diff --git a/postfix/HISTORY b/postfix/HISTORY index 1446077a5..b49a74955 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -16538,3 +16538,34 @@ Apologies for any names omitted. Cleanup: don't log a "connection reset by peer" warning when postscreen(8) tries to send a server response. File: postscreen/postscreen_send.c. + +20110225 + + Workaround (problem introduced with IPv6 support in Postfix + 2.2): the SMTP client did not support mail to [ipv6:ipv6addr]. + Fix based on a patch by Gurusamy Sarathy (Sophos). File: + util/host_port.c and regression test files. + +20110227 + + Portability: FreeBSD closefrom() support time window. Sahil + Tandon. File: util/sys_defs.h. + +20110313 + + Bugfix (introduced Postfix 2.8): postscreen DNSBL scoring + error. When a client disconnected and then reconnected + before all DNSBL results for the earlier session arrived, + DNSBL results for the earlier session would be added to the + score for the later session. Problem report by Larry Vaden. + Files: dnsblog/dnsblog.c, postscreen/postscreen_dnsbl.c. + + Cleanup: protocol description in dnsblog(8) manpage. File: + dnsblog/dnsblog.c. + +20110314 + + Portability: the SUN compiler had trouble with a pointer + expression of the form ``("text1" "text2") + constant'' so + we don't try to be so clever. Fix by Victor Duchovni. File: + global/mail_params.h. diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index 622577fbf..2ac9555f4 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES 
@@ -11,6 +11,16 @@ instead, a new snapshot is released. The mail_release_date configuration parameter (format: yyyymmdd) specifies the release date of a stable release or snapshot release. +Incompatible changes with Postfix 2.8.2 +--------------------------------------- + +Use "postfix reload" after "make upgrade" on a running Postfix +system. This is needed because the protocol between postscreen(8) +and dnsblog(8) has changed. + +Postfix 2.8.0 release notes +--------------------------- + If you upgrade from Postfix 2.6 or earlier, read RELEASE_NOTES-2.7 before proceeding. diff --git a/postfix/html/dnsblog.8.html b/postfix/html/dnsblog.8.html index 85de63982..84ff7371e 100644 --- a/postfix/html/dnsblog.8.html +++ b/postfix/html/dnsblog.8.html 
@@ -20,35 +20,36 @@ DNSBLOG(8) DNSBLOG(8) PROTOCOL With each connection, the dnsblog(8) server receives a DNS - white/blacklist domain name and an IP address. If the - address is listed under the DNS white/blacklist, the dns- - blog(8) server logs the match and replies with the query - arguments plus a non-zero status. Otherwise it replies - with the query arguments plus a zero status. Finally, The - dnsblog(8) server closes the connection. + white/blacklist domain name, IP address, and an ID. If + the address is listed under the DNS white/blacklist, the + dnsblog(8) server logs the match and replies with the + query arguments plus an address list with the resulting IP + addresses separated by whitespace. Otherwise it replies + with the query arguments plus an empty address list. + Finally, The dnsblog(8) server closes the connection. DIAGNOSTICS Problems and transactions are logged to syslogd(8). CONFIGURATION PARAMETERS - Changes to main.cf are picked up automatically, as dns- - blog(8) processes run for only a limited amount of time. + Changes to main.cf are picked up automatically, as dns- + blog(8) processes run for only a limited amount of time. Use the command "postfix reload" to speed up a change. - The text below provides only a parameter summary. See + The text below provides only a parameter summary. See postconf(5) for more details including examples. config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and + The default location of the Postfix main.cf and master.cf configuration files. daemon_timeout (18000s) - How much time a Postfix daemon process may take to - handle a request before it is terminated by a + How much time a Postfix daemon process may take to + handle a request before it is terminated by a built-in watchdog timer. postscreen_dnsbl_sites (empty) - Optional list of DNS white/blacklist domains, fil- + Optional list of DNS white/blacklist domains, fil- ters and weight factors. ipc_timeout (3600s) 
@@ -56,23 +57,23 @@ DNSBLOG(8) DNSBLOG(8) over an internal communication channel. process_id (read-only) - The process ID of a Postfix command or daemon + The process ID of a Postfix command or daemon process. process_name (read-only) - The process name of a Postfix command or daemon + The process name of a Postfix command or daemon process. queue_directory (see 'postconf -d' output) - The location of the Postfix top-level queue direc- + The location of the Postfix top-level queue direc- tory. syslog_facility (mail) The syslog facility of Postfix logging. syslog_name (see 'postconf -d' output) - The mail system name that is prepended to the - process name in syslog records, so that "smtpd" + The mail system name that is prepended to the + process name in syslog records, so that "smtpd" becomes, for example, "postfix/smtpd". SEE ALSO @@ -81,7 +82,7 @@ DNSBLOG(8) DNSBLOG(8) syslogd(5), system logging LICENSE - The Secure Mailer license must be distributed with this + The Secure Mailer license must be distributed with this software. HISTORY diff --git a/postfix/makedefs b/postfix/makedefs index de57a6a3e..e1e0882af 100644 --- a/postfix/makedefs +++ b/postfix/makedefs @@ -228,6 +228,12 @@ case "$SYSTEM.$RELEASE" in done ;; AIX.*) case "`uname -v`" in + 6) SYSTYPE=AIX6 + case "$CC" in + cc|*/cc|xlc|*/xlc) CCARGS="$CCARGS -w -blibpath:/usr/lib:/lib:/usr/local/lib";; + esac + CCARGS="$CCARGS -D_ALL_SOURCE -DHAS_POSIX_REGEXP" + ;; 5) SYSTYPE=AIX5 case "$CC" in cc|*/cc|xlc|*/xlc) CCARGS="$CCARGS -w -blibpath:/usr/lib:/lib:/usr/local/lib";; diff --git a/postfix/man/man8/dnsblog.8 b/postfix/man/man8/dnsblog.8 index ca6660d8e..5f485051b 100644 --- a/postfix/man/man8/dnsblog.8 +++ b/postfix/man/man8/dnsblog.8 
@@ -22,12 +22,13 @@ replaced by an UDP client that is built directly into the
 .ad
 .fi
 With each connection, the \fBdnsblog\fR(8) server receives
-a DNS white/blacklist domain name and an IP address. If the
-address is listed under the DNS white/blacklist, the
+a DNS white/blacklist domain name, IP address, and an ID.
+If the address is listed under the DNS white/blacklist, the
 \fBdnsblog\fR(8) server logs the match and replies with the
-query arguments plus a non-zero status. Otherwise it replies
-with the query arguments plus a zero status. Finally, The
-\fBdnsblog\fR(8) server closes the connection.
+query arguments plus an address list with the resulting IP
+addresses separated by whitespace. Otherwise it replies
+with the query arguments plus an empty address list. Finally,
+The \fBdnsblog\fR(8) server closes the connection.
 .SH DIAGNOSTICS
 .ad
 .fi
diff --git a/postfix/src/dnsblog/dnsblog.c b/postfix/src/dnsblog/dnsblog.c
index 89d1f0df7..977a68347 100644
--- a/postfix/src/dnsblog/dnsblog.c
+++ b/postfix/src/dnsblog/dnsblog.c
@@ -14,12 +14,13 @@
 /* .ad
 /* .fi
 /* With each connection, the \fBdnsblog\fR(8) server receives
-/* a DNS white/blacklist domain name and an IP address. If the
-/* address is listed under the DNS white/blacklist, the
+/* a DNS white/blacklist domain name, IP address, and an ID.
+/* If the address is listed under the DNS white/blacklist, the
 /* \fBdnsblog\fR(8) server logs the match and replies with the
-/* query arguments plus a non-zero status. Otherwise it replies
-/* with the query arguments plus a zero status. Finally, The
-/* \fBdnsblog\fR(8) server closes the connection.
+/* query arguments plus an address list with the resulting IP
+/* addresses separated by whitespace. Otherwise it replies
+/* with the query arguments plus an empty address list. Finally,
+/* The \fBdnsblog\fR(8) server closes the connection.
 /* DIAGNOSTICS
 /* Problems and transactions are logged to \fBsyslogd\fR(8).
 /* CONFIGURATION PARAMETERS
@@ -215,6 +216,7 @@ static VSTRING *dnsblog_query(VSTRING *result, const char *dnsbl_domain,
 static void dnsblog_service(VSTREAM *client_stream, char *unused_service,
                             char **argv)
 {
+    int request_id;
 
     /*
      * Sanity check. This service takes no command-line arguments.
@@ -231,13 +233,15 @@ static void dnsblog_service(VSTREAM *client_stream, char *unused_service,
                   ATTR_FLAG_MORE | ATTR_FLAG_STRICT,
                   ATTR_TYPE_STR, MAIL_ATTR_RBL_DOMAIN, rbl_domain,
                   ATTR_TYPE_STR, MAIL_ATTR_ACT_CLIENT_ADDR, addr,
-                  ATTR_TYPE_END) == 2) {
+                  ATTR_TYPE_INT, MAIL_ATTR_LABEL, &request_id,
+                  ATTR_TYPE_END) == 3) {
         (void) dnsblog_query(result, STR(rbl_domain), STR(addr));
         if (var_dnsblog_delay > 0)
             sleep(var_dnsblog_delay);
         attr_print(client_stream, ATTR_FLAG_NONE,
                    ATTR_TYPE_STR, MAIL_ATTR_RBL_DOMAIN, STR(rbl_domain),
                    ATTR_TYPE_STR, MAIL_ATTR_ACT_CLIENT_ADDR, STR(addr),
+                   ATTR_TYPE_INT, MAIL_ATTR_LABEL, request_id,
                    ATTR_TYPE_STR, MAIL_ATTR_RBL_ADDR, STR(result),
                    ATTR_TYPE_END);
         vstream_fflush(client_stream);
diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h
index 15d6394b7..a4ea42358 100644
--- a/postfix/src/global/mail_params.h
+++ b/postfix/src/global/mail_params.h
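Review bot: The new `request_id` in dnsblog_service() carries no comment, and nothing in the hunk says that dnsblog(8) neither interprets nor validates it, so a maintainer could mistake it for a value this server is expected to check. I'd declare it as `int request_id; /* opaque label from postscreen(8), echoed back unchanged */`. Reading it through attr_scan with ATTR_FLAG_STRICT and the `== 3` count is what guarantees it is set before attr_print echoes it, so the else path (outside the hunk) is the only place it stays uninitialized, and it must stay unused there. dnsblog_service's body starts before the second hunk and continues past it.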
@@ -2988,33 +2988,20 @@ extern char *var_tls_eecdh_ultra;
 #define DEF_TLS_PREEMPT_CLIST 0
 extern bool var_tls_preempt_clist;
 
-#ifdef USE_TLS
-
- /*
-  * The tweak for CVE-2005-2969 is needed in some versions prior to 1.0.0
-  */
+ /* The tweak for CVE-2010-4180 is needed in some versions prior to 1.0.1 */
+ /* The tweak for CVE-2005-2969 is needed in some versions prior to 1.0.0 */
+#if defined(USE_TLS) && (OPENSSL_VERSION_NUMBER < 0x1000100fL)
 #if (OPENSSL_VERSION_NUMBER < 0x1000000fL)
-#define TLS_BUG_TWEAK_A " CVE-2005-2969"
+#define TLS_BUG_TWEAKS "CVE-2005-2969 CVE-2010-4180"
 #else
-#define TLS_BUG_TWEAK_A ""
+#define TLS_BUG_TWEAKS "CVE-2010-4180"
 #endif
-
- /*
-  * The tweak for CVE-2010-4180 is needed in some versions prior to 1.0.1
-  */
-#if (OPENSSL_VERSION_NUMBER < 0x1000100fL)
-#define TLS_BUG_TWEAK_B " CVE-2010-4180"
 #else
-#define TLS_BUG_TWEAK_B " "
+#define TLS_BUG_TWEAKS ""
 #endif
 
-#else /* USE_TLS */
-#define TLS_BUG_TWEAK_A ""
-#define TLS_BUG_TWEAK_B " "
-#endif /* USE_TLS */
-
 #define VAR_TLS_BUG_TWEAKS "tls_disable_workarounds"
-#define DEF_TLS_BUG_TWEAKS ((TLS_BUG_TWEAK_A TLS_BUG_TWEAK_B)+1)
+#define DEF_TLS_BUG_TWEAKS TLS_BUG_TWEAKS
 extern char *var_tls_bug_tweaks;
 
 /*
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index ba3229f51..8ad400290 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,8 +20,8 @@
  * Patches change both the patchlevel and the release date. Snapshots have no
  * patchlevel; they change the release date only.
  */
-#define MAIL_RELEASE_DATE "20110222"
-#define MAIL_VERSION_NUMBER "2.8.1"
+#define MAIL_RELEASE_DATE "20110316"
+#define MAIL_VERSION_NUMBER "2.8.2-RC1"
 
 #ifdef SNAPSHOT
 # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
diff --git a/postfix/src/postscreen/postscreen_dnsbl.c b/postfix/src/postscreen/postscreen_dnsbl.c
index f21b04efd..a57f20ef4 100644
--- a/postfix/src/postscreen/postscreen_dnsbl.c
+++ b/postfix/src/postscreen/postscreen_dnsbl.c
@@ -143,6 +143,7 @@ typedef struct {
     int total;                          /* combined blocklist score */
     int refcount;                       /* score reference count */
     int pending_lookups;                /* nr of DNS requests in flight */
+    int request_id;                     /* duplicate suppression */
     /* Call-back table support. */
     int index;                          /* next table index */
     int limit;                          /* last valid index */
@@ -344,6 +345,7 @@ static void psc_dnsbl_receive(int event, char *context)
     PSC_DNSBL_HEAD *head;
     PSC_DNSBL_SITE *site;
     ARGV *reply_argv;
+    int request_id;
 
     PSC_CLEAR_EVENT_REQUEST(vstream_fileno(stream), psc_dnsbl_receive, context);
 
@@ -367,10 +369,12 @@ static void psc_dnsbl_receive(int event, char *context)
                   ATTR_FLAG_STRICT,
                   ATTR_TYPE_STR, MAIL_ATTR_RBL_DOMAIN, reply_dnsbl,
                   ATTR_TYPE_STR, MAIL_ATTR_ACT_CLIENT_ADDR, reply_client,
+                  ATTR_TYPE_INT, MAIL_ATTR_LABEL, &request_id,
                   ATTR_TYPE_STR, MAIL_ATTR_RBL_ADDR, reply_addr,
-                  ATTR_TYPE_END) == 3
+                  ATTR_TYPE_END) == 4
         && (score = (PSC_DNSBL_SCORE *)
-            htable_find(dnsbl_score_cache, STR(reply_client))) != 0) {
+            htable_find(dnsbl_score_cache, STR(reply_client))) != 0
+        && score->request_id == request_id) {
 
         /*
          * Run this response past all applicable DNSBL filters and update the
@@ -429,6 +433,7 @@ int psc_dnsbl_request(const char *client_addr,
     HTABLE_INFO **ht;
     PSC_DNSBL_SCORE *score;
     HTABLE_INFO *hash_node;
+    static int request_count;
 
     /*
      * Some spambots make several connections at nearly the same time,
@@ -468,6 +473,7 @@ int psc_dnsbl_request(const char *client_addr,
         if (msg_verbose > 1)
             msg_info("%s: create blocklist score for %s", myname, client_addr);
         score = (PSC_DNSBL_SCORE *) mymalloc(sizeof(*score));
+        score->request_id = request_count++;
         score->dnsbl = 0;
         score->total = 0;
         score->refcount = 1;
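Review bot: In psc_dnsbl_receive(), a reply whose `request_id` differs from `score->request_id` now fails the combined condition without any trace, which is the intended fix but leaves an operator tuning postscreen with no way to see that a stale reply was discarded; a verbose-only line on the else path, e.g. `msg_info("ignoring stale dnsblog reply for %s", STR(reply_client));` under `msg_verbose`, would make the suppression visible. That else branch, and whatever it does with `pending_lookups` for a reply that no longer belongs to the current score, are outside the hunk, so I can only ask that the decrement not be skipped for the new session. The struct comment `/* duplicate suppression */` in the first hunk would also be clearer as `/* matches dnsblog replies to this session */`, since the field is the key that psc_dnsbl_receive() compares.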
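Review bot: `score->request_id = request_count++;` in psc_dnsbl_request() increments a plain `int` for every new score entry, and signed overflow past INT_MAX is undefined behaviour in C; postscreen is a long-lived process, so the counter should be allowed to wrap on an unsigned type. The id is only ever compared for equality, so wraparound itself is harmless: `static unsigned request_count;` and `score->request_id = (int) request_count++;` keep the field and the ATTR_TYPE_INT transport unchanged, with the narrowing conversion being implementation-defined rather than undefined. How close a real deployment gets to INT_MAX sessions in one process lifetime I can't tell from here. psc_dnsbl_request()'s body continues past the hunk.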
@@ -492,6 +498,7 @@ int psc_dnsbl_request(const char *client_addr,
         attr_print(stream, ATTR_FLAG_NONE,
                    ATTR_TYPE_STR, MAIL_ATTR_RBL_DOMAIN, ht[0]->key,
                    ATTR_TYPE_STR, MAIL_ATTR_ACT_CLIENT_ADDR, client_addr,
+                   ATTR_TYPE_INT, MAIL_ATTR_LABEL, score->request_id,
                    ATTR_TYPE_END);
         if (vstream_fflush(stream) != 0) {
             msg_warn("%s: error sending to %s service: %m",
diff --git a/postfix/src/util/host_port.c b/postfix/src/util/host_port.c
index bfcad8c09..7cc932479 100644
--- a/postfix/src/util/host_port.c
+++ b/postfix/src/util/host_port.c
@@ -95,22 +95,41 @@
 
 #include
 
+ /*
+  * Point-fix workaround. The libutil library should be email agnostic, but
+  * we can't rip up the library APIs in the stable releases.
+  */
+#include
+#ifdef STRCASECMP_IN_STRINGS_H
+#include
+#endif
+#define IPV6_COL "IPv6:" /* RFC 2821 */
+#define IPV6_COL_LEN (sizeof(IPV6_COL) - 1)
+#define HAS_IPV6_COL(str) (strncasecmp((str), IPV6_COL, IPV6_COL_LEN) == 0)
+
 /* host_port - parse string into host and port, destroy string */
 
 const char *host_port(char *buf, char **host, char *def_host,
                               char **port, char *def_service)
 {
     char *cp = buf;
+    int ipv6 = 0;
 
     /*
      * [host]:port, [host]:, [host].
+     * [ipv6:ipv6addr]:port, [ipv6:ipv6addr]:, [ipv6:ipv6addr].
      */
     if (*cp == '[') {
-        *host = ++cp;
+        ++cp;
+        if ((ipv6 = HAS_IPV6_COL(cp)) != 0)
+            cp += IPV6_COL_LEN;
+        *host = cp;
         if ((cp = split_at(cp, ']')) == 0)
             return ("missing \"]\"");
         if (*cp && *cp++ != ':')
             return ("garbage after \"]\"");
+        if (ipv6 && !valid_ipv6_hostaddr(*host, DONT_GRIPE))
+            return ("malformed IPv6 address");
         *port = *cp ? cp : def_service;
     }
diff --git a/postfix/src/util/sys_defs.h b/postfix/src/util/sys_defs.h
index f3d0eaa5b..4688f9be0 100644
--- a/postfix/src/util/sys_defs.h
+++ b/postfix/src/util/sys_defs.h
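Review bot: host_port() now strips the `IPv6:` tag before storing `*host`, so callers receive the bare address and never see the tag, and only the tagged form is validated with valid_ipv6_hostaddr() while an untagged `[host]` still passes through unchecked as before; neither fact is recorded in the function's header comment, which sits before the hunk. I'd add to the syntax description there that an optional, case-insensitive RFC 2821 `IPv6:` tag is accepted and removed, and that a tagged address the validator rejects makes the call return `"malformed IPv6 address"` after `buf` has already been modified, consistent with the "destroy string" contract in the one-line summary. The header names in the added `#include` lines were lost in rendering, so I cannot confirm what is included for strncasecmp(). host_port()'s body continues past the hunk.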
@@ -111,7 +111,8 @@
 #define HAS_DUPLEX_PIPE /* 4.1 breaks with kqueue(2) */
 #endif
 
-#if __FreeBSD_version >= 800107 /* safe; don't believe the experts */
+#if (__FreeBSD_version >= 702104 && __FreeBSD_version <= 800000) \
+    || __FreeBSD_version >= 800100
 #define HAS_CLOSEFROM
 #endif
 
@@ -517,7 +518,7 @@ extern int opterr;
  * AIX: a SYSV-flavored hybrid. NB: fcntl() and flock() access the same
  * underlying locking primitives.
  */
-#ifdef AIX5
+#if defined(AIX5) || defined(AIX6)
 #define SUPPORTED
 #include
 #define UINT32_TYPE unsigned int
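Review bot: The rewritten HAS_CLOSEFROM condition drops the old inline comment and leaves its version window unexplained: 702104 through 800000 and 800100 upward enable closefrom(), while 800001 through 800099 do not, and nothing on the line says whether that gap is deliberate. I'd keep a comment on the `#if`, e.g. `/* closefrom() support window: 702104..800000 and 800100 onward; see HISTORY 20110227 */`, with the reason filled in by whoever knows the FreeBSD branch history, since it is only inferred here. Behaviour on non-FreeBSD systems is unchanged, as an undefined `__FreeBSD_version` still evaluates to 0 in the `#if`.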