postfix-2.9-20110117

postfix/HISTORY

@@ -16471,3 +16471,25 @@ Apologies for any names omitted.
 
 	Cleanup: documentation, in preparation for the Postfix 2.8
 	stable release.
+
+20110117
+
+	Bugfix (introduced Postfix alpha, or thereabouts): on HP-UX
+	the Postfix event engine was deaf for SIGALRM signals.
+	Symptoms were killed processes when the watchdog timeout
+	was less than max_idle.  The fix is the same as Solaris fix
+	20110109. Since we can't know what other systems need this,
+	the workaround is enabled by default.  Files: util/sys_defs.h.
+
+	Cleanup: "smtpd_tls_eecdh_grade = strong" by default, instead
+	of snapshot-only. File: global/mail_params.h, proto/postconf.proto.
+
+	Cleanup: missing "#include <errno.h>" in util/watchdog.c.
+
+	Bugfix: when compiled without -DUSE_TLS, tlsproxy used the
+	wrong server skeleton (multi_server instead of event_server).
+	File: tlsproxy/tlsproxy.c.
+
+	Workaround: added a panic check for code that is mis-compiled
+	by the HP-UX compiler.  File: postscreen/postscreen.c,
+	postscreen/postscreen.h, postscreen/postscreen_state.c.

postfix/RELEASE_NOTES-2.8

@@ -14,6 +14,31 @@ specifies the release date of a stable release or snapshot release.
 If you upgrade from Postfix 2.6 or earlier, read RELEASE_NOTES-2.7
 before proceeding.
 
+Major changes - restart Postfix
+-------------------------------
+
+If you upgrade from Postfix 2.6 or earlier, you must execute "postfix
+stop" and "postfix start" before you can use the postscreen(8)
+daemon.  This is needed because the Postfix 2.6 "pass" master service
+type did not work reliably on some systems.
+
+If you upgrade from Postfix 2.7, or from Postfix 2.8 before July
+25, 2010, you must execute "postfix reload" (or "postfix stop"
+followed by "postfix start"). This is needed because the queue
+manager to delivery agent protocol has changed. Failure to do this
+results in repeated logging of warnings with:
+
+    warning: unexpected attribute rewrite_context ...
+
+If the warning does not go away after restarting Postfix, examine
+the output from this command:
+
+    strings -af /usr/libexec/postfix/* | grep mail_version=
+
+(where /usr/libexec/postfix is the value of main.cf:daemon_directory)
+and update the executables that have a version string that differs
+from the other programs.
+
 Major changes - DNSBL/DNSWL support
 -----------------------------------
 
@@ -324,11 +349,6 @@ parameter specifies how long to keep an expired entry in the cache.
 This prevents a client from being logged as "NEW" after its record
 expired only a little while ago.
 
-[Incompat 20091008] If you upgrade from Postfix 2.6 or earlier, you
-must stop and start the Postfix master daemon before you can use
-the postscreen(8) daemon.  This is needed because the Postfix 2.6
-"pass" master service type did not work reliably on some systems.
-
 [Feature 20091008] Prototype postscreen(8) server that runs a number
 of time-consuming checks in parallel for all incoming SMTP connections,
 before clients are allowed to talk to a real Postfix SMTP server.

postfix/WISHLIST

@@ -6,6 +6,15 @@ Wish list:
 
 	Things to do after the stable release:
 
+	events.c: cache the side effects of file descriptor event
+	enable/disable operations in user space, and do bulk kernel
+	updates at event_loop() time.  This can eliminate costly
+	system calls with successive event disable/enable operations
+	on the same file descriptor. This can also eliminate the
+	need for tricky code that tries to avoid the expense of
+	successive disable/enable operations. Such code is likely
+	to introduce bugs.
+
 	When does it pay off to send domains in the active queue
 	to a DNS prefetch daemon? Could this generalize to a dynamic
 	transport map that piggy-backs domains with the same MX

postfix/html/postconf.5.html

@@ -14177,14 +14177,14 @@ Diffie-Hellman (EECDH) key exchange. </p>
 <dl>
 
 <dt><b>none</b></dt> <dd> Don't use EECDH. Ciphers based on EECDH key
-exchange will be disabled. This is the default in official Postfix
+exchange will be disabled. This is the default in Postfix versions
-releases (<a href="postconf.5.html#mail_version">mail_version</a> = major.minor.patchlevel). </dd>
+2.6 and 2.7. </dd>
 
 <dt><b>strong</b></dt> <dd> Use EECDH with approximately 128
 bits of security at a reasonable computational cost. This is the
 current best-practice trade-off between security and computational
-efficiency. This is the default in Postfix snapshot releases
+efficiency. This is the default in Postfix version 2.8 and later.
-(<a href="postconf.5.html#mail_version">mail_version</a> = major.minor-releasedate). </dd>
+</dd>
 
 <dt><b>ultra</b></dt> <dd> Use EECDH with approximately 192 bits of
 security at computational cost that is approximately twice as high

postfix/man/man5/postconf.5

@@ -8988,14 +8988,13 @@ Diffie-Hellman (EECDH) key exchange.
 The available choices are:
 .IP "\fBnone\fR"
 Don't use EECDH. Ciphers based on EECDH key
-exchange will be disabled. This is the default in official Postfix
+exchange will be disabled. This is the default in Postfix versions
-releases (mail_version = major.minor.patchlevel).
+2.6 and 2.7.
 .IP "\fBstrong\fR"
 Use EECDH with approximately 128
 bits of security at a reasonable computational cost. This is the
 current best-practice trade-off between security and computational
-efficiency. This is the default in Postfix snapshot releases
+efficiency. This is the default in Postfix version 2.8 and later.
-(mail_version = major.minor-releasedate).
 .IP "\fBultra\fR"
 Use EECDH with approximately 192 bits of
 security at computational cost that is approximately twice as high

postfix/proto/postconf.proto

@@ -11739,14 +11739,14 @@ Diffie-Hellman (EECDH) key exchange. </p>
 <dl>
 
 <dt><b>none</b></dt> <dd> Don't use EECDH. Ciphers based on EECDH key
-exchange will be disabled. This is the default in official Postfix
+exchange will be disabled. This is the default in Postfix versions
-releases (mail_version = major.minor.patchlevel). </dd>
+2.6 and 2.7. </dd>
 
 <dt><b>strong</b></dt> <dd> Use EECDH with approximately 128
 bits of security at a reasonable computational cost. This is the
 current best-practice trade-off between security and computational
-efficiency. This is the default in Postfix snapshot releases
+efficiency. This is the default in Postfix version 2.8 and later.
-(mail_version = major.minor-releasedate). </dd>
+</dd>
 
 <dt><b>ultra</b></dt> <dd> Use EECDH with approximately 192 bits of
 security at computational cost that is approximately twice as high

postfix/src/global/mail_params.h

@@ -1281,11 +1281,7 @@ extern char *var_smtpd_tls_dh512_param_file;
 extern char *var_smtpd_tls_dh1024_param_file;
 
 #define VAR_SMTPD_TLS_EECDH	"smtpd_tls_eecdh_grade"
-#ifdef SNAPSHOT
 #define DEF_SMTPD_TLS_EECDH	"strong"
-#else
-#define DEF_SMTPD_TLS_EECDH	"none"
-#endif
 extern char *var_smtpd_tls_eecdh;
 
 #define VAR_SMTPD_TLS_LOGLEVEL	"smtpd_tls_loglevel"
@@ -3557,11 +3553,7 @@ extern char *var_tlsp_tls_dh512_param_file;
 extern char *var_tlsp_tls_dh1024_param_file;
 
 #define VAR_TLSP_TLS_EECDH	"tlsproxy_tls_eecdh_grade"
-#ifdef SNAPSHOT
 #define DEF_TLSP_TLS_EECDH	"$" VAR_SMTPD_TLS_EECDH
-#else
-#define DEF_TLSP_TLS_EECDH	"$" VAR_SMTPD_TLS_EECDH
-#endif
 extern char *var_tlsp_tls_eecdh;
 
 #define VAR_TLSP_TLS_LOGLEVEL	"tlsproxy_tls_loglevel"

postfix/src/global/mail_version.h

@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20110116"
+#define MAIL_RELEASE_DATE	"20110117"
 #define MAIL_VERSION_NUMBER	"2.9"
 
 #ifdef SNAPSHOT

postfix/src/postscreen/postscreen.c

@@ -487,8 +487,8 @@ int     psc_normal_greet_wait;		/* stressed greet wait */
 int     psc_stress_cmd_time_limit;	/* stressed command limit */
 int     psc_normal_cmd_time_limit;	/* normal command time limit */
 int     psc_stress;			/* stress level */
-int     psc_check_queue_length_lowat;	/* stress low-water mark */
+int     psc_lowat_check_queue_length;	/* stress low-water mark */
-int     psc_check_queue_length_hiwat;	/* stress high-water mark */
+int     psc_hiwat_check_queue_length;	/* stress high-water mark */
 DICT   *psc_dnsbl_reply;		/* DNSBL name mapper */
 HTABLE *psc_client_concurrency;		/* per-client concurrency */
 
@@ -1048,12 +1048,19 @@ static void post_jail_init(char *unused_name, char **unused_argv)
     psc_normal_greet_wait =
 	get_mail_conf_time(VAR_PSC_GREET_WAIT, DEF_PSC_GREET_WAIT, 1, 0);
 
-    psc_check_queue_length_lowat = .7 * var_psc_pre_queue_limit;
+    psc_lowat_check_queue_length = .7 * var_psc_pre_queue_limit;
-    psc_check_queue_length_hiwat = .9 * var_psc_pre_queue_limit;
+    psc_hiwat_check_queue_length = .9 * var_psc_pre_queue_limit;
     if (msg_verbose)
 	msg_info(VAR_PSC_CMD_TIME ": stress=%d normal=%d lowat=%d hiwat=%d",
 		 psc_stress_cmd_time_limit, psc_normal_cmd_time_limit,
-		 psc_check_queue_length_lowat, psc_check_queue_length_hiwat);
+		 psc_lowat_check_queue_length, psc_hiwat_check_queue_length);
+
+    if (psc_lowat_check_queue_length == 0)
+	msg_panic("compiler error: 0.7 * %d = %d", var_psc_pre_queue_limit,
+		  psc_lowat_check_queue_length);
+    if (psc_hiwat_check_queue_length == 0)
+	msg_panic("compiler error: 0.9 * %d = %d", var_psc_pre_queue_limit,
+		  psc_hiwat_check_queue_length);
 
     /*
      * Per-client concurrency.

postfix/src/postscreen/postscreen.h

@@ -292,8 +292,8 @@ extern int psc_normal_greet_wait;	/* stressed greet wait */
 extern int psc_stress_cmd_time_limit;	/* stressed command limit */
 extern int psc_normal_cmd_time_limit;	/* normal command time limit */
 extern int psc_stress;			/* stress level */
-extern int psc_check_queue_length_lowat;/* stress low-water mark */
+extern int psc_lowat_check_queue_length;/* stress low-water mark */
-extern int psc_check_queue_length_hiwat;/* stress high-water mark */
+extern int psc_hiwat_check_queue_length;/* stress high-water mark */
 extern DICT *psc_dnsbl_reply;		/* DNSBL name mapper */
 extern HTABLE *psc_client_concurrency;	/* per-client concurrency */
 
@@ -469,7 +469,7 @@ extern const char *psc_expand_lookup(const char *, int, char *);
 
 extern void psc_acl_pre_jail_init(void);
 extern ARGV *psc_acl_parse(const char *, const char *);
-extern int psc_acl_eval(PSC_STATE *,ARGV *, const char *);
+extern int psc_acl_eval(PSC_STATE *, ARGV *, const char *);
 
 /* LICENSE
 /* .ad

postfix/src/postscreen/postscreen_state.c

@@ -171,7 +171,7 @@ PSC_STATE *psc_new_session_state(VSTREAM *stream,
      * Update the stress level.
      */
     if (psc_stress == 0
-	&& psc_check_queue_length >= psc_check_queue_length_hiwat) {
+	&& psc_check_queue_length >= psc_hiwat_check_queue_length) {
 	psc_stress = 1;
 	msg_info("entering STRESS mode with %d connections",
 		 psc_check_queue_length);
@@ -238,7 +238,7 @@ void    psc_free_session_state(PSC_STATE *state)
      * Update the stress level.
      */
     if (psc_stress != 0
-	&& psc_check_queue_length <= psc_check_queue_length_lowat) {
+	&& psc_check_queue_length <= psc_lowat_check_queue_length) {
 	psc_stress = 0;
 	msg_info("leaving STRESS mode with %d connections",
 		 psc_check_queue_length);

postfix/src/tlsproxy/tlsproxy.c

@@ -1147,7 +1147,7 @@ int     main(int argc, char **argv)
      * (including logging) and then invoke the tlsp_service() routine to log
      * the message that says why this program will not run.
      */
-    multi_server_main(argc, argv, tlsp_service,
+    event_server_main(argc, argv, tlsp_service,
 		      0);
 }
 

postfix/src/util/sys_defs.h

@@ -441,7 +441,6 @@ extern int opterr;
 #define USE_SYSV_POLL
 #ifndef NO_DEVPOLL
 # define EVENTS_STYLE	EVENTS_STYLE_DEVPOLL
-# define USE_WATCHDOG_PIPE
 #endif
 
 /*
@@ -1280,6 +1279,17 @@ extern int dup2_pass_on_exec(int oldd, int newd);
 extern const char *inet_ntop(int, const void *, char *, size_t);
 extern int inet_pton(int, const char *, void *);
 
+#endif
+
+ /*
+  * Workaround: after a watchdog alarm signal, wake up from select/poll/etc.
+  * by writing to a pipe. Solaris needs this, and HP-UX apparently, too. The
+  * run-time cost is negligible so we just turn it on for all systems. As a
+  * side benefit, making this code system-independent will simplify the
+  * detection of bit-rot problems.
+  */
+#ifndef NO_WATCHDOG_PIPE
+#define USE_WATCHDOG_PIPE
 #endif
 
  /*

postfix/src/util/watchdog.c

@@ -126,6 +126,7 @@ static WATCHDOG *watchdog_curr;
   * watchdog timeout is less than the max_idle time.
   */
 #ifdef USE_WATCHDOG_PIPE
+#include <errno.h>
 #include <iostuff.h>
 #include <events.h>