postfix-2.8.2-RC1

postfix/HISTORY

@@ -16538,3 +16538,34 @@ Apologies for any names omitted.
 	Cleanup: don't log a "connection reset by peer" warning
 	when postscreen(8) tries to send a server response.  File:
 	postscreen/postscreen_send.c.
+
+20110225
+
+	Workaround (problem introduced with IPv6 support in Postfix
+	2.2): the SMTP client did not support mail to [ipv6:ipv6addr].
+	Fix based on a patch by Gurusamy Sarathy (Sophos).  File:
+	util/host_port.c and regression test files.
+
+20110227
+
+	Portability: FreeBSD closefrom() support time window. Sahil
+	Tandon.  File: util/sys_defs.h.
+
+20110313
+
+	Bugfix (introduced Postfix 2.8): postscreen DNSBL scoring
+	error. When a client disconnected and then reconnected
+	before all DNSBL results for the earlier session arrived,
+	DNSBL results for the earlier session would be added to the
+	score for the later session. Problem report by Larry Vaden.
+	Files: dnsblog/dnsblog.c, postscreen/postscreen_dnsbl.c.
+
+	Cleanup: protocol description in dnsblog(8) manpage. File:
+	dnsblog/dnsblog.c.
+
+20110314
+
+	Portability: the SUN compiler had trouble with a pointer
+	expression of the form ``("text1" "text2") + constant'' so
+	we don't try to be so clever. Fix by Victor Duchovni.  File:
+	global/mail_params.h.

postfix/RELEASE_NOTES

@@ -11,6 +11,16 @@ instead, a new snapshot is released.
 The mail_release_date configuration parameter (format: yyyymmdd)
 specifies the release date of a stable release or snapshot release.
 
+Incompatible changes with Postfix 2.8.2
+---------------------------------------
+
+Use "postfix reload" after "make upgrade" on a running Postfix
+system. This is needed because the protocol between postscreen(8)
+and dnsblog(8) has changed.
+
+Postfix 2.8.0 release notes
+---------------------------
+
 If you upgrade from Postfix 2.6 or earlier, read RELEASE_NOTES-2.7
 before proceeding.
 

postfix/html/dnsblog.8.html

@@ -20,35 +20,36 @@ DNSBLOG(8)                                                          DNSBLOG(8)
 
 <b>PROTOCOL</b>
        With each connection, the <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a> server receives a DNS
-       white/blacklist  domain  name  and  an  IP address. If the
-       address is listed under the DNS white/blacklist, the  <b>dns-</b>
-       <b>blog</b>(8)  server  logs the match and replies with the query
-       arguments plus a non-zero status.   Otherwise  it  replies
-       with the query arguments plus a zero status.  Finally, The
-       <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a> server closes the connection.
+       white/blacklist  domain  name,  IP address, and an ID.  If
+       the address is listed under the DNS  white/blacklist,  the
+       <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a>  server  logs  the  match  and replies with the
+       query arguments plus an address list with the resulting IP
+       addresses  separated  by whitespace.  Otherwise it replies
+       with the query  arguments  plus  an  empty  address  list.
+       Finally, The <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a> server closes the connection.
 
 <b>DIAGNOSTICS</b>
        Problems and transactions are logged to <b>syslogd</b>(8).
 
 <b>CONFIGURATION PARAMETERS</b>
-       Changes to <a href="postconf.5.html"><b>main.cf</b></a> are picked up  automatically,  as  <b>dns-</b>
-       <b>blog</b>(8)  processes  run for only a limited amount of time.
+       Changes  to  <a href="postconf.5.html"><b>main.cf</b></a>  are picked up automatically, as <b>dns-</b>
+       <b>blog</b>(8) processes run for only a limited amount  of  time.
        Use the command "<b>postfix reload</b>" to speed up a change.
 
-       The text below provides  only  a  parameter  summary.  See
+       The  text  below  provides  only  a parameter summary. See
        <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples.
 
        <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
-              The  default  location  of  the Postfix <a href="postconf.5.html">main.cf</a> and
+              The default location of  the  Postfix  <a href="postconf.5.html">main.cf</a>  and
               <a href="master.5.html">master.cf</a> configuration files.
 
        <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
-              How much time a Postfix daemon process may take  to
-              handle  a  request  before  it  is  terminated by a
+              How  much time a Postfix daemon process may take to
+              handle a request  before  it  is  terminated  by  a
               built-in watchdog timer.
 
        <b><a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> (empty)</b>
-              Optional list of DNS white/blacklist domains,  fil-
+              Optional  list of DNS white/blacklist domains, fil-
               ters and weight factors.
 
        <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
@@ -56,23 +57,23 @@ DNSBLOG(8)                                                          DNSBLOG(8)
               over an internal communication channel.
 
        <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
-              The process ID  of  a  Postfix  command  or  daemon
+              The  process  ID  of  a  Postfix  command or daemon
               process.
 
        <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
-              The  process  name  of  a Postfix command or daemon
+              The process name of a  Postfix  command  or  daemon
               process.
 
        <b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
-              The location of the Postfix top-level queue  direc-
+              The  location of the Postfix top-level queue direc-
               tory.
 
        <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
               The syslog facility of Postfix logging.
 
        <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
-              The  mail  system  name  that  is  prepended to the
-              process name in syslog  records,  so  that  "smtpd"
+              The mail system  name  that  is  prepended  to  the
+              process  name  in  syslog  records, so that "smtpd"
               becomes, for example, "postfix/smtpd".
 
 <b>SEE ALSO</b>
@@ -81,7 +82,7 @@ DNSBLOG(8)                                                          DNSBLOG(8)
        syslogd(5), system logging
 
 <b>LICENSE</b>
-       The  Secure  Mailer  license must be distributed with this
+       The Secure Mailer license must be  distributed  with  this
        software.
 
 <b>HISTORY</b>

postfix/makedefs

@@ -228,6 +228,12 @@ case "$SYSTEM.$RELEASE" in
 		done
 		;;
        AIX.*)	case "`uname -v`" in
+		6)	SYSTYPE=AIX6
+			case "$CC" in
+			cc|*/cc|xlc|*/xlc) CCARGS="$CCARGS -w -blibpath:/usr/lib:/lib:/usr/local/lib";;
+			esac
+			CCARGS="$CCARGS -D_ALL_SOURCE -DHAS_POSIX_REGEXP"
+			;;
 		5)	SYSTYPE=AIX5
 			case "$CC" in
 			cc|*/cc|xlc|*/xlc) CCARGS="$CCARGS -w -blibpath:/usr/lib:/lib:/usr/local/lib";;

postfix/man/man8/dnsblog.8

@@ -22,12 +22,13 @@ replaced by an UDP client that is built directly into the
 .ad
 .fi
 With each connection, the \fBdnsblog\fR(8) server receives
-a DNS white/blacklist domain name and an IP address. If the
-address is listed under the DNS white/blacklist, the
+a DNS white/blacklist domain name, IP address, and an ID.
+If the address is listed under the DNS white/blacklist, the
 \fBdnsblog\fR(8) server logs the match and replies with the
-query arguments plus a non-zero status.  Otherwise it replies
-with the query arguments plus a zero status.  Finally, The
-\fBdnsblog\fR(8) server closes the connection.
+query arguments plus an address list with the resulting IP
+addresses separated by whitespace.  Otherwise it replies
+with the query arguments plus an empty address list.  Finally,
+The \fBdnsblog\fR(8) server closes the connection.
 .SH DIAGNOSTICS
 .ad
 .fi

postfix/src/dnsblog/dnsblog.c

@@ -14,12 +14,13 @@
 /* .ad
 /* .fi
 /*	With each connection, the \fBdnsblog\fR(8) server receives
-/*	a DNS white/blacklist domain name and an IP address. If the
-/*	address is listed under the DNS white/blacklist, the
+/*	a DNS white/blacklist domain name, IP address, and an ID.
+/*	If the address is listed under the DNS white/blacklist, the
 /*	\fBdnsblog\fR(8) server logs the match and replies with the
-/*	query arguments plus a non-zero status.  Otherwise it replies
-/*	with the query arguments plus a zero status.  Finally, The
-/*	\fBdnsblog\fR(8) server closes the connection.
+/*	query arguments plus an address list with the resulting IP
+/*	addresses separated by whitespace.  Otherwise it replies
+/*	with the query arguments plus an empty address list.  Finally,
+/*	The \fBdnsblog\fR(8) server closes the connection.
 /* DIAGNOSTICS
 /*	Problems and transactions are logged to \fBsyslogd\fR(8).
 /* CONFIGURATION PARAMETERS
@@ -215,6 +216,7 @@ static VSTRING *dnsblog_query(VSTRING *result, const char *dnsbl_domain,
 static void dnsblog_service(VSTREAM *client_stream, char *unused_service,
 			            char **argv)
 {
+    int     request_id;
 
     /*
      * Sanity check. This service takes no command-line arguments.
@@ -231,13 +233,15 @@ static void dnsblog_service(VSTREAM *client_stream, char *unused_service,
 		  ATTR_FLAG_MORE | ATTR_FLAG_STRICT,
 		  ATTR_TYPE_STR, MAIL_ATTR_RBL_DOMAIN, rbl_domain,
 		  ATTR_TYPE_STR, MAIL_ATTR_ACT_CLIENT_ADDR, addr,
-		  ATTR_TYPE_END) == 2) {
+		  ATTR_TYPE_INT, MAIL_ATTR_LABEL, &request_id,
+		  ATTR_TYPE_END) == 3) {
 	(void) dnsblog_query(result, STR(rbl_domain), STR(addr));
 	if (var_dnsblog_delay > 0)
 	    sleep(var_dnsblog_delay);
 	attr_print(client_stream, ATTR_FLAG_NONE,
 		   ATTR_TYPE_STR, MAIL_ATTR_RBL_DOMAIN, STR(rbl_domain),
 		   ATTR_TYPE_STR, MAIL_ATTR_ACT_CLIENT_ADDR, STR(addr),
+		   ATTR_TYPE_INT, MAIL_ATTR_LABEL, request_id,
 		   ATTR_TYPE_STR, MAIL_ATTR_RBL_ADDR, STR(result),
 		   ATTR_TYPE_END);
 	vstream_fflush(client_stream);

postfix/src/global/mail_params.h

@@ -2988,33 +2988,20 @@ extern char *var_tls_eecdh_ultra;
 #define DEF_TLS_PREEMPT_CLIST	0
 extern bool var_tls_preempt_clist;
 
-#ifdef USE_TLS
-
- /*
-  * The tweak for CVE-2005-2969 is needed in some versions prior to 1.0.0
-  */
+ /* The tweak for CVE-2010-4180 is needed in some versions prior to 1.0.1 */
+ /* The tweak for CVE-2005-2969 is needed in some versions prior to 1.0.0 */
+#if defined(USE_TLS) && (OPENSSL_VERSION_NUMBER < 0x1000100fL)
 #if (OPENSSL_VERSION_NUMBER < 0x1000000fL)
-#define TLS_BUG_TWEAK_A	" CVE-2005-2969"
+#define TLS_BUG_TWEAKS		"CVE-2005-2969 CVE-2010-4180"
 #else
-#define TLS_BUG_TWEAK_A ""
+#define TLS_BUG_TWEAKS		"CVE-2010-4180"
 #endif
-
- /*
-  * The tweak for CVE-2010-4180 is needed in some versions prior to 1.0.1
-  */
-#if (OPENSSL_VERSION_NUMBER < 0x1000100fL)
-#define TLS_BUG_TWEAK_B	" CVE-2010-4180"
 #else
-#define TLS_BUG_TWEAK_B	" "
+#define TLS_BUG_TWEAKS		""
 #endif
 
-#else /* USE_TLS */
-#define TLS_BUG_TWEAK_A	""
-#define TLS_BUG_TWEAK_B	" "
-#endif /* USE_TLS */
-
 #define VAR_TLS_BUG_TWEAKS	"tls_disable_workarounds"
-#define DEF_TLS_BUG_TWEAKS	((TLS_BUG_TWEAK_A TLS_BUG_TWEAK_B)+1)
+#define DEF_TLS_BUG_TWEAKS	TLS_BUG_TWEAKS
 extern char *var_tls_bug_tweaks;
 
  /*

postfix/src/global/mail_version.h

@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20110222"
-#define MAIL_VERSION_NUMBER	"2.8.1"
+#define MAIL_RELEASE_DATE	"20110316"
+#define MAIL_VERSION_NUMBER	"2.8.2-RC1"
 
 #ifdef SNAPSHOT
 # define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE

postfix/src/postscreen/postscreen_dnsbl.c

@@ -143,6 +143,7 @@ typedef struct {
     int     total;			/* combined blocklist score */
     int     refcount;			/* score reference count */
     int     pending_lookups;		/* nr of DNS requests in flight */
+    int     request_id;			/* duplicate suppression */
     /* Call-back table support. */
     int     index;			/* next table index */
     int     limit;			/* last valid index */
@@ -344,6 +345,7 @@ static void psc_dnsbl_receive(int event, char *context)
     PSC_DNSBL_HEAD *head;
     PSC_DNSBL_SITE *site;
     ARGV   *reply_argv;
+    int     request_id;
 
     PSC_CLEAR_EVENT_REQUEST(vstream_fileno(stream), psc_dnsbl_receive, context);
 
@@ -367,10 +369,12 @@ static void psc_dnsbl_receive(int event, char *context)
 		     ATTR_FLAG_STRICT,
 		     ATTR_TYPE_STR, MAIL_ATTR_RBL_DOMAIN, reply_dnsbl,
 		     ATTR_TYPE_STR, MAIL_ATTR_ACT_CLIENT_ADDR, reply_client,
+		     ATTR_TYPE_INT, MAIL_ATTR_LABEL, &request_id,
 		     ATTR_TYPE_STR, MAIL_ATTR_RBL_ADDR, reply_addr,
-		     ATTR_TYPE_END) == 3
+		     ATTR_TYPE_END) == 4
 	&& (score = (PSC_DNSBL_SCORE *)
-	    htable_find(dnsbl_score_cache, STR(reply_client))) != 0) {
+	    htable_find(dnsbl_score_cache, STR(reply_client))) != 0
+	&& score->request_id == request_id) {
 
 	/*
 	 * Run this response past all applicable DNSBL filters and update the
@@ -429,6 +433,7 @@ int     psc_dnsbl_request(const char *client_addr,
     HTABLE_INFO **ht;
     PSC_DNSBL_SCORE *score;
     HTABLE_INFO *hash_node;
+    static int request_count;
 
     /*
      * Some spambots make several connections at nearly the same time,
@@ -468,6 +473,7 @@ int     psc_dnsbl_request(const char *client_addr,
     if (msg_verbose > 1)
 	msg_info("%s: create blocklist score for %s", myname, client_addr);
     score = (PSC_DNSBL_SCORE *) mymalloc(sizeof(*score));
+    score->request_id = request_count++;
     score->dnsbl = 0;
     score->total = 0;
     score->refcount = 1;
@@ -492,6 +498,7 @@ int     psc_dnsbl_request(const char *client_addr,
 	attr_print(stream, ATTR_FLAG_NONE,
 		   ATTR_TYPE_STR, MAIL_ATTR_RBL_DOMAIN, ht[0]->key,
 		   ATTR_TYPE_STR, MAIL_ATTR_ACT_CLIENT_ADDR, client_addr,
+		   ATTR_TYPE_INT, MAIL_ATTR_LABEL, score->request_id,
 		   ATTR_TYPE_END);
 	if (vstream_fflush(stream) != 0) {
 	    msg_warn("%s: error sending to %s service: %m",

postfix/src/util/host_port.c

@@ -95,22 +95,41 @@
 
 #include <host_port.h>
 
+ /*
+  * Point-fix workaround. The libutil library should be email agnostic, but
+  * we can't rip up the library APIs in the stable releases.
+  */
+#include <string.h>
+#ifdef STRCASECMP_IN_STRINGS_H
+#include <strings.h>
+#endif
+#define IPV6_COL           "IPv6:"	/* RFC 2821 */
+#define IPV6_COL_LEN       (sizeof(IPV6_COL) - 1)
+#define HAS_IPV6_COL(str)  (strncasecmp((str), IPV6_COL, IPV6_COL_LEN) == 0)
+
 /* host_port - parse string into host and port, destroy string */
 
 const char *host_port(char *buf, char **host, char *def_host,
 		              char **port, char *def_service)
 {
     char   *cp = buf;
+    int     ipv6 = 0;
 
     /*
      * [host]:port, [host]:, [host].
+     * [ipv6:ipv6addr]:port, [ipv6:ipv6addr]:, [ipv6:ipv6addr].
      */
     if (*cp == '[') {
-	*host = ++cp;
+	++cp;
+	if ((ipv6 = HAS_IPV6_COL(cp)) != 0)
+	    cp += IPV6_COL_LEN;
+	*host = cp;
 	if ((cp = split_at(cp, ']')) == 0)
 	    return ("missing \"]\"");
 	if (*cp && *cp++ != ':')
 	    return ("garbage after \"]\"");
+	if (ipv6 && !valid_ipv6_hostaddr(*host, DONT_GRIPE))
+	    return ("malformed IPv6 address");
 	*port = *cp ? cp : def_service;
     }
 

postfix/src/util/sys_defs.h

@@ -111,7 +111,8 @@
 #define HAS_DUPLEX_PIPE			/* 4.1 breaks with kqueue(2) */
 #endif
 
-#if __FreeBSD_version >= 800107		/* safe; don't believe the experts */
+#if (__FreeBSD_version >= 702104 && __FreeBSD_version <= 800000) \
+    || __FreeBSD_version >= 800100
 #define HAS_CLOSEFROM
 #endif
 
@@ -517,7 +518,7 @@ extern int opterr;
   * AIX: a SYSV-flavored hybrid. NB: fcntl() and flock() access the same
   * underlying locking primitives.
   */
-#ifdef AIX5
+#if defined(AIX5) || defined(AIX6)
 #define SUPPORTED
 #include <sys/types.h>
 #define UINT32_TYPE	unsigned int