Prereq: "2.8.1" diff -cr --new-file /var/tmp/postfix-2.8.1/src/global/mail_version.h ./src/global/mail_version.h *** /var/tmp/postfix-2.8.1/src/global/mail_version.h Tue Feb 22 17:06:08 2011 --- ./src/global/mail_version.h Mon Mar 21 16:46:27 2011 *************** *** 20,27 **** * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20110222" ! #define MAIL_VERSION_NUMBER "2.8.1" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE --- 20,27 ---- * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20110321" ! #define MAIL_VERSION_NUMBER "2.8.2" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -cr --new-file /var/tmp/postfix-2.8.1/HISTORY ./HISTORY *** /var/tmp/postfix-2.8.1/HISTORY Tue Feb 22 17:22:03 2011 --- ./HISTORY Wed Mar 16 10:52:15 2011 *************** *** 16538,16540 **** --- 16538,16571 ---- Cleanup: don't log a "connection reset by peer" warning when postscreen(8) tries to send a server response. File: postscreen/postscreen_send.c. + + 20110225 + + Workaround (problem introduced with IPv6 support in Postfix + 2.2): the SMTP client did not support mail to [ipv6:ipv6addr]. + Fix based on a patch by Gurusamy Sarathy (Sophos). File: + util/host_port.c and regression test files. + + 20110227 + + Portability: FreeBSD closefrom() support time window. Sahil + Tandon. File: util/sys_defs.h. + + 20110313 + + Bugfix (introduced Postfix 2.8): postscreen DNSBL scoring + error. When a client disconnected and then reconnected + before all DNSBL results for the earlier session arrived, + DNSBL results for the earlier session would be added to the + score for the later session. Problem report by Larry Vaden. + Files: dnsblog/dnsblog.c, postscreen/postscreen_dnsbl.c. + + Cleanup: protocol description in dnsblog(8) manpage. 
File: + dnsblog/dnsblog.c. + + 20110314 + + Portability: the SUN compiler had trouble with a pointer + expression of the form ``("text1" "text2") + constant'' so + we don't try to be so clever. Fix by Victor Duchovni. File: + global/mail_params.h. diff -cr --new-file /var/tmp/postfix-2.8.1/RELEASE_NOTES ./RELEASE_NOTES *** /var/tmp/postfix-2.8.1/RELEASE_NOTES Wed Jan 19 19:54:21 2011 --- ./RELEASE_NOTES Wed Mar 16 11:00:05 2011 *************** *** 11,16 **** --- 11,26 ---- The mail_release_date configuration parameter (format: yyyymmdd) specifies the release date of a stable release or snapshot release. + Incompatible changes with Postfix 2.8.2 + --------------------------------------- + + Use "postfix reload" after "make upgrade" on a running Postfix + system. This is needed because the protocol between postscreen(8) + and dnsblog(8) has changed. + + Postfix 2.8.0 release notes + --------------------------- + If you upgrade from Postfix 2.6 or earlier, read RELEASE_NOTES-2.7 before proceeding. diff -cr --new-file /var/tmp/postfix-2.8.1/html/dnsblog.8.html ./html/dnsblog.8.html *** /var/tmp/postfix-2.8.1/html/dnsblog.8.html Sun Jan 16 12:39:49 2011 --- ./html/dnsblog.8.html Sun Mar 13 16:15:22 2011 *************** *** 20,54 **** PROTOCOL With each connection, the dnsblog(8) server receives a DNS ! white/blacklist domain name and an IP address. If the ! address is listed under the DNS white/blacklist, the dns- ! blog(8) server logs the match and replies with the query ! arguments plus a non-zero status. Otherwise it replies ! with the query arguments plus a zero status. Finally, The ! dnsblog(8) server closes the connection. DIAGNOSTICS Problems and transactions are logged to syslogd(8). CONFIGURATION PARAMETERS ! Changes to main.cf are picked up automatically, as dns- ! blog(8) processes run for only a limited amount of time. Use the command "postfix reload" to speed up a change. ! The text below provides only a parameter summary. 
See postconf(5) for more details including examples. config_directory (see 'postconf -d' output) ! The default location of the Postfix main.cf and master.cf configuration files. daemon_timeout (18000s) ! How much time a Postfix daemon process may take to ! handle a request before it is terminated by a built-in watchdog timer. postscreen_dnsbl_sites (empty) ! Optional list of DNS white/blacklist domains, fil- ters and weight factors. ipc_timeout (3600s) --- 20,55 ---- PROTOCOL With each connection, the dnsblog(8) server receives a DNS ! white/blacklist domain name, IP address, and an ID. If ! the address is listed under the DNS white/blacklist, the ! dnsblog(8) server logs the match and replies with the ! query arguments plus an address list with the resulting IP ! addresses separated by whitespace. Otherwise it replies ! with the query arguments plus an empty address list. ! Finally, The dnsblog(8) server closes the connection. DIAGNOSTICS Problems and transactions are logged to syslogd(8). CONFIGURATION PARAMETERS ! Changes to main.cf are picked up automatically, as dns- ! blog(8) processes run for only a limited amount of time. Use the command "postfix reload" to speed up a change. ! The text below provides only a parameter summary. See postconf(5) for more details including examples. config_directory (see 'postconf -d' output) ! The default location of the Postfix main.cf and master.cf configuration files. daemon_timeout (18000s) ! How much time a Postfix daemon process may take to ! handle a request before it is terminated by a built-in watchdog timer. postscreen_dnsbl_sites (empty) ! Optional list of DNS white/blacklist domains, fil- ters and weight factors. ipc_timeout (3600s) *************** *** 56,78 **** over an internal communication channel. process_id (read-only) ! The process ID of a Postfix command or daemon process. process_name (read-only) ! The process name of a Postfix command or daemon process. queue_directory (see 'postconf -d' output) ! 
The location of the Postfix top-level queue direc- tory. syslog_facility (mail) The syslog facility of Postfix logging. syslog_name (see 'postconf -d' output) ! The mail system name that is prepended to the ! process name in syslog records, so that "smtpd" becomes, for example, "postfix/smtpd". SEE ALSO --- 57,79 ---- over an internal communication channel. process_id (read-only) ! The process ID of a Postfix command or daemon process. process_name (read-only) ! The process name of a Postfix command or daemon process. queue_directory (see 'postconf -d' output) ! The location of the Postfix top-level queue direc- tory. syslog_facility (mail) The syslog facility of Postfix logging. syslog_name (see 'postconf -d' output) ! The mail system name that is prepended to the ! process name in syslog records, so that "smtpd" becomes, for example, "postfix/smtpd". SEE ALSO *************** *** 81,87 **** syslogd(5), system logging LICENSE ! The Secure Mailer license must be distributed with this software. HISTORY --- 82,88 ---- syslogd(5), system logging LICENSE ! The Secure Mailer license must be distributed with this software. HISTORY diff -cr --new-file /var/tmp/postfix-2.8.1/makedefs ./makedefs *** /var/tmp/postfix-2.8.1/makedefs Sun Jan 16 16:02:31 2011 --- ./makedefs Tue Mar 1 14:08:11 2011 *************** *** 228,233 **** --- 228,239 ---- done ;; AIX.*) case "`uname -v`" in + 6) SYSTYPE=AIX6 + case "$CC" in + cc|*/cc|xlc|*/xlc) CCARGS="$CCARGS -w -blibpath:/usr/lib:/lib:/usr/local/lib";; + esac + CCARGS="$CCARGS -D_ALL_SOURCE -DHAS_POSIX_REGEXP" + ;; 5) SYSTYPE=AIX5 case "$CC" in cc|*/cc|xlc|*/xlc) CCARGS="$CCARGS -w -blibpath:/usr/lib:/lib:/usr/local/lib";; diff -cr --new-file /var/tmp/postfix-2.8.1/man/man8/dnsblog.8 ./man/man8/dnsblog.8 *** /var/tmp/postfix-2.8.1/man/man8/dnsblog.8 Sun Jan 16 12:39:49 2011 --- ./man/man8/dnsblog.8 Sun Mar 13 16:15:22 2011 *************** *** 22,33 **** .ad .fi With each connection, the \fBdnsblog\fR(8) server receives ! 
a DNS white/blacklist domain name and an IP address. If the ! address is listed under the DNS white/blacklist, the \fBdnsblog\fR(8) server logs the match and replies with the ! query arguments plus a non-zero status. Otherwise it replies ! with the query arguments plus a zero status. Finally, The ! \fBdnsblog\fR(8) server closes the connection. .SH DIAGNOSTICS .ad .fi --- 22,34 ---- .ad .fi With each connection, the \fBdnsblog\fR(8) server receives ! a DNS white/blacklist domain name, IP address, and an ID. ! If the address is listed under the DNS white/blacklist, the \fBdnsblog\fR(8) server logs the match and replies with the ! query arguments plus an address list with the resulting IP ! addresses separated by whitespace. Otherwise it replies ! with the query arguments plus an empty address list. Finally, ! The \fBdnsblog\fR(8) server closes the connection. .SH DIAGNOSTICS .ad .fi diff -cr --new-file /var/tmp/postfix-2.8.1/src/dnsblog/dnsblog.c ./src/dnsblog/dnsblog.c *** /var/tmp/postfix-2.8.1/src/dnsblog/dnsblog.c Sun Jan 16 12:39:46 2011 --- ./src/dnsblog/dnsblog.c Sun Mar 13 16:14:57 2011 *************** *** 14,25 **** /* .ad /* .fi /* With each connection, the \fBdnsblog\fR(8) server receives ! /* a DNS white/blacklist domain name and an IP address. If the ! /* address is listed under the DNS white/blacklist, the /* \fBdnsblog\fR(8) server logs the match and replies with the ! /* query arguments plus a non-zero status. Otherwise it replies ! /* with the query arguments plus a zero status. Finally, The ! /* \fBdnsblog\fR(8) server closes the connection. /* DIAGNOSTICS /* Problems and transactions are logged to \fBsyslogd\fR(8). /* CONFIGURATION PARAMETERS --- 14,26 ---- /* .ad /* .fi /* With each connection, the \fBdnsblog\fR(8) server receives ! /* a DNS white/blacklist domain name, IP address, and an ID. ! /* If the address is listed under the DNS white/blacklist, the /* \fBdnsblog\fR(8) server logs the match and replies with the ! 
/* query arguments plus an address list with the resulting IP ! /* addresses separated by whitespace. Otherwise it replies ! /* with the query arguments plus an empty address list. Finally, ! /* The \fBdnsblog\fR(8) server closes the connection. /* DIAGNOSTICS /* Problems and transactions are logged to \fBsyslogd\fR(8). /* CONFIGURATION PARAMETERS *************** *** 215,220 **** --- 216,222 ---- static void dnsblog_service(VSTREAM *client_stream, char *unused_service, char **argv) { + int request_id; /* * Sanity check. This service takes no command-line arguments. *************** *** 231,243 **** ATTR_FLAG_MORE | ATTR_FLAG_STRICT, ATTR_TYPE_STR, MAIL_ATTR_RBL_DOMAIN, rbl_domain, ATTR_TYPE_STR, MAIL_ATTR_ACT_CLIENT_ADDR, addr, ! ATTR_TYPE_END) == 2) { (void) dnsblog_query(result, STR(rbl_domain), STR(addr)); if (var_dnsblog_delay > 0) sleep(var_dnsblog_delay); attr_print(client_stream, ATTR_FLAG_NONE, ATTR_TYPE_STR, MAIL_ATTR_RBL_DOMAIN, STR(rbl_domain), ATTR_TYPE_STR, MAIL_ATTR_ACT_CLIENT_ADDR, STR(addr), ATTR_TYPE_STR, MAIL_ATTR_RBL_ADDR, STR(result), ATTR_TYPE_END); vstream_fflush(client_stream); --- 233,247 ---- ATTR_FLAG_MORE | ATTR_FLAG_STRICT, ATTR_TYPE_STR, MAIL_ATTR_RBL_DOMAIN, rbl_domain, ATTR_TYPE_STR, MAIL_ATTR_ACT_CLIENT_ADDR, addr, ! ATTR_TYPE_INT, MAIL_ATTR_LABEL, &request_id, ! 
ATTR_TYPE_END) == 3) { (void) dnsblog_query(result, STR(rbl_domain), STR(addr)); if (var_dnsblog_delay > 0) sleep(var_dnsblog_delay); attr_print(client_stream, ATTR_FLAG_NONE, ATTR_TYPE_STR, MAIL_ATTR_RBL_DOMAIN, STR(rbl_domain), ATTR_TYPE_STR, MAIL_ATTR_ACT_CLIENT_ADDR, STR(addr), + ATTR_TYPE_INT, MAIL_ATTR_LABEL, request_id, ATTR_TYPE_STR, MAIL_ATTR_RBL_ADDR, STR(result), ATTR_TYPE_END); vstream_fflush(client_stream); diff -cr --new-file /var/tmp/postfix-2.8.1/src/global/mail_params.h ./src/global/mail_params.h *** /var/tmp/postfix-2.8.1/src/global/mail_params.h Mon Jan 17 09:56:39 2011 --- ./src/global/mail_params.h Mon Mar 14 13:59:09 2011 *************** *** 2988,3020 **** #define DEF_TLS_PREEMPT_CLIST 0 extern bool var_tls_preempt_clist; ! #ifdef USE_TLS ! ! /* ! * The tweak for CVE-2005-2969 is needed in some versions prior to 1.0.0 ! */ #if (OPENSSL_VERSION_NUMBER < 0x1000000fL) ! #define TLS_BUG_TWEAK_A " CVE-2005-2969" #else ! #define TLS_BUG_TWEAK_A "" #endif - - /* - * The tweak for CVE-2010-4180 is needed in some versions prior to 1.0.1 - */ - #if (OPENSSL_VERSION_NUMBER < 0x1000100fL) - #define TLS_BUG_TWEAK_B " CVE-2010-4180" #else ! #define TLS_BUG_TWEAK_B " " #endif - #else /* USE_TLS */ - #define TLS_BUG_TWEAK_A "" - #define TLS_BUG_TWEAK_B " " - #endif /* USE_TLS */ - #define VAR_TLS_BUG_TWEAKS "tls_disable_workarounds" ! #define DEF_TLS_BUG_TWEAKS ((TLS_BUG_TWEAK_A TLS_BUG_TWEAK_B)+1) extern char *var_tls_bug_tweaks; /* --- 2988,3007 ---- #define DEF_TLS_PREEMPT_CLIST 0 extern bool var_tls_preempt_clist; ! /* The tweak for CVE-2010-4180 is needed in some versions prior to 1.0.1 */ ! /* The tweak for CVE-2005-2969 is needed in some versions prior to 1.0.0 */ ! #if defined(USE_TLS) && (OPENSSL_VERSION_NUMBER < 0x1000100fL) #if (OPENSSL_VERSION_NUMBER < 0x1000000fL) ! #define TLS_BUG_TWEAKS "CVE-2005-2969 CVE-2010-4180" #else ! #define TLS_BUG_TWEAKS "CVE-2010-4180" #endif #else ! 
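Review bot: `request_id` in dnsblog_service() is only filled in by attr_scan() and written back by attr_print(); neither the declaration added in the previous hunk nor this hunk says that the value is opaque to dnsblog. A comment on the declaration would state the contract, for example `int request_id; /* opaque; echoed back to the requester unchanged */`. The expected attr_scan() count moves from 2 to 3, so a peer that still sends the old two-attribute request no longer matches this branch. What happens to such a request is decided outside this hunk and is worth confirming, since the only visible mitigation is the RELEASE_NOTES instruction to run "postfix reload" after upgrading.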
#define TLS_BUG_TWEAKS "" #endif #define VAR_TLS_BUG_TWEAKS "tls_disable_workarounds" ! #define DEF_TLS_BUG_TWEAKS TLS_BUG_TWEAKS extern char *var_tls_bug_tweaks; /* diff -cr --new-file /var/tmp/postfix-2.8.1/src/postscreen/postscreen_dnsbl.c ./src/postscreen/postscreen_dnsbl.c *** /var/tmp/postfix-2.8.1/src/postscreen/postscreen_dnsbl.c Sat Jan 15 18:09:25 2011 --- ./src/postscreen/postscreen_dnsbl.c Sun Mar 13 14:35:02 2011 *************** *** 143,148 **** --- 143,149 ---- int total; /* combined blocklist score */ int refcount; /* score reference count */ int pending_lookups; /* nr of DNS requests in flight */ + int request_id; /* duplicate suppression */ /* Call-back table support. */ int index; /* next table index */ int limit; /* last valid index */ *************** *** 344,349 **** --- 345,351 ---- PSC_DNSBL_HEAD *head; PSC_DNSBL_SITE *site; ARGV *reply_argv; + int request_id; PSC_CLEAR_EVENT_REQUEST(vstream_fileno(stream), psc_dnsbl_receive, context); *************** *** 367,376 **** ATTR_FLAG_STRICT, ATTR_TYPE_STR, MAIL_ATTR_RBL_DOMAIN, reply_dnsbl, ATTR_TYPE_STR, MAIL_ATTR_ACT_CLIENT_ADDR, reply_client, ATTR_TYPE_STR, MAIL_ATTR_RBL_ADDR, reply_addr, ! ATTR_TYPE_END) == 3 && (score = (PSC_DNSBL_SCORE *) ! htable_find(dnsbl_score_cache, STR(reply_client))) != 0) { /* * Run this response past all applicable DNSBL filters and update the --- 369,380 ---- ATTR_FLAG_STRICT, ATTR_TYPE_STR, MAIL_ATTR_RBL_DOMAIN, reply_dnsbl, ATTR_TYPE_STR, MAIL_ATTR_ACT_CLIENT_ADDR, reply_client, + ATTR_TYPE_INT, MAIL_ATTR_LABEL, &request_id, ATTR_TYPE_STR, MAIL_ATTR_RBL_ADDR, reply_addr, ! ATTR_TYPE_END) == 4 && (score = (PSC_DNSBL_SCORE *) ! htable_find(dnsbl_score_cache, STR(reply_client))) != 0 ! 
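Review bot: If USE_TLS is defined but OPENSSL_VERSION_NUMBER is not yet defined where this block is evaluated, the preprocessor treats the macro as 0 and the default for `tls_disable_workarounds` silently becomes "CVE-2005-2969 CVE-2010-4180", whatever OpenSSL is actually linked. Whether the OpenSSL version header is included earlier in mail_params.h cannot be seen from this hunk; if that is not guaranteed, an explicit guard such as `#if defined(USE_TLS) && !defined(OPENSSL_VERSION_NUMBER)` followed by `#error "OPENSSL_VERSION_NUMBER is not defined"` would make the dependency visible. The rewritten block also drops the `/* USE_TLS */` labels the old `#else`/`#endif` lines carried; with two nested conditionals, labelling the outer `#else` and `#endif` (for example `#endif /* USE_TLS && OpenSSL < 1.0.1 */`) keeps the pairing readable.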
&& score->request_id == request_id) { /* * Run this response past all applicable DNSBL filters and update the *************** *** 429,434 **** --- 433,439 ---- HTABLE_INFO **ht; PSC_DNSBL_SCORE *score; HTABLE_INFO *hash_node; + static int request_count; /* * Some spambots make several connections at nearly the same time, *************** *** 468,473 **** --- 473,479 ---- if (msg_verbose > 1) msg_info("%s: create blocklist score for %s", myname, client_addr); score = (PSC_DNSBL_SCORE *) mymalloc(sizeof(*score)); + score->request_id = request_count++; score->dnsbl = 0; score->total = 0; score->refcount = 1; *************** *** 492,497 **** --- 498,504 ---- attr_print(stream, ATTR_FLAG_NONE, ATTR_TYPE_STR, MAIL_ATTR_RBL_DOMAIN, ht[0]->key, ATTR_TYPE_STR, MAIL_ATTR_ACT_CLIENT_ADDR, client_addr, + ATTR_TYPE_INT, MAIL_ATTR_LABEL, score->request_id, ATTR_TYPE_END); if (vstream_fflush(stream) != 0) { msg_warn("%s: error sending to %s service: %m", diff -cr --new-file /var/tmp/postfix-2.8.1/src/util/host_port.c ./src/util/host_port.c *** /var/tmp/postfix-2.8.1/src/util/host_port.c Tue Jan 18 20:22:18 2005 --- ./src/util/host_port.c Fri Feb 25 11:32:12 2011 *************** *** 95,116 **** #include /* host_port - parse string into host and port, destroy string */ const char *host_port(char *buf, char **host, char *def_host, char **port, char *def_service) { char *cp = buf; /* * [host]:port, [host]:, [host]. */ if (*cp == '[') { ! *host = ++cp; if ((cp = split_at(cp, ']')) == 0) return ("missing \"]\""); if (*cp && *cp++ != ':') return ("garbage after \"]\""); *port = *cp ? cp : def_service; } --- 95,135 ---- #include + /* + * Point-fix workaround. The libutil library should be email agnostic, but + * we can't rip up the library APIs in the stable releases. 
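Review bot: The added `score->request_id == request_id` test is what discards a reply belonging to an earlier session from the same client address, but nothing at the condition says so. A short comment above it would help the next reader, for example `/* Ignore replies that belong to an earlier session for this client address. */`. A reply that fails the test takes the same path as a malformed reply or an unknown client; that path is outside this hunk. It is worth confirming there that a stale reply is neither logged as a protocol error nor counted against the `pending_lookups` of the current session.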
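Review bot: `score->request_id = request_count++;` increments the `static int request_count` declared in the preceding hunk without any bound, so once INT_MAX score entries have been created the increment overflows a signed type, which is undefined behaviour in C. postscreen is presumably a long-lived process, so the counter can in principle get that far on a busy host. The id only has to differ between successive sessions for the same client address, so an explicit wrap is enough: `score->request_id = request_count;` followed by `request_count = (request_count < INT_MAX ? request_count + 1 : 0);`. That needs `<limits.h>` if the file does not already include it, which is not visible here.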
+ */ + #include + #ifdef STRCASECMP_IN_STRINGS_H + #include + #endif + #define IPV6_COL "IPv6:" /* RFC 2821 */ + #define IPV6_COL_LEN (sizeof(IPV6_COL) - 1) + #define HAS_IPV6_COL(str) (strncasecmp((str), IPV6_COL, IPV6_COL_LEN) == 0) + /* host_port - parse string into host and port, destroy string */ const char *host_port(char *buf, char **host, char *def_host, char **port, char *def_service) { char *cp = buf; + int ipv6 = 0; /* * [host]:port, [host]:, [host]. + * [ipv6:ipv6addr]:port, [ipv6:ipv6addr]:, [ipv6:ipv6addr]. */ if (*cp == '[') { ! ++cp; ! if ((ipv6 = HAS_IPV6_COL(cp)) != 0) ! cp += IPV6_COL_LEN; ! *host = cp; if ((cp = split_at(cp, ']')) == 0) return ("missing \"]\""); if (*cp && *cp++ != ':') return ("garbage after \"]\""); + if (ipv6 && !valid_ipv6_hostaddr(*host, DONT_GRIPE)) + return ("malformed IPv6 address"); *port = *cp ? cp : def_service; } diff -cr --new-file /var/tmp/postfix-2.8.1/src/util/sys_defs.h ./src/util/sys_defs.h *** /var/tmp/postfix-2.8.1/src/util/sys_defs.h Mon Jan 17 09:44:25 2011 --- ./src/util/sys_defs.h Tue Mar 1 14:10:46 2011 *************** *** 111,117 **** #define HAS_DUPLEX_PIPE /* 4.1 breaks with kqueue(2) */ #endif ! #if __FreeBSD_version >= 800107 /* safe; don't believe the experts */ #define HAS_CLOSEFROM #endif --- 111,118 ---- #define HAS_DUPLEX_PIPE /* 4.1 breaks with kqueue(2) */ #endif ! #if (__FreeBSD_version >= 702104 && __FreeBSD_version <= 800000) \ ! || __FreeBSD_version >= 800100 #define HAS_CLOSEFROM #endif *************** *** 517,523 **** * AIX: a SYSV-flavored hybrid. NB: fcntl() and flock() access the same * underlying locking primitives. */ ! #ifdef AIX5 #define SUPPORTED #include #define UINT32_TYPE unsigned int --- 518,524 ---- * AIX: a SYSV-flavored hybrid. NB: fcntl() and flock() access the same * underlying locking primitives. */ ! #if defined(AIX5) || defined(AIX6) #define SUPPORTED #include #define UINT32_TYPE unsigned int
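Review bot: The new `valid_ipv6_hostaddr(*host, DONT_GRIPE)` call in the bracketed branch of host_port() has no comment explaining why this form needs its own check once the `IPv6:` tag has been stripped. Presumably the check exists so that a hostname or IPv4 address behind the tag is rejected here instead of being accepted by whatever generic host validation follows; that code is outside the hunk. A one-line comment would record the intent, for example `/* The "IPv6:" tag promises an IPv6 literal; accept nothing else. */`. The tag is matched case-insensitively through `strncasecmp`, and `*host` is already assigned when "missing \"]\"", "garbage after \"]\"" or "malformed IPv6 address" is returned. The function's header comment should therefore list the new syntax and the new diagnostic, and say that `*host` is not meaningful on a non-null return.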