From d87d8c1c0f1e3fd5d0198a78769eb00536690dc7 Mon Sep 17 00:00:00 2001 From: Wietse Venema Date: Mon, 6 Dec 2010 00:00:00 -0500 Subject: [PATCH] postfix-2.8-20101206 --- postfix/HISTORY | 10 +- postfix/html/ldap_table.5.html | 116 +++++++++++------------ postfix/man/man5/ldap_table.5 | 2 - postfix/proto/ldap_table | 2 - postfix/src/global/dict_ldap.c | 2 - postfix/src/global/mail_version.h | 2 +- postfix/src/global/pipe_command.c | 7 +- postfix/src/postscreen/postscreen_send.c | 5 +- 8 files changed, 73 insertions(+), 73 deletions(-) diff --git a/postfix/HISTORY b/postfix/HISTORY index 759feb0cc..f4a568d66 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -16210,8 +16210,9 @@ Apologies for any names omitted. Feature: the LDAP client can now authenticate to LDAP servers via SASL. This is tested with SASL GSSAPI and Kerberos 5. - Code by Victor Duchovni. Files: global/dict_ldap.c, - proto/LDAP_README.html, proto/ldap_table. + Original code by Quanah Gibson-Mount adapted by Victor + Duchovni. Files: global/dict_ldap.c, proto/LDAP_README.html, + proto/ldap_table. Cleanup: the cleanup server now reports a temporary delivery error when it reaches the virtual_alias_expansion_limit or @@ -16232,3 +16233,8 @@ Apologies for any names omitted. problems with shared library builds. The dependency was not necessary because the callers already specify an explicit time limit. File: global/pipe_command.c. + +20101206 + + postscreen hung up due to incorrect output error test. File: + postscreen/postscreen_send.c. diff --git a/postfix/html/ldap_table.5.html b/postfix/html/ldap_table.5.html index 2c027b8bc..8d8c43039 100644 --- a/postfix/html/ldap_table.5.html +++ b/postfix/html/ldap_table.5.html @@ -607,10 +607,6 @@ LDAP_TABLE(5) LDAP_TABLE(5) The following parameters are relevant to using LDAP with SASL - sasl (default: no) - Whether or not to use SASL binds to the server. - Can be yes or no. - sasl_mechs (default: empty) Space separated list of SASL mechanism(s) to try. 
@@ -622,15 +618,15 @@ LDAP_TABLE(5) LDAP_TABLE(5) applicable. sasl_minssf (default: 0) - The minimum required sasl security factor required + The minimum required sasl security factor required to establish a connection. LDAP SSL AND STARTTLS PARAMETERS - If you're using the OpenLDAP libraries compiled with SSL - support, Postfix can connect to LDAP SSL servers and can + If you're using the OpenLDAP libraries compiled with SSL + support, Postfix can connect to LDAP SSL servers and can issue the STARTTLS command. - LDAP SSL service can be requested by using a LDAP SSL URL + LDAP SSL service can be requested by using a LDAP SSL URL in the server_host parameter: server_host = ldaps://ldap.example.com:636 
@@ -639,82 +635,82 @@ LDAP_TABLE(5) LDAP_TABLE(5) start_tls = yes - Both forms require LDAP protocol version 3, which has to + Both forms require LDAP protocol version 3, which has to be set explicitly with: version = 3 If any of the Postfix programs querying the map is config- - ured in master.cf to run chrooted, all the certificates + ured in master.cf to run chrooted, all the certificates and keys involved have to be copied to the chroot jail. Of - course, the private keys should only be readable by the + course, the private keys should only be readable by the user "postfix". - The following parameters are relevant to LDAP SSL and + The following parameters are relevant to LDAP SSL and STARTTLS: start_tls (default: no) Whether or not to issue STARTTLS upon connection to - the server. Don't set this with LDAP SSL (the SSL + the server. Don't set this with LDAP SSL (the SSL session is setup automatically when the TCP connec- tion is opened). - tls_ca_cert_dir (No default; set either this or + tls_ca_cert_dir (No default; set either this or tls_ca_cert_file) Directory containing X509 Certificate Authority - certificates in PEM format which are to be recog- - nized by the client in SSL/TLS connections. The - files each contain one CA certificate. The files - are looked up by the CA subject name hash value, - which must hence be available. If more than one CA - certificate with the same name hash value exist, - the extension must be different (e.g. 9d66eef0.0, - 9d66eef0.1 etc). The search is performed in the - ordering of the extension number, regardless of + certificates in PEM format which are to be recog- + nized by the client in SSL/TLS connections. The + files each contain one CA certificate. The files + are looked up by the CA subject name hash value, + which must hence be available. If more than one CA + certificate with the same name hash value exist, + the extension must be different (e.g. 9d66eef0.0, + 9d66eef0.1 etc). 
The search is performed in the + ordering of the extension number, regardless of other properties of the certificates. Use the c_rehash utility (from the OpenSSL distribution) to create the necessary links. - tls_ca_cert_file (No default; set either this or + tls_ca_cert_file (No default; set either this or tls_ca_cert_dir) File containing the X509 Certificate Authority cer- - tificates in PEM format which are to be recognized - by the client in SSL/TLS connections. This setting + tificates in PEM format which are to be recognized + by the client in SSL/TLS connections. This setting takes precedence over tls_ca_cert_dir. tls_cert (No default; you must set this) - File containing client's X509 certificate to be + File containing client's X509 certificate to be used by the client in SSL/ TLS connections. tls_key (No default; you must set this) - File containing the private key corresponding to + File containing the private key corresponding to the above tls_cert. tls_require_cert (default: no) Whether or not to request server's X509 certificate - and check its validity when establishing SSL/TLS - connections. The supported values are no and yes. + and check its validity when establishing SSL/TLS + connections. The supported values are no and yes. - With no, the server certificate trust chain is not - checked, but with OpenLDAP prior to 2.1.13, the + With no, the server certificate trust chain is not + checked, but with OpenLDAP prior to 2.1.13, the name in the server certificate must still match the LDAP server name. With OpenLDAP 2.0.0 to 2.0.11 the - server name is not necessarily what you specified, - rather it is determined (by reverse lookup) from - the IP address of the LDAP server connection. With - OpenLDAP prior to 2.0.13, subjectAlternativeName + server name is not necessarily what you specified, + rather it is determined (by reverse lookup) from + the IP address of the LDAP server connection. 
With + OpenLDAP prior to 2.0.13, subjectAlternativeName extensions in the LDAP server certificate are - ignored: the server name must match the subject + ignored: the server name must match the subject CommonName. The no setting corresponds to the never - value of TLS_REQCERT in LDAP client configuration + value of TLS_REQCERT in LDAP client configuration files. - Don't use TLS with OpenLDAP 2.0.x (and especially + Don't use TLS with OpenLDAP 2.0.x (and especially with x <= 11) if you can avoid it. - With yes, the server certificate must be issued by - a trusted CA, and not be expired. The LDAP server - name must match one of the name(s) found in the + With yes, the server certificate must be issued by + a trusted CA, and not be expired. The LDAP server + name must match one of the name(s) found in the certificate (see above for OpenLDAP library version dependent behavior). The yes setting corresponds to the demand value of TLS_REQCERT in LDAP client con- 
@@ -722,27 +718,27 @@ LDAP_TABLE(5) LDAP_TABLE(5) The "try" and "never" values of TLS_REQCERT have no equivalents here. They are not available with - OpenLDAP 2.0, and in any case have questionable - security properties. Either you want TLS verified + OpenLDAP 2.0, and in any case have questionable + security properties. Either you want TLS verified LDAP connections, or you don't. The yes value only works correctly with Postfix 2.5 - and later, or with OpenLDAP 2.0. Earlier Postfix - releases or later OpenLDAP releases don't work - together with this setting. Support for LDAP over - TLS was added to Postfix based on the OpenLDAP 2.0 + and later, or with OpenLDAP 2.0. Earlier Postfix + releases or later OpenLDAP releases don't work + together with this setting. Support for LDAP over + TLS was added to Postfix based on the OpenLDAP 2.0 API. tls_random_file (No default) - Path of a file to obtain random bits from when - /dev/[u]random is not available, to be used by the + Path of a file to obtain random bits from when + /dev/[u]random is not available, to be used by the client in SSL/TLS connections. tls_cipher_suite (No default) Cipher suite to use in SSL/TLS negotiations. EXAMPLE - Here's a basic example for using LDAP to look up local(8) + Here's a basic example for using LDAP to look up local(8) aliases. Assume that in main.cf, you have: alias_maps = hash:/etc/aliases, 
@@ -753,14 +749,14 @@ LDAP_TABLE(5) LDAP_TABLE(5) server_host = ldap.example.com search_base = dc=example, dc=com - Upon receiving mail for a local address "ldapuser" that - isn't found in the /etc/aliases database, Postfix will + Upon receiving mail for a local address "ldapuser" that + isn't found in the /etc/aliases database, Postfix will search the LDAP server listening at port 389 on ldap.exam- - ple.com. It will bind anonymously, search for any direc- - tory entries whose mailacceptinggeneralid attribute is + ple.com. It will bind anonymously, search for any direc- + tory entries whose mailacceptinggeneralid attribute is "ldapuser", read the "maildrop" attributes of those found, and build a list of their maildrops, which will be treated - as RFC822 addresses to which the message will be deliv- + as RFC822 addresses to which the message will be deliv- ered. SEE ALSO @@ -774,13 +770,13 @@ LDAP_TABLE(5) LDAP_TABLE(5) LDAP_README, Postfix LDAP client guide LICENSE - The Secure Mailer license must be distributed with this + The Secure Mailer license must be distributed with this software. AUTHOR(S) - Carsten Hoeger, Hery Rakotoarisoa, John Hensley, Keith - Stevenson, LaMont Jones, Liviu Daia, Manuel Guesdon, Mike - Mattice, Prabhat K Singh, Sami Haahtinen, Samuel Tardieu, + Carsten Hoeger, Hery Rakotoarisoa, John Hensley, Keith + Stevenson, LaMont Jones, Liviu Daia, Manuel Guesdon, Mike + Mattice, Prabhat K Singh, Sami Haahtinen, Samuel Tardieu, Victor Duchovni, and many others. LDAP_TABLE(5) diff --git a/postfix/man/man5/ldap_table.5 b/postfix/man/man5/ldap_table.5 index 069e5d893..0b650edeb 100644 --- a/postfix/man/man5/ldap_table.5 +++ b/postfix/man/man5/ldap_table.5 
@@ -561,8 +561,6 @@ protocol version is 2 for backwards compatibility. You must set "version = 3" in addition to "bind = sasl". The following parameters are relevant to using LDAP with SASL -.IP "\fBsasl (default: no)\fR" -Whether or not to use SASL binds to the server. Can be yes or no. .IP "\fBsasl_mechs (default: empty)\fR" Space separated list of SASL mechanism(s) to try. .IP "\fBsasl_realm (default: empty)\fR" diff --git a/postfix/proto/ldap_table b/postfix/proto/ldap_table index c6bd42a88..666aa28ab 100644 --- a/postfix/proto/ldap_table +++ b/postfix/proto/ldap_table @@ -547,8 +547,6 @@ # "version = 3" in addition to "bind = sasl". # # The following parameters are relevant to using LDAP with SASL -# .IP "\fBsasl (default: no)\fR" -# Whether or not to use SASL binds to the server. Can be yes or no. # .IP "\fBsasl_mechs (default: empty)\fR" # Space separated list of SASL mechanism(s) to try. # .IP "\fBsasl_realm (default: empty)\fR" diff --git a/postfix/src/global/dict_ldap.c b/postfix/src/global/dict_ldap.c index bf6ed2ee0..f9df3c597 100644 --- a/postfix/src/global/dict_ldap.c +++ b/postfix/src/global/dict_ldap.c @@ -103,8 +103,6 @@ /* .IP version /* Specifies the LDAP protocol version to use. Default is version /* \fI2\fR. -/* .IP "\fBsasl (no)\fR" -/* Whether or not to use SASL binds with the server. /* .IP "\fBsasl_mechs (empty)\fR" /* Specifies a space-separated list of LDAP SASL Mechanisms. /* .IP "\fBsasl_realm (empty)\fR" diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index f38f595b0..8398072a6 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20101204" +#define MAIL_RELEASE_DATE "20101206" #define MAIL_VERSION_NUMBER "2.8" #ifdef SNAPSHOT 
diff --git a/postfix/src/global/pipe_command.c b/postfix/src/global/pipe_command.c
index 9b5565bf7..9c4d8b8cf 100644
--- a/postfix/src/global/pipe_command.c
+++ b/postfix/src/global/pipe_command.c
@@ -85,7 +85,8 @@
 /* configuration parameter. The group ID must be non-zero.
 /* .IP "PIPE_CMD_TIME_LIMIT (int)"
 /* The amount of time the command is allowed to run before it
-/* is terminated with SIGKILL. The default is DEF_COMMAND_MAXTIME.
+/* is terminated with SIGKILL. A non-negative PIPE_CMD_TIME_LIMIT
+/* value must be specified.
 /* .IP "PIPE_CMD_SHELL (char *)"
 /* The shell to use when executing the command specified with
 /* PIPE_CMD_COMMAND. This shell is invoked regardless of the
@@ -210,7 +211,7 @@ static void get_pipe_args(struct pipe_args * args, va_list ap)
     args->cwd = 0;
     args->chroot = 0;
 
-    pipe_command_maxtime = DEF_COMMAND_MAXTIME;
+    pipe_command_maxtime = -1;
 
     /*
      * Then, override the defaults with user-supplied inputs.
@@ -276,6 +277,8 @@ static void get_pipe_args(struct pipe_args * args, va_list ap)
         msg_panic("%s: privileged uid", myname);
     if (args->gid == 0)
         msg_panic("%s: privileged gid", myname);
+    if (pipe_command_maxtime < 0)
+        msg_panic("%s: missing or invalid PIPE_CMD_TIME_LIMIT", myname);
 }
 
 /* pipe_command_write - write to command with time limit */
diff --git a/postfix/src/postscreen/postscreen_send.c b/postfix/src/postscreen/postscreen_send.c
index 4c6df1066..4a7b24e31 100644
--- a/postfix/src/postscreen/postscreen_send.c
+++ b/postfix/src/postscreen/postscreen_send.c
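Review bot: The new guard `if (pipe_command_maxtime < 0)` in the third pipe_command.c hunk accepts a limit of 0, while the header text in the first hunk only promises "non-negative"; if a zero limit is not meaningful to the timed read/write helpers (outside this hunk), the guard should read `if (pipe_command_maxtime <= 0)` and the header should say "positive". The `-1` assignment in the second hunk is a sentinel whose meaning only appears at that later check, so a comment at the assignment, `/* -1: caller must supply PIPE_CMD_TIME_LIMIT; enforced after parsing */`, would keep the intent local. Because msg_panic() fires at delivery time rather than at startup, a caller that omits PIPE_CMD_TIME_LIMIT fails on its first delivery, which is fail-closed and preferable to running a child with no time limit. get_pipe_args starts before the second hunk, so the declaration of pipe_command_maxtime is not visible here.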
@@ -85,8 +85,9 @@ int ps_send_reply(int smtp_client_fd, const char *smtp_client_addr,
      * XXX Need to make sure that the TCP send buffer is large enough for any
      * response, so that a nasty client can't cause this process to block.
      */
-    ret = write_buf(smtp_client_fd, text, strlen(text), PS_SEND_TEXT_TIMEOUT);
-    if (ret < 0 && errno != EPIPE)
+    ret = (write_buf(smtp_client_fd, text, strlen(text),
+                     PS_SEND_TEXT_TIMEOUT) < 0);
+    if (ret != 0 && errno != EPIPE)
         msg_warn("write [%s]:%s: %m", smtp_client_addr, smtp_client_port);
     return (ret);
 }
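Review bot: ps_send_reply() now returns 0 or 1 instead of whatever write_buf() returned, so every caller that tested the old value for `< 0` needs re-checking, and the function's header comment (outside this hunk) should state the new contract, e.g. `/* Returns 0 on success, non-zero after a write error (EPIPE is not logged). */`. The test `if (ret != 0 && errno != EPIPE)` is only valid because no call intervenes between write_buf() and the errno read; if the parenthesized expression is split further, keep that ordering. The XXX comment above stays relevant: the call passes PS_SEND_TEXT_TIMEOUT, which presumably bounds how long a slow client can hold this process, but write_buf()'s semantics are outside the hunk and should be confirmed. The signature of ps_send_reply() and the rest of its body lie outside this hunk.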