Prereq: "2.9.9" diff -cr --new-file /var/tmp/postfix-2.9.9/src/global/mail_version.h ./src/global/mail_version.h *** /var/tmp/postfix-2.9.9/src/global/mail_version.h 2014-01-16 08:10:50.000000000 -0500 --- ./src/global/mail_version.h 2014-10-13 18:54:45.000000000 -0400 *************** *** 20,27 **** * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20140116" ! #define MAIL_VERSION_NUMBER "2.9.9" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE --- 20,27 ---- * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20141013" ! #define MAIL_VERSION_NUMBER "2.9.10" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -cr --new-file /var/tmp/postfix-2.9.9/HISTORY ./HISTORY *** /var/tmp/postfix-2.9.9/HISTORY 2014-01-16 08:15:16.000000000 -0500 --- ./HISTORY 2014-10-13 18:51:09.000000000 -0400 *************** *** 17867,17869 **** --- 17867,17907 ---- 20140104 Bugfix: malformed error message. File: conf/post-install. + + 20140116 + + Workaround: prepend "-I. -I../../include" to CCARGS, to + avoid name clashes with non-Postfix header files. File: + makedefs. + + 20140223 + + Logging: the TLS client logged that an "Untrusted" TLS + connection was established instead of "Anonymous". Viktor + Dukhovni. File: tls/tls_client.c. + + 20140619 + + Bugfix (introduced: 2001): qmqpd null pointer bug when it + logs a lost connection while not in a mail transaction. + Reported by Michal Adamek. File: qmqpd/qmqpd.c. + + 20140920 + + Bugfix (introduced: 20080212): incorrect client name in + reject messages from check_reverse_client_hostname_access + and check_reverse_client_hostname_{mx,ns}_access. They + replied with the verified client name, instead of the name + that was rejected. Problem reported by Reindl Harald. File: + smtpd/smtpd_check.c. 
+ + 20141012 + + Bugfix (introduced: Postfix 2.3): the PREPEND access/policy + action added headers ABOVE Postfix's own Received: header, + exposing Postfix's own Received: header to Milters (protocol + violation) and hiding the PREPENDed header from Milters. + The latter caused problems for DMARC implementations with + SPF policy plus DKIM Milter. PREPENDed headers are now + added BELOW Postfix's own Received: header and remain visible + to Milters. File: smtpd/smtpd.c. diff -cr --new-file /var/tmp/postfix-2.9.9/makedefs ./makedefs *** /var/tmp/postfix-2.9.9/makedefs 2012-11-29 18:53:34.000000000 -0500 --- ./makedefs 2014-01-16 17:08:45.000000000 -0500 *************** *** 669,674 **** --- 669,677 ---- # needed before the code stabilizes. #CCARGS="$CCARGS -DNONPROD" + # Workaround. + CCARGS="-I. -I../../include $CCARGS" + sed 's/ / /g' <reason && state->where) msg_info("%s: %s: %s while %s", ! state->queue_id, state->namaddr, state->reason, state->where); } /* qmqpd_service - service one client */ --- 706,713 ---- */ if (state->reason && state->where) msg_info("%s: %s: %s while %s", ! state->queue_id ? state->queue_id : "NOQUEUE", ! state->namaddr, state->reason, state->where); } /* qmqpd_service - service one client */ diff -cr --new-file /var/tmp/postfix-2.9.9/src/smtpd/smtpd.c ./src/smtpd/smtpd.c *** /var/tmp/postfix-2.9.9/src/smtpd/smtpd.c 2012-04-24 15:30:36.000000000 -0400 --- ./src/smtpd/smtpd.c 2014-10-13 18:17:30.000000000 -0400 *************** *** 2941,2953 **** } /* - * PREPEND message headers. - */ - if (state->prepend) - for (cpp = state->prepend->argv; *cpp; cpp++) - out_fprintf(out_stream, REC_TYPE_NORM, "%s", *cpp); - - /* * Suppress our own Received: header in the unlikely case that we are an * intermediate proxy. */ --- 2941,2946 ---- *************** *** 3036,3041 **** --- 3029,3046 ---- "\t(envelope-from %s)", STR(state->buffer)); #endif } + + /* + * PREPEND message headers below our own Received: header. 
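Review bot: The added comment `# Workaround.` above the new `CCARGS="-I. -I../../include $CCARGS"` line in makedefs does not say what is being worked around, so a later maintainer cannot tell whether the line is still needed. The HISTORY entry in this same patch gives the reason, and I would carry it into the file: `# Workaround: search Postfix's own include directories first, to avoid name clashes with non-Postfix header files.` Header search order decides which declarations the build compiles against, so the intent belongs next to the line. The text of this hunk after the `sed` command is damaged on this page, so nothing below that point was reviewed.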
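Review bot: The new `state->queue_id ? state->queue_id : "NOQUEUE"` argument in the qmqpd.c msg_info() call has no comment saying when queue_id is null; the reason appears only in HISTORY (a lost connection logged while not in a mail transaction). Passing a null pointer for `%s` is undefined behaviour, so this fixes a possible crash on a client-triggered event. I would record that at the call: `/* queue_id is null when the connection is lost outside a mail transaction. */`. The hunk guards only queue_id; `state->namaddr` is passed to `%s` unguarded in the same call, and whether it can be null at this point is not visible here, so that is worth confirming. The enclosing function starts outside the hunk.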
According + * https://www.milter.org/developers/api/smfi_insheader, Milters see only + * headers that have been sent by the SMTP client and those header + * modifications by earlier filters. Based on this we allow Milters to + * see headers added by access map or by policy service. + */ + if (state->prepend) + for (cpp = state->prepend->argv; *cpp; cpp++) + out_fprintf(out_stream, REC_TYPE_NORM, "%s", *cpp); + smtpd_chat_reply(state, "354 End data with ."); state->where = SMTPD_AFTER_DATA; diff -cr --new-file /var/tmp/postfix-2.9.9/src/smtpd/smtpd_check.c ./src/smtpd/smtpd_check.c *** /var/tmp/postfix-2.9.9/src/smtpd/smtpd_check.c 2012-01-14 19:43:58.000000000 -0500 --- ./src/smtpd/smtpd_check.c 2014-09-20 20:39:45.000000000 -0400 *************** *** 3722,3728 **** SMTPD_NAME_CLIENT, def_acl); } else if (is_map_command(state, name, CHECK_REVERSE_CLIENT_ACL, &cpp)) { status = check_namadr_access(state, *cpp, state->reverse_name, state->addr, ! FULL, &found, state->namaddr, SMTPD_NAME_REV_CLIENT, def_acl); forbid_whitelist(state, name, status, state->reverse_name); } else if (strcasecmp(name, REJECT_MAPS_RBL) == 0) { --- 3722,3728 ---- SMTPD_NAME_CLIENT, def_acl); } else if (is_map_command(state, name, CHECK_REVERSE_CLIENT_ACL, &cpp)) { status = check_namadr_access(state, *cpp, state->reverse_name, state->addr, ! FULL, &found, state->reverse_name, SMTPD_NAME_REV_CLIENT, def_acl); forbid_whitelist(state, name, status, state->reverse_name); } else if (strcasecmp(name, REJECT_MAPS_RBL) == 0) { *************** *** 3789,3802 **** } else if (is_map_command(state, name, CHECK_REVERSE_CLIENT_NS_ACL, &cpp)) { if (strcasecmp(state->reverse_name, "unknown") != 0) { status = check_server_access(state, *cpp, state->reverse_name, ! 
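Review bot: The comment on the relocated PREPEND block in smtpd.c reads "According https://www.milter.org/developers/api/smfi_insheader", which is missing "to" and relies on an external URL for the rule that justifies the new position. I would restate the rule in the comment so it survives the link, along the lines of `* Milters must not see our own Received: header, but must see headers added by access map or policy service.` As a point of style, the `if (state->prepend)` / `for` pair is unbraced; braces on both would stop a later added line from landing outside the loop. Headers from an access map or policy service are now Milter input, so those sources presumably deserve the same review as the Milter configuration itself. The enclosing function starts and ends outside the hunk.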
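Review bot: `state->reverse_name`, now passed as the reply name to check_namadr_access() in this hunk and to both check_server_access() calls in the 3789 hunk, is the unverified reverse-DNS name, so the name shown in these reject messages is set by whoever controls the client's reverse zone. That matches the intent of the fix (the reject names what was rejected), but none of the three call sites says so; I would add `/* Reply with the unverified reverse name that was looked up, not the verified client name. */` above the first call. Whether the reply and logging path neutralises non-printable characters in that name is not visible in these hunks and is worth confirming. Anyone parsing these reject lines should not treat the name as a verified client identity. The enclosing if/else chain starts and ends outside both hunks.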
T_NS, state->namaddr, SMTPD_NAME_REV_CLIENT, def_acl); forbid_whitelist(state, name, status, state->reverse_name); } } else if (is_map_command(state, name, CHECK_REVERSE_CLIENT_MX_ACL, &cpp)) { if (strcasecmp(state->reverse_name, "unknown") != 0) { status = check_server_access(state, *cpp, state->reverse_name, ! T_MX, state->namaddr, SMTPD_NAME_REV_CLIENT, def_acl); forbid_whitelist(state, name, status, state->reverse_name); } --- 3789,3802 ---- } else if (is_map_command(state, name, CHECK_REVERSE_CLIENT_NS_ACL, &cpp)) { if (strcasecmp(state->reverse_name, "unknown") != 0) { status = check_server_access(state, *cpp, state->reverse_name, ! T_NS, state->reverse_name, SMTPD_NAME_REV_CLIENT, def_acl); forbid_whitelist(state, name, status, state->reverse_name); } } else if (is_map_command(state, name, CHECK_REVERSE_CLIENT_MX_ACL, &cpp)) { if (strcasecmp(state->reverse_name, "unknown") != 0) { status = check_server_access(state, *cpp, state->reverse_name, ! T_MX, state->reverse_name, SMTPD_NAME_REV_CLIENT, def_acl); forbid_whitelist(state, name, status, state->reverse_name); } diff -cr --new-file /var/tmp/postfix-2.9.9/src/tls/tls_client.c ./src/tls/tls_client.c *** /var/tmp/postfix-2.9.9/src/tls/tls_client.c 2013-09-01 09:21:23.000000000 -0400 --- ./src/tls/tls_client.c 2014-02-23 12:31:17.000000000 -0500 *************** *** 1044,1050 **** */ if (log_mask & TLS_LOG_SUMMARY) msg_info("%s TLS connection established to %s: %s with cipher %s " ! "(%d/%d bits)", TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" : TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : "Untrusted", props->namaddr, TLScontext->protocol, TLScontext->cipher_name, TLScontext->cipher_usebits, TLScontext->cipher_algbits); --- 1044,1052 ---- */ if (log_mask & TLS_LOG_SUMMARY) msg_info("%s TLS connection established to %s: %s with cipher %s " ! "(%d/%d bits)", ! !TLS_CERT_IS_PRESENT(TLScontext) ? "Anonymous" : ! TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" : TLS_CERT_IS_TRUSTED(TLScontext) ? 
"Trusted" : "Untrusted", props->namaddr, TLScontext->protocol, TLScontext->cipher_name, TLScontext->cipher_usebits, TLScontext->cipher_algbits);
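Review bot: The label selection in the tls_client.c msg_info() call is now a four-way nested conditional whose order matters, and nothing in the hunk says so. `!TLS_CERT_IS_PRESENT(TLScontext)` has to be tested first, otherwise a session with no server certificate falls through to "Untrusted" as before. I would state that above the call: `/* No peer certificate: log "Anonymous"; "Untrusted" means a certificate was presented but is not trusted. */`. Log monitoring that matches on the `Untrusted TLS connection established` prefix will no longer see certificate-less sessions after this change, so alerting rules need the `Anonymous` label added. The enclosing function starts and ends outside the hunk.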