Cleanup: removed the PSC_STATE_FLAG_CACHE_EXPIRED flag.
Nothing uses this anymore. Files: postscreen/postscreen.h,
postscreen/postscreen_state.c, postscreen/postscreen_tests.c.
+
+20110614
+
+ Linux kernel version 3 support. Linus Torvalds has reset
+ the counters for reasons not related to changes in code.
+ Files: makedefs, util/sys_defs.h.
+
+20110615
+
+ Workaround: some Spamhaus RHSBL rejects lookups with "No
+ IP queries" even if the name has an alphanumerical prefix.
+ We play safe, and skip both RHSBL and RHSWL queries for
+ names ending in a numerical suffix. File: smtpd/smtpd_check.c.
(MAIL_CONFIG=/etc/postfix-out) of the output instance.
* Lines 1-2: With "authorized_submit_users = root", the superuser can test
- the postix-out instance with "postmulti -i postfix-out -x sendmail -bv
+ the postfix-out instance with "postmulti -i postfix-out -x sendmail -bv
recipient...", but otherwise local submission remains disabled.
* Lines 1-2: With "master_service_disable =", the "inet" listeners are re-
close-on-exec flags. This could be a way to mitigate the
impact of memory/file leaks, and to implement "postfix
reload" support for master(8) features that currently don't
- support this.
+ support this.
+
+ Sub-second time resolution. The first benefit is to make
+ per-destination rate delays more usable. Other applications
+ will come up once the support exists. The straightforward
+ approach is to represent all time intervals in milliseconds,
+ and to update all code that makes system calls with a time
+ argument (as well as the compiled-in upper and lower time
+ parameter bounds, which are currently in seconds).
+ Unfortunately, that limits he maximum time interval to less
+ than 25 days on 32-bit systems, and is likely to break
+ compatibility (for starters, it cannot even deal with the
+ compiled-in 100d upper bound on the queue file lifetime).
+ A second option is to have a "compatibility" time base
+ switch between milliseconds and seconds; this means extra
+ changes to all code that makes system calls with a time
+ argument, and the way that the compiled-in upper and lower
+ bounds are specified. Some of this can be encapsulated in
+ macros like time_to_sec(t), time_to_msec(t) and sec_to_time(t).
+ Finally, it is relatively easy to replace the events(3)
+ interface to use "double" for the time delay arguments, but
+ it is a major pain to convert all main.cf time parameters
+ into doubles (converting only some leads to a documentation
+ nightmare).
postscreen: wait for DNS completion after early HANGUP
and log DNSBL.
whitelisting database before the primary MX connection is
closed, because a client may still make a mistake.
-
Don't forget Apple's code donation for fetching mail from
IMAP server.
<ul>
<li> <p> Lines 1-2: With "<a href="postconf.5.html#authorized_submit_users">authorized_submit_users</a> = root", the
-superuser can test the postix-out instance with "postmulti -i
+superuser can test the postfix-out instance with "postmulti -i
postfix-out -x sendmail -bv recipient...", but otherwise local
submission remains disabled. </p>
<p> By default, the OpenSSL server selects the client's most preferred
cipher that the server supports. With SSLv3 and later, the server
may choose its own most preferred cipher that is supported (offered)
-by the client. Setting "<a href="postconf.5.html#tls_preempts_cipherlist">tls_preempt_cipherlist</a> = yes" enables server
+by the client. Setting "<a href="postconf.5.html#tls_preempt_cipherlist">tls_preempt_cipherlist</a> = yes" enables server
cipher preferences. The default OpenSSL behaviour applies with
-"<a href="postconf.5.html#tls_preempts_cipherlist">tls_preempt_cipherlist</a> = no". </p>
+"<a href="postconf.5.html#tls_preempt_cipherlist">tls_preempt_cipherlist</a> = no". </p>
<p> While server cipher selection may in some cases lead to a more secure
or performant cipher choice, there is some risk of interoperability
<p> By default, the OpenSSL server selects the client's most preferred
cipher that the server supports. With SSLv3 and later, the server may
choose its own most preferred cipher that is supported (offered) by
-the client. Setting "<a href="postconf.5.html#tls_preempts_cipherlist">tls_preempt_cipherlist</a> = yes" enables server cipher
+the client. Setting "<a href="postconf.5.html#tls_preempt_cipherlist">tls_preempt_cipherlist</a> = yes" enables server cipher
preferences. </p>
<p> While server cipher selection may in some cases lead to a more secure
<b><a href="postconf.5.html#smtpd_per_record_deadline">smtpd_per_record_deadline</a> (normal: no, overload: yes)</b>
Change the behavior of the <a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> time
limit, from a time limit per read or write system
- call, to a time limit to send or receive a complete
+ call, to a time limit to read or write a complete
record (an SMTP command line, SMTP response line,
SMTP message content line, or TLS protocol mes-
sage).
Available in Postfix version 2.8 and later:
- <b><a href="postconf.5.html#tls_preempts_cipherlist">tls_preempt_cipherlist</a> (no)</b>
+ <b><a href="postconf.5.html#tls_preempt_cipherlist">tls_preempt_cipherlist</a> (no)</b>
With SSLv3 and later, use the server's cipher pref-
erence order instead of the client's cipher prefer-
ence order.
<b><a href="postconf.5.html#smtpd_per_record_deadline">smtpd_per_record_deadline</a> (normal: no, overload: yes)</b>
Change the behavior of the <a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> time
limit, from a time limit per read or write system
- call, to a time limit to send or receive a complete
+ call, to a time limit to read or write a complete
record (an SMTP command line, SMTP response line,
SMTP message content line, or TLS protocol mes-
sage).
fi;;
esac
;;
+ Linux.3*) SYSTYPE=LINUX3
+ if [ -f /usr/include/db.h ]
+ then
+ : we are all set
+ elif [ -f /usr/include/db/db.h ]
+ then
+ CCARGS="$CCARGS -I/usr/include/db"
+ else
+ # On a properly installed system, Postfix builds
+ # by including <db.h> and by linking with -ldb
+ echo "No <db.h> include file found." 1>&2
+ echo "Install the appropriate db*-devel package first." 1>&2
+ echo "See the RELEASE_NOTES file for more information." 1>&2
+ exit 1
+ fi
+ SYSLIBS="-ldb"
+ for name in nsl resolv
+ do
+ for lib in /usr/lib64 /lib64 /usr/lib /lib
+ do
+ test -e $lib/lib$name.a -o -e $lib/lib$name.so && {
+ SYSLIBS="$SYSLIBS -l$name"
+ break
+ }
+ done
+ done
+ ;;
GNU.0*|GNU/kFreeBSD.[567]*)
SYSTYPE=GNU0
# Postfix no longer needs DB 1.85 compatibility
s;\btls_null_cipherlist\b;<a href="postconf.5.html#tls_null_cipherlist">$&</a>;g;
s;\btls_eecdh_strong_curve\b;<a href="postconf.5.html#tls_eecdh_strong_curve">$&</a>;g;
s;\btls_eecdh_ultra_curve\b;<a href="postconf.5.html#tls_eecdh_ultra_curve">$&</a>;g;
- s;\btls_preempt_cipherlist\b;<a href="postconf.5.html#tls_preempts_cipherlist">$&</a>;g;
+ s;\btls_preempt_cipherlist\b;<a href="postconf.5.html#tls_preempt_cipherlist">$&</a>;g;
s;\btls_disable_workarounds\b;<a href="postconf.5.html#tls_disable_workarounds">$&</a>;g;
s;\btls_append_default_CA\b;<a href="postconf.5.html#tls_append_default_CA">$&</a>;g;
<ul>
<li> <p> Lines 1-2: With "authorized_submit_users = root", the
-superuser can test the postix-out instance with "postmulti -i
+superuser can test the postfix-out instance with "postmulti -i
postfix-out -x sendmail -bv recipient...", but otherwise local
submission remains disabled. </p>
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20110605"
+#define MAIL_RELEASE_DATE "20110615"
#define MAIL_VERSION_NUMBER "2.9"
#ifdef SNAPSHOT
cp $(PROG) ../../libexec
SMTPD_CHECK_OBJ = smtpd_state.o smtpd_peer.o smtpd_xforward.o smtpd_dsn_fix.o \
- smtpd_resolve.o
+ smtpd_resolve.o smtpd_expand.o
smtpd_token: smtpd_token.c $(LIBS)
$(CC) $(CFLAGS) -DTEST -o $@ $@.c $(LIBS) $(SYSLIBS)
const char *domain;
const char *reply_addr;
const char *byte_codes;
+ const char *suffix;
/*
* Extract the domain, tack on the RBL domain name and query the DNS for
return (SMTPD_CHECK_DUNNO);
} else
domain = what;
- if (domain[0] == 0)
+
+ /*
+ * XXX Some Spamhaus RHSBL rejects lookups with "No IP queries" even if
+ * the name has an alphanumerical prefix. We play safe, and skip both
+ * RHSBL and RHSWL queries for names ending in a numerical suffix.
+ */
+ if (domain[0] == 0 || valid_hostname(domain, DONT_GRIPE) == 0)
+ return (SMTPD_CHECK_DUNNO);
+ suffix = strrchr(domain, '.');
+ if (alldig(suffix == 0 ? domain : suffix + 1))
return (SMTPD_CHECK_DUNNO);
query = vstring_alloc(100);
name);
else {
cpp += 1;
- if (state->helo_name
- && valid_hostname(state->helo_name, DONT_GRIPE))
+ if (state->helo_name)
status = reject_rbl_domain(state, *cpp, state->helo_name,
SMTPD_NAME_HELO);
}
string_init();
int_init();
smtpd_check_init();
+ smtpd_expand_init();
smtpd_state_init(&state, VSTREAM_IN, "smtpd");
state.queue_id = "<queue id>";
>>> helo_restrictions permit_naked_ip_address,reject_invalid_hostname,reject_unknown_hostname
OK
>>> helo 123.123.123.123
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
OK
>>> #
>>> # Test the sender restrictions
>>> helo_restrictions permit_naked_ip_address,reject_non_fqdn_hostname
OK
>>> helo [1.2.3.4]
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
OK
>>> helo [321.255.255.255]
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
./smtpd_check: <queue id>: reject: HELO from foo[131.155.210.17]: 501 5.5.2 <[321.255.255.255]>: Helo command rejected: invalid ip address; from=<foo> proto=SMTP helo=<[321.255.255.255]>
501 5.5.2 <[321.255.255.255]>: Helo command rejected: invalid ip address
>>> helo [0.255.255.255]
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
./smtpd_check: <queue id>: reject: HELO from foo[131.155.210.17]: 501 5.5.2 <[0.255.255.255]>: Helo command rejected: invalid ip address; from=<foo> proto=SMTP helo=<[0.255.255.255]>
501 5.5.2 <[0.255.255.255]>: Helo command rejected: invalid ip address
>>> helo [1.2.3.321]
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
./smtpd_check: <queue id>: reject: HELO from foo[131.155.210.17]: 501 5.5.2 <[1.2.3.321]>: Helo command rejected: invalid ip address; from=<foo> proto=SMTP helo=<[1.2.3.321]>
501 5.5.2 <[1.2.3.321]>: Helo command rejected: invalid ip address
>>> helo [1.2.3]
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
./smtpd_check: <queue id>: reject: HELO from foo[131.155.210.17]: 501 5.5.2 <[1.2.3]>: Helo command rejected: invalid ip address; from=<foo> proto=SMTP helo=<[1.2.3]>
501 5.5.2 <[1.2.3]>: Helo command rejected: invalid ip address
>>> helo [1.2.3.4.5]
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
./smtpd_check: <queue id>: reject: HELO from foo[131.155.210.17]: 501 5.5.2 <[1.2.3.4.5]>: Helo command rejected: invalid ip address; from=<foo> proto=SMTP helo=<[1.2.3.4.5]>
501 5.5.2 <[1.2.3.4.5]>: Helo command rejected: invalid ip address
>>> helo [1..2.3.4]
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
./smtpd_check: <queue id>: reject: HELO from foo[131.155.210.17]: 501 5.5.2 <[1..2.3.4]>: Helo command rejected: invalid ip address; from=<foo> proto=SMTP helo=<[1..2.3.4]>
501 5.5.2 <[1..2.3.4]>: Helo command rejected: invalid ip address
>>> helo [.1.2.3.4]
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
./smtpd_check: <queue id>: reject: HELO from foo[131.155.210.17]: 501 5.5.2 <[.1.2.3.4]>: Helo command rejected: invalid ip address; from=<foo> proto=SMTP helo=<[.1.2.3.4]>
501 5.5.2 <[.1.2.3.4]>: Helo command rejected: invalid ip address
>>> helo [1.2.3.4.5.]
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
./smtpd_check: <queue id>: reject: HELO from foo[131.155.210.17]: 501 5.5.2 <[1.2.3.4.5.]>: Helo command rejected: invalid ip address; from=<foo> proto=SMTP helo=<[1.2.3.4.5.]>
501 5.5.2 <[1.2.3.4.5.]>: Helo command rejected: invalid ip address
>>> helo 1.2.3.4
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
OK
>>> helo 321.255.255.255
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
./smtpd_check: <queue id>: reject: HELO from foo[131.155.210.17]: 501 5.5.2 <321.255.255.255>: Helo command rejected: invalid ip address; from=<foo> proto=SMTP helo=<321.255.255.255>
501 5.5.2 <321.255.255.255>: Helo command rejected: invalid ip address
>>> helo 0.255.255.255
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
./smtpd_check: <queue id>: reject: HELO from foo[131.155.210.17]: 501 5.5.2 <0.255.255.255>: Helo command rejected: invalid ip address; from=<foo> proto=SMTP helo=<0.255.255.255>
501 5.5.2 <0.255.255.255>: Helo command rejected: invalid ip address
>>> helo 1.2.3.321
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
./smtpd_check: <queue id>: reject: HELO from foo[131.155.210.17]: 501 5.5.2 <1.2.3.321>: Helo command rejected: invalid ip address; from=<foo> proto=SMTP helo=<1.2.3.321>
501 5.5.2 <1.2.3.321>: Helo command rejected: invalid ip address
>>> helo 1.2.3
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
./smtpd_check: <queue id>: reject: HELO from foo[131.155.210.17]: 501 5.5.2 <1.2.3>: Helo command rejected: invalid ip address; from=<foo> proto=SMTP helo=<1.2.3>
501 5.5.2 <1.2.3>: Helo command rejected: invalid ip address
>>> helo 1.2.3.4.5
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
./smtpd_check: <queue id>: reject: HELO from foo[131.155.210.17]: 501 5.5.2 <1.2.3.4.5>: Helo command rejected: invalid ip address; from=<foo> proto=SMTP helo=<1.2.3.4.5>
501 5.5.2 <1.2.3.4.5>: Helo command rejected: invalid ip address
>>> helo 1..2.3.4
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
./smtpd_check: <queue id>: reject: HELO from foo[131.155.210.17]: 501 5.5.2 <1..2.3.4>: Helo command rejected: invalid ip address; from=<foo> proto=SMTP helo=<1..2.3.4>
501 5.5.2 <1..2.3.4>: Helo command rejected: invalid ip address
>>> helo .1.2.3.4
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
./smtpd_check: <queue id>: reject: HELO from foo[131.155.210.17]: 501 5.5.2 <.1.2.3.4>: Helo command rejected: invalid ip address; from=<foo> proto=SMTP helo=<.1.2.3.4>
501 5.5.2 <.1.2.3.4>: Helo command rejected: invalid ip address
>>> helo 1.2.3.4.5.
-./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks instead
+./smtpd_check: warning: restriction permit_naked_ip_address is deprecated. Use permit_mynetworks or permit_sasl_authenticated instead
./smtpd_check: <queue id>: reject: HELO from foo[131.155.210.17]: 501 5.5.2 <1.2.3.4.5.>: Helo command rejected: invalid ip address; from=<foo> proto=SMTP helo=<1.2.3.4.5.>
501 5.5.2 <1.2.3.4.5.>: Helo command rejected: invalid ip address
>>> #
rcpt rname@rdomain
# Authorized destination - accept.
rcpt wietse@porcupine.org
+# Numeric TLD - dunno.
+rcpt wietse@12345
+rcpt wietse@12345.porcupine.org
+rcpt wietse@porcupine.12345
>>> # Authorized destination - accept.
>>> rcpt wietse@porcupine.org
OK
+>>> # Numeric TLD - dunno.
+>>> rcpt wietse@12345
+./smtpd_check: <queue id>: reject: RCPT from example.tld[168.100.189.2]: 554 5.7.1 <wietse@12345>: Relay access denied; to=<wietse@12345> proto=SMTP helo=<foobar>
+554 5.7.1 <wietse@12345>: Relay access denied
+>>> rcpt wietse@12345.porcupine.org
+OK
+>>> rcpt wietse@porcupine.12345
+./smtpd_check: <queue id>: reject: RCPT from example.tld[168.100.189.2]: 554 5.7.1 <wietse@porcupine.12345>: Relay access denied; to=<wietse@porcupine.12345> proto=SMTP helo=<foobar>
+554 5.7.1 <wietse@porcupine.12345>: Relay access denied
>>> client foo 127.0.0.2
OK
>>> rcpt rname@rdomain
-./smtpd_check: <queue id>: reject: RCPT from foo[127.0.0.2]: 554 5.7.1 Service unavailable; Client host [127.0.0.2] blocked using dnsbltest.porcupine.org=127.0.0.2; from=<sname@sdomain> to=<rname@rdomain> proto=SMTP helo=<foobar>
-554 5.7.1 Service unavailable; Client host [127.0.0.2] blocked using dnsbltest.porcupine.org=127.0.0.2
+./smtpd_check: <queue id>: reject: RCPT from foo[127.0.0.2]: 554 5.7.1 Service unavailable; Client host [127.0.0.2] blocked using dnsbltest.porcupine.org; from=<sname@sdomain> to=<rname@rdomain> proto=SMTP helo=<foobar>
+554 5.7.1 Service unavailable; Client host [127.0.0.2] blocked using dnsbltest.porcupine.org
>>> client foo 127.0.0.1
OK
>>> rcpt rname@rdomain
/*
* LINUX.
*/
-#ifdef LINUX2
+#if defined(LINUX2) || defined(LINUX3)
#define SUPPORTED
#include <sys/types.h>
#define UINT32_TYPE unsigned int
projects / thirdparty / postfix.git / commitdiff
