postfix-2.3-RC2

postfix/HISTORY

@@ -12408,29 +12408,39 @@ Apologies for any names omitted.
 	mumble_tls_mandatory_mumble; added _mandatory_ qualifier
 	to names of parameters that affect only mandatory TLS.
 
+20060630
+
+	Features promoted from SNAPSHOT to STABLE: the "sleep"
+	pseudo restriction; Postfix daemons now read the local
+	timezone file before chrooting; trivial-rewrite now detects
+	table changes every 10 seconds, so it restarts more timely.
+
+	Features that stay #ifdef SNAPSHOT: tcp_table,
+	lmtp_sasl_tls_verified_security_options, and
+	smtp_sasl_tls_verified_security_options.
+
+	Compatibility: Sendmail does not send its own Received:
+	header to Milter applications. Offsets in header replace
+	requests are relative to the message content as received
+	(i.e. without our own Received: header), while offsets in
+	header insert requests are relative to the message as
+	delivered (i.e. they include our own Received: header).
+	This explains why dk-filter would sign our own Received:
+	header but place the signature between our own Received:
+	header and the rest of the message, violating the draft
+	domainkeys spec.
+
 Wish list:
 
 	In the SMTPD policy client (encode or strip) non-printable
 	non-ASCII in (TLS or all) attributes.
 
-	run real sendmail through test-milter and check the data
-	for bit-wise compatibility with Postfix.
-
 	Are transport:nexthop null fields the same as in the case
 	of default_transport etc. parameters?
 
-	Introduce the notion of required security level into smtpd(8)
-	just like with smtp(8): if the level is specified, ignore
-	the legacy boolean parameters.
-
 	Introduce structured API for tls_server_mumble() just like
 	with smtp(8): this eliminates ever-growing lists of arguments.
 
-	Cleanup: declare smtp_tls_levels[] in a header file, probably
-	one that is owned by the Postfix TLS library instead of
-	smtp(8).  Better, encapsulate the name to code conversion
-	as a Postfix TLS library service routine.
-
 	With (non)delivery notifications, prepend an "Auto-Submitted:
 	auto-replied" header, as per RFC 3834.
 

postfix/README_FILES/MILTER_README

@@ -152,6 +152,11 @@ mail from authorized SMTP clients. Mail that arrives via the Postfix smtpd(8)
 server is not filtered by the non-SMTP filters that are described in the next
 section.
 
+NOTE: Do not use the header_checks(5) IGNORE action to remove Postfix's own
+Received: message header. This causes problems with mail signing filters.
+Instead, keep Postfix's own Received: message header and use the header_checks
+(5) REPLACE action to sanitize information.
+
 You specify SMTP-only Milter applications (there can be more than one) with the
 smtpd_milters parameter. Each Milter application is identified by the name of
 its listening socket; other Milter configuration options will be discussed in
@@ -188,6 +193,11 @@ unwanted mail, there are limitations as discussed later in this section. Mail
 that arrives via the Postfix smtpd(8) server is not filtered by the non-SMTP
 filters.
 
+NOTE: Do not use the header_checks(5) IGNORE action to remove Postfix's own
+Received: message header. This causes problems with mail signing filters.
+Instead, keep Postfix's own Received: message header and use the header_checks
+(5) REPLACE action to sanitize information.
+
 You specify non-SMTP Milter applications with the non_smtpd_milters parameter.
 This parameter uses the same syntax as the smtpd_milters parameter in the
 previous section. As with the SMTP-only filters, you can specify more than one

postfix/README_FILES/SASL_README

@@ -227,7 +227,8 @@ Note: some Cyrus SASL distributions look for the smtpd.conf file in /etc/sasl2.
     configuration can be set with:
 
         /etc/postfix/main.cf:
-            smtpd_sasl_application_name = smtpd
+            smtpd_sasl_application_name = smtpd (Postfix < 2.3)
+            smtpd_sasl_path = smtpd (Postfix 2.3 and later)
 
     The pwcheck daemon is contained in the cyrus-sasl source tarball.
 
@@ -453,7 +454,8 @@ CCrreeddiittss
     reject_authenticated_sender_login_mismatch and
     reject_unauthenticated_sender_login_mismatch, and revised the docs.
   * Wietse made another iteration through the code to add plug-in support for
-    multiple SASL implementations.
+    multiple SASL implementations, and changed smtpd_sasl_application_name into
+    smtpd_sasl_path.
   * The Dovecot SMTP server-only plug-in was originally implemented by Timo
     Sirainen of Procontrol, Finland.
 

postfix/RELEASE_NOTES

@@ -33,9 +33,9 @@ is required (notably Postfix 2.3 in "opportunistic" mode) and the
 administrator has not excluded the "aNULL" OpenSSL cipher type.
 
 Instead of cipher lists you can now specify cipher grades.  The
-smtp_tls_ciphers, lmtp_tls_ciphers and smtpd_tls_ciphers parameters
-specify one of "high", "medium", "low", "export" or "null". See the
-documentation for details.
+smtp_tls_mandatory_ciphers, lmtp_tls_mandatory_ciphers and
+smtpd_tls_ciphers parameters specify one of "high", "medium", "low",
+"export" or "null". See TLS_README for details.
 
 Incompatibility with Postfix snapshot 20060614
 ==============================================

postfix/html/MILTER_README.html

@@ -295,6 +295,12 @@ unwanted mail, and to sign mail from authorized SMTP clients.  Mail
 that arrives via the Postfix <a href="smtpd.8.html">smtpd(8)</a> server is not filtered by the
 non-SMTP filters that are described in the next section. </p>
 
+<p> NOTE: Do not use the <a href="header_checks.5.html">header_checks(5)</a> IGNORE action to remove
+Postfix's own Received: message header. This causes problems with
+mail signing filters. Instead, keep Postfix's own Received: message
+header and use the <a href="header_checks.5.html">header_checks(5)</a> REPLACE action to sanitize
+information. </p>
+
 <p> You specify SMTP-only Milter applications (there can be more
 than one) with the <a href="postconf.5.html#smtpd_milters">smtpd_milters</a> parameter.  Each Milter application
 is identified by the name of its listening socket; other Milter
@@ -345,6 +351,12 @@ limitations as discussed later in this section.  Mail that arrives
 via the Postfix <a href="smtpd.8.html">smtpd(8)</a> server is not filtered by the non-SMTP
 filters.  </p>
 
+<p> NOTE: Do not use the <a href="header_checks.5.html">header_checks(5)</a> IGNORE action to remove
+Postfix's own Received: message header. This causes problems with
+mail signing filters. Instead, keep Postfix's own Received: message
+header and use the <a href="header_checks.5.html">header_checks(5)</a> REPLACE action to sanitize
+information. </p>
+
 <p> You specify non-SMTP Milter applications with the <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>
 parameter. This parameter uses the same syntax as the <a href="postconf.5.html#smtpd_milters">smtpd_milters</a>
 parameter in the previous section. As with the SMTP-only filters,

postfix/html/SASL_README.html

@@ -359,7 +359,8 @@ library for configuration can be set with: </p>
 <blockquote>
 <pre>
 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
-    smtpd_sasl_application_name = smtpd
+    smtpd_sasl_application_name = smtpd (Postfix &lt; 2.3)
+    <a href="postconf.5.html#smtpd_sasl_path">smtpd_sasl_path</a> = smtpd (Postfix 2.3 and later)
 </pre>
 </blockquote>
 
@@ -687,8 +688,9 @@ of SuSE Rhein/Main AG.
 <a href="postconf.5.html#reject_authenticated_sender_login_mismatch">reject_authenticated_sender_login_mismatch</a> and
 <a href="postconf.5.html#reject_unauthenticated_sender_login_mismatch">reject_unauthenticated_sender_login_mismatch</a>, and revised the docs.
 
-<li> Wietse made another iteration through the code to add
-plug-in support for multiple SASL implementations.
+<li> Wietse made another iteration through the code to add plug-in
+support for multiple SASL implementations, and changed
+smtpd_sasl_application_name into <a href="postconf.5.html#smtpd_sasl_path">smtpd_sasl_path</a>.
 
 <li> The Dovecot SMTP server-only plug-in was originally implemented by
 Timo Sirainen of Procontrol, Finland.

postfix/html/postconf.5.html

@@ -10208,7 +10208,8 @@ is <b>smtpd</b>, corresponding to a SASL configuration file named
 </p>
 
 <p>
-This feature is available in Postfix 2.1 and later.
+This feature is available in Postfix 2.1 and 2.2. With Postfix 2.3
+it was renamed to <a href="postconf.5.html#smtpd_sasl_path">smtpd_sasl_path</a>.
 </p>
 
 
@@ -10333,7 +10334,8 @@ the SASL plug-in implementation that is selected with
 <b><a href="postconf.5.html#smtpd_sasl_type">smtpd_sasl_type</a></b>.  Typically this specifies the name of a
 configuration file or rendezvous point. </p>
 
-<p> This feature is available in Postfix 2.3 and later. </p>
+<p> This feature is available in Postfix 2.3 and later. In earlier
+releases it was called smtpd_sasl_application. </p>
 
 
 </DD>

postfix/man/man5/postconf.5

@@ -6076,7 +6076,8 @@ controls the name of the SASL configuration file. The default value
 is \fBsmtpd\fR, corresponding to a SASL configuration file named
 \fBsmtpd.conf\fR.
 .PP
-This feature is available in Postfix 2.1 and later.
+This feature is available in Postfix 2.1 and 2.2. With Postfix 2.3
+it was renamed to smtpd_sasl_path.
 .SH smtpd_sasl_auth_enable (default: no)
 Enable SASL authentication in the Postfix SMTP server. By default,
 the Postfix SMTP server does not use authentication.
@@ -6164,7 +6165,8 @@ the SASL plug-in implementation that is selected with
 \fBsmtpd_sasl_type\fR.  Typically this specifies the name of a
 configuration file or rendezvous point.
 .PP
-This feature is available in Postfix 2.3 and later.
+This feature is available in Postfix 2.3 and later. In earlier
+releases it was called smtpd_sasl_application.
 .SH smtpd_sasl_security_options (default: noanonymous)
 SASL security options; as of Postfix 2.3 the list of available
 features depends on the SASL server implementation that is selected

postfix/proto/MILTER_README.html

@@ -295,6 +295,12 @@ unwanted mail, and to sign mail from authorized SMTP clients.  Mail
 that arrives via the Postfix smtpd(8) server is not filtered by the
 non-SMTP filters that are described in the next section. </p>
 
+<p> NOTE: Do not use the header_checks(5) IGNORE action to remove
+Postfix's own Received: message header. This causes problems with
+mail signing filters. Instead, keep Postfix's own Received: message
+header and use the header_checks(5) REPLACE action to sanitize
+information. </p>
+
 <p> You specify SMTP-only Milter applications (there can be more
 than one) with the smtpd_milters parameter.  Each Milter application
 is identified by the name of its listening socket; other Milter
@@ -345,6 +351,12 @@ limitations as discussed later in this section.  Mail that arrives
 via the Postfix smtpd(8) server is not filtered by the non-SMTP
 filters.  </p>
 
+<p> NOTE: Do not use the header_checks(5) IGNORE action to remove
+Postfix's own Received: message header. This causes problems with
+mail signing filters. Instead, keep Postfix's own Received: message
+header and use the header_checks(5) REPLACE action to sanitize
+information. </p>
+
 <p> You specify non-SMTP Milter applications with the non_smtpd_milters
 parameter. This parameter uses the same syntax as the smtpd_milters
 parameter in the previous section. As with the SMTP-only filters,

postfix/proto/SASL_README.html

@@ -359,7 +359,8 @@ library for configuration can be set with: </p>
 <blockquote>
 <pre>
 /etc/postfix/main.cf:
-    smtpd_sasl_application_name = smtpd
+    smtpd_sasl_application_name = smtpd (Postfix &lt; 2.3)
+    smtpd_sasl_path = smtpd (Postfix 2.3 and later)
 </pre>
 </blockquote>
 
@@ -687,8 +688,9 @@ reject_sender_login_mismatch into
 reject_authenticated_sender_login_mismatch and
 reject_unauthenticated_sender_login_mismatch, and revised the docs.
 
-<li> Wietse made another iteration through the code to add
-plug-in support for multiple SASL implementations.
+<li> Wietse made another iteration through the code to add plug-in
+support for multiple SASL implementations, and changed
+smtpd_sasl_application_name into smtpd_sasl_path.
 
 <li> The Dovecot SMTP server-only plug-in was originally implemented by
 Timo Sirainen of Procontrol, Finland.

postfix/proto/postconf.proto

@@ -7480,7 +7480,8 @@ is <b>smtpd</b>, corresponding to a SASL configuration file named
 </p>
 
 <p>
-This feature is available in Postfix 2.1 and later.
+This feature is available in Postfix 2.1 and 2.2. With Postfix 2.3
+it was renamed to smtpd_sasl_path.
 </p>
 
 %PARAM strict_7bit_headers no
@@ -9307,7 +9308,8 @@ the SASL plug-in implementation that is selected with
 <b>smtpd_sasl_type</b>.  Typically this specifies the name of a
 configuration file or rendezvous point. </p>
 
-<p> This feature is available in Postfix 2.3 and later. </p>
+<p> This feature is available in Postfix 2.3 and later. In earlier
+releases it was called smtpd_sasl_application. </p>
 
 %PARAM smtp_sasl_path
 

postfix/src/cleanup/cleanup_milter.c

@@ -272,7 +272,8 @@ static void cleanup_add_header(void *context, char *name, char *value)
 static off_t cleanup_find_header(CLEANUP_STATE *state, ssize_t index,
 			             const char *header_label, VSTRING *buf,
 				         int *prec_type,
-				         int allow_ptr_backup)
+				         int allow_ptr_backup,
+				         int skip_headers)
 {
     const char *myname = "cleanup_find_header";
     off_t   curr_offset;		/* offset after found record */
@@ -281,6 +282,7 @@ static off_t cleanup_find_header(CLEANUP_STATE *state, ssize_t index,
     int     rec_type;
     int     last_type;
     ssize_t len;
+    int     hdr_count = 0;
 
     if (msg_verbose)
 	msg_info("%s: index %ld name \"%s\"",
@@ -328,6 +330,28 @@ static off_t cleanup_find_header(CLEANUP_STATE *state, ssize_t index,
      * duplicate some of its logic here and in the routines that delete or
      * modify header records. To minimize the duplication we define an ugly
      * macro that is used in all code that scans for header boundaries.
+     * 
+     * XXX Sendmail compatibility (based on Sendmail 8.13.6 measurements).
+     * 
+     * - When changing Received: header #1, we change the Received: header that
+     * follows our own one; a request to change Received: header #0 is
+     * silently treated as a request to change Received: header #1.
+     * 
+     * - When changing Date: header #1, we change the first Date: header; a
+     * request to change Date: header #0 is silently treated as a request to
+     * change Date: header #1.
+     * 
+     * Thus, header change requests are relative to the content as received,
+     * that is, the content after our own Received: header. They can affect
+     * only the headers that the MTA actually exposes to mail filter
+     * applications.
+     * 
+     * - However, when inserting a header at position 0, the new header appears
+     * before our own Received: header, and when inserting at position 1, the
+     * new header appears after our own Received: header.
+     * 
+     * Thus, header insert operations are relative to the content as delivered,
+     * that is, the content including our own Received: header.
      */
 #define GET_NEXT_TEXT_OR_PTR_RECORD(rec_type, state, buf, curr_offset) \
     if ((rec_type = rec_get_raw(state->dst, buf, 0, REC_FLAG_NONE)) < 0) \
@@ -374,6 +398,8 @@ static off_t cleanup_find_header(CLEANUP_STATE *state, ssize_t index,
 	    break;
 	}
 	/* This the start of a message header. */
+	else if (hdr_count++ < skip_headers)
+	    continue;
 	else if ((header_label == 0
 		  || (strncasecmp(header_label, STR(buf), len) == 0
 		      && (IS_SPACE_TAB(STR(buf)[len])
@@ -590,12 +616,15 @@ static void cleanup_ins_header(void *context, ssize_t index,
      */
 #define NO_HEADER_NAME	((char *) 0)
 #define ALLOW_PTR_BACKUP	1
+#define SKIP_ONE_HEADER		1
+#define DONT_SKIP_HEADERS	0
 
     if (index < 1)
 	index = 1;
     old_rec_offset = cleanup_find_header(state, index, NO_HEADER_NAME,
 					 old_rec_buf, &old_rec_type,
-					 ALLOW_PTR_BACKUP);
+					 ALLOW_PTR_BACKUP,
+					 DONT_SKIP_HEADERS);
     if (old_rec_offset < 0) {
 	cleanup_add_header(context, new_hdr_name, new_hdr_value);
     } else {
@@ -658,7 +687,8 @@ static void cleanup_upd_header(void *context, ssize_t index,
     rec_buf = vstring_alloc(100);
     old_rec_offset = cleanup_find_header(state, index, new_hdr_name,
 					 rec_buf, &last_type,
-					 NO_PTR_BACKUP);
+					 NO_PTR_BACKUP,
+					 SKIP_ONE_HEADER);
     if (old_rec_offset < 0) {
 	cleanup_add_header(context, new_hdr_name, new_hdr_value);
     } else {
@@ -733,7 +763,8 @@ static void cleanup_del_header(void *context, ssize_t index, char *hdr_name)
      */
     rec_buf = vstring_alloc(100);
     header_offset = cleanup_find_header(state, index, hdr_name, rec_buf,
-					&last_type, NO_PTR_BACKUP);
+					&last_type, NO_PTR_BACKUP,
+					SKIP_ONE_HEADER);
     /* Memory usage for header offsets is limited by header_size_limit. */
     if (header_offset > 0) {
 	ssize_t off_len = 1;

postfix/src/global/mail_version.h

@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20060629"
-#define MAIL_VERSION_NUMBER	"2.3-RC1"
+#define MAIL_RELEASE_DATE	"20060630"
+#define MAIL_VERSION_NUMBER	"2.3-RC2"
 
 #define VAR_MAIL_VERSION	"mail_version"
 #define DEF_MAIL_VERSION	MAIL_VERSION_NUMBER

postfix/src/master/multi_server.c

@@ -755,9 +755,7 @@ NORETURN multi_server_main(int argc, char **argv, MULTI_SERVER_FN service,...)
      * Optionally, restrict the damage that this process can do.
      */
     resolve_local_init();
-#ifdef SNAPSHOT
     tzset();
-#endif
     chroot_uid(root_dir, user_name);
 
     /*

postfix/src/master/single_server.c

@@ -658,9 +658,7 @@ NORETURN single_server_main(int argc, char **argv, SINGLE_SERVER_FN service,...)
      * Optionally, restrict the damage that this process can do.
      */
     resolve_local_init();
-#ifdef SNAPSHOT
     tzset();
-#endif
     chroot_uid(root_dir, user_name);
 
     /*

postfix/src/master/trigger_server.c

@@ -678,9 +678,7 @@ NORETURN trigger_server_main(int argc, char **argv, TRIGGER_SERVER_FN service,..
      * Optionally, restrict the damage that this process can do.
      */
     resolve_local_init();
-#ifdef SNAPSHOT
     tzset();
-#endif
     chroot_uid(root_dir, user_name);
 
     /*

postfix/src/milter/milter8.c

@@ -1857,6 +1857,7 @@ static void milter8_disc_event(MILTER *m)
 typedef struct {
     MILTER8 *milter;			/* milter client */
     ARGV   *macros;			/* end-of-body macros */
+    int     hdr_count;			/* header counter */
     const char *resp;			/* milter application response */
 } MILTER_MSG_CONTEXT;
 
@@ -1872,6 +1873,23 @@ static void milter8_header(void *ptr, int unused_header_class,
     char   *cp;
     int     skip_reply;
 
+    /*
+     * XXX Sendmail compatibility. Don't expose our first (received) header
+     * to mail filter applications. See also cleanup_milter.c for code to
+     * ensure that header replace requests are relative to the message
+     * content as received, that is, without our own first (received) header,
+     * while header insert requests are relative to the message as delivered,
+     * that is, including our own first (received) header.
+     * 
+     * XXX But this breaks when they delete our own Received: header with
+     * header_checks before it reaches the queue file. Even then we must not
+     * expose the first header to mail filter applications, otherwise the
+     * dk-filter signature will be inserted at the wrong position. It should
+     * precede the headers that it signs.
+     */
+    if (msg_ctx->hdr_count++ == 0)
+	return;
+
     /*
      * Sendmail 8 sends multi-line headers as text separated by newline.
      * 
@@ -2029,6 +2047,7 @@ static const char *milter8_message(MILTER *m, VSTREAM *qfile,
 	}
 	msg_ctx.milter = milter;
 	msg_ctx.macros = macros;
+	msg_ctx.hdr_count = 0;
 	msg_ctx.resp = 0;
 	mime_state =
 	    mime_state_alloc(MIME_OPT_DISABLE_MIME,

postfix/src/milter/test-milter.c

@@ -191,6 +191,18 @@ static sfsistat test_body(SMFICTX *ctx, unsigned char *data, size_t data_len)
 static sfsistat test_eom(SMFICTX *ctx)
 {
     printf("test_eom\n");
+#if 0
+    if (smfi_insheader(ctx, 1, "Received", "insert at 1") == MI_FAILURE)
+	fprintf(stderr, "smfi_insheader failed");
+#endif
+#if 0
+    if (smfi_chgheader(ctx, "Received", 1, "change received #1") == MI_FAILURE)
+	fprintf(stderr, "smfi_chgheader failed");
+#endif
+#if 0
+    if (smfi_chgheader(ctx, "date", 0, "change date #0") == MI_FAILURE)
+	fprintf(stderr, "smfi_chgheader failed");
+#endif
     return (test_reply(ctx, test_eom_reply));
 }
 
@@ -234,7 +246,7 @@ static struct smfiDesc smfilter =
 {
     "test-milter",
     SMFI_VERSION,
-    SMFIF_ADDRCPT | SMFIF_DELRCPT | SMFIF_CHGHDRS,
+    SMFIF_ADDRCPT | SMFIF_DELRCPT | SMFIF_ADDHDRS | SMFIF_CHGHDRS,
     test_connect,
     test_helo,
     test_mail,

postfix/src/smtpd/smtpd_check.c

@@ -3484,7 +3484,6 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
 			     450, "4.7.0",
 			     "<%s>: %s rejected: defer_if_reject requested",
 			     reply_name, reply_class);
-#ifdef SNAPSHOT
 	} else if (strcasecmp(name, SLEEP) == 0) {
 	    if (cpp[1] == 0 || alldig(cpp[1]) == 0) {
 		msg_warn("restriction %s must be followed by number", SLEEP);
@@ -3494,7 +3493,6 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
 					   "Server configuration error"));
 	    } else
 		sleep(atoi(*++cpp));
-#endif
 	} else if (strcasecmp(name, REJECT_PLAINTEXT_SESSION) == 0) {
 	    status = reject_plaintext_session(state);
 	}

postfix/src/trivial-rewrite/trivial-rewrite.c

@@ -473,8 +473,6 @@ static void pre_accept(char *unused_name, char **unused_argv)
 
 #endif
 
-#ifdef SNAPSHOT
-
 static void check_table_stats(int unused_event, char *unused_context)
 {
     const char *table;
@@ -486,8 +484,6 @@ static void check_table_stats(int unused_event, char *unused_context)
     event_request_timer(check_table_stats, (char *) 0, 10);
 }
 
-#endif
-
 /* pre_jail_init - initialize before entering chroot jail */
 
 static void pre_jail_init(char *unused_name, char **unused_argv)
@@ -525,9 +521,7 @@ static void post_jail_init(char *unused_name, char **unused_argv)
 	transport_post_init(resolve_regular.transport_info);
     if (resolve_verify.transport_info)
 	transport_post_init(resolve_verify.transport_info);
-#ifdef SNAPSHOT
     check_table_stats(0, (char *) 0);
-#endif
 
     /*
      * This process is called by clients that already enforce the max_idle