commit postfix for openSUSE:Factory
Hello community,
here is the log from the commit of package postfix for openSUSE:Factory
checked in at Mon Jan 10 10:43:03 CET 2011.
--------
--- postfix/postfix.changes 2010-12-11 21:02:06.000000000 +0100
+++ /mounts/work_src_done/STABLE/postfix/postfix.changes 2011-01-04 13:36:04.000000000 +0100
@@ -1,0 +2,35 @@
+Tue Jan 4 12:14:06 UTC 2011 - chris@computersalat.de
+
+- update to 2.7.2
+ * Bugfix (introduced Postfix 2.2): Postfix no longer appends
+ the system default CA certificates to the lists specified
+ with *_tls_CAfile or with *_tls_CApath. This prevents
+ third-party certificates from getting mail relay permission
+ with the permit_tls_all_clientcerts feature. Unfortunately
+ this may cause compatibility problems with configurations
+ that rely on certificate verification for other purposes.
+ To get the old behavior, specify "tls_append_default_CA =
+ yes". Files: tls/tls_certkey.c, tls/tls_misc.c,
+ global/mail_params.h. proto/postconf.proto, mantools/postlink.
+ * Compatibility with Postfix < 2.3: fix 20061207 was incomplete
+ (undoing the change to bounce instead of defer after
+ pipe-to-command delivery fails with a signal). Fix by Thomas
+ Arnett. File: global/pipe_command.c.
+ * Bugfix: the milter_header_checks parser provided only the
+ actions that change the message flow (reject, filter,
+ discard, redirect) but disabled the non-flow actions (warn,
+ replace, prepend, ignore, dunno, ok). File:
+ cleanup/cleanup_milter.c.
+ * Performance: fix for poor smtpd_proxy_filter TCP performance
+ over loopback (127.0.0.1) connections. Problem reported by
+ Mark Martinec. Files: smtpd/smtpd_proxy.c.
+ * Cleanup: don't apply reject_rhsbl_helo to non-domain forms
+ such as network addresses. This would cause false positives
+ with dbl.spamhaus.org. File: smtpd/smtpd_check.c.
+ * Bugfix: the "421" reply after Milter error was overruled
+ by Postfix 1.1 code that replied with "503" for RFC 2821
+ compliance. We now make an exception for "final" replies,
+ as permitted by RFC. Solution by Victor Duchovni. File:
+ smtpd/smtpd.c.
+
+-------------------------------------------------------------------
calling whatdependson for head-i586
Old:
----
postfix-2.7.1.tar.bz2
New:
----
postfix-2.7.2.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ postfix.spec ++++++
--- /var/tmp/diff_new_pack.p14vV7/_old 2011-01-10 10:42:46.000000000 +0100
+++ /var/tmp/diff_new_pack.p14vV7/_new 2011-01-10 10:42:46.000000000 +0100
@@ -1,7 +1,7 @@
#
-# spec file for package postfix (Version 2.7.1)
+# spec file for package postfix (Version 2.7.2)
#
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -21,8 +21,8 @@
Name: postfix
Summary: A fast, secure, and flexible mailer
-Version: 2.7.1
-Release: 6
+Version: 2.7.2
+Release: 1
License: IBM Public License ..
Group: Productivity/Networking/Email/Servers
Url: http://www.postfix.org/
++++++ postfix-2.7.1.tar.bz2 -> postfix-2.7.2.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-2.7.1/HISTORY new/postfix-2.7.2/HISTORY
--- old/postfix-2.7.1/HISTORY 2010-06-04 14:42:42.000000000 +0200
+++ new/postfix-2.7.2/HISTORY 2010-11-23 17:07:10.000000000 +0100
@@ -15768,3 +15768,51 @@
Portability: Berkeley DB 5.x has the same API as Berkeley
DB 4.1 and later. File: util/dict_db.c.
+
+20100610
+
+ Bugfix (introduced Postfix 2.2): Postfix no longer appends
+ the system default CA certificates to the lists specified
+ with *_tls_CAfile or with *_tls_CApath. This prevents
+ third-party certificates from getting mail relay permission
+ with the permit_tls_all_clientcerts feature. Unfortunately
+ this may cause compatibility problems with configurations
+ that rely on certificate verification for other purposes.
+ To get the old behavior, specify "tls_append_default_CA =
+ yes". Files: tls/tls_certkey.c, tls/tls_misc.c,
+ global/mail_params.h. proto/postconf.proto, mantools/postlink.
+
+20100714
+
+ Compatibility with Postfix < 2.3: fix 20061207 was incomplete
+ (undoing the change to bounce instead of defer after
+ pipe-to-command delivery fails with a signal). Fix by Thomas
+ Arnett. File: global/pipe_command.c.
+
+20100727
+
+ Bugfix: the milter_header_checks parser provided only the
+ actions that change the message flow (reject, filter,
+ discard, redirect) but disabled the non-flow actions (warn,
+ replace, prepend, ignore, dunno, ok). File:
+ cleanup/cleanup_milter.c.
+
+20100827
+
+ Performance: fix for poor smtpd_proxy_filter TCP performance
+ over loopback (127.0.0.1) connections. Problem reported by
+ Mark Martinec. Files: smtpd/smtpd_proxy.c.
+
+20101023
+
+ Cleanup: don't apply reject_rhsbl_helo to non-domain forms
+ such as network addresses. This would cause false positives
+ with dbl.spamhaus.org. File: smtpd/smtpd_check.c.
+
+20101117
+
+ Bugfix: the "421" reply after Milter error was overruled
+ by Postfix 1.1 code that replied with "503" for RFC 2821
+ compliance. We now make an exception for "final" replies,
+ as permitted by RFC. Solution by Victor Duchovni. File:
+ smtpd/smtpd.c.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-2.7.1/html/postconf.5.html new/postfix-2.7.2/html/postconf.5.html
--- old/postfix-2.7.1/html/postconf.5.html 2010-06-02 02:01:35.000000000 +0200
+++ new/postfix-2.7.2/html/postconf.5.html 2010-06-16 00:19:06.000000000 +0200
@@ -9150,6 +9150,10 @@
but it is best to include all the required certificates directly in
$<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>. </p>
+<p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. </p>
+
<p> Example: </p>
<pre>
@@ -9173,6 +9177,10 @@
<p> To use this option in chroot mode, this directory (or a copy)
must be inside the chroot jail. </p>
+<p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. </p>
+
<p> Example: </p>
<pre>
@@ -10824,8 +10832,11 @@
<dd> Permit the request when the remote SMTP client certificate is
verified successfully. This option must be used only if a special
CA issues the certificates and only this CA is listed as trusted
-CA, otherwise all clients with a recognized certificate would be
-allowed to relay. This feature is available with Postfix version 2.2.</dd>
+CA. Otherwise, clients with a third-party certificate would also
+be allowed to relay. Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" when the
+trusted CA is specified with <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> or <a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a>,
+to prevent Postfix from appending the system-supplied default CAs.
+This feature is available with Postfix version 2.2.</dd>
<dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
@@ -12595,6 +12606,10 @@
but it is best to include all the required certificates directly in the
server certificate file. </p>
+<p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. </p>
+
<p> By default (see <a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>), client certificates are not
requested, and <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> should remain empty. If you do make use
of client certificates, the distinguished names (DNs) of the certificate
@@ -12626,6 +12641,10 @@
<a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> in chroot mode, this directory (or a copy) must be
inside the chroot jail. </p>
+<p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. </p>
+
<p> By default (see <a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>), client certificates are
not requested, and <a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> should remain empty. In contrast
to <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a>, DNs of certificate authorities installed
@@ -13738,6 +13757,23 @@
</DD>
+
+<DT><b><a name="tls_append_default_CA">tls_append_default_CA</a>
+(default: no)</b></DT><DD>
+
+<p> Append the system-supplied default certificate authority
+certificates to the ones specified with *_tls_CApath or *_tls_CAfile.
+The default is "no"; this prevents Postfix from trusting third-party
+certificates and giving them relay permission with
+<a href="postconf.5.html#permit_tls_all_clientcerts">permit_tls_all_clientcerts</a>. </p>
+
+<p> This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8,
+2.7.2 and later versions. Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = yes" for
+backwards compatibility, to avoid breaking certificate verification
+with sites that don't use <a href="postconf.5.html#permit_tls_all_clientcerts">permit_tls_all_clientcerts</a>. </p>
+
+
+</DD>
<DT><b><a name="tls_daemon_random_bytes">tls_daemon_random_bytes</a>
(default: 32)</b></DT><DD>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-2.7.1/man/man5/postconf.5 new/postfix-2.7.2/man/man5/postconf.5
--- old/postfix-2.7.1/man/man5/postconf.5 2010-06-02 02:01:35.000000000 +0200
+++ new/postfix-2.7.2/man/man5/postconf.5 2010-06-16 00:19:06.000000000 +0200
@@ -5239,6 +5239,10 @@
but it is best to include all the required certificates directly in
$smtp_tls_cert_file.
.PP
+Specify "tls_append_default_CA = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates.
+.PP
Example:
.PP
.nf
@@ -5259,6 +5263,10 @@
To use this option in chroot mode, this directory (or a copy)
must be inside the chroot jail.
.PP
+Specify "tls_append_default_CA = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates.
+.PP
Example:
.PP
.nf
@@ -6622,8 +6630,11 @@
Permit the request when the remote SMTP client certificate is
verified successfully. This option must be used only if a special
CA issues the certificates and only this CA is listed as trusted
-CA, otherwise all clients with a recognized certificate would be
-allowed to relay. This feature is available with Postfix version 2.2.
+CA. Otherwise, clients with a third-party certificate would also
+be allowed to relay. Specify "tls_append_default_CA = no" when the
+trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath,
+to prevent Postfix from appending the system-supplied default CAs.
+This feature is available with Postfix version 2.2.
.IP "\fBpermit_tls_clientcerts\fR"
Permit the request when the remote SMTP client certificate
fingerprint is listed in $relay_clientcerts.
@@ -7828,6 +7839,10 @@
but it is best to include all the required certificates directly in the
server certificate file.
.PP
+Specify "tls_append_default_CA = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates.
+.PP
By default (see smtpd_tls_ask_ccert), client certificates are not
requested, and smtpd_tls_CAfile should remain empty. If you do make use
of client certificates, the distinguished names (DNs) of the certificate
@@ -7857,6 +7872,10 @@
smtpd_tls_CApath in chroot mode, this directory (or a copy) must be
inside the chroot jail.
.PP
+Specify "tls_append_default_CA = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates.
+.PP
By default (see smtpd_tls_ask_ccert), client certificates are
not requested, and smtpd_tls_CApath should remain empty. In contrast
to smtpd_tls_CAfile, DNs of certificate authorities installed
@@ -8711,6 +8730,17 @@
\fBlmtp\fR(8)).
.PP
This feature is available in Postfix 2.6 and later.
+.SH tls_append_default_CA (default: no)
+Append the system-supplied default certificate authority
+certificates to the ones specified with *_tls_CApath or *_tls_CAfile.
+The default is "no"; this prevents Postfix from trusting third-party
+certificates and giving them relay permission with
+permit_tls_all_clientcerts.
+.PP
+This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8,
+2.7.2 and later versions. Specify "tls_append_default_CA = yes" for
+backwards compatibility, to avoid breaking certificate verification
+with sites that don't use permit_tls_all_clientcerts.
.SH tls_daemon_random_bytes (default: 32)
The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8)
process requests from the \fBtlsmgr\fR(8) server in order to seed its
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-2.7.1/mantools/postlink new/postfix-2.7.2/mantools/postlink
--- old/postfix-2.7.1/mantools/postlink 2010-02-03 20:53:33.000000000 +0100
+++ new/postfix-2.7.2/mantools/postlink 2010-06-13 20:50:38.000000000 +0200
@@ -676,6 +676,7 @@
s;\btls_null_cipherlist\b;<a href="postconf.5.html#tls_null_cipherlist">$&</a>;g;
s;\btls_eecdh_strong_curve\b;<a href="postconf.5.html#tls_eecdh_strong_curve">$&</a>;g;
s;\btls_eecdh_ultra_curve\b;<a href="postconf.5.html#tls_eecdh_ultra_curve">$&</a>;g;
+ s;\btls_append_default_CA\b;<a href="postconf.5.html#tls_append_default_CA">$&</a>;g;
s;\bfrozen_delivered_to\b;<a href="postconf.5.html#frozen_delivered_to">$&</a>;g;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-2.7.1/proto/postconf.proto new/postfix-2.7.2/proto/postconf.proto
--- old/postfix-2.7.1/proto/postconf.proto 2010-06-02 01:52:06.000000000 +0200
+++ new/postfix-2.7.2/proto/postconf.proto 2010-06-16 00:18:48.000000000 +0200
@@ -4855,8 +4855,11 @@
<dd> Permit the request when the remote SMTP client certificate is
verified successfully. This option must be used only if a special
CA issues the certificates and only this CA is listed as trusted
-CA, otherwise all clients with a recognized certificate would be
-allowed to relay. This feature is available with Postfix version 2.2.</dd>
+CA. Otherwise, clients with a third-party certificate would also
+be allowed to relay. Specify "tls_append_default_CA = no" when the
+trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath,
+to prevent Postfix from appending the system-supplied default CAs.
+This feature is available with Postfix version 2.2.</dd>
<dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
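Review bot: The new sentence in the permit_tls_all_clientcerts entry tells the reader to specify "tls_append_default_CA = no", but the same release makes "no" the default, so the instruction reads as if an explicit setting were still required. Suggest wording it as a check instead, for example: make sure tls_append_default_CA is not set to "yes" when the trusted CA is given with smtpd_tls_CAfile or smtpd_tls_CApath. The same applies to the identical paragraphs added under the *_tls_CAfile and *_tls_CApath entries.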
@@ -8648,6 +8651,10 @@
but it is best to include all the required certificates directly in the
server certificate file. </p>
+<p> Specify "tls_append_default_CA = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. </p>
+
<p> By default (see smtpd_tls_ask_ccert), client certificates are not
requested, and smtpd_tls_CAfile should remain empty. If you do make use
of client certificates, the distinguished names (DNs) of the certificate
@@ -8675,6 +8682,10 @@
smtpd_tls_CApath in chroot mode, this directory (or a copy) must be
inside the chroot jail. </p>
+<p> Specify "tls_append_default_CA = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. </p>
+
<p> By default (see smtpd_tls_ask_ccert), client certificates are
not requested, and smtpd_tls_CApath should remain empty. In contrast
to smtpd_tls_CAfile, DNs of certificate authorities installed
@@ -9043,6 +9054,10 @@
but it is best to include all the required certificates directly in
$smtp_tls_cert_file. </p>
+<p> Specify "tls_append_default_CA = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. </p>
+
<p> Example: </p>
<pre>
@@ -9062,6 +9077,10 @@
<p> To use this option in chroot mode, this directory (or a copy)
must be inside the chroot jail. </p>
+<p> Specify "tls_append_default_CA = no" to prevent Postfix from
+appending the system-supplied default CAs and trusting third-party
+certificates. </p>
+
<p> Example: </p>
<pre>
@@ -9351,6 +9370,19 @@
<p> This feature is available in Postfix 2.2 and later. </p>
+%PARAM tls_append_default_CA no
+
+<p> Append the system-supplied default certificate authority
+certificates to the ones specified with *_tls_CApath or *_tls_CAfile.
+The default is "no"; this prevents Postfix from trusting third-party
+certificates and giving them relay permission with
+permit_tls_all_clientcerts. </p>
+
+<p> This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8,
+2.7.2 and later versions. Specify "tls_append_default_CA = yes" for
+backwards compatibility, to avoid breaking certificate verification
+with sites that don't use permit_tls_all_clientcerts. </p>
+
%PARAM tls_random_exchange_name see "postconf -d" output
<p> Name of the pseudo random number generator (PRNG) state file
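Review bot: The tls_append_default_CA entry lists the releases that have the parameter but never says what those release lines did before it existed. An administrator reading only this entry cannot tell that older versions always appended the system default CAs, which is what the HISTORY and RELEASE_NOTES text in this same update states. Suggest one sentence in the first paragraph saying that earlier versions behaved as "tls_append_default_CA = yes", so the upgrade impact is visible where the parameter is documented.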
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-2.7.1/RELEASE_NOTES new/postfix-2.7.2/RELEASE_NOTES
--- old/postfix-2.7.1/RELEASE_NOTES 2010-02-03 22:43:34.000000000 +0100
+++ new/postfix-2.7.2/RELEASE_NOTES 2010-11-23 19:53:31.000000000 +0100
@@ -14,6 +14,18 @@
If you upgrade from Postfix 2.5 or earlier, read RELEASE_NOTES-2.6
before proceeding.
+Incompatibility with Postfix 2.7.2
+----------------------------------
+
+Postfix no longer appends the system-supplied default CA certificates
+to the lists specified with *_tls_CAfile or with *_tls_CApath. This
+prevents third-party certificates from getting mail relay permission
+with the permit_tls_all_clientcerts feature.
+
+Unfortunately this change may cause compatibility problems when
+configurations rely on certificate verification for other purposes.
+Specify "tls_append_default_CA = yes" for backwards compatibility.
+
Major changes - performance
---------------------------
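Review bot: "configurations rely on certificate verification for other purposes" in the second paragraph of the new section is too vague for an incompatibility notice. It does not let an administrator decide whether their setup is affected before upgrading. Suggest stating the condition directly: a configuration is affected when it sets *_tls_CAfile or *_tls_CApath and also expects certificates issued by the system default CAs to verify. The workaround line can stay as it is.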
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-2.7.1/src/cleanup/cleanup_milter.c new/postfix-2.7.2/src/cleanup/cleanup_milter.c
--- old/postfix-2.7.1/src/cleanup/cleanup_milter.c 2009-06-08 13:52:12.000000000 +0200
+++ new/postfix-2.7.2/src/cleanup/cleanup_milter.c 2010-07-28 01:51:08.000000000 +0200
@@ -370,8 +370,7 @@
}
return ((char *) buf);
}
- msg_warn("unknown command in %s map: %s", map_class, command);
- return ((char *) buf);
+ return ((char *) HBC_CHECKS_STAT_UNKNOWN);
}
/* cleanup_milter_header_checks - inspect Milter-generated header */
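Review bot: The unknown-command path no longer logs anything here: the msg_warn("unknown command in %s map: %s", ...) call is removed and the function now returns HBC_CHECKS_STAT_UNKNOWN with no comment. Whether a mistyped action in a milter_header_checks map is still reported now depends entirely on what the caller does with that value, and the caller is not part of this hunk. Suggest a short comment on the new return line naming who handles HBC_CHECKS_STAT_UNKNOWN, and confirming that a truly unrecognized action still produces a warning somewhere.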
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-2.7.1/src/global/mail_params.h new/postfix-2.7.2/src/global/mail_params.h
--- old/postfix-2.7.1/src/global/mail_params.h 2010-06-02 12:57:55.000000000 +0200
+++ new/postfix-2.7.2/src/global/mail_params.h 2010-06-13 21:20:42.000000000 +0200
@@ -623,6 +623,10 @@
#define DEF_DUP_FILTER_LIMIT 1000
extern int var_dup_filter_limit;
+#define VAR_TLS_APPEND_DEF_CA "tls_append_default_CA"
+#define DEF_TLS_APPEND_DEF_CA 0 /* Postfix < 2.8 BC break */
+extern bool var_tls_append_def_CA;
+
#define VAR_TLS_RAND_EXCH_NAME "tls_random_exchange_name"
#define DEF_TLS_RAND_EXCH_NAME "${data_directory}/prng_exch"
extern char *var_tls_rand_exch_name;
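Review bot: The comment on DEF_TLS_APPEND_DEF_CA, "Postfix < 2.8 BC break", is ambiguous. It can be read as "this default breaks compatibility" or as "this applies only before 2.8", and it does not say which value is the safe one. Suggest spelling it out, for example that 0 means the system default CAs are not appended and that this intentionally differs from earlier behaviour.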
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-2.7.1/src/global/mail_version.h new/postfix-2.7.2/src/global/mail_version.h
--- old/postfix-2.7.1/src/global/mail_version.h 2010-06-08 14:30:42.000000000 +0200
+++ new/postfix-2.7.2/src/global/mail_version.h 2010-11-23 16:58:55.000000000 +0100
@@ -20,8 +20,8 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20100608"
-#define MAIL_VERSION_NUMBER "2.7.1"
+#define MAIL_RELEASE_DATE "20101123"
+#define MAIL_VERSION_NUMBER "2.7.2"
#ifdef SNAPSHOT
# define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-2.7.1/src/global/pipe_command.c new/postfix-2.7.2/src/global/pipe_command.c
--- old/postfix-2.7.1/src/global/pipe_command.c 2008-01-08 22:01:16.000000000 +0100
+++ new/postfix-2.7.2/src/global/pipe_command.c 2010-07-14 21:14:11.000000000 +0200
@@ -628,7 +628,7 @@
*/
if (!NORMAL_EXIT_STATUS(wait_status)) {
if (WIFSIGNALED(wait_status)) {
- dsb_unix(why, "5.3.0", log_len ?
+ dsb_unix(why, "4.3.0", log_len ?
log_buf : sys_exits_detail(EX_SOFTWARE)->text,
"Command died with signal %d: \"%s\"%s%s",
WTERMSIG(wait_status), args.command,
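Review bot: The status passed to dsb_unix() in the WIFSIGNALED branch changes from "5.3.0" to "4.3.0", which turns a permanent failure into a transient one, but nothing in the hunk records why a command killed by a signal should be retried. Suggest a one-line comment above the call stating that signal death is deliberately treated as a temporary error. Please also confirm that the value returned after this block reports a deferral too, since that code is outside the visible lines.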
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-2.7.1/src/smtpd/smtpd.c new/postfix-2.7.2/src/smtpd/smtpd.c
--- old/postfix-2.7.1/src/smtpd/smtpd.c 2010-02-14 02:50:21.000000000 +0100
+++ new/postfix-2.7.2/src/smtpd/smtpd.c 2010-11-22 21:57:59.000000000 +0100
@@ -4487,6 +4487,11 @@
}
/* XXX We use the real client for connect access control. */
if (state->access_denied && cmdp->action != quit_cmd) {
+ /* XXX Exception for Milter override. */
+ if (strncmp(state->access_denied + 1, "21", 2) == 0) {
+ smtpd_chat_reply(state, "%s", state->access_denied);
+ continue;
+ }
smtpd_chat_reply(state, "503 5.7.0 Error: access denied for %s",
state->namaddr); /* RFC 2821 Sec 3.1 */
state->error_count++;
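Review bot: The new test strncmp(state->access_denied + 1, "21", 2) == 0 skips the first digit, so it matches any stored reply whose second and third characters are "21", not only the "421" named in the changelog entry. If only 421 is meant, compare all three characters with strncmp(state->access_denied, "421", 3). If other x21 replies are meant to pass through as well, say so in the "Exception for Milter override" comment. The early continue also bypasses the state->error_count++ that follows the 503 reply, so a client that keeps sending commands after the denial is no longer counted against the error limit on this path. Worth confirming that is intended.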
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-2.7.1/src/smtpd/smtpd_check.c new/postfix-2.7.2/src/smtpd/smtpd_check.c
--- old/postfix-2.7.1/src/smtpd/smtpd_check.c 2009-11-05 20:09:43.000000000 +0100
+++ new/postfix-2.7.2/src/smtpd/smtpd_check.c 2010-11-22 19:03:33.000000000 +0100
@@ -3789,7 +3789,8 @@
name);
else {
cpp += 1;
- if (state->helo_name)
+ if (state->helo_name
+ && valid_hostname(state->helo_name, DONT_GRIPE))
status = reject_rbl_domain(state, *cpp, state->helo_name,
SMTPD_NAME_HELO);
}
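Review bot: With the added valid_hostname(state->helo_name, DONT_GRIPE) condition, a HELO argument that is not a valid hostname now skips reject_rbl_domain() without any log line, and status keeps whatever value it had before this branch. That matches the stated goal of not looking up address forms, but the code does not say so. Suggest a comment above the if explaining that non-domain HELO forms are intentionally not looked up, so a later reader does not take the silent skip for a missed check.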
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-2.7.1/src/smtpd/smtpd_proxy.c new/postfix-2.7.2/src/smtpd/smtpd_proxy.c
--- old/postfix-2.7.1/src/smtpd/smtpd_proxy.c 2010-01-29 23:44:19.000000000 +0100
+++ new/postfix-2.7.2/src/smtpd/smtpd_proxy.c 2010-08-27 22:40:33.000000000 +0200
@@ -355,6 +355,9 @@
/* Needed by our DATA-phase record emulation routines. */
vstream_control(proxy->service_stream, VSTREAM_CTL_CONTEXT,
(char *) state, VSTREAM_CTL_END);
+ /* Avoid poor performance when TCP MSS > VSTREAM_BUFSIZE. */
+ if (connect_fn == inet_connect)
+ vstream_tweak_tcp(proxy->service_stream);
smtp_timeout_setup(proxy->service_stream, proxy->timeout);
/*
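Review bot: The result of vstream_tweak_tcp(proxy->service_stream) is not checked, and the guard connect_fn == inet_connect ties the tweak to one specific connect function by pointer comparison. If a failed tweak is harmless, say so in the comment. Otherwise log it. It would also help to note in the comment that other connect functions are skipped on purpose because the tweak applies to TCP streams only.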
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-2.7.1/src/tls/Makefile.in new/postfix-2.7.2/src/tls/Makefile.in
--- old/postfix-2.7.1/src/tls/Makefile.in 2009-01-15 22:36:39.000000000 +0100
+++ new/postfix-2.7.2/src/tls/Makefile.in 2010-07-07 11:26:33.000000000 +0200
@@ -101,6 +101,7 @@
tls_bio_ops.o: tls.h
tls_bio_ops.o: tls_bio_ops.c
tls_certkey.o: ../../include/argv.h
+tls_certkey.o: ../../include/mail_params.h
tls_certkey.o: ../../include/msg.h
tls_certkey.o: ../../include/name_code.h
tls_certkey.o: ../../include/name_mask.h
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-2.7.1/src/tls/tls_certkey.c new/postfix-2.7.2/src/tls/tls_certkey.c
--- old/postfix-2.7.1/src/tls/tls_certkey.c 2010-06-02 01:52:06.000000000 +0200
+++ new/postfix-2.7.2/src/tls/tls_certkey.c 2010-06-10 15:34:11.000000000 +0200
@@ -70,6 +70,10 @@
#include