From: Wietse Venema Date: Sat, 14 Jul 2001 05:00:00 +0000 (-0500) Subject: snapshot-20010714 X-Git-Tag: v1.1.0~54 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0491e41ef6c78c2990fe06377006a1e5a8cb1f4f;p=thirdparty%2Fpostfix.git snapshot-20010714 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index 1b82ef459..5fce918f4 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -5322,3 +5322,28 @@ Apologies for any names omitted. than -) Postfix will now recognize address extensions even with owner-foo+extension addresses. This is necessary to make VERP work for mailing lists. + +20010710 + + Bugfix: potential memory leak in the queue managers with + the new VERP delimiter record. Fix by Patrik Rak. + +20010711 + + Cleanup: you can now specify the VERP delimiter characters + on the sendmail(1) command line, but they are still optional. + + Safety: with maildir style delivery and with hashed mailboxes + the system mail spool directory must not be world writable. + +20010713 + + Safety: the verp_delimiter_filter parameter (default: -=+) + limits what characters Postfix accepts as VERP delimiter + characters. + +20010714 + + Logging: the queue manager now logs a "status=expired" + record when it returns a message that is too old. Files: + *qmgr/qmgr_active.c. diff --git a/postfix/QMQP_README b/postfix/QMQP_README index 8f9ed0776..a23e1a3ef 100644 --- a/postfix/QMQP_README +++ b/postfix/QMQP_README @@ -3,7 +3,7 @@ Postfix QMQP server support Postfix has preliminary server support for the QMQP protocol, so that Postfix can be used as a backend for the Ezmlm-idx mailing -list manager. This support includes qmqp-source and qmqp-sink +list manager. This support includes the qmqp-source and qmqp-sink programs for protocol stress testing. Turning on the Postfix QMQP service 
@@ -14,6 +14,7 @@ have to add the following line to /etc/postfix/master.cf: 628 inet n - n - - qmqpd +A "postfix reload" command is necessary to enable the service. Postfix QMQP server access control ================================== 
@@ -25,21 +26,48 @@ This is because the QMQP server relays mail to any destination To authorize QMQP clients, edit /etc/postfix/main.cf and specify a list of client patterns. -qmqp_authorized_clients = client, client, ... +qmqpd_authorized_clients = client, client, ... + +Example: + +qmqpd_authorized_clients = $mynetworks A list pattern specifies a host name, a domain name, an internet address, or a network/mask pattern, where the mask specifies the number of bits in the network part. When a pattern specifies a file name, its contents are substituted for the file name; when a pattern is a type:name table specification, table lookup is used -instead. +instead. This allows you to administer the trusted clients in LDAP +or regular expression maps, both of which are probably overkill. Patterns are separated by whitespace and/or commas. In order to reverse the result, precede a non-file name pattern with an exclamation point (!). -Setting up Ezmlm-idx to use Postfix QMQP support +Setting up ezmlm-idx to use Postfix QMQP support ================================================ -You need to list the Postfix IP address in a suitable configuration -file. See the ezmlm-idx documentation for details. +Note: you still need qmail to feed the messages INTO ezmlm-idx. +Postfix presently only supports distribution of mailing list traffic +FROM ezmlm-idx. + +http://www.ezmlm.org/faq-0.40/FAQ-4.html#ss4.19 describes how to +make ezmlm-idx work over QMQP. + +The following is based on hearsay. Do not ask Wietse how to make +ezmlm-idx work. Wietse does not have the time to personally install +and play with every mailing list manager. + +1 - You must list QMQP servers with numerical IP address. Hostnames + do not work. This means you cannot DNS-based load balancing to + spread the load over multiple QMQP servers. + +2 - QMQP support is incomplete with ezmlm-idx-0.40. + + - ezmlm-send will use QMQP if you specify the undocumented -Q + command-line option in your .qmail-listname file. 
+ + - ezmlm-get will use QMQP if the file qmpqservers/0 exists. + + - ezmlm-moderate does not support QMQP. This is not a problem + if you only use unmoderated mailing lists. diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index 48abe2be6..bc9f2771e 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES @@ -1,3 +1,19 @@ +Incompatible changes with snapshot-20010714 +=========================================== + +Postfix delivery agents now refuse to create a missing maildir or +mail spool subdirectory when its parent directory is world writable. +This is necessary to prevent security problems with maildirs or +with hashed mailboxes under a world writable mail spool directory. + +Major changes with snapshot-20010714 +==================================== + +No major changes. What changes were made result in more polished +VERP (variable envelope return path) support and documentation, +and in updated documentation on how to use Postfix QMQP with the +ezmlm-idx mailing list manager. + Incompatible changes with snapshot-20010709 =========================================== diff --git a/postfix/VERP_README b/postfix/VERP_README index d8c9e2f46..8ee3a2558 100644 --- a/postfix/VERP_README +++ b/postfix/VERP_README 
@@ -1,33 +1,55 @@ +[Note: this document still needs more examples] + Postfix VERP support ==================== -Postfix supports variable envelope return path addresses, which -means that each recipient receives a customized copy of the message, -with the recipient address encoded in the envelope sender address. -This concept was popularized by the qmail MTA and by the ezmlm -mailing list manager. +Postfix supports variable envelope return path addresses on request. +When VERP style delivery is requested, each recipient of a message +receives a customized copy of the message, with his/her own recipient +address encoded in the envelope sender address. -When VERP style delivery is requested, Postfix delivers mail with -sender address prefix@origin for a recipient user@domain, with a -sender address that encodes the recipient as follows: +For example, when VERP style delivery is requested, Postfix delivers +mail from owner-listname@origin for a recipient user@domain, with +a sender address that encodes the recipient as follows: - prefix+user=domain@origin + owner-listname+user=domain@origin -so that undeliverable mail reveals what address was undeliverable. +Thus, undeliverable mail can reveal the undeliverable recipient +address without requiring the list owner to parse bounce messages. + +The VERP concept was popularized by the qmail MTA and by the ezmlm +mailing list manager. -The + and = are the default VERP delimiters. You can specify non- -default delimiters in main.cf with the default_verp_delimiters -configuration parameter (default value: +=). Specify two characters; -the first delimiter should match the $recipient_delimiter setting. +The whole process is controlled by two configuration parameters. + +- default_verp_delimiters (default value: +=) controls what VERP +delimiter characters Postfix uses when VERP style delivery is +requested but no explicit delimiters are specified. 
+ +- verp_delimiter_filter (default: -+=) controls what characters +Postfix accepts as VERP delimiter characters. Many characters can +not be used as VERP delimiter characters, either because they +already have a special meaning in email addresses (such as the @ +or the %), because they appear as part of a username or domain name +(such as alphanumerics), or because they are non-ASCII or control +characters. And who knows, some characters may tickle bugs in +vulnerable software. Using VERP with majordomo etc. mailing lists ============================================ In order to make VERP useful with majordomo etc. mailing lists, -you would configure the list manager to submit mail as: +you would configure the list manager to submit mail according +to one of the following two forms: sendmail -V -f owner-listname other-arguments... + sendmail -V+= -f owner-listname other-arguments... + +The first form uses the default main.cf VERP delimiter characters. +The second form allows you to explicitly specify the VERP delimiter +characters. The example shows the recommended values. + This text assumes that you have set up an owner-listname alias that routes undeliverable mail to a real person: @@ -61,6 +83,10 @@ to the following address: owner-listname+user=domain@your.domain which is processed by the command in your .forward+listname file. +The message should contain, among others, a To: header with the +encapsulated recipient sender address: + + To: owner-listname+user=domain@your.domain It is left as an exercise for the reader to parse the To: header line and to pull out the user=domain part from the recipient address. 
@@ -72,25 +98,35 @@ The Postfix SMTP server has a new command XVERP to enable VERP style delivery. The syntax allows two forms: MAIL FROM: XVERP - MAIL FROM: XVERP=xy -where x and y are the VERP delimiters. When no VERP delimiters -are specified, Postfix uses the two characters specified with the -default_verp_delimiters configuration parameter. + MAIL FROM: XVERP=+= + +The first form uses the default main.cf VERP delimiters, the second +form overrides them explicitly. The values shown are the recommended +ones. VERP support in the Postfix sendmail command ============================================ The Postfix sendmail command has a -V flag to request VERP style -delivery. It is not possible to override the default VERP delimiters. +delivery. Specify one of the following two forms: + + sendmail -V -f owner-listname .... + + sendmail -V+= -f owner-listname .... + +The first form uses the default main.cf VERP delimiters, the second +form overrides them explicitly. The values shown are the recommended +ones. VERP support in the Postfix QMQP server ======================================= -When the Postfix QMQP server receives mail with a an envelope sender +When the Postfix QMQP server receives mail with an envelope sender address of the form: prefix-@origin-@[] Postfix generates VERP sender addresses using prefix@domain as the -original sender address, and using "-=" as the VERP delimiters. +original sender address, and using "-=" as the VERP delimiters, +because qmail/ezmlm expect this. diff --git a/postfix/html/faq.html b/postfix/html/faq.html index 827439ecc..fc787ee47 100644 --- a/postfix/html/faq.html +++ b/postfix/html/faq.html 
@@ -668,6 +668,7 @@ to send mail only to user@domain.com. transport_maps = hash:/etc/postfix/transport mynetworks = 12.34.56.0/24 smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination + local_transport = error:local mail delivery is disabled on this machine /etc/postfix/transport: domain.com smtp:inside-gateway.domain.com (forwards user@domain) diff --git a/postfix/html/qmqpd.8.html b/postfix/html/qmqpd.8.html index 7bed7101b..5d5792ef3 100644 --- a/postfix/html/qmqpd.8.html +++ b/postfix/html/qmqpd.8.html @@ -102,7 +102,7 @@ QMQPD(8) QMQPD(8) of a problem. This slows down run-away errors. SEE ALSO - http://cr.yp.to/proto/qmqp.html, QMQP protocol + http://cr.yp.to/proto/qmqp.html, QMQP protocol cleanup(8) message canonicalization master(8) process manager syslogd(8) system logging diff --git a/postfix/html/sendmail.1.html b/postfix/html/sendmail.1.html index 1c6848aeb..6261883ad 100644 --- a/postfix/html/sendmail.1.html +++ b/postfix/html/sendmail.1.html 
@@ -95,37 +95,48 @@ SENDMAIL(1) SENDMAIL(1) Initial user submission. -V Variable Envelope Return Path. Given an envelope - sender address prefix-@origin, each recipient - user@domain receives mail with a personalized enve- - lope sender address prefix-user=domain@origin. - - -bd Go into daemon mode. This mode of operation is + sender address of the form owner-listname@origin, + each recipient user@domain receives mail with a + personalized envelope sender address. + + By default, the personalized envelope sender + address is owner-listname+user=domain@origin. The + default + and = characters are configurable with + the default_verp_delimiters configuration parame- + ter. + + -Vxy As -V, but uses x and y as the VERP delimiter char- + acters, instead of the characters specified with + the default_verp_delimiters configuration parame- + ter. + + -bd Go into daemon mode. This mode of operation is implemented by executing the postfix start command. - -bi Initialize alias database. See the newaliases com- + -bi Initialize alias database. See the newaliases com- mand above. - -bm Read mail from standard input and arrange for + -bm Read mail from standard input and arrange for delivery. This is the default mode of operation. -bp List the mail queue. See the mailq command above. - -bs Stand-alone SMTP server mode. Read SMTP commands - from standard input, and write responses to stan- + -bs Stand-alone SMTP server mode. Read SMTP commands + from standard input, and write responses to stan- dard output. This mode of operation is implemented by running the smtpd(8) daemon. -f sender Set the envelope sender address. This is the address where delivery problems are sent to, unless - the message contains an Errors-To: message header. + the message contains an Errors-To: message header. -h hop_count (ignored) - Hop count limit. Use the hopcount_limit configura- + Hop count limit. Use the hopcount_limit configura- tion parameter instead. 
- -i When reading a message from standard input, don't - treat a line with only a . character as the end of + -i When reading a message from standard input, don't + treat a line with only a . character as the end of input. -m (ignored) 
@@ -135,68 +146,68 @@ SENDMAIL(1) SENDMAIL(1) Backwards compatibility. -oAalias_database - Non-default alias database. Specify pathname or + Non-default alias database. Specify pathname or type:pathname. See postalias(1) for details. -o7 (ignored) -o8 (ignored) - The message body type. Currently, Postfix imple- + The message body type. Currently, Postfix imple- ments just-send-eight. - -oi When reading a message from standard input, don't - treat a line with only a . character as the end of + -oi When reading a message from standard input, don't + treat a line with only a . character as the end of input. -om (ignored) - The sender is never eliminated from alias etc. + The sender is never eliminated from alias etc. expansions. -o x value (ignored) - Set option x to value. Use the equivalent configu- + Set option x to value. Use the equivalent configu- ration parameter in main.cf instead. -r sender Set the envelope sender address. This is the address where delivery problems are sent to, unless - the message contains an Errors-To: message header. + the message contains an Errors-To: message header. - -q Attempt to deliver all queued mail. This is imple- + -q Attempt to deliver all queued mail. This is imple- mented by kicking the qmgr(8) daemon. -qinterval (ignored) - The interval between queue runs. Use the + The interval between queue runs. Use the queue_run_delay configuration parameter instead. -qRsite - Schedule immediate delivery of all mail that is - queued for the named site. Depending on the desti- - nation, this uses "fast flush" service, or it has - the same effect as sendmail -q. This is imple- + Schedule immediate delivery of all mail that is + queued for the named site. Depending on the desti- + nation, this uses "fast flush" service, or it has + the same effect as sendmail -q. This is imple- mented by connecting to the local SMTP server. See smtpd(8) for more information about the "fast flush" service. -qSsite - This command is not implemented. 
Use the slower + This command is not implemented. Use the slower sendmail -q command instead. - -t Extract recipients from message headers. This - requires that no recipients be specified on the + -t Extract recipients from message headers. This + requires that no recipients be specified on the command line. -v Enable verbose logging for debugging purposes. Mul- - tiple -v options make the software increasingly + tiple -v options make the software increasingly verbose. SECURITY - By design, this program is not set-user (or group) id. - However, it must handle data from untrusted users or - untrusted machines. Thus, the usual precautions need to + By design, this program is not set-user (or group) id. + However, it must handle data from untrusted users or + untrusted machines. Thus, the usual precautions need to be taken against malicious inputs. DIAGNOSTICS - Problems are logged to syslogd(8) and to the standard + Problems are logged to syslogd(8) and to the standard error stream. ENVIRONMENT @@ -208,7 +219,7 @@ SENDMAIL(1) SENDMAIL(1) MAIL_DEBUG Enable debugging with an external command, as spec- - ified with the debugger_command configuration + ified with the debugger_command configuration parameter. FILES @@ -216,13 +227,13 @@ SENDMAIL(1) SENDMAIL(1) /etc/postfix, configuration files CONFIGURATION PARAMETERS - See the Postfix main.cf file for syntax details and for - default values. Use the postfix reload command after a + See the Postfix main.cf file for syntax details and for + default values. Use the postfix reload command after a configuration change. alias_database - Default alias database(s) for newaliases. The - default value for this parameter is system-spe- + Default alias database(s) for newaliases. The + default value for this parameter is system-spe- cific. bounce_size_limit 
@@ -238,57 +249,66 @@ SENDMAIL(1) SENDMAIL(1) initialized. debug_peer_level - Increment in verbose logging level when a remote + Increment in verbose logging level when a remote host matches a pattern in the debug_peer_list parameter. debug_peer_list - List of domain or network patterns. When a remote - host matches a pattern, increase the verbose log- - ging level by the amount specified in the + List of domain or network patterns. When a remote + host matches a pattern, increase the verbose log- + ging level by the amount specified in the debug_peer_level parameter. + default_verp_delimiters + The VERP delimiter characters that are used when + the -V command line option is specified without + delimiter characters. + fast_flush_domains List of domains that will receive "fast flush" ser- - vice (default: all domains that this system is - willing to relay mail to). This greatly improves - the performance of the SMTP ETRN request, and of - the sendmail -qR command. For domains not in the + vice (default: all domains that this system is + willing to relay mail to). This greatly improves + the performance of the SMTP ETRN request, and of + the sendmail -qR command. For domains not in the list, Postfix simply attempts to deliver all queued mail. fork_attempts - Number of attempts to fork() a process before giv- + Number of attempts to fork() a process before giv- ing up. fork_delay - Delay in seconds between successive fork() + Delay in seconds between successive fork() attempts. hopcount_limit Limit the number of Received: message headers. mail_owner - The owner of the mail queue and of most Postfix + The owner of the mail queue and of most Postfix processes. command_directory - Directory with Postfix support commands (default: + Directory with Postfix support commands (default: $program_directory). daemon_directory - Directory with Postfix daemon programs (default: + Directory with Postfix daemon programs (default: $program_directory). 
queue_directory - Top-level directory of the Postfix queue. This is + Top-level directory of the Postfix queue. This is also the root directory of Postfix daemons that run chrooted. queue_run_delay - The time between successive scans of the deferred + The time between successive scans of the deferred queue. + verp_delimiter_filter + The characters that Postfix accepts as VERP delim- + iter characters. + SEE ALSO pickup(8) mail pickup daemon postalias(1) maintain alias database diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html index 23ec5069f..80ad4a9ab 100644 --- a/postfix/html/smtpd.8.html +++ b/postfix/html/smtpd.8.html @@ -123,6 +123,11 @@ SMTPD(8) SMTPD(8) ging level by the amount specified in the debug_peer_level parameter. + default_verp_delimiters + The default VERP delimiter characters that are used + when the XVERP command is specified without + explicit delimiters. + error_notice_recipient Recipient of protocol/policy/resource/software error notices. @@ -166,9 +171,13 @@ SMTPD(8) SMTPD(8) reject responses. This can be useful for testing purposes. + verp_delimiter_filter + The characters that Postfix accepts as VERP delim- + iter characters. + Resource controls line_length_limit - Limit the amount of memory in bytes used for the + Limit the amount of memory in bytes used for the handling of partial input lines. message_size_limit @@ -176,8 +185,8 @@ SMTPD(8) SMTPD(8) ing on-disk storage for envelope information. queue_minfree - Minimal amount of free space in bytes in the queue - file system for the SMTP server to accept any mail + Minimal amount of free space in bytes in the queue + file system for the SMTP server to accept any mail at all. Tarpitting 
@@ -187,17 +196,17 @@ SMTPD(8) SMTPD(8) smtpd_soft_error_limit When an SMTP client has made this number of errors, - wait error_count seconds before responding to any + wait error_count seconds before responding to any client request. smtpd_hard_error_limit - Disconnect after a client has made this number of + Disconnect after a client has made this number of errors. smtpd_junk_command_limit Limit the number of times a client can issue a junk - command such as NOOP, VRFY, ETRN or RSET in one - SMTP session before it is penalized with tarpit + command such as NOOP, VRFY, ETRN or RSET in one + SMTP session before it is penalized with tarpit delays. UCE control restrictions @@ -206,19 +215,19 @@ SMTPD(8) SMTPD(8) tem. smtpd_helo_required - Require that clients introduce themselves at the + Require that clients introduce themselves at the beginning of an SMTP session. smtpd_helo_restrictions - Restrict what client hostnames are allowed in HELO + Restrict what client hostnames are allowed in HELO and EHLO commands. smtpd_sender_restrictions - Restrict what sender addresses are allowed in MAIL + Restrict what sender addresses are allowed in MAIL FROM commands. smtpd_recipient_restrictions - Restrict what recipient addresses are allowed in + Restrict what recipient addresses are allowed in RCPT TO commands. smtpd_etrn_restrictions 
@@ -226,57 +235,57 @@ SMTPD(8) SMTPD(8) mands, and what clients may issue ETRN commands. allow_untrusted_routing - Allow untrusted clients to specify addresses with - sender-specified routing. Enabling this opens up - nasty relay loopholes involving trusted backup MX + Allow untrusted clients to specify addresses with + sender-specified routing. Enabling this opens up + nasty relay loopholes involving trusted backup MX hosts. smtpd_restriction_classes - Declares the name of zero or more parameters that - contain a list of UCE restrictions. The names of - these parameters can then be used instead of the + Declares the name of zero or more parameters that + contain a list of UCE restrictions. The names of + these parameters can then be used instead of the restriction lists that they represent. maps_rbl_domains - List of DNS domains that publish the addresses of + List of DNS domains that publish the addresses of blacklisted hosts. relay_domains - Restrict what domains or networks this mail system + Restrict what domains or networks this mail system will relay mail from or to. UCE control responses access_map_reject_code - Server response when a client violates an access + Server response when a client violates an access database restriction. invalid_hostname_reject_code - Server response when a client violates the + Server response when a client violates the reject_invalid_hostname restriction. maps_rbl_reject_code - Server response when a client violates the + Server response when a client violates the maps_rbl_domains restriction. reject_code - Response code when the client matches a reject + Response code when the client matches a reject restriction. relay_domains_reject_code - Server response when a client attempts to violate + Server response when a client attempts to violate the mail relay policy. unknown_address_reject_code - Server response when a client violates the + Server response when a client violates the reject_unknown_address restriction. 
unknown_client_reject_code - Server response when a client without address to - name mapping violates the reject_unknown_clients + Server response when a client without address to + name mapping violates the reject_unknown_clients restriction. unknown_hostname_reject_code - Server response when a client violates the + Server response when a client violates the reject_unknown_hostname restriction. SEE ALSO @@ -285,7 +294,7 @@ SMTPD(8) SMTPD(8) syslogd(8) system logging LICENSE - The Secure Mailer license must be distributed with this + The Secure Mailer license must be distributed with this software. AUTHOR(S) diff --git a/postfix/man/man1/sendmail.1 b/postfix/man/man1/sendmail.1 index a3a01dda5..faaa064b4 100644 --- a/postfix/man/man1/sendmail.1 +++ b/postfix/man/man1/sendmail.1 @@ -84,9 +84,18 @@ Log mailer traffic. Use the \fBdebug_peer_list\fR and Initial user submission. .IP \fB-V\fR Variable Envelope Return Path. Given an envelope sender address -\fIprefix\fR-@\fIorigin\fR, each recipient \fIuser@domain\fR -receives mail with a personalized envelope sender address -\fIprefix\fB-\fIuser=domain\fR@\fIorigin\fR. +of the form \fIowner-listname\fR@\fIorigin\fR, each recipient +\fIuser\fR@\fIdomain\fR receives mail with a personalized envelope +sender address. +.sp +By default, the personalized envelope sender address is +\fIowner-listname\fB+\fIuser\fB=\fIdomain\fR@\fIorigin\fR. The default +\fB+\fR and \fB=\fR characters are configurable with the +\fBdefault_verp_delimiters\fR configuration parameter. +.IP \fB-V\fIxy\fR +As \fB-V\fR, but uses \fIx\fR and \fIy\fR as the VERP delimiter +characters, instead of the characters specified with the +\fBdefault_verp_delimiters\fR configuration parameter. .IP \fB-bd\fR Go into daemon mode. This mode of operation is implemented by executing the \fBpostfix start\fR command. 
@@ -216,6 +225,9 @@ pattern in the \fBdebug_peer_list\fR parameter. List of domain or network patterns. When a remote host matches a pattern, increase the verbose logging level by the amount specified in the \fBdebug_peer_level\fR parameter. +.IP \fBdefault_verp_delimiters\fR +The VERP delimiter characters that are used when the \fB-V\fR +command line option is specified without delimiter characters. .IP \fBfast_flush_domains\fR List of domains that will receive "fast flush" service (default: all domains that this system is willing to relay mail to). This greatly @@ -241,6 +253,8 @@ Top-level directory of the Postfix queue. This is also the root directory of Postfix daemons that run chrooted. .IP \fBqueue_run_delay\fR The time between successive scans of the deferred queue. +.IP \fBverp_delimiter_filter\fR +The characters that Postfix accepts as VERP delimiter characters. .SH SEE ALSO .na .nf diff --git a/postfix/man/man8/smtpd.8 b/postfix/man/man8/smtpd.8 index 2a979fee3..736c299ec 100644 --- a/postfix/man/man8/smtpd.8 +++ b/postfix/man/man8/smtpd.8 @@ -118,6 +118,9 @@ pattern in the \fBdebug_peer_list\fR parameter. List of domain or network patterns. When a remote host matches a pattern, increase the verbose logging level by the amount specified in the \fBdebug_peer_level\fR parameter. +.IP \fBdefault_verp_delimiters\fR +The default VERP delimiter characters that are used when the +XVERP command is specified without explicit delimiters. .IP \fBerror_notice_recipient\fR Recipient of protocol/policy/resource/software error notices. .IP \fBhopcount_limit\fR @@ -148,6 +151,8 @@ request. .IP \fBsoft_bounce\fR Change hard (5xx) reject responses into soft (4xx) reject responses. This can be useful for testing purposes. +.IP \fBverp_delimiter_filter\fR +The characters that Postfix accepts as VERP delimiter characters. .SH "Resource controls" .ad .fi diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink index 3e228063c..027929fc9 100755 
--- a/postfix/mantools/postlink +++ b/postfix/mantools/postlink @@ -48,5 +48,6 @@ exec sed ' s/[]*virtual[]*(5)/&<\/a>/ s/[]*virtual[]*(8)/&<\/a>/ s/\(\)\([]*[a-z0-9-]*[-]*\)\(\n *\)\([]*[a-z0-9-]*[]*([0-9])\)\(<\/a>\)/\1\2\5\3\1\4\5/ + s/http:\/\/[^ ,]*/&<\/a>/ s/RFC *\([0-9]*\)/&<\/a>/ ' "$@" diff --git a/postfix/src/bounce/Makefile.in b/postfix/src/bounce/Makefile.in index cad8498f0..d77256556 100644 --- a/postfix/src/bounce/Makefile.in +++ b/postfix/src/bounce/Makefile.in @@ -147,5 +147,6 @@ bounce_notify_verp.o: ../../include/post_mail.h bounce_notify_verp.o: ../../include/cleanup_user.h bounce_notify_verp.o: ../../include/mail_addr.h bounce_notify_verp.o: ../../include/mail_error.h +bounce_notify_verp.o: ../../include/verp_sender.h bounce_notify_verp.o: bounce_service.h bounce_notify_verp.o: ../../include/bounce_log.h diff --git a/postfix/src/cleanup/Makefile.in b/postfix/src/cleanup/Makefile.in index dd13667a6..168040d94 100644 --- a/postfix/src/cleanup/Makefile.in +++ b/postfix/src/cleanup/Makefile.in @@ -120,6 +120,7 @@ cleanup_envelope.o: ../../include/mail_params.h cleanup_envelope.o: ../../include/ext_prop.h cleanup_envelope.o: ../../include/mail_addr.h cleanup_envelope.o: ../../include/canon_addr.h +cleanup_envelope.o: ../../include/verp_sender.h cleanup_envelope.o: cleanup.h cleanup_envelope.o: ../../include/argv.h cleanup_envelope.o: ../../include/maps.h diff --git a/postfix/src/cleanup/cleanup_envelope.c b/postfix/src/cleanup/cleanup_envelope.c index be3f727b6..3c5e300d6 100644 --- a/postfix/src/cleanup/cleanup_envelope.c +++ b/postfix/src/cleanup/cleanup_envelope.c @@ -67,6 +67,7 @@ #include #include #include +#include /* Application-specific. */ 
@@ -184,14 +185,12 @@ static void cleanup_envelope_process(CLEANUP_STATE *state, int type, char *buf, state->errs |= CLEANUP_STAT_BAD; return; } - if (len == 0) { - buf = var_verp_delim; - len = strlen(buf); - } - if (len == 2) { + if (verp_delims_verify(buf) == 0) { cleanup_out(state, type, buf, len); } else { + msg_warn("%s: bad VERP delimiters: \"%s\"", state->queue_id, buf); state->errs |= CLEANUP_STAT_BAD; + return; } } else { cleanup_out(state, type, buf, len); diff --git a/postfix/src/cleanup/cleanup_init.c b/postfix/src/cleanup/cleanup_init.c index 29336362c..0cb5812c5 100644 --- a/postfix/src/cleanup/cleanup_init.c +++ b/postfix/src/cleanup/cleanup_init.c @@ -106,7 +106,6 @@ char *var_prop_extension; /* propagate unmatched extension */ char *var_always_bcc; /* big brother */ int var_extra_rcpt_limit; /* recipient extract limit */ char *var_rcpt_witheld; /* recipients not disclosed */ -char *var_verp_delim; /* default VERP delimiters */ CONFIG_INT_TABLE cleanup_int_table[] = { VAR_HOPCOUNT_LIMIT, DEF_HOPCOUNT_LIMIT, &var_hopcount_limit, 1, 0, @@ -134,7 +133,6 @@ CONFIG_STR_TABLE cleanup_str_table[] = { VAR_PROP_EXTENSION, DEF_PROP_EXTENSION, &var_prop_extension, 0, 0, VAR_ALWAYS_BCC, DEF_ALWAYS_BCC, &var_always_bcc, 0, 0, VAR_RCPT_WITHELD, DEF_RCPT_WITHELD, &var_rcpt_witheld, 1, 0, - VAR_VERP_DELIM, DEF_VERP_DELIM, &var_verp_delim, 2, 2, 0, }; diff --git a/postfix/src/global/Makefile.in b/postfix/src/global/Makefile.in index da8e25a62..97e35b60f 100644 --- a/postfix/src/global/Makefile.in +++ b/postfix/src/global/Makefile.in @@ -610,6 +610,7 @@ mail_params.o: mail_version.h mail_params.o: mail_proto.h mail_params.o: ../../include/vstream.h mail_params.o: ../../include/iostuff.h +mail_params.o: verp_sender.h mail_params.o: mail_params.h mail_pathname.o: mail_pathname.c mail_pathname.o: ../../include/sys_defs.h 
@@ -1042,6 +1043,7 @@ verp_sender.o: verp_sender.c verp_sender.o: ../../include/sys_defs.h verp_sender.o: ../../include/vstring.h verp_sender.o: ../../include/vbuf.h +verp_sender.o: mail_params.h verp_sender.o: verp_sender.h xtext.o: xtext.c xtext.o: ../../include/sys_defs.h diff --git a/postfix/src/global/mail_params.c b/postfix/src/global/mail_params.c index 830e9b1d9..6fc2db082 100644 --- a/postfix/src/global/mail_params.c +++ b/postfix/src/global/mail_params.c @@ -62,6 +62,8 @@ /* char *var_fflush_domains; /* char *var_def_transport; /* char *var_mynetworks_style; +/* char *var_verp_delims; +/* char *var_verp_filter; /* /* char *var_import_environ; /* char *var_export_environ; @@ -119,6 +121,7 @@ #include "mail_conf.h" #include "mail_version.h" #include "mail_proto.h" +#include "verp_sender.h" #include "mail_params.h" /* @@ -180,6 +183,8 @@ char *var_relay_domains; char *var_fflush_domains; char *var_def_transport; char *var_mynetworks_style; +char *var_verp_delims; +char *var_verp_filter; char *var_import_environ; char *var_export_environ; @@ -303,6 +308,8 @@ void mail_params_init() VAR_DEF_TRANSPORT, DEF_DEF_TRANSPORT, &var_def_transport, 0, 0, VAR_MYNETWORKS_STYLE, DEF_MYNETWORKS_STYLE, &var_mynetworks_style, 1, 0, VAR_DEBUG_PEER_LIST, DEF_DEBUG_PEER_LIST, &var_debug_peer_list, 0, 0, + VAR_VERP_DELIMS, DEF_VERP_DELIMS, &var_verp_delims, 2, 2, + VAR_VERP_FILTER, DEF_VERP_FILTER, &var_verp_filter, 1, 0, 0, }; static CONFIG_STR_FN_TABLE function_str_defaults_2[] = { @@ -402,4 +409,11 @@ void mail_params_init() */ if (strcasecmp(var_myhostname, var_relayhost) == 0) msg_fatal("myhostname == relayhost"); + + /* + * One more sanity check. + */ + if ((cp = verp_delims_verify(var_verp_delims)) != 0) + msg_fatal("%s or %s configuration problem: %s", + VAR_VERP_DELIMS, VAR_VERP_FILTER, cp); } diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index c1c5b521b..30b163489 100644 --- a/postfix/src/global/mail_params.h 
+++ b/postfix/src/global/mail_params.h @@ -1275,9 +1275,13 @@ extern int var_qmqpd_err_sleep; * VERP, more DJB intellectual cross-pollination. However, we prefer + as * the default recipient delimiter. */ -#define VAR_VERP_DELIM "default_verp_delimiters" -#define DEF_VERP_DELIM "+=" -extern char *var_verp_delim; +#define VAR_VERP_DELIMS "default_verp_delimiters" +#define DEF_VERP_DELIMS "+=" +extern char *var_verp_delims; + +#define VAR_VERP_FILTER "verp_delimiter_filter" +#define DEF_VERP_FILTER "-=+" +extern char *var_verp_filter; /* LICENSE /* .ad diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 7b5aa94c5..e53ebfb00 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -15,7 +15,7 @@ * Version of this program. */ #define VAR_MAIL_VERSION "mail_version" -#define DEF_MAIL_VERSION "Snapshot-20010709" +#define DEF_MAIL_VERSION "Snapshot-20010714" extern char *var_mail_version; /* LICENSE diff --git a/postfix/src/global/verp_sender.c b/postfix/src/global/verp_sender.c index 8e88eb4bb..b7c0f806e 100644 --- a/postfix/src/global/verp_sender.c +++ b/postfix/src/global/verp_sender.c @@ -11,6 +11,9 @@ /* const char *delims; /* const char *sender; /* const char *recipient; +/* +/* const char *verp_delims_verify(delims) +/* const char *delims; /* DESCRIPTION /* verp_sender() encodes the recipient address in the sender /* address, using the specified delimiters. For example, @@ -18,6 +21,12 @@ /* recipient \fIuser@domain\fR the result is /* \fIprefix+user=domain@origin\fR. /* +/* verp_delims_verify() determines if the specified VERP delimiters +/* have reasonable values. What is reasonable is configured with +/* the verp_delimiter_filter configuration parameter. The result +/* is null in case of success, a description of the problem in +/* case of error. +/* /* Arguments: /* .IP dst /* The result. The buffer is null terminated. 
@@ -49,6 +58,7 @@ /* Global library. */ +#include #include /* verp_sender - encode recipient into envelope sender address */ @@ -81,3 +91,16 @@ VSTRING *verp_sender(VSTRING *buf, const char *delimiters, VSTRING_TERMINATE(buf); return (buf); } + +/* verp_delims_verify - sanitize VERP delimiters */ + +const char *verp_delims_verify(const char *delims) +{ + if (strlen(delims) != 2) + return ("bad VERP delimiter character count"); + if (strchr(var_verp_filter, delims[0]) == 0) + return ("bad first VERP delimiter character"); + if (strchr(var_verp_filter, delims[1]) == 0) + return ("bad second VERP delimiter character"); + return (0); +} diff --git a/postfix/src/global/verp_sender.h b/postfix/src/global/verp_sender.h index 11beb6754..61641ac8a 100644 --- a/postfix/src/global/verp_sender.h +++ b/postfix/src/global/verp_sender.h @@ -20,6 +20,7 @@ * External interface. */ extern VSTRING *verp_sender(VSTRING *, const char *, const char *, const char *); +extern const char *verp_delims_verify(const char *); /* LICENSE /* .ad diff --git a/postfix/src/nqmgr/Makefile.in b/postfix/src/nqmgr/Makefile.in index fec5f9bb1..1d6b8024f 100644 --- a/postfix/src/nqmgr/Makefile.in +++ b/postfix/src/nqmgr/Makefile.in @@ -138,6 +138,7 @@ qmgr_deliver.o: ../../include/mail_proto.h qmgr_deliver.o: ../../include/recipient_list.h qmgr_deliver.o: ../../include/mail_params.h qmgr_deliver.o: ../../include/deliver_request.h +qmgr_deliver.o: ../../include/verp_sender.h qmgr_deliver.o: qmgr.h qmgr_deliver.o: ../../include/scan_dir.h qmgr_deliver.o: ../../include/maps.h @@ -204,6 +205,7 @@ qmgr_message.o: ../../include/mail_addr_find.h qmgr_message.o: ../../include/maps.h qmgr_message.o: ../../include/opened.h qmgr_message.o: ../../include/resolve_local.h +qmgr_message.o: ../../include/verp_sender.h qmgr_message.o: ../../include/resolve_clnt.h qmgr_message.o: qmgr.h qmgr_message.o: ../../include/scan_dir.h 
diff --git a/postfix/src/nqmgr/qmgr_active.c b/postfix/src/nqmgr/qmgr_active.c index 847f42713..6d22e806a 100644 --- a/postfix/src/nqmgr/qmgr_active.c +++ b/postfix/src/nqmgr/qmgr_active.c @@ -360,8 +360,8 @@ static void qmgr_active_done_2_generic(QMGR_MESSAGE *message) */ if (message->flags) { if (event_time() > message->arrival_time + var_max_queue_time) { - if (msg_verbose) - msg_info("%s: too old, bouncing %s", myname, message->queue_id); + msg_info("%s: from=<%s>, status=expired, returned to sender", + message->queue_id, message->sender); if (message->verp_delims == 0) adefer_flush(BOUNCE_FLAG_KEEP, message->queue_name, diff --git a/postfix/src/nqmgr/qmgr_message.c b/postfix/src/nqmgr/qmgr_message.c index 1fcbb6d27..f83f7e0d1 100644 --- a/postfix/src/nqmgr/qmgr_message.c +++ b/postfix/src/nqmgr/qmgr_message.c @@ -121,6 +121,7 @@ #include #include #include +#include /* Client stubs. */ @@ -425,12 +426,14 @@ static int qmgr_message_read(QMGR_MESSAGE *message) message->warn_time = atol(start); } } else if (rec_type == REC_TYPE_VERP) { - if (strlen(start) != 2) { - msg_warn("%s: bad VERP record length: \"%s\"", - message->queue_id, start); - } else { - message->single_rcpt = 1; - message->verp_delims = mystrdup(start); + if (message->verp_delims == 0) { + if (verp_delims_verify(start) != 0) { + msg_warn("%s: bad VERP record content: \"%s\"", + message->queue_id, start); + } else { + message->single_rcpt = 1; + message->verp_delims = mystrdup(start); + } } } } while (rec_type > 0 && rec_type != REC_TYPE_END); diff --git a/postfix/src/qmgr/Makefile.in b/postfix/src/qmgr/Makefile.in index db3885567..ae85a5f20 100644 --- a/postfix/src/qmgr/Makefile.in +++ b/postfix/src/qmgr/Makefile.in 
@@ -189,6 +189,7 @@ qmgr_message.o: ../../include/mail_addr_find.h qmgr_message.o: ../../include/maps.h qmgr_message.o: ../../include/opened.h qmgr_message.o: ../../include/resolve_local.h +qmgr_message.o: ../../include/verp_sender.h qmgr_message.o: ../../include/resolve_clnt.h qmgr_message.o: qmgr.h qmgr_message.o: ../../include/scan_dir.h diff --git a/postfix/src/qmgr/qmgr_active.c b/postfix/src/qmgr/qmgr_active.c index 847f42713..6d22e806a 100644 --- a/postfix/src/qmgr/qmgr_active.c +++ b/postfix/src/qmgr/qmgr_active.c @@ -360,8 +360,8 @@ static void qmgr_active_done_2_generic(QMGR_MESSAGE *message) */ if (message->flags) { if (event_time() > message->arrival_time + var_max_queue_time) { - if (msg_verbose) - msg_info("%s: too old, bouncing %s", myname, message->queue_id); + msg_info("%s: from=<%s>, status=expired, returned to sender", + message->queue_id, message->sender); if (message->verp_delims == 0) adefer_flush(BOUNCE_FLAG_KEEP, message->queue_name, diff --git a/postfix/src/qmgr/qmgr_message.c b/postfix/src/qmgr/qmgr_message.c index db88b63fc..561a73cec 100644 --- a/postfix/src/qmgr/qmgr_message.c +++ b/postfix/src/qmgr/qmgr_message.c @@ -112,6 +112,7 @@ #include #include #include +#include /* Client stubs. */ @@ -305,12 +306,14 @@ static int qmgr_message_read(QMGR_MESSAGE *message) message->warn_time = atol(start); } } else if (rec_type == REC_TYPE_VERP) { - if (strlen(start) != 2) { - msg_warn("%s: bad VERP record length: \"%s\"", - message->queue_id, start); - } else { - message->single_rcpt = 1; - message->verp_delims = mystrdup(start); + if (message->verp_delims == 0) { + if (verp_delims_verify(start) != 0) { + msg_warn("%s: bad VERP record content: \"%s\"", + message->queue_id, start); + } else { + message->single_rcpt = 1; + message->verp_delims = mystrdup(start); + } } } } while (rec_type > 0 && rec_type != REC_TYPE_END); diff --git a/postfix/src/sendmail/Makefile.in b/postfix/src/sendmail/Makefile.in index 0f9f5a478..b1b738651 100644 
--- a/postfix/src/sendmail/Makefile.in +++ b/postfix/src/sendmail/Makefile.in @@ -87,3 +87,4 @@ sendmail.o: ../../include/resolve_clnt.h sendmail.o: ../../include/mail_flush.h sendmail.o: ../../include/mail_stream.h sendmail.o: ../../include/smtp_stream.h +sendmail.o: ../../include/verp_sender.h diff --git a/postfix/src/sendmail/sendmail.c b/postfix/src/sendmail/sendmail.c index a11837ef4..8de3e4c50 100644 --- a/postfix/src/sendmail/sendmail.c +++ b/postfix/src/sendmail/sendmail.c @@ -78,9 +78,18 @@ /* Initial user submission. /* .IP \fB-V\fR /* Variable Envelope Return Path. Given an envelope sender address -/* \fIprefix\fR-@\fIorigin\fR, each recipient \fIuser@domain\fR -/* receives mail with a personalized envelope sender address -/* \fIprefix\fB-\fIuser=domain\fR@\fIorigin\fR. +/* of the form \fIowner-listname\fR@\fIorigin\fR, each recipient +/* \fIuser\fR@\fIdomain\fR receives mail with a personalized envelope +/* sender address. +/* .sp +/* By default, the personalized envelope sender address is +/* \fIowner-listname\fB+\fIuser\fB=\fIdomain\fR@\fIorigin\fR. The default +/* \fB+\fR and \fB=\fR characters are configurable with the +/* \fBdefault_verp_delimiters\fR configuration parameter. +/* .IP \fB-V\fIxy\fR +/* As \fB-V\fR, but uses \fIx\fR and \fIy\fR as the VERP delimiter +/* characters, instead of the characters specified with the +/* \fBdefault_verp_delimiters\fR configuration parameter. /* .IP \fB-bd\fR /* Go into daemon mode. This mode of operation is implemented by /* executing the \fBpostfix start\fR command. 
@@ -200,6 +209,9 @@ /* List of domain or network patterns. When a remote host matches /* a pattern, increase the verbose logging level by the amount /* specified in the \fBdebug_peer_level\fR parameter. +/* .IP \fBdefault_verp_delimiters\fR +/* The VERP delimiter characters that are used when the \fB-V\fR +/* command line option is specified without delimiter characters. /* .IP \fBfast_flush_domains\fR /* List of domains that will receive "fast flush" service (default: all /* domains that this system is willing to relay mail to). This greatly @@ -225,6 +237,8 @@ /* directory of Postfix daemons that run chrooted. /* .IP \fBqueue_run_delay\fR /* The time between successive scans of the deferred queue. +/* .IP \fBverp_delimiter_filter\fR +/* The characters that Postfix accepts as VERP delimiter characters. /* SEE ALSO /* pickup(8) mail pickup daemon /* postalias(1) maintain alias database @@ -297,6 +311,7 @@ #include #include #include +#include /* Application-specific. */ @@ -808,7 +823,12 @@ int main(int argc, char **argv) optind++; continue; } - if ((c = GETOPT(argc, argv, "B:C:F:GIN:R:UVX:b:ce:f:h:imno:p:r:q:tvx")) <= 0) + if (strcmp(argv[OPTIND], "-V") == 0) { + verp_delims = var_verp_delims; + optind++; + continue; + } + if ((c = GETOPT(argc, argv, "B:C:F:GIN:R:UV:X:b:ce:f:h:imno:p:r:q:tvx")) <= 0) break; switch (c) { default: @@ -832,7 +852,10 @@ int main(int argc, char **argv) case 'R': /* DSN */ break; case 'V': /* VERP */ - verp_delims = ""; + if (verp_delims_verify(optarg) != 0) + msg_fatal("-V option requires two characters from %s", + var_verp_filter); + verp_delims = optarg; break; case 'b': switch (*optarg) { diff --git a/postfix/src/smtpd/Makefile.in b/postfix/src/smtpd/Makefile.in index 90d9aa96b..5eaf14882 100644 --- a/postfix/src/smtpd/Makefile.in +++ b/postfix/src/smtpd/Makefile.in 
@@ -119,6 +119,7 @@ smtpd.o: ../../include/mail_stream.h smtpd.o: ../../include/mail_queue.h smtpd.o: ../../include/tok822.h smtpd.o: ../../include/resolve_clnt.h +smtpd.o: ../../include/verp_sender.h smtpd.o: ../../include/mail_server.h smtpd.o: smtpd_token.h smtpd.o: smtpd.h diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c index 3bc59cb3d..27f808890 100644 --- a/postfix/src/smtpd/smtpd.c +++ b/postfix/src/smtpd/smtpd.c @@ -104,6 +104,9 @@ /* List of domain or network patterns. When a remote host matches /* a pattern, increase the verbose logging level by the amount /* specified in the \fBdebug_peer_level\fR parameter. +/* .IP \fBdefault_verp_delimiters\fR +/* The default VERP delimiter characters that are used when the +/* XVERP command is specified without explicit delimiters. /* .IP \fBerror_notice_recipient\fR /* Recipient of protocol/policy/resource/software error notices. /* .IP \fBhopcount_limit\fR @@ -134,6 +137,8 @@ /* .IP \fBsoft_bounce\fR /* Change hard (5xx) reject responses into soft (4xx) reject responses. /* This can be useful for testing purposes. +/* .IP \fBverp_delimiter_filter\fR +/* The characters that Postfix accepts as VERP delimiter characters. /* .SH "Resource controls" /* .ad /* .fi @@ -284,6 +289,7 @@ #include #include #include +#include /* Single-threaded server skeleton. */ @@ -689,14 +695,14 @@ static int mail_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv) } #endif } else if (strcasecmp(arg, VERP_CMD) == 0) { - verp_delims = ""; + verp_delims = var_verp_delims; } else if (strncasecmp(arg, VERP_CMD, VERP_CMD_LEN) == 0 && arg[VERP_CMD_LEN] == '=') { verp_delims = arg + VERP_CMD_LEN + 1; - if (strlen(verp_delims) != 2) { + if (verp_delims_verify(verp_delims) != 0) { state->error_mask |= MAIL_ERROR_PROTOCOL; - smtpd_chat_reply(state, "501 Bad %s parameter: %s", - VERP_CMD, arg); + smtpd_chat_reply(state, "501 %s needs two characters from %s", + VERP_CMD, var_verp_filter); return (-1); } } else { 
diff --git a/postfix/src/util/make_dirs.c b/postfix/src/util/make_dirs.c index b3efcddbf..31efea03e 100644 --- a/postfix/src/util/make_dirs.c +++ b/postfix/src/util/make_dirs.c @@ -54,6 +54,7 @@ int make_dirs(const char *path, int perms) int saved_ch; struct stat st; int ret; + mode_t saved_mode; /* * Initialize. Make a copy of the path that we can safely clobber. @@ -78,14 +79,31 @@ int make_dirs(const char *path, int perms) ret = -1; break; } + saved_mode = st.st_mode; } else { if (errno != ENOENT) break; + + /* + * Create a new directory. Unfortunately, mkdir(2) has no + * equivalent of open(2)'s O_CREAT|O_EXCL safety net, so we must + * require that the parent directory is not world writable. + * Detecting a lost race condition after the fact is not + * sufficient, as an attacker could repeat the attack and add one + * directory level at a time. + */ + if (saved_mode & S_IWOTH) { + msg_warn("refusing to mkdir %s: parent directory is writable by everyone", + saved_path); + errno = EPERM; + ret = -1; + break; + } if ((ret = mkdir(saved_path, perms)) < 0) { if (errno != EEXIST) break; /* Race condition? */ - if ((ret = stat(saved_path, &st)) < 0) + if ((ret = stat(saved_path, &st)) < 0) break; if (!S_ISDIR(st.st_mode)) { errno = ENOTDIR;
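Review bot: in cleanup_envelope_process() (src/cleanup/cleanup_envelope.c), the new `verp_delims_verify(buf) == 0` test discards the reason string that the function returns, so the "bad VERP delimiters" warning cannot say whether the character count or one of the two characters was rejected. Suggest keeping the result in a local variable and appending it to the msg_warn() text. Separately, with the `len == 0` fallback removed, an empty VERP record is now flagged CLEANUP_STAT_BAD here. The sendmail.c and smtpd.c hunks substitute var_verp_delims before submitting, but any other program that still writes an empty VERP record would start failing, which deserves a line in HISTORY.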
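Review bot: the sanity check added at the end of mail_params_init() (src/global/mail_params.c) validates var_verp_delims against var_verp_filter, but nothing validates verp_delimiter_filter itself beyond the minimum length of 1 in its table entry (`VAR_VERP_FILTER, DEF_VERP_FILTER, &var_verp_filter, 1, 0`). This filter decides which characters a -V option or an XVERP parameter may place inside envelope sender addresses, so consider rejecting at startup a filter that contains `@`, whitespace or control characters, or document that the administrator is responsible for keeping it safe. The check also assigns to `cp`, whose declaration is not among the visible lines; it should be `const char *` to match the return type of verp_delims_verify().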
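Review bot: verp_delims_verify() (src/global/verp_sender.c) accepts two identical delimiter characters, for example `++` or `--` with the default filter `-=+`. With identical delimiters the address built by verp_sender(), documented as prefix+user=domain@origin, no longer has distinct separators before the user part and before the domain part, so the recipient cannot be recovered unambiguously from a bounce. If that is not intended, add a `delims[0] == delims[1]` test with its own error string; if it is intended, say so in the DESCRIPTION block. The one-line comment above the function says "sanitize", but the function only verifies and never modifies its input, so "verify" would be the accurate word.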
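Review bot: in qmgr_message_read() (src/qmgr/qmgr_message.c and the identical change in src/nqmgr/qmgr_message.c), a VERP record that fails verp_delims_verify() leaves `message->verp_delims` at 0, so the message is delivered as ordinary non-VERP mail with only a warning in the log. Because the check runs against the current verp_delimiter_filter, tightening that parameter while mail is queued silently downgrades messages that were accepted under the old setting; this behaviour should be documented, or the message should be treated as corrupt instead. The new `message->verp_delims == 0` guard also means a second VERP record is ignored without any log entry, and a one-line msg_warn() for that case would make a malformed queue file visible.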
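Review bot: in qmgr_active_done_2_generic() (src/qmgr/qmgr_active.c and src/nqmgr/qmgr_active.c), the new "status=expired, returned to sender" record is written before adefer_flush() is called, so the log states the outcome before the bounce request has been made and stays in the log even if that request fails. Suggest either wording the record as an intent (for example "status=expired, returning to sender") or logging after the flush result is known. Since the removed msg_info() call used `myname`, please also check that the variable is still referenced elsewhere in the function so it does not become unused.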
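Review bot: in main() of src/sendmail/sendmail.c, the bare `-V` form is recognised only when it is an argv element of its own (`strcmp(argv[OPTIND], "-V") == 0`), while the getopt string now declares `V:`. When -V is the last letter of an option cluster such as `-iV`, getopt will take the next argv element as the delimiter argument; in most cases that ends in the new msg_fatal(), but with the default filter `-=+` a following `--` passes verp_delims_verify() and is consumed as the delimiters instead of ending option processing. The manual page text added in this patch should state that `-V` without delimiters must be given as a separate argument, or the special case should be handled after getopt rather than before it.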
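Review bot: in make_dirs() (src/util/make_dirs.c), `saved_mode` is declared without an initial value and is assigned only in the branch where stat() succeeds, yet the new `if (saved_mode & S_IWOTH)` test sits in the branch where stat() failed with ENOENT. If the first path component examined does not exist, for instance with a relative path, the test reads an indeterminate value and the function may refuse or allow the mkdir() arbitrarily. Initialize the variable at its declaration, or stat the starting directory before the loop so that the parent's mode is always known. The new comment explains the race well; it would help to add that the stat() result used here was taken on an earlier loop iteration, so the check relies on the parent not being writable by other users between that stat() and the mkdir().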