From: Wietse Venema Date: Tue, 8 Jul 2014 07:35:16 +0000 (+1000) Subject: postfix-2.12-20140703 X-Git-Tag: v3.0.0-RC1~47 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1042e00cfd8fd583ab84108f9e8b4d886bfb52a6;p=thirdparty%2Fpostfix.git postfix-2.12-20140703 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index d49bc716a..cdfb5aa0b 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -20094,3 +20094,31 @@ Apologies for any names omitted. mantools/postlink, proto/SMTPD_POLICY_README.html, proto/postconf.proto, smtpd/smtpd.c, smtpd/smtpd_check.c, util/attr_clnt.[hc]. + +20140701 + + Cleanup: documented how Postfix maintains dictionary + provenance. Provenance matters: for example, the owner UID + of an aliases(5) database file determines the execution + privileges for delivery to |command or /file/name. Refined + the algorithm that computes the provenance of a pipemap, + based on the provenance of its constituent lookup tables. + Files: util/dict.[hc], util/dict_pipe.c. + + Cleanup: made mail_spool_directory configurable with "make + makefiles mail_spool_directory=/path/name". This allows + Postfix to be built without any pathnames that reference + system directories. This is useful for testing and sandboxing. + Files: global/mail_params.h, makedefs. + + Cleanup: configurable attr_clnt(3) retry strategy (try limit + and retry delay). Files: util/attr_clnt.[hc]. + + Feature: control over SMTPD policy lookup error handling: + smtpd_policy_service_try_limit, smtpd_policy_service_retry_delay, + smtpd_policy_service_default_action determine how many times + to try to send a policy request before giving up, the delay + before resending a failed policy request, and a default + action when giving up. The defaults are backwards-compatible. + Files: global/mail_params.h, mantools/postlink, + proto/postconf.proto, smtpd/smtpd.c, smtpd/smtpd_check.c. diff --git a/postfix/INSTALL b/postfix/INSTALL index af4c208d6..f30acde50 100644 --- a/postfix/INSTALL +++ b/postfix/INSTALL @@ -408,6 +408,8 @@ postconf.5 | less"). |_____________________|____________________| |html_directory |no | |_____________________|____________________| + |mail_spool_directory |/var/mail | + |_____________________|____________________| |mailq_path |/usr/bin/mailq | |_____________________|____________________| |manpage_directory |/usr/local/man | diff --git a/postfix/README_FILES/INSTALL b/postfix/README_FILES/INSTALL index ac8aeb0c2..e4e5f33e9 100644 --- a/postfix/README_FILES/INSTALL +++ b/postfix/README_FILES/INSTALL @@ -408,6 +408,8 @@ postconf.5 | less"). |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | |html_directory |no | |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |mail_spool_directory |/var/mail | + |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | |mailq_path |/usr/bin/mailq | |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | |manpage_directory |/usr/local/man | diff --git a/postfix/README_FILES/SMTPD_POLICY_README b/postfix/README_FILES/SMTPD_POLICY_README index 6a6e867a4..590d60505 100644 --- a/postfix/README_FILES/SMTPD_POLICY_README +++ b/postfix/README_FILES/SMTPD_POLICY_README @@ -250,17 +250,30 @@ NOTES: Configuration parameters that control the client side of the policy delegation protocol: + * smtpd_policy_service_default_action (default: 451 4.3.5 Server + configuration problem): The default action when an SMTPD policy service + request fails. Available with Postfix 2.12 and later. + * smtpd_policy_service_max_idle (default: 300s): The amount of time before the Postfix SMTP server closes an unused policy client connection. * smtpd_policy_service_max_ttl (default: 1000s): The amount of time before the Postfix SMTP server closes an active policy client connection. + * smtpd_policy_service_request_limit (default: 0): The maximal number of + requests per policy connection, or zero (no limit). Available with Postfix + 2.12 and later. + * smtpd_policy_service_timeout (default: 100s): The time limit to connect to, send to or receive from a policy server. - * smtpd_policy_service_request_limit (default: 0): The maximal number of - requests per policy connection, or zero (no limit). + * smtpd_policy_service_try_limit (default: 2): The maximal number of attempts + to send an SMTPD policy service request before giving up. Available with + Postfix 2.12 and later. + + * smtpd_policy_service_retry_delay (default: 1s): The delay between attempts + to resend a failed SMTPD policy service request. Available with Postfix + 2.12 and later. Configuration parameters that control the server side of the policy delegation protocol: diff --git a/postfix/html/INSTALL.html b/postfix/html/INSTALL.html index cd8869492..06d9c3128 100644 --- a/postfix/html/INSTALL.html +++ b/postfix/html/INSTALL.html @@ -588,6 +588,8 @@ listed below. See the postconf(5) manpage for a de html_directory no + mail_spool_directory /var/mail + mailq_path /usr/bin/mailq manpage_directory /usr/local/man diff --git a/postfix/html/SMTPD_POLICY_README.html b/postfix/html/SMTPD_POLICY_README.html index 3c404154c..bd28f9037 100644 --- a/postfix/html/SMTPD_POLICY_README.html +++ b/postfix/html/SMTPD_POLICY_README.html @@ -337,6 +337,11 @@ policy delegation protocol:

diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 832cfb1d0..48a9075ef 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -14083,6 +14083,33 @@ Postfix releases, the behavior is as if this parameter is set to "no".

+ + +
smtpd_policy_service_default_action +(default: 451 4.3.5 Server configuration problem)
+ +

The default action when an SMTPD policy service request fails. +Specify "DUNNO" to behave as if the failed SMTPD policy service +request was not sent, and to continue processing other access +restrictions, if any.

+ +

Limitations:

+ + + +

This feature is available in Postfix 2.12 and later.

+ +
smtpd_policy_service_max_idle @@ -14119,12 +14146,11 @@ This feature is available in Postfix 2.1 and later. (default: 0)

-The maximal number of requests per Postfix SMTP server policy -connection, or zero (no limit). Once a connection reaches this -limit, the connection is closed and the next request will be sent -over a new connection. This is a workaround to avoid error-recovery -delays with policy servers that cannot maintain a persistent -connection. +The maximal number of requests per SMTPD policy service connection, +or zero (no limit). Once a connection reaches this limit, the +connection is closed and the next request will be sent over a new +connection. This is a workaround to avoid error-recovery delays +with policy servers that cannot maintain a persistent connection.

@@ -14132,13 +14158,24 @@ This feature is available in Postfix 2.12 and later.

+
+ +
smtpd_policy_service_retry_delay +(default: 1s)
+ +

The delay between attempts to resend a failed SMTPD policy +service request. Specify a value greater than zero.

+ +

This feature is available in Postfix 2.12 and later.

+ +
smtpd_policy_service_timeout (default: 100s)

-The time limit for connecting to, writing to or receiving from a +The time limit for connecting to, writing to, or receiving from a delegated SMTPD policy server.

@@ -14147,6 +14184,17 @@ This feature is available in Postfix 2.1 and later.

+
+ +
smtpd_policy_service_try_limit +(default: 2)
+ +

The maximal number of attempts to send an SMTPD policy service +request before giving up. Specify a value greater than zero.

+ +

This feature is available in Postfix 2.12 and later.

+ +
smtpd_proxy_ehlo diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html index 641f28471..0810ca7a2 100644 --- a/postfix/html/smtpd.8.html +++ b/postfix/html/smtpd.8.html @@ -859,14 +859,26 @@ SMTPD(8) SMTPD(8) is closed. smtpd_policy_service_timeout (100s) - The time limit for connecting to, writing to or receiving from a - delegated SMTPD policy server. + The time limit for connecting to, writing to, or receiving from + a delegated SMTPD policy server. Available in Postfix version 2.12 and later: + smtpd_policy_service_default_action (451 4.3.5 Server configuration + problem) + The default action when an SMTPD policy service request fails. + smtpd_policy_service_request_limit (0) - The maximal number of requests per Postfix SMTP server policy - connection, or zero (no limit). + The maximal number of requests per SMTPD policy service connec- + tion, or zero (no limit). + + smtpd_policy_service_try_limit (2) + The maximal number of attempts to send an SMTPD policy service + request before giving up. + + smtpd_policy_service_retry_delay (1s) + The delay between attempts to resend a failed SMTPD policy ser- + vice request. ACCESS CONTROLS The SMTPD_ACCESS_README document gives an introduction to all the SMTP diff --git a/postfix/makedefs b/postfix/makedefs index d5d9e3d1b..0b5a7aeed 100644 --- a/postfix/makedefs +++ b/postfix/makedefs @@ -104,8 +104,9 @@ # # command_directory config_directory daemon_directory # data_directory default_database_type html_directory -# mailq_path manpage_directory meta_directory newaliases_path -# queue_directory readme_directory sendmail_path shlib_directory +# mail_spool_directory mailq_path manpage_directory meta_directory +# newaliases_path queue_directory readme_directory sendmail_path +# shlib_directory # # See the postconf(5) manpage for a description of these # parameters. @@ -790,6 +791,7 @@ command_directory_macro=DEF_COMMAND_DIR config_directory_macro=DEF_CONFIG_DIR daemon_directory_macro=DEF_DAEMON_DIR data_directory_macro=DEF_DATA_DIR +mail_spool_directory_macro=DEF_MAIL_SPOOL_DIR mailq_path_macro=DEF_MAILQ_PATH meta_directory_macro=DEF_META_DIR newaliases_path_macro=DEF_NEWALIAS_PATH @@ -801,8 +803,8 @@ shlib_directory_macro=DEF_SHLIB_DIR # Instead, build with "dynamicmaps=no" and "shared=no" as appropriate. for parm_name in command_directory config_directory daemon_directory \ - data_directory mailq_path meta_directory newaliases_path \ - queue_directory sendmail_path shlib_directory + data_directory mail_spool_directory mailq_path meta_directory \ + newaliases_path queue_directory sendmail_path shlib_directory do eval parm_val=\"\$$parm_name\" eval parm_macro=\"\$${parm_name}_macro\" diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 7fdda2a1a..31c6253e3 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -9360,6 +9360,24 @@ sent or received within the per-record deadline. This feature is available in Postfix 2.9 and later. With older Postfix releases, the behavior is as if this parameter is set to "no". +.SH smtpd_policy_service_default_action (default: 451 4.3.5 Server configuration problem) +The default action when an SMTPD policy service request fails. +Specify "DUNNO" to behave as if the failed SMTPD policy service +request was not sent, and to continue processing other access +restrictions, if any. +.PP +Limitations: +.IP \(bu +This parameter may specify any value that would be a valid +SMTPD policy server response (or \fBaccess\fR(5) map lookup result). An +\fBaccess\fR(5) map or policy server in this parameter value may need to +be declared in advance with a restriction_class setting. +.IP \(bu +If the specified action invokes another check_policy_service +request, that request will have the built-in default action. +.br +.PP +This feature is available in Postfix 2.12 and later. .SH smtpd_policy_service_max_idle (default: 300s) The time after which an idle SMTPD policy service connection is closed. @@ -9371,19 +9389,28 @@ closed. .PP This feature is available in Postfix 2.1 and later. .SH smtpd_policy_service_request_limit (default: 0) -The maximal number of requests per Postfix SMTP server policy -connection, or zero (no limit). Once a connection reaches this -limit, the connection is closed and the next request will be sent -over a new connection. This is a workaround to avoid error-recovery -delays with policy servers that cannot maintain a persistent -connection. +The maximal number of requests per SMTPD policy service connection, +or zero (no limit). Once a connection reaches this limit, the +connection is closed and the next request will be sent over a new +connection. This is a workaround to avoid error-recovery delays +with policy servers that cannot maintain a persistent connection. +.PP +This feature is available in Postfix 2.12 and later. +.SH smtpd_policy_service_retry_delay (default: 1s) +The delay between attempts to resend a failed SMTPD policy +service request. Specify a value greater than zero. .PP This feature is available in Postfix 2.12 and later. .SH smtpd_policy_service_timeout (default: 100s) -The time limit for connecting to, writing to or receiving from a +The time limit for connecting to, writing to, or receiving from a delegated SMTPD policy server. .PP This feature is available in Postfix 2.1 and later. +.SH smtpd_policy_service_try_limit (default: 2) +The maximal number of attempts to send an SMTPD policy service +request before giving up. Specify a value greater than zero. +.PP +This feature is available in Postfix 2.12 and later. .SH smtpd_proxy_ehlo (default: $myhostname) How the Postfix SMTP server announces itself to the proxy filter. By default, the Postfix hostname is used. diff --git a/postfix/man/man8/smtpd.8 b/postfix/man/man8/smtpd.8 index 3cea206f9..e521a89aa 100644 --- a/postfix/man/man8/smtpd.8 +++ b/postfix/man/man8/smtpd.8 @@ -766,13 +766,21 @@ closed. The time after which an active SMTPD policy service connection is closed. .IP "\fBsmtpd_policy_service_timeout (100s)\fR" -The time limit for connecting to, writing to or receiving from a +The time limit for connecting to, writing to, or receiving from a delegated SMTPD policy server. .PP Available in Postfix version 2.12 and later: +.IP "\fBsmtpd_policy_service_default_action (451 4.3.5 Server configuration problem)\fR" +The default action when an SMTPD policy service request fails. .IP "\fBsmtpd_policy_service_request_limit (0)\fR" -The maximal number of requests per Postfix SMTP server policy -connection, or zero (no limit). +The maximal number of requests per SMTPD policy service connection, +or zero (no limit). +.IP "\fBsmtpd_policy_service_try_limit (2)\fR" +The maximal number of attempts to send an SMTPD policy service +request before giving up. +.IP "\fBsmtpd_policy_service_retry_delay (1s)\fR" +The delay between attempts to resend a failed SMTPD policy +service request. .SH "ACCESS CONTROLS" .na .nf diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink index 79c89a319..513ab23b9 100755 --- a/postfix/mantools/postlink +++ b/postfix/mantools/postlink @@ -546,6 +546,9 @@ while (<>) { s;\bsmtpd_policy_service_max_ttl\b;$&;g; s;\bsmtpd_policy_service_timeout\b;$&;g; s;\bsmtpd_policy_service_request_limit\b;$&;g; + s;\bsmtpd_policy_service_default_action\b;$&;g; + s;\bsmtpd_policy_service_try_limit\b;$&;g; + s;\bsmtpd_policy_service_retry_delay\b;$&;g; s;\bsmtpd_proxy_ehlo\b;$&;g; s;\bsmtpd_proxy_filter\b;$&;g; s;\bsmtpd_proxy_timeout\b;$&;g; diff --git a/postfix/proto/INSTALL.html b/postfix/proto/INSTALL.html index 2b3f165e5..2e43d3242 100644 --- a/postfix/proto/INSTALL.html +++ b/postfix/proto/INSTALL.html @@ -588,6 +588,8 @@ listed below. See the postconf(5) manpage for a description html_directory no + mail_spool_directory /var/mail + mailq_path /usr/bin/mailq manpage_directory /usr/local/man diff --git a/postfix/proto/SMTPD_POLICY_README.html b/postfix/proto/SMTPD_POLICY_README.html index 7d59b09a9..f425863fc 100644 --- a/postfix/proto/SMTPD_POLICY_README.html +++ b/postfix/proto/SMTPD_POLICY_README.html @@ -337,6 +337,11 @@ policy delegation protocol:

    +

  • smtpd_policy_service_default_action (default: 451 4.3.5 +Server configuration problem): The default action when an SMTPD +policy service request fails. Available with Postfix 2.12 and +later.

    +

  • smtpd_policy_service_max_idle (default: 300s): The amount of time before the Postfix SMTP server closes an unused policy client connection.

    @@ -345,11 +350,20 @@ client connection.

    of time before the Postfix SMTP server closes an active policy client connection.

    +

  • smtpd_policy_service_request_limit (default: 0): The maximal +number of requests per policy connection, or zero (no limit). +Available with Postfix 2.12 and later.

    +

  • smtpd_policy_service_timeout (default: 100s): The time limit to connect to, send to or receive from a policy server.

    -

  • smtpd_policy_service_request_limit (default: 0): The maximal -number of requests per policy connection, or zero (no limit).

    +

  • smtpd_policy_service_try_limit (default: 2): The maximal +number of attempts to send an SMTPD policy service request before +giving up. Available with Postfix 2.12 and later.

    + +

  • smtpd_policy_service_retry_delay (default: 1s): The delay +between attempts to resend a failed SMTPD policy service request. +Available with Postfix 2.12 and later.

diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 4b9d531bc..5b614ccbf 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -8335,7 +8335,7 @@ This feature is available in Postfix 2.1 and later. %PARAM smtpd_policy_service_timeout 100s

-The time limit for connecting to, writing to or receiving from a +The time limit for connecting to, writing to, or receiving from a delegated SMTPD policy server.

@@ -8346,12 +8346,11 @@ This feature is available in Postfix 2.1 and later. %PARAM smtpd_policy_service_request_limit 0

-The maximal number of requests per Postfix SMTP server policy -connection, or zero (no limit). Once a connection reaches this -limit, the connection is closed and the next request will be sent -over a new connection. This is a workaround to avoid error-recovery -delays with policy servers that cannot maintain a persistent -connection. +The maximal number of requests per SMTPD policy service connection, +or zero (no limit). Once a connection reaches this limit, the +connection is closed and the next request will be sent over a new +connection. This is a workaround to avoid error-recovery delays +with policy servers that cannot maintain a persistent connection.

@@ -16006,3 +16005,40 @@ installing or upgrading Postfix, or specify "meta_directory = command line.

This feature is available in Postfix 2.12 and later.

+ +%PARAM smtpd_policy_service_default_action 451 4.3.5 Server configuration problem + +

The default action when an SMTPD policy service request fails. +Specify "DUNNO" to behave as if the failed SMTPD policy service +request was not sent, and to continue processing other access +restrictions, if any.

+ +

Limitations:

+ +
    + +

  • This parameter may specify any value that would be a valid +SMTPD policy server response (or access(5) map lookup result). An +access(5) map or policy server in this parameter value may need to +be declared in advance with a restriction_class setting.

    + +

  • If the specified action invokes another check_policy_service +request, that request will have the built-in default action.

    + +
+ +

This feature is available in Postfix 2.12 and later.

+ +%PARAM smtpd_policy_service_try_limit 2 + +

The maximal number of attempts to send an SMTPD policy service +request before giving up. Specify a value greater than zero.

+ +

This feature is available in Postfix 2.12 and later.

+ +%PARAM smtpd_policy_service_retry_delay 1s + +

The delay between attempts to resend a failed SMTPD policy +service request. Specify a value greater than zero.

+ +

This feature is available in Postfix 2.12 and later.

diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index e96d165a5..877d89c03 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -524,7 +524,9 @@ extern char *var_luser_relay; * Local delivery: mailbox delivery. */ #define VAR_MAIL_SPOOL_DIR "mail_spool_directory" +#ifndef DEF_MAIL_SPOOL_DIR #define DEF_MAIL_SPOOL_DIR _PATH_MAILDIR +#endif extern char *var_mail_spool_dir; #define VAR_HOME_MAILBOX "home_mailbox" @@ -2896,6 +2898,18 @@ extern int var_smtpd_policy_idle; #define DEF_SMTPD_POLICY_TTL "1000s" extern int var_smtpd_policy_ttl; +#define VAR_SMTPD_POLICY_TRY_LIMIT "smtpd_policy_service_try_limit" +#define DEF_SMTPD_POLICY_TRY_LIMIT 2 +extern int var_smtpd_policy_try_limit; + +#define VAR_SMTPD_POLICY_TRY_DELAY "smtpd_policy_service_retry_delay" +#define DEF_SMTPD_POLICY_TRY_DELAY "1s" +extern int var_smtpd_policy_try_delay; + +#define VAR_SMTPD_POLICY_DEF_ACTION "smtpd_policy_service_default_action" +#define DEF_SMTPD_POLICY_DEF_ACTION "451 4.3.5 Server configuration problem" +extern char *var_smtpd_policy_def_action; + #define CHECK_POLICY_SERVICE "check_policy_service" /* diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 66222c83a..6a46a760c 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20140701" +#define MAIL_RELEASE_DATE "20140703" #define MAIL_VERSION_NUMBER "2.12" #ifdef SNAPSHOT diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c index 4b8a6ba2b..8784cf236 100644 --- a/postfix/src/smtpd/smtpd.c +++ b/postfix/src/smtpd/smtpd.c @@ -718,13 +718,21 @@ /* The time after which an active SMTPD policy service connection is /* closed. /* .IP "\fBsmtpd_policy_service_timeout (100s)\fR" -/* The time limit for connecting to, writing to or receiving from a +/* The time limit for connecting to, writing to, or receiving from a /* delegated SMTPD policy server. /* .PP /* Available in Postfix version 2.12 and later: +/* .IP "\fBsmtpd_policy_service_default_action (451 4.3.5 Server configuration problem)\fR" +/* The default action when an SMTPD policy service request fails. /* .IP "\fBsmtpd_policy_service_request_limit (0)\fR" -/* The maximal number of requests per Postfix SMTP server policy -/* connection, or zero (no limit). +/* The maximal number of requests per SMTPD policy service connection, +/* or zero (no limit). +/* .IP "\fBsmtpd_policy_service_try_limit (2)\fR" +/* The maximal number of attempts to send an SMTPD policy service +/* request before giving up. +/* .IP "\fBsmtpd_policy_service_retry_delay (1s)\fR" +/* The delay between attempts to resend a failed SMTPD policy +/* service request. /* ACCESS CONTROLS /* .ad /* .fi @@ -1230,6 +1238,9 @@ char *var_smtpd_proxy_opts; char *var_input_transp; int var_smtpd_policy_tmout; int var_smtpd_policy_req_limit; +int var_smtpd_policy_try_limit; +int var_smtpd_policy_try_delay; +char *var_smtpd_policy_def_action; int var_smtpd_policy_idle; int var_smtpd_policy_ttl; char *var_xclient_hosts; @@ -5327,6 +5338,7 @@ int main(int argc, char **argv) VAR_SMTPD_TLS_CCERT_VD, DEF_SMTPD_TLS_CCERT_VD, &var_smtpd_tls_ccert_vd, 0, 0, #endif VAR_SMTPD_POLICY_REQ_LIMIT, DEF_SMTPD_POLICY_REQ_LIMIT, &var_smtpd_policy_req_limit, 0, 0, + VAR_SMTPD_POLICY_TRY_LIMIT, DEF_SMTPD_POLICY_TRY_LIMIT, &var_smtpd_policy_try_limit, 1, 0, 0, }; static const CONFIG_TIME_TABLE time_table[] = { @@ -5345,6 +5357,7 @@ int main(int argc, char **argv) VAR_MILT_MSG_TIME, DEF_MILT_MSG_TIME, &var_milt_msg_time, 1, 0, VAR_VERIFY_SENDER_TTL, DEF_VERIFY_SENDER_TTL, &var_verify_sender_ttl, 0, 0, VAR_SMTPD_UPROXY_TMOUT, DEF_SMTPD_UPROXY_TMOUT, &var_smtpd_uproxy_tmout, 1, 0, + VAR_SMTPD_POLICY_TRY_DELAY, DEF_SMTPD_POLICY_TRY_DELAY, &var_smtpd_policy_try_delay, 1, 0, 0, }; static const CONFIG_BOOL_TABLE bool_table[] = { @@ -5476,6 +5489,7 @@ int main(int argc, char **argv) #endif VAR_SMTPD_ACL_PERM_LOG, DEF_SMTPD_ACL_PERM_LOG, &var_smtpd_acl_perm_log, 0, 0, VAR_SMTPD_UPROXY_PROTO, DEF_SMTPD_UPROXY_PROTO, &var_smtpd_uproxy_proto, 0, 0, + VAR_SMTPD_POLICY_DEF_ACTION, DEF_SMTPD_POLICY_DEF_ACTION, &var_smtpd_policy_def_action, 1, 0, 0, }; static const CONFIG_RAW_TABLE raw_table[] = { diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c index 2774650a0..6c342ac90 100644 --- a/postfix/src/smtpd/smtpd_check.c +++ b/postfix/src/smtpd/smtpd_check.c @@ -466,8 +466,11 @@ static void policy_client_register(const char *name) var_smtpd_policy_tmout, var_smtpd_policy_idle, var_smtpd_policy_ttl); - attr_clnt_control(client, ATTR_CLNT_CTL_REQ_LIMIT, - var_smtpd_policy_req_limit, ATTR_CLNT_CTL_END); + attr_clnt_control(client, + ATTR_CLNT_CTL_REQ_LIMIT, var_smtpd_policy_req_limit, + ATTR_CLNT_CTL_TRY_LIMIT, var_smtpd_policy_try_limit, + ATTR_CLNT_CTL_TRY_DELAY, var_smtpd_policy_try_delay, + ATTR_CLNT_CTL_END); htable_enter(policy_clnt_table, name, (char *) client); } } @@ -3702,9 +3705,28 @@ static int check_policy_service(SMTPD_STATE *state, const char *server, ATTR_FLAG_MISSING, /* Reply attributes. */ ATTR_TYPE_STR, MAIL_ATTR_ACTION, action, ATTR_TYPE_END) != 1) { - ret = smtpd_check_reject(state, MAIL_ERROR_POLICY, - 451, "4.3.5", - "Server configuration problem"); + NOCLOBBER static int nesting_level = 0; + jmp_buf savebuf; + int status; + + /* + * Safety to prevent recursive execution of the default action. + */ + nesting_level += 1; + memcpy(ADDROF(savebuf), ADDROF(smtpd_check_buf), sizeof(savebuf)); + status = setjmp(smtpd_check_buf); + if (status != 0) { + nesting_level -= 1; + memcpy(ADDROF(smtpd_check_buf), ADDROF(savebuf), + sizeof(smtpd_check_buf)); + longjmp(smtpd_check_buf, status); + } + ret = check_table_result(state, server, nesting_level == 1 ? + var_smtpd_policy_def_action : + DEF_SMTPD_POLICY_DEF_ACTION, + "policy query", reply_name, + reply_class, def_acl); + nesting_level -= 1; } else { /* diff --git a/postfix/src/util/attr_clnt.c b/postfix/src/util/attr_clnt.c index ed8dddcd9..b9cf682c3 100644 --- a/postfix/src/util/attr_clnt.c +++ b/postfix/src/util/attr_clnt.c @@ -55,8 +55,16 @@ /* Specifies alternatives for the attr_plain_print() and /* attr_plain_scan() functions. /* .IP "ATTR_CLNT_CTL_REQ_LIMIT(int)" -/* The maximal number of requests per connection. To enable -/* the limit, specify a value greater than zero. +/* The maximal number of requests per connection (default: 0, +/* i.e. no limit). To enable the limit, specify a value greater +/* than zero. +/* .IP "ATTR_CLNT_CTL_TRY_LIMIT(int)" +/* The maximal number of attempts to send a request before +/* giving up (default: 2). To disable the limit, specify a +/* value equal to zero. +/* .IP "ATTR_CLNT_CTL_TRY_DELAY(int)" +/* The time in seconds between attempts to send a request +/* (default: 1). Specify a value greater than zero. /* DIAGNOSTICS /* Warnings: communication failure. /* SEE ALSO @@ -96,12 +104,19 @@ struct ATTR_CLNT { AUTO_CLNT *auto_clnt; + /* Remaining properties are set with attr_clnt_control(). */ ATTR_CLNT_PRINT_FN print; ATTR_CLNT_SCAN_FN scan; int req_limit; int req_count; + int try_limit; + int try_delay; }; +#define ATTR_CLNT_DEF_REQ_LIMIT (0) /* default per-session request limit */ +#define ATTR_CLNT_DEF_TRY_LIMIT (2) /* default request (re)try limit */ +#define ATTR_CLNT_DEF_TRY_DELAY (1) /* default request (re)try delay */ + /* attr_clnt_free - destroy attribute client */ void attr_clnt_free(ATTR_CLNT *client) @@ -121,8 +136,10 @@ ATTR_CLNT *attr_clnt_create(const char *service, int timeout, client->auto_clnt = auto_clnt_create(service, timeout, max_idle, max_ttl); client->scan = attr_vscan_plain; client->print = attr_vprint_plain; - client->req_limit = 0; + client->req_limit = ATTR_CLNT_DEF_REQ_LIMIT; client->req_count = 0; + client->try_limit = ATTR_CLNT_DEF_TRY_LIMIT; + client->try_delay = ATTR_CLNT_DEF_TRY_DELAY; return (client); } @@ -205,17 +222,17 @@ int attr_clnt_request(ATTR_CLNT *client, int send_flags,...) } } } - if (++count >= 2 + if ((++count >= client->try_limit && client->try_limit > 0) || msg_verbose || (errno && errno != EPIPE && errno != ENOENT && errno != ECONNRESET)) msg_warn("problem talking to server %s: %m", auto_clnt_name(client->auto_clnt)); /* Finalize argument lists before returning. */ - if (count >= 2) { + if (count >= client->try_limit && client->try_limit > 0) { ret = -1; break; } - sleep(1); /* XXX make configurable */ + sleep(client->try_delay); auto_clnt_recover(client->auto_clnt); client->req_count = 0; } @@ -239,8 +256,26 @@ void attr_clnt_control(ATTR_CLNT *client, int name,...) break; case ATTR_CLNT_CTL_REQ_LIMIT: client->req_limit = va_arg(ap, int); + if (client->req_limit < 0) + msg_panic("%s: bad request limit: %d", + myname, client->req_limit); if (msg_verbose) - msg_info("%s: new request limit %d", myname, client->req_limit); + msg_info("%s: new request limit %d", + myname, client->req_limit); + break; + case ATTR_CLNT_CTL_TRY_LIMIT: + client->try_limit = va_arg(ap, int); + if (client->try_limit < 0) + msg_panic("%s: bad retry limit: %d", myname, client->try_limit); + if (msg_verbose) + msg_info("%s: new retry limit %d", myname, client->try_limit); + break; + case ATTR_CLNT_CTL_TRY_DELAY: + client->try_delay = va_arg(ap, int); + if (client->try_delay <= 0) + msg_panic("%s: bad retry delay: %d", myname, client->try_delay); + if (msg_verbose) + msg_info("%s: new retry delay %d", myname, client->try_delay); break; default: msg_panic("%s: bad name %d", myname, name); diff --git a/postfix/src/util/attr_clnt.h b/postfix/src/util/attr_clnt.h index fac4a5b0f..9f038e289 100644 --- a/postfix/src/util/attr_clnt.h +++ b/postfix/src/util/attr_clnt.h @@ -34,8 +34,10 @@ extern void attr_clnt_free(ATTR_CLNT *); extern void attr_clnt_control(ATTR_CLNT *, int, ...); #define ATTR_CLNT_CTL_END 0 -#define ATTR_CLNT_CTL_PROTO 1 -#define ATTR_CLNT_CTL_REQ_LIMIT 2 +#define ATTR_CLNT_CTL_PROTO 1 /* print/scan functions */ +#define ATTR_CLNT_CTL_REQ_LIMIT 2 /* requests per connection */ +#define ATTR_CLNT_CTL_TRY_LIMIT 3 /* attempts per request */ +#define ATTR_CLNT_CTL_TRY_DELAY 4 /* pause between requests */ /* LICENSE /* .ad diff --git a/postfix/src/util/dict.c b/postfix/src/util/dict.c index f962fe6be..769b16b3c 100644 --- a/postfix/src/util/dict.c +++ b/postfix/src/util/dict.c @@ -48,6 +48,13 @@ /* const char *dict_name; /* /* const char *dict_changed_name() +/* +/* void DICT_OWNER_AGGREGATE_INIT(aggregate) +/* DICT_OWNER aggregate; +/* +/* void DICT_OWNER_AGGREGATE_UPDATE(aggregate, source) +/* DICT_OWNER aggregate; +/* DICT_OWNER source; /* AUXILIARY FUNCTIONS /* int dict_load_file_xt(dict_name, path) /* const char *dict_name; @@ -159,6 +166,43 @@ /* /* dict_flags_mask() returns the bitmask for the specified /* comma/space-separated dictionary flag names. +/* TRUST AND PROVENANCE +/* .ad +/* .fi +/* Each dictionary has an owner attribute that contains (status, +/* uid) information about the owner of a dictionary. The +/* status is one of the following: +/* .IP DICT_OWNER_TRUSTED +/* The dictionary is owned by a trusted user. The uid is zero, +/* and specifies a UNIX user ID. +/* .IP DICT_OWNER_UNTRUSTED +/* The dictionary is owned by an untrusted user. The uid is +/* non-zero, and specifies a UNIX user ID. +/* .IP DICT_OWNER_UNKNOWN +/* The dictionary is owned by an unspecified user. For example, +/* the origin is unauthenticated, or different parts of a +/* dictionary aggregate (see below) are owned by different +/* untrusted users. The uid is non-zero and does not specify +/* a UNIX user ID. +/* .PP +/* Note that dictionary ownership does not necessarily imply +/* ownership of lookup results. For example, a PCRE table may +/* be owned by the trusted root user, but the result of $number +/* expansion can contain data from an arbitrary remote SMTP +/* client. See dict_open(3) for how to disallow $number +/* expansions with security-sensitive operations. +/* +/* Two macros are available to help determine the provenance +/* and trustworthiness of a dictionary aggregate. The macros +/* are unsafe because they may evaluate arguments more than +/* once. +/* +/* DICT_OWNER_AGGREGATE_INIT() initialize aggregate owner +/* attributes to the highest trust level. +/* +/* DICT_OWNER_AGGREGATE_UPDATE() updates the aggregate owner +/* attributes with the attributes of the specified source, and +/* reduces the aggregate trust level as appropriate. /* SEE ALSO /* htable(3) /* BUGS diff --git a/postfix/src/util/dict.h b/postfix/src/util/dict.h index db73624ff..70b7be5ff 100644 --- a/postfix/src/util/dict.h +++ b/postfix/src/util/dict.h @@ -39,16 +39,34 @@ typedef struct DICT_OWNER { uid_t uid; /* use only if status == UNTRUSTED */ } DICT_OWNER; + /* + * Note that trust levels are not in numerical order. + */ #define DICT_OWNER_UNKNOWN (-1) /* ex: unauthenticated tcp, proxy */ #define DICT_OWNER_TRUSTED (!1) /* ex: root-owned config file */ #define DICT_OWNER_UNTRUSTED (!0) /* ex: non-root config file */ -#define DICT_OWNER_AGGREGATE(dst, src) do { \ - if ((src).status == DICT_OWNER_UNKNOWN) { \ - (dst).status = (src).status; \ - (dst).uid = ~0; \ - } else if ((src).status == DICT_OWNER_UNTRUSTED) { \ - (dst).status = (src).status; \ + /* + * When combining tables with different provenance, we initialize to the + * highest trust level, and remember the lowest trust level that we find + * during aggregation. If we combine tables that are owned by different + * untrusted users, the resulting provenance is "unknown". + */ +#define DICT_OWNER_AGGREGATE_INIT(dst) { \ + (dst).status = DICT_OWNER_TRUSTED; \ + (dst).uid = 0; \ + } while (0) + + /* + * The following is derived from the 3x3 transition matrix. + */ +#define DICT_OWNER_AGGREGATE_UPDATE(dst, src) do { \ + if ((dst).status == DICT_OWNER_TRUSTED \ + || (src).status == DICT_OWNER_UNKNOWN) { \ + (dst) = (src); \ + } else if ((dst).status == (src).status \ + && (dst).uid != (src).uid) { \ + (dst).status = DICT_OWNER_UNKNOWN; \ (dst).uid = ~0; \ } \ } while (0) diff --git a/postfix/src/util/dict_pipe.c b/postfix/src/util/dict_pipe.c index 37c4f37b0..8102cc936 100644 --- a/postfix/src/util/dict_pipe.c +++ b/postfix/src/util/dict_pipe.c @@ -20,9 +20,9 @@ /* When any table lookup produces no result, the pipeline /* produces no result. /* -/* The ASCII character after "pipemap:" will be used as the -/* separator between the lookup tables that follow (do not use -/* space, ",", ":" or non-ASCII). +/* The first ASCII character after "pipemap:" will be used as +/* the separator between the lookup tables that follow (do not +/* use space, ",", ":" or non-ASCII). /* /* The open_flags and dict_flags arguments are passed on to /* the underlying dictionaries. @@ -116,11 +116,6 @@ DICT *dict_pipe_open(const char *name, int open_flags, int dict_flags) struct DICT_OWNER aggr_owner; char delim[2]; -#ifdef DICT_TYPE_PIPE_LEGACY - msg_warn("obsolete dictionary type: \"%s\"; use \"%s\" instead", - DICT_TYPE_PIPE_LEGACY, DICT_TYPE_PIPE); -#endif - /* * Clarity first. Let the optimizer worry about redundant code. */ @@ -155,7 +150,8 @@ DICT *dict_pipe_open(const char *name, int open_flags, int dict_flags) if (*saved_name == 0) DICT_PIPE_RETURN(dict_surrogate(DICT_TYPE_PIPE, name, open_flags, dict_flags, - "bad syntax: \"%s:%s\"; need \"%s:%stype:name%s...\"", + "bad syntax: \"%s:%s\"; " + "need \"%s:%stype:name%s...\"", DICT_TYPE_PIPE, name, DICT_TYPE_PIPE, delim, delim)); @@ -163,8 +159,7 @@ DICT *dict_pipe_open(const char *name, int open_flags, int dict_flags) * The least-trusted table in the pipeline determines the over-all trust * level. The first table determines the pattern-matching flags. */ - aggr_owner.status = DICT_OWNER_TRUSTED; - aggr_owner.uid = 0; + DICT_OWNER_AGGREGATE_INIT(aggr_owner); argv = argv_split(saved_name, delim); for (cpp = argv->argv; (dict_type_name = *cpp) != 0; cpp++) { if (msg_verbose) @@ -172,14 +167,14 @@ DICT *dict_pipe_open(const char *name, int open_flags, int dict_flags) if (strchr(dict_type_name, ':') == 0) DICT_PIPE_RETURN(dict_surrogate(DICT_TYPE_PIPE, name, open_flags, dict_flags, - "bad syntax: \"%s\" in \"%s:%s\"; " - "need \"type:name\"", - dict_type_name, DICT_TYPE_PIPE, - name)); + "bad syntax: \"%s:%s\"; " + "need \"%s:%stype:name%s...\"", + DICT_TYPE_PIPE, name, + DICT_TYPE_PIPE, delim, delim)); if ((dict = dict_handle(dict_type_name)) == 0) dict = dict_open(dict_type_name, open_flags, dict_flags); dict_register(dict_type_name, dict); - DICT_OWNER_AGGREGATE(aggr_owner, dict->owner); + DICT_OWNER_AGGREGATE_UPDATE(aggr_owner, dict->owner); if (cpp == argv->argv) match_flags = dict->flags & (DICT_FLAG_FIXED | DICT_FLAG_PATTERN); } diff --git a/postfix/src/util/dict_random.c b/postfix/src/util/dict_random.c index 0f1f07a29..af975bd34 100644 --- a/postfix/src/util/dict_random.c +++ b/postfix/src/util/dict_random.c @@ -82,11 +82,6 @@ DICT *dict_random_open(const char *name, int open_flags, int dict_flags) char *saved_name = 0; char delim[2]; -#ifdef DICT_TYPE_RANDOM_LEGACY - msg_warn("obsolete dictionary type: \"%s\"; use \"%s\" instead", - DICT_TYPE_RANDOM_LEGACY, DICT_TYPE_RANDOM); -#endif - /* * Clarity first. Let the optimizer worry about redundant code. */ diff --git a/postfix/src/util/dict_test.c b/postfix/src/util/dict_test.c index 93d3f7dca..f988f3276 100644 --- a/postfix/src/util/dict_test.c +++ b/postfix/src/util/dict_test.c @@ -84,6 +84,13 @@ void dict_test(int argc, char **argv) dict_allow_surrogate = 1; dict = dict_open(dict_name, open_flags, dict_flags); dict_register(dict_name, dict); + vstream_printf("owner=%s (uid=%ld)\n", + dict->owner.status == DICT_OWNER_TRUSTED ? "trusted" : + dict->owner.status == DICT_OWNER_UNTRUSTED? "untrusted" : + dict->owner.status == DICT_OWNER_UNKNOWN? "unspecified" : + "error", (long) dict->owner.uid); + vstream_fflush(VSTREAM_OUT); + while (vstring_fgets_nonl(inbuf, VSTREAM_IN)) { bufp = vstring_str(inbuf); if (!isatty(0)) {