postscreen/postscreen_misc.c, postscreen/postscreen.h,
postscreen/postscreen_tests.c.
+ Feature: preliminary postscreen penalty mechanism. Basic
+ idea: when a client exceeds some threshold, don't allow it
+ to pass any tests until the penalty expires. Penalties
+ provide a way to slow down clients without blocking mail
+ permanently. Files: postscreen/postscreen_misc.c,
+ postscreen/postscreen_tests.c, postscreen/postscreen.c.
+
+ A first application of the postscreen penalty mechanism
+ triggers on clients that make brief connections to find out
+ if the mail server is up. With "postscreen_early_hangup_penalty
+ = 600" they will disqualify themselves for 10 minutes.
+ Unfortunately, this behavior is used by legitimate bulk
+ mail services. This application was removed 20101103. The
+ penalty mechanism itself is left in place as #ifdef NONPROD.
+
20100923
Cleanup: renamed MUMBLE_FLAG_MUMBLE aggregates to
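Review bot: the "Files:" list of the new penalty entry names postscreen_misc.c, postscreen_tests.c and postscreen.c but not postscreen/postscreen.h, although the postscreen.h hunks in this patch add penal_stamp and the PS_STATE_FLAG_PENAL_* flags for the same mechanism. Add postscreen/postscreen.h to the list so the entry covers every file the feature touches.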
20101007
Bugfix (introduced: 2100923): duplicate "PASS OLD" logging.
+ File: postscreen/postscreen_misc.c.
+
+20101008
+
+ Cleanup: dnsblog now logs "addr X listed by domain Y as Z"
+ instead of "addr X blocked by domain Y as Z", because the
+ service may be used for whitelist lookups. File:
+ dnsblog/dnsblog.c.
+
+20101023
+
+ Cleanup: don't apply reject_rhsbl_helo to non-domain forms
+ such as network addresses. This would cause false positives
+ with dbl.spamhaus.org. File: smtpd/smtpd_check.c.
+
+20101103
+
+ Cleanup: new qmgr_ipc_timeout parameter (default: 60s) to
+ override the system-wide ipc_timeout setting (default:
+ 3600s). The shorter timeout allows the queue manager to
+ reset a deadlocked IPC connection before the watchdog timer
+ goes off. Files: *qmgr/qmgr.c.
+
+ Cleanup: new qmgr_daemon_timeout parameter (default: 1000s)
+ to make the hard-coded 1000s watchdog timeout configurable.
+ Files: *qmgr/qmgr.c.
+
+ Cleanup: request default DSN notification when adding a
+ recipient with smfi_addrcpt, instead of requesting "never
+ notify" as with Postfix automatically-added BCC recipients.
+ Files: cleanup/cleanup_addr.c, cleanup/cleanup.h,
+ cleanup/cleanup_milter.c.
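Review bot: the 20101007 entry that this hunk completes with a "File:" line reads "Bugfix (introduced: 2100923)", a seven-digit date that looks like a typo for 20100923, the entry date shown just above it. Since the entry is being edited anyway, correct the date in the same change so the bug can be traced back to the right snapshot.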
You can change the probe sender address into the null address
("address_verify_sender ="). This is UNSAFE because address probes will
fail with mis-configured sites that reject MAIL FROM: <>, while probes from
- "postmaster@$myorigin" would succeed.
+ "double-bounce@$myorigin" would succeed.
R\bRe\bec\bci\bip\bpi\bie\ben\bnt\bt a\bad\bdd\bdr\bre\bes\bss\bs v\bve\ber\bri\bif\bfi\bic\bca\bat\bti\bio\bon\bn
i\big\bgn\bno\bor\bre\be (default)
Ignore the failure of this test. Allow other tests to complete. Repeat this
test the next time the client connects. This option is useful for testing
- and collecting statistics without interfering with mail deliveries.
+ and collecting statistics without blocking mail.
e\ben\bnf\bfo\bor\brc\bce\be
Allow other tests to complete. Reject attempts to deliver mail with a 550
SMTP reply, and log the helo/sender/recipient information. Repeat this test
postscreen parameters always evaluate as if the stress value is
equal to the empty string.
+Incompatibility with snapshot 20101103
+======================================
+
+Postfix now requests default delivery status notifications when
+adding a recipient with the Milter smfi_addrcpt action, instead of
+"never notify" as with Postfix automatically-added recipients
+(always_bcc and sender/recipient_bcc_maps).
+
Incompatibility with snapshot 20101006
======================================
-To avoid repeated delivery to mailing list members with pathological
-nested alias configurations, the local(8) delivery agent now keeps
-the owner-alias attribute of the parent alias, when delivering mail
-to a child alias that does not have its own owner alias.
+To avoid repeated delivery to mailing lists with pathological nested
+alias configurations, the local(8) delivery agent now keeps the
+owner-alias attribute of a parent alias, when delivering mail to a
+child alias that does not have its own owner alias.
With this change, local addresses from that child alias will be
written to a new queue file, and a temporary error with one local
list members. Specify "reset_owner_alias = yes" for the older,
more fragile, behavior.
+The postconf(5) manpage entry for "reset_owner_alias" has more
+background information on this issue.
+
Incompatibility with snapshot 20100912
======================================
Remove this file from the stable release.
+ anvil rate limit for sasl_username.
+
+ Support filtering of messages that are generated by Postfix:
+ This would apply to postmaster notices and bounce messages
+ (DKIM), and address verification (BATV).
+
+ Replace sscanf() numerical conversions by strto[dl]()
+ for better error reporting.
+
Consistency: in postconf.proto make <dt>..</dt> tags bold.
- Milter addrcpt - use Sendmail default DSN
+ Milter addrcpt - use Sendmail-compatible default DSN settings.
postscreen(8): listen on multiple IP addresses and enforce
that the client contacts the primary MX address first (i.e.
("<a href="postconf.5.html#address_verify_sender">address_verify_sender</a>
="). This is UNSAFE because address probes will fail with
mis-configured sites that reject MAIL FROM: <>, while
-probes from "postmaster@$<a href="postconf.5.html#myorigin">myorigin</a>" would succeed. </p>
+probes from "double-bounce@$<a href="postconf.5.html#myorigin">myorigin</a>" would succeed. </p>
</ul>
<dd> Ignore the failure of this test. Allow other tests to complete.
Repeat this test the next time the client connects. This option
-is useful for testing and collecting statistics without interfering
-with mail deliveries. </dd>
+is useful for testing and collecting statistics without blocking
+mail. </dd>
<dt> <b>enforce</b> </dt>
unexpectedly, <i>time</i> seconds after the start of the
test named <i>test name</i>. </p>
+<!--
+
+<p> While an unexpired penalty is in effect, an SMTP client is not
+allowed to pass any tests, and <a href="postscreen.8.html">postscreen(8)</a> logs each connection
+with the remaining amount of penalty time as: </p>
+
+<pre>
+ <b>PENALTY</b> <i>time</i> <b>for</b> <i>address</i>
+</pre>
+
+<p> During this time, all attempts by the client to deliver mail
+will be deferred with a 450 SMTP status. </p>
+
+-->
+
<p> The following errors are reported by the built-in SMTP engine.
This engine never accepts mail, therefore it has per-session limits
on the number of commands and on the session length. </p>
<b><a href="postconf.5.html#default_destination_rate_delay">tion_rate_delay</a></b>
Idem, for delivery via the named message <i>transport</i>.
+<b>SAFETY CONTROLS</b>
+ <b><a href="postconf.5.html#qmgr_daemon_timeout">qmgr_daemon_timeout</a> (1000s)</b>
+ How much time a Postfix queue manager process may
+ take to handle a request before it is terminated by
+ a built-in watchdog timer.
+
+ <b><a href="postconf.5.html#qmgr_ipc_timeout">qmgr_ipc_timeout</a> (60s)</b>
+ The time limit for the queue manager to send or
+ receive information over an internal communication
+ channel.
+
<b>MISCELLANEOUS CONTROLS</b>
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
Log warnings about problematic configuration set-
tings, and provide helpful suggestions.
- <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
- The time limit for sending or receiving information
- over an internal communication channel.
-
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
- The process ID of a Postfix command or daemon
+ The process ID of a Postfix command or daemon
process.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
- The process name of a Postfix command or daemon
+ The process name of a Postfix command or daemon
process.
<b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
- The location of the Postfix top-level queue direc-
+ The location of the Postfix top-level queue direc-
tory.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b>FILES</b>
<a href="QSHAPE_README.html">QSHAPE_README</a>, Postfix queue analysis
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>
<DT><b><a name="postscreen_forbidden_commands">postscreen_forbidden_commands</a>
(default: $<a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a>)</b></DT><DD>
-<p> List of commands that <a href="postscreen.8.html">postscreen(8)</a> server considers in violation
-of the SMTP protocol. See also: <a href="postconf.5.html#postscreen_non_smtp_command_action">postscreen_non_smtp_command_action</a>.
+<p> List of commands that the <a href="postscreen.8.html">postscreen(8)</a> server considers in
+violation of the SMTP protocol. See <a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a> for
+syntax, and <a href="postconf.5.html#postscreen_non_smtp_command_action">postscreen_non_smtp_command_action</a> for possible actions.
</p>
<p> This feature is available in Postfix 2.8. </p>
</p>
+</DD>
+
+<DT><b><a name="qmgr_daemon_timeout">qmgr_daemon_timeout</a>
+(default: 1000s)</b></DT><DD>
+
+<p> How much time a Postfix queue manager process may take to handle
+a request before it is terminated by a built-in watchdog timer.
+</p>
+
+<p>
+Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds).
+</p>
+
+
</DD>
<DT><b><a name="qmgr_fudge_factor">qmgr_fudge_factor</a>
</p>
+</DD>
+
+<DT><b><a name="qmgr_ipc_timeout">qmgr_ipc_timeout</a>
+(default: 60s)</b></DT><DD>
+
+<p> The time limit for the queue manager to send or receive information
+over an internal communication channel. The purpose is to break
+out of deadlock situations. If the time limit is exceeded the
+software either retries or aborts the operation. </p>
+
+<p>
+Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds).
+</p>
+
+
</DD>
<DT><b><a name="qmgr_message_active_limit">qmgr_message_active_limit</a>
defined with the <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> parameter.
<b><a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbidden_commands</a> ($<a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a>)</b>
- List of commands that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server consid-
- ers in violation of the SMTP protocol.
+ List of commands that the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server con-
+ siders in violation of the SMTP protocol.
<b><a href="postconf.5.html#postscreen_greet_action">postscreen_greet_action</a> (ignore)</b>
The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
<b><a href="postconf.5.html#default_destination_rate_delay">tion_rate_delay</a></b>
Idem, for delivery via the named message <i>transport</i>.
+<b>SAFETY CONTROLS</b>
+ <b><a href="postconf.5.html#qmgr_daemon_timeout">qmgr_daemon_timeout</a> (1000s)</b>
+ How much time a Postfix queue manager process may
+ take to handle a request before it is terminated by
+ a built-in watchdog timer.
+
+ <b><a href="postconf.5.html#qmgr_ipc_timeout">qmgr_ipc_timeout</a> (60s)</b>
+ The time limit for the queue manager to send or
+ receive information over an internal communication
+ channel.
+
<b>MISCELLANEOUS CONTROLS</b>
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
Log warnings about problematic configuration set-
tings, and provide helpful suggestions.
- <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
- The time limit for sending or receiving information
- over an internal communication channel.
-
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
- The process ID of a Postfix command or daemon
+ The process ID of a Postfix command or daemon
process.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
- The process name of a Postfix command or daemon
+ The process name of a Postfix command or daemon
process.
<b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
- The location of the Postfix top-level queue direc-
+ The location of the Postfix top-level queue direc-
tory.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b>FILES</b>
<a href="QSHAPE_README.html">QSHAPE_README</a>, Postfix queue analysis
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>
.PP
This feature is available in Postfix 2.8.
.SH postscreen_forbidden_commands (default: $smtpd_forbidden_commands)
-List of commands that \fBpostscreen\fR(8) server considers in violation
-of the SMTP protocol. See also: postscreen_non_smtp_command_action.
+List of commands that the \fBpostscreen\fR(8) server considers in
+violation of the SMTP protocol. See smtpd_forbidden_commands for
+syntax, and postscreen_non_smtp_command_action for possible actions.
.PP
This feature is available in Postfix 2.8.
.SH postscreen_greet_action (default: ignore)
This feature is enabled with the helpful_warnings parameter.
.PP
This feature is available in Postfix 2.0 and later.
+.SH qmgr_daemon_timeout (default: 1000s)
+How much time a Postfix queue manager process may take to handle
+a request before it is terminated by a built-in watchdog timer.
+.PP
+Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds).
.SH qmgr_fudge_factor (default: 100)
Obsolete feature: the percentage of delivery resources that a busy
mail system will use up for delivery of a large mailing list
.PP
This feature exists only in the \fBoqmgr\fR(8) old queue manager. The
current queue manager solves the problem in a better way.
+.SH qmgr_ipc_timeout (default: 60s)
+The time limit for the queue manager to send or receive information
+over an internal communication channel. The purpose is to break
+out of deadlock situations. If the time limit is exceeded the
+software either retries or aborts the operation.
+.PP
+Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds).
.SH qmgr_message_active_limit (default: 20000)
The maximal number of messages in the active queue.
.SH qmgr_message_recipient_limit (default: 20000)
limit > 1, a destination is a domain, otherwise it is a recipient.
.IP "\fItransport\fB_destination_rate_delay $default_destination_rate_delay
Idem, for delivery via the named message \fItransport\fR.
-.SH MISCELLANEOUS CONTROLS
+.SH "SAFETY CONTROLS"
+.na
+.nf
+.ad
+.fi
+.IP "\fBqmgr_daemon_timeout (1000s)\fR"
+How much time a Postfix queue manager process may take to handle
+a request before it is terminated by a built-in watchdog timer.
+.IP "\fBqmgr_ipc_timeout (60s)\fR"
+The time limit for the queue manager to send or receive information
+over an internal communication channel.
+.SH "MISCELLANEOUS CONTROLS"
+.na
+.nf
.ad
.fi
.IP "\fBconfig_directory (see 'postconf -d' output)\fR"
.IP "\fBhelpful_warnings (yes)\fR"
Log warnings about problematic configuration settings, and provide
helpful suggestions.
-.IP "\fBipc_timeout (3600s)\fR"
-The time limit for sending or receiving information over an internal
-communication channel.
.IP "\fBprocess_id (read-only)\fR"
The process ID of a Postfix command or daemon process.
.IP "\fBprocess_name (read-only)\fR"
its combined DNSBL score as defined with the postscreen_dnsbl_sites
parameter.
.IP "\fBpostscreen_forbidden_commands ($smtpd_forbidden_commands)\fR"
-List of commands that \fBpostscreen\fR(8) server considers in violation
-of the SMTP protocol.
+List of commands that the \fBpostscreen\fR(8) server considers in
+violation of the SMTP protocol.
.IP "\fBpostscreen_greet_action (ignore)\fR"
The action that \fBpostscreen\fR(8) takes when an SMTP client speaks
before its turn within the time specified with the postscreen_greet_wait
limit > 1, a destination is a domain, otherwise it is a recipient.
.IP "\fItransport\fB_destination_rate_delay $default_destination_rate_delay
Idem, for delivery via the named message \fItransport\fR.
+.SH "SAFETY CONTROLS"
+.na
+.nf
+.ad
+.fi
+.IP "\fBqmgr_daemon_timeout (1000s)\fR"
+How much time a Postfix queue manager process may take to handle
+a request before it is terminated by a built-in watchdog timer.
+.IP "\fBqmgr_ipc_timeout (60s)\fR"
+The time limit for the queue manager to send or receive information
+over an internal communication channel.
.SH "MISCELLANEOUS CONTROLS"
.na
.nf
.IP "\fBhelpful_warnings (yes)\fR"
Log warnings about problematic configuration settings, and provide
helpful suggestions.
-.IP "\fBipc_timeout (3600s)\fR"
-The time limit for sending or receiving information over an internal
-communication channel.
.IP "\fBprocess_id (read-only)\fR"
The process ID of a Postfix command or daemon process.
.IP "\fBprocess_name (read-only)\fR"
s;\bqmgr_message_active_limit\b;<a href="postconf.5.html#qmgr_message_active_limit">$&</a>;g;
s;\bqmgr_message_recip[-</bB>]*\n* *[<bB>]*ient_limit\b;<a href="postconf.5.html#qmgr_message_recipient_limit">$&</a>;g;
s;\bqmgr_message_recip[-</bB>]*\n* *[<bB>]*ient_minimum\b;<a href="postconf.5.html#qmgr_message_recipient_minimum">$&</a>;g;
+ s;\bqmgr_daemon_timeout\b;<a href="postconf.5.html#qmgr_daemon_timeout">$&</a>;g;
+ s;\bqmgr_ipc_timeout\b;<a href="postconf.5.html#qmgr_ipc_timeout">$&</a>;g;
s;\bqmqpd_authorized_clients\b;<a href="postconf.5.html#qmqpd_authorized_clients">$&</a>;g;
s;\bdefault_destination_concur[-</Bb>]*\n* *[<Bb>]*rency_negative_feedback\b;<a href="postconf.5.html#default_destination_concurrency_negative_feedback">$&</a>;g;
("address_verify_sender
="). This is UNSAFE because address probes will fail with
mis-configured sites that reject MAIL FROM: <>, while
-probes from "postmaster@$myorigin" would succeed. </p>
+probes from "double-bounce@$myorigin" would succeed. </p>
</ul>
<dd> Ignore the failure of this test. Allow other tests to complete.
Repeat this test the next time the client connects. This option
-is useful for testing and collecting statistics without interfering
-with mail deliveries. </dd>
+is useful for testing and collecting statistics without blocking
+mail. </dd>
<dt> <b>enforce</b> </dt>
unexpectedly, <i>time</i> seconds after the start of the
test named <i>test name</i>. </p>
+<!--
+
+<p> While an unexpired penalty is in effect, an SMTP client is not
+allowed to pass any tests, and postscreen(8) logs each connection
+with the remaining amount of penalty time as: </p>
+
+<pre>
+ <b>PENALTY</b> <i>time</i> <b>for</b> <i>address</i>
+</pre>
+
+<p> During this time, all attempts by the client to deliver mail
+will be deferred with a 450 SMTP status. </p>
+
+-->
+
<p> The following errors are reported by the built-in SMTP engine.
This engine never accepts mail, therefore it has per-session limits
on the number of commands and on the session length. </p>
%PARAM postscreen_forbidden_commands $smtpd_forbidden_commands
-<p> List of commands that postscreen(8) server considers in violation
-of the SMTP protocol. See also: postscreen_non_smtp_command_action.
+<p> List of commands that the postscreen(8) server considers in
+violation of the SMTP protocol. See smtpd_forbidden_commands for
+syntax, and postscreen_non_smtp_command_action for possible actions.
</p>
<p> This feature is available in Postfix 2.8. </p>
be expanded repeatedly until the mail expires in the queue, resulting
in multiple deliveries of the same message to mailing list members.
</p>
+
+%PARAM qmgr_ipc_timeout 60s
+
+<p> The time limit for the queue manager to send or receive information
+over an internal communication channel. The purpose is to break
+out of deadlock situations. If the time limit is exceeded the
+software either retries or aborts the operation. </p>
+
+<p>
+Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds).
+</p>
+
+%PARAM qmgr_daemon_timeout 1000s
+
+<p> How much time a Postfix queue manager process may take to handle
+a request before it is terminated by a built-in watchdog timer.
+</p>
+
+<p>
+Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds).
+</p>
+
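Review bot: the two new %PARAM entries (qmgr_ipc_timeout, qmgr_daemon_timeout) have no availability line, while the postscreen_forbidden_commands entry in the same file ends with "<p> This feature is available in Postfix 2.8. </p>". Add the corresponding line to both entries. The qmgr_ipc_timeout text should also say that the value is meant to be shorter than qmgr_daemon_timeout, since the stated purpose is to break out of a deadlock before the watchdog fires.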
cleanup.o: ../../include/been_here.h
cleanup.o: ../../include/cleanup_user.h
cleanup.o: ../../include/dict.h
+cleanup.o: ../../include/dsn_mask.h
cleanup.o: ../../include/header_body_checks.h
cleanup.o: ../../include/header_opts.h
cleanup.o: ../../include/htable.h
cleanup_api.o: ../../include/dict.h
cleanup_api.o: ../../include/dsn.h
cleanup_api.o: ../../include/dsn_buf.h
+cleanup_api.o: ../../include/dsn_mask.h
cleanup_api.o: ../../include/header_body_checks.h
cleanup_api.o: ../../include/header_opts.h
cleanup_api.o: ../../include/htable.h
cleanup_body_edit.o: ../../include/been_here.h
cleanup_body_edit.o: ../../include/cleanup_user.h
cleanup_body_edit.o: ../../include/dict.h
+cleanup_body_edit.o: ../../include/dsn_mask.h
cleanup_body_edit.o: ../../include/header_body_checks.h
cleanup_body_edit.o: ../../include/header_opts.h
cleanup_body_edit.o: ../../include/htable.h
cleanup_final.o: ../../include/been_here.h
cleanup_final.o: ../../include/cleanup_user.h
cleanup_final.o: ../../include/dict.h
+cleanup_final.o: ../../include/dsn_mask.h
cleanup_final.o: ../../include/header_body_checks.h
cleanup_final.o: ../../include/header_opts.h
cleanup_final.o: ../../include/htable.h
cleanup_init.o: ../../include/been_here.h
cleanup_init.o: ../../include/cleanup_user.h
cleanup_init.o: ../../include/dict.h
+cleanup_init.o: ../../include/dsn_mask.h
cleanup_init.o: ../../include/ext_prop.h
cleanup_init.o: ../../include/flush_clnt.h
cleanup_init.o: ../../include/header_body_checks.h
cleanup_map11.o: ../../include/been_here.h
cleanup_map11.o: ../../include/cleanup_user.h
cleanup_map11.o: ../../include/dict.h
+cleanup_map11.o: ../../include/dsn_mask.h
cleanup_map11.o: ../../include/header_body_checks.h
cleanup_map11.o: ../../include/header_opts.h
cleanup_map11.o: ../../include/htable.h
cleanup_map1n.o: ../../include/been_here.h
cleanup_map1n.o: ../../include/cleanup_user.h
cleanup_map1n.o: ../../include/dict.h
+cleanup_map1n.o: ../../include/dsn_mask.h
cleanup_map1n.o: ../../include/header_body_checks.h
cleanup_map1n.o: ../../include/header_opts.h
cleanup_map1n.o: ../../include/htable.h
cleanup_masquerade.o: ../../include/been_here.h
cleanup_masquerade.o: ../../include/cleanup_user.h
cleanup_masquerade.o: ../../include/dict.h
+cleanup_masquerade.o: ../../include/dsn_mask.h
cleanup_masquerade.o: ../../include/header_body_checks.h
cleanup_masquerade.o: ../../include/header_opts.h
cleanup_masquerade.o: ../../include/htable.h
cleanup_message.o: ../../include/cleanup_user.h
cleanup_message.o: ../../include/conv_time.h
cleanup_message.o: ../../include/dict.h
+cleanup_message.o: ../../include/dsn_mask.h
cleanup_message.o: ../../include/dsn_util.h
cleanup_message.o: ../../include/ext_prop.h
cleanup_message.o: ../../include/header_body_checks.h
cleanup_out.o: ../../include/been_here.h
cleanup_out.o: ../../include/cleanup_user.h
cleanup_out.o: ../../include/dict.h
+cleanup_out.o: ../../include/dsn_mask.h
cleanup_out.o: ../../include/header_body_checks.h
cleanup_out.o: ../../include/header_opts.h
cleanup_out.o: ../../include/htable.h
cleanup_region.o: ../../include/been_here.h
cleanup_region.o: ../../include/cleanup_user.h
cleanup_region.o: ../../include/dict.h
+cleanup_region.o: ../../include/dsn_mask.h
cleanup_region.o: ../../include/header_body_checks.h
cleanup_region.o: ../../include/header_opts.h
cleanup_region.o: ../../include/htable.h
cleanup_rewrite.o: ../../include/been_here.h
cleanup_rewrite.o: ../../include/cleanup_user.h
cleanup_rewrite.o: ../../include/dict.h
+cleanup_rewrite.o: ../../include/dsn_mask.h
cleanup_rewrite.o: ../../include/header_body_checks.h
cleanup_rewrite.o: ../../include/header_opts.h
cleanup_rewrite.o: ../../include/htable.h
cleanup_state.o: ../../include/been_here.h
cleanup_state.o: ../../include/cleanup_user.h
cleanup_state.o: ../../include/dict.h
+cleanup_state.o: ../../include/dsn_mask.h
cleanup_state.o: ../../include/header_body_checks.h
cleanup_state.o: ../../include/header_opts.h
cleanup_state.o: ../../include/htable.h
#include <string_list.h>
#include <cleanup_user.h>
#include <header_body_checks.h>
+#include <dsn_mask.h>
/*
* Milter library.
*/
extern void cleanup_addr_sender(CLEANUP_STATE *, const char *);
extern void cleanup_addr_recipient(CLEANUP_STATE *, const char *);
-extern void cleanup_addr_bcc(CLEANUP_STATE *, const char *);
+extern void cleanup_addr_bcc_dsn(CLEANUP_STATE *, const char *, const char *, int);
+
+#define NO_DSN_ORCPT ((char *) 0)
+#define NO_DSN_NOTIFY DSN_NOTIFY_NEVER
+#define DEF_DSN_NOTIFY (0)
+
+#define cleanup_addr_bcc(state, addr) \
+ cleanup_addr_bcc_dsn((state), (addr), NO_DSN_ORCPT, NO_DSN_NOTIFY)
/*
* cleanup_bounce.c.
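Review bot: DEF_DSN_NOTIFY is defined as a bare (0) right next to NO_DSN_NOTIFY, which maps to the named constant DSN_NOTIFY_NEVER, and nothing in this header says that zero means "no NOTIFY option given, apply the default". Add a one-line comment above the three macros stating that, so a later reader does not mistake 0 for "no notification". Also note that cleanup_addr_bcc is now a macro rather than a function, so anything that took its address would stop compiling; worth a mention in the comment if that was ever done.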
/* CLEANUP_STATE *state;
/* const char *addr;
/*
+/* void cleanup_addr_bcc_dsn(state, addr, dsn_orcpt, dsn_notify)
+/* CLEANUP_STATE *state;
+/* const char *addr;
+/* const char *dsn_orcpt;
+/* int dsn_notify;
+/*
/* void cleanup_addr_bcc(state, addr)
/* CLEANUP_STATE *state;
/* const char *addr;
/* cleanup_addr_recipient() processes recipient envelope information
/* and updates state->recip.
/*
-/* cleanup_addr_bcc() processes recipient envelope information. This
+/* cleanup_addr_bcc_dsn() processes recipient envelope information. This
/* is a separate function to avoid invoking cleanup_addr_recipient()
/* recursively.
/*
+/* cleanup_addr_bcc() is a backwards-compatibility wrapper for
+/* cleanup_addr_bcc_dsn() that requests no delivery status
+/* notification for the recipient.
+/*
/* Arguments:
/* .IP state
/* Queue file and message processing state. This state is updated
/* as records are processed and as errors happen.
/* .IP buf
/* Record content.
+/* .IP dsn_orcpt
+/* The DSN original recipient (or NO_DSN_ORCPT to specify none).
+/* .IP dsn_notify
+/* DSN notification options. Specify NO_DSN_NOTIFY to disable
+/* notification, and DEF_DSN_NOTIFY for default notification.
/* LICENSE
/* .ad
/* .fi
vstring_free(clean_addr);
}
-/* cleanup_addr_bcc - process automatic BCC recipient */
+/* cleanup_addr_bcc_dsn - process automatic BCC recipient */
-void cleanup_addr_bcc(CLEANUP_STATE *state, const char *bcc)
+void cleanup_addr_bcc_dsn(CLEANUP_STATE *state, const char *bcc,
+ const char *dsn_orcpt, int dsn_notify)
{
VSTRING *clean_addr = vstring_alloc(100);
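Review bot: the function comment still reads "process automatic BCC recipient" after the rename to cleanup_addr_bcc_dsn, but the cleanup_milter.c hunk in this patch calls the same function with DEF_DSN_NOTIFY for recipients added via smfi_addrcpt, which are not automatic BCC recipients. Reword the one-line comment (and the "BCC addresses are supplied locally" note in the body) to cover both callers.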
* Note: BCC addresses are supplied locally, and must be rewritten in the
* local address rewriting context.
*/
-#define NO_DSN_ORCPT ((char *) 0)
-
cleanup_rewrite_internal(MAIL_ATTR_RWR_LOCAL, clean_addr, bcc);
if (state->flags & CLEANUP_FLAG_MAP_OK) {
if (cleanup_rcpt_canon_maps
&& (cleanup_masq_flags & CLEANUP_MASQ_FLAG_ENV_RCPT))
cleanup_masquerade_internal(clean_addr, cleanup_masq_domains);
}
- cleanup_out_recipient(state, NO_DSN_ORCPT, DSN_NOTIFY_NEVER,
+ cleanup_out_recipient(state, dsn_orcpt, dsn_notify,
STR(clean_addr), STR(clean_addr));
vstring_free(clean_addr);
}
}
}
tok822_free_tree(tree);
- cleanup_addr_bcc(state, STR(int_rcpt_buf));
+ cleanup_addr_bcc_dsn(state, STR(int_rcpt_buf), NO_DSN_ORCPT, DEF_DSN_NOTIFY);
vstring_free(int_rcpt_buf);
if (addr_count == 0) {
msg_warn("%s: ignoring attempt from Milter to add null recipient",
msg_warn("%s: skipping reply record type %s for query %s: %m",
myname, dns_strtype(rr->type), STR(query));
} else {
- msg_info("addr %s blocked by domain %s as %s",
+ msg_info("addr %s listed by domain %s as %s",
addr, dnsbl_domain, hostaddr.buf);
if (LEN(result) > 0)
vstring_strcat(result, " ");
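Review bot: the msg_info() text changes from "blocked by domain" to "listed by domain", which silently breaks any log parser or alerting rule that matches the old string. The RELEASE_NOTES lines visible in this patch only describe the Milter smfi_addrcpt change as an incompatibility; add a short entry there for the dnsblog logging change so operators know to update their patterns.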
dns_rr_free(addr_list);
} else if (dns_status == DNS_NOTFOUND) {
if (msg_verbose)
- msg_info("%s: addr %s not listed under domain %s",
+ msg_info("%s: addr %s not listed by domain %s",
myname, addr, dnsbl_domain);
} else {
msg_warn("%s: lookup error for DNS query %s: %s",
#define DEF_DAEMON_TIMEOUT "18000s"
extern int var_daemon_timeout;
+#define VAR_QMGR_DAEMON_TIMEOUT "qmgr_daemon_timeout"
+#define DEF_QMGR_DAEMON_TIMEOUT "1000s"
+extern int var_qmgr_daemon_timeout;
+
/*
* How long an intra-mail command may take before we assume the mail system
* is in deadlock (should never happen).
#define DEF_IPC_TIMEOUT "3600s"
extern int var_ipc_timeout;
+#define VAR_QMGR_IPC_TIMEOUT "qmgr_ipc_timeout"
+#define DEF_QMGR_IPC_TIMEOUT "60s"
+extern int var_qmgr_ipc_timeout;
+
/*
* Time limit on intra-mail triggers.
*/
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20101007"
+#define MAIL_RELEASE_DATE "20101103"
#define MAIL_VERSION_NUMBER "2.8"
#ifdef SNAPSHOT
/* limit > 1, a destination is a domain, otherwise it is a recipient.
/* .IP "\fItransport\fB_destination_rate_delay $default_destination_rate_delay
/* Idem, for delivery via the named message \fItransport\fR.
-/* .SH MISCELLANEOUS CONTROLS
+/* SAFETY CONTROLS
+/* .ad
+/* .fi
+/* .IP "\fBqmgr_daemon_timeout (1000s)\fR"
+/* How much time a Postfix queue manager process may take to handle
+/* a request before it is terminated by a built-in watchdog timer.
+/* .IP "\fBqmgr_ipc_timeout (60s)\fR"
+/* The time limit for the queue manager to send or receive information
+/* over an internal communication channel.
+/* MISCELLANEOUS CONTROLS
/* .ad
/* .fi
/* .IP "\fBconfig_directory (see 'postconf -d' output)\fR"
/* .IP "\fBhelpful_warnings (yes)\fR"
/* Log warnings about problematic configuration settings, and provide
/* helpful suggestions.
-/* .IP "\fBipc_timeout (3600s)\fR"
-/* The time limit for sending or receiving information over an internal
-/* communication channel.
/* .IP "\fBprocess_id (read-only)\fR"
/* The process ID of a Postfix command or daemon process.
/* .IP "\fBprocess_name (read-only)\fR"
int var_conc_feedback_debug;
int var_dest_rate_delay;
char *var_def_filter_nexthop;
+int var_qmgr_daemon_timeout;
+int var_qmgr_ipc_timeout;
static QMGR_SCAN *qmgr_scans[2];
* Left-over active queue entries are moved to the incoming queue because
* the incoming queue has priority; moving left-overs to the deferred
* queue could cause anomalous delays when "postfix reload/start" are
- * issued often.
+ * issued often. Override the IPC timeout (default 3600s) so that the
+ * queue manager can reset a broken IPC channel before the watchdog timer
+ * goes off.
*/
+ var_ipc_timeout = var_qmgr_ipc_timeout;
var_use_limit = 0;
var_idle_limit = 0;
qmgr_move(MAIL_QUEUE_ACTIVE, MAIL_QUEUE_INCOMING, event_time());
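Review bot: the added comment hard-codes "default 3600s" for the IPC timeout, which duplicates DEF_IPC_TIMEOUT from mail_params.h and will go stale if that default changes. Refer to the ipc_timeout parameter by name instead, and state in the comment that the assignment replaces the process-wide var_ipc_timeout, so the main.cf ipc_timeout setting no longer has any effect inside the queue manager.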
VAR_XPORT_RETRY_TIME, DEF_XPORT_RETRY_TIME, &var_transport_retry_time, 1, 0,
VAR_QMGR_CLOG_WARN_TIME, DEF_QMGR_CLOG_WARN_TIME, &var_qmgr_clog_warn_time, 0, 0,
VAR_DEST_RATE_DELAY, DEF_DEST_RATE_DELAY, &var_dest_rate_delay, 0, 0,
+ VAR_QMGR_DAEMON_TIMEOUT, DEF_QMGR_DAEMON_TIMEOUT, &var_qmgr_daemon_timeout, 1, 0,
+ VAR_QMGR_IPC_TIMEOUT, DEF_QMGR_IPC_TIMEOUT, &var_qmgr_ipc_timeout, 1, 0,
0,
};
static const CONFIG_INT_TABLE int_table[] = {
MAIL_SERVER_LOOP, qmgr_loop,
MAIL_SERVER_PRE_ACCEPT, pre_accept,
MAIL_SERVER_SOLITARY,
+ MAIL_SERVER_WATCHDOG, &var_qmgr_daemon_timeout,
0);
}
/* its combined DNSBL score as defined with the postscreen_dnsbl_sites
/* parameter.
/* .IP "\fBpostscreen_forbidden_commands ($smtpd_forbidden_commands)\fR"
-/* List of commands that \fBpostscreen\fR(8) server considers in violation
-/* of the SMTP protocol.
+/* List of commands that the \fBpostscreen\fR(8) server considers in
+/* violation of the SMTP protocol.
/* .IP "\fBpostscreen_greet_action (ignore)\fR"
/* The action that \fBpostscreen\fR(8) takes when an SMTP client speaks
/* before its turn within the time specified with the postscreen_greet_wait
time_t dnsbl_stamp; /* dnsbl expiration time */
VSTRING *dnsbl_reply; /* dnsbl reject text */
int dnsbl_index; /* dnsbl request index */
+ time_t penal_stamp; /* penalty expiration time */
/* Built-in SMTP protocol engine. */
time_t pipel_stamp; /* pipelining expiration time */
time_t nsmtp_stamp; /* non-smtp command expiration time */
#define PS_STATE_FLAGS_TODO_TO_PASS(todo_flags) ((todo_flags) >> 1)
#define PS_STATE_FLAGS_TODO_TO_DONE(todo_flags) ((todo_flags) << 1)
+#define PS_STATE_FLAG_PENAL_UPDATE (1<<6) /* save new penalty */
+#define PS_STATE_FLAG_PENAL_FAIL (1<<7) /* penalty is active */
+
#define PS_STATE_FLAG_PREGR_FAIL (1<<8) /* failed pregreet test */
#define PS_STATE_FLAG_PREGR_PASS (1<<9) /* passed pregreet test */
#define PS_STATE_FLAG_PREGR_TODO (1<<10) /* pregreet test expired */
* Super-aggregates for all tests combined.
*/
#define PS_STATE_MASK_ANY_FAIL \
- (PS_STATE_FLAG_BLIST_FAIL | \
+ (PS_STATE_FLAG_BLIST_FAIL | PS_STATE_FLAG_PENAL_FAIL | \
PS_STATE_MASK_EARLY_FAIL | PS_STATE_MASK_SMTPD_FAIL)
#define PS_STATE_MASK_ANY_PASS \
(PS_STATE_MASK_ANY_TODO | PS_STATE_MASK_ANY_FAIL)
#define PS_STATE_MASK_ANY_UPDATE \
- (PS_STATE_MASK_ANY_PASS)
+ (PS_STATE_MASK_ANY_PASS | PS_STATE_FLAG_PENAL_UPDATE)
/*
* See log_adhoc.c for discussion.
(dst)->dnsbl_stamp = PS_TIME_STAMP_INVALID; \
(dst)->pipel_stamp = PS_TIME_STAMP_INVALID; \
(dst)->barlf_stamp = PS_TIME_STAMP_INVALID; \
+ (dst)->penal_stamp = PS_TIME_STAMP_INVALID; \
} while (0)
#define PS_BEGIN_TESTS(state, name) do { \
(state)->test_name = (name); \
/* port arguments are null-terminated strings with the remote
/* SMTP client endpoint. The _reply members are set to
/* polite "try again" SMTP replies. The protocol member is set
-/* to "SMTP".
+/* to "SMTP".
/*
/* The ps_stress variable is set to non-zero when
/* ps_check_queue_length passes over a high-water mark.
"HANGUP", PS_STATE_FLAG_HANGUP,
"CACHE_EXPIRED", PS_STATE_FLAG_CACHE_EXPIRED,
+ "PENAL_UPDATE", PS_STATE_FLAG_PENAL_UPDATE,
+ "PENAL_FAIL", PS_STATE_FLAG_PENAL_FAIL,
+
"PREGR_FAIL", PS_STATE_FLAG_PREGR_FAIL,
"PREGR_PASS", PS_STATE_FLAG_PREGR_PASS,
"PREGR_TODO", PS_STATE_FLAG_PREGR_TODO,
/* DESCRIPTION
/* The functions in this module overwrite the per-test expiration
/* time stamps and all flags bits. Some functions are implemented
-/* as unsafe macros, meaning they evaluate one ore more arguments
+/* as unsafe macros, meaning they evaluate one or more arguments
/* multiple times.
/*
/* PS_INIT_TESTS() is an unsafe macro that sets the per-test
state->pipel_stamp = PS_TIME_STAMP_NEW;
state->nsmtp_stamp = PS_TIME_STAMP_NEW;
state->barlf_stamp = PS_TIME_STAMP_NEW;
+ state->penal_stamp = PS_TIME_STAMP_NEW;
/*
* Don't flag disabled tests as "todo", because there would be no way to
const char *stamp_str,
time_t time_value)
{
+ const char *myname = "ps_parse_tests";
unsigned long pregr_stamp;
unsigned long dnsbl_stamp;
unsigned long pipel_stamp;
unsigned long nsmtp_stamp;
unsigned long barlf_stamp;
+ unsigned long penal_stamp;
+ time_t penalty_left;
/*
* We don't know what tests have expired or have never passed.
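Review bot: "myname" and "penalty_left" are declared unconditionally, but the later hunk uses penalty_left only inside "#ifdef NONPROD" and myname only inside the "#if 0" msg_panic() call. A production build therefore carries two unused locals and will produce unused-variable warnings. Suggest putting both declarations under the same "#ifdef NONPROD" guard, or dropping myname until the "#if 0" switch is enabled.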
* enabled tests, but the remote SMTP client has not yet passed all those
* tests.
*/
- switch (sscanf(stamp_str, "%lu;%lu;%lu;%lu;%lu",
+ switch (sscanf(stamp_str, "%lu;%lu;%lu;%lu;%lu;%lu",
&pregr_stamp, &dnsbl_stamp, &pipel_stamp, &nsmtp_stamp,
- &barlf_stamp)) {
+ &barlf_stamp, &penal_stamp)) {
case 0:
pregr_stamp = PS_TIME_STAMP_DISABLED;
case 1:
nsmtp_stamp = PS_TIME_STAMP_DISABLED;
case 4:
barlf_stamp = PS_TIME_STAMP_DISABLED;
+ case 5:
+ penal_stamp = PS_TIME_STAMP_DISABLED;
default:
break;
}
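Review bot: the sixth "%lu" and the new "case 5:" change the cache record format for every build, while the only code that acts on penal_stamp sits under "#ifdef NONPROD". Production builds will read and write an extra field they never use. Reading a five-field record is handled by the fall-through to PS_TIME_STAMP_DISABLED, which is good, but the fall-through chain now has one more step and still carries no comment saying it is intentional. Suggest either guarding the format change with NONPROD as well, or documenting in the comment above the switch that records with five and six fields are both valid and why.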
state->pipel_stamp = pipel_stamp;
state->nsmtp_stamp = nsmtp_stamp;
state->barlf_stamp = barlf_stamp;
+ state->penal_stamp = penal_stamp;
if (pregr_stamp == PS_TIME_STAMP_NEW
|| dnsbl_stamp == PS_TIME_STAMP_NEW
state->flags |= PS_STATE_FLAG_DNSBL_TODO;
}
#endif
+
+ /*
+ * Apply unexpired penalty for past behavior.
+ *
+ * XXX Before we can drop connections, change this function to return
+ * success/fail, to inform the caller that the state object no longer
+ * exists.
+ */
+#ifdef NONPROD
+ if ((penalty_left = state->penal_stamp - event_time()) > 0) {
+ msg_info("PENALTY %ld for %s",
+ (long) penalty_left, state->smtp_client_addr);
+ PS_FAIL_SESSION_STATE(state, PS_STATE_FLAG_PENAL_FAIL);
+#if 0
+ switch (ps_penal_action) {
+ case PS_ACT_DROP:
+ PS_DROP_SESSION_STATE(state,
+ "421 4.3.2 Service currently unavailable\r\n");
+ break;
+ case PS_ACT_ENFORCE:
+#endif
+ PS_ENFORCE_SESSION_STATE(state,
+ "450 4.3.2 Service currently unavailable\r\n");
+#if 0
+ break;
+ case PS_ACT_IGNORE:
+ PS_UNFAIL_SESSION_STATE(state, PS_STATE_FLAG_PENAL_FAIL);
+ break;
+ default:
+ msg_panic("%s: unknown penalty action value %d",
+ myname, ps_penal_action);
+ }
+#endif
+ }
+#endif /* NONPROD */
}
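Review bot: the condition "(penalty_left = state->penal_stamp - event_time()) > 0" is applied to a field that other hunks fill with PS_TIME_STAMP_NEW, PS_TIME_STAMP_DISABLED and PS_TIME_STAMP_INVALID, and it does not exclude those sentinels. The test is only correct if every sentinel compares below the current time and time_t is signed; neither assumption is stated. Suggest a comment saying so, or an explicit check that penal_stamp holds a real time stamp before subtracting. Separately, the interleaved "#if 0" blocks leave PS_ENFORCE_SESSION_STATE as the only live statement between fragments of a disabled switch, which is hard to follow; moving the disabled switch into a single "#if 0 ... #else ... #endif" would read better.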
/* ps_print_tests - print postscreen cache record */
if ((state->flags & PS_STATE_MASK_ANY_UPDATE) == 0)
msg_panic("%s: attempt to save a no-update record", myname);
+ /*
+ * Don't record a client as "passed" while subject to penalty. Be sure to
+ * produce correct PASS OLD/NEW logging.
+ *
+ * XXX This needs to be refined - we should not reset the result of tests
+ * that were passed in previous sessions, otherwise a client may never
+ * pass a multi-stage test such as greylisting. One solution is to keep
+ * the original and updated time stamps around, and to save an updated
+ * time stamp only when the corresponding "pass" flag is raised.
+ */
+#ifdef NONPROD
+ if (state->flags & PS_STATE_FLAG_PENAL_FAIL) {
+ state->pregr_stamp = state->dnsbl_stamp = state->pipel_stamp =
+ state->nsmtp_stamp = state->barlf_stamp =
+ ((state->flags & PS_STATE_FLAG_NEW) ?
+ PS_TIME_STAMP_NEW : PS_TIME_STAMP_DISABLED);
+ }
+#endif
+
/*
* Give disabled tests a dummy time stamp so that we don't log a client
* with "pass new" when some disabled test becomes enabled at some later
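Review bot: the chained assignment under "state->flags & PS_STATE_FLAG_PENAL_FAIL" overwrites all five test stamps, so a penalized client loses results it passed in earlier sessions, as the XXX comment above it admits. That should be fixed before the NONPROD guard is ever lifted, since a client under repeated penalty could be kept from completing a multi-stage test. The comment should also say that penal_stamp is deliberately left out of the reset, because a reader scanning the chain will otherwise wonder whether it was forgotten.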
if (var_ps_barlf_enable == 0 && state->barlf_stamp == PS_TIME_STAMP_NEW)
state->barlf_stamp = PS_TIME_STAMP_DISABLED;
- vstring_sprintf(buf, "%lu;%lu;%lu;%lu;%lu",
+ vstring_sprintf(buf, "%lu;%lu;%lu;%lu;%lu;%lu",
(unsigned long) state->pregr_stamp,
(unsigned long) state->dnsbl_stamp,
(unsigned long) state->pipel_stamp,
(unsigned long) state->nsmtp_stamp,
- (unsigned long) state->barlf_stamp);
+ (unsigned long) state->barlf_stamp,
+ (unsigned long) state->penal_stamp);
return (STR(buf));
}
/* limit > 1, a destination is a domain, otherwise it is a recipient.
/* .IP "\fItransport\fB_destination_rate_delay $default_destination_rate_delay
/* Idem, for delivery via the named message \fItransport\fR.
+/* SAFETY CONTROLS
+/* .ad
+/* .fi
+/* .IP "\fBqmgr_daemon_timeout (1000s)\fR"
+/* How much time a Postfix queue manager process may take to handle
+/* a request before it is terminated by a built-in watchdog timer.
+/* .IP "\fBqmgr_ipc_timeout (60s)\fR"
+/* The time limit for the queue manager to send or receive information
+/* over an internal communication channel.
/* MISCELLANEOUS CONTROLS
/* .ad
/* .fi
/* .IP "\fBhelpful_warnings (yes)\fR"
/* Log warnings about problematic configuration settings, and provide
/* helpful suggestions.
-/* .IP "\fBipc_timeout (3600s)\fR"
-/* The time limit for sending or receiving information over an internal
-/* communication channel.
/* .IP "\fBprocess_id (read-only)\fR"
/* The process ID of a Postfix command or daemon process.
/* .IP "\fBprocess_name (read-only)\fR"
int var_conc_feedback_debug;
int var_dest_rate_delay;
char *var_def_filter_nexthop;
+int var_qmgr_daemon_timeout;
+int var_qmgr_ipc_timeout;
static QMGR_SCAN *qmgr_scans[2];
* Left-over active queue entries are moved to the incoming queue because
* the incoming queue has priority; moving left-overs to the deferred
* queue could cause anomalous delays when "postfix reload/start" are
- * issued often.
+ * issued often. Override the IPC timeout (default 3600s) so that the
+ * queue manager can reset a broken IPC channel before the watchdog timer
+ * goes off.
*/
+ var_ipc_timeout = var_qmgr_ipc_timeout;
var_use_limit = 0;
var_idle_limit = 0;
qmgr_move(MAIL_QUEUE_ACTIVE, MAIL_QUEUE_INCOMING, event_time());
VAR_QMGR_CLOG_WARN_TIME, DEF_QMGR_CLOG_WARN_TIME, &var_qmgr_clog_warn_time, 0, 0,
VAR_XPORT_REFILL_DELAY, DEF_XPORT_REFILL_DELAY, &var_xport_refill_delay, 1, 0,
VAR_DEST_RATE_DELAY, DEF_DEST_RATE_DELAY, &var_dest_rate_delay, 0, 0,
+ VAR_QMGR_DAEMON_TIMEOUT, DEF_QMGR_DAEMON_TIMEOUT, &var_qmgr_daemon_timeout, 1, 0,
+ VAR_QMGR_IPC_TIMEOUT, DEF_QMGR_IPC_TIMEOUT, &var_qmgr_ipc_timeout, 1, 0,
0,
};
static const CONFIG_INT_TABLE int_table[] = {
MAIL_SERVER_LOOP, qmgr_loop,
MAIL_SERVER_PRE_ACCEPT, pre_accept,
MAIL_SERVER_SOLITARY,
+ MAIL_SERVER_WATCHDOG, &var_qmgr_daemon_timeout,
0);
}
name);
else {
cpp += 1;
- if (state->helo_name)
+ if (state->helo_name
+ && valid_hostname(state->helo_name, DONT_GRIPE))
status = reject_rbl_domain(state, *cpp, state->helo_name,
SMTPD_NAME_HELO);
}
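Review bot: the added "valid_hostname(state->helo_name, DONT_GRIPE)" condition has no comment explaining which HELO forms it is meant to exclude or why the lookup must be skipped for them. Because DONT_GRIPE is passed, a skipped lookup also leaves no trace in the log, which makes it hard to tell from outside whether the restriction was evaluated. Suggest a short comment above the condition naming the excluded forms, and consider a debug-level log line when the HELO name is skipped.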