Workaround: BSD-ish mkdir() ignores the effective GID
and copies group ownership from the parent directory.
File: util/make_dirs.c.
+
+20101202
+
+ Feature: the LDAP client can now authenticate to LDAP servers
+ via SASL. This is tested with SASL GSSAPI and Kerberos 5.
+ Code by Victor Duchovni. Files: global/dict_ldap.c,
+ proto/LDAP_README.html, proto/ldap_table.
+
+ Cleanup: the cleanup server now reports a temporary delivery
+ error when it reaches the virtual_alias_expansion_limit or
+ virtual_alias_recursion_limit. Previously, it would silently
+ ignore the excess recipients and deliver the message. File:
+ cleanup/cleanup_map1n.c.
+
+20101204
+
+ Cleanup: sache_clnt_create() had an unnecessary data
+ dependency on the non-library var_scache_service variable,
+ causing problems with shared library builds. Instead, it
+ should use its service argument (which has the same value).
+ File: global/scache.c.
+
+ Cleanup: pipe_command.c had an unnecessary data dependency
+ on the non-library var_command_maxtime variable, causing
+ problems with shared library builds. The dependency was not
+ necessary because the callers already specify an explicit
+ time limit. File: global/pipe_command.c.
and you may need to use the appropriate linker option (e.g. '-R') so the
executables can find it at runtime.
+If you are using OpenLDAP, and the libraries were built with SASL support, you
+can add -DUSE_LDAP_SASL to the CCARGS to enable SASL support. For example:
+
+ CCARGS="-I/usr/local/include -DHAS_LDAP -DUSE_LDAP_SASL"
+
C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg L\bLD\bDA\bAP\bP l\blo\boo\bok\bku\bup\bps\bs
In order to use LDAP lookups, define an LDAP source as a table lookup in
alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ldap-aliases.cf
The file /etc/postfix/ldap-aliases.cf can specify a great number of parameters,
-including parameters that enable LDAP SSL and STARTTLS. For a complete
-description, see the ldap_table(5) manual page.
+including parameters that enable LDAP SSL or STARTTLS, and LDAP SASL. For a
+complete description, see the ldap_table(5) manual page.
E\bEx\bxa\bam\bmp\bpl\ble\be:\b: l\blo\boc\bca\bal\bl(\b(8\b8)\b) a\bal\bli\bia\bas\bse\bes\bs
* Gunnar Wrobel provided a first implementation of a feature to limit LDAP
search results to leaf nodes only. Victor generalized this into the Postfix
2.4 "leaf_result_attribute" feature.
+ * Quanah Gibson-Mount contributed support for advanced LDAP SASL mechanisms,
+ beyond the password-based LDAP "simple" bind.
And of course Wietse.
based on a single measurement. This is necessary because many zombies avoid
spamming the same site repeatedly, in an attempt to fly under the radar. Once
postscreen(8) decides that a client is not-a-zombie, it whitelists the client
-temporarily to avoid further delays for legitimate mail.
+temporarily to avoid further delays for legitimate mail. Clients that pass
+postscreen(8) are still subject to the checks that are built into Postfix smtpd
+(8), Postfix built-in content filters, and external content filters.
Zombies have challenges too: they have only a limited amount of time to deliver
spam before their IP address becomes blacklisted. To speed up spam deliveries,
postscreen(8) uses a variety of measurements to recognize zombies. First,
postscreen(8) determines if the remote SMTP client IP address is blacklisted.
Second, postscreen(8) looks for protocol compromises that are made to speed up
-delivery. The results of such measurements don't change with each delivery
-attempt, and are therefore good for making an is-it-a-zombie decision based on
-a single measurement.
-
-postscreen(8) does not inspect message content. Message content can vary widely
-with each delivery attempt, especially with clients that (also) send legitimate
-email. Content is therefore not good for making an is-it-a-zombie decision
-based on a single measurement, and that is the problem that postscreen(8) is
+delivery. These are good indicators for making is-it-a-zombie decisions based
+on single measurements.
+
+postscreen(8) does not inspect message content. Message content can vary from
+one delivery to the next, especially with clients that (also) send legitimate
+email. Content is not a good indicator for making is-it-a-zombie decisions
+based on single measurements, and that is the problem that postscreen(8) is
focused on.
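Review bot: in the sentence added after "avoid further delays for legitimate mail", the manual page reference is broken across lines as "Postfix smtpd" / "(8)", so the generated README reads "smtpd" followed by a bare "(8)" on the next line. The HTML source at the same place keeps smtpd(8) on one line, so adjust the wrapping of the generated text so that "smtpd(8)" stays together.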
G\bGe\ben\bne\ber\bra\bal\bl o\bop\bpe\ber\bra\bat\bti\bio\bon\bn
The postscreen(8) triage process involves a number of tests, in the order as
described below. Some tests introduce a delay of a few seconds. Once a client
-passes all tests, its IP address is temporarily excluded from any tests,
-typically 24 hours for simple tests or 1 week for complex tests. This minimizes
-the impact of the tests on legitimate mail clients.
+passes a test, its IP address is whitelisted from 24 hours for simple tests, to
+1 week for complex tests. Whitelisting minimizes the impact of postscreen(8)'s
+tests on legitimate mail clients.
After logging its findings, postscreen(8) by default hands off all connections
to a Postfix SMTP server process. This mode is useful for non-destructive
* postscreen(8)'s built-in SMTP engine does not implement the AUTH, STARTTLS,
XCLIENT, and XFORWARD features. STARTTLS and AUTH support may be added in a
- future version.
+ future version. In the mean time, if you need to make these services
+ available on port 25, then do not enable the tests after the 220 server
+ greeting.
-End-user clients should connect directly to the submission service. Other
-systems that require the above features should directly connect to a Postfix
-SMTP server, or they should be placed on the postscreen(8) whitelist.
+End-user clients should connect directly to the submission service, so that
+they never have to deal with postscreen(8)'s tests.
* Command pipelining test
* Non-SMTP command test
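Review bot: two wording problems in the "General operation" paragraph and the limitations bullet. "whitelisted from 24 hours for simple tests, to 1 week for complex tests" reads as a single range rather than two per-test lifetimes; suggest "whitelisted for 24 hours (simple tests) or 1 week (complex tests)", and the same wording is in the proto HTML source. In the bullet about AUTH, STARTTLS, XCLIENT and XFORWARD, "In the mean time" should be "In the meantime", and "do not enable the tests after the 220 server greeting" would be clearer if it named them, e.g. "the optional after-220 tests (command pipelining, non-SMTP command, bare newline)", since the replaced paragraph that told other systems to connect to a Postfix SMTP server directly or to be whitelisted is gone and this bullet is now the only guidance for such systems.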
postscreen parameters always evaluate as if the stress value is
equal to the empty string.
+Incompatibility with snapshot 20101202
+======================================
+
+Postfix now reports a temporary delivery error when the result of
+virtual alias expansion would exceed the virtual_alias_recursion_limit
+or virtual_alias_expansion_limit. Previously, Postfix would silently
+drop the excess recipients and deliver the message.
+
Incompatibility with snapshot 20101130
======================================
smtpd xclient option for sasl_username.
- Use different ipc_timeout settings for email message
- transactions (smtpd, pickup)->cleanup and for quick query/reply
- transactions such as address rewriting/resolution.
+ Use different ipc time limits for email message transactions
+ (smtpd, pickup)->cleanup and for quick query/reply transactions
+ such as address rewriting/resolution. Beware of large time
+ limits for local or virtual alias expansion.
permit_tempfail_action (default: defer_if_reject) to be
used as the default value for dnswl_tempfail_action and
Replace sscanf() numerical conversions by strto[dl]()
for better error reporting.
- Consistency: in postconf.proto make <dt>..</dt> tags bold.
+ As postscreen implements more ESMTP keywords, need to copy
+ inter-operability features from smtpd to filter keywords
+ and command syntax.
- Milter addrcpt - use Sendmail-compatible default DSN settings.
+ Consistency: in postconf.proto make <dt>..</dt> tags bold.
postscreen(8): listen on multiple IP addresses and enforce
that the client contacts the primary MX address first (i.e.
or whatever you have, and you may need to use the appropriate linker
option (e.g. '-R') so the executables can find it at runtime. </p>
+<p> If you are using OpenLDAP, and the libraries were built with SASL
+support, you can add -DUSE_LDAP_SASL to the CCARGS to enable SASL support.
+For example: </p>
+
+<blockquote>
+<pre>
+ CCARGS="-I/usr/local/include -DHAS_LDAP -DUSE_LDAP_SASL"
+</pre>
+</blockquote>
+
<h2><a name="config">Configuring LDAP lookups</a></h2>
<p> In order to use LDAP lookups, define an LDAP source
</blockquote>
<p> The file /etc/postfix/ldap-aliases.cf can specify a great number
-of parameters, including parameters that enable LDAP SSL and
-STARTTLS. For a complete description, see the <a href="ldap_table.5.html">ldap_table(5)</a> manual
-page. </p>
+of parameters, including parameters that enable LDAP SSL or STARTTLS,
+and LDAP SASL. For a complete description, see the <a href="ldap_table.5.html">ldap_table(5)</a>
+manual page. </p>
<h2><a name="example_alias">Example: local(8) aliases</a></h2>
limit LDAP search results to leaf nodes only. Victor generalized
this into the Postfix 2.4 "leaf_result_attribute" feature. </li>
+<li>Quanah Gibson-Mount contributed support for advanced LDAP SASL
+mechanisms, beyond the password-based LDAP "simple" bind. </li>
+
</ul>
And of course Wietse.
many zombies avoid spamming the same site repeatedly, in an attempt
to fly under the radar. Once <a href="postscreen.8.html">postscreen(8)</a> decides that a client
is not-a-zombie, it whitelists the client temporarily to avoid
-further delays for legitimate mail. </p>
+further delays for legitimate mail. Clients that pass <a href="postscreen.8.html">postscreen(8)</a>
+are still subject to the checks that are built into Postfix <a href="smtpd.8.html">smtpd(8)</a>,
+Postfix built-in content filters, and external content filters.
+</p>
<p> Zombies have challenges too: they have only a limited amount
of time to deliver spam before their IP address becomes blacklisted.
<p> <a href="postscreen.8.html">postscreen(8)</a> uses a variety of measurements to recognize
zombies. First, <a href="postscreen.8.html">postscreen(8)</a> determines if the remote SMTP client
IP address is blacklisted. Second, <a href="postscreen.8.html">postscreen(8)</a> looks for protocol
-compromises that are made to speed up delivery. The results of
-such measurements don't change with each delivery attempt, and are
-therefore good for making an is-it-a-zombie decision based on a
-single measurement. </p>
+compromises that are made to speed up delivery. These are good
+indicators for making is-it-a-zombie decisions based on single
+measurements. </p>
<p> <a href="postscreen.8.html">postscreen(8)</a> does not inspect message content. Message content
-can vary widely with each delivery attempt, especially with clients
-that (also) send legitimate email. Content is therefore not good
-for making an is-it-a-zombie decision based on a single measurement,
+can vary from one delivery to the next, especially with clients
+that (also) send legitimate email. Content is not a good indicator
+for making is-it-a-zombie decisions based on single measurements,
and that is the problem that <a href="postscreen.8.html">postscreen(8)</a> is focused on. </p>
<h2> <a name="general"> General operation </a> </h2>
<p> The <a href="postscreen.8.html">postscreen(8)</a> triage process involves a number of tests,
in the order as described below. Some tests introduce a delay of
-a few seconds. Once a client passes all tests, its IP address is
-temporarily excluded from any tests, typically 24 hours for simple
-tests or 1 week for complex tests. This minimizes the impact of
-the tests on legitimate mail clients. </p>
+a few seconds. Once a client passes a test, its IP address is
+whitelisted from 24 hours for simple tests, to 1 week for complex
+tests. Whitelisting minimizes the impact of <a href="postscreen.8.html">postscreen(8)</a>'s tests
+on legitimate mail clients. </p>
<p> After logging its findings, <a href="postscreen.8.html">postscreen(8)</a> by default hands off
all connections to a Postfix SMTP server process. This mode is
<li> <p> <a href="postscreen.8.html">postscreen(8)</a>'s built-in SMTP engine does not implement
the AUTH, STARTTLS, XCLIENT, and XFORWARD features. STARTTLS and
-AUTH support may be added in a future version. </p>
+AUTH support may be added in a future version. In the mean time,
+if you need to make these services available on port 25, then do
+not enable the tests after the 220 server greeting. </p>
</ul>
<p> End-user clients should connect directly to the submission
-service. Other systems that require the above features
-should directly connect to a Postfix SMTP server, or they
-should be placed on the <a href="postscreen.8.html">postscreen(8)</a> whitelist. </p>
+service, so that they never have to deal with <a href="postscreen.8.html">postscreen(8)</a>'s tests.
+</p>
<ul>
and LDAP_SCOPE_ONELEVEL.
<b>bind (default: yes)</b>
- Whether or not to bind to the LDAP server. Newer
+ Whether or how to bind to the LDAP server. Newer
LDAP implementations don't require clients to bind,
which saves time. Example:
+ # Don't bind
bind = no
+ # Use SIMPLE bind
+ bind = yes
+ # Use SASL bind
+ bind = sasl
+
+ Postfix versions prior to 2.8 only support "bind =
+ no" which means don't bind, and "bind = yes" which
+ means do a SIMPLE bind. Postfix 2.8 and later also
+ supports "bind = SASL" when compiled with LDAP SASL
+ support as described in <a href="LDAP_README.html">LDAP_README</a>, it also adds
+ the synonyms "bind = none" and "bind = simple" for
+ "bind = no" and "bind = yes" respectively. See the
+ SASL section below for additional parameters avail-
+ able with "bind = sasl".
If you do need to bind, you might consider config-
uring Postfix to connect to the local machine on a
guished name. Example:
bind_dn = uid=postfix, dc=your, dc=com
+ With "bind = sasl" (see above) the DN may be
+ optional for some SASL mechanisms, don't specify a
+ DN if not needed.
<b>bind_pw (default: empty)</b>
The password for the distinguished name above. If
mand. Example:
bind_pw = postfixpw
+ With "bind = sasl" (see above) the password may be
+ optional for some SASL mechanisms, don't specify a
+ password if not needed.
<b>cache (IGNORED with a warning)</b>
What level to set for debugging in the OpenLDAP
libraries.
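Review bot: the rewritten bind description has a comma splice and inconsistent casing. "... supports "bind = SASL" when compiled with LDAP SASL support as described in LDAP_README, it also adds the synonyms ..." should be two sentences ("... as described in LDAP_README. It also adds the synonyms ..."), and the value is spelled "bind = sasl" in the example and in the last sentence but "bind = SASL" in between; use one spelling (lower-case, matching the example) or say that the value is case-insensitive. The bind_dn and bind_pw additions have the same splice: "the DN may be optional for some SASL mechanisms, don't specify a DN if not needed" reads better as "... for some SASL mechanisms; don't specify a DN if not needed" (likewise for the password).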
+<b>LDAP SASL PARAMETERS</b>
+ If you're using the OpenLDAP libraries compiled with SASL
+ support, Postfix 2.8 and later built with LDAP SASL sup-
+ port as described in <a href="LDAP_README.html">LDAP_README</a> can authenticate to LDAP
+ servers via SASL.
+
+ This enables authentication to the LDAP server via mecha-
+ nisms other than a simple password. The added flexibility
+ has a cost: it is no longer practical to set an explicit
+ timeout on the duration of an LDAP bind operation. Under
+ adverse conditions, whether a SASL bind times out, or if
+ it does, the duration of the timeout is determined by the
+ LDAP and SASL libraries.
+
+ It is best to use tables that use SASL binds via <a href="proxymap.8.html">prox-</a>
+ <a href="proxymap.8.html">ymap(8)</a>, this way the requesting process can time-out the
+ proxymap request. This also lets you tailer the process
+ environment by overriding the <a href="proxymap.8.html">proxymap(8)</a> import_environ-
+ ment setting in <a href="master.5.html">master.cf</a>(5). Special environment settings
+ may be needed to configure GSSAPI credential caches or
+ other SASL mechanism specific options. The GSSAPI creden-
+ tials used for LDAP lookups may need to be different than
+ say those used for the Postfix SMTP client to authenticate
+ to remote servers.
+
+ Using SASL mechanisms requires LDAP protocol version 3,
+ the default protocol version is 2 for backwards compati-
+ bility. You must set "version = 3" in addition to "bind =
+ sasl".
+
+ The following parameters are relevant to using LDAP with
+ SASL
+
+ <b>sasl (default: no)</b>
+ Whether or not to use SASL binds to the server.
+ Can be yes or no.
+
+ <b>sasl_mechs (default: empty)</b>
+ Space separated list of SASL mechanism(s) to try.
+
+ <b>sasl_realm (default: empty)</b>
+ SASL Realm to use, if applicable.
+
+ <b>sasl_authz_id (default: empty)</b>
+ The SASL authorization identity to assert, if
+ applicable.
+
+ <b>sasl_minssf (default: 0)</b>
+ The minimum required sasl security factor required
+ to establish a connection.
+
<b>LDAP SSL AND STARTTLS PARAMETERS</b>
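Review bot: the new "sasl (default: no)" parameter conflicts with the bind section above, which documents "bind = sasl" as the way to select SASL binds; either drop this parameter or state which setting wins when they disagree, otherwise readers will set one and not the other. Smaller points in the same section: "tailer the process environment" should be "tailor", "The minimum required sasl security factor required" repeats "required", the sentence introducing the parameter list ("relevant to using LDAP with SASL") lacks the colon that the SSL section uses, and "whether a SASL bind times out, or if it does, the duration of the timeout is determined by" reads better as "whether a SASL bind times out, and if so after how long, is determined by the LDAP and SASL libraries". Since sasl_minssf defaults to 0, it would also help to state that by default no integrity or confidentiality protection is required from the SASL layer, so deployments that do not use LDAP SSL or STARTTLS should set a non-zero value if they rely on SASL for channel protection.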
- If you're using the OpenLDAP libraries compiled with SSL
- support, Postfix can connect to LDAP SSL servers and can
+ If you're using the OpenLDAP libraries compiled with SSL
+ support, Postfix can connect to LDAP SSL servers and can
issue the STARTTLS command.
- LDAP SSL service can be requested by using a LDAP SSL URL
+ LDAP SSL service can be requested by using a LDAP SSL URL
in the server_host parameter:
server_host = ldaps://ldap.example.com:636
start_tls = yes
- Both forms require LDAP protocol version 3, which has to
+ Both forms require LDAP protocol version 3, which has to
be set explicitly with:
version = 3
If any of the Postfix programs querying the map is config-
- ured in <a href="master.5.html">master.cf</a> to run chrooted, all the certificates
+ ured in <a href="master.5.html">master.cf</a> to run chrooted, all the certificates
and keys involved have to be copied to the chroot jail. Of
- course, the private keys should only be readable by the
+ course, the private keys should only be readable by the
user "postfix".
- The following parameters are relevant to LDAP SSL and
+ The following parameters are relevant to LDAP SSL and
STARTTLS:
<b>start_tls (default: no)</b>
Whether or not to issue STARTTLS upon connection to
- the server. Don't set this with LDAP SSL (the SSL
+ the server. Don't set this with LDAP SSL (the SSL
session is setup automatically when the TCP connec-
tion is opened).
- <b>tls_ca_cert_dir (No default; set either this or</b>
+ <b>tls_ca_cert_dir (No default; set either this or</b>
<b>tls_ca_cert_file)</b>
Directory containing X509 Certificate Authority
- certificates in PEM format which are to be recog-
- nized by the client in SSL/TLS connections. The
- files each contain one CA certificate. The files
- are looked up by the CA subject name hash value,
- which must hence be available. If more than one CA
- certificate with the same name hash value exist,
- the extension must be different (e.g. 9d66eef0.0,
- 9d66eef0.1 etc). The search is performed in the
- ordering of the extension number, regardless of
+ certificates in PEM format which are to be recog-
+ nized by the client in SSL/TLS connections. The
+ files each contain one CA certificate. The files
+ are looked up by the CA subject name hash value,
+ which must hence be available. If more than one CA
+ certificate with the same name hash value exist,
+ the extension must be different (e.g. 9d66eef0.0,
+ 9d66eef0.1 etc). The search is performed in the
+ ordering of the extension number, regardless of
other properties of the certificates. Use the
c_rehash utility (from the OpenSSL distribution) to
create the necessary links.
- <b>tls_ca_cert_file (No default; set either this or</b>
+ <b>tls_ca_cert_file (No default; set either this or</b>
<b>tls_ca_cert_dir)</b>
File containing the X509 Certificate Authority cer-
- tificates in PEM format which are to be recognized
- by the client in SSL/TLS connections. This setting
+ tificates in PEM format which are to be recognized
+ by the client in SSL/TLS connections. This setting
takes precedence over tls_ca_cert_dir.
<b>tls_cert (No default; you must set this)</b>
- File containing client's X509 certificate to be
+ File containing client's X509 certificate to be
used by the client in SSL/ TLS connections.
<b>tls_key (No default; you must set this)</b>
- File containing the private key corresponding to
+ File containing the private key corresponding to
the above tls_cert.
<b>tls_require_cert (default: no)</b>
Whether or not to request server's X509 certificate
- and check its validity when establishing SSL/TLS
- connections. The supported values are <b>no</b> and <b>yes</b>.
+ and check its validity when establishing SSL/TLS
+ connections. The supported values are <b>no</b> and <b>yes</b>.
- With <b>no</b>, the server certificate trust chain is not
- checked, but with OpenLDAP prior to 2.1.13, the
+ With <b>no</b>, the server certificate trust chain is not
+ checked, but with OpenLDAP prior to 2.1.13, the
name in the server certificate must still match the
LDAP server name. With OpenLDAP 2.0.0 to 2.0.11 the
- server name is not necessarily what you specified,
- rather it is determined (by reverse lookup) from
- the IP address of the LDAP server connection. With
- OpenLDAP prior to 2.0.13, subjectAlternativeName
+ server name is not necessarily what you specified,
+ rather it is determined (by reverse lookup) from
+ the IP address of the LDAP server connection. With
+ OpenLDAP prior to 2.0.13, subjectAlternativeName
extensions in the LDAP server certificate are
- ignored: the server name must match the subject
+ ignored: the server name must match the subject
CommonName. The <b>no</b> setting corresponds to the <b>never</b>
- value of <b>TLS_REQCERT</b> in LDAP client configuration
+ value of <b>TLS_REQCERT</b> in LDAP client configuration
files.
- Don't use TLS with OpenLDAP 2.0.x (and especially
+ Don't use TLS with OpenLDAP 2.0.x (and especially
with x <= 11) if you can avoid it.
- With <b>yes</b>, the server certificate must be issued by
- a trusted CA, and not be expired. The LDAP server
- name must match one of the name(s) found in the
+ With <b>yes</b>, the server certificate must be issued by
+ a trusted CA, and not be expired. The LDAP server
+ name must match one of the name(s) found in the
certificate (see above for OpenLDAP library version
dependent behavior). The <b>yes</b> setting corresponds to
the <b>demand</b> value of <b>TLS_REQCERT</b> in LDAP client con-
The "try" and "never" values of <b>TLS_REQCERT</b> have no
equivalents here. They are not available with
- OpenLDAP 2.0, and in any case have questionable
- security properties. Either you want TLS verified
+ OpenLDAP 2.0, and in any case have questionable
+ security properties. Either you want TLS verified
LDAP connections, or you don't.
The <b>yes</b> value only works correctly with Postfix 2.5
- and later, or with OpenLDAP 2.0. Earlier Postfix
- releases or later OpenLDAP releases don't work
- together with this setting. Support for LDAP over
- TLS was added to Postfix based on the OpenLDAP 2.0
+ and later, or with OpenLDAP 2.0. Earlier Postfix
+ releases or later OpenLDAP releases don't work
+ together with this setting. Support for LDAP over
+ TLS was added to Postfix based on the OpenLDAP 2.0
API.
<b>tls_random_file (No default)</b>
- Path of a file to obtain random bits from when
- /dev/[u]random is not available, to be used by the
+ Path of a file to obtain random bits from when
+ /dev/[u]random is not available, to be used by the
client in SSL/TLS connections.
<b>tls_cipher_suite (No default)</b>
Cipher suite to use in SSL/TLS negotiations.
<b>EXAMPLE</b>
- Here's a basic example for using LDAP to look up <a href="local.8.html">local(8)</a>
+ Here's a basic example for using LDAP to look up <a href="local.8.html">local(8)</a>
aliases. Assume that in <a href="postconf.5.html">main.cf</a>, you have:
<a href="postconf.5.html#alias_maps">alias_maps</a> = hash:/etc/aliases,
server_host = ldap.example.com
search_base = dc=example, dc=com
- Upon receiving mail for a local address "ldapuser" that
- isn't found in the /etc/aliases database, Postfix will
+ Upon receiving mail for a local address "ldapuser" that
+ isn't found in the /etc/aliases database, Postfix will
search the LDAP server listening at port 389 on ldap.exam-
- ple.com. It will bind anonymously, search for any direc-
- tory entries whose mailacceptinggeneralid attribute is
+ ple.com. It will bind anonymously, search for any direc-
+ tory entries whose mailacceptinggeneralid attribute is
"ldapuser", read the "maildrop" attributes of those found,
and build a list of their maildrops, which will be treated
- as <a href="http://tools.ietf.org/html/rfc822">RFC822</a> addresses to which the message will be deliv-
+ as <a href="http://tools.ietf.org/html/rfc822">RFC822</a> addresses to which the message will be deliv-
ered.
<b>SEE ALSO</b>
<a href="LDAP_README.html">LDAP_README</a>, Postfix LDAP client guide
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>
- Carsten Hoeger, Hery Rakotoarisoa, John Hensley, Keith
- Stevenson, LaMont Jones, Liviu Daia, Manuel Guesdon, Mike
- Mattice, Prabhat K Singh, Sami Haahtinen, Samuel Tardieu,
+ Carsten Hoeger, Hery Rakotoarisoa, John Hensley, Keith
+ Stevenson, LaMont Jones, Liviu Daia, Manuel Guesdon, Mike
+ Mattice, Prabhat K Singh, Sami Haahtinen, Samuel Tardieu,
Victor Duchovni, and many others.
LDAP_TABLE(5)
Problems and transactions are logged to <b>syslogd</b>(8).
<b>BUGS</b>
- Some of the non-default protocol tests involve
- <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol engine. When these
+ The <a href="postscreen.8.html"><b>postscreen</b>(8)</a> built-in SMTP protocol engine does not
+ announce support for STARTTLS, AUTH, XCLIENT or XFORWARD.
+ Support for STARTTLS and AUTH may be added in the future.
+ In the mean time, if you need to make these services
+ available on port 25, then do not enable the optional
+ "after 220 server greeting" tests.
+
+ The optional "after 220 server greeting" tests involve
+ <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol engine. When these
tests succeed, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> adds the client to the tempo-
- rary whitelist but it cannot not hand off the "live" con-
- nection to a Postfix SMTP server process in the middle of
- a session. Instead, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> defers attempts to
- deliver mail with a 4XX status, and waits for the client
- to disconnect. The next time a good client connects, it
- will be allowed to talk to a Postfix SMTP server process
- to deliver mail. <a href="postscreen.8.html"><b>postscreen</b>(8)</a> mitigates the impact of
- this limitation by giving such tests a long expiration
+ rary whitelist but it cannot not hand off the "live" con-
+ nection to a Postfix SMTP server process in the middle of
+ a session. Instead, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> defers attempts to
+ deliver mail with a 4XX status, and waits for the client
+ to disconnect. The next time a good client connects, it
+ will be allowed to talk to a Postfix SMTP server process
+ to deliver mail. <a href="postscreen.8.html"><b>postscreen</b>(8)</a> mitigates the impact of
+ this limitation by giving such tests a long expiration
time.
- The <a href="postscreen.8.html"><b>postscreen</b>(8)</a> built-in SMTP protocol engine does not
- announce support for STARTTLS, AUTH, XCLIENT or XFORWARD
- (support for STARTTLS and AUTH may be added in the
- future). End-user clients should connect directly to the
- submission service; other systems that require the above
- features should directly connect to a Postfix SMTP server,
- or they should be placed on the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> whitelist.
-
<b>CONFIGURATION PARAMETERS</b>
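Review bot: the rewritten BUGS text carries over the double negative "it cannot not hand off the "live" connection"; it should read "it cannot hand off". In the new first paragraph, "In the mean time" should be "In the meantime", and the quoted phrase "after 220 server greeting" tests should use the same wording as the README ("the tests after the 220 server greeting") and point readers to the corresponding parameters (postscreen_bare_newline_enable, postscreen_non_smtp_command_enable, and the command pipelining test) so that the two documents can be cross-referenced.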
- Changes to <a href="postconf.5.html">main.cf</a> are not picked up automatically, as
- <a href="postscreen.8.html"><b>postscreen</b>(8)</a> processes may run for several hours. Use
+ Changes to <a href="postconf.5.html">main.cf</a> are not picked up automatically, as
+ <a href="postscreen.8.html"><b>postscreen</b>(8)</a> processes may run for several hours. Use
the command "postfix reload" after a configuration change.
- The text below provides only a parameter summary. See
+ The text below provides only a parameter summary. See
<a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples.
- NOTE: Some <a href="postscreen.8.html"><b>postscreen</b>(8)</a> parameters implement stress-
- dependent behavior. This is supported only when the
- default value is stress-dependent (that is, it looks like
+ NOTE: Some <a href="postscreen.8.html"><b>postscreen</b>(8)</a> parameters implement stress-
+ dependent behavior. This is supported only when the
+ default value is stress-dependent (that is, it looks like
${stress?X}${stress:Y}). Other parameters always evaluate
as if the stress value is the empty string.
<b>TRIAGE PARAMETERS</b>
<b><a href="postconf.5.html#postscreen_bare_newline_action">postscreen_bare_newline_action</a> (ignore)</b>
- The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
- client sends a bare newline character, that is, a
+ The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
+ client sends a bare newline character, that is, a
newline not preceded by carriage return.
<b><a href="postconf.5.html#postscreen_bare_newline_enable">postscreen_bare_newline_enable</a> (no)</b>
- Enable "bare newline" SMTP protocol tests in the
+ Enable "bare newline" SMTP protocol tests in the
<a href="postscreen.8.html"><b>postscreen</b>(8)</a> server.
<b><a href="postconf.5.html#postscreen_blacklist_action">postscreen_blacklist_action</a> (ignore)</b>
- The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
- client is permanently blacklisted with the
+ The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
+ client is permanently blacklisted with the
<a href="postconf.5.html#postscreen_blacklist_networks">postscreen_blacklist_networks</a> parameter.
<b><a href="postconf.5.html#postscreen_blacklist_networks">postscreen_blacklist_networks</a> (empty)</b>
Network addresses that are permanently blacklisted;
- see the <a href="postconf.5.html#postscreen_blacklist_action">postscreen_blacklist_action</a> parameter for
+ see the <a href="postconf.5.html#postscreen_blacklist_action">postscreen_blacklist_action</a> parameter for
possible actions.
<b><a href="postconf.5.html#postscreen_disable_vrfy_command">postscreen_disable_vrfy_command</a> ($<a href="postconf.5.html#disable_vrfy_command">disable_vrfy_command</a>)</b>
- Disable the SMTP VRFY command in the <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
+ Disable the SMTP VRFY command in the <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
daemon.
<b><a href="postconf.5.html#postscreen_dnsbl_action">postscreen_dnsbl_action</a> (ignore)</b>
- The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
+ The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
client's combined DNSBL score is equal to or
- greater than a threshold (as defined with the
+ greater than a threshold (as defined with the
<a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> and <a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_thresh</a>-
<a href="postconf.5.html#postscreen_dnsbl_threshold">old</a> parameters).
<b><a href="postconf.5.html#postscreen_dnsbl_reply_map">postscreen_dnsbl_reply_map</a> (empty)</b>
- A mapping from actual DNSBL domain name which
- includes a secret password, to the DNSBL domain
+ A mapping from actual DNSBL domain name which
+ includes a secret password, to the DNSBL domain
name that postscreen will reply with when it
rejects mail.
weight factors.
<b><a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a> (1)</b>
- The inclusive lower bound for blocking an SMTP
+ The inclusive lower bound for blocking an SMTP
client, based on its combined DNSBL score as
- defined with the <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> parameter.
+ defined with the <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> parameter.
<b><a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbidden_commands</a> ($<a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a>)</b>
List of commands that the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server con-
siders in violation of the SMTP protocol.
<b><a href="postconf.5.html#postscreen_greet_action">postscreen_greet_action</a> (ignore)</b>
- The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
+ The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
client speaks before its turn within the time spec-
ified with the <a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> parameter.
The <i>text</i> in the optional "220-<i>text</i>..." server
response that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> sends ahead of the real
Postfix SMTP server's "220 text..." response, in an
- attempt to confuse bad SMTP clients so that they
+ attempt to confuse bad SMTP clients so that they
speak before their turn (pre-greet).
<b><a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> (${stress?2}${stress:6}s)</b>
The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will wait for
- an SMTP client to send a command before its turn,
- and for DNS blocklist lookup results to arrive
- (default: up to 2 seconds under stress, up to 6
+ an SMTP client to send a command before its turn,
+ and for DNS blocklist lookup results to arrive
+ (default: up to 2 seconds under stress, up to 6
seconds otherwise).
<b><a href="postconf.5.html#postscreen_helo_required">postscreen_helo_required</a> ($<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a>)</b>
- Require that a remote SMTP client sends HELO or
+ Require that a remote SMTP client sends HELO or
EHLO before commencing a MAIL transaction.
<b><a href="postconf.5.html#postscreen_non_smtp_command_action">postscreen_non_smtp_command_action</a> (drop)</b>
- The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
- client sends non-SMTP commands as specified with
+ The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
+ client sends non-SMTP commands as specified with
the <a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbidden_commands</a> parameter.
<b><a href="postconf.5.html#postscreen_non_smtp_command_enable">postscreen_non_smtp_command_enable</a> (no)</b>
- Enable "non-SMTP command" tests in the
+ Enable "non-SMTP command" tests in the
<a href="postscreen.8.html"><b>postscreen</b>(8)</a> server.
<b><a href="postconf.5.html#postscreen_pipelining_action">postscreen_pipelining_action</a> (enforce)</b>
- The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
- client sends multiple commands instead of sending
- one command and waiting for the server to respond.
+ The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
+ client sends multiple commands instead of sending
+ one command and waiting for the server to respond.
<b><a href="postconf.5.html#postscreen_pipelining_enable">postscreen_pipelining_enable</a> (no)</b>
- Enable "pipelining" SMTP protocol tests in the
+ Enable "pipelining" SMTP protocol tests in the
<a href="postscreen.8.html"><b>postscreen</b>(8)</a> server.
<b><a href="postconf.5.html#postscreen_whitelist_networks">postscreen_whitelist_networks</a> ($<a href="postconf.5.html#mynetworks">mynetworks</a>)</b>
Network addresses that are permanently whitelisted,
- and that will not be subjected to <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
+ and that will not be subjected to <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
checks.
<b><a href="postconf.5.html#smtpd_service_name">smtpd_service_name</a> (smtpd)</b>
- The internal service that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> forwards
+ The internal service that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> forwards
allowed connections to.
<b>CACHE CONTROLS</b>
<b><a href="postconf.5.html#postscreen_cache_cleanup_interval">postscreen_cache_cleanup_interval</a> (12h)</b>
- The amount of time between <a href="postscreen.8.html"><b>postscreen</b>(8)</a> cache
+ The amount of time between <a href="postscreen.8.html"><b>postscreen</b>(8)</a> cache
cleanup runs.
<b><a href="postconf.5.html#postscreen_cache_map">postscreen_cache_map</a> (btree:$<a href="postconf.5.html#data_directory">data_directory</a>/ps_cache)</b>
- Persistent storage for the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server
+ Persistent storage for the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server
decisions.
<b><a href="postconf.5.html#postscreen_cache_retention_time">postscreen_cache_retention_time</a> (7d)</b>
The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache an
- expired temporary whitelist entry before it is
+ expired temporary whitelist entry before it is
removed.
<b><a href="postconf.5.html#postscreen_bare_newline_ttl">postscreen_bare_newline_ttl</a> (30d)</b>
- The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache
- results from a successful "bare newline" SMTP pro-
+ The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache
+ results from a successful "bare newline" SMTP pro-
tocol test.
<b><a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a> (1h)</b>
- The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache
+ The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache
results from a successful DNS blocklist test.
<b><a href="postconf.5.html#postscreen_greet_ttl">postscreen_greet_ttl</a> (1d)</b>
- The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache
+ The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache
results from a successful PREGREET test.
<b><a href="postconf.5.html#postscreen_non_smtp_command_ttl">postscreen_non_smtp_command_ttl</a> (30d)</b>
- The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache
- results from a successful "non_smtp_command" SMTP
+ The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache
+ results from a successful "non_smtp_command" SMTP
protocol test.
<b><a href="postconf.5.html#postscreen_pipelining_ttl">postscreen_pipelining_ttl</a> (30d)</b>
- The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache
- results from a successful "pipelining" SMTP proto-
+ The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache
+ results from a successful "pipelining" SMTP proto-
col test.
<b>RESOURCE CONTROLS</b>
<b><a href="postconf.5.html#line_length_limit">line_length_limit</a> (2048)</b>
- Upon input, long lines are chopped up into pieces
- of at most this length; upon delivery, long lines
+ Upon input, long lines are chopped up into pieces
+ of at most this length; upon delivery, long lines
are reconstructed.
<b><a href="postconf.5.html#postscreen_client_connection_count_limit">postscreen_client_connection_count_limit</a></b>
<b>($<a href="postconf.5.html#smtpd_client_connection_count_limit">smtpd_client_connection_count_limit</a>)</b>
- How many simultaneous connections any client is
+ How many simultaneous connections any client is
allowed to have with the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> daemon.
<b><a href="postconf.5.html#postscreen_command_count_limit">postscreen_command_count_limit</a> (20)</b>
- The limit on the total number of commands per SMTP
- session for <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol
+ The limit on the total number of commands per SMTP
+ session for <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol
engine.
<b><a href="postconf.5.html#postscreen_command_time_limit">postscreen_command_time_limit</a> (${stress?10}${stress:300}s)</b>
- The command "read" time limit for <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s
+ The command "read" time limit for <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s
built-in SMTP protocol engine.
<b><a href="postconf.5.html#postscreen_post_queue_limit">postscreen_post_queue_limit</a> ($<a href="postconf.5.html#default_process_limit">default_process_limit</a>)</b>
- The number of clients that can be waiting for ser-
+ The number of clients that can be waiting for ser-
vice from a real SMTP server process.
<b><a href="postconf.5.html#postscreen_pre_queue_limit">postscreen_pre_queue_limit</a> ($<a href="postconf.5.html#default_process_limit">default_process_limit</a>)</b>
- The number of non-whitelisted clients that can be
- waiting for a decision whether they will receive
+ The number of non-whitelisted clients that can be
+ waiting for a decision whether they will receive
service from a real SMTP server process.
<b><a href="postconf.5.html#postscreen_watchdog_timeout">postscreen_watchdog_timeout</a> (10s)</b>
- How much time a <a href="postscreen.8.html"><b>postscreen</b>(8)</a> process may take to
- respond to an SMTP client command or to perform a
+ How much time a <a href="postscreen.8.html"><b>postscreen</b>(8)</a> process may take to
+ respond to an SMTP client command or to perform a
cache operation before it is terminated by a built-
in watchdog timer.
<b>MISCELLANEOUS CONTROLS</b>
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
+ The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
<a href="master.5.html">master.cf</a> configuration files.
<b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
- The maximal number of digits after the decimal
+ The maximal number of digits after the decimal
point when logging sub-second delay values.
<b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b>
- The location of all postfix administrative com-
+ The location of all postfix administrative com-
mands.
<b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
over an internal communication channel.
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
- The maximum amount of time that an idle Postfix
- daemon process waits for an incoming connection
+ The maximum amount of time that an idle Postfix
+ daemon process waits for an incoming connection
before terminating voluntarily.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
- The process ID of a Postfix command or daemon
+ The process ID of a Postfix command or daemon
process.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
- The process name of a Postfix command or daemon
+ The process name of a Postfix command or daemon
process.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b>SEE ALSO</b>
<a href="POSTSCREEN_README.html">POSTSCREEN_README</a>, Postfix Postscreen Howto
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>HISTORY</b>
- Many ideas in <a href="postscreen.8.html"><b>postscreen</b>(8)</a> were explored in earlier work
- by Michael Tokarev, in OpenBSD spamd, and in MailChannels
+ Many ideas in <a href="postscreen.8.html"><b>postscreen</b>(8)</a> were explored in earlier work
+ by Michael Tokarev, in OpenBSD spamd, and in MailChannels
Traffic Control.
<b>AUTHOR(S)</b>
These translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE,
and LDAP_SCOPE_ONELEVEL.
.IP "\fBbind (default: yes)\fR"
-Whether or not to bind to the LDAP server. Newer LDAP
+Whether or how to bind to the LDAP server. Newer LDAP
implementations don't require clients to bind, which saves
time. Example:
.nf
+ # Don't bind
bind = no
+ # Use SIMPLE bind
+ bind = yes
+ # Use SASL bind
+ bind = sasl
.fi
+Postfix versions prior to 2.8 only support "bind = no" which
+means don't bind, and "bind = yes" which means do a SIMPLE bind.
+Postfix 2.8 and later also supports "bind = SASL" when compiled
+with LDAP SASL support as described in LDAP_README, it also adds
+the synonyms "bind = none" and "bind = simple" for "bind = no"
+and "bind = yes" respectively. See the SASL section below for
+additional parameters available with "bind = sasl".
+
If you do need to bind, you might consider configuring
Postfix to connect to the local machine on a port that's
an SSL tunnel to your LDAP server. If your LDAP server
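Review bot: the added paragraph spells the value as "bind = SASL" ("+Postfix 2.8 and later also supports "bind = SASL" when compiled") while the example block above it and the rest of the section write "bind = sasl"; use one spelling unless the parameter is documented as case-insensitive. The same sentence is a run-on ("... as described in LDAP_README, it also adds the synonyms ..."); split it after "LDAP_README" and start a new sentence with "It also adds the synonyms".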
.nf
bind_dn = uid=postfix, dc=your, dc=com
.fi
+With "bind = sasl" (see above) the DN may be optional for some SASL
+mechanisms, don't specify a DN if not needed.
.IP "\fBbind_pw (default: empty)\fR"
The password for the distinguished name above. If you have
to use this, you probably want to make the map configuration
.nf
bind_pw = postfixpw
.fi
+With "bind = sasl" (see above) the password may be optional
+for some SASL mechanisms, don't specify a password if not needed.
.IP "\fBcache (IGNORED with a warning)\fR"
.IP "\fBcache_expiry (IGNORED with a warning)\fR"
.IP "\fBcache_size (IGNORED with a warning)\fR"
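Review bot: the two added sentences ("With "bind = sasl" (see above) the DN may be optional for some SASL mechanisms, don't specify a DN if not needed." and the matching bind_pw sentence) are comma splices; write "... for some SASL mechanisms; do not specify one unless it is needed." More importantly, they should say what these values mean under SASL: the dict_ldap.c hunk later in this patch assigns bind_dn to the SASL authentication identity and bind_pw to the SASL password ("props.authcid = dict_ldap->bind_dn;" and "props.passwd = dict_ldap->bind_pw;"), so for a name-and-password mechanism the "DN" is a user name rather than a DN, and for GSSAPI both are normally left empty because the credential comes from the Kerberos credential cache mentioned in the SASL section. Operators who read only the parameter names will otherwise put a real DN here and get an authentication failure.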
Specifies the LDAP protocol version to use.
.IP "\fBdebuglevel (default: 0)\fR"
What level to set for debugging in the OpenLDAP libraries.
+.SH "LDAP SASL PARAMETERS"
+.na
+.nf
+.ad
+.fi
+If you're using the OpenLDAP libraries compiled with SASL
+support, Postfix 2.8 and later built with LDAP SASL support
+as described in LDAP_README can authenticate to LDAP servers
+via SASL.
+
+This enables authentication to the LDAP server via mechanisms
+other than a simple password. The added flexibility has a cost:
+it is no longer practical to set an explicit timeout on the duration
+of an LDAP bind operation. Under adverse conditions, whether a SASL
+bind times out, or if it does, the duration of the timeout is
+determined by the LDAP and SASL libraries.
+
+It is best to use tables that use SASL binds via proxymap(8), this
+way the requesting process can time-out the proxymap request. This
+also lets you tailer the process environment by overriding the
+proxymap(8) import_environment setting in master.cf(5). Special
+environment settings may be needed to configure GSSAPI credential
+caches or other SASL mechanism specific options. The GSSAPI
+credentials used for LDAP lookups may need to be different than
+say those used for the Postfix SMTP client to authenticate to remote
+servers.
+
+Using SASL mechanisms requires LDAP protocol version 3, the default
+protocol version is 2 for backwards compatibility. You must set
+"version = 3" in addition to "bind = sasl".
+
+The following parameters are relevant to using LDAP with SASL
+.IP "\fBsasl (default: no)\fR"
+Whether or not to use SASL binds to the server. Can be yes or no.
+.IP "\fBsasl_mechs (default: empty)\fR"
+Space separated list of SASL mechanism(s) to try.
+.IP "\fBsasl_realm (default: empty)\fR"
+SASL Realm to use, if applicable.
+.IP "\fBsasl_authz_id (default: empty)\fR"
+The SASL authorization identity to assert, if applicable.
+.IP "\fBsasl_minssf (default: 0)\fR"
+The minimum required sasl security factor required to establish a
+connection.
.SH "LDAP SSL AND STARTTLS PARAMETERS"
.na
.nf
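Review bot: the version requirement in this section ("Using SASL mechanisms requires LDAP protocol version 3, the default protocol version is 2 ... You must set "version = 3" in addition to "bind = sasl"") is enforced only by documentation; the table open code should reject "bind = sasl" with version < 3 with a message that names both settings (or raise the version and warn), because a forgotten "version = 3" otherwise shows up as an opaque library bind error at lookup time instead of a configuration error at startup. Two wording fixes in the same hunk: "Under adverse conditions, whether a SASL bind times out, or if it does, the duration of the timeout is determined by the LDAP and SASL libraries" reads better as "whether a SASL bind times out at all, and if so after how long, is determined by the LDAP and SASL libraries"; and "The minimum required sasl security factor required to establish a connection" repeats "required". The lead-in "The following parameters are relevant to using LDAP with SASL" needs a terminating colon.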
.SH BUGS
.ad
.fi
-Some of the non-default protocol tests involve
+The \fBpostscreen\fR(8) built-in SMTP protocol engine does
+not announce support for STARTTLS, AUTH, XCLIENT or XFORWARD.
+Support for STARTTLS and AUTH may be added in the future.
+In the mean time, if you need to make these services available
+on port 25, then do not enable the optional "after 220
+server greeting" tests.
+
+The optional "after 220 server greeting" tests involve
\fBpostscreen\fR(8)'s built-in SMTP protocol engine. When
these tests succeed, \fBpostscreen\fR(8) adds the client
to the temporary whitelist but it cannot not hand off the
server process to deliver mail. \fBpostscreen\fR(8) mitigates
the impact of this limitation by giving such tests a long
expiration time.
-
-The \fBpostscreen\fR(8) built-in SMTP protocol engine does
-not announce support for STARTTLS, AUTH, XCLIENT or XFORWARD
-(support for STARTTLS and AUTH may be added in the future).
-End-user clients should connect directly to the submission
-service; other systems that require the above features
-should directly connect to a Postfix SMTP server, or they
-should be placed on the \fBpostscreen\fR(8) whitelist.
.SH "CONFIGURATION PARAMETERS"
.na
.nf
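Review bot: "In the mean time" (line "+In the mean time, if you need to make these services available") should be "In the meantime". While this paragraph is being rewritten, the unchanged context line "to the temporary whitelist but it cannot not hand off the" carries a double negative; it should read "cannot hand off". The rewrite also drops the previous advice that systems needing STARTTLS, AUTH, XCLIENT or XFORWARD can be placed on the postscreen(8) whitelist; that remains a supported option (postscreen_whitelist_networks is still documented in the parameter list of this patch) and is the right answer for a known relay, so consider keeping it next to "do not enable the optional "after 220 server greeting" tests" rather than leaving only the all-or-nothing choice.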
or whatever you have, and you may need to use the appropriate linker
option (e.g. '-R') so the executables can find it at runtime. </p>
+<p> If you are using OpenLDAP, and the libraries were built with SASL
+support, you can add -DUSE_LDAP_SASL to the CCARGS to enable SASL support.
+For example: </p>
+
+<blockquote>
+<pre>
+ CCARGS="-I/usr/local/include -DHAS_LDAP -DUSE_LDAP_SASL"
+</pre>
+</blockquote>
+
<h2><a name="config">Configuring LDAP lookups</a></h2>
<p> In order to use LDAP lookups, define an LDAP source
</blockquote>
<p> The file /etc/postfix/ldap-aliases.cf can specify a great number
-of parameters, including parameters that enable LDAP SSL and
-STARTTLS. For a complete description, see the ldap_table(5) manual
-page. </p>
+of parameters, including parameters that enable LDAP SSL or STARTTLS,
+and LDAP SASL. For a complete description, see the ldap_table(5)
+manual page. </p>
<h2><a name="example_alias">Example: local(8) aliases</a></h2>
limit LDAP search results to leaf nodes only. Victor generalized
this into the Postfix 2.4 "leaf_result_attribute" feature. </li>
+<li>Quanah Gibson-Mount contributed support for advanced LDAP SASL
+mechanisms, beyond the password-based LDAP "simple" bind. </li>
+
</ul>
And of course Wietse.
many zombies avoid spamming the same site repeatedly, in an attempt
to fly under the radar. Once postscreen(8) decides that a client
is not-a-zombie, it whitelists the client temporarily to avoid
-further delays for legitimate mail. </p>
+further delays for legitimate mail. Clients that pass postscreen(8)
+are still subject to the checks that are built into Postfix smtpd(8),
+Postfix built-in content filters, and external content filters.
+</p>
<p> Zombies have challenges too: they have only a limited amount
of time to deliver spam before their IP address becomes blacklisted.
<p> postscreen(8) uses a variety of measurements to recognize
zombies. First, postscreen(8) determines if the remote SMTP client
IP address is blacklisted. Second, postscreen(8) looks for protocol
-compromises that are made to speed up delivery. The results of
-such measurements don't change with each delivery attempt, and are
-therefore good for making an is-it-a-zombie decision based on a
-single measurement. </p>
+compromises that are made to speed up delivery. These are good
+indicators for making is-it-a-zombie decisions based on single
+measurements. </p>
<p> postscreen(8) does not inspect message content. Message content
-can vary widely with each delivery attempt, especially with clients
-that (also) send legitimate email. Content is therefore not good
-for making an is-it-a-zombie decision based on a single measurement,
+can vary from one delivery to the next, especially with clients
+that (also) send legitimate email. Content is not a good indicator
+for making is-it-a-zombie decisions based on single measurements,
and that is the problem that postscreen(8) is focused on. </p>
<h2> <a name="general"> General operation </a> </h2>
<p> The postscreen(8) triage process involves a number of tests,
in the order as described below. Some tests introduce a delay of
-a few seconds. Once a client passes all tests, its IP address is
-temporarily excluded from any tests, typically 24 hours for simple
-tests or 1 week for complex tests. This minimizes the impact of
-the tests on legitimate mail clients. </p>
+a few seconds. Once a client passes a test, its IP address is
+whitelisted from 24 hours for simple tests, to 1 week for complex
+tests. Whitelisting minimizes the impact of postscreen(8)'s tests
+on legitimate mail clients. </p>
<p> After logging its findings, postscreen(8) by default hands off
all connections to a Postfix SMTP server process. This mode is
<li> <p> postscreen(8)'s built-in SMTP engine does not implement
the AUTH, STARTTLS, XCLIENT, and XFORWARD features. STARTTLS and
-AUTH support may be added in a future version. </p>
+AUTH support may be added in a future version. In the mean time,
+if you need to make these services available on port 25, then do
+not enable the tests after the 220 server greeting. </p>
</ul>
<p> End-user clients should connect directly to the submission
-service. Other systems that require the above features
-should directly connect to a Postfix SMTP server, or they
-should be placed on the postscreen(8) whitelist. </p>
+service, so that they never have to deal with postscreen(8)'s tests.
+</p>
<ul>
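Review bot: "Once a client passes a test, its IP address is whitelisted from 24 hours for simple tests, to 1 week for complex tests" is ambiguous about what is whitelisted: the postscreen_*_ttl parameters elsewhere in this patch show that each test result is cached with its own expiration time, so say that directly ("each test result is cached separately, for 24 hours for simple tests and 1 week for complex tests"), otherwise readers will assume one passed test exempts the client from every test. In the last part of the hunk, "In the mean time" should be "In the meantime", and the removed sentence offering the postscreen(8) whitelist for systems that require AUTH, STARTTLS, XCLIENT or XFORWARD should stay, since that is still the way to exempt a known relay without disabling the tests for everyone.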
# These translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE,
# and LDAP_SCOPE_ONELEVEL.
# .IP "\fBbind (default: yes)\fR"
-# Whether or not to bind to the LDAP server. Newer LDAP
+# Whether or how to bind to the LDAP server. Newer LDAP
# implementations don't require clients to bind, which saves
# time. Example:
#
# .nf
+# # Don't bind
# bind = no
+# # Use SIMPLE bind
+# bind = yes
+# # Use SASL bind
+# bind = sasl
# .fi
#
+# Postfix versions prior to 2.8 only support "bind = no" which
+# means don't bind, and "bind = yes" which means do a SIMPLE bind.
+# Postfix 2.8 and later also supports "bind = SASL" when compiled
+# with LDAP SASL support as described in LDAP_README, it also adds
+# the synonyms "bind = none" and "bind = simple" for "bind = no"
+# and "bind = yes" respectively. See the SASL section below for
+# additional parameters available with "bind = sasl".
+#
# If you do need to bind, you might consider configuring
# Postfix to connect to the local machine on a port that's
# an SSL tunnel to your LDAP server. If your LDAP server
# .nf
# bind_dn = uid=postfix, dc=your, dc=com
# .fi
+# With "bind = sasl" (see above) the DN may be optional for some SASL
+# mechanisms, don't specify a DN if not needed.
# .IP "\fBbind_pw (default: empty)\fR"
# The password for the distinguished name above. If you have
# to use this, you probably want to make the map configuration
# .nf
# bind_pw = postfixpw
# .fi
+# With "bind = sasl" (see above) the password may be optional
+# for some SASL mechanisms, don't specify a password if not needed.
# .IP "\fBcache (IGNORED with a warning)\fR"
# .IP "\fBcache_expiry (IGNORED with a warning)\fR"
# .IP "\fBcache_size (IGNORED with a warning)\fR"
# Specifies the LDAP protocol version to use.
# .IP "\fBdebuglevel (default: 0)\fR"
# What level to set for debugging in the OpenLDAP libraries.
+# LDAP SASL PARAMETERS
+# .ad
+# .fi
+# If you're using the OpenLDAP libraries compiled with SASL
+# support, Postfix 2.8 and later built with LDAP SASL support
+# as described in LDAP_README can authenticate to LDAP servers
+# via SASL.
+#
+# This enables authentication to the LDAP server via mechanisms
+# other than a simple password. The added flexibility has a cost:
+# it is no longer practical to set an explicit timeout on the duration
+# of an LDAP bind operation. Under adverse conditions, whether a SASL
+# bind times out, or if it does, the duration of the timeout is
+# determined by the LDAP and SASL libraries.
+#
+# It is best to use tables that use SASL binds via proxymap(8), this
+# way the requesting process can time-out the proxymap request. This
+# also lets you tailer the process environment by overriding the
+# proxymap(8) import_environment setting in master.cf(5). Special
+# environment settings may be needed to configure GSSAPI credential
+# caches or other SASL mechanism specific options. The GSSAPI
+# credentials used for LDAP lookups may need to be different than
+# say those used for the Postfix SMTP client to authenticate to remote
+# servers.
+#
+# Using SASL mechanisms requires LDAP protocol version 3, the default
+# protocol version is 2 for backwards compatibility. You must set
+# "version = 3" in addition to "bind = sasl".
+#
+# The following parameters are relevant to using LDAP with SASL
+# .IP "\fBsasl (default: no)\fR"
+# Whether or not to use SASL binds to the server. Can be yes or no.
+# .IP "\fBsasl_mechs (default: empty)\fR"
+# Space separated list of SASL mechanism(s) to try.
+# .IP "\fBsasl_realm (default: empty)\fR"
+# SASL Realm to use, if applicable.
+# .IP "\fBsasl_authz_id (default: empty)\fR"
+# The SASL authorization identity to assert, if applicable.
+# .IP "\fBsasl_minssf (default: 0)\fR"
+# The minimum required sasl security factor required to establish a
+# connection.
# LDAP SSL AND STARTTLS PARAMETERS
# .ad
# .fi
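Review bot: "tailer" in "This also lets you tailer the process environment" is a typo for "tailor", and it is duplicated verbatim in the ldap_table.5 hunk earlier in this patch; since the man page is generated from this proto/ldap_table text, fix it here and regenerate. The parameter list in the same hunk documents "sasl (default: no) ... Can be yes or no", but the bind parameter text in this file says SASL is selected with "bind = sasl", and the dict_ldap.c code in this patch tests the bind value (DICT_LDAP_DO_SASL) rather than a separate sasl flag; either drop the "sasl" entry or document which setting wins when the two disagree.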
/* This module implements one-to-many table mapping via table lookup.
/* Table lookups are done with quoted (externalized) address forms.
/* The process is recursive. The recursion terminates when the
-/* left-hand side appears in its own expansion, or when a maximal
-/* nesting level is reached.
+/* left-hand side appears in its own expansion.
/*
/* cleanup_map1n_internal() is the interface for addresses in
/* internal (unquoted) form.
/* DIAGNOSTICS
-/* Recoverable errors: the global \fIcleanup_errs\fR flag is updated.
+/* When the maximal expansion or recursion limit is reached,
+/* the alias is not expanded and the CLEANUP_STAT_DEFER error
+/* is raised with reason "4.6.0 Alias expansion error".
+/*
+/* When table lookup fails, the alias is not expanded and the
+/* CLEANUP_STAT_WRITE error is raised with reason "4.6.0 Alias
+/* expansion error".
/* SEE ALSO
/* mail_addr_map(3) address mappings
/* mail_addr_find(3) address lookups
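Review bot: both failure cases in the new DIAGNOSTICS text carry the identical reason "4.6.0 Alias expansion error", so the reason text reported back for the message cannot distinguish an expansion or recursion limit breach (usually an alias loop the postmaster must fix) from a transient table lookup failure (a table server that is down); only the msg_warn() text in the code tells them apart. Consider distinct reason texts, or at least state in DIAGNOSTICS that the log warning is where the cause is recorded. Also, the DESCRIPTION above now says recursion terminates only "when the left-hand side appears in its own expansion"; it should still mention that the expansion and recursion limits bound the process and that exceeding them now defers the message, otherwise the two sections contradict each other.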
* must index the array explicitly, instead of running along it with a
* pointer.
*/
-#define UPDATE(ptr,new) { myfree(ptr); ptr = mystrdup(new); }
+#define UPDATE(ptr,new) do { \
+ if (ptr) myfree(ptr); ptr = mystrdup(new); \
+ } while (0)
#define STR vstring_str
-#define RETURN(x) { been_here_free(been_here); return (x); }
+#define RETURN(x) do { \
+ been_here_free(been_here); return (x); \
+ } while (0)
+#define UNEXPAND(argv, addr) do { \
+ argv_truncate((argv), 0); argv_add((argv), (addr), (char *) 0); \
+ } while (0)
for (arg = 0; arg < argv->argc; arg++) {
if (argv->argc > var_virt_expan_limit) {
- msg_warn("%s: unreasonable %s map expansion size for %s",
+ msg_warn("%s: unreasonable %s map expansion size for %s -- "
+ "deferring delivery",
state->queue_id, maps->title, addr);
- break;
+ state->errs |= CLEANUP_STAT_DEFER;
+ UPDATE(state->reason, "4.6.0 Alias expansion error");
+ UNEXPAND(argv, addr);
+ RETURN(argv);
}
for (count = 0; /* void */ ; count++) {
if (been_here_check_fixed(been_here, argv->argv[arg]) != 0)
break;
if (count >= var_virt_recur_limit) {
- msg_warn("%s: unreasonable %s map nesting for %s",
+ msg_warn("%s: unreasonable %s map nesting for %s -- "
+ "deferring delivery",
state->queue_id, maps->title, addr);
- break;
+ state->errs |= CLEANUP_STAT_DEFER;
+ UPDATE(state->reason, "4.6.0 Alias expansion error");
+ UNEXPAND(argv, addr);
+ RETURN(argv);
}
quote_822_local(state->temp1, argv->argv[arg]);
if ((lookup = mail_addr_map(maps, STR(state->temp1), propagate)) != 0) {
myfree(saved_lhs);
argv_free(lookup);
} else if (dict_errno != 0) {
- msg_warn("%s: %s map lookup problem for %s",
+ msg_warn("%s: %s map lookup problem for %s -- "
+ "deferring delivery",
state->queue_id, maps->title, addr);
state->errs |= CLEANUP_STAT_WRITE;
+ UPDATE(state->reason, "4.6.0 Alias expansion error");
+ UNEXPAND(argv, addr);
RETURN(argv);
} else {
break;
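Review bot: UNEXPAND(argv, addr) calls argv_truncate((argv), 0), which frees every string the array holds, and then adds addr back; that is only safe if addr is not itself one of argv's strings (for example argv->argv[arg] from an earlier expansion round), and nothing at the macro or at its three call sites says so. A comment on the macro stating that addr must be the caller's original copy, or an assertion to that effect, would keep a later change from introducing a use-after-free. Smaller points: the four-statement sequence (set state->errs, UPDATE the reason, UNEXPAND, RETURN) is now repeated three times, so one macro for the whole defer path would keep them identical; and the lookup-failure branch keeps CLEANUP_STAT_WRITE while the two new limit branches use CLEANUP_STAT_DEFER, which deserves a one-line comment since all three share the same reason text.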
/* .IP version
/* Specifies the LDAP protocol version to use. Default is version
/* \fI2\fR.
+/* .IP "\fBsasl (no)\fR"
+/* Whether or not to use SASL binds with the server.
+/* .IP "\fBsasl_mechs (empty)\fR"
+/* Specifies a space-separated list of LDAP SASL Mechanisms.
+/* .IP "\fBsasl_realm (empty)\fR"
+/* The realm to use for SASL binds.
+/* .IP "\fBsasl_authz_id (empty)\fR"
+/* The SASL Authorization Identity to assert.
+/* .IP "\fBsasl_minssf (0)\fR"
+/* The minimum SASL SSF to allow.
/* .IP start_tls
/* Whether or not to issue STARTTLS upon connection to the server.
/* At this time, STARTTLS and LDAP SSL are only available if the
#include <dict.h>
#include <stringops.h>
#include <binhash.h>
+#include <name_code.h>
/* Global library. */
#include "cfg_parser.h"
#include "db_common.h"
+#include "mail_conf.h"
+
+#if defined(USE_LDAP_SASL) && defined(LDAP_API_FEATURE_X_OPENLDAP)
+ /*
+ * SASL headers, for sasl_interact_t. Either SASL v1 or v2 should be fine.
+ */
+#include <sasl.h>
+#endif
/* Application-specific. */
#include "dict_ldap.h"
+#define DICT_LDAP_BIND_NONE 0
+#define DICT_LDAP_BIND_SIMPLE 1
+#define DICT_LDAP_BIND_SASL 2
+#define DICT_LDAP_DO_BIND(d) ((d)->bind != DICT_LDAP_BIND_NONE)
+#define DICT_LDAP_DO_SASL(d) ((d)->bind == DICT_LDAP_BIND_SASL)
+
+static const NAME_CODE bindopt_table[] = {
+ CONFIG_BOOL_NO, DICT_LDAP_BIND_NONE,
+ "none", DICT_LDAP_BIND_NONE,
+ CONFIG_BOOL_YES, DICT_LDAP_BIND_SIMPLE,
+ "simple", DICT_LDAP_BIND_SIMPLE,
+#ifdef LDAP_API_FEATURE_X_OPENLDAP
+#if defined(USE_LDAP_SASL)
+ "sasl", DICT_LDAP_BIND_SASL,
+#endif
+#endif
+ 0, -1,
+};
+
typedef struct {
LDAP *conn_ld;
int conn_refcount;
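Review bot: bindopt_table ends with the "0, -1" sentinel, so any value not in the table, including "bind = sasl" on a build compiled without USE_LDAP_SASL, comes back as -1 from the lookup that consults it; the site that reads the bind parameter (not in this hunk) must treat -1 as a fatal configuration error naming the value, because DICT_LDAP_DO_BIND() is true for -1 and DICT_LDAP_DO_SASL() is false, so the bind site below would silently fall through to a simple bind with bind_dn and bind_pw. A clear "bind = sasl requires a build with LDAP SASL support" message is better than that. Also, the header is included as <sasl.h> while Cyrus SASL normally installs it under an include/sasl/ directory; either include <sasl/sasl.h> or document the extra -I next to the -DUSE_LDAP_SASL example added to LDAP_README in this patch.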
int debuglevel;
int version;
#ifdef LDAP_API_FEATURE_X_OPENLDAP
+#if defined(USE_LDAP_SASL)
+ int sasl;
+ char *sasl_mechs;
+ char *sasl_realm;
+ char *sasl_authz;
+ int sasl_minssf;
+#endif
int ldap_ssl;
int start_tls;
int tls_require_cert;
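Review bot: the new "int sasl;" member is never consulted anywhere in this patch: DICT_LDAP_DO_SASL() is defined on ->bind, and both the connection cache key and the bind site use that macro. Either remove the member (together with the "sasl (no)" entry in the module comment and the "sasl (default: no)" entry in ldap_table.5) or wire it up; a half-wired flag invites a later change that reads one field while the configuration set the other.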
return rc;
}
+#if defined(USE_LDAP_SASL) && defined(LDAP_API_FEATURE_X_OPENLDAP)
+ /*
+ * Context structure for SASL property callback.
+ */
+typedef struct bind_props {
+ char *authcid;
+ char *passwd;
+ char *realm;
+ char *authzid;
+} bind_props;
+
+static int
+ldap_b2_interact(LDAP *ld, unsigned flags, void *props, void *inter)
+{
+
+ sasl_interact_t *in;
+ bind_props *ctx = (bind_props *)props;
+
+ for (in = inter; in->id != SASL_CB_LIST_END; in++)
+ {
+ in->result = NULL;
+ switch(in->id)
+ {
+ case SASL_CB_GETREALM:
+ in->result = ctx->realm;
+ break;
+ case SASL_CB_AUTHNAME:
+ in->result = ctx->authcid;
+ break;
+ case SASL_CB_USER:
+ in->result = ctx->authzid;
+ break;
+ case SASL_CB_PASS:
+ in->result = ctx->passwd;
+ break;
+ }
+ if (in->result)
+ in->len = strlen(in->result);
+ }
+ return LDAP_SUCCESS;
+}
+#endif
+
/* dict_ldap_result - Read and parse LDAP result */
static int dict_ldap_result(LDAP *ld, int msgid, int timeout, LDAPMessage **res)
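Review bot: ldap_b2_interact() hands back whatever string is configured even when it is empty: bind_dn and bind_pw default to "" (see the bind_dn[0] test in DN_LOG_VAL later in this patch), so SASL_CB_AUTHNAME and SASL_CB_PASS are answered with a zero-length string rather than left unanswered. For mechanisms that take a name and password, an empty answer is then sent as a credential instead of being reported as missing, which yields an unhelpful authentication failure where a configuration error would be clearer. Treat an empty value as "not set" (leave in->result NULL, or fall back to in->defresult) so the library defaults apply. Style: the "for (...)" and "switch(in->id)" bodies open their brace on a new line, unlike the K&R layout used in the rest of this file (compare "if (DICT_LDAP_DO_BIND(dict_ldap)) {" below), and the ld and flags parameters are unused.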
return LDAP_SUCCESS;
}
+#if defined(USE_LDAP_SASL) && defined(LDAP_API_FEATURE_X_OPENLDAP)
+
+/* Asynchronous SASL auth if SASL is enabled */
+
+static int dict_ldap_bind_sasl(DICT_LDAP *dict_ldap)
+{
+ int rc;
+ bind_props props;
+ static VSTRING *minssf = 0;
+
+ if (minssf == 0)
+ minssf = vstring_alloc(12);
+
+ vstring_sprintf(minssf, "minssf=%d", dict_ldap->sasl_minssf);
+
+ if ((rc = ldap_set_option(dict_ldap->ld, LDAP_OPT_X_SASL_SECPROPS,
+ (char *) minssf)) != LDAP_OPT_SUCCESS)
+ return (rc);
+
+ props.authcid = dict_ldap->bind_dn;
+ props.passwd = dict_ldap->bind_pw;
+ props.realm = dict_ldap->sasl_realm;
+ props.authzid = dict_ldap->sasl_authz;
+
+ if ((rc = ldap_sasl_interactive_bind_s(dict_ldap->ld, NULL,
+ dict_ldap->sasl_mechs, NULL, NULL,
+ LDAP_SASL_QUIET, ldap_b2_interact,
+ &props)) != LDAP_SUCCESS)
+ return (rc);
+
+ return (LDAP_SUCCESS);
+}
+#endif
+
/* dict_ldap_bind_st - Synchronous simple auth with timeout */
static int dict_ldap_bind_st(DICT_LDAP *dict_ldap)
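Review bot: the ldap_set_option() call passes the VSTRING handle rather than its contents: "(char *) minssf" is the address of the VSTRING structure, while LDAP_OPT_X_SASL_SECPROPS expects the "minssf=N" text, i.e. vstring_str(minssf). As written, the library parses the structure's bytes as a security-properties string, so the configured sasl_minssf floor is either rejected (every SASL bind fails) or not applied at all (a minimum SSF that never takes effect), and neither outcome is what the sasl_minssf documentation promises. The comment "Asynchronous SASL auth if SASL is enabled" is also wrong: ldap_sasl_interactive_bind_s() is the synchronous call, which is exactly why the ldap_table.5 text in this patch warns that no bind timeout can be applied; say "synchronous, no timeout" so the next reader does not go looking for a missing timeout.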
}
#endif
+#define DN_LOG_VAL(dict_ldap) \
+ ((dict_ldap)->bind_dn[0] ? (dict_ldap)->bind_dn : "empty or implicit")
/*
* If this server requires a bind, do so. Thanks to Sam Tardieu for
* noticing that the original bind call was broken.
*/
- if (dict_ldap->bind) {
+ if (DICT_LDAP_DO_BIND(dict_ldap)) {
if (msg_verbose)
- msg_info("%s: Binding to server %s as dn %s",
- myname, dict_ldap->server_host, dict_ldap->bind_dn);
+ msg_info("%s: Binding to server %s with dn %s",
+ myname, dict_ldap->server_host, DN_LOG_VAL(dict_ldap));
+#if defined(USE_LDAP_SASL) && defined(LDAP_API_FEATURE_X_OPENLDAP)
+ if (DICT_LDAP_DO_SASL(dict_ldap)) {
+ rc = dict_ldap_bind_sasl(dict_ldap);
+ } else {
+ rc = dict_ldap_bind_st(dict_ldap);
+ }
+#else
rc = dict_ldap_bind_st(dict_ldap);
+#endif
if (rc != LDAP_SUCCESS) {
- msg_warn("%s: Unable to bind to server %s as %s: %d (%s)",
- myname, dict_ldap->server_host, dict_ldap->bind_dn,
+ msg_warn("%s: Unable to bind to server %s with dn %s: %d (%s)",
+ myname, dict_ldap->server_host, DN_LOG_VAL(dict_ldap),
rc, ldap_err2string(rc));
DICT_LDAP_UNBIND_RETURN(dict_ldap->ld, DICT_ERR_RETRY, -1);
}
if (msg_verbose)
- msg_info("%s: Successful bind to server %s as %s ",
- myname, dict_ldap->server_host, dict_ldap->bind_dn);
+ msg_info("%s: Successful bind to server %s with dn %s",
+ myname, dict_ldap->server_host, DN_LOG_VAL(dict_ldap));
}
/* Save connection handle in shared container */
DICT_LDAP_CONN(dict_ldap)->conn_ld = dict_ldap->ld;
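Review bot: `DN_LOG_VAL` is #defined in the middle of a function body right before its first use, with no `#undef` afterward; move it next to the other DICT_LDAP_* helper macros at the top of the file (or #undef it after the last use at L1337) so it does not silently become a file-wide macro from that point on. The logging change itself is fine: "with dn" plus "empty or implicit" reads correctly when bind_dn is empty.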
ADDSTR(keybuf, dict_ldap->server_host);
ADDINT(keybuf, dict_ldap->server_port);
ADDINT(keybuf, dict_ldap->bind);
- ADDSTR(keybuf, dict_ldap->bind ? dict_ldap->bind_dn : "");
- ADDSTR(keybuf, dict_ldap->bind ? dict_ldap->bind_pw : "");
+ ADDSTR(keybuf, DICT_LDAP_DO_BIND(dict_ldap) ? dict_ldap->bind_dn : "");
+ ADDSTR(keybuf, DICT_LDAP_DO_BIND(dict_ldap) ? dict_ldap->bind_pw : "");
ADDINT(keybuf, dict_ldap->dereference);
ADDINT(keybuf, dict_ldap->chase_referrals);
ADDINT(keybuf, dict_ldap->debuglevel);
ADDINT(keybuf, dict_ldap->version);
#ifdef LDAP_API_FEATURE_X_OPENLDAP
+#if defined(USE_LDAP_SASL)
+ ADDSTR(keybuf, DICT_LDAP_DO_SASL(dict_ldap) ? dict_ldap->sasl_mechs : "");
+ ADDSTR(keybuf, DICT_LDAP_DO_SASL(dict_ldap) ? dict_ldap->sasl_realm : "");
+ ADDSTR(keybuf, DICT_LDAP_DO_SASL(dict_ldap) ? dict_ldap->sasl_authz : "");
+ ADDINT(keybuf, DICT_LDAP_DO_SASL(dict_ldap) ? dict_ldap->sasl_minssf : 0);
+#endif
ADDINT(keybuf, dict_ldap->ldap_ssl);
ADDINT(keybuf, dict_ldap->start_tls);
ADDINT(keybuf, sslon ? dict_ldap->tls_require_cert : 0);
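Review bot: `#ifdef LDAP_API_FEATURE_X_OPENLDAP` with a nested `#if defined(USE_LDAP_SASL)` here (and again at L1364-L1365 and L1396-L1397) is the same pairing that L1265 and L1316 spell as `#if defined(USE_LDAP_SASL) && defined(LDAP_API_FEATURE_X_OPENLDAP)`; define one internal feature macro once (a hypothetical `DICT_LDAP_HAVE_SASL`, for example) and use it in all five places so the SASL test cannot drift between the cache key, the free path and the bind path. The cache-key additions themselves are right: a connection authenticated with different mechs, realm, authz id or minssf must not be shared.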
if (dict_ldap->ctx)
db_common_free_ctx(dict_ldap->ctx);
#ifdef LDAP_API_FEATURE_X_OPENLDAP
+#if defined(USE_LDAP_SASL)
+ if (DICT_LDAP_DO_SASL(dict_ldap)) {
+ myfree(dict_ldap->sasl_mechs);
+ myfree(dict_ldap->sasl_realm);
+ myfree(dict_ldap->sasl_authz);
+ }
+#endif
myfree(dict_ldap->tls_ca_cert_file);
myfree(dict_ldap->tls_ca_cert_dir);
myfree(dict_ldap->tls_cert);
char *server_host;
char *scope;
char *attr;
+ char *bindopt;
int tmp;
int vendor_version = dict_ldap_vendor_version();
myfree(attr);
/*
- * get configured value of "bind"; default to true
+ * get configured value of "bind"; default to simple bind
*/
- dict_ldap->bind = cfg_get_bool(dict_ldap->parser, "bind", 1);
+ bindopt = cfg_get_str(dict_ldap->parser, "bind", CONFIG_BOOL_YES, 1, 0);
+ dict_ldap->bind = name_code(bindopt_table, NAME_CODE_FLAG_NONE, bindopt);
+ if (dict_ldap->bind < 0)
+ msg_fatal("%s: unsupported parameter value: %s = %s",
+ dict_ldap->parser->name, "bind", bindopt);
+ myfree(bindopt);
/*
* get configured value of "bind_dn"; default to ""
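Review bot: `bind` used to be parsed with `cfg_get_bool()`, so existing tables contain values such as `yes`, `no`, `true`, `false`, `on`, `off`, `1` and `0`; `bindopt_table` (not shown in this patch) must map all of those spellings, otherwise the new `msg_fatal("unsupported parameter value")` path at L1389-L1391 breaks existing configurations on upgrade. Add a comment at L1387 stating which legacy spellings are accepted, and a test table that exercises each one.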
"chase_referrals", 0);
#ifdef LDAP_API_FEATURE_X_OPENLDAP
+#if defined(USE_LDAP_SASL)
+ /*
+ * SASL options
+ */
+ if (DICT_LDAP_DO_SASL(dict_ldap)) {
+ dict_ldap->sasl_mechs =
+ cfg_get_str(dict_ldap->parser, "sasl_mechs", "", 0, 0);
+ dict_ldap->sasl_realm =
+ cfg_get_str(dict_ldap->parser, "sasl_realm", "", 0, 0);
+ dict_ldap->sasl_authz =
+ cfg_get_str(dict_ldap->parser, "sasl_authz_id", "", 0, 0);
+ dict_ldap->sasl_minssf =
+ cfg_get_int(dict_ldap->parser, "sasl_minssf", 0, 0, 4096);
+ } else {
+ dict_ldap->sasl_mechs = 0;
+ dict_ldap->sasl_realm = 0;
+ dict_ldap->sasl_authz = 0;
+ }
+#endif
/*
* TLS options
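Review bot: the `else` branch at L1410-L1414 zeroes `sasl_mechs`, `sasl_realm` and `sasl_authz` but not `sasl_minssf`, so one SASL member is left uninitialized in non-SASL mode; add `dict_ldap->sasl_minssf = 0;` for consistency (the readers at L1278 and L1357 are guarded by DICT_LDAP_DO_SASL today, but a future reader may not be). Note also that the free path at L1366-L1370 only frees under DICT_LDAP_DO_SASL, so it is this branch setting the three pointers to 0 that keeps that correct; a comment cross-referencing the two would help.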
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20101201"
+#define MAIL_RELEASE_DATE "20101204"
#define MAIL_VERSION_NUMBER "2.8"
#ifdef SNAPSHOT
/*
/* In order to fend off denial of service attacks, message headers
/* are truncated at or above var_header_limit bytes, message boundary
-/* strings are truncated at var_boundary_len bytes, and the multipart
+/* strings are truncated at var_mime_bound_len bytes, and the multipart
/* nesting level is limited to var_mime_maxdepth levels.
/*
/* mime_state_alloc() creates a MIME state machine. The machine
/* configuration parameter. The group ID must be non-zero.
/* .IP "PIPE_CMD_TIME_LIMIT (int)"
/* The amount of time the command is allowed to run before it
-/* is terminated with SIGKILL. The default is the limit given
-/* with the \fIcommand_time_limit\fR configuration parameter.
+/* is terminated with SIGKILL. The default is DEF_COMMAND_MAXTIME.
/* .IP "PIPE_CMD_SHELL (char *)"
/* The shell to use when executing the command specified with
/* PIPE_CMD_COMMAND. This shell is invoked regardless of the
args->cwd = 0;
args->chroot = 0;
- pipe_command_maxtime = var_command_maxtime;
+ pipe_command_maxtime = DEF_COMMAND_MAXTIME;
/*
* Then, override the defaults with user-supplied inputs.
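Review bot: replacing `var_command_maxtime` with `DEF_COMMAND_MAXTIME` makes the library default the compile-time constant instead of the `command_time_limit` main.cf value, so any caller that relied on the implicit default without passing `PIPE_CMD_TIME_LIMIT` silently loses the configured limit. The documentation hunk at L1438 records the new default; please confirm that every pipe_command() caller passes PIPE_CMD_TIME_LIMIT explicitly and say so in the comment above this line.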
sp->scache->size = scache_clnt_size;
sp->scache->free = scache_clnt_free;
- service = concatenate("local:private/", var_scache_service, (char *) 0);
+ service = concatenate("local:private/", server, (char *) 0);
sp->auto_clnt = auto_clnt_create(service, timeout, idle_limit, ttl_limit);
myfree(service);
char *var_allow_files;
char *var_alias_maps;
int var_dup_filter_limit;
-int var_command_maxtime;
+int var_command_maxtime; /* You can now leave this here. */
char *var_home_mailbox;
char *var_mailbox_command;
char *var_mailbox_cmd_maps;
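Review bot: the replacement comment `/* You can now leave this here. */` at L1458 (and the identical ones at L1477 and L1572) gives a future reader nothing to act on; record the reason instead, for example `/* no longer referenced by the library; program-private */`, so the motivation for moving the variable out of the shared code survives at the declaration.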
* -r" when a message is already delivered (or bounced). The Postfix
* sendmail command rejects submissions without recipients.
*/
- if (reason == 0)
- msg_warn("%s: %s", info->path, cleanup_strerror(status));
+ if (reason == 0 || *reason == 0)
+ msg_warn("%s: error writing %s: %s",
+ info->path, info->id, cleanup_strerror(status));
return ((status & (CLEANUP_STAT_BAD | CLEANUP_STAT_RCPT)) ?
REMOVE_MESSAGE_FILE : KEEP_MESSAGE_FILE);
}
* Tunable parameters. Values are taken from the config file, after
* prepending the service name to _name, and so on.
*/
-int var_command_maxtime; /* system-wide */
+int var_command_maxtime; /* You can now leave this here. */
/*
* For convenience. Instead of passing around lists of parameters, bundle
/* DIAGNOSTICS
/* Problems and transactions are logged to \fBsyslogd\fR(8).
/* BUGS
-/* Some of the non-default protocol tests involve
+/* The \fBpostscreen\fR(8) built-in SMTP protocol engine does
+/* not announce support for STARTTLS, AUTH, XCLIENT or XFORWARD.
+/* Support for STARTTLS and AUTH may be added in the future.
+/* In the mean time, if you need to make these services available
+/* on port 25, then do not enable the optional "after 220
+/* server greeting" tests.
+/*
+/* The optional "after 220 server greeting" tests involve
/* \fBpostscreen\fR(8)'s built-in SMTP protocol engine. When
/* these tests succeed, \fBpostscreen\fR(8) adds the client
/* to the temporary whitelist but it cannot not hand off the
/* server process to deliver mail. \fBpostscreen\fR(8) mitigates
/* the impact of this limitation by giving such tests a long
/* expiration time.
-/*
-/* The \fBpostscreen\fR(8) built-in SMTP protocol engine does
-/* not announce support for STARTTLS, AUTH, XCLIENT or XFORWARD
-/* (support for STARTTLS and AUTH may be added in the future).
-/* End-user clients should connect directly to the submission
-/* service; other systems that require the above features
-/* should directly connect to a Postfix SMTP server, or they
-/* should be placed on the \fBpostscreen\fR(8) whitelist.
/* CONFIGURATION PARAMETERS
/* .ad
/* .fi
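Review bot: the rewritten BUGS text drops the guidance from the removed paragraph (L1502-L1505) that end-user clients should use the submission service and that systems needing STARTTLS, AUTH, XCLIENT or XFORWARD should connect directly to a Postfix SMTP server or be placed on the whitelist; the new text only says not to enable the "after 220 server greeting" tests. Keep both pieces of advice, since submission or whitelisting is the practical answer for most sites. The context line at L1494 also reads "it cannot not hand off", a pre-existing double negative that could be fixed while this paragraph is being touched.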
* Reply with 421 when the client has too many open connections.
*/
if (var_ps_cconn_limit > 0
- && state->client_concurrency > var_ps_cconn_limit) {
+ && state->client_concurrency > var_ps_cconn_limit) {
msg_info("NOQUEUE: reject: CONNECT from [%s]:%s: too many connections",
state->smtp_client_addr, state->smtp_client_port);
PS_DROP_SESSION_STATE(state,
*/
if ((state->flags & PS_STATE_FLAG_PREGR_TODO) != 0
&& ps_teaser_greeting != 0
- && ps_send_reply(vstream_fileno(state->smtp_client_stream),
- state->smtp_client_addr, state->smtp_client_port,
- ps_teaser_greeting) != 0) {
+ && PS_SEND_REPLY(state, ps_teaser_greeting) != 0) {
ps_hangup_event(state);
return;
}
ps_send_socket(state);
} else {
if ((state->flags & PS_STATE_FLAG_HANGUP) == 0)
- (void) ps_send_reply(vstream_fileno(state->smtp_client_stream),
- state->smtp_client_addr, state->smtp_client_port,
- state->final_reply);
+ (void) PS_SEND_REPLY(state, state->final_reply);
msg_info("DISCONNECT [%s]:%s", PS_CLIENT_ADDR_PORT(state));
ps_free_session_state(state);
}
* XXX Need to make sure that the TCP send buffer is large enough for any
* response, so that a nasty client can't cause this process to block.
*/
- ret = (write_buf(smtp_client_fd, text, strlen(text),
- PS_SEND_TEXT_TIMEOUT) < 0);
- if (ret != 0 && errno != EPIPE)
+ ret = write_buf(smtp_client_fd, text, strlen(text), PS_SEND_TEXT_TIMEOUT);
+ if (ret < 0 && errno != EPIPE)
msg_warn("write [%s]:%s: %m", smtp_client_addr, smtp_client_port);
return (ret);
}
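Review bot: the return contract of `ps_send_reply()` changes here: `ret` was a 0/1 flag (`write_buf(...) < 0`), now it is the raw `write_buf()` return value, yet the caller at L1523 still tests `PS_SEND_REPLY(state, ps_teaser_greeting) != 0`. That test is only correct if write_buf() returns 0 on success; if it returns the number of bytes written, every successful teaser greeting would be treated as a write failure and trigger ps_hangup_event(). Either keep the normalization (`ret = (write_buf(...) < 0);`) or change the callers to test `< 0`, and check the return type of ps_send_reply() against the ssize_t that write_buf() returns.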
LOCAL_CONNECT(ps_smtpd_service_name, NON_BLOCKING,
PS_SEND_SOCK_CONNECT_TIMEOUT)) < 0) {
msg_warn("cannot connect to service %s: %m", ps_smtpd_service_name);
- ps_send_reply(vstream_fileno(state->smtp_client_stream),
- state->smtp_client_addr, state->smtp_client_port,
- "421 4.3.2 All server ports are busy\r\n");
+ PS_SEND_REPLY(state, "421 4.3.2 All server ports are busy\r\n");
ps_free_session_state(state);
return;
}
vstream_fileno(state->smtp_client_stream)) < 0) {
msg_warn("cannot pass connection to service %s: %m",
ps_smtpd_service_name);
- ps_send_reply(vstream_fileno(state->smtp_client_stream),
- state->smtp_client_addr, state->smtp_client_port,
- "421 4.3.2 No system resources\r\n");
+ PS_SEND_REPLY(state, "421 4.3.2 No system resources\r\n");
ps_free_session_state(state);
return;
} else {
int var_smtp_cache_conn;
int var_smtp_reuse_time;
char *var_smtp_cache_dest;
-char *var_scache_service;
+char *var_scache_service; /* You can now leave this here. */
bool var_smtp_cache_demand;
char *var_smtp_ehlo_dis_words;
char *var_smtp_ehlo_dis_maps;