Workaround: don't report bogus Berkeley DB close errors as
fatal errors. All operations before close are already error
checked, so the data is known to be safe. File: util/dict_db.c.
+
+20100107
+
+ Documentation: the access(5) manual page did not document
+ the "send 521 and disconnect" behavior in the Postfix SMTP
+ server (introduced with Postfix 2.6). File: proto/access.
+
+ Bugfix: the pickup daemon did not discard messages that
+ were requeued after all recipients were delivered (or
+ bounced), and the cleanup server tried to bounce such
+ messages. Files: pickup/pickup.c, global/cleanup_user.h.
+
+ Future proofing: redundant code in postdrop to reject a
+ submission without recipient record. File: postdrop/postdrop.c.
+
+20100109
+
+ Cleanup: "postcat -q" will now access files in the "saved"
+ queue directory (for corrupted queue files). As before, the
+ "postsuper" command will not, to avoid suddenly deleting
+ such files. Files: global/mail_queue.h postcat/postcat.c.
+
+20100113
+
+ Cleanup: don't supply the "-o stress" command-line option
+ with a single-process service. File: master/master_ent.c.
+
+20100116
+
+ Bugfix: the valid_hostname() fuction did not set the
+ "non-numeric" flag after encountering the '-' character.
+ Reported by Jan Schampera. File: util/valid_hostname.c.
+
+ Cleanup: when a content_filter parameter or FILTER command
+ specifies an empty next-hop destination, the queue manager
+ now uses the recipient domain instead of $myhostname. Specify
+ "legacy_filter_nexthop = yes" for backwards compatibility
+ with Postfix 2.6 and earlier, or specify a non-empty next-hop
+ destination. Files: *qmgr/qmgr_message.c proto/access,
+ proto/header_checks, proto/postconf.proto, proto/FILTER_README.
+
+ Documentation: the content_filter and FILTER features never
+ supported the special cases of transport_maps. References
+ to transport_maps syntax are now removed from content filter
+ discussions. Files: proto/postconf.proto, proto/FILTER_README.
controls for positive results (address was accepted) and for negative results
(address was rejected, or address verification failed for some other reason).
-Current Postfix versions will periodically remove expired entries from the
-address verification database. With Postfix version 2.6 and earlier, database
-cleanup had to be done as described next.
-
-If the address verification database file becomes too big, or if it becomes
+The verify(8) daemon will periodically remove expired entries from the address
+verification database, and log the number of entries retained and dropped
+(Postfix versions 2.7 and later). A cleanup run is logged as "partial" when the
+daemon terminates early because of "postfix reload, "postfix stop", or because
+the daemon received no requests for $max_idle seconds. Postfix versions 2.6 and
+earlier do not implement automatic address verification database cleanup.
+There, the database is managed manually as described next.
+
+When the address verification database file becomes too big, or when it becomes
corrupted, the solution is to manually rename or delete (NOT: truncate) the
file and run "postfix reload". The verify(8) daemon will then create a new
database file.
* Postfix connection caching currently does not support multiple SASL
accounts per mail server. Specifically, Postfix connection caching assumes
that a SASL credential is valid for all hostnames or domain names that
- deliver via the same mail server IP address and TCP port, and assume that
+ deliver via the same mail server IP address and TCP port, and assumes that
the SASL credential does not depend on the message originator.
C\bCo\bon\bnn\bne\bec\bct\bti\bio\bon\bn c\bca\bac\bch\bhe\be s\bst\bta\bat\bti\bis\bst\bti\bic\bcs\bs
This record overrides the normal mail routing and causes mail to be given
to the content filter instead.
- The content_filter configuration parameter accepts the same syntax as the
- right-hand side in a Postfix transport table.
+ The content_filter configuration parameter expects a value of the form
+ transport:destination. The transport name specifies the first field of a
+ mail delivery agent definition in master.cf; the syntax of destination is
+ described in the manual page of the corresponding delivery agent.
+
+ The meaning of an empty filter destination is version dependent. Postfix
+ 2.7 and later will use the recipient domain; earlier versions will use
+ $myhostname. Specify "legacy_filter_nexthop = yes" for compatibility with
+ Postfix 2.6 or earlier, or specify a non-empty filter destination.
+
+ The content_filter setting has a lower precedence than a content filter
+ that is specified with an access(5) table or in a header_checks(5) or
+ body_checks(5) table.
* Execute "p\bpo\bos\bst\btf\bfi\bix\bx r\bre\bel\blo\boa\bad\bd" to complete the change.
content_filter = scan:localhost:10025
receive_override_options = no_address_mappings
+ * The "receive_override_options" line disables address manipulation before
+ the content filter, so that the content filter sees the original mail
+ addresses instead of the result of virtual alias expansion, canonical
+ mapping, automatic bcc, address masquerading, etc.
+
* The "content_filter" line causes Postfix to add one content filter request
record to each incoming mail message, with content "scan:localhost:10025".
The content filter request records are added by the smtpd(8) and pickup(8)
content filter request, the queue manager will deliver the mail to the
specified content filter regardless of its final destination.
- * The "receive_override_options" line disables address manipulation before
- the content filter, so that the content filter sees the original mail
- addresses instead of the result of virtual alias expansion, canonical
- mapping, automatic bcc, address masquerading, etc.
+ * The content_filter configuration parameter expects a value of the form
+ transport:destination. The transport name specifies the first field of a
+ mail delivery agent definition in master.cf; the syntax of destination is
+ described in the manual page of the corresponding delivery agent.
+
+ * The meaning of an empty filter destination is version dependent. Postfix
+ 2.7 and later will use the recipient domain; earlier versions will use
+ $myhostname. Specify "legacy_filter_nexthop = yes" for compatibility with
+ Postfix 2.6 or earlier, or specify a non-empty filter destination.
+
+ * The content_filter setting has a lower precedence than a content filter
+ that is specified with an access(5) table or in a header_checks(5) or
+ body_checks(5) table.
A\bAd\bdv\bva\ban\bnc\bce\bed\bd c\bco\bon\bnt\bte\ben\bnt\bt f\bfi\bil\blt\bte\ber\br:\b: s\bse\ben\bnd\bdi\bin\bng\bg u\bun\bnf\bfi\bil\blt\bte\ber\bre\bed\bd m\bma\bai\bil\bl t\bto\bo t\bth\bhe\be c\bco\bon\bnt\bte\ben\bnt\bt f\bfi\bil\blt\bte\ber\br
/etc/postfix/master.cf:
maildrop unix - n n - - pipe
flags=ODRhu user=vmail argv=/path/to/maildrop
- -d ${user}@${nexthop} ${extension} ${recipient} ${user} ${nexthop}
+ -d ${user}@${domain} ${extension} ${recipient} ${user} ${nexthop}
-The mail is delivered to ${user}@${nexthop} (match key for maildrop userdb
+The mail is delivered to ${user}@${domain} (search key for maildrop userdb
lookup). The ${extension} and the other address components are available to
maildrop rules as $1, $2, $3, ... and can be omitted from master.cf or ignored
by maildrop when not needed.
+With Postfix 2.4 and earlier, use ${nexthop} instead of ${domain}.
+
I\bIn\bnd\bdi\bir\bre\bec\bct\bt d\bde\bel\bli\biv\bve\ber\bry\by v\bvi\bia\ba t\bth\bhe\be l\blo\boc\bca\bal\bl d\bde\bel\bli\biv\bve\ber\bry\by a\bag\bge\ben\bnt\bt
Postfix can be configured to deliver mail to maildrop via the local delivery
If you upgrade from Postfix 2.5 or earlier, read RELEASE_NOTES-2.6
before proceeding.
+Incompatibility with snapshot 20100116
+======================================
+
+The meaning of an empty content filter next-hop destination has
+changed. Postfix now uses the recipient domain, instead of using
+$myhostname as in Postfix 2.6 and earlier. To get the old behavior
+use "legacy_filter_nexthop = yes", or specify a non-empty next-hop
+filter destination.
+
+Major changes with snapshot 20100116
+====================================
+
+The FILTER command can now be used to implement sender reputation
+schemes that dynamically choose the SMTP source IP address. This
+is implemented by specifying a FILTER with an empty next-hop
+destination, and by configuring SMTP transports in master.cf with
+appropriate "-o myhostname" and "-o smtp_bind_address" settings.
+
Incompatibility with snapshot 20100101
======================================
Remove this file from the stable release.
+ Should the postscreen temporary cache remember hosts that
+ are listed in the permanent white/black lists, and be queried
+ first? Skipping white/black list lookups will speed up the
+ handling of "good" clients without a permanent whitelist
+ entry. Of course, this means that updates to the white/black
+ lists do not immediately take effect. Workarounds: 1) ignore
+ cached white/black list lookup results after "postfix
+ reload"; 2) use a short temporary cache TTL for clients on
+ the permanent black/white lists; 3) adjust the logging, for
+ example "WHITELISTED address (cached)" and "BLACKLISTED
+ address (cached)" to eliminate surprises. Comparing the
+ cache entry time with the white/blacklist file modification
+ time is not foolproof: for example, pcre or CIDR tables are
+ read only once.
+
It would be nice if the generic dict_cache(3) cache manager
could postpone process suicide until cache cleanup is
completed (but that is not possible when postscreen forks
- into the background to finish already-accepted connections).
+ into the background to finish already-accepted connections,
+ and it is not desirable when a host is being shut down).
When postscreen drops a connection, a 521 "greeting" should
be of the form "521 servername..." and not have an enhanced
# text. 4NN means "try again later", while 5NN means
# "do not try again".
#
-# The reply code "421" causes Postfix to disconnect
-# immediately (Postfix version 2.3 and later).
+# The following responses have special meaning for
+# the Postfix SMTP server:
+#
+# 421 text (Postfix 2.3 and later)
+#
+# 521 text (Postfix 2.6 and later)
+# After responding with the numerical three-
+# digit code and text, disconnect immediately
+# from the SMTP client. This frees up SMTP
+# server resources so that they can be made
+# available to another SMTP client.
+#
+# Note: The "521" response should be used only
+# with botnets and other malware where inter-
+# operability is of no concern. The "send 521
+# and disconnect" behavior is NOT defined in
+# the SMTP standard.
#
# REJECT optional text...
# Reject the address etc. that matches the pattern.
# FILTER transport:destination
# After the message is queued, send the entire mes-
# sage through the specified external content filter.
-# The transport:destination syntax is described in
-# the transport(5) manual page. More information
-# about external content filters is in the Postfix
-# FILTER_README file.
-#
-# Note: this action overrides the content_filter set-
-# ting, and currently affects all recipients of the
-# message.
+# The transport name specifies the first field of a
+# mail delivery agent definition in master.cf; the
+# syntax of destination is described in the manual
+# page of the corresponding delivery agent. More
+# information about external content filters is in
+# the Postfix FILTER_README file.
+#
+# Note 1: do not use $number regular expression sub-
+# stitutions for transport or destination unless you
+# know that the information has a trusted origin.
+#
+# Note 2: this action overrides the main.cf con-
+# tent_filter setting, and affects all recipients of
+# the message. In the case that multiple FILTER
+# actions fire, only the last one is executed.
+#
+# Note 3: the purpose of the FILTER command is to
+# override message routing. To override the recipi-
+# ent's transport but not destination, specify an
+# empty destination (Postfix 2.7 and later), or spec-
+# ify a transport:destination that delivers through a
+# different Postfix instance (Postfix 2.6 and ear-
+# lier). Other options are using the recipient-depen-
+# dent transport_maps or the sender-dependent sender-
+# _dependent_default_transport_maps features.
#
# This feature is available in Postfix 2.0 and later.
#
# HOLD optional text...
-# Place the message on the hold queue, where it will
-# sit until someone either deletes it or releases it
-# for delivery. Log the optional text if specified,
+# Place the message on the hold queue, where it will
+# sit until someone either deletes it or releases it
+# for delivery. Log the optional text if specified,
# otherwise log a generic message.
#
-# Mail that is placed on hold can be examined with
-# the postcat(1) command, and can be destroyed or
+# Mail that is placed on hold can be examined with
+# the postcat(1) command, and can be destroyed or
# released with the postsuper(1) command.
#
-# Note: use "postsuper -r" to release mail that was
-# kept on hold for a significant fraction of $maxi-
+# Note: use "postsuper -r" to release mail that was
+# kept on hold for a significant fraction of $maxi-
# mal_queue_lifetime or $bounce_queue_lifetime, or
-# longer. Use "postsuper -H" only for mail that will
+# longer. Use "postsuper -H" only for mail that will
# not expire within a few delivery attempts.
#
-# Note: this action currently affects all recipients
+# Note: this action currently affects all recipients
# of the message.
#
# This feature is available in Postfix 2.0 and later.
#
# PREPEND headername: headervalue
-# Prepend the specified message header to the mes-
-# sage. When more than one PREPEND action executes,
-# the first prepended header appears before the sec-
+# Prepend the specified message header to the mes-
+# sage. When more than one PREPEND action executes,
+# the first prepended header appears before the sec-
# ond etc. prepended header.
#
-# Note: this action must execute before the message
-# content is received; it cannot execute in the con-
+# Note: this action must execute before the message
+# content is received; it cannot execute in the con-
# text of smtpd_end_of_data_restrictions.
#
# This feature is available in Postfix 2.1 and later.
#
# REDIRECT user@domain
-# After the message is queued, send the message to
+# After the message is queued, send the message to
# the specified address instead of the intended
# recipient(s).
#
-# Note: this action overrides the FILTER action, and
+# Note: this action overrides the FILTER action, and
# currently affects all recipients of the message.
#
# This feature is available in Postfix 2.1 and later.
#
# WARN optional text...
# Log a warning with the optional text, together with
-# client information and if available, with helo,
+# client information and if available, with helo,
# sender, recipient and protocol information.
#
# This feature is available in Postfix 2.1 and later.
#
# ENHANCED STATUS CODES
-# Postfix version 2.3 and later support enhanced status
-# codes as defined in RFC 3463. When an enhanced status
-# code is specified in an access table, it is subject to
-# modification. The following transformations are needed
-# when the same access table is used for client, helo,
-# sender, or recipient access restrictions; they happen
+# Postfix version 2.3 and later support enhanced status
+# codes as defined in RFC 3463. When an enhanced status
+# code is specified in an access table, it is subject to
+# modification. The following transformations are needed
+# when the same access table is used for client, helo,
+# sender, or recipient access restrictions; they happen
# regardless of whether Postfix replies to a MAIL FROM, RCPT
# TO or other SMTP command.
#
-# o When a sender address matches a REJECT action, the
-# Postfix SMTP server will transform a recipient DSN
-# status (e.g., 4.1.1-4.1.6) into the corresponding
+# o When a sender address matches a REJECT action, the
+# Postfix SMTP server will transform a recipient DSN
+# status (e.g., 4.1.1-4.1.6) into the corresponding
# sender DSN status, and vice versa.
#
-# o When non-address information matches a REJECT
-# action (such as the HELO command argument or the
-# client hostname/address), the Postfix SMTP server
-# will transform a sender or recipient DSN status
-# into a generic non-address DSN status (e.g.,
+# o When non-address information matches a REJECT
+# action (such as the HELO command argument or the
+# client hostname/address), the Postfix SMTP server
+# will transform a sender or recipient DSN status
+# into a generic non-address DSN status (e.g.,
# 4.0.0).
#
# REGULAR EXPRESSION TABLES
-# This section describes how the table lookups change when
+# This section describes how the table lookups change when
# the table is given in the form of regular expressions. For
-# a description of regular expression lookup table syntax,
+# a description of regular expression lookup table syntax,
# see regexp_table(5) or pcre_table(5).
#
-# Each pattern is a regular expression that is applied to
+# Each pattern is a regular expression that is applied to
# the entire string being looked up. Depending on the appli-
-# cation, that string is an entire client hostname, an
+# cation, that string is an entire client hostname, an
# entire client IP address, or an entire mail address. Thus,
# no parent domain or parent network search is done,
-# user@domain mail addresses are not broken up into their
+# user@domain mail addresses are not broken up into their
# user@ and domain constituent parts, nor is user+foo broken
# up into user and foo.
#
-# Patterns are applied in the order as specified in the ta-
-# ble, until a pattern is found that matches the search
+# Patterns are applied in the order as specified in the ta-
+# ble, until a pattern is found that matches the search
# string.
#
-# Actions are the same as with indexed file lookups, with
-# the additional feature that parenthesized substrings from
+# Actions are the same as with indexed file lookups, with
+# the additional feature that parenthesized substrings from
# the pattern can be interpolated as $1, $2 and so on.
#
# TCP-BASED TABLES
-# This section describes how the table lookups change when
+# This section describes how the table lookups change when
# lookups are directed to a TCP-based server. For a descrip-
# tion of the TCP client/server lookup protocol, see tcp_ta-
# ble(5). This feature is not available up to and including
# Postfix version 2.4.
#
-# Each lookup operation uses the entire query string once.
-# Depending on the application, that string is an entire
+# Each lookup operation uses the entire query string once.
+# Depending on the application, that string is an entire
# client hostname, an entire client IP address, or an entire
-# mail address. Thus, no parent domain or parent network
-# search is done, user@domain mail addresses are not broken
-# up into their user@ and domain constituent parts, nor is
+# mail address. Thus, no parent domain or parent network
+# search is done, user@domain mail addresses are not broken
+# up into their user@ and domain constituent parts, nor is
# user+foo broken up into user and foo.
#
# Actions are the same as with indexed file lookups.
#
# EXAMPLE
-# The following example uses an indexed file, so that the
-# order of table entries does not matter. The example per-
-# mits access by the client at address 1.2.3.4 but rejects
-# all other clients in 1.2.3.0/24. Instead of hash lookup
-# tables, some systems use dbm. Use the command "postconf
-# -m" to find out what lookup tables Postfix supports on
+# The following example uses an indexed file, so that the
+# order of table entries does not matter. The example per-
+# mits access by the client at address 1.2.3.4 but rejects
+# all other clients in 1.2.3.0/24. Instead of hash lookup
+# tables, some systems use dbm. Use the command "postconf
+# -m" to find out what lookup tables Postfix supports on
# your system.
#
# /etc/postfix/main.cf:
# 1.2.3 REJECT
# 1.2.3.4 OK
#
-# Execute the command "postmap /etc/postfix/access" after
+# Execute the command "postmap /etc/postfix/access" after
# editing the file.
#
# BUGS
-# The table format does not understand quoting conventions.
+# The table format does not understand quoting conventions.
#
# SEE ALSO
# postmap(1), Postfix lookup table manager
# transport(5), transport:nexthop syntax
#
# README FILES
-# Use "postconf readme_directory" or "postconf html_direc-
+# Use "postconf readme_directory" or "postconf html_direc-
# tory" to locate this information.
# SMTPD_ACCESS_README, built-in SMTP server access control
# DATABASE_README, Postfix lookup table overview
#
# LICENSE
-# The Secure Mailer license must be distributed with this
+# The Secure Mailer license must be distributed with this
# software.
#
# AUTHOR(S)
# This feature is available in Postfix 2.1 and later.
#
# FILTER transport:destination
-# Write a content filter request to the queue file,
-# and inspect the next input line. After the com-
-# plete message is received it will be sent through
-# the specified external content filter. More infor-
-# mation about external content filters is in the
-# Postfix FILTER_README file.
-#
-# Note: this action overrides the content_filter set-
-# ting, and affects all recipients of the message. In
-# the case that multiple FILTER actions fire, only
-# the last one is executed.
+# After the message is queued, send the entire mes-
+# sage through the specified external content filter.
+# The transport name specifies the first field of a
+# mail delivery agent definition master.cf; the syn-
+# tax of destination is described in the manual page
+# of the corresponding delivery agent. More informa-
+# tion about external content filters is in the Post-
+# fix FILTER_README file.
+#
+# Note 1: do not use $number regular expression sub-
+# stitutions for transport or destination unless you
+# know that the information has a trusted origin.
+#
+# Note 2: this action overrides the main.cf con-
+# tent_filter setting, and affects all recipients of
+# the message. In the case that multiple FILTER
+# actions fire, only the last one is executed.
+#
+# Note 3: the purpose of the FILTER command is to
+# override message routing. To override the recipi-
+# ent's transport but not destination, specify an
+# empty destination (Postfix 2.7 and later), or spec-
+# ify a transport:destination that delivers through a
+# different Postfix instance (Postfix 2.6 and ear-
+# lier). Other options are using the recipient-depen-
+# dent transport_maps or the sender-dependent sender-
+# _dependent_default_transport_maps features.
#
# This feature is available in Postfix 2.0 and later.
#
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - n - - smtpd
+#smtp inet n - n - 1 postscreen
+#smtpd pass - - n - - smtpd
+#dnsblog unix - - n - 0 dnsblog
#submission inet n - n - - smtpd
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
-#628 inet n - n - - qmqpd
+#628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#mailman unix - n n - - pipe
# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
# ${nexthop} ${user}
-#smtp inet n - n - 1 postscreen
-#smtpd pass - - n - - smtpd
-#dnsblog unix - - n - 0 dnsblog
find $data_directory/. ! -user $mail_owner \
-exec $WARN not owned by $mail_owner: {} \;
+ ls -lLd $data_directory | egrep '^.....(w|...w)' >/dev/null && \
+ $WARN group or other writable: $data_directory
+
find `ls -d $queue_directory/* | \
egrep '/(saved|incoming|active|defer|deferred|bounce|hold|trace|corrupt|public|private|flush)$'` \
! \( -type p -o -type s \) ! -user $mail_owner \
(address was accepted) and for negative results (address was rejected,
or address verification failed for some other reason). </p>
-<p> Current Postfix versions will periodically remove expired entries
-from the address verification database. With Postfix version 2.6
-and earlier, database cleanup had to be done as described next. </p>
-
-<p> If the address verification database file becomes too big, or
-if it becomes corrupted, the solution is to manually rename or
-delete (NOT: truncate) the file and run "postfix reload". The
+<p> The <a href="verify.8.html">verify(8)</a> daemon will periodically remove expired entries
+from the address verification database, and log the number of entries
+retained and dropped (Postfix versions 2.7 and later). A cleanup
+run is logged as "partial" when the daemon terminates early because
+of "postfix reload, "postfix stop", or because the daemon received
+no requests for $<a href="postconf.5.html#max_idle">max_idle</a> seconds. Postfix versions 2.6 and earlier
+do not implement automatic address verification database cleanup.
+There, the database is managed manually as described next. </p>
+
+<p> When the address verification database file becomes too big,
+or when it becomes corrupted, the solution is to manually rename
+or delete (NOT: truncate) the file and run "postfix reload". The
<a href="verify.8.html">verify(8)</a> daemon will then create a new database file. </p>
<h2><a name="probe_routing">Controlling the routing of address
multiple SASL accounts per mail server. Specifically, Postfix
connection caching assumes that a SASL credential is valid for all
hostnames or domain names that deliver via the same mail server IP
-address and TCP port, and assume that the SASL credential does not
+address and TCP port, and assumes that the SASL credential does not
depend on the message originator. </p>
</ul>
"filter:dummy". This record overrides the normal mail routing
and causes mail to be given to the content filter instead. </p>
-<p> The <a href="postconf.5.html#content_filter">content_filter</a> configuration parameter accepts the same syntax
-as the right-hand side in a Postfix transport table. </p>
-
-<li> <p> Execute "<b>postfix reload</b>" to complete the change. </p>
+<p> The <a href="postconf.5.html#content_filter">content_filter</a> configuration parameter expects a value of
+the form <i>transport:destination</i>. The <i>transport</i> name
+specifies the first field of a mail delivery agent definition in
+<a href="master.5.html">master.cf</a>; the syntax of <i>destination</i> is described in the
+manual page of the corresponding delivery agent. </p>
+
+<p> The meaning of an empty filter <i>destination</i> is version
+dependent. Postfix 2.7 and later will use the recipient domain;
+earlier versions will use $<a href="postconf.5.html#myhostname">myhostname</a>. Specify "<a href="postconf.5.html#legacy_filter_nexthop">legacy_filter_nexthop</a>
+= yes" for compatibility with Postfix 2.6 or earlier, or specify a
+non-empty filter destination. </p>
+
+<p> The <a href="postconf.5.html#content_filter">content_filter</a> setting has a lower precedence than a content
+filter that is specified with an <a href="access.5.html">access(5)</a> table or in a <a href="header_checks.5.html">header_checks(5)</a>
+or <a href="header_checks.5.html">body_checks(5)</a> table. </p>
+
+<li> <p> Execute "<b>postfix reload</b>" to complete the change.
+</p>
</ul>
<ul>
+<li> <p> The "<a href="postconf.5.html#receive_override_options">receive_override_options</a>" line disables address
+manipulation before the content filter, so that the content filter
+sees the original mail addresses instead of the result of virtual
+alias expansion, canonical mapping, automatic bcc, address
+masquerading, etc. </p>
+
<li> <p> The "<a href="postconf.5.html#content_filter">content_filter</a>" line causes Postfix to add one content
filter request record to each incoming mail message, with content
"scan:localhost:10025". The content filter request records are
will deliver the mail to the specified content filter regardless
of its final destination. </p>
-<li> <p> The "<a href="postconf.5.html#receive_override_options">receive_override_options</a>" line disables address
-manipulation before the content filter, so that the content filter
-sees the original mail addresses instead of the result of virtual
-alias expansion, canonical mapping, automatic bcc, address
-masquerading, etc. </p>
+<li> <p> The <a href="postconf.5.html#content_filter">content_filter</a> configuration parameter expects a value
+of the form <i>transport:destination</i>. The <i>transport</i> name
+specifies the first field of a mail delivery agent definition in
+<a href="master.5.html">master.cf</a>; the syntax of <i>destination</i> is described in the
+manual page of the corresponding delivery agent. </p>
+
+<li> <p> The meaning of an empty filter <i>destination</i> is version
+dependent. Postfix 2.7 and later will use the recipient domain;
+earlier versions will use $<a href="postconf.5.html#myhostname">myhostname</a>. Specify "<a href="postconf.5.html#legacy_filter_nexthop">legacy_filter_nexthop</a>
+= yes" for compatibility with Postfix 2.6 or earlier, or specify a
+non-empty filter destination. </p>
+
+<li> <p> The <a href="postconf.5.html#content_filter">content_filter</a> setting has a lower precedence than a
+content filter that is specified with an <a href="access.5.html">access(5)</a> table or in a
+<a href="header_checks.5.html">header_checks(5)</a> or <a href="header_checks.5.html">body_checks(5)</a> table. </p>
</ul>
/etc/postfix/<a href="master.5.html">master.cf</a>:
maildrop unix - n n - - pipe
flags=ODRhu user=vmail argv=/path/to/maildrop
- -d ${user}@${nexthop} ${extension} ${recipient} ${user} ${nexthop}
+ -d ${user}@${domain} ${extension} ${recipient} ${user} ${nexthop}
</pre>
</blockquote>
-<p> The mail is delivered to ${user}@${nexthop} (match key for
+<p> The mail is delivered to ${user}@${domain} (search key for
maildrop userdb lookup). The ${extension} and the other address
components are available to maildrop rules as $1, $2, $3, ... and
can be omitted from <a href="master.5.html">master.cf</a> or ignored by maildrop when not
needed. </p>
+<p> With Postfix 2.4 and earlier, use ${nexthop} instead of ${domain}.
+</p>
+
<h2><a name="indirect">Indirect delivery via the local delivery agent</a></h2>
<p> Postfix can be configured to deliver mail to maildrop via the
text. <b>4</b><i>NN</i> means "try again later", while <b>5</b><i>NN</i> means
"do not try again".
- The reply code "421" causes Postfix to disconnect
- immediately (Postfix version 2.3 and later).
+ The following responses have special meaning for
+ the Postfix SMTP server:
+
+ <b>421</b> <i>text</i> (Postfix 2.3 and later)
+
+ <b>521</b> <i>text</i> (Postfix 2.6 and later)
+ After responding with the numerical three-
+ digit code and text, disconnect immediately
+ from the SMTP client. This frees up SMTP
+ server resources so that they can be made
+ available to another SMTP client.
+
+ Note: The "521" response should be used only
+ with botnets and other malware where inter-
+ operability is of no concern. The "send 521
+ and disconnect" behavior is NOT defined in
+ the SMTP standard.
<b>REJECT</b> <i>optional text...</i>
Reject the address etc. that matches the pattern.
<b>FILTER</b> <i>transport:destination</i>
After the message is queued, send the entire mes-
sage through the specified external content filter.
- The <i>transport:destination</i> syntax is described in
- the <a href="transport.5.html"><b>transport</b>(5)</a> manual page. More information
- about external content filters is in the Postfix
- <a href="FILTER_README.html">FILTER_README</a> file.
-
- Note: this action overrides the <b><a href="postconf.5.html#content_filter">content_filter</a></b> set-
- ting, and currently affects all recipients of the
- message.
+ The <i>transport</i> name specifies the first field of a
+ mail delivery agent definition in <a href="master.5.html">master.cf</a>; the
+ syntax of <i>destination</i> is described in the manual
+ page of the corresponding delivery agent. More
+ information about external content filters is in
+ the Postfix <a href="FILTER_README.html">FILTER_README</a> file.
+
+ Note 1: do not use $<i>number</i> regular expression sub-
+ stitutions for <i>transport</i> or <i>destination</i> unless you
+ know that the information has a trusted origin.
+
+ Note 2: this action overrides the <a href="postconf.5.html">main.cf</a> <b><a href="postconf.5.html#content_filter">con</a>-</b>
+ <b><a href="postconf.5.html#content_filter">tent_filter</a></b> setting, and affects all recipients of
+ the message. In the case that multiple <b>FILTER</b>
+ actions fire, only the last one is executed.
+
+ Note 3: the purpose of the FILTER command is to
+ override message routing. To override the recipi-
+ ent's <i>transport</i> but not <i>destination</i>, specify an
+ empty <i>destination</i> (Postfix 2.7 and later), or spec-
+ ify a <i>transport:destination</i> that delivers through a
+ different Postfix instance (Postfix 2.6 and ear-
+ lier). Other options are using the recipient-depen-
+ dent <b><a href="postconf.5.html#transport_maps">transport_maps</a></b> or the sender-dependent <b><a href="postconf.5.html#sender_dependent_default_transport_maps">sender</a>-</b>
+ <b><a href="postconf.5.html#sender_dependent_default_transport_maps">_dependent_default_transport_maps</a></b> features.
This feature is available in Postfix 2.0 and later.
<b>HOLD</b> <i>optional text...</i>
- Place the message on the <b>hold</b> queue, where it will
- sit until someone either deletes it or releases it
- for delivery. Log the optional text if specified,
+ Place the message on the <b>hold</b> queue, where it will
+ sit until someone either deletes it or releases it
+ for delivery. Log the optional text if specified,
otherwise log a generic message.
- Mail that is placed on hold can be examined with
- the <a href="postcat.1.html"><b>postcat</b>(1)</a> command, and can be destroyed or
+ Mail that is placed on hold can be examined with
+ the <a href="postcat.1.html"><b>postcat</b>(1)</a> command, and can be destroyed or
released with the <a href="postsuper.1.html"><b>postsuper</b>(1)</a> command.
- Note: use "<b>postsuper -r</b>" to release mail that was
- kept
on hold for a significant fraction of <b>$<a href="postconf.5.html#maximal_queue_lifetime">maxi</a>-</b>
+ Note: use "<b>postsuper -r</b>" to release mail that was
+ kept
on hold for a significant fraction of <b>$<a href="postconf.5.html#maximal_queue_lifetime">maxi</a>-</b>
<b><a href="postconf.5.html#maximal_queue_lifetime">mal_queue_lifetime</a></b> or <b>$<a href="postconf.5.html#bounce_queue_lifetime">bounce_queue_lifetime</a></b>, or
- longer. Use "<b>postsuper -H</b>" only for mail that will
+ longer. Use "<b>postsuper -H</b>" only for mail that will
not expire within a few delivery attempts.
- Note: this action currently affects all recipients
+ Note: this action currently affects all recipients
of the message.
This feature is available in Postfix 2.0 and later.
<b>PREPEND</b> <i>headername: headervalue</i>
- Prepend the specified message header to the mes-
- sage. When more than one PREPEND action executes,
- the first prepended header appears before the sec-
+ Prepend the specified message header to the mes-
+ sage. When more than one PREPEND action executes,
+ the first prepended header appears before the sec-
ond etc. prepended header.
- Note: this action must execute before the message
- content is received; it cannot execute in the con-
+ Note: this action must execute before the message
+ content is received; it cannot execute in the con-
text of <b><a href="postconf.5.html#smtpd_end_of_data_restrictions">smtpd_end_of_data_restrictions</a></b>.
This feature is available in Postfix 2.1 and later.
<b>REDIRECT</b> <i>user@domain</i>
- After the message is queued, send the message to
+ After the message is queued, send the message to
the specified address instead of the intended
recipient(s).
- Note: this action overrides the FILTER action, and
+ Note: this action overrides the FILTER action, and
currently affects all recipients of the message.
This feature is available in Postfix 2.1 and later.
<b>WARN</b> <i>optional text...</i>
Log a warning with the optional text, together with
- client information and if available, with helo,
+ client information and if available, with helo,
sender, recipient and protocol information.
This feature is available in Postfix 2.1 and later.
<b>ENHANCED STATUS CODES</b>
- Postfix version 2.3 and later support enhanced status
- codes as defined in <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a>. When an enhanced status
- code is specified in an access table, it is subject to
- modification. The following transformations are needed
- when the same access table is used for client, helo,
- sender, or recipient access restrictions; they happen
+ Postfix version 2.3 and later support enhanced status
+ codes as defined in <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a>. When an enhanced status
+ code is specified in an access table, it is subject to
+ modification. The following transformations are needed
+ when the same access table is used for client, helo,
+ sender, or recipient access restrictions; they happen
regardless of whether Postfix replies to a MAIL FROM, RCPT
TO or other SMTP command.
- <b>o</b> When a sender address matches a REJECT action, the
- Postfix SMTP server will transform a recipient DSN
- status (e.g., 4.1.1-4.1.6) into the corresponding
+ <b>o</b> When a sender address matches a REJECT action, the
+ Postfix SMTP server will transform a recipient DSN
+ status (e.g., 4.1.1-4.1.6) into the corresponding
sender DSN status, and vice versa.
- <b>o</b> When non-address information matches a REJECT
- action (such as the HELO command argument or the
- client hostname/address), the Postfix SMTP server
- will transform a sender or recipient DSN status
- into a generic non-address DSN status (e.g.,
+ <b>o</b> When non-address information matches a REJECT
+ action (such as the HELO command argument or the
+ client hostname/address), the Postfix SMTP server
+ will transform a sender or recipient DSN status
+ into a generic non-address DSN status (e.g.,
4.0.0).
<b>REGULAR EXPRESSION TABLES</b>
- This section describes how the table lookups change when
+ This section describes how the table lookups change when
the table is given in the form of regular expressions. For
- a description of regular expression lookup table syntax,
+ a description of regular expression lookup table syntax,
see <a href="regexp_table.5.html"><b>regexp_table</b>(5)</a> or <a href="pcre_table.5.html"><b>pcre_table</b>(5)</a>.
- Each pattern is a regular expression that is applied to
+ Each pattern is a regular expression that is applied to
the entire string being looked up. Depending on the appli-
- cation, that string is an entire client hostname, an
+ cation, that string is an entire client hostname, an
entire client IP address, or an entire mail address. Thus,
no parent domain or parent network search is done,
- <i>user@domain</i> mail addresses are not broken up into their
+ <i>user@domain</i> mail addresses are not broken up into their
<i>user@</i> and <i>domain</i> constituent parts, nor is <i>user+foo</i> broken
up into <i>user</i> and <i>foo</i>.
- Patterns are applied in the order as specified in the ta-
- ble, until a pattern is found that matches the search
+ Patterns are applied in the order as specified in the ta-
+ ble, until a pattern is found that matches the search
string.
- Actions are the same as with indexed file lookups, with
- the additional feature that parenthesized substrings from
+ Actions are the same as with indexed file lookups, with
+ the additional feature that parenthesized substrings from
the pattern can be interpolated as <b>$1</b>, <b>$2</b> and so on.
<b>TCP-BASED TABLES</b>
- This section describes how the table lookups change when
+ This section describes how the table lookups change when
lookups are directed to a TCP-based server. For a descrip-
tion of the TCP client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_ta-</b></a>
<a href="tcp_table.5.html"><b>ble</b>(5)</a>. This feature is not available up to and including
Postfix version 2.4.
- Each lookup operation uses the entire query string once.
- Depending on the application, that string is an entire
+ Each lookup operation uses the entire query string once.
+ Depending on the application, that string is an entire
client hostname, an entire client IP address, or an entire
- mail address. Thus, no parent domain or parent network
- search is done, <i>user@domain</i> mail addresses are not broken
- up into their <i>user@</i> and <i>domain</i> constituent parts, nor is
+ mail address. Thus, no parent domain or parent network
+ search is done, <i>user@domain</i> mail addresses are not broken
+ up into their <i>user@</i> and <i>domain</i> constituent parts, nor is
<i>user+foo</i> broken up into <i>user</i> and <i>foo</i>.
Actions are the same as with indexed file lookups.
<b>EXAMPLE</b>
- The following example uses an indexed file, so that the
- order of table entries does not matter. The example per-
- mits access by the client at address 1.2.3.4 but rejects
- all other clients in 1.2.3.0/24. Instead of <b>hash</b> lookup
- tables, some systems use <b>dbm</b>. Use the command "<b>postconf</b>
- <b>-m</b>" to find out what lookup tables Postfix supports on
+ The following example uses an indexed file, so that the
+ order of table entries does not matter. The example per-
+ mits access by the client at address 1.2.3.4 but rejects
+ all other clients in 1.2.3.0/24. Instead of <b>hash</b> lookup
+ tables, some systems use <b>dbm</b>. Use the command "<b>postconf</b>
+ <b>-m</b>" to find out what lookup tables Postfix supports on
your system.
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
1.2.3 REJECT
1.2.3.4 OK
- Execute the command "<b>postmap /etc/postfix/access</b>" after
+ Execute the command "<b>postmap /etc/postfix/access</b>" after
editing the file.
<b>BUGS</b>
- The table format does not understand quoting conventions.
+ The table format does not understand quoting conventions.
<b>SEE ALSO</b>
<a href="postmap.1.html">postmap(1)</a>, Postfix lookup table manager
<a href="DATABASE_README.html">DATABASE_README</a>, Postfix lookup table overview
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>
This feature is available in Postfix 2.1 and later.
<b>FILTER</b> <i>transport:destination</i>
- Write a content filter request to the queue file,
- and inspect the next input line. After the com-
- plete message is received it will be sent through
- the specified external content filter. More infor-
- mation about external content filters is in the
- Postfix <a href="FILTER_README.html">FILTER_README</a> file.
-
- Note: this action overrides the <b><a href="postconf.5.html#content_filter">content_filter</a></b> set-
- ting, and affects all recipients of the message. In
- the case that multiple <b>FILTER</b> actions fire, only
- the last one is executed.
+ After the message is queued, send the entire mes-
+ sage through the specified external content filter.
+ The <i>transport</i> name specifies the first field of a
+ mail delivery agent definition <a href="master.5.html">master.cf</a>; the syn-
+ tax of <i>destination</i> is described in the manual page
+ of the corresponding delivery agent. More informa-
+ tion about external content filters is in the Post-
+ fix <a href="FILTER_README.html">FILTER_README</a> file.
+
+ Note 1: do not use $<i>number</i> regular expression sub-
+ stitutions for <i>transport</i> or <i>destination</i> unless you
+ know that the information has a trusted origin.
+
+ Note 2: this action overrides the <a href="postconf.5.html">main.cf</a> <b><a href="postconf.5.html#content_filter">con</a>-</b>
+ <b><a href="postconf.5.html#content_filter">tent_filter</a></b> setting, and affects all recipients of
+ the message. In the case that multiple <b>FILTER</b>
+ actions fire, only the last one is executed.
+
+ Note 3: the purpose of the FILTER command is to
+ override message routing. To override the recipi-
+ ent's <i>transport</i> but not <i>destination</i>, specify an
+ empty <i>destination</i> (Postfix 2.7 and later), or spec-
+ ify a <i>transport:destination</i> that delivers through a
+ different Postfix instance (Postfix 2.6 and ear-
+ lier). Other options are using the recipient-depen-
+ dent <b><a href="postconf.5.html#transport_maps">transport_maps</a></b> or the sender-dependent <b><a href="postconf.5.html#sender_dependent_default_transport_maps">sender</a>-</b>
+ <b><a href="postconf.5.html#sender_dependent_default_transport_maps">_dependent_default_transport_maps</a></b> features.
This feature is available in Postfix 2.0 and later.
Allow a sender or recipient address to have `-' as
the first character.
+ Available with Postfix version 2.7 and later:
+
+ <b><a href="postconf.5.html#legacy_filter_nexthop">legacy_filter_nexthop</a> (no)</b>
+ When a FILTER command does not specify a destina-
+ tion, force the destination to be $<a href="postconf.5.html#myhostname">myhostname</a>,
+ instead of using the recipient domain.
+
<b>ACTIVE QUEUE CONTROLS</b>
<b><a href="postconf.5.html#qmgr_clog_warn_time">qmgr_clog_warn_time</a> (300s)</b>
The minimal delay between warnings that a specific
supports the "delete" and "sequence" operators. Specify a zero
interval to disable database cleanup. </p>
+<p> After each database cleanup run, the <a href="verify.8.html">verify(8)</a> daemon logs the
+number of entries that were retained and dropped. A cleanup run is
+logged as "partial" when the daemon terminates early after "<b>postfix
+reload</b>", "<b>postfix stop</b>", or no requests for $<a href="postconf.5.html#max_idle">max_idle</a>
+seconds. </p>
+
<p> Time units: s (seconds), m (minutes), h (hours), d (days), w
(weeks). </p>
</p>
<p>
-The lookup table is persistent by default as of Postfix version
-2.7. Specify an empty table name to keep the information in volatile
+The lookup table is persistent by default (Postfix 2.7 and later).
+Specify an empty table name to keep the information in volatile
memory which is lost after "<b>postfix reload</b>" or "<b>postfix
-stop</b>" (this is default with earlier Postfix versions).
+stop</b>". This is the default with Postfix version 2.6 and earlier.
</p>
<p>
delete (NOT: truncate) the file and do "<b>postfix reload</b>".
</p>
-<p> As of version 2.5, Postfix no longer uses root privileges when
-opening this file. The file must now be stored under a Postfix-owned
-directory such as the <a href="postconf.5.html#data_directory">data_directory</a>. As a migration aid, an attempt
-to open the file under a non-Postfix directory is redirected to the
-Postfix-owned <a href="postconf.5.html#data_directory">data_directory</a>, and a warning is logged. </p>
+<p> Postfix daemon processes do not use root privileges when opening
+this file (Postfix 2.5 and later). The file must therefore be
+stored under a Postfix-owned directory such as the <a href="postconf.5.html#data_directory">data_directory</a>.
+As a migration aid, an attempt to open the file under a non-Postfix
+directory is redirected to the Postfix-owned <a href="postconf.5.html#data_directory">data_directory</a>, and a
+warning is logged. </p>
<p>
Examples:
</p>
<p>
-With Postfix version 2.7 and later, the SMTP server polls the
-<a href="verify.8.html">verify(8)</a> service up to three times under non-overload conditions,
-and only once when under overload. With earlier Postfix versions,
-the SMTP server always polls the <a href="verify.8.html">verify(8)</a> service up to three
-times.
+The Postfix SMTP server polls the <a href="verify.8.html">verify(8)</a> service up to three
+times under non-overload conditions, and only once when under
+overload. With Postfix version 2.6 and earlier, the SMTP server
+always polls the <a href="verify.8.html">verify(8)</a> service up to three times.
</p>
<p>
(default: 50000)</b></DT><DD>
<p> The maximal amount of original message text that is sent in a
-non-delivery notification. Specify a byte count. With Postfix 2.4
-and later, a message is returned as either message/rfc822 (the
-complete original) or as text/rfc822-headers (the headers only).
-With earlier Postfix versions, a message is always returned as
-message/rfc822 and is truncated when it exceeds the size limit.
+non-delivery notification. Specify a byte count. A message is
+returned as either message/rfc822 (the complete original) or as
+text/rfc822-headers (the headers only). With Postfix version 2.4
+and earlier, a message is always returned as message/rfc822 and is
+truncated when it exceeds the size limit.
</p>
<p> Notes: </p>
<DT><b><a name="content_filter">content_filter</a>
(default: empty)</b></DT><DD>
-<p>
-The name of a mail delivery transport that filters mail after
-it is queued.
+<p> After the message is queued, send the entire message to the
+specified <i>transport:destination</i>. The <i>transport</i> name
+specifies the first field of a mail delivery agent definition in
+<a href="master.5.html">master.cf</a>; the syntax of <i>destination</i> is described in the
+manual page of the corresponding delivery agent. More information
+about external content filters is in the Postfix <a href="FILTER_README.html">FILTER_README</a> file.
</p>
-<p>
-This parameter uses the same syntax as the right-hand side of a
-Postfix <a href="transport.5.html">transport(5)</a> table. This setting has a lower precedence
-than a content filter that is specified with an <a href="access.5.html">access(5)</a> table or
-in a <a href="header_checks.5.html">header_checks(5)</a> or <a href="header_checks.5.html">body_checks(5)</a> table.
-</p>
+<p> Notes: </p>
+
+<ul>
+
+<li> <p> This setting has a lower precedence than a content filter that
+is specified with an <a href="access.5.html">access(5)</a> table or in a <a href="header_checks.5.html">header_checks(5)</a> or
+<a href="header_checks.5.html">body_checks(5)</a> table. </p>
+
+<li> <p> The meaning of an empty filter <i>destination</i> is version
+dependent. Postfix 2.7 and later will use the recipient domain;
+earlier versions will use $<a href="postconf.5.html#myhostname">myhostname</a>. Specify "<a href="postconf.5.html#legacy_filter_nexthop">legacy_filter_nexthop</a>
+= yes" for compatibility with Postfix 2.6 or earlier, or specify
+a non-empty filter <i>destination</i>. </p>
+
+</ul>
</DD>
(weeks). The default time unit is s (seconds). </p>
<p> NOTE: the delay is enforced by the queue manager. The delay
-timer state does not survive "postfix reload" or "postfix stop".
+timer state does not survive "<b>postfix reload</b>" or "<b>postfix
+stop</b>".
</p>
<p> Use <a href="postconf.5.html#transport_destination_rate_delay"><i>transport</i>_destination_rate_delay</a> to specify a
<li> b = time from last <a href="QSHAPE_README.html#active_queue">active queue</a> entry to connection setup
-<li> c = time in connection setup, including DNS, EHLO and TLS
+<li> c = time in connection setup, including DNS, EHLO and STARTTLS
<li> d = time in message transmission
</p>
+</DD>
+
+<DT><b><a name="legacy_filter_nexthop">legacy_filter_nexthop</a>
+(default: no)</b></DT><DD>
+
+<p> When a FILTER command does not specify a destination, force the
+destination to be $<a href="postconf.5.html#myhostname">myhostname</a>, instead of using the recipient domain.
+Specify "<a href="postconf.5.html#legacy_filter_nexthop">legacy_filter_nexthop</a> = yes" for compatibility with Postfix
+version 2.6 and earlier, or specify a non-empty filter destination.
+</p>
+
+<p> This feature is available in Postfix 2.7 and later. </p>
+
+
</DD>
<DT><b><a name="line_length_limit">line_length_limit</a>
cache database supports the "delete" and "sequence" operators.
Specify a zero interval to disable cache cleanup. </p>
+<p> After each cache cleanup run, the <a href="postscreen.8.html">postscreen(8)</a> daemon logs the
+number of entries that were retained and dropped. A cleanup run is
+logged as "partial" when the daemon terminates early after "<b>postfix
+reload</b>", "<b>postfix stop</b>", or no requests for $<a href="postconf.5.html#max_idle">max_idle</a>
+seconds. </p>
+
<p> Time units: s (seconds), m (minutes), h (hours), d (days), w
(weeks). </p>
</p>
<p>
-By default, the Postfix version 2.1 SMTP server rejects MAIL FROM commands
-when the amount of free space is less than 1.5*$<a href="postconf.5.html#message_size_limit">message_size_limit</a>.
+By default, the Postfix SMTP server rejects MAIL FROM commands when
+the amount of free space is less than 1.5*$<a href="postconf.5.html#message_size_limit">message_size_limit</a>
+(Postfix version 2.1 and later).
To specify a higher minimum free space limit, specify a <a href="postconf.5.html#queue_minfree">queue_minfree</a>
value that is at least 1.5*$<a href="postconf.5.html#message_size_limit">message_size_limit</a>.
</p>
This information is overruled with the <a href="transport.5.html">transport(5)</a> table. </p>
<p> Note: this overrides <a href="postconf.5.html#default_transport">default_transport</a>, not <a href="postconf.5.html#transport_maps">transport_maps</a>, and
-therefore the expected syntax is that of <a href="postconf.5.html#default_transport">default_transport</a>. This
-feature does not support the <a href="postconf.5.html#transport_maps">transport_maps</a> syntax for null transport,
-null nexthop, or null email addresses. </p>
+therefore the expected syntax is that of <a href="postconf.5.html#default_transport">default_transport</a>, not the
+syntax of <a href="postconf.5.html#transport_maps">transport_maps</a>. Specifically, this does not support the
+<a href="postconf.5.html#transport_maps">transport_maps</a> syntax for null transport, null nexthop, or null
+email addresses. </p>
<p> For safety reasons, this feature does not allow $number
substitutions in regular expression maps. </p>
<ul>
-<li> <p> Use "<a href="postconf.5.html#resolve_numeric_domain">resolve_numeric_domain</a> = yes" to accept "<i>user@ipaddress</i>"
-Postfix already accepts the correct form "<i>user@[ipaddress]</i>".
-</p>
+<li> <p> Use "<a href="postconf.5.html#resolve_numeric_domain">resolve_numeric_domain</a> = yes" to accept
+"<i>user@ipaddress</i>". </p>
+
+<li> <p> Postfix already accepts the correct form
+"<i>user@[ipaddress]</i>". </p>
<li> <p> Use "<a href="postconf.5.html#strict_rfc821_envelopes">strict_rfc821_envelopes</a> = no" to accept "<i>User Name
-<user@example.com></i>". </p>
+<user@example.com></i>". Postfix will ignore the "User Name"
+part before delivering the mail. </p>
</ul>
<b>DESCRIPTION</b>
The Postfix <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server performs triage on multi-
- ple inbound SMTP connections in parallel. By running
- time-consuming tests in parallel in <a href="postscreen.8.html"><b>postscreen</b>(8)</a>, zombies
- and other bogus clients can be kept away from Postfix SMTP
- server processes. Thus, more Postfix SMTP server processes
- remain available for legitimate clients.
-
- This triage process involves a number of tests, documented
- below. The tests introduce a delay of a few seconds; once
- a client passes the tests, its IP address is temporarily
- whitelisted, typically for 24 hours.
-
- The program can run in two basic modes.
-
- <b>Observation mode</b>
- <a href="postscreen.8.html"><b>postscreen</b>(8)</a> reports the results of the tests, and
- forwards all connections to a real Postfix SMTP
- server process.
-
- <b>Enforcement mode</b>
- <a href="postscreen.8.html"><b>postscreen</b>(8)</a> reports the results of the tests, but
- forwards only connections to a real SMTP server
- process from clients that passed the tests.
-
- <a href="postscreen.8.html"><b>postscreen</b>(8)</a> disconnects clients that fail the
- tests, after sending a 521 status message (a future
- version may pass the connection to a dummy SMTP
- protocol engine that logs sender and recipient
- information).
-
- Note: <a href="postscreen.8.html"><b>postscreen</b>(8)</a> is not an SMTP proxy; this is inten-
- tional. The purpose is to prioritize legitimate clients
+ ple inbound SMTP connections in parallel. While
+ <a href="postscreen.8.html"><b>postscreen</b>(8)</a> keeps zombies and other bogus clients away
+ from Postfix SMTP server processes, more Postfix SMTP
+ server processes remain available for legitimate clients.
+
+<b>GENERAL OPERATION</b>
+ The triage process involves a number of tests, in the
+ order as described below. Some tests introduce a delay of
+ a few seconds. Once a client passes all tests, its IP
+ address is temporarily excluded from the tests, typically
+ for 24 hours. This minimizes the impact of the tests on
+ legitimate mail clients.
+
+ After logging the result of its tests, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> by
+ default forwards all connections to a real SMTP server
+ process. This mode is useful for non-destructive testing.
+
+ In a typical production setting, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> is config-
+ ured to disconnect clients that fail some tests. A future
+ implementation may pass the connection to a dummy SMTP
+ protocol engine that logs sender and recipient information
+ before hanging up.
+
+ Note: <a href="postscreen.8.html"><b>postscreen</b>(8)</a> is not an SMTP proxy; this is inten-
+ tional. The purpose is to prioritize legitimate clients
with as little overhead as possible.
- <a href="postscreen.8.html"><b>postscreen</b>(8)</a> performs tests in the order described below.
-
<b>1. PERMANENT WHITELIST TEST</b>
The <a href="postconf.5.html#postscreen_whitelist_networks">postscreen_whitelist_networks</a> parameter (default:
$<a href="postconf.5.html#mynetworks">mynetworks</a>) specifies a permanent whitelist for SMTP
The <a href="postconf.5.html#postscreen_blacklist_action">postscreen_blacklist_action</a> parameter specifies the
action that is taken next:
- <b>continue</b> (default, observation mode)
+ <b>continue</b> (default)
Continue with the SMTP GREETING PHASE TESTS below.
- <b>drop</b> (enforcement mode)
- Drop the connection immediately with a 521 SMTP
+ <b>drop</b> Drop the connection immediately with a 521 SMTP
reply. In a future implementation, the connection
may instead be passed to a dummy SMTP protocol
engine that logs sender and recipient information.
The <a href="postconf.5.html#postscreen_greet_action">postscreen_greet_action</a> parameter specifies the action
that is taken next:
- <b>continue</b> (default, observation mode)
+ <b>continue</b> (default)
Wait until the <a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> time has
elapsed, then report DNSBL lookup results if appli-
cable. Either perform DNSBL-related actions or for-
ward the connection to a real SMTP server process.
- <b>drop</b> (enforcement mode)
- Drop the connection immediately with a 521 SMTP
+ <b>drop</b> Drop the connection immediately with a 521 SMTP
reply. In a future implementation, the connection
may instead be passed to a dummy SMTP protocol
engine that logs sender and recipient information.
The <a href="postconf.5.html#postscreen_hangup_action">postscreen_hangup_action</a> specifies the action that is
taken next:
- <b>continue</b> (default, observation mode)
+ <b>continue</b> (default)
Wait until the <a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> time has
elapsed, then report DNSBL lookup results if appli-
cable. Do not forward the broken connection to a
real SMTP server process.
- <b>drop</b> (enforcement mode)
- Drop the connection immediately.
+ <b>drop</b> Drop the connection immediately.
<b>4C. DNS BLOCKLIST TEST</b>
The <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> parameter (default: empty)
The <a href="postconf.5.html#postscreen_dnsbl_action">postscreen_dnsbl_action</a> parameter specifies the action
that is taken next:
- <b>continue</b> (default, observation mode)
+ <b>continue</b> (default)
Forward the connection to a real SMTP server
process.
- <b>drop</b> (enforcement mode)
- Drop the connection immediately with a 521 SMTP
+ <b>drop</b> Drop the connection immediately with a 521 SMTP
reply. In a future implementation, the connection
may instead be passed to a dummy SMTP protocol
engine that logs sender and recipient information.
Allow a sender or recipient address to have `-' as
the first character.
+ Available with Postfix version 2.7 and later:
+
+ <b><a href="postconf.5.html#legacy_filter_nexthop">legacy_filter_nexthop</a> (no)</b>
+ When a FILTER command does not specify a destina-
+ tion, force the destination to be $<a href="postconf.5.html#myhostname">myhostname</a>,
+ instead of using the recipient domain.
+
<b>ACTIVE QUEUE CONTROLS</b>
<b><a href="postconf.5.html#qmgr_clog_warn_time">qmgr_clog_warn_time</a> (300s)</b>
The minimal delay between warnings that a specific
Available with Postfix 2.7 and later:
<b><a href="postconf.5.html#address_verify_cache_cleanup_interval">address_verify_cache_cleanup_interval</a> (12h)</b>
- The amount of time between <a href="verify.8.html"><b>verify</b>(8)</a> cache cleanup
- runs.
+ The amount of time between <a href="verify.8.html"><b>verify</b>(8)</a> address veri-
+ fication database cleanup runs.
<b>PROBE MESSAGE ROUTING CONTROLS</b>
By default, probe messages are delivered via the same
Reject the address etc. that matches the pattern, and respond with
the numerical three-digit code and text. \fB4\fINN\fR means "try
again later", while \fB5\fINN\fR means "do not try again".
+
+The following responses have special meaning for the Postfix
+SMTP server:
+.RS
+.IP "\fB421 \fItext\fR (Postfix 2.3 and later)"
+.IP "\fB521 \fItext\fR (Postfix 2.6 and later)"
+After responding with the numerical three-digit code and
+text, disconnect immediately from the SMTP client. This
+frees up SMTP server resources so that they can be made
+available to another SMTP client.
.IP
-The reply code "421" causes Postfix to disconnect immediately
-(Postfix version 2.3 and later).
+Note: The "521" response should be used only with botnets
+and other malware where interoperability is of no concern.
+The "send 521 and disconnect" behavior is NOT defined in
+the SMTP standard.
+.RE
.IP "\fBREJECT \fIoptional text...\fR
Reject the address etc. that matches the pattern. Reply with
"\fB$access_map_reject_code \fIoptional text...\fR" when the
This feature is available in Postfix 2.0 and later.
.IP "\fBFILTER \fItransport:destination\fR"
After the message is queued, send the entire message through
-the specified external content filter. The \fItransport:destination\fR
-syntax is described in the \fBtransport\fR(5) manual page.
-More information
-about external content filters is in the Postfix FILTER_README file.
+the specified external content filter. The \fItransport\fR
+name specifies the first field of a mail delivery agent
+definition in master.cf; the syntax of \fIdestination\fR
+is described in the manual page of the corresponding delivery
+agent. More information about external content filters is
+in the Postfix FILTER_README file.
+.sp
+Note 1: do not use $\fInumber\fR regular expression
+substitutions for \fItransport\fR or \fIdestination\fR
+unless you know that the information has a trusted origin.
+.sp
+Note 2: this action overrides the main.cf \fBcontent_filter\fR
+setting, and affects all recipients of the message. In the
+case that multiple \fBFILTER\fR actions fire, only the last
+one is executed.
.sp
-Note: this action overrides the \fBcontent_filter\fR setting,
-and currently affects all recipients of the message.
+Note 3: the purpose of the FILTER command is to override
+message routing. To override the recipient's \fItransport\fR
+but not \fIdestination\fR, specify an empty \fIdestination\fR
+(Postfix 2.7 and later), or specify a \fItransport:destination\fR
+that delivers through a different Postfix instance (Postfix
+2.6 and earlier). Other options are using the recipient-dependent
+\fBtrans\%port\%_maps\fR or the sen\%der-dependent
+\fBsender\%_de\%pen\%dent_default_trans\%port\%_maps\fR
+features.
.sp
This feature is available in Postfix 2.0 and later.
.IP "\fBHOLD \fIoptional text...\fR"
-Place the message on the \fBhold\fR queue, where it will sit
-until someone either deletes it or releases it for delivery.
+Place the message on the \fBhold\fR queue, where it will
+sit until someone either deletes it or releases it for
+delivery.
Log the optional text if specified, otherwise log a generic
message.
.sp
This feature is available in Postfix 2.1 and later.
.IP "\fBFILTER \fItransport:destination\fR"
-Write a content filter request to the queue file, and
-inspect the next input line.
-After the complete message is received it will be sent through
-the specified external content filter. More information about
-external content filters is in the Postfix FILTER_README file.
+After the message is queued, send the entire message through
+the specified external content filter. The \fItransport\fR
+name specifies the first field of a mail delivery agent
+definition master.cf; the syntax of \fIdestination\fR is
+described in the manual page of the corresponding delivery
+agent. More information about external content filters is
+in the Postfix FILTER_README file.
.sp
-Note: this action overrides the \fBcontent_filter\fR setting,
-and affects all recipients of the message. In the case that multiple
-\fBFILTER\fR actions fire, only the last one is executed.
+Note 1: do not use $\fInumber\fR regular expression
+substitutions for \fItransport\fR or \fIdestination\fR
+unless you know that the information has a trusted origin.
+.sp
+Note 2: this action overrides the main.cf \fBcontent_filter\fR
+setting, and affects all recipients of the message. In the
+case that multiple \fBFILTER\fR actions fire, only the last
+one is executed.
+.sp
+Note 3: the purpose of the FILTER command is to override
+message routing. To override the recipient's \fItransport\fR
+but not \fIdestination\fR, specify an empty \fIdestination\fR
+(Postfix 2.7 and later), or specify a \fItransport:destination\fR
+that delivers through a different Postfix instance (Postfix
+2.6 and earlier). Other options are using the recipient-dependent
+\fBtrans\%port\%_maps\fR or the sen\%der-dependent
+\fBsender\%_de\%pen\%dent_default_trans\%port\%_maps\fR
+features.
.sp
This feature is available in Postfix 2.0 and later.
.IP "\fBHOLD \fIoptional text...\fR"
supports the "delete" and "sequence" operators. Specify a zero
interval to disable database cleanup.
.PP
+After each database cleanup run, the \fBverify\fR(8) daemon logs the
+number of entries that were retained and dropped. A cleanup run is
+logged as "partial" when the daemon terminates early after "\fBpostfix
+reload\fR", "\fBpostfix stop\fR", or no requests for $max_idle
+seconds.
+.PP
Time units: s (seconds), m (minutes), h (hours), d (days), w
(weeks).
.PP
storage. The table is maintained by the \fBverify\fR(8) service, and
is opened before the process releases privileges.
.PP
-The lookup table is persistent by default as of Postfix version
-2.7. Specify an empty table name to keep the information in volatile
+The lookup table is persistent by default (Postfix 2.7 and later).
+Specify an empty table name to keep the information in volatile
memory which is lost after "\fBpostfix reload\fR" or "\fBpostfix
-stop\fR" (this is default with earlier Postfix versions).
+stop\fR". This is the default with Postfix version 2.6 and earlier.
.PP
Specify a location in a file system that will not fill up. If the
database becomes corrupted, the world comes to an end. To recover
delete (NOT: truncate) the file and do "\fBpostfix reload\fR".
.PP
-As of version 2.5, Postfix no longer uses root privileges when
-opening this file. The file must now be stored under a Postfix-owned
-directory such as the data_directory. As a migration aid, an attempt
-to open the file under a non-Postfix directory is redirected to the
-Postfix-owned data_directory, and a warning is logged.
+Postfix daemon processes do not use root privileges when opening
+this file (Postfix 2.5 and later). The file must therefore be
+stored under a Postfix-owned directory such as the data_directory.
+As a migration aid, an attempt to open the file under a non-Postfix
+directory is redirected to the Postfix-owned data_directory, and a
+warning is logged.
.PP
Examples:
.PP
How many times to query the \fBverify\fR(8) service for the completion
of an address verification request in progress.
.PP
-With Postfix version 2.7 and later, the SMTP server polls the
-\fBverify\fR(8) service up to three times under non-overload conditions,
-and only once when under overload. With earlier Postfix versions,
-the SMTP server always polls the \fBverify\fR(8) service up to three
-times.
+The Postfix SMTP server polls the \fBverify\fR(8) service up to three
+times under non-overload conditions, and only once when under
+overload. With Postfix version 2.6 and earlier, the SMTP server
+always polls the \fBverify\fR(8) service up to three times.
.PP
Specify 1 to implement a crude form of greylisting, that is, always
defer the first delivery request for a new address.
This feature is available in Postfix 2.0 and later.
.SH bounce_size_limit (default: 50000)
The maximal amount of original message text that is sent in a
-non-delivery notification. Specify a byte count. With Postfix 2.4
-and later, a message is returned as either message/rfc822 (the
-complete original) or as text/rfc822-headers (the headers only).
-With earlier Postfix versions, a message is always returned as
-message/rfc822 and is truncated when it exceeds the size limit.
+non-delivery notification. Specify a byte count. A message is
+returned as either message/rfc822 (the complete original) or as
+text/rfc822-headers (the headers only). With Postfix version 2.4
+and earlier, a message is always returned as message/rfc822 and is
+truncated when it exceeds the size limit.
.PP
Notes:
.IP \(bu
protect the infrastructure against careless people. The cache TTL
is already bounded by $max_idle.
.SH content_filter (default: empty)
-The name of a mail delivery transport that filters mail after
-it is queued.
+After the message is queued, send the entire message to the
+specified \fItransport:destination\fR. The \fItransport\fR name
+specifies the first field of a mail delivery agent definition in
+master.cf; the syntax of \fIdestination\fR is described in the
+manual page of the corresponding delivery agent. More information
+about external content filters is in the Postfix FILTER_README file.
.PP
-This parameter uses the same syntax as the right-hand side of a
-Postfix \fBtransport\fR(5) table. This setting has a lower precedence
-than a content filter that is specified with an \fBaccess\fR(5) table or
-in a \fBheader_checks\fR(5) or \fBbody_checks\fR(5) table.
+Notes:
+.IP \(bu
+This setting has a lower precedence than a content filter that
+is specified with an \fBaccess\fR(5) table or in a \fBheader_checks\fR(5) or
+\fBbody_checks\fR(5) table.
+.IP \(bu
+The meaning of an empty filter \fIdestination\fR is version
+dependent. Postfix 2.7 and later will use the recipient domain;
+earlier versions will use $myhostname. Specify "legacy_filter_nexthop
+= yes" for compatibility with Postfix 2.6 or earlier, or specify
+a non-empty filter \fIdestination\fR.
.SH cyrus_sasl_config_path (default: empty)
Search path for Cyrus SASL application configuration files,
currently used only to locate the $smtpd_sasl_path.conf file.
(weeks). The default time unit is s (seconds).
.PP
NOTE: the delay is enforced by the queue manager. The delay
-timer state does not survive "postfix reload" or "postfix stop".
+timer state does not survive "\fBpostfix reload\fR" or "\fBpostfix
+stop\fR".
.PP
Use \fItransport\fR_destination_rate_delay to specify a
transport-specific override, where \fItransport\fR is the master.cf
.IP \(bu
b = time from last active queue entry to connection setup
.IP \(bu
-c = time in connection setup, including DNS, EHLO and TLS
+c = time in connection setup, including DNS, EHLO and STARTTLS
.IP \(bu
d = time in message transmission
.PP
The default time unit is s (seconds).
.PP
This feature is available in Postfix 2.1 and later.
+.SH legacy_filter_nexthop (default: no)
+When a FILTER command does not specify a destination, force the
+destination to be $myhostname, instead of using the recipient domain.
+Specify "legacy_filter_nexthop = yes" for compatibility with Postfix
+version 2.6 and earlier, or specify a non-empty filter destination.
+.PP
+This feature is available in Postfix 2.7 and later.
.SH line_length_limit (default: 2048)
Upon input, long lines are chopped up into pieces of at most
this length; upon delivery, long lines are reconstructed.
cache database supports the "delete" and "sequence" operators.
Specify a zero interval to disable cache cleanup.
.PP
+After each cache cleanup run, the \fBpostscreen\fR(8) daemon logs the
+number of entries that were retained and dropped. A cleanup run is
+logged as "partial" when the daemon terminates early after "\fBpostfix
+reload\fR", "\fBpostfix stop\fR", or no requests for $max_idle
+seconds.
+.PP
Time units: s (seconds), m (minutes), h (hours), d (days), w
(weeks).
.PP
that is needed to receive mail. This is currently used by the SMTP
server to decide if it will accept any mail at all.
.PP
-By default, the Postfix version 2.1 SMTP server rejects MAIL FROM commands
-when the amount of free space is less than 1.5*$message_size_limit.
+By default, the Postfix SMTP server rejects MAIL FROM commands when
+the amount of free space is less than 1.5*$message_size_limit
+(Postfix version 2.1 and later).
To specify a higher minimum free space limit, specify a queue_minfree
value that is at least 1.5*$message_size_limit.
.PP
This information is overruled with the \fBtransport\fR(5) table.
.PP
Note: this overrides default_transport, not transport_maps, and
-therefore the expected syntax is that of default_transport. This
-feature does not support the transport_maps syntax for null transport,
-null nexthop, or null email addresses.
+therefore the expected syntax is that of default_transport, not the
+syntax of transport_maps. Specifically, this does not support the
+transport_maps syntax for null transport, null nexthop, or null
+email addresses.
.PP
For safety reasons, this feature does not allow $number
substitutions in regular expression maps.
Postfix already implements a number of workarounds for malformed
client commands.
.IP \(bu
-Use "resolve_numeric_domain = yes" to accept "\fIuser@ipaddress\fR"
-Postfix already accepts the correct form "\fIuser@[ipaddress]\fR".
+Use "resolve_numeric_domain = yes" to accept
+"\fIuser@ipaddress\fR".
+.IP \(bu
+Postfix already accepts the correct form
+"\fIuser@[ipaddress]\fR".
.IP \(bu
Use "strict_rfc821_envelopes = no" to accept "\fIUser Name
-<user@example.com>\fR".
+<user@example.com>\fR". Postfix will ignore the "User Name"
+part before delivering the mail.
.PP
Examples:
.PP
.IP "\fBallow_min_user (no)\fR"
Allow a sender or recipient address to have `-' as the first
character.
+.PP
+Available with Postfix version 2.7 and later:
+.IP "\fBlegacy_filter_nexthop (no)\fR"
+When a FILTER command does not specify a destination, force the
+destination to be $myhostname, instead of using the recipient domain.
.SH "ACTIVE QUEUE CONTROLS"
.na
.nf
.ad
.fi
The Postfix \fBpostscreen\fR(8) server performs triage on
-multiple inbound SMTP connections in parallel. By running
-time-consuming tests in parallel in \fBpostscreen\fR(8),
-zombies and other bogus clients can be kept away from Postfix
-SMTP server processes. Thus, more Postfix SMTP server
-processes remain available for legitimate clients.
+multiple inbound SMTP connections in parallel. While
+\fBpostscreen\fR(8) keeps zombies and other bogus clients
+away from Postfix SMTP server processes, more Postfix SMTP
+server processes remain available for legitimate clients.
+.SH "GENERAL OPERATION"
+.na
+.nf
+.ad
+.fi
+The triage process involves a number of tests, in the order
+as described below. Some tests introduce a delay of a few
+seconds. Once a client passes all tests, its IP address
+is temporarily excluded from the tests, typically for 24
+hours. This minimizes the impact of the tests on legitimate
+mail clients.
-This triage process involves a number of tests, documented
-below. The tests introduce a delay of a few seconds; once
-a client passes the tests, its IP address is temporarily
-whitelisted, typically for 24 hours.
+After logging the result of its tests, \fBpostscreen\fR(8)
+by default forwards all connections to a real SMTP server
+process. This mode is useful for non-destructive testing.
+
+In a typical production setting, \fBpostscreen\fR(8) is
+configured to disconnect clients that fail some tests. A
+future implementation may pass the connection to a dummy
+SMTP protocol engine that logs sender and recipient information
+before hanging up.
-The program can run in two basic modes.
-.IP "\fBObservation mode\fR"
-\fBpostscreen\fR(8) reports the results of the tests, and
-forwards all connections to a real Postfix SMTP server
-process.
-.IP "\fBEnforcement mode\fR"
-\fBpostscreen\fR(8) reports the results of the tests, but
-forwards only connections to a real SMTP server process
-from clients that passed the tests.
-.sp
-\fBpostscreen\fR(8) disconnects clients that fail the tests,
-after sending a 521 status message (a future version may
-pass the connection to a dummy SMTP protocol engine that
-logs sender and recipient information).
-.PP
Note: \fBpostscreen\fR(8) is not an SMTP proxy; this is
intentional. The purpose is to prioritize legitimate clients
with as little overhead as possible.
-
-\fBpostscreen\fR(8) performs tests in the order described below.
.SH 1. PERMANENT WHITELIST TEST
.ad
.fi
.sp
The postscreen_blacklist_action parameter specifies the
action that is taken next:
-.IP "\fBcontinue\fR (default, observation mode)"
+.IP "\fBcontinue\fR (default)"
Continue with the SMTP GREETING PHASE TESTS below.
-.IP "\fBdrop\fR (enforcement mode)"
+.IP \fBdrop\fR
Drop the connection immediately with a 521 SMTP reply. In
a future implementation, the connection may instead be
passed to a dummy SMTP protocol engine that logs sender and
The postscreen_greet_action parameter specifies the action
that is taken next:
-.IP "\fBcontinue\fR (default, observation mode)"
+.IP "\fBcontinue\fR (default)"
Wait until the postscreen_greet_wait time has elapsed, then
report DNSBL lookup results if applicable. Either perform
DNSBL-related actions or forward the connection to a real
SMTP server process.
-.IP "\fBdrop\fR (enforcement mode)"
+.IP \fBdrop\fR
Drop the connection immediately with a 521 SMTP reply.
In a future implementation, the connection may instead be passed
to a dummy SMTP protocol engine that logs sender and recipient
.sp
The postscreen_hangup_action specifies the action
that is taken next:
-.IP "\fBcontinue\fR (default, observation mode)"
+.IP "\fBcontinue\fR (default)"
Wait until the postscreen_greet_wait time has elapsed, then
report DNSBL lookup results if applicable. Do not forward
the broken connection to a real SMTP server process.
-.IP "\fBdrop\fR (enforcement mode)"
+.IP \fBdrop\fR
Drop the connection immediately.
.SH 4C. DNS BLOCKLIST TEST
.ad
The postscreen_dnsbl_action parameter specifies the action
that is taken next:
-.IP "\fBcontinue\fR (default, observation mode)"
+.IP "\fBcontinue\fR (default)"
Forward the connection to a real SMTP server process.
-.IP "\fBdrop\fR (enforcement mode)"
+.IP \fBdrop\fR
Drop the connection immediately with a 521 SMTP reply.
In a future implementation, the connection may instead be passed
to a dummy SMTP protocol engine that logs sender and recipient
.IP "\fBallow_min_user (no)\fR"
Allow a sender or recipient address to have `-' as the first
character.
+.PP
+Available with Postfix version 2.7 and later:
+.IP "\fBlegacy_filter_nexthop (no)\fR"
+When a FILTER command does not specify a destination, force the
+destination to be $myhostname, instead of using the recipient domain.
.SH "ACTIVE QUEUE CONTROLS"
.na
.nf
.PP
Available with Postfix 2.7 and later:
.IP "\fBaddress_verify_cache_cleanup_interval (12h)\fR"
-The amount of time between \fBverify\fR(8) cache cleanup runs.
+The amount of time between \fBverify\fR(8) address verification
+database cleanup runs.
.SH "PROBE MESSAGE ROUTING CONTROLS"
.na
.nf
s;\bdefault_recipi[-</bB>]*\n* *[<bB>]*ent_refill_delay\b;<a href="postconf.5.html#default_recipient_refill_delay">$&</a>;g;
s;\bdefault_recip[-</bB>]*\n* *[<bB>]*ient_limit\b;<a href="postconf.5.html#default_recipient_limit">$&</a>;g;
s;\bdefault_transport\b;<a href="postconf.5.html#default_transport">$&</a>;g;
- s;\bsender
_depen[-</bB>]*\n* *[<bB>]*dent_default_trans[-</bB>]*\n* *[<bB>]*port_maps\b;<a href="postconf.5.html#sender_dependent_default_transport_maps">$&</a>;g;
+ s;\bsender
[-</bB>]*\n* *[<bB>]*_de[-</bB>]*\n* *[<bB>]*pen[-</bB>]*\n* *[<bB>]*dent_de[-</bB>]*\n* *[<bB>]*fault[-</bB>]*\n* *[<bB>]*_trans[-</bB>]*\n* *[<bB>]*port[-</bB>]*\n* *[<bB>]*_maps\b;<a href="postconf.5.html#sender_dependent_default_transport_maps">$&</a>;g;
s;\bempty_address_default_transport_maps_lookup_key\b;<a href="postconf.5.html#empty_address_default_transport_maps_lookup_key">$&</a>;g;
s;\bdefault_verp_delimiters\b;<a href="postconf.5.html#default_verp_delimiters">$&</a>;g;
s;\bdefer_code\b;<a href="postconf.5.html#defer_code">$&</a>;g;
s;\bproxy_write_maps\b;<a href="postconf.5.html#proxy_write_maps">$&</a>;g;
s;\bqmgr_clog_warn_time\b;<a href="postconf.5.html#qmgr_clog_warn_time">$&</a>;g;
s;\bqmgr_fudge_factor\b;<a href="postconf.5.html#qmgr_fudge_factor">$&</a>;g;
+ s;\blegacy_filter_nexthop\b;<a href="postconf.5.html#legacy_filter_nexthop">$&</a>;g;
s;\bqmgr_message_active_limit\b;<a href="postconf.5.html#qmgr_message_active_limit">$&</a>;g;
s;\bqmgr_message_recip[-</bB>]*\n* *[<bB>]*ient_limit\b;<a href="postconf.5.html#qmgr_message_recipient_limit">$&</a>;g;
s;\bqmgr_message_recip[-</bB>]*\n* *[<bB>]*ient_minimum\b;<a href="postconf.5.html#qmgr_message_recipient_minimum">$&</a>;g;
s;\bsender_bcc_maps\b;<a href="postconf.5.html#sender_bcc_maps">$&</a>;g;
s;\bsender_canonical_classes\b;<a href="postconf.5.html#sender_canonical_classes">$&</a>;g;
s;\bsender_canonical_maps\b;<a href="postconf.5.html#sender_canonical_maps">$&</a>;g;
- s;\bsender_dependent_relay[-</bB>]*\n*[ <bB>]*host_maps\b;<a href="postconf.5.html#sender_dependent_relayhost_maps">$&</a>;g;
+ s;\bsender_de
[-</bB>]*\n* *[<bB>]*pendent_relay[-</bB>]*\n*[ <bB>]*host_maps\b;<a href="postconf.5.html#sender_dependent_relayhost_maps">$&</a>;g;
s;\bempty_address_relayhost_maps_lookup_key\b;<a href="postconf.5.html#empty_address_relayhost_maps_lookup_key">$&</a>;g;
s;\bsendmail_path\b;<a href="postconf.5.html#sendmail_path">$&</a>;g;
s;\bservice_throttle_time\b;<a href="postconf.5.html#service_throttle_time">$&</a>;g;
s;\bsyslog_facility\b;<a href="postconf.5.html#syslog_facility">$&</a>;g;
s;\bsyslog_name\b;<a href="postconf.5.html#syslog_name">$&</a>;g;
s;\btrace_service_name\b;<a href="postconf.5.html#trace_service_name">$&</a>;g;
- s;\btrans
port_maps\b;<a href="postconf.5.html#transport_maps">$&</a>;g;
+ s;\btrans
[-</bB>]*\n* *[<bB>]*port[-</bB>]*\n* *[<bB>]*_maps\b;<a href="postconf.5.html#transport_maps">$&</a>;g;
s;\btransport_retry_time\b;<a href="postconf.5.html#transport_retry_time">$&</a>;g;
s;\btrigger_timeout\b;<a href="postconf.5.html#trigger_timeout">$&</a>;g;
s;\btcp_windowsize\b;<a href="postconf.5.html#tcp_windowsize">$&</a>;g;
(address was accepted) and for negative results (address was rejected,
or address verification failed for some other reason). </p>
-<p> Current Postfix versions will periodically remove expired entries
-from the address verification database. With Postfix version 2.6
-and earlier, database cleanup had to be done as described next. </p>
-
-<p> If the address verification database file becomes too big, or
-if it becomes corrupted, the solution is to manually rename or
-delete (NOT: truncate) the file and run "postfix reload". The
+<p> The verify(8) daemon will periodically remove expired entries
+from the address verification database, and log the number of entries
+retained and dropped (Postfix versions 2.7 and later). A cleanup
+run is logged as "partial" when the daemon terminates early because
+of "postfix reload, "postfix stop", or because the daemon received
+no requests for $max_idle seconds. Postfix versions 2.6 and earlier
+do not implement automatic address verification database cleanup.
+There, the database is managed manually as described next. </p>
+
+<p> When the address verification database file becomes too big,
+or when it becomes corrupted, the solution is to manually rename
+or delete (NOT: truncate) the file and run "postfix reload". The
verify(8) daemon will then create a new database file. </p>
<h2><a name="probe_routing">Controlling the routing of address
multiple SASL accounts per mail server. Specifically, Postfix
connection caching assumes that a SASL credential is valid for all
hostnames or domain names that deliver via the same mail server IP
-address and TCP port, and assume that the SASL credential does not
+address and TCP port, and assumes that the SASL credential does not
depend on the message originator. </p>
</ul>
"filter:dummy". This record overrides the normal mail routing
and causes mail to be given to the content filter instead. </p>
-<p> The content_filter configuration parameter accepts the same syntax
-as the right-hand side in a Postfix transport table. </p>
-
-<li> <p> Execute "<b>postfix reload</b>" to complete the change. </p>
+<p> The content_filter configuration parameter expects a value of
+the form <i>transport:destination</i>. The <i>transport</i> name
+specifies the first field of a mail delivery agent definition in
+master.cf; the syntax of <i>destination</i> is described in the
+manual page of the corresponding delivery agent. </p>
+
+<p> The meaning of an empty filter <i>destination</i> is version
+dependent. Postfix 2.7 and later will use the recipient domain;
+earlier versions will use $myhostname. Specify "legacy_filter_nexthop
+= yes" for compatibility with Postfix 2.6 or earlier, or specify a
+non-empty filter destination. </p>
+
+<p> The content_filter setting has a lower precedence than a content
+filter that is specified with an access(5) table or in a header_checks(5)
+or body_checks(5) table. </p>
+
+<li> <p> Execute "<b>postfix reload</b>" to complete the change.
+</p>
</ul>
<ul>
+<li> <p> The "receive_override_options" line disables address
+manipulation before the content filter, so that the content filter
+sees the original mail addresses instead of the result of virtual
+alias expansion, canonical mapping, automatic bcc, address
+masquerading, etc. </p>
+
<li> <p> The "content_filter" line causes Postfix to add one content
filter request record to each incoming mail message, with content
"scan:localhost:10025". The content filter request records are
will deliver the mail to the specified content filter regardless
of its final destination. </p>
-<li> <p> The "receive_override_options" line disables address
-manipulation before the content filter, so that the content filter
-sees the original mail addresses instead of the result of virtual
-alias expansion, canonical mapping, automatic bcc, address
-masquerading, etc. </p>
+<li> <p> The content_filter configuration parameter expects a value
+of the form <i>transport:destination</i>. The <i>transport</i> name
+specifies the first field of a mail delivery agent definition in
+master.cf; the syntax of <i>destination</i> is described in the
+manual page of the corresponding delivery agent. </p>
+
+<li> <p> The meaning of an empty filter <i>destination</i> is version
+dependent. Postfix 2.7 and later will use the recipient domain;
+earlier versions will use $myhostname. Specify "legacy_filter_nexthop
+= yes" for compatibility with Postfix 2.6 or earlier, or specify a
+non-empty filter destination. </p>
+
+<li> <p> The content_filter setting has a lower precedence than a
+content filter that is specified with an access(5) table or in a
+header_checks(5) or body_checks(5) table. </p>
</ul>
/etc/postfix/master.cf:
maildrop unix - n n - - pipe
flags=ODRhu user=vmail argv=/path/to/maildrop
- -d ${user}@${nexthop} ${extension} ${recipient} ${user} ${nexthop}
+ -d ${user}@${domain} ${extension} ${recipient} ${user} ${nexthop}
</pre>
</blockquote>
-<p> The mail is delivered to ${user}@${nexthop} (match key for
+<p> The mail is delivered to ${user}@${domain} (search key for
maildrop userdb lookup). The ${extension} and the other address
components are available to maildrop rules as $1, $2, $3, ... and
can be omitted from master.cf or ignored by maildrop when not
needed. </p>
+<p> With Postfix 2.4 and earlier, use ${nexthop} instead of ${domain}.
+</p>
+
<h2><a name="indirect">Indirect delivery via the local delivery agent</a></h2>
<p> Postfix can be configured to deliver mail to maildrop via the
# Reject the address etc. that matches the pattern, and respond with
# the numerical three-digit code and text. \fB4\fINN\fR means "try
# again later", while \fB5\fINN\fR means "do not try again".
+#
+# The following responses have special meaning for the Postfix
+# SMTP server:
+# .RS
+# .IP "\fB421 \fItext\fR (Postfix 2.3 and later)"
+# .IP "\fB521 \fItext\fR (Postfix 2.6 and later)"
+# After responding with the numerical three-digit code and
+# text, disconnect immediately from the SMTP client. This
+# frees up SMTP server resources so that they can be made
+# available to another SMTP client.
# .IP
-# The reply code "421" causes Postfix to disconnect immediately
-# (Postfix version 2.3 and later).
+# Note: The "521" response should be used only with botnets
+# and other malware where interoperability is of no concern.
+# The "send 521 and disconnect" behavior is NOT defined in
+# the SMTP standard.
+# .RE
# .IP "\fBREJECT \fIoptional text...\fR
# Reject the address etc. that matches the pattern. Reply with
# "\fB$access_map_reject_code \fIoptional text...\fR" when the
# This feature is available in Postfix 2.0 and later.
# .IP "\fBFILTER \fItransport:destination\fR"
# After the message is queued, send the entire message through
-# the specified external content filter. The \fItransport:destination\fR
-# syntax is described in the \fBtransport\fR(5) manual page.
-# More information
-# about external content filters is in the Postfix FILTER_README file.
+# the specified external content filter. The \fItransport\fR
+# name specifies the first field of a mail delivery agent
+# definition in master.cf; the syntax of \fIdestination\fR
+# is described in the manual page of the corresponding delivery
+# agent. More information about external content filters is
+# in the Postfix FILTER_README file.
+# .sp
+# Note 1: do not use $\fInumber\fR regular expression
+# substitutions for \fItransport\fR or \fIdestination\fR
+# unless you know that the information has a trusted origin.
+# .sp
+# Note 2: this action overrides the main.cf \fBcontent_filter\fR
+# setting, and affects all recipients of the message. In the
+# case that multiple \fBFILTER\fR actions fire, only the last
+# one is executed.
# .sp
-# Note: this action overrides the \fBcontent_filter\fR setting,
-# and currently affects all recipients of the message.
+# Note 3: the purpose of the FILTER command is to override
+# message routing. To override the recipient's \fItransport\fR
+# but not \fIdestination\fR, specify an empty \fIdestination\fR
+# (Postfix 2.7 and later), or specify a \fItransport:destination\fR
+# that delivers through a different Postfix instance (Postfix
+# 2.6 and earlier). Other options are using the recipient-dependent
+# \fBtrans\%port\%_maps\fR or the sen\%der-dependent
+# \fBsender\%_de\%pen\%dent_default_trans\%port\%_maps\fR
+# features.
# .sp
# This feature is available in Postfix 2.0 and later.
# .IP "\fBHOLD \fIoptional text...\fR"
-# Place the message on the \fBhold\fR queue, where it will sit
-# until someone either deletes it or releases it for delivery.
+# Place the message on the \fBhold\fR queue, where it will
+# sit until someone either deletes it or releases it for
+# delivery.
# Log the optional text if specified, otherwise log a generic
# message.
#
# This feature is available in Postfix 2.1 and later.
# .IP "\fBREDIRECT \fIuser@domain\fR"
# After the message is queued, send the message to the specified
-# address instead of the intended recipient(s).
+# address instead of the intended recipient(s).
# .sp
# Note: this action overrides the FILTER action, and currently affects
# all recipients of the message.
# COMPATIBILITY
# .ad
# .fi
-# With Postfix version 2.2 and earlier specify "\fBpostmap
-# -fq\fR" to query a table that contains case sensitive
-# patterns. By default, regexp: and pcre: patterns are case
-# insensitive.
+# With Postfix version 2.2 and earlier specify "\fBpostmap
+# -fq\fR" to query a table that contains case sensitive
+# patterns. By default, regexp: and pcre: patterns are case
+# insensitive.
# TABLE FORMAT
# .ad
# .fi
# .sp
# This feature is available in Postfix 2.1 and later.
# .IP "\fBFILTER \fItransport:destination\fR"
-# Write a content filter request to the queue file, and
-# inspect the next input line.
-# After the complete message is received it will be sent through
-# the specified external content filter. More information about
-# external content filters is in the Postfix FILTER_README file.
+# After the message is queued, send the entire message through
+# the specified external content filter. The \fItransport\fR
+# name specifies the first field of a mail delivery agent
+# definition master.cf; the syntax of \fIdestination\fR is
+# described in the manual page of the corresponding delivery
+# agent. More information about external content filters is
+# in the Postfix FILTER_README file.
# .sp
-# Note: this action overrides the \fBcontent_filter\fR setting,
-# and affects all recipients of the message. In the case that multiple
-# \fBFILTER\fR actions fire, only the last one is executed.
+# Note 1: do not use $\fInumber\fR regular expression
+# substitutions for \fItransport\fR or \fIdestination\fR
+# unless you know that the information has a trusted origin.
+# .sp
+# Note 2: this action overrides the main.cf \fBcontent_filter\fR
+# setting, and affects all recipients of the message. In the
+# case that multiple \fBFILTER\fR actions fire, only the last
+# one is executed.
+# .sp
+# Note 3: the purpose of the FILTER command is to override
+# message routing. To override the recipient's \fItransport\fR
+# but not \fIdestination\fR, specify an empty \fIdestination\fR
+# (Postfix 2.7 and later), or specify a \fItransport:destination\fR
+# that delivers through a different Postfix instance (Postfix
+# 2.6 and earlier). Other options are using the recipient-dependent
+# \fBtrans\%port\%_maps\fR or the sen\%der-dependent
+# \fBsender\%_de\%pen\%dent_default_trans\%port\%_maps\fR
+# features.
# .sp
# This feature is available in Postfix 2.0 and later.
# .IP "\fBHOLD \fIoptional text...\fR"
</p>
<p>
-The lookup table is persistent by default as of Postfix version
-2.7. Specify an empty table name to keep the information in volatile
+The lookup table is persistent by default (Postfix 2.7 and later).
+Specify an empty table name to keep the information in volatile
memory which is lost after "<b>postfix reload</b>" or "<b>postfix
-stop</b>" (this is default with earlier Postfix versions).
+stop</b>". This is the default with Postfix version 2.6 and earlier.
</p>
<p>
delete (NOT: truncate) the file and do "<b>postfix reload</b>".
</p>
-<p> As of version 2.5, Postfix no longer uses root privileges when
-opening this file. The file must now be stored under a Postfix-owned
-directory such as the data_directory. As a migration aid, an attempt
-to open the file under a non-Postfix directory is redirected to the
-Postfix-owned data_directory, and a warning is logged. </p>
+<p> Postfix daemon processes do not use root privileges when opening
+this file (Postfix 2.5 and later). The file must therefore be
+stored under a Postfix-owned directory such as the data_directory.
+As a migration aid, an attempt to open the file under a non-Postfix
+directory is redirected to the Postfix-owned data_directory, and a
+warning is logged. </p>
<p>
Examples:
supports the "delete" and "sequence" operators. Specify a zero
interval to disable database cleanup. </p>
+<p> After each database cleanup run, the verify(8) daemon logs the
+number of entries that were retained and dropped. A cleanup run is
+logged as "partial" when the daemon terminates early after "<b>postfix
+reload</b>", "<b>postfix stop</b>", or no requests for $max_idle
+seconds. </p>
+
<p> Time units: s (seconds), m (minutes), h (hours), d (days), w
(weeks). </p>
</p>
<p>
-With Postfix version 2.7 and later, the SMTP server polls the
-verify(8) service up to three times under non-overload conditions,
-and only once when under overload. With earlier Postfix versions,
-the SMTP server always polls the verify(8) service up to three
-times.
+The Postfix SMTP server polls the verify(8) service up to three
+times under non-overload conditions, and only once when under
+overload. With Postfix version 2.6 and earlier, the SMTP server
+always polls the verify(8) service up to three times.
</p>
<p>
%PARAM bounce_size_limit 50000
<p> The maximal amount of original message text that is sent in a
-non-delivery notification. Specify a byte count. With Postfix 2.4
-and later, a message is returned as either message/rfc822 (the
-complete original) or as text/rfc822-headers (the headers only).
-With earlier Postfix versions, a message is always returned as
-message/rfc822 and is truncated when it exceeds the size limit.
+non-delivery notification. Specify a byte count. A message is
+returned as either message/rfc822 (the complete original) or as
+text/rfc822-headers (the headers only). With Postfix version 2.4
+and earlier, a message is always returned as message/rfc822 and is
+truncated when it exceeds the size limit.
</p>
<p> Notes: </p>
</p>
<p>
-By default, the Postfix version 2.1 SMTP server rejects MAIL FROM commands
-when the amount of free space is less than 1.5*$message_size_limit.
+By default, the Postfix SMTP server rejects MAIL FROM commands when
+the amount of free space is less than 1.5*$message_size_limit
+(Postfix version 2.1 and later).
To specify a higher minimum free space limit, specify a queue_minfree
value that is at least 1.5*$message_size_limit.
</p>
%PARAM content_filter
-<p>
-The name of a mail delivery transport that filters mail after
-it is queued.
+<p> After the message is queued, send the entire message to the
+specified <i>transport:destination</i>. The <i>transport</i> name
+specifies the first field of a mail delivery agent definition in
+master.cf; the syntax of <i>destination</i> is described in the
+manual page of the corresponding delivery agent. More information
+about external content filters is in the Postfix FILTER_README file.
</p>
-<p>
-This parameter uses the same syntax as the right-hand side of a
-Postfix transport(5) table. This setting has a lower precedence
-than a content filter that is specified with an access(5) table or
-in a header_checks(5) or body_checks(5) table.
-</p>
+<p> Notes: </p>
+
+<ul>
+
+<li> <p> This setting has a lower precedence than a content filter that
+is specified with an access(5) table or in a header_checks(5) or
+body_checks(5) table. </p>
+
+<li> <p> The meaning of an empty filter <i>destination</i> is version
+dependent. Postfix 2.7 and later will use the recipient domain;
+earlier versions will use $myhostname. Specify "legacy_filter_nexthop
+= yes" for compatibility with Postfix 2.6 or earlier, or specify
+a non-empty filter <i>destination</i>. </p>
+
+</ul>
%PARAM default_delivery_slot_discount 50
<li> b = time from last active queue entry to connection setup
-<li> c = time in connection setup, including DNS, EHLO and TLS
+<li> c = time in connection setup, including DNS, EHLO and STARTTLS
<li> d = time in message transmission
(weeks). The default time unit is s (seconds). </p>
<p> NOTE: the delay is enforced by the queue manager. The delay
-timer state does not survive "postfix reload" or "postfix stop".
+timer state does not survive "<b>postfix reload</b>" or "<b>postfix
+stop</b>".
</p>
<p> Use <i>transport</i>_destination_rate_delay to specify a
cache database supports the "delete" and "sequence" operators.
Specify a zero interval to disable cache cleanup. </p>
+<p> After each cache cleanup run, the postscreen(8) daemon logs the
+number of entries that were retained and dropped. A cleanup run is
+logged as "partial" when the daemon terminates early after "<b>postfix
+reload</b>", "<b>postfix stop</b>", or no requests for $max_idle
+seconds. </p>
+
<p> Time units: s (seconds), m (minutes), h (hours), d (days), w
(weeks). </p>
<ul>
-<li> <p> Use "resolve_numeric_domain = yes" to accept "<i>user@ipaddress</i>"
-Postfix already accepts the correct form "<i>user@[ipaddress]</i>".
-</p>
+<li> <p> Use "resolve_numeric_domain = yes" to accept
+"<i>user@ipaddress</i>". </p>
+
+<li> <p> Postfix already accepts the correct form
+"<i>user@[ipaddress]</i>". </p>
<li> <p> Use "strict_rfc821_envelopes = no" to accept "<i>User Name
-<user@example.com></i>". </p>
+<user@example.com></i>". Postfix will ignore the "User Name"
+part before delivering the mail. </p>
</ul>
This information is overruled with the transport(5) table. </p>
<p> Note: this overrides default_transport, not transport_maps, and
-therefore the expected syntax is that of default_transport. This
-feature does not support the transport_maps syntax for null transport,
-null nexthop, or null email addresses. </p>
+therefore the expected syntax is that of default_transport, not the
+syntax of transport_maps. Specifically, this does not support the
+transport_maps syntax for null transport, null nexthop, or null
+email addresses. </p>
<p> For safety reasons, this feature does not allow $number
substitutions in regular expression maps. </p>
<p> This feature is available in Postfix 2.7 and later. </p>
+%PARAM legacy_filter_nexthop no
+
+<p> When a FILTER command does not specify a destination, force the
+destination to be $myhostname, instead of using the recipient domain.
+Specify "legacy_filter_nexthop = yes" for compatibility with Postfix
+version 2.6 and earlier, or specify a non-empty filter destination.
+</p>
+
+<p> This feature is available in Postfix 2.7 and later. </p>
+
encoding = MAIL_ATTR_ENC_NONE;
dsn_envid = state->dsn_envid ?
state->dsn_envid : "";
+ /* Do not send unfiltered (body) content. */
dsn_ret = (state->errs & (CLEANUP_STAT_CONT | CLEANUP_STAT_SIZE)) ?
DSN_RET_HDRS : state->dsn_ret;
* These are set when we can't bounce even if we were asked to.
*/
#define CLEANUP_STAT_MASK_CANT_BOUNCE \
- (CLEANUP_STAT_BAD | CLEANUP_STAT_WRITE | CLEANUP_STAT_DEFER)
+ (CLEANUP_STAT_BAD | CLEANUP_STAT_WRITE | CLEANUP_STAT_DEFER \
+ | CLEANUP_STAT_RCPT)
/*
* These are set when we can't examine every record of a message.
#define DEF_FILTER_XPORT ""
extern char *var_filter_xport;
+#define VAR_LEGACY_FILTER_NEXTHOP "legacy_filter_nexthop"
+#define DEF_LEGACY_FILTER_NEXTHOP 0
+extern bool var_legacy_filter_nexthop;
+
/*
* Fast flush service support.
*/
#define MAIL_QUEUE_BOUNCE "bounce"
#define MAIL_QUEUE_CORRUPT "corrupt"
#define MAIL_QUEUE_FLUSH "flush"
+#define MAIL_QUEUE_SAVED "saved"
/*
* Queue file modes.
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20100102"
+#define MAIL_RELEASE_DATE "20100116"
#define MAIL_VERSION_NUMBER "2.7"
#ifdef SNAPSHOT
/* sys_exits_detail() returns a table entry with assorted
/* information about the specified sendmail-compatible status
/* code, or a generic entry for an unknown status code.
+/* The generic entry may be overwritten with each sys_exits_detail()
+/* call.
/*
/* sys_exits_softerror() returns non-zero when the specified
/* sendmail-compatible status code corresponds to a recoverable error.
argv_add(serv->args, "-u", (char *) 0);
if (chroot)
argv_add(serv->args, "-c", (char *) 0);
- if ((serv->flags & MASTER_FLAG_LOCAL_ONLY) == 0) {
+ if ((serv->flags & MASTER_FLAG_LOCAL_ONLY) == 0 && serv->max_proc > 1) {
argv_add(serv->args, "-o", "stress=" CONFIG_BOOL_YES, (char *) 0);
serv->stress_param_val =
serv->args->argv[serv->args->argc - 1] + sizeof("stress=") - 1;
/* .IP "\fBallow_min_user (no)\fR"
/* Allow a sender or recipient address to have `-' as the first
/* character.
+/* .PP
+/* Available with Postfix version 2.7 and later:
+/* .IP "\fBlegacy_filter_nexthop (no)\fR"
+/* When a FILTER command does not specify a destination, force the
+/* destination to be $myhostname, instead of using the recipient domain.
/* ACTIVE QUEUE CONTROLS
/* .ad
/* .fi
int var_conc_cohort_limit;
int var_conc_feedback_debug;
int var_dest_rate_delay;
+bool var_legacy_filter_nexthop;
static QMGR_SCAN *qmgr_scans[2];
static const CONFIG_BOOL_TABLE bool_table[] = {
VAR_VERP_BOUNCE_OFF, DEF_VERP_BOUNCE_OFF, &var_verp_bounce_off,
VAR_CONC_FDBACK_DEBUG, DEF_CONC_FDBACK_DEBUG, &var_conc_feedback_debug,
+ VAR_LEGACY_FILTER_NEXTHOP, DEF_LEGACY_FILTER_NEXTHOP, &var_legacy_filter_nexthop,
0,
};
* me" bits turned on, but we handle them here anyway for the sake of
* future proofing.
*/
+#define FILTER_WITHOUT_NEXTHOP(filter, next) \
+ (((next) = split_at((filter), ':')) == 0 || *(next) == 0)
+
+#define RCPT_WITHOUT_DOMAIN(rcpt, next) \
+ ((next = strrchr(rcpt, '@')) == 0 || *++(next) == 0)
+
else if (message->filter_xport
&& (message->tflags & DEL_REQ_TRACE_ONLY_MASK) == 0) {
reply.flags = 0;
vstring_strcpy(reply.transport, message->filter_xport);
- if ((nexthop = split_at(STR(reply.transport), ':')) == 0
- || *nexthop == 0)
+ if (FILTER_WITHOUT_NEXTHOP(STR(reply.transport), nexthop)
+ && (var_legacy_filter_nexthop != 0
+ || RCPT_WITHOUT_DOMAIN(recipient->address, nexthop)))
nexthop = var_myhostname;
vstring_strcpy(reply.nexthop, nexthop);
vstring_strcpy(reply.recipient, recipient->address);
/*
* XXX If the cleanup server gave a reason, then it was already logged.
* Don't bother logging it another time.
+ *
+ * XXX Discard a message without recipient. This can happen with "postsuper
+ * -r" when a message is already delivered (or bounced). The Postfix
+ * sendmail command rejects submissions without recipients.
*/
if (reason == 0)
msg_warn("%s: %s", info->path, cleanup_strerror(status));
- return ((status & CLEANUP_STAT_BAD) ?
+ return ((status & (CLEANUP_STAT_BAD | CLEANUP_STAT_RCPT)) ?
REMOVE_MESSAGE_FILE : KEEP_MESSAGE_FILE);
}
MAIL_QUEUE_ACTIVE,
MAIL_QUEUE_DEFERRED,
MAIL_QUEUE_HOLD,
+ MAIL_QUEUE_SAVED,
0,
};
char **cpp;
char *junk;
struct timeval start;
int saved_errno;
+ int from_count = 0;
+ int rcpt_count = 0;
/*
* Fingerprint executables and core dumps.
set_file_limit((off_t) var_message_limit);
/*
- * Strip the environment so we don't have to trust the C library.
+ * This program is installed with setgid privileges. Strip the process
+ * environment so that we don't have to trust the C library.
*/
import_env = argv_split(var_import_environ, ", \t\r\n");
clean_env(import_env->argv);
/* Override time information from the untrusted caller. */
if (rec_type == REC_TYPE_TIME)
continue;
+ /* Check these at submission time instead of pickup time. */
+ if (rec_type == REC_TYPE_FROM)
+ from_count++;
+ if (rec_type == REC_TYPE_RCPT)
+ rcpt_count++;
+ /* Limit the attribute types that users may specify. */
if (rec_type == REC_TYPE_ATTR) {
if ((error_text = split_nameval(vstring_str(buf), &attr_name,
&attr_value)) != 0) {
}
vstring_free(buf);
+ /*
+ * As of Postfix 2.7 the pickup daemon discards mail without recipients.
+ * Such mail may enter the maildrop queue when "postsuper -r" is invoked
+ * before the queue manager deletes an already delivered message. Looking
+ * at file ownership is not a good way to make decisions on what mail to
+ * discard. Instead, the pickup server now requires that new submissions
+ * always have at least one recipient record.
+ *
+ * The Postfix sendmail command already rejects mail without recipients.
+ * However, in the future postdrop may receive mail via other programs,
+ * so we add a redundant recipient check here for future proofing.
+ *
+ * The test for the sender address is just for consistency of error
+ * reporting (report at submission time instead of pickup time). Besides
+ * the segment terminator records, there aren't any other mandatory
+ * records in a Postfix submission queue file.
+ */
+ if (from_count == 0 || rcpt_count == 0) {
+ status = CLEANUP_STAT_BAD;
+ mail_stream_cleanup(dst);
+ }
+
/*
* Finish the file.
*/
- if ((status = mail_stream_finish(dst, (VSTRING *) 0)) != 0) {
+ else if ((status = mail_stream_finish(dst, (VSTRING *) 0)) != 0) {
msg_warn("uid=%ld: %m", (long) uid);
postdrop_cleanup();
}
/* \fBpostscreen\fR [generic Postfix daemon options]
/* DESCRIPTION
/* The Postfix \fBpostscreen\fR(8) server performs triage on
-/* multiple inbound SMTP connections in parallel. By running
-/* time-consuming tests in parallel in \fBpostscreen\fR(8),
-/* zombies and other bogus clients can be kept away from Postfix
-/* SMTP server processes. Thus, more Postfix SMTP server
-/* processes remain available for legitimate clients.
+/* multiple inbound SMTP connections in parallel. While
+/* \fBpostscreen\fR(8) keeps zombies and other bogus clients
+/* away from Postfix SMTP server processes, more Postfix SMTP
+/* server processes remain available for legitimate clients.
+/* GENERAL OPERATION
+/* .ad
+/* .fi
+/* The triage process involves a number of tests, in the order
+/* as described below. Some tests introduce a delay of a few
+/* seconds. Once a client passes all tests, its IP address
+/* is temporarily excluded from the tests, typically for 24
+/* hours. This minimizes the impact of the tests on legitimate
+/* mail clients.
/*
-/* This triage process involves a number of tests, documented
-/* below. The tests introduce a delay of a few seconds; once
-/* a client passes the tests, its IP address is temporarily
-/* whitelisted, typically for 24 hours.
+/* After logging the result of its tests, \fBpostscreen\fR(8)
+/* by default forwards all connections to a real SMTP server
+/* process. This mode is useful for non-destructive testing.
+/*
+/* In a typical production setting, \fBpostscreen\fR(8) is
+/* configured to disconnect clients that fail some tests. A
+/* future implementation may pass the connection to a dummy
+/* SMTP protocol engine that logs sender and recipient information
+/* before hanging up.
/*
-/* The program can run in two basic modes.
-/* .IP "\fBObservation mode\fR"
-/* \fBpostscreen\fR(8) reports the results of the tests, and
-/* forwards all connections to a real Postfix SMTP server
-/* process.
-/* .IP "\fBEnforcement mode\fR"
-/* \fBpostscreen\fR(8) reports the results of the tests, but
-/* forwards only connections to a real SMTP server process
-/* from clients that passed the tests.
-/* .sp
-/* \fBpostscreen\fR(8) disconnects clients that fail the tests,
-/* after sending a 521 status message (a future version may
-/* pass the connection to a dummy SMTP protocol engine that
-/* logs sender and recipient information).
-/* .PP
/* Note: \fBpostscreen\fR(8) is not an SMTP proxy; this is
/* intentional. The purpose is to prioritize legitimate clients
/* with as little overhead as possible.
-/*
-/* \fBpostscreen\fR(8) performs tests in the order described below.
/* .SH 1. PERMANENT WHITELIST TEST
/* .ad
/* .fi
/* .sp
/* The postscreen_blacklist_action parameter specifies the
/* action that is taken next:
-/* .IP "\fBcontinue\fR (default, observation mode)"
+/* .IP "\fBcontinue\fR (default)"
/* Continue with the SMTP GREETING PHASE TESTS below.
-/* .IP "\fBdrop\fR (enforcement mode)"
+/* .IP \fBdrop\fR
/* Drop the connection immediately with a 521 SMTP reply. In
/* a future implementation, the connection may instead be
/* passed to a dummy SMTP protocol engine that logs sender and
/*
/* The postscreen_greet_action parameter specifies the action
/* that is taken next:
-/* .IP "\fBcontinue\fR (default, observation mode)"
+/* .IP "\fBcontinue\fR (default)"
/* Wait until the postscreen_greet_wait time has elapsed, then
/* report DNSBL lookup results if applicable. Either perform
/* DNSBL-related actions or forward the connection to a real
/* SMTP server process.
-/* .IP "\fBdrop\fR (enforcement mode)"
+/* .IP \fBdrop\fR
/* Drop the connection immediately with a 521 SMTP reply.
/* In a future implementation, the connection may instead be passed
/* to a dummy SMTP protocol engine that logs sender and recipient
/* .sp
/* The postscreen_hangup_action specifies the action
/* that is taken next:
-/* .IP "\fBcontinue\fR (default, observation mode)"
+/* .IP "\fBcontinue\fR (default)"
/* Wait until the postscreen_greet_wait time has elapsed, then
/* report DNSBL lookup results if applicable. Do not forward
/* the broken connection to a real SMTP server process.
-/* .IP "\fBdrop\fR (enforcement mode)"
+/* .IP \fBdrop\fR
/* Drop the connection immediately.
/* .SH 4C. DNS BLOCKLIST TEST
/* .ad
/*
/* The postscreen_dnsbl_action parameter specifies the action
/* that is taken next:
-/* .IP "\fBcontinue\fR (default, observation mode)"
+/* .IP "\fBcontinue\fR (default)"
/* Forward the connection to a real SMTP server process.
-/* .IP "\fBdrop\fR (enforcement mode)"
+/* .IP \fBdrop\fR
/* Drop the connection immediately with a 521 SMTP reply.
/* In a future implementation, the connection may instead be passed
/* to a dummy SMTP protocol engine that logs sender and recipient
vstream_fileno(state->smtp_client_stream)) < 0) {
msg_warn("cannot pass connection to service %s: %m", smtp_service_name);
smtp_reply(vstream_fileno(state->smtp_client_stream), state->smtp_client_addr,
- state->smtp_client_port, "421 4.3.2 No system resources\r\n");
+ state->smtp_client_port, "421 4.3.2 No system resources\r\n");
free_session_state(state);
return;
} else {
* instead of dropping already-accepted connections on the floor.
*
* Unfortunately we must close all writable tables, so we can't store or
- * look up reputation information. The reason is that don't have any
+ * look up reputation information. The reason is that we don't have any
* multi-writer safety guarantees. We also can't use the single-writer
* proxywrite service, because its latency guarantees are too weak.
*
"continue", PS_ACT_CONT,
0, -1,
};
- int expire_flags;
+ int cache_flags;
/*
* This routine runs after the skeleton code has entered the chroot jail.
* verbose logging more informative (we get positive confirmation that
* the cleanup thread runs).
*/
- expire_flags = DICT_CACHE_FLAG_STATISTICS;
+ cache_flags = DICT_CACHE_FLAG_STATISTICS;
if (msg_verbose)
- expire_flags |= DICT_CACHE_FLAG_VERBOSE;
+ cache_flags |= DICT_CACHE_FLAG_VERBOSE;
if (cache_map != 0 && var_ps_cache_scan > 0)
dict_cache_control(cache_map,
- DICT_CACHE_CTL_FLAGS, expire_flags,
+ DICT_CACHE_CTL_FLAGS, cache_flags,
DICT_CACHE_CTL_INTERVAL, var_ps_cache_scan,
DICT_CACHE_CTL_VALIDATOR, postscreen_cache_validator,
DICT_CACHE_CTL_CONTEXT, (char *) 0,
/* .IP "\fBallow_min_user (no)\fR"
/* Allow a sender or recipient address to have `-' as the first
/* character.
+/* .PP
+/* Available with Postfix version 2.7 and later:
+/* .IP "\fBlegacy_filter_nexthop (no)\fR"
+/* When a FILTER command does not specify a destination, force the
+/* destination to be $myhostname, instead of using the recipient domain.
/* ACTIVE QUEUE CONTROLS
/* .ad
/* .fi
int var_conc_cohort_limit;
int var_conc_feedback_debug;
int var_dest_rate_delay;
+bool var_legacy_filter_nexthop;
static QMGR_SCAN *qmgr_scans[2];
static const CONFIG_BOOL_TABLE bool_table[] = {
VAR_VERP_BOUNCE_OFF, DEF_VERP_BOUNCE_OFF, &var_verp_bounce_off,
VAR_CONC_FDBACK_DEBUG, DEF_CONC_FDBACK_DEBUG, &var_conc_feedback_debug,
+ VAR_LEGACY_FILTER_NEXTHOP, DEF_LEGACY_FILTER_NEXTHOP, &var_legacy_filter_nexthop,
0,
};
* me" bits turned on, but we handle them here anyway for the sake of
* future proofing.
*/
+#define FILTER_WITHOUT_NEXTHOP(filter, next) \
+ (((next) = split_at((filter), ':')) == 0 || *(next) == 0)
+
+#define RCPT_WITHOUT_DOMAIN(rcpt, next) \
+ ((next = strrchr(rcpt, '@')) == 0 || *++(next) == 0)
+
else if (message->filter_xport
&& (message->tflags & DEL_REQ_TRACE_ONLY_MASK) == 0) {
reply.flags = 0;
vstring_strcpy(reply.transport, message->filter_xport);
- if ((nexthop = split_at(STR(reply.transport), ':')) == 0
- || *nexthop == 0)
+ if (FILTER_WITHOUT_NEXTHOP(STR(reply.transport), nexthop)
+ && (var_legacy_filter_nexthop != 0
+ || RCPT_WITHOUT_DOMAIN(recipient->address, nexthop)))
nexthop = var_myhostname;
vstring_strcpy(reply.nexthop, nexthop);
vstring_strcpy(reply.recipient, recipient->address);
DICT_HT *dict_ht = (DICT_HT *) dict;
htable_free(dict_ht->table, myfree);
+ if (dict_ht->dict.fold_buf)
+ vstring_free(dict_ht->dict.fold_buf);
dict_free(dict);
}
* descriptor is closed, so our information could get out of sync with the
* kernel. But that will never happen, because we have to meticulously
* unregister a file descriptor before it is closed, to avoid errors on
+ * systems that are built with EVENTS_STYLE == EVENTS_STYLE_SELECT.
*/
#if (EVENTS_STYLE == EVENTS_STYLE_EPOLL)
#include <sys/epoll.h>
}
label_length = 0;
} else if (ch == '-') {
+ non_numeric = 1;
label_length++;
if (label_length == 1 || cp[1] == 0 || cp[1] == '.') {
if (gripe)
/* .PP
/* Available with Postfix 2.7 and later:
/* .IP "\fBaddress_verify_cache_cleanup_interval (12h)\fR"
-/* The amount of time between \fBverify\fR(8) cache cleanup runs.
+/* The amount of time between \fBverify\fR(8) address verification
+/* database cleanup runs.
/* PROBE MESSAGE ROUTING CONTROLS
/* .ad
/* .fi
* Start the cache cleanup thread.
*/
if (var_verify_scan_cache > 0) {
- int expire_flags;
+ int cache_flags;
- expire_flags = DICT_CACHE_FLAG_STATISTICS;
+ cache_flags = DICT_CACHE_FLAG_STATISTICS;
if (msg_verbose)
- expire_flags |= DICT_CACHE_FLAG_VERBOSE;
+ cache_flags |= DICT_CACHE_FLAG_VERBOSE;
dict_cache_control(verify_map,
- DICT_CACHE_CTL_FLAGS, expire_flags,
+ DICT_CACHE_CTL_FLAGS, cache_flags,
DICT_CACHE_CTL_INTERVAL, var_verify_scan_cache,
DICT_CACHE_CTL_VALIDATOR, verify_cache_validator,
DICT_CACHE_CTL_CONTEXT, (char *) vstring_alloc(100),
projects / thirdparty / postfix.git / commitdiff
