From: Wietse Venema Date: Fri, 8 Nov 2002 05:00:00 +0000 (-0500) Subject: postfix-1.1.11-20021108 X-Git-Tag: v2.0.0~18 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2318c57bbb3008a2763cf06d8d84ffd8546837bf;p=thirdparty%2Fpostfix.git postfix-1.1.11-20021108 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index c934dc62c..05e51cb5e 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -7165,15 +7165,20 @@ Apologies for any names omitted. indices in replacement text, and silently treated $text as $0. Found by Michael Tokarev. File: dict_pcre.c. -20021107 +20021108 - The behavior of the SMTP server's defer_if_permit flag has - changed. The flag is still set when an UCE reject restriction - fails due to a temporary (DNS) problem, to prevent unwanted - mail from slipping through. However, the flag is no longer - tested at the end of client, helo or sender restrictions. - Instead, the flag is now tested at the end of the ETRN and - recipient restrictions only. + Cleanup: the behavior of the SMTP server's defer_if_permit + flag was changed, in order to maximize the opportunity to + permanently reject mail without opening opportunities for + losing legitimate mail. This was done in cooperation with + Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c. + + The defer_if_permit flag is still set when an UCE reject + restriction fails due to a temporary (e.g., DNS) problem, + to prevent unwanted mail from slipping through. However, + the flag is no longer tested at the end of client, helo or + sender restrictions. Instead, the flag is now tested at + the end of the ETRN and recipient restrictions only. The behavior of the warn_if_reject restriction has changed. It no longer activates any already made defer_if_permit or @@ -7181,9 +7186,9 @@ Apologies for any names omitted. when some UCE permit restriction fails due to a temporary (DNS) problem, to avoid loss of legitimate mail). - Instead of setting the defer_if_permit flag, a failing - reject restriction after warn_if_reject now merely logs - that it would have caused mail to be deferred. + Bugfix: instead of setting the defer_if_permit flag, a + failing reject restriction after warn_if_reject now merely + logs that it would have caused mail to be deferred. A failing permit restriction after warn_if_reject still raises the defer_if_reject flag, to avoid loss of legitimate diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index d70c61e9a..58d244fee 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES @@ -12,10 +12,13 @@ snapshot release). Patches change the patchlevel and the release date. Snapshots change only the release date, unless they include the same bugfixes as a patch release. -Incompatible changes with Postfix snapshot 1.1.11-20021107 +Incompatible changes with Postfix snapshot 1.1.11-20021108 ========================================================== -The behavior of the SMTP server's defer_if_permit flag has changed. +The behavior of the SMTP server's defer_if_permit flag has changed, +in order to maximize the opportunity to permanently reject mail +without opening opportunities for losing legitimate mail. + The flag is still set when an UCE reject restriction fails due to a temporary (DNS) problem, to prevent unwanted mail from slipping through. However, the flag is no longer tested at the end of client, diff --git a/postfix/conf/canonical b/postfix/conf/canonical index 82214a0b0..2ffb81e53 100644 --- a/postfix/conf/canonical +++ b/postfix/conf/canonical @@ -143,23 +143,24 @@ # # inet_interfaces # The network interface addresses that this system -# receives mail on. +# receives mail on. You need to stop and start Post- +# fix when this parameter changes. # # masquerade_classes -# List of address classes subject to masquerading: -# zero or more of envelope_sender, envelope_recipi- +# List of address classes subject to masquerading: +# zero or more of envelope_sender, envelope_recipi- # ent, header_sender, header_recipient. # # masquerade_domains -# List of domains that hide their subdomain struc- +# List of domains that hide their subdomain struc- # ture. # # masquerade_exceptions -# List of user names that are not subject to address +# List of user names that are not subject to address # masquerading. # # mydestination -# List of domains that this mail system considers +# List of domains that this mail system considers # local. # # myorigin @@ -177,7 +178,7 @@ # regexp_table(5) format of POSIX regular expression tables # # LICENSE -# The Secure Mailer license must be distributed with this +# The Secure Mailer license must be distributed with this # software. # # AUTHOR(S) diff --git a/postfix/conf/main.cf b/postfix/conf/main.cf index fcdc43fbc..10aa6c426 100644 --- a/postfix/conf/main.cf +++ b/postfix/conf/main.cf @@ -100,6 +100,8 @@ mail_owner = postfix # See also the proxy_interfaces parameter, for network addresses that # are forwarded to us via a proxy or network address translator. # +# Note: you need to stop/start Postfix when this parameter changes. +# #inet_interfaces = all #inet_interfaces = $myhostname #inet_interfaces = $myhostname, localhost diff --git a/postfix/conf/relocated b/postfix/conf/relocated index 28ec6afa1..791dd50ce 100644 --- a/postfix/conf/relocated +++ b/postfix/conf/relocated @@ -1,4 +1,3 @@ -# # RELOCATED(5) RELOCATED(5) # # NAME @@ -105,10 +104,11 @@ # # inet_interfaces # The network interface addresses that this system -# receives mail on. +# receives mail on. You need to stop and start Post- +# fix when this parameter changes. # # mydestination -# List of domains that this mail system considers +# List of domains that this mail system considers # local. # # myorigin @@ -120,7 +120,7 @@ # regexp_table(5) format of POSIX regular expression tables # # LICENSE -# The Secure Mailer license must be distributed with this +# The Secure Mailer license must be distributed with this # software. # # AUTHOR(S) @@ -129,5 +129,4 @@ # P.O. Box 704 # Yorktown Heights, NY 10598, USA # -# 1 -# +# RELOCATED(5) diff --git a/postfix/conf/sample-local.cf b/postfix/conf/sample-local.cf index 84f19d223..b5e932707 100644 --- a/postfix/conf/sample-local.cf +++ b/postfix/conf/sample-local.cf @@ -149,7 +149,7 @@ home_mailbox = # # Other environment variables of interest: USER (recipient username), # EXTENSION (address extension), DOMAIN (domain part of address), -# and LOCAL (the address localpart). +# LOCAL (the address localpart), RECIPIENT and SENDER. # # Unlike other Postfix configuration parameters, the mailbox_command # parameter is not subjected to $parameter substitutions. This is to diff --git a/postfix/conf/sample-misc.cf b/postfix/conf/sample-misc.cf index ed098b77b..ea626cb96 100644 --- a/postfix/conf/sample-misc.cf +++ b/postfix/conf/sample-misc.cf @@ -122,6 +122,8 @@ import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY # See also the proxy_interfaces parameter, for network addresses that # are forwarded to us by way of a proxy or address translator. # +# Note: you need to stop and start Postfix when this parameter changes. +# inet_interfaces = all # The proxy_interfaces parameter specifies the network interface diff --git a/postfix/conf/virtual b/postfix/conf/virtual index 37f762ab1..8c8d4a292 100644 --- a/postfix/conf/virtual +++ b/postfix/conf/virtual @@ -190,10 +190,11 @@ # # inet_interfaces # The network interface addresses that this system -# receives mail on. +# receives mail on. You need to stop and start Post- +# fix when this parameter changes. # # mydestination -# List of domains that this mail system considers +# List of domains that this mail system considers # local. # # myorigin @@ -210,7 +211,7 @@ # regexp_table(5) format of POSIX regular expression tables # # LICENSE -# The Secure Mailer license must be distributed with this +# The Secure Mailer license must be distributed with this # software. # # AUTHOR(S) diff --git a/postfix/html/basic.html b/postfix/html/basic.html index 553f87299..30f429979 100644 --- a/postfix/html/basic.html +++ b/postfix/html/basic.html @@ -473,6 +473,10 @@ or you would have a mailer loop. +

+ +Note: you need to stop and start Postfix when this parameter changes. +

Up one level | Basic Configuration | inet_interfaces The network interface addresses that this system - receives mail on. + receives mail on. You need to stop and start Post- + fix when this parameter changes. masquerade_classes - List of address classes subject to masquerading: - zero or more of envelope_sender, envelope_recipi- + List of address classes subject to masquerading: + zero or more of envelope_sender, envelope_recipi- ent, header_sender, header_recipient. masquerade_domains - List of domains that hide their subdomain struc- + List of domains that hide their subdomain struc- ture. masquerade_exceptions - List of user names that are not subject to address + List of user names that are not subject to address masquerading. mydestination - List of domains that this mail system considers + List of domains that this mail system considers local. myorigin @@ -178,7 +179,7 @@ CANONICAL(5) CANONICAL(5) regexp_table(5) format of POSIX regular expression tables LICENSE - The Secure Mailer license must be distributed with this + The Secure Mailer license must be distributed with this software. AUTHOR(S) diff --git a/postfix/html/local.8.html b/postfix/html/local.8.html index 2fd88869d..0bc2940d1 100644 --- a/postfix/html/local.8.html +++ b/postfix/html/local.8.html @@ -169,6 +169,8 @@ LOCAL(8) LOCAL(8) RECIPIENT The entire recipient address. + SENDER The entire sender address. + The PATH environment variable is always reset to a system- dependent default path, and the TZ (time zone) environment variable is always passed on without change. diff --git a/postfix/html/master.8.html b/postfix/html/master.8.html index 3f9526b3a..211c6b148 100644 --- a/postfix/html/master.8.html +++ b/postfix/html/master.8.html @@ -113,6 +113,11 @@ MASTER(8) MASTER(8) also the root directory of Postfix daemons that run chrooted. + inet_interfaces + The network interface addresses that this system + receives mail on. You need to stop and start Post- + fix when this parameter changes. + Resource controls default_process_limit Default limit for the number of simultaneous child diff --git a/postfix/html/relocated.5.html b/postfix/html/relocated.5.html index 5ad6c76fc..f76aa9f4f 100644 --- a/postfix/html/relocated.5.html +++ b/postfix/html/relocated.5.html @@ -1,5 +1,4 @@ 
-
 RELOCATED(5)                                         RELOCATED(5)
 
 NAME
@@ -106,10 +105,11 @@ RELOCATED(5)                                         RELOCATED(5)
 
        inet_interfaces
               The network interface addresses  that  this  system
-              receives mail on.
+              receives mail on.  You need to stop and start Post-
+              fix when this parameter changes.
 
        mydestination
-              List  of  domains  that  this mail system considers
+              List of domains that  this  mail  system  considers
               local.
 
        myorigin
@@ -121,7 +121,7 @@ RELOCATED(5)                                         RELOCATED(5)
        regexp_table(5) format of POSIX regular expression tables
 
 LICENSE
-       The  Secure  Mailer  license must be distributed with this
+       The Secure Mailer license must be  distributed  with  this
        software.
 
 AUTHOR(S)
@@ -130,6 +130,5 @@ RELOCATED(5)                                         RELOCATED(5)
        P.O. Box 704
        Yorktown Heights, NY 10598, USA
 
-                                                                1
-
+                                                     RELOCATED(5)
diff --git a/postfix/html/virtual.5.html b/postfix/html/virtual.5.html index 772b59483..6086e836a 100644 --- a/postfix/html/virtual.5.html +++ b/postfix/html/virtual.5.html @@ -191,10 +191,11 @@ VIRTUAL(5) VIRTUAL(5) inet_interfaces The network interface addresses that this system - receives mail on. + receives mail on. You need to stop and start Post- + fix when this parameter changes. mydestination - List of domains that this mail system considers + List of domains that this mail system considers local. myorigin @@ -211,7 +212,7 @@ VIRTUAL(5) VIRTUAL(5) regexp_table(5) format of POSIX regular expression tables LICENSE - The Secure Mailer license must be distributed with this + The Secure Mailer license must be distributed with this software. AUTHOR(S) diff --git a/postfix/man/man5/canonical.5 b/postfix/man/man5/canonical.5 index cd731797b..9259187df 100644 --- a/postfix/man/man5/canonical.5 +++ b/postfix/man/man5/canonical.5 @@ -143,6 +143,7 @@ addresses. Other parameters of interest: .IP \fBinet_interfaces\fR The network interface addresses that this system receives mail on. +You need to stop and start Postfix when this parameter changes. .IP \fBmasquerade_classes\fR List of address classes subject to masquerading: zero or more of \fBenvelope_sender\fR, \fBenvelope_recipient\fR, \fBheader_sender\fR, diff --git a/postfix/man/man5/relocated.5 b/postfix/man/man5/relocated.5 index ddb318fc6..d16b331a4 100644 --- a/postfix/man/man5/relocated.5 +++ b/postfix/man/man5/relocated.5 @@ -112,6 +112,7 @@ List of lookup tables for relocated users or sites. Other parameters of interest: .IP \fBinet_interfaces\fR The network interface addresses that this system receives mail on. +You need to stop and start Postfix when this parameter changes. .IP \fBmydestination\fR List of domains that this mail system considers local. .IP \fBmyorigin\fR diff --git a/postfix/man/man5/virtual.5 b/postfix/man/man5/virtual.5 index ce5d3af85..9d2566f88 100644 --- a/postfix/man/man5/virtual.5 +++ b/postfix/man/man5/virtual.5 @@ -207,6 +207,7 @@ List of virtual mapping tables. Other parameters of interest: .IP \fBinet_interfaces\fR The network interface addresses that this system receives mail on. +You need to stop and start Postfix when this parameter changes. .IP \fBmydestination\fR List of domains that this mail system considers local. .IP \fBmyorigin\fR diff --git a/postfix/man/man8/local.8 b/postfix/man/man8/local.8 index 5e044b6da..668f5ce82 100644 --- a/postfix/man/man8/local.8 +++ b/postfix/man/man8/local.8 @@ -178,6 +178,8 @@ The entire recipient address localpart (text to the left of the rightmost @ character). .IP \fBRECIPIENT\fR The entire recipient address. +.IP \fBSENDER\fR +The entire sender address. .PP The \fBPATH\fR environment variable is always reset to a system-dependent default path, and the \fBTZ\fR (time zone) diff --git a/postfix/man/man8/master.8 b/postfix/man/man8/master.8 index 7729c2957..b1379e199 100644 --- a/postfix/man/man8/master.8 +++ b/postfix/man/man8/master.8 @@ -110,6 +110,9 @@ Directory with Postfix daemon programs. .IP \fBqueue_directory\fR Top-level directory of the Postfix queue. This is also the root directory of Postfix daemons that run chrooted. +.IP \fBinet_interfaces\fR +The network interface addresses that this system receives mail on. +You need to stop and start Postfix when this parameter changes. .SH "Resource controls" .ad .fi diff --git a/postfix/proto/canonical b/postfix/proto/canonical index f696a3aef..afc29f3cb 100644 --- a/postfix/proto/canonical +++ b/postfix/proto/canonical @@ -127,6 +127,7 @@ # Other parameters of interest: # .IP \fBinet_interfaces\fR # The network interface addresses that this system receives mail on. +# You need to stop and start Postfix when this parameter changes. # .IP \fBmasquerade_classes\fR # List of address classes subject to masquerading: zero or more of # \fBenvelope_sender\fR, \fBenvelope_recipient\fR, \fBheader_sender\fR, diff --git a/postfix/proto/relocated b/postfix/proto/relocated index ba1b00726..2c245fdda 100644 --- a/postfix/proto/relocated +++ b/postfix/proto/relocated @@ -96,6 +96,7 @@ # Other parameters of interest: # .IP \fBinet_interfaces\fR # The network interface addresses that this system receives mail on. +# You need to stop and start Postfix when this parameter changes. # .IP \fBmydestination\fR # List of domains that this mail system considers local. # .IP \fBmyorigin\fR diff --git a/postfix/proto/virtual b/postfix/proto/virtual index 1d1f16b19..509415478 100644 --- a/postfix/proto/virtual +++ b/postfix/proto/virtual @@ -187,6 +187,7 @@ # Other parameters of interest: # .IP \fBinet_interfaces\fR # The network interface addresses that this system receives mail on. +# You need to stop and start Postfix when this parameter changes. # .IP \fBmydestination\fR # List of domains that this mail system considers local. # .IP \fBmyorigin\fR diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index 738414c4f..227c16510 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -437,7 +437,7 @@ ABCDEFGHIJKLMNOPQRSTUVWXYZ" extern char *var_cmd_exp_filter; #define VAR_FWD_EXP_FILTER "forward_expansion_filter" -#define DEF_FWD_EXP_FILTER "1234567890!@%-_=+:,./\ +#define DEF_FWD_EXP_FILTER "1234567890!@%-_=+:,.\ abcdefghijklmnopqrstuvwxyz\ ABCDEFGHIJKLMNOPQRSTUVWXYZ" extern char *var_fwd_exp_filter; @@ -1152,6 +1152,9 @@ extern int var_reject_code; #define DEF_DEFER_CODE 450 extern int var_defer_code; +#define DEFER_IF_PERMIT "defer_if_permit" +#define DEFER_IF_REJECT "defer_if_reject" + #define REJECT_UNKNOWN_CLIENT "reject_unknown_client" #define VAR_UNK_CLIENT_CODE "unknown_client_reject_code" #define DEF_UNK_CLIENT_CODE 450 diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 4e106f1be..2fbb1aa42 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change the patchlevel and the release date. Snapshots change the * release date only, unless they include the same bugfix as a patch release. */ -#define MAIL_RELEASE_DATE "20021107" +#define MAIL_RELEASE_DATE "20021108" #define VAR_MAIL_VERSION "mail_version" #define DEF_MAIL_VERSION "1.1.11-" MAIL_RELEASE_DATE diff --git a/postfix/src/local/local.c b/postfix/src/local/local.c index 187a932e1..74cc47c1b 100644 --- a/postfix/src/local/local.c +++ b/postfix/src/local/local.c @@ -164,6 +164,8 @@ /* rightmost @ character). /* .IP \fBRECIPIENT\fR /* The entire recipient address. +/* .IP \fBSENDER\fR +/* The entire sender address. /* .PP /* The \fBPATH\fR environment variable is always reset to a /* system-dependent default path, and the \fBTZ\fR (time zone) diff --git a/postfix/src/master/master.c b/postfix/src/master/master.c index b5c7e9617..9071f34e7 100644 --- a/postfix/src/master/master.c +++ b/postfix/src/master/master.c @@ -96,6 +96,9 @@ /* .IP \fBqueue_directory\fR /* Top-level directory of the Postfix queue. This is also the root /* directory of Postfix daemons that run chrooted. +/* .IP \fBinet_interfaces\fR +/* The network interface addresses that this system receives mail on. +/* You need to stop and start Postfix when this parameter changes. /* .SH "Resource controls" /* .ad /* .fi diff --git a/postfix/src/smtpd/smtpd.h b/postfix/src/smtpd/smtpd.h index c76bb9d9a..8d52fc86b 100644 --- a/postfix/src/smtpd/smtpd.h +++ b/postfix/src/smtpd/smtpd.h @@ -89,6 +89,9 @@ typedef struct SMTPD_STATE { int warn_if_reject; /* force reject into warning */ SMTPD_DEFER defer_if_reject; /* force reject into deferral */ SMTPD_DEFER defer_if_permit; /* force permit into deferral */ + int defer_if_permit_client; /* force permit into warning */ + int defer_if_permit_helo; /* force permit into warning */ + int defer_if_permit_sender; /* force permit into warning */ VSTRING *expand_buf; /* scratch space for $name expansion */ } SMTPD_STATE; diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c index 57f9f323d..b2ab5ebd3 100644 --- a/postfix/src/smtpd/smtpd_check.c +++ b/postfix/src/smtpd/smtpd_check.c @@ -436,13 +436,13 @@ static int generic_checks(SMTPD_STATE *, ARGV *, const char *, const char *, con * * reject_unknown_client, hostname-based white-list, reject * - * XXX Don't raise the defer_if_permit flag with a failing reject-style - * restriction that follows warn_if_reject. Instead, log the warning for the + * XXX With warn_if_reject, don't raise the defer_if_permit flag when a + * reject-style restriction fails. Instead, log the warning for the * resulting defer message. * - * XXX Do raise the defer_if_reject flag with a failing permit-style - * restriction that follows warn_if_reject. Otherwise, we could reject - * legitimate mail. + * XXX With warn_if_reject, do raise the defer_if_reject flag when a + * permit-style restriction fails. Otherwise, we could reject legitimate + * mail. */ static void PRINTFLIKE(3, 4) defer_if(SMTPD_DEFER *, int, const char *,...); @@ -2608,6 +2608,14 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions, cpp[1], REJECT_ALL); } else if (strcasecmp(name, REJECT_UNAUTH_PIPE) == 0) { status = reject_unauth_pipelining(state, reply_name, reply_class); + } else if (strcasecmp(name, DEFER_IF_PERMIT) == 0) { + DEFER_IF_PERMIT2(state, MAIL_ERROR_POLICY, + "450 <%s>: %s rejected: defer_if_permit requested", + reply_name, reply_class); + } else if (strcasecmp(name, DEFER_IF_REJECT) == 0) { + DEFER_IF_REJECT2(state, MAIL_ERROR_POLICY, + "450 <%s>: %s rejected: defer_if_reject requested", + reply_name, reply_class); } /* @@ -2843,8 +2851,7 @@ char *smtpd_check_client(SMTPD_STATE *state) } /* - * This is cleared before client restrictions, and is tested after - * recipient and etrn restrictions. + * Reset the defer_if_permit flag. */ state->defer_if_permit.active = 0; @@ -2856,6 +2863,7 @@ char *smtpd_check_client(SMTPD_STATE *state) if (status == 0 && client_restrctions->argc) status = generic_checks(state, client_restrctions, state->namaddr, SMTPD_NAME_CLIENT, CHECK_CLIENT_ACL); + state->defer_if_permit_client = state->defer_if_permit.active; return (status == SMTPD_CHECK_REJECT ? STR(error_text) : 0); } @@ -2894,6 +2902,13 @@ char *smtpd_check_helo(SMTPD_STATE *state, char *helohost) return (x); \ } + /* + * Restore the defer_if_permit flag to its value before HELO/EHLO, and do + * not set the flag when it was already raised by a previous protocol + * stage. + */ + state->defer_if_permit.active = state->defer_if_permit_client; + /* * Apply restrictions in the order as specified. */ @@ -2902,6 +2917,7 @@ char *smtpd_check_helo(SMTPD_STATE *state, char *helohost) if (status == 0 && helo_restrctions->argc) status = generic_checks(state, helo_restrctions, state->helo_name, SMTPD_NAME_HELO, CHECK_HELO_ACL); + state->defer_if_permit_helo = state->defer_if_permit.active; SMTPD_CHECK_HELO_RETURN(status == SMTPD_CHECK_REJECT ? STR(error_text) : 0); } @@ -2930,6 +2946,14 @@ char *smtpd_check_mail(SMTPD_STATE *state, char *sender) return (x); \ } + /* + * Restore the defer_if_permit flag to its value before MAIL FROM, and do + * not set the flag when it was already raised by a previous protocol + * stage. The client may skip the helo/ehlo. + */ + state->defer_if_permit.active = state->defer_if_permit_client + | state->defer_if_permit_helo; + /* * Apply restrictions in the order as specified. */ @@ -2938,6 +2962,7 @@ char *smtpd_check_mail(SMTPD_STATE *state, char *sender) if (status == 0 && mail_restrctions->argc) status = generic_checks(state, mail_restrctions, sender, SMTPD_NAME_SENDER, CHECK_SENDER_ACL); + state->defer_if_permit_sender = state->defer_if_permit.active; SMTPD_CHECK_MAIL_RETURN(status == SMTPD_CHECK_REJECT ? STR(error_text) : 0); } @@ -2983,6 +3008,13 @@ char *smtpd_check_rcpt(SMTPD_STATE *state, char *recipient) || (err = smtpd_check_mail(state, state->sender)) != 0) SMTPD_CHECK_RCPT_RETURN(err); + /* + * Restore the defer_if_permit flag to its value before RCPT TO, and do + * not set the flag when it was already raised by a previous protocol + * stage. + */ + state->defer_if_permit.active = state->defer_if_permit_sender; + /* * Apply restrictions in the order as specified. */ @@ -3036,6 +3068,14 @@ char *smtpd_check_etrn(SMTPD_STATE *state, char *domain) || (err = smtpd_check_helo(state, state->helo_name)) != 0) SMTPD_CHECK_ETRN_RETURN(err); + /* + * Restore the defer_if_permit flag to its value before ETRN, and do not + * set the flag when it was already raised by a previous protocol stage. + * The client may skip the helo/ehlo. + */ + state->defer_if_permit.active = state->defer_if_permit_client + | state->defer_if_permit_helo; + /* * Apply restrictions in the order as specified. */ @@ -3228,6 +3268,12 @@ char *smtpd_check_data(SMTPD_STATE *state) state->recipient = 0; } + /* + * Reset the defer_if_permit flag. This should not be necessary but we do + * it just in case. + */ + state->defer_if_permit.active = 0; + /* * Apply restrictions in the order as specified. * diff --git a/postfix/src/smtpd/smtpd_state.c b/postfix/src/smtpd/smtpd_state.c index b1d217f87..53ef27580 100644 --- a/postfix/src/smtpd/smtpd_state.c +++ b/postfix/src/smtpd/smtpd_state.c @@ -92,9 +92,10 @@ void smtpd_state_init(SMTPD_STATE *state, VSTREAM *stream) state->recursion = 0; state->msg_size = 0; state->junk_cmds = 0; - state->defer_if_reject.active = 0; + state->defer_if_permit_client = 0; + state->defer_if_permit_helo = 0; + state->defer_if_permit_sender = 0; state->defer_if_reject.reason = 0; - state->defer_if_permit.active = 0; state->defer_if_permit.reason = 0; state->expand_buf = 0;