From e4fe320b10f59fdd3c02df40ad6d208373f0fe3b Mon Sep 17 00:00:00 2001
From: Wietse Venema
Date: Mon, 17 Jan 2011 00:00:00 -0500
Subject: [PATCH] postfix-2.8.0-RC2

---
 postfix/HISTORY | 22 +
 postfix/RELEASE_NOTES | 30 +-
 postfix/WISHLIST | 613 ----------------------
 postfix/html/postconf.5.html | 8 +-
 postfix/man/man5/postconf.5 | 7 +-
 postfix/proto/postconf.proto | 8 +-
 postfix/src/global/mail_params.h | 8 -
 postfix/src/global/mail_version.h | 4 +-
 postfix/src/postscreen/postscreen.c | 19 +-
 postfix/src/postscreen/postscreen.h | 6 +-
 postfix/src/postscreen/postscreen_state.c | 4 +-
 postfix/src/tlsproxy/tlsproxy.c | 2 +-
 postfix/src/util/sys_defs.h | 12 +-
 postfix/src/util/watchdog.c | 1 +
 14 files changed, 91 insertions(+), 653 deletions(-)
 delete mode 100644 postfix/WISHLIST

diff --git a/postfix/HISTORY b/postfix/HISTORY
index 5551d5577..fb9db51c4 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -16471,3 +16471,25 @@ Apologies for any names omitted.
 Cleanup: documentation, in preparation for the Postfix 2.8 stable release.
+
+20110117
+
+ Bugfix (introduced Postfix alpha, or thereabouts): on HP-UX
+ the Postfix event engine was deaf for SIGALRM signals.
+ Symptoms were killed processes when the watchdog timeout
+ was less than max_idle. The fix is the same as Solaris fix
+ 20110109. Since we can't know what other systems need this,
+ the workaround is enabled by default. Files: util/sys_defs.h.
+
+ Cleanup: "smtpd_tls_eecdh_grade = strong" by default, instead
+ of snapshot-only. File: global/mail_params.h, proto/postconf.proto.
+
+ Cleanup: missing "#include " in util/watchdog.c.
+
+ Bugfix: when compiled without -DUSE_TLS, tlsproxy used the
+ wrong server skeleton (multi_server instead of event_server).
+ File: tlsproxy/tlsproxy.c.
+
+ Workaround: added a panic check for code that is mis-compiled
+ by the HP-UX compiler. File: postscreen/postscreen.c,
+ postscreen/postscreen.h, postscreen/postscreen_state.c.
diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES
index 632904bf0..536b59576 100644
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@@ -14,6 +14,31 @@ specifies the release date of a stable release or snapshot release.
 If you upgrade from Postfix 2.6 or earlier, read RELEASE_NOTES-2.7 before proceeding.
+Major changes - restart Postfix
+-------------------------------
+
+If you upgrade from Postfix 2.6 or earlier, you must execute "postfix
+stop" and "postfix start" before you can use the postscreen(8)
+daemon. This is needed because the Postfix 2.6 "pass" master service
+type did not work reliably on some systems.
+
+If you upgrade from Postfix 2.7, or from Postfix 2.8 before July
+25, 2010, you must execute "postfix reload" (or "postfix stop"
+followed by "postfix start"). This is needed because the queue
+manager to delivery agent protocol has changed. Failure to do this
+results in repeated logging of warnings with:
+
+ warning: unexpected attribute rewrite_context ...
+
+If the warning does not go away after restarting Postfix, examine
+the output from this command:
+
+ strings -af /usr/libexec/postfix/* | grep mail_version=
+
+(where /usr/libexec/postfix is the value of main.cf:daemon_directory)
+and update the executables that have a version string that differs
+from the other programs.
+
 Major changes - DNSBL/DNSWL support
 -----------------------------------
@@ -324,11 +349,6 @@ parameter specifies how long to keep an expired entry in the cache.
 This prevents a client from being logged as "NEW" after its record expired only a little while ago.
-[Incompat 20091008] If you upgrade from Postfix 2.6 or earlier, you
-must stop and start the Postfix master daemon before you can use
-the postscreen(8) daemon. This is needed because the Postfix 2.6
-"pass" master service type did not work reliably on some systems.
-
 [Feature 20091008] Prototype postscreen(8) server that runs a number of time-consuming checks in parallel for all incoming SMTP connections, before clients are allowed to talk to a real Postfix SMTP server.
diff --git a/postfix/WISHLIST b/postfix/WISHLIST
deleted file mode 100644
index 7004a33b3..000000000
--- a/postfix/WISHLIST
+++ /dev/null
@@ -1,613 +0,0 @@ -Wish list: - - Things to do before the stable release: - - Remove this file from the stable release. - - Things to do after the stable release: - - When does it pay off to send domains in the active queue - to a DNS prefetch daemon? Could this generalize to a dynamic - transport map that piggy-backs domains with the same MX - host into the same mail delivery transaction? - - inline table where the "whitespace replacement" character - is specified in-line. Ex: inline:XYname1Xvalue1Yname2Xvalue2 - would instantiate a table with (name1, value1) and (name2, - value2). I'm afraid this is just too ugly. - - tlsproxy(8) should receive TLS preferences from postscreen(8) - and smtpd(8), instead of reading them from main.cf. This - means that many tlsproxy_ parameters become postscreen_ - parameters, and that tls_server_init() parameters move to - to tls_server_start(). That is a significant API change. - - anvil rate limit for sasl_username. - - Encapsulate nbbio buffer access and update by tlsproxy. - - Full-duplex support for tlsproxy(8). This requires updating - events(3) and nbbio(3). - - Register automagic destructor for object attached to VSTREAM. - - smtpd xclient option for sasl_username. - - Use different ipc time limits for email message transactions - (smtpd, pickup)->cleanup and for quick query/reply transactions - such as address rewriting/resolution. Beware of large time - limits for local or virtual alias expansion. - - permit_tempfail_action (default: defer_if_reject) to be - used as the default value for dnswl_tempfail_action and - rhswl_tempfail_action. Steal liberally from the code that - implements unverified_recipient_tempfail_action etc. - - Support filtering of messages that are generated by Postfix: - This would apply to postmaster notices and bounce messages - (DKIM), and address verification (BATV). 
- - As postscreen implements more ESMTP keywords, need to copy - inter-operability features from smtpd to filter keywords - and command syntax. - - Consistency: in postconf.proto make
..
tags bold. - - postscreen(8): listen on multiple IP addresses and enforce - that the client contacts the primary MX address first (i.e. - punish hosts that contact the secondary before the primary). - The downside with any approach that relies on temporary - punishment is that it does not scale to configurations - with multiple equal-preference MX hosts. Such hosts would - have to share the postscreen cache, causing an unacceptable - performance bottleneck and a single point of failure. - - According to a paper by Ted Unangst at BSDCON09, kqueue - reports state changes, i.e. kqueue indicates when the socket - becomes readable. Specifically, he writes when kqueue reports - a socket becomes readable but no data is read from that - socket, later kqueue calls won't report the socket as - readable. That's not what happens on FreeBSD 8.0, where - kqueue will keep reporting the socket as readable when - nothing is read. Also, FreeBSD 8.0 kqueue still reports - the socket as readable after a read operation does not empty - the kernel buffer. We need a test program for this that - repeats these tests with OpenBSD and NetBSD (and MacOS X - once they fix their kqueue implementation). - - Would it help if there were different cleanup_service - parameter names for different message paths? smtpd(8) uses - the same cleanup_service value for receiving remote mail - and for submitting postmaster problem reports. Do we need - separate mumble_cleanup_service_name parameters for "inject", - "notify" and "forward" (with backwards compatible defaults)? - - IF/ENDIF support for CIDR tables. - - Make postconf aware of magical suffixes (the ones that - combine with transport names) and show them in "postconf - -n" output. Making this work with "postconf -d" is trickier. - - Need a regular expression table to translate address - verification responses into hard/soft/accept reply codes. - - Is there a way to make sendmail -V work after local alias - expansion? 
Majordomo-like mailing lists would benefit from - this; the example in VERP_README does not work in the general - case. - - When an alias is a member of an :include: list with owner- - alias, local(8) needs an option to deliver alias or alias->user - indirectly. What happens when an :include: list with owner- - alias includes another list? - - Don't allow empty result values in pcre and regexp maps. - Postfix doesn't allow them anywhere else (check this). - - Make PCRE_MAX_CAPTURE configurable. - - Add some checks for tokens starting with #. A challenge - is to report sensible context from the guts of some low-level - parser, without introducing a great deal of clumsiness. - - Add sendmail macros for {verify} and maybe other TLS info. - - Find out if we are doing the correct thing by looking at - state->milter_reject_text when expanding {rcpt_addr} or - {rcpt_host}. - - Find out why post_mail() etc. block when the qmgr fifo is - full (answer: trigger_timeout). How can this cause delays - in the queue manager? When a recipient bounces during - (transport, nexthop, address) resolution, it is redirected - to the error or retry mailer; and bounce-after-delivery is - asynchrounous so it can't block the queue manager, either. - - Add smtpd_sender_login_maps to proxy_read_maps, and make - sure that defaults are set before proxy_read_maps is - evaluated. What other parameters are worthy of being - whitelisted for proxy access? Is there a way to automate - this decision? - - How to ensure that proxy_read_maps is processed after all - its dependencies are initialized, or just bite the bullet - and rewrite the parameter initialization code. - - The cleanup virtual alias expansion limit does not really - deliver on its promises. 1) It promises to truncate the - result without aborting delivery, which would be undesirable - anyway, but that is not what it does, so that is good. 
2) - It keeps all the recipients from multi-recipient database - lookup, then terminates further recursion when the result - exceeds the expansion limit. This behavior achieves the - original goal that all things shall have a finite size (even - though but we don'really care how large they are) but may - result in surprises when recipients are listed in virtual - alias domains or need expansion for other reasons. In a - phone call with Victor, a reasonable way out is to set the - limit to some large number (100000) and abort delivery when - the result exceeds the limit. - - Should the postscreen save permanent white/black list lookup - results to the temporary cache, and query the temporary - cache first? Skipping white/black list lookups will speed - up the handling of "good" clients without a permanent - whitelist entry. Of course, this means that updates to the - white/black lists do not immediately take effect. Workarounds: - 1) use a shorter temporary cache TTL for clients on the - permanent black/white lists; 2) ignore cached white/black - list lookup results after "postfix reload"; 2) adjust the - logging, for example "WHITELISTED address (cached)" and - "BLACKLISTED address (cached)" to eliminate surprises. - Comparing the cache entry time with the white/blacklist - file modification time is not foolproof: for example, pcre - or CIDR tables are read only once. - - It would be nice if the generic dict_cache(3) cache manager - could postpone process suicide until cache cleanup is - completed (but that is not possible when postscreen forks - into the background to finish already-accepted connections, - and it is not desirable when a host is being shut down). - - When postscreen drops a connection, a 521 "greeting" should - be of the form "521 servername..." and not have an enhanced - status code. The "521 5.7.1" form can be used after EHLO. - Of course no spammer is going to complain about Postfix - SMTP compliance. 
- - Find a place to document all the mail routing mechanisms - in one place so people can figure out how Postfix works. - - Investigate viability of Sendmail socket maps (the moral - equivalent of tcp_table(5)), and dns maps. - - The access map BCC action is marked "not stable", perhaps - because people would also expect BCC actions in header/body_checks. - How much would it take to make the queue file editing code - generally usable? - - Move smtpd_command_filter into smtpd_chat_query() and update - the session transcript (see smtp_chat_reply() for an example). - - SMTP connection caching without storing connections, to - improve TLS mail delivery performance. - - postscreen has separate socket budgets for whitelisted - clients and for other clients. If we add a dummy SMTP engine - then we extend the session length for non-whitelisted clients - and need to increase the socket budget (or create a new - budget class, which complicates the user interface). - - Should not milter8_mail_event() unset the "hold" default - reply? Better, the default reply should not be used for - this purpose. - - Unescape the pregreeter's HELO command argument so that - don't show up as ??. - - Make postscreen logging easier. Always log connect, then log - why the connection is or is not forwarded. - - Don't send MASTER_STAT_TAKEN/MASTER_STAT_AVAIL when a server - runs with process limit of 1. But this means the master - never learns that the process is successful and will always - pause $service_throttle_time before restarting a failed service. - - Don't bother maintaining a per-service lockfile when a - server runs with process limit of 1. The purpose of the - lockfile is to avoid thundering herd problems when the kernel - wakes up multiple processes for each new client connection. - - Concurrency/speed-matching: invoke a before-queue (smtpd_proxy) - filter after the entire message is received, so that fewer - filter processes will be running simultaneously. 
In some - parts of the world, after-queue filtering is problematic. - - This is different than the MailChannels patented solution - to multiplex many slow SMTP connections over a few fast - SMTP connections. We simply postpone opening the connection - to the filter, and rely on the before-filter SMTP server - to reject invalid recipients. MailChannels uses one - connection-to-MTA to discover invalid recipients, receives - the email message with a potentially reduced bitrate, and - then uses another connection-to-MTA to deliver the message - quickly. - - Implement PREPEND action for milter_header_checks. Save the - to-be-prepended text to buffer, then emit it along with the - new header. - - Fix the header_body_checks API, so that the name of the map - class (e.g. milter_header_checks) is available for logging. - - Fix the mime_state and header_body_checks APIs, so that - they use VSTRINGs. This simplifies REPLACE actions. - - Update FILTER_README for multi-instance support, and rename - the old document to FILTER_LEGACY_README. - - Need to sign delivery status notifications, to avoid surprises - when eventually people start enforcing DKIM etc. signatures. - - Either document or remove the internal_mail_filter_classes - feature (it's disabled by default). - - "postconf -N" option to print user-defined parameter names - (these have no defaults, since they exist only when - specified in main.cf or with "-o name=value"). - - Make the "unknown recipient" test configurable as - first|last|never, with "yes"=="last" for backwards - compatibility. The "first" setting is good for performance - (stress=yes) when all users are defined in local files; but - it may perform worse when users are in networked tables. - - Cleanup: make DNSBL query format configurable beyond the - client's reversed IP address. - - With 'final delivery' in the LMTP client, need an option - to also add delivered-to and other pipe(8) features. 
This - requires making mail_copy() functionality available in - non-mailbox context. - - Cleanup: modernize the "add missing 
From: header" code, to - ``phrase '' form. Most likely, quote the entire phrase - if it contains any text that is special, then rfc822_externalize - the whole thing. - - SMTP server: make the server_addr and server_port available - to policy server, Dovecot, and perhaps Milters. - - Med: local and remote source port and IP address for smtpd - policy hook. - - Maybe change maps_rbl_reject_code default to 521, and - update wording in STRESS_README. - - Encapsulate time_t comparisons so that they can be made - system dependent (use difftime() where available). - - Encapsulate time_t conversions (e.g. REC_TYPE_TIME) so that - they can be made system dependent. - - Plan for time_t larger than long, or wait for LP64 to - dominate the world? - - Make "AUTH=<>" appendage to MAIL FROM configurable, enabled - by default. - - To support ternary operator without a huge parsing effort, - consider ${value?{xxx}:{yyy}} where ${name} is existing - syntax, and where ?{text} and :{text} are new syntax that - is unlikely to break existing configurations. Or perhaps - it's just too ugly. - - Write delivery rate delay example (which _README?) and auth - failure cache example (SASL_README). Then include them in - SOHO_README. - - Look for alternatives for the use of non_smtpd_milters. - This involves some way to force local submissions to go - through a local SMTP client and server, without triggering - "mail loops back to myself" false alarms. The advantage is - that it makes smtpd_mumble_restrictions available for local - and remote mail; the disadvantage is that it makes local - submissions more dependent on networking. One possibility - is to use "pickup -o content_filter=smtp:127.0.0.1:10025", - or a dedicated SMTP client/server on UNIX-domain sockets; - we could also decide to always suppress "mail loop" detection - for loopback connections. 
Another option is to have the - pickup or cleanup server drive an SMTP client directly; - this would require extension of the mail_stream() interface, - plus a way to handle bounced/deferred recipients intelligently, - but it would be at odds with Postfix design where delivery - agents access queue files directly; exposing delivery agents - to raw queue files violates another Postfix design principle. - - Consolidate duplicated code in *_server_accept_{pass,inet}(). - - Consolidate duplicated code in {inet,unix,upass}_trigger.c. - - In the SMTP client, handle 421 replies in smtp_loop() by - having the input function raise a flag after detecting 421 - (kill connection caching and be sure to do the right thing - with RSET probes), leave the smtp_loop() per-command reply - handlers unchanged, and have the smtp_loop() reader loop - bail out with smtp_site_fail("server disconnected after - %s", where), but only in the case that it isn't already in - the final state. But first we need to clean up the handling - of do/don't cache, expired, bad and dead sessions. - - Combine smtpd_peer.c and qmqpd_peer.c into a single function - that produces a client context object, and provide attribute - print/scan routines that pass these client context objects - around. With this, we no longer have to update multiple - pieces of code when a client attribute is added. Ditto for - SASL and TLS context. - - Make TLS_BIO_BUFSIZE run-time adjustable, to future-proof - Postfix for remote connections with MSS > 8 kbytes. - - Don't log "warning: XXXXX: undeliverable postmaster - notification discarded" for spam from outside. - - Really need a cleanup driver that allows testing against - Milter applications instead of synthetic events. This would - have to provide stubs for clients that talk to Postfix - daemon processes. See if this approach can also be used for - other daemons. 
- - smtpd(8) exempts $address_verify_sender from access controls, - but it doesn't know whether cleanup(8) or delivery agents - modify the sender. Would it be possible to "calibrate" this - exemption, perhaps by having delivery agents pass the probe - sender to the verify server, keeping in mind that the probe - sender may differ per delivery agent due to output rewriting. - - Update attr_print/scan() so they can send/receive file - descriptors. This simplifies kludgy code in many daemons. - - Would there be a problem adding $smtpd_mumble_restrictions - and $smtpd_sender_login_maps to the default proxy_read_maps - settings? - - Remove defer(8) and trace(8) references and man pages. These - are services not program names. On the other hand we have - man pages for lmtp(8) and smtp(8), but not for relay(8). - Likewise, retry(8) does not have a man page. - - Bind all deliveries to the same local delivery process, - making Postfix perform as poorly as monolithic mailers, but - giving a possibility to eliminate duplicate deliveries. - - Maybe declare loop when resolve_local(mxhost) is true? - - Update message content length when adding/removing headers. - - Need scache size limit. - - Make postcat header/body aware so people can grep headers. - What headers? primary, mime, nested? What body? Does it - include the mime and attached headers? - - REDIRECT should override original recipient info, and - probably override DSN as well. - - Find out if with Sendmail, a Milter "add recipient" request - results in NOTIFY=NONE as Postfix does now. - - Update FILTER_README with mailing list suggestions to tag - with a badness indicator and then filter down-stream. - - Make null local-part handling configurable: either expand - into mailer-daemon (current bahavior) or disallow (strict - behavior, currently implemented only in the SMTP server). 
- - The type of var_message_limit (and other file size/offset - configuration parameters or internal protocol attributes) - should be changed from int to off_t. This also requires - checking all expressions in which var_message_limit etc. - appears: qmqpd, netstring, deliver_request, ... - - Add M flag (enable multi-recipient delivery) to pipe daemon. - - The usage of TLScontext->cache_type is unclear. It specifies - a TLS session cache type (smtpd, smtp, or lmtp), but it is - sometimes used as an indicator that TLS session caching is - unavailable. In reality, that decision is made by not - registering call-back functions for cache maintenance. - - Postfix TLS library code should copy any strings that it - receives from the application, instead of passing them - around as pointers. TLScontext->cache_type is a case in - point. - - Are transport:nexthop null fields the same as in the case - of default_transport etc. parameters? - - Don't lose bits when converting st_dev into maildir file - name. It's 64 bits on Linux. Found with the BEAM source - code analyzer. Is this really a problem, or are they just - using 64 bits for upwards compatibility with LP64 systems? - - Do or don't introduce unknown_reverse_client_reject_code. - - Check that "UINT32 == unsigned int" choice is ok (i.e. LP64 - UNIX). - - Tempfail when a Milter application tries to negotiate content - access, while it is configured in an SMTP server that runs - before the smtpd_proxy filter. - - Log DSN original recipient when rejecting mail. - - Keep whitespace between label and ":"? - - Make the map case folding/locking options configurable, if - not at run-time then at least at compile time so we get - consistent behavior across applications. - - Investigate what it would take to eliminate oqmgr, and to - make the old behavior configurable in a unified queue - manager. This would shave another 2.7 KLOC from the source - footprint. - - Document the case folding strategy for match_list like - features. 
- - Eliminate the (incoming,deferred)->active rename operation. - This requires an in-memory hash of queue file names to avoid - duplicate open() operations. - - Softbounce fallback-to-ISP for SOHO users. This heuristic - assumes that when direct-to-MX delivery fails with 5XX, - delivery via the ISP may still succeed. This could be - implemented by enabling soft bounces for destinations other - than the smtp_fallback_relay. So the only benefit of this - over the existing soft_bounce feature is that it has no - effect on smtp_fallback_relay deliveries. - - Centralize main.cf parameter input so that defaults work - consistently. What about parameter names that are prefixed - with mail delivery transport names? - - Fix default time unit handling so that we can have a default - bounce lifetime of $maximal_queue_lifetime, without causing - panics when a non-default maximal_queue_lifetime setting - includes no time unit. - - After the 20051222 ISASCII paranoia, lowercase() lowercases - ASCII text only. - - Privacy: remove local command/pathname details from remote - delivery status reports, and log them via local msg_warn(). - - Is it safe to cache a connection after it has been used for - more than some number of address verification probes? - - Try to recognize that Resent- headers appear in blocks, - newest block first. But don't break on incorrect header - block organization. - - Hard limits on cache sizes (anvil, specifically). - - Laptop friendliness: make the qmgr remember when the next - deferred queue scan needs to be done, and have the pickup - server stat() the maildrop directory before searching it. - - Low: replace_sender/replace_recipient actions in access - maps, so they can be used in policy servers? - - Low: configurable order of local(8) delivery methods. - - Med: smtp_connect_timeout_budget (default: 3x smtp_connect_timeout) - to limit the total time spent trying to connect. 
- - Med: transform IPv4-in-IPv6 address literals to IPv4 form - when comparing against local IP addresses? - - Med: transform IPv4-in-IPv6 address literals to IPv4 form - when eliminating MX mailer loops? - - Med: Postfix requires [] around IPv6 address information - in match lists such as mynetworks, debug_peer_list etc., - but the [] must not be specified in access(5) maps. Other - places don't care. For now, this gotcha is documented in - IPV6_README and in postconf(5) with each feature that may - use IPv6 address information. The general recommendation - is not to use [] unless absolutely necessary. - - Med: the partial address matching of IPv6 addresses in - access(5) maps is a bit lame: it repeatedly truncates the - last ":octetpair" from the printable address representation - until a match is found or until truncation is no longer - possible. Since one or more ":" are usually omitted from - the printable IPv6 address representation, this does not - really try all the possibilities that one might expect to - be tried. For now, this gotcha is documented in access(5). - - Low: reject HELO with any domain name or IP address that - this MTA is the final destination for. - - Low: should the Delivered-To: test in local(8) be configurable? - - Low: make mail_addr_find() lookup configurable. - - Low: update events.c so that 1-second timer requests do not - suffer from rounding errors. This is needed for 1-second - SMTP session caching time limits. A 1-second interval would - become arbitrarily short when an event is scheduled just - before the current second rolls over. - - Low: configurable internal/system locking method. - - Low: add INSTALL section for pre-existing Postfix systems. - - Low: add INSTALL section for pre-existing RPM Postfixes. - - Low: disallow smtpd_recipient_limit < 100 (the RFC minimum). - - Low: noise filter: allow smtp(8) to retry immediately if - all MXes return a quick ECONNRESET or 4xx reply during the - initial handshake. Retry once? 
How many times? - - Low: make post-install a "postfix-only script" so it can - take data from the environment instead of main.cf. - - Low: randomize deferred mail backoff. - - Med: separate ulimit for delivery to command? - - Med: postsuper -r should do something with recipients in - bounce logfiles, to make sure the sender will be notified. - To be perfectly safe, no process other than the queue manager - should move a queue file away from the active queue. - - This could involve tagging a queue file, and use up another - permission bit (postsuper tags a "hot" file, qmgr requeues it). - - Low: postsuper re-run after renaming files, but only a - limited number of times. - - Low: smtp-source may block when sending large test messages. - - Med: find a way to log the sender address when MAIL FROM - is rejected due to lack of disk space. - - Low: revise other local delivery agent duplicate filters. - - Low: all table lookups should consistently use internalized - (unquoted) or externalized (quoted) forms as lookup keys. - smtpd, qmgr, local, etc. use unquoted address forms as keys. - cleanup uses quoted forms. - - Low: have a configurable list of errno values for mailbox - or maildir delivery that result in deferral rather than - bouncing mail. What about "killed by signal" exits? - - Low: after reorganizing configuration parameters, add flags - to all parameters whose value can be read from file. - - Medium: need in-process caching for map lookups. LDAP servers - seem to need this in particular. Need a way to expire cached - results that are too old. - - Low: generic showq protocol, to allow for more intelligent - processing than just mailq. Maybe marry this with postsuper. - - Low: default domain for appending to unqualified recipients, - so that unqualified names can be delivered locally. - - Low: The $process_id_directory setting is not used anywhere - in Postfix. Problem reported by Michael Smith, texas.net. 
- This should be documented, or better, the code should warn - about attempts to set read-only parameters. - - Low: postconf -e edits parameters that postconf won't list. - - Low: while converting 8bit text to quoted-printable, perhaps - use =46rom to avoid having to produce >From when delivering - to mailbox. - - virtual_mailbox_path expression like forward_path, so that - people can specify prefix and suffix. diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index b879d0a45..548eb615f 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -14177,14 +14177,14 @@ Diffie-Hellman (EECDH) key exchange.

none
Don't use EECDH. Ciphers based on EECDH key -exchange will be disabled. This is the default in official Postfix -releases (mail_version = major.minor.patchlevel).
+exchange will be disabled. This is the default in Postfix versions +2.6 and 2.7.
strong
Use EECDH with approximately 128 bits of security at a reasonable computational cost. This is the current best-practice trade-off between security and computational -efficiency. This is the default in Postfix snapshot releases -(mail_version = major.minor-releasedate).
+efficiency. This is the default in Postfix version 2.8 and later. +
ultra
Use EECDH with approximately 192 bits of security at computational cost that is approximately twice as high diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 994b6b3ef..ac9bfab21 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -8988,14 +8988,13 @@ Diffie-Hellman (EECDH) key exchange. The available choices are: .IP "\fBnone\fR" Don't use EECDH. Ciphers based on EECDH key -exchange will be disabled. This is the default in official Postfix -releases (mail_version = major.minor.patchlevel). +exchange will be disabled. This is the default in Postfix versions +2.6 and 2.7. .IP "\fBstrong\fR" Use EECDH with approximately 128 bits of security at a reasonable computational cost. This is the current best-practice trade-off between security and computational -efficiency. This is the default in Postfix snapshot releases -(mail_version = major.minor-releasedate). +efficiency. This is the default in Postfix version 2.8 and later. .IP "\fBultra\fR" Use EECDH with approximately 192 bits of security at computational cost that is approximately twice as high diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 4e6df6662..3797966c6 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -11739,14 +11739,14 @@ Diffie-Hellman (EECDH) key exchange.

none
Don't use EECDH. Ciphers based on EECDH key -exchange will be disabled. This is the default in official Postfix -releases (mail_version = major.minor.patchlevel).
+exchange will be disabled. This is the default in Postfix versions +2.6 and 2.7.
strong
Use EECDH with approximately 128 bits of security at a reasonable computational cost. This is the current best-practice trade-off between security and computational -efficiency. This is the default in Postfix snapshot releases -(mail_version = major.minor-releasedate).
+efficiency. This is the default in Postfix version 2.8 and later. +
ultra
Use EECDH with approximately 192 bits of security at computational cost that is approximately twice as high
diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h
index 61f914c06..15d6394b7 100644
--- a/postfix/src/global/mail_params.h
+++ b/postfix/src/global/mail_params.h
@@ -1281,11 +1281,7 @@ extern char *var_smtpd_tls_dh512_param_file;
 extern char *var_smtpd_tls_dh1024_param_file;
 #define VAR_SMTPD_TLS_EECDH "smtpd_tls_eecdh_grade"
-#ifdef SNAPSHOT
 #define DEF_SMTPD_TLS_EECDH "strong"
-#else
-#define DEF_SMTPD_TLS_EECDH "none"
-#endif
 extern char *var_smtpd_tls_eecdh;
 #define VAR_SMTPD_TLS_LOGLEVEL "smtpd_tls_loglevel"
@@ -3557,11 +3553,7 @@ extern char *var_tlsp_tls_dh512_param_file;
 extern char *var_tlsp_tls_dh1024_param_file;
 #define VAR_TLSP_TLS_EECDH "tlsproxy_tls_eecdh_grade"
-#ifdef SNAPSHOT
 #define DEF_TLSP_TLS_EECDH "$" VAR_SMTPD_TLS_EECDH
-#else
-#define DEF_TLSP_TLS_EECDH "$" VAR_SMTPD_TLS_EECDH
-#endif
 extern char *var_tlsp_tls_eecdh;
 #define VAR_TLSP_TLS_LOGLEVEL "tlsproxy_tls_loglevel"
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index c7efd0d08..e9df97954 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,8 +20,8 @@
 * Patches change both the patchlevel and the release date. Snapshots have no
 * patchlevel; they change the release date only.
 */
-#define MAIL_RELEASE_DATE "20110116"
-#define MAIL_VERSION_NUMBER "2.8.0-RC1"
+#define MAIL_RELEASE_DATE "20110117"
+#define MAIL_VERSION_NUMBER "2.8.0-RC2"
 #ifdef SNAPSHOT
 # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
diff --git a/postfix/src/postscreen/postscreen.c b/postfix/src/postscreen/postscreen.c
index 7fcc3edbf..8df426924 100644
--- a/postfix/src/postscreen/postscreen.c
+++ b/postfix/src/postscreen/postscreen.c
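Review bot: The non-snapshot default of DEF_SMTPD_TLS_EECDH silently moves from "none" to "strong" on the kept `#define DEF_SMTPD_TLS_EECDH "strong"` line once the `#ifdef SNAPSHOT` branches are removed, and nothing in the header records that this is a compatibility change; the postconf documentation hunks in this same commit state that 2.6 and 2.7 defaulted to "none". A one-line comment above the define, `/* "strong" since Postfix 2.8; 2.6 and 2.7 defaulted to "none". */`, would let a reader of mail_params.h see the change of default without consulting postconf(5). The DEF_TLSP_TLS_EECDH hunk needs no such comment, since both removed branches were identical and the effective default is unchanged.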
@@ -416,7 +416,7 @@ int var_psc_post_queue_limit;
 int var_psc_pre_queue_limit;
 int var_psc_watchdog;
-#undef MIGRATION_WARNING
+#define MIGRATION_WARNING
 #ifdef MIGRATION_WARNING
 char *var_psc_wlist_nets;
@@ -487,8 +487,8 @@ int psc_normal_greet_wait; /* stressed greet wait */
 int psc_stress_cmd_time_limit; /* stressed command limit */
 int psc_normal_cmd_time_limit; /* normal command time limit */
 int psc_stress; /* stress level */
-int psc_check_queue_length_lowat; /* stress low-water mark */
-int psc_check_queue_length_hiwat; /* stress high-water mark */
+int psc_lowat_check_queue_length; /* stress low-water mark */
+int psc_hiwat_check_queue_length; /* stress high-water mark */
 DICT *psc_dnsbl_reply; /* DNSBL name mapper */
 HTABLE *psc_client_concurrency; /* per-client concurrency */
@@ -1048,12 +1048,19 @@ static void post_jail_init(char *unused_name, char **unused_argv)
 psc_normal_greet_wait = get_mail_conf_time(VAR_PSC_GREET_WAIT, DEF_PSC_GREET_WAIT, 1, 0);
- psc_check_queue_length_lowat = .7 * var_psc_pre_queue_limit;
- psc_check_queue_length_hiwat = .9 * var_psc_pre_queue_limit;
+ psc_lowat_check_queue_length = .7 * var_psc_pre_queue_limit;
+ psc_hiwat_check_queue_length = .9 * var_psc_pre_queue_limit;
 if (msg_verbose) msg_info(VAR_PSC_CMD_TIME ": stress=%d normal=%d lowat=%d hiwat=%d", psc_stress_cmd_time_limit, psc_normal_cmd_time_limit,
- psc_check_queue_length_lowat, psc_check_queue_length_hiwat);
+ psc_lowat_check_queue_length, psc_hiwat_check_queue_length);
+
+ if (psc_lowat_check_queue_length == 0)
+ msg_panic("compiler error: 0.7 * %d = %d", var_psc_pre_queue_limit,
+ psc_lowat_check_queue_length);
+ if (psc_hiwat_check_queue_length == 0)
+ msg_panic("compiler error: 0.9 * %d = %d", var_psc_pre_queue_limit,
+ psc_hiwat_check_queue_length);
 /*
 * Per-client concurrency.
diff --git a/postfix/src/postscreen/postscreen.h b/postfix/src/postscreen/postscreen.h
index f141a0d36..afea976ff 100644
--- a/postfix/src/postscreen/postscreen.h
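Review bot: `#define MIGRATION_WARNING` flips a build-time switch from `#undef` without a comment saying whether the warning is now permanently on or only for the release candidates, and the code it enables (starting at `char *var_psc_wlist_nets;`) runs past the end of the hunk, so a reader of this line cannot tell what is being warned about. The name var_psc_wlist_nets suggests it concerns older postscreen parameter names, but that is an inference. A short comment on the define, such as `/* Intentionally enabled; see the MIGRATION_WARNING block below for what it reports and when it can be removed. */`, would make the intent explicit.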
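Review bot: The two new `== 0` panics in post_jail_init fire on a legitimately configured value as well as on the mis-compilation they are meant to catch: with var_psc_pre_queue_limit set to 1, `.7 * 1` and `.9 * 1` both truncate to 0 by ordinary float-to-int conversion, and the daemon then panics with a message blaming the compiler. Unless the parameter's lower bound, applied where it is read outside this hunk, already excludes 1, the checks should guard that case, e.g. `if (var_psc_pre_queue_limit >= 2 && psc_lowat_check_queue_length == 0)` and the same on the hiwat line. A comment stating why the check exists would also help, since "compiler error" alone does not say what is being detected: `/* Guard against a compiler that mis-compiles the float-to-int conversions above to 0. */`. post_jail_init starts and ends outside the hunk.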
+++ b/postfix/src/postscreen/postscreen.h
@@ -292,8 +292,8 @@ extern int psc_normal_greet_wait; /* stressed greet wait */
 extern int psc_stress_cmd_time_limit; /* stressed command limit */
 extern int psc_normal_cmd_time_limit; /* normal command time limit */
 extern int psc_stress; /* stress level */
-extern int psc_check_queue_length_lowat;/* stress low-water mark */
-extern int psc_check_queue_length_hiwat;/* stress high-water mark */
+extern int psc_lowat_check_queue_length;/* stress low-water mark */
+extern int psc_hiwat_check_queue_length;/* stress high-water mark */
 extern DICT *psc_dnsbl_reply; /* DNSBL name mapper */
 extern HTABLE *psc_client_concurrency; /* per-client concurrency */
@@ -469,7 +469,7 @@ extern const char *psc_expand_lookup(const char *, int, char *);
 extern void psc_acl_pre_jail_init(void);
 extern ARGV *psc_acl_parse(const char *, const char *);
-extern int psc_acl_eval(PSC_STATE *,ARGV *, const char *);
+extern int psc_acl_eval(PSC_STATE *, ARGV *, const char *);
 /* LICENSE
 /* .ad
diff --git a/postfix/src/postscreen/postscreen_state.c b/postfix/src/postscreen/postscreen_state.c
index bb205d5e1..fe189ffa2 100644
--- a/postfix/src/postscreen/postscreen_state.c
+++ b/postfix/src/postscreen/postscreen_state.c
@@ -171,7 +171,7 @@ PSC_STATE *psc_new_session_state(VSTREAM *stream,
 * Update the stress level.
 */
 if (psc_stress == 0
- && psc_check_queue_length >= psc_check_queue_length_hiwat) {
+ && psc_check_queue_length >= psc_hiwat_check_queue_length) {
 psc_stress = 1;
 msg_info("entering STRESS mode with %d connections", psc_check_queue_length);
@@ -238,7 +238,7 @@ void psc_free_session_state(PSC_STATE *state)
 * Update the stress level.
 */
 if (psc_stress != 0
- && psc_check_queue_length <= psc_check_queue_length_lowat) {
+ && psc_check_queue_length <= psc_lowat_check_queue_length) {
 psc_stress = 0;
 msg_info("leaving STRESS mode with %d connections", psc_check_queue_length);
diff --git a/postfix/src/tlsproxy/tlsproxy.c b/postfix/src/tlsproxy/tlsproxy.c
index 06dea0e95..d52205262 100644
--- a/postfix/src/tlsproxy/tlsproxy.c
+++ b/postfix/src/tlsproxy/tlsproxy.c
@@ -1147,7 +1147,7 @@ int main(int argc, char **argv)
 * (including logging) and then invoke the tlsp_service() routine to log
 * the message that says why this program will not run.
 */
- multi_server_main(argc, argv, tlsp_service,
+ event_server_main(argc, argv, tlsp_service,
 0);
 }
diff --git a/postfix/src/util/sys_defs.h b/postfix/src/util/sys_defs.h
index 26fbace79..f3d0eaa5b 100644
--- a/postfix/src/util/sys_defs.h
+++ b/postfix/src/util/sys_defs.h
@@ -441,7 +441,6 @@ extern int opterr;
 #define USE_SYSV_POLL
 #ifndef NO_DEVPOLL
 # define EVENTS_STYLE EVENTS_STYLE_DEVPOLL
-# define USE_WATCHDOG_PIPE
 #endif
 /*
@@ -1280,6 +1279,17 @@ extern int dup2_pass_on_exec(int oldd, int newd);
 extern const char *inet_ntop(int, const void *, char *, size_t);
 extern int inet_pton(int, const char *, void *);
+#endif
+
+ /*
+ * Workaround: after a watchdog alarm signal, wake up from select/poll/etc.
+ * by writing to a pipe. Solaris needs this, and HP-UX apparently, too. The
+ * run-time cost is negligible so we just turn it on for all systems. As a
+ * side benefit, making this code system-independent will simplify the
+ * detection of bit-rot problems.
+ */
+#ifndef NO_WATCHDOG_PIPE
+#define USE_WATCHDOG_PIPE
 #endif
 /*
diff --git a/postfix/src/util/watchdog.c b/postfix/src/util/watchdog.c
index 7481c8887..71b483fbe 100644
--- a/postfix/src/util/watchdog.c
+++ b/postfix/src/util/watchdog.c
@@ -126,6 +126,7 @@ static WATCHDOG *watchdog_curr;
 * watchdog timeout is less than the max_idle time.
 */
 #ifdef USE_WATCHDOG_PIPE
+#include
 #include
 #include
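Review bot: The new opt-out NO_WATCHDOG_PIPE is introduced by `#ifndef NO_WATCHDOG_PIPE` without the comment block saying how a builder is expected to set it, which matters now that the workaround is on for every platform instead of only the devpoll case whose `# define USE_WATCHDOG_PIPE` the earlier sys_defs.h hunk removes. Adding one sentence to the comment, `* Build with -DNO_WATCHDOG_PIPE to disable the workaround on a platform that does not need it.`, documents the knob next to the default it overrides. The added `+#endif` closes a conditional whose opening line is outside the hunk, so it is worth confirming that the new block ends up at file scope and unconditional on the platform sections above, as the comment promises.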