Portability: FreeBSD 6 is a supported platform. Files:
util/sys_defs.h, makedefs.
+
+20010604
+
+ Safety: new "smtp_cname_overrides_servername" parameter.
+ The default value ("yes") is backwards compatible.
+
+ With a value of "no", the Postfix SMTP client no longer
+ allows CNAME expansion to override the hostname that is
+ used for logging, SASL password lookup, TLS policy decisions,
+ or TLS certificate verification. Instead it uses the name
+ of the recipient domain, the host or domain name specified
+ in Postfix configuration files, or the hostnames obtained
+ with MX lookups. To prevent cheating with hostnames in MX
+ lookup results, you will have to suppress MX lookups with
+ explicit [hostname] entries in transport maps. Files:
+ dns/dns_lookup.c, dns/dns_rr.c, proto/postconf.proto.
+
+20060108
+
+ Bugfix: mailbox_command_maps was not subject to $name
+ expansion. File: local/local.c.
+
+20060115
+
+ Bugfix: don't ignore the per-site policy when SSL library
+ initialization fails. Introduced after adopting the TLS
+ patch. File: smtp/smtp_session.c.
+
+20060121
+
+ Bugfix: a TLS per-site MUST_NOPEERMATCH policy could not
+ override a stronger main.cf policy, while a per-site NONE
+ policy could. Fixed with a clean re-implementation from
+ Postfix 2.3. File: smtp/smtp_session.c.
+
+ Bugfix: a combined TLS per-site (host, recipient) policy
+ of (NONE, MAY) changed a global MUST policy into NONE, and
+ a global MUST_NOPEERMATCH into MAY. The result is now NONE.
+ Problem found by exhaustive simulation. Fixed with a clean
+ re-implementation from Postfix 2.3. File: smtp/smtp_session.c.
+
+20060130
+
+ Bugfix: an empty remote_header_rewrite_domain value caused
+ trivial-rewrite to dereference a null pointer, but only in
+ regression tests, not in production. Postfix rewrites
+ addresses in the remote rewriting context only when the
+ remote_header_rewrite_domain parameter value is non-empty.
+ File: trivial-rewrite/rewrite.c.
+
+20060202
+
+ Workaround: a malformed domain name lookup result (such as
+ null MX record) is now treated as a hard error, so that
+ Postfix will no longer repeatedly try to deliver mail until
+ the message expires in the queue. However, this will not
+ reject mail with reject_unknown_sender/recipient_domain.
+ That would require too much change for a stable release.
+ File: dns/dns_lookup.c.
with the necessary definitions. This is done by invoking the command "make
makefiles" in the Postfix top-level directory and with arguments as shown next.
+N\bNO\bOT\bTE\bE:\b: D\bDo\bo n\bno\bot\bt u\bus\bse\be G\bGn\bnu\bu T\bTL\bLS\bS.\b. I\bIt\bt w\bwi\bil\bll\bl s\bsp\bpo\bon\bnt\bta\ban\bne\beo\bou\bus\bsl\bly\by t\bte\ber\brm\bmi\bin\bna\bat\bte\be a\ba p\bpr\bro\boc\bce\bes\bss\bs w\bwi\bit\bth\bh e\bex\bxi\bit\bt
+s\bst\bta\bat\btu\bus\bs c\bco\bod\bde\be 2\b2,\b, i\bin\bns\bst\bte\bea\bad\bd o\bof\bf p\bpr\bro\bop\bpe\ber\brl\bly\by r\bre\bep\bpo\bor\brt\bti\bin\bng\bg p\bpr\bro\bob\bbl\ble\bem\bms\bs t\bto\bo P\bPo\bos\bst\btf\bfi\bix\bx,\b, s\bso\bo t\bth\bha\bat\bt i\bit\bt
+c\bca\ban\bn l\blo\bog\bg t\bth\bhe\bem\bm t\bto\bo t\bth\bhe\be m\bma\bai\bil\bll\blo\bog\bg f\bfi\bil\ble\be.\b.
+
* If the OpenSSL include files (such as ssl.h) are in directory /usr/include/
openssl, and the OpenSSL libraries (such as libssl.so and libcrypto.so) are
in directory /usr/lib:
You can specify any database type that can store objects of several kbytes and
that supports the sequence operator. DBM databases are not suitable because
they can only store small objects. The cache is maintained by the tlsmgr(8)
-process, so there is no problem with concurrent access.
+process, so there is no problem with concurrent access. Session caching is
+highly recommended, because the cost of repeatedly negotiating TLS session keys
+is high.
Example:
...
The Postfix list manipulation routines give special treatment to whitespace and
-some other characters, making the use of certificate names unpractical. Instead
+some other characters, making the use of certificate names impractical. Instead
we use the certificate fingerprints as they are difficult to fake but easy to
use for lookup. Postfix lookup tables are in the form of (key, value) pairs.
Since we only need the key, the value can be chosen freely, e.g. the name of
* Client-side TLS activity logging
* Client-side TLS session cache
* Enabling TLS in the Postfix SMTP client
- * Server certificate verification
+ * Requiring TLS encryption
+ * Disabling server certificate verification
+ * Per-site TLS policies
+ * Closing a DNS loophole with per-site TLS policies
+ * Discovering servers that support TLS
+ * Server certificate verification depth
* Client-side cipher controls
* Miscellaneous client controls
issued by these CAs, append the root certificate to $smtp_tls_CAfile or install
it in the $smtp_tls_CApath directory. When you configure trust in a root CA, it
is not necessary to explicitly trust intermediary CAs signed by the root CA,
-unless $smtp_tls_verify_depth is less than the number of CAs in the certificate
-chain for the servers of interest. With a verify depth of 1 you can only verify
-certificates directly signed by a trusted CA, and all trusted intermediary CAs
-need to be configured explicitly. With a verify depth of 2 you can verify
-servers signed by a root CA or a direct intermediary CA (so long as the server
-is correctly configured to supply its intermediate CA certificate).
+unless $smtp_tls_scert_verifydepth is less than the number of CAs in the
+certificate chain for the servers of interest. With a verify depth of 1 you can
+only verify certificates directly signed by a trusted CA, and all trusted
+intermediary CAs need to be configured explicitly. With a verify depth of 2 you
+can verify servers signed by a root CA or a direct intermediary CA (so long as
+the server is correctly configured to supply its intermediate CA certificate).
RSA key and certificate examples:
can specify any database type that can store objects of several kbytes and that
supports the sequence operator. DBM databases are not suitable because they can
only store small objects. The cache is maintained by the tlsmgr(8) process, so
-there is no problem with concurrent access.
+there is no problem with concurrent access. Session caching is highly
+recommended, because the cost of repeatedly negotiating TLS session keys is
+high. Future Postfix SMTP servers may limit the number of sessions that a
+client is allowed to negotiate per unit time.
Example:
plain Postfix is visible. If you enable TLS, the Postfix SMTP client will send
STARTTLS when TLS support is announced by the remote SMTP server.
-WARNING: MS Exchange servers will announce STARTTLS support even when the
-service is not configured, so that the TLS handshake will fail. It may be wise
-to not use this option on your central mail hub, as you don't know in advance
-whether you are going to connect to such a host. Instead, use the
-smtp_tls_per_site recipient/site specific options that are described below.
-
-When the TLS handshake fails and no other server is available, the Postfix SMTP
-client defers the delivery attempt, and the mail stays in the queue.
+When the server accepts the STARTTLS command, but the subsequent TLS handshake
+fails, and no other server is available, the Postfix SMTP client defers the
+delivery attempt, and the mail stays in the queue. After a handshake failure,
+the communications channel is in an indeterminate state and cannot be used for
+non-TLS deliveries.
Example:
/etc/postfix/main.cf:
smtp_use_tls = yes
+R\bRe\beq\bqu\bui\bir\bri\bin\bng\bg T\bTL\bLS\bS e\ben\bnc\bcr\bry\byp\bpt\bti\bio\bon\bn
+
You can ENFORCE the use of TLS, so that the Postfix SMTP client will not
deliver mail over unencrypted connections. In this mode, the remote SMTP server
hostname must match the information in the remote server certificate, and the
server hostname doesn't match, and no other server is available, the delivery
attempt is deferred and the mail stays in the queue.
-The remote SMTP server hostname used in the check is beyond question, as it
-must be the principal hostname (no CNAME allowed here). Checks are performed
-against all names provided as dNSNames in the SubjectAlternativeName. If no
-dNSNames are specified, the CommonName is checked. The behavior may be changed
-with the smtp_tls_enforce_peername option which is discussed below.
+The remote SMTP server hostname is verified against all names provided as
+dNSNames in the SubjectAlternativeName. If no dNSNames are specified, the
+CommonName is checked. Verification may be turned off with the
+smtp_tls_enforce_peername option which is discussed below.
-This option is useful only if you know that you will only connect to servers
-that support RFC 2487 _and_ that present server certificates that meet the
-above requirements. An example would be a client only sends email to one
+Enforcing the use of TLS is useful if you know that you will only connect to
+servers that support RFC 2487 _and_ that present server certificates that meet
+the above requirements. An example would be a client only sends email to one
specific mailhub that offers the necessary STARTTLS support.
Example:
/etc/postfix/main.cf:
- smtp_enforce_tls = no
+ smtp_enforce_tls = yes
+
+D\bDi\bis\bsa\bab\bbl\bli\bin\bng\bg s\bse\ber\brv\bve\ber\br c\bce\ber\brt\bti\bif\bfi\bic\bca\bat\bte\be v\bve\ber\bri\bif\bfi\bic\bca\bat\bti\bio\bon\bn
As of RFC 2487 the requirements for hostname checking for MTA clients are not
set. When TLS is required (smtp_enforce_tls = yes), the option
server hostname checking. In this case, the mail delivery will proceed
regardless of the CommonName etc. listed in the certificate.
-Note: the smtp_tls_enforce_peername setting has no effect on sessions that are
-controlled via the smtp_tls_per_site table.
-
-Disabling the remote SMTP server hostname verification can make sense in closed
-environment where special CAs are created. If not used carefully, this option
-opens the danger of a "man-in-the-middle" attack (the CommonName of this
-possible attacker is logged).
+Despite the potential for eliminating "man-in-the-middle" and other attacks,
+mandatory certificate/peername verification is not viable as a default Internet
+mail delivery policy at this time. A significant fraction of TLS enabled MTAs
+uses self-signed certificates, or certificates that are signed by a private
+certificate authority. On a machine that delivers mail to the Internet, if you
+set smtp_enforce_tls = yes, you should probably also set
+smtp_tls_enforce_peername = no. You can use the per-site TLS policies (see
+below) to enable full peer verification for specific destinations that are
+known to have verifiable TLS server certificates.
Example:
/etc/postfix/main.cf:
- smtp_tls_enforce_peername = yes
-
-Generally, trying TLS can be a bad idea, as some servers offer STARTTLS but the
-negotiation will fail leading to unexplainable failures. Instead, it may be a
-good idea to choose the TLS usage policy based on the recipient or the mailhub
-to which you are connecting.
-
-Deciding the TLS usage policy per recipient may be difficult, since a single
-email delivery attempt can involve several recipients. Instead, use of TLS is
-controlled by the Postfix next-hop destination domain name and by the remote
-SMTP server hostname. If either of these matches an entry in the
-smtp_tls_per_site table, appropriate action is taken.
-
-The remote SMTP server hostname is simply the DNS name of the server that the
-Postfix SMTP client connects to. The next-hop destination is Postfix specific.
-By default, this is the domain name in the recipient address, but this
-information can be overruled by the transport(5) table or by the relayhost
-parameter setting. In these cases the relayhost etc. must be listed in the
-smtp_tls_per_site table, instead of the recipient domain name.
-
-Format of the table: domain or host names are specified on the left-hand side;
-no wildcards are allowed. On the right hand side specify one of the following
-keywords:
+ smtp_enforce_tls = yes
+ smtp_tls_enforce_peername = no
+
+P\bPe\ber\br-\b-s\bsi\bit\bte\be T\bTL\bLS\bS p\bpo\bol\bli\bic\bci\bie\bes\bs
+
+A small fraction of servers offer STARTTLS but the negotiation consistently
+fails, leading to mail aging out of the queue and bouncing back to the sender.
+In such cases, you can use the per-site policies to disable TLS for the problem
+sites. Alternatively, you can enable TLS for just a few specific sites and not
+enable it for all sites.
+
+The smtp_tls_per_site table is searched for a policy that matches the following
+information:
+
+ remote SMTP server hostname
+ This is simply the DNS name of the server that the Postfix SMTP client
+ connects to; this name may be obtained from other DNS lookups, such as
+ MX lookups or CNAME lookups.
+ next-hop destination
+ This is normally the domain portion of the recipient address, but it
+ may be overruled by information from the transport(5) table, from the
+ relayhost parameter setting, or from the relay_transport setting. When
+ it's not the recipient domain, the next-hop destination can have the
+ Postfix-specific form "[name]", [name]:port", "name" or "name:port".
+
+When both the hostname lookup and the next-hop lookup succeed, the host policy
+does not automatically override the next-hop policy. Instead, precedence is
+given to either the more specific or the more secure per-site policy as
+described below.
+
+The smtp_tls_per_site table uses a simple "name whitespace value" format.
+Specify host names or next-hop destinations on the left-hand side; no wildcards
+are allowed. On the right hand side specify one of the following keywords:
NONE
- Don't use TLS at all.
+ Don't use TLS at all. This overrides a less specific M\bMA\bAY\bY lookup result
+ from the alternate host or next-hop lookup key, and overrides the
+ global smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername
+ settings.
MAY
- Try to use STARTTLS if offered, otherwise use the unencrypted
- connection.
+ Try to use TLS if the server announces support, otherwise use the
+ unencrypted connection. This has less precedence than a more specific
+ result (including N\bNO\bON\bNE\bE) from the alternate host or next-hop lookup key,
+ and has less precedence than the more specific global "smtp_enforce_tls
+ = yes" or "smtp_tls_enforce_peername = yes".
+ MUST_NOPEERMATCH
+ Require TLS encryption, but do not require that the remote SMTP server
+ hostname matches the information in the remote SMTP server certificate,
+ or that the server certificate was issued by a trusted CA. This
+ overrides a less secure N\bNO\bON\bNE\bE or a less specific M\bMA\bAY\bY lookup result from
+ the alternate host or next-hop lookup key, and overrides the global
+ smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername settings.
MUST
- Require usage of STARTTLS, require that the remote SMTP server hostname
+ Require TLS encryption, require that the remote SMTP server hostname
matches the information in the remote SMTP server certificate, and
require that the remote SMTP server certificate was issued by a trusted
- CA.
- MUST_NOPEERMATCH
- Require usage of STARTTLS, but do not require that the remote SMTP
- server hostname matches the information in the remote SMTP server
- certificate, or that the server certificate was issued by a trusted CA.
+ CA. This overrides a less secure N\bNO\bON\bNE\bE and M\bMU\bUS\bST\bT_\b_N\bNO\bOP\bPE\bEE\bER\bRM\bMA\bAT\bTC\bCH\bH or a less
+ specific M\bMA\bAY\bY lookup result from the alternate host or next-hop lookup
+ key, and overrides the global smtp_use_tls, smtp_enforce_tls and
+ smtp_tls_enforce_peername settings.
+
+The precedences between global (main.cf) and per-site TLS policies can be
+summarized as follows:
+
+ * When neither the remote SMTP server hostname nor the next-hop destination
+ are found in the smtp_tls_per_site table, the policy is based on
+ smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername. Note:
+ "smtp_enforce_tls = yes" and "smtp_tls_enforce_peername = yes" imply
+ "smtp_use_tls = yes".
+
+ * When both hostname and next-hop destination lookups produce a result, the
+ more specific per-site policy (NONE, MUST, etc) overrides the less specific
+ one (MAY), and the more secure per-site policy (MUST, etc) overrides the
+ less secure one (NONE).
+
+ * After the per-site policy lookups are combined, the result generally
+ overrides the global policy. The exception is the less specific M\bMA\bAY\bY per-
+ site policy, which is overruled by the more specific global
+ "smtp_enforce_tls = yes" with server certificate verification as specified
+ with the smtp_tls_enforce_peername parameter.
+
+C\bCl\blo\bos\bsi\bin\bng\bg a\ba D\bDN\bNS\bS l\blo\boo\bop\bph\bho\bol\ble\be w\bwi\bit\bth\bh p\bpe\ber\br-\b-s\bsi\bit\bte\be T\bTL\bLS\bS p\bpo\bol\bli\bic\bci\bie\bes\bs
+
+As long as no secure DNS lookup mechanism is available, false hostnames in MX
+or CNAME responses can change the server hostname that Postfix uses for TLS
+policy lookup and server certificate verification. Even with a perfect match
+between the server hostname and the server certificate, there is no guarantee
+that Postfix is connected to the right server. To avoid this loophole take the
+following steps:
+
+ * Eliminate MX lookups. Specify local transport(5) table entries for
+ sensitive domains with explicit smtp:[mailhost] or smtp:[mailhost]:port
+ destinations (you can assure security of this table unlike DNS); in the
+ smtp_tls_per_site table specify the value M\bMU\bUS\bST\bT for the key [mailhost] or
+ smtp:[mailhost]:port. This prevents false hostname information in DNS MX
+ records from changing the server hostname that Postfix uses for TLS policy
+ lookup and server certificate verification.
+
+ * Disallow CNAME hostname overrides. In main.cf specify
+ "smtp_cname_overrides_servername = no". This prevents false hostname
+ information in DNS CNAME records from changing the server hostname that
+ Postfix uses for TLS policy lookup and server certificate verification.
+ This feature requires Postfix 2.2.9 or later.
-The actual TLS usage policy depends not only on whether the next-hop
-destination or remote SMTP server hostname are found in the smtp_tls_per_site
-table, but also on the smtp_enforce_tls setting:
+Example:
- * If no match was found, the policy is applied as specified with
- smtp_enforce_tls.
+ /etc/postfix/main.cf:
+ smtp_tls_per_site = hash:/etc/postfix/tls_per_site
+ relayhost = [msa.example.net]:587
- * If a match was found, and the smtp_enforce_tls policy is "enforce", NONE
- explicitly switches it off; otherwise the "enforce" mode is used even for
- entries that specify MAY.
+ /etc/postfix/tls_per_site:
+ # relayhost exact nexthop match
+ [msa.example.net]:587 MUST
-Special hint for TLS enforcement mode: since no secure DNS lookup mechanism is
-available, mail can be delivered to the wrong remote SMTP server. This is not
-prevented by specifying MUST for the next-hop domain name. The recommended
-setup is: specify local transport(5) table entries for sensitive domains with
-explicit smtp:[mailhost] destinations (since you can assure security of this
-table unlike DNS), then specify MUST for these mail hosts in the
-smtp_tls_per_site table.
+ # example.org (as nexthop) has MX hosts with broken TLS.
+ example.org NONE
-Example:
+ # Except for (as host) mx1.example.org which works.
+ mx1.example.org MAY
- /etc/postfix/main.cf:
- smtp_tls_per_site = hash:/etc/postfix/tls_per_site
+D\bDi\bis\bsc\bco\bov\bve\ber\bri\bin\bng\bg s\bse\ber\brv\bve\ber\brs\bs t\bth\bha\bat\bt s\bsu\bup\bpp\bpo\bor\brt\bt T\bTL\bLS\bS
As we decide on a "per site" basis whether or not to use TLS, it would be good
to have a list of sites that offered "STARTTLS". We can collect it ourselves
/etc/postfix/main.cf:
smtp_tls_note_starttls_offer = yes
-S\bSe\ber\brv\bve\ber\br c\bce\ber\brt\bti\bif\bfi\bic\bca\bat\bte\be v\bve\ber\bri\bif\bfi\bic\bca\bat\bti\bio\bon\bn
+S\bSe\ber\brv\bve\ber\br c\bce\ber\brt\bti\bif\bfi\bic\bca\bat\bte\be v\bve\ber\bri\bif\bfi\bic\bca\bat\bti\bio\bon\bn d\bde\bep\bpt\bth\bh
When verifying a remote SMTP server certificate, a verification depth of 1 is
sufficient if the certificate is directly issued by a CA specified with
and in order to access the TLS session cache databases. Such a protocol
cannot be run across fifos.
+ * smtp_tls_per_site: the MUST_NOPEERMATCH per-site policy cannot override the
+ global "smtp_tls_enforce_peername = yes" setting.
+
+ * smtp_tls_per_site: a combined (NONE + MAY) lookup result for (hostname and
+ next-hop destination) produces counter-intuitive results for different
+ main.cf settings. TLS is enabled with "smtp_tls_enforce_peername = no", but
+ it is disabled when both "smtp_enforce_tls = yes" and
+ "smtp_tls_enforce_peername = yes".
+
+The smtp_tls_per_site limitations were removed by the end of the Postfix 2.2
+support cycle.
+
C\bCr\bre\bed\bdi\bit\bts\bs
* TLS support for Postfix was originally developed by Lutz Jänicke at Cottbus
Technical University.
* Wietse Venema adopted the code, did some restructuring, and compiled this
part of the documentation from Lutz's documents.
+ * Victor Duchovni was instrumental with the re-implementation of the
+ smtp_tls_per_site code in terms of enforcement levels, which simplified the
+ implementation greatly.
done by invoking the command "<tt>make makefiles</tt>" in the Postfix
top-level directory and with arguments as shown next. </p>
+<p> <b> NOTE: Do not use Gnu TLS. It will spontaneously terminate
+a process with exit status code 2, instead of properly reporting
+problems to Postfix, so that it can log them to the maillog file.
+</b> </p>
+
<ul>
<li> <p> If the OpenSSL include files (such as <tt>ssl.h</tt>) are
kbytes and that supports the sequence operator. DBM databases are
not suitable because they can only store small objects. The cache
is maintained by the <a href="tlsmgr.8.html">tlsmgr(8)</a> process, so there is no problem with
-concurrent access. </p>
+concurrent access. Session caching is highly recommended, because
+the cost of repeatedly negotiating TLS session keys is high.</p>
<p> Example: </p>
<p> The Postfix list manipulation routines give special treatment
to whitespace and some other characters, making the use of certificate
-names unpractical. Instead we use the certificate fingerprints as
+names impractical. Instead we use the certificate fingerprints as
they are difficult to fake but easy to use for lookup. Postfix
lookup tables are in the form of (key, value) pairs. Since we only
need the key, the value can be chosen freely, e.g. the name of
<li><a href="#client_tls_cache">Client-side TLS session cache</a>
-<li><a href="#client_tls"> Enabling TLS in the Postfix SMTP client </a>
+<li><a href="#client_tls_enable"> Enabling TLS in the Postfix SMTP client </a>
+
+<li><a href="#client_tls_require"> Requiring TLS encryption </a>
+
+<li><a href="#client_tls_nopeer"> Disabling server certificate verification </a>
+
+<li><a href="#client_tls_per_site"> Per-site TLS policies </a>
+
+<!--
+<li><a href="#client_tls_obs"> Obsolete per-site TLS policy support </a>
+-->
+
+<li><a href="#client_tls_harden"> Closing a DNS loophole with <!-- legacy --> per-site TLS policies </a>
+
+<li><a href="#client_tls_discover"> Discovering servers that support TLS </a>
-<li><a href="#client_vrfy_server">Server certificate verification</a>
+<li><a href="#client_vrfy_server">Server certificate verification depth</a>
<li> <a href="#client_cipher">Client-side cipher controls </a>
certificates issued by these CAs, append the root certificate to
$<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> or install it in the $<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> directory. When
you configure trust in a root CA, it is not necessary to explicitly trust
-intermediary CAs signed by the root CA, unless $smtp_tls_verify_depth
+intermediary CAs signed by the root CA, unless $<a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a>
is less than the number of CAs in the certificate chain for the servers
of interest. With a verify depth of 1 you can only verify certificates
directly signed by a trusted CA, and all trusted intermediary CAs need to
kbytes and that supports the sequence operator. DBM databases are
not suitable because they can only store small objects. The cache
is maintained by the <a href="tlsmgr.8.html">tlsmgr(8)</a> process, so there is no problem with
-concurrent access. </p>
+concurrent access. Session caching is highly recommended, because
+the cost of repeatedly negotiating TLS session keys is high. Future
+Postfix SMTP servers may limit the number of sessions that a client
+is allowed to negotiate per unit time.</p>
<p> Example: </p>
</pre>
</blockquote>
-<h3><a name="client_tls"> Enabling TLS in the Postfix SMTP client </a>
-</h3>
+<h3><a name="client_tls_enable"> Enabling TLS in the Postfix SMTP
+client </a> </h3>
<p> By default, TLS is disabled in the Postfix SMTP client, so no
difference to plain Postfix is visible. If you enable TLS, the
Postfix SMTP client will send STARTTLS when TLS support is announced
by the remote SMTP server. </p>
-<p> WARNING: MS Exchange servers will announce STARTTLS support
-even when the service is not configured, so that the TLS handshake
-will fail. It may be wise to not use this option on your central
-mail hub, as you don't know in advance whether you are going to
-connect to such a host. Instead, use the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a>
-recipient/site specific options that are described below. </p>
-
-<p> When the TLS handshake fails and no other server is available,
-the Postfix SMTP client defers the delivery attempt, and the mail
-stays in the queue. </p>
+<p> When the server accepts the STARTTLS command, but the subsequent
+TLS handshake fails, and no other server is available, the Postfix SMTP
+client defers the delivery attempt, and the mail stays in the queue. After
+a handshake failure, the communications channel is in an indeterminate
+state and cannot be used for non-TLS deliveries. </p>
<p> Example: </p>
</pre>
</blockquote>
+<h3><a name="client_tls_require"> Requiring TLS encryption </a>
+</h3>
+
<p> You can ENFORCE the use of TLS, so that the Postfix SMTP client
will not deliver mail over unencrypted connections. In this mode,
the remote SMTP server hostname must match the information in the
doesn't match, and no other server is available, the delivery
attempt is deferred and the mail stays in the queue. </p>
-<p> The remote SMTP server hostname used in the check is beyond
-question, as it must be the principal hostname (no CNAME allowed
-here). Checks are performed against all names provided as dNSNames
+<p> The remote SMTP server hostname is verified against all names
+provided as dNSNames
in the SubjectAlternativeName. If no dNSNames are specified, the
-CommonName is checked. The behavior may be changed with the
+CommonName is checked. Verification may be turned off with the
<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> option which is discussed below. </p>
-<p> This option is useful only if you know that you will only
+<p> Enforcing the use of TLS is useful if you know that you will
+only
connect to servers that support <a href="http://www.faqs.org/rfcs/rfc2487.html">RFC 2487</a> _and_ that present server
certificates that meet the above requirements. An example would
be a client only sends email to one specific mailhub that offers
<blockquote>
<pre>
/etc/postfix/main.cf:
- <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = no
+ <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes
</pre>
</blockquote>
+<h3> <a name="client_tls_nopeer"> Disabling server certificate
+verification </a> </h3>
+
<p> As of <a href="http://www.faqs.org/rfcs/rfc2487.html">RFC 2487</a> the requirements for hostname checking for MTA
clients are not set. When TLS is required (<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes),
the option <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> can be set to "no" to disable
delivery will proceed regardless of the CommonName etc. listed in
the certificate. </p>
-<p> Note: the <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> setting has no effect on
-sessions that are controlled via the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table. </p>
-
-<p> Disabling the remote SMTP server hostname verification can
-make sense in closed environment where special CAs are created.
-If not used carefully, this option opens the danger of a
-"man-in-the-middle" attack (the CommonName of this possible attacker
-is logged). </p>
+<p> Despite the potential for eliminating "man-in-the-middle" and
+other attacks, mandatory certificate/peername verification is not
+viable as a default Internet mail delivery policy at this time. A
+significant fraction of TLS enabled MTAs uses self-signed certificates,
+or certificates that are signed by a private certificate authority.
+On a machine that delivers mail to the Internet, if you set
+<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes, you should probably also set
+<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = no. You can use the per-site TLS
+policies (see below) to enable full peer verification for specific
+destinations that are known to have verifiable TLS server certificates.
+</p>
<p> Example: </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
- <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = yes
+ <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes
+ <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = no
</pre>
</blockquote>
-<p> Generally, trying TLS can be a bad idea, as some servers offer
-STARTTLS but the negotiation will fail leading to unexplainable
-failures. Instead, it may be a good idea to choose the TLS usage
-policy based on the recipient or the mailhub to which you are
-connecting. </p>
-
-<p> Deciding the TLS usage policy per recipient may be difficult,
-since a single email delivery attempt can involve several recipients.
-Instead, use of TLS is controlled by the Postfix next-hop destination
-domain name and by the remote SMTP server hostname. If either of these
-matches an entry in the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table, appropriate action
-is taken. </p>
-
-<p> The remote SMTP server hostname is simply the DNS name of the
-server that the Postfix SMTP client connects to. The next-hop
-destination is Postfix specific. By default, this is the domain
-name in the recipient address, but this information can be overruled
-by the <a href="transport.5.html">transport(5)</a> table or by the <a href="postconf.5.html#relayhost">relayhost</a> parameter setting.
-In these cases the <a href="postconf.5.html#relayhost">relayhost</a> etc. must be listed in the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a>
-table, instead of the recipient domain name. </p>
-
-<p> Format of the table: domain or host names are specified on the
-left-hand side; no wildcards are allowed. On the right hand side
-specify one of the following keywords: </p>
+<h3> <a name="client_tls_per_site"> Per-site TLS policies </a> </h3>
+
+<p> A small fraction of servers offer STARTTLS but the negotiation
+consistently fails, leading to mail aging out of the queue and
+bouncing back to the sender. In such cases, you can use the per-site
+policies to disable TLS for the problem sites. Alternatively, you
+can enable TLS for just a few specific sites and not enable it for
+all sites. </p>
+
+<!-- insert new-style TLS policy mechanism here
+
+<h3> <a name="client_tls_obs"> Obsolete per-site TLS policy support
+</a> </h3>
+
+<p> This section describes an obsolete per-site TLS policy mechanism.
+Unlike the newer mechanism it supports TLS policy lookup by server
+hostname, and lacks control over what names can appear in server
+certificates. Because of this, the obsolete mechanism is vulnerable
+to false DNS hostname information in MX or CNAME records. These
+attacks can be eliminated only with great difficulty. </p>
+
+-->
+
+<p> The <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table is searched for a policy that matches
+the following information: </p>
<blockquote>
<dl>
-<dt> NONE </dt> <dd> Don't use TLS at all. </dd>
+<dt> remote SMTP server hostname </dt> <dd> This is simply the DNS
+name of the server that the Postfix SMTP client connects to; this
+name may be obtained from other DNS lookups, such as MX lookups or
+CNAME lookups. </dd>
+
+<dt> next-hop destination </dt> <dd> This is normally the domain
+portion of the recipient address, but it may be overruled by
+information from the <a href="transport.5.html">transport(5)</a> table, from the <a href="postconf.5.html#relayhost">relayhost</a> parameter
+setting, or from the <a href="postconf.5.html#relay_transport">relay_transport</a> setting. When it's not the
+recipient domain, the next-hop destination can have the Postfix-specific
+form "<tt>[name]</tt>", <tt>[name]:port</tt>", "<tt>name</tt>" or
+"<tt>name:port</tt>". </dd>
+
+</dl>
+
+</blockquote>
+
+<p> When both the hostname lookup and the next-hop lookup succeed,
+the host policy does not automatically override the next-hop policy.
+Instead, precedence is given to either the more specific or the
+more secure per-site policy as described below. </p>
+
+<p> The <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table uses a simple "<i>name whitespace
+value</i>" format. Specify host names or next-hop destinations on
+the left-hand side; no wildcards are allowed. On the right hand
+side specify one of the following keywords: </p>
-<dt> MAY </dt> <dd> Try to use STARTTLS if offered, otherwise use
-the unencrypted connection. </dd>
+<blockquote>
-<dt> MUST </dt> <dd> Require usage of STARTTLS, require that the
-remote SMTP server hostname matches the information in the remote
-SMTP server certificate, and require that the remote SMTP server
-certificate was issued by a trusted CA. </dd>
+<dl>
-<dt> MUST_NOPEERMATCH </dt> <dd> Require usage of STARTTLS, but do
-not require that the remote SMTP server hostname matches the
-information in the remote SMTP server certificate, or that the
-server certificate was issued by a trusted CA. </dd>
+<dt> NONE </dt> <dd> Don't use TLS at all. This overrides a less
+specific <b>MAY</b> lookup result from the alternate host or next-hop
+lookup key, and overrides the global <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>,
+and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> settings. </dd>
+
+<dt> MAY </dt> <dd> Try to use TLS if the server announces support,
+otherwise use the unencrypted connection. This has less precedence
+than a more specific result (including <b>NONE</b>) from the alternate
+host or next-hop lookup key, and has less precedence than the more
+specific global "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" or "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>
+= yes". </dd>
+
+<dt> MUST_NOPEERMATCH </dt> <dd> Require TLS encryption, but do not
+require that the remote SMTP server hostname matches the information
+in the remote SMTP server certificate, or that the server certificate
+was issued by a trusted CA. This overrides a less secure <b>NONE</b>
+or a less specific <b>MAY</b> lookup result from the alternate host
+or next-hop lookup key, and overrides the global <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>,
+<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> settings. </dd>
+
+<dt> MUST </dt> <dd> Require TLS encryption, require that the remote
+SMTP server hostname matches the information in the remote SMTP
+server certificate, and require that the remote SMTP server certificate
+was issued by a trusted CA. This overrides a less secure <b>NONE</b>
+and <b>MUST_NOPEERMATCH</b> or a less specific <b>MAY</b> lookup
+result from the alternate host or next-hop lookup key, and overrides
+the global <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>
+settings. </dd>
</dl>
</blockquote>
-<p> The actual TLS usage policy depends not only on whether the
-next-hop destination or remote SMTP server hostname are found in
-the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table, but also on the <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>
-setting: </p>
+<p> The precedences between global (main.cf) and per-site TLS
+policies can be summarized as follows: </p>
<ul>
-<li> <p> If no match was found, the policy is applied as specified
-with <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>. </p>
+<li> <p> When neither the remote SMTP server hostname nor the
+next-hop destination are found in the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table, the
+policy is based on <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> and
+<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>. Note: "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" and
+"<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = yes" imply "<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> = yes". </p>
-<li> <p> If a match was found, and the <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> policy is
-"enforce", NONE explicitly switches it off; otherwise the "enforce"
-mode is used even for entries that specify MAY. </p>
+<li> <p> When both hostname and next-hop destination lookups produce
+a result, the more specific per-site policy (NONE, MUST, etc)
+overrides the less specific one (MAY), and the more secure per-site
+policy (MUST, etc) overrides the less secure one (NONE). </p>
+
+<li> <p> After the per-site policy lookups are combined, the result
+generally overrides the global policy. The exception is the less
+specific <b>MAY</b> per-site policy, which is overruled by the more
+specific global "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" with server certificate
+verification as specified with the <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>
+parameter. </p>
</ul>
-<p> Special hint for TLS enforcement mode: since no secure DNS
-lookup mechanism is available, mail can be delivered to the wrong
-remote SMTP server. This is not prevented by specifying MUST for
-the next-hop domain name. The recommended setup is: specify local
-<a href="transport.5.html">transport(5)</a> table entries for sensitive domains with explicit
-<a href="smtp.8.html">smtp</a>:[mailhost] destinations (since you can assure security of this
-table unlike DNS), then specify MUST for these mail hosts in the
-<a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table. </p>
+<h3> <a name="client_tls_harden"> Closing a DNS loophole with
+<!-- legacy --> per-site TLS policies </a> </h3>
+
+<p> As long as no secure DNS lookup mechanism is available, false
+hostnames in MX or CNAME responses can change the server hostname
+that Postfix uses for TLS policy lookup and server certificate
+verification. Even with a perfect match between the server hostname
+and the server certificate, there is no guarantee that Postfix is
+connected to the right server. To avoid this loophole take the
+following steps: </p>
+
+<ul>
+
+<li> <p> Eliminate MX lookups. Specify local <a href="transport.5.html">transport(5)</a> table
+entries for sensitive domains with explicit <a href="smtp.8.html">smtp</a>:[<i>mailhost</i>]
+or <a href="smtp.8.html">smtp</a>:[<i>mailhost</i>]:<i>port</i> destinations (you can assure
+security of this table unlike DNS); in the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table
+specify the value <b>MUST</b> for the key [<i>mailhost</i>] or
+<a href="smtp.8.html">smtp</a>:[<i>mailhost</i>]:<i>port</i>. This prevents false hostname
+information in DNS MX records from changing the server hostname
+that Postfix uses for TLS policy lookup and server certificate
+verification. </p>
+
+<li> <p> Disallow CNAME hostname overrides. In main.cf specify
+"<a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a> = no". This prevents false hostname
+information in DNS CNAME records from changing the server hostname
+that Postfix uses for TLS policy lookup and server certificate
+verification. This feature requires Postfix 2.2.9 or later. </p>
+
+</ul>
<p> Example: </p>
-
-<blockquote>
-<pre>
+
+<blockquote> <pre>
/etc/postfix/main.cf:
<a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> = hash:/etc/postfix/tls_per_site
+ <a href="postconf.5.html#relayhost">relayhost</a> = [msa.example.net]:587
+
+/etc/postfix/tls_per_site:
+ # <a href="postconf.5.html#relayhost">relayhost</a> exact nexthop match
+ [msa.example.net]:587 MUST
+
+ # example.org (as nexthop) has MX hosts with broken TLS.
+ example.org NONE
+
+ # Except for (as host) mx1.example.org which works.
+ mx1.example.org MAY
</pre>
</blockquote>
+<h3> <a name="client_tls_discover"> Discovering servers that support
+TLS </a> </h3>
+
<p> As we decide on a "per site" basis whether or not to use TLS,
it would be good to have a list of sites that offered "STARTTLS".
We can collect it ourselves with this option. </p>
</pre>
</blockquote>
-<h3><a name="client_vrfy_server">Server certificate verification</a> </h3>
+<h3><a name="client_vrfy_server">Server certificate verification depth</a> </h3>
<p> When verifying a remote SMTP server certificate, a verification
depth of 1 is sufficient if the certificate is directly issued by
</blockquote>
<li> <p> Configure Postfix, by adding the following to
-<tt>/etc/postfix/main.cf</tt>. </p>
+<tt>/etc/postfix/main.cf </tt>. </p>
<blockquote>
<pre>
generation (PRNG) pool, and in order to access the TLS session
cache databases. Such a protocol cannot be run across fifos. </p>
+<li> <p> <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a>: the MUST_NOPEERMATCH per-site policy
+cannot override the global "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = yes" setting.
+</p>
+
+<li> <p> <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a>: a combined (NONE + MAY) lookup result
+for (hostname and next-hop destination) produces counter-intuitive
+results for different main.cf settings. TLS is enabled with
+"<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = no", but it is disabled when both
+"<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" and "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = yes".
+</p>
+
</ul>
+<p> The <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> limitations were removed by the end of
+the Postfix 2.2 support cycle. </p>
+
<h2><a name="credits">Credits </a> </h2>
<ul>
<li> Wietse Venema adopted the code, did some restructuring, and
compiled this part of the documentation from Lutz's documents.
+<li> Victor Duchovni was instrumental with the re-implementation
+of the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> code in terms of enforcement levels, which
+simplified the implementation greatly.
+
</ul>
</body>
<p> Examples: </p>
-<p> The Postfix < 2.2 backwards compatible setting: always rewrite
+<p> The Postfix < 2.2 backwards compatible setting: always rewrite
message headers, and always append my own domain to incomplete
header addresses. </p>
but this form is not recommended here. </p>
+</DD>
+
+<DT><b><a name="smtp_cname_overrides_servername">smtp_cname_overrides_servername</a>
+(default: yes)</b></DT><DD>
+
+<p> Allow DNS CNAME records to override the servername that the
+Postfix SMTP client uses for logging, SASL password lookup, TLS
+policy decisions, or TLS certificate verification. The default value
+(yes) is backwards compatible. Specify "no" to harden Postfix 2.2
+<a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> hostname-based policies against false hostname
+information in DNS CNAME records. </p>
+
+<p> This feature is available in Postfix 2.2.9 and later. </p>
+
+
</DD>
<DT><b><a name="smtp_connect_timeout">smtp_connect_timeout</a>
(default: empty)</b></DT><DD>
<p> Optional lookup tables with the Postfix SMTP client TLS usage
-policy by next-hop domain name and by remote SMTP server hostname.
-</p>
-
-<p> Table format: domain names or server hostnames are specified
-on the left-hand side; no wildcards are allowed. On the right hand
-side specify one of the following keywords: </p>
+policy by next-hop destination and by remote SMTP server hostname.
+When both lookups succeed, the more specific per-site policy (NONE,
+MUST, etc) overrides the less specific one (MAY), and the more
+secure per-site policy (MUST, etc) overrides the less secure one
+(NONE). </p>
+
+<p> Specify a next-hop destination or server hostname on the left-hand
+side; no wildcards are allowed. The next-hop destination is either
+the recipient domain, or the destination specified with a <a href="transport.5.html">transport(5)</a>
+table, the <a href="postconf.5.html#relayhost">relayhost</a> parameter, or the <a href="postconf.5.html#relay_transport">relay_transport</a> parameter.
+On the right hand side specify one of the following keywords: </p>
<dl>
-<dt> NONE </dt> <dd>Don't use TLS at all. </dd>
+<dt> NONE </dt> <dd> Don't use TLS at all. This overrides a less
+specific <b>MAY</b> lookup result from the alternate host or next-hop
+lookup key, and overrides the global <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>,
+and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> settings. </dd>
+
+<dt> MAY </dt> <dd> Try to use TLS if the server announces support,
+otherwise use the unencrypted connection. This has less precedence
+than a more specific result (including <b>NONE</b>) from the alternate
+host or next-hop lookup key, and has less precedence than the more
+specific global "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" or "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>
+= yes". </dd>
+
+<dt> MUST_NOPEERMATCH </dt> <dd> Require TLS encryption, but do not
+require that the remote SMTP server hostname matches the information
+in the remote SMTP server certificate, or that the server certificate
+was issued by a trusted CA. This overrides a less secure <b>NONE</b>
+or a less specific <b>MAY</b> lookup result from the alternate host
+or next-hop lookup key, and overrides the global <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>,
+<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> settings. </dd>
+
+<dt> MUST </dt> <dd> Require TLS encryption, require that the remote
+SMTP server hostname matches the information in the remote SMTP
+server certificate, and require that the remote SMTP server certificate
+was issued by a trusted CA. This overrides a less secure <b>NONE</b>
+and <b>MUST_NOPEERMATCH</b> or a less specific <b>MAY</b> lookup
+result from the alternate host or next-hop lookup key, and overrides
+the global <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>
+settings. </dd>
-<dt> MAY </dt> <dd>Try to use STARTTLS if offered, otherwise use
-the unencrypted connection. </dd>
+</dl>
-<dt> MUST </dt> <dd>Require usage of STARTTLS, require that the
-remote SMTP server hostname matches the information in the remote
-SMTP server certificate, and require that the remote SMTP server
-certificate was issued by a trusted CA. </dd>
+<p> As long as no secure DNS lookup mechanism is available, false
+hostnames in MX or CNAME responses can change the server hostname
+that Postfix uses for TLS policy lookup and server certificate
+verification. Even with a perfect match between the server hostname
+and the server certificate, there is no guarantee that Postfix is
+connected to the right server. To avoid this loophole take the
+following steps: </p>
-<dt> MUST_NOPEERMATCH </dt> <dd>Require usage of STARTTLS, but do
-not require that the remote SMTP server hostname matches the
-information in the remote SMTP server certificate, or that the
-server certificate was issued by a trusted CA. </dd>
+<ul>
-</dl>
+<li> Disallow CNAME hostname overrides. In main.cf specify
+"<a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a> = no". This prevents false hostname
+information in DNS CNAME records from changing the server hostname
+that Postfix uses for TLS policy lookup and server certificate
+verification. This feature requires Postfix 2.2.9 or later.
+
+<li> Eliminate MX lookups. Specify local <a href="transport.5.html">transport(5)</a> table entries
+for sensitive domains with explicit <a href="smtp.8.html">smtp</a>:[mailhost] or <a href="smtp.8.html">smtp</a>:[mailhost]:port
+destinations. This prevents false hostname information in DNS MX
+records from changing the server hostname that Postfix uses for TLS
+policy lookup and server certificate verification.
+
+<li> Specify MUST for these mail hosts (including [ ] and port) in
+the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table.
+
+</ul>
-<p> Special hint for enforcement mode: since no secure DNS lookup
-mechanism is available, the recommended setup is: specify local
-<a href="transport.5.html">transport(5)</a> table entries for sensitive domains with explicit
-<a href="smtp.8.html">smtp</a>:[mailhost] destinations (since you can assure security of this
-table unlike DNS), then specify MUST for these mail hosts in the
-<a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table. </p>
+<p> </p>
</DD>
<b><a href="postconf.5.html#smtp_never_send_ehlo">smtp_never_send_ehlo</a> (no)</b>
Never send EHLO at the start of an SMTP session.
+ <b><a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a> (yes)</b>
+ Allow DNS CNAME records to override the servername
+ that the Postfix SMTP client uses for logging, SASL
+ password lookup, TLS policy decisions, or TLS cer-
+ tificate verification.
+
<b><a href="postconf.5.html#smtp_defer_if_no_mx_address_found">smtp_defer_if_no_mx_address_found</a> (no)</b>
- Defer mail delivery when no MX record resolves to
+ Defer mail delivery when no MX record resolves to
an IP address.
<b><a href="postconf.5.html#smtp_line_length_limit">smtp_line_length_limit</a> (990)</b>
that Postfix will send via SMTP.
<b><a href="postconf.5.html#smtp_pix_workaround_delay_time">smtp_pix_workaround_delay_time</a> (10s)</b>
- How long the Postfix SMTP client pauses before
+ How long the Postfix SMTP client pauses before
sending ".<CR><LF>" in order to work around the PIX
firewall "<CR><LF>.<CR><LF>" bug.
<b><a href="postconf.5.html#smtp_pix_workaround_threshold_time">smtp_pix_workaround_threshold_time</a> (500s)</b>
- How long a message must be queued before the PIX
- firewall "<CR><LF>.<CR><LF>" bug workaround is
+ How long a message must be queued before the PIX
+ firewall "<CR><LF>.<CR><LF>" bug workaround is
turned on.
<b><a href="postconf.5.html#smtp_quote_rfc821_envelope">smtp_quote_rfc821_envelope</a> (yes)</b>
- Quote addresses in SMTP MAIL FROM and RCPT TO com-
+ Quote addresses in SMTP MAIL FROM and RCPT TO com-
mands as required by <a href="http://www.faqs.org/rfcs/rfc821.html">RFC 821</a>.
<b><a href="postconf.5.html#smtp_skip_5xx_greeting">smtp_skip_5xx_greeting</a> (yes)</b>
(go away, do not try again later).
<b><a href="postconf.5.html#smtp_skip_quit_response">smtp_skip_quit_response</a> (yes)</b>
- Do not wait for the response to the SMTP QUIT com-
+ Do not wait for the response to the SMTP QUIT com-
mand.
Available in Postfix version 2.0 and earlier:
Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtp_discard_ehlo_keyword_address_maps">smtp_discard_ehlo_keyword_address_maps</a> (empty)</b>
- Lookup tables, indexed by the remote SMTP server
- address, with case insensitive lists of EHLO key-
- words (pipelining, starttls, auth, etc.) that the
+ Lookup tables, indexed by the remote SMTP server
+ address, with case insensitive lists of EHLO key-
+ words (pipelining, starttls, auth, etc.) that the
SMTP client will ignore in the EHLO response from a
remote SMTP server.
<b><a href="postconf.5.html#smtp_discard_ehlo_keywords">smtp_discard_ehlo_keywords</a> (empty)</b>
- A case insensitive list of EHLO keywords (pipelin-
- ing, starttls, auth, etc.) that the SMTP client
+ A case insensitive list of EHLO keywords (pipelin-
+ ing, starttls, auth, etc.) that the SMTP client
will ignore in the EHLO response from a remote SMTP
server.
<b><a href="postconf.5.html#smtp_generic_maps">smtp_generic_maps</a> (empty)</b>
Optional lookup tables that perform address rewrit-
- ing in the SMTP client, typically to transform a
+ ing in the SMTP client, typically to transform a
locally valid address into a globally valid address
when sending mail across the Internet.
Available in Postfix version 2.0 and later:
<b><a href="postconf.5.html#disable_mime_output_conversion">disable_mime_output_conversion</a> (no)</b>
- Disable the conversion of 8BITMIME format to 7BIT
+ Disable the conversion of 8BITMIME format to 7BIT
format.
<b><a href="postconf.5.html#mime_boundary_length_limit">mime_boundary_length_limit</a> (2048)</b>
Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtp_send_xforward_command">smtp_send_xforward_command</a> (no)</b>
- Send the non-standard XFORWARD command when the
- Postfix SMTP server EHLO response announces XFOR-
+ Send the non-standard XFORWARD command when the
+ Postfix SMTP server EHLO response announces XFOR-
WARD support.
<b>SASL AUTHENTICATION CONTROLS</b>
<b><a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> (no)</b>
- Enable SASL authentication in the Postfix SMTP
+ Enable SASL authentication in the Postfix SMTP
client.
<b><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> (empty)</b>
- Optional SMTP client lookup tables with one user-
- name:password entry per remote hostname or domain.
+ Optional SMTP client lookup tables with one user-
+ name:password entry per remote hostname or domain.
<b><a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a> (noplaintext, noanonymous)</b>
- What authentication mechanisms the Postfix SMTP
+ What authentication mechanisms the Postfix SMTP
client is allowed to use.
Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> (empty)</b>
- If non-empty, a Postfix SMTP client filter for the
- remote SMTP server's list of offered SASL mecha-
+ If non-empty, a Postfix SMTP client filter for the
+ remote SMTP server's list of offered SASL mecha-
nisms.
<b>STARTTLS SUPPORT CONTROLS</b>
- Detailed information about STARTTLS configuration may be
+ Detailed information about STARTTLS configuration may be
found in the <a href="TLS_README.html">TLS_README</a> document.
<b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
- Opportunistic mode: use TLS when a remote SMTP
- server announces STARTTLS support, otherwise send
+ Opportunistic mode: use TLS when a remote SMTP
+ server announces STARTTLS support, otherwise send
the mail in the clear.
<b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
- Enforcement mode: require that remote SMTP servers
- use TLS encryption, and never send mail in the
+ Enforcement mode: require that remote SMTP servers
+ use TLS encryption, and never send mail in the
clear.
<b><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_secu</a>-</b>
<b><a href="postconf.5.html#smtp_sasl_security_options">rity_options</a>)</b>
- The SASL authentication security options that the
- Postfix SMTP client uses for TLS encrypted SMTP
+ The SASL authentication security options that the
+ Postfix SMTP client uses for TLS encrypted SMTP
sessions.
<b><a href="postconf.5.html#smtp_starttls_timeout">smtp_starttls_timeout</a> (300s)</b>
- Time limit for Postfix SMTP client write and read
- operations during TLS startup and shutdown hand-
+ Time limit for Postfix SMTP client write and read
+ operations during TLS startup and shutdown hand-
shake procedures.
<b><a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> (empty)</b>
- The file with the certificate of the certification
- authority (CA) that issued the Postfix SMTP client
+ The file with the certificate of the certification
+ authority (CA) that issued the Postfix SMTP client
certificate.
<b><a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> (empty)</b>
- Directory with PEM format certificate authority
- certificates that the Postfix SMTP client uses to
+ Directory with PEM format certificate authority
+ certificates that the Postfix SMTP client uses to
verify a remote SMTP server certificate.
<b><a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> (empty)</b>
- File with the Postfix SMTP client RSA certificate
+ File with the Postfix SMTP client RSA certificate
in PEM format.
<b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
- Controls the Postfix SMTP client TLS cipher selec-
+ Controls the Postfix SMTP client TLS cipher selec-
tion scheme.
<b><a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> (empty)</b>
- File with the Postfix SMTP client DSA certificate
+ File with the Postfix SMTP client DSA certificate
in PEM format.
<b><a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> ($<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>)</b>
- File with the Postfix SMTP client DSA private key
+ File with the Postfix SMTP client DSA private key
in PEM format.
<b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
- When TLS encryption is enforced, require that the
+ When TLS encryption is enforced, require that the
remote SMTP server hostname matches the information
in the remote SMTP server certificate.
<b><a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a> ($<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>)</b>
- File with the Postfix SMTP client RSA private key
+ File with the Postfix SMTP client RSA private key
in PEM format.
<b><a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> (0)</b>
- Enable additional Postfix SMTP client logging of
+ Enable additional Postfix SMTP client logging of
TLS activity.
<b><a href="postconf.5.html#smtp_tls_note_starttls_offer">smtp_tls_note_starttls_offer</a> (no)</b>
- Log the hostname of a remote SMTP server that
- offers STARTTLS, when TLS is not already enabled
+ Log the hostname of a remote SMTP server that
+ offers STARTTLS, when TLS is not already enabled
for that server.
<b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
Optional lookup tables with the Postfix SMTP client
- TLS usage policy by next-hop domain name and by
+ TLS usage policy by next-hop domain name and by
remote SMTP server hostname.
<b><a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> (5)</b>
- The verification depth for remote SMTP server cer-
+ The verification depth for remote SMTP server cer-
tificates.
<b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b>
- Name of the file containing the optional Postfix
+ Name of the file containing the optional Postfix
SMTP client TLS session cache.
<b><a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> (3600s)</b>
sion cache information.
<b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b>
- The
number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a>
- or
<a href="smtpd.8.html"><b>smtpd</b>(8)</a> process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>
- server in order to seed its internal pseudo random
+ The
number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a>
+ or
<a href="smtpd.8.html"><b>smtpd</b>(8)</a> process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>
+ server in order to seed its internal pseudo random
number generator (PRNG).
<b>RESOURCE AND RATE CONTROLS</b>
<b><a href="postconf.5.html#smtp_destination_concurrency_limit">smtp_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destina</a>-</b>
<b><a href="postconf.5.html#default_destination_concurrency_limit">tion_concurrency_limit</a>)</b>
- The maximal number of parallel deliveries to the
- same destination via the smtp message delivery
+ The maximal number of parallel deliveries to the
+ same destination via the smtp message delivery
transport.
<b><a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destina</a>-</b>
<b><a href="postconf.5.html#default_destination_recipient_limit">tion_recipient_limit</a>)</b>
- The maximal number of recipients per delivery via
+ The maximal number of recipients per delivery via
the smtp message delivery transport.
<b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
- The SMTP client time limit for completing a TCP
+ The SMTP client time limit for completing a TCP
connection, or zero (use the operating system
built-in time limit).
<b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
- The SMTP client time limit for sending the HELO or
- EHLO command, and for receiving the initial server
+ The SMTP client time limit for sending the HELO or
+ EHLO command, and for receiving the initial server
response.
<b><a href="postconf.5.html#smtp_xforward_timeout">smtp_xforward_timeout</a> (300s)</b>
command, and for receiving the server response.
<b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
- The SMTP client time limit for sending the MAIL
- FROM command, and for receiving the server
+ The SMTP client time limit for sending the MAIL
+ FROM command, and for receiving the server
response.
<b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
- The SMTP client time limit for sending the SMTP
- RCPT TO command, and for receiving the server
+ The SMTP client time limit for sending the SMTP
+ RCPT TO command, and for receiving the server
response.
<b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
- The SMTP client time limit for sending the SMTP
- DATA command, and for receiving the server
+ The SMTP client time limit for sending the SMTP
+ DATA command, and for receiving the server
response.
<b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
- The SMTP client time limit for sending the SMTP
+ The SMTP client time limit for sending the SMTP
message content.
<b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
- The SMTP client time limit for sending the SMTP
+ The SMTP client time limit for sending the SMTP
".", and for receiving the server response.
<b><a href="postconf.5.html#smtp_quit_timeout">smtp_quit_timeout</a> (300s)</b>
- The SMTP client time limit for sending the QUIT
+ The SMTP client time limit for sending the QUIT
command, and for receiving the server response.
Available in Postfix version 2.1 and later:
lookups, or zero (no limit).
<b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
- The maximal number of SMTP sessions per delivery
- request before giving up or delivering to a fall-
+ The maximal number of SMTP sessions per delivery
+ request before giving up or delivering to a fall-
back relay host, or zero (no limit).
<b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
- The SMTP client time limit for sending the RSET
+ The SMTP client time limit for sending the RSET
command, and for receiving the server response.
Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
- Permanently enable SMTP connection caching for the
+ Permanently enable SMTP connection caching for the
specified destinations.
<b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
- Temporarily enable SMTP connection caching while a
+ Temporarily enable SMTP connection caching while a
destination has a high volume of mail in the active
queue.
<b><a href="postconf.5.html#smtp_connection_cache_reuse_limit">smtp_connection_cache_reuse_limit</a> (10)</b>
When SMTP connection caching is enabled, the number
- of times that an SMTP session is reused before it
+ of times that an SMTP session is reused before it
is closed.
<b><a href="postconf.5.html#smtp_connection_cache_time_limit">smtp_connection_cache_time_limit</a> (2s)</b>
When SMTP connection caching is enabled, the amount
- of time that an unused SMTP client socket is kept
+ of time that an unused SMTP client socket is kept
open before it is closed.
<b>TROUBLE SHOOTING CONTROLS</b>
<b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
- The increment in verbose logging level when a
- remote client or server matches a pattern in the
+ The increment in verbose logging level when a
+ remote client or server matches a pattern in the
<a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
<b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
- Optional list of remote client or server hostname
- or network address patterns that cause the verbose
- logging level to increase by the amount specified
+ Optional list of remote client or server hostname
+ or network address patterns that cause the verbose
+ logging level to increase by the amount specified
in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
<b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
- The recipient of postmaster notifications about
- mail delivery problems that are caused by policy,
+ The recipient of postmaster notifications about
+ mail delivery problems that are caused by policy,
resource, software or protocol errors.
<b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
- The list of error classes that are reported to the
+ The list of error classes that are reported to the
postmaster.
<b>MISCELLANEOUS CONTROLS</b>
<b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
- Where the Postfix SMTP client should deliver mail
+ Where the Postfix SMTP client should deliver mail
when it detects a "mail loops back to myself" error
condition.
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
- The default location of the Postfix main.cf and
+ The default location of the Postfix main.cf and
master.cf configuration files.
<b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
- How much time a Postfix daemon process may take to
- handle a request before it is terminated by a
+ How much time a Postfix daemon process may take to
+ handle a request before it is terminated by a
built-in watchdog timer.
<b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
- Disable DNS lookups in the Postfix SMTP and LMTP
+ Disable DNS lookups in the Postfix SMTP and LMTP
clients.
<b><a href="postconf.5.html#fallback_relay">fallback_relay</a> (empty)</b>
- Optional list of relay hosts for SMTP destinations
+ Optional list of relay hosts for SMTP destinations
that can't be found or that are unreachable.
<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
tem receives mail on.
<b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (ipv4)</b>
- The Internet protocols Postfix will attempt to use
+ The Internet protocols Postfix will attempt to use
when making or accepting connections.
<b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
over an internal communication channel.
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
- The maximum amount of time that an idle Postfix
- daemon process waits for the next service request
+ The maximum amount of time that an idle Postfix
+ daemon process waits for the next service request
before exiting.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
- The maximal number of connection requests before a
+ The maximal number of connection requests before a
Postfix daemon process terminates.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
- The process ID of a Postfix command or daemon
+ The process ID of a Postfix command or daemon
process.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
- The process name of a Postfix command or daemon
+ The process name of a Postfix command or daemon
process.
<b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
The network interface addresses that this mail sys-
- tem receives mail on by way of a proxy or network
+ tem receives mail on by way of a proxy or network
address translation unit.
<b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
An optional numerical network address that the SMTP
- client should bind to when making an IPv4 connec-
+ client should bind to when making an IPv4 connec-
tion.
<b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
An optional numerical network address that the SMTP
- client should bind to when making an IPv6 connec-
+ client should bind to when making an IPv6 connec-
tion.
<b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
- The hostname to send in the SMTP EHLO or HELO com-
+ The hostname to send in the SMTP EHLO or HELO com-
mand.
<b><a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a> (dns)</b>
- What mechanisms when the SMTP client uses to look
+ What mechanisms when the SMTP client uses to look
up a host's IP address.
<b><a href="postconf.5.html#smtp_randomize_addresses">smtp_randomize_addresses</a> (yes)</b>
- Randomize the order of equal-preference MX host
+ Randomize the order of equal-preference MX host
addresses.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b>SEE ALSO</b>
<a href="TLS_README.html">TLS_README</a>, Postfix STARTTLS howto
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>
.PP
Note 2: address information may be enclosed inside [],
but this form is not recommended here.
+.SH smtp_cname_overrides_servername (default: yes)
+Allow DNS CNAME records to override the servername that the
+Postfix SMTP client uses for logging, SASL password lookup, TLS
+policy decisions, or TLS certificate verification. The default value
+(yes) is backwards compatible. Specify "no" to harden Postfix 2.2
+smtp_tls_per_site hostname-based policies against false hostname
+information in DNS CNAME records.
+.PP
+This feature is available in Postfix 2.2.9 and later.
.SH smtp_connect_timeout (default: 30s)
The SMTP client time limit for completing a TCP connection, or
zero (use the operating system built-in time limit).
.ft R
.SH smtp_tls_per_site (default: empty)
Optional lookup tables with the Postfix SMTP client TLS usage
-policy by next-hop domain name and by remote SMTP server hostname.
-.PP
-Table format: domain names or server hostnames are specified
-on the left-hand side; no wildcards are allowed. On the right hand
-side specify one of the following keywords:
+policy by next-hop destination and by remote SMTP server hostname.
+When both lookups succeed, the more specific per-site policy (NONE,
+MUST, etc) overrides the less specific one (MAY), and the more
+secure per-site policy (MUST, etc) overrides the less secure one
+(NONE).
+.PP
+Specify a next-hop destination or server hostname on the left-hand
+side; no wildcards are allowed. The next-hop destination is either
+the recipient domain, or the destination specified with a \fBtransport\fR(5)
+table, the relayhost parameter, or the relay_transport parameter.
+On the right hand side specify one of the following keywords:
.IP "NONE"
-Don't use TLS at all.
+Don't use TLS at all. This overrides a less
+specific \fBMAY\fR lookup result from the alternate host or next-hop
+lookup key, and overrides the global smtp_use_tls, smtp_enforce_tls,
+and smtp_tls_enforce_peername settings.
.IP "MAY"
-Try to use STARTTLS if offered, otherwise use
-the unencrypted connection.
-.IP "MUST"
-Require usage of STARTTLS, require that the
-remote SMTP server hostname matches the information in the remote
-SMTP server certificate, and require that the remote SMTP server
-certificate was issued by a trusted CA.
+Try to use TLS if the server announces support,
+otherwise use the unencrypted connection. This has less precedence
+than a more specific result (including \fBNONE\fR) from the alternate
+host or next-hop lookup key, and has less precedence than the more
+specific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peername
+= yes".
.IP "MUST_NOPEERMATCH"
-Require usage of STARTTLS, but do
-not require that the remote SMTP server hostname matches the
-information in the remote SMTP server certificate, or that the
-server certificate was issued by a trusted CA.
-.PP
-Special hint for enforcement mode: since no secure DNS lookup
-mechanism is available, the recommended setup is: specify local
-\fBtransport\fR(5) table entries for sensitive domains with explicit
-smtp:[mailhost] destinations (since you can assure security of this
-table unlike DNS), then specify MUST for these mail hosts in the
-smtp_tls_per_site table.
+Require TLS encryption, but do not
+require that the remote SMTP server hostname matches the information
+in the remote SMTP server certificate, or that the server certificate
+was issued by a trusted CA. This overrides a less secure \fBNONE\fR
+or a less specific \fBMAY\fR lookup result from the alternate host
+or next-hop lookup key, and overrides the global smtp_use_tls,
+smtp_enforce_tls and smtp_tls_enforce_peername settings.
+.IP "MUST"
+Require TLS encryption, require that the remote
+SMTP server hostname matches the information in the remote SMTP
+server certificate, and require that the remote SMTP server certificate
+was issued by a trusted CA. This overrides a less secure \fBNONE\fR
+and \fBMUST_NOPEERMATCH\fR or a less specific \fBMAY\fR lookup
+result from the alternate host or next-hop lookup key, and overrides
+the global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername
+settings.
+.PP
+As long as no secure DNS lookup mechanism is available, false
+hostnames in MX or CNAME responses can change the server hostname
+that Postfix uses for TLS policy lookup and server certificate
+verification. Even with a perfect match between the server hostname
+and the server certificate, there is no guarantee that Postfix is
+connected to the right server. To avoid this loophole take the
+following steps:
+.IP \(bu
+Disallow CNAME hostname overrides. In main.cf specify
+"smtp_cname_overrides_servername = no". This prevents false hostname
+information in DNS CNAME records from changing the server hostname
+that Postfix uses for TLS policy lookup and server certificate
+verification. This feature requires Postfix 2.2.9 or later.
+.IP \(bu
+Eliminate MX lookups. Specify local \fBtransport\fR(5) table entries
+for sensitive domains with explicit smtp:[mailhost] or smtp:[mailhost]:port
+destinations. This prevents false hostname information in DNS MX
+records from changing the server hostname that Postfix uses for TLS
+policy lookup and server certificate verification.
+.IP \(bu
+Specify MUST for these mail hosts (including [ ] and port) in
+the smtp_tls_per_site table.
+.PP
.SH smtp_tls_scert_verifydepth (default: 5)
The verification depth for remote SMTP server certificates. A
depth of 1 is sufficient, if the certificate is directly issued by
Always send EHLO at the start of an SMTP session.
.IP "\fBsmtp_never_send_ehlo (no)\fR"
Never send EHLO at the start of an SMTP session.
+.IP "\fBsmtp_cname_overrides_servername (yes)\fR"
+Allow DNS CNAME records to override the servername that the
+Postfix SMTP client uses for logging, SASL password lookup, TLS
+policy decisions, or TLS certificate verification.
.IP "\fBsmtp_defer_if_no_mx_address_found (no)\fR"
Defer mail delivery when no MX record resolves to an IP address.
.IP "\fBsmtp_line_length_limit (990)\fR"
s;\bsmtp_always_send_ehlo\b;<a href="postconf.5.html#smtp_always_send_ehlo">$&</a>;g;
s;\bsmtp_bind_address\b;<a href="postconf.5.html#smtp_bind_address">$&</a>;g;
s;\bsmtp_bind_address6\b;<a href="postconf.5.html#smtp_bind_address6">$&</a>;g;
+ s;\bsmtp_cname_overrides_servername\b;<a href="postconf.5.html#smtp_cname_overrides_servername">$&</a>;g;
s;\bsmtp_connect_timeout\b;<a href="postconf.5.html#smtp_connect_timeout">$&</a>;g;
s;\bsmtp_connection_cache_on_demand\b;<a href="postconf.5.html#smtp_connection_cache_on_demand">$&</a>;g;
done by invoking the command "<tt>make makefiles</tt>" in the Postfix
top-level directory and with arguments as shown next. </p>
+<p> <b> NOTE: Do not use Gnu TLS. It will spontaneously terminate
+a process with exit status code 2, instead of properly reporting
+problems to Postfix, so that it can log them to the maillog file.
+</b> </p>
+
<ul>
<li> <p> If the OpenSSL include files (such as <tt>ssl.h</tt>) are
kbytes and that supports the sequence operator. DBM databases are
not suitable because they can only store small objects. The cache
is maintained by the tlsmgr(8) process, so there is no problem with
-concurrent access. </p>
+concurrent access. Session caching is highly recommended, because
+the cost of repeatedly negotiating TLS session keys is high.</p>
<p> Example: </p>
<p> The Postfix list manipulation routines give special treatment
to whitespace and some other characters, making the use of certificate
-names unpractical. Instead we use the certificate fingerprints as
+names impractical. Instead we use the certificate fingerprints as
they are difficult to fake but easy to use for lookup. Postfix
lookup tables are in the form of (key, value) pairs. Since we only
need the key, the value can be chosen freely, e.g. the name of
<li><a href="#client_tls_cache">Client-side TLS session cache</a>
-<li><a href="#client_tls"> Enabling TLS in the Postfix SMTP client </a>
+<li><a href="#client_tls_enable"> Enabling TLS in the Postfix SMTP client </a>
+
+<li><a href="#client_tls_require"> Requiring TLS encryption </a>
+
+<li><a href="#client_tls_nopeer"> Disabling server certificate verification </a>
+
+<li><a href="#client_tls_per_site"> Per-site TLS policies </a>
+
+<!--
+<li><a href="#client_tls_obs"> Obsolete per-site TLS policy support </a>
+-->
+
+<li><a href="#client_tls_harden"> Closing a DNS loophole with <!-- legacy --> per-site TLS policies </a>
+
+<li><a href="#client_tls_discover"> Discovering servers that support TLS </a>
-<li><a href="#client_vrfy_server">Server certificate verification</a>
+<li><a href="#client_vrfy_server">Server certificate verification depth</a>
<li> <a href="#client_cipher">Client-side cipher controls </a>
certificates issued by these CAs, append the root certificate to
$smtp_tls_CAfile or install it in the $smtp_tls_CApath directory. When
you configure trust in a root CA, it is not necessary to explicitly trust
-intermediary CAs signed by the root CA, unless $smtp_tls_verify_depth
+intermediary CAs signed by the root CA, unless $smtp_tls_scert_verifydepth
is less than the number of CAs in the certificate chain for the servers
of interest. With a verify depth of 1 you can only verify certificates
directly signed by a trusted CA, and all trusted intermediary CAs need to
kbytes and that supports the sequence operator. DBM databases are
not suitable because they can only store small objects. The cache
is maintained by the tlsmgr(8) process, so there is no problem with
-concurrent access. </p>
+concurrent access. Session caching is highly recommended, because
+the cost of repeatedly negotiating TLS session keys is high. Future
+Postfix SMTP servers may limit the number of sessions that a client
+is allowed to negotiate per unit time.</p>
<p> Example: </p>
</pre>
</blockquote>
-<h3><a name="client_tls"> Enabling TLS in the Postfix SMTP client </a>
-</h3>
+<h3><a name="client_tls_enable"> Enabling TLS in the Postfix SMTP
+client </a> </h3>
<p> By default, TLS is disabled in the Postfix SMTP client, so no
difference to plain Postfix is visible. If you enable TLS, the
Postfix SMTP client will send STARTTLS when TLS support is announced
by the remote SMTP server. </p>
-<p> WARNING: MS Exchange servers will announce STARTTLS support
-even when the service is not configured, so that the TLS handshake
-will fail. It may be wise to not use this option on your central
-mail hub, as you don't know in advance whether you are going to
-connect to such a host. Instead, use the smtp_tls_per_site
-recipient/site specific options that are described below. </p>
-
-<p> When the TLS handshake fails and no other server is available,
-the Postfix SMTP client defers the delivery attempt, and the mail
-stays in the queue. </p>
+<p> When the server accepts the STARTTLS command, but the subsequent
+TLS handshake fails, and no other server is available, the Postfix SMTP
+client defers the delivery attempt, and the mail stays in the queue. After
+a handshake failure, the communications channel is in an indeterminate
+state and cannot be used for non-TLS deliveries. </p>
<p> Example: </p>
</pre>
</blockquote>
+<h3><a name="client_tls_require"> Requiring TLS encryption </a>
+</h3>
+
<p> You can ENFORCE the use of TLS, so that the Postfix SMTP client
will not deliver mail over unencrypted connections. In this mode,
the remote SMTP server hostname must match the information in the
doesn't match, and no other server is available, the delivery
attempt is deferred and the mail stays in the queue. </p>
-<p> The remote SMTP server hostname used in the check is beyond
-question, as it must be the principal hostname (no CNAME allowed
-here). Checks are performed against all names provided as dNSNames
+<p> The remote SMTP server hostname is verified against all names
+provided as dNSNames
in the SubjectAlternativeName. If no dNSNames are specified, the
-CommonName is checked. The behavior may be changed with the
+CommonName is checked. Verification may be turned off with the
smtp_tls_enforce_peername option which is discussed below. </p>
-<p> This option is useful only if you know that you will only
+<p> Enforcing the use of TLS is useful if you know that you will
+only
connect to servers that support RFC 2487 _and_ that present server
certificates that meet the above requirements. An example would
be a client only sends email to one specific mailhub that offers
<blockquote>
<pre>
/etc/postfix/main.cf:
- smtp_enforce_tls = no
+ smtp_enforce_tls = yes
</pre>
</blockquote>
+<h3> <a name="client_tls_nopeer"> Disabling server certificate
+verification </a> </h3>
+
<p> As of RFC 2487 the requirements for hostname checking for MTA
clients are not set. When TLS is required (smtp_enforce_tls = yes),
the option smtp_tls_enforce_peername can be set to "no" to disable
delivery will proceed regardless of the CommonName etc. listed in
the certificate. </p>
-<p> Note: the smtp_tls_enforce_peername setting has no effect on
-sessions that are controlled via the smtp_tls_per_site table. </p>
-
-<p> Disabling the remote SMTP server hostname verification can
-make sense in closed environment where special CAs are created.
-If not used carefully, this option opens the danger of a
-"man-in-the-middle" attack (the CommonName of this possible attacker
-is logged). </p>
+<p> Despite the potential for eliminating "man-in-the-middle" and
+other attacks, mandatory certificate/peername verification is not
+viable as a default Internet mail delivery policy at this time. A
+significant fraction of TLS enabled MTAs uses self-signed certificates,
+or certificates that are signed by a private certificate authority.
+On a machine that delivers mail to the Internet, if you set
+smtp_enforce_tls = yes, you should probably also set
+smtp_tls_enforce_peername = no. You can use the per-site TLS
+policies (see below) to enable full peer verification for specific
+destinations that are known to have verifiable TLS server certificates.
+</p>
<p> Example: </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
- smtp_tls_enforce_peername = yes
+ smtp_enforce_tls = yes
+ smtp_tls_enforce_peername = no
</pre>
</blockquote>
-<p> Generally, trying TLS can be a bad idea, as some servers offer
-STARTTLS but the negotiation will fail leading to unexplainable
-failures. Instead, it may be a good idea to choose the TLS usage
-policy based on the recipient or the mailhub to which you are
-connecting. </p>
-
-<p> Deciding the TLS usage policy per recipient may be difficult,
-since a single email delivery attempt can involve several recipients.
-Instead, use of TLS is controlled by the Postfix next-hop destination
-domain name and by the remote SMTP server hostname. If either of these
-matches an entry in the smtp_tls_per_site table, appropriate action
-is taken. </p>
-
-<p> The remote SMTP server hostname is simply the DNS name of the
-server that the Postfix SMTP client connects to. The next-hop
-destination is Postfix specific. By default, this is the domain
-name in the recipient address, but this information can be overruled
-by the transport(5) table or by the relayhost parameter setting.
-In these cases the relayhost etc. must be listed in the smtp_tls_per_site
-table, instead of the recipient domain name. </p>
-
-<p> Format of the table: domain or host names are specified on the
-left-hand side; no wildcards are allowed. On the right hand side
-specify one of the following keywords: </p>
+<h3> <a name="client_tls_per_site"> Per-site TLS policies </a> </h3>
+
+<p> A small fraction of servers offer STARTTLS but the negotiation
+consistently fails, leading to mail aging out of the queue and
+bouncing back to the sender. In such cases, you can use the per-site
+policies to disable TLS for the problem sites. Alternatively, you
+can enable TLS for just a few specific sites and not enable it for
+all sites. </p>
+
+<!-- insert new-style TLS policy mechanism here
+
+<h3> <a name="client_tls_obs"> Obsolete per-site TLS policy support
+</a> </h3>
+
+<p> This section describes an obsolete per-site TLS policy mechanism.
+Unlike the newer mechanism it supports TLS policy lookup by server
+hostname, and lacks control over what names can appear in server
+certificates. Because of this, the obsolete mechanism is vulnerable
+to false DNS hostname information in MX or CNAME records. These
+attacks can be eliminated only with great difficulty. </p>
+
+-->
+
+<p> The smtp_tls_per_site table is searched for a policy that matches
+the following information: </p>
<blockquote>
<dl>
-<dt> NONE </dt> <dd> Don't use TLS at all. </dd>
+<dt> remote SMTP server hostname </dt> <dd> This is simply the DNS
+name of the server that the Postfix SMTP client connects to; this
+name may be obtained from other DNS lookups, such as MX lookups or
+CNAME lookups. </dd>
+
+<dt> next-hop destination </dt> <dd> This is normally the domain
+portion of the recipient address, but it may be overruled by
+information from the transport(5) table, from the relayhost parameter
+setting, or from the relay_transport setting. When it's not the
+recipient domain, the next-hop destination can have the Postfix-specific
+form "<tt>[name]</tt>", <tt>[name]:port</tt>", "<tt>name</tt>" or
+"<tt>name:port</tt>". </dd>
+
+</dl>
+
+</blockquote>
+
+<p> When both the hostname lookup and the next-hop lookup succeed,
+the host policy does not automatically override the next-hop policy.
+Instead, precedence is given to either the more specific or the
+more secure per-site policy as described below. </p>
+
+<p> The smtp_tls_per_site table uses a simple "<i>name whitespace
+value</i>" format. Specify host names or next-hop destinations on
+the left-hand side; no wildcards are allowed. On the right hand
+side specify one of the following keywords: </p>
-<dt> MAY </dt> <dd> Try to use STARTTLS if offered, otherwise use
-the unencrypted connection. </dd>
+<blockquote>
-<dt> MUST </dt> <dd> Require usage of STARTTLS, require that the
-remote SMTP server hostname matches the information in the remote
-SMTP server certificate, and require that the remote SMTP server
-certificate was issued by a trusted CA. </dd>
+<dl>
-<dt> MUST_NOPEERMATCH </dt> <dd> Require usage of STARTTLS, but do
-not require that the remote SMTP server hostname matches the
-information in the remote SMTP server certificate, or that the
-server certificate was issued by a trusted CA. </dd>
+<dt> NONE </dt> <dd> Don't use TLS at all. This overrides a less
+specific <b>MAY</b> lookup result from the alternate host or next-hop
+lookup key, and overrides the global smtp_use_tls, smtp_enforce_tls,
+and smtp_tls_enforce_peername settings. </dd>
+
+<dt> MAY </dt> <dd> Try to use TLS if the server announces support,
+otherwise use the unencrypted connection. This has less precedence
+than a more specific result (including <b>NONE</b>) from the alternate
+host or next-hop lookup key, and has less precedence than the more
+specific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peername
+= yes". </dd>
+
+<dt> MUST_NOPEERMATCH </dt> <dd> Require TLS encryption, but do not
+require that the remote SMTP server hostname matches the information
+in the remote SMTP server certificate, or that the server certificate
+was issued by a trusted CA. This overrides a less secure <b>NONE</b>
+or a less specific <b>MAY</b> lookup result from the alternate host
+or next-hop lookup key, and overrides the global smtp_use_tls,
+smtp_enforce_tls and smtp_tls_enforce_peername settings. </dd>
+
+<dt> MUST </dt> <dd> Require TLS encryption, require that the remote
+SMTP server hostname matches the information in the remote SMTP
+server certificate, and require that the remote SMTP server certificate
+was issued by a trusted CA. This overrides a less secure <b>NONE</b>
+and <b>MUST_NOPEERMATCH</b> or a less specific <b>MAY</b> lookup
+result from the alternate host or next-hop lookup key, and overrides
+the global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername
+settings. </dd>
</dl>
</blockquote>
-<p> The actual TLS usage policy depends not only on whether the
-next-hop destination or remote SMTP server hostname are found in
-the smtp_tls_per_site table, but also on the smtp_enforce_tls
-setting: </p>
+<p> The precedences between global (main.cf) and per-site TLS
+policies can be summarized as follows: </p>
<ul>
-<li> <p> If no match was found, the policy is applied as specified
-with smtp_enforce_tls. </p>
+<li> <p> When neither the remote SMTP server hostname nor the
+next-hop destination are found in the smtp_tls_per_site table, the
+policy is based on smtp_use_tls, smtp_enforce_tls and
+smtp_tls_enforce_peername. Note: "smtp_enforce_tls = yes" and
+"smtp_tls_enforce_peername = yes" imply "smtp_use_tls = yes". </p>
-<li> <p> If a match was found, and the smtp_enforce_tls policy is
-"enforce", NONE explicitly switches it off; otherwise the "enforce"
-mode is used even for entries that specify MAY. </p>
+<li> <p> When both hostname and next-hop destination lookups produce
+a result, the more specific per-site policy (NONE, MUST, etc)
+overrides the less specific one (MAY), and the more secure per-site
+policy (MUST, etc) overrides the less secure one (NONE). </p>
+
+<li> <p> After the per-site policy lookups are combined, the result
+generally overrides the global policy. The exception is the less
+specific <b>MAY</b> per-site policy, which is overruled by the more
+specific global "smtp_enforce_tls = yes" with server certificate
+verification as specified with the smtp_tls_enforce_peername
+parameter. </p>
</ul>
-<p> Special hint for TLS enforcement mode: since no secure DNS
-lookup mechanism is available, mail can be delivered to the wrong
-remote SMTP server. This is not prevented by specifying MUST for
-the next-hop domain name. The recommended setup is: specify local
-transport(5) table entries for sensitive domains with explicit
-smtp:[mailhost] destinations (since you can assure security of this
-table unlike DNS), then specify MUST for these mail hosts in the
-smtp_tls_per_site table. </p>
+<h3> <a name="client_tls_harden"> Closing a DNS loophole with
+<!-- legacy --> per-site TLS policies </a> </h3>
+
+<p> As long as no secure DNS lookup mechanism is available, false
+hostnames in MX or CNAME responses can change the server hostname
+that Postfix uses for TLS policy lookup and server certificate
+verification. Even with a perfect match between the server hostname
+and the server certificate, there is no guarantee that Postfix is
+connected to the right server. To avoid this loophole take the
+following steps: </p>
+
+<ul>
+
+<li> <p> Eliminate MX lookups. Specify local transport(5) table
+entries for sensitive domains with explicit smtp:[<i>mailhost</i>]
+or smtp:[<i>mailhost</i>]:<i>port</i> destinations (you can assure
+security of this table unlike DNS); in the smtp_tls_per_site table
+specify the value <b>MUST</b> for the key [<i>mailhost</i>] or
+smtp:[<i>mailhost</i>]:<i>port</i>. This prevents false hostname
+information in DNS MX records from changing the server hostname
+that Postfix uses for TLS policy lookup and server certificate
+verification. </p>
+
+<li> <p> Disallow CNAME hostname overrides. In main.cf specify
+"smtp_cname_overrides_servername = no". This prevents false hostname
+information in DNS CNAME records from changing the server hostname
+that Postfix uses for TLS policy lookup and server certificate
+verification. This feature requires Postfix 2.2.9 or later. </p>
+
+</ul>
<p> Example: </p>
-
-<blockquote>
-<pre>
+
+<blockquote> <pre>
/etc/postfix/main.cf:
smtp_tls_per_site = hash:/etc/postfix/tls_per_site
+ relayhost = [msa.example.net]:587
+
+/etc/postfix/tls_per_site:
+ # relayhost exact nexthop match
+ [msa.example.net]:587 MUST
+
+ # example.org (as nexthop) has MX hosts with broken TLS.
+ example.org NONE
+
+ # Except for (as host) mx1.example.org which works.
+ mx1.example.org MAY
</pre>
</blockquote>
+<h3> <a name="client_tls_discover"> Discovering servers that support
+TLS </a> </h3>
+
<p> As we decide on a "per site" basis whether or not to use TLS,
it would be good to have a list of sites that offered "STARTTLS".
We can collect it ourselves with this option. </p>
</pre>
</blockquote>
-<h3><a name="client_vrfy_server">Server certificate verification</a> </h3>
+<h3><a name="client_vrfy_server">Server certificate verification depth</a> </h3>
<p> When verifying a remote SMTP server certificate, a verification
depth of 1 is sufficient if the certificate is directly issued by
</blockquote>
<li> <p> Configure Postfix, by adding the following to
-<tt>/etc/postfix/main.cf</tt>. </p>
+<tt>/etc/postfix/main.cf </tt>. </p>
<blockquote>
<pre>
generation (PRNG) pool, and in order to access the TLS session
cache databases. Such a protocol cannot be run across fifos. </p>
+<li> <p> smtp_tls_per_site: the MUST_NOPEERMATCH per-site policy
+cannot override the global "smtp_tls_enforce_peername = yes" setting.
+</p>
+
+<li> <p> smtp_tls_per_site: a combined (NONE + MAY) lookup result
+for (hostname and next-hop destination) produces counter-intuitive
+results for different main.cf settings. TLS is enabled with
+"smtp_tls_enforce_peername = no", but it is disabled when both
+"smtp_enforce_tls = yes" and "smtp_tls_enforce_peername = yes".
+</p>
+
</ul>
+<p> The smtp_tls_per_site limitations were removed by the end of
+the Postfix 2.2 support cycle. </p>
+
<h2><a name="credits">Credits </a> </h2>
<ul>
<li> Wietse Venema adopted the code, did some restructuring, and
compiled this part of the documentation from Lutz's documents.
+<li> Victor Duchovni was instrumental with the re-implementation
+of the smtp_tls_per_site code in terms of enforcement levels, which
+simplified the implementation greatly.
+
</ul>
</body>
<p> Examples: </p>
-<p> The Postfix < 2.2 backwards compatible setting: always rewrite
+<p> The Postfix < 2.2 backwards compatible setting: always rewrite
message headers, and always append my own domain to incomplete
header addresses. </p>
%PARAM smtp_tls_per_site
<p> Optional lookup tables with the Postfix SMTP client TLS usage
-policy by next-hop domain name and by remote SMTP server hostname.
-</p>
-
-<p> Table format: domain names or server hostnames are specified
-on the left-hand side; no wildcards are allowed. On the right hand
-side specify one of the following keywords: </p>
+policy by next-hop destination and by remote SMTP server hostname.
+When both lookups succeed, the more specific per-site policy (NONE,
+MUST, etc) overrides the less specific one (MAY), and the more
+secure per-site policy (MUST, etc) overrides the less secure one
+(NONE). </p>
+
+<p> Specify a next-hop destination or server hostname on the left-hand
+side; no wildcards are allowed. The next-hop destination is either
+the recipient domain, or the destination specified with a transport(5)
+table, the relayhost parameter, or the relay_transport parameter.
+On the right hand side specify one of the following keywords: </p>
<dl>
-<dt> NONE </dt> <dd>Don't use TLS at all. </dd>
+<dt> NONE </dt> <dd> Don't use TLS at all. This overrides a less
+specific <b>MAY</b> lookup result from the alternate host or next-hop
+lookup key, and overrides the global smtp_use_tls, smtp_enforce_tls,
+and smtp_tls_enforce_peername settings. </dd>
+
+<dt> MAY </dt> <dd> Try to use TLS if the server announces support,
+otherwise use the unencrypted connection. This has less precedence
+than a more specific result (including <b>NONE</b>) from the alternate
+host or next-hop lookup key, and has less precedence than the more
+specific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peername
+= yes". </dd>
+
+<dt> MUST_NOPEERMATCH </dt> <dd> Require TLS encryption, but do not
+require that the remote SMTP server hostname matches the information
+in the remote SMTP server certificate, or that the server certificate
+was issued by a trusted CA. This overrides a less secure <b>NONE</b>
+or a less specific <b>MAY</b> lookup result from the alternate host
+or next-hop lookup key, and overrides the global smtp_use_tls,
+smtp_enforce_tls and smtp_tls_enforce_peername settings. </dd>
+
+<dt> MUST </dt> <dd> Require TLS encryption, require that the remote
+SMTP server hostname matches the information in the remote SMTP
+server certificate, and require that the remote SMTP server certificate
+was issued by a trusted CA. This overrides a less secure <b>NONE</b>
+and <b>MUST_NOPEERMATCH</b> or a less specific <b>MAY</b> lookup
+result from the alternate host or next-hop lookup key, and overrides
+the global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername
+settings. </dd>
+
+</dl>
-<dt> MAY </dt> <dd>Try to use STARTTLS if offered, otherwise use
-the unencrypted connection. </dd>
+<p> As long as no secure DNS lookup mechanism is available, false
+hostnames in MX or CNAME responses can change the server hostname
+that Postfix uses for TLS policy lookup and server certificate
+verification. Even with a perfect match between the server hostname
+and the server certificate, there is no guarantee that Postfix is
+connected to the right server. To avoid this loophole take the
+following steps: </p>
-<dt> MUST </dt> <dd>Require usage of STARTTLS, require that the
-remote SMTP server hostname matches the information in the remote
-SMTP server certificate, and require that the remote SMTP server
-certificate was issued by a trusted CA. </dd>
+<ul>
-<dt> MUST_NOPEERMATCH </dt> <dd>Require usage of STARTTLS, but do
-not require that the remote SMTP server hostname matches the
-information in the remote SMTP server certificate, or that the
-server certificate was issued by a trusted CA. </dd>
+<li> Disallow CNAME hostname overrides. In main.cf specify
+"smtp_cname_overrides_servername = no". This prevents false hostname
+information in DNS CNAME records from changing the server hostname
+that Postfix uses for TLS policy lookup and server certificate
+verification. This feature requires Postfix 2.2.9 or later.
-</dl>
+<li> Eliminate MX lookups. Specify local transport(5) table entries
+for sensitive domains with explicit smtp:[mailhost] or smtp:[mailhost]:port
+destinations. This prevents false hostname information in DNS MX
+records from changing the server hostname that Postfix uses for TLS
+policy lookup and server certificate verification.
-<p> Special hint for enforcement mode: since no secure DNS lookup
-mechanism is available, the recommended setup is: specify local
-transport(5) table entries for sensitive domains with explicit
-smtp:[mailhost] destinations (since you can assure security of this
-table unlike DNS), then specify MUST for these mail hosts in the
-smtp_tls_per_site table. </p>
+<li> Specify MUST for these mail hosts (including [ ] and port) in
+the smtp_tls_per_site table.
+
+</ul>
+
+<p> </p>
%PARAM smtp_tls_scert_verifydepth 5
STANDARD_CONFIGURATION_README documents. </p>
<p> This feature is available in Postfix 2.2 and later. </p>
+
+%PARAM smtp_cname_overrides_servername yes
+
+<p> Allow DNS CNAME records to override the servername that the
+Postfix SMTP client uses for logging, SASL password lookup, TLS
+policy decisions, or TLS certificate verification. The default value
+(yes) is backwards compatible. Specify "no" to harden Postfix 2.2
+smtp_tls_per_site hostname-based policies against false hostname
+information in DNS CNAME records. </p>
+
+<p> This feature is available in Postfix 2.2.9 and later. </p>
* named after the things one can expect to find in a DNS resource record.
*/
typedef struct DNS_RR {
- char *name; /* name, mystrdup()ed */
+ char *qname; /* query name, mystrdup()ed */
+ char *rname; /* reply name, mystrdup()ed */
unsigned short type; /* T_A, T_CNAME, etc. */
unsigned short class; /* C_IN, etc. */
unsigned int ttl; /* always */
/*
* dns_rr.c
*/
-extern DNS_RR *dns_rr_create(const char *, ushort, ushort,
+extern DNS_RR *dns_rr_create(const char *, const char *,
+ ushort, ushort,
unsigned, unsigned,
const char *, unsigned);
extern void dns_rr_free(DNS_RR *);
/* The query failed; the problem is transient.
/* .IP DNS_FAIL
/* The query failed.
+/*
+/* As a workaround, this result value is also returned when
+/* the DNS query succeeded, but the result could not be parsed,
+/* or the result domain name did not pass the valid_hostname()
+/* syntax test (e.g., a null MX hostname).
/* BUGS
/* dns_lookup() implements a subset of all possible resource types:
/* CNAME, MX, A, and some records with similar formatting requirements.
/* dns_get_rr - extract resource record from name server reply */
-static DNS_RR *dns_get_rr(DNS_REPLY *reply, unsigned char *pos,
+static DNS_RR *dns_get_rr(const char *name, DNS_REPLY *reply, unsigned char *pos,
char *rr_name, DNS_FIXED *fixed)
{
char temp[DNS_NAME_LEN];
*dst = 0;
break;
}
- return (dns_rr_create(rr_name, fixed->type, fixed->class, fixed->ttl,
+ return (dns_rr_create(name, rr_name, fixed->type, fixed->class, fixed->ttl,
pref, temp, data_len));
}
/* dns_get_answer - extract answers from name server reply */
-static int dns_get_answer(DNS_REPLY *reply, int type,
+static int dns_get_answer(const char *name, DNS_REPLY *reply, int type,
DNS_RR **rrlist, VSTRING *fqdn, char *cname, int c_len)
{
char rr_name[DNS_NAME_LEN];
CORRUPT;
if (type == fixed.type || type == T_ANY) { /* requested type */
if (rrlist) {
- if ((rr = dns_get_rr(reply, pos, rr_name, &fixed)) != 0) {
+ if ((rr = dns_get_rr(name, reply, pos, rr_name, &fixed)) != 0) {
resource_found++;
*rrlist = dns_rr_append(*rrlist, rr);
- } else
- not_found_status = DNS_RETRY;
+ } else if (not_found_status != DNS_RETRY)
+ not_found_status = DNS_FAIL; /* XXX */
} else
resource_found++;
} else if (fixed.type == T_CNAME) { /* cname resource */
DNS_REPLY reply;
int count;
int status;
+ const char *saved_name = name;
/*
* DJBDNS produces a bogus A record when given a numerical hostname.
* Extract resource records of the requested type. Pick up CNAME
* information just in case the requested data is not found.
*/
- status = dns_get_answer(&reply, type, rrlist, fqdn, cname, c_len);
+ status = dns_get_answer(saved_name, &reply, type, rrlist, fqdn,
+ cname, c_len);
switch (status) {
default:
if (why)
/* SYNOPSIS
/* #include <dns.h>
/*
-/* DNS_RR *dns_rr_create(name, type, class, ttl, preference,
+/* DNS_RR *dns_rr_create(qname, rname, type, class, ttl, preference,
/* data, data_len)
-/* const char *name;
+/* const char *qname;
+/* const char *rname;
/* unsigned short type;
/* unsigned short class;
/* unsigned int ttl;
/* information, and maintain lists of DNS resource records.
/*
/* dns_rr_create() creates and initializes one resource record.
-/* The \fIname\fR record specifies the record name.
+/* The \fIqname\fR field specifies the query name.
+/* The \fIrname\fR field specifies the reply name.
/* \fIpreference\fR is used for MX records; \fIdata\fR is a null
/* pointer or specifies optional resource-specific data;
/* \fIdata_len\fR is the amount of resource-specific data.
/* dns_rr_create - fill in resource record structure */
-DNS_RR *dns_rr_create(const char *name, ushort type, ushort class,
+DNS_RR *dns_rr_create(const char *qname, const char *rname,
+ ushort type, ushort class,
unsigned int ttl, unsigned pref,
const char *data, unsigned data_len)
{
DNS_RR *rr;
rr = (DNS_RR *) mymalloc(sizeof(*rr) + data_len - 1);
- rr->name = mystrdup(name);
+ rr->qname = mystrdup(qname);
+ rr->rname = mystrdup(rname);
rr->type = type;
rr->class = class;
rr->ttl = ttl;
if (rr) {
if (rr->next)
dns_rr_free(rr->next);
- myfree(rr->name);
+ myfree(rr->qname);
+ myfree(rr->rname);
myfree((char *) rr);
}
}
*/
dst = (DNS_RR *) mymalloc(len);
memcpy((char *) dst, (char *) src, len);
- dst->name = mystrdup(src->name);
+ dst->qname = mystrdup(src->qname);
+ dst->rname = mystrdup(src->rname);
dst->next = 0;
return (dst);
}
#define DUMMY_TTL 0
if (sa->sa_family == AF_INET) {
- return (dns_rr_create(hostname, T_A, C_IN, DUMMY_TTL, pref,
+ return (dns_rr_create(hostname, hostname, T_A, C_IN, DUMMY_TTL, pref,
(char *) &SOCK_ADDR_IN_ADDR(sa),
sizeof(SOCK_ADDR_IN_ADDR(sa))));
#ifdef HAS_IPV6
} else if (sa->sa_family == AF_INET6) {
- return (dns_rr_create(hostname, T_AAAA, C_IN, DUMMY_TTL, pref,
+ return (dns_rr_create(hostname, hostname, T_AAAA, C_IN, DUMMY_TTL, pref,
(char *) &SOCK_ADDR_IN6_ADDR(sa),
sizeof(SOCK_ADDR_IN6_ADDR(sa))));
#endif
MAI_HOSTADDR_STR host;
while (rr) {
- printf("%s: ttl: %9d ", rr->name, rr->ttl);
+ printf("%s: ttl: %9d ", rr->rname, rr->ttl);
switch (rr->type) {
case T_A:
#ifdef T_AAAA
-starttls, 8bitmime, verp, etrn, etrn -> 0x51 -> 8BITMIME ETRN VERP
+starttls, 8bitmime, verp, etrn, etrn -> 0xd1 -> 8BITMIME ETRN VERP STARTTLS
foobar, auth, pipelining, size, vrfy -> 0x2e -> AUTH PIPELINING SIZE VRFY
-xclient, xforward -> 0x180 -> XCLIENT XFORWARD
+xclient, xforward -> 0x300 -> XCLIENT XFORWARD
/* given in parentheses:
/* .IP "no_unknown_recipient_checks (INPUT_TRANSP_UNKNOWN_RCPT)"
/* Do not try to reject unknown recipients.
-/* .IP "no_address_mapping (INPUT_TRANSP_ADDRESS_MAPPING)
+/* .IP "no_address_mappings (INPUT_TRANSP_ADDRESS_MAPPING)
/* Disable canonical address mapping, virtual alias map expansion,
/* address masquerading, and automatic BCC recipients.
/* .IP "no_header_body_checkss (INPUT_TRANSP_HEADER_BODY)
if (*var_rcpt_delim == 0) {
bare_key = saved_ext = 0;
} else {
- bare_key = strip_addr(full_key, &saved_ext, *var_rcpt_delim);
+ /* Preserve case of extension. */
+ bare_key = strip_addr(address, &saved_ext, *var_rcpt_delim);
+ if (bare_key != 0)
+ lowercase(bare_key);
}
/*
/* .nf
/*
- * This is to make it easier to auto-generate tables.
- */
+ * This is to make it easier to auto-generate tables.
+ */
typedef int bool;
/*
- * Name used when this mail system announces itself.
- */
+ * Name used when this mail system announces itself.
+ */
#define VAR_MAIL_NAME "mail_name"
#define DEF_MAIL_NAME "Postfix"
extern char *var_mail_name;
/*
- * You want to be helped or not.
- */
+ * You want to be helped or not.
+ */
#define VAR_HELPFUL_WARNINGS "helpful_warnings"
#define DEF_HELPFUL_WARNINGS 1
extern bool var_helpful_warnings;
/*
- * You want to be helped or not.
- */
+ * You want to be helped or not.
+ */
#define VAR_SHOW_UNK_RCPT_TABLE "show_user_unknown_table_name"
#define DEF_SHOW_UNK_RCPT_TABLE 1
extern bool var_show_unk_rcpt_table;
/*
- * What problem classes should be reported to the postmaster via email.
- * Default is bad problems only. See mail_error(3). Even when mail notices
- * are disabled, problems are still logged to the syslog daemon.
- */
+ * What problem classes should be reported to the postmaster via email.
+ * Default is bad problems only. See mail_error(3). Even when mail notices
+ * are disabled, problems are still logged to the syslog daemon.
+ */
#define VAR_NOTIFY_CLASSES "notify_classes"
#define DEF_NOTIFY_CLASSES "resource, software"
extern char *var_notify_classes;
/*
- * What do I turn <> into? Sendmail defaults to mailer-daemon.
- */
-#define VAR_EMPTY_ADDR "empty_address_recipient"
-#define DEF_EMPTY_ADDR MAIL_ADDR_MAIL_DAEMON
+ * What do I turn <> into? Sendmail defaults to mailer-daemon.
+ */
+#define VAR_EMPTY_ADDR "empty_address_recipient"
+#define DEF_EMPTY_ADDR MAIL_ADDR_MAIL_DAEMON
extern char *var_empty_addr;
/*
- * Privileges used by the mail system: the owner of files and commands, and
- * the rights to be used when running external commands.
- */
+ * Privileges used by the mail system: the owner of files and commands, and
+ * the rights to be used when running external commands.
+ */
#define VAR_MAIL_OWNER "mail_owner"
#define DEF_MAIL_OWNER "postfix"
extern char *var_mail_owner;
extern gid_t var_default_gid;
/*
- * Access control for local privileged operations:
- */
+ * Access control for local privileged operations:
+ */
#define STATIC_ANYONE_ACL "static:anyone"
#define VAR_FLUSH_ACL "authorized_flush_users"
extern char *var_submit_acl;
/*
- * What goes on the right-hand side of addresses of mail sent from this
- * machine.
- */
+ * What goes on the right-hand side of addresses of mail sent from this
+ * machine.
+ */
#define VAR_MYORIGIN "myorigin"
#define DEF_MYORIGIN "$myhostname"
extern char *var_myorigin;
/*
- * What domains I will receive mail for. Not to be confused with transit
- * mail to other destinations.
- */
+ * What domains I will receive mail for. Not to be confused with transit
+ * mail to other destinations.
+ */
#define VAR_MYDEST "mydestination"
#define DEF_MYDEST "$myhostname, localhost.$mydomain, localhost"
extern char *var_mydest;
/*
- * These are by default taken from the name service.
- */
+ * These are by default taken from the name service.
+ */
#define VAR_MYHOSTNAME "myhostname" /* my hostname (fqdn) */
extern char *var_myhostname;
extern char *var_mydomain;
/*
- * The default local delivery transport.
- */
+ * The default local delivery transport.
+ */
#define VAR_LOCAL_TRANSPORT "local_transport"
#define DEF_LOCAL_TRANSPORT MAIL_SERVICE_LOCAL ":$myhostname"
extern char *var_local_transport;
/*
- * Where to send postmaster copies of bounced mail, and other notices.
- */
+ * Where to send postmaster copies of bounced mail, and other notices.
+ */
#define VAR_BOUNCE_RCPT "bounce_notice_recipient"
#define DEF_BOUNCE_RCPT "postmaster"
extern char *var_bounce_rcpt;
extern char *var_error_rcpt;
/*
- * Virtual host support. Default is to listen on all machine interfaces.
- */
+ * Virtual host support. Default is to listen on all machine interfaces.
+ */
#define VAR_INET_INTERFACES "inet_interfaces" /* listen addresses */
#define INET_INTERFACES_ALL "all"
#define INET_INTERFACES_LOCAL "loopback-only"
extern char *var_proxy_interfaces;
/*
- * Masquerading (i.e. subdomain stripping).
- */
+ * Masquerading (i.e. subdomain stripping).
+ */
#define VAR_MASQ_DOMAINS "masquerade_domains"
#define DEF_MASQ_DOMAINS ""
extern char *var_masq_domains;
extern char *var_masq_classes;
/*
- * Intranet versus internet.
- */
+ * Intranet versus internet.
+ */
#define VAR_RELAYHOST "relayhost"
#define DEF_RELAYHOST ""
extern char *var_relayhost;
extern int var_smtp_mxsess_limit;
/*
- * Location of the mail queue directory tree.
- */
+ * Location of the mail queue directory tree.
+ */
#define VAR_QUEUE_DIR "queue_directory"
#ifndef DEF_QUEUE_DIR
#define DEF_QUEUE_DIR "/var/spool/postfix"
extern char *var_queue_dir;
/*
- * Location of command and daemon programs.
- */
+ * Location of command and daemon programs.
+ */
#define VAR_DAEMON_DIR "daemon_directory"
#ifndef DEF_DAEMON_DIR
#define DEF_DAEMON_DIR "/usr/libexec/postfix"
extern char *var_command_dir;
/*
- * Location of PID files.
- */
+ * Location of PID files.
+ */
#define VAR_PID_DIR "process_id_directory"
#ifndef DEF_PID_DIR
#define DEF_PID_DIR "pid"
extern char *var_pid_dir;
/*
- * Program startup time.
- */
+ * Program startup time.
+ */
extern time_t var_starttime;
/*
- * Location of configuration files.
- */
+ * Location of configuration files.
+ */
#define VAR_CONFIG_DIR "config_directory"
#ifndef DEF_CONFIG_DIR
#define DEF_CONFIG_DIR "/etc/postfix"
#define MASTER_CONF_FILE "master.cf"
/*
- * Preferred type of indexed files. The DEF_DB_TYPE macro value is system
- * dependent. It is defined in <sys_defs.h>.
- */
+ * Preferred type of indexed files. The DEF_DB_TYPE macro value is system
+ * dependent. It is defined in <sys_defs.h>.
+ */
#define VAR_DB_TYPE "default_database_type"
extern char *var_db_type;
/*
- * What syslog facility to use. Unfortunately, something may have to be
- * logged before parameters are read from the main.cf file. This logging
- * will go the LOG_FACILITY facility specified below.
- */
+ * What syslog facility to use. Unfortunately, something may have to be
+ * logged before parameters are read from the main.cf file. This logging
+ * will go the LOG_FACILITY facility specified below.
+ */
#define VAR_SYSLOG_FACILITY "syslog_facility"
extern char *var_syslog_facility;
#endif
/*
- * Big brother: who receives a blank-carbon copy of all mail that enters
- * this mail system.
- */
+ * Big brother: who receives a blank-carbon copy of all mail that enters
+ * this mail system.
+ */
#define VAR_ALWAYS_BCC "always_bcc"
#define DEF_ALWAYS_BCC ""
extern char *var_always_bcc;
/*
- * What to put in the To: header when no recipients were disclosed.
- *
- * XXX 2822: When no recipient headers remain, a system should insert a Bcc:
- * header without additional information. That is not so great given that
- * MTAs routinely strip Bcc: headers from message headers.
- */
+ * What to put in the To: header when no recipients were disclosed.
+ *
+ * XXX 2822: When no recipient headers remain, a system should insert a Bcc:
+ * header without additional information. That is not so great given that
+ * MTAs routinely strip Bcc: headers from message headers.
+ */
#define VAR_RCPT_WITHELD "undisclosed_recipients_header"
#define DEF_RCPT_WITHELD "To: undisclosed-recipients:;"
extern char *var_rcpt_witheld;
/*
- * Standards violation: allow/permit RFC 822-style addresses in SMTP
- * commands.
- */
+ * Standards violation: allow/permit RFC 822-style addresses in SMTP
+ * commands.
+ */
#define VAR_STRICT_RFC821_ENV "strict_rfc821_envelopes"
#define DEF_STRICT_RFC821_ENV 0
extern bool var_strict_rfc821_env;
/*
- * Standards violation: send "250 AUTH=list" in order to accomodate clients
- * that implement an old version of the protocol.
- */
+ * Standards violation: send "250 AUTH=list" in order to accomodate clients
+ * that implement an old version of the protocol.
+ */
#define VAR_BROKEN_AUTH_CLNTS "broken_sasl_auth_clients"
#define DEF_BROKEN_AUTH_CLNTS 0
extern bool var_broken_auth_clients;
/*
- * Standards violation: disable VRFY.
- */
+ * Standards violation: disable VRFY.
+ */
#define VAR_DISABLE_VRFY_CMD "disable_vrfy_command"
#define DEF_DISABLE_VRFY_CMD 0
extern bool var_disable_vrfy_cmd;
/*
- * trivial rewrite/resolve service: mapping tables.
- */
+ * trivial rewrite/resolve service: mapping tables.
+ */
#define VAR_VIRT_ALIAS_MAPS "virtual_alias_maps"
#define DEF_VIRT_ALIAS_MAPS "$virtual_maps" /* Compatibility! */
extern char *var_virt_alias_maps;
extern char *var_def_transport;
/*
- * trivial rewrite/resolve service: rewriting controls.
- */
+ * trivial rewrite/resolve service: rewriting controls.
+ */
#define VAR_SWAP_BANGPATH "swap_bangpath"
#define DEF_SWAP_BANGPATH 1
extern bool var_swap_bangpath;
extern bool var_percent_hack;
/*
- * Local delivery: alias databases.
- */
+ * Local delivery: alias databases.
+ */
#define VAR_ALIAS_MAPS "alias_maps"
#ifdef HAS_NIS
#define DEF_ALIAS_MAPS ALIAS_DB_MAP ", nis:mail.aliases"
extern char *var_alias_maps;
/*
- * Local delivery: to BIFF or not to BIFF.
- */
+ * Local delivery: to BIFF or not to BIFF.
+ */
#define VAR_BIFF "biff"
#define DEF_BIFF 1
extern bool var_biff;
/*
- * Local delivery: mail to files/commands.
- */
+ * Local delivery: mail to files/commands.
+ */
#define VAR_ALLOW_COMMANDS "allow_mail_to_commands"
#define DEF_ALLOW_COMMANDS "alias, forward"
extern char *var_allow_commands;
extern char *var_luser_relay;
/*
- * Local delivery: mailbox delivery.
- */
+ * Local delivery: mailbox delivery.
+ */
#define VAR_MAIL_SPOOL_DIR "mail_spool_directory"
#define DEF_MAIL_SPOOL_DIR _PATH_MAILDIR
extern char *var_mail_spool_dir;
extern char *var_fallback_transport;
/*
- * Local delivery: path to per-user forwarding file.
- */
+ * Local delivery: path to per-user forwarding file.
+ */
#define VAR_FORWARD_PATH "forward_path"
#define DEF_FORWARD_PATH "$home/.forward${recipient_delimiter}${extension}, $home/.forward"
extern char *var_forward_path;
/*
- * Local delivery: external command execution directory.
- */
+ * Local delivery: external command execution directory.
+ */
#define VAR_EXEC_DIRECTORY "command_execution_directory"
#define DEF_EXEC_DIRECTORY ""
extern char *var_exec_directory;
extern char *var_exec_exp_filter;
/*
- * Mailbox locking. DEF_MAILBOX_LOCK is defined in sys_defs.h.
- */
+ * Mailbox locking. DEF_MAILBOX_LOCK is defined in sys_defs.h.
+ */
#define VAR_MAILBOX_LOCK "mailbox_delivery_lock"
extern char *var_mailbox_lock;
/*
- * Mailbox size limit. This used to be enforced as a side effect of the way
- * the message size limit is implemented, but that is not clean.
- */
+ * Mailbox size limit. This used to be enforced as a side effect of the way
+ * the message size limit is implemented, but that is not clean.
+ */
#define VAR_MAILBOX_LIMIT "mailbox_size_limit"
#define DEF_MAILBOX_LIMIT (DEF_MESSAGE_LIMIT * 5)
extern int var_mailbox_limit;
/*
- * Miscellaneous.
- */
+ * Miscellaneous.
+ */
#define VAR_PROP_EXTENSION "propagate_unmatched_extensions"
#define DEF_PROP_EXTENSION "canonical, virtual"
extern char *var_prop_extension;
extern char *var_deliver_hdr;
/*
- * Cleanup: enable support for X-Original-To message headers, which are
- * needed for multi-recipient mailboxes. When this is turned on, perform
- * duplicate elimination on (original rcpt, rewritten rcpt) pairs, and
- * generating non-empty original recipient records in the queue file.
- */
+ * Cleanup: enable support for X-Original-To message headers, which are
+ * needed for multi-recipient mailboxes. When this is turned on, perform
+ * duplicate elimination on (original rcpt, rewritten rcpt) pairs, and
+ * generating non-empty original recipient records in the queue file.
+ */
#define VAR_ENABLE_ORCPT "enable_original_recipient"
#define DEF_ENABLE_ORCPT 1
extern bool var_enable_orcpt;
extern bool var_stat_home_dir;
/*
- * Queue manager: maximal size of the duplicate expansion filter. By
- * default, we do graceful degradation with huge mailing lists.
- */
+ * Queue manager: maximal size of the duplicate expansion filter. By
+ * default, we do graceful degradation with huge mailing lists.
+ */
#define VAR_DUP_FILTER_LIMIT "duplicate_filter_limit"
#define DEF_DUP_FILTER_LIMIT 1000
extern int var_dup_filter_limit;
extern int var_tls_prng_upd_period;
/*
- * Queue manager: relocated databases.
- */
+ * Queue manager: relocated databases.
+ */
#define VAR_RELOCATED_MAPS "relocated_maps"
#define DEF_RELOCATED_MAPS ""
extern char *var_relocated_maps;
/*
- * Queue manager: after each failed attempt the backoff time (how long we
- * won't try this host in seconds) is doubled until it reaches the maximum.
- * MAX_QUEUE_TIME limits the amount of time a message may spend in the mail
- * queue before it is sent back.
- */
+ * Queue manager: after each failed attempt the backoff time (how long we
+ * won't try this host in seconds) is doubled until it reaches the maximum.
+ * MAX_QUEUE_TIME limits the amount of time a message may spend in the mail
+ * queue before it is sent back.
+ */
#define VAR_QUEUE_RUN_DELAY "queue_run_delay"
-#define DEF_QUEUE_RUN_DELAY "1000s"
+#define DEF_QUEUE_RUN_DELAY "1000s"
#define VAR_MIN_BACKOFF_TIME "minimal_backoff_time"
-#define DEF_MIN_BACKOFF_TIME "1000s"
+#define DEF_MIN_BACKOFF_TIME "1000s"
extern int var_min_backoff_time;
#define VAR_MAX_BACKOFF_TIME "maximal_backoff_time"
-#define DEF_MAX_BACKOFF_TIME "4000s"
+#define DEF_MAX_BACKOFF_TIME "4000s"
extern int var_max_backoff_time;
#define VAR_MAX_QUEUE_TIME "maximal_queue_lifetime"
extern int var_delay_warn_time;
/*
- * Queue manager: various in-core message and recipient limits.
- */
+ * Queue manager: various in-core message and recipient limits.
+ */
#define VAR_QMGR_ACT_LIMIT "qmgr_message_active_limit"
#define DEF_QMGR_ACT_LIMIT 20000
extern int var_qmgr_active_limit;
extern int var_stack_rcpt_limit;
/*
- * Queue manager: default job scheduler parameters.
- */
+ * Queue manager: default job scheduler parameters.
+ */
#define VAR_DELIVERY_SLOT_COST "default_delivery_slot_cost"
#define _DELIVERY_SLOT_COST "_delivery_slot_cost"
#define DEF_DELIVERY_SLOT_COST 5
extern int var_qmgr_fudge;
/*
- * Queue manager: default destination concurrency levels.
- */
+ * Queue manager: default destination concurrency levels.
+ */
#define VAR_INIT_DEST_CON "initial_destination_concurrency"
#define DEF_INIT_DEST_CON 5
extern int var_init_dest_concurrency;
extern int var_local_con_lim;
/*
- * Queue manager: default number of recipients per transaction.
- */
+ * Queue manager: default number of recipients per transaction.
+ */
#define VAR_DEST_RCPT_LIMIT "default_destination_recipient_limit"
#define _DEST_RCPT_LIMIT "_destination_recipient_limit"
#define DEF_DEST_RCPT_LIMIT 50
extern int var_local_rcpt_lim;
/*
- * Queue manager: default delay before retrying a dead transport.
- */
+ * Queue manager: default delay before retrying a dead transport.
+ */
#define VAR_XPORT_RETRY_TIME "transport_retry_time"
#define DEF_XPORT_RETRY_TIME "60s"
extern int var_transport_retry_time;
/*
- * Queue manager: what transports to defer delivery to.
- */
+ * Queue manager: what transports to defer delivery to.
+ */
#define VAR_DEFER_XPORTS "defer_transports"
#define DEF_DEFER_XPORTS ""
extern char *var_defer_xports;
/*
- * Queue manager: how often to warn that a destination is clogging the
- * active queue.
- */
+ * Queue manager: how often to warn that a destination is clogging the
+ * active queue.
+ */
#define VAR_QMGR_CLOG_WARN_TIME "qmgr_clog_warn_time"
#define DEF_QMGR_CLOG_WARN_TIME "300s"
extern int var_qmgr_clog_warn_time;
/*
- * Master: default process count limit per mail subsystem.
- */
+ * Master: default process count limit per mail subsystem.
+ */
#define VAR_PROC_LIMIT "default_process_limit"
#define DEF_PROC_LIMIT 100
extern int var_proc_limit;
/*
- * Master: default time to wait after service is throttled.
- */
+ * Master: default time to wait after service is throttled.
+ */
#define VAR_THROTTLE_TIME "service_throttle_time"
#define DEF_THROTTLE_TIME "60s"
extern int var_throttle_time;
/*
- * Any subsystem: default maximum number of clients serviced before a mail
- * subsystem terminates (except queue manager).
- */
+ * Any subsystem: default maximum number of clients serviced before a mail
+ * subsystem terminates (except queue manager).
+ */
#define VAR_MAX_USE "max_use"
#define DEF_MAX_USE 100
extern int var_use_limit;
/*
- * Any subsystem: default amount of time a mail subsystem waits for a client
- * connection (except queue manager).
- */
+ * Any subsystem: default amount of time a mail subsystem waits for a client
+ * connection (except queue manager).
+ */
#define VAR_MAX_IDLE "max_idle"
#define DEF_MAX_IDLE "100s"
extern int var_idle_limit;
/*
- * Any subsystem: default amount of time a mail subsystem waits for
- * application events to drain.
- */
+ * Any subsystem: default amount of time a mail subsystem waits for
+ * application events to drain.
+ */
#define VAR_EVENT_DRAIN "application_event_drain_time"
#define DEF_EVENT_DRAIN "100s"
extern int var_event_drain;
/*
- * Any subsystem: default amount of time a mail subsystem keeps an internal
- * IPC connection before closing it because it is idle for too much time.
- */
+ * Any subsystem: default amount of time a mail subsystem keeps an internal
+ * IPC connection before closing it because it is idle for too much time.
+ */
#define VAR_IPC_IDLE "ipc_idle"
#define DEF_IPC_IDLE "100s"
extern int var_ipc_idle_limit;
/*
- * Any subsystem: default amount of time a mail subsystem keeps an internal
- * IPC connection before closing it because the connection has existed for
- * too much time.
- */
+ * Any subsystem: default amount of time a mail subsystem keeps an internal
+ * IPC connection before closing it because the connection has existed for
+ * too much time.
+ */
#define VAR_IPC_TTL "ipc_ttl"
#define DEF_IPC_TTL "1000s"
extern int var_ipc_ttl_limit;
/*
- * Any front-end subsystem: avoid running out of memory when someone sends
- * infinitely-long requests or replies.
- */
+ * Any front-end subsystem: avoid running out of memory when someone sends
+ * infinitely-long requests or replies.
+ */
#define VAR_LINE_LIMIT "line_length_limit"
#define DEF_LINE_LIMIT 2048
extern int var_line_limit;
/*
- * Specify what SMTP peers need verbose logging.
- */
+ * Specify what SMTP peers need verbose logging.
+ */
#define VAR_DEBUG_PEER_LIST "debug_peer_list"
#define DEF_DEBUG_PEER_LIST ""
extern char *var_debug_peer_list;
extern int var_debug_peer_level;
/*
- * Queue management: what queues are hashed behind a forest of
- * subdirectories, and how deep the forest is.
- */
+ * Queue management: what queues are hashed behind a forest of
+ * subdirectories, and how deep the forest is.
+ */
#define VAR_HASH_QUEUE_NAMES "hash_queue_names"
#define DEF_HASH_QUEUE_NAMES "deferred, defer"
extern char *var_hash_queue_names;
extern int var_hash_queue_depth;
/*
- * Multi-protocol support.
- */
+ * Multi-protocol support.
+ */
#define INET_PROTO_NAME_IPV4 "ipv4"
#define INET_PROTO_NAME_IPV6 "ipv6"
#define INET_PROTO_NAME_ALL "all"
extern char *var_inet_protocols;
/*
- * SMTP client. Timeouts inspired by RFC 1123. The SMTP recipient limit
- * determines how many recipient addresses the SMTP client sends along with
- * each message. Unfortunately, some mailers misbehave and disconnect (smap)
- * when given more recipients than they are willing to handle.
- *
- * XXX 2821: A mail system is supposed to use EHLO instead of HELO, and to fall
- * back to HELO if EHLO is not supported.
- */
+ * SMTP client. Timeouts inspired by RFC 1123. The SMTP recipient limit
+ * determines how many recipient addresses the SMTP client sends along with
+ * each message. Unfortunately, some mailers misbehave and disconnect (smap)
+ * when given more recipients than they are willing to handle.
+ *
+ * XXX 2821: A mail system is supposed to use EHLO instead of HELO, and to fall
+ * back to HELO if EHLO is not supported.
+ */
#define VAR_BESTMX_TRANSP "best_mx_transport"
#define DEF_BESTMX_TRANSP ""
extern char *var_bestmx_transp;
extern char *var_smtp_generic_maps;
/*
- * SMTP server. The soft error limit determines how many errors an SMTP
- * client may make before we start to slow down; the hard error limit
- * determines after how many client errors we disconnect.
- */
+ * SMTP server. The soft error limit determines how many errors an SMTP
+ * client may make before we start to slow down; the hard error limit
+ * determines after how many client errors we disconnect.
+ */
#define VAR_SMTPD_BANNER "smtpd_banner"
#define DEF_SMTPD_BANNER "$myhostname ESMTP $mail_name"
extern char *var_smtpd_banner;
extern int var_smtp_tls_scache_timeout;
/*
- * SASL authentication support, SMTP server side.
- */
+ * SASL authentication support, SMTP server side.
+ */
#define VAR_SMTPD_SASL_ENABLE "smtpd_sasl_auth_enable"
#define DEF_SMTPD_SASL_ENABLE 0
extern bool var_smtpd_sasl_enable;
"reject_unauthenticated_sender_login_mismatch"
/*
- * SASL authentication support, SMTP client side.
- */
+ * SASL authentication support, SMTP client side.
+ */
#define VAR_SMTP_SASL_ENABLE "smtp_sasl_auth_enable"
#define DEF_SMTP_SASL_ENABLE 0
extern bool var_smtp_sasl_enable;
extern char *var_smtp_sasl_tls_opts;
/*
- * LMTP server. The soft error limit determines how many errors an LMTP
- * client may make before we start to slow down; the hard error limit
- * determines after how many client errors we disconnect.
- */
+ * LMTP server. The soft error limit determines how many errors an LMTP
+ * client may make before we start to slow down; the hard error limit
+ * determines after how many client errors we disconnect.
+ */
#define VAR_LMTPD_BANNER "lmtpd_banner"
#define DEF_LMTPD_BANNER "$myhostname $mail_name"
extern char *var_lmtpd_banner;
extern int var_lmtpd_junk_cmd_limit;
/*
- * SASL authentication support, LMTP server side.
- */
+ * SASL authentication support, LMTP server side.
+ */
#define VAR_LMTPD_SASL_ENABLE "lmtpd_sasl_auth_enable"
#define DEF_LMTPD_SASL_ENABLE 0
extern bool var_lmtpd_sasl_enable;
extern char *var_lmtpd_sasl_realm;
/*
- * SASL authentication support, LMTP client side.
- */
+ * SASL authentication support, LMTP client side.
+ */
#define VAR_LMTP_SASL_ENABLE "lmtp_sasl_auth_enable"
#define DEF_LMTP_SASL_ENABLE 0
extern bool var_lmtp_sasl_enable;
extern char *var_lmtp_sasl_opts;
/*
- * SASL-based relay etc. control.
- */
+ * SASL-based relay etc. control.
+ */
#define PERMIT_SASL_AUTH "permit_sasl_authenticated"
/*
- * LMTP client. Timeouts inspired by RFC 1123. The LMTP recipient limit
- * determines how many recipient addresses the LMTP client sends along with
- * each message. Unfortunately, some mailers misbehave and disconnect (smap)
- * when given more recipients than they are willing to handle.
- */
+ * LMTP client. Timeouts inspired by RFC 1123. The LMTP recipient limit
+ * determines how many recipient addresses the LMTP client sends along with
+ * each message. Unfortunately, some mailers misbehave and disconnect (smap)
+ * when given more recipients than they are willing to handle.
+ */
#define VAR_LMTP_TCP_PORT "lmtp_tcp_port"
#define DEF_LMTP_TCP_PORT 24
extern int var_lmtp_tcp_port;
extern bool var_lmtp_send_xforward;
/*
- * Cleanup service. Header info that exceeds $header_size_limit bytes or
- * $header_address_token_limit tokens is discarded.
- */
+ * Cleanup service. Header info that exceeds $header_size_limit bytes or
+ * $header_address_token_limit tokens is discarded.
+ */
#define VAR_HOPCOUNT_LIMIT "hopcount_limit"
#define DEF_HOPCOUNT_LIMIT 50
extern int var_hopcount_limit;
extern int var_virt_expan_limit;
/*
- * Message/queue size limits.
- */
+ * Message/queue size limits.
+ */
#define VAR_MESSAGE_LIMIT "message_size_limit"
#define DEF_MESSAGE_LIMIT 10240000
extern int var_message_limit;
extern int var_body_check_len;
/*
- * Bounce service: truncate bounce message that exceed $bounce_size_limit.
- */
+ * Bounce service: truncate bounce message that exceed $bounce_size_limit.
+ */
#define VAR_BOUNCE_LIMIT "bounce_size_limit"
#define DEF_BOUNCE_LIMIT 50000
extern int var_bounce_limit;
/*
- * Bounce service: reserved sender address for double bounces. The local
- * delivery service discards undeliverable double bounces.
- */
+ * Bounce service: reserved sender address for double bounces. The local
+ * delivery service discards undeliverable double bounces.
+ */
#define VAR_DOUBLE_BOUNCE "double_bounce_sender"
#define DEF_DOUBLE_BOUNCE "double-bounce"
extern char *var_double_bounce_sender;
/*
- * When forking a process, how often to try and how long to wait.
- */
+ * When forking a process, how often to try and how long to wait.
+ */
#define VAR_FORK_TRIES "fork_attempts"
#define DEF_FORK_TRIES 5
extern int var_fork_tries;
extern int var_fork_delay;
/*
- * When locking a mailbox, how often to try and how long to wait.
- */
-#define VAR_FLOCK_TRIES "deliver_lock_attempts"
-#define DEF_FLOCK_TRIES 20
+ * When locking a mailbox, how often to try and how long to wait.
+ */
+#define VAR_FLOCK_TRIES "deliver_lock_attempts"
+#define DEF_FLOCK_TRIES 20
extern int var_flock_tries;
-#define VAR_FLOCK_DELAY "deliver_lock_delay"
-#define DEF_FLOCK_DELAY "1s"
+#define VAR_FLOCK_DELAY "deliver_lock_delay"
+#define DEF_FLOCK_DELAY "1s"
extern int var_flock_delay;
#define VAR_FLOCK_STALE "stale_lock_time"
extern int var_mailtool_compat;
/*
- * How long a daemon command may take to receive or deliver a message etc.
- * before we assume it is wegded (should never happen).
- */
+ * How long a daemon command may take to receive or deliver a message etc.
+ * before we assume it is wegded (should never happen).
+ */
#define VAR_DAEMON_TIMEOUT "daemon_timeout"
#define DEF_DAEMON_TIMEOUT "18000s"
extern int var_daemon_timeout;
/*
- * How long an intra-mail command may take before we assume the mail system
- * is in deadlock (should never happen).
- */
+ * How long an intra-mail command may take before we assume the mail system
+ * is in deadlock (should never happen).
+ */
#define VAR_IPC_TIMEOUT "ipc_timeout"
#define DEF_IPC_TIMEOUT "3600s"
extern int var_ipc_timeout;
/*
- * Time limit on intra-mail triggers.
- */
+ * Time limit on intra-mail triggers.
+ */
#define VAR_TRIGGER_TIMEOUT "trigger_timeout"
#define DEF_TRIGGER_TIMEOUT "10s"
extern int var_trigger_timeout;
/*
- * SMTP server restrictions. What networks I am willing to relay from, what
- * domains I am willing to forward mail from or to, what clients I refuse to
- * talk to, and what domains I never want to see in the sender address.
- */
+ * SMTP server restrictions. What networks I am willing to relay from, what
+ * domains I am willing to forward mail from or to, what clients I refuse to
+ * talk to, and what domains I never want to see in the sender address.
+ */
#define VAR_MYNETWORKS "mynetworks"
extern char *var_mynetworks;
extern bool var_allow_untrust_route;
/*
- * Names of specific restrictions, and the corresponding configuration
- * parameters that control the status codes sent in response to rejected
- * requests.
- */
+ * Names of specific restrictions, and the corresponding configuration
+ * parameters that control the status codes sent in response to rejected
+ * requests.
+ */
#define PERMIT_ALL "permit"
#define REJECT_ALL "reject"
#define VAR_REJECT_CODE "reject_code"
extern char *var_smtpd_exp_filter;
/*
- * Heuristic to reject unknown local recipients at the SMTP port.
- */
+ * Heuristic to reject unknown local recipients at the SMTP port.
+ */
#define VAR_LOCAL_RCPT_MAPS "local_recipient_maps"
#define DEF_LOCAL_RCPT_MAPS "proxy:unix:passwd.byname $" VAR_ALIAS_MAPS
extern char *var_local_rcpt_maps;
extern int var_local_rcpt_code;
/*
- * List of pre-approved maps that are OK to open with the proxymap service.
- */
+ * List of pre-approved maps that are OK to open with the proxymap service.
+ */
#define VAR_PROXY_READ_MAPS "proxy_read_maps"
#define DEF_PROXY_READ_MAPS "$" VAR_LOCAL_RCPT_MAPS \
" $" VAR_MYDEST \
extern char *var_proxy_read_maps;
/*
- * Other.
- */
+ * Other.
+ */
#define VAR_PROCNAME "process_name"
extern char *var_procname;
#define VAR_DEBUG_COMMAND "debugger_command"
/*
- * Paranoia: save files instead of deleting them.
- */
+ * Paranoia: save files instead of deleting them.
+ */
#define VAR_DONT_REMOVE "dont_remove"
#define DEF_DONT_REMOVE 0
extern bool var_dont_remove;
/*
- * Paranoia: defer messages instead of bouncing them.
- */
+ * Paranoia: defer messages instead of bouncing them.
+ */
#define VAR_SOFT_BOUNCE "soft_bounce"
#define DEF_SOFT_BOUNCE 0
extern bool var_soft_bounce;
/*
- * Give special treatment to owner- and -request.
- */
+ * Give special treatment to owner- and -request.
+ */
#define VAR_OWNREQ_SPECIAL "owner_request_special"
#define DEF_OWNREQ_SPECIAL 1
extern bool var_ownreq_special;
/*
- * Allow/disallow recipient addresses starting with `-'.
- */
+ * Allow/disallow recipient addresses starting with `-'.
+ */
#define VAR_ALLOW_MIN_USER "allow_min_user"
#define DEF_ALLOW_MIN_USER 0
extern bool var_allow_min_user;
extern void mail_params_init(void);
/*
- * Content inspection and filtering.
- */
+ * Content inspection and filtering.
+ */
#define VAR_FILTER_XPORT "content_filter"
#define DEF_FILTER_XPORT ""
extern char *var_filter_xport;
/*
- * Fast flush service support.
- */
+ * Fast flush service support.
+ */
#define VAR_FFLUSH_DOMAINS "fast_flush_domains"
#define DEF_FFLUSH_DOMAINS "$relay_domains"
extern char *var_fflush_domains;
extern int var_fflush_refresh;
/*
- * Environmental management - what Postfix imports from the external world,
- * and what Postfix exports to the external world.
- */
+ * Environmental management - what Postfix imports from the external world,
+ * and what Postfix exports to the external world.
+ */
#define VAR_IMPORT_ENVIRON "import_environment"
#define DEF_IMPORT_ENVIRON "MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY"
extern char *var_import_environ;
extern char *var_export_environ;
/*
- * Tunables for the "virtual" local delivery agent
- */
+ * Tunables for the "virtual" local delivery agent
+ */
#define VAR_VIRT_TRANSPORT "virtual_transport"
#define DEF_VIRT_TRANSPORT MAIL_SERVICE_VIRTUAL
extern char *var_virt_transport;
extern char *var_virt_mailbox_lock;
/*
- * Distinct logging tag for multiple Postfix instances.
- */
+ * Distinct logging tag for multiple Postfix instances.
+ */
#define VAR_SYSLOG_NAME "syslog_name"
#define DEF_SYSLOG_NAME "postfix"
extern char *var_syslog_name;
/*
- * QMQPD
- */
+ * QMQPD
+ */
#define VAR_QMQPD_CLIENTS "qmqpd_authorized_clients"
#define DEF_QMQPD_CLIENTS ""
extern char *var_qmqpd_clients;
extern int var_qmqpd_err_sleep;
/*
- * VERP, more DJB intellectual cross-pollination. However, we prefer + as
- * the default recipient delimiter.
- */
+ * VERP, more DJB intellectual cross-pollination. However, we prefer + as
+ * the default recipient delimiter.
+ */
#define VAR_VERP_DELIMS "default_verp_delimiters"
#define DEF_VERP_DELIMS "+="
extern char *var_verp_delims;
extern char *var_verp_clients;
/*
- * XCLIENT, for rule testing and fetchmail like apps.
- */
+ * XCLIENT, for rule testing and fetchmail like apps.
+ */
#define VAR_XCLIENT_HOSTS "smtpd_authorized_xclient_hosts"
#define DEF_XCLIENT_HOSTS ""
extern char *var_xclient_hosts;
/*
- * XFORWARD, for improved post-filter logging.
- */
+ * XFORWARD, for improved post-filter logging.
+ */
#define VAR_XFORWARD_HOSTS "smtpd_authorized_xforward_hosts"
#define DEF_XFORWARD_HOSTS ""
extern char *var_xforward_hosts;
/*
- * Inbound mail flow control. This allows for a stiffer coupling between
- * receiving mail and sending mail. A sending process produces one token for
- * each message that it takes from the incoming queue; a receiving process
- * consumes one token for each message that it adds to the incoming queue.
- * When no token is available (Postfix receives more mail than it is able to
- * deliver) a receiving process pauses for $in_flow_delay seconds so that
- * the sending processes get a chance to access the disk.
- */
+ * Inbound mail flow control. This allows for a stiffer coupling between
+ * receiving mail and sending mail. A sending process produces one token for
+ * each message that it takes from the incoming queue; a receiving process
+ * consumes one token for each message that it adds to the incoming queue.
+ * When no token is available (Postfix receives more mail than it is able to
+ * deliver) a receiving process pauses for $in_flow_delay seconds so that
+ * the sending processes get a chance to access the disk.
+ */
#define VAR_IN_FLOW_DELAY "in_flow_delay"
#ifdef PIPES_CANT_FIONREAD
#define DEF_IN_FLOW_DELAY "0s"
extern int var_in_flow_delay;
/*
- * Backwards compatibility: foo.com matches itself and names below foo.com.
- */
+ * Backwards compatibility: foo.com matches itself and names below foo.com.
+ */
#define VAR_PAR_DOM_MATCH "parent_domain_matches_subdomains"
#define DEF_PAR_DOM_MATCH VAR_DEBUG_PEER_LIST "," \
VAR_FFLUSH_DOMAINS "," \
#define SMTPD_ACCESS_MAPS "smtpd_access_maps"
/*
- * Run-time fault injection.
- */
+ * Run-time fault injection.
+ */
#define VAR_FAULT_INJ_CODE "fault_injection_code"
#define DEF_FAULT_INJ_CODE 0
extern int var_fault_inj_code;
/*
- * Install/upgrade information.
- */
+ * Install/upgrade information.
+ */
#define VAR_SENDMAIL_PATH "sendmail_path"
#ifndef DEF_SENDMAIL_PATH
#define DEF_SENDMAIL_PATH "/usr/sbin/sendmail"
#endif
/*
- * Safety: resolve the address with unquoted localpart (default, but
- * technically incorrect), instead of resolving the address with quoted
- * localpart (technically correct, but unsafe). The default prevents mail
- * relay loopholes with "user@domain"@domain when relaying mail to a
- * Sendmail system.
- */
+ * Safety: resolve the address with unquoted localpart (default, but
+ * technically incorrect), instead of resolving the address with quoted
+ * localpart (technically correct, but unsafe). The default prevents mail
+ * relay loopholes with "user@domain"@domain when relaying mail to a
+ * Sendmail system.
+ */
#define VAR_RESOLVE_DEQUOTED "resolve_dequoted_address"
#define DEF_RESOLVE_DEQUOTED 1
extern bool var_resolve_dequoted;
extern bool var_resolve_nulldom;
/*
- * Service names. The transport (TCP, FIFO or UNIX-domain) type is frozen
- * because you cannot simply mix them, and accessibility (private/public) is
- * frozen for security reasons. We list only the internal services, not the
- * externally visible SMTP server, or the delivery agents that can already
- * be chosen via transport mappings etc.
- */
+ * Service names. The transport (TCP, FIFO or UNIX-domain) type is frozen
+ * because you cannot simply mix them, and accessibility (private/public) is
+ * frozen for security reasons. We list only the internal services, not the
+ * externally visible SMTP server, or the delivery agents that can already
+ * be chosen via transport mappings etc.
+ */
#define VAR_BOUNCE_SERVICE "bounce_service_name"
#define DEF_BOUNCE_SERVICE MAIL_SERVICE_BOUNCE
extern char *var_bounce_service;
extern char *var_flush_service;
/*
- * Session cache service.
- */
+ * Session cache service.
+ */
#define VAR_SCACHE_SERVICE "connection_cache_service"
#define DEF_SCACHE_SERVICE "scache"
extern char *var_scache_service;
extern int var_scache_stat_time;
/*
- * Address verification service.
- */
+ * Address verification service.
+ */
#define VAR_VERIFY_SERVICE "address_verify_service_name"
#define DEF_VERIFY_SERVICE MAIL_SERVICE_VERIFY
extern char *var_verify_service;
extern char *var_vrfy_xport_maps;
/*
- * Message delivery trace service.
- */
+ * Message delivery trace service.
+ */
#define VAR_TRACE_SERVICE "trace_service_name"
#define DEF_TRACE_SERVICE MAIL_SERVICE_TRACE
extern char *var_trace_service;
/*
- * Mailbox/maildir delivery errors that cause delivery to be tried again.
- */
+ * Mailbox/maildir delivery errors that cause delivery to be tried again.
+ */
#define VAR_MBX_DEFER_ERRS "mailbox_defer_errors"
#define DEF_MBX_DEFER_ERRS "eagain, enospc, estale"
extern char *var_mbx_defer_errs;
extern char *var_mdr_defer_errs;
/*
- * Berkeley DB memory pool sizes.
- */
+ * Berkeley DB memory pool sizes.
+ */
#define VAR_DB_CREATE_BUF "berkeley_db_create_buffer_size"
#define DEF_DB_CREATE_BUF (16 * 1024 *1024)
extern int var_db_create_buf;
extern int var_db_read_buf;
/*
- * Named queue file attributes.
- */
+ * Named queue file attributes.
+ */
#define VAR_QATTR_COUNT_LIMIT "queue_file_attribute_count_limit"
#define DEF_QATTR_COUNT_LIMIT 100
extern int var_qattr_count_limit;
/*
- * MIME support.
- */
+ * MIME support.
+ */
#define VAR_MIME_MAXDEPTH "mime_nesting_limit"
#define DEF_MIME_MAXDEPTH 100
extern int var_mime_maxdepth;
extern bool var_strict_encoding;
/*
- * Bizarre.
- */
+ * Bizarre.
+ */
#define VAR_SENDER_ROUTING "sender_based_routing"
#define DEF_SENDER_ROUTING 0
extern bool var_sender_routing;
extern char *var_xport_null_key;
/*
- * Bounce service controls.
- */
+ * Bounce service controls.
+ */
#define VAR_OLDLOG_COMPAT "backwards_bounce_logfile_compatibility"
#define DEF_OLDLOG_COMPAT 1
extern bool var_oldlog_compat;
/*
- * SMTPD content proxy.
- */
+ * SMTPD content proxy.
+ */
#define VAR_SMTPD_PROXY_FILT "smtpd_proxy_filter"
#define DEF_SMTPD_PROXY_FILT ""
extern char *var_smtpd_proxy_filt;
extern int var_smtpd_proxy_tmout;
/*
- * Transparency options for mail input interfaces and for the cleanup server
- * behind them. These should turn off stuff we don't want to happen, because
- * the default is to do a lot of things.
- */
+ * Transparency options for mail input interfaces and for the cleanup server
+ * behind them. These should turn off stuff we don't want to happen, because
+ * the default is to do a lot of things.
+ */
#define VAR_INPUT_TRANSP "receive_override_options"
#define DEF_INPUT_TRANSP ""
extern char *var_smtpd_input_transp;
/*
- * SMTP server policy delegation.
- */
+ * SMTP server policy delegation.
+ */
#define VAR_SMTPD_POLICY_TMOUT "smtpd_policy_service_timeout"
#define DEF_SMTPD_POLICY_TMOUT "100s"
extern int var_smtpd_policy_tmout;
#define CHECK_POLICY_SERVICE "check_policy_service"
/*
- * Client rate control.
- */
+ * Client rate control.
+ */
#define VAR_SMTPD_CRATE_LIMIT "smtpd_client_connection_rate_limit"
#define DEF_SMTPD_CRATE_LIMIT 0
extern int var_smtpd_crate_limit;
extern int var_anvil_stat_time;
/*
- * Temporary stop gap.
- */
+ * Temporary stop gap.
+ */
#if 0
#include <anvil_clnt.h>
#endif
/*
- * What domain names to assume when no valid domain context exists.
- */
+ * What domain names to assume when no valid domain context exists.
+ */
#define VAR_REM_RWR_DOMAIN "remote_header_rewrite_domain"
#define DEF_REM_RWR_DOMAIN ""
extern char *var_remote_rwr_domain;
extern char *var_local_rwr_clients;
/*
- * EHLO keyword filter.
- */
+ * EHLO keyword filter.
+ */
#define VAR_SMTPD_EHLO_DIS_WORDS "smtpd_discard_ehlo_keywords"
#define DEF_SMTPD_EHLO_DIS_WORDS ""
extern char *var_smtpd_ehlo_dis_words;
#define DEF_SMTP_EHLO_DIS_MAPS ""
extern char *var_smtp_ehlo_dis_maps;
+ /*
+ * Allow CNAME lookup result to override the server hostname.
+ */
+#define VAR_SMTP_CNAME_OVERR "smtp_cname_overrides_servername"
+#define DEF_SMTP_CNAME_OVERR 1
+extern bool var_smtp_cname_overr;
+
/* LICENSE
/* .ad
/* .fi
* Patches change the patchlevel and the release date. Snapshots change the
* release date only.
*/
-#define MAIL_RELEASE_DATE "20060103"
-#define MAIL_VERSION_NUMBER "2.2.8"
+#define MAIL_RELEASE_DATE "20060201"
+#define MAIL_VERSION_NUMBER "2.2.9-RC1"
#define VAR_MAIL_VERSION "mail_version"
#ifdef SNAPSHOT
msg_warn("skipping record type %s: %m", dns_strtype(addr->type));
} else {
msg_info("pref %4d host %s/%s",
- addr->pref, addr->name,
+ addr->pref, addr->rname,
hostaddr.buf);
}
}
SOCKADDR_TO_HOSTADDR(sa, salen, &hostaddr, (MAI_SERVPORT_STR *) 0, 0);
if (msg_verbose)
msg_info("%s: trying: %s[%s] port %d...",
- myname, addr->name, hostaddr.buf, ntohs(port));
+ myname, addr->rname, hostaddr.buf, ntohs(port));
return (lmtp_connect_sock(sock, sa, salen,
- addr->name, hostaddr.buf, destination, why));
+ addr->rname, hostaddr.buf, destination, why));
}
/* lmtp_connect_sock - connect a socket over some transport */
VAR_PROP_EXTENSION, DEF_PROP_EXTENSION, &var_prop_extension, 0, 0,
VAR_DELIVER_HDR, DEF_DELIVER_HDR, &var_deliver_hdr, 0, 0,
VAR_MAILBOX_LOCK, DEF_MAILBOX_LOCK, &var_mailbox_lock, 1, 0,
+ VAR_MAILBOX_CMD_MAPS, DEF_MAILBOX_CMD_MAPS, &var_mailbox_cmd_maps, 0, 0,
0,
};
static CONFIG_BOOL_TABLE bool_table[] = {
VAR_EXEC_DIRECTORY, DEF_EXEC_DIRECTORY, &var_exec_directory, 0, 0,
VAR_FORWARD_PATH, DEF_FORWARD_PATH, &var_forward_path, 0, 0,
VAR_MAILBOX_COMMAND, DEF_MAILBOX_COMMAND, &var_mailbox_command, 0, 0,
- VAR_MAILBOX_CMD_MAPS, DEF_MAILBOX_CMD_MAPS, &var_mailbox_cmd_maps, 0, 0,
VAR_LUSER_RELAY, DEF_LUSER_RELAY, &var_luser_relay, 0, 0,
0,
};
/* Always send EHLO at the start of an SMTP session.
/* .IP "\fBsmtp_never_send_ehlo (no)\fR"
/* Never send EHLO at the start of an SMTP session.
+/* .IP "\fBsmtp_cname_overrides_servername (yes)\fR"
+/* Allow DNS CNAME records to override the servername that the
+/* Postfix SMTP client uses for logging, SASL password lookup, TLS
+/* policy decisions, or TLS certificate verification.
/* .IP "\fBsmtp_defer_if_no_mx_address_found (no)\fR"
/* Defer mail delivery when no MX record resolves to an IP address.
/* .IP "\fBsmtp_line_length_limit (990)\fR"
char *var_smtp_generic_maps;
char *var_prop_extension;
+bool var_smtp_cname_overr;
/*
* Global variables. smtp_errno is set by the address lookup routines and by
VAR_SMTP_TLS_ENFORCE_PN, DEF_SMTP_TLS_ENFORCE_PN, &var_smtp_tls_enforce_peername,
VAR_SMTP_TLS_NOTEOFFER, DEF_SMTP_TLS_NOTEOFFER, &var_smtp_tls_note_starttls_offer,
#endif
+ VAR_SMTP_CNAME_OVERR, DEF_SMTP_CNAME_OVERR, &var_smtp_cname_overr,
0,
};
#endif
+
+ /*
+ * What's in a name?
+ */
+#define SMTP_HNAME(rr) (var_smtp_cname_overr ? (rr)->rname : (rr)->qname)
+
/*
* smtp_session.c
*/
msg_warn("skipping record type %s: %m", dns_strtype(addr->type));
} else {
msg_info("pref %4d host %s/%s",
- addr->pref, addr->name,
+ addr->pref, SMTP_HNAME(addr),
hostaddr.buf);
}
}
SOCKADDR_TO_HOSTADDR(sa, salen, &hostaddr, (MAI_SERVPORT_STR *) 0, 0);
if (msg_verbose)
msg_info("%s: trying: %s[%s] port %d...",
- myname, addr->name, hostaddr.buf, ntohs(port));
+ myname, SMTP_HNAME(addr), hostaddr.buf, ntohs(port));
if (var_smtp_conn_tmout > 0) {
non_blocking(sock, NON_BLOCKING);
conn_stat = timed_connect(sock, sa, salen, var_smtp_conn_tmout);
}
if (conn_stat < 0) {
vstring_sprintf(why, "connect to %s[%s]: %m",
- addr->name, hostaddr.buf);
+ SMTP_HNAME(addr), hostaddr.buf);
smtp_errno = SMTP_ERR_RETRY;
close(sock);
return (0);
*/
if (read_wait(sock, var_smtp_helo_tmout) < 0) {
vstring_sprintf(why, "connect to %s[%s]: read timeout",
- addr->name, hostaddr.buf);
+ SMTP_HNAME(addr), hostaddr.buf);
smtp_errno = SMTP_ERR_RETRY;
close(sock);
return (0);
stream = vstream_fdopen(sock, O_RDWR);
if ((ch = VSTREAM_GETC(stream)) == VSTREAM_EOF) {
vstring_sprintf(why, "connect to %s[%s]: server dropped connection without sending the initial SMTP greeting",
- addr->name, hostaddr.buf);
+ SMTP_HNAME(addr), hostaddr.buf);
smtp_errno = SMTP_ERR_RETRY;
vstream_fclose(stream);
return (0);
VSTRING *salvage_buf = smtp_salvage(stream);
vstring_sprintf(why, "connect to %s[%s]: server refused to talk to me: %s",
- addr->name, hostaddr.buf, STR(salvage_buf));
+ SMTP_HNAME(addr), hostaddr.buf, STR(salvage_buf));
vstring_free(salvage_buf);
smtp_errno = SMTP_ERR_RETRY;
vstream_fclose(stream);
return (0);
}
- return (smtp_session_alloc(stream, dest, addr->name,
+ return (smtp_session_alloc(stream, dest, SMTP_HNAME(addr),
hostaddr.buf, port, sess_flags));
}
#ifdef USE_TLS
/*
- * Per-site policies can override main.cf settings.
+ * TLS enforcement level. Actual TLS policies will be NONE or higher.
+ *
+ * There are two pseudo levels: NOTFOUND is a sentinel value for the ease of
+ * implementation; MAY is a wild-card that indicates "anything goes".
+ *
+ * Non pseudo levels can also be used to indicate the actual security level of
+ * a session.
*/
-typedef struct {
- int dont_use; /* don't use TLS */
- int use; /* useless, see above */
- int enforce; /* must always use TLS */
- int enforce_peername; /* must verify certificate name */
-} SMTP_TLS_SITE_POLICY;
+#define SMTP_TLS_LEV_NOTFOUND (-1) /* sentinel */
+#define SMTP_TLS_LEV_NONE 0 /* plain-text only */
+#define SMTP_TLS_LEV_MAY 1 /* wildcard */
+#define SMTP_TLS_LEV_ENCRYPT 2 /* encrypted connection */
+#define SMTP_TLS_LEV_VERIFY 3 /* certificate verified */
+#define SMTP_TLS_LEV_STRICT 4 /* "secure" verification */
static MAPS *tls_per_site; /* lookup table(s) */
DICT_FLAG_LOCK);
}
+/* smtp_tls_policy_print - print policy level */
+
+static void smtp_tls_policy_print(const char *name, int level)
+{
+ msg_info("%s TLS level: %s", name,
+ level == SMTP_TLS_LEV_VERIFY ? "verify" :
+ level == SMTP_TLS_LEV_ENCRYPT ? "encrypt" :
+ level == SMTP_TLS_LEV_MAY ? "may" :
+ level == SMTP_TLS_LEV_NONE ? "none" :
+ "unknown");
+}
+
/* smtp_tls_site_policy - look up per-site TLS policy */
-static void smtp_tls_site_policy(SMTP_TLS_SITE_POLICY *policy,
+static void smtp_tls_site_policy(int *site_level,
const char *site_name,
const char *site_class)
{
char *lookup_key;
/*
- * Initialize the default policy.
- */
- policy->dont_use = 0;
- policy->use = 0;
- policy->enforce = 0;
- policy->enforce_peername = 0;
-
- /*
- * Look up a non-default policy.
+ * Look up a non-default policy. In case of multiple lookup results, the
+ * precedence order is a permutation of the TLS enforcement level order:
+ * VERIFY, ENCRYPT, NONE, MAY, NOTFOUND. I.e. we override MAY with a more
+ * specific policy including NONE, otherwise we choose the stronger
+ * enforcement level.
*/
lookup_key = lowercase(mystrdup(site_name));
if ((lookup = maps_find(tls_per_site, lookup_key, 0)) != 0) {
- if (!strcasecmp(lookup, "NONE"))
- policy->dont_use = 1;
- else if (!strcasecmp(lookup, "MAY"))
- policy->use = 1;
- else if (!strcasecmp(lookup, "MUST"))
- policy->enforce = policy->enforce_peername = 1;
- else if (!strcasecmp(lookup, "MUST_NOPEERMATCH"))
- policy->enforce = 1;
- else
+ if (!strcasecmp(lookup, "NONE")) {
+ /* NONE overrides MAY or NOTFOUND. */
+ if (*site_level <= SMTP_TLS_LEV_MAY)
+ *site_level = SMTP_TLS_LEV_NONE;
+ } else if (!strcasecmp(lookup, "MAY")) {
+ /* MAY overrides NOTFOUND but not NONE. */
+ if (*site_level < SMTP_TLS_LEV_NONE)
+ *site_level = SMTP_TLS_LEV_MAY;
+ } else if (!strcasecmp(lookup, "MUST_NOPEERMATCH")) {
+ if (*site_level < SMTP_TLS_LEV_ENCRYPT)
+ *site_level = SMTP_TLS_LEV_ENCRYPT;
+ } else if (!strcasecmp(lookup, "MUST")) {
+ if (*site_level < SMTP_TLS_LEV_VERIFY)
+ *site_level = SMTP_TLS_LEV_VERIFY;
+ } else {
msg_warn("Table %s: ignoring unknown TLS policy '%s' for %s %s",
var_smtp_tls_per_site, lookup, site_class, site_name);
+ }
}
myfree(lookup_key);
}
+/* smtp_tls_level_init - configure session TLS enforcement level */
+
+static int smtp_tls_level_init(const char *dest, const char *host)
+{
+ int global_level;
+ int site_level;
+ int tls_level;
+
+ /*
+ * Compute the global TLS policy. This is the default policy level when
+ * no per-site policy exists. It also is used to override a wild-card
+ * per-site policy.
+ */
+ if (var_smtp_enforce_tls)
+ global_level = var_smtp_tls_enforce_peername ?
+ SMTP_TLS_LEV_VERIFY : SMTP_TLS_LEV_ENCRYPT;
+ else
+ global_level = var_smtp_use_tls ?
+ SMTP_TLS_LEV_MAY : SMTP_TLS_LEV_NONE;
+ if (msg_verbose)
+ smtp_tls_policy_print("global", global_level);
+
+ /*
+ * Compute the per-site TLS enforcement level. For compatibility with the
+ * original TLS patch, this algorithm is gives equal precedence to host
+ * and next-hop policies.
+ */
+ site_level = SMTP_TLS_LEV_NOTFOUND;
+
+ if (tls_per_site) {
+ smtp_tls_site_policy(&site_level, dest, "next-hop destination");
+ if (strcasecmp(dest, host) != 0)
+ smtp_tls_site_policy(&site_level, host, "server hostname");
+ if (msg_verbose)
+ smtp_tls_policy_print("site", site_level);
+ }
+
+ /*
+ * Override a wild-card per-site policy with a more specific global
+ * policy.
+ *
+ * With the original TLS patch, 1) a per-site ENCRYPT could not override a
+ * global VERIFY, and 2) a combined per-site (NONE+MAY) policy produced
+ * inconsistent results: it changed a global VERIFY into NONE, while
+ * producing MAY with all weaker global policy settings.
+ *
+ * With the current implementation, a combined per-site (NONE+MAY)
+ * consistently overrides global policy with NONE, and global policy can
+ * override only a per-site MAY wildcard. That is, specific policies
+ * consistently override wildcard policies, and (non-wildcard) per-site
+ * policies consistently override global policies.
+ */
+ if (site_level == SMTP_TLS_LEV_NOTFOUND
+ || (site_level == SMTP_TLS_LEV_MAY
+ && global_level > SMTP_TLS_LEV_MAY))
+ tls_level = global_level;
+ else
+ tls_level = site_level;
+
+ if (msg_verbose && tls_per_site)
+ smtp_tls_policy_print("effective", tls_level);
+
+ return (tls_level);
+}
+
#endif
/* smtp_session_alloc - allocate and initialize SMTP_SESSION structure */
{
SMTP_SESSION *session;
-#ifdef USE_TLS
- SMTP_TLS_SITE_POLICY host_policy;
- SMTP_TLS_SITE_POLICY rcpt_policy;
-
-#endif
-
session = (SMTP_SESSION *) mymalloc(sizeof(*session));
session->stream = stream;
session->dest = mystrdup(dest);
session->tls_enforce_peername = 0;
session->tls_context = 0;
session->tls_info = tls_info_zero;
-
- /*
- * Override the main.cf TLS policy with an optional per-site policy.
- */
- if (smtp_tls_ctx != 0) {
- smtp_tls_site_policy(&host_policy, host, "receiving host");
- smtp_tls_site_policy(&rcpt_policy, dest, "recipient domain");
-
- /*
- * Set up TLS enforcement for this session.
- */
- if ((var_smtp_enforce_tls && !host_policy.dont_use && !rcpt_policy.dont_use)
- || host_policy.enforce || rcpt_policy.enforce)
- session->tls_enforce_tls = session->tls_use_tls = 1;
-
- /*
- * Set up peername checking for this session.
- *
- * We want to make sure that a MUST* entry in the tls_per_site table
- * always has precedence. MUST always must lead to a peername check,
- * MUST_NOPEERMATCH must always disable it. Only when no explicit
- * setting has been found, the default will be used. There is the
- * case left, that both "host" and "recipient" settings conflict. In
- * this case, the "host" setting wins.
- */
- if (host_policy.enforce && host_policy.enforce_peername)
- session->tls_enforce_peername = 1;
- else if (rcpt_policy.enforce && rcpt_policy.enforce_peername)
- session->tls_enforce_peername = 1;
- else if (var_smtp_enforce_tls && var_smtp_tls_enforce_peername)
- session->tls_enforce_peername = 1;
- else if ((var_smtp_use_tls && !host_policy.dont_use && !rcpt_policy.dont_use) || host_policy.use || rcpt_policy.use)
- session->tls_use_tls = 1;
+ switch (smtp_tls_level_init(dest, host)) {
+ case SMTP_TLS_LEV_VERIFY:
+ session->tls_enforce_peername = 1;
+ case SMTP_TLS_LEV_ENCRYPT:
+ session->tls_enforce_tls = 1;
+ case SMTP_TLS_LEV_MAY:
+ session->tls_use_tls = 1;
+ break;
}
#endif
debug_peer_check(host, addr);
(VSTRING *) 0, (VSTRING *) 0);
if (dns_status == DNS_NOTFOUND && h_errno == NO_DATA) {
if (type == T_MX) {
- server_list = dns_rr_create(domain, type, C_IN, 0, 0,
+ server_list = dns_rr_create(domain, domain, type, C_IN, 0, 0,
domain, strlen(domain) + 1);
dns_status = DNS_OK;
} else if (type == T_NS) {
char *var_verify_sender;
char *var_smtpd_sasl_opts;
char *var_local_rwr_clients;
+char *var_smtpd_relay_ccerts;
typedef struct {
char *name;
VAR_MAIL_NAME, DEF_MAIL_NAME, &var_mail_name,
VAR_SMTPD_SASL_OPTS, DEF_SMTPD_SASL_OPTS, &var_smtpd_sasl_opts,
VAR_LOC_RWR_CLIENTS, DEF_LOC_RWR_CLIENTS, &var_local_rwr_clients,
+ VAR_RELAY_CCERTS, DEF_RELAY_CCERTS, &var_smtpd_relay_ccerts,
0,
};
>>> mail sname@sdomain
OK
>>> rcpt rname@rdomain
-./smtpd_check: <queue id>: reject: RCPT from spike.porcupine.org[168.100.189.2]: 554 Service unavailable; Helo command [example.tld] blocked using abuse.rfc-ignorant.org; Not supporting abuse@domain; from=<sname@sdomain> to=<rname@rdomain> proto=SMTP helo=<example.tld>
-554 Service unavailable; Helo command [example.tld] blocked using abuse.rfc-ignorant.org; Not supporting abuse@domain
+./smtpd_check: <queue id>: reject: RCPT from spike.porcupine.org[168.100.189.2]: 554 Service unavailable; Helo command [example.tld] blocked using abuse.rfc-ignorant.org; Not supporting abuse@example.tld; from=<sname@sdomain> to=<rname@rdomain> proto=SMTP helo=<example.tld>
+554 Service unavailable; Helo command [example.tld] blocked using abuse.rfc-ignorant.org; Not supporting abuse@example.tld
>>> #
>>> # Check MX access
>>> #
/*
* Append missing @origin
*/
- else if (var_append_at_myorigin != 0) {
+ else if (var_append_at_myorigin != 0
+ && context->origin[0][0] != 0) {
domain = tok822_sub_append(tree, tok822_alloc('@', (char *) 0));
tok822_sub_append(tree, tok822_scan(REW_PARAM_VALUE(context->origin),
(TOK822 **) 0));
* alone.
*/
if (var_append_dot_mydomain != 0
+ && context->domain[0][0] != 0
&& (domain = tok822_rfind_type(tree->tail, '@')) != 0
&& domain != tree->tail
&& tok822_find_type(domain, TOK822_DOMLIT) == 0
projects / thirdparty / postfix.git / commitdiff
