From: Wietse Venema
Date: Wed, 7 May 2014 05:00:00 +0000 (-0500)
Subject: postfix-2.12-20140507
X-Git-Tag: v3.0.0-RC1~60
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=542b0c899e5fe786c90b000dcb008256c1a3019b;p=thirdparty%2Fpostfix.git
postfix-2.12-20140507
---
diff --git a/postfix/HISTORY b/postfix/HISTORY
index 1f9c92f52..706d83359 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -19605,8 +19605,8 @@ Apologies for any names omitted.
 unusable; Don't leak dane handle when all TLSA records are unusable. Viktor Dukhovni. File: smtp/smtp_tls_policy.c.
- Cleanup: log TLS policy lookups as warnings. Viktor Dukhovni.
- File: smtp/smtp_connect.c.
+ Cleanup: log TLS policy lookup errors as warnings. Viktor
+ Dukhovni. File: smtp/smtp_connect.c.
 20140316
@@ -19672,3 +19672,42 @@ Apologies for any names omitted.
 proto/postconf.proto, global/mail_params.h, tls/tls_misc.c, tls/tls_scache.h, tls/tls_server.c.
+20140416
+
+ Cleanup: replace "~0 << positive" with "~0U << positive"
+ even if we use only the lower bytes. Jeffrey Walton. File:
+ util/mask_addr.c.
+
+20140407
+
+ Documentation: the documentation for Postfix > 2.8 TLS
+ activity logging was incorrect. Loglevel 0 produces no
+ logging. Instead, information is logged only with loglevel
+ 1 or higher. Viktor Dukhovni. Files: proto/TLS_README.html,
+ proto/postconf.proto.
+
+20140501
+
+ Cleanup: postcreen_dnsbl_timeout parameter. Files:
+ mantools/postlink, proto/postconf.proto, global/mail_params.h,
+ postscreen/postscreen.c, postscreen/postscreen_dnsbl.c.
+
+ Cleanup: added table search order information to the
+ postconf(5) manpage. File: proto/postconf.proto.
+
+20140505
+
+ Cleanup: added a client port attribute to the policy
+ delegation protocol. Jernej Porenta. File: smtpd/smtpd_check.c.
+
+20140507
+
+ Bugfix (introduced: Postfix 2.11): with connection caching
+ enabled (the default), recipients could be given to the
+ wrong mail server. Root cause: due to an incorrect predicate,
+ the Postfix SMTP client could save and restore plaintext
+ connections that should not be cached, under nonsensical
+ lookup keys that did not distinguish by destination. Problem
+ reported by Sahil Tandon, predicate error found by Viktor,
+ redundant connection restore request eliminated by Wietse.
+ File: smtp/smtp_connect.c.
diff --git a/postfix/README_FILES/POSTSCREEN_README b/postfix/README_FILES/POSTSCREEN_README
index c6f527488..ce14068c0 100644
--- a/postfix/README_FILES/POSTSCREEN_README
+++ b/postfix/README_FILES/POSTSCREEN_README
@@ -622,8 +622,8 @@ mail:
 postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
 /etc/postfix/dnsbl_reply:
- # Secret DNSBL name Name in postscreen(8) replies
- secret.zen.spamhaus.org zen.spamhaus.org
+ # Secret DNSBL name Name in postscreen(8) replies
+ secret.zen.dq.spamhaus.net zen.spamhaus.org
 The texthash: format is similar to hash: except that there is no need to run postmap(1) before the file can be used, and that it does not detect
diff --git a/postfix/README_FILES/SMTPD_ACCESS_README b/postfix/README_FILES/SMTPD_ACCESS_README
index 2cc15b6d9..4a93df7e1 100644
--- a/postfix/README_FILES/SMTPD_ACCESS_README
+++ b/postfix/README_FILES/SMTPD_ACCESS_README
@@ -146,6 +146,7 @@ Examples of simple restriction lists are:
 # (available with Postfix 2.10 and later).
 reject_unauth_destination
 reject_rbl_client zen.spamhaus.org,
+ reject_rhsbl_reverse_client dbl.spamhaus.org,
 reject_rhsbl_helo dbl.spamhaus.org,
 reject_rhsbl_sender dbl.spamhaus.org
diff --git a/postfix/README_FILES/TLS_README b/postfix/README_FILES/TLS_README
index 985e01d83..c743fa2be 100644
--- a/postfix/README_FILES/TLS_README
+++ b/postfix/README_FILES/TLS_README
@@ -247,27 +247,25 @@ To get additional information about Postfix SMTP server TLS activity you can increase the log level from 0..4. Each logging level also includes the information that is logged at a lower logging level. - _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ - |LLeevveell|PPoossttffiixx 22..99 aanndd llaatteerr |EEaarrlliieerr rreelleeaasseess.. | - |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |0 |Log only a summary message on TLS |Disable logging of TLS activity.| - | |handshake completion -- no logging| | - | |of client certificate trust-chain | | - | |verification errors if client | | - | |certificate verification is not | | - | |required. | | - |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |1 |Also log trust-chain verification |Also log TLS handshake and | - | |errors and peer certificate |certificate information. | - | |summary information. | | - |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |2 |Also log levels during TLS negotiation. | - |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |3 |Also log hexadecimal and ASCII dump of TLS negotiation process. | - |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |4 |Also log hexadecimal and ASCII dump of complete transmission after | - | |STARTTLS. 
| - |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ + |LLeevveell|PPoossttffiixx 22..99 aanndd llaatteerr |EEaarrlliieerr rreelleeaasseess.. | + |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |0 |Disable logging of TLS activity. | + |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |1 |Log only a summary message on TLS |Log the summary message, peer | + | |handshake completion -- no logging|certificate summary information| + | |of client certificate trust-chain |and unconditionally log trust- | + | |verification errors if client |chain verification errors. | + | |certificate verification is not | | + | |required. | | + |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |2 |Also log levels during TLS negotiation. | + |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |3 |Also log hexadecimal and ASCII dump of TLS negotiation process. | + |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |4 |Also log hexadecimal and ASCII dump of complete transmission after| + | |STARTTLS. | + |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | Use log level 3 only in case of problems. Use of log level 4 is strongly discouraged. 
@@ -1321,27 +1319,25 @@ To get additional information about Postfix SMTP client TLS activity you can increase the loglevel from 0..4. Each logging level also includes the information that is logged at a lower logging level. - _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ - |LLeevveell|PPoossttffiixx 22..99 aanndd llaatteerr |EEaarrlliieerr rreelleeaasseess.. | - |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |0 |Log only a summary message on TLS |Disable logging of TLS activity.| - | |handshake completion -- no logging| | - | |of remote SMTP server certificate | | - | |trust-chain verification errors if| | - | |server certificate verification is| | - | |not required. | | - |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |1 |Also log remote SMTP server trust-|Also log TLS handshake and | - | |chain verification errors and peer|certificate information. | - | |certificate summary information. | | - |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |2 |Also log levels during TLS negotiation. | - |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |3 |Also log hexadecimal and ASCII dump of TLS negotiation process. | - |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | - |4 |Also log hexadecimal and ASCII dump of complete transmission after | - | |STARTTLS. 
| - |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ + |LLeevveell|PPoossttffiixx 22..99 aanndd llaatteerr |EEaarrlliieerr rreelleeaasseess.. | + |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |0 |Disable logging of TLS activity. | + |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |1 |Log only a summary message on TLS |Log the summary message and | + | |handshake completion -- no logging|unconditionally log trust-chain| + | |of remote SMTP server certificate |verification errors. | + | |trust-chain verification errors if| | + | |server certificate verification is| | + | |not required. | | + |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |2 |Also log levels during TLS negotiation. | + |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |3 |Also log hexadecimal and ASCII dump of TLS negotiation process. | + |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | + |4 |Also log hexadecimal and ASCII dump of complete transmission after| + | |STARTTLS. | + |_ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | Example: diff --git a/postfix/html/POSTSCREEN_README.html b/postfix/html/POSTSCREEN_README.html index 099d495a4..1d1963273 100644 
--- a/postfix/html/POSTSCREEN_README.html +++ b/postfix/html/POSTSCREEN_README.html @@ -872,8 +872,8 @@ For example:

 /etc/postfix/dnsbl_reply:
-    # Secret DNSBL name        Name in postscreen(8) replies
-    secret.zen.spamhaus.org    zen.spamhaus.org
+    # Secret DNSBL name           Name in postscreen(8) replies
+    secret.zen.dq.spamhaus.net    zen.spamhaus.org
 

The texthash: format is similar to hash: except that there is diff --git a/postfix/html/SMTPD_ACCESS_README.html b/postfix/html/SMTPD_ACCESS_README.html index 3c4f5975c..660060900 100644 --- a/postfix/html/SMTPD_ACCESS_README.html +++ b/postfix/html/SMTPD_ACCESS_README.html @@ -202,6 +202,7 @@ described in the postconf(5) manual page.

# (available with Postfix 2.10 and later). reject_unauth_destination reject_rbl_client zen.spamhaus.org, + reject_rhsbl_reverse_client dbl.spamhaus.org, reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org diff --git a/postfix/html/TLS_README.html b/postfix/html/TLS_README.html index f18b619b1..0a9d6699b 100644 --- a/postfix/html/TLS_README.html +++ b/postfix/html/TLS_README.html @@ -384,16 +384,15 @@ logging level.

Level Postfix 2.9 and later Earlier releases. - 0 Log only a summary + 0 Disable +logging of TLS activity. + + 1 Log only a summary message on TLS handshake completion — no logging of client certificate trust-chain verification errors if client certificate -verification is not required. Disable logging -of TLS activity. - - 1 Also log trust-chain -verification errors and peer certificate summary information. - Also log TLS handshake and certificate information. - +verification is not required. Log the summary +message, peer certificate summary information and unconditionally log +trust-chain verification errors. 2 Also log levels during TLS negotiation. @@ -1750,16 +1749,15 @@ logging level.

Level Postfix 2.9 and later Earlier releases. - 0 Log only a summary -message on TLS handshake completion — no logging of remote -SMTP server certificate trust-chain verification errors if server -certificate verification is not required. -Disable logging of TLS activity. + 0 Disable +logging of TLS activity. - 1 Also log remote -SMTP server trust-chain verification errors and peer certificate -summary information. Also log TLS handshake -and certificate information. + 1 Log only a summary +message on TLS handshake completion — no logging of remote SMTP +server certificate trust-chain verification errors if server certificate +verification is not required. Log the summary +message and unconditionally log trust-chain verification errors. + 2 Also log levels during TLS negotiation. diff --git a/postfix/html/dnsblog.8.html b/postfix/html/dnsblog.8.html index 67e4d8302..c96f588ca 100644 --- a/postfix/html/dnsblog.8.html +++ b/postfix/html/dnsblog.8.html @@ -19,12 +19,12 @@ DNSBLOG(8) DNSBLOG(8) PROTOCOL With each connection, the dnsblog(8) server receives a DNS white/black- - list domain name, IP address, and an ID. If the address is listed - under the DNS white/blacklist, the dnsblog(8) server logs the match and - replies with the query arguments plus an address list with the result- - ing IP addresses separated by whitespace. Otherwise it replies with - the query arguments plus an empty address list. Finally, The dns- - blog(8) server closes the connection. + list domain name, an IP address, and an ID. If the IP address is + listed under the DNS white/blacklist, the dnsblog(8) server logs the + match and replies with the query arguments plus an address list with + the resulting IP addresses separated by whitespace. Otherwise it + replies with the query arguments plus an empty address list. Finally, + The dnsblog(8) server closes the connection. DIAGNOSTICS Problems and transactions are logged to syslogd(8). 
diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 074e42d06..71b730a25 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -559,6 +559,10 @@ Examples:

The alias databases that are used for local(8) delivery. See aliases(5) for syntax details. +Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +Note: these lookups are recursive.

@@ -1343,6 +1347,13 @@ are documented in canonical(5). For an overview o manipulations see the ADDRESS_REWRITING_README document.

+

+Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +Note: these lookups are recursive. +

+

If you use this feature, run "postmap /etc/postfix/canonical" to build the necessary DBM or DB file after every change. The changes @@ -5346,6 +5357,12 @@ Technically, tables listed with $ lists: Postfix needs to know only if a lookup string is found or not, but it does not use the result from table lookup.

+

+Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +

+

If this parameter is non-empty (the default), then the Postfix SMTP server will reject mail for unknown local users. @@ -5742,6 +5759,12 @@ is: aliases, .forward files, ma mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory, fallback_transport_maps, fallback_transport and luser_relay.

+

+Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +

+ @@ -5816,6 +5839,12 @@ is: aliases, .forward files, ma mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory, fallback_transport_maps, fallback_transport and luser_relay.

+

+Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +

+

For safety reasons, this feature does not allow $number substitutions in regular expression maps.

@@ -7550,6 +7579,18 @@ parameter.

This feature is available in Postfix 2.8.

+ + +
postscreen_dnsbl_timeout +(default: 10s)
+ +

The time limit for DNSBL or DNSWL lookups. This is separate from +the timeouts in the dnsblog(8) daemon which are defined by system +resolver(3) routines.

+ +

This feature is available in Postfix 2.12.

+ +
postscreen_dnsbl_ttl @@ -8157,6 +8198,11 @@ Example:

The lookup tables that the proxymap(8) server is allowed to access for the read-only service. +

+ +

+Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Table references that don't begin with proxy: are ignored.

@@ -8584,7 +8630,9 @@ supported) is added when mail enters from outside of Postfix.

-This feature is available in Postfix 2.1 and later. +Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found.

@@ -8610,11 +8658,6 @@ equals $myorigin, $postmap /etc/postfix/recipient_bcc". -

-

Note: with Postfix 2.3 and later the BCC address is added as if it was specified with NOTIFY=NONE. The sender will not be notified @@ -8640,6 +8683,14 @@ Example: recipient_bcc_maps = hash:/etc/postfix/recipient_bcc +

+After a change, run "postmap /etc/postfix/recipient_bcc". +

+ +

+This feature is available in Postfix 2.1 and later. +

+ @@ -8728,7 +8779,7 @@ Examples:
 # Handle both Postfix and qmail extensions (Postfix 2.11 and later).
-recipient_delimiters = +-
+recipient_delimiter = +-
 
@@ -8900,6 +8951,12 @@ listed with $relay_recipient_maps
 to know only if a lookup string is found or not, but it does not
 use the result from table lookup.  

+

+Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +

+

If this parameter is non-empty, then the Postfix SMTP server will reject mail to unknown relay users. This feature is off by default. @@ -9007,6 +9064,12 @@ domains that no longer exist. The table format and lookups are documented in relocated(5).

+

+Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +

+

If you use this feature, run "postmap /etc/postfix/relocated" to build the necessary DBM or DB file after change, then "postfix @@ -9239,7 +9302,9 @@ by sender address. The BCC address (multiple results are not supported) is added when mail enters from outside of Postfix.

-This feature is available in Postfix 2.1 and later. +Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found.

@@ -9265,11 +9330,6 @@ equals $myorigin, $postmap /etc/postfix/sender_bcc". -

-

Note: with Postfix 2.3 and later the BCC address is added as if it was specified with NOTIFY=NONE. The sender will not be notified @@ -9295,6 +9355,14 @@ Example: sender_bcc_maps = hash:/etc/postfix/sender_bcc

+

+After a change, run "postmap /etc/postfix/sender_bcc". +

+ +

+This feature is available in Postfix 2.1 and later. +

+ @@ -9352,6 +9420,12 @@ address and @domain. A lookup result of DUNNO terminates the search without overriding the global default_transport parameter setting. This information is overruled with the transport(5) table.

+

+Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +

+

Note: this overrides default_transport, not transport_maps, and therefore the expected syntax is that of default_transport, not the syntax of transport_maps. Specifically, this does not support the @@ -9377,6 +9451,12 @@ later). This information is overruled with sender_dependent_default_transport_maps, default_transport and with the transport(5) table.

+

+Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +

+

For safety reasons, this feature does not allow $number substitutions in regular expression maps.

@@ -9930,6 +10010,12 @@ remote SMTP server. See smt table is not indexed by hostname for consistency with smtpd_discard_ehlo_keyword_address_maps.

+

+Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +

+

This feature is available in Postfix 2.2 and later.

@@ -10146,6 +10232,12 @@ This is needed when the local machine does not have its own Internet domain name, but uses something like localdomain.local instead.

+

+Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +

+

The table format and lookups are documented in generic(5); examples are shown in the ADDRESS_REWRITING_README and STANDARD_CONFIGURATION_README documents.

@@ -10406,6 +10498,12 @@ per-destination workarounds for CISCO PIX firewall bugs. The table is not indexed by hostname for consistency with smtp_discard_ehlo_keyword_address_maps.

+

+Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +

+

This feature is available in Postfix 2.4 and later.

@@ -10751,6 +10849,12 @@ The Postfix SMTP client opens the lookup table before going to chroot jail, so you can leave the password file in /etc/postfix.

+

+Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +

+ @@ -11505,14 +11609,13 @@ a lower logging level.

-
0 Log only a summary message on TLS handshake completion +
0 Disable logging of TLS activity.
+ +
1 Log only a summary message on TLS handshake completion — no logging of remote SMTP server certificate trust-chain verification errors if server certificate verification is not required. -With Postfix 2.8 and earlier, disable logging of TLS activity.
- -
1 Also log remote SMTP server trust-chain verification -errors and peer certificate summary information. With Postfix 2.8 -and earlier, log TLS handshake and certificate information.
+With Postfix 2.8 and earlier, log the summary message and unconditionally +log trust-chain verification errors.
2 Also log levels during TLS negotiation.
@@ -11796,6 +11899,12 @@ this overrides the obsolete smtp_tls TLS_README for a more detailed discussion of TLS security levels.

+

+Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +

+

The TLS policy table is indexed by the full next-hop destination, which is either the recipient domain, or the verbatim next-hop specified in the transport table, $local_transport, $virtual_transport, @@ -13379,7 +13488,13 @@ case insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.) that the Postfix SMTP server will not send in the EHLO response to a remote SMTP client. See smtpd_discard_ehlo_keywords for details. -The table is not searched by hostname for robustness reasons.

+The tables are not searched by hostname for robustness reasons.

+ +

+Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +

This feature is available in Postfix 2.2 and later.

@@ -14214,7 +14329,7 @@ non-permanent error code. This feature is available in Postfix
Reject the request when Postfix is not final destination for the recipient domain, and the RCPT TO domain has 1) no DNS MX and -no DNS address +no DNS A record or 2) a malformed MX record such as a record with a zero-length MX hostname (Postfix version 2.3 and later).
The unknown_address_reject_code parameter specifies the numerical @@ -14814,7 +14929,9 @@ Optional lookup table with the SASL login names that own sender

-Specify zero or more "type:table" lookup tables. With lookups from +Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. With lookups from indexed files such as DB or DBM, or from networked tables such as NIS, LDAP or SQL, the following search operations are done with a sender address of user@domain:

@@ -14948,7 +15065,7 @@ Postfix version 2.1 and later.
Reject the request when Postfix is not final destination for the sender address, and the MAIL FROM domain has 1) no DNS MX and -no DNS address +no DNS A record, or 2) a malformed MX record such as a record with a zero-length MX hostname (Postfix version 2.3 and later).
The unknown_address_reject_code parameter specifies the numerical @@ -15700,15 +15817,13 @@ a lower logging level.

-
0 Log only a summary message on TLS handshake completion -— no logging of remote SMTP client certificate trust-chain verification -errors -if client certificate verification is not required. With Postfix 2.8 -and earlier, disable logging of TLS activity.
+
0 Disable logging of TLS activity.
-
1 Also log trust-chain verification errors and peer -certificate name and issuer. With Postfix 2.8 and earlier, log TLS -handshake and certificate information.
+
1 Log only a summary message on TLS handshake completion +— no logging of client certificate trust-chain verification errors +if client certificate verification is not required. With Postfix 2.8 and +earlier, log the summary message, peer certificate summary information +and unconditionally log trust-chain verification errors.
2 Also log levels during TLS negotiation.
@@ -17650,7 +17765,9 @@ for details.

-Specify zero or more "type:table" lookup tables. If you use this +Specify zero or more "type:table" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. If you use this feature with local files, run "postmap /etc/postfix/transport" after making a change.

@@ -18226,6 +18343,13 @@ This feature is available in Postfix 2.0 and later. The default value is backwards compatible with Postfix version 1.1.

+

+Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +Note: these lookups are recursive. +

+

If you use this feature with indexed files, run "postmap /etc/postfix/virtual" after changing the file. @@ -18311,6 +18435,12 @@ delivery. It does not apply when mail is delivered with a different mail delivery program.

+

+Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +

+

In a lookup table, specify a left-hand side of "@domain.tld" to match any user in the specified domain that does not have a specific @@ -18440,6 +18570,12 @@ Optional lookup tables with all valid addresses in the domains that match $virtual_mailbox_domains.

+

+Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +

+

In a lookup table, specify a left-hand side of "@domain.tld" to match any user in the specified domain that does not have a specific @@ -18547,6 +18683,12 @@ delivery agent uses while writing to the recipient's mailbox. It does not apply when mail is delivered with a different mail delivery program.

+

+Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +

+

In a lookup table, specify a left-hand side of "@domain.tld" to match any user in the specified domain that does not have a diff --git a/postfix/html/postscreen.8.html b/postfix/html/postscreen.8.html index 8ef9176a2..6d1e07ca2 100644 --- a/postfix/html/postscreen.8.html +++ b/postfix/html/postscreen.8.html @@ -228,6 +228,11 @@ POSTSCREEN(8) POSTSCREEN(8) greeting" protocol tests, based on its combined DNSBL score as defined with the postscreen_dnsbl_sites parameter. + Available in Postfix version 2.11 and later: + + postscreen_dnsbl_timeout (10s) + The time limit for DNSBL or DNSWL lookups. + AFTER 220 GREETING TESTS These tests are executed after the remote SMTP client receives the "220 servername" greeting. If a client passes all tests during this phase, diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 14cee0d5f..e1eb62e01 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -305,6 +305,10 @@ alias_database = hash:/etc/mail/aliases .SH alias_maps (default: see "postconf -d" output) The alias databases that are used for \fBlocal\fR(8) delivery. See \fBaliases\fR(5) for syntax details. +Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +Note: these lookups are recursive. .PP The default list is system dependent. On systems with NIS, the default is to search the local alias database, then the NIS alias 
@@ -765,6 +769,11 @@ login names by Firstname.Lastname. The table format and lookups are documented in \fBcanonical\fR(5). For an overview of Postfix address manipulations see the ADDRESS_REWRITING_README document.
 .PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+Note: these lookups are recursive.
+.PP
 If you use this feature, run "\fBpostmap /etc/postfix/canonical\fR" to build the necessary DBM or DB file after every change. The changes will become visible after a minute or so. Use "\fBpostfix reload\fR"
@@ -3123,6 +3132,10 @@ Technically, tables listed with $local_recipient_maps are used as lists: Postfix needs to know only if a lookup string is found or not, but it does not use the result from table lookup.
 .PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+.PP
 If this parameter is non-empty (the default), then the Postfix SMTP server will reject mail for unknown local users.
 .PP
@@ -3382,6 +3395,10 @@ The precedence of \fBlocal\fR(8) delivery features from high to low is: aliases, .forward files, mailbox_transport_maps, mailbox_transport, mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory, fallback_transport_maps, fallback_transport and luser_relay.
+.PP
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
 .SH mailbox_delivery_lock (default: see "postconf -d" output) How to lock a UNIX-style \fBlocal\fR(8) mailbox before attempting delivery. For a list of available file locking methods, use the "\fBpostconf
@@ -3421,6 +3438,10 @@ is: aliases, .forward files, mailbox_transport_maps, mailbox_transport, mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory, fallback_transport_maps, fallback_transport and luser_relay. .PP +Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +.PP For safety reasons, this feature does not allow $number substitutions in regular expression maps. .PP @@ -4580,6 +4601,12 @@ its combined DNSBL score as defined with the postscreen_dnsbl_sites parameter. .PP This feature is available in Postfix 2.8. +.SH postscreen_dnsbl_timeout (default: 10s) +The time limit for DNSBL or DNSWL lookups. This is separate from +the timeouts in the \fBdnsblog\fR(8) daemon which are defined by system +\fBresolver\fR(3) routines. +.PP +This feature is available in Postfix 2.12. .SH postscreen_dnsbl_ttl (default: 1h) The amount of time that \fBpostscreen\fR(8) will use the result from a successful DNS blocklist test. During this time, the client IP address @@ -4964,6 +4991,9 @@ proxy_interfaces = 1.2.3.4 .SH proxy_read_maps (default: see "postconf -d" output) The lookup tables that the \fBproxymap\fR(8) server is allowed to access for the read-only service. +.PP +Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Table references that don't begin with proxy: are ignored. .PP This feature is available in Postfix 2.0 and later. @@ -5175,7 +5205,9 @@ Optional BCC (blind carbon-copy) address lookup tables, indexed by recipient address. The BCC address (multiple results are not supported) is added when mail enters from outside of Postfix. .PP -This feature is available in Postfix 2.1 and later. +Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. .PP The table search order is as follows: .IP \(bu 
@@ -5195,9 +5227,6 @@ equals $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces. Look up the "@domain.tld" part. .br .PP -Specify the types and names of databases to use. After change, -run "\fBpostmap /etc/postfix/recipient_bcc\fR". -.PP Note: with Postfix 2.3 and later the BCC address is added as if it was specified with NOTIFY=NONE. The sender will not be notified when the BCC address is undeliverable, as long as all down-stream @@ -5220,6 +5249,10 @@ recipient_bcc_maps = hash:/etc/postfix/recipient_bcc .fi .ad .ft R +.PP +After a change, run "\fBpostmap /etc/postfix/recipient_bcc\fR". +.PP +This feature is available in Postfix 2.1 and later. .SH recipient_canonical_classes (default: envelope_recipient, header_recipient) What addresses are subject to recipient_canonical_maps address mapping. By default, recipient_canonical_maps address mapping is @@ -5291,7 +5324,7 @@ recipient_delimiter = + .na .ft C # Handle both Postfix and qmail extensions (Postfix 2.11 and later). -recipient_delimiters = +- +recipient_delimiter = +- .fi .ad .ft R @@ -5416,6 +5449,10 @@ listed with $relay_recipient_maps are used as lists: Postfix needs to know only if a lookup string is found or not, but it does not use the result from table lookup. .PP +Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +.PP If this parameter is non-empty, then the Postfix SMTP server will reject mail to unknown relay users. This feature is off by default. .PP 
@@ -5485,6 +5522,10 @@ Optional lookup tables with new contact information for users or domains that no longer exist. The table format and lookups are documented in \fBrelocated\fR(5). .PP +Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +.PP If you use this feature, run "\fBpostmap /etc/postfix/relocated\fR" to build the necessary DBM or DB file after change, then "\fBpostfix reload\fR" to make the changes visible. @@ -5646,7 +5687,9 @@ Optional BCC (blind carbon-copy) address lookup tables, indexed by sender address. The BCC address (multiple results are not supported) is added when mail enters from outside of Postfix. .PP -This feature is available in Postfix 2.1 and later. +Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. .PP The table search order is as follows: .IP \(bu @@ -5666,9 +5709,6 @@ equals $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces. Look up the "@domain.tld" part. .br .PP -Specify the types and names of databases to use. After change, -run "\fBpostmap /etc/postfix/sender_bcc\fR". -.PP Note: with Postfix 2.3 and later the BCC address is added as if it was specified with NOTIFY=NONE. The sender will not be notified when the BCC address is undeliverable, as long as all down-stream @@ -5691,6 +5731,10 @@ sender_bcc_maps = hash:/etc/postfix/sender_bcc .fi .ad .ft R +.PP +After a change, run "\fBpostmap /etc/postfix/sender_bcc\fR". +.PP +This feature is available in Postfix 2.1 and later. .SH sender_canonical_classes (default: envelope_sender, header_sender) What addresses are subject to sender_canonical_maps address mapping. By default, sender_canonical_maps address mapping is 
@@ -5726,6 +5770,10 @@ address and @domain. A lookup result of DUNNO terminates the search without overriding the global default_transport parameter setting. This information is overruled with the \fBtransport\fR(5) table. .PP +Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +.PP Note: this overrides default_transport, not transport_maps, and therefore the expected syntax is that of default_transport, not the syntax of transport_maps. Specifically, this does not support the @@ -5745,6 +5793,10 @@ later). This information is overruled with relay_transport, sender_dependent_default_transport_maps, default_transport and with the \fBtransport\fR(5) table. .PP +Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +.PP For safety reasons, this feature does not allow $number substitutions in regular expression maps. .PP @@ -6081,6 +6133,10 @@ remote SMTP server. See smtp_discard_ehlo_keywords for details. The table is not indexed by hostname for consistency with smtpd_discard_ehlo_keyword_address_maps. .PP +Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +.PP This feature is available in Postfix 2.2 and later. .SH smtp_discard_ehlo_keywords (default: empty) A case insensitive list of EHLO keywords (pipelining, starttls, 
@@ -6246,6 +6302,10 @@ This is needed when the local machine does not have its own Internet domain name, but uses something like \fIlocaldomain.local\fR instead. .PP +Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +.PP The table format and lookups are documented in \fBgeneric\fR(5); examples are shown in the ADDRESS_REWRITING_README and STANDARD_CONFIGURATION_README documents. @@ -6385,6 +6445,10 @@ per-destination workarounds for CISCO PIX firewall bugs. The table is not indexed by hostname for consistency with smtp_discard_ehlo_keyword_address_maps. .PP +Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +.PP This feature is available in Postfix 2.4 and later. .SH smtp_pix_workaround_threshold_time (default: 500s) How long a message must be queued before the Postfix SMTP client @@ -6633,6 +6697,10 @@ attempt to authenticate to the remote host. .PP The Postfix SMTP client opens the lookup table before going to chroot jail, so you can leave the password file in /etc/postfix. +.PP +Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. .SH smtp_sasl_path (default: empty) Implementation-specific information that the Postfix SMTP client passes through to 
@@ -7244,15 +7312,14 @@ Enable additional Postfix SMTP client logging of TLS activity. Each logging level also includes the information that is logged at a lower logging level. .IP "" -0 Log only a summary message on TLS handshake completion -- no logging of remote SMTP server certificate trust-chain -verification errors if server certificate verification is not required. -With Postfix 2.8 and earlier, disable logging of TLS activity. +0 Disable logging of TLS activity. .br .IP "" -1 Also log remote SMTP server trust-chain verification -errors and peer certificate summary information. With Postfix 2.8 -and earlier, log TLS handshake and certificate information. +1 Log only a summary message on TLS handshake completion +- no logging of remote SMTP server certificate trust-chain +verification errors if server certificate verification is not required. +With Postfix 2.8 and earlier, log the summary message and unconditionally +log trust-chain verification errors. .br .IP "" 2 Also log levels during TLS negotiation. @@ -7512,6 +7579,10 @@ policy by next-hop destination; when a non-empty value is specified, this overrides the obsolete smtp_tls_per_site parameter. See TLS_README for a more detailed discussion of TLS security levels. .PP +Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +.PP The TLS policy table is indexed by the full next-hop destination, which is either the recipient domain, or the verbatim next-hop specified in the transport table, $local_transport, $virtual_transport, 
@@ -8878,7 +8949,11 @@ case insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.) that the Postfix SMTP server will not send in the EHLO response to a remote SMTP client. See smtpd_discard_ehlo_keywords for details. -The table is not searched by hostname for robustness reasons. +The tables are not searched by hostname for robustness reasons. +.PP +Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. .PP This feature is available in Postfix 2.2 and later. .SH smtpd_discard_ehlo_keywords (default: empty) @@ -9445,7 +9520,7 @@ non-permanent error code. This feature is available in Postfix .IP "\fBreject_unknown_recipient_domain\fR" Reject the request when Postfix is not final destination for the recipient domain, and the RCPT TO domain has 1) no DNS MX and -no DNS address +no DNS A record or 2) a malformed MX record such as a record with a zero-length MX hostname (Postfix version 2.3 and later). .br @@ -9916,7 +9991,9 @@ This feature is available in Postfix 2.3 and later. Optional lookup table with the SASL login names that own sender (MAIL FROM) addresses. .PP -Specify zero or more "type:table" lookup tables. With lookups from +Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. With lookups from indexed files such as DB or DBM, or from networked tables such as NIS, LDAP or SQL, the following search operations are done with a sender address of \fIuser@domain\fR: @@ -10019,7 +10096,7 @@ Postfix version 2.1 and later. .IP "\fBreject_unknown_sender_domain\fR" Reject the request when Postfix is not final destination for the sender address, and the MAIL FROM domain has 1) no DNS MX and -no DNS address +no DNS A record, or 2) a malformed MX record such as a record with a zero-length MX hostname (Postfix version 2.3 and later). .br 
@@ -10680,16 +10757,14 @@ Enable additional Postfix SMTP server logging of TLS activity. Each logging level also includes the information that is logged at a lower logging level. .IP "" -0 Log only a summary message on TLS handshake completion -- no logging of remote SMTP client certificate trust-chain verification -errors -if client certificate verification is not required. With Postfix 2.8 -and earlier, disable logging of TLS activity. +0 Disable logging of TLS activity. .br .IP "" -1 Also log trust-chain verification errors and peer -certificate name and issuer. With Postfix 2.8 and earlier, log TLS -handshake and certificate information. +1 Log only a summary message on TLS handshake completion +- no logging of client certificate trust-chain verification errors +if client certificate verification is not required. With Postfix 2.8 and +earlier, log the summary message, peer certificate summary information +and unconditionally log trust-chain verification errors. .br .IP "" 2 Also log levels during TLS negotiation. @@ -12031,7 +12106,9 @@ Optional lookup tables with mappings from recipient address to (message delivery transport, next-hop destination). See \fBtransport\fR(5) for details. .PP -Specify zero or more "type:table" lookup tables. If you use this +Specify zero or more "type:table" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. If you use this feature with local files, run "\fBpostmap /etc/postfix/transport\fR" after making a change. .PP 
@@ -12361,6 +12438,11 @@ manipulations see the ADDRESS_REWRITING_README document. This feature is available in Postfix 2.0 and later. The default value is backwards compatible with Postfix version 1.1. .PP +Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +Note: these lookups are recursive. +.PP If you use this feature with indexed files, run "\fBpostmap /etc/postfix/virtual\fR" after changing the file. .PP @@ -12410,6 +12492,10 @@ This parameter is specific to the \fBvirtual\fR(8) delivery agent. It does not apply when mail is delivered with a different mail delivery program. .PP +Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +.PP In a lookup table, specify a left-hand side of "@domain.tld" to match any user in the specified domain that does not have a specific "user@domain.tld" entry. @@ -12488,6 +12574,10 @@ Note 2: the default setting of this parameter is system dependent. Optional lookup tables with all valid addresses in the domains that match $virtual_mailbox_domains. .PP +Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +.PP In a lookup table, specify a left-hand side of "@domain.tld" to match any user in the specified domain that does not have a specific "user@domain.tld" entry. 
@@ -12551,6 +12641,10 @@ This parameter is specific to the \fBvirtual\fR(8) delivery agent. It does not apply when mail is delivered with a different mail delivery program. .PP +Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +.PP In a lookup table, specify a left-hand side of "@domain.tld" to match any user in the specified domain that does not have a specific "user@domain.tld" entry. diff --git a/postfix/man/man8/dnsblog.8 b/postfix/man/man8/dnsblog.8 index 5f485051b..5f1fdcda7 100644 --- a/postfix/man/man8/dnsblog.8 +++ b/postfix/man/man8/dnsblog.8 @@ -22,8 +22,8 @@ replaced by an UDP client that is built directly into the .ad .fi With each connection, the \fBdnsblog\fR(8) server receives -a DNS white/blacklist domain name, IP address, and an ID. -If the address is listed under the DNS white/blacklist, the +a DNS white/blacklist domain name, an IP address, and an ID. +If the IP address is listed under the DNS white/blacklist, the \fBdnsblog\fR(8) server logs the match and replies with the query arguments plus an address list with the resulting IP addresses separated by whitespace. Otherwise it replies diff --git a/postfix/man/man8/postscreen.8 b/postfix/man/man8/postscreen.8 index de8bb2401..c6d20db71 100644 --- a/postfix/man/man8/postscreen.8 +++ b/postfix/man/man8/postscreen.8 @@ -248,6 +248,10 @@ Available in Postfix version 2.11 and later: Allow a remote SMTP client to skip "before" and "after 220 greeting" protocol tests, based on its combined DNSBL score as defined with the postscreen_dnsbl_sites parameter. +.PP +Available in Postfix version 2.11 and later: +.IP "\fBpostscreen_dnsbl_timeout (10s)\fR" +The time limit for DNSBL or DNSWL lookups. .SH "AFTER 220 GREETING TESTS" .na .nf diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink index 1a30542aa..0afd34830 100755 --- a/postfix/mantools/postlink +++ b/postfix/mantools/postlink 
@@ -988,6 +988,7 @@ while (<>) { s;\bpostscreen_dnsbl_whitelist_thresh[-]*\n* *[]*old\b;$&;g; s;\bpostscreen_dnsbl_action\b;$&;g; s;\bpostscreen_dnsbl_ttl\b;$&;g; + s;\bpostscreen_dnsbl_timeout\b;$&;g; s;\bpostscreen_for[-]*\n*[ ]*bid[-]*\n* *[]*den_commands\b;$&;g; s;\bpostscreen_helo_required\b;$&;g; s;\bpostscreen_non_smtp_command_enable\b;$&;g; diff --git a/postfix/proto/POSTSCREEN_README.html b/postfix/proto/POSTSCREEN_README.html index 05ba2f99e..20d6186ce 100644 --- a/postfix/proto/POSTSCREEN_README.html +++ b/postfix/proto/POSTSCREEN_README.html @@ -872,8 +872,8 @@ For example:

 /etc/postfix/dnsbl_reply:
-    # Secret DNSBL name        Name in postscreen(8) replies
-    secret.zen.spamhaus.org    zen.spamhaus.org
+    # Secret DNSBL name           Name in postscreen(8) replies
+    secret.zen.dq.spamhaus.net    zen.spamhaus.org
 

The texthash: format is similar to hash: except that there is diff --git a/postfix/proto/SMTPD_ACCESS_README.html b/postfix/proto/SMTPD_ACCESS_README.html index 0e68b0d5e..bc98424fc 100644 --- a/postfix/proto/SMTPD_ACCESS_README.html +++ b/postfix/proto/SMTPD_ACCESS_README.html @@ -202,6 +202,7 @@ described in the postconf(5) manual page.

# (available with Postfix 2.10 and later). reject_unauth_destination reject_rbl_client zen.spamhaus.org, + reject_rhsbl_reverse_client dbl.spamhaus.org, reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org diff --git a/postfix/proto/TLS_README.html b/postfix/proto/TLS_README.html index a52033d83..e62c14af9 100644 --- a/postfix/proto/TLS_README.html +++ b/postfix/proto/TLS_README.html @@ -384,16 +384,15 @@ logging level.

Level Postfix 2.9 and later Earlier releases. - 0 Log only a summary + 0 Disable +logging of TLS activity. + + 1 Log only a summary message on TLS handshake completion — no logging of client certificate trust-chain verification errors if client certificate -verification is not required. Disable logging -of TLS activity. - - 1 Also log trust-chain -verification errors and peer certificate summary information. - Also log TLS handshake and certificate information. - +verification is not required. Log the summary +message, peer certificate summary information and unconditionally log +trust-chain verification errors. 2 Also log levels during TLS negotiation. @@ -1750,16 +1749,15 @@ logging level.

Level Postfix 2.9 and later Earlier releases. - 0 Log only a summary -message on TLS handshake completion — no logging of remote -SMTP server certificate trust-chain verification errors if server -certificate verification is not required. -Disable logging of TLS activity. + 0 Disable +logging of TLS activity. - 1 Also log remote -SMTP server trust-chain verification errors and peer certificate -summary information. Also log TLS handshake -and certificate information. + 1 Log only a summary +message on TLS handshake completion — no logging of remote SMTP +server certificate trust-chain verification errors if server certificate +verification is not required. Log the summary +message and unconditionally log trust-chain verification errors. + 2 Also log levels during TLS negotiation. diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 8ee4b042d..cd82f401c 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -481,6 +481,10 @@ alias_database = hash:/etc/mail/aliases

The alias databases that are used for local(8) delivery. See aliases(5) for syntax details. +Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +Note: these lookups are recursive.

@@ -794,6 +798,13 @@ are documented in canonical(5). For an overview of Postfix address manipulations see the ADDRESS_REWRITING_README document.

+

+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+Note: these lookups are recursive.
+

+

If you use this feature, run "postmap /etc/postfix/canonical" to build the necessary DBM or DB file after every change. The changes @@ -2301,6 +2312,12 @@ Technically, tables listed with $local_recipient_maps are used as lists: Postfix needs to know only if a lookup string is found or not, but it does not use the result from table lookup.

+

+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+

+

If this parameter is non-empty (the default), then the Postfix SMTP server will reject mail for unknown local users. @@ -3426,7 +3443,9 @@ supported) is added when mail enters from outside of Postfix.

-This feature is available in Postfix 2.1 and later.
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.

@@ -3452,11 +3471,6 @@ equals $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces. -

-Specify the types and names of databases to use. After change,
-run "postmap /etc/postfix/recipient_bcc".
-

-

Note: with Postfix 2.3 and later the BCC address is added as if it was specified with NOTIFY=NONE. The sender will not be notified @@ -3482,6 +3496,14 @@ Example: recipient_bcc_maps = hash:/etc/postfix/recipient_bcc +

+After a change, run "postmap /etc/postfix/recipient_bcc".
+

+ +

+This feature is available in Postfix 2.1 and later.
+

+ %PARAM recipient_canonical_maps

@@ -3546,7 +3568,7 @@ recipient_delimiter = +

 # Handle both Postfix and qmail extensions (Postfix 2.11 and later).
-recipient_delimiters = +-
+recipient_delimiter = +-
 
@@ -3619,6 +3641,12 @@ listed with $relay_recipient_maps are used as lists: Postfix needs
 to know only if a lookup string is found or not, but it does not
 use the result from table lookup.  

+

+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+

+

If this parameter is non-empty, then the Postfix SMTP server will reject mail to unknown relay users. This feature is off by default. @@ -3687,6 +3715,12 @@ domains that no longer exist. The table format and lookups are documented in relocated(5).

+

+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+

+

If you use this feature, run "postmap /etc/postfix/relocated" to build the necessary DBM or DB file after change, then "postfix @@ -3749,7 +3783,9 @@ by sender address. The BCC address (multiple results are not supported) is added when mail enters from outside of Postfix.

-This feature is available in Postfix 2.1 and later.
+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.

@@ -3775,11 +3811,6 @@ equals $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces. -

-Specify the types and names of databases to use. After change,
-run "postmap /etc/postfix/sender_bcc".
-

-

Note: with Postfix 2.3 and later the BCC address is added as if it was specified with NOTIFY=NONE. The sender will not be notified @@ -3805,6 +3836,14 @@ Example: sender_bcc_maps = hash:/etc/postfix/sender_bcc

+

+After a change, run "postmap /etc/postfix/sender_bcc".
+

+ +

+This feature is available in Postfix 2.1 and later.
+

+ %PARAM sender_canonical_maps

@@ -4405,6 +4444,12 @@ The Postfix SMTP client opens the lookup table before going to chroot jail, so you can leave the password file in /etc/postfix.

+

+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+

+ %PARAM smtp_sasl_security_options noplaintext, noanonymous

Postfix SMTP client SASL security options; as of Postfix 2.3 @@ -5897,7 +5942,7 @@ non-permanent error code. This feature is available in Postfix

Reject the request when Postfix is not final destination for the recipient domain, and the RCPT TO domain has 1) no DNS MX and -no DNS address +no DNS A record or 2) a malformed MX record such as a record with a zero-length MX hostname (Postfix version 2.3 and later).
The unknown_address_reject_code parameter specifies the numerical @@ -6226,7 +6271,9 @@ Optional lookup table with the SASL login names that own sender

-Specify zero or more "type:table" lookup tables. With lookups from +Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. With lookups from indexed files such as DB or DBM, or from networked tables such as NIS, LDAP or SQL, the following search operations are done with a sender address of user@domain:

@@ -6356,7 +6403,7 @@ Postfix version 2.1 and later.
Reject the request when Postfix is not final destination for the sender address, and the MAIL FROM domain has 1) no DNS MX and -no DNS address +no DNS A record, or 2) a malformed MX record such as a record with a zero-length MX hostname (Postfix version 2.3 and later).
The unknown_address_reject_code parameter specifies the numerical @@ -6565,7 +6612,9 @@ for details.

-Specify zero or more "type:table" lookup tables. If you use this +Specify zero or more "type:table" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. If you use this feature with local files, run "postmap /etc/postfix/transport" after making a change.

@@ -6823,6 +6872,13 @@ This feature is available in Postfix 2.0 and later. The default value is backwards compatible with Postfix version 1.1.

+

+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+Note: these lookups are recursive.
+

+

If you use this feature with indexed files, run "postmap /etc/postfix/virtual" after changing the file. @@ -7651,6 +7707,12 @@ is: aliases, .forward files, mailbox_transport_maps, mailbox_transport, mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory, fallback_transport_maps, fallback_transport and luser_relay.

+

+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+

+ %PARAM mailbox_delivery_lock see "postconf -d" output

@@ -7872,6 +7934,11 @@ This is a read-only parameter.

The lookup tables that the proxymap(8) server is allowed to access for the read-only service. +

+ +

+Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Table references that don't begin with proxy: are ignored.

@@ -8493,6 +8560,12 @@ delivery. It does not apply when mail is delivered with a different mail delivery program.

+

+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+

+

In a lookup table, specify a left-hand side of "@domain.tld" to match any user in the specified domain that does not have a specific @@ -8602,6 +8675,12 @@ Optional lookup tables with all valid addresses in the domains that match $virtual_mailbox_domains.

+

+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+

+

In a lookup table, specify a left-hand side of "@domain.tld" to match any user in the specified domain that does not have a specific @@ -8684,6 +8763,12 @@ delivery agent uses while writing to the recipient's mailbox. It does not apply when mail is delivered with a different mail delivery program.

+

+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+

+

In a lookup table, specify a left-hand side of "@domain.tld" to match any user in the specified domain that does not have a @@ -8789,6 +8874,12 @@ remote SMTP server. See smtp_discard_ehlo_keywords for details. The table is not indexed by hostname for consistency with smtpd_discard_ehlo_keyword_address_maps.

+

+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+

+

This feature is available in Postfix 2.2 and later.

%PARAM smtpd_discard_ehlo_keyword_address_maps @@ -8798,7 +8889,13 @@ case insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.) that the Postfix SMTP server will not send in the EHLO response to a remote SMTP client. See smtpd_discard_ehlo_keywords for details. -The table is not searched by hostname for robustness reasons.

+The tables are not searched by hostname for robustness reasons.

+ +

+Specify zero or more "type:name" lookup tables, separated by
+whitespace of comma. Tables will be searched in the specified order
+until a match is found.
+

This feature is available in Postfix 2.2 and later.

@@ -9129,15 +9226,13 @@ a lower logging level.

-
0 Log only a summary message on TLS handshake completion -— no logging of remote SMTP client certificate trust-chain verification -errors -if client certificate verification is not required. With Postfix 2.8 -and earlier, disable logging of TLS activity.
+
0 Disable logging of TLS activity.
-
1 Also log trust-chain verification errors and peer -certificate name and issuer. With Postfix 2.8 and earlier, log TLS -handshake and certificate information.
+
1 Log only a summary message on TLS handshake completion +— no logging of client certificate trust-chain verification errors +if client certificate verification is not required. With Postfix 2.8 and +earlier, log the summary message, peer certificate summary information +and unconditionally log trust-chain verification errors.
2 Also log levels during TLS negotiation.
@@ -9553,14 +9648,13 @@ a lower logging level.

-
0 Log only a summary message on TLS handshake completion +
0 Disable logging of TLS activity.
+ +
1 Log only a summary message on TLS handshake completion — no logging of remote SMTP server certificate trust-chain verification errors if server certificate verification is not required. -With Postfix 2.8 and earlier, disable logging of TLS activity.
- -
1 Also log remote SMTP server trust-chain verification -errors and peer certificate summary information. With Postfix 2.8 -and earlier, log TLS handshake and certificate information.
+With Postfix 2.8 and earlier, log the summary message and unconditionally +log trust-chain verification errors.
2 Also log levels during TLS negotiation.
@@ -9937,6 +10031,12 @@ This is needed when the local machine does not have its own Internet domain name, but uses something like localdomain.local instead.

+

+Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +

+

The table format and lookups are documented in generic(5); examples are shown in the ADDRESS_REWRITING_README and STANDARD_CONFIGURATION_README documents.

@@ -10062,6 +10162,12 @@ later). This information is overruled with relay_transport, sender_dependent_default_transport_maps, default_transport and with the transport(5) table.

+

+Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +

+

For safety reasons, this feature does not allow $number substitutions in regular expression maps.

@@ -10467,6 +10573,12 @@ is: aliases, .forward files, mailbox_transport_maps, mailbox_transport, mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory, fallback_transport_maps, fallback_transport and luser_relay.

+

+Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +

+

For safety reasons, this feature does not allow $number substitutions in regular expression maps.

@@ -10637,6 +10749,12 @@ this overrides the obsolete smtp_tls_per_site parameter. See TLS_README for a more detailed discussion of TLS security levels.

+

+Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +

+

The TLS policy table is indexed by the full next-hop destination, which is either the recipient domain, or the verbatim next-hop specified in the transport table, $local_transport, $virtual_transport, @@ -11830,6 +11948,12 @@ per-destination workarounds for CISCO PIX firewall bugs. The table is not indexed by hostname for consistency with smtp_discard_ehlo_keyword_address_maps.

+

+Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +

+

This feature is available in Postfix 2.4 and later.

%PARAM lmtp_pix_workarounds @@ -13856,6 +13980,12 @@ address and @domain. A lookup result of DUNNO terminates the search without overriding the global default_transport parameter setting. This information is overruled with the transport(5) table.

+

+Specify zero or more "type:name" lookup tables, separated by +whitespace of comma. Tables will be searched in the specified order +until a match is found. +

+

Note: this overrides default_transport, not transport_maps, and therefore the expected syntax is that of default_transport, not the syntax of transport_maps. Specifically, this does not support the @@ -14179,6 +14309,13 @@ the file is read).

This feature is available in Postfix 2.8.

+%PARAM postscreen_dnsbl_timeout 10s + +

The time limit for DNSBL or DNSWL lookups. This is separate from +the timeouts in the dnsblog(8) daemon which are defined by system +resolver(3) routines.

+ +

This feature is available in Postfix 2.12.

%PARAM postscreen_bare_newline_action ignore

The action that postscreen(8) takes when a remote SMTP client sends diff --git a/postfix/src/dnsblog/dnsblog.c b/postfix/src/dnsblog/dnsblog.c index d2f6843a8..33af6c852 100644 --- a/postfix/src/dnsblog/dnsblog.c +++ b/postfix/src/dnsblog/dnsblog.c @@ -14,8 +14,8 @@ /* .ad /* .fi /* With each connection, the \fBdnsblog\fR(8) server receives -/* a DNS white/blacklist domain name, IP address, and an ID. -/* If the address is listed under the DNS white/blacklist, the +/* a DNS white/blacklist domain name, an IP address, and an ID. +/* If the IP address is listed under the DNS white/blacklist, the /* \fBdnsblog\fR(8) server logs the match and replies with the /* query arguments plus an address list with the resulting IP /* addresses separated by whitespace. Otherwise it replies diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index b8cab5a57..174fdf906 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -3447,6 +3447,10 @@ extern int var_psc_dnsbl_ttl; #define DEF_PSC_DNSBL_REPLY "" extern char *var_psc_dnsbl_reply; +#define VAR_PSC_DNSBL_TMOUT "postscreen_dnsbl_timeout" +#define DEF_PSC_DNSBL_TMOUT "10s" +extern int var_psc_dnsbl_tmout; + #define VAR_PSC_PIPEL_ENABLE "postscreen_pipelining_enable" #define DEF_PSC_PIPEL_ENABLE 0 extern bool var_psc_pipel_enable; diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 5aa05bd26..0f5cb367e 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20140406" +#define MAIL_RELEASE_DATE "20140507" #define MAIL_VERSION_NUMBER "2.12" #ifdef SNAPSHOT diff --git a/postfix/src/postscreen/postscreen.c b/postfix/src/postscreen/postscreen.c index 5f5e255de..fb0227c12 100644 --- a/postfix/src/postscreen/postscreen.c 
+++ b/postfix/src/postscreen/postscreen.c @@ -220,6 +220,10 @@ /* Allow a remote SMTP client to skip "before" and "after 220 /* greeting" protocol tests, based on its combined DNSBL score as /* defined with the postscreen_dnsbl_sites parameter. +/* .PP +/* Available in Postfix version 2.11 and later: +/* .IP "\fBpostscreen_dnsbl_timeout (10s)\fR" +/* The time limit for DNSBL or DNSWL lookups. /* AFTER 220 GREETING TESTS /* .ad /* .fi @@ -473,6 +477,7 @@ int var_psc_dnsbl_thresh; int var_psc_dnsbl_wthresh; char *var_psc_dnsbl_action; int var_psc_dnsbl_ttl; +int var_psc_dnsbl_tmout; bool var_psc_pipel_enable; char *var_psc_pipel_action; @@ -1122,6 +1127,8 @@ int main(int argc, char **argv) VAR_PSC_CACHE_SCAN, DEF_PSC_CACHE_SCAN, &var_psc_cache_scan, 0, 0, VAR_PSC_WATCHDOG, DEF_PSC_WATCHDOG, &var_psc_watchdog, 10, 0, VAR_PSC_UPROXY_TMOUT, DEF_PSC_UPROXY_TMOUT, &var_psc_uproxy_tmout, 1, 0, + VAR_PSC_DNSBL_TMOUT, DEF_PSC_DNSBL_TMOUT, &var_psc_dnsbl_tmout, 1, 0, + 0, }; static const CONFIG_BOOL_TABLE bool_table[] = { diff --git a/postfix/src/postscreen/postscreen_dnsbl.c b/postfix/src/postscreen/postscreen_dnsbl.c index ef3140b6e..9d379e740 100644 --- a/postfix/src/postscreen/postscreen_dnsbl.c +++ b/postfix/src/postscreen/postscreen_dnsbl.c @@ -86,7 +86,6 @@ /* * Talking to the DNSBLOG service. */ -#define DNSBLOG_TIMEOUT 10 static char *psc_dnsbl_service; /* @@ -425,7 +424,7 @@ static void psc_dnsbl_receive(int event, char *context) PSC_CALL_BACK_NOTIFY(score, PSC_NULL_EVENT); } else if (event == EVENT_TIME) { msg_warn("dnsblog reply timeout %ds for %s", - DNSBLOG_TIMEOUT, (char *) vstream_context(stream)); + var_psc_dnsbl_tmout, (char *) vstream_context(stream)); } /* Here, score may be a null pointer. */ vstream_fclose(stream); 
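Review bot: The manual-page comment added in the first postscreen.c hunk says postscreen_dnsbl_timeout is available in "Postfix version 2.11 and later", which contradicts the rest of this commit: the postconf.proto text says "available in Postfix 2.12" and mail_version.h carries MAIL_VERSION_NUMBER "2.12". The line should read `/* Available in Postfix version 2.12 and later:`. The comment uses nroff markup, so it is presumably the source of the postscreen(8) page, and an administrator on 2.11 would be told about a parameter that release does not have. The comment block starts and ends outside the hunk.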
@@ -521,7 +520,7 @@ int psc_dnsbl_request(const char *client_addr, continue; } PSC_READ_EVENT_REQUEST(vstream_fileno(stream), psc_dnsbl_receive, - (char *) stream, DNSBLOG_TIMEOUT); + (char *) stream, var_psc_dnsbl_tmout); score->pending_lookups += 1; } return (PSC_CALL_BACK_INDEX_OF_LAST(score)); diff --git a/postfix/src/smtp/smtp.h b/postfix/src/smtp/smtp.h index ee9e5062f..e966ff6b1 100644 --- a/postfix/src/smtp/smtp.h +++ b/postfix/src/smtp/smtp.h @@ -195,7 +195,7 @@ typedef struct SMTP_STATE { STR((state)->iterator->request_nexthop)[0] = 0; \ } -#define HAVE_NEXTHOP_STATE(state) (STR((state)->iterator->request_nexthop) != 0) +#define HAVE_NEXTHOP_STATE(state) (STR((state)->iterator->request_nexthop)[0] != 0) /* diff --git a/postfix/src/smtp/smtp_connect.c b/postfix/src/smtp/smtp_connect.c index 5fcbed6db..3ae3af90b 100644 --- a/postfix/src/smtp/smtp_connect.c +++ b/postfix/src/smtp/smtp_connect.c @@ -666,6 +666,7 @@ static int smtp_reuse_session(SMTP_STATE *state, DNS_RR **addr_list, #endif SMTP_ITER_SAVE_DEST(state->iterator); if (*addr_list && SMTP_RCPT_LEFT(state) > 0 + && HAVE_NEXTHOP_STATE(state) && (session = smtp_reuse_nexthop(state, SMTP_KEY_MASK_SCACHE_DEST_LABEL)) != 0) { session_count = 1; smtp_update_addr_list(addr_list, STR(iter->addr), session_count); diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c index 79175eef7..715d82e33 100644 --- a/postfix/src/smtpd/smtpd_check.c +++ b/postfix/src/smtpd/smtpd_check.c @@ -3616,6 +3616,7 @@ static int check_policy_service(SMTPD_STATE *state, const char *server, ATTR_TYPE_STR, MAIL_ATTR_ACT_PROTO_NAME, state->protocol, ATTR_TYPE_STR, MAIL_ATTR_ACT_CLIENT_ADDR, state->addr, ATTR_TYPE_STR, MAIL_ATTR_ACT_CLIENT_NAME, state->name, + ATTR_TYPE_STR, MAIL_ATTR_ACT_CLIENT_PORT, state->port, ATTR_TYPE_STR, MAIL_ATTR_ACT_REVERSE_CLIENT_NAME, state->reverse_name, ATTR_TYPE_STR, MAIL_ATTR_ACT_HELO_NAME, 
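Review bot: HAVE_NEXTHOP_STATE in smtp.h has no comment saying that "have" means a non-empty string, which is exactly the distinction the old form got wrong. The old test compared the result of STR() with 0, and the reset macro just above writes through that same pointer, so the old predicate could presumably never be false. I would add `/* True only when the nexthop key is non-empty; the buffer pointer itself is always set. */` above the definition. The commit message ties this predicate to connections being cached under keys that did not distinguish by destination, so the contract belongs next to the macro.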
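Review bot: The added `&& HAVE_NEXTHOP_STATE(state)` condition in smtp_reuse_session carries no comment, so nothing at the call site says that an empty nexthop key must never reach smtp_reuse_nexthop. I would put `/* No nexthop key, no lookup: an empty key does not identify a destination. */` above the `if`. The commit message describes the consequence as recipients being given to the wrong mail server, so it may also be worth rejecting an empty key inside smtp_reuse_nexthop and in the code that saves a session by nexthop. Neither is visible here, and a check there would stop a later caller from reintroducing the problem. smtp_reuse_session starts before this hunk and continues after it.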
diff --git a/postfix/src/util/mask_addr.c b/postfix/src/util/mask_addr.c index cb37c66ee..5ddd0ca06 100644 --- a/postfix/src/util/mask_addr.c +++ b/postfix/src/util/mask_addr.c @@ -61,7 +61,7 @@ void mask_addr(unsigned char *addr_bytes, network_bits %= CHAR_BIT; if (network_bits != 0) - *p++ &= ~0 << (CHAR_BIT - network_bits); + *p++ &= ~0U << (CHAR_BIT - network_bits); while (p < addr_bytes + addr_byte_count) *p++ = 0;
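Review bot: The `~0U` in mask_addr has no comment explaining why the suffix matters, so the change reads as cosmetic and a later cleanup could revert it. With plain `~0` the left operand is a negative int, and left-shifting a negative value is undefined behaviour; the unsigned form is well defined, and the `&=` into an unsigned char then keeps only the low bits. I would add `/* ~0U, not ~0: left-shifting a negative int is undefined behaviour. */` above the statement. The function begins before this hunk and its closing brace is outside it.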