Flipped a bit in the smtpd_relay_before_recipient_restrictions
implementation. File: smtpd/smtpd_check.c.
+20210206
+
+ Documentation: the inet_protocols default setting is compile-time
+ dependent. Files: proto/postconf.proto, proto/IPV6_README.html,
+ and documentation in smtpd/smtpd.c, smtp/smtp.c, master/master.c.
+
+20210212
+
+ Documentation: added a jq example to the postsuper(1) manpage.
+ File: postsuper/postsuper.c.
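Review bot: The two added entries describe documentation changes only, but the same patch also removes var_relay_before_rcpt_checks and its VAR_RELAY_BEFORE_RCPT_CHECKS row from the global parameter table, re-declares the variable next to the smtpd_uproxy variables, and changes the documented default of smtp_tls_dane_insecure_mx_policy from "(dane)" to "(see 'postconf -d' output)". Neither change has a HISTORY line. Suggest adding an entry for each, with the files touched, so the code move is not hidden behind a "Documentation:" label.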
designed to enforce spam blocking policy. Both are evaluated while replying
to the RCPT TO command, and both support the same features.
-When the compatibility_level less than 3.6, and the
+When the compatibility_level is less than 3.6, and the
smtpd_relay_before_recipient_restrictions parameter is left at its implicit
default setting, Postfix may log the following message:
/etc/postfix/main.cf:
# You must stop/start Postfix after changing this parameter.
- inet_protocols = ipv4 (DEFAULT: enable IPv4 only)
inet_protocols = all (enable IPv4, and IPv6 if supported)
+ inet_protocols = ipv4 (enable IPv4 only)
inet_protocols = ipv4, ipv6 (enable both IPv4 and IPv6)
inet_protocols = ipv6 (enable IPv6 only)
- By default, Postfix uses IPv4 only, because most systems aren't attached to
- an IPv6 network.
-
- o On systems with combined IPv4/IPv6 stacks, attempts to deliver mail via
- IPv6 would always fail with "network unreachable", and those attempts
- would only slow down Postfix.
-
- o Linux kernels don't even load IPv6 protocol support by default. Any
- attempt to use it would fail immediately.
+ The default is compile-time dependent: "all" when Postfix is built on a
+ software distribution with IPv6 support, "ipv4" otherwise.
Note 1: you must stop and start Postfix after changing the inet_protocols
configuration parameter.
- Note 2: if you see error messages like the following, then you're running
- Linux and need to turn on IPv6 in the kernel: see http://www.ipv6.org/ for
- hints and tips. Unlike other systems, Linux does not have a combined stack
- for IPv4 and IPv6, and IPv6 protocol support is not loaded by default.
-
- postconf: warning: inet_protocols: IPv6 support is disabled: Address
- family not supported by protocol
- postconf: warning: inet_protocols: configuring for IPv4 support only
-
- Note 3: on older Linux and Solaris systems, the setting "inet_protocols =
- ipv6" will not prevent Postfix from accepting IPv4 connections. Postfix
- will present the client IP addresses in IPv6 format, though. In all other
- cases, Postfix always presents IPv4 client IP addresses in the traditional
- dotted quad IPv4 format.
+ Note 2: on older Linux and Solaris systems, the setting "inet_protocols =
+ ipv6" will not prevent Postfix from accepting IPv4 connections.
* The other new parameter is smtp_bind_address6. This sets the local
interface address for outgoing IPv6 SMTP connections, just like the
IPv4 outgoing connection attempts is configurable with the
smtp_address_preference parameter.
- * Postfix versions before 2.6 do not support DNSBL (real-time blackhole list)
- lookups for IPv6 client IP addresses.
+ * Postfix versions before 2.6 do not support DNSBL (DNS blocklist) lookups
+ for IPv6 client IP addresses.
* IPv6 does not have class A, B, C, etc. networks. With IPv6 networks, the
setting "mynetworks_style = class" has the same effect as the setting
* main.cf: Specify "inet_interfaces = loopback-only" to listen on loopback
network interfaces only.
- * The lmtp_bind_address and lmtp_bind_address6 features were omitted. The
- Postfix LMTP client will be absorbed into the SMTP client, so there is no
+ * The lmtp_bind_address and lmtp_bind_address6 features were omitted. Postfix
+ version 2.3 merged the LMTP client into the SMTP client, so there was no
reason to keep adding features to the LMTP client.
* The SMTP server now requires that IPv6 addresses in SMTP commands are
Wish list:
- http://www.postfix.org/postconf.5.html#inet_protocols default
- differs from http://www.postfix.org/IPV6_README.html
- and it's compile-time dependent.
+ Try to make the master throttle more distrusting. Currently,
+ the master throttles a service after a child process cannot be
+ created (fork() fails), or if a child process fails upon its
+ first use. The master always unthrottles the service if a process
+ handles a client successfully. This is sufficient to mitigate
+ local configuration errors. It also slows down stupid remote
+ attacks as long as malicious traffic dominates benign traffic.
+ Perhaps monitor a crashing percentage?
+
+ More accurate address verification: do a quota check before
+ reporting that a local(8) or virtual(8) recipient is deliverable.
Eliminate duplicate user_acl check from sendmail, and pass
the result through the postdrop-to-sendmail protocol. This
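Review bot: The new throttle item says the current behaviour slows attacks "as long as malicious traffic dominates benign traffic", but never states the gap that motivates the wish: because one successful client unthrottles the service, a crash-triggering client mixed into mostly benign traffic is not slowed at all. Suggest saying that explicitly, and giving "Perhaps monitor a crashing percentage?" a hint of what is measured (crashes per service over a time window or over the last N processes), so the item can be acted on later. "stupid remote attacks" could be worded more neutrally, for example "unsophisticated".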
resolver feature sets gracefully: an unsupported request
will result in an error status, not program termination.
- DNSSEC end-to-end test, probing a configurable zone (".")
- and resource type (default: NS).
-
When a secondary instance has no multi_instance_name set,
` postmulti -i won't be able to find it.
blocking policy. Both are evaluated while replying to the RCPT TO
command, and both support the same features. </p> </blockquote>
-<p> When the <a href="postconf.5.html#compatibility_level">compatibility_level</a> less than 3.6, and the
+<p> When the <a href="postconf.5.html#compatibility_level">compatibility_level</a> is less than 3.6, and the
<a href="postconf.5.html#smtpd_relay_before_recipient_restrictions">smtpd_relay_before_recipient_restrictions</a> parameter is left at its
implicit default setting, Postfix may log the following message: </p>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
# You must stop/start Postfix after changing this parameter.
- <a href="postconf.5.html#inet_protocols">inet_protocols</a> = ipv4 (DEFAULT: enable IPv4 only)
<a href="postconf.5.html#inet_protocols">inet_protocols</a> = all (enable IPv4, and IPv6 if supported)
+ <a href="postconf.5.html#inet_protocols">inet_protocols</a> = ipv4 (enable IPv4 only)
<a href="postconf.5.html#inet_protocols">inet_protocols</a> = ipv4, ipv6 (enable both IPv4 and IPv6)
<a href="postconf.5.html#inet_protocols">inet_protocols</a> = ipv6 (enable IPv6 only)
</pre>
</blockquote>
-<p> By default, Postfix uses IPv4 only, because most systems aren't
-attached to an IPv6 network. </p>
-
-<ul>
-
-<li> <p> On systems with combined IPv4/IPv6 stacks, attempts to
-deliver mail via IPv6 would always fail with "network unreachable",
-and those attempts would only slow down Postfix. </p>
-
-<li> <p> Linux kernels don't even load IPv6 protocol support by
-default. Any attempt to use it would fail immediately. </p>
-
-</ul>
+<p> The default is compile-time dependent: "all" when Postfix is built
+on a software distribution with IPv6 support, "ipv4" otherwise. </p>
<p> Note 1: you must stop and start Postfix after changing the
<a href="postconf.5.html#inet_protocols">inet_protocols</a> configuration parameter. </p>
-<p> Note 2: if you see error messages like the following, then
-you're running Linux and need to turn on IPv6 in the kernel: see
-<a href="http://www.ipv6.org/">http://www.ipv6.org/</a> for hints and tips. Unlike other systems,
-Linux does not have a combined stack for IPv4 and IPv6, and IPv6
-protocol support is not loaded by default. </p>
-
-<blockquote>
-<pre>
-postconf: warning: <a href="postconf.5.html#inet_protocols">inet_protocols</a>: IPv6 support is disabled: Address family not supported by protocol
-postconf: warning: <a href="postconf.5.html#inet_protocols">inet_protocols</a>: configuring for IPv4 support only
-</pre>
-</blockquote>
-
-<p> Note 3: on older Linux and Solaris systems, the setting
+<p> Note 2: on older Linux and Solaris systems, the setting
"<a href="postconf.5.html#inet_protocols">inet_protocols</a> = ipv6" will not prevent Postfix from
-accepting IPv4 connections. Postfix will present the client IP
-addresses in IPv6 format, though. In all other cases, Postfix always
-presents IPv4 client IP addresses in the traditional dotted quad
-IPv4 format. </p>
+accepting IPv4 connections. </p>
<li> <p> The other new parameter is <a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a>.
This sets the local interface address for outgoing IPv6 SMTP
the order of IPv6 versus IPv4 outgoing connection attempts is
configurable with the <a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> parameter. </p>
-<li> <p> Postfix versions before 2.6 do not support DNSBL (real-time
-blackhole list) lookups for IPv6 client IP addresses. </p>
+<li> <p> Postfix versions before 2.6 do not support DNSBL (DNS
+blocklist) lookups for IPv6 client IP addresses. </p>
<li> <p> IPv6 does not have class A, B, C, etc. networks. With IPv6
networks, the setting "<a href="postconf.5.html#mynetworks_style">mynetworks_style</a> = class" has the
to listen on loopback network interfaces only. </p>
<li> <p> The <a href="postconf.5.html#lmtp_bind_address">lmtp_bind_address</a> and <a href="postconf.5.html#lmtp_bind_address6">lmtp_bind_address6</a>
-features were omitted. The Postfix LMTP client will be absorbed
-into the SMTP client, so there is no reason to keep adding features
+features were omitted. Postfix version 2.3 merged the LMTP client
+into the SMTP client, so there was no reason to keep adding features
to the LMTP client. </p>
<li> <p> The SMTP server now requires that IPv6 addresses in SMTP
Available in Postfix version 3.1 and later:
- <b><a href="postconf.5.html#smtp_tls_dane_insecure_mx_policy">smtp_tls_dane_insecure_mx_policy</a> (dane)</b>
+ <b><a href="postconf.5.html#smtp_tls_dane_insecure_mx_policy">smtp_tls_dane_insecure_mx_policy</a> (see 'postconf -d' output)</b>
The TLS policy for MX hosts with "secure" TLSA records when the
nexthop destination security level is <b>dane</b>, but the MX record
was found via an "insecure" MX lookup.
The network interface addresses that this mail system receives
mail on.
- <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (all)</b>
+ <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d output')</b>
The Internet protocols Postfix will attempt to use when making
or accepting connections.
The network interface addresses that this mail system receives
mail on.
- <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (all)</b>
+ <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d output')</b>
The Internet protocols Postfix will attempt to use when making
or accepting connections.
</DD>
<DT><b><a name="inet_protocols">inet_protocols</a>
-(default: all)</b></DT><DD>
+(default: see 'postconf -d output')</b></DT><DD>
<p> The Internet protocols Postfix will attempt to use when making
or accepting connections. Specify one or more of "ipv4"
input. For example, to delete all mail with exactly one recipi-
ent <b>user@example.com</b>:
+ postqueue -j | jq '
+ # See JSON OBJECT FORMAT section in the <a href="postqueue.1.html">postqueue(1)</a> manpage
+ select(.recipients[0].address == "user@example.com")
+ | select(.recipients[1].address == null)
+ | .queue_id
+ ' | postsuper -d -
+
+ Or the historical form:
+
mailq | tail -n +2 | grep -v '^ *(' | awk 'BEGIN { RS = "" }
# $7=sender, $8=recipient1, $9=recipient2
{ if ($8 == "user@example.com" && $9 == "")
Available in Postfix version 3.1 and later:
- <b><a href="postconf.5.html#smtp_tls_dane_insecure_mx_policy">smtp_tls_dane_insecure_mx_policy</a> (dane)</b>
+ <b><a href="postconf.5.html#smtp_tls_dane_insecure_mx_policy">smtp_tls_dane_insecure_mx_policy</a> (see 'postconf -d' output)</b>
The TLS policy for MX hosts with "secure" TLSA records when the
nexthop destination security level is <b>dane</b>, but the MX record
was found via an "insecure" MX lookup.
The network interface addresses that this mail system receives
mail on.
- <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (all)</b>
+ <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d output')</b>
The Internet protocols Postfix will attempt to use when making
or accepting connections.
The network interface addresses that this mail system receives
mail on by way of a proxy or network address translation unit.
- <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (all)</b>
+ <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d output')</b>
The Internet protocols Postfix will attempt to use when making
or accepting connections.
with exactly one recipient \fBuser@example.com\fR:
.sp
.nf
+postqueue \-j | jq '
+ # See JSON OBJECT FORMAT section in the postqueue(1) manpage
+ select(.recipients[0].address == "user@example.com")
+ | select(.recipients[1].address == null)
+ | .queue_id
+ ' | postsuper \-d \-
+.fi
+.sp
+Or the historical form:
+.sp
+.nf
mailq | tail \-n +2 | grep \-v '^ *(' | awk 'BEGIN { RS = "" }
# $7=sender, $8=recipient1, $9=recipient2
{ if ($8 == "user@example.com" && $9 == "")
.fi
.ad
.ft R
-.SH inet_protocols (default: all)
+.SH inet_protocols (default: see 'postconf \-d output')
The Internet protocols Postfix will attempt to use when making
or accepting connections. Specify one or more of "ipv4"
or "ipv6", separated by whitespace or commas. The form
.IP "\fBinet_interfaces (all)\fR"
The network interface addresses that this mail system receives
mail on.
-.IP "\fBinet_protocols (all)\fR"
+.IP "\fBinet_protocols (see 'postconf -d output')\fR"
The Internet protocols Postfix will attempt to use when making
or accepting connections.
.IP "\fBimport_environment (see 'postconf -d' output)\fR"
legacy SMTPS protocol instead of using the STARTTLS command.
.PP
Available in Postfix version 3.1 and later:
-.IP "\fBsmtp_tls_dane_insecure_mx_policy (dane)\fR"
+.IP "\fBsmtp_tls_dane_insecure_mx_policy (see 'postconf -d' output)\fR"
The TLS policy for MX hosts with "secure" TLSA records when the
nexthop destination security level is \fBdane\fR, but the MX
record was found via an "insecure" MX lookup.
.IP "\fBinet_interfaces (all)\fR"
The network interface addresses that this mail system receives
mail on.
-.IP "\fBinet_protocols (all)\fR"
+.IP "\fBinet_protocols (see 'postconf -d output')\fR"
The Internet protocols Postfix will attempt to use when making
or accepting connections.
.IP "\fBipc_timeout (3600s)\fR"
.IP "\fBproxy_interfaces (empty)\fR"
The network interface addresses that this mail system receives mail
on by way of a proxy or network address translation unit.
-.IP "\fBinet_protocols (all)\fR"
+.IP "\fBinet_protocols (see 'postconf -d output')\fR"
The Internet protocols Postfix will attempt to use when making
or accepting connections.
.IP "\fBlocal_recipient_maps (proxy:unix:passwd.byname $alias_maps)\fR"
<pre>
/etc/postfix/main.cf:
# You must stop/start Postfix after changing this parameter.
- inet_protocols = ipv4 (DEFAULT: enable IPv4 only)
inet_protocols = all (enable IPv4, and IPv6 if supported)
+ inet_protocols = ipv4 (enable IPv4 only)
inet_protocols = ipv4, ipv6 (enable both IPv4 and IPv6)
inet_protocols = ipv6 (enable IPv6 only)
</pre>
</blockquote>
-<p> By default, Postfix uses IPv4 only, because most systems aren't
-attached to an IPv6 network. </p>
-
-<ul>
-
-<li> <p> On systems with combined IPv4/IPv6 stacks, attempts to
-deliver mail via IPv6 would always fail with "network unreachable",
-and those attempts would only slow down Postfix. </p>
-
-<li> <p> Linux kernels don't even load IPv6 protocol support by
-default. Any attempt to use it would fail immediately. </p>
-
-</ul>
+<p> The default is compile-time dependent: "all" when Postfix is built
+on a software distribution with IPv6 support, "ipv4" otherwise. </p>
<p> Note 1: you must stop and start Postfix after changing the
inet_protocols configuration parameter. </p>
-<p> Note 2: if you see error messages like the following, then
-you're running Linux and need to turn on IPv6 in the kernel: see
-http://www.ipv6.org/ for hints and tips. Unlike other systems,
-Linux does not have a combined stack for IPv4 and IPv6, and IPv6
-protocol support is not loaded by default. </p>
-
-<blockquote>
-<pre>
-postconf: warning: inet_protocols: IPv6 support is disabled: Address family not supported by protocol
-postconf: warning: inet_protocols: configuring for IPv4 support only
-</pre>
-</blockquote>
-
-<p> Note 3: on older Linux and Solaris systems, the setting
+<p> Note 2: on older Linux and Solaris systems, the setting
"inet_protocols = ipv6" will not prevent Postfix from
-accepting IPv4 connections. Postfix will present the client IP
-addresses in IPv6 format, though. In all other cases, Postfix always
-presents IPv4 client IP addresses in the traditional dotted quad
-IPv4 format. </p>
+accepting IPv4 connections. </p>
<li> <p> The other new parameter is smtp_bind_address6.
This sets the local interface address for outgoing IPv6 SMTP
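Review bot: The replacement paragraph "The default is compile-time dependent: ..." no longer lets a reader tell from this page which protocols a given installation uses, and it does not say how to find out. Suggest adding a pointer such as "run 'postconf -d inet_protocols' to see the built-in default", which also matches the "see 'postconf -d' output" wording used in the parameter summaries. Separately, the new Note 2 drops the sentences about IPv4 client addresses being presented in IPv6 format on those older systems; if that is still true there, it affects how access table and mynetworks entries must be written and is worth keeping.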
the order of IPv6 versus IPv4 outgoing connection attempts is
configurable with the smtp_address_preference parameter. </p>
-<li> <p> Postfix versions before 2.6 do not support DNSBL (real-time
-blackhole list) lookups for IPv6 client IP addresses. </p>
+<li> <p> Postfix versions before 2.6 do not support DNSBL (DNS
+blocklist) lookups for IPv6 client IP addresses. </p>
<li> <p> IPv6 does not have class A, B, C, etc. networks. With IPv6
networks, the setting "mynetworks_style = class" has the
to listen on loopback network interfaces only. </p>
<li> <p> The lmtp_bind_address and lmtp_bind_address6
-features were omitted. The Postfix LMTP client will be absorbed
-into the SMTP client, so there is no reason to keep adding features
+features were omitted. Postfix version 2.3 merged the LMTP client
+into the SMTP client, so there was no reason to keep adding features
to the LMTP client. </p>
<li> <p> The SMTP server now requires that IPv6 addresses in SMTP
inet_interfaces = 192.168.1.2, 127.0.0.1
</pre>
-%PARAM inet_protocols all
+%PARAM inet_protocols see 'postconf -d output'
<p> The Internet protocols Postfix will attempt to use when making
or accepting connections. Specify one or more of "ipv4"
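Review bot: The closing quote in the new default text is misplaced: "%PARAM inet_protocols see 'postconf -d output'" quotes the word "output" as if it were part of the command. Everywhere else in this patch the convention is "(see 'postconf -d' output)", for example on smtp_tls_dane_insecure_mx_policy and import_environment. Suggest "see 'postconf -d' output" here, and the same fix in the inet_protocols summary lines in the master, smtp and smtpd source comments, since the html and man copies are produced from those.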
char *var_postlog_service;
char *var_dnssec_probe;
-bool var_relay_before_rcpt_checks;
const char null_format_string[1] = "";
/* read and process the following before opening tables. */
VAR_SMTPUTF8_ENABLE, DEF_SMTPUTF8_ENABLE, &var_smtputf8_enable,
VAR_IDNA2003_COMPAT, DEF_IDNA2003_COMPAT, &var_idna2003_compat,
- VAR_RELAY_BEFORE_RCPT_CHECKS, DEF_RELAY_BEFORE_RCPT_CHECKS, &var_relay_before_rcpt_checks,
0,
};
static const CONFIG_STR_FN_TABLE function_str_defaults[] = {
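Review bot: Dropping the VAR_RELAY_BEFORE_RCPT_CHECKS / DEF_RELAY_BEFORE_RCPT_CHECKS row here means the global parameter loader no longer sets var_relay_before_rcpt_checks, and the only matching change visible in this patch is the bare declaration "bool var_relay_before_rcpt_checks;" next to var_smtpd_uproxy_tmout. Please confirm that the SMTP server's own bool table carries the same row; without it the variable stays at its zero initial value regardless of main.cf, which would change the order in which relay and recipient restrictions are applied. If the row already exists there, a one-line comment at the new declaration saying where it is initialized would help.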
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20210201"
+#define MAIL_RELEASE_DATE "20210215"
#define MAIL_VERSION_NUMBER "3.6"
#ifdef SNAPSHOT
/* .IP "\fBinet_interfaces (all)\fR"
/* The network interface addresses that this mail system receives
/* mail on.
-/* .IP "\fBinet_protocols (all)\fR"
+/* .IP "\fBinet_protocols (see 'postconf -d output')\fR"
/* The Internet protocols Postfix will attempt to use when making
/* or accepting connections.
/* .IP "\fBimport_environment (see 'postconf -d' output)\fR"
/* with exactly one recipient \fBuser@example.com\fR:
/* .sp
/* .nf
+/* postqueue -j | jq '
+/* # See JSON OBJECT FORMAT section in the postqueue(1) manpage
+/* select(.recipients[0].address == "user@example.com")
+/* | select(.recipients[1].address == null)
+/* | .queue_id
+/* ' | postsuper -d -
+/* .fi
+/* .sp
+/* Or the historical form:
+/* .sp
+/* .nf
/* mailq | tail -n +2 | grep -v '^ *(' | awk 'BEGIN { RS = "" }
/* # $7=sender, $8=recipient1, $9=recipient2
/* { if ($8 == "user@example.com" && $9 == "")
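Review bot: The added jq call has no -r option, so ".queue_id" is written as a JSON string with its surrounding double quotes, and "postsuper -d -" then reads quoted text rather than bare queue IDs. Suggest "postqueue -j | jq -r '" on the first added line; the html and man copies of this example need the same change. Because the pipeline ends in a delete, it would also help to tell the reader to run it first without the final "| postsuper -d -" and check the list of IDs.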
/* legacy SMTPS protocol instead of using the STARTTLS command.
/* .PP
/* Available in Postfix version 3.1 and later:
-/* .IP "\fBsmtp_tls_dane_insecure_mx_policy (dane)\fR"
+/* .IP "\fBsmtp_tls_dane_insecure_mx_policy (see 'postconf -d' output)\fR"
/* The TLS policy for MX hosts with "secure" TLSA records when the
/* nexthop destination security level is \fBdane\fR, but the MX
/* record was found via an "insecure" MX lookup.
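Review bot: Replacing "(dane)" with "(see 'postconf -d' output)" on smtp_tls_dane_insecure_mx_policy removes the only statement of the default from this summary, and the description below it does not say what the default now depends on. For a parameter that decides the TLS policy for insecurely-discovered MX hosts, suggest adding a short clause to the description naming the setting the default is derived from, so an operator reading this page can tell whether the effective policy is still "dane" on their system.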
/* .IP "\fBinet_interfaces (all)\fR"
/* The network interface addresses that this mail system receives
/* mail on.
-/* .IP "\fBinet_protocols (all)\fR"
+/* .IP "\fBinet_protocols (see 'postconf -d output')\fR"
/* The Internet protocols Postfix will attempt to use when making
/* or accepting connections.
/* .IP "\fBipc_timeout (3600s)\fR"
/* .IP "\fBproxy_interfaces (empty)\fR"
/* The network interface addresses that this mail system receives mail
/* on by way of a proxy or network address translation unit.
-/* .IP "\fBinet_protocols (all)\fR"
+/* .IP "\fBinet_protocols (see 'postconf -d output')\fR"
/* The Internet protocols Postfix will attempt to use when making
/* or accepting connections.
/* .IP "\fBlocal_recipient_maps (proxy:unix:passwd.byname $alias_maps)\fR"
char *var_smtpd_uproxy_proto;
int var_smtpd_uproxy_tmout;
+bool var_relay_before_rcpt_checks;
/*
* Silly little macros.