everything that invokes these routines including queue
manager and delivery agents.
+20030922
+
+ Feature: "XADDR address hostname" SMTP command, for SMTPD
+ restriction debugging, and for sites with fetchmail-like
+ software that extracts client information from the first
+ Received: header. The smtpd_authorized_xaddr_clients
+ parameter specifies what clients are allowed to use XADDR
+ (default: none). Files: smtpd/smtpd.c.
+
+20031015
+
+ Workaround: smtpd access maps should not apply subdomain
+ name magic to numerical hostnames. File: smtpd/smtpd_check.c.
+
+ Safety: the local delivery agent now defers delivery when
+ alias lookup produces an empty result. File: local/alias.c.
+
+20031019
+
+ Workaround: disable request/reply size limit in attr_scan*.c
+ to prevent mail from getting stuck when rewriting a malformed
+ message header. This limit was turned on with snapshot
+ 20030715 to harden the protocol that is used by SMTPD policy
+ delegation. A "no code change" workaround is to specify
+ "header_size_limit = $line_length_limit". The proper fix
+ is to enforce request/reply size limits only for data from
+ outside of Postfix. Problem reported by Brandon Mullenberg,
+ Dialup USA. Files: util/attr_scan*.c.
+
+ Feature: "XLOGINFO address hostname" SMTP command, so that
+ Postfix daemons behind SMTPD pass-through proxies log useful
+ client name/address information instead of localhost[127.0.0.1].
+ The smtpd_authorized_xloginfo_clients parameter specifies
+ what clients are allowed to use XLOGINFO (default: none).
+ Files: smtpd/smtpd.c.
+
+ Cleanup: renamed the authorized_verp_clients parameter to
+ smtpd_authorized_verp_clients for consistency.
+
+20031021
+
+ Workaround: the demo greylist script now uses BTREE instead
+ of HASH files for hopefully better stability. The real fix
+ is to use a single updater process that serves multiple
+ clients. That approach seems to work well with the verify
+ daemon. File: examples/smtpd-policy/smtpd-policy.pl.
+
+20031022
+
+ Safety: the SMTP server now warns when the queue_minfree
+ value is less than twice the message size limit. File:
+ smtpd/smtpd.c.
+
+ Safety: the SMTP server no longer accepts mail when the
+ amount of free space is less than twice the message size
+ limit. File: smtpd/smtpd_check.c.
+
+ Safety: log a warning and defer mail when canonical or
+ virtual lookups return a non-address result (like a string
+ that contains no address). File: global/mail_addr_map.c.
+
+ Safety: log a warning and defer mail when any map lookup
+ returns an empty string result, and explain that "no result"
+ is expected in case of a "not found" condition. This happens
+ with incorrectly implemented SQL or LDAP tables. File:
+ global/maps_find.c.
+
Open problems:
High: when virtual aliasing is turned off after content
Low: sendmail does not store null command-line recipients.
- Low: sendmail, not cleanup, should extract recipients from
- message headers.
-
Low: have a configurable list of errno values for mailbox
or maildir delivery that result in deferral rather than
bouncing mail.
when the content filtering software itself runs into a resource
problem.
+The simple content filter method is not suitable for content filter
+actions that are invoked via header_checks or body_checks patterns.
+These patterns will be applied again after mail is re-injected with
+the Postfix sendmail command, resulting in a mail filtering loop.
+Instead, use the advanced content filtering method (see below) and
+turn off header_checks or body_checks patterns for filtered mail.
+
Advanced content filtering example
===================================
Purpose of the before-queue content filter feature
==================================================
-Normally, Postfix receives mail, stores it in the mail queue and
-then delivers it. The Postfix SMTP server can be configured to
-forward all incoming mail to a content filter (for example, a
-real-time SPAM filter) that inspects all mail BEFORE it is stored
-in the Postfix mail queue.
-
-[This is not to be confused with the approach described in the
-FILTER_README document, where all mail is inspected AFTER it is
-stored in the Postfix mail queue]
+The Postfix SMTP server can be configured to forward all incoming
+mail to a content filter (for example, a real-time SPAM filter)
+that inspects all mail BEFORE it is stored in the Postfix mail
+queue.
The before-queue content filter is meant to be used as follows:
Internet -> smtpd -> queue -> smtpd -> cleanup -> queue -> local
Postfix filter Postfix \ virtual etc.
-For reference, this is the normal path through Postfix:
+Normally, Postfix receives mail, stores it in the mail queue and
+then delivers it. The next diagram shows the normal path through
+Postfix for mail that arrives via the network:
/ smtp
Internet -> smtpd -> cleanup -> queue -> local
Postfix \ virtual etc.
-For comparison, this is the FILTER_README approach with an SMTP-based
-after-queue content filter:
- / smtp
+The before-queue content filter is not to be confused with the
+approach described in the FILTER_README document, where mail is
+filtered AFTER it is stored in the Postfix mail queue. For example,
+below is the FILTER_README approach with an SMTP-based after-queue
+content filter:
+
+ / smtp
Internet -> smtpd -> cleanup -> queue -> local
- Postfix ^ v \ virtual etc.
- smtpd smtp
- Postfix Postfix
- \ after /
- queue <-
- filter
+ Postfix ^ v \ virtual etc.
+ smtpd smtp
+ Postfix Postfix
+ \ after /
+ queue <-
+ filter
-The before-queue content filter receives unfiltered SMTP mail from
-Postfix and does one of the following:
+The before-queue content filter functions just like the after-queue
+content filter. It receives unfiltered SMTP mail from Postfix and
+does one of the following:
1 - Re-inject the mail back into Postfix via SMTP, perhaps after
changing content.
to Postfix. Postfix passes the status back to the remote SMTP
client. This way, Postfix does not have to send a bounce message.
-3 - Send the mail somewhere else.
+3 - Send the mail somewhere else, or discard the mail.
Limitations
===========
How Postfix talks to the before-queue content filter
==================================================
-Postfix makes one connection per email message. Postfix speaks
-ESMTP, but uses no command pipelining. Postfix generates its own
-EHLO, DATA and QUIT commands, and forwards unmodified copies of
-all the MAIL FROM and RCPT TO commands that the Postfix SMTP server
-didn't reject itself. The SMTP proxy server should accept the same
+The before-filter Postfix SMTP server connects to the content
+filter, delivers one message, and disconnects. While sending mail
+into the content filter, Postfix speaks ESMTP but uses no command
+pipelining. Postfix generates its own EHLO, XLOGINFO (for logging
+the remote client IP address instead of localhost[127.0.0.1]), DATA
+and QUIT commands, and forwards unmodified copies of all the MAIL
+FROM and RCPT TO commands that the before-filter Postfix SMTP server
+didn't reject itself. The SMTP proxy server should accept the same
MAIL FROM and RCPT TO command syntax as the Postfix SMTP server.
Postfix sends no other SMTP commands.
The content filter is expected to pass on unmodified SMTP commands
from a before-filter Postfix SMTP server to an after-filter Postfix
-SMTP server that listens on a non-standard port. When the filter
-rejects content, it should send a negative SMTP response back to
-the before-filter Postfix SMTP server, and it should abort any
-connection with the after-filter Postfix SMTP server without
+SMTP server that usually listens on a non-standard port. When the
+filter rejects content, it should send a negative SMTP response
+back to the before-filter Postfix SMTP server, and it should abort
+the connection with the after-filter Postfix SMTP server without
completing the SMTP conversation with the after-filter Postfix SMTP
server.
-Configuration parameters
+Configuration parameters
========================
Parameters that control proxying:
for testing, of course.
/etc/postfix/master.cf
- smtp inet n - n - - smtpd
+ smtp inet n - n - - smtpd
-o smtpd_proxy_filter=26
:26 inet n - n - - smtpd
+ -o smtpd_authorized_xloginfo_clients=127.0.0.0/8
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8
- -o receive_override_options=no_unknown_recipient_checks
+ -o receive_override_options=no_unknown_recipient_checks
Note: do not specify spaces around the "=" or "," characters.
The ":26" causes Postfix to listen on the localhost address only.
DO NOT expose the secondary SMTP server to the Internet :-)
+The smtpd_authorized_xloginfo_clients parameter allows the before
+filter SMTP server to pass the remote SMTP client name and address
+to the after-filter SMTP server, so that the after-filter Postfix
+daemons log the remote client name and address instead of logging
+localhost[127.0.0.1].
+
+The other parameter settings avoid duplication of effort that is
+done in the "before filter" SMTP server.
+
The result is as follows:
Internet -> smtpd on port 25 -> smtpd on port 26 -> cleanup -> queue
or because they are non-ASCII or control characters. And who knows,
some characters may tickle bugs in vulnerable software.
-- authorized_verp_clients (default value: $mynetworks) controls
-what network clients are allowed to request VERP style delivery.
+- smtpd_authorized_verp_clients (default value: none) controls
+what SMTP clients are allowed to request VERP style delivery.
Exceptions: the Postfix QMQP server uses its own access control
mechanism, and local submission (via /usr/sbin/sendmail etc.) is
always authorized. To authorize a host, list its name, IP address,
date. Snapshots change only the release date, unless they include
the same bugfixes as a patch release.
+Incompatible changes with Postfix snapshot 2.0.16-20031022
+==========================================================
+
+Postfix no longer retries delivery when no MX host has a valid A
+record, for compatibility with most other MTAs. This change is made
+in anticipation of a possible Verisign "wild-card MX record without
+A record" for unregistered domains. To get the old behavior, specify
+"smtp_defer_if_no_mx_address_found = yes".
+
+The Postfix SMTP client no longer looks in /etc/hosts by default.
+To get the old behavior, specify "smtp_host_lookup = dns, native".
+
+The authorized_verp_clients configuration parameter has been renamed
+to smtpd_authorized_verp_clients. This is for consistency with the
+new smtpd_authorized_xaddr_clients and smtpd_authorized_xloginfo_clients
+configuration parameters that control the use of the new XADDR and
+XLOGINFO commands.
+
+The smtpd_authorized_verp_clients parameter now defaults to nothing
+(no XVERP command is accepted).
+
+The Postfix SMTP server no longer allows queue_minfree values that
+are less than twice the message_size_limit value.
+
+The Postfix SMTP server no longer accepts mail when the amount of
+free queue space is less than twice the message_size_limit value.
+
+Major changes with Postfix snapshot 2.0.16-20031022
+===================================================
+
+Easier debugging of SMTPD access restrictions. The SMTP command
+"XADDR client-address client-hostname" changes Postfix's idea of
+the remote client name and address, so that you can pretend to
+connect from anywhere on the Internet. Use of this command is
+restricted to clients that match the list of names or addresses
+specified with the smtpd_authorized_xaddr_clients parameter. By
+default, XADDR is not accepted from anywhere.
+
+More useful logging by Postfix daemons behind a real-time SMTP
+proxy filter (the logging now shows the remote client name and
+address, instead of localhost[127.0.0.1]). This uses the new SMTP
+command "XLOGINFO client-address client-hostname", which specifies
+the client name and address for logging purposes without changing
+the name/address that are used for SMTPD access control. Use of
+this command is restricted to clients that match the list of names
+or addresses specified with the smtpd_authorized_xloginfo_clients
+parameter. By default, XLOGINFO is not accepted from anywhere.
+For an example, see the updated SMTPD_PROXY_README file.
+
Major changes with Postfix snapshot 2.0.16-20030917
===================================================
[Obsolete 20021209] The "check_relay_domains" restriction is going
away. The SMTP server logs a warning and suggests using the more
-robust "reject_unauth_destination" instead.
+robust "reject_unauth_destination" instead. This means that Postfix
+by default no longer grants relay permissions on the basis of the
+client hostname, and that relay clients must be authorized via
+other means such as permit_mynetworks.
[Obsolete 20020917] In regexp lookup tables, the form /pattern1/!/pattern2/
is going away. Use the cleaner and more flexible "if !/pattern2/..endif"
where inbound mail deliveries could become resource starved in the
presence of a high volume of outbound mail.
-[Feature 20021013] The body_checks_max_size parameter limits the
+[Feature 20021013] The body_checks_size_limit parameter limits the
amount of text per message body segment (or attachment, if you
prefer to use that term) that is subjected to body_checks inspection.
The default limit is 50 kbytes. This speeds up the processing of
IP address blacklisting. Based on code by LaMont Jones. The old
"reject_maps_rbl" is now implemented as a wrapper around the
reject_rbl_client code, and logs a warning that "reject_maps_rbl"
-is going away.
+is going away. To upgrade, specify "reject_rbl_client domainname"
+once for each domain name that is listed in maps_rbl_domains.
[Feature 20020923] "reject_rhsbl_sender rbl.domain.tld" for sender
domain blacklisting. Also: reject_rhsbl_client and reject_rhsbl_recipient
(for headers of attached email messages except MIME headers). By
default, all headers are matched with header_checks.
-[Feature 20021013] The body_checks_max_size parameter limits the
+[Feature 20021013] The body_checks_size_limit parameter limits the
amount of text per message body segment (or attachment, if you
prefer to use that term) that is subjected to body_checks inspection.
The default limit is 50 kbytes. This speeds up the processing of
$readme_directory/NFS_README:f:root:-:644
$readme_directory/PACKAGE_README:f:root:-:644
$readme_directory/PCRE_README:f:root:-:644
+$readme_directory/PGSQL_README:f:root:-:644
$readme_directory/QMQP_README:f:root:-:644
$readme_directory/RELEASE_NOTES:f:root:-:644
$readme_directory/RESTRICTION_CLASS_README:f:root:-:644
$readme_directory/SASL_README:f:root:-:644
$readme_directory/SCHEDULER_README:f:root:-:644
+$readme_directory/SMTPD_POLICY_README:f:root:-:644
+$readme_directory/SMTPD_PROXY_README:f:root:-:644
$readme_directory/ULTRIX_README:f:root:-:644
$readme_directory/UUCP_README:f:root:-:644
$readme_directory/VERP_README:f:root:-:644
#
body_checks = regexp:/etc/postfix/body_checks
-# The body_checks_max_size parameter controls how much text in a
+# The body_checks_size_limit parameter controls how much text in a
# message body segment (or attachment, if you prefer to use that
# term) is subjected to body_checks inspection.
#
# By default, only the first 50 kbytes of a message body segment are
# inspected with body_checks patterns.
#
-body_checks_max_size = 51200
+body_checks_size_limit = 51200
# The receive_override_options parameter controls what input processing
# happens before or after an external content filter.
# space in bytes in the queue file system. This is currently used by
# the SMTP server to decide if it will accept any mail at all.
#
+# By default, the SMTP server rejects MAIL FROM commands when the
+# amount of free space is less than 2*$message_size_limit.
+#
+# To specify a higher minimum free space limit, specify a value that
+# is at least 2*$message_size_limit.
+#
queue_minfree = 0
# The stale_lock_time parameter limits the time after which a stale
#
#smtp_bind_address=111.222.333.444
+# The smtp_defer_if_no_mx_address_found parameter controls what
+# Postfix will do when no MX record resolves to an IP address (Postfix
+# always ignores MX records with equal or worse preference than the
+# local MTA).
+#
+# The default (no) is to return the mail as undeliverable. With older
+# Postfix versions the default was to keep trying to deliver the mail
+# until someone fixed the MX record or until the mail was too old.
+#
+smtp_defer_if_no_mx_address_found = no
+
# The smtp_line_length_limit parameter controls the length of
# message header and body lines that Postfix will send via SMTP.
# Lines that are longer are broken by inserting <CR> <LF> <SPACE>.
#local_recipient_maps = unix:passwd.byname $alias_maps
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
-# The unknown_local_recipient_reject_code specifies the SMTP server
-# response code when a recipient domain matches $mydestination or
-# $inet_interfaces, while $local_recipient_maps is non-empty and the
-# recipient address or address local-part is not found.
+# The unknown_local_recipient_reject_code parameter specifies the
+# SMTP server response code when a recipient domain matches $mydestination
+# or $inet_interfaces, while $local_recipient_maps is non-empty and
+# the recipient address or address local-part is not found.
#
# The default setting is 550 (reject mail) but it is safer to start
# with 450 (try again later) until you are certain that your
#
#disable_vrfy_command = no
+# The smtpd_authorized_xaddr_clients parameter specifies what clients
+# are allowed to specify the SMTP "XADDR client-address client-name"
+# command. This command changes Postfix's idea of the client hostname
+# and IP address for logging and for access control. Typical use is
+# for SMTPD access testing.
+#
+# By default, no clients are allowed to specify XADDR.
+#
+# Specify an explicit list of network/netmask patterns, where the
+# mask specifies the number of bits in the network part of a host
+# address.
+#
+# You can also specify the absolute pathname of a pattern file instead
+# of listing the patterns here. Specify type:table for table-based lookups
+# (the value on the table right-hand side is not used).
+#
+smtpd_authorized_xaddr_clients =
+
+# The smtpd_authorized_xloginfo_clients parameter specifies what
+# clients are allowed to specify the SMTP "XLOGINFO client-address
+# client-name" command. This command changes Postfix's idea of the
+# client hostname and IP address for logging but not for access
+# control. Typical use is for SMTP-based content filters.
+#
+# By default, no clients are allowed to specify XLOGINFO.
+#
+# Specify an explicit list of network/netmask patterns, where the
+# mask specifies the number of bits in the network part of a host
+# address.
+#
+# You can also specify the absolute pathname of a pattern file instead
+# of listing the patterns here. Specify type:table for table-based lookups
+# (the value on the table right-hand side is not used).
+#
+smtpd_authorized_xloginfo_clients =
+
+# The smtpd_authorized_xverp_clients parameter specifies what clients
+# are allowed to specify the SMTP XVERP command. This command requests
+# that mail be delivered one recipient at a time with a per recipient
+# return address.
+#
+# By default, no clients are allowed to specify XVERP.
+#
+# Specify an explicit list of network/netmask patterns, where the
+# mask specifies the number of bits in the network part of a host
+# address.
+#
+# You can also specify the absolute pathname of a pattern file instead
+# of listing the patterns here. Specify type:table for table-based lookups
+# (the value on the table right-hand side is not used).
+#
+smtpd_authorized_xverp_clients =
+
# The smtpd_banner parameter specifies the text that follows the 220
# status code in the SMTP greeting banner. Some people like to see
# the mail version advertised. By default, Postfix shows no version.
#
smtpd_etrn_restrictions =
-# The smtpd_history_flush_threshold specifies how many lines the SMTP
-# server command history is allowed to contain before it is flushed
-# to postmaster upon receipt of EHLO, RSET, or end of DATA.
+# The smtpd_history_flush_threshold parameter specifies how many
+# lines the SMTP server command history is allowed to contain before
+# it is flushed to postmaster upon receipt of EHLO, RSET, or end of
+# DATA.
#
smtpd_history_flush_threshold = 100
# $database_name.time(), so that the mail system does not get stuck.
#
$database_name="/var/mta/smtpd-policy.db";
-$greylist_delay=3600;
+$greylist_delay=60;
#
# Syslogging options for verbose mode and for fatal errors.
# Use tied database to make complex manipulations easier to express.
$database_obj = tie(%db_hash, 'DB_File', $database_name,
- O_CREAT|O_RDWR, 0644) ||
+ O_CREAT|O_RDWR, 0644, $DB_BTREE) ||
fatal_exit "Cannot open database %s: $!", $database_name;
$database_fd = $database_obj->fd;
open DATABASE_HANDLE, "+<&=$database_fd" ||
# out of the way, and start with a new database.
#
sub sigsegv_handler {
- my $backup = $database_name . time();
+ my $backup = $database_name . "." . time();
rename $database_name, $backup ||
fatal_exit "Can't save %s as %s: $!", $database_name, $backup;
You should set up a <b>postmaster</b> <a
href="rewrite.html#aliases">alias</a> that points to a human person.
-This alias is required to exist, so that people can report mail
-delivery problems.
+The <b>postmaster</b> address is required to exist, so that people
+can report mail delivery problems.
<p>
<p>
-On SuSE systems the file permission fixing utulity is called
-<b>SuSEconfig</b>. Other Linux systems may use different names.
+On SuSE systems the utulity is called <b>SuSEconfig</b>. Other
+Linux systems may use different names.
The usual disclaimers about mileages etc. apply.
<p>
</pre>
</blockquote>
-and to make sure that in /etc/rc.config,
+and to make sure that in the file /etc/sysconfig/security (with
+older SuSE versions, in the file /etc/rc.config),
PERMISSIONS_SECURITY mentions local last, EXAMPLE:
<blockquote>
-<html> <
head> </head> <body> <pre>
+<html> <body> <pre>
MASTER(8) MASTER(8)
<b>NAME</b>
master - Postfix master process
<b>SYNOPSIS</b>
- <b>master</b> [<b>-Dtv</b>] [<b>-c</b> <i>config_dir</i>] [<b>-e</b> <i>exit_time</i>]
+ <b>master</b> [<b>-Dtv</b>] [<b>-c</b> <i>config</i><b>_</b><i>dir</i>] [<b>-e</b> <i>exit</i><b>_</b><i>time</i>]
<b>DESCRIPTION</b>
The <b>master</b> daemon is the resident process that runs Post-
Options:
- <b>-c</b> <i>config_dir</i>
+ <b>-c</b> <i>config</i><b>_</b><i>dir</i>
Read the <b>main.cf</b> and <b>master.cf</b> configuration files
in the named directory instead of the default con-
figuration directory.
- <b>-e</b> <i>exit_time</i>
- Terminate the master process after <i>exit_time</i> sec-
+ <b>-e</b> <i>exit</i><b>_</b><i>time</i>
+ Terminate the master process after <i>exit</i><b>_</b><i>time</i> sec-
onds. Child processes terminate at their conve-
nience.
<b>-D</b> After initialization, run a debugger on the master
process. The debugging command is specified with
- the <b>debugger</b><i>_</i><b>command</b> in the <b>main.cf</b> global configu-
+ the <b>debugger_command</b> in the <b>main.cf</b> global configu-
ration file.
<b>-t</b> Test mode. Return a zero exit status when the <b>mas-</b>
<b>abort</b>), the master process passes the signal on to
its child processes and terminates. This is useful
for an emergency shutdown. Normally one would ter-
- minate only the master (<b>postfix</b> <b>stop</b>) and allow
+ minate only the master (<b>postfix stop</b>) and allow
running processes to finish what they are doing.
<b>DIAGNOSTICS</b>
<b>BUGS</b>
<b>ENVIRONMENT</b>
- <b>MAIL</b><i>_</i><b>DEBUG</b>
+ <b>MAIL_DEBUG</b>
After initialization, start a debugger as specified
- with the <b>debugger</b><i>_</i><b>command</b> configuration parameter
+ with the <b>debugger_command</b> configuration parameter
in the <b>main.cf</b> configuration file.
- <b>MAIL</b><i>_</i><b>CONFIG</b>
+ <b>MAIL_CONFIG</b>
Directory with Postfix configuration files.
-<b>CONFIGURATION</b> <b>PARAMETERS</b>
+<b>CONFIGURATION PARAMETERS</b>
The following <b>main.cf</b> parameters are especially relevant
to this program. See the Postfix <b>main.cf</b> file for syntax
- details and for default values. Use the <b>postfix</b> <b>reload</b>
+ details and for default values. Use the <b>postfix reload</b>
command after a configuration change.
<b>Miscellaneous</b>
- <b>import</b><i>_</i><b>environment</b>
+ <b>import_environment</b>
- <b>export</b><i>_</i><b>environment</b>
+ <b>export_environment</b>
Lists of names of environment parameters that can
be imported from (exported to) non-Postfix pro-
cesses.
- <b>mail</b><i>_</i><b>owner</b>
+ <b>mail_owner</b>
The owner of the mail queue and of most Postfix
processes.
- <b>command</b><i>_</i><b>directory</b>
+ <b>command_directory</b>
Directory with Postfix support programs.
- <b>daemon</b><i>_</i><b>directory</b>
+ <b>daemon_directory</b>
Directory with Postfix daemon programs.
- <b>queue</b><i>_</i><b>directory</b>
+ <b>queue_directory</b>
Top-level directory of the Postfix queue. This is
also the root directory of Postfix daemons that run
chrooted.
- <b>inet</b><i>_</i><b>interfaces</b>
+ <b>inet_interfaces</b>
The network interface addresses that this system
receives mail on. You need to stop and start Post-
fix when this parameter changes.
-<b>Resource</b> <b>controls</b>
- <b>default</b><i>_</i><b>process</b><i>_</i><b>limit</b>
+<b>Resource controls</b>
+ <b>default_process_limit</b>
Default limit for the number of simultaneous child
processes that provide a given service.
- <b>max</b><i>_</i><b>idle</b>
+ <b>max_idle</b>
Limit the time in seconds that a child process
waits between service requests.
- <b>max</b><i>_</i><b>use</b>
+ <b>max_use</b>
Limit the number of service requests handled by a
child process.
- <b>service</b><i>_</i><b>throttle</b><i>_</i><b>time</b>
+ <b>service_throttle_time</b>
Time to avoid forking a server that appears to be
broken.
/etc/postfix/master.cf: master process configuration file.
/var/spool/postfix/pid/master.pid: master lock file.
-<b>SEE</b> <b>ALSO</b>
+<b>SEE ALSO</b>
<a href="qmgr.8.html">qmgr(8)</a> queue manager
<a href="pickup.8.html">pickup(8)</a> local mail pickup
syslogd(8) system logging
-<html> <
head> </head> <body> <pre>
+<html> <body> <pre>
SMTP(8) SMTP(8)
<b>NAME</b>
rupted message files are marked so that the queue manager
can move them to the <b>corrupt</b> queue for further inspection.
- Depending on the setting of the <b>notify</b><i>_</i><b>classes</b> parameter,
+ Depending on the setting of the <b>notify_classes</b> parameter,
the postmaster is notified of bounces, protocol problems,
and of other trouble.
command after a configuration change.
<b>Miscellaneous</b>
- <b>best</b><i>_</i><b>mx</b><i>_</i><b>transport</b>
+ <b>best_mx_transport</b>
Name of the delivery transport to use when the
local machine is the most-preferred mail exchanger
(by default, a mailer loop is reported, and the
message is bounced).
- <b>debug</b><i>_</i><b>peer</b><i>_</i><b>level</b>
+ <b>debug_peer_level</b>
Verbose logging level increment for hosts that
- match a pattern in the <b>debug</b><i>_</i><b>peer</b><i>_</i><b>list</b> parameter.
+ match a pattern in the <b>debug_peer_list</b> parameter.
- <b>debug</b><i>_</i><b>peer</b><i>_</i><b>list</b>
+ <b>debug_peer_list</b>
List of domain or network patterns. When a remote
host matches a pattern, increase the verbose log-
ging level by the amount specified in the
- <b>debug</b><i>_</i><b>peer</b><i>_</i><b>level</b> parameter.
+ <b>debug_peer_level</b> parameter.
- <b>disable</b><i>_</i><b>dns</b><i>_</i><b>lookups</b>
+ <b>disable_dns_lookups</b>
Disable DNS lookups. This means that mail must be
forwarded via a smart relay host.
- <b>smtp</b><i>_</i><b>host</b><i>_</i><b>lookup</b>
+ <b>smtp_host_lookup</b>
What host lookup mechanism the SMTP client should
use. Specify <b>dns</b> (use DNS lookup) and/or <b>native</b>
(use the native naming service which also uses
/etc/hosts). This setting is ignored when DNS
lookups are disabled.
- <b>error</b><i>_</i><b>notice</b><i>_</i><b>recipient</b>
+ <b>error_notice_recipient</b>
Recipient of protocol/policy/resource/software
error notices.
- <b>fallback</b><i>_</i><b>relay</b>
+ <b>fallback_relay</b>
Hosts to hand off mail to if a message destination
is not found or if a destination is unreachable.
- <b>ignore</b><i>_</i><b>mx</b><i>_</i><b>lookup</b><i>_</i><b>error</b>
+ <b>ignore_mx_lookup_error</b>
When a name server fails to respond to an MX query,
search for an A record, instead of deferring mail
delivery.
- <b>inet</b><i>_</i><b>interfaces</b>
+ <b>inet_interfaces</b>
The network interface addresses that this mail sys-
tem receives mail on. When any of those addresses
appears in the list of mail exchangers for a remote
destination, the list is truncated to avoid mail
- delivery loops. See also the <b>proxy</b><i>_</i><b>interfaces</b>
+ delivery loops. See also the <b>proxy_interfaces</b>
parameter.
- <b>notify</b><i>_</i><b>classes</b>
+ <b>notify_classes</b>
When this parameter includes the <b>protocol</b> class,
send mail to the postmaster with transcripts of
SMTP sessions with protocol errors.
- <b>proxy</b><i>_</i><b>interfaces</b>
+ <b>proxy_interfaces</b>
Network interfaces that this mail system receives
mail on by way of a proxy or network address trans-
lator. When any of those addresses appears in the
list of mail exchangers for a remote destination,
the list is truncated to avoid mail delivery loops.
- See also the <b>inet</b><i>_</i><b>interfaces</b> parameter.
+ See also the <b>inet_interfaces</b> parameter.
- <b>smtp</b><i>_</i><b>always</b><i>_</i><b>send</b><i>_</i><b>ehlo</b>
+ <b>smtp_always_send_ehlo</b>
Always send EHLO at the start of a connection.
- <b>smtp</b><i>_</i><b>never</b><i>_</i><b>send</b><i>_</i><b>ehlo</b>
+ <b>smtp_never_send_ehlo</b>
Never send EHLO at the start of a connection.
- <b>smtp</b><i>_</i><b>bind</b><i>_</i><b>address</b>
+ <b>smtp_bind_address</b>
Numerical source network address to bind to when
making a connection.
- <b>smtp</b><i>_</i><b>line</b><i>_</i><b>length</b><i>_</i><b>limit</b>
+ <b>smtp_line_length_limit</b>
Length limit for SMTP message content lines. Zero
means no limit. Some SMTP servers misbehave on
long lines.
- <b>smtp</b><i>_</i><b>helo</b><i>_</i><b>name</b>
+ <b>smtp_helo_name</b>
The hostname to be used in HELO and EHLO commands.
- <b>smtp</b><i>_</i><b>quote</b><i>_</i><b>rfc821</b><i>_</i><b>envelope</b>
+ <b>smtp_quote_rfc821_envelope</b>
Whether or not to quote MAIL FROM and RCPT TO
addresses as per the rules laid out in <a href="http://www.faqs.org/rfcs/rfc821.html">RFC 821</a>.
- <b>smtp</b><i>_</i><b>skip</b><i>_</i><b>4xx</b><i>_</i><b>greeting</b>
+ <b>smtp_skip_4xx_greeting</b>
Skip servers that greet us with a 4xx status code.
- <b>smtp</b><i>_</i><b>skip</b><i>_</i><b>5xx</b><i>_</i><b>greeting</b>
+ <b>smtp_skip_5xx_greeting</b>
Skip servers that greet us with a 5xx status code.
- <b>smtp</b><i>_</i><b>skip</b><i>_</i><b>quit</b><i>_</i><b>response</b>
+ <b>smtp_skip_quit_response</b>
Do not wait for the server response after sending
QUIT.
- <b>smtp</b><i>_</i><b>pix</b><i>_</i><b>workaround</b><i>_</i><b>delay</b><i>_</i><b>time</b>
+ <b>smtp_pix_workaround_delay_time</b>
The time to pause before sending .<CR><LF>, while
working around the CISCO PIX firewall
<CR><LF>.<CR><LF> bug.
- <b>smtp</b><i>_</i><b>pix</b><i>_</i><b>workaround</b><i>_</i><b>threshold</b><i>_</i><b>time</b>
+ <b>smtp_pix_workaround_threshold_time</b>
The time a message must be queued before the CISCO
PIX firewall <CR><LF>.<CR><LF> bug workaround is
turned on.
<b>MIME Conversion</b>
- <b>disable</b><i>_</i><b>mime</b><i>_</i><b>output</b><i>_</i><b>conversion</b>
+ <b>disable_mime_output_conversion</b>
Disable the conversion of 8BITMIME format to 7BIT
format when the remote system does not advertise
8BITMIME support.
- <b>mime</b><i>_</i><b>boundary</b><i>_</i><b>length</b><i>_</i><b>limit</b>
+ <b>mime_boundary_length_limit</b>
The amount of space that will be allocated for MIME
multipart boundary strings. The MIME processor is
unable to distinguish between boundary strings that
- do not differ in the first <b>$mime</b><i>_</i><b>bound-</b>
- <b>ary</b><i>_</i><b>length</b><i>_</i><b>limit</b> characters.
+ do not differ in the first <b>$mime_bound-</b>
+ <b>ary_length_limit</b> characters.
- <b>mime</b><i>_</i><b>nesting</b><i>_</i><b>limit</b>
+ <b>mime_nesting_limit</b>
The maximal nesting level of multipart mail that
the MIME processor can handle. Refuse mail that is
nested deeper, when converting from 8BITMIME format
to 7BIT format.
<b>Authentication controls</b>
- <b>smtp</b><i>_</i><b>sasl</b><i>_</i><b>auth</b><i>_</i><b>enable</b>
+ <b>smtp_sasl_auth_enable</b>
Enable per-session authentication as per <a href="http://www.faqs.org/rfcs/rfc2554.html">RFC 2554</a>
(SASL). By default, Postfix is built without SASL
support.
- <b>smtp</b><i>_</i><b>sasl</b><i>_</i><b>password</b><i>_</i><b>maps</b>
+ <b>smtp_sasl_password_maps</b>
Lookup tables with per-host or domain <i>name</i>:<i>password</i>
entries. No entry for a host means no attempt to
authenticate.
- <b>smtp</b><i>_</i><b>sasl</b><i>_</i><b>security</b><i>_</i><b>options</b>
+ <b>smtp_sasl_security_options</b>
Zero or more of the following.
<b>noplaintext</b>
Disallow anonymous logins.
<b>Resource controls</b>
- <b>smtp</b><i>_</i><b>destination</b><i>_</i><b>concurrency</b><i>_</i><b>limit</b>
+ <b>smtp_destination_concurrency_limit</b>
Limit the number of parallel deliveries to the same
destination. The default limit is taken from the
- <b>default</b><i>_</i><b>destination</b><i>_</i><b>concurrency</b><i>_</i><b>limit</b> parameter.
+ <b>default_destination_concurrency_limit</b> parameter.
- <b>smtp</b><i>_</i><b>destination</b><i>_</i><b>recipient</b><i>_</i><b>limit</b>
+ <b>smtp_destination_recipient_limit</b>
Limit the number of recipients per message deliv-
ery. The default limit is taken from the
- <b>default</b><i>_</i><b>destination</b><i>_</i><b>recipient</b><i>_</i><b>limit</b> parameter.
+ <b>default_destination_recipient_limit</b> parameter.
<b>Timeout controls</b>
The default time unit is seconds; an explicit time unit
value: s (seconds), m (minutes), h (hours), d (days) or w
(weeks).
- <b>smtp</b><i>_</i><b>connect</b><i>_</i><b>timeout</b>
+ <b>smtp_connect_timeout</b>
Timeout for completing a TCP connection. When no
connection can be made within the deadline, the
SMTP client tries the next address on the mail
exchanger list.
- <b>smtp</b><i>_</i><b>helo</b><i>_</i><b>timeout</b>
+ <b>smtp_helo_timeout</b>
Timeout for receiving the SMTP greeting banner.
When the server drops the connection without send-
ing a greeting banner, or when it sends no greeting
banner within the deadline, the SMTP client tries
the next address on the mail exchanger list.
- <b>smtp</b><i>_</i><b>helo</b><i>_</i><b>timeout</b>
+ <b>smtp_helo_timeout</b>
Timeout for sending the <b>HELO</b> command, and for
receiving the server response.
- <b>smtp</b><i>_</i><b>mail</b><i>_</i><b>timeout</b>
+ <b>smtp_mail_timeout</b>
Timeout for sending the <b>MAIL FROM</b> command, and for
receiving the server response.
- <b>smtp</b><i>_</i><b>rcpt</b><i>_</i><b>timeout</b>
+ <b>smtp_rcpt_timeout</b>
Timeout for sending the <b>RCPT TO</b> command, and for
receiving the server response.
- <b>smtp</b><i>_</i><b>data</b><i>_</i><b>init</b><i>_</i><b>timeout</b>
+ <b>smtp_data_init_timeout</b>
Timeout for sending the <b>DATA</b> command, and for
receiving the server response.
- <b>smtp</b><i>_</i><b>data</b><i>_</i><b>xfer</b><i>_</i><b>timeout</b>
+ <b>smtp_data_xfer_timeout</b>
Timeout for sending the message content.
- <b>smtp</b><i>_</i><b>data</b><i>_</i><b>done</b><i>_</i><b>timeout</b>
+ <b>smtp_data_done_timeout</b>
Timeout for sending the "<b>.</b>" command, and for
receiving the server response. When no response is
received, a warning is logged that the mail may be
delivered multiple times.
- <b>smtp</b><i>_</i><b>rset</b><i>_</i><b>timeout</b>
+ <b>smtp_defer_if_no_mx_address_found</b>
+ If no, bounce mail when no MX host resolves to an
+ address (Postfix always ignores MX hosts with equal
+ or worse preference than the local MTA). If yes,
+ keep trying until a suitable MX host resolves or
+ until the mail is too old.
+
+ <b>smtp_rset_timeout</b>
Timeout for sending the <b>RSET</b> command.
- <b>smtp</b><i>_</i><b>quit</b><i>_</i><b>timeout</b>
+ <b>smtp_quit_timeout</b>
Timeout for sending the <b>QUIT</b> command, and for
receiving the server response.
restriction.
<b>Miscellaneous</b>
- <b>authorized_verp_clients</b>
+ <b>smtpd_authorized_verp_clients</b>
Hostnames, domain names and/or addresses of clients
that are authorized to use the XVERP extension.
+ <b>smtpd_authorized_xaddr_clients</b>
+ Hostnames, domain names and/or addresses of clients
+ that are authorized to use the "XADDR client-
+ address client-name" command. This changes Post-
+ fix's idea of the SMTP client IP address and host-
+ name for access control and for logging purposes.
+
+ <b>smtpd_authorized_xloginfo_clients</b>
+ Hostnames, domain names and/or addresses of clients
+ that are authorized to use the "XLOGINFO client-
+ address client-name" command. This changes the
+ client name and address that are used for logging,
+ without affecting the client IP address and host-
+ name that are used for access control. XLOGINFO is
+ typically used to propagate remote client informa-
+ tion through an SMTP-based content filter to the
+ after-filter SMTP server.
+
<b>debug_peer_level</b>
Increment in verbose logging level when a remote
host matches a pattern in the <b>debug_peer_list</b>
<b>queue_minfree</b>
Minimal amount of free space in bytes in the queue
file system for the SMTP server to accept any mail
- at all.
+ at all (default: twice the <b>message_size_limit</b>
+ value).
<b>smtpd_history_flush_threshold</b>
Flush the command history to postmaster after
<b>smtpd_soft_error_limit</b>
When an SMTP client has made this number of errors,
- wait <i>error</i><b>_</b><i>count</i> seconds before responding to any
+ wait <i>error</i><b>_</b><i>count</i> seconds before responding to any
client request.
<b>smtpd_hard_error_limit</b>
- Disconnect after a client has made this number of
+ Disconnect after a client has made this number of
errors.
<b>smtpd_junk_command_limit</b>
Limit the number of times a client can issue a junk
- command such as NOOP, VRFY, ETRN or RSET in one
- SMTP session before it is penalized with tarpit
+ command such as NOOP, VRFY, ETRN or RSET in one
+ SMTP session before it is penalized with tarpit
delays.
<b>Delegated policy</b>
receiving from a delegated SMTPD policy server.
<b>smtpd_policy_service_max_idle</b>
- Time after which an unused SMTPD policy service
+ Time after which an unused SMTPD policy service
connection is closed.
<b>smtpd_policy_service_timeout</b>
- Time after which an active SMTPD policy service
+ Time after which an active SMTPD policy service
connection is closed.
<b>UCE control restrictions</b>
<b>parent_domain_matches_subdomains</b>
- List of Postfix features that use <i>domain.tld</i> pat-
- terns to match <i>sub.domain.tld</i> (as opposed to
+ List of Postfix features that use <i>domain.tld</i> pat-
+ terns to match <i>sub.domain.tld</i> (as opposed to
requiring <i>.domain.tld</i> patterns).
<b>smtpd_client_restrictions</b>
tem.
<b>smtpd_helo_required</b>
- Require that clients introduce themselves at the
+ Require that clients introduce themselves at the
beginning of an SMTP session.
<b>smtpd_helo_restrictions</b>
- Restrict what client hostnames are allowed in <b>HELO</b>
+ Restrict what client hostnames are allowed in <b>HELO</b>
and <b>EHLO</b> commands.
<b>smtpd_sender_restrictions</b>
- Restrict what sender addresses are allowed in <b>MAIL</b>
+ Restrict what sender addresses are allowed in <b>MAIL</b>
<b>FROM</b> commands.
<b>smtpd_recipient_restrictions</b>
- Restrict what recipient addresses are allowed in
+ Restrict what recipient addresses are allowed in
<b>RCPT TO</b> commands.
<b>smtpd_etrn_restrictions</b>
mands, and what clients may issue <b>ETRN</b> commands.
<b>smtpd_data_restrictions</b>
- Restrictions on the <b>DATA</b> command. Currently, the
- only restriction that makes sense here is
+ Restrictions on the <b>DATA</b> command. Currently, the
+ only restriction that makes sense here is
<b>reject_unauth_pipelining</b>.
<b>allow_untrusted_routing</b>
- Allow untrusted clients to specify addresses with
- sender-specified routing. Enabling this opens up
- nasty relay loopholes involving trusted backup MX
+ Allow untrusted clients to specify addresses with
+ sender-specified routing. Enabling this opens up
+ nasty relay loopholes involving trusted backup MX
hosts.
<b>smtpd_restriction_classes</b>
- Declares the name of zero or more parameters that
- contain a list of UCE restrictions. The names of
- these parameters can then be used instead of the
+ Declares the name of zero or more parameters that
+ contain a list of UCE restrictions. The names of
+ these parameters can then be used instead of the
restriction lists that they represent.
<b>smtpd_null_access_lookup_key</b>
- The lookup key to be used in SMTPD access tables
- instead of the null sender address. A null sender
+ The lookup key to be used in SMTPD access tables
+ instead of the null sender address. A null sender
address cannot be looked up.
<b>maps_rbl_domains</b> (deprecated)
- List of DNS domains that publish the addresses of
+ List of DNS domains that publish the addresses of
blacklisted hosts. This is used with the deprecated
<b>reject_maps_rbl</b> restriction.
<b>permit_mx_backup_networks</b>
- Only domains whose primary MX hosts match the
- listed networks are eligible for the <b>per-</b>
+ Only domains whose primary MX hosts match the
+ listed networks are eligible for the <b>per-</b>
<b>mit_mx_backup</b> feature.
<b>relay_domains</b>
- Restrict what domains this mail system will relay
- mail to. The domains are routed to the delivery
+ Restrict what domains this mail system will relay
+ mail to. The domains are routed to the delivery
agent specified with the <b>relay_transport</b> setting.
<b>Sender/recipient address verification</b>
Address verification is implemented by sending probe email
- messages that are not actually delivered, and is enabled
- via the reject_unverified_{sender,recipient} access
- restriction. The status of verification probes is main-
+ messages that are not actually delivered, and is enabled
+ via the reject_unverified_{sender,recipient} access
+ restriction. The status of verification probes is main-
tained by the address verification service.
<b>address_verify_poll_count</b>
- How many times to query the address verification
- service for completion of an address verification
- request. Specify 1 to implement a simple form of
- greylisting, that is, always defer the request for
+ How many times to query the address verification
+ service for completion of an address verification
+ request. Specify 1 to implement a simple form of
+ greylisting, that is, always defer the request for
a new sender or recipient address.
<b>address_verify_poll_delay</b>
- Time to wait after querying the address verifica-
+ Time to wait after querying the address verifica-
tion service for completion of an address verifica-
tion request.
<b>UCE control responses</b>
<b>access_map_reject_code</b>
- Response code when a client violates an access
+ Response code when a client violates an access
database restriction.
<b>default_rbl_reply</b>
Default template reply when a request is RBL black-
- listed. This template is used by the <b>reject_rbl_*</b>
- and <b>reject_rhsbl_*</b> restrictions. See also:
+ listed. This template is used by the <b>reject_rbl_*</b>
+ and <b>reject_rhsbl_*</b> restrictions. See also:
<b>rbl_reply_maps</b> and <b>smtpd_expansion_filter</b>.
<b>defer_code</b>
- Response code when a client request is rejected by
+ Response code when a client request is rejected by
the <b>defer</b> restriction.
<b>invalid_hostname_reject_code</b>
- Response code when a client violates the
+ Response code when a client violates the
<b>reject_invalid_hostname</b> restriction.
<b>maps_rbl_reject_code</b>
Response code when a request is RBL blacklisted.
<b>multi_recipient_bounce_reject_code</b>
- Response code when a multi-recipient bounce is
+ Response code when a multi-recipient bounce is
blocked.
<b>rbl_reply_maps</b>
- Table with template responses for RBL blacklisted
- requests, indexed by RBL domain name. These tem-
+ Table with template responses for RBL blacklisted
+ requests, indexed by RBL domain name. These tem-
plates are used by the <b>reject_rbl_*</b> and
- <b>reject_rhsbl_*</b> restrictions. See also:
+ <b>reject_rhsbl_*</b> restrictions. See also:
<b>default_rbl_reply</b> and <b>smtpd_expansion_filter</b>.
<b>reject_code</b>
- Response code when the client matches a <b>reject</b>
+ Response code when the client matches a <b>reject</b>
restriction.
<b>relay_domains_reject_code</b>
mail relay policy.
<b>unknown_address_reject_code</b>
- Response code when a client violates the
+ Response code when a client violates the
<b>reject_unknown_address</b> restriction.
<b>unknown_client_reject_code</b>
tion.
<b>unknown_hostname_reject_code</b>
- Response code when a client violates the
+ Response code when a client violates the
<b>reject_unknown_hostname</b> restriction.
<b>unverified_sender_reject_code</b>
- Response code when a sender address is known to be
+ Response code when a sender address is known to be
undeliverable.
<b>unverified_recipient_reject_code</b>
- Response code when a recipient address is known to
+ Response code when a recipient address is known to
be undeliverable.
<b>SEE ALSO</b>
<a href="verify.8.html">verify(8)</a> address verification service
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>
Timeout for sending the "\fB.\fR" command, and for
receiving the server response. When no response is received, a
warning is logged that the mail may be delivered multiple times.
+.IP \fBsmtp_defer_if_no_mx_address_found\fR
+If no, bounce mail when no MX host resolves to an address
+(Postfix always ignores MX hosts with equal or worse preference
+than the local MTA).
+If yes, keep trying until a suitable MX host resolves or until
+the mail is too old.
.IP \fBsmtp_rset_timeout\fR
Timeout for sending the \fBRSET\fR command.
.IP \fBsmtp_quit_timeout\fR
.SH Miscellaneous
.ad
.fi
-.IP \fBauthorized_verp_clients\fR
+.IP \fBsmtpd_authorized_verp_clients\fR
Hostnames, domain names and/or addresses of clients that are
authorized to use the XVERP extension.
+.IP \fBsmtpd_authorized_xaddr_clients\fR
+Hostnames, domain names and/or addresses of clients that are
+authorized to use the "XADDR client-address client-name" command.
+This changes Postfix's
+idea of the SMTP client IP address and hostname for access
+control and for logging purposes.
+.IP \fBsmtpd_authorized_xloginfo_clients\fR
+Hostnames, domain names and/or addresses of clients that are
+authorized to use the "XLOGINFO client-address client-name" command.
+This changes the client
+name and address that are used for logging, without affecting the
+client IP address and hostname that are used for access control.
+XLOGINFO is typically used to propagate remote client information
+through an SMTP-based content filter to the after-filter SMTP server.
.IP \fBdebug_peer_level\fR
Increment in verbose logging level when a remote host matches a
pattern in the \fBdebug_peer_list\fR parameter.
storage for envelope information.
.IP \fBqueue_minfree\fR
Minimal amount of free space in bytes in the queue file system
-for the SMTP server to accept any mail at all.
+for the SMTP server to accept any mail at all (default: twice
+the \fBmessage_size_limit\fR value).
.IP \fBsmtpd_history_flush_threshold\fR
Flush the command history to postmaster after receipt of RSET etc.
only if the number of history lines exceeds the given threshold.
len = res_search((char *) name, C_IN, type, reply->buf, sizeof(reply->buf));
if (len < 0) {
if (why)
- vstring_sprintf(why, "Name service error for name=%s type=%s: %s",
+ vstring_sprintf(why, "Host or domain name not found. "
+ "Name service error for name=%s type=%s: %s",
name, dns_strtype(type), dns_strerror(h_errno));
if (msg_verbose)
msg_info("dns_query: %s (%s): %s",
/* .IP address
/* The address to be looked up.
/* DIAGNOSTICS
+/* Warnings: map lookup returns a non-address result.
+/*
/* The global \fIdict_errno\fR is non-zero when the lookup
/* should be tried again.
/* SEE ALSO
if (msg_verbose)
for (i = 0; i < argv->argc; i++)
msg_info("%s: %s -> %d: %s", myname, address, i, argv->argv[i]);
+ if (argv->argc == 0) {
+ msg_warn("%s lookup of %s returns non-address result \"%s\"",
+ path->title, address, string);
+ argv = argv_free(argv);
+ dict_errno = DICT_ERR_RETRY;
+ }
}
/*
#define SMTP_HOST_LOOKUP_NATIVE "native"
#define VAR_SMTP_HOST_LOOKUP "smtp_host_lookup"
-#define DEF_SMTP_HOST_LOOKUP SMTP_HOST_LOOKUP_DNS "," SMTP_HOST_LOOKUP_NATIVE
+#define DEF_SMTP_HOST_LOOKUP SMTP_HOST_LOOKUP_DNS
extern int var_smtp_dns_lookup;
/*
#define DEF_SMTP_PIX_DELAY "10s"
extern int var_smtp_pix_delay;
+#define VAR_SMTP_DEFER_MXADDR "smtp_defer_if_no_mx_address_found"
+#define DEF_SMTP_DEFER_MXADDR 0
+extern bool var_smtp_defer_mxaddr;
+
/*
* SMTP server. The soft error limit determines how many errors an SMTP
* client may make before we start to slow down; the hard error limit
#define DEF_VERP_BOUNCE_OFF 0
extern bool var_verp_bounce_off;
-#define VAR_VERP_CLIENTS "authorized_verp_clients"
-#define DEF_VERP_CLIENTS "$mynetworks"
+#define VAR_VERP_CLIENTS "smtpd_authorized_verp_clients"
+#define DEF_VERP_CLIENTS "$authorized_verp_clients"
extern char *var_verp_clients;
+ /*
+ * XADDR.
+ */
+#define VAR_XADDR_CLIENTS "smtpd_authorized_xaddr_clients"
+#define DEF_XADDR_CLIENTS ""
+extern char *var_xaddr_clients;
+
+#define VAR_XLOGINFO_CLIENTS "smtpd_authorized_xloginfo_clients"
+#define DEF_XLOGINFO_CLIENTS ""
+extern char *var_xloginfo_clients;
+
/*
* Inbound mail flow control. This allows for a stiffer coupling between
* receiving mail and sending mail. A sending process produces one token for
* Patches change the patchlevel and the release date. Snapshots change the
* release date only, unless they include the same bugfix as a patch release.
*/
-#define MAIL_RELEASE_DATE "20030921"
+#define MAIL_RELEASE_DATE "20031022"
#define VAR_MAIL_VERSION "mail_version"
#define DEF_MAIL_VERSION "2.0.16-" MAIL_RELEASE_DATE
/* sensitive.
/* DIAGNOSTICS
/* Panic: inappropriate use; fatal errors: out of memory, unable
-/* to open database.
+/* to open database. Warnings: null string lookup result.
/*
/* maps_find() returns a null pointer when the requested
/* information was not found. The global \fIdict_errno\fR
if (flags != 0 && (dict->flags & flags) == 0)
continue;
if ((expansion = dict_get(dict, name)) != 0) {
+ if (*expansion == 0) {
+ msg_warn("%s lookup of %s returns an empty string result",
+ maps->title, name);
+ msg_warn("%s should return NO RESULT in case of NOT FOUND",
+ maps->title);
+ dict_errno = DICT_ERR_RETRY;
+ return (0);
+ }
if (msg_verbose)
msg_info("%s: %s: %s: %s = %s", myname, maps->title,
*map_name, name, expansion);
msg_warn("mailing list \"%s\" needs an \"owner-%s\" alias",
name, name);
#endif
+ if (alias_count < 1)
+ *statusp = defer_append(BOUNCE_FLAGS(state.request),
+ BOUNCE_ATTR(state.msg_attr),
+ "no recipient in alias lookup result");
myfree(expansion);
if (owner)
myfree(owner);
clean_env(import_env->argv);
argv_free(import_env);
- if ((inherited_limit = get_file_limit()) < (off_t) INT_MAX)
- set_file_limit(INT_MAX);
+ if ((inherited_limit = get_file_limit()) < 0)
+ set_file_limit(OFF_T_MAX);
if (chdir(var_queue_dir))
msg_fatal("chdir %s: %m", var_queue_dir);
/* Disable DNS lookups. This means that mail must be forwarded
/* via a smart relay host.
/* .IP \fBsmtp_host_lookup\fR
-/* What host lookup mechanism the SMTP client should use.
+/* What host lookup mechanism the SMTP client should use.
/* Specify \fBdns\fR (use DNS lookup) and/or \fBnative\fR
/* (use the native naming service which also uses /etc/hosts).
/* This setting is ignored when DNS lookups are disabled.
/* Timeout for sending the "\fB.\fR" command, and for
/* receiving the server response. When no response is received, a
/* warning is logged that the mail may be delivered multiple times.
+/* .IP \fBsmtp_defer_if_no_mx_address_found\fR
+/* If no, bounce mail when no MX host resolves to an address
+/* (Postfix always ignores MX hosts with equal or worse preference
+/* than the local MTA).
+/* If yes, keep trying until a suitable MX host resolves or until
+/* the mail is too old.
/* .IP \fBsmtp_rset_timeout\fR
/* Timeout for sending the \fBRSET\fR command.
/* .IP \fBsmtp_quit_timeout\fR
int var_smtp_line_limit;
char *var_smtp_helo_name;
char *var_smtp_host_lookup;
-int var_smtp_quote_821_env;
+bool var_smtp_quote_821_env;
+bool var_smtp_defer_mxaddr;
/*
* Global variables. smtp_errno is set by the address lookup routines and by
VAR_SMTP_SASL_ENABLE, DEF_SMTP_SASL_ENABLE, &var_smtp_sasl_enable,
VAR_SMTP_RAND_ADDR, DEF_SMTP_RAND_ADDR, &var_smtp_rand_addr,
VAR_SMTP_QUOTE_821_ENV, DEF_SMTP_QUOTE_821_ENV, &var_smtp_quote_821_env,
+ VAR_SMTP_DEFER_MXADDR, DEF_SMTP_DEFER_MXADDR, &var_smtp_defer_mxaddr,
0,
};
addr_list = smtp_addr_list(mx_names, why);
dns_rr_free(mx_names);
if (addr_list == 0) {
- smtp_errno = SMTP_RETRY;
+ if (var_smtp_defer_mxaddr)
+ smtp_errno = SMTP_RETRY;
msg_warn("no MX host for %s has a valid A record", name);
break;
}
int except;
int rec_type;
int prev_type = 0;
- int sndbufsize;
+ int sndbufsize = 0;
int sndbuffree;
SOCKOPT_SIZE optlen = sizeof(sndbufsize);
int mail_from_rejected;
msg_fatal("%s: getsockopt: %m", myname);
if (sndbufsize > VSTREAM_BUFSIZE)
sndbufsize = VSTREAM_BUFSIZE;
+ if (sndbufsize == 0) {
+ sndbufsize = VSTREAM_BUFSIZE;
+ if (setsockopt(vstream_fileno(state->session->stream), SOL_SOCKET,
+ SO_SNDBUF, (char *) &sndbufsize, optlen) < 0)
+ msg_fatal("%s: setsockopt: %m", myname);
+ }
if (msg_verbose)
msg_info("Using ESMTP PIPELINING, TCP send buffer size is %d",
sndbufsize);
&& sent(DEL_REQ_TRACE_FLAGS(request->flags),
request->queue_id, rcpt->orig_addr,
rcpt->address, rcpt->offset,
- session->namaddr, request->arrival_time,
+ session->namaddr, request->arrival_time,
"%s",
translit(resp->str, "\n", " ")) == 0) {
if (request->flags & DEL_REQ_FLAG_SUCCESS)
/* .SH Miscellaneous
/* .ad
/* .fi
-/* .IP \fBauthorized_verp_clients\fR
+/* .IP \fBsmtpd_authorized_verp_clients\fR
/* Hostnames, domain names and/or addresses of clients that are
/* authorized to use the XVERP extension.
+/* .IP \fBsmtpd_authorized_xaddr_clients\fR
+/* Hostnames, domain names and/or addresses of clients that are
+/* authorized to use the "XADDR client-address client-name" command.
+/* This changes Postfix's
+/* idea of the SMTP client IP address and hostname for access
+/* control and for logging purposes.
+/* .IP \fBsmtpd_authorized_xloginfo_clients\fR
+/* Hostnames, domain names and/or addresses of clients that are
+/* authorized to use the "XLOGINFO client-address client-name" command.
+/* This changes the client
+/* name and address that are used for logging, without affecting the
+/* client IP address and hostname that are used for access control.
+/* XLOGINFO is typically used to propagate remote client information
+/* through an SMTP-based content filter to the after-filter SMTP server.
/* .IP \fBdebug_peer_level\fR
/* Increment in verbose logging level when a remote host matches a
/* pattern in the \fBdebug_peer_list\fR parameter.
/* storage for envelope information.
/* .IP \fBqueue_minfree\fR
/* Minimal amount of free space in bytes in the queue file system
-/* for the SMTP server to accept any mail at all.
+/* for the SMTP server to accept any mail at all (default: twice
+/* the \fBmessage_size_limit\fR value).
/* .IP \fBsmtpd_history_flush_threshold\fR
/* Flush the command history to postmaster after receipt of RSET etc.
/* only if the number of history lines exceeds the given threshold.
int var_smtpd_policy_tmout;
int var_smtpd_policy_idle;
int var_smtpd_policy_ttl;
+char *var_xaddr_clients;
+char *var_xloginfo_clients;
/*
* Silly little macros.
static NAMADR_LIST *verp_clients;
+ /*
+ * XADDR command.
+ */
+#define XADDR_CMD "XADDR"
+
+static NAMADR_LIST *xaddr_clients;
+
+ /*
+ * XLOGINFO command.
+ */
+static NAMADR_LIST *xloginfo_clients;
+
/*
* Other application-specific globals.
*/
#endif
if (namadr_list_match(verp_clients, state->name, state->addr))
smtpd_chat_reply(state, "250-%s", VERP_CMD);
+ if (namadr_list_match(xaddr_clients, state->name, state->addr))
+ smtpd_chat_reply(state, "250-%s", XADDR_CMD);
+ if (namadr_list_match(xloginfo_clients, state->name, state->addr))
+ smtpd_chat_reply(state, "250-%s", XLOGINFO_CMD);
smtpd_chat_reply(state, "250 8BITMIME");
return (0);
}
smtpd_sasl_mail_log(state);
else
#endif
- msg_info("%s: client=%s[%s]", state->queue_id, state->name, state->addr);
+ msg_info("%s: client=%s", state->queue_id, state->namaddr);
/*
* Record the time of arrival, the sender envelope address, some session
return (0);
}
+/* xaddr_cmd - process XADDR */
+
+static int xaddr_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
+{
+
+ /*
+ * Sanity checks.
+ */
+ if (namadr_list_match(xaddr_clients, state->name, state->addr) == 0) {
+ state->error_mask |= MAIL_ERROR_POLICY;
+ smtpd_chat_reply(state, "554 Error: insufficient authorization");
+ return (-1);
+ }
+ /* Todo: "XADDR address" to let Postfix look up the client name. */
+ if (argc != 3
+ || !valid_hostaddr(argv[1].strval, DONT_GRIPE)
+ || !valid_hostname(argv[2].strval, DONT_GRIPE)) {
+ state->error_mask |= MAIL_ERROR_PROTOCOL;
+ smtpd_chat_reply(state, "501 Syntax: %s address hostname", XADDR_CMD);
+ return (-1);
+ }
+
+ /*
+ * Change peer information for logging and for access control. Change a
+ * numerical hostname into "unknown", to make it easy to extract client
+ * information from Received: headers.
+ */
+#define FIX_NUMERICAL_NAME(s) \
+ (valid_hostaddr((s), DONT_GRIPE) ? "unknown" : (s))
+
+ smtpd_peer_reset(state);
+ state->name = mystrdup(FIX_NUMERICAL_NAME(argv[2].strval));
+ state->addr = mystrdup(argv[1].strval);
+ state->namaddr =
+ concatenate(state->name, "[", state->addr, "]", (char *) 0);
+ state->peer_code = strcmp(state->name, "unknown") ? 2 : 5;
+ smtpd_chat_reply(state, "250 Ok");
+ return (0);
+}
+
+/* xloginfo_cmd - process XLOGINFO */
+
+static int xloginfo_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
+{
+ char *cp;
+
+ /*
+ * Sanity checks.
+ */
+ if (namadr_list_match(xloginfo_clients, state->name, state->addr) == 0) {
+ state->error_mask |= MAIL_ERROR_POLICY;
+ smtpd_chat_reply(state, "554 Error: insufficient authorization");
+ return (-1);
+ }
+ if (argc != 3
+ || !valid_hostaddr(argv[1].strval, DONT_GRIPE)
+ || !valid_hostname(argv[2].strval, DONT_GRIPE)) {
+ state->error_mask |= MAIL_ERROR_PROTOCOL;
+ smtpd_chat_reply(state, "501 Syntax: %s address hostname", XLOGINFO_CMD);
+ return (-1);
+ }
+
+ /*
+ * Change peer information for logging but not for access control. Change
+ * a numerical hostname into "unknown", for consistency with XADDR.
+ */
+ myfree(state->namaddr);
+ state->namaddr =
+ concatenate(FIX_NUMERICAL_NAME(argv[2].strval),
+ "[", argv[1].strval, "]", (char *) 0);
+ smtpd_chat_reply(state, "250 Ok");
+ return (0);
+}
+
/* chat_reset - notify postmaster and reset conversation log */
static void chat_reset(SMTPD_STATE *state, int threshold)
"VRFY", vrfy_cmd, SMTPD_CMD_FLAG_LIMIT,
"ETRN", etrn_cmd, SMTPD_CMD_FLAG_LIMIT,
"QUIT", quit_cmd, 0,
+ "XADDR", xaddr_cmd, SMTPD_CMD_FLAG_LIMIT,
+ "XLOGINFO", xloginfo_cmd, SMTPD_CMD_FLAG_LIMIT,
"Received:", 0, SMTPD_CMD_FLAG_FORBIDDEN,
"Reply-To:", 0, SMTPD_CMD_FLAG_FORBIDDEN,
"Message-ID:", 0, SMTPD_CMD_FLAG_FORBIDDEN,
*/
smtpd_noop_cmds = string_list_init(MATCH_FLAG_NONE, var_smtpd_noop_cmds);
verp_clients = namadr_list_init(MATCH_FLAG_NONE, var_verp_clients);
+ xaddr_clients = namadr_list_init(MATCH_FLAG_NONE, var_xaddr_clients);
+ xloginfo_clients = namadr_list_init(MATCH_FLAG_NONE, var_xloginfo_clients);
if (getuid() == 0 || getuid() == var_owner_uid)
smtpd_check_init();
debug_peer_init();
* recipient checks, address mapping, header_body_checks?.
*/
smtpd_input_transp_mask =
- input_transp_mask(VAR_INPUT_TRANSP, var_input_transp);
+ input_transp_mask(VAR_INPUT_TRANSP, var_input_transp);
+
+ /*
+ * Sanity checks. The queue_minfree value should be at least as large as
+ * (process_limit * message_size_limit) but that is unpractical, so we
+ * arbitrarily pick a number and require twice the message size limit.
+ */
+ if (var_queue_minfree > 0
+ && var_message_limit > 0
+ && var_queue_minfree / 2 < var_message_limit)
+ msg_warn("%s(%lu) should be at least 2*%s(%lu)",
+ VAR_QUEUE_MINFREE, (unsigned long) var_queue_minfree,
+ VAR_MESSAGE_LIMIT, (unsigned long) var_message_limit);
}
/* main - the main program */
VAR_SMTPD_PROXY_FILT, DEF_SMTPD_PROXY_FILT, &var_smtpd_proxy_filt, 0, 0,
VAR_SMTPD_PROXY_EHLO, DEF_SMTPD_PROXY_EHLO, &var_smtpd_proxy_ehlo, 0, 0,
VAR_INPUT_TRANSP, DEF_INPUT_TRANSP, &var_input_transp, 0, 0,
+ VAR_XADDR_CLIENTS, DEF_XADDR_CLIENTS, &var_xaddr_clients, 0, 0,
+ VAR_XLOGINFO_CLIENTS, DEF_XLOGINFO_CLIENTS, &var_xloginfo_clients, 0, 0,
0,
};
static CONFIG_RAW_TABLE raw_table[] = {
*/
extern int smtpd_input_transp_mask;
+ /*
+ * XLOGINFO command.
+ */
+#define XLOGINFO_CMD "XLOGINFO"
+
/* LICENSE
/* .ad
/* .fi
/* \fImessage_size_limit\fR configuration parameter. This is a
/* permanent error.
/* .IP \(bu
-/* The message would cause the available queue file system space
-/* to drop below the bound specified with the \fImin_queue_free\fR
-/* configuration parameter. This is a temporary error.
+/* The available queue file system space is less than the amount
+/* specified with the \fImin_queue_free\fR configuration parameter.
+/* This is a temporary error.
/* .IP \(bu
-/* The message would use up more than half the available queue file
-/* system space. This is a temporary error.
+/* The available queue file system space is less than twice the
+/* message size limit. This is a temporary error.
/* .PP
/* smtpd_check_data() enforces generic restrictions after the
/* client has sent the DATA command.
char *next;
const char *value;
DICT *dict;
+ int maybe_numerical = 1;
if (msg_verbose)
msg_info("%s: %s", myname, domain);
if (dict_errno != 0)
msg_fatal("%s: table lookup problem", table);
}
+ /* Don't apply subdomain magic to numerical hostnames. */
+ if (maybe_numerical
+ && (maybe_numerical = valid_hostaddr(domain, DONT_GRIPE)) != 0)
+ break;
if ((next = strchr(name + 1, '.')) == 0)
break;
if (access_parent_style == MATCH_FLAG_PARENT)
* Check the hostnames first, then the addresses.
*/
for (server = server_list; server != 0; server = server->next) {
+ h_errno = 0; /* XXX */
if ((hp = gethostbyname((char *) server->data)) == 0) {
msg_warn("Unable to look up %s host %s for %s %s: %s",
dns_strtype(type), (char *) server->data,
"552 Message size exceeds fixed limit");
return (STR(error_text));
}
+
fsspace(".", &fsbuf);
if (msg_verbose)
- msg_info("%s: blocks %lu avail %lu min_free %lu size %lu",
+ msg_info("%s: blocks %lu avail %lu min_free %lu msg_size_limit %lu",
myname,
(unsigned long) fsbuf.block_size,
(unsigned long) fsbuf.block_free,
(unsigned long) var_queue_minfree,
- (unsigned long) size);
+ (unsigned long) var_message_limit);
if (BLOCKS(var_queue_minfree) >= fsbuf.block_free
- || BLOCKS(size) >= fsbuf.block_free - BLOCKS(var_queue_minfree)
- || BLOCKS(size) >= fsbuf.block_free / 2) {
+ || BLOCKS(var_message_limit) >= fsbuf.block_free / 2) {
(void) smtpd_check_reject(state, MAIL_ERROR_RESOURCE,
"452 Insufficient system storage");
return (STR(error_text));
./smtpd_check: <queue id>: reject: HELO from foo[123.123.123.123]: 450 <foo>: Helo command rejected: Host not found; proto=SMTP helo=<foo>
450 <foo>: Helo command rejected: Host not found
>>> helo spike.porcupine.org
-OK
+./smtpd_check: <queue id>: reject: HELO from foo[123.123.123.123]: 554 <spike.porcupine.org>: Helo command rejected: name server spike.porcupine.org; proto=SMTP helo=<spike.porcupine.org>
+554 <spike.porcupine.org>: Helo command rejected: name server spike.porcupine.org
>>> helo_restrictions permit_mynetworks,reject_unknown_client,reject_invalid_hostname,hash:./smtpd_check_access
OK
>>> helo random.bad.domain
./smtpd_check: <queue id>: reject: HELO from foo[123.123.123.123]: 450 <foo>: Helo command rejected: Host not found; proto=SMTP helo=<foo>
450 <foo>: Helo command rejected: Host not found
>>> helo spike.porcupine.org
-OK
+./smtpd_check: <queue id>: reject: HELO from foo[123.123.123.123]: 554 <spike.porcupine.org>: Helo command rejected: name server spike.porcupine.org; proto=SMTP helo=<spike.porcupine.org>
+554 <spike.porcupine.org>: Helo command rejected: name server spike.porcupine.org
>>> helo_restrictions permit_mynetworks,reject_unknown_client,reject_invalid_hostname,check_helo_access,hash:./smtpd_check_access
OK
>>> helo random.bad.domain
>>> smtpd_delay_reject 0
OK
>>> #
->>> # Test the nex access map features
+>>> # Test the new access map features
>>> #
>>> sender_restrictions hash:./smtpd_check_access
OK
topica.com reject
10.10.10.10 reject mail server 10.10.10.10
spike.porcupine.org reject name server spike.porcupine.org
+241 reject class E subnet
# Check MX access
#
helo_restrictions check_helo_mx_access,hash:smtpd_check_access
-helo verisign-wildcard.com
+#helo verisign-wildcard.com
helo verisign.com
helo example.tld
sender_restrictions check_sender_mx_access,hash:smtpd_check_access
-mail foo@verisign-wildcard.com
+mail foo@pls.net.au
+#mail foo@verisign-wildcard.com
mail foo@verisign.com
recipient_restrictions check_recipient_mx_access,hash:smtpd_check_access
-rcpt foo@verisign-wildcard.com
+#rcpt foo@verisign-wildcard.com
rcpt foo@verisign.com
rcpt foo@1.2.3.porcupine.org
#
helo_restrictions check_helo_ns_access,hash:smtpd_check_access
helo email-publisher.com
helo ns1.topica.com
-helo verisign-wildcard.com
+#helo verisign-wildcard.com
helo example.tld
sender_restrictions check_sender_ns_access,hash:smtpd_check_access
mail foo@email-publisher.com
mail foo@ns1.topica.com
-mail foo@verisign-wildcard.com
+#mail foo@verisign-wildcard.com
recipient_restrictions check_recipient_ns_access,hash:smtpd_check_access
rcpt foo@email-publisher.com
rcpt foo@ns1.topica.com
-rcpt foo@verisign-wildcard.com
+#rcpt foo@verisign-wildcard.com
rcpt foo@1.2.3.porcupine.org
>>> #
>>> helo_restrictions check_helo_mx_access,hash:smtpd_check_access
OK
->>> helo verisign-wildcard.com
-./smtpd_check: <queue id>: reject: HELO from spike.porcupine.org[168.100.189.2]: 554 <verisign-wildcard.com>: Helo command rejected: Verisign wild-card; from=<sname@sdomain> proto=SMTP helo=<verisign-wildcard.com>
-554 <verisign-wildcard.com>: Helo command rejected: Verisign wild-card
+>>> #helo verisign-wildcard.com
>>> helo verisign.com
OK
>>> helo example.tld
-./smtpd_check: warning: Unable to look up MX host for example.tld
+./smtpd_check: warning: Unable to look up MX host for example.tld: Host not found
OK
>>> sender_restrictions check_sender_mx_access,hash:smtpd_check_access
OK
->>> mail foo@verisign-wildcard.com
-./smtpd_check: <queue id>: reject: MAIL from spike.porcupine.org[168.100.189.2]: 554 <foo@verisign-wildcard.com>: Sender address rejected: Verisign wild-card; from=<foo@verisign-wildcard.com> proto=SMTP helo=<example.tld>
-554 <foo@verisign-wildcard.com>: Sender address rejected: Verisign wild-card
+>>> mail foo@pls.net.au
+./smtpd_check: warning: numeric domain name in resource data of MX record for pls.net.au: 203.3.110.241
+OK
+>>> #mail foo@verisign-wildcard.com
>>> mail foo@verisign.com
OK
>>> recipient_restrictions check_recipient_mx_access,hash:smtpd_check_access
OK
->>> rcpt foo@verisign-wildcard.com
-./smtpd_check: <queue id>: reject: RCPT from spike.porcupine.org[168.100.189.2]: 554 <foo@verisign-wildcard.com>: Recipient address rejected: Verisign wild-card; from=<foo@verisign.com> to=<foo@verisign-wildcard.com> proto=SMTP helo=<example.tld>
-554 <foo@verisign-wildcard.com>: Recipient address rejected: Verisign wild-card
+>>> #rcpt foo@verisign-wildcard.com
>>> rcpt foo@verisign.com
OK
>>> rcpt foo@1.2.3.porcupine.org
>>> helo ns1.topica.com
./smtpd_check: <queue id>: reject: HELO from spike.porcupine.org[168.100.189.2]: 554 <ns1.topica.com>: Helo command rejected: Access denied; from=<foo@verisign.com> proto=SMTP helo=<ns1.topica.com>
554 <ns1.topica.com>: Helo command rejected: Access denied
->>> helo verisign-wildcard.com
-OK
+>>> #helo verisign-wildcard.com
>>> helo example.tld
-./smtpd_check: warning: Unable to look up NS host for example.tld
+./smtpd_check: warning: Unable to look up NS host for example.tld: Host not found
OK
>>> sender_restrictions check_sender_ns_access,hash:smtpd_check_access
OK
>>> mail foo@ns1.topica.com
./smtpd_check: <queue id>: reject: MAIL from spike.porcupine.org[168.100.189.2]: 554 <foo@ns1.topica.com>: Sender address rejected: Access denied; from=<foo@ns1.topica.com> proto=SMTP helo=<example.tld>
554 <foo@ns1.topica.com>: Sender address rejected: Access denied
->>> mail foo@verisign-wildcard.com
-OK
+>>> #mail foo@verisign-wildcard.com
>>> recipient_restrictions check_recipient_ns_access,hash:smtpd_check_access
OK
>>> rcpt foo@email-publisher.com
-./smtpd_check: <queue id>: reject: RCPT from spike.porcupine.org[168.100.189.2]: 554 <foo@email-publisher.com>: Recipient address rejected: Access denied; from=<foo@verisign-wildcard.com> to=<foo@email-publisher.com> proto=SMTP helo=<example.tld>
+./smtpd_check: <queue id>: reject: RCPT from spike.porcupine.org[168.100.189.2]: 554 <foo@email-publisher.com>: Recipient address rejected: Access denied; from=<foo@ns1.topica.com> to=<foo@email-publisher.com> proto=SMTP helo=<example.tld>
554 <foo@email-publisher.com>: Recipient address rejected: Access denied
>>> rcpt foo@ns1.topica.com
-./smtpd_check: <queue id>: reject: RCPT from spike.porcupine.org[168.100.189.2]: 554 <foo@ns1.topica.com>: Recipient address rejected: Access denied; from=<foo@verisign-wildcard.com> to=<foo@ns1.topica.com> proto=SMTP helo=<example.tld>
+./smtpd_check: <queue id>: reject: RCPT from spike.porcupine.org[168.100.189.2]: 554 <foo@ns1.topica.com>: Recipient address rejected: Access denied; from=<foo@ns1.topica.com> to=<foo@ns1.topica.com> proto=SMTP helo=<example.tld>
554 <foo@ns1.topica.com>: Recipient address rejected: Access denied
->>> rcpt foo@verisign-wildcard.com
-OK
+>>> #rcpt foo@verisign-wildcard.com
>>> rcpt foo@1.2.3.porcupine.org
-./smtpd_check: <queue id>: reject: RCPT from spike.porcupine.org[168.100.189.2]: 554 <foo@1.2.3.porcupine.org>: Recipient address rejected: name server spike.porcupine.org; from=<foo@verisign-wildcard.com> to=<foo@1.2.3.porcupine.org> proto=SMTP helo=<example.tld>
+./smtpd_check: <queue id>: reject: RCPT from spike.porcupine.org[168.100.189.2]: 554 <foo@1.2.3.porcupine.org>: Recipient address rejected: name server spike.porcupine.org; from=<foo@ns1.topica.com> to=<foo@1.2.3.porcupine.org> proto=SMTP helo=<example.tld>
554 <foo@1.2.3.porcupine.org>: Recipient address rejected: name server spike.porcupine.org
/* name->address mapping, client address not listed for hostname).
/* .RE
/* .PP
-/* smtpd_peer_reset() releases memory allocate by smtpd_peer_init().
+/* smtpd_peer_reset() releases memory allocated by smtpd_peer_init().
/* LICENSE
/* .ad
/* .fi
/* /* other fields... */
/* .in -4
/* } SMTPD_STATE;
-/*
+/*
/* int smtpd_proxy_open(state, service, timeout, ehlo_name, mail_from)
/* SMTPD_STATE *state;
/* const char *service;
const char *mail_from)
{
int fd;
+ char *lines;
+ char *line;
/*
* This buffer persists beyond the end of a proxy session so we can
return (-1);
}
+ /*
+ * Parse the EHLO reply and see if we can forward the client hostname and
+ * address info for logging purposes. If the command fails, then proceed.
+ * It is not the end of the world.
+ */
+ lines = STR(state->proxy_buffer);
+ while ((line = mystrtok(&lines, "\n")) != 0)
+ if ((line[3] == ' ' || line[3] == '-')
+ && strcmp(line + 4, XLOGINFO_CMD) == 0)
+ (void) smtpd_proxy_cmd(state, SMTPD_PROX_WANT_ANY, "%s %s %s",
+ XLOGINFO_CMD, state->addr, state->name);
+
/*
* Pass-through the client's MAIL FROM command. If this fails, then we
* have a problem because the proxy should always accept any MAIL FROM
char *cp;
int last_char;
int err = 0;
+ static VSTRING *buffer = 0;
/*
* Errors first. Be prepared for delayed errors from the DATA phase.
return (0);
/*
- * Censor out non-printable characters in server responses and keep the
- * last line of multi-line responses.
+ * Censor out non-printable characters in server responses and save
+ * complete multi-line responses if possible.
*/
+ VSTRING_RESET(state->proxy_buffer);
+ if (buffer == 0)
+ buffer = vstring_alloc(10);
for (;;) {
- last_char = smtp_get(state->proxy_buffer, state->proxy, var_line_limit);
- printable(STR(state->proxy_buffer), '?');
+ last_char = smtp_get(buffer, state->proxy, var_line_limit);
+ printable(STR(buffer), '?');
if (last_char != '\n')
msg_warn("%s: response longer than %d: %.30s...",
VSTREAM_PATH(state->proxy), var_line_limit,
- STR(state->proxy_buffer));
+ STR(buffer));
if (msg_verbose)
msg_info("< %s: %.100s", VSTREAM_PATH(state->proxy),
- STR(state->proxy_buffer));
+ STR(buffer));
+
+ /*
+ * Defend against a denial of service attack by limiting the amount
+ * of multi-line text that we are willing to store.
+ */
+ if (LEN(state->proxy_buffer) < var_line_limit) {
+ if (VSTRING_LEN(state->proxy_buffer))
+ VSTRING_ADDCH(state->proxy_buffer, '\n');
+ vstring_strcat(state->proxy_buffer, STR(buffer));
+ }
/*
* Parse the response into code and text. Ignore unrecognized
* line) will have the same effect as the '-' line continuation
* character.
*/
- for (cp = STR(state->proxy_buffer); *cp && ISDIGIT(*cp); cp++)
+ for (cp = STR(buffer); *cp && ISDIGIT(*cp); cp++)
/* void */ ;
- if (cp - STR(state->proxy_buffer) == 3) {
+ if (cp - STR(buffer) == 3) {
if (*cp == '-')
continue;
if (*cp == ' ' || *cp == 0)
break;
}
msg_warn("received garbage from proxy %s: %.100s",
- VSTREAM_PATH(state->proxy), STR(state->proxy_buffer));
+ VSTREAM_PATH(state->proxy), STR(buffer));
}
/*
{
#define IFELSE(e1,e2,e3) ((e1) ? (e2) : (e3))
- msg_info("%s: client=%s[%s]%s%s%s%s%s%s",
- state->queue_id, state->name, state->addr,
+ msg_info("%s: client=%s%s%s%s%s%s%s",
+ state->queue_id, state->namaddr,
IFELSE(state->sasl_method, ", sasl_method=", ""),
IFELSE(state->sasl_method, state->sasl_method, ""),
IFELSE(state->sasl_username, ", sasl_username=", ""),
int limit = var_line_limit * 4;
int ch;
- if ((ch = vstring_get_null_bound(plain_buf, fp, limit)) == VSTREAM_EOF) {
+ if ((ch = vstring_get_null(plain_buf, fp)) == VSTREAM_EOF) {
msg_warn("%s on %s while reading %s",
vstream_ftimeout(fp) ? "timeout" : "premature end-of-input",
VSTREAM_PATH(fp), context);
return (-1);
}
VSTRING_ADDCH(base64_buf, ch);
+#if 0
if (LEN(base64_buf) > limit) {
msg_warn("string length > %d characters from %s while reading %s",
limit, VSTREAM_PATH(fp), context);
return (-1);
}
+#endif
}
VSTRING_TERMINATE(base64_buf);
if (base64_decode(plain_buf, STR(base64_buf), LEN(base64_buf)) == 0) {
return (-1);
}
VSTRING_ADDCH(plain_buf, ch);
+#if 0
if (LEN(plain_buf) > limit) {
msg_warn("string length > %d characters from %s while reading %s",
limit, VSTREAM_PATH(fp), context);
return (-1);
}
+#endif
}
VSTRING_TERMINATE(plain_buf);
#include "sys_defs.h"
#include <ctype.h>
#include <string.h>
+#include <limits.h>
+
+#ifndef UCHAR_MAX
+#define UCHAR_MAX 0xff
+#endif
/* Utility library. */
int ch2;
int ch3;
-#define CHARS_PER_BYTE 256
+#define CHARS_PER_BYTE (UCHAR_MAX + 1)
#define INVALID 0xff
/*
/* struct sockaddr *buf;
/* SOCKADDR_SIZE *len;
/* DESCRIPTION
-/* sane_connect() implements the accept(2) socket call, and maps
+/* sane_connect() implements the connect(2) socket call, and maps
/* known harmless error results to EAGAIN.
/* BUGS
/* Bizarre systems may have other harmless error results. Such
projects / thirdparty / postfix.git / commitdiff
