map that they can't do. Files: postmap/postmap.c,
postalias/postalias.c.
- Bugfix: the proxymap client didn't properly propagate the
- postmap (postalias) -r and -w options to the proxymap server.
- File: util/dict.h.
+ Bugfix: the proxymap client didn't properly propagate user
+ options options to the proxymap server. File: util/dict.h.
Workaround: force synchronous updates in the proxymap server
so that maps will be in a consistent state between updates.
File: proxymap/proxymap.c.
+
+ Bugfix: an empty rate-limited queue wasn't removed after
+ timer expiry. Files: *qmgr/qmgr_queue.c.
+
+20071204
+
+ Use different sockets for proxymap (read-only) and proxywrite
+ (read-write) services in the proxy: client. Victor Duchovni.
+ File: global/dict_proxy.c.
+
+ Feature: proxymap delete support by Victor Duchovni. Files:
+ global/dict_proxy.c, proxymap/proxymap.c.
+
+ Feature: proxymap delete support. Files: postmap/postmap.c
+ postalias/postalias.c.
+
+ Cleanup: the Postfix sendmail command did not include the
+ user (name/uid) information in all error messages. File:
+ sendmail/sendmail.c.
+
+ Feature: data_directory configuration parameter for
+ Postfix-writable data such as caches and random numbers.
+ Files: postfix-install, conf/postfix-files.
|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
|DEF_DAEMON_DIR |daemon_directory |/usr/libexec/postfix|
|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ |DEF_DATA_DIR |data_directory |/var/lib/postfix |
+ |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
|DEF_MAILQ_PATH |mailq_path |/usr/bin/mailq |
|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
|DEF_HTML_DIR |html_directory |no |
|DEF_SENDMAIL_PATH|sendmail_path |/usr/sbin/sendmail |
|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+Note: the data_directory parameter (for caches and pseudo-random numbers) was
+introduced with Postfix version 2.5.
+
4\b4.\b.5\b5 -\b- S\bSu\bup\bpp\bpo\bor\brt\bt f\bfo\bor\br t\bth\bho\bou\bus\bsa\ban\bnd\bds\bs o\bof\bf p\bpr\bro\boc\bce\bes\bss\bse\bes\bs
The number of connections that Postfix can manage simultaneously is limited by
If you upgrade from Postfix 2.3 or earlier, read RELEASE_NOTES-2.4
before proceeding.
+Major changes with Postfix snapshot 20071205
+============================================
+
+The "make install" and "make upgrade" procedures now create a
+postfix-owned directory for Postfix-writable data files such as
+caches and random numbers. The location is specified with the
+"data_directory" variable (default: "/var/lib/postfix").
+
Incompatibility with Postfix snapshot 20071203
==============================================
#
daemon_directory = /usr/libexec/postfix
+# The data_directory parameter specifies the location of Postfix-writable
+# data files (caches, random numbers). This directory must be owned
+# by the mail_owner account (see below).
+#
+data_directory = /var/lib/postfix
+
# QUEUE AND PROCESS OWNERSHIP
#
# The mail_owner parameter specifies the owner of the Postfix queue
# permissions, so that running "make install" fixes any glitches.
#
$config_directory:d:root:-:755:u
+$data_directory:d:$mail_owner:-:700:u
$daemon_directory:d:root:-:755:u
$queue_directory:d:root:-:755:uc
$sample_directory:d:root:-:755:o
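Review bot: The new `$data_directory:d:$mail_owner:-:700:u` entry carries only the `u` flag, while the neighbouring `$queue_directory` entry uses `uc`. The flag legend is outside this hunk, so confirm it, but if `c` is what lets "postfix check" create a missing directory, a data directory that is removed or was never created will not come back with the intended owner and 0700 mode. An administrator who then recreates it by hand as root produces the ownership/provenance mismatch that the proxymap documentation in this same patch warns about. Consider `$data_directory:d:$mail_owner:-:700:uc`.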
\( -perm -020 -o -perm -002 \) -type f \
-exec $WARN group or other writable: {} \;
+ find $data_directory/. ! -user $mail_owner \
+ -exec $WARN not owned by $mail_owner: {} \;
+
find `ls -d $queue_directory/* | \
egrep '/(incoming|active|defer|deferred|bounce|hold|trace|corrupt|public|private|flush)$'` \
! \( -type p -o -type s \) ! -user $mail_owner \
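Review bot: The added `find $data_directory/. ! -user $mail_owner` check reports wrong ownership only; nothing verifies that the directory and the files under it are not group- or other-writable. The documentation added in this patch requires the location to be writable only by $mail_owner, so a companion check in the style of the one just above would close that gap: `find $data_directory/. \( -perm -020 -o -perm -002 \) -exec $WARN group or other writable: {} \;`. It may also be worth guarding both with `test -d $data_directory`, since on a system upgraded without "make upgrade" the directory may not exist and find would only print its own error. The enclosing check code starts and ends outside this hunk.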
<tr> <td>DEF_DAEMON_DIR</td> <td><a href="postconf.5.html#daemon_directory">daemon_directory</a></td>
<td>/usr/libexec/postfix</td> </tr>
+<tr> <td>DEF_DATA_DIR</td> <td><a href="postconf.5.html#data_directory">data_directory</a></td>
+<td>/var/lib/postfix</td> </tr>
+
<tr> <td>DEF_MAILQ_PATH</td> <td><a href="postconf.5.html#mailq_path">mailq_path</a></td> <td>/usr/bin/mailq</td>
</tr>
</blockquote>
+<p> Note: the <a href="postconf.5.html#data_directory">data_directory</a> parameter (for caches and pseudo-random
+numbers) was introduced with Postfix version 2.5. </p>
+
<h3>4.5 - Support for thousands of processes</h3>
<p> The number of connections that Postfix can manage simultaneously
The maximal number of Received: message headers
that is allowed in the primary message headers.
- <b><a href="postconf.5.html#queue_run_delay">queue_run_delay</a> (version dependent)</b>
+ <b><a href="postconf.5.html#queue_run_delay">queue_run_delay</a> (300s)</b>
The time between <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> scans by the queue
- manager.
+ manager; prior to Postfix 2.4 the default value was
+ 1000s.
<b>FAST FLUSH CONTROLS</b>
The <a href="ETRN_README.html">ETRN_README</a> file describes configuration and operation
<b><a href="postconf.5.html#fast_flush_domains">fast_flush_domains</a> ($<a href="postconf.5.html#relay_domains">relay_domains</a>)</b>
Optional list of destinations that are eligible for
- per-destination logfiles with mail that is queued
+ per-destination logfiles with mail that is queued
to those destinations.
<b>VERP CONTROLS</b>
The <a href="VERP_README.html">VERP_README</a> file describes configuration and operation
- details of Postfix support for variable envelope return
+ details of Postfix support for variable envelope return
path addresses.
<b><a href="postconf.5.html#default_verp_delimiters">default_verp_delimiters</a> (+=)</b>
The two default VERP delimiter characters.
<b><a href="postconf.5.html#verp_delimiter_filter">verp_delimiter_filter</a> (-=+)</b>
- The characters Postfix accepts as VERP delimiter
- characters on the Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command line
+ The characters Postfix accepts as VERP delimiter
+ characters on the Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command line
and in SMTP commands.
<b>MISCELLANEOUS CONTROLS</b>
<b><a href="postconf.5.html#alias_database">alias_database</a> (see 'postconf -d' output)</b>
- The alias databases for <a href="local.8.html"><b>local</b>(8)</a> delivery that are
+ The alias databases for <a href="local.8.html"><b>local</b>(8)</a> delivery that are
updated with "<b>newaliases</b>" or with "<b>sendmail -bi</b>".
<b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b>
- The location of all postfix administrative com-
+ The location of all postfix administrative com-
mands.
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
+ The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
<a href="master.5.html">master.cf</a> configuration files.
<b><a href="postconf.5.html#daemon_directory">daemon_directory</a> (see 'postconf -d' output)</b>
- The directory with Postfix support programs and
+ The directory with Postfix support programs and
daemon programs.
<b><a href="postconf.5.html#default_database_type">default_database_type</a> (see 'postconf -d' output)</b>
<a href="postalias.1.html"><b>postalias</b>(1)</a> and <a href="postmap.1.html"><b>postmap</b>(1)</a> commands.
<b><a href="postconf.5.html#delay_warning_time">delay_warning_time</a> (0h)</b>
- The time after which the sender receives the mes-
+ The time after which the sender receives the mes-
sage headers of mail that is still queued.
<b><a href="postconf.5.html#enable_errors_to">enable_errors_to</a> (no)</b>
- Report mail delivery errors to the address speci-
- fied with the non-standard Errors-To: message
- header, instead of the envelope sender address
- (this feature is removed with Postfix version 2.2,
- is turned off by default with Postfix version 2.1,
- and is always turned on with older Postfix ver-
+ Report mail delivery errors to the address speci-
+ fied with the non-standard Errors-To: message
+ header, instead of the envelope sender address
+ (this feature is removed with Postfix version 2.2,
+ is turned off by default with Postfix version 2.1,
+ and is always turned on with older Postfix ver-
sions).
<b><a href="postconf.5.html#mail_owner">mail_owner</a> (postfix)</b>
and most Postfix daemon processes.
<b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
- The location of the Postfix top-level queue direc-
+ The location of the Postfix top-level queue direc-
tory.
<b><a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> (empty)</b>
- Don't rewrite message headers from remote clients
+ Don't rewrite message headers from remote clients
at all when this parameter is empty; otherwise, re-
- write message headers and append the specified
+ write message headers and append the specified
domain name to incomplete addresses.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b>FILES</b>
<a href="VERP_README.html">VERP_README</a>, Postfix VERP howto
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>
The maximal number of Received: message headers
that is allowed in the primary message headers.
- <b><a href="postconf.5.html#queue_run_delay">queue_run_delay</a> (version dependent)</b>
+ <b><a href="postconf.5.html#queue_run_delay">queue_run_delay</a> (300s)</b>
The time between <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> scans by the queue
- manager.
+ manager; prior to Postfix 2.4 the default value was
+ 1000s.
<b>FAST FLUSH CONTROLS</b>
The <a href="ETRN_README.html">ETRN_README</a> file describes configuration and operation
<b><a href="postconf.5.html#fast_flush_domains">fast_flush_domains</a> ($<a href="postconf.5.html#relay_domains">relay_domains</a>)</b>
Optional list of destinations that are eligible for
- per-destination logfiles with mail that is queued
+ per-destination logfiles with mail that is queued
to those destinations.
<b>VERP CONTROLS</b>
The <a href="VERP_README.html">VERP_README</a> file describes configuration and operation
- details of Postfix support for variable envelope return
+ details of Postfix support for variable envelope return
path addresses.
<b><a href="postconf.5.html#default_verp_delimiters">default_verp_delimiters</a> (+=)</b>
The two default VERP delimiter characters.
<b><a href="postconf.5.html#verp_delimiter_filter">verp_delimiter_filter</a> (-=+)</b>
- The characters Postfix accepts as VERP delimiter
- characters on the Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command line
+ The characters Postfix accepts as VERP delimiter
+ characters on the Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command line
and in SMTP commands.
<b>MISCELLANEOUS CONTROLS</b>
<b><a href="postconf.5.html#alias_database">alias_database</a> (see 'postconf -d' output)</b>
- The alias databases for <a href="local.8.html"><b>local</b>(8)</a> delivery that are
+ The alias databases for <a href="local.8.html"><b>local</b>(8)</a> delivery that are
updated with "<b>newaliases</b>" or with "<b>sendmail -bi</b>".
<b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b>
- The location of all postfix administrative com-
+ The location of all postfix administrative com-
mands.
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
+ The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
<a href="master.5.html">master.cf</a> configuration files.
<b><a href="postconf.5.html#daemon_directory">daemon_directory</a> (see 'postconf -d' output)</b>
- The directory with Postfix support programs and
+ The directory with Postfix support programs and
daemon programs.
<b><a href="postconf.5.html#default_database_type">default_database_type</a> (see 'postconf -d' output)</b>
<a href="postalias.1.html"><b>postalias</b>(1)</a> and <a href="postmap.1.html"><b>postmap</b>(1)</a> commands.
<b><a href="postconf.5.html#delay_warning_time">delay_warning_time</a> (0h)</b>
- The time after which the sender receives the mes-
+ The time after which the sender receives the mes-
sage headers of mail that is still queued.
<b><a href="postconf.5.html#enable_errors_to">enable_errors_to</a> (no)</b>
- Report mail delivery errors to the address speci-
- fied with the non-standard Errors-To: message
- header, instead of the envelope sender address
- (this feature is removed with Postfix version 2.2,
- is turned off by default with Postfix version 2.1,
- and is always turned on with older Postfix ver-
+ Report mail delivery errors to the address speci-
+ fied with the non-standard Errors-To: message
+ header, instead of the envelope sender address
+ (this feature is removed with Postfix version 2.2,
+ is turned off by default with Postfix version 2.1,
+ and is always turned on with older Postfix ver-
sions).
<b><a href="postconf.5.html#mail_owner">mail_owner</a> (postfix)</b>
and most Postfix daemon processes.
<b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
- The location of the Postfix top-level queue direc-
+ The location of the Postfix top-level queue direc-
tory.
<b><a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> (empty)</b>
- Don't rewrite message headers from remote clients
+ Don't rewrite message headers from remote clients
at all when this parameter is empty; otherwise, re-
- write message headers and append the specified
+ write message headers and append the specified
domain name to incomplete addresses.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b>FILES</b>
<a href="VERP_README.html">VERP_README</a>, Postfix VERP howto
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>
</p>
+</DD>
+
+<DT><b><a name="data_directory">data_directory</a>
+(default: see "postconf -d" output)</b></DT><DD>
+
+<p> The directory with Postfix-writable data files (for example:
+caches, pseudo-random numbers). This directory must be owned by
+the <a href="postconf.5.html#mail_owner">mail_owner</a> account, and must not be shared with non-Postfix
+software. </p>
+
+<p> This feature is available in Postfix 2.5 and later. </p>
+
+
</DD>
<DT><b><a name="debug_peer_level">debug_peer_level</a>
(default: see "postconf -d" output)</b></DT><DD>
<p>
-The lookup tables that the <a href="proxymap.8.html">proxymap(8)</a> server is allowed to
-access for the read-write service.
+The lookup tables that the <a href="proxymap.8.html">proxymap(8)</a> server is allowed to access
+for the read-write service. If implemented with local files, these
+tables are preferably stored under the location specified with the
+<a href="postconf.5.html#data_directory">data_directory</a> configuration parameter.
Table references that don't begin with <a href="proxymap.8.html">proxy</a>: are ignored.
</p>
how to build, configure or operate a specific Post-
fix subsystem or feature.
+ Available in Postfix version 2.5 and later:
+
+ <b><a href="postconf.5.html#data_directory">data_directory</a> (see 'postconf -d' output)</b>
+ The directory with Postfix-writable data files (for
+ example: caches, pseudo-random numbers).
+
Other configuration parameters:
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
+ The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
<a href="master.5.html">master.cf</a> configuration files.
<b><a href="postconf.5.html#import_environment">import_environment</a> (see 'postconf -d' output)</b>
- The list of environment parameters that a Postfix
+ The list of environment parameters that a Postfix
process will import from a non-Postfix parent
process.
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b>FILES</b>
<a href="QSHAPE_README.html">QSHAPE_README</a>, Postfix queue analysis
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>
This request is supported in Postfix 2.5 and later.
+ <b>delete</b> <i>maptype:mapname flags key</i>
+ Delete the data stored under the requested key.
+ The reply is the request completion status code.
+ The <i>maptype:mapname</i> and <i>flags</i> are the same as with
+ the <b>open</b> request.
+
+ This request is supported in Postfix 2.5 and later.
+
The request completion status is one of OK, RETRY, NOKEY
(lookup failed because the key was not found), BAD (mal-
formed request) or DENY (the table is not approved for
same <a href="postconf.5.html">main.cf</a> setting to be used by sensitive and non-sen-
sitive processes.
+ Postfix-writable data files should be stored under a dedi-
+ cated directory that is writable only by the $<b><a href="postconf.5.html#mail_owner">mail_owner</a></b>
+ account, such as the $<b><a href="postconf.5.html#data_directory">data_directory</a></b> directory.
+
+ In particular, Postfix-writable files should never exist
+ in root-owned directories. That would open up a particular
+ type of security hole where ownership (root) does not
+ match content provenance (Postfix).
+
<b>DIAGNOSTICS</b>
Problems and transactions are logged to <b>syslogd</b>(8).
<b>BUGS</b>
- The <a href="proxymap.8.html"><b>proxymap</b>(8)</a> server provides service to multiple
- clients, and must therefore not be used for tables that
+ The <a href="proxymap.8.html"><b>proxymap</b>(8)</a> server provides service to multiple
+ clients, and must therefore not be used for tables that
have high-latency lookups.
- The <a href="proxymap.8.html"><b>proxymap</b>(8)</a> read-write service does not explicitly
- close lookup tables (even if it did, this could not be
- relied on, because the process may be terminated between
- table updates). The read-write service should therefore
- not be used with tables that leave persistent storage in
- an inconsistent state between updates (for example, CDB).
- Tables that support "sync on update" should be safe (for
- example, Berkeley DB) as should tables that are imple-
+ The <a href="proxymap.8.html"><b>proxymap</b>(8)</a> read-write service does not explicitly
+ close lookup tables (even if it did, this could not be
+ relied on, because the process may be terminated between
+ table updates). The read-write service should therefore
+ not be used with tables that leave persistent storage in
+ an inconsistent state between updates (for example, CDB).
+ Tables that support "sync on update" should be safe (for
+ example, Berkeley DB) as should tables that are imple-
mented by a real DBMS.
<b>CONFIGURATION PARAMETERS</b>
- On busy mail systems a long time may pass before <a href="proxymap.8.html"><b>prox-</b></a>
+ On busy mail systems a long time may pass before <a href="proxymap.8.html"><b>prox-</b></a>
<a href="proxymap.8.html"><b>ymap</b>(8)</a> relevant changes to <a href="postconf.5.html"><b>main.cf</b></a> are picked up. Use the
command "<b>postfix reload</b>" to speed up a change.
- The text below provides only a parameter summary. See
+ The text below provides only a parameter summary. See
<a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples.
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
+ The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
<a href="master.5.html">master.cf</a> configuration files.
<b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
- How much time a Postfix daemon process may take to
- handle a request before it is terminated by a
+ How much time a Postfix daemon process may take to
+ handle a request before it is terminated by a
built-in watchdog timer.
<b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
over an internal communication channel.
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
- The maximum amount of time that an idle Postfix
- daemon process waits for an incoming connection
+ The maximum amount of time that an idle Postfix
+ daemon process waits for an incoming connection
before terminating voluntarily.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
- The maximal number of incoming connections that a
- Postfix daemon process will service before termi-
+ The maximal number of incoming connections that a
+ Postfix daemon process will service before termi-
nating voluntarily.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
- The process ID of a Postfix command or daemon
+ The process ID of a Postfix command or daemon
process.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
- The process name of a Postfix command or daemon
+ The process name of a Postfix command or daemon
process.
<b><a href="postconf.5.html#proxy_read_maps">proxy_read_maps</a> (see 'postconf -d' output)</b>
- The lookup tables that the <a href="proxymap.8.html"><b>proxymap</b>(8)</a> server is
+ The lookup tables that the <a href="proxymap.8.html"><b>proxymap</b>(8)</a> server is
allowed to access for the read-only service.
Available in Postfix 2.5 and later:
+ <b><a href="postconf.5.html#data_directory">data_directory</a> (see 'postconf -d' output)</b>
+ The directory with Postfix-writable data files (for
+ example: caches, pseudo-random numbers).
+
<b><a href="postconf.5.html#proxy_write_maps">proxy_write_maps</a> (see 'postconf -d' output)</b>
The lookup tables that the <a href="proxymap.8.html"><b>proxymap</b>(8)</a> server is
allowed to access for the read-write service.
The maximal number of Received: message headers
that is allowed in the primary message headers.
- <b><a href="postconf.5.html#queue_run_delay">queue_run_delay</a> (version dependent)</b>
+ <b><a href="postconf.5.html#queue_run_delay">queue_run_delay</a> (300s)</b>
The time between <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> scans by the queue
- manager.
+ manager; prior to Postfix 2.4 the default value was
+ 1000s.
<b>FAST FLUSH CONTROLS</b>
The <a href="ETRN_README.html">ETRN_README</a> file describes configuration and operation
<b><a href="postconf.5.html#fast_flush_domains">fast_flush_domains</a> ($<a href="postconf.5.html#relay_domains">relay_domains</a>)</b>
Optional list of destinations that are eligible for
- per-destination logfiles with mail that is queued
+ per-destination logfiles with mail that is queued
to those destinations.
<b>VERP CONTROLS</b>
The <a href="VERP_README.html">VERP_README</a> file describes configuration and operation
- details of Postfix support for variable envelope return
+ details of Postfix support for variable envelope return
path addresses.
<b><a href="postconf.5.html#default_verp_delimiters">default_verp_delimiters</a> (+=)</b>
The two default VERP delimiter characters.
<b><a href="postconf.5.html#verp_delimiter_filter">verp_delimiter_filter</a> (-=+)</b>
- The characters Postfix accepts as VERP delimiter
- characters on the Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command line
+ The characters Postfix accepts as VERP delimiter
+ characters on the Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command line
and in SMTP commands.
<b>MISCELLANEOUS CONTROLS</b>
<b><a href="postconf.5.html#alias_database">alias_database</a> (see 'postconf -d' output)</b>
- The alias databases for <a href="local.8.html"><b>local</b>(8)</a> delivery that are
+ The alias databases for <a href="local.8.html"><b>local</b>(8)</a> delivery that are
updated with "<b>newaliases</b>" or with "<b>sendmail -bi</b>".
<b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b>
- The location of all postfix administrative com-
+ The location of all postfix administrative com-
mands.
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
+ The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
<a href="master.5.html">master.cf</a> configuration files.
<b><a href="postconf.5.html#daemon_directory">daemon_directory</a> (see 'postconf -d' output)</b>
- The directory with Postfix support programs and
+ The directory with Postfix support programs and
daemon programs.
<b><a href="postconf.5.html#default_database_type">default_database_type</a> (see 'postconf -d' output)</b>
<a href="postalias.1.html"><b>postalias</b>(1)</a> and <a href="postmap.1.html"><b>postmap</b>(1)</a> commands.
<b><a href="postconf.5.html#delay_warning_time">delay_warning_time</a> (0h)</b>
- The time after which the sender receives the mes-
+ The time after which the sender receives the mes-
sage headers of mail that is still queued.
<b><a href="postconf.5.html#enable_errors_to">enable_errors_to</a> (no)</b>
- Report mail delivery errors to the address speci-
- fied with the non-standard Errors-To: message
- header, instead of the envelope sender address
- (this feature is removed with Postfix version 2.2,
- is turned off by default with Postfix version 2.1,
- and is always turned on with older Postfix ver-
+ Report mail delivery errors to the address speci-
+ fied with the non-standard Errors-To: message
+ header, instead of the envelope sender address
+ (this feature is removed with Postfix version 2.2,
+ is turned off by default with Postfix version 2.1,
+ and is always turned on with older Postfix ver-
sions).
<b><a href="postconf.5.html#mail_owner">mail_owner</a> (postfix)</b>
and most Postfix daemon processes.
<b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
- The location of the Postfix top-level queue direc-
+ The location of the Postfix top-level queue direc-
tory.
<b><a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> (empty)</b>
- Don't rewrite message headers from remote clients
+ Don't rewrite message headers from remote clients
at all when this parameter is empty; otherwise, re-
- write message headers and append the specified
+ write message headers and append the specified
domain name to incomplete addresses.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b>FILES</b>
<a href="VERP_README.html">VERP_README</a>, Postfix VERP howto
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>
The location of Postfix README files that describe how to build,
configure or operate a specific Postfix subsystem or feature.
.PP
+Available in Postfix version 2.5 and later:
+.IP "\fBdata_directory (see 'postconf -d' output)\fR"
+The directory with Postfix-writable data files (for example:
+caches, pseudo-random numbers).
+.PP
Other configuration parameters:
.IP "\fBconfig_directory (see 'postconf -d' output)\fR"
The default location of the Postfix main.cf and master.cf
.IP "\fBhopcount_limit (50)\fR"
The maximal number of Received: message headers that is allowed
in the primary message headers.
-.IP "\fBqueue_run_delay (version dependent)\fR"
-The time between deferred queue scans by the queue manager.
+.IP "\fBqueue_run_delay (300s)\fR"
+The time between deferred queue scans by the queue manager;
+prior to Postfix 2.4 the default value was 1000s.
.SH "FAST FLUSH CONTROLS"
.na
.nf
.PP
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
+.SH data_directory (default: see "postconf -d" output)
+The directory with Postfix-writable data files (for example:
+caches, pseudo-random numbers). This directory must be owned by
+the mail_owner account, and must not be shared with non-Postfix
+software.
+.PP
+This feature is available in Postfix 2.5 and later.
.SH debug_peer_level (default: 2)
The increment in verbose logging level when a remote client or
server matches a pattern in the debug_peer_list parameter.
.PP
This feature is available in Postfix 2.0 and later.
.SH proxy_write_maps (default: see "postconf -d" output)
-The lookup tables that the \fBproxymap\fR(8) server is allowed to
-access for the read-write service.
+The lookup tables that the \fBproxymap\fR(8) server is allowed to access
+for the read-write service. If implemented with local files, these
+tables are preferably stored under the location specified with the
+data_directory configuration parameter.
Table references that don't begin with proxy: are ignored.
.PP
This feature is available in Postfix 2.5 and later.
service.
.sp
This request is supported in Postfix 2.5 and later.
+.IP "\fBdelete\fR \fImaptype:mapname flags key\fR"
+Delete the data stored under the requested key.
+The reply is the request completion status code.
+The \fImaptype:mapname\fR and \fIflags\fR are the same
+as with the \fBopen\fR request.
+.sp
+This request is supported in Postfix 2.5 and later.
.PP
The request completion status is one of OK, RETRY, NOKEY
(lookup failed because the key was not found), BAD (malformed
requests to access a table for security-sensitive purposes,
and opens the table directly. This allows the same main.cf
setting to be used by sensitive and non-sensitive processes.
+
+Postfix-writable data files should be stored under a dedicated
+directory that is writable only by the $\fBmail_owner\fR
+account, such as the $\fBdata_directory\fR directory.
+
+In particular, Postfix-writable files should never exist
+in root-owned directories. That would open up a particular
+type of security hole where ownership (root) does not match
+content provenance (Postfix).
.SH DIAGNOSTICS
.ad
.fi
access for the read-only service.
.PP
Available in Postfix 2.5 and later:
+.IP "\fBdata_directory (see 'postconf -d' output)\fR"
+The directory with Postfix-writable data files (for example:
+caches, pseudo-random numbers).
.IP "\fBproxy_write_maps (see 'postconf -d' output)\fR"
-The lookup tables that the \fBproxymap\fR(8) server is allowed to
-access for the read-write service.
+The lookup tables that the \fBproxymap\fR(8) server is allowed to access
+for the read-write service.
.SH "SEE ALSO"
.na
.nf
s;\bcommand_time_limit\b;<a href="postconf.5.html#command_time_limit">$&</a>;g;
s;\bconfig_direc[-</bB>]*\n*[ <bB>]*tory\b;<a href="postconf.5.html#config_directory">$&</a>;g;
s;\bcon[-</bB>]*\n*[ <bB>]*tent_filter\b;<a href="postconf.5.html#content_filter">$&</a>;g;
+ s;\bdata_directory\b;<a href="postconf.5.html#data_directory">$&</a>;g;
s;\bdae[-</bB>]*\n*[ <bB>]*mon_directory\b;<a href="postconf.5.html#daemon_directory">$&</a>;g;
s;\bdaemon_timeout\b;<a href="postconf.5.html#daemon_timeout">$&</a>;g;
s;\bdebug_peer_level\b;<a href="postconf.5.html#debug_peer_level">$&</a>;g;
# The built-in default directory name is /etc/postfix.
# This parameter setting is not recorded in the installed main.cf file
# and can be changed only by recompiling Postfix.
+# .IP data_directory
+# The final destination directory for Postfix-writable data files such
+# as caches. This directory should not be shared with non-Postfix
+# software. The built-in default directory name is /var/lib/postfix.
+# This parameter setting is recorded in the installed main.cf file.
# .IP daemon_directory
# The final destination directory for Postfix daemon programs. This
# directory should not be in the command search path of any users.
config_directory_prompt="the final destination directory for
installed Postfix configuration files."
+data_directory_prompt="the final destination directory for
+Postfix-writable data files such as caches or random numbers. This
+directory should not be shared with non-Postfix software."
+
daemon_directory_prompt="the final destination directory for
installed Postfix daemon programs. This directory should not be
in the command search path of any users."
manpage_directory_prompt="the destination directory for the Postfix on-line
manual pages. You can no longer specify \"no\" here."
-sample_directory_prompt="the destination directory for the Postfix
-sample configuration files."
-
readme_directory_prompt="the destination directory for the Postfix
README files. Specify \"no\" if you do not want to install these files."
}
}
+CONFIG_PARAMS="command_directory daemon_directory data_directory \
+html_directory mail_owner mailq_path manpage_directory newaliases_path \
+queue_directory readme_directory sendmail_path setgid_group"
+
# Extract parameter settings from the installed main.cf file.
test -f $CONFIG_DIRECTORY/main.cf && {
- for name in daemon_directory command_directory queue_directory mail_owner \
- setgid_group sendmail_path newaliases_path mailq_path manpage_directory \
- sample_directory html_directory readme_directory
+ for name in $CONFIG_PARAMS sample_directory
do
eval junk=\$$name
case "$junk" in
# Use built-in defaults as the final source of parameter settings.
-for name in daemon_directory command_directory queue_directory mail_owner \
- setgid_group sendmail_path newaliases_path mailq_path manpage_directory \
- sample_directory html_directory readme_directory
+for name in $CONFIG_PARAMS sample_directory
do
eval junk=\$$name
case "$junk" in
# Override settings manually.
-test -z "$non_interactive" && for name in daemon_directory command_directory \
- queue_directory sendmail_path newaliases_path mailq_path mail_owner \
- setgid_group html_directory manpage_directory readme_directory
+test -z "$non_interactive" && for name in $CONFIG_PARAMS
do
while :
do
esac
done
-for path in "$daemon_directory" "$command_directory" "$queue_directory" \
+for path in "$daemon_directory" "$data_directory" "$command_directory" "$queue_directory" \
"$sendmail_path" "$newaliases_path" "$mailq_path" "$manpage_directory"
do
case "$path" in
}
done
-for path in command_directory config_directory daemon_directory \
+for path in command_directory config_directory daemon_directory data_directory \
manpage_directory queue_directory html_directory readme_directory
do
eval test -f $install_root\$$path && {
SENDMAIL_PATH=$install_root$sendmail_path
HTML_DIRECTORY=$install_root$html_directory
MANPAGE_DIRECTORY=$install_root$manpage_directory
-SAMPLE_DIRECTORY=$install_root$sample_directory
README_DIRECTORY=$install_root$readme_directory
# Avoid repeated tests for existence of these; default permissions suffice.
bin/postconf -c $CONFIG_DIRECTORY -e \
"daemon_directory = $daemon_directory" \
+ "data_directory = $data_directory" \
"command_directory = $command_directory" \
"queue_directory = $queue_directory" \
"mail_owner = $mail_owner" \
<tr> <td>DEF_DAEMON_DIR</td> <td>daemon_directory</td>
<td>/usr/libexec/postfix</td> </tr>
+<tr> <td>DEF_DATA_DIR</td> <td>data_directory</td>
+<td>/var/lib/postfix</td> </tr>
+
<tr> <td>DEF_MAILQ_PATH</td> <td>mailq_path</td> <td>/usr/bin/mailq</td>
</tr>
</blockquote>
+<p> Note: the data_directory parameter (for caches and pseudo-random
+numbers) was introduced with Postfix version 2.5. </p>
+
<h3>4.5 - Support for thousands of processes</h3>
<p> The number of connections that Postfix can manage simultaneously
%PARAM proxy_write_maps see "postconf -d" output
<p>
-The lookup tables that the proxymap(8) server is allowed to
-access for the read-write service.
+The lookup tables that the proxymap(8) server is allowed to access
+for the read-write service. If implemented with local files, these
+tables are preferably stored under the location specified with the
+data_directory configuration parameter.
Table references that don't begin with proxy: are ignored.
</p>
the message delivery transport. </p>
<p> This feature is available in Postfix 2.5 and later. </p>
+
+%PARAM data_directory see "postconf -d" output
+
+<p> The directory with Postfix-writable data files (for example:
+caches, pseudo-random numbers). This directory must be owned by
+the mail_owner account, and must not be shared with non-Postfix
+software. </p>
+
+<p> This feature is available in Postfix 2.5 and later. </p>
typedef struct {
DICT dict; /* generic members */
+ CLNT_STREAM *clnt; /* client handle (shared) */
+ const char *service; /* service name */
int in_flags; /* caller-specified flags */
VSTRING *result; /* storage */
} DICT_PROXY;
#define VSTREQ(v,s) (strcmp(STR(v),s) == 0)
/*
- * All proxied maps within a process share the same query/reply socket.
+ * All proxied maps of the same type share the same query/reply socket.
*/
-static CLNT_STREAM *proxy_stream;
+static CLNT_STREAM *proxymap_stream; /* read-only maps */
+static CLNT_STREAM *proxywrite_stream; /* read-write maps */
/* dict_proxy_lookup - find table entry */
request_flags = (dict_proxy->in_flags & DICT_FLAG_RQST_MASK)
| (dict->flags & DICT_FLAG_RQST_MASK);
for (;;) {
- stream = clnt_stream_access(proxy_stream);
+ stream = clnt_stream_access(dict_proxy->clnt);
errno = 0;
count += 1;
if (attr_print(stream, ATTR_FLAG_NONE,
case PROXY_STAT_BAD:
msg_fatal("%s lookup failed for table \"%s\" key \"%s\": "
"invalid request",
- MAIL_SERVICE_PROXYMAP, dict->name, key);
+ dict_proxy->service, dict->name, key);
case PROXY_STAT_DENY:
msg_fatal("%s service is not configured for table \"%s\"",
- MAIL_SERVICE_PROXYMAP, dict->name);
+ dict_proxy->service, dict->name);
case PROXY_STAT_OK:
return (STR(dict_proxy->result));
case PROXY_STAT_NOKEY:
default:
msg_warn("%s lookup failed for table \"%s\" key \"%s\": "
"unexpected reply status %d",
- MAIL_SERVICE_PROXYMAP, dict->name, key, status);
+ dict_proxy->service, dict->name, key, status);
}
}
- clnt_stream_recover(proxy_stream);
+ clnt_stream_recover(dict_proxy->clnt);
sleep(1); /* XXX make configurable */
}
}
request_flags = (dict_proxy->in_flags & DICT_FLAG_RQST_MASK)
| (dict->flags & DICT_FLAG_RQST_MASK);
for (;;) {
- stream = clnt_stream_access(proxy_stream);
+ stream = clnt_stream_access(dict_proxy->clnt);
errno = 0;
count += 1;
if (attr_print(stream, ATTR_FLAG_NONE,
} else {
if (msg_verbose)
msg_info("%s: table=%s flags=%s key=%s value=%s -> status=%d",
- myname, dict->name, dict_flags_str(request_flags),
+ myname, dict->name, dict_flags_str(request_flags),
key, value, status);
switch (status) {
case PROXY_STAT_BAD:
- msg_fatal("%s lookup failed for table \"%s\" key \"%s\": "
+ msg_fatal("%s update failed for table \"%s\" key \"%s\": "
"invalid request",
- MAIL_SERVICE_PROXYMAP, dict->name, key);
+ dict_proxy->service, dict->name, key);
case PROXY_STAT_DENY:
msg_fatal("%s update access is not configured for table \"%s\"",
- MAIL_SERVICE_PROXYMAP, dict->name);
+ dict_proxy->service, dict->name);
case PROXY_STAT_OK:
return;
default:
msg_warn("%s update failed for table \"%s\" key \"%s\": "
"unexpected reply status %d",
- MAIL_SERVICE_PROXYMAP, dict->name, key, status);
+ dict_proxy->service, dict->name, key, status);
+ }
+ }
+ clnt_stream_recover(dict_proxy->clnt);
+ sleep(1); /* XXX make configurable */
+ }
+}
+
+/* dict_proxy_delete - delete table entry */
+
+static int dict_proxy_delete(DICT *dict, const char *key)
+{
+ const char *myname = "dict_proxy_delete";
+ DICT_PROXY *dict_proxy = (DICT_PROXY *) dict;
+ VSTREAM *stream;
+ int status;
+ int count = 0;
+ int request_flags;
+
+ /*
+ * The client and server live in separate processes that may start and
+ * terminate independently. We cannot rely on a persistent connection,
+ * let alone on persistent state (such as a specific open table) that is
+ * associated with a specific connection. Each lookup needs to specify
+ * the table and the flags that were specified to dict_proxy_open().
+ */
+ request_flags = (dict_proxy->in_flags & DICT_FLAG_RQST_MASK)
+ | (dict->flags & DICT_FLAG_RQST_MASK);
+ for (;;) {
+ stream = clnt_stream_access(dict_proxy->clnt);
+ errno = 0;
+ count += 1;
+ if (attr_print(stream, ATTR_FLAG_NONE,
+ ATTR_TYPE_STR, MAIL_ATTR_REQ, PROXY_REQ_DELETE,
+ ATTR_TYPE_STR, MAIL_ATTR_TABLE, dict->name,
+ ATTR_TYPE_INT, MAIL_ATTR_FLAGS, request_flags,
+ ATTR_TYPE_STR, MAIL_ATTR_KEY, key,
+ ATTR_TYPE_END) != 0
+ || vstream_fflush(stream)
+ || attr_scan(stream, ATTR_FLAG_STRICT,
+ ATTR_TYPE_INT, MAIL_ATTR_STATUS, &status,
+ ATTR_TYPE_END) != 1) {
+ if (msg_verbose || count > 1 || (errno && errno != EPIPE && errno !=
+ ENOENT))
+ msg_warn("%s: service %s: %m", myname, VSTREAM_PATH(stream));
+ } else {
+ if (msg_verbose)
+ msg_info("%s: table=%s flags=%s key=%s -> status=%d",
+ myname, dict->name, dict_flags_str(request_flags),
+ key, status);
+ switch (status) {
+ case PROXY_STAT_BAD:
+ msg_fatal("%s delete failed for table \"%s\" key \"%s\": "
+ "invalid request",
+ dict_proxy->service, dict->name, key);
+ case PROXY_STAT_DENY:
+ msg_fatal("%s update access is not configured for table \"%s\"",
+ dict_proxy->service, dict->name);
+ case PROXY_STAT_OK:
+ return 0;
+ case PROXY_STAT_NOKEY:
+ return 1;
+ default:
+ msg_warn("%s delete failed for table \"%s\" key \"%s\": "
+ "unexpected reply status %d",
+ dict_proxy->service, dict->name, key, status);
}
}
- clnt_stream_recover(proxy_stream);
+ clnt_stream_recover(dict_proxy->clnt);
sleep(1); /* XXX make configurable */
}
}
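Review bot: The retry loop in dict_proxy_delete can report a deleted key as missing. If the request is sent and executed but reading the reply fails, the loop reconnects and resends, and the second attempt would presumably come back as PROXY_STAT_NOKEY (return 1). That is inherent in retrying a non-idempotent request, so it deserves a comment above the `for (;;)`, for example `/* XXX a retry after a lost reply can return "not found" for a key that was deleted */`. The block comment copied from the lookup path also still says "Each lookup needs to specify"; `Each request needs to specify` would fit lookup, update and delete alike.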
VSTREAM *stream;
int server_flags;
int status;
+ const char *service;
+ const char *relative_path;
char *kludge = 0;
char *prefix;
+ CLNT_STREAM **pstream;
/*
* Sanity checks.
* server; only sets that make sense. For now, the flags are passed
* implicitly by choosing between the proxymap or proxywrite service.
*/
- if (open_flags != O_RDONLY && open_flags != (O_RDWR | O_CREAT))
+ if (open_flags == O_RDONLY) {
+ pstream = &proxymap_stream;
+ service = MAIL_SERVICE_PROXYMAP;
+ relative_path = MAIL_CLASS_PRIVATE "/" MAIL_SERVICE_PROXYMAP;
+ } else if (open_flags == (O_RDWR | O_CREAT)) {
+ pstream = &proxywrite_stream;
+ service = MAIL_SERVICE_PROXYWRITE;
+ relative_path = MAIL_CLASS_PRIVATE "/" MAIL_SERVICE_PROXYWRITE;
+ } else
msg_fatal("%s: %s map open requires O_RDONLY or O_RDWR|O_CREAT mode",
map, DICT_TYPE_PROXY);
dict_alloc(DICT_TYPE_PROXY, map, sizeof(*dict_proxy));
dict_proxy->dict.lookup = dict_proxy_lookup;
dict_proxy->dict.update = dict_proxy_update;
+ dict_proxy->dict.delete = dict_proxy_delete;
dict_proxy->dict.close = dict_proxy_close;
dict_proxy->in_flags = dict_flags;
dict_proxy->result = vstring_alloc(10);
/*
- * Use a shared stream for all proxied table lookups.
+ * Use a shared stream for proxied table lookups of the same type.
*
* XXX Use absolute pathname to make this work from non-daemon processes.
*/
- if (proxy_stream == 0) {
- if (access(open_flags == O_RDONLY ?
- MAIL_CLASS_PRIVATE "/" MAIL_SERVICE_PROXYMAP :
- MAIL_CLASS_PRIVATE "/" MAIL_SERVICE_PROXYWRITE,
- F_OK) == 0)
+ if (*pstream == 0) {
+ if (access(relative_path, F_OK) == 0)
prefix = MAIL_CLASS_PRIVATE;
else
prefix = kludge = concatenate(var_queue_dir, "/",
MAIL_CLASS_PRIVATE, (char *) 0);
- proxy_stream = clnt_stream_create(prefix,
- open_flags == O_RDONLY ?
- MAIL_SERVICE_PROXYMAP :
- MAIL_SERVICE_PROXYWRITE,
- var_ipc_idle_limit,
- var_ipc_ttl_limit);
+ *pstream = clnt_stream_create(prefix, service, var_ipc_idle_limit,
+ var_ipc_ttl_limit);
if (kludge)
myfree(kludge);
}
+ dict_proxy->clnt = *pstream;
+ dict_proxy->service = service;
/*
* Establish initial contact and get the map type specific flags.
* XXX Should retrieve flags from local instance.
*/
for (;;) {
- stream = clnt_stream_access(proxy_stream);
+ stream = clnt_stream_access(dict_proxy->clnt);
errno = 0;
if (attr_print(stream, ATTR_FLAG_NONE,
ATTR_TYPE_STR, MAIL_ATTR_REQ, PROXY_REQ_OPEN,
switch (status) {
case PROXY_STAT_BAD:
msg_fatal("%s open failed for table \"%s\": invalid request",
- MAIL_SERVICE_PROXYMAP, dict_proxy->dict.name);
+ dict_proxy->service, dict_proxy->dict.name);
case PROXY_STAT_DENY:
msg_fatal("%s service is not configured for table \"%s\"",
- MAIL_SERVICE_PROXYMAP, dict_proxy->dict.name);
+ dict_proxy->service, dict_proxy->dict.name);
case PROXY_STAT_OK:
dict_proxy->dict.flags = dict_proxy->in_flags
| (server_flags & DICT_FLAG_IMPL_MASK);
return (DICT_DEBUG (&dict_proxy->dict));
default:
msg_warn("%s open failed for table \"%s\": unexpected status %d",
- MAIL_SERVICE_PROXYMAP, dict_proxy->dict.name, status);
+ dict_proxy->service, dict_proxy->dict.name, status);
}
}
- clnt_stream_recover(proxy_stream);
+ clnt_stream_recover(dict_proxy->clnt);
sleep(1); /* XXX make configurable */
}
}
#define PROXY_REQ_OPEN "open"
#define PROXY_REQ_LOOKUP "lookup"
#define PROXY_REQ_UPDATE "update"
+#define PROXY_REQ_DELETE "delete"
#define PROXY_STAT_OK 0 /* operation succeeded */
#define PROXY_STAT_NOKEY 1 /* requested key not found */
/* gid_t var_default_gid;
/* char *var_config_dir;
/* char *var_daemon_dir;
+/* char *var_data_dir;
/* char *var_command_dir;
/* char *var_queue_dir;
/* int var_use_limit;
gid_t var_default_gid;
char *var_config_dir;
char *var_daemon_dir;
+char *var_data_dir;
char *var_command_dir;
char *var_queue_dir;
int var_use_limit;
VAR_MYORIGIN, DEF_MYORIGIN, &var_myorigin, 1, 0,
VAR_RELAYHOST, DEF_RELAYHOST, &var_relayhost, 0, 0,
VAR_DAEMON_DIR, DEF_DAEMON_DIR, &var_daemon_dir, 1, 0,
+ VAR_DATA_DIR, DEF_DATA_DIR, &var_data_dir, 1, 0,
VAR_COMMAND_DIR, DEF_COMMAND_DIR, &var_command_dir, 1, 0,
VAR_QUEUE_DIR, DEF_QUEUE_DIR, &var_queue_dir, 1, 0,
VAR_PID_DIR, DEF_PID_DIR, &var_pid_dir, 1, 0,
#endif
extern char *var_pid_dir;
+ /*
+ * Location of writable data files.
+ */
+#define VAR_DATA_DIR "data_directory"
+#ifndef DEF_DATA_DIR
+#define DEF_DATA_DIR "/var/lib/postfix"
+#endif
+extern char *var_data_dir;
+
/*
* Program startup time.
*/
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "2007111204"
+#define MAIL_RELEASE_DATE "2007111205"
#define MAIL_VERSION_NUMBER "2.5"
#ifdef SNAPSHOT
queue->window = 1;
if (queue->todo_refcount > 0)
qmgr_active_drain();
+
+ /*
+ * Every event handler that leaves a queue in the "ready" state should
+ * remove the queue when it is empty.
+ */
+ if (QMGR_QUEUE_READY(queue) && queue->todo.next == 0 && queue->busy.next == 0)
+ qmgr_queue_done(queue);
}
/* qmgr_queue_suspend - briefly suspend a destination */
DICT **dicts;
const char *map_name;
int n;
+ int open_flags;
/*
* Sanity check.
for (n = 0; n < map_count; n++) {
map_name = split_at(maps[n], ':');
if (map_name && strcmp(maps[n], DICT_TYPE_PROXY) == 0)
- msg_fatal("can't delete map entries via the proxy service");
+ open_flags = O_RDWR | O_CREAT; /* XXX */
+ else
+ open_flags = O_RDWR;
dicts[n] = (map_name != 0 ?
- dict_open3(maps[n], map_name, O_RDWR, dict_flags) :
- dict_open3(var_db_type, maps[n], O_RDWR, dict_flags));
+ dict_open3(maps[n], map_name, open_flags, dict_flags) :
+ dict_open3(var_db_type, maps[n], open_flags, dict_flags));
}
/*
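Review bot: The `O_RDWR | O_CREAT` chosen for proxy: tables is explained only by a bare `/* XXX */`, so a reader cannot tell why a delete request opens the table with create permission. Judging from the dict_proxy open hunk in this patch, the proxy client accepts only O_RDONLY or O_RDWR|O_CREAT, which is presumably the reason. Whether the read-write proxy service would then create a missing table for a mistyped name is not visible here and is worth confirming. I would replace the marker with `/* XXX the proxy: client accepts only O_RDONLY or O_RDWR|O_CREAT */`. The same line appears in the single-key delete hunk that follows and in the two matching hunks of the sibling command further down; the enclosing function starts and ends outside this hunk.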
{
DICT *dict;
int status;
+ int open_flags;
if (strcmp(map_type, DICT_TYPE_PROXY) == 0)
- msg_fatal("can't delete map entries via the proxy service");
- dict = dict_open3(map_type, map_name, O_RDWR, dict_flags);
+ open_flags = O_RDWR | O_CREAT; /* XXX */
+ else
+ open_flags = O_RDWR;
+ dict = dict_open3(map_type, map_name, open_flags, dict_flags);
status = dict_del(dict, key);
dict_close(dict);
return (status == 0);
/* The location of Postfix README files that describe how to build,
/* configure or operate a specific Postfix subsystem or feature.
/* .PP
+/* Available in Postfix version 2.5 and later:
+/* .IP "\fBdata_directory (see 'postconf -d' output)\fR"
+/* The directory with Postfix-writable data files (for example:
+/* caches, pseudo-random numbers).
+/* .PP
/* Other configuration parameters:
/* .IP "\fBconfig_directory (see 'postconf -d' output)\fR"
/* The default location of the Postfix main.cf and master.cf
check_setenv(VAR_COMMAND_DIR, var_command_dir); /* main.cf */
check_setenv(VAR_DAEMON_DIR, var_daemon_dir); /* main.cf */
+ check_setenv(VAR_DATA_DIR, var_data_dir); /* main.cf */
check_setenv(VAR_QUEUE_DIR, var_queue_dir); /* main.cf */
check_setenv(VAR_CONFIG_DIR, var_config_dir); /* main.cf */
DICT **dicts;
const char *map_name;
int n;
+ int open_flags;
/*
* Sanity check.
for (n = 0; n < map_count; n++) {
map_name = split_at(maps[n], ':');
if (map_name && strcmp(maps[n], DICT_TYPE_PROXY) == 0)
- msg_fatal("can't delete map entries via the proxy service");
+ open_flags = O_RDWR | O_CREAT; /* XXX */
+ else
+ open_flags = O_RDWR;
dicts[n] = (map_name != 0 ?
- dict_open3(maps[n], map_name, O_RDWR, dict_flags) :
- dict_open3(var_db_type, maps[n], O_RDWR, dict_flags));
+ dict_open3(maps[n], map_name, open_flags, dict_flags) :
+ dict_open3(var_db_type, maps[n], open_flags, dict_flags));
}
/*
{
DICT *dict;
int status;
+ int open_flags;
if (strcmp(map_type, DICT_TYPE_PROXY) == 0)
- msg_fatal("can't delete map entries via the proxy service");
- dict = dict_open3(map_type, map_name, O_RDWR, dict_flags);
+ open_flags = O_RDWR | O_CREAT; /* XXX */
+ else
+ open_flags = O_RDWR;
+ dict = dict_open3(map_type, map_name, open_flags, dict_flags);
status = dict_del(dict, key);
dict_close(dict);
return (status == 0);
/* service.
/* .sp
/* This request is supported in Postfix 2.5 and later.
+/* .IP "\fBdelete\fR \fImaptype:mapname flags key\fR"
+/* Delete the data stored under the requested key.
+/* The reply is the request completion status code.
+/* The \fImaptype:mapname\fR and \fIflags\fR are the same
+/* as with the \fBopen\fR request.
+/* .sp
+/* This request is supported in Postfix 2.5 and later.
/* .PP
/* The request completion status is one of OK, RETRY, NOKEY
/* (lookup failed because the key was not found), BAD (malformed
/* requests to access a table for security-sensitive purposes,
/* and opens the table directly. This allows the same main.cf
/* setting to be used by sensitive and non-sensitive processes.
+/*
+/* Postfix-writable data files should be stored under a dedicated
+/* directory that is writable only by the $\fBmail_owner\fR
+/* account, such as the $\fBdata_directory\fR directory.
+/*
+/* In particular, Postfix-writable files should never exist
+/* in root-owned directories. That would open up a particular
+/* type of security hole where ownership (root) does not match
+/* content provenance (Postfix).
/* DIAGNOSTICS
/* Problems and transactions are logged to \fBsyslogd\fR(8).
/* BUGS
/* access for the read-only service.
/* .PP
/* Available in Postfix 2.5 and later:
+/* .IP "\fBdata_directory (see 'postconf -d' output)\fR"
+/* The directory with Postfix-writable data files (for example:
+/* caches, pseudo-random numbers).
/* .IP "\fBproxy_write_maps (see 'postconf -d' output)\fR"
-/* The lookup tables that the \fBproxymap\fR(8) server is allowed to
-/* access for the read-write service.
+/* The lookup tables that the \fBproxymap\fR(8) server is allowed to access
+/* for the read-write service.
/* SEE ALSO
/* postconf(5), configuration parameters
/* master(5), generic daemon options
ATTR_TYPE_END);
}
+/* proxymap_delete_service - remote delete service */
+
+static void proxymap_delete_service(VSTREAM *client_stream)
+{
+ int request_flags;
+ DICT *dict;
+ int reply_status;
+
+ /*
+ * Process the request.
+ *
+ * XXX We don't close maps, so we must turn on synchronous update to ensure
+ * that the on-disk data is in a consistent state between updates.
+ */
+ if (attr_scan(client_stream, ATTR_FLAG_STRICT,
+ ATTR_TYPE_STR, MAIL_ATTR_TABLE, request_map,
+ ATTR_TYPE_INT, MAIL_ATTR_FLAGS, &request_flags,
+ ATTR_TYPE_STR, MAIL_ATTR_KEY, request_key,
+ ATTR_TYPE_END) != 3) {
+ reply_status = PROXY_STAT_BAD;
+ } else if (proxy_writer == 0) {
+ msg_warn("refusing %s delete request on non-%s service",
+ STR(request_map), MAIL_SERVICE_PROXYWRITE);
+ reply_status = PROXY_STAT_DENY;
+ } else if ((dict = proxy_map_find(STR(request_map), request_flags,
+ &reply_status)) == 0) {
+ /* void */ ;
+ } else {
+ dict->flags = ((dict->flags & ~DICT_FLAG_RQST_MASK)
+ | (request_flags & DICT_FLAG_RQST_MASK)
+ | DICT_FLAG_SYNC_UPDATE);
+ reply_status =
+ dict_del(dict, STR(request_key)) ? PROXY_STAT_OK : PROXY_STAT_NOKEY;
+ }
+
+ /*
+ * Respond to the client.
+ */
+ attr_print(client_stream, ATTR_FLAG_NONE,
+ ATTR_TYPE_INT, MAIL_ATTR_STATUS, reply_status,
+ ATTR_TYPE_END);
+}
+
/* proxymap_open_service - open remote lookup table */
static void proxymap_open_service(VSTREAM *client_stream)
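Review bot: The reply status in proxymap_delete_service looks inverted: `dict_del(dict, STR(request_key)) ? PROXY_STAT_OK : PROXY_STAT_NOKEY` reports OK when dict_del returns non-zero. The command-line delete callers in this patch treat `status == 0` from dict_del as success, and dict_proxy_delete returns 0 for PROXY_STAT_OK and 1 for PROXY_STAT_NOKEY. So a delete that succeeded would reach the caller as "not found", and a missing key as success. Assuming dict_del follows that 0-on-success convention (its definition is not in the hunk), the arms should be swapped: `dict_del(dict, STR(request_key)) ? PROXY_STAT_NOKEY : PROXY_STAT_OK;`.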
proxymap_lookup_service(client_stream);
} else if (VSTREQ(request, PROXY_REQ_UPDATE)) {
proxymap_update_service(client_stream);
+ } else if (VSTREQ(request, PROXY_REQ_DELETE)) {
+ proxymap_delete_service(client_stream);
} else if (VSTREQ(request, PROXY_REQ_OPEN)) {
proxymap_open_service(client_stream);
} else {
queue->window = 1;
if (queue->todo_refcount > 0)
qmgr_active_drain();
+
+ /*
+ * Every event handler that leaves a queue in the "ready" state should
+ * remove the queue when it is empty.
+ */
+ if (QMGR_QUEUE_READY(queue) && queue->todo.next == 0 && queue->busy.next == 0)
+ qmgr_queue_done(queue);
}
/* qmgr_queue_suspend - briefly suspend a destination */
/* .IP "\fBhopcount_limit (50)\fR"
/* The maximal number of Received: message headers that is allowed
/* in the primary message headers.
-/* .IP "\fBqueue_run_delay (version dependent)\fR"
-/* The time between deferred queue scans by the queue manager.
+/* .IP "\fBqueue_run_delay (300s)\fR"
+/* The time between deferred queue scans by the queue manager;
+/* prior to Postfix 2.4 the default value was 1000s.
/* FAST FLUSH CONTROLS
/* .ad
/* .fi
rec_fputs(dst, REC_TYPE_FROM, saved_sender);
if (verp_delims && *saved_sender == 0)
msg_fatal_status(EX_USAGE,
- "-V option requires non-null sender address");
+ "%s(%ld): -V option requires non-null sender address",
+ saved_sender, (long) uid);
if (encoding)
rec_fprintf(dst, REC_TYPE_ATTR, "%s=%s", MAIL_ATTR_ENCODING, encoding);
if (DEL_REQ_TRACE_FLAGS(flags))
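Review bot: The new `%s(%ld): ` prefix prints an empty name in the -V check, because this branch is taken only when `*saved_sender == 0`; only the uid identifies the caller there. If the aim is to attribute the error to a user in the log, the prefix could be reduced to the uid, for example `"uid %ld: -V option requires non-null sender address", (long) uid`, or use a login name if one is in scope outside this hunk. In the later no-recipient hunk only the first arm of the conditional format string carries the prefix, although both arms receive the arguments. The "Recipient addresses must be specified" message therefore still lacks the user information. The enclosing function starts and ends outside these hunks.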
rec_fputs(dst, REC_TYPE_MESG, "");
if (DEL_REQ_TRACE_ONLY(flags) != 0) {
if (flags & SM_FLAG_XRCPT)
- msg_fatal_status(EX_USAGE, "-t option cannot be used with -bv");
+ msg_fatal_status(EX_USAGE, "%s(%ld): -t option cannot be used with -bv",
+ saved_sender, (long) uid);
if (*saved_sender)
rec_fprintf(dst, REC_TYPE_NORM, "From: %s", saved_sender);
rec_fprintf(dst, REC_TYPE_NORM, "Subject: probe");
}
if (rcpt_count == 0)
msg_fatal_status(EX_USAGE, (flags & SM_FLAG_XRCPT) ?
- "No recipient addresses found in message header" :
+ "%s(%ld): No recipient addresses found in message header" :
"Recipient addresses must be specified on"
- " the command line or via the -t option");
+ " the command line or via the -t option",
+ saved_sender, (long) uid);
/*
* Identify the end of the queue file.