reuses the workaround that was implemented to report a
Delivered-To: loop. Files: local/file.c, local/command.c,
local/recipient.c, local/bounce_workaround.c.
+
+20100209
+
+ The tcp_table(5) interface is now part of the stable release.
+ The last protocol change was in Postfix 2.1. File:
+ util/dict_open.c.
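Review bot: the new HISTORY entry lists only util/dict_open.c under "File:", but the same patch also removes the "not available in the stable Postfix release" sentence from the tcp: table documentation (DATABASE_README text and HTML, and the tcp_table description). The entry above it names every file it touches; for consistency, and so the documentation change is findable from the changelog, list the documentation files here as well.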
Example:
/etc/postfix/master.cf:
- :10026 inet n - n - - smtpd
+ 127.0.0.1:10026 inet n - n - - smtpd
-o receive_override_options=no_address_mappings
Note: do not specify whitespace around the "=" here.
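Review bot: the example now binds the :10026 listener to 127.0.0.1 instead of every interface, which is the right change, but the surrounding text gives no reason for it. Since this smtpd instance runs with receive_override_options=no_address_mappings, it is meant to accept mail only from the local filter, and a reader copying the old form would expose an address-mapping bypass to the network. One sentence after the example, for instance "Bind this service to the loopback address; it must not be reachable from outside the host because it skips address mappings", would make the change self-documenting rather than silent.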
Access information through a TCP/IP server. The protocol is described
in tcp_table(5). The lookup table name is "tcp:host:port" where "host"
specifies a symbolic hostname or a numeric IP address, and "port"
- specifies a symbolic service name or a numeric port number. This
- protocol is not available in the stable Postfix release.
+ specifies a symbolic service name or a numeric port number.
u\bun\bni\bix\bx (read-only)
A limited way to query the UNIX authentication database. The following
tables are implemented:
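Review bot: dropping "This protocol is not available in the stable Postfix release" removes the only availability statement for the tcp: table type. The HISTORY entry in this same patch says the last protocol change was in Postfix 2.1, so replace the removed sentence with a positive statement in the form used elsewhere in this patch ("This feature is available in Postfix 2.1 and later"), otherwise readers of older releases have no way to tell whether the lookup type exists for them.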
responsible for. Usually, SMTP servers allow mail to remote destinations when
the client's IP address is in the "same network" as the server's IP address.
-Sometimes an SMTP client needs "same network" privileges when it connects from
-elsewhere. To address this problem, Postfix supports SASL authentication (RFC
-4954, formerly RFC 2554). With this a remote SMTP client can authenticate to
-the Postfix SMTP server, and the Postfix SMTP client can authenticate to a
-remote SMTP server. Once a client is authenticated, a server can give it "same
-network" privileges.
+SMTP clients outside the SMTP server's network need a different way to get
+"same network" privileges. To address this need, Postfix supports SASL
+authentication (RFC 4954, formerly RFC 2554). With this a remote SMTP client
+can authenticate to the Postfix SMTP server, and the Postfix SMTP client can
+authenticate to a remote SMTP server. Once a client is authenticated, a server
+can give it "same network" privileges.
Postfix does not implement SASL itself, but instead uses existing
implementations as building blocks. This means that some SASL-related
C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg D\bDo\bov\bve\bec\bco\bot\bt S\bSA\bAS\bSL\bL
-Dovecot is a POP/IMAP server that must be configured to authenticate POP/IMAP
-clients. When the Postfix SMTP server uses Dovecot SASL, it also reuses this
-configuration. Consult the Dovecot documentation for how to configure and
-operate the Dovecot authentication server.
+Dovecot is a POP/IMAP server that has its own configuration to authenticate
+POP/IMAP clients. When the Postfix SMTP server uses Dovecot SASL, it reuses
+parts of this configuration. Consult the Dovecot documentation for how to
+configure and operate the Dovecot authentication server.
P\bPo\bos\bst\btf\bfi\bix\bx t\bto\bo D\bDo\bov\bve\bec\bco\bot\bt S\bSA\bAS\bSL\bL c\bco\bom\bmm\bmu\bun\bni\bic\bca\bat\bti\bio\bon\bn
C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg C\bCy\byr\bru\bus\bs S\bSA\bAS\bSL\bL
-The Cyrus SASL framework was supports a wide variety of applications. Different
-applications may require different configurations. As a consequence each
-application may have its own configuration file.
+The Cyrus SASL framework supports a wide variety of applications (POP, IMAP,
+SMTP, etc.). Different applications may require different configurations. As a
+consequence each application may have its own configuration file.
The first step configuring Cyrus SASL is to determine name and location of a
configuration file that describes how the Postfix SMTP server will use the SASL
Additionally the saslauthd server itself must be configured. It must be told
which authentication backend to turn to for password verification. The backend
-is choosen as a command line option when saslauthd is started and will be shown
-in the following examples.
+is selected with a saslauthd command-line option and will be shown in the
+following examples.
N\bNo\bot\bte\be
-debug packages.
Specify an additional "-s smtp" if saslauthd was configured to contact the PAM
-authentication framework and an additional "-f /\b/p\bpa\bat\bth\bh/\b/t\bto\bo/\b/s\bso\boc\bck\bke\bet\btd\bdi\bir\br/\b/m\bmu\bux\bx" if
-saslauthd establishes the UNIX-domain socket in a non-default location.
+authentication framework, and specify an additional "-f /\b/p\bpa\bat\bth\bh/\b/t\bto\bo/\b/s\bso\boc\bck\bke\bet\btd\bdi\bir\br/\b/m\bmu\bux\bx"
+if saslauthd establishes the UNIX-domain socket in a non-default location.
If authentication succeeds, proceed with the section "Enabling SASL
authentication and authorization in the Postfix SMTP server".
capabilities. Currently Cyrus SASL sources provide three authentication
plugins.
- sasldb
- Accounts are stored stored in a Cyrus SASL Berkeley DB database
-
- sql
- Accounts are stored in a SQL database
-
- ldapdb
- Accounts are stored stored in an LDAP database
+ _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b
+ |P\bPl\blu\bug\bgi\bin\bn|D\bDe\bes\bsc\bcr\bri\bip\bpt\bti\bio\bon\bn |
+ |_\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ |sasldb|Accounts are stored stored in a Cyrus SASL Berkeley DB database|
+ |_\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ |sql |Accounts are stored in a SQL database |
+ |_\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ |ldapdb|Accounts are stored stored in an LDAP database |
+ |_\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
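Review bot: the doubled word "stored stored" in the old list is carried unchanged into the new table rows for sasldb and ldapdb ("Accounts are stored stored in ..."); since these lines are being rewritten anyway, fix it here to "Accounts are stored in a Cyrus SASL Berkeley DB database" and "Accounts are stored in an LDAP database".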
I\bIm\bmp\bpo\bor\brt\bta\ban\bnt\bt
T\bTi\bip\bp
- If you must store encrypted passwords, see section "Using saslauthd with
- PAM", and configure PAM to look up the encrypted passwords with, for
- example, the pam_mysql module. You will not be able to use any of the
- methods that require access to plaintext passwords, such as the shared-
- secret methods CRAM-MD5 and DIGEST-MD5.
+ If you must store encrypted passwords, you cannot use the sql auxprop
+ plugin. Instead, see section "Using saslauthd with PAM", and configure PAM
+ to look up the encrypted passwords with, for example, the pam_mysql module.
+ You will not be able to use any of the methods that require access to
+ plaintext passwords, such as the shared-secret methods CRAM-MD5 and DIGEST-
+ MD5.
The following example configures libsasl to use the sql plugin and connects it
to a PostgreSQL server:
T\bTi\bip\bp
- If you must store encrypted passwords, you can use "saslauthd -a ldap" to
- query the LDAP database directly, with appropriate configuration in
- saslauthd.conf. This may be documented in a later version of this document.
- You will not be able to use any of the methods that require access to
- plaintext passwords, such as the shared-secret methods CRAM-MD5 and DIGEST-
- MD5.
+ If you must store encrypted passwords, you cannot use the ldapdb auxprop
+ plugin. Instead, you can use "saslauthd -a ldap" to query the LDAP database
+ directly, with appropriate configuration in saslauthd.conf. This may be
+ documented in a later version of this document. You will not be able to use
+ any of the methods that require access to plaintext passwords, such as the
+ shared-secret methods CRAM-MD5 and DIGEST-MD5.
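Review bot: both Tips contrast "encrypted passwords" with "plaintext passwords", and the CRAM-MD5/DIGEST-MD5 sentence makes clear that "encrypted" here means one-way crypt(3)-style hashes that cannot be turned back into the shared secret. Saying "hashed (crypt-style) passwords" once, at the first Tip, would remove the ambiguity for readers who take "encrypted" to mean reversible. Separately, "This may be documented in a later version of this document" is a promise rather than guidance; either drop it or point at the saslauthd documentation for the ldap backend.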
The ldapdb plugin implements proxy authorization. This means that the ldapdb
plugin uses its own username and password to authenticate with the LDAP server,
E\bEn\bna\bab\bbl\bli\bin\bng\bg S\bSA\bAS\bSL\bL a\bau\but\bth\bhe\ben\bnt\bti\bic\bca\bat\bti\bio\bon\bn i\bin\bn t\bth\bhe\be P\bPo\bos\bst\btf\bfi\bix\bx S\bSM\bMT\bTP\bP s\bse\ber\brv\bve\ber\br
Regardless of the SASL implementation type, enabling SMTP authentication in the
-Postfix SMTP server always requires seting the smtpd_sasl_auth_enable option:
+Postfix SMTP server always requires setting the smtpd_sasl_auth_enable option:
/etc/postfix/main.cf:
smtpd_sasl_auth_enable = yes
/etc/postfix/main.cf:
smtp_sasl_security_options = noplaintext, noanonymous
-This default policy leads to authentication failures if the remote server only
-offers plaintext authentication mechanisms. In such cases the SMTP client will
-log the following error message:
+This default policy, which allows no plaintext passwords, leads to
+authentication failures if the remote server only offers plaintext
+authentication mechanisms (the SMTP server announces "AUTH PLAIN LOGIN"). In
+such cases the SMTP client will log the following error message:
SASL authentication failure: No worthy mechs found
+ N\bNo\bot\bte\be
+
+ This same error message will also be logged when the libplain.so or
+ liblogin.so modules are not installed in the /usr/lib/sasl2 directory.
+
The less secure approach is to lower the security standards and permit
plaintext authentication mechanisms:
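Review bot: the added Note hard-codes /usr/lib/sasl2 as the location of libplain.so and liblogin.so, but that path is distribution-specific. Write it as "the Cyrus SASL plugin directory (for example, /usr/lib/sasl2)" so the diagnosis stays correct on systems that install the plugins elsewhere. The rest of the Note is a useful addition: the same "No worthy mechs found" message covers both the policy case (all offered mechanisms are forbidden by smtp_sasl_security_options) and the missing-plugin case, and the text now distinguishes them.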
Remove this file from the stable release.
- instead of ipc_idle, reduce ipc_ttl.
-
Add smtpd_sender_login_maps to proxy_read_maps. What other
parameters are worthy of being whitelisted for proxy access?
Is there a way to automate this decision?
the result exceeds the limit.
Should the postscreen save permanent white/black list lookup
- results int the temporary cache, and query the temporary
+ results to the temporary cache, and query the temporary
cache first? Skipping white/black list lookups will speed
up the handling of "good" clients without a permanent
whitelist entry. Of course, this means that updates to the
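Review bot: the typo fix turns "results int the temporary cache" into "results to the temporary cache"; the intended reading is "save ... results in the temporary cache", so "in" is the word to use here.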
<blockquote>
<pre>
/etc/postfix/<a href="master.5.html">master.cf</a>:
- :10026 inet n - n - - smtpd
+ 127.0.0.1:10026 inet n - n - - smtpd
-o <a href="postconf.5.html#receive_override_options">receive_override_options</a>=<a href="postconf.5.html#no_address_mappings">no_address_mappings</a>
</pre>
</blockquote>
described in <a href="tcp_table.5.html">tcp_table(5)</a>. The lookup table name is "<a href="tcp_table.5.html">tcp</a>:host:port"
where "host" specifies a symbolic hostname or a numeric IP address,
and "port" specifies a symbolic service name or a numeric port
-number. This protocol is not available in the stable Postfix release.
+number.
</dd>
<dt> <b>unix</b> (read-only) </dt>
mail to remote destinations when the client's IP address is in the
"same network" as the server's IP address. </p>
-<p> Sometimes an SMTP client needs "same network" privileges when
-it connects from elsewhere. To address this problem, Postfix
+<p> SMTP clients outside the SMTP server's network need a different
+way to get "same network" privileges. To address this need, Postfix
supports SASL authentication (<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>, formerly RFC 2554). With
this a remote SMTP client can authenticate to the Postfix SMTP
server, and the Postfix SMTP client can authenticate to a remote
<h3><a name="server_dovecot">Configuring Dovecot SASL</a></h3>
-<p> Dovecot is a POP/IMAP server that must be configured to
+<p> Dovecot is a POP/IMAP server that has its own configuration to
authenticate POP/IMAP clients. When the Postfix SMTP server uses
-Dovecot SASL, it also reuses this configuration. Consult the <a
-href="http://wiki.dovecot.org">Dovecot documentation</a> for how
+Dovecot SASL, it reuses parts of this configuration. Consult the
+<a href="http://wiki.dovecot.org">Dovecot documentation</a> for how
to configure and operate the Dovecot authentication server. </p>
<h4><a name="server_dovecot_comm">Postfix to Dovecot SASL communication</a></h4>
lines 11-13 limit read+write permissions to user and group
<code>postfix</code> only. </p>
-<p> Proceed with the section "<a href="#server_sasl_enable"
-title="Enabling SASL authentication and configuring authorization
-in the Postfix SMTP server">Enabling SASL authentication and
-authorization in the Postfix SMTP server</a>" to turn on and use
-SASL in the Postfix SMTP server. </p>
+<p> Proceed with the section "<a href="#server_sasl_enable">Enabling
+SASL authentication and authorization in the Postfix SMTP server</a>"
+to turn on and use SASL in the Postfix SMTP server. </p>
<h3><a name="server_cyrus">Configuring Cyrus SASL</a></h3>
-<p> The Cyrus SASL framework was supports a wide variety of
-applications. Different applications may require different
+<p> The Cyrus SASL framework supports a wide variety of applications
+(POP, IMAP, SMTP, etc.). Different applications may require different
configurations. As a consequence each application may have its own
configuration file. </p>
<p> Additionally the <code>saslauthd</code> server itself must be
configured. It must be told which authentication backend to turn
-to for password verification. The backend is choosen as a command
-line option when <code>saslauthd</code> is started and will be shown
-in the following examples. </p>
+to for password verification. The backend is selected with a
+<code>saslauthd</code> command-line option and will be shown in the
+following examples. </p>
<blockquote>
<p> Sometimes the <code>testsaslauthd</code> program is not distributed
with a the Cyrus SASL main package. In that case, it may be
-distributed with -devel, -dev or -debug packages. </p>
+distributed with <code>-devel</code>, <code>-dev</code> or
+<code>-debug</code> packages. </p>
</blockquote>
<p> Specify an additional "<code>-s smtp</code>" if <code>saslauthd</code>
-was configured to contact the PAM authentication framework and an
-additional "<code>-f <em>/path/to/socketdir/mux</em></code>" if
-<code>saslauthd</code> establishes the UNIX-domain socket in a
+was configured to contact the PAM authentication framework, and
+specify an additional "<code>-f <em>/path/to/socketdir/mux</em></code>"
+if <code>saslauthd</code> establishes the UNIX-domain socket in a
non-default location. </p>
<p> If authentication succeeds, proceed with the section "<a
<blockquote>
-<dl>
-
-<dt><a href="#auxprop_sasldb">sasldb</a></dt>
-
-<dd> <p> Accounts are stored stored in a Cyrus SASL Berkeley DB
-database </p> </dd>
+<table border="1">
-<dt><a href="#auxprop_sql">sql</a></dt>
+<tr> <th>Plugin </th> <th>Description </th> </tr>
-<dd> <p> Accounts are stored in a SQL database </p> </dd>
+<tr> <td><a href="#auxprop_sasldb">sasldb</a></dt> <td> Accounts
+are stored stored in a Cyrus SASL Berkeley DB database </td> </tr>
-<dt><a href="#auxprop_ldapdb">ldapdb</a></dt>
+<tr> <td><a href="#auxprop_sql">sql</a></dt> <td> Accounts are
+stored in a SQL database </td> </tr>
-<dd> <p> Accounts are stored stored in an LDAP database </p> </dd>
+<tr> <td><a href="#auxprop_ldapdb">ldapdb</a></dt> <td> Accounts
+are stored stored in an LDAP database </td> </tr>
-</dl>
+</table>
</blockquote>
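Review bot: the three new table rows close each `<td>` with `</dt>` ("<td><a href="#auxprop_sasldb">sasldb</a></dt>", and likewise for sql and ldapdb); these must be `</td>`, otherwise the table is malformed HTML and the cell boundaries depend on browser error recovery. The same doubled "stored stored" as in the text README is carried into the sasldb and ldapdb rows and should be fixed at the same time.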
<strong>Tip</strong>
-<p> If you must store encrypted passwords, see section "<a
-href="#saslauthd_pam">Using saslauthd with PAM</a>", and configure
-PAM to look up the encrypted passwords with, for example, the
-<code>pam_mysql</code> module. You will not be able to use any of
-the methods that require access to plaintext passwords, such as the
-shared-secret methods CRAM-MD5 and DIGEST-MD5. </p>
+<p> If you must store encrypted passwords, you cannot use the sql
+auxprop plugin. Instead, see section "<a href="#saslauthd_pam">Using
+saslauthd with PAM</a>", and configure PAM to look up the encrypted
+passwords with, for example, the <code>pam_mysql</code> module.
+You will not be able to use any of the methods that require access
+to plaintext passwords, such as the shared-secret methods CRAM-MD5
+and DIGEST-MD5. </p>
</blockquote>
<strong>Tip</strong>
-<p> If you must store encrypted passwords, you can use "<code>saslauthd
--a ldap</code>" to query the LDAP database directly, with appropriate
-configuration in <code>saslauthd.conf</code>. This may be documented
-in a later version of this document. You will not be able to use
-any of the methods that require access to plaintext passwords, such
-as the shared-secret methods CRAM-MD5 and DIGEST-MD5. </p>
+<p> If you must store encrypted passwords, you cannot use the ldapdb
+auxprop plugin. Instead, you can use "<code>saslauthd -a ldap</code>"
+to query the LDAP database directly, with appropriate configuration
+in <code>saslauthd.conf</code>. This may be documented in a later
+version of this document. You will not be able to use any of the
+methods that require access to plaintext passwords, such as the
+shared-secret methods CRAM-MD5 and DIGEST-MD5. </p>
</blockquote>
in the Postfix SMTP server</a></h4>
<p> Regardless of the SASL implementation type, enabling SMTP
-authentication in the Postfix SMTP server always requires seting
+authentication in the Postfix SMTP server always requires setting
the <code><a href="postconf.5.html#smtpd_sasl_auth_enable">smtpd_sasl_auth_enable</a></code> option: </p>
<blockquote>
</pre>
</blockquote>
-<p> This default policy leads to authentication failures if the
-remote server only offers plaintext authentication mechanisms. In
-such cases the SMTP client will log the following error message:
-</p>
+<p> This default policy, which allows no plaintext passwords, leads
+to authentication failures if the remote server only offers plaintext
+authentication mechanisms (the SMTP server announces "<code>AUTH
+PLAIN LOGIN</code>"). In such cases the SMTP client will log the
+following error message: </p>
<blockquote>
<pre>
</pre>
</blockquote>
+<blockquote>
+
+<strong>Note</strong>
+
+<p> This same error message will also be logged when the
+<code>libplain.so</code> or <code>liblogin.so</code> modules are
+not installed in the <code>/usr/lib/sasl2</code> directory. </p>
+
+</blockquote>
+
<p> The less secure approach is to lower the security standards and
permit plaintext authentication mechanisms: </p>
<b>STANDARDS</b>
<a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
<a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a> (Format of Internet Message Bodies)
- <a href="http://tools.ietf.org/html/rfc2822">RFC 2822</a> (ARPA Internet Text Messages)
+ <a href="http://tools.ietf.org/html/rfc2822">RFC 2822</a> (Internet Message Format)
<a href="http://tools.ietf.org/html/rfc3462">RFC 3462</a> (Delivery Status Notifications)
<a href="http://tools.ietf.org/html/rfc3464">RFC 3464</a> (Delivery Status Notifications)
<a href="http://tools.ietf.org/html/rfc3834">RFC 3834</a> (Auto-Submitted: message header)
+ <a href="http://tools.ietf.org/html/rfc5322">RFC 5322</a> (Internet Message Format)
<b>DIAGNOSTICS</b>
Problems and transactions are logged to <b>syslogd</b>(8).
</DD>
<DT><b><a name="address_verify_poll_count">address_verify_poll_count</a>
-(default: see "postconf -d" output)</b></DT><DD>
+(default: ${stress?1}${stress:3})</b></DT><DD>
<p>
How many times to query the <a href="verify.8.html">verify(8)</a> service for the completion
of an address verification request in progress.
</p>
-<p>
-The Postfix SMTP server polls the <a href="verify.8.html">verify(8)</a> service up to three
-times under non-overload conditions, and only once when under
-overload. With Postfix version 2.6 and earlier, the SMTP server
-always polls the <a href="verify.8.html">verify(8)</a> service up to three times.
-</p>
+<p> By default, the Postfix SMTP server polls the <a href="verify.8.html">verify(8)</a> service
+up to three times under non-overload conditions, and only once when
+under overload. With Postfix version 2.6 and earlier, the SMTP
+server always polls the <a href="verify.8.html">verify(8)</a> service up to three times by
+default. </p>
<p>
Specify 1 to implement a crude form of greylisting, that is, always
</p>
<p>
-Example:
+Examples:
</p>
<pre>
+# Postfix ≤ 2.6 default
+<a href="postconf.5.html#address_verify_poll_count">address_verify_poll_count</a> = 3
+# Poor man's greylisting
<a href="postconf.5.html#address_verify_poll_count">address_verify_poll_count</a> = 1
</pre>
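Review bot: the new comment line uses a raw non-ASCII "≤" in the HTML ("# Postfix ≤ 2.6 default") while the troff version of the same example in this patch uses "<=". Use "<=" (or the entity &amp;le;) in the HTML so both renderings agree and the page does not depend on the served character set. The documented default "${stress?1}${stress:3}" now matches the prose ("only once when under overload"), which is an improvement over "see postconf -d output".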
Available in Postfix version 2.1 and 2.2:
- <b>smtpd_sasl_application_name (smtpd)</b>
+ <b><a href="postconf.5.html#smtpd_sasl_application_name">smtpd_sasl_application_name</a> (smtpd)</b>
The application name that the Postfix SMTP server
uses for SASL server initialization.
and operate the Postfix sender/recipient address verifica-
tion service.
- <b><a href="postconf.5.html#address_verify_poll_count">address_verify_poll_count</a> (see 'postconf -d' output)</b>
+ <b><a href="postconf.5.html#address_verify_poll_count">address_verify_poll_count</a> (${stress?1}${stress:3})</b>
How many times to query the <a href="verify.8.html"><b>verify</b>(8)</a> service for
the completion of an address verification request
in progress.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
.PP
This feature is available in Postfix 2.1 and later.
-.SH address_verify_poll_count (default: see "postconf -d" output)
+.SH address_verify_poll_count (default: ${stress?1}${stress:3})
How many times to query the \fBverify\fR(8) service for the completion
of an address verification request in progress.
.PP
-The Postfix SMTP server polls the \fBverify\fR(8) service up to three
-times under non-overload conditions, and only once when under
-overload. With Postfix version 2.6 and earlier, the SMTP server
-always polls the \fBverify\fR(8) service up to three times.
+By default, the Postfix SMTP server polls the \fBverify\fR(8) service
+up to three times under non-overload conditions, and only once when
+under overload. With Postfix version 2.6 and earlier, the SMTP
+server always polls the \fBverify\fR(8) service up to three times by
+default.
.PP
Specify 1 to implement a crude form of greylisting, that is, always
defer the first delivery request for a new address.
.PP
-Example:
+Examples:
.PP
.nf
.na
.ft C
+# Postfix <= 2.6 default
+address_verify_poll_count = 3
+# Poor man's greylisting
address_verify_poll_count = 1
.fi
.ad
.nf
RFC 822 (ARPA Internet Text Messages)
RFC 2045 (Format of Internet Message Bodies)
-RFC 2822 (ARPA Internet Text Messages)
+RFC 2822 (Internet Message Format)
RFC 3462 (Delivery Status Notifications)
RFC 3464 (Delivery Status Notifications)
RFC 3834 (Auto-Submitted: message header)
+RFC 5322 (Internet Message Format)
.SH DIAGNOSTICS
.ad
.fi
.IP "\fBsmtpd_tls_loglevel (0)\fR"
Enable additional Postfix SMTP server logging of TLS activity.
.IP "\fBsmtpd_tls_mandatory_ciphers (medium)\fR"
-The minimum TLS cipher grade that the Postfix SMTP server
-will use with mandatory TLS encryption.
+The minimum TLS cipher grade that the Postfix SMTP server will
+use with mandatory TLS encryption.
.IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR"
Additional list of ciphers or cipher types to exclude from the
SMTP server cipher list at mandatory TLS security levels.
See the file ADDRESS_VERIFICATION_README for information
about how to configure and operate the Postfix sender/recipient
address verification service.
-.IP "\fBaddress_verify_poll_count (see 'postconf -d' output)\fR"
+.IP "\fBaddress_verify_poll_count (${stress?1}${stress:3})\fR"
How many times to query the \fBverify\fR(8) service for the completion
of an address verification request in progress.
.IP "\fBaddress_verify_poll_delay (3s)\fR"
<blockquote>
<pre>
/etc/postfix/master.cf:
- :10026 inet n - n - - smtpd
+ 127.0.0.1:10026 inet n - n - - smtpd
-o receive_override_options=no_address_mappings
</pre>
</blockquote>
described in tcp_table(5). The lookup table name is "tcp:host:port"
where "host" specifies a symbolic hostname or a numeric IP address,
and "port" specifies a symbolic service name or a numeric port
-number. This protocol is not available in the stable Postfix release.
+number.
</dd>
<dt> <b>unix</b> (read-only) </dt>
mail to remote destinations when the client's IP address is in the
"same network" as the server's IP address. </p>
-<p> Sometimes an SMTP client needs "same network" privileges when
-it connects from elsewhere. To address this problem, Postfix
+<p> SMTP clients outside the SMTP server's network need a different
+way to get "same network" privileges. To address this need, Postfix
supports SASL authentication (RFC 4954, formerly RFC 2554). With
this a remote SMTP client can authenticate to the Postfix SMTP
server, and the Postfix SMTP client can authenticate to a remote
<h3><a name="server_dovecot">Configuring Dovecot SASL</a></h3>
-<p> Dovecot is a POP/IMAP server that must be configured to
+<p> Dovecot is a POP/IMAP server that has its own configuration to
authenticate POP/IMAP clients. When the Postfix SMTP server uses
-Dovecot SASL, it also reuses this configuration. Consult the <a
-href="http://wiki.dovecot.org">Dovecot documentation</a> for how
+Dovecot SASL, it reuses parts of this configuration. Consult the
+<a href="http://wiki.dovecot.org">Dovecot documentation</a> for how
to configure and operate the Dovecot authentication server. </p>
<h4><a name="server_dovecot_comm">Postfix to Dovecot SASL communication</a></h4>
lines 11-13 limit read+write permissions to user and group
<code>postfix</code> only. </p>
-<p> Proceed with the section "<a href="#server_sasl_enable"
-title="Enabling SASL authentication and configuring authorization
-in the Postfix SMTP server">Enabling SASL authentication and
-authorization in the Postfix SMTP server</a>" to turn on and use
-SASL in the Postfix SMTP server. </p>
+<p> Proceed with the section "<a href="#server_sasl_enable">Enabling
+SASL authentication and authorization in the Postfix SMTP server</a>"
+to turn on and use SASL in the Postfix SMTP server. </p>
<h3><a name="server_cyrus">Configuring Cyrus SASL</a></h3>
-<p> The Cyrus SASL framework was supports a wide variety of
-applications. Different applications may require different
+<p> The Cyrus SASL framework supports a wide variety of applications
+(POP, IMAP, SMTP, etc.). Different applications may require different
configurations. As a consequence each application may have its own
configuration file. </p>
<p> Additionally the <code>saslauthd</code> server itself must be
configured. It must be told which authentication backend to turn
-to for password verification. The backend is choosen as a command
-line option when <code>saslauthd</code> is started and will be shown
-in the following examples. </p>
+to for password verification. The backend is selected with a
+<code>saslauthd</code> command-line option and will be shown in the
+following examples. </p>
<blockquote>
<p> Sometimes the <code>testsaslauthd</code> program is not distributed
with a the Cyrus SASL main package. In that case, it may be
-distributed with -devel, -dev or -debug packages. </p>
+distributed with <code>-devel</code>, <code>-dev</code> or
+<code>-debug</code> packages. </p>
</blockquote>
<p> Specify an additional "<code>-s smtp</code>" if <code>saslauthd</code>
-was configured to contact the PAM authentication framework and an
-additional "<code>-f <em>/path/to/socketdir/mux</em></code>" if
-<code>saslauthd</code> establishes the UNIX-domain socket in a
+was configured to contact the PAM authentication framework, and
+specify an additional "<code>-f <em>/path/to/socketdir/mux</em></code>"
+if <code>saslauthd</code> establishes the UNIX-domain socket in a
non-default location. </p>
<p> If authentication succeeds, proceed with the section "<a
<blockquote>
-<dl>
-
-<dt><a href="#auxprop_sasldb">sasldb</a></dt>
-
-<dd> <p> Accounts are stored stored in a Cyrus SASL Berkeley DB
-database </p> </dd>
+<table border="1">
-<dt><a href="#auxprop_sql">sql</a></dt>
+<tr> <th>Plugin </th> <th>Description </th> </tr>
-<dd> <p> Accounts are stored in a SQL database </p> </dd>
+<tr> <td><a href="#auxprop_sasldb">sasldb</a></dt> <td> Accounts
+are stored stored in a Cyrus SASL Berkeley DB database </td> </tr>
-<dt><a href="#auxprop_ldapdb">ldapdb</a></dt>
+<tr> <td><a href="#auxprop_sql">sql</a></dt> <td> Accounts are
+stored in a SQL database </td> </tr>
-<dd> <p> Accounts are stored stored in an LDAP database </p> </dd>
+<tr> <td><a href="#auxprop_ldapdb">ldapdb</a></dt> <td> Accounts
+are stored stored in an LDAP database </td> </tr>
-</dl>
+</table>
</blockquote>
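Review bot: the converted table is not well-formed HTML: in all three rows (sasldb, sql, ldapdb) the first cell opens with <td> but closes with </dt>, so each row should read e.g. <tr> <td><a href="#auxprop_sasldb">sasldb</a></td> <td> Accounts are stored in a Cyrus SASL Berkeley DB database </td> </tr>. The conversion also carries the old "stored stored" duplication into the sasldb and ldapdb rows; drop the repeated word while touching these lines.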
<strong>Tip</strong>
-<p> If you must store encrypted passwords, see section "<a
-href="#saslauthd_pam">Using saslauthd with PAM</a>", and configure
-PAM to look up the encrypted passwords with, for example, the
-<code>pam_mysql</code> module. You will not be able to use any of
-the methods that require access to plaintext passwords, such as the
-shared-secret methods CRAM-MD5 and DIGEST-MD5. </p>
+<p> If you must store encrypted passwords, you cannot use the sql
+auxprop plugin. Instead, see section "<a href="#saslauthd_pam">Using
+saslauthd with PAM</a>", and configure PAM to look up the encrypted
+passwords with, for example, the <code>pam_mysql</code> module.
+You will not be able to use any of the methods that require access
+to plaintext passwords, such as the shared-secret methods CRAM-MD5
+and DIGEST-MD5. </p>
</blockquote>
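Review bot: "encrypted passwords" is ambiguous in this tip; the property that rules out the sql auxprop plugin and the CRAM-MD5/DIGEST-MD5 mechanisms is that the stored value cannot be turned back into the plaintext (a crypt(3)-style hash), so "hashed (non-plaintext) passwords" would say what is meant. It would also help to state the consequence explicitly: with verification delegated to saslauthd/PAM, the server can offer only the plaintext mechanisms (PLAIN, LOGIN), which is the trade-off the reader is accepting.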
<strong>Tip</strong>
-<p> If you must store encrypted passwords, you can use "<code>saslauthd
--a ldap</code>" to query the LDAP database directly, with appropriate
-configuration in <code>saslauthd.conf</code>. This may be documented
-in a later version of this document. You will not be able to use
-any of the methods that require access to plaintext passwords, such
-as the shared-secret methods CRAM-MD5 and DIGEST-MD5. </p>
+<p> If you must store encrypted passwords, you cannot use the ldapdb
+auxprop plugin. Instead, you can use "<code>saslauthd -a ldap</code>"
+to query the LDAP database directly, with appropriate configuration
+in <code>saslauthd.conf</code>. This may be documented in a later
+version of this document. You will not be able to use any of the
+methods that require access to plaintext passwords, such as the
+shared-secret methods CRAM-MD5 and DIGEST-MD5. </p>
</blockquote>
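Review bot: this tip still promises that "saslauthd -a ldap" configuration "may be documented in a later version of this document"; either point at the saslauthd.conf documentation that ships with Cyrus SASL (the LDAP_SASLAUTHD file in the saslauthd directory) or drop the promise, since a reader who must use hashed passwords with LDAP is otherwise left without the configuration they need. The final two sentences duplicate the sql tip above word for word; consider stating the "no CRAM-MD5/DIGEST-MD5 without plaintext password access" rule once, before the per-plugin tips.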
in the Postfix SMTP server</a></h4>
<p> Regardless of the SASL implementation type, enabling SMTP
-authentication in the Postfix SMTP server always requires seting
+authentication in the Postfix SMTP server always requires setting
the <code>smtpd_sasl_auth_enable</code> option: </p>
<blockquote>
</pre>
</blockquote>
-<p> This default policy leads to authentication failures if the
-remote server only offers plaintext authentication mechanisms. In
-such cases the SMTP client will log the following error message:
-</p>
+<p> This default policy, which allows no plaintext passwords, leads
+to authentication failures if the remote server only offers plaintext
+authentication mechanisms (the SMTP server announces "<code>AUTH
+PLAIN LOGIN</code>"). In such cases the SMTP client will log the
+following error message: </p>
<blockquote>
<pre>
</pre>
</blockquote>
+<blockquote>
+
+<strong>Note</strong>
+
+<p> This same error message will also be logged when the
+<code>libplain.so</code> or <code>liblogin.so</code> modules are
+not installed in the <code>/usr/lib/sasl2</code> directory. </p>
+
+</blockquote>
+
<p> The less secure approach is to lower the security standards and
permit plaintext authentication mechanisms: </p>
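Review bot: the added Note hard-codes /usr/lib/sasl2 as the module directory, but that is a build-time default that differs between platforms and packagings (64-bit library layouts and local installs put it elsewhere); say "the Cyrus SASL plugin directory (for example /usr/lib/sasl2)" instead. In the rewritten paragraph, "This default policy, which allows no plaintext passwords" should also name the client parameter and value from the preceding example that it describes, so the reader can connect the logged failure to the setting they would change.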
<p> This feature is available in Postfix 2.7. </p>
-%PARAM address_verify_poll_count see "postconf -d" output
+%PARAM address_verify_poll_count ${stress?1}${stress:3}
<p>
How many times to query the verify(8) service for the completion
of an address verification request in progress.
</p>
-<p>
-The Postfix SMTP server polls the verify(8) service up to three
-times under non-overload conditions, and only once when under
-overload. With Postfix version 2.6 and earlier, the SMTP server
-always polls the verify(8) service up to three times.
-</p>
+<p> By default, the Postfix SMTP server polls the verify(8) service
+up to three times under non-overload conditions, and only once when
+under overload. With Postfix version 2.6 and earlier, the SMTP
+server always polls the verify(8) service up to three times by
+default. </p>
<p>
Specify 1 to implement a crude form of greylisting, that is, always
</p>
<p>
-Example:
+Examples:
</p>
<pre>
+# Postfix ≤ 2.6 default
+address_verify_poll_count = 3
+# Poor man's greylisting
address_verify_poll_count = 1
</pre>
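Review bot: the first example is labeled "# Postfix ≤ 2.6 default", but the prose just above says 3 is also the current default whenever the server is not under overload; the point of the example is that it makes the count unconditional, so label it that way, e.g. "# Always poll up to 3 times, regardless of the stress setting". Also check that the non-ASCII "≤" in postconf.proto survives the postconf(5) man page and HTML generation with the charset those outputs declare, or spell it "<=".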
/* STANDARDS
/* RFC 822 (ARPA Internet Text Messages)
/* RFC 2045 (Format of Internet Message Bodies)
-/* RFC 2822 (ARPA Internet Text Messages)
+/* RFC 2822 (Internet Message Format)
/* RFC 3462 (Delivery Status Notifications)
/* RFC 3464 (Delivery Status Notifications)
/* RFC 3834 (Auto-Submitted: message header)
+/* RFC 5322 (Internet Message Format)
/* DIAGNOSTICS
/* Problems and transactions are logged to \fBsyslogd\fR(8).
/* CONFIGURATION PARAMETERS
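Review bot: while fixing the RFC 2822 title and adding RFC 5322, the unchanged RFC 3462 line above is also mistitled: RFC 3462 is "The Multipart/Report Content Type for the Reporting of Mail System Administrative Messages"; "Delivery Status Notifications" is the title of RFC 3464 only. Since RFC 5322 obsoletes RFC 2822, which in turn obsoleted RFC 822, consider marking the superseded entries as such, as the three lines otherwise read as three independent standards.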
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20100208"
+#define MAIL_RELEASE_DATE "20100213"
#define MAIL_VERSION_NUMBER "2.8"
#ifdef SNAPSHOT
/*
/* Sender address override is a problem only when delivering
/* to command or file, or when breaking a Delivered-To loop.
-/* The local(8) delivery agent saves other recipients to a new
-/* queue file, together with the replacement envelope sender
-/* address; delivery then proceeds from that new queue file.
+/* The local(8) delivery agent saves normal recipients to a
+/* new queue file, together with the replacement envelope
+/* sender address; delivery then proceeds from that new queue
+/* file, and no workaround is needed.
/*
/* The workaround sends one non-delivery notification for each
/* failed delivery that has a replacement sender address. The
/* notifications are not aggregated, unlike notifications to
-/* non-replaced sender addresses). In practice, a local alias
+/* non-replaced sender addresses. In practice, a local alias
/* rarely has more than one file or command destination (if
/* only because soft error handling is problematic).
/*
/* .IP "\fBsmtpd_tls_loglevel (0)\fR"
/* Enable additional Postfix SMTP server logging of TLS activity.
/* .IP "\fBsmtpd_tls_mandatory_ciphers (medium)\fR"
-/* The minimum TLS cipher grade that the Postfix SMTP server
-/* will use with mandatory TLS encryption.
+/* The minimum TLS cipher grade that the Postfix SMTP server will
+/* use with mandatory TLS encryption.
/* .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR"
/* Additional list of ciphers or cipher types to exclude from the
/* SMTP server cipher list at mandatory TLS security levels.
/* See the file ADDRESS_VERIFICATION_README for information
/* about how to configure and operate the Postfix sender/recipient
/* address verification service.
-/* .IP "\fBaddress_verify_poll_count (see 'postconf -d' output)\fR"
+/* .IP "\fBaddress_verify_poll_count (${stress?1}${stress:3})\fR"
/* How many times to query the \fBverify\fR(8) service for the completion
/* of an address verification request in progress.
/* .IP "\fBaddress_verify_poll_delay (3s)\fR"
DICT_TYPE_ENVIRON, dict_env_open,
DICT_TYPE_HT, dict_ht_open,
DICT_TYPE_UNIX, dict_unix_open,
-#ifdef SNAPSHOT
DICT_TYPE_TCP, dict_tcp_open,
-#endif
#ifdef HAS_SDBM
DICT_TYPE_SDBM, dict_sdbm_open,
#endif
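Review bot: with the #ifdef SNAPSHOT guard gone, DICT_TYPE_TCP is registered in every build, so confirm that dict_tcp.c and the tcp_table(5) man page are compiled and installed unconditionally as well (any remaining SNAPSHOT guard around dict_tcp_open would now fail to link) and that the documentation no longer describes tcp: lookups as unavailable in the stable release. Since this promotes an unauthenticated, unencrypted network lookup protocol to a stable feature, the tcp_table(5) text should state that the lookup server must be reachable only over a trusted network, because its answers can drive access decisions in the SMTP server.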