20100915
Bugfix (introduced 20100914): missing precondition for
- call-back notification. File: postscreen/dnsblog.c.
+ call-back notification. File: postscreen/postscreen_dnsbl.c.
+
+ Bugfix (introduced 20100914): the "postscreen_greet_wait"
+ delay speedup worked only for DNSBL listed sites. File:
+ postscreen/postscreen_dnsbl.c.
+
+ Workaround: better handling of pregreeting spambots. The
+ postscreen built-in SMTP engine no longer sends a 220 banner
+ to a client that falls into the pregeet trap. This eliminates
+ many "non-SMTP command" records in postscreen logging, as
+ the SMTP client and server no longer get out of sync. It
+ also results in better logging of sender/recipient information.
+ file: postscreen/postscreen-smtpd.c.
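Review bot: the third entry's new text has a typo and an inconsistent file tag: "pregeet trap" should read "pregreet trap", and the trailing "file: postscreen/postscreen-smtpd.c." should be "File:" (capitalised, as in the two entries above it). The two entries above also spell the source file with an underscore (postscreen/postscreen_dnsbl.c) while this one uses a hyphen (postscreen-smtpd.c); confirm which spelling matches the file in the tree so the entry can be grepped.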
1. Comment out the "smtp inet ... smtpd" service in master.cf, including any
"-o parameter=value" entries that follow.
+ /etc/postfix/master.cf:
+ #smtp inet n - n - - smtpd
+ # -o parameter=value ...
+
2. Uncomment the new "smtpd pass ... smtpd" service in master.cf, and
duplicate any "-o parameter=value" entries from the smtpd service that was
commented out in step 1.
+ /etc/postfix/master.cf:
+ smtpd pass - - n - - smtpd
+ -o parameter=value ...
+
3. Uncomment the new "smtp inet ... postscreen" service in master.cf.
+ /etc/postfix/master.cf:
+ smtp inet n - n - 1 postscreen
+
4. Uncomment the new "dnsblog unix ... dnsblog" service in master.cf. This
service does DNSBL lookups for postscreen(8) and logs results.
+ /etc/postfix/master.cf:
+ dnsblog unix - - n - 0 dnsblog
+
5. To enable DNSBL lookups, list some DNS blocklist sites in main.cf,
separated by whitespace. Different sites can have different weights. For
example:
+ /etc/postfix/main.cf:
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_sites = zen.spamhaus.org*2 example.com*1 example.net*1
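Review bot: step 3's example sets the process-limit column to 1 for the postscreen service ("smtp inet n - n - 1 postscreen") while every other master.cf example in this hunk leaves that column at "-", but the step text never says that the 1 is deliberate. A reader who retypes the entry from the old smtpd line may keep "-"; suggest one sentence in step 3 stating that postscreen is a single event-driven process and the 1 must be kept.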
1. Comment out the "smtp inet ... postscreen" service in master.cf, including
any "-o parameter=value" entries that follow.
+ /etc/postfix/master.cf:
+ #smtp inet n - n - 1 postscreen
+ # -o parameter=value ...
+
2. Comment out the "dnsblog unix ... dnsblog" service in master.cf.
+ /etc/postfix/master.cf:
+ #dnsblog unix - - n - 0 dnsblog
+
3. Comment out the "smtpd pass ... smtpd" service in master.cf, including any
"-o parameter=value" entries that follow.
+ /etc/postfix/master.cf:
+ #smtpd pass - - n - - smtpd
+ # -o parameter=value ...
+
4. Uncomment the "smtp inet ... smtpd" service in master.cf, including any "-
o parameter=value" entries that follow.
+ /etc/postfix/master.cf:
+ smtp inet n - n - - smtpd
+ -o parameter=value ...
+
5. Read the new configuration with "postfix reload".
Historical notes and credits
Wietse threw together a crude prototype with pregreet and dnsbl support in June
2009, because he needed something new for a Mailserver conference presentation
in July. Ralf Hildebrandt ran this code on several servers to collect real-
-world evidence. This version used the dnsblog(8) ad-hoc DNS client program.
+world statistics. This version used the dnsblog(8) ad-hoc DNS client program.
Wietse needed new material for a LISA conference presentation in November 2010,
so he added support for DNSBL weights and filters in August, followed by a
major code rewrite, deep protocol tests, helo/sender/recipient logging, and
stress-adaptive behavior in September. Ralf Hildebrandt ran this code on
-several servers to collect real-world evidence. This version still used the
-same delay for pregreet and DNBL tests, as well as the embarrassing dnsblog(8)
+several servers to collect real-world statistics. This version still used the
+same delay for pregreet and DNSBL tests, as well as the embarrassing dnsblog(8)
ad-hoc DNS client.
in <a href="master.5.html">master.cf</a>, including any "<tt>-o parameter=value</tt>" entries
that follow. </p>
+<pre>
+/etc/postfix/<a href="master.5.html">master.cf</a>:
+ #smtp inet n - n - - smtpd
+ # -o parameter=value ...
+</pre>
+
<li> <p> Uncomment the new "<tt>smtpd pass ... smtpd</tt>" service
in <a href="master.5.html">master.cf</a>, and duplicate any "<tt>-o parameter=value</tt>" entries
from the smtpd service that was commented out in step 1. </p>
+<pre>
+/etc/postfix/<a href="master.5.html">master.cf</a>:
+ smtpd pass - - n - - smtpd
+ -o parameter=value ...
+</pre>
+
<li> <p> Uncomment the new "<tt>smtp inet ... postscreen</tt>"
service in <a href="master.5.html">master.cf</a>. </p>
+<pre>
+/etc/postfix/<a href="master.5.html">master.cf</a>:
+ smtp inet n - n - 1 postscreen
+</pre>
+
<li> <p> Uncomment the new "<tt>dnsblog unix ... dnsblog</tt>"
service in <a href="master.5.html">master.cf</a>. This service does DNSBL lookups for <a href="postscreen.8.html">postscreen(8)</a>
and logs results. </p>
+<pre>
+/etc/postfix/<a href="master.5.html">master.cf</a>:
+ dnsblog unix - - n - 0 dnsblog
+</pre>
+
<li> <p> To enable DNSBL lookups, list some DNS blocklist sites in
<a href="postconf.5.html">main.cf</a>, separated by whitespace. Different sites can have different
weights. For example:
<pre>
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a> = 2
<a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> = zen.spamhaus.org*2 example.com*1 example.net*1
</pre>
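Review bot: the new "/etc/postfix/main.cf:" label line in the last step is inserted into a &lt;pre&gt; that sits inside the &lt;p&gt; opened at "To enable DNSBL lookups" and never closed before the &lt;pre&gt;; block content inside a paragraph is not valid HTML and the parser auto-closes the &lt;p&gt;. Since this hunk already touches the block, close the paragraph with &lt;/p&gt; after "For example:", as every other step in this list does.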
in <a href="master.5.html">master.cf</a>, including any "<tt>-o parameter=value</tt>" entries
that follow. </p>
+<pre>
+/etc/postfix/<a href="master.5.html">master.cf</a>:
+ #smtp inet n - n - 1 postscreen
+ # -o parameter=value ...
+</pre>
+
<li> <p> Comment out the "<tt>dnsblog unix ... dnsblog</tt>" service
in <a href="master.5.html">master.cf</a>. </p>
+<pre>
+/etc/postfix/<a href="master.5.html">master.cf</a>:
+ #dnsblog unix - - n - 0 dnsblog
+</pre>
+
<li> <p> Comment out the "<tt>smtpd pass ... smtpd</tt>" service
in <a href="master.5.html">master.cf</a>, including any "<tt>-o parameter=value</tt>" entries
that follow. </p>
+<pre>
+/etc/postfix/<a href="master.5.html">master.cf</a>:
+ #smtpd pass - - n - - smtpd
+ # -o parameter=value ...
+</pre>
+
+
<li> <p> Uncomment the "<tt>smtp inet ... smtpd</tt>" service in
<a href="master.5.html">master.cf</a>, including any "<tt>-o parameter=value</tt>" entries that
follow. </p>
+<pre>
+/etc/postfix/<a href="master.5.html">master.cf</a>:
+ smtp inet n - n - - smtpd
+ -o parameter=value ...
+</pre>
+
<li> <p> Read the new configuration with "<tt>postfix reload</tt>".
</p>
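Review bot: two blank lines are added after the &lt;/pre&gt; of the "smtpd pass ... smtpd" step, while every other step in this hunk adds exactly one; drop one of them so the spacing between steps is consistent.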
<p> Wietse threw together a crude prototype with pregreet and dnsbl
support in June 2009, because he needed something new for a Mailserver
conference presentation in July. Ralf Hildebrandt ran this code on
-several servers to collect real-world evidence. This version used
+several servers to collect real-world statistics. This version used
the <a href="dnsblog.8.html">dnsblog(8)</a> ad-hoc DNS client program. </p>
<p> Wietse needed new material for a LISA conference presentation
in August, followed by a major code rewrite, deep protocol tests,
helo/sender/recipient logging, and stress-adaptive behavior in
September. Ralf Hildebrandt ran this code on several servers to
-collect real-world evidence. This version still used the same delay
-for pregreet and DNBL tests, as well as the embarrassing <a href="dnsblog.8.html">dnsblog(8)</a>
-ad-hoc DNS client. </p>
+collect real-world statistics. This version still used the same
+delay for pregreet and DNSBL tests, as well as the embarrassing
+<a href="dnsblog.8.html">dnsblog(8)</a> ad-hoc DNS client. </p>
</body>
in master.cf, including any "<tt>-o parameter=value</tt>" entries
that follow. </p>
+<pre>
+/etc/postfix/master.cf:
+ #smtp inet n - n - - smtpd
+ # -o parameter=value ...
+</pre>
+
<li> <p> Uncomment the new "<tt>smtpd pass ... smtpd</tt>" service
in master.cf, and duplicate any "<tt>-o parameter=value</tt>" entries
from the smtpd service that was commented out in step 1. </p>
+<pre>
+/etc/postfix/master.cf:
+ smtpd pass - - n - - smtpd
+ -o parameter=value ...
+</pre>
+
<li> <p> Uncomment the new "<tt>smtp inet ... postscreen</tt>"
service in master.cf. </p>
+<pre>
+/etc/postfix/master.cf:
+ smtp inet n - n - 1 postscreen
+</pre>
+
<li> <p> Uncomment the new "<tt>dnsblog unix ... dnsblog</tt>"
service in master.cf. This service does DNSBL lookups for postscreen(8)
and logs results. </p>
+<pre>
+/etc/postfix/master.cf:
+ dnsblog unix - - n - 0 dnsblog
+</pre>
+
<li> <p> To enable DNSBL lookups, list some DNS blocklist sites in
main.cf, separated by whitespace. Different sites can have different
weights. For example:
<pre>
+/etc/postfix/main.cf:
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_sites = zen.spamhaus.org*2 example.com*1 example.net*1
</pre>
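Review bot: same structural issue as in the generated html/ copy: the added "/etc/postfix/main.cf:" label goes into a &lt;pre&gt; that sits inside the &lt;p&gt; opened at "To enable DNSBL lookups" with no closing &lt;/p&gt; before it. This proto/ file is the source the html/ file is generated from, so fix it here by closing the paragraph after "For example:", matching the other steps.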
in master.cf, including any "<tt>-o parameter=value</tt>" entries
that follow. </p>
+<pre>
+/etc/postfix/master.cf:
+ #smtp inet n - n - 1 postscreen
+ # -o parameter=value ...
+</pre>
+
<li> <p> Comment out the "<tt>dnsblog unix ... dnsblog</tt>" service
in master.cf. </p>
+<pre>
+/etc/postfix/master.cf:
+ #dnsblog unix - - n - 0 dnsblog
+</pre>
+
<li> <p> Comment out the "<tt>smtpd pass ... smtpd</tt>" service
in master.cf, including any "<tt>-o parameter=value</tt>" entries
that follow. </p>
+<pre>
+/etc/postfix/master.cf:
+ #smtpd pass - - n - - smtpd
+ # -o parameter=value ...
+</pre>
+
+
<li> <p> Uncomment the "<tt>smtp inet ... smtpd</tt>" service in
master.cf, including any "<tt>-o parameter=value</tt>" entries that
follow. </p>
+<pre>
+/etc/postfix/master.cf:
+ smtp inet n - n - - smtpd
+ -o parameter=value ...
+</pre>
+
<li> <p> Read the new configuration with "<tt>postfix reload</tt>".
</p>
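Review bot: the "smtpd pass ... smtpd" step adds two blank lines after its &lt;/pre&gt; where the other steps add one; remove the extra blank line in this proto/ source so the generated html/ copy inherits consistent spacing.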
<p> Wietse threw together a crude prototype with pregreet and dnsbl
support in June 2009, because he needed something new for a Mailserver
conference presentation in July. Ralf Hildebrandt ran this code on
-several servers to collect real-world evidence. This version used
+several servers to collect real-world statistics. This version used
the dnsblog(8) ad-hoc DNS client program. </p>
<p> Wietse needed new material for a LISA conference presentation
in August, followed by a major code rewrite, deep protocol tests,
helo/sender/recipient logging, and stress-adaptive behavior in
September. Ralf Hildebrandt ran this code on several servers to
-collect real-world evidence. This version still used the same delay
-for pregreet and DNBL tests, as well as the embarrassing dnsblog(8)
-ad-hoc DNS client. </p>
+collect real-world statistics. This version still used the same
+delay for pregreet and DNSBL tests, as well as the embarrassing
+dnsblog(8) ad-hoc DNS client. </p>
</body>
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20100915"
+#define MAIL_RELEASE_DATE "20100916"
#define MAIL_VERSION_NUMBER "2.8"
#ifdef SNAPSHOT
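Review bot: the HISTORY entries in this snapshot are dated 20100915 while MAIL_RELEASE_DATE moves from "20100915" to "20100916". If the snapshot is simply being cut the day after the changes that is fine, but the date in the version string is what users will quote in bug reports, so either add a 20100916 header in HISTORY or make the release date match the entries.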
ATTR_TYPE_STR, MAIL_ATTR_ACT_CLIENT_ADDR, reply_client,
ATTR_TYPE_STR, MAIL_ATTR_RBL_ADDR, reply_addr,
ATTR_TYPE_END) == 3
- && *STR(reply_addr) != 0
&& (score = (PS_DNSBL_SCORE *)
htable_find(dnsbl_score_cache, STR(reply_client))) != 0) {
msg_info("%s: client=\"%s\" score=%d domain=\"%s\" reply=\"%s\"",
myname, STR(reply_client), score->total,
STR(reply_dnsbl), STR(reply_addr));
- head = (PS_DNSBL_HEAD *) htable_find(dnsbl_site_cache, STR(reply_dnsbl));
- site = (head ? head->first : (PS_DNSBL_SITE *) 0);
- for (reply_argv = 0; site != 0; site = site->next) {
- if (site->filter == 0
- || ps_dnsbl_match(site->filter, reply_argv ? reply_argv :
+ if (*STR(reply_addr) != 0) {
+ head = (PS_DNSBL_HEAD *)
+ htable_find(dnsbl_site_cache, STR(reply_dnsbl));
+ site = (head ? head->first : (PS_DNSBL_SITE *) 0);
+ for (reply_argv = 0; site != 0; site = site->next) {
+ if (site->filter == 0
+ || ps_dnsbl_match(site->filter, reply_argv ? reply_argv :
(reply_argv = argv_split(STR(reply_addr), " ")))) {
- score->dnsbl = head->safe_dnsbl;
- score->total += site->weight;
- if (msg_verbose > 1)
- msg_info("%s: filter=\"%s\" weight=%d score=%d",
- myname, site->filter ? site->filter : "null",
- site->weight, score->total);
+ score->dnsbl = head->safe_dnsbl;
+ score->total += site->weight;
+ if (msg_verbose > 1)
+ msg_info("%s: filter=\"%s\" weight=%d score=%d",
+ myname, site->filter ? site->filter : "null",
+ site->weight, score->total);
+ }
}
+ if (reply_argv != 0)
+ argv_free(reply_argv);
}
- if (reply_argv != 0)
- argv_free(reply_argv);
/*
* Notify the requestor(s) that the result is ready to be picked up.
if (score->pending_lookups == 0)
PS_CALL_BACK_NOTIFY(score, PS_NULL_EVENT);
}
+ /* Here, score may be a null pointer. */
vstream_fclose(stream);
}
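Review bot: moving the `*STR(reply_addr) != 0` test out of the outer condition into its own block means the unconditional msg_info("%s: client=\"%s\" score=%d domain=\"%s\" reply=\"%s\"", ...) now also fires for empty (not-listed) replies, so every DNSBL answer produces an info-level log line; if that is intended (the HISTORY entry only mentions the missing precondition for the call-back notification), say so there, otherwise guard it with msg_verbose like the per-filter msg_info below it. Also, the continuation line `(reply_argv = argv_split(STR(reply_addr), " "))))` is left as unchanged context while the lines around it were re-indented by one level; re-indent it too. Moving the argv_free(reply_argv) call inside the new block is correct, since reply_argv is only allocated there, and the added `/* Here, score may be a null pointer. */` comment is worth keeping because score is assigned only inside the outer condition.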
PS_STATE_FLAG_BARLF_TODO);
/*
- * Send the SMTP banner.
+ * Send no SMTP banner to pregreeting clients. This eliminates a lot of
+ * "NON-SMTP COMMAND" events, and improves sender/recipient logging.
*/
- if (PS_SEND_REPLY(state, ps_smtpd_greeting) != 0) {
+ if ((state->flags & PS_STATE_FLAG_PREGR_FAIL) == 0
+ && PS_SEND_REPLY(state, ps_smtpd_greeting) != 0) {
ps_hangup_event(state);
return;
}
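Review bot: the new comment says what is skipped but not why it helps; the reasoning from the HISTORY entry (a pregreeting client has already sent commands before the banner, so answering with a 220 puts client and server out of step and produces the "non-SMTP command" events) belongs in the code comment too, so the next reader does not "fix" it back to always sending the banner. The condition itself reads correctly: with PS_STATE_FLAG_PREGR_FAIL set, PS_SEND_REPLY is not evaluated, and ps_hangup_event is reached only when a banner was actually sent and the send failed.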