regression that broke TLS handshakes. It is rarely useful.
Report by Spil Oss, fix by Viktor Dukhovni. File:
tls/tls_server.c.
+
+20220802
+
+ Documentation: in the aliases(5) manpage, more specific
+ pointers to the local(8) manpage sections for delivery to
+ file, command execution, and delivery rights. File:
+ proto/aliases.
+
+20220805
+
+ Feature: "mail_version" attribute in the SMTPD policy
+ protocol, with the value of the "mail_version" configuration
+ parameter. This differs from the "compatibility_level"
+ attribute, because "mail_version" indicates the presence
+ of new features, while "compatibility_level" concerns changes
+ in default settings. Files: global/mail_proto.h,
+ proto/SMTPD_POLICY_README.html, smtpd/smtpd_check.c.
+
+20220808
+
+ Documentation: some Debian releases hard-code the search
+ path for Cyrus SASL application configuration files,
+ overriding the cyrus_sasl_config_path setting. Viktor
+ Dukhovni. File: proto/SASL_README.html.
+
+20220815
+
+ Updated the postscreen_dnsbl_sites documentation, based
+ on questions on the postfix-users mailing list. File:
+ proto/postconf.proto.
cyrus_sasl_config_path and/or the distribution-specific documentation to
determine the expected location.
+Some Debian-based Postfix distributions patch Postfix to hardcode a non-default
+search path, making it impossible to set an alternate search path via the
+"cyrus_sasl_config_path" parameter. This is likely to be the case when the
+distribution documents a Postfix-specific path (e.g. /etc/postfix/sasl/) that
+is different from the default value of "cyrus_sasl_config_path" (which then is
+likely to be empty).
+
N\bNo\bot\bte\be
Cyrus SASL searches /usr/lib/sasl2/ first. If it finds the specified
server_port=54321
P\bPo\bos\bst\btf\bfi\bix\bx v\bve\ber\brs\bsi\bio\bon\bn 3\b3.\b.8\b8 a\ban\bnd\bd l\bla\bat\bte\ber\br:\b:
compatibility_level=major.minor.patch
+ mail_version=3.8.0
[empty line]
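Review bot: the example at "mail_version=3.8.0" shows only the stable form, while the note added for this attribute also defines major.minor-yyyymmdd for unstable releases. A policy server author who copies the example is likely to parse three dotted integers and fail on a snapshot build. Consider showing or mentioning the second form next to the example, or pointing to the note from here.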
Notes:
parameter value. It has the form major.minor.patch where minor and patch
may be absent.
+ * The "mail_version" attribute corresponds to the mail_version parameter
+ value. It has the form major.minor.patch for stable releases, and
+ major.minor-yyyymmdd for unstable releases.
+
The following is specific to SMTPD delegated policy requests:
* Protocol names are ESMTP or SMTP.
Scan Postfix code with github.com/googleprojectzero/weggli
(depends on "rust").
+ Migrate masquerade_domains from ARGV to STRING_LIST.
+
Enforce var_line_limit in util/attr_scan*c.
Investigate clang-format compatibility compared to indent.
WARN_IF_REJECT like prefix that disables the error counter increment.
- Send the Postfix version in a policy server request.
-
postscreen_dnsbl_sites is evaluated in the reverse order, breaking
expectations when different reply patterns have different weights.
We need a compatibility_level feature to correct this.
# with the RFC 822 standard.
#
# /file/name
-# Mail is appended to /file/name. See local(8) for
-# details of delivery to file. Delivery is not lim-
-# ited to regular files. For example, to dispose of
-# unwanted mail, deflect it to /dev/null.
+# Mail is appended to /file/name. For details on how
+# a file is written see the sections "EXTERNAL FILE
+# DELIVERY" and "DELIVERY RIGHTS" in the local(8)
+# documentation. Delivery is not limited to regular
+# files. For example, to dispose of unwanted mail,
+# deflect it to /dev/null.
#
# |command
# Mail is piped into command. Commands that contain
# special characters, such as whitespace, should be
-# enclosed between double quotes. See local(8) for
-# details of delivery to command.
+# enclosed between double quotes. For details on how
+# a command is executed see "EXTERNAL COMMAND DELIV-
+# ERY" and "DELIVERY RIGHTS" in the local(8) documen-
+# tation.
#
# When the command fails, a limited amount of command
# output is mailed back to the sender. The file
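Review bot: in the |command entry the section title is hyphenated mid-word ("EXTERNAL COMMAND DELIV-" / "ERY", and "documen-" / "tation"), so a search of this file for the word DELIVERY misses the pointer that this change is meant to add. The /file/name entry above keeps each word of its titles whole. Consider generating this text with hyphenation off, at least for the quoted section titles.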
# the recipient_delimiter is set to "-".
#
# recipient_delimiter (empty)
-# The set of characters that can separate a user name
-# from its extension (example: user+foo), or a .for-
-# ward file name from its extension (example: .for-
-# ward+foo).
+# The set of characters that can separate an email
+# address localpart, user name, or a .forward file
+# name from its extension.
#
# Available in Postfix version 2.3 and later:
#
# frozen_delivered_to (yes)
-# Update the local(8) delivery agent's idea of the
-# Delivered-To: address (see prepend_deliv-
-# ered_header) only once, at the start of a delivery
-# attempt; do not update the Delivered-To: address
+# Update the local(8) delivery agent's idea of the
+# Delivered-To: address (see prepend_deliv-
+# ered_header) only once, at the start of a delivery
+# attempt; do not update the Delivered-To: address
# while expanding aliases or .forward files.
#
# STANDARDS
# postconf(5), configuration parameters
#
# README FILES
-# Use "postconf readme_directory" or "postconf html_direc-
+# Use "postconf readme_directory" or "postconf html_direc-
# tory" to locate this information.
# DATABASE_README, Postfix lookup table overview
#
# LICENSE
-# The Secure Mailer license must be distributed with this
+# The Secure Mailer license must be distributed with this
# software.
#
# AUTHOR(S)
<a href="postconf.5.html#cyrus_sasl_config_path">cyrus_sasl_config_path</a></code> and/or the distribution-specific
documentation to determine the expected location. </p> </li>
+<li> <p> Some Debian-based Postfix distributions patch Postfix to
+hardcode a non-default search path, making it impossible to set an
+alternate search path via the "<a href="postconf.5.html#cyrus_sasl_config_path">cyrus_sasl_config_path</a>" parameter. This
+is likely to be the case when the distribution documents a
+Postfix-specific path (e.g. <code>/etc/postfix/sasl/</code>) that is
+different from the default value of "<a href="postconf.5.html#cyrus_sasl_config_path">cyrus_sasl_config_path</a>" (which
+then is likely to be empty). </p> </li>
+
</ul>
<blockquote>
server_port=54321
<b>Postfix version 3.8 and later:</b>
<a href="postconf.5.html#compatibility_level">compatibility_level</a>=<i>major</i>.<i>minor</i>.<i>patch</i>
+<a href="postconf.5.html#mail_version">mail_version</a>=3.8.0
[empty line]
</pre>
</blockquote>
<i>major</i>.<i>minor</i>.<i>patch</i> where <i>minor</i> and
<i>patch</i> may be absent. </p>
+ <li> <p> The "<a href="postconf.5.html#mail_version">mail_version</a>" attribute corresponds to the
+ <a href="postconf.5.html#mail_version">mail_version</a> parameter value. It has the form
+ <i>major</i>.<i>minor</i>.<i>patch</i> for stable releases, and
+ <i>major</i>.<i>minor</i>-<i>yyyymmdd</i> for unstable releases.
+ </p>
+
</ul>
<p> The following is specific to SMTPD delegated policy requests:
<a href="https://tools.ietf.org/html/rfc822">822</a> standard.
<i>/file/name</i>
- Mail is appended to <i>/file/name</i>. See <a href="local.8.html"><b>local</b>(8)</a> for details of
- delivery to file. Delivery is not limited to regular files.
- For example, to dispose of unwanted mail, deflect it to
- <b>/dev/null</b>.
+ Mail is appended to <i>/file/name</i>. For details on how a file is
+ written see the sections "EXTERNAL FILE DELIVERY" and "DELIVERY
+ RIGHTS" in the <a href="local.8.html"><b>local</b>(8)</a> documentation. Delivery is not limited
+ to regular files. For example, to dispose of unwanted mail,
+ deflect it to <b>/dev/null</b>.
|<i>command</i>
- Mail is piped into <i>command</i>. Commands that contain special char-
- acters, such as whitespace, should be enclosed between double
- quotes. See <a href="local.8.html"><b>local</b>(8)</a> for details of delivery to command.
-
- When the command fails, a limited amount of command output is
- mailed back to the sender. The file <b>/usr/include/sysexits.h</b>
- defines the expected exit status codes. For example, use <b>"|exit</b>
- <b>67"</b> to simulate a "user unknown" error, and <b>"|exit 0"</b> to imple-
+ Mail is piped into <i>command</i>. Commands that contain special char-
+ acters, such as whitespace, should be enclosed between double
+ quotes. For details on how a command is executed see "EXTERNAL
+ COMMAND DELIVERY" and "DELIVERY RIGHTS" in the <a href="local.8.html"><b>local</b>(8)</a> documen-
+ tation.
+
+ When the command fails, a limited amount of command output is
+ mailed back to the sender. The file <b>/usr/include/sysexits.h</b>
+ defines the expected exit status codes. For example, use <b>"|exit</b>
+ <b>67"</b> to simulate a "user unknown" error, and <b>"|exit 0"</b> to imple-
ment an expensive black hole.
<b>:include:</b><i>/file/name</i>
- Mail is sent to the destinations listed in the named file.
- Lines in <b>:include:</b> files have the same syntax as the right-hand
+ Mail is sent to the destinations listed in the named file.
+ Lines in <b>:include:</b> files have the same syntax as the right-hand
side of alias entries.
- A destination can be any destination that is described in this
- manual page. However, delivery to "|<i>command</i>" and <i>/file/name</i> is
- disallowed by default. To enable, edit the <b><a href="postconf.5.html#allow_mail_to_commands">allow_mail_to_com</a>-</b>
+ A destination can be any destination that is described in this
+ manual page. However, delivery to "|<i>command</i>" and <i>/file/name</i> is
+ disallowed by default. To enable, edit the <b><a href="postconf.5.html#allow_mail_to_commands">allow_mail_to_com</a>-</b>
<b><a href="postconf.5.html#allow_mail_to_commands">mands</a></b> and <b><a href="postconf.5.html#allow_mail_to_files">allow_mail_to_files</a></b> configuration parameters.
<b>ADDRESS EXTENSION</b>
- When alias database search fails, and the recipient localpart contains
- the optional recipient delimiter (e.g., <i>user+foo</i>), the search is
+ When alias database search fails, and the recipient localpart contains
+ the optional recipient delimiter (e.g., <i>user+foo</i>), the search is
repeated for the unextended address (e.g., <i>user</i>).
- The <b><a href="postconf.5.html#propagate_unmatched_extensions">propagate_unmatched_extensions</a></b> parameter controls whether an
+ The <b><a href="postconf.5.html#propagate_unmatched_extensions">propagate_unmatched_extensions</a></b> parameter controls whether an
unmatched address extension (<i>+foo</i>) is propagated to the result of table
lookup.
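Review bot: the /file/name and |command entries gain pointers to "DELIVERY RIGHTS", but the :include: entry in the same hunk changes only in spacing, although it states that delivery to "|command" and /file/name can be enabled from an include file with allow_mail_to_commands and allow_mail_to_files. That is the third route to file and command delivery described here, so it should carry the same pointer to the local(8) sections.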
before database lookup.
<b>REGULAR EXPRESSION TABLES</b>
- This section describes how the table lookups change when the table is
- given in the form of regular expressions. For a description of regular
- expression lookup table syntax, see <a href="regexp_table.5.html"><b>regexp_table</b>(5)</a> or <a href="pcre_table.5.html"><b>pcre_table</b>(5)</a>.
+ This section describes how the table lookups change when the table is
+ given in the form of regular expressions. For a description of regular
+ expression lookup table syntax, see <a href="regexp_table.5.html"><b>regexp_table</b>(5)</a> or <a href="pcre_table.5.html"><b>pcre_table</b>(5)</a>.
NOTE: these formats do not use ":" at the end of a pattern.
Each regular expression is applied to the entire search string. Thus, a
reasons there is no support for <b>$1</b>, <b>$2</b> etc. substring interpolation.
<b>SECURITY</b>
- The <a href="local.8.html"><b>local</b>(8)</a> delivery agent disallows regular expression substitution
+ The <a href="local.8.html"><b>local</b>(8)</a> delivery agent disallows regular expression substitution
of $1 etc. in <b><a href="postconf.5.html#alias_maps">alias_maps</a></b>, because that would open a security hole.
- The <a href="local.8.html"><b>local</b>(8)</a> delivery agent will silently ignore requests to use the
- <a href="proxymap.8.html"><b>proxymap</b>(8)</a> server within <b><a href="postconf.5.html#alias_maps">alias_maps</a></b>. Instead it will open the table
+ The <a href="local.8.html"><b>local</b>(8)</a> delivery agent will silently ignore requests to use the
+ <a href="proxymap.8.html"><b>proxymap</b>(8)</a> server within <b><a href="postconf.5.html#alias_maps">alias_maps</a></b>. Instead it will open the table
directly. Before Postfix version 2.2, the <a href="local.8.html"><b>local</b>(8)</a> delivery agent will
terminate with a fatal error.
<b>CONFIGURATION PARAMETERS</b>
- The following <a href="postconf.5.html"><b>main.cf</b></a> parameters are especially relevant. The text
- below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for more
+ The following <a href="postconf.5.html"><b>main.cf</b></a> parameters are especially relevant. The text
+ below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for more
details including examples.
<b><a href="postconf.5.html#alias_database">alias_database</a> (see 'postconf -d' output)</b>
- The alias databases for <a href="local.8.html"><b>local</b>(8)</a> delivery that are updated with
+ The alias databases for <a href="local.8.html"><b>local</b>(8)</a> delivery that are updated with
"<b>newaliases</b>" or with "<b>sendmail -bi</b>".
<b><a href="postconf.5.html#alias_maps">alias_maps</a> (see 'postconf -d' output)</b>
Restrict <a href="local.8.html"><b>local</b>(8)</a> mail delivery to external files.
<b><a href="postconf.5.html#expand_owner_alias">expand_owner_alias</a> (no)</b>
- When delivering to an alias "<i>aliasname</i>" that has an
+ When delivering to an alias "<i>aliasname</i>" that has an
"owner-<i>aliasname</i>" companion alias, set the envelope sender
address to the expansion of the "owner-<i>aliasname</i>" alias.
<b><a href="postconf.5.html#propagate_unmatched_extensions">propagate_unmatched_extensions</a> (canonical, virtual)</b>
- What address lookup tables copy an address extension from the
+ What address lookup tables copy an address extension from the
lookup key to the lookup result.
<b><a href="postconf.5.html#owner_request_special">owner_request_special</a> (yes)</b>
- Enable special treatment for owner-<i>listname</i> entries in the
+ Enable special treatment for owner-<i>listname</i> entries in the
<a href="aliases.5.html"><b>aliases</b>(5)</a> file, and don't split owner-<i>listname</i> and <i>list-</i>
- <i>name</i>-request address localparts when the <a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> is
+ <i>name</i>-request address localparts when the <a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> is
set to "-".
<b><a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> (empty)</b>
- The set of characters that can separate an email address local-
+ The set of characters that can separate an email address local-
part, user name, or a .forward file name from its extension.
Available in Postfix version 2.3 and later:
<b><a href="postconf.5.html#frozen_delivered_to">frozen_delivered_to</a> (yes)</b>
- Update the <a href="local.8.html"><b>local</b>(8)</a> delivery agent's idea of the Delivered-To:
- address (see <a href="postconf.5.html#prepend_delivered_header">prepend_delivered_header</a>) only once, at the start
- of a delivery attempt; do not update the Delivered-To: address
+ Update the <a href="local.8.html"><b>local</b>(8)</a> delivery agent's idea of the Delivered-To:
+ address (see <a href="postconf.5.html#prepend_delivered_header">prepend_delivered_header</a>) only once, at the start
+ of a delivery attempt; do not update the Delivered-To: address
while expanding aliases or .forward files.
<b>STANDARDS</b>
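Review bot: every removed line in this hunk, from expand_owner_alias through frozen_delivered_to, reads the same as the line that replaces it, so the change appears to be inter-word spacing only; the same holds for the SECURITY paragraphs in the hunk above. This re-justification buries the two entries whose wording really changed (/file/name and |command). Consider regenerating the file without re-justifying untouched paragraphs, or putting the reflow in a separate change.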
<DT><b><a name="postscreen_dnsbl_sites">postscreen_dnsbl_sites</a>
(default: empty)</b></DT><DD>
-<p>Optional list of DNS allow/denylist domains, filters and weight
+<p>Optional list of patterns with DNS allow/denylist domains, filters
+and weight
factors. When the list is non-empty, the <a href="dnsblog.8.html">dnsblog(8)</a> daemon will
-query these domains with the IP addresses of remote SMTP clients,
+query these domains with the reversed IP addresses of remote SMTP
+clients,
and <a href="postscreen.8.html">postscreen(8)</a> will update an SMTP client's DNSBL score with
-each non-error reply. </p>
+each non-error reply as described below. </p>
-<p> Caution: when postscreen rejects mail, it replies with the DNSBL
+<p> Caution: when postscreen rejects mail, its SMTP response contains
+the DNSBL
domain name. Use the <a href="postconf.5.html#postscreen_dnsbl_reply_map">postscreen_dnsbl_reply_map</a> feature to hide
"password" information in DNSBL domain names. </p>
specified with <a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a>, <a href="postscreen.8.html">postscreen(8)</a> can drop
the connection with the remote SMTP client. </p>
-<p> Specify a list of domain=filter*weight entries, separated by
+<p> Specify a list of domain=filter*weight patterns, separated by
comma or whitespace. </p>
<ul>
-<li> <p> When no "=filter" is specified, <a href="postscreen.8.html">postscreen(8)</a> will use any
-non-error DNSBL reply. Otherwise, <a href="postscreen.8.html">postscreen(8)</a> uses only DNSBL
-replies that match the filter. The filter has the form d.d.d.d,
+<li> <p> When a pattern specifies no "=filter", <a href="postscreen.8.html">postscreen(8)</a> will
+use any non-error DNSBL query result. Otherwise, <a href="postscreen.8.html">postscreen(8)</a>
+will use only DNSBL
+query results that match the filter. The filter has the form d.d.d.d,
where each d is a number, or a pattern inside [] that contains one
or more ";"-separated numbers or number..number ranges. </p>
-<li> <p> When no "*weight" is specified, <a href="postscreen.8.html">postscreen(8)</a> increments
-the remote SMTP client's DNSBL score by 1. Otherwise, the weight must be
-an integral number, and <a href="postscreen.8.html">postscreen(8)</a> adds the specified weight to
-the remote SMTP client's DNSBL score. Specify a negative number for
-allowlisting. </p>
+<li> <p> When a pattern specifies no "*weight", the weight of the
+pattern is 1. Otherwise, the weight must be an integral number.
+Specify a negative number for allowlisting. </p>
-<li> <p> When one <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> entry produces multiple
-DNSBL responses, <a href="postscreen.8.html">postscreen(8)</a> applies the weight at most once.
-</p>
+<li> <p> When a pattern matches one or more DNSBL query results,
+<a href="postscreen.8.html">postscreen(8)</a> adds that pattern's weight once to the remote SMTP
+client's DNSBL score. </p>
</ul>
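Review bot: the opening paragraph still says postscreen updates the score "with each non-error reply as described below", while the rewritten bullets say a pattern's weight is added once when it matches "one or more DNSBL query results". The intro therefore contradicts the rule it points to, and it uses "reply" where the bullets now use "query result". Suggest rewording the intro to say the score is updated once per matching pattern, and using one term throughout.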
Mail is forwarded to \fIaddress\fR, which is compatible
with the RFC 822 standard.
.IP \fI/file/name\fR
-Mail is appended to \fI/file/name\fR. See \fBlocal\fR(8)
-for details of delivery to file.
+Mail is appended to \fI/file/name\fR. For details on how a
+file is written see the sections "EXTERNAL FILE DELIVERY"
+and "DELIVERY RIGHTS" in the \fBlocal\fR(8) documentation.
Delivery is not limited to regular files. For example, to dispose
of unwanted mail, deflect it to \fB/dev/null\fR.
.IP "|\fIcommand\fR"
-Mail is piped into \fIcommand\fR. Commands that contain special
-characters, such as whitespace, should be enclosed between double
-quotes. See \fBlocal\fR(8) for details of delivery to command.
+Mail is piped into \fIcommand\fR. Commands that contain
+special characters, such as whitespace, should be enclosed
+between double quotes. For details on how a command is
+executed see "EXTERNAL COMMAND DELIVERY" and "DELIVERY
+RIGHTS" in the \fBlocal\fR(8) documentation.
.sp
When the command fails, a limited amount of command output is
mailed back to the sender. The file \fB/usr/include/sysexits.h\fR
.PP
This feature is available in Postfix 2.8.
.SH postscreen_dnsbl_sites (default: empty)
-Optional list of DNS allow/denylist domains, filters and weight
+Optional list of patterns with DNS allow/denylist domains, filters
+and weight
factors. When the list is non\-empty, the \fBdnsblog\fR(8) daemon will
-query these domains with the IP addresses of remote SMTP clients,
+query these domains with the reversed IP addresses of remote SMTP
+clients,
and \fBpostscreen\fR(8) will update an SMTP client's DNSBL score with
-each non\-error reply.
+each non\-error reply as described below.
.PP
-Caution: when postscreen rejects mail, it replies with the DNSBL
+Caution: when postscreen rejects mail, its SMTP response contains
+the DNSBL
domain name. Use the postscreen_dnsbl_reply_map feature to hide
"password" information in DNSBL domain names.
.PP
specified with postscreen_dnsbl_threshold, \fBpostscreen\fR(8) can drop
the connection with the remote SMTP client.
.PP
-Specify a list of domain=filter*weight entries, separated by
+Specify a list of domain=filter*weight patterns, separated by
comma or whitespace.
.IP \(bu
-When no "=filter" is specified, \fBpostscreen\fR(8) will use any
-non\-error DNSBL reply. Otherwise, \fBpostscreen\fR(8) uses only DNSBL
-replies that match the filter. The filter has the form d.d.d.d,
+When a pattern specifies no "=filter", \fBpostscreen\fR(8) will
+use any non\-error DNSBL query result. Otherwise, \fBpostscreen\fR(8)
+will use only DNSBL
+query results that match the filter. The filter has the form d.d.d.d,
where each d is a number, or a pattern inside [] that contains one
or more ";"\-separated numbers or number..number ranges.
.IP \(bu
-When no "*weight" is specified, \fBpostscreen\fR(8) increments
-the remote SMTP client's DNSBL score by 1. Otherwise, the weight must be
-an integral number, and \fBpostscreen\fR(8) adds the specified weight to
-the remote SMTP client's DNSBL score. Specify a negative number for
-allowlisting.
+When a pattern specifies no "*weight", the weight of the
+pattern is 1. Otherwise, the weight must be an integral number.
+Specify a negative number for allowlisting.
.IP \(bu
-When one postscreen_dnsbl_sites entry produces multiple
-DNSBL responses, \fBpostscreen\fR(8) applies the weight at most once.
+When a pattern matches one or more DNSBL query results,
+\fBpostscreen\fR(8) adds that pattern's weight once to the remote SMTP
+client's DNSBL score.
.br
.PP
Examples:
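Review bot: the Caution paragraph is reworded to say the SMTP response contains the DNSBL domain name, but it still refers to "password" information in quotes without saying what that is. Since this is the one security warning in the parameter description, one clause stating that it means a secret embedded in a domain name listed in postscreen_dnsbl_sites would make clear when postscreen_dnsbl_reply_map is needed.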
cyrus_sasl_config_path</code> and/or the distribution-specific
documentation to determine the expected location. </p> </li>
+<li> <p> Some Debian-based Postfix distributions patch Postfix to
+hardcode a non-default search path, making it impossible to set an
+alternate search path via the "cyrus_sasl_config_path" parameter. This
+is likely to be the case when the distribution documents a
+Postfix-specific path (e.g. <code>/etc/postfix/sasl/</code>) that is
+different from the default value of "cyrus_sasl_config_path" (which
+then is likely to be empty). </p> </li>
+
</ul>
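Review bot: the closing parenthesis "(which then is likely to be empty)" is ambiguous: "then" can be read as meaning the default is empty only on patched builds. The paragraph also stops at "impossible to set an alternate search path" without stating the practical consequence, which is that a Cyrus SASL configuration file placed under the cyrus_sasl_config_path value is not the one in use. Suggest saying that directly and repeating the advice from the previous item to check the distribution documentation for the location that is actually searched.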
<blockquote>
server_port=54321
<b>Postfix version 3.8 and later:</b>
compatibility_level=<i>major</i>.<i>minor</i>.<i>patch</i>
+mail_version=3.8.0
[empty line]
</pre>
</blockquote>
<i>major</i>.<i>minor</i>.<i>patch</i> where <i>minor</i> and
<i>patch</i> may be absent. </p>
+ <li> <p> The "mail_version" attribute corresponds to the
+ mail_version parameter value. It has the form
+ <i>major</i>.<i>minor</i>.<i>patch</i> for stable releases, and
+ <i>major</i>.<i>minor</i>-<i>yyyymmdd</i> for unstable releases.
+ </p>
+
</ul>
<p> The following is specific to SMTPD delegated policy requests:
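Review bot: the new list item describes the format of "mail_version" but not why a policy server would read it instead of "compatibility_level". The HISTORY entry in this patch has the explanation ("mail_version" indicates the presence of new features, "compatibility_level" concerns changes in default settings), and it belongs here as well, because this file is what policy server authors read.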
# Mail is forwarded to \fIaddress\fR, which is compatible
# with the RFC 822 standard.
# .IP \fI/file/name\fR
-# Mail is appended to \fI/file/name\fR. See \fBlocal\fR(8)
-# for details of delivery to file.
+# Mail is appended to \fI/file/name\fR. For details on how a
+# file is written see the sections "EXTERNAL FILE DELIVERY"
+# and "DELIVERY RIGHTS" in the \fBlocal\fR(8) documentation.
# Delivery is not limited to regular files. For example, to dispose
# of unwanted mail, deflect it to \fB/dev/null\fR.
# .IP "|\fIcommand\fR"
-# Mail is piped into \fIcommand\fR. Commands that contain special
-# characters, such as whitespace, should be enclosed between double
-# quotes. See \fBlocal\fR(8) for details of delivery to command.
+# Mail is piped into \fIcommand\fR. Commands that contain
+# special characters, such as whitespace, should be enclosed
+# between double quotes. For details on how a command is
+# executed see "EXTERNAL COMMAND DELIVERY" and "DELIVERY
+# RIGHTS" in the \fBlocal\fR(8) documentation.
# .sp
# When the command fails, a limited amount of command output is
# mailed back to the sender. The file \fB/usr/include/sysexits.h\fR
%PARAM postscreen_dnsbl_sites
-<p>Optional list of DNS allow/denylist domains, filters and weight
+<p>Optional list of patterns with DNS allow/denylist domains, filters
+and weight
factors. When the list is non-empty, the dnsblog(8) daemon will
-query these domains with the IP addresses of remote SMTP clients,
+query these domains with the reversed IP addresses of remote SMTP
+clients,
and postscreen(8) will update an SMTP client's DNSBL score with
-each non-error reply. </p>
+each non-error reply as described below. </p>
-<p> Caution: when postscreen rejects mail, it replies with the DNSBL
+<p> Caution: when postscreen rejects mail, its SMTP response contains
+the DNSBL
domain name. Use the postscreen_dnsbl_reply_map feature to hide
"password" information in DNSBL domain names. </p>
specified with postscreen_dnsbl_threshold, postscreen(8) can drop
the connection with the remote SMTP client. </p>
-<p> Specify a list of domain=filter*weight entries, separated by
+<p> Specify a list of domain=filter*weight patterns, separated by
comma or whitespace. </p>
<ul>
-<li> <p> When no "=filter" is specified, postscreen(8) will use any
-non-error DNSBL reply. Otherwise, postscreen(8) uses only DNSBL
-replies that match the filter. The filter has the form d.d.d.d,
+<li> <p> When a pattern specifies no "=filter", postscreen(8) will
+use any non-error DNSBL query result. Otherwise, postscreen(8)
+will use only DNSBL
+query results that match the filter. The filter has the form d.d.d.d,
where each d is a number, or a pattern inside [] that contains one
or more ";"-separated numbers or number..number ranges. </p>
-<li> <p> When no "*weight" is specified, postscreen(8) increments
-the remote SMTP client's DNSBL score by 1. Otherwise, the weight must be
-an integral number, and postscreen(8) adds the specified weight to
-the remote SMTP client's DNSBL score. Specify a negative number for
-allowlisting. </p>
+<li> <p> When a pattern specifies no "*weight", the weight of the
+pattern is 1. Otherwise, the weight must be an integral number.
+Specify a negative number for allowlisting. </p>
-<li> <p> When one postscreen_dnsbl_sites entry produces multiple
-DNSBL responses, postscreen(8) applies the weight at most once.
-</p>
+<li> <p> When a pattern matches one or more DNSBL query results,
+postscreen(8) adds that pattern's weight once to the remote SMTP
+client's DNSBL score. </p>
</ul>
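Review bot: the rewritten bullets define the score as one weight per matching pattern but say nothing about the order in which patterns are evaluated. The WISHLIST context in this same patch still records that postscreen_dnsbl_sites "is evaluated in the reverse order, breaking expectations when different reply patterns have different weights". As this text was updated in response to user questions, consider documenting that behaviour here until the compatibility_level fix mentioned in WISHLIST exists.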
#define MAIL_ATTR_PROTO_VERIFY "address_verification_prrotocol"
/*
- * Attribute names.
+ * Attribute names in internal and policy delegation protocols.
*/
#define MAIL_ATTR_REQ "request"
#define MAIL_ATTR_NREQ "nrequest"
#define MAIL_ATTR_CRYPTO_CIPHER "encryption_cipher"
#define MAIL_ATTR_CRYPTO_KEYSIZE "encryption_keysize"
#define MAIL_ATTR_COMPAT_LEVEL "compatibility_level"
+#define MAIL_ATTR_MAIL_VERSION "mail_version"
/*
* Suffixes for sender_name, sender_domain etc.
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20220724"
+#define MAIL_RELEASE_DATE "20220816"
#define MAIL_VERSION_NUMBER "3.8"
#ifdef SNAPSHOT
smtpd_check.o: ../../include/mail_params.h
smtpd_check.o: ../../include/mail_proto.h
smtpd_check.o: ../../include/mail_stream.h
+smtpd_check.o: ../../include/mail_version.h
smtpd_check.o: ../../include/map_search.h
smtpd_check.o: ../../include/maps.h
smtpd_check.o: ../../include/match_list.h
#include <attr_override.h>
#include <map_search.h>
#include <info_log_addr_form.h>
+#include <mail_version.h>
/* Application-specific. */
policy_clnt->policy_context),
SEND_ATTR_STR(MAIL_ATTR_COMPAT_LEVEL,
var_compatibility_level),
+ SEND_ATTR_STR(MAIL_ATTR_MAIL_VERSION,
+ var_mail_version),
ATTR_TYPE_END,
ATTR_FLAG_MISSING, /* Reply attributes. */
RECV_ATTR_STR(MAIL_ATTR_ACTION, action),
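Review bot: SEND_ATTR_STR(MAIL_ATTR_MAIL_VERSION, var_mail_version) is added unconditionally, so every policy server this smtpd talks to, including one operated by a third party or reached over the network, now receives the exact release or snapshot date of the Postfix instance. If that is intended, state it in SMTPD_POLICY_README next to the attribute note so operators who treat the version as sensitive know that it leaves the host.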