unusable; Don't leak dane handle when all TLSA records are
unusable. Viktor Dukhovni. File: smtp/smtp_tls_policy.c.
- Cleanup: log TLS policy lookups as warnings. Viktor Dukhovni.
- File: smtp/smtp_connect.c.
+ Cleanup: log TLS policy lookup errors as warnings. Viktor
+ Dukhovni. File: smtp/smtp_connect.c.
20140316
proto/postconf.proto, global/mail_params.h, tls/tls_misc.c,
tls/tls_scache.h, tls/tls_server.c.
+20140416
+
+ Cleanup: replace "~0 << positive" with "~0U << positive"
+ even if we use only the lower bytes. Jeffrey Walton. File:
+ util/mask_addr.c.
+
+20140407
+
+ Documentation: the documentation for Postfix > 2.8 TLS
+ activity logging was incorrect. Loglevel 0 produces no
+ logging. Instead, information is logged only with loglevel
+ 1 or higher. Viktor Dukhovni. Files: proto/TLS_README.html,
+ proto/postconf.proto.
+
+20140501
+
+ Cleanup: postcreen_dnsbl_timeout parameter. Files:
+ mantools/postlink, proto/postconf.proto, global/mail_params.h,
+ postscreen/postscreen.c, postscreen/postscreen_dnsbl.c.
+
+ Cleanup: added table search order information to the
+ postconf(5) manpage. File: proto/postconf.proto.
+
+20140505
+
+ Cleanup: added a client port attribute to the policy
+ delegation protocol. Jernej Porenta. File: smtpd/smtpd_check.c.
+
+20140507
+
+ Bugfix (introduced: Postfix 2.11): with connection caching
+ enabled (the default), recipients could be given to the
+ wrong mail server. Root cause: due to an incorrect predicate,
+ the Postfix SMTP client could save and restore plaintext
+ connections that should not be cached, under nonsensical
+ lookup keys that did not distinguish by destination. Problem
+ reported by Sahil Tandon, predicate error found by Viktor,
+ redundant connection restore request eliminated by Wietse.
+ File: smtp/smtp_connect.c.
postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
/etc/postfix/dnsbl_reply:
- # Secret DNSBL name Name in postscreen(8) replies
- secret.zen.spamhaus.org zen.spamhaus.org
+ # Secret DNSBL name Name in postscreen(8) replies
+ secret.zen.dq.spamhaus.net zen.spamhaus.org
The texthash: format is similar to hash: except that there is no need to
run postmap(1) before the file can be used, and that it does not detect
# (available with Postfix 2.10 and later).
reject_unauth_destination
reject_rbl_client zen.spamhaus.org,
+ reject_rhsbl_reverse_client dbl.spamhaus.org,
reject_rhsbl_helo dbl.spamhaus.org,
reject_rhsbl_sender dbl.spamhaus.org
increase the log level from 0..4. Each logging level also includes the
information that is logged at a lower logging level.
- _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b
- |L\bLe\bev\bve\bel\bl|P\bPo\bos\bst\btf\bfi\bix\bx 2\b2.\b.9\b9 a\ban\bnd\bd l\bla\bat\bte\ber\br |E\bEa\bar\brl\bli\bie\ber\br r\bre\bel\ble\bea\bas\bse\bes\bs.\b. |
- |_\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |0 |Log only a summary message on TLS |Disable logging of TLS activity.|
- | |handshake completion -- no logging| |
- | |of client certificate trust-chain | |
- | |verification errors if client | |
- | |certificate verification is not | |
- | |required. | |
- |_\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |1 |Also log trust-chain verification |Also log TLS handshake and |
- | |errors and peer certificate |certificate information. |
- | |summary information. | |
- |_\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |2 |Also log levels during TLS negotiation. |
- |_\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |3 |Also log hexadecimal and ASCII dump of TLS negotiation process. |
- |_\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |4 |Also log hexadecimal and ASCII dump of complete transmission after |
- | |STARTTLS. |
- |_\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b
+ |L\bLe\bev\bve\bel\bl|P\bPo\bos\bst\btf\bfi\bix\bx 2\b2.\b.9\b9 a\ban\bnd\bd l\bla\bat\bte\ber\br |E\bEa\bar\brl\bli\bie\ber\br r\bre\bel\ble\bea\bas\bse\bes\bs.\b. |
+ |_\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ |0 |Disable logging of TLS activity. |
+ |_\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ |1 |Log only a summary message on TLS |Log the summary message, peer |
+ | |handshake completion -- no logging|certificate summary information|
+ | |of client certificate trust-chain |and unconditionally log trust- |
+ | |verification errors if client |chain verification errors. |
+ | |certificate verification is not | |
+ | |required. | |
+ |_\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ |2 |Also log levels during TLS negotiation. |
+ |_\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ |3 |Also log hexadecimal and ASCII dump of TLS negotiation process. |
+ |_\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ |4 |Also log hexadecimal and ASCII dump of complete transmission after|
+ | |STARTTLS. |
+ |_\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
Use log level 3 only in case of problems. Use of log level 4 is strongly
discouraged.
increase the loglevel from 0..4. Each logging level also includes the
information that is logged at a lower logging level.
- _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b
- |L\bLe\bev\bve\bel\bl|P\bPo\bos\bst\btf\bfi\bix\bx 2\b2.\b.9\b9 a\ban\bnd\bd l\bla\bat\bte\ber\br |E\bEa\bar\brl\bli\bie\ber\br r\bre\bel\ble\bea\bas\bse\bes\bs.\b. |
- |_\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |0 |Log only a summary message on TLS |Disable logging of TLS activity.|
- | |handshake completion -- no logging| |
- | |of remote SMTP server certificate | |
- | |trust-chain verification errors if| |
- | |server certificate verification is| |
- | |not required. | |
- |_\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |1 |Also log remote SMTP server trust-|Also log TLS handshake and |
- | |chain verification errors and peer|certificate information. |
- | |certificate summary information. | |
- |_\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |2 |Also log levels during TLS negotiation. |
- |_\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |3 |Also log hexadecimal and ASCII dump of TLS negotiation process. |
- |_\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |4 |Also log hexadecimal and ASCII dump of complete transmission after |
- | |STARTTLS. |
- |_\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b
+ |L\bLe\bev\bve\bel\bl|P\bPo\bos\bst\btf\bfi\bix\bx 2\b2.\b.9\b9 a\ban\bnd\bd l\bla\bat\bte\ber\br |E\bEa\bar\brl\bli\bie\ber\br r\bre\bel\ble\bea\bas\bse\bes\bs.\b. |
+ |_\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ |0 |Disable logging of TLS activity. |
+ |_\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ |1 |Log only a summary message on TLS |Log the summary message and |
+ | |handshake completion -- no logging|unconditionally log trust-chain|
+ | |of remote SMTP server certificate |verification errors. |
+ | |trust-chain verification errors if| |
+ | |server certificate verification is| |
+ | |not required. | |
+ |_\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ |2 |Also log levels during TLS negotiation. |
+ |_\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ |3 |Also log hexadecimal and ASCII dump of TLS negotiation process. |
+ |_\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ |4 |Also log hexadecimal and ASCII dump of complete transmission after|
+ | |STARTTLS. |
+ |_\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
Example:
<pre>
/etc/postfix/dnsbl_reply:
- # Secret DNSBL name Name in <a href="postscreen.8.html">postscreen(8)</a> replies
- secret.zen.spamhaus.org zen.spamhaus.org
+ # Secret DNSBL name Name in <a href="postscreen.8.html">postscreen(8)</a> replies
+ secret.zen.dq.spamhaus.net zen.spamhaus.org
</pre>
<p> The <a href="DATABASE_README.html#types">texthash</a>: format is similar to <a href="DATABASE_README.html#types">hash</a>: except that there is
# (available with Postfix 2.10 and later).
<a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
<a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a> zen.spamhaus.org,
+ <a href="postconf.5.html#reject_rhsbl_reverse_client">reject_rhsbl_reverse_client</a> dbl.spamhaus.org,
<a href="postconf.5.html#reject_rhsbl_helo">reject_rhsbl_helo</a> dbl.spamhaus.org,
<a href="postconf.5.html#reject_rhsbl_sender">reject_rhsbl_sender</a> dbl.spamhaus.org
<tr> <th> Level </th> <th> Postfix 2.9 and later</th> <th> Earlier
releases. </th> </tr>
-<tr> <td valign="top"> 0 </td> <td valign="top"> Log only a summary
+<tr> <td valign="top"> 0 </td> <td valign="top" colspan="2"> Disable
+logging of TLS activity. </td> </tr>
+
+<tr> <td valign="top"> 1 </td> <td valign="top"> Log only a summary
message on TLS handshake completion — no logging of client
certificate trust-chain verification errors if client certificate
-verification is not required. </td> <td valign="top"> Disable logging
-of TLS activity.</td> </tr>
-
-<tr> <td valign="top"> 1 </td> <td valign="top"> Also log trust-chain
-verification errors and peer certificate summary information. </td>
-<td valign="top"> Also log TLS handshake and certificate information.
-</td> </tr>
+verification is not required. </td> <td valign="top"> Log the summary
+message, peer certificate summary information and unconditionally log
+trust-chain verification errors. </td> </tr>
<tr> <td valign="top"> 2 </td> <td valign="top" colspan="2"> Also
log levels during TLS negotiation. </td> </tr>
<tr> <th> Level </th> <th> Postfix 2.9 and later</th> <th> Earlier
releases. </th> </tr>
-<tr> <td valign="top"> 0 </td> <td valign="top"> Log only a summary
-message on TLS handshake completion — no logging of remote
-SMTP server certificate trust-chain verification errors if server
-certificate verification is not required. </td> <td valign="top">
-Disable logging of TLS activity.</td> </tr>
+<tr> <td valign="top"> 0 </td> <td valign="top" colspan="2"> Disable
+logging of TLS activity. </td> </tr>
-<tr> <td valign="top"> 1 </td> <td valign="top"> Also log remote
-SMTP server trust-chain verification errors and peer certificate
-summary information. </td> <td valign="top"> Also log TLS handshake
-and certificate information. </td> </tr>
+<tr> <td valign="top"> 1 </td> <td valign="top"> Log only a summary
+message on TLS handshake completion — no logging of remote SMTP
+server certificate trust-chain verification errors if server certificate
+verification is not required. </td> <td valign="top"> Log the summary
+message and unconditionally log trust-chain verification errors.
+</td> </tr>
<tr> <td valign="top"> 2 </td> <td valign="top" colspan="2"> Also
log levels during TLS negotiation. </td> </tr>
<b>PROTOCOL</b>
With each connection, the <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a> server receives a DNS white/black-
- list domain name, IP address, and an ID. If the address is listed
- under the DNS white/blacklist, the <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a> server logs the match and
- replies with the query arguments plus an address list with the result-
- ing IP addresses separated by whitespace. Otherwise it replies with
- the query arguments plus an empty address list. Finally, The <a href="dnsblog.8.html"><b>dns-</b></a>
- <a href="dnsblog.8.html"><b>blog</b>(8)</a> server closes the connection.
+ list domain name, an IP address, and an ID. If the IP address is
+ listed under the DNS white/blacklist, the <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a> server logs the
+ match and replies with the query arguments plus an address list with
+ the resulting IP addresses separated by whitespace. Otherwise it
+ replies with the query arguments plus an empty address list. Finally,
+ The <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a> server closes the connection.
<b>DIAGNOSTICS</b>
Problems and transactions are logged to <b>syslogd</b>(8).
<p>
The alias databases that are used for <a href="local.8.html">local(8)</a> delivery. See
<a href="aliases.5.html">aliases(5)</a> for syntax details.
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+Note: these lookups are recursive.
</p>
<p>
manipulations see the <a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a> document.
</p>
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+Note: these lookups are recursive.
+</p>
+
<p>
If you use this feature, run "<b>postmap /etc/postfix/canonical</b>" to
build the necessary DBM or DB file after every change. The changes
lists: Postfix needs to know only if a lookup string is found or
not, but it does not use the result from table lookup. </p>
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
<p>
If this parameter is non-empty (the default), then the Postfix SMTP
server will reject mail for unknown local users.
<a href="postconf.5.html#mailbox_command_maps">mailbox_command_maps</a>, <a href="postconf.5.html#mailbox_command">mailbox_command</a>, <a href="postconf.5.html#home_mailbox">home_mailbox</a>, <a href="postconf.5.html#mail_spool_directory">mail_spool_directory</a>,
<a href="postconf.5.html#fallback_transport_maps">fallback_transport_maps</a>, <a href="postconf.5.html#fallback_transport">fallback_transport</a> and <a href="postconf.5.html#luser_relay">luser_relay</a>. </p>
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
</DD>
<a href="postconf.5.html#mailbox_command_maps">mailbox_command_maps</a>, <a href="postconf.5.html#mailbox_command">mailbox_command</a>, <a href="postconf.5.html#home_mailbox">home_mailbox</a>, <a href="postconf.5.html#mail_spool_directory">mail_spool_directory</a>,
<a href="postconf.5.html#fallback_transport_maps">fallback_transport_maps</a>, <a href="postconf.5.html#fallback_transport">fallback_transport</a> and <a href="postconf.5.html#luser_relay">luser_relay</a>. </p>
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
<p> For safety reasons, this feature does not allow $number
substitutions in regular expression maps. </p>
<p> This feature is available in Postfix 2.8. </p>
+</DD>
+
+<DT><b><a name="postscreen_dnsbl_timeout">postscreen_dnsbl_timeout</a>
+(default: 10s)</b></DT><DD>
+
+<p> The time limit for DNSBL or DNSWL lookups. This is separate from
+the timeouts in the <a href="dnsblog.8.html">dnsblog(8)</a> daemon which are defined by system
+resolver(3) routines. </p>
+
+<p> This feature is available in Postfix 2.12. </p>
+
+
</DD>
<DT><b><a name="postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>
<p>
The lookup tables that the <a href="proxymap.8.html">proxymap(8)</a> server is allowed to
access for the read-only service.
+</p>
+
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma.
Table references that don't begin with <a href="proxymap.8.html">proxy</a>: are ignored.
</p>
</p>
<p>
-This feature is available in Postfix 2.1 and later.
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
</p>
<p>
</ul>
-<p>
-Specify the types and names of databases to use. After change,
-run "<b>postmap /etc/postfix/recipient_bcc</b>".
-</p>
-
<p>
Note: with Postfix 2.3 and later the BCC address is added as if it
was specified with NOTIFY=NONE. The sender will not be notified
<a href="postconf.5.html#recipient_bcc_maps">recipient_bcc_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/recipient_bcc
</pre>
+<p>
+After a change, run "<b>postmap /etc/postfix/recipient_bcc</b>".
+</p>
+
+<p>
+This feature is available in Postfix 2.1 and later.
+</p>
+
</DD>
<pre>
# Handle both Postfix and qmail extensions (Postfix 2.11 and later).
-recipient_delimiters = +-
+<a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> = +-
</pre>
<pre>
to know only if a lookup string is found or not, but it does not
use the result from table lookup. </p>
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
<p>
If this parameter is non-empty, then the Postfix SMTP server will reject
mail to unknown relay users. This feature is off by default.
documented in <a href="relocated.5.html">relocated(5)</a>.
</p>
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
<p>
If you use this feature, run "<b>postmap /etc/postfix/relocated</b>" to
build the necessary DBM or DB file after change, then "<b>postfix
supported) is added when mail enters from outside of Postfix. </p>
<p>
-This feature is available in Postfix 2.1 and later.
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
</p>
<p>
</ul>
-<p>
-Specify the types and names of databases to use. After change,
-run "<b>postmap /etc/postfix/sender_bcc</b>".
-</p>
-
<p>
Note: with Postfix 2.3 and later the BCC address is added as if it
was specified with NOTIFY=NONE. The sender will not be notified
<a href="postconf.5.html#sender_bcc_maps">sender_bcc_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/sender_bcc
</pre>
+<p>
+After a change, run "<b>postmap /etc/postfix/sender_bcc</b>".
+</p>
+
+<p>
+This feature is available in Postfix 2.1 and later.
+</p>
+
</DD>
without overriding the global <a href="postconf.5.html#default_transport">default_transport</a> parameter setting.
This information is overruled with the <a href="transport.5.html">transport(5)</a> table. </p>
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
<p> Note: this overrides <a href="postconf.5.html#default_transport">default_transport</a>, not <a href="postconf.5.html#transport_maps">transport_maps</a>, and
therefore the expected syntax is that of <a href="postconf.5.html#default_transport">default_transport</a>, not the
syntax of <a href="postconf.5.html#transport_maps">transport_maps</a>. Specifically, this does not support the
<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a>, <a href="postconf.5.html#default_transport">default_transport</a> and with
the <a href="transport.5.html">transport(5)</a> table. </p>
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
<p> For safety reasons, this feature does not allow $number
substitutions in regular expression maps. </p>
table is not indexed by hostname for consistency with
<a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_keyword_address_maps</a>. </p>
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
<p> This feature is available in Postfix 2.2 and later. </p>
domain name, but uses something like <i>localdomain.local</i>
instead. </p>
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
<p> The table format and lookups are documented in <a href="generic.5.html">generic(5)</a>;
examples are shown in the <a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a> and
<a href="STANDARD_CONFIGURATION_README.html">STANDARD_CONFIGURATION_README</a> documents. </p>
is not indexed by hostname for consistency with
<a href="postconf.5.html#smtp_discard_ehlo_keyword_address_maps">smtp_discard_ehlo_keyword_address_maps</a>. </p>
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
<p> This feature is available in Postfix 2.4 and later. </p>
chroot jail, so you can leave the password file in /etc/postfix.
</p>
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
</DD>
<dl compact>
-<dt> </dt> <dd> 0 Log only a summary message on TLS handshake completion
+<dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>
+
+<dt> </dt> <dd> 1 Log only a summary message on TLS handshake completion
— no logging of remote SMTP server certificate trust-chain
verification errors if server certificate verification is not required.
-With Postfix 2.8 and earlier, disable logging of TLS activity. </dd>
-
-<dt> </dt> <dd> 1 Also log remote SMTP server trust-chain verification
-errors and peer certificate summary information. With Postfix 2.8
-and earlier, log TLS handshake and certificate information. </dd>
+With Postfix 2.8 and earlier, log the summary message and unconditionally
+log trust-chain verification errors. </dd>
<dt> </dt> <dd> 2 Also log levels during TLS negotiation. </dd>
<a href="TLS_README.html">TLS_README</a> for a more detailed discussion of TLS security levels.
</p>
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
<p> The TLS policy table is indexed by the full next-hop destination,
which is either the recipient domain, or the verbatim next-hop
specified in the transport table, $<a href="postconf.5.html#local_transport">local_transport</a>, $<a href="postconf.5.html#virtual_transport">virtual_transport</a>,
etc.) that the Postfix SMTP server will not send in the EHLO response
to a
remote SMTP client. See <a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a> for details.
-The table is not searched by hostname for robustness reasons. </p>
+The tables are not searched by hostname for robustness reasons. </p>
+
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
<p> This feature is available in Postfix 2.2 and later. </p>
<dd>Reject the request when Postfix is not final destination for
the recipient domain, and the RCPT TO domain has 1) no DNS MX and
-no DNS address
+no DNS A
record or 2) a malformed MX record such as a record with
a zero-length MX hostname (Postfix version 2.3 and later). <br> The
<a href="postconf.5.html#unknown_address_reject_code">unknown_address_reject_code</a> parameter specifies the numerical
</p>
<p>
-Specify zero or more "<a href="DATABASE_README.html">type:table</a>" lookup tables. With lookups from
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found. With lookups from
indexed files such as DB or DBM, or from networked tables such as
NIS, LDAP or SQL, the following search operations are done with a
sender address of <i>user@domain</i>: </p>
<dd>Reject the request when Postfix is not final destination for
the sender address, and the MAIL FROM domain has 1) no DNS MX and
-no DNS address
+no DNS A
record, or 2) a malformed MX record such as a record with
a zero-length MX hostname (Postfix version 2.3 and later). <br> The
<a href="postconf.5.html#unknown_address_reject_code">unknown_address_reject_code</a> parameter specifies the numerical
<dl compact>
-<dt> </dt> <dd> 0 Log only a summary message on TLS handshake completion
-— no logging of remote SMTP client certificate trust-chain verification
-errors
-if client certificate verification is not required. With Postfix 2.8
-and earlier, disable logging of TLS activity. </dd>
+<dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>
-<dt> </dt> <dd> 1 Also log trust-chain verification errors and peer
-certificate name and issuer. With Postfix 2.8 and earlier, log TLS
-handshake and certificate information. </dd>
+<dt> </dt> <dd> 1 Log only a summary message on TLS handshake completion
+— no logging of client certificate trust-chain verification errors
+if client certificate verification is not required. With Postfix 2.8 and
+earlier, log the summary message, peer certificate summary information
+and unconditionally log trust-chain verification errors. </dd>
<dt> </dt> <dd> 2 Also log levels during TLS negotiation. </dd>
</p>
<p>
-Specify zero or more "<a href="DATABASE_README.html">type:table</a>" lookup tables. If you use this
+Specify zero or more "<a href="DATABASE_README.html">type:table</a>" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found. If you use this
feature with local files, run "<b>postmap /etc/postfix/transport</b>"
after making a change. </p>
value is backwards compatible with Postfix version 1.1.
</p>
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+Note: these lookups are recursive.
+</p>
+
<p>
If you use this feature with indexed files, run "<b>postmap
/etc/postfix/virtual</b>" after changing the file.
It does not apply when mail is delivered with a different mail
delivery program. </p>
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
<p>
In a lookup table, specify a left-hand side of "@domain.tld" to
match any user in the specified domain that does not have a specific
match $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>.
</p>
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
<p>
In a lookup table, specify a left-hand side of "@domain.tld" to
match any user in the specified domain that does not have a specific
It does not apply when mail is delivered with a different mail
delivery program. </p>
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
<p>
In a lookup table, specify a left-hand side of "@domain.tld"
to match any user in the specified domain that does not have a
greeting" protocol tests, based on its combined DNSBL score as
defined with the <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> parameter.
+ Available in Postfix version 2.11 and later:
+
+ <b><a href="postconf.5.html#postscreen_dnsbl_timeout">postscreen_dnsbl_timeout</a> (10s)</b>
+ The time limit for DNSBL or DNSWL lookups.
+
<b>AFTER 220 GREETING TESTS</b>
These tests are executed after the remote SMTP client receives the "220
servername" greeting. If a client passes all tests during this phase,
.SH alias_maps (default: see "postconf -d" output)
The alias databases that are used for \fBlocal\fR(8) delivery. See
\fBaliases\fR(5) for syntax details.
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+Note: these lookups are recursive.
.PP
The default list is system dependent. On systems with NIS, the
default is to search the local alias database, then the NIS alias
are documented in \fBcanonical\fR(5). For an overview of Postfix address
manipulations see the ADDRESS_REWRITING_README document.
.PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+Note: these lookups are recursive.
+.PP
If you use this feature, run "\fBpostmap /etc/postfix/canonical\fR" to
build the necessary DBM or DB file after every change. The changes
will become visible after a minute or so. Use "\fBpostfix reload\fR"
lists: Postfix needs to know only if a lookup string is found or
not, but it does not use the result from table lookup.
.PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+.PP
If this parameter is non-empty (the default), then the Postfix SMTP
server will reject mail for unknown local users.
.PP
is: aliases, .forward files, mailbox_transport_maps, mailbox_transport,
mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory,
fallback_transport_maps, fallback_transport and luser_relay.
+.PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
.SH mailbox_delivery_lock (default: see "postconf -d" output)
How to lock a UNIX-style \fBlocal\fR(8) mailbox before attempting delivery.
For a list of available file locking methods, use the "\fBpostconf
mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory,
fallback_transport_maps, fallback_transport and luser_relay.
.PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+.PP
For safety reasons, this feature does not allow $number
substitutions in regular expression maps.
.PP
parameter.
.PP
This feature is available in Postfix 2.8.
+.SH postscreen_dnsbl_timeout (default: 10s)
+The time limit for DNSBL or DNSWL lookups. This is separate from
+the timeouts in the \fBdnsblog\fR(8) daemon which are defined by system
+\fBresolver\fR(3) routines.
+.PP
+This feature is available in Postfix 2.12.
.SH postscreen_dnsbl_ttl (default: 1h)
The amount of time that \fBpostscreen\fR(8) will use the result from
a successful DNS blocklist test. During this time, the client IP address
.SH proxy_read_maps (default: see "postconf -d" output)
The lookup tables that the \fBproxymap\fR(8) server is allowed to
access for the read-only service.
+.PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma.
Table references that don't begin with proxy: are ignored.
.PP
This feature is available in Postfix 2.0 and later.
recipient address. The BCC address (multiple results are not
supported) is added when mail enters from outside of Postfix.
.PP
-This feature is available in Postfix 2.1 and later.
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
.PP
The table search order is as follows:
.IP \(bu
Look up the "@domain.tld" part.
.br
.PP
-Specify the types and names of databases to use. After change,
-run "\fBpostmap /etc/postfix/recipient_bcc\fR".
-.PP
Note: with Postfix 2.3 and later the BCC address is added as if it
was specified with NOTIFY=NONE. The sender will not be notified
when the BCC address is undeliverable, as long as all down-stream
.fi
.ad
.ft R
+.PP
+After a change, run "\fBpostmap /etc/postfix/recipient_bcc\fR".
+.PP
+This feature is available in Postfix 2.1 and later.
.SH recipient_canonical_classes (default: envelope_recipient, header_recipient)
What addresses are subject to recipient_canonical_maps address
mapping. By default, recipient_canonical_maps address mapping is
.na
.ft C
# Handle both Postfix and qmail extensions (Postfix 2.11 and later).
-recipient_delimiters = +-
+recipient_delimiter = +-
.fi
.ad
.ft R
to know only if a lookup string is found or not, but it does not
use the result from table lookup.
.PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+.PP
If this parameter is non-empty, then the Postfix SMTP server will reject
mail to unknown relay users. This feature is off by default.
.PP
domains that no longer exist. The table format and lookups are
documented in \fBrelocated\fR(5).
.PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+.PP
If you use this feature, run "\fBpostmap /etc/postfix/relocated\fR" to
build the necessary DBM or DB file after change, then "\fBpostfix
reload\fR" to make the changes visible.
by sender address. The BCC address (multiple results are not
supported) is added when mail enters from outside of Postfix.
.PP
-This feature is available in Postfix 2.1 and later.
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
.PP
The table search order is as follows:
.IP \(bu
Look up the "@domain.tld" part.
.br
.PP
-Specify the types and names of databases to use. After change,
-run "\fBpostmap /etc/postfix/sender_bcc\fR".
-.PP
Note: with Postfix 2.3 and later the BCC address is added as if it
was specified with NOTIFY=NONE. The sender will not be notified
when the BCC address is undeliverable, as long as all down-stream
.fi
.ad
.ft R
+.PP
+After a change, run "\fBpostmap /etc/postfix/sender_bcc\fR".
+.PP
+This feature is available in Postfix 2.1 and later.
.SH sender_canonical_classes (default: envelope_sender, header_sender)
What addresses are subject to sender_canonical_maps address
mapping. By default, sender_canonical_maps address mapping is
without overriding the global default_transport parameter setting.
This information is overruled with the \fBtransport\fR(5) table.
.PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+.PP
Note: this overrides default_transport, not transport_maps, and
therefore the expected syntax is that of default_transport, not the
syntax of transport_maps. Specifically, this does not support the
sender_dependent_default_transport_maps, default_transport and with
the \fBtransport\fR(5) table.
.PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+.PP
For safety reasons, this feature does not allow $number
substitutions in regular expression maps.
.PP
table is not indexed by hostname for consistency with
smtpd_discard_ehlo_keyword_address_maps.
.PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+.PP
This feature is available in Postfix 2.2 and later.
.SH smtp_discard_ehlo_keywords (default: empty)
A case insensitive list of EHLO keywords (pipelining, starttls,
domain name, but uses something like \fIlocaldomain.local\fR
instead.
.PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+.PP
The table format and lookups are documented in \fBgeneric\fR(5);
examples are shown in the ADDRESS_REWRITING_README and
STANDARD_CONFIGURATION_README documents.
is not indexed by hostname for consistency with
smtp_discard_ehlo_keyword_address_maps.
.PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+.PP
This feature is available in Postfix 2.4 and later.
.SH smtp_pix_workaround_threshold_time (default: 500s)
How long a message must be queued before the Postfix SMTP client
.PP
The Postfix SMTP client opens the lookup table before going to
chroot jail, so you can leave the password file in /etc/postfix.
+.PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
.SH smtp_sasl_path (default: empty)
Implementation-specific information that the Postfix SMTP client
passes through to
Each logging level also includes the information that is logged at
a lower logging level.
.IP ""
-0 Log only a summary message on TLS handshake completion
-- no logging of remote SMTP server certificate trust-chain
-verification errors if server certificate verification is not required.
-With Postfix 2.8 and earlier, disable logging of TLS activity.
+0 Disable logging of TLS activity.
.br
.IP ""
-1 Also log remote SMTP server trust-chain verification
-errors and peer certificate summary information. With Postfix 2.8
-and earlier, log TLS handshake and certificate information.
+1 Log only a summary message on TLS handshake completion
+- no logging of remote SMTP server certificate trust-chain
+verification errors if server certificate verification is not required.
+With Postfix 2.8 and earlier, log the summary message and unconditionally
+log trust-chain verification errors.
.br
.IP ""
2 Also log levels during TLS negotiation.
this overrides the obsolete smtp_tls_per_site parameter. See
TLS_README for a more detailed discussion of TLS security levels.
.PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+.PP
The TLS policy table is indexed by the full next-hop destination,
which is either the recipient domain, or the verbatim next-hop
specified in the transport table, $local_transport, $virtual_transport,
etc.) that the Postfix SMTP server will not send in the EHLO response
to a
remote SMTP client. See smtpd_discard_ehlo_keywords for details.
-The table is not searched by hostname for robustness reasons.
+The tables are not searched by hostname for robustness reasons.
+.PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
.PP
This feature is available in Postfix 2.2 and later.
.SH smtpd_discard_ehlo_keywords (default: empty)
.IP "\fBreject_unknown_recipient_domain\fR"
Reject the request when Postfix is not final destination for
the recipient domain, and the RCPT TO domain has 1) no DNS MX and
-no DNS address
+no DNS A
record or 2) a malformed MX record such as a record with
a zero-length MX hostname (Postfix version 2.3 and later).
.br
Optional lookup table with the SASL login names that own sender
(MAIL FROM) addresses.
.PP
-Specify zero or more "type:table" lookup tables. With lookups from
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found. With lookups from
indexed files such as DB or DBM, or from networked tables such as
NIS, LDAP or SQL, the following search operations are done with a
sender address of \fIuser@domain\fR:
.IP "\fBreject_unknown_sender_domain\fR"
Reject the request when Postfix is not final destination for
the sender address, and the MAIL FROM domain has 1) no DNS MX and
-no DNS address
+no DNS A
record, or 2) a malformed MX record such as a record with
a zero-length MX hostname (Postfix version 2.3 and later).
.br
Each logging level also includes the information that is logged at
a lower logging level.
.IP ""
-0 Log only a summary message on TLS handshake completion
-- no logging of remote SMTP client certificate trust-chain verification
-errors
-if client certificate verification is not required. With Postfix 2.8
-and earlier, disable logging of TLS activity.
+0 Disable logging of TLS activity.
.br
.IP ""
-1 Also log trust-chain verification errors and peer
-certificate name and issuer. With Postfix 2.8 and earlier, log TLS
-handshake and certificate information.
+1 Log only a summary message on TLS handshake completion
+- no logging of client certificate trust-chain verification errors
+if client certificate verification is not required. With Postfix 2.8 and
+earlier, log the summary message, peer certificate summary information
+and unconditionally log trust-chain verification errors.
.br
.IP ""
2 Also log levels during TLS negotiation.
(message delivery transport, next-hop destination). See \fBtransport\fR(5)
for details.
.PP
-Specify zero or more "type:table" lookup tables. If you use this
+Specify zero or more "type:table" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found. If you use this
feature with local files, run "\fBpostmap /etc/postfix/transport\fR"
after making a change.
.PP
This feature is available in Postfix 2.0 and later. The default
value is backwards compatible with Postfix version 1.1.
.PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+Note: these lookups are recursive.
+.PP
If you use this feature with indexed files, run "\fBpostmap
/etc/postfix/virtual\fR" after changing the file.
.PP
It does not apply when mail is delivered with a different mail
delivery program.
.PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+.PP
In a lookup table, specify a left-hand side of "@domain.tld" to
match any user in the specified domain that does not have a specific
"user@domain.tld" entry.
Optional lookup tables with all valid addresses in the domains that
match $virtual_mailbox_domains.
.PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+.PP
In a lookup table, specify a left-hand side of "@domain.tld" to
match any user in the specified domain that does not have a specific
"user@domain.tld" entry.
It does not apply when mail is delivered with a different mail
delivery program.
.PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+.PP
In a lookup table, specify a left-hand side of "@domain.tld"
to match any user in the specified domain that does not have a
specific "user@domain.tld" entry.
.ad
.fi
With each connection, the \fBdnsblog\fR(8) server receives
-a DNS white/blacklist domain name, IP address, and an ID.
-If the address is listed under the DNS white/blacklist, the
+a DNS white/blacklist domain name, an IP address, and an ID.
+If the IP address is listed under the DNS white/blacklist, the
\fBdnsblog\fR(8) server logs the match and replies with the
query arguments plus an address list with the resulting IP
addresses separated by whitespace. Otherwise it replies
Allow a remote SMTP client to skip "before" and "after 220
greeting" protocol tests, based on its combined DNSBL score as
defined with the postscreen_dnsbl_sites parameter.
+.PP
+Available in Postfix version 2.11 and later:
+.IP "\fBpostscreen_dnsbl_timeout (10s)\fR"
+The time limit for DNSBL or DNSWL lookups.
.SH "AFTER 220 GREETING TESTS"
.na
.nf
s;\bpostscreen_dnsbl_whitelist_thresh[-</bB>]*\n* *[<bB>]*old\b;<a href="postconf.5.html#postscreen_dnsbl_whitelist_threshold">$&</a>;g;
s;\bpostscreen_dnsbl_action\b;<a href="postconf.5.html#postscreen_dnsbl_action">$&</a>;g;
s;\bpostscreen_dnsbl_ttl\b;<a href="postconf.5.html#postscreen_dnsbl_ttl">$&</a>;g;
+ s;\bpostscreen_dnsbl_timeout\b;<a href="postconf.5.html#postscreen_dnsbl_timeout">$&</a>;g;
s;\bpostscreen_for[-</bB>]*\n*[ <bB>]*bid[-</bB>]*\n* *[<bB>]*den_commands\b;<a href="postconf.5.html#postscreen_forbidden_commands">$&</a>;g;
s;\bpostscreen_helo_required\b;<a href="postconf.5.html#postscreen_helo_required">$&</a>;g;
s;\bpostscreen_non_smtp_command_enable\b;<a href="postconf.5.html#postscreen_non_smtp_command_enable">$&</a>;g;
<pre>
/etc/postfix/dnsbl_reply:
- # Secret DNSBL name Name in postscreen(8) replies
- secret.zen.spamhaus.org zen.spamhaus.org
+ # Secret DNSBL name Name in postscreen(8) replies
+ secret.zen.dq.spamhaus.net zen.spamhaus.org
</pre>
<p> The texthash: format is similar to hash: except that there is
# (available with Postfix 2.10 and later).
reject_unauth_destination
reject_rbl_client zen.spamhaus.org,
+ reject_rhsbl_reverse_client dbl.spamhaus.org,
reject_rhsbl_helo dbl.spamhaus.org,
reject_rhsbl_sender dbl.spamhaus.org
<tr> <th> Level </th> <th> Postfix 2.9 and later</th> <th> Earlier
releases. </th> </tr>
-<tr> <td valign="top"> 0 </td> <td valign="top"> Log only a summary
+<tr> <td valign="top"> 0 </td> <td valign="top" colspan="2"> Disable
+logging of TLS activity. </td> </tr>
+
+<tr> <td valign="top"> 1 </td> <td valign="top"> Log only a summary
message on TLS handshake completion — no logging of client
certificate trust-chain verification errors if client certificate
-verification is not required. </td> <td valign="top"> Disable logging
-of TLS activity.</td> </tr>
-
-<tr> <td valign="top"> 1 </td> <td valign="top"> Also log trust-chain
-verification errors and peer certificate summary information. </td>
-<td valign="top"> Also log TLS handshake and certificate information.
-</td> </tr>
+verification is not required. </td> <td valign="top"> Log the summary
+message, peer certificate summary information and unconditionally log
+trust-chain verification errors. </td> </tr>
<tr> <td valign="top"> 2 </td> <td valign="top" colspan="2"> Also
log levels during TLS negotiation. </td> </tr>
<tr> <th> Level </th> <th> Postfix 2.9 and later</th> <th> Earlier
releases. </th> </tr>
-<tr> <td valign="top"> 0 </td> <td valign="top"> Log only a summary
-message on TLS handshake completion — no logging of remote
-SMTP server certificate trust-chain verification errors if server
-certificate verification is not required. </td> <td valign="top">
-Disable logging of TLS activity.</td> </tr>
+<tr> <td valign="top"> 0 </td> <td valign="top" colspan="2"> Disable
+logging of TLS activity. </td> </tr>
-<tr> <td valign="top"> 1 </td> <td valign="top"> Also log remote
-SMTP server trust-chain verification errors and peer certificate
-summary information. </td> <td valign="top"> Also log TLS handshake
-and certificate information. </td> </tr>
+<tr> <td valign="top"> 1 </td> <td valign="top"> Log only a summary
+message on TLS handshake completion — no logging of remote SMTP
+server certificate trust-chain verification errors if server certificate
+verification is not required. </td> <td valign="top"> Log the summary
+message and unconditionally log trust-chain verification errors.
+</td> </tr>
<tr> <td valign="top"> 2 </td> <td valign="top" colspan="2"> Also
log levels during TLS negotiation. </td> </tr>
<p>
The alias databases that are used for local(8) delivery. See
aliases(5) for syntax details.
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+Note: these lookups are recursive.
</p>
<p>
manipulations see the ADDRESS_REWRITING_README document.
</p>
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+Note: these lookups are recursive.
+</p>
+
<p>
If you use this feature, run "<b>postmap /etc/postfix/canonical</b>" to
build the necessary DBM or DB file after every change. The changes
lists: Postfix needs to know only if a lookup string is found or
not, but it does not use the result from table lookup. </p>
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
<p>
If this parameter is non-empty (the default), then the Postfix SMTP
server will reject mail for unknown local users.
</p>
<p>
-This feature is available in Postfix 2.1 and later.
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
</p>
<p>
</ul>
-<p>
-Specify the types and names of databases to use. After change,
-run "<b>postmap /etc/postfix/recipient_bcc</b>".
-</p>
-
<p>
Note: with Postfix 2.3 and later the BCC address is added as if it
was specified with NOTIFY=NONE. The sender will not be notified
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
</pre>
+<p>
+After a change, run "<b>postmap /etc/postfix/recipient_bcc</b>".
+</p>
+
+<p>
+This feature is available in Postfix 2.1 and later.
+</p>
+
%PARAM recipient_canonical_maps
<p>
<pre>
# Handle both Postfix and qmail extensions (Postfix 2.11 and later).
-recipient_delimiters = +-
+recipient_delimiter = +-
</pre>
<pre>
to know only if a lookup string is found or not, but it does not
use the result from table lookup. </p>
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
<p>
If this parameter is non-empty, then the Postfix SMTP server will reject
mail to unknown relay users. This feature is off by default.
documented in relocated(5).
</p>
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
<p>
If you use this feature, run "<b>postmap /etc/postfix/relocated</b>" to
build the necessary DBM or DB file after change, then "<b>postfix
supported) is added when mail enters from outside of Postfix. </p>
<p>
-This feature is available in Postfix 2.1 and later.
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
</p>
<p>
</ul>
-<p>
-Specify the types and names of databases to use. After change,
-run "<b>postmap /etc/postfix/sender_bcc</b>".
-</p>
-
<p>
Note: with Postfix 2.3 and later the BCC address is added as if it
was specified with NOTIFY=NONE. The sender will not be notified
sender_bcc_maps = hash:/etc/postfix/sender_bcc
</pre>
+<p>
+After a change, run "<b>postmap /etc/postfix/sender_bcc</b>".
+</p>
+
+<p>
+This feature is available in Postfix 2.1 and later.
+</p>
+
%PARAM sender_canonical_maps
<p>
chroot jail, so you can leave the password file in /etc/postfix.
</p>
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
%PARAM smtp_sasl_security_options noplaintext, noanonymous
<p> Postfix SMTP client SASL security options; as of Postfix 2.3
<dd>Reject the request when Postfix is not final destination for
the recipient domain, and the RCPT TO domain has 1) no DNS MX and
-no DNS address
+no DNS A
record or 2) a malformed MX record such as a record with
a zero-length MX hostname (Postfix version 2.3 and later). <br> The
unknown_address_reject_code parameter specifies the numerical
</p>
<p>
-Specify zero or more "type:table" lookup tables. With lookups from
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found. With lookups from
indexed files such as DB or DBM, or from networked tables such as
NIS, LDAP or SQL, the following search operations are done with a
sender address of <i>user@domain</i>: </p>
<dd>Reject the request when Postfix is not final destination for
the sender address, and the MAIL FROM domain has 1) no DNS MX and
-no DNS address
+no DNS A
record, or 2) a malformed MX record such as a record with
a zero-length MX hostname (Postfix version 2.3 and later). <br> The
unknown_address_reject_code parameter specifies the numerical
</p>
<p>
-Specify zero or more "type:table" lookup tables. If you use this
+Specify zero or more "type:table" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found. If you use this
feature with local files, run "<b>postmap /etc/postfix/transport</b>"
after making a change. </p>
value is backwards compatible with Postfix version 1.1.
</p>
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+Note: these lookups are recursive.
+</p>
+
<p>
If you use this feature with indexed files, run "<b>postmap
/etc/postfix/virtual</b>" after changing the file.
mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory,
fallback_transport_maps, fallback_transport and luser_relay. </p>
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
%PARAM mailbox_delivery_lock see "postconf -d" output
<p>
<p>
The lookup tables that the proxymap(8) server is allowed to
access for the read-only service.
+</p>
+
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma.
Table references that don't begin with proxy: are ignored.
</p>
It does not apply when mail is delivered with a different mail
delivery program. </p>
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
<p>
In a lookup table, specify a left-hand side of "@domain.tld" to
match any user in the specified domain that does not have a specific
match $virtual_mailbox_domains.
</p>
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
<p>
In a lookup table, specify a left-hand side of "@domain.tld" to
match any user in the specified domain that does not have a specific
It does not apply when mail is delivered with a different mail
delivery program. </p>
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
<p>
In a lookup table, specify a left-hand side of "@domain.tld"
to match any user in the specified domain that does not have a
table is not indexed by hostname for consistency with
smtpd_discard_ehlo_keyword_address_maps. </p>
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
<p> This feature is available in Postfix 2.2 and later. </p>
%PARAM smtpd_discard_ehlo_keyword_address_maps
etc.) that the Postfix SMTP server will not send in the EHLO response
to a
remote SMTP client. See smtpd_discard_ehlo_keywords for details.
-The table is not searched by hostname for robustness reasons. </p>
+The tables are not searched by hostname for robustness reasons. </p>
+
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
<p> This feature is available in Postfix 2.2 and later. </p>
<dl compact>
-<dt> </dt> <dd> 0 Log only a summary message on TLS handshake completion
-— no logging of remote SMTP client certificate trust-chain verification
-errors
-if client certificate verification is not required. With Postfix 2.8
-and earlier, disable logging of TLS activity. </dd>
+<dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>
-<dt> </dt> <dd> 1 Also log trust-chain verification errors and peer
-certificate name and issuer. With Postfix 2.8 and earlier, log TLS
-handshake and certificate information. </dd>
+<dt> </dt> <dd> 1 Log only a summary message on TLS handshake completion
+— no logging of client certificate trust-chain verification errors
+if client certificate verification is not required. With Postfix 2.8 and
+earlier, log the summary message, peer certificate summary information
+and unconditionally log trust-chain verification errors. </dd>
<dt> </dt> <dd> 2 Also log levels during TLS negotiation. </dd>
<dl compact>
-<dt> </dt> <dd> 0 Log only a summary message on TLS handshake completion
+<dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>
+
+<dt> </dt> <dd> 1 Log only a summary message on TLS handshake completion
— no logging of remote SMTP server certificate trust-chain
verification errors if server certificate verification is not required.
-With Postfix 2.8 and earlier, disable logging of TLS activity. </dd>
-
-<dt> </dt> <dd> 1 Also log remote SMTP server trust-chain verification
-errors and peer certificate summary information. With Postfix 2.8
-and earlier, log TLS handshake and certificate information. </dd>
+With Postfix 2.8 and earlier, log the summary message and unconditionally
+log trust-chain verification errors. </dd>
<dt> </dt> <dd> 2 Also log levels during TLS negotiation. </dd>
domain name, but uses something like <i>localdomain.local</i>
instead. </p>
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
<p> The table format and lookups are documented in generic(5);
examples are shown in the ADDRESS_REWRITING_README and
STANDARD_CONFIGURATION_README documents. </p>
sender_dependent_default_transport_maps, default_transport and with
the transport(5) table. </p>
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
<p> For safety reasons, this feature does not allow $number
substitutions in regular expression maps. </p>
mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory,
fallback_transport_maps, fallback_transport and luser_relay. </p>
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
<p> For safety reasons, this feature does not allow $number
substitutions in regular expression maps. </p>
TLS_README for a more detailed discussion of TLS security levels.
</p>
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
<p> The TLS policy table is indexed by the full next-hop destination,
which is either the recipient domain, or the verbatim next-hop
specified in the transport table, $local_transport, $virtual_transport,
is not indexed by hostname for consistency with
smtp_discard_ehlo_keyword_address_maps. </p>
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
<p> This feature is available in Postfix 2.4 and later. </p>
%PARAM lmtp_pix_workarounds
without overriding the global default_transport parameter setting.
This information is overruled with the transport(5) table. </p>
+<p>
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+</p>
+
<p> Note: this overrides default_transport, not transport_maps, and
therefore the expected syntax is that of default_transport, not the
syntax of transport_maps. Specifically, this does not support the
<p> This feature is available in Postfix 2.8. </p>
+%PARAM postscreen_dnsbl_timeout 10s
+
+<p> The time limit for DNSBL or DNSWL lookups. This is separate from
+the timeouts in the dnsblog(8) daemon which are defined by system
+resolver(3) routines. </p>
+
+<p> This feature is available in Postfix 2.12. </p>
%PARAM postscreen_bare_newline_action ignore
<p> The action that postscreen(8) takes when a remote SMTP client sends
/* .ad
/* .fi
/* With each connection, the \fBdnsblog\fR(8) server receives
-/* a DNS white/blacklist domain name, IP address, and an ID.
-/* If the address is listed under the DNS white/blacklist, the
+/* a DNS white/blacklist domain name, an IP address, and an ID.
+/* If the IP address is listed under the DNS white/blacklist, the
/* \fBdnsblog\fR(8) server logs the match and replies with the
/* query arguments plus an address list with the resulting IP
/* addresses separated by whitespace. Otherwise it replies
#define DEF_PSC_DNSBL_REPLY ""
extern char *var_psc_dnsbl_reply;
+#define VAR_PSC_DNSBL_TMOUT "postscreen_dnsbl_timeout"
+#define DEF_PSC_DNSBL_TMOUT "10s"
+extern int var_psc_dnsbl_tmout;
+
#define VAR_PSC_PIPEL_ENABLE "postscreen_pipelining_enable"
#define DEF_PSC_PIPEL_ENABLE 0
extern bool var_psc_pipel_enable;
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20140406"
+#define MAIL_RELEASE_DATE "20140507"
#define MAIL_VERSION_NUMBER "2.12"
#ifdef SNAPSHOT
/* Allow a remote SMTP client to skip "before" and "after 220
/* greeting" protocol tests, based on its combined DNSBL score as
/* defined with the postscreen_dnsbl_sites parameter.
+/* .PP
+/* Available in Postfix version 2.11 and later:
+/* .IP "\fBpostscreen_dnsbl_timeout (10s)\fR"
+/* The time limit for DNSBL or DNSWL lookups.
/* AFTER 220 GREETING TESTS
/* .ad
/* .fi
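Review bot: The added manpage comment says `Available in Postfix version 2.11 and later`, but the postconf description of the same parameter added in this patch says "This feature is available in Postfix 2.12", and `MAIL_VERSION_NUMBER` in this patch is "2.12". The two statements cannot both be right. If the parameter first ships with 2.12, the line should read `/* Available in Postfix version 2.12 and later:`.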
int var_psc_dnsbl_wthresh;
char *var_psc_dnsbl_action;
int var_psc_dnsbl_ttl;
+int var_psc_dnsbl_tmout;
bool var_psc_pipel_enable;
char *var_psc_pipel_action;
VAR_PSC_CACHE_SCAN, DEF_PSC_CACHE_SCAN, &var_psc_cache_scan, 0, 0,
VAR_PSC_WATCHDOG, DEF_PSC_WATCHDOG, &var_psc_watchdog, 10, 0,
VAR_PSC_UPROXY_TMOUT, DEF_PSC_UPROXY_TMOUT, &var_psc_uproxy_tmout, 1, 0,
+ VAR_PSC_DNSBL_TMOUT, DEF_PSC_DNSBL_TMOUT, &var_psc_dnsbl_tmout, 1, 0,
+
0,
};
static const CONFIG_BOOL_TABLE bool_table[] = {
/*
* Talking to the DNSBLOG service.
*/
-#define DNSBLOG_TIMEOUT 10
static char *psc_dnsbl_service;
/*
PSC_CALL_BACK_NOTIFY(score, PSC_NULL_EVENT);
} else if (event == EVENT_TIME) {
msg_warn("dnsblog reply timeout %ds for %s",
- DNSBLOG_TIMEOUT, (char *) vstream_context(stream));
+ var_psc_dnsbl_tmout, (char *) vstream_context(stream));
}
/* Here, score may be a null pointer. */
vstream_fclose(stream);
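Review bot: With the timeout now operator-configurable, the `EVENT_TIME` branch deserves a comment stating what a timeout means for the client's score: as far as this hunk shows, the branch only logs a warning before the stream is closed, so a DNSBL that does not answer in time adds nothing. The table entry added for `postscreen_dnsbl_timeout` accepts values down to 1 (unit presumably seconds), which would make slow lists count as misses, and the `dnsblog reply timeout` warning is the only signal of that. Suggested comment in the branch: `/* Timed out: this lookup contributes no score; watch for this warning. */`. The same variable arms the read timer in the `PSC_READ_EVENT_REQUEST` hunk that follows; both enclosing functions start outside their hunks.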
continue;
}
PSC_READ_EVENT_REQUEST(vstream_fileno(stream), psc_dnsbl_receive,
- (char *) stream, DNSBLOG_TIMEOUT);
+ (char *) stream, var_psc_dnsbl_tmout);
score->pending_lookups += 1;
}
return (PSC_CALL_BACK_INDEX_OF_LAST(score));
STR((state)->iterator->request_nexthop)[0] = 0; \
}
-#define HAVE_NEXTHOP_STATE(state) (STR((state)->iterator->request_nexthop) != 0)
+#define HAVE_NEXTHOP_STATE(state) (STR((state)->iterator->request_nexthop)[0] != 0)
/*
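Review bot: The corrected `HAVE_NEXTHOP_STATE` depends on an invariant that is not written down: the macro above it clears the state by storing a NUL in the first byte, so "no saved nexthop" is an empty string, not a null pointer. The old form compared the buffer pointer with 0, which compiles without complaint and, if `STR()` never returns null (presumably it does not), is always true. I would add a comment above the macro, such as `/* Empty request_nexthop means no saved state; test the first byte, not the pointer. */`, so the clear and test macros are read as a pair.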
#endif
SMTP_ITER_SAVE_DEST(state->iterator);
if (*addr_list && SMTP_RCPT_LEFT(state) > 0
+ && HAVE_NEXTHOP_STATE(state)
&& (session = smtp_reuse_nexthop(state, SMTP_KEY_MASK_SCACHE_DEST_LABEL)) != 0) {
session_count = 1;
smtp_update_addr_list(addr_list, STR(iter->addr), session_count);
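Review bot: The `HAVE_NEXTHOP_STATE(state)` guard added to this condition protects only this call site. `smtp_reuse_nexthop()` is outside the hunk, so it may still build a connection-cache lookup key from an empty next-hop if another caller reaches it without the check. A key that does not identify the destination is what would let a cached session be handed to the wrong delivery. Consider enforcing the precondition inside the callee as well, or at least recording it here with `/* No saved nexthop state: never look up a cached session by nexthop. */`. The `if` block continues past the end of the hunk.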
ATTR_TYPE_STR, MAIL_ATTR_ACT_PROTO_NAME, state->protocol,
ATTR_TYPE_STR, MAIL_ATTR_ACT_CLIENT_ADDR, state->addr,
ATTR_TYPE_STR, MAIL_ATTR_ACT_CLIENT_NAME, state->name,
+ ATTR_TYPE_STR, MAIL_ATTR_ACT_CLIENT_PORT, state->port,
ATTR_TYPE_STR, MAIL_ATTR_ACT_REVERSE_CLIENT_NAME,
state->reverse_name,
ATTR_TYPE_STR, MAIL_ATTR_ACT_HELO_NAME,
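Review bot: Nothing in this hunk says what a policy server receives in the new client port attribute when the port is not known, or that the value is a string and not a number. `state->port` is passed as `ATTR_TYPE_STR` like `state->addr` and `state->name` next to it, and the code that sets it is outside the hunk. I would add a one-line comment at the new line, for example `/* client port as a string; policy servers must tolerate a non-numeric value */`, after confirming what the non-network case sends. The attribute list starts and ends outside the hunk.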
network_bits %= CHAR_BIT;
if (network_bits != 0)
- *p++ &= ~0 << (CHAR_BIT - network_bits);
+ *p++ &= ~0U << (CHAR_BIT - network_bits);
while (p < addr_bytes + addr_byte_count)
*p++ = 0;
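Review bot: The reason for `~0U` is not recorded next to the changed line. The edit looks like a no-op to a reader who does not know that left-shifting the negative `int` value `~0` is undefined behaviour. A comment would keep it from being "simplified" back: `/* ~0U, not ~0: left shift of a negative int is undefined */`. Only the low `CHAR_BIT` bits of the shifted value survive the `&=` into `*p`, assuming `p` points at `unsigned char`; its declaration and the start of the enclosing function are outside the hunk.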