and the way that check_client_access will match subnets of
an IPv6 address.
+20190428
+
+ Cleanup: replace "(whatever *) 0" with meaningfully-named
+ constants. Sheesh. File: smtpd/smtpd.c.
+
+ Documentation: BASIC_CONFIGURATION_README example default
+ setting was not updated after Postfix 3.0 change. File:
+ proto/BASIC_CONFIGURATION_README.html
+
+20190505
+
+ Workaround: uClibc has no res_send. Log a warning if this
+ code path would be used, and ignore dns_ncache_ttl_fix_enable.
+ Files: util/sys_defs.h, dns/dns_lookup.c, TODO: makedefs
+ and INSTALL documentation.
+
20190516
Initial search order support for check_ccert_access. The
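Review bot: the 20190505 entry carries "TODO: makedefs and INSTALL documentation" inside the change log, and a HISTORY entry that ships in a snapshot should not contain an open TODO. Either include the makedefs/INSTALL updates for the new NO_RES_SEND / HAVE_RES_SEND build switch in this change, or list only the files actually touched (util/sys_defs.h, dns/dns_lookup.c) here and keep the open item in the TODO file.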
mail from outside an authorized network block. This is explained in the
SASL_README and TLS_README documents.
-IMPORTANT: If your machine is connected to a wide area network then your
-default mynetworks setting may be too friendly.
+IMPORTANT: If your machine is connected to a wide area network then the
+"mynetworks_style = host" setting may be too friendly.
Examples (specify only one of the following):
/etc/postfix/main.cf:
- mynetworks_style = subnet (default: authorize subnetworks)
- mynetworks_style = host (safe: authorize local machine only)
- mynetworks = 127.0.0.0/8 (safe: authorize local machine only)
+ mynetworks_style = subnet (not safe on a wide area network)
+ mynetworks_style = host (authorize local machine only)
+ mynetworks = 127.0.0.0/8 (authorize local machine only)
mynetworks = 127.0.0.0/8 168.100.189.2/32 (authorize local machine)
+ mynetworks = 127.0.0.0/8 168.100.189.2/28 (authorize local networks)
You can specify the trusted networks in the main.cf file, or you can let
Postfix do the work for you. The default is to let Postfix do the work. The
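Review bot: the rewritten IMPORTANT sentence names the wrong setting. It now says the "mynetworks_style = host" setting may be too friendly, but the example block directly below annotates "mynetworks_style = subnet (not safe on a wide area network)" and "mynetworks_style = host (authorize local machine only)". host is the most restrictive choice; the warning should read "mynetworks_style = subnet". As written, the text steers an administrator on a wide area network away from the safe setting. The same wording is repeated in the HTML source and in the README_FILES copy of this document. Minor: the added example "mynetworks = 127.0.0.0/8 168.100.189.2/28" has non-zero host bits under the /28 mask; "168.100.189.0/28" is the canonical form and does not rely on the host bits being masked off.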
Background:
- * Postfix consists of a number of daemon programs, and non-daemon programs
- some of which are used for local mail submission, and some for Postfix
+ * Postfix consists of a number of daemon programs that run in the background,
+ as well as non-daemon programs for local mail submission or Postfix
management.
* Logging to Postfix logfile or stdout requires the Postfix postlogd(8)
document. A complete example can be found in the Postfix source code, in the
directory examples/smtpd-policy.
-Another example of policy delegation is the SPF policy server at http://
-www.openspf.org/Software.
+Another example of policy delegation is the SPF policy server at https://
+web.archive.org/web/20190221142057/http://www.openspf.org/Software.
Policy delegation is now the preferred method for adding policies to Postfix.
It's much easier to develop a new feature in few lines of Perl, Python, Ruby,
the software under the license of their choice. Those who are more
comfortable with the IPL can continue with that license.
-Major changes with snapshot 20190516
+Major changes with snapshot 20190517
====================================
Search order support for check_ccert_access. Search order support
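Review bot: the heading changes to "Major changes with snapshot 20190517", while mail_version.h in this same patch moves MAIL_RELEASE_DATE from "20190517" to "20190518". If the check_ccert_access search-order feature ships with the 20190518 snapshot, the heading should say 20190518; if 20190517 is intentional because the feature first appeared in that snapshot, the two dates differing by one in one patch at least deserves a glance before release.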
This is explained in the <a href="SASL_README.html">SASL_README</a> and <a href="TLS_README.html">TLS_README</a> documents. </p>
<p> IMPORTANT: If your machine is connected to a wide area network
-then your default <a href="postconf.5.html#mynetworks">mynetworks</a> setting may be too friendly. </p>
+then the "<a href="postconf.5.html#mynetworks_style">mynetworks_style</a> = host" setting may be too friendly. </p>
<p> Examples (specify only one of the following): </p>
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
- <a href="postconf.5.html#mynetworks_style">mynetworks_style</a> = subnet (default: authorize subnetworks)
- <a href="postconf.5.html#mynetworks_style">mynetworks_style</a> = host (safe: authorize local machine only)
- <a href="postconf.5.html#mynetworks">mynetworks</a> = 127.0.0.0/8 (safe: authorize local machine only)
+ <a href="postconf.5.html#mynetworks_style">mynetworks_style</a> = subnet (not safe on a wide area network)
+ <a href="postconf.5.html#mynetworks_style">mynetworks_style</a> = host (authorize local machine only)
+ <a href="postconf.5.html#mynetworks">mynetworks</a> = 127.0.0.0/8 (authorize local machine only)
<a href="postconf.5.html#mynetworks">mynetworks</a> = 127.0.0.0/8 168.100.189.2/32 (authorize local machine)
+ <a href="postconf.5.html#mynetworks">mynetworks</a> = 127.0.0.0/8 168.100.189.2/28 (authorize local networks)
</pre>
</blockquote>
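Review bot: the replacement IMPORTANT line points at mynetworks_style = host as the setting that "may be too friendly", which contradicts the annotations in the <pre> block below it ("subnet (not safe on a wide area network)", "host (authorize local machine only)"). The link text should read "mynetworks_style = subnet"; the href to postconf.5.html#mynetworks_style is fine as is.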
<ul>
-<li> <p> Postfix consists of a number of daemon programs, and
-non-daemon programs some of which are used for local mail submission,
-and some for Postfix management.
+<li> <p> Postfix consists of a number of daemon programs that run
+in the background, as well as non-daemon programs for local mail
+submission or Postfix management.
<li> <p> Logging to Postfix logfile or stdout requires the Postfix
<a href="postlogd.8.html">postlogd(8)</a> service. This ensures that simultaneous logging from
examples/smtpd-policy. </p>
<p> Another example of policy delegation is the SPF policy server
-at <a href="http://www.openspf.org/Software">http://www.openspf.org/Software</a>. </p>
+at https://web.archive.org/web/20190221142057/<a href="http://www.openspf.org/Software">http://www.openspf.org/Software</a>. </p>
<p> Policy delegation is now the preferred method for adding policies
to Postfix. It's much easier to develop a new feature in few lines
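Review bot: the new link is malformed: the visible text is prefixed with the web.archive.org address, but the <a href> still targets http://www.openspf.org/Software, so the reader sees the archive URL while the click goes to the original site. Put the full archive URL in the href, i.e. <a href="https://web.archive.org/web/20190221142057/http://www.openspf.org/Software">https://web.archive.org/web/20190221142057/http://www.openspf.org/Software</a>, as the plain-text README versions in this patch already do.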
<dt><b><a name="check_ccert_access">check_ccert_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
-<dd> Use the remote SMTP client certificate fingerprint or the public key
+<dd> By default use the remote SMTP client certificate fingerprint
+or the public key
fingerprint (Postfix 2.9 and later) as lookup key for the specified
<a href="access.5.html">access(5)</a> database; with Postfix version 2.2, also require that the
remote SMTP client certificate is verified successfully.
Postfix version 2.5). This feature is available with Postfix version
2.2 and later. </dd>
+<br>
+
+<dd> Alternatively, <a href="postconf.5.html#check_ccert_access">check_ccert_access</a> accepts an explicit search
+order (Postfix 3.5 and later). The default search order as described
+above corresponds with: </dd>
+
+<dd> <a href="postconf.5.html#check_ccert_access">check_ccert_access</a> { <a href="DATABASE_README.html">type:table</a> { search_order = cert_fingerprint,
+pubkey_fingerprint } } </dd>
+
+<dd> Other valid search_order elements are "subject" (the certificate
+subject DN) and "issuer" (the certificate issuer DN). </dd>
+
<dt><b><a name="check_client_access">check_client_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
<dd>Search the specified access database for the client hostname,
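Review bot: the new search_order text should state the trust requirement for the DN-based elements. The fingerprint lookups are bound to key material the client proves possession of in the TLS handshake, but "subject" and "issuer" are strings chosen by whoever created the certificate: a client can present a self-signed certificate with any subject DN it likes, so a table keyed on subject or issuer grants access correctly only when the certificate chain was verified against the configured CAs. Say so next to the list of valid search_order elements, and say whether the elements are tried in order until the first match (the name suggests so, but the text does not). Markup: a <dl> should not contain a bare <br> between </dd> and the next <dd>, and one <dt> with four <dd> children is unusual; either drop the <br> or merge the new text into a single <dd> with <p> paragraphs.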
The following restrictions are specific to client hostname or
client network address information.
.IP "\fBcheck_ccert_access \fItype:table\fR\fR"
-Use the remote SMTP client certificate fingerprint or the public key
+By default use the remote SMTP client certificate fingerprint
+or the public key
fingerprint (Postfix 2.9 and later) as lookup key for the specified
\fBaccess\fR(5) database; with Postfix version 2.2, also require that the
remote SMTP client certificate is verified successfully.
Postfix version 2.5). This feature is available with Postfix version
2.2 and later.
.br
+.br
+Alternatively, check_ccert_access accepts an explicit search
+order (Postfix 3.5 and later). The default search order as described
+above corresponds with:
+.br
+check_ccert_access { type:table { search_order = cert_fingerprint,
+pubkey_fingerprint } }
+.br
+Other valid search_order elements are "subject" (the certificate
+subject DN) and "issuer" (the certificate issuer DN).
+.br
.IP "\fBcheck_client_access \fItype:table\fR\fR"
Search the specified access database for the client hostname,
parent domains, client IP address, or networks obtained by stripping
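Review bot: the existing ".br" immediately before the new block is now followed by the added ".br", which renders as two consecutive line breaks (an empty line) before "Alternatively, ..."; drop one of them. Same content gap as the HTML version: the man page does not say that "subject" and "issuer" lookups are only meaningful for a certificate verified against the trusted CAs, whereas the fingerprint lookups do not depend on that.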
This is explained in the SASL_README and TLS_README documents. </p>
<p> IMPORTANT: If your machine is connected to a wide area network
-then your default mynetworks setting may be too friendly. </p>
+then the "mynetworks_style = host" setting may be too friendly. </p>
<p> Examples (specify only one of the following): </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
- mynetworks_style = subnet (default: authorize subnetworks)
- mynetworks_style = host (safe: authorize local machine only)
- mynetworks = 127.0.0.0/8 (safe: authorize local machine only)
+ mynetworks_style = subnet (not safe on a wide area network)
+ mynetworks_style = host (authorize local machine only)
+ mynetworks = 127.0.0.0/8 (authorize local machine only)
mynetworks = 127.0.0.0/8 168.100.189.2/32 (authorize local machine)
+ mynetworks = 127.0.0.0/8 168.100.189.2/28 (authorize local networks)
</pre>
</blockquote>
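Review bot: this rendered copy of BASIC_CONFIGURATION_README inherits the same error as the proto/ source: the IMPORTANT sentence calls "mynetworks_style = host" too friendly while the example block marks "subnet" as "not safe on a wide area network". Fix the proto/ source (it should say subnet) and regenerate this file rather than editing it separately.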
<ul>
-<li> <p> Postfix consists of a number of daemon programs, and
-non-daemon programs some of which are used for local mail submission,
-and some for Postfix management.
+<li> <p> Postfix consists of a number of daemon programs that run
+in the background, as well as non-daemon programs for local mail
+submission or Postfix management.
<li> <p> Logging to Postfix logfile or stdout requires the Postfix
postlogd(8) service. This ensures that simultaneous logging from
examples/smtpd-policy. </p>
<p> Another example of policy delegation is the SPF policy server
-at http://www.openspf.org/Software. </p>
+at https://web.archive.org/web/20190221142057/http://www.openspf.org/Software. </p>
<p> Policy delegation is now the preferred method for adding policies
to Postfix. It's much easier to develop a new feature in few lines
<dt><b><a name="check_ccert_access">check_ccert_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
-<dd> Use the remote SMTP client certificate fingerprint or the public key
+<dd> By default use the remote SMTP client certificate fingerprint
+or the public key
fingerprint (Postfix 2.9 and later) as lookup key for the specified
access(5) database; with Postfix version 2.2, also require that the
remote SMTP client certificate is verified successfully.
Postfix version 2.5). This feature is available with Postfix version
2.2 and later. </dd>
+<br>
+
+<dd> Alternatively, check_ccert_access accepts an explicit search
+order (Postfix 3.5 and later). The default search order as described
+above corresponds with: </dd>
+
+<dd> check_ccert_access { type:table { search_order = cert_fingerprint,
+pubkey_fingerprint } } </dd>
+
+<dd> Other valid search_order elements are "subject" (the certificate
+subject DN) and "issuer" (the certificate issuer DN). </dd>
+
<dt><b><a name="check_client_access">check_client_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
<dd>Search the specified access database for the client hostname,
* information, but that will have to wait until it is safe to make
* libunbound a mandatory dependency for Postfix.
*/
+#ifdef HAVE_RES_SEND
/* dns_res_query - a res_query() clone that can return negative replies */
}
}
+#endif
+
/* dns_res_search - res_search() that can return negative replies */
static int dns_res_search(const char *name, int class, int type,
_res.options &= ~saved_options;
_res.options |= flags;
if (keep_notfound && var_dns_ncache_ttl_fix) {
+#ifdef HAVE_RES_SEND
len = dns_res_query((char *) name, C_IN, type, reply->buf,
reply->buf_len);
+#else
+ var_dns_ncache_ttl_fix = 0;
+ msg_warn("system library does not support %s=yes"
+ " -- ignoring this setting", VAR_DNS_NCACHE_TTL_FIX);
+ len = dns_res_search((char *) name, C_IN, type, reply->buf,
+ reply->buf_len, keep_notfound);
+#endif
} else {
len = dns_res_search((char *) name, C_IN, type, reply->buf,
reply->buf_len, keep_notfound);
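Review bot: the #else branch clears var_dns_ncache_ttl_fix and logs the warning from inside the per-lookup path, so the message is emitted on the first lookup of every process rather than once per configuration; with Postfix's short-lived daemons that is one warning per process start for as long as the setting is enabled. Consider checking the setting once at startup (or refusing dns_ncache_ttl_fix_enable=yes on builds without HAVE_RES_SEND, in line with the makedefs TODO) instead of at first use. Also, after clearing the flag the #else arm repeats the dns_res_search() call that the existing else arm already makes; resetting var_dns_ncache_ttl_fix = 0 before the "if (keep_notfound && var_dns_ncache_ttl_fix)" test would let the existing else arm handle it and avoid the second copy of the call.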
static const LONG_NAME_MASK resflag_table[] = {
"RES_INIT", RES_INIT,
"RES_DEBUG", RES_DEBUG,
+#ifdef RES_AAONLY
"RES_AAONLY", RES_AAONLY,
+#endif
"RES_USEVC", RES_USEVC,
+#ifdef RES_PRIMARY
"RES_PRIMARY", RES_PRIMARY,
+#endif
"RES_IGNTC", RES_IGNTC,
"RES_RECURSE", RES_RECURSE,
"RES_DEFNAMES", RES_DEFNAMES,
"RES_STAYOPEN", RES_STAYOPEN,
"RES_DNSRCH", RES_DNSRCH,
+#ifdef RES_INSECURE1
"RES_INSECURE1", RES_INSECURE1,
+#endif
+#ifdef RES_INSECURE2
"RES_INSECURE2", RES_INSECURE2,
+#endif
"RES_NOALIASES", RES_NOALIASES,
+#ifdef RES_USE_INET6
"RES_USE_INET6", RES_USE_INET6,
+#endif
#ifdef RES_ROTATE
"RES_ROTATE", RES_ROTATE,
#endif
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20190517"
+#define MAIL_RELEASE_DATE "20190518"
#define MAIL_VERSION_NUMBER "3.5"
#ifdef SNAPSHOT
} else {
neuter(attr_value, NEUTER_CHARACTERS, '?');
if (normalize_mailhost_addr(attr_value, &state->rfc_addr,
- &state->addr, &state->addr_family) < 0) {
+ &state->addr,
+ &state->addr_family) < 0) {
state->error_mask |= MAIL_ERROR_PROTOCOL;
smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
XCLIENT_ADDR, attr_value);
attr_value = SERVER_ADDR_UNKNOWN;
UPDATE_STR(state->dest_addr, attr_value);
} else {
+#define NO_NORM_RFC_ADDR ((char **) 0)
+#define NO_NORM_ADDR_FAMILY ((int *) 0)
neuter(attr_value, NEUTER_CHARACTERS, '?');
- if (normalize_mailhost_addr(attr_value, (char **) 0,
- &state->dest_addr, (int *) 0) < 0) {
+ if (normalize_mailhost_addr(attr_value, NO_NORM_RFC_ADDR,
+ &state->dest_addr,
+ NO_NORM_ADDR_FAMILY) < 0) {
state->error_mask |= MAIL_ERROR_PROTOCOL;
smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
XCLIENT_DESTADDR, attr_value);
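Review bot: NO_NORM_RFC_ADDR and NO_NORM_ADDR_FAMILY are #defined in the middle of the XCLIENT DESTADDR else-block, yet NO_NORM_ADDR_FAMILY is also used in the XFORWARD ADDR handler further down in this patch; that compiles only because of textual order in the file. Move both definitions to file scope next to the other smtpd.c constants (or alongside the normalize_mailhost_addr() declaration, since the null-pointer convention belongs to that function), so the next reader does not find a macro defined inside a function body.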
UPDATE_STR(state->xforward.addr, attr_value);
} else {
neuter(attr_value, NEUTER_CHARACTERS, '?');
- if (normalize_mailhost_addr(attr_value, &state->xforward.rfc_addr,
- &state->xforward.addr, (int *) 0) < 0) {
+ if (normalize_mailhost_addr(attr_value,
+ &state->xforward.rfc_addr,
+ &state->xforward.addr,
+ NO_NORM_ADDR_FAMILY) < 0) {
state->error_mask |= MAIL_ERROR_PROTOCOL;
smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
XFORWARD_ADDR, attr_value);
#endif
#define OPTIND (optind > 0 ? optind : 1)
+#if !defined(__UCLIBC__) && !defined(NO_RES_SEND)
+#define HAVE_RES_SEND
+#else
+#undef HAVE_RES_SEND
+#endif
+
/*
* Check for required but missing definitions.
*/
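Review bot: HAVE_RES_SEND is derived purely from !defined(__UCLIBC__) && !defined(NO_RES_SEND), and the #undef in the #else arm discards any HAVE_RES_SEND the build might pass in; a builder can therefore only switch res_send support off (NO_RES_SEND), never on for a uClibc build that does provide it. If the makedefs/INSTALL follow-up from the HISTORY entry is meant to let the build system probe for res_send(), let an explicit -DHAVE_RES_SEND in CCARGS win over the __UCLIBC__ default, and document both switches in INSTALL.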