From b558caf8fde04d2ef15c247d95c4579dd95cc1fc Mon Sep 17 00:00:00 2001
From: Wietse Venema
Date: Tue, 8 Jun 2010 00:00:00 -0500
Subject: [PATCH] postfix-2.6.7

---
 postfix/HISTORY | 29 ++++++++++++++++++++++
 postfix/html/postconf.5.html | 41 +++++++++++++++++++++----------
 postfix/makedefs | 5 ++++
 postfix/man/man5/postconf.5 | 41 +++++++++++++++++++++----------
 postfix/proto/postconf.proto | 41 +++++++++++++++++++++----------
 postfix/src/dns/dns.h | 3 +++
 postfix/src/global/dict_ldap.c | 12 ++++++++-
 postfix/src/global/mail_params.h | 19 +++++++++++---
 postfix/src/global/mail_version.h | 4 +--
 postfix/src/smtp/smtp_proto.c | 35 +++++++++++++++++---------
 postfix/src/tls/tls_certkey.c | 2 +-
 postfix/src/tls/tls_client.c | 2 +-
 postfix/src/tls/tls_dh.c | 2 +-
 postfix/src/tls/tls_server.c | 2 +-
 postfix/src/util/dict_db.c | 2 +-
 postfix/src/util/sys_defs.h | 1 -
 16 files changed, 177 insertions(+), 64 deletions(-)

diff --git a/postfix/HISTORY b/postfix/HISTORY
index 35a4f1d37..fb86fb8fd 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -15338,3 +15338,32 @@ Apologies for any names omitted. a mailbox address inside <>, which broke expectations. RFC 2821 (and 5321) is vague about the VRFY request format, but spends lots of text on the reply format. File: smtpd/smtpd.c. + +20100515 + + Bugfix (introduced Postfix 2.6): the Postfix SMTP client + XFORWARD implementation did not skip "unknown" SMTP client + attributes, causing a syntax error when sending a PORT + attribute. Reported by Victor Duchovni. File: smtp/smtp_proto.c. + +20100529 + + Portability: OpenSSL 1.0.0 changes the priority of anonymous + cyphers. Victor Duchovni. Files: postconf.proto, + global/mail_params.h, tls/tls_certkey.c, tls/tls_client.c, + tls/tls_dh.c, tls/tls_server.c. + + Portability: Mac OS 10.6.3 requires + instead of . Files: makedefs, util/sys_defs.h, + dns/dns.h. + +20100531 + + Robustness: skip LDAP queries with non-ASCII search strings. + The LDAP library requires well-formed UTF-8. Victor Duchovni. + File: global/dict_ldap.c. + +20100601 + + Portability: Berkeley DB 5.x has the same API as Berkeley + DB 4.1 and later. File: util/dict_db.c. diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 48c7003db..701485daa 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -4279,7 +4279,7 @@ configuration parameter. See there for details.

parameter. See there for details.

This feature is available in Postfix 2.6 and later, when Postfix is -compiled and linked with OpenSSL 0.9.9 or later.

+compiled and linked with OpenSSL 1.0.0 or later.

@@ -4291,7 +4291,7 @@ compiled and linked with OpenSSL 0.9.9 or later.

parameter. See there for details.

This feature is available in Postfix 2.6 and later, when Postfix is -compiled and linked with OpenSSL 0.9.9 or later.

+compiled and linked with OpenSSL 1.0.0 or later.

@@ -9081,7 +9081,7 @@ This file may also contain the Postfix SMTP client ECDSA private key.

This feature is available in Postfix 2.6 and later, when Postfix is -compiled and linked with OpenSSL 0.9.9 or later.

+compiled and linked with OpenSSL 1.0.0 or later.

@@ -9099,7 +9099,7 @@ access to the system superuser account ("root"), and no access to anyone else.

This feature is available in Postfix 2.6 and later, when Postfix is -compiled and linked with OpenSSL 0.9.9 or later.

+compiled and linked with OpenSSL 1.0.0 or later.

@@ -12534,7 +12534,7 @@ This file may also contain the Postfix SMTP server private ECDSA key.

This feature is available in Postfix 2.6 and later, when Postfix is -compiled and linked with OpenSSL 0.9.9 or later.

+compiled and linked with OpenSSL 1.0.0 or later.

@@ -12552,7 +12552,7 @@ access to the system superuser account ("root"), and no access to anyone else.

This feature is available in Postfix 2.6 and later, when Postfix is -compiled and linked with OpenSSL 0.9.9 or later.

+compiled and linked with OpenSSL 1.0.0 or later.

@@ -12586,7 +12586,7 @@ users.

This feature is available in Postfix 2.6 and later, when it is -compiled and linked with OpenSSL 0.9.9 or later.

+compiled and linked with OpenSSL 1.0.0 or later.

@@ -13380,7 +13380,7 @@ under the SECG name "secp256r1", but OpenSSL does not recognize the latter name.

This feature is available in Postfix 2.6 and later, when it is -compiled and linked with OpenSSL 0.9.9 or later.

+compiled and linked with OpenSSL 1.0.0 or later.

@@ -13403,7 +13403,7 @@ of RFC 4492. You should not gen classified as TOP SECRET.

This feature is available in Postfix 2.6 and later, when it is -compiled and linked with OpenSSL 0.9.9 or later.

+compiled and linked with OpenSSL 1.0.0 or later.

@@ -13416,7 +13416,11 @@ defines the meaning of the "export" setting in smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is the cipherlist for the opportunistic ("may") TLS client security level and is the default cipherlist for the SMTP server. You are -strongly encouraged to not change this setting.

+strongly encouraged to not change this setting. With OpenSSL 1.0.0 and +later the cipherlist may start with an "aNULL:" prefix, which restores +the 0.9.8-compatible ordering of the aNULL ciphers to the top of the +list when they are enabled. This prefix is not needed with previous +OpenSSL releases.

This feature is available in Postfix 2.3 and later.

@@ -13429,7 +13433,11 @@ strongly encouraged to not change this setting.

The OpenSSL cipherlist for "HIGH" grade ciphers. This defines the meaning of the "high" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are -strongly encouraged to not change this setting.

+strongly encouraged to not change this setting. With OpenSSL 1.0.0 and +later the cipherlist may start with an "aNULL:" prefix, which restores +the 0.9.8-compatible ordering of the aNULL ciphers to the top of the +list when they are enabled. This prefix is not needed with previous +OpenSSL releases.

This feature is available in Postfix 2.3 and later.

@@ -13442,7 +13450,11 @@ strongly encouraged to not change this setting.

The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines the meaning of the "low" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are -strongly encouraged to not change this setting.

+strongly encouraged to not change this setting. With OpenSSL 1.0.0 and +later the cipherlist may start with an "aNULL:" prefix, which restores +the 0.9.8-compatible ordering of the aNULL ciphers to the top of the +list when they are enabled. This prefix is not needed with previous +OpenSSL releases.

This feature is available in Postfix 2.3 and later.

@@ -13458,7 +13470,10 @@ defines the meaning of the "medium" setting in

This feature is available in Postfix 2.3 and later.

diff --git a/postfix/makedefs b/postfix/makedefs index 320c9ff46..75ff5f40d 100644 --- a/postfix/makedefs +++ b/postfix/makedefs @@ -412,6 +412,11 @@ ReliantUNIX-?.5.43) SYSTYPE=ReliantUnix543 [1-6].*) CCARGS="$CCARGS -DNO_IPV6";; *) CCARGS="$CCARGS -DBIND_8_COMPAT -DNO_NETINFO";; esac + # Darwin 10.3.0 no longer has . + case $RELEASE in + ?.*) CCARGS="$CCARGS -DRESOLVE_H_NEEDS_NAMESER8_COMPAT_H";; + *) CCARGS="$CCARGS -DRESOLVE_H_NEEDS_ARPA_NAMESER_COMPAT_H";; + esac # kqueue and/or poll are broken up to and including MacOS X 10.5 CCARGS="$CCARGS -DNO_KQUEUE" # # Darwin 8.11.1 has kqueue support, but let's play safe diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index b85d17877..ee6788987 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -2326,13 +2326,13 @@ The LMTP-specific version of the smtp_tls_eccert_file configuration parameter. See there for details. .PP This feature is available in Postfix 2.6 and later, when Postfix is -compiled and linked with OpenSSL 0.9.9 or later. +compiled and linked with OpenSSL 1.0.0 or later. .SH lmtp_tls_eckey_file (default: empty) The LMTP-specific version of the smtp_tls_eckey_file configuration parameter. See there for details. .PP This feature is available in Postfix 2.6 and later, when Postfix is -compiled and linked with OpenSSL 0.9.9 or later. +compiled and linked with OpenSSL 1.0.0 or later. .SH lmtp_tls_enforce_peername (default: yes) The LMTP-specific version of the smtp_tls_enforce_peername configuration parameter. See there for details. @@ -5221,7 +5221,7 @@ smtp_tls_eccert_file = /etc/postfix/ecdsa-ccert.pem .ft R .PP This feature is available in Postfix 2.6 and later, when Postfix is -compiled and linked with OpenSSL 0.9.9 or later. +compiled and linked with OpenSSL 1.0.0 or later. .SH smtp_tls_eckey_file (default: $smtp_tls_eccert_file) File with the Postfix SMTP client ECDSA private key in PEM format. This file may be combined with the Postfix SMTP client ECDSA 
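Review bot: The `?.*` pattern in the new `case $RELEASE` keys on a single-digit major version only, so Darwin 10.0.0 through 10.2.0 are sent to `-DRESOLVE_H_NEEDS_ARPA_NAMESER_COMPAT_H` although the comment just above only vouches for 10.3.0; if those earlier 10.x releases lack the arpa compat header, their builds break at the dns.h include. Either narrow the assumption in the comment, e.g. `# Darwin 10.x (Mac OS X 10.6): use <arpa/nameser_compat.h>; 10.3.0 dropped <nameser8_compat.h>`, or make the pattern name the releases that were actually checked. The header name in the existing comment was lost in this rendering (`no longer has .`), so confirm the wording in the file itself. The enclosing case arm for Darwin starts and ends outside the hunk.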
@@ -5233,7 +5233,7 @@ access to the system superuser account ("root"), and no access to anyone else. .PP This feature is available in Postfix 2.6 and later, when Postfix is -compiled and linked with OpenSSL 0.9.9 or later. +compiled and linked with OpenSSL 1.0.0 or later. .SH smtp_tls_enforce_peername (default: yes) With mandatory TLS encryption, require that the remote SMTP server hostname matches the information in the remote SMTP server @@ -7820,7 +7820,7 @@ smtpd_tls_eccert_file = /etc/postfix/ecdsa-scert.pem .ft R .PP This feature is available in Postfix 2.6 and later, when Postfix is -compiled and linked with OpenSSL 0.9.9 or later. +compiled and linked with OpenSSL 1.0.0 or later. .SH smtpd_tls_eckey_file (default: $smtpd_tls_eccert_file) File with the Postfix SMTP server ECDSA private key in PEM format. This file may be combined with the Postfix SMTP server ECDSA certificate @@ -7832,7 +7832,7 @@ access to the system superuser account ("root"), and no access to anyone else. .PP This feature is available in Postfix 2.6 and later, when Postfix is -compiled and linked with OpenSSL 0.9.9 or later. +compiled and linked with OpenSSL 1.0.0 or later. .SH smtpd_tls_eecdh_grade (default: see "postconf -d" output) The Postfix SMTP server security grade for ephemeral elliptic-curve Diffie-Hellman (EECDH) key exchange. @@ -7856,7 +7856,7 @@ elliptic curve crypto-systems, the "strong" curve is sufficient for most users. .PP This feature is available in Postfix 2.6 and later, when it is -compiled and linked with OpenSSL 0.9.9 or later. +compiled and linked with OpenSSL 1.0.0 or later. .SH smtpd_tls_exclude_ciphers (default: empty) List of ciphers or cipher types to exclude from the SMTP server cipher list at all TLS security levels. Excluding valid ciphers 
@@ -8437,7 +8437,7 @@ under the SECG name "secp256r1", but OpenSSL does not recognize the latter name. .PP This feature is available in Postfix 2.6 and later, when it is -compiled and linked with OpenSSL 0.9.9 or later. +compiled and linked with OpenSSL 1.0.0 or later. .SH tls_eecdh_ultra_curve (default: secp384r1) The elliptic curve used by the SMTP server for maximally strong ephemeral ECDH key exchange. This curve is used by the Postfix SMTP 
@@ -8454,28 +8454,40 @@ This default "ultra" curve is specified in NSA "Suite B" Cryptography classified as TOP SECRET. .PP This feature is available in Postfix 2.6 and later, when it is -compiled and linked with OpenSSL 0.9.9 or later. +compiled and linked with OpenSSL 1.0.0 or later. .SH tls_export_cipherlist (default: ALL:+RC4:@STRENGTH) The OpenSSL cipherlist for "EXPORT" or higher grade ciphers. This defines the meaning of the "export" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is the cipherlist for the opportunistic ("may") TLS client security level and is the default cipherlist for the SMTP server. You are -strongly encouraged to not change this setting. +strongly encouraged to not change this setting. With OpenSSL 1.0.0 and +later the cipherlist may start with an "aNULL:" prefix, which restores +the 0.9.8-compatible ordering of the aNULL ciphers to the top of the +list when they are enabled. This prefix is not needed with previous +OpenSSL releases. .PP This feature is available in Postfix 2.3 and later. .SH tls_high_cipherlist (default: ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH) The OpenSSL cipherlist for "HIGH" grade ciphers. This defines the meaning of the "high" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are -strongly encouraged to not change this setting. +strongly encouraged to not change this setting. With OpenSSL 1.0.0 and +later the cipherlist may start with an "aNULL:" prefix, which restores +the 0.9.8-compatible ordering of the aNULL ciphers to the top of the +list when they are enabled. This prefix is not needed with previous +OpenSSL releases. .PP This feature is available in Postfix 2.3 and later. .SH tls_low_cipherlist (default: ALL:!EXPORT:+RC4:@STRENGTH) The OpenSSL cipherlist for "LOW" or higher grade ciphers. 
This defines the meaning of the "low" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are -strongly encouraged to not change this setting. +strongly encouraged to not change this setting. With OpenSSL 1.0.0 and +later the cipherlist may start with an "aNULL:" prefix, which restores +the 0.9.8-compatible ordering of the aNULL ciphers to the top of the +list when they are enabled. This prefix is not needed with previous +OpenSSL releases. .PP This feature is available in Postfix 2.3 and later. .SH tls_medium_cipherlist (default: ALL:!EXPORT:!LOW:+RC4:@STRENGTH) @@ -8485,7 +8497,10 @@ smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is the default cipherlist for mandatory TLS encryption in the TLS client (with anonymous ciphers disabled when verifying server certificates). You are strongly encouraged to not change this -setting. +setting. With OpenSSL 1.0.0 and later the cipherlist may start with an +"aNULL:" prefix, which restores the 0.9.8-compatible ordering of the +aNULL ciphers to the top of the list when they are enabled. This prefix +is not needed with previous OpenSSL releases. .PP This feature is available in Postfix 2.3 and later. .SH tls_null_cipherlist (default: eNULL:!aNULL) diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index ae69f8d3a..eb30b1902 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -10891,7 +10891,11 @@ attribute. See smtp_tls_policy_maps for notes and examples.

The OpenSSL cipherlist for "HIGH" grade ciphers. This defines the meaning of the "high" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are -strongly encouraged to not change this setting.

+strongly encouraged to not change this setting. With OpenSSL 1.0.0 and +later the cipherlist may start with an "aNULL:" prefix, which restores +the 0.9.8-compatible ordering of the aNULL ciphers to the top of the +list when they are enabled. This prefix is not needed with previous +OpenSSL releases.

This feature is available in Postfix 2.3 and later.

@@ -10903,7 +10907,10 @@ smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is the default cipherlist for mandatory TLS encryption in the TLS client (with anonymous ciphers disabled when verifying server certificates). You are strongly encouraged to not change this -setting.

+setting. With OpenSSL 1.0.0 and later the cipherlist may start with an +"aNULL:" prefix, which restores the 0.9.8-compatible ordering of the +aNULL ciphers to the top of the list when they are enabled. This prefix +is not needed with previous OpenSSL releases.

This feature is available in Postfix 2.3 and later.

@@ -10912,7 +10919,11 @@ setting.

The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines the meaning of the "low" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are -strongly encouraged to not change this setting.

+strongly encouraged to not change this setting. With OpenSSL 1.0.0 and +later the cipherlist may start with an "aNULL:" prefix, which restores +the 0.9.8-compatible ordering of the aNULL ciphers to the top of the +list when they are enabled. This prefix is not needed with previous +OpenSSL releases.

This feature is available in Postfix 2.3 and later.

@@ -10923,7 +10934,11 @@ defines the meaning of the "export" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is the cipherlist for the opportunistic ("may") TLS client security level and is the default cipherlist for the SMTP server. You are -strongly encouraged to not change this setting.

+strongly encouraged to not change this setting. With OpenSSL 1.0.0 and +later the cipherlist may start with an "aNULL:" prefix, which restores +the 0.9.8-compatible ordering of the aNULL ciphers to the top of the +list when they are enabled. This prefix is not needed with previous +OpenSSL releases.

This feature is available in Postfix 2.3 and later.

@@ -11449,7 +11464,7 @@ under the SECG name "secp256r1", but OpenSSL does not recognize the latter name.

This feature is available in Postfix 2.6 and later, when it is -compiled and linked with OpenSSL 0.9.9 or later.

+compiled and linked with OpenSSL 1.0.0 or later.

%PARAM tls_eecdh_ultra_curve secp384r1 @@ -11468,7 +11483,7 @@ of RFC 4492. You should not generally change this setting.

classified as TOP SECRET.

This feature is available in Postfix 2.6 and later, when it is -compiled and linked with OpenSSL 0.9.9 or later.

+compiled and linked with OpenSSL 1.0.0 or later.

%PARAM smtpd_tls_eecdh_grade see "postconf -d" output @@ -11498,7 +11513,7 @@ users.

This feature is available in Postfix 2.6 and later, when it is -compiled and linked with OpenSSL 0.9.9 or later.

+compiled and linked with OpenSSL 1.0.0 or later.

%PARAM smtpd_tls_eccert_file @@ -11514,7 +11529,7 @@ smtpd_tls_eccert_file = /etc/postfix/ecdsa-scert.pem

This feature is available in Postfix 2.6 and later, when Postfix is -compiled and linked with OpenSSL 0.9.9 or later.

+compiled and linked with OpenSSL 1.0.0 or later.

%PARAM smtpd_tls_eckey_file $smtpd_tls_eccert_file @@ -11528,7 +11543,7 @@ access to the system superuser account ("root"), and no access to anyone else.

This feature is available in Postfix 2.6 and later, when Postfix is -compiled and linked with OpenSSL 0.9.9 or later.

+compiled and linked with OpenSSL 1.0.0 or later.

%PARAM smtp_tls_eccert_file @@ -11545,7 +11560,7 @@ smtp_tls_eccert_file = /etc/postfix/ecdsa-ccert.pem

This feature is available in Postfix 2.6 and later, when Postfix is -compiled and linked with OpenSSL 0.9.9 or later.

+compiled and linked with OpenSSL 1.0.0 or later.

%PARAM smtp_tls_eckey_file $smtp_tls_eccert_file @@ -11559,7 +11574,7 @@ access to the system superuser account ("root"), and no access to anyone else.

This feature is available in Postfix 2.6 and later, when Postfix is -compiled and linked with OpenSSL 0.9.9 or later.

+compiled and linked with OpenSSL 1.0.0 or later.

%PARAM lmtp_tls_eccert_file @@ -11567,7 +11582,7 @@ compiled and linked with OpenSSL 0.9.9 or later.

parameter. See there for details.

This feature is available in Postfix 2.6 and later, when Postfix is -compiled and linked with OpenSSL 0.9.9 or later.

+compiled and linked with OpenSSL 1.0.0 or later.

%PARAM lmtp_tls_eckey_file @@ -11575,7 +11590,7 @@ compiled and linked with OpenSSL 0.9.9 or later.

parameter. See there for details.

This feature is available in Postfix 2.6 and later, when Postfix is -compiled and linked with OpenSSL 0.9.9 or later.

+compiled and linked with OpenSSL 1.0.0 or later.

%PARAM smtp_header_checks
diff --git a/postfix/src/dns/dns.h b/postfix/src/dns/dns.h
index e95fa67c0..74e6cf6af 100644
--- a/postfix/src/dns/dns.h
+++ b/postfix/src/dns/dns.h
@@ -22,6 +22,9 @@
 #ifdef RESOLVE_H_NEEDS_NAMESER8_COMPAT_H
 #include
 #endif
+#ifdef RESOLVE_H_NEEDS_ARPA_NAMESER_COMPAT_H
+#include
+#endif
 #include
 /*
diff --git a/postfix/src/global/dict_ldap.c b/postfix/src/global/dict_ldap.c
index 935f194ab..db91011f0 100644
--- a/postfix/src/global/dict_ldap.c
+++ b/postfix/src/global/dict_ldap.c
@@ -1082,12 +1082,21 @@ static const char *dict_ldap_lookup(DICT *dict, const char *name)
 static VSTRING *result;
 int rc = 0;
 int sizelimit;
+ const char *cp;
 dict_errno = 0;
 if (msg_verbose)
 msg_info("%s: In dict_ldap_lookup", myname);
+ for (cp = name; *cp; ++cp)
+ if (!ISASCII(*cp)) {
+ if (msg_verbose)
+ msg_info("%s: %s: Skipping lookup of non-ASCII key '%s'",
+ myname, dict_ldap->parser->name, name);
+ return (0);
+ }
+
 /*
 * Optionally fold the key.
 */
@@ -1105,7 +1114,8 @@ static const char *dict_ldap_lookup(DICT *dict, const char *name)
 */
 if (db_common_check_domain(dict_ldap->ctx, name) == 0) {
 if (msg_verbose)
- msg_info("%s: Skipping lookup of '%s'", myname, name);
+ msg_info("%s: %s: Skipping lookup of key '%s': domain mismatch",
+ myname, dict_ldap->parser->name, name);
 return (0);
 }
 #define INIT_VSTR(buf, len) do { \
diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h
index 5237f2572..8afc34ca8 100644
--- a/postfix/src/global/mail_params.h
+++ b/postfix/src/global/mail_params.h
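Review bot: The non-ASCII guard added to dict_ldap_lookup returns 0 with dict_errno left at 0, so a key containing any byte above 0x7f is reported as "not found" rather than as a lookup error; for an LDAP table used in access or relay restrictions that is a fail-open outcome (a matching REJECT entry can never be reached for such a key), whereas a malformed query presumably produced a temporary failure before. If that is the intended trade-off, state it at the check rather than only in a verbose-mode log line: `/* Non-ASCII keys are reported as "not found", not as an error: the LDAP library requires UTF-8 and we do not validate it. */`. The test also rejects well-formed UTF-8 keys, which is stricter than the changelog's "requires well-formed UTF-8" wording and worth saying in the same comment. `ISASCII(*cp)` is applied to a plain char; that is only safe if the project's macro casts to unsigned char first, which the hunk does not show. dict_ldap_lookup's body continues past the hunk.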
@@ -2875,20 +2875,31 @@ extern bool var_smtp_cname_overr;
 /*
 * TLS cipherlists
 */
+#ifdef USE_TLS
+#include
+#if OPENSSL_VERSION_NUMBER >= 0x1000000fL
+#define PREFER_aNULL "aNULL:-aNULL:"
+#else
+#define PREFER_aNULL ""
+#endif
+#else
+#define PREFER_aNULL ""
+#endif
+
 #define VAR_TLS_HIGH_CLIST "tls_high_cipherlist"
-#define DEF_TLS_HIGH_CLIST "ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH"
+#define DEF_TLS_HIGH_CLIST PREFER_aNULL "ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH"
 extern char *var_tls_high_clist;
 #define VAR_TLS_MEDIUM_CLIST "tls_medium_cipherlist"
-#define DEF_TLS_MEDIUM_CLIST "ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
+#define DEF_TLS_MEDIUM_CLIST PREFER_aNULL "ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
 extern char *var_tls_medium_clist;
 #define VAR_TLS_LOW_CLIST "tls_low_cipherlist"
-#define DEF_TLS_LOW_CLIST "ALL:!EXPORT:+RC4:@STRENGTH"
+#define DEF_TLS_LOW_CLIST PREFER_aNULL "ALL:!EXPORT:+RC4:@STRENGTH"
 extern char *var_tls_low_clist;
 #define VAR_TLS_EXPORT_CLIST "tls_export_cipherlist"
-#define DEF_TLS_EXPORT_CLIST "ALL:+RC4:@STRENGTH"
+#define DEF_TLS_EXPORT_CLIST PREFER_aNULL "ALL:+RC4:@STRENGTH"
 extern char *var_tls_export_clist;
 #define VAR_TLS_NULL_CLIST "tls_null_cipherlist"
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index a19d850aa..a6661fcc6 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,8 +20,8 @@
 * Patches change both the patchlevel and the release date. Snapshots have no
 * patchlevel; they change the release date only.
 */
-#define MAIL_RELEASE_DATE "20100319"
-#define MAIL_VERSION_NUMBER "2.6.6"
+#define MAIL_RELEASE_DATE "20100608"
+#define MAIL_VERSION_NUMBER "2.6.7"
 #ifdef SNAPSHOT
 # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
diff --git a/postfix/src/smtp/smtp_proto.c b/postfix/src/smtp/smtp_proto.c
index c74b5fbce..0b69c0b63 100644
--- a/postfix/src/smtp/smtp_proto.c
+++ b/postfix/src/smtp/smtp_proto.c
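Review bot: The `PREFER_aNULL` idiom is left unexplained: `"aNULL:-aNULL:"` lists the anonymous ciphers first, immediately deletes them, and relies on the `ALL` that follows in each default re-adding them at their original head position, which is how the 0.9.8 ordering that OpenSSL 1.0.0 changed is restored. Because this decides whether the SMTP server at the opportunistic level prefers an unauthenticated anonymous-DH suite over a certificate-authenticated one, the macro deserves a comment such as `/* OpenSSL 1.0.0 sorts aNULL last; "aNULL:-aNULL:" before ALL re-adds them at the head (0.9.8 order). No effect where aNULL is excluded, e.g. the verifying TLS client. */`. mail_params.h now includes the OpenSSL version header under USE_TLS, so every TLS-enabled compilation unit that includes this header needs the OpenSSL include path; a one-line comment at that `#include` saying it exists only for OPENSSL_VERSION_NUMBER would make the coupling deliberate. Note that the `(default: ...)` strings in the man page hunks of this same patch still show the lists without the prefix and only the prose mentions it, so `postconf -d` and the manual will differ on 1.0.0 builds.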
@@ -1205,20 +1205,31 @@ static int smtp_loop(SMTP_STATE *state, NOCLOBBER int send_state,
 * information, the command length stays within the 512 byte
 * command line length limit.
 */
+#ifndef CAN_FORWARD_CLIENT_NAME
+#define _ATTR_AVAIL_AND_KNOWN_(val) \
+ (DEL_REQ_ATTR_AVAIL(val) && strcasecmp((val), "unknown"))
+#define CAN_FORWARD_CLIENT_NAME _ATTR_AVAIL_AND_KNOWN_
+#define CAN_FORWARD_CLIENT_ADDR _ATTR_AVAIL_AND_KNOWN_
+#define CAN_FORWARD_CLIENT_PORT _ATTR_AVAIL_AND_KNOWN_
+#define CAN_FORWARD_PROTO_NAME _ATTR_AVAIL_AND_KNOWN_
+#define CAN_FORWARD_HELO_NAME DEL_REQ_ATTR_AVAIL
+#define CAN_FORWARD_RWR_CONTEXT DEL_REQ_ATTR_AVAIL
+#endif
+
 case SMTP_STATE_XFORWARD_NAME_ADDR:
 vstring_strcpy(next_command, XFORWARD_CMD);
 if ((session->features & SMTP_FEATURE_XFORWARD_NAME)
- && DEL_REQ_ATTR_AVAIL(request->client_name)) {
+ && CAN_FORWARD_CLIENT_NAME(request->client_name)) {
 vstring_strcat(next_command, " " XFORWARD_NAME "=");
 xtext_quote_append(next_command, request->client_name, "");
 }
 if ((session->features & SMTP_FEATURE_XFORWARD_ADDR)
- && DEL_REQ_ATTR_AVAIL(request->client_addr)) {
+ && CAN_FORWARD_CLIENT_ADDR(request->client_addr)) {
 vstring_strcat(next_command, " " XFORWARD_ADDR "=");
 xtext_quote_append(next_command, request->client_addr, "");
 }
 if ((session->features & SMTP_FEATURE_XFORWARD_PORT)
- && DEL_REQ_ATTR_AVAIL(request->client_port)) {
+ && CAN_FORWARD_CLIENT_PORT(request->client_port)) {
 vstring_strcat(next_command, " " XFORWARD_PORT "=");
 xtext_quote_append(next_command, request->client_port, "");
 }
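Review bot: `_ATTR_AVAIL_AND_KNOWN_` begins with an underscore and an uppercase letter, an identifier reserved for the C implementation; rename it (e.g. `ATTR_AVAIL_AND_KNOWN`) and move the whole `#ifndef CAN_FORWARD_CLIENT_NAME` group out of smtp_loop's switch to file scope, where the `#ifndef` guard is unnecessary. The asymmetry — name, addr, port and proto filter the literal "unknown" while HELO and the rewrite context do not — needs a comment, because a reader will otherwise suspect HELO was missed; something like `/* "unknown" is the placeholder stored for an unresolved client name/addr/port/proto and is a syntax error as a PORT value; the HELO argument is forwarded as received. */` (the HELO rationale is inferred, please confirm). If the project already has a named constant for the "unknown" placeholder, use it here rather than a second literal so the producer and this consumer cannot drift apart. smtp_loop begins and ends outside the hunk.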
@@ -1231,17 +1242,17 @@ static int smtp_loop(SMTP_STATE *state, NOCLOBBER int send_state,
 case SMTP_STATE_XFORWARD_PROTO_HELO:
 vstring_strcpy(next_command, XFORWARD_CMD);
 if ((session->features & SMTP_FEATURE_XFORWARD_PROTO)
- && DEL_REQ_ATTR_AVAIL(request->client_proto)) {
+ && CAN_FORWARD_PROTO_NAME(request->client_proto)) {
 vstring_strcat(next_command, " " XFORWARD_PROTO "=");
 xtext_quote_append(next_command, request->client_proto, "");
 }
 if ((session->features & SMTP_FEATURE_XFORWARD_HELO)
- && DEL_REQ_ATTR_AVAIL(request->client_helo)) {
+ && CAN_FORWARD_HELO_NAME(request->client_helo)) {
 vstring_strcat(next_command, " " XFORWARD_HELO "=");
 xtext_quote_append(next_command, request->client_helo, "");
 }
 if ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN)
- && DEL_REQ_ATTR_AVAIL(request->rewrite_context)) {
+ && CAN_FORWARD_RWR_CONTEXT(request->rewrite_context)) {
 vstring_strcat(next_command, " " XFORWARD_DOMAIN "=");
 xtext_quote_append(next_command,
 strcmp(request->rewrite_context, MAIL_ATTR_RWR_LOCAL) ?
@@ -1923,19 +1934,19 @@ int smtp_xfer(SMTP_STATE *state)
 send_name_addr = var_smtp_send_xforward && (((session->features & SMTP_FEATURE_XFORWARD_NAME)
- && DEL_REQ_ATTR_AVAIL(request->client_name))
+ && CAN_FORWARD_CLIENT_NAME(request->client_name))
 || ((session->features & SMTP_FEATURE_XFORWARD_ADDR)
- && DEL_REQ_ATTR_AVAIL(request->client_addr))
+ && CAN_FORWARD_CLIENT_ADDR(request->client_addr))
 || ((session->features & SMTP_FEATURE_XFORWARD_PORT)
- && DEL_REQ_ATTR_AVAIL(request->client_port)));
+ && CAN_FORWARD_CLIENT_PORT(request->client_port)));
 session->send_proto_helo = var_smtp_send_xforward && (((session->features & SMTP_FEATURE_XFORWARD_PROTO)
- && DEL_REQ_ATTR_AVAIL(request->client_proto))
+ && CAN_FORWARD_PROTO_NAME(request->client_proto))
 || ((session->features & SMTP_FEATURE_XFORWARD_HELO)
- && DEL_REQ_ATTR_AVAIL(request->client_helo))
+ && CAN_FORWARD_HELO_NAME(request->client_helo))
 || ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN)
- && DEL_REQ_ATTR_AVAIL(request->rewrite_context))
+ && CAN_FORWARD_RWR_CONTEXT(request->rewrite_context)));
 if (send_name_addr)
 recv_state = send_state = SMTP_STATE_XFORWARD_NAME_ADDR;
 else if (session->send_proto_helo)
diff --git a/postfix/src/tls/tls_certkey.c b/postfix/src/tls/tls_certkey.c
index caf9af44a..913b67e23 100644
--- a/postfix/src/tls/tls_certkey.c
+++ b/postfix/src/tls/tls_certkey.c
@@ -158,7 +158,7 @@ int tls_set_my_certificate_key_info(SSL_CTX *ctx,
 return (-1); /* logged */
 if (*dcert_file && !set_cert_stuff(ctx, "DSA", dcert_file, dkey_file))
 return (-1); /* logged */
-#if OPENSSL_VERSION_NUMBER >= 0x00909000 && !defined(OPENSSL_NO_ECDH)
+#if OPENSSL_VERSION_NUMBER >= 0x1000000fL && !defined(OPENSSL_NO_ECDH)
 if (*eccert_file && !set_cert_stuff(ctx, "ECDSA", eccert_file, eckey_file))
 return (-1); /* logged */
 #else
diff --git a/postfix/src/tls/tls_client.c b/postfix/src/tls/tls_client.c
index 455561e12..7fd32d478 100644
--- a/postfix/src/tls/tls_client.c
+++ b/postfix/src/tls/tls_client.c
@@ -725,7 +725,7 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props)
 int protomask;
 const char *cipher_list;
 SSL_SESSION *session;
- SSL_CIPHER *cipher;
+ const SSL_CIPHER *cipher;
 X509 *peercert;
 TLS_SESS_STATE *TLScontext;
 TLS_APPL_STATE *app_ctx = props->ctx;
diff --git a/postfix/src/tls/tls_dh.c b/postfix/src/tls/tls_dh.c
index bc5db4f0d..da17be73a 100644
--- a/postfix/src/tls/tls_dh.c
+++ b/postfix/src/tls/tls_dh.c
@@ -205,7 +205,7 @@ DH *tls_tmp_dh_cb(SSL *unused_ssl, int export, int keylength)
 int tls_set_eecdh_curve(SSL_CTX *server_ctx, const char *grade)
 {
-#if OPENSSL_VERSION_NUMBER >= 0x00909000 && !defined(OPENSSL_NO_ECDH)
+#if OPENSSL_VERSION_NUMBER >= 0x1000000fL && !defined(OPENSSL_NO_ECDH)
 int nid;
 EC_KEY *ecdh;
 const char *curve;
diff --git a/postfix/src/tls/tls_server.c b/postfix/src/tls/tls_server.c
index 26ea2afe4..9ed6d20ed 100644
--- a/postfix/src/tls/tls_server.c
+++ b/postfix/src/tls/tls_server.c
@@ -554,7 +554,7 @@ TLS_SESS_STATE *tls_server_start(const TLS_SERVER_START_PROPS *props)
 {
 int sts;
 TLS_SESS_STATE *TLScontext;
- SSL_CIPHER *cipher;
+ const SSL_CIPHER *cipher;
 X509 *peer;
 char buf[CCERT_BUFSIZ];
 const char *cipher_list;
diff --git a/postfix/src/util/dict_db.c b/postfix/src/util/dict_db.c
index d58e3f459..f279989aa 100644
--- a/postfix/src/util/dict_db.c
+++ b/postfix/src/util/dict_db.c
@@ -664,7 +664,7 @@ static DICT *dict_db_open(const char *class, const char *path, int open_flags,
 msg_fatal("set DB cache size %d: %m", dict_db_cache_size);
 if (type == DB_HASH && db->set_h_nelem(db, DICT_DB_NELM) != 0)
 msg_fatal("set DB hash element count %d: %m", DICT_DB_NELM);
-#if (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR > 0)
+#if DB_VERSION_MAJOR == 5 || (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR > 0)
 if ((errno = db->open(db, 0, db_path, 0, type, db_flags, 0644)) != 0)
 msg_fatal("open database %s: %m", db_path);
 #elif (DB_VERSION_MAJOR == 3 || DB_VERSION_MAJOR == 4)
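Review bot: `DB_VERSION_MAJOR == 5` admits only Berkeley DB 5.x, so a 6.x or newer library falls through to the `#elif (DB_VERSION_MAJOR == 3 || DB_VERSION_MAJOR == 4)` branch (or whatever follows it) and meets the older `db->open` calling convention again — the same breakage this hunk fixes for 5.x. The changelog's own rationale, "the same API as Berkeley DB 4.1 and later", argues for an open-ended test: `#if DB_VERSION_MAJOR > 4 || (DB_VERSION_MAJOR == 4 && DB_VERSION_MINOR > 0)`. dict_db_open's body continues outside the hunk.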
diff --git a/postfix/src/util/sys_defs.h b/postfix/src/util/sys_defs.h
index ff2552b82..8465c85dd 100644
--- a/postfix/src/util/sys_defs.h
+++ b/postfix/src/util/sys_defs.h
@@ -208,7 +208,6 @@
 #define DEF_DB_TYPE "hash"
 #define ALIAS_DB_MAP "hash:/etc/aliases"
 #define GETTIMEOFDAY(t) gettimeofday(t,(struct timezone *) 0)
-#define RESOLVE_H_NEEDS_NAMESER8_COMPAT_H
 #define ROOT_PATH "/bin:/usr/bin:/sbin:/usr/sbin"
 #define USE_STATFS
 #define STATFS_IN_SYS_MOUNT_H
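Review bot: Removing `RESOLVE_H_NEEDS_NAMESER8_COMPAT_H` from this platform block leaves nothing in sys_defs.h saying where the resolver compat include is now decided, so a reader of dns.h's `#ifdef` pair has to find the makedefs `case $RELEASE` by search; a one-line pointer in its place keeps the two in sync: `/* RESOLVE_H_NEEDS_{NAMESER8,ARPA_NAMESER}_COMPAT_H: set by makedefs per Darwin release */`. Builds that bypass makedefs with hand-written CCARGS now get neither define and must add one themselves, which is worth a mention in the same comment if such builds are supported. The enclosing platform block starts and ends outside the hunk.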