From ae4e887d2a8eee1280eff05df47d4162c7922f7d Mon Sep 17 00:00:00 2001 From: Wietse Venema Date: Sun, 12 Feb 2017 00:00:00 -0500 Subject: [PATCH] postfix-3.3-20170212 --- postfix/HISTORY | 18 ++- postfix/RELEASE_NOTES | 114 +------------------ postfix/RELEASE_NOTES_3.2 | 180 ++++++++++++++++++++++++++++++ postfix/html/postconf.5.html | 11 +- postfix/man/man5/postconf.5 | 9 +- postfix/mantools/make-relnotes | 14 ++- postfix/proto/postconf.proto | 11 +- postfix/src/global/mail_conf.c | 18 ++- postfix/src/global/mail_version.h | 4 +- postfix/src/postsuper/postsuper.c | 2 +- postfix/src/util/unsafe.c | 41 ++++--- 11 files changed, 271 insertions(+), 151 deletions(-) create mode 100644 postfix/RELEASE_NOTES_3.2 diff --git a/postfix/HISTORY b/postfix/HISTORY index 159afb167..a05d6f154 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -22923,6 +22923,18 @@ Apologies for any names omitted. 20170206 - Bugfix (introduced: Postfix 2.2): check_mumble_a_access - did not handle [ipaddress], unlike check_mumble_mx_access. - Reported by James (postfix_tracker). File: smtpd/smtpd_check.c. + Bugfix (introduced: Postfix 3.0): when check_mumble_a_access + did not handle [ipaddress], unlike check_mumble_mx_access. + When check_mumble_a_access was introduced, some condition + was not updated. Reported by James (postfix_tracker). File: + smtpd/smtpd_check.c. + +20170207 + + Cleanup: rephrased the precondition paranoia. File: + global/mail_conf.c. + +20170211 + + Cleanup: rephrased the precondition for paranoia. File: + util/unsafe.c. diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index 83ed6c261..f5b1a28ac 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES @@ -1,121 +1,17 @@ -This is the Postfix 3.2 (experimental) release. +This is the Postfix 3.3 (experimental) release. -The stable Postfix release is called postfix-3.1.x where 3=major -release number, 1=minor release number, x=patchlevel. The stable +The stable Postfix release is called postfix-3.2.x where 3=major +release number, 2=minor release number, x=patchlevel. The stable release never changes except for patches that address bugs or emergencies. Patches change the patchlevel and the release date. New features are developed in snapshot releases. These are called -postfix-3.2-yyyymmdd where yyyymmdd is the release date (yyyy=year, +postfix-3.3-yyyymmdd where yyyymmdd is the release date (yyyy=year, mm=month, dd=day). Patches are never issued for snapshot releases; instead, a new snapshot is released. The mail_release_date configuration parameter (format: yyyymmdd) specifies the release date of a stable release or snapshot release. -If you upgrade from Postfix 3.0 or earlier, read RELEASE_NOTES-3.1 +If you upgrade from Postfix 3.1 or earlier, read RELEASE_NOTES-3.2 before proceeding. - -Incompatible changes with snapshot 20161227 -=========================================== - -For safety reasons, the sendmail -C option must specify an authorized -directory: the default configuration directory, a directory that -is listed in the default main.cf file with alternate_config_directories -or multi_instance_directories, or the command must be invoked with -root privileges. This mitigates a problem with the PHP mail() -function. - -Major changes with snapshot 20161227 -==================================== - -Support to negotiate Elliptic curves with OpenSSL 1.0.2 or later -(on platforms where EC algorithms have not been disabled by the -vendor). See TLS_README for details. In summary, this changes the -default smtpd_tls_eecdh_grade setting to "auto", and introduces a -new parameter tls_eecdh_auto_curves with the names of curves that -may be negotiated. The default tls_eecdh_auto_curves setting is -determined at compile time, and depends on the Postfix and OpenSSL -versions. At runtime, Postfix will skip curve names that aren't -supported by the OpenSSL library. - -The MySQL client now has support for stored procedures. See the -mysql_table(5) manpage for details. - -Incompatible changes with snapshot 20161204 -=========================================== - -Postfix 3.2 removes tentative features that were implemented -before the DANE spec was finalized: - -- Support for certificate usage PKIX-EE(1), - -- The ability to disable digest agility. Postfix 3.2 always behaves - as if "tls_dane_digest_agility = on. - -- The ability to disable support for "TLSA 2 [01] [12]" records - that specify the digest of a trust anchor. Postfix 3.2 always - behaves as if "tls_dane_trust_anchor_digest_enable = yes". - -Incompatible changes with snapshot 20161103 -=========================================== - -Postfix 3.2 by default disables the 'transitional' compatibility -between IDNA2003 and IDNA2008, when converting UTF-8 domain names -to/from the ASCII form that is used in DNS lookups. This makes -Postfix behavior consistent with current versions of the Firefox -and Chrome web browsers. Specify "enable_idna2003_compatibility = -yes" for historical behavior. - -This affects the conversion of, for example, the German sz and the -Greek zeta. See http://unicode.org/cldr/utility/idna.jsp for more -examples. - -Major changes with snapshot 20161031 -==================================== - -The smtpd_milter_maps feature supports per-client Milter configuration. -This overrides the global smtpd_milters setting and has the same syntax. A -lookup result of "DISABLE" turns off Milter support. - -Incompatible changes with snapshot 20160925 -=========================================== - -In the Postfix MySQL database client, the default option_group value -has changed to "client", to enable reading of "client" option group -settings in the MySQL options file. This fixes a "not found" problem -with Postfix queries that contain UTF8-encoded non-ASCII text. -Specify an empty option_group value (option_group =) to get -backwards-compatible behavior. - -Major changes with snapshot 20160625 -==================================== - -Support in the Postfix SMTP server for propagating the local SMTP -server IP address and port. This affects the following Postfix -interfaces: - -- Policy delegation. The server address and port are available as -"server_address" and "server_port". See SMTPD_POLICY_README for an -overview of available attributes. - -- Milter applications. The server address and port are available -as "{daemon_addr}" and "{daemon_port}". See MILTER_README for a -table of available attributes. - -- Cyrus SASL. The server address and port are now passed to the -sasl_server_new() function as "ipaddress;port". - -- XCLIENT protocol. The server address and port can be specified -as "DESTADDR" and "DESTPORT". See XCLIENT_README for a description -of the attribute syntax. The new attributes may be of interest for -nxginx. - -Major changes with snapshot 20160527 -==================================== - -Postfix cidr tables now support if..endif, and pattern negation -with "!", just like regexp and pcre tables. The if..endif can speed -up lookups by skipping over irrelevant patterns, and can make rule -maintenance easier because rules for a network can now be placed -inside if..endif. See the cidr_table(5) manpage for syntax details. diff --git a/postfix/RELEASE_NOTES_3.2 b/postfix/RELEASE_NOTES_3.2 new file mode 100644 index 000000000..876d4b7a3 --- /dev/null +++ b/postfix/RELEASE_NOTES_3.2 @@ -0,0 +1,180 @@ +This is the Postfix 3.2 (stable) release. + +The stable Postfix release is called postfix-3.2.x where 3=major +release number, 2=minor release number, x=patchlevel. The stable +release never changes except for patches that address bugs or +emergencies. Patches change the patchlevel and the release date. + +New features are developed in snapshot releases. These are called +postfix-3.3-yyyymmdd where yyyymmdd is the release date (yyyy=year, +mm=month, dd=day). Patches are never issued for snapshot releases; +instead, a new snapshot is released. + +The mail_release_date configuration parameter (format: yyyymmdd) +specifies the release date of a stable release or snapshot release. + +If you upgrade from Postfix 3.0 or earlier, read RELEASE_NOTES-3.1 +before proceeding. + +Invisible changes +----------------- + +In addition to the visible changes described below, there is an +ongoing overhaul of low-level code. With each change come updated +tests to ensure that future changes will not 'break' compatibility +with past behavior. + +Major changes - address mapping +------------------------------- + +[Feature 20170128] Postfix 3.2 fixes the handling of address +extensions with email addresses that contain spaces. For example, +the virtual_alias_maps, canonical_maps, and smtp_generic_maps +features now correctly propagate an address extension from "aa +bb+ext"@example.com to "cc dd+ext"@other.example, instead of +producing broken output. + +Major changes - header/body_checks +---------------------------------- + +[Feature 20161008] "PASS" and "STRIP" actions in header/body_checks. +"STRIP" is similar to "IGNORE" but also logs the action, and "PASS" +disables header, body, and Milter inspection for the remainder of +the message content. Contributed by Hobbit. + +Major changes - log analysis +---------------------------- + +[Feature 20160330] The collate.pl script by Viktor Dukhovni for +grouping Postfix logfile records into "sessions" based on queue ID +and process ID information. It's in the auxiliary/collate directory +of the Postfix source tree. + +Major changes - maps support +---------------------------- + +[Feature 20160527] Postfix 3.2 cidr tables support if/endif and +negation (by prepending ! to a pattern), just like regexp and pcre +tables. The primarily purpose is to improve readability of complex +tables. See the cidr_table(5) manpage for syntax details. + +[Incompat 20160925] In the Postfix MySQL database client, the default +option_group value has changed to "client", to enable reading of +"client" option group settings in the MySQL options file. This fixes +a "not found" problem with Postfix queries that contain UTF8-encoded +non-ASCII text. Specify an empty option_group value (option_group +=) to get backwards-compatible behavior. + +[Feature 20161217] Stored-procedure support for MySQL databases. +Contributed by John Fawcett. See mysql_table(5) for instructions. + +[Feature 20170128] The postmap command, and the inline: and texthash: +maps now support spaces in left-hand field of the lookup table +"source text". Use double quotes (") around a left-hand field that +contains spaces, and use backslash (\) to protect embedded quotes +in a left-hand field. There is no change in the processing of the +right-hand field. + +Major changes - milter support +------------------------------ + +[Feature 20160611] The Postfix SMTP server local IP address and +port are available in the policy delegation protocol (attribute +names: server_address, server_port), in the Milter protocol (macro +names: {daemon_addr}, {daemon_port}), and in the XCLIENT protocol +(attribute names: DESTADDR, DESTPORT). + +[Feature 20161024] smtpd_milter_maps support for per-client Milter +configuration that overrides smtpd_milters, and that has the same +syntax. A lookup result of "DISABLE" turns off Milter support. See +MILTER_README.html for details. + +Major changes - policy delegation +--------------------------------- + +[Feature 20160611] The Postfix SMTP server local IP address and +port are available in the policy delegation protocol (attribute +names: server_address, server_port), in the Milter protocol (macro +names: {daemon_addr}, {daemon_port}), and in the XCLIENT protocol +(attribute names: DESTADDR, DESTPORT). + +Major changes - postqueue +------------------------- + +[Incompat 20170129] The postqueue command no longer forces all +message arrival times to be reported in UTC. To get the old behavior, +set TZ=UTC in main.cf:import_environment (this override is not +recommended, as it affects all Postfix utities and daemons). + +Major changes - safety +---------------------- + +[Incompat 20161227] For safety reasons, the sendmail -C option must +specify an authorized directory: the default configuration directory, +a directory that is listed in the default main.cf file with +alternate_config_directories or multi_instance_directories, or the +command must be invoked with root privileges (UID 0 and EUID 0). +This mitigates a recurring problem with the PHP mail() function. + +Major changes - sasl +-------------------- + +[Feature 20160625] The Postfix SMTP server now passes remote client +and local server network address and port information to the Cyrus +SASL library. Build with ``make makefiles "CCARGS=$CCARGS +-DNO_IP_CYRUS_SASL_AUTH"'' for backwards compatibility. + +Major changes - smtputf8 +------------------------ + +[Feature 20161103] Postfix 3.2 disables the 'transitional' compatibility +between the IDNA2003 and IDNA2008 standards for internationalized +domain names (domain names beyond the limits of US-ASCII). + +This change makes Postfix behavior consistent with contemporary web +browsers. It affects the handling of some corner cases such as +German sz and Greek zeta. See http://unicode.org/cldr/utility/idna.jsp +for more examples. + +Specify "enable_idna2003_compatibility = yes" to restore historical +behavior (but keep in mind that the rest of the world may not make +that same choice). + +Major changes - tls +------------------- + +[Feature 20160828] Fixes for deprecated OpenSSL 1.1.0 API features, +so that Postfix will build without depending on backwards-compatibility +support. + +[Incompat 20161204] Postfix 3.2 removes tentative features that +were implemented before the DANE spec was finalized: + +- Support for certificate usage PKIX-EE(1), + +- The ability to disable digest agility (Postfix now behaves as if + "tls_dane_digest_agility = on"), and + +- The ability to disable support for "TLSA 2 [01] [12]" records + that specify the digest of a trust anchor (Postfix now behaves + as if "tls_dane_trust_anchor_digest_enable = yes). + +[Feature 20161217] Postfix 3.2 enables elliptic curve negotiation +with OpenSSL >= 1.0.2. This changes the default smtpd_tls_eecdh_grade +setting to "auto", and introduces a new parameter tls_eecdh_auto_curves +with the names of curves that may be negotiated. + +The default tls_eecdh_auto_curves setting is determined at compile +time, and depends on the Postfix and OpenSSL versions. At runtime, +Postfix will skip curve names that aren't supported by the OpenSSL +library. + +Major changes - xclient +----------------------- + +[Feature 20160611] The Postfix SMTP server local IP address and +port are available in the policy delegation protocol (attribute +names: server_address, server_port), in the Milter protocol (macro +names: {daemon_addr}, {daemon_port}), and in the XCLIENT protocol +(attribute names: DESTADDR, DESTPORT). + diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 4dfd5d854..bdeffc8d5 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -784,16 +784,21 @@ cannot match Postfix access tables, because the address is ambiguous.

A list of non-default Postfix configuration directories that may be specified with "-c config_directory" on the command line (in the -case of sendmail(1), with "-C config_directory"), or via the MAIL_CONFIG +case of sendmail(1), with the "-C" option), or via the MAIL_CONFIG environment parameter.

-This list must be specified in the default Postfix configuration -directory, and is used by set-gid Postfix commands such as postqueue(1) +This list must be specified in the default Postfix main.cf file, +and will be used by set-gid Postfix commands such as postqueue(1) and postdrop(1).

+

+Specify absolute pathnames, separated by comma or space. Note: $name +expansion is not supported. +

+ diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index bbdc24eb2..ffecdf307 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -462,12 +462,15 @@ cannot match Postfix access tables, because the address is ambiguous. .SH alternate_config_directories (default: empty) A list of non\-default Postfix configuration directories that may be specified with "\-c config_directory" on the command line (in the -case of \fBsendmail\fR(1), with "\-C config_directory"), or via the MAIL_CONFIG +case of \fBsendmail\fR(1), with the "\-C" option), or via the MAIL_CONFIG environment parameter. .PP -This list must be specified in the default Postfix configuration -directory, and is used by set\-gid Postfix commands such as \fBpostqueue\fR(1) +This list must be specified in the default Postfix main.cf file, +and will be used by set\-gid Postfix commands such as \fBpostqueue\fR(1) and \fBpostdrop\fR(1). +.PP +Specify absolute pathnames, separated by comma or space. Note: $name +expansion is not supported. .SH always_add_missing_headers (default: no) Always add (Resent\-) From:, To:, Date: or Message\-ID: headers when not present. Postfix 2.6 and later add these headers only diff --git a/postfix/mantools/make-relnotes b/postfix/mantools/make-relnotes index 4d07e6632..f5d26f37b 100755 --- a/postfix/mantools/make-relnotes +++ b/postfix/mantools/make-relnotes @@ -3,12 +3,14 @@ # Transform RELEASE_NOTES, split into "leader", and "major changes", # split into major categories, and prepend dates to paragraphs. # -# Input format: the leader text is copied verbatim; each paragraph -# starts with [class, class] where a class specifies one or more -# categories that the change should be listed under. Adding class -# info is the only manual processing needed to go from a RELEASE_NOTES -# file to the transformed representation. -# +# Input format: the leader text is copied verbatim; each section +# starts with "Incompatible changes with snapshot YYYYMMDD" or "Major +# changes with snapshot YYYYMMDD"; each paragraph starts with [class, +# class] where a class specifies one or more categories that the +# change should be listed under. Adding class info is the only manual +# processing needed to go from a RELEASE_NOTES file to the transformed +# representation. +# # Output format: each category is printed with a little header and # each paragraph is tagged with [Incompat yyyymmdd] or with [Feature # yyyymmdd]. diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 69c80f83b..8394f75c6 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -7126,16 +7126,21 @@ probes, and generates probes on request by other Postfix processes.

A list of non-default Postfix configuration directories that may be specified with "-c config_directory" on the command line (in the -case of sendmail(1), with "-C config_directory"), or via the MAIL_CONFIG +case of sendmail(1), with the "-C" option), or via the MAIL_CONFIG environment parameter.

-This list must be specified in the default Postfix configuration -directory, and is used by set-gid Postfix commands such as postqueue(1) +This list must be specified in the default Postfix main.cf file, +and will be used by set-gid Postfix commands such as postqueue(1) and postdrop(1).

+

+Specify absolute pathnames, separated by comma or space. Note: $name +expansion is not supported. +

+ %PARAM append_at_myorigin yes

diff --git a/postfix/src/global/mail_conf.c b/postfix/src/global/mail_conf.c index 5ffbbf460..47808398b 100644 --- a/postfix/src/global/mail_conf.c +++ b/postfix/src/global/mail_conf.c @@ -31,8 +31,18 @@ /* const char *mail_conf_lookup_eval(name) /* const char *name; /* DESCRIPTION -/* mail_conf_suck() reads the global Postfix configuration file, and -/* stores its values into a global configuration dictionary. +/* mail_conf_suck() reads the global Postfix configuration +/* file, and stores its values into a global configuration +/* dictionary. When the configuration directory name is not +/* trusted, this function requires that the directory name is +/* authorized with the alternate_config_directories setting +/* in the default main.cf file. +/* +/* This function requires that all configuration directory +/* override mechanisms set the MAIL_CONFIG environment variable, +/* even if the override was specified via the command line. +/* This reduces the number of pathways that need to be checked +/* for possible security attacks. /* /* mail_conf_read() invokes mail_conf_suck() and assigns the values /* to global variables by calling mail_params_init(). @@ -197,8 +207,8 @@ void mail_conf_suck(void) set_mail_conf_str(VAR_CONFIG_DIR, var_config_dir); /* - * If the configuration directory name comes from a different trust - * domain, require that it is listed in the default main.cf file. + * If the configuration directory name comes from an untrusted source, + * require that it is listed in the default main.cf file. */ if (strcmp(var_config_dir, DEF_CONFIG_DIR) != 0 /* non-default */ && unsafe()) /* untrusted env and cli */ diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 4c2948526..647f88ea6 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20170206" -#define MAIL_VERSION_NUMBER "3.2" +#define MAIL_RELEASE_DATE "20170212" +#define MAIL_VERSION_NUMBER "3.3" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff --git a/postfix/src/postsuper/postsuper.c b/postfix/src/postsuper/postsuper.c index a6293de43..2bad6f320 100644 --- a/postfix/src/postsuper/postsuper.c +++ b/postfix/src/postsuper/postsuper.c @@ -1239,7 +1239,7 @@ int main(int argc, char **argv) mail_conf_read(); /* Enforce consistent operation of different Postfix parts. */ import_env = mail_parm_split(VAR_IMPORT_ENVIRON, var_import_environ); - clean_env(import_env->argv); + update_env(import_env->argv); argv_free(import_env); /* Re-evaluate mail_task() after reading main.cf. */ msg_syslog_init(mail_task(argv[0]), LOG_PID, LOG_FACILITY); diff --git a/postfix/src/util/unsafe.c b/postfix/src/util/unsafe.c index 47d886a4e..6c0358ec7 100644 --- a/postfix/src/util/unsafe.c +++ b/postfix/src/util/unsafe.c @@ -8,19 +8,20 @@ /* /* int unsafe() /* DESCRIPTION -/* The \fBunsafe()\fR routine attempts to determine if the process runs -/* with any privileges that do not belong to the user. The purpose is -/* to make it easy to taint any user-provided data such as the current -/* working directory, the process environment, etcetera. +/* The \fBunsafe()\fR routine attempts to determine if the process +/* (runs with privileges or has access to information) that the +/* controlling user has no access to. The purpose is to prevent +/* misuse of privileges, including access to protected information. /* -/* On UNIX systems, the result is true when any of the following -/* conditions is true: +/* The result is always false when both of the following conditions +/* are true: /* .IP \(bu -/* The real UID is non-zero. +/* The real UID is zero. /* .IP \(bu -/* The effective UID is non-zero. +/* The effective UID is zero. /* .PP -/* Additionally, any of the following conditions must be true: +/* Otherwise, the result is true if any of the following conditions +/* is true: /* .IP \(bu /* The issetuid kernel flag is non-zero (on systems that support /* this concept). @@ -28,10 +29,6 @@ /* The real and effective user id differ. /* .IP \(bu /* The real and effective group id differ. -/* .PP -/* Thus, when a process runs as the super-user, it is excluded -/* from privilege-escalation concerns, but only if both real -/* UID and effective UID are zero. /* LICENSE /* .ad /* .fi @@ -56,10 +53,20 @@ int unsafe(void) { - return ((getuid() || geteuid()) - && (geteuid() != getuid() + + /* + * The super-user is trusted. + */ + if (getuid() == 0 && geteuid() == 0) + return (0); + + /* + * Danger: don't trust inherited process attributes, and don't leak + * privileged info that the parent has no access to. + */ + return (geteuid() != getuid() #ifdef HAS_ISSETUGID - || issetugid() + || issetugid() #endif - || getgid() != getegid())); + || getgid() != getegid()); }