From: Wietse Venema Date: Sat, 26 Jul 2008 05:00:00 +0000 (-0500) Subject: postfix-2.6-20080726 X-Git-Tag: v2.6.0-RC1~24 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7e3ab0029371e43bf549cb7d19bb3d0f83f1c5e5;p=thirdparty%2Fpostfix.git postfix-2.6-20080726 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index efee69ba5..310cc6ad0 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -14526,3 +14526,26 @@ Apologies for any names omitted. The description of SASL authentication attributes was garbled. File: pipe/pipe.c. + + Information: the master(8) server now logs the version + besides the configuration directory upon "postfix reload". + File: master/master.c. + +20080717 + + Cleanup: a poorly-implemented integer overflow check for + TCP MSS calculation had the unexpected effect that people + broke Postfix on LP64 systems while attempting to silence + a compiler warning. File: util/vstream_tweak.c. + +20080721 + + The cleanup server now rejects undisclosed_recipients_header + parameter values with invalid message header syntax. + File: cleanup/cleanup_message.c. + +20080725 + + Paranoia: defer delivery when a mailbox file is not owned + by the recipient. Sebastian Krahmer, SuSE. Files: + local/mailbox.c, virtual/mailbox.c. diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index 7eef66413..abe791e03 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES @@ -11,12 +11,6 @@ instead, a new snapshot is released. The mail_release_date configuration parameter (format: yyyymmdd) specifies the release date of a stable release or snapshot release. -Incompatibility with Postfix 2.4 and earlier -============================================ - -If you upgrade from Postfix 2.4 or earlier, read RELEASE_NOTES-2.5 -before proceeding. - Incompatibility with snapshot 20080629 ====================================== 
@@ -25,6 +19,14 @@ longer ignores the "smtpd_tls_auth_only = yes" parameter setting. Earlier Postfix SMTP server versions would announce SASL support, and would accept SASL login or sender information. +Incompatibility with snapshot 20080726 +====================================== + +When a mailbox file is not owned by its recipient, the local and +virtual delivery agents now log a warning and defer delivery. +Specify "strict_mailbox_ownership = no" to ignore such ownership +discrepancies. + Major changes with snapshot 20080629 ==================================== @@ -72,3 +74,9 @@ files with versions from an older release, and end up with a broken configuration that cannot repair itself. For this reason, postfix-script, postfix-files and post-install are moved away from /etc/postfix to $daemon_directory. + +Incompatible changes with Postfix 2.5.0 +======================================= + +If you upgrade from Postfix 2.4 or earlier, read RELEASE_NOTES-2.5 +before proceeding. diff --git a/postfix/WISHLIST b/postfix/WISHLIST index 0fd125a10..3a5e6acc5 100644 --- a/postfix/WISHLIST +++ b/postfix/WISHLIST @@ -1,5 +1,13 @@ Wish list: + Force a panic when the VDA patch reduces the file size limit + under the message size. They break the code that marks a + recipient as "done", when that recipient was added late + (e.g., "sendmail -t" or Milter SMFIR_ADDRCPT). + + Set a flag when a remote SMTP client speaks before the + Postfix SMTP server sends the 220 greeting. + Encapsulate time_t comparisons so that they can be made system dependent (use difftime() where available). diff --git a/postfix/html/local.8.html b/postfix/html/local.8.html index 6a5ff6c17..e43fdb985 100644 --- a/postfix/html/local.8.html +++ b/postfix/html/local.8.html 
@@ -398,60 +398,66 @@ LOCAL(8) LOCAL(8) attempt; do not update the Delivered-To: address while expanding aliases or .forward files. + Available in Postfix version 2.5.3 and later: + + strict_mailbox_ownership (yes) + Defer delivery when a mailbox file is not owned by + its recipient. + DELIVERY METHOD CONTROLS - The precedence of local(8) delivery methods from high to - low is: aliases, .forward files, mailbox_transport_maps, - mailbox_transport, mailbox_command_maps, mailbox_command, - home_mailbox, mail_spool_directory, fallback_trans- + The precedence of local(8) delivery methods from high to + low is: aliases, .forward files, mailbox_transport_maps, + mailbox_transport, mailbox_command_maps, mailbox_command, + home_mailbox, mail_spool_directory, fallback_trans- port_maps, fallback_transport, and luser_relay. alias_maps (see 'postconf -d' output) - The alias databases that are used for local(8) + The alias databases that are used for local(8) delivery. forward_path (see 'postconf -d' output) The local(8) delivery agent search list for finding - a .forward file with user-specified delivery meth- + a .forward file with user-specified delivery meth- ods. mailbox_transport_maps (empty) - Optional lookup tables with per-recipient message - delivery transports to use for local(8) mailbox - delivery, whether or not the recipients are found + Optional lookup tables with per-recipient message + delivery transports to use for local(8) mailbox + delivery, whether or not the recipients are found in the UNIX passwd database. mailbox_transport (empty) - Optional message delivery transport that the - local(8) delivery agent should use for mailbox - delivery to all local recipients, whether or not + Optional message delivery transport that the + local(8) delivery agent should use for mailbox + delivery to all local recipients, whether or not they are found in the UNIX passwd database. 
mailbox_command_maps (empty) - Optional lookup tables with per-recipient external + Optional lookup tables with per-recipient external commands to use for local(8) mailbox delivery. mailbox_command (empty) - Optional external command that the local(8) deliv- + Optional external command that the local(8) deliv- ery agent should use for mailbox delivery. home_mailbox (empty) - Optional pathname of a mailbox file relative to a + Optional pathname of a mailbox file relative to a local(8) user's home directory. mail_spool_directory (see 'postconf -d' output) - The directory where local(8) UNIX-style mailboxes + The directory where local(8) UNIX-style mailboxes are kept. fallback_transport_maps (empty) - Optional lookup tables with per-recipient message - delivery transports for recipients that the - local(8) delivery agent could not find in the + Optional lookup tables with per-recipient message + delivery transports for recipients that the + local(8) delivery agent could not find in the aliases(5) or UNIX password database. fallback_transport (empty) - Optional message delivery transport that the - local(8) delivery agent should use for names that - are not found in the aliases(5) or UNIX password + Optional message delivery transport that the + local(8) delivery agent should use for names that + are not found in the aliases(5) or UNIX password database. luser_relay (empty) @@ -461,7 +467,7 @@ LOCAL(8) LOCAL(8) Available in Postfix version 2.2 and later: command_execution_directory (empty) - The local(8) delivery agent working directory for + The local(8) delivery agent working directory for delivery to external command. MAILBOX LOCKING CONTROLS 
@@ -470,15 +476,15 @@ LOCAL(8) LOCAL(8) sive lock on a mailbox file or bounce(8) logfile. deliver_lock_delay (1s) - The time between attempts to acquire an exclusive + The time between attempts to acquire an exclusive lock on a mailbox file or bounce(8) logfile. stale_lock_time (500s) - The time after which a stale exclusive mailbox + The time after which a stale exclusive mailbox lockfile is removed. mailbox_delivery_lock (see 'postconf -d' output) - How to lock a UNIX-style local(8) mailbox before + How to lock a UNIX-style local(8) mailbox before attempting delivery. RESOURCE AND RATE CONTROLS @@ -486,17 +492,17 @@ LOCAL(8) LOCAL(8) Time limit for delivery to external commands. duplicate_filter_limit (1000) - The maximal number of addresses remembered by the - address duplicate filter for aliases(5) or vir- + The maximal number of addresses remembered by the + address duplicate filter for aliases(5) or vir- tual(5) alias expansion, or for showq(8) queue dis- plays. local_destination_concurrency_limit (2) - The maximal number of parallel deliveries via the + The maximal number of parallel deliveries via the local mail delivery transport to the same recipient - (when "local_destination_recipient_limit = 1") or - the maximal number of parallel deliveries to the - same local domain (when "local_destination_recipi- + (when "local_destination_recipient_limit = 1") or + the maximal number of parallel deliveries to the + same local domain (when "local_destination_recipi- ent_limit > 1"). local_destination_recipient_limit (1) 
@@ -509,33 +515,39 @@ LOCAL(8) LOCAL(8) SECURITY CONTROLS allow_mail_to_commands (alias, forward) - Restrict local(8) mail delivery to external com- + Restrict local(8) mail delivery to external com- mands. allow_mail_to_files (alias, forward) - Restrict local(8) mail delivery to external files. + Restrict local(8) mail delivery to external files. command_expansion_filter (see 'postconf -d' output) - Restrict the characters that the local(8) delivery - agent allows in $name expansions of $mailbox_com- - mand. + Restrict the characters that the local(8) delivery + agent allows in $name expansions of $mailbox_com- + mand and $command_execution_directory. default_privs (nobody) - The default rights used by the local(8) delivery + The default rights used by the local(8) delivery agent for delivery to external file or command. forward_expansion_filter (see 'postconf -d' output) - Restrict the characters that the local(8) delivery - agent allows in $name expansions of $forward_path. + Restrict the characters that the local(8) delivery + agent allows in $name expansions of $forward_path. Available in Postfix version 2.2 and later: execution_directory_expansion_filter (see 'postconf -d' output) - Restrict the characters that the local(8) delivery + Restrict the characters that the local(8) delivery agent allows in $name expansions of $command_execu- tion_directory. + Available in Postfix version 2.5.3 and later: + + strict_mailbox_ownership (yes) + Defer delivery when a mailbox file is not owned by + its recipient. + MISCELLANEOUS CONTROLS config_directory (see 'postconf -d' output) The default location of the Postfix main.cf and diff --git a/postfix/html/mysql_table.5.html b/postfix/html/mysql_table.5.html index a527881f9..29a765f35 100644 --- a/postfix/html/mysql_table.5.html +++ b/postfix/html/mysql_table.5.html 
@@ -45,7 +45,7 @@ MYSQL_TABLE(5) MYSQL_TABLE(5) version. Postfix 2.2 has enhanced query interfaces for MySQL and - PostgreSQL, these include features previously available + PostgreSQL; these include features previously available only in the Postfix LDAP client. In the new interface the SQL query is specified via a single query parameter (described in more detail below). When the new query diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index e1bff9fc4..e85826248 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -1143,15 +1143,27 @@ This feature is available in Postfix 2.0 and later. (default: 50000)

The maximal amount of original message text that is sent in a -non-delivery notification. Specify a byte count. If you increase -this limit, then you should increase the mime_nesting_limit value -proportionally.

+non-delivery notification. Specify a byte count. With Postfix 2.4 +and later, a message is returned as either message/rfc822 (the +complete original) or as text/rfc822-headers (the headers only). +With earlier Postfix versions, a message is always returned as +message/rfc822 and is truncated when it exceeds the size limit. +

+ +

Notes:

+ + +
@@ -6194,9 +6206,9 @@ key to the lookup result.

-For example, with a virtual(5) mapping of "joe@domain -> -joe.user", the address "joe+foo@domain" would rewrite -to "joe.user+foo". +For example, with a virtual(5) mapping of "joe@example.com => +joe.user@example.net", the address "joe+foo@example.com" +would rewrite to "joe.user+foo@example.net".

@@ -12517,6 +12529,17 @@ This feature is available in Postfix 2.0 and later.

+ + +
strict_mailbox_ownership +(default: yes)
+ +

Defer delivery when a mailbox file is not owned by its recipient. +The default setting is not backwards compatible.

+ +

This feature is available in Postfix 2.5.3 and later.

+ +
strict_mime_encoding_domain @@ -13070,7 +13093,8 @@ The default time unit is s (seconds).

Message header that the Postfix cleanup(8) server inserts when a -message contains no To: or Cc: message header.

+message contains no To: or Cc: message header. With Postfix 2.4 +and later, specify an empty value to disable this feature.

diff --git a/postfix/html/virtual.8.html b/postfix/html/virtual.8.html index 7d1e21bdb..e067406b0 100644 --- a/postfix/html/virtual.8.html +++ b/postfix/html/virtual.8.html @@ -200,9 +200,15 @@ VIRTUAL(8) VIRTUAL(8) destination for final delivery to domains listed with $virtual_mailbox_domains. + Available in Postfix version 2.5.3 and later: + + strict_mailbox_ownership (yes) + Defer delivery when a mailbox file is not owned by + its recipient. + LOCKING CONTROLS virtual_mailbox_lock (see 'postconf -d' output) - How to lock a UNIX-style virtual(8) mailbox before + How to lock a UNIX-style virtual(8) mailbox before attempting delivery. deliver_lock_attempts (20) 
@@ -210,41 +216,41 @@ VIRTUAL(8) VIRTUAL(8) sive lock on a mailbox file or bounce(8) logfile. deliver_lock_delay (1s) - The time between attempts to acquire an exclusive + The time between attempts to acquire an exclusive lock on a mailbox file or bounce(8) logfile. stale_lock_time (500s) - The time after which a stale exclusive mailbox + The time after which a stale exclusive mailbox lockfile is removed. RESOURCE AND RATE CONTROLS virtual_destination_concurrency_limit ($default_destina- tion_concurrency_limit) - The maximal number of parallel deliveries to the - same destination via the virtual message delivery + The maximal number of parallel deliveries to the + same destination via the virtual message delivery transport. virtual_destination_recipient_limit ($default_destina- tion_recipient_limit) - The maximal number of recipients per delivery via + The maximal number of recipients per message for the virtual message delivery transport. virtual_mailbox_limit (51200000) - The maximal size in bytes of an individual mailbox + The maximal size in bytes of an individual mailbox or maildir file, or zero (no limit). MISCELLANEOUS CONTROLS config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and + The default location of the Postfix main.cf and master.cf configuration files. daemon_timeout (18000s) - How much time a Postfix daemon process may take to - handle a request before it is terminated by a + How much time a Postfix daemon process may take to + handle a request before it is terminated by a built-in watchdog timer. delay_logging_resolution_limit (2) - The maximal number of digits after the decimal + The maximal number of digits after the decimal point when logging sub-second delay values. ipc_timeout (3600s) 
@@ -252,33 +258,33 @@ VIRTUAL(8) VIRTUAL(8) over an internal communication channel. max_idle (100s) - The maximum amount of time that an idle Postfix - daemon process waits for an incoming connection + The maximum amount of time that an idle Postfix + daemon process waits for an incoming connection before terminating voluntarily. max_use (100) - The maximal number of incoming connections that a - Postfix daemon process will service before termi- + The maximal number of incoming connections that a + Postfix daemon process will service before termi- nating voluntarily. process_id (read-only) - The process ID of a Postfix command or daemon + The process ID of a Postfix command or daemon process. process_name (read-only) - The process name of a Postfix command or daemon + The process name of a Postfix command or daemon process. queue_directory (see 'postconf -d' output) - The location of the Postfix top-level queue direc- + The location of the Postfix top-level queue direc- tory. syslog_facility (mail) The syslog facility of Postfix logging. syslog_name (postfix) - The mail system name that is prepended to the - process name in syslog records, so that "smtpd" + The mail system name that is prepended to the + process name in syslog records, so that "smtpd" becomes, for example, "postfix/smtpd". SEE ALSO 
@@ -291,20 +297,20 @@ VIRTUAL(8) VIRTUAL(8) VIRTUAL_README, domain hosting howto LICENSE - The Secure Mailer license must be distributed with this + The Secure Mailer license must be distributed with this software. HISTORY - This delivery agent was originally based on the Postfix - local delivery agent. Modifications mainly consisted of - removing code that either was not applicable or that was - not safe in this context: aliases, ~user/.forward files, + This delivery agent was originally based on the Postfix + local delivery agent. Modifications mainly consisted of + removing code that either was not applicable or that was + not safe in this context: aliases, ~user/.forward files, delivery to "|command" or to /file/name. The Delivered-To: message header appears in the qmail sys- tem by Daniel Bernstein. - The maildir structure appears in the qmail system by + The maildir structure appears in the qmail system by Daniel Bernstein. AUTHOR(S) diff --git a/postfix/man/man5/mysql_table.5 b/postfix/man/man5/mysql_table.5 index bde924aff..1a4b97d3f 100644 --- a/postfix/man/man5/mysql_table.5 +++ b/postfix/man/man5/mysql_table.5 @@ -46,7 +46,7 @@ Note: with this form, the passwords for the MySQL sources are written in main.cf, which is normally world-readable. Support for this form will be removed in a future Postfix version. -Postfix 2.2 has enhanced query interfaces for MySQL and PostgreSQL, +Postfix 2.2 has enhanced query interfaces for MySQL and PostgreSQL; these include features previously available only in the Postfix LDAP client. In the new interface the SQL query is specified via a single \fBquery\fR parameter (described in more detail below). diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 96257fdf5..f12518ad9 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 
@@ -634,11 +634,18 @@ of failed delivery attempts and generates non-delivery notifications. This feature is available in Postfix 2.0 and later. .SH bounce_size_limit (default: 50000) The maximal amount of original message text that is sent in a -non-delivery notification. Specify a byte count. If you increase -this limit, then you should increase the mime_nesting_limit value -proportionally. +non-delivery notification. Specify a byte count. With Postfix 2.4 +and later, a message is returned as either message/rfc822 (the +complete original) or as text/rfc822-headers (the headers only). +With earlier Postfix versions, a message is always returned as +message/rfc822 and is truncated when it exceeds the size limit. .PP -Note: be careful when making changes. Excessively large values +Notes: +.IP \(bu +If you increase this limit, then you should increase the +mime_nesting_limit value proportionally. +.IP \(bu +Be careful when making changes. Excessively large values will result in the loss of non-delivery notifications, when a bounce message size exceeds a local or remote MTA's message size limit. .SH bounce_template_file (default: empty) @@ -3440,9 +3447,9 @@ The process name of a Postfix command or daemon process. What address lookup tables copy an address extension from the lookup key to the lookup result. .PP -For example, with a \fBvirtual\fR(5) mapping of "\fIjoe@domain -> -joe.user\fR", the address "\fIjoe+foo@domain\fR" would rewrite -to "\fIjoe.user+foo\fR". +For example, with a \fBvirtual\fR(5) mapping of "\fIjoe@example.com => +joe.user@example.net\fR", the address "\fIjoe+foo@example.com\fR" +would rewrite to "\fIjoe.user+foo@example.net\fR". .PP Specify zero or more of \fBcanonical\fR, \fBvirtual\fR, \fBalias\fR, \fBforward\fR, \fBinclude\fR or \fBgeneric\fR. These cause 
@@ -7789,6 +7796,11 @@ This feature should not be enabled on a general purpose mail server, because it is likely to reject legitimate email. .PP This feature is available in Postfix 2.0 and later. +.SH strict_mailbox_ownership (default: yes) +Defer delivery when a mailbox file is not owned by its recipient. +The default setting is not backwards compatible. +.PP +This feature is available in Postfix 2.5.3 and later. .SH strict_mime_encoding_domain (default: no) Reject mail with invalid Content-Transfer-Encoding: information for the message/* or multipart/* MIME content types. This blocks @@ -8078,7 +8090,8 @@ Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds). .SH undisclosed_recipients_header (default: To: undisclosed-recipients:;) Message header that the Postfix \fBcleanup\fR(8) server inserts when a -message contains no To: or Cc: message header. +message contains no To: or Cc: message header. With Postfix 2.4 +and later, specify an empty value to disable this feature. .SH unknown_address_reject_code (default: 450) The numerical Postfix SMTP server response code when a sender or recipient address is rejected by the reject_unknown_sender_domain diff --git a/postfix/man/man8/local.8 b/postfix/man/man8/local.8 index 2699ba6ee..d7658f33e 100644 --- a/postfix/man/man8/local.8 +++ b/postfix/man/man8/local.8 @@ -415,6 +415,10 @@ Update the \fBlocal\fR(8) delivery agent's idea of the Delivered-To: address (see prepend_delivered_header) only once, at the start of a delivery attempt; do not update the Delivered-To: address while expanding aliases or .forward files. +.PP +Available in Postfix version 2.5.3 and later: +.IP "\fBstrict_mailbox_ownership (yes)\fR" +Defer delivery when a mailbox file is not owned by its recipient. .SH "DELIVERY METHOD CONTROLS" .na .nf 
@@ -513,7 +517,7 @@ Restrict \fBlocal\fR(8) mail delivery to external commands. Restrict \fBlocal\fR(8) mail delivery to external files. .IP "\fBcommand_expansion_filter (see 'postconf -d' output)\fR" Restrict the characters that the \fBlocal\fR(8) delivery agent allows in -$name expansions of $mailbox_command. +$name expansions of $mailbox_command and $command_execution_directory. .IP "\fBdefault_privs (nobody)\fR" The default rights used by the \fBlocal\fR(8) delivery agent for delivery to external file or command. @@ -525,6 +529,10 @@ Available in Postfix version 2.2 and later: .IP "\fBexecution_directory_expansion_filter (see 'postconf -d' output)\fR" Restrict the characters that the \fBlocal\fR(8) delivery agent allows in $name expansions of $command_execution_directory. +.PP +Available in Postfix version 2.5.3 and later: +.IP "\fBstrict_mailbox_ownership (yes)\fR" +Defer delivery when a mailbox file is not owned by its recipient. .SH "MISCELLANEOUS CONTROLS" .na .nf diff --git a/postfix/man/man8/virtual.8 b/postfix/man/man8/virtual.8 index b45ac26d9..28222ac59 100644 --- a/postfix/man/man8/virtual.8 +++ b/postfix/man/man8/virtual.8 @@ -213,6 +213,10 @@ mail is delivered via the $virtual_transport mail delivery transport. .IP "\fBvirtual_transport (virtual)\fR" The default mail delivery transport and next-hop destination for final delivery to domains listed with $virtual_mailbox_domains. +.PP +Available in Postfix version 2.5.3 and later: +.IP "\fBstrict_mailbox_ownership (yes)\fR" +Defer delivery when a mailbox file is not owned by its recipient. .SH "LOCKING CONTROLS" .na .nf 
@@ -238,7 +242,7 @@ The time after which a stale exclusive mailbox lockfile is removed. The maximal number of parallel deliveries to the same destination via the virtual message delivery transport. .IP "\fBvirtual_destination_recipient_limit ($default_destination_recipient_limit)\fR" -The maximal number of recipients per delivery via the virtual +The maximal number of recipients per message for the virtual message delivery transport. .IP "\fBvirtual_mailbox_limit (51200000)\fR" The maximal size in bytes of an individual mailbox or maildir file, diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink index cc498cb5a..e968b8662 100755 --- a/postfix/mantools/postlink +++ b/postfix/mantools/postlink @@ -517,6 +517,7 @@ while (<>) { s;\bstrict_8bitmime\b;$&;g; s;\bstrict_8bitmime_body\b;$&;g; s;\bstrict_mime_encoding_domain\b;$&;g; + s;\bstrict_mailbox_ownership\b;$&;g; s;\bstrict_rfc821_envelopes\b;$&;g; s;\bsun_mailtool_compatibility\b;$&;g; s;\bswap_bangpath\b;$&;g; diff --git a/postfix/proto/mysql_table b/postfix/proto/mysql_table index ed03c9324..0d7fe9cfb 100644 --- a/postfix/proto/mysql_table +++ b/postfix/proto/mysql_table @@ -38,7 +38,7 @@ # written in main.cf, which is normally world-readable. Support # for this form will be removed in a future Postfix version. # -# Postfix 2.2 has enhanced query interfaces for MySQL and PostgreSQL, +# Postfix 2.2 has enhanced query interfaces for MySQL and PostgreSQL; # these include features previously available only in the Postfix # LDAP client. In the new interface the SQL query is specified via # a single \fBquery\fR parameter (described in more detail below). diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index b5495abce..6db1f32f4 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -709,15 +709,27 @@ This feature is available in Postfix 2.1 and later. %PARAM bounce_size_limit 50000

The maximal amount of original message text that is sent in a -non-delivery notification. Specify a byte count. If you increase -this limit, then you should increase the mime_nesting_limit value -proportionally.

+non-delivery notification. Specify a byte count. With Postfix 2.4 +and later, a message is returned as either message/rfc822 (the +complete original) or as text/rfc822-headers (the headers only). +With earlier Postfix versions, a message is always returned as +message/rfc822 and is truncated when it exceeds the size limit. +

+ +

Notes:

+ +
    + +
  • If you increase this limit, then you should increase the +mime_nesting_limit value proportionally.

    -

    Note: be careful when making changes. Excessively large values +

  • Be careful when making changes. Excessively large values will result in the loss of non-delivery notifications, when a bounce message size exceeds a local or remote MTA's message size limit.

    +
+ %PARAM canonical_maps

@@ -3022,9 +3034,9 @@ key to the lookup result.

-For example, with a virtual(5) mapping of "joe@domain -> -joe.user", the address "joe+foo@domain" would rewrite -to "joe.user+foo". +For example, with a virtual(5) mapping of "joe@example.com => +joe.user@example.net", the address "joe+foo@example.com" +would rewrite to "joe.user+foo@example.net".

@@ -7863,7 +7875,8 @@ This feature is available in Postfix 2.1 and later.

Message header that the Postfix cleanup(8) server inserts when a -message contains no To: or Cc: message header.

+message contains no To: or Cc: message header. With Postfix 2.4 +and later, specify an empty value to disable this feature.

%PARAM unknown_relay_recipient_reject_code 550 @@ -11595,4 +11608,9 @@ details.

This feature is available in Postfix 2.6 and later.

+%PARAM strict_mailbox_ownership yes +

Defer delivery when a mailbox file is not owned by its recipient. +The default setting is not backwards compatible.

+ +

This feature is available in Postfix 2.5.3 and later.

diff --git a/postfix/src/cleanup/cleanup_message.c b/postfix/src/cleanup/cleanup_message.c index 3abb2519a..5e17f3107 100644 --- a/postfix/src/cleanup/cleanup_message.c +++ b/postfix/src/cleanup/cleanup_message.c @@ -695,8 +695,15 @@ static void cleanup_header_done_callback(void *context) #define VISIBLE_RCPT ((1 << HDR_TO) | (1 << HDR_RESENT_TO) \ | (1 << HDR_CC) | (1 << HDR_RESENT_CC)) - if ((state->headers_seen & VISIBLE_RCPT) == 0 && *var_rcpt_witheld) - cleanup_out_format(state, REC_TYPE_NORM, "%s", var_rcpt_witheld); + if ((state->headers_seen & VISIBLE_RCPT) == 0 && *var_rcpt_witheld) { + if (!is_header(var_rcpt_witheld)) { + msg_warn("bad %s header text \"%s\" -- " + "need \"headername: headervalue\"", + VAR_RCPT_WITHELD, var_rcpt_witheld); + } else { + cleanup_out_format(state, REC_TYPE_NORM, "%s", var_rcpt_witheld); + } + } /* * Place a dummy PTR record right after the last header so that we can diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index 86b9a13d5..54a330baf 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -2949,6 +2949,13 @@ extern int var_dest_rate_delay; #define DEF_STRESS "" extern char *var_stress; + /* + * Mailbox ownership. + */ +#define VAR_STRICT_MBOX_OWNER "strict_mailbox_ownership" +#define DEF_STRICT_MBOX_OWNER 1 +extern bool var_strict_mbox_owner; + /* LICENSE /* .ad /* .fi diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 3ba2e2e8e..861981974 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20080629" +#define MAIL_RELEASE_DATE "20080726" #define MAIL_VERSION_NUMBER "2.6" #ifdef SNAPSHOT diff --git a/postfix/src/local/local.c b/postfix/src/local/local.c index 6300111af..33af0ad76 100644 
--- a/postfix/src/local/local.c +++ b/postfix/src/local/local.c @@ -381,6 +381,10 @@ /* address (see prepend_delivered_header) only once, at the start of /* a delivery attempt; do not update the Delivered-To: address while /* expanding aliases or .forward files. +/* .PP +/* Available in Postfix version 2.5.3 and later: +/* .IP "\fBstrict_mailbox_ownership (yes)\fR" +/* Defer delivery when a mailbox file is not owned by its recipient. /* DELIVERY METHOD CONTROLS /* .ad /* .fi @@ -471,7 +475,7 @@ /* Restrict \fBlocal\fR(8) mail delivery to external files. /* .IP "\fBcommand_expansion_filter (see 'postconf -d' output)\fR" /* Restrict the characters that the \fBlocal\fR(8) delivery agent allows in -/* $name expansions of $mailbox_command. +/* $name expansions of $mailbox_command and $command_execution_directory. /* .IP "\fBdefault_privs (nobody)\fR" /* The default rights used by the \fBlocal\fR(8) delivery agent for delivery /* to external file or command. @@ -483,6 +487,10 @@ /* .IP "\fBexecution_directory_expansion_filter (see 'postconf -d' output)\fR" /* Restrict the characters that the \fBlocal\fR(8) delivery agent allows /* in $name expansions of $command_execution_directory. +/* .PP +/* Available in Postfix version 2.5.3 and later: +/* .IP "\fBstrict_mailbox_ownership (yes)\fR" +/* Defer delivery when a mailbox file is not owned by its recipient. /* MISCELLANEOUS CONTROLS /* .ad /* .fi @@ -644,6 +652,7 @@ int var_mailtool_compat; char *var_mailbox_lock; int var_mailbox_limit; bool var_frozen_delivered; +bool var_strict_mbox_owner; int local_cmd_deliver_mask; int local_file_deliver_mask; @@ -891,6 +900,7 @@ int main(int argc, char **argv) VAR_STAT_HOME_DIR, DEF_STAT_HOME_DIR, &var_stat_home_dir, VAR_MAILTOOL_COMPAT, DEF_MAILTOOL_COMPAT, &var_mailtool_compat, VAR_FROZEN_DELIVERED, DEF_FROZEN_DELIVERED, &var_frozen_delivered, + VAR_STRICT_MBOX_OWNER, DEF_STRICT_MBOX_OWNER, &var_strict_mbox_owner, 0, }; 
diff --git a/postfix/src/local/mailbox.c b/postfix/src/local/mailbox.c index 92bd79d67..d35ef66b4 100644 --- a/postfix/src/local/mailbox.c +++ b/postfix/src/local/mailbox.c @@ -194,6 +194,12 @@ static int deliver_mailbox_file(LOCAL_STATE state, USER_ATTR usr_attr) vstream_fclose(mp->fp); dsb_simple(why, "5.2.0", "destination %s is not a regular file", mailbox); + } else if (var_strict_mbox_owner && st.st_uid != usr_attr.uid) { + vstream_fclose(mp->fp); + dsb_simple(why, "4.2.0", + "destination %s is not owned by recipient", mailbox); + msg_warn("specify \"%s = no\" to ignore mailbox ownership mismatch", + VAR_STRICT_MBOX_OWNER); } else { end = vstream_fseek(mp->fp, (off_t) 0, SEEK_END); mail_copy_status = mail_copy(COPY_ATTR(state.msg_attr), mp->fp, diff --git a/postfix/src/master/master.c b/postfix/src/master/master.c index e6d212ef6..56e1ffdce 100644 --- a/postfix/src/master/master.c +++ b/postfix/src/master/master.c @@ -481,7 +481,8 @@ int main(int argc, char **argv) watchdog_start(watchdog); /* same as trigger servers */ event_loop(-1); if (master_gotsighup) { - msg_info("reload configuration %s", var_config_dir); + msg_info("reload -- version %s, configuration %s", + var_mail_version, var_config_dir); master_gotsighup = 0; /* this first */ master_vars_init(); /* then this */ master_refresh(); /* then this */ diff --git a/postfix/src/util/vstream_tweak.c b/postfix/src/util/vstream_tweak.c index d1afac8fd..a9dc8bd1b 100644 --- a/postfix/src/util/vstream_tweak.c +++ b/postfix/src/util/vstream_tweak.c @@ -115,7 +115,7 @@ int vstream_tweak_tcp(VSTREAM *fp) */ #ifdef VSTREAM_CTL_BUFSIZE if (mss > 0) { - if (mss < __MAXINT__(ssize_t) /2) + if (mss < INT_MAX / 2) mss *= 2; vstream_control(fp, VSTREAM_CTL_BUFSIZE, (ssize_t) mss, diff --git a/postfix/src/virtual/mailbox.c b/postfix/src/virtual/mailbox.c index 09fc54bb0..f0ad6eb4a 100644 --- a/postfix/src/virtual/mailbox.c +++ b/postfix/src/virtual/mailbox.c 
@@ -125,6 +125,12 @@ static int deliver_mailbox_file(LOCAL_STATE state, USER_ATTR usr_attr) msg_warn("recipient %s: destination %s is not a regular file", state.msg_attr.rcpt.address, usr_attr.mailbox); dsb_simple(why, "5.3.5", "mail system configuration error"); + } else if (var_strict_mbox_owner && st.st_uid != usr_attr.uid) { + vstream_fclose(mp->fp); + dsb_simple(why, "4.2.0", + "destination %s is not owned by recipient", usr_attr.mailbox); + msg_warn("specify \"%s = no\" to ignore mailbox ownership mismatch", + VAR_STRICT_MBOX_OWNER); } else { end = vstream_fseek(mp->fp, (off_t) 0, SEEK_END); mail_copy_status = mail_copy(COPY_ATTR(state.msg_attr), mp->fp, diff --git a/postfix/src/virtual/virtual.c b/postfix/src/virtual/virtual.c index 88d969ca5..e2b33cd5b 100644 --- a/postfix/src/virtual/virtual.c +++ b/postfix/src/virtual/virtual.c @@ -183,6 +183,10 @@ /* .IP "\fBvirtual_transport (virtual)\fR" /* The default mail delivery transport and next-hop destination for /* final delivery to domains listed with $virtual_mailbox_domains. +/* .PP +/* Available in Postfix version 2.5.3 and later: +/* .IP "\fBstrict_mailbox_ownership (yes)\fR" +/* Defer delivery when a mailbox file is not owned by its recipient. /* LOCKING CONTROLS /* .ad /* .fi @@ -204,7 +208,7 @@ /* The maximal number of parallel deliveries to the same destination /* via the virtual message delivery transport. /* .IP "\fBvirtual_destination_recipient_limit ($default_destination_recipient_limit)\fR" -/* The maximal number of recipients per delivery via the virtual +/* The maximal number of recipients per message for the virtual /* message delivery transport. /* .IP "\fBvirtual_mailbox_limit (51200000)\fR" /* The maximal size in bytes of an individual mailbox or maildir file, @@ -329,6 +333,7 @@ char *var_virt_mailbox_base; char *var_virt_mailbox_lock; int var_virt_mailbox_limit; char *var_mail_spool_dir; /* XXX dependency fix */ +bool var_strict_mbox_owner; /* * Mappings. 
@@ -504,6 +509,10 @@ int main(int argc, char **argv) VAR_VIRT_MAILBOX_LOCK, DEF_VIRT_MAILBOX_LOCK, &var_virt_mailbox_lock, 1, 0, 0, }; + static const CONFIG_BOOL_TABLE bool_table[] = { + VAR_STRICT_MBOX_OWNER, DEF_STRICT_MBOX_OWNER, &var_strict_mbox_owner, + 0, + }; /* * Fingerprint executables and core dumps. @@ -513,6 +522,7 @@ int main(int argc, char **argv) single_server_main(argc, argv, local_service, MAIL_SERVER_INT_TABLE, int_table, MAIL_SERVER_STR_TABLE, str_table, + MAIL_SERVER_BOOL_TABLE, bool_table, MAIL_SERVER_PRE_INIT, pre_init, MAIL_SERVER_POST_INIT, post_init, MAIL_SERVER_PRE_ACCEPT, pre_accept,
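Review bot: the strict_mailbox_ownership manual text is added twice to the same page in postfix/src/local/local.c: the hunk at @@ -483,6 +487,10 @@ (just before MISCELLANEOUS CONTROLS) repeats, word for word, the four lines already added by the hunk at @@ -381,6 +381,10 @@ (just before DELIVERY METHOD CONTROLS). Keep the entry in one section only, so that a later change to the default or the wording cannot leave two copies that disagree. Since the check is an ownership safeguard, the copy next to default_privs and the expansion filters looks like the better home.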
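Review bot: in the local.c hunk at @@ -471,7 +475,7 @@, command_expansion_filter is now documented as restricting $name expansions of "$mailbox_command and $command_execution_directory", while the unchanged entry a few lines further down still says execution_directory_expansion_filter restricts expansions of $command_execution_directory. A reader cannot tell which filter actually applies to the directory, and these are the controls that keep unsafe characters out of a command context. Either drop $command_execution_directory from the new sentence or state explicitly that both filters apply and in what order.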
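Review bot: in the postfix/src/local/mailbox.c hunk at @@ -194,6 +194,12 @@, the msg_warn() in the new branch logs only the hint to set "%s = no" and records neither the owner that was found nor the uid that was expected, so the first thing an operator learns from the warning is how to switch the check off. Log st.st_uid and usr_attr.uid together with the mailbox name, and put the hint second. The hunk also does not show where st is filled in; please confirm it comes from fstat() on the descriptor behind mp->fp and not from a path-based stat(), otherwise the st.st_uid != usr_attr.uid test and the mail_copy() that follows may not be looking at the same file.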
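Review bot: in the postfix/src/master/master.c hunk at @@ -481,7 +481,8 @@, the new msg_info() runs before master_vars_init(), so the var_mail_version and var_config_dir it prints are the values held before the reload re-reads the configuration. If the intent is to record what the master is running after "postfix reload", move the message below master_vars_init(), or say in the text that these are the pre-reload values. The wording change from "reload configuration %s" to "reload -- version %s, configuration %s" will also stop matching any log watcher keyed on the old string, which deserves a line in the release notes.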
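Review bot: in the postfix/src/util/vstream_tweak.c hunk at @@ -115,7 +115,7 @@, the guard "if (mss < INT_MAX / 2)" is only the right bound if mss is declared as int, and that declaration is outside the hunk; the (ssize_t) mss cast two lines later suggests the types differ. Add a comment next to the test stating the type the bound is derived from, so the next attempt to silence a warning here does not change one side of the comparison without the other. INT_MAX also needs <limits.h>, and no include is added in this hunk; please confirm the file already pulls it in.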
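Review bot: in the postfix/src/virtual/mailbox.c hunk at @@ -125,6 +125,12 @@, the new branch puts usr_attr.mailbox into the dsb_simple() status text, whereas the branch directly above it keeps the path in msg_warn() and hands the status buffer only the generic "mail system configuration error". The status text can reach the sender in a delay or bounce notice, so this branch discloses a server-side mailbox path that the neighbouring branch deliberately withholds. Follow the existing pattern: log recipient, destination and both uids with msg_warn(), and keep the dsb_simple() text at "4.2.0" free of the path.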