9 files changed, 89 insertions, 18 deletions

diff --git a/HISTORY b/HISTORY
index 959e0fa..7cf0f3e 100644
--- a/HISTORY
+++ b/HISTORY
@@ -27973,3 +27973,53 @@ Apologies for any names omitted.
 	Documentation: in the master.cf documentation, added text
 	for "quoting" a command-line argument that starts with "{".
 	File: proto/master.
+
+20240831
+
+	Bugfix: Postfix 3.9.0 did not have a three-number mail_version
+	value (it still had the two-number version from
+	postfix-3.9-yyyymmdd).  Michael Orlitzky. Files:
+	global/mail_version.h, mantools/check-snapshot-nonprod.
+
+20240930
+
+	Bugfix (defect introduced: Postfix 2.9, date 20111218):
+	with "smtpd_sasl_auth_enable = no", info received with
+	XCLIENT LOGIN was ignored by permit_sasl_authenticated.
+	The fix was to remove a test and to rely solely on the
+	sasl_mechanism property which is null when a remote SMTP
+	client is not authenticated. File: src/smtpd/smtpd_check.c.
+
+20241021
+
+	Bugfix (defect introduced: postfix 3.0): the default master.cf
+	syslog_name setting for the relay service did not preserve
+	multi-instance information. File: conf/master.cf.
+
+20241027
+
+	Bugfix (defect introduced: Postfix 2.3, date 20051222):
+	file descriptor leak after failure to connect to a Dovecot
+	auth server. The impact is limited because there are limits
+	on the number of retries (one), on the number of errors per
+	SMTP session (smtpd_hard_error_limit), on the number
+	of sessions per SMTP server process (max_use), and on the
+	number file handles per process (managed with sysctl).
+	File: xsasl/xsasl_dovecot_server.c.
+
+20241122
+
+	Bugfix (defect introduced: Postfix 3.4, date 20190121): the
+	postsuper command failed with "open logfile 'xxx': Permission
+	denied" when the maillog_file parameter specified a filename
+	and Postfix was not running. This was fixed by opening the
+	maillog_file before dropping root privileges. Files:
+	util/msg_logger.c, global/maillog_client.c.
+
+20241201
+
+	Bugfix (defect introduced Postfix 3.0). Missing UTF8
+	autodetection for headers that are automatically generated
+	by Postfix (for example, a From: header with UTF8 full name
+	information from the password file). Reported by Michael
+	Tokarev. File: src/cleanup/cleanup_message.c.
diff --git a/conf/master.cf b/conf/master.cf
index fd282dd..abd6dae 100644
--- a/conf/master.cf
+++ b/conf/master.cf
@@ -67,7 +67,7 @@ proxymap  unix  -       -       n       -       -       proxymap
 proxywrite unix -       -       n       -       1       proxymap
 smtp      unix  -       -       n       -       -       smtp
 relay     unix  -       -       n       -       -       smtp
-        -o syslog_name=postfix/$service_name
+        -o syslog_name=${multi_instance_name?{$multi_instance_name}:{postfix}}/$service_name
 #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
 showq     unix  n       -       n       -       -       showq
 error     unix  -       -       n       -       -       error
diff --git a/mantools/check-snapshot-nonprod b/mantools/check-snapshot-nonprod
index e18f6aa..b3a038f 100755
--- a/mantools/check-snapshot-nonprod
+++ b/mantools/check-snapshot-nonprod
@@ -9,5 +9,8 @@ postfix-[0-9]*.[0-9]*.[0-9]*)
 	echo "Error: stable release builds with -DSNAPSHOT" 1>&2, exit 1; }
     grep 'CCARGS.*-DNONPROD' conf/makedefs.out && {
 	echo "Error: stable release builds with -DNONPROD" 1>&2, exit 1; }
+    mail_version=$(sh postfix-env.sh bin/postconf -h mail_version) || exit 1
+    test "postfix-$mail_version" = "$version" || {
+	echo "Error: version '$mail_version' in src/global/mail_version.h does not match version in pathname '$(env - pwd)'" 1>&2; exit 1; }
     ;;
 esac
diff --git a/src/cleanup/cleanup_message.c b/src/cleanup/cleanup_message.c
index 0d31598..d5b1271 100644
--- a/src/cleanup/cleanup_message.c
+++ b/src/cleanup/cleanup_message.c
@@ -723,8 +723,9 @@ static void cleanup_header_done_callback(void *context)
 	    vstring_sprintf(state->temp1, "%s.%s@%s",
 			    time_stamp, state->queue_id, var_myhostname);
 	}
-	cleanup_out_format(state, REC_TYPE_NORM, "%sMessage-Id: <%s>",
-			   state->resent, vstring_str(state->temp1));
+	vstring_sprintf(state->temp2, "%sMessage-Id: <%s>",
+			state->resent, vstring_str(state->temp1));
+	cleanup_out_header(state, state->temp2);
 	msg_info("%s: %smessage-id=<%s>",
 		 state->queue_id, *state->resent ? "resent-" : "",
 		 vstring_str(state->temp1));
@@ -741,8 +742,9 @@ static void cleanup_header_done_callback(void *context)
     if ((state->hdr_rewrite_context || var_always_add_hdrs)
 	&& (state->headers_seen & (1 << (state->resent[0] ?
 				       HDR_RESENT_DATE : HDR_DATE))) == 0) {
-	cleanup_out_format(state, REC_TYPE_NORM, "%sDate: %s",
+	vstring_sprintf(state->temp2, "%sDate: %s",
 		      state->resent, mail_date(state->arrival_time.tv_sec));
+	cleanup_out_header(state, state->temp2);
     }
 
     /*
@@ -805,7 +807,7 @@ static void cleanup_header_done_callback(void *context)
 	    vstring_sprintf(state->temp2, "%sFrom: %s",
 			    state->resent, vstring_str(state->temp1));
 	}
-	CLEANUP_OUT_BUF(state, REC_TYPE_NORM, state->temp2);
+	cleanup_out_header(state, state->temp2);
     }
 
     /*
diff --git a/src/global/mail_version.h b/src/global/mail_version.h
index 9e08896..bbd5d21 100644
--- a/src/global/mail_version.h
+++ b/src/global/mail_version.h
@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20240306"
-#define MAIL_VERSION_NUMBER	"3.9"
+#define MAIL_RELEASE_DATE	"20241204"
+#define MAIL_VERSION_NUMBER	"3.9.1"
 
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE
diff --git a/src/global/maillog_client.c b/src/global/maillog_client.c
index 34952ef..a6e8436 100644
--- a/src/global/maillog_client.c
+++ b/src/global/maillog_client.c
@@ -120,6 +120,7 @@ static int maillog_client_flags;
 static void maillog_client_logwriter_fallback(const char *text)
 {
     static int fallback_guard = 0;
+    static VSTREAM *fp;
 
     /*
      * Guard against recursive calls.
@@ -129,10 +130,20 @@ static void maillog_client_logwriter_fallback(const char *text)
      * logfile. All we can do is to hope that stderr logging will bring out
      * the bad news.
      */
-    if (fallback_guard == 0 && var_maillog_file && *var_maillog_file
-	&& logwriter_one_shot(var_maillog_file, text, strlen(text)) < 0) {
-	fallback_guard = 1;
-	msg_fatal("logfile '%s' write error: %m", var_maillog_file);
+    if (fallback_guard++ == 0 && var_maillog_file && *var_maillog_file) {
+	if (text == 0 && fp != 0) {
+	    (void) vstream_fclose(fp);
+	    fp = 0;
+	}
+	if (fp == 0) {
+	    fp = logwriter_open_or_die(var_maillog_file);
+	    close_on_exec(vstream_fileno(fp), CLOSE_ON_EXEC);
+	}
+	if (text && (logwriter_write(fp, text, strlen(text)) != 0 ||
+		     vstream_fflush(fp) != 0)) {
+	    msg_fatal("logfile '%s' write error: %m", var_maillog_file);
+	}
+	fallback_guard = 0;
     }
 }
 
diff --git a/src/smtpd/smtpd_check.c b/src/smtpd/smtpd_check.c
index 6aeda74..b63b214 100644
--- a/src/smtpd/smtpd_check.c
+++ b/src/smtpd/smtpd_check.c
@@ -4674,13 +4674,11 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions,
 			 cpp[1], CHECK_RELAY_DOMAINS);
 	} else if (strcasecmp(name, PERMIT_SASL_AUTH) == 0) {
 #ifdef USE_SASL_AUTH
-	    if (smtpd_sasl_is_active(state)) {
-		status = permit_sasl_auth(state,
-					  SMTPD_CHECK_OK, SMTPD_CHECK_DUNNO);
-		if (status == SMTPD_CHECK_OK)
-		    status = smtpd_acl_permit(state, name, SMTPD_NAME_CLIENT,
-					      state->namaddr, NO_PRINT_ARGS);
-	    }
+	    status = permit_sasl_auth(state,
+				      SMTPD_CHECK_OK, SMTPD_CHECK_DUNNO);
+	    if (status == SMTPD_CHECK_OK)
+		status = smtpd_acl_permit(state, name, SMTPD_NAME_CLIENT,
+					  state->namaddr, NO_PRINT_ARGS);
 #endif
 	} else if (strcasecmp(name, PERMIT_TLS_ALL_CLIENTCERTS) == 0) {
 	    status = permit_tls_clientcerts(state, 1);
diff --git a/src/util/msg_logger.c b/src/util/msg_logger.c
index 07c9e92..2d813d3 100644
--- a/src/util/msg_logger.c
+++ b/src/util/msg_logger.c
@@ -59,6 +59,9 @@
 /*	Override the fallback setting (see above) with the specified
 /*	function pointer. This remains in effect until the next
 /*	msg_logger_init() or msg_logger_control() call.
+/*	When the function is called with a null argument, it should
+/*	allocate resources immediately. This is needed in programs
+/*	that drop privileges after process initialization.
 /* .IP CA_MSG_LOGGER_CTL_DISABLE
 /*	Disable the msg_logger. This remains in effect until the
 /*	next msg_logger_init() call.
@@ -320,6 +323,9 @@ void    msg_logger_control(int name,...)
 	    msg_logger_disconnect();
 	    if (MSG_LOGGER_NEED_SOCKET())
 		msg_logger_connect();
+	    if (msg_logger_sock == MSG_LOGGER_SOCK_NONE
+		&& msg_logger_fallback_fn)
+		msg_logger_fallback_fn((char *) 0);
 	    break;
 	default:
 	    msg_panic("%s: bad name %d", myname, name);
diff --git a/src/xsasl/xsasl_dovecot_server.c b/src/xsasl/xsasl_dovecot_server.c
index 4a0c085..ac93a2d 100644
--- a/src/xsasl/xsasl_dovecot_server.c
+++ b/src/xsasl/xsasl_dovecot_server.c
@@ -297,6 +297,7 @@ static int xsasl_dovecot_server_connect(XSASL_DOVECOT_SERVER_IMPL *xp)
 		    (unsigned int) getpid());
     if (vstream_fflush(sasl_stream) == VSTREAM_EOF) {
 	msg_warn("SASL: Couldn't send handshake: %m");
+	(void) vstream_fclose(sasl_stream);
 	return (-1);
     }
     success = 0;