From fff75d33cf2315e1abcbcb1cb7a2c99cef5b2c1c Mon Sep 17 00:00:00 2001
From: Wietse Venema <wietse@porcupine.org>
Date: Sat, 19 Oct 2019 00:00:00 -0500
Subject: [PATCH] postfix-3.5-20191019

---
 postfix/HISTORY                           | 14 ++++++++++++++
 postfix/WISHLIST                          |  6 ++++++
 postfix/src/global/mail_version.h         |  2 +-
 postfix/src/postscreen/postscreen_smtpd.c | 22 ++++++++++++++--------
 4 files changed, 35 insertions(+), 9 deletions(-)

diff --git a/postfix/HISTORY b/postfix/HISTORY
index 3d37b06f2..94ebeb18f 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -24437,3 +24437,17 @@ Apologies for any names omitted.
 	smtp/smtp_rcpt.c, tls/tls_certkey.c, util/nbbio.c,
 	util/vstream_tweak.c.
 
+20191014
+
+	Bugfix (introduced: Postfix 2.8): don't gratuitously enable
+	all after-220 tests when only one such test is enabled.
+	This made selective tests impossible with 'good' clients.
+	File: postscreen/postscreen_smtpd.c.
+
+	Bugfix: the 20180903 postscreen fix for a misleading
+	"PIPELINING after BDAT" warning looked at the wrong variable.
+	The warning now says "BDAT without valid RCPT", and the
+	error is no longer treated as a command PIPELINING error
+	(but sending BDAT is still a client error, because postscreen
+	rejects all RCPT commands and does not announce PIPELINING
+	support). File: postscreen/postscreen_smtpd.c.
diff --git a/postfix/WISHLIST b/postfix/WISHLIST
index 254a6a792..4eb76f466 100644
--- a/postfix/WISHLIST
+++ b/postfix/WISHLIST
@@ -7,6 +7,12 @@ Wish list:
 	See also postscreen even-driven client for policy delegation
 	below.
 
+	smtp_line_length_limit can insert a line break in the middle
+	of a multi-byte character (which is not necessarily UTF-8,
+	so we can't simply look at the 8th bit). Also, note that a
+	multi-byte character may span queue file record boundaries,
+	for example if line_length_limit == smtp_line_length_limit.
+
 	Replace ad-hoc code for pipe(8) flags handling, with
 	infrastructure that was built for smtp(8).
 
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index fba54444c..94892346b 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20191013"
+#define MAIL_RELEASE_DATE	"20191019"
 #define MAIL_VERSION_NUMBER	"3.5"
 
 #ifdef SNAPSHOT
diff --git a/postfix/src/postscreen/postscreen_smtpd.c b/postfix/src/postscreen/postscreen_smtpd.c
index 901a51f88..9eba25462 100644
--- a/postfix/src/postscreen/postscreen_smtpd.c
+++ b/postfix/src/postscreen/postscreen_smtpd.c
@@ -591,6 +591,8 @@ static int psc_data_cmd(PSC_STATE *state, char *args)
      * never see DATA from a legitimate client, because 1) the server rejects
      * every recipient, and 2) the server does not announce PIPELINING.
      */
+    msg_info("DATA without valid RCPT from [%s]:%s",
+	     PSC_CLIENT_ADDR_PORT(state));
     if (PSC_SMTPD_NEXT_TOKEN(args) != 0)
 	PSC_CLEAR_EVENT_DROP_SESSION_STATE(state,
 					   psc_smtpd_time_event,
@@ -620,6 +622,8 @@ static int psc_bdat_cmd(PSC_STATE *state, char *args)
      * client, because 1) the server rejects every recipient, and 2) the
      * server does not announce PIPELINING.
      */
+    msg_info("BDAT without valid RCPT from [%s]:%s",
+	     PSC_CLIENT_ADDR_PORT(state));
     if (state->ehlo_discard_mask & EHLO_MASK_CHUNKING)
 	PSC_CLEAR_EVENT_DROP_SESSION_STATE(state,
 					   psc_smtpd_time_event,
@@ -1033,7 +1037,7 @@ static void psc_smtpd_read_event(int event, void *context)
 	    }
 	}
 	/* Command PIPELINING test. */
-	if ((state->flags & PSC_SMTPD_CMD_FLAG_HAS_PAYLOAD) == 0
+	if ((cmdp->flags & PSC_SMTPD_CMD_FLAG_HAS_PAYLOAD) == 0
 	    && (state->flags & PSC_STATE_MASK_PIPEL_TODO_SKIP)
 	    == PSC_STATE_FLAG_PIPEL_TODO && !PSC_SMTPD_BUFFER_EMPTY(state)) {
 	    printable(command, '?');
@@ -1172,16 +1176,18 @@ void    psc_smtpd_tests(PSC_STATE *state)
     state->read_state = PSC_SMTPD_CMD_ST_ANY;
 
     /*
-     * Opportunistically make postscreen more useful by turning on the
-     * pipelining and non-SMTP command tests when a pre-handshake test
-     * failed, or when some deep test is configured as enabled.
+     * Disable all after-220 tests when we need to reply with 421 and hang up
+     * after reading the next SMTP client command.
      * 
-     * XXX Make "opportunistically" configurable for each test.
+     * Opportunistically make postscreen more useful, by turning on all
+     * after-220 tests when a bad client failed a before-220 test.
+     * 
+     * Otherwise, only apply the explicitly-configured after-220 tests.
      */
-    if ((state->flags & PSC_STATE_FLAG_SMTPD_X21) == 0) {
-	state->flags |= PSC_STATE_MASK_SMTPD_TODO;
-    } else {
+    if (state->flags & PSC_STATE_FLAG_SMTPD_X21) {
 	state->flags &= ~PSC_STATE_MASK_SMTPD_TODO;
+    } else if (state->flags & PSC_STATE_MASK_ANY_FAIL) {
+	state->flags |= PSC_STATE_MASK_SMTPD_TODO;
     }
 
     /*