This is a very first implementation of Postfix content filtering.
A Postfix content filter receives unfiltered mail from Postfix and
-re-injects filtered mail back into Postfix.
+either bounces the mail or re-injects filtered mail back into Postfix.
It involves an incompatible change to queue file formats. Older
Postfix versions will reject mail that needs to be content filtered,
content filtered.
..................................
- . Postfix .
- ------smtpd \ /local-----
- . -cleanup->queue- .
- -----pickup / \smtp------
- ^ . | .
- | . \pipe-----+
+ : Postfix :
+ ----->smtpd \ /local---->
+ : -cleanup->queue- :
+ ---->pickup / \smtp----->
+ ^ : | :
+ | : \pipe-----+
| .................................. |
| |
| |
+------sendmail<-------filter<---------+
-Create a dedicated local user account called "filter". The user
-will never log in, and can be given a "*" password and non-existent
-shell and home.
+1 - Create a dedicated local user account called "filter". The
+ user will never log in, and can be given a "*" password and
+ non-existent shell and home directory. This user handles all
+ potentially dangerous mail content - that is why it should be
+ a separate account.
-Create a directory /var/spool/filter that is accessible only to
-the "filter" user. This is where the content filtering will store
-its temporary files.
+2 - Create a directory /var/spool/filter that is accessible only
+ to the "filter" user. This is where the content filtering will
+ store its temporary files.
-Define a content filtering entry in the Postfix master file:
+3 - Define a content filtering entry in the Postfix master file:
/etc/postfix/master.cf:
- filter unix - n n - - pipe
- user=filter argv=/some/where/filter -f ${sender} -- ${recipient}
+ filter unix - n n - - pipe
+ flags=R user=filter argv=/some/where/filter -f ${sender} -- ${recipient}
-The filter program can start out as a simple shell script like this:
+The /some/where/filter program can be a simple shell script like this:
#!/bin/sh
exit status of the filter command is whatever exit status Postfix
sendmail produces.
-The problem with content filters like this is that they are not
-very robust, because the software does not talk a well-defined
-protocol with Postfix. If the filter shell script aborts because
-the shell runs into some memory allocation problem, the script will
-not produce a nice exit status as per /usr/include/sysexits.h and
-mail will probably bounce. The same lack of robustness is possible
-when the content filtering software itself runs into a resource
-problem.
-
I suggest that you play with this script for a while until you are
-satisfied with the results. Run it as root or as the filter user,
-with a real message (headers+body) as input:
+satisfied with the results. Run it as the filter user, with a real
+message (headers+body) as input:
- # /some/where/filter -f sender recipient... <message-file
+ % /some/where/filter -f sender recipient... <message-file
Turn on content filtering for mail arriving via SMTP only, by
appending "-o content_filter=filter:dummy" to the master.cf
The content_filter configuration parameter accepts the same
syntax as the right-hand side in a Postfix transport table.
-Postfix snapshot-20000529 requires that you specify a dummy
-destination as shown in the example. This is no longer necessary
-with later Postfix versions.
+Simple content filter limitations
+=================================
+
+The problem with content filters like the one above is that they
+are not very robust, because the software does not talk a well-defined
+protocol with Postfix. If the filter shell script aborts because
+the shell runs into some memory allocation problem, the script will
+not produce a nice exit status as per /usr/include/sysexits.h and
+mail will probably bounce. The same lack of robustness is possible
+when the content filtering software itself runs into a resource
+problem.
Advanced content filtering example
===================================
submits mail back into Postfix via localhost port 10026.
..................................
- . Postfix .
- ------smtpd \ /local-----
- . -cleanup->queue- .
- -----pickup / ^ | \smtp------
- . | v .
- . smtpd smtp .
- . 10026 | .
+ : Postfix :
+ ----->smtpd \ /local---->
+ : -cleanup->queue- :
+ ---->pickup / ^ | \smtp----->
+ : | v :
+ : smtpd smtp :
+ : 10026 | :
......................|...........
^ |
| v
....|............
- . | 10025 .
- . filtering .
- . .
+ : | 10025 :
+ : filter :
+ : :
.................
To enable content filtering in this manner, specify in main.cf a
"filter" is a dedicated local user account. The user will never
log in, and can be given a "*" password and non-existent shell and
-home.
-
-The spawn server is part of Postfix but is not installed by default.
-Edit the top-level Makefile.in file, run "make makefiles", "make",
-and "make install". The manual page isn't installed by default,
-either. See the spawn.c source file.
+home directory. This user handles all potentially dangerous mail
+content - that is why it should be a separate account.
The /some/where/filter command is most likely a PERL script. PERL
has modules that make talking SMTP easy. The command-line specifies
The simplest content filter just copies SMTP commands and data
between its inputs and outputs. If it has a problem, all it has to
do is to reply to an input of `.' with `550 content rejected', and
-to disconnect its output side instead of sending `.'.
+to disconnect without sending `.' on the connection that injects
+mail back into Postfix.
The job of the content filter is to either bounce mail with a
suitable diagnostic, or to feed the mail back into Postfix through
PATH=/bin:/usr/bin:/usr/sbin:/usr/etc:/sbin:/etc
umask 022
+test -t 0 &&
cat <<EOF
Warning: this script replaces existing sendmail or Postfix programs.
# Find out the location of configuration files.
+test -t 0 &&
for name in install_root tempdir config_directory
do
while :
# Override default settings.
+test -t 0 &&
for name in daemon_directory command_directory \
queue_directory sendmail_path newaliases_path mailq_path mail_owner\
setgid manpages
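Review bot: the three `test -t 0 &&` guards turn the warning banner and both prompt loops into no-ops whenever stdin is not a terminal, so a scripted install never sees the "this script replaces existing sendmail or Postfix programs" warning and never gets the chance to override install_root, tempdir, config_directory, daemon_directory, command_directory, queue_directory and the other paths the loops iterate over. Make sure each of those variables is assigned a default outside the guarded loops, and state in the banner (or in a comment at the top of the script) that a non-tty stdin selects a silent, defaults-only install.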
-[Based on information that was provided by Amous Gouaux]
-
Postfix LMTP support
====================
LMTP stands for Local Mail Transfer Protocol, and is detailed in
RFC2033. This protocol is used to communicate with the final
-delivery agent, which may be on the local host or a remote host.
+delivery agent, which may run on the local host or a remote host.
This protocol opens up interesting possibilities: one Postfix front
-end system can drive multiple mailbox back end systems over LMTP.
+end machine can drive multiple mailbox back end machines over LMTP.
As the mail load increases you add Postfix front end systems and
LMTP mailbox back end systems. You can use LDAP or mysql to share
the user database among the front end and back end systems.
Using main.cf configuration
===========================
-This is the simplest LMTP configuration. The settings
-local_transport, mailbox_transport, and fallback_transport can
-support the following connections:
-
-1. LMTP over TCP sockets.
+This is the simplest LMTP configuration.
- mailbox_transport = lmtp
+1. LMTP over UNIX-domain sockets.
- Instead of delivering local mail to a mail box such as
- /var/mail/$user, a connection will be made over TCP to an LMTP
- server. Currently the default port for this connection is 24,
- but this can be customized in the "/etc/services" file.
+ The UNIX-domain socket is specified as a name in the local file
+ system. This "/path/name" should be the socket created by the
+ LMTP server on the local machine. See the specific examples
+ later in this document.
- NOTE:
+ The settings local_transport, mailbox_transport, and
+ fallback_transport support the following connections:
- With connections over TCP sockets, some Cyrus implementations
- insist on SASL-style authentication, which is not currently
- supported by the Postfix LMTP client. See the examples below
- for additional details.
+ mailbox_transport = lmtp:unix:/path/name
+ The Postfix local delivery agent expands aliases and .forward
+ files, and delegates mailbox delivery to the LMTP server.
-2. LMTP over UNIX-domain sockets.
+ local_transport = lmtp:unix:/path/name
- mailbox_transport = lmtp:unix:/path/name
+ Mail that resolves as local is directly given to the LMTP server.
+ The mail is not processed by the Postfix local delivery agent;
+ therefore aliases and .forward files are not expanded.
- In this case the LMTP connection will be made over a UNIX-domain
- socket. This "/path/name" should be the socket created by the
- LMTP server on the local machine.
+ fallback_transport = lmtp:unix:/path/name
- NOTE 1:
+ The Postfix local delivery agent expands aliases and .forward files,
+ and delivers to /var/mail/$user for users that have a UNIX account.
+ Mail for other local users is delegated to the LMTP server.
- If you configured Cyrus using the "--with-libwrap" option, be
- sure to allow access to the "lmtpd" service from "0.0.0.0".
- Otherwise LMTP deliveries over UNIX-domain sockets will be
- blocked. See the examples below for more on using libwrap.
-
- NOTE 2:
+ NOTE:
If you run the lmtp client chrooted, the interpretation of
the /path/name is relative to the Postfix queue directory
(typically, /var/spool/postfix).
- NOTE 3:
-
By default, the Postfix LMTP client does not run chrooted.
With LMTP delivery to the local machine there is no good
reason to run the Postfix LMTP client chrooted.
+2. LMTP over TCP sockets.
+
+ Currently the default TCP port number for this type of connection
+ is 24, but this can be customized in the "/etc/services" file.
+ Specific examples are given later in this document.
+
+ The settings local_transport, mailbox_transport, and
+ fallback_transport support the following connections:
+
+ mailbox_transport = lmtp:hostname:port
+ local_transport = lmtp:hostname:port
+ fallback_transport = lmtp:hostname:port
+
+ See the previous section for a discussion of the differences
+ between these three delivery methods.
+
+ NOTE:
+
+ With connections over TCP sockets, later Cyrus implementations
+ insist on SASL-style authentication. This means that Postfix
+ must be built with SASL support (see SASL_README). The
+ examples below show how to enable this in the Postfix LMTP
+ client.
Examples:
mailbox_transport = lmtp:unix:/var/imap/socket/lmtp
- In this case, mail that is resolved to be local will be delivered
- to the Cyrus lmtpd server via the socket "/var/imap/socket/lmtp".
-
- If you configured Cyrus using the "--with-libwrap" option, you
- will need the following:
-
- /etc/hosts.allow:
-
- lmtpd : 0.0.0.0
+ In this case, the Postfix local delivery agent expands aliases
+ and .forward files, and delegates mailbox delivery to the Cyrus
+ lmtpd server via the socket "/var/imap/socket/lmtp".
2. LMTP over TCP sockets.
SERVICES {
...
- lmtp cmd="lmtpd -a" listen="127.0.0.1:lmtp" prefork=0
+ lmtp cmd="lmtpd" listen="127.0.0.1:lmtp" prefork=0
...
}
-XXX does this mean that connections will be accepted only on 127.0.0.1?
-
/etc/services:
- lmtp 2003/tcp
+ lmtp 24/tcp
/etc/postfix/main.cf:
- mailbox_transport = lmtp
+ mailbox_transport = lmtp:localhost
+ lmtp_sasl_auth_enable = yes
+ lmtp_sasl_password_maps = hash:/etc/postfix/lmtp_sasl_pass
/etc/postfix/master.cf:
lmtp unix - - n - - lmtp
- Mail that Postfix resolves to be local will be delivered via TCP
- to the Cyrus LMTP server. Postfix will make a connection to port
- 2003 on the local host, subsequently transmitting the message to
- the lmtpd server managed by the Cyrus master process. Since
- Postfix does not currently support LMTP-AUTH, the "-a" lmtpd
- option is required.
-
- CAUTION:
-
- If you run lmtpd with the "-a" option, be certain that you
- restrict what systems can connect to this service. This can
- be done in either one of two ways:
-
- a. Compile Cyrus with libwrap support, configuring
- "/etc/hosts.allow" to restrict access to this service to
- only your mail server.
-
- b. In the cyrus.conf file, for the "listen" argument to the
- "lmtp" service, specify the address (in this case
- localhost), that the service should bind to. This can
- also be convenient if you have a private network between
- your Postfix server and your Cyrus server.
-
- If neither of these actions are taken, anybody will be able
- to drop junk into your Cyrus message store!
+ /etc/postfix/lmtp_sasl_pass:
+ localhost.my.domain username:password
+ Instead of "hash", use the map type of your choice. Some
+ systems use "dbm" instead. Use "postconf -m" to find out what
+ map types are supported.
-3. LMTP over TCP sockets, using hosts.allow.
-
- While similar to the previous example, this one varies in how the
- lmtpd service is protected from unauthorized use. Instead of
- binding the lmtpd service to a specific Internet address, access
- will be controlled using the "/etc/hosts.allow" tcp_wrappers
- configuration file. The tcp_wrappers package is available from:
-
- ftp://ftp.porcupine.org/pub/security/index.html
-
- To take advantage of tcp_wrappers, Cyrus will need to be
- configured using the "--with-libwrap" option. See the Cyrus
- documentation for more details.
-
- Here are excerpts of the pertinent files:
-
- /etc/hosts.allow:
-
- lmtpd : localhost : ALLOW
- lmtpd : ALL@ALL : DENY
-
- /etc/cyrus.conf:
-
- SERVICES {
- ...
- lmtp cmd="lmtpd -a" listen="lmtp" prefork=0
- ...
- }
-
- /etc/services:
-
- lmtp 2003/tcp
-
- /etc/postfix/main.cf:
-
- mailbox_transport = lmtp
-
- The syntax shown in the hosts.allow excerpt above is valid if
- tcp_wrappers is compiled using a "make" argument of:
-
- STYLE=-DPROCESS_OPTIONS
-
- See the tcp_wrappers hosts_options(5) man page for more details.
+ With the above settings, the Postfix local delivery agent
+ expands aliases and .forward files, and delegates mailbox
+ delivery to the the Cyrus LMTP server. Postfix makes a
+ connection to port 24 on the local host, subsequently
+ transmitting the message to the lmtpd server managed by the
+ Cyrus master process.
Using transport map configuration
=================================
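Review bot: the lookup key in the new /etc/postfix/lmtp_sasl_pass example (localhost.my.domain) does not match the host name given in mailbox_transport = lmtp:localhost; unless the password map is looked up by the canonical host name rather than by the name written in the transport setting, the lookup misses and the LMTP client never authenticates. Use the same name in both places, or say which name is used as the key. Two smaller points: the file now holds a cleartext password, so the example should say it must be readable by root only (the removed hosts.allow text at least spelled out who was allowed to connect), and the line "XXX does this mean that connections will be accepted only on 127.0.0.1?" was deleted without being answered, although the cyrus.conf excerpt now relies on that 127.0.0.1 binding as its only network-level restriction since lmtpd no longer runs with -a.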
-This approach is quite similar to specifying the LMTP service in the
-Postfix main.cf configuration file. However, now we will use a
-transport map to route mail to the appropriate LMTP server. Why
-might this approach be useful? This could be handy if you wish to
-route mail for multiple domains to their respective mail retrieval
+This approach is quite similar to specifying the LMTP service in
+the Postfix main.cf configuration file. However, now we will use
+a transport map to route mail to the appropriate LMTP server,
+instead of depending on delegation by the Postfix local delivery
+agent.
+
+Why might this approach be useful? This could be handy if you wish
+to route mail for multiple domains to their respective mail retrieval
(IMAP/POP) server. Example:
/etc/postfix/transport:
/etc/services:
- lmtp 2003/tcp
+ lmtp 24/tcp
/etc/inetd.conf:
non-standard SASL LOGIN authentication method. To enable this
authentication method, specify ``./configure --enable-login''.
-Reportedly, older Microsoft software mis-implements the AUTH
-protocol, and requires that the server replies to EHLO with
-"250-AUTH=stuff..." instead of "250-AUTH stuff...". To accomodate
-such clients, set "allow_broken_auth_clients = yes" in the main.cf
-file.
+Older Microsoft SMTP client software implements a non-standard
+version of the AUTH protocol syntax, and expects that the SMTP
+server replies to EHLO with "250 AUTH=stuff" instead of "250 AUTH
+stuff". To accomodate such clients in addition to conformant
+clients, set "broken_sasl_auth_clients = yes" in the main.cf file.
+
+The Postfix SMTP client is backwards compatible with SMTP servers
+that use the non-standard AUTH protocol syntax.
Building Postfix with SASL authentication support
=================================================
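Review bot: "accomodate" in the new SASL_README paragraph should be "accommodate" (the misspelling was carried over from the removed text). More importantly, the parameter is renamed from allow_broken_auth_clients to broken_sasl_auth_clients with no word on compatibility: an existing main.cf that still sets the old name will presumably be ignored as an unknown parameter and the behaviour silently disappears. Add the rename to the release notes and, if possible, log a warning when the old name is seen.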
# REJECT Reject the address etc. that matches the pattern. A
# generic error response message is generated.
#
-# OK
+# OK Accept the address etc. that matches the pattern.
#
-# Any other text
-# Accept the address etc. that matches the pattern.
+# restriction...
+# Apply the named UCE restriction (permit, reject,
+# reject_unauth_destination, and so on).
#
# REGULAR EXPRESSION TABLES
-# This section describes how the table lookups change when
+# This section describes how the table lookups change when
# the table is given in the form of regular expressions. For
-# a description of regular expression lookup table syntax,
+# a description of regular expression lookup table syntax,
# see regexp_table(5) or pcre_table(5).
#
-# Each pattern is a regular expression that is applied to
+# Each pattern is a regular expression that is applied to
# the entire string being looked up. Depending on the appli-
-# cation, that string is an entire client hostname, an
+# cation, that string is an entire client hostname, an
# entire client IP address, or an entire mail address. Thus,
-# no parent domain or parent network search is done, and
-# user@domain mail addresses are not broken up into their
+# no parent domain or parent network search is done, and
+# user@domain mail addresses are not broken up into their
# user@ and domain constituent parts.
#
-# Patterns are applied in the order as specified in the
-# table, until a pattern is found that matches the search
+# Patterns are applied in the order as specified in the
+# table, until a pattern is found that matches the search
# string.
#
-# Actions are the same as with normal indexed file lookups,
-# with the additional feature that parenthesized substrings
-# from the pattern can be interpolated as $1, $2 and so on.
+# Actions are the same as with normal indexed file lookups,
+# with the additional feature that parenthesized substrings
+# from the pattern can be interpolated as $1, $2 and so on.
#
# BUGS
-# The table format does not understand quoting conventions.
+# The table format does not understand quoting conventions.
#
# 2
#
# regexp_table(5) format of POSIX regular expression tables
#
# LICENSE
-# The Secure Mailer license must be distributed with this
+# The Secure Mailer license must be distributed with this
# software.
#
# AUTHOR(S)
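Review bot: the new "restriction..." action changes what existing tables mean: under the old text any value other than REJECT or OK was accepted, whereas now any such value is taken as the name of a UCE restriction. A table entry such as "OK please" that used to mean accept will now be looked up as a restriction name, and the hunk does not say what happens when that name is unknown (reject, accept, or a logged configuration error). Spell out the behaviour for unknown names and flag the incompatibility in the release notes.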
<b>REJECT</b> Reject the address etc. that matches the pattern. A
generic error response message is generated.
- <b>OK</b>
+ <b>OK</b> Accept the address etc. that matches the pattern.
- <i>Any</i> <i>other</i> <i>text</i>
- Accept the address etc. that matches the pattern.
+ <i>restriction...</i>
+ Apply the named UCE restriction (<b>permit</b>, reject,
+ <b>reject</b><i>_</i><b>unauth</b><i>_</i><b>destination</b>, and so on).
<b>REGULAR</b> <b>EXPRESSION</b> <b>TABLES</b>
- This section describes how the table lookups change when
+ This section describes how the table lookups change when
the table is given in the form of regular expressions. For
- a description of regular expression lookup table syntax,
+ a description of regular expression lookup table syntax,
see <a href="regexp_table.5.html"><b>regexp</b><i>_</i><b>table</b>(5)</a> or <a href="pcre_table.5.html"><b>pcre</b><i>_</i><b>table</b>(5)</a>.
- Each pattern is a regular expression that is applied to
+ Each pattern is a regular expression that is applied to
the entire string being looked up. Depending on the appli-
- cation, that string is an entire client hostname, an
+ cation, that string is an entire client hostname, an
entire client IP address, or an entire mail address. Thus,
- no parent domain or parent network search is done, and
- <i>user@domain</i> mail addresses are not broken up into their
+ no parent domain or parent network search is done, and
+ <i>user@domain</i> mail addresses are not broken up into their
<i>user@</i> and <i>domain</i> constituent parts.
- Patterns are applied in the order as specified in the
- table, until a pattern is found that matches the search
+ Patterns are applied in the order as specified in the
+ table, until a pattern is found that matches the search
string.
- Actions are the same as with normal indexed file lookups,
- with the additional feature that parenthesized substrings
- from the pattern can be interpolated as <b>$1</b>, <b>$2</b> and so on.
+ Actions are the same as with normal indexed file lookups,
+ with the additional feature that parenthesized substrings
+ from the pattern can be interpolated as <b>$1</b>, <b>$2</b> and so on.
<b>BUGS</b>
- The table format does not understand quoting conventions.
-
+ The table format does not understand quoting conventions.
<a href="regexp_table.5.html">regexp_table(5)</a> format of POSIX regular expression tables
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>
For example, allow <a href="http://www.faqs.org/rfcs/rfc822.html">RFC822</a>-style address forms with
comments, like Sendmail does.
- <b>allow</b><i>_</i><b>broken</b><i>_</i><b>auth</b><i>_</i><b>clients</b>
+ <b>broken</b><i>_</i><b>sasl</b><i>_</i><b>auth</b><i>_</i><b>clients</b>
Support older Microsoft clients that mis-implement
the AUTH protocol, and that expect an EHLO response
of "250 AUTH=list" instead of "250 AUTH list".
same syntax as the right-hand side of a Postfix
transport table.
-<b>Authenication</b> <b>controls</b>
+<b>Authentication</b> <b>controls</b>
<b>enable</b><i>_</i><b>sasl</b><i>_</i><b>authentication</b>
Enable per-session authentication as per <a href="http://www.faqs.org/rfcs/rfc2554.html">RFC 2554</a>
(SASL). This functionality is available only when
Reject the address etc. that matches the pattern. A generic
error response message is generated.
.IP \fBOK\fR
-.IP "\fIAny other text\fR"
Accept the address etc. that matches the pattern.
+.IP \fIrestriction...\fR
+Apply the named UCE restriction (\fBpermit\fR, \fRreject\fR,
+\fBreject_unauth_destination\fR, and so on).
.SH REGULAR EXPRESSION TABLES
.na
.nf
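Review bot: in the new .IP \fIrestriction...\fR paragraph, \fRreject\fR switches to the roman font instead of bold, so reject renders in plain type while permit and reject_unauth_destination are bold; it should read \fBreject\fR. The same slip is in the source-embedded copy of this manual page further down (the "# Apply the named UCE restriction" line), and the generated HTML already shows the symptom, with "reject" left unmarked between <b>permit</b> and <b>reject</b><i>_</i><b>unauth</b><i>_</i><b>destination</b>.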
.IP \fBstrict_rfc821_envelopes\fR
Disallow non-RFC 821 style addresses in envelopes. For example,
allow RFC822-style address forms with comments, like Sendmail does.
-.IP \fBallow_broken_auth_clients\fR
+.IP \fBbroken_sasl_auth_clients\fR
Support older Microsoft clients that mis-implement the AUTH
protocol, and that expect an EHLO response of "250 AUTH=list"
instead of "250 AUTH list".
either bounces mail or re-injects the result back into Postfix.
This parameter uses the same syntax as the right-hand side of
a Postfix transport table.
-.SH "Authenication controls"
+.SH "Authentication controls"
.IP \fBenable_sasl_authentication\fR
Enable per-session authentication as per RFC 2554 (SASL).
This functionality is available only when explicitly selected
# Reject the address etc. that matches the pattern. A generic
# error response message is generated.
# .IP \fBOK\fR
-# .IP "\fIAny other text\fR"
# Accept the address etc. that matches the pattern.
+# .IP \fIrestriction...\fR
+# Apply the named UCE restriction (\fBpermit\fR, \fRreject\fR,
+# \fBreject_unauth_destination\fR, and so on).
# REGULAR EXPRESSION TABLES
# .ad
# .fi
* Standards violation: send "250 AUTH=list" in order to accomodate broken
* Microsoft clients.
*/
-#define VAR_BROKEN_AUTH_CLNTS "allow_broken_auth_clients"
+#define VAR_BROKEN_AUTH_CLNTS "broken_sasl_auth_clients"
#define DEF_BROKEN_AUTH_CLNTS 0
extern bool var_broken_auth_clients;
* Version of this program.
*/
#define VAR_MAIL_VERSION "mail_version"
-#define DEF_MAIL_VERSION "Snapshot-20010122"
+#define DEF_MAIL_VERSION "Snapshot-20010124"
extern char *var_mail_version;
/* LICENSE
static void pre_init(char *unused_name, char **unused_argv)
{
debug_peer_init();
-#ifdef USE_SASL_AUTH
if (var_lmtp_sasl_enable)
+#ifdef USE_SASL_AUTH
lmtp_sasl_initialize();
+#else
+ msg_warn("%s is true, but SASL support is not compiled in",
+ VAR_LMTP_SASL_ENABLE);
#endif
}
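Review bot: with the #ifdef moved inside the if, a build without SASL support now only logs a warning when VAR_LMTP_SASL_ENABLE is set and then carries on delivering without authenticating. Since the administrator explicitly asked for SASL, consider msg_fatal() here: the daemon would refuse to start with a configuration it cannot honour, instead of running with different behaviour than configured and leaving a single log line to be noticed. The same applies to the identical smtp and smtpd pre_init hunks below; for smtpd in particular, a misconfiguration that is only warned about means clients that expect to authenticate are simply never offered AUTH.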
static CONFIG_BOOL_TABLE bool_table[] = {
VAR_LMTP_CACHE_CONN, DEF_LMTP_CACHE_CONN, &var_lmtp_cache_conn,
VAR_LMTP_SKIP_QUIT_RESP, DEF_LMTP_SKIP_QUIT_RESP, &var_lmtp_skip_quit_resp,
+ VAR_LMTP_SASL_ENABLE, DEF_LMTP_SASL_ENABLE, &var_lmtp_sasl_enable,
0,
};
#define INSIDE(p,t) (ptr >= (char *) t && ptr < ((char *) t) + sizeof(t))
/*
- * This is gross, but the best we can do on short notice. Instead of
- * guessing we should use a tagged union. This is what code looks like
- * when written under the pressure of a first public release.
+ * This is gross, but the best we can do on short notice.
*/
if (INSIDE(ptr, time_table))
print_time(mode, (CONFIG_TIME_TABLE *) ptr);
* reset the saved set-userid, which would be a security vulnerability.
*/
if (geteuid() == 0 && getuid() != 0) {
- msg_warn("sendmail has set-uid root file permissions, or is run from a set-uid root process");
+ msg_warn("the Postfix sendmail command has set-uid root file permissions");
+ msg_warn("or the command is run from a set-uid root process");
msg_warn("the Postfix sendmail command must be installed without set-uid root file permissions");
set_ugid(getuid(), getgid());
}
msg_fatal("-t can be used only in delivery mode");
if (site_to_flush && mode != SM_MODE_ENQUEUE)
- msg_fatal("-t can be used only in delivery mode");
+ msg_fatal("-qR can be used only in delivery mode");
if (extract_recipients && argv[OPTIND])
msg_fatal("cannot handle command-line recipients with -t");
{
debug_peer_init();
-#ifdef USE_SASL_AUTH
if (var_smtp_sasl_enable)
+#ifdef USE_SASL_AUTH
smtp_sasl_initialize();
+#else
+ msg_warn("%s is true, but SASL support is not compiled in",
+ VAR_SMTP_SASL_ENABLE);
#endif
}
/* .IP \fBstrict_rfc821_envelopes\fR
/* Disallow non-RFC 821 style addresses in envelopes. For example,
/* allow RFC822-style address forms with comments, like Sendmail does.
-/* .IP \fBallow_broken_auth_clients\fR
+/* .IP \fBbroken_sasl_auth_clients\fR
/* Support older Microsoft clients that mis-implement the AUTH
/* protocol, and that expect an EHLO response of "250 AUTH=list"
/* instead of "250 AUTH list".
/* either bounces mail or re-injects the result back into Postfix.
/* This parameter uses the same syntax as the right-hand side of
/* a Postfix transport table.
-/* .SH "Authenication controls"
+/* .SH "Authentication controls"
/* .IP \fBenable_sasl_authentication\fR
/* Enable per-session authentication as per RFC 2554 (SASL).
/* This functionality is available only when explicitly selected
debug_peer_init();
msg_cleanup(smtpd_cleanup);
-#ifdef USE_SASL_AUTH
if (var_smtpd_sasl_enable)
+#ifdef USE_SASL_AUTH
smtpd_sasl_initialize();
+#else
+ msg_warn("%s is true, but SASL support is not compiled in",
+ VAR_SMTPD_SASL_ENABLE);
#endif
}
/* DESCRIPTION
/* .nf
+ /*
+ * System library.
+ */
+#include <unistd.h>
+
/*
* SASL library.
*/
/* Application-specific. */
#include "smtpd.h"
+#include "smtpd_sasl_glue.h"
#include "smtpd_check.h"
/*
if ((fd = accept(sock, &sa, &len)) >= 0) {
if (msg_verbose)
- msg_info("connect (%s)", sa.sa_family == AF_LOCAL ? "AF_LOCAL" :
+ msg_info("connect (%s)",
+#ifdef AF_LOCAL
+ sa.sa_family == AF_LOCAL ? "AF_LOCAL" :
+#else
+ sa.sa_family == AF_UNIX ? "AF_UNIX" :
+#endif
+ sa.sa_family == AF_INET ? "AF_INET" :
#ifdef AF_INET6
sa.sa_family == AF_INET6 ? "AF_INET6" :
#endif
- sa.sa_family == AF_INET ? "AF_INET" :
"unknown protocol family");
non_blocking(fd, NON_BLOCKING);
state = (SINK_STATE *) mymalloc(sizeof(*state));