mirror of https://github.com/vdukhovni/postfix synced 2025-08-29 05:07:58 +00:00

postfix-3.3-20170212

Wietse Venema 2017-02-12 00:00:00 -05:00 committed by Viktor Dukhovni
parent feca6d955e
commit ae4e887d2a
11 changed files with 271 additions and 151 deletions

@ -22923,6 +22923,18 @@ Apologies for any names omitted.
20170206
Bugfix (introduced: Postfix 2.2): check_mumble_a_access
did not handle [ipaddress], unlike check_mumble_mx_access.
Reported by James (postfix_tracker). File: smtpd/smtpd_check.c.
Bugfix (introduced: Postfix 3.0): when check_mumble_a_access
did not handle [ipaddress], unlike check_mumble_mx_access.
When check_mumble_a_access was introduced, some condition
was not updated. Reported by James (postfix_tracker). File:
smtpd/smtpd_check.c.
20170207
Cleanup: rephrased the precondition paranoia. File:
global/mail_conf.c.
20170211
Cleanup: rephrased the precondition for paranoia. File:
util/unsafe.c.
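
Review bot: The reworded 20170206 entry opens with "when check_mumble_a_access did not handle [ipaddress], unlike check_mumble_mx_access." and never reaches a main clause, so the stray "when" should be dropped. The 20170207 and 20170211 entries describe what looks like one cleanup in two wordings ("the precondition paranoia" and "the precondition for paranoia"); pick one phrasing and say which precondition is meant, so that a reader of this log can tell that the trust checks in global/mail_conf.c and util/unsafe.c were touched.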

@ -1,121 +1,17 @@
This is the Postfix 3.2 (experimental) release.
This is the Postfix 3.3 (experimental) release.
The stable Postfix release is called postfix-3.1.x where 3=major
release number, 1=minor release number, x=patchlevel. The stable
The stable Postfix release is called postfix-3.2.x where 3=major
release number, 2=minor release number, x=patchlevel. The stable
release never changes except for patches that address bugs or
emergencies. Patches change the patchlevel and the release date.
New features are developed in snapshot releases. These are called
postfix-3.2-yyyymmdd where yyyymmdd is the release date (yyyy=year,
postfix-3.3-yyyymmdd where yyyymmdd is the release date (yyyy=year,
mm=month, dd=day). Patches are never issued for snapshot releases;
instead, a new snapshot is released.
The mail_release_date configuration parameter (format: yyyymmdd)
specifies the release date of a stable release or snapshot release.
If you upgrade from Postfix 3.0 or earlier, read RELEASE_NOTES-3.1
If you upgrade from Postfix 3.1 or earlier, read RELEASE_NOTES-3.2
before proceeding.
Incompatible changes with snapshot 20161227
===========================================
For safety reasons, the sendmail -C option must specify an authorized
directory: the default configuration directory, a directory that
is listed in the default main.cf file with alternate_config_directories
or multi_instance_directories, or the command must be invoked with
root privileges. This mitigates a problem with the PHP mail()
function.
Major changes with snapshot 20161227
====================================
Support to negotiate Elliptic curves with OpenSSL 1.0.2 or later
(on platforms where EC algorithms have not been disabled by the
vendor). See TLS_README for details. In summary, this changes the
default smtpd_tls_eecdh_grade setting to "auto", and introduces a
new parameter tls_eecdh_auto_curves with the names of curves that
may be negotiated. The default tls_eecdh_auto_curves setting is
determined at compile time, and depends on the Postfix and OpenSSL
versions. At runtime, Postfix will skip curve names that aren't
supported by the OpenSSL library.
The MySQL client now has support for stored procedures. See the
mysql_table(5) manpage for details.
Incompatible changes with snapshot 20161204
===========================================
Postfix 3.2 removes tentative features that were implemented
before the DANE spec was finalized:
- Support for certificate usage PKIX-EE(1),
- The ability to disable digest agility. Postfix 3.2 always behaves
as if "tls_dane_digest_agility = on.
- The ability to disable support for "TLSA 2 [01] [12]" records
that specify the digest of a trust anchor. Postfix 3.2 always
behaves as if "tls_dane_trust_anchor_digest_enable = yes".
Incompatible changes with snapshot 20161103
===========================================
Postfix 3.2 by default disables the 'transitional' compatibility
between IDNA2003 and IDNA2008, when converting UTF-8 domain names
to/from the ASCII form that is used in DNS lookups. This makes
Postfix behavior consistent with current versions of the Firefox
and Chrome web browsers. Specify "enable_idna2003_compatibility =
yes" for historical behavior.
This affects the conversion of, for example, the German sz and the
Greek zeta. See http://unicode.org/cldr/utility/idna.jsp for more
examples.
Major changes with snapshot 20161031
====================================
The smtpd_milter_maps feature supports per-client Milter configuration.
This overrides the global smtpd_milters setting and has the same syntax. A
lookup result of "DISABLE" turns off Milter support.
Incompatible changes with snapshot 20160925
===========================================
In the Postfix MySQL database client, the default option_group value
has changed to "client", to enable reading of "client" option group
settings in the MySQL options file. This fixes a "not found" problem
with Postfix queries that contain UTF8-encoded non-ASCII text.
Specify an empty option_group value (option_group =) to get
backwards-compatible behavior.
Major changes with snapshot 20160625
====================================
Support in the Postfix SMTP server for propagating the local SMTP
server IP address and port. This affects the following Postfix
interfaces:
- Policy delegation. The server address and port are available as
"server_address" and "server_port". See SMTPD_POLICY_README for an
overview of available attributes.
- Milter applications. The server address and port are available
as "{daemon_addr}" and "{daemon_port}". See MILTER_README for a
table of available attributes.
- Cyrus SASL. The server address and port are now passed to the
sasl_server_new() function as "ipaddress;port".
- XCLIENT protocol. The server address and port can be specified
as "DESTADDR" and "DESTPORT". See XCLIENT_README for a description
of the attribute syntax. The new attributes may be of interest for
nxginx.
Major changes with snapshot 20160527
====================================
Postfix cidr tables now support if..endif, and pattern negation
with "!", just like regexp and pcre tables. The if..endif can speed
up lookups by skipping over irrelevant patterns, and can make rule
maintenance easier because rules for a network can now be placed
inside if..endif. See the cidr_table(5) manpage for syntax details.
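
Review bot: The upgrade pointer "read RELEASE_NOTES-3.2 before proceeding" names the file with a hyphen, while the file this commit adds is listed as postfix/RELEASE_NOTES_3.2 with an underscore; use the on-disk name so the reference can be followed. With every snapshot section removed from this file, that pointer is also the only route left to the sendmail -C restriction notice, which makes the correct name matter more.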

postfix/RELEASE_NOTES_3.2 Normal file

@ -0,0 +1,180 @@
This is the Postfix 3.2 (stable) release.
The stable Postfix release is called postfix-3.2.x where 3=major
release number, 2=minor release number, x=patchlevel. The stable
release never changes except for patches that address bugs or
emergencies. Patches change the patchlevel and the release date.
New features are developed in snapshot releases. These are called
postfix-3.3-yyyymmdd where yyyymmdd is the release date (yyyy=year,
mm=month, dd=day). Patches are never issued for snapshot releases;
instead, a new snapshot is released.
The mail_release_date configuration parameter (format: yyyymmdd)
specifies the release date of a stable release or snapshot release.
If you upgrade from Postfix 3.0 or earlier, read RELEASE_NOTES-3.1
before proceeding.
Invisible changes
-----------------
In addition to the visible changes described below, there is an
ongoing overhaul of low-level code. With each change come updated
tests to ensure that future changes will not 'break' compatibility
with past behavior.
Major changes - address mapping
-------------------------------
[Feature 20170128] Postfix 3.2 fixes the handling of address
extensions with email addresses that contain spaces. For example,
the virtual_alias_maps, canonical_maps, and smtp_generic_maps
features now correctly propagate an address extension from "aa
bb+ext"@example.com to "cc dd+ext"@other.example, instead of
producing broken output.
Major changes - header/body_checks
----------------------------------
[Feature 20161008] "PASS" and "STRIP" actions in header/body_checks.
"STRIP" is similar to "IGNORE" but also logs the action, and "PASS"
disables header, body, and Milter inspection for the remainder of
the message content. Contributed by Hobbit.
Major changes - log analysis
----------------------------
[Feature 20160330] The collate.pl script by Viktor Dukhovni for
grouping Postfix logfile records into "sessions" based on queue ID
and process ID information. It's in the auxiliary/collate directory
of the Postfix source tree.
Major changes - maps support
----------------------------
[Feature 20160527] Postfix 3.2 cidr tables support if/endif and
negation (by prepending ! to a pattern), just like regexp and pcre
tables. The primarily purpose is to improve readability of complex
tables. See the cidr_table(5) manpage for syntax details.
[Incompat 20160925] In the Postfix MySQL database client, the default
option_group value has changed to "client", to enable reading of
"client" option group settings in the MySQL options file. This fixes
a "not found" problem with Postfix queries that contain UTF8-encoded
non-ASCII text. Specify an empty option_group value (option_group
=) to get backwards-compatible behavior.
[Feature 20161217] Stored-procedure support for MySQL databases.
Contributed by John Fawcett. See mysql_table(5) for instructions.
[Feature 20170128] The postmap command, and the inline: and texthash:
maps now support spaces in left-hand field of the lookup table
"source text". Use double quotes (") around a left-hand field that
contains spaces, and use backslash (\) to protect embedded quotes
in a left-hand field. There is no change in the processing of the
right-hand field.
Major changes - milter support
------------------------------
[Feature 20160611] The Postfix SMTP server local IP address and
port are available in the policy delegation protocol (attribute
names: server_address, server_port), in the Milter protocol (macro
names: {daemon_addr}, {daemon_port}), and in the XCLIENT protocol
(attribute names: DESTADDR, DESTPORT).
[Feature 20161024] smtpd_milter_maps support for per-client Milter
configuration that overrides smtpd_milters, and that has the same
syntax. A lookup result of "DISABLE" turns off Milter support. See
MILTER_README.html for details.
Major changes - policy delegation
---------------------------------
[Feature 20160611] The Postfix SMTP server local IP address and
port are available in the policy delegation protocol (attribute
names: server_address, server_port), in the Milter protocol (macro
names: {daemon_addr}, {daemon_port}), and in the XCLIENT protocol
(attribute names: DESTADDR, DESTPORT).
Major changes - postqueue
-------------------------
[Incompat 20170129] The postqueue command no longer forces all
message arrival times to be reported in UTC. To get the old behavior,
set TZ=UTC in main.cf:import_environment (this override is not
recommended, as it affects all Postfix utities and daemons).
Major changes - safety
----------------------
[Incompat 20161227] For safety reasons, the sendmail -C option must
specify an authorized directory: the default configuration directory,
a directory that is listed in the default main.cf file with
alternate_config_directories or multi_instance_directories, or the
command must be invoked with root privileges (UID 0 and EUID 0).
This mitigates a recurring problem with the PHP mail() function.
Major changes - sasl
--------------------
[Feature 20160625] The Postfix SMTP server now passes remote client
and local server network address and port information to the Cyrus
SASL library. Build with ``make makefiles "CCARGS=$CCARGS
-DNO_IP_CYRUS_SASL_AUTH"'' for backwards compatibility.
Major changes - smtputf8
------------------------
[Feature 20161103] Postfix 3.2 disables the 'transitional' compatibility
between the IDNA2003 and IDNA2008 standards for internationalized
domain names (domain names beyond the limits of US-ASCII).
This change makes Postfix behavior consistent with contemporary web
browsers. It affects the handling of some corner cases such as
German sz and Greek zeta. See http://unicode.org/cldr/utility/idna.jsp
for more examples.
Specify "enable_idna2003_compatibility = yes" to restore historical
behavior (but keep in mind that the rest of the world may not make
that same choice).
Major changes - tls
-------------------
[Feature 20160828] Fixes for deprecated OpenSSL 1.1.0 API features,
so that Postfix will build without depending on backwards-compatibility
support.
[Incompat 20161204] Postfix 3.2 removes tentative features that
were implemented before the DANE spec was finalized:
- Support for certificate usage PKIX-EE(1),
- The ability to disable digest agility (Postfix now behaves as if
"tls_dane_digest_agility = on"), and
- The ability to disable support for "TLSA 2 [01] [12]" records
that specify the digest of a trust anchor (Postfix now behaves
as if "tls_dane_trust_anchor_digest_enable = yes).
[Feature 20161217] Postfix 3.2 enables elliptic curve negotiation
with OpenSSL >= 1.0.2. This changes the default smtpd_tls_eecdh_grade
setting to "auto", and introduces a new parameter tls_eecdh_auto_curves
with the names of curves that may be negotiated.
The default tls_eecdh_auto_curves setting is determined at compile
time, and depends on the Postfix and OpenSSL versions. At runtime,
Postfix will skip curve names that aren't supported by the OpenSSL
library.
Major changes - xclient
-----------------------
[Feature 20160611] The Postfix SMTP server local IP address and
port are available in the policy delegation protocol (attribute
names: server_address, server_port), in the Milter protocol (macro
names: {daemon_addr}, {daemon_port}), and in the XCLIENT protocol
(attribute names: DESTADDR, DESTPORT).
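
Review bot: Three text defects in the new file should be fixed before it ships as the stable notes: "utities" in the postqueue paragraph, "The primarily purpose" in the cidr paragraph, and the missing closing quote in "tls_dane_trust_anchor_digest_enable = yes) in the DANE list. In the safety paragraph, the added "(UID 0 and EUID 0)" is a useful precision; consider also stating that the authorization list is read from the default main.cf only, since that is the property that makes the check meaningful.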

@ -784,16 +784,21 @@ cannot match Postfix access tables, because the address is ambiguous.
<p>
A list of non-default Postfix configuration directories that may
be specified with "-c <a href="postconf.5.html#config_directory">config_directory</a>" on the command line (in the
case of <a href="sendmail.1.html">sendmail(1)</a>, with "-C <a href="postconf.5.html#config_directory">config_directory</a>"), or via the MAIL_CONFIG
case of <a href="sendmail.1.html">sendmail(1)</a>, with the "-C" option), or via the MAIL_CONFIG
environment parameter.
</p>
<p>
This list must be specified in the default Postfix configuration
directory, and is used by set-gid Postfix commands such as <a href="postqueue.1.html">postqueue(1)</a>
This list must be specified in the default Postfix <a href="postconf.5.html">main.cf</a> file,
and will be used by set-gid Postfix commands such as <a href="postqueue.1.html">postqueue(1)</a>
and <a href="postdrop.1.html">postdrop(1)</a>.
</p>
<p>
Specify absolute pathnames, separated by comma or space. Note: $name
expansion is not supported.
</p>
</DD>

@ -462,12 +462,15 @@ cannot match Postfix access tables, because the address is ambiguous.
.SH alternate_config_directories (default: empty)
A list of non\-default Postfix configuration directories that may
be specified with "\-c config_directory" on the command line (in the
case of \fBsendmail\fR(1), with "\-C config_directory"), or via the MAIL_CONFIG
case of \fBsendmail\fR(1), with the "\-C" option), or via the MAIL_CONFIG
environment parameter.
.PP
This list must be specified in the default Postfix configuration
directory, and is used by set\-gid Postfix commands such as \fBpostqueue\fR(1)
This list must be specified in the default Postfix main.cf file,
and will be used by set\-gid Postfix commands such as \fBpostqueue\fR(1)
and \fBpostdrop\fR(1).
.PP
Specify absolute pathnames, separated by comma or space. Note: $name
expansion is not supported.
.SH always_add_missing_headers (default: no)
Always add (Resent\-) From:, To:, Date: or Message\-ID: headers
when not present. Postfix 2.6 and later add these headers only

@ -3,12 +3,14 @@
# Transform RELEASE_NOTES, split into "leader", and "major changes",
# split into major categories, and prepend dates to paragraphs.
#
# Input format: the leader text is copied verbatim; each paragraph
# starts with [class, class] where a class specifies one or more
# categories that the change should be listed under. Adding class
# info is the only manual processing needed to go from a RELEASE_NOTES
# file to the transformed representation.
#
# Input format: the leader text is copied verbatim; each section
# starts with "Incompatible changes with snapshot YYYYMMDD" or "Major
# changes with snapshot YYYYMMDD"; each paragraph starts with [class,
# class] where a class specifies one or more categories that the
# change should be listed under. Adding class info is the only manual
# processing needed to go from a RELEASE_NOTES file to the transformed
# representation.
#
# Output format: each category is printed with a little header and
# each paragraph is tagged with [Incompat yyyymmdd] or with [Feature
# yyyymmdd].
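
Review bot: The rewritten input-format comment writes the date as "YYYYMMDD" while the output-format comment right below it writes "yyyymmdd"; use one spelling. It would also help to say whether the two section headings must match exactly, since the date in the [Incompat yyyymmdd] and [Feature yyyymmdd] tags presumably comes from them.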

@ -7126,16 +7126,21 @@ probes, and generates probes on request by other Postfix processes.
<p>
A list of non-default Postfix configuration directories that may
be specified with "-c config_directory" on the command line (in the
case of sendmail(1), with "-C config_directory"), or via the MAIL_CONFIG
case of sendmail(1), with the "-C" option), or via the MAIL_CONFIG
environment parameter.
</p>
<p>
This list must be specified in the default Postfix configuration
directory, and is used by set-gid Postfix commands such as postqueue(1)
This list must be specified in the default Postfix main.cf file,
and will be used by set-gid Postfix commands such as postqueue(1)
and postdrop(1).
</p>
<p>
Specify absolute pathnames, separated by comma or space. Note: $name
expansion is not supported.
</p>
%PARAM append_at_myorigin yes
<p>
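
Review bot: The rewritten paragraph says the list "will be used by set-gid Postfix commands such as postqueue(1) and postdrop(1)" but leaves out the cases that the release notes in this commit spell out for sendmail -C: a directory listed with multi_instance_directories is accepted too, and a process with UID 0 and EUID 0 is exempt. One sentence covering both would keep the parameter description in line with the check. The same wording is changed in two other hunks of this commit, so the addition belongs in all three.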

@ -31,8 +31,18 @@
/* const char *mail_conf_lookup_eval(name)
/* const char *name;
/* DESCRIPTION
/* mail_conf_suck() reads the global Postfix configuration file, and
/* stores its values into a global configuration dictionary.
/* mail_conf_suck() reads the global Postfix configuration
/* file, and stores its values into a global configuration
/* dictionary. When the configuration directory name is not
/* trusted, this function requires that the directory name is
/* authorized with the alternate_config_directories setting
/* in the default main.cf file.
/*
/* This function requires that all configuration directory
/* override mechanisms set the MAIL_CONFIG environment variable,
/* even if the override was specified via the command line.
/* This reduces the number of pathways that need to be checked
/* for possible security attacks.
/*
/* mail_conf_read() invokes mail_conf_suck() and assigns the values
/* to global variables by calling mail_params_init().
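
Review bot: The second new DESCRIPTION paragraph states a caller obligation ("all configuration directory override mechanisms set the MAIL_CONFIG environment variable, even if the override was specified via the command line") that nothing in the visible lines enforces. Name the commands or the helper that satisfy it, or have mail_conf_suck() verify it, because an override that is applied without exporting MAIL_CONFIG would fall outside the single pathway this paragraph says is checked.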
@ -197,8 +207,8 @@ void mail_conf_suck(void)
set_mail_conf_str(VAR_CONFIG_DIR, var_config_dir);
/*
* If the configuration directory name comes from a different trust
* domain, require that it is listed in the default main.cf file.
* If the configuration directory name comes from an untrusted source,
* require that it is listed in the default main.cf file.
*/
if (strcmp(var_config_dir, DEF_CONFIG_DIR) != 0 /* non-default */
&& unsafe()) /* untrusted env and cli */
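
Review bot: The condition compares var_config_dir with DEF_CONFIG_DIR using strcmp(), so a differently spelled path to the default directory (a trailing slash, for instance) counts as non-default and needs authorization whenever unsafe() is true. That fails closed, which is the right direction, but the block comment should say the comparison is textual. The trailing comment "untrusted env and cli" could also be tightened: according to the unsafe() documentation changed in this same commit, that function tests process credentials, not where the directory name came from.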

@ -20,8 +20,8 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
#define MAIL_RELEASE_DATE "20170206"
#define MAIL_VERSION_NUMBER "3.2"
#define MAIL_RELEASE_DATE "20170212"
#define MAIL_VERSION_NUMBER "3.3"
#ifdef SNAPSHOT
#define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE

@ -1239,7 +1239,7 @@ int main(int argc, char **argv)
mail_conf_read();
/* Enforce consistent operation of different Postfix parts. */
import_env = mail_parm_split(VAR_IMPORT_ENVIRON, var_import_environ);
clean_env(import_env->argv);
update_env(import_env->argv);
argv_free(import_env);
/* Re-evaluate mail_task() after reading main.cf. */
msg_syslog_init(mail_task(argv[0]), LOG_PID, LOG_FACILITY);
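
Review bot: Swapping clean_env(import_env->argv) for update_env(import_env->argv) right after mail_conf_read() is a behavior change in environment handling that neither the comment above it nor the HISTORY entries in this commit explain. Going by the names, the call no longer resets the inherited environment to the import_environment list, so the comment "Enforce consistent operation of different Postfix parts" should say where the purge of untrusted variables now happens and why this call only updates. A HISTORY line for the change would also help anyone auditing how this command treats its environment.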

@ -8,19 +8,20 @@
/*
/* int unsafe()
/* DESCRIPTION
/* The \fBunsafe()\fR routine attempts to determine if the process runs
/* with any privileges that do not belong to the user. The purpose is
/* to make it easy to taint any user-provided data such as the current
/* working directory, the process environment, etcetera.
/* The \fBunsafe()\fR routine attempts to determine if the process
/* (runs with privileges or has access to information) that the
/* controlling user has no access to. The purpose is to prevent
/* misuse of privileges, including access to protected information.
/*
/* On UNIX systems, the result is true when any of the following
/* conditions is true:
/* The result is always false when both of the following conditions
/* are true:
/* .IP \(bu
/* The real UID is non-zero.
/* The real UID is zero.
/* .IP \(bu
/* The effective UID is non-zero.
/* The effective UID is zero.
/* .PP
/* Additionally, any of the following conditions must be true:
/* Otherwise, the result is true if any of the following conditions
/* is true:
/* .IP \(bu
/* The issetuid kernel flag is non-zero (on systems that support
/* this concept).
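
Review bot: The new opening sentence, "attempts to determine if the process (runs with privileges or has access to information) that the controlling user has no access to", reads as if the parentheses were left over from editing; spell it out as two plain alternatives. The restructured condition list is clearer than the old "Additionally" form, but "The result is always false when both of the following conditions are true" would be easier to check against the code if it said outright that real UID 0 together with effective UID 0 short-circuits every test listed after it.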
@ -28,10 +29,6 @@
/* The real and effective user id differ.
/* .IP \(bu
/* The real and effective group id differ.
/* .PP
/* Thus, when a process runs as the super-user, it is excluded
/* from privilege-escalation concerns, but only if both real
/* UID and effective UID are zero.
/* LICENSE
/* .ad
/* .fi
@ -56,10 +53,20 @@
int unsafe(void)
{
return ((getuid() || geteuid())
&& (geteuid() != getuid()
/*
* The super-user is trusted.
*/
if (getuid() == 0 && geteuid() == 0)
return (0);
/*
* Danger: don't trust inherited process attributes, and don't leak
* privileged info that the parent has no access to.
*/
return (geteuid() != getuid()
#ifdef HAS_ISSETUGID
|| issetugid()
|| issetugid()
#endif
|| getgid() != getegid()));
|| getgid() != getegid());
}
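
Review bot: The early return for getuid() == 0 && geteuid() == 0 keeps the old result, but it now makes visible that a root process whose real and effective group ids differ, or that has issetugid() set, is reported as safe. The comment "The super-user is trusted" should state that this deliberately skips the gid and issetugid() tests, so a later reader does not take it for an oversight. The re-indented "|| issetugid()" line is a whitespace-only change and could be left out of a functional cleanup.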