postalias/postalias.c.
Bugfix: the proxymap client didn't properly propagate user
- options options to the proxymap server. File: util/dict.h.
+ options to the proxymap server. File: util/dict.h.
Workaround: force synchronous updates in the proxymap server
so that maps will be in a consistent state between updates.
Feature: data_directory configuration parameter for
Postfix-writable data such as caches and random numbers.
Files: postfix-install, conf/postfix-files.
+
+20071206
+
+ Security: tlsmgr(8) and verify(8) no longer use root
+ privileges when opening their cache files. This avoids a
+ potential security loophole where the ownership of a file
+ (or directory) does not match the trust level of the content
+ of that file (or directory). See RELEASE_NOTES for how to
+ use pre-existing data. Files: util/set_eugid.[hc],
+ tlsmgr/tlsmgr.c, verify/verify.c.
+
+ Compatibility: as a migration tool, redirect attempts by
+ tlsmgr(8) or verify(8) to open files in non-Postfix directories
+ to the Postfix-owned data_directory. File: global/data_redirect.c.
unverified_sender_reject_code = 550
# Note 1: Be sure to read the "Caching" section below!
# Note 2: Avoid hash files here. Use btree instead.
- address_verify_map = btree:/var/mta/verify
+ address_verify_map = btree:/var/lib/postfix/verify
/etc/postfix/sender_access:
aol.com reject_unverified_sender
...
# Note 1: Be sure to read the "Caching" section below!
# Note 2: Avoid hash files here. Use btree instead.
- address_verify_map = btree:/var/mta/verify
+ address_verify_map = btree:/var/lib/postfix/verify
This is also a good way to populate your cache with address verification
results before you start to actually reject mail.
/etc/postfix/main.cf:
# Note: avoid hash files here. Use btree instead.
- address_verify_map = btree:/var/mta/verify
-
-NOTE: Do not put this file in a file system that may run out of space. When the
-address verification table gets corrupted the world comes to an end and YOU
+ address_verify_map = btree:/var/lib/postfix/verify
+
+NOTE 1: As of version 2.5, Postfix no longer uses root privileges when opening
+this file. The file should now be stored under the Postfix-owned
+data_directory. As a migration aid, an attempt to open the file under a non-
+Postfix directory is redirected to the Postfix-owned data_directory, and a
+warning is logged. If you wish to continue using an pre-existing database file,
+move it to the data_directory, and change ownership to the account specfied
+with the mail_owner parameter.
+
+NOTE 2: Do not put this file in a file system that may run out of space. When
+the address verification table gets corrupted the world comes to an end and YOU
will have to MANUALLY fix things as described in the next section. Meanwhile,
you will not receive mail via SMTP.
-The verify(8) daemon process will create a new database when none exists, and
-will open/create the file before it enters the chroot jail and before it drops
-root privileges.
+NOTE 3: The verify(8) daemon process will create a new database when none
+exists, and will open/create the file before it enters the chroot jail.
M\bMa\ban\bna\bag\bgi\bin\bng\bg t\bth\bhe\be a\bad\bdd\bdr\bre\bes\bss\bs v\bve\ber\bri\bif\bfi\bic\bca\bat\bti\bio\bon\bn d\bda\bat\bta\bab\bba\bas\bse\be
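Review bot: two typos in the new NOTE 1 text: "using an pre-existing database file" should be "using a pre-existing database file", and "the account specfied with" should be "the account specified with"; the same sentences appear in the HTML copy of this README further down in the patch, so fix the source once. A style point on the updated examples: all three now hard-code "btree:/var/lib/postfix/verify"; writing "btree:${data_directory}/verify" (the ${parameter} form this patch itself uses for the old prng_exch default) keeps the examples correct on installations where data_directory is not /var/lib/postfix.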
Example:
/etc/postfix/main.cf:
- smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
+ smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
+
+As of version 2.5, Postfix will no longer maintain this file in a directory
+with non-Postfix ownership. As a migration aid, attempts to open such files are
+redirected to the Postfix-owned $data_directory, and a warning is logged.
Cached Postfix SMTP server session information expires after a certain amount
of time. Postfix/TLS does not use the OpenSSL default of 300s, but a longer
Example:
/etc/postfix/main.cf:
- smtp_tls_session_cache_database = btree:/etc/postfix/smtp_scache
+ smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
+
+As of version 2.5, Postfix will no longer maintain this file in a directory
+with non-Postfix ownership. As a migration aid, attempts to open such files are
+redirected to the Postfix-owned $data_directory, and a warning is logged.
Cached Postfix SMTP client session information expires after a certain amount
of time. Postfix/TLS does not use the OpenSSL default of 300s, but a longer
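Review bot: the paragraph added after each example, "Postfix will no longer maintain this file in a directory with non-Postfix ownership", reads as if Postfix refuses to open such a file, while the next sentence describes a redirect plus a warning. The TLS_README wording used elsewhere in this patch, "Postfix no longer uses root privileges when opening this file. The file should now be stored under the Postfix-owned data_directory", describes the change accurately and should be used here as well. Also "$data_directory" with a dollar sign appears only in these two paragraphs; the rest of the patch writes "data_directory".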
/etc/postfix/main.cf:
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
+Note: as of version 2.5, Postfix no longer uses root privileges when opening
+this file. The file should now be stored under the Postfix-owned
+data_directory. As a migration aid, an attempt to open the file under a non-
+Postfix directory is redirected to the Postfix-owned data_directory, and a
+warning is logged.
+
Cached Postfix SMTP server session information expires after a certain amount
of time. Postfix/TLS does not use the OpenSSL default of 300s, but a longer
time of 3600sec (=1 hour). RFC 2246 recommends a maximum of 24 hours.
/etc/postfix/main.cf:
smtp_tls_session_cache_database = btree:/etc/postfix/smtp_scache
+Note: as of version 2.5, Postfix no longer uses root privileges when opening
+this file. The file should now be stored under the Postfix-owned
+data_directory. As a migration aid, an attempt to open the file under a non-
+Postfix directory is redirected to the Postfix-owned data_directory, and a
+warning is logged.
+
Cached Postfix SMTP client session information expires after a certain amount
of time. Postfix/TLS does not use the OpenSSL default of 300s, but a longer
time of 3600s (=1 hour). RFC 2246 recommends a maximum of 24 hours.
The tlsmgr(8) process saves the PRNG state to a persistent exchange file at
regular times and when the process terminates, so that it can recover the PRNG
state the next time it starts up. This file is created when it does not exist.
-Its default location is under the Postfix configuration directory, which is not
-the proper place for information that is modified by Postfix. Instead, the file
-location should probably be on the /var partition (but n\bno\bot\bt inside the chroot
-jail).
Examples:
/etc/postfix/main.cf:
- tls_random_exchange_name = /etc/postfix/prng_exch
+ tls_random_exchange_name = /var/lib/postfix/prng_exch
tls_random_prng_update_period = 3600s
+As of version 2.5, Postfix no longer uses root privileges when opening this
+file. The file should now be stored under the Postfix-owned data_directory. As
+a migration aid, an attempt to open the file under a non-Postfix directory is
+redirected to the Postfix-owned data_directory, and a warning is logged. If you
+wish to continue using a pre-existing PRNG state file, move it to the
+data_directory and change the ownership to the account specified with the
+mail_owner parameter.
+
+With earlier Postfix versions the default file location is under the Postfix
+configuration directory, which is not the proper place for information that is
+modified by Postfix.
+
G\bGe\bet\btt\bti\bin\bng\bg s\bst\bta\bar\brt\bte\bed\bd,\b, q\bqu\bui\bic\bck\bk a\ban\bnd\bd d\bdi\bir\brt\bty\by
The following steps will get you started quickly. Because you sign your own
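Review bot: the session cache examples in this file still show "btree:/etc/postfix/smtpd_scache" and "btree:/etc/postfix/smtp_scache" while the note added directly below each says the file should now be stored under the Postfix-owned data_directory; update them to /var/lib/postfix paths as was done for the legacy README and for the tls_random_exchange_name example later in this same file, otherwise anyone copying the example will trigger the redirect warning on a fresh install. A small consistency point: the two cache paragraphs here say "Note: as of version 2.5" while the PRNG paragraph says "As of version 2.5"; pick one form.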
If you upgrade from Postfix 2.3 or earlier, read RELEASE_NOTES-2.4
before proceeding.
+Incompatibility with Postfix snapshot 20071206
+==============================================
+
+The "make install" and "make upgrade" procedures now create a
+Postfix-owned directory for Postfix-writable data files such as
+caches and random numbers. The location is specified with the
+"data_directory" parameter (default: "/var/lib/postfix"), and the
+ownership is specified with the "mail_owner" parameter.
+
+The tlsmgr(8) and verify(8) servers no longer use root privileges
+when opening the address_verify_map, *_tls_session_cache_database,
+and tls_random_exchange_name cache files. This avoids a potential
+security loophole where the ownership of a file (or directory) does
+not match the trust level of the content of that file (or directory).
+
+The tlsmgr(8) and verify(8) cache files should now be stored under
+the Postfix-owned data_directory. As a migration aid, attempts to
+open these files under a non-Postfix directory are redirected to
+the Postfix-owned data_directory, and a warning is logged.
+
+This is an example of the warning messages:
+
+ Dec 6 12:56:22 bristle postfix/tlsmgr[7899]: warning: request
+ to update file /etc/postfix/prng_exch in non-postfix directory
+ /etc/postfix
+
+ Dec 6 12:56:22 bristle postfix/tlsmgr[7899]: warning: redirecting
+ the request to postfix-owned data_directory /var/lib/postfix
+
+If you wish to continue using a pre-existing tls_random_exchange_name
+or address_verify_map file, move it to the Postfix-owned data_directory
+and change ownership to the account specified with the mail_owner
+configuration parameter.
+
Major changes with Postfix snapshot 20071205
============================================
The "make install" and "make upgrade" procedures now create a
-postfix-owned directory for Postfix-writable data files such as
+Postfix-owned directory for Postfix-writable data files such as
caches and random numbers. The location is specified with the
-"data_directory" variable (default: "/var/lib/postfix").
+"data_directory" parameter (default: "/var/lib/postfix"), and the
+ownership is specified with the "mail_owner" parameter.
Incompatibility with Postfix snapshot 20071203
==============================================
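Review bot: the new "Incompatibility with Postfix snapshot 20071206" section repeats the "make install" and "make upgrade" paragraph word for word from the 20071205 "Major changes" section directly below it; keep the paragraph in one place and refer to it from the other. The closing sentence tells the administrator how to keep a pre-existing tls_random_exchange_name or address_verify_map file but says nothing about the *_tls_session_cache_database files named earlier in the same section; if those are simply recreated and need no migration, say so explicitly so that readers do not go looking for a missing step. The two sample warning lines are useful; they are also the only place in the patch that shows what to look for in the log, so a pointer to them from the README notes would help.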
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
+proxywrite unix - - n - - proxymap
smtp unix - - n - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - n - - smtp
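Review bot: the new proxywrite service entry has no comment, although the "relay" entry two lines below shows the convention in this file; add a one-line comment saying that this is the read-write proxymap service and that the tables it may update are restricted by proxy_write_maps. The entry runs the same proxymap binary as the read-only "proxymap" service, and nothing else in master.cf tells a reader why there are two or which one is the privileged one.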
<a href="postconf.5.html#unverified_sender_reject_code">unverified_sender_reject_code</a> = 550
# Note 1: Be sure to read the "<a href="#caching">Caching</a>" section below!
# Note 2: Avoid hash files here. Use btree instead.
- <a href="postconf.5.html#address_verify_map">address_verify_map</a> = btree:/var/mta/verify
+ <a href="postconf.5.html#address_verify_map">address_verify_map</a> = btree:/var/lib/postfix/verify
/etc/postfix/sender_access:
aol.com <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a>
...
# Note 1: Be sure to read the "<a href="#caching">Caching</a>" section below!
# Note 2: Avoid hash files here. Use btree instead.
- <a href="postconf.5.html#address_verify_map">address_verify_map</a> = btree:/var/mta/verify
+ <a href="postconf.5.html#address_verify_map">address_verify_map</a> = btree:/var/lib/postfix/verify
</pre>
</blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
# Note: avoid hash files here. Use btree instead.
- <a href="postconf.5.html#address_verify_map">address_verify_map</a> = btree:/var/mta/verify
+ <a href="postconf.5.html#address_verify_map">address_verify_map</a> = btree:/var/lib/postfix/verify
</pre>
</blockquote>
-<p> NOTE: Do not put this file in a file system that may run out
+<p> NOTE 1: As of version 2.5, Postfix no longer uses root privileges
+when opening this file. The file should now be stored under the
+Postfix-owned <a href="postconf.5.html#data_directory">data_directory</a>. As a migration aid, an attempt to
+open the file under a non-Postfix directory is redirected to the
+Postfix-owned <a href="postconf.5.html#data_directory">data_directory</a>, and a warning is logged. If you wish
+to continue using an pre-existing database file, move it to the
+<a href="postconf.5.html#data_directory">data_directory</a>, and change ownership to the account specfied with
+the <a href="postconf.5.html#mail_owner">mail_owner</a> parameter. </p>
+
+<p> NOTE 2: Do not put this file in a file system that may run out
of space. When the address verification table gets corrupted the
world comes to an end and YOU will have to MANUALLY fix things as
described in the next section. Meanwhile, you will not receive mail
via SMTP. </p>
-<p> The <a href="verify.8.html">verify(8)</a> daemon process will create a new database when
+<p> NOTE 3: The <a href="verify.8.html">verify(8)</a> daemon process will create a new database when
none exists, and will open/create the file before it enters the
-chroot jail and before it drops root privileges. </p>
+chroot jail. </p>
<h2><a name="dirty_secret">Managing the address verification
database</a></h2>
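Review bot: the HTML copy of NOTE 1 carries the same two typos as the text version, "an pre-existing" and "specfied"; if the text README is generated from this HTML, fixing them here fixes both. Otherwise the split into NOTE 1 (new ownership rule), NOTE 2 (disk space) and NOTE 3 (created before the chroot) reads well, and dropping "and before it drops root privileges" from NOTE 3 is the right consequence of the change.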
SMTP mail or with SASL authentication.
<p> Postfix version 2.2 introduces support for TLS as described in
-<a href="http://www.faqs.org/rfcs/rfc3207.html">RFC 3207</a>. TLS Support for older Postfix versions was available as
+<a href="http://tools.ietf.org/html/rfc3207">RFC 3207</a>. TLS Support for older Postfix versions was available as
an add-on patch. The section "<a href="#compat">Compatibility with
Postfix < 2.2 TLS support</a>" below discusses the differences
between these implementations. </p>
<p> You can ENFORCE the use of TLS, so that the Postfix SMTP server
announces STARTTLS and accepts no mail without TLS encryption, by
-setting "<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes". According to <a href="http://www.faqs.org/rfcs/rfc2487.html">RFC 2487</a> this MUST
+setting "<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes". According to <a href="http://tools.ietf.org/html/rfc2487">RFC 2487</a> this MUST
NOT be applied in case of a publicly-referenced Postfix SMTP server.
This option is off by default and should only seldom be used. </p>
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
- <a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> = btree:/etc/postfix/smtpd_scache
+ <a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> = btree:/var/lib/postfix/smtpd_scache
</pre>
</blockquote>
+<p> As of version 2.5, Postfix will no longer maintain this file
+in a directory with non-Postfix ownership. As a migration aid,
+attempts to open such files are redirected to the Postfix-owned
+$<a href="postconf.5.html#data_directory">data_directory</a>, and a warning is logged. </p>
+
<p> Cached Postfix SMTP server session information expires after
a certain amount of time. Postfix/TLS does not use the OpenSSL
-default of 300s, but a longer time of 3600sec (=1 hour). <a href="http://www.faqs.org/rfcs/rfc2246.html">RFC 2246</a>
+default of 300s, but a longer time of 3600sec (=1 hour). <a href="http://tools.ietf.org/html/rfc2246">RFC 2246</a>
recommends a maximum of 24 hours. </p>
<p> Example: </p>
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
- <a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> = btree:/etc/postfix/smtp_scache
+ <a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> = btree:/var/lib/postfix/smtp_scache
</pre>
</blockquote>
+<p> As of version 2.5, Postfix will no longer maintain this file
+in a directory with non-Postfix ownership. As a migration aid,
+attempts to open such files are redirected to the Postfix-owned
+$<a href="postconf.5.html#data_directory">data_directory</a>, and a warning is logged. </p>
+
<p> Cached Postfix SMTP client session information expires after
a certain amount of time. Postfix/TLS does not use the OpenSSL
-default of 300s, but a longer time of 3600s (=1 hour). <a href="http://www.faqs.org/rfcs/rfc2246.html">RFC 2246</a>
+default of 300s, but a longer time of 3600s (=1 hour). <a href="http://tools.ietf.org/html/rfc2246">RFC 2246</a>
recommends a maximum of 24 hours. </p>
<p> Example: </p>
<p> Enforcing the use of TLS is useful if you know that you will
only
-connect to servers that support <a href="http://www.faqs.org/rfcs/rfc2487.html">RFC 2487</a> _and_ that present server
+connect to servers that support <a href="http://tools.ietf.org/html/rfc2487">RFC 2487</a> _and_ that present server
certificates that meet the above requirements. An example would
be a client only sends email to one specific mailhub that offers
the necessary STARTTLS support. </p>
<h3> <a name="client_tls_nopeer"> Disabling server certificate
verification </a> </h3>
-<p> As of <a href="http://www.faqs.org/rfcs/rfc2487.html">RFC 2487</a> the requirements for hostname checking for MTA
+<p> As of <a href="http://tools.ietf.org/html/rfc2487">RFC 2487</a> the requirements for hostname checking for MTA
clients are not set. When TLS is required (<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes),
the option <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> can be set to "no" to disable
strict remote SMTP server hostname checking. In this case, the mail
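Review bot: the faqs.org to tools.ietf.org RFC link updates in this file are unrelated to the data_directory change and are mixed into the same hunks as it; a separate change would make review, and any later revert of the security change, simpler. Within the cache paragraphs, "$data_directory" with a dollar sign differs from the plain "data_directory" used by the other paragraphs this patch adds.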
mail without TLS encryption, by setting
"<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = encrypt" (Postfix 2.3 and
later) or "<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes" (obsolete but still
-supported). According to <a href="http://www.faqs.org/rfcs/rfc2487.html">RFC 2487</a> this MUST NOT be applied in case
+supported). According to <a href="http://tools.ietf.org/html/rfc2487">RFC 2487</a> this MUST NOT be applied in case
of a publicly-referenced Postfix SMTP server. This option is off
by default and should only seldom be used. </p>
</pre>
</blockquote>
+<p> Note: as of version 2.5, Postfix no longer uses root privileges
+when opening this file. The file should now be stored under the
+Postfix-owned <a href="postconf.5.html#data_directory">data_directory</a>. As a migration aid, an attempt to
+open the file under a non-Postfix directory is redirected to the
+Postfix-owned <a href="postconf.5.html#data_directory">data_directory</a>, and a warning is logged. </p>
+
<p> Cached Postfix SMTP server session information expires after
a certain amount of time. Postfix/TLS does not use the OpenSSL
-default of 300s, but a longer time of 3600sec (=1 hour). <a href="http://www.faqs.org/rfcs/rfc2246.html">RFC 2246</a>
+default of 300s, but a longer time of 3600sec (=1 hour). <a href="http://tools.ietf.org/html/rfc2246">RFC 2246</a>
recommends a maximum of 24 hours. </p>
<p> Example: </p>
</pre>
</blockquote>
+<p> Note: as of version 2.5, Postfix no longer uses root privileges
+when opening this file. The file should now be stored under the
+Postfix-owned <a href="postconf.5.html#data_directory">data_directory</a>. As a migration aid, an attempt to
+open the file under a non-Postfix directory is redirected to the
+Postfix-owned <a href="postconf.5.html#data_directory">data_directory</a>, and a warning is logged. </p>
+
<p> Cached Postfix SMTP client session information expires after
a certain amount of time. Postfix/TLS does not use the OpenSSL
-default of 300s, but a longer time of 3600s (=1 hour). <a href="http://www.faqs.org/rfcs/rfc2246.html">RFC 2246</a>
+default of 300s, but a longer time of 3600s (=1 hour). <a href="http://tools.ietf.org/html/rfc2246">RFC 2246</a>
recommends a maximum of 24 hours. </p>
<p> Example: </p>
<p> Mandatory server certificate verification as a default security
level may be appropriate if you know that you will only connect to
-servers that support <a href="http://www.faqs.org/rfcs/rfc2487.html">RFC 2487</a> <i>and</i> that present verifiable
+servers that support <a href="http://tools.ietf.org/html/rfc2487">RFC 2487</a> <i>and</i> that present verifiable
server certificates. An example would be a client that sends all
email to a central mailhub that offers the necessary STARTTLS
support. In such cases, you can often use a <a
<p> Mandatory secure server certificate verification as a default
security level may be appropriate if you know that you will only
-connect to servers that support <a href="http://www.faqs.org/rfcs/rfc2487.html">RFC 2487</a> <i>and</i> that present
+connect to servers that support <a href="http://tools.ietf.org/html/rfc2487">RFC 2487</a> <i>and</i> that present
verifiable server certificates. An example would be a client that
sends all email to a central mailhub that offers the necessary
STARTTLS support. </p>
<p> The <a href="tlsmgr.8.html">tlsmgr(8)</a> process saves the PRNG state to a persistent
exchange file at regular times and when the process terminates, so
that it can recover the PRNG state the next time it starts up.
-This file is created when it does not exist. Its default location
-is under the Postfix configuration directory, which is not the
-proper place for information that is modified by Postfix. Instead,
-the file location should probably be on the /var partition (but
-<b>not</b> inside the chroot jail). </p>
+This file is created when it does not exist. </p>
<p> Examples: </p>
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
- <a href="postconf.5.html#tls_random_exchange_name">tls_random_exchange_name</a> = /etc/postfix/prng_exch
+ <a href="postconf.5.html#tls_random_exchange_name">tls_random_exchange_name</a> = /var/lib/postfix/prng_exch
<a href="postconf.5.html#tls_random_prng_update_period">tls_random_prng_update_period</a> = 3600s
</pre>
</blockquote>
+<p> As of version 2.5, Postfix no longer uses root privileges when
+opening this file. The file should now be stored under the Postfix-owned
+<a href="postconf.5.html#data_directory">data_directory</a>. As a migration aid, an attempt to open the file
+under a non-Postfix directory is redirected to the Postfix-owned
+<a href="postconf.5.html#data_directory">data_directory</a>, and a warning is logged. If you wish to continue
+using a pre-existing PRNG state file, move it to the <a href="postconf.5.html#data_directory">data_directory</a>
+and change the ownership to the account specified with the <a href="postconf.5.html#mail_owner">mail_owner</a>
+parameter. </p>
+
+<p> With earlier Postfix versions the default file location
+is under the Postfix configuration directory, which is not the
+proper place for information that is modified by Postfix. </p>
+
<h2><a name="quick-start">Getting started, quick and dirty</a></h2>
<p> The following steps will get you started quickly. Because you
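Review bot: the deleted sentence in the PRNG exchange file paragraph, "the file location should probably be on the /var partition (but not inside the chroot jail)", contained the one operational caveat in this section, and neither of the two new paragraphs mentions the chroot jail. Either restore "not inside the chroot jail", or state that tlsmgr(8) opens the file before entering the chroot, as NOTE 3 of the address verification README in this patch now does for verify(8). The added "With earlier Postfix versions the default file location is under the Postfix configuration directory" paragraph would be clearer if it named the new default, ${data_directory}/prng_exch, which the postconf(5) entry in this patch already states.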
delete the file and do "<b>postfix reload</b>".
</p>
+<p> As of version 2.5, Postfix no longer uses root privileges when
+opening this file. The file should now be stored under the Postfix-owned
+<a href="postconf.5.html#data_directory">data_directory</a>. As a migration aid, an attempt to open the file
+under a non-Postfix directory is redirected to the Postfix-owned
+<a href="postconf.5.html#data_directory">data_directory</a>, and a warning is logged. </p>
+
<p>
Examples:
</p>
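Review bot: the new address_verify_map paragraph describes the redirect but, unlike NOTE 1 of the README in this patch, does not tell the administrator to move a pre-existing database into data_directory and change its ownership to the mail_owner account. Because the redirect opens a different path, an un-moved file is no longer read and the verification cache starts out empty; the warning says that the open was redirected, not that the cached results were left behind, so add the migration sentence here as well.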
<DT><b><a name="proxy_write_maps">proxy_write_maps</a>
(default: see "postconf -d" output)</b></DT><DD>
-<p>
-The lookup tables that the <a href="proxymap.8.html">proxymap(8)</a> server is allowed to access
-for the read-write service. If implemented with local files, these
-tables are preferably stored under the location specified with the
-<a href="postconf.5.html#data_directory">data_directory</a> configuration parameter.
-Table references that don't begin with <a href="proxymap.8.html">proxy</a>: are ignored.
-</p>
+<p> The lookup tables that the <a href="proxymap.8.html">proxymap(8)</a> server is allowed to
+access for the read-write service. Postfix-owned local database
+files should be stored under the Postfix-owned <a href="postconf.5.html#data_directory">data_directory</a>.
+Table references that don't begin with <a href="proxymap.8.html">proxy</a>: are ignored. </p>
<p>
This feature is available in Postfix 2.5 and later.
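Review bot: the rewritten description says where the files should live but no longer says why the list matters: every table listed here becomes updatable through the read-write proxymap service, so this parameter is the only control that bounds what that service will write. State that consequence in the first sentence and advise keeping the list to the tables that actually need shared updates; the old text's "preferably stored under the location specified with the data_directory configuration parameter" was weaker on placement but the new text is weaker on scope.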
per-smtp-instance <a href="master.5.html">master.cf</a> overrides of this parameter are not effective.
Note, that each of the cache databases supported by <a href="tlsmgr.8.html">tlsmgr(8)</a> daemon:
$<a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a>, $<a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a>
-(and with Postfix 2.3 and later $lmtp_session_cache_database), needs to
-be stored separately, it is not at this time possible to store multiple
+(and with Postfix 2.3 and later $<a href="postconf.5.html#lmtp_tls_session_cache_database">lmtp_tls_session_cache_database</a>), needs to
+be stored separately. It is not at this time possible to store multiple
caches in a single database. </p>
<p> Note: <b>dbm</b> databases are not suitable. TLS
session objects are too large. </p>
+<p> As of version 2.5, Postfix no longer uses root privileges when
+opening this file. The file should now be stored under the Postfix-owned
+<a href="postconf.5.html#data_directory">data_directory</a>. As a migration aid, an attempt to open the file
+under a non-Postfix directory is redirected to the Postfix-owned
+<a href="postconf.5.html#data_directory">data_directory</a>, and a warning is logged. </p>
+
<p> Example: </p>
<pre>
per-smtpd-instance <a href="master.5.html">master.cf</a> overrides of this parameter are not
effective. Note, that each of the cache databases supported by <a href="tlsmgr.8.html">tlsmgr(8)</a>
daemon: $<a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a>, $<a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a>
-(and with Postfix 2.3 and later $lmtp_session_cache_database), needs to be
-stored separately, it is not at this time possible to store multiple
+(and with Postfix 2.3 and later $<a href="postconf.5.html#lmtp_tls_session_cache_database">lmtp_tls_session_cache_database</a>), needs to be
+stored separately. It is not at this time possible to store multiple
caches in a single database. </p>
<p> Note: <b>dbm</b> databases are not suitable. TLS
session objects are too large. </p>
+<p> As of version 2.5, Postfix no longer uses root privileges when
+opening this file. The file should now be stored under the Postfix-owned
+<a href="postconf.5.html#data_directory">data_directory</a>. As a migration aid, an attempt to open the file
+under a non-Postfix directory is redirected to the Postfix-owned
+<a href="postconf.5.html#data_directory">data_directory</a>, and a warning is logged. </p>
+
<p> Example: </p>
<pre>
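Review bot: the "As of version 2.5, Postfix no longer uses root privileges when opening this file" paragraph is now pasted word for word under smtpd_tls_session_cache_database and smtp_tls_session_cache_database here, and again under address_verify_map, tls_random_exchange_name, in four README files and two manual pages in this patch; a single paragraph in the data_directory entry with a link from each parameter would keep them from drifting, and the copies already differ (some say "will no longer maintain this file", others "no longer uses root privileges"). The correction of "$lmtp_session_cache_database" to the real parameter name lmtp_tls_session_cache_database, and the split of the comma splice into two sentences, are good.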
</DD>
<DT><b><a name="tls_random_exchange_name">tls_random_exchange_name</a>
-(default: ${<a href="postconf.5.html#config_directory">config_directory</a>}/prng_exch)</b></DT><DD>
+(default: see "postconf -d" output)</b></DT><DD>
<p> Name of the pseudo random number generator (PRNG) state file
that is maintained by <a href="tlsmgr.8.html">tlsmgr(8)</a>. The file is created when it does
not exist, and its length is fixed at 1024 bytes. </p>
-<p> Since this file is modified by Postfix, it should probably be
-kept in the /var file system, instead of under $<a href="postconf.5.html#config_directory">config_directory</a>.
-The location should not be inside the chroot jail. </p>
+<p> As of version 2.5, Postfix no longer uses root privileges when
+opening this file, and the default file location was changed from
+${<a href="postconf.5.html#config_directory">config_directory</a>}/prng_exch to ${<a href="postconf.5.html#data_directory">data_directory</a>}/prng_exch. As
+a migration aid, an attempt to open the file under a non-Postfix
+directory is redirected to the Postfix-owned <a href="postconf.5.html#data_directory">data_directory</a>, and a
+warning is logged. </p>
<p> This feature is available in Postfix 2.2 and later. </p>
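Review bot: the header now says "(default: see "postconf -d" output)" while the paragraph beneath states the new default outright as ${data_directory}/prng_exch; if the default is that fixed expression it can stay in the header, as ${config_directory}/prng_exch did before, and if it is computed at install time the paragraph should not present it as fixed. The entry also lacks the "move the file to data_directory and change ownership to the mail_owner account" sentence that TLS_README gains in this patch; since the redirect opens a different path, the old PRNG state would otherwise simply be abandoned.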
sitive processes.
Postfix-writable data files should be stored under a dedi-
- cated directory that is writable only by the $<b><a href="postconf.5.html#mail_owner">mail_owner</a></b>
- account, such as the $<b><a href="postconf.5.html#data_directory">data_directory</a></b> directory.
+ cated directory that is writable only by the Postfix mail
+ system, such as the Postfix-owned <b><a href="postconf.5.html#data_directory">data_directory</a></b>.
In particular, Postfix-writable files should never exist
in root-owned directories. That would open up a particular
- type of security hole where ownership (root) does not
- match content provenance (Postfix).
+ type of security hole where ownership of a file or direc-
+ tory does not match the provider of its content.
<b>DIAGNOSTICS</b>
Problems and transactions are logged to <b>syslogd</b>(8).
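Review bot: replacing "writable only by the $mail_owner account" with "writable only by the Postfix mail system" drops the one concrete thing an administrator can check, namely which account owns the directory; keep the account, for example "writable only by the $mail_owner account, such as the Postfix-owned data_directory". The rewritten second sentence is an improvement: "ownership of a file or directory does not match the provider of its content" states the trust mismatch without tying it to root, which is also the general case the rest of this patch describes.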
source and exchange file, and creates or truncates the
optional TLS session cache files.
+ With Postfix version 2.5 and later, the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> no
+ longer uses root privileges when opening cache files.
+ These files should now be stored under the Postfix-owned
+ <b><a href="postconf.5.html#data_directory">data_directory</a></b>. As a migration aid, an attempt to open a
+ cache file under a non-Postfix directory is redirected to
+ the Postfix-owned <b><a href="postconf.5.html#data_directory">data_directory</a></b>, and a warning is logged.
+
<b>DIAGNOSTICS</b>
Problems and transactions are logged to the syslog daemon.
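Review bot: "the tlsmgr(8) no longer uses root privileges" is missing its noun; the verify(8) manual page in this patch reads "the verify(8) server no longer uses", so write "the tlsmgr(8) server no longer uses" here. The last sentence speaks only of "a cache file", but the RELEASE_NOTES warning example in this patch is about the PRNG exchange file, which the preceding sentence distinguishes from the session cache files; say "a cache or exchange file" so the diagnostics section covers the case administrators are most likely to see.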
$<a href="postconf.5.html#tls_random_source">tls_random_source</a> when (re)seeding the in-memory
pseudo random number generator (PRNG) pool.
- <b><a href="postconf.5.html#tls_random_exchange_name">tls_random_exchange_name</a> (${<a href="postconf.5.html#config_directory">config_directory</a>}/prng_exch)</b>
+ <b><a href="postconf.5.html#tls_random_exchange_name">tls_random_exchange_name</a> (see 'postconf -d' output)</b>
Name of the pseudo random number generator (PRNG)
state file that is maintained by <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>.
trades one problem (disk space exhaustion) for another one
(poor response time to client requests).
+ With Postfix version 2.5 and later, the <a href="verify.8.html"><b>verify</b>(8)</a> server
+ no longer uses root privileges when opening the
+ <b><a href="postconf.5.html#address_verify_map">address_verify_map</a></b> cache file. The file should now be
+ stored under the Postfix-owned <b><a href="postconf.5.html#data_directory">data_directory</a></b>. As a
+ migration aid, an attempt to open a cache file under a
+ non-Postfix directory is redirected to the Postfix-owned
+ <b><a href="postconf.5.html#data_directory">data_directory</a></b>, and a warning is logged.
+
<b>DIAGNOSTICS</b>
Problems and transactions are logged to <b>syslogd</b>(8).
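Review bot: this paragraph, the tlsmgr(8) one and the README notes all say "a warning is logged" but none shows the warning, which only RELEASE_NOTES does; since the manual page is where an administrator matching a log line ends up, either quote the "request to update file ... in non-postfix directory" line here under DIAGNOSTICS or point to RELEASE_NOTES.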
Optional lookup table for persistent address veri-
fication status storage.
- <b><a href="postconf.5.html#address_verify_sender">address_verify_sender</a> (postmaster)</b>
+ <b><a href="postconf.5.html#address_verify_sender">address_verify_sender</a> ($<a href="postconf.5.html#double_bounce_sender">double_bounce_sender</a>)</b>
The sender address to use in address verification
- probes.
+ probes; prior to Postfix 2.5 the default was "post-
+ master".
<b><a href="postconf.5.html#address_verify_positive_expire_time">address_verify_positive_expire_time</a> (31d)</b>
- The time after which a successful probe expires
+ The time after which a successful probe expires
from the address verification cache.
<b><a href="postconf.5.html#address_verify_positive_refresh_time">address_verify_positive_refresh_time</a> (7d)</b>
results.
<b><a href="postconf.5.html#address_verify_negative_expire_time">address_verify_negative_expire_time</a> (3d)</b>
- The time after which a failed probe expires from
+ The time after which a failed probe expires from
the address verification cache.
<b><a href="postconf.5.html#address_verify_negative_refresh_time">address_verify_negative_refresh_time</a> (3h)</b>
- The time after which a failed address verification
+ The time after which a failed address verification
probe needs to be refreshed.
<b>PROBE MESSAGE ROUTING CONTROLS</b>
- By default, probe messages are delivered via the same
- route as regular messages. The following parameters can
+ By default, probe messages are delivered via the same
+ route as regular messages. The following parameters can
be used to override specific message routing mechanisms.
<b><a href="postconf.5.html#address_verify_relayhost">address_verify_relayhost</a> ($<a href="postconf.5.html#relayhost">relayhost</a>)</b>
- Overrides the <a href="postconf.5.html#relayhost">relayhost</a> parameter setting for
+ Overrides the <a href="postconf.5.html#relayhost">relayhost</a> parameter setting for
address verification probes.
<b><a href="postconf.5.html#address_verify_transport_maps">address_verify_transport_maps</a> ($<a href="postconf.5.html#transport_maps">transport_maps</a>)</b>
- Overrides the <a href="postconf.5.html#transport_maps">transport_maps</a> parameter setting for
+ Overrides the <a href="postconf.5.html#transport_maps">transport_maps</a> parameter setting for
address verification probes.
<b><a href="postconf.5.html#address_verify_local_transport">address_verify_local_transport</a> ($<a href="postconf.5.html#local_transport">local_transport</a>)</b>
address verification probes.
<b><a href="postconf.5.html#address_verify_virtual_transport">address_verify_virtual_transport</a> ($<a href="postconf.5.html#virtual_transport">virtual_transport</a>)</b>
- Overrides the <a href="postconf.5.html#virtual_transport">virtual_transport</a> parameter setting
+ Overrides the <a href="postconf.5.html#virtual_transport">virtual_transport</a> parameter setting
for address verification probes.
<b><a href="postconf.5.html#address_verify_relay_transport">address_verify_relay_transport</a> ($<a href="postconf.5.html#relay_transport">relay_transport</a>)</b>
address verification probes.
<b><a href="postconf.5.html#address_verify_default_transport">address_verify_default_transport</a> ($<a href="postconf.5.html#default_transport">default_transport</a>)</b>
- Overrides the <a href="postconf.5.html#default_transport">default_transport</a> parameter setting
+ Overrides the <a href="postconf.5.html#default_transport">default_transport</a> parameter setting
for address verification probes.
<b>MISCELLANEOUS CONTROLS</b>
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
+ The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
<a href="master.5.html">master.cf</a> configuration files.
<b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
- How much time a Postfix daemon process may take to
- handle a request before it is terminated by a
+ How much time a Postfix daemon process may take to
+ handle a request before it is terminated by a
built-in watchdog timer.
<b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
over an internal communication channel.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
- The process ID of a Postfix command or daemon
+ The process ID of a Postfix command or daemon
process.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
- The process name of a Postfix command or daemon
+ The process name of a Postfix command or daemon
process.
<b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
- The location of the Postfix top-level queue direc-
+ The location of the Postfix top-level queue direc-
tory.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b>SEE ALSO</b>
<a href="ADDRESS_VERIFICATION_README.html">ADDRESS_VERIFICATION_README</a>, address verification howto
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>HISTORY</b>
database becomes corrupted, the world comes to an end. To recover
delete the file and do "\fBpostfix reload\fR".
.PP
+As of version 2.5, Postfix no longer uses root privileges when
+opening this file. The file should now be stored under the Postfix-owned
+data_directory. As a migration aid, an attempt to open the file
+under a non-Postfix directory is redirected to the Postfix-owned
+data_directory, and a warning is logged.
+.PP
Examples:
.PP
.nf
.PP
This feature is available in Postfix 2.0 and later.
.SH proxy_write_maps (default: see "postconf -d" output)
-The lookup tables that the \fBproxymap\fR(8) server is allowed to access
-for the read-write service. If implemented with local files, these
-tables are preferably stored under the location specified with the
-data_directory configuration parameter.
+The lookup tables that the \fBproxymap\fR(8) server is allowed to
+access for the read-write service. Postfix-owned local database
+files should be stored under the Postfix-owned data_directory.
Table references that don't begin with proxy: are ignored.
.PP
This feature is available in Postfix 2.5 and later.
per-smtp-instance master.cf overrides of this parameter are not effective.
Note, that each of the cache databases supported by \fBtlsmgr\fR(8) daemon:
$smtpd_tls_session_cache_database, $smtp_tls_session_cache_database
-(and with Postfix 2.3 and later $lmtp_session_cache_database), needs to
-be stored separately, it is not at this time possible to store multiple
+(and with Postfix 2.3 and later $lmtp_tls_session_cache_database), needs to
+be stored separately. It is not at this time possible to store multiple
caches in a single database.
.PP
Note: \fBdbm\fR databases are not suitable. TLS
session objects are too large.
.PP
+As of version 2.5, Postfix no longer uses root privileges when
+opening this file. The file should now be stored under the Postfix-owned
+data_directory. As a migration aid, an attempt to open the file
+under a non-Postfix directory is redirected to the Postfix-owned
+data_directory, and a warning is logged.
+.PP
Example:
.PP
.nf
per-smtpd-instance master.cf overrides of this parameter are not
effective. Note, that each of the cache databases supported by \fBtlsmgr\fR(8)
daemon: $smtpd_tls_session_cache_database, $smtp_tls_session_cache_database
-(and with Postfix 2.3 and later $lmtp_session_cache_database), needs to be
-stored separately, it is not at this time possible to store multiple
+(and with Postfix 2.3 and later $lmtp_tls_session_cache_database), needs to be
+stored separately. It is not at this time possible to store multiple
caches in a single database.
.PP
Note: \fBdbm\fR databases are not suitable. TLS
session objects are too large.
.PP
+As of version 2.5, Postfix no longer uses root privileges when
+opening this file. The file should now be stored under the Postfix-owned
+data_directory. As a migration aid, an attempt to open the file
+under a non-Postfix directory is redirected to the Postfix-owned
+data_directory, and a warning is logged.
+.PP
Example:
.PP
.nf
bytes is read.
.PP
This feature is available in Postfix 2.2 and later.
-.SH tls_random_exchange_name (default: ${config_directory}/prng_exch)
+.SH tls_random_exchange_name (default: see "postconf -d" output)
Name of the pseudo random number generator (PRNG) state file
that is maintained by \fBtlsmgr\fR(8). The file is created when it does
not exist, and its length is fixed at 1024 bytes.
.PP
-Since this file is modified by Postfix, it should probably be
-kept in the /var file system, instead of under $config_directory.
-The location should not be inside the chroot jail.
+As of version 2.5, Postfix no longer uses root privileges when
+opening this file, and the default file location was changed from
+${config_directory}/prng_exch to ${data_directory}/prng_exch. As
+a migration aid, an attempt to open the file under a non-Postfix
+directory is redirected to the Postfix-owned data_directory, and a
+warning is logged.
.PP
This feature is available in Postfix 2.2 and later.
.SH tls_random_prng_update_period (default: 3600s)
setting to be used by sensitive and non-sensitive processes.
Postfix-writable data files should be stored under a dedicated
-directory that is writable only by the $\fBmail_owner\fR
-account, such as the $\fBdata_directory\fR directory.
+directory that is writable only by the Postfix mail system,
+such as the Postfix-owned \fBdata_directory\fR.
In particular, Postfix-writable files should never exist
in root-owned directories. That would open up a particular
-type of security hole where ownership (root) does not match
-content provenance (Postfix).
+type of security hole where ownership of a file or directory
+does not match the provider of its content.
.SH DIAGNOSTICS
.ad
.fi
The directory with Postfix-writable data files (for example:
caches, pseudo-random numbers).
.IP "\fBproxy_write_maps (see 'postconf -d' output)\fR"
-The lookup tables that the \fBproxymap\fR(8) server is allowed to access
-for the read-write service.
+The lookup tables that the \fBproxymap\fR(8) server is allowed to
+access for the read-write service.
.SH "SEE ALSO"
.na
.nf
At process startup it connects to the entropy source and
exchange file, and creates or truncates the optional TLS
session cache files.
+
+With Postfix version 2.5 and later, the \fBtlsmgr\fR(8) no
+longer uses root privileges when opening cache files. These
+files should now be stored under the Postfix-owned
+\fBdata_directory\fR. As a migration aid, an attempt to
+open a cache file under a non-Postfix directory is redirected
+to the Postfix-owned \fBdata_directory\fR, and a warning
+is logged.
.SH DIAGNOSTICS
.ad
.fi
The number of bytes that \fBtlsmgr\fR(8) reads from $tls_random_source
when (re)seeding the in-memory pseudo random number generator (PRNG)
pool.
-.IP "\fBtls_random_exchange_name (${config_directory}/prng_exch)\fR"
+.IP "\fBtls_random_exchange_name (see 'postconf -d' output)\fR"
Name of the pseudo random number generator (PRNG) state file
that is maintained by \fBtlsmgr\fR(8).
.IP "\fBtls_random_prng_update_period (3600s)\fR"
unlimited amounts of garbage. Limiting the cache size
trades one problem (disk space exhaustion) for another
one (poor response time to client requests).
+
+With Postfix version 2.5 and later, the \fBverify\fR(8)
+server no longer uses root privileges when opening the
+\fBaddress_verify_map\fR cache file. The file should now
+be stored under the Postfix-owned \fBdata_directory\fR. As
+a migration aid, an attempt to open a cache file under a
+non-Postfix directory is redirected to the Postfix-owned
+\fBdata_directory\fR, and a warning is logged.
.SH DIAGNOSTICS
.ad
.fi
.IP "\fBaddress_verify_map (empty)\fR"
Optional lookup table for persistent address verification status
storage.
-.IP "\fBaddress_verify_sender (postmaster)\fR"
-The sender address to use in address verification probes.
+.IP "\fBaddress_verify_sender ($double_bounce_sender)\fR"
+The sender address to use in address verification probes; prior
+to Postfix 2.5 the default was "postmaster".
.IP "\fBaddress_verify_positive_expire_time (31d)\fR"
The time after which a successful probe expires from the address
verification cache.
unverified_sender_reject_code = 550
# Note 1: Be sure to read the "<a href="#caching">Caching</a>" section below!
# Note 2: Avoid hash files here. Use btree instead.
- address_verify_map = btree:/var/mta/verify
+ address_verify_map = btree:/var/lib/postfix/verify
/etc/postfix/sender_access:
aol.com reject_unverified_sender
...
# Note 1: Be sure to read the "<a href="#caching">Caching</a>" section below!
# Note 2: Avoid hash files here. Use btree instead.
- address_verify_map = btree:/var/mta/verify
+ address_verify_map = btree:/var/lib/postfix/verify
</pre>
</blockquote>
<pre>
/etc/postfix/main.cf:
# Note: avoid hash files here. Use btree instead.
- address_verify_map = btree:/var/mta/verify
+ address_verify_map = btree:/var/lib/postfix/verify
</pre>
</blockquote>
-<p> NOTE: Do not put this file in a file system that may run out
+<p> NOTE 1: As of version 2.5, Postfix no longer uses root privileges
+when opening this file. The file should now be stored under the
+Postfix-owned data_directory. As a migration aid, an attempt to
+open the file under a non-Postfix directory is redirected to the
+Postfix-owned data_directory, and a warning is logged. If you wish
+to continue using an pre-existing database file, move it to the
+data_directory, and change ownership to the account specfied with
+the mail_owner parameter. </p>
+
+<p> NOTE 2: Do not put this file in a file system that may run out
of space. When the address verification table gets corrupted the
world comes to an end and YOU will have to MANUALLY fix things as
described in the next section. Meanwhile, you will not receive mail
via SMTP. </p>
-<p> The verify(8) daemon process will create a new database when
+<p> NOTE 3: The verify(8) daemon process will create a new database when
none exists, and will open/create the file before it enters the
-chroot jail and before it drops root privileges. </p>
+chroot jail. </p>
<h2><a name="dirty_secret">Managing the address verification
database</a></h2>
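Review bot: two typos in the added NOTE 1 paragraph: "continue using an pre-existing database file" should read "a pre-existing database file", and "the account specfied with the mail_owner parameter" should read "specified". The equivalent paragraph added to TLS_README further down spells both correctly, so only this copy needs the fix.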
</pre>
</blockquote>
+<p> Note: as of version 2.5, Postfix no longer uses root privileges
+when opening this file. The file should now be stored under the
+Postfix-owned data_directory. As a migration aid, an attempt to
+open the file under a non-Postfix directory is redirected to the
+Postfix-owned data_directory, and a warning is logged. </p>
+
<p> Cached Postfix SMTP server session information expires after
a certain amount of time. Postfix/TLS does not use the OpenSSL
default of 300s, but a longer time of 3600sec (=1 hour). RFC 2246
</pre>
</blockquote>
+<p> Note: as of version 2.5, Postfix no longer uses root privileges
+when opening this file. The file should now be stored under the
+Postfix-owned data_directory. As a migration aid, an attempt to
+open the file under a non-Postfix directory is redirected to the
+Postfix-owned data_directory, and a warning is logged. </p>
+
<p> Cached Postfix SMTP client session information expires after
a certain amount of time. Postfix/TLS does not use the OpenSSL
default of 300s, but a longer time of 3600s (=1 hour). RFC 2246
<p> The tlsmgr(8) process saves the PRNG state to a persistent
exchange file at regular times and when the process terminates, so
that it can recover the PRNG state the next time it starts up.
-This file is created when it does not exist. Its default location
-is under the Postfix configuration directory, which is not the
-proper place for information that is modified by Postfix. Instead,
-the file location should probably be on the /var partition (but
-<b>not</b> inside the chroot jail). </p>
+This file is created when it does not exist. </p>
<p> Examples: </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
- tls_random_exchange_name = /etc/postfix/prng_exch
+ tls_random_exchange_name = /var/lib/postfix/prng_exch
tls_random_prng_update_period = 3600s
</pre>
</blockquote>
+<p> As of version 2.5, Postfix no longer uses root privileges when
+opening this file. The file should now be stored under the Postfix-owned
+data_directory. As a migration aid, an attempt to open the file
+under a non-Postfix directory is redirected to the Postfix-owned
+data_directory, and a warning is logged. If you wish to continue
+using a pre-existing PRNG state file, move it to the data_directory
+and change the ownership to the account specified with the mail_owner
+parameter. </p>
+
+<p> With earlier Postfix versions the default file location
+is under the Postfix configuration directory, which is not the
+proper place for information that is modified by Postfix. </p>
+
<h2><a name="quick-start">Getting started, quick and dirty</a></h2>
<p> The following steps will get you started quickly. Because you
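Review bot: the rewritten PRNG exchange file paragraph drops the old caveat "(but <b>not</b> inside the chroot jail)", and the postconf text for tls_random_exchange_name loses the same sentence ("The location should not be inside the chroot jail"). If that guidance is obsolete now that the file lives under data_directory, the added paragraph should say so explicitly; otherwise keep the one-line chroot caveat next to the new data_directory advice so the migration text does not silently remove a placement rule admins relied on.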
database becomes corrupted, the world comes to an end. To recover
delete the file and do "<b>postfix reload</b>".
</p>
+
+<p> As of version 2.5, Postfix no longer uses root privileges when
+opening this file. The file should now be stored under the Postfix-owned
+data_directory. As a migration aid, an attempt to open the file
+under a non-Postfix directory is redirected to the Postfix-owned
+data_directory, and a warning is logged. </p>
<p>
Examples:
%PARAM proxy_write_maps see "postconf -d" output
-<p>
-The lookup tables that the proxymap(8) server is allowed to access
-for the read-write service. If implemented with local files, these
-tables are preferably stored under the location specified with the
-data_directory configuration parameter.
-Table references that don't begin with proxy: are ignored.
-</p>
+<p> The lookup tables that the proxymap(8) server is allowed to
+access for the read-write service. Postfix-owned local database
+files should be stored under the Postfix-owned data_directory.
+Table references that don't begin with proxy: are ignored. </p>
<p>
This feature is available in Postfix 2.5 and later.
per-smtpd-instance master.cf overrides of this parameter are not
effective. Note, that each of the cache databases supported by tlsmgr(8)
daemon: $smtpd_tls_session_cache_database, $smtp_tls_session_cache_database
-(and with Postfix 2.3 and later $lmtp_session_cache_database), needs to be
-stored separately, it is not at this time possible to store multiple
+(and with Postfix 2.3 and later $lmtp_tls_session_cache_database), needs to be
+stored separately. It is not at this time possible to store multiple
caches in a single database. </p>
<p> Note: <b>dbm</b> databases are not suitable. TLS
session objects are too large. </p>
+
+<p> As of version 2.5, Postfix no longer uses root privileges when
+opening this file. The file should now be stored under the Postfix-owned
+data_directory. As a migration aid, an attempt to open the file
+under a non-Postfix directory is redirected to the Postfix-owned
+data_directory, and a warning is logged. </p>
<p> Example: </p>
per-smtp-instance master.cf overrides of this parameter are not effective.
Note, that each of the cache databases supported by tlsmgr(8) daemon:
$smtpd_tls_session_cache_database, $smtp_tls_session_cache_database
-(and with Postfix 2.3 and later $lmtp_session_cache_database), needs to
-be stored separately, it is not at this time possible to store multiple
+(and with Postfix 2.3 and later $lmtp_tls_session_cache_database), needs to
+be stored separately. It is not at this time possible to store multiple
caches in a single database. </p>
<p> Note: <b>dbm</b> databases are not suitable. TLS
session objects are too large. </p>
+
+<p> As of version 2.5, Postfix no longer uses root privileges when
+opening this file. The file should now be stored under the Postfix-owned
+data_directory. As a migration aid, an attempt to open the file
+under a non-Postfix directory is redirected to the Postfix-owned
+data_directory, and a warning is logged. </p>
<p> Example: </p>
<p> This feature is available in Postfix 2.2 and later. </p>
-%PARAM tls_random_exchange_name ${config_directory}/prng_exch
+%PARAM tls_random_exchange_name see "postconf -d" output
<p> Name of the pseudo random number generator (PRNG) state file
that is maintained by tlsmgr(8). The file is created when it does
not exist, and its length is fixed at 1024 bytes. </p>
-<p> Since this file is modified by Postfix, it should probably be
-kept in the /var file system, instead of under $config_directory.
-The location should not be inside the chroot jail. </p>
+<p> As of version 2.5, Postfix no longer uses root privileges when
+opening this file, and the default file location was changed from
+${config_directory}/prng_exch to ${data_directory}/prng_exch. As
+a migration aid, an attempt to open the file under a non-Postfix
+directory is redirected to the Postfix-owned data_directory, and a
+warning is logged. </p>
<p> This feature is available in Postfix 2.2 and later. </p>
tok822_resolve.c tok822_rewrite.c tok822_tree.c trace.c \
user_acl.c valid_mailhost_addr.c verify.c verify_clnt.c \
verp_sender.c wildcard_inet_addr.c xtext.c delivered_hdr.c \
- fold_addr.c header_body_checks.c mkmap_proxy.c
+ fold_addr.c header_body_checks.c mkmap_proxy.c data_redirect.c
OBJS = abounce.o anvil_clnt.o been_here.o bounce.o bounce_log.o \
canon_addr.o cfg_parser.o cleanup_strerror.o cleanup_strflags.o \
clnt_stream.o conv_time.o db_common.o debug_peer.o debug_process.o \
tok822_resolve.o tok822_rewrite.o tok822_tree.o trace.o \
user_acl.o valid_mailhost_addr.o verify.o verify_clnt.o \
verp_sender.o wildcard_inet_addr.o xtext.o delivered_hdr.o \
- fold_addr.o header_body_checks.o mkmap_proxy.o
+ fold_addr.o header_body_checks.o mkmap_proxy.o data_redirect.o
HDRS = abounce.h anvil_clnt.h been_here.h bounce.h bounce_log.h \
canon_addr.h cfg_parser.h cleanup_user.h clnt_stream.h config.h \
conv_time.h db_common.h debug_peer.h debug_process.h defer.h \
string_list.h strip_addr.h sys_exits.h timed_ipc.h tok822.h \
trace.h user_acl.h valid_mailhost_addr.h verify.h verify_clnt.h \
verp_sender.h wildcard_inet_addr.h xtext.h delivered_hdr.h \
- fold_addr.h header_body_checks.h
+ fold_addr.h header_body_checks.h data_redirect.h
TESTSRC = rec2stream.c stream2rec.c recdump.c
DEFS = -I. -I$(INC_DIR) -D$(SYSTYPE)
CFLAGS = $(DEBUG) $(OPT) $(DEFS)
resolve_local rewrite_clnt stream2rec string_list tok822_parse \
quote_821_local mail_conf_time mime_state strip_addr \
verify_clnt xtext anvil_clnt scache ehlo_mask \
- valid_mailhost_addr own_inet_addr header_body_checks
+ valid_mailhost_addr own_inet_addr header_body_checks \
+ data_redirect
LIBS = ../../lib/libutil.a
LIB_DIR = ../../lib
header_body_checks: header_body_checks.c $(LIB) $(LIBS)
$(CC) $(CFLAGS) -DTEST -o $@ $@.c $(LIB) $(LIBS) $(SYSLIBS)
+data_redirect: data_redirect.c $(LIB) $(LIBS)
+ $(CC) $(CFLAGS) -DTEST -o $@ $@.c $(LIB) $(LIBS) $(SYSLIBS)
+
tests: tok822_test mime_tests strip_addr_test tok822_limit_test \
xtext_test scache_multi_test ehlo_mask_test \
namadr_list_test mail_conf_time_test header_body_checks_tests
conv_time.o: ../../include/sys_defs.h
conv_time.o: conv_time.c
conv_time.o: conv_time.h
+data_redirect.o: ../../include/argv.h
+data_redirect.o: ../../include/dict.h
+data_redirect.o: ../../include/dict_cdb.h
+data_redirect.o: ../../include/dict_db.h
+data_redirect.o: ../../include/dict_dbm.h
+data_redirect.o: ../../include/msg.h
+data_redirect.o: ../../include/name_code.h
+data_redirect.o: ../../include/split_at.h
+data_redirect.o: ../../include/stringops.h
+data_redirect.o: ../../include/sys_defs.h
+data_redirect.o: ../../include/vbuf.h
+data_redirect.o: ../../include/vstream.h
+data_redirect.o: ../../include/vstring.h
+data_redirect.o: data_redirect.c
+data_redirect.o: data_redirect.h
+data_redirect.o: dict_proxy.h
+data_redirect.o: mail_params.h
db_common.o: ../../include/argv.h
db_common.o: ../../include/dict.h
db_common.o: ../../include/match_list.h
--- /dev/null
+/*++
+/* NAME
+/* data_redirect 3
+/* SUMMARY
+/* redirect legacy writes to Postfix-owned data directory
+/* SYNOPSIS
+/* #include <data_redirect.h>
+/*
+/* char *data_redirect_file(result, path)
+/* VSTRING *result;
+/* const char *path;
+/*
+/* char *data_redirect_map(result, map)
+/* VSTRING *result;
+/* const char *map;
+/* DESCRIPTION
+/* With Postfix version 2.5 and later, the tlsmgr(8) and
+/* verify(8) servers no longer open cache files with root
+/* privilege. This avoids a potential security loophole where
+/* the ownership of a file (or directory) does not match the
+/* trust level of the content of that file (or directory).
+/*
+/* This module implements a migration aid that allows a
+/* transition without disruption of service.
+/*
+/* data_redirect_file() detects a request to open a file in a
+/* non-Postfix directory, logs a warning, and redirects the
+/* request to the Postfix-owned data_directory.
+/*
+/* data_redirect_map() performs the same function for a limited
+/* subset of file-based lookup tables.
+/*
+/* Arguments:
+/* .IP result
+/* A possibly redirected copy of the input.
+/* .IP path
+/* The pathname that may be redirected.
+/* .IP map
+/* The "mapname" or "maptype:mapname" that may be redirected.
+/* The result is always in "maptype:mapname" form.
+/* BUGS
+/* Only a few map types are redirected. This is acceptable for
+/* a temporary migration tool.
+/* DIAGNOSTICS
+/* Fatal errors: memory allocation failure.
+/* CONFIGURATION PARAMETERS
+/* data_directory, location of Postfix-writable files
+/* LICENSE
+/* .ad
+/* .fi
+/* The Secure Mailer license must be distributed with this software.
+/* AUTHOR(S)
+/* Wietse Venema
+/* IBM T.J. Watson Research
+/* P.O. Box 704
+/* Yorktown Heights, NY 10598, USA
+/*--*/
+
+/* System library. */
+
+#include <sys_defs.h>
+#include <sys/stat.h>
+#include <string.h>
+
+/* Utility library. */
+
+#include <msg.h>
+#include <vstring.h>
+#include <stringops.h>
+#include <split_at.h>
+#include <name_code.h>
+#include <dict_db.h>
+#include <dict_dbm.h>
+#include <dict_cdb.h>
+
+/* Global directory. */
+
+#include <mail_params.h>
+#include <dict_proxy.h>
+#include <data_redirect.h>
+
+/* Application-specific. */
+
+#define STR(x) vstring_str(x)
+#define LEN(x) VSTRING_LEN(x)
+
+ /*
+ * Redirect only these map types, so that we don't try stupid things with
+ * NIS, *SQL or LDAP. This is a transition feature for legacy TLS and verify
+ * configurations, so it does not have to cover every possible map type.
+ *
+ * XXX In this same spirit of imperfection we also use hard-coded map names,
+ * because maintainers may add map types that the official release doesn't
+ * even know about, because map types may be added dynamically on some
+ * platforms.
+ */
+static NAME_CODE data_redirect_map_types[] = {
+ DICT_TYPE_HASH, 1,
+ DICT_TYPE_BTREE, 1,
+ DICT_TYPE_DBM, 1,
+ DICT_TYPE_CDB, 1, /* not a read-write map type */
+ "sdbm", 1, /* legacy 3rd-party TLS */
+ "dbz", 1, /* just in case */
+ 0, 0,
+};
+
+/* data_redirect_path - redirect path to Postfix-owned directory */
+
+static char *data_redirect_path(VSTRING *result, const char *path,
+ const char *log_type, const char *log_name)
+{
+ struct stat st;
+
+#define PATH_DELIMITER "/"
+
+ (void) sane_dirname(result, path);
+ if (stat(STR(result), &st) != 0 || st.st_uid == var_owner_uid) {
+ vstring_strcpy(result, path);
+ } else {
+ msg_warn("request to update %s %s in non-%s directory %s",
+ log_type, log_name, var_mail_owner, STR(result));
+ msg_warn("redirecting the request to %s-owned %s %s",
+ var_mail_owner, VAR_DATA_DIR, var_data_dir);
+ (void) sane_basename(result, path);
+ vstring_prepend(result, PATH_DELIMITER, sizeof(PATH_DELIMITER) - 1);
+ vstring_prepend(result, var_data_dir, strlen(var_data_dir));
+ }
+ return (STR(result));
+}
+
+/* data_redirect_file - redirect file to Postfix-owned directory */
+
+char *data_redirect_file(VSTRING *result, const char *path)
+{
+
+ /*
+ * Sanity check.
+ */
+ if (path == STR(result))
+ msg_panic("data_redirect_file: result clobbers input");
+
+ return (data_redirect_path(result, path, "file", path));
+}
+
+char *data_redirect_map(VSTRING *result, const char *map)
+{
+ const char *path;
+ const char *map_type;
+ size_t map_type_len;
+
+#define MAP_DELIMITER ":"
+
+ /*
+ * Sanity check.
+ */
+ if (map == STR(result))
+ msg_panic("data_redirect_map: result clobbers input");
+
+ /*
+ * Parse the input into map type and map name.
+ */
+ path = strchr(map, MAP_DELIMITER[0]);
+ if (path != 0) {
+ map_type = map;
+ map_type_len = path - map;
+ path += 1;
+ } else {
+ map_type = var_db_type;
+ map_type_len = strlen(map_type);
+ path = map;
+ }
+
+ /*
+ * Redirect the pathname.
+ */
+ vstring_strncpy(result, map_type, map_type_len);
+ if (name_code(data_redirect_map_types, NAME_CODE_FLAG_NONE, STR(result))) {
+ data_redirect_path(result, path, "table", map);
+ } else {
+ vstring_strcpy(result, path);
+ }
+
+ /*
+ * (Re)combine the map type with the map name.
+ */
+ vstring_prepend(result, MAP_DELIMITER, sizeof(MAP_DELIMITER) - 1);
+ vstring_prepend(result, map_type, map_type_len);
+ return (STR(result));
+}
+
+ /*
+ * Proof-of-concept test program. This can't be run as automated regression
+ * test, because the result depends on main.cf information (mail_owner UID
+ * and data_directory pathname) and on local file system details.
+ */
+#ifdef TEST
+
+#include <unistd.h>
+#include <stdlib.h>
+#include <vstring_vstream.h>
+#include <mail_conf.h>
+
+int main(int argc, char **argv)
+{
+ VSTRING *inbuf = vstring_alloc(100);
+ VSTRING *result = vstring_alloc(100);
+ char *bufp;
+ char *cmd;
+ char *target;
+ char *junk;
+
+ mail_conf_read();
+
+ while (vstring_get_nonl(inbuf, VSTREAM_IN) != VSTREAM_EOF) {
+ bufp = STR(inbuf);
+ if (!isatty(0)) {
+ vstream_printf("> %s\n", bufp);
+ vstream_fflush(VSTREAM_OUT);
+ }
+ if (*bufp == '#')
+ continue;
+ if ((cmd = mystrtok(&bufp, " \t")) == 0) {
+ vstream_printf("usage: file path|map maptype:mapname\n");
+ vstream_fflush(VSTREAM_OUT);
+ continue;
+ }
+ target = mystrtok(&bufp, " \t");
+ junk = mystrtok(&bufp, " \t");
+ if (strcmp(cmd, "file") == 0 && target && !junk) {
+ data_redirect_file(result, target);
+ vstream_printf("%s -> %s\n", target, STR(result));
+ } else if (strcmp(cmd, "map") == 0 && target && !junk) {
+ data_redirect_map(result, target);
+ vstream_printf("%s -> %s\n", target, STR(result));
+ } else {
+ vstream_printf("usage: file path|map maptype:mapname\n");
+ }
+ vstream_fflush(VSTREAM_OUT);
+ }
+ vstring_free(inbuf);
+ return (0);
+}
+
+#endif
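Review bot: data_redirect_map() does not handle a leading "proxy:" prefix, so a table written as proxy:btree:/some/dir/verify (the form the proxy_write_maps documentation in this patch describes) is returned unchanged, because "proxy" is not in data_redirect_map_types and the type lookup stops there; meanwhile the <dict_proxy.h> include in this file is never used. Either strip a leading proxy: before the type lookup and re-attach it when recombining the result, or drop the include (and the matching "data_redirect.o: dict_proxy.h" line in the Makefile) and say in the BUGS section that proxied tables are not redirected. Two smaller points: in data_redirect_path() a stat() failure on the parent directory silently keeps the original path, which is acceptable because the later open will fail, but deserves a one-line comment; and the TEST main() frees inbuf but not result.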
--- /dev/null
+#ifndef _DATA_REDIRECT_H_INCLUDED_
+#define _DATA_REDIRECT_H_INCLUDED_
+
+/*++
+/* NAME
+/* data_redirect 3h
+/* SUMMARY
+/* redirect writes from legacy pathname to Postfix-owned data directory
+/* SYNOPSIS
+/* #include "data_redirect.h"
+/* DESCRIPTION
+/* .nf
+
+ /*
+ * External interface.
+ */
+char *data_redirect_file(VSTRING *, const char *);
+char *data_redirect_map(VSTRING *, const char *);
+
+/* LICENSE
+/* .ad
+/* .fi
+/* The Secure Mailer license must be distributed with this software.
+/* AUTHOR(S)
+/* Wietse Venema
+/* IBM T.J. Watson Research
+/* P.O. Box 704
+/* Yorktown Heights, NY 10598, USA
+/*--*/
+
+#endif
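Review bot: the prototypes use VSTRING but the header does not include <vstring.h>, so it only compiles when the including file has already pulled in vstring.h (tlsmgr.c happens to include it earlier, which is why the build works). Add the usual "Utility library" block with #include <vstring.h> ahead of the external interface so the header stands on its own regardless of include order.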
extern int var_dup_filter_limit;
#define VAR_TLS_RAND_EXCH_NAME "tls_random_exchange_name"
-#define DEF_TLS_RAND_EXCH_NAME "${config_directory}/prng_exch"
+#define DEF_TLS_RAND_EXCH_NAME "${data_directory}/prng_exch"
extern char *var_tls_rand_exch_name;
#define VAR_TLS_RAND_SOURCE "tls_random_source"
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "2007111205"
+#define MAIL_RELEASE_DATE "20071206"
#define MAIL_VERSION_NUMBER "2.5"
#ifdef SNAPSHOT
/* setting to be used by sensitive and non-sensitive processes.
/*
/* Postfix-writable data files should be stored under a dedicated
-/* directory that is writable only by the $\fBmail_owner\fR
-/* account, such as the $\fBdata_directory\fR directory.
+/* directory that is writable only by the Postfix mail system,
+/* such as the Postfix-owned \fBdata_directory\fR.
/*
/* In particular, Postfix-writable files should never exist
/* in root-owned directories. That would open up a particular
-/* type of security hole where ownership (root) does not match
-/* content provenance (Postfix).
+/* type of security hole where ownership of a file or directory
+/* does not match the provider of its content.
/* DIAGNOSTICS
/* Problems and transactions are logged to \fBsyslogd\fR(8).
/* BUGS
/* The directory with Postfix-writable data files (for example:
/* caches, pseudo-random numbers).
/* .IP "\fBproxy_write_maps (see 'postconf -d' output)\fR"
-/* The lookup tables that the \fBproxymap\fR(8) server is allowed to access
-/* for the read-write service.
+/* The lookup tables that the \fBproxymap\fR(8) server is allowed to
+/* access for the read-write service.
/* SEE ALSO
/* postconf(5), configuration parameters
/* master(5), generic daemon options
# do not edit below this line - it is generated by 'make depend'
tlsmgr.o: ../../include/argv.h
tlsmgr.o: ../../include/attr.h
+tlsmgr.o: ../../include/data_redirect.h
tlsmgr.o: ../../include/dict.h
tlsmgr.o: ../../include/events.h
tlsmgr.o: ../../include/iostuff.h
tlsmgr.o: ../../include/mymalloc.h
tlsmgr.o: ../../include/name_code.h
tlsmgr.o: ../../include/name_mask.h
+tlsmgr.o: ../../include/set_eugid.h
tlsmgr.o: ../../include/stringops.h
tlsmgr.o: ../../include/sys_defs.h
tlsmgr.o: ../../include/tls.h
/* At process startup it connects to the entropy source and
/* exchange file, and creates or truncates the optional TLS
/* session cache files.
+/*
+/* With Postfix version 2.5 and later, the \fBtlsmgr\fR(8) no
+/* longer uses root privileges when opening cache files. These
+/* files should now be stored under the Postfix-owned
+/* \fBdata_directory\fR. As a migration aid, an attempt to
+/* open a cache file under a non-Postfix directory is redirected
+/* to the Postfix-owned \fBdata_directory\fR, and a warning
+/* is logged.
/* DIAGNOSTICS
/* Problems and transactions are logged to the syslog daemon.
/* BUGS
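Review bot: style point in the added paragraph: "the \fBtlsmgr\fR(8) no longer uses root privileges" has a stray article before a program name; the matching verify(8) paragraph in this patch writes "the \fBverify\fR(8) server no longer uses", so either drop "the" or add "server" here. Consider also naming the action the logged warning asks for (storing the file under data_directory) so the migration hint is actionable for the administrator reading the manual page.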
/* The number of bytes that \fBtlsmgr\fR(8) reads from $tls_random_source
/* when (re)seeding the in-memory pseudo random number generator (PRNG)
/* pool.
-/* .IP "\fBtls_random_exchange_name (${config_directory}/prng_exch)\fR"
+/* .IP "\fBtls_random_exchange_name (see 'postconf -d' output)\fR"
/* Name of the pseudo random number generator (PRNG) state file
/* that is maintained by \fBtlsmgr\fR(8).
/* .IP "\fBtls_random_prng_update_period (3600s)\fR"
#include <vstring.h>
#include <vstring_vstream.h>
#include <attr.h>
+#include <set_eugid.h>
/* Global library. */
#include <mail_version.h>
#include <tls_mgr.h>
#include <mail_proto.h>
+#include <data_redirect.h>
/* Master process interface. */
char *path;
struct timeval tv;
TLSMGR_SCACHE *ent;
+ VSTRING *redirect;
/*
* If nothing else works then at least this will get us a few bits of
}
/*
- * Open the PRNG exchange file while privileged. Start the exchange file
- * read/update pseudo thread after dropping privileges.
+ * Security: don't create root-owned files that contain untrusted data.
+ * And don't create Postfix-owned files in root-owned directories,
+ * either. We want a correct relationship between (file/directory)
+ * ownership and (file/directory) content.
+ */
+ SAVE_AND_SET_EUGID(var_owner_uid, var_owner_gid);
+ redirect = vstring_alloc(100);
+
+ /*
+ * Open the PRNG exchange file before going to jail, but don't use root
+ * privileges. Start the exchange file read/update pseudo thread after
+ * dropping privileges.
*/
if (*var_tls_rand_exch_name) {
- rand_exch = tls_prng_exch_open(var_tls_rand_exch_name);
+ rand_exch =
+ tls_prng_exch_open(data_redirect_file(redirect,
+ var_tls_rand_exch_name));
if (rand_exch == 0)
msg_fatal("cannot open PRNG exchange file %s: %m",
var_tls_rand_exch_name);
}
/*
- * Open the session cache files and discard old information while
- * privileged. Start the cache maintenance pseudo threads after dropping
- * privileges.
+ * Open the session cache files and discard old information before going
+ * to jail, but don't use root privilege. Start the cache maintenance
+ * pseudo threads after dropping privileges.
*
* XXX Need sanity check that the databases have different names.
*/
for (ent = cache_table; ent->cache_label; ++ent)
if (**ent->cache_db)
ent->cache_info =
- tls_scache_open(*ent->cache_db, ent->cache_label,
- *ent->cache_loglevel >= 2, *ent->cache_timeout);
+ tls_scache_open(data_redirect_map(redirect, *ent->cache_db),
+ ent->cache_label,
+ *ent->cache_loglevel >= 2,
+ *ent->cache_timeout);
+
+ /*
+ * Clean up and restore privilege.
+ */
+ vstring_free(redirect);
+ RESTORE_SAVED_EUGID();
}
/* tlsmgr_post_init - post-jail initialization */
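Review bot: the msg_fatal() at "cannot open PRNG exchange file %s: %m" still reports var_tls_rand_exch_name, but the open now goes through data_redirect_file(redirect, ...), so when the redirected path is the one that failed the log will name a file that was never opened; log vstring_str(redirect) (or both names) instead. The same VSTRING is reused for the exchange file and then for every cache_db in the loop, which is correct only as long as tls_prng_exch_open() and tls_scache_open() copy the name they are given rather than keep the pointer; a comment stating that assumption next to vstring_alloc(100) would help the next reader. Finally, the comment block "Security: don't create root-owned files that contain untrusted data ..." is duplicated word for word in verify.c; one copy in set_eugid.h or data_redirect.h with a pointer from each caller would keep the two from drifting apart.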
/* void set_eugid(euid, egid)
/* uid_t euid;
/* gid_t egid;
+/*
+/* void SAVE_AND_SET_EUGID(uid, gid)
+/* uid_t uid;
+/* gid_t gid;
+/*
+/* void RESTORE_SAVED_EUGID()
/* DESCRIPTION
/* set_eugid() sets the effective user and group process attributes
/* and updates the process group access list to be just the specified
/* effective group id.
+/*
+/* SAVE_AND_SET_EUGID() opens a block that executes with the
+/* specified privilege. RESTORE_SAVED_EUGID() closes the block.
/* DIAGNOSTICS
/* All system call errors are fatal.
/* SEE ALSO
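Review bot: the DESCRIPTION for SAVE_AND_SET_EUGID()/RESTORE_SAVED_EUGID() should document the block's restrictions: privileges are restored only by RESTORE_SAVED_EUGID(), so leaving the block with return, goto, or a bare break (the macros expand to a do-while, so break exits it silently) keeps the process at the temporary uid/gid. Say that the two macros must be paired at the same brace level in the same function (the first one declares local variables the second one uses), and that RESTORE_SAVED_EUGID() restores the effective ids that were in force when SAVE_AND_SET_EUGID() ran. The SYNOPSIS also lists the macros as if they took typed arguments like set_eugid(); note that they are macros defined in set_eugid.h, not functions.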
extern void set_eugid(uid_t, gid_t);
+ /*
+ * The following macros open and close a block that runs at a different
+ * privilege level. To make mistakes with stray curly braces less likely, we
+ * shape the macros below as the head and tail of a do-while loop.
+ */
+#define SAVE_AND_SET_EUGID(uid, gid) do { \
+ uid_t __set_eugid_uid = geteuid(); \
+ gid_t __set_eugid_gid = getegid(); \
+ set_eugid((uid), (gid));
+
+#define RESTORE_SAVED_EUGID() \
+ set_eugid(__set_eugid_uid, __set_eugid_gid); \
+ } while (0)
+
/* LICENSE
/* .ad
/* .fi
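Review bot: identifiers beginning with two underscores (__set_eugid_uid, __set_eugid_gid) are reserved for the C implementation; rename them to something like set_eugid_saved_uid / set_eugid_saved_gid. The do-while shape does make a missing RESTORE_SAVED_EUGID() a compile error, but it also means a bare break inside the block skips the restore and leaves the function at the temporary privilege; the comment above the macros should warn about break, return and goto, since that mistake is more dangerous than the stray-brace one the shape guards against. Nested use would also shadow the saved values, so a line saying the pair must not be nested would be useful.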
verify.o: ../../include/argv.h
verify.o: ../../include/attr.h
verify.o: ../../include/cleanup_user.h
+verify.o: ../../include/data_redirect.h
verify.o: ../../include/deliver_request.h
verify.o: ../../include/dict.h
verify.o: ../../include/dict_ht.h
verify.o: ../../include/mymalloc.h
verify.o: ../../include/post_mail.h
verify.o: ../../include/recipient_list.h
+verify.o: ../../include/set_eugid.h
verify.o: ../../include/split_at.h
verify.o: ../../include/stringops.h
verify.o: ../../include/sys_defs.h
/* unlimited amounts of garbage. Limiting the cache size
/* trades one problem (disk space exhaustion) for another
/* one (poor response time to client requests).
+/*
+/* With Postfix version 2.5 and later, the \fBverify\fR(8)
+/* server no longer uses root privileges when opening the
+/* \fBaddress_verify_map\fR cache file. The file should now
+/* be stored under the Postfix-owned \fBdata_directory\fR. As
+/* a migration aid, an attempt to open a cache file under a
+/* non-Postfix directory is redirected to the Postfix-owned
+/* \fBdata_directory\fR, and a warning is logged.
/* DIAGNOSTICS
/* Problems and transactions are logged to \fBsyslogd\fR(8).
/* BUGS
/* .IP "\fBaddress_verify_map (empty)\fR"
/* Optional lookup table for persistent address verification status
/* storage.
-/* .IP "\fBaddress_verify_sender (postmaster)\fR"
-/* The sender address to use in address verification probes.
+/* .IP "\fBaddress_verify_sender ($double_bounce_sender)\fR"
+/* The sender address to use in address verification probes; prior
+/* to Postfix 2.5 the default was "postmaster".
/* .IP "\fBaddress_verify_positive_expire_time (31d)\fR"
/* The time after which a successful probe expires from the address
/* verification cache.
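Review bot: the change of the address_verify_sender default from "postmaster" to "$double_bounce_sender" is a behaviour change unrelated to the cache file privilege work in the rest of this patch; it deserves its own change entry and, since verify(8) probes will now carry a different envelope sender, a mention in the release notes next to the data_directory migration. The added sentence "prior to Postfix 2.5 the default was "postmaster"" belongs in that entry as well so administrators who whitelist the probe sender can find it.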
#include <dict.h>
#include <split_at.h>
#include <stringops.h>
+#include <set_eugid.h>
/* Global library. */
#include <mail_version.h>
#include <mail_proto.h>
#include <post_mail.h>
+#include <data_redirect.h>
#include <verify_clnt.h>
/* Server skeleton. */
static void pre_jail_init(char *unused_name, char **unused_argv)
{
mode_t saved_mask;
+ VSTRING *redirect;
+
+ /*
+ * Never, ever, get killed by a master signal, as that would corrupt the
+ * database when we're in the middle of an update.
+ */
+ setsid();
+
+ /*
+ * Security: don't create root-owned files that contain untrusted data.
+ * And don't create Postfix-owned files in root-owned directories,
+ * either. We want a correct relationship between (file/directory)
+ * ownership and (file/directory) content.
+ *
+ * XXX Non-root open can violate the principle of least surprise: Postfix
+ * can't open an *SQL config file for database read-write access, even
+ * though it can open that same control file for database read-only
+ * access.
+ *
+ * The solution is to query a map type and obtain its properties before
+ * opening it. A clean solution is to add a dict_info() API that is
+ * simlar to dict_open() except it returns properties (dict flags) only.
+ * A pragmatic solution is to overload the existing API and have
+ * dict_open() return a dummy map when given a null map name.
+ *
+ * However, the proxymap daemon has been opening *SQL maps as non-root for
+ * years now without anyone complaining, let's not solve a problem that
+ * doesn't exist.
+ */
+ SAVE_AND_SET_EUGID(var_owner_uid, var_owner_gid);
+ redirect = vstring_alloc(100);
/*
* Keep state in persistent (external) or volatile (internal) map.
if (*var_verify_map) {
saved_mask = umask(022);
- verify_map = dict_open(var_verify_map,
+ verify_map = dict_open(data_redirect_map(redirect, var_verify_map),
O_CREAT | O_RDWR,
VERIFY_DICT_OPEN_FLAGS);
(void) umask(saved_mask);
}
/*
- * Never, ever, get killed by a master signal, as that would corrupt the
- * database when we're in the middle of an update.
+ * Clean up and restore privilege.
*/
- setsid();
+ vstring_free(redirect);
+ RESTORE_SAVED_EUGID();
}
MAIL_VERSION_STAMP_DECLARE;
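Review bot: the relocation of setsid() from after the dict_open() to before SAVE_AND_SET_EUGID() is not explained; the deleted and re-added comment and call are identical, so either drop the move to keep the hunk focused on the privilege change, or say in the commit message why the process must be a session leader before the map is opened. Typo in the added comment: "simlar" should be "similar". The long XXX note on non-root opens of *SQL maps ends by saying it is not a problem worth solving; if that is the decision, the proposed dict_info() design would be better kept in a TODO or tracker entry than in the body of pre_jail_init().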