Workaround: added a panic check for code that is mis-compiled
by the HP-UX compiler. File: postscreen/postscreen.c,
postscreen/postscreen.h, postscreen/postscreen_state.c.
+
+20110118
+
+ Bugfix: the tls_disable_workarounds word list only included
+ workarounds in SSL_OP_ALL. Problem report by Steve Jenkins,
+ problem fix by Victor Duchovni. File: tls/tls_misc.c.
+
+ Last-minute incompatible syntax change: Postfix now uses
+ ";" instead of "," to separate DNSBL/DNSWL address filter
+ fields inside "[]". The compatibility break is not an issue,
+ because the syntax never worked in main.cf. Problem reported
+ by Mark Martinec. Files: util/ip_match.c, util/ip_match.in,
+ util/ip_match.ref, proto/postconf.proto.
+
+ Cleanup: postscreen now monitors the AVERAGE latency of
+ table access, and complains at most once per minute. File:
+ postscreen/postscreen_dict.c.
+
+ Bugfix: support for the "dunno" command somehow disappeared
+ from the postscreen_access_list implementation. File:
+ postscreen/postscreen_access.c.
content filters. Typical examples are Amavisd-new, SpamAssassin, and Milter
applications.
-Each layer reduces the spam volume. The general strategy is to eliminate spam
-early with the less expensive defenses and to use the more expensive defenses
-for the spam that remains.
+Each layer reduces the spam volume. The general strategy is to use the less
+expensive defenses first, and to use the more expensive defenses for the spam
+that remains.
Topics in this document:
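Review bot: the replacement sentence repeats "to use" ("to use the less expensive defenses first, and to use the more expensive defenses"); "to use the less expensive defenses first and the more expensive ones for the spam that remains" reads more cleanly. The same sentence appears again in the two HTML copies of this README further down in the patch, so it should be corrected once at the source and the rendered copies regenerated rather than edited by hand.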
Major changes - postscreen
--------------------------
+See html/POSTSCREEN_README.html for an introduction to postscreen
+(or the text version, README_FILES/POSTSCREEN_README). The text
+below summarizes milestones in reverse chronological order.
+
[Incompat 20110111] The postscreen_access_list feature replaces the
postscreen_whitelist_networks and postscreen_blacklist_networks
features. Reason: CIDR-style access maps are some 100x faster than
</ul>
<p> Each layer reduces the spam volume. The general strategy is to
-eliminate spam early with the less expensive defenses and to use
-the more expensive defenses for the spam that remains. </p>
+use the less expensive defenses first, and to use the more expensive
+defenses for the spam that remains. </p>
<p> Topics in this document: </p>
non-error DNSBL reply. Otherwise, <a href="postscreen.8.html">postscreen(8)</a> uses only DNSBL
replies that match the filter. The filter has the form d.d.d.d,
where each d is a number, or a pattern inside [] that contains one
-or more comma-separated numbers or number..number ranges. </p>
+or more ";"-separated numbers or number..number ranges. </p>
<li> <p> When no "*weight" is specified, <a href="postscreen.8.html">postscreen(8)</a> increments
the SMTP client's DNSBL score by 1. Otherwise, the weight must be
<dd>Reject the request when the reversed client network address is
listed with the A record "<i>d.d.d.d</i>" under <i>rbl_domain</i>
(Postfix version 2.1 and later only). Each "<i>d</i>" is a number,
-or a pattern inside "[]" that contains one or more comma-separated
+or a pattern inside "[]" that contains one or more ";"-separated
numbers or number..number ranges (Postfix version 2.8 and later).
If no "<i>=d.d.d.d</i>" is specified, reject the request when the
reversed client network address is listed with any A record under
<dd>Accept the request when the reversed client network address is
listed with the A record "<i>d.d.d.d</i>" under <i>dnswl_domain</i>.
Each "<i>d</i>" is a number, or a pattern inside "[]" that contains
-one or more comma-separated numbers or number..number ranges.
+one or more ";"-separated numbers or number..number ranges.
If no "<i>=d.d.d.d</i>" is specified, accept the request when the
reversed client network address is listed with any A record under
<i>dnswl_domain</i>. <br> For safety, <a href="postconf.5.html#permit_dnswl_client">permit_dnswl_client</a> is silently
<dd>Reject the request when the client hostname is listed with the
A record "<i>d.d.d.d</i>" under <i>rbl_domain</i> (Postfix version
2.1 and later only). Each "<i>d</i>" is a number, or a pattern
-inside "[]" that contains one or more comma-separated numbers or
+inside "[]" that contains one or more ";"-separated numbers or
number..number ranges (Postfix version 2.8 and later). If no
"<i>=d.d.d.d</i>" is specified, reject the request when the client
hostname is listed with
<dd>Accept the request when the client hostname is listed with the
A record "<i>d.d.d.d</i>" under <i>rhswl_domain</i>. Each "<i>d</i>"
is a number, or a pattern inside "[]" that contains one or more
-comma-separated numbers or number..number ranges. If no
+";"-separated numbers or number..number ranges. If no
"<i>=d.d.d.d</i>" is specified, accept the request when the client
hostname is listed with any A record under <i>rhswl_domain</i>.
<br> Caution: client name whitelisting is fragile, since the client
<dd>Reject the request when the unverified reverse client hostname
is listed with the A record "<i>d.d.d.d</i>" under <i>rbl_domain</i>.
Each "<i>d</i>" is a number, or a pattern inside "[]" that contains
-one or more comma-separated numbers or number..number ranges.
+one or more ";"-separated numbers or number..number ranges.
If no "<i>=d.d.d.d</i>" is specified, reject the request when the
unverified reverse client hostname is listed with any A record under
<i>rbl_domain</i>. See the <a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a> description above for
<dd>Reject the request when the HELO or EHLO hostname hostname is
listed with the A record "<i>d.d.d.d</i>" under <i>rbl_domain</i>
(Postfix version 2.1 and later only). Each "<i>d</i>" is a number,
-or a pattern inside "[]" that contains one or more comma-separated
+or a pattern inside "[]" that contains one or more ";"-separated
numbers or number..number ranges (Postfix version 2.8 and later).
If no "<i>=d.d.d.d</i>" is
specified, reject the request when the HELO or EHLO hostname is
<dd>Reject the request when the RCPT TO domain is listed with the
A record "<i>d.d.d.d</i>" under <i>rbl_domain</i> (Postfix version
2.1 and later only). Each "<i>d</i>" is a number, or a pattern
-inside "[]" that contains one or more comma-separated numbers or
+inside "[]" that contains one or more ";"-separated numbers or
number..number ranges (Postfix version 2.8 and later). If no
"<i>=d.d.d.d</i>" is specified, reject
the request when the RCPT TO domain is listed with
<dd>Reject the request when the MAIL FROM domain is listed with
the A record "<i>d.d.d.d</i>" under <i>rbl_domain</i> (Postfix
version 2.1 and later only). Each "<i>d</i>" is a number, or a
-pattern inside "[]" that contains one or more comma-separated numbers
+pattern inside "[]" that contains one or more ";"-separated numbers
or number..number ranges (Postfix version 2.8 and later). If no
"<i>=d.d.d.d</i>" is specified,
reject the request when the MAIL FROM domain is
you can only disable one of these via the hexadecimal syntax above. </p>
<dl>
-<dt><b>MICROSOFT_SESS_ID_BUG</b>See SSL_CTX_set_options(3)</dt>
-<dt><b>NETSCAPE_CHALLENGE_BUG</b>See SSL_CTX_set_options(3)</dt>
-<dt><b>LEGACY_SERVER_CONNECT</b>See SSL_CTX_set_options(3)</dt>
-<dt><b>NETSCAPE_REUSE_CIPHER_CHANGE_BUG</b> also aliased as
-<b>CVE-2010-4180</b>. Postfix 2.8 disables this work-around by default
-with OpenSSL versions that may predate the fix. Fixed in OpenSSL 0.9.8q
-and OpenSSL 1.0.0c.</dt>
-<dt><b>SSLREF2_REUSE_CERT_TYPE_BUG</b>See SSL_CTX_set_options(3)</dt>
-<dt><b>MICROSOFT_BIG_SSLV3_BUFFER</b>See SSL_CTX_set_options(3)</dt>
-<dt><b>MSIE_SSLV2_RSA_PADDING</b> also aliased as
-<b>CVE-2005-2969</b>. Postfix 2.8 disables this work-around by default
-with OpenSSL versions that may predate the fix. Fixed in OpenSSL 0.9.7h
-and OpenSSL 0.9.8a.</dt>
-<dt><b>SSLEAY_080_CLIENT_DH_BUG</b>See SSL_CTX_set_options(3)</dt>
-<dt><b>TLS_D5_BUG</b>See SSL_CTX_set_options(3)</dt>
-<dt><b>TLS_BLOCK_PADDING_BUG</b>See SSL_CTX_set_options(3)</dt>
-<dt><b>TLS_ROLLBACK_BUG</b>See SSL_CTX_set_options(3). This is disabled
-in OpenSSL 0.9.7 and later. Nobody should still be using 0.9.6! </dt>
-<dt><b>DONT_INSERT_EMPTY_FRAGMENTS</b>See SSL_CTX_set_options(3)</dt>
-<dt><b>CRYPTOPRO_TLSEXT_BUG</b>New with GOST support in OpenSSL 1.0.0.</dt>
+
+<dt><b>MICROSOFT_SESS_ID_BUG</b></dt> <dd>See SSL_CTX_set_options(3)</dd>
+
+<dt><b>NETSCAPE_CHALLENGE_BUG</b></dt> <dd>See SSL_CTX_set_options(3)</dd>
+
+<dt><b>LEGACY_SERVER_CONNECT</b></dt> <dd>See SSL_CTX_set_options(3)</dd>
+
+<dt><b>NETSCAPE_REUSE_CIPHER_CHANGE_BUG</b></dt> <dd> also aliased
+as <b>CVE-2010-4180</b>. Postfix 2.8 disables this work-around by
+default with OpenSSL versions that may predate the fix. Fixed in
+OpenSSL 0.9.8q and OpenSSL 1.0.0c.</dd>
+
+<dt><b>SSLREF2_REUSE_CERT_TYPE_BUG</b></dt> <dd>See
+SSL_CTX_set_options(3)</dd>
+
+<dt><b>MICROSOFT_BIG_SSLV3_BUFFER</b></dt> <dd>See
+SSL_CTX_set_options(3)</dd>
+
+<dt><b>MSIE_SSLV2_RSA_PADDING</b></dt> <dd> also aliased as
+<b>CVE-2005-2969</b>. Postfix 2.8 disables this work-around by
+default with OpenSSL versions that may predate the fix. Fixed in
+OpenSSL 0.9.7h and OpenSSL 0.9.8a.</dd>
+
+<dt><b>SSLEAY_080_CLIENT_DH_BUG</b></dt> <dd>See
+SSL_CTX_set_options(3)</dd>
+
+<dt><b>TLS_D5_BUG</b></dt> <dd>See SSL_CTX_set_options(3)</dd>
+
+<dt><b>TLS_BLOCK_PADDING_BUG</b></dt> <dd>See SSL_CTX_set_options(3)</dd>
+
+<dt><b>TLS_ROLLBACK_BUG</b></dt> <dd>See SSL_CTX_set_options(3).
+This is disabled in OpenSSL 0.9.7 and later. Nobody should still
+be using 0.9.6! </dd>
+
+<dt><b>DONT_INSERT_EMPTY_FRAGMENTS</b></dt> <dd>See
+SSL_CTX_set_options(3)</dd>
+
+<dt><b>CRYPTOPRO_TLSEXT_BUG</b></dt> <dd>New with GOST support in
+OpenSSL 1.0.0.</dd>
+
</dl>
<p> This feature is available in Postfix 2.8 and later. </p>
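Review bot: the new <dd> entries for NETSCAPE_REUSE_CIPHER_CHANGE_BUG and MSIE_SSLV2_RSA_PADDING still open with a lowercase " also aliased as", which read as a continuation when it followed the bold name inline but now starts its own definition block; capitalize to "Also aliased as". The split into <dt>...</dt> <dd>...</dd> is otherwise the right fix, since the old markup put the whole description inside the <dt>. The identical list in the proto and manual page hunks later in this patch needs the same capitalization.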
non-error DNSBL reply. Otherwise, \fBpostscreen\fR(8) uses only DNSBL
replies that match the filter. The filter has the form d.d.d.d,
where each d is a number, or a pattern inside [] that contains one
-or more comma-separated numbers or number..number ranges.
+or more ";"-separated numbers or number..number ranges.
.IP \(bu
When no "*weight" is specified, \fBpostscreen\fR(8) increments
the SMTP client's DNSBL score by 1. Otherwise, the weight must be
Reject the request when the reversed client network address is
listed with the A record "\fId.d.d.d\fR" under \fIrbl_domain\fR
(Postfix version 2.1 and later only). Each "\fId\fR" is a number,
-or a pattern inside "[]" that contains one or more comma-separated
+or a pattern inside "[]" that contains one or more ";"-separated
numbers or number..number ranges (Postfix version 2.8 and later).
If no "\fI=d.d.d.d\fR" is specified, reject the request when the
reversed client network address is listed with any A record under
Accept the request when the reversed client network address is
listed with the A record "\fId.d.d.d\fR" under \fIdnswl_domain\fR.
Each "\fId\fR" is a number, or a pattern inside "[]" that contains
-one or more comma-separated numbers or number..number ranges.
+one or more ";"-separated numbers or number..number ranges.
If no "\fI=d.d.d.d\fR" is specified, accept the request when the
reversed client network address is listed with any A record under
\fIdnswl_domain\fR.
Reject the request when the client hostname is listed with the
A record "\fId.d.d.d\fR" under \fIrbl_domain\fR (Postfix version
2.1 and later only). Each "\fId\fR" is a number, or a pattern
-inside "[]" that contains one or more comma-separated numbers or
+inside "[]" that contains one or more ";"-separated numbers or
number..number ranges (Postfix version 2.8 and later). If no
"\fI=d.d.d.d\fR" is specified, reject the request when the client
hostname is listed with
Accept the request when the client hostname is listed with the
A record "\fId.d.d.d\fR" under \fIrhswl_domain\fR. Each "\fId\fR"
is a number, or a pattern inside "[]" that contains one or more
-comma-separated numbers or number..number ranges. If no
+";"-separated numbers or number..number ranges. If no
"\fI=d.d.d.d\fR" is specified, accept the request when the client
hostname is listed with any A record under \fIrhswl_domain\fR.
.br
Reject the request when the unverified reverse client hostname
is listed with the A record "\fId.d.d.d\fR" under \fIrbl_domain\fR.
Each "\fId\fR" is a number, or a pattern inside "[]" that contains
-one or more comma-separated numbers or number..number ranges.
+one or more ";"-separated numbers or number..number ranges.
If no "\fI=d.d.d.d\fR" is specified, reject the request when the
unverified reverse client hostname is listed with any A record under
\fIrbl_domain\fR. See the reject_rbl_client description above for
Reject the request when the HELO or EHLO hostname hostname is
listed with the A record "\fId.d.d.d\fR" under \fIrbl_domain\fR
(Postfix version 2.1 and later only). Each "\fId\fR" is a number,
-or a pattern inside "[]" that contains one or more comma-separated
+or a pattern inside "[]" that contains one or more ";"-separated
numbers or number..number ranges (Postfix version 2.8 and later).
If no "\fI=d.d.d.d\fR" is
specified, reject the request when the HELO or EHLO hostname is
Reject the request when the RCPT TO domain is listed with the
A record "\fId.d.d.d\fR" under \fIrbl_domain\fR (Postfix version
2.1 and later only). Each "\fId\fR" is a number, or a pattern
-inside "[]" that contains one or more comma-separated numbers or
+inside "[]" that contains one or more ";"-separated numbers or
number..number ranges (Postfix version 2.8 and later). If no
"\fI=d.d.d.d\fR" is specified, reject
the request when the RCPT TO domain is listed with
Reject the request when the MAIL FROM domain is listed with
the A record "\fId.d.d.d\fR" under \fIrbl_domain\fR (Postfix
version 2.1 and later only). Each "\fId\fR" is a number, or a
-pattern inside "[]" that contains one or more comma-separated numbers
+pattern inside "[]" that contains one or more ";"-separated numbers
or number..number ranges (Postfix version 2.8 and later). If no
"\fI=d.d.d.d\fR" is specified,
reject the request when the MAIL FROM domain is
is possible that your OpenSSL version includes new bug work-arounds
added after your Postfix source code was last updated, in that case
you can only disable one of these via the hexadecimal syntax above.
-.IP "\fBMICROSOFT_SESS_ID_BUG\fRSee SSL_CTX_\fBset_options\fR(3)"
-.IP "\fBNETSCAPE_CHALLENGE_BUG\fRSee SSL_CTX_\fBset_options\fR(3)"
-.IP "\fBLEGACY_SERVER_CONNECT\fRSee SSL_CTX_\fBset_options\fR(3)"
-.IP "\fBNETSCAPE_REUSE_CIPHER_CHANGE_BUG\fR also aliased as
-\fBCVE-2010-4180\fR. Postfix 2.8 disables this work-around by default
-with OpenSSL versions that may predate the fix. Fixed in OpenSSL 0.9.8q
-and OpenSSL 1.0.0c."
-.IP "\fBSSLREF2_REUSE_CERT_TYPE_BUG\fRSee SSL_CTX_\fBset_options\fR(3)"
-.IP "\fBMICROSOFT_BIG_SSLV3_BUFFER\fRSee SSL_CTX_\fBset_options\fR(3)"
-.IP "\fBMSIE_SSLV2_RSA_PADDING\fR also aliased as
-\fBCVE-2005-2969\fR. Postfix 2.8 disables this work-around by default
-with OpenSSL versions that may predate the fix. Fixed in OpenSSL 0.9.7h
-and OpenSSL 0.9.8a."
-.IP "\fBSSLEAY_080_CLIENT_DH_BUG\fRSee SSL_CTX_\fBset_options\fR(3)"
-.IP "\fBTLS_D5_BUG\fRSee SSL_CTX_\fBset_options\fR(3)"
-.IP "\fBTLS_BLOCK_PADDING_BUG\fRSee SSL_CTX_\fBset_options\fR(3)"
-.IP "\fBTLS_ROLLBACK_BUG\fRSee SSL_CTX_\fBset_options\fR(3). This is disabled
-in OpenSSL 0.9.7 and later. Nobody should still be using 0.9.6!"
-.IP "\fBDONT_INSERT_EMPTY_FRAGMENTS\fRSee SSL_CTX_\fBset_options\fR(3)"
-.IP "\fBCRYPTOPRO_TLSEXT_BUG\fRNew with GOST support in OpenSSL 1.0.0."
+.IP "\fBMICROSOFT_SESS_ID_BUG\fR"
+See SSL_CTX_\fBset_options\fR(3)
+.IP "\fBNETSCAPE_CHALLENGE_BUG\fR"
+See SSL_CTX_\fBset_options\fR(3)
+.IP "\fBLEGACY_SERVER_CONNECT\fR"
+See SSL_CTX_\fBset_options\fR(3)
+.IP "\fBNETSCAPE_REUSE_CIPHER_CHANGE_BUG\fR"
+also aliased
+as \fBCVE-2010-4180\fR. Postfix 2.8 disables this work-around by
+default with OpenSSL versions that may predate the fix. Fixed in
+OpenSSL 0.9.8q and OpenSSL 1.0.0c.
+.IP "\fBSSLREF2_REUSE_CERT_TYPE_BUG\fR"
+See
+SSL_CTX_\fBset_options\fR(3)
+.IP "\fBMICROSOFT_BIG_SSLV3_BUFFER\fR"
+See
+SSL_CTX_\fBset_options\fR(3)
+.IP "\fBMSIE_SSLV2_RSA_PADDING\fR"
+also aliased as
+\fBCVE-2005-2969\fR. Postfix 2.8 disables this work-around by
+default with OpenSSL versions that may predate the fix. Fixed in
+OpenSSL 0.9.7h and OpenSSL 0.9.8a.
+.IP "\fBSSLEAY_080_CLIENT_DH_BUG\fR"
+See
+SSL_CTX_\fBset_options\fR(3)
+.IP "\fBTLS_D5_BUG\fR"
+See SSL_CTX_\fBset_options\fR(3)
+.IP "\fBTLS_BLOCK_PADDING_BUG\fR"
+See SSL_CTX_\fBset_options\fR(3)
+.IP "\fBTLS_ROLLBACK_BUG\fR"
+See SSL_CTX_\fBset_options\fR(3).
+This is disabled in OpenSSL 0.9.7 and later. Nobody should still
+be using 0.9.6!
+.IP "\fBDONT_INSERT_EMPTY_FRAGMENTS\fR"
+See
+SSL_CTX_\fBset_options\fR(3)
+.IP "\fBCRYPTOPRO_TLSEXT_BUG\fR"
+New with GOST support in
+OpenSSL 1.0.0.
+.PP
This feature is available in Postfix 2.8 and later.
.SH tls_eecdh_strong_curve (default: prime256v1)
The elliptic curve used by the SMTP server for sensibly strong
</ul>
<p> Each layer reduces the spam volume. The general strategy is to
-eliminate spam early with the less expensive defenses and to use
-the more expensive defenses for the spam that remains. </p>
+use the less expensive defenses first, and to use the more expensive
+defenses for the spam that remains. </p>
<p> Topics in this document: </p>
<dd>Reject the request when the reversed client network address is
listed with the A record "<i>d.d.d.d</i>" under <i>rbl_domain</i>
(Postfix version 2.1 and later only). Each "<i>d</i>" is a number,
-or a pattern inside "[]" that contains one or more comma-separated
+or a pattern inside "[]" that contains one or more ";"-separated
numbers or number..number ranges (Postfix version 2.8 and later).
If no "<i>=d.d.d.d</i>" is specified, reject the request when the
reversed client network address is listed with any A record under
<dd>Accept the request when the reversed client network address is
listed with the A record "<i>d.d.d.d</i>" under <i>dnswl_domain</i>.
Each "<i>d</i>" is a number, or a pattern inside "[]" that contains
-one or more comma-separated numbers or number..number ranges.
+one or more ";"-separated numbers or number..number ranges.
If no "<i>=d.d.d.d</i>" is specified, accept the request when the
reversed client network address is listed with any A record under
<i>dnswl_domain</i>. <br> For safety, permit_dnswl_client is silently
<dd>Reject the request when the client hostname is listed with the
A record "<i>d.d.d.d</i>" under <i>rbl_domain</i> (Postfix version
2.1 and later only). Each "<i>d</i>" is a number, or a pattern
-inside "[]" that contains one or more comma-separated numbers or
+inside "[]" that contains one or more ";"-separated numbers or
number..number ranges (Postfix version 2.8 and later). If no
"<i>=d.d.d.d</i>" is specified, reject the request when the client
hostname is listed with
<dd>Accept the request when the client hostname is listed with the
A record "<i>d.d.d.d</i>" under <i>rhswl_domain</i>. Each "<i>d</i>"
is a number, or a pattern inside "[]" that contains one or more
-comma-separated numbers or number..number ranges. If no
+";"-separated numbers or number..number ranges. If no
"<i>=d.d.d.d</i>" is specified, accept the request when the client
hostname is listed with any A record under <i>rhswl_domain</i>.
<br> Caution: client name whitelisting is fragile, since the client
<dd>Reject the request when the unverified reverse client hostname
is listed with the A record "<i>d.d.d.d</i>" under <i>rbl_domain</i>.
Each "<i>d</i>" is a number, or a pattern inside "[]" that contains
-one or more comma-separated numbers or number..number ranges.
+one or more ";"-separated numbers or number..number ranges.
If no "<i>=d.d.d.d</i>" is specified, reject the request when the
unverified reverse client hostname is listed with any A record under
<i>rbl_domain</i>. See the reject_rbl_client description above for
<dd>Reject the request when the HELO or EHLO hostname hostname is
listed with the A record "<i>d.d.d.d</i>" under <i>rbl_domain</i>
(Postfix version 2.1 and later only). Each "<i>d</i>" is a number,
-or a pattern inside "[]" that contains one or more comma-separated
+or a pattern inside "[]" that contains one or more ";"-separated
numbers or number..number ranges (Postfix version 2.8 and later).
If no "<i>=d.d.d.d</i>" is
specified, reject the request when the HELO or EHLO hostname is
<dd>Reject the request when the RCPT TO domain is listed with the
A record "<i>d.d.d.d</i>" under <i>rbl_domain</i> (Postfix version
2.1 and later only). Each "<i>d</i>" is a number, or a pattern
-inside "[]" that contains one or more comma-separated numbers or
+inside "[]" that contains one or more ";"-separated numbers or
number..number ranges (Postfix version 2.8 and later). If no
"<i>=d.d.d.d</i>" is specified, reject
the request when the RCPT TO domain is listed with
<dd>Reject the request when the MAIL FROM domain is listed with
the A record "<i>d.d.d.d</i>" under <i>rbl_domain</i> (Postfix
version 2.1 and later only). Each "<i>d</i>" is a number, or a
-pattern inside "[]" that contains one or more comma-separated numbers
+pattern inside "[]" that contains one or more ";"-separated numbers
or number..number ranges (Postfix version 2.8 and later). If no
"<i>=d.d.d.d</i>" is specified,
reject the request when the MAIL FROM domain is
non-error DNSBL reply. Otherwise, postscreen(8) uses only DNSBL
replies that match the filter. The filter has the form d.d.d.d,
where each d is a number, or a pattern inside [] that contains one
-or more comma-separated numbers or number..number ranges. </p>
+or more ";"-separated numbers or number..number ranges. </p>
<li> <p> When no "*weight" is specified, postscreen(8) increments
the SMTP client's DNSBL score by 1. Otherwise, the weight must be
you can only disable one of these via the hexadecimal syntax above. </p>
<dl>
-<dt><b>MICROSOFT_SESS_ID_BUG</b>See SSL_CTX_set_options(3)</dt>
-<dt><b>NETSCAPE_CHALLENGE_BUG</b>See SSL_CTX_set_options(3)</dt>
-<dt><b>LEGACY_SERVER_CONNECT</b>See SSL_CTX_set_options(3)</dt>
-<dt><b>NETSCAPE_REUSE_CIPHER_CHANGE_BUG</b> also aliased as
-<b>CVE-2010-4180</b>. Postfix 2.8 disables this work-around by default
-with OpenSSL versions that may predate the fix. Fixed in OpenSSL 0.9.8q
-and OpenSSL 1.0.0c.</dt>
-<dt><b>SSLREF2_REUSE_CERT_TYPE_BUG</b>See SSL_CTX_set_options(3)</dt>
-<dt><b>MICROSOFT_BIG_SSLV3_BUFFER</b>See SSL_CTX_set_options(3)</dt>
-<dt><b>MSIE_SSLV2_RSA_PADDING</b> also aliased as
-<b>CVE-2005-2969</b>. Postfix 2.8 disables this work-around by default
-with OpenSSL versions that may predate the fix. Fixed in OpenSSL 0.9.7h
-and OpenSSL 0.9.8a.</dt>
-<dt><b>SSLEAY_080_CLIENT_DH_BUG</b>See SSL_CTX_set_options(3)</dt>
-<dt><b>TLS_D5_BUG</b>See SSL_CTX_set_options(3)</dt>
-<dt><b>TLS_BLOCK_PADDING_BUG</b>See SSL_CTX_set_options(3)</dt>
-<dt><b>TLS_ROLLBACK_BUG</b>See SSL_CTX_set_options(3). This is disabled
-in OpenSSL 0.9.7 and later. Nobody should still be using 0.9.6! </dt>
-<dt><b>DONT_INSERT_EMPTY_FRAGMENTS</b>See SSL_CTX_set_options(3)</dt>
-<dt><b>CRYPTOPRO_TLSEXT_BUG</b>New with GOST support in OpenSSL 1.0.0.</dt>
+
+<dt><b>MICROSOFT_SESS_ID_BUG</b></dt> <dd>See SSL_CTX_set_options(3)</dd>
+
+<dt><b>NETSCAPE_CHALLENGE_BUG</b></dt> <dd>See SSL_CTX_set_options(3)</dd>
+
+<dt><b>LEGACY_SERVER_CONNECT</b></dt> <dd>See SSL_CTX_set_options(3)</dd>
+
+<dt><b>NETSCAPE_REUSE_CIPHER_CHANGE_BUG</b></dt> <dd> also aliased
+as <b>CVE-2010-4180</b>. Postfix 2.8 disables this work-around by
+default with OpenSSL versions that may predate the fix. Fixed in
+OpenSSL 0.9.8q and OpenSSL 1.0.0c.</dd>
+
+<dt><b>SSLREF2_REUSE_CERT_TYPE_BUG</b></dt> <dd>See
+SSL_CTX_set_options(3)</dd>
+
+<dt><b>MICROSOFT_BIG_SSLV3_BUFFER</b></dt> <dd>See
+SSL_CTX_set_options(3)</dd>
+
+<dt><b>MSIE_SSLV2_RSA_PADDING</b></dt> <dd> also aliased as
+<b>CVE-2005-2969</b>. Postfix 2.8 disables this work-around by
+default with OpenSSL versions that may predate the fix. Fixed in
+OpenSSL 0.9.7h and OpenSSL 0.9.8a.</dd>
+
+<dt><b>SSLEAY_080_CLIENT_DH_BUG</b></dt> <dd>See
+SSL_CTX_set_options(3)</dd>
+
+<dt><b>TLS_D5_BUG</b></dt> <dd>See SSL_CTX_set_options(3)</dd>
+
+<dt><b>TLS_BLOCK_PADDING_BUG</b></dt> <dd>See SSL_CTX_set_options(3)</dd>
+
+<dt><b>TLS_ROLLBACK_BUG</b></dt> <dd>See SSL_CTX_set_options(3).
+This is disabled in OpenSSL 0.9.7 and later. Nobody should still
+be using 0.9.6! </dd>
+
+<dt><b>DONT_INSERT_EMPTY_FRAGMENTS</b></dt> <dd>See
+SSL_CTX_set_options(3)</dd>
+
+<dt><b>CRYPTOPRO_TLSEXT_BUG</b></dt> <dd>New with GOST support in
+OpenSSL 1.0.0.</dd>
+
</dl>
<p> This feature is available in Postfix 2.8 and later. </p>
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20110117"
+#define MAIL_RELEASE_DATE "20110118"
#define MAIL_VERSION_NUMBER "2.9"
#ifdef SNAPSHOT
"of this access list", name);
return (PSC_ACL_ACT_ERROR);
}
+ } else if (STREQ(name, PSC_ACL_NAME_DUNNO)) {
+ return (PSC_ACL_ACT_DUNNO);
} else {
msg_warn("%s: unknown command: %s -- ignoring the remainder "
"of this access list", origin, name);
#include <postscreen.h>
+/* psc_average - moving average */
+
+static double psc_average(double new, double old)
+{
+ return (0.1 * new + 0.9 * old);
+}
+
/*
* Monitor time-critical operations.
+ *
+ * XXX Averaging support was added during a stable release candidate, so it
+ * provides only the absolute minimum necessary. A complete implementation
+ * should maintain separate statistics for each table, and it should not
+ * complain when the average time between table access is larger than the
+ * average table access latency.
*/
#define PSC_GET_TIME_BEFORE_LOOKUP \
struct timeval _before, _after; \
DELTA_TIME _delta; \
+ double _new_delta_ms; \
GETTIMEOFDAY(&_before);
-#define PSC_DELTA_MS(d) ((d).dt_sec * 1000 + (d).dt_usec / 1000)
+#define PSC_DELTA_MS(d) ((d).dt_sec * 1000.0 + (d).dt_usec / 1000.0)
+
+#ifndef PSC_THRESHOLD_MS
+#define PSC_THRESHOLD_MS 100 /* nag if latency > 100ms */
+#endif
+
+#ifndef PSC_WARN_LOCKOUT_S
+#define PSC_WARN_LOCKOUT_S 60 /* don't nag for 60s */
+#endif
+
+static time_t psc_last_warn = 0;
-#define PSC_CHECK_TIME_AFTER_LOOKUP(table, action) \
+#define PSC_CHECK_TIME_AFTER_LOOKUP(table, action, average) \
GETTIMEOFDAY(&_after); \
PSC_CALC_DELTA(_delta, _after, _before); \
- if (_delta.dt_sec > 1 || _delta.dt_usec > 100000) \
- msg_warn("%s: %s %s took %d ms", \
- myname, (table), (action), PSC_DELTA_MS(_delta));
+ _new_delta_ms = PSC_DELTA_MS(_delta); \
+ if ((average = psc_average(_new_delta_ms, average)) > PSC_THRESHOLD_MS \
+ && psc_last_warn < event_time() - PSC_WARN_LOCKOUT_S) { \
+ msg_warn("%s: %s %s average delay is %.0f ms", \
+ myname, (table), (action), average); \
+ psc_last_warn = event_time(); \
+ }
/* psc_addr_match_list_match - time-critical address list lookup */
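Review bot: the warning emitted by PSC_CHECK_TIME_AFTER_LOOKUP now reports only the moving average, so the operator no longer sees the size of the individual stall that pushed it over the threshold; log both, for example `msg_warn("%s: %s %s took %.0f ms, average %.0f ms", myname, (table), (action), _new_delta_ms, average);`. Three smaller points on the same macro: the `average` argument is both read and assigned, so it must be an lvalue (the callers pass a static double, which works, but a comment on the macro would protect the next caller); with psc_average weighting 0.1 new / 0.9 old from a zero-initialized static, a single lookup has to exceed 1000 ms before the 100 ms threshold is crossed on its own, which is a deliberate change from the old per-call check and belongs in the XXX comment; and event_time() is called while the only visible include is <postscreen.h>, so confirm that header pulls in the events declarations.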
{
const char *myname = "psc_addr_match_list_match";
int result;
+ static double latency_ms;
PSC_GET_TIME_BEFORE_LOOKUP;
result = addr_match_list_match(addr_list, addr_str);
- PSC_CHECK_TIME_AFTER_LOOKUP("address list", "lookup");
+ PSC_CHECK_TIME_AFTER_LOOKUP("address list", "lookup", latency_ms);
return (result);
}
{
const char *myname = "psc_cache_lookup";
const char *result;
+ static double latency_ms;
PSC_GET_TIME_BEFORE_LOOKUP;
result = dict_cache_lookup(cache, key);
- PSC_CHECK_TIME_AFTER_LOOKUP(dict_cache_name(cache), "lookup");
+ PSC_CHECK_TIME_AFTER_LOOKUP(dict_cache_name(cache), "lookup", latency_ms);
return (result);
}
void psc_cache_update(DICT_CACHE *cache, const char *key, const char *value)
{
const char *myname = "psc_cache_update";
+ static double latency_ms;
PSC_GET_TIME_BEFORE_LOOKUP;
dict_cache_update(cache, key, value);
- PSC_CHECK_TIME_AFTER_LOOKUP(dict_cache_name(cache), "update");
+ PSC_CHECK_TIME_AFTER_LOOKUP(dict_cache_name(cache), "update", latency_ms);
}
/* psc_dict_get - time-critical table lookup */
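Review bot: the `static double latency_ms` added to psc_cache_lookup and psc_cache_update is per function, not per table: both are called with whatever DICT_CACHE the caller passes, so a slow and a fast cache share one average and the warning names whichever table happened to be accessed when the threshold was crossed. The XXX comment in the macro hunk already lists per-table statistics as missing; if that is accepted for the release candidate, the same caveat belongs next to these statics (and to the ones in psc_dict_get and psc_maps_find below, which likewise take the table as a parameter).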
{
const char *myname = "psc_dict_get";
const char *result;
+ static double latency_ms;
PSC_GET_TIME_BEFORE_LOOKUP;
result = dict_get(dict, key);
- PSC_CHECK_TIME_AFTER_LOOKUP(dict->name, "lookup");
+ PSC_CHECK_TIME_AFTER_LOOKUP(dict->name, "lookup", latency_ms);
return (result);
}
{
const char *myname = "psc_maps_find";
const char *result;
+ static double latency_ms;
PSC_GET_TIME_BEFORE_LOOKUP;
result = maps_find(maps, key, flags);
- PSC_CHECK_TIME_AFTER_LOOKUP(maps->title, "lookup");
+ PSC_CHECK_TIME_AFTER_LOOKUP(maps->title, "lookup", latency_ms);
return (result);
}
};
/*
- * SSL_OP_MUMBLE bug work-around name <=> mask conversion. We expect the C
- * preprocessor to be able to handle "long" #if operands
+ * SSL_OP_MUMBLE bug work-around name <=> mask conversion.
*/
#define NAMEBUG(x) #x, SSL_OP_##x
static const LONG_NAME_MASK ssl_bug_tweaks[] = {
-#if defined(SSL_OP_MICROSOFT_SESS_ID_BUG) && \
- ((SSL_OP_MICROSOFT_SESS_ID_BUG & SSL_OP_ALL) != 0L)
+#if defined(SSL_OP_MICROSOFT_SESS_ID_BUG)
NAMEBUG(MICROSOFT_SESS_ID_BUG), /* 0x00000001L */
#endif
-#if defined(SSL_OP_NETSCAPE_CHALLENGE_BUG) && \
- ((SSL_OP_NETSCAPE_CHALLENGE_BUG & SSL_OP_ALL) != 0L)
+#if defined(SSL_OP_NETSCAPE_CHALLENGE_BUG)
NAMEBUG(NETSCAPE_CHALLENGE_BUG), /* 0x00000002L */
#endif
-#if defined(SSL_OP_LEGACY_SERVER_CONNECT) && \
- ((SSL_OP_LEGACY_SERVER_CONNECT & SSL_OP_ALL) != 0L)
+#if defined(SSL_OP_LEGACY_SERVER_CONNECT)
NAMEBUG(LEGACY_SERVER_CONNECT), /* 0x00000004L */
#endif
-#if defined(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && \
- ((SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG & SSL_OP_ALL) != 0L)
+#if defined(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)
NAMEBUG(NETSCAPE_REUSE_CIPHER_CHANGE_BUG), /* 0x00000008L */
"CVE-2010-4180", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG,
#endif
-#if defined(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG) && \
- ((SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG & SSL_OP_ALL) != 0L)
+#if defined(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG)
NAMEBUG(SSLREF2_REUSE_CERT_TYPE_BUG), /* 0x00000010L */
#endif
-#if defined(SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER) && \
- ((SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER & SSL_OP_ALL) != 0L)
+#if defined(SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
NAMEBUG(MICROSOFT_BIG_SSLV3_BUFFER),/* 0x00000020L */
#endif
-#if defined(SSL_OP_MSIE_SSLV2_RSA_PADDING) && \
- ((SSL_OP_MSIE_SSLV2_RSA_PADDING & SSL_OP_ALL) != 0L)
+#if defined(SSL_OP_MSIE_SSLV2_RSA_PADDING)
NAMEBUG(MSIE_SSLV2_RSA_PADDING), /* 0x00000040L */
"CVE-2005-2969", SSL_OP_MSIE_SSLV2_RSA_PADDING,
#endif
-#if defined(SSL_OP_SSLEAY_080_CLIENT_DH_BUG) && \
- ((SSL_OP_SSLEAY_080_CLIENT_DH_BUG & SSL_OP_ALL) != 0L)
+#if defined(SSL_OP_SSLEAY_080_CLIENT_DH_BUG)
NAMEBUG(SSLEAY_080_CLIENT_DH_BUG), /* 0x00000080L */
#endif
-#if defined(SSL_OP_TLS_D5_BUG) && \
- ((SSL_OP_TLS_D5_BUG & SSL_OP_ALL) != 0L)
+#if defined(SSL_OP_TLS_D5_BUG)
NAMEBUG(TLS_D5_BUG), /* 0x00000100L */
#endif
-#if defined(SSL_OP_TLS_BLOCK_PADDING_BUG) && \
- ((SSL_OP_TLS_BLOCK_PADDING_BUG & SSL_OP_ALL) != 0L)
+#if defined(SSL_OP_TLS_BLOCK_PADDING_BUG)
NAMEBUG(TLS_BLOCK_PADDING_BUG), /* 0x00000200L */
#endif
-#if defined(SSL_OP_TLS_ROLLBACK_BUG) && \
- ((SSL_OP_TLS_ROLLBACK_BUG & SSL_OP_ALL) != 0L)
+#if defined(SSL_OP_TLS_ROLLBACK_BUG)
NAMEBUG(TLS_ROLLBACK_BUG), /* 0x00000400L */
#endif
-#if defined(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) && \
- ((SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS & SSL_OP_ALL) != 0L)
+#if defined(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
NAMEBUG(DONT_INSERT_EMPTY_FRAGMENTS), /* 0x00000800L */
#endif
-#if defined(SSL_OP_CRYPTOPRO_TLSEXT_BUG) && \
- ((SSL_OP_CRYPTOPRO_TLSEXT_BUG & SSL_OP_ALL) != 0L)
+#if defined(SSL_OP_CRYPTOPRO_TLSEXT_BUG)
NAMEBUG(CRYPTOPRO_TLSEXT_BUG), /* 0x80000000L */
#endif
0, 0,
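Review bot: dropping the `& SSL_OP_ALL` condition is the right fix. The documentation in this same patch describes TLS_ROLLBACK_BUG as "disabled in OpenSSL 0.9.7 and later", i.e. not part of SSL_OP_ALL, so the old filter silently left documented tls_disable_workarounds names out of ssl_bug_tweaks[]. Two follow-ups: the hexadecimal values in the trailing comments are now the only record of each mask and are no longer cross-checked by any preprocessor test, so they should be verified against the ssl.h of every OpenSSL branch Postfix supports; and a one-line comment stating that the table intentionally includes work-arounds outside SSL_OP_ALL would stop a later cleanup from reintroducing the filter.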
/* .fi
/* An IPv4 address pattern has four fields separated by ".".
/* Each field is either a decimal number, or a sequence inside
-/* "[]" that contains one or more comma-separated decimal
+/* "[]" that contains one or more ";"-separated decimal
/* numbers or number..number ranges.
/*
/* Examples of patterns are 1.2.3.4 (matches itself, as one
/* .br
/* v4octet = any decimal number in the range 0 through 255
/* .br
-/* v4sequence = v4seq_member | v4sequence "," v4seq_member
+/* v4sequence = v4seq_member | v4sequence ";" v4seq_member
/* .br
/* v4seq_member = v4octet | v4octet ".." v4octet
/* .in
}
/* Output the wild-card field separator and repeat the loop. */
if (*bp != IP_MATCH_CODE_CLOSE)
- vstring_sprintf_append(printable, ",");
+ vstring_sprintf_append(printable, ";");
}
vstring_sprintf_append(printable, "]");
}
*/
case IP_MATCH_CODE_OPEN:
VSTRING_ADDCH(byte_codes, IP_MATCH_CODE_OPEN);
- /* Require comma-separated numbers or numeric ranges. */
+ /* Require ";"-separated numbers or numeric ranges. */
for (;;) {
token_type = ip_match_next_token(&cp, &saved_cp, &oval);
if (token_type == IP_MATCH_CODE_OVAL) {
VSTRING_ADDCH(byte_codes, IP_MATCH_CODE_OVAL);
VSTRING_ADDCH(byte_codes, saved_oval);
}
- /* Require "," or end-of-wildcard. */
+ /* Require ";" or end-of-wildcard. */
token_type = look_ahead;
- if (token_type == ',') {
+ if (token_type == ';') {
continue;
} else if (token_type == IP_MATCH_CODE_CLOSE) {
break;
} else {
ipmatch_print_parse_error(byte_codes, pattern,
saved_cp, cp,
- "need \",\" or \"%c\"",
+ "need \";\" or \"%c\"",
IP_MATCH_CODE_CLOSE);
return (STR(byte_codes));
}
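Review bot: the separator character appears as a bare literal twice in this hunk, in the token test `if (token_type == ';')` and again in the error text `"need \";\" or \"%c\""`, while the closing bracket goes through IP_MATCH_CODE_CLOSE in both places. A single named constant for the separator would keep the check and the message from drifting apart in the next syntax change, which is exactly the edit this patch had to make by hand in several places.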
1.2.3.
1.2.3
a
-1.2.3,4
+1.2.3;4
1.2.[3].4
1.2.[].4
1.2.[.4
1.2.].4
-1.2.[1..127,128..255].5
+1.2.[1..127;128..255].5
1.2.[1-255].5
1.2.[1..127.128..255].5
1.2.3.[4]
1.2.3.[x]
1.2.3.4x
1.2.[3..11].5 1.2.3.5 1.2.2.5 1.2.11.5 1.2.12.5 1.2.11.6
-1.2.[3,5,7,9,11].5 1.2.3.5 1.2.2.5 1.2.4.5 1.2.11.5 1.2.12.5 1.2.11.6
+1.2.[3;5;7;9;11].5 1.2.3.5 1.2.2.5 1.2.4.5 1.2.11.5 1.2.12.5 1.2.11.6
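Review bot: the inputs were converted from "," to ";" but no case still uses "," inside "[]", so the suite no longer documents what the old syntax produces; keep one input such as `1.2.[3,5].4` so the reference output shows that "," is now reported with the 'need ";" or "]"' error rather than accepted. The remaining `1.2.3;4` case only exercises ";" outside brackets, where it is rejected for a different reason (need ".").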
Error: need "." at "1.2.3><"
> a
Error: need decimal number 0..255 or "[" at ">a<"
-> 1.2.3,4
-Error: need "." at "1.2.3>,<4"
+> 1.2.3;4
+Error: need "." at "1.2.3>;<4"
> 1.2.[3].4
Code: 1.2.[3].4
> 1.2.[].4
Error: need decimal number 0..255 at "1.2.[>.<4"
> 1.2.].4
Error: need decimal number 0..255 or "[" at "1.2.>]<.4"
-> 1.2.[1..127,128..255].5
-Code: 1.2.[1..127,128..255].5
+> 1.2.[1..127;128..255].5
+Code: 1.2.[1..127;128..255].5
> 1.2.[1-255].5
-Error: need "," or "]" at "1.2.[1>-<255].5"
+Error: need ";" or "]" at "1.2.[1>-<255].5"
> 1.2.[1..127.128..255].5
-Error: need "," or "]" at "1.2.[1..127>.<128..255].5"
+Error: need ";" or "]" at "1.2.[1..127>.<128..255].5"
> 1.2.3.[4]
Code: 1.2.3.[4]
> 1.2.3.[4..1]
Match 1.2.11.5: yes
Match 1.2.12.5: no
Match 1.2.11.6: no
-> 1.2.[3,5,7,9,11].5 1.2.3.5 1.2.2.5 1.2.4.5 1.2.11.5 1.2.12.5 1.2.11.6
-Code: 1.2.[3,5,7,9,11].5
+> 1.2.[3;5;7;9;11].5 1.2.3.5 1.2.2.5 1.2.4.5 1.2.11.5 1.2.12.5 1.2.11.6
+Code: 1.2.[3;5;7;9;11].5
Match 1.2.3.5: yes
Match 1.2.2.5: no
Match 1.2.4.5: no