- cache command. timeout (default: 2) - The time limit for sending a memcache command and + The time limit for sending a memcache command and for receiving a memcache reply. BUGS - The Postfix memcache client cannot be used for security- - sensitive tables such as alias_maps (these may contain - "|command and "/file/name" destinations), or vir- - tual_uid_maps, virtual_gid_maps and virtual_mailbox_maps - (these specify UNIX process privileges or "/file/name" - destinations). In a typical deployment a memcache data- - base is writable by any process that can talk to the mem- - cache server; in contrast, security-sensitive tables must + The Postfix memcache client cannot be used for security- + sensitive tables such as alias_maps (these may contain + "|command and "/file/name" destinations), or vir- + tual_uid_maps, virtual_gid_maps and virtual_mailbox_maps + (these specify UNIX process privileges or "/file/name" + destinations). In a typical deployment a memcache data- + base is writable by any process that can talk to the mem- + cache server; in contrast, security-sensitive tables must never be writable by the unprivileged Postfix user. The Postfix memcache client requires additional configura- - tion when used as postscreen(8) or verify(8) cache. For - details see the backup and ttl parameter discussions in + tion when used as postscreen(8) or verify(8) cache. 
For + details see the backup and ttl parameter discussions in the MEMCACHE MAIN PARAMETERS section above. SEE ALSO @@ -218,11 +219,11 @@ MEMCACHE_TABLE(5) MEMCACHE_TABLE(5) MEMCACHE_README, Postfix memcache client guide LICENSE - The Secure Mailer license must be distributed with this + The Secure Mailer license must be distributed with this software. HISTORY - Memcache support was introduced with Postfix version 2.9. + Memcache support was introduced with Postfix version 2.9. AUTHOR(S) Wietse Venema diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index ec54b00c4..81fb9221a 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -10201,10 +10201,10 @@ parameter, but the setting "no" does not.

If non-empty, a Postfix SMTP client filter for the remote SMTP server's list of offered SASL mechanisms. Different client and -server implementations may support different mechanism lists. By +server implementations may support different mechanism lists; by default, the Postfix SMTP client will use the intersection of the -two. smtp_sasl_mechanism_filter further restricts what server -mechanisms the client will take into consideration.

+two. smtp_sasl_mechanism_filter specifies an optional third mechanism +list to intersect with.

Specify mechanism names, "/file/name" patterns or "type:table" lookup tables. The right-hand side result from "type:table" lookups @@ -10490,6 +10490,10 @@ file may also be used to augment the client certificate trust chain, but it is best to include all the required certificates directly in $smtp_tls_cert_file.

+

Specify "smtp_tls_CAfile = /path/to/system_CA_file" to use +ONLY the system-supplied default certificate authority certificates. +

+

Specify "tls_append_default_CA = no" to prevent Postfix from appending the system-supplied default CAs and trusting third-party certificates.

@@ -10517,6 +10521,10 @@ with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".

To use this option in chroot mode, this directory (or a copy) must be inside the chroot jail.

+

Specify "smtp_tls_CApath = /path/to/system_CA_directory" to +use ONLY the system-supplied default certificate authority certificates. +

+

Specify "tls_append_default_CA = no" to prevent Postfix from appending the system-supplied default CAs and trusting third-party certificates.

@@ -14196,6 +14204,10 @@ file may also be used to augment the server certificate trust chain, but it is best to include all the required certificates directly in the server certificate file.

+

Specify "smtpd_tls_CAfile = /path/to/system_CA_file" to use ONLY +the system-supplied default certificate authority certificates. +

+

Specify "tls_append_default_CA = no" to prevent Postfix from appending the system-supplied default CAs and trusting third-party certificates.

@@ -14231,6 +14243,10 @@ for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". To use smtpd_tls_CApath in chroot mode, this directory (or a copy) must be inside the chroot jail.

+

Specify "smtpd_tls_CApath = /path/to/system_CA_directory" to +use ONLY the system-supplied default certificate authority certificates. +

+

Specify "tls_append_default_CA = no" to prevent Postfix from appending the system-supplied default CAs and trusting third-party certificates.

diff --git a/postfix/makedefs b/postfix/makedefs index 316d94b48..92a9717c3 100644 --- a/postfix/makedefs +++ b/postfix/makedefs @@ -153,6 +153,8 @@ case "$SYSTEM.$RELEASE" in ;; FreeBSD.8*) SYSTYPE=FREEBSD8 ;; + FreeBSD.9*) SYSTYPE=FREEBSD9 + ;; OpenBSD.2*) SYSTYPE=OPENBSD2 ;; OpenBSD.3*) SYSTYPE=OPENBSD3 @@ -267,36 +269,31 @@ case "$SYSTEM.$RELEASE" in esac;; # Tested with RedHat 3.03 on 20020729. Linux.1*) SYSTYPE=LINUX1 - SYSLIBS="-ldb" + case "$CCARGS" in + *-DNO_DB*) ;; + *) SYSLIBS="-ldb";; + esac ;; Linux.2*) SYSTYPE=LINUX2 - # Postfix no longer needs DB 1.85 compatibility - if [ -f /usr/include/db.h ] - then - : we are all set - elif [ -f /usr/include/db/db.h ] - then - CCARGS="$CCARGS -I/usr/include/db" - else - # No, we're not going to try db1 db2 db3 etc. - # On a properly installed system, Postfix builds - # by including and by linking with -ldb - echo "No include file found." 1>&2 - echo "Install the appropriate db*-devel package first." 1>&2 - echo "See the RELEASE_NOTES file for more information." 1>&2 - exit 1 - fi - # GDBM locks the DBM .pag file after open. This breaks postmap. - # if [ -f /usr/include/gdbm-ndbm.h ] - # then - # CCARGS="$CCARGS -DHAS_DBM -DPATH_NDBM_H=''" - # GDBM_LIBS=gdbm - # elif [ -f /usr/include/gdbm/ndbm.h ] - # then - # CCARGS="$CCARGS -DHAS_DBM -DPATH_NDBM_H=''" - # GDBM_LIBS=gdbm - # fi - SYSLIBS="-ldb" + case "$CCARGS" in + *-DNO_DB*) ;; + *) if [ -f /usr/include/db.h ] + then + : we are all set + elif [ -f /usr/include/db/db.h ] + then + CCARGS="$CCARGS -I/usr/include/db" + else + # No, we're not going to try db1 db2 db3 etc. + # On a properly installed system, Postfix builds + # by including and by linking with -ldb + echo "No include file found." 1>&2 + echo "Install the appropriate db*-devel package first." 1>&2 + exit 1 + fi + SYSLIBS="-ldb" + ;; + esac for name in nsl resolv $GDBM_LIBS do for lib in /usr/lib64 /lib64 /usr/lib /lib 
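Review bot: The `*-DNO_DB*` pattern in the Linux.1 and Linux.2 branches is a substring match, so any CCARGS token that merely begins with `-DNO_DB` (a differently named macro, for example) would also skip the db.h probe and drop `-ldb`. Matching the whole token would be tighter, e.g. `case " $CCARGS " in *" -DNO_DB "*) ;;`, assuming the option is always passed bare. In the Linux.2 branch SYSLIBS is no longer assigned before the `for name in nsl resolv $GDBM_LIBS` loop when NO_DB is set; the loop body is outside the hunk, so confirm that it does not append to a value inherited from the environment. The same block is repeated in the Linux.3 and GNU.0 hunks, and a small shell function shared by all three would keep them from drifting apart.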
@@ -350,21 +347,24 @@ EOF esac ;; Linux.3*) SYSTYPE=LINUX3 - if [ -f /usr/include/db.h ] - then - : we are all set - elif [ -f /usr/include/db/db.h ] - then - CCARGS="$CCARGS -I/usr/include/db" - else - # On a properly installed system, Postfix builds - # by including and by linking with -ldb - echo "No include file found." 1>&2 - echo "Install the appropriate db*-devel package first." 1>&2 - echo "See the RELEASE_NOTES file for more information." 1>&2 - exit 1 - fi - SYSLIBS="-ldb" + case "$CCARGS" in + *-DNO_DB*) ;; + *) if [ -f /usr/include/db.h ] + then + : we are all set + elif [ -f /usr/include/db/db.h ] + then + CCARGS="$CCARGS -I/usr/include/db" + else + # On a properly installed system, Postfix builds + # by including and by linking with -ldb + echo "No include file found." 1>&2 + echo "Install the appropriate db*-devel package first." 1>&2 + exit 1 + fi + SYSLIBS="-ldb" + ;; + esac for name in nsl resolv do for lib in /usr/lib64 /lib64 /usr/lib /lib 
@@ -378,23 +378,24 @@ EOF ;; GNU.0*|GNU/kFreeBSD.[567]*) SYSTYPE=GNU0 - # Postfix no longer needs DB 1.85 compatibility - if [ -f /usr/include/db.h ] - then - : we are all set - elif [ -f /usr/include/db/db.h ] - then - CCARGS="$CCARGS -I/usr/include/db" - else - # No, we're not going to try db1 db2 db3 etc. - # On a properly installed system, Postfix builds - # by including and by linking with -ldb - echo "No include file found." 1>&2 - echo "Install the appropriate db*-devel package first." 1>&2 - echo "See the RELEASE_NOTES file for more information." 1>&2 - exit 1 - fi - SYSLIBS="-ldb" + case "$CCARGS" in + *-DNO_DB*) ;; + *) if [ -f /usr/include/db.h ] + then + : we are all set + elif [ -f /usr/include/db/db.h ] + then + CCARGS="$CCARGS -I/usr/include/db" + else + # On a properly installed system, Postfix builds + # by including and by linking with -ldb + echo "No include file found." 1>&2 + echo "Install the appropriate db*-devel package first." 1>&2 + exit 1 + fi + SYSLIBS="-ldb" + ;; + esac for name in nsl resolv do for lib in /usr/lib64 /lib64 /usr/lib /lib diff --git a/postfix/man/man5/memcache_table.5 b/postfix/man/man5/memcache_table.5 index 1c33b09fe..692cc8d34 100644 --- a/postfix/man/man5/memcache_table.5 +++ b/postfix/man/man5/memcache_table.5 @@ -88,7 +88,7 @@ setting (depending on whether the access is read-only or read-write). .IP "\fBflags (default: 0)\fR" Optional flags that should be stored along with a memcache -update. +update. The flags are ignored when looking up information. .IP "\fBttl (default: 3600)\fR" The expiration time in seconds of memcache updates. diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 09506eae2..23cf48301 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 
@@ -5989,10 +5989,10 @@ This feature is available in Postfix 2.5 and later. .SH smtp_sasl_mechanism_filter (default: empty) If non-empty, a Postfix SMTP client filter for the remote SMTP server's list of offered SASL mechanisms. Different client and -server implementations may support different mechanism lists. By +server implementations may support different mechanism lists; by default, the Postfix SMTP client will use the intersection of the -two. smtp_sasl_mechanism_filter further restricts what server -mechanisms the client will take into consideration. +two. smtp_sasl_mechanism_filter specifies an optional third mechanism +list to intersect with. .PP Specify mechanism names, "/file/name" patterns or "type:table" lookup tables. The right-hand side result from "type:table" lookups @@ -6160,6 +6160,9 @@ file may also be used to augment the client certificate trust chain, but it is best to include all the required certificates directly in $smtp_tls_cert_file. .PP +Specify "smtp_tls_CAfile = /path/to/system_CA_file" to use +ONLY the system-supplied default certificate authority certificates. +.PP Specify "tls_append_default_CA = no" to prevent Postfix from appending the system-supplied default CAs and trusting third-party certificates. @@ -6184,6 +6187,9 @@ with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". To use this option in chroot mode, this directory (or a copy) must be inside the chroot jail. .PP +Specify "smtp_tls_CApath = /path/to/system_CA_directory" to +use ONLY the system-supplied default certificate authority certificates. +.PP Specify "tls_append_default_CA = no" to prevent Postfix from appending the system-supplied default CAs and trusting third-party certificates. 
@@ -8993,6 +8999,9 @@ file may also be used to augment the server certificate trust chain, but it is best to include all the required certificates directly in the server certificate file. .PP +Specify "smtpd_tls_CAfile = /path/to/system_CA_file" to use ONLY +the system-supplied default certificate authority certificates. +.PP Specify "tls_append_default_CA = no" to prevent Postfix from appending the system-supplied default CAs and trusting third-party certificates. @@ -9026,6 +9035,9 @@ for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". To use smtpd_tls_CApath in chroot mode, this directory (or a copy) must be inside the chroot jail. .PP +Specify "smtpd_tls_CApath = /path/to/system_CA_directory" to +use ONLY the system-supplied default certificate authority certificates. +.PP Specify "tls_append_default_CA = no" to prevent Postfix from appending the system-supplied default CAs and trusting third-party certificates. diff --git a/postfix/postfix-install b/postfix/postfix-install index 49225ac88..7f14c03ef 100644 --- a/postfix/postfix-install +++ b/postfix/postfix-install @@ -104,7 +104,7 @@ # users. The built-in default directory name is system dependent. # This parameter setting is recorded in the installed main.cf file. # .IP html_directory -# The destination directory for the Postfix HTML files. +# The final destination directory for the Postfix HTML files. # This parameter setting is recorded in the installed main.cf file. # .IP queue_directory # The final destination directory for Postfix queues. 
@@ -138,14 +138,14 @@ # The built-in default group name is postdrop. # This parameter setting is recorded in the installed main.cf file. # .IP manpage_directory -# The destination directory for the Postfix on-line manual pages. +# The final destination directory for the Postfix on-line manual pages. # This parameter setting is recorded in the installed main.cf file. # .IP sample_directory -# The destination directory for the Postfix sample configuration files. -# This parameter is obsolete as of Postfix version 2.1. +# The final destination directory for the Postfix sample configuration +# files. This parameter is obsolete as of Postfix version 2.1. # This parameter setting is recorded in the installed main.cf file. # .IP readme_directory -# The destination directory for the Postfix README files. +# The final destination directory for the Postfix README files. # This parameter setting is recorded in the installed main.cf file. # SEE ALSO # post-install(1) post-installation procedure @@ -350,13 +350,14 @@ management commands. Specify a group name with a numerical group ID that is not shared with other accounts, not even with the Postfix mail_owner account. You can no longer specify \"no\" here." -manpage_directory_prompt="the destination directory for the Postfix on-line -manual pages. You can no longer specify \"no\" here." +manpage_directory_prompt="the final destination directory for the +Postfix on-line manual pages. You can no longer specify \"no\" +here." -readme_directory_prompt="the destination directory for the Postfix +readme_directory_prompt="the final destination directory for the Postfix README files. Specify \"no\" if you do not want to install these files." -html_directory_prompt="the destination directory for the Postfix +html_directory_prompt="the final destination directory for the Postfix HTML files. Specify \"no\" if you do not want to install these files." # Default settings, just to get started. 
diff --git a/postfix/proto/memcache_table b/postfix/proto/memcache_table index 3dc4678b7..c065e65da 100644 --- a/postfix/proto/memcache_table +++ b/postfix/proto/memcache_table @@ -80,7 +80,7 @@ # read-write). # .IP "\fBflags (default: 0)\fR" # Optional flags that should be stored along with a memcache -# update. +# update. The flags are ignored when looking up information. # .IP "\fBttl (default: 3600)\fR" # The expiration time in seconds of memcache updates. # diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 8e5e47a36..63804d43c 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -4362,10 +4362,10 @@ smtp_sasl_security_options = noplaintext

If non-empty, a Postfix SMTP client filter for the remote SMTP server's list of offered SASL mechanisms. Different client and -server implementations may support different mechanism lists. By +server implementations may support different mechanism lists; by default, the Postfix SMTP client will use the intersection of the -two. smtp_sasl_mechanism_filter further restricts what server -mechanisms the client will take into consideration.

+two. smtp_sasl_mechanism_filter specifies an optional third mechanism +list to intersect with.

Specify mechanism names, "/file/name" patterns or "type:table" lookup tables. The right-hand side result from "type:table" lookups @@ -8811,6 +8811,10 @@ file may also be used to augment the server certificate trust chain, but it is best to include all the required certificates directly in the server certificate file.

+

Specify "smtpd_tls_CAfile = /path/to/system_CA_file" to use ONLY +the system-supplied default certificate authority certificates. +

+

Specify "tls_append_default_CA = no" to prevent Postfix from appending the system-supplied default CAs and trusting third-party certificates.

@@ -8842,6 +8846,10 @@ for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". To use smtpd_tls_CApath in chroot mode, this directory (or a copy) must be inside the chroot jail.

+

Specify "smtpd_tls_CApath = /path/to/system_CA_directory" to +use ONLY the system-supplied default certificate authority certificates. +

+

Specify "tls_append_default_CA = no" to prevent Postfix from appending the system-supplied default CAs and trusting third-party certificates.

@@ -9221,6 +9229,10 @@ file may also be used to augment the client certificate trust chain, but it is best to include all the required certificates directly in $smtp_tls_cert_file.

+

Specify "smtp_tls_CAfile = /path/to/system_CA_file" to use +ONLY the system-supplied default certificate authority certificates. +

+

Specify "tls_append_default_CA = no" to prevent Postfix from appending the system-supplied default CAs and trusting third-party certificates.

@@ -9244,6 +9256,10 @@ with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".

To use this option in chroot mode, this directory (or a copy) must be inside the chroot jail.

+

Specify "smtp_tls_CApath = /path/to/system_CA_directory" to +use ONLY the system-supplied default certificate authority certificates. +

+

Specify "tls_append_default_CA = no" to prevent Postfix from appending the system-supplied default CAs and trusting third-party certificates.

diff --git a/postfix/src/bounce/Makefile.in b/postfix/src/bounce/Makefile.in index 09de6e9d0..8c98151db 100644 --- a/postfix/src/bounce/Makefile.in +++ b/postfix/src/bounce/Makefile.in @@ -25,9 +25,9 @@ $(PROG): $(OBJS) $(LIBS) $(CC) $(CFLAGS) -o $@ $(OBJS) $(LIBS) $(SYSLIBS) # Eliminate dependency on installed Postfix. -../../conf/bounce.cf.default: template_test.ref annotate.pl +../../conf/bounce.cf.default: template_test.ref annotate.sh rm -f $@ - perl annotate.pl $@ + ./annotate.sh $@ main.cf: echo queue_directory=. >main.cf diff --git a/postfix/src/bounce/annotate.pl b/postfix/src/bounce/annotate.sh old mode 100644 new mode 100755 similarity index 91% rename from postfix/src/bounce/annotate.pl rename to postfix/src/bounce/annotate.sh index a7aabfe67..c2acaa847 --- a/postfix/src/bounce/annotate.pl +++ b/postfix/src/bounce/annotate.sh @@ -1,4 +1,6 @@ -print <<'EOF' +#!/bin/sh + +cat <<'EOF' # # Do not edit this file. This file shows the default delivery status # notification (DSN) messages that are built into Postfix. @@ -60,10 +62,11 @@ EOF # bounce_template_file = $config_directory/bounce.cf # #EOF -; -while (<>) { - if (/^failure_template/) { print <<'EOF' +IFS= +while read line; do + case "$line" in + failure_template*) cat <<'EOF' # # The failure template is used when mail is returned to the sender; @@ -72,8 +75,8 @@ while (<>) { # EOF -; - } elsif (/^delay_template/) { print <<'EOF' + ;; + delay_template*) cat <<'EOF' # # The delay template is used when mail is delayed. Note a neat trick: @@ -90,8 +93,8 @@ EOF # EOF -; - } elsif (/^success_template/) { print <<'EOF' + ;; + success_template*) cat <<'EOF' # # The success template is used when mail is delivered to mailbox, 
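Review bot: The `while read line; do` loop added in the annotate.sh hunk at -60,10 +62,11 reads without `-r`, so a backslash in a template line is consumed by the shell instead of being copied through as the Perl `print $_` did. I would write `while IFS= read -r line; do` and, in the final hunk, replace `echo "$line";` with `printf '%s\n' "$line"`, since `echo` treats backslashes and a leading `-n` differently across shells. A last input line without a trailing newline is also dropped by this loop; `while IFS= read -r line || [ -n "$line" ]; do` keeps it. The Makefile.in rule now depends on the script's execute bit surviving unpacking, which invoking it through `sh` would avoid.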
@@ -101,17 +104,17 @@ EOF # EOF -; - } elsif (/^verify_template/) { print <<'EOF' + ;; + verify_template*) cat <<'EOF' # # The verify template is used for address verification (sendmail -bv -# address...). or for verbose mail delivery (sendmail -v address...). +# address...) or for verbose mail delivery (sendmail -v address...). # It is an error to specify a Postmaster-Subject: here. # EOF -; - } - print $_; -} + ;; + esac + echo "$line"; +done diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index b53552213..00c359944 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20120218" +#define MAIL_RELEASE_DATE "20120226" #define MAIL_VERSION_NUMBER "2.10" #ifdef SNAPSHOT diff --git a/postfix/src/postscreen/postscreen_dnsbl.c b/postfix/src/postscreen/postscreen_dnsbl.c index b85a9da93..82f88240c 100644 --- a/postfix/src/postscreen/postscreen_dnsbl.c +++ b/postfix/src/postscreen/postscreen_dnsbl.c @@ -139,7 +139,8 @@ typedef struct { } PSC_CALL_BACK_ENTRY; typedef struct { - const char *dnsbl; /* one contributing DNSBL */ + const char *dnsbl_name; /* DNSBL with largest contribution */ + int dnsbl_weight; /* weight of largest contribution */ int total; /* combined blocklist score */ int refcount; /* score reference count */ int pending_lookups; /* nr of DNS requests in flight */ @@ -328,7 +329,7 @@ int psc_dnsbl_retrieve(const char *client_addr, const char **dnsbl_name, * Reads are destructive. */ result_score = score->total; - *dnsbl_name = score->dnsbl; + *dnsbl_name = score->dnsbl_name; score->refcount -= 1; if (score->refcount < 1) { if (msg_verbose > 1) 
@@ -398,8 +399,11 @@ static void psc_dnsbl_receive(int event, char *context) if (site->byte_codes == 0 || psc_dnsbl_match(site->byte_codes, reply_argv ? reply_argv : (reply_argv = argv_split(STR(reply_addr), " ")))) { - if (score->dnsbl == 0) - score->dnsbl = head->safe_dnsbl; + if (score->dnsbl_name == 0 + || score->dnsbl_weight < site->weight) { + score->dnsbl_name = head->safe_dnsbl; + score->dnsbl_weight = site->weight; + } score->total += site->weight; if (msg_verbose > 1) msg_info("%s: filter=\"%s\" weight=%d score=%d", @@ -477,7 +481,8 @@ int psc_dnsbl_request(const char *client_addr, msg_info("%s: create blocklist score for %s", myname, client_addr); score = (PSC_DNSBL_SCORE *) mymalloc(sizeof(*score)); score->request_id = request_count++; - score->dnsbl = 0; + score->dnsbl_name = 0; + score->dnsbl_weight = 0; score->total = 0; score->refcount = 1; score->pending_lookups = 0; diff --git a/postfix/src/util/sys_defs.h b/postfix/src/util/sys_defs.h index b6af7cfea..482fa7327 100644 --- a/postfix/src/util/sys_defs.h +++ b/postfix/src/util/sys_defs.h @@ -25,7 +25,7 @@ */ #if defined(FREEBSD2) || defined(FREEBSD3) || defined(FREEBSD4) \ || defined(FREEBSD5) || defined(FREEBSD6) || defined(FREEBSD7) \ - || defined(FREEBSD8) \ + || defined(FREEBSD8) || defined(FREEBSD9) \ || defined(BSDI2) || defined(BSDI3) || defined(BSDI4) \ || defined(OPENBSD2) || defined(OPENBSD3) || defined(OPENBSD4) \ || defined(OPENBSD5) \
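Review bot: The new test `score->dnsbl_weight < site->weight` in psc_dnsbl_receive() compares the weight of a single matching entry, and the strict `<` means that equal weights are still credited to whichever reply arrives first. If one DNSBL can be listed with several filters that each match (the list layout is outside this hunk, so this is inferred from the separate `head` and `site` pointers), its contributions are summed into `score->total` while the credited name reflects only the largest individual entry. That behaviour is reasonable, but it should be documented where operators reading the reject message or the log will find it. I would add `/* largest single weight wins; ties keep the first reply */` above the test, and change the struct comment in the earlier hunk to `/* DNSBL with largest single weight */`. The function body continues outside the hunk.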