Prereq: "2.3.16" diff -cr --new-file /var/tmp/postfix-2.3.16/src/global/mail_version.h ./src/global/mail_version.h *** /var/tmp/postfix-2.3.16/src/global/mail_version.h Sat Jan 3 20:53:47 2009 --- ./src/global/mail_version.h Tue May 12 13:23:29 2009 *************** *** 20,27 **** * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20090103" ! #define MAIL_VERSION_NUMBER "2.3.16" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE --- 20,27 ---- * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20090511" ! #define MAIL_VERSION_NUMBER "2.3.17" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -cr --new-file /var/tmp/postfix-2.3.16/HISTORY ./HISTORY *** /var/tmp/postfix-2.3.16/HISTORY Sat Jan 3 20:51:54 2009 --- ./HISTORY Tue May 12 13:14:29 2009 *************** *** 13185,13187 **** --- 13185,13198 ---- Cleanup: adjust the VSTREAM buffer strategy when reusing an SMTP connection with a large TCP MSS value. File: smtp/smtp_reuse.c. + + 20090419 + + Bugfix: don't re-enable SIGHUP if it is ignored in the + parent. This may cause random "Postfix integrity check + failed" errors at boot time (POSIX SIGHUP death), causing + Postfix not to start. We duplicate code from postdrop and + thus avoid past mistakes. File: postsuper/postsuper.c. + + Robustness: don't re-enable SIGTERM if it is ignored in the + parent. Files: postsuper/postsuper.c, postdrop/postdrop.c. diff -cr --new-file /var/tmp/postfix-2.3.16/src/postdrop/postdrop.c ./src/postdrop/postdrop.c *** /var/tmp/postfix-2.3.16/src/postdrop/postdrop.c Wed May 30 19:51:20 2007 --- ./src/postdrop/postdrop.c Tue May 12 13:15:47 2009 *************** *** 330,336 **** signal(SIGINT, postdrop_sig); signal(SIGQUIT, postdrop_sig); ! 
signal(SIGTERM, postdrop_sig); if (signal(SIGHUP, SIG_IGN) == SIG_DFL) signal(SIGHUP, postdrop_sig); msg_cleanup(postdrop_cleanup); --- 330,337 ---- signal(SIGINT, postdrop_sig); signal(SIGQUIT, postdrop_sig); ! if (signal(SIGTERM, SIG_IGN) == SIG_DFL) ! signal(SIGTERM, postdrop_sig); if (signal(SIGHUP, SIG_IGN) == SIG_DFL) signal(SIGHUP, postdrop_sig); msg_cleanup(postdrop_cleanup); diff -cr --new-file /var/tmp/postfix-2.3.16/src/postsuper/postsuper.c ./src/postsuper/postsuper.c *** /var/tmp/postfix-2.3.16/src/postsuper/postsuper.c Sat Jul 22 21:28:52 2006 --- ./src/postsuper/postsuper.c Tue May 12 13:20:27 2009 *************** *** 969,979 **** /* * This commands requires root privileges. We therefore do not worry * about hostile signals, and report problems via msg_warn(). */ ! if (signal(SIGHUP, SIG_IGN) != SIG_IGN) { ! (void) signal(SIGINT, SIG_IGN); (void) signal(SIGQUIT, SIG_IGN); (void) signal(SIGTERM, SIG_IGN); if (inode_mismatch > 0 || inode_fixed > 0 || position_mismatch > 0) msg_warn("OPERATION INCOMPLETE -- RERUN COMMAND TO FIX THE QUEUE FIRST"); if (sig) --- 969,985 ---- /* * This commands requires root privileges. We therefore do not worry * about hostile signals, and report problems via msg_warn(). + * + * We use the in-kernel SIGINT handler address as an atomic variable to + * prevent nested interrupted() calls. For this reason, main() must + * configure interrupted() as SIGINT handler before other signal handlers + * are allowed to invoke interrupted(). See also similar code in + * postdrop. */ ! 
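Review bot: The new `if (signal(SIGTERM, SIG_IGN) == SIG_DFL)` test in postdrop.c changes the disposition in order to read it, so a SIGTERM that arrives in the narrow window between the two signal() calls is silently discarded instead of being acted on. The same test-and-set pattern is used for SIGTERM and SIGHUP in the main() hunk of postsuper.c. Querying without modifying would close that window, for example `struct sigaction old;` followed by `if (sigaction(SIGTERM, (struct sigaction *) 0, &old) == 0 && old.sa_handler == SIG_DFL) signal(SIGTERM, postdrop_sig);`. Comparing the return value only against SIG_DFL also means a SIG_ERR result leaves the signal ignored without any report. The enclosing function starts and ends outside the hunk.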
if (signal(SIGINT, SIG_IGN) != SIG_IGN) { (void) signal(SIGQUIT, SIG_IGN); (void) signal(SIGTERM, SIG_IGN); + (void) signal(SIGHUP, SIG_IGN); if (inode_mismatch > 0 || inode_fixed > 0 || position_mismatch > 0) msg_warn("OPERATION INCOMPLETE -- RERUN COMMAND TO FIX THE QUEUE FIRST"); if (sig) *************** *** 1161,1171 **** * * Set up signal handlers after permanently dropping super-user privileges, * so that signal handlers will always run with the correct privileges. */ - signal(SIGHUP, interrupted); signal(SIGINT, interrupted); signal(SIGQUIT, interrupted); ! signal(SIGTERM, interrupted); msg_cleanup(fatal_warning); /* --- 1167,1186 ---- * * Set up signal handlers after permanently dropping super-user privileges, * so that signal handlers will always run with the correct privileges. + * + * XXX Don't enable SIGHUP or SIGTERM if it was ignored by the parent. + * + * interrupted() uses the in-kernel SIGINT handler address as an atomic + * variable to prevent nested interrupted() calls. For this reason, the + * SIGINT handler must be configured before other signal handlers are + * allowed to invoke interrupted(). See also similar code in postdrop. */ signal(SIGINT, interrupted); signal(SIGQUIT, interrupted); ! if (signal(SIGTERM, SIG_IGN) == SIG_DFL) ! signal(SIGTERM, interrupted); ! if (signal(SIGHUP, SIG_IGN) == SIG_DFL) ! signal(SIGHUP, interrupted); msg_cleanup(fatal_warning); /*
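Review bot: interrupted() still calls `msg_warn()` from signal context, and the comment's rationale (the command needs root, so hostile signals are not a concern) covers who may send the signal, not which code the handler may interrupt. If msg_warn() allocates memory or uses buffered I/O (not visible here, so to be confirmed), an operator's interrupt or a shutdown SIGTERM that lands inside such a call could hang or corrupt state rather than print the "OPERATION INCOMPLETE" warning. I would record the accepted risk next to the new text, e.g. `* XXX msg_warn() is not async-signal-safe; accepted here because this is a last-resort notice.`, adjusted to whatever the real justification is. While the comment is being edited, `This commands requires` should read `This command requires`. The body of interrupted() starts and ends outside the hunk.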
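Review bot: The added `XXX Don't enable SIGHUP or SIGTERM if it was ignored by the parent.` line in main() states the rule but not the reason, and the reason is what keeps a later cleanup from reverting it. The HISTORY entry in this same patch has it: re-enabling an ignored SIGHUP caused random "Postfix integrity check failed" errors at boot time, so Postfix did not start. I would fold that into the comment, e.g. `* Don't enable SIGHUP or SIGTERM if the parent ignored it; re-enabling SIGHUP caused boot-time "integrity check failed" errors.`, and add one sentence on why SIGQUIT is still installed unconditionally while SIGTERM and SIGHUP are not. The statement run continues past the end of the hunk.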