postfix-3.5-20190724

postfix/HISTORY

@@ -24307,13 +24307,12 @@ Apologies for any names omitted.
 	to indicate final delivery. Files: smtp/smtp.c, smtp/smtp.h,
 	smtp/smtp_misc.c, smtp/smtp_proto.c, smtp/smtp_rcpt.c.
 
-	Cleanup: don't wait for the TLS peer to respond after sending
+	Workaround for implementations that hang Postfix while
-	a TLS 'close' notification. This should be safe with TLSv1.0
+	shutting down a TLS session, until Postfix times out. With
-	and later. Specify "tls_fast_shutdown_enable = no" to enable
+	"tls_fast_shutdown_enable = yes" (the default), Postfix no
-	historical behavior where Postfix waits, and then sends a
+	longer waits for the TLS peer to respond to a TLS 'close'
-	second TLS 'close' notification before closing the TCP
+	request. This is recommended with TLSv1.0 and later. Files:
-	connection. Files: global/mail_params.h, tls/tls_session.c,
+	global/mail_params.h, tls/tls_session.c, and documentation.
-	and documentation.
 
 20190618
 
@@ -24329,8 +24328,29 @@ Apologies for any names omitted.
 	protocol error. This limits the impact of, for example,
 	pipelining synchronization errors. File: smtp/smtp_trouble.c.
 
-	Bugfix: the code to reset command counts was not called
+	Bugfix (introduced: Postfix 3.0): the code to reset Postfix
-	after a HaProxy handshake failure, causing stale numbers
+	SMTP server command counts was not called after a HaProxy
-	to be reported. The command counts are now reset in the 
+	handshake failure, causing stale numbers to be reported.
-	function that reports the counts. File: smtpd/smtpd.c.
+	The command counts are now reset in the function that reports
-	command-read loop to the function that reports the counts.
+	the counts. Problem report by Joseph Ward. File: smtpd/smtpd.c.
+
+20190719
+
+	Bitrot: OpenBSD stopped having /dev/arandom 8 years ago.
+	Brad Smith. File: util/sys_defs.h.
+
+20190723
+
+	Bugfix: the documentation said tls_fast_shutdown_enable,
+	but the code said tls_fast_shutdown. Viktor Dukhovni. Changed
+	the code because no-one is expected to override the default.
+	File: global/mail_params.h.
+
+20190724
+
+	Cleanup: proxymap(8) support for table search order syntax.
+	File: proxymap/proxymap.c.
+
+	Safety: vstring_set_payload_size() now checks that the
+	payload has not overwritten the safety terminator at the
+	end of the VSTRING buffer. File: util/vstream.c.

postfix/RELEASE_NOTES

@@ -25,22 +25,15 @@ more recent Eclipse Public License 2.0. Recipients can choose to take
 the software under the license of their choice. Those who are more
 comfortable with the IPL can continue with that license.
 
-Incompatibility with snapshot 20190615
-====================================
-
-The Postfix TLS library by default no longer waits after sending a
-TLS 'close' notification. This should be safe with TLSv1.0 and
-later. Specify "tls_fast_shutdown_enable = no" to enable historical
-Postfix behavior.
-
 Major changes with snapshot 20190615
 ====================================
 
-After sending a TLS 'close' notification, the Postfix library by
+This release introduces a workaround for implementations that hang
-default no longer waits for the TLS peer to respond. According to
+Postfix while shutting down a TLS session, until Postfix times out.
-RFC 2246 (TLSv1.0) section 7.2.1, "It is not required for the
+With "tls_fast_shutdown_enable = yes" (the default), Postfix no
-initiator of the close to wait for the responding close_notify alert
+longer waits for a remote TLS peer to respond to a TLS 'close'
-before closing the read side of the connection."
+request. This behavior is recommended with TLSv1.0 and later. Specify
+"tls_fast_shutdown_enable = no" to get historical Postfix behavior.
 
 Dovecot usability: the SMTP+LMTP delivery agent can now prepend
 Delivered-To, X-Original-To and Return-Path headers, just like the

postfix/html/lmtp.8.html

@@ -640,11 +640,11 @@ SMTP(8)                                                                SMTP(8)
               Optional name to send to the  remote  SMTP  server  in  the  TLS
               Server Name Indication (SNI) extension.
 
-       Available in Postfix version 3.5 and later:
+       Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later:
 
        <b><a href="postconf.5.html#tls_fast_shutdown_enable">tls_fast_shutdown_enable</a> (yes)</b>
-              After  sending  a  TLS 'close' notification, do not wait for the
+              A workaround for implementations that hang Postfix while shuting
-              TLS peer to respond.
+              down a TLS session, until Postfix times out.
 
 <b>OBSOLETE STARTTLS CONTROLS</b>
        The following configuration parameters  exist  for  compatibility  with

postfix/html/postconf.5.html

@@ -18548,14 +18548,11 @@ encouraged to not change this setting.  </p>
 <DT><b><a name="tls_fast_shutdown_enable">tls_fast_shutdown_enable</a>
 (default: yes)</b></DT><DD>
 
-<p> After sending a TLS 'close' notification, do not wait for the
+<p> A workaround for implementations that hang Postfix while shuting
-TLS peer to respond.
+down a TLS session, until Postfix times out. With this enabled,
-According to <a href="http://tools.ietf.org/html/rfc2246">RFC 2246</a> (TLSv1.0) section 7.2.1, "It is not required
+Postfix will not wait for the remote TLS peer to respond to a TLS
-for the initiator of the close to wait for the responding close_notify
+'close' notification. This behavior is recommended for TLSv1.0 and
-alert before closing the read side of the connection." </p>
+later. </p>
-
-<p> Specify "<a href="postconf.5.html#tls_fast_shutdown_enable">tls_fast_shutdown_enable</a> = no" to enable historical
-Postfix behavior.  </p>
 
 
 </DD>

postfix/html/smtp.8.html

@@ -640,11 +640,11 @@ SMTP(8)                                                                SMTP(8)
               Optional name to send to the  remote  SMTP  server  in  the  TLS
               Server Name Indication (SNI) extension.
 
-       Available in Postfix version 3.5 and later:
+       Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later:
 
        <b><a href="postconf.5.html#tls_fast_shutdown_enable">tls_fast_shutdown_enable</a> (yes)</b>
-              After  sending  a  TLS 'close' notification, do not wait for the
+              A workaround for implementations that hang Postfix while shuting
-              TLS peer to respond.
+              down a TLS session, until Postfix times out.
 
 <b>OBSOLETE STARTTLS CONTROLS</b>
        The following configuration parameters  exist  for  compatibility  with

postfix/html/smtpd.8.html

@@ -589,11 +589,11 @@ SMTPD(8)                                                              SMTPD(8)
               clients via the TLS Server Name Indication  (SNI)  extension  to
               the appropriate keys and certificate chains.
 
-       Available in Postfix version 3.5 and later:
+       Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later:
 
        <b><a href="postconf.5.html#tls_fast_shutdown_enable">tls_fast_shutdown_enable</a> (yes)</b>
-              After  sending  a  TLS 'close' notification, do not wait for the
+              A workaround for implementations that hang Postfix while shuting
-              TLS peer to respond.
+              down a TLS session, until Postfix times out.
 
 <b>OBSOLETE STARTTLS CONTROLS</b>
        The following configuration parameters  exist  for  compatibility  with

postfix/html/tlsproxy.8.html

@@ -144,11 +144,11 @@ TLSPROXY(8)                                                        TLSPROXY(8)
               clients via the TLS Server Name Indication  (SNI)  extension  to
               the appropriate keys and certificate chains.
 
-       Available in Postfix version 3.5 and later:
+       Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later:
 
        <b><a href="postconf.5.html#tls_fast_shutdown_enable">tls_fast_shutdown_enable</a> (yes)</b>
-              After  sending  a  TLS 'close' notification, do not wait for the
+              A workaround for implementations that hang Postfix while shuting
-              TLS peer to respond.
+              down a TLS session, until Postfix times out.
 
 <b>STARTTLS SERVER CONTROLS</b>
        These settings are clones of Postfix SMTP server settings.  They  allow

postfix/man/man5/postconf.5

@@ -12944,14 +12944,11 @@ encouraged to not change this setting.
 .PP
 This feature is available in Postfix 2.3 and later.
 .SH tls_fast_shutdown_enable (default: yes)
-After sending a TLS 'close' notification, do not wait for the
+A workaround for implementations that hang Postfix while shuting
-TLS peer to respond.
+down a TLS session, until Postfix times out. With this enabled,
-According to RFC 2246 (TLSv1.0) section 7.2.1, "It is not required
+Postfix will not wait for the remote TLS peer to respond to a TLS
-for the initiator of the close to wait for the responding close_notify
+'close' notification. This behavior is recommended for TLSv1.0 and
-alert before closing the read side of the connection."
+later.
-.PP
-Specify "tls_fast_shutdown_enable = no" to enable historical
-Postfix behavior.
 .SH tls_high_cipherlist (default: see "postconf \-d" output)
 The OpenSSL cipherlist for "high" grade ciphers. This defines
 the meaning of the "high" setting in smtpd_tls_ciphers,

postfix/man/man8/smtp.8

@@ -582,10 +582,10 @@ directly followed by a corresponding certificate chain.
 Optional name to send to the remote SMTP server in the TLS Server
 Name Indication (SNI) extension.
 .PP
-Available in Postfix version 3.5 and later:
+Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later:
 .IP "\fBtls_fast_shutdown_enable (yes)\fR"
-After sending a TLS 'close' notification, do not wait for the
+A workaround for implementations that hang Postfix while shuting
-TLS peer to respond.
+down a TLS session, until Postfix times out.
 .SH "OBSOLETE STARTTLS CONTROLS"
 .na
 .nf

postfix/man/man8/smtpd.8

@@ -528,10 +528,10 @@ Optional lookup tables that map names received from remote SMTP
 clients via the TLS Server Name Indication (SNI) extension to the
 appropriate keys and certificate chains.
 .PP
-Available in Postfix version 3.5 and later:
+Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later:
 .IP "\fBtls_fast_shutdown_enable (yes)\fR"
-After sending a TLS 'close' notification, do not wait for the
+A workaround for implementations that hang Postfix while shuting
-TLS peer to respond.
+down a TLS session, until Postfix times out.
 .SH "OBSOLETE STARTTLS CONTROLS"
 .na
 .nf

postfix/man/man8/tlsproxy.8

@@ -146,10 +146,10 @@ Optional lookup tables that map names received from remote SMTP
 clients via the TLS Server Name Indication (SNI) extension to the
 appropriate keys and certificate chains.
 .PP
-Available in Postfix version 3.5 and later:
+Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later:
 .IP "\fBtls_fast_shutdown_enable (yes)\fR"
-After sending a TLS 'close' notification, do not wait for the
+A workaround for implementations that hang Postfix while shuting
-TLS peer to respond.
+down a TLS session, until Postfix times out.
 .SH "STARTTLS SERVER CONTROLS"
 .na
 .nf

postfix/proto/postconf.proto

@@ -16256,6 +16256,14 @@ support is via the tls_ssl_options parameter.  </p>
 
 <p> This feature is available in Postfix 3.0 and later. </p>
 
+%PARAM tls_fast_shutdown_enable yes
+
+<p> A workaround for implementations that hang Postfix while shuting
+down a TLS session, until Postfix times out. With this enabled,
+Postfix will not wait for the remote TLS peer to respond to a TLS
+'close' notification. This behavior is recommended for TLSv1.0 and
+later. </p>
+
 %PARAM default_delivery_status_filter
 
 <p> Optional filter to replace the delivery status code or explanatory
@@ -17622,14 +17630,3 @@ default suffix, YYYYMMDD-HHMMSS, allows logs to be rotated frequently.
 </p>
 
 <p> This feature is available in Postfix 3.4 and later. </p>
-
-%PARAM tls_fast_shutdown_enable yes
-
-<p> After sending a TLS 'close' notification, do not wait for the
-TLS peer to respond.
-According to RFC 2246 (TLSv1.0) section 7.2.1, "It is not required
-for the initiator of the close to wait for the responding close_notify
-alert before closing the read side of the connection." </p>
-
-<p> Specify "tls_fast_shutdown_enable = no" to enable historical
-Postfix behavior.  </p>

postfix/src/global/mail_params.h

@@ -3331,9 +3331,9 @@ extern char *var_tls_server_sni_maps;
 extern char *var_tls_dane_digests;
 
  /*
-  * Backwards compatibility for Postfix 3.5 and later.
+  * The default is incompatible with pre-TLSv1.0 protocols.
   */
-#define VAR_TLS_FAST_SHUTDOWN	"tls_fast_shutdown"
+#define VAR_TLS_FAST_SHUTDOWN	"tls_fast_shutdown_enable"
 #define DEF_TLS_FAST_SHUTDOWN	1
 extern bool var_tls_fast_shutdown;
 

postfix/src/global/mail_version.h

@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20190621"
+#define MAIL_RELEASE_DATE	"20190724"
 #define MAIL_VERSION_NUMBER	"3.5"
 
 #ifdef SNAPSHOT

postfix/src/proxymap/proxymap.c

@@ -313,6 +313,8 @@ static DICT *proxy_map_find(const char *map_type_name, int request_flags,
      * deny the request.
      */
 #define PROXY_MAP_FIND_ERROR_RETURN(x)  { *statp = (x); return (0); }
+#define PROXY_MAP_PARAM_NAME(proxy_writer)  \
+	((proxy_writer) == 0 ? VAR_PROXY_READ_MAPS : VAR_PROXY_WRITE_MAPS)
 
     while (strncmp(map_type_name, PROXY_COLON, PROXY_COLON_LEN) == 0)
 	map_type_name += PROXY_COLON_LEN;
@@ -324,8 +326,7 @@ static DICT *proxy_map_find(const char *map_type_name, int request_flags,
 	msg_warn("to approve this table for %s access, list %s:%s in %s:%s",
 		 proxy_writer == 0 ? "read-only" : "read-write",
 		 DICT_TYPE_PROXY, map_type_name, MAIN_CONF_FILE,
-		 proxy_writer == 0 ? VAR_PROXY_READ_MAPS :
+		 PROXY_MAP_PARAM_NAME(proxy_writer));
-		 VAR_PROXY_WRITE_MAPS);
 	PROXY_MAP_FIND_ERROR_RETURN(PROXY_STAT_DENY);
     }
 
@@ -695,14 +696,33 @@ static void post_jail_init(char *service_name, char **unused_argv)
 				 var_proxy_read_maps);
     proxy_auth_maps = htable_create(13);
     while ((type_name = mystrtokq(&bp, sep, parens)) != 0) {
+	/* Maybe { maptype:mapname attr=value... } */
+	if (*type_name == parens[0]) {
+	    char   *err;
+
+	    /* Warn about blatant syntax error. */
+	    if ((err = extpar(&type_name, parens, EXTPAR_FLAG_NONE)) != 0) {
+		msg_warn("bad %s parameter value: %s",
+			 PROXY_MAP_PARAM_NAME(proxy_writer), err);
+		myfree(err);
+		continue;
+	    }
+	    /* Don't try to second-guess the semantics of { }. */
+	    if ((type_name = mystrtokq(&type_name, sep, parens)) == 0)
+		continue;
+	}
 	if (strncmp(type_name, PROXY_COLON, PROXY_COLON_LEN))
 	    continue;
 	do {
 	    type_name += PROXY_COLON_LEN;
 	} while (!strncmp(type_name, PROXY_COLON, PROXY_COLON_LEN));
 	if (strchr(type_name, ':') != 0
-	    && htable_locate(proxy_auth_maps, type_name) == 0)
+	    && htable_locate(proxy_auth_maps, type_name) == 0) {
 	    (void) htable_enter(proxy_auth_maps, type_name, (void *) 0);
+	    if (msg_verbose)
+		msg_info("whitelisting %s from %s", type_name,
+			 PROXY_MAP_PARAM_NAME(proxy_writer));
+	}
     }
     myfree(saved_filter);
 

postfix/src/smtp/smtp.c

@@ -548,10 +548,10 @@
 /*	Optional name to send to the remote SMTP server in the TLS Server
 /*	Name Indication (SNI) extension.
 /* .PP
-/*	Available in Postfix version 3.5 and later:
+/*	Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later:
 /* .IP "\fBtls_fast_shutdown_enable (yes)\fR"
-/*	After sending a TLS 'close' notification, do not wait for the
+/*	A workaround for implementations that hang Postfix while shuting
-/*	TLS peer to respond.
+/*	down a TLS session, until Postfix times out.
 /* OBSOLETE STARTTLS CONTROLS
 /* .ad
 /* .fi

postfix/src/smtpd/smtpd.c

@@ -494,10 +494,10 @@
 /*	clients via the TLS Server Name Indication (SNI) extension to the
 /*	appropriate keys and certificate chains.
 /* .PP
-/*	Available in Postfix version 3.5 and later:
+/*	Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later:
 /* .IP "\fBtls_fast_shutdown_enable (yes)\fR"
-/*	After sending a TLS 'close' notification, do not wait for the
+/*	A workaround for implementations that hang Postfix while shuting
-/*	TLS peer to respond.
+/*	down a TLS session, until Postfix times out.
 /* OBSOLETE STARTTLS CONTROLS
 /* .ad
 /* .fi

postfix/src/tls/tls_misc.c

@@ -46,6 +46,8 @@
 /*	char	*var_tls_mgr_service;
 /*	char	*var_tls_tkt_cipher;
 /*	char	*var_openssl_path;
+/*	char	*var_tls_server_sni_maps;
+/*	bool	var_tls_fast_shutdown;
 /*
 /*	TLS_APPL_STATE *tls_alloc_app_context(ssl_ctx, log_mask)
 /*	SSL_CTX	*ssl_ctx;
@@ -809,7 +811,6 @@ void    tls_get_signature_params(TLS_SESS_STATE *TLScontext)
     const char *peer_sig_curve = 0;
     const char *peer_sig_dgst = 0;
     int     nid;
-    int     got_kex_key;
     SSL    *ssl = TLScontext->con;
     int     srvr = SSL_is_server(ssl);
     X509   *cert;

postfix/src/tlsproxy/tlsproxy.c

@@ -130,10 +130,10 @@
 /*	clients via the TLS Server Name Indication (SNI) extension to the
 /*	appropriate keys and certificate chains.
 /* .PP
-/*	Available in Postfix version 3.5 and later:
+/*	Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later:
 /* .IP "\fBtls_fast_shutdown_enable (yes)\fR"
-/*	After sending a TLS 'close' notification, do not wait for the
+/*	A workaround for implementations that hang Postfix while shuting
-/*	TLS peer to respond.
+/*	down a TLS session, until Postfix times out.
 /* STARTTLS SERVER CONTROLS
 /* .ad
 /* .fi

postfix/src/util/sys_defs.h

@@ -129,7 +129,7 @@
 #define HAS_FUTIMES			/* XXX maybe earlier */
 #endif
 
-#if (defined(OpenBSD) && OpenBSD >= 199608)
+#if (defined(OpenBSD) && OpenBSD >= 199608 && OpenBSD < 201105)
 #define PREFERRED_RAND_SOURCE	"dev:/dev/arandom"	/* XXX earlier */
 #endif
 

postfix/src/util/vstring.c

@@ -441,6 +441,8 @@ VSTRING *vstring_set_payload_size(VSTRING *vp, ssize_t len)
 {
     if (len < 0 || len > vp->vbuf.len)
 	msg_panic("vstring_set_payload_size: invalid offset: %ld", (long) len);
+    if (vp->vbuf.data[vp->vbuf.len] != 0)
+	msg_panic("vstring_set_payload_size: no safety null byte");
     VSTRING_AT_OFFSET(vp, len);
     return (vp);
 }