diff -Nru postfix-3.8.5/HISTORY postfix-3.8.6/HISTORY
--- postfix-3.8.5/HISTORY 2024-01-19 15:26:29.000000000 +0000
+++ postfix-3.8.6/HISTORY 2024-02-27 21:00:12.000000000 +0000
@@ -27246,3 +27246,83 @@ Files: mantools/postlink, proto/postconf.proto, global/mail_params.h, global/smtp_stream.c, global/smtp_stream.h, smtpd/smtpd.c, smtpd/smtpd_check.[hc]. + +20231102 + + Bugfix (defect introduced: Postfix 2.3, date 20051222): the + Dovecot auth client did not reset the 'reason' from a + previous Dovecot auth service response, before parsing the + next Dovecot auth server response in the same SMTP session. + Reported by Stephan Bosch, File: xsasl/xsasl_dovecot_server.c. + +20231105 + + Cleanup: Postfix SMTP server response with an empty + authentication failure reason. File: smtpd/smtpd_sasl_glue.c. + +20231208 + + Bugfix (defect introduced: Postfix 3.1, date: 20151128): + "postqueue -j" produced broken JSON when escaping a control + character as \uXXXX. Found during code maintenance. File: + postqueue/showq_json.c. + +20231211 + + Cleanup: posttls-finger certificate match expectations for + all TLS security levels, including warnings for levels that + don't implement certificate matching. Viktor Dukhovni. + File: posttls-finger.c. + +20231213 + + Bugfix (defect introduced: Postfix 2.3): after prepending + a message header with a Postfix access table PREPEND action, + a Milter request to delete or update an existing header + could have no effect, or it could target the wrong instance + of an existing header. Root cause: the fix dated 20141018 + for the Postfix Milter client was incomplete. The client + did correctly hide the first, Postfix-generated, Received: + header when sending message header information to a Milter + with the smfi_header() application callback function, but + it was still hiding the first header (instead of the first + Received: header) when handling requests from a Milter to + delete or update an existing header. Problem report by + Carlos Velasco. This change was verified to have no effect + on requests from a Milter to add or insert a header. File: + cleanup/cleanup_milter.c. 
+ +20240124 + + Workaround: tlsmgr logfile spam. Some OS lies under load: + it says that a socket is readable, then it says that the + socket has unread data, and then it says that read returns + EOF, causing Postfix to spam the log with a warning message. + File: tlsmgr/tlsmgr.c. + + Bugfix (defect introduced: Postfix 3.4): the SMTP server's + BDAT command handler could be tricked to read $message_size_limit + bytes into memory. Found during code maintenance. File: + smtpd/smtpd.c. + +20240209 + + Performance: eliminate worst-case behavior where the queue + manager defers delivery to all destinations over a specific + delivery transport, after only a single delivery agent + failure. The scheduler now throttles one destination, and + allows deliveries to other destinations to keep making + progress. Files: *qmgr/qmgr_deliver.c. + +20240226 + + Safety: drop and log over-size DNS responses resulting in + more than 100 records. This 20x larger than the number of + server addresses that the Postfix SMTP client is willing + to consider when delivering mail, and is well below the + number of records that could cause a tail recursion crash + in dns_rr_append() as reported by Toshifumi Sakaguchi. This + also limits the number of DNS requests from check_*_*_access + restrictions. Files: dns/dns.h, dns/dns_lookup.c, dns/dns_rr.c, + dns/test_dns_lookup.c, posttls-finger/posttls-finger.c, + smtp/smtp_addr.c, smtpd/smtpd_check.c. diff -Nru postfix-3.8.5/debian/changelog postfix-3.8.6/debian/changelog --- postfix-3.8.5/debian/changelog 2024-03-04 21:04:43.000000000 +0000 +++ postfix-3.8.6/debian/changelog 2024-03-05 15:24:36.000000000 +0000 
@@ -1,14 +1,25 @@ -postfix (3.8.5-1build2) noble; urgency=medium +postfix (3.8.6-1) unstable; urgency=medium - * No-change rebuild against libssl3t64 + [Scott Kitterman] - -- Steve Langasek Mon, 04 Mar 2024 21:04:43 +0000 + * Remove lib/systemd/system-generators from d/postfix.dirs. Closes: #1059760 + * Update with wrap-and-sort + * Refactor d/p/Sort-list-of-AUXLIBS-for-reproducible-builds.patch based on + upstream feedback + * Mark d/p/Sort-list-of-AUXLIBS-for-reproducible-builds.patch as forwarded + * Add libnsl-dev to build-depends, split from libc6-dev. Closes: #1065158 + * Build-depend on pkgconf instead of obsolete pkg-config -postfix (3.8.5-1build1) noble; urgency=medium + [localization folks] - * No-change rebuild against libdb5.3t64 + * l10n: Updated Swedish debconf translations. (Martin Bagge, Anders + Jonsson). Closes: #1061564 - -- Steve Langasek Sat, 02 Mar 2024 20:36:31 +0000 + [Wietse Venema] + + * 3.8.6 + + -- Scott Kitterman Tue, 05 Mar 2024 10:24:36 -0500 postfix (3.8.5-1) unstable; urgency=medium diff -Nru postfix-3.8.5/debian/control postfix-3.8.6/debian/control --- postfix-3.8.5/debian/control 2024-03-02 20:36:31.000000000 +0000 +++ postfix-3.8.6/debian/control 2024-03-05 15:24:36.000000000 +0000 
@@ -1,23 +1,64 @@ Source: postfix Section: mail Priority: optional -Maintainer: Ubuntu Developers -XSBC-Original-Maintainer: LaMont Jones +Maintainer: LaMont Jones Uploaders: Scott Kitterman Standards-Version: 4.6.2 Rules-Requires-Root: no Homepage: https://www.postfix.org -Build-Depends: debhelper-compat (= 13), po-debconf (>= 0.5.0), groff-base, patch, pkg-config, lsb-release, libdb-dev (>=4.6.19), libldap-dev, liblmdb-dev, libpcre2-dev, default-libmysqlclient-dev, libssl-dev (>=1.0.2), libsasl2-dev, libpq-dev, libcdb-dev, dpkg-dev (>= 1.16.1~), libsqlite3-dev, html2text, txt2man, libicu-dev, systemd-dev +Build-Depends: debhelper-compat (= 13), + default-libmysqlclient-dev, + dpkg-dev (>= 1.16.1~), + groff-base, + html2text, + libcdb-dev, + libdb-dev (>=4.6.19), + libicu-dev, + libldap-dev, + liblmdb-dev, + libnsl-dev | libc6-dev (<<2.37-15.1), + libpcre2-dev, + libpq-dev, + libsasl2-dev, + libsqlite3-dev, + libssl-dev (>=1.0.2), + lsb-release, + patch, + pkgconf, + po-debconf (>= 0.5.0), + systemd-dev, + txt2man Vcs-Browser: https://salsa.debian.org/postfix-team/postfix-dev Vcs-Git: https://salsa.debian.org/postfix-team/postfix-dev.git Package: postfix Architecture: any Pre-Depends: ${misc:Pre-Depends} -Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, adduser (>=3.48), dpkg (>= 1.8.3), ssl-cert, cpio, e2fsprogs +Depends: adduser (>=3.48), + cpio, + dpkg (>= 1.8.3), + e2fsprogs, + netbase, + ssl-cert, + ${misc:Depends}, + ${shlibs:Depends} Replaces: mail-transport-agent -Recommends: python3, ca-certificates -Suggests: procmail, postfix-mysql, postfix-pgsql, postfix-ldap, postfix-pcre, postfix-lmdb, postfix-sqlite, sasl2-bin | dovecot-common, libsasl2-modules | dovecot-common, resolvconf, postfix-cdb, mail-reader, postfix-mta-sts-resolver, ufw, postfix-doc +Recommends: ca-certificates, python3 +Suggests: libsasl2-modules | dovecot-common, + mail-reader, + postfix-cdb, + postfix-doc, + postfix-ldap, + postfix-lmdb, + postfix-mta-sts-resolver, + postfix-mysql, 
+ postfix-pcre, + postfix-pgsql, + postfix-sqlite, + procmail, + resolvconf, + sasl2-bin | dovecot-common, + ufw Conflicts: mail-transport-agent, smail Provides: mail-transport-agent, ${postfix:Provides} Description: High-performance mail transport agent @@ -25,7 +66,7 @@ Package: postfix-ldap Architecture: any -Depends: ${shlibs:Depends}, ${misc:Depends}, postfix (= ${binary:Version}) +Depends: postfix (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends} Description: LDAP map support for Postfix ${Description} . @@ -34,7 +75,10 @@ Package: postfix-lmdb Architecture: any -Depends: ${shlibs:Depends}, ${misc:Depends}, liblmdb0 (>=0.9.14), postfix (= ${binary:Version}) +Depends: liblmdb0 (>=0.9.14), + postfix (= ${binary:Version}), + ${misc:Depends}, + ${shlibs:Depends} Description: LMDB map support for Postfix ${Description} . @@ -43,7 +87,7 @@ Package: postfix-cdb Architecture: any -Depends: ${shlibs:Depends}, ${misc:Depends}, postfix (= ${binary:Version}) +Depends: postfix (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends} Description: CDB map support for Postfix ${Description} . @@ -52,7 +96,7 @@ Package: postfix-pcre Architecture: any -Depends: ${shlibs:Depends}, ${misc:Depends}, postfix (= ${binary:Version}) +Depends: postfix (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends} Description: PCRE map support for Postfix ${Description} . @@ -61,7 +105,7 @@ Package: postfix-mysql Architecture: any -Depends: ${shlibs:Depends}, ${misc:Depends}, postfix (= ${binary:Version}) +Depends: postfix (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends} Description: MySQL map support for Postfix ${Description} . @@ -70,7 +114,7 @@ Package: postfix-pgsql Architecture: any -Depends: ${shlibs:Depends}, ${misc:Depends}, postfix (= ${binary:Version}) +Depends: postfix (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends} Description: PostgreSQL map support for Postfix ${Description} . 
@@ -79,7 +123,7 @@ Package: postfix-sqlite Architecture: any -Depends: ${shlibs:Depends}, ${misc:Depends}, postfix (= ${binary:Version}) +Depends: postfix (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends} Description: SQLite map support for Postfix ${Description} . diff -Nru postfix-3.8.5/debian/copyright postfix-3.8.6/debian/copyright --- postfix-3.8.5/debian/copyright 2024-01-22 14:35:14.000000000 +0000 +++ postfix-3.8.6/debian/copyright 2024-03-05 15:20:59.000000000 +0000 @@ -284,8 +284,8 @@ Exhibit A - Form of Secondary Licenses Notice -"This Source Code may also be made available under the following -Secondary Licenses when the conditions for such availability set forth +"This Source Code may also be made available under the following +Secondary Licenses when the conditions for such availability set forth in the Eclipse Public License, v. 2.0 are satisfied: {name license(s), version(s), and exceptions or additional permissions here}." 
@@ -307,20 +307,20 @@ 1. DEFINITIONS -"Contribution" means: - a) in the case of International Business Machines Corporation ("IBM"), - the Original Program, and - b) in the case of each Contributor, +"Contribution" means: + a) in the case of International Business Machines Corporation ("IBM"), + the Original Program, and + b) in the case of each Contributor, i) changes to the Program, and ii) additions to the Program; where such changes and/or additions to the Program originate - from and are distributed by that particular Contributor. - A Contribution 'originates' from a Contributor if it was added - to the Program by such Contributor itself or anyone acting on - such Contributor's behalf. + from and are distributed by that particular Contributor. + A Contribution 'originates' from a Contributor if it was added + to the Program by such Contributor itself or anyone acting on + such Contributor's behalf. Contributions do not include additions to the Program which: - (i) are separate modules of software distributed in conjunction - with the Program under their own license agreement, and + (i) are separate modules of software distributed in conjunction + with the Program under their own license agreement, and (ii) are not derivative works of the Program. "Contributor" means IBM and any other entity that distributes the Program. @@ -335,7 +335,7 @@ "Program" means the Original Program and Contributions. -"Recipient" means anyone who receives the Program under this Agreement, +"Recipient" means anyone who receives the Program under this Agreement, including all Contributors. 2. GRANT OF RIGHTS @@ -379,7 +379,7 @@ 3. REQUIREMENTS -A Contributor may choose to distribute the Program in object code form +A Contributor may choose to distribute the Program in object code form under its own license agreement, provided that: a) it complies with the terms and conditions of this Agreement; and b) its license agreement: 
@@ -388,31 +388,31 @@ warranties or conditions of title and non-infringement, and implied warranties or conditions of merchantability and fitness for a particular purpose; - ii) effectively excludes on behalf of all Contributors all - liability for damages, including direct, indirect, special, - incidental and consequential damages, such as lost profits; - iii) states that any provisions which differ from this Agreement - are offered by that Contributor alone and not by any other + ii) effectively excludes on behalf of all Contributors all + liability for damages, including direct, indirect, special, + incidental and consequential damages, such as lost profits; + iii) states that any provisions which differ from this Agreement + are offered by that Contributor alone and not by any other party; and - iv) states that source code for the Program is available from - such Contributor, and informs licensees how to obtain it in a - reasonable manner on or through a medium customarily used for - software exchange. + iv) states that source code for the Program is available from + such Contributor, and informs licensees how to obtain it in a + reasonable manner on or through a medium customarily used for + software exchange. When the Program is made available in source code form: - a) it must be made available under this Agreement; and - b) a copy of this Agreement must be included with each copy of the - Program. + a) it must be made available under this Agreement; and + b) a copy of this Agreement must be included with each copy of the + Program. -Each Contributor must include the following in a conspicuous location -in the Program: +Each Contributor must include the following in a conspicuous location +in the Program: Copyright (c) 1997,1998,1999, International Business Machines Corporation and others. All Rights Reserved. 
In addition, each Contributor must identify itself as the originator of its Contribution, if any, in a manner that reasonably allows subsequent -Recipients to identify the originator of the Contribution. +Recipients to identify the originator of the Contribution. 4. COMMERCIAL DISTRIBUTION @@ -433,10 +433,10 @@ claims or Losses relating to any actual or alleged intellectual property infringement. In order to qualify, an Indemnified Contributor must: a) promptly notify the Commercial Contributor in writing of such claim, -and +and b) allow the Commercial Contributor to control, and cooperate with - the Commercial Contributor in, the defense and any related - settlement negotiations. The Indemnified Contributor may + the Commercial Contributor in, the defense and any related + settlement negotiations. The Indemnified Contributor may participate in any such claim at its own expense. For example, a Contributor might include the Program in a commercial @@ -461,7 +461,7 @@ all risks associated with its exercise of rights under this Agreement, including but not limited to the risks and costs of program errors, compliance with applicable laws, damage to or loss of data, programs or -equipment, and unavailability or interruption of operations. +equipment, and unavailability or interruption of operations. 6. DISCLAIMER OF LIABILITY @@ -500,7 +500,7 @@ this Agreement terminate, Recipient agrees to cease use and distribution of the Program as soon as reasonably practicable. However, Recipient's obligations under this Agreement and any licenses granted by Recipient -relating to the Program shall continue and survive. +relating to the Program shall continue and survive. IBM may publish new versions (including revisions) of this Agreement from time to time. Each new version of the Agreement will be given a 
@@ -519,7 +519,7 @@ intellectual property laws of the United States of America. No party to this Agreement will bring a legal action under this Agreement more than one year after the cause of action arose. Each party waives its rights -to a jury trial in any resulting litigation. +to a jury trial in any resulting litigation. The following license applies to examples/chroot-setup/LINUX2: diff -Nru postfix-3.8.5/debian/patches/Sort-list-of-AUXLIBS-for-reproducible-builds.patch postfix-3.8.6/debian/patches/Sort-list-of-AUXLIBS-for-reproducible-builds.patch --- postfix-3.8.5/debian/patches/Sort-list-of-AUXLIBS-for-reproducible-builds.patch 2024-01-22 14:35:14.000000000 +0000 +++ postfix-3.8.6/debian/patches/Sort-list-of-AUXLIBS-for-reproducible-builds.patch 2024-03-05 15:24:36.000000000 +0000 
@@ -2,20 +2,30 @@ Date: Mon, 1 Jan 2024 19:45:09 +0100 Subject: Sort list of AUXLIBS for reproducible builds +Forwarded: https://www.mail-archive.com/postfix-users@postfix.org/msg101292.html --- makedefs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/makedefs b/makedefs -index d9dc529..2b376b3 100644 ---- a/makedefs -+++ b/makedefs -@@ -211,7 +211,7 @@ echo "#----------------------------------------------------------------" +Index: postfix/makedefs +=================================================================== +--- postfix.orig/makedefs ++++ postfix/makedefs +@@ -184,6 +184,8 @@ + # New York, NY 10011, USA + #-- + ++LC_ALL=C; export LC_ALL ++ + # By now all shells must have functions. + + error() { +@@ -211,7 +213,7 @@ echo "#--------------------------------- echo "# Start of summary of user-configurable 'make makefiles' options." echo "# CCARGS=$CCARGS" echo "# AUXLIBS=$AUXLIBS" -env | grep '^AUXLIBS_' | sed 's/^/# /' -+env | grep '^AUXLIBS_' | sed 's/^/# /' | LC_ALL=C sort ++env | grep '^AUXLIBS_' | sed 's/^/# /' | sort echo "# shared=$shared" echo "# dynamicmaps=$dynamicmaps" echo "# pie=$pie" diff -Nru postfix-3.8.5/debian/po/sv.po postfix-3.8.6/debian/po/sv.po --- postfix-3.8.5/debian/po/sv.po 2024-01-22 14:35:14.000000000 +0000 +++ postfix-3.8.6/debian/po/sv.po 2024-03-05 15:20:59.000000000 +0000 
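Review bot: The new `LC_ALL=C; export LC_ALL` in the `@@ -184,6 +184,8 @@` hunk changes the locale for every command makedefs runs from that point on, not only for the `sort` in the AUXLIBS summary, and the patch has no comment saying this is intended. The bare `| sort` in the second hunk is only deterministic because of that export, so a comment above the assignment such as `# Force the C locale: the summary below is sorted, and its order must not depend on the builder's locale.` would keep the two from being separated later. The patch header kept as context still reads `1 file changed, 1 insertion(+), 1 deletion(-)`, which no longer matches the two hunks that follow. The rest of makedefs is outside this hunk, so whether other commands in it are locale-sensitive cannot be checked here.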
@@ -1,22 +1,21 @@ # Translation of Postfix debconf template to Swedish -# Copyright (C) 2012-2017 Martin Bagge +# Copyright (C) 2024 Martin Bagge # This file is distributed under the same license as the postfix package. # # Martin Ågren , 2008. -# Martin Bagge , 2012, 2013, 2017 +# Martin Bagge , 2012, 2013, 2017, 2024 msgid "" msgstr "" "Project-Id-Version: postfix_2.5.2-2_sv\n" "Report-Msgid-Bugs-To: postfix@packages.debian.org\n" "POT-Creation-Date: 2023-06-30 20:49-0400\n" -"PO-Revision-Date: 2017-01-02 10:53+0100\n" -"Last-Translator: Martin Bagge / brother \n" +"PO-Revision-Date: 2024-01-26 15:27+0100\n" +"Last-Translator: Martin Bagge / brother \n" "Language-Team: Swedish \n" "Language: sv\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" -"X-Generator: Poedit 1.8.11\n" "Plural-Forms: nplurals=2; plural=(n != 1);\n" #. Type: boolean @@ -50,8 +49,6 @@ #. Type: boolean #. Description #: ../templates:1001 -#, fuzzy -#| msgid "Please choose whether you want to keep that choice anyway." msgid "Please check and confirm if you want to keep your entry." msgstr "Välj huruvida du vill behålla valet ändå." @@ -118,10 +115,8 @@ #. Type: select #. Description #: ../templates:2002 -#, fuzzy -#| msgid "General type of mail configuration:" msgid "General mail configuration type:" -msgstr "Allmän typ av e-postkonfiguration:" +msgstr "Typ av e-postkonfiguration:" #. Type: select #. Description 
@@ -134,21 +129,6 @@ #. Type: select #. Description #: ../templates:2002 -#, fuzzy -#| msgid "" -#| " No configuration:\n" -#| " Should be chosen to leave the current configuration unchanged.\n" -#| " Internet site:\n" -#| " Mail is sent and received directly using SMTP.\n" -#| " Internet with smarthost:\n" -#| " Mail is received directly using SMTP or by running a utility such\n" -#| " as fetchmail. Outgoing mail is sent using a smarthost.\n" -#| " Satellite system:\n" -#| " All mail is sent to another machine, called a 'smarthost', for " -#| "delivery.\n" -#| " Local only:\n" -#| " The only delivered mail is the mail for local users. There is no " -#| "network." msgid "" " No configuration:\n" " Should be chosen to leave the current configuration unchanged.\n" @@ -195,8 +175,8 @@ " - Running 'service postfix start'." msgstr "" "Du har valt \"Ingen konfiguration\". Postfix kommer inte att konfigureras " -"och kommer som standard inte att starta upp. Kör \"dpkg-reconfigure postfix" -"\" vid ett senare tillfälle eller konfigurera det själv genom att:\n" +"och kommer som standard inte att starta upp. Kör \"dpkg-reconfigure " +"postfix\" vid ett senare tillfälle eller konfigurera det själv genom att:\n" " - Redigera /etc/postfix/main.cf för att passa dina behov;\n" " - Köra \"service postfix start\"." @@ -209,12 +189,6 @@ #. Type: string #. Description #: ../templates:4001 -#, fuzzy -#| msgid "" -#| "The \"mail name\" is the domain name used to \"qualify\" _ALL_ mail " -#| "addresses without a domain name. This includes mail to and from : " -#| "please do not make your machine send out mail from root@example.org " -#| "unless root@example.org has told you to." msgid "" "The 'mail name' is the domain name used to 'qualify' _ALL_ mail addresses " "without a domain name. This includes mail to and from : please do not " 
@@ -246,7 +220,7 @@ "value for this option would be example.org." msgstr "" "Följaktligen, om en e-postadress på den lokala maskinen är foo@example.org, " -"skulle det korrekta värde för den här inställning vara example.org." +"skulle det korrekta värdet för den här inställningen vara example.org." #. Type: string #. Description @@ -280,7 +254,7 @@ "the form [destination] to turn off MX lookups. Leave this blank for no relay " "host." msgstr "" -"Ange en domän, värd, värd:port, [adress] eller [adress]:port. Använd " +"Ange en domän, värd, värd:port, [adress] eller [adress]:port. Använd " "formatet [destination] för att stänga av MX-uppslag. Lämna blank för att " "inte använda en vidaresändningsvärd." @@ -293,19 +267,15 @@ #. Type: string #. Description #: ../templates:6001 -#, fuzzy -#| msgid "" -#| "The relayhost parameter specifies the default host to send mail to when " -#| "no entry is matched in the optional transport(5) table. When no relay " -#| "host is given, mail is routed directly to the destination." msgid "" "The relayhost parameter specifies the default external host to send mail to " "when no entry is matched in the optional transport(5) table. When no relay " "host is given, mail is routed directly to the destination." msgstr "" -"Parametern \"relayhost\" (relävärd) anger den standardvärd som post ska " -"skickas till när ingen post matchas i den valfria transport(5)-tabellen. När " -"ingen relävärd angivits kommer post att skickas direkt till destinationen." +"Parametern \"relayhost\" (relävärd) anger den externa standardvärd som post " +"ska skickas till när ingen post matchas i den valfria transport(5)-tabellen. " +"När ingen relävärd angivits kommer post att skickas direkt till " +"destinationen." #. Type: boolean #. Description 
@@ -387,15 +357,12 @@ #. Type: string #. Description #: ../templates:9001 -#, fuzzy -#| msgid "" -#| "Please choose the character that will be used to define a local address " -#| "extension." msgid "" "Please choose a character used as recipient delimiter that will indicate a " "local address extension." msgstr "" -"Välj det tecken som ska användas för att definiera en lokal adressutökning." +"Välj ett tecken som ska användas för att skilja mottagare åt vilket kommer " +"att användas för att definiera en \"lokal adressutökning\"." #. Type: string #. Description @@ -474,10 +441,6 @@ #. Type: string #. Description #: ../templates:12001 -#, fuzzy -#| msgid "" -#| "To use the postfix default (which is based on the connected subnets), " -#| "leave this blank." msgid "" "To use the Postfix default (which is based on the connected subnets), leave " "this blank." 
@@ -494,28 +457,23 @@ #. Type: string #. Description #: ../templates:13001 -#, fuzzy -#| msgid "" -#| "Please specify the limit that Postfix should place on mailbox files to " -#| "prevent runaway software errors. A value of zero (0) means no limit. The " -#| "upstream default is 51200000." msgid "" "Please specify the limit that Postfix should place on mailbox files to " "constrain file system usage by a single file (potentially due to abusive " "mail or software errors). A value of zero (0) means no limit. The upstream " "default is 51200000." msgstr "" -"Vilken gräns ska Postfix sätta på postlådefiler för att förhindra att " -"programvarufel skriver för mycket data. Ett värde på noll (0) betyder att " -"det inte finns någon gräns. Standard från utvecklarna är 51200000." +"Ange gräns som Postfix sätter på postlådefiler för att förhindra för hög " +"användning av filsystemets resurser av en enskild fil (eventuellt orsakat av " +"oredlig användning av e-post eller från mjukvarufel). Ett värde på noll (0) " +"betyder att det inte finns någon gräns. Standard från utvecklarna är " +"51200000." #. Type: string #. Description #: ../templates:14001 -#, fuzzy -#| msgid "Root and postmaster mail recipient:" msgid "Recipient for root and postmaster mail:" -msgstr "E-postmottagare för root och postmaster:" +msgstr "Mottagare för meddelanden till root och postmaster:" #. Type: string #. Description 
@@ -547,204 +505,16 @@ #. Type: string #. Description #: ../templates:14001 -#, fuzzy -#| msgid "" -#| "If you already have a /etc/aliases file and it does not have an entry for " -#| "root, then you should add this entry. Leave this blank to not add one." msgid "" "If you already have a /etc/aliases file and it does not have an entry for " "root, then you should add this entry. Leave this blank to not add one." msgstr "" "Om du redan har filen /etc/aliases och den saknar instruktioner för root ska " -"detta läggas till. Lämna den blank för att inte lägga till någon instruktion." +"detta läggas till. Lämna detta blankt för att inte lägga till någon " +"instruktion." #. Type: boolean #. Description #: ../templates:15001 msgid "Run newaliases command?" -msgstr "" - -#, fuzzy -#~| msgid "Update configuration to avoid compatibility warnings" -#~ msgid "Update configuration to avoid compatibility warnings?" -#~ msgstr "Uppdatera inställningar för att undvika kompatibilitetsvarningar" - -#, fuzzy -#~| msgid "" -#~| "This upgrade of postfix changes some default values in the " -#~| "configuration. As part of this upgrade, the following will be changed: " -#~| "(1) chrooted components will be changed from '-' to 'y' in master.cf, " -#~| "and (2) myhostname will be set to a fully-qualified domain name if it is " -#~| "not already such. The install will be aborted if you do not allow the " -#~| "change." -#~ msgid "" -#~ "This upgrade of Postfix changes some default values in the configuration. " -#~ "As part of this upgrade, the following will be changed: (1) chrooted " -#~ "components will be changed from '-' to 'y' in master.cf, and (2) " -#~ "myhostname will be set to a fully-qualified domain name if it is not " -#~ "already such. The install will be aborted if you do not allow the change." -#~ msgstr "" -#~ "Denna version av postfix ändrar några standardvärden i inställningarna. 
" -#~ "Som del i denna uppgradering kommer följande att ändras: (1) chrootade " -#~ "komponenter kommer att ändras från \"-\" till \"y\" i master.cf och (2) " -#~ "myhostname kommer att sättas till ett komplett kvalificerat domännamn om " -#~ "det inte redan är ett sådant. Installationen kommer att avbrytas om du " -#~ "inte tillåter ändringarna." - -#, fuzzy -#~| msgid "Update main.cf for daemon_directory change" -#~ msgid "Update main.cf for daemon_directory change?" -#~ msgstr "Uppdatera main.cf för ändringen av daemon_directory" - -#, fuzzy -#~| msgid "" -#~| "This upgrade of postfix changes where daemons are located, and your " -#~| "postfix configuration explicitly specifies the old location. The " -#~| "install will be aborted if you do not allow the change." -#~ msgid "" -#~ "This upgrade of Postfix changes where daemons are located, and your " -#~ "Postfix configuration explicitly specifies the old location. The install " -#~ "will be aborted if you do not allow the change." -#~ msgstr "" -#~ "Denna uppgradering av postfix ändrar var tjänster installeras och dina " -#~ "inställningar pekar ut den gamla positionen. Installationen avbryts om du " -#~ "inte tillåter förändringen." - -#, fuzzy -#~| msgid "Update dynamicmaps.cf for 3.0" -#~ msgid "Update dynamicmaps.cf for 3.0?" -#~ msgstr "Uppdatera dynamicmaps.cf för 3.0" - -#, fuzzy -#~| msgid "" -#~| "Postfix version 3.0 changes how dynamic maps are delivered, and your " -#~| "dynamicmaps.cf does not reflect that. Accept this option to convert " -#~| "dynamicmaps.cf to the version required for 3.0." -#~ msgid "" -#~ "Postfix version 3.0 changes how dynamic maps are delivered, and your " -#~ "dynamicmaps.cf does not reflect that. Accept this option to convert " -#~ "dynamicmaps.cf to the version required for 3.0." -#~ msgstr "" -#~ "Postfix version 3.0 har ändrat hur dynamisk mappning levereras och din " -#~ "dynamicmaps.cf återspeglar inte detta. 
Automatisk konvertering av " -#~ "dynamicmaps.cf till version 3.0 kan genomföras." - -#~ msgid "Add a 'mydomain' entry in main.cf for upgrade?" -#~ msgstr "Lägg till en \"mydomain\"-post i main.cf inför uppgraderingen?" - -#~ msgid "" -#~ "Postfix version 2.3.3-2 and later require changes in main.cf. " -#~ "Specifically, mydomain must be specified, since hostname(1) is not a " -#~ "fully qualified domain name (FQDN)." -#~ msgstr "" -#~ "Postfix version 2.3.3-2 och senare kräver ändringar i main.cf. Specifikt " -#~ "måste \"mydomain\" anges eftersom hostname(1) inte är ett fullständigt " -#~ "kvalificerat domännamn (FQDN)." - -#~ msgid "" -#~ "Failure to fix this will result in a broken mailer. Decline this option " -#~ "to abort the upgrade, giving you the opportunity to add this " -#~ "configuration yourself. Accept this option to automatically set mydomain " -#~ "based on the FQDN of the machine." -#~ msgstr "" -#~ "Om inte du rättar till dessa felaktigheter kommer e-postsystemet inte att " -#~ "fungera korrekt. Vägra denna inställning för att avbryta uppgraderingen " -#~ "och ge dig möjligheten att lägga till denna konfiguration själv. " -#~ "Acceptera inställningen för att automatiskt ställa in \"mydomain\" " -#~ "baserat på FQDN för maskinen." - -#~ msgid "Set smtpd_relay_restrictions in main.cf for upgrade?" -#~ msgstr "Ska smtpd_relay_restrictions i main.cf ställas in för uppgradering?" - -#~ msgid "" -#~ "Postfix version 2.10 adds smtpd_relay_restrictions, to separate relaying " -#~ "restrictions from recipient restrictions, and you have a non-default " -#~ "value for smtpd_recipient_restrictions." -#~ msgstr "" -#~ "Postfix version 2.10 lägger till smtpd_relay_restrictions för att " -#~ "separera restriktioner för vidaresändning och mottagare. Det här systemet " -#~ "har ett ickestandardiserat värde för smtpd_recipient_restrictions." - -#~ msgid "" -#~ "Failure to do this may result in deferred or bounced mail after the " -#~ "upgrade. 
Accept this option to set smtpd_relay_restrictions equal to " -#~ "smtpd_recipient_restrictions." -#~ msgstr "" -#~ "Om detta inte justeras kan det innebära att e-post-meddelanden avvisas " -#~ "eller studsar efter uppgraderingen. Aktivera detta alternativ för att " -#~ "ange samma värde för smtpd_relay_restrictions som för " -#~ "smtpd_recipient_restrictions." - -#, fuzzy -#~| msgid "" -#~| "This upgrade of postfix changes where daemons are located, and your " -#~| "postfix configuration explicitly specifies the old location. The " -#~| "install will be aborted if you do not allow the change." -#~ msgid "" -#~ "This upgrade of postfix drops the \"lmtp\" symlink, and your " -#~ "configuration (master.cf) refers to it: lmtp was merged into smtp long " -#~ "ago. The install will be aborted if you do not allow the change." -#~ msgstr "" -#~ "Denna uppgradering av postfix ändrar var tjänster installeras och dina " -#~ "inställningar pekar ut den gamla positionen. Installationen avbryts om du " -#~ "inte tillåter förändringen." - -#~ msgid "Add 'sqlite' entry to dynamicmaps.cf?" -#~ msgstr "Ska \"sqlite\" läggas till i dynamicmaps.cf?" - -#~ msgid "" -#~ "Postfix version 2.9 adds sqlite support to maps, but your dynamicmaps.cf " -#~ "does not reflect that. Accept this option to add support for sqlite maps." -#~ msgstr "" -#~ "Postfix version 2.0 lägger till stöd för sqlite-mappning men filen " -#~ "dynamicmaps.cf visar inte detta. Godkänn detta alternativ för att lägga " -#~ "till stöd för sqlite-mappning." - -#~ msgid "Install postfix despite an unsupported kernel?" -#~ msgstr "Installera postfix även om kärnan inte stöds?" - -#~ msgid "" -#~ "Postfix uses features that are not found in kernels prior to 2.6. If you " -#~ "proceed with the installation, Postfix will not run." -#~ msgstr "" -#~ "Postfix använder funktioner som inte finns i kärnor före version 2.6. Om " -#~ "du fortsätter med installationen kommer Postfix inte att kunna starta." 
- -#~ msgid "Correct retry entry in master.cf for upgrade?" -#~ msgstr "Korrigera återförsöksposten i master.cf inför uppgradering?" - -#~ msgid "" -#~ "Postfix version 2.4 requires that the retry service be added to master.cf." -#~ msgstr "" -#~ "Postfix version 2.4 och senare kräver att återförsöksposten läggs till i " -#~ "master.cf." - -#~ msgid "" -#~ "Failure to fix this will result in a broken mailer. Decline this option " -#~ "to abort the upgrade, giving you the opportunity to add this " -#~ "configuration yourself. Accept this option to automatically make master." -#~ "cf compatible with Postfix 2.4 in this respect." -#~ msgstr "" -#~ "Om du inte rättar till dessa felaktigheter kommer e-postsystemet inte att " -#~ "fungera korrekt. Vägra denna inställning för att avbryta uppgraderingen " -#~ "och få möjlighet att lägga till denna konfiguration själv. Acceptera " -#~ "inställningen för att automatiskt göra master.cf kompatibel med Postfix " -#~ "2.4 i det här avseendet." - -#~ msgid "Correct tlsmgr entry in master.cf for upgrade?" -#~ msgstr "Korrigera tlsmgr-posten i master.cf inför uppgradering?" - -#~ msgid "Postfix version 2.2 has changed the invocation of tlsmgr." -#~ msgstr "Postfix version 2.2 har ändringar i uppstarten av tlsmgr." - -#~ msgid "" -#~ "Failure to fix this will result in a broken mailer. Decline this option " -#~ "to abort the upgrade, giving you the opportunity to add this " -#~ "configuration yourself. Accept this option to automatically make master." -#~ "cf compatible with Postfix 2.2 in this respect." -#~ msgstr "" -#~ "Om inte du rättar till dessa felaktigheter kommer e-postsystemet inte att " -#~ "fungera korrekt. Vägra denna inställning för att avbryta uppgraderingen " -#~ "och ge dig möjligheten att lägga till denna konfiguration själv. " -#~ "Acceptera inställningen för att automatiskt göra master.cf kompatibel med " -#~ "Postfix 2.2 i det här avseendet." +msgstr "Ska newaliases-kommandot köras?" 
diff -Nru postfix-3.8.5/debian/postfix-doc.dirs postfix-3.8.6/debian/postfix-doc.dirs --- postfix-3.8.5/debian/postfix-doc.dirs 2024-01-22 14:35:14.000000000 +0000 +++ postfix-3.8.6/debian/postfix-doc.dirs 2024-03-05 15:20:59.000000000 +0000 @@ -1,4 +1,4 @@ usr/share/doc/postfix -usr/share/doc/postfix/html -usr/share/doc/postfix/examples usr/share/doc/postfix-doc +usr/share/doc/postfix/examples +usr/share/doc/postfix/html diff -Nru postfix-3.8.5/debian/postfix.dirs postfix-3.8.6/debian/postfix.dirs --- postfix-3.8.5/debian/postfix.dirs 2024-01-22 14:35:14.000000000 +0000 +++ postfix-3.8.6/debian/postfix.dirs 2024-03-05 15:20:59.000000000 +0000 @@ -1,37 +1,36 @@ DEBIAN etc/init.d etc/insserv.conf.d -etc/ppp/ip-up.d -etc/ppp/ip-down.d -etc/network/if-up.d etc/network/if-down.d -usr/lib/networkd-dispatcher/routable.d -usr/lib/networkd-dispatcher/off.d +etc/network/if-up.d +etc/postfix etc/postfix/dynamicmaps.cf.d etc/postfix/postfix-files.d etc/postfix/sasl +etc/ppp/ip-down.d +etc/ppp/ip-up.d +etc/resolvconf/update-libc.d etc/rsyslog.d etc/ufw/applications.d usr/bin -usr/sbin +usr/lib/networkd-dispatcher/off.d +usr/lib/networkd-dispatcher/routable.d usr/lib/postfix usr/lib/postfix/sbin +usr/sbin usr/share/doc/postfix +usr/share/lintian/overrides usr/share/man/man1 usr/share/man/man5 usr/share/man/man8 -usr/share/lintian/overrides usr/share/postfix -etc/postfix -etc/resolvconf/update-libc.d +var/lib/postfix +var/log var/spool/postfix var/spool/postfix/dev var/spool/postfix/etc var/spool/postfix/lib var/spool/postfix/usr var/spool/postfix/usr/lib -var/spool/postfix/usr/lib/zoneinfo var/spool/postfix/usr/lib/sasl2 -var/log -var/lib/postfix -lib/systemd/system-generators +var/spool/postfix/usr/lib/zoneinfo diff -Nru postfix-3.8.5/debian/tests/control postfix-3.8.6/debian/tests/control --- postfix-3.8.5/debian/tests/control 2024-01-22 14:35:14.000000000 +0000 +++ postfix-3.8.6/debian/tests/control 2024-03-05 15:20:59.000000000 +0000 
@@ -1,3 +1,8 @@ Tests: postfix -Depends: procmail, sasl2-bin, python3-pexpect, lsb-release, python3, libsasl2-modules +Depends: libsasl2-modules, + lsb-release, + procmail, + python3, + python3-pexpect, + sasl2-bin Restrictions: needs-root diff -Nru postfix-3.8.5/src/cleanup/cleanup_milter.c postfix-3.8.6/src/cleanup/cleanup_milter.c --- postfix-3.8.5/src/cleanup/cleanup_milter.c 2023-03-10 14:06:42.000000000 +0000 +++ postfix-3.8.6/src/cleanup/cleanup_milter.c 2024-02-27 15:55:17.000000000 +0000 @@ -119,6 +119,7 @@ #include #include #include +#include /* Application-specific. */ @@ -754,14 +755,26 @@ */ } +/* hidden_header - respect milter header hiding protocol */ + +static int hidden_header(VSTRING *buf, ARGV *auto_hdrs, int *hide_done) +{ + char **cpp; + int mask; + + for (cpp = auto_hdrs->argv, mask = 1; *cpp; cpp++, mask <<= 1) + if ((*hide_done & mask) == 0 && strncmp(*cpp, STR(buf), LEN(buf)) == 0) + return (*hide_done |= mask); + return (0); +} + /* cleanup_find_header_start - find specific header instance */ static off_t cleanup_find_header_start(CLEANUP_STATE *state, ssize_t index, const char *header_label, VSTRING *buf, int *prec_type, - int allow_ptr_backup, - int skip_headers) + int allow_ptr_backup) { const char *myname = "cleanup_find_header_start"; off_t curr_offset; /* offset after found record */ @@ -770,7 +783,7 @@ int rec_type = REC_TYPE_ERROR; int last_type; ssize_t len; - int hdr_count = 0; + int hide_done = 0; if (msg_verbose) msg_info("%s: index %ld name \"%s\"", @@ -912,11 +925,10 @@ break; } /* This the start of a message header. */ - else if (hdr_count++ < skip_headers) - /* Reset the saved PTR record and update last_type. */ ; else if ((header_label == 0 || (strncasecmp(header_label, STR(buf), len) == 0 - && (strlen(header_label) == len))) + && strlen(header_label) == len + && !hidden_header(buf, state->auto_hdrs, &hide_done))) && --index == 0) { /* If we have a saved PTR record, it points to start of header. */ break; 
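Review bot: In the new hidden_header() (hunk @@ -754,14 +755,26 @@) `mask <<= 1` is applied to a signed `int` once per `auto_hdrs` entry, so the loop is only well defined while the list has fewer entries than an `int` has value bits; beyond that the shift is undefined and the bookkeeping in `*hide_done` can no longer be trusted. Nothing in the hunk bounds the list or documents the contract, and the nonzero return value is the updated bitmask rather than a plain boolean. I would extend the function comment with something like `/* hide_done: one bit per auto_hdrs entry, caller starts it at 0; auto_hdrs must have fewer entries than an int has value bits */`. The match against the `auto_hdrs` entries uses case-sensitive `strncmp()` while the label match in hunk @@ -912,11 +925,10 @@ uses `strncasecmp()`; if that difference is intended, a one-line comment should say so. cleanup_find_header_start() begins in the first of these hunks and continues outside them.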
@@ -1182,15 +1194,12 @@ */ #define NO_HEADER_NAME ((char *) 0) #define ALLOW_PTR_BACKUP 1 -#define SKIP_ONE_HEADER 1 -#define DONT_SKIP_HEADERS 0 if (index < 1) index = 1; old_rec_offset = cleanup_find_header_start(state, index, NO_HEADER_NAME, old_rec_buf, &old_rec_type, - ALLOW_PTR_BACKUP, - DONT_SKIP_HEADERS); + ALLOW_PTR_BACKUP); if (old_rec_offset == CLEANUP_FIND_HEADER_IOERROR) /* Warning and errno->error mapping are done elsewhere. */ CLEANUP_INS_HEADER_RETURN(cleanup_milter_error(state, 0)); @@ -1270,8 +1279,7 @@ rec_buf = vstring_alloc(100); old_rec_offset = cleanup_find_header_start(state, index, new_hdr_name, rec_buf, &last_type, - NO_PTR_BACKUP, - SKIP_ONE_HEADER); + NO_PTR_BACKUP); if (old_rec_offset == CLEANUP_FIND_HEADER_IOERROR) /* Warning and errno->error mapping are done elsewhere. */ CLEANUP_UPD_HEADER_RETURN(cleanup_milter_error(state, 0)); @@ -1333,8 +1341,7 @@ rec_buf = vstring_alloc(100); header_offset = cleanup_find_header_start(state, index, hdr_name, rec_buf, - &last_type, NO_PTR_BACKUP, - SKIP_ONE_HEADER); + &last_type, NO_PTR_BACKUP); if (header_offset == CLEANUP_FIND_HEADER_IOERROR) /* Warning and errno->error mapping are done elsewhere. */ CLEANUP_DEL_HEADER_RETURN(cleanup_milter_error(state, 0)); diff -Nru postfix-3.8.5/src/dns/dns.h postfix-3.8.6/src/dns/dns.h --- postfix-3.8.5/src/dns/dns.h 2023-04-02 20:20:25.000000000 +0000 +++ postfix-3.8.6/src/dns/dns.h 2024-02-29 16:51:22.000000000 +0000 
@@ -161,12 +161,18 @@ unsigned short pref; /* T_MX and T_SRV record related */ unsigned short weight; /* T_SRV related, defined in rfc2782 */ unsigned short port; /* T_SRV related, defined in rfc2782 */ + /* Assume that flags lives in what was previously padding */ + unsigned short flags; /* DNS_RR_FLAG_XX, see below */ struct DNS_RR *next; /* linkage */ size_t data_len; /* actual data size */ char *data; /* a bunch of data */ /* Add new fields at the end, for ABI forward compatibility. */ } DNS_RR; +#define DNS_RR_FLAG_TRUNCATED (1<<0) + +#define DNS_RR_IS_TRUNCATED(rr) ((rr)->flags & DNS_RR_FLAG_TRUNCATED) + /* * dns_strerror.c */ @@ -215,6 +221,7 @@ extern int dns_rr_compare_pref(DNS_RR *, DNS_RR *); extern DNS_RR *dns_rr_shuffle(DNS_RR *); extern DNS_RR *dns_rr_remove(DNS_RR *, DNS_RR *); +extern int var_dns_rr_list_limit; /* * dns_rr_to_pa.c diff -Nru postfix-3.8.5/src/dns/dns_lookup.c postfix-3.8.6/src/dns/dns_lookup.c --- postfix-3.8.5/src/dns/dns_lookup.c 2023-08-31 18:57:22.000000000 +0000 +++ postfix-3.8.6/src/dns/dns_lookup.c 2024-02-27 16:14:58.000000000 +0000 @@ -978,6 +978,8 @@ resource_found++; rr->dnssec_valid = *maybe_secure ? reply->dnssec_ad : 0; *rrlist = dns_rr_append(*rrlist, rr); + if (DNS_RR_IS_TRUNCATED(*rrlist)) + break; } else if (status == DNS_NULLMX || status == DNS_NULLSRV) { CORRUPT(status); /* TODO: use better name */ } else if (not_found_status != DNS_RETRY) @@ -1208,8 +1210,11 @@ name, dns_strtype(type), dns_str_resflags(flags)); status = dns_lookup_x(name, type, flags, rrlist ? &rr : (DNS_RR **) 0, fqdn, why, rcode, lflags); - if (rrlist && rr) + if (rrlist && rr) { *rrlist = dns_rr_append(*rrlist, rr); + if (DNS_RR_IS_TRUNCATED(*rrlist)) + break; + } if (status == DNS_OK) { if (lflags & DNS_REQ_FLAG_STOP_OK) break; 
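Review bot: `DNS_RR_IS_TRUNCATED(rr)` in the dns.h hunk dereferences its argument unconditionally, and the definition does not say so. The callers in this diff are split: the posttls-finger.c and smtp_addr.c loops that collect `addr_one()` / `smtp_addr_one()` results test `addr_list &&` first, while the dns_lookup.c call sites rely on the list being non-null after `dns_rr_append()`. A comment at the macro such as `/* rr must be non-null; testing the list head is sufficient */` would make the precondition explicit. The new `flags` member depends on occupying former padding, as its own comment says; the struct starts outside this hunk, so that layout cannot be confirmed from here.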
@@ -1260,8 +1265,11 @@ name, dns_strtype(type), dns_str_resflags(flags)); status = dns_lookup_x(name, type, flags, rrlist ? &rr : (DNS_RR **) 0, fqdn, why, rcode, lflags); - if (rrlist && rr) + if (rrlist && rr) { *rrlist = dns_rr_append(*rrlist, rr); + if (DNS_RR_IS_TRUNCATED(*rrlist)) + break; + } if (status == DNS_OK) { if (lflags & DNS_REQ_FLAG_STOP_OK) break; diff -Nru postfix-3.8.5/src/dns/dns_rr.c postfix-3.8.6/src/dns/dns_rr.c --- postfix-3.8.5/src/dns/dns_rr.c 2023-04-07 19:50:27.000000000 +0000 +++ postfix-3.8.6/src/dns/dns_rr.c 2024-02-27 16:14:58.000000000 +0000 @@ -54,6 +54,8 @@ /* /* DNS_RR *dns_srv_rr_sort(list) /* DNS_RR *list; +/* +/* int var_dns_rr_list_limit; /* AUXILIARY FUNCTIONS /* DNS_RR *dns_rr_create_nopref(qname, rname, type, class, ttl, /* data, data_len) @@ -95,9 +97,17 @@ /* /* dns_rr_copy() makes a copy of a resource record. /* -/* dns_rr_append() appends a resource record to a (list of) resource -/* record(s). -/* A null input list is explicitly allowed. +/* dns_rr_append() appends an input resource record list to +/* an output list. Null arguments are explicitly allowed. +/* When the result would be longer than var_dns_rr_list_limit +/* (default: 100), dns_rr_append() logs a warning, flags the +/* output list as truncated, and discards the excess elements. +/* Once an output list is flagged as truncated (test with +/* DNS_RR_IS_TRUNCATED()), the caller is expected to stop +/* trying to append records to that list. Note: the 'truncated' +/* flag is transitive, i.e. when appending a input list that +/* was flagged as truncated to an output list, the output list +/* will also be flagged as truncated. /* /* dns_rr_sort() sorts a list of resource records into ascending /* order according to a user-specified criterion. The result is the 
@@ -150,6 +160,16 @@ #include "dns.h" + /* + * A generous safety limit for the number of DNS resource records that the + * Postfix DNS client library will admit into a list. The default value 100 + * is 20x the default limit on the number address records that the Postfix + * SMTP client is willing to consider. + * + * Mutable, to make code testable. + */ +int var_dns_rr_list_limit = 100; + /* dns_rr_create - fill in resource record structure */ DNS_RR *dns_rr_create(const char *qname, const char *rname, @@ -181,6 +201,7 @@ } rr->data_len = data_len; rr->next = 0; + rr->flags = 0; return (rr); } 
@@ -218,14 +239,58 @@ return (dst); } -/* dns_rr_append - append resource record to list */ +/* dns_rr_append_with_limit - append resource record to limited list */ + +static void dns_rr_append_with_limit(DNS_RR *list, DNS_RR *rr, int limit) +{ + + /* + * Pre: list != 0, all lists are concatenated with dns_rr_append(). + * + * Post: all elements have the DNS_RR_FLAG_TRUNCATED flag value set, or all + * elements have it cleared, so that there is no need to update code in + * legacy stable releases that deletes or reorders elements. + */ + if (limit <= 1) { + if (list->next || rr) { + msg_warn("DNS record count limit (%d) exceeded -- dropping" + " excess record(s) after qname=%s qtype=%s", + var_dns_rr_list_limit, list->qname, + dns_strtype(list->type)); + list->flags |= DNS_RR_FLAG_TRUNCATED; + dns_rr_free(list->next); + dns_rr_free(rr); + list->next = 0; + } + } else { + if (list->next == 0 && rr) { + list->next = rr; + rr = 0; + } + if (list->next) { + dns_rr_append_with_limit(list->next, rr, limit - 1); + list->flags |= list->next->flags; + } + } +} + +/* dns_rr_append - append resource record(s) to list, or discard */ DNS_RR *dns_rr_append(DNS_RR *list, DNS_RR *rr) { - if (list == 0) { - list = rr; + + /* + * Note: rr is not length checked; when multiple lists are concatenated, + * the output length may be a small multiple of var_dns_rr_list_limit. + */ + if (rr == 0) + return (list); + if (list == 0) + return (rr); + if (!DNS_RR_IS_TRUNCATED(list)) { + dns_rr_append_with_limit(list, rr, var_dns_rr_list_limit); } else { - list->next = dns_rr_append(list->next, rr); + dns_rr_free(rr); } return (list); } diff -Nru postfix-3.8.5/src/dns/test_dns_lookup.c postfix-3.8.6/src/dns/test_dns_lookup.c --- postfix-3.8.5/src/dns/test_dns_lookup.c 2021-04-04 15:40:41.000000000 +0000 +++ postfix-3.8.6/src/dns/test_dns_lookup.c 2024-02-27 16:14:58.000000000 +0000 
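Review bot: dns_rr_append() now consumes `rr` and may free it (the `dns_rr_free(rr)` calls in the already-truncated branch and in dns_rr_append_with_limit()), but the comment above the function does not tell callers that `rr` must not be dereferenced after the call. The smtp_addr.c hunk @@ -179,10 +179,10 @@ moves `addr->pref = pref; addr->port = port;` ahead of the append, presumably for this reason, and a future caller could easily reintroduce a use after free. I would add to the function comment: `/* Takes ownership of rr; when the list is or becomes truncated, rr may be freed, so do not use rr after this call. */`. The `list == 0` path returns `rr` without applying `var_dns_rr_list_limit`, which the in-function note acknowledges; callers that need a hard bound should not assume the first append enforces one.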
@@ -121,9 +121,11 @@ vstream_printf("%s: fqdn: %s\n", name, vstring_str(fqdn)); buf = vstring_alloc(100); print_rr(buf, rr); + vstream_fflush(VSTREAM_OUT); + if (DNS_RR_IS_TRUNCATED(rr)) + msg_warn("one or more excess DNS_RR records were dropped"); dns_rr_free(rr); vstring_free(buf); - vstream_fflush(VSTREAM_OUT); } } myfree((void *) types); diff -Nru postfix-3.8.5/src/global/mail_version.h postfix-3.8.6/src/global/mail_version.h --- postfix-3.8.5/src/global/mail_version.h 2024-01-18 23:44:21.000000000 +0000 +++ postfix-3.8.6/src/global/mail_version.h 2024-03-04 16:51:28.000000000 +0000 @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20240121" -#define MAIL_VERSION_NUMBER "3.8.5" +#define MAIL_RELEASE_DATE "20240304" +#define MAIL_VERSION_NUMBER "3.8.6" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -Nru postfix-3.8.5/src/oqmgr/qmgr_deliver.c postfix-3.8.6/src/oqmgr/qmgr_deliver.c --- postfix-3.8.5/src/oqmgr/qmgr_deliver.c 2021-08-07 00:04:05.000000000 +0000 +++ postfix-3.8.6/src/oqmgr/qmgr_deliver.c 2024-02-27 16:12:55.000000000 +0000 @@ -283,6 +283,7 @@ * The queue itself won't go away before we dispose of the current queue * entry. */ +#if 0 if (status == DELIVER_STAT_CRASH) { message->flags |= DELIVER_STAT_DEFER; #if 0 @@ -317,6 +318,7 @@ qmgr_defer_transport(transport, &dsb->dsn); return; } +#endif /* * This message must be tried again. 
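Review bot: The `#if 0` / `#endif` pair added around the `status == DELIVER_STAT_CRASH` branch in src/oqmgr/qmgr_deliver.c (hunks @@ -283,6 +283,7 @@ and @@ -317,6 +318,7 @@) leaves the old branch in the file with no statement of why it is disabled, and it now encloses an inner `#if 0`, which makes the active region hard to follow. Since hunk @@ -331,7 +333,9 @@ handles DELIVER_STAT_CRASH together with DELIVER_STAT_DEFER, either delete the disabled branch or label it, for example `#if 0 /* superseded: DELIVER_STAT_CRASH is handled with DELIVER_STAT_DEFER below */`. The same applies to the identical hunks in src/qmgr/qmgr_deliver.c. The enclosing function starts and ends outside these hunks.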
@@ -331,7 +333,9 @@ */ #define SUSPENDED "delivery temporarily suspended: " - if (status == DELIVER_STAT_DEFER) { + if (status == DELIVER_STAT_CRASH) + DSN_SIMPLE(&dsb->dsn, "4.3.0", "unknown mail transport error"); + if (status == DELIVER_STAT_CRASH || status == DELIVER_STAT_DEFER) { message->flags |= DELIVER_STAT_DEFER; if (VSTRING_LEN(dsb->status)) { /* Sanitize the DSN status/reason from the delivery agent. */ diff -Nru postfix-3.8.5/src/postqueue/showq_json.c postfix-3.8.6/src/postqueue/showq_json.c --- postfix-3.8.5/src/postqueue/showq_json.c 2021-10-27 23:33:07.000000000 +0000 +++ postfix-3.8.6/src/postqueue/showq_json.c 2024-02-27 15:55:17.000000000 +0000 @@ -96,7 +96,7 @@ VSTRING_ADDCH(result, 't'); break; default: - vstring_sprintf(result, "\\u%04X", ch); + vstring_sprintf_append(result, "\\u%04X", ch); break; } } else { diff -Nru postfix-3.8.5/src/posttls-finger/posttls-finger.c postfix-3.8.6/src/posttls-finger/posttls-finger.c --- postfix-3.8.5/src/posttls-finger/posttls-finger.c 2023-05-16 21:55:54.000000000 +0000 +++ postfix-3.8.6/src/posttls-finger/posttls-finger.c 2024-02-27 16:14:58.000000000 +0000 @@ -1260,6 +1260,8 @@ msg_fatal("host %s: conversion error for address family %d: %m", host, ((struct sockaddr *) (res0->ai_addr))->sa_family); addr_list = dns_rr_append(addr_list, addr); + if (DNS_RR_IS_TRUNCATED(addr_list)) + break; } freeaddrinfo(res0); if (found == 0) { @@ -1297,6 +1299,8 @@ msg_panic("%s: bad resource type: %d", myname, rr->type); addr_list = addr_one(state, addr_list, (char *) rr->data, res_opt, rr->pref, rr->port); + if (addr_list && DNS_RR_IS_TRUNCATED(addr_list)) + break; } return (addr_list); } 
@@ -2114,7 +2118,19 @@ #ifdef USE_TLS int smtp_mode = 1; + /* + * DANE match names are configured late, once the TLSA records are in + * hand. For now, prepare to fall back to "secure". + */ switch (state->level) { + default: + state->match = 0; + if (*argv) + msg_warn("TLS level '%s' does not implement certificate matching", + str_tls_level(state->level)); + break; + case TLS_LEV_DANE: + case TLS_LEV_DANE_ONLY: case TLS_LEV_SECURE: state->match = argv_alloc(2); while (*argv) @@ -2135,11 +2151,6 @@ tls_dane_add_fpt_digests((TLS_DANE *) state->dane, *argv++, "", smtp_mode); break; - case TLS_LEV_DANE: - case TLS_LEV_DANE_ONLY: - state->match = argv_alloc(2); - argv_add(state->match, "nexthop", "hostname", ARGV_END); - break; } #endif } diff -Nru postfix-3.8.5/src/qmgr/qmgr_deliver.c postfix-3.8.6/src/qmgr/qmgr_deliver.c --- postfix-3.8.5/src/qmgr/qmgr_deliver.c 2021-08-07 00:04:05.000000000 +0000 +++ postfix-3.8.6/src/qmgr/qmgr_deliver.c 2024-02-27 16:12:55.000000000 +0000 @@ -288,6 +288,7 @@ * The queue itself won't go away before we dispose of the current queue * entry. */ +#if 0 if (status == DELIVER_STAT_CRASH) { message->flags |= DELIVER_STAT_DEFER; #if 0 @@ -322,6 +323,7 @@ qmgr_defer_transport(transport, &dsb->dsn); return; } +#endif /* * This message must be tried again. @@ -336,7 +338,9 @@ */ #define SUSPENDED "delivery temporarily suspended: " - if (status == DELIVER_STAT_DEFER) { + if (status == DELIVER_STAT_CRASH) + DSN_SIMPLE(&dsb->dsn, "4.3.0", "unknown mail transport error"); + if (status == DELIVER_STAT_CRASH || status == DELIVER_STAT_DEFER) { message->flags |= DELIVER_STAT_DEFER; if (VSTRING_LEN(dsb->status)) { /* Sanitize the DSN status/reason from the delivery agent. */ diff -Nru postfix-3.8.5/src/smtp/smtp_addr.c postfix-3.8.6/src/smtp/smtp_addr.c --- postfix-3.8.5/src/smtp/smtp_addr.c 2023-03-09 18:06:45.000000000 +0000 +++ postfix-3.8.6/src/smtp/smtp_addr.c 2024-02-28 19:44:02.000000000 +0000 
@@ -179,10 +179,10 @@ if ((addr = dns_sa_to_rr(host, pref, res0->ai_addr)) == 0) msg_fatal("host %s: conversion error for address family " "%d: %m", host, res0->ai_addr->sa_family); - addr_list = dns_rr_append(addr_list, addr); addr->pref = pref; addr->port = port; - if (msg_verbose) + addr_list = dns_rr_append(addr_list, addr); + if (msg_verbose && !DNS_RR_IS_TRUNCATED(addr_list)) msg_info("%s: using numerical host %s", myname, host); freeaddrinfo(res0); return (addr_list); @@ -262,6 +262,8 @@ msg_fatal("host %s: conversion error for address family " "%d: %m", host, res0->ai_addr->sa_family); addr_list = dns_rr_append(addr_list, addr); + if (DNS_RR_IS_TRUNCATED(addr_list)) + break; if (msg_verbose) { MAI_HOSTADDR_STR hostaddr_str; @@ -327,6 +329,8 @@ msg_panic("smtp_addr_list: bad resource type: %d", rr->type); addr_list = smtp_addr_one(addr_list, (char *) rr->data, res_opt, rr->pref, rr->port, why); + if (addr_list && DNS_RR_IS_TRUNCATED(addr_list)) + break; } return (addr_list); } @@ -421,6 +425,13 @@ */ /* + * Ensure that dns_rr_append() won't interfere with the protocol + * balancing goals. + */ + if (addr_limit > var_dns_rr_list_limit) + addr_limit = var_dns_rr_list_limit; + + /* * Count the number of IPv6 and IPv4 addresses. */ for (v4_count = v6_count = 0, rr = addr_list; rr != 0; rr = rr->next) { diff -Nru postfix-3.8.5/src/smtpd/smtpd.c postfix-3.8.6/src/smtpd/smtpd.c --- postfix-3.8.5/src/smtpd/smtpd.c 2024-01-19 00:00:24.000000000 +0000 +++ postfix-3.8.6/src/smtpd/smtpd.c 2024-02-27 16:06:01.000000000 +0000 
@@ -4129,14 +4129,31 @@ /* * Read lines from the fragment. The last line may continue in the * next fragment, or in the next chunk. + * + * If smtp_get_noexcept() stopped after var_line_limit bytes and did not + * emit a queue file record, then that means smtp_get_noexcept() + * stopped after CR and hit EOF as it tried to find out if the next + * byte is LF. In that case, read the first byte from the next + * fragment or chunk, and if that first byte is LF, then + * smtp_get_noexcept() strips off the trailing CRLF and returns '\n' + * as it always does after reading a complete line. */ do { + int can_read = var_line_limit - LEN(state->bdat_get_buffer); + if (smtp_get_noexcept(state->bdat_get_buffer, state->bdat_get_stream, - var_line_limit, + can_read > 0 ? can_read : 1, /* Peek one */ SMTP_GET_FLAG_APPEND) == '\n') { /* Stopped at end-of-line. */ curr_rec_type = REC_TYPE_NORM; + } else if (LEN(state->bdat_get_buffer) > var_line_limit) { + /* Undo peeking, and output the buffer as REC_TYPE_CONT. */ + vstream_ungetc(state->bdat_get_stream, + vstring_end(state->bdat_get_buffer)[-1]); + vstring_truncate(state->bdat_get_buffer, + LEN(state->bdat_get_buffer) - 1); + curr_rec_type = REC_TYPE_CONT; } else if (!vstream_feof(state->bdat_get_stream)) { /* Stopped at var_line_limit. */ curr_rec_type = REC_TYPE_CONT; diff -Nru postfix-3.8.5/src/smtpd/smtpd_check.c postfix-3.8.6/src/smtpd/smtpd_check.c --- postfix-3.8.5/src/smtpd/smtpd_check.c 2024-01-18 23:39:04.000000000 +0000 +++ postfix-3.8.6/src/smtpd/smtpd_check.c 2024-02-27 16:14:58.000000000 +0000 @@ -2994,6 +2994,7 @@ struct addrinfo *res; int status; const INET_PROTO_INFO *proto_info; + int server_addr_count = 0; /* * Sanity check. 
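Review bot: In the BDAT hunk the byte pushed back with `vstream_ungetc()` is read from `vstring_end(state->bdat_get_buffer)[-1]`, a plain `char`, so where `char` is signed a byte of 0x80 or above is passed as a negative int. If vstream_ungetc() follows the ungetc() convention of taking an unsigned-char value (its definition is not part of this diff), the argument should be written `(unsigned char) vstring_end(state->bdat_get_buffer)[-1]`. This path handles line boundaries in untrusted message content, so the peek and undo steps should behave the same for every byte value. The enclosing function starts and ends outside the hunk.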
@@ -3145,6 +3146,15 @@ msg_info("%s: %s host address check: %s", myname, dns_strtype(type), (char *) server->data); for (res = res0; res != 0; res = res->ai_next) { + server_addr_count += 1; + if (server_addr_count > var_dns_rr_list_limit) { + msg_warn("%s: %s server address count limit (%d) exceeded" + " for %s %s -- ignoring the remainder", myname, + dns_strtype(type), var_dns_rr_list_limit, + reply_class, reply_name); + freeaddrinfo(res0); + CHECK_SERVER_RETURN(SMTPD_CHECK_DUNNO); + } if (strchr((char *) proto_info->sa_family_list, res->ai_family) == 0) { if (msg_verbose) msg_info("skipping address family %d for host %s", diff -Nru postfix-3.8.5/src/smtpd/smtpd_sasl_glue.c postfix-3.8.6/src/smtpd/smtpd_sasl_glue.c --- postfix-3.8.5/src/smtpd/smtpd_sasl_glue.c 2023-10-30 23:16:11.000000000 +0000 +++ postfix-3.8.6/src/smtpd/smtpd_sasl_glue.c 2024-02-27 15:55:17.000000000 +0000 @@ -340,18 +340,20 @@ } } if (status != XSASL_AUTH_DONE) { + const char *reason = (*STR(state->sasl_reply) ? STR(state->sasl_reply) : + "(reason unavailable)"); + sasl_username = xsasl_server_get_username(state->sasl_server); msg_warn("%s: SASL %.100s authentication failed: %s, sasl_username=%.100s", - state->namaddr, sasl_method, *STR(state->sasl_reply) ? - STR(state->sasl_reply) : "(reason unavailable)", + state->namaddr, sasl_method, reason, sasl_username ? sasl_username : "(unavailable)"); /* RFC 4954 Section 6. */ if (status == XSASL_AUTH_TEMP) smtpd_chat_reply(state, "454 4.7.0 Temporary authentication failure: %s", - STR(state->sasl_reply)); + reason); else smtpd_chat_reply(state, "535 5.7.8 Error: authentication failed: %s", - STR(state->sasl_reply)); + reason); return (-1); } /* RFC 4954 Section 6. */ diff -Nru postfix-3.8.5/src/tlsmgr/tlsmgr.c postfix-3.8.6/src/tlsmgr/tlsmgr.c --- postfix-3.8.5/src/tlsmgr/tlsmgr.c 2021-12-19 22:04:54.000000000 +0000 +++ postfix-3.8.6/src/tlsmgr/tlsmgr.c 2024-02-27 16:03:39.000000000 +0000 
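Review bot: When `server_addr_count` exceeds `var_dns_rr_list_limit` in the smtpd_check.c hunk @@ -3145,6 +3146,15 @@, the function returns `SMTPD_CHECK_DUNNO`, so the addresses after the limit are never compared with the access table and the restriction gives no verdict for that name. That is a fail-open result for a policy check, and the code does not state whether it is intended. I would put a comment above the return, for example `/* Limit exceeded: return DUNNO, leaving the remaining addresses unchecked. */`, so that operators reading the warning know what the outcome was. `server_addr_count` is declared at function scope in hunk @@ -2994,6 +2994,7 @@ and is not reset in the visible loop, so the limit appears to apply to the total across all servers; the warning text could say so. The function body continues outside both hunks.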
@@ -819,6 +819,23 @@ } /* + * Workaround: some OS lies under load. It tells the Postfix event + * handler that a server socket is readable, then it tells peekfd() that + * the socket has unread data, and then it tells vstring_get_null() that + * there is none, causing Postfix to spam the log with warning messages. + * Close the stream to stop such nonsense; the client can reconnect if it + * still wants to talk to us. + * + * XXX Why is this problem not reported for the other five + * multi_server-based Postfix services? + */ + else if (vstream_ferror(client_stream) || vstream_feof(client_stream)) { + multi_server_disconnect(client_stream); + return; + /* Note: client_stream is now a dangling pointer. */ + } + + /* * Protocol error. */ else { diff -Nru postfix-3.8.5/src/xsasl/xsasl_dovecot_server.c postfix-3.8.6/src/xsasl/xsasl_dovecot_server.c --- postfix-3.8.5/src/xsasl/xsasl_dovecot_server.c 2022-01-02 23:25:27.000000000 +0000 +++ postfix-3.8.6/src/xsasl/xsasl_dovecot_server.c 2024-02-27 15:55:17.000000000 +0000 @@ -543,6 +543,8 @@ myfree(server->username); server->username = 0; } + VSTRING_RESET(reply); + VSTRING_TERMINATE(reply); /* * Note: TAB is part of the Dovecot protocol and must not appear in