third-party patches such as TLS that introduce their own
files into the jail.
- Feature: disable the PIX workaround for mail that is queued
- for less than $minimal_backoff_time seconds.
-
Feature: static map type that always returns the map name
as lookup value, regardless of lookup key value. Contributed
Jeff Miller (jeffm at ghostgun.com)
+ Feature: turn off the PIX <CR><LF>.<CR><LF> workaround for
+ the first mail delivery attempt, i.e. when mail is queued
+ for less than $smtp_pix_workaround_threshold_time (default:
+ 500) seconds. New parameter $smtp_pix_workaround_delay_time
+ to control the delay before sending .<CR><LF> (default: 10
+ seconds) when doing the PIX <CR><LF>.<CR><LF> workaround.
+
Open problems:
Low: after reorganizing configuration parameters, add flags
+Incompatible changes with snapshot-20011210
+===========================================
+
+Postfix SMTPD access maps no longer match non-local mail addresses
+that contain multiple domains (user@dom1@dom2, user%dom1@dom2,
+etcetera). This change prevents false or spurious matches.
+Non-local multi-domain addresses are already prohibited from matching
+permit_mx_backup and the relay_domains-based restrictions.
+
+Stricter checking of Postfix chroot configurations. The Postfix
+startup procedure now warns if "system" directories (etc, bin, lib,
+usr) under the Postfix top-level queue directory are not owned by
+the super-user (usually the result of well-intended, but misguided,
+applications of "chroot -R postfix /var/spool/postfix).
+
+The Postfix sendmail command no longer exits with status 1 when
+mail submission fails, but instead returns a sendmail-compatible
+status code as defined in /usr/include/sysexits.h.
+
+Major changes with snapshot-20011210
+====================================
+
+Updated LDAP client module by LaMont Jones, with control over
+verbose logging of LDAP library routines.
+
+More usable virtual delivery agent, thanks to a new "static" map
+type by Jeff Miller that always returns its map name as the lookup
+result. This eliminates the need for per-recipient user ID and
+group ID tables. See the VIRTUAL_README file for more details.
+
+Much-needed documentation on how to configure header/body filters:
+sample regexp and pcre lookup tables for header/body filtering,
+and updated examples in the regexp_table(5) and pcre_table(5) manual
+pages.
+
+Configurable PIX firewall <CR><LF>.<CR><LF> bug workaround behavior:
+the workaround is turned off when mail is queued for less than
+$smtp_pix_workaround_threshold_time seconds (default: 500 seconds)
+so that the workaround is normally enabled only for deferred mail.
+The delay before sending .<CR><LF> is now controlled by the
+$smtp_pix_workaround_delay_time setting (default: 10 seconds).
+
Major changes with snapshot-20011127
====================================
This code was created by Andrew McNamara <andrew@connect.com.au>
-and adapted to snapshot 50001121 by Xavier Beaudouin. It was merged
-with mainstream Postfix for 20010128 by Wietse.
+and adapted to snapshot 20001121 by Xavier Beaudouin. It was merged
+with mainstream Postfix for snapshot 20010128 by Wietse.
Purpose of this software
========================
agent available.
"This code is designed for ISP's who offer virtual mail hosting.
-It looks up the location, uid and gid of user mailboxes via separate
+It looks up the user mailbox location, uid and gid via separate
maps, and the mailbox location map can specify either mailbox or
maildir delivery (controlled by trailing slash on mailbox name).
find with Postfix.
This delivery agent requires three different lookup tables in order
-to define its recipients. This is because Postfix table lookups
-can't return multiple results. Until that limitation is fixed, use
-an LDAP or MYSQL database if it is too inconvenient for you to
-maintain three parallel tables (or generate the three tables from
-one common template).
+to define its recipients as (mailbox path, user ID, group ID). This
+is because Postfix table lookups can't return multiple results.
+
+If your virtual mailboxes are all owned by the same user/group ID,
+just specify "static" maps that always return the same result. See
+below for examples.
+
+If your virtual mailboxes must be owned by different user/group
+IDs, and if it is too inconvenient for you to maintain three parallel
+tables, use an LDAP or MYSQL database (or generate the three parallel
+tables from one common template).
Configuration parameters
========================
virtual_mailbox_size
- An upper limit on the size of a mailbox or maildir file.
+ An upper limit on the size of a mailbox file or maildir file.
Example 1: using the virtual delivery agent for all local mail
==============================================================
# Example recipients, one UNIX-style mailbox, one qmail-style maildir:
/etc/postfix/vmailbox:
+ virtual1.domain dummy to prevent relay access denied errors
+ virtual2.domain dummy to prevent relay access denied errors
test1@virtual1.domain test1
test2@virtual2.domain test2/
# Example recipients, one UNIX-style mailbox, one qmail-style maildir:
/etc/postfix/vmailbox:
+ virtual1.domain dummy to prevent relay access denied errors
+ virtual2.domain dummy to prevent relay access denied errors
test1@virtual1.domain test1
test2@virtual2.domain test2/
# string may need to be written as ${n} or $(n) if they
# aren't followed by whitespace.
#
-# EXAMPLES
+# EXAMPLE SMTPD ACCESS MAP
# # Protect your outgoing majordomo exploders
-# /^(?!owner-)(.*)-outgoing@(my.domain)$/ 550 Use ${1}@${2} instead
+# /^(?!owner-)(.*)-outgoing@/ 550 Use ${1}@${2} instead
#
# # Bounce friend@whatever, except when whatever is our domain (you would
# # be better just bouncing all friend@ mail - this is just an example).
-# /^friend@(?!my.domain).*$/ 550 Stick this in your pipe $0
+# /^friend@(?!my\.domain)/ 550 Stick this in your pipe $0
#
# # A multi-line entry. The text is sent as one line.
# #
-# /^noddy@connect.com.au$/
+# /^noddy@my\.domain$/
# 550 This user is a funny one. You really don't want to send mail to
# them as it only makes their head spin.
#
+# EXAMPLE HEADER FILTER MAP
+# /^Subject: make money fast/ REJECT
+# /^To: friend@public\.com/ REJECT
+#
# SEE ALSO
# regexp_table(5) format of POSIX regular expression tables
#
# macros in the result string may need to be written as ${n}
# or $(n) if they aren't followed by whitespace.
#
-# EXAMPLES
+# EXAMPLE SMTPD ACCESS MAP
# # Disallow sender-specified routing. This is a must if you relay mail
# # for other domains.
# /[%!@].*[%!@]/ 550 Sender-specified routing rejected
#
# # Postmaster is OK, that way they can talk to us about how to fix
# # their problem.
-# /^postmaster@.*$/ OK
+# /^postmaster@/ OK
#
# # Protect your outgoing majordomo exploders
-# /^(.*)-outgoing@(.*)$/!/^owner-.*/ 550 Use ${1}@${2} instead
+# /^(.*)-outgoing@(.*)$/!/^owner-/ 550 Use ${1}@${2} instead
+#
+# EXAMPLE HEADER FILTER MAP
+# # These were once common in junk mail.
+# /^Subject: make money fast/ REJECT
+# /^To: friend@public\.com/ REJECT
#
# SEE ALSO
# pcre_table(5) format of PCRE tables
#
# Sample pcre (PERL-compatible regular expression) map file for
-# SMTPD access control. See pcre_table(5) for syntax description.
+# SMTPD access control. See pcre_table(5) and access(5) for
+# syntax descriptions.
#
# The first field is a perl-like regular expression. The expression
# delimiter can be any character except whitespace, or characters
# Protect your outgoing majordomo exploders
#
-/^(?!owner-)(.*)-outgoing@(connect.com.au)$/ 550 Use ${1}@${2} instead
+/^(?!owner-)(.*)-outgoing@/ 550 Use ${1}@${2} instead
# Bounce friend@whatever, except when whatever is our domain (you would
# be better just bouncing all friend@ mail - this is just an example).
#
-/^friend@(?!connect.com.au).*$/ 550 Stick this in your pipe $0
+/^friend@(?!my\.domain)/ 550 Stick this in your pipe $0
# A multi-line response
#
-/^noddy@connect.com.au$/
+/^noddy@my\.domain$/
550 This user is a funny one. You really don't want to send mail to them
as it only makes their head spin.
--- /dev/null
+#
+# Sample pcre (PERL-compatible regular expression) map file for
+# mail body filtering. See pcre_table(5) for syntax description.
+#
+# Mail body lines are filtered one line at a time. In particular,
+# multi-line MIME headers in the message body are filtered one text
+# line at a time.
+#
+# The first field is a perl-like regular expression. The expression
+# delimiter can be any character except whitespace, or characters
+# that have special meaning to the regexp library (traditionally
+# the forward slash is used). The regular expression can contain
+# whitespace.
+#
+# By default, matching is case-INsensitive, although following
+# the second slash with an 'i' will reverse this. Other flags are
+# supported, but the only other useful one is 'U', which makes
+# matching ungreedy (see PCRE documentation and source for more
+# info).
+#
+# The second field is the "replacement" string - the text
+# returned by the match.
+#
+# REJECT The entire message is rejected.
+# REJECT text.... The text is sent to the originator.
+# IGNORE The line is silently discarded.
+# WARN The line is logged (not rejected) with a warning.
+#
+# Substitution of sub-strings from the matched expression is
+# possible using the conventional perl syntax. The macros in the
+# replacement string may need to be protected with curly braces
+# if they aren't followed by whitespace (see the examples
+# below).
+#
+# Lines starting with whitespace are continuation lines - they are
+# appended to the previous line (there should be no whitespace
+# before your regular expression!)
+#
--- /dev/null
+#
+# Sample pcre (PERL-compatible regular expression) map file for
+# message header filtering. See pcre_table(5) for syntax description.
+#
+# Message headers are filtered one at a time. This filter understands
+# multi-line message headers. However, the message header filter has
+# no knowledge of MIME headers that are embedded in the message body.
+#
+# The first field is a perl-like regular expression. The expression
+# delimiter can be any character except whitespace, or characters
+# that have special meaning to the regexp library (traditionally
+# the forward slash is used). The regular expression can contain
+# whitespace.
+#
+# By default, matching is case-INsensitive, although following
+# the second slash with an 'i' will reverse this. Other flags are
+# supported, but the only other useful one is 'U', which makes
+# matching ungreedy (see PCRE documentation and source for more
+# info).
+#
+# The second field is the "replacement" string - the text
+# returned by the match.
+#
+# REJECT The entire message is rejected.
+# REJECT text.... The text is sent to the originator.
+# IGNORE The header line is silently discarded.
+# WARN The header is logged (not rejected) with a warning.
+#
+# Substitution of sub-strings from the matched expression is
+# possible using the conventional perl syntax. The macros in the
+# replacement string may need to be protected with curly braces
+# if they aren't followed by whitespace (see the examples
+# below).
+#
+# Lines starting with whitespace are continuation lines - they are
+# appended to the previous line (there should be no whitespace
+# before your regular expression!)
+#
+
+/^Subject: Make Money Fast/ REJECT
+/^To: friend@public.com/ REJECT
# Sample regexp SMTPD access lookup "table". See regexp_table(5)
-# for a description of the syntax.
+# and access(5) for a description of the syntax.
#
-# Format is /regexp/flags or /regexp/flags!/regexp/flags
+# The general format of a table entry is PATTERN RESULT.
+#
+# The pattern format is /regexp/flags or /regexp/flags!/regexp/flags
# where regexp is a regular expression as found in regexp(5), and flags are
# i: toggle ignore case (REG_ICASE - default is to ignore case)
# x: toggle extended expression (REG_EXTENDED - default is extended)
# In order for a line to match, the first regexp must match, and the
# second (if present) must not match. The first matching line wins,
# terminating processing of the ruleset.
+#
+# The result syntax is described in the access(5) manual page.
# Disallow sender-specified routing. This is a must if you relay mail
#for other domains.
/[%!@].*@/ 550 Sender-specified routing rejected
# Postmaster is OK, that way they can talk to us about how to fix their problem.
-/^postmaster@.*$/ OK
+/^postmaster@/ OK
# Protect your outgoing majordomo exploders
/^(.*)-outgoing@(.*)$/!/^owner-.*/ 550 Use ${1}@${2} instead
--- /dev/null
+# Sample regexp message body filter lookup "table". See regexp_table(5)
+# for a description of the syntax.
+#
+# Mail body lines are filtered one line at a time. In particular, multi-line
+# MIME headers in the message body are filtered one text line at a time.
+#
+# The general format of a table entry is PATTERN RESULT.
+#
+# The pattern format is /regexp/flags or /regexp/flags!/regexp/flags
+# where regexp is a regular expression as found in regexp(5), and flags are
+# i: toggle ignore case (REG_ICASE - default is to ignore case)
+# x: toggle extended expression (REG_EXTENDED - default is extended)
+# m: toggle multiline mode (REG_NEWLINE - default is non-multiline mode)
+#
+# In order for a line to match, the first regexp must match, and the
+# second (if present) must not match. The first matching line wins,
+# terminating processing of the ruleset.
+#
+# The result is one of the following:
+# REJECT The entire message is rejected.
+# REJECT text.... The text is sent to the originator.
+# IGNORE The header line is silently discarded.
+# WARN The header is logged (not rejected) with a warning.
+
+/^Subject: Make Money Fast/ REJECT
+/^To: friend@public.com/ REJECT
--- /dev/null
+# Sample regexp message header filter lookup "table". See regexp_table(5)
+# for a description of the syntax.
+#
+# Message headers are filtered one at a time. This filter understands
+# multi-line mail headers. However, the message header filter has no
+# knowledge of MIME headers that are embedded in the message body.
+#
+# The general format of a table entry is PATTERN RESULT.
+#
+# The pattern format is /regexp/flags or /regexp/flags!/regexp/flags
+# where regexp is a regular expression as found in regexp(5), and flags are
+# i: toggle ignore case (REG_ICASE - default is to ignore case)
+# x: toggle extended expression (REG_EXTENDED - default is extended)
+# m: toggle multiline mode (REG_NEWLINE - default is non-multiline mode)
+#
+# In order for a line to match, the first regexp must match, and the
+# second (if present) must not match. The first matching line wins,
+# terminating processing of the ruleset.
+#
+# The result is one of the following:
+# REJECT the entire message is rejected.
+# REJECT text.... The text is sent to the originator.
+# IGNORE the header line is silently discarded.
+# WARN the header is logged (not rejected) with a warning.
+
+/^Subject: Make Money Fast/ REJECT
+/^To: friend@public.com/ REJECT
#
smtp_skip_quit_response = yes
+# The smtp_pix_workaround_sleep_time parameter specifies how long
+# the Postfix SMTP client pauses before sending .<CR><LF>, in order
+# to work around the PIX firewall <CR><LF>.<CR><LF> bug.
+#
+# The default delay is 10 seconds. Choosing a too short time makes
+# this workaround ineffective while sending large messages over slow
+# network connections.
+#
+smtp_pix_workaround_delay_time = 10s
+
+# The smtp_pix_workaround_threshold_time parameter specifies how
+# long a message must be queued before the PIX firewall <CR><LF>.<CR><LF>
+# bug workaround is turned on.
+#
+# By default, the workaround is turned off for mail that is queued
+# for less than 500 seconds. In other words, the workaround is normally
+# turned off for the first delivery attempt.
+#
+# Specify 0 to enable the PIX firewall <CR><LF>.<CR><LF> bug workaround
+# upon the first delivery attempt.
+#
+smtp_pix_workaround_threshold_time = 500s
+
#
# RATE CONTROLS
#
# be tricked into forwarding junk mail to a primary MX host which
# then spams it out to the world.
#
+# This parameter also controls if non-local addresses with sender-specified
+# routing can match Postfix access tables. By default, such addresses
+# cannot match Postfix access tables, because the address is ambigous.
+#
allow_untrusted_routing = no
# The maps_rbl_domains parameter specifies an optional list of DNS
# details and for default values. Use the postfix reload
# command after a configuration change.
#
+# parent_domain_matches_subdomains (versions >= 20011119)
+# List of Postfix features that use domain.name pat-
+# terns to match sub.domain.name (as opposed to
+# requiring .domain.name patterns).
+#
# transport_maps
# List of transport lookup tables.
#
# postmap(1) create mapping table
# trivial-rewrite(8) rewrite and resolve addresses
# pcre_table(5) format of PCRE tables
+#
+# 3
+#
+# TRANSPORT(5) TRANSPORT(5)
+#
# regexp_table(5) format of POSIX regular expression tables
#
# LICENSE
# The Secure Mailer license must be distributed with this
# software.
#
-# 3
-#
-# TRANSPORT(5) TRANSPORT(5)
-#
# AUTHOR(S)
# Wietse Venema
# IBM T.J. Watson Research
string may need to be written as ${n} or $(n) if they
aren't followed by whitespace.
-<b>EXAMPLES</b>
+<b>EXAMPLE</b> <b>SMTPD</b> <b>ACCESS</b> <b>MAP</b>
# Protect your outgoing majordomo exploders
- /^(?!owner-)(.*)-outgoing@(my.domain)$/ 550 Use ${1}@${2} instead
+ /^(?!owner-)(.*)-outgoing@/ 550 Use ${1}@${2} instead
# Bounce friend@whatever, except when whatever is our domain (you would
# be better just bouncing all friend@ mail - this is just an example).
- /^friend@(?!my.domain).*$/ 550 Stick this in your pipe $0
+ /^friend@(?!my\.domain).*$/ 550 Stick this in your pipe $0
# A multi-line entry. The text is sent as one line.
#
- /^noddy@connect.com.au$/
+ /^noddy@my\.domain$/
550 This user is a funny one. You really don't want to send mail to
them as it only makes their head spin.
+<b>EXAMPLE</b> <b>HEADER</b> <b>FILTER</b> <b>MAP</b>
+ /^Subject: make money fast/ REJECT
+ /^To: friend@public\.com/ REJECT
+
<b>SEE</b> <b>ALSO</b>
<a href="regexp_table.5.html">regexp_table(5)</a> format of POSIX regular expression tables
macros in the result string may need to be written as ${n}
or $(n) if they aren't followed by whitespace.
-<b>EXAMPLES</b>
+<b>EXAMPLE</b> <b>SMTPD</b> <b>ACCESS</b> <b>MAP</b>
# Disallow sender-specified routing. This is a must if you relay mail
# for other domains.
/[%!@].*[%!@]/ 550 Sender-specified routing rejected
# Protect your outgoing majordomo exploders
/^(.*)-outgoing@(.*)$/!/^owner-.*/ 550 Use ${1}@${2} instead
+<b>EXAMPLE</b> <b>HEADER</b> <b>FILTER</b> <b>MAP</b>
+ # These were once common in junk mail.
+ /^Subject: make money fast/ REJECT
+ /^To: friend@public\.com/ REJECT
+
<b>SEE</b> <b>ALSO</b>
<a href="pcre_table.5.html">pcre_table(5)</a> format of PCRE tables
<b>smtp</b><i>_</i><b>never</b><i>_</i><b>send</b><i>_</i><b>ehlo</b>
Never send EHLO at the start of a connection.
+ <b>smtp</b><i>_</i><b>bind</b><i>_</i><b>address</b>
+ Numerical source network address to bind to when
+ making a connection.
+
<b>smtp</b><i>_</i><b>break</b><i>_</i><b>lines</b>
Break lines > <b>$line</b><i>_</i><b>length</b><i>_</i><b>limit</b> into multiple
shorter lines. Some SMTP servers misbehave on long
lines.
<b>smtp</b><i>_</i><b>skip</b><i>_</i><b>4xx</b><i>_</i><b>greeting</b>
- Skip servers that greet us with a 4xx status code.
+ Skip servers that greet us with a 4xx status code.
<b>smtp</b><i>_</i><b>skip</b><i>_</i><b>5xx</b><i>_</i><b>greeting</b>
- Skip servers that greet us with a 5xx status code.
+ Skip servers that greet us with a 5xx status code.
<b>smtp</b><i>_</i><b>skip</b><i>_</i><b>quit</b><i>_</i><b>response</b>
- Do not wait for the server response after sending
+ Do not wait for the server response after sending
QUIT.
- <b>smtp</b><i>_</i><b>bind</b><i>_</i><b>address</b>
- Numerical network address to bind to when making a
- connection.
+ <b>smtp</b><i>_</i><b>pix</b><i>_</i><b>workaround</b><i>_</i><b>delay</b><i>_</i><b>time</b>
+ The time to pause before sending .<CR><LF>, while
+ working around the CISCO PIX firewall
+ <CR><LF>.<CR><LF> bug.
+
+ <b>smtp</b><i>_</i><b>pix</b><i>_</i><b>workaround</b><i>_</i><b>threshold</b><i>_</i><b>time</b>
+ The time a message must be queued before the CISCO
+ PIX firewall <CR><LF>.<CR><LF> bug workaround is
+ turned on.
<b>Authentication</b> <b>controls</b>
<b>smtp</b><i>_</i><b>enable</b><i>_</i><b>sasl</b><i>_</i><b>auth</b>
string is possible using the conventional perl syntax ($1, $2, etc.).
The macros in the result string may need to be written as ${n}
or $(n) if they aren't followed by whitespace.
-.SH EXAMPLES
+.SH EXAMPLE SMTPD ACCESS MAP
.na
.nf
# Protect your outgoing majordomo exploders
-/^(?!owner-)(.*)-outgoing@(my\.domain)$/ 550 Use ${1}@${2} instead
+/^(?!owner-)(.*)-outgoing@/ 550 Use ${1}@${2} instead
# Bounce friend@whatever, except when whatever is our domain (you would
# be better just bouncing all friend@ mail - this is just an example).
-/^friend@(?!my\.domain).*$/ 550 Stick this in your pipe $0
+/^friend@(?!my\\.domain)/ 550 Stick this in your pipe $0
# A multi-line entry. The text is sent as one line.
#
-/^noddy@connect\.com\.au$/
+/^noddy@my\\.domain$/
\ 550 This user is a funny one. You really don't want to send mail to
\ them as it only makes their head spin.
+.SH EXAMPLE HEADER FILTER MAP
+.na
+.nf
+/^Subject: make money fast/ REJECT
+/^To: friend@public\\.com/ REJECT
.SH SEE ALSO
.na
.nf
string is possible using $1, $2, etc.. The macros in the result string
may need to be written as ${n} or $(n) if they aren't followed
by whitespace.
-.SH EXAMPLES
+.SH EXAMPLE SMTPD ACCESS MAP
.na
.nf
# Disallow sender-specified routing. This is a must if you relay mail
# Postmaster is OK, that way they can talk to us about how to fix
# their problem.
-/^postmaster@.*$/ OK
+/^postmaster@/ OK
# Protect your outgoing majordomo exploders
-/^(.*)-outgoing@(.*)$/!/^owner-.*/ 550 Use ${1}@${2} instead
+/^(.*)-outgoing@(.*)$/!/^owner-/ 550 Use ${1}@${2} instead
+.SH EXAMPLE HEADER FILTER MAP
+.na
+.nf
+# These were once common in junk mail.
+/^Subject: make money fast/ REJECT
+/^To: friend@public\\.com/ REJECT
.SH SEE ALSO
.na
.nf
Always send EHLO at the start of a connection.
.IP \fBsmtp_never_send_ehlo\fR
Never send EHLO at the start of a connection.
+.IP \fBsmtp_bind_address\fR
+Numerical source network address to bind to when making a connection.
.IP \fBsmtp_break_lines\fR
Break lines > \fB$line_length_limit\fR into multiple shorter lines.
Some SMTP servers misbehave on long lines.
Skip servers that greet us with a 5xx status code.
.IP \fBsmtp_skip_quit_response\fR
Do not wait for the server response after sending QUIT.
-.IP \fBsmtp_bind_address\fR
-Numerical network address to bind to when making a connection.
+.IP \fBsmtp_pix_workaround_delay_time\fR
+The time to pause before sending .<CR><LF>, while working
+around the CISCO PIX firewall <CR><LF>.<CR><LF> bug.
+.IP \fBsmtp_pix_workaround_threshold_time\fR
+The time a message must be queued before the CISCO PIX firewall
+<CR><LF>.<CR><LF> bug workaround is turned on.
.SH "Authentication controls"
.IP \fBsmtp_enable_sasl_auth\fR
Enable per-session authentication as per RFC 2554 (SASL).
# string is possible using the conventional perl syntax ($1, $2, etc.).
# The macros in the result string may need to be written as ${n}
# or $(n) if they aren't followed by whitespace.
-# EXAMPLES
+# EXAMPLE SMTPD ACCESS MAP
# # Protect your outgoing majordomo exploders
-# /^(?!owner-)(.*)-outgoing@(my\.domain)$/ 550 Use ${1}@${2} instead
+# /^(?!owner-)(.*)-outgoing@/ 550 Use ${1}@${2} instead
#
# # Bounce friend@whatever, except when whatever is our domain (you would
# # be better just bouncing all friend@ mail - this is just an example).
-# /^friend@(?!my\.domain).*$/ 550 Stick this in your pipe $0
+# /^friend@(?!my\\.domain)/ 550 Stick this in your pipe $0
#
# # A multi-line entry. The text is sent as one line.
# #
-# /^noddy@connect\.com\.au$/
+# /^noddy@my\\.domain$/
# \ 550 This user is a funny one. You really don't want to send mail to
# \ them as it only makes their head spin.
+# EXAMPLE HEADER FILTER MAP
+# /^Subject: make money fast/ REJECT
+# /^To: friend@public\\.com/ REJECT
# SEE ALSO
# regexp_table(5) format of POSIX regular expression tables
# AUTHOR(S)
# string is possible using $1, $2, etc.. The macros in the result string
# may need to be written as ${n} or $(n) if they aren't followed
# by whitespace.
-# EXAMPLES
+# EXAMPLE SMTPD ACCESS MAP
# # Disallow sender-specified routing. This is a must if you relay mail
# # for other domains.
# /[%!@].*[%!@]/ 550 Sender-specified routing rejected
#
# # Postmaster is OK, that way they can talk to us about how to fix
# # their problem.
-# /^postmaster@.*$/ OK
+# /^postmaster@/ OK
#
# # Protect your outgoing majordomo exploders
-# /^(.*)-outgoing@(.*)$/!/^owner-.*/ 550 Use ${1}@${2} instead
+# /^(.*)-outgoing@(.*)$/!/^owner-/ 550 Use ${1}@${2} instead
+# EXAMPLE HEADER FILTER MAP
+# # These were once common in junk mail.
+# /^Subject: make money fast/ REJECT
+# /^To: friend@public\\.com/ REJECT
# SEE ALSO
# pcre_table(5) format of PCRE tables
# AUTHOR(S)
#define DEF_SMTP_BREAK_LINES 1
extern bool var_smtp_break_lines;
+#define VAR_SMTP_PIX_THRESH "smtp_pix_workaround_threshold_time"
+#define DEF_SMTP_PIX_THRESH "500s"
+extern int var_smtp_pix_thresh;
+
+#define VAR_SMTP_PIX_DELAY "smtp_pix_workaround_delay_time"
+#define DEF_SMTP_PIX_DELAY "10s"
+extern int var_smtp_pix_delay;
+
/*
* SMTP server. The soft error limit determines how many errors an SMTP
* client may make before we start to slow down; the hard error limit
sleep(10);
}
argv_free(export_env);
+ vstream_control(stream,
+ VSTREAM_CTL_PATH, command,
+ VSTREAM_CTL_END);
if (attr_scan(stream, ATTR_FLAG_MISSING,
ATTR_TYPE_STR, MAIL_ATTR_QUEUEID, id_buf, 0) != 1) {
MAIL_CLASS_PUBLIC, MAIL_SERVICE_PICKUP);
sendmail_path = mystrdup(VSTREAM_PATH(handle->stream));
} else {
+ errno = 0;
postdrop_command = concatenate(var_command_dir, "/postdrop",
msg_verbose ? " -v" : (char *) 0, (char *) 0);
if ((handle = mail_stream_command(postdrop_command)) == 0)
/* Always send EHLO at the start of a connection.
/* .IP \fBsmtp_never_send_ehlo\fR
/* Never send EHLO at the start of a connection.
+/* .IP \fBsmtp_bind_address\fR
+/* Numerical source network address to bind to when making a connection.
/* .IP \fBsmtp_break_lines\fR
/* Break lines > \fB$line_length_limit\fR into multiple shorter lines.
/* Some SMTP servers misbehave on long lines.
/* Skip servers that greet us with a 5xx status code.
/* .IP \fBsmtp_skip_quit_response\fR
/* Do not wait for the server response after sending QUIT.
-/* .IP \fBsmtp_bind_address\fR
-/* Numerical network address to bind to when making a connection.
+/* .IP \fBsmtp_pix_workaround_delay_time\fR
+/* The time to pause before sending .<CR><LF>, while working
+/* around the CISCO PIX firewall <CR><LF>.<CR><LF> bug.
+/* .IP \fBsmtp_pix_workaround_threshold_time\fR
+/* The time a message must be queued before the CISCO PIX firewall
+/* <CR><LF>.<CR><LF> bug workaround is turned on.
/* .SH "Authentication controls"
/* .IP \fBsmtp_enable_sasl_auth\fR
/* Enable per-session authentication as per RFC 2554 (SASL).
char *var_smtp_bind_addr;
bool var_smtp_rand_addr;
bool var_smtp_break_lines;
-int var_min_backoff_time;
+int var_smtp_pix_thresh;
+int var_smtp_pix_delay;
/*
* Global variables. smtp_errno is set by the address lookup routines and by
VAR_SMTP_DATA1_TMOUT, DEF_SMTP_DATA1_TMOUT, &var_smtp_data1_tmout, 1, 0,
VAR_SMTP_DATA2_TMOUT, DEF_SMTP_DATA2_TMOUT, &var_smtp_data2_tmout, 1, 0,
VAR_SMTP_QUIT_TMOUT, DEF_SMTP_QUIT_TMOUT, &var_smtp_quit_tmout, 1, 0,
- VAR_MIN_BACKOFF_TIME, DEF_MIN_BACKOFF_TIME, &var_min_backoff_time, 1, 0,
+ VAR_SMTP_PIX_THRESH, DEF_SMTP_PIX_THRESH, &var_smtp_pix_thresh, 0, 0,
+ VAR_SMTP_PIX_DELAY, DEF_SMTP_PIX_DELAY, &var_smtp_pix_delay, 1, 0,
0,
};
static CONFIG_INT_TABLE int_table[] = {
smtp_fputs("", 0, session->stream);
if ((state->features & SMTP_FEATURE_MAYBEPIX) != 0
&& request->arrival_time < vstream_ftime(session->stream)
- - var_min_backoff_time) {
+ - var_smtp_pix_thresh) {
msg_info("%s: enabling PIX <CRLF>.<CRLF> workaround for %s",
request->queue_id, session->namaddr);
vstream_fflush(session->stream);/* hurts performance */
- sleep(10); /* not to mention this */
+ sleep(var_smtp_pix_delay); /* not to mention this */
}
if (vstream_ferror(state->src))
msg_fatal("queue file read error");
/*
* Avoid surprise matches with source-routed, non-local addresses.
*/
- if (!resolve_local(ratsign + 1) && (reply->flags & RESOLVE_FLAG_ROUTED))
+ if (var_allow_untrust_route == 0
+ && (reply->flags & RESOLVE_FLAG_ROUTED)
+ && !resolve_local(ratsign + 1))
return (SMTPD_CHECK_DUNNO);
/*
/* recipient address.
/* .IP "\fB-s \fIsession_count\fR"
/* Run the specified number of SMTP sessions in parallel (default: 1).
+/* .IP "\fB-S \fIsubject\fR"
+/* Send mail with the named subject line (default: none).
/* .IP "\fB-t \fIto\fR"
/* Use the specified recipient address (default: <foo@myhostname>).
/* .IP "\fB-R \fIinterval\fR"
static int random_delay = 0;
static int fixed_delay = 0;
static int talk_lmtp = 0;
+static char *subject = 0;
static void enqueue_connect(SESSION *);
static void start_connect(SESSION *);
smtp_printf(session->stream, "Date: %s", mydate);
smtp_printf(session->stream, "Message-Id: <%04x.%04x.%04x@%s>",
mypid, vstream_fileno(session->stream), message_count, var_myhostname);
+ if (subject)
+ smtp_printf(session->stream, "Subject: %s", subject);
smtp_fputs("", 0, session->stream);
}
/*
* Parse JCL.
*/
- while ((ch = GETOPT(argc, argv, "cC:df:l:Lm:or:R:s:t:vw:")) > 0) {
+ while ((ch = GETOPT(argc, argv, "cC:df:l:Lm:or:R:s:S:t:vw:")) > 0) {
switch (ch) {
case 'c':
count++;
if ((sessions = atoi(optarg)) <= 0)
usage(argv[0]);
break;
+ case 'S':
+ subject = optarg;
+ break;
case 't':
recipient = optarg;
break;
projects / thirdparty / postfix.git / commitdiff
