From: Wietse Venema
Date: Sun, 23 Jun 2013 05:00:00 +0000 (-0500)
Subject: postfix-2.11-20130623
X-Git-Tag: v2.11.0-RC1~29
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6808166cf8837a45aab9959a3266edb00489d1ab;p=thirdparty%2Fpostfix.git
postfix-2.11-20130623
---
diff --git a/postfix/HISTORY b/postfix/HISTORY
index 1db43c106..4db5f8301 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -18707,9 +18707,10 @@ Apologies for any names omitted.
20100613
Workaround: unhelpful down-stream maintainers fail to install
- the new smtpd_relay_restrictions safety net, causing things
- to break. We hard-code the safety net instead. Files:
- global/mail_params.h, conf/post-install, RELEASE_NOTES_2.10.
+ the new smtpd_relay_restrictions safety net, causing breakage
+ that could have been avoided. We now hard-code the safety
+ net instead. Files: global/mail_params.h, conf/post-install,
+ RELEASE_NOTES_2.10.
Bugfix (DANE support): when TLSA records are insecure,
report that none are found. Viktor Dukhovni. Files:
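Review bot: the entry header in the context line reads "20100613", but the 20130622 entry added further down refers to "the 20130613 smtpd_relay_restrictions default setting" and this entry's file list cites RELEASE_NOTES_2.10, so the header date looks like a typo for 20130613; correct it so the two entries cross-reference cleanly.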
@@ -18741,3 +18742,22 @@ Apologies for any names omitted.
tls/tls_dane.c, tls/tls_fprint.c, tls/tls_misc.c,
tls/tls_verify.c.
+20130619
+
+ Documentation: troff lint. Patch by ES Raymond's bot. File:
+ proto/header_checks.
+
+ Cleanup: enforce smtpd_client_recipient_rate_limit for VRFY
+ commands. File: smtpd/smtpd.c.
+
+20130622
+
+ Bugfix: typo in the 20130613 smtpd_relay_restrictions default
+ setting. File: global/mail_params.h.
+
+20130623
+
+ Cleanup: configurable tlsmgr(8) service name. Files:
+ mantools/postlink, proto/postconf.proto, tls/tls_mgr.c,
+ tls/tls_misc.c, tlsproxy/tls-proxy.c, smtp/smtp.c,
+ smtpd/smtpd.c.
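Review bot: the 20130622 entry "Bugfix: typo in the 20130613 smtpd_relay_restrictions default setting" does not say what the typo was or whether the effective default changed; because this parameter is the relay safety net that the entry above hard-codes, state the impact so administrators running the affected snapshots know whether they need to upgrade. The 20130619 "Cleanup" entry that applies smtpd_client_recipient_rate_limit to VRFY commands also changes visible behaviour (VRFY probes now count toward a client's recipient rate), so it deserves a RELEASE_NOTES mention, not only a HISTORY line.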
diff --git a/postfix/html/TLS_README.html b/postfix/html/TLS_README.html
index 942e77165..c89e203db 100644
--- a/postfix/html/TLS_README.html
+++ b/postfix/html/TLS_README.html
@@ -606,10 +606,25 @@ In order to change this behavior, set
The Postfix SMTP server and the remote SMTP client negotiate
a session, which takes some computer time and network bandwidth.
-By default, this session information is cached only in the smtpd(8)
-process actually using this session and is lost when the process
-terminates. To share the session information between multiple
-smtpd(8) processes, a persistent session cache can be used. You
+SSLv3, TLSv1 and later support resumption of cached sessions. Not
+is this more CPU and bandwidth efficient, it also reduces latency
+as it uses only one network round-trip instead of two.
+
+ Since Postfix uses multiple smtpd(8) service processes, an in
+memory cache is not sufficient for session re-use. Clients store
+at most one cached session per server and are very unlikey to
+repeatedly connect to the same server process. With a per-process
+server cache, when a client attempts to reuse a session with a
+different process than the one that created it, a new session is
+negotiated and the old forgotten. Returning to the original server
+process later (except with back to back connections) does not help,
+as that session has most probably been replaced. Thus session
+caching in the Postfix SMTP server generally requires a shared cache
+(an alternative available with Postfix ≥ 2.11 is described below).
+
+
+ To share the session information between multiple
+smtpd(8) processes, a session cache database is used. You
can specify any database type that can store objects of several
kbytes and that supports the sequence operator. DBM databases are
not suitable because they can only store small objects. The cache
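Review bot: two wording errors in the added text: "Not is this more CPU and bandwidth efficient" is missing "only" ("Not only is this more CPU and bandwidth efficient"), and "are very unlikey to repeatedly connect" should read "unlikely". The hunk also inserts two consecutive blank lines before "To share the session information", where one is enough.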
@@ -617,6 +632,24 @@ is maintained by the tlsmgr(8) process, so there is
concurrent access. Session caching is highly recommended, because
the cost of repeatedly negotiating TLS session keys is high.
+ Starting with Postfix 2.11, linked with a compatible OpenSSL
+library (at least 0.9.8h, preferrably 1.0.0 or later) the Postfix
+SMTP server supports RFC 5077 TLS session resumption without
+server-side state when the remote SMTP client also supports RFC
+5077. The session is encrypted by the server in a session
+ticket returned to client for storage. When a client sends a
+valid session ticket, the server decrypts it and resumes the session,
+provided neither the ticket nor the session have expired. This
+makes it possible to resume cached sessions without allocating space
+for a shared database on the server. This feature can be disabled
+by setting the session cache timeout to zero, otherwise the timeout
+must be at least 2 minutes and at most 100 days.
+
+ Note, session tickets can only be negotiated if the client
+disables SSLv2 and does not use the legacy SSLv2 compatible HELLO
+message. This is true by default with the Postfix ≥ 2.6 SMTP
+client.
+
Example:
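Review bot: the RFC 5077 paragraph says the session "is encrypted by the server in a session ticket" but never says which key does the encrypting, where it is kept, or how often it is rotated; since the same paragraph allows a session cache timeout of up to 100 days and the context line names tlsmgr(8) as the process that maintains the cache, add a sentence on the ticket key's location and rotation interval, because a resumed session is only as confidential as that key. Also fix "preferrably" in "(at least 0.9.8h, preferrably 1.0.0 or later)" to "preferably", "returned to client" to "returned to the client", and "Note, session tickets" to "Note: session tickets".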
@@ -648,7 +681,7 @@ recommends a maximum of 24 hours.
When the Postfix SMTP server does not save TLS sessions to an
external cache database, client-side session caching is unlikely
-to be useful. To prevent such wastage, the Postfix SMTP server can
+to be useful. To reduce waste of client resources, the Postfix SMTP server can
be configured to not issue TLS session ids. By default the Postfix
SMTP server always issues TLS session ids. This works around known
interoperability issues with some MUAs, and prevents possible
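Review bot: the rewritten line "to be useful. To reduce waste of client resources, the Postfix SMTP server can" runs to 79 columns while the surrounding paragraph wraps near 70; rewrap the sentence so the paragraph keeps a uniform width.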
diff --git a/postfix/html/header_checks.5.html b/postfix/html/header_checks.5.html
index c1d2fe860..85fda866a 100644
--- a/postfix/html/header_checks.5.html
+++ b/postfix/html/header_checks.5.html
@@ -394,7 +394,7 @@ HEADER_CHECKS(5) HEADER_CHECKS(5)
are From:, To:, Message-ID:, Date:.
Message headers deleted by the cleanup(8) daemon will be
- examined before they are deleted. Examples are: Bcc:, Con-
+ examined before they are deleted. Examples are: Bcc:, Con-
tent-Length:, Return-Path:.
CONFIGURATION PARAMETERS
diff --git a/postfix/html/lmtp.8.html b/postfix/html/lmtp.8.html
index 631eeb74f..f22804db3 100644
--- a/postfix/html/lmtp.8.html
+++ b/postfix/html/lmtp.8.html
@@ -608,29 +608,33 @@ SMTP(8) SMTP(8)
RFC 6698 trust-anchor digest support in the Postfix
TLS library.
+ tlsmgr_service_name (tlsmgr)
+ The name of the tlsmgr(8) service entry in mas-
+ ter.cf.
+
OBSOLETE STARTTLS CONTROLS
- The following configuration parameters exist for compati-
+ The following configuration parameters exist for compati-
bility with Postfix versions before 2.3. Support for these
will be removed in a future release.
smtp_use_tls (no)
- Opportunistic mode: use TLS when a remote SMTP
- server announces STARTTLS support, otherwise send
+ Opportunistic mode: use TLS when a remote SMTP
+ server announces STARTTLS support, otherwise send
the mail in the clear.
smtp_enforce_tls (no)
- Enforcement mode: require that remote SMTP servers
- use TLS encryption, and never send mail in the
+ Enforcement mode: require that remote SMTP servers
+ use TLS encryption, and never send mail in the
clear.
smtp_tls_enforce_peername (yes)
- With mandatory TLS encryption, require that the
+ With mandatory TLS encryption, require that the
remote SMTP server hostname matches the information
in the remote SMTP server certificate.
smtp_tls_per_site (empty)
Optional lookup tables with the Postfix SMTP client
- TLS usage policy by next-hop destination and by
+ TLS usage policy by next-hop destination and by
remote SMTP server hostname.
smtp_tls_cipherlist (empty)
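Review bot: the new tlsmgr_service_name entry is appended to the TLS group without an "Available in Postfix version 2.11 and later:" heading, unlike the same addition in this patch's smtpd.8.html hunk and the postconf.5.html text ("This feature is available in Postfix 2.11 and later"); add the heading here so the version requirement is visible to readers of this page. The remaining hunks in this file only re-flow whitespace from the regenerated troff output.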
@@ -640,80 +644,80 @@ SMTP(8) SMTP(8)
RESOURCE AND RATE CONTROLS
smtp_destination_concurrency_limit ($default_destina-
tion_concurrency_limit)
- The maximal number of parallel deliveries to the
- same destination via the smtp message delivery
+ The maximal number of parallel deliveries to the
+ same destination via the smtp message delivery
transport.
smtp_destination_recipient_limit ($default_destina-
tion_recipient_limit)
- The maximal number of recipients per message for
+ The maximal number of recipients per message for
the smtp message delivery transport.
smtp_connect_timeout (30s)
The Postfix SMTP client time limit for completing a
- TCP connection, or zero (use the operating system
+ TCP connection, or zero (use the operating system
built-in time limit).
smtp_helo_timeout (300s)
- The Postfix SMTP client time limit for sending the
+ The Postfix SMTP client time limit for sending the
HELO or EHLO command, and for receiving the initial
remote SMTP server response.
lmtp_lhlo_timeout (300s)
- The Postfix LMTP client time limit for sending the
- LHLO command, and for receiving the initial remote
+ The Postfix LMTP client time limit for sending the
+ LHLO command, and for receiving the initial remote
LMTP server response.
smtp_xforward_timeout (300s)
- The Postfix SMTP client time limit for sending the
+ The Postfix SMTP client time limit for sending the
XFORWARD command, and for receiving the remote SMTP
server response.
smtp_mail_timeout (300s)
- The Postfix SMTP client time limit for sending the
- MAIL FROM command, and for receiving the remote
+ The Postfix SMTP client time limit for sending the
+ MAIL FROM command, and for receiving the remote
SMTP server response.
smtp_rcpt_timeout (300s)
- The Postfix SMTP client time limit for sending the
- SMTP RCPT TO command, and for receiving the remote
+ The Postfix SMTP client time limit for sending the
+ SMTP RCPT TO command, and for receiving the remote
SMTP server response.
smtp_data_init_timeout (120s)
- The Postfix SMTP client time limit for sending the
- SMTP DATA command, and for receiving the remote
+ The Postfix SMTP client time limit for sending the
+ SMTP DATA command, and for receiving the remote
SMTP server response.
smtp_data_xfer_timeout (180s)
- The Postfix SMTP client time limit for sending the
+ The Postfix SMTP client time limit for sending the
SMTP message content.
smtp_data_done_timeout (600s)
- The Postfix SMTP client time limit for sending the
- SMTP ".", and for receiving the remote SMTP server
+ The Postfix SMTP client time limit for sending the
+ SMTP ".", and for receiving the remote SMTP server
response.
smtp_quit_timeout (300s)
- The Postfix SMTP client time limit for sending the
- QUIT command, and for receiving the remote SMTP
+ The Postfix SMTP client time limit for sending the
+ QUIT command, and for receiving the remote SMTP
server response.
Available in Postfix version 2.1 and later:
smtp_mx_address_limit (5)
The maximal number of MX (mail exchanger) IP
- addresses that can result from Postfix SMTP client
+ addresses that can result from Postfix SMTP client
mail exchanger lookups, or zero (no limit).
smtp_mx_session_limit (2)
- The maximal number of SMTP sessions per delivery
- request before the Postfix SMTP client gives up or
- delivers to a fall-back relay host, or zero (no
+ The maximal number of SMTP sessions per delivery
+ request before the Postfix SMTP client gives up or
+ delivers to a fall-back relay host, or zero (no
limit).
smtp_rset_timeout (20s)
- The Postfix SMTP client time limit for sending the
- RSET command, and for receiving the remote SMTP
+ The Postfix SMTP client time limit for sending the
+ RSET command, and for receiving the remote SMTP
server response.
Available in Postfix version 2.2 and earlier:
@@ -725,11 +729,11 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.2 and later:
smtp_connection_cache_destinations (empty)
- Permanently enable SMTP connection caching for the
+ Permanently enable SMTP connection caching for the
specified destinations.
smtp_connection_cache_on_demand (yes)
- Temporarily enable SMTP connection caching while a
+ Temporarily enable SMTP connection caching while a
destination has a high volume of mail in the active
queue.
@@ -739,72 +743,72 @@ SMTP(8) SMTP(8)
smtp_connection_cache_time_limit (2s)
When SMTP connection caching is enabled, the amount
- of time that an unused SMTP client socket is kept
+ of time that an unused SMTP client socket is kept
open before it is closed.
Available in Postfix version 2.3 and later:
connection_cache_protocol_timeout (5s)
- Time limit for connection cache connect, send or
+ Time limit for connection cache connect, send or
receive operations.
Available in Postfix version 2.9 and later:
smtp_per_record_deadline (no)
Change the behavior of the smtp_*_timeout time lim-
- its, from a time limit per read or write system
+ its, from a time limit per read or write system
call, to a time limit to send or receive a complete
- record (an SMTP command line, SMTP response line,
- SMTP message content line, or TLS protocol mes-
+ record (an SMTP command line, SMTP response line,
+ SMTP message content line, or TLS protocol mes-
sage).
TROUBLE SHOOTING CONTROLS
debug_peer_level (2)
- The increment in verbose logging level when a
- remote client or server matches a pattern in the
+ The increment in verbose logging level when a
+ remote client or server matches a pattern in the
debug_peer_list parameter.
debug_peer_list (empty)
- Optional list of remote client or server hostname
- or network address patterns that cause the verbose
- logging level to increase by the amount specified
+ Optional list of remote client or server hostname
+ or network address patterns that cause the verbose
+ logging level to increase by the amount specified
in $debug_peer_level.
error_notice_recipient (postmaster)
- The recipient of postmaster notifications about
- mail delivery problems that are caused by policy,
+ The recipient of postmaster notifications about
+ mail delivery problems that are caused by policy,
resource, software or protocol errors.
internal_mail_filter_classes (empty)
- What categories of Postfix-generated mail are sub-
- ject to before-queue content inspection by
+ What categories of Postfix-generated mail are sub-
+ ject to before-queue content inspection by
non_smtpd_milters, header_checks and body_checks.
notify_classes (resource, software)
- The list of error classes that are reported to the
+ The list of error classes that are reported to the
postmaster.
MISCELLANEOUS CONTROLS
best_mx_transport (empty)
- Where the Postfix SMTP client should deliver mail
+ Where the Postfix SMTP client should deliver mail
when it detects a "mail loops back to myself" error
condition.
config_directory (see 'postconf -d' output)
- The default location of the Postfix main.cf and
+ The default location of the Postfix main.cf and
master.cf configuration files.
daemon_timeout (18000s)
- How much time a Postfix daemon process may take to
- handle a request before it is terminated by a
+ How much time a Postfix daemon process may take to
+ handle a request before it is terminated by a
built-in watchdog timer.
delay_logging_resolution_limit (2)
- The maximal number of digits after the decimal
+ The maximal number of digits after the decimal
point when logging sub-second delay values.
disable_dns_lookups (no)
- Disable DNS lookups in the Postfix SMTP and LMTP
+ Disable DNS lookups in the Postfix SMTP and LMTP
clients.
inet_interfaces (all)
@@ -812,7 +816,7 @@ SMTP(8) SMTP(8)
tem receives mail on.
inet_protocols (all)
- The Internet protocols Postfix will attempt to use
+ The Internet protocols Postfix will attempt to use
when making or accepting connections.
ipc_timeout (3600s)
@@ -822,85 +826,85 @@ SMTP(8) SMTP(8)
lmtp_assume_final (no)
When a remote LMTP server announces no DSN support,
assume that the server performs final delivery, and
- send "delivered" delivery status notifications
+ send "delivered" delivery status notifications
instead of "relayed".
lmtp_tcp_port (24)
- The default TCP port that the Postfix LMTP client
+ The default TCP port that the Postfix LMTP client
connects to.
max_idle (100s)
- The maximum amount of time that an idle Postfix
- daemon process waits for an incoming connection
+ The maximum amount of time that an idle Postfix
+ daemon process waits for an incoming connection
before terminating voluntarily.
max_use (100)
- The maximal number of incoming connections that a
- Postfix daemon process will service before termi-
+ The maximal number of incoming connections that a
+ Postfix daemon process will service before termi-
nating voluntarily.
process_id (read-only)
- The process ID of a Postfix command or daemon
+ The process ID of a Postfix command or daemon
process.
process_name (read-only)
- The process name of a Postfix command or daemon
+ The process name of a Postfix command or daemon
process.
proxy_interfaces (empty)
The network interface addresses that this mail sys-
- tem receives mail on by way of a proxy or network
+ tem receives mail on by way of a proxy or network
address translation unit.
smtp_address_preference (any)
The address type ("ipv6", "ipv4" or "any") that the
Postfix SMTP client will try first, when a destina-
- tion has IPv6 and IPv4 addresses with equal MX
+ tion has IPv6 and IPv4 addresses with equal MX
preference.
smtp_bind_address (empty)
- An optional numerical network address that the
- Postfix SMTP client should bind to when making an
+ An optional numerical network address that the
+ Postfix SMTP client should bind to when making an
IPv4 connection.
smtp_bind_address6 (empty)
- An optional numerical network address that the
- Postfix SMTP client should bind to when making an
+ An optional numerical network address that the
+ Postfix SMTP client should bind to when making an
IPv6 connection.
smtp_helo_name ($myhostname)
- The hostname to send in the SMTP EHLO or HELO com-
+ The hostname to send in the SMTP EHLO or HELO com-
mand.
lmtp_lhlo_name ($myhostname)
The hostname to send in the LMTP LHLO command.
smtp_host_lookup (dns)
- What mechanisms the Postfix SMTP client uses to
+ What mechanisms the Postfix SMTP client uses to
look up a host's IP address.
smtp_randomize_addresses (yes)
- Randomize the order of equal-preference MX host
+ Randomize the order of equal-preference MX host
addresses.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
Available with Postfix 2.2 and earlier:
fallback_relay (empty)
- Optional list of relay hosts for SMTP destinations
+ Optional list of relay hosts for SMTP destinations
that can't be found or that are unreachable.
Available with Postfix 2.3 and later:
smtp_fallback_relay ($fallback_relay)
- Optional list of relay hosts for SMTP destinations
+ Optional list of relay hosts for SMTP destinations
that can't be found or that are unreachable.
SEE ALSO
@@ -921,7 +925,7 @@ SMTP(8) SMTP(8)
TLS_README, Postfix STARTTLS howto
LICENSE
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
AUTHOR(S)
diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html
index fa2320993..a3fed7443 100644
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@@ -16630,6 +16630,18 @@ domain name labels, other implementations likely will not.
This feature is available in Postfix 2.11 and later.
+
+
+tlsmgr_service_name
+(default: tlsmgr)
+
+ The name of the tlsmgr(8) service entry in master.cf. This
+service maintains TLS session caches and other information in support
+of TLS.
+
+ This feature is available in Postfix 2.11 and later.
+
+
tlsproxy_enforce_tls
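Review bot: the new tlsmgr_service_name description does not say that an entry with that name must exist in master.cf, what happens when it does not, or when an administrator would change the name from the default; since tlsmgr(8) holds the TLS session caches that the TLS_README hunk relies on for session re-use, a one-sentence note on the master.cf requirement and a typical reason to rename the service would make the parameter usable without reading the source.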
diff --git a/postfix/html/smtp.8.html b/postfix/html/smtp.8.html
index 631eeb74f..f22804db3 100644
--- a/postfix/html/smtp.8.html
+++ b/postfix/html/smtp.8.html
@@ -608,29 +608,33 @@ SMTP(8) SMTP(8)
RFC 6698 trust-anchor digest support in the Postfix
TLS library.
+ tlsmgr_service_name (tlsmgr)
+ The name of the tlsmgr(8) service entry in mas-
+ ter.cf.
+
OBSOLETE STARTTLS CONTROLS
- The following configuration parameters exist for compati-
+ The following configuration parameters exist for compati-
bility with Postfix versions before 2.3. Support for these
will be removed in a future release.
smtp_use_tls (no)
- Opportunistic mode: use TLS when a remote SMTP
- server announces STARTTLS support, otherwise send
+ Opportunistic mode: use TLS when a remote SMTP
+ server announces STARTTLS support, otherwise send
the mail in the clear.
smtp_enforce_tls (no)
- Enforcement mode: require that remote SMTP servers
- use TLS encryption, and never send mail in the
+ Enforcement mode: require that remote SMTP servers
+ use TLS encryption, and never send mail in the
clear.
smtp_tls_enforce_peername (yes)
- With mandatory TLS encryption, require that the
+ With mandatory TLS encryption, require that the
remote SMTP server hostname matches the information
in the remote SMTP server certificate.
smtp_tls_per_site (empty)
Optional lookup tables with the Postfix SMTP client
- TLS usage policy by next-hop destination and by
+ TLS usage policy by next-hop destination and by
remote SMTP server hostname.
smtp_tls_cipherlist (empty)
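Review bot: same point as for lmtp.8.html (the two files carry the same blob ids, 631eeb74f..f22804db3): the added tlsmgr_service_name entry lacks the "Available in Postfix version 2.11 and later:" heading that the smtpd.8.html hunk in this patch adds for the same parameter.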
@@ -640,80 +644,80 @@ SMTP(8) SMTP(8)
RESOURCE AND RATE CONTROLS
smtp_destination_concurrency_limit ($default_destina-
tion_concurrency_limit)
- The maximal number of parallel deliveries to the
- same destination via the smtp message delivery
+ The maximal number of parallel deliveries to the
+ same destination via the smtp message delivery
transport.
smtp_destination_recipient_limit ($default_destina-
tion_recipient_limit)
- The maximal number of recipients per message for
+ The maximal number of recipients per message for
the smtp message delivery transport.
smtp_connect_timeout (30s)
The Postfix SMTP client time limit for completing a
- TCP connection, or zero (use the operating system
+ TCP connection, or zero (use the operating system
built-in time limit).
smtp_helo_timeout (300s)
- The Postfix SMTP client time limit for sending the
+ The Postfix SMTP client time limit for sending the
HELO or EHLO command, and for receiving the initial
remote SMTP server response.
lmtp_lhlo_timeout (300s)
- The Postfix LMTP client time limit for sending the
- LHLO command, and for receiving the initial remote
+ The Postfix LMTP client time limit for sending the
+ LHLO command, and for receiving the initial remote
LMTP server response.
smtp_xforward_timeout (300s)
- The Postfix SMTP client time limit for sending the
+ The Postfix SMTP client time limit for sending the
XFORWARD command, and for receiving the remote SMTP
server response.
smtp_mail_timeout (300s)
- The Postfix SMTP client time limit for sending the
- MAIL FROM command, and for receiving the remote
+ The Postfix SMTP client time limit for sending the
+ MAIL FROM command, and for receiving the remote
SMTP server response.
smtp_rcpt_timeout (300s)
- The Postfix SMTP client time limit for sending the
- SMTP RCPT TO command, and for receiving the remote
+ The Postfix SMTP client time limit for sending the
+ SMTP RCPT TO command, and for receiving the remote
SMTP server response.
smtp_data_init_timeout (120s)
- The Postfix SMTP client time limit for sending the
- SMTP DATA command, and for receiving the remote
+ The Postfix SMTP client time limit for sending the
+ SMTP DATA command, and for receiving the remote
SMTP server response.
smtp_data_xfer_timeout (180s)
- The Postfix SMTP client time limit for sending the
+ The Postfix SMTP client time limit for sending the
SMTP message content.
smtp_data_done_timeout (600s)
- The Postfix SMTP client time limit for sending the
- SMTP ".", and for receiving the remote SMTP server
+ The Postfix SMTP client time limit for sending the
+ SMTP ".", and for receiving the remote SMTP server
response.
smtp_quit_timeout (300s)
- The Postfix SMTP client time limit for sending the
- QUIT command, and for receiving the remote SMTP
+ The Postfix SMTP client time limit for sending the
+ QUIT command, and for receiving the remote SMTP
server response.
Available in Postfix version 2.1 and later:
smtp_mx_address_limit (5)
The maximal number of MX (mail exchanger) IP
- addresses that can result from Postfix SMTP client
+ addresses that can result from Postfix SMTP client
mail exchanger lookups, or zero (no limit).
smtp_mx_session_limit (2)
- The maximal number of SMTP sessions per delivery
- request before the Postfix SMTP client gives up or
- delivers to a fall-back relay host, or zero (no
+ The maximal number of SMTP sessions per delivery
+ request before the Postfix SMTP client gives up or
+ delivers to a fall-back relay host, or zero (no
limit).
smtp_rset_timeout (20s)
- The Postfix SMTP client time limit for sending the
- RSET command, and for receiving the remote SMTP
+ The Postfix SMTP client time limit for sending the
+ RSET command, and for receiving the remote SMTP
server response.
Available in Postfix version 2.2 and earlier:
@@ -725,11 +729,11 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.2 and later:
smtp_connection_cache_destinations (empty)
- Permanently enable SMTP connection caching for the
+ Permanently enable SMTP connection caching for the
specified destinations.
smtp_connection_cache_on_demand (yes)
- Temporarily enable SMTP connection caching while a
+ Temporarily enable SMTP connection caching while a
destination has a high volume of mail in the active
queue.
@@ -739,72 +743,72 @@ SMTP(8) SMTP(8)
smtp_connection_cache_time_limit (2s)
When SMTP connection caching is enabled, the amount
- of time that an unused SMTP client socket is kept
+ of time that an unused SMTP client socket is kept
open before it is closed.
Available in Postfix version 2.3 and later:
connection_cache_protocol_timeout (5s)
- Time limit for connection cache connect, send or
+ Time limit for connection cache connect, send or
receive operations.
Available in Postfix version 2.9 and later:
smtp_per_record_deadline (no)
Change the behavior of the smtp_*_timeout time lim-
- its, from a time limit per read or write system
+ its, from a time limit per read or write system
call, to a time limit to send or receive a complete
- record (an SMTP command line, SMTP response line,
- SMTP message content line, or TLS protocol mes-
+ record (an SMTP command line, SMTP response line,
+ SMTP message content line, or TLS protocol mes-
sage).
TROUBLE SHOOTING CONTROLS
debug_peer_level (2)
- The increment in verbose logging level when a
- remote client or server matches a pattern in the
+ The increment in verbose logging level when a
+ remote client or server matches a pattern in the
debug_peer_list parameter.
debug_peer_list (empty)
- Optional list of remote client or server hostname
- or network address patterns that cause the verbose
- logging level to increase by the amount specified
+ Optional list of remote client or server hostname
+ or network address patterns that cause the verbose
+ logging level to increase by the amount specified
in $debug_peer_level.
error_notice_recipient (postmaster)
- The recipient of postmaster notifications about
- mail delivery problems that are caused by policy,
+ The recipient of postmaster notifications about
+ mail delivery problems that are caused by policy,
resource, software or protocol errors.
internal_mail_filter_classes (empty)
- What categories of Postfix-generated mail are sub-
- ject to before-queue content inspection by
+ What categories of Postfix-generated mail are sub-
+ ject to before-queue content inspection by
non_smtpd_milters, header_checks and body_checks.
notify_classes (resource, software)
- The list of error classes that are reported to the
+ The list of error classes that are reported to the
postmaster.
MISCELLANEOUS CONTROLS
best_mx_transport (empty)
- Where the Postfix SMTP client should deliver mail
+ Where the Postfix SMTP client should deliver mail
when it detects a "mail loops back to myself" error
condition.
config_directory (see 'postconf -d' output)
- The default location of the Postfix main.cf and
+ The default location of the Postfix main.cf and
master.cf configuration files.
daemon_timeout (18000s)
- How much time a Postfix daemon process may take to
- handle a request before it is terminated by a
+ How much time a Postfix daemon process may take to
+ handle a request before it is terminated by a
built-in watchdog timer.
delay_logging_resolution_limit (2)
- The maximal number of digits after the decimal
+ The maximal number of digits after the decimal
point when logging sub-second delay values.
disable_dns_lookups (no)
- Disable DNS lookups in the Postfix SMTP and LMTP
+ Disable DNS lookups in the Postfix SMTP and LMTP
clients.
inet_interfaces (all)
@@ -812,7 +816,7 @@ SMTP(8) SMTP(8)
tem receives mail on.
inet_protocols (all)
- The Internet protocols Postfix will attempt to use
+ The Internet protocols Postfix will attempt to use
when making or accepting connections.
ipc_timeout (3600s)
@@ -822,85 +826,85 @@ SMTP(8) SMTP(8)
lmtp_assume_final (no)
When a remote LMTP server announces no DSN support,
assume that the server performs final delivery, and
- send "delivered" delivery status notifications
+ send "delivered" delivery status notifications
instead of "relayed".
lmtp_tcp_port (24)
- The default TCP port that the Postfix LMTP client
+ The default TCP port that the Postfix LMTP client
connects to.
max_idle (100s)
- The maximum amount of time that an idle Postfix
- daemon process waits for an incoming connection
+ The maximum amount of time that an idle Postfix
+ daemon process waits for an incoming connection
before terminating voluntarily.
max_use (100)
- The maximal number of incoming connections that a
- Postfix daemon process will service before termi-
+ The maximal number of incoming connections that a
+ Postfix daemon process will service before termi-
nating voluntarily.
process_id (read-only)
- The process ID of a Postfix command or daemon
+ The process ID of a Postfix command or daemon
process.
process_name (read-only)
- The process name of a Postfix command or daemon
+ The process name of a Postfix command or daemon
process.
proxy_interfaces (empty)
The network interface addresses that this mail sys-
- tem receives mail on by way of a proxy or network
+ tem receives mail on by way of a proxy or network
address translation unit.
smtp_address_preference (any)
The address type ("ipv6", "ipv4" or "any") that the
Postfix SMTP client will try first, when a destina-
- tion has IPv6 and IPv4 addresses with equal MX
+ tion has IPv6 and IPv4 addresses with equal MX
preference.
smtp_bind_address (empty)
- An optional numerical network address that the
- Postfix SMTP client should bind to when making an
+ An optional numerical network address that the
+ Postfix SMTP client should bind to when making an
IPv4 connection.
smtp_bind_address6 (empty)
- An optional numerical network address that the
- Postfix SMTP client should bind to when making an
+ An optional numerical network address that the
+ Postfix SMTP client should bind to when making an
IPv6 connection.
smtp_helo_name ($myhostname)
- The hostname to send in the SMTP EHLO or HELO com-
+ The hostname to send in the SMTP EHLO or HELO com-
mand.
lmtp_lhlo_name ($myhostname)
The hostname to send in the LMTP LHLO command.
smtp_host_lookup (dns)
- What mechanisms the Postfix SMTP client uses to
+ What mechanisms the Postfix SMTP client uses to
look up a host's IP address.
smtp_randomize_addresses (yes)
- Randomize the order of equal-preference MX host
+ Randomize the order of equal-preference MX host
addresses.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
Available with Postfix 2.2 and earlier:
fallback_relay (empty)
- Optional list of relay hosts for SMTP destinations
+ Optional list of relay hosts for SMTP destinations
that can't be found or that are unreachable.
Available with Postfix 2.3 and later:
smtp_fallback_relay ($fallback_relay)
- Optional list of relay hosts for SMTP destinations
+ Optional list of relay hosts for SMTP destinations
that can't be found or that are unreachable.
SEE ALSO
@@ -921,7 +925,7 @@ SMTP(8) SMTP(8)
TLS_README, Postfix STARTTLS howto
LICENSE
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
AUTHOR(S)
diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html
index 4b87f2212..f2bad96c4 100644
--- a/postfix/html/smtpd.8.html
+++ b/postfix/html/smtpd.8.html
@@ -586,19 +586,25 @@ SMTPD(8) SMTPD(8)
List or bit-mask of OpenSSL bug work-arounds to
disable.
+ Available in Postfix version 2.11 and later:
+
+ tlsmgr_service_name (tlsmgr)
+ The name of the tlsmgr(8) service entry in mas-
+ ter.cf.
+
OBSOLETE STARTTLS CONTROLS
- The following configuration parameters exist for compati-
+ The following configuration parameters exist for compati-
bility with Postfix versions before 2.3. Support for these
will be removed in a future release.
smtpd_use_tls (no)
- Opportunistic TLS: announce STARTTLS support to
+ Opportunistic TLS: announce STARTTLS support to
remote SMTP clients, but do not require that
clients use TLS encryption.
smtpd_enforce_tls (no)
- Mandatory TLS: announce STARTTLS support to remote
- SMTP clients, and require that clients use TLS
+ Mandatory TLS: announce STARTTLS support to remote
+ SMTP clients, and require that clients use TLS
encryption.
smtpd_tls_cipherlist (empty)
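Review bot: the new tlsmgr_service_name entry under "Available in Postfix version 2.11 and later" says only what the value names ("The name of the tlsmgr(8) service entry in master.cf"), not that it has to agree with the service name actually configured in master.cf; a short cross-reference to master(5), and a sentence on what happens when the two disagree, would help operators who rename the service. The identical block is inserted into tlsproxy.8.html further down in this diff, so if the wording is improved it should be changed once in the generating source rather than in either rendered html file, or the two pages will drift apart.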
@@ -606,21 +612,21 @@ SMTPD(8) SMTPD(8)
server TLS cipher list.
VERP SUPPORT CONTROLS
- With VERP style delivery, each recipient of a message
+ With VERP style delivery, each recipient of a message
receives a customized copy of the message with his/her own
- recipient address encoded in the envelope sender address.
+ recipient address encoded in the envelope sender address.
The VERP_README file describes configuration and operation
- details of Postfix support for variable envelope return
+ details of Postfix support for variable envelope return
path addresses. VERP style delivery is requested with the
- SMTP XVERP command or with the "sendmail -V" command-line
- option and is available in Postfix version 1.1 and later.
+ SMTP XVERP command or with the "sendmail -V" command-line
+ option and is available in Postfix version 1.1 and later.
default_verp_delimiters (+=)
The two default VERP delimiter characters.
verp_delimiter_filter (-=+)
- The characters Postfix accepts as VERP delimiter
- characters on the Postfix sendmail(1) command line
+ The characters Postfix accepts as VERP delimiter
+ characters on the Postfix sendmail(1) command line
and in SMTP commands.
Available in Postfix version 1.1 and 2.0:
@@ -636,38 +642,38 @@ SMTPD(8) SMTPD(8)
XVERP command.
TROUBLE SHOOTING CONTROLS
- The DEBUG_README document describes how to debug parts of
- the Postfix mail system. The methods vary from making the
- software log a lot of detail, to running some daemon pro-
+ The DEBUG_README document describes how to debug parts of
+ the Postfix mail system. The methods vary from making the
+ software log a lot of detail, to running some daemon pro-
cesses under control of a call tracer or debugger.
debug_peer_level (2)
- The increment in verbose logging level when a
- remote client or server matches a pattern in the
+ The increment in verbose logging level when a
+ remote client or server matches a pattern in the
debug_peer_list parameter.
debug_peer_list (empty)
- Optional list of remote client or server hostname
- or network address patterns that cause the verbose
- logging level to increase by the amount specified
+ Optional list of remote client or server hostname
+ or network address patterns that cause the verbose
+ logging level to increase by the amount specified
in $debug_peer_level.
error_notice_recipient (postmaster)
- The recipient of postmaster notifications about
- mail delivery problems that are caused by policy,
+ The recipient of postmaster notifications about
+ mail delivery problems that are caused by policy,
resource, software or protocol errors.
internal_mail_filter_classes (empty)
- What categories of Postfix-generated mail are sub-
- ject to before-queue content inspection by
+ What categories of Postfix-generated mail are sub-
+ ject to before-queue content inspection by
non_smtpd_milters, header_checks and body_checks.
notify_classes (resource, software)
- The list of error classes that are reported to the
+ The list of error classes that are reported to the
postmaster.
smtpd_reject_footer (empty)
- Optional information that is appended after each
+ Optional information that is appended after each
Postfix SMTP server 4XX or 5XX response.
soft_bounce (no)
@@ -677,30 +683,30 @@ SMTPD(8) SMTPD(8)
Available in Postfix version 2.1 and later:
smtpd_authorized_xclient_hosts (empty)
- What remote SMTP clients are allowed to use the
+ What remote SMTP clients are allowed to use the
XCLIENT feature.
Available in Postfix version 2.10 and later:
smtpd_log_access_permit_actions (empty)
- Enable logging of the named "permit" actions in
- SMTP server access lists (by default, the SMTP
+ Enable logging of the named "permit" actions in
+ SMTP server access lists (by default, the SMTP
server logs "reject" actions but not "permit"
actions).
KNOWN VERSUS UNKNOWN RECIPIENT CONTROLS
- As of Postfix version 2.0, the SMTP server rejects mail
- for unknown recipients. This prevents the mail queue from
- clogging up with undeliverable MAILER-DAEMON messages.
- Additional information on this topic is in the
+ As of Postfix version 2.0, the SMTP server rejects mail
+ for unknown recipients. This prevents the mail queue from
+ clogging up with undeliverable MAILER-DAEMON messages.
+ Additional information on this topic is in the
LOCAL_RECIPIENT_README and ADDRESS_CLASS_README documents.
show_user_unknown_table_name (yes)
- Display the name of the recipient table in the
+ Display the name of the recipient table in the
"User unknown" responses.
canonical_maps (empty)
- Optional address mapping lookup tables for message
+ Optional address mapping lookup tables for message
headers and envelopes.
recipient_canonical_maps (empty)
@@ -711,7 +717,7 @@ SMTPD(8) SMTPD(8)
mydestination ($myhostname, localhost.$mydomain, local-
host)
- The list of domains that are delivered via the
+ The list of domains that are delivered via the
$local_transport mail delivery transport.
inet_interfaces (all)
@@ -720,73 +726,73 @@ SMTPD(8) SMTPD(8)
proxy_interfaces (empty)
The network interface addresses that this mail sys-
- tem receives mail on by way of a proxy or network
+ tem receives mail on by way of a proxy or network
address translation unit.
inet_protocols (all)
- The Internet protocols Postfix will attempt to use
+ The Internet protocols Postfix will attempt to use
when making or accepting connections.
local_recipient_maps (proxy:unix:passwd.byname
$alias_maps)
- Lookup tables with all names or addresses of local
- recipients: a recipient address is local when its
- domain matches $mydestination, $inet_interfaces or
+ Lookup tables with all names or addresses of local
+ recipients: a recipient address is local when its
+ domain matches $mydestination, $inet_interfaces or
$proxy_interfaces.
unknown_local_recipient_reject_code (550)
- The numerical Postfix SMTP server response code
- when a recipient address is local, and
- $local_recipient_maps specifies a list of lookup
+ The numerical Postfix SMTP server response code
+ when a recipient address is local, and
+ $local_recipient_maps specifies a list of lookup
tables that does not match the recipient.
- Parameters concerning known/unknown recipients of relay
+ Parameters concerning known/unknown recipients of relay
destinations:
relay_domains ($mydestination)
- What destination domains (and subdomains thereof)
+ What destination domains (and subdomains thereof)
this system will relay mail to.
relay_recipient_maps (empty)
- Optional lookup tables with all valid addresses in
+ Optional lookup tables with all valid addresses in
the domains that match $relay_domains.
unknown_relay_recipient_reject_code (550)
The numerical Postfix SMTP server reply code when a
- recipient address matches $relay_domains, and
- relay_recipient_maps specifies a list of lookup
+ recipient address matches $relay_domains, and
+ relay_recipient_maps specifies a list of lookup
tables that does not match the recipient address.
- Parameters concerning known/unknown recipients in virtual
+ Parameters concerning known/unknown recipients in virtual
alias domains:
virtual_alias_domains ($virtual_alias_maps)
Postfix is final destination for the specified list
- of virtual alias domains, that is, domains for
- which all addresses are aliased to addresses in
+ of virtual alias domains, that is, domains for
+ which all addresses are aliased to addresses in
other local or remote domains.
virtual_alias_maps ($virtual_maps)
- Optional lookup tables that alias specific mail
- addresses or domains to other local or remote
+ Optional lookup tables that alias specific mail
+ addresses or domains to other local or remote
address.
unknown_virtual_alias_reject_code (550)
The Postfix SMTP server reply code when a recipient
- address matches $virtual_alias_domains, and $vir-
- tual_alias_maps specifies a list of lookup tables
+ address matches $virtual_alias_domains, and $vir-
+ tual_alias_maps specifies a list of lookup tables
that does not match the recipient address.
- Parameters concerning known/unknown recipients in virtual
+ Parameters concerning known/unknown recipients in virtual
mailbox domains:
virtual_mailbox_domains ($virtual_mailbox_maps)
Postfix is final destination for the specified list
- of domains; mail is delivered via the $vir-
+ of domains; mail is delivered via the $vir-
tual_transport mail delivery transport.
virtual_mailbox_maps (empty)
- Optional lookup tables with all valid addresses in
+ Optional lookup tables with all valid addresses in
the domains that match $virtual_mailbox_domains.
unknown_virtual_mailbox_reject_code (550)
@@ -796,70 +802,70 @@ SMTPD(8) SMTPD(8)
that does not match the recipient address.
RESOURCE AND RATE CONTROLS
- The following parameters limit resource usage by the SMTP
+ The following parameters limit resource usage by the SMTP
server and/or control client request rates.
line_length_limit (2048)
- Upon input, long lines are chopped up into pieces
- of at most this length; upon delivery, long lines
+ Upon input, long lines are chopped up into pieces
+ of at most this length; upon delivery, long lines
are reconstructed.
queue_minfree (0)
- The minimal amount of free space in bytes in the
+ The minimal amount of free space in bytes in the
queue file system that is needed to receive mail.
message_size_limit (10240000)
- The maximal size in bytes of a message, including
+ The maximal size in bytes of a message, including
envelope information.
smtpd_recipient_limit (1000)
- The maximal number of recipients that the Postfix
+ The maximal number of recipients that the Postfix
SMTP server accepts per message delivery request.
smtpd_timeout (normal: 300s, overload: 10s)
- The time limit for sending a Postfix SMTP server
- response and for receiving a remote SMTP client
+ The time limit for sending a Postfix SMTP server
+ response and for receiving a remote SMTP client
request.
smtpd_history_flush_threshold (100)
- The maximal number of lines in the Postfix SMTP
- server command history before it is flushed upon
+ The maximal number of lines in the Postfix SMTP
+ server command history before it is flushed upon
receipt of EHLO, RSET, or end of DATA.
Available in Postfix version 2.3 and later:
smtpd_peername_lookup (yes)
Attempt to look up the remote SMTP client hostname,
- and verify that the name matches the client IP
+ and verify that the name matches the client IP
address.
The per SMTP client connection count and request rate lim-
its are implemented in co-operation with the anvil(8) ser-
- vice, and are available in Postfix version 2.2 and later.
+ vice, and are available in Postfix version 2.2 and later.
smtpd_client_connection_count_limit (50)
- How many simultaneous connections any client is
+ How many simultaneous connections any client is
allowed to make to this service.
smtpd_client_connection_rate_limit (0)
The maximal number of connection attempts any
- client is allowed to make to this service per time
+ client is allowed to make to this service per time
unit.
smtpd_client_message_rate_limit (0)
- The maximal number of message delivery requests
- that any client is allowed to make to this service
+ The maximal number of message delivery requests
+ that any client is allowed to make to this service
per time unit, regardless of whether or not Postfix
actually accepts those messages.
smtpd_client_recipient_rate_limit (0)
- The maximal number of recipient addresses that any
- client is allowed to send to this service per time
+ The maximal number of recipient addresses that any
+ client is allowed to send to this service per time
unit, regardless of whether or not Postfix actually
accepts those recipients.
smtpd_client_event_limit_exceptions ($mynetworks)
- Clients that are excluded from
+ Clients that are excluded from
smtpd_client_*_count/rate_limit restrictions.
Available in Postfix version 2.3 and later:
@@ -873,59 +879,59 @@ SMTPD(8) SMTPD(8)
smtpd_per_record_deadline (normal: no, overload: yes)
Change the behavior of the smtpd_timeout time
- limit, from a time limit per read or write system
+ limit, from a time limit per read or write system
call, to a time limit to send or receive a complete
- record (an SMTP command line, SMTP response line,
- SMTP message content line, or TLS protocol mes-
+ record (an SMTP command line, SMTP response line,
+ SMTP message content line, or TLS protocol mes-
sage).
TARPIT CONTROLS
- When a remote SMTP client makes errors, the Postfix SMTP
- server can insert delays before responding. This can help
- to slow down run-away software. The behavior is con-
- trolled by an error counter that counts the number of
- errors within an SMTP session that a client makes without
+ When a remote SMTP client makes errors, the Postfix SMTP
+ server can insert delays before responding. This can help
+ to slow down run-away software. The behavior is con-
+ trolled by an error counter that counts the number of
+ errors within an SMTP session that a client makes without
delivering mail.
smtpd_error_sleep_time (1s)
With Postfix version 2.1 and later: the SMTP server
- response delay after a client has made more than
- $smtpd_soft_error_limit errors, and fewer than
- $smtpd_hard_error_limit errors, without delivering
+ response delay after a client has made more than
+ $smtpd_soft_error_limit errors, and fewer than
+ $smtpd_hard_error_limit errors, without delivering
mail.
smtpd_soft_error_limit (10)
- The number of errors a remote SMTP client is
- allowed to make without delivering mail before the
+ The number of errors a remote SMTP client is
+ allowed to make without delivering mail before the
Postfix SMTP server slows down all its responses.
smtpd_hard_error_limit (normal: 20, overload: 1)
- The maximal number of errors a remote SMTP client
+ The maximal number of errors a remote SMTP client
is allowed to make without delivering mail.
smtpd_junk_command_limit (normal: 100, overload: 1)
- The number of junk commands (NOOP, VRFY, ETRN or
+ The number of junk commands (NOOP, VRFY, ETRN or
RSET) that a remote SMTP client can send before the
- Postfix SMTP server starts to increment the error
+ Postfix SMTP server starts to increment the error
counter with each junk command.
Available in Postfix version 2.1 and later:
smtpd_recipient_overshoot_limit (1000)
- The number of recipients that a remote SMTP client
- can send in excess of the limit specified with
+ The number of recipients that a remote SMTP client
+ can send in excess of the limit specified with
$smtpd_recipient_limit, before the Postfix SMTP
- server increments the per-session error count for
+ server increments the per-session error count for
each excess recipient.
ACCESS POLICY DELEGATION CONTROLS
- As of version 2.1, Postfix can be configured to delegate
- access policy decisions to an external server that runs
- outside Postfix. See the file SMTPD_POLICY_README for
+ As of version 2.1, Postfix can be configured to delegate
+ access policy decisions to an external server that runs
+ outside Postfix. See the file SMTPD_POLICY_README for
more information.
smtpd_policy_service_max_idle (300s)
- The time after which an idle SMTPD policy service
+ The time after which an idle SMTPD policy service
connection is closed.
smtpd_policy_service_max_ttl (1000s)
@@ -933,161 +939,161 @@ SMTPD(8) SMTPD(8)
connection is closed.
smtpd_policy_service_timeout (100s)
- The time limit for connecting to, writing to or
+ The time limit for connecting to, writing to or
receiving from a delegated SMTPD policy server.
ACCESS CONTROLS
- The SMTPD_ACCESS_README document gives an introduction to
+ The SMTPD_ACCESS_README document gives an introduction to
all the SMTP server access control features.
smtpd_delay_reject (yes)
- Wait until the RCPT TO command before evaluating
+ Wait until the RCPT TO command before evaluating
$smtpd_client_restrictions, $smtpd_helo_restric-
tions and $smtpd_sender_restrictions, or wait until
- the ETRN command before evaluating
+ the ETRN command before evaluating
$smtpd_client_restrictions and $smtpd_helo_restric-
tions.
- parent_domain_matches_subdomains (see 'postconf -d' out-
+ parent_domain_matches_subdomains (see 'postconf -d' out-
put)
What Postfix features match subdomains of
"domain.tld" automatically, instead of requiring an
explicit ".domain.tld" pattern.
smtpd_client_restrictions (empty)
- Optional restrictions that the Postfix SMTP server
- applies in the context of a client connection
+ Optional restrictions that the Postfix SMTP server
+ applies in the context of a client connection
request.
smtpd_helo_required (no)
Require that a remote SMTP client introduces itself
- with the HELO or EHLO command before sending the
- MAIL command or other commands that require EHLO
+ with the HELO or EHLO command before sending the
+ MAIL command or other commands that require EHLO
negotiation.
smtpd_helo_restrictions (empty)
- Optional restrictions that the Postfix SMTP server
+ Optional restrictions that the Postfix SMTP server
applies in the context of a client HELO command.
smtpd_sender_restrictions (empty)
- Optional restrictions that the Postfix SMTP server
- applies in the context of a client MAIL FROM com-
+ Optional restrictions that the Postfix SMTP server
+ applies in the context of a client MAIL FROM com-
mand.
smtpd_recipient_restrictions (see 'postconf -d' output)
- Optional restrictions that the Postfix SMTP server
+ Optional restrictions that the Postfix SMTP server
applies in the context of a client RCPT TO command,
after smtpd_relay_restrictions.
smtpd_etrn_restrictions (empty)
- Optional restrictions that the Postfix SMTP server
+ Optional restrictions that the Postfix SMTP server
applies in the context of a client ETRN command.
allow_untrusted_routing (no)
- Forward mail with sender-specified routing
- (user[@%!]remote[@%!]site) from untrusted clients
+ Forward mail with sender-specified routing
+ (user[@%!]remote[@%!]site) from untrusted clients
to destinations matching $relay_domains.
smtpd_restriction_classes (empty)
- User-defined aliases for groups of access restric-
+ User-defined aliases for groups of access restric-
tions.
smtpd_null_access_lookup_key (<>)
- The lookup key to be used in SMTP access(5) tables
+ The lookup key to be used in SMTP access(5) tables
instead of the null sender address.
permit_mx_backup_networks (empty)
Restrict the use of the permit_mx_backup SMTP
- access feature to only domains whose primary MX
+ access feature to only domains whose primary MX
hosts match the listed networks.
Available in Postfix version 2.0 and later:
smtpd_data_restrictions (empty)
- Optional access restrictions that the Postfix SMTP
+ Optional access restrictions that the Postfix SMTP
server applies in the context of the SMTP DATA com-
mand.
smtpd_expansion_filter (see 'postconf -d' output)
- What characters are allowed in $name expansions of
+ What characters are allowed in $name expansions of
RBL reply templates.
Available in Postfix version 2.1 and later:
smtpd_reject_unlisted_sender (no)
- Request that the Postfix SMTP server rejects mail
- from unknown sender addresses, even when no
- explicit reject_unlisted_sender access restriction
+ Request that the Postfix SMTP server rejects mail
+ from unknown sender addresses, even when no
+ explicit reject_unlisted_sender access restriction
is specified.
smtpd_reject_unlisted_recipient (yes)
- Request that the Postfix SMTP server rejects mail
+ Request that the Postfix SMTP server rejects mail
for unknown recipient addresses, even when no
- explicit reject_unlisted_recipient access restric-
+ explicit reject_unlisted_recipient access restric-
tion is specified.
Available in Postfix version 2.2 and later:
smtpd_end_of_data_restrictions (empty)
- Optional access restrictions that the Postfix SMTP
- server applies in the context of the SMTP END-OF-
+ Optional access restrictions that the Postfix SMTP
+ server applies in the context of the SMTP END-OF-
DATA command.
Available in Postfix version 2.10 and later:
- smtpd_relay_restrictions (permit_mynetworks,
- reject_unauth_destination)
+ smtpd_relay_restrictions (permit_mynetworks, per-
+ mit_sasl_authenticated, defer_unauth_destination)
Access restrictions for mail relay control that the
- Postfix SMTP server applies in the context of the
- RCPT TO command, before smtpd_recipient_restric-
+ Postfix SMTP server applies in the context of the
+ RCPT TO command, before smtpd_recipient_restric-
tions.
SENDER AND RECIPIENT ADDRESS VERIFICATION CONTROLS
- Postfix version 2.1 introduces sender and recipient
- address verification. This feature is implemented by
- sending probe email messages that are not actually deliv-
- ered. This feature is requested via the reject_unveri-
- fied_sender and reject_unverified_recipient access
- restrictions. The status of verification probes is main-
+ Postfix version 2.1 introduces sender and recipient
+ address verification. This feature is implemented by
+ sending probe email messages that are not actually deliv-
+ ered. This feature is requested via the reject_unveri-
+ fied_sender and reject_unverified_recipient access
+ restrictions. The status of verification probes is main-
tained by the verify(8) server. See the file ADDRESS_VER-
- IFICATION_README for information about how to configure
+ IFICATION_README for information about how to configure
and operate the Postfix sender/recipient address verifica-
tion service.
address_verify_poll_count (normal: 3, overload: 1)
- How many times to query the verify(8) service for
- the completion of an address verification request
+ How many times to query the verify(8) service for
+ the completion of an address verification request
in progress.
address_verify_poll_delay (3s)
- The delay between queries for the completion of an
+ The delay between queries for the completion of an
address verification request in progress.
address_verify_sender ($double_bounce_sender)
- The sender address to use in address verification
+ The sender address to use in address verification
probes; prior to Postfix 2.5 the default was "post-
master".
unverified_sender_reject_code (450)
- The numerical Postfix SMTP server response code
- when a recipient address is rejected by the
+ The numerical Postfix SMTP server response code
+ when a recipient address is rejected by the
reject_unverified_sender restriction.
unverified_recipient_reject_code (450)
- The numerical Postfix SMTP server response when a
+ The numerical Postfix SMTP server response when a
recipient address is rejected by the reject_unveri-
fied_recipient restriction.
Available in Postfix version 2.6 and later:
unverified_sender_defer_code (450)
- The numerical Postfix SMTP server response code
- when a sender address probe fails due to a tempo-
+ The numerical Postfix SMTP server response code
+ when a sender address probe fails due to a tempo-
rary error condition.
unverified_recipient_defer_code (450)
- The numerical Postfix SMTP server response when a
- recipient address probe fails due to a temporary
+ The numerical Postfix SMTP server response when a
+ recipient address probe fails due to a temporary
error condition.
unverified_sender_reject_reason (empty)
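Review bot: this hunk is almost entirely whitespace reflow, but the smtpd_relay_restrictions entry under "Available in Postfix version 2.10 and later" changes substance: the documented default moves from "permit_mynetworks, reject_unauth_destination" to "permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination". That is the one line in this hunk that changes documented behaviour (SASL-authenticated clients are now listed as permitted to relay, and unauthorized relay attempts fall under a defer_ rather than a reject_ restriction), so it should be called out explicitly rather than left buried among formatting-only lines, and it is worth confirming that the rendered default matches the hard-coded one in global/mail_params.h and the postconf(5) text. Note also that the ACCESS CONTROL RESPONSES section in the following hunks documents relay_domains_reject_code (554) only for reject_unauth_destination; a reader of this new default has no entry telling them which response code defer_unauth_destination produces, and one sentence there would close that gap.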
@@ -1101,7 +1107,7 @@ SMTPD(8) SMTPD(8)
unverified_sender_tempfail_action ($reject_temp-
fail_action)
The Postfix SMTP server's action when reject_unver-
- ified_sender fails due to a temporary error condi-
+ ified_sender fails due to a temporary error condi-
tion.
unverified_recipient_tempfail_action ($reject_temp-
@@ -1118,7 +1124,7 @@ SMTPD(8) SMTPD(8)
addresses.
ACCESS CONTROL RESPONSES
- The following parameters control numerical SMTP reply
+ The following parameters control numerical SMTP reply
codes and/or text responses.
access_map_reject_code (554)
@@ -1126,18 +1132,18 @@ SMTPD(8) SMTPD(8)
an access(5) map "reject" action.
defer_code (450)
- The numerical Postfix SMTP server response code
- when a remote SMTP client request is rejected by
+ The numerical Postfix SMTP server response code
+ when a remote SMTP client request is rejected by
the "defer" restriction.
invalid_hostname_reject_code (501)
- The numerical Postfix SMTP server response code
- when the client HELO or EHLO command parameter is
- rejected by the reject_invalid_helo_hostname
+ The numerical Postfix SMTP server response code
+ when the client HELO or EHLO command parameter is
+ rejected by the reject_invalid_helo_hostname
restriction.
maps_rbl_reject_code (554)
- The numerical Postfix SMTP server response code
+ The numerical Postfix SMTP server response code
when a remote SMTP client request is blocked by the
reject_rbl_client, reject_rhsbl_client,
reject_rhsbl_reverse_client, reject_rhsbl_sender or
@@ -1145,53 +1151,53 @@ SMTPD(8) SMTPD(8)
non_fqdn_reject_code (504)
The numerical Postfix SMTP server reply code when a
- client request is rejected by the
+ client request is rejected by the
reject_non_fqdn_helo_hostname,
reject_non_fqdn_sender or reject_non_fqdn_recipient
restriction.
plaintext_reject_code (450)
- The numerical Postfix SMTP server response code
- when a request is rejected by the reject_plain-
+ The numerical Postfix SMTP server response code
+ when a request is rejected by the reject_plain-
text_session restriction.
reject_code (554)
- The numerical Postfix SMTP server response code
- when a remote SMTP client request is rejected by
+ The numerical Postfix SMTP server response code
+ when a remote SMTP client request is rejected by
the "reject" restriction.
relay_domains_reject_code (554)
- The numerical Postfix SMTP server response code
- when a client request is rejected by the
+ The numerical Postfix SMTP server response code
+ when a client request is rejected by the
reject_unauth_destination recipient restriction.
unknown_address_reject_code (450)
- The numerical Postfix SMTP server response code
- when a sender or recipient address is rejected by
+ The numerical Postfix SMTP server response code
+ when a sender or recipient address is rejected by
the reject_unknown_sender_domain or
reject_unknown_recipient_domain restriction.
unknown_client_reject_code (450)
- The numerical Postfix SMTP server response code
- when a client without valid address <=> name map-
+ The numerical Postfix SMTP server response code
+ when a client without valid address <=> name map-
ping is rejected by the reject_unknown_client_host-
name restriction.
unknown_hostname_reject_code (450)
- The numerical Postfix SMTP server response code
- when the hostname specified with the HELO or EHLO
- command is rejected by the
+ The numerical Postfix SMTP server response code
+ when the hostname specified with the HELO or EHLO
+ command is rejected by the
reject_unknown_helo_hostname restriction.
Available in Postfix version 2.0 and later:
default_rbl_reply (see 'postconf -d' output)
- The default Postfix SMTP server response template
- for a request that is rejected by an RBL-based
+ The default Postfix SMTP server response template
+ for a request that is rejected by an RBL-based
restriction.
multi_recipient_bounce_reject_code (550)
- The numerical Postfix SMTP server response code
+ The numerical Postfix SMTP server response code
when a remote SMTP client request is blocked by the
reject_multi_recipient_bounce restriction.
@@ -1202,38 +1208,38 @@ SMTPD(8) SMTPD(8)
access_map_defer_code (450)
The numerical Postfix SMTP server response code for
- an access(5) map "defer" action, including
+ an access(5) map "defer" action, including
"defer_if_permit" or "defer_if_reject".
reject_tempfail_action (defer_if_permit)
The Postfix SMTP server's action when a reject-type
- restriction fails due to a temporary error condi-
+ restriction fails due to a temporary error condi-
tion.
unknown_helo_hostname_tempfail_action ($reject_temp-
fail_action)
- The Postfix SMTP server's action when
+ The Postfix SMTP server's action when
reject_unknown_helo_hostname fails due to an tempo-
rary error condition.
unknown_address_tempfail_action ($reject_tempfail_action)
- The Postfix SMTP server's action when
+ The Postfix SMTP server's action when
reject_unknown_sender_domain or
- reject_unknown_recipient_domain fail due to a tem-
+ reject_unknown_recipient_domain fail due to a tem-
porary error condition.
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
- The default location of the Postfix main.cf and
+ The default location of the Postfix main.cf and
master.cf configuration files.
daemon_timeout (18000s)
- How much time a Postfix daemon process may take to
- handle a request before it is terminated by a
+ How much time a Postfix daemon process may take to
+ handle a request before it is terminated by a
built-in watchdog timer.
command_directory (see 'postconf -d' output)
- The location of all postfix administrative com-
+ The location of all postfix administrative com-
mands.
double_bounce_sender (double-bounce)
@@ -1254,13 +1260,13 @@ SMTPD(8) SMTPD(8)
and most Postfix daemon processes.
max_idle (100s)
- The maximum amount of time that an idle Postfix
- daemon process waits for an incoming connection
+ The maximum amount of time that an idle Postfix
+ daemon process waits for an incoming connection
before terminating voluntarily.
max_use (100)
- The maximal number of incoming connections that a
- Postfix daemon process will service before termi-
+ The maximal number of incoming connections that a
+ Postfix daemon process will service before termi-
nating voluntarily.
myhostname (see 'postconf -d' output)
@@ -1272,19 +1278,19 @@ SMTPD(8) SMTPD(8)
myorigin ($myhostname)
The domain name that locally-posted mail appears to
- come from, and that locally posted mail is deliv-
+ come from, and that locally posted mail is deliv-
ered to.
process_id (read-only)
- The process ID of a Postfix command or daemon
+ The process ID of a Postfix command or daemon
process.
process_name (read-only)
- The process name of a Postfix command or daemon
+ The process name of a Postfix command or daemon
process.
queue_directory (see 'postconf -d' output)
- The location of the Postfix top-level queue direc-
+ The location of the Postfix top-level queue direc-
tory.
recipient_delimiter (empty)
@@ -1292,28 +1298,28 @@ SMTPD(8) SMTPD(8)
from its address extension (user+foo).
smtpd_banner ($myhostname ESMTP $mail_name)
- The text that follows the 220 status code in the
+ The text that follows the 220 status code in the
SMTP greeting banner.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
Available in Postfix version 2.2 and later:
smtpd_forbidden_commands (CONNECT, GET, POST)
List of commands that cause the Postfix SMTP server
- to immediately terminate the session with a 221
+ to immediately terminate the session with a 221
code.
Available in Postfix version 2.5 and later:
smtpd_client_port_logging (no)
- Enable logging of the remote SMTP client port in
+ Enable logging of the remote SMTP client port in
addition to the hostname and IP address.
SEE ALSO
@@ -1343,7 +1349,7 @@ SMTPD(8) SMTPD(8)
XFORWARD_README, Postfix XFORWARD extension
LICENSE
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
AUTHOR(S)
diff --git a/postfix/html/tlsproxy.8.html b/postfix/html/tlsproxy.8.html
index 1cb0f03e8..30c9c52e9 100644
--- a/postfix/html/tlsproxy.8.html
+++ b/postfix/html/tlsproxy.8.html
@@ -183,45 +183,51 @@ TLSPROXY(8) TLSPROXY(8)
The expiration time of Postfix tlsproxy(8) server
TLS session cache information.
+ Available in Postfix version 2.11 and later:
+
+ tlsmgr_service_name (tlsmgr)
+ The name of the tlsmgr(8) service entry in mas-
+ ter.cf.
+
OBSOLETE STARTTLS SUPPORT CONTROLS
- These parameters are supported for compatibility with
+ These parameters are supported for compatibility with
smtpd(8) legacy parameters.
tlsproxy_use_tls ($smtpd_use_tls)
- Opportunistic TLS: announce STARTTLS support to
+ Opportunistic TLS: announce STARTTLS support to
remote SMTP clients, but do not require that
clients use TLS encryption.
tlsproxy_enforce_tls ($smtpd_enforce_tls)
- Mandatory TLS: announce STARTTLS support to remote
- SMTP clients, and require that clients use TLS
+ Mandatory TLS: announce STARTTLS support to remote
+ SMTP clients, and require that clients use TLS
encryption.
RESOURCE CONTROLS
tlsproxy_watchdog_timeout (10s)
- How much time a tlsproxy(8) process may take to
+ How much time a tlsproxy(8) process may take to
process local or remote I/O before it is terminated
by a built-in watchdog timer.
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
- The default location of the Postfix main.cf and
+ The default location of the Postfix main.cf and
master.cf configuration files.
process_id (read-only)
- The process ID of a Postfix command or daemon
+ The process ID of a Postfix command or daemon
process.
process_name (read-only)
- The process name of a Postfix command or daemon
+ The process name of a Postfix command or daemon
process.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
SEE ALSO
@@ -231,7 +237,7 @@ TLSPROXY(8) TLSPROXY(8)
syslogd(5), system logging
LICENSE
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
HISTORY
diff --git a/postfix/man/man5/header_checks.5 b/postfix/man/man5/header_checks.5
index 10cd89a00..6976eb915 100644
--- a/postfix/man/man5/header_checks.5
+++ b/postfix/man/man5/header_checks.5
@@ -370,7 +370,7 @@ are excluded from inspection. Examples of such message headers
are \fBFrom:\fR, \fBTo:\fR, \fBMessage-ID:\fR, \fBDate:\fR.
Message headers deleted by the \fBcleanup\fR(8) daemon will
-be examined before they are deleted. Examples are: \fBBcc:\fr,
+be examined before they are deleted. Examples are: \fBBcc:\fR,
\fBContent-Length:\fR, \fBReturn-Path:\fR.
.SH "CONFIGURATION PARAMETERS"
.na
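Review bot: the corrected escape is right, since troff font requests are case-sensitive and `\fr` selects a font named "r" rather than returning to roman as `\fR` does; the same one-character fix is applied below to proto/header_checks, the source this man page is generated from, so the two stay in sync.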
diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5
index 0888296d8..c3600b5bb 100644
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@@ -11340,6 +11340,12 @@ Earlier Postfix implementations behave as if
.br
.PP
This feature is available in Postfix 2.11 and later.
+.SH tlsmgr_service_name (default: tlsmgr)
+The name of the \fBtlsmgr\fR(8) service entry in master.cf. This
+service maintains TLS session caches and other information in support
+of TLS.
+.PP
+This feature is available in Postfix 2.11 and later.
.SH tlsproxy_enforce_tls (default: $smtpd_enforce_tls)
Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
require that clients use TLS encryption. See smtpd_enforce_tls for
diff --git a/postfix/man/man8/smtp.8 b/postfix/man/man8/smtp.8
index 603bfa80f..5607d73ec 100644
--- a/postfix/man/man8/smtp.8
+++ b/postfix/man/man8/smtp.8
@@ -485,6 +485,8 @@ is specified, validated DANE TLSA records are present, but none are
usable.
.IP "\fBtls_dane_trust_anchor_digest_enable (trust-anchor-assertion)\fR"
RFC 6698 trust-anchor digest support in the Postfix TLS library.
+.IP "\fBtlsmgr_service_name (tlsmgr)\fR"
+The name of the \fBtlsmgr\fR(8) service entry in master.cf.
.SH "OBSOLETE STARTTLS CONTROLS"
.na
.nf
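Review bot: this entry lands without the two-line ".PP" / "Available in Postfix version 2.11 and later:" lead-in that the smtpd.8 and tlsproxy.8 hunks use for the very same parameter; that is only correct if the neighbouring tls_dane_* entries already sit under such a heading, otherwise add the two lines for consistency. The same question applies to the matching comment block in smtp.c, from which this page is generated.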
diff --git a/postfix/man/man8/smtpd.8 b/postfix/man/man8/smtpd.8
index 22e7b6603..2dad0b546 100644
--- a/postfix/man/man8/smtpd.8
+++ b/postfix/man/man8/smtpd.8
@@ -481,6 +481,10 @@ preference order instead of the remote client's cipher preference
order.
.IP "\fBtls_disable_workarounds (see 'postconf -d' output)\fR"
List or bit-mask of OpenSSL bug work-arounds to disable.
+.PP
+Available in Postfix version 2.11 and later:
+.IP "\fBtlsmgr_service_name (tlsmgr)\fR"
+The name of the \fBtlsmgr\fR(8) service entry in master.cf.
.SH "OBSOLETE STARTTLS CONTROLS"
.na
.nf
@@ -829,7 +833,7 @@ Optional access restrictions that the Postfix SMTP server
applies in the context of the SMTP END-OF-DATA command.
.PP
Available in Postfix version 2.10 and later:
-.IP "\fBsmtpd_relay_restrictions (permit_mynetworks, reject_unauth_destination)\fR"
+.IP "\fBsmtpd_relay_restrictions (permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination)\fR"
Access restrictions for mail relay control that the Postfix
SMTP server applies in the context of the RCPT TO command, before
smtpd_recipient_restrictions.
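Review bot: the documented default changes from "reject_unauth_destination" to "permit_sasl_authenticated, defer_unauth_destination", which is more than a typo fix: unauthenticated relay attempts now get a temporary 4xx instead of a permanent 5xx, and SASL-authenticated clients are explicitly allowed to relay. It does agree with DEF_RELAY_CHECKS in the mail_params.h hunk once the missing ", " is in place, but the postconf(5) entry for smtpd_relay_restrictions is not touched by the postconf.5 hunk in this diff, so check that its stated default says the same thing.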
diff --git a/postfix/man/man8/tlsproxy.8 b/postfix/man/man8/tlsproxy.8
index 5440eff82..caadcdd63 100644
--- a/postfix/man/man8/tlsproxy.8
+++ b/postfix/man/man8/tlsproxy.8
@@ -151,6 +151,10 @@ parameters smtpd_use_tls and smtpd_enforce_tls.
.IP "\fBtlsproxy_tls_session_cache_timeout ($smtpd_tls_session_cache_timeout)\fR"
The expiration time of Postfix \fBtlsproxy\fR(8) server TLS session
cache information.
+.PP
+Available in Postfix version 2.11 and later:
+.IP "\fBtlsmgr_service_name (tlsmgr)\fR"
+The name of the \fBtlsmgr\fR(8) service entry in master.cf.
.SH "OBSOLETE STARTTLS SUPPORT CONTROLS"
.na
.nf
diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink
index 60d37c6b1..94a39a1e4 100755
--- a/postfix/mantools/postlink
+++ b/postfix/mantools/postlink
@@ -695,6 +695,7 @@ while (<>) {
s;\bsmtpd_upstream_proxy_timeout\b;$&;g;
s;\btls_daemon_random_bytes\b;$&;g;
s;\btls_daemon_random_source\b;$&;g;
+ s;\btlsmgr_service_name\b;$&;g;
s;\btls_ran[-]*\n* *[]*dom_bytes\b;$&;g;
s;\btls_ran[-]*\n* *[]*dom_exchange_name\b;$&;g;
s;\btls_ran[-]*\n* *[]*dom_prng_update_period\b;$&;g;
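Review bot: the new pattern has no allowance for nroff hyphenation, unlike the tls_ran[-]*\n* *[]*dom_* lines right below it; tlsmgr_service_name is long enough for the formatter to split it across lines (the tlsproxy.8.html hunk in this diff already shows "mas-" / "ter.cf" being broken), in which case the hyperlink will be missed. Consider the same "[-]*\n* *[]*" treatment at a plausible break point.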
diff --git a/postfix/proto/header_checks b/postfix/proto/header_checks
index b797e6b5e..015d3a375 100644
--- a/postfix/proto/header_checks
+++ b/postfix/proto/header_checks
@@ -373,7 +373,7 @@
# are \fBFrom:\fR, \fBTo:\fR, \fBMessage-ID:\fR, \fBDate:\fR.
#
# Message headers deleted by the \fBcleanup\fR(8) daemon will
-# be examined before they are deleted. Examples are: \fBBcc:\fr,
+# be examined before they are deleted. Examples are: \fBBcc:\fR,
# \fBContent-Length:\fR, \fBReturn-Path:\fR.
# CONFIGURATION PARAMETERS
# .ad
diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto
index 793bcf03f..007e2c83c 100644
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@@ -15374,3 +15374,10 @@ and compression before encryption does not always improve security.
This feature is available in Postfix 2.11 and later.
+%PARAM tlsmgr_service_name tlsmgr
+
+ The name of the tlsmgr(8) service entry in master.cf. This
+service maintains TLS session caches and other information in support
+of TLS.
+
+ This feature is available in Postfix 2.11 and later.
diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h
index e4a7dd7b6..37dee0101 100644
--- a/postfix/src/global/mail_params.h
+++ b/postfix/src/global/mail_params.h
@@ -635,13 +635,20 @@ extern bool var_exp_own_alias;
extern bool var_stat_home_dir;
/*
- * Queue manager: maximal size of the duplicate expansion filter. By
+ * Cleanup server: maximal size of the duplicate expansion filter. By
* default, we do graceful degradation with huge mailing lists.
*/
#define VAR_DUP_FILTER_LIMIT "duplicate_filter_limit"
#define DEF_DUP_FILTER_LIMIT 1000
extern int var_dup_filter_limit;
+ /*
+ * Transport Layer Security (TLS) protocol support.
+ */
+#define VAR_TLS_MGR_SERVICE "tlsmgr_service_name"
+#define DEF_TLS_MGR_SERVICE "tlsmgr"
+extern char *var_tls_mgr_service;
+
#define VAR_TLS_APPEND_DEF_CA "tls_append_default_CA"
#define DEF_TLS_APPEND_DEF_CA 0 /* Postfix < 2.8 BC break */
extern bool var_tls_append_def_CA;
@@ -1975,7 +1982,7 @@ extern char *var_mail_checks;
#define VAR_RELAY_CHECKS "smtpd_relay_restrictions"
#define DEF_RELAY_CHECKS PERMIT_MYNETWORKS ", " \
- PERMIT_SASL_AUTH \
+ PERMIT_SASL_AUTH ", " \
DEFER_UNAUTH_DEST
extern char *var_relay_checks;
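Review bot: the added ", " is the substantive fix of this commit. Without it the adjacent string literals PERMIT_SASL_AUTH and DEFER_UNAUTH_DEST are spliced by the compiler into a single unrecognized token, "permit_sasl_authenticateddefer_unauth_destination", so the compiled-in relay safety net named neither restriction and did not do what the smtpd(8) text promises. A splice like this is invisible to the compiler, so a test that `postconf -d smtpd_relay_restrictions` prints three comma-separated names would be a cheap guard against a repeat.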
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index fb0c0f83f..3f8e6346c 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20130616"
+#define MAIL_RELEASE_DATE "20130623"
#define MAIL_VERSION_NUMBER "2.11"
#ifdef SNAPSHOT
diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c
index eb27db190..1cf409f98 100644
--- a/postfix/src/smtp/smtp.c
+++ b/postfix/src/smtp/smtp.c
@@ -455,6 +455,8 @@
/* usable.
/* .IP "\fBtls_dane_trust_anchor_digest_enable (trust-anchor-assertion)\fR"
/* RFC 6698 trust-anchor digest support in the Postfix TLS library.
+/* .IP "\fBtlsmgr_service_name (tlsmgr)\fR"
+/* The name of the \fBtlsmgr\fR(8) service entry in master.cf.
/* OBSOLETE STARTTLS CONTROLS
/* .ad
/* .fi
diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c
index ce2b31d26..613570f5e 100644
--- a/postfix/src/smtpd/smtpd.c
+++ b/postfix/src/smtpd/smtpd.c
@@ -447,6 +447,10 @@
/* order.
/* .IP "\fBtls_disable_workarounds (see 'postconf -d' output)\fR"
/* List or bit-mask of OpenSSL bug work-arounds to disable.
+/* .PP
+/* Available in Postfix version 2.11 and later:
+/* .IP "\fBtlsmgr_service_name (tlsmgr)\fR"
+/* The name of the \fBtlsmgr\fR(8) service entry in master.cf.
/* OBSOLETE STARTTLS CONTROLS
/* .ad
/* .fi
@@ -779,7 +783,7 @@
/* applies in the context of the SMTP END-OF-DATA command.
/* .PP
/* Available in Postfix version 2.10 and later:
-/* .IP "\fBsmtpd_relay_restrictions (permit_mynetworks, reject_unauth_destination)\fR"
+/* .IP "\fBsmtpd_relay_restrictions (permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination)\fR"
/* Access restrictions for mail relay control that the Postfix
/* SMTP server applies in the context of the RCPT TO command, before
/* smtpd_recipient_restrictions.
@@ -3369,6 +3373,7 @@ static int noop_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
static int vrfy_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
{
const char *err = 0;
+ int rate;
/*
* The SMTP standard (RFC 821) disallows unquoted special characters in
@@ -3399,17 +3404,38 @@ static int vrfy_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
smtpd_chat_reply(state, "502 5.5.1 VRFY command is disabled");
return (-1);
}
+ if (argc < 2) {
+ state->error_mask |= MAIL_ERROR_PROTOCOL;
+ smtpd_chat_reply(state, "501 5.5.4 Syntax: VRFY address");
+ return (-1);
+ }
+
+ /*
+ * XXX The client event count/rate control must be consistent in its use
+ * of client address information in connect and disconnect events. For
+ * now we exclude xclient authorized hosts from event count/rate control.
+ */
+ if (SMTPD_STAND_ALONE(state) == 0
+ && !xclient_allowed
+ && anvil_clnt
+ && var_smtpd_crcpt_limit > 0
+ && !namadr_list_match(hogger_list, state->name, state->addr)
+ && anvil_clnt_rcpt(anvil_clnt, state->service, state->addr,
+ &rate) == ANVIL_STAT_OK
+ && rate > var_smtpd_crcpt_limit) {
+ state->error_mask |= MAIL_ERROR_POLICY;
+ msg_warn("Recipient address rate limit exceeded: %d from %s for service %s",
+ rate, state->namaddr, state->service);
+ smtpd_chat_reply(state, "450 4.7.1 Error: too many recipients from %s",
+ state->addr);
+ return (-1);
+ }
if (smtpd_milters != 0 && (err = milter_other_event(smtpd_milters)) != 0
&& (err[0] == '5' || err[0] == '4')) {
state->error_mask |= MAIL_ERROR_POLICY;
smtpd_chat_reply(state, "%s", err);
return (-1);
}
- if (argc < 2) {
- state->error_mask |= MAIL_ERROR_PROTOCOL;
- smtpd_chat_reply(state, "501 5.5.4 Syntax: VRFY address");
- return (-1);
- }
if (argc > 2)
collapse_args(argc - 1, argv + 1);
if (extract_addr(state, argv + 1, REJECT_EMPTY_ADDR, SLOPPY) != 0) {
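Review bot: the 450 reply and the msg_warn() text are copied verbatim from the RCPT TO path, so an operator reading "too many recipients from ..." in the log cannot tell a VRFY probing burst from a RCPT burst; include the command name in the warning so the two can be distinguished by log analysis. The check itself closes a real gap, since VRFY is an address-probing command that was not subject to smtpd_client_recipient_rate_limit before, though note it only fires when the limit is set above its default of 0 and the client is not in smtpd_client_event_limit_exceptions (hogger_list). Two further points: the "argc < 2" syntax check now runs before both the anvil count and milter_other_event(), so malformed VRFY commands are no longer seen by milters or counted, which looks intentional but is an unannounced behaviour change; and no hunk in this diff updates the smtpd_client_recipient_rate_limit description in proto/postconf.proto to say that VRFY now counts toward the limit.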
diff --git a/postfix/src/tls/Makefile.in b/postfix/src/tls/Makefile.in
index 92bf67818..d3d3a2f9c 100644
--- a/postfix/src/tls/Makefile.in
+++ b/postfix/src/tls/Makefile.in
@@ -129,7 +129,11 @@ tls_client.o: tls.h
tls_client.o: tls_client.c
tls_client.o: tls_mgr.h
tls_dane.o: ../../include/argv.h
+tls_dane.o: ../../include/ctable.h
tls_dane.o: ../../include/dns.h
+tls_dane.o: ../../include/events.h
+tls_dane.o: ../../include/hex_code.h
+tls_dane.o: ../../include/mail_params.h
tls_dane.o: ../../include/msg.h
tls_dane.o: ../../include/myaddrinfo.h
tls_dane.o: ../../include/mymalloc.h
@@ -138,6 +142,7 @@ tls_dane.o: ../../include/name_mask.h
tls_dane.o: ../../include/sock_addr.h
tls_dane.o: ../../include/stringops.h
tls_dane.o: ../../include/sys_defs.h
+tls_dane.o: ../../include/timecmp.h
tls_dane.o: ../../include/vbuf.h
tls_dane.o: ../../include/vstream.h
tls_dane.o: ../../include/vstring.h
@@ -182,6 +187,8 @@ tls_mgr.o: ../../include/iostuff.h
tls_mgr.o: ../../include/mail_params.h
tls_mgr.o: ../../include/mail_proto.h
tls_mgr.o: ../../include/msg.h
+tls_mgr.o: ../../include/mymalloc.h
+tls_mgr.o: ../../include/stringops.h
tls_mgr.o: ../../include/sys_defs.h
tls_mgr.o: ../../include/vbuf.h
tls_mgr.o: ../../include/vstream.h
diff --git a/postfix/src/tls/tls_mgr.c b/postfix/src/tls/tls_mgr.c
index a0b089488..ef4014370 100644
--- a/postfix/src/tls/tls_mgr.c
+++ b/postfix/src/tls/tls_mgr.c
@@ -104,6 +104,8 @@
#include
#include
#include
+#include
+#include
/* Global library. */
@@ -119,6 +121,7 @@ static ATTR_CLNT *tls_mgr;
static void tls_mgr_open(void)
{
+ char *service;
/*
* Sanity check.
@@ -130,14 +133,12 @@ static void tls_mgr_open(void)
* Use whatever IPC is preferred for internal use: UNIX-domain sockets or
* Solaris streams.
*/
-#ifndef VAR_TLS_MGR_SERVICE
- tls_mgr = attr_clnt_create("local:" TLS_MGR_CLASS "/" TLS_MGR_SERVICE,
- var_ipc_timeout, var_ipc_idle_limit,
- var_ipc_ttl_limit);
-#else
- tls_mgr = attr_clnt_create(var_tlsmgr_service, var_ipc_timeout,
+ service = concatenate("local:" TLS_MGR_CLASS "/", var_tls_mgr_service,
+ (char *) 0);
+ tls_mgr = attr_clnt_create(service, var_ipc_timeout,
var_ipc_idle_limit, var_ipc_ttl_limit);
-#endif
+ myfree(service);
+
attr_clnt_control(tls_mgr,
ATTR_CLNT_CTL_PROTO, attr_vprint, attr_vscan,
ATTR_CLNT_CTL_END);
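Review bot: the unconditional concatenate() path also fixes two latent defects in the removed #else branch, which referred to a var_tlsmgr_service that does not match the declared var_tls_mgr_service and passed the bare name to attr_clnt_create() without the "local:" TLS_MGR_CLASS "/" prefix. Two checks before merging: attr_clnt_create() must copy its service argument, because the buffer is myfree()'d on the very next line; and since the configured name becomes part of a socket path under the queue directory, rejecting a value that contains '/' would turn a misconfigured tlsmgr_service_name into a clear startup error instead of a confusing connection failure to the wrong path.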
diff --git a/postfix/src/tls/tls_misc.c b/postfix/src/tls/tls_misc.c
index da4730520..492c6f50c 100644
--- a/postfix/src/tls/tls_misc.c
+++ b/postfix/src/tls/tls_misc.c
@@ -20,6 +20,7 @@
/* bool var_tls_preempt_clist;
/* bool var_tls_bc_pkey_fprint;
/* bool var_tls_multi_wildcard;
+/* char *var_tls_mgr_service;
/*
/* TLS_APPL_STATE *tls_alloc_app_context(ssl_ctx, log_mask)
/* SSL_CTX *ssl_ctx;
@@ -225,6 +226,7 @@ char *var_tls_bug_tweaks;
char *var_tls_ssl_options;
bool var_tls_bc_pkey_fprint;
bool var_tls_multi_wildcard;
+char *var_tls_mgr_service;
#ifdef VAR_TLS_PREEMPT_CLIST
bool var_tls_preempt_clist;
@@ -593,6 +595,7 @@ void tls_param_init(void)
VAR_TLS_BUG_TWEAKS, DEF_TLS_BUG_TWEAKS, &var_tls_bug_tweaks, 0, 0,
VAR_TLS_SSL_OPTIONS, DEF_TLS_SSL_OPTIONS, &var_tls_ssl_options, 0, 0,
VAR_TLS_DANE_TA_DGST, DEF_TLS_DANE_TA_DGST, &var_tls_dane_ta_dgst, 0, 0,
+ VAR_TLS_MGR_SERVICE, DEF_TLS_MGR_SERVICE, &var_tls_mgr_service, 1, 0,
0,
};
static const CONFIG_INT_TABLE int_table[] = {
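Review bot: the min-length column value of 1 makes an empty tlsmgr_service_name a startup error, which is the right choice; there is no character-set check on the value here, so a name containing a path separator only surfaces later when the client fails to reach the service socket.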
diff --git a/postfix/src/tlsproxy/tlsproxy.c b/postfix/src/tlsproxy/tlsproxy.c
index e2e1d348f..eff987a6e 100644
--- a/postfix/src/tlsproxy/tlsproxy.c
+++ b/postfix/src/tlsproxy/tlsproxy.c
@@ -135,6 +135,10 @@
/* .IP "\fBtlsproxy_tls_session_cache_timeout ($smtpd_tls_session_cache_timeout)\fR"
/* The expiration time of Postfix \fBtlsproxy\fR(8) server TLS session
/* cache information.
+/* .PP
+/* Available in Postfix version 2.11 and later:
+/* .IP "\fBtlsmgr_service_name (tlsmgr)\fR"
+/* The name of the \fBtlsmgr\fR(8) service entry in master.cf.
/* OBSOLETE STARTTLS SUPPORT CONTROLS
/* .ad
/* .fi