From: Wietse Z Venema Date: Mon, 8 Dec 2025 05:00:00 +0000 (-0500) Subject: postfix-3.11-20251208 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0baff80091bf38ee6d1bece92653c07f61d1e2e0;p=thirdparty%2Fpostfix.git postfix-3.11-20251208 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index 82e060266..a61191d34 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -30134,3 +30134,17 @@ Apologies for any names omitted. Bitrot: non-functional code changes to silence compiler errors/warnings. File: milter/test-milter.c. + +20251208 + + Improved Milter error handling for messages that arrive + over a long-lived SMTP connection, by changing the default + milter_default_action from "tempfail" to the new "shutdown" + action (i.e. disconnect the remote SMTP client). + + The problem was that after a single Milter error, Postfix + could tempfail all messages that the client sends over a + long-lived connection, even if the Milter error was only + temporary. This problem was reported by Ankit Kulkarni. + + Files: proto/postconf.proto global/mail_params.h milter/milter8.c. diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index cbc1ab488..360b94e74 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -7456,7 +7456,7 @@ for a list of available macro names and their meanings.

milter_default_action -(default: tempfail)
+(default: Postfix ≥ 3.11: shutdown; Postfix < 3.11: tempfail)

The default action when a Milter (mail filter) response is unavailable (for example, bad Postfix configuration or Milter @@ -7473,11 +7473,22 @@ with a permanent status code.

tempfail
Reject all further commands in this session with a temporary status code.
+
shutdown
Close the SMTP connection after sending a 421 +SMTP reply. Available in Postfix 3.11 and later.
+
quarantine
Like "accept", but freeze the message in the "hold" queue. Available with Postfix 2.6 and later.
+

The default action was "tempfail" with Postfix 3.10 and earlier. +

+ +

The default action is "shutdown" with Postfix 3.11 and later, +i.e. disconnect the SMTP client. With the old default, Postfix could +tempfail all messages that the client sends over a long-lived +connection, even if a Milter failure is only temporary.

+

This feature is available in Postfix 2.3 and later.

diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 6f7309638..471104928 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -4569,7 +4569,7 @@ filter) applications after the SMTP DATA command. See MILTER_README for a list of available macro names and their meanings. .PP This feature is available in Postfix 2.3 and later. -.SH milter_default_action (default: tempfail) +.SH milter_default_action (default: Postfix >= 3.11: shutdown; Postfix < 3.11: tempfail) The default action when a Milter (mail filter) response is unavailable (for example, bad Postfix configuration or Milter failure). Specify one of the following: @@ -4584,12 +4584,23 @@ with a permanent status code. Reject all further commands in this session with a temporary status code. .br +.IP "shutdown" +Close the SMTP connection after sending a 421 +SMTP reply. Available in Postfix 3.11 and later. +.br .IP "quarantine" Like "accept", but freeze the message in the "hold" queue. Available with Postfix 2.6 and later. .br .br .PP +The default action was "tempfail" with Postfix 3.10 and earlier. +.PP +The default action is "shutdown" with Postfix 3.11 and later, +i.e. disconnect the SMTP client. With the old default, Postfix could +tempfail all messages that the client sends over a long\-lived +connection, even if a Milter failure is only temporary. +.PP This feature is available in Postfix 2.3 and later. .SH milter_end_of_data_macros (default: see "postconf \-d" output) The macros that are sent to Milter (mail filter) applications diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 0295df267..071989b8a 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -12341,7 +12341,7 @@ will not reply for each individual message header.

This feature is available in Postfix 2.3 and later.

-%PARAM milter_default_action tempfail +%PARAM milter_default_action Postfix ≥ 3.11: shutdown; Postfix < 3.11: tempfail

The default action when a Milter (mail filter) response is unavailable (for example, bad Postfix configuration or Milter @@ -12358,11 +12358,22 @@ with a permanent status code.

tempfail
Reject all further commands in this session with a temporary status code.
+
shutdown
Close the SMTP connection after sending a 421 +SMTP reply. Available in Postfix 3.11 and later.
+
quarantine
Like "accept", but freeze the message in the "hold" queue. Available with Postfix 2.6 and later.
+

The default action was "tempfail" with Postfix 3.10 and earlier. +

+ +

The default action is "shutdown" with Postfix 3.11 and later, +i.e. disconnect the SMTP client. With the old default, Postfix could +tempfail all messages that the client sends over a long-lived +connection, even if a Milter failure is only temporary.

+

This feature is available in Postfix 2.3 and later.

%PARAM milter_connect_timeout 30s diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index 3acf281bd..ce450a434 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -3558,7 +3558,7 @@ extern char *var_smtpd_milter_maps; extern char *var_cleanup_milters; #define VAR_MILT_DEF_ACTION "milter_default_action" -#define DEF_MILT_DEF_ACTION "tempfail" +#define DEF_MILT_DEF_ACTION "shutdown" extern char *var_milt_def_action; #define VAR_MILT_CONN_MACROS "milter_connect_macros" @@ -3613,10 +3613,6 @@ extern int var_milt_msg_time; #define DEF_MILT_PROTOCOL "6" extern char *var_milt_protocol; -#define VAR_MILT_DEF_ACTION "milter_default_action" -#define DEF_MILT_DEF_ACTION "tempfail" -extern char *var_milt_def_action; - #define VAR_MILT_DAEMON_NAME "milter_macro_daemon_name" #define DEF_MILT_DAEMON_NAME "$" VAR_MYHOSTNAME extern char *var_milt_daemon_name; diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 36b169cdb..5c3206d78 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20251205" +#define MAIL_RELEASE_DATE "20251208" #define MAIL_VERSION_NUMBER "3.11" #ifdef SNAPSHOT diff --git a/postfix/src/milter/milter8.c b/postfix/src/milter/milter8.c index a280134d9..4ecac4ea9 100644 --- a/postfix/src/milter/milter8.c +++ b/postfix/src/milter/milter8.c @@ -523,6 +523,8 @@ static int milter8_conf_error(MILTER8 *milter) } if (strcasecmp(milter->def_action, "accept") == 0) { reply = 0; + } else if (strcasecmp(milter->def_action, "shutdown") == 0) { + reply = "421 4.3.5 Server configuration problem - try again later"; } else if (strcasecmp(milter->def_action, "quarantine") == 0) { reply = "Hdefault_action"; } else { 
@@ -557,6 +559,8 @@ static int milter8_comm_error(MILTER8 *milter) reply = "550 5.5.0 Service unavailable"; } else if (strcasecmp(milter->def_action, "tempfail") == 0) { reply = "451 4.7.1 Service unavailable - try again later"; + } else if (strcasecmp(milter->def_action, "shutdown") == 0) { + reply = "421 Service unavailable - try again later"; } else if (strcasecmp(milter->def_action, "quarantine") == 0) { reply = "Hdefault_action"; } else {
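
Review bot: The new postconf text in proto/postconf.proto (hunk @@ -12358, mirrored in postconf.5.html and man5/postconf.5) explains why the default became "shutdown" but does not tell an operator how to keep the earlier behaviour. Sites that never set milter_default_action in main.cf will switch from a 451-style tempfail to a 421 disconnect on upgrade. Suggest adding one sentence after "The default action was "tempfail" with Postfix 3.10 and earlier." stating that an explicit "milter_default_action = tempfail" retains it.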
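
Review bot: The second mail_params.h hunk (@@ -3613) deletes a duplicate VAR_MILT_DEF_ACTION / DEF_MILT_DEF_ACTION / var_milt_def_action block, which is a separate cleanup from the default change made in the first hunk. The HISTORY entry lists global/mail_params.h but describes only the new default. Suggest mentioning the duplicate removal there, so that the three deleted lines are not read as the parameter being dropped.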
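
Review bot: In milter8_conf_error() (milter8.c hunk @@ -523), the new "shutdown" branch only assigns a reply string, reply = "421 4.3.5 Server configuration problem - try again later", while the documentation added in this commit promises that the SMTP connection is closed. Nothing in the visible lines performs the disconnect, so the behaviour depends on the caller treating a 421 reply as a request to drop the session. Suggest a short comment at this branch naming where the 421 is turned into a disconnect, so a later change to the reply text does not silently turn "shutdown" back into a per-command tempfail.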
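
Review bot: In milter8_comm_error() (milter8.c hunk @@ -557), the "shutdown" reply "421 Service unavailable - try again later" carries no enhanced status code, unlike the adjacent replies "550 5.5.0 Service unavailable" and "451 4.7.1 Service unavailable - try again later", and unlike the "421 4.3.5 ..." reply added to milter8_conf_error() in the same commit. Suggest adding a 4.x.x code here for consistency, since log parsers and sending MTAs that key on the enhanced code will otherwise see the communication-error case differently from every other branch.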