than -) Postfix will now recognize address extensions even
with owner-foo+extension addresses. This is necessary to
make VERP work for mailing lists.
+
+20010710
+
+ Bugfix: potential memory leak in the queue managers with
+ the new VERP delimiter record. Fix by Patrik Rak.
+
+20010711
+
+ Cleanup: you can now specify the VERP delimiter characters
+ on the sendmail(1) command line, but they are still optional.
+
+ Safety: with maildir style delivery and with hashed mailboxes
+ the system mail spool directory must not be world writable.
+
+20010713
+
+ Safety: the verp_delimiter_filter parameter (default: -=+)
+ limits what characters Postfix accepts as VERP delimiter
+ characters.
+
+20010714
+
+ Logging: the queue manager now logs a "status=expired"
+ record when it returns a message that is too old. Files:
+ *qmgr/qmgr_active.c.
Postfix has preliminary server support for the QMQP protocol, so
that Postfix can be used as a backend for the Ezmlm-idx mailing
-list manager. This support includes qmqp-source and qmqp-sink
+list manager. This support includes the qmqp-source and qmqp-sink
programs for protocol stress testing.
Turning on the Postfix QMQP service
628 inet n - n - - qmqpd
+A "postfix reload" command is necessary to enable the service.
Postfix QMQP server access control
==================================
To authorize QMQP clients, edit /etc/postfix/main.cf and specify
a list of client patterns.
-qmqp_authorized_clients = client, client, ...
+qmqpd_authorized_clients = client, client, ...
+
+Example:
+
+qmqpd_authorized_clients = $mynetworks
A list pattern specifies a host name, a domain name, an internet
address, or a network/mask pattern, where the mask specifies the
number of bits in the network part. When a pattern specifies a
file name, its contents are substituted for the file name; when a
pattern is a type:name table specification, table lookup is used
-instead.
+instead. This allows you to administer the trusted clients in LDAP
+or regular expression maps, both of which are probably overkill.
Patterns are separated by whitespace and/or commas. In order to
reverse the result, precede a non-file name pattern with an
exclamation point (!).
-Setting up Ezmlm-idx to use Postfix QMQP support
+Setting up ezmlm-idx to use Postfix QMQP support
================================================
-You need to list the Postfix IP address in a suitable configuration
-file. See the ezmlm-idx documentation for details.
+Note: you still need qmail to feed the messages INTO ezmlm-idx.
+Postfix presently only supports distribution of mailing list traffic
+FROM ezmlm-idx.
+
+http://www.ezmlm.org/faq-0.40/FAQ-4.html#ss4.19 describes how to
+make ezmlm-idx work over QMQP.
+
+The following is based on hearsay. Do not ask Wietse how to make
+ezmlm-idx work. Wietse does not have the time to personally install
+and play with every mailing list manager.
+
+1 - You must list QMQP servers with numerical IP address. Hostnames
+ do not work. This means you cannot DNS-based load balancing to
+ spread the load over multiple QMQP servers.
+
+2 - QMQP support is incomplete with ezmlm-idx-0.40.
+
+ - ezmlm-send will use QMQP if you specify the undocumented -Q
+ command-line option in your .qmail-listname file.
+
+ - ezmlm-get will use QMQP if the file qmpqservers/0 exists.
+
+ - ezmlm-moderate does not support QMQP. This is not a problem
+ if you only use unmoderated mailing lists.
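Review bot: two of the added lines in the ezmlm-idx list need a wording fix. In item 1, "This means you cannot DNS-based load balancing" is missing its verb (presumably "cannot use"). In the ezmlm-get bullet, the file name "qmpqservers/0" reads like a transposition of "qmqp"; an administrator will create this file by hand, so please check the spelling against the ezmlm-idx FAQ linked above. Separately, the parameter name changes from qmqp_authorized_clients to qmqpd_authorized_clients in this document. If that is a real rename rather than a documentation correction, it belongs under the incompatible changes in the release notes.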
+Incompatible changes with snapshot-20010714
+===========================================
+
+Postfix delivery agents now refuse to create a missing maildir or
+mail spool subdirectory when its parent directory is world writable.
+This is necessary to prevent security problems with maildirs or
+with hashed mailboxes under a world writable mail spool directory.
+
+Major changes with snapshot-20010714
+====================================
+
+No major changes. What changes were made result in more polished
+VERP (variable envelope return path) support and documentation,
+and in updated documentation on how to use Postfix QMQP with the
+ezmlm-idx mailing list manager.
+
Incompatible changes with snapshot-20010709
===========================================
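Review bot: the new "Incompatible changes with snapshot-20010714" entry says delivery agents refuse to create a missing maildir or spool subdirectory under a world writable parent, but not what the administrator will see or should do about it. Please state what happens to the affected message (the text does not say whether delivery is deferred or bounced) and name the fix, which per the HISTORY entry is a mail spool directory that is not world writable, so that sites with such a spool can prepare before upgrading.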
+[Note: this document still needs more examples]
+
Postfix VERP support
====================
-Postfix supports variable envelope return path addresses, which
-means that each recipient receives a customized copy of the message,
-with the recipient address encoded in the envelope sender address.
-This concept was popularized by the qmail MTA and by the ezmlm
-mailing list manager.
+Postfix supports variable envelope return path addresses on request.
+When VERP style delivery is requested, each recipient of a message
+receives a customized copy of the message, with his/her own recipient
+address encoded in the envelope sender address.
-When VERP style delivery is requested, Postfix delivers mail with
-sender address prefix@origin for a recipient user@domain, with a
-sender address that encodes the recipient as follows:
+For example, when VERP style delivery is requested, Postfix delivers
+mail from owner-listname@origin for a recipient user@domain, with
+a sender address that encodes the recipient as follows:
- prefix+user=domain@origin
+ owner-listname+user=domain@origin
-so that undeliverable mail reveals what address was undeliverable.
+Thus, undeliverable mail can reveal the undeliverable recipient
+address without requiring the list owner to parse bounce messages.
+
+The VERP concept was popularized by the qmail MTA and by the ezmlm
+mailing list manager.
-The + and = are the default VERP delimiters. You can specify non-
-default delimiters in main.cf with the default_verp_delimiters
-configuration parameter (default value: +=). Specify two characters;
-the first delimiter should match the $recipient_delimiter setting.
+The whole process is controlled by two configuration parameters.
+
+- default_verp_delimiters (default value: +=) controls what VERP
+delimiter characters Postfix uses when VERP style delivery is
+requested but no explicit delimiters are specified.
+
+- verp_delimiter_filter (default: -+=) controls what characters
+Postfix accepts as VERP delimiter characters. Many characters can
+not be used as VERP delimiter characters, either because they
+already have a special meaning in email addresses (such as the @
+or the %), because they appear as part of a username or domain name
+(such as alphanumerics), or because they are non-ASCII or control
+characters. And who knows, some characters may tickle bugs in
+vulnerable software.
Using VERP with majordomo etc. mailing lists
============================================
In order to make VERP useful with majordomo etc. mailing lists,
-you would configure the list manager to submit mail as:
+you would configure the list manager to submit mail according
+to one of the following two forms:
sendmail -V -f owner-listname other-arguments...
+ sendmail -V+= -f owner-listname other-arguments...
+
+The first form uses the default main.cf VERP delimiter characters.
+The second form allows you to explicitly specify the VERP delimiter
+characters. The example shows the recommended values.
+
This text assumes that you have set up an owner-listname alias that
routes undeliverable mail to a real person:
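Review bot: the rewritten parameter description drops the old guidance that the first delimiter "should match the $recipient_delimiter setting", and nothing in the added text replaces it. The bounce handling described in this document delivers owner-listname+user=domain through a .forward+listname file, which depends on address extension handling, so please keep that sentence in the default_verp_delimiters bullet. Also, the verp_delimiter_filter default is written "-+=" here but "-=+" in the HISTORY entry and in DEF_VERP_FILTER; the set is the same, but a single spelling avoids the question.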
owner-listname+user=domain@your.domain
which is processed by the command in your .forward+listname file.
+The message should contain, among others, a To: header with the
+encapsulated recipient sender address:
+
+ To: owner-listname+user=domain@your.domain
It is left as an exercise for the reader to parse the To: header
line and to pull out the user=domain part from the recipient address.
style delivery. The syntax allows two forms:
MAIL FROM:<sender@domain> XVERP
- MAIL FROM:<sender@domain> XVERP=xy
-where x and y are the VERP delimiters. When no VERP delimiters
-are specified, Postfix uses the two characters specified with the
-default_verp_delimiters configuration parameter.
+ MAIL FROM:<sender@domain> XVERP=+=
+
+The first form uses the default main.cf VERP delimiters, the second
+form overrides them explicitly. The values shown are the recommended
+ones.
VERP support in the Postfix sendmail command
============================================
The Postfix sendmail command has a -V flag to request VERP style
-delivery. It is not possible to override the default VERP delimiters.
+delivery. Specify one of the following two forms:
+
+ sendmail -V -f owner-listname ....
+
+ sendmail -V+= -f owner-listname ....
+
+The first form uses the default main.cf VERP delimiters, the second
+form overrides them explicitly. The values shown are the recommended
+ones.
VERP support in the Postfix QMQP server
=======================================
-When the Postfix QMQP server receives mail with a an envelope sender
+When the Postfix QMQP server receives mail with an envelope sender
address of the form:
prefix-@origin-@[]
Postfix generates VERP sender addresses using prefix@domain as the
-original sender address, and using "-=" as the VERP delimiters.
+original sender address, and using "-=" as the VERP delimiters,
+because qmail/ezmlm expect this.
transport_maps = hash:/etc/postfix/transport
mynetworks = 12.34.56.0/24
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination
+ local_transport = error:local mail delivery is disabled on this machine
/etc/postfix/transport:
domain.com smtp:inside-gateway.domain.com (forwards user@domain)
of a problem. This slows down run-away errors.
<b>SEE</b> <b>ALSO</b>
- http://cr.yp.to/proto/qmqp.html, QMQP protocol
+ <a href="http://cr.yp.to/proto/qmqp.html">http://cr.yp.to/proto/qmqp.html</a>, QMQP protocol
<a href="cleanup.8.html">cleanup(8)</a> message canonicalization
<a href="master.8.html">master(8)</a> process manager
syslogd(8) system logging
Initial user submission.
<b>-V</b> Variable Envelope Return Path. Given an envelope
- sender address <i>prefix</i>-@<i>origin</i>, each recipient
- <i>user@domain</i> receives mail with a personalized enve-
- lope sender address <i>prefix</i><b>-</b><i>user=domain</i>@<i>origin</i>.
-
- <b>-bd</b> Go into daemon mode. This mode of operation is
+ sender address of the form <i>owner-listname</i>@<i>origin</i>,
+ each recipient <i>user</i>@<i>domain</i> receives mail with a
+ personalized envelope sender address.
+
+ By default, the personalized envelope sender
+ address is <i>owner-listname</i><b>+</b><i>user</i><b>=</b><i>domain</i>@<i>origin</i>. The
+ default <b>+</b> and <b>=</b> characters are configurable with
+ the <b>default</b><i>_</i><b>verp</b><i>_</i><b>delimiters</b> configuration parame-
+ ter.
+
+ <b>-V</b><i>xy</i> As <b>-V</b>, but uses <i>x</i> and <i>y</i> as the VERP delimiter char-
+ acters, instead of the characters specified with
+ the <b>default</b><i>_</i><b>verp</b><i>_</i><b>delimiters</b> configuration parame-
+ ter.
+
+ <b>-bd</b> Go into daemon mode. This mode of operation is
implemented by executing the <b>postfix</b> <b>start</b> command.
- <b>-bi</b> Initialize alias database. See the <b>newaliases</b> com-
+ <b>-bi</b> Initialize alias database. See the <b>newaliases</b> com-
mand above.
- <b>-bm</b> Read mail from standard input and arrange for
+ <b>-bm</b> Read mail from standard input and arrange for
delivery. This is the default mode of operation.
<b>-bp</b> List the mail queue. See the <b>mailq</b> command above.
- <b>-bs</b> Stand-alone SMTP server mode. Read SMTP commands
- from standard input, and write responses to stan-
+ <b>-bs</b> Stand-alone SMTP server mode. Read SMTP commands
+ from standard input, and write responses to stan-
dard output. This mode of operation is implemented
by running the <a href="smtpd.8.html"><b>smtpd</b>(8)</a> daemon.
<b>-f</b> <i>sender</i>
Set the envelope sender address. This is the
address where delivery problems are sent to, unless
- the message contains an <b>Errors-To:</b> message header.
+ the message contains an <b>Errors-To:</b> message header.
<b>-h</b> <i>hop_count</i> (ignored)
- Hop count limit. Use the <b>hopcount</b><i>_</i><b>limit</b> configura-
+ Hop count limit. Use the <b>hopcount</b><i>_</i><b>limit</b> configura-
tion parameter instead.
- <b>-i</b> When reading a message from standard input, don't
- treat a line with only a <b>.</b> character as the end of
+ <b>-i</b> When reading a message from standard input, don't
+ treat a line with only a <b>.</b> character as the end of
input.
<b>-m</b> (ignored)
Backwards compatibility.
<b>-oA</b><i>alias_database</i>
- Non-default alias database. Specify <i>pathname</i> or
+ Non-default alias database. Specify <i>pathname</i> or
<i>type</i>:<i>pathname</i>. See <a href="postalias.1.html"><b>postalias</b>(1)</a> for details.
<b>-o7</b> (ignored)
<b>-o8</b> (ignored)
- The message body type. Currently, Postfix imple-
+ The message body type. Currently, Postfix imple-
ments <b>just-send-eight</b>.
- <b>-oi</b> When reading a message from standard input, don't
- treat a line with only a <b>.</b> character as the end of
+ <b>-oi</b> When reading a message from standard input, don't
+ treat a line with only a <b>.</b> character as the end of
input.
<b>-om</b> (ignored)
- The sender is never eliminated from alias etc.
+ The sender is never eliminated from alias etc.
expansions.
<b>-o</b> <i>x</i> <i>value</i> (ignored)
- Set option <i>x</i> to <i>value</i>. Use the equivalent configu-
+ Set option <i>x</i> to <i>value</i>. Use the equivalent configu-
ration parameter in <b>main.cf</b> instead.
<b>-r</b> <i>sender</i>
Set the envelope sender address. This is the
address where delivery problems are sent to, unless
- the message contains an <b>Errors-To:</b> message header.
+ the message contains an <b>Errors-To:</b> message header.
- <b>-q</b> Attempt to deliver all queued mail. This is imple-
+ <b>-q</b> Attempt to deliver all queued mail. This is imple-
mented by kicking the <a href="qmgr.8.html"><b>qmgr</b>(8)</a> daemon.
<b>-q</b><i>interval</i> (ignored)
- The interval between queue runs. Use the
+ The interval between queue runs. Use the
<b>queue</b><i>_</i><b>run</b><i>_</i><b>delay</b> configuration parameter instead.
<b>-qR</b><i>site</i>
- Schedule immediate delivery of all mail that is
- queued for the named <i>site</i>. Depending on the desti-
- nation, this uses "fast flush" service, or it has
- the same effect as <b>sendmail</b> <b>-q</b>. This is imple-
+ Schedule immediate delivery of all mail that is
+ queued for the named <i>site</i>. Depending on the desti-
+ nation, this uses "fast flush" service, or it has
+ the same effect as <b>sendmail</b> <b>-q</b>. This is imple-
mented by connecting to the local SMTP server. See
<a href="smtpd.8.html"><b>smtpd</b>(8)</a> for more information about the "fast
flush" service.
<b>-qS</b><i>site</i>
- This command is not implemented. Use the slower
+ This command is not implemented. Use the slower
<b>sendmail</b> <b>-q</b> command instead.
- <b>-t</b> Extract recipients from message headers. This
- requires that no recipients be specified on the
+ <b>-t</b> Extract recipients from message headers. This
+ requires that no recipients be specified on the
command line.
<b>-v</b> Enable verbose logging for debugging purposes. Mul-
- tiple <b>-v</b> options make the software increasingly
+ tiple <b>-v</b> options make the software increasingly
verbose.
<b>SECURITY</b>
- By design, this program is not set-user (or group) id.
- However, it must handle data from untrusted users or
- untrusted machines. Thus, the usual precautions need to
+ By design, this program is not set-user (or group) id.
+ However, it must handle data from untrusted users or
+ untrusted machines. Thus, the usual precautions need to
be taken against malicious inputs.
<b>DIAGNOSTICS</b>
- Problems are logged to <b>syslogd</b>(8) and to the standard
+ Problems are logged to <b>syslogd</b>(8) and to the standard
error stream.
<b>ENVIRONMENT</b>
<b>MAIL</b><i>_</i><b>DEBUG</b>
Enable debugging with an external command, as spec-
- ified with the <b>debugger</b><i>_</i><b>command</b> configuration
+ ified with the <b>debugger</b><i>_</i><b>command</b> configuration
parameter.
<b>FILES</b>
/etc/postfix, configuration files
<b>CONFIGURATION</b> <b>PARAMETERS</b>
- See the Postfix <b>main.cf</b> file for syntax details and for
- default values. Use the <b>postfix</b> <b>reload</b> command after a
+ See the Postfix <b>main.cf</b> file for syntax details and for
+ default values. Use the <b>postfix</b> <b>reload</b> command after a
configuration change.
<b>alias</b><i>_</i><b>database</b>
- Default alias database(s) for <b>newaliases</b>. The
- default value for this parameter is system-spe-
+ Default alias database(s) for <b>newaliases</b>. The
+ default value for this parameter is system-spe-
cific.
<b>bounce</b><i>_</i><b>size</b><i>_</i><b>limit</b>
initialized.
<b>debug</b><i>_</i><b>peer</b><i>_</i><b>level</b>
- Increment in verbose logging level when a remote
+ Increment in verbose logging level when a remote
host matches a pattern in the <b>debug</b><i>_</i><b>peer</b><i>_</i><b>list</b>
parameter.
<b>debug</b><i>_</i><b>peer</b><i>_</i><b>list</b>
- List of domain or network patterns. When a remote
- host matches a pattern, increase the verbose log-
- ging level by the amount specified in the
+ List of domain or network patterns. When a remote
+ host matches a pattern, increase the verbose log-
+ ging level by the amount specified in the
<b>debug</b><i>_</i><b>peer</b><i>_</i><b>level</b> parameter.
+ <b>default</b><i>_</i><b>verp</b><i>_</i><b>delimiters</b>
+ The VERP delimiter characters that are used when
+ the <b>-V</b> command line option is specified without
+ delimiter characters.
+
<b>fast</b><i>_</i><b>flush</b><i>_</i><b>domains</b>
List of domains that will receive "fast flush" ser-
- vice (default: all domains that this system is
- willing to relay mail to). This greatly improves
- the performance of the SMTP <b>ETRN</b> request, and of
- the <b>sendmail</b> <b>-qR</b> command. For domains not in the
+ vice (default: all domains that this system is
+ willing to relay mail to). This greatly improves
+ the performance of the SMTP <b>ETRN</b> request, and of
+ the <b>sendmail</b> <b>-qR</b> command. For domains not in the
list, Postfix simply attempts to deliver all queued
mail.
<b>fork</b><i>_</i><b>attempts</b>
- Number of attempts to <b>fork</b>() a process before giv-
+ Number of attempts to <b>fork</b>() a process before giv-
ing up.
<b>fork</b><i>_</i><b>delay</b>
- Delay in seconds between successive <b>fork</b>()
+ Delay in seconds between successive <b>fork</b>()
attempts.
<b>hopcount</b><i>_</i><b>limit</b>
Limit the number of <b>Received:</b> message headers.
<b>mail</b><i>_</i><b>owner</b>
- The owner of the mail queue and of most Postfix
+ The owner of the mail queue and of most Postfix
processes.
<b>command</b><i>_</i><b>directory</b>
- Directory with Postfix support commands (default:
+ Directory with Postfix support commands (default:
<b>$program</b><i>_</i><b>directory</b>).
<b>daemon</b><i>_</i><b>directory</b>
- Directory with Postfix daemon programs (default:
+ Directory with Postfix daemon programs (default:
<b>$program</b><i>_</i><b>directory</b>).
<b>queue</b><i>_</i><b>directory</b>
- Top-level directory of the Postfix queue. This is
+ Top-level directory of the Postfix queue. This is
also the root directory of Postfix daemons that run
chrooted.
<b>queue</b><i>_</i><b>run</b><i>_</i><b>delay</b>
- The time between successive scans of the deferred
+ The time between successive scans of the deferred
queue.
+ <b>verp</b><i>_</i><b>delimiter</b><i>_</i><b>filter</b>
+ The characters that Postfix accepts as VERP delim-
+ iter characters.
+
<b>SEE</b> <b>ALSO</b>
<a href="pickup.8.html">pickup(8)</a> mail pickup daemon
<a href="postalias.1.html">postalias(1)</a> maintain alias database
ging level by the amount specified in the
<b>debug</b><i>_</i><b>peer</b><i>_</i><b>level</b> parameter.
+ <b>default</b><i>_</i><b>verp</b><i>_</i><b>delimiters</b>
+ The default VERP delimiter characters that are used
+ when the XVERP command is specified without
+ explicit delimiters.
+
<b>error</b><i>_</i><b>notice</b><i>_</i><b>recipient</b>
Recipient of protocol/policy/resource/software
error notices.
reject responses. This can be useful for testing
purposes.
+ <b>verp</b><i>_</i><b>delimiter</b><i>_</i><b>filter</b>
+ The characters that Postfix accepts as VERP delim-
+ iter characters.
+
<b>Resource</b> <b>controls</b>
<b>line</b><i>_</i><b>length</b><i>_</i><b>limit</b>
- Limit the amount of memory in bytes used for the
+ Limit the amount of memory in bytes used for the
handling of partial input lines.
<b>message</b><i>_</i><b>size</b><i>_</i><b>limit</b>
ing on-disk storage for envelope information.
<b>queue</b><i>_</i><b>minfree</b>
- Minimal amount of free space in bytes in the queue
- file system for the SMTP server to accept any mail
+ Minimal amount of free space in bytes in the queue
+ file system for the SMTP server to accept any mail
at all.
<b>Tarpitting</b>
<b>smtpd</b><i>_</i><b>soft</b><i>_</i><b>error</b><i>_</i><b>limit</b>
When an SMTP client has made this number of errors,
- wait <i>error_count</i> seconds before responding to any
+ wait <i>error_count</i> seconds before responding to any
client request.
<b>smtpd</b><i>_</i><b>hard</b><i>_</i><b>error</b><i>_</i><b>limit</b>
- Disconnect after a client has made this number of
+ Disconnect after a client has made this number of
errors.
<b>smtpd</b><i>_</i><b>junk</b><i>_</i><b>command</b><i>_</i><b>limit</b>
Limit the number of times a client can issue a junk
- command such as NOOP, VRFY, ETRN or RSET in one
- SMTP session before it is penalized with tarpit
+ command such as NOOP, VRFY, ETRN or RSET in one
+ SMTP session before it is penalized with tarpit
delays.
<b>UCE</b> <b>control</b> <b>restrictions</b>
tem.
<b>smtpd</b><i>_</i><b>helo</b><i>_</i><b>required</b>
- Require that clients introduce themselves at the
+ Require that clients introduce themselves at the
beginning of an SMTP session.
<b>smtpd</b><i>_</i><b>helo</b><i>_</i><b>restrictions</b>
- Restrict what client hostnames are allowed in <b>HELO</b>
+ Restrict what client hostnames are allowed in <b>HELO</b>
and <b>EHLO</b> commands.
<b>smtpd</b><i>_</i><b>sender</b><i>_</i><b>restrictions</b>
- Restrict what sender addresses are allowed in <b>MAIL</b>
+ Restrict what sender addresses are allowed in <b>MAIL</b>
<b>FROM</b> commands.
<b>smtpd</b><i>_</i><b>recipient</b><i>_</i><b>restrictions</b>
- Restrict what recipient addresses are allowed in
+ Restrict what recipient addresses are allowed in
<b>RCPT</b> <b>TO</b> commands.
<b>smtpd</b><i>_</i><b>etrn</b><i>_</i><b>restrictions</b>
mands, and what clients may issue <b>ETRN</b> commands.
<b>allow</b><i>_</i><b>untrusted</b><i>_</i><b>routing</b>
- Allow untrusted clients to specify addresses with
- sender-specified routing. Enabling this opens up
- nasty relay loopholes involving trusted backup MX
+ Allow untrusted clients to specify addresses with
+ sender-specified routing. Enabling this opens up
+ nasty relay loopholes involving trusted backup MX
hosts.
<b>smtpd</b><i>_</i><b>restriction</b><i>_</i><b>classes</b>
- Declares the name of zero or more parameters that
- contain a list of UCE restrictions. The names of
- these parameters can then be used instead of the
+ Declares the name of zero or more parameters that
+ contain a list of UCE restrictions. The names of
+ these parameters can then be used instead of the
restriction lists that they represent.
<b>maps</b><i>_</i><b>rbl</b><i>_</i><b>domains</b>
- List of DNS domains that publish the addresses of
+ List of DNS domains that publish the addresses of
blacklisted hosts.
<b>relay</b><i>_</i><b>domains</b>
- Restrict what domains or networks this mail system
+ Restrict what domains or networks this mail system
will relay mail from or to.
<b>UCE</b> <b>control</b> <b>responses</b>
<b>access</b><i>_</i><b>map</b><i>_</i><b>reject</b><i>_</i><b>code</b>
- Server response when a client violates an access
+ Server response when a client violates an access
database restriction.
<b>invalid</b><i>_</i><b>hostname</b><i>_</i><b>reject</b><i>_</i><b>code</b>
- Server response when a client violates the
+ Server response when a client violates the
<b>reject</b><i>_</i><b>invalid</b><i>_</i><b>hostname</b> restriction.
<b>maps</b><i>_</i><b>rbl</b><i>_</i><b>reject</b><i>_</i><b>code</b>
- Server response when a client violates the
+ Server response when a client violates the
<b>maps</b><i>_</i><b>rbl</b><i>_</i><b>domains</b> restriction.
<b>reject</b><i>_</i><b>code</b>
- Response code when the client matches a <b>reject</b>
+ Response code when the client matches a <b>reject</b>
restriction.
<b>relay</b><i>_</i><b>domains</b><i>_</i><b>reject</b><i>_</i><b>code</b>
- Server response when a client attempts to violate
+ Server response when a client attempts to violate
the mail relay policy.
<b>unknown</b><i>_</i><b>address</b><i>_</i><b>reject</b><i>_</i><b>code</b>
- Server response when a client violates the
+ Server response when a client violates the
<b>reject</b><i>_</i><b>unknown</b><i>_</i><b>address</b> restriction.
<b>unknown</b><i>_</i><b>client</b><i>_</i><b>reject</b><i>_</i><b>code</b>
- Server response when a client without address to
- name mapping violates the <b>reject</b><i>_</i><b>unknown</b><i>_</i><b>clients</b>
+ Server response when a client without address to
+ name mapping violates the <b>reject</b><i>_</i><b>unknown</b><i>_</i><b>clients</b>
restriction.
<b>unknown</b><i>_</i><b>hostname</b><i>_</i><b>reject</b><i>_</i><b>code</b>
- Server response when a client violates the
+ Server response when a client violates the
<b>reject</b><i>_</i><b>unknown</b><i>_</i><b>hostname</b> restriction.
<b>SEE</b> <b>ALSO</b>
syslogd(8) system logging
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>
Initial user submission.
.IP \fB-V\fR
Variable Envelope Return Path. Given an envelope sender address
-\fIprefix\fR-@\fIorigin\fR, each recipient \fIuser@domain\fR
-receives mail with a personalized envelope sender address
-\fIprefix\fB-\fIuser=domain\fR@\fIorigin\fR.
+of the form \fIowner-listname\fR@\fIorigin\fR, each recipient
+\fIuser\fR@\fIdomain\fR receives mail with a personalized envelope
+sender address.
+.sp
+By default, the personalized envelope sender address is
+\fIowner-listname\fB+\fIuser\fB=\fIdomain\fR@\fIorigin\fR. The default
+\fB+\fR and \fB=\fR characters are configurable with the
+\fBdefault_verp_delimiters\fR configuration parameter.
+.IP \fB-V\fIxy\fR
+As \fB-V\fR, but uses \fIx\fR and \fIy\fR as the VERP delimiter
+characters, instead of the characters specified with the
+\fBdefault_verp_delimiters\fR configuration parameter.
.IP \fB-bd\fR
Go into daemon mode. This mode of operation is implemented by
executing the \fBpostfix start\fR command.
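Review bot: the new -Vxy entry does not mention that x and y are restricted by verp_delimiter_filter. The same page gains a verp_delimiter_filter parameter entry and verp_delims_verify() rejects characters outside it, so a user who picks other delimiters gets a failure that the option text does not predict. Suggest adding a sentence such as "The characters must be listed in the verp_delimiter_filter configuration parameter." to this entry, here and in the HTML version.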
List of domain or network patterns. When a remote host matches
a pattern, increase the verbose logging level by the amount
specified in the \fBdebug_peer_level\fR parameter.
+.IP \fBdefault_verp_delimiters\fR
+The VERP delimiter characters that are used when the \fB-V\fR
+command line option is specified without delimiter characters.
.IP \fBfast_flush_domains\fR
List of domains that will receive "fast flush" service (default: all
domains that this system is willing to relay mail to). This greatly
directory of Postfix daemons that run chrooted.
.IP \fBqueue_run_delay\fR
The time between successive scans of the deferred queue.
+.IP \fBverp_delimiter_filter\fR
+The characters that Postfix accepts as VERP delimiter characters.
.SH SEE ALSO
.na
.nf
List of domain or network patterns. When a remote host matches
a pattern, increase the verbose logging level by the amount
specified in the \fBdebug_peer_level\fR parameter.
+.IP \fBdefault_verp_delimiters\fR
+The default VERP delimiter characters that are used when the
+XVERP command is specified without explicit delimiters.
.IP \fBerror_notice_recipient\fR
Recipient of protocol/policy/resource/software error notices.
.IP \fBhopcount_limit\fR
.IP \fBsoft_bounce\fR
Change hard (5xx) reject responses into soft (4xx) reject responses.
This can be useful for testing purposes.
+.IP \fBverp_delimiter_filter\fR
+The characters that Postfix accepts as VERP delimiter characters.
.SH "Resource controls"
.ad
.fi
s/[<bB>]*virtual[</bB>]*(5)/<a href="virtual.5.html">&<\/a>/
s/[<bB>]*virtual[</bB>]*(8)/<a href="virtual.8.html">&<\/a>/
s/\(<a href="[^"]*">\)\([<bB>]*[a-z0-9-]*[-</bB>]*\)\(\n *\)\([<bB>]*[a-z0-9-]*[</bB>]*([0-9])\)\(<\/a>\)/\1\2\5\3\1\4\5/
+ s/http:\/\/[^ ,]*/<a href="&">&<\/a>/
s/RFC *\([0-9]*\)/<a href="http:\/\/www.faqs.org\/rfcs\/rfc\1.html">&<\/a>/
' "$@"
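Review bot: the added URL rule, s/http:\/\/[^ ,]*/.../, ends the match only at a space or a comma, so anything else that follows a URL on the same line is pulled into the href. In this converter's input that includes markup such as </b> or </i> (the neighbouring rules already have to match around those tags) and sentence punctuation such as "." or ")". The rule also has no g flag, so only the first URL on a line is linked. Suggest excluding at least "<" and ")" from the character class, not matching a trailing period, and adding g.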
bounce_notify_verp.o: ../../include/cleanup_user.h
bounce_notify_verp.o: ../../include/mail_addr.h
bounce_notify_verp.o: ../../include/mail_error.h
+bounce_notify_verp.o: ../../include/verp_sender.h
bounce_notify_verp.o: bounce_service.h
bounce_notify_verp.o: ../../include/bounce_log.h
cleanup_envelope.o: ../../include/ext_prop.h
cleanup_envelope.o: ../../include/mail_addr.h
cleanup_envelope.o: ../../include/canon_addr.h
+cleanup_envelope.o: ../../include/verp_sender.h
cleanup_envelope.o: cleanup.h
cleanup_envelope.o: ../../include/argv.h
cleanup_envelope.o: ../../include/maps.h
#include <ext_prop.h>
#include <mail_addr.h>
#include <canon_addr.h>
+#include <verp_sender.h>
/* Application-specific. */
state->errs |= CLEANUP_STAT_BAD;
return;
}
- if (len == 0) {
- buf = var_verp_delim;
- len = strlen(buf);
- }
- if (len == 2) {
+ if (verp_delims_verify(buf) == 0) {
cleanup_out(state, type, buf, len);
} else {
+ msg_warn("%s: bad VERP delimiters: \"%s\"", state->queue_id, buf);
state->errs |= CLEANUP_STAT_BAD;
+ return;
}
} else {
cleanup_out(state, type, buf, len);
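Review bot: with the len == 0 fallback removed, an empty VERP delimiter record now fails the length test in verp_delims_verify() and the message is flagged CLEANUP_STAT_BAD, where it previously received the main.cf default. That is correct only if every program that writes this record now substitutes default_verp_delimiters itself; those changes are not in this hunk, so please confirm them. Also, the check works on the C string in buf while cleanup_out() is still passed len. An explicit len == 2 test, or a comment stating that the record is null terminated, would make it clear that the two agree.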
char *var_always_bcc; /* big brother */
int var_extra_rcpt_limit; /* recipient extract limit */
char *var_rcpt_witheld; /* recipients not disclosed */
-char *var_verp_delim; /* default VERP delimiters */
CONFIG_INT_TABLE cleanup_int_table[] = {
VAR_HOPCOUNT_LIMIT, DEF_HOPCOUNT_LIMIT, &var_hopcount_limit, 1, 0,
VAR_PROP_EXTENSION, DEF_PROP_EXTENSION, &var_prop_extension, 0, 0,
VAR_ALWAYS_BCC, DEF_ALWAYS_BCC, &var_always_bcc, 0, 0,
VAR_RCPT_WITHELD, DEF_RCPT_WITHELD, &var_rcpt_witheld, 1, 0,
- VAR_VERP_DELIM, DEF_VERP_DELIM, &var_verp_delim, 2, 2,
0,
};
mail_params.o: mail_proto.h
mail_params.o: ../../include/vstream.h
mail_params.o: ../../include/iostuff.h
+mail_params.o: verp_sender.h
mail_params.o: mail_params.h
mail_pathname.o: mail_pathname.c
mail_pathname.o: ../../include/sys_defs.h
verp_sender.o: ../../include/sys_defs.h
verp_sender.o: ../../include/vstring.h
verp_sender.o: ../../include/vbuf.h
+verp_sender.o: mail_params.h
verp_sender.o: verp_sender.h
xtext.o: xtext.c
xtext.o: ../../include/sys_defs.h
/* char *var_fflush_domains;
/* char *var_def_transport;
/* char *var_mynetworks_style;
+/* char *var_verp_delims;
+/* char *var_verp_filter;
/*
/* char *var_import_environ;
/* char *var_export_environ;
#include "mail_conf.h"
#include "mail_version.h"
#include "mail_proto.h"
+#include "verp_sender.h"
#include "mail_params.h"
/*
char *var_fflush_domains;
char *var_def_transport;
char *var_mynetworks_style;
+char *var_verp_delims;
+char *var_verp_filter;
char *var_import_environ;
char *var_export_environ;
VAR_DEF_TRANSPORT, DEF_DEF_TRANSPORT, &var_def_transport, 0, 0,
VAR_MYNETWORKS_STYLE, DEF_MYNETWORKS_STYLE, &var_mynetworks_style, 1, 0,
VAR_DEBUG_PEER_LIST, DEF_DEBUG_PEER_LIST, &var_debug_peer_list, 0, 0,
+ VAR_VERP_DELIMS, DEF_VERP_DELIMS, &var_verp_delims, 2, 2,
+ VAR_VERP_FILTER, DEF_VERP_FILTER, &var_verp_filter, 1, 0,
0,
};
static CONFIG_STR_FN_TABLE function_str_defaults_2[] = {
*/
if (strcasecmp(var_myhostname, var_relayhost) == 0)
msg_fatal("myhostname == relayhost");
+
+ /*
+ * One more sanity check.
+ */
+ if ((cp = verp_delims_verify(var_verp_delims)) != 0)
+ msg_fatal("%s or %s configuration problem: %s",
+ VAR_VERP_DELIMS, VAR_VERP_FILTER, cp);
}
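Review bot: the msg_fatal() text in this sanity check names both parameters but prints neither value, so the administrator cannot tell from the log which setting is at fault. Add the current var_verp_delims and var_verp_filter strings to the message next to cp. Also confirm that cp is declared as const char * in this function, since verp_delims_verify() returns const char * and the declaration is not part of this hunk.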
* VERP, more DJB intellectual cross-pollination. However, we prefer + as
* the default recipient delimiter.
*/
-#define VAR_VERP_DELIM "default_verp_delimiters"
-#define DEF_VERP_DELIM "+="
-extern char *var_verp_delim;
+#define VAR_VERP_DELIMS "default_verp_delimiters"
+#define DEF_VERP_DELIMS "+="
+extern char *var_verp_delims;
+
+#define VAR_VERP_FILTER "verp_delimiter_filter"
+#define DEF_VERP_FILTER "-=+"
+extern char *var_verp_filter;
/* LICENSE
/* .ad
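Review bot: the new VAR_VERP_FILTER / DEF_VERP_FILTER block has no comment of its own, while the comment above it only explains the choice of default delimiters. A one-line comment stating that the filter is the set of characters accepted as VERP delimiters from the command line, XVERP and queue files would make the purpose of "-=+" clear to the next reader.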
* Version of this program.
*/
#define VAR_MAIL_VERSION "mail_version"
-#define DEF_MAIL_VERSION "Snapshot-20010709"
+#define DEF_MAIL_VERSION "Snapshot-20010714"
extern char *var_mail_version;
/* LICENSE
/* const char *delims;
/* const char *sender;
/* const char *recipient;
+/*
+/* const char *verp_delims_verify(delims)
+/* const char *delims;
/* DESCRIPTION
/* verp_sender() encodes the recipient address in the sender
/* address, using the specified delimiters. For example,
/* recipient \fIuser@domain\fR the result is
/* \fIprefix+user=domain@origin\fR.
/*
+/* verp_delims_verify() determines if the specified VERP delimiters
+/* have reasonable values. What is reasonable is configured with
+/* the verp_delimiter_filter configuration parameter. The result
+/* is null in case of success, a description of the problem in
+/* case of error.
+/*
/* Arguments:
/* .IP dst
/* The result. The buffer is null terminated.
/* Global library. */
+#include <mail_params.h>
#include <verp_sender.h>
/* verp_sender - encode recipient into envelope sender address */
VSTRING_TERMINATE(buf);
return (buf);
}
+
+/* verp_delims_verify - sanitize VERP delimiters */
+
+const char *verp_delims_verify(const char *delims)
+{
+ if (strlen(delims) != 2)
+ return ("bad VERP delimiter character count");
+ if (strchr(var_verp_filter, delims[0]) == 0)
+ return ("bad first VERP delimiter character");
+ if (strchr(var_verp_filter, delims[1]) == 0)
+ return ("bad second VERP delimiter character");
+ return (0);
+}
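Review bot: verp_delims_verify() checks the length and checks each character against var_verp_filter, but it never checks that delims[0] and delims[1] differ. With the default filter "-=+" a pair such as "++" or "==" is accepted, and the resulting prefix+user=domain form can no longer be split unambiguously into prefix, user and domain. Consider a fourth test that returns an error when delims[0] == delims[1]. The function also uses strlen() and strchr(); make sure <string.h> is included in this file, since the include is not visible in the patch.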
* External interface.
*/
extern VSTRING *verp_sender(VSTRING *, const char *, const char *, const char *);
+extern const char *verp_delims_verify(const char *);
/* LICENSE
/* .ad
qmgr_deliver.o: ../../include/recipient_list.h
qmgr_deliver.o: ../../include/mail_params.h
qmgr_deliver.o: ../../include/deliver_request.h
+qmgr_deliver.o: ../../include/verp_sender.h
qmgr_deliver.o: qmgr.h
qmgr_deliver.o: ../../include/scan_dir.h
qmgr_deliver.o: ../../include/maps.h
qmgr_message.o: ../../include/maps.h
qmgr_message.o: ../../include/opened.h
qmgr_message.o: ../../include/resolve_local.h
+qmgr_message.o: ../../include/verp_sender.h
qmgr_message.o: ../../include/resolve_clnt.h
qmgr_message.o: qmgr.h
qmgr_message.o: ../../include/scan_dir.h
*/
if (message->flags) {
if (event_time() > message->arrival_time + var_max_queue_time) {
- if (msg_verbose)
- msg_info("%s: too old, bouncing %s", myname, message->queue_id);
+ msg_info("%s: from=<%s>, status=expired, returned to sender",
+ message->queue_id, message->sender);
if (message->verp_delims == 0)
adefer_flush(BOUNCE_FLAG_KEEP,
message->queue_name,
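Review bot: the new msg_info() record says "returned to sender" but is written before the adefer_flush() call that follows, so the log claims the return happened whether or not the flush succeeds. Either log after the flush result is known, or limit the text to "status=expired" and let the bounce path report the return.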
#include <mail_addr_find.h>
#include <opened.h>
#include <resolve_local.h>
+#include <verp_sender.h>
/* Client stubs. */
message->warn_time = atol(start);
}
} else if (rec_type == REC_TYPE_VERP) {
- if (strlen(start) != 2) {
- msg_warn("%s: bad VERP record length: \"%s\"",
- message->queue_id, start);
- } else {
- message->single_rcpt = 1;
- message->verp_delims = mystrdup(start);
+ if (message->verp_delims == 0) {
+ if (verp_delims_verify(start) != 0) {
+ msg_warn("%s: bad VERP record content: \"%s\"",
+ message->queue_id, start);
+ } else {
+ message->single_rcpt = 1;
+ message->verp_delims = mystrdup(start);
+ }
}
}
} while (rec_type > 0 && rec_type != REC_TYPE_END);
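Review bot: the new outer test if (message->verp_delims == 0) drops a second REC_TYPE_VERP record without any log output. That avoids overwriting the earlier mystrdup() result, but a queue file with two VERP records is malformed and worth a msg_warn() in an else branch, in the same style as the "bad VERP record content" warning.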
qmgr_message.o: ../../include/maps.h
qmgr_message.o: ../../include/opened.h
qmgr_message.o: ../../include/resolve_local.h
+qmgr_message.o: ../../include/verp_sender.h
qmgr_message.o: ../../include/resolve_clnt.h
qmgr_message.o: qmgr.h
qmgr_message.o: ../../include/scan_dir.h
*/
if (message->flags) {
if (event_time() > message->arrival_time + var_max_queue_time) {
- if (msg_verbose)
- msg_info("%s: too old, bouncing %s", myname, message->queue_id);
+ msg_info("%s: from=<%s>, status=expired, returned to sender",
+ message->queue_id, message->sender);
if (message->verp_delims == 0)
adefer_flush(BOUNCE_FLAG_KEEP,
message->queue_name,
#include <mail_addr_find.h>
#include <opened.h>
#include <resolve_local.h>
+#include <verp_sender.h>
/* Client stubs. */
message->warn_time = atol(start);
}
} else if (rec_type == REC_TYPE_VERP) {
- if (strlen(start) != 2) {
- msg_warn("%s: bad VERP record length: \"%s\"",
- message->queue_id, start);
- } else {
- message->single_rcpt = 1;
- message->verp_delims = mystrdup(start);
+ if (message->verp_delims == 0) {
+ if (verp_delims_verify(start) != 0) {
+ msg_warn("%s: bad VERP record content: \"%s\"",
+ message->queue_id, start);
+ } else {
+ message->single_rcpt = 1;
+ message->verp_delims = mystrdup(start);
+ }
}
}
} while (rec_type > 0 && rec_type != REC_TYPE_END);
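Review bot: verp_delims_verify(start) tests the queue file record against var_verp_filter as configured when the file is read, not when the message was accepted. If the administrator tightens verp_delimiter_filter while VERP mail is queued, those messages get only the "bad VERP record content" warning and are then delivered without single_rcpt and without VERP. Document this behaviour, or decide whether such a message should be deferred instead of sent with the unmodified sender.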
sendmail.o: ../../include/mail_flush.h
sendmail.o: ../../include/mail_stream.h
sendmail.o: ../../include/smtp_stream.h
+sendmail.o: ../../include/verp_sender.h
/* Initial user submission.
/* .IP \fB-V\fR
/* Variable Envelope Return Path. Given an envelope sender address
-/* \fIprefix\fR-@\fIorigin\fR, each recipient \fIuser@domain\fR
-/* receives mail with a personalized envelope sender address
-/* \fIprefix\fB-\fIuser=domain\fR@\fIorigin\fR.
+/* of the form \fIowner-listname\fR@\fIorigin\fR, each recipient
+/* \fIuser\fR@\fIdomain\fR receives mail with a personalized envelope
+/* sender address.
+/* .sp
+/* By default, the personalized envelope sender address is
+/* \fIowner-listname\fB+\fIuser\fB=\fIdomain\fR@\fIorigin\fR. The default
+/* \fB+\fR and \fB=\fR characters are configurable with the
+/* \fBdefault_verp_delimiters\fR configuration parameter.
+/* .IP \fB-V\fIxy\fR
+/* As \fB-V\fR, but uses \fIx\fR and \fIy\fR as the VERP delimiter
+/* characters, instead of the characters specified with the
+/* \fBdefault_verp_delimiters\fR configuration parameter.
/* .IP \fB-bd\fR
/* Go into daemon mode. This mode of operation is implemented by
/* executing the \fBpostfix start\fR command.
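Review bot: the new \fB-V\fIxy\fR entry does not say that x and y must be characters listed in verp_delimiter_filter, although the code rejects anything else with a fatal error. Add a sentence to this entry that points to the verp_delimiter_filter parameter, so the restriction appears where the option is described and not only in the parameter list.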
/* List of domain or network patterns. When a remote host matches
/* a pattern, increase the verbose logging level by the amount
/* specified in the \fBdebug_peer_level\fR parameter.
+/* .IP \fBdefault_verp_delimiters\fR
+/* The VERP delimiter characters that are used when the \fB-V\fR
+/* command line option is specified without delimiter characters.
/* .IP \fBfast_flush_domains\fR
/* List of domains that will receive "fast flush" service (default: all
/* domains that this system is willing to relay mail to). This greatly
/* directory of Postfix daemons that run chrooted.
/* .IP \fBqueue_run_delay\fR
/* The time between successive scans of the deferred queue.
+/* .IP \fBverp_delimiter_filter\fR
+/* The characters that Postfix accepts as VERP delimiter characters.
/* SEE ALSO
/* pickup(8) mail pickup daemon
/* postalias(1) maintain alias database
#include <mail_flush.h>
#include <mail_stream.h>
#include <smtp_stream.h>
+#include <verp_sender.h>
/* Application-specific. */
optind++;
continue;
}
- if ((c = GETOPT(argc, argv, "B:C:F:GIN:R:UVX:b:ce:f:h:imno:p:r:q:tvx")) <= 0)
+ if (strcmp(argv[OPTIND], "-V") == 0) {
+ verp_delims = var_verp_delims;
+ optind++;
+ continue;
+ }
+ if ((c = GETOPT(argc, argv, "B:C:F:GIN:R:UV:X:b:ce:f:h:imno:p:r:q:tvx")) <= 0)
break;
switch (c) {
default:
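Review bot: the bare -V special case matches only when -V is a separate argv word (strcmp(argv[OPTIND], "-V") == 0), while the option string changes from V to V:. A clustered form such as -tV now reaches GETOPT, which takes the next argument as the delimiter pair and then fails in verp_delims_verify(), where it previously worked. Either document that -V must be given as its own argument, or handle a missing delimiter argument in the 'V' case. Also check that argv[OPTIND] cannot be a null pointer at this strcmp(); the loop condition is outside the hunk.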
case 'R': /* DSN */
break;
case 'V': /* VERP */
- verp_delims = "";
+ if (verp_delims_verify(optarg) != 0)
+ msg_fatal("-V option requires two characters from %s",
+ var_verp_filter);
+ verp_delims = optarg;
break;
case 'b':
switch (*optarg) {
smtpd.o: ../../include/mail_queue.h
smtpd.o: ../../include/tok822.h
smtpd.o: ../../include/resolve_clnt.h
+smtpd.o: ../../include/verp_sender.h
smtpd.o: ../../include/mail_server.h
smtpd.o: smtpd_token.h
smtpd.o: smtpd.h
/* List of domain or network patterns. When a remote host matches
/* a pattern, increase the verbose logging level by the amount
/* specified in the \fBdebug_peer_level\fR parameter.
+/* .IP \fBdefault_verp_delimiters\fR
+/* The default VERP delimiter characters that are used when the
+/* XVERP command is specified without explicit delimiters.
/* .IP \fBerror_notice_recipient\fR
/* Recipient of protocol/policy/resource/software error notices.
/* .IP \fBhopcount_limit\fR
/* .IP \fBsoft_bounce\fR
/* Change hard (5xx) reject responses into soft (4xx) reject responses.
/* This can be useful for testing purposes.
+/* .IP \fBverp_delimiter_filter\fR
+/* The characters that Postfix accepts as VERP delimiter characters.
/* .SH "Resource controls"
/* .ad
/* .fi
#include <mail_stream.h>
#include <mail_queue.h>
#include <tok822.h>
+#include <verp_sender.h>
/* Single-threaded server skeleton. */
}
#endif
} else if (strcasecmp(arg, VERP_CMD) == 0) {
- verp_delims = "";
+ verp_delims = var_verp_delims;
} else if (strncasecmp(arg, VERP_CMD, VERP_CMD_LEN) == 0
&& arg[VERP_CMD_LEN] == '=') {
verp_delims = arg + VERP_CMD_LEN + 1;
- if (strlen(verp_delims) != 2) {
+ if (verp_delims_verify(verp_delims) != 0) {
state->error_mask |= MAIL_ERROR_PROTOCOL;
- smtpd_chat_reply(state, "501 Bad %s parameter: %s",
- VERP_CMD, arg);
+ smtpd_chat_reply(state, "501 %s needs two characters from %s",
+ VERP_CMD, var_verp_filter);
return (-1);
}
} else {
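Review bot: the replacement 501 reply prints var_verp_filter to the remote SMTP client. It is good that the client-supplied arg is no longer echoed back, but confirm that exposing the configured filter characters to any client is intended. If not, keep a fixed text such as "501 Bad XVERP delimiters" and write the detail to the local log only. The bare XVERP branch assigns var_verp_delims without a check, which is fine only because the value is verified at startup; a short comment saying so would help.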
int saved_ch;
struct stat st;
int ret;
+ mode_t saved_mode;
/*
* Initialize. Make a copy of the path that we can safely clobber.
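Review bot: saved_mode is declared here without an initializer, and the next hunk assigns it only in the branch where stat() succeeds on an existing directory. If the first path component does not exist, the new test if (saved_mode & S_IWOTH) reads an indeterminate value and may refuse or allow the mkdir() at random. Initialize it at the declaration, for example mode_t saved_mode = 0; or stat the starting parent directory before the loop so the world-writable check also covers the first component.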
ret = -1;
break;
}
+ saved_mode = st.st_mode;
} else {
if (errno != ENOENT)
break;
+
+ /*
+ * Create a new directory. Unfortunately, mkdir(2) has no
+ * equivalent of open(2)'s O_CREAT|O_EXCL safety net, so we must
+ * require that the parent directory is not world writable.
+ * Detecting a lost race condition after the fact is not
+ * sufficient, as an attacker could repeat the attack and add one
+ * directory level at a time.
+ */
+ if (saved_mode & S_IWOTH) {
+ msg_warn("refusing to mkdir %s: parent directory is writable by everyone",
+ saved_path);
+ errno = EPERM;
+ ret = -1;
+ break;
+ }
if ((ret = mkdir(saved_path, perms)) < 0) {
if (errno != EEXIST)
break;
/* Race condition? */
- if ((ret = stat(saved_path, &st)) < 0)
+ if ((ret = stat(saved_path, &st)) < 0)
break;
if (!S_ISDIR(st.st_mode)) {
errno = ENOTDIR;