postfix-2.2-20050202

postfix/HISTORY

@@ -10230,10 +10230,25 @@ Apologies for any names omitted.
 	than $line_length_limit, causing postdrop to reject the
 	mail. Diagnosis by Victor Duchovni. File:  sendmail/sendmail.c.
 
+20050202
+
+	Cleanup: explicit Makefile targets for "make package" and
+	"make non-interactive-package" to create ready-to-install
+	packages for distribution to other systems. Added extra
+	sanity checks to prevent attempts to overwrite your running
+	Postfix instance. Files:  Makefile.in, proto/PACKAGE_README.
+
+	Cleanup: when bounce_queue_lifetime > maximal_queue_lifetime,
+	it is adjusted to maximal_queue_lifetime, and a warning is
+	logged. Files:  *qmgr/qmgr.c.
+
+	Cleanup: trivial-rewrite detects changes to maps even in
+	the absence of connection events. File: trivial-rewrite.c.
+
 Open problems:
 
-	Low: document regexp usage in aliases and other sensitive
+	Med: SunOS 4 has no strtoul(). Instead of sprintf/strtoul()
-	maps.
+	use hexen/decode() for the process generation number.
 
 	Low: pointers to postfinger and saslfinger. postfinger
 	is now bundled.
@@ -10261,16 +10276,11 @@ Open problems:
 	really try all the possibilities that one might expect to
 	be tried. For now, this gotcha is documented in access(5).
 
-	Low: cap bounce queue life time with regular queue life
-	time.
-
 	Med: the TLS certificate verification depth parameters
 	never worked.
 
 	Med: eliminate the tls_info data structure.
 
-	Low: something to alias sdbm:name into btree:name?
-
 	Med: implement ${name[?:]value} in main.cf or update the
 	postconf(5) manual.
 
@@ -10279,20 +10289,12 @@ Open problems:
 
 	Low: should the Delivered-To: test in local(8) be configurable?
 
-	Low: document propagate_unmatched_extensions in aliases(5)
-	etc.
-
 	Low: make mail_addr_find() lookup configurable.
 
-	Low: anvil(8) should log cache peak size, like scache(8).
-
 	Low: update events.c so that 1-second timer requests do
 	not suffer from rounding errors. This is needed for 1-second
 	SMTP session caching time limits.
 
-	Low: trivial-rewrite should examine the map change status
-	every N seconds.
-
 	Low: per-sender resolver personalities?
 
 	Low: configurable internal/system locking method.

postfix/Makefile.in

@@ -37,9 +37,15 @@ printfck: update
 install: update
 	$(SHELL) postfix-install
 
+package: update
+	$(SHELL) postfix-install -package
+
 upgrade: update
 	$(SHELL) postfix-install -non-interactive
 
+non-interactive-package: update
+	$(SHELL) postfix-install -non-interactive -package
+
 depend clean:
 	set -e; for i in $(DIRS); do \
 	 (set -e; echo "[$$i]"; cd $$i; $(MAKE) $@) || exit 1; \

postfix/README_FILES/PACKAGE_README

@@ -11,8 +11,8 @@ for general use.
 GGeenneerraall ddiissttrriibbuuttiioonnss:: pplleeaassee pprroovviiddee aa ssmmaallll ddeeffaauulltt mmaaiinn..ccff ffiillee
 
 The installed main.cf file must be small. PLEASE resist the temptation to list
-all 300+ parameters in the main.cf file. Postfix is supposed to be easy to
+all 400+ parameters in the main.cf file. Postfix is supposed to be easy to
-configure. Listing all 300+ in main.cf defeats the purpose. It is an invitation
+configure. Listing all 400+ in main.cf defeats the purpose. It is an invitation
 for hobbyists to make random changes without understanding what they do, and
 gets them into endless trouble.
 
@@ -39,7 +39,10 @@ You can build a pre-built Postfix package as an unprivileged user.
 
 First compile Postfix. After successful compilation, execute:
 
-     % sh postfix-install
+     % mmaakkee ppaacckkaaggee
+
+With Postfix versions before 2.2 you must invoke the post-install script
+directly (% sshh ppoosstt--iinnssttaallll).
 
 You will be prompted for installation parameters. Specify an install_root
 directory other than /. The mail_owner and setgid_group installation parameter
@@ -49,8 +52,10 @@ the package is unpacked and installed on the destination machine.
 If you want to fully automate this process, specify all the non-default
 installation parameters on the command line:
 
-     % sh postfix-install -non-interactive
+     % mmaakkee nnoonn--iinntteerraaccttiivvee--ppaacckkaaggee iinnssttaallll__rroooott==//ssoommee//wwhheerree...
-    install_root=/some/where ...
+
+With Postfix versions before 2.2 you must invoke the post-install script
+directly (% sshh ppoosstt--iinnssttaallll --nnoonn--iinntteerraaccttiivvee iinnssttaallll__rroooott......).
 
 BBeeggiinn SSeeccuurriittyy AAlleerrtt
 

postfix/RELEASE_NOTES

@@ -7,13 +7,34 @@ snapshot release).  Patches are issued for the official release
 and change the patchlevel and the release date. Patches are never
 issued for snapshot releases.
 
-Incompatible changes with snapshot Postfix-2.2-20050131
+Incompatible changes with snapshot Postfix-2.2-20050202
 =======================================================
 
 Postfix rewrites message header addresses only in mail that originates
 from the local machine. Specify "local_header_rewrite_clients =
 static:all" to get the old behavior of Postfix 2.1 and earlier.
 
+Major changes with snapshot Postfix-2.2-20050202
+================================================
+
+To create a ready-to-install package for distribution to other
+systems use "make package" or "make non-interactive-package",
+instead of invoking the postfix-install script by hand (which is
+deprecated). See the PACKAGE_README file for details.
+
+New "permit_inet_interfaces" access restriction to allow access
+from local IP addresses only. This is used for the default, purist,
+setting of local_header_rewrite_clients.
+
+New "sleep time-in-seconds" pseudo access restriction to block
+zombie clients with reject_unauthorized_pipelining before the
+Postfix SMTP server sends the SMTP greeting. See postconf(5)
+for example.
+
+Safety: Postfix no longer tries to send mail to the fallback_relay
+when the local machine is MX host for the mail destination. See
+postconf(5) description of fallback_relay for details.
+
 Incompatible changes with snapshot Postfix-2.2-20050117
 =======================================================
 

postfix/conf/aliases

@@ -134,6 +134,21 @@ decode:		root
 #        user+foo),  the  search  is  repeated  for  the unextended
 #        address (e.g., user).
 # 
+#        The  propagate_unmatched_extensions   parameter   controls
+#        whether  an  unmatched  address extension (+foo) is propa-
+#        gated to the result of table lookup.
+# 
+# SECURITY
+#        The local(8) delivery agent disallows  regular  expression
+#        substitution  of $1 etc. in alias_maps, because that would
+#        open a security hole.
+# 
+#        The local(8) delivery agent will silently ignore  requests
+#        to  use  the proxymap(8) server within alias_maps. Instead
+#        it will open the table directly.  Before  Postfix  version
+#        2.2,  the  local(8)  delivery  agent will terminate with a
+#        fatal error.
+# 
 # CONFIGURATION PARAMETERS
 #        The following main.cf parameters are especially  relevant.
 #        The  text  below  provides  only  a parameter summary. See
@@ -161,6 +176,13 @@ decode:		root
 #               the right-hand side of  the  owner  alias,  instead
 #               using of the left-hand side address.
 # 
+#        propagate_unmatched_extensions
+#               A  list  of  address rewriting or forwarding mecha-
+#               nisms that propagate an address extension from  the
+#               original  address  to  the  result. Specify zero or
+#               more of  canonical,  virtual,  alias,  forward,  or
+#               include.
+# 
 #        owner_request_special
 #               Give  special treatment to owner-listname and list-
 #               name-request addresses.
@@ -169,11 +191,6 @@ decode:		root
 #               Delimiter that separates  recipients  from  address
 #               extensions.
 # 
-# BUGS
-#        Regular  expression  alias  lookup tables are allowed, but
-#        substitution of $1 etc. is forbidden  because  that  would
-#        open a security loophole.
-# 
 # STANDARDS
 #        RFC 822 (ARPA Internet Text Messages)
 # 

postfix/html/PACKAGE_README.html

@@ -27,8 +27,8 @@ Postfix distributions for general use.  </p>
 file</h2>
 
 <p> The installed main.cf file must be small. PLEASE resist the
-temptation to list all 300+ parameters in the main.cf file.  Postfix
+temptation to list all 400+ parameters in the main.cf file.  Postfix
-is supposed to be easy to configure. Listing all 300+ in main.cf
+is supposed to be easy to configure. Listing all 400+ in main.cf
 defeats the purpose. It is an invitation for hobbyists to make
 random changes without understanding what they do, and gets them
 into endless trouble.  </p>
@@ -62,7 +62,11 @@ user. </p>
 <p> First compile Postfix. After successful compilation, execute:
 </p>
 
-<blockquote> <pre> % sh postfix-install </pre> </blockquote>
+<blockquote> <pre> % <b>make package</b> </pre>
+</blockquote>
+
+<p> With Postfix versions before 2.2 you must invoke the post-install
+script directly (<tt>% <b>sh post-install</b></tt>). </p>
 
 <p> You will be prompted for installation parameters.  Specify an
 install_root directory other than /.  The <a href="postconf.5.html#mail_owner">mail_owner</a> and <a href="postconf.5.html#setgid_group">setgid_group</a>
@@ -73,8 +77,13 @@ installed on the destination machine. </p>
 <p> If you want to fully automate this process, specify all the
 non-default installation parameters on the command line: </p>
 
-<blockquote> <pre> % sh postfix-install -non-interactive
+<blockquote> 
-install_root=/some/where ...  </pre> </blockquote>
+<pre> % <b>make non-interactive-package install_root=/some/where</b>...  
+</pre> </blockquote>
+
+<p> With Postfix versions before 2.2 you must invoke the post-install
+script directly (<tt>% <b>sh post-install -non-interactive
+install_root...</b></tt>). </p>
 
 <h2>Begin Security Alert</h2>
 

postfix/html/aliases.5.html

@@ -102,6 +102,21 @@ ALIASES(5)                                             ALIASES(5)
        <i>user+foo</i>),  the  search  is  repeated  for  the unextended
        address (e.g., <i>user</i>).
 
+       The  <b><a href="postconf.5.html#propagate_unmatched_extensions">propagate_unmatched_extensions</a></b>   parameter   controls
+       whether  an  unmatched  address extension (<i>+foo</i>) is propa-
+       gated to the result of table lookup.
+
+<b>SECURITY</b>
+       The <a href="local.8.html"><b>local</b>(8)</a> delivery agent disallows  regular  expression
+       substitution  of $1 etc. in <b><a href="postconf.5.html#alias_maps">alias_maps</a></b>, because that would
+       open a security hole.
+
+       The <a href="local.8.html"><b>local</b>(8)</a> delivery agent will silently ignore  requests
+       to  use  the <a href="proxymap.8.html"><b>proxymap</b>(8)</a> server within <b><a href="postconf.5.html#alias_maps">alias_maps</a></b>. Instead
+       it will open the table directly.  Before  Postfix  version
+       2.2,  the  <a href="local.8.html"><b>local</b>(8)</a>  delivery  agent will terminate with a
+       fatal error.
+
 <b>CONFIGURATION PARAMETERS</b>
        The following <b>main.cf</b> parameters are especially  relevant.
        The  text  below  provides  only  a parameter summary. See
@@ -109,10 +124,10 @@ ALIASES(5)                                             ALIASES(5)
 
        <b><a href="postconf.5.html#alias_database">alias_database</a></b>
               List of alias databases that  are  updated  by  the
-              <a href="newaliases.1.html">newaliases(1)</a> command.
+              <a href="newaliases.1.html"><b>newaliases</b>(1)</a> command.
 
        <b><a href="postconf.5.html#alias_maps">alias_maps</a></b>
-              List  of  alias  databases  queried by the <a href="local.8.html">local(8)</a>
+              List  of  alias  databases  queried by the <a href="local.8.html"><b>local</b>(8)</a>
               delivery agent.
 
        <b><a href="postconf.5.html#allow_mail_to_commands">allow_mail_to_commands</a></b>
@@ -129,6 +144,13 @@ ALIASES(5)                                             ALIASES(5)
               the right-hand side of  the  owner  alias,  instead
               using of the left-hand side address.
 
+       <b><a href="postconf.5.html#propagate_unmatched_extensions">propagate_unmatched_extensions</a></b>
+              A  list  of  address rewriting or forwarding mecha-
+              nisms that propagate an address extension from  the
+              original  address  to  the  result. Specify zero or
+              more of  <b>canonical</b>,  <b>virtual</b>,  <b>alias</b>,  <b>forward</b>,  or
+              <b>include</b>.
+
        <b><a href="postconf.5.html#owner_request_special">owner_request_special</a></b>
               Give  special treatment to <b>owner-</b><i>listname</i> and <i>list-</i>
               <i>name</i><b>-request</b> addresses.
@@ -137,11 +159,6 @@ ALIASES(5)                                             ALIASES(5)
               Delimiter that separates  recipients  from  address
               extensions.
 
-<b>BUGS</b>
-       Regular  expression  alias  lookup tables are allowed, but
-       substitution of $1 etc. is forbidden  because  that  would
-       open a security loophole.
-
 <b>STANDARDS</b>
        <a href="http://www.faqs.org/rfcs/rfc822.html">RFC 822</a> (ARPA Internet Text Messages)
 

postfix/html/local.8.html

@@ -313,6 +313,23 @@ LOCAL(8)                                                 LOCAL(8)
        the postmaster is notified of bounces and of  other  trou-
        ble.
 
+<b>SECURITY</b>
+       The <a href="local.8.html"><b>local</b>(8)</a> delivery agent needs a dual personality 1) to
+       access the private Postfix queue and IPC mechanisms, 2) to
+       impersonate  the recipient and deliver to recipient-speci-
+       fied files or commands. It is  therefore  security  sensi-
+       tive.
+
+       The  <a href="local.8.html"><b>local</b>(8)</a>  delivery agent disallows regular expression
+       substitution of $1 etc. in <b><a href="postconf.5.html#alias_maps">alias_maps</a></b>, because that  would
+       open a security hole.
+
+       The  <a href="local.8.html"><b>local</b>(8)</a> delivery agent will silently ignore requests
+       to use the <a href="proxymap.8.html"><b>proxymap</b>(8)</a> server within  <b><a href="postconf.5.html#alias_maps">alias_maps</a></b>.  Instead
+       it  will  open the table directly.  Before Postfix version
+       2.2, the <a href="local.8.html"><b>local</b>(8)</a> delivery agent  will  terminate  with  a
+       fatal error.
+
 <b>BUGS</b>
        For  security  reasons,  the  message  delivery  status of
        external commands or of external  files  is  never  check-
@@ -326,7 +343,7 @@ LOCAL(8)                                                 LOCAL(8)
 
 <b>CONFIGURATION PARAMETERS</b>
        Changes   to  <b>main.cf</b>  are  picked  up  automatically,  as
-       <a href="local.8.html">local(8)</a> processes run for only a limited amount of  time.
+       <a href="local.8.html"><b>local</b>(8)</a> processes run for only a limited amount of  time.
        Use the command "<b>postfix reload</b>" to speed up a change.
 
        The  text  below  provides  only  a parameter summary. See
@@ -352,7 +369,7 @@ LOCAL(8)                                                 LOCAL(8)
               Obsolete SUN mailtool compatibility feature.
 
 <b>DELIVERY METHOD CONTROLS</b>
-       The precedence of <a href="local.8.html">local(8)</a> delivery methods from  high  to
+       The precedence of <a href="local.8.html"><b>local</b>(8)</a> delivery methods from  high  to
        low  is: aliases, .forward files, <a href="postconf.5.html#mailbox_transport">mailbox_transport</a>, <a href="postconf.5.html#mailbox_command_maps">mail</a>-
        <a href="postconf.5.html#mailbox_command_maps">box_command_maps</a>,      <a href="postconf.5.html#mailbox_command">mailbox_command</a>,      <a href="postconf.5.html#home_mailbox">home_mailbox</a>,
        <a href="postconf.5.html#mail_spool_directory">mail_spool_directory</a>,  <a href="postconf.5.html#fallback_transport">fallback_transport</a> and <a href="postconf.5.html#luser_relay">luser_relay</a>.

postfix/html/postconf.5.html

@@ -458,6 +458,18 @@ If you change the alias database, run "<b>postalias /etc/aliases</b>"
 run "<b>newaliases</b>" to build the necessary DBM or DB file.
 </p>
 
+<p>
+The <a href="local.8.html">local(8)</a> delivery agent disallows regular expression substitution
+of $1 etc. in <a href="postconf.5.html#alias_maps">alias_maps</a>, because that would open a security hole.
+</p>
+
+<p>
+The <a href="local.8.html">local(8)</a> delivery agent will silently ignore requests to use
+the <a href="proxymap.8.html">proxymap(8)</a> server within <a href="postconf.5.html#alias_maps">alias_maps</a>. Instead it will open the
+table directly. Before Postfix version 2.2, the <a href="local.8.html">local(8)</a> delivery
+agent will terminate with a fatal error.
+</p>
+
 <p>
 Examples:
 </p>
@@ -7157,6 +7169,21 @@ a restriction list, to make the default policy explicit.  The
 <a href="postconf.5.html#reject_code">reject_code</a> configuration parameter specifies the response code to
 rejected requests (default: 554).</dd>
 
+<dt><b><a name="sleep">sleep <i>seconds</i></a></b></dt>
+
+<dd>Pause for the specified number of seconds and proceed with
+the next restriction in the list, if any. This may stop zombie
+mail when used as:  </dd>
+
+<blockquote>
+<pre>
+/etc/postfix/main.cf:
+    <a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> =
+        sleep 1, <a href="postconf.5.html#reject_unauth_pipelining">reject_unauth_pipelining</a>
+    <a href="postconf.5.html#smtpd_delay_reject">smtpd_delay_reject</a> = no
+</pre>
+</blockquote>
+
 <dt><b><a name="warn_if_reject">warn_if_reject</a></b></dt>
 
 <dd>Change the meaning of the next restriction, so that it logs

postfix/html/virtual.8.html

@@ -116,6 +116,15 @@ VIRTUAL(8)                                             VIRTUAL(8)
        information are adequately protected. This program is  not
        designed to run chrooted.
 
+       The  virtual  delivery  agent disallows regular expression
+       substitution of  $1  etc.  in  regular  expression  lookup
+       tables, because that would open a security hole.
+
+       The  virtual  delivery agent will silently ignore requests
+       to use the <a href="proxymap.8.html">proxymap(8)</a> server. Instead it  will  open  the
+       table  directly.  Before  Postfix version 2.2, the virtual
+       delivery agent will terminate with a fatal error.
+
 <b>STANDARDS</b>
        <a href="http://www.faqs.org/rfcs/rfc822.html">RFC 822</a> (ARPA Internet Text Messages)
 

postfix/man/man5/aliases.5

@@ -94,6 +94,24 @@ configuration parameters.
 When alias database search fails, and the recipient localpart
 contains the optional recipient delimiter (e.g., \fIuser+foo\fR),
 the search is repeated for the unextended address (e.g., \fIuser\fR).
+
+The \fBpropagate_unmatched_extensions\fR parameter controls
+whether an unmatched address extension (\fI+foo\fR) is
+propagated to the result of table lookup.
+.SH "SECURITY"
+.na
+.nf
+.ad
+.fi
+The \fBlocal\fR(8) delivery agent disallows regular expression
+substitution of $1 etc. in \fBalias_maps\fR, because that
+would open a security hole.
+
+The \fBlocal\fR(8) delivery agent will silently ignore
+requests to use the \fBproxymap\fR(8) server within
+\fBalias_maps\fR. Instead it will open the table directly.
+Before Postfix version 2.2, the \fBlocal\fR(8) delivery
+agent will terminate with a fatal error.
 .SH "CONFIGURATION PARAMETERS"
 .na
 .nf
@@ -103,9 +121,10 @@ The following \fBmain.cf\fR parameters are especially relevant.
 The text below provides only a parameter summary. See
 postconf(5) for more details including examples.
 .IP \fBalias_database\fR
-List of alias databases that are updated by the newaliases(1) command.
+List of alias databases that are updated by the
+\fBnewaliases\fR(1) command.
 .IP \fBalias_maps\fR
-List of alias databases queried by the local(8) delivery agent.
+List of alias databases queried by the \fBlocal\fR(8) delivery agent.
 .IP \fBallow_mail_to_commands\fR
 Restrict the usage of mail delivery to external command.
 .IP \fBallow_mail_to_files\fR
@@ -114,18 +133,17 @@ Restrict the usage of mail delivery to external file.
 When delivering to an alias that has an \fBowner-\fR companion alias,
 set the envelope sender address to the right-hand side of the
 owner alias, instead using of the left-hand side address.
+.IP \fBpropagate_unmatched_extensions\fR
+A list of address rewriting or forwarding mechanisms that
+propagate an address extension from the original address
+to the result. Specify zero or more of \fBcanonical\fR,
+\fBvirtual\fR, \fBalias\fR, \fBforward\fR, or \fBinclude\fR.
 .IP \fBowner_request_special\fR
 Give special treatment to \fBowner-\fIlistname\fR and
 \fIlistname\fB-request\fR
 addresses.
 .IP \fBrecipient_delimiter\fR
 Delimiter that separates recipients from address extensions.
-.SH BUGS
-.ad
-.fi
-Regular expression alias lookup tables are allowed, but
-substitution of $1 etc. is forbidden because that would
-open a security loophole.
 .SH "STANDARDS"
 .na
 .nf

postfix/man/man5/postconf.5

@@ -238,6 +238,14 @@ If you change the alias database, run "\fBpostalias /etc/aliases\fR"
 (or wherever your system stores the mail alias file), or simply
 run "\fBnewaliases\fR" to build the necessary DBM or DB file.
 .PP
+The local(8) delivery agent disallows regular expression substitution
+of $1 etc. in alias_maps, because that would open a security hole.
+.PP
+The local(8) delivery agent will silently ignore requests to use
+the proxymap(8) server within alias_maps. Instead it will open the
+table directly. Before Postfix version 2.2, the local(8) delivery
+agent will terminate with a fatal error.
+.PP
 Examples:
 .PP
 .nf
@@ -704,7 +712,7 @@ debug_peer_list = some.domain
 The external command to execute when a Postfix daemon program is
 invoked with the -D option.
 .PP
-Use "command .. & sleep 5" so that the debugger can attach before
+Use "command .. & sleep 5" so that the debugger can attach before
 the process marches on. If you use an X-based debugger, be sure to
 set up your XAUTHORITY environment variable before starting Postfix.
 .PP
@@ -715,7 +723,7 @@ Example:
 .ft C
 debugger_command =
     PATH=/usr/bin:/usr/X11R6/bin
-    xxgdb $daemon_directory/$process_name $process_id & sleep 5
+    xxgdb $daemon_directory/$process_name $process_id & sleep 5
 .fi
 .ad
 .ft R
@@ -4011,6 +4019,26 @@ Reject the request. This restriction is useful at the end of
 a restriction list, to make the default policy explicit.  The
 reject_code configuration parameter specifies the response code to
 rejected requests (default: 554).
+.IP "\fBsleep \fIseconds\fR\fR"
+Pause for the specified number of seconds and proceed with
+the next restriction in the list, if any. This may stop zombie
+mail when used as:
+.na
+.nf
+.in +4
+.nf
+.na
+.ft C
+/etc/postfix/main.cf:
+    smtpd_client_restrictions =
+        sleep 1, reject_unauth_pipelining
+    smtpd_delay_reject = no
+.fi
+.ad
+.ft R
+.in -4
+.fi
+.ad
 .IP "\fBwarn_if_reject\fR"
 Change the meaning of the next restriction, so that it logs
 a warning instead of rejecting a request (look for logfile records

postfix/man/man8/local.8

@@ -326,6 +326,25 @@ manager can move them to the \fBcorrupt\fR queue afterwards.
 
 Depending on the setting of the \fBnotify_classes\fR parameter,
 the postmaster is notified of bounces and of other trouble.
+.SH "SECURITY"
+.na
+.nf
+.ad
+.fi
+The \fBlocal\fR(8) delivery agent needs a dual personality
+1) to access the private Postfix queue and IPC mechanisms,
+2) to impersonate the recipient and deliver to recipient-specified
+files or commands. It is therefore security sensitive.
+
+The \fBlocal\fR(8) delivery agent disallows regular expression
+substitution of $1 etc. in \fBalias_maps\fR, because that
+would open a security hole.
+
+The \fBlocal\fR(8) delivery agent will silently ignore
+requests to use the \fBproxymap\fR(8) server within
+\fBalias_maps\fR. Instead it will open the table directly.
+Before Postfix version 2.2, the \fBlocal\fR(8) delivery
+agent will terminate with a fatal error.
 .SH BUGS
 .ad
 .fi
@@ -342,7 +361,7 @@ early.  The resulting mail forwarding loop is broken by the use of the
 .nf
 .ad
 .fi
-Changes to \fBmain.cf\fR are picked up automatically, as local(8)
+Changes to \fBmain.cf\fR are picked up automatically, as \fBlocal\fR(8)
 processes run for only a limited amount of time. Use the command
 "\fBpostfix reload\fR" to speed up a change.
 
@@ -370,7 +389,7 @@ Obsolete SUN mailtool compatibility feature.
 .nf
 .ad
 .fi
-The precedence of local(8) delivery methods from high to low is:
+The precedence of \fBlocal\fR(8) delivery methods from high to low is:
 aliases, .forward files, mailbox_transport, mailbox_command_maps,
 mailbox_command, home_mailbox, mail_spool_directory, fallback_transport
 and luser_relay.

postfix/man/man8/virtual.8

@@ -127,6 +127,15 @@ map.
 The virtual delivery agent is not security sensitive, provided
 that the lookup tables with recipient user/group ID information are
 adequately protected. This program is not designed to run chrooted.
+
+The virtual delivery agent disallows regular expression
+substitution of $1 etc. in regular expression lookup tables,
+because that would open a security hole.
+
+The virtual delivery agent will silently ignore requests
+to use the proxymap(8) server. Instead it will open the
+table directly. Before Postfix version 2.2, the virtual
+delivery agent will terminate with a fatal error.
 .SH "STANDARDS"
 .na
 .nf

postfix/mantools/postconf2man

@@ -69,6 +69,7 @@ while(<>) {
     $block =~ s/<br>\s*/\n.br\n/g;
     $block =~ s/&lt;/</g;
     $block =~ s/&gt;/>/g;
+    $block =~ s/&amp;/\&/g;
     $block =~ s/\s+\n/\n/g;
     $block =~ s/^\n//g;
     print $block;

postfix/postfix-install

@@ -168,6 +168,7 @@ BACKUP_IFS="$IFS"
 
 USAGE="Usage: $0 [name=value] [option]
     -non-interactive        Do not ask for installation parameters.
+    -package                Build a ready-to-install package.
     name=value              Specify an installation parameter".
 
 # Process command-line options and parameter settings. Work around
@@ -179,6 +180,7 @@ do
     case $arg in
       *=*) IFS= eval $arg; IFS="$BACKUP_IFS";;
 -non-int*) non_interactive=1;;
+ -package) need_install_root=install_root;;
         *) echo "$0: Error: $USAGE" 1>&2; exit 1;;
     esac
     shift
@@ -380,6 +382,11 @@ case $install_root in
 /) install_root=
 esac
 
+test -z "$need_install_root" || test -n "$install_root" || {
+    echo $0: Error: invalid package root directory: \"install_root=/\" 1>&2
+    exit 1
+}
+
 CONFIG_DIRECTORY=$install_root$config_directory
 
 # If a parameter is not set via the command line or environment,

postfix/proto/PACKAGE_README.html

@@ -27,8 +27,8 @@ Postfix distributions for general use.  </p>
 file</h2>
 
 <p> The installed main.cf file must be small. PLEASE resist the
-temptation to list all 300+ parameters in the main.cf file.  Postfix
+temptation to list all 400+ parameters in the main.cf file.  Postfix
-is supposed to be easy to configure. Listing all 300+ in main.cf
+is supposed to be easy to configure. Listing all 400+ in main.cf
 defeats the purpose. It is an invitation for hobbyists to make
 random changes without understanding what they do, and gets them
 into endless trouble.  </p>
@@ -62,7 +62,11 @@ user. </p>
 <p> First compile Postfix. After successful compilation, execute:
 </p>
 
-<blockquote> <pre> % sh postfix-install </pre> </blockquote>
+<blockquote> <pre> % <b>make package</b> </pre>
+</blockquote>
+
+<p> With Postfix versions before 2.2 you must invoke the post-install
+script directly (<tt>% <b>sh post-install</b></tt>). </p>
 
 <p> You will be prompted for installation parameters.  Specify an
 install_root directory other than /.  The mail_owner and setgid_group
@@ -73,8 +77,13 @@ installed on the destination machine. </p>
 <p> If you want to fully automate this process, specify all the
 non-default installation parameters on the command line: </p>
 
-<blockquote> <pre> % sh postfix-install -non-interactive
+<blockquote> 
-install_root=/some/where ...  </pre> </blockquote>
+<pre> % <b>make non-interactive-package install_root=/some/where</b>...  
+</pre> </blockquote>
+
+<p> With Postfix versions before 2.2 you must invoke the post-install
+script directly (<tt>% <b>sh post-install -non-interactive
+install_root...</b></tt>). </p>
 
 <h2>Begin Security Alert</h2>
 

postfix/proto/aliases

@@ -86,6 +86,22 @@
 #	When alias database search fails, and the recipient localpart
 #	contains the optional recipient delimiter (e.g., \fIuser+foo\fR),
 #	the search is repeated for the unextended address (e.g., \fIuser\fR).
+#
+#	The \fBpropagate_unmatched_extensions\fR parameter controls
+#	whether an unmatched address extension (\fI+foo\fR) is
+#	propagated to the result of table lookup.
+# SECURITY
+# .ad
+# .fi
+#	The \fBlocal\fR(8) delivery agent disallows regular expression
+#	substitution of $1 etc. in \fBalias_maps\fR, because that
+#	would open a security hole.
+#
+#	The \fBlocal\fR(8) delivery agent will silently ignore
+#	requests to use the \fBproxymap\fR(8) server within
+#	\fBalias_maps\fR. Instead it will open the table directly.
+#	Before Postfix version 2.2, the \fBlocal\fR(8) delivery
+#	agent will terminate with a fatal error.
 # CONFIGURATION PARAMETERS
 # .ad
 # .fi
@@ -93,9 +109,10 @@
 #	The text below provides only a parameter summary. See
 #	postconf(5) for more details including examples.
 # .IP \fBalias_database\fR
-#	List of alias databases that are updated by the newaliases(1) command.
+#	List of alias databases that are updated by the
+#	\fBnewaliases\fR(1) command.
 # .IP \fBalias_maps\fR
-#	List of alias databases queried by the local(8) delivery agent.
+#	List of alias databases queried by the \fBlocal\fR(8) delivery agent.
 # .IP \fBallow_mail_to_commands\fR
 #	Restrict the usage of mail delivery to external command.
 # .IP \fBallow_mail_to_files\fR
@@ -104,16 +121,17 @@
 #	When delivering to an alias that has an \fBowner-\fR companion alias,
 #	set the envelope sender address to the right-hand side of the
 #	owner alias, instead using of the left-hand side address.
+# .IP \fBpropagate_unmatched_extensions\fR
+#	A list of address rewriting or forwarding mechanisms that
+#	propagate an address extension from the original address
+#	to the result. Specify zero or more of \fBcanonical\fR,
+#	\fBvirtual\fR, \fBalias\fR, \fBforward\fR, or \fBinclude\fR.
 # .IP \fBowner_request_special\fR
 #	Give special treatment to \fBowner-\fIlistname\fR and
 #	\fIlistname\fB-request\fR
 #	addresses.
 # .IP \fBrecipient_delimiter\fR
 #	Delimiter that separates recipients from address extensions.
-# BUGS
-#	Regular expression alias lookup tables are allowed, but
-#	substitution of $1 etc. is forbidden because that would
-#	open a security loophole.
 # STANDARDS
 #	RFC 822 (ARPA Internet Text Messages)
 # SEE ALSO

postfix/proto/postconf.proto

@@ -428,6 +428,18 @@ If you change the alias database, run "<b>postalias /etc/aliases</b>"
 run "<b>newaliases</b>" to build the necessary DBM or DB file.
 </p>
   
+<p>
+The local(8) delivery agent disallows regular expression substitution
+of $1 etc. in alias_maps, because that would open a security hole.
+</p>
+
+<p>
+The local(8) delivery agent will silently ignore requests to use
+the proxymap(8) server within alias_maps. Instead it will open the
+table directly. Before Postfix version 2.2, the local(8) delivery
+agent will terminate with a fatal error.
+</p>
+
 <p>
 Examples:
 </p>
@@ -4440,6 +4452,21 @@ a restriction list, to make the default policy explicit.  The
 reject_code configuration parameter specifies the response code to
 rejected requests (default: 554).</dd>
 
+<dt><b><a name="sleep">sleep <i>seconds</i></a></b></dt>
+
+<dd>Pause for the specified number of seconds and proceed with
+the next restriction in the list, if any. This may stop zombie
+mail when used as:  </dd>
+
+<blockquote>
+<pre>
+/etc/postfix/main.cf:
+    smtpd_client_restrictions = 
+        sleep 1, reject_unauth_pipelining
+    smtpd_delay_reject = no
+</pre>
+</blockquote>
+
 <dt><b><a name="warn_if_reject">warn_if_reject</a></b></dt>
 
 <dd>Change the meaning of the next restriction, so that it logs

postfix/src/anvil/anvil.c

@@ -272,6 +272,9 @@ static int max_rcpt;
 static char *max_rcpt_user;
 static time_t max_rcpt_time;
 
+static int max_cache;
+static time_t max_cache_time;
+
  /*
   * Remote connection state, one instance for each (service, client) pair.
   */
@@ -522,6 +525,10 @@ static ANVIL_REMOTE *anvil_remote_conn_update(VSTREAM *client_stream, const char
 	anvil_remote = (ANVIL_REMOTE *) mymalloc(sizeof(*anvil_remote));
 	ANVIL_REMOTE_FIRST(anvil_remote, ident);
 	htable_enter(anvil_remote_map, ident, (char *) anvil_remote);
+	if (max_cache < anvil_remote_map->used) {
+	    max_cache = anvil_remote_map->used;
+	    max_cache_time = event_time();
+	}
     } else {
 	ANVIL_REMOTE_NEXT(anvil_remote);
     }
@@ -809,29 +816,34 @@ static void post_jail_init(char *unused_name, char **unused_argv)
 
 static void anvil_status_dump(char *unused_name, char **unused_argv)
 {
-    if (max_rate > 1) {
+    if (max_rate > 0) {
 	msg_info("statistics: max connection rate %d/%ds for (%s) at %.15s",
 		 max_rate, var_anvil_time_unit,
 		 max_rate_user, ctime(&max_rate_time) + 4);
 	max_rate = 0;
     }
-    if (max_count > 1) {
+    if (max_count > 0) {
 	msg_info("statistics: max connection count %d for (%s) at %.15s",
 		 max_count, max_count_user, ctime(&max_count_time) + 4);
 	max_count = 0;
     }
-    if (max_mail > 1) {
+    if (max_mail > 0) {
 	msg_info("statistics: max message rate %d/%ds for (%s) at %.15s",
 		 max_mail, var_anvil_time_unit,
 		 max_mail_user, ctime(&max_mail_time) + 4);
 	max_mail = 0;
     }
-    if (max_rcpt > 1) {
+    if (max_rcpt > 0) {
 	msg_info("statistics: max recipient rate %d/%ds for (%s) at %.15s",
 		 max_rcpt, var_anvil_time_unit,
 		 max_rcpt_user, ctime(&max_rcpt_time) + 4);
 	max_rcpt = 0;
     }
+    if (max_cache > 0) {
+	msg_info("statistics: max ident cache size %d at %.15s",
+		 max_cache, ctime(&max_cache_time) + 4);
+	max_cache = 0;
+    }
 }
 
 /* anvil_status_update - log and reset extreme usage periodically */

postfix/src/global/mail_params.h

@@ -1574,6 +1574,8 @@ extern int var_defer_code;
 #define DEFER_IF_PERMIT		"defer_if_permit"
 #define DEFER_IF_REJECT		"defer_if_reject"
 
+#define SLEEP			"sleep"
+
 #define REJECT_UNKNOWN_CLIENT	"reject_unknown_client"
 #define VAR_UNK_CLIENT_CODE	"unknown_client_reject_code"
 #define DEF_UNK_CLIENT_CODE	450

postfix/src/global/mail_version.h

@@ -20,7 +20,7 @@
   * Patches change the patchlevel and the release date. Snapshots change the
   * release date only.
   */
-#define MAIL_RELEASE_DATE	"20050131"
+#define MAIL_RELEASE_DATE	"20050202"
 #define MAIL_VERSION_NUMBER	"2.2"
 
 #define VAR_MAIL_VERSION	"mail_version"

postfix/src/local/local.c

@@ -302,6 +302,23 @@
 /*
 /*	Depending on the setting of the \fBnotify_classes\fR parameter,
 /*	the postmaster is notified of bounces and of other trouble.
+/* SECURITY
+/* .ad
+/* .fi
+/*	The \fBlocal\fR(8) delivery agent needs a dual personality
+/*	1) to access the private Postfix queue and IPC mechanisms,
+/*	2) to impersonate the recipient and deliver to recipient-specified
+/*	files or commands. It is therefore security sensitive.
+/*
+/*	The \fBlocal\fR(8) delivery agent disallows regular expression
+/*	substitution of $1 etc. in \fBalias_maps\fR, because that
+/*	would open a security hole.
+/*
+/*	The \fBlocal\fR(8) delivery agent will silently ignore
+/*	requests to use the \fBproxymap\fR(8) server within
+/*	\fBalias_maps\fR. Instead it will open the table directly.
+/*	Before Postfix version 2.2, the \fBlocal\fR(8) delivery
+/*	agent will terminate with a fatal error.
 /* BUGS
 /*	For security reasons, the message delivery status of external commands
 /*	or of external files is never checkpointed to file. As a result,
@@ -314,7 +331,7 @@
 /* CONFIGURATION PARAMETERS
 /* .ad
 /* .fi
-/*	Changes to \fBmain.cf\fR are picked up automatically, as local(8)
+/*	Changes to \fBmain.cf\fR are picked up automatically, as \fBlocal\fR(8)
 /*	processes run for only a limited amount of time. Use the command
 /*	"\fBpostfix reload\fR" to speed up a change.
 /*
@@ -338,7 +355,7 @@
 /* DELIVERY METHOD CONTROLS
 /* .ad
 /* .fi
-/*	The precedence of local(8) delivery methods from high to low is:
+/*	The precedence of \fBlocal\fR(8) delivery methods from high to low is:
 /*	aliases, .forward files, mailbox_transport, mailbox_command_maps,
 /*	mailbox_command, home_mailbox, mail_spool_directory, fallback_transport
 /*	and luser_relay.

postfix/src/master/master.h

@@ -23,6 +23,9 @@ typedef struct MASTER_SERV {
     int     wakeup_time;		/* wakeup interval */
     int    *listen_fd;			/* incoming requests */
     int     listen_fd_count;		/* nr of descriptors */
+#ifdef MASTER_SERV_TYPE_PASS
+    struct PASS_INFO *pass_info;	/* descriptor passing state */
+#endif
     union {
 	struct {
 	    char   *port;		/* inet listen port */
@@ -62,6 +65,7 @@ typedef struct MASTER_SERV {
 #define MASTER_SERV_TYPE_UNIX	1	/* AF_UNIX domain socket */
 #define MASTER_SERV_TYPE_INET	2	/* AF_INET domain socket */
 #define MASTER_SERV_TYPE_FIFO	3	/* fifo (named pipe) */
+/*#define MASTER_SERV_TYPE_PASS	4	/* AF_UNIX domain socket */
 
  /*
   * Default process management policy values. This is only the bare minimum.

postfix/src/master/master_ent.c

@@ -330,6 +330,11 @@ MASTER_SERV *get_master_ent()
     } else if (STR_SAME(transport, MASTER_XPORT_NAME_FIFO)) {
 	serv->type = MASTER_SERV_TYPE_FIFO;
 	serv->listen_fd_count = 1;
+#ifdef MASTER_SERV_TYPE_PASS
+    } else if (STR_SAME(transport, MASTER_XPORT_NAME_PASS)) {
+	serv->type = MASTER_SERV_TYPE_PASS;
+	serv->listen_fd_count = 1;
+#endif
     } else {
 	fatal_with_context("bad transport type: %s", transport);
     }
@@ -353,6 +358,11 @@ MASTER_SERV *get_master_ent()
     } else if (serv->type == MASTER_SERV_TYPE_FIFO) {
 	serv->name = mail_pathname(private ? MAIL_CLASS_PRIVATE :
 				   MAIL_CLASS_PUBLIC, name);
+#ifdef MASTER_SERV_TYPE_PASS
+    } else if (serv->type == MASTER_SERV_TYPE_PASS) {
+	serv->name = mail_pathname(private ? MAIL_CLASS_PRIVATE :
+				   MAIL_CLASS_PUBLIC, name);
+#endif
     } else {
 	msg_panic("bad transport type: %d", serv->type);
     }
@@ -474,6 +484,9 @@ void    print_master_ent(MASTER_SERV *serv)
 	     serv->type == MASTER_SERV_TYPE_UNIX ? MASTER_XPORT_NAME_UNIX :
 	     serv->type == MASTER_SERV_TYPE_FIFO ? MASTER_XPORT_NAME_FIFO :
 	     serv->type == MASTER_SERV_TYPE_INET ? MASTER_XPORT_NAME_INET :
+#ifdef MASTER_SERV_TYPE_PASS
+	     serv->type == MASTER_SERV_TYPE_PASS ? MASTER_XPORT_NAME_PASS :
+#endif
 	     "unknown transport type");
     msg_info("listen_fd_count: %d", serv->listen_fd_count);
     msg_info("wakeup: %d", serv->wakeup_time);

postfix/src/master/master_listen.c

@@ -127,6 +127,21 @@ void    master_listen_init(MASTER_SERV *serv)
 	    myfree(end_point);
 	}
 	break;
+
+	/*
+	 * Descriptor passing endpoints always come as singlets.
+	 */
+#ifdef MASTER_SERV_TYPE_PASS
+    case MASTER_SERV_TYPE_PASS:
+	set_eugid(var_owner_uid, var_owner_gid);
+	serv->listen_fd[0] =
+	    PASS_LISTEN(serv->name, serv->max_proc > var_proc_limit ?
+			serv->max_proc : var_proc_limit, NON_BLOCKING,
+			&(serv->pass_info));
+	close_on_exec(serv->listen_fd[0], CLOSE_ON_EXEC);
+	set_ugid(getuid(), getgid());
+	break;
+#endif
     default:
 	msg_panic("%s: unknown service type: %d", myname, serv->type);
     }
@@ -146,6 +161,10 @@ void    master_listen_cleanup(MASTER_SERV *serv)
      * listener. The 4.4BSD shutdown(2) man page promises an ENOTCONN error
      * when shutdown(2) is applied to a socket that is not connected.
      */
+#ifdef MASTER_SERV_TYPE_PASS
+    if (serv->type == MASTER_SERV_TYPE_PASS)
+	PASS_SHUTDOWN(&(serv->pass_info));
+#endif
     for (n = 0; n < serv->listen_fd_count; n++) {
 	if (close(serv->listen_fd[n]) < 0)
 	    msg_warn("%s: close listener socket %d: %m",

postfix/src/master/master_proto.h

@@ -15,6 +15,7 @@
 #define MASTER_XPORT_NAME_UNIX	"unix"	/* local IPC */
 #define MASTER_XPORT_NAME_FIFO	"fifo"	/* local IPC */
 #define MASTER_XPORT_NAME_INET	"inet"	/* non-local IPC */
+/*#define MASTER_XPORT_NAME_PASS	"pass"	/* local IPC */
 
  /*
   * Format of a status message sent by a child process to the process

postfix/src/master/master_wakeup.c

@@ -104,6 +104,12 @@ static void master_wakeup_timer_event(int unused_event, char *context)
 	case MASTER_SERV_TYPE_UNIX:
 	    status = LOCAL_TRIGGER(serv->name, &wakeup, sizeof(wakeup), BRIEFLY);
 	    break;
+#ifdef MASTER_SERV_TYPE_PASS
+	case MASTER_SERV_TYPE_PASS:
+	    /* Can't send data to a service that expects descriptors. */
+	    status = 0;
+	    break;
+#endif
 
 	    /*
 	     * If someone compromises the postfix account then this must not

postfix/src/master/multi_server.c

@@ -347,6 +347,45 @@ static void multi_server_accept_local(int unused_event, char *context)
     multi_server_wakeup(fd);
 }
 
+#ifdef MASTER_XPORT_NAME_PASS
+
+/* multi_server_accept_pass - accept descriptor */
+
+static void multi_server_accept_pass(int unused_event, char *context)
+{
+    int     listen_fd = CAST_CHAR_PTR_TO_INT(context);
+    int     time_left = -1;
+    int     fd;
+
+    /*
+     * Be prepared for accept() to fail because some other process already
+     * got the connection (the number of processes competing for clients is
+     * kept small, so this is not a "thundering herd" problem). If the
+     * accept() succeeds, be sure to disable non-blocking I/O, in order to
+     * minimize confusion.
+     */
+    if (client_count == 0 && var_idle_limit > 0)
+	time_left = event_cancel_timer(multi_server_timeout, (char *) 0);
+
+    if (multi_server_pre_accept)
+	multi_server_pre_accept(multi_server_name, multi_server_argv);
+    fd = PASS_ACCEPT(listen_fd);
+    if (multi_server_lock != 0
+	&& myflock(vstream_fileno(multi_server_lock), INTERNAL_LOCK,
+		   MYFLOCK_OP_NONE) < 0)
+	msg_fatal("select unlock: %m");
+    if (fd < 0) {
+	if (errno != EAGAIN)
+	    msg_fatal("accept connection: %m");
+	if (time_left >= 0)
+	    event_request_timer(multi_server_timeout, (char *) 0, time_left);
+	return;
+    }
+    multi_server_wakeup(fd);
+}
+
+#endif
+
 /* multi_server_accept_inet - accept client connection request */
 
 static void multi_server_accept_inet(int unused_event, char *context)
@@ -603,6 +642,10 @@ NORETURN multi_server_main(int argc, char **argv, MULTI_SERVER_FN service,...)
 	    multi_server_accept = multi_server_accept_inet;
 	else if (strcasecmp(transport, MASTER_XPORT_NAME_UNIX) == 0)
 	    multi_server_accept = multi_server_accept_local;
+#ifdef MASTER_XPORT_NAME_PASS
+	else if (strcasecmp(transport, MASTER_XPORT_NAME_PASS) == 0)
+	    multi_server_accept = multi_server_accept_pass;
+#endif
 	else
 	    msg_fatal("unsupported transport type: %s", transport);
     }

postfix/src/master/single_server.c

@@ -296,6 +296,44 @@ static void single_server_accept_local(int unused_event, char *context)
     single_server_wakeup(fd);
 }
 
+#ifdef MASTER_XPORT_NAME_PASS
+
+/* single_server_accept_pass - accept descriptor */
+
+static void single_server_accept_pass(int unused_event, char *context)
+{
+    int     listen_fd = CAST_CHAR_PTR_TO_INT(context);
+    int     time_left = -1;
+    int     fd;
+
+    /*
+     * Be prepared for accept() to fail because some other process already
+     * got the connection. We use select() + accept(), instead of simply
+     * blocking in accept(), because we must be able to detect that the
+     * master process has gone away unexpectedly.
+     */
+    if (var_idle_limit > 0)
+	time_left = event_cancel_timer(single_server_timeout, (char *) 0);
+
+    if (single_server_pre_accept)
+	single_server_pre_accept(single_server_name, single_server_argv);
+    fd = PASS_ACCEPT(listen_fd);
+    if (single_server_lock != 0
+	&& myflock(vstream_fileno(single_server_lock), INTERNAL_LOCK,
+		   MYFLOCK_OP_NONE) < 0)
+	msg_fatal("select unlock: %m");
+    if (fd < 0) {
+	if (errno != EAGAIN)
+	    msg_fatal("accept connection: %m");
+	if (time_left >= 0)
+	    event_request_timer(single_server_timeout, (char *) 0, time_left);
+	return;
+    }
+    single_server_wakeup(fd);
+}
+
+#endif
+
 /* single_server_accept_inet - accept client connection request */
 
 static void single_server_accept_inet(int unused_event, char *context)
@@ -546,6 +584,10 @@ NORETURN single_server_main(int argc, char **argv, SINGLE_SERVER_FN service,...)
 	    single_server_accept = single_server_accept_inet;
 	else if (strcasecmp(transport, MASTER_XPORT_NAME_UNIX) == 0)
 	    single_server_accept = single_server_accept_local;
+#ifdef MASTER_XPORT_NAME_PASS
+	else if (strcasecmp(transport, MASTER_XPORT_NAME_PASS) == 0)
+	    single_server_accept = single_server_accept_pass;
+#endif
 	else
 	    msg_fatal("unsupported transport type: %s", transport);
     }

postfix/src/master/trigger_server.c

@@ -324,6 +324,54 @@ static void trigger_server_accept_local(int unused_event, char *context)
     close(fd);
 }
 
+#ifdef MASTER_XPORT_NAME_PASS
+
+/* trigger_server_accept_pass - accept descriptor */
+
+static void trigger_server_accept_pass(int unused_event, char *context)
+{
+    char   *myname = "trigger_server_accept_pass";
+    int     listen_fd = CAST_CHAR_PTR_TO_INT(context);
+    int     time_left = 0;
+    int     fd;
+
+    if (msg_verbose)
+	msg_info("%s: trigger arrived", myname);
+
+    /*
+     * Read a message from a socket. Be prepared for accept() to fail because
+     * some other process already got the connection. The socket is
+     * non-blocking so we won't get stuck when multiple processes wake up.
+     * Don't get stuck when the client connects but sends no data. Restart
+     * the idle timer if this was a false alarm.
+     */
+    if (var_idle_limit > 0)
+	time_left = event_cancel_timer(trigger_server_timeout, (char *) 0);
+
+    if (trigger_server_pre_accept)
+	trigger_server_pre_accept(trigger_server_name, trigger_server_argv);
+    fd = PASS_ACCEPT(listen_fd);
+    if (trigger_server_lock != 0
+	&& myflock(vstream_fileno(trigger_server_lock), INTERNAL_LOCK,
+		   MYFLOCK_OP_NONE) < 0)
+	msg_fatal("select unlock: %m");
+    if (fd < 0) {
+	if (errno != EAGAIN)
+	    msg_fatal("accept connection: %m");
+	if (time_left >= 0)
+	    event_request_timer(trigger_server_timeout, (char *) 0, time_left);
+	return;
+    }
+    close_on_exec(fd, CLOSE_ON_EXEC);
+    if (read_wait(fd, 10) == 0)
+	trigger_server_wakeup(fd);
+    else if (time_left >= 0)
+	event_request_timer(trigger_server_timeout, (char *) 0, time_left);
+    close(fd);
+}
+
+#endif
+
 /* trigger_server_main - the real main program */
 
 NORETURN trigger_server_main(int argc, char **argv, TRIGGER_SERVER_FN service,...)
@@ -556,6 +604,10 @@ NORETURN trigger_server_main(int argc, char **argv, TRIGGER_SERVER_FN service,..
 	    trigger_server_accept = trigger_server_accept_local;
 	else if (strcasecmp(transport, MASTER_XPORT_NAME_FIFO) == 0)
 	    trigger_server_accept = trigger_server_accept_fifo;
+#ifdef MASTER_XPORT_NAME_PASS
+	else if (strcasecmp(transport, MASTER_XPORT_NAME_PASS) == 0)
+	    trigger_server_accept = trigger_server_accept_pass;
+#endif
 	else
 	    msg_fatal("unsupported transport type: %s", transport);
     }

postfix/src/oqmgr/qmgr.c

@@ -492,10 +492,15 @@ static void qmgr_post_init(char *unused_name, char **unused_argv)
      * Sanity check.
      */
     if (var_qmgr_rcpt_limit < var_qmgr_active_limit) {
-	msg_warn("%s is smaller than %s",
+	msg_warn("%s is smaller than %s - adjusting %s",
-		 VAR_QMGR_RCPT_LIMIT, VAR_QMGR_ACT_LIMIT);
+	      VAR_QMGR_RCPT_LIMIT, VAR_QMGR_ACT_LIMIT, VAR_QMGR_RCPT_LIMIT);
 	var_qmgr_rcpt_limit = var_qmgr_active_limit;
     }
+    if (var_dsn_queue_time > var_max_queue_time) {
+	msg_warn("%s is larger than %s - adjusting %s",
+		 VAR_DSN_QUEUE_TIME, VAR_MAX_QUEUE_TIME, VAR_DSN_QUEUE_TIME);
+	var_dsn_queue_time = var_max_queue_time;
+    }
 
     /*
      * This routine runs after the skeleton code has entered the chroot jail.

postfix/src/qmgr/qmgr.c

@@ -546,10 +546,15 @@ static void qmgr_post_init(char *name, char **unused_argv)
      * Sanity check.
      */
     if (var_qmgr_rcpt_limit < var_qmgr_active_limit) {
-	msg_warn("%s is smaller than %s",
+	msg_warn("%s is smaller than %s - adjusting %s",
-		 VAR_QMGR_RCPT_LIMIT, VAR_QMGR_ACT_LIMIT);
+	      VAR_QMGR_RCPT_LIMIT, VAR_QMGR_ACT_LIMIT, VAR_QMGR_RCPT_LIMIT);
 	var_qmgr_rcpt_limit = var_qmgr_active_limit;
     }
+    if (var_dsn_queue_time > var_max_queue_time) {
+	msg_warn("%s is larger than %s - adjusting %s",
+		 VAR_DSN_QUEUE_TIME, VAR_MAX_QUEUE_TIME, VAR_DSN_QUEUE_TIME);
+	var_dsn_queue_time = var_max_queue_time;
+    }
 
     /*
      * This routine runs after the skeleton code has entered the chroot jail.

postfix/src/smtpd/smtpd_check.c

@@ -1285,7 +1285,8 @@ static int reject_unauth_pipelining(SMTPD_STATE *state,
 
     if (state->client != 0
 	&& SMTPD_STAND_ALONE(state) == 0
-	&& vstream_peek(state->client) > 0
+	&& (vstream_peek(state->client) > 0
+	    || peekfd(vstream_fileno(state->client)) > 0)
 	&& (strcasecmp(state->protocol, MAIL_PROTO_ESMTP) != 0
 	    || strcasecmp(state->where, "DATA") == 0)) {
 	return (smtpd_check_reject(state, MAIL_ERROR_PROTOCOL,
@@ -3146,10 +3147,12 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
 	} else if (strcasecmp(name, REJECT_UNAUTH_PIPE) == 0) {
 	    status = reject_unauth_pipelining(state, reply_name, reply_class);
 	} else if (strcasecmp(name, CHECK_POLICY_SERVICE) == 0) {
-	    if (cpp[1] == 0)
+	    if (cpp[1] == 0 || strchr(cpp[1], ':') == 0) {
 		msg_warn("restriction %s must be followed by transport:server",
 			 CHECK_POLICY_SERVICE);
-	    else
+		longjmp(smtpd_check_buf, smtpd_check_reject(state,
+		    MAIL_ERROR_SOFTWARE, "451 Server configuration error"));
+	    } else
 		status = check_policy_service(state, *++cpp, reply_name,
 					      reply_class, def_acl);
 	} else if (strcasecmp(name, DEFER_IF_PERMIT) == 0) {
@@ -3160,6 +3163,13 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
 	    DEFER_IF_REJECT2(state, MAIL_ERROR_POLICY,
 			 "450 <%s>: %s rejected: defer_if_reject requested",
 			     reply_name, reply_class);
+	} else if (strcasecmp(name, SLEEP) == 0) {
+	    if (cpp[1] == 0 || alldig(cpp[1]) == 0) {
+		msg_warn("restriction %s must be followed by number", SLEEP);
+		longjmp(smtpd_check_buf, smtpd_check_reject(state,
+		    MAIL_ERROR_SOFTWARE, "451 Server configuration error"));
+	    } else
+		sleep(atoi(*++cpp));
 	}
 
 	/*

postfix/src/trivial-rewrite/trivial-rewrite.c

@@ -333,6 +333,9 @@ RES_CONTEXT resolve_verify = {
 static void rewrite_service(VSTREAM *stream, char *unused_service, char **argv)
 {
     int     status = -1;
+    static time_t last;
+    time_t  now = event_time();
+    const char *table;
 
     /*
      * Sanity check. This service takes no command-line arguments.
@@ -340,6 +343,17 @@ static void rewrite_service(VSTREAM *stream, char *unused_service, char **argv)
     if (argv[0])
 	msg_fatal("unexpected command-line argument: %s", argv[0]);
 
+    /*
+     * Connections are persistent. Be sure to refesh timely.
+     */
+    if (now - last > 10) {
+	if ((table = dict_changed_name()) != 0) {
+	    msg_info("table %s has changed -- restarting", table);
+	    exit(0);
+	}
+	last = now;
+    }
+
     /*
      * This routine runs whenever a client connects to the UNIX-domain socket
      * dedicated to address rewriting. All connection-management stuff is
@@ -362,18 +376,6 @@ static void rewrite_service(VSTREAM *stream, char *unused_service, char **argv)
 	multi_server_disconnect(stream);
 }
 
-/* pre_accept - see if tables have changed */
-
-static void pre_accept(char *unused_name, char **unused_argv)
-{
-    const char *table;
-
-    if ((table = dict_changed_name()) != 0) {
-	msg_info("table %s has changed -- restarting", table);
-	exit(0);
-    }
-}
-
 /* pre_jail_init - initialize before entering chroot jail */
 
 static void pre_jail_init(char *unused_name, char **unused_argv)
@@ -442,6 +444,5 @@ int     main(int argc, char **argv)
 		      MAIL_SERVER_BOOL_TABLE, bool_table,
 		      MAIL_SERVER_PRE_INIT, pre_jail_init,
 		      MAIL_SERVER_POST_INIT, post_jail_init,
-		      MAIL_SERVER_PRE_ACCEPT, pre_accept,
 		      0);
 }

postfix/src/util/listen.h

@@ -24,9 +24,12 @@ extern int inet_listen(const char *, int, int);
 extern int fifo_listen(const char *, int, int);
 extern int stream_listen(const char *, int, int);
 
+#define upass_listen(path, mode, log) fifo_listen((path), (mode), (log))
+
 extern int inet_accept(int);
 extern int unix_accept(int);
 extern int stream_accept(int);
+extern int upass_accept(int);
 
 /* LICENSE
 /* .ad

postfix/src/util/name_mask.c

@@ -87,8 +87,8 @@
 #include <sys_defs.h>
 #include <string.h>
 
-#ifdef STRCASECMP_IN_STRING_H
+#ifdef STRCASECMP_IN_STRINGS_H
-#include <string.h>
+#include <strings.h>
 #endif
 
 /* Utility library. */

postfix/src/util/upass_listen.c

@@ -0,0 +1,192 @@
+/*++
+/* NAME
+/*	upass_listen 3
+/* SUMMARY
+/*	start UNIX-domain file descriptor listener
+/* SYNOPSIS
+/*	#include <listen.h>
+/*
+/*	int	upass_listen(path, backlog, block_mode)
+/*	const char *path;
+/*	int	backlog;
+/*	int	block_mode;
+/*
+/*	int	upass_accept(fd)
+/*	int	fd;
+/* DESCRIPTION
+/*	This module implements a listener that receives one file descriptor
+/*	across each UNIX-domain connection that is made to it.
+/*
+/*	upass_listen() creates a listener endpoint with the specified
+/*	permissions, and returns a file descriptor to be used for accepting
+/*	descriptors.
+/*
+/*	upass_accept() accepts a descriptor.
+/*
+/*	Arguments:
+/* .IP path
+/*	Null-terminated string with connection destination.
+/* .IP backlog
+/*	This argument exists for compatibility and is ignored.
+/* .IP block_mode
+/*	Either NON_BLOCKING or BLOCKING. This does not affect the
+/*	mode of accepted connections.
+/* .IP fd
+/*	File descriptor returned by upass_listen().
+/* DIAGNOSTICS
+/*	Fatal errors: upass_listen() aborts upon any system call failure.
+/*	upass_accept() leaves all error handling up to the caller.
+/* LICENSE
+/* .ad
+/* .fi
+/*	The Secure Mailer license must be distributed with this software.
+/* AUTHOR(S)
+/*	Wietse Venema
+/*	IBM T.J. Watson Research
+/*	P.O. Box 704
+/*	Yorktown Heights, NY 10598, USA
+/*--*/
+
+/* System library. */
+
+#include <sys_defs.h>
+#include <sys/socket.h>
+#include <errno.h>
+#include <unistd.h>
+
+/* Utility library. */
+
+#include <msg.h>
+#include <sane_accept.h>
+#include <listen.h>
+
+/* upass_accept - accept descriptor */
+
+int     upass_accept(int listen_fd)
+{
+    const char *myname = "upass_accept";
+    int     accept_fd;
+    int     recv_fd;
+
+    accept_fd = sane_accept(listen_fd, (struct sockaddr *) 0, (int *) 0);
+    if (accept_fd < 0) {
+	if (errno != EAGAIN)
+	    msg_warn("%s: accept connection: %m", myname);
+	return (-1);
+    } else {
+	if ((recv_fd = unix_recv_fd(accept_fd)) < 0)
+	    msg_warn("%s: cannot receive file descriptor: %m", myname);
+	if (close(accept_fd) < 0)
+	    msg_warn("%s: close: %m", myname);
+	return (recv_fd);
+    }
+}
+
+#if 0
+
+/* System library. */
+
+#include <sys_defs.h>
+
+/* Utility library. */
+
+#include <msg.h>
+#include <events.h>
+#include <sane_accept.h>
+#include <iostuff.h>
+#include <listen.h>
+
+ /*
+  * It would be nice if a client could make one UNIX-domain connection to a
+  * Postfix master service, send multiple descriptors, and have each
+  * descriptor handled by the first available child process.
+  * 
+  * Possible solutions:
+  * 
+  * - Either the master process accepts the UNIX-domain connection and forwards
+  * each descriptor sent by the client to the first available child process.
+  * That's what the code below does. Unfortunately, this approach is
+  * inconsistent with the Postfix architecture which tries to eliminate the
+  * master from connection management as much as possible.
+  * 
+  * - Or one child processes accepts the UNIX-domain connection and sends a
+  * shared socketpair half to the client. The other socketpair half is shared
+  * with the master and all the child's siblings. The client then sends its
+  * descriptors over the socketpair, and each descriptor is available to any
+  * child process that is waiting for work.
+  * 
+  * If the second solution did not use a shared socketpair, then all the
+  * client's descriptors would be available only to the child process that
+  * accepted the UNIX-domain connection. That results in poor performance.
+  * 
+  * Unfortunately, having to receive a descriptor before being able to send one
+  * or more descriptors is ugly from the client's point of view.
+  */
+
+#define upass_accept(fd)	unix_recv_fd(fd)
+
+/* upass_plumbing - operate the hidden descriptor passing machinery */
+
+static void upass_plumbing(int unused_event, char *context)
+{
+    const char *myname = "upass_plumbing";
+    UPASS_INFO *info = (UNIX_UPASS_INFO *) context;
+    int     fd;
+
+    /*
+     * Each time a client connects to the hidden UNIX-domain socket, call
+     * unix_send_fd() to send one half of the hidden socketpair across a
+     * short-lived UNIX-domain connection. Wait until the client closes the
+     * UNIX-domain connection before closing the connection. This wait needs
+     * to be time limited.
+     */
+    fd = sane_accept(info->unixsock, (struct sockaddr *) 0, (int *) 0);
+    if (fd < 0) {
+	if (errno != EAGAIN)
+	    msg_fatal("%s: accept connection: %m", myname);
+    } else {
+	if (unix_send_fd(fd, info->halfpair) < 0)
+	    msg_warn("%s: cannot send file descriptor: %m", myname);
+	if (read_wait(fd, 5) < 0)
+	    msg_warn("%s: read timeout", myname);
+	if (close(fd) < 0)
+	    msg_warn("%s: close: %m", myname);
+    }
+}
+
+/* upass_listen - set up hidden descriptor passing machinery */
+
+int     upass_listen(const char *path, int backlog, int blocking, UPASS_INFO **ip)
+{
+    int     pair[2];
+    UPASS_INFO *info;
+
+    /*
+     * Create a UNIX-domain socket with unix_listen() and create a
+     * socketpair. One socketpair half is returned to the caller. The other
+     * half is part of the hidden machinery, together with the UNIX-domain
+     * socket.
+     */
+    if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds) < 0)
+	msg_fatal("socketpair: %m");
+    info = (UPASS_INFO *) mymalloc(sizeof(*info));
+    info->halfpair = pair[0];
+    info->unixsock = unix_listen(path, backlog, blocking);
+    event_request_read(info->unixsock, upass_plumbing, (char *) info);
+    *ip = info;
+    return (pair[1]);
+}
+
+/* upass_shutdown - tear down hidden descriptor passing machinery */
+
+void    upass_shutdown(UPASS_INFO *info)
+{
+    event_disable_readwrite(upass_info->unixsock)
+    if (close(info->unixsock) < 0)
+	msg_warn("%s: close unixsock: %m", myname);
+    if (close(info->halfpair) < 0)
+	msg_warn("%s: close halfpair: %m", myname);
+    myfree((char *) info);
+}
+
+#endif

postfix/src/util/valid_hostname.c

@@ -317,8 +317,8 @@ int     valid_ipv6_hostaddr(const char *addr, int gripe)
 	    break;
 	default:
 	    /* Advance by at least 1 character position or terminate. */
-	    len = strspn(cp, "0123456789abcdefABCDEF");
+	    len = strspn((char *) cp, "0123456789abcdefABCDEF");
-	    if (len /* - strspn(cp, "0") */ > 4) {
+	    if (len /* - strspn((char *) cp, "0") */ > 4) {
 		if (gripe)
 		    msg_warn("%s: malformed IPv6 address: %.100s",
 			     myname, addr);

postfix/src/virtual/virtual.c

@@ -109,6 +109,15 @@
 /*	The virtual delivery agent is not security sensitive, provided
 /*	that the lookup tables with recipient user/group ID information are
 /*	adequately protected. This program is not designed to run chrooted.
+/*
+/*	The virtual delivery agent disallows regular expression
+/*	substitution of $1 etc. in regular expression lookup tables,
+/*	because that would open a security hole.
+/*
+/*	The virtual delivery agent will silently ignore requests
+/*	to use the proxymap(8) server. Instead it will open the
+/*	table directly. Before Postfix version 2.2, the virtual
+/*	delivery agent will terminate with a fatal error.
 /* STANDARDS
 /*	RFC 822 (ARPA Internet Text Messages)
 /* DIAGNOSTICS