with deadlock, "postfix stop" now forcefully stops all the
processes in the master's process group, not just the master
process alone. File: conf/postfix-script.
+
+20070425
+
+ Bugfix: don't falsely report "lost connection from
+ localhost[127.0.0.1]" when Postfix is being portscanned.
+ Files: smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.
+
+20070430
+
+ Robustness: recommend a "0" process limit for policy servers
+ to avoid "connection refused" problems when the smtpd process
+ limit exceeds the default process limit. File:
+ proto/SMTPD_POLICY_README.html.
+
+20070501
+
+ Safety: when IPv6 (or IPv4) is turned off, don't treat an
+ IPv6 (or IPv4) connection from e.g. inetd as if it comes
+ from localhost[127.0.0.1]. Files: smtpd/smtpd_peer.c,
+ qmqpd/qmqpd_peer.c.
+
+20070508
+
+ Bugfix: Content-Transfer-Encoding: attribute values are
+ case insensitive. File: src/cleanup/cleanup_message.c.
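Review bot: the 20070501 "Safety" entry does not say what goes wrong when such a connection is treated as localhost[127.0.0.1], although the comment added in the peer-address code names the consequence (the server can become an open relay). Suggest stating that impact in the entry itself, so that an operator who runs Postfix under inetd with one address family disabled can judge the urgency from HISTORY alone.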
Here is an example of all the attributes that the Postfix SMTP server sends in
a delegated SMTPD access policy request:
+ P\bPo\bos\bst\btf\bfi\bix\bx v\bve\ber\brs\bsi\bio\bon\bn 2\b2.\b.1\b1 a\ban\bnd\bd l\bla\bat\bte\ber\br:\b:
request=smtpd_access_policy
protocol_state=RCPT
protocol_name=SMTP
use something like this:
1 /etc/postfix/master.cf:
- 2 policy unix - n n - - spawn
+ 2 policy unix - n n - 0 spawn
3 user=nobody argv=/some/where/policy-server
4
5 /etc/postfix/main.cf:
"policy_time_limit" setting. The name of the parameter is the name of the
master.cf entry ("policy") concatenated with the "_time_limit" suffix.
+ * Line 2: specify a "0" process limit instead of the default "-", to avoid
+ "connection refused" and other problems when the smtpd process limit
+ exceeds the default_process_limit setting.
+
* Lines 8, 9: always specify "check_policy_service" AFTER
"reject_unauth_destination" or else your system could become an open relay.
* Solaris UNIX-domain sockets do not work reliably. Use TCP sockets instead:
1 /etc/postfix/master.cf:
- 2 127.0.0.1:9998 inet n n n - - spawn
+ 2 127.0.0.1:9998 inet n n n - 0 spawn
3 user=nobody argv=/some/where/policy-server
4
5 /etc/postfix/main.cf:
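Review bot: in the Solaris variant (line 2, "127.0.0.1:9998 inet n n n - 0 spawn") the "0" removes the process limit on a loopback TCP listener, which is not restricted to Postfix processes the way the private unix socket in the first example is. The new "Line 2" bullet gives the same advice for both transports. Suggest either recommending an explicit number for the inet case, at least as large as the smtpd process limit, or adding a sentence on the trade-off next to the Solaris note.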
socket that is accessible by Postfix processes only:
1 /etc/postfix/master.cf:
- 2 policy unix - n n - - spawn
+ 2 policy unix - n n - 0 spawn
3 user=nobody argv=/usr/bin/perl /usr/libexec/postfix/greylist.pl
4
5 /etc/postfix/main.cf:
"policy_time_limit" setting. The name of the parameter is the name of the
master.cf entry ("policy") concatenated with the "_time_limit" suffix.
+ * Line 2: specify a "0" process limit instead of the default "-", to avoid
+ "connection refused" and other problems when the smtpd process limit
+ exceeds the default_process_limit setting.
+
On Solaris you must use inet: style sockets instead of unix: style, as detailed
in the "Policy client/server configuration" section above.
1 /etc/postfix/master.cf:
- 2 127.0.0.1:9998 inet n n n - - spawn
+ 2 127.0.0.1:9998 inet n n n - 0 spawn
3 user=nobody argv=/usr/bin/perl /usr/libexec/postfix/greylist.pl
4
5 /etc/postfix/main.cf:
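Review bot: the added "Line 2" bullet never says that a "0" in that column means no process limit at all, and "and other problems" tells the reader nothing they can check for. Suggest wording such as: specify "0" (no limit) so that the policy service can accept one connection per smtpd process. Then either name the other problems or drop the phrase. The greylist.pl example then runs one Perl process per connection with no cap, which is worth mentioning here.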
<blockquote>
<pre>
+<b>Postfix version 2.1 and later:</b>
request=smtpd_access_policy
protocol_state=RCPT
protocol_name=SMTP
<blockquote>
<pre>
1 /etc/postfix/<a href="master.5.html">master.cf</a>:
- 2 policy unix - n n - - spawn
+ 2 policy unix - n n - 0 spawn
3 user=nobody argv=/some/where/policy-server
4
5 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
the parameter is the name of the <a href="master.5.html">master.cf</a> entry ("policy")
concatenated with the "_time_limit" suffix. </p>
+<li> <p> Line 2: specify a "0" process limit instead of the default
+"-", to avoid "connection refused" and other problems when the smtpd
+process limit exceeds the <a href="postconf.5.html#default_process_limit">default_process_limit</a> setting. </p>
+
<li> <p> Lines 8, 9: always specify "<a href="postconf.5.html#check_policy_service">check_policy_service</a>" AFTER
"<a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>" or else your system could become an
open relay. </p>
<blockquote>
<pre>
1 /etc/postfix/<a href="master.5.html">master.cf</a>:
- 2 127.0.0.1:9998 inet n n n - - spawn
+ 2 127.0.0.1:9998 inet n n n - 0 spawn
3 user=nobody argv=/some/where/policy-server
4
5 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
<blockquote>
<pre>
1 /etc/postfix/<a href="master.5.html">master.cf</a>:
-2 policy unix - n n - - spawn
+2 policy unix - n n - 0 spawn
3 user=nobody argv=/usr/bin/perl /usr/libexec/postfix/greylist.pl
4
5 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
the parameter is the name of the <a href="master.5.html">master.cf</a> entry ("policy")
concatenated with the "_time_limit" suffix. </p>
+<li> <p> Line 2: specify a "0" process limit instead of the default
+"-", to avoid "connection refused" and other problems when the smtpd
+process limit exceeds the <a href="postconf.5.html#default_process_limit">default_process_limit</a> setting. </p>
+
</ul>
<p> On Solaris you must use inet: style sockets instead of unix:
<blockquote>
<pre>
1 /etc/postfix/<a href="master.5.html">master.cf</a>:
-2 127.0.0.1:9998 inet n n n - - spawn
+2 127.0.0.1:9998 inet n n n - 0 spawn
3 user=nobody argv=/usr/bin/perl /usr/libexec/postfix/greylist.pl
4
5 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
<b>tcp</b> (read-only)
Perform lookups using a simple request-reply
protocol that is described in <a href="tcp_table.5.html"><b>tcp_table</b>(5)</a>.
- This feature is not included with Postfix
- 2.2.
+ This feature is not included with the stable
+ Postfix release.
<b>unix</b> (read-only)
A limited way to query the UNIX authentica-
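Review bot: "the stable Postfix release" in the tcp table description is a relative reference that depends on which release the reader is looking at, whereas the removed "Postfix 2.2" was at least a fixed point. If the intent is that the feature ships only in non-stable (snapshot) releases, say that directly, so the sentence stays correct without another edit at the next version bump.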
.IP "\fBtcp\fR (read-only)"
Perform lookups using a simple request-reply protocol that is
described in \fBtcp_table\fR(5).
-This feature is not included with Postfix 2.2.
+This feature is not included with the stable Postfix release.
.IP "\fBunix\fR (read-only)"
A limited way to query the UNIX authentication database. The
following tables are implemented:
<blockquote>
<pre>
+<b>Postfix version 2.1 and later:</b>
request=smtpd_access_policy
protocol_state=RCPT
protocol_name=SMTP
<blockquote>
<pre>
1 /etc/postfix/master.cf:
- 2 policy unix - n n - - spawn
+ 2 policy unix - n n - 0 spawn
3 user=nobody argv=/some/where/policy-server
4
5 /etc/postfix/main.cf:
the parameter is the name of the master.cf entry ("policy")
concatenated with the "_time_limit" suffix. </p>
+<li> <p> Line 2: specify a "0" process limit instead of the default
+"-", to avoid "connection refused" and other problems when the smtpd
+process limit exceeds the default_process_limit setting. </p>
+
<li> <p> Lines 8, 9: always specify "check_policy_service" AFTER
"reject_unauth_destination" or else your system could become an
open relay. </p>
<blockquote>
<pre>
1 /etc/postfix/master.cf:
- 2 127.0.0.1:9998 inet n n n - - spawn
+ 2 127.0.0.1:9998 inet n n n - 0 spawn
3 user=nobody argv=/some/where/policy-server
4
5 /etc/postfix/main.cf:
<blockquote>
<pre>
1 /etc/postfix/master.cf:
-2 policy unix - n n - - spawn
+2 policy unix - n n - 0 spawn
3 user=nobody argv=/usr/bin/perl /usr/libexec/postfix/greylist.pl
4
5 /etc/postfix/main.cf:
the parameter is the name of the master.cf entry ("policy")
concatenated with the "_time_limit" suffix. </p>
+<li> <p> Line 2: specify a "0" process limit instead of the default
+"-", to avoid "connection refused" and other problems when the smtpd
+process limit exceeds the default_process_limit setting. </p>
+
</ul>
<p> On Solaris you must use inet: style sockets instead of unix:
<blockquote>
<pre>
1 /etc/postfix/master.cf:
-2 127.0.0.1:9998 inet n n n - - spawn
+2 127.0.0.1:9998 inet n n n - 0 spawn
3 user=nobody argv=/usr/bin/perl /usr/libexec/postfix/greylist.pl
4
5 /etc/postfix/main.cf:
if (hdr_opts->type == HDR_CONTENT_TRANSFER_ENCODING) {
for (cmp = code_map; cmp->name != 0; cmp++) {
if (strcasecmp(hdrval, cmp->name) == 0) {
- if (strcmp(cmp->encoding, MAIL_ATTR_ENC_8BIT) == 0)
+ if (strcasecmp(cmp->encoding, MAIL_ATTR_ENC_8BIT) == 0)
nvtable_update(state->attr, MAIL_ATTR_ENCODING,
cmp->encoding);
break;
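Review bot: the changed comparison is between cmp->encoding and MAIL_ATTR_ENC_8BIT, both internal strings, while the header value is already matched case-insensitively by the strcasecmp(hdrval, cmp->name) context line above it. From this hunk alone it is not clear how the change makes Content-Transfer-Encoding values case insensitive, as HISTORY describes. Please add a comment explaining which spellings of cmp->encoding the table can contain, or normalize the table so an exact compare is sufficient.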
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20070423"
-#define MAIL_VERSION_NUMBER "2.4.1"
+#define MAIL_RELEASE_DATE "20070511"
+#define MAIL_VERSION_NUMBER "2.4.2-RC1"
#ifdef SNAPSHOT
# define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
/* .IP "\fBtcp\fR (read-only)"
/* Perform lookups using a simple request-reply protocol that is
/* described in \fBtcp_table\fR(5).
-/* This feature is not included with Postfix 2.2.
+/* This feature is not included with the stable Postfix release.
/* .IP "\fBunix\fR (read-only)"
/* A limited way to query the UNIX authentication database. The
/* following tables are implemented:
/*
* If peer went away, give up.
*/
- if (errno == ECONNRESET || errno == ECONNABORTED) {
+ if (errno != 0 && errno != ENOTSOCK) {
state->name = mystrdup(CLIENT_NAME_UNKNOWN);
state->addr = mystrdup(CLIENT_ADDR_UNKNOWN);
state->rfc_addr = mystrdup(CLIENT_ADDR_UNKNOWN);
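Review bot: the comment above the changed condition still reads "If peer went away, give up", but the new test (errno != 0 && errno != ENOTSOCK) now takes this branch for every error except ENOTSOCK, not only for a departed peer. Update the comment to describe the new behaviour and to say why ENOTSOCK is deliberately let through to the later clauses, since that exemption is what still allows a non-socket descriptor to be handled as a local client.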
/*
* Convert the client address to printable address and hostname.
+ *
+ * XXX If we're given an IPv6 (or IPv4) connection from, e.g., inetd, while
+ * Postfix IPv6 (or IPv4) support is turned off, don't (skip to the final
+ * else clause, pretend the origin is localhost[127.0.0.1], and become an
+ * open relay).
*/
else if (errno == 0
- && strchr((char *) proto_info->sa_family_list, sa->sa_family)) {
+ && (sa->sa_family == AF_INET
+#ifdef AF_INET6
+ || sa->sa_family == AF_INET6
+#endif
+ )) {
MAI_HOSTNAME_STR client_name;
MAI_HOSTADDR_STR client_addr;
int aierr;
char *colonp;
+ /*
+ * Sanity check: we can't use sockets that we're not configured for.
+ */
+ if (strchr((char *) proto_info->sa_family_list, sa->sa_family) == 0)
+ msg_fatal("cannot handle socket type %s with \"%s = %s\"",
+ sa->sa_family == AF_INET6 ? "AF_INET6" :
+ sa->sa_family == AF_INET ? "AF_INET" :
+ "other", VAR_INET_PROTOCOLS, var_inet_protocols);
+
/*
* Sorry, but there are some things that we just cannot do while
* connected to the network.
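Review bot: the msg_fatal() argument uses sa->sa_family == AF_INET6 without the #ifdef AF_INET6 guard that the rewritten else-if condition a few lines above does have, so the guard does not actually protect a build where AF_INET6 is undefined. Guard the ternary the same way, or drop the #ifdef from the condition if such platforms are not supported. The "other" arm of that ternary is also unreachable, because the enclosing condition only admits AF_INET and AF_INET6.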
/*
* If peer went away, give up.
*/
- if (errno == ECONNRESET || errno == ECONNABORTED) {
+ if (errno != 0 && errno != ENOTSOCK) {
state->name = mystrdup(CLIENT_NAME_UNKNOWN);
state->reverse_name = mystrdup(CLIENT_NAME_UNKNOWN);
state->addr = mystrdup(CLIENT_ADDR_UNKNOWN);
/*
* Convert the client address to printable address and hostname.
+ *
+ * XXX If we're given an IPv6 (or IPv4) connection from, e.g., inetd, while
+ * Postfix IPv6 (or IPv4) support is turned off, don't (skip to the final
+ * else clause, pretend the origin is localhost[127.0.0.1], and become an
+ * open relay).
*/
else if (errno == 0
- && strchr((char *) proto_info->sa_family_list, sa->sa_family)) {
+ && (sa->sa_family == AF_INET
+#ifdef AF_INET6
+ || sa->sa_family == AF_INET6
+#endif
+ )) {
MAI_HOSTNAME_STR client_name;
MAI_HOSTADDR_STR client_addr;
int aierr;
char *colonp;
+ /*
+ * Sanity check: we can't use sockets that we're not configured for.
+ */
+ if (strchr((char *) proto_info->sa_family_list, sa->sa_family) == 0)
+ msg_fatal("cannot handle socket type %s with \"%s = %s\"",
+ sa->sa_family == AF_INET6 ? "AF_INET6" :
+ sa->sa_family == AF_INET ? "AF_INET" :
+ "other", VAR_INET_PROTOCOLS, var_inet_protocols);
+
/*
* Sorry, but there are some things that we just cannot do while
* connected to the network.
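Review bot: the added XXX comment is hard to parse, because the sentence ends in "don't" followed by a parenthetical ("skip to the final else clause, pretend the origin is localhost[127.0.0.1], and become an open relay") that carries the whole meaning. Since this comment documents a relay-safety decision, suggest a plain statement: a connection of a disabled address family must not fall through to the final else clause, where it would be treated as localhost. This hunk also repeats the earlier peer-address hunk line for line (HISTORY lists smtpd/smtpd_peer.c and qmqpd/qmqpd_peer.c), so a shared helper would keep the two checks from drifting apart.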