IP queries" even if the name has an alphanumerical prefix.
We play safe, and skip both RHSBL and RHSWL queries for
names ending in a numerical suffix. File: smtpd/smtpd_check.c.
+
+20110624
+
+ Cleanup: added error checks for smtpd access primitives
+ that don't automatically terminate the program after table
+ lookup error: these primitives are permit_tls_clientcerts,
+ permit_tls_all_clientcerts, and check_address_map (the last
+ one is used in local_header_rewrite_clients only). File:
+ smtpd/smtpd_check.c.
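Review bot: the entry calls this a cleanup but does not say what a table lookup error now does to the client, and the two code paths in this patch differ: in the smtpd access-check path permit_tls_clientcerts and permit_tls_all_clientcerts now answer a lookup error with reject_dict_retry() (a temporary rejection), while in the local_header_rewrite_clients path the same error, and a check_address_map lookup error, is msg_fatal() for the smtpd process. Judging by the old comment on permit_tls_clientcerts ("OK/DUNNO for message relaying"), a lookup error was previously indistinguishable from a no-match DUNNO, so this is a visible behavior change for anyone whose relay_clientcerts table sits on a network backend; one sentence naming both outcomes would help operators.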
P\bPu\bur\brp\bpo\bos\bse\be o\bof\bf t\bth\bhi\bis\bs d\bdo\boc\bcu\bum\bme\ben\bnt\bt
-This document has hints and tips for those who manage their own Postfix
-distribution for internal use, and for those who maintain Postfix distributions
-for general use.
+This document has hints and tips for those who manage their own Postfix binary
+distribution for internal use, and for those who maintain Postfix binary
+distributions for general use.
G\bGe\ben\bne\ber\bra\bal\bl d\bdi\bis\bst\btr\bri\bib\bbu\but\bti\bio\bon\bns\bs:\b: p\bpl\ble\bea\bas\bse\be p\bpr\bro\bov\bvi\bid\bde\be a\ba s\bsm\bma\bal\bll\bl d\bde\bef\bfa\bau\bul\blt\bt m\bma\bai\bin\bn.\b.c\bcf\bf f\bfi\bil\ble\be
You can use one of the following commands to generate base64 encoded
authentication information:
- % g\bge\ben\bn-\b-a\bau\but\bth\bh p\bpl\bla\bai\bin\bn
- username: u\bus\bse\ber\brn\bna\bam\bme\be
- password:
+ * Using a recent version of the b\bba\bas\bsh\bh shell:
-The g\bge\ben\bn-\b-a\bau\but\bth\bh Perl script was written by John Jetmore and can be found at http:/
-/jetmore.org/john/code/gen-auth.
+ % e\bec\bch\bho\bo -\b-n\bne\be '\b'\\b\0\b00\b00\b0u\bus\bse\ber\brn\bna\bam\bme\be\\b\0\b00\b00\b0p\bpa\bas\bss\bsw\bwo\bor\brd\bd'\b' |\b| o\bop\bpe\ben\bns\bss\bsl\bl b\bba\bas\bse\be6\b64\b4
- % p\bpr\bri\bin\bnt\btf\bf '\b'\\b\0\b0u\bus\bse\ber\brn\bna\bam\bme\be\\b\0\b0p\bpa\bas\bss\bsw\bwo\bor\brd\bd'\b' |\b| m\bmm\bme\ben\bnc\bco\bod\bde\be
+ Some other shells support similar syntax.
-The m\bmm\bme\ben\bnc\bco\bod\bde\be command is part of the metamail software.
+ * Using the p\bpr\bri\bin\bnt\btf\bf command:
- % p\bpe\ber\brl\bl -\b-M\bMM\bMI\bIM\bME\bE:\b::\b:B\bBa\bas\bse\be6\b64\b4 -\b-e\be \\b\
- '\b'p\bpr\bri\bin\bnt\bt e\ben\bnc\bco\bod\bde\be_\b_b\bba\bas\bse\be6\b64\b4(\b("\b"\\b\0\b0u\bus\bse\ber\brn\bna\bam\bme\be\\b\0\b0p\bpa\bas\bss\bsw\bwo\bor\brd\bd"\b")\b);\b;'\b'
+ % p\bpr\bri\bin\bnt\btf\bf '\b'\\b\0\b0%\b%s\bs\\b\0\b0%\b%s\bs'\b' '\b'u\bus\bse\ber\brn\bna\bam\bme\be'\b' '\b'p\bpa\bas\bss\bsw\bwo\bor\brd\bd'\b' |\b| o\bop\bpe\ben\bns\bss\bsl\bl b\bba\bas\bse\be6\b64\b4
+ % p\bpr\bri\bin\bnt\btf\bf '\b'\\b\0\b0%\b%s\bs\\b\0\b0%\b%s\bs'\b' '\b'u\bus\bse\ber\brn\bna\bam\bme\be'\b' '\b'p\bpa\bas\bss\bsw\bwo\bor\brd\bd'\b' |\b| m\bmm\bme\ben\bnc\bco\bod\bde\be
-MIME::Base64 is available from http://www.cpan.org/.
+ The m\bmm\bme\ben\bnc\bco\bod\bde\be command is part of the metamail software.
+
+ * Using Perl M\bMI\bIM\bME\bE:\b::\b:B\bBa\bas\bse\be6\b64\b4:
+
+ % p\bpe\ber\brl\bl -\b-M\bMM\bMI\bIM\bME\bE:\b::\b:B\bBa\bas\bse\be6\b64\b4 -\b-e\be \\b\
+ '\b'p\bpr\bri\bin\bnt\bt e\ben\bnc\bco\bod\bde\be_\b_b\bba\bas\bse\be6\b64\b4(\b("\b"\\b\0\b0u\bus\bse\ber\brn\bna\bam\bme\be\\b\0\b0p\bpa\bas\bss\bsw\bwo\bor\brd\bd"\b")\b);\b;'\b'
+
+ MIME::Base64 is available from http://www.cpan.org/.
+
+ * Using the g\bge\ben\bn-\b-a\bau\but\bth\bh script:
+
+ % g\bge\ben\bn-\b-a\bau\but\bth\bh p\bpl\bla\bai\bin\bn
+ username: u\bus\bse\ber\brn\bna\bam\bme\be
+ password:
+
+ The g\bge\ben\bn-\b-a\bau\but\bth\bh Perl script was written by John Jetmore and can be found at
+ http://jetmore.org/john/code/gen-auth.
C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg S\bSA\bAS\bSL\bL a\bau\but\bth\bhe\ben\bnt\bti\bic\bca\bat\bti\bio\bon\bn i\bin\bn t\bth\bhe\be P\bPo\bos\bst\btf\bfi\bix\bx S\bSM\bMT\bTP\bP/\b/L\bLM\bMT\bTP\bP c\bcl\bli\bie\ben\bnt\bt
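Review bot: the two "| openssl base64" examples will produce a two-line result as soon as the combined user name and password exceed about 46 bytes, because openssl base64 wraps encoded output at 64 characters, and an AUTH PLAIN credential has to be a single line; add -A (single-line output) to both openssl commands, or state the limit. The mmencode output should be checked for the same wrapping before it is recommended in the same breath.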
into doubles (converting only some leads to a documentation
nightmare).
- postscreen: wait for DNS completion after early HANGUP
- and log DNSBL.
+ postscreen: wait for DNS completion after early HANGUP and
+ log DNSBL results. If the client was still waiting for the
+ PREGREET timer, just flag the PREGREET test as (done, not
+ passed). If the client was not waiting for the PREGREET
+ timer, just wait until DNSBL lookup (if any) completes.
+
+ Address verify cache: allow a negative cache "refresh"
+ result to purge a "positive" cache entry in some safe manner.
+ Currently, the negative cache "refresh" result is discarded,
+ address verify cache lookup returns OK, and each lookup
+ forces a "refresh" probe until the entry expires.
Some Sendmail configurations trigger sub-optimal behavior
when the postscreen_whitelist_interfaces parameter lists
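Review bot: the new "Address verify cache" item says a positive entry keeps returning OK, and keeps triggering a refresh probe, "until the entry expires", but does not say which expiry bounds that window; since this is how long a recipient that has ceased to exist keeps being accepted, the item should name the positive-result expire time as the bound so the safe-purge design can be judged against it.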
be sent. This reduces the time window for RFC 1047 message
duplication, and may even prevent the delivery of some spam.
http://www.exim.org/lurker/message/20070416.103159.9d5ff0ce.en.html
+ This requires splitting the SMTP server's commit operation
+ into two operations: first, a tentative commit operation
+ that performs most of the I/O and processing in milters and
+ in the cleanup server; second, a final commit operation
+ that is executed only if the remote SMTP client hasn't hung
+ up in the mean time. Unfortunately, SMTP-based before-queue
+ content filters don't support a tentative commit operation.
Find out how to reproduce Berkeley DB bogus ENOENT errors.
postscreen does not log this with Berkeley DB 1 (FreeBSD
<h2>Purpose of this document</h2>
<p> This document has hints and tips for those who manage their
-own Postfix distribution for internal use, and for those who maintain
-Postfix distributions for general use. </p>
+own Postfix binary distribution for internal use, and for those who
+maintain Postfix binary distributions for general use. </p>
<h2>General distributions: please provide a small default main.cf
file</h2>
<p> You can use one of the following commands to generate base64
encoded authentication information: </p>
+<ul>
+
+<li> <p> Using a recent version of the <b>bash</b> shell: </p>
+
<blockquote>
<pre>
-% <strong>gen-auth plain</strong>
-username: <strong><em>username</em></strong>
-password:
+% <strong>echo -ne '\000username\000password' | openssl base64</strong>
</pre>
</blockquote>
-<p> The <strong>gen-auth</strong> Perl script was written by John
-Jetmore and can be found at <a href="http://jetmore.org/john/code/gen-auth">http://jetmore.org/john/code/gen-auth</a>. </p>
+<p> Some other shells support similar syntax. </p>
+
+<li> <p> Using the <b>printf</b> command: </p>
<blockquote>
<pre>
-% <strong>printf '\0<em>username</em>\0<em>password</em>' | mmencode</strong>
+% <strong>printf '\0%s\0%s' '<em>username</em>' '<em>password</em>' | openssl base64</strong>
+% <strong>printf '\0%s\0%s' '<em>username</em>' '<em>password</em>' | mmencode</strong>
</pre>
</blockquote>
<p> The <strong>mmencode</strong> command is part of the metamail
software. </p>
+<li> <p> Using Perl <b>MIME::Base64</b>: </p>
+
<blockquote>
<pre>
% <strong>perl -MMIME::Base64 -e \
<p> MIME::Base64 is available from <a href="http://www.cpan.org/">http://www.cpan.org/</a>. </p>
+<li> <p> Using the <b>gen-auth</b> script: </p>
+
+<blockquote>
+<pre>
+% <strong>gen-auth plain</strong>
+username: <strong><em>username</em></strong>
+password:
+</pre>
+</blockquote>
+
+<p> The <strong>gen-auth</strong> Perl script was written by John
+Jetmore and can be found at <a href="http://jetmore.org/john/code/gen-auth">http://jetmore.org/john/code/gen-auth</a>. </p>
+
+</ul>
+
<h2><a name="client_sasl">Configuring SASL authentication in the Postfix SMTP/LMTP client</a></h2>
<p> The Postfix SMTP and the LMTP client can authenticate with a
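Review bot: in the new bash example (the echo -ne line) the words username and password are plain text, whereas the printf and gen-auth examples in the same list mark them as placeholders with <em>; use <em>username</em> and <em>password</em> there too so nobody types the literal words. It would also help to say what the \000 sequences are: in bash's echo -e a \0nnn is an octal byte, so \000 is the NUL that the PLAIN mechanism requires between the (empty) authorization identity, the user name and the password, which is why the string starts with one.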
<blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
- <a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> = !gssapi, !login, static:all
+ <a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> = !gssapi, !login, <a href="DATABASE_README.html#types">static</a>:all
</pre>
</blockquote>
The default time unit is s (seconds).
</p>
+<p> This feature is available in Postfix 2.8 and later. </p>
+
</DD>
The default time unit is s (seconds).
</p>
+<p> This feature is available in Postfix 2.8 and later. </p>
+
</DD>
.PP
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
+.PP
+This feature is available in Postfix 2.8 and later.
.SH qmgr_fudge_factor (default: 100)
Obsolete feature: the percentage of delivery resources that a busy
mail system will use up for delivery of a large mailing list
.PP
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
+.PP
+This feature is available in Postfix 2.8 and later.
.SH qmgr_message_active_limit (default: 20000)
The maximal number of messages in the active queue.
.SH qmgr_message_recipient_limit (default: 20000)
install_root_prompt="the prefix for installed file names. Specify
this ONLY if you are building ready-to-install packages for
-distribution to other machines."
+distribution to OTHER machines. See PACKAGE_README for instructions."
tempdir_prompt="a directory for scratch files while installing
Postfix. You must have write permission in this directory."
<h2>Purpose of this document</h2>
<p> This document has hints and tips for those who manage their
-own Postfix distribution for internal use, and for those who maintain
-Postfix distributions for general use. </p>
+own Postfix binary distribution for internal use, and for those who
+maintain Postfix binary distributions for general use. </p>
<h2>General distributions: please provide a small default main.cf
file</h2>
<p> You can use one of the following commands to generate base64
encoded authentication information: </p>
+<ul>
+
+<li> <p> Using a recent version of the <b>bash</b> shell: </p>
+
<blockquote>
<pre>
-% <strong>gen-auth plain</strong>
-username: <strong><em>username</em></strong>
-password:
+% <strong>echo -ne '\000username\000password' | openssl base64</strong>
</pre>
</blockquote>
-<p> The <strong>gen-auth</strong> Perl script was written by John
-Jetmore and can be found at http://jetmore.org/john/code/gen-auth. </p>
+<p> Some other shells support similar syntax. </p>
+
+<li> <p> Using the <b>printf</b> command: </p>
<blockquote>
<pre>
-% <strong>printf '\0<em>username</em>\0<em>password</em>' | mmencode</strong>
+% <strong>printf '\0%s\0%s' '<em>username</em>' '<em>password</em>' | openssl base64</strong>
+% <strong>printf '\0%s\0%s' '<em>username</em>' '<em>password</em>' | mmencode</strong>
</pre>
</blockquote>
<p> The <strong>mmencode</strong> command is part of the metamail
software. </p>
+<li> <p> Using Perl <b>MIME::Base64</b>: </p>
+
<blockquote>
<pre>
% <strong>perl -MMIME::Base64 -e \
<p> MIME::Base64 is available from http://www.cpan.org/. </p>
+<li> <p> Using the <b>gen-auth</b> script: </p>
+
+<blockquote>
+<pre>
+% <strong>gen-auth plain</strong>
+username: <strong><em>username</em></strong>
+password:
+</pre>
+</blockquote>
+
+<p> The <strong>gen-auth</strong> Perl script was written by John
+Jetmore and can be found at http://jetmore.org/john/code/gen-auth. </p>
+
+</ul>
+
<h2><a name="client_sasl">Configuring SASL authentication in the Postfix SMTP/LMTP client</a></h2>
<p> The Postfix SMTP and the LMTP client can authenticate with a
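Review bot: every example in the new list except gen-auth puts the password on a command line, where it is visible to other users on the host through ps and is written to the shell history, while the gen-auth example that this hunk moves from first to last prompts for the password instead. Either keep gen-auth first or add a sentence noting the exposure, since the page is otherwise encouraging the less careful option. This copy differs from the other SASL_README hunk only in the hyperlinks, so whichever wording is chosen has to be applied to both.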
The default time unit is s (seconds).
</p>
+<p> This feature is available in Postfix 2.8 and later. </p>
+
%PARAM qmgr_daemon_timeout 1000s
<p> How much time a Postfix queue manager process may take to handle
The default time unit is s (seconds).
</p>
+<p> This feature is available in Postfix 2.8 and later. </p>
+
%PARAM tls_preempt_cipherlist no
<p> With SSLv3 and later, use the server's cipher preference order
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20110615"
+#define MAIL_RELEASE_DATE "20110706"
#define MAIL_VERSION_NUMBER "2.9"
#ifdef SNAPSHOT
/* const char *(*lookup) (const char *name, char *context);
/* char *context;
/* DESCRIPTION
-/* smtp_reply_footer() expands a reply template to an existing
-/* reply text.
+/* smtp_reply_footer() expands a reply template, and appends
+/* the result to an existing reply text.
/*
/* Arguments:
/* .IP buffer
static int permit_auth_destination(SMTPD_STATE *state, char *recipient);
-/* permit_tls_clientcerts - OK/DUNNO for message relaying */
+/* permit_tls_clientcerts - OK/DUNNO for message relaying, or set dict_errno */
static int permit_tls_clientcerts(SMTPD_STATE *state, int permit_all_certs)
{
#ifdef USE_TLS
const char *found;
+ dict_errno = 0;
+
if (!state->tls_context)
return SMTPD_CHECK_DUNNO;
msg_info("relay_clientcerts: No match for fingerprint '%s'",
state->tls_context->peer_fingerprint);
}
+#else
+ dict_errno = 0;
#endif
return (SMTPD_CHECK_DUNNO);
}
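Review bot: the updated contract ("or set dict_errno") relies on a global that every dictionary lookup rewrites, so it only holds if nothing between the relay_clientcerts lookup and the caller's `if (dict_errno != 0)` test performs another lookup; the lookup itself is outside this hunk, so please confirm that the code after it on both the match and no-match paths is lookup-free. Placing `dict_errno = 0;` ahead of the `if (!state->tls_context)` early return, and in the !USE_TLS branch, is correct, because callers test the variable unconditionally; a one-line comment saying that callers depend on this would stop a later edit from moving it.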
#endif
} else if (strcasecmp(name, PERMIT_TLS_ALL_CLIENTCERTS) == 0) {
status = permit_tls_clientcerts(state, 1);
+ if (dict_errno != 0)
+ reject_dict_retry(state, reply_name);
} else if (strcasecmp(name, PERMIT_TLS_CLIENTCERTS) == 0) {
status = permit_tls_clientcerts(state, 0);
+ if (dict_errno != 0)
+ reject_dict_retry(state, reply_name);
} else if (strcasecmp(name, REJECT_UNKNOWN_RCPTDOM) == 0) {
if (state->recipient)
status = reject_unknown_address(state, state->recipient,
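Review bot: at both new call sites the result of reject_dict_retry() is discarded and `status` keeps the DUNNO that permit_tls_clientcerts() returned, so the code is only correct if reject_dict_retry() never returns (aborting the check, presumably via longjmp, as its lack of an assigned result suggests); if it can return normally, the lookup error is logged and then ignored. A comment at the call sites stating that it does not return would make that dependency visible.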
}
if (strcasecmp(name, PERMIT_INET_INTERFACES) == 0) {
status = permit_inet_interfaces(state);
+ /* dict errors are fatal */
} else if (strcasecmp(name, PERMIT_MYNETWORKS) == 0) {
status = permit_mynetworks(state);
+ /* dict errors are fatal */
} else if (is_map_command(state, name, CHECK_ADDR_MAP, &cpp)) {
if ((dict = dict_handle(*cpp)) == 0)
msg_panic("%s: dictionary not found: %s", myname, *cpp);
+ dict_errno = 0;
+ /* for now, dict errors are fatal */
if (dict_get(dict, state->addr) != 0)
status = SMTPD_CHECK_OK;
+ else if (dict_errno != 0)
+ msg_fatal("%s: table lookup error", *cpp);
} else if (strcasecmp(name, PERMIT_SASL_AUTH) == 0) {
#ifdef USE_SASL_AUTH
if (smtpd_sasl_is_active(state))
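Review bot: msg_fatal() on a check_address_map lookup error terminates the smtpd process for what is usually a transient backend failure (an unreachable LDAP or SQL server), whereas the same condition in the access-check hunk of this patch yields a temporary rejection through reject_dict_retry(); the "for now" comment acknowledges the difference, but the reason a temporary failure cannot be returned from the local_header_rewrite_clients check should be stated, since the HISTORY entry presents both as the same error check. The new `/* dict errors are fatal */` comments on permit_inet_interfaces and permit_mynetworks describe behavior inside functions this hunk does not touch; fine if it holds for every map type those primitives accept, otherwise they will mislead.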
#endif
} else if (strcasecmp(name, PERMIT_TLS_ALL_CLIENTCERTS) == 0) {
status = permit_tls_clientcerts(state, 1);
+ /* for now, dict errors are fatal */
+#ifdef USE_TLS
+ if (dict_errno != 0)
+ msg_fatal("%s: table lookup error", var_smtpd_relay_ccerts);
+#endif
} else if (strcasecmp(name, PERMIT_TLS_CLIENTCERTS) == 0) {
status = permit_tls_clientcerts(state, 0);
+ /* for now, dict errors are fatal */
+#ifdef USE_TLS
+ if (dict_errno != 0)
+ msg_fatal("%s: table lookup error", var_smtpd_relay_ccerts);
+#endif
} else {
msg_warn("parameter %s: invalid request: %s",
VAR_LOC_RWR_CLIENTS, name);
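Review bot: the `#ifdef USE_TLS` around each dict_errno test is not needed for correctness, because the !USE_TLS branch of permit_tls_clientcerts() in this patch sets dict_errno = 0 before returning DUNNO; if the guard exists because var_smtpd_relay_ccerts is only declared under USE_TLS, say so in the comment. The two blocks are identical copies, and a third variant of the same fatal appears in the check_address_map branch above; a single `if (dict_errno != 0)` after the if/else chain, with the table name passed through, would leave one place to change when "for now" ends.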
* Bit banging!! There is no official constant that defines the INT_MAX
* equivalent of the off_t type. Wietse came up with the following macro
* that works as long as off_t is some two's complement number.
+ *
+ * Note, however, that C99 permits signed integer representations other than
+ * two's complement.
*/
#include <limits.h>
#define __MAXINT__(T) ((T) (((((T) 1) << ((sizeof(T) * CHAR_BIT) - 1)) ^ ((T) -1))))
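Review bot: the caveat about non-two's-complement representations is the smaller problem with this macro; for a signed T, `((T) 1) << ((sizeof(T) * CHAR_BIT) - 1)` shifts a one into the sign bit, and C99 (6.5.7) makes a left shift of a signed operand undefined whenever the mathematical result is not representable, which it never is here, regardless of representation. Compilers currently produce the intended bit pattern, but since the comment is being edited anyway it should say the shift is formally undefined, or the value should be computed in an unsigned type, for example `((T) (((uintmax_t) 1 << (sizeof(T) * CHAR_BIT - 1)) - 1))` with <stdint.h>, which yields the same maximum without the undefined shift.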