From: Wietse Venema Date: Thu, 14 Jun 2007 05:00:00 +0000 (-0500) Subject: postfix-2.5-20070614 X-Git-Tag: v2.5.0-RC1~34 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6f2b97dd52b8541555e4e084f4322b3a228089d7;p=thirdparty%2Fpostfix.git postfix-2.5-20070614 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index 3e1be934b..493b2d2a1 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -13596,8 +13596,23 @@ Apologies for any names omitted. 20070613 - Bugfix: the Milter client assumed that body edit requests - would never come before header/envelope edit requests. - Problem was triggered by Jose-Marcio Martins da Cruz. Also - streamlined the handling of queue file update errors. File: - milter/milter8.c. + Bugfix: the Milter client assumed that a Milter application + does not modify the message header or envelope, after that + same Milter application has modified the message body of + that same email message. This is not a problem with updates + by different Milter applications. Problem was triggered + by Jose-Marcio Martins da Cruz. Also simplified the handling + of queue file update errors. File: milter/milter8.c. + +20070614 + + Workaround: some EXIM servers require SASL login without + authzid (authoriZation ID), i.e. the client must send only + the authcid (authentiCation ID) + the authcid's password. + The IETF draft document says that in this case the server + shall derive the authzid from the authcid. And since the + Postfix client always used the same value for authzid and + authcid, dropping the authzid should not create problems + (lightly tested with Cyrus SASL servers). To get the old + behavior specify "send_cyrus_sasl_authzid = yes". File: + xsasl/xsasl_cyrus_client.c. diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index a753e795d..67b7af21d 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES 
@@ -17,6 +17,14 @@ Incompatibility with Postfix 2.3 and earlier If you upgrade from Postfix 2.3 or earlier, read RELEASE_NOTES-2.4 before proceeding. +Incompatibility with Postfix snapshot 20070614 +============================================== + +By default, the Cyrus SASL client no longer sends an authoriZation +ID (authzid); it sends only the authentiCation ID (authcid) plus +the authcid's password. Specify "send_cyrus_sasl_authzid = yes" to +get the old behavior. + Incompatibility with Postfix snapshot 20070613 ============================================== diff --git a/postfix/html/lmtp.8.html b/postfix/html/lmtp.8.html index 69ec99349..65101c012 100644 --- a/postfix/html/lmtp.8.html +++ b/postfix/html/lmtp.8.html @@ -253,11 +253,19 @@ SMTP(8) SMTP(8) will ignore in the LHLO response from a remote LMTP server. + Available in Postfix version 2.5 and later: + + send_cyrus_sasl_authzid (no) + When authenticating to a SASL server, with the + default setting "no", send no authoriZation ID + (authzid); send only the authentiCation ID (auth- + cid) plus the authcid's password. + MIME PROCESSING CONTROLS Available in Postfix version 2.0 and later: disable_mime_output_conversion (no) - Disable the conversion of 8BITMIME format to 7BIT + Disable the conversion of 8BITMIME format to 7BIT format. mime_boundary_length_limit (2048) 
@@ -272,91 +280,91 @@ SMTP(8) SMTP(8) Available in Postfix version 2.1 and later: smtp_send_xforward_command (no) - Send the non-standard XFORWARD command when the - Postfix SMTP server EHLO response announces XFOR- + Send the non-standard XFORWARD command when the + Postfix SMTP server EHLO response announces XFOR- WARD support. SASL AUTHENTICATION CONTROLS smtp_sasl_auth_enable (no) - Enable SASL authentication in the Postfix SMTP + Enable SASL authentication in the Postfix SMTP client. smtp_sasl_password_maps (empty) - Optional SMTP client lookup tables with one user- - name:password entry per remote hostname or domain, + Optional SMTP client lookup tables with one user- + name:password entry per remote hostname or domain, or sender address when sender-dependent authentica- tion is enabled. smtp_sasl_security_options (noplaintext, noanonymous) - Postfix SMTP client SASL security options; as of - Postfix 2.3 the list of available features depends - on the SASL client implementation that is selected + Postfix SMTP client SASL security options; as of + Postfix 2.3 the list of available features depends + on the SASL client implementation that is selected with smtp_sasl_type. Available in Postfix version 2.2 and later: smtp_sasl_mechanism_filter (empty) - If non-empty, a Postfix SMTP client filter for the - remote SMTP server's list of offered SASL mecha- + If non-empty, a Postfix SMTP client filter for the + remote SMTP server's list of offered SASL mecha- nisms. Available in Postfix version 2.3 and later: smtp_sender_dependent_authentication (no) Enable sender-dependent authentication in the Post- - fix SMTP client; this is available only with SASL - authentication, and disables SMTP connection - caching to ensure that mail from different senders + fix SMTP client; this is available only with SASL + authentication, and disables SMTP connection + caching to ensure that mail from different senders will use the appropriate credentials. 
smtp_sasl_path (empty) - Implementation-specific information that the Post- - fix SMTP client passes through to the SASL plug-in - implementation that is selected with + Implementation-specific information that the Post- + fix SMTP client passes through to the SASL plug-in + implementation that is selected with smtp_sasl_type. smtp_sasl_type (cyrus) - The SASL plug-in type that the Postfix SMTP client + The SASL plug-in type that the Postfix SMTP client should use for authentication. STARTTLS SUPPORT CONTROLS - Detailed information about STARTTLS configuration may be + Detailed information about STARTTLS configuration may be found in the TLS_README document. smtp_tls_security_level (empty) The default SMTP TLS security level for the Postfix - SMTP client; when a non-empty value is specified, - this overrides the obsolete parameters + SMTP client; when a non-empty value is specified, + this overrides the obsolete parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername. smtp_sasl_tls_security_options ($smtp_sasl_secu- rity_options) - The SASL authentication security options that the - Postfix SMTP client uses for TLS encrypted SMTP + The SASL authentication security options that the + Postfix SMTP client uses for TLS encrypted SMTP sessions. smtp_starttls_timeout (300s) - Time limit for Postfix SMTP client write and read - operations during TLS startup and shutdown hand- + Time limit for Postfix SMTP client write and read + operations during TLS startup and shutdown hand- shake procedures. smtp_tls_CAfile (empty) - The file with the certificate of the certification - authority (CA) that issued the Postfix SMTP client + The file with the certificate of the certification + authority (CA) that issued the Postfix SMTP client certificate. 
smtp_tls_CApath (empty) - Directory with PEM format certificate authority - certificates that the Postfix SMTP client uses to + Directory with PEM format certificate authority + certificates that the Postfix SMTP client uses to verify a remote SMTP server certificate. smtp_tls_cert_file (empty) - File with the Postfix SMTP client RSA certificate + File with the Postfix SMTP client RSA certificate in PEM format. smtp_tls_mandatory_ciphers (medium) - The minimum TLS cipher grade that the Postfix SMTP + The minimum TLS cipher grade that the Postfix SMTP client will use with mandatory TLS encryption. smtp_tls_exclude_ciphers (empty) 
@@ -365,43 +373,43 @@ SMTP(8) SMTP(8) levels. smtp_tls_mandatory_exclude_ciphers (empty) - Additional list of ciphers or cipher types to - exclude from the SMTP client cipher list at manda- + Additional list of ciphers or cipher types to + exclude from the SMTP client cipher list at manda- tory TLS security levels. smtp_tls_dcert_file (empty) - File with the Postfix SMTP client DSA certificate + File with the Postfix SMTP client DSA certificate in PEM format. smtp_tls_dkey_file ($smtp_tls_dcert_file) - File with the Postfix SMTP client DSA private key + File with the Postfix SMTP client DSA private key in PEM format. smtp_tls_key_file ($smtp_tls_cert_file) - File with the Postfix SMTP client RSA private key + File with the Postfix SMTP client RSA private key in PEM format. smtp_tls_loglevel (0) - Enable additional Postfix SMTP client logging of + Enable additional Postfix SMTP client logging of TLS activity. smtp_tls_note_starttls_offer (no) - Log the hostname of a remote SMTP server that - offers STARTTLS, when TLS is not already enabled + Log the hostname of a remote SMTP server that + offers STARTTLS, when TLS is not already enabled for that server. smtp_tls_policy_maps (empty) Optional lookup tables with the Postfix SMTP client TLS security policy by next-hop destination; when a - non-empty value is specified, this overrides the + non-empty value is specified, this overrides the obsolete smtp_tls_per_site parameter. smtp_tls_mandatory_protocols (SSLv3, TLSv1) - List of TLS protocols that the Postfix SMTP client + List of TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption. smtp_tls_scert_verifydepth (5) - The verification depth for remote SMTP server cer- + The verification depth for remote SMTP server cer- tificates. smtp_tls_secure_cert_match (nexthop, dot-nexthop) 
@@ -409,7 +417,7 @@ SMTP(8) SMTP(8) for the "secure" TLS security level. smtp_tls_session_cache_database (empty) - Name of the file containing the optional Postfix + Name of the file containing the optional Postfix SMTP client TLS session cache. smtp_tls_session_cache_timeout (3600s) @@ -421,9 +429,9 @@ SMTP(8) SMTP(8) for the "verify" TLS security level. tls_daemon_random_bytes (32) - The number of pseudo-random bytes that an smtp(8) - or smtpd(8) process requests from the tlsmgr(8) - server in order to seed its internal pseudo random + The number of pseudo-random bytes that an smtp(8) + or smtpd(8) process requests from the tlsmgr(8) + server in order to seed its internal pseudo random number generator (PRNG). tls_high_cipherlist @@ -435,7 +443,7 @@ SMTP(8) SMTP(8) ciphers. tls_low_cipherlist (ALL:!EXPORT:+RC4:@STRENGTH) - The OpenSSL cipherlist for "LOW" or higher grade + The OpenSSL cipherlist for "LOW" or higher grade ciphers. tls_export_cipherlist (ALL:+RC4:@STRENGTH) 
@@ -443,40 +451,40 @@ SMTP(8) SMTP(8) ciphers. tls_null_cipherlist (eNULL:!aNULL) - The OpenSSL cipherlist for "NULL" grade ciphers + The OpenSSL cipherlist for "NULL" grade ciphers that provide authentication without encryption. Available in Postfix version 2.4 and later: smtp_sasl_tls_verified_security_options ($smtp_sasl_tls_security_options) - The SASL authentication security options that the - Postfix SMTP client uses for TLS encrypted SMTP + The SASL authentication security options that the + Postfix SMTP client uses for TLS encrypted SMTP sessions with a verified server certificate. OBSOLETE STARTTLS CONTROLS - The following configuration parameters exist for compati- + The following configuration parameters exist for compati- bility with Postfix versions before 2.3. Support for these will be removed in a future release. smtp_use_tls (no) - Opportunistic mode: use TLS when a remote SMTP - server announces STARTTLS support, otherwise send + Opportunistic mode: use TLS when a remote SMTP + server announces STARTTLS support, otherwise send the mail in the clear. smtp_enforce_tls (no) - Enforcement mode: require that remote SMTP servers - use TLS encryption, and never send mail in the + Enforcement mode: require that remote SMTP servers + use TLS encryption, and never send mail in the clear. smtp_tls_enforce_peername (yes) - With mandatory TLS encryption, require that the + With mandatory TLS encryption, require that the remote SMTP server hostname matches the information in the remote SMTP server certificate. smtp_tls_per_site (empty) Optional lookup tables with the Postfix SMTP client - TLS usage policy by next-hop destination and by + TLS usage policy by next-hop destination and by remote SMTP server hostname. smtp_tls_cipherlist (empty) 
@@ -486,27 +494,27 @@ SMTP(8) SMTP(8) RESOURCE AND RATE CONTROLS smtp_destination_concurrency_limit ($default_destina- tion_concurrency_limit) - The maximal number of parallel deliveries to the - same destination via the smtp message delivery + The maximal number of parallel deliveries to the + same destination via the smtp message delivery transport. smtp_destination_recipient_limit ($default_destina- tion_recipient_limit) - The maximal number of recipients per delivery via + The maximal number of recipients per delivery via the smtp message delivery transport. smtp_connect_timeout (30s) - The SMTP client time limit for completing a TCP + The SMTP client time limit for completing a TCP connection, or zero (use the operating system built-in time limit). smtp_helo_timeout (300s) - The SMTP client time limit for sending the HELO or - EHLO command, and for receiving the initial server + The SMTP client time limit for sending the HELO or + EHLO command, and for receiving the initial server response. lmtp_lhlo_timeout (300s) - The LMTP client time limit for sending the LHLO + The LMTP client time limit for sending the LHLO command, and for receiving the initial server response. 
@@ -515,30 +523,30 @@ SMTP(8) SMTP(8) command, and for receiving the server response. smtp_mail_timeout (300s) - The SMTP client time limit for sending the MAIL - FROM command, and for receiving the server + The SMTP client time limit for sending the MAIL + FROM command, and for receiving the server response. smtp_rcpt_timeout (300s) - The SMTP client time limit for sending the SMTP - RCPT TO command, and for receiving the server + The SMTP client time limit for sending the SMTP + RCPT TO command, and for receiving the server response. smtp_data_init_timeout (120s) - The SMTP client time limit for sending the SMTP - DATA command, and for receiving the server + The SMTP client time limit for sending the SMTP + DATA command, and for receiving the server response. smtp_data_xfer_timeout (180s) - The SMTP client time limit for sending the SMTP + The SMTP client time limit for sending the SMTP message content. smtp_data_done_timeout (600s) - The SMTP client time limit for sending the SMTP + The SMTP client time limit for sending the SMTP ".", and for receiving the server response. smtp_quit_timeout (300s) - The SMTP client time limit for sending the QUIT + The SMTP client time limit for sending the QUIT command, and for receiving the server response. Available in Postfix version 2.1 and later: @@ -549,12 +557,12 @@ SMTP(8) SMTP(8) lookups, or zero (no limit). smtp_mx_session_limit (2) - The maximal number of SMTP sessions per delivery - request before giving up or delivering to a fall- + The maximal number of SMTP sessions per delivery + request before giving up or delivering to a fall- back relay host, or zero (no limit). smtp_rset_timeout (20s) - The SMTP client time limit for sending the RSET + The SMTP client time limit for sending the RSET command, and for receiving the server response. Available in Postfix version 2.2 and earlier: 
@@ -566,11 +574,11 @@ SMTP(8) SMTP(8) Available in Postfix version 2.2 and later: smtp_connection_cache_destinations (empty) - Permanently enable SMTP connection caching for the + Permanently enable SMTP connection caching for the specified destinations. smtp_connection_cache_on_demand (yes) - Temporarily enable SMTP connection caching while a + Temporarily enable SMTP connection caching while a destination has a high volume of mail in the active queue. 
@@ -580,62 +588,62 @@ SMTP(8) SMTP(8) smtp_connection_cache_time_limit (2s) When SMTP connection caching is enabled, the amount - of time that an unused SMTP client socket is kept + of time that an unused SMTP client socket is kept open before it is closed. Available in Postfix version 2.3 and later: connection_cache_protocol_timeout (5s) - Time limit for connection cache connect, send or + Time limit for connection cache connect, send or receive operations. TROUBLE SHOOTING CONTROLS debug_peer_level (2) - The increment in verbose logging level when a - remote client or server matches a pattern in the + The increment in verbose logging level when a + remote client or server matches a pattern in the debug_peer_list parameter. debug_peer_list (empty) - Optional list of remote client or server hostname - or network address patterns that cause the verbose - logging level to increase by the amount specified + Optional list of remote client or server hostname + or network address patterns that cause the verbose + logging level to increase by the amount specified in $debug_peer_level. error_notice_recipient (postmaster) - The recipient of postmaster notifications about - mail delivery problems that are caused by policy, + The recipient of postmaster notifications about + mail delivery problems that are caused by policy, resource, software or protocol errors. internal_mail_filter_classes (empty) - What categories of Postfix-generated mail are sub- - ject to before-queue content inspection by + What categories of Postfix-generated mail are sub- + ject to before-queue content inspection by non_smtpd_milters, header_checks and body_checks. notify_classes (resource, software) - The list of error classes that are reported to the + The list of error classes that are reported to the postmaster. 
MISCELLANEOUS CONTROLS best_mx_transport (empty) - Where the Postfix SMTP client should deliver mail + Where the Postfix SMTP client should deliver mail when it detects a "mail loops back to myself" error condition. config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and + The default location of the Postfix main.cf and master.cf configuration files. daemon_timeout (18000s) - How much time a Postfix daemon process may take to - handle a request before it is terminated by a + How much time a Postfix daemon process may take to + handle a request before it is terminated by a built-in watchdog timer. delay_logging_resolution_limit (2) - The maximal number of digits after the decimal + The maximal number of digits after the decimal point when logging sub-second delay values. disable_dns_lookups (no) - Disable DNS lookups in the Postfix SMTP and LMTP + Disable DNS lookups in the Postfix SMTP and LMTP clients. inet_interfaces (all) @@ -643,7 +651,7 @@ SMTP(8) SMTP(8) tem receives mail on. inet_protocols (ipv4) - The Internet protocols Postfix will attempt to use + The Internet protocols Postfix will attempt to use when making or accepting connections. ipc_timeout (3600s) 
@@ -651,75 +659,75 @@ SMTP(8) SMTP(8) over an internal communication channel. lmtp_tcp_port (24) - The default TCP port that the Postfix LMTP client + The default TCP port that the Postfix LMTP client connects to. max_idle (100s) - The maximum amount of time that an idle Postfix - daemon process waits for an incoming connection + The maximum amount of time that an idle Postfix + daemon process waits for an incoming connection before terminating voluntarily. max_use (100) - The maximal number of incoming connections that a - Postfix daemon process will service before termi- + The maximal number of incoming connections that a + Postfix daemon process will service before termi- nating voluntarily. process_id (read-only) - The process ID of a Postfix command or daemon + The process ID of a Postfix command or daemon process. process_name (read-only) - The process name of a Postfix command or daemon + The process name of a Postfix command or daemon process. proxy_interfaces (empty) The network interface addresses that this mail sys- - tem receives mail on by way of a proxy or network + tem receives mail on by way of a proxy or network address translation unit. smtp_bind_address (empty) - An optional numerical network address that the - Postfix SMTP client should bind to when making an + An optional numerical network address that the + Postfix SMTP client should bind to when making an IPv4 connection. smtp_bind_address6 (empty) - An optional numerical network address that the - Postfix SMTP client should bind to when making an + An optional numerical network address that the + Postfix SMTP client should bind to when making an IPv6 connection. smtp_helo_name ($myhostname) - The hostname to send in the SMTP EHLO or HELO com- + The hostname to send in the SMTP EHLO or HELO com- mand. lmtp_lhlo_name ($myhostname) The hostname to send in the LMTP LHLO command. 
smtp_host_lookup (dns) - What mechanisms when the Postfix SMTP client uses + What mechanisms when the Postfix SMTP client uses to look up a host's IP address. smtp_randomize_addresses (yes) - Randomize the order of equal-preference MX host + Randomize the order of equal-preference MX host addresses. syslog_facility (mail) The syslog facility of Postfix logging. syslog_name (postfix) - The mail system name that is prepended to the - process name in syslog records, so that "smtpd" + The mail system name that is prepended to the + process name in syslog records, so that "smtpd" becomes, for example, "postfix/smtpd". Available with Postfix 2.2 and earlier: fallback_relay (empty) - Optional list of relay hosts for SMTP destinations + Optional list of relay hosts for SMTP destinations that can't be found or that are unreachable. Available with Postfix 2.3 and later: smtp_fallback_relay ($fallback_relay) - Optional list of relay hosts for SMTP destinations + Optional list of relay hosts for SMTP destinations that can't be found or that are unreachable. SEE ALSO @@ -737,7 +745,7 @@ SMTP(8) SMTP(8) TLS_README, Postfix STARTTLS howto LICENSE - The Secure Mailer license must be distributed with this + The Secure Mailer license must be distributed with this software. AUTHOR(S) diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 9f73cefc0..f15cad0d9 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -43,8 +43,7 @@ that starts with whitespace continues a logical line.

  • When the same parameter is defined multiple times, only @@ -6712,6 +6713,23 @@ The name of the directory with example Postfix configuration files.

    + + +
    send_cyrus_sasl_authzid +(default: no)
    + +

    When authenticating to a SASL server, with the default setting +"no", send no authoriZation ID (authzid); send only the authentiCation +ID (authcid) plus the authcid's password.

    + +

    The non-default setting "yes" enables the behavior of older +Postfix versions. These always send an authzid that is equal to +the authcid, but this causes inter-operability problems with some +SMTP servers.

    + +

    This feature is available in Postfix 2.5 and later.

    + +
    sender_based_routing diff --git a/postfix/html/smtp.8.html b/postfix/html/smtp.8.html index 69ec99349..65101c012 100644 --- a/postfix/html/smtp.8.html +++ b/postfix/html/smtp.8.html @@ -253,11 +253,19 @@ SMTP(8) SMTP(8) will ignore in the LHLO response from a remote LMTP server. + Available in Postfix version 2.5 and later: + + send_cyrus_sasl_authzid (no) + When authenticating to a SASL server, with the + default setting "no", send no authoriZation ID + (authzid); send only the authentiCation ID (auth- + cid) plus the authcid's password. + MIME PROCESSING CONTROLS Available in Postfix version 2.0 and later: disable_mime_output_conversion (no) - Disable the conversion of 8BITMIME format to 7BIT + Disable the conversion of 8BITMIME format to 7BIT format. mime_boundary_length_limit (2048) 
@@ -272,91 +280,91 @@ SMTP(8) SMTP(8) Available in Postfix version 2.1 and later: smtp_send_xforward_command (no) - Send the non-standard XFORWARD command when the - Postfix SMTP server EHLO response announces XFOR- + Send the non-standard XFORWARD command when the + Postfix SMTP server EHLO response announces XFOR- WARD support. SASL AUTHENTICATION CONTROLS smtp_sasl_auth_enable (no) - Enable SASL authentication in the Postfix SMTP + Enable SASL authentication in the Postfix SMTP client. smtp_sasl_password_maps (empty) - Optional SMTP client lookup tables with one user- - name:password entry per remote hostname or domain, + Optional SMTP client lookup tables with one user- + name:password entry per remote hostname or domain, or sender address when sender-dependent authentica- tion is enabled. smtp_sasl_security_options (noplaintext, noanonymous) - Postfix SMTP client SASL security options; as of - Postfix 2.3 the list of available features depends - on the SASL client implementation that is selected + Postfix SMTP client SASL security options; as of + Postfix 2.3 the list of available features depends + on the SASL client implementation that is selected with smtp_sasl_type. Available in Postfix version 2.2 and later: smtp_sasl_mechanism_filter (empty) - If non-empty, a Postfix SMTP client filter for the - remote SMTP server's list of offered SASL mecha- + If non-empty, a Postfix SMTP client filter for the + remote SMTP server's list of offered SASL mecha- nisms. Available in Postfix version 2.3 and later: smtp_sender_dependent_authentication (no) Enable sender-dependent authentication in the Post- - fix SMTP client; this is available only with SASL - authentication, and disables SMTP connection - caching to ensure that mail from different senders + fix SMTP client; this is available only with SASL + authentication, and disables SMTP connection + caching to ensure that mail from different senders will use the appropriate credentials. 
smtp_sasl_path (empty) - Implementation-specific information that the Post- - fix SMTP client passes through to the SASL plug-in - implementation that is selected with + Implementation-specific information that the Post- + fix SMTP client passes through to the SASL plug-in + implementation that is selected with smtp_sasl_type. smtp_sasl_type (cyrus) - The SASL plug-in type that the Postfix SMTP client + The SASL plug-in type that the Postfix SMTP client should use for authentication. STARTTLS SUPPORT CONTROLS - Detailed information about STARTTLS configuration may be + Detailed information about STARTTLS configuration may be found in the TLS_README document. smtp_tls_security_level (empty) The default SMTP TLS security level for the Postfix - SMTP client; when a non-empty value is specified, - this overrides the obsolete parameters + SMTP client; when a non-empty value is specified, + this overrides the obsolete parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername. smtp_sasl_tls_security_options ($smtp_sasl_secu- rity_options) - The SASL authentication security options that the - Postfix SMTP client uses for TLS encrypted SMTP + The SASL authentication security options that the + Postfix SMTP client uses for TLS encrypted SMTP sessions. smtp_starttls_timeout (300s) - Time limit for Postfix SMTP client write and read - operations during TLS startup and shutdown hand- + Time limit for Postfix SMTP client write and read + operations during TLS startup and shutdown hand- shake procedures. smtp_tls_CAfile (empty) - The file with the certificate of the certification - authority (CA) that issued the Postfix SMTP client + The file with the certificate of the certification + authority (CA) that issued the Postfix SMTP client certificate. 
smtp_tls_CApath (empty) - Directory with PEM format certificate authority - certificates that the Postfix SMTP client uses to + Directory with PEM format certificate authority + certificates that the Postfix SMTP client uses to verify a remote SMTP server certificate. smtp_tls_cert_file (empty) - File with the Postfix SMTP client RSA certificate + File with the Postfix SMTP client RSA certificate in PEM format. smtp_tls_mandatory_ciphers (medium) - The minimum TLS cipher grade that the Postfix SMTP + The minimum TLS cipher grade that the Postfix SMTP client will use with mandatory TLS encryption. smtp_tls_exclude_ciphers (empty) 
@@ -365,43 +373,43 @@ SMTP(8) SMTP(8) levels. smtp_tls_mandatory_exclude_ciphers (empty) - Additional list of ciphers or cipher types to - exclude from the SMTP client cipher list at manda- + Additional list of ciphers or cipher types to + exclude from the SMTP client cipher list at manda- tory TLS security levels. smtp_tls_dcert_file (empty) - File with the Postfix SMTP client DSA certificate + File with the Postfix SMTP client DSA certificate in PEM format. smtp_tls_dkey_file ($smtp_tls_dcert_file) - File with the Postfix SMTP client DSA private key + File with the Postfix SMTP client DSA private key in PEM format. smtp_tls_key_file ($smtp_tls_cert_file) - File with the Postfix SMTP client RSA private key + File with the Postfix SMTP client RSA private key in PEM format. smtp_tls_loglevel (0) - Enable additional Postfix SMTP client logging of + Enable additional Postfix SMTP client logging of TLS activity. smtp_tls_note_starttls_offer (no) - Log the hostname of a remote SMTP server that - offers STARTTLS, when TLS is not already enabled + Log the hostname of a remote SMTP server that + offers STARTTLS, when TLS is not already enabled for that server. smtp_tls_policy_maps (empty) Optional lookup tables with the Postfix SMTP client TLS security policy by next-hop destination; when a - non-empty value is specified, this overrides the + non-empty value is specified, this overrides the obsolete smtp_tls_per_site parameter. smtp_tls_mandatory_protocols (SSLv3, TLSv1) - List of TLS protocols that the Postfix SMTP client + List of TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption. smtp_tls_scert_verifydepth (5) - The verification depth for remote SMTP server cer- + The verification depth for remote SMTP server cer- tificates. smtp_tls_secure_cert_match (nexthop, dot-nexthop) 
@@ -409,7 +417,7 @@ SMTP(8) SMTP(8) for the "secure" TLS security level. smtp_tls_session_cache_database (empty) - Name of the file containing the optional Postfix + Name of the file containing the optional Postfix SMTP client TLS session cache. smtp_tls_session_cache_timeout (3600s) @@ -421,9 +429,9 @@ SMTP(8) SMTP(8) for the "verify" TLS security level. tls_daemon_random_bytes (32) - The number of pseudo-random bytes that an smtp(8) - or smtpd(8) process requests from the tlsmgr(8) - server in order to seed its internal pseudo random + The number of pseudo-random bytes that an smtp(8) + or smtpd(8) process requests from the tlsmgr(8) + server in order to seed its internal pseudo random number generator (PRNG). tls_high_cipherlist @@ -435,7 +443,7 @@ SMTP(8) SMTP(8) ciphers. tls_low_cipherlist (ALL:!EXPORT:+RC4:@STRENGTH) - The OpenSSL cipherlist for "LOW" or higher grade + The OpenSSL cipherlist for "LOW" or higher grade ciphers. tls_export_cipherlist (ALL:+RC4:@STRENGTH) 
@@ -443,40 +451,40 @@ SMTP(8) SMTP(8) ciphers. tls_null_cipherlist (eNULL:!aNULL) - The OpenSSL cipherlist for "NULL" grade ciphers + The OpenSSL cipherlist for "NULL" grade ciphers that provide authentication without encryption. Available in Postfix version 2.4 and later: smtp_sasl_tls_verified_security_options ($smtp_sasl_tls_security_options) - The SASL authentication security options that the - Postfix SMTP client uses for TLS encrypted SMTP + The SASL authentication security options that the + Postfix SMTP client uses for TLS encrypted SMTP sessions with a verified server certificate. OBSOLETE STARTTLS CONTROLS - The following configuration parameters exist for compati- + The following configuration parameters exist for compati- bility with Postfix versions before 2.3. Support for these will be removed in a future release. smtp_use_tls (no) - Opportunistic mode: use TLS when a remote SMTP - server announces STARTTLS support, otherwise send + Opportunistic mode: use TLS when a remote SMTP + server announces STARTTLS support, otherwise send the mail in the clear. smtp_enforce_tls (no) - Enforcement mode: require that remote SMTP servers - use TLS encryption, and never send mail in the + Enforcement mode: require that remote SMTP servers + use TLS encryption, and never send mail in the clear. smtp_tls_enforce_peername (yes) - With mandatory TLS encryption, require that the + With mandatory TLS encryption, require that the remote SMTP server hostname matches the information in the remote SMTP server certificate. smtp_tls_per_site (empty) Optional lookup tables with the Postfix SMTP client - TLS usage policy by next-hop destination and by + TLS usage policy by next-hop destination and by remote SMTP server hostname. smtp_tls_cipherlist (empty) 
@@ -486,27 +494,27 @@ SMTP(8) SMTP(8) RESOURCE AND RATE CONTROLS smtp_destination_concurrency_limit ($default_destina- tion_concurrency_limit) - The maximal number of parallel deliveries to the - same destination via the smtp message delivery + The maximal number of parallel deliveries to the + same destination via the smtp message delivery transport. smtp_destination_recipient_limit ($default_destina- tion_recipient_limit) - The maximal number of recipients per delivery via + The maximal number of recipients per delivery via the smtp message delivery transport. smtp_connect_timeout (30s) - The SMTP client time limit for completing a TCP + The SMTP client time limit for completing a TCP connection, or zero (use the operating system built-in time limit). smtp_helo_timeout (300s) - The SMTP client time limit for sending the HELO or - EHLO command, and for receiving the initial server + The SMTP client time limit for sending the HELO or + EHLO command, and for receiving the initial server response. lmtp_lhlo_timeout (300s) - The LMTP client time limit for sending the LHLO + The LMTP client time limit for sending the LHLO command, and for receiving the initial server response. 
@@ -515,30 +523,30 @@ SMTP(8) SMTP(8) command, and for receiving the server response. smtp_mail_timeout (300s) - The SMTP client time limit for sending the MAIL - FROM command, and for receiving the server + The SMTP client time limit for sending the MAIL + FROM command, and for receiving the server response. smtp_rcpt_timeout (300s) - The SMTP client time limit for sending the SMTP - RCPT TO command, and for receiving the server + The SMTP client time limit for sending the SMTP + RCPT TO command, and for receiving the server response. smtp_data_init_timeout (120s) - The SMTP client time limit for sending the SMTP - DATA command, and for receiving the server + The SMTP client time limit for sending the SMTP + DATA command, and for receiving the server response. smtp_data_xfer_timeout (180s) - The SMTP client time limit for sending the SMTP + The SMTP client time limit for sending the SMTP message content. smtp_data_done_timeout (600s) - The SMTP client time limit for sending the SMTP + The SMTP client time limit for sending the SMTP ".", and for receiving the server response. smtp_quit_timeout (300s) - The SMTP client time limit for sending the QUIT + The SMTP client time limit for sending the QUIT command, and for receiving the server response. Available in Postfix version 2.1 and later: @@ -549,12 +557,12 @@ SMTP(8) SMTP(8) lookups, or zero (no limit). smtp_mx_session_limit (2) - The maximal number of SMTP sessions per delivery - request before giving up or delivering to a fall- + The maximal number of SMTP sessions per delivery + request before giving up or delivering to a fall- back relay host, or zero (no limit). smtp_rset_timeout (20s) - The SMTP client time limit for sending the RSET + The SMTP client time limit for sending the RSET command, and for receiving the server response. Available in Postfix version 2.2 and earlier: 
@@ -566,11 +574,11 @@ SMTP(8) SMTP(8) Available in Postfix version 2.2 and later: smtp_connection_cache_destinations (empty) - Permanently enable SMTP connection caching for the + Permanently enable SMTP connection caching for the specified destinations. smtp_connection_cache_on_demand (yes) - Temporarily enable SMTP connection caching while a + Temporarily enable SMTP connection caching while a destination has a high volume of mail in the active queue. 
@@ -580,62 +588,62 @@ SMTP(8) SMTP(8) smtp_connection_cache_time_limit (2s) When SMTP connection caching is enabled, the amount - of time that an unused SMTP client socket is kept + of time that an unused SMTP client socket is kept open before it is closed. Available in Postfix version 2.3 and later: connection_cache_protocol_timeout (5s) - Time limit for connection cache connect, send or + Time limit for connection cache connect, send or receive operations. TROUBLE SHOOTING CONTROLS debug_peer_level (2) - The increment in verbose logging level when a - remote client or server matches a pattern in the + The increment in verbose logging level when a + remote client or server matches a pattern in the debug_peer_list parameter. debug_peer_list (empty) - Optional list of remote client or server hostname - or network address patterns that cause the verbose - logging level to increase by the amount specified + Optional list of remote client or server hostname + or network address patterns that cause the verbose + logging level to increase by the amount specified in $debug_peer_level. error_notice_recipient (postmaster) - The recipient of postmaster notifications about - mail delivery problems that are caused by policy, + The recipient of postmaster notifications about + mail delivery problems that are caused by policy, resource, software or protocol errors. internal_mail_filter_classes (empty) - What categories of Postfix-generated mail are sub- - ject to before-queue content inspection by + What categories of Postfix-generated mail are sub- + ject to before-queue content inspection by non_smtpd_milters, header_checks and body_checks. notify_classes (resource, software) - The list of error classes that are reported to the + The list of error classes that are reported to the postmaster. 
MISCELLANEOUS CONTROLS best_mx_transport (empty) - Where the Postfix SMTP client should deliver mail + Where the Postfix SMTP client should deliver mail when it detects a "mail loops back to myself" error condition. config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and + The default location of the Postfix main.cf and master.cf configuration files. daemon_timeout (18000s) - How much time a Postfix daemon process may take to - handle a request before it is terminated by a + How much time a Postfix daemon process may take to + handle a request before it is terminated by a built-in watchdog timer. delay_logging_resolution_limit (2) - The maximal number of digits after the decimal + The maximal number of digits after the decimal point when logging sub-second delay values. disable_dns_lookups (no) - Disable DNS lookups in the Postfix SMTP and LMTP + Disable DNS lookups in the Postfix SMTP and LMTP clients. inet_interfaces (all) @@ -643,7 +651,7 @@ SMTP(8) SMTP(8) tem receives mail on. inet_protocols (ipv4) - The Internet protocols Postfix will attempt to use + The Internet protocols Postfix will attempt to use when making or accepting connections. ipc_timeout (3600s) 
@@ -651,75 +659,75 @@ SMTP(8) SMTP(8) over an internal communication channel. lmtp_tcp_port (24) - The default TCP port that the Postfix LMTP client + The default TCP port that the Postfix LMTP client connects to. max_idle (100s) - The maximum amount of time that an idle Postfix - daemon process waits for an incoming connection + The maximum amount of time that an idle Postfix + daemon process waits for an incoming connection before terminating voluntarily. max_use (100) - The maximal number of incoming connections that a - Postfix daemon process will service before termi- + The maximal number of incoming connections that a + Postfix daemon process will service before termi- nating voluntarily. process_id (read-only) - The process ID of a Postfix command or daemon + The process ID of a Postfix command or daemon process. process_name (read-only) - The process name of a Postfix command or daemon + The process name of a Postfix command or daemon process. proxy_interfaces (empty) The network interface addresses that this mail sys- - tem receives mail on by way of a proxy or network + tem receives mail on by way of a proxy or network address translation unit. smtp_bind_address (empty) - An optional numerical network address that the - Postfix SMTP client should bind to when making an + An optional numerical network address that the + Postfix SMTP client should bind to when making an IPv4 connection. smtp_bind_address6 (empty) - An optional numerical network address that the - Postfix SMTP client should bind to when making an + An optional numerical network address that the + Postfix SMTP client should bind to when making an IPv6 connection. smtp_helo_name ($myhostname) - The hostname to send in the SMTP EHLO or HELO com- + The hostname to send in the SMTP EHLO or HELO com- mand. lmtp_lhlo_name ($myhostname) The hostname to send in the LMTP LHLO command. 
smtp_host_lookup (dns) - What mechanisms when the Postfix SMTP client uses + What mechanisms when the Postfix SMTP client uses to look up a host's IP address. smtp_randomize_addresses (yes) - Randomize the order of equal-preference MX host + Randomize the order of equal-preference MX host addresses. syslog_facility (mail) The syslog facility of Postfix logging. syslog_name (postfix) - The mail system name that is prepended to the - process name in syslog records, so that "smtpd" + The mail system name that is prepended to the + process name in syslog records, so that "smtpd" becomes, for example, "postfix/smtpd". Available with Postfix 2.2 and earlier: fallback_relay (empty) - Optional list of relay hosts for SMTP destinations + Optional list of relay hosts for SMTP destinations that can't be found or that are unreachable. Available with Postfix 2.3 and later: smtp_fallback_relay ($fallback_relay) - Optional list of relay hosts for SMTP destinations + Optional list of relay hosts for SMTP destinations that can't be found or that are unreachable. SEE ALSO @@ -737,7 +745,7 @@ SMTP(8) SMTP(8) TLS_README, Postfix STARTTLS howto LICENSE - The Secure Mailer license must be distributed with this + The Secure Mailer license must be distributed with this software. AUTHOR(S) diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 205400b59..678792d71 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -34,7 +34,6 @@ A parameter value may refer to other parameters. .IP \(bu The expressions "$name", "${name}" or "$(name)" are recursively replaced by the value of the named parameter. -Specify "$$" to produce a single "$" character. .IP \(bu The expression "${name?value}" expands to "value" when "$name" is non-empty. This form is supported with Postfix 
@@ -43,6 +42,8 @@ version 2.2 and later. The expression "${name:value}" expands to "value" when "$name" is empty. This form is supported with Postfix version 2.2 and later. +.IP \(bu +Specify "$$" to produce a single "$" character. .RE .IP \(bu When the same parameter is defined multiple times, only the last @@ -3725,6 +3726,17 @@ next-hop host, recipient) triple. This feature is available in Postfix 2.0 and later. .SH sample_directory (default: /etc/postfix) The name of the directory with example Postfix configuration files. +.SH send_cyrus_sasl_authzid (default: no) +When authenticating to a SASL server, with the default setting +"no", send no authoriZation ID (authzid); send only the authentiCation +ID (authcid) plus the authcid's password. +.PP +The non-default setting "yes" enables the behavior of older +Postfix versions. These always send an authzid that is equal to +the authcid, but this causes inter-operability problems with some +SMTP servers. +.PP +This feature is available in Postfix 2.5 and later. .SH sender_based_routing (default: no) This parameter should not be used. It was replaced by sender_dependent_relayhost_maps in Postfix version 2.3. diff --git a/postfix/man/man8/smtp.8 b/postfix/man/man8/smtp.8 index aa5097e40..73932bae7 100644 --- a/postfix/man/man8/smtp.8 +++ b/postfix/man/man8/smtp.8 @@ -226,6 +226,12 @@ from a remote LMTP server. A case insensitive list of LHLO keywords (pipelining, starttls, auth, etc.) that the LMTP client will ignore in the LHLO response from a remote LMTP server. +.PP +Available in Postfix version 2.5 and later: +.IP "\fBsend_cyrus_sasl_authzid (no)\fR" +When authenticating to a SASL server, with the default setting +"no", send no authoriZation ID (authzid); send only the authentiCation +ID (authcid) plus the authcid's password. .SH "MIME PROCESSING CONTROLS" .na .nf diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink index 537258876..cb3c162f6 100755 --- a/postfix/mantools/postlink 
+++ b/postfix/mantools/postlink @@ -365,6 +365,7 @@ while (<>) { s;\bresolve_dequoted_address\b;$&;g; s;\brewrite_service_name\b;$&;g; s;\bsample_directory\b;$&;g; + s;\bsend_cyrus_sasl_authzid\b;$&;g; s;\bsender_based_routing\b;$&;g; s;\bsender_bcc_maps\b;$&;g; s;\bsender_canonical_classes\b;$&;g; diff --git a/postfix/proto/postconf.html.prolog b/postfix/proto/postconf.html.prolog index af8d7c187..3963e7e6d 100644 --- a/postfix/proto/postconf.html.prolog +++ b/postfix/proto/postconf.html.prolog @@ -43,8 +43,7 @@ that starts with whitespace continues a logical line.

    • The expressions "$name", "${name}" or "$(name)" are -recursively replaced by the value of the named parameter. -Specify "$$" to produce a single "$" character.

      +recursively replaced by the value of the named parameter.

    • The expression "${name?value}" expands to "value" when "$name" is non-empty. This form is supported with Postfix version @@ -54,6 +53,8 @@ Specify "$$" to produce a single "$" character.

      "$name" is empty. This form is supported with Postfix version 2.2 and later.

      +
    • Specify "$$" to produce a single "$" character.

      +
  • When the same parameter is defined multiple times, only diff --git a/postfix/proto/postconf.man.prolog b/postfix/proto/postconf.man.prolog index 9fcd55378..37afa4e88 100644 --- a/postfix/proto/postconf.man.prolog +++ b/postfix/proto/postconf.man.prolog @@ -34,7 +34,6 @@ A parameter value may refer to other parameters. .IP \(bu The expressions "$name", "${name}" or "$(name)" are recursively replaced by the value of the named parameter. -Specify "$$" to produce a single "$" character. .IP \(bu The expression "${name?value}" expands to "value" when "$name" is non-empty. This form is supported with Postfix @@ -43,6 +42,8 @@ version 2.2 and later. The expression "${name:value}" expands to "value" when "$name" is empty. This form is supported with Postfix version 2.2 and later. +.IP \(bu +Specify "$$" to produce a single "$" character. .RE .IP \(bu When the same parameter is defined multiple times, only the last diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 06481d697..5a72ba8ad 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -10603,3 +10603,16 @@ Content-Transfer-Encoding: message headers; historically, this behavior was hard-coded to be "always on".

    This feature is available in Postfix 2.5 and later.

    + +%PARAM send_cyrus_sasl_authzid no + +

    When authenticating to a SASL server, with the default setting +"no", send no authoriZation ID (authzid); send only the authentiCation +ID (authcid) plus the authcid's password.

    + +

    The non-default setting "yes" enables the behavior of older +Postfix versions. These always send an authzid that is equal to +the authcid, but this causes inter-operability problems with some +SMTP servers.

    + +

    This feature is available in Postfix 2.5 and later.

    diff --git a/postfix/src/global/mail_params.c b/postfix/src/global/mail_params.c index 0702e2db1..d12e4bd90 100644 --- a/postfix/src/global/mail_params.c +++ b/postfix/src/global/mail_params.c @@ -106,6 +106,7 @@ /* int var_oldlog_compat; /* int var_delay_max_res; /* char *var_int_filt_classes; +/* int var_cyrus_sasl_authzid; /* /* void mail_params_init() /* @@ -279,6 +280,7 @@ int var_verify_neg_cache; int var_oldlog_compat; int var_delay_max_res; char *var_int_filt_classes; +int var_cyrus_sasl_authzid; const char null_format_string[1] = ""; @@ -589,6 +591,7 @@ void mail_params_init() VAR_VERIFY_NEG_CACHE, DEF_VERIFY_NEG_CACHE, &var_verify_neg_cache, VAR_OLDLOG_COMPAT, DEF_OLDLOG_COMPAT, &var_oldlog_compat, VAR_HELPFUL_WARNINGS, DEF_HELPFUL_WARNINGS, &var_helpful_warnings, + VAR_CYRUS_SASL_AUTHZID, DEF_CYRUS_SASL_AUTHZID, &var_cyrus_sasl_authzid, 0, }; const char *cp; diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index fe236bf16..d7f9c0f56 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -1536,6 +1536,10 @@ extern char *var_lmtp_sasl_path; */ #define PERMIT_SASL_AUTH "permit_sasl_authenticated" +#define VAR_CYRUS_SASL_AUTHZID "send_cyrus_sasl_authzid" +#define DEF_CYRUS_SASL_AUTHZID 0 +extern int var_cyrus_sasl_authzid; + /* * LMTP client. Timeouts inspired by RFC 1123. The LMTP recipient limit * determines how many recipient addresses the LMTP client sends along with diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 001011532..9285ed049 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20070613" +#define MAIL_RELEASE_DATE "20070614" #define MAIL_VERSION_NUMBER "2.5" #ifdef SNAPSHOT 
diff --git a/postfix/src/milter/milter8.c b/postfix/src/milter/milter8.c index 1f0bce36a..a3b2e364e 100644 --- a/postfix/src/milter/milter8.c +++ b/postfix/src/milter/milter8.c @@ -475,22 +475,24 @@ static int milter8_comm_error(MILTER8 *milter) return (milter->state = MILTER8_STAT_ERROR); } -/* milter8_edit_error - local message/envelope edit error */ +/* milter8_edit_error - local queue file update error */ static void milter8_edit_error(MILTER8 *milter, const char *reply) { /* - * Close the socket so that we don't receive later Milter replies while - * we're handling the next email message. Set the Milter handle state to - * ERROR, i.e. don't report further MTA events via this handle. We don't - * want surprises when this code gets reused for a protocol that allows - * envelope or header updates before the end-of-body MTA event. + * Close the socket, so we don't have to skip pending replies from this + * Milter instance. */ if (milter->fp != 0) { (void) vstream_fclose(milter->fp); milter->fp = 0; } + + /* + * Set the socket state to ERROR, so we don't try to send further MTA + * events to this Milter instance. + */ milter8_def_reply(milter, reply); milter->state = MILTER8_STAT_ERROR; } diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c index 120dd62e2..6b6d6791c 100644 --- a/postfix/src/smtp/smtp.c +++ b/postfix/src/smtp/smtp.c @@ -204,6 +204,12 @@ /* A case insensitive list of LHLO keywords (pipelining, starttls, /* auth, etc.) that the LMTP client will ignore in the LHLO response /* from a remote LMTP server. +/* .PP +/* Available in Postfix version 2.5 and later: +/* .IP "\fBsend_cyrus_sasl_authzid (no)\fR" +/* When authenticating to a SASL server, with the default setting +/* "no", send no authoriZation ID (authzid); send only the authentiCation +/* ID (authcid) plus the authcid's password. /* MIME PROCESSING CONTROLS /* .ad /* .fi 
diff --git a/postfix/src/xsasl/xsasl_cyrus_client.c b/postfix/src/xsasl/xsasl_cyrus_client.c index 536de2739..e49728d24 100644 --- a/postfix/src/xsasl/xsasl_cyrus_client.c +++ b/postfix/src/xsasl/xsasl_cyrus_client.c @@ -348,7 +348,8 @@ XSASL_CLIENT *xsasl_cyrus_client_create(XSASL_CLIENT_IMPL *unused_impl, if ((sasl_status = SASL_CLIENT_NEW(service, server, NULL_CLIENT_ADDR, NULL_SERVER_ADDR, - custom_callbacks, NULL_SECFLAGS, + var_cyrus_sasl_authzid ? custom_callbacks : + custom_callbacks + 1, NULL_SECFLAGS, &sasl_conn)) != SASL_OK) { msg_warn("per-session SASL client initialization: %s", xsasl_cyrus_strerror(sasl_status));
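Review bot: in the xsasl_cyrus_client.c hunk, the new argument "var_cyrus_sasl_authzid ? custom_callbacks : custom_callbacks + 1" suppresses the authzid by skipping the first array element, which is only correct while the authzid callback is element 0 of custom_callbacks, and nothing in the hunk says so. If that array is later reordered or gets a new first entry, the default setting would silently drop a different callback and the authzid would be sent again. Suggest a comment at this call site and at the array definition stating the ordering requirement, or building the callback list conditionally so the dependency is explicit.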
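Review bot: in the postconf.proto hunk (and the generated postconf.5 text), the send_cyrus_sasl_authzid description says what the client stops sending but not what the server then authorizes as. The HISTORY entry in this same patch states that the server shall derive the authzid from the authcid and that this was only lightly tested with Cyrus SASL servers; that sentence belongs in the parameter documentation too, so that an administrator whose server makes authorization decisions on the authzid knows what changes under the new default "no". The phrase "some SMTP servers" could also be widened, since the same parameter is listed in the lmtp.8.html hunk.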
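Review bot: in the mail_params.h hunk, the three added lines have no comment block, unlike the "LMTP client" block that follows them, and they sit directly under the PERMIT_SASL_AUTH define although the parameter controls the Cyrus SASL client. The macro and variable names also drop the "send" of "send_cyrus_sasl_authzid", so var_cyrus_sasl_authzid reads as if it held an authzid string rather than a yes/no flag. Suggest a short comment naming xsasl/xsasl_cyrus_client.c as the consumer, and names that keep the verb, for example VAR_SEND_CYRUS_SASL_AUTHZID.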
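Review bot: in the milter8.c hunk, the new second comment in milter8_edit_error() says "Set the socket state to ERROR", but the statement it describes is "milter->state = MILTER8_STAT_ERROR", and the socket has already been closed and milter->fp zeroed just above. Suggest "Set the Milter handle state to ERROR", which is the wording the removed comment used. In the smtp.c hunk further down the same file list, the new send_cyrus_sasl_authzid entry lands after the LHLO keyword text and directly before MIME PROCESSING CONTROLS; it would be easier to find next to the other SASL client parameters such as smtp_sasl_tls_verified_security_options.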