Newer
Older
6001
6002
6003
6004
6005
6006
6007
6008
6009
6010
6011
6012
6013
6014
6015
6016
6017
6018
6019
6020
6021
6022
6023
6024
6025
6026
6027
6028
6029
6030
6031
6032
6033
6034
6035
6036
6037
6038
6039
6040
6041
6042
6043
6044
6045
6046
6047
6048
6049
6050
6051
6052
6053
6054
6055
6056
6057
6058
6059
6060
6061
6062
6063
6064
6065
6066
6067
6068
6069
6070
6071
6072
6073
6074
6075
6076
6077
6078
6079
6080
6081
6082
6083
6084
6085
6086
6087
6088
6089
6090
6091
6092
6093
6094
6095
6096
6097
6098
6099
6100
6101
6102
6103
6104
6105
6106
6107
6108
6109
6110
6111
6112
6113
6114
6115
6116
6117
6118
6119
6120
6121
6122
6123
6124
6125
6126
6127
6128
6129
6130
6131
6132
6133
6134
6135
6136
6137
6138
6139
6140
6141
6142
6143
6144
6145
6146
6147
6148
6149
6150
6151
6152
6153
6154
6155
6156
6157
6158
6159
6160
6161
6162
6163
6164
6165
6166
6167
6168
6169
6170
6171
6172
6173
6174
6175
6176
6177
6178
6179
6180
6181
6182
6183
6184
6185
6186
6187
6188
6189
6190
6191
6192
6193
6194
6195
6196
6197
6198
6199
6200
6201
6202
6203
6204
6205
6206
6207
6208
6209
6210
6211
6212
6213
6214
6215
6216
6217
6218
6219
6220
6221
6222
6223
6224
6225
6226
6227
6228
6229
6230
6231
6232
6233
6234
6235
6236
6237
6238
6239
6240
6241
6242
6243
6244
6245
6246
6247
6248
6249
6250
6251
6252
6253
6254
6255
6256
6257
6258
6259
6260
6261
6262
6263
6264
6265
6266
6267
6268
6269
6270
6271
6272
6273
6274
6275
6276
6277
6278
6279
6280
6281
6282
6283
6284
6285
6286
6287
6288
6289
6290
6291
6292
6293
6294
6295
6296
6297
6298
6299
6300
6301
6302
6303
6304
6305
6306
6307
6308
6309
6310
6311
6312
6313
6314
6315
6316
6317
6318
6319
6320
6321
6322
6323
6324
6325
6326
6327
6328
6329
6330
6331
6332
6333
6334
6335
6336
6337
6338
6339
6340
6341
6342
6343
6344
6345
6346
6347
6348
6349
6350
6351
6352
6353
6354
6355
6356
6357
6358
6359
6360
6361
6362
6363
6364
6365
6366
6367
6368
6369
6370
6371
6372
6373
6374
6375
6376
6377
6378
is used while SASL authentication is disabled, instead of
simply ignoring the restriction. LaMont Jones, HP. File:
smtpd/smtpd.c.
Safety: when postmap creates a non-existent file, the new
file inherits group/other read permissions from the source
file. Based on code by LaMont Jones, HP. File:
postmap/postmap.c.
20020123
Portability: some Linux systems install libnsl.so without
libnsl.a file, causing an yp_match undefined reference
problem. File: makedefs.
20020124
Portability: post-install now requests that command_directory
is given on the command line when the postconf command is
in an unusual place.
Safety: extra code to detect and report Berkeley DB version
mismatches between compile time and run time. This test
is limited to mismatches in the major version number only.
File: util/dict_db.c. Based on code by Lawrence Greenfield,
Carnegie-Mellon university.
Safety: the postfix command and the master daemon abort if
they are running set-uid.
Documentation: the postmap manual page described an out of
date input file format.
20020129
Workaround: SCO version 3.2 can't ioctl(FIONREAD) a pipe.
Therefore, input mail flow control is disabled by default.
Files: makedefs, global/mail_params.h, conf/main.cf.
Problem reported by Kurt Andersen, Agilent.
20020201
Workaround: changed the default smtpd_null_access_lookup_key
setting to <>, because some Bezerkeloid DB implementations
can't handle null-length lookup keys. File: global/mail_params.h.
Bugfix: backed out a null-length address panic call by
ignoring the problem, like Postfix did in the past. File:
global/resolve_local.c.
Safety: "postfix check" will now warn if /usr/lib/sendmail
and /usr/sbin/sendmail differ, and will propose to replace
one by a symlink to the other. File: conf/postfix-script.
20020204
Sanity: additional permission checks for "postfix check"
that warn for setgid_group group ownership mismatches. by
Matthias Andree, uni-dortmund.de. File: conf/postfix-script.
Bugfix: "postfix check" used a too simplistic way to
recognize file ownership (grepping ls output). It now uses
the recently discovered "find -prune". Peter Bieringer,
Matthias Andree. File: conf/postfix-script.
20020218
Workaround: log a warning and disconnect when an SMTP client
ignores our negative replies and starts sending message
content without permission. File: smtpd/smtpd.c.
20020220
Bugfix: mismatch in the file being locked by dict_dbm and
the file being locked by postmap, so that locks did not
work correctly. Victor Duchovni, Morgan Stanley.
20020222
Workaround: Solaris bug 4380626: strcasecmp() and strncasecmp()
produce incorrect results with 8-bit characters. For example,
non-ASCII characters could compare equal to ASCII characters,
and that could result in any number of security problems.
Files: util/strcasecmp.c, COPYRIGHT (the BSD license).
Bugfix: off-by-one error, causing a null byte to be written
outside dynamically allocated memory in the queue manager
with addresses of exactly 100 bytes long, resulting in
SIGSEGV on systems with an "exact fit" malloc routine.
Experienced by Ralf Hildebrandt; diagnosed by Victor
Duchovny. Files: *qmgr/qmgr_message.c. This is not a
security problem.
Bugfix: make all recipient comparisons transitive, because
Solaris qsort() causes SIGSEGV errors otherwise. Victor
Duchovny, Morgan Stanley. File: *qmgr/qmgr_message.c.
20020302
Bugfix: don't strip source route (@domain...:) when the
result would be an empty address. This avoids problems when
append_at_myorigin is set to "no" (which is not supported).
Problem reported by Charles McColgan, Big Fish Communications.
File: trivial-rewrite/rewrite.c.
20020304
Cleanup: postqueue should not not complain when output
fails with "broken pipe".
20020308
Bugfix? reply with 550 not 552 when content is rejected.
552 is reserved for "too much mail".
Documentation: add note to sendmail manual page that running
"sendmail -bs" as $mail_owner enables SMTP server UCE and
access control checks. This is meant for use from inetd etc.
Matthias Andree.
20020311
Bugfix: DBM maps should use different files for locking
and for change detection. Problem reported by Victor
Duchovny, Morgan Stanley. Files: util/dict.h util/dict.c
util/dict_db.c util/dict_dbm.c global/mkmap.c local/alias.c.
20020313
Bugfix: mailq could show addresses with unusual characters
twice. Problem reported by Victor Duchovny, Morgan Stanley.
File: showq/showq.c.
Bugfix: null recipients weren't properly recorded in
bounce/defer logfiles. Such recipient addresses are not
accepted in SMTP mail, but they could appear within locally
submitted mail. File: bounce/bounce_append_service.c.
20020318
Workaround: Berkeley DB can't handle null key lookups,
which happen with HELO names ending in ".". Victor Duchovni,
Morgan Stanley. File: smtpd/smtpd_check.c.
Logging: log a hint when mail is deferred because the
soft_bounce parameter is set. People sometimes forget to
turn it off. File: global/bounce.c.
20020319
Cleanup: add a msg_warn() call when fork() fails in
pipe_command(), to make problems easier to investigate.
Chris Wedgwood. File: global/pipe_command.c.
20020324
Cleanup: more graceful handling of long physical message
header lines upon input. Physical header lines can now
extend up to $header_size_limit characters. When a logical
message header is too long, the excess text is discarded
and Postfix no longer switches to body mode, to avoid
breaking MIME encapsulation. Based on code by Victor
Duchovni, Morgan Stanley. Files: cleanup/cleanup_out.c,
cleanup/cleanup_message.c.
Cleanup: more graceful handling of long physical message
header or body lines upon output by the SMTP client. The
SMTP client output line length is controlled by a new
parameter smtp_line_length_limit (default: 990; specify 0
to disable the limit). Long lines are folded by inserting
<CR> <LF> <SPACE>, to avoid breaking MIME encapsulation.
Based on code by Victor Duchovni, Morgan Stanley. File:
smtp/smtp_proto.c.
20020325
Cleanup: allow additional text after a WARN command in a
header/body_checks pattern file, so that one can change
REJECT+text into WARN+text and vice versa. Based on code
by Fredrik Thulin, Stockholm University.
Cleanup: log a warning when an unknown command is found in
a header/body_checks pattern file, or when additional text
is found after a command that does not expect additional
text. Based on code by Fredrik Thulin, Stockholm University.
Bugfix: sendmail should not recognize "." as the end of
input when the current read operation started in the middle
of a line. Victor Duchovni, Morgan Stanley. File:
sendmail/sendmail.c.
20020328
Portability fix for OPENSTEP and NEXTSTEP by Gerben Wierda.
File: util/sys_defs.h.
20020329
Bugfix: defer_transports broke because the flush server
triggered mail delivery (as if ETRN was sent) while doing
some internal housekeeping of per-destination logfiles.
Problem experienced by LaMont Jones, HP. File: flush/flush.c.
Bugfix: virtual mapping broke for addresses with embedded
whitespace. Fix by Victor Duchovni, Morgan Stanley. File:
cleanup/cleanup_map1n.c.
20020330
Bugfix: postqueue did not pass on non-default configuration
directory settings when running showq while the mail system
is down. The super-user is now exempted from environment
stripping in postqueue/postqueue.c. Problem reported by
Victor Duchovni, Morgan Stanley.
20020414
Portability: Postfix will no longer attempt to build with
gdbm support, because gdbm is broken. File: makedefs.
20020417
Bugfix: the post-install script failed to upgrade master.cf
settings from private to public if the service was explicitly
configured as private.
20020426
Bugfix: the SMTP client forgot to quote whitespace etc.
in a sender/recipient address when DNS lookup was turned
off (disable_dns_lookups = yes). Problem experienced by
Chip Paswater. Files: smtp/smtp_proto.c.
20020503
Cleanup: postqueue silently ignored command-line arguments
following -p or -f options, instead of complaining; postqueue
produced an incorrect error message (mail system down) when
the command was installed with incorrect privileges. File:
postqueue/postqueue.c.
Bugfix: while reporting a domain name or IP address syntax
error, postqueue could dereference a dangling pointer with
some getopt() implementations. LaMont Jones, HP. File:
postqueue/postqueue.c.
20020504
Portability: run-time test to avoid GDBM trouble. File:
util/dict_dbm.c.
20020508
Bugfix: close user@domain@postfix-style.virtual.domain
source routing relaying loophole involving postfix-style
virtual domains with @virtual.domain catch-all patterns.
Problem reported by Victor Duchovny. File: smtpd/smtpd_check.c.
Bugfix: mail_addr_map() used the "wrong" @ character in
addresses with multiple @. Victor Duchovny. File:
global/mail_addr_map.c.
Bugfix: for address localpart quoting, now quote @ as a
special character everywhere, except when resolving addresses.
Previously, the @ was nowhere quoted as a special character,
not even in SMTP commands. Files: global/quote_82[12]_local.c
and some clients.
20020509
Safety: don't allow an OK access rule lookup result for
user@domain@postfix-style.virtual.domain. Suggested by
Victor Duchovny, Morgan Stanley. File: smtpd/smtpd_check.c.
Bugfix: quote unquoted address localparts that need quoting.
Files: global/tok822_parse.c, global/quote_82[12]_local.c.
20020512
Cleanup: the SMTP client logged and bounced the CNAME
expanded recipient address, and thereby complicated trouble
shooting. File: src/smtp_proto.c.
Bugfix: the SMTP and LMTP clients bounced the quoted
recipient address, resulting in too much quoting in bounce
reports. Files: src/smtp_proto.c, lmtp/lmtp_proto.c.
20020513
Bugfix: the LDAP client used the "wrong" @ character in
addresses with multiple @. LaMont Jones, HP. File:
util/dict_ldap.c.
Compatibility: forwards "postqueue -r" compatibility with
the additional queue file records that are stored by snapshot
20050512.
Cleanup: specify "resolve_dequoted_address = no" to prevent
Postfix from looking inside quotes for extra @ etc. characters
when resolving an address. This behavior is technically
more correct, but it opens a mail relay loophole with "user
@domain"@domain when relaying mail to a Sendmail system.
20020514
Bugfix: the new code for header address quoting sometimes
did not null terminate strings so that arbitrary garbage
could appear at the end of message headers. Reported by
Ralf Hildebrandt. File: global/tok822_parse.c.
Safety: user@domain@domain is no longer accepted by the
permit_mx_backup uce restriction (unless Postfix is configured
with "resolve_dequoted_address = no"). Victor Duchovny,
Morgan Stanley. File: smtpd/smtpd_check.c.
20020517
Cleanup: Mailbox-Line: message header labels should be
X-Mailbox-Line: labels. Files: smtpd/smtpd.c, qmqpd/qmqpd.c.
20020526
Bugfix: the SMTP server now disallows RCPT TO:<"">, just
like it disallows RCPT TO:<>. File: smtpd/smtpd.c.
Documentation: replace domain.name by domain.tld in the
example config files. The domain exists. They were getting
mail from poorly configured Postfix boxes.
Bugfix: The Postfix sendmail command did not export the
MAIL_CONFIG environment setting to the postdrop command.
File: global/mail_config.h.
20021121
Bugfix: garbage in "user@garbage"@domain address forms may
cause the SMTP or LMTP client to terminate with a fatal
error exit because garbage/tcp is not an existing service.
This cannot be abused to cause the SMTP or LMTP client to
send data into unauthorized ports. Files: *qmgr/qmgr_message.c,
trivial-rewrite/resolve.c.
20030728
Bugfix: an invalid address resolved to an invalid result,
and caused the address resolver client to keep trying
forever, resulting in a local or remote DOS condition of
smtpd, qmgr, and other programs. Reported by Michal
Zalewski. File: trivial-rewrite/resolve.c.
Open problems:
Low: sendmail does not store null command-line recipients.
Low: don't do user@domain and @domain lookups in
local_recipient_maps queries.
Low: after reorganizing configuration parameters, add flags
to all parameters whose value can be read from file.
Medium: need in-process caching for map lookups. LDAP
servers seem to need this in particular. Need a way to
expire cached results that are too old.
Medium: make address rewriting on/off configurable for
envelopes and/or headers.
Low: generic showq protocol, to allow for more intelligent
processing than just mailq. Maybe marry this with postsuper.
Low: default domain for appending to unqualified recipients.
Low: The $process_id_directory setting is not used anywhere
in Postfix. Problem reported by Michael Smith, texas.net.
This should be documented, or better, the code should warn
about attempts to set read-only parameters.
Low: postconf -e edits parameters that postconf won't list.