diff --git a/postfix/HISTORY b/postfix/HISTORY index af48d17e6..c98975b66 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -16971,3 +16971,41 @@ Apologies for any names omitted. 20140104 Bugfix: malformed error message. File: conf/post-install. + +20140116 + + Workaround: prepend "-I. -I../../include" to CCARGS, to + avoid name clashes with non-Postfix header files. File: + makedefs. + +20140223 + + Logging: the TLS client logged that an "Untrusted" TLS + connection was established instead of "Anonymous". Viktor + Dukhovni. File: tls/tls_client.c. + +20140619 + + Bugfix (introduced: 2001): qmqpd null pointer bug when it + logs a lost connection while not in a mail transaction. + Reported by Michal Adamek. File: qmqpd/qmqpd.c. + +20140920 + + Bugfix (introduced: 20080212): incorrect client name in + reject messages from check_reverse_client_hostname_access + and check_reverse_client_hostname_{mx,ns}_access. They + replied with the verified client name, instead of the name + that was rejected. Problem reported by Reindl Harald. File: + smtpd/smtpd_check.c. + +20141012 + + Bugfix (introduced: Postfix 2.3): the PREPEND access/policy + action added headers ABOVE Postfix's own Received: header, + exposing Postfix's own Received: header to Milters (protocol + violation) and hiding the PREPENDed header from Milters. + The latter caused problems for DMARC implementations with + SPF policy plus DKIM Milter. PREPENDed headers are now + added BELOW Postfix's own Received: header and remain visible + to Milters. File: smtpd/smtpd.c. diff --git a/postfix/makedefs b/postfix/makedefs index bac97ea55..11fb06a68 100644 --- a/postfix/makedefs +++ b/postfix/makedefs 
@@ -658,6 +658,9 @@ export SYSTYPE AR ARFL RANLIB SYSLIBS CC OPT DEBUG AWK OPTS # needed before the code stabilizes. #CCARGS="$CCARGS -DNONPROD" +# Workaround. +CCARGS="-I. -I../../include $CCARGS" + sed 's/ / /g' <reason && state->where) msg_info("%s: %s: %s while %s", - state->queue_id, state->namaddr, state->reason, state->where); + state->queue_id ? state->queue_id : "NOQUEUE", + state->namaddr, state->reason, state->where); } /* qmqpd_service - service one client */ diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c index 218836d49..294986c23 100644 --- a/postfix/src/smtpd/smtpd.c +++ b/postfix/src/smtpd/smtpd.c @@ -2829,13 +2829,6 @@ static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv) rec_fputs(state->cleanup, REC_TYPE_MESG, ""); } - /* - * PREPEND message headers. - */ - if (state->prepend) - for (cpp = state->prepend->argv; *cpp; cpp++) - out_fprintf(out_stream, REC_TYPE_NORM, "%s", *cpp); - /* * Suppress our own Received: header in the unlikely case that we are an * intermediate proxy. @@ -2926,6 +2919,18 @@ static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv) "\t(envelope-from %s)", STR(state->buffer)); #endif } + + /* + * PREPEND message headers below our own Received: header. According + * https://www.milter.org/developers/api/smfi_insheader, Milters see only + * headers that have been sent by the SMTP client and those header + * modifications by earlier filters. Based on this we allow Milters to + * see headers added by access map or by policy service. + */ + if (state->prepend) + for (cpp = state->prepend->argv; *cpp; cpp++) + out_fprintf(out_stream, REC_TYPE_NORM, "%s", *cpp); + smtpd_chat_reply(state, "354 End data with ."); state->where = SMTPD_AFTER_DATA; diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c index 40780d778..28c830841 100644 --- a/postfix/src/smtpd/smtpd_check.c +++ b/postfix/src/smtpd/smtpd_check.c 
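Review bot: The comment `# Workaround.` above the new `CCARGS="-I. -I../../include $CCARGS"` line does not say what is being worked around or why the two options must come first. The HISTORY entry in this commit gives the reason (name clashes with non-Postfix header files), so I would spell it out here: `# Workaround: search Postfix's own include directories first, so that -I directories already named in $CCARGS cannot shadow Postfix headers with same-named files.` That also tells a later editor not to move the options behind `$CCARGS`. The context lines after the assignment are damaged on this page, so nothing past it was reviewed.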
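Review bot: The `state->queue_id ? state->queue_id : "NOQUEUE"` fallback has no comment saying when `queue_id` is null, so it is easy to remove later as apparently dead code. Per the HISTORY entry this path is reached when a connection is lost outside a mail transaction, which a remote client can cause simply by disconnecting. A one-line comment above the `msg_info()` call would record that, for example `/* No queue ID yet when the client goes away outside a mail transaction. */`. Only the tail of the guarding condition (`... && state->where`) survives on this page, and the hunk header and start of the function are missing, so whether `state->namaddr` is always set here cannot be confirmed from this view.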
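Review bot: The comment on the relocated PREPEND loop reads "According https://www.milter.org/..." (missing "to") and explains only why Milters may see the PREPENDed headers. It does not state the ordering constraint from the HISTORY entry, namely that emitting these headers above Postfix's own Received: header exposes that header to Milters and hides the PREPENDed ones. I would fix the wording to `According to https://...` and add a sentence such as `Keep this below the Received: header; emitting it above exposes our own Received: header to Milters.` so a later reorder does not reintroduce the problem. The loop itself is unchanged from the lines removed in the previous hunk, and data_cmd starts and ends outside the hunk.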
@@ -3697,7 +3697,7 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions, SMTPD_NAME_CLIENT, def_acl); } else if (is_map_command(state, name, CHECK_REVERSE_CLIENT_ACL, &cpp)) { status = check_namadr_access(state, *cpp, state->reverse_name, state->addr, - FULL, &found, state->namaddr, + FULL, &found, state->reverse_name, SMTPD_NAME_REV_CLIENT, def_acl); forbid_whitelist(state, name, status, state->reverse_name); } else if (strcasecmp(name, REJECT_MAPS_RBL) == 0) { @@ -3764,14 +3764,14 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions, } else if (is_map_command(state, name, CHECK_REVERSE_CLIENT_NS_ACL, &cpp)) { if (strcasecmp(state->reverse_name, "unknown") != 0) { status = check_server_access(state, *cpp, state->reverse_name, - T_NS, state->namaddr, + T_NS, state->reverse_name, SMTPD_NAME_REV_CLIENT, def_acl); forbid_whitelist(state, name, status, state->reverse_name); } } else if (is_map_command(state, name, CHECK_REVERSE_CLIENT_MX_ACL, &cpp)) { if (strcasecmp(state->reverse_name, "unknown") != 0) { status = check_server_access(state, *cpp, state->reverse_name, - T_MX, state->namaddr, + T_MX, state->reverse_name, SMTPD_NAME_REV_CLIENT, def_acl); forbid_whitelist(state, name, status, state->reverse_name); } diff --git a/postfix/src/tls/tls_client.c b/postfix/src/tls/tls_client.c index aacd74adf..5137f92bf 100644 --- a/postfix/src/tls/tls_client.c +++ b/postfix/src/tls/tls_client.c @@ -983,7 +983,9 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props) */ if (props->log_level >= 1) msg_info("%s TLS connection established to %s: %s with cipher %s " - "(%d/%d bits)", TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" : + "(%d/%d bits)", + !TLS_CERT_IS_PRESENT(TLScontext) ? "Anonymous" : + TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" : TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : "Untrusted", props->namaddr, TLScontext->protocol, TLScontext->cipher_name, TLScontext->cipher_usebits, TLScontext->cipher_algbits);
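Review bot: The three changed calls now pass `state->reverse_name` as the reply name, but nothing at the call sites says it is the name the HISTORY entry contrasts with the verified client name. They are the `check_namadr_access()` call in this hunk and the `T_NS` and `T_MX` `check_server_access()` calls in the next one. That value presumably comes from a reverse DNS lookup that the remote side can influence, so it is worth confirming that the callees neutralise non-printable characters before it reaches the SMTP reply and the log; those callees are outside these hunks. A short comment such as `/* Reply with the reverse name that was looked up, not the verified client name. */` on the first call would document the intent. generic_checks starts and ends outside both hunks.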
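Review bot: The label passed to `msg_info()` is now a four-way conditional chain whose result depends on the order of the tests, and no comment explains why `!TLS_CERT_IS_PRESENT(TLScontext)` is tested ahead of the matched/trusted tests. I would add `/* No peer certificate: report "Anonymous" before the matched/trusted tests. */` above the call, or compute the label into a local `const char *` first so the format arguments stay readable. The logged word changes from "Untrusted" to "Anonymous" for these sessions, so any documentation for log-based monitoring of TLS status should mention the new value. tls_client_start starts and ends outside the hunk.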