postfix-2.2-20050210

postfix/HISTORY

@@ -10336,11 +10336,31 @@ Apologies for any names omitted.
 	Cleanup: documented the myorigin/mydomain address rewriting
 	in canonical, generics and virtual alias maps.
 
+20050210
+
+	Bugfix: spurious fallback_relay warnings after 20050202.
+	Victor Duchovni.  File: smtp/smtp_connect.c.
+
+	Bugfix: (introduced while adopting Postfix/TLS patch) the
+	TLS cache scan stopped after expiring one entry.  Victor
+	Duchovni.  File: tls/tls_scache.c.
+
+	Safety: delete-behind when removing expired entries from
+	TLS session caches. Some maps mis-behave when the current
+	entry is deleted. File: tls/tls_scache.c.
+
 Open problems:
 
 	Med: local and remote source port and IP address for smtpd
 	policy hook.
 
+	Med: should "generics" be "generic", for consistency with
+	"canonical" and "virtual".
+
+	Med: canonical/generic/virtual mapping always append
+	myorigin/mydomain and never remote_header_rewrite_domain;
+	this needs to be clear from documentation.
+
 	Med: disable address rewriting after XCLIENT? Introduce a
 	better concept of original submission?
 

postfix/README_FILES/SMTPD_POLICY_README

@@ -273,7 +273,7 @@ found at http://www.monkeys.com/anti-spam/filtering/sender-domain-validate.in.
      5         reject_unauth_destination
      6         check_sender_access hash:/etc/postfix/sender_access
      7         ...
-     8     restriction_classes = greylist
+     8     smtpd_restriction_classes = greylist
      9     greylist = check_policy_service unix:private/policy
     10
     11 /etc/postfix/sender_access:

postfix/conf/canonical

@@ -102,8 +102,11 @@
 #        o      When  the  result  has  the  form @otherdomain, the
 #               result becomes the same user in otherdomain.
 # 
-#        o      The  result  is   rewritten   as   specified   with
+#        o      When "append_at_myorigin=yes", append  "@$myorigin"
-#               append_at_myorigin or with append_dot_mydomain.
+#               to addresses without "@domain".
+# 
+#        o      When "append_dot_mydomain=yes", append ".$mydomain"
+#               to addresses without ".domain".
 # 
 # ADDRESS EXTENSION
 #        When a mail address localpart contains the optional recip-
@@ -181,14 +184,6 @@
 # 
 #        Other parameters of interest:
 # 
-#        append_at_myorigin
-#               Do or don't append "@$myorigin" to addresses  with-
-#               out domain.  This must be turned on in Postfix.
-# 
-#        append_dot_mydomain
-#               Do  or don't append ".$mydomain" to addresses with-
-#               out "." on the right-hand side of the @.
-# 
 #        inet_interfaces
 #               The  network  interface  addresses that this system
 #               receives mail on.  You need to stop and start Post-

postfix/conf/generics

@@ -89,8 +89,11 @@
 #        o      When the result  has  the  form  @otherdomain,  the
 #               result becomes the same user in otherdomain.
 # 
-#        o      The   result   is   rewritten   as  specified  with
+#        o      When  "append_at_myorigin=yes", append "@$myorigin"
-#               append_at_myorigin or with append_dot_mydomain.
+#               to addresses without "@domain".
+# 
+#        o      When "append_dot_mydomain=yes", append ".$mydomain"
+#               to addresses without ".domain".
 # 
 # ADDRESS EXTENSION
 #        When a mail address localpart contains the optional recip-
@@ -180,14 +183,6 @@
 # 
 #        Other parameters of interest:
 # 
-#        append_at_myorigin
-#               Do  or don't append "@$myorigin" to addresses with-
-#               out domain.  This must be turned on in Postfix.
-# 
-#        append_dot_mydomain
-#               Do or don't append ".$mydomain" to addresses  with-
-#               out "." on the right-hand side of the @.
-# 
 #        inet_interfaces
 #               The network interface addresses  that  this  system
 #               receives mail on.  You need to stop and start Post-

postfix/conf/virtual

@@ -103,8 +103,11 @@
 #               works only for the first address in a multi-address
 #               lookup result.
 # 
-#        o      The  result  is   rewritten   as   specified   with
+#        o      When "append_at_myorigin=yes", append  "@$myorigin"
-#               append_at_myorigin or with append_dot_mydomain.
+#               to addresses without "@domain".
+# 
+#        o      When "append_dot_mydomain=yes", append ".$mydomain"
+#               to addresses without ".domain".
 # 
 # ADDRESS EXTENSION
 #        When a mail address localpart contains the optional recip-
@@ -226,14 +229,6 @@
 # 
 #        Other parameters of interest:
 # 
-#        append_at_myorigin
-#               Do  or don't append "@$myorigin" to addresses with-
-#               out domain.  This must be turned on in Postfix.
-# 
-#        append_dot_mydomain
-#               Do or don't append ".$mydomain" to addresses  with-
-#               out "." on the right-hand side of the @.
-# 
 #        inet_interfaces
 #               The network interface addresses  that  this  system
 #               receives mail on.  You need to stop and start Post-

postfix/html/SMTPD_POLICY_README.html

@@ -386,7 +386,7 @@ forged MAIL FROM domains can be found at
  5         <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> 
  6         <a href="postconf.5.html#check_sender_access">check_sender_access</a> hash:/etc/postfix/sender_access
  7         ...
- 8     restriction_classes = greylist
+ 8     <a href="postconf.5.html#smtpd_restriction_classes">smtpd_restriction_classes</a> = greylist
  9     greylist = <a href="postconf.5.html#check_policy_service">check_policy_service</a> unix:private/policy
 10 
 11 /etc/postfix/sender_access:

postfix/html/canonical.5.html

@@ -108,8 +108,11 @@ CANONICAL(5)                                         CANONICAL(5)
        <b>o</b>      When  the  result  has  the  form @<i>otherdomain</i>, the
               result becomes the same <i>user</i> in <i>otherdomain</i>.
 
-       <b>o</b>      The  result  is   rewritten   as   specified   with
+       <b>o</b>      When "<b><a href="postconf.5.html#append_at_myorigin">append_at_myorigin</a>=yes</b>", append  "<b>@$<a href="postconf.5.html#myorigin">myorigin</a></b>"
-              <b><a href="postconf.5.html#append_at_myorigin">append_at_myorigin</a></b> or with <b><a href="postconf.5.html#append_dot_mydomain">append_dot_mydomain</a></b>.
+              to addresses without "@domain".
+
+       <b>o</b>      When "<b><a href="postconf.5.html#append_dot_mydomain">append_dot_mydomain</a>=yes</b>", append "<b>.$<a href="postconf.5.html#mydomain">mydomain</a></b>"
+              to addresses without ".domain".
 
 <b>ADDRESS EXTENSION</b>
        When a mail address localpart contains the optional recip-
@@ -187,14 +190,6 @@ CANONICAL(5)                                         CANONICAL(5)
 
        Other parameters of interest:
 
-       <b><a href="postconf.5.html#append_at_myorigin">append_at_myorigin</a></b>
-              Do or don't append "<b>@$<a href="postconf.5.html#myorigin">myorigin</a></b>" to addresses  with-
-              out domain.  This must be turned on in Postfix.
-
-       <b><a href="postconf.5.html#append_dot_mydomain">append_dot_mydomain</a></b>
-              Do  or don't append "<b>.$<a href="postconf.5.html#mydomain">mydomain</a></b>" to addresses with-
-              out "." on the right-hand side of the @.
-
        <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a></b>
               The  network  interface  addresses that this system
               receives mail on.  You need to stop and start Post-

postfix/html/generics.5.html

@@ -95,8 +95,11 @@ GENERICS(5)                                           GENERICS(5)
        <b>o</b>      When the result  has  the  form  @<i>otherdomain</i>,  the
               result becomes the same <i>user</i> in <i>otherdomain</i>.
 
-       <b>o</b>      The   result   is   rewritten   as  specified  with
+       <b>o</b>      When  "<b><a href="postconf.5.html#append_at_myorigin">append_at_myorigin</a>=yes</b>", append "<b>@$<a href="postconf.5.html#myorigin">myorigin</a></b>"
-              <b><a href="postconf.5.html#append_at_myorigin">append_at_myorigin</a></b> or with <b><a href="postconf.5.html#append_dot_mydomain">append_dot_mydomain</a></b>.
+              to addresses without "@domain".
+
+       <b>o</b>      When "<b><a href="postconf.5.html#append_dot_mydomain">append_dot_mydomain</a>=yes</b>", append "<b>.$<a href="postconf.5.html#mydomain">mydomain</a></b>"
+              to addresses without ".domain".
 
 <b>ADDRESS EXTENSION</b>
        When a mail address localpart contains the optional recip-
@@ -186,14 +189,6 @@ GENERICS(5)                                           GENERICS(5)
 
        Other parameters of interest:
 
-       <b><a href="postconf.5.html#append_at_myorigin">append_at_myorigin</a></b>
-              Do  or don't append "<b>@$<a href="postconf.5.html#myorigin">myorigin</a></b>" to addresses with-
-              out domain.  This must be turned on in Postfix.
-
-       <b><a href="postconf.5.html#append_dot_mydomain">append_dot_mydomain</a></b>
-              Do or don't append "<b>.$<a href="postconf.5.html#mydomain">mydomain</a></b>" to addresses  with-
-              out "." on the right-hand side of the @.
-
        <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a></b>
               The network interface addresses  that  this  system
               receives mail on.  You need to stop and start Post-

postfix/html/virtual.5.html

@@ -109,8 +109,11 @@ VIRTUAL(5)                                             VIRTUAL(5)
               works only for the first address in a multi-address
               lookup result.
 
-       <b>o</b>      The  result  is   rewritten   as   specified   with
+       <b>o</b>      When "<b><a href="postconf.5.html#append_at_myorigin">append_at_myorigin</a>=yes</b>", append  "<b>@$<a href="postconf.5.html#myorigin">myorigin</a></b>"
-              <b><a href="postconf.5.html#append_at_myorigin">append_at_myorigin</a></b> or with <b><a href="postconf.5.html#append_dot_mydomain">append_dot_mydomain</a></b>.
+              to addresses without "@domain".
+
+       <b>o</b>      When "<b><a href="postconf.5.html#append_dot_mydomain">append_dot_mydomain</a>=yes</b>", append "<b>.$<a href="postconf.5.html#mydomain">mydomain</a></b>"
+              to addresses without ".domain".
 
 <b>ADDRESS EXTENSION</b>
        When a mail address localpart contains the optional recip-
@@ -133,7 +136,7 @@ VIRTUAL(5)                                             VIRTUAL(5)
        <a href="virtual.8.html"><b>virtual</b>(8)</a>  mail  delivery  agent.  With  virtual  mailbox
        domains,  each recipient address can have its own mailbox.
 
-       With  a  virtual  alias domain, the virtual domain has its
+       With a <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domain</a>, the virtual  domain  has  its
        own  user  name  space. Local (i.e. non-virtual) usernames
        are not visible in a <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domain</a>. In  particular,
        local  <a href="aliases.5.html"><b>aliases</b>(5)</a>  and local mailing lists are not visible
@@ -167,7 +170,7 @@ VIRTUAL(5)                                             VIRTUAL(5)
        rejects  mail  for  <i>unknown-user</i>@<i>virtual-alias.domain</i>   as
        undeliverable.
 
-       Instead of specifying the virtual alias  domain  name  via
+       Instead  of  specifying  the <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domain</a> name via
        the <b><a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a></b> table, you may also specify it  via
        the <b>main.cf <a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a></b> configuration parameter.
        This latter parameter uses the same syntax as the  <b>main.cf</b>
@@ -232,14 +235,6 @@ VIRTUAL(5)                                             VIRTUAL(5)
 
        Other parameters of interest:
 
-       <b><a href="postconf.5.html#append_at_myorigin">append_at_myorigin</a></b>
-              Do  or don't append "<b>@$<a href="postconf.5.html#myorigin">myorigin</a></b>" to addresses with-
-              out domain.  This must be turned on in Postfix.
-
-       <b><a href="postconf.5.html#append_dot_mydomain">append_dot_mydomain</a></b>
-              Do or don't append "<b>.$<a href="postconf.5.html#mydomain">mydomain</a></b>" to addresses  with-
-              out "." on the right-hand side of the @.
-
        <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a></b>
               The network interface addresses  that  this  system
               receives mail on.  You need to stop and start Post-

postfix/man/man5/canonical.5

@@ -104,8 +104,11 @@ The lookup result is subject to address rewriting:
 When the result has the form @\fIotherdomain\fR, the
 result becomes the same \fIuser\fR in \fIotherdomain\fR.
 .IP \(bu
-The result is rewritten as specified with \fBappend_at_myorigin\fR
+When "\fBappend_at_myorigin=yes\fR", append "\fB@$myorigin\fR"
-or with \fBappend_dot_mydomain\fR.
+to addresses without "@domain".
+.IP \(bu
+When "\fBappend_dot_mydomain=yes\fR", append
+"\fB.$mydomain\fR" to addresses without ".domain".
 .SH "ADDRESS EXTENSION"
 .na
 .nf
@@ -185,12 +188,6 @@ Specify zero or more of \fBcanonical\fR, \fBvirtual\fR, \fBalias\fR,
 \fBforward\fR, \fBinclude\fR, or \fBgenerics\fR.
 .PP
 Other parameters of interest:
-.IP \fBappend_at_myorigin\fR
-Do or don't append "\fB@$myorigin\fR" to addresses without domain.
-This must be turned on in Postfix.
-.IP \fBappend_dot_mydomain\fR
-Do or don't append "\fB.$mydomain\fR" to addresses without "." on
-the right-hand side of the @.
 .IP \fBinet_interfaces\fR
 The network interface addresses that this system receives mail on.
 You need to stop and start Postfix when this parameter changes.

postfix/man/man5/generics.5

@@ -94,8 +94,11 @@ The lookup result is subject to address rewriting:
 When the result has the form @\fIotherdomain\fR, the
 result becomes the same \fIuser\fR in \fIotherdomain\fR.
 .IP \(bu
-The result is rewritten as specified with \fBappend_at_myorigin\fR
+When "\fBappend_at_myorigin=yes\fR", append "\fB@$myorigin\fR"
-or with \fBappend_dot_mydomain\fR.
+to addresses without "@domain".
+.IP \(bu
+When "\fBappend_dot_mydomain=yes\fR", append
+"\fB.$mydomain\fR" to addresses without ".domain".
 .SH "ADDRESS EXTENSION"
 .na
 .nf
@@ -202,12 +205,6 @@ Specify zero or more of \fBcanonical\fR, \fBvirtual\fR, \fBalias\fR,
 \fBforward\fR, \fBinclude\fR, or \fBgenerics\fR.
 .PP
 Other parameters of interest:
-.IP \fBappend_at_myorigin\fR
-Do or don't append "\fB@$myorigin\fR" to addresses without domain.
-This must be turned on in Postfix.
-.IP \fBappend_dot_mydomain\fR
-Do or don't append "\fB.$mydomain\fR" to addresses without "." on
-the right-hand side of the @.
 .IP \fBinet_interfaces\fR
 The network interface addresses that this system receives mail on.
 You need to stop and start Postfix when this parameter changes.

postfix/man/man5/virtual.5

@@ -102,8 +102,11 @@ result becomes the same \fIuser\fR in \fIotherdomain\fR.
 This works only for the first address in a multi-address
 lookup result.
 .IP \(bu
-The result is rewritten as specified with \fBappend_at_myorigin\fR
+When "\fBappend_at_myorigin=yes\fR", append "\fB@$myorigin\fR"
-or with \fBappend_dot_mydomain\fR.
+to addresses without "@domain".
+.IP \(bu
+When "\fBappend_dot_mydomain=yes\fR", append
+"\fB.$mydomain\fR" to addresses without ".domain".
 .SH "ADDRESS EXTENSION"
 .na
 .nf
@@ -238,12 +241,6 @@ Specify zero or more of \fBcanonical\fR, \fBvirtual\fR, \fBalias\fR,
 \fBforward\fR, \fBinclude\fR, or \fBgenerics\fR.
 .PP
 Other parameters of interest:
-.IP \fBappend_at_myorigin\fR
-Do or don't append "\fB@$myorigin\fR" to addresses without domain.
-This must be turned on in Postfix.
-.IP \fBappend_dot_mydomain\fR
-Do or don't append "\fB.$mydomain\fR" to addresses without "." on
-the right-hand side of the @.
 .IP \fBinet_interfaces\fR
 The network interface addresses that this system receives mail on.
 You need to stop and start Postfix when this parameter changes.

postfix/proto/SMTPD_POLICY_README.html

@@ -386,7 +386,7 @@ http://www.monkeys.com/anti-spam/filtering/sender-domain-validate.in.
  5         reject_unauth_destination 
  6         check_sender_access hash:/etc/postfix/sender_access
  7         ...
- 8     restriction_classes = greylist
+ 8     smtpd_restriction_classes = greylist
  9     greylist = check_policy_service unix:private/policy
 10 
 11 /etc/postfix/sender_access:

postfix/proto/canonical

@@ -92,8 +92,11 @@
 #	When the result has the form @\fIotherdomain\fR, the
 #	result becomes the same \fIuser\fR in \fIotherdomain\fR.
 # .IP \(bu
-#	The result is rewritten as specified with \fBappend_at_myorigin\fR
+#	When "\fBappend_at_myorigin=yes\fR", append "\fB@$myorigin\fR"
-#	or with \fBappend_dot_mydomain\fR.
+#	to addresses without "@domain".
+# .IP \(bu
+#	When "\fBappend_dot_mydomain=yes\fR", append
+#	"\fB.$mydomain\fR" to addresses without ".domain".
 # ADDRESS EXTENSION
 # .fi
 # .ad
@@ -163,12 +166,6 @@
 #	\fBforward\fR, \fBinclude\fR, or \fBgenerics\fR.
 # .PP
 #	Other parameters of interest:
-# .IP \fBappend_at_myorigin\fR
-#	Do or don't append "\fB@$myorigin\fR" to addresses without domain.
-#	This must be turned on in Postfix.
-# .IP \fBappend_dot_mydomain\fR
-#	Do or don't append "\fB.$mydomain\fR" to addresses without "." on
-#	the right-hand side of the @.
 # .IP \fBinet_interfaces\fR
 #	The network interface addresses that this system receives mail on.
 #	You need to stop and start Postfix when this parameter changes.

postfix/proto/generics

@@ -82,8 +82,11 @@
 #	When the result has the form @\fIotherdomain\fR, the
 #	result becomes the same \fIuser\fR in \fIotherdomain\fR.
 # .IP \(bu
-#	The result is rewritten as specified with \fBappend_at_myorigin\fR
+#	When "\fBappend_at_myorigin=yes\fR", append "\fB@$myorigin\fR"
-#	or with \fBappend_dot_mydomain\fR.
+#	to addresses without "@domain".
+# .IP \(bu
+#	When "\fBappend_dot_mydomain=yes\fR", append
+#	"\fB.$mydomain\fR" to addresses without ".domain".
 # ADDRESS EXTENSION
 # .fi
 # .ad
@@ -178,12 +181,6 @@
 #	\fBforward\fR, \fBinclude\fR, or \fBgenerics\fR.
 # .PP
 #	Other parameters of interest:
-# .IP \fBappend_at_myorigin\fR
-#	Do or don't append "\fB@$myorigin\fR" to addresses without domain.
-#	This must be turned on in Postfix.
-# .IP \fBappend_dot_mydomain\fR
-#	Do or don't append "\fB.$mydomain\fR" to addresses without "." on 
-#	the right-hand side of the @.
 # .IP \fBinet_interfaces\fR
 #	The network interface addresses that this system receives mail on.
 #	You need to stop and start Postfix when this parameter changes.

postfix/proto/virtual

@@ -90,8 +90,11 @@
 #	This works only for the first address in a multi-address
 #	lookup result.
 # .IP \(bu
-#	The result is rewritten as specified with \fBappend_at_myorigin\fR
+#	When "\fBappend_at_myorigin=yes\fR", append "\fB@$myorigin\fR"
-#	or with \fBappend_dot_mydomain\fR.
+#	to addresses without "@domain".
+# .IP \(bu
+#	When "\fBappend_dot_mydomain=yes\fR", append
+#	"\fB.$mydomain\fR" to addresses without ".domain".
 # ADDRESS EXTENSION
 # .fi
 # .ad
@@ -214,12 +217,6 @@
 #	\fBforward\fR, \fBinclude\fR, or \fBgenerics\fR.
 # .PP
 #	Other parameters of interest:
-# .IP \fBappend_at_myorigin\fR
-#	Do or don't append "\fB@$myorigin\fR" to addresses without domain.
-#	This must be turned on in Postfix.
-# .IP \fBappend_dot_mydomain\fR
-#	Do or don't append "\fB.$mydomain\fR" to addresses without "." on
-#	the right-hand side of the @.
 # .IP \fBinet_interfaces\fR
 #	The network interface addresses that this system receives mail on.
 #	You need to stop and start Postfix when this parameter changes.

postfix/src/global/mail_version.h

@@ -20,7 +20,7 @@
   * Patches change the patchlevel and the release date. Snapshots change the
   * release date only.
   */
-#define MAIL_RELEASE_DATE	"20050209"
+#define MAIL_RELEASE_DATE	"20050210"
 #define MAIL_VERSION_NUMBER	"2.2"
 
 #define VAR_MAIL_VERSION	"mail_version"

postfix/src/smtp/smtp_connect.c

@@ -558,7 +558,7 @@ int     smtp_connect(SMTP_STATE *state)
      * getting lost in the complexity.
      */
 #define IS_FALLBACK_RELAY(cpp, sites, non_fallback_sites) \
-	    ((cpp) >= (sites)->argv + (non_fallback_sites))
+	    (*(cpp) && (cpp) >= (sites)->argv + (non_fallback_sites))
 
     for (cpp = sites->argv; SMTP_RCPT_LEFT(state) > 0 && (dest = *cpp) != 0; cpp++) {
 	if (i_am_mx && IS_FALLBACK_RELAY(cpp, sites, non_fallback_sites))

postfix/src/smtp/smtp_map11.c

@@ -162,6 +162,7 @@ int     main(int argc, char **argv)
 	msg_info("-- end %s --", *argv);
     }
     vstring_free(buf);
+    maps_free(maps);
     return (0);
 }
 

postfix/src/tls/Makefile.in

@@ -25,7 +25,7 @@ MAKES	=
 all: $(LIB)
 
 Makefile: Makefile.in
-	(echo "# DO NOT EDIT"; $(OPTS) $(SHELL) ../../makedefs && cat $?) >$@
+	(echo "# DO NOT EDIT"; tail +2 ../../conf/makedefs.out; cat $?) >$@
 
 test:	$(TESTPROG)
 

postfix/src/tls/tls_scache.c

@@ -372,6 +372,7 @@ int     tls_scache_lookup(TLS_SCACHE *cp, const char *cache_id,
     /*
      * Initialize. Don't leak data.
      */
+    if (session)
 	VSTRING_RESET(session);
 
     /*
@@ -446,30 +447,66 @@ int     tls_scache_sequence(TLS_SCACHE *cp, int first_next,
 {
     const char *member;
     const char *value;
-    char   *saved_member;
+    char   *saved_cursor;
+    int     seq_status;
+
+    /*
+     * XXX Deleting entries while enumerating a map can he tricky. Some map
+     * types have a concept of cursor and support a "delete the current
+     * element" operation. Some map types without cursors don't behave well
+     * when the current first/next entry is deleted (example: Berkeley DB <
+     * 2). To avoid trouble, we delete an expired entry after advancing the
+     * current first/next position beyond it, and ignore client requests to
+     * delete the current entry.
+     */
 
     /*
      * Find the first or next database entry.
      */
-    if (dict_seq(cp->db, first_next, &member, &value) != 0)
+    seq_status = dict_seq(cp->db, first_next, &member, &value);
+
+    /*
+     * Delete behind. This is a no-op if an expired cache entry was updated
+     * in the mean time.
+     */
+    if (cp->flags & TLS_SCACHE_FLAG_DEL_CURSOR) {
+	cp->flags &= ~TLS_SCACHE_FLAG_DEL_CURSOR;
+	saved_cursor = cp->saved_cursor;
+	cp->saved_cursor = 0;
+	tls_scache_lookup(cp, saved_cursor, TLS_SCACHE_ANY_OPENSSL_VSN,
+			  TLS_SCACHE_ANY_FLAGS, (long *) 0, (int *) 0,
+			  (VSTRING *) 0);
+	myfree(saved_cursor);
+    } else {
+	if (cp->saved_cursor)
+	    myfree(cp->saved_cursor);
+	cp->saved_cursor = 0;
+    }
+
+    /*
+     * Did we find a first or next database entry?
+     */
+    if (seq_status != 0)
 	return (0);				/* End of list reached */
 
+    /*
+     * Safety against client requests to delete the current first/next entry.
+     */
+    cp->saved_cursor = mystrdup(member);
+
     /*
      * Activate the passivated cache entry and check the version and time
-     * stamp information.
+     * stamp information. Schedule it for deletion if it is bad or too old.
      */
     if (tls_scache_decode(cp, member, value, strlen(value), openssl_version,
 			  flags, out_openssl_version, out_flags,
 			  out_session) == 0) {
-	saved_member = mystrdup(member);
+	cp->flags |= TLS_SCACHE_FLAG_DEL_CURSOR;
-	tls_scache_delete(cp, saved_member);
-	myfree(saved_member);
-	return (0);
     } else {
 	if (out_cache_id)
 	    *out_cache_id = mystrdup(member);
-	return (1);
     }
+    return (1);
 }
 
 /* tls_scache_delete - delete session from cache */
@@ -484,9 +521,12 @@ int     tls_scache_delete(TLS_SCACHE *cp, const char *cache_id)
 	msg_info("delete %s session id=%s", cp->cache_label, cache_id);
 
     /*
-     * Do it.
+     * Do it, unless we would delete the current first/next entry. Some map
+     * types don't have cursors, and some of those don't behave when the
+     * "current" entry is deleted.
      */
-    return (dict_del(cp->db, cache_id) == 0);
+    return ((cp->saved_cursor != 0 && strcmp(cp->saved_cursor, cache_id) == 0)
+	    || dict_del(cp->db, cache_id) == 0);
 }
 
 /* tls_scache_open - open TLS session cache file */
@@ -537,10 +577,12 @@ TLS_SCACHE *tls_scache_open(const char *dbname, const char *cache_label,
      * Create the TLS_SCACHE object.
      */
     cp = (TLS_SCACHE *) mymalloc(sizeof(*cp));
+    cp->flags = 0;
     cp->db = dict;
     cp->cache_label = mystrdup(cache_label);
     cp->log_level = log_level;
     cp->timeout = timeout;
+    cp->saved_cursor = 0;
 
     return (cp);
 }
@@ -561,6 +603,8 @@ void    tls_scache_close(TLS_SCACHE *cp)
      */
     dict_close(cp->db);
     myfree(cp->cache_label);
+    if (cp->saved_cursor)
+	myfree(cp->saved_cursor);
     myfree((char *) cp);
 }
 

postfix/src/tls/tls_scache.h

@@ -21,12 +21,16 @@
   * External interface.
   */
 typedef struct {
+    int     flags;			/* see below */
     DICT   *db;				/* database handle */
     char   *cache_label;		/* "client" or "server" */
     int     log_level;			/* smtp(d)_tls_log_level */
     int     timeout;			/* smtp(d)_tls_session_cache_timeout */
+    char   *saved_cursor;		/* cursor cache ID */
 } TLS_SCACHE;
 
+#define TLS_SCACHE_FLAG_DEL_CURSOR	(1<<0)
+
 extern TLS_SCACHE *tls_scache_open(const char *, const char *, int, int);
 extern void tls_scache_close(TLS_SCACHE *);
 extern int tls_scache_lookup(TLS_SCACHE *, const char *, long, int, long *, int *, VSTRING *);

postfix/src/util/dict_db.c

@@ -393,17 +393,19 @@ static int dict_db_sequence(DICT *dict, int function,
     dict_errno = 0;
     memset(&db_key, 0, sizeof(db_key));
     memset(&db_value, 0, sizeof(db_value));
-    if (dict_db->cursor == 0)
-	db->cursor(db, NULL, &(dict_db->cursor), 0);
 
     /*
      * Determine the function.
      */
     switch (function) {
     case DICT_SEQ_FUN_FIRST:
+	if (dict_db->cursor == 0)
+	    db->cursor(db, NULL, &(dict_db->cursor), 0);
 	db_function = DB_FIRST;
 	break;
     case DICT_SEQ_FUN_NEXT:
+	if (dict_db->cursor == 0)
+	    msg_panic("%s: no cursor", myname);
 	db_function = DB_NEXT;
 	break;
     default:
@@ -421,7 +423,7 @@ static int dict_db_sequence(DICT *dict, int function,
      * Database lookup.
      */
     status =
-	dict_db->cursor->c_get(dict_db->cursor, &db_key, &db_value, DB_NEXT);
+	dict_db->cursor->c_get(dict_db->cursor, &db_key, &db_value, db_function);
     if (status != 0 && status != DB_NOTFOUND)
 	msg_fatal("error [%d] seeking %s: %m", status, dict_db->dict.name);
 

postfix/src/util/dict_open.c

@@ -380,7 +380,7 @@ int     main(int argc, char **argv)
     int     open_flags;
     char   *bufp;
     char   *cmd;
-    char   *key;
+    const char *key;
     const char *value;
     int     ch;
 
@@ -408,18 +408,24 @@ int     main(int argc, char **argv)
     else
 	msg_fatal("unknown access mode: %s", argv[2]);
     dict_name = argv[optind];
-    dict = dict_open(dict_name, open_flags, DICT_FLAG_LOCK);
+    dict = dict_open(dict_name, open_flags, DICT_FLAG_LOCK | DICT_FLAG_DUP_REPLACE);
     dict_register(dict_name, dict);
     while (vstring_fgets_nonl(inbuf, VSTREAM_IN)) {
 	bufp = vstring_str(inbuf);
-	if ((cmd = mystrtok(&bufp, " ")) == 0 || *bufp == 0) {
+	if (!isatty(0)) {
-	    vstream_printf("usage: del key|get key|put key=value\n");
+	    vstream_printf("> %s\n", bufp);
+	    vstream_fflush(VSTREAM_OUT);
+	}
+	if (*bufp == '#')
+	    continue;
+	if ((cmd = mystrtok(&bufp, " ")) == 0) {
+	    vstream_printf("usage: del key|get key|put key=value|first|next\n");
 	    vstream_fflush(VSTREAM_OUT);
 	    continue;
 	}
 	if (dict_changed_name())
 	    msg_warn("dictionary has changed");
-	key = vstring_str(unescape(keybuf, mystrtok(&bufp, " =")));
+	key = *bufp ? vstring_str(unescape(keybuf, mystrtok(&bufp, " ="))) : 0;
 	value = mystrtok(&bufp, " =");
 	if (strcmp(cmd, "del") == 0 && key && !value) {
 	    if (dict_del(dict, key))
@@ -437,8 +443,22 @@ int     main(int argc, char **argv)
 	} else if (strcmp(cmd, "put") == 0 && key && value) {
 	    dict_put(dict, key, value);
 	    vstream_printf("%s=%s\n", key, value);
+	} else if (strcmp(cmd, "first") == 0 && !key && !value) {
+	    if (dict_seq(dict, DICT_SEQ_FUN_FIRST, &key, &value) == 0)
+		vstream_printf("%s=%s\n", key, value);
+	    else
+		vstream_printf("%s\n",
+			       dict_errno == DICT_ERR_RETRY ?
+			       "soft error" : "not found");
+	} else if (strcmp(cmd, "next") == 0 && !key && !value) {
+	    if (dict_seq(dict, DICT_SEQ_FUN_NEXT, &key, &value) == 0)
+		vstream_printf("%s=%s\n", key, value);
+	    else
+		vstream_printf("%s\n",
+			       dict_errno == DICT_ERR_RETRY ?
+			       "soft error" : "not found");
 	} else {
-	    vstream_printf("usage: del key|get key|put key=value\n");
+	    vstream_printf("usage: del key|get key|put key=value|first|next\n");
 	}
 	vstream_fflush(VSTREAM_OUT);
     }