Prereq: "3.8.2"
diff -ur --new-file /var/tmp/postfix-3.8.2/src/global/mail_version.h ./src/global/mail_version.h
--- /var/tmp/postfix-3.8.2/src/global/mail_version.h 2023-09-01 09:03:35.000000000 -0400
+++ ./src/global/mail_version.h 2023-11-01 13:03:36.000000000 -0400
@@ -20,8 +20,8 @@
 * Patches change both the patchlevel and the release date. Snapshots have no
 * patchlevel; they change the release date only.
 */
-#define MAIL_RELEASE_DATE "20230901"
-#define MAIL_VERSION_NUMBER "3.8.2"
+#define MAIL_RELEASE_DATE "20231101"
+#define MAIL_VERSION_NUMBER "3.8.3"
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
diff -ur --new-file /var/tmp/postfix-3.8.2/HISTORY ./HISTORY
--- /var/tmp/postfix-3.8.2/HISTORY 2023-09-01 09:18:15.000000000 -0400
+++ ./HISTORY 2023-10-31 14:51:03.000000000 -0400
@@ -27184,3 +27184,31 @@
 This problem was reported first in the context of TLSA record lookups. Files: util/valid_hostname.[hc], dns/dns_lookup.c.
+
+20230929
+
+ Bugfix (defect introduced Postfix 2.5, 20080104): the Postfix
+ SMTP server was waiting for a client command instead of
+ replying immediately, after a client certificate verification
+ error in TLS wrappermode. Reported by Andreas Kinzler. File:
+ smtpd/smtpd.c.
+
+20231006
+
+ Usability: the Postfix SMTP server now attempts to log the
+ SASL username after authentication failure. In Postfix
+ logging, this appends ", sasl_username=xxx" after the reason
+ for SASL authentication failure. The logging replaces an
+ unavailable reason with "(reason unavailable)", and replaces
+ an unavailable sasl_username with "(unavailable)". Based
+ on code by Jozsef Kadlecsik. Files: xsasl/xsasl_server.c,
+ xsasl/xsasl_cyrus_server.c, smtpd/smtpd_sasl_glue.c.
+
+20231026
+
+ Bugfix (defect introduced: Postfix 2.11): in forward_path,
+ the expression ${recipient_delimiter} would expand to an
+ empty string when a recipient address had no recipient
+ delimiter. Fixed by restoring Postfix 2.10 behavior to use
+ a configured recipient delimiter value. Reported by Tod
+ A. Sandman. Files: proto/postconf.proto, local/local_expand.c.
diff -ur --new-file /var/tmp/postfix-3.8.2/html/postconf.5.html ./html/postconf.5.html
--- /var/tmp/postfix-3.8.2/html/postconf.5.html 2023-06-05 15:23:21.000000000 -0400
+++ ./html/postconf.5.html 2023-11-01 12:32:11.000000000 -0400
@@ -3761,7 +3761,10 @@
$recipient_delimiter
The address extension delimiter that was found in the recipient
-address (Postfix 2.11 and later), or the system-wide recipient
+address (Postfix 2.11 and later), or the 'first' delimiter specified
+with the system-wide recipient address extension delimiter (Postfix
+3.5.22, 3.5.12, 3.7.8, 3.8.3 and later). Historically, this was
+always the system-wide recipient
 address extension delimiter (Postfix 2.10 and earlier).
${name?value}
diff -ur --new-file /var/tmp/postfix-3.8.2/man/man5/postconf.5 ./man/man5/postconf.5
--- /var/tmp/postfix-3.8.2/man/man5/postconf.5 2023-06-05 15:23:21.000000000 -0400
+++ ./man/man5/postconf.5 2023-11-01 12:32:11.000000000 -0400
@@ -2388,7 +2388,10 @@
 .br
 .IP "\fB$recipient_delimiter\fR"
 The address extension delimiter that was found in the recipient
-address (Postfix 2.11 and later), or the system\-wide recipient
+address (Postfix 2.11 and later), or the 'first' delimiter specified
+with the system\-wide recipient address extension delimiter (Postfix
+3.5.22, 3.5.12, 3.7.8, 3.8.3 and later). Historically, this was
+always the system\-wide recipient
 address extension delimiter (Postfix 2.10 and earlier).
 .br
 .IP "\fB${name?value}\fR"
diff -ur --new-file /var/tmp/postfix-3.8.2/proto/postconf.proto ./proto/postconf.proto
--- /var/tmp/postfix-3.8.2/proto/postconf.proto 2023-06-05 15:12:17.000000000 -0400
+++ ./proto/postconf.proto 2023-10-31 19:39:34.000000000 -0400
@@ -1764,7 +1764,10 @@
$recipient_delimiter
The address extension delimiter that was found in the recipient
-address (Postfix 2.11 and later), or the system-wide recipient
+address (Postfix 2.11 and later), or the 'first' delimiter specified
+with the system-wide recipient address extension delimiter (Postfix
+3.5.22, 3.5.12, 3.7.8, 3.8.3 and later). Historically, this was
+always the system-wide recipient
 address extension delimiter (Postfix 2.10 and earlier).
${name?value}
diff -ur --new-file /var/tmp/postfix-3.8.2/src/local/local_expand.c ./src/local/local_expand.c
--- /var/tmp/postfix-3.8.2/src/local/local_expand.c 2014-12-06 20:35:33.000000000 -0500
+++ ./src/local/local_expand.c 2023-10-26 16:31:24.000000000 -0400
@@ -138,6 +138,8 @@
 } else if (STREQ(name, "recipient_delimiter")) {
 rcpt_delim[0] = local->state->msg_attr.local[strlen(local->state->msg_attr.user)];
+ if (rcpt_delim[0] == 0)
+ rcpt_delim[0] = var_rcpt_delim[0];
 rcpt_delim[1] = 0;
 return (rcpt_delim[0] ? rcpt_delim : 0);
 #if 0
diff -ur --new-file /var/tmp/postfix-3.8.2/src/smtpd/smtpd.c ./src/smtpd/smtpd.c
--- /var/tmp/postfix-3.8.2/src/smtpd/smtpd.c 2023-06-05 15:06:51.000000000 -0400
+++ ./src/smtpd/smtpd.c 2023-10-26 18:41:32.000000000 -0400
@@ -5198,15 +5198,16 @@
 if (requirecert && TLS_CERT_IS_TRUSTED(state->tls_context) == 0) {
 /*
- * Fetch and reject the next command (should be EHLO), then
- * disconnect (side-effect of returning "421 ...".
+ * In non-wrappermode, fetch the next command (should be EHLO). Reply
+ * with 421, then disconnect (as a side-effect of replying with 421).
 */
 cert_present = TLS_CERT_IS_PRESENT(state->tls_context);
 msg_info("NOQUEUE: abort: TLS from %s: %s", state->namaddr, cert_present ? "Client certificate not trusted" : "No client certificate presented");
- smtpd_chat_query(state);
+ if (var_smtpd_tls_wrappermode == 0)
+ smtpd_chat_query(state);
 smtpd_chat_reply(state, "421 4.7.1 %s Error: %s", var_myhostname, cert_present ? "Client certificate not trusted" :
diff -ur --new-file /var/tmp/postfix-3.8.2/src/smtpd/smtpd_sasl_glue.c ./src/smtpd/smtpd_sasl_glue.c
--- /var/tmp/postfix-3.8.2/src/smtpd/smtpd_sasl_glue.c 2020-08-30 17:03:46.000000000 -0400
+++ ./src/smtpd/smtpd_sasl_glue.c 2023-10-30 19:16:11.000000000 -0400
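Review bot: The added fallback `rcpt_delim[0] = var_rcpt_delim[0];` deliberately keeps only the first character of the configured recipient_delimiter, but nothing in the code says so, and a reader who knows recipient_delimiter may hold several characters will read the truncation as a bug; the postconf.proto hunk in this patch documents it as the 'first' delimiter. A comment above the new `if`, such as `/* No delimiter in the address: fall back to the first configured delimiter (Postfix 2.10 behavior). var_rcpt_delim may be empty; the return below then yields 0. */`, would tie the code to that documentation. The empty-configuration case is already handled because the unchanged `return (rcpt_delim[0] ? rcpt_delim : 0);` still sees a NUL. The enclosing function starts and ends outside the hunk.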
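Review bot: The rewritten comment above `cert_present = ...` describes the non-wrappermode path but does not say why wrappermode must skip `smtpd_chat_query(state)`, which is the actual fix according to the HISTORY entry; presumably in wrappermode TLS is negotiated before any greeting, so no client command is pending and the read would only wait for the client to time out. If that is the reason, add it to the comment block, e.g. `* In wrappermode no client command is pending, so do not wait for one.`, so the next reader does not "simplify" the condition away. The enclosing function continues outside the hunk on both sides.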
@@ -340,9 +340,11 @@
 }
 }
 if (status != XSASL_AUTH_DONE) {
- msg_warn("%s: SASL %s authentication failed: %s",
- state->namaddr, sasl_method,
- STR(state->sasl_reply));
+ sasl_username = xsasl_server_get_username(state->sasl_server);
+ msg_warn("%s: SASL %.100s authentication failed: %s, sasl_username=%.100s",
+ state->namaddr, sasl_method, *STR(state->sasl_reply) ?
+ STR(state->sasl_reply) : "(reason unavailable)",
+ sasl_username ? sasl_username : "(unavailable)");
 /* RFC 4954 Section 6. */
 if (status == XSASL_AUTH_TEMP)
 smtpd_chat_reply(state, "454 4.7.0 Temporary authentication failure: %s",
diff -ur --new-file /var/tmp/postfix-3.8.2/src/xsasl/xsasl_cyrus_server.c ./src/xsasl/xsasl_cyrus_server.c
--- /var/tmp/postfix-3.8.2/src/xsasl/xsasl_cyrus_server.c 2016-06-25 20:45:17.000000000 -0400
+++ ./src/xsasl/xsasl_cyrus_server.c 2023-10-30 19:16:11.000000000 -0400
@@ -625,16 +625,15 @@
 /*
 * XXX Do not free(serverout).
 */
+ if (server->username)
+ myfree(server->username);
 sasl_status = sasl_getprop(server->sasl_conn, SASL_USERNAME, &serverout);
 if (sasl_status != SASL_OK || serverout == 0) {
- msg_warn("%s: sasl_getprop SASL_USERNAME botch: %s",
- myname, xsasl_cyrus_strerror(sasl_status));
- return (0);
+ server->username = 0;
+ } else {
+ server->username = mystrdup(serverout);
+ printable(server->username, '?');
 }
- if (server->username)
- myfree(server->username);
- server->username = mystrdup(serverout);
- printable(server->username, '?');
 return (server->username);
 }
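Review bot: The value logged at `sasl_username=%.100s` is client-supplied, and its safety in a log line depends on every xsasl backend behind `xsasl_server_get_username()` sanitizing it; the xsasl_cyrus_server.c hunk in this patch does run it through `printable(server->username, '?')`, but the other backends are not in this diff, so confirm they do the same (or that the msg_* layer sanitizes its output) before relying on it. The `%.100s` bound is applied to `sasl_method` and `sasl_username` while the reason `STR(state->sasl_reply)` keeps an unbounded `%s`; if that asymmetry is deliberate, a one-line comment saying why would spare the next reviewer the same question. `sasl_username` is declared outside this hunk, and the enclosing function starts and ends outside it.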
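Review bot: The `sasl_getprop()` failure branch now sets `server->username = 0;` and returns without the `msg_warn("%s: sasl_getprop SASL_USERNAME botch: %s", ...)` the old code emitted, so a genuine library error is no longer distinguishable in the logs from "no username available". If the warning was dropped because SASL_USERNAME is legitimately unset after a failed authentication (the new caller in smtpd_sasl_glue.c asks for it exactly then), say so in the comment block above, e.g. `* No SASL_USERNAME after a failed authentication is normal, so do not warn.`; otherwise keep the warning in that branch. Freeing `server->username` before the lookup and clearing it on failure does leave no stale pointer behind, which is an improvement over the old early `return (0)`. The enclosing function starts outside the hunk.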