postfix-3.2-20160221

2025-09-02 15:15:24 +00:00 · 2016-02-21 00:00:00 -05:00
parent 70f66a4b6a
commit fe4ec2d6c0
13 changed files with 329 additions and 240 deletions
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -22178,3 +22178,11 @@ Apologies for any names omitted.
 20160214
 	More manpage cleanups. Viktor, Wietse.
 20160215
 	Cleanup: "match_list_match: permit_mynetworks: no match" after
 	a SUCCESSFUL permit_mynetworks match of a client IP address was
 	complicating troubleshooting.  The fix is to log additional
 	context to clarify that this "no match" condition is for
 	smtpd_log_access_permit_actions. File: smtpd/smtpd_check.c.
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@@ -1,169 +1,17 @@
-This is the Postfix 3.1 (experimental) release.
+This is the Postfix 3.2 (experimental) release.
-The stable Postfix release is called postfix-3.0.x where 3=major
+The stable Postfix release is called postfix-3.1.x where 3=major
-release number, 0=minor release number, x=patchlevel.  The stable
+release number, 1=minor release number, x=patchlevel.  The stable
 release never changes except for patches that address bugs or
 emergencies. Patches change the patchlevel and the release date.
 New features are developed in snapshot releases. These are called
-postfix-3.1-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+postfix-3.2-yyyymmdd where yyyymmdd is the release date (yyyy=year,
 mm=month, dd=day).  Patches are never issued for snapshot releases;
 instead, a new snapshot is released.
 The mail_release_date configuration parameter (format: yyyymmdd)
 specifies the release date of a stable release or snapshot release.
-If you upgrade from Postfix 2.11 or earlier, read RELEASE_NOTES-3.0
+If you upgrade from Postfix 3.0 or earlier, read RELEASE_NOTES-3.1
 before proceeding.
 Major changes with snaphot 20160207
 ===================================
 A new "postfix tls" command to quickly enable opportunistic TLS in
 the Postfix SMTP client or server, and to manage SMTP server keys
 and certificates, including certificate signing requests and TLSA
 DNS records for DANE. See the postfix-tls(1) manpage for a detailed
 description.
 Major changes with snaphot 20151227
 ===================================
 The new address_verify_pending_request_limit parameter introduces
 a safety limit for the number of address verification probes in the
 active queue.  The default limit is 1/4 of the active queue maximum
 size. The queue manager enforces the limit by tempfailing probe
 messages that exceed the limit. This design avoids dependencies on
 global counters that get out of sync after a process or system crash.
 Tempfailing verify requests is not as bad as one might think.  The
 Postfix verify cache proactively updates active addresses weeks
 before they expire. The address_verify_pending_request_limit affects
 only unknown addresses, and inactive addresses that have expired
 from the address verify cache (by default, after 31 days).
 Major changes with snaphot 20151129
 ===================================
 Machine-readable, JSON-formatted queue listing with "postqueue -j"
 (no "mailq" equivalent).  The output is a stream of JSON objects,
 one per queue file.  To simplify parsing, each JSON object is
 formatted as one text line followed by one newline character. See
 the postqueue(1) manpage for a detailed description of the output
 format.
 Major changes with Postfix snapshot 20151031
 ============================================
 New "smtpd_client_auth_rate_limit" feature, to enforce an optional
 rate limit on the number of AUTH commands per client IP address.
 Similar to other smtpd_client_*rate_limit features, this enforces
 a limit on the number of requests per $anvil_rate_time_unit.
 Major changes with Postfix snapshot 20150913
 ============================================
 New SMTPD policy service attribute "policy_context", with a
 corresponding "smtpd_policy_service_policy_context" configuration
 parameter.  Originally, this was implemented to share the same SMTPD
 policy service endpoint among multiple check_policy_service clients.
 Incompatible change with Postfix snapshot 20150721
 ==================================================
 As of the middle of 2015, all supported Postfix releases no longer
 enable "export" grade ciphers for opportunistic TLS, and no longer
 use the deprecated SSLv2 and SSLv3 protocols for mandatory or
 opportunistic TLS.
 These changes are very unlikely to cause problems with server-to-server
 communication over the Internet, but they may result in interoperability
 problems with ancient client or server implementations on internal
 networks.  To address this problem, you can revert the changes with:
 Postfix SMTP client settings:
    lmtp_tls_ciphers = export
    smtp_tls_ciphers = export
    lmtp_tls_protocols = !SSLv2
    smtp_tls_protocols = !SSLv2
    lmtp_tls_mandatory_protocols = !SSLv2
    smtp_tls_mandatory_protocols = !SSLv2
 Postfix SMTP server settings:
    smtpd_tls_ciphers = export
    smtpd_tls_protocols =
    smtpd_tls_mandatory_protocols = !SSLv2
 These settings, if put in main.cf, affect all Postfix SMTP client
 or server communication, which may be undesirable. To be more
 selective, use "-o name=value" parameter overrides on specific
 services in master.cf. Execute the command "postfix reload" to make
 the changes effective.
 Major changes with snaphot 20150710
 ===================================
 postscreen support for the TTL of DNSBL and DNSWL lookup results
 ----------------------------------------------------------------
 Historically, the default setting "postscreen_dnsbl_ttl = 1h" assumes
 that a "not found" result from a DNSBL server will be valid for one
 hour.  This may have been adequate five years ago when postscreen
 was first implemented, but nowadays, that one hour can result in
 missed opportunities to block new spambots.
 To address this, postscreen now respects the TTL of DNSBL "not
 found" replies, as well as the TTL of DNSWL replies (both "found"
 and "not found").  The TTL for a "not found" reply is determined
 according to RFC 2308 (the TTL of an SOA record in the reply).
 Support for DNSBL or DNSWL reply TTL values is controlled by two
 configuration parameters:
 postscreen_dnsbl_min_ttl (default: 60 seconds).
    This parameter specifies a minimum for the amount of time that
    a DNSBL or DNSWL result will be cached in the postscreen_cache_map.
    This prevents an excessive number of postscreen cache updates
    when a DNSBL or DNSWL server specifies a very small reply TTL.
 postscreen_dnsbl_max_ttl (default: $postscreen_dnsbl_ttl or 1 hour)
    This parameter specifies a maximum for the amount of time that
    a DNSBL or DNSWL result will be cached in the postscreen_cache_map.
    This prevents cache pollution when a DNSBL or DNSWL server
    specifies a very large reply TTL.
 The postscreen_dnsbl_ttl parameter is now obsolete, and has become
 a default value for the new postscreen_dnsbl_max_ttl parameter.
 Destination-independent delivery rate delay
 -------------------------------------------
 Support to enforce a destination-independent delay between email
 deliveries.  The following example inserts 20 seconds of delay
 between all deliveries with the SMTP transport, limiting the delivery
 rate to at most three messages per minute.
 /etc/postfix/main.cf:
    smtp_transport_rate_delay = 20s
 For details, see the description of default_transport_rate_delay
 and transport_transport_rate_delay in the postconf(5) manpage.
 Major changes with snaphot 20150523
 ===================================
 The milter_macro_defaults feature provides an optional list of macro
 name=value pairs. These specify default values for Milter macros
 when no value is available from the SMTP session context.
 For example, with "milter_macro_defaults = auth_type=TLS", the
 Postfix SMTP server will send an auth_type of "TLS" to a Milter,
 unless the remote client authenticates with SASL.
 This feature was originally implemented for a submission service
 that may authenticate clients with a TLS certificate, without having
 to make changes to the code that implements TLS support.
--- a/postfix/RELEASE_NOTES-3.1
+++ b/postfix/RELEASE_NOTES-3.1
@@ -0,0 +1,188 @@
 This is the Postfix 3.1 (stable) release.
 The stable Postfix release is called postfix-3.1.x where 3=major
 release number, 1=minor release number, x=patchlevel.  The stable
 release never changes except for patches that address bugs or
 emergencies. Patches change the patchlevel and the release date.
 New features are developed in snapshot releases. These are called
 postfix-3.2-yyyymmdd where yyyymmdd is the release date (yyyy=year,
 mm=month, dd=day).  Patches are never issued for snapshot releases;
 instead, a new snapshot is released.
 The mail_release_date configuration parameter (format: yyyymmdd)
 specifies the release date of a stable release or snapshot release.
 If you upgrade from Postfix 2.11 or earlier, read RELEASE_NOTES-3.0
 Major changes - address verification safety
 -------------------------------------------
 [Feature 20151227] The new address_verify_pending_request_limit
 parameter introduces a safety limit for the number of address
 verification probes in the active queue.  The default limit is 1/4
 of the active queue maximum size. The queue manager enforces the
 limit by tempfailing probe messages that exceed the limit. This
 design avoids dependencies on global counters that get out of sync
 after a process or system crash.
 Tempfailing verify requests is not as bad as one might think.  The
 Postfix verify cache proactively updates active addresses weeks
 before they expire. The address_verify_pending_request_limit affects
 only unknown addresses, and inactive addresses that have expired
 from the address verify cache (by default, after 31 days).
 Major changes - json support
 ----------------------------
 [Feature 20151129] Machine-readable, JSON-formatted queue listing
 with "postqueue -j" (no "mailq" equivalent).  The output is a stream
 of JSON objects, one per queue file.  To simplify parsing, each
 JSON object is formatted as one text line followed by one newline
 character. See the postqueue(1) manpage for a detailed description
 of the output format.
 Major changes - milter support
 ------------------------------
 [Feature 20150523] The milter_macro_defaults feature provides an
 optional list of macro name=value pairs. These specify default
 values for Milter macros when no value is available from the SMTP
 session context.
 For example, with "milter_macro_defaults = auth_type=TLS", the
 Postfix SMTP server will send an auth_type of "TLS" to a Milter,
 unless the remote client authenticates with SASL.
 This feature was originally implemented for a submission service
 that may authenticate clients with a TLS certificate, without having
 to make changes to the code that implements TLS support.
 Major changes - output rate control
 -----------------------------------
 [Feature 20150710] Destination-independent delivery rate delay
 Support to enforce a destination-independent delay between email
 deliveries.  The following example inserts 20 seconds of delay
 between all deliveries with the SMTP transport, limiting the delivery
 rate to at most three messages per minute.
 /etc/postfix/main.cf:
    smtp_transport_rate_delay = 20s
 For details, see the description of default_transport_rate_delay
 and transport_transport_rate_delay in the postconf(5) manpage.
 Major changes - postscreen dnsbl
 --------------------------------
 [Feature 20150710] postscreen support for the TTL of DNSBL and DNSWL
 lookup results
 Historically, the default setting "postscreen_dnsbl_ttl = 1h" assumes
 that a "not found" result from a DNSBL server will be valid for one
 hour.  This may have been adequate five years ago when postscreen
 was first implemented, but nowadays, that one hour can result in
 missed opportunities to block new spambots.
 To address this, postscreen now respects the TTL of DNSBL "not
 found" replies, as well as the TTL of DNSWL replies (both "found"
 and "not found").  The TTL for a "not found" reply is determined
 according to RFC 2308 (the TTL of an SOA record in the reply).
 Support for DNSBL or DNSWL reply TTL values is controlled by two
 configuration parameters:
 postscreen_dnsbl_min_ttl (default: 60 seconds).
    This parameter specifies a minimum for the amount of time that
    a DNSBL or DNSWL result will be cached in the postscreen_cache_map.
    This prevents an excessive number of postscreen cache updates
    when a DNSBL or DNSWL server specifies a very small reply TTL.
 postscreen_dnsbl_max_ttl (default: $postscreen_dnsbl_ttl or 1 hour)
    This parameter specifies a maximum for the amount of time that
    a DNSBL or DNSWL result will be cached in the postscreen_cache_map.
    This prevents cache pollution when a DNSBL or DNSWL server
    specifies a very large reply TTL.
 The postscreen_dnsbl_ttl parameter is now obsolete, and has become
 the default value for the new postscreen_dnsbl_max_ttl parameter.
 Major changes - sasl auth safety
 --------------------------------
 [Feature 20151031] New "smtpd_client_auth_rate_limit" feature, to
 enforce an optional rate limit on AUTH commands per SMTP client IP
 address.  Similar to other smtpd_client_*_rate_limit features, this
 enforces a limit on the number of requests per $anvil_rate_time_unit.
 Major changes - smtpd policy
 ----------------------------
 [Feature 20150913] New SMTPD policy service attribute "policy_context",
 with a corresponding "smtpd_policy_service_policy_context" configuration
 parameter.  Originally, this was implemented to share the same SMTPD
 policy service endpoint among multiple check_policy_service clients.
 Incompatible change with Postfix snapshot 20150721
 ==================================================
 Major changes - tls
 -------------------
 [Feature 20160207] A new "postfix tls" command to quickly enable
 opportunistic TLS in the Postfix SMTP client or server, and to
 manage SMTP server keys and certificates, including certificate
 signing requests and TLSA DNS records for DANE. See the postfix-tls(1)
 manpage for a detailed description.
 [Feature 20160103] The Postfix SMTP client by default enables DANE
 policies when an MX host has a (DNSSEC) secure TLSA DNS record,
 even if the MX DNS record was obtained with insecure lookups.  The
 existence of a secure TLSA record implies that the host wants to
 talk TLS and not plaintext. For details see the
 smtp_tls_dane_insecure_mx_policy configuration parameter.
 [Incompat 20150719] The default Diffie-Hellman non-export prime was
 updated from 1024 to 2048 bits, because SMTP clients are starting
 to reject TLS handshakes with primes smaller than 2048 bits.
 Historically, this prime size is not negotiable, and each site needs
 to determine which prime size works best for the majority of its
 clients. See FORWARD_SECRECY_README for some hints in the quick-start
 section.
 [Incompat 20150721] As of the middle of 2015, all supported Postfix
 releases no longer enable "export" grade ciphers for opportunistic
 TLS, and no longer use the deprecated SSLv2 and SSLv3 protocols for
 mandatory or opportunistic TLS.
 These changes are very unlikely to cause problems with server-to-server
 communication over the Internet, but they may result in interoperability
 problems with ancient client or server implementations on internal
 networks.  To address this problem, you can revert the changes with:
 Postfix SMTP client settings:
    lmtp_tls_ciphers = export
    smtp_tls_ciphers = export
    lmtp_tls_protocols = !SSLv2
    smtp_tls_protocols = !SSLv2
    lmtp_tls_mandatory_protocols = !SSLv2
    smtp_tls_mandatory_protocols = !SSLv2
 Postfix SMTP server settings:
    smtpd_tls_ciphers = export
    smtpd_tls_protocols =
    smtpd_tls_mandatory_protocols = !SSLv2
 These settings, if put in main.cf, affect all Postfix SMTP client
 or server communication, which may be undesirable. To be more
 selective, use "-o name=value" parameter overrides on specific
 services in master.cf. Execute the command "postfix reload" to make
 the changes effective.
--- a/postfix/WISHLIST
+++ b/postfix/WISHLIST
@@ -6,6 +6,8 @@ Wish list:
 	Disable -DSNAPSHOT and -DNONPROD in makedefs.
 	Fix "make test" bitrot.
 	Remove this file from the stable release.
 	Things to do after the stable release:
--- a/postfix/conf/postfix-tls-script
+++ b/postfix/conf/postfix-tls-script
@@ -317,10 +317,7 @@ openssl=`$postconf -c $default_config_directory -xh openssl_path`
 # ----- END OpenSSL-specific -----
-# Make this our *last* "cd", so all the key/cert generation runs in the
+test -n "$config_directory" -a -d "$config_directory" || {
 # configuration directory.
 #
 test -n "$config_directory" && cd $config_directory || {
    $FATAL no Postfix configuration directory $config_directory!
    exit 1
 }
@@ -566,7 +563,8 @@ info_enable_client() {
 info_client_deployed() {
 	cat <<-EOM
-	Enabled opportunistic TLS in the Postfix SMTP client, run:
+	Enabled opportunistic TLS in the Postfix SMTP client.
 	Run the command:
 	  # postfix reload
 	if you want the new settings to take effect immediately.
 	EOM
@@ -603,7 +601,8 @@ info_server_deployed() {
 	    echo "Enabled opportunistic TLS in the Postfix SMTP server"
 	fi
 	cat <<-EOM
-	New TLS private key and certificate deployed, run:
+	New TLS private key and certificate deployed.
 	Run the command:
 	  # postfix reload
 	if you want the new settings to take effect immediately.
 	EOM
@@ -616,9 +615,9 @@ info_csr() {
 	  # postfix tls output-server-csr -k $2 [<hostname> ...]
 	EOM
 	if [ -z "$3" ]; then
-	    echo "Save the signed certificate chain in ${config_directory}/$1, and deploy as above."
+	    echo "Save the signed certificate chain in $1, and deploy as above."
 	else
-	    echo "Save the signed certificate chain in ${config_directory}/$1."
+	    echo "Save the signed certificate chain in $1."
 	fi
 }
@@ -659,9 +658,24 @@ set_fqdn() {
 set_keyfile() {
    keyfile=$1
    case $keyfile in
       rsa) if [ -n "${rsa}" ]; then
 		keyfile=`$postconf -nxh smtpd_tls_key_file`
 	    else
 		keyfile=
 	    fi
 	    ;;
     ecdsa) if [ -n "${ecdsa}" ]; then
 		keyfile=`$postconf -nxh smtpd_tls_eckey_file`
 	    else
 		keyfile=
 	    fi
 	    ;;
        "") : empty ok;;
-      $rsa) keyfile=`$postconf -nxh smtpd_tls_key_file`;;
+      none) : see below;;
-    $ecdsa) keyfile=`$postconf -nxh smtpd_tls_eckey_file`;;
+        /*) ;;
         *) # User-specified key pathnames are relative to the configuration
 	    # directory
 	    keyfile="${config_directory}/${keyfile}";;
    esac
    if [ "${keyfile}" = "none" ]; then keyfile= ; fi
 }
@@ -681,8 +695,10 @@ ensure_key() {
    case $_algo in
 	"") $FATAL "Internal error: empty algorithm "; return 1;;
-      $rsa) keyfile="key-${stamp}.pem";   certfile="cert-${stamp}.pem";;
+      $rsa) keyfile="${config_directory}/key-${stamp}.pem"
-    $ecdsa) keyfile="eckey-${stamp}.pem"; certfile="eccert-${stamp}.pem";;
+	    certfile="${config_directory}/cert-${stamp}.pem";;
    $ecdsa) keyfile="${config_directory}/eckey-${stamp}.pem"
 	    certfile="${config_directory}/eccert-${stamp}.pem";;
 	 *) $FATAL "Internal error: bad algorithm '${_algo}'"
 	    return 1;;
    esac
@@ -1003,8 +1019,21 @@ deploy-server-cert)
 	    exit 1
 	fi
 	shift
-	deploy_server_cert "$@" || exit 1
+
-	info_server_deployed "$1" "$2" "deploy" | $INFO
+	# User-specified key and cert pathnames are relative to the
 	# configuration directory
 	#
 	case "${1}" in
 	/*) certfile="${1}" ;;
 	 *) certfile="${config_directory}/${1}" ;;
 	esac
 	case "${2}" in
 	/*) certfile="${2}" ;;
 	 *) certfile="${config_directory}/${2}" ;;
 	esac
 	deploy_server_cert "${certfile}" "${keyfile}" || exit 1
 	info_server_deployed "${certfile}" "${keyfile}" "deploy" | $INFO
 	;;
 output-server-csr)
--- a/postfix/html/postconf.1.html
+++ b/postfix/html/postconf.1.html
@@ -290,8 +290,9 @@ POSTCONF(1)                                                        POSTCONF(1)
                     ple:  "<b><a href="DATABASE_README.html#types">randmap</a>:{</b><i>result</i><b>_</b><i>1,  ...,  result</i><b>_</b><i>n</i><b>}</b>".  Each  table
                     query returns a random choice from the specified results.
                     The first and last characters  of  the  "<a href="DATABASE_README.html#types">randmap</a>:"  table
-                     name  must be "<b>{</b>" and "<b>}</b>".  Within these, individual maps
+                     name  must  be  "<b>{</b>"  and  "<b>}</b>".   Within these, individual
-                     are separated with comma or whitespace.
+                     results are separated with comma or whitespace. To give a
                     specific result more weight, specify it multiple times.
              <b>regexp</b> (read-only)
                     A  lookup  table  based  on regular expressions. The file
--- a/postfix/man/man1/postconf.1
+++ b/postfix/man/man1/postconf.1
@@ -316,8 +316,9 @@ An in\-memory table that performs random selection. Example:
 "\fBrandmap:{\fIresult_1, ..., result_n\fB}\fR". Each table query
 returns a random choice from the specified results. The first
 and last characters of the "randmap:" table name must be
-"\fB{\fR" and "\fB}\fR".  Within these, individual maps are
+"\fB{\fR" and "\fB}\fR".  Within these, individual results
-separated with comma or whitespace.
+are separated with comma or whitespace. To give a specific
 result more weight, specify it multiple times.
 .IP "\fBregexp\fR (read\-only)"
 A lookup table based on regular expressions. The file format
 is described in \fBregexp_table\fR(5).
--- a/postfix/src/dns/Makefile.in
+++ b/postfix/src/dns/Makefile.in
@@ -381,6 +381,7 @@ dns_strtype.o: dns.h
 dns_strtype.o: dns_strtype.c
 test_dns_lookup.o: ../../include/argv.h
 test_dns_lookup.o: ../../include/check_arg.h
 test_dns_lookup.o: ../../include/mail_params.h
 test_dns_lookup.o: ../../include/msg.h
 test_dns_lookup.o: ../../include/msg_vstream.h
 test_dns_lookup.o: ../../include/myaddrinfo.h
--- a/postfix/src/dns/dns.h
+++ b/postfix/src/dns/dns.h
@@ -225,7 +225,6 @@ extern int dns_lookup_rl(const char *, unsigned, DNS_RR **, VSTRING *,
 			         VSTRING *, int *, int,...);
 extern int dns_lookup_rv(const char *, unsigned, DNS_RR **, VSTRING *,
 			         VSTRING *, int *, int, unsigned *);
 extern int dns_ncache_ttl_fix_enable;
 #define dns_lookup(name, type, rflags, list, fqdn, why) \
    dns_lookup_x((name), (type), (rflags), (list), (fqdn), (why), (int *) 0, \
--- a/postfix/src/dns/test_dns_lookup.c
+++ b/postfix/src/dns/test_dns_lookup.c
@@ -41,6 +41,10 @@
 #include <mymalloc.h>
 #include <argv.h>
 /* Global library. */
 #include <mail_params.h>
 /* Application-specific. */
 #include "dns.h"
@@ -86,7 +90,7 @@ int     main(int argc, char **argv)
 	    lflags |= DNS_REQ_FLAG_NCACHE_TTL;
 	    break;
 	case 'p':
-	    dns_ncache_ttl_fix_enable = 1;
+	    var_dns_ncache_ttl_fix = 1;
 	    break;
 	default:
 	    usage(argv);
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,8 +20,8 @@
  * Patches change both the patchlevel and the release date. Snapshots have no
  * patchlevel; they change the release date only.
  */
-#define MAIL_RELEASE_DATE	"20160214"
+#define MAIL_RELEASE_DATE	"20160221"
-#define MAIL_VERSION_NUMBER	"3.1"
+#define MAIL_VERSION_NUMBER	"3.2"
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE
--- a/postfix/src/postconf/postconf.c
+++ b/postfix/src/postconf/postconf.c
@@ -310,8 +310,9 @@
 /*	"\fBrandmap:{\fIresult_1, ..., result_n\fB}\fR". Each table query
 /*	returns a random choice from the specified results. The first
 /*	and last characters of the "randmap:" table name must be
-/*	"\fB{\fR" and "\fB}\fR".  Within these, individual maps are
+/*	"\fB{\fR" and "\fB}\fR".  Within these, individual results
-/*	separated with comma or whitespace.
+/*	are separated with comma or whitespace. To give a specific
 /*	result more weight, specify it multiple times.
 /* .IP "\fBregexp\fR (read-only)"
 /*	A lookup table based on regular expressions. The file format
 /*	is described in \fBregexp_table\fR(5).
--- a/postfix/src/smtpd/smtpd_check.c
+++ b/postfix/src/smtpd/smtpd_check.c
@@ -934,6 +934,7 @@ static int PRINTFLIKE(5, 6) smtpd_acl_permit(SMTPD_STATE *state,
 					             const char *reply_name,
 					             const char *format,...)
 {
    const char myname[] = "smtpd_acl_permit";
    va_list ap;
    const char *whatsup;
@@ -946,6 +947,9 @@ static int PRINTFLIKE(5, 6) smtpd_acl_permit(SMTPD_STATE *state,
    /*
     * First, find out if (and how) this permit action should be logged.
     */
    if (msg_verbose)
 	msg_info("%s: checking %s settings", myname, VAR_SMTPD_ACL_PERM_LOG);
    if (state->defer_if_permit.active) {
 	/* This action is overruled. Do not log. */
 	whatsup = 0;
@@ -966,6 +970,9 @@ static int PRINTFLIKE(5, 6) smtpd_acl_permit(SMTPD_STATE *state,
 	    va_end(ap);
 	}
 	log_whatsup(state, whatsup, STR(error_text));
    } else {
 	if (msg_verbose)
 	    msg_info("%s: %s: no match", myname, VAR_SMTPD_ACL_PERM_LOG);
    }
    return (SMTPD_CHECK_OK);
 }