diff --git a/postfix/HISTORY b/postfix/HISTORY
index 759feb0cc..f4a568d66 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -16210,8 +16210,9 @@ Apologies for any names omitted.
Feature: the LDAP client can now authenticate to LDAP servers
via SASL. This is tested with SASL GSSAPI and Kerberos 5.
- Code by Victor Duchovni. Files: global/dict_ldap.c,
- proto/LDAP_README.html, proto/ldap_table.
+ Original code by Quanah Gibson-Mount adapted by Victor
+ Duchovni. Files: global/dict_ldap.c, proto/LDAP_README.html,
+ proto/ldap_table.
Cleanup: the cleanup server now reports a temporary delivery
error when it reaches the virtual_alias_expansion_limit or
@@ -16232,3 +16233,8 @@ Apologies for any names omitted.
problems with shared library builds. The dependency was not
necessary because the callers already specify an explicit
time limit. File: global/pipe_command.c.
+
+20101206
+
+ postscreen hung up due to incorrect output error test. File:
+ postscreen/postscreen_send.c.
diff --git a/postfix/html/ldap_table.5.html b/postfix/html/ldap_table.5.html
index 2c027b8bc..8d8c43039 100644
--- a/postfix/html/ldap_table.5.html
+++ b/postfix/html/ldap_table.5.html
@@ -607,10 +607,6 @@ LDAP_TABLE(5) LDAP_TABLE(5)
The following parameters are relevant to using LDAP with
SASL
- sasl (default: no)
- Whether or not to use SASL binds to the server.
- Can be yes or no.
-
sasl_mechs (default: empty)
Space separated list of SASL mechanism(s) to try.
@@ -622,15 +618,15 @@ LDAP_TABLE(5) LDAP_TABLE(5)
applicable.
sasl_minssf (default: 0)
- The minimum required sasl security factor required
+ The minimum required sasl security factor required
to establish a connection.
LDAP SSL AND STARTTLS PARAMETERS
- If you're using the OpenLDAP libraries compiled with SSL
- support, Postfix can connect to LDAP SSL servers and can
+ If you're using the OpenLDAP libraries compiled with SSL
+ support, Postfix can connect to LDAP SSL servers and can
issue the STARTTLS command.
- LDAP SSL service can be requested by using a LDAP SSL URL
+ LDAP SSL service can be requested by using a LDAP SSL URL
in the server_host parameter:
server_host = ldaps://ldap.example.com:636
@@ -639,82 +635,82 @@ LDAP_TABLE(5) LDAP_TABLE(5)
start_tls = yes
- Both forms require LDAP protocol version 3, which has to
+ Both forms require LDAP protocol version 3, which has to
be set explicitly with:
version = 3
If any of the Postfix programs querying the map is config-
- ured in master.cf to run chrooted, all the certificates
+ ured in master.cf to run chrooted, all the certificates
and keys involved have to be copied to the chroot jail. Of
- course, the private keys should only be readable by the
+ course, the private keys should only be readable by the
user "postfix".
- The following parameters are relevant to LDAP SSL and
+ The following parameters are relevant to LDAP SSL and
STARTTLS:
start_tls (default: no)
Whether or not to issue STARTTLS upon connection to
- the server. Don't set this with LDAP SSL (the SSL
+ the server. Don't set this with LDAP SSL (the SSL
session is setup automatically when the TCP connec-
tion is opened).
- tls_ca_cert_dir (No default; set either this or
+ tls_ca_cert_dir (No default; set either this or
tls_ca_cert_file)
Directory containing X509 Certificate Authority
- certificates in PEM format which are to be recog-
- nized by the client in SSL/TLS connections. The
- files each contain one CA certificate. The files
- are looked up by the CA subject name hash value,
- which must hence be available. If more than one CA
- certificate with the same name hash value exist,
- the extension must be different (e.g. 9d66eef0.0,
- 9d66eef0.1 etc). The search is performed in the
- ordering of the extension number, regardless of
+ certificates in PEM format which are to be recog-
+ nized by the client in SSL/TLS connections. The
+ files each contain one CA certificate. The files
+ are looked up by the CA subject name hash value,
+ which must hence be available. If more than one CA
+ certificate with the same name hash value exist,
+ the extension must be different (e.g. 9d66eef0.0,
+ 9d66eef0.1 etc). The search is performed in the
+ ordering of the extension number, regardless of
other properties of the certificates. Use the
c_rehash utility (from the OpenSSL distribution) to
create the necessary links.
- tls_ca_cert_file (No default; set either this or
+ tls_ca_cert_file (No default; set either this or
tls_ca_cert_dir)
File containing the X509 Certificate Authority cer-
- tificates in PEM format which are to be recognized
- by the client in SSL/TLS connections. This setting
+ tificates in PEM format which are to be recognized
+ by the client in SSL/TLS connections. This setting
takes precedence over tls_ca_cert_dir.
tls_cert (No default; you must set this)
- File containing client's X509 certificate to be
+ File containing client's X509 certificate to be
used by the client in SSL/ TLS connections.
tls_key (No default; you must set this)
- File containing the private key corresponding to
+ File containing the private key corresponding to
the above tls_cert.
tls_require_cert (default: no)
Whether or not to request server's X509 certificate
- and check its validity when establishing SSL/TLS
- connections. The supported values are no and yes.
+ and check its validity when establishing SSL/TLS
+ connections. The supported values are no and yes.
- With no, the server certificate trust chain is not
- checked, but with OpenLDAP prior to 2.1.13, the
+ With no, the server certificate trust chain is not
+ checked, but with OpenLDAP prior to 2.1.13, the
name in the server certificate must still match the
LDAP server name. With OpenLDAP 2.0.0 to 2.0.11 the
- server name is not necessarily what you specified,
- rather it is determined (by reverse lookup) from
- the IP address of the LDAP server connection. With
- OpenLDAP prior to 2.0.13, subjectAlternativeName
+ server name is not necessarily what you specified,
+ rather it is determined (by reverse lookup) from
+ the IP address of the LDAP server connection. With
+ OpenLDAP prior to 2.0.13, subjectAlternativeName
extensions in the LDAP server certificate are
- ignored: the server name must match the subject
+ ignored: the server name must match the subject
CommonName. The no setting corresponds to the never
- value of TLS_REQCERT in LDAP client configuration
+ value of TLS_REQCERT in LDAP client configuration
files.
- Don't use TLS with OpenLDAP 2.0.x (and especially
+ Don't use TLS with OpenLDAP 2.0.x (and especially
with x <= 11) if you can avoid it.
- With yes, the server certificate must be issued by
- a trusted CA, and not be expired. The LDAP server
- name must match one of the name(s) found in the
+ With yes, the server certificate must be issued by
+ a trusted CA, and not be expired. The LDAP server
+ name must match one of the name(s) found in the
certificate (see above for OpenLDAP library version
dependent behavior). The yes setting corresponds to
the demand value of TLS_REQCERT in LDAP client con-
@@ -722,27 +718,27 @@ LDAP_TABLE(5) LDAP_TABLE(5)
The "try" and "never" values of TLS_REQCERT have no
equivalents here. They are not available with
- OpenLDAP 2.0, and in any case have questionable
- security properties. Either you want TLS verified
+ OpenLDAP 2.0, and in any case have questionable
+ security properties. Either you want TLS verified
LDAP connections, or you don't.
The yes value only works correctly with Postfix 2.5
- and later, or with OpenLDAP 2.0. Earlier Postfix
- releases or later OpenLDAP releases don't work
- together with this setting. Support for LDAP over
- TLS was added to Postfix based on the OpenLDAP 2.0
+ and later, or with OpenLDAP 2.0. Earlier Postfix
+ releases or later OpenLDAP releases don't work
+ together with this setting. Support for LDAP over
+ TLS was added to Postfix based on the OpenLDAP 2.0
API.
tls_random_file (No default)
- Path of a file to obtain random bits from when
- /dev/[u]random is not available, to be used by the
+ Path of a file to obtain random bits from when
+ /dev/[u]random is not available, to be used by the
client in SSL/TLS connections.
tls_cipher_suite (No default)
Cipher suite to use in SSL/TLS negotiations.
EXAMPLE
- Here's a basic example for using LDAP to look up local(8)
+ Here's a basic example for using LDAP to look up local(8)
aliases. Assume that in main.cf, you have:
alias_maps = hash:/etc/aliases,
@@ -753,14 +749,14 @@ LDAP_TABLE(5) LDAP_TABLE(5)
server_host = ldap.example.com
search_base = dc=example, dc=com
- Upon receiving mail for a local address "ldapuser" that
- isn't found in the /etc/aliases database, Postfix will
+ Upon receiving mail for a local address "ldapuser" that
+ isn't found in the /etc/aliases database, Postfix will
search the LDAP server listening at port 389 on ldap.exam-
- ple.com. It will bind anonymously, search for any direc-
- tory entries whose mailacceptinggeneralid attribute is
+ ple.com. It will bind anonymously, search for any direc-
+ tory entries whose mailacceptinggeneralid attribute is
"ldapuser", read the "maildrop" attributes of those found,
and build a list of their maildrops, which will be treated
- as RFC822 addresses to which the message will be deliv-
+ as RFC822 addresses to which the message will be deliv-
ered.
SEE ALSO
@@ -774,13 +770,13 @@ LDAP_TABLE(5) LDAP_TABLE(5)
LDAP_README, Postfix LDAP client guide
LICENSE
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
AUTHOR(S)
- Carsten Hoeger, Hery Rakotoarisoa, John Hensley, Keith
- Stevenson, LaMont Jones, Liviu Daia, Manuel Guesdon, Mike
- Mattice, Prabhat K Singh, Sami Haahtinen, Samuel Tardieu,
+ Carsten Hoeger, Hery Rakotoarisoa, John Hensley, Keith
+ Stevenson, LaMont Jones, Liviu Daia, Manuel Guesdon, Mike
+ Mattice, Prabhat K Singh, Sami Haahtinen, Samuel Tardieu,
Victor Duchovni, and many others.
LDAP_TABLE(5)
diff --git a/postfix/man/man5/ldap_table.5 b/postfix/man/man5/ldap_table.5
index 069e5d893..0b650edeb 100644
--- a/postfix/man/man5/ldap_table.5
+++ b/postfix/man/man5/ldap_table.5
@@ -561,8 +561,6 @@ protocol version is 2 for backwards compatibility. You must set
"version = 3" in addition to "bind = sasl".
The following parameters are relevant to using LDAP with SASL
-.IP "\fBsasl (default: no)\fR"
-Whether or not to use SASL binds to the server. Can be yes or no.
.IP "\fBsasl_mechs (default: empty)\fR"
Space separated list of SASL mechanism(s) to try.
.IP "\fBsasl_realm (default: empty)\fR"
diff --git a/postfix/proto/ldap_table b/postfix/proto/ldap_table
index c6bd42a88..666aa28ab 100644
--- a/postfix/proto/ldap_table
+++ b/postfix/proto/ldap_table
@@ -547,8 +547,6 @@
# "version = 3" in addition to "bind = sasl".
#
# The following parameters are relevant to using LDAP with SASL
-# .IP "\fBsasl (default: no)\fR"
-# Whether or not to use SASL binds to the server. Can be yes or no.
# .IP "\fBsasl_mechs (default: empty)\fR"
# Space separated list of SASL mechanism(s) to try.
# .IP "\fBsasl_realm (default: empty)\fR"
diff --git a/postfix/src/global/dict_ldap.c b/postfix/src/global/dict_ldap.c
index bf6ed2ee0..f9df3c597 100644
--- a/postfix/src/global/dict_ldap.c
+++ b/postfix/src/global/dict_ldap.c
@@ -103,8 +103,6 @@
/* .IP version
/* Specifies the LDAP protocol version to use. Default is version
/* \fI2\fR.
-/* .IP "\fBsasl (no)\fR"
-/* Whether or not to use SASL binds with the server.
/* .IP "\fBsasl_mechs (empty)\fR"
/* Specifies a space-separated list of LDAP SASL Mechanisms.
/* .IP "\fBsasl_realm (empty)\fR"
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index f38f595b0..8398072a6 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20101204"
+#define MAIL_RELEASE_DATE "20101206"
#define MAIL_VERSION_NUMBER "2.8"
#ifdef SNAPSHOT
diff --git a/postfix/src/global/pipe_command.c b/postfix/src/global/pipe_command.c
index 9b5565bf7..9c4d8b8cf 100644
--- a/postfix/src/global/pipe_command.c
+++ b/postfix/src/global/pipe_command.c
@@ -85,7 +85,8 @@
/* configuration parameter. The group ID must be non-zero.
/* .IP "PIPE_CMD_TIME_LIMIT (int)"
/* The amount of time the command is allowed to run before it
-/* is terminated with SIGKILL. The default is DEF_COMMAND_MAXTIME.
+/* is terminated with SIGKILL. A non-negative PIPE_CMD_TIME_LIMIT
+/* value must be specified.
/* .IP "PIPE_CMD_SHELL (char *)"
/* The shell to use when executing the command specified with
/* PIPE_CMD_COMMAND. This shell is invoked regardless of the
@@ -210,7 +211,7 @@ static void get_pipe_args(struct pipe_args * args, va_list ap)
args->cwd = 0;
args->chroot = 0;
- pipe_command_maxtime = DEF_COMMAND_MAXTIME;
+ pipe_command_maxtime = -1;
/*
* Then, override the defaults with user-supplied inputs.
@@ -276,6 +277,8 @@ static void get_pipe_args(struct pipe_args * args, va_list ap)
msg_panic("%s: privileged uid", myname);
if (args->gid == 0)
msg_panic("%s: privileged gid", myname);
+ if (pipe_command_maxtime < 0)
+ msg_panic("%s: missing or invalid PIPE_CMD_TIME_LIMIT", myname);
}
/* pipe_command_write - write to command with time limit */
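Review bot: The new guard at the end of get_pipe_args rejects only negative values, so an explicit PIPE_CMD_TIME_LIMIT of 0 passes, and neither the panic message nor the header comment in the first hunk ("A non-negative PIPE_CMD_TIME_LIMIT value must be specified") says what a zero limit means to the read/write paths that consume pipe_command_maxtime, which lie outside this hunk. If 0 is not a meaningful limit there, tighten the test to `if (pipe_command_maxtime <= 0)` and say "positive" in the header comment; if 0 is deliberately allowed, add a sentence to the header comment stating its effect. The -1 sentinel assigned in the second hunk is what this check detects, so a one-line comment at that assignment, `/* -1: caller must supply PIPE_CMD_TIME_LIMIT; verified below */`, would tie the two hunks together for the next reader. get_pipe_args starts outside this hunk.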
diff --git a/postfix/src/postscreen/postscreen_send.c b/postfix/src/postscreen/postscreen_send.c
index 4c6df1066..4a7b24e31 100644
--- a/postfix/src/postscreen/postscreen_send.c
+++ b/postfix/src/postscreen/postscreen_send.c
@@ -85,8 +85,9 @@ int ps_send_reply(int smtp_client_fd, const char *smtp_client_addr,
* XXX Need to make sure that the TCP send buffer is large enough for any
* response, so that a nasty client can't cause this process to block.
*/
- ret = write_buf(smtp_client_fd, text, strlen(text), PS_SEND_TEXT_TIMEOUT);
- if (ret < 0 && errno != EPIPE)
+ ret = (write_buf(smtp_client_fd, text, strlen(text),
+ PS_SEND_TEXT_TIMEOUT) < 0);
+ if (ret != 0 && errno != EPIPE)
msg_warn("write [%s]:%s: %m", smtp_client_addr, smtp_client_port);
return (ret);
}
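Review bot: The return value of ps_send_reply changes meaning on the new lines, from whatever write_buf returned to a 0/1 failure flag produced by the parenthesised `< 0` comparison, and nothing in the hunk documents that contract; since the HISTORY entry attributes the hang to an incorrect output error test, the convention callers must use should be stated where they will read it. Add `/* ret is 1 on write error (errno is that of write_buf; EPIPE is not logged because the peer already went away), 0 on success */` above the assignment, and check the function's header comment for any mention of the old return value, since the start of ps_send_reply is outside this hunk. The `errno != EPIPE` test is only evaluated when ret is non-zero, so errno there is still the failing write_buf's, which is what the `%m` in msg_warn needs.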