postfix-2.7-20091115

postfix/HISTORY

@@ -15453,11 +15453,11 @@ Apologies for any names omitted.
 
 20091023
 
-	Feature: specify "smtp_command_maps = pcre:/file/name" to
-	replace incoming SMTP commands before they are executed by
-	the Postfix SMTP server. This a last-resort tool to fix bad
-	command syntax that Postfix would otherwise reject.  See
-	examples in the postconf(5) manual page.  File: smtpd/smtpd.c.
+	Feature: specify "smtp_command_filter = pcre:/file/name"
+	to replace remote SMTP client commands before they are
+	executed by the Postfix SMTP server. This a last-resort
+	tool to fix inter-operability problems.  See examples in
+	the postconf(5) manual page.  File: smtpd/smtpd.c.
 
 20091026
 
@@ -15498,3 +15498,26 @@ Apologies for any names omitted.
 	SMTP servers that reply to the malicious commands after
 	negotiating the Postfix SMTP client TLS session. File:
 	smtp/smtp_proto.c.
+
+20091113
+
+	Workaround: skip interfaces without netmask, to avoid
+	segfaults (reported by Dmitry Karasik). Don't supply a dummy
+	null netmask, as that would turn Postfix into an open relay
+	(mynetworks = 0.0.0.0/0). File: util/inet_addr_local.c.
+
+	Bugfix: forgot to flush output to the smtpd_proxy speed-adjust
+	buffer before truncating the file. Reported by Mark Martinec,
+	fix by Victor Duchovni. File: smtpd/smtpd_proxy.c.
+
+20091114
+
+	Feature: specify "smtp_reply_filter = pcre:/file/name" to
+	replace remote SMTP server reply lines before they are
+	parsed by the Postfix SMTP client. This a last-resort tool
+	to fix inter-operability problems.  See examples in the
+	postconf(5) manual page.  File: smtp/smtp_chat.c.
+
+	Safety: don't send postmaster notifications to report
+	problems delivering (possible) postmaster notifications.
+	File: smtp/smtp_connect.c.

postfix/WISHLIST

@@ -2,6 +2,9 @@ Wish list:
 
 	Remove this file from the stable release.
 
+	Move smtpd_command_filter into smtpd_chat_query() and update
+	the session transcript (see smtp_chat_reply() for an example).
+
 	Add smtpd_sender_login_maps to proxy_read_maps.
 
 	SMTP connection caching without storing connections, to

postfix/html/lmtp.8.html

@@ -196,6 +196,10 @@ SMTP(8)                                                                SMTP(8)
               Quote addresses in SMTP MAIL FROM and RCPT TO  com-
               mands as required by <a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a>.
 
+       <b><a href="postconf.5.html#smtp_reply_filter">smtp_reply_filter</a> (empty)</b>
+              A  mechanism  to transform replies from remote SMTP
+              servers one line at a time.
+
        <b><a href="postconf.5.html#smtp_skip_5xx_greeting">smtp_skip_5xx_greeting</a> (yes)</b>
               Skip SMTP servers that greet with a 5XX status code
               (go away, do not try again later).
@@ -539,8 +543,8 @@ SMTP(8)                                                                SMTP(8)
        <b><a href="postconf.5.html#smtp_tls_block_early_mail_reply">smtp_tls_block_early_mail_reply</a> (no)</b>
               Try  to  detect  a mail hijacking attack based on a
               TLS protocol vulnerability  (CVE-2009-3555),  where
-              an attacker prepends malicious  HELO/MAIL/RCPT/DATA
-              commands to a Postfix client TLS session.
+              an  attacker  prepends  malicious HELO, MAIL, RCPT,
+              DATA commands to a Postfix SMTP client TLS session.
 
 <b>OBSOLETE STARTTLS CONTROLS</b>
        The  following configuration parameters exist for compati-

postfix/html/postconf.5.html

@@ -3999,6 +3999,17 @@ The default time unit is s (seconds).
 </p>
 
 
+</DD>
+
+<DT><b><a name="lmtp_reply_filter">lmtp_reply_filter</a>
+(default: empty)</b></DT><DD>
+
+<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_reply_filter">smtp_reply_filter</a>
+configuration parameter.  See there for details. </p>
+
+<p> This feature is available in Postfix 2.7 and later. </p>
+
+
 </DD>
 
 <DT><b><a name="lmtp_rset_timeout">lmtp_rset_timeout</a>
@@ -4268,6 +4279,17 @@ configuration parameter.  See there for details. </p>
 <p> This feature is available in Postfix 2.3 and later. </p>
 
 
+</DD>
+
+<DT><b><a name="lmtp_tls_block_early_mail_reply">lmtp_tls_block_early_mail_reply</a>
+(default: empty)</b></DT><DD>
+
+<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_block_early_mail_reply">smtp_tls_block_early_mail_reply</a>
+configuration parameter.  See there for details. </p>
+
+<p> This feature is available in Postfix 2.7 and later. </p>
+
+
 </DD>
 
 <DT><b><a name="lmtp_tls_cert_file">lmtp_tls_cert_file</a>
@@ -8817,6 +8839,57 @@ The default time unit is s (seconds).
 </p>
 
 
+</DD>
+
+<DT><b><a name="smtp_reply_filter">smtp_reply_filter</a>
+(default: empty)</b></DT><DD>
+
+<p> A mechanism to transform replies from remote SMTP servers one
+line at a time.  This is a last-resort tool to work around server
+replies that break inter-operability with the Postfix SMTP client.
+Other uses involve fault injection to test Postfix's handling of
+invalid responses. </p>
+
+<p> Notes: </p>
+
+<ul>
+
+<li> <p> In the case of a multi-line reply, the Postfix SMTP client
+uses the last reply line's numerical SMTP reply code and enhanced
+status code.  </p>
+
+<li> <p> The numerical SMTP reply code (XYZ) takes precedence over
+the enhanced status code (X.Y.Z).  When the enhanced status code
+initial digit differs from the SMTP reply code initial digit, or
+when no enhanced status code is present, the Postfix SMTP client
+uses a generic enhanced status code (X.0.0) instead. </p>
+
+</ul>
+
+<p> Specify the name of a "<a href="DATABASE_README.html">type:table</a>" lookup table. The search
+string is a single SMTP reply line as received from the remote SMTP
+server, except that the trailing &lt;CR&gt;&lt;LF&gt; are removed.  </p>
+
+<p> Examples: </p>
+
+<pre>
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+    <a href="postconf.5.html#smtp_reply_filter">smtp_reply_filter</a> = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/command_filter
+</pre>
+
+<pre>
+/etc/postfix/reply_filter:
+    # Transform garbage into part of a multi-line reply. Note
+    # that the Postfix SMTP client uses only the last numerical
+    # SMTP reply code and enhanced status code from a multi-line
+    # reply, so it does not matter what we substitute here as
+    # long as it has the right syntax.
+    !/^([2-5][0-9][0-9]($|[- ]))/ 250-filler for garbage
+</pre>
+
+<p> This feature is available in Postfix 2.7. </p>
+
+
 </DD>
 
 <DT><b><a name="smtp_rset_timeout">smtp_rset_timeout</a>
@@ -9243,10 +9316,10 @@ must be inside the chroot jail. </p>
 
 <p> Try to detect a mail hijacking attack based on a TLS protocol
 vulnerability (CVE-2009-3555), where an attacker prepends malicious
-HELO/MAIL/RCPT/DATA commands to a Postfix client TLS session.  The
-attack would succeed with non-Postfix SMTP servers that reply to
-the malicious HELO/MAIL/RCPT/DATA commands after negotiating the
-Postfix SMTP client TLS session.  </p>
+HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client TLS session.
+The attack would succeed with non-Postfix SMTP servers that reply
+to the malicious HELO, MAIL, RCPT, DATA commands after negotiating
+the Postfix SMTP client TLS session.  </p>
 
 <p> This feature is available in Postfix 2.7. </p>
 
@@ -11091,15 +11164,17 @@ Example:
 <DT><b><a name="smtpd_command_filter">smtpd_command_filter</a>
 (default: empty)</b></DT><DD>
 
-<p> A mechanism to substitute incoming SMTP commands.  This is a
-last-resort tool to work around problems with clients that send
-invalid command syntax that would otherwise be rejected by Postfix.
+<p> A mechanism to transform commands from remote SMTP clients.
+This is a last-resort tool to work around client commands that break
+inter-operability with the Postfix SMTP server.  Other uses involve
+fault injection to test Postfix's handling of invalid commands.
 </p>
 
 <p> Specify the name of a "<a href="DATABASE_README.html">type:table</a>" lookup table. The search
-string is the SMTP command as received from the SMTP client, except
-that initial whitespace and the trailing <CR><LF> are removed. The
-result value is executed by the Postfix SMTP server.  </p>
+string is the SMTP command as received from the remote SMTP client,
+except that initial whitespace and the trailing &lt;CR&gt;&lt;LF&gt;
+are removed.  The result value is executed by the Postfix SMTP
+server.  </p>
 
 <p> Examples: </p>
 
@@ -11120,9 +11195,9 @@ result value is executed by the Postfix SMTP server.  </p>
 </pre>
 
 <pre>
-    # Work around clients that send RCPT TO:<'user@domain'>.
+    # Work around clients that send RCPT TO:&lt;'user@domain'&gt;.
     # WARNING: do not lose the parameters that follow the address.
-    /^RCPT\s+TO:\s*<'([^[:space:]]+)'>(.*)/     RCPT TO:<$1>$2
+    /^RCPT\s+TO:\s*&lt;'([^[:space:]]+)'&gt;(.*)/     RCPT TO:&lt;$1&gt;$2
 </pre>
 
 <p> This feature is available in Postfix 2.7. </p>

postfix/html/smtp.8.html

@@ -196,6 +196,10 @@ SMTP(8)                                                                SMTP(8)
               Quote addresses in SMTP MAIL FROM and RCPT TO  com-
               mands as required by <a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a>.
 
+       <b><a href="postconf.5.html#smtp_reply_filter">smtp_reply_filter</a> (empty)</b>
+              A  mechanism  to transform replies from remote SMTP
+              servers one line at a time.
+
        <b><a href="postconf.5.html#smtp_skip_5xx_greeting">smtp_skip_5xx_greeting</a> (yes)</b>
               Skip SMTP servers that greet with a 5XX status code
               (go away, do not try again later).
@@ -539,8 +543,8 @@ SMTP(8)                                                                SMTP(8)
        <b><a href="postconf.5.html#smtp_tls_block_early_mail_reply">smtp_tls_block_early_mail_reply</a> (no)</b>
               Try  to  detect  a mail hijacking attack based on a
               TLS protocol vulnerability  (CVE-2009-3555),  where
-              an attacker prepends malicious  HELO/MAIL/RCPT/DATA
-              commands to a Postfix client TLS session.
+              an  attacker  prepends  malicious HELO, MAIL, RCPT,
+              DATA commands to a Postfix SMTP client TLS session.
 
 <b>OBSOLETE STARTTLS CONTROLS</b>
        The  following configuration parameters exist for compati-

postfix/html/smtpd.8.html

@@ -106,7 +106,8 @@ SMTPD(8)                                                              SMTPD(8)
               rejecting the address as invalid.
 
        <b><a href="postconf.5.html#smtpd_command_filter">smtpd_command_filter</a> (empty)</b>
-              A mechanism to substitute incoming SMTP commands.
+              A  mechanism to transform commands from remote SMTP
+              clients.
 
        <b><a href="postconf.5.html#smtpd_reject_unlisted_sender">smtpd_reject_unlisted_sender</a> (no)</b>
               Request that the Postfix SMTP server  rejects  mail

postfix/man/man5/postconf.5

@@ -2192,6 +2192,11 @@ for receiving the server response.
 .PP
 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
 The default time unit is s (seconds).
+.SH lmtp_reply_filter (default: empty)
+The LMTP-specific version of the smtp_reply_filter
+configuration parameter.  See there for details.
+.PP
+This feature is available in Postfix 2.7 and later.
 .SH lmtp_rset_timeout (default: 20s)
 The LMTP client time limit for sending the RSET command, and
 for receiving the server response. The LMTP client sends RSET in
@@ -2317,6 +2322,11 @@ The LMTP-specific version of the smtp_tls_CApath
 configuration parameter.  See there for details.
 .PP
 This feature is available in Postfix 2.3 and later.
+.SH lmtp_tls_block_early_mail_reply (default: empty)
+The LMTP-specific version of the smtp_tls_block_early_mail_reply
+configuration parameter.  See there for details.
+.PP
+This feature is available in Postfix 2.7 and later.
 .SH lmtp_tls_cert_file (default: empty)
 The LMTP-specific version of the smtp_tls_cert_file
 configuration parameter.  See there for details.
@@ -4977,6 +4987,55 @@ for receiving the server response.
 .PP
 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
 The default time unit is s (seconds).
+.SH smtp_reply_filter (default: empty)
+A mechanism to transform replies from remote SMTP servers one
+line at a time.  This is a last-resort tool to work around server
+replies that break inter-operability with the Postfix SMTP client.
+Other uses involve fault injection to test Postfix's handling of
+invalid responses.
+.PP
+Notes:
+.IP \(bu
+In the case of a multi-line reply, the Postfix SMTP client
+uses the last reply line's numerical SMTP reply code and enhanced
+status code.
+.IP \(bu
+The numerical SMTP reply code (XYZ) takes precedence over
+the enhanced status code (X.Y.Z).  When the enhanced status code
+initial digit differs from the SMTP reply code initial digit, or
+when no enhanced status code is present, the Postfix SMTP client
+uses a generic enhanced status code (X.0.0) instead.
+.PP
+Specify the name of a "type:table" lookup table. The search
+string is a single SMTP reply line as received from the remote SMTP
+server, except that the trailing <CR><LF> are removed.
+.PP
+Examples:
+.PP
+.nf
+.na
+.ft C
+/etc/postfix/main.cf:
+    smtp_reply_filter = pcre:/etc/postfix/command_filter
+.fi
+.ad
+.ft R
+.PP
+.nf
+.na
+.ft C
+/etc/postfix/reply_filter:
+    # Transform garbage into part of a multi-line reply. Note
+    # that the Postfix SMTP client uses only the last numerical
+    # SMTP reply code and enhanced status code from a multi-line
+    # reply, so it does not matter what we substitute here as
+    # long as it has the right syntax.
+    !/^([2-5][0-9][0-9]($|[- ]))/ 250-filler for garbage
+.fi
+.ad
+.ft R
+.PP
+This feature is available in Postfix 2.7.
 .SH smtp_rset_timeout (default: 20s)
 The SMTP client time limit for sending the RSET command, and
 for receiving the server response. The SMTP client sends RSET in
@@ -5257,10 +5316,10 @@ This feature is available in Postfix 2.2 and later.
 .SH smtp_tls_block_early_mail_reply (default: no)
 Try to detect a mail hijacking attack based on a TLS protocol
 vulnerability (CVE-2009-3555), where an attacker prepends malicious
-HELO/MAIL/RCPT/DATA commands to a Postfix client TLS session.  The
-attack would succeed with non-Postfix SMTP servers that reply to
-the malicious HELO/MAIL/RCPT/DATA commands after negotiating the
-Postfix SMTP client TLS session.
+HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client TLS session.
+The attack would succeed with non-Postfix SMTP servers that reply
+to the malicious HELO, MAIL, RCPT, DATA commands after negotiating
+the Postfix SMTP client TLS session.
 .PP
 This feature is available in Postfix 2.7.
 .SH smtp_tls_cert_file (default: empty)
@@ -6789,14 +6848,16 @@ smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname
 .ad
 .ft R
 .SH smtpd_command_filter (default: empty)
-A mechanism to substitute incoming SMTP commands.  This is a
-last-resort tool to work around problems with clients that send
-invalid command syntax that would otherwise be rejected by Postfix.
+A mechanism to transform commands from remote SMTP clients.
+This is a last-resort tool to work around client commands that break
+inter-operability with the Postfix SMTP server.  Other uses involve
+fault injection to test Postfix's handling of invalid commands.
 .PP
 Specify the name of a "type:table" lookup table. The search
-string is the SMTP command as received from the SMTP client, except
-that initial whitespace and the trailing <CR><LF> are removed. The
-result value is executed by the Postfix SMTP server.
+string is the SMTP command as received from the remote SMTP client,
+except that initial whitespace and the trailing <CR><LF>
+are removed.  The result value is executed by the Postfix SMTP
+server.
 .PP
 Examples:
 .PP

postfix/man/man8/smtp.8

@@ -185,6 +185,9 @@ per-destination workarounds for CISCO PIX firewall bugs.
 .IP "\fBsmtp_quote_rfc821_envelope (yes)\fR"
 Quote addresses in SMTP MAIL FROM and RCPT TO commands as required
 by RFC 2821.
+.IP "\fBsmtp_reply_filter (empty)\fR"
+A mechanism to transform replies from remote SMTP servers one
+line at a time.
 .IP "\fBsmtp_skip_5xx_greeting (yes)\fR"
 Skip SMTP servers that greet with a 5XX status code (go away, do
 not try again later).
@@ -435,7 +438,7 @@ Available in Postfix version 2.7 and later:
 .IP "\fBsmtp_tls_block_early_mail_reply (no)\fR"
 Try to detect a mail hijacking attack based on a TLS protocol
 vulnerability (CVE-2009-3555), where an attacker prepends malicious
-HELO/MAIL/RCPT/DATA commands to a Postfix client TLS session.
+HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client TLS session.
 .SH "OBSOLETE STARTTLS CONTROLS"
 .na
 .nf

postfix/man/man8/smtpd.8

@@ -109,7 +109,7 @@ Resolve an address that ends in the "@" null domain as if the
 local hostname were specified, instead of rejecting the address as
 invalid.
 .IP "\fBsmtpd_command_filter (empty)\fR"
-A mechanism to substitute incoming SMTP commands.
+A mechanism to transform commands from remote SMTP clients.
 .IP "\fBsmtpd_reject_unlisted_sender (no)\fR"
 Request that the Postfix SMTP server rejects mail from unknown
 sender addresses, even when no explicit reject_unlisted_sender

postfix/mantools/postlink

@@ -620,6 +620,7 @@ while (<>) {
     s;\bsmtp_mime_header_checks\b;<a href="postconf.5.html#smtp_mime_header_checks">$&</a>;g;
     s;\bsmtp_nested_header_checks\b;<a href="postconf.5.html#smtp_nested_header_checks">$&</a>;g;
     s;\bsmtp_body_checks\b;<a href="postconf.5.html#smtp_body_checks">$&</a>;g;
+    s;\bsmtp_reply_filter\b;<a href="postconf.5.html#smtp_reply_filter">$&</a>;g;
     s;\bsmtpd_enforce_tls\b;<a href="postconf.5.html#smtpd_enforce_tls">$&</a>;g;
     s;\bsmtpd_sasl_tls_security_options\b;<a href="postconf.5.html#smtpd_sasl_tls_security_options">$&</a>;g;
     s;\bsmtpd_sasl_type\b;<a href="postconf.5.html#smtpd_sasl_type">$&</a>;g;

postfix/proto/postconf.proto

@@ -12590,15 +12590,17 @@ reporting PREGREET, HANGUP or DNSBL results. </dd>
 
 %PARAM smtpd_command_filter 
 
-<p> A mechanism to substitute incoming SMTP commands.  This is a
-last-resort tool to work around problems with clients that send
-invalid command syntax that would otherwise be rejected by Postfix.
+<p> A mechanism to transform commands from remote SMTP clients.
+This is a last-resort tool to work around client commands that break
+inter-operability with the Postfix SMTP server.  Other uses involve
+fault injection to test Postfix's handling of invalid commands.
 </p>
 
 <p> Specify the name of a "type:table" lookup table. The search
-string is the SMTP command as received from the SMTP client, except
-that initial whitespace and the trailing <CR><LF> are removed. The
-result value is executed by the Postfix SMTP server.  </p>
+string is the SMTP command as received from the remote SMTP client,
+except that initial whitespace and the trailing &lt;CR&gt;&lt;LF&gt;
+are removed.  The result value is executed by the Postfix SMTP
+server.  </p>
 
 <p> Examples: </p>
 
@@ -12619,20 +12621,81 @@ result value is executed by the Postfix SMTP server.  </p>
 </pre>
 
 <pre>
-    # Work around clients that send RCPT TO:<'user@domain'>.
+    # Work around clients that send RCPT TO:&lt;'user@domain'&gt;.
     # WARNING: do not lose the parameters that follow the address.
-    /^RCPT\s+TO:\s*<'([^[:space:]]+)'>(.*)/     RCPT TO:<$1>$2
+    /^RCPT\s+TO:\s*&lt;'([^[:space:]]+)'&gt;(.*)/     RCPT TO:&lt;$1&gt;$2
 </pre>
 
 <p> This feature is available in Postfix 2.7. </p>
 
+%PARAM smtp_reply_filter 
+
+<p> A mechanism to transform replies from remote SMTP servers one
+line at a time.  This is a last-resort tool to work around server
+replies that break inter-operability with the Postfix SMTP client.
+Other uses involve fault injection to test Postfix's handling of
+invalid responses. </p>
+
+<p> Notes: </p>
+
+<ul>
+
+<li> <p> In the case of a multi-line reply, the Postfix SMTP client
+uses the last reply line's numerical SMTP reply code and enhanced
+status code.  </p>
+
+<li> <p> The numerical SMTP reply code (XYZ) takes precedence over
+the enhanced status code (X.Y.Z).  When the enhanced status code
+initial digit differs from the SMTP reply code initial digit, or
+when no enhanced status code is present, the Postfix SMTP client
+uses a generic enhanced status code (X.0.0) instead. </p>
+
+</ul>
+
+<p> Specify the name of a "type:table" lookup table. The search
+string is a single SMTP reply line as received from the remote SMTP
+server, except that the trailing &lt;CR&gt;&lt;LF&gt; are removed.  </p>
+
+<p> Examples: </p>
+
+<pre>
+/etc/postfix/main.cf:
+    smtp_reply_filter = pcre:/etc/postfix/command_filter
+</pre>
+
+<pre>
+/etc/postfix/reply_filter:
+    # Transform garbage into part of a multi-line reply. Note
+    # that the Postfix SMTP client uses only the last numerical
+    # SMTP reply code and enhanced status code from a multi-line
+    # reply, so it does not matter what we substitute here as
+    # long as it has the right syntax.
+    !/^([2-5][0-9][0-9]($|[- ]))/ 250-filler for garbage
+</pre>
+
+<p> This feature is available in Postfix 2.7. </p>
+
+%PARAM lmtp_reply_filter
+
+<p> The LMTP-specific version of the smtp_reply_filter
+configuration parameter.  See there for details. </p>
+
+<p> This feature is available in Postfix 2.7 and later. </p>
+
 %PARAM smtp_tls_block_early_mail_reply no
 
 <p> Try to detect a mail hijacking attack based on a TLS protocol
 vulnerability (CVE-2009-3555), where an attacker prepends malicious
-HELO/MAIL/RCPT/DATA commands to a Postfix client TLS session.  The
-attack would succeed with non-Postfix SMTP servers that reply to
-the malicious HELO/MAIL/RCPT/DATA commands after negotiating the
-Postfix SMTP client TLS session.  </p>
+HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client TLS session.
+The attack would succeed with non-Postfix SMTP servers that reply
+to the malicious HELO, MAIL, RCPT, DATA commands after negotiating
+the Postfix SMTP client TLS session.  </p>
 
 <p> This feature is available in Postfix 2.7. </p>
+
+%PARAM lmtp_tls_block_early_mail_reply
+
+<p> The LMTP-specific version of the smtp_tls_block_early_mail_reply
+configuration parameter.  See there for details. </p>
+
+<p> This feature is available in Postfix 2.7 and later. </p>

postfix/src/global/mail_params.h

@@ -1019,6 +1019,12 @@ extern bool var_smtp_always_ehlo;
 #define DEF_SMTP_NEVER_EHLO	0
 extern bool var_smtp_never_ehlo;
 
+#define VAR_SMTP_RESP_FILTER	"smtp_reply_filter"
+#define DEF_SMTP_RESP_FILTER	""
+#define VAR_LMTP_RESP_FILTER	"lmtp_reply_filter"
+#define DEF_LMTP_RESP_FILTER	""
+extern char *var_smtp_resp_filter;
+
 #define VAR_SMTP_BIND_ADDR	"smtp_bind_address"
 #define DEF_SMTP_BIND_ADDR	""
 #define VAR_LMTP_BIND_ADDR	"lmtp_bind_address"

postfix/src/global/mail_version.h

@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20091110"
+#define MAIL_RELEASE_DATE	"20091115"
 #define MAIL_VERSION_NUMBER	"2.7"
 
 #ifdef SNAPSHOT

postfix/src/smtp/Makefile.in

@@ -222,6 +222,7 @@ smtp_connect.o: ../../include/host_port.h
 smtp_connect.o: ../../include/htable.h
 smtp_connect.o: ../../include/inet_addr_list.h
 smtp_connect.o: ../../include/iostuff.h
+smtp_connect.o: ../../include/mail_addr.h
 smtp_connect.o: ../../include/mail_error.h
 smtp_connect.o: ../../include/mail_params.h
 smtp_connect.o: ../../include/mail_proto.h

postfix/src/smtp/lmtp_params.c

@@ -51,6 +51,7 @@
 	VAR_LMTP_MIME_CHKS, DEF_LMTP_MIME_CHKS, &var_smtp_mime_chks, 0, 0,
 	VAR_LMTP_NEST_CHKS, DEF_LMTP_NEST_CHKS, &var_smtp_nest_chks, 0, 0,
 	VAR_LMTP_BODY_CHKS, DEF_LMTP_BODY_CHKS, &var_smtp_body_chks, 0, 0,
+	VAR_LMTP_RESP_FILTER, DEF_LMTP_RESP_FILTER, &var_smtp_resp_filter, 0, 0,
 	0,
     };
     static const CONFIG_TIME_TABLE lmtp_time_table[] = {

postfix/src/smtp/smtp.c

@@ -163,6 +163,9 @@
 /* .IP "\fBsmtp_quote_rfc821_envelope (yes)\fR"
 /*	Quote addresses in SMTP MAIL FROM and RCPT TO commands as required
 /*	by RFC 2821.
+/* .IP "\fBsmtp_reply_filter (empty)\fR"
+/*	A mechanism to transform replies from remote SMTP servers one
+/*	line at a time.
 /* .IP "\fBsmtp_skip_5xx_greeting (yes)\fR"
 /*	Skip SMTP servers that greet with a 5XX status code (go away, do
 /*	not try again later).
@@ -405,7 +408,7 @@
 /* .IP "\fBsmtp_tls_block_early_mail_reply (no)\fR"
 /*	Try to detect a mail hijacking attack based on a TLS protocol
 /*	vulnerability (CVE-2009-3555), where an attacker prepends malicious
-/*	HELO/MAIL/RCPT/DATA commands to a Postfix client TLS session.
+/*	HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client TLS session.
 /* OBSOLETE STARTTLS CONTROLS
 /* .ad
 /* .fi
@@ -792,6 +795,7 @@ char   *var_smtp_head_chks;
 char   *var_smtp_mime_chks;
 char   *var_smtp_nest_chks;
 char   *var_smtp_body_chks;
+char   *var_smtp_resp_filter;
 bool    var_lmtp_assume_final;
 
  /* Special handling of 535 AUTH errors. */
@@ -1060,6 +1064,14 @@ static void pre_init(char *unused_name, char **unused_argv)
     smtp_body_checks = hbc_body_checks_create(
 				     VAR_SMTP_BODY_CHKS, var_smtp_body_chks,
 					      smtp_hbc_callbacks);
+
+    /*
+     * Server reply filter.
+     */
+    if (*var_smtp_resp_filter)
+	smtp_chat_resp_filter =
+	    dict_open(var_smtp_resp_filter, O_RDONLY,
+		      DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX);
 }
 
 /* pre_accept - see if tables have changed */

postfix/src/smtp/smtp.h

@@ -20,6 +20,7 @@
 #include <vstring.h>
 #include <argv.h>
 #include <htable.h>
+#include <dict.h>
 
  /*
   * Global library.
@@ -366,7 +367,8 @@ typedef struct SMTP_RESP {		/* server response */
     VSTRING *str_buf;			/* reply buffer */
 } SMTP_RESP;
 
-extern void PRINTFLIKE(2, 3) smtp_chat_cmd(SMTP_SESSION *, char *,...);
+extern void PRINTFLIKE(2, 3) smtp_chat_cmd(SMTP_SESSION *, const char *,...);
+extern DICT *smtp_chat_resp_filter;
 extern SMTP_RESP *smtp_chat_resp(SMTP_SESSION *);
 extern void smtp_chat_init(SMTP_SESSION *);
 extern void smtp_chat_reset(SMTP_SESSION *);

postfix/src/smtp/smtp_chat.c

@@ -18,7 +18,9 @@
 /*
 /*	void	smtp_chat_cmd(session, format, ...)
 /*	SMTP_SESSION *session;
-/*	char	*format;
+/*	const char *format;
+/*
+/*	DICT	*smtp_chat_resp_filter;
 /*
 /*	SMTP_RESP *smtp_chat_resp(session)
 /*	SMTP_SESSION *session;
@@ -69,6 +71,10 @@
 /*	the client and server get out of step due to a broken proxy
 /*	agent.
 /* .PP
+/*	smtp_chat_resp_filter specifies an optional filter to
+/*	transform one server reply line before it is parsed. The
+/*	filter is invoked once for each line of a multi-line reply.
+/*
 /*	smtp_chat_notify() sends a copy of the SMTP transaction log
 /*	to the postmaster for review. The postmaster notice is sent only
 /*	when delivery is possible immediately. It is an error to call
@@ -107,6 +113,7 @@
 #include <stdlib.h>
 #include <setjmp.h>
 #include <string.h>
+#include <limits.h>
 
 /* Utility library. */
 
@@ -133,6 +140,11 @@
 
 #include "smtp.h"
 
+ /*
+  * Server reply transformations.
+  */
+DICT   *smtp_chat_resp_filter;
+
 /* smtp_chat_init - initialize SMTP transaction log */
 
 void    smtp_chat_init(SMTP_SESSION *session)
@@ -152,7 +164,8 @@ void    smtp_chat_reset(SMTP_SESSION *session)
 
 /* smtp_chat_append - append record to SMTP transaction log */
 
-static void smtp_chat_append(SMTP_SESSION *session, char *direction, char *data)
+static void smtp_chat_append(SMTP_SESSION *session, const char *direction,
+			     const char *data)
 {
     char   *line;
 
@@ -165,7 +178,7 @@ static void smtp_chat_append(SMTP_SESSION *session, char *direction, char *data)
 
 /* smtp_chat_cmd - send an SMTP command */
 
-void    smtp_chat_cmd(SMTP_SESSION *session, char *fmt,...)
+void    smtp_chat_cmd(SMTP_SESSION *session, const char *fmt,...)
 {
     va_list ap;
 
@@ -226,6 +239,9 @@ SMTP_RESP *smtp_chat_resp(SMTP_SESSION *session)
     int     last_char;
     int     three_digs = 0;
     size_t  len;
+    const char *new_reply;
+    int     chat_append_flag;
+    int     chat_append_skipped = 0;
 
     /*
      * Initialize the response data buffer.
@@ -254,17 +270,41 @@ SMTP_RESP *smtp_chat_resp(SMTP_SESSION *session)
 	 * Defend against a denial of service attack by limiting the amount
 	 * of multi-line text that we are willing to store.
 	 */
-	if (LEN(rdata.str_buf) < var_line_limit) {
-	    if (LEN(rdata.str_buf))
-		VSTRING_ADDCH(rdata.str_buf, '\n');
-	    vstring_strcat(rdata.str_buf, STR(session->buffer));
+	chat_append_flag = (LEN(rdata.str_buf) < var_line_limit);
+	if (chat_append_flag)
 	    smtp_chat_append(session, "In:  ", STR(session->buffer));
+	else {
+	    if (chat_append_skipped == 0)
+		msg_warn("%s: multi-line response longer than %d %.30s...",
+		  session->namaddrport, var_line_limit, STR(rdata.str_buf));
+	    if (chat_append_skipped < INT_MAX)
+		chat_append_skipped++;
 	}
 
 	/*
-	 * Parse into code and text. Ignore unrecognized garbage. This means
-	 * that any character except space (or end of line) will have the
-	 * same effect as the '-' line continuation character.
+	 * Server reply substitution, for fault-injection testing, or for
+	 * working around broken systems. Use with care.
+	 */
+	if (smtp_chat_resp_filter != 0) {
+	    new_reply = dict_get(smtp_chat_resp_filter, STR(session->buffer));
+	    if (new_reply != 0) {
+		msg_info("%s: replacing server reply \"%s\" with \"%s\"",
+		     session->namaddrport, STR(session->buffer), new_reply);
+		vstring_strcpy(session->buffer, new_reply);
+		if (chat_append_flag) {
+		    smtp_chat_append(session, "Replaced-by: ", "");
+		    smtp_chat_append(session, "     ", new_reply);
+		}
+	    }
+	}
+	if (chat_append_flag) {
+	    if (LEN(rdata.str_buf))
+		VSTRING_ADDCH(rdata.str_buf, '\n');
+	    vstring_strcat(rdata.str_buf, STR(session->buffer));
+	}
+
+	/*
+	 * Parse into code and text. Do not ignore garbage (see below).
 	 */
 	for (cp = STR(session->buffer); *cp && ISDIGIT(*cp); cp++)
 	     /* void */ ;

postfix/src/smtp/smtp_connect.c

@@ -95,6 +95,7 @@
 #include <deliver_pass.h>
 #include <mail_error.h>
 #include <dsn_buf.h>
+#include <mail_addr.h>
 
 /* DNS library. */
 
@@ -374,11 +375,17 @@ static void smtp_cleanup_session(SMTP_STATE *state)
 
     /*
      * Inform the postmaster of trouble.
+     * 
+     * XXX Don't send notifications about errors while sending notifications.
      */
+#define POSSIBLE_NOTIFICATION(sender) \
+	(*sender == 0 || strcmp(sender, mail_addr_double_bounce()) == 0)
+
     if (session->history != 0
 	&& (session->error_mask & name_mask(VAR_NOTIFY_CLASSES,
 					    mail_error_masks,
-					    var_notify_classes)) != 0)
+					    var_notify_classes)) != 0
+	&& POSSIBLE_NOTIFICATION(request->sender) == 0)
 	smtp_chat_notify(session);
 
     /*

postfix/src/smtp/smtp_params.c

@@ -52,6 +52,7 @@
 	VAR_SMTP_MIME_CHKS, DEF_SMTP_MIME_CHKS, &var_smtp_mime_chks, 0, 0,
 	VAR_SMTP_NEST_CHKS, DEF_SMTP_NEST_CHKS, &var_smtp_nest_chks, 0, 0,
 	VAR_SMTP_BODY_CHKS, DEF_SMTP_BODY_CHKS, &var_smtp_body_chks, 0, 0,
+	VAR_SMTP_RESP_FILTER, DEF_SMTP_RESP_FILTER, &var_smtp_resp_filter, 0, 0,
 	0,
     };
     static const CONFIG_TIME_TABLE smtp_time_table[] = {

postfix/src/smtp/smtp_trouble.c

@@ -288,7 +288,7 @@ static void vsmtp_fill_dsn(SMTP_STATE *state, const char *mta_name,
      * cycles.
      */
     VSTRING_RESET(why->reason);
-    if (mta_name && reply && reply[0] != '4' && reply[0] != '5') {
+    if (mta_name && status && status[0] != '4' && status[0] != '5') {
 	vstring_strcpy(why->reason, "Protocol error: ");
 	status = "5.5.0";
     }

postfix/src/smtpd/smtpd.c

@@ -93,7 +93,7 @@
 /*	local hostname were specified, instead of rejecting the address as
 /*	invalid.
 /* .IP "\fBsmtpd_command_filter (empty)\fR"
-/*	A mechanism to substitute incoming SMTP commands.
+/*	A mechanism to transform commands from remote SMTP clients.
 /* .IP "\fBsmtpd_reject_unlisted_sender (no)\fR"
 /*	Request that the Postfix SMTP server rejects mail from unknown
 /*	sender addresses, even when no explicit reject_unlisted_sender
@@ -4431,12 +4431,16 @@ static void smtpd_proto(SMTPD_STATE *state)
 	    }
 	    watchdog_pat();
 	    smtpd_chat_query(state);
+	    /* Move into smtpd_chat_query() and update session transcript. */
 	    if (smtpd_cmd_filter != 0) {
 		for (cp = STR(state->buffer); *cp && IS_SPACE_TAB(*cp); cp++)
 		     /* void */ ;
-		if ((cp = dict_get(smtpd_cmd_filter, cp)) != 0)
+		if ((cp = dict_get(smtpd_cmd_filter, cp)) != 0) {
+		    msg_info("%s: replacing client command \"%s\" with \"%s\"",
+			     state->namaddr, STR(state->buffer), cp);
 		    vstring_strcpy(state->buffer, cp);
 		}
+	    }
 	    if ((argc = smtpd_token(vstring_str(state->buffer), &argv)) == 0) {
 		state->error_mask |= MAIL_ERROR_PROTOCOL;
 		smtpd_chat_reply(state, "500 5.5.2 Error: bad syntax");

postfix/src/smtpd/smtpd_proxy.c

@@ -183,7 +183,6 @@
 /* System library. */
 
 #include <sys_defs.h>
-#include <sys/stat.h>
 #include <ctype.h>
 #include <unistd.h>
 
@@ -556,6 +555,7 @@ static int smtpd_proxy_replay_send(SMTPD_STATE *state)
      */
     if (vstream_ferror(smtpd_proxy_replay_stream)
 	|| vstream_feof(smtpd_proxy_replay_stream)
+	|| rec_put(smtpd_proxy_replay_stream, REC_TYPE_END, "", 0) != REC_TYPE_END
 	|| vstream_fflush(smtpd_proxy_replay_stream))
 	/* NOT: fsync(vstream_fileno(smtpd_proxy_replay_stream)) */
 	return (smtpd_proxy_replay_rdwr_error(state));
@@ -615,9 +615,9 @@ static int smtpd_proxy_replay_send(SMTPD_STATE *state)
 	    break;
 
 	    /*
-	     * End of replay log.
+	     * Explicit end marker, instead of implicit EOF.
 	     */
-	case REC_TYPE_EOF:
+	case REC_TYPE_END:
 	    return (0);
 
 	    /*
@@ -954,7 +954,7 @@ static int smtpd_proxy_rec_fprintf(VSTREAM *stream, int rec_type,
 static int smtpd_proxy_replay_setup(SMTPD_STATE *state)
 {
     const char *myname = "smtpd_proxy_replay_setup";
-    struct stat st;
+    off_t   file_offs;
 
     /*
      * Where possible reuse an existing replay logfile, because creating a
@@ -962,29 +962,20 @@ static int smtpd_proxy_replay_setup(SMTPD_STATE *state)
      * we must truncate the file before reuse. For performance reasons we
      * should truncate the file immediately after the end of a mail
      * transaction. We enforce the security guarantee here by requiring that
-     * the file is emtpy when it is reused. This is less expensive than
-     * truncating the file redundantly.
+     * no I/O happened since the file was truncated. This is less expensive
+     * than truncating the file redundantly.
      */
     if (smtpd_proxy_replay_stream != 0) {
-	if (vstream_fseek(smtpd_proxy_replay_stream, (off_t) 0, SEEK_SET) < 0) {
-	    msg_warn("seek before-queue filter speed-adjust log: %m");
-	    (void) vstream_fclose(smtpd_proxy_replay_stream);
-	    smtpd_proxy_replay_stream = 0;
-	} else if (fstat(vstream_fileno(smtpd_proxy_replay_stream), &st) < 0) {
-	    msg_warn("fstat before-queue filter speed-adjust log: %m");
-	    (void) vstream_fclose(smtpd_proxy_replay_stream);
-	    smtpd_proxy_replay_stream = 0;
-	} else {
-	    if (st.st_size > 0)
-		msg_panic("%s: non-empty before-queue filter speed-adjust log",
-			  myname);
+	/* vstream_ftell() won't invoke the kernel, so all errors are mine. */
+	if ((file_offs = vstream_ftell(smtpd_proxy_replay_stream)) != 0)
+	    msg_panic("%s: bad before-queue filter speed-adjust log offset %lu",
+		      myname, (unsigned long) file_offs);
 	vstream_clearerr(smtpd_proxy_replay_stream);
 	if (msg_verbose)
 	    msg_info("%s: reuse speed-adjust stream fd=%d", myname,
 		     vstream_fileno(smtpd_proxy_replay_stream));
 	/* Here, smtpd_proxy_replay_stream != 0 */
     }
-    }
 
     /*
      * Create a new replay logfile.
@@ -1029,6 +1020,12 @@ int     smtpd_proxy_create(SMTPD_STATE *state, int flags, const char *service,
 	 (p)->a3, (p)->a4, (p)->a5, (p)->a6, (p)->a7, (p)->a8, (p)->a9, \
 	 (p)->a10, (p)->a11, (p))
 
+    /*
+     * Sanity check.
+     */
+    if (state->proxy != 0)
+	msg_panic("smtpd_proxy_create: handle still exists");
+
     /*
      * Connect to the before-queue filter immediately.
      */
@@ -1122,11 +1119,19 @@ void    smtpd_proxy_free(SMTPD_STATE *state)
      * truncate the replay logfile before reuse. For performance reasons we
      * should truncate the replay logfile immediately after the end of a mail
      * transaction. We truncate the file here, and enforce the security
-     * guarantee by requiring that the file is empty when it is reused.
+     * guarantee by requiring that no I/O happens before the file is reused.
      */
     if (smtpd_proxy_replay_stream == 0)
 	return;
     if (vstream_ferror(smtpd_proxy_replay_stream)) {
+	/* Errors are already reported. */
+	(void) vstream_fclose(smtpd_proxy_replay_stream);
+	smtpd_proxy_replay_stream = 0;
+	return;
+    }
+    /* Flush output from aborted transaction before truncating the file!! */
+    if (vstream_fseek(smtpd_proxy_replay_stream, (off_t) 0, SEEK_SET) < 0) {
+	msg_warn("seek before-queue filter speed-adjust log: %m");
 	(void) vstream_fclose(smtpd_proxy_replay_stream);
 	smtpd_proxy_replay_stream = 0;
 	return;

postfix/src/util/inet_addr_local.c

@@ -183,13 +183,16 @@ static int ial_getifaddrs(INET_ADDR_LIST *addr_list,
     for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
 	if (!(ifa->ifa_flags & IFF_UP) || ifa->ifa_addr == 0)
 	    continue;
-	/* XXX Should we cons up a default mask instead? */
-	if (ifa->ifa_netmask == 0)
-	    continue;				
 	sa = ifa->ifa_addr;
-	sam = ifa->ifa_netmask;
 	if (af != AF_UNSPEC && sa->sa_family != af)
 	    continue;
+	sam = ifa->ifa_netmask;
+	if (sam == 0) {
+	    /* XXX In mynetworks, a null netmask would match everyone. */
+	    msg_warn("ignoring interface with null netmask, address family %d",
+		     sa->sa_family);
+	    continue;
+	}
 	switch (sa->sa_family) {
 	case AF_INET:
 	    if (SOCK_ADDR_IN_ADDR(sa).s_addr == INADDR_ANY)
@@ -586,7 +589,8 @@ int     main(int unused_argc, char **argv)
     msg_vstream_init(argv[0], VSTREAM_ERR);
     msg_verbose = 1;
 
-    proto_info = inet_proto_init(argv[0], INET_PROTO_NAME_ALL);
+    proto_info = inet_proto_init(argv[0],
+				 argv[1] ? argv[1] : INET_PROTO_NAME_ALL);
     inet_addr_list_init(&addr_list);
     inet_addr_list_init(&mask_list);
     inet_addr_local(&addr_list, &mask_list, proto_info->ai_family_list);

postfix/src/util/sys_defs.h

@@ -111,7 +111,7 @@
 #define HAS_DUPLEX_PIPE			/* 4.1 breaks with kqueue(2) */
 #endif
 
-#if __FreeBSD_version >= 800098		/* commit: r194262 */
+#if __FreeBSD_version >= 800107		/* safe; don't believe the experts */
 #define HAS_CLOSEFROM
 #endif