From d63b019a7de1fffb303e6c10d9eff5d2559bcfef Mon Sep 17 00:00:00 2001
From: Wietse Z Venema <wietse@porcupine.org>
Date: Wed, 24 Jul 2024 00:00:00 -0500
Subject: [PATCH] postfix-3.10-20240724

---
 postfix/HISTORY                   | 11 +++++++++++
 postfix/README_FILES/SASL_README  |  9 +++------
 postfix/WISHLIST                  |  2 ++
 postfix/html/SASL_README.html     | 10 +++-------
 postfix/html/postconf.5.html      |  4 ++++
 postfix/man/man5/postconf.5       |  4 ++++
 postfix/proto/SASL_README.html    | 10 +++-------
 postfix/proto/postconf.proto      |  4 ++++
 postfix/src/dns/dns_lookup.c      | 29 +++++++++++++++++++++--------
 postfix/src/global/mail_version.h |  2 +-
 10 files changed, 56 insertions(+), 29 deletions(-)
diff --git a/postfix/HISTORY b/postfix/HISTORY
index 3380077b2..6d457cc90 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -28152,3 +28152,14 @@ Apologies for any names omitted.
 
 	Bitrot: some groff version complains about ".ft C" directives
 	in postconf(5) manpages. File: mantools/postconf2man.
+
+20240724
+
+	Documentation: re-worded some text about Debian hard-coding
+	the Cyrus SASL smtpd.conf search path. Files:
+	proto/SASL_README.html, proto/postconf.proto.
+
+	Cleanup: the Postfix DNS client returned only the first
+	fragment of a multi-fragment TXT record. This would become
+	an issue when looking up policy records with strings longer
+	than 255 bytes. File: dns/dns_lookup.c.
diff --git a/postfix/README_FILES/SASL_README b/postfix/README_FILES/SASL_README
index 83c0b297f..617212e5c 100644
--- a/postfix/README_FILES/SASL_README
+++ b/postfix/README_FILES/SASL_README
@@ -185,12 +185,9 @@ You can read more about the following topics:
     cyrus_sasl_config_path and/or the distribution-specific documentation to
     determine the expected location.
 
-  * Some Debian-based Postfix distributions patch Postfix to hardcode a non-
-    default search path, making it impossible to set an alternate search path
-    via the "cyrus_sasl_config_path" parameter. This is likely to be the case
-    when the distribution documents a Postfix-specific path (e.g. /etc/postfix/
-    sasl/) that is different from the default value of "cyrus_sasl_config_path"
-    (which then is likely to be empty).
+  * Some Debian-based Postfix distributions ignore the "cyrus_sasl_config_path"
+    parameter setting, and force Postfix to open the file /etc/postfix/sasl/
+    smtpd.conf.
 
     NNoottee
 
diff --git a/postfix/WISHLIST b/postfix/WISHLIST
index fb78b25b8..9578d25bf 100644
--- a/postfix/WISHLIST
+++ b/postfix/WISHLIST
@@ -26,6 +26,8 @@ Wish list:
 	bounce/annotate.sh should include the 'QUICK INSTRUCTIONS'
 	into the bounce.cf.default file.
 
+	Should smtp_tls_wrappermode have an SMTP_TLS_POLICY override?
+
 	The postsceen NON-SMTP test should log the command in
 	the same format as the BARE NEWLINE and PREGREET tests.
 	Consider logging the entire unadulterated command line.
diff --git a/postfix/html/SASL_README.html b/postfix/html/SASL_README.html
index c95ac8c84..f02208e6e 100644
--- a/postfix/html/SASL_README.html
+++ b/postfix/html/SASL_README.html
@@ -281,13 +281,9 @@ configuration file in <code>/etc/postfix/sasl/</code>,
 <a href="postconf.5.html#cyrus_sasl_config_path">cyrus_sasl_config_path</a></code> and/or the distribution-specific
 documentation to determine the expected location. </p> </li>
 
-<li> <p> Some Debian-based Postfix distributions patch Postfix to
-hardcode a non-default search path, making it impossible to set an
-alternate search path via the "<a href="postconf.5.html#cyrus_sasl_config_path">cyrus_sasl_config_path</a>" parameter.  This
-is likely to be the case when the distribution documents a
-Postfix-specific path (e.g. <code>/etc/postfix/sasl/</code>) that is
-different from the default value of "<a href="postconf.5.html#cyrus_sasl_config_path">cyrus_sasl_config_path</a>" (which
-then is likely to be empty). </p> </li>
+<li> <p> Some Debian-based Postfix distributions ignore the
+"<a href="postconf.5.html#cyrus_sasl_config_path">cyrus_sasl_config_path</a>" parameter setting, and force Postfix to
+open the file <code>/etc/postfix/sasl/smtpd.conf</code>. </p> </li>
 
 </ul>
 
diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html
index a7c3e53bf..76a383c5f 100644
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@@ -1851,6 +1851,10 @@ currently used only to locate the $<a href="postconf.5.html#smtpd_sasl_path">smt
 Specify zero or more directories separated by a colon character,
 or an empty value to use Cyrus SASL's built-in search path.  </p>
 
+<p> Note: some Debian-based Postfix distributions ignore the
+"<a href="postconf.5.html#cyrus_sasl_config_path">cyrus_sasl_config_path</a>" parameter setting, and force Postfix to
+open the file <code>/etc/postfix/sasl/smtpd.conf</code>. </p>
+
 <p> This feature is available in Postfix 2.5 and later when compiled
 with Cyrus SASL 2.1.22 or later. </p>
 
diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5
index 3237a6c2a..c487657d1 100644
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@@ -1111,6 +1111,10 @@ currently used only to locate the $smtpd_sasl_path.conf file.
 Specify zero or more directories separated by a colon character,
 or an empty value to use Cyrus SASL's built\-in search path.
 .PP
+Note: some Debian\-based Postfix distributions ignore the
+"cyrus_sasl_config_path" parameter setting, and force Postfix to
+open the file <code>/etc/postfix/sasl/smtpd.conf</code>.
+.PP
 This feature is available in Postfix 2.5 and later when compiled
 with Cyrus SASL 2.1.22 or later.
 .SH daemon_directory (default: see "postconf \-d" output)
diff --git a/postfix/proto/SASL_README.html b/postfix/proto/SASL_README.html
index 2af2e7bfb..e19bb33c6 100644
--- a/postfix/proto/SASL_README.html
+++ b/postfix/proto/SASL_README.html
@@ -281,13 +281,9 @@ configuration file in <code>/etc/postfix/sasl/</code>,
 cyrus_sasl_config_path</code> and/or the distribution-specific
 documentation to determine the expected location. </p> </li>
 
-<li> <p> Some Debian-based Postfix distributions patch Postfix to
-hardcode a non-default search path, making it impossible to set an
-alternate search path via the "cyrus_sasl_config_path" parameter.  This
-is likely to be the case when the distribution documents a
-Postfix-specific path (e.g. <code>/etc/postfix/sasl/</code>) that is
-different from the default value of "cyrus_sasl_config_path" (which
-then is likely to be empty). </p> </li>
+<li> <p> Some Debian-based Postfix distributions ignore the
+"cyrus_sasl_config_path" parameter setting, and force Postfix to
+open the file <code>/etc/postfix/sasl/smtpd.conf</code>. </p> </li>
 
 </ul>
 
diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto
index 34ea749d7..1f8bcfded 100644
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@@ -11289,6 +11289,10 @@ currently used only to locate the $smtpd_sasl_path.conf file.
 Specify zero or more directories separated by a colon character,
 or an empty value to use Cyrus SASL's built-in search path.  </p>
 
+<p> Note: some Debian-based Postfix distributions ignore the
+"cyrus_sasl_config_path" parameter setting, and force Postfix to
+open the file <code>/etc/postfix/sasl/smtpd.conf</code>. </p>
+
 <p> This feature is available in Postfix 2.5 and later when compiled
 with Cyrus SASL 2.1.22 or later. </p>
 
diff --git a/postfix/src/dns/dns_lookup.c b/postfix/src/dns/dns_lookup.c
index 4cf9a5f5a..0c212d258 100644
--- a/postfix/src/dns/dns_lookup.c
+++ b/postfix/src/dns/dns_lookup.c
@@ -745,6 +745,7 @@ static int dns_get_rr(DNS_RR **list, const char *orig_name, DNS_REPLY *reply,
 		              DNS_FIXED *fixed)
 {
     char    temp[DNS_NAME_LEN];
+    char    ltemp[USHRT_MAX];
     char   *tempbuf = temp;
     UINT32_TYPE soa_buf[5];
     int     comp_len;
@@ -754,6 +755,7 @@ static int dns_get_rr(DNS_RR **list, const char *orig_name, DNS_REPLY *reply,
     unsigned port = 0;
     unsigned char *src;
     unsigned char *dst;
+    int     frag_len;
     int     ch;
 
 #define MIN2(a, b)	((unsigned)(a) < (unsigned)(b) ? (a) : (b))
@@ -826,17 +828,28 @@ static int dns_get_rr(DNS_RR **list, const char *orig_name, DNS_REPLY *reply,
 #endif
 
 	/*
-	 * We impose the same length limit here as for DNS names. However,
-	 * see T_TLSA discussion below.
+	 * Impose the maximum length (65536) limit for TXT records.
 	 */
     case T_TXT:
-	data_len = MIN2(pos[0] + 1, MIN2(fixed->length + 1, sizeof(temp)));
-	for (src = pos + 1, dst = (unsigned char *) (temp);
-	     dst < (unsigned char *) (temp) + data_len - 1; /* */ ) {
-	    ch = *src++;
-	    *dst++ = (ISPRINT(ch) ? ch : ' ');
+	for (src = pos, dst = (unsigned char *) ltemp;
+	     src < pos + fixed->length; /* */ ) {
+	    frag_len = *src++;
+	    if (msg_verbose)
+		msg_info("frag_len=%d text=\"%.*s\"",
+			 (int) frag_len, (int) frag_len, (char *) src);
+	    if (frag_len > reply->end - src
+	     || frag_len >= ((unsigned char *) ltemp + sizeof(ltemp)) - dst) {
+		msg_warn("extract_answer: bad TXT string length: %d", frag_len);
+		return (DNS_RETRY);
+	    }
+	    while (frag_len-- > 0) {
+		ch = *src++;
+		*dst++ = (ISPRINT(ch) ? ch : ' ');
+	    }
 	}
-	*dst = 0;
+	*dst++ = 0;
+	tempbuf = ltemp;
+	data_len = dst - (unsigned char *) tempbuf;
 	break;
 
 	/*
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 69627fd39..c1cc9ea80 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20240722"
+#define MAIL_RELEASE_DATE	"20240724"
 #define MAIL_VERSION_NUMBER	"3.10"
 
 #ifdef SNAPSHOT
