postfix-2.10-20120630

postfix/HISTORY

@@ -17865,3 +17865,15 @@ Apologies for any names omitted.
 	Bugfix (introduced: 20120531-617): in the postscreen module
 	for HAproxy sypport, a VSTREAM buffer size request was not
 	LP64-clean.  File: postscreen/postscreen_haproxy.c.
+
+	Cleanup: avoid single-character reads in the postscreen
+	HAproxy module. File: postscreen/postscreen_haproxy.c.
+
+20120628
+
+	Workaround: heuristic to detect missing (ssize_t) type-cast
+	in VSTREAM buffer size requests. File: util/vstream.c.
+
+20120629
+
+	Workaround: "sendmail -bl" emulation. File: sendmail/sendmail.c.

postfix/WISHLIST

@@ -9,16 +9,25 @@ Wish list:
 	Don't forget Apple's code donation for fetching mail from
 	IMAP server.
 
+	mem_pool module for frequently-allocated objects
+	such as postscreen VSTRINGS and STATE objects.
+	Operations: create, put, get, maybe destroy.
+	Call-backs: create, reset, and maybe destroy.
+
 	Make "rename" the default when postmapping a DB file
 	(later: use copy+rename for postmap -i, postmap -d).
 
 	"no-cache" option for selected postscreen tests?
 
-	Need primitive to find out if a map has a local lock.  If
-	it doesn't (like memcache or proxied map), then postscreen
-	etc. don't need to close a cache after "postfix reload".
-	After a fork() it is OK to keep using a memcache or proxymap
-	handle, because the parent exits immediately.
+	Need a new DICT flag to indicate that a map handle supports
+	locking.  If it doesn't (as with memcache or proxymap
+	handles), then postscreen etc. don't need to close a cache
+	file after "postfix reload".  After a fork() it is OK to
+	keep using a memcache or proxymap handle, because the parent
+	exits immediately.  For this to work, the memcache client
+	needs to propagate the flag from a persistent backup map,
+	but the proxymap protocol should not propagate this to the
+	client.
 
 	Different TTL values for different DNSBL sources?
 

postfix/html/mailq.1.html

@@ -93,6 +93,11 @@ SENDMAIL(1)                                                        SENDMAIL(1)
        <b>-bi</b>    Initialize  alias database. See the <b>newaliases</b> com-
               mand above.
 
+       <b>-bl</b>    Go into daemon mode. To accept only  local  connec-
+              tions   as  with  Sendmail's  <b>-bl</b>  option,  specify
+              "<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> = loopback</b>" in the Postfix <a href="postconf.5.html"><b>main.cf</b></a>
+              configuration file.
+
        <b>-bm</b>    Read  mail  from  standard  input  and  arrange for
               delivery.  This is the default mode of operation.
 

postfix/html/newaliases.1.html

@@ -93,6 +93,11 @@ SENDMAIL(1)                                                        SENDMAIL(1)
        <b>-bi</b>    Initialize  alias database. See the <b>newaliases</b> com-
               mand above.
 
+       <b>-bl</b>    Go into daemon mode. To accept only  local  connec-
+              tions   as  with  Sendmail's  <b>-bl</b>  option,  specify
+              "<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> = loopback</b>" in the Postfix <a href="postconf.5.html"><b>main.cf</b></a>
+              configuration file.
+
        <b>-bm</b>    Read  mail  from  standard  input  and  arrange for
               delivery.  This is the default mode of operation.
 

postfix/html/postconf.5.html

@@ -12969,8 +12969,8 @@ feature is available in Postfix 2.1 and later.
 
 <dt><b><a name="reject_invalid_helo_hostname">reject_invalid_helo_hostname</a></b> (with Postfix &lt; 2.3: reject_invalid_hostname)</dt>
 
-<dd>Reject the request when the HELO or EHLO hostname syntax is
-invalid. Note: specify "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes" to fully enforce
+<dd>Reject the request when the HELO or EHLO hostname is malformed.
+Note: specify "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes" to fully enforce
 this restriction (without "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes", a client can simply
 skip <a href="postconf.5.html#reject_invalid_helo_hostname">reject_invalid_helo_hostname</a> by not sending HELO or EHLO).
 <br> The <a href="postconf.5.html#invalid_hostname_reject_code">invalid_hostname_reject_code</a> specifies the response code

postfix/html/sendmail.1.html

@@ -93,6 +93,11 @@ SENDMAIL(1)                                                        SENDMAIL(1)
        <b>-bi</b>    Initialize  alias database. See the <b>newaliases</b> com-
               mand above.
 
+       <b>-bl</b>    Go into daemon mode. To accept only  local  connec-
+              tions   as  with  Sendmail's  <b>-bl</b>  option,  specify
+              "<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> = loopback</b>" in the Postfix <a href="postconf.5.html"><b>main.cf</b></a>
+              configuration file.
+
        <b>-bm</b>    Read  mail  from  standard  input  and  arrange for
               delivery.  This is the default mode of operation.
 

postfix/man/man1/sendmail.1

@@ -82,6 +82,11 @@ Postfix has no persistent host status database.
 .IP \fB-bi\fR
 Initialize alias database. See the \fBnewaliases\fR
 command above.
+.IP \fB-bl\fR
+Go into daemon mode. To accept only local connections as
+with Sendmail\'s \fB-bl\fR option, specify "\fBinet_interfaces
+= loopback\fR" in the Postfix \fBmain.cf\fR configuration
+file.
 .IP \fB-bm\fR
 Read mail from standard input and arrange for delivery.
 This is the default mode of operation.

postfix/man/man5/postconf.5

@@ -8158,8 +8158,8 @@ restriction (without "smtpd_helo_required = yes", a client can
 simply skip check_helo_ns_access by not sending HELO or EHLO). This
 feature is available in Postfix 2.1 and later.
 .IP "\fBreject_invalid_helo_hostname\fR (with Postfix < 2.3: reject_invalid_hostname)"
-Reject the request when the HELO or EHLO hostname syntax is
-invalid. Note: specify "smtpd_helo_required = yes" to fully enforce
+Reject the request when the HELO or EHLO hostname is malformed.
+Note: specify "smtpd_helo_required = yes" to fully enforce
 this restriction (without "smtpd_helo_required = yes", a client can simply
 skip reject_invalid_helo_hostname by not sending HELO or EHLO).
 .br

postfix/proto/postconf.proto

@@ -5432,8 +5432,8 @@ feature is available in Postfix 2.1 and later.
 
 <dt><b><a name="reject_invalid_helo_hostname">reject_invalid_helo_hostname</a></b> (with Postfix &lt; 2.3: reject_invalid_hostname)</dt>
 
-<dd>Reject the request when the HELO or EHLO hostname syntax is
-invalid. Note: specify "smtpd_helo_required = yes" to fully enforce
+<dd>Reject the request when the HELO or EHLO hostname is malformed.
+Note: specify "smtpd_helo_required = yes" to fully enforce
 this restriction (without "smtpd_helo_required = yes", a client can simply
 skip reject_invalid_helo_hostname by not sending HELO or EHLO).
 <br> The invalid_hostname_reject_code specifies the response code

postfix/src/global/mail_version.h

@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20120627"
+#define MAIL_RELEASE_DATE	"20120630"
 #define MAIL_VERSION_NUMBER	"2.10"
 
 #ifdef SNAPSHOT

postfix/src/postscreen/postscreen_endpt.c

@@ -6,11 +6,11 @@
 /* SYNOPSIS
 /*	#include <postscreen.h>
 /*
-/*	void	psc_endpt_lookup(smtp_client_stream,
-/*			void *lookup_done(status, smtp_client_stream,
+/*	void	psc_endpt_lookup(smtp_client_stream, lookup_done)
+/*	VSTREAM	*smtp_client_stream;
+/*	void	(*lookup_done)(status, smtp_client_stream,
 /*				smtp_client_addr, smtp_client_port,
-/*				smtp_server_addr, smtp_server_port))
-/*	VSTRING	*smtp_client_stream;
+/*				smtp_server_addr, smtp_server_port)
 /*	int	status;
 /*	MAI_HOSTADDR_STR *smtp_client_addr;
 /*	MAI_SERVPORT_STR *smtp_client_port;
@@ -18,13 +18,33 @@
 /*	MAI_SERVPORT_STR *smtp_server_port;
 /* DESCRIPTION
 /*	psc_endpt_lookup() looks up remote and local connection
-/*	endpoint information through local system calls or through
-/*	a remote proxy protocol. The lookup_done() call-back routine
-/*	passes the result status, address and port information. The
-/*	result status is -1 in case of error, 0 in case of success.
-/*	This function (and its supporting routines) logs a warning
-/*	in case of error, and never communicates with a remote SMTP
-/*	client.
+/*	endpoint information, either through local system calls,
+/*	or through an adapter for an up-stream proxy protocol.
+/*
+/*	The following summarizes what the postscreen(8) server
+/*	expects from a proxy protocol adapter routine.
+/* .IP \(bu
+/*	Accept the same arguments as psc_endpt_lookup().
+/* .IP \(bu
+/*	Validate protocol, address and port syntax. Permit only
+/*	protocols that are configured with the main.cf:inet_protocols
+/*	setting.
+/* .IP \(bu
+/*	Convert IPv4-in-IPv6 address syntax to IPv4 syntax when
+/*	both IPv6 and IPv4 support are enabled with main.cf:inet_protocols.
+/* .IP \(bu
+/*	Log a clear warning message that explains why a request
+/*	fails.
+/* .IP \(bu
+/*	Never talk to the remote SMTP client.
+/* .PP
+/*	Arguments:
+/* .IP client_stream
+/*	A brand-new stream that is connected to the remote client.
+/* .IP lookup
+/*	Call-back routine that reports the result status, address
+/*	and port information. The result status is -1 in case of
+/*	error, 0 in case of success.
 /* LICENSE
 /* .ad
 /* .fi

postfix/src/postscreen/postscreen_haproxy.c

@@ -6,11 +6,11 @@
 /* SYNOPSIS
 /*	#include <postscreen_haproxy.h>
 /*
-/*	void	psc_endpt_haproxy_lookup(smtp_client_stream,
-/*			void *lookup_done(status, smtp_client_stream,
-/*				smtp_client_addr, smtp_client_port,
-/*				smtp_server_addr, smtp_server_port))
+/*	void	psc_endpt_haproxy_lookup(smtp_client_stream, lookup_done)
 /*	VSTRING	*smtp_client_stream;
+/*	void	(*lookup_done)(status, smtp_client_stream,
+/*				smtp_client_addr, smtp_client_port,
+/*				smtp_server_addr, smtp_server_port)
 /*	int	status;
 /*	MAI_HOSTADDR_STR *smtp_client_addr;
 /*	MAI_SERVPORT_STR *smtp_client_port;
@@ -20,16 +20,6 @@
 /*	psc_endpt_haproxy_lookup() looks up connection endpoint
 /*	information via the haproxy protocol.  Arguments and results
 /*	conform to the postscreen_endpt(3) API.
-/*
-/*	The following summarizes what the Postfix SMTP server expects
-/*	from an up-stream proxy adapter.
-/* .IP \(bu
-/*	Validate address and port syntax. Permit only protocols
-/*	that are configured with the main.cf:inet_protocols
-/*	setting.
-/* .IP \(bu
-/*	Convert IPv4-in-IPv6 address syntax to IPv4 form, when both
-/*	IPv4 and IPv6 support are enabled with main.cf:inet_protocols.
 /* LICENSE
 /* .ad
 /* .fi
@@ -91,9 +81,16 @@ static void psc_endpt_haproxy_event(int event, char *context)
     int     last_char = 0;
     const char *err;
     VSTRING *escape_buf;
+    char    read_buf[HAPROXY_MAX_LEN];
+    ssize_t read_len;
+    char   *cp;
 
     /*
-     * Basic event processing.
+     * We must not read(2) past the <CR><LF> that terminates the haproxy
+     * line. For efficiency reasons we read the entire haproxy line in one
+     * read(2) call when we know that the line is unfragmented. In the rare
+     * case that the line is fragmented, we fall back and read(2) it one
+     * character at a time.
      */
     switch (event) {
     case EVENT_TIME:
@@ -101,6 +98,20 @@ static void psc_endpt_haproxy_event(int event, char *context)
 	status = -1;
 	break;
     case EVENT_READ:
+	/* Determine the initial VSTREAM read(2) buffer size. */
+	if (VSTRING_LEN(state->buffer) == 0) {
+	    if ((read_len = recv(vstream_fileno(state->stream),
+			      read_buf, sizeof(read_buf) - 1, MSG_PEEK)) > 0
+		&& ((cp = memchr(read_buf, '\n', read_len)) != 0)) {
+		read_len = cp - read_buf + 1;
+	    } else {
+		read_len = 1;
+	    }
+	    vstream_control(state->stream, VSTREAM_CTL_BUFSIZE, read_len,
+			    VSTREAM_CTL_END);
+	}
+	/* Drain the VSTREAM buffer, otherwise this pseudo-thread will hang. */
+	do {
 	    if ((last_char = VSTREAM_GETC(state->stream)) == VSTREAM_EOF) {
 		if (vstream_ferror(state->stream))
 		    msg_warn("haproxy read: %m");
@@ -115,6 +126,7 @@ static void psc_endpt_haproxy_event(int event, char *context)
 		break;
 	    }
 	    VSTRING_ADDCH(state->buffer, last_char);
+	} while (vstream_peek(state->stream) > 0);
 	break;
     }
 
@@ -174,18 +186,6 @@ void    psc_endpt_haproxy_lookup(VSTREAM *stream,
     state->notify = notify;
     state->buffer = vstring_alloc(100);
 
-    /*
-     * We don't assume that the haproxy line will be unfragmented. Therefore,
-     * we use read(2) instead of recv(..., MSG_PEEK).
-     * 
-     * We must not read(2) past the <CR><LF> that terminates the haproxy line.
-     * Therefore we force one-character read(2) calls.
-     * 
-     * We want to (eventually) build this on top of a reusable line read
-     * routine, once we have figured out an easy-to-use and efficient API.
-     */
-    vstream_control(stream, VSTREAM_CTL_BUFSIZE, 1, VSTREAM_CTL_END);
-
     /*
      * Read the haproxy line.
      */

postfix/src/sendmail/sendmail.c

@@ -76,6 +76,11 @@
 /* .IP \fB-bi\fR
 /*	Initialize alias database. See the \fBnewaliases\fR
 /*	command above.
+/* .IP \fB-bl\fR
+/*	Go into daemon mode. To accept only local connections as
+/*	with Sendmail\'s \fB-bl\fR option, specify "\fBinet_interfaces
+/*	= loopback\fR" in the Postfix \fBmain.cf\fR configuration
+/*	file.
 /* .IP \fB-bm\fR
 /*	Read mail from standard input and arrange for delivery.
 /*	This is the default mode of operation.
@@ -1182,6 +1187,7 @@ int     main(int argc, char **argv)
 	    default:
 		msg_fatal_status(EX_USAGE, "unsupported: -%c%c", c, *optarg);
 	    case 'd':				/* daemon mode */
+	    case 'l':				/* daemon mode */
 		if (mode == SM_MODE_FLUSHQ)
 		    msg_warn("ignoring -q option in daemon mode");
 		mode = SM_MODE_DAEMON;

postfix/src/smtpd/smtpd_haproxy.c

@@ -15,12 +15,12 @@
 /*	The following summarizes what the Postfix SMTP server expects
 /*	from an up-stream proxy adapter.
 /* .IP \(bu
-/*	Validate address and port syntax. Permit only protocols
-/*	that are configured with the main.cf:inet_protocols
+/*	Validate protocol, address and port syntax. Permit only
+/*	protocols that are configured with the main.cf:inet_protocols
 /*	setting.
 /* .IP \(bu
-/*	Convert IPv4-in-IPv6 address syntax to IPv4 syntax, when
-/*	both IPv4 and IPv6 support are enabled with main.cf:inet_protocols.
+/*	Convert IPv4-in-IPv6 address syntax to IPv4 syntax when
+/*	both IPv6 and IPv4 support are enabled with main.cf:inet_protocols.
 /* .IP \(bu
 /*	Update the following session context fields: addr, port,
 /*	rfc_addr, addr_family, dest_addr. The addr_family field
@@ -30,7 +30,10 @@
 /*	mystrdup(). In case of error, leave unassigned string fields
 /*	at their initial zero value.
 /* .IP \(bu
-/*	Log warnings in case of data format error.
+/*	Log a clear warning message that explains why a request
+/*	fails.
+/* .IP \(bu
+/*	Never talk to the remote SMTP client.
 /* .PP
 /*	Arguments:
 /* .IP state
@@ -113,7 +116,7 @@ int     smtpd_peer_from_haproxy(SMTPD_STATE *state)
     case 0:
 	if (smtp_get(state->buffer, state->client, HAPROXY_MAX_LEN,
 		     SMTP_GET_FLAG_NONE) != '\n') {
-	    msg_warn("haproxy line > %d characters", HAPROXY_MAX_LEN);
+	    msg_warn("haproxy read: line > %d characters", HAPROXY_MAX_LEN);
 	    return (-1);
 	}
 	if ((proxy_err = haproxy_srvr_parse(STR(state->buffer),

postfix/src/util/pass_accept.c

@@ -73,7 +73,7 @@ int     pass_accept(int listen_fd)
     }
 }
 
-/* pass_accept_attr - accept attribute list and descriptor */
+/* pass_accept_attr - accept descriptor and attribute list */
 
 int     pass_accept_attr(int listen_fd, HTABLE **attr)
 {

postfix/src/util/vstream.c

@@ -1478,8 +1478,9 @@ void    vstream_control(VSTREAM *stream, int name,...)
 	     */
 	case VSTREAM_CTL_BUFSIZE:
 	    req_bufsize = va_arg(ap, ssize_t);
-	    if (req_bufsize < 0)
-		msg_panic("VSTREAM_CTL_BUFSIZE with negative size: %ld",
+	    /* Heuristic to detect missing (ssize_t) type cast on LP64 hosts. */
+	    if (req_bufsize < 0 || req_bufsize > INT_MAX)
+		msg_panic("unreasonable VSTREAM_CTL_BUFSIZE request: %ld",
 			  (long) req_bufsize);
 	    if (req_bufsize > 0 && stream != VSTREAM_ERR)
 		stream->req_bufsize = req_bufsize;