postfix-2.6.4

postfix/HISTORY

@@ -15272,31 +15272,34 @@ Apologies for any names omitted.
 
 20090805
 
-        Bugfix: don't panic when an unexpected smtpd access map is
-        specified. File: smtpd/smtpd_check.c.
+	Bugfix: don't panic when an unexpected smtpd access map is
+	specified. File: smtpd/smtpd_check.c.
 
 20090807
 
-        Workaround: NS record lookups for certain domains always
-        fail, while other queries for those domains always succeed
-        (and even return replies with NS records as additional
-        information).
+	Workaround: NS record lookups for certain domains always
+	fail, while other queries for those domains always succeed
+	(and even return replies with NS records as additional
+	information).
 
-        This inconsistency would allow spammers to avoid the Postfix
-        check_{client,helo,sender,etc}_ns_access restrictions,
-        because those restrictions have effect only for names that
-        are known in the DNS.
+	This inconsistency in DNS lookup results would allow spammers
+	to circumvent the Postfix check_{client,helo,sender,etc}_ns_access
+	restrictions, because those restrictions have effect only
+	for NS records that can be looked up in the DNS.
 
-        To address this specific inconsistency, the Postfix
-        check_{client,etc}_ns_access feature now requires that a
-        known-in-DNS domain name (or parent thereof) resolves to
-        at least one name server IP address.
+	To address this inconsistency, check_{client,etc}_ns_access
+	now require that a known-in-DNS domain name (or parent
+	thereof) always resolves to at least one name server IP
+	address.
 
-        For consistency, check_{client,etc}_mx_access now requires
-        that a known-in-DNS domain name resolves to at least one
-        mail server IP address.
+	For consistency, check_{client,etc}_mx_access now require
+	that a known-in-DNS domain name always resolves to at least
+	one mail server IP address.
 
-        The IP addresses thus obtained may or may not be "correct".
-        There is little to stop an uncooperative DNS server from
-        lying, especially when the owner of the domain has no
-        intention to receive email.  File: smtpd/smtpd_check.c.
+	These measures merely raise the difficulty level for spammers.
+	The IP address information thus obtained is not necessarily
+	"correct".  There is little to stop an uncooperative DNS
+	server from lying, especially when the owner of the domain
+	has no desire to receive email.  File: smtpd/smtpd_check.c.
+
+	Problem reported by MXTools.com.

postfix/RELEASE_NOTES

@@ -21,19 +21,20 @@ With some domain names, NS record lookups always fail while other
 lookups always succeed (and may even return NS records as additional
 information).  This anomaly could be used by evil elements to skip
 Postfix check_{client,helo,sender,recipient}_ns_access checks,
-because these apply only to domains that are known in the DNS.
+because these apply only to NS records that are found in the DNS.
 
 To address this specific problem, check_{client,etc}_ns_access now
-requires that a known-in-DNS domain name (or parent thereof) resolves
-to at least one name server IP address.
+requires that a known-in-DNS domain name (or parent thereof) always
+resolves to at least one name server IP address.
 
 For consistency, check_{client,etc}_mx_access now requires that a
-known-in-DNS domain name resolves to at least one mail server IP
-address.
+known-in-DNS domain name always resolves to at least one mail server
+IP address.
 
-Keep in mind that these measures provide no hard assurances. There
-is little to stop an uncooperative DNS server from lying, especially
-when the owner of the domain has no intention to receive email.
+These measures provide no hard assurances that the IP address
+information thus obtained is correct. There is little to stop an
+uncooperative DNS server from lying, especially when the owner of
+the domain has no desire to receive email.
 
 Major changes - multi-instance support
 --------------------------------------

postfix/src/global/mail_version.h

@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20090807"
-#define MAIL_VERSION_NUMBER	"2.6.4-RC2"
+#define MAIL_RELEASE_DATE	"20090825"
+#define MAIL_VERSION_NUMBER	"2.6.4"
 
 #ifdef SNAPSHOT
 # define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE