postfix-2.8.18

postfix/HISTORY

@@ -16971,3 +16971,41 @@ Apologies for any names omitted.
 20140104
 
 	Bugfix: malformed error message. File: conf/post-install.
+
+20140116
+
+	Workaround: prepend "-I. -I../../include" to CCARGS, to
+	avoid name clashes with non-Postfix header files. File:
+	makedefs.
+
+20140223
+
+	Logging: the TLS client logged that an "Untrusted" TLS
+	connection was established instead of "Anonymous".  Viktor
+	Dukhovni. File: tls/tls_client.c.
+
+20140619
+
+	Bugfix (introduced: 2001): qmqpd null pointer bug when it
+	logs a lost connection while not in a mail transaction.
+	Reported by Michal Adamek. File: qmqpd/qmqpd.c.
+
+20140920
+
+	Bugfix (introduced: 20080212): incorrect client name in
+	reject messages from check_reverse_client_hostname_access
+	and check_reverse_client_hostname_{mx,ns}_access.  They
+	replied with the verified client name, instead of the name
+	that was rejected.  Problem reported by Reindl Harald. File:
+	smtpd/smtpd_check.c.
+
+20141012
+
+	Bugfix (introduced: Postfix 2.3): the PREPEND access/policy
+	action added headers ABOVE Postfix's own Received: header,
+	exposing Postfix's own Received: header to Milters (protocol
+	violation) and hiding the PREPENDed header from Milters.
+	The latter caused problems for DMARC implementations with
+	SPF policy plus DKIM Milter.  PREPENDed headers are now
+	added BELOW Postfix's own Received: header and remain visible
+	to Milters. File: smtpd/smtpd.c.

postfix/makedefs

@@ -658,6 +658,9 @@ export SYSTYPE AR ARFL RANLIB SYSLIBS CC OPT DEBUG AWK OPTS
 # needed before the code stabilizes.
 #CCARGS="$CCARGS -DNONPROD"
 
+# Workaround.
+CCARGS="-I. -I../../include $CCARGS"
+
 sed 's/  / /g' <<EOF
 SYSTYPE	= $SYSTYPE
 AR	= $AR

postfix/src/global/mail_version.h

@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20140116"
-#define MAIL_VERSION_NUMBER	"2.8.17"
+#define MAIL_RELEASE_DATE	"20141013"
+#define MAIL_VERSION_NUMBER	"2.8.18"
 
 #ifdef SNAPSHOT
 # define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE

postfix/src/qmqpd/qmqpd.c

@@ -700,7 +700,8 @@ static void qmqpd_proto(QMQPD_STATE *state)
      */
     if (state->reason && state->where)
 	msg_info("%s: %s: %s while %s",
-	      state->queue_id, state->namaddr, state->reason, state->where);
+		 state->queue_id ? state->queue_id : "NOQUEUE",
+		 state->namaddr, state->reason, state->where);
 }
 
 /* qmqpd_service - service one client */

postfix/src/smtpd/smtpd.c

@@ -2829,13 +2829,6 @@ static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
 	rec_fputs(state->cleanup, REC_TYPE_MESG, "");
     }
 
-    /*
-     * PREPEND message headers.
-     */
-    if (state->prepend)
-	for (cpp = state->prepend->argv; *cpp; cpp++)
-	    out_fprintf(out_stream, REC_TYPE_NORM, "%s", *cpp);
-
     /*
      * Suppress our own Received: header in the unlikely case that we are an
      * intermediate proxy.
@@ -2926,6 +2919,18 @@ static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
 		    "\t(envelope-from %s)", STR(state->buffer));
 #endif
     }
+
+    /*
+     * PREPEND message headers below our own Received: header. According
+     * https://www.milter.org/developers/api/smfi_insheader, Milters see only
+     * headers that have been sent by the SMTP client and those header
+     * modifications by earlier filters. Based on this we allow Milters to
+     * see headers added by access map or by policy service.
+     */
+    if (state->prepend)
+	for (cpp = state->prepend->argv; *cpp; cpp++)
+	    out_fprintf(out_stream, REC_TYPE_NORM, "%s", *cpp);
+
     smtpd_chat_reply(state, "354 End data with <CR><LF>.<CR><LF>");
     state->where = SMTPD_AFTER_DATA;
 

postfix/src/smtpd/smtpd_check.c

@@ -3697,7 +3697,7 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
 					 SMTPD_NAME_CLIENT, def_acl);
 	} else if (is_map_command(state, name, CHECK_REVERSE_CLIENT_ACL, &cpp)) {
 	    status = check_namadr_access(state, *cpp, state->reverse_name, state->addr,
-					 FULL, &found, state->namaddr,
+					 FULL, &found, state->reverse_name,
 					 SMTPD_NAME_REV_CLIENT, def_acl);
 	    forbid_whitelist(state, name, status, state->reverse_name);
 	} else if (strcasecmp(name, REJECT_MAPS_RBL) == 0) {
@@ -3764,14 +3764,14 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
 	} else if (is_map_command(state, name, CHECK_REVERSE_CLIENT_NS_ACL, &cpp)) {
 	    if (strcasecmp(state->reverse_name, "unknown") != 0) {
 		status = check_server_access(state, *cpp, state->reverse_name,
-					     T_NS, state->namaddr,
+					     T_NS, state->reverse_name,
 					     SMTPD_NAME_REV_CLIENT, def_acl);
 		forbid_whitelist(state, name, status, state->reverse_name);
 	    }
 	} else if (is_map_command(state, name, CHECK_REVERSE_CLIENT_MX_ACL, &cpp)) {
 	    if (strcasecmp(state->reverse_name, "unknown") != 0) {
 		status = check_server_access(state, *cpp, state->reverse_name,
-					     T_MX, state->namaddr,
+					     T_MX, state->reverse_name,
 					     SMTPD_NAME_REV_CLIENT, def_acl);
 		forbid_whitelist(state, name, status, state->reverse_name);
 	    }

postfix/src/tls/tls_client.c

@@ -983,7 +983,9 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props)
      */
     if (props->log_level >= 1)
 	msg_info("%s TLS connection established to %s: %s with cipher %s "
-	      "(%d/%d bits)", TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" :
+		 "(%d/%d bits)",
+		 !TLS_CERT_IS_PRESENT(TLScontext) ? "Anonymous" :
+		 TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" :
 		 TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : "Untrusted",
 	      props->namaddr, TLScontext->protocol, TLScontext->cipher_name,
 		 TLScontext->cipher_usebits, TLScontext->cipher_algbits);