From: Wietse Venema Date: Sat, 18 Dec 2004 05:00:00 +0000 (-0500) Subject: postfix-2.2-20041218 X-Git-Tag: v2.2.0-RC1~23 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=86823ca568d91c72353d75762bbaae0697ddeef1;p=thirdparty%2Fpostfix.git postfix-2.2-20041218 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index 67a0f671c..a7256d330 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -6945,7 +6945,6 @@ Apologies for any names omitted. This involved a further rewrite of the regexp map code. File: util/dict_regexp.c. - 200209010 Bugfix: the SMTP client produced suprious warnings about @@ -7568,7 +7567,6 @@ Apologies for any names omitted. properly quoted just like the null address. File: global/quote_82[12]_local.c. - 20021217 Cleanup: more work on the trivial-rewrite address rewriting @@ -8447,7 +8445,6 @@ Apologies for any names omitted. allows Postfix to connect to LDAP SSL sources. By Liviu Daia. File: util/dict_ldap.c. - 20030811 Cleanup: produce a warning when host:port specifies a badly 
@@ -9959,6 +9956,30 @@ Apologies for any names omitted. which didn't work as discussed above. Files: util/dict_dbm.c, util/dict_sdbm.c. + Feature: the local(8) and pipe(8) delivery agents now make + the following attributes available upon delivery (with + local(8) names must be spelled in upper case): client_hostname, + client_address, client_protocol, client_helo, sasl_method, + sasl_sender, sasl_username. Files: local/command.c, + pipe/pipe.c, and lots of documentation. + +20041216 + + "postcat -o" now prints queue file record offsets; this is + useful for debugging. File: postcat/postcat.c. + +20041218 + + Feature: selective suppression of SMTP extensions (pipelining, + starttls, auth, etc.); this is useful to work around broken + clients or servers. Specify a list of EHLO keywords with + the smtp(d)_disable_ehlo_keywords parameters, or specify + one or more lookup tables, indexed by remote network address, + with the smtp(d)_disable_ehlo_keyword_address_maps parameters. + EHLO keyword lists are case insensitive. Files: + util/name_mask.[hc], global/ehlo_mask.[hc], smtpd/smtpd.c, + smtp/smtp.c, smtp/smtp_proto.c. + Open problems: Med: implement ${name[?:]value} in main.cf or update the diff --git a/postfix/README_FILES/OVERVIEW b/postfix/README_FILES/OVERVIEW index 873d390c0..504196b24 100644 --- a/postfix/README_FILES/OVERVIEW +++ b/postfix/README_FILES/OVERVIEW 
@@ -265,14 +265,14 @@ queues. processes. This overcomes chroot restrictions, and reduces the number of open lookup tables by sharing one open table among multiple processes. - * The scache(8) server maintains the session cache for the Postfix smtp(8) - client. When session caching is enabled for selected destinations, the smtp - (8) client does not disconnect immediately after a mail transaction, but - gives the connection to the session cache server. The smtp(8) client - continues with some other mail delivery request. Meanwhile, the session + * The scache(8) server maintains the connection cache for the Postfix smtp(8) + client. When connection caching is enabled for selected destinations, the + smtp(8) client does not disconnect immediately after a mail transaction, + but gives the connection to the connection cache server. The smtp(8) client + continues with some other mail delivery request. Meanwhile, the connection cache server keeps the connection open for a limited amount of time. During that time, any smtp(8) process can ask the scache(8) server for that cached - session and use it for mail delivery. + connection and use it for mail delivery. smtp(8) -> scache(8) -> smtp(8) diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index 0c6b2bf41..5b4095ec8 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES 
@@ -7,6 +7,30 @@ snapshot release). Patches are issued for the official release and change the patchlevel and the release date. Patches are never issued for snapshot releases. +Major changes with snapshot Postfix-2.2-20041218 +================================================ + +Fine control for SMTP inter-operability problems. You can now +selectively turn off SMTP extensions (pipelining, starttls, auth, +etc.), to work around specific broken clients or servers. Specify +a list of EHLO keywords with the smtp(d)_disable_ehlo_keywords +parameters, or specify one or more lookup tables, indexed by remote +network address, with the smtp(d)_disable_ehlo_keyword_address_maps +parameters. The EHLO keywords lists are case insensitive. + +More client attributes for delivery to command with the local(8) +and pipe(8) delivery agents: client_hostname, client_address, +client_protocol, client_helo, sasl_method, sasl_sender, and +sasl_username. With local(8), attribute names must be specified +in upper case. + +Major changes with snapshot Postfix-2.2-20041210 +================================================ + +You can now dump an entire database with the new postmap/postalias +"-s" option. This works only for database types with Postfix sequence +operator support: hash, btree, dbm, and sdbm. + Major changes with snapshot Postfix-2.2-20041208 ================================================ diff --git a/postfix/html/OVERVIEW.html b/postfix/html/OVERVIEW.html index bbf575663..609a85033 100644 --- a/postfix/html/OVERVIEW.html +++ b/postfix/html/OVERVIEW.html @@ -536,15 +536,16 @@ service to Postfix processes. This overcomes chroot restrictions, and reduces the number of open lookup tables by sharing one open table among multiple processes.

-
  • The scache(8) server maintains the session cache for the -Postfix smtp(8) client. When session caching is enabled for selected +

  • The scache(8) server maintains the connection cache for +the Postfix smtp(8) client. When connection caching is enabled for +selected destinations, the smtp(8) client does not disconnect immediately -after a mail transaction, but gives the connection to the session +after a mail transaction, but gives the connection to the connection cache server. The smtp(8) client continues with some other mail -delivery request. Meanwhile, the session cache server keeps the +delivery request. Meanwhile, the connection cache server keeps the connection open for a limited amount of time. During that time, any smtp(8) process can ask the scache(8) server for that cached -session and use it for mail delivery.

    +connection and use it for mail delivery.

    diff --git a/postfix/html/local.8.html b/postfix/html/local.8.html index 96f864430..5cf0428c7 100644 --- a/postfix/html/local.8.html +++ b/postfix/html/local.8.html @@ -202,6 +202,37 @@ LOCAL(8) LOCAL(8) SENDER The entire sender address. + Additional remote client information is made available via + the following pseudo variables: + + CLIENT_ADDRESS + Remote client network address. Available as of + Postfix 2.2. + + CLIENT_HELO + Remote client EHLO command parameter. Available as + of Postfix 2.2. + + CLIENT_HOSTNAME + Remote client hostname. Available as of Postfix + 2.2. + + CLIENT_PROTOCOL + Remote client protocol. Available as of Postfix + 2.2. + + SASL_METHOD + SASL authentication method specified in the remote + client AUTH command. Available as of Postfix 2.2. + + SASL_SENDER + SASL sender address specified in the remote client + MAIL FROM command. Available as of Postfix 2.2. + + SASL_USERNAME + SASL username specified in the remote client AUTH + command. Available as of Postfix 2.2. + The PATH environment variable is always reset to a system- dependent default path, and environment variables whose names are blessed by the export_environment configuration diff --git a/postfix/html/pipe.8.html b/postfix/html/pipe.8.html index 13a4166c7..59628546c 100644 --- a/postfix/html/pipe.8.html +++ b/postfix/html/pipe.8.html 
@@ -155,6 +155,30 @@ PIPE(8) PIPE(8) and $(name) are also recognized. Specify $$ where a single $ is wanted. + ${client_address} + This macro expands to the remote client net- + work address. + + This is available in Postfix 2.2 and later. + + ${client_helo} + This macro expands to the remote client HELO + command parameter. + + This is available in Postfix 2.2 and later. + + ${client_hostname} + This macro expands to the remote client + hostname. + + This is available in Postfix 2.2 and later. + + ${client_protocol} + This macro expands to the remote client pro- + tocol. + + This is available in Postfix 2.2 and later. + ${extension} This macro expands to the extension part of a recipient address. For example, with an diff --git a/postfix/html/postcat.1.html b/postfix/html/postcat.1.html index f3b268a3b..0ace8d9e5 100644 --- a/postfix/html/postcat.1.html +++ b/postfix/html/postcat.1.html @@ -10,7 +10,7 @@ POSTCAT(1) POSTCAT(1) postcat - show Postfix queue file contents SYNOPSIS - postcat [-vq] [-cconfig_dir] [files...] + postcat [-oqv] [-cconfig_dir] [files...] DESCRIPTION The postcat command prints the contents of the named files @@ -25,6 +25,8 @@ POSTCAT(1) POSTCAT(1) directory instead of the default configuration directory. + -o Print the queue file offset of each record. + -q Search the Postfix queue for the named files instead of taking the names literally. diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index f36e3b6c8..feffbb610 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -3427,6 +3427,26 @@ The following environment variables are exported to the command:
    +
    CLIENT_ADDRESS
    + +
    Remote client network address. Available in Postfix 2.2 and +later.
    + +
    CLIENT_HELO
    + +
    Remote client EHLO command parameter. Available in Postfix 2.2 +and later.
    + +
    CLIENT_HOSTNAME
    + +
    Remote client hostname. Available in Postfix 2.2 and later. +
    + +
    CLIENT_PROTOCOL
    + +
    Remote client protocol. Available in Postfix 2.2 and later. +
    +
    DOMAIN
    The domain part of the recipient address.
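Review bot: the CLIENT_HELO entry added to this environment-variable list does not say that its value is chosen by the remote side. It is described as the "Remote client EHLO command parameter", so it is whatever string the peer sent, and it is exported to a delivery command. Suggest adding a sentence that the CLIENT_* values are remote-supplied and must be treated as untrusted input, quoted wherever the command or a script it runs uses them.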
    @@ -3451,6 +3471,21 @@ The following environment variables are exported to the command:
    The full recipient address.
    +
    SASL_METHOD
    + +
    SASL authentication method specified in the remote client AUTH +command. Available in Postfix 2.2 and later.
    + +
    SASL_SENDER
    + +
    SASL sender address specified in the remote client MAIL FROM +command. Available in Postfix 2.2 and later.
    + +
    SASL_USER
    + +
    SASL username specified in the remote client AUTH command. +Available in Postfix 2.2 and later.
    +
    SENDER
    The full sender address.
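Review bot: the variable is named SASL_USER in this hunk, but the local.8.html hunk in the same commit documents SASL_USERNAME, and the HISTORY and RELEASE_NOTES entries list sasl_username. Make postconf.5.html use the name that local/command.c actually exports, so that a command reading the documented name does not silently get an empty value.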
    @@ -5642,6 +5677,28 @@ the entry in the master.cf file.

    into concurrency per recipient.

    + + +
    smtp_disable_ehlo_keyword_address_maps +(default: empty)
    + +

    Lookup tables, indexed by the remote SMTP server address, with +case insensitive lists of EHLO keywords (pipelining, starttls, +auth, etc.) that the SMTP client will ignore in the EHLO response +from a remote SMTP server.

    + + +
    + +
    smtp_disable_ehlo_keywords +(default: empty)
    + +

    A case insensitive list of EHLO keywords (pipelining, starttls, +auth, etc.) that the SMTP client will ignore in the EHLO response +from a remote SMTP server. Use the smtp_disable_ehlo_keyword_address_maps +feature to disable EHLO keywords selectively.

    + +
    smtp_helo_name @@ -5664,7 +5721,7 @@ client, for example:
       /etc/postfix/master.cf:
    -        mysmtp ... smtp -o smtp_helo_name=foo.bar.com
    +        mysmtp ... smtp -o smtp_helo_name">smtp_helo_name=foo.bar.com
     

    @@ -6667,6 +6724,28 @@ is being rejected.

    + + +
    smtpd_disable_ehlo_keyword_address_maps +(default: empty)
    + +

    Lookup tables, indexed by the remote SMTP client address, with +case insensitive lists of EHLO keywords (pipelining, starttls, +auth, etc.) that the SMTP server will not send in the EHLO response +to a remote SMTP client.

    + + +
    + +
    smtpd_disable_ehlo_keywords +(default: empty)
    + +

    A case insensitive list of EHLO keywords (pipelining, starttls, +auth, etc.) that the SMTP server will not send in the EHLO response +to a remote SMTP client. Use the smtpd_disable_ehlo_keyword_address_maps +feature to disable EHLO keywords selectively.

    + +
    smtpd_end_of_data_restrictions diff --git a/postfix/html/smtp.8.html b/postfix/html/smtp.8.html index 46f3659cb..6fd034d7c 100644 --- a/postfix/html/smtp.8.html +++ b/postfix/html/smtp.8.html @@ -134,11 +134,26 @@ SMTP(8) SMTP(8) Skip SMTP servers that greet with a 4XX status code (go away, try again later). + Available in Postfix version 2.2 and later: + + smtp_disable_ehlo_keyword_address_maps (empty) + Lookup tables, indexed by the remote SMTP server + address, with case insensitive lists of EHLO key- + words (pipelining, starttls, auth, etc.) that the + SMTP client will ignore in the EHLO response from a + remote SMTP server. + + smtp_disable_ehlo_keywords (empty) + A case insensitive list of EHLO keywords (pipelin- + ing, starttls, auth, etc.) that the SMTP client + will ignore in the EHLO response from a remote SMTP + server. + MIME PROCESSING CONTROLS Available in Postfix version 2.0 and later: disable_mime_output_conversion (no) - Disable the conversion of 8BITMIME format to 7BIT + Disable the conversion of 8BITMIME format to 7BIT format. mime_boundary_length_limit (2048) 
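Review bot: the smtp_disable_ehlo_keywords and smtp_disable_ehlo_keyword_address_maps entries added in this hunk give starttls and auth as examples without stating the consequence of ignoring them. If the client ignores a keyword in the EHLO response, it behaves as if the server never offered that extension, so the text should say what happens to a delivery when starttls or auth is suppressed for a destination that other settings expect to use TLS or SASL. One sentence per parameter would do.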
@@ -153,50 +168,50 @@ SMTP(8) SMTP(8) Available in Postfix version 2.1 and later: smtp_send_xforward_command (no) - Send the non-standard XFORWARD command when the - Postfix SMTP server EHLO response announces XFOR- + Send the non-standard XFORWARD command when the + Postfix SMTP server EHLO response announces XFOR- WARD support. SASL AUTHENTICATION CONTROLS smtp_sasl_auth_enable (no) - Enable SASL authentication in the Postfix SMTP + Enable SASL authentication in the Postfix SMTP client. smtp_sasl_password_maps (empty) - Optional SMTP client lookup tables with one user- - name:password entry per remote hostname or domain. + Optional SMTP client lookup tables with one user- + name:password entry per remote hostname or domain. smtp_sasl_security_options (noplaintext, noanonymous) - What authentication mechanisms the Postfix SMTP + What authentication mechanisms the Postfix SMTP client is allowed to use. Available in Postfix version 2.2 and later: smtp_sasl_mechanism_filter (empty) - If non-empty, a Postfix SMTP client filter for the - remote SMTP server's list of offered SASL mecha- + If non-empty, a Postfix SMTP client filter for the + remote SMTP server's list of offered SASL mecha- nisms. RESOURCE AND RATE CONTROLS smtp_destination_concurrency_limit ($default_destina- tion_concurrency_limit) - The maximal number of parallel deliveries to the - same destination via the smtp message delivery + The maximal number of parallel deliveries to the + same destination via the smtp message delivery transport. smtp_destination_recipient_limit ($default_destina- tion_recipient_limit) - The maximal number of recipients per delivery via + The maximal number of recipients per delivery via the smtp message delivery transport. smtp_connect_timeout (30s) - The SMTP client time limit for completing a TCP + The SMTP client time limit for completing a TCP connection, or zero (use the operating system built-in time limit). 
smtp_helo_timeout (300s) - The SMTP client time limit for sending the HELO or - EHLO command, and for receiving the initial server + The SMTP client time limit for sending the HELO or + EHLO command, and for receiving the initial server response. smtp_xforward_timeout (300s) @@ -204,30 +219,30 @@ SMTP(8) SMTP(8) command, and for receiving the server response. smtp_mail_timeout (300s) - The SMTP client time limit for sending the MAIL - FROM command, and for receiving the server + The SMTP client time limit for sending the MAIL + FROM command, and for receiving the server response. smtp_rcpt_timeout (300s) - The SMTP client time limit for sending the SMTP - RCPT TO command, and for receiving the server + The SMTP client time limit for sending the SMTP + RCPT TO command, and for receiving the server response. smtp_data_init_timeout (120s) - The SMTP client time limit for sending the SMTP - DATA command, and for receiving the server + The SMTP client time limit for sending the SMTP + DATA command, and for receiving the server response. smtp_data_xfer_timeout (180s) - The SMTP client time limit for sending the SMTP + The SMTP client time limit for sending the SMTP message content. smtp_data_done_timeout (600s) - The SMTP client time limit for sending the SMTP + The SMTP client time limit for sending the SMTP ".", and for receiving the server response. smtp_quit_timeout (300s) - The SMTP client time limit for sending the QUIT + The SMTP client time limit for sending the QUIT command, and for receiving the server response. Available in Postfix version 2.1 and later: 
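Review bot: every removed/added pair in this hunk and the one before it (smtp_send_xforward_command through smtp_quit_timeout) reads the same word for word, so the only difference appears to be line justification from regenerating the page. Consider committing the regenerated output separately, so that the real documentation change at @@ -134 is not buried in formatting churn.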
@@ -238,77 +253,77 @@ SMTP(8) SMTP(8) lookups, or zero (no limit). smtp_mx_session_limit (2) - The maximal number of SMTP sessions per delivery - request before giving up or delivering to a fall- + The maximal number of SMTP sessions per delivery + request before giving up or delivering to a fall- back relay host, or zero (no limit). smtp_rset_timeout (20s) - The SMTP client time limit for sending the RSET + The SMTP client time limit for sending the RSET command, and for receiving the server response. Available in Postfix version 2.2 and later: smtp_connection_cache_destinations (empty) - Permanently enable SMTP connection caching for the + Permanently enable SMTP connection caching for the specified destinations. smtp_connection_cache_on_demand (yes) - Temporarily enable SMTP connection caching while a + Temporarily enable SMTP connection caching while a destination has a high volume of mail in the active queue. smtp_connection_cache_reuse_limit (10) When SMTP connection caching is enabled, the number - of times that an SMTP session is reused before it + of times that an SMTP session is reused before it is closed. smtp_connection_cache_time_limit (2s) When SMTP connection caching is enabled, the amount - of time that an unused SMTP client socket is kept + of time that an unused SMTP client socket is kept open before it is closed. TROUBLE SHOOTING CONTROLS debug_peer_level (2) - The increment in verbose logging level when a - remote client or server matches a pattern in the + The increment in verbose logging level when a + remote client or server matches a pattern in the debug_peer_list parameter. debug_peer_list (empty) - Optional list of remote client or server hostname - or network address patterns that cause the verbose - logging level to increase by the amount specified + Optional list of remote client or server hostname + or network address patterns that cause the verbose + logging level to increase by the amount specified in $debug_peer_level. 
error_notice_recipient (postmaster) - The recipient of postmaster notifications about - mail delivery problems that are caused by policy, + The recipient of postmaster notifications about + mail delivery problems that are caused by policy, resource, software or protocol errors. notify_classes (resource, software) - The list of error classes that are reported to the + The list of error classes that are reported to the postmaster. MISCELLANEOUS CONTROLS best_mx_transport (empty) - Where the Postfix SMTP client should deliver mail + Where the Postfix SMTP client should deliver mail when it detects a "mail loops back to myself" error condition. config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and + The default location of the Postfix main.cf and master.cf configuration files. daemon_timeout (18000s) - How much time a Postfix daemon process may take to - handle a request before it is terminated by a + How much time a Postfix daemon process may take to + handle a request before it is terminated by a built-in watchdog timer. disable_dns_lookups (no) - Disable DNS lookups in the Postfix SMTP and LMTP + Disable DNS lookups in the Postfix SMTP and LMTP clients. fallback_relay (empty) - Optional list of relay hosts for SMTP destinations + Optional list of relay hosts for SMTP destinations that can't be found or that are unreachable. inet_interfaces (all) 
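Review bot: smtp_connection_cache_reuse_limit in this hunk still says "the number of times that an SMTP session is reused", while the OVERVIEW hunks in this commit rename "session cache" to "connection cache" throughout. Since the entry is being touched anyway, change the source text to "SMTP connection" so the terminology is uniform; smtp_mx_session_limit is a parameter name and stays as it is.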
@@ -320,48 +335,48 @@ SMTP(8) SMTP(8) over an internal communication channel. max_idle (100s) - The maximum amount of time that an idle Postfix - daemon process waits for the next service request + The maximum amount of time that an idle Postfix + daemon process waits for the next service request before exiting. max_use (100) - The maximal number of connection requests before a + The maximal number of connection requests before a Postfix daemon process terminates. process_id (read-only) - The process ID of a Postfix command or daemon pro- + The process ID of a Postfix command or daemon pro- cess. process_name (read-only) - The process name of a Postfix command or daemon + The process name of a Postfix command or daemon process. proxy_interfaces (empty) The network interface addresses that this mail sys- - tem receives mail on by way of a proxy or network + tem receives mail on by way of a proxy or network address translation unit. smtp_bind_address (empty) An optional numerical network address that the SMTP client should bind to when making a connection. - smtp_helo_name ($myhostname) - The hostname to send in the SMTP EHLO or HELO com- + smtp_helo_name">smtp_helo_name ($myhostname) + The hostname to send in the SMTP EHLO or HELO com- mand. smtp_host_lookup (dns) - What mechanisms when the SMTP client uses to look + What mechanisms when the SMTP client uses to look up a host's IP address. smtp_randomize_addresses (yes) - Randomize the order of equal-preference MX host + Randomize the order of equal-preference MX host addresses. syslog_facility (mail) The syslog facility of Postfix logging. syslog_name (postfix) - The mail system name that is prepended to the pro- + The mail system name that is prepended to the pro- cess name in syslog records, so that "smtpd" becomes, for example, "postfix/smtpd". 
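Review bot: the added smtp_helo_name line in this hunk reads `smtp_helo_name">smtp_helo_name ($myhostname)`, with a stray `">` that the removed line did not have. The same artifact shows up in the postconf.5.html hunk at @@ -5664, where the master.cf example becomes `-o smtp_helo_name">smtp_helo_name=foo.bar.com`. It looks as if the link generator wrapped the parameter name twice; regenerate both pages after fixing that, since the postconf.5.html example is something people copy into master.cf.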
@@ -378,7 +393,7 @@ SMTP(8) SMTP(8) SASL_README, Postfix SASL howto LICENSE - The Secure Mailer license must be distributed with this + The Secure Mailer license must be distributed with this software. AUTHOR(S) diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html index b02b18f8f..567313e84 100644 --- a/postfix/html/smtpd.8.html +++ b/postfix/html/smtpd.8.html 
@@ -103,44 +103,59 @@ SMTPD(8) SMTPD(8) What SMTP clients Postfix will not offer AUTH sup- port to. + Available in Postfix version 2.2 and later: + + smtpd_disable_ehlo_keyword_address_maps (empty) + Lookup tables, indexed by the remote SMTP client + address, with case insensitive lists of EHLO key- + words (pipelining, starttls, auth, etc.) that the + SMTP server will not send in the EHLO response to a + remote SMTP client. + + smtpd_disable_ehlo_keywords (empty) + A case insensitive list of EHLO keywords (pipelin- + ing, starttls, auth, etc.) that the SMTP server + will not send in the EHLO response to a remote SMTP + client. + ADDRESS REWRITING CONTROLS - See the ADDRESS_REWRITING_README document for a detailed + See the ADDRESS_REWRITING_README document for a detailed discussion of Postfix address rewriting. receive_override_options (empty) - Enable or disable recipient validation, built-in + Enable or disable recipient validation, built-in content filtering, or address mapping. Available in Postfix version 2.2 and later: local_header_rewrite_clients (see 'postconf -d' output) Append the domain name in $myorigin or $mydomain to - message header addresses from these clients only; - either don't rewrite message headers from other + message header addresses from these clients only; + either don't rewrite message headers from other clients at all, or append the domain specified with the remote_header_rewrite_domain parameter. AFTER QUEUE EXTERNAL CONTENT INSPECTION CONTROLS - As of version 1.0, Postfix can be configured to send new - mail to an external content filter AFTER the mail is - queued. This content filter is expected to inject mail - back into a (Postfix or other) MTA for further delivery. + As of version 1.0, Postfix can be configured to send new + mail to an external content filter AFTER the mail is + queued. This content filter is expected to inject mail + back into a (Postfix or other) MTA for further delivery. 
See the FILTER_README document for details. content_filter (empty) - The name of a mail delivery transport that filters + The name of a mail delivery transport that filters mail after it is queued. BEFORE QUEUE EXTERNAL CONTENT INSPECTION CONTROLS - As of version 2.1, the Postfix SMTP server can be config- - ured to send incoming mail to a real-time SMTP-based con- + As of version 2.1, the Postfix SMTP server can be config- + ured to send incoming mail to a real-time SMTP-based con- tent filter BEFORE mail is queued. This content filter is - expected to inject mail back into Postfix. See the - SMTPD_PROXY_README document for details on how to config- + expected to inject mail back into Postfix. See the + SMTPD_PROXY_README document for details on how to config- ure and operate this feature. smtpd_proxy_filter (empty) - The hostname and TCP port of the mail filtering + The hostname and TCP port of the mail filtering proxy server. smtpd_proxy_ehlo ($myhostname) 
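Review bot: the smtpd_disable_ehlo_keyword_address_maps entry added in this hunk does not describe the lookup result format, or how a table match combines with smtpd_disable_ehlo_keywords (added to the list, or replacing it). Suggest one sample table line and a sentence on precedence, plus a remark that suppressing starttls or auth for an address means clients connecting from it are never offered that extension.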
@@ -152,42 +167,42 @@ SMTPD(8) SMTPD(8) for sending or receiving information. GENERAL CONTENT INSPECTION CONTROLS - The following parameters are applicable for both built-in + The following parameters are applicable for both built-in and external content filters. Available in Postfix version 2.1 and later: receive_override_options (empty) - Enable or disable recipient validation, built-in + Enable or disable recipient validation, built-in content filtering, or address mapping. EXTERNAL CONTENT INSPECTION CONTROLS - The following parameters are applicable for both before- + The following parameters are applicable for both before- queue and after-queue content filtering. Available in Postfix version 2.1 and later: smtpd_authorized_xforward_hosts (empty) - What SMTP clients are allowed to use the XFORWARD + What SMTP clients are allowed to use the XFORWARD feature. SASL AUTHENTICATION CONTROLS - Postfix SASL support (RFC 2554) can be used to authenti- - cate remote SMTP clients to the Postfix SMTP server, and - to authenticate the Postfix SMTP client to a remote SMTP + Postfix SASL support (RFC 2554) can be used to authenti- + cate remote SMTP clients to the Postfix SMTP server, and + to authenticate the Postfix SMTP client to a remote SMTP server. See the SASL_README document for details. broken_sasl_auth_clients (no) - Enable inter-operability with SMTP clients that - implement an obsolete version of the AUTH command + Enable inter-operability with SMTP clients that + implement an obsolete version of the AUTH command (RFC 2554). smtpd_sasl_auth_enable (no) - Enable SASL authentication in the Postfix SMTP + Enable SASL authentication in the Postfix SMTP server. smtpd_sasl_application_name (smtpd) - The application name used for SASL server initial- + The application name used for SASL server initial- ization. smtpd_sasl_local_domain (empty) 
@@ -198,69 +213,69 @@ SMTPD(8) SMTPD(8) SMTP server will offer to the client. smtpd_sender_login_maps (empty) - Optional lookup table with the SASL login names + Optional lookup table with the SASL login names that own sender (MAIL FROM) addresses. Available in Postfix version 2.1 and later: smtpd_sasl_exceptions_networks (empty) - What SMTP clients Postfix will not offer AUTH sup- + What SMTP clients Postfix will not offer AUTH sup- port to. VERP SUPPORT CONTROLS - With VERP style delivery, each recipient of a message + With VERP style delivery, each recipient of a message receives a customized copy of the message with his/her own - recipient address encoded in the envelope sender address. + recipient address encoded in the envelope sender address. The VERP_README file describes configuration and operation - details of Postfix support for variable envelope return + details of Postfix support for variable envelope return path addresses. VERP style delivery is requested with the - SMTP XVERP command or with the "sendmail -V" command-line - option and is available in Postfix version 1.1 and later. + SMTP XVERP command or with the "sendmail -V" command-line + option and is available in Postfix version 1.1 and later. default_verp_delimiters (+=) The two default VERP delimiter characters. verp_delimiter_filter (-=+) - The characters Postfix accepts as VERP delimiter - characters on the Postfix sendmail(1) command line + The characters Postfix accepts as VERP delimiter + characters on the Postfix sendmail(1) command line and in SMTP commands. Available in Postfix version 1.1 and 2.0: authorized_verp_clients ($mynetworks) - What SMTP clients are allowed to specify the XVERP + What SMTP clients are allowed to specify the XVERP command. Available in Postfix version 2.1 and later: smtpd_authorized_verp_clients ($authorized_verp_clients) - What SMTP clients are allowed to specify the XVERP + What SMTP clients are allowed to specify the XVERP command. 
TROUBLE SHOOTING CONTROLS - The DEBUG_README document describes how to debug parts of - the Postfix mail system. The methods vary from making the - software log a lot of detail, to running some daemon pro- + The DEBUG_README document describes how to debug parts of + the Postfix mail system. The methods vary from making the + software log a lot of detail, to running some daemon pro- cesses under control of a call tracer or debugger. debug_peer_level (2) - The increment in verbose logging level when a - remote client or server matches a pattern in the + The increment in verbose logging level when a + remote client or server matches a pattern in the debug_peer_list parameter. debug_peer_list (empty) - Optional list of remote client or server hostname - or network address patterns that cause the verbose - logging level to increase by the amount specified + Optional list of remote client or server hostname + or network address patterns that cause the verbose + logging level to increase by the amount specified in $debug_peer_level. error_notice_recipient (postmaster) - The recipient of postmaster notifications about - mail delivery problems that are caused by policy, + The recipient of postmaster notifications about + mail delivery problems that are caused by policy, resource, software or protocol errors. notify_classes (resource, software) - The list of error classes that are reported to the + The list of error classes that are reported to the postmaster. soft_bounce (no) 
@@ -270,22 +285,22 @@ SMTPD(8) SMTPD(8) Available in Postfix version 2.1 and later: smtpd_authorized_xclient_hosts (empty) - What SMTP clients are allowed to use the XCLIENT + What SMTP clients are allowed to use the XCLIENT feature. KNOWN VERSUS UNKNOWN RECIPIENT CONTROLS - As of Postfix version 2.0, the SMTP server rejects mail - for unknown recipients. This prevents the mail queue from - clogging up with undeliverable MAILER-DAEMON messages. - Additional information on this topic is in the + As of Postfix version 2.0, the SMTP server rejects mail + for unknown recipients. This prevents the mail queue from + clogging up with undeliverable MAILER-DAEMON messages. + Additional information on this topic is in the LOCAL_RECIPIENT_README and ADDRESS_CLASS_README documents. show_user_unknown_table_name (yes) - Display the name of the recipient table in the + Display the name of the recipient table in the "User unknown" responses. canonical_maps (empty) - Optional address mapping lookup tables for message + Optional address mapping lookup tables for message headers and envelopes. recipient_canonical_maps (empty) @@ -296,7 +311,7 @@ SMTPD(8) SMTPD(8) mydestination ($myhostname, localhost.$mydomain, local- host) - The list of domains that are delivered via the + The list of domains that are delivered via the $local_transport mail delivery transport. inet_interfaces (all) 
@@ -305,185 +320,185 @@ SMTPD(8) SMTPD(8) proxy_interfaces (empty) The network interface addresses that this mail sys- - tem receives mail on by way of a proxy or network + tem receives mail on by way of a proxy or network address translation unit. local_recipient_maps (proxy:unix:passwd.byname $alias_maps) - Lookup tables with all names or addresses of local - recipients: a recipient address is local when its - domain matches $mydestination, $inet_interfaces or + Lookup tables with all names or addresses of local + recipients: a recipient address is local when its + domain matches $mydestination, $inet_interfaces or $proxy_interfaces. unknown_local_recipient_reject_code (550) - The numerical Postfix SMTP server response code - when a recipient address is local, and - $local_recipient_maps specifies a list of lookup + The numerical Postfix SMTP server response code + when a recipient address is local, and + $local_recipient_maps specifies a list of lookup tables that does not match the recipient. - Parameters concerning known/unknown recipients of relay + Parameters concerning known/unknown recipients of relay destinations: relay_domains ($mydestination) - What destination domains (and subdomains thereof) + What destination domains (and subdomains thereof) this system will relay mail to. relay_recipient_maps (empty) - Optional lookup tables with all valid addresses in + Optional lookup tables with all valid addresses in the domains that match $relay_domains. unknown_relay_recipient_reject_code (550) The numerical Postfix SMTP server reply code when a - recipient address matches $relay_domains, and - relay_recipient_maps specifies a list of lookup + recipient address matches $relay_domains, and + relay_recipient_maps specifies a list of lookup tables that does not match the recipient address. 
- Parameters concerning known/unknown recipients in virtual + Parameters concerning known/unknown recipients in virtual alias domains: virtual_alias_domains ($virtual_alias_maps) Postfix is final destination for the specified list - of virtual alias domains, that is, domains for - which all addresses are aliased to addresses in + of virtual alias domains, that is, domains for + which all addresses are aliased to addresses in other local or remote domains. virtual_alias_maps ($virtual_maps) - Optional lookup tables that alias specific mail - addresses or domains to other local or remote + Optional lookup tables that alias specific mail + addresses or domains to other local or remote address. unknown_virtual_alias_reject_code (550) The SMTP server reply code when a recipient address - matches $virtual_alias_domains, and $vir- - tual_alias_maps specifies a list of lookup tables + matches $virtual_alias_domains, and $vir- + tual_alias_maps specifies a list of lookup tables that does not match the recipient address. - Parameters concerning known/unknown recipients in virtual + Parameters concerning known/unknown recipients in virtual mailbox domains: virtual_mailbox_domains ($virtual_mailbox_maps) Postfix is final destination for the specified list - of domains; mail is delivered via the $vir- + of domains; mail is delivered via the $vir- tual_transport mail delivery transport. virtual_mailbox_maps (empty) - Optional lookup tables with all valid addresses in + Optional lookup tables with all valid addresses in the domains that match $virtual_mailbox_domains. unknown_virtual_mailbox_reject_code (550) The SMTP server reply code when a recipient address - matches $virtual_mailbox_domains, and $vir- + matches $virtual_mailbox_domains, and $vir- tual_mailbox_maps specifies a list of lookup tables that does not match the recipient address. 
RESOURCE AND RATE CONTROLS - The following parameters limit resource usage by the SMTP + The following parameters limit resource usage by the SMTP server and/or control client request rates. line_length_limit (2048) - Upon input, long lines are chopped up into pieces - of at most this length; upon delivery, long lines + Upon input, long lines are chopped up into pieces + of at most this length; upon delivery, long lines are reconstructed. queue_minfree (0) - The minimal amount of free space in bytes in the + The minimal amount of free space in bytes in the queue file system that is needed to receive mail. message_size_limit (10240000) - The maximal size in bytes of a message, including + The maximal size in bytes of a message, including envelope information. smtpd_recipient_limit (1000) - The maximal number of recipients that the Postfix + The maximal number of recipients that the Postfix SMTP server accepts per message delivery request. smtpd_timeout (300s) - The time limit for sending a Postfix SMTP server - response and for receiving a remote SMTP client + The time limit for sending a Postfix SMTP server + response and for receiving a remote SMTP client request. smtpd_history_flush_threshold (100) - The maximal number of lines in the Postfix SMTP - server command history before it is flushed upon + The maximal number of lines in the Postfix SMTP + server command history before it is flushed upon receipt of EHLO, RSET, or end of DATA. The per SMTP client connection count and request rate lim- its are implemented in co-operation with the anvil(8) ser- - vice, and are available in Postfix version 2.2 and later. + vice, and are available in Postfix version 2.2 and later. smtpd_client_connection_count_limit (50) - How many simultaneous connections any client is + How many simultaneous connections any client is allowed to make to this service. 
smtpd_client_connection_rate_limit (0) The maximal number of connection attempts any - client is allowed to make to this service per time + client is allowed to make to this service per time unit. smtpd_client_message_rate_limit (0) - The maximal number of message delivery requests - that any client is allowed to make to this service + The maximal number of message delivery requests + that any client is allowed to make to this service per time unit, regardless of whether or not Postfix actually accepts those messages. smtpd_client_recipient_rate_limit (0) - The maximal number of recipient addresses that any - client is allowed to send to this service per time + The maximal number of recipient addresses that any + client is allowed to send to this service per time unit, regardless of whether or not Postfix actually accepts those recipients. smtpd_client_event_limit_exceptions ($mynetworks) - Clients that are excluded from connection count, - connection rate, message rate or recipient rate + Clients that are excluded from connection count, + connection rate, message rate or recipient rate restrictions. TARPIT CONTROLS - When a remote SMTP client makes errors, the Postfix SMTP - server can insert delays before responding. This can help - to slow down run-away software. The behavior is con- - trolled by an error counter that counts the number of - errors within an SMTP session that a client makes without + When a remote SMTP client makes errors, the Postfix SMTP + server can insert delays before responding. This can help + to slow down run-away software. The behavior is con- + trolled by an error counter that counts the number of + errors within an SMTP session that a client makes without delivering mail. 
smtpd_error_sleep_time (1s) - With Postfix 2.1 and later: the SMTP server - response delay after a client has made more than - $smtpd_soft_error_limit errors, and fewer than - $smtpd_hard_error_limit errors, without delivering + With Postfix 2.1 and later: the SMTP server + response delay after a client has made more than + $smtpd_soft_error_limit errors, and fewer than + $smtpd_hard_error_limit errors, without delivering mail. smtpd_soft_error_limit (10) - The number of errors a remote SMTP client is - allowed to make without delivering mail before the + The number of errors a remote SMTP client is + allowed to make without delivering mail before the Postfix SMTP server slows down all its responses. smtpd_hard_error_limit (20) - The maximal number of errors a remote SMTP client + The maximal number of errors a remote SMTP client is allowed to make without delivering mail. smtpd_junk_command_limit (100) - The number of junk commands (NOOP, VRFY, ETRN or + The number of junk commands (NOOP, VRFY, ETRN or RSET) that a remote SMTP client can send before the - Postfix SMTP server starts to increment the error + Postfix SMTP server starts to increment the error counter with each junk command. Available in Postfix version 2.1 and later: smtpd_recipient_overshoot_limit (1000) - The number of recipients that a remote SMTP client - can send in excess of the limit specified with + The number of recipients that a remote SMTP client + can send in excess of the limit specified with $smtpd_recipient_limit, before the Postfix SMTP - server increments the per-session error count for + server increments the per-session error count for each excess recipient. ACCESS POLICY DELEGATION CONTROLS - As of version 2.1, Postfix can be configured to delegate - access policy decisions to an external server that runs - outside Postfix. 
See the file SMTPD_POLICY_README for + As of version 2.1, Postfix can be configured to delegate + access policy decisions to an external server that runs + outside Postfix. See the file SMTPD_POLICY_README for more information. smtpd_policy_service_max_idle (300s) - The time after which an idle SMTPD policy service + The time after which an idle SMTPD policy service connection is closed. smtpd_policy_service_max_ttl (1000s) 
@@ -491,161 +506,161 @@ SMTPD(8) SMTPD(8) connection is closed. smtpd_policy_service_timeout (100s) - The time limit for connecting to, writing to or + The time limit for connecting to, writing to or receiving from a delegated SMTPD policy server. ACCESS CONTROLS - The SMTPD_ACCESS_README document gives an introduction to + The SMTPD_ACCESS_README document gives an introduction to all the SMTP server access control features. smtpd_delay_reject (yes) - Wait until the RCPT TO command before evaluating + Wait until the RCPT TO command before evaluating $smtpd_client_restrictions, $smtpd_helo_restric- tions and $smtpd_sender_restrictions, or wait until - the ETRN command before evaluating + the ETRN command before evaluating $smtpd_client_restrictions and $smtpd_helo_restric- tions. - parent_domain_matches_subdomains (see 'postconf -d' out- + parent_domain_matches_subdomains (see 'postconf -d' out- put) What Postfix features match subdomains of "domain.tld" automatically, instead of requiring an explicit ".domain.tld" pattern. smtpd_client_restrictions (empty) - Optional SMTP server access restrictions in the + Optional SMTP server access restrictions in the context of a client SMTP connection request. smtpd_helo_required (no) Require that a remote SMTP client introduces itself - at the beginning of an SMTP session with the HELO + at the beginning of an SMTP session with the HELO or EHLO command. smtpd_helo_restrictions (empty) - Optional restrictions that the Postfix SMTP server + Optional restrictions that the Postfix SMTP server applies in the context of the SMTP HELO command. smtpd_sender_restrictions (empty) - Optional restrictions that the Postfix SMTP server + Optional restrictions that the Postfix SMTP server applies in the context of the MAIL FROM command. 
smtpd_recipient_restrictions (permit_mynetworks, reject_unauth_destination) The access restrictions that the Postfix SMTP - server applies in the context of the RCPT TO com- + server applies in the context of the RCPT TO com- mand. smtpd_etrn_restrictions (empty) - Optional SMTP server access restrictions in the + Optional SMTP server access restrictions in the context of a client ETRN request. allow_untrusted_routing (no) - Forward mail with sender-specified routing - (user[@%!]remote[@%!]site) from untrusted clients + Forward mail with sender-specified routing + (user[@%!]remote[@%!]site) from untrusted clients to destinations matching $relay_domains. smtpd_restriction_classes (empty) - User-defined aliases for groups of access restric- + User-defined aliases for groups of access restric- tions. smtpd_null_access_lookup_key (<>) - The lookup key to be used in SMTP access(5) tables + The lookup key to be used in SMTP access(5) tables instead of the null sender address. permit_mx_backup_networks (empty) Restrict the use of the permit_mx_backup SMTP - access feature to only domains whose primary MX + access feature to only domains whose primary MX hosts match the listed networks. Available in Postfix version 2.0 and later: smtpd_data_restrictions (empty) - Optional access restrictions that the Postfix SMTP + Optional access restrictions that the Postfix SMTP server applies in the context of the SMTP DATA com- mand. smtpd_expansion_filter (see 'postconf -d' output) - What characters are allowed in $name expansions of + What characters are allowed in $name expansions of RBL reply templates. 
Available in Postfix version 2.1 and later: smtpd_reject_unlisted_sender (no) - Request that the Postfix SMTP server rejects mail - from unknown sender addresses, even when no - explicit reject_unlisted_sender access restriction + Request that the Postfix SMTP server rejects mail + from unknown sender addresses, even when no + explicit reject_unlisted_sender access restriction is specified. smtpd_reject_unlisted_recipient (yes) - Request that the Postfix SMTP server rejects mail + Request that the Postfix SMTP server rejects mail for unknown recipient addresses, even when no - explicit reject_unlisted_recipient access restric- + explicit reject_unlisted_recipient access restric- tion is specified. Available in Postfix version 2.2 and later: smtpd_end_of_data_restrictions (empty) - Optional access restrictions that the Postfix SMTP - server applies in the context of the SMTP END-OF- + Optional access restrictions that the Postfix SMTP + server applies in the context of the SMTP END-OF- DATA command. SENDER AND RECIPIENT ADDRESS VERIFICATION CONTROLS - Postfix version 2.1 introduces sender and recipient - address verification. This feature is implemented by - sending probe email messages that are not actually deliv- - ered. This feature is requested via the reject_unveri- - fied_sender and reject_unverified_recipient access - restrictions. The status of verification probes is main- + Postfix version 2.1 introduces sender and recipient + address verification. This feature is implemented by + sending probe email messages that are not actually deliv- + ered. This feature is requested via the reject_unveri- + fied_sender and reject_unverified_recipient access + restrictions. The status of verification probes is main- tained by the verify(8) server. See the file ADDRESS_VER- - IFICATION_README for information about how to configure + IFICATION_README for information about how to configure and operate the Postfix sender/recipient address verifica- tion service. 
address_verify_poll_count (3) - How many times to query the verify(8) service for - the completion of an address verification request + How many times to query the verify(8) service for + the completion of an address verification request in progress. address_verify_poll_delay (3s) - The delay between queries for the completion of an + The delay between queries for the completion of an address verification request in progress. address_verify_sender (postmaster) - The sender address to use in address verification + The sender address to use in address verification probes. unverified_sender_reject_code (450) - The numerical Postfix SMTP server response code - when a recipient address is rejected by the + The numerical Postfix SMTP server response code + when a recipient address is rejected by the reject_unverified_sender restriction. unverified_recipient_reject_code (450) - The numerical Postfix SMTP server response when a + The numerical Postfix SMTP server response when a recipient address is rejected by the reject_unveri- fied_recipient restriction. ACCESS CONTROL RESPONSES - The following parameters control numerical SMTP reply + The following parameters control numerical SMTP reply codes and/or text responses. access_map_reject_code (554) - The numerical Postfix SMTP server response code - when a client is rejected by an access(5) map + The numerical Postfix SMTP server response code + when a client is rejected by an access(5) map restriction. defer_code (450) - The numerical Postfix SMTP server response code - when a remote SMTP client request is rejected by + The numerical Postfix SMTP server response code + when a remote SMTP client request is rejected by the "defer" restriction. 
invalid_hostname_reject_code (501) - The numerical Postfix SMTP server response code - when the client HELO or EHLO command parameter is - rejected by the reject_invalid_hostname restric- + The numerical Postfix SMTP server response code + when the client HELO or EHLO command parameter is + rejected by the reject_invalid_hostname restric- tion. maps_rbl_reject_code (554) - The numerical Postfix SMTP server response code + The numerical Postfix SMTP server response code when a remote SMTP client request is blocked by the reject_rbl_client, reject_rhsbl_client, reject_rhsbl_sender or reject_rhsbl_recipient 
@@ -653,47 +668,47 @@ SMTPD(8) SMTPD(8) non_fqdn_reject_code (504) The numerical Postfix SMTP server reply code when a - client request is rejected by the + client request is rejected by the reject_non_fqdn_hostname, reject_non_fqdn_sender or reject_non_fqdn_recipient restriction. reject_code (554) - The numerical Postfix SMTP server response code - when a remote SMTP client request is rejected by + The numerical Postfix SMTP server response code + when a remote SMTP client request is rejected by the "reject" restriction. relay_domains_reject_code (554) - The numerical Postfix SMTP server response code - when a client request is rejected by the + The numerical Postfix SMTP server response code + when a client request is rejected by the reject_unauth_destination recipient restriction. unknown_address_reject_code (450) - The numerical Postfix SMTP server response code - when a sender or recipient address is rejected by + The numerical Postfix SMTP server response code + when a sender or recipient address is rejected by the reject_unknown_sender_domain or reject_unknown_recipient_domain restriction. unknown_client_reject_code (450) - The numerical Postfix SMTP server response code - when a client without valid address <=> name map- - ping is rejected by the reject_unknown_client + The numerical Postfix SMTP server response code + when a client without valid address <=> name map- + ping is rejected by the reject_unknown_client restriction. unknown_hostname_reject_code (450) - The numerical Postfix SMTP server response code - when the hostname specified with the HELO or EHLO - command is rejected by the reject_unknown_hostname + The numerical Postfix SMTP server response code + when the hostname specified with the HELO or EHLO + command is rejected by the reject_unknown_hostname restriction. 
Available in Postfix version 2.0 and later: default_rbl_reply (see 'postconf -d' output) - The default SMTP server response template for a - request that is rejected by an RBL-based restric- + The default SMTP server response template for a + request that is rejected by an RBL-based restric- tion. multi_recipient_bounce_reject_code (550) - The numerical Postfix SMTP server response code + The numerical Postfix SMTP server response code when a remote SMTP client request is blocked by the reject_multi_recipient_bounce restriction. @@ -702,16 +717,16 @@ SMTPD(8) SMTPD(8) MISCELLANEOUS CONTROLS config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and + The default location of the Postfix main.cf and master.cf configuration files. daemon_timeout (18000s) - How much time a Postfix daemon process may take to - handle a request before it is terminated by a + How much time a Postfix daemon process may take to + handle a request before it is terminated by a built-in watchdog timer. command_directory (see 'postconf -d' output) - The location of all postfix administrative com- + The location of all postfix administrative com- mands. double_bounce_sender (double-bounce) 
@@ -732,36 +747,36 @@ SMTPD(8) SMTPD(8) and most Postfix daemon processes. max_idle (100s) - The maximum amount of time that an idle Postfix - daemon process waits for the next service request + The maximum amount of time that an idle Postfix + daemon process waits for the next service request before exiting. max_use (100) - The maximal number of connection requests before a + The maximal number of connection requests before a Postfix daemon process terminates. myhostname (see 'postconf -d' output) The internet hostname of this mail system. mynetworks (see 'postconf -d' output) - The list of "trusted" SMTP clients that have more + The list of "trusted" SMTP clients that have more privileges than "strangers". myorigin ($myhostname) The domain name that locally-posted mail appears to - come from, and that locally posted mail is deliv- + come from, and that locally posted mail is deliv- ered to. process_id (read-only) - The process ID of a Postfix command or daemon pro- + The process ID of a Postfix command or daemon pro- cess. process_name (read-only) - The process name of a Postfix command or daemon + The process name of a Postfix command or daemon process. queue_directory (see 'postconf -d' output) - The location of the Postfix top-level queue direc- + The location of the Postfix top-level queue direc- tory. recipient_delimiter (empty) 
@@ -769,22 +784,22 @@ SMTPD(8) SMTPD(8) sions (user+foo). smtpd_banner ($myhostname ESMTP $mail_name) - The text that follows the 220 status code in the + The text that follows the 220 status code in the SMTP greeting banner. syslog_facility (mail) The syslog facility of Postfix logging. syslog_name (postfix) - The mail system name that is prepended to the pro- + The mail system name that is prepended to the pro- cess name in syslog records, so that "smtpd" becomes, for example, "postfix/smtpd". Available in Postfix version 2.2 and later: smtpd_forbidden_commands (CONNECT, GET, POST) - List of commands that causes the Postfix SMTP - server to immediately terminate the session with a + List of commands that causes the Postfix SMTP + server to immediately terminate the session with a 221 code. SEE ALSO @@ -811,7 +826,7 @@ SMTPD(8) SMTPD(8) XFORWARD_README, Postfix XFORWARD extension LICENSE - The Secure Mailer license must be distributed with this + The Secure Mailer license must be distributed with this software. AUTHOR(S) diff --git a/postfix/man/man1/postcat.1 b/postfix/man/man1/postcat.1 index 2d7051309..d3942d142 100644 --- a/postfix/man/man1/postcat.1 +++ b/postfix/man/man1/postcat.1 @@ -8,7 +8,7 @@ show Postfix queue file contents .SH "SYNOPSIS" .na .nf -\fBpostcat\fR [\fB-vq\fR] [\fB-c \fIconfig_dir\fR] [\fIfiles\fR...] +\fBpostcat\fR [\fB-oqv\fR] [\fB-c \fIconfig_dir\fR] [\fIfiles\fR...] .SH DESCRIPTION .ad .fi @@ -22,6 +22,8 @@ Options: .IP "\fB-c \fIconfig_dir\fR" The \fBmain.cf\fR configuration file is in the named directory instead of the default configuration directory. +.IP \fB-o\fR +Print the queue file offset of each record. .IP \fB-q\fR Search the Postfix queue for the named \fIfiles\fR instead of taking the names literally. diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 5bf87ce68..9be873ba1 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 
@@ -1793,6 +1793,16 @@ This is not a problem, because 1) mail for root should always be aliased to a real user and 2) don't log in as root, use "su" instead. .PP The following environment variables are exported to the command: +.IP "\fBCLIENT_ADDRESS\fR" +Remote client network address. Available in Postfix 2.2 and +later. +.IP "\fBCLIENT_HELO\fR" +Remote client EHLO command parameter. Available in Postfix 2.2 +and later. +.IP "\fBCLIENT_HOSTNAME\fR" +Remote client hostname. Available in Postfix 2.2 and later. +.IP "\fBCLIENT_PROTOCOL\fR" +Remote client protocol. Available in Postfix 2.2 and later. .IP "\fBDOMAIN\fR" The domain part of the recipient address. .IP "\fBEXTENSION\fR" @@ -1805,6 +1815,15 @@ The recipient address localpart. The recipient's username. .IP "\fBRECIPIENT\fR" The full recipient address. +.IP "\fBSASL_METHOD\fR" +SASL authentication method specified in the remote client AUTH +command. Available in Postfix 2.2 and later. +.IP "\fBSASL_SENDER\fR" +SASL sender address specified in the remote client MAIL FROM +command. Available in Postfix 2.2 and later. +.IP "\fBSASL_USER\fR" +SASL username specified in the remote client AUTH command. +Available in Postfix 2.2 and later. .IP "\fBSENDER\fR" The full sender address. .IP "\fBSHELL\fR" 
@@ -3029,6 +3048,16 @@ the entry in the master.cf file. Setting this parameter to a value of 1 changes the meaning of smtp_destination_concurrency_limit from concurrency per domain into concurrency per recipient. +.SH smtp_disable_ehlo_keyword_address_maps (default: empty) +Lookup tables, indexed by the remote SMTP server address, with +case insensitive lists of EHLO keywords (pipelining, starttls, +auth, etc.) that the SMTP client will ignore in the EHLO response +from a remote SMTP server. +.SH smtp_disable_ehlo_keywords (default: empty) +A case insensitive list of EHLO keywords (pipelining, starttls, +auth, etc.) that the SMTP client will ignore in the EHLO response +from a remote SMTP server. Use the smtp_disable_ehlo_keyword_address_maps +feature to disable EHLO keywords selectively. .SH smtp_helo_name (default: $myhostname) The hostname to send in the SMTP EHLO or HELO command. .PP @@ -3625,6 +3654,16 @@ The default setting has one major benefit: it allows Postfix to log recipient address information when rejecting a client name/address or sender address, so that it is possible to find out whose mail is being rejected. +.SH smtpd_disable_ehlo_keyword_address_maps (default: empty) +Lookup tables, indexed by the remote SMTP client address, with +case insensitive lists of EHLO keywords (pipelining, starttls, +auth, etc.) that the SMTP server will not send in the EHLO response +to a remote SMTP client. +.SH smtpd_disable_ehlo_keywords (default: empty) +A case insensitive list of EHLO keywords (pipelining, starttls, +auth, etc.) that the SMTP server will not send in the EHLO response +to a remote SMTP client. Use the smtpd_disable_ehlo_keyword_address_maps +feature to disable EHLO keywords selectively. .SH smtpd_end_of_data_restrictions (default: empty) Optional access restrictions that the Postfix SMTP server applies in the context of the SMTP END-OF-DATA command. diff --git a/postfix/man/man8/local.8 b/postfix/man/man8/local.8 index 62aed60e4..4816bf5be 100644 
--- a/postfix/man/man8/local.8 +++ b/postfix/man/man8/local.8 @@ -211,6 +211,26 @@ The entire recipient address. .IP \fBSENDER\fR The entire sender address. .PP +Additional remote client information is made available via +the following pseudo variables: +.IP \fBCLIENT_ADDRESS\fR +Remote client network address. Available as of Postfix 2.2. +.IP \fBCLIENT_HELO\fR +Remote client EHLO command parameter. Available as of Postfix 2.2. +.IP \fBCLIENT_HOSTNAME\fR +Remote client hostname. Available as of Postfix 2.2. +.IP \fBCLIENT_PROTOCOL\fR +Remote client protocol. Available as of Postfix 2.2. +.IP \fBSASL_METHOD\fR +SASL authentication method specified in the +remote client AUTH command. Available as of Postfix 2.2. +.IP \fBSASL_SENDER\fR +SASL sender address specified in the remote client MAIL +FROM command. Available as of Postfix 2.2. +.IP \fBSASL_USERNAME\fR +SASL username specified in the remote client AUTH command. +Available as of Postfix 2.2. +.PP The \fBPATH\fR environment variable is always reset to a system-dependent default path, and environment variables whose names are blessed by the \fBexport_environment\fR diff --git a/postfix/man/man8/pipe.8 b/postfix/man/man8/pipe.8 index adb0b2a93..b4c9c3410 100644 --- a/postfix/man/man8/pipe.8 +++ b/postfix/man/man8/pipe.8 
@@ -141,6 +141,22 @@ In addition to the form ${\fIname\fR}, the forms $\fIname\fR and $(\fIname\fR) are also recognized. Specify \fB$$\fR where a single \fB$\fR is wanted. .RS +.IP \fB${\fBclient_address\fR}\fR +This macro expands to the remote client network address. +.sp +This is available in Postfix 2.2 and later. +.IP \fB${\fBclient_helo\fR}\fR +This macro expands to the remote client HELO command parameter. +.sp +This is available in Postfix 2.2 and later. +.IP \fB${\fBclient_hostname\fR}\fR +This macro expands to the remote client hostname. +.sp +This is available in Postfix 2.2 and later. +.IP \fB${\fBclient_protocol\fR}\fR +This macro expands to the remote client protocol. +.sp +This is available in Postfix 2.2 and later. .IP \fB${\fBextension\fR}\fR This macro expands to the extension part of a recipient address. For example, with an address \fIuser+foo@domain\fR the extension is diff --git a/postfix/man/man8/smtp.8 b/postfix/man/man8/smtp.8 index d14b61a70..0e6c2a7a8 100644 --- a/postfix/man/man8/smtp.8 +++ b/postfix/man/man8/smtp.8 @@ -128,6 +128,17 @@ Available in Postfix version 2.0 and earlier: .IP "\fBsmtp_skip_4xx_greeting (yes)\fR" Skip SMTP servers that greet with a 4XX status code (go away, try again later). +.PP +Available in Postfix version 2.2 and later: +.IP "\fBsmtp_disable_ehlo_keyword_address_maps (empty)\fR" +Lookup tables, indexed by the remote SMTP server address, with +case insensitive lists of EHLO keywords (pipelining, starttls, +auth, etc.) that the SMTP client will ignore in the EHLO response +from a remote SMTP server. +.IP "\fBsmtp_disable_ehlo_keywords (empty)\fR" +A case insensitive list of EHLO keywords (pipelining, starttls, +auth, etc.) that the SMTP client will ignore in the EHLO response +from a remote SMTP server. .SH "MIME PROCESSING CONTROLS" .na .nf diff --git a/postfix/man/man8/smtpd.8 b/postfix/man/man8/smtpd.8 index a5d7d7c78..e33616534 100644 --- a/postfix/man/man8/smtpd.8 +++ b/postfix/man/man8/smtpd.8 
@@ -102,6 +102,17 @@ sender addresses, even when no explicit reject_unlisted_sender access restriction is specified. .IP "\fBsmtpd_sasl_exceptions_networks (empty)\fR" What SMTP clients Postfix will not offer AUTH support to. +.PP +Available in Postfix version 2.2 and later: +.IP "\fBsmtpd_disable_ehlo_keyword_address_maps (empty)\fR" +Lookup tables, indexed by the remote SMTP client address, with +case insensitive lists of EHLO keywords (pipelining, starttls, +auth, etc.) that the SMTP server will not send in the EHLO response +to a remote SMTP client. +.IP "\fBsmtpd_disable_ehlo_keywords (empty)\fR" +A case insensitive list of EHLO keywords (pipelining, starttls, +auth, etc.) that the SMTP server will not send in the EHLO response +to a remote SMTP client. .SH "ADDRESS REWRITING CONTROLS" .na .nf diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink index 2d277c307..848ecaed5 100755 --- a/postfix/mantools/postlink +++ b/postfix/mantools/postlink @@ -330,6 +330,9 @@ while (<>) { s;\bsmtp_destination_recip[-]*\n* *[]*ient_limit\b;$&;g; s;\bvir[-]*\n*[ ]*tual_destination_concurrency_limit\b;$&;g; s;\bvir[-]*\n*[ ]*tual_destination_recip[-]*\n* *[]*ient_limit\b;$&;g; + s;\bsmtp_disable_ehlo_keyword_address_maps\b;$&;g; + s;\bsmtp_disable_ehlo_keywords\b;$&;g; + s;\bsmtp_helo_name\b;$&;g; s;\bsmtp_helo_name\b;$&;g; s;\bsmtp_helo_timeout\b;$&;g; s;\bsmtp_host_lookup\b;$&;g; @@ -366,6 +369,8 @@ while (<>) { s;\bsmtpd_client_restrictions\b;$&;g; s;\bsmtpd_data_restrictions\b;$&;g; s;\bsmtpd_delay_reject\b;$&;g; + s;\bsmtpd_disable_ehlo_keyword_address_maps\b;$&;g; + s;\bsmtpd_disable_ehlo_keywords\b;$&;g; s;\bsmtpd_end_of_data_restrictions\b;$&;g; s;\bsmtpd_error_sleep_time\b;$&;g; s;\bsmtpd_etrn_restrictions\b;$&;g; diff --git a/postfix/proto/OVERVIEW.html b/postfix/proto/OVERVIEW.html index 0922cacc0..64e12f11a 100644 --- a/postfix/proto/OVERVIEW.html +++ b/postfix/proto/OVERVIEW.html 
@@ -536,15 +536,16 @@ service to Postfix processes. This overcomes chroot restrictions, and reduces the number of open lookup tables by sharing one open table among multiple processes.

    -
  • The scache(8) server maintains the session cache for the -Postfix smtp(8) client. When session caching is enabled for selected +

  • The scache(8) server maintains the connection cache for +the Postfix smtp(8) client. When connection caching is enabled for +selected destinations, the smtp(8) client does not disconnect immediately -after a mail transaction, but gives the connection to the session +after a mail transaction, but gives the connection to the connection cache server. The smtp(8) client continues with some other mail -delivery request. Meanwhile, the session cache server keeps the +delivery request. Meanwhile, the connection cache server keeps the connection open for a limited amount of time. During that time, any smtp(8) process can ask the scache(8) server for that cached -session and use it for mail delivery.

    +connection and use it for mail delivery.

  • diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 433b64bcc..888419d94 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -2092,6 +2092,26 @@ The following environment variables are exported to the command:
    +
    CLIENT_ADDRESS
    + +
    Remote client network address. Available in Postfix 2.2 and +later.
    + +
    CLIENT_HELO
    + +
    Remote client EHLO command parameter. Available in Postfix 2.2 +and later.
    + +
    CLIENT_HOSTNAME
    + +
    Remote client hostname. Available in Postfix 2.2 and later. +
    + +
    CLIENT_PROTOCOL
    + +
    Remote client protocol. Available in Postfix 2.2 and later. +
    +
    DOMAIN
    The domain part of the recipient address.
    @@ -2116,6 +2136,21 @@ The following environment variables are exported to the command:
    The full recipient address.
    +
    SASL_METHOD
    + +
    SASL authentication method specified in the remote client AUTH +command. Available in Postfix 2.2 and later.
    + +
    SASL_SENDER
    + +
    SASL sender address specified in the remote client MAIL FROM +command. Available in Postfix 2.2 and later.
    + +
    SASL_USER
    + +
    SASL username specified in the remote client AUTH command. +Available in Postfix 2.2 and later.
    +
    SENDER
    The full sender address.
    @@ -7224,6 +7259,34 @@ remote domains. Available before Postfix version 2.0. With Postfix 2.1 and later, this is replaced by separate controls: virtual_alias_domains and virtual_alias_maps.

    +%PARAM smtp_disable_ehlo_keywords + +

    A case insensitive list of EHLO keywords (pipelining, starttls, +auth, etc.) that the SMTP client will ignore in the EHLO response +from a remote SMTP server. Use the smtp_disable_ehlo_keyword_address_maps +feature to disable EHLO keywords selectively.

    + +%PARAM smtpd_disable_ehlo_keywords + +

    A case insensitive list of EHLO keywords (pipelining, starttls, +auth, etc.) that the SMTP server will not send in the EHLO response +to a remote SMTP client. Use the smtpd_disable_ehlo_keyword_address_maps +feature to disable EHLO keywords selectively.

    + +%PARAM smtp_disable_ehlo_keyword_address_maps + +

    Lookup tables, indexed by the remote SMTP server address, with +case insensitive lists of EHLO keywords (pipelining, starttls, +auth, etc.) that the SMTP client will ignore in the EHLO response +from a remote SMTP server.

    + +%PARAM smtpd_disable_ehlo_keyword_address_maps + +

    Lookup tables, indexed by the remote SMTP client address, with +case insensitive lists of EHLO keywords (pipelining, starttls, +auth, etc.) that the SMTP server will not send in the EHLO response +to a remote SMTP client.

    + %PARAM session_cache_service scache

    The name of the scache(8) connection cache service. This service diff --git a/postfix/src/global/Makefile.in b/postfix/src/global/Makefile.in index 0f23fb940..6c8b786cc 100644 --- a/postfix/src/global/Makefile.in +++ b/postfix/src/global/Makefile.in @@ -23,7 +23,8 @@ SRCS = abounce.c anvil_clnt.c been_here.c bounce.c bounce_log.c \ sys_exits.c timed_ipc.c tok822_find.c tok822_node.c tok822_parse.c \ tok822_resolve.c tok822_rewrite.c tok822_tree.c trace.c verify.c \ verify_clnt.c verp_sender.c virtual8_maps.c xtext.c scache_single.c \ - scache_clnt.c scache_multi.c user_acl.c mkmap_cdb.c mkmap_sdbm.c + scache_clnt.c scache_multi.c user_acl.c mkmap_cdb.c mkmap_sdbm.c \ + ehlo_mask.c OBJS = abounce.o anvil_clnt.o been_here.o bounce.o bounce_log.o \ canon_addr.o cfg_parser.o cleanup_strerror.o cleanup_strflags.o \ clnt_stream.o debug_peer.o debug_process.o defer.o \ @@ -48,7 +49,8 @@ OBJS = abounce.o anvil_clnt.o been_here.o bounce.o bounce_log.o \ sys_exits.o timed_ipc.o tok822_find.o tok822_node.o tok822_parse.o \ tok822_resolve.o tok822_rewrite.o tok822_tree.o trace.o verify.o \ verify_clnt.o verp_sender.o virtual8_maps.o xtext.o scache_single.o \ - scache_clnt.o scache_multi.o user_acl.o mkmap_cdb.o mkmap_sdbm.o + scache_clnt.o scache_multi.o user_acl.o mkmap_cdb.o mkmap_sdbm.o \ + ehlo_mask.o HDRS = abounce.h anvil_clnt.h been_here.h bounce.h bounce_log.h \ canon_addr.h cfg_parser.h cleanup_user.h clnt_stream.h config.h \ debug_peer.h debug_process.h defer.h deliver_completed.h \ @@ -69,7 +71,7 @@ HDRS = abounce.h anvil_clnt.h been_here.h bounce.h bounce_log.h \ resolve_local.h rewrite_clnt.h sent.h smtp_stream.h split_addr.h \ string_list.h strip_addr.h sys_exits.h timed_ipc.h tok822.h \ trace.h verify.h verify_clnt.h verp_sender.h virtual8_maps.h \ - xtext.h scache.h user_acl.h + xtext.h scache.h user_acl.h ehlo_mask.h TESTSRC = rec2stream.c stream2rec.c recdump.c DEFS = -I. -I$(INC_DIR) -D$(SYSTYPE) CFLAGS = $(DEBUG) $(OPT) $(DEFS) 
@@ -80,7 +82,7 @@ TESTPROG= domain_list dot_lockfile mail_addr_crunch mail_addr_find \ off_cvt quote_822_local rec2stream recdump resolve_clnt \ resolve_local rewrite_clnt stream2rec string_list tok822_parse \ quote_821_local mail_conf_time mime_state strip_addr \ - virtual8_maps verify_clnt xtext anvil_clnt scache + virtual8_maps verify_clnt xtext anvil_clnt scache ehlo_mask LIBS = ../../lib/libutil.a LIB_DIR = ../../lib @@ -251,9 +253,12 @@ anvil_clnt: $(LIB) $(LIBS) scache: scache.c $(LIB) $(LIBS) $(CC) $(CFLAGS) -DTEST -o $@ $@.c $(LIB) $(LIBS) $(SYSLIBS) +ehlo_mask: ehlo_mask.c $(LIB) $(LIBS) + $(CC) $(CFLAGS) -DTEST -o $@ $@.c $(LIB) $(LIBS) $(SYSLIBS) + tests: tok822_test mime_test mime_nest mime_8bit mime_dom mime_trunc \ mime_cvt mime_cvt2 mime_cvt3 strip_addr_test tok822_limit_test \ - virtual8_test xtext_test scache_multi_test + virtual8_test xtext_test scache_multi_test ehlo_mask_test tok822_test: tok822_parse tok822_parse.in tok822_parse.ref ./tok822_parse tok822_parse.tmp 2>&1 @@ -352,6 +357,11 @@ scache_multi_test: scache scache_multi.in scache_multi.ref diff scache_multi.ref scache_multi.tmp rm -f scache_multi.tmp +ehlo_mask_test: ehlo_mask ehlo_mask.in ehlo_mask.ref + ./ehlo_mask ehlo_mask.tmp + diff ehlo_mask.ref ehlo_mask.tmp + rm -f ehlo_mask.tmp + printfck: $(OBJS) $(PROG) rm -rf printfck mkdir printfck @@ -619,6 +629,10 @@ dot_lockfile_as.o: dot_lockfile.h dot_lockfile_as.o: ../../include/vstring.h dot_lockfile_as.o: ../../include/vbuf.h dot_lockfile_as.o: dot_lockfile_as.h +ehlo_mask.o: ehlo_mask.c +ehlo_mask.o: ../../include/sys_defs.h +ehlo_mask.o: ../../include/name_mask.h +ehlo_mask.o: ehlo_mask.h ext_prop.o: ext_prop.c ext_prop.o: ../../include/sys_defs.h ext_prop.o: ../../include/name_mask.h diff --git a/postfix/src/global/ehlo_mask.c b/postfix/src/global/ehlo_mask.c new file mode 100644 index 000000000..ea42bf7c0 --- /dev/null +++ b/postfix/src/global/ehlo_mask.c 
@@ -0,0 +1,129 @@ +/*++ +/* NAME +/* ehlo_mask 3 +/* SUMMARY +/* map EHLO keywords to bit mask +/* SYNOPSIS +/* #include +/* +/* #define EHLO_MASK_8BITMIME (1<<0) +/* #define EHLO_MASK_PIPELINING (1<<1) +/* #define EHLO_MASK_SIZE (1<<2) +/* #define EHLO_MASK_VRFY (1<<3) +/* #define EHLO_MASK_ETRN (1<<4) +/* #define EHLO_MASK_AUTH (1<<5) +/* #define EHLO_MASK_VERP (1<<6) +/* #define EHLO_MASK_STARTTLS (1<<7) +/* #define EHLO_MASK_XCLIENT (1<<8) +/* #define EHLO_MASK_XFORWARD (1<<9) +/* +/* int ehlo_mask(keyword_list) +/* const char *keyword_list; +/* +/* const char *str_ehlo_mask(bitmask) +/* int bitmask; +/* DESCRIPTION +/* ehlo_mask() computes the bit-wise OR of the masks that correspond +/* to the names listed in the \fIkeyword_list\fR argument, separated by +/* comma and/or whitespace characters. Undefined names are silently +/* ignored. +/* +/* str_ehlo_mask() translates a mask into its equivalent names. +/* The result is written to a static buffer that is overwritten +/* upon each call. Undefined bits cause a fatal run-time error. +/* DIAGNOSTICS +/* Fatal: str_ehlo_mask() found an undefined bit. +/* LICENSE +/* .ad +/* .fi +/* The Secure Mailer license must be distributed with this software. +/* AUTHOR(S) +/* Wietse Venema +/* IBM T.J. Watson Research +/* P.O. Box 704 +/* Yorktown Heights, NY 10598, USA +/*--*/ + +/* System library.*/ + +#include + +/* Utility library. */ + +#include + +/* Global library. */ + +#include + + /* + * The lookup table. 
+ */ +static NAME_MASK ehlo_mask_table[] = { + "8BITMIME", EHLO_MASK_8BITMIME, + "AUTH", EHLO_MASK_AUTH, + "ETRN", EHLO_MASK_ETRN, + "PIPELINING", EHLO_MASK_PIPELINING, + "SIZE", EHLO_MASK_SIZE, + "VERP", EHLO_MASK_VERP, + "VRFY", EHLO_MASK_VRFY, + "XCLIENT", EHLO_MASK_XCLIENT, + "XFORWARD", EHLO_MASK_XFORWARD, + "STARTTLS", EHLO_MASK_STARTTLS, + 0, +}; + +/* ehlo_mask - string to bit mask */ + +int ehlo_mask(const char *mask_str) +{ + + /* + * We allow "STARTTLS" besides "starttls, because EHLO keywords are often + * spelled in uppercase. We ignore non-existent EHLO keywords so people + * can switch between Postfix versions without trouble. + */ + return (name_mask_opt("ehlo string mask", ehlo_mask_table, + mask_str, NAME_MASK_ANY_CASE)); +} + +/* str_ehlo_mask - mask to string */ + +const char *str_ehlo_mask(int mask_bits) +{ + + /* + * We don't allow non-existent bits. Doing so makes no sense at this + * time. + */ + return (str_name_mask_opt("ehlo bitmask", ehlo_mask_table, + mask_bits, NAME_MASK_NONE)); +} + +#ifdef TEST + + /* + * Stand-alone test program. + */ +#include +#include +#include + +int main(int unused_argc, char **unused_argv) +{ + int mask_bits; + VSTRING *buf = vstring_alloc(1); + const char *mask_string; + + while (vstring_get_nonl(buf, VSTREAM_IN) != VSTREAM_EOF) { + mask_bits = ehlo_mask(vstring_str(buf)); + mask_string = str_ehlo_mask(mask_bits); + vstream_printf("%s -> 0x%x -> %s\n", vstring_str(buf), mask_bits, + mask_string); + vstream_fflush(VSTREAM_OUT); + } + vstring_free(buf); + exit(0); +} + +#endif diff --git a/postfix/src/global/ehlo_mask.h b/postfix/src/global/ehlo_mask.h new file mode 100644 index 000000000..1ade500ad --- /dev/null +++ b/postfix/src/global/ehlo_mask.h 
@@ -0,0 +1,43 @@ +#ifndef _EHLO_MASK_H_INCLUDED_ +#define _EHLO_MASK_H_INCLUDED_ + +/*++ +/* NAME +/* name_mask 3h +/* SUMMARY +/* map names to bit mask +/* SYNOPSIS +/* #include +/* DESCRIPTION +/* .nf + + /* + * External interface. + */ +#define EHLO_MASK_8BITMIME (1<<0) /* start of first byte */ +#define EHLO_MASK_PIPELINING (1<<1) +#define EHLO_MASK_SIZE (1<<2) +#define EHLO_MASK_VRFY (1<<3) +#define EHLO_MASK_ETRN (1<<4) +#define EHLO_MASK_AUTH (1<<5) +#define EHLO_MASK_VERP (1<<6) +#define EHLO_MASK_STARTTLS (1<<7) + +#define EHLO_MASK_XCLIENT (1<<8) /* start of second byte */ +#define EHLO_MASK_XFORWARD (1<<9) + +extern int ehlo_mask(const char *); +extern const char *str_ehlo_mask(int); + +/* LICENSE +/* .ad +/* .fi +/* The Secure Mailer license must be distributed with this software. +/* AUTHOR(S) +/* Wietse Venema +/* IBM T.J. Watson Research +/* P.O. Box 704 +/* Yorktown Heights, NY 10598, USA +/*--*/ + +#endif diff --git a/postfix/src/global/ehlo_mask.in b/postfix/src/global/ehlo_mask.in new file mode 100644 index 000000000..50fc24882 --- /dev/null +++ b/postfix/src/global/ehlo_mask.in @@ -0,0 +1,3 @@ +starttls, 8bitmime, verp, etrn, etrn +foobar, auth, pipelining, size, vrfy +xclient, xforward diff --git a/postfix/src/global/ehlo_mask.ref b/postfix/src/global/ehlo_mask.ref new file mode 100644 index 000000000..4c6dab355 --- /dev/null +++ b/postfix/src/global/ehlo_mask.ref @@ -0,0 +1,3 @@ +starttls, 8bitmime, verp, etrn, etrn -> 0x51 -> 8BITMIME ETRN VERP +foobar, auth, pipelining, size, vrfy -> 0x2e -> AUTH PIPELINING SIZE VRFY +xclient, xforward -> 0x180 -> XCLIENT XFORWARD diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index 051560976..76aadc51b 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h 
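Review bot: ehlo_mask.ref does not match the masks defined in ehlo_mask.h, so ehlo_mask_test will fail its diff as committed. With EHLO_MASK_STARTTLS at (1<<7), XCLIENT at (1<<8) and XFORWARD at (1<<9), the input "starttls, 8bitmime, verp, etrn, etrn" gives 0xd1 and must list STARTTLS, but the reference has "0x51 -> 8BITMIME ETRN VERP"; "xclient, xforward" gives 0x300, but the reference has 0x180. The reference looks as if it was generated before STARTTLS was given bit 7 and should be regenerated. In ehlo_mask.h the header comment still reads "name_mask 3h" and "map names to bit mask"; it should name ehlo_mask.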
@@ -2114,6 +2114,25 @@ extern char *var_remote_rwr_domain; #endif extern char *var_local_rwr_clients; + /* + * EHLO keyword filter. + */ +#define VAR_SMTPD_EHLO_DIS_WORDS "smtpd_disable_ehlo_keywords" +#define DEF_SMTPD_EHLO_DIS_WORDS "" +extern char *var_smtpd_ehlo_dis_words; + +#define VAR_SMTPD_EHLO_DIS_MAPS "smtpd_disable_ehlo_keyword_address_maps" +#define DEF_SMTPD_EHLO_DIS_MAPS "" +extern char *var_smtpd_ehlo_dis_maps; + +#define VAR_SMTP_EHLO_DIS_WORDS "smtp_disable_ehlo_keywords" +#define DEF_SMTP_EHLO_DIS_WORDS "" +extern char *var_smtp_ehlo_dis_words; + +#define VAR_SMTP_EHLO_DIS_MAPS "smtp_disable_ehlo_keyword_address_maps" +#define DEF_SMTP_EHLO_DIS_MAPS "" +extern char *var_smtp_ehlo_dis_maps; + /* LICENSE /* .ad /* .fi diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index bf355f8ed..395e08a9f 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change the patchlevel and the release date. Snapshots change the * release date only. */ -#define MAIL_RELEASE_DATE "20041215" +#define MAIL_RELEASE_DATE "20041218" #define MAIL_VERSION_NUMBER "2.2" #define VAR_MAIL_VERSION "mail_version" diff --git a/postfix/src/local/command.c b/postfix/src/local/command.c index 6bb68db8b..8241ff0ac 100644 --- a/postfix/src/local/command.c +++ b/postfix/src/local/command.c 
@@ -162,6 +162,18 @@ int deliver_command(LOCAL_STATE state, USER_ATTR usr_attr, const char *comma argv_add(env, "DOMAIN", state.msg_attr.domain, ARGV_END); if (state.msg_attr.extension) argv_add(env, "EXTENSION", state.msg_attr.extension, ARGV_END); + +#define EXPORT_REQUEST(name, value) \ + if ((value)[0]) argv_add(env, (name), (value), ARGV_END); + + EXPORT_REQUEST("CLIENT_HOSTNAME", state.msg_attr.request->client_name); + EXPORT_REQUEST("CLIENT_ADDRESS", state.msg_attr.request->client_addr); + EXPORT_REQUEST("CLIENT_HELO", state.msg_attr.request->client_helo); + EXPORT_REQUEST("CLIENT_PROTOCOL", state.msg_attr.request->client_proto); + EXPORT_REQUEST("SASL_METHOD", state.msg_attr.request->sasl_method); + EXPORT_REQUEST("SASL_SENDER", state.msg_attr.request->sasl_sender); + EXPORT_REQUEST("SASL_USERNAME", state.msg_attr.request->sasl_username); + argv_terminate(env); /* diff --git a/postfix/src/local/local.c b/postfix/src/local/local.c index ab3ea4558..19465075d 100644 --- a/postfix/src/local/local.c +++ b/postfix/src/local/local.c 
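Review bot: deliver_command() exports SASL_USERNAME, and the local.c manual text agrees, but the postconf.proto list of exported variables in this same patch documents it as SASL_USER; the documented name should be changed to match what is exported. The EXPORT_REQUEST macro also expands to a bare "if ((value)[0]) argv_add(...);" with its own trailing semicolon, which misbehaves if it is ever used in front of an else; wrapping the body in do { ... } while (0) and dropping the semicolon from the definition avoids that. The (value)[0] test assumes every request field is a non-null string, which deserves a comment at the macro.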
@@ -197,6 +197,26 @@ /* .IP \fBSENDER\fR /* The entire sender address. /* .PP +/* Additional remote client information is made available via +/* the following pseudo variables: +/* .IP \fBCLIENT_ADDRESS\fR +/* Remote client network address. Available as of Postfix 2.2. +/* .IP \fBCLIENT_HELO\fR +/* Remote client EHLO command parameter. Available as of Postfix 2.2. +/* .IP \fBCLIENT_HOSTNAME\fR +/* Remote client hostname. Available as of Postfix 2.2. +/* .IP \fBCLIENT_PROTOCOL\fR +/* Remote client protocol. Available as of Postfix 2.2. +/* .IP \fBSASL_METHOD\fR +/* SASL authentication method specified in the +/* remote client AUTH command. Available as of Postfix 2.2. +/* .IP \fBSASL_SENDER\fR +/* SASL sender address specified in the remote client MAIL +/* FROM command. Available as of Postfix 2.2. +/* .IP \fBSASL_USERNAME\fR +/* SASL username specified in the remote client AUTH command. +/* Available as of Postfix 2.2. +/* .PP /* The \fBPATH\fR environment variable is always reset to a /* system-dependent default path, and environment variables /* whose names are blessed by the \fBexport_environment\fR diff --git a/postfix/src/local/local_expand.c b/postfix/src/local/local_expand.c index 61806c96b..93bde453e 100644 --- a/postfix/src/local/local_expand.c +++ b/postfix/src/local/local_expand.c @@ -22,6 +22,14 @@ /* See mac_parse(3). /* .PP /* Attributes: +/* .IP client_address +/* The client network address. +/* .IP client_helo +/* The client HELO command parameter. +/* .IP client_hostname +/* The client hostname. +/* .IP client_protocol +/* The client protocol. /* .IP domain /* The recipient address domain. /* .IP extension @@ -36,6 +44,12 @@ /* The recipient delimiter. /* .IP shell /* The recipient shell program. +/* .IP sasl_method +/* The SASL authentication method. +/* .IP sasl_sender +/* The SASL MAIL FROM address. +/* .IP sasl_username +/* The SASL login name. /* .IP user /* The recipient user name. /* .PP 
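Review bot: the attribute list in the local_expand.c header comment now documents client_address, client_helo, client_hostname, client_protocol, sasl_method, sasl_sender and sasl_username, but the matching branches added to local_expand_lookup() in this file sit inside "#if 0", so each of these names falls through to the final "return (0)". Either hold the documentation back until the code is enabled, or say in the comment that these attributes are not yet expanded.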
@@ -122,6 +136,22 @@ static const char *local_expand_lookup(const char *name, int mode, char *ptr) return (local->state->msg_attr.extension); } else if (STREQ(name, "recipient_delimiter")) { return (*var_rcpt_delim ? var_rcpt_delim : 0); +#if 0 + } else if (STREQ(name, "client_hostname")) { + return (local->state->msg_attr.request->client_name); + } else if (STREQ(name, "client_address")) { + return (local->state->msg_attr.request->client_addr); + } else if (STREQ(name, "client_protocol")) { + return (local->state->msg_attr.request->client_proto); + } else if (STREQ(name, "client_helo")) { + return (local->state->msg_attr.request->client_helo); + } else if (STREQ(name, "sasl_method")) { + return (local->state->msg_attr.request->sasl_method); + } else if (STREQ(name, "sasl_sender")) { + return (local->state->msg_attr.request->sasl_sender); + } else if (STREQ(name, "sasl_username")) { + return (local->state->msg_attr.request->sasl_username); +#endif } else { return (0); } diff --git a/postfix/src/pipe/pipe.c b/postfix/src/pipe/pipe.c index 0b6e3ca07..c518f66e1 100644 --- a/postfix/src/pipe/pipe.c +++ b/postfix/src/pipe/pipe.c 
@@ -131,6 +131,22 @@ /* $(\fIname\fR) are also recognized. Specify \fB$$\fR where a single /* \fB$\fR is wanted. /* .RS +/* .IP \fB${\fBclient_address\fR}\fR +/* This macro expands to the remote client network address. +/* .sp +/* This is available in Postfix 2.2 and later. +/* .IP \fB${\fBclient_helo\fR}\fR +/* This macro expands to the remote client HELO command parameter. +/* .sp +/* This is available in Postfix 2.2 and later. +/* .IP \fB${\fBclient_hostname\fR}\fR +/* This macro expands to the remote client hostname. +/* .sp +/* This is available in Postfix 2.2 and later. +/* .IP \fB${\fBclient_protocol\fR}\fR +/* This macro expands to the remote client protocol. +/* .sp +/* This is available in Postfix 2.2 and later. /* .IP \fB${\fBextension\fR}\fR /* This macro expands to the extension part of a recipient address. /* For example, with an address \fIuser+foo@domain\fR the extension is @@ -359,6 +375,10 @@ #define PIPE_DICT_EXTENSION "extension" /* key */ #define PIPE_DICT_MAILBOX "mailbox" /* key */ #define PIPE_DICT_SIZE "size" /* key */ +#define PIPE_DICT_CLIENT_ADDR "client_address" /* key */ +#define PIPE_DICT_CLIENT_NAME "client_hostname" /* key */ +#define PIPE_DICT_CLIENT_PROTO "client_protocol" /* key */ +#define PIPE_DICT_CLIENT_HELO "client_helo" /* key */ #define PIPE_DICT_SASL_METHOD "sasl_method" /* key */ #define PIPE_DICT_SASL_USERNAME "sasl_username" /* key */ #define PIPE_DICT_SASL_SENDER "sasl_sender" /* key */ @@ -443,6 +463,10 @@ static int parse_callback(int type, VSTRING *buf, char *context) PIPE_DICT_EXTENSION, PIPE_FLAG_EXTENSION, PIPE_DICT_MAILBOX, PIPE_FLAG_MAILBOX, PIPE_DICT_SIZE, 0, + PIPE_DICT_CLIENT_ADDR, 0, + PIPE_DICT_CLIENT_NAME, 0, + PIPE_DICT_CLIENT_PROTO, 0, + PIPE_DICT_CLIENT_HELO, 0, PIPE_DICT_SASL_METHOD, 0, PIPE_DICT_SASL_USERNAME, 0, PIPE_DICT_SASL_SENDER, 0, 
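Review bot: the pipe.c manual text for ${client_helo} says "remote client HELO command parameter", while the local.c text added in this patch describes CLIENT_HELO as the "Remote client EHLO command parameter"; pick one wording (for example "HELO or EHLO") and use it in pipe.c, local.c, local_expand.c and postconf.proto. Since deliver_message() copies request->client_helo and the other client fields into the macro table as received, the manual text should also state that these values are whatever the remote client supplied, so that people who put ${client_helo} or ${sasl_sender} on a command line treat them as untrusted input.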
@@ -994,9 +1018,17 @@ static int deliver_message(DELIVER_REQUEST *request, char *service, char **argv) dict_update(PIPE_DICT_TABLE, PIPE_DICT_NEXTHOP, request->nexthop); vstring_sprintf(buf, "%ld", (long) request->data_size); dict_update(PIPE_DICT_TABLE, PIPE_DICT_SIZE, STR(buf)); + dict_update(PIPE_DICT_TABLE, PIPE_DICT_CLIENT_ADDR, + request->client_addr); + dict_update(PIPE_DICT_TABLE, PIPE_DICT_CLIENT_HELO, + request->client_helo); + dict_update(PIPE_DICT_TABLE, PIPE_DICT_CLIENT_NAME, + request->client_name); + dict_update(PIPE_DICT_TABLE, PIPE_DICT_CLIENT_PROTO, + request->client_proto); dict_update(PIPE_DICT_TABLE, PIPE_DICT_SASL_METHOD, request->sasl_method); - dict_update(PIPE_DICT_TABLE, PIPE_DICT_SASL_USERNAME, + dict_update(PIPE_DICT_TABLE, PIPE_DICT_SASL_USERNAME, request->sasl_username); dict_update(PIPE_DICT_TABLE, PIPE_DICT_SASL_SENDER, request->sasl_sender); diff --git a/postfix/src/postcat/postcat.c b/postfix/src/postcat/postcat.c index 935dc9c76..c9b6961ff 100644 --- a/postfix/src/postcat/postcat.c +++ b/postfix/src/postcat/postcat.c @@ -4,7 +4,7 @@ /* SUMMARY /* show Postfix queue file contents /* SYNOPSIS -/* \fBpostcat\fR [\fB-vq\fR] [\fB-c \fIconfig_dir\fR] [\fIfiles\fR...] +/* \fBpostcat\fR [\fB-oqv\fR] [\fB-c \fIconfig_dir\fR] [\fIfiles\fR...] /* DESCRIPTION /* The \fBpostcat\fR command prints the contents of the named /* \fIfiles\fR in human-readable form. The files are expected @@ -16,6 +16,8 @@ /* .IP "\fB-c \fIconfig_dir\fR" /* The \fBmain.cf\fR configuration file is in the named directory /* instead of the default configuration directory. +/* .IP \fB-o\fR +/* Print the queue file offset of each record. /* .IP \fB-q\fR /* Search the Postfix queue for the named \fIfiles\fR instead /* of taking the names literally. 
@@ -88,19 +90,21 @@ /* Application-specific. */ #define PC_FLAG_QUEUE (1<<0) /* search queue */ +#define PC_FLAG_OFFSET (1<<1) /* print record offsets */ #define STR vstring_str #define LEN VSTRING_LEN /* postcat - visualize Postfix queue file contents */ -static void postcat(VSTREAM *fp, VSTRING *buffer) +static void postcat(VSTREAM *fp, VSTRING *buffer, int flags) { int prev_type = 0; int rec_type; time_t time; int first = 1; int ch; + off_t offset; #define TEXT_RECORD(rec_type) \ (rec_type == REC_TYPE_CONT || rec_type == REC_TYPE_NORM) @@ -120,6 +124,8 @@ static void postcat(VSTREAM *fp, VSTRING *buffer) * Now look at the rest. */ for (;;) { + if (flags & PC_FLAG_OFFSET) + offset = vstream_ftell(fp); rec_type = rec_get(fp, buffer, 0); if (rec_type == REC_TYPE_ERROR) msg_fatal("record read error"); @@ -129,8 +135,11 @@ static void postcat(VSTREAM *fp, VSTRING *buffer) vstream_printf("*** ENVELOPE RECORDS %s ***\n", VSTREAM_PATH(fp)); first = 0; } - if (prev_type == REC_TYPE_CONT && !TEXT_RECORD(rec_type)) + if ((prev_type == REC_TYPE_CONT && !TEXT_RECORD(rec_type)) + || !(flags & PC_FLAG_OFFSET)) VSTREAM_PUTCHAR('\n'); + if (flags & PC_FLAG_OFFSET) + vstream_printf("%9lu ", (unsigned long) offset); switch (rec_type) { case REC_TYPE_TIME: case REC_TYPE_WARN: @@ -218,12 +227,15 @@ int main(int argc, char **argv) /* * Parse JCL. */ - while ((ch = GETOPT(argc, argv, "c:qv")) > 0) { + while ((ch = GETOPT(argc, argv, "c:oqv")) > 0) { switch (ch) { case 'c': if (setenv(CONF_ENV_PATH, optarg, 1) < 0) msg_fatal("out of memory"); break; + case 'o': + flags |= PC_FLAG_OFFSET; + break; case 'q': flags |= PC_FLAG_QUEUE; break; @@ -252,7 +264,7 @@ int main(int argc, char **argv) vstream_control(VSTREAM_IN, VSTREAM_CTL_PATH, "stdin", VSTREAM_CTL_END); - postcat(VSTREAM_IN, buffer); + postcat(VSTREAM_IN, buffer, flags); } /* 
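Review bot: in the record loop of postcat(), the added "|| !(flags & PC_FLAG_OFFSET)" makes VSTREAM_PUTCHAR('\n') run before every record whenever -o is not given, which changes the default output instead of only the -o output. If the goal is to start each offset-prefixed record on a fresh line, the extra test should be on the flag being set and should still depend on prev_type == REC_TYPE_CONT; please confirm against the output without -o. A smaller point in the same hunk: offset is an off_t but is printed with "%9lu" through an (unsigned long) cast, which truncates large offsets where long is 32 bits.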
@@ -269,7 +281,7 @@ int main(int argc, char **argv) fp = mail_queue_open(*cpp, argv[optind], O_RDONLY, 0); if (fp == 0) msg_fatal("open queue file %s: %m", argv[optind]); - postcat(fp, buffer); + postcat(fp, buffer, flags); if (vstream_fclose(fp)) msg_warn("close %s: %m", argv[optind]); optind++; @@ -283,7 +295,7 @@ int main(int argc, char **argv) while (optind < argc) { if ((fp = vstream_fopen(argv[optind], O_RDONLY, 0)) == 0) msg_fatal("open %s: %m", argv[optind]); - postcat(fp, buffer); + postcat(fp, buffer, flags); if (vstream_fclose(fp)) msg_warn("close %s: %m", argv[optind]); optind++; diff --git a/postfix/src/smtp/Makefile.in b/postfix/src/smtp/Makefile.in index b5ad1555e..ad9795994 100644 --- a/postfix/src/smtp/Makefile.in +++ b/postfix/src/smtp/Makefile.in @@ -80,6 +80,7 @@ smtp.o: ../../include/scache.h smtp.o: ../../include/string_list.h smtp.o: ../../include/match_list.h smtp.o: ../../include/match_ops.h +smtp.o: ../../include/maps.h smtp.o: ../../include/mail_server.h smtp.o: smtp.h smtp.o: ../../include/htable.h @@ -106,6 +107,8 @@ smtp_addr.o: ../../include/scache.h smtp_addr.o: ../../include/string_list.h smtp_addr.o: ../../include/match_list.h smtp_addr.o: ../../include/match_ops.h +smtp_addr.o: ../../include/maps.h +smtp_addr.o: ../../include/dict.h smtp_addr.o: smtp_addr.h smtp_chat.o: smtp_chat.c smtp_chat.o: ../../include/sys_defs.h @@ -132,6 +135,8 @@ smtp_chat.o: ../../include/scache.h smtp_chat.o: ../../include/string_list.h smtp_chat.o: ../../include/match_list.h smtp_chat.o: ../../include/match_ops.h +smtp_chat.o: ../../include/maps.h +smtp_chat.o: ../../include/dict.h smtp_connect.o: smtp_connect.c smtp_connect.o: ../../include/sys_defs.h smtp_connect.o: ../../include/msg.h 
@@ -163,6 +168,8 @@ smtp_connect.o: ../../include/scache.h smtp_connect.o: ../../include/string_list.h smtp_connect.o: ../../include/match_list.h smtp_connect.o: ../../include/match_ops.h +smtp_connect.o: ../../include/maps.h +smtp_connect.o: ../../include/dict.h smtp_connect.o: smtp_addr.h smtp_connect.o: smtp_reuse.h smtp_proto.o: smtp_proto.c @@ -194,8 +201,11 @@ smtp_proto.o: ../../include/mail_proto.h smtp_proto.o: ../../include/attr.h smtp_proto.o: ../../include/mime_state.h smtp_proto.o: ../../include/header_opts.h -smtp_proto.o: smtp.h +smtp_proto.o: ../../include/ehlo_mask.h +smtp_proto.o: ../../include/maps.h +smtp_proto.o: ../../include/dict.h smtp_proto.o: ../../include/argv.h +smtp_proto.o: smtp.h smtp_proto.o: ../../include/htable.h smtp_proto.o: ../../include/scache.h smtp_proto.o: ../../include/string_list.h @@ -219,6 +229,8 @@ smtp_rcpt.o: ../../include/scache.h smtp_rcpt.o: ../../include/string_list.h smtp_rcpt.o: ../../include/match_list.h smtp_rcpt.o: ../../include/match_ops.h +smtp_rcpt.o: ../../include/maps.h +smtp_rcpt.o: ../../include/dict.h smtp_reuse.o: smtp_reuse.c smtp_reuse.o: ../../include/sys_defs.h smtp_reuse.o: ../../include/msg.h @@ -237,6 +249,8 @@ smtp_reuse.o: ../../include/recipient_list.h smtp_reuse.o: ../../include/string_list.h smtp_reuse.o: ../../include/match_list.h smtp_reuse.o: ../../include/match_ops.h +smtp_reuse.o: ../../include/maps.h +smtp_reuse.o: ../../include/dict.h smtp_reuse.o: smtp_reuse.h smtp_reuse.o: ../../include/dns.h smtp_sasl_glue.o: smtp_sasl_glue.c @@ -280,6 +294,8 @@ smtp_sasl_proto.o: ../../include/scache.h smtp_sasl_proto.o: ../../include/string_list.h smtp_sasl_proto.o: ../../include/match_list.h smtp_sasl_proto.o: ../../include/match_ops.h +smtp_sasl_proto.o: ../../include/maps.h +smtp_sasl_proto.o: ../../include/dict.h smtp_sasl_proto.o: smtp_sasl.h smtp_session.o: smtp_session.c smtp_session.o: ../../include/sys_defs.h 
@@ -302,6 +318,8 @@ smtp_session.o: ../../include/scache.h smtp_session.o: ../../include/string_list.h smtp_session.o: ../../include/match_list.h smtp_session.o: ../../include/match_ops.h +smtp_session.o: ../../include/maps.h +smtp_session.o: ../../include/dict.h smtp_state.o: smtp_state.c smtp_state.o: ../../include/sys_defs.h smtp_state.o: ../../include/mymalloc.h @@ -318,6 +336,8 @@ smtp_state.o: ../../include/scache.h smtp_state.o: ../../include/string_list.h smtp_state.o: ../../include/match_list.h smtp_state.o: ../../include/match_ops.h +smtp_state.o: ../../include/maps.h +smtp_state.o: ../../include/dict.h smtp_state.o: smtp_sasl.h smtp_trouble.o: smtp_trouble.c smtp_trouble.o: ../../include/sys_defs.h @@ -342,6 +362,8 @@ smtp_trouble.o: ../../include/scache.h smtp_trouble.o: ../../include/string_list.h smtp_trouble.o: ../../include/match_list.h smtp_trouble.o: ../../include/match_ops.h +smtp_trouble.o: ../../include/maps.h +smtp_trouble.o: ../../include/dict.h smtp_unalias.o: smtp_unalias.c smtp_unalias.o: ../../include/sys_defs.h smtp_unalias.o: ../../include/htable.h @@ -358,3 +380,5 @@ smtp_unalias.o: ../../include/scache.h smtp_unalias.o: ../../include/string_list.h smtp_unalias.o: ../../include/match_list.h smtp_unalias.o: ../../include/match_ops.h +smtp_unalias.o: ../../include/maps.h +smtp_unalias.o: ../../include/dict.h diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c index 9ffad1b5c..11d6d5031 100644 --- a/postfix/src/smtp/smtp.c +++ b/postfix/src/smtp/smtp.c 
@@ -110,6 +110,17 @@ /* .IP "\fBsmtp_skip_4xx_greeting (yes)\fR" /* Skip SMTP servers that greet with a 4XX status code (go away, try /* again later). +/* .PP +/* Available in Postfix version 2.2 and later: +/* .IP "\fBsmtp_disable_ehlo_keyword_address_maps (empty)\fR" +/* Lookup tables, indexed by the remote SMTP server address, with +/* case insensitive lists of EHLO keywords (pipelining, starttls, +/* auth, etc.) that the SMTP client will ignore in the EHLO response +/* from a remote SMTP server. +/* .IP "\fBsmtp_disable_ehlo_keywords (empty)\fR" +/* A case insensitive list of EHLO keywords (pipelining, starttls, +/* auth, etc.) that the SMTP client will ignore in the EHLO response +/* from a remote SMTP server. /* MIME PROCESSING CONTROLS /* .ad /* .fi @@ -334,6 +345,7 @@ #include #include #include +#include /* Single server skeleton. */ @@ -389,6 +401,8 @@ int var_smtp_reuse_limit; char *var_smtp_cache_dest; char *var_scache_service; bool var_smtp_cache_demand; +char *var_smtp_ehlo_dis_words; +char *var_smtp_ehlo_dis_maps; /* * Global variables. smtp_errno is set by the address lookup routines and by @@ -398,6 +412,7 @@ int smtp_errno; int smtp_host_lookup_mask; STRING_LIST *smtp_cache_dest; SCACHE *smtp_scache; +MAPS *smtp_ehlo_disable_maps; /* deliver_message - deliver message with extreme prejudice */ @@ -540,6 +555,14 @@ static void pre_init(char *unused_name, char **unused_argv) */ if (*var_smtp_cache_dest) smtp_cache_dest = string_list_init(MATCH_FLAG_NONE, var_smtp_cache_dest); + + /* + * EHLO keyword filter. + */ + if (*var_smtp_ehlo_dis_maps) + smtp_ehlo_disable_maps = maps_create(VAR_SMTPD_EHLO_DIS_MAPS, + var_smtp_ehlo_dis_maps, + DICT_FLAG_LOCK); } /* pre_accept - see if tables have changed */ 
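Review bot: in pre_init() the SMTP client creates its table with maps_create(VAR_SMTPD_EHLO_DIS_MAPS, var_smtp_ehlo_dis_maps, DICT_FLAG_LOCK), so the name passed as the first argument is the smtpd parameter, smtpd_disable_ehlo_keyword_address_maps, while the value comes from the smtp parameter. This should be VAR_SMTP_EHLO_DIS_MAPS, which mail_params.h defines in this patch; as written, anything reported under that name points the administrator at the wrong parameter.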
@@ -581,6 +604,8 @@ int main(int argc, char **argv) VAR_SMTP_HOST_LOOKUP, DEF_SMTP_HOST_LOOKUP, &var_smtp_host_lookup, 1, 0, VAR_SMTP_CACHE_DEST, DEF_SMTP_CACHE_DEST, &var_smtp_cache_dest, 0, 0, VAR_SCACHE_SERVICE, DEF_SCACHE_SERVICE, &var_scache_service, 1, 0, + VAR_SMTP_EHLO_DIS_WORDS, DEF_SMTP_EHLO_DIS_WORDS, &var_smtp_ehlo_dis_words, 0, 0, + VAR_SMTP_EHLO_DIS_MAPS, DEF_SMTP_EHLO_DIS_MAPS, &var_smtp_ehlo_dis_maps, 0, 0, 0, }; static CONFIG_TIME_TABLE time_table[] = { diff --git a/postfix/src/smtp/smtp.h b/postfix/src/smtp/smtp.h index 6600c9658..d368b8c8d 100644 --- a/postfix/src/smtp/smtp.h +++ b/postfix/src/smtp/smtp.h @@ -30,6 +30,7 @@ #include #include #include +#include /* * State information associated with each SMTP delivery request. @@ -143,6 +144,8 @@ extern int smtp_host_lookup_mask; /* host lookup methods to use */ extern SCACHE *smtp_scache; /* connection cache instance */ extern STRING_LIST *smtp_cache_dest; /* cached destinations */ +extern MAPS *smtp_ehlo_disable_maps; /* ehlo keyword filter */ + /* * smtp_session.c */ diff --git a/postfix/src/smtp/smtp_proto.c b/postfix/src/smtp/smtp_proto.c index e90ac7095..e3fc7ca52 100644 --- a/postfix/src/smtp/smtp_proto.c +++ b/postfix/src/smtp/smtp_proto.c @@ -121,6 +121,8 @@ #include #include #include +#include +#include /* Application-specific. */ @@ -227,6 +229,8 @@ int smtp_helo(SMTP_STATE *state, int misc_flags) 0, 0, }; SOCKOPT_SIZE optlen; + const char *ehlo_words; + int disable_mask; /* * Prepare for disaster. 
@@ -302,6 +306,17 @@ int smtp_helo(SMTP_STATE *state, int misc_flags) return (0); } + /* + * Determine what server EHLO keywords to ignore, typically to avoid + * inter-operability problems. + */ + if (smtp_ehlo_disable_maps == 0 + || (ehlo_words = maps_find(smtp_ehlo_disable_maps, state->session->addr, 0)) == 0) + ehlo_words = var_smtp_ehlo_dis_words; + disable_mask = ehlo_mask(ehlo_words); + if (disable_mask) + msg_info("disabled EHLO keywords: %s", str_ehlo_mask(disable_mask)); + /* * Pick up some useful features offered by the SMTP server. XXX Until we * have a portable routine to convert from string to off_t with proper 
@@ -315,29 +330,34 @@ int smtp_helo(SMTP_STATE *state, int misc_flags) lines = resp->str; while ((words = mystrtok(&lines, "\n")) != 0) { if (mystrtok(&words, "- ") && (word = mystrtok(&words, " \t=")) != 0) { - if (strcasecmp(word, "8BITMIME") == 0) - session->features |= SMTP_FEATURE_8BITMIME; - else if (strcasecmp(word, "PIPELINING") == 0) - session->features |= SMTP_FEATURE_PIPELINING; - else if (strcasecmp(word, "XFORWARD") == 0) - while ((word = mystrtok(&words, " \t")) != 0) - session->features |= name_code(xforward_features, + if (strcasecmp(word, "8BITMIME") == 0) { + if ((disable_mask & EHLO_MASK_8BITMIME) == 0) + session->features |= SMTP_FEATURE_8BITMIME; + } else if (strcasecmp(word, "PIPELINING") == 0) { + if ((disable_mask & EHLO_MASK_PIPELINING) == 0) + session->features |= SMTP_FEATURE_PIPELINING; + } else if (strcasecmp(word, "XFORWARD") == 0) { + if ((disable_mask & EHLO_MASK_XFORWARD) == 0) + while ((word = mystrtok(&words, " \t")) != 0) + session->features |= name_code(xforward_features, NAME_CODE_FLAG_NONE, word); - else if (strcasecmp(word, "SIZE") == 0) { - session->features |= SMTP_FEATURE_SIZE; - if ((word = mystrtok(&words, " \t")) != 0) { - if (!alldig(word)) - msg_warn("bad size limit \"%s\" in EHLO reply from %s", - word, session->namaddr); - else - session->size_limit = off_cvt_string(word); + } else if (strcasecmp(word, "SIZE") == 0) { + if ((disable_mask & EHLO_MASK_SIZE) == 0) { + session->features |= SMTP_FEATURE_SIZE; + if ((word = mystrtok(&words, " \t")) != 0) { + if (!alldig(word)) + msg_warn("bad EHLO SIZE limit \"%s\" from %s", + word, session->namaddr); + else + session->size_limit = off_cvt_string(word); + } } - } #ifdef USE_SASL_AUTH - else if (var_smtp_sasl_enable && strcasecmp(word, "AUTH") == 0) - smtp_sasl_helo_auth(session, words); + } else if (var_smtp_sasl_enable && strcasecmp(word, "AUTH") == 0) { + if ((disable_mask & EHLO_MASK_AUTH) == 0) + smtp_sasl_helo_auth(session, words); #endif - else if (strcasecmp(word, 
var_myhostname) == 0) { + } else if (strcasecmp(word, var_myhostname) == 0) { if (misc_flags & SMTP_MISC_FLAG_LOOP_DETECT) { msg_warn("host %s replied to HELO/EHLO with my own hostname %s", session->namaddr, var_myhostname); diff --git a/postfix/src/smtpd/Makefile.in b/postfix/src/smtpd/Makefile.in index 62a97aa53..4229c19e2 100644 --- a/postfix/src/smtpd/Makefile.in +++ b/postfix/src/smtpd/Makefile.in @@ -149,8 +149,11 @@ smtpd.o: ../../include/quote_flags.h smtpd.o: ../../include/lex_822.h smtpd.o: ../../include/namadr_list.h smtpd.o: ../../include/input_transp.h +smtpd.o: ../../include/is_header.h smtpd.o: ../../include/anvil_clnt.h smtpd.o: ../../include/attr_clnt.h +smtpd.o: ../../include/ehlo_mask.h +smtpd.o: ../../include/maps.h smtpd.o: ../../include/mail_server.h smtpd.o: smtpd_token.h smtpd.o: smtpd.h diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c index 91b449683..d5d54c4e2 100644 --- a/postfix/src/smtpd/smtpd.c +++ b/postfix/src/smtpd/smtpd.c @@ -86,6 +86,17 @@ /* access restriction is specified. /* .IP "\fBsmtpd_sasl_exceptions_networks (empty)\fR" /* What SMTP clients Postfix will not offer AUTH support to. +/* .PP +/* Available in Postfix version 2.2 and later: +/* .IP "\fBsmtpd_disable_ehlo_keyword_address_maps (empty)\fR" +/* Lookup tables, indexed by the remote SMTP client address, with +/* case insensitive lists of EHLO keywords (pipelining, starttls, +/* auth, etc.) that the SMTP server will not send in the EHLO response +/* to a remote SMTP client. +/* .IP "\fBsmtpd_disable_ehlo_keywords (empty)\fR" +/* A case insensitive list of EHLO keywords (pipelining, starttls, +/* auth, etc.) that the SMTP server will not send in the EHLO response +/* to a remote SMTP client. /* ADDRESS REWRITING CONTROLS /* .ad /* .fi @@ -691,6 +702,8 @@ #include #endif #include +#include /* ehlo filter */ +#include /* ehlo filter */ /* Single-threaded server skeleton. */ 
@@ -806,6 +819,8 @@ char *var_smtpd_hoggers; #endif char *var_local_rwr_clients; +char *var_smtpd_ehlo_dis_words; +char *var_smtpd_ehlo_dis_maps; /* * Silly little macros. @@ -813,6 +828,11 @@ char *var_local_rwr_clients; #define STR(x) vstring_str(x) #define LEN(x) VSTRING_LEN(x) + /* + * EHLO keyword filter + */ +static MAPS *ehlo_disable_maps; + /* * VERP command name. */ @@ -955,6 +975,9 @@ static int helo_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv) static int ehlo_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv) { char *err; + int todo_mask; + const char *ehlo_words; + VSTRING *ehlo_buf; /* * XXX 2821 new feature: Section 4.1.4 specifies that a server must clear 
@@ -981,40 +1004,102 @@ static int ehlo_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv) rcpt_reset(state); state->helo_name = mystrdup(printable(argv[1].strval, '?')); neuter(state->helo_name, NEUTER_CHARACTERS, '?'); + + /* + * XXX reject_unauth_pipelining depends on the following. If the user + * sends EHLO then we announce PIPELINING and we can't accuse them of + * using pipelining in places where it is allowed. + * + * XXX The reject_unauth_pipelining test needs to change and also account + * for mechanisms that disable PIPELINING selectively. + */ if (strcasecmp(state->protocol, MAIL_PROTO_ESMTP) != 0) { myfree(state->protocol); state->protocol = mystrdup(MAIL_PROTO_ESMTP); } - smtpd_chat_reply(state, "250-%s", var_myhostname); - smtpd_chat_reply(state, "250-PIPELINING"); - if (var_message_limit) - smtpd_chat_reply(state, "250-SIZE %lu", - (unsigned long) var_message_limit); /* XXX */ - else - smtpd_chat_reply(state, "250-SIZE"); - if (var_disable_vrfy_cmd == 0) - smtpd_chat_reply(state, "250-VRFY"); - smtpd_chat_reply(state, "250-ETRN"); + + /* + * Determine what server EHLO keywords to suppress, typically to avoid + * inter-operability problems. + */ + if (ehlo_disable_maps == 0 + || (ehlo_words = maps_find(ehlo_disable_maps, state->addr, 0)) == 0) + ehlo_words = var_smtpd_ehlo_dis_words; + todo_mask = ~ehlo_mask(ehlo_words); + if (~todo_mask) + msg_info("disabled EHLO keywords: %s", str_ehlo_mask(~todo_mask)); + + /* + * Build the EHLO response, suppressing features as requested. We store + * each output line in one-element output queue, where it sits until we + * know if we need to prepend "250-" or "250 " to it. Each time we + * enqueue a reply line we flush the one that sits in the queue. We use a + * couple ugly macros to avoid making mistakes in code that repeats a + * lot. 
+ */ +#define ENQUEUE_FIX_REPLY(state, ehlo_buf, cmd) \ + do { \ + smtpd_chat_reply((state), "250-%s", STR(ehlo_buf)); \ + vstring_strcpy((ehlo_buf), (cmd)); \ + } while (0) + +#define ENQUEUE_FMT_REPLY(state, ehlo_buf, fmt, arg) \ + do { \ + smtpd_chat_reply((state), "250-%s", STR(ehlo_buf)); \ + vstring_sprintf((ehlo_buf), (fmt), (arg)); \ + } while (0) + + ehlo_buf = vstring_alloc(10); + vstring_strcpy(ehlo_buf, var_myhostname); + if (todo_mask & EHLO_MASK_PIPELINING) + ENQUEUE_FIX_REPLY(state, ehlo_buf, "PIPELINING"); + if (todo_mask & EHLO_MASK_SIZE) { + if (var_message_limit) + ENQUEUE_FMT_REPLY(state, ehlo_buf, "SIZE %lu", + (unsigned long) var_message_limit); /* XXX */ + else + ENQUEUE_FIX_REPLY(state, ehlo_buf, "SIZE"); + } + if (todo_mask & EHLO_MASK_VRFY) + if (var_disable_vrfy_cmd == 0) + ENQUEUE_FIX_REPLY(state, ehlo_buf, "VRFY"); + if (todo_mask & EHLO_MASK_ETRN) + ENQUEUE_FIX_REPLY(state, ehlo_buf, "ETRN"); #ifdef USE_SASL_AUTH - if (var_smtpd_sasl_enable && !sasl_client_exception(state)) { - smtpd_chat_reply(state, "250-AUTH %s", state->sasl_mechanism_list); - if (var_broken_auth_clients) - smtpd_chat_reply(state, "250-AUTH=%s", state->sasl_mechanism_list); + if (todo_mask & EHLO_MASK_AUTH) { + if (var_smtpd_sasl_enable && !sasl_client_exception(state)) { + ENQUEUE_FMT_REPLY(state, ehlo_buf, "AUTH %s", + state->sasl_mechanism_list); + if (var_broken_auth_clients) + ENQUEUE_FMT_REPLY(state, ehlo_buf, "AUTH=%s", + state->sasl_mechanism_list); + } } #endif - if (namadr_list_match(verp_clients, state->name, state->addr)) - smtpd_chat_reply(state, "250-%s", VERP_CMD); + if (todo_mask & EHLO_MASK_VERP) + if (namadr_list_match(verp_clients, state->name, state->addr)) + ENQUEUE_FIX_REPLY(state, ehlo_buf, VERP_CMD); /* XCLIENT must not override its own access control. 
*/ - if (xclient_allowed) - smtpd_chat_reply(state, "250-" XCLIENT_CMD - " " XCLIENT_NAME " " XCLIENT_ADDR - " " XCLIENT_PROTO " " XCLIENT_HELO); - if (xforward_allowed) - smtpd_chat_reply(state, "250-" XFORWARD_CMD - " " XFORWARD_NAME " " XFORWARD_ADDR - " " XFORWARD_PROTO " " XFORWARD_HELO - " " XFORWARD_DOMAIN); - smtpd_chat_reply(state, "250 8BITMIME"); + if (todo_mask & EHLO_MASK_XCLIENT) + if (xclient_allowed) + ENQUEUE_FIX_REPLY(state, ehlo_buf, XCLIENT_CMD + " " XCLIENT_NAME " " XCLIENT_ADDR + " " XCLIENT_PROTO " " XCLIENT_HELO); + if (todo_mask & EHLO_MASK_XFORWARD) + if (xforward_allowed) + ENQUEUE_FIX_REPLY(state, ehlo_buf, XFORWARD_CMD + " " XFORWARD_NAME " " XFORWARD_ADDR + " " XFORWARD_PROTO " " XFORWARD_HELO + " " XFORWARD_DOMAIN); + if (todo_mask & EHLO_MASK_8BITMIME) + ENQUEUE_FIX_REPLY(state, ehlo_buf, "8BITMIME"); + smtpd_chat_reply(state, "250 %s", STR(ehlo_buf)); + + /* + * Clean up. + */ + vstring_free(ehlo_buf); + return (0); } @@ -2801,6 +2886,14 @@ static void pre_jail_init(char *unused_name, char **unused_argv) * flush client. */ flush_init(); + + /* + * EHLO keyword filter. + */ + if (*var_smtpd_ehlo_dis_maps) + ehlo_disable_maps = maps_create(VAR_SMTPD_EHLO_DIS_MAPS, + var_smtpd_ehlo_dis_maps, + DICT_FLAG_LOCK); } /* post_jail_init - post-jail initialization */ @@ -2940,6 +3033,8 @@ int main(int argc, char **argv) VAR_SMTPD_HOGGERS, DEF_SMTPD_HOGGERS, &var_smtpd_hoggers, 0, 0, #endif VAR_LOC_RWR_CLIENTS, DEF_LOC_RWR_CLIENTS, &var_local_rwr_clients, 0, 0, + VAR_SMTPD_EHLO_DIS_WORDS, DEF_SMTPD_EHLO_DIS_WORDS, &var_smtpd_ehlo_dis_words, 0, 0, + VAR_SMTPD_EHLO_DIS_MAPS, DEF_SMTPD_EHLO_DIS_MAPS, &var_smtpd_ehlo_dis_maps, 0, 0, 0, }; static CONFIG_RAW_TABLE raw_table[] = { diff --git a/postfix/src/util/name_mask.c b/postfix/src/util/name_mask.c index 14e206a57..5695c41c6 100644 --- a/postfix/src/util/name_mask.c +++ b/postfix/src/util/name_mask.c 
@@ -15,6 +15,18 @@ /* const char *context; /* NAME_MASK *table; /* int mask; +/* +/* int name_mask_opt(context, table, names, flags) +/* const char *context; +/* NAME_MASK *table; +/* const char *names; +/* int flags; +/* +/* const char *str_name_mask_opt(context, table, mask, flags) +/* const char *context; +/* NAME_MASK *table; +/* int mask; +/* int flags; /* DESCRIPTION /* name_mask() takes a null-terminated \fItable\fR with (name, mask) /* values and computes the bit-wise OR of the masks that correspond @@ -25,12 +37,39 @@ /* The result is written to a static buffer that is overwritten /* upon each call. /* -/* The \fIcontext\fR argument specifies what kind of names and +/* name_mask_opt() and str_name_mask_opt() are extended versions +/* with additional fine control. +/* +/* Arguments: +/* .IP context +/* What kind of names and /* masks are being manipulated, in order to make error messages /* more understandable. Typically, this would be the name of a /* user-configurable parameter. +/* .IP table +/* Table with (name, bit mask) pairs. +/* .IP names +/* A list of names that is to be converted into a bit mask. +/* .IP mask +/* A bit mask. +/* .IP flags +/* Bit-wise OR of zero or more of the following: +/* .RS +/* .IP NAME_MASK_MATCH_REQ +/* Require that all names listed in \fIname\fR exist in \fItable\fR, +/* and that all bits listed in \fImask\fR exist in \fItable\fR. +/* This feature is enabled by default when calling name_mask() +/* or str_name_mask(). +/* .IP NAME_MASK_ANY_CASE +/* Enable case-insensitive matching. +/* This feature is not enabled by default when calling name_mask(); +/* it has no effect with str_name_mask(). +/* .RE +/* The value NAME_MASK_NONE explicitly requests no features, +/* and NAME_MASK_DEFAULT enables the default options. /* DIAGNOSTICS /* Fatal: the \fInames\fR argument specifies a name not found in +/* \fItable\fR, or the \fImask\fR specifies a bit not found in /* \fItable\fR. /* LICENSE /* .ad 
@@ -48,6 +87,10 @@ #include #include +#ifdef STRCASECMP_IN_STRING_H +#include +#endif + /* Utility library. */ #include @@ -58,9 +101,10 @@ #define STR(x) vstring_str(x) -/* name_mask - compute mask corresponding to list of names */ +/* name_mask_opt - compute mask corresponding to list of names */ -int name_mask(const char *context, NAME_MASK *table, const char *names) +int name_mask_opt(const char *context, NAME_MASK *table, const char *names, + int flags) { char *myname = "name_mask"; char *saved_names = mystrdup(names); @@ -75,10 +119,14 @@ int name_mask(const char *context, NAME_MASK *table, const char *names) */ while ((name = mystrtok(&bp, ", \t\r\n")) != 0) { for (np = table; /* void */ ; np++) { - if (np->name == 0) - msg_fatal("unknown %s value \"%s\" in \"%s\"", - context, name, names); - if (strcmp(name, np->name) == 0) { + if (np->name == 0) { + if (flags & NAME_MASK_MATCH_REQ) + msg_fatal("unknown %s value \"%s\" in \"%s\"", + context, name, names); + break; + } + if (((flags & NAME_MASK_ANY_CASE) ? strcasecmp : strcmp) + (name, np->name) == 0) { if (msg_verbose) msg_info("%s: %s", myname, name); result |= np->mask; @@ -90,9 +138,10 @@ int name_mask(const char *context, NAME_MASK *table, const char *names) return (result); } -/* str_name_mask - mask to string */ +/* str_name_mask_opt - mask to string */ -const char *str_name_mask(const char *context, NAME_MASK *table, int mask) +const char *str_name_mask_opt(const char *context, NAME_MASK *table, + int mask, int flags) { char *myname = "name_mask"; NAME_MASK *np; 
@@ -105,8 +154,12 @@ const char *str_name_mask(const char *context, NAME_MASK *table, int mask) VSTRING_RESET(buf); for (np = table; mask != 0; np++) { - if (np->name == 0) - msg_panic("%s: invalid %s bitmask: 0x%x", myname, context, mask); + if (np->name == 0) { + if (flags & NAME_MASK_MATCH_REQ) + msg_fatal("%s: invalid %s bit in mask: 0x%x", + myname, context, mask); + break; + } if (mask & np->mask) { mask &= ~np->mask; vstring_sprintf_append(buf, "%s ", np->name); @@ -118,6 +171,22 @@ const char *str_name_mask(const char *context, NAME_MASK *table, int mask) return (STR(buf)); } + /* + * ABI backwards compatibility. + */ +#undef name_mask +#undef str_name_mask + +int name_mask(const char *context, NAME_MASK *table, const char *names) +{ + return(name_mask_opt(context, table,names, NAME_MASK_DEFAULT)); +} + +const char *str_name_mask(const char *context, NAME_MASK *table, int mask) +{ + return(str_name_mask_opt(context, table, mask, NAME_MASK_DEFAULT)); +} + #ifdef TEST /* diff --git a/postfix/src/util/name_mask.h b/postfix/src/util/name_mask.h index fafd7cd88..d29f49b72 100644 --- a/postfix/src/util/name_mask.h +++ b/postfix/src/util/name_mask.h @@ -19,8 +19,19 @@ typedef struct { int mask; } NAME_MASK; -extern int name_mask(const char *, NAME_MASK *, const char *); -extern const char *str_name_mask(const char *, NAME_MASK *, int); +#define NAME_MASK_MATCH_REQ (1<<0) +#define NAME_MASK_ANY_CASE (1<<1) + +#define NAME_MASK_NONE 0 +#define NAME_MASK_DEFAULT (NAME_MASK_MATCH_REQ) + +#define name_mask(tag, table, str) \ + name_mask_opt((tag), (table), (str), NAME_MASK_DEFAULT) +#define str_name_mask(tag, table, mask) \ + str_name_mask_opt((tag), (table), (mask), NAME_MASK_DEFAULT) + +extern int name_mask_opt(const char *, NAME_MASK *, const char *, int); +extern const char *str_name_mask_opt(const char *, NAME_MASK *, int, int); /* LICENSE /* .ad
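Review bot: in the pre_init() hunk of smtp/smtp.c (@@ -540,6 +555,14), maps_create() is given VAR_SMTPD_EHLO_DIS_MAPS as its first argument. That is the server-side parameter name, while the table list being opened is var_smtp_ehlo_dis_maps and main() registers it under VAR_SMTP_EHLO_DIS_MAPS. This looks like a leftover from the matching smtpd.c hunk; pass VAR_SMTP_EHLO_DIS_MAPS so that the label attached to these tables names the parameter the operator actually set.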
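Review bot: the msg_info() call added to smtp_helo() in smtp/smtp_proto.c (@@ -302,6 +306,17) logs "disabled EHLO keywords: %s" without saying which server the mask applies to, and with per-address maps the mask can differ from one session to the next. Include session->namaddr in the message, as the msg_warn() calls in the following hunk do, so that a log line showing auth or another keyword being ignored can be tied to a destination.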
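Review bot: in the EHLO parsing loop of smtp_helo() (smtp/smtp_proto.c, @@ -315,29 +330,34), disable_mask is tested only for 8BITMIME, PIPELINING, XFORWARD, SIZE and AUTH, so any other keyword in the mask is reported by the "disabled EHLO keywords" message but changes nothing in the client. The man page text added in smtp.c gives starttls as an example keyword, which has no branch here. Either document which keywords the client honours, or warn when the mask contains bits that no branch tests. The XFORWARD branch also nests an unbraced while under an unbraced if; braces there would match the SIZE branch.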
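Review bot: the parameter text added to the smtpd.c man page header (@@ -86,6 +86,17) should state that these settings only remove keywords from the EHLO response and are not access controls. None of the smtpd.c hunks in this patch changes a command handler, so a client that sends AUTH, VRFY or ETRN without having seen the keyword is handled as before. Administrators who want to withhold AUTH from a network should be pointed at smtpd_sasl_exceptions_networks, which is documented in the context lines just above.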
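Review bot: in ehlo_cmd() (smtpd/smtpd.c, @@ -981,40 +1004,102), state->protocol is still switched to ESMTP when the PIPELINING line is suppressed, and the new XXX comment already notes that reject_unauth_pipelining needs to account for that. Record in the session state whether PIPELINING was actually announced, at the point where the line is enqueued or skipped, so the restriction can test that instead of the protocol name. Separately, the msg_info() line would be more useful with the client identified (state->name and state->addr are used further down in this hunk), and keeping the result of ehlo_mask() in a disable_mask variable, as smtp_proto.c does, would avoid the double negation in "if (~todo_mask)".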
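Review bot: in the flags description added to the name_mask.c header comment (@@ -25,12 +37,39), NAME_MASK_MATCH_REQ refers to \fIname\fR, but the argument is called names in both the synopsis and the .IP list; use \fInames\fR. The text should also say what happens to an unmatched name or bit when NAME_MASK_MATCH_REQ is not set, since the code in the later hunks skips it silently.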
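Review bot: in name_mask_opt() (@@ -75,10 +119,14), a name that is not in the table is dropped with no log output when NAME_MASK_MATCH_REQ is unset, so a misspelled keyword in a configuration value cannot be told apart from one that was applied. Consider a msg_warn() before the break, or a separate flag that requests it, so that a caller can stay non-fatal and still report typos.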
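Review bot: in str_name_mask_opt() (@@ -105,8 +154,12), a bit with no table entry used to be reported with msg_panic() and is now msg_fatal(). The mask argument is typically computed by the calling code rather than taken from user input, so the panic classification (programming error) seems the better fit; if the downgrade is intended, the reason belongs in the HISTORY entry. Without NAME_MASK_MATCH_REQ the leftover bits are silently omitted from the returned string, which deserves a sentence in the DESCRIPTION.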
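Review bot: the ABI compatibility wrappers added at the end of name_mask.c (@@ -118,6 +171,22) depart from the file's formatting: "return(name_mask_opt(context, table,names, NAME_MASK_DEFAULT));" lacks the space after return and after the second comma, where the rest of the file writes "return (result);". Each wrapper should also get the one-line "/* name - purpose */" comment that precedes the other functions in this file.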