Cleanup: left-over code from a DANE on/off workaround. File:
tlsproxy.c/tlsproxy.c.
+20210806
+
Constified the object argument of functions that write objects
to VSTREAM. Files: global/bounce.c, global/defer.c,
global/deliver_pass.c, global/deliver_request.c,
suggests UNIX-domain pathname syntax which is confusing. File:
until/inet_connect.c.
-20210814
+20210815
To make the maillog_file feature more useful, the postlog(1)
command is now set-gid postdrop, so that unprivileged
Adopted some code from postqueue(1) and postdrop(1) to
harden postlog(1) against privilege escalation attacks.
Files: postlog/postlog.c, conf/postfix-files.
+
+ Hardening: specify smtpd_per_request_deadline=yes to limit
+ the combined amount of time to receive a complete SMTP
+ request and to send a complete SMTP response. Specify
+ smtpd_min_data_rate to enforce a minimum data rate during
+ DATA and BDAT. This replaces smtpd_per_record_deadline; the
+ new smtpd_per_request_deadline parameter has a backwards-
+ compatible default value.
+
+ Hardening: specify {smtp,lmtp}_per_request_deadline=yes to
+ limit the combined amount of time to send a complete SMTP
+ request and to receive a complete SMTP response. Specify
+ {smtp,lmtp}_min_data_rate to enforce a minimum data rate
+ during DATA. This replaces {smtp,lmtp}_per_record_deadline.
+ The new {smtp,lmtp}_per_request_deadline parameters have a
+ backwards-compatible default value.
+
+ Minor text and code cleanups. File: postlog/postlog.c.
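Review bot: the two "Hardening:" entries in this hunk end without a file list, while the neighbouring entries in the same log each close with one (for example "Files: postlog/postlog.c, conf/postfix-files."). Add a "Files:" line to both entries so that the deadline and minimum-data-rate changes can be traced to the sources they touch.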
the software under the license of their choice. Those who are more
comfortable with the IPL can continue with that license.
+Major changes with snapshot 20210814-nonprod
+============================================
+
+Updated defense against remote clients or servers that 'trickle'
+SMTP or LMTP traffc. The new {smtpd,smtp,lmtp}_per_request_deadline
+parameters replace {smtpd,smtp,lmtp}_per_record_deadline, with
+backwards compatible default settings. This defense is automatically
+enabled by default in the Postfix SMTP server in case of overload.
+
+The new smtpd_per_record_deadline parameter limits the combined
+time for the Postfix SMTP server to receive a request and to send
+a response, while the new {smtp,lmtp}_per_record_deadline parameters
+limit the combined time for the Postfix SMTP or LMTP client to send
+a request and to receive a response.
+
+Additionally, the new smtpd_min_data_rate parameter enforces a
+minimum plaintext data transfer rate for DATA and BDAT requests,
+but only when smtpd_per_record_deadline is enabled. After a read
+operation transfers N plaintext bytes (possibly after TLS decryption),
+and after the DATA or BDAT request deadline is decreased by the
+elapsed time of that read operation, the DATA or BDAT request
+deadline is increased by N/smtpd_min_data_rate seconds. However,
+the deadline is never increased beyond the smtpd_timeout value. The
+default minimum data rate is 500 (bytes/second) but is still subject
+to change.
+
+The new {smtp,lmtp}_min_data_rate parameters enforce the corresponding
+minimum DATA transfer rates for the Postfix SMTP and LMTP client.
+
Major changes with snapshot 20210605
====================================
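Review bot: the second and third paragraphs of the new release note name the parameter being replaced instead of the new one. The first paragraph says {smtpd,smtp,lmtp}_per_request_deadline replace {smtpd,smtp,lmtp}_per_record_deadline, yet the text continues with "The new smtpd_per_record_deadline parameter", "the new {smtp,lmtp}_per_record_deadline parameters" and "but only when smtpd_per_record_deadline is enabled". Going by the first paragraph, all three should read per_request_deadline. Also, "traffc" in the first paragraph should be "traffic".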
--- /dev/null
+Add a note to tlsproxy source why it does not enforce deadlines or
+minimum data rates. Reason: tlsproxy relies on the plaintext client
+to enforce their context-dependent deadlines and data rates. When
+a plaintext client times out, it will close the tlsproxy connection,
+and then tlsproxy will also hang up.
<b><a href="postconf.5.html#smtp_dns_resolver_options">smtp_dns_resolver_options</a> (empty)</b>
DNS Resolver options for the Postfix SMTP client.
- Available in Postfix version 2.9 and later:
+ Available in Postfix version 2.9 - 3.6:
<b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b>
Change the behavior of the smtp_*_timeout time limits, from a
response line, SMTP message content line, or TLS protocol mes-
sage).
+ Available in Postfix version 2.9 and later:
+
<b><a href="postconf.5.html#smtp_send_dummy_mail_auth">smtp_send_dummy_mail_auth</a> (no)</b>
Whether or not to append the "AUTH=<>" option to the MAIL FROM
command in SASL-authenticated SMTP sessions.
".") that Postfix may use to determine whether DNSSEC validation
is available.
- <b>known_tcp_ports (lmtp=24, smtp=25, smtps=submissions=465, submis-</b>
+ <b><a href="postconf.5.html#known_tcp_ports">known_tcp_ports</a> (lmtp=24, smtp=25, smtps=submissions=465, submis-</b>
<b>sion=587)</b>
Optional setting that avoids lookups in the <b>services</b>(5) data-
base.
+ Available in Postfix version 3.7 and later:
+
+ <b><a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a> (no)</b>
+ Change the behavior of the smtp_*_timeout time limits, from a
+ time limit per plaintext or TLS read or write call, to a com-
+ bined time limit for sending a complete SMTP request and for
+ receiving a complete SMTP response.
+
+ <b><a href="postconf.5.html#smtp_min_data_rate">smtp_min_data_rate</a> (500)</b>
+ The minimum plaintext data transfer rate in bytes/second for
+ DATA requests, when deadlines are enabled with
+ <a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a>.
+
<b>MIME PROCESSING CONTROLS</b>
Available in Postfix version 2.0 and later:
Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtp_send_xforward_command">smtp_send_xforward_command</a> (no)</b>
- Send the non-standard XFORWARD command when the Postfix SMTP
+ Send the non-standard XFORWARD command when the Postfix SMTP
server EHLO response announces XFORWARD support.
<b>SASL AUTHENTICATION CONTROLS</b>
Enable SASL authentication in the Postfix SMTP client.
<b><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> (empty)</b>
- Optional Postfix SMTP client lookup tables with one user-
- name:password entry per sender, remote hostname or next-hop
+ Optional Postfix SMTP client lookup tables with one user-
+ name:password entry per sender, remote hostname or next-hop
domain.
<b><a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a> (noplaintext, noanonymous)</b>
Postfix SMTP client SASL security options; as of Postfix 2.3 the
- list of available features depends on the SASL client implemen-
+ list of available features depends on the SASL client implemen-
tation that is selected with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.
Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> (empty)</b>
- If non-empty, a Postfix SMTP client filter for the remote SMTP
+ If non-empty, a Postfix SMTP client filter for the remote SMTP
server's list of offered SASL mechanisms.
Available in Postfix version 2.3 and later:
<b><a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a> (no)</b>
Enable sender-dependent authentication in the Postfix SMTP
- client; this is available only with SASL authentication, and
- disables SMTP connection caching to ensure that mail from dif-
+ client; this is available only with SASL authentication, and
+ disables SMTP connection caching to ensure that mail from dif-
ferent senders will use the appropriate credentials.
<b><a href="postconf.5.html#smtp_sasl_path">smtp_sasl_path</a> (empty)</b>
Implementation-specific information that the Postfix SMTP client
- passes through to the SASL plug-in implementation that is
+ passes through to the SASL plug-in implementation that is
selected with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.
<b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a> (cyrus)</b>
- The SASL plug-in type that the Postfix SMTP client should use
+ The SASL plug-in type that the Postfix SMTP client should use
for authentication.
Available in Postfix version 2.5 and later:
<b><a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> (empty)</b>
- An optional table to prevent repeated SASL authentication fail-
- ures with the same remote SMTP server hostname, username and
+ An optional table to prevent repeated SASL authentication fail-
+ ures with the same remote SMTP server hostname, username and
password.
<b><a href="postconf.5.html#smtp_sasl_auth_cache_time">smtp_sasl_auth_cache_time</a> (90d)</b>
- The maximal age of an <a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> entry before it
+ The maximal age of an <a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> entry before it
is removed.
<b><a href="postconf.5.html#smtp_sasl_auth_soft_bounce">smtp_sasl_auth_soft_bounce</a> (yes)</b>
- When a remote SMTP server rejects a SASL authentication request
- with a 535 reply code, defer mail delivery instead of returning
+ When a remote SMTP server rejects a SASL authentication request
+ with a 535 reply code, defer mail delivery instead of returning
mail as undeliverable.
Available in Postfix version 2.9 and later:
<b><a href="postconf.5.html#smtp_send_dummy_mail_auth">smtp_send_dummy_mail_auth</a> (no)</b>
- Whether or not to append the "AUTH=<>" option to the MAIL FROM
+ Whether or not to append the "AUTH=<>" option to the MAIL FROM
command in SASL-authenticated SMTP sessions.
<b>STARTTLS SUPPORT CONTROLS</b>
- Detailed information about STARTTLS configuration may be found in the
+ Detailed information about STARTTLS configuration may be found in the
<a href="TLS_README.html">TLS_README</a> document.
<b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b>
<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>.
<b><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a>)</b>
- The SASL authentication security options that the Postfix SMTP
+ The SASL authentication security options that the Postfix SMTP
client uses for TLS encrypted SMTP sessions.
<b><a href="postconf.5.html#smtp_starttls_timeout">smtp_starttls_timeout</a> (300s)</b>
- Time limit for Postfix SMTP client write and read operations
+ Time limit for Postfix SMTP client write and read operations
during TLS startup and shutdown handshake procedures.
<b><a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> (empty)</b>
- A file containing CA certificates of root CAs trusted to sign
- either remote SMTP server certificates or intermediate CA cer-
+ A file containing CA certificates of root CAs trusted to sign
+ either remote SMTP server certificates or intermediate CA cer-
tificates.
<b><a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> (empty)</b>
- Directory with PEM format Certification Authority certificates
+ Directory with PEM format Certification Authority certificates
that the Postfix SMTP client uses to verify a remote SMTP server
certificate.
File with the Postfix SMTP client RSA certificate in PEM format.
<b><a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> (medium)</b>
- The minimum TLS cipher grade that the Postfix SMTP client will
+ The minimum TLS cipher grade that the Postfix SMTP client will
use with mandatory TLS encryption.
<b><a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> (empty)</b>
client cipher list at all TLS security levels.
<b><a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> (empty)</b>
- Additional list of ciphers or cipher types to exclude from the
- Postfix SMTP client cipher list at mandatory TLS security lev-
+ Additional list of ciphers or cipher types to exclude from the
+ Postfix SMTP client cipher list at mandatory TLS security lev-
els.
<b><a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> (empty)</b>
Enable additional Postfix SMTP client logging of TLS activity.
<b><a href="postconf.5.html#smtp_tls_note_starttls_offer">smtp_tls_note_starttls_offer</a> (no)</b>
- Log the hostname of a remote SMTP server that offers STARTTLS,
+ Log the hostname of a remote SMTP server that offers STARTTLS,
when TLS is not already enabled for that server.
<b><a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> (empty)</b>
fied, this overrides the obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter.
<b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (see 'postconf -d' output)</b>
- TLS protocols that the Postfix SMTP client will use with manda-
+ TLS protocols that the Postfix SMTP client will use with manda-
tory TLS encryption.
<b><a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> (9)</b>
The verification depth for remote SMTP server certificates.
<b><a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> (nexthop, dot-nexthop)</b>
- How the Postfix SMTP client verifies the server certificate
+ How the Postfix SMTP client verifies the server certificate
peername for the "secure" TLS security level.
<b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b>
session cache.
<b><a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> (3600s)</b>
- The expiration time of Postfix SMTP client TLS session cache
+ The expiration time of Postfix SMTP client TLS session cache
information.
<b><a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> (hostname)</b>
- How the Postfix SMTP client verifies the server certificate
+ How the Postfix SMTP client verifies the server certificate
peername for the "verify" TLS security level.
<b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b>
- The number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a> or <a href="smtpd.8.html"><b>smtpd</b>(8)</a>
- process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> server in order to seed its
+ The number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a> or <a href="smtpd.8.html"><b>smtpd</b>(8)</a>
+ process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> server in order to seed its
internal pseudo random number generator (PRNG).
<b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a> (see 'postconf -d' output)</b>
The OpenSSL cipherlist for "export" or higher grade ciphers.
<b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
- The OpenSSL cipherlist for "NULL" grade ciphers that provide
+ The OpenSSL cipherlist for "NULL" grade ciphers that provide
authentication without encryption.
Available in Postfix version 2.4 and later:
<b><a href="postconf.5.html#smtp_sasl_tls_verified_security_options">smtp_sasl_tls_verified_security_options</a> ($<a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_secu</a>-</b>
<b><a href="postconf.5.html#smtp_sasl_tls_security_options">rity_options</a>)</b>
- The SASL authentication security options that the Postfix SMTP
- client uses for TLS encrypted SMTP sessions with a verified
+ The SASL authentication security options that the Postfix SMTP
+ client uses for TLS encrypted SMTP sessions with a verified
server certificate.
Available in Postfix version 2.5 and later:
<b><a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a> (empty)</b>
- List of acceptable remote SMTP server certificate fingerprints
- for the "fingerprint" TLS security level (<b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_secu</a>-</b>
+ List of acceptable remote SMTP server certificate fingerprints
+ for the "fingerprint" TLS security level (<b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_secu</a>-</b>
<b><a href="postconf.5.html#smtp_tls_security_level">rity_level</a></b> = fingerprint).
<b><a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a> (see 'postconf -d' output)</b>
- The message digest algorithm used to construct remote SMTP
+ The message digest algorithm used to construct remote SMTP
server certificate fingerprints.
Available in Postfix version 2.6 and later:
<b><a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> (see postconf -d output)</b>
- TLS protocols that the Postfix SMTP client will use with oppor-
+ TLS protocols that the Postfix SMTP client will use with oppor-
tunistic TLS encryption.
<b><a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> (medium)</b>
- The minimum TLS cipher grade that the Postfix SMTP client will
+ The minimum TLS cipher grade that the Postfix SMTP client will
use with opportunistic TLS encryption.
<b><a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a> (empty)</b>
- File with the Postfix SMTP client ECDSA certificate in PEM for-
+ File with the Postfix SMTP client ECDSA certificate in PEM for-
mat.
<b><a href="postconf.5.html#smtp_tls_eckey_file">smtp_tls_eckey_file</a> ($<a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a>)</b>
- File with the Postfix SMTP client ECDSA private key in PEM for-
+ File with the Postfix SMTP client ECDSA private key in PEM for-
mat.
Available in Postfix version 2.7 and later:
<b><a href="postconf.5.html#smtp_tls_block_early_mail_reply">smtp_tls_block_early_mail_reply</a> (no)</b>
- Try to detect a mail hijacking attack based on a TLS protocol
- vulnerability (CVE-2009-3555), where an attacker prepends mali-
- cious HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client
+ Try to detect a mail hijacking attack based on a TLS protocol
+ vulnerability (CVE-2009-3555), where an attacker prepends mali-
+ cious HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client
TLS session.
Available in Postfix version 2.8 and later:
Available in Postfix version 2.11 and later:
<b><a href="postconf.5.html#smtp_tls_trust_anchor_file">smtp_tls_trust_anchor_file</a> (empty)</b>
- Zero or more PEM-format files with trust-anchor certificates
+ Zero or more PEM-format files with trust-anchor certificates
and/or public keys.
<b><a href="postconf.5.html#smtp_tls_force_insecure_host_tlsa_lookup">smtp_tls_force_insecure_host_tlsa_lookup</a> (no)</b>
- Lookup the associated DANE TLSA RRset even when a hostname is
+ Lookup the associated DANE TLSA RRset even when a hostname is
not an alias and its address records lie in an unsigned zone.
<b><a href="postconf.5.html#tlsmgr_service_name">tlsmgr_service_name</a> (tlsmgr)</b>
Available in Postfix version 3.0 and later:
<b><a href="postconf.5.html#smtp_tls_wrappermode">smtp_tls_wrappermode</a> (no)</b>
- Request that the Postfix SMTP client connects using the legacy
+ Request that the Postfix SMTP client connects using the legacy
SMTPS protocol instead of using the STARTTLS command.
Available in Postfix version 3.1 and later:
<b><a href="postconf.5.html#smtp_tls_dane_insecure_mx_policy">smtp_tls_dane_insecure_mx_policy</a> (see 'postconf -d' output)</b>
- The TLS policy for MX hosts with "secure" TLSA records when the
- nexthop destination security level is <b>dane</b>, but the MX record
+ The TLS policy for MX hosts with "secure" TLSA records when the
+ nexthop destination security level is <b>dane</b>, but the MX record
was found via an "insecure" MX lookup.
Available in Postfix version 3.4 and later:
Try to make multiple deliveries per TLS-encrypted connection.
<b><a href="postconf.5.html#smtp_tls_chain_files">smtp_tls_chain_files</a> (empty)</b>
- List of one or more PEM files, each holding one or more private
+ List of one or more PEM files, each holding one or more private
keys directly followed by a corresponding certificate chain.
<b><a href="postconf.5.html#smtp_tls_servername">smtp_tls_servername</a> (empty)</b>
- Optional name to send to the remote SMTP server in the TLS
+ Optional name to send to the remote SMTP server in the TLS
Server Name Indication (SNI) extension.
Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later:
<b><a href="postconf.5.html#tls_fast_shutdown_enable">tls_fast_shutdown_enable</a> (yes)</b>
- A workaround for implementations that hang Postfix while shut-
+ A workaround for implementations that hang Postfix while shut-
ting down a TLS session, until Postfix times out.
<b>OBSOLETE STARTTLS CONTROLS</b>
- The following configuration parameters exist for compatibility with
- Postfix versions before 2.3. Support for these will be removed in a
+ The following configuration parameters exist for compatibility with
+ Postfix versions before 2.3. Support for these will be removed in a
future release.
<b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
- Opportunistic mode: use TLS when a remote SMTP server announces
+ Opportunistic mode: use TLS when a remote SMTP server announces
STARTTLS support, otherwise send the mail in the clear.
<b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
- Enforcement mode: require that remote SMTP servers use TLS
+ Enforcement mode: require that remote SMTP servers use TLS
encryption, and never send mail in the clear.
<b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
- With mandatory TLS encryption, require that the remote SMTP
- server hostname matches the information in the remote SMTP
+ With mandatory TLS encryption, require that the remote SMTP
+ server hostname matches the information in the remote SMTP
server certificate.
<b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
- Optional lookup tables with the Postfix SMTP client TLS usage
- policy by next-hop destination and by remote SMTP server host-
+ Optional lookup tables with the Postfix SMTP client TLS usage
+ policy by next-hop destination and by remote SMTP server host-
name.
<b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
- Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS
+ Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS
cipher list.
<b>RESOURCE AND RATE CONTROLS</b>
<b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
- The Postfix SMTP client time limit for completing a TCP connec-
+ The Postfix SMTP client time limit for completing a TCP connec-
tion, or zero (use the operating system built-in time limit).
<b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
- The Postfix SMTP client time limit for sending the HELO or EHLO
- command, and for receiving the initial remote SMTP server
+ The Postfix SMTP client time limit for sending the HELO or EHLO
+ command, and for receiving the initial remote SMTP server
response.
<b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
mand, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
- The Postfix SMTP client time limit for sending the MAIL FROM
+ The Postfix SMTP client time limit for sending the MAIL FROM
command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
- The Postfix SMTP client time limit for sending the SMTP RCPT TO
+ The Postfix SMTP client time limit for sending the SMTP RCPT TO
command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
- The Postfix SMTP client time limit for sending the SMTP DATA
+ The Postfix SMTP client time limit for sending the SMTP DATA
command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
- The Postfix SMTP client time limit for sending the SMTP message
+ The Postfix SMTP client time limit for sending the SMTP message
content.
<b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> (5)</b>
- The maximal number of MX (mail exchanger) IP addresses that can
- result from Postfix SMTP client mail exchanger lookups, or zero
+ The maximal number of MX (mail exchanger) IP addresses that can
+ result from Postfix SMTP client mail exchanger lookups, or zero
(no limit).
<b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
- The maximal number of SMTP sessions per delivery request before
- the Postfix SMTP client gives up or delivers to a fall-back
+ The maximal number of SMTP sessions per delivery request before
+ the Postfix SMTP client gives up or delivers to a fall-back
<a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).
<b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
Available in Postfix version 2.2 and earlier:
<b><a href="postconf.5.html#lmtp_cache_connection">lmtp_cache_connection</a> (yes)</b>
- Keep Postfix LMTP client connections open for up to $<a href="postconf.5.html#max_idle">max_idle</a>
+ Keep Postfix LMTP client connections open for up to $<a href="postconf.5.html#max_idle">max_idle</a>
seconds.
Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
- Permanently enable SMTP connection caching for the specified
+ Permanently enable SMTP connection caching for the specified
destinations.
<b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
- Temporarily enable SMTP connection caching while a destination
+ Temporarily enable SMTP connection caching while a destination
has a high volume of mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>.
<b><a href="postconf.5.html#smtp_connection_reuse_time_limit">smtp_connection_reuse_time_limit</a> (300s)</b>
Available in Postfix version 2.3 and later:
<b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
- Time limit for connection cache connect, send or receive opera-
+ Time limit for connection cache connect, send or receive opera-
tions.
- Available in Postfix version 2.9 and later:
+ Available in Postfix version 2.9 - 3.6:
<b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b>
- Change the behavior of the smtp_*_timeout time limits, from a
- time limit per read or write system call, to a time limit to
- send or receive a complete record (an SMTP command line, SMTP
- response line, SMTP message content line, or TLS protocol mes-
+ Change the behavior of the smtp_*_timeout time limits, from a
+ time limit per read or write system call, to a time limit to
+ send or receive a complete record (an SMTP command line, SMTP
+ response line, SMTP message content line, or TLS protocol mes-
sage).
Available in Postfix version 2.11 and later:
<b><a href="postconf.5.html#smtp_connection_reuse_count_limit">smtp_connection_reuse_count_limit</a> (0)</b>
- When SMTP connection caching is enabled, the number of times
- that an SMTP session may be reused before it is closed, or zero
+ When SMTP connection caching is enabled, the number of times
+ that an SMTP session may be reused before it is closed, or zero
(no limit).
Available in Postfix version 3.4 and later:
<b><a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> (no)</b>
Try to make multiple deliveries per TLS-encrypted connection.
+ Available in Postfix version 3.7 and later:
+
+ <b><a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a> (no)</b>
+ Change the behavior of the smtp_*_timeout time limits, from a
+ time limit per plaintext or TLS read or write call, to a com-
+ bined time limit for sending a complete SMTP request and for
+ receiving a complete SMTP response.
+
+ <b><a href="postconf.5.html#smtp_min_data_rate">smtp_min_data_rate</a> (500)</b>
+ The minimum plaintext data transfer rate in bytes/second for
+ DATA requests, when deadlines are enabled with
+ <a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a>.
+
Implemented in the <a href="qmgr.8.html">qmgr(8)</a> daemon:
<b>transport_destination_concurrency_limit ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concur</a>-</b>
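Review bot: the smtp_per_record_deadline entry is relabelled "Available in Postfix version 2.9 - 3.6:" but its description is left as is, so a reader of this summary is not told what to use instead. The postconf.5.html text in this same change adds "Postfix 3.7 and later use smtp_per_request_deadline"; an equivalent pointer belongs in this entry. The version range is also written "2.9 - 3.6" here and "2.9-3.6" in postconf.5.html; pick one form.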
<p> This feature is available in Postfix 2.5 and later. </p>
+</DD>
+
+<DT><b><a name="lmtp_min_data_rate">lmtp_min_data_rate</a>
+(default: 500)</b></DT><DD>
+
+<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_min_data_rate">smtp_min_data_rate</a> configuration
+parameter. See there for details. </p>
+
+<p> This feature is available in Postfix 3.7 and later. </p>
+
+
</DD>
<DT><b><a name="lmtp_mx_address_limit">lmtp_mx_address_limit</a>
<p> This feature is available in Postfix 2.9 and later. </p>
+</DD>
+
+<DT><b><a name="lmtp_per_request_deadline">lmtp_per_request_deadline</a>
+(default: no)</b></DT><DD>
+
+<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a>
+configuration parameter. See there for details. </p>
+
+<p> This feature is available in Postfix 3.7 and later. </p>
+
+
</DD>
<DT><b><a name="lmtp_pix_workaround_delay_time">lmtp_pix_workaround_delay_time</a>
<p> This feature is available in Postfix 2.5 and later. </p>
+</DD>
+
+<DT><b><a name="smtp_min_data_rate">smtp_min_data_rate</a>
+(default: 500)</b></DT><DD>
+
+<p> The minimum plaintext data transfer rate in bytes/second for
+DATA requests, when deadlines are enabled with <a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a>.
+After a write operation transfers N plaintext message bytes (possibly
+after TLS encryption), and after the DATA request deadline is
+decremented by the elapsed time of that write operation, the DATA
+request deadline is incremented by N/smtp_min_data_rate seconds.
+However, the deadline will never be incremented beyond the time
+limit specified with <a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a>. </p>
+
+<p> This feature is available in Postfix 3.7 and later. </p>
+
+
</DD>
<DT><b><a name="smtp_mx_address_limit">smtp_mx_address_limit</a>
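Review bot: the description gives the deadline adjustment as "N/smtp_min_data_rate seconds" without saying which values the parameter accepts. Since the setting is used as a divisor, the text should state the minimum allowed value, or what a setting of 0 means, so that an administrator cannot misread it as a way to switch the rate check off.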
long (with TLSv1), and that an entire TLS protocol message must be
sent or received within the per-record deadline. </p>
-<p> This feature is available in Postfix 2.9 and later. With older
+<p> This feature is available in Postfix 2.9-3.6. With older
Postfix releases, the behavior is as if this parameter is set to
-"no". </p>
+"no". Postfix 3.7 and later use <a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a>. </p>
+
+
+</DD>
+
+<DT><b><a name="smtp_per_request_deadline">smtp_per_request_deadline</a>
+(default: no)</b></DT><DD>
+
+<p> Change the behavior of the smtp_*_timeout time limits, from a
+time limit per plaintext or TLS read or write call, to a combined
+time limit for sending a complete SMTP request and for receiving a
+complete SMTP response. The deadline limits only the time spent
+waiting for plaintext or TLS read or write calls, not time spent
+elsewhere. The per-request deadline limits the impact from hostile
+peers that trickle data one byte at a time. </p>
+
+<p> See <a href="postconf.5.html#smtp_min_data_rate">smtp_min_data_rate</a> for how the per-request deadline is
+managed during the DATA phase. </p>
+
+<p> Note: when per-request deadlines are enabled, a short time limit
+may cause problems with TLS over very slow network connections. The
+reason is that a TLS protocol message can be up to 16 kbytes long
+(with TLSv1), and that an entire TLS protocol message must be
+transferred within the per-request deadline. </p>
+
+<p> This feature is available in Postfix 3.7 and later. A weaker
+feature, called <a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a>, is available with Postfix
+2.9-3.6. </p>
+
+<p> This feature is available in Postfix 3.7 and later. </p>
</DD>
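Review bot: the new smtp_per_request_deadline entry states its availability twice. The paragraph beginning "This feature is available in Postfix 3.7 and later. A weaker feature, called smtp_per_record_deadline, ..." is followed directly by a second, stand-alone "This feature is available in Postfix 3.7 and later." paragraph just before the closing </DD>. Drop the second paragraph.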
<p> This feature is available in Postfix 2.3 and later. </p>
+</DD>
+
+<DT><b><a name="smtpd_min_data_rate">smtpd_min_data_rate</a>
+(default: 500)</b></DT><DD>
+
+<p> The minimum plaintext data transfer rate in bytes/second for
+DATA and BDAT requests, when deadlines are enabled with
+<a href="postconf.5.html#smtpd_per_request_deadline">smtpd_per_request_deadline</a>. After a read operation transfers N
+plaintext message bytes (possibly after TLS decryption), and after
+the DATA or BDAT request deadline is decremented by the elapsed
+time of that read operation, the DATA or BDAT request deadline is
+incremented by N/smtpd_min_data_rate seconds. However, the deadline
+will never be incremented beyond the time limit specified with
+<a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a>. </p>
+
+<p> This feature is available in Postfix 3.7 and later. </p>
+
+
</DD>
<DT><b><a name="smtpd_noop_commands">smtpd_noop_commands</a>
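Review bot: the added smtpd_min_data_rate paragraph explains how the DATA or BDAT request deadline is decremented and incremented, and that it is capped at smtpd_timeout, but it does not say what value the deadline has when DATA or BDAT begins. Add one sentence giving the starting value; without it a reader cannot work out how long a client that sends below the minimum rate is tolerated before the deadline expires.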
long (with TLSv1), and that an entire TLS protocol message must be
sent or received within the per-record deadline. </p>
-<p> This feature is available in Postfix 2.9 and later. With older
+<p> This feature is available in Postfix 2.9-3.6. With older
Postfix releases, the behavior is as if this parameter is set to
-"no". </p>
+"no". Postfix 3.7 and later use <a href="postconf.5.html#smtpd_per_request_deadline">smtpd_per_request_deadline</a>. </p>
+
+
+</DD>
+
+<DT><b><a name="smtpd_per_request_deadline">smtpd_per_request_deadline</a>
+(default: normal: no, overload: yes)</b></DT><DD>
+
+<p> Change the behavior of the <a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> and <a href="postconf.5.html#smtpd_starttls_timeout">smtpd_starttls_timeout</a>
+time limits, from a time limit per plaintext or TLS read or write
+call, to a combined time limit for receiving a complete SMTP request
+and for sending a complete SMTP response. The deadline limits only
+the time spent waiting for plaintext or TLS read or write calls,
+not time spent elsewhere. The per-request deadline limits the impact
+from hostile peers that trickle data one byte at a time. </p>
+
+<p> See <a href="postconf.5.html#smtpd_min_data_rate">smtpd_min_data_rate</a> for how the per-request deadline is
+managed during the DATA and BDAT phase. </p>
+
+<p> Note: when per-request deadlines are enabled, a short time limit
+may cause problems with TLS over very slow network connections. The
+reason is that a TLS protocol message can be up to 16 kbytes long
+(with TLSv1), and that an entire TLS protocol message must be
+transferred within the per-request deadline. </p>
+
+<p> This feature is available in Postfix 3.7 and later. A weaker
+feature, called <a href="postconf.5.html#smtpd_per_record_deadline">smtpd_per_record_deadline</a>, is available with Postfix
+2.9-3.6. With older Postfix releases, the behavior is as if this
+parameter is set to "no". </p>
+
+<p> This feature is available in Postfix 3.7 and later. </p>
</DD>
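Review bot: the new smtpd_per_request_deadline entry repeats its availability statement. The paragraph "This feature is available in Postfix 3.7 and later. A weaker feature, called smtpd_per_record_deadline, is available with Postfix 2.9-3.6. ..." already covers it, so the extra "This feature is available in Postfix 3.7 and later." paragraph before the closing </DD> should be removed.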
network write operation to complete; and when the Postfix SMTP
server Postfix wants to receive an SMTP client request, how long
the Postfix SMTP server will wait for an underlying network read
-operation to complete. See <a href="postconf.5.html#smtpd_per_record_deadline">smtpd_per_record_deadline</a> for how this
-time limit may be enforced. </p>
+operation to complete. See the <a href="postconf.5.html#smtpd_per_request_deadline">smtpd_per_request_deadline</a> for how
+this time limit may be enforced (with Postfix 2.9-3.6 see
+<a href="postconf.5.html#smtpd_per_record_deadline">smtpd_per_record_deadline</a>). </p>
<p> Normally the default limit
is 300s, but it changes under overload to just 10s. With Postfix
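Review bot: wording nit in the replacement sentence. "See the smtpd_per_request_deadline for how this time limit may be enforced" has a stray article. Either drop "the" or write "See the smtpd_per_request_deadline parameter for how ...", matching the "See smtpd_per_record_deadline" form that the removed lines used.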
<b><a href="postconf.5.html#smtp_dns_resolver_options">smtp_dns_resolver_options</a> (empty)</b>
DNS Resolver options for the Postfix SMTP client.
- Available in Postfix version 2.9 and later:
+ Available in Postfix version 2.9 - 3.6:
<b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b>
Change the behavior of the smtp_*_timeout time limits, from a
response line, SMTP message content line, or TLS protocol mes-
sage).
+ Available in Postfix version 2.9 and later:
+
<b><a href="postconf.5.html#smtp_send_dummy_mail_auth">smtp_send_dummy_mail_auth</a> (no)</b>
Whether or not to append the "AUTH=<>" option to the MAIL FROM
command in SASL-authenticated SMTP sessions.
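Review bot: the version range in the changed heading is written "2.9 - 3.6" with spaces, while the postconf.5.html hunks of this same patch write "Postfix 2.9-3.6" without them. Pick one form for the range and use it in both the daemon manual summaries and the parameter reference, so a text search for the range finds every place that marks smtp_per_record_deadline as superseded.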
".") that Postfix may use to determine whether DNSSEC validation
is available.
- <b>known_tcp_ports (lmtp=24, smtp=25, smtps=submissions=465, submis-</b>
+ <b><a href="postconf.5.html#known_tcp_ports">known_tcp_ports</a> (lmtp=24, smtp=25, smtps=submissions=465, submis-</b>
<b>sion=587)</b>
Optional setting that avoids lookups in the <b>services</b>(5) data-
base.
+ Available in Postfix version 3.7 and later:
+
+ <b><a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a> (no)</b>
+ Change the behavior of the smtp_*_timeout time limits, from a
+ time limit per plaintext or TLS read or write call, to a com-
+ bined time limit for sending a complete SMTP request and for
+ receiving a complete SMTP response.
+
+ <b><a href="postconf.5.html#smtp_min_data_rate">smtp_min_data_rate</a> (500)</b>
+ The minimum plaintext data transfer rate in bytes/second for
+ DATA requests, when deadlines are enabled with
+ <a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a>.
+
<b>MIME PROCESSING CONTROLS</b>
Available in Postfix version 2.0 and later:
Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtp_send_xforward_command">smtp_send_xforward_command</a> (no)</b>
- Send the non-standard XFORWARD command when the Postfix SMTP
+ Send the non-standard XFORWARD command when the Postfix SMTP
server EHLO response announces XFORWARD support.
<b>SASL AUTHENTICATION CONTROLS</b>
Enable SASL authentication in the Postfix SMTP client.
<b><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> (empty)</b>
- Optional Postfix SMTP client lookup tables with one user-
- name:password entry per sender, remote hostname or next-hop
+ Optional Postfix SMTP client lookup tables with one user-
+ name:password entry per sender, remote hostname or next-hop
domain.
<b><a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a> (noplaintext, noanonymous)</b>
Postfix SMTP client SASL security options; as of Postfix 2.3 the
- list of available features depends on the SASL client implemen-
+ list of available features depends on the SASL client implemen-
tation that is selected with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.
Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> (empty)</b>
- If non-empty, a Postfix SMTP client filter for the remote SMTP
+ If non-empty, a Postfix SMTP client filter for the remote SMTP
server's list of offered SASL mechanisms.
Available in Postfix version 2.3 and later:
<b><a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a> (no)</b>
Enable sender-dependent authentication in the Postfix SMTP
- client; this is available only with SASL authentication, and
- disables SMTP connection caching to ensure that mail from dif-
+ client; this is available only with SASL authentication, and
+ disables SMTP connection caching to ensure that mail from dif-
ferent senders will use the appropriate credentials.
<b><a href="postconf.5.html#smtp_sasl_path">smtp_sasl_path</a> (empty)</b>
Implementation-specific information that the Postfix SMTP client
- passes through to the SASL plug-in implementation that is
+ passes through to the SASL plug-in implementation that is
selected with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.
<b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a> (cyrus)</b>
- The SASL plug-in type that the Postfix SMTP client should use
+ The SASL plug-in type that the Postfix SMTP client should use
for authentication.
Available in Postfix version 2.5 and later:
<b><a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> (empty)</b>
- An optional table to prevent repeated SASL authentication fail-
- ures with the same remote SMTP server hostname, username and
+ An optional table to prevent repeated SASL authentication fail-
+ ures with the same remote SMTP server hostname, username and
password.
<b><a href="postconf.5.html#smtp_sasl_auth_cache_time">smtp_sasl_auth_cache_time</a> (90d)</b>
- The maximal age of an <a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> entry before it
+ The maximal age of an <a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> entry before it
is removed.
<b><a href="postconf.5.html#smtp_sasl_auth_soft_bounce">smtp_sasl_auth_soft_bounce</a> (yes)</b>
- When a remote SMTP server rejects a SASL authentication request
- with a 535 reply code, defer mail delivery instead of returning
+ When a remote SMTP server rejects a SASL authentication request
+ with a 535 reply code, defer mail delivery instead of returning
mail as undeliverable.
Available in Postfix version 2.9 and later:
<b><a href="postconf.5.html#smtp_send_dummy_mail_auth">smtp_send_dummy_mail_auth</a> (no)</b>
- Whether or not to append the "AUTH=<>" option to the MAIL FROM
+ Whether or not to append the "AUTH=<>" option to the MAIL FROM
command in SASL-authenticated SMTP sessions.
<b>STARTTLS SUPPORT CONTROLS</b>
- Detailed information about STARTTLS configuration may be found in the
+ Detailed information about STARTTLS configuration may be found in the
<a href="TLS_README.html">TLS_README</a> document.
<b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b>
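Review bot: the removed and added lines in this hunk read word for word the same (for example the "Detailed information about STARTTLS configuration may be found in the" pair), so the change is spacing only, and the same holds for most of the other hunks in this file. That re-justification buries the substantive additions, namely the new "Available in Postfix version 3.7 and later" entries. Regenerate the formatted manual page in a separate commit, or note in the commit message that these hunks are formatter output, so the documentation change can be reviewed on its own.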
<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>.
<b><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a>)</b>
- The SASL authentication security options that the Postfix SMTP
+ The SASL authentication security options that the Postfix SMTP
client uses for TLS encrypted SMTP sessions.
<b><a href="postconf.5.html#smtp_starttls_timeout">smtp_starttls_timeout</a> (300s)</b>
- Time limit for Postfix SMTP client write and read operations
+ Time limit for Postfix SMTP client write and read operations
during TLS startup and shutdown handshake procedures.
<b><a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> (empty)</b>
- A file containing CA certificates of root CAs trusted to sign
- either remote SMTP server certificates or intermediate CA cer-
+ A file containing CA certificates of root CAs trusted to sign
+ either remote SMTP server certificates or intermediate CA cer-
tificates.
<b><a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> (empty)</b>
- Directory with PEM format Certification Authority certificates
+ Directory with PEM format Certification Authority certificates
that the Postfix SMTP client uses to verify a remote SMTP server
certificate.
File with the Postfix SMTP client RSA certificate in PEM format.
<b><a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> (medium)</b>
- The minimum TLS cipher grade that the Postfix SMTP client will
+ The minimum TLS cipher grade that the Postfix SMTP client will
use with mandatory TLS encryption.
<b><a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> (empty)</b>
client cipher list at all TLS security levels.
<b><a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> (empty)</b>
- Additional list of ciphers or cipher types to exclude from the
- Postfix SMTP client cipher list at mandatory TLS security lev-
+ Additional list of ciphers or cipher types to exclude from the
+ Postfix SMTP client cipher list at mandatory TLS security lev-
els.
<b><a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> (empty)</b>
Enable additional Postfix SMTP client logging of TLS activity.
<b><a href="postconf.5.html#smtp_tls_note_starttls_offer">smtp_tls_note_starttls_offer</a> (no)</b>
- Log the hostname of a remote SMTP server that offers STARTTLS,
+ Log the hostname of a remote SMTP server that offers STARTTLS,
when TLS is not already enabled for that server.
<b><a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> (empty)</b>
fied, this overrides the obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter.
<b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (see 'postconf -d' output)</b>
- TLS protocols that the Postfix SMTP client will use with manda-
+ TLS protocols that the Postfix SMTP client will use with manda-
tory TLS encryption.
<b><a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> (9)</b>
The verification depth for remote SMTP server certificates.
<b><a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> (nexthop, dot-nexthop)</b>
- How the Postfix SMTP client verifies the server certificate
+ How the Postfix SMTP client verifies the server certificate
peername for the "secure" TLS security level.
<b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b>
session cache.
<b><a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> (3600s)</b>
- The expiration time of Postfix SMTP client TLS session cache
+ The expiration time of Postfix SMTP client TLS session cache
information.
<b><a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> (hostname)</b>
- How the Postfix SMTP client verifies the server certificate
+ How the Postfix SMTP client verifies the server certificate
peername for the "verify" TLS security level.
<b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b>
- The number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a> or <a href="smtpd.8.html"><b>smtpd</b>(8)</a>
- process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> server in order to seed its
+ The number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a> or <a href="smtpd.8.html"><b>smtpd</b>(8)</a>
+ process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> server in order to seed its
internal pseudo random number generator (PRNG).
<b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a> (see 'postconf -d' output)</b>
The OpenSSL cipherlist for "export" or higher grade ciphers.
<b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
- The OpenSSL cipherlist for "NULL" grade ciphers that provide
+ The OpenSSL cipherlist for "NULL" grade ciphers that provide
authentication without encryption.
Available in Postfix version 2.4 and later:
<b><a href="postconf.5.html#smtp_sasl_tls_verified_security_options">smtp_sasl_tls_verified_security_options</a> ($<a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_secu</a>-</b>
<b><a href="postconf.5.html#smtp_sasl_tls_security_options">rity_options</a>)</b>
- The SASL authentication security options that the Postfix SMTP
- client uses for TLS encrypted SMTP sessions with a verified
+ The SASL authentication security options that the Postfix SMTP
+ client uses for TLS encrypted SMTP sessions with a verified
server certificate.
Available in Postfix version 2.5 and later:
<b><a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a> (empty)</b>
- List of acceptable remote SMTP server certificate fingerprints
- for the "fingerprint" TLS security level (<b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_secu</a>-</b>
+ List of acceptable remote SMTP server certificate fingerprints
+ for the "fingerprint" TLS security level (<b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_secu</a>-</b>
<b><a href="postconf.5.html#smtp_tls_security_level">rity_level</a></b> = fingerprint).
<b><a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a> (see 'postconf -d' output)</b>
- The message digest algorithm used to construct remote SMTP
+ The message digest algorithm used to construct remote SMTP
server certificate fingerprints.
Available in Postfix version 2.6 and later:
<b><a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> (see postconf -d output)</b>
- TLS protocols that the Postfix SMTP client will use with oppor-
+ TLS protocols that the Postfix SMTP client will use with oppor-
tunistic TLS encryption.
<b><a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> (medium)</b>
- The minimum TLS cipher grade that the Postfix SMTP client will
+ The minimum TLS cipher grade that the Postfix SMTP client will
use with opportunistic TLS encryption.
<b><a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a> (empty)</b>
- File with the Postfix SMTP client ECDSA certificate in PEM for-
+ File with the Postfix SMTP client ECDSA certificate in PEM for-
mat.
<b><a href="postconf.5.html#smtp_tls_eckey_file">smtp_tls_eckey_file</a> ($<a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a>)</b>
- File with the Postfix SMTP client ECDSA private key in PEM for-
+ File with the Postfix SMTP client ECDSA private key in PEM for-
mat.
Available in Postfix version 2.7 and later:
<b><a href="postconf.5.html#smtp_tls_block_early_mail_reply">smtp_tls_block_early_mail_reply</a> (no)</b>
- Try to detect a mail hijacking attack based on a TLS protocol
- vulnerability (CVE-2009-3555), where an attacker prepends mali-
- cious HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client
+ Try to detect a mail hijacking attack based on a TLS protocol
+ vulnerability (CVE-2009-3555), where an attacker prepends mali-
+ cious HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client
TLS session.
Available in Postfix version 2.8 and later:
Available in Postfix version 2.11 and later:
<b><a href="postconf.5.html#smtp_tls_trust_anchor_file">smtp_tls_trust_anchor_file</a> (empty)</b>
- Zero or more PEM-format files with trust-anchor certificates
+ Zero or more PEM-format files with trust-anchor certificates
and/or public keys.
<b><a href="postconf.5.html#smtp_tls_force_insecure_host_tlsa_lookup">smtp_tls_force_insecure_host_tlsa_lookup</a> (no)</b>
- Lookup the associated DANE TLSA RRset even when a hostname is
+ Lookup the associated DANE TLSA RRset even when a hostname is
not an alias and its address records lie in an unsigned zone.
<b><a href="postconf.5.html#tlsmgr_service_name">tlsmgr_service_name</a> (tlsmgr)</b>
Available in Postfix version 3.0 and later:
<b><a href="postconf.5.html#smtp_tls_wrappermode">smtp_tls_wrappermode</a> (no)</b>
- Request that the Postfix SMTP client connects using the legacy
+ Request that the Postfix SMTP client connects using the legacy
SMTPS protocol instead of using the STARTTLS command.
Available in Postfix version 3.1 and later:
<b><a href="postconf.5.html#smtp_tls_dane_insecure_mx_policy">smtp_tls_dane_insecure_mx_policy</a> (see 'postconf -d' output)</b>
- The TLS policy for MX hosts with "secure" TLSA records when the
- nexthop destination security level is <b>dane</b>, but the MX record
+ The TLS policy for MX hosts with "secure" TLSA records when the
+ nexthop destination security level is <b>dane</b>, but the MX record
was found via an "insecure" MX lookup.
Available in Postfix version 3.4 and later:
Try to make multiple deliveries per TLS-encrypted connection.
<b><a href="postconf.5.html#smtp_tls_chain_files">smtp_tls_chain_files</a> (empty)</b>
- List of one or more PEM files, each holding one or more private
+ List of one or more PEM files, each holding one or more private
keys directly followed by a corresponding certificate chain.
<b><a href="postconf.5.html#smtp_tls_servername">smtp_tls_servername</a> (empty)</b>
- Optional name to send to the remote SMTP server in the TLS
+ Optional name to send to the remote SMTP server in the TLS
Server Name Indication (SNI) extension.
Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later:
<b><a href="postconf.5.html#tls_fast_shutdown_enable">tls_fast_shutdown_enable</a> (yes)</b>
- A workaround for implementations that hang Postfix while shut-
+ A workaround for implementations that hang Postfix while shut-
ting down a TLS session, until Postfix times out.
<b>OBSOLETE STARTTLS CONTROLS</b>
- The following configuration parameters exist for compatibility with
- Postfix versions before 2.3. Support for these will be removed in a
+ The following configuration parameters exist for compatibility with
+ Postfix versions before 2.3. Support for these will be removed in a
future release.
<b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
- Opportunistic mode: use TLS when a remote SMTP server announces
+ Opportunistic mode: use TLS when a remote SMTP server announces
STARTTLS support, otherwise send the mail in the clear.
<b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
- Enforcement mode: require that remote SMTP servers use TLS
+ Enforcement mode: require that remote SMTP servers use TLS
encryption, and never send mail in the clear.
<b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
- With mandatory TLS encryption, require that the remote SMTP
- server hostname matches the information in the remote SMTP
+ With mandatory TLS encryption, require that the remote SMTP
+ server hostname matches the information in the remote SMTP
server certificate.
<b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
- Optional lookup tables with the Postfix SMTP client TLS usage
- policy by next-hop destination and by remote SMTP server host-
+ Optional lookup tables with the Postfix SMTP client TLS usage
+ policy by next-hop destination and by remote SMTP server host-
name.
<b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
- Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS
+ Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS
cipher list.
<b>RESOURCE AND RATE CONTROLS</b>
<b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
- The Postfix SMTP client time limit for completing a TCP connec-
+ The Postfix SMTP client time limit for completing a TCP connec-
tion, or zero (use the operating system built-in time limit).
<b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
- The Postfix SMTP client time limit for sending the HELO or EHLO
- command, and for receiving the initial remote SMTP server
+ The Postfix SMTP client time limit for sending the HELO or EHLO
+ command, and for receiving the initial remote SMTP server
response.
<b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
mand, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
- The Postfix SMTP client time limit for sending the MAIL FROM
+ The Postfix SMTP client time limit for sending the MAIL FROM
command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
- The Postfix SMTP client time limit for sending the SMTP RCPT TO
+ The Postfix SMTP client time limit for sending the SMTP RCPT TO
command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
- The Postfix SMTP client time limit for sending the SMTP DATA
+ The Postfix SMTP client time limit for sending the SMTP DATA
command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
- The Postfix SMTP client time limit for sending the SMTP message
+ The Postfix SMTP client time limit for sending the SMTP message
content.
<b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> (5)</b>
- The maximal number of MX (mail exchanger) IP addresses that can
- result from Postfix SMTP client mail exchanger lookups, or zero
+ The maximal number of MX (mail exchanger) IP addresses that can
+ result from Postfix SMTP client mail exchanger lookups, or zero
(no limit).
<b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
- The maximal number of SMTP sessions per delivery request before
- the Postfix SMTP client gives up or delivers to a fall-back
+ The maximal number of SMTP sessions per delivery request before
+ the Postfix SMTP client gives up or delivers to a fall-back
<a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).
<b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
Available in Postfix version 2.2 and earlier:
<b><a href="postconf.5.html#lmtp_cache_connection">lmtp_cache_connection</a> (yes)</b>
- Keep Postfix LMTP client connections open for up to $<a href="postconf.5.html#max_idle">max_idle</a>
+ Keep Postfix LMTP client connections open for up to $<a href="postconf.5.html#max_idle">max_idle</a>
seconds.
Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
- Permanently enable SMTP connection caching for the specified
+ Permanently enable SMTP connection caching for the specified
destinations.
<b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
- Temporarily enable SMTP connection caching while a destination
+ Temporarily enable SMTP connection caching while a destination
has a high volume of mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>.
<b><a href="postconf.5.html#smtp_connection_reuse_time_limit">smtp_connection_reuse_time_limit</a> (300s)</b>
Available in Postfix version 2.3 and later:
<b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
- Time limit for connection cache connect, send or receive opera-
+ Time limit for connection cache connect, send or receive opera-
tions.
- Available in Postfix version 2.9 and later:
+ Available in Postfix version 2.9 - 3.6:
<b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b>
- Change the behavior of the smtp_*_timeout time limits, from a
- time limit per read or write system call, to a time limit to
- send or receive a complete record (an SMTP command line, SMTP
- response line, SMTP message content line, or TLS protocol mes-
+ Change the behavior of the smtp_*_timeout time limits, from a
+ time limit per read or write system call, to a time limit to
+ send or receive a complete record (an SMTP command line, SMTP
+ response line, SMTP message content line, or TLS protocol mes-
sage).
Available in Postfix version 2.11 and later:
<b><a href="postconf.5.html#smtp_connection_reuse_count_limit">smtp_connection_reuse_count_limit</a> (0)</b>
- When SMTP connection caching is enabled, the number of times
- that an SMTP session may be reused before it is closed, or zero
+ When SMTP connection caching is enabled, the number of times
+ that an SMTP session may be reused before it is closed, or zero
(no limit).
Available in Postfix version 3.4 and later:
<b><a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> (no)</b>
Try to make multiple deliveries per TLS-encrypted connection.
+ Available in Postfix version 3.7 and later:
+
+ <b><a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a> (no)</b>
+ Change the behavior of the smtp_*_timeout time limits, from a
+ time limit per plaintext or TLS read or write call, to a com-
+ bined time limit for sending a complete SMTP request and for
+ receiving a complete SMTP response.
+
+ <b><a href="postconf.5.html#smtp_min_data_rate">smtp_min_data_rate</a> (500)</b>
+ The minimum plaintext data transfer rate in bytes/second for
+ DATA requests, when deadlines are enabled with
+ <a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a>.
+
Implemented in the <a href="qmgr.8.html">qmgr(8)</a> daemon:
<b>transport_destination_concurrency_limit ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concur</a>-</b>
<b><a href="postconf.5.html#smtpd_command_filter">smtpd_command_filter</a> (empty)</b>
A mechanism to transform commands from remote SMTP clients.
- Available in Postfix version 2.9 and later:
+ Available in Postfix version 2.9 - 3.6:
<b><a href="postconf.5.html#smtpd_per_record_deadline">smtpd_per_record_deadline</a> (normal: no, overload: yes)</b>
Change the behavior of the <a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> and <a href="postconf.5.html#smtpd_starttls_timeout">smtpd_start</a>-
Optional setting that avoids lookups in the <b>services</b>(5) data-
base.
+ Available in Postfix version 3.7 and later:
+
+ <b><a href="postconf.5.html#smtpd_per_request_deadline">smtpd_per_request_deadline</a> (normal: no, overload: yes)</b>
+ Change the behavior of the <a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> and <a href="postconf.5.html#smtpd_starttls_timeout">smtpd_start</a>-
+ <a href="postconf.5.html#smtpd_starttls_timeout">tls_timeout</a> time limits, from a time limit per plaintext or TLS
+ read or write call, to a combined time limit for receiving a
+ complete SMTP request and for sending a complete SMTP response.
+
+ <b><a href="postconf.5.html#smtpd_min_data_rate">smtpd_min_data_rate</a> (500)</b>
+ The minimum plaintext data transfer rate in bytes/second for
+ DATA and BDAT requests, when deadlines are enabled with
+ <a href="postconf.5.html#smtpd_per_request_deadline">smtpd_per_request_deadline</a>.
+
<b>ADDRESS REWRITING CONTROLS</b>
See the <a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a> document for a detailed discussion of
Postfix address rewriting.
remote SMTP client is allowed to negotiate with this service per
time unit.
- Available in Postfix version 2.9 and later:
+ Available in Postfix version 2.9 - 3.6:
<b><a href="postconf.5.html#smtpd_per_record_deadline">smtpd_per_record_deadline</a> (normal: no, overload: yes)</b>
Change the behavior of the <a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> and <a href="postconf.5.html#smtpd_starttls_timeout">smtpd_start</a>-
to send to this service per time unit, regardless of whether or
not Postfix actually accepts those commands.
+ Available in Postfix version 3.7 and later:
+
+ <b><a href="postconf.5.html#smtpd_per_request_deadline">smtpd_per_request_deadline</a> (normal: no, overload: yes)</b>
+ Change the behavior of the <a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> and <a href="postconf.5.html#smtpd_starttls_timeout">smtpd_start</a>-
+ <a href="postconf.5.html#smtpd_starttls_timeout">tls_timeout</a> time limits, from a time limit per plaintext or TLS
+ read or write call, to a combined time limit for receiving a
+ complete SMTP request and for sending a complete SMTP response.
+
+ <b><a href="postconf.5.html#smtpd_min_data_rate">smtpd_min_data_rate</a> (500)</b>
+ The minimum plaintext data transfer rate in bytes/second for
+ DATA and BDAT requests, when deadlines are enabled with
+ <a href="postconf.5.html#smtpd_per_request_deadline">smtpd_per_request_deadline</a>.
+
<b>TARPIT CONTROLS</b>
When a remote SMTP client makes errors, the Postfix SMTP server can
insert delays before responding. This can help to slow down run-away
configuration parameter. See there for details.
.PP
This feature is available in Postfix 2.5 and later.
+.SH lmtp_min_data_rate (default: 500)
+The LMTP\-specific version of the smtp_min_data_rate configuration
+parameter. See there for details.
+.PP
+This feature is available in Postfix 3.7 and later.
.SH lmtp_mx_address_limit (default: 5)
The LMTP\-specific version of the smtp_mx_address_limit configuration
parameter. See there for details.
configuration parameter. See there for details.
.PP
This feature is available in Postfix 2.9 and later.
+.SH lmtp_per_request_deadline (default: no)
+The LMTP\-specific version of the smtp_per_request_deadline
+configuration parameter. See there for details.
+.PP
+This feature is available in Postfix 3.7 and later.
.SH lmtp_pix_workaround_delay_time (default: 10s)
The LMTP\-specific version of the smtp_pix_workaround_delay_time
configuration parameter. See there for details.
available.
.PP
This feature is available in Postfix 2.5 and later.
+.SH smtp_min_data_rate (default: 500)
+The minimum plaintext data transfer rate in bytes/second for
+DATA requests, when deadlines are enabled with smtp_per_request_deadline.
+After a write operation transfers N plaintext message bytes (possibly
+after TLS encryption), and after the DATA request deadline is
+decremented by the elapsed time of that write operation, the DATA
+request deadline is incremented by N/smtp_min_data_rate seconds.
+However, the deadline will never be incremented beyond the time
+limit specified with smtp_data_xfer_timeout.
+.PP
+This feature is available in Postfix 3.7 and later.
.SH smtp_mx_address_limit (default: 5)
The maximal number of MX (mail exchanger) IP addresses that can
result from Postfix SMTP client mail exchanger lookups, or zero (no
long (with TLSv1), and that an entire TLS protocol message must be
sent or received within the per\-record deadline.
.PP
-This feature is available in Postfix 2.9 and later. With older
+This feature is available in Postfix 2.9\-3.6. With older
Postfix releases, the behavior is as if this parameter is set to
-"no".
+"no". Postfix 3.7 and later use smtp_per_request_deadline.
+.SH smtp_per_request_deadline (default: no)
+Change the behavior of the smtp_*_timeout time limits, from a
+time limit per plaintext or TLS read or write call, to a combined
+time limit for sending a complete SMTP request and for receiving a
+complete SMTP response. The deadline limits only the time spent
+waiting for plaintext or TLS read or write calls, not time spent
+elsewhere. The per\-request deadline limits the impact from hostile
+peers that trickle data one byte at a time.
+.PP
+See smtp_min_data_rate for how the per\-request deadline is
+managed during the DATA phase.
+.PP
+Note: when per\-request deadlines are enabled, a short time limit
+may cause problems with TLS over very slow network connections. The
+reason is that a TLS protocol message can be up to 16 kbytes long
+(with TLSv1), and that an entire TLS protocol message must be
+transferred within the per\-request deadline.
+.PP
+This feature is available in Postfix 3.7 and later. A weaker
+feature, called smtp_per_record_deadline, is available with Postfix
+2.9\-3.6.
+.PP
+This feature is available in Postfix 3.7 and later.
.SH smtp_pix_workaround_delay_time (default: 10s)
How long the Postfix SMTP client pauses before sending
".<CR><LF>" in order to work around the PIX firewall
separator. See the MILTER_README document for details.
.PP
This feature is available in Postfix 2.3 and later.
+.SH smtpd_min_data_rate (default: 500)
+The minimum plaintext data transfer rate in bytes/second for
+DATA and BDAT requests, when deadlines are enabled with
+smtpd_per_request_deadline. After a read operation transfers N
+plaintext message bytes (possibly after TLS decryption), and after
+the DATA or BDAT request deadline is decremented by the elapsed
+time of that read operation, the DATA or BDAT request deadline is
+incremented by N/smtpd_min_data_rate seconds. However, the deadline
+will never be incremented beyond the time limit specified with
+smtpd_timeout.
+.PP
+This feature is available in Postfix 3.7 and later.
.SH smtpd_noop_commands (default: empty)
List of commands that the Postfix SMTP server replies to with "250
Ok", without doing any syntax checks and without changing state.
long (with TLSv1), and that an entire TLS protocol message must be
sent or received within the per\-record deadline.
.PP
-This feature is available in Postfix 2.9 and later. With older
+This feature is available in Postfix 2.9\-3.6. With older
Postfix releases, the behavior is as if this parameter is set to
-"no".
+"no". Postfix 3.7 and later use smtpd_per_request_deadline.
+.SH smtpd_per_request_deadline (default: normal: no, overload: yes)
+Change the behavior of the smtpd_timeout and smtpd_starttls_timeout
+time limits, from a time limit per plaintext or TLS read or write
+call, to a combined time limit for receiving a complete SMTP request
+and for sending a complete SMTP response. The deadline limits only
+the time spent waiting for plaintext or TLS read or write calls,
+not time spent elsewhere. The per\-request deadline limits the impact
+from hostile peers that trickle data one byte at a time.
+.PP
+See smtpd_min_data_rate for how the per\-request deadline is
+managed during the DATA and BDAT phase.
+.PP
+Note: when per\-request deadlines are enabled, a short time limit
+may cause problems with TLS over very slow network connections. The
+reason is that a TLS protocol message can be up to 16 kbytes long
+(with TLSv1), and that an entire TLS protocol message must be
+transferred within the per\-request deadline.
+.PP
+This feature is available in Postfix 3.7 and later. A weaker
+feature, called smtpd_per_record_deadline, is available with Postfix
+2.9\-3.6. With older Postfix releases, the behavior is as if this
+parameter is set to "no".
+.PP
+This feature is available in Postfix 3.7 and later.
.SH smtpd_policy_service_default_action (default: 451 4.3.5 Server configuration problem)
The default action when an SMTPD policy service request fails.
Specify "DUNNO" to behave as if the failed SMTPD policy service
network write operation to complete; and when the Postfix SMTP
server Postfix wants to receive an SMTP client request, how long
the Postfix SMTP server will wait for an underlying network read
-operation to complete. See smtpd_per_record_deadline for how this
-time limit may be enforced.
+operation to complete. See the smtpd_per_request_deadline for how
+this time limit may be enforced (with Postfix 2.9\-3.6 see
+smtpd_per_record_deadline).
.PP
Normally the default limit
is 300s, but it changes under overload to just 10s. With Postfix
.IP "\fBsmtp_dns_resolver_options (empty)\fR"
DNS Resolver options for the Postfix SMTP client.
.PP
-Available in Postfix version 2.9 and later:
+Available in Postfix version 2.9 \- 3.6:
.IP "\fBsmtp_per_record_deadline (no)\fR"
Change the behavior of the smtp_*_timeout time limits, from a
time limit per read or write system call, to a time limit to send
or receive a complete record (an SMTP command line, SMTP response
line, SMTP message content line, or TLS protocol message).
+.PP
+Available in Postfix version 2.9 and later:
.IP "\fBsmtp_send_dummy_mail_auth (no)\fR"
Whether or not to append the "AUTH=<>" option to the MAIL
FROM command in SASL\-authenticated SMTP sessions.
is available.
.IP "\fBknown_tcp_ports (lmtp=24, smtp=25, smtps=submissions=465, submission=587)\fR"
Optional setting that avoids lookups in the \fBservices\fR(5) database.
+.PP
+Available in Postfix version 3.7 and later:
+.IP "\fBsmtp_per_request_deadline (no)\fR"
+Change the behavior of the smtp_*_timeout time limits, from a
+time limit per plaintext or TLS read or write call, to a combined
+time limit for sending a complete SMTP request and for receiving a
+complete SMTP response.
+.IP "\fBsmtp_min_data_rate (500)\fR"
+The minimum plaintext data transfer rate in bytes/second for
+DATA requests, when deadlines are enabled with smtp_per_request_deadline.
.SH "MIME PROCESSING CONTROLS"
.na
.nf
Time limit for connection cache connect, send or receive
operations.
.PP
-Available in Postfix version 2.9 and later:
+Available in Postfix version 2.9 \- 3.6:
.IP "\fBsmtp_per_record_deadline (no)\fR"
Change the behavior of the smtp_*_timeout time limits, from a
time limit per read or write system call, to a time limit to send
.IP "\fBsmtp_tls_connection_reuse (no)\fR"
Try to make multiple deliveries per TLS\-encrypted connection.
.PP
+Available in Postfix version 3.7 and later:
+.IP "\fBsmtp_per_request_deadline (no)\fR"
+Change the behavior of the smtp_*_timeout time limits, from a
+time limit per plaintext or TLS read or write call, to a combined
+time limit for sending a complete SMTP request and for receiving a
+complete SMTP response.
+.IP "\fBsmtp_min_data_rate (500)\fR"
+The minimum plaintext data transfer rate in bytes/second for
+DATA requests, when deadlines are enabled with smtp_per_request_deadline.
+.PP
Implemented in the qmgr(8) daemon:
.IP "\fBtransport_destination_concurrency_limit ($default_destination_concurrency_limit)\fR"
A transport\-specific override for the
.IP "\fBsmtpd_command_filter (empty)\fR"
A mechanism to transform commands from remote SMTP clients.
.PP
-Available in Postfix version 2.9 and later:
+Available in Postfix version 2.9 \- 3.6:
.IP "\fBsmtpd_per_record_deadline (normal: no, overload: yes)\fR"
Change the behavior of the smtpd_timeout and smtpd_starttls_timeout
time limits, from a
Evaluate smtpd_relay_restrictions before smtpd_recipient_restrictions.
.IP "\fBknown_tcp_ports (lmtp=24, smtp=25, smtps=submissions=465, submission=587)\fR"
Optional setting that avoids lookups in the \fBservices\fR(5) database.
+.PP
+Available in Postfix version 3.7 and later:
+.IP "\fBsmtpd_per_request_deadline (normal: no, overload: yes)\fR"
+Change the behavior of the smtpd_timeout and smtpd_starttls_timeout
+time limits, from a time limit per plaintext or TLS read or write
+call, to a combined time limit for receiving a complete SMTP request
+and for sending a complete SMTP response.
+.IP "\fBsmtpd_min_data_rate (500)\fR"
+The minimum plaintext data transfer rate in bytes/second for
+DATA and BDAT requests, when deadlines are enabled with
+smtpd_per_request_deadline.
.SH "ADDRESS REWRITING CONTROLS"
.na
.nf
remote SMTP client is allowed to negotiate with this service per
time unit.
.PP
-Available in Postfix version 2.9 and later:
+Available in Postfix version 2.9 \- 3.6:
.IP "\fBsmtpd_per_record_deadline (normal: no, overload: yes)\fR"
Change the behavior of the smtpd_timeout and smtpd_starttls_timeout
time limits, from a
The maximal number of AUTH commands that any client is allowed to
send to this service per time unit, regardless of whether or not
Postfix actually accepts those commands.
+.PP
+Available in Postfix version 3.7 and later:
+.IP "\fBsmtpd_per_request_deadline (normal: no, overload: yes)\fR"
+Change the behavior of the smtpd_timeout and smtpd_starttls_timeout
+time limits, from a time limit per plaintext or TLS read or write
+call, to a combined time limit for receiving a complete SMTP request
+and for sending a complete SMTP response.
+.IP "\fBsmtpd_min_data_rate (500)\fR"
+The minimum plaintext data transfer rate in bytes/second for
+DATA and BDAT requests, when deadlines are enabled with
+smtpd_per_request_deadline.
.SH "TARPIT CONTROLS"
.na
.nf
s;\blmtp_mime_header_checks\b;<a href="postconf.5.html#lmtp_mime_header_checks">$&</a>;g;
s;\blmtp_nested_header_checks\b;<a href="postconf.5.html#lmtp_nested_header_checks">$&</a>;g;
s;\blmtp_per_record_deadline\b;<a href="postconf.5.html#lmtp_per_record_deadline">$&</a>;g;
+ s;\blmtp_per_request_deadline\b;<a href="postconf.5.html#lmtp_per_request_deadline">$&</a>;g;
+ s;\blmtp_min_data_rate\b;<a href="postconf.5.html#lmtp_min_data_rate">$&</a>;g;
s;\blmtp_reply_filter\b;<a href="postconf.5.html#lmtp_reply_filter">$&</a>;g;
s;\blmtp_sasl_password_maps\b;<a href="postconf.5.html#lmtp_sasl_password_maps">$&</a>;g;
s;\blmtp_send_dummy_mail_auth\b;<a href="postconf.5.html#lmtp_send_dummy_mail_auth">$&</a>;g;
s;\bsmtp_reply_filter\b;<a href="postconf.5.html#smtp_reply_filter">$&</a>;g;
s;\bsmtp_address_preference\b;<a href="postconf.5.html#smtp_address_preference">$&</a>;g;
s;\bsmtp_per_record_deadline\b;<a href="postconf.5.html#smtp_per_record_deadline">$&</a>;g;
+ s;\bsmtp_per_request_deadline\b;<a href="postconf.5.html#smtp_per_request_deadline">$&</a>;g;
+ s;\bsmtp_min_data_rate\b;<a href="postconf.5.html#smtp_min_data_rate">$&</a>;g;
s;\bsmtp_send_dummy_mail_auth\b;<a href="postconf.5.html#smtp_send_dummy_mail_auth">$&</a>;g;
s;\bsmtp_balance_inet_protocols\b;<a href="postconf.5.html#smtp_balance_inet_protocols">$&</a>;g;
s;\binfo_log_address_format\b;<a href="postconf.5.html#info_log_address_format">$&</a>;g;
s;\bsmtpd_reject_footer\b;<a href="postconf.5.html#smtpd_reject_footer">$&</a>;g;
s;\bsmtpd_reject_footer_maps\b;<a href="postconf.5.html#smtpd_reject_footer_maps">$&</a>;g;
s;\bsmtpd_per_record_deadline\b;<a href="postconf.5.html#smtpd_per_record_deadline">$&</a>;g;
+ s;\bsmtpd_per_request_deadline\b;<a href="postconf.5.html#smtpd_per_request_deadline">$&</a>;g;
+ s;\bsmtpd_min_data_rate\b;<a href="postconf.5.html#smtpd_min_data_rate">$&</a>;g;
s;\bsmtpd_upstream_proxy_protocol\b;<a href="postconf.5.html#smtpd_upstream_proxy_protocol">$&</a>;g;
s;\bsmtpd_upstream_proxy_timeout\b;<a href="postconf.5.html#smtpd_upstream_proxy_timeout">$&</a>;g;
s;\btls_daemon_random_bytes\b;<a href="postconf.5.html#tls_daemon_random_bytes">$&</a>;g;
network write operation to complete; and when the Postfix SMTP
server Postfix wants to receive an SMTP client request, how long
the Postfix SMTP server will wait for an underlying network read
-operation to complete. See smtpd_per_record_deadline for how this
-time limit may be enforced. </p>
+operation to complete. See the smtpd_per_request_deadline for how
+this time limit may be enforced (with Postfix 2.9-3.6 see
+smtpd_per_record_deadline). </p>
<p> Normally the default limit
is 300s, but it changes under overload to just 10s. With Postfix
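Review bot: the new cross-reference reads "See the smtpd_per_request_deadline for how this time limit may be enforced"; drop the stray "the" so it matches the sentence it replaces ("See smtpd_per_record_deadline for how ..."). The same wording appears in the postconf.5 man page hunk for smtpd_timeout earlier in this patch and should be fixed there as well.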
long (with TLSv1), and that an entire TLS protocol message must be
sent or received within the per-record deadline. </p>
-<p> This feature is available in Postfix 2.9 and later. With older
+<p> This feature is available in Postfix 2.9-3.6. With older
Postfix releases, the behavior is as if this parameter is set to
-"no". </p>
+"no". Postfix 3.7 and later use smtpd_per_request_deadline. </p>
%PARAM smtp_per_record_deadline no
long (with TLSv1), and that an entire TLS protocol message must be
sent or received within the per-record deadline. </p>
-<p> This feature is available in Postfix 2.9 and later. With older
+<p> This feature is available in Postfix 2.9-3.6. With older
Postfix releases, the behavior is as if this parameter is set to
-"no". </p>
+"no". Postfix 3.7 and later use smtp_per_request_deadline. </p>
%PARAM lmtp_per_record_deadline no
inside a service name or port number. </p>
<p> This feature is available in Postfix 3.6 and later. </p>
+
+%PARAM smtpd_min_data_rate 500
+
+<p> The minimum plaintext data transfer rate in bytes/second for
+DATA and BDAT requests, when deadlines are enabled with
+smtpd_per_request_deadline. After a read operation transfers N
+plaintext message bytes (possibly after TLS decryption), and after
+the DATA or BDAT request deadline is decremented by the elapsed
+time of that read operation, the DATA or BDAT request deadline is
+incremented by N/smtpd_min_data_rate seconds. However, the deadline
+will never be incremented beyond the time limit specified with
+smtpd_timeout. </p>
+
+<p> This feature is available in Postfix 3.7 and later. </p>
+
+%PARAM smtpd_per_request_deadline normal: no, overload: yes
+
+<p> Change the behavior of the smtpd_timeout and smtpd_starttls_timeout
+time limits, from a time limit per plaintext or TLS read or write
+call, to a combined time limit for receiving a complete SMTP request
+and for sending a complete SMTP response. The deadline limits only
+the time spent waiting for plaintext or TLS read or write calls,
+not time spent elsewhere. The per-request deadline limits the impact
+from hostile peers that trickle data one byte at a time. </p>
+
+<p> See smtpd_min_data_rate for how the per-request deadline is
+managed during the DATA and BDAT phase. </p>
+
+<p> Note: when per-request deadlines are enabled, a short time limit
+may cause problems with TLS over very slow network connections. The
+reason is that a TLS protocol message can be up to 16 kbytes long
+(with TLSv1), and that an entire TLS protocol message must be
+transferred within the per-request deadline. </p>
+
+<p> This feature is available in Postfix 3.7 and later. A weaker
+feature, called smtpd_per_record_deadline, is available with Postfix
+2.9-3.6. With older Postfix releases, the behavior is as if this
+parameter is set to "no". </p>
+
+<p> This feature is available in Postfix 3.7 and later. </p>
+
+%PARAM lmtp_min_data_rate 500
+
+<p> The LMTP-specific version of the smtp_min_data_rate configuration
+parameter. See there for details. </p>
+
+<p> This feature is available in Postfix 3.7 and later. </p>
+
+%PARAM lmtp_per_request_deadline no
+
+<p> The LMTP-specific version of the smtp_per_request_deadline
+configuration parameter. See there for details. </p>
+
+<p> This feature is available in Postfix 3.7 and later. </p>
+
+%PARAM smtp_min_data_rate 500
+
+<p> The minimum plaintext data transfer rate in bytes/second for
+DATA requests, when deadlines are enabled with smtp_per_request_deadline.
+After a write operation transfers N plaintext message bytes (possibly
+after TLS encryption), and after the DATA request deadline is
+decremented by the elapsed time of that write operation, the DATA
+request deadline is incremented by N/smtp_min_data_rate seconds.
+However, the deadline will never be incremented beyond the time
+limit specified with smtp_data_xfer_timeout. </p>
+
+<p> This feature is available in Postfix 3.7 and later. </p>
+
+%PARAM smtp_per_request_deadline no
+
+<p> Change the behavior of the smtp_*_timeout time limits, from a
+time limit per plaintext or TLS read or write call, to a combined
+time limit for sending a complete SMTP request and for receiving a
+complete SMTP response. The deadline limits only the time spent
+waiting for plaintext or TLS read or write calls, not time spent
+elsewhere. The per-request deadline limits the impact from hostile
+peers that trickle data one byte at a time. </p>
+
+<p> See smtp_min_data_rate for how the per-request deadline is
+managed during the DATA phase. </p>
+
+<p> Note: when per-request deadlines are enabled, a short time limit
+may cause problems with TLS over very slow network connections. The
+reason is that a TLS protocol message can be up to 16 kbytes long
+(with TLSv1), and that an entire TLS protocol message must be
+transferred within the per-request deadline. </p>
+
+<p> This feature is available in Postfix 3.7 and later. A weaker
+feature, called smtp_per_record_deadline, is available with Postfix
+2.9-3.6. </p>
+
+<p> This feature is available in Postfix 3.7 and later. </p>
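Review bot: the availability text is duplicated at the end of both %PARAM smtpd_per_request_deadline and %PARAM smtp_per_request_deadline: the paragraph that begins "This feature is available in Postfix 3.7 and later. A weaker feature, called ..." is immediately followed by a second paragraph that only repeats "This feature is available in Postfix 3.7 and later." Drop the second paragraph in each entry; the same duplicate shows up in the postconf.5 man page text earlier in this patch. The smtp_per_request_deadline entry also omits the "With older Postfix releases, the behavior is as if this parameter is set to "no"" sentence that the smtpd entry keeps, so the two entries are inconsistent about pre-2.9 behavior.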
#define DEF_LMTP_REC_DEADLINE 0
extern bool var_smtp_rec_deadline;
+#define VAR_SMTPD_REQ_DEADLINE "smtpd_per_request_deadline"
+#define DEF_SMTPD_REQ_DEADLINE "${smtpd_per_record_deadline?" \
+ "{$smtpd_per_record_deadline}:" \
+ "{${stress?{yes}:{no}}}}"
+extern bool var_smtpd_req_deadline;
+
+#define VAR_SMTP_REQ_DEADLINE "smtp_per_request_deadline"
+#define DEF_SMTP_REQ_DEADLINE "${smtp_per_record_deadline?" \
+ "{$smtp_per_record_deadline}:{no}}"
+#define VAR_LMTP_REQ_DEADLINE "lmtp_per_request_deadline"
+#define DEF_LMTP_REQ_DEADLINE "${lmtp_per_record_deadline?" \
+ "{$lmtp_per_record_deadline}:{no}}"
+extern bool var_smtp_req_deadline;
+
+#define VAR_SMTPD_MIN_DATA_RATE "smtpd_min_data_rate"
+#define DEF_SMTPD_MIN_DATA_RATE 500
+extern int var_smtpd_min_data_rate;
+
+#define VAR_SMTP_MIN_DATA_RATE "smtp_min_data_rate"
+#define DEF_SMTP_MIN_DATA_RATE 500
+#define VAR_LMTP_MIN_DATA_RATE "smtp_min_data_rate"
+#define DEF_LMTP_MIN_DATA_RATE 500
+extern int var_smtp_min_data_rate;
+
/*
* Permit logging.
*/
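Review bot: VAR_LMTP_MIN_DATA_RATE is defined as "smtp_min_data_rate", not "lmtp_min_data_rate", which looks like a copy-and-paste slip from the line above it. The documentation added in this patch describes a separate lmtp_min_data_rate parameter, and the LMTP table entry (VAR_LMTP_MIN_DATA_RATE, DEF_LMTP_MIN_DATA_RATE, &var_smtp_min_data_rate, 1, 0) registers whatever name this macro expands to, so as written an lmtp_min_data_rate setting in main.cf would not reach the LMTP client and the documented rate floor would silently stay at the smtp_ value. Suggest changing the string to "lmtp_min_data_rate", in line with VAR_LMTP_REQ_DEADLINE a few lines up, which does use the lmtp_ name.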
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20210814"
+#define MAIL_RELEASE_DATE "20210815"
#define MAIL_VERSION_NUMBER "3.7"
#ifdef SNAPSHOT
/* SYNOPSIS
/* #include <smtp_stream.h>
/*
-/* void smtp_stream_setup(stream, timeout, enable_deadline)
+/* void smtp_stream_setup(stream, timeout, enable_deadline,
+/* min_data_rate)
/* VSTREAM *stream;
/* int timeout;
/* int enable_deadline;
+/* int min_data_rate;
/*
/* void smtp_printf(stream, format, ...)
/* VSTREAM *stream;
/* void smtp_timeout_setup(stream, timeout)
/* VSTREAM *stream;
/* int timeout;
-/* int enable_deadline;
/* DESCRIPTION
/* This module reads and writes text records delimited by CR LF,
/* with error detection: timeouts or unexpected end-of-file.
/* and write operations described below.
/* This routine alters the behavior of streams as follows:
/* .IP \(bu
-/* When enable_deadline is non-zero, the stream is configured
-/* to enforce a total time limit for each smtp_stream read/write
-/* operation. Otherwise, the stream is configured to enforce
+/* When enable_deadline is non-zero, then the timeout argument
+/* specifies a deadline for the total amount time that may be
+/* spent in all subsequent read/write operations.
+/* Otherwise, the stream is configured to enforce
/* a time limit for each individual read/write system call.
/* .IP \f(bu
+/* Additionally, when min_data_rate is > 0, the deadline is
+/* incremented by 1/min_data_rate seconds for every min_data_rate
+/* bytes transferred. However, the deadline will never exceed
+/* the value specified with the timeout argument.
+/* .IP \f(bu
/* The stream is configured to use double buffering.
/* .IP \f(bu
/* The stream is configured to enable exception handling.
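Review bot: the new min_data_rate bullet states the increment incorrectly: "incremented by 1/min_data_rate seconds for every min_data_rate bytes transferred" does not agree with the postconf text in this same patch, which says the deadline is incremented by N/min_data_rate seconds after N bytes. That works out to 1/min_data_rate seconds per byte, or one second per min_data_rate bytes; please reword the comment to one of those. Two smaller points in the same hunk: "the total amount time" is missing "of", and the added bullet copies the ".IP \f(bu" typo from the neighbouring lines, where the first bullet uses ".IP \(bu".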
/* query the stream status with vstream_feof() etc.
/*
/* smtp_timeout_setup() is a backwards-compatibility interface
-/* for programs that don't require per-record deadline support.
+/* for programs that don't require deadline or data-rate support.
/* DIAGNOSTICS
/* .fi
/* .ad
#include "smtp_stream.h"
-/* smtp_timeout_reset - reset per-stream error flags, restart deadline timer */
+ /*
+ * Important: the time limit feature must not introduce any system calls
+ * when the input is already in the buffer, or when the output still fits in
+ * the buffer. Such system calls would really hurt when receiving or sending
+ * body content one line at a time.
+ */
+
+/* smtp_timeout_reset - reset per-stream error flags */
static void smtp_timeout_reset(VSTREAM *stream)
{
- vstream_clearerr(stream);
/*
- * Important: the time limit feature must not introduce any system calls
- * when the input is already in the buffer, or when the output still fits
- * in the buffer. Such system calls would really hurt when receiving or
- * sending body content one line at a time.
+ * Individual smtp_stream(3) I/O functions must not recharge the deadline
+ * timer, because multiline responses involve multiple smtp_stream(3)
+ * calls, and we really want to limit the time to send or receive a
+ * response.
*/
- if (vstream_fstat(stream, VSTREAM_FLAG_DEADLINE))
- vstream_control(stream, CA_VSTREAM_CTL_START_DEADLINE, CA_VSTREAM_CTL_END);
+ vstream_clearerr(stream);
}
/* smtp_longjmp - raise an exception */
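Review bot: with the CA_VSTREAM_CTL_START_DEADLINE call removed from smtp_timeout_reset(), nothing in the smtp_stream(3) I/O path restarts the deadline any more, so each caller has to call smtp_stream_setup() itself at every request boundary. The new comment explains why the I/O functions must not recharge the timer, but the caller-side obligation is not stated anywhere in the DESCRIPTION section; please document it there, since a caller that is not updated would run a whole session against a single deadline. The function is also left as a bare vstream_clearerr() wrapper while still being named smtp_timeout_reset; consider renaming it or noting in the comment that the name is historical.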
/* smtp_stream_setup - configure timeout trap */
-void smtp_stream_setup(VSTREAM *stream, int maxtime, int enable_deadline)
+void smtp_stream_setup(VSTREAM *stream, int maxtime, int enable_deadline,
+ int min_data_rate)
{
const char *myname = "smtp_stream_setup";
if (msg_verbose)
- msg_info("%s: maxtime=%d enable_deadline=%d",
- myname, maxtime, enable_deadline);
+ msg_info("%s: maxtime=%d enable_deadline=%d min_data_rate=%d",
+ myname, maxtime, enable_deadline, min_data_rate);
vstream_control(stream,
CA_VSTREAM_CTL_DOUBLE,
CA_VSTREAM_CTL_TIMEOUT(maxtime),
enable_deadline ? CA_VSTREAM_CTL_START_DEADLINE
: CA_VSTREAM_CTL_STOP_DEADLINE,
+ CA_VSTREAM_CTL_MIN_DATA_RATE(min_data_rate),
CA_VSTREAM_CTL_EXCEPT,
CA_VSTREAM_CTL_END);
}
#define SMTP_ERR_NONE 4 /* non-error case */
#define SMTP_ERR_DATA 5 /* application data error */
-extern void smtp_stream_setup(VSTREAM *, int, int);
+extern void smtp_stream_setup(VSTREAM *, int, int, int);
extern void PRINTFLIKE(2, 3) smtp_printf(VSTREAM *, const char *,...);
extern void smtp_flush(VSTREAM *);
extern int smtp_fgetc(VSTREAM *);
extern void smtp_vprintf(VSTREAM *, const char *, va_list);
#define smtp_timeout_setup(stream, timeout) \
- smtp_stream_setup((stream), (timeout), 0)
+ smtp_stream_setup((stream), (timeout), 0, 0)
#define SMTP_GET_FLAG_NONE 0
#define SMTP_GET_FLAG_SKIP (1<<0) /* skip over excess input */
{"postscreen_blacklist_action", ""},
{"postscreen_dnsbl_whitelist_threshold", ""},
{"postscreen_whitelist_interfaces", ""},
+ {"lmtp_per_record_deadline", ""},
+ {"smtp_per_record_deadline", ""},
+ {"smtpd_per_record_deadline", ""},
0,
};
postlog.o: ../../include/msg.h
postlog.o: ../../include/msg_output.h
postlog.o: ../../include/msg_vstream.h
+postlog.o: ../../include/stringops.h
postlog.o: ../../include/sys_defs.h
postlog.o: ../../include/vbuf.h
postlog.o: ../../include/vstream.h
int fd;
int ch;
const char *tag;
+ char *unsanitized_tag;
int level = MSG_INFO;
ARGV *import_env;
* validated by the mail configuration read routine. Don't do complex
* things until we have completed initializations.
*/
- tag = 0;
+ unsanitized_tag = 0;
while ((ch = GETOPT(argc, argv, "c:ip:t:v")) > 0) {
switch (ch) {
default:
level = level_map(optarg);
break;
case 't':
- tag = optarg; /* sanitized below */
+ unsanitized_tag = optarg;
break;
case 'v':
msg_verbose++;
import_env = mail_parm_split(VAR_IMPORT_ENVIRON, var_import_environ);
clean_env(import_env->argv);
argv_free(import_env);
- if (tag == 0)
- /* Use sanitized command name. */
- tag = mail_task(argv[0]);
- else
- /* Sanitize user-specified tag, depends on var_smtputf8_enable. */
- (void) printable(tag, '?');
+
+ /*
+ * Sanitize the user-specified tag. The result depends on the value of
+ * var_smtputf8_enable, therefore this code is after the mail_conf_read()
+ * call.
+ */
+ if (unsanitized_tag != 0)
+ tag = printable(unsanitized_tag, '?');
/*
* Re-initialize the logging, this time with the tag specified in main.cf
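Review bot: in the lines shown, tag is no longer assigned when -t is absent: the earlier hunk replaces "tag = 0;" with "unsanitized_tag = 0;", and this hunk removes the "tag = mail_task(argv[0]);" fallback, leaving only "if (unsanitized_tag != 0) tag = printable(unsanitized_tag, '?');". Unless tag is already set to the sanitized command name before option parsing (not visible in this diff), the logging re-initialization that follows would read an uninitialized pointer in a set-gid program. Please confirm the earlier assignment exists, and consider mentioning in the new comment that tag keeps its initial value when -t is not given.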
/*
* Prepare for disaster.
*/
- smtp_stream_setup(stream, conn_tmout, 1);
+ smtp_stream_setup(stream, conn_tmout, /* deadline */ 1, /* minrate */ 0);
if ((except = vstream_setjmp(stream)) != 0) {
msg_info("%s while reading server greeting", exception_text(except));
return (1);
/*
* Send the standard greeting with our hostname
*/
+ smtp_stream_setup(stream, smtp_tmout, /* deadline */ 1, /* minrate */ 0);
if ((except = vstream_setjmp(stream)) != 0) {
msg_info("%s while sending %s", exception_text(except), ehlo);
return (0);
if (state->wrapper_mode == 0) {
/* SMTP stream with deadline timeouts */
- smtp_stream_setup(stream, smtp_tmout, 1);
+ smtp_stream_setup(stream, smtp_tmout, /* deadline */ 1, /* minrate */ 0);
if ((except = vstream_setjmp(stream)) != 0) {
msg_fatal("%s while sending STARTTLS", exception_text(except));
return (1);
else
ADD_EXCLUDE(cipher_exclusions, "eNULL");
+ smtp_stream_setup(stream, smtp_tmout, /* deadline */ 1, /* minrate */ 0);
if (state->tlsproxy_mode) {
TLS_CLIENT_PARAMS tls_params;
/*
* Prepare for disaster.
*/
- smtp_stream_setup(stream, smtp_tmout, 1);
+ smtp_stream_setup(stream, smtp_tmout, /* deadline */ 1, /* minrate */ 0);
if ((except = vstream_setjmp(stream)) != 0) {
msg_warn("%s while sending QUIT command", exception_text(except));
return (0);
#ifdef USE_TLS
VAR_LMTP_TLS_SCERT_VD, DEF_LMTP_TLS_SCERT_VD, &var_smtp_tls_scert_vd, 0, 0,
#endif
+ VAR_LMTP_MIN_DATA_RATE, DEF_LMTP_MIN_DATA_RATE, &var_smtp_min_data_rate, 1, 0,
0,
};
static const CONFIG_BOOL_TABLE lmtp_bool_table[] = {
VAR_LMTP_CNAME_OVERR, DEF_LMTP_CNAME_OVERR, &var_smtp_cname_overr,
VAR_LMTP_SASL_AUTH_SOFT_BOUNCE, DEF_LMTP_SASL_AUTH_SOFT_BOUNCE, &var_smtp_sasl_auth_soft_bounce,
VAR_LMTP_ASSUME_FINAL, DEF_LMTP_ASSUME_FINAL, &var_lmtp_assume_final,
- VAR_LMTP_REC_DEADLINE, DEF_LMTP_REC_DEADLINE, &var_smtp_rec_deadline,
VAR_LMTP_DUMMY_MAIL_AUTH, DEF_LMTP_DUMMY_MAIL_AUTH, &var_smtp_dummy_mail_auth,
VAR_LMTP_BALANCE_INET_PROTO, DEF_LMTP_BALANCE_INET_PROTO, &var_smtp_balance_inet_proto,
0,
};
+ static const CONFIG_NBOOL_TABLE lmtp_nbool_table[] = {
+ VAR_LMTP_REQ_DEADLINE, DEF_LMTP_REQ_DEADLINE, &var_smtp_req_deadline,
+ 0,
+ };
/* .IP "\fBsmtp_dns_resolver_options (empty)\fR"
/* DNS Resolver options for the Postfix SMTP client.
/* .PP
-/* Available in Postfix version 2.9 and later:
+/* Available in Postfix version 2.9 - 3.6:
/* .IP "\fBsmtp_per_record_deadline (no)\fR"
/* Change the behavior of the smtp_*_timeout time limits, from a
/* time limit per read or write system call, to a time limit to send
/* or receive a complete record (an SMTP command line, SMTP response
/* line, SMTP message content line, or TLS protocol message).
+/* .PP
+/* Available in Postfix version 2.9 and later:
/* .IP "\fBsmtp_send_dummy_mail_auth (no)\fR"
/* Whether or not to append the "AUTH=<>" option to the MAIL
/* FROM command in SASL-authenticated SMTP sessions.
/* is available.
/* .IP "\fBknown_tcp_ports (lmtp=24, smtp=25, smtps=submissions=465, submission=587)\fR"
/* Optional setting that avoids lookups in the \fBservices\fR(5) database.
+/* .PP
+/* Available in Postfix version 3.7 and later:
+/* .IP "\fBsmtp_per_request_deadline (no)\fR"
+/* Change the behavior of the smtp_*_timeout time limits, from a
+/* time limit per plaintext or TLS read or write call, to a combined
+/* time limit for sending a complete SMTP request and for receiving a
+/* complete SMTP response.
+/* .IP "\fBsmtp_min_data_rate (500)\fR"
+/* The minimum plaintext data transfer rate in bytes/second for
+/* DATA requests, when deadlines are enabled with smtp_per_request_deadline.
/* MIME PROCESSING CONTROLS
/* .ad
/* .fi
/* Time limit for connection cache connect, send or receive
/* operations.
/* .PP
-/* Available in Postfix version 2.9 and later:
+/* Available in Postfix version 2.9 - 3.6:
/* .IP "\fBsmtp_per_record_deadline (no)\fR"
/* Change the behavior of the smtp_*_timeout time limits, from a
/* time limit per read or write system call, to a time limit to send
/* .IP "\fBsmtp_tls_connection_reuse (no)\fR"
/* Try to make multiple deliveries per TLS-encrypted connection.
/* .PP
+/* Available in Postfix version 3.7 and later:
+/* .IP "\fBsmtp_per_request_deadline (no)\fR"
+/* Change the behavior of the smtp_*_timeout time limits, from a
+/* time limit per plaintext or TLS read or write call, to a combined
+/* time limit for sending a complete SMTP request and for receiving a
+/* complete SMTP response.
+/* .IP "\fBsmtp_min_data_rate (500)\fR"
+/* The minimum plaintext data transfer rate in bytes/second for
+/* DATA requests, when deadlines are enabled with smtp_per_request_deadline.
+/* .PP
/* Implemented in the qmgr(8) daemon:
/* .IP "\fBtransport_destination_concurrency_limit ($default_destination_concurrency_limit)\fR"
/* A transport-specific override for the
bool var_lmtp_assume_final;
char *var_smtp_dns_res_opt;
char *var_smtp_dns_support;
-bool var_smtp_rec_deadline;
bool var_smtp_dummy_mail_auth;
char *var_smtp_dsn_filter;
char *var_smtp_dns_re_filter;
bool var_smtp_balance_inet_proto;
+bool var_smtp_req_deadline;
+int var_smtp_min_data_rate;
/* Special handling of 535 AUTH errors. */
char *var_smtp_sasl_auth_cache_name;
smtp_str_table : lmtp_str_table),
CA_MAIL_SERVER_BOOL_TABLE(smtp_mode ?
smtp_bool_table : lmtp_bool_table),
+ CA_MAIL_SERVER_NBOOL_TABLE(smtp_mode ?
+ smtp_nbool_table : lmtp_nbool_table),
CA_MAIL_SERVER_PRE_INIT(pre_init),
CA_MAIL_SERVER_POST_INIT(post_init),
CA_MAIL_SERVER_PRE_ACCEPT(pre_accept),
#ifdef USE_TLS
VAR_SMTP_TLS_SCERT_VD, DEF_SMTP_TLS_SCERT_VD, &var_smtp_tls_scert_vd, 0, 0,
#endif
+ VAR_SMTP_MIN_DATA_RATE, DEF_SMTP_MIN_DATA_RATE, &var_smtp_min_data_rate, 1, 0,
0,
};
static const CONFIG_BOOL_TABLE smtp_bool_table[] = {
VAR_SMTP_CNAME_OVERR, DEF_SMTP_CNAME_OVERR, &var_smtp_cname_overr,
VAR_SMTP_SASL_AUTH_SOFT_BOUNCE, DEF_SMTP_SASL_AUTH_SOFT_BOUNCE, &var_smtp_sasl_auth_soft_bounce,
VAR_LMTP_ASSUME_FINAL, DEF_LMTP_ASSUME_FINAL, &var_lmtp_assume_final,
- VAR_SMTP_REC_DEADLINE, DEF_SMTP_REC_DEADLINE, &var_smtp_rec_deadline,
VAR_SMTP_DUMMY_MAIL_AUTH, DEF_SMTP_DUMMY_MAIL_AUTH, &var_smtp_dummy_mail_auth,
VAR_SMTP_BALANCE_INET_PROTO, DEF_SMTP_BALANCE_INET_PROTO, &var_smtp_balance_inet_proto,
0,
};
+ static const CONFIG_NBOOL_TABLE smtp_nbool_table[] = {
+ VAR_SMTP_REQ_DEADLINE, DEF_SMTP_REQ_DEADLINE, &var_smtp_req_deadline,
+ 0,
+ };
/* XXX Mix-up of per-session and per-request flags. */
state->misc_flags |= SMTP_MISC_FLAG_IN_STARTTLS;
smtp_stream_setup(state->session->stream, var_smtp_starttls_tmout,
- var_smtp_rec_deadline);
+ var_smtp_req_deadline, 0);
tls_helo_status = smtp_start_tls(state);
state->misc_flags &= ~SMTP_MISC_FLAG_IN_STARTTLS;
return (tls_helo_status);
* Prepare for disaster.
*/
smtp_stream_setup(state->session->stream, var_smtp_helo_tmout,
- var_smtp_rec_deadline);
+ var_smtp_req_deadline, 0);
if ((except = vstream_setjmp(state->session->stream)) != 0)
return (smtp_stream_except(state, except, where));
* Prepare for disaster.
*/
smtp_stream_setup(state->session->stream, var_smtp_starttls_tmout,
- var_smtp_rec_deadline);
+ var_smtp_req_deadline, 0);
if ((except = vstream_setjmp(state->session->stream)) != 0)
return (smtp_stream_except(state, except,
"receiving the STARTTLS response"));
msg_panic("%s: bad sender state %d (receiver state %d)",
myname, send_state, recv_state);
smtp_stream_setup(session->stream, *xfer_timeouts[send_state],
- var_smtp_rec_deadline);
+ var_smtp_req_deadline, 0);
if ((except = vstream_setjmp(session->stream)) != 0) {
msg_warn("smtp_proto: spurious flush before read in send state %d",
send_state);
#define LOST_CONNECTION_INSIDE_DATA (except == SMTP_ERR_EOF)
smtp_stream_setup(session->stream, *xfer_timeouts[recv_state],
- var_smtp_rec_deadline);
+ var_smtp_req_deadline, 0);
if (LOST_CONNECTION_INSIDE_DATA) {
if (vstream_setjmp(session->stream) != 0)
RETURN(smtp_stream_except(state, SMTP_ERR_EOF,
if (send_state == SMTP_STATE_DOT && nrcpt > 0) {
smtp_stream_setup(session->stream, var_smtp_data1_tmout,
- var_smtp_rec_deadline);
+ var_smtp_req_deadline, var_smtp_min_data_rate);
if ((except = vstream_setjmp(session->stream)) == 0) {
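Review bot: The SMTP_STATE_DOT call is the only client-side smtp_stream_setup() that passes var_smtp_min_data_rate instead of 0, and nothing at the call site says why. The smtpd changes in this patch carry a comment for the equivalent case ("If deadlines are enabled, increase the time budget as message content arrives"). A matching comment here, explaining that content transfer earns extra time while command/response exchanges do not, would keep a later editor from "normalizing" this argument to 0 or from copying the non-zero rate to the other call sites.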
/* .IP "\fBsmtpd_command_filter (empty)\fR"
/* A mechanism to transform commands from remote SMTP clients.
/* .PP
-/* Available in Postfix version 2.9 and later:
+/* Available in Postfix version 2.9 - 3.6:
/* .IP "\fBsmtpd_per_record_deadline (normal: no, overload: yes)\fR"
/* Change the behavior of the smtpd_timeout and smtpd_starttls_timeout
/* time limits, from a
/* Evaluate smtpd_relay_restrictions before smtpd_recipient_restrictions.
/* .IP "\fBknown_tcp_ports (lmtp=24, smtp=25, smtps=submissions=465, submission=587)\fR"
/* Optional setting that avoids lookups in the \fBservices\fR(5) database.
+/* .PP
+/* Available in Postfix version 3.7 and later:
+/* .IP "\fBsmtpd_per_request_deadline (normal: no, overload: yes)\fR"
+/* Change the behavior of the smtpd_timeout and smtpd_starttls_timeout
+/* time limits, from a time limit per plaintext or TLS read or write
+/* call, to a combined time limit for receiving a complete SMTP request
+/* and for sending a complete SMTP response.
+/* .IP "\fBsmtpd_min_data_rate (500)\fR"
+/* The minimum plaintext data transfer rate in bytes/second for
+/* DATA and BDAT requests, when deadlines are enabled with
+/* smtpd_per_request_deadline.
/* ADDRESS REWRITING CONTROLS
/* .ad
/* .fi
/* remote SMTP client is allowed to negotiate with this service per
/* time unit.
/* .PP
-/* Available in Postfix version 2.9 and later:
+/* Available in Postfix version 2.9 - 3.6:
/* .IP "\fBsmtpd_per_record_deadline (normal: no, overload: yes)\fR"
/* Change the behavior of the smtpd_timeout and smtpd_starttls_timeout
/* time limits, from a
/* The maximal number of AUTH commands that any client is allowed to
/* send to this service per time unit, regardless of whether or not
/* Postfix actually accepts those commands.
+/* .PP
+/* Available in Postfix version 3.7 and later:
+/* .IP "\fBsmtpd_per_request_deadline (normal: no, overload: yes)\fR"
+/* Change the behavior of the smtpd_timeout and smtpd_starttls_timeout
+/* time limits, from a time limit per plaintext or TLS read or write
+/* call, to a combined time limit for receiving a complete SMTP request
+/* and for sending a complete SMTP response.
+/* .IP "\fBsmtpd_min_data_rate (500)\fR"
+/* The minimum plaintext data transfer rate in bytes/second for
+/* DATA and BDAT requests, when deadlines are enabled with
+/* smtpd_per_request_deadline.
/* TARPIT CONTROLS
/* .ad
/* .fi
char *var_unk_addr_tf_act;
char *var_unv_rcpt_tf_act;
char *var_unv_from_tf_act;
-bool var_smtpd_rec_deadline;
int smtpd_proxy_opts;
char *var_smtpd_uproxy_proto;
int var_smtpd_uproxy_tmout;
bool var_relay_before_rcpt_checks;
+bool var_smtpd_req_deadline;
+int var_smtpd_min_data_rate;
/*
* Silly little macros.
int prev_rec_type;
int first = 1;
+ /*
+ * If deadlines are enabled, increase the time budget as message content
+ * arrives.
+ */
+ smtp_stream_setup(state->client, var_smtpd_tmout, var_smtpd_req_deadline,
+ var_smtpd_min_data_rate);
+
/*
* Copy the message content. If the cleanup process has a problem, keep
* reading until the remote stops sending, then complain. Produce typed
return (-1);
}
+ /*
+ * If deadlines are enabled, increase the time budget as message content
+ * arrives.
+ */
+ smtp_stream_setup(state->client, var_smtpd_tmout, var_smtpd_req_deadline,
+ var_smtpd_min_data_rate);
+
/*
* Block abuse involving empty chunks (alternatively, we could count
* "BDAT 0" as a "NOOP", but then we would have to refactor the code that
* memory, panic) the error is logged, and the msg_cleanup() exit handler
* cleans up, but no attempt is made to inform the client of the nature
* of the problem.
+ *
+ * With deadlines enabled, do not increase the time budget while receiving a
+ * command, because that would give an attacker too much time.
*/
- smtp_stream_setup(state->client, var_smtpd_tmout, var_smtpd_rec_deadline);
-
+ vstream_control(state->client, VSTREAM_CTL_EXCEPT, VSTREAM_CTL_END);
while ((status = vstream_setjmp(state->client)) == SMTP_ERR_NONE)
/* void */ ;
+ smtp_stream_setup(state->client, var_smtpd_tmout, var_smtpd_req_deadline, 0);
switch (status) {
default:
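Review bot: The new sentence about not increasing the time budget while receiving a command is appended to a comment block that describes exception logging and cleanup, while the code it justifies is the trailing 0 in smtp_stream_setup(state->client, var_smtpd_tmout, var_smtpd_req_deadline, 0) after the setjmp loop. Moving the sentence next to that call would make the security rationale visible where the argument is chosen. Separately, the added vstream_control() call uses the raw VSTREAM_CTL_EXCEPT and VSTREAM_CTL_END names, although the vstream.h lines in this patch label the CA_VSTREAM_CTL_* forms as the safer, type-checked API for external use.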
for (;;) {
if (state->flags & SMTPD_FLAG_HANGUP)
break;
+ smtp_stream_setup(state->client, var_smtpd_tmout,
+ var_smtpd_req_deadline, 0);
if (state->error_count >= var_smtpd_hard_erlim) {
state->reason = REASON_ERROR_LIMIT;
state->error_mask |= MAIL_ERROR_PROTOCOL;
VAR_SMTPD_SASL_RESP_LIMIT, DEF_SMTPD_SASL_RESP_LIMIT, &var_smtpd_sasl_resp_limit, DEF_SMTPD_SASL_RESP_LIMIT, 0,
VAR_SMTPD_POLICY_REQ_LIMIT, DEF_SMTPD_POLICY_REQ_LIMIT, &var_smtpd_policy_req_limit, 0, 0,
VAR_SMTPD_POLICY_TRY_LIMIT, DEF_SMTPD_POLICY_TRY_LIMIT, &var_smtpd_policy_try_limit, 1, 0,
+ VAR_SMTPD_MIN_DATA_RATE, DEF_SMTPD_MIN_DATA_RATE, &var_smtpd_min_data_rate, 1, 0,
0,
};
static const CONFIG_LONG_TABLE long_table[] = {
0,
};
static const CONFIG_NBOOL_TABLE nbool_table[] = {
- VAR_SMTPD_REC_DEADLINE, DEF_SMTPD_REC_DEADLINE, &var_smtpd_rec_deadline,
VAR_RELAY_BEFORE_RCPT_CHECKS, DEF_RELAY_BEFORE_RCPT_CHECKS, &var_relay_before_rcpt_checks,
+ VAR_SMTPD_REQ_DEADLINE, DEF_SMTPD_REQ_DEADLINE, &var_smtpd_req_deadline,
0,
};
static const CONFIG_STR_TABLE str_table[] = {
/*
* Receive the initial request attributes. Receive the remainder after we
* figure out what role we are expected to play.
+ *
+ * The tlsproxy server does not enforce per-request read/write deadlines or
+ * minimal data rates. Instead, the tlsproxy server relies on the
+ * tlsproxy client to enforce these context-dependent limits. When a
+ * tlsproxy client decides to time out, it will close its end of the
+ * tlsproxy stream, and the tlsproxy server will handle that immediately.
*/
if (event != EVENT_READ
|| attr_scan(plaintext_stream, ATTR_FLAG_STRICT,
/* buffer, reads the bytes from the specified VSTREAM, and
/* adjusts the buffer write position. The buffer is NOT
/* null-terminated. The result value is as with vstream_fread().
-/* NOTE: do not skip calling vstream_fread_buf() when len == 0.
-/* This function has side effects including resetting the buffer
-/* write position, and skipping the call would invalidate the
-/* buffer state.
+/* NOTE: do not skip calling vstream_fread_buf() when len == 0.
+/* This function has side effects including resetting the buffer
+/* write position, and skipping the call would invalidate the
+/* buffer state.
/*
/* vstream_fread_app() is like vstream_fread_buf() but appends
/* to existing buffer content, instead of writing over it.
/* buffer, so that the result of some %letter specifiers can
/* be written to contiguous memory.
/* .IP CA_VSTREAM_CTL_START_DEADLINE (no arguments)
-/* Change the VSTREAM_CTL_TIMEOUT behavior, to limit the total
-/* time for all subsequent file descriptor read or write
-/* operations, and recharge the deadline timer.
+/* Change the VSTREAM_CTL_TIMEOUT behavior, to a deadline for
+/* the total amount of time for all subsequent file descriptor
+/* read or write operations, and recharge the deadline timer.
/* .IP CA_VSTREAM_CTL_STOP_DEADLINE (no arguments)
/* Revert VSTREAM_CTL_TIMEOUT behavior to the default, i.e.
/* a time limit for individual file descriptor read or write
/* operations.
+/* .IP CA_VSTREAM_CTL_MIN_DATA_RATE (int)
+/* When the DEADLINE is enabled, the amount of data that must
+/* be transferred to add 1 second to the deadline. However,
+/* the deadline will never exceed the timeout specified with
+/* VSTREAM_CTL_TIMEOUT. A zero value requests no update to the
+/* deadline as data is transferred; that is appropriate for
+/* request/reply interactions.
/* .IP CA_VSTREAM_CTL_OWN_VSTRING (no arguments)
/* Transfer ownership of the VSTRING that was opened with
/* vstream_memopen() etc. to the stream, so that the VSTRING
} \
} while (0)
+#define VSTREAM_ADD_TIME(x, y, z) \
+ do { \
+ (x).tv_sec = (y).tv_sec + (z).tv_sec; \
+ (x).tv_usec = (y).tv_usec + (z).tv_usec; \
+ while ((x).tv_usec >= 1000000) { \
+ (x).tv_usec -= 1000000; \
+ (x).tv_sec += 1; \
+ } \
+ } while (0)
+
/* vstream_buf_init - initialize buffer */
static void vstream_buf_init(VBUF *bp, int flags)
int timeout;
struct timeval before;
struct timeval elapsed;
+ struct timeval bonus;
/*
* Sanity checks. It is illegal to flush a read-only stream. Otherwise,
if (bp->flags & VSTREAM_FLAG_DEADLINE) {
VSTREAM_SUB_TIME(elapsed, stream->iotime, before);
VSTREAM_SUB_TIME(stream->time_limit, stream->time_limit, elapsed);
+ if (stream->min_data_rate > 0) {
+ bonus.tv_sec = n / stream->min_data_rate;
+ bonus.tv_usec = (n % stream->min_data_rate) * 1000000;
+ bonus.tv_usec /= stream->min_data_rate;
+ VSTREAM_ADD_TIME(stream->time_limit, stream->time_limit,
+ bonus);
+ if (stream->time_limit.tv_sec >= stream->timeout) {
+ stream->time_limit.tv_sec = stream->timeout;
+ stream->time_limit.tv_usec = 0;
+ }
+ }
}
}
if (msg_verbose > 2 && stream != VSTREAM_ERR && n != to_flush)
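Review bot: The microsecond part of the bonus, bonus.tv_usec = (n % stream->min_data_rate) * 1000000, can overflow where that product is computed in 32 bits. The remainder can be as large as min_data_rate - 1, so any rate above roughly 2147 exceeds the signed 32-bit range before the following division brings it back down. The VSTREAM_CTL_MIN_DATA_RATE handler only rejects negative values, and the configuration table entries for the new parameters give a lower bound of 1 with 0 in the upper-bound field, so a large configured rate reaches this code unchecked. Either do the multiplication in a wider type or enforce an upper bound on the parameter. A wrapped value here would corrupt the deadline that this feature relies on to stop trickling peers.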
ssize_t n;
struct timeval before;
struct timeval elapsed;
+ struct timeval bonus;
int timeout;
/*
if (bp->flags & VSTREAM_FLAG_DEADLINE) {
VSTREAM_SUB_TIME(elapsed, stream->iotime, before);
VSTREAM_SUB_TIME(stream->time_limit, stream->time_limit, elapsed);
+ if (stream->min_data_rate > 0) {
+ bonus.tv_sec = n / stream->min_data_rate;
+ bonus.tv_usec = (n % stream->min_data_rate) * 1000000;
+ bonus.tv_usec /= stream->min_data_rate;
+ VSTREAM_ADD_TIME(stream->time_limit, stream->time_limit,
+ bonus);
+ if (stream->time_limit.tv_sec >= stream->timeout) {
+ stream->time_limit.tv_sec = stream->timeout;
+ stream->time_limit.tv_usec = 0;
+ }
+ }
}
}
if (msg_verbose > 2)
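Review bot: This is a line-for-line copy of the bonus and cap logic added to the flush path earlier in the patch, including the same (n % stream->min_data_rate) * 1000000 expression. Since the patch already introduces VSTREAM_ADD_TIME as a shared macro, the whole "credit n bytes, then clamp time_limit to stream->timeout" step could live in one macro or static function used by both paths. That way a fix to the arithmetic or to the clamp cannot be applied to one direction and missed in the other.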
stream->time_limit.tv_sec = stream->time_limit.tv_usec = 0;
stream->req_bufsize = 0;
stream->vstring = 0;
+ stream->min_data_rate = 0;
return (stream);
}
int old_fd;
ssize_t req_bufsize = 0;
VSTREAM *stream2;
+ int min_data_rate;
#define SWAP(type,a,b) do { type temp = (a); (a) = (b); (b) = (temp); } while (0)
stream->time_limit.tv_sec = stream->timeout;
stream->time_limit.tv_usec = 0;
break;
+ case VSTREAM_CTL_MIN_DATA_RATE:
+ min_data_rate = va_arg(ap, int);
+ if (min_data_rate < 0)
+ msg_panic("%s: bad min_data_rate %d", myname, min_data_rate);
+ stream->min_data_rate = min_data_rate;
+ break;
case VSTREAM_CTL_OWN_VSTRING:
if ((stream->buf.flags |= VSTREAM_FLAG_MEMORY) == 0)
msg_panic("%s: operation on non-VSTRING stream", myname);
VSTREAM_JMP_BUF *jbuf; /* exception handling */
struct timeval iotime; /* time of last fill/flush */
struct timeval time_limit; /* read/write time limit */
+ int min_data_rate; /* min data rate for time limit */
struct VSTRING *vstring; /* memory-backed stream */
} VSTREAM;
#define VSTREAM_CTL_START_DEADLINE 14
#define VSTREAM_CTL_STOP_DEADLINE 15
#define VSTREAM_CTL_OWN_VSTRING 16
+#define VSTREAM_CTL_MIN_DATA_RATE 17
/* Safer API: type-checked arguments, external use. */
#define CA_VSTREAM_CTL_END VSTREAM_CTL_END
#define CA_VSTREAM_CTL_SWAP_FD(v) VSTREAM_CTL_SWAP_FD, CHECK_PTR(VSTREAM_CTL, VSTREAM, (v))
#define CA_VSTREAM_CTL_START_DEADLINE VSTREAM_CTL_START_DEADLINE
#define CA_VSTREAM_CTL_STOP_DEADLINE VSTREAM_CTL_STOP_DEADLINE
-#define CA_VSTREAM_CTL_OWN_VSTRING VSTREAM_CTL_OWN_VSTRING
+#define CA_VSTREAM_CTL_MIN_DATA_RATE(v) VSTREAM_CTL_MIN_DATA_RATE, CHECK_VAL(VSTREAM_CTL, int, (v))
CHECK_VAL_HELPER_DCL(VSTREAM_CTL, ssize_t);
CHECK_VAL_HELPER_DCL(VSTREAM_CTL, int);
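Review bot: As shown, this hunk removes the CA_VSTREAM_CTL_OWN_VSTRING definition and adds only CA_VSTREAM_CTL_MIN_DATA_RATE(v). The documentation comment elsewhere in the patch still lists CA_VSTREAM_CTL_OWN_VSTRING, and VSTREAM_CTL_OWN_VSTRING (16) remains defined, so callers using the type-checked name would no longer compile. If the removal is only a whitespace realignment, the re-added line should appear in the hunk. If it is intentional, the documentation entry and any callers need to change in the same patch.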