Documentation: added SASL_README example for check_sasl_access.
File: proto/SASL_README.html.
+
+20131102
+
+ Security violation: by default, LMDB 0.9.9 writes fragments
+ of uninitialized heap memory to a world-readable database
+ file. This is a basic memory disclosure vulnerability:
+ memory content that a program does not intend to share ends
+ up in a world-readable file. The content of uninitialized
+ heap memory depends on program execution history. That
+ history includes code execution in other libraries that are
+ linked into the program. To work around this problem we
+ disable the use of malloc() in LMDB. However, that does not
+ address several disclosures of stack memory. File:
+ util/dict_lmdb.c.
+
+ Cleanup: expand TAB characters when generating HTML and
+ README files. Files: proto/Makefile.in.
smtp_generic_maps = hash:/etc/postfix/generic
/etc/postfix/generic:
- his@localdomain.local hisaccount@hisisp.example
- her@localdomain.local heraccount@herisp.example
- @localdomain.local hisaccount+local@hisisp.example
+ his@localdomain.local hisaccount@hisisp.example
+ her@localdomain.local heraccount@herisp.example
+ @localdomain.local hisaccount+local@hisisp.example
When mail is sent to a remote host via SMTP, this replaces
his@localdomain.local by his ISP mail address, replaces her@localdomain.local
endif
/^Message-ID:.* <!&!/ DUNNO
/^Message-ID:.*@(porcupine\.org)/
- reject forged domain name in Message-ID: header: $1
+ reject forged domain name in Message-ID: header: $1
/etc/postfix/body_checks:
# Do not indent the patterns between "if" and "endif".
endif
/^[> ]*Message-ID:.* <!&!/ DUNNO
/^[> ]*Message-ID:.*@(porcupine\.org)/
- reject forged domain name in Message-ID: header: $1
+ reject forged domain name in Message-ID: header: $1
Notes:
# Note 1: commands are specified after a TAB character.
# Note 2: use postalias(1) for local aliases, postmap(1) for the rest.
aliases.db: aliases.in
- postalias aliases.in
- mv aliases.in.db aliases.db
+ postalias aliases.in
+ mv aliases.in.db aliases.db
access.db: access.in
- postmap access.in
- mv access.in.db access.db
+ postmap access.in
+ mv access.in.db access.db
virtual.db: virtual.in
- postmap virtual.in
- mv virtual.in.db virtual.db
+ postmap virtual.in
+ mv virtual.in.db virtual.db
...etcetera...
# v\bvi\bi a\bac\bcc\bce\bes\bss\bs.\b.i\bin\bn
# a template file. The build process expands the template into
# "mtaadmin+root=mta1"
#
- root mtaadmin+root=mta1
+ root mtaadmin+root=mta1
/etc/postfix/virtual:
# Caretaker aliases:
#
- root mtaadmin
- postmaster root
+ root mtaadmin
+ postmaster root
You would typically also add a Makefile, to automatically run postmap(1)
commands when source files change. This Makefile also creates a "generic"
all: virtual.cdb generic.cdb
generic: Makefile
- @echo Creating $@
- @rm -f $@.tmp
- @printf '%s\t%s+root=%s\n' root $MTAADMIN `uname -n` > $@.tmp
- @mv $@.tmp generic
+ @echo Creating $@
+ @rm -f $@.tmp
+ @printf '%s\t%s+root=%s\n' root $MTAADMIN `uname -n` > $@.tmp
+ @mv $@.tmp generic
%.cdb: %
- postmap cdb:$<
+ postmap cdb:$<
Construct the "virtual" and "generic" databases (the latter is created by
running "make"), then start and test the null-client:
# Avoid splitting the envelope and scanning messages multiple times.
# Match the re-injection server's recipient limit.
#
- smtp_destination_recipient_limit = 1000
+ smtp_destination_recipient_limit = 1000
# Tolerate occasional high latency in the content filter.
#
parameters, specify their values on the command-line:
# postmulti [-I postfix-myinst] [-G mygroup] -e create \
- "config_directory = /path/to/config_directory" \
- "queue_directory = /path/to/queue_directory" \
- "data_directory = /path/to/data_directory"
+ "config_directory = /path/to/config_directory" \
+ "queue_directory = /path/to/queue_directory" \
+ "data_directory = /path/to/data_directory"
A note on the -\b-I\bI and -\b-G\bG options above. These are always used to assign a name
or group name to an instance, while the -\b-i\bi and -\b-g\bg options always select
Otherwise, you must specify the location of its configuration directory:
# postmulti [-I postfix-myinst] [-G mygroup] -e import \
- "config_directory = /path/of/config_directory"
+ "config_directory = /path/of/config_directory"
When the instance is imported, you can assign a name or a group. As with
"create", you can control the placement of the new instance in the start order
smtpd_recipient_restrictions =
permit_mynetworks
- # reject_unauth_destination is not needed here if the mail
- # relay policy is specified with smtpd_relay_restrictions
- # (available with Postfix 2.10 and later).
+ # reject_unauth_destination is not needed here if the mail
+ # relay policy is specified with smtpd_relay_restrictions
+ # (available with Postfix 2.10 and later).
reject_unauth_destination
check_recipient_access hash:/etc/postfix/recipient_access
...
# preferably specified under smtpd_relay_restrictions.
/etc/postfix/main.cf:
smtpd_relay_restrictions =
- permit_mynetworks
- p\bpe\ber\brm\bmi\bit\bt_\b_s\bsa\bas\bsl\bl_\b_a\bau\but\bth\bhe\ben\bnt\bti\bic\bca\bat\bte\bed\bd
- reject_unauth_destination
+ permit_mynetworks
+ p\bpe\ber\brm\bmi\bit\bt_\b_s\bsa\bas\bsl\bl_\b_a\bau\but\bth\bhe\ben\bnt\bti\bic\bca\bat\bte\bed\bd
+ reject_unauth_destination
# Older configurations combine relay control and spam control under
# smtpd_recipient_restrictions. To use this example with Postfix >=
# 2.10 specify "smtpd_relay_restrictions=".
/etc/postfix/main.cf:
smtpd_recipient_restrictions =
- permit_mynetworks
- p\bpe\ber\brm\bmi\bit\bt_\b_s\bsa\bas\bsl\bl_\b_a\bau\but\bth\bhe\ben\bnt\bti\bic\bca\bat\bte\bed\bd
- reject_unauth_destination
- ...other rules...
+ permit_mynetworks
+ p\bpe\ber\brm\bmi\bit\bt_\b_s\bsa\bas\bsl\bl_\b_a\bau\but\bth\bhe\ben\bnt\bti\bic\bca\bat\bte\bed\bd
+ reject_unauth_destination
+ ...other rules...
E\bEn\bnv\bve\bel\blo\bop\bpe\be s\bse\ben\bnd\bde\ber\br a\bad\bdd\bdr\bre\bes\bss\bs a\bau\but\bth\bho\bor\bri\biz\bza\bat\bti\bio\bon\bn
smtpd_recipient_restrictions =
...
r\bre\bej\bje\bec\bct\bt_\b_s\bse\ben\bnd\bde\ber\br_\b_l\blo\bog\bgi\bin\bn_\b_m\bmi\bis\bsm\bma\bat\btc\bch\bh
- permit_sasl_authenticated
+ permit_sasl_authenticated
...
The controlled_envelope_senders table specifies the binding between a sender
/etc/postfix/main.cf:
smtpd_recipient_restrictions =
- permit_mynetworks
- check_sasl_access hash:/etc/postfix/sasl_access
- permit_sasl_authenticated
- ...
+ permit_mynetworks
+ check_sasl_access hash:/etc/postfix/sasl_access
+ permit_sasl_authenticated
+ ...
/etc/postfix/sasl_access:
# Use this when smtpd_sasl_local_domain is empty.
- username HOLD
+ username HOLD
# Use this when smtpd_sasl_local_domain=example.com.
username@example.com HOLD
if transport process limit reached continue
foreach transport's job (in the order of the transport's job list)
do
- foreach job's peer (round-robin-by-destination)
- if peer->queue->concurrency < peer->queue->window
- return next peer entry.
- done
+ foreach job's peer (round-robin-by-destination)
+ if peer->queue->concurrency < peer->queue->window
+ return next peer entry.
+ done
done
done
# Relay control (Postfix 2.10 and later): local clients and
# authenticated clients may specify any destination domain.
smtpd_relay_restrictions = permit_mynetworks,
- permit_sasl_authenticated,
- reject_unauth_destination
+ permit_sasl_authenticated,
+ reject_unauth_destination
# Spam control: exclude local clients and authenticated clients
# from DNSBL lookups.
smtpd_recipient_restrictions = permit_mynetworks,
- permit_sasl_authenticated,
- # reject_unauth_destination is not needed here if the mail
- # relay policy is specified under smtpd_relay_restrictions
- # (available with Postfix 2.10 and later).
- reject_unauth_destination
- reject_rbl_client zen.spamhaus.org,
- reject_rhsbl_helo dbl.spamhaus.org,
- reject_rhsbl_sender dbl.spamhaus.org
+ permit_sasl_authenticated,
+ # reject_unauth_destination is not needed here if the mail
+ # relay policy is specified under smtpd_relay_restrictions
+ # (available with Postfix 2.10 and later).
+ reject_unauth_destination
+ reject_rbl_client zen.spamhaus.org,
+ reject_rhsbl_helo dbl.spamhaus.org,
+ reject_rhsbl_sender dbl.spamhaus.org
# Block clients that speak too early.
smtpd_data_restrictions = reject_unauth_pipelining
smtp_tls_fingerprint_digest = md5
/etc/postfix/tls_policy:
- example.com fingerprint
+ example.com fingerprint
match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
[mail.example.org]:587 secure match=nexthop
# Postfix 2.5 and later
[thumb.example.org] fingerprint
- match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
- match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
+ match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
+ match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
# Postfix 2.6 and later
example.info may protocols=!SSLv2 ciphers=medium
exclude=3DES
/etc/postfix/main.cf:
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_session_cache_database =
- btree:/var/lib/postfix/smtp_tls_session_cache
+ btree:/var/lib/postfix/smtp_tls_session_cache
smtp_tls_security_level = may
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/foo-cert.pem
smtpd_tls_key_file = /etc/postfix/foo-key.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database =
- btree:/var/lib/postfix/smtpd_tls_session_cache
+ btree:/var/lib/postfix/smtpd_tls_session_cache
tls_random_source = dev:/dev/urandom
smtpd_tls_security_level = may
Things to do after the stable release:
- Why does postlink no longer hyperlink static:all?
-
Begin code revision, after DANE support stabilizes. This
should be one pass that changes only names and no code.
<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> parameter, or if the
<a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> configuration parameter specifies a
non-empty value. To get the behavior before Postfix 2.2, specify
-"<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> = static:all". </p> </dd>
+"<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> = <a href="DATABASE_README.html#types">static</a>:all". </p> </dd>
<dt>Rewrite "site!user" to "user@site" </dt>
<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> parameter, or if the
<a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> configuration parameter specifies a
non-empty value. To get the behavior before Postfix 2.2, specify
-"<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> = static:all". </p> </dd>
+"<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> = <a href="DATABASE_README.html#types">static</a>:all". </p> </dd>
<dt>Rewrite "user%domain" to "user@domain"</dt>
<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> parameter, or if the
<a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> configuration parameter specifies a
non-empty value. To get the behavior before Postfix 2.2, specify
-"<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> = static:all". </p> </dd>
+"<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> = <a href="DATABASE_README.html#types">static</a>:all". </p> </dd>
<dt>
domain name specified with the <a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a>
configuration parameter, if one is specified. To get the behavior
before Postfix 2.2, specify "<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> =
-static:all". </p>
+<a href="DATABASE_README.html#types">static</a>:all". </p>
<p> If your machine is not the main machine for $<a href="postconf.5.html#myorigin">myorigin</a> and you
wish to have some users delivered locally without going via that
domain name specified with the <a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a>
configuration parameter, if one is specified. To get the behavior
before Postfix 2.2, specify "<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> =
-static:all". </p>
+<a href="DATABASE_README.html#types">static</a>:all". </p>
<p> Some will argue that rewriting "host" to "host.domain"
is bad. That is why it can be turned off. Others like the convenience
<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> parameter, or if the
<a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> configuration parameter specifies a
non-empty value. To get the behavior before Postfix 2.2, specify
-"<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> = static:all". </p> </dd>
+"<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> = <a href="DATABASE_README.html#types">static</a>:all". </p> </dd>
</dl>
<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> parameter, or if the
<a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> configuration parameter specifies a
non-empty value. To get the behavior before Postfix 2.2, specify
-"<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> = static:all". </p>
+"<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> = <a href="DATABASE_README.html#types">static</a>:all". </p>
<p> Address rewriting is
done for local and remote addresses. The mapping is useful to
<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> parameter, or if the
<a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> configuration parameter specifies a
non-empty value. To get the behavior before Postfix 2.2, specify
-"<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> = static:all". </p>
+"<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> = <a href="DATABASE_README.html#types">static</a>:all". </p>
<p> Address masquerading is disabled by default, and is implemented
by the <a href="cleanup.8.html">cleanup(8)</a> server. To enable, edit the <a href="postconf.5.html#masquerade_domains">masquerade_domains</a>
<a href="postconf.5.html#smtp_generic_maps">smtp_generic_maps</a> = hash:/etc/postfix/generic
/etc/postfix/generic:
- his@localdomain.local hisaccount@hisisp.example
- her@localdomain.local heraccount@herisp.example
- @localdomain.local hisaccount+local@hisisp.example
+ his@localdomain.local hisaccount@hisisp.example
+ her@localdomain.local heraccount@herisp.example
+ @localdomain.local hisaccount+local@hisisp.example
</pre>
</blockquote>
endif
/^Message-ID:.* <!&!/ DUNNO
/^Message-ID:.*@(porcupine\.org)/
- reject forged domain name in Message-ID: header: $1
+ reject forged domain name in Message-ID: header: $1
/etc/postfix/body_checks:
# Do not indent the patterns between "if" and "endif".
endif
/^[> ]*Message-ID:.* <!&!/ DUNNO
/^[> ]*Message-ID:.*@(porcupine\.org)/
- reject forged domain name in Message-ID: header: $1
+ reject forged domain name in Message-ID: header: $1
</pre>
</blockquote>
<td align="center" valign="middle"> <tt> -> </tt> </td>
- <td bgcolor="#f0f0ff" align="center" valign="middle">
- Delivery<br> agents </td>
+ <td bgcolor="#f0f0ff" align="center" valign="middle">
+ Delivery<br> agents </td>
<td align="center" valign="middle"> <tt> -> </tt> </td>
- <td bgcolor="#f0f0ff" align="center" valign="middle">
- Network or<br> local mailbox </td>
+ <td bgcolor="#f0f0ff" align="center" valign="middle">
+ Network or<br> local mailbox </td>
</tr>
# Note 1: commands are specified after a TAB character.
# Note 2: use <a href="postalias.1.html">postalias(1)</a> for local aliases, <a href="postmap.1.html">postmap(1)</a> for the rest.
aliases.db: aliases.in
- postalias aliases.in
- mv aliases.in.db aliases.db
+ postalias aliases.in
+ mv aliases.in.db aliases.db
access.db: access.in
- postmap access.in
- mv access.in.db access.db
+ postmap access.in
+ mv access.in.db access.db
virtual.db: virtual.in
- postmap virtual.in
- mv virtual.in.db virtual.db
+ postmap virtual.in
+ mv virtual.in.db virtual.db
...etcetera...
# <b>vi access.in</b>
# a template file. The build process expands the template into
# "mtaadmin+root=mta1"
#
- root mtaadmin+root=mta1
+ root mtaadmin+root=mta1
/etc/postfix/virtual:
# Caretaker aliases:
#
- root mtaadmin
- postmaster root
+ root mtaadmin
+ postmaster root
</pre>
</blockquote>
all: virtual.cdb generic.cdb
generic: Makefile
- @echo Creating $@
- @rm -f $@.tmp
- @printf '%s\t%s+root=%s\n' root $MTAADMIN `uname -n` > $@.tmp
- @mv $@.tmp generic
+ @echo Creating $@
+ @rm -f $@.tmp
+ @printf '%s\t%s+root=%s\n' root $MTAADMIN `uname -n` > $@.tmp
+ @mv $@.tmp generic
%.<a href="CDB_README.html">cdb</a>: %
- postmap <a href="CDB_README.html">cdb</a>:$<
+
postmap <a href="CDB_README.html">cdb</a>:$<
</pre>
</blockquote>
# Avoid splitting the envelope and scanning messages multiple times.
# Match the re-injection server's recipient limit.
#
- <a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a> = 1000
+
<a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a> = 1000
# Tolerate occasional high latency in the content filter.
#
<blockquote>
<pre>
# postmulti [-I postfix-myinst] [-G mygroup] -e create \
- "<a href="postconf.5.html#config_directory">config_directory</a> = /path/to/config_directory" \
- "<a href="postconf.5.html#queue_directory">queue_directory</a> = /path/to/queue_directory" \
- "<a href="postconf.5.html#data_directory">data_directory</a> = /path/to/data_directory"
+
"<a href="postconf.5.html#config_directory">config_directory</a> = /path/to/config_directory" \
+
"<a href="postconf.5.html#queue_directory">queue_directory</a> = /path/to/queue_directory" \
+
"<a href="postconf.5.html#data_directory">data_directory</a> = /path/to/data_directory"
</pre>
</blockquote>
<blockquote>
<pre>
# postmulti [-I postfix-myinst] [-G mygroup] -e import \
- "<a href="postconf.5.html#config_directory">config_directory</a> = /path/of/config_directory"
+
"<a href="postconf.5.html#config_directory">config_directory</a> = /path/of/config_directory"
</pre>
</blockquote>
<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> =
<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>
- # <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> is not needed here if the mail
- # relay policy is specified with <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>
- # (available with Postfix 2.10 and later).
+
# <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> is not needed here if the mail
+
# relay policy is specified with <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>
+ # (available with Postfix 2.10 and later).
<a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
<a href="postconf.5.html#check_recipient_access">check_recipient_access</a> hash:/etc/postfix/recipient_access
...
# preferably specified under <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>.
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> =
- <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>
- <strong><a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a></strong>
- <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
+
<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>
+
<strong><a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a></strong>
+
<a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
</pre>
<pre>
# 2.10 specify "<a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>=".
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> =
- <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>
- <strong><a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a></strong>
- <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
- ...other rules...
+
<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>
+
<strong><a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a></strong>
+
<a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
+ ...other rules...
</pre>
</blockquote>
<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> =
...
<strong><a href="postconf.5.html#reject_sender_login_mismatch">reject_sender_login_mismatch</a></strong>
- <a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a>
+
<a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a>
...
</pre>
</blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> =
- <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>
- <a href="postconf.5.html#check_sasl_access">check_sasl_access</a> hash:/etc/postfix/sasl_access
- <a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a>
- ...
+
<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>
+
<a href="postconf.5.html#check_sasl_access">check_sasl_access</a> hash:/etc/postfix/sasl_access
+
<a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a>
+ ...
/etc/postfix/sasl_access:
# Use this when <a href="postconf.5.html#smtpd_sasl_local_domain">smtpd_sasl_local_domain</a> is empty.
- username HOLD
+ username HOLD
# Use this when <a href="postconf.5.html#smtpd_sasl_local_domain">smtpd_sasl_local_domain</a>=example.com.
username@example.com HOLD
</pre>
<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
- "http://www.w3.org/TR/html4/loose.dtd">
+ "http://www.w3.org/TR/html4/loose.dtd">
<html>
if transport process limit reached continue
foreach transport's job (in the order of the transport's job list)
do
- foreach job's peer (round-robin-by-destination)
- if peer->queue->concurrency < peer->queue->window
- return next peer entry.
- done
+ foreach job's peer (round-robin-by-destination)
+ if peer->queue->concurrency < peer->queue->window
+ return next peer entry.
+ done
done
done
</pre>
# Relay control (Postfix 2.10 and later): local clients and
# authenticated clients may specify any destination domain.
<a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> = <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>,
- <a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a>,
- <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
+
<a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a>,
+
<a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
# Spam control: exclude local clients and authenticated clients
# from DNSBL lookups.
<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> = <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>,
- <a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a>,
- # <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> is not needed here if the mail
- # relay policy is specified under <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>
- # (available with Postfix 2.10 and later).
- <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
- <a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a> zen.spamhaus.org,
- <a href="postconf.5.html#reject_rhsbl_helo">reject_rhsbl_helo</a> dbl.spamhaus.org,
- <a href="postconf.5.html#reject_rhsbl_sender">reject_rhsbl_sender</a> dbl.spamhaus.org
+
<a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a>,
+
# <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> is not needed here if the mail
+
# relay policy is specified under <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>
+ # (available with Postfix 2.10 and later).
+
<a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
+
<a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a> zen.spamhaus.org,
+
<a href="postconf.5.html#reject_rhsbl_helo">reject_rhsbl_helo</a> dbl.spamhaus.org,
+
<a href="postconf.5.html#reject_rhsbl_sender">reject_rhsbl_sender</a> dbl.spamhaus.org
# Block clients that speak too early.
<a href="postconf.5.html#smtpd_data_restrictions">smtpd_data_restrictions</a> = <a href="postconf.5.html#reject_unauth_pipelining">reject_unauth_pipelining</a>
<blockquote>
<pre>
/etc/postfix/tls_policy:
- example.com fingerprint
+ example.com fingerprint
match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
</pre>
[mail.example.org]:587 secure match=nexthop
# Postfix 2.5 and later
[thumb.example.org] fingerprint
- match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
- match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
+ match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
+ match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
# Postfix 2.6 and later
example.info may protocols=!SSLv2 ciphers=medium exclude=3DES
</pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> = /etc/postfix/cacert.pem
<a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> =
- btree:/var/lib/postfix/smtp_tls_session_cache
+ btree:/var/lib/postfix/smtp_tls_session_cache
<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = may
<a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> = /etc/postfix/cacert.pem
<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> = /etc/postfix/foo-cert.pem
<a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a> = /etc/postfix/foo-key.pem
<a href="postconf.5.html#smtpd_tls_received_header">smtpd_tls_received_header</a> = yes
<a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> =
- btree:/var/lib/postfix/smtpd_tls_session_cache
+ btree:/var/lib/postfix/smtpd_tls_session_cache
<a href="postconf.5.html#tls_random_source">tls_random_source</a> = dev:/dev/urandom
<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> = may
</pre>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> = <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>,
- <a href="cidr_table.5.html">cidr</a>:/etc/postfix/postscreen_access.cidr
+
<a href="cidr_table.5.html">cidr</a>:/etc/postfix/postscreen_access.cidr
<a href="postconf.5.html#postscreen_blacklist_action">postscreen_blacklist_action</a> = enforce
</pre>
<pre>
/etc/postfix/dnsbl_reply:
- secret.zen.spamhaus.org zen.spamhaus.org
+ secret.zen.spamhaus.org zen.spamhaus.org
</pre>
<p> This feature is available in Postfix 2.8. </p>
<blockquote>
<pre>
/etc/postfix/tls_policy:
- example.com fingerprint
+ example.com fingerprint
match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
</pre>
[mail.example.org]:587 secure match=nexthop
# Postfix 2.5 and later
[thumb.example.org] fingerprint
- match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
- match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
+ match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
+ match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
</pre>
<p> <b>Note:</b> The <b>hostname</b> strategy if listed in a non-default
AWK = awk '{ print; if (NR == 1) print ".pl 9999\n.ll 65" }'
SRCTOMAN= ../mantools/srctoman
POSTLINK= ../mantools/postlink
+DETAB = pr -tre
HT2READ = ../mantools/html2readme
MAKEAAA = ../mantools/makereadme
MAKESOHO= ../mantools/make_soho_readme
$(SRCTOMAN) - $? | $(AWK) | nroff -man | col -bx | uniq | sed 's/^/# /' >$@
../html/ADDRESS_CLASS_README.html: ADDRESS_CLASS_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/ADDRESS_REWRITING_README.html: ADDRESS_REWRITING_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/ADDRESS_VERIFICATION_README.html: ADDRESS_VERIFICATION_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/BACKSCATTER_README.html: BACKSCATTER_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/CDB_README.html: CDB_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/CONNECTION_CACHE_README.html: CONNECTION_CACHE_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/CONTENT_INSPECTION_README.html: CONTENT_INSPECTION_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/CYRUS_README.html: CYRUS_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/BASIC_CONFIGURATION_README.html: BASIC_CONFIGURATION_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/BUILTIN_FILTER_README.html: BUILTIN_FILTER_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/DATABASE_README.html: DATABASE_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/DB_README.html: DB_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/DEBUG_README.html: DEBUG_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/DSN_README.html: DSN_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/ETRN_README.html: ETRN_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/FILTER_README.html: FILTER_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/INSTALL.html: INSTALL.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/IPV6_README.html: IPV6_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/LDAP_README.html: LDAP_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/LINUX_README.html: LINUX_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/LOCAL_RECIPIENT_README.html: LOCAL_RECIPIENT_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/MAILDROP_README.html: MAILDROP_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/LMDB_README.html: LMDB_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/MEMCACHE_README.html: MEMCACHE_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/MILTER_README.html: MILTER_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/MULTI_INSTANCE_README.html: MULTI_INSTANCE_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/MYSQL_README.html: MYSQL_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/NFS_README.html: NFS_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/OVERVIEW.html: OVERVIEW.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/PACKAGE_README.html: PACKAGE_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/PCRE_README.html: PCRE_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/PGSQL_README.html: PGSQL_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/POSTSCREEN_README.html: POSTSCREEN_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/QMQP_README.html: QMQP_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/QSHAPE_README.html: QSHAPE_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/RESTRICTION_CLASS_README.html: RESTRICTION_CLASS_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/SASL_README.html: SASL_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/SCHEDULER_README.html: SCHEDULER_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/SMTPD_ACCESS_README.html: SMTPD_ACCESS_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/SMTPD_POLICY_README.html: SMTPD_POLICY_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/SMTPD_PROXY_README.html: SMTPD_PROXY_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/SOHO_README.html: $(MAKESOHO) $(DEPSOHO)
- $(MAKESOHO) | $(POSTLINK) >$@
+ $(MAKESOHO) | $(POSTLINK) | $(DETAB) >$@
../html/SQLITE_README.html: SQLITE_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/STANDARD_CONFIGURATION_README.html: STANDARD_CONFIGURATION_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/STRESS_README.html: STRESS_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/TUNING_README.html: TUNING_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/UUCP_README.html: UUCP_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/ULTRIX_README.html: ULTRIX_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/VERP_README.html: VERP_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/VIRTUAL_README.html: VIRTUAL_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/XCLIENT_README.html: XCLIENT_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/XFORWARD_README.html: XFORWARD_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/TLS_README.html: TLS_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../html/TLS_LEGACY_README.html: TLS_LEGACY_README.html
- $(POSTLINK) $? >$@
+ $(POSTLINK) $? | $(DETAB) >$@
../README_FILES/ADDRESS_CLASS_README: ADDRESS_CLASS_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/ADDRESS_REWRITING_README: ADDRESS_REWRITING_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/ADDRESS_VERIFICATION_README: ADDRESS_VERIFICATION_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/BACKSCATTER_README: BACKSCATTER_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/BASIC_CONFIGURATION_README: BASIC_CONFIGURATION_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/BUILTIN_FILTER_README: BUILTIN_FILTER_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/CDB_README: CDB_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/CONNECTION_CACHE_README: CONNECTION_CACHE_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/CONTENT_INSPECTION_README: CONTENT_INSPECTION_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/CYRUS_README: CYRUS_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/DATABASE_README: DATABASE_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/DB_README: DB_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/DEBUG_README: DEBUG_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/DSN_README: DSN_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/ETRN_README: ETRN_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/FILTER_README: FILTER_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/INSTALL: INSTALL.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/IPV6_README: IPV6_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/LDAP_README: LDAP_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/LINUX_README: LINUX_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/LOCAL_RECIPIENT_README: LOCAL_RECIPIENT_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/MAILDROP_README: MAILDROP_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/LMDB_README: LMDB_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/MEMCACHE_README: MEMCACHE_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/MILTER_README: MILTER_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/MULTI_INSTANCE_README: MULTI_INSTANCE_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/MYSQL_README: MYSQL_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/NFS_README: NFS_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/OVERVIEW: OVERVIEW.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/PACKAGE_README: PACKAGE_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/PCRE_README: PCRE_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/PGSQL_README: PGSQL_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/POSTSCREEN_README: POSTSCREEN_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/QMQP_README: QMQP_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/QSHAPE_README: QSHAPE_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/RESTRICTION_CLASS_README: RESTRICTION_CLASS_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/SASL_README: SASL_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/SCHEDULER_README: SCHEDULER_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/SMTPD_ACCESS_README: SMTPD_ACCESS_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/SMTPD_POLICY_README: SMTPD_POLICY_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/SMTPD_PROXY_README: SMTPD_PROXY_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/SOHO_README: $(MAKESOHO) $(DEPSOHO)
- $(MAKESOHO) | $(HT2READ) >$@
+ $(MAKESOHO) | $(HT2READ) | $(DETAB) >$@
../README_FILES/SQLITE_README: SQLITE_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/STANDARD_CONFIGURATION_README: STANDARD_CONFIGURATION_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/STRESS_README: STRESS_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/TUNING_README: TUNING_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/UUCP_README: UUCP_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/ULTRIX_README: ULTRIX_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/VERP_README: VERP_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/VIRTUAL_README: VIRTUAL_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/XCLIENT_README: XCLIENT_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/XFORWARD_README: XFORWARD_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/TLS_README: TLS_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/TLS_LEGACY_README: TLS_LEGACY_README.html
- $(HT2READ) $? >$@
+ $(HT2READ) $? | $(DETAB) >$@
../README_FILES/AAAREADME: ../html/index.html $(MAKEAAA)
- $(MAKEAAA) ../html/index.html | $(HT2READ) >$@
+ $(MAKEAAA) ../html/index.html | $(HT2READ) | $(DETAB) >$@
../man/man5/postconf.5: postconf.man.prolog postconf.proto postconf.man.epilog \
../mantools/xpostconf ../mantools/postconf2html ../mantools/postconf2man
(cat postconf.man.prolog; ../mantools/xpostconf postconf.proto | \
../mantools/postconf2html | ../mantools/postconf2man | \
- sed 's/\\e&/\\\&/'; cat postconf.man.epilog ) > $@
+ sed 's/\\e&/\\\&/'; cat postconf.man.epilog ) | $(DETAB) > $@
../html/postconf.5.html: postconf.html.prolog postconf.proto \
postconf.html.epilog ../mantools/xpostconf ../mantools/postconf2html \
../mantools/postlink
(cat postconf.html.prolog; ../mantools/xpostconf postconf.proto | \
../mantools/postconf2html | ../mantools/postlink; \
- cat postconf.html.epilog ) > $@
+ cat postconf.html.epilog ) | $(DETAB) > $@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20131102"
+#define MAIL_RELEASE_DATE "20131103"
#define MAIL_VERSION_NUMBER "2.11"
#ifdef SNAPSHOT
mdb_path = concatenate(path, "." DICT_TYPE_LMDB, (char *) 0);
/*
- * Impedance adapters.
+ * Security violation.
+ *
+ * By default, LMDB 0.9.9 writes uninitialized heap memory to a
+ * world-readable database file. This is a basic memory disclosure
+ * vulnerability: memory content that a program does not intend to share
+ * ends up in a world-readable file. The content of uninitialized heap
+ * memory depends on program execution history. That history includes
+ * code execution in other libraries that are linked into the program.
+ *
+ * As a workaround we turn on MDB_WRITEMAP which disables the use of
+ * malloc() in LMDB. However, that does not address several disclosures
+ * of stack memory.
*/
mdb_flags = MDB_NOSUBDIR | MDB_NOLOCK;
if (open_flags == O_RDONLY)
mdb_flags |= MDB_RDONLY;
+ /*
+ * Replace with MDB_VERSION_FULL < MDB_VERINT(X, Y, Z) after this is
+ * fixed up-stream.
+ */
+#if 1
+ mdb_flags |= MDB_WRITEMAP;
+#endif
+
slmdb_flags = 0;
if (dict_flags & DICT_FLAG_BULK_UPDATE)
slmdb_flags |= SLMDB_FLAG_BULK;
projects / thirdparty / postfix.git / commitdiff
