postfix-2.10-20121123

postfix/HISTORY

@@ -18079,3 +18079,44 @@ Apologies for any names omitted.
 	Bugfix: smtpd_relay_restrictions compatibility shim did not
 	detect "empty" value.  Sahil Tandon. The same problem existed
 	with the inet_protocols shim. File: conf/post-install.
+
+20121105
+
+	Cleanup: the postscreen(8) "deep protocol" tests now log
+	the SMTP command that precedes a protocol violation.  Files:
+	postscreen/postscreen_smtpd.c, proto/POSTSCREEN_README.html.
+
+	Bugfix (introduced: Postfix 1.1): wrong string termination
+	when handling a MBOX From_ line at the start of a message.
+	File: qmqpd/qmqpd.c.
+
+20121110
+
+	Cleanup: specify $(WARN) on the MacOS X compiler command
+	line to suppress "nested comment" and possibly other unwanted
+	warnings. Problem reported by Jim Reid. File: makedefs,
+	Makefile.in.
+
+20121119
+
+	Documentation: added a note that key_format is required
+	when postscreen(8) and verify(8) share the same memcache
+	(with different persistent backup databases, or course)
+	otherwise automatic cache cleanup breaks due to a name
+	collision for the "last cache cleanup" database record.
+	File: proto/memcache.
+
+20121122
+
+	Cleanup: the safety-check for smtpd_recipient_restrictions
+	and smtpd_relay_restrictions now detects permit before
+	reject.  File: smtpd/smtpd_check.c.
+
+	Cleanup: the safety-check for smtpd_recipient_restrictions
+	and smtpd_relay_restrictions is no longer case-sensitive.
+	File: smtpd/smtpd_check.c.
+
+20121123
+
+	Cleanup: consistent escaping of commands in postscreen deep
+	protocol test logging. File: postscreen/postscreen_smtpd.c.

postfix/Makefile.in

@@ -1,5 +1,5 @@
 SHELL	= /bin/sh
-WARN    = -Wmissing-prototypes -Wformat
+WARN    = -Wmissing-prototypes -Wformat -Wno-comment
 OPTS	= 'CC=$(CC)'
 DIRS	= src/util src/global src/dns src/tls src/xsasl src/milter src/master \
 	src/postfix src/fsstone src/smtpstone \

postfix/README_FILES/POSTSCREEN_README

@@ -18,17 +18,17 @@ by allowing whitelisted clients to skip tests, postscreen(8) minimizes its
 impact on legitimate email traffic.
 
 postscreen(8) should not be used on SMTP ports that receive mail from end-user
-clients (MUAs). In a typical deployment, postscreen(8) is used on the "port 25"
-service, while MUA clients submit mail via the submission service (port 587)
-which normally requires client authentication, or via a "port 25" server that
-provides no MX service (i.e. a dedicated server that provides submission
-service on port 25).
+clients (MUAs). In a typical deployment, postscreen(8) handles the MX service
+on TCP port 25, while MUA clients submit mail via the submission service on TCP
+port 587 which requires client authentication. Alternatively, a site could set
+up a dedicated, non-postscreen, "port 25" server that provides submission
+service and client authentication, but no MX service.
 
 postscreen(8) is part of a multi-layer defense.
 
   * As the first layer, postscreen(8) blocks connections from zombies and other
     spambots that are responsible for about 90% of all spam. It is implemented
-    as a single process to make this defense as cheap as possible.
+    as a single process to make this defense as inexpensive as possible.
 
   * The second layer implements more complex SMTP-level access checks with
     Postfix SMTP servers, policy daemons, and Milter applications.
@@ -415,11 +415,12 @@ in SMTP engine anyway. This is to make postscreen(8) logging more informative.
 
 When a client sends non-SMTP commands, postscreen(8) logs this as:
 
-    NNOONN--SSMMTTPP CCOOMMMMAANNDD ffrroomm [address]:port command
+    NNOONN--SSMMTTPP CCOOMMMMAANNDD ffrroomm [address]:port aafftteerr command: text
 
 Translation: the SMTP client at [address]:port sent a command that matches the
 postscreen_forbidden_commands parameter, or that has the syntax of a message
-header label.
+header label (text followed by optional space and ":"). The "aafftteerr command"
+portion is logged with Postfix 2.10 and later.
 
 The postscreen_non_smtp_command_action parameter specifies the action that is
 taken next. See "When tests fail after the 220 SMTP server greeting" below.
@@ -439,10 +440,11 @@ in SMTP engine anyway. This is to make postscreen(8) logging more informative.
 
 When a client sends bare newline characters, postscreen(8) logs this as:
 
-    BBAARREE NNEEWWLLIINNEE ffrroomm [address]:port
+    BBAARREE NNEEWWLLIINNEE ffrroomm [address]:port aafftteerr command
 
 Translation: the SMTP client at [address]:port sent a bare newline character,
-that is newline not preceded by carriage return.
+that is newline not preceded by carriage return. The "aafftteerr command" portion is
+logged with Postfix 2.10 and later.
 
 The postscreen_bare_newline_action parameter specifies the action that is taken
 next. See "When tests fail after the 220 SMTP server greeting" below.
@@ -484,23 +486,26 @@ The following errors are reported by the built-in SMTP engine. This engine
 never accepts mail, therefore it has per-session limits on the number of
 commands and on the session length.
 
-    CCOOMMMMAANNDD TTIIMMEE LLIIMMIITT ffrroomm [address]:port
+    CCOOMMMMAANNDD TTIIMMEE LLIIMMIITT ffrroomm [address]:port aafftteerr command
 
 Translation: the SMTP client at [address]:port reached the per-command time
 limit as specified with the postscreen_command_time_limit parameter. The
-session is terminated immediately.
+session is terminated immediately. The "aafftteerr command" portion is logged with
+Postfix 2.10 and later.
 
-    CCOOMMMMAANNDD CCOOUUNNTT LLIIMMIITT ffrroomm [address]:port
+    CCOOMMMMAANNDD CCOOUUNNTT LLIIMMIITT ffrroomm [address]:port aafftteerr command
 
 Translation: the SMTP client at [address]:port reached the per-session command
 count limit as specified with the postscreen_command_count_limit parameter. The
-session is terminated immediately.
+session is terminated immediately. The "aafftteerr command" portion is logged with
+Postfix 2.10 and later.
 
-    CCOOMMMMAANNDD LLEENNGGTTHH LLIIMMIITT ffrroomm [address]:port
+    CCOOMMMMAANNDD LLEENNGGTTHH LLIIMMIITT ffrroomm [address]:port aafftteerr command
 
 Translation: the SMTP client at [address]:port reached the per-command length
 limit, as specified with the line_length_limit parameter. The session is
-terminated immediately.
+terminated immediately. The "aafftteerr command" portion is logged with Postfix 2.10
+and later.
 
 When an SMTP client makes too many connections at the same time, or when all
 postscreen(8) ports are busy, postscreen(8) rejects the connection with a 421

postfix/README_FILES/SASL_README

@@ -55,7 +55,8 @@ different steps:
     addresses the client may use.
 
 Successful authentication in the Postfix SMTP server requires a functional SASL
-framework. Configuring SASL should therefore always be the first step.
+framework. Configuring SASL should therefore always be the first step, before
+configuring Postfix.
 
 You can read more about the following topics:
 

postfix/README_FILES/TLS_README

@@ -147,7 +147,7 @@ Their DSA counterparts:
         smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
         smtpd_tls_dkey_file = $smtpd_tls_dcert_file
 
-Their ECDSA counterparts (Postfix >= 2.6 + OpenSSL >= 0.9.9):
+Their ECDSA counterparts (Postfix >= 2.6 + OpenSSL >= 1.0.0):
 
     /etc/postfix/main.cf:
         # Most clients will not be ECDSA capable, so you will likely also need
@@ -540,7 +540,7 @@ To generate your own set of DH parameters, use:
     % ooppeennssssll ggeennddhh --oouutt //eettcc//ppoossttffiixx//ddhh__11002244..ppeemm --22 11002244
 
 Support for elliptic curve cryptography is available with Postfix 2.6 and
-OpenSSL 0.9.9 or later. To enable ephemeral elliptic curve Diffie-Hellman
+OpenSSL 1.0.0 or later. To enable ephemeral elliptic curve Diffie-Hellman
 (EECDH) key-exchange, set "smtpd_tls_eecdh_grade = strong" or
 "smtpd_tls_eecdh_grade = ultra". The "ultra" setting is substantially more CPU
 intensive, and "strong" is sufficiently secure for most situations.
@@ -1085,7 +1085,7 @@ Their DSA counterparts:
         smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
         smtp_tls_dkey_file = $smtp_tls_dcert_file
 
-Their ECDSA counterparts (Postfix >= 2.6 + OpenSSL >= 0.9.9):
+Their ECDSA counterparts (Postfix >= 2.6 + OpenSSL >= 1.0.0):
 
     /etc/postfix/main.cf:
         smtp_tls_eccert_file = /etc/postfix/client-ecdsa.pem

postfix/RELEASE_NOTES

@@ -14,6 +14,20 @@ specifies the release date of a stable release or snapshot release.
 If you upgrade from Postfix 2.8 or earlier, read RELEASE_NOTES-2.9
 before proceeding.
 
+Incompatible changes with snapshot 20121123
+===========================================
+
+The postscreen deep protocol tests now log the last command before
+a protocol error ("UNIMPLEMENTED" when the last command is not
+implemented, "CONNECT" when there was no prior command). The
+changed logfile messages are:
+
+NON-SMTP COMMAND from [address]:port after command: text
+BARE NEWLINE from [address]:port after command
+COMMAND TIME LIMIT from [address]:port after command
+COMMAND COUNT LIMIT from [address]:port after command
+COMMAND LENGTH LIMIT from [address]:port after command
+
 Incompatible changes with snapshot 20121007
 ===========================================
 

postfix/WISHLIST

@@ -11,6 +11,10 @@ Wish list:
 	Don't forget Apple's code donation for fetching mail from
 	IMAP server.
 
+	smtpd_muble_restrictions rule names are case-insensitive.
+	restriction_classes values are case-sensitive but should
+	be case-insensitive for consistency with smtpd_muble_restrictions.
+
 	Make "rename" the default when postmapping a DB file
 	(later: use copy+rename for postmap -i, postmap -d).
 

postfix/html/POSTSCREEN_README.html

@@ -35,11 +35,11 @@ pass its tests; by allowing whitelisted clients to skip tests,
 
 <p> <a href="postscreen.8.html">postscreen(8)</a> should not be used on SMTP ports that receive
 mail from end-user clients (MUAs). In a typical deployment,
-<a href="postscreen.8.html">postscreen(8)</a> is used on the "port 25" service, while MUA clients
-submit mail via the submission service (port 587) which normally
-requires client authentication, or via a "port 25" server that
-provides no MX service (i.e. a dedicated server that provides
-submission service on port 25). </p>
+<a href="postscreen.8.html">postscreen(8)</a> handles the MX service on TCP port 25, while MUA
+clients submit mail via the submission service on TCP port 587 which
+requires client authentication. Alternatively, a site could set up
+a dedicated, non-postscreen, "port 25" server that provides submission
+service and client authentication, but no MX service.  </p>
 
 <p> <a href="postscreen.8.html">postscreen(8)</a> is part of a multi-layer defense. <p>
 
@@ -48,11 +48,12 @@ submission service on port 25). </p>
 <li> <p> As the first layer, <a href="postscreen.8.html">postscreen(8)</a> blocks connections from
 zombies and other spambots that are responsible for about 90% of
 all spam.  It is implemented as a single process to make this defense
-as cheap as possible. </p>
+as inexpensive as possible. </p>
 
 <li> <p> The second layer implements more complex SMTP-level access
-checks with Postfix SMTP servers, policy daemons, and Milter
-applications. </p>
+checks with <a href="SMTPD_ACCESS_README.html">Postfix SMTP servers</a>, 
+<a href="SMTPD_POLICY_README.html">policy daemons</a>, and 
+<a href="MILTER_README.html">Milter applications</a>. </p>
 
 <li> <p> The third layer performs light-weight content inspection
 with the Postfix built-in <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>. This can
@@ -60,8 +61,10 @@ block unacceptable attachments such as executable programs, and
 worms or viruses with easy-to-recognize signatures. </p>
 
 <li> <p> The fourth layer provides heavy-weight content inspection
-with external content filters. Typical examples are Amavisd-new,
-SpamAssassin, and Milter applications. </p>
+with external content filters. Typical examples are <a
+href="http://www.ijs.si/software/amavisd/">Amavisd-new</a>, <a
+href="http://spamassassin.apache.org/">SpamAssassin</a>, and <a
+href="MILTER_README.html">Milter applications</a>. </p>
 
 </ul>
 
@@ -562,12 +565,15 @@ logging more informative.  </p>
 as: </p>
 
 <pre>
-    <b>NON-SMTP COMMAND from</b> <i>[address]:port command</i>
+    <b>NON-SMTP COMMAND from</b> <i>[address]:port</i> <b>after</b> <i>command: text</i>
 </pre>
 
 <p> Translation: the SMTP client at <i>[address]:port</i> sent a
-<i>command</i> that matches the <a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbidden_commands</a>
-parameter, or that has the syntax of a message header label. </p>
+command that matches the <a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbidden_commands</a>
+parameter, or that has the syntax of a message header label (text 
+followed by optional space and ":").
+The "<tt><b>after</b> <i>command</i></tt>" portion is logged with
+Postfix 2.10 and later. </p>
 
 <p> The <a href="postconf.5.html#postscreen_non_smtp_command_action">postscreen_non_smtp_command_action</a> parameter specifies
 the action that is taken next.  See "<a href="#fail_after_220">When
@@ -594,12 +600,14 @@ this as:
 </p>
 
 <pre>
-    <b>BARE NEWLINE from</b> <i>[address]:port</i>
+    <b>BARE NEWLINE from</b> <i>[address]:port</i> <b>after</b> <i>command</i>
 </pre>
 
 <p> Translation: the SMTP client at <i>[address]:port</i> sent a bare
 newline character, that is newline not preceded by carriage
-return. </p>
+return.
+The "<tt><b>after</b> <i>command</i></tt>" portion is logged with
+Postfix 2.10 and later. </p>
 
 <p> The <a href="postconf.5.html#postscreen_bare_newline_action">postscreen_bare_newline_action</a> parameter specifies the
 action that is taken next.  See "<a href="#fail_after_220">When
@@ -676,29 +684,35 @@ This engine never accepts mail, therefore it has per-session limits
 on the number of commands and on the session length. </p>
 
 <pre>
-    <b>COMMAND TIME LIMIT</b> <b>from</b> <i>[address]:port</i>
+    <b>COMMAND TIME LIMIT</b> <b>from</b> <i>[address]:port</i> <b>after</b> <i>command</i>
 </pre>
 
 <p> Translation: the SMTP client at <i>[address]:port</i> reached the
 per-command time limit as specified with the <a href="postconf.5.html#postscreen_command_time_limit">postscreen_command_time_limit</a>
-parameter.  The session is terminated immediately. </p>
+parameter.  The session is terminated immediately.
+The "<tt><b>after</b> <i>command</i></tt>" portion is logged with
+Postfix 2.10 and later. </p>
 
 <pre>
-    <b>COMMAND COUNT LIMIT from</b> <i>[address]:port</i>
+    <b>COMMAND COUNT LIMIT from</b> <i>[address]:port</i> <b>after</b> <i>command</i>
 </pre>
 
 <p> Translation: the SMTP client at <i>[address]:port</i> reached the
 per-session command count limit as specified with the
 <a href="postconf.5.html#postscreen_command_count_limit">postscreen_command_count_limit</a> parameter.  The session is terminated
-immediately. </p>
+immediately.
+The "<tt><b>after</b> <i>command</i></tt>" portion is logged with
+Postfix 2.10 and later. </p>
 
 <pre>
-    <b>COMMAND LENGTH LIMIT from</b> <i>[address]:port</i>
+    <b>COMMAND LENGTH LIMIT from</b> <i>[address]:port</i> <b>after</b> <i>command</i>
 </pre>
 
 <p> Translation: the SMTP client at <i>[address]:port</i> reached the
 per-command length limit, as specified with the <a href="postconf.5.html#line_length_limit">line_length_limit</a>
-parameter.  The session is terminated immediately. </p>
+parameter.  The session is terminated immediately.
+The "<tt><b>after</b> <i>command</i></tt>" portion is logged with
+Postfix 2.10 and later. </p>
 
 <p> When an SMTP client makes too many connections at the same time,
 or when all <a href="postscreen.8.html">postscreen(8)</a> ports are busy, <a href="postscreen.8.html">postscreen(8)</a> rejects the

postfix/html/SASL_README.html

@@ -87,7 +87,7 @@ what envelope sender addresses the client may use. </p> </li>
 
 <p> Successful authentication in the Postfix SMTP server requires
 a functional SASL framework. Configuring SASL should therefore
-always be the first step. </p>
+always be the first step, before configuring Postfix. </p>
 
 <p> You can read more about the following topics: </p>
 

postfix/html/TLS_README.html

@@ -245,7 +245,7 @@ $<a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> or install it i
 </pre>  
 </blockquote>
 
-<p> Their ECDSA counterparts (Postfix &ge; 2.6 + OpenSSL &ge; 0.9.9): </p>
+<p> Their ECDSA counterparts (Postfix &ge; 2.6 + OpenSSL &ge; 1.0.0): </p>
 
 <blockquote>
 <pre>
@@ -773,7 +773,7 @@ settings. </p>
 </blockquote>
 
 <p> Support for elliptic curve cryptography is available with Postfix
-2.6 and OpenSSL 0.9.9 or later.  To enable ephemeral elliptic curve
+2.6 and OpenSSL 1.0.0 or later.  To enable ephemeral elliptic curve
 Diffie-Hellman (EECDH) key-exchange, set "<a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a> =
 strong" or "<a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a> = ultra". The "ultra" setting is
 substantially more CPU intensive, and "strong" is sufficiently
@@ -1474,7 +1474,7 @@ $<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> or install it in
 </pre>  
 </blockquote>
 
-<p> Their ECDSA counterparts (Postfix &ge; 2.6 + OpenSSL &ge; 0.9.9): </p>
+<p> Their ECDSA counterparts (Postfix &ge; 2.6 + OpenSSL &ge; 1.0.0): </p>
 
 <blockquote>
 <pre>

postfix/html/memcache_table.5.html

@@ -69,18 +69,25 @@ MEMCACHE_TABLE(5)                                            MEMCACHE_TABLE(5)
               Access to remote proxymap servers is under develop-
               ment.
 
-              NOTE  1: When using memcache with persistent backup
-              as <a href="postscreen.8.html"><b>postscreen</b>(8)</a> or <a href="verify.8.html"><b>verify</b>(8)</a> cache, disable  auto-
-              matic  cache cleanup (*_cache_cleanup_interval = 0)
-              in all Postfix instances except  for  one  instance
-              that will be responsible for cache cleanup.
+              NOTE  1: When sharing a persistent <a href="postscreen.8.html"><b>postscreen</b>(8)</a> or
+              <a href="verify.8.html"><b>verify</b>(8)</a> cache, disable  automatic  cache  cleanup
+              (set  *_cache_cleanup_interval = 0) except with one
+              Postfix instance that will be responsible for cache
+              cleanup.
 
-              NOTE  2:  In the case of a proxied backup database,
-              the  full  backup  database  name  (including   the
-              "<a href="proxymap.8.html">proxy</a>:"  prefix) must be specified in the proxymap
-              server's <a href="postconf.5.html#proxy_read_maps">proxy_read_maps</a> or  <a href="postconf.5.html#proxy_write_maps">proxy_write_maps</a>  set-
-              ting  (depending on whether the access is read-only
-              or read-write).
+              NOTE  2:  When different tables share the same mem-
+              cache database, each table should use the  <b>key_for-</b>
+              <b>mat</b>  feature  (see below) to prepend its own unique
+              string to the  lookup  key.   Otherwise,  automatic
+              <a href="postscreen.8.html"><b>postscreen</b>(8)</a>  or  <a href="verify.8.html"><b>verify</b>(8)</a>  cache cleanup may not
+              work.
+
+              NOTE 3: When the backup database is  accessed  with
+              "<a href="proxymap.8.html">proxy</a>:"  lookups,  the  full  backup database name
+              (including the "<a href="proxymap.8.html">proxy</a>:" prefix) must  be  specified
+              in   the   proxymap   server's  <a href="postconf.5.html#proxy_read_maps">proxy_read_maps</a>  or
+              <a href="postconf.5.html#proxy_write_maps">proxy_write_maps</a> setting (depending on whether  the
+              access is read-only or read-write).
 
        <b>flags (default: 0)</b>
               Optional  flags  that should be stored along with a
@@ -110,16 +117,20 @@ MEMCACHE_TABLE(5)                                            MEMCACHE_TABLE(5)
               lookup  and update keys that are given to the Post-
               fix memcache client.
 
-              NOTE: The <b>key_format</b> feature is not used for <b>backup</b>
-              database requests.
+              NOTE 1: The <b>key_format</b>  feature  is  not  used  for
+              <b>backup</b> database requests.
 
-              When the same memcache database is  used  to  cache
-              information  from  multiple tables, you can use the
-              <b>key_format</b> feature  to  avoid  name  collisions  by
-              prepending a fixed string.  Examples:
+              NOTE  2:  When different tables share the same mem-
+              cache database, each table should prepend  its  own
+              unique  string to the lookup key.  Otherwise, auto-
+              matic <a href="postscreen.8.html"><b>postscreen</b>(8)</a> or <a href="verify.8.html"><b>verify</b>(8)</a> cache cleanup  may
+              not work.
+
+              Examples:
 
                   key_format = aliases:%s
-                  key_format = access:%s
+                  key_format = verify:%s
+                  key_format = postscreen:%s
 
               The <b>key_format</b> parameter supports the following '%'
               expansions:

postfix/makedefs

@@ -454,6 +454,7 @@ ReliantUNIX-?.5.43) SYSTYPE=ReliantUnix543
     Darwin.*)   SYSTYPE=MACOSX
 		# Use the native compiler by default
 		: ${CC=cc}
+		CCARGS="$CCARGS \$(WARN)"
 		# Darwin > 1.3 uses awk and flat_namespace
 		case $RELEASE in
 		 1.[0-3]) AWK=gawk;;

postfix/man/man5/memcache_table.5

@@ -74,18 +74,22 @@ information in the persistent database. Specify a Postfix
 
 Access to remote proxymap servers is under development.
 
-NOTE 1: When using memcache with persistent backup as
-\fBpostscreen\fR(8) or \fBverify\fR(8) cache, disable
-automatic cache cleanup (*_cache_cleanup_interval = 0) in
-all Postfix instances except for one instance that will be
-responsible for cache cleanup.
+NOTE 1: When sharing a persistent \fBpostscreen\fR(8) or
+\fBverify\fR(8) cache, disable automatic cache cleanup (set
+*_cache_cleanup_interval = 0) except with one Postfix
+instance that will be responsible for cache cleanup.
 
-NOTE 2: In the case of a proxied backup database, the full
-backup database
-name (including the "proxy:" prefix) must be specified in
-the proxymap server's proxy_read_maps or proxy_write_maps
-setting (depending on whether the access is read-only or
-read-write).
+NOTE 2: When different tables share the same memcache
+database, each table should use the \fBkey_format\fR feature
+(see below) to prepend its own unique string to the lookup
+key.  Otherwise, automatic \fBpostscreen\fR(8) or \fBverify\fR(8)
+cache cleanup may not work.
+
+NOTE 3: When the backup database is accessed with "proxy:"
+lookups, the full backup database name (including the
+"proxy:" prefix) must be specified in the proxymap server's
+proxy_read_maps or proxy_write_maps setting (depending on
+whether the access is read-only or read-write).
 .IP "\fBflags (default: 0)\fR"
 Optional flags that should be stored along with a memcache
 update. The flags are ignored when looking up information.
@@ -113,17 +117,20 @@ Format of the lookup and update keys in memcache requests.
 By default, these are the same as the lookup and update
 keys that are given to the Postfix memcache client.
 
-NOTE: The \fBkey_format\fR feature is not used for \fBbackup\fR
+NOTE 1: The \fBkey_format\fR feature is not used for \fBbackup\fR
 database requests.
 
-When the same memcache database is used to cache information
-from multiple tables, you can use the \fBkey_format\fR
-feature to avoid name collisions by prepending a fixed
-string.  Examples:
+NOTE 2: When different tables share the same memcache
+database, each table should prepend its own unique string
+to the lookup key.  Otherwise, automatic \fBpostscreen\fR(8)
+or \fBverify\fR(8) cache cleanup may not work.
+
+Examples:
 
 .nf
     key_format = aliases:%s
-    key_format = access:%s
+    key_format = verify:%s
+    key_format = postscreen:%s
 .fi
 
 The \fBkey_format\fR parameter supports the following '%'

postfix/proto/POSTSCREEN_README.html

@@ -35,11 +35,11 @@ postscreen(8) minimizes its impact on legitimate email traffic.
 
 <p> postscreen(8) should not be used on SMTP ports that receive
 mail from end-user clients (MUAs). In a typical deployment,
-postscreen(8) is used on the "port 25" service, while MUA clients
-submit mail via the submission service (port 587) which normally
-requires client authentication, or via a "port 25" server that
-provides no MX service (i.e. a dedicated server that provides
-submission service on port 25). </p>
+postscreen(8) handles the MX service on TCP port 25, while MUA
+clients submit mail via the submission service on TCP port 587 which
+requires client authentication. Alternatively, a site could set up
+a dedicated, non-postscreen, "port 25" server that provides submission
+service and client authentication, but no MX service.  </p>
 
 <p> postscreen(8) is part of a multi-layer defense. <p>
 
@@ -48,11 +48,12 @@ submission service on port 25). </p>
 <li> <p> As the first layer, postscreen(8) blocks connections from
 zombies and other spambots that are responsible for about 90% of
 all spam.  It is implemented as a single process to make this defense
-as cheap as possible. </p>
+as inexpensive as possible. </p>
 
 <li> <p> The second layer implements more complex SMTP-level access
-checks with Postfix SMTP servers, policy daemons, and Milter
-applications. </p>
+checks with <a href="SMTPD_ACCESS_README.html">Postfix SMTP servers</a>, 
+<a href="SMTPD_POLICY_README.html">policy daemons</a>, and 
+<a href="MILTER_README.html">Milter applications</a>. </p>
 
 <li> <p> The third layer performs light-weight content inspection
 with the Postfix built-in header_checks and body_checks. This can
@@ -60,8 +61,10 @@ block unacceptable attachments such as executable programs, and
 worms or viruses with easy-to-recognize signatures. </p>
 
 <li> <p> The fourth layer provides heavy-weight content inspection
-with external content filters. Typical examples are Amavisd-new,
-SpamAssassin, and Milter applications. </p>
+with external content filters. Typical examples are <a
+href="http://www.ijs.si/software/amavisd/">Amavisd-new</a>, <a
+href="http://spamassassin.apache.org/">SpamAssassin</a>, and <a
+href="MILTER_README.html">Milter applications</a>. </p>
 
 </ul>
 
@@ -562,12 +565,15 @@ logging more informative.  </p>
 as: </p>
 
 <pre>
-    <b>NON-SMTP COMMAND from</b> <i>[address]:port command</i>
+    <b>NON-SMTP COMMAND from</b> <i>[address]:port</i> <b>after</b> <i>command: text</i>
 </pre>
 
 <p> Translation: the SMTP client at <i>[address]:port</i> sent a
-<i>command</i> that matches the postscreen_forbidden_commands
-parameter, or that has the syntax of a message header label. </p>
+command that matches the postscreen_forbidden_commands
+parameter, or that has the syntax of a message header label (text 
+followed by optional space and ":").
+The "<tt><b>after</b> <i>command</i></tt>" portion is logged with
+Postfix 2.10 and later. </p>
 
 <p> The postscreen_non_smtp_command_action parameter specifies
 the action that is taken next.  See "<a href="#fail_after_220">When
@@ -594,12 +600,14 @@ this as:
 </p>
 
 <pre>
-    <b>BARE NEWLINE from</b> <i>[address]:port</i>
+    <b>BARE NEWLINE from</b> <i>[address]:port</i> <b>after</b> <i>command</i>
 </pre>
 
 <p> Translation: the SMTP client at <i>[address]:port</i> sent a bare
 newline character, that is newline not preceded by carriage
-return. </p>
+return.
+The "<tt><b>after</b> <i>command</i></tt>" portion is logged with
+Postfix 2.10 and later. </p>
 
 <p> The postscreen_bare_newline_action parameter specifies the
 action that is taken next.  See "<a href="#fail_after_220">When
@@ -676,29 +684,35 @@ This engine never accepts mail, therefore it has per-session limits
 on the number of commands and on the session length. </p>
 
 <pre>
-    <b>COMMAND TIME LIMIT</b> <b>from</b> <i>[address]:port</i>
+    <b>COMMAND TIME LIMIT</b> <b>from</b> <i>[address]:port</i> <b>after</b> <i>command</i>
 </pre>
 
 <p> Translation: the SMTP client at <i>[address]:port</i> reached the
 per-command time limit as specified with the postscreen_command_time_limit
-parameter.  The session is terminated immediately. </p>
+parameter.  The session is terminated immediately.
+The "<tt><b>after</b> <i>command</i></tt>" portion is logged with
+Postfix 2.10 and later. </p>
 
 <pre>
-    <b>COMMAND COUNT LIMIT from</b> <i>[address]:port</i>
+    <b>COMMAND COUNT LIMIT from</b> <i>[address]:port</i> <b>after</b> <i>command</i>
 </pre>
 
 <p> Translation: the SMTP client at <i>[address]:port</i> reached the
 per-session command count limit as specified with the
 postscreen_command_count_limit parameter.  The session is terminated
-immediately. </p>
+immediately.
+The "<tt><b>after</b> <i>command</i></tt>" portion is logged with
+Postfix 2.10 and later. </p>
 
 <pre>
-    <b>COMMAND LENGTH LIMIT from</b> <i>[address]:port</i>
+    <b>COMMAND LENGTH LIMIT from</b> <i>[address]:port</i> <b>after</b> <i>command</i>
 </pre>
 
 <p> Translation: the SMTP client at <i>[address]:port</i> reached the
 per-command length limit, as specified with the line_length_limit
-parameter.  The session is terminated immediately. </p>
+parameter.  The session is terminated immediately.
+The "<tt><b>after</b> <i>command</i></tt>" portion is logged with
+Postfix 2.10 and later. </p>
 
 <p> When an SMTP client makes too many connections at the same time,
 or when all postscreen(8) ports are busy, postscreen(8) rejects the

postfix/proto/SASL_README.html

@@ -87,7 +87,7 @@ what envelope sender addresses the client may use. </p> </li>
 
 <p> Successful authentication in the Postfix SMTP server requires
 a functional SASL framework. Configuring SASL should therefore
-always be the first step. </p>
+always be the first step, before configuring Postfix. </p>
 
 <p> You can read more about the following topics: </p>
 

postfix/proto/TLS_README.html

@@ -245,7 +245,7 @@ $smtpd_tls_CAfile or install it in the $smtpd_tls_CApath directory. </p>
 </pre>  
 </blockquote>
 
-<p> Their ECDSA counterparts (Postfix &ge; 2.6 + OpenSSL &ge; 0.9.9): </p>
+<p> Their ECDSA counterparts (Postfix &ge; 2.6 + OpenSSL &ge; 1.0.0): </p>
 
 <blockquote>
 <pre>
@@ -773,7 +773,7 @@ settings. </p>
 </blockquote>
 
 <p> Support for elliptic curve cryptography is available with Postfix
-2.6 and OpenSSL 0.9.9 or later.  To enable ephemeral elliptic curve
+2.6 and OpenSSL 1.0.0 or later.  To enable ephemeral elliptic curve
 Diffie-Hellman (EECDH) key-exchange, set "smtpd_tls_eecdh_grade =
 strong" or "smtpd_tls_eecdh_grade = ultra". The "ultra" setting is
 substantially more CPU intensive, and "strong" is sufficiently
@@ -1474,7 +1474,7 @@ $smtp_tls_CAfile or install it in the $smtp_tls_CApath directory. </p>
 </pre>  
 </blockquote>
 
-<p> Their ECDSA counterparts (Postfix &ge; 2.6 + OpenSSL &ge; 0.9.9): </p>
+<p> Their ECDSA counterparts (Postfix &ge; 2.6 + OpenSSL &ge; 1.0.0): </p>
 
 <blockquote>
 <pre>

postfix/proto/memcache_table

@@ -66,18 +66,22 @@
 #
 #	Access to remote proxymap servers is under development.
 #
-#	NOTE 1: When using memcache with persistent backup as
-#	\fBpostscreen\fR(8) or \fBverify\fR(8) cache, disable
-#	automatic cache cleanup (*_cache_cleanup_interval = 0) in
-#	all Postfix instances except for one instance that will be
-#	responsible for cache cleanup.
+#	NOTE 1: When sharing a persistent \fBpostscreen\fR(8) or
+#	\fBverify\fR(8) cache, disable automatic cache cleanup (set
+#	*_cache_cleanup_interval = 0) except with one Postfix
+#	instance that will be responsible for cache cleanup.
 #
-#	NOTE 2: In the case of a proxied backup database, the full
-#	backup database
-#	name (including the "proxy:" prefix) must be specified in
-#	the proxymap server's proxy_read_maps or proxy_write_maps
-#	setting (depending on whether the access is read-only or
-#	read-write).
+#	NOTE 2: When different tables share the same memcache
+#	database, each table should use the \fBkey_format\fR feature
+#	(see below) to prepend its own unique string to the lookup
+#	key.  Otherwise, automatic \fBpostscreen\fR(8) or \fBverify\fR(8)
+#	cache cleanup may not work.
+#
+#	NOTE 3: When the backup database is accessed with "proxy:"
+#	lookups, the full backup database name (including the
+#	"proxy:" prefix) must be specified in the proxymap server's
+#	proxy_read_maps or proxy_write_maps setting (depending on
+#	whether the access is read-only or read-write).
 # .IP "\fBflags (default: 0)\fR"
 #	Optional flags that should be stored along with a memcache
 #	update. The flags are ignored when looking up information.
@@ -103,17 +107,20 @@
 #	By default, these are the same as the lookup and update
 #	keys that are given to the Postfix memcache client.
 #
-#	NOTE: The \fBkey_format\fR feature is not used for \fBbackup\fR
+#	NOTE 1: The \fBkey_format\fR feature is not used for \fBbackup\fR
 #	database requests.
 #
-#	When the same memcache database is used to cache information
-#	from multiple tables, you can use the \fBkey_format\fR
-#	feature to avoid name collisions by prepending a fixed
-#	string.  Examples:
+#	NOTE 2: When different tables share the same memcache
+#	database, each table should prepend its own unique string
+#	to the lookup key.  Otherwise, automatic \fBpostscreen\fR(8)
+#	or \fBverify\fR(8) cache cleanup may not work.
+#
+#	Examples:
 #
 # .nf
 #	    key_format = aliases:%s
-#	    key_format = access:%s
+#	    key_format = verify:%s
+#	    key_format = postscreen:%s
 # .fi
 #
 #	The \fBkey_format\fR parameter supports the following '%'

postfix/src/global/mail_version.h

@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20121031"
+#define MAIL_RELEASE_DATE	"20121123"
 #define MAIL_VERSION_NUMBER	"2.10"
 
 #ifdef SNAPSHOT

postfix/src/postscreen/postscreen.h

@@ -73,6 +73,7 @@ typedef struct {
     /* smtpd(8) compatibility */
     int     ehlo_discard_mask;		/* EHLO filter */
     VSTRING *expand_buf;		/* macro expansion */
+    const char *where;			/* SMTP protocol state */
 } PSC_STATE;
 
 #define PSC_TIME_STAMP_NEW		(0)	/* test was never passed */
@@ -210,6 +211,13 @@ typedef struct {
 #define PSC_STATE_MASK_ANY_UPDATE \
 	(PSC_STATE_MASK_ANY_PASS | PSC_STATE_FLAG_PENAL_UPDATE)
 
+ /*
+  * Meta-commands for state->where that reflect the initial command processor
+  * state and commands that aren't implemented.
+  */
+#define PSC_SMTPD_CMD_CONNECT		"CONNECT"
+#define PSC_SMTPD_CMD_UNIMPL		"UNIMPLEMENTED"
+
  /*
   * See log_adhoc.c for discussion.
   */

postfix/src/postscreen/postscreen_smtpd.c

@@ -224,6 +224,15 @@ static void psc_smtpd_read_event(int, char *);
     PSC_CLEAR_EVENT_REQUEST(vstream_fileno((state)->smtp_client_stream), \
 			   psc_smtpd_time_event, (char *) (state));
 
+ /*
+  * Make control characters and other non-text visible.
+  */
+#define PSC_SMTPD_ESCAPE_TEXT(dest, src, src_len, max_len) do { \
+	ssize_t _s_len = (src_len); \
+	ssize_t _m_len = (max_len); \
+	(void) escape((dest), (src), _s_len < _m_len ? _s_len : _m_len); \
+    } while (0)
+
  /*
   * Command parser support.
   */
@@ -664,7 +673,8 @@ static void psc_smtpd_time_event(int event, char *context)
 		 state->smtp_client_addr, state->smtp_client_port,
 		 psc_print_state_flags(state->flags, myname));
 
-    msg_info("COMMAND TIME LIMIT from [%s]:%s", PSC_CLIENT_ADDR_PORT(state));
+    msg_info("COMMAND TIME LIMIT from [%s]:%s after %s",
+	     PSC_CLIENT_ADDR_PORT(state), state->where);
     PSC_CLEAR_EVENT_DROP_SESSION_STATE(state, psc_smtpd_time_event,
 				       psc_smtpd_timeout_reply);
 }
@@ -715,6 +725,7 @@ static void psc_smtpd_read_event(int event, char *context)
 	int     want;
 	int     next_state;
     };
+    const char *saved_where;
 
 #define PSC_SMTPD_CMD_ST_ANY		0
 #define PSC_SMTPD_CMD_ST_CR		1
@@ -778,8 +789,8 @@ static void psc_smtpd_read_event(int event, char *context)
 	     */
 	    if (state->read_state == PSC_SMTPD_CMD_ST_ANY
 		&& VSTRING_LEN(state->cmd_buffer) >= var_line_limit) {
-		msg_info("COMMAND LENGTH LIMIT from [%s]:%s",
-			 PSC_CLIENT_ADDR_PORT(state));
+		msg_info("COMMAND LENGTH LIMIT from [%s]:%s after %s",
+			 PSC_CLIENT_ADDR_PORT(state), state->where);
 		PSC_CLEAR_EVENT_DROP_SESSION_STATE(state, psc_smtpd_time_event,
 						   psc_smtpd_421_reply);
 		return;
@@ -815,8 +826,10 @@ static void psc_smtpd_read_event(int event, char *context)
 	    if (ch == '\n') {
 		if ((state->flags & PSC_STATE_MASK_BARLF_TODO_SKIP)
 		    == PSC_STATE_FLAG_BARLF_TODO) {
-		    msg_info("BARE NEWLINE from [%s]:%s",
-			     PSC_CLIENT_ADDR_PORT(state));
+		    PSC_SMTPD_ESCAPE_TEXT(psc_temp, STR(state->cmd_buffer),
+				   VSTRING_LEN(state->cmd_buffer) - 1, 100);
+		    msg_info("BARE NEWLINE from [%s]:%s after %s",
+			     PSC_CLIENT_ADDR_PORT(state), STR(psc_temp));
 		    PSC_FAIL_SESSION_STATE(state, PSC_STATE_FLAG_BARLF_FAIL);
 		    PSC_UNPASS_SESSION_STATE(state, PSC_STATE_FLAG_BARLF_PASS);
 		    state->barlf_stamp = PSC_TIME_STAMP_DISABLED;	/* XXX */
@@ -914,9 +927,14 @@ static void psc_smtpd_read_event(int event, char *context)
 	 * 
 	 * Caution: cmdp->name and cmdp->action may be null on loop exit.
 	 */
-	for (cmdp = command_table; cmdp->name != 0; cmdp++)
-	    if (strcasecmp(command, cmdp->name) == 0)
+	saved_where = state->where;
+	state->where = PSC_SMTPD_CMD_UNIMPL;
+	for (cmdp = command_table; cmdp->name != 0; cmdp++) {
+	    if (strcasecmp(command, cmdp->name) == 0) {
+		state->where = cmdp->name;
 		break;
+	    }
+	}
 
 	if ((state->flags & PSC_STATE_FLAG_SMTPD_X21)
 	    && cmdp->action != psc_quit_cmd) {
@@ -932,8 +950,11 @@ static void psc_smtpd_read_event(int event, char *context)
 		|| (*var_psc_forbid_cmds
 		    && string_list_match(psc_forbid_cmds, command)))) {
 	    printable(command, '?');
-	    msg_info("NON-SMTP COMMAND from [%s]:%s %.100s %.100s",
-		     PSC_CLIENT_ADDR_PORT(state), command, cmd_buffer_ptr);
+	    PSC_SMTPD_ESCAPE_TEXT(psc_temp, cmd_buffer_ptr,
+				  strlen(cmd_buffer_ptr), 100);
+	    msg_info("NON-SMTP COMMAND from [%s]:%s after %s: %.100s %s",
+		     PSC_CLIENT_ADDR_PORT(state), saved_where,
+		     command, STR(psc_temp));
 	    PSC_FAIL_SESSION_STATE(state, PSC_STATE_FLAG_NSMTP_FAIL);
 	    PSC_UNPASS_SESSION_STATE(state, PSC_STATE_FLAG_NSMTP_PASS);
 	    state->nsmtp_stamp = PSC_TIME_STAMP_DISABLED;	/* XXX */
@@ -967,9 +988,8 @@ static void psc_smtpd_read_event(int event, char *context)
 	if ((state->flags & PSC_STATE_MASK_PIPEL_TODO_SKIP)
 	    == PSC_STATE_FLAG_PIPEL_TODO && !PSC_SMTPD_BUFFER_EMPTY(state)) {
 	    printable(command, '?');
-	    escape(psc_temp, PSC_SMTPD_PEEK_DATA(state),
-		   PSC_SMTPD_PEEK_LEN(state) < 100 ?
-		   PSC_SMTPD_PEEK_LEN(state) : 100);
+	    PSC_SMTPD_ESCAPE_TEXT(psc_temp, PSC_SMTPD_PEEK_DATA(state),
+				  PSC_SMTPD_PEEK_LEN(state), 100);
 	    msg_info("COMMAND PIPELINING from [%s]:%s after %.100s: %s",
 		     PSC_CLIENT_ADDR_PORT(state), command, STR(psc_temp));
 	    PSC_FAIL_SESSION_STATE(state, PSC_STATE_FLAG_PIPEL_FAIL);
@@ -1033,8 +1053,8 @@ static void psc_smtpd_read_event(int event, char *context)
 	/* Command COUNT limit test. */
 	if (++state->command_count > var_psc_cmd_count
 	    && cmdp->action != psc_quit_cmd) {
-	    msg_info("COMMAND COUNT LIMIT from [%s]:%s",
-		     PSC_CLIENT_ADDR_PORT(state));
+	    msg_info("COMMAND COUNT LIMIT from [%s]:%s after %s",
+		     PSC_CLIENT_ADDR_PORT(state), saved_where);
 	    PSC_CLEAR_EVENT_DROP_SESSION_STATE(state, psc_smtpd_time_event,
 					       psc_smtpd_421_reply);
 	    return;

postfix/src/postscreen/postscreen_state.c

@@ -173,6 +173,7 @@ PSC_STATE *psc_new_session_state(VSTREAM *stream,
     state->read_state = 0;
     state->ehlo_discard_mask = 0;		/* XXX Should be ~0 */
     state->expand_buf = 0;
+    state->where = PSC_SMTPD_CMD_CONNECT;
 
     /*
      * Update the stress level.

postfix/src/qmqpd/qmqpd.c

@@ -473,7 +473,7 @@ static void qmqpd_write_content(QMQPD_STATE *state)
 	if (first) {
 	    if (strncmp(start + strspn(start, ">"), "From ", 5) == 0) {
 		rec_fprintf(state->cleanup, rec_type,
-			    "X-Mailbox-Line: %*s", len, start);
+			    "X-Mailbox-Line: %.*s", len, start);
 		continue;
 	    }
 	    first = 0;

postfix/src/smtpd/smtpd_check.c

@@ -518,13 +518,20 @@ static int has_required(ARGV *restrictions, const char **required)
      * Recursively check list membership.
      */
     for (rest = restrictions->argv; *rest; rest++) {
-	if (strcmp(*rest, WARN_IF_REJECT) == 0 && rest[1] != 0) {
+	if (strcasecmp(*rest, WARN_IF_REJECT) == 0 && rest[1] != 0) {
 	    rest += 1;
 	    continue;
 	}
+	if (strcasecmp(*rest, PERMIT_ALL) == 0) {
+	    if (rest[1] != 0)
+		msg_warn("restriction `%s' after `%s' is ignored",
+			 rest[1], rest[0]);
+	    return (0);
+	}
 	for (reqd = required; *reqd; reqd++)
-	    if (strcmp(*rest, *reqd) == 0)
+	    if (strcasecmp(*rest, *reqd) == 0)
 		return (1);
+	/* XXX This lookup operation should not be case-sensitive. */
 	if ((expansion = (ARGV *) htable_find(smtpd_rest_classes, *rest)) != 0)
 	    if (has_required(expansion, required))
 		return (1);
@@ -684,6 +691,7 @@ void    smtpd_check_init(void)
 	while ((name = mystrtok(&cp, RESTRICTION_SEPARATORS)) != 0) {
 	    if ((value = mail_conf_lookup_eval(name)) == 0 || *value == 0)
 		msg_fatal("restriction class `%s' needs a definition", name);
+	    /* XXX This store operation should not be case-sensitive. */
 	    htable_enter(smtpd_rest_classes, name,
 			 (char *) smtpd_check_parse(SMTPD_CHECK_PARSE_ALL,
 						    value));