From f0d9a4857f0c3c2624c57b374c6541151a2de0f6 Mon Sep 17 00:00:00 2001
From: Wietse Venema <wietse@porcupine.org>
Date: Tue, 14 May 2002 00:00:00 -0500
Subject: [PATCH] postfix-1.1.10-20020514

---
 postfix/HISTORY                   | 12 ++++++++++++
 postfix/RELEASE_NOTES             |  9 +++++++++
 postfix/src/global/mail_version.h |  4 ++--
 postfix/src/global/tok822_parse.c |  2 +-
 postfix/src/qmqpd/qmqpd.c         |  2 +-
 postfix/src/smtpd/smtpd_check.c   | 16 ++++++++++------
 6 files changed, 35 insertions(+), 10 deletions(-)

diff --git a/postfix/HISTORY b/postfix/HISTORY
index 6d68a08e6..61f6744c4 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -6435,6 +6435,18 @@ Apologies for any names omitted.
 	more correct, but it opens a mail relay loophole with "user
 	@domain"@domain when relaying mail to a Sendmail system.
 
+20020514
+
+	Bugfix: the new code for header address quoting sometimes
+	did not null terminate strings so that arbitrary garbage
+	could appear at the end of message headers.  Reported by
+	Ralf Hildebrandt.  File:  global/tok822_parse.c.
+
+	Safety: user@domain@domain is no longer accepted by the
+	permit_mx_backup uce restriction (unless Postfix is configured
+	with "resolve_dequoted_address = no"). Victor Duchovny,
+	Morgan Stanley. File: smtpd/smtpd_check.c.
+
 Open problems:
 
 	Low: all table lookups should consistently use internalized
diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES
index b962ce2ae..edcdcd2b1 100644
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@@ -12,6 +12,15 @@ snapshot release).  Patches change the patchlevel and the release
 date. Snapshots change only the release date, unless they include
 the same bugfixes as a patch release.
 
+Incompatible changes with Postfix snapshot 1.1.10-20020514
+==========================================================
+
+For safety reasons, the permit_mx_backup restriction no longer
+accepts mail for user@domain@domain. To recover the old behavior,
+specify "resolve_dequoted_address = no" which opens up a completely
+different can of worms as described a few paragraphs down in this
+document.
+
 Major changes with Postfix snapshot 1.1.9-20020513
 ==================================================
 
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 0f5af1c0b..f948387a9 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,10 +20,10 @@
   * Patches change the patchlevel and the release date. Snapshots change the
   * release date only, unless they include the same bugfix as a patch release.
   */
-#define MAIL_RELEASE_DATE	"20020513"
+#define MAIL_RELEASE_DATE	"20020514"
 
 #define VAR_MAIL_VERSION	"mail_version"
-#define DEF_MAIL_VERSION	"1.1.9-" MAIL_RELEASE_DATE
+#define DEF_MAIL_VERSION	"1.1.10-" MAIL_RELEASE_DATE
 extern char *var_mail_version;
 
  /*
diff --git a/postfix/src/global/tok822_parse.c b/postfix/src/global/tok822_parse.c
index 194b973a0..3555031b2 100644
--- a/postfix/src/global/tok822_parse.c
+++ b/postfix/src/global/tok822_parse.c
@@ -247,7 +247,7 @@ VSTRING *tok822_externalize(VSTRING *vp, TOK822 *tree, int flags)
 	     */
 	case TOK822_ADDR:
 	    tmp = vstring_alloc(100);
-	    tok822_internalize(tmp, tp->head, TOK822_STR_NONE);
+	    tok822_internalize(tmp, tp->head, TOK822_STR_TERM);
 	    quote_822_local_flags(vp, vstring_str(tmp),
 				  QUOTE_FLAG_8BITCLEAN | QUOTE_FLAG_APPEND);
 	    vstring_free(tmp);
diff --git a/postfix/src/qmqpd/qmqpd.c b/postfix/src/qmqpd/qmqpd.c
index 263ac17da..162610bfc 100644
--- a/postfix/src/qmqpd/qmqpd.c
+++ b/postfix/src/qmqpd/qmqpd.c
@@ -351,7 +351,7 @@ static void qmqpd_write_content(QMQPD_STATE *state)
 		    "\tid %s; %s", state->queue_id, mail_date(state->time));
     }
 #ifdef RECEIVED_ENVELOPE_FROM
-    quote_822_local(state->buf, state->sender, QUOTE_FLAG_8BITCLEAN);
+    quote_822_local(state->buf, state->sender);
     rec_fprintf(state->cleanup, REC_TYPE_NORM,
 		"\t(envelope-from <%s>)", STR(state->buf));
 #endif
diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c
index d6f7bc331..cd0b46b11 100644
--- a/postfix/src/smtpd/smtpd_check.c
+++ b/postfix/src/smtpd/smtpd_check.c
@@ -1281,18 +1281,22 @@ static int permit_mx_backup(SMTPD_STATE *state, const char *recipient)
     if ((domain = strrchr(CONST_STR(reply->recipient), '@')) == 0)
 	return (SMTPD_CHECK_OK);
     domain += 1;
+
+    /*
+     * Skip source-routed non-local or virtual mail (uncertain destination).
+     */
+    if (var_allow_untrust_route == 0 && (reply->flags & RESOLVE_FLAG_ROUTED))
+	return (SMTPD_CHECK_DUNNO);
+
+    /*
+     * The destination is local, or it is a local virtual destination.
+     */
     if (resolve_final(state, recipient, domain))
 	return (SMTPD_CHECK_OK);
 
     if (msg_verbose)
 	msg_info("%s: not local: %s", myname, recipient);
 
-    /*
-     * Skip source-routed mail (uncertain destination).
-     */
-    if (var_allow_untrust_route == 0 && (reply->flags & RESOLVE_FLAG_ROUTED))
-	return (SMTPD_CHECK_DUNNO);
-
     /*
      * Skip numerical forms that didn't match the local system.
      */