the input when the action is NOT executed. File:
cleanup/cleanup_message.c.
+ Bugfix? Cleanup? Documentation? main.cf now implements
+ ${name[?:]value} as promised in the postconf(5) manual.
+ Implemented by deleting the macro processor in dict_eval(),
+ and using the one in mac_expand() instead. File: util/dict.c.
+
+20050208
+
+ Feature: check_ccert_access maptype:mapname for access(5)
+ control, based on code by Victor Duchovni. File:
+ smtpd/smtpd_check.c and documentation.
+
+ Sanity check: don't allow unlimited message size with
+ limited mailbox size. File: local/local.c, virtual/virtual.c.
+
Open problems:
Med: local and remote source port and IP address for smtpd
policy hook.
- Med: smtp_connect_timeout_budget (default: 2x smtp_connect_timeout)
+ Med: disable address rewriting after XCLIENT? Introduce a
+ better concept of original submission?
+
+ Med: find out what TLS attributes to export via the policy
+ servicer hooks: peer CN, issuer CN, peer fingerprint,
+ verification status.
+
+ Med: smtp_connect_timeout_budget (default: 3x smtp_connect_timeout)
to limit the total time spent trying to connect.
Med: transform IPv4-in-IPv6 address literals to IPv4 form
Med: eliminate the tls_info data structure.
- Med: implement ${name[?:]value} in main.cf or update the
- postconf(5) manual.
-
Low: reject HELO with any domain name or IP address that
this MTA is the final destination for.
Med: silly queue file bit so that the queue manager doesn't
skip files when fast flush is requested while a queue scan
- is in progress.
+ is in progress. The bit is set by the flush server and is
+ reset when the mail is deferred, so that it survives queue
+ manager restart.
Med: postsuper -r should do something with recipients in
bounce logfiles.
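Review bot: the HISTORY entry for ${name[?:]value} is still labelled "Bugfix? Cleanup? Documentation?", and it says the macro processor in dict_eval() was deleted in favour of mac_expand() without stating whether any existing main.cf value now expands differently. Settle on one category and add a sentence on compatibility for existing configurations. In the Open problems list, the smtp_connect_timeout_budget default also moves from 2x to 3x smtp_connect_timeout with no reason given; a short rationale would help whoever picks the item up.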
# Whitelisting: local clients may specify any destination. Others may not.
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
+ # Block clients that speak too early.
+ smtpd_data_restrictions = reject_unauth_pipelining
+
+ # Enforce mail volume quota via policy service callouts.
+ smtpd_end_of_data_restrictions = check_policy_service unix:private/policy
+
Each restriction list is evaluated from left to right until some restriction
produces a result of PERMIT, REJECT or DEFER (try again later). The end of the
list is equivalent to a PERMIT result. By placing a PERMIT restriction before a
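Review bot: the added smtpd_end_of_data_restrictions example points at "unix:private/policy" but nothing in the example says where that socket is defined or what the server does when the policy service does not answer. Since the paragraph that follows says the end of a list is equivalent to PERMIT, add a comment line or a cross-reference to the policy service documentation so readers do not copy the line without a working service behind it.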
S\bSe\ber\brv\bve\ber\br a\bac\bcc\bce\bes\bss\bs c\bco\bon\bnt\btr\bro\bol\bl
-Postfix TLS support introduces two additional features for Postfix SMTP server
-access control:
+Postfix TLS support introduces three additional features for Postfix SMTP
+server access control:
permit_tls_clientcerts
Allow the remote SMTP client SMTP request if the client certificate
Allow the remote client SMTP request if the client certificate passes
verification.
+ check_ccert_access type:table
+ If the client certificate passes verification, use its fingerprint as a
+ key for the specified access(5) table.
+
The permit_tls_all_clientcerts feature must be used with caution, because it
can result in too many access permissions. Use this feature only if a special
CA issues the client certificates, and only if this CA is listed as trusted CA.
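Review bot: the new check_ccert_access entry says the fingerprint is used as the access(5) key but does not say what form that key takes (digest, separators, letter case), so an administrator cannot tell how to write a table entry that will match. State the expected key format here or point to where it is defined. The caution paragraph that follows still names only permit_tls_all_clientcerts; consider saying whether the same trusted-CA caveat applies to the "passes verification" condition of check_ccert_access.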
and change the patchlevel and the release date. Patches are never
issued for snapshot releases.
+Major changes with snapshot Postfix-2.2-20050208
+================================================
+
+New "check_ccert_maps maptype:mapname" feature to enforce access
+control based on (hexadecimal) client certificate fingerprints.
+
Major changes with snapshot Postfix-2.2-20050206
================================================
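Review bot: the release note names the feature "check_ccert_maps maptype:mapname", while the HISTORY entry and every documentation hunk in this patch call it check_ccert_access. Use one name throughout; as written, a reader who copies the release note into main.cf gets a restriction name the rest of the documentation does not describe.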
Support for address rewriting in outgoing SMTP mail. This is useful
for sites that have no valid Internet domain name, and that use a
domain name such as localdomain.local instead. Mail addresses that
-use such domain names are often rejected by mail servers. The new
-smtp_generics_maps feature allows you to replace local mail addresses
-by valid Internet addresses when mail needs to be sent across the
+use such domain names are often rejected by mail servers.
+
+The new smtp_generics_maps feature allows you to replace local mail
+addresses by valid Internet addresses when mail is sent across the
Internet. It has no effect on mail that is sent between accounts
-on the local machine.
+on the local machine. The syntax is described in generics(5) and
+a detailed example is in the STANDARD_CONFIGURATION_README file.
Example:
# in $inet_interfaces or $proxy_interfaces.
#
# @domain
-# Matches every other address in domain. This form
-# has the lowest precedence.
+# Matches other addresses in domain. This form has
+# the lowest precedence.
#
# ADDRESS EXTENSION
# When a mail address localpart contains the optional recip-
the specified address. In Postfix versions before 2.1, this feature
is implemented by <a href="smtpd.8.html">smtpd(8)</a>, <a href="qmqpd.8.html">qmqpd(8)</a>, or <a href="pickup.8.html">pickup(8)</a>. </dd>
-<dt> <a href="postconf.5.html#sender_bcc_maps">sender_bcc_maps</a> = type:table </dt> <dd> Search the specified
+<dt> <a href="postconf.5.html#sender_bcc_maps">sender_bcc_maps</a> = <a href="DATABASE_README.html">type:table</a> </dt> <dd> Search the specified
"<a href="DATABASE_README.html">type:table</a>" lookup table with the envelope sender address for an
automatic BCC address. This feature is available in Postfix 2.1
and later. </dd>
-<dt> <a href="postconf.5.html#recipient_bcc_maps">recipient_bcc_maps</a> = type:table </dt> <dd> Search the specified
+<dt> <a href="postconf.5.html#recipient_bcc_maps">recipient_bcc_maps</a> = <a href="DATABASE_README.html">type:table</a> </dt> <dd> Search the specified
"<a href="DATABASE_README.html">type:table</a>" lookup table with the envelope recipient address for
an automatic BCC address. This feature is available in Postfix 2.1
and later. </dd>
<dt> <b>proxy</b> (read-only) </dt>
<dd> Access information via the Postfix <a href="proxymap.8.html">proxymap(8)</a> service. The
-lookup table name syntax is "<a href="proxymap.8.html">proxy</a>:type:table". </dd>
+lookup table name syntax is "<a href="proxymap.8.html">proxy</a>:<a href="DATABASE_README.html">type:table</a>". </dd>
<dt> <b>regexp</b> (read-only) </dt>
IPv6 address information inside "<tt>[]</tt>" in the main.cf parameter
value and in files specified with a "<i>/file/name</i>" pattern.
IPv6 addresses contain the ":" character, and would otherwise be
-confused with a "<i>type:table</i>" pattern. </b> </p>
+confused with a "<i><a href="DATABASE_README.html">type:table</a></i>" pattern. </b> </p>
<h2><a name="limitations">Known Limitations</a></h2>
+++ /dev/null
-SHELL = /bin/sh
-
-# For now, just hard-coded rules for daemons, commands, config files.
-
-DAEMONS = bounce.8.html cleanup.8.html defer.8.html error.8.html local.8.html \
- lmtp.8.html master.8.html pickup.8.html pipe.8.html qmgr.8.html \
- showq.8.html smtp.8.html smtpd.8.html trivial-rewrite.8.html \
- oqmgr.8.html spawn.8.html flush.8.html virtual.8.html qmqpd.8.html \
- trace.8.html verify.8.html proxymap.8.html anvil.8.html
-COMMANDS= mailq.1.html newaliases.1.html postalias.1.html postcat.1.html \
- postconf.1.html postfix.1.html postkick.1.html postlock.1.html \
- postlog.1.html postdrop.1.html postmap.1.html sendmail.1.html \
- postqueue.1.html postsuper.1.html smtp-source.1.html \
- smtp-sink.1.html qmqp-source.1.html qmqp-sink.1.html
-CONFIG = access.5.html aliases.5.html canonical.5.html relocated.5.html \
- transport.5.html virtual.5.html pcre_table.5.html regexp_table.5.html \
- cidr_table.5.html tcp_table.5.html header_checks.5.html \
- ldap_table.5.html mysql_table.5.html pgsql_table.5.html
-AWK = awk '{ print; if (NR == 1) print ".pl 9999" }'
-MAN2HTML = man2html -t "Postfix manual - `IFS=.; set \`echo $@\`; echo \"$$1($$2)\"`"
-
-update: $(DAEMONS) $(COMMANDS) $(CONFIG)
-
-Makefile: Makefile.in
- (set -e; echo "# DO NOT EDIT"; $(OPTS) $(SHELL) ../src/makedefs; cat $?) >$@
-
-clean:
- echo clean
-
-tidy: clean
-
-clobber:
- rm -f $(DAEMONS) $(COMMANDS) $(CONFIG)
-
-bounce.8.html: ../src/bounce/bounce.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-defer.8.html: bounce.8.html
- rm -f $@
- ln -s $? $@
-
-error.8.html: ../src/error/error.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-flush.8.html: ../src/flush/flush.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-cleanup.8.html: ../src/cleanup/cleanup.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-anvil.8.html: ../src/anvil/anvil.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-lmtp.8.html: ../src/lmtp/lmtp.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-local.8.html: ../src/local/local.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-master.8.html: ../src/master/master.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-oqmgr.8.html: ../src/oqmgr/qmgr.c
- PATH=../mantools:$$PATH; \
- srctoman $? | sed -e 's/qmgr[^_]/o&/' \
- -e 's/qmgr$$/o&/' \
- -e 's/QMGR[^_]/O&/' | \
- $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-pickup.8.html: ../src/pickup/pickup.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-pipe.8.html: ../src/pipe/pipe.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-proxymap.8.html: ../src/proxymap/proxymap.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-qmgr.8.html: ../src/qmgr/qmgr.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-qmqpd.8.html: ../src/qmqpd/qmqpd.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-showq.8.html: ../src/showq/showq.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-spawn.8.html: ../src/spawn/spawn.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-smtp.8.html: ../src/smtp/smtp.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-smtpd.8.html: ../src/smtpd/smtpd.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-virtual.8.html: ../src/virtual/virtual.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-trace.8.html: bounce.8.html
- rm -f $@
- ln -s $? $@
-
-trivial-rewrite.8.html: ../src/trivial-rewrite/trivial-rewrite.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-verify.8.html: ../src/verify/verify.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-postalias.1.html: ../src/postalias/postalias.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-postcat.1.html: ../src/postcat/postcat.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-postconf.1.html: ../src/postconf/postconf.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-postdrop.1.html: ../src/postdrop/postdrop.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-postfix.1.html: ../src/postfix/postfix.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-postkick.1.html: ../src/postkick/postkick.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-postlock.1.html: ../src/postlock/postlock.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-postlog.1.html: ../src/postlog/postlog.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-postmap.1.html: ../src/postmap/postmap.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-postqueue.1.html: ../src/postqueue/postqueue.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-postsuper.1.html: ../src/postsuper/postsuper.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-sendmail.1.html: ../src/sendmail/sendmail.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-mailq.1.html: sendmail.1.html
- PATH=../mantools:$$PATH; \
- rm -f $@
- ln -s $? $@
-
-newaliases.1.html: sendmail.1.html
- PATH=../mantools:$$PATH; \
- rm -f $@
- ln -s $? $@
-
-smtp-source.1.html: ../src/smtpstone/smtp-source.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-smtp-sink.1.html: ../src/smtpstone/smtp-sink.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-qmqp-source.1.html: ../src/smtpstone/qmqp-source.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-qmqp-sink.1.html: ../src/smtpstone/qmqp-sink.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-access.5.html: ../proto/access
- PATH=../mantools:$$PATH; \
- srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-aliases.5.html: ../proto/aliases
- PATH=../mantools:$$PATH; \
- srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-canonical.5.html: ../proto/canonical
- PATH=../mantools:$$PATH; \
- srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-cidr_table.5.html: ../proto/cidr_table
- PATH=../mantools:$$PATH; \
- srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-header_checks.5.html: ../proto/header_checks
- PATH=../mantools:$$PATH; \
- srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-ldap_table.5.html: ../proto/ldap_table
- PATH=../mantools:$$PATH; \
- srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-mysql_table.5.html: ../proto/mysql_table
- PATH=../mantools:$$PATH; \
- srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-pcre_table.5.html: ../proto/pcre_table
- PATH=../mantools:$$PATH; \
- srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-pgsql_table.5.html: ../proto/pgsql_table
- PATH=../mantools:$$PATH; \
- srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-regexp_table.5.html: ../proto/regexp_table
- PATH=../mantools:$$PATH; \
- srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-relocated.5.html: ../proto/relocated
- PATH=../mantools:$$PATH; \
- srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-tcp_table.5.html: ../proto/tcp_table
- PATH=../mantools:$$PATH; \
- srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-transport.5.html: ../proto/transport
- PATH=../mantools:$$PATH; \
- srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-virtual.5.html: ../proto/virtual
- PATH=../mantools:$$PATH; \
- srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
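Review bot: this removes the hard-coded rules that regenerate the *.8.html, *.1.html and *.5.html pages, yet other hunks in the same patch edit generated HTML of that kind, and the HISTORY entries visible here do not mention the removal. Confirm that replacement generation rules land with this change, and add a HISTORY line naming the deleted Makefile.in so the hand-edited HTML and the build do not drift apart.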
+++ /dev/null
-SHELL = /bin/sh
-
-# For now, just hard-coded rules for daemons, commands, config files.
-
-DAEMONS = bounce.8.html cleanup.8.html defer.8.html error.8.html local.8.html \
- lmtp.8.html master.8.html pickup.8.html pipe.8.html qmgr.8.html \
- showq.8.html smtp.8.html smtpd.8.html trivial-rewrite.8.html \
- oqmgr.8.html spawn.8.html flush.8.html virtual.8.html qmqpd.8.html \
- trace.8.html verify.8.html proxymap.8.html
-COMMANDS= mailq.1.html newaliases.1.html postalias.1.html postcat.1.html \
- postconf.1.html postfix.1.html postkick.1.html postlock.1.html \
- postlog.1.html postdrop.1.html postmap.1.html sendmail.1.html \
- postqueue.1.html postsuper.1.html smtp-source.1.html \
- smtp-sink.1.html qmqp-source.1.html qmqp-sink.1.html
-CONFIG = access.5.html aliases.5.html canonical.5.html relocated.5.html \
- transport.5.html virtual.5.html pcre_table.5.html regexp_table.5.html \
- cidr_table.5.html header_checks.5.html \
- ldap_table.5.html mysql_table.5.html pgsql_table.5.html
-AWK = awk '{ print; if (NR == 1) print ".pl 9999" }'
-MAN2HTML = man2html -t "Postfix manual - `IFS=.; set \`echo $@\`; echo \"$$1($$2)\"`"
-
-update: $(DAEMONS) $(COMMANDS) $(CONFIG)
-
-Makefile: Makefile.in
- (set -e; echo "# DO NOT EDIT"; $(OPTS) $(SHELL) ../src/makedefs; cat $?) >$@
-
-clean:
- echo clean
-
-tidy: clean
-
-clobber:
- rm -f $(DAEMONS) $(COMMANDS) $(CONFIG)
-
-bounce.8.html: ../src/bounce/bounce.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-defer.8.html: bounce.8.html
- rm -f $@
- ln -s $? $@
-
-error.8.html: ../src/error/error.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-flush.8.html: ../src/flush/flush.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-cleanup.8.html: ../src/cleanup/cleanup.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-anvil.8.html: ../src/anvil/anvil.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-lmtp.8.html: ../src/lmtp/lmtp.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-local.8.html: ../src/local/local.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-master.8.html: ../src/master/master.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-oqmgr.8.html: ../src/oqmgr/qmgr.c
- PATH=../mantools:$$PATH; \
- srctoman $? | sed -e 's/qmgr[^_]/o&/' \
- -e 's/qmgr$$/o&/' \
- -e 's/QMGR[^_]/O&/' | \
- $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-pickup.8.html: ../src/pickup/pickup.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-pipe.8.html: ../src/pipe/pipe.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-proxymap.8.html: ../src/proxymap/proxymap.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-qmgr.8.html: ../src/qmgr/qmgr.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-qmqpd.8.html: ../src/qmqpd/qmqpd.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-showq.8.html: ../src/showq/showq.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-spawn.8.html: ../src/spawn/spawn.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-smtp.8.html: ../src/smtp/smtp.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-smtpd.8.html: ../src/smtpd/smtpd.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-virtual.8.html: ../src/virtual/virtual.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-trace.8.html: bounce.8.html
- rm -f $@
- ln -s $? $@
-
-trivial-rewrite.8.html: ../src/trivial-rewrite/trivial-rewrite.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-verify.8.html: ../src/verify/verify.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-postalias.1.html: ../src/postalias/postalias.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-postcat.1.html: ../src/postcat/postcat.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-postconf.1.html: ../src/postconf/postconf.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-postdrop.1.html: ../src/postdrop/postdrop.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-postfix.1.html: ../src/postfix/postfix.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-postkick.1.html: ../src/postkick/postkick.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-postlock.1.html: ../src/postlock/postlock.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-postlog.1.html: ../src/postlog/postlog.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-postmap.1.html: ../src/postmap/postmap.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-postqueue.1.html: ../src/postqueue/postqueue.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-postsuper.1.html: ../src/postsuper/postsuper.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-sendmail.1.html: ../src/sendmail/sendmail.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-mailq.1.html: sendmail.1.html
- PATH=../mantools:$$PATH; \
- rm -f $@
- ln -s $? $@
-
-newaliases.1.html: sendmail.1.html
- PATH=../mantools:$$PATH; \
- rm -f $@
- ln -s $? $@
-
-smtp-source.1.html: ../src/smtpstone/smtp-source.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-smtp-sink.1.html: ../src/smtpstone/smtp-sink.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-qmqp-source.1.html: ../src/smtpstone/qmqp-source.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-qmqp-sink.1.html: ../src/smtpstone/qmqp-sink.c
- PATH=../mantools:$$PATH; \
- srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-access.5.html: ../proto/access
- PATH=../mantools:$$PATH; \
- srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-aliases.5.html: ../proto/aliases
- PATH=../mantools:$$PATH; \
- srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-canonical.5.html: ../proto/canonical
- PATH=../mantools:$$PATH; \
- srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-cidr_table.5.html: ../proto/cidr_table
- PATH=../mantools:$$PATH; \
- srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-header_checks.5.html: ../proto/header_checks
- PATH=../mantools:$$PATH; \
- srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-ldap_table.5.html: ../proto/ldap_table
- PATH=../mantools:$$PATH; \
- srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-mysql_table.5.html: ../proto/mysql_table
- PATH=../mantools:$$PATH; \
- srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-pcre_table.5.html: ../proto/pcre_table
- PATH=../mantools:$$PATH; \
- srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-pgsql_table.5.html: ../proto/pgsql_table
- PATH=../mantools:$$PATH; \
- srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-regexp_table.5.html: ../proto/regexp_table
- PATH=../mantools:$$PATH; \
- srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-relocated.5.html: ../proto/relocated
- PATH=../mantools:$$PATH; \
- srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-tcp_table.5.html: ../proto/tcp_table
- PATH=../mantools:$$PATH; \
- srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-transport.5.html: ../proto/transport
- PATH=../mantools:$$PATH; \
- srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
-
-virtual.5.html: ../proto/virtual
- PATH=../mantools:$$PATH; \
- srctoman - $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
# Whitelisting: local clients may specify any destination. Others may not.
<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> = <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
+
+ # Block clients that speak too early.
+ <a href="postconf.5.html#smtpd_data_restrictions">smtpd_data_restrictions</a> = <a href="postconf.5.html#reject_unauth_pipelining">reject_unauth_pipelining</a>
+
+ # Enforce mail volume quota via policy service callouts.
+ <a href="postconf.5.html#smtpd_end_of_data_restrictions">smtpd_end_of_data_restrictions</a> = <a href="postconf.5.html#check_policy_service">check_policy_service</a> unix:private/policy
</pre>
<p> Each restriction list is evaluated from left to right until
<h3><a name="server_access">Server access control</a> </h3>
-<p> Postfix TLS support introduces two additional features for
+<p> Postfix TLS support introduces three additional features for
Postfix SMTP server access control: </p>
<blockquote>
client SMTP request if the client certificate passes verification.
</p> </dd>
+<dt> <a href="postconf.5.html#check_ccert_access">check_ccert_access</a> <a href="DATABASE_README.html">type:table</a></dt> <dd>
+<p> If the client certificate passes verification, use its fingerprint
+as a key for the specified <a href="access.5.html">access(5)</a> table. </p> </dd>
+
</dl>
</blockquote>
<b>RESOURCE AND RATE CONTROLS</b>
<b><a href="postconf.5.html#duplicate_filter_limit">duplicate_filter_limit</a> (1000)</b>
The maximal number of addresses remembered by the
- address duplicate filter for <a href="aliases.5.html"><b>aliases</b>(5)</a> or <b>vir-</b>
- <b>tual</b>(5) alias expansion, or for <a href="showq.8.html"><b>showq</b>(8)</a> queue dis-
+ address duplicate filter for <a href="aliases.5.html"><b>aliases</b>(5)</a> or <a href="virtual.5.html"><b>vir-</b></a>
+ <a href="virtual.5.html"><b>tual</b>(5)</a> alias expansion, or for <a href="showq.8.html"><b>showq</b>(8)</a> queue dis-
plays.
<b><a href="postconf.5.html#header_size_limit">header_size_limit</a> (102400)</b>
<b><a href="postconf.5.html#duplicate_filter_limit">duplicate_filter_limit</a> (1000)</b>
The maximal number of addresses remembered by the
- address duplicate filter for <a href="aliases.5.html"><b>aliases</b>(5)</a> or <b>vir-</b>
- <b>tual</b>(5) alias expansion, or for <a href="showq.8.html"><b>showq</b>(8)</a> queue dis-
+ address duplicate filter for <a href="aliases.5.html"><b>aliases</b>(5)</a> or <a href="virtual.5.html"><b>vir-</b></a>
+ <a href="virtual.5.html"><b>tual</b>(5)</a> alias expansion, or for <a href="showq.8.html"><b>showq</b>(8)</a> queue dis-
plays.
<b><a href="postconf.5.html#local_destination_concurrency_limit">local_destination_concurrency_limit</a> (2)</b>
recursively replaced by the value of the named parameter. </p>
<li> <p> The expression "${name?value}" expands to "value" when
-"$name" is non-empty. </p>
+"$name" is non-empty. This form is supported with Postfix version
+2.2 and later. </p>
<li> <p> The expression "${name:value}" expands to "value" when
-"$name" is empty. </p>
+"$name" is empty. This form is supported with Postfix version 2.2
+and later. </p>
</ul>
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
</pre>
+<p>For more fine-grained control, use <a href="postconf.5.html#check_ccert_access">check_ccert_access</a> to select
+an appropriate <a href="access.5.html">access(5)</a> policy for each client.
+See <a href="RESTRICTION_CLASS_README.html">RESTRICTION_CLASS_README</a>.</p>
+
+<p>This feature is available with Postfix 2.2.</p>
+
</DD>
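Review bot: "This feature is available with Postfix 2.2." directly follows the new paragraph that recommends check_ccert_access, so it is unclear whether "this feature" means the parameter documented in this entry or check_ccert_access. Move the version sentence ahead of the cross-reference paragraph, or name the feature explicitly in it.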
<dl>
+<dt><b><a name="check_ccert_access">check_ccert_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
+
+<dd>When the remote SMTP client certificate is verified successfully,
+use the client certificate fingerprint as lookup key for the specified
+<a href="access.5.html">access(5)</a> database. This feature is available with Postfix 2.2.</dd>
+
<dt><b><a name="check_client_access">check_client_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
<dd>Search the specified access database for the client hostname,
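Review bot: the check_ccert_access definition covers only the case "When the remote SMTP client certificate is verified successfully". Add a sentence on what the restriction returns when the client presents no certificate or verification fails, since that decides whether evaluation continues with the next restriction in the list. The definition also leaves the fingerprint key format unspecified.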
verified successfully. This option must be used only if a special
CA issues the certificates and only this CA is listed as trusted
CA, otherwise all clients with a recognized certificate would be
-allowed to relay. </dd>
+allowed to relay. This feature is available with Postfix 2.2.</dd>
<dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
<dd>Permit the request when the remote SMTP client certificate is
verified successfully, and the certificate fingerprint is listed
-in $relay_clientcerts. </dd>
+in $relay_clientcerts. This feature is available with Postfix 2.2.</dd>
<dt><b><a name="reject_rbl_client">reject_rbl_client <i>rbl_domain=d.d.d.d</i></a></b></dt>
<dd>Reject the request when the reversed client network address is
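Review bot: the version sentences added to permit_tls_all_clientcerts and permit_tls_clientcerts read "This feature is available with Postfix 2.2.", while other entries touched by this patch use "available in Postfix 2.1 and later" and "supported with Postfix version 2.2 and later". Use the same wording here, for example "available in Postfix 2.2 and later", so the text does not read as limited to a single release.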
The following commands are implemented:
- <b>check</b> Validate the Postfix mail system configuration.
- Warn about bad directory/file ownership or permis-
+ <b>check</b> Warn about bad directory/file ownership or permis-
sions, and create missing directories.
- <b>start</b> Start the Postfix mail system. This also runs the
+ <b>start</b> Start the Postfix mail system. This also runs the
configuration check described above.
<b>stop</b> Stop the Postfix mail system in an orderly fashion.
- Running processes are allowed to terminate at their
- earliest convenience.
+ If possible, running processes are allowed to ter-
+ minate at their earliest convenience.
- Note: in order to refresh the Postfix mail system
- after a configuration change, do not use the <b>start</b>
- and <b>stop</b> commands in succession. Use the <b>reload</b>
+ Note: in order to refresh the Postfix mail system
+ after a configuration change, do not use the <b>start</b>
+ and <b>stop</b> commands in succession. Use the <b>reload</b>
command instead.
<b>abort</b> Stop the Postfix mail system abruptly. Running pro-
cesses are signaled to stop immediately.
<b>flush</b> Force delivery: attempt to deliver every message in
- the deferred mail queue. Normally, attempts to
- deliver delayed mail happen at regular intervals,
+ the deferred mail queue. Normally, attempts to
+ deliver delayed mail happen at regular intervals,
the interval doubling after each failed attempt.
Warning: flushing undeliverable mail frequently
- will result in poor delivery performance of all
+ will result in poor delivery performance of all
other mail.
<b>reload</b> Re-read configuration files. Running processes ter-
minate at their earliest convenience.
<b>set-permissions [</b><i>name</i>=<i>value ...</i><b>]</b>
- Set the ownership and permissions of Postfix
- related files and directories, as specified in the
+ Set the ownership and permissions of Postfix
+ related files and directories, as specified in the
<b>postfix-files</b> file.
- Specify <i>name</i>=<i>value</i> to override and update specific
- main.cf configuration parameters. Use this, for
- example, to change the <b><a href="postconf.5.html#mail_owner">mail_owner</a></b> or <b><a href="postconf.5.html#setgid_group">setgid_group</a></b>
+ Specify <i>name</i>=<i>value</i> to override and update specific
+ main.cf configuration parameters. Use this, for
+ example, to change the <b><a href="postconf.5.html#mail_owner">mail_owner</a></b> or <b><a href="postconf.5.html#setgid_group">setgid_group</a></b>
setting for an already installed Postfix system.
This feature is available in Postfix 2.1 and later.
<b>upgrade-configuration [</b><i>name</i>=<i>value ...</i><b>]</b>
- Update the <b>main.cf</b> and <b>master.cf</b> files with infor-
- mation that Postfix needs in order to run: add or
- update services, and add or update configuration
+ Update the <b>main.cf</b> and <b>master.cf</b> files with infor-
+ mation that Postfix needs in order to run: add or
+ update services, and add or update configuration
parameter settings.
- Specify <i>name</i>=<i>value</i> to override and update specific
+ Specify <i>name</i>=<i>value</i> to override and update specific
main.cf configuration parameters.
This feature is available in Postfix 2.1 and later.
The following options are implemented:
<b>-c</b> <i>config</i><b>_</b><i>dir</i>
- Read the <b>main.cf</b> and <b>master.cf</b> configuration files
- in the named directory instead of the default con-
+ Read the <b>main.cf</b> and <b>master.cf</b> configuration files
+ in the named directory instead of the default con-
figuration directory. Use this to distinguish
- between multiple Postfix instances on the same
+ between multiple Postfix instances on the same
host.
<b>-D</b> (with <b>postfix start</b> only)
parameter.
<b>-v</b> Enable verbose logging for debugging purposes. Mul-
- tiple <b>-v</b> options make the software increasingly
+ tiple <b>-v</b> options make the software increasingly
verbose.
<b>ENVIRONMENT</b>
- The <a href="postfix.1.html"><b>postfix</b>(1)</a> command exports the following environment
+ The <a href="postfix.1.html"><b>postfix</b>(1)</a> command exports the following environment
variables before executing the <b>postfix-script</b> file:
<b>MAIL_CONFIG</b>
sent.
<b>CONFIGURATION PARAMETERS</b>
- The following <b>main.cf</b> configuration parameters are
+ The following <b>main.cf</b> configuration parameters are
exported as environment variables with the same names:
<b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b>
- The location of all postfix administrative com-
+ The location of all postfix administrative com-
mands.
<b><a href="postconf.5.html#daemon_directory">daemon_directory</a> (see 'postconf -d' output)</b>
- The directory with Postfix support programs and
+ The directory with Postfix support programs and
daemon programs.
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
- The default location of the Postfix main.cf and
+ The default location of the Postfix main.cf and
master.cf configuration files.
<b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
- The location of the Postfix top-level queue direc-
+ The location of the Postfix top-level queue direc-
tory.
<b><a href="postconf.5.html#mail_owner">mail_owner</a> (postfix)</b>
location of the Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command.
<b><a href="postconf.5.html#newaliases_path">newaliases_path</a> (see 'postconf -d' output)</b>
- Sendmail compatibility feature that specifies the
+ Sendmail compatibility feature that specifies the
location of the <a href="newaliases.1.html"><b>newaliases</b>(1)</a> command.
<b><a href="postconf.5.html#mailq_path">mailq_path</a> (see 'postconf -d' output)</b>
the Postfix <a href="mailq.1.html"><b>mailq</b>(1)</a> command is installed.
<b><a href="postconf.5.html#html_directory">html_directory</a> (see 'postconf -d' output)</b>
- The location of Postfix HTML files that describe
+ The location of Postfix HTML files that describe
how to build, configure or operate a specific Post-
fix subsystem or feature.
Where the Postfix manual pages are installed.
<b><a href="postconf.5.html#readme_directory">readme_directory</a> (see 'postconf -d' output)</b>
- The location of Postfix README files that describe
+ The location of Postfix README files that describe
how to build, configure or operate a specific Post-
fix subsystem or feature.
Other configuration parameters:
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
- The default location of the Postfix main.cf and
+ The default location of the Postfix main.cf and
master.cf configuration files.
<b><a href="postconf.5.html#import_environment">import_environment</a> (see 'postconf -d' output)</b>
- The list of environment parameters that a Postfix
- process will import from a non-Postfix parent pro-
+ The list of environment parameters that a Postfix
+ process will import from a non-Postfix parent pro-
cess.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
- The mail system name that is prepended to the pro-
+ The mail system name that is prepended to the pro-
cess name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<a href="QSHAPE_README.html">QSHAPE_README</a>, Postfix queue analysis
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>
<b>-d</b> <i>queue</i><b>_</b><i>id</i>
Delete one message with the named queue ID from the
named mail queue(s) (default: <b>hold</b>, <b>incoming</b>,
- <b>active</b> and <b>deferred</b>). If a <i>queue</i><b>_</b><i>id</i> of <b>-</b> is speci-
- fied, the program reads queue IDs from standard
- input. For example, to delete all mail with exactly
- one recipient <b>user@example.com</b>:
+ <b>active</b> and <b>deferred</b>).
+
+ If a <i>queue</i><b>_</b><i>id</i> of <b>-</b> is specified, the program reads
+ queue IDs from standard input. For example, to
+ delete all mail with exactly one recipient
+ <b>user@example.com</b>:
mailq | tail +2 | awk 'BEGIN { RS = "" }
# $7=sender, $8=recipient1, $9=recipient2
Put mail "on hold" so that no attempt is made to
deliver it. Move one message with the named queue
ID from the named mail queue(s) (default: <b>incoming</b>,
- <b>active</b> and <b>deferred</b>) to the <b>hold</b> queue. If a
- <i>queue</i><b>_</b><i>id</i> of <b>-</b> is specified, the program reads queue
- IDs from standard input.
+ <b>active</b> and <b>deferred</b>) to the <b>hold</b> queue.
+
+ If a <i>queue</i><b>_</b><i>id</i> of <b>-</b> is specified, the program reads
+ queue IDs from standard input.
- Specify <b>-h ALL</b> to hold all messages; for example,
+ Specify <b>-h ALL</b> to hold all messages; for example,
specify <b>-h ALL deferred</b> to hold mail in the
- <b>deferred</b> queue. As a safety measure, the word <b>ALL</b>
+ <b>deferred</b> queue. As a safety measure, the word <b>ALL</b>
must be specified in upper case.
- Note: while mail is "on hold" it will not expire
- when its time in the queue exceeds the <b><a href="postconf.5.html#maximal_queue_lifetime">maxi</a>-</b>
+ Note: while mail is "on hold" it will not expire
+ when its time in the queue exceeds the <b><a href="postconf.5.html#maximal_queue_lifetime">maxi</a>-</b>
<b><a href="postconf.5.html#maximal_queue_lifetime">mal_queue_lifetime</a></b> or <b><a href="postconf.5.html#bounce_queue_lifetime">bounce_queue_lifetime</a></b> set-
- ting. It becomes subject to expiration after it is
+ ting. It becomes subject to expiration after it is
released from "hold".
<b>-H</b> <i>queue</i><b>_</b><i>id</i>
Release mail that was put "on hold". Move one mes-
- sage with the named queue ID from the named mail
- queue(s) (default: <b>hold</b>) to the <b>deferred</b> queue. If
- a <i>queue</i><b>_</b><i>id</i> of <b>-</b> is specified, the program reads
+ sage with the named queue ID from the named mail
+ queue(s) (default: <b>hold</b>) to the <b>deferred</b> queue.
+
+ If a <i>queue</i><b>_</b><i>id</i> of <b>-</b> is specified, the program reads
queue IDs from standard input.
Note: use "<b>postsuper -r</b>" to release mail that was
Requeue the message with the named queue ID from
the named mail queue(s) (default: <b>hold</b>, <b>incoming</b>,
<b>active</b> and <b>deferred</b>). To requeue multiple mes-
- sages, specify multiple <b>-r</b> command-line options.
+ sages, specify multiple <b>-r</b> command-line options.
+
Alternatively, if a <i>queue</i><b>_</b><i>id</i> of <b>-</b> is specified, the
program reads queue IDs from standard input.
Specify <b>-r ALL</b> to requeue all messages. As a safety
- measure, the word <b>ALL</b> must be specified in upper
+ measure, the word <b>ALL</b> must be specified in upper
case.
- A requeued message is moved to the <b>maildrop</b> queue,
- from where it is copied by the pickup daemon to a
- new file whose name is guaranteed to match the new
+ A requeued message is moved to the <b>maildrop</b> queue,
+ from where it is copied by the pickup daemon to a
+ new file whose name is guaranteed to match the new
queue file inode number. The new queue file is sub-
- jected again to mail address rewriting and substi-
+ jected again to mail address rewriting and substi-
tution. This is useful when rewriting rules or vir-
tual mappings have changed.
- Warning: Postfix queue IDs are reused. There is a
- very small possibility that <a href="postsuper.1.html"><b>postsuper</b>(1)</a> requeues
- the wrong message file when it is executed while
- the Postfix mail system is running, but no harm
+ Warning: Postfix queue IDs are reused. There is a
+ very small possibility that <a href="postsuper.1.html"><b>postsuper</b>(1)</a> requeues
+ the wrong message file when it is executed while
+ the Postfix mail system is running, but no harm
should be done.
- <b>-s</b> Structure check and structure repair. This should
+ <b>-s</b> Structure check and structure repair. This should
be done once before Postfix startup.
- <b>o</b> Rename files whose name does not match the
+ <b>o</b> Rename files whose name does not match the
message file inode number. This operation is
- necessary after restoring a mail queue from
+ necessary after restoring a mail queue from
a different machine, or from backup media.
<b>o</b> Move queue files that are in the wrong place
in the file system hierarchy and remove sub-
directories that are no longer needed. File
- position rearrangements are necessary after
+ position rearrangements are necessary after
a change in the <b><a href="postconf.5.html#hash_queue_names">hash_queue_names</a></b> and/or
<b><a href="postconf.5.html#hash_queue_depth">hash_queue_depth</a></b> configuration parameters.
<b>-v</b> Enable verbose logging for debugging purposes. Mul-
- tiple <b>-v</b> options make the software increasingly
+ tiple <b>-v</b> options make the software increasingly
verbose.
<b>DIAGNOSTICS</b>
- Problems are reported to the standard error stream and to
+ Problems are reported to the standard error stream and to
<b>syslogd</b>(8).
- <a href="postsuper.1.html"><b>postsuper</b>(1)</a> reports the number of messages deleted with
- <b>-d</b>, the number of messages requeued with <b>-r</b>, and the num-
- ber of messages whose queue file name was fixed with <b>-s</b>.
- The report is written to the standard error stream and to
+ <a href="postsuper.1.html"><b>postsuper</b>(1)</a> reports the number of messages deleted with
+ <b>-d</b>, the number of messages requeued with <b>-r</b>, and the num-
+ ber of messages whose queue file name was fixed with <b>-s</b>.
+ The report is written to the standard error stream and to
<b>syslogd</b>(8).
<b>ENVIRONMENT</b>
Directory with the <b>main.cf</b> file.
<b>BUGS</b>
- Mail that is not sanitized by Postfix (i.e. mail in the
+ Mail that is not sanitized by Postfix (i.e. mail in the
<b>maildrop</b> queue) cannot be placed "on hold".
<b>CONFIGURATION PARAMETERS</b>
- The following <b>main.cf</b> parameters are especially relevant
+ The following <b>main.cf</b> parameters are especially relevant
to this program. The text below provides only a parameter
- summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including exam-
+ summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including exam-
ples.
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
- The default location of the Postfix main.cf and
+ The default location of the Postfix main.cf and
master.cf configuration files.
<b><a href="postconf.5.html#hash_queue_depth">hash_queue_depth</a> (1)</b>
- The number of subdirectory levels for queue direc-
- tories listed with the <a href="postconf.5.html#hash_queue_names">hash_queue_names</a> parameter.
+ The number of subdirectory levels for queue direc-
+ tories listed with the <a href="postconf.5.html#hash_queue_names">hash_queue_names</a> parameter.
<b><a href="postconf.5.html#hash_queue_names">hash_queue_names</a> (deferred, defer)</b>
- The names of queue directories that are split
+ The names of queue directories that are split
across multiple subdirectory levels.
<b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
- The location of the Postfix top-level queue direc-
+ The location of the Postfix top-level queue direc-
tory.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
- The mail system name that is prepended to the pro-
+ The mail system name that is prepended to the pro-
cess name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<a href="postqueue.1.html">postqueue(1)</a>, unprivileged queue operations
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>
in $<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a></b> or $<b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a></b>.
@<i>domain</i>
- Matches every other address in <i>domain</i>. This form
- has the lowest precedence.
+ Matches other addresses in <i>domain</i>. This form has
+ the lowest precedence.
<b>ADDRESS EXTENSION</b>
When a mail address localpart contains the optional recip-
# SYNOPSIS
# \fBmake makefiles \fIname=value...\fR
# DESCRIPTION
-# The \fBmakedefs\fR command identifies the program compilation
+# The \fBmakedefs\fR command identifies the compilation
# environment, and emits macro definitions on the standard output
# stream that can be prepended to template Makefiles.
#
The following commands are implemented:
.IP \fBcheck\fR
-Validate the Postfix mail system configuration. Warn about bad
-directory/file ownership or permissions, and create missing
-directories.
+Warn about bad directory/file ownership or permissions,
+and create missing directories.
.IP \fBstart\fR
Start the Postfix mail system. This also runs the configuration
check described above.
.IP \fBstop\fR
-Stop the Postfix mail system in an orderly fashion. Running processes
-are allowed to terminate at their earliest convenience.
+Stop the Postfix mail system in an orderly fashion. If
+possible, running processes are allowed to terminate at
+their earliest convenience.
.sp
Note: in order to refresh the Postfix mail system after a
configuration change, do not use the \fBstart\fR and \fBstop\fR
Delete one message with the named queue ID from the named
mail queue(s) (default: \fBhold\fR, \fBincoming\fR, \fBactive\fR and
\fBdeferred\fR).
+
If a \fIqueue_id\fR of \fB-\fR is specified, the program reads
queue IDs from standard input. For example, to delete all mail
with exactly one recipient \fBuser@example.com\fR:
Move one message with the named queue ID from the named
mail queue(s) (default: \fBincoming\fR, \fBactive\fR and
\fBdeferred\fR) to the \fBhold\fR queue.
+
If a \fIqueue_id\fR of \fB-\fR is specified, the program reads
queue IDs from standard input.
.sp
Release mail that was put "on hold".
Move one message with the named queue ID from the named
mail queue(s) (default: \fBhold\fR) to the \fBdeferred\fR queue.
+
If a \fIqueue_id\fR of \fB-\fR is specified, the program reads
queue IDs from standard input.
.sp
\fBdeferred\fR).
To requeue multiple messages, specify multiple \fB-r\fR
command-line options.
+
Alternatively, if a \fIqueue_id\fR of \fB-\fR is specified,
the program reads queue IDs from standard input.
.sp
recursively replaced by the value of the named parameter.
.IP \(bu
The expression "${name?value}" expands to "value" when
-"$name" is non-empty.
+"$name" is non-empty. This form is supported with Postfix
+version 2.2 and later.
.IP \(bu
The expression "${name:value}" expands to "value" when
-"$name" is empty.
+"$name" is empty. This form is supported with Postfix
+version 2.2 and later.
.RE
.IP \(bu
When the same parameter is defined multiple times, only the last
.fi
.ad
.ft R
+.PP
+For more fine-grained control, use check_ccert_access to select
+an appropriate \fBaccess\fR(5) policy for each client.
+See RESTRICTION_CLASS_README.
+.PP
+This feature is available with Postfix 2.2.
.SH relay_destination_concurrency_limit (default: $default_destination_concurrency_limit)
The maximal number of parallel deliveries to the same destination
via the relay message delivery transport. This limit is enforced
.PP
The following restrictions are specific to client hostname or
client network address information.
+.IP "\fBcheck_ccert_access \fItype:table\fR\fR"
+When the remote SMTP client certificate is verified successfully,
+use the client certificate fingerprint as lookup key for the specified
+\fBaccess\fR(5) database. This feature is available with Postfix 2.2.
.IP "\fBcheck_client_access \fItype:table\fR\fR"
Search the specified access database for the client hostname,
parent domains, client IP address, or networks obtained by stripping
verified successfully. This option must be used only if a special
CA issues the certificates and only this CA is listed as trusted
CA, otherwise all clients with a recognized certificate would be
-allowed to relay.
+allowed to relay. This feature is available with Postfix 2.2.
.IP "\fBpermit_tls_clientcerts\fR"
Permit the request when the remote SMTP client certificate is
verified successfully, and the certificate fingerprint is listed
-in $relay_clientcerts.
+in $relay_clientcerts. This feature is available with Postfix 2.2.
.IP "\fBreject_rbl_client \fIrbl_domain=d.d.d.d\fR\fR"
Reject the request when the reversed client network address is
listed with the A record "\fId.d.d.d\fR" under \fIrbl_domain\fR
when \fIsite\fR is listed in $\fBmydestination\fR, or when \fIsite\fR
is listed in $\fBinet_interfaces\fR or $\fBproxy_interfaces\fR.
.IP @\fIdomain\fR
-Matches every other address in \fIdomain\fR. This form has the lowest
+Matches other addresses in \fIdomain\fR. This form has the lowest
precedence.
.SH "ADDRESS EXTENSION"
.na
s/\b[A-Z0-9_]*_README\b/<a href="$&.html">$&<\/a>/g;
s/\bINSTALL\b/<a href="$&.html">$&<\/a>/g;
s/\bOVERVIEW\b/<a href="$&.html">$&<\/a>/g;
- s/"type:table"/"<a href="DATABASE_README.html">type:table<\/a>"/g;
+ s/\btype:table\b/<a href="DATABASE_README.html">type:table<\/a>/g;
# Split manual page hyperlinks across newlines
# Access restrictions - client
s;\bcheck_client_access\b;<a href="postconf.5.html#check_client_access">$&</a>;g;
+ s;\bcheck_ccert_access\b;<a href="postconf.5.html#check_ccert_access">$&</a>;g;
s;\bpermit_inet_interfaces\b;<a href="postconf.5.html#permit_inet_interfaces">$&</a>;g;
s;\bpermit_mynetworks\b;<a href="postconf.5.html#permit_mynetworks">$&</a>;g;
s;\bpermit_sasl_authenticated\b;<a href="postconf.5.html#permit_sasl_authenticated">$&</a>;g;
# Whitelisting: local clients may specify any destination. Others may not.
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
+
+ # Block clients that speak too early.
+ smtpd_data_restrictions = reject_unauth_pipelining
+
+ # Enforce mail volume quota via policy service callouts.
+ smtpd_end_of_data_restrictions = check_policy_service unix:private/policy
</pre>
<p> Each restriction list is evaluated from left to right until
<h3><a name="server_access">Server access control</a> </h3>
-<p> Postfix TLS support introduces two additional features for
+<p> Postfix TLS support introduces three additional features for
Postfix SMTP server access control: </p>
<blockquote>
client SMTP request if the client certificate passes verification.
</p> </dd>
+<dt> check_ccert_access type:table</dt> <dd>
+<p> If the client certificate passes verification, use its fingerprint
+as a key for the specified access(5) table. </p> </dd>
+
</dl>
</blockquote>
recursively replaced by the value of the named parameter. </p>
<li> <p> The expression "${name?value}" expands to "value" when
-"$name" is non-empty. </p>
+"$name" is non-empty. This form is supported with Postfix version
+2.2 and later. </p>
<li> <p> The expression "${name:value}" expands to "value" when
-"$name" is empty. </p>
+"$name" is empty. This form is supported with Postfix version 2.2
+and later. </p>
</ul>
recursively replaced by the value of the named parameter.
.IP \(bu
The expression "${name?value}" expands to "value" when
-"$name" is non-empty.
+"$name" is non-empty. This form is supported with Postfix
+version 2.2 and later.
.IP \(bu
The expression "${name:value}" expands to "value" when
-"$name" is empty.
+"$name" is empty. This form is supported with Postfix
+version 2.2 and later.
.RE
.IP \(bu
When the same parameter is defined multiple times, only the last
<dl>
+<dt><b><a name="check_ccert_access">check_ccert_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
+
+<dd>When the remote SMTP client certificate is verified successfully,
+use the client certificate fingerprint as lookup key for the specified
+access(5) database. This feature is available with Postfix 2.2.</dd>
+
<dt><b><a name="check_client_access">check_client_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
<dd>Search the specified access database for the client hostname,
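Review bot: the new check_ccert_access entry documents only the case where the client certificate verifies. It should also say what happens when no certificate is presented or verification fails (the smtpd/smtpd_check.c change returns SMTPD_CHECK_DUNNO in that case, so the restriction does not reject), and in what format the fingerprint must be written as a lookup key in the access(5) table. Without this, an administrator can read the restriction as blocking clients without a verified certificate.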
verified successfully. This option must be used only if a special
CA issues the certificates and only this CA is listed as trusted
CA, otherwise all clients with a recognized certificate would be
-allowed to relay. </dd>
+allowed to relay. This feature is available with Postfix 2.2.</dd>
<dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
<dd>Permit the request when the remote SMTP client certificate is
verified successfully, and the certificate fingerprint is listed
-in $relay_clientcerts. </dd>
+in $relay_clientcerts. This feature is available with Postfix 2.2.</dd>
<dt><b><a name="reject_rbl_client">reject_rbl_client <i>rbl_domain=d.d.d.d</i></a></b></dt>
<dd>Reject the request when the reversed client network address is
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
</pre>
+<p>For more fine-grained control, use check_ccert_access to select
+an appropriate access(5) policy for each client.
+See RESTRICTION_CLASS_README.</p>
+
+<p>This feature is available with Postfix 2.2.</p>
+
%PARAM smtpd_tls_cipherlist
<p> Controls the Postfix SMTP server TLS cipher selection scheme.
extern int var_access_map_code;
#define CHECK_CLIENT_ACL "check_client_access"
+#define CHECK_CCERT_ACL "check_ccert_access"
#define CHECK_HELO_ACL "check_helo_access"
#define CHECK_SENDER_ACL "check_sender_access"
#define CHECK_RECIP_ACL "check_recipient_access"
* Patches change the patchlevel and the release date. Snapshots change the
* release date only.
*/
-#define MAIL_RELEASE_DATE "20050207"
+#define MAIL_RELEASE_DATE "20050208"
#define MAIL_VERSION_NUMBER "2.2"
#define VAR_MAIL_VERSION "mail_version"
* file.
*/
if (var_mailbox_limit) {
- if (var_mailbox_limit < var_message_limit)
+ if (var_mailbox_limit < var_message_limit || var_message_limit == 0)
msg_fatal("main.cf configuration error: %s is smaller than %s",
VAR_MAILBOX_LIMIT, VAR_MESSAGE_LIMIT);
set_file_limit(var_mailbox_limit);
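Review bot: with the added "var_message_limit == 0" test, msg_fatal() still reports "%s is smaller than %s", which is misleading when the real problem is an unlimited message size combined with a limited mailbox size. Give the zero case its own message that says VAR_MESSAGE_LIMIT is unlimited while VAR_MAILBOX_LIMIT is not, so the administrator is not sent looking for a numeric comparison that is not the cause.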
/*
/* The following commands are implemented:
/* .IP \fBcheck\fR
-/* Validate the Postfix mail system configuration. Warn about bad
-/* directory/file ownership or permissions, and create missing
-/* directories.
+/* Warn about bad directory/file ownership or permissions,
+/* and create missing directories.
/* .IP \fBstart\fR
/* Start the Postfix mail system. This also runs the configuration
/* check described above.
/* .IP \fBstop\fR
-/* Stop the Postfix mail system in an orderly fashion. Running processes
-/* are allowed to terminate at their earliest convenience.
+/* Stop the Postfix mail system in an orderly fashion. If
+/* possible, running processes are allowed to terminate at
+/* their earliest convenience.
/* .sp
/* Note: in order to refresh the Postfix mail system after a
/* configuration change, do not use the \fBstart\fR and \fBstop\fR
/* Delete one message with the named queue ID from the named
/* mail queue(s) (default: \fBhold\fR, \fBincoming\fR, \fBactive\fR and
/* \fBdeferred\fR).
+/*
/* If a \fIqueue_id\fR of \fB-\fR is specified, the program reads
/* queue IDs from standard input. For example, to delete all mail
/* with exactly one recipient \fBuser@example.com\fR:
/* Move one message with the named queue ID from the named
/* mail queue(s) (default: \fBincoming\fR, \fBactive\fR and
/* \fBdeferred\fR) to the \fBhold\fR queue.
+/*
/* If a \fIqueue_id\fR of \fB-\fR is specified, the program reads
/* queue IDs from standard input.
/* .sp
/* Release mail that was put "on hold".
/* Move one message with the named queue ID from the named
/* mail queue(s) (default: \fBhold\fR) to the \fBdeferred\fR queue.
+/*
/* If a \fIqueue_id\fR of \fB-\fR is specified, the program reads
/* queue IDs from standard input.
/* .sp
/* \fBdeferred\fR).
/* To requeue multiple messages, specify multiple \fB-r\fR
/* command-line options.
+/*
/* Alternatively, if a \fIqueue_id\fR of \fB-\fR is specified,
/* the program reads queue IDs from standard input.
/* .sp
* Reject context.
*/
#define SMTPD_NAME_CLIENT "Client host"
+#define SMTPD_NAME_CCERT "Client certificate"
#define SMTPD_NAME_HELO "Helo command"
#define SMTPD_NAME_SENDER "Sender address"
#define SMTPD_NAME_RECIPIENT "Recipient address"
CHECK_SERVER_RETURN(SMTPD_CHECK_DUNNO);
}
+/* check_ccert_access - access for TLS clients by certificate fingerprint */
+
+#ifdef USE_TLS
+
+static int check_ccert_access(SMTPD_STATE *state, const char *table,
+ const char *def_acl)
+{
+ char *myname = "check_ccert_access";
+ int found;
+
+ if (state->tls_info.peer_verified && state->tls_info.peer_fingerprint) {
+ if (msg_verbose)
+ msg_info("%s: %s", myname, state->tls_info.peer_fingerprint);
+
+ /*
+ * Regexp tables don't make sense for certificate fingerprints. That
+ * may be so, but we can't ignore the entire check_ccert_access
+ * request without logging a warning.
+ *
+ * Log the peer CommonName when access is denied. Non-printable
+ * characters will be neutered by smtpd_check_reject(). The SMTP
+ * client name and address are always syslogged as part of a "reject"
+ * event.
+ */
+ return (check_access(state, table, state->tls_info.peer_fingerprint,
+ DICT_FLAG_NONE, &found, state->tls_info.peer_CN,
+ SMTPD_NAME_CCERT, def_acl));
+ }
+ return (SMTPD_CHECK_DUNNO);
+}
+
+#endif
+
/* check_mail_access - OK/FAIL based on mail address lookup */
static int check_mail_access(SMTPD_STATE *state, const char *table,
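Review bot: the guard in check_ccert_access() tests peer_verified and peer_fingerprint, but state->tls_info.peer_CN is passed to check_access() as the reply name without any check. Please confirm that peer_CN is always set for a verified peer, or substitute a fixed placeholder string when it is null. The block comment is also hard to follow: it talks about not ignoring the request "without logging a warning", yet this function logs nothing itself and simply passes DICT_FLAG_NONE, so the comment should say where that warning is actually produced.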
status = reject_rbl_domain(state, *cpp, state->name,
SMTPD_NAME_CLIENT);
}
+#ifdef USE_TLS
+ } else if (is_map_command(state, name, CHECK_CCERT_ACL, &cpp)) {
+ status = check_ccert_access(state, *cpp, def_acl);
+#endif
}
/*
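Review bot: because the new "else if" branch for CHECK_CCERT_ACL sits entirely inside #ifdef USE_TLS, a build without TLS does not recognize check_ccert_access at all and the name falls through to whatever handles unrecognized restrictions. Consider an #else branch that matches the name and logs that TLS support is not compiled in, so that a main.cf shared between TLS and non-TLS builds produces a precise diagnostic instead of a generic one.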
/* dict_eval() expands macro references in the specified string.
/* The result is owned by the dictionary manager. Make a copy if the
/* result is to survive multiple dict_eval() calls. When the
-/* \fIrecursive\fR argument is non-zero, macros references are
-/* expanded recursively.
+/* \fIrecursive\fR argument is non-zero, macro references in macro
+/* lookup results are expanded recursively.
/*
/* dict_walk() iterates over all registered dictionaries in some
/* arbitrary order, and invokes the specified action routine with
#include "vstream.h"
#include "vstring.h"
#include "readlline.h"
-#include "mac_parse.h"
+#include "mac_expand.h"
#include "stringops.h"
#include "iostuff.h"
#include "dict.h"
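Review bot: replacing mac_parse.h with mac_expand.h here leaves dict_eval() testing MAC_PARSE_ERROR without a direct include of the header that defines it, so dict.c now depends on mac_expand.h pulling in mac_parse.h. The rewritten dict_eval() also calls strcmp(), and <string.h> is not among the includes visible in this hunk. Please confirm both, or include the headers explicitly.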
vstring_free(buf);
}
- /*
- * Helper for macro expansion callback.
- */
-struct dict_eval_context {
- const char *dict_name; /* where to look */
- VSTRING *buf; /* result buffer */
- int recursive; /* recursive or not */
-};
-
-/* dict_eval_action - macro parser call-back routine */
+/* dict_eval_lookup - macro parser call-back routine */
-static int dict_eval_action(int type, VSTRING *buf, char *ptr)
+static const char *dict_eval_lookup(const char *key, int unused_type,
+ char *dict_name)
{
- struct dict_eval_context *ctxt = (struct dict_eval_context *) ptr;
- char *myname = "dict_eval_action";
const char *pp;
- if (msg_verbose > 1)
- msg_info("%s: type %s buf %s context %s \"%s\" %s",
- myname, type == MAC_PARSE_VARNAME ? "variable" : "literal",
- STR(buf), ctxt->dict_name, STR(ctxt->buf),
- ctxt->recursive ? "recursive" : "non-recursive");
-
/*
- * In order to support recursion, we must save the dict_lookup() result.
- * We use the input buffer since it will not be needed anymore.
+ * XXX how would one recover?
*/
- if (type == MAC_PARSE_VARNAME) {
- if ((pp = dict_lookup(ctxt->dict_name, STR(buf))) == 0) {
- if (dict_errno) /* XXX how would one recover? */
- msg_fatal("dictionary %s: lookup %s: temporary error",
- ctxt->dict_name, STR(buf));
- } else if (ctxt->recursive) {
- vstring_strcpy(buf, pp); /* XXX clobber input */
- dict_eval(ctxt->dict_name, STR(buf), ctxt->recursive);
- } else {
- vstring_strcat(ctxt->buf, pp);
- }
- } else {
- vstring_strcat(ctxt->buf, STR(buf));
- }
- return (0);
+ if ((pp = dict_lookup(dict_name, key)) == 0 && dict_errno != 0)
+ msg_fatal("dictionary %s: lookup %s: temporary error", dict_name, key);
+
+ return (pp);
}
/* dict_eval - expand embedded dictionary references */
const char *dict_eval(const char *dict_name, const char *value, int recursive)
{
+ const char *myname = "dict_eval";
static VSTRING *buf;
- static struct dict_eval_context ctxt;
- static int loop = 0;
-
- /*
- * Sanity check.
- */
- if (loop > 100)
- msg_fatal("unreasonable macro nesting: \"%s\"", value);
+ int status;
/*
* Initialize.
*/
if (buf == 0)
buf = vstring_alloc(10);
- if (loop++ == 0) {
- VSTRING_RESET(buf);
- VSTRING_TERMINATE(buf);
- }
- ctxt.buf = buf;
- ctxt.recursive = recursive;
- ctxt.dict_name = dict_name;
/*
* Expand macros, possibly recursively.
*/
- if (msg_verbose > 1)
- msg_info("dict_eval[%d] %s", loop, value);
-
- mac_parse(value, dict_eval_action, (char *) &ctxt);
-
- if (msg_verbose > 1)
- msg_info("dict_eval[%d] result %s", loop, STR(buf));
-
- /*
- * Cleanup.
- */
- loop--;
- VSTRING_TERMINATE(buf);
-
+#define DONT_FILTER (char *) 0
+
+ status = mac_expand(buf, value,
+ recursive ? MAC_EXP_FLAG_RECURSE : MAC_EXP_FLAG_NONE,
+ DONT_FILTER, dict_eval_lookup, (char *) dict_name);
+ if (status & MAC_PARSE_ERROR)
+ msg_fatal("dictionary %s: macro processing error", dict_name);
+ if (msg_verbose) {
+ if (strcmp(value, STR(buf)) != 0)
+ msg_info("%s: expand %s -> %s", myname, value, STR(buf));
+ else
+ msg_info("%s: const %s", myname, value);
+ }
return (STR(buf));
}
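Review bot: the removed "if (loop > 100) msg_fatal("unreasonable macro nesting ...")" guard has no replacement in the new dict_eval(), so a self-referential definition is now bounded only by whatever mac_expand() does under MAC_EXP_FLAG_RECURSE. Please confirm that mac_expand() enforces a nesting limit, or keep a depth check here. Separately, "(char *) dict_name" casts away const to fit the context argument; a one-line comment stating that dict_eval_lookup() does not modify it would make that cast easier to accept. The surviving "XXX how would one recover?" comment also lost the dict_errno test it used to annotate and should move onto the msg_fatal() line it refers to.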
/* into the right-hand side.
/* .IP DICT_FLAG_NO_PROXY
/* Disallow access through the \fBproxymap\fR service.
+/* .IP DICT_FLAG_NO_UNAUTH
+/* Disallow network lookup mechanisms that lack any form of
+/* authentication (example: tcp_table; even NIS can be secured
+/* to some extent by requiring that the server binds to a
+/* privileged port).
/* .IP DICT_FLAG_PARANOID
-/* A combination of all the paranoia flags: DICT_FLAG_NO_REGSUB
-/* and DICT_FLAG_NO_PROXY.
+/* A combination of all the paranoia flags: DICT_FLAG_NO_REGSUB,
+/* DICT_FLAG_NO_PROXY and DICT_FLAG_NO_UNAUTH.
/* .PP
/* Specify DICT_FLAG_NONE for no special processing.
/*
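Review bot: adding DICT_FLAG_NO_UNAUTH to DICT_FLAG_PARANOID tightens every existing caller that already passes DICT_FLAG_PARANOID, and the new .IP entry does not say what happens when an unauthenticated table type is requested under this flag (fatal error, warning, or lookup failure). Document the failure behaviour here, and state how a dictionary type is classified as lacking authentication, since the text gives only tcp_table as an example.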
/* Bit-wise OR of zero or more of the following:
/* .RS
/* .IP MAC_EXP_FLAG_RECURSE
-/* Expand $name recursively. This should never be done with
+/* Expand macros in lookup results. This should never be done with
/* data whose origin is untrusted.
/* .PP
/* The constant MAC_EXP_FLAG_NONE specifies a manifest null value.
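Review bot: the reworded MAC_EXP_FLAG_RECURSE text keeps the warning about untrusted data, but with this patch dict_eval() maps its "recursive" argument straight onto this flag, so the same warning belongs in the dict_eval() documentation if it is not already there. A caller reading only dict_eval() would otherwise not learn that lookup results are re-parsed as macro expressions.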
/* MAC_EXP_MODE_TEST to test the existence of the named attribute
/* or MAC_EXP_MODE_USE to use the value of the named attribute,
/* and the caller context that was given to mac_expand(). A null
-/* result means that the requested attribute was not defined.
+/* result value means that the requested attribute was not defined.
/* .IP context
/* Caller context that is passed on to the attribute lookup routine.
/* DIAGNOSTICS
/*
* $Name etc. reference.
+ *
+ * In order to support expansion of lookup results, we must save the lookup
+ * result. We use the input buffer since it will not be needed anymore.
*/
- if (type == MAC_PARSE_VARNAME) {
+ if (type == MAC_PARSE_EXPR) {
/*
* Look for the ? or : delimiter. In case of a syntax error, return
} else if (*text == 0) {
/* void */ ;
} else if (mc->flags & MAC_EXP_FLAG_RECURSE) {
- mac_parse(text, mac_expand_callback, (char *) mc);
+ vstring_strcpy(buf, text);
+ mac_parse(vstring_str(buf), mac_expand_callback, (char *) mc);
} else {
len = VSTRING_LEN(mc->result);
vstring_strcat(mc->result, text);
* Literal text.
*/
else {
- text = vstring_str(buf);
- vstring_strcat(mc->result, text);
+ vstring_strcat(mc->result, vstring_str(buf));
}
- /*
- * Give the poor tester a clue of what is going on.
- */
- if (msg_verbose)
- msg_info("%s: %s = %s", myname, vstring_str(buf),
- text ? text : "(undef)");
-
mc->level--;
return (mc->status);
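Review bot: deleting the msg_verbose block at the end of the callback removes the per-attribute "name = value" trace for every mac_expand() caller, while only dict_eval() gains replacement logging in this patch. If the trace was dropped because buf may now hold the lookup result instead of the attribute name (after the new vstring_strcpy(buf, text) in the recursive branch), say so in the change notes, and consider emitting the trace before that copy so the diagnostic survives.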
/* found, and \fIcontext\fR is passed on unmodified from the caller.
/* The application is at liberty to clobber \fIbuf\fR.
/* .IP MAC_PARSE_LITERAL
-/* The text in \fIbuf\fR is literal text.
-/* .IP MAC_PARSE_VARNAME
-/* The text in \fIbuf\fR is a macro expression.
+/* The content of \fIbuf\fR is literal text.
+/* .IP MAC_PARSE_EXPR
+/* The content of \fIbuf\fR is a macro expression: either a
+/* bare macro name without the preceding "$", or all the text
+/* inside $() or ${}.
/* .PP
/* The action routine result value is the bit-wise OR of zero or more
/* of the following:
* execute the action, and reset the temporary buffer for re-use.
*/
#define MAC_PARSE_ACTION(status, type, buf, context) \
- { \
+ do { \
VSTRING_TERMINATE(buf); \
- status |= action(type, buf, context); \
+ status |= action((type), (buf), (context)); \
VSTRING_RESET(buf); \
- }
+ } while(0)
/* mac_parse - split string into literal text and macro references */
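Review bot: the rewritten MAC_PARSE_ACTION parenthesizes type, buf and context only inside the action() call; VSTRING_TERMINATE(buf), VSTRING_RESET(buf) and the "status |=" target still use the bare arguments, and "action" is taken from the caller's scope instead of being a macro parameter. Either parenthesize consistently or state in the comment above the macro that status and buf must be plain lvalues and that a local named action is required.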
msg_warn("empty macro name: \"%s\"", value);
break;
}
- MAC_PARSE_ACTION(status, MAC_PARSE_VARNAME, buf, context);
+ MAC_PARSE_ACTION(status, MAC_PARSE_EXPR, buf, context);
}
}
if (VSTRING_LEN(buf) > 0 && (status & MAC_PARSE_ERROR) == 0)
char *type_name;
switch (type) {
- case MAC_PARSE_VARNAME:
- type_name = "MAC_PARSE_VARNAME";
+ case MAC_PARSE_EXPR:
+ type_name = "MAC_PARSE_EXPR";
break;
case MAC_PARSE_LITERAL:
type_name = "MAC_PARSE_LITERAL";
* External interface.
*/
#define MAC_PARSE_LITERAL 1
-#define MAC_PARSE_VARNAME 2
+#define MAC_PARSE_EXPR 2
+#define MAC_PARSE_VARNAME MAC_PARSE_EXPR /* 2.1 compatibility */
#define MAC_PARSE_OK 0
#define MAC_PARSE_ERROR (1<<0)
* file.
*/
if (var_virt_mailbox_limit) {
- if (var_virt_mailbox_limit < var_message_limit)
+ if (var_virt_mailbox_limit < var_message_limit || var_message_limit == 0)
msg_fatal("main.cf configuration error: %s is smaller than %s",
VAR_VIRT_MAILBOX_LIMIT, VAR_MESSAGE_LIMIT);
set_file_limit(var_virt_mailbox_limit);
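Review bot: with the added "var_message_limit == 0" test, msg_fatal() still reports "%s is smaller than %s", which misdescribes the case where the mailbox limit is acceptable and the message size limit is simply 0 (unlimited, per the changelog entry for this sanity check). Give the zero case its own message that names VAR_MESSAGE_LIMIT as unlimited, so the administrator is pointed at the right setting.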