postfix-2.11-20130517
authorWietse Venema <wietse@porcupine.org>
Fri, 17 May 2013 05:00:00 +0000 (00:00 -0500)
committerViktor Dukhovni <postfix-users@dukhovni.org>
Sat, 18 May 2013 03:03:20 +0000 (23:03 -0400)
postfix/HISTORY
postfix/src/global/mail_version.h
postfix/src/postscreen/postscreen_early.c

index c09ee501728e2e09063fc41d4d83874073f118e8..506134bbf00c9f1afa60cbc7e796bae9a89fc566 100644 (file)
@@ -18479,3 +18479,11 @@ Apologies for any names omitted.
        Bugfix (introduced: 20130512): postscreen panic because the
        logic for dnsbl result retrieval was changed. Reported by
        Noel Jones. File: postscreen/postscreen_early.c.
+
+20130517
+
+       Cleanup: just like the postscreen DNS block test will use
+       partial scores when some DNS lookup result is unavailable,
+       the postscreen_dnsbl_whitelist_treshold feature will now
+       use partial scores instead of ignoring them.  File:
+       postscreen/postscreen_early.c.
index 89fb80222e807239744260b37c5e5be2a318e50f..761a073570cee396f8bfbaedf4a6a38a261907f4 100644 (file)
@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE      "20130513"
+#define MAIL_RELEASE_DATE      "20130517"
 #define MAIL_VERSION_NUMBER    "2.11"
 
 #ifdef SNAPSHOT
index 265bc0839a587c757aeffd535a1ed430258e4fe1..0bd71350f699e6d64279cb580b9dc748b6af3871 100644 (file)
 static char *psc_teaser_greeting;
 static VSTRING *psc_escape_buf;
 
+/* psc_whitelist_non_dnsbl - whitelist pending non-dnsbl tests */
+
+static void psc_whitelist_non_dnsbl(PSC_STATE *state)
+{
+    time_t  now;
+    int     tindx;
+
+    /*
+     * If no tests failed (we can't undo those), and if the whitelist
+     * threshold is met, flag all other pending or disabled tests as
+     * successfully completed, and set their expiration times equal to the
+     * DNSBL expiration time, except for tests that would expire later.
+     */
+    if ((state->flags & PSC_STATE_MASK_ANY_FAIL) == 0
+       && state->dnsbl_score < var_psc_dnsbl_thresh
+       && var_psc_dnsbl_wthresh < 0
+       && state->dnsbl_score <= var_psc_dnsbl_wthresh) {
+       now = event_time();
+       for (tindx = 0; tindx < PSC_TINDX_COUNT; tindx++) {
+           if (tindx == PSC_TINDX_DNSBL)
+               continue;
+           if ((state->flags & PSC_STATE_FLAG_BYTINDX_TODO(tindx))
+               && !(state->flags & PSC_STATE_FLAG_BYTINDX_PASS(tindx))) {
+               if (msg_verbose)
+                   msg_info("skip %s test for [%s]:%s",
+                        psc_test_name(tindx), PSC_CLIENT_ADDR_PORT(state));
+               /* Wrong for deep protocol tests, but we disable those. */
+               state->flags |= PSC_STATE_FLAG_BYTINDX_DONE(tindx);
+               /* This also disables pending deep protocol tests. */
+               state->flags |= PSC_STATE_FLAG_BYTINDX_PASS(tindx);
+           }
+           /* Update expiration even if the test was completed or disabled. */
+           if (state->expire_time[tindx] < now + var_psc_dnsbl_ttl)
+               state->expire_time[tindx] = now + var_psc_dnsbl_ttl;
+       }
+    }
+}
+
 /* psc_early_event - handle pre-greet, EOF, and DNSBL results. */
 
 static void psc_early_event(int event, char *context)
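Review bot: The block comment in psc_whitelist_non_dnsbl does not say that `state->dnsbl_score` may be a partial score, although the helper is now also reached from the EVENT_TIME path in psc_early_event, where a later comment in this commit states the score is partial when a lookup did not complete. If the missing result is a blocklist reply, the partial score can presumably be lower than the final one, and this helper would then flag every other pending test DONE and PASS and raise each `expire_time[tindx]` to `now + var_psc_dnsbl_ttl` on incomplete data. I would add that to the comment, e.g. `/* Note: on the timer path the score may be partial; the flags and expiry set here are based on it. */`, and also explain why the `state->dnsbl_score < var_psc_dnsbl_thresh` test was added, since the code removed from psc_early_dnsbl_event did not have it. The skip is logged only under `msg_verbose`, so it may be worth considering a non-verbose log line so that a bypass of the remaining tests is visible in normal logs. The helper is complete within this hunk.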
@@ -82,7 +120,8 @@ static void psc_early_event(int event, char *context)
     switch (event) {
 
        /*
-        * We reached the end of the early tests time limit.
+        * We either reached the end of the early tests time limit, or all
+        * early tests completed before the pregreet timer would go off.
         */
     case EVENT_TIME:
 
@@ -102,6 +141,10 @@ static void psc_early_event(int event, char *context)
        }
 
        /*
+        * Collect the DNSBL score, and whitelist other tests if applicable.
+        * Note: this score will be partial when some DNS lookup did not
+        * complete before the pregreet timer expired.
+        * 
         * If the client is DNS blocklisted, drop the connection, send the
         * client to a dummy protocol engine, or continue to the next test.
         */
@@ -110,11 +153,14 @@ static void psc_early_event(int event, char *context)
 #define NO_DNSBL_SCORE INT_MAX
 
        if (state->flags & PSC_STATE_FLAG_DNSBL_TODO) {
-           if (state->dnsbl_score == NO_DNSBL_SCORE)
+           if (state->dnsbl_score == NO_DNSBL_SCORE) {
                state->dnsbl_score =
                    psc_dnsbl_retrieve(state->smtp_client_addr,
                                       &state->dnsbl_name,
                                       state->dnsbl_index);
+               if (var_psc_dnsbl_wthresh < 0)
+                   psc_whitelist_non_dnsbl(state);
+           }
            if (state->dnsbl_score < var_psc_dnsbl_thresh) {
                state->dnsbl_stamp = event_time() + var_psc_dnsbl_ttl;
                PSC_PASS_SESSION_STATE(state, "dnsbl test",
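Review bot: The `if (var_psc_dnsbl_wthresh < 0)` guard added here, and again at the call in psc_early_dnsbl_event, repeats a test that psc_whitelist_non_dnsbl already makes as part of its own condition. Keeping the policy check in one place is safer for a function that skips security tests, because a future call site cannot then whitelist by forgetting or altering the guard; either call `psc_whitelist_non_dnsbl(state);` unconditionally at both sites or document in the helper that callers must test the threshold first. psc_early_event's body starts and ends outside this hunk, so whether other paths set `dnsbl_score` before this branch cannot be confirmed from here.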
@@ -236,44 +282,18 @@ static void psc_early_dnsbl_event(int unused_event, char *context)
 {
     const char *myname = "psc_early_dnsbl_event";
     PSC_STATE *state = (PSC_STATE *) context;
-    time_t  now;
-    int     tindx;
 
     if (msg_verbose)
        msg_info("%s: notify [%s]:%s", myname, PSC_CLIENT_ADDR_PORT(state));
 
     /*
-     * Collect the DNSBL score. If no tests failed (we can't undo those), and
-     * if the whitelist threshold is met, flag all other pending or disabled
-     * tests as successfully completed, and set their expiration times equal
-     * to the DNSBL expiration time, except for tests that would expire
-     * later.
+     * Collect the DNSBL score, and whitelist other tests if applicable.
      */
     state->dnsbl_score =
        psc_dnsbl_retrieve(state->smtp_client_addr, &state->dnsbl_name,
                           state->dnsbl_index);
-    if (var_psc_dnsbl_wthresh < 0
-       && (state->flags & PSC_STATE_MASK_ANY_FAIL) == 0
-       && state->dnsbl_score <= var_psc_dnsbl_wthresh) {
-       now = event_time();
-       for (tindx = 0; tindx < PSC_TINDX_COUNT; tindx++) {
-           if (tindx == PSC_TINDX_DNSBL)
-               continue;
-           if ((state->flags & PSC_STATE_FLAG_BYTINDX_TODO(tindx))
-               && !(state->flags & PSC_STATE_FLAG_BYTINDX_PASS(tindx))) {
-               if (msg_verbose)
-                   msg_info("skip %s test for [%s]:%s",
-                        psc_test_name(tindx), PSC_CLIENT_ADDR_PORT(state));
-               /* Wrong for deep protocol tests, but we disable those. */
-               state->flags |= PSC_STATE_FLAG_BYTINDX_DONE(tindx);
-               /* This also disables pending deep protocol tests. */
-               state->flags |= PSC_STATE_FLAG_BYTINDX_PASS(tindx);
-           }
-           /* Update expiration even if the test was completed or disabled. */
-           if (state->expire_time[tindx] < now + var_psc_dnsbl_ttl)
-               state->expire_time[tindx] = now + var_psc_dnsbl_ttl;
-       }
-    }
+    if (var_psc_dnsbl_wthresh < 0)
+       psc_whitelist_non_dnsbl(state);
 
     /*
      * Terminate the greet delay if we're just waiting for DNSBL lookup to