From ed72c23b26893cb86dc8d1ef711fd89ef0a042a5 Mon Sep 17 00:00:00 2001 From: Wietse Z Venema Date: Mon, 11 Nov 2024 00:00:00 -0500 Subject: [PATCH] postfix-3.10-20241111 --- postfix/HISTORY | 32 +++++++++++++++++++++++- postfix/README_FILES/TLSRPT_README | 19 +++++++------- postfix/RELEASE_NOTES | 6 +++++ postfix/WISHLIST | 21 +++++++++++----- postfix/html/TLSRPT_README.html | 11 ++++---- postfix/html/postconf.5.html | 2 +- postfix/man/man5/postconf.5 | 2 +- postfix/proto/TLSRPT_README.html | 11 ++++---- postfix/proto/postconf.proto | 2 +- postfix/src/cleanup/cleanup_api.c | 1 + postfix/src/global/dict_pgsql.c | 6 ++--- postfix/src/global/mail_version.h | 2 +- postfix/src/xsasl/xsasl_dovecot_server.c | 4 ++- 13 files changed, 85 insertions(+), 34 deletions(-) diff --git a/postfix/HISTORY b/postfix/HISTORY index fa98c069b..b67c988ee 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -28446,7 +28446,7 @@ Apologies for any names omitted. connection target (the PostgreSQL URI parser decides what is allowed). The dbname setting is now optional if the hosts setting specifies only URIs. Files: util/valid_uri_scheme.[hc], - proto/pgsql_table. + proto/pgsql_table, global/dict_pgsql.c. 202141026 
@@ -28467,3 +28467,33 @@ Apologies for any names omitted. of sessions per SMTP server process (max_use), and on the number file handles per process (managed with sysctl). File: xsasl/xsasl_dovecot_server.c. + +20241031 + + Logging: the Dovecot SASL client logging for "Invalid + authentication mechanism" now includes the name of that + mechanism. File: xsasl/xsasl_dovecot_server.c + +20241104 + + Logging: when a message transaction is canceled (i.e. + started but not completed), the cleanup server now logs + "queueid: canceled". This provides a clear signal to logfile + collation tools. File: cleanup/cleanup_api.c. + +20241028 + + Documentation: TLSRPT_README, section "Delivering TLSRPT + summaries via email". File: proto/TLSRPT_README.html. + +20241107 + + Documentation: tweaked text for smtpd_delay_open_until_valid_rcpt. + File: proto/postconf.proto. + +20241111 + + Bugfix (defect introduced: Postfix 3.10, date 20241025): + dict_pgsql_open() returned NULL when "hosts" specified a + non-URI target and "dbname" was not set. Instead, it should + return a surrogate dictionary. File: global/dict_pgsql.c. diff --git a/postfix/README_FILES/TLSRPT_README b/postfix/README_FILES/TLSRPT_README index c84309897..14ecf3b80 100644 --- a/postfix/README_FILES/TLSRPT_README +++ b/postfix/README_FILES/TLSRPT_README 
@@ -181,15 +181,16 @@ request that TLS enforcement will be disabled when submitting an email message. Options: - * Do nothing. When TLS security enforcement is required, a persistent - enforcement failure will delay the delivery of a TLSRPT summary until the - problem is addressed, or until the message expires in the mail queue. Keep - in mind that TLSRPT is not a real-time monitoring service; it takes on - average 12 hours before a failure is reported through TLSRPT. + * Do nothing. When TLS security enforcement is required but fails, a TLSRPT + summary message will be delayed until the problem is addressed, or until + the message expires in the mail queue. Keep in mind that TLSRPT is not a + real-time monitoring service; it takes on average 12 hours before a failure + is reported through TLSRPT. - * Exclude the sender of TLSRPT summaries from TLS enforcement. Implement the - configuration below on outbound MTA instances (replace noreply-smtp-tls- - reporting@example.com with your actual report generator's sender address): + * Exclude the sender of TLSRPT summaries from TLS security enforcement. + Implement the configuration below on outbound MTA instances (replace + noreply-smtp-tls-reporting@example.com with your actual report generator's + sender address): /etc/postfix/main.cf: # Limitation: this setting is overruled with transport_maps. @@ -199,7 +200,7 @@ Options: /etc/postfix/master.cf: # service name type private unpriv chroot wakeup maxproc command - allow-plaintext unix - - n - - smtp + allow-plaintext unix - - - - - smtp -o { smtp_tls_security_level = may } -o { smtp_tls_policy_maps = static:may } diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index 660f33511..a0e19efe2 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES 
@@ -26,6 +26,12 @@ now also distributed with the more recent Eclipse Public License license of their choice. Those who are more comfortable with the IPL can continue with that license. +[Feature 20241104] + +The cleanup server now logs "queueid: canceled" when a message +transaction is started but not completed. This provides a clear +signal to logfile collation tools. + [Feature 20240926] Support for the TLSRPT protocol (defined in RFC 8460). With this, diff --git a/postfix/WISHLIST b/postfix/WISHLIST index c84db73bb..6a6cb0d51 100644 --- a/postfix/WISHLIST +++ b/postfix/WISHLIST @@ -8,16 +8,25 @@ Wish list: Add a mail_version chek to each pluggable database client. - Add an option for a built-in JSON generator. This would - simplify TLSRPT adoption by eliminating a build-time and - run-time dependency on the libtlsrpt client library. Prior - art: this approach was previously used to implement Postfix - Milter support. + relay_recipient_maps empty should default to 'no valid + recipients'. Subject to compatibility level. + + Make a reason available for messages placed on 'hold'. + + relay_recipient_maps empty should default to 'no valid + recipients'. Subject to compatibility level. + + Add an option for a TLSRPT built-in JSON generator. This + would simplify TLSRPT adoption by eliminating a build-time + and run-time dependency on the libtlsrpt client library. + Prior art: this approach was previously used to implement + Postfix Milter support. Make TLSRPT support pluggable (postfix-tlsrpt.so, like postfix-ldap.so, postfix-mysql.so and so on). This avods a hard install-time dependency on sys4 libtlsrpt. The sys4 - code would still be a build-time dependency. + code would still be a required build-time dependency, but + it would become an optional install-time dependency. Add smtp_tlsrpt_allow_list feature (default: static:all) to limit the domains for which Postfix generates TLSRPT daily summaries. 
diff --git a/postfix/html/TLSRPT_README.html b/postfix/html/TLSRPT_README.html index a1fc10f24..6bbc0be28 100644 --- a/postfix/html/TLSRPT_README.html +++ b/postfix/html/TLSRPT_README.html @@ -276,14 +276,15 @@ when submitting an email message.
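
Review bot: in the postfix/HISTORY hunk at @@ -28467,3 +28467,33 @@, the new entries are not in date order: 20241028 is placed after 20241104, while the others ascend (20241031, 20241104, 20241107, 20241111). Move the 20241028 entry ahead of 20241031 so that anyone reading HISTORY by date finds it where expected. The 20241031 entry also ends with "File: xsasl/xsasl_dovecot_server.c" without the trailing period the other new entries use.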
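
Review bot: the master.cf example in the postfix/README_FILES/TLSRPT_README hunk at @@ -199,7 +200,7 @@ changes the chroot column of the allow-plaintext service from "n" to "-", and neither the surrounding text nor the 20241028 HISTORY entry says why. A "-" defers to the built-in default, so the chroot behaviour of this service is no longer stated by the example itself. Either say so in a comment line above the entry, or keep the explicit "n" if the example depends on running without chroot. This is the service that relaxes TLS enforcement (smtp_tls_security_level = may), so readers will copy it verbatim and the columns deserve to be unambiguous.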
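
Review bot: the [Feature 20241104] paragraph in the postfix/RELEASE_NOTES hunk quotes the new record as "queueid: canceled" without saying that queueid stands for the actual queue ID of the transaction. Since the stated purpose is to give logfile collation tools a clear signal, add one sample log line or a short remark on the placeholder so tool authors know exactly what to match.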
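
Review bot: the postfix/WISHLIST hunk at @@ -8,16 +8,25 @@ adds the item "relay_recipient_maps empty should default to 'no valid recipients'. Subject to compatibility level." twice, once before and once after the new "Make a reason available for messages placed on 'hold'." item. Drop one of the two copies. The reworded pluggable-TLSRPT item is otherwise clearer than before about build-time versus install-time dependency.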