From: Wietse Venema Date: Wed, 3 Nov 2010 05:00:00 +0000 (-0500) Subject: postfix-2.8-20101103 X-Git-Tag: v2.8.0-RC1~17 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=925f7004f2de26b4d26c1d15448924c3719fea39;p=thirdparty%2Fpostfix.git postfix-2.8-20101103 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index 20fa1ee17..f6d0de624 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -16040,6 +16040,21 @@ Apologies for any names omitted. postscreen/postscreen_misc.c, postscreen/postscreen.h, postscreen/postscreen_tests.c. + Feature: preliminary postscreen penalty mechanism. Basic + idea: when a client exceeds some threshold, don't allow it + to pass any tests until the penalty expires. Penalties + provide a way to slow down clients without blocking mail + permanently. Files: postscreen/postscreen_misc.c, + postscreen/postscreen_tests.c, postscreen/postscreen.c. + + A first application of the postscreen penalty mechanism + triggers on clients that make brief connections to find out + if the mail server is up. With "postscreen_early_hangup_penalty + = 600" they will disqualify themselves for 10 minutes. + Unfortunately, this behavior is used by legitimate bulk + mail services. This application was removed 20101103. The + penalty mechanism itself is left in place as #ifdef NONPROD. + 20100923 Cleanup: renamed MUMBLE_FLAG_MUMBLE aggregates to 
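Review bot: the new HISTORY entry states that the early-hangup application of the penalty mechanism was removed on 20101103 and that the mechanism itself stays in place under #ifdef NONPROD, yet none of the files it names (postscreen/postscreen_misc.c, postscreen/postscreen_tests.c, postscreen/postscreen.c) appears anywhere in this diff, so the entry cannot be checked against code here; either the postscreen changes belong in this commit or the entry should say which snapshot carries the #ifdef NONPROD state. The example "postscreen_early_hangup_penalty = 600" relies on the reader knowing the unit is seconds; writing 600s would match the time-unit convention used in the other entries of this file (for example "qmgr_ipc_timeout parameter (default: 60s)").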
@@ -16076,3 +16091,35 @@ Apologies for any names omitted. 20101007 Bugfix (introduced: 2100923): duplicate "PASS OLD" logging. + File: postscreen/postscreen_misc.c. + +20101008 + + Cleanup: dnsblog now logs "addr X listed by domain Y as Z" + instead of "addr X blocked by domain Y as Z", because the + service may be used for whitelist lookups. File: + dnsblog/dnsblog.c. + +20101023 + + Cleanup: don't apply reject_rhsbl_helo to non-domain forms + such as network addresses. This would cause false positives + with dbl.spamhaus.org. File: smtpd/smtpd_check.c. + +20101103 + + Cleanup: new qmgr_ipc_timeout parameter (default: 60s) to + override the system-wide ipc_timeout setting (default: + 3600s). The shorter timeout allows the queue manager to + reset a deadlocked IPC connection before the watchdog timer + goes off. Files: *qmgr/qmgr.c. + + Cleanup: new qmgr_daemon_timeout parameter (default: 1000s) + to make the hard-coded 1000s watchdog timeout configurable. + Files: *qmgr/qmgr.c. + + Cleanup: request default DSN notification when adding a + recipient with smfi_addrcpt, instead of requesting "never + notify" as with Postfix automatically-added BCC recipients. + Files: cleanup/cleanup_addr.c, cleanup/cleanup.h, + cleanup/cleanup_milter.c. diff --git a/postfix/README_FILES/ADDRESS_VERIFICATION_README b/postfix/README_FILES/ADDRESS_VERIFICATION_README index 97dd381c3..3d1a09f1a 100644 --- a/postfix/README_FILES/ADDRESS_VERIFICATION_README +++ b/postfix/README_FILES/ADDRESS_VERIFICATION_README @@ -121,7 +121,7 @@ LLiimmiittaattiioonnss ooff aaddddrreessss vveerriiffi You can change the probe sender address into the null address ("address_verify_sender ="). This is UNSAFE because address probes will fail with mis-configured sites that reject MAIL FROM: <>, while probes from - "postmaster@$myorigin" would succeed. + "double-bounce@$myorigin" would succeed. RReecciippiieenntt aaddddrreessss vveerriiffiiccaattiioonn 
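Review bot: in the second HISTORY hunk, the qmgr_ipc_timeout and qmgr_daemon_timeout items say "Files: *qmgr/qmgr.c", but the code part of this diff only contains src/oqmgr/qmgr.c plus the mail_params.h definitions; if src/qmgr/qmgr.c is part of the same change it should be in this commit, since the qmgr.8 manual page hunks in this diff already document the parameters for the current queue manager. While editing this region, the unchanged context line "Bugfix (introduced: 2100923)" is a typo for 20100923 and could be fixed at the same time.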
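Review bot: the ADDRESS_VERIFICATION_README hunk corrects the example probe sender to "double-bounce@$myorigin", which matches the address_verify_sender default of $double_bounce_sender; the same sentence is also corrected in html/ and proto/ADDRESS_VERIFICATION_README.html later in this diff, so a grep for any remaining "postmaster@$myorigin" in the documentation tree would confirm no copy was missed. The reason the null sender is called UNSAFE could be stated one step further: a probe rejected because the remote site refuses MAIL FROM:<> is indistinguishable from a rejection of a nonexistent recipient, so the verification result becomes wrong rather than merely unavailable.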
diff --git a/postfix/README_FILES/POSTSCREEN_README b/postfix/README_FILES/POSTSCREEN_README index 988b070a8..d06b7237c 100644 --- a/postfix/README_FILES/POSTSCREEN_README +++ b/postfix/README_FILES/POSTSCREEN_README @@ -217,7 +217,7 @@ postscreen_dnsbl_action, respectively. iiggnnoorree (default) Ignore the failure of this test. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing - and collecting statistics without interfering with mail deliveries. + and collecting statistics without blocking mail. eennffoorrccee Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index 630b2cee7..91a2e837c 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES 
@@ -33,13 +33,21 @@ This is supported only when the default value is stress-dependent postscreen parameters always evaluate as if the stress value is equal to the empty string. +Incompatibility with snapshot 20101103 +====================================== + +Postfix now requests default delivery status notifications when +adding a recipient with the Milter smfi_addrcpt action, instead of +"never notify" as with Postfix automatically-added recipients +(always_bcc and sender/recipient_bcc_maps). + Incompatibility with snapshot 20101006 ====================================== -To avoid repeated delivery to mailing list members with pathological -nested alias configurations, the local(8) delivery agent now keeps -the owner-alias attribute of the parent alias, when delivering mail -to a child alias that does not have its own owner alias. +To avoid repeated delivery to mailing lists with pathological nested +alias configurations, the local(8) delivery agent now keeps the +owner-alias attribute of a parent alias, when delivering mail to a +child alias that does not have its own owner alias. With this change, local addresses from that child alias will be written to a new queue file, and a temporary error with one local @@ -47,6 +55,9 @@ address will no longer result in repeated delivery to other mailing list members. Specify "reset_owner_alias = yes" for the older, more fragile, behavior. +The postconf(5) manpage entry for "reset_owner_alias" has more +background information on this issue. + Incompatibility with snapshot 20100912 ====================================== diff --git a/postfix/WISHLIST b/postfix/WISHLIST index 77871f84e..cf0c54e57 100644 --- a/postfix/WISHLIST +++ b/postfix/WISHLIST 
@@ -2,9 +2,18 @@ Wish list: Remove this file from the stable release. + anvil rate limit for sasl_username. + + Support filtering of messages that are generated by Postfix: + This would apply to postmaster notices and bounce messages + (DKIM), and address verification (BATV). + + Replace sscanf() numerical conversions by strto[dl]() + for better error reporting. + Consistency: in postconf.proto make
..
tags bold. - Milter addrcpt - use Sendmail default DSN + Milter addrcpt - use Sendmail-compatible default DSN settings. postscreen(8): listen on multiple IP addresses and enforce that the client contacts the primary MX address first (i.e. diff --git a/postfix/html/ADDRESS_VERIFICATION_README.html b/postfix/html/ADDRESS_VERIFICATION_README.html index 6ea0ab636..00d555c9e 100644 --- a/postfix/html/ADDRESS_VERIFICATION_README.html +++ b/postfix/html/ADDRESS_VERIFICATION_README.html @@ -243,7 +243,7 @@ server does not reject mail for this address.

("address_verify_sender ="). This is UNSAFE because address probes will fail with mis-configured sites that reject MAIL FROM: <>, while -probes from "postmaster@$myorigin" would succeed.

+probes from "double-bounce@$myorigin" would succeed.

diff --git a/postfix/html/POSTSCREEN_README.html b/postfix/html/POSTSCREEN_README.html index bbbeabff3..4f2a1fd18 100644 --- a/postfix/html/POSTSCREEN_README.html +++ b/postfix/html/POSTSCREEN_README.html @@ -295,8 +295,8 @@ or postscreen_dnsbl_action
Ignore the failure of this test. Allow other tests to complete. Repeat this test the next time the client connects. This option -is useful for testing and collecting statistics without interfering -with mail deliveries.
+is useful for testing and collecting statistics without blocking +mail.
enforce
@@ -506,6 +506,21 @@ feature. unexpectedly, time seconds after the start of the test named test name.

+ +

The following errors are reported by the built-in SMTP engine. This engine never accepts mail, therefore it has per-session limits on the number of commands and on the session length.

diff --git a/postfix/html/oqmgr.8.html b/postfix/html/oqmgr.8.html index 5e6db842b..43116cae0 100644 --- a/postfix/html/oqmgr.8.html +++ b/postfix/html/oqmgr.8.html @@ -324,6 +324,17 @@ OQMGR(8) OQMGR(8) tion_rate_delay Idem, for delivery via the named message transport. +SAFETY CONTROLS + qmgr_daemon_timeout (1000s) + How much time a Postfix queue manager process may + take to handle a request before it is terminated by + a built-in watchdog timer. + + qmgr_ipc_timeout (60s) + The time limit for the queue manager to send or + receive information over an internal communication + channel. + MISCELLANEOUS CONTROLS config_directory (see 'postconf -d' output) The default location of the Postfix main.cf and @@ -342,28 +353,24 @@ OQMGR(8) OQMGR(8) Log warnings about problematic configuration set- tings, and provide helpful suggestions. - ipc_timeout (3600s) - The time limit for sending or receiving information - over an internal communication channel. - process_id (read-only) - The process ID of a Postfix command or daemon + The process ID of a Postfix command or daemon process. process_name (read-only) - The process name of a Postfix command or daemon + The process name of a Postfix command or daemon process. queue_directory (see 'postconf -d' output) - The location of the Postfix top-level queue direc- + The location of the Postfix top-level queue direc- tory. syslog_facility (mail) The syslog facility of Postfix logging. syslog_name (see 'postconf -d' output) - The mail system name that is prepended to the - process name in syslog records, so that "smtpd" + The mail system name that is prepended to the + process name in syslog records, so that "smtpd" becomes, for example, "postfix/smtpd". FILES @@ -386,7 +393,7 @@ OQMGR(8) OQMGR(8) QSHAPE_README, Postfix queue analysis LICENSE - The Secure Mailer license must be distributed with this + The Secure Mailer license must be distributed with this software. AUTHOR(S) 
diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 27ad367f4..a785cbdd3 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -6980,8 +6980,9 @@ one-letter suffix that specifies the time unit). Time units: s
postscreen_forbidden_commands (default: $smtpd_forbidden_commands)
-

List of commands that postscreen(8) server considers in violation -of the SMTP protocol. See also: postscreen_non_smtp_command_action. +

List of commands that the postscreen(8) server considers in +violation of the SMTP protocol. See smtpd_forbidden_commands for +syntax, and postscreen_non_smtp_command_action for possible actions.

This feature is available in Postfix 2.8.

@@ -7480,6 +7481,21 @@ This feature is available in Postfix 2.0 and later.

+
+ +
qmgr_daemon_timeout +(default: 1000s)
+ +

How much time a Postfix queue manager process may take to handle +a request before it is terminated by a built-in watchdog timer. +

+ +

+Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds). +

+ +
qmgr_fudge_factor @@ -7497,6 +7513,22 @@ current queue manager solves the problem in a better way.

+ + +
qmgr_ipc_timeout +(default: 60s)
+ +

The time limit for the queue manager to send or receive information +over an internal communication channel. The purpose is to break +out of deadlock situations. If the time limit is exceeded the +software either retries or aborts the operation.

+ +

+Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds). +

+ +
qmgr_message_active_limit diff --git a/postfix/html/postscreen.8.html b/postfix/html/postscreen.8.html index 3e13d95ce..45a4c6f67 100644 --- a/postfix/html/postscreen.8.html +++ b/postfix/html/postscreen.8.html @@ -137,8 +137,8 @@ POSTSCREEN(8) POSTSCREEN(8) defined with the postscreen_dnsbl_sites parameter. postscreen_forbidden_commands ($smtpd_forbidden_commands) - List of commands that postscreen(8) server consid- - ers in violation of the SMTP protocol. + List of commands that the postscreen(8) server con- + siders in violation of the SMTP protocol. postscreen_greet_action (ignore) The action that postscreen(8) takes when an SMTP diff --git a/postfix/html/qmgr.8.html b/postfix/html/qmgr.8.html index 7293c8645..06aa2f692 100644 --- a/postfix/html/qmgr.8.html +++ b/postfix/html/qmgr.8.html @@ -396,6 +396,17 @@ QMGR(8) QMGR(8) tion_rate_delay Idem, for delivery via the named message transport. +SAFETY CONTROLS + qmgr_daemon_timeout (1000s) + How much time a Postfix queue manager process may + take to handle a request before it is terminated by + a built-in watchdog timer. + + qmgr_ipc_timeout (60s) + The time limit for the queue manager to send or + receive information over an internal communication + channel. + MISCELLANEOUS CONTROLS config_directory (see 'postconf -d' output) The default location of the Postfix main.cf and 
@@ -414,28 +425,24 @@ QMGR(8) QMGR(8) Log warnings about problematic configuration set- tings, and provide helpful suggestions. - ipc_timeout (3600s) - The time limit for sending or receiving information - over an internal communication channel. - process_id (read-only) - The process ID of a Postfix command or daemon + The process ID of a Postfix command or daemon process. process_name (read-only) - The process name of a Postfix command or daemon + The process name of a Postfix command or daemon process. queue_directory (see 'postconf -d' output) - The location of the Postfix top-level queue direc- + The location of the Postfix top-level queue direc- tory. syslog_facility (mail) The syslog facility of Postfix logging. syslog_name (see 'postconf -d' output) - The mail system name that is prepended to the - process name in syslog records, so that "smtpd" + The mail system name that is prepended to the + process name in syslog records, so that "smtpd" becomes, for example, "postfix/smtpd". FILES @@ -459,7 +466,7 @@ QMGR(8) QMGR(8) QSHAPE_README, Postfix queue analysis LICENSE - The Secure Mailer license must be distributed with this + The Secure Mailer license must be distributed with this software. AUTHOR(S) diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 024612ec6..d23140222 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 
@@ -3963,8 +3963,9 @@ one-letter suffix that specifies the time unit). Time units: s .PP This feature is available in Postfix 2.8. .SH postscreen_forbidden_commands (default: $smtpd_forbidden_commands) -List of commands that \fBpostscreen\fR(8) server considers in violation -of the SMTP protocol. See also: postscreen_non_smtp_command_action. +List of commands that the \fBpostscreen\fR(8) server considers in +violation of the SMTP protocol. See smtpd_forbidden_commands for +syntax, and postscreen_non_smtp_command_action for possible actions. .PP This feature is available in Postfix 2.8. .SH postscreen_greet_action (default: ignore) @@ -4246,6 +4247,12 @@ clogging up the Postfix active queue. Specify 0 to disable. This feature is enabled with the helpful_warnings parameter. .PP This feature is available in Postfix 2.0 and later. +.SH qmgr_daemon_timeout (default: 1000s) +How much time a Postfix queue manager process may take to handle +a request before it is terminated by a built-in watchdog timer. +.PP +Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds). .SH qmgr_fudge_factor (default: 100) Obsolete feature: the percentage of delivery resources that a busy mail system will use up for delivery of a large mailing list 
@@ -4253,6 +4260,14 @@ message. .PP This feature exists only in the \fBoqmgr\fR(8) old queue manager. The current queue manager solves the problem in a better way. +.SH qmgr_ipc_timeout (default: 60s) +The time limit for the queue manager to send or receive information +over an internal communication channel. The purpose is to break +out of deadlock situations. If the time limit is exceeded the +software either retries or aborts the operation. +.PP +Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds). .SH qmgr_message_active_limit (default: 20000) The maximal number of messages in the active queue. .SH qmgr_message_recipient_limit (default: 20000) diff --git a/postfix/man/man8/oqmgr.8 b/postfix/man/man8/oqmgr.8 index 00dda1311..6019d2bac 100644 --- a/postfix/man/man8/oqmgr.8 +++ b/postfix/man/man8/oqmgr.8 @@ -287,7 +287,20 @@ deliveries to the same destination; with per-destination recipient limit > 1, a destination is a domain, otherwise it is a recipient. .IP "\fItransport\fB_destination_rate_delay $default_destination_rate_delay Idem, for delivery via the named message \fItransport\fR. -.SH MISCELLANEOUS CONTROLS +.SH "SAFETY CONTROLS" +.na +.nf +.ad +.fi +.IP "\fBqmgr_daemon_timeout (1000s)\fR" +How much time a Postfix queue manager process may take to handle +a request before it is terminated by a built-in watchdog timer. +.IP "\fBqmgr_ipc_timeout (60s)\fR" +The time limit for the queue manager to send or receive information +over an internal communication channel. +.SH "MISCELLANEOUS CONTROLS" +.na +.nf .ad .fi .IP "\fBconfig_directory (see 'postconf -d' output)\fR" 
@@ -302,9 +315,6 @@ sub-second delay values. .IP "\fBhelpful_warnings (yes)\fR" Log warnings about problematic configuration settings, and provide helpful suggestions. -.IP "\fBipc_timeout (3600s)\fR" -The time limit for sending or receiving information over an internal -communication channel. .IP "\fBprocess_id (read-only)\fR" The process ID of a Postfix command or daemon process. .IP "\fBprocess_name (read-only)\fR" diff --git a/postfix/man/man8/postscreen.8 b/postfix/man/man8/postscreen.8 index 152137589..c75c11feb 100644 --- a/postfix/man/man8/postscreen.8 +++ b/postfix/man/man8/postscreen.8 @@ -136,8 +136,8 @@ The inclusive lower bound for blocking an SMTP client, based on its combined DNSBL score as defined with the postscreen_dnsbl_sites parameter. .IP "\fBpostscreen_forbidden_commands ($smtpd_forbidden_commands)\fR" -List of commands that \fBpostscreen\fR(8) server considers in violation -of the SMTP protocol. +List of commands that the \fBpostscreen\fR(8) server considers in +violation of the SMTP protocol. .IP "\fBpostscreen_greet_action (ignore)\fR" The action that \fBpostscreen\fR(8) takes when an SMTP client speaks before its turn within the time specified with the postscreen_greet_wait diff --git a/postfix/man/man8/qmgr.8 b/postfix/man/man8/qmgr.8 index 83e7ea59b..550a91a20 100644 --- a/postfix/man/man8/qmgr.8 +++ b/postfix/man/man8/qmgr.8 
@@ -335,6 +335,17 @@ deliveries to the same destination; with per-destination recipient limit > 1, a destination is a domain, otherwise it is a recipient. .IP "\fItransport\fB_destination_rate_delay $default_destination_rate_delay Idem, for delivery via the named message \fItransport\fR. +.SH "SAFETY CONTROLS" +.na +.nf +.ad +.fi +.IP "\fBqmgr_daemon_timeout (1000s)\fR" +How much time a Postfix queue manager process may take to handle +a request before it is terminated by a built-in watchdog timer. +.IP "\fBqmgr_ipc_timeout (60s)\fR" +The time limit for the queue manager to send or receive information +over an internal communication channel. .SH "MISCELLANEOUS CONTROLS" .na .nf @@ -352,9 +363,6 @@ sub-second delay values. .IP "\fBhelpful_warnings (yes)\fR" Log warnings about problematic configuration settings, and provide helpful suggestions. -.IP "\fBipc_timeout (3600s)\fR" -The time limit for sending or receiving information over an internal -communication channel. .IP "\fBprocess_id (read-only)\fR" The process ID of a Postfix command or daemon process. .IP "\fBprocess_name (read-only)\fR" diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink index 2f933155b..a5a77dfdb 100755 --- a/postfix/mantools/postlink +++ b/postfix/mantools/postlink @@ -359,6 +359,8 @@ while (<>) { s;\bqmgr_message_active_limit\b;$&;g; s;\bqmgr_message_recip[-]*\n* *[]*ient_limit\b;$&;g; s;\bqmgr_message_recip[-]*\n* *[]*ient_minimum\b;$&;g; + s;\bqmgr_daemon_timeout\b;$&;g; + s;\bqmgr_ipc_timeout\b;$&;g; s;\bqmqpd_authorized_clients\b;$&;g; s;\bdefault_destination_concur[-]*\n* *[]*rency_negative_feedback\b;$&;g; diff --git a/postfix/proto/ADDRESS_VERIFICATION_README.html b/postfix/proto/ADDRESS_VERIFICATION_README.html index 4507b8bce..07f15f426 100644 --- a/postfix/proto/ADDRESS_VERIFICATION_README.html +++ b/postfix/proto/ADDRESS_VERIFICATION_README.html @@ -243,7 +243,7 @@ server does not reject mail for this address.

("address_verify_sender ="). This is UNSAFE because address probes will fail with mis-configured sites that reject MAIL FROM: <>, while -probes from "postmaster@$myorigin" would succeed.

+probes from "double-bounce@$myorigin" would succeed.

diff --git a/postfix/proto/POSTSCREEN_README.html b/postfix/proto/POSTSCREEN_README.html index 90eeeeaed..2a7492f32 100644 --- a/postfix/proto/POSTSCREEN_README.html +++ b/postfix/proto/POSTSCREEN_README.html @@ -295,8 +295,8 @@ or postscreen_dnsbl_action, respectively.

Ignore the failure of this test. Allow other tests to complete. Repeat this test the next time the client connects. This option -is useful for testing and collecting statistics without interfering -with mail deliveries.
+is useful for testing and collecting statistics without blocking +mail.
enforce
@@ -506,6 +506,21 @@ postscreen(8) logs this as:

unexpectedly, time seconds after the start of the test named test name.

+ +

The following errors are reported by the built-in SMTP engine. This engine never accepts mail, therefore it has per-session limits on the number of commands and on the session length.

diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 8f3ae15fc..ad997071c 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -13133,8 +13133,9 @@ commencing a MAIL transaction.

%PARAM postscreen_forbidden_commands $smtpd_forbidden_commands -

List of commands that postscreen(8) server considers in violation -of the SMTP protocol. See also: postscreen_non_smtp_command_action. +

List of commands that the postscreen(8) server considers in +violation of the SMTP protocol. See smtpd_forbidden_commands for +syntax, and postscreen_non_smtp_command_action for possible actions.

This feature is available in Postfix 2.8.

@@ -13336,3 +13337,27 @@ fails with a temporary error condition, the entire mailing list may be expanded repeatedly until the mail expires in the queue, resulting in multiple deliveries of the same message to mailing list members.

+ +%PARAM qmgr_ipc_timeout 60s + +

The time limit for the queue manager to send or receive information +over an internal communication channel. The purpose is to break +out of deadlock situations. If the time limit is exceeded the +software either retries or aborts the operation.

+ +

+Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds). +

+ +%PARAM qmgr_daemon_timeout 1000s + +

How much time a Postfix queue manager process may take to handle +a request before it is terminated by a built-in watchdog timer. +

+ +

+Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds). +

+ diff --git a/postfix/src/cleanup/Makefile.in b/postfix/src/cleanup/Makefile.in index f99703038..7e28474b9 100644 --- a/postfix/src/cleanup/Makefile.in +++ b/postfix/src/cleanup/Makefile.in @@ -515,6 +515,7 @@ cleanup.o: ../../include/attr.h cleanup.o: ../../include/been_here.h cleanup.o: ../../include/cleanup_user.h cleanup.o: ../../include/dict.h +cleanup.o: ../../include/dsn_mask.h cleanup.o: ../../include/header_body_checks.h cleanup.o: ../../include/header_opts.h cleanup.o: ../../include/htable.h @@ -590,6 +591,7 @@ cleanup_api.o: ../../include/deliver_request.h cleanup_api.o: ../../include/dict.h cleanup_api.o: ../../include/dsn.h cleanup_api.o: ../../include/dsn_buf.h +cleanup_api.o: ../../include/dsn_mask.h cleanup_api.o: ../../include/header_body_checks.h cleanup_api.o: ../../include/header_opts.h cleanup_api.o: ../../include/htable.h @@ -625,6 +627,7 @@ cleanup_body_edit.o: ../../include/attr.h cleanup_body_edit.o: ../../include/been_here.h cleanup_body_edit.o: ../../include/cleanup_user.h cleanup_body_edit.o: ../../include/dict.h +cleanup_body_edit.o: ../../include/dsn_mask.h cleanup_body_edit.o: ../../include/header_body_checks.h cleanup_body_edit.o: ../../include/header_opts.h cleanup_body_edit.o: ../../include/htable.h @@ -771,6 +774,7 @@ cleanup_final.o: ../../include/attr.h cleanup_final.o: ../../include/been_here.h cleanup_final.o: ../../include/cleanup_user.h cleanup_final.o: ../../include/dict.h +cleanup_final.o: ../../include/dsn_mask.h cleanup_final.o: ../../include/header_body_checks.h cleanup_final.o: ../../include/header_opts.h cleanup_final.o: ../../include/htable.h @@ -799,6 +803,7 @@ cleanup_init.o: ../../include/attr.h cleanup_init.o: ../../include/been_here.h cleanup_init.o: ../../include/cleanup_user.h cleanup_init.o: ../../include/dict.h +cleanup_init.o: ../../include/dsn_mask.h cleanup_init.o: ../../include/ext_prop.h cleanup_init.o: ../../include/flush_clnt.h cleanup_init.o: ../../include/header_body_checks.h 
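Review bot: the new %PARAM qmgr_ipc_timeout and %PARAM qmgr_daemon_timeout entries in the postconf.proto hunk omit the availability sentence that the other entries in this file carry (compare the retained "This feature is available in Postfix 2.8." line in the postscreen_forbidden_commands hunk above); both should end with "This feature is available in Postfix 2.8 and later.", because readers of postconf(5) use that line to tell whether a setting is silently ignored on older releases. The qmgr_ipc_timeout text would also be clearer if it stated that it overrides the system-wide ipc_timeout for the queue manager only, which is the relationship the HISTORY entry describes and the reason the oqmgr(8) and qmgr(8) hunks drop ipc_timeout from their MISCELLANEOUS CONTROLS lists.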
@@ -834,6 +839,7 @@ cleanup_map11.o: ../../include/attr.h cleanup_map11.o: ../../include/been_here.h cleanup_map11.o: ../../include/cleanup_user.h cleanup_map11.o: ../../include/dict.h +cleanup_map11.o: ../../include/dsn_mask.h cleanup_map11.o: ../../include/header_body_checks.h cleanup_map11.o: ../../include/header_opts.h cleanup_map11.o: ../../include/htable.h @@ -864,6 +870,7 @@ cleanup_map1n.o: ../../include/attr.h cleanup_map1n.o: ../../include/been_here.h cleanup_map1n.o: ../../include/cleanup_user.h cleanup_map1n.o: ../../include/dict.h +cleanup_map1n.o: ../../include/dsn_mask.h cleanup_map1n.o: ../../include/header_body_checks.h cleanup_map1n.o: ../../include/header_opts.h cleanup_map1n.o: ../../include/htable.h @@ -895,6 +902,7 @@ cleanup_masquerade.o: ../../include/attr.h cleanup_masquerade.o: ../../include/been_here.h cleanup_masquerade.o: ../../include/cleanup_user.h cleanup_masquerade.o: ../../include/dict.h +cleanup_masquerade.o: ../../include/dsn_mask.h cleanup_masquerade.o: ../../include/header_body_checks.h cleanup_masquerade.o: ../../include/header_opts.h cleanup_masquerade.o: ../../include/htable.h @@ -927,6 +935,7 @@ cleanup_message.o: ../../include/been_here.h cleanup_message.o: ../../include/cleanup_user.h cleanup_message.o: ../../include/conv_time.h cleanup_message.o: ../../include/dict.h +cleanup_message.o: ../../include/dsn_mask.h cleanup_message.o: ../../include/dsn_util.h cleanup_message.o: ../../include/ext_prop.h cleanup_message.o: ../../include/header_body_checks.h @@ -1010,6 +1019,7 @@ cleanup_out.o: ../../include/attr.h cleanup_out.o: ../../include/been_here.h cleanup_out.o: ../../include/cleanup_user.h cleanup_out.o: ../../include/dict.h +cleanup_out.o: ../../include/dsn_mask.h cleanup_out.o: ../../include/header_body_checks.h cleanup_out.o: ../../include/header_opts.h cleanup_out.o: ../../include/htable.h 
@@ -1083,6 +1093,7 @@ cleanup_region.o: ../../include/attr.h cleanup_region.o: ../../include/been_here.h cleanup_region.o: ../../include/cleanup_user.h cleanup_region.o: ../../include/dict.h +cleanup_region.o: ../../include/dsn_mask.h cleanup_region.o: ../../include/header_body_checks.h cleanup_region.o: ../../include/header_opts.h cleanup_region.o: ../../include/htable.h @@ -1110,6 +1121,7 @@ cleanup_rewrite.o: ../../include/attr.h cleanup_rewrite.o: ../../include/been_here.h cleanup_rewrite.o: ../../include/cleanup_user.h cleanup_rewrite.o: ../../include/dict.h +cleanup_rewrite.o: ../../include/dsn_mask.h cleanup_rewrite.o: ../../include/header_body_checks.h cleanup_rewrite.o: ../../include/header_opts.h cleanup_rewrite.o: ../../include/htable.h @@ -1142,6 +1154,7 @@ cleanup_state.o: ../../include/attr.h cleanup_state.o: ../../include/been_here.h cleanup_state.o: ../../include/cleanup_user.h cleanup_state.o: ../../include/dict.h +cleanup_state.o: ../../include/dsn_mask.h cleanup_state.o: ../../include/header_body_checks.h cleanup_state.o: ../../include/header_opts.h cleanup_state.o: ../../include/htable.h diff --git a/postfix/src/cleanup/cleanup.h b/postfix/src/cleanup/cleanup.h index b21b6fc02..a962f0078 100644 --- a/postfix/src/cleanup/cleanup.h +++ b/postfix/src/cleanup/cleanup.h @@ -33,6 +33,7 @@ #include #include #include +#include /* * Milter library. 
@@ -283,7 +284,14 @@ extern void cleanup_out_recipient(CLEANUP_STATE *, const char *, int, const char */ extern void cleanup_addr_sender(CLEANUP_STATE *, const char *); extern void cleanup_addr_recipient(CLEANUP_STATE *, const char *); -extern void cleanup_addr_bcc(CLEANUP_STATE *, const char *); +extern void cleanup_addr_bcc_dsn(CLEANUP_STATE *, const char *, const char *, int); + +#define NO_DSN_ORCPT ((char *) 0) +#define NO_DSN_NOTIFY DSN_NOTIFY_NEVER +#define DEF_DSN_NOTIFY (0) + +#define cleanup_addr_bcc(state, addr) \ + cleanup_addr_bcc_dsn((state), (addr), NO_DSN_ORCPT, NO_DSN_NOTIFY) /* * cleanup_bounce.c. diff --git a/postfix/src/cleanup/cleanup_addr.c b/postfix/src/cleanup/cleanup_addr.c index 99c7e1073..dc87f5c95 100644 --- a/postfix/src/cleanup/cleanup_addr.c +++ b/postfix/src/cleanup/cleanup_addr.c @@ -14,6 +14,12 @@ /* CLEANUP_STATE *state; /* const char *addr; /* +/* void cleanup_addr_bcc_dsn(state, addr, dsn_orcpt, dsn_notify) +/* CLEANUP_STATE *state; +/* const char *addr; +/* const char *dsn_orcpt; +/* int dsn_notify; +/* /* void cleanup_addr_bcc(state, addr) /* CLEANUP_STATE *state; /* const char *addr; 
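Review bot: in the cleanup.h hunk, DEF_DSN_NOTIFY is defined as (0) without a comment, while NO_DSN_NOTIFY beside it expands to the explicit DSN_NOTIFY_NEVER mask; the reader has to guess that zero means "no NOTIFY request recorded, so the delivery agents apply their default" rather than "an empty mask". A one-line comment on each of the three macros, plus a check that cleanup_out_recipient() and the queue-file reader indeed treat a zero dsn_notify value as "use defaults", would make the contract explicit. The cleanup_addr_bcc() compatibility macro correctly keeps NO_DSN_NOTIFY, so always_bcc and sender/recipient_bcc_maps recipients keep their "never notify" behavior as the RELEASE_NOTES hunk states.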
@@ -28,16 +34,25 @@ /* cleanup_addr_recipient() processes recipient envelope information /* and updates state->recip. /* -/* cleanup_addr_bcc() processes recipient envelope information. This +/* cleanup_addr_bcc_dsn() processes recipient envelope information. This /* is a separate function to avoid invoking cleanup_addr_recipient() /* recursively. /* +/* cleanup_addr_bcc() is a backwards-compatibility wrapper for +/* cleanup_addr_bcc_dsn() that requests no delivery status +/* notification for the recipient. +/* /* Arguments: /* .IP state /* Queue file and message processing state. This state is updated /* as records are processed and as errors happen. /* .IP buf /* Record content. +/* .IP dsn_orcpt +/* The DSN original recipient (or NO_DSN_ORCPT to specify none). +/* .IP dsn_notify +/* DSN notification options. Specify NO_DSN_NOTIFY to disable +/* notification, and DEF_DSN_NOTIFY for default notification. /* LICENSE /* .ad /* .fi @@ -179,9 +194,10 @@ void cleanup_addr_recipient(CLEANUP_STATE *state, const char *buf) vstring_free(clean_addr); } -/* cleanup_addr_bcc - process automatic BCC recipient */ +/* cleanup_addr_bcc_dsn - process automatic BCC recipient */ -void cleanup_addr_bcc(CLEANUP_STATE *state, const char *bcc) +void cleanup_addr_bcc_dsn(CLEANUP_STATE *state, const char *bcc, + const char *dsn_orcpt, int dsn_notify) { VSTRING *clean_addr = vstring_alloc(100); @@ -189,8 +205,6 @@ void cleanup_addr_bcc(CLEANUP_STATE *state, const char *bcc) * Note: BCC addresses are supplied locally, and must be rewritten in the * local address rewriting context. */ -#define NO_DSN_ORCPT ((char *) 0) - cleanup_rewrite_internal(MAIL_ATTR_RWR_LOCAL, clean_addr, bcc); if (state->flags & CLEANUP_FLAG_MAP_OK) { if (cleanup_rcpt_canon_maps 
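Review bot: the cleanup_addr.c documentation hunk adds .IP dsn_orcpt and .IP dsn_notify to the Arguments list, but the list still documents the address argument as ".IP buf / Record content." while the synopsis names it "addr" and the function parameter is "bcc"; aligning the three names would keep the generated manual page consistent. Dropping the local "#define NO_DSN_ORCPT" in favor of the definition in cleanup.h is right, but it is worth grepping src/cleanup for any other local copy, since a duplicate #define with an identical expansion compiles silently and hides the new header dependency that the Makefile.in hunks now declare.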
@@ -205,7 +219,7 @@ void cleanup_addr_bcc(CLEANUP_STATE *state, const char *bcc) && (cleanup_masq_flags & CLEANUP_MASQ_FLAG_ENV_RCPT)) cleanup_masquerade_internal(clean_addr, cleanup_masq_domains); } - cleanup_out_recipient(state, NO_DSN_ORCPT, DSN_NOTIFY_NEVER, + cleanup_out_recipient(state, dsn_orcpt, dsn_notify, STR(clean_addr), STR(clean_addr)); vstring_free(clean_addr); } diff --git a/postfix/src/cleanup/cleanup_milter.c b/postfix/src/cleanup/cleanup_milter.c index 05ded6167..0fc9282c6 100644 --- a/postfix/src/cleanup/cleanup_milter.c +++ b/postfix/src/cleanup/cleanup_milter.c @@ -1449,7 +1449,7 @@ static const char *cleanup_add_rcpt(void *context, const char *ext_rcpt) } } tok822_free_tree(tree); - cleanup_addr_bcc(state, STR(int_rcpt_buf)); + cleanup_addr_bcc_dsn(state, STR(int_rcpt_buf), NO_DSN_ORCPT, DEF_DSN_NOTIFY); vstring_free(int_rcpt_buf); if (addr_count == 0) { msg_warn("%s: ignoring attempt from Milter to add null recipient", diff --git a/postfix/src/dnsblog/dnsblog.c b/postfix/src/dnsblog/dnsblog.c index 425a70267..dd3ea7158 100644 --- a/postfix/src/dnsblog/dnsblog.c +++ b/postfix/src/dnsblog/dnsblog.c @@ -188,7 +188,7 @@ static VSTRING *dnsblog_query(VSTRING *result, const char *dnsbl_domain, msg_warn("%s: skipping reply record type %s for query %s: %m", myname, dns_strtype(rr->type), STR(query)); } else { - msg_info("addr %s blocked by domain %s as %s", + msg_info("addr %s listed by domain %s as %s", addr, dnsbl_domain, hostaddr.buf); if (LEN(result) > 0) vstring_strcat(result, " "); @@ -198,7 +198,7 @@ static VSTRING *dnsblog_query(VSTRING *result, const char *dnsbl_domain, dns_rr_free(addr_list); } else if (dns_status == DNS_NOTFOUND) { if (msg_verbose) - msg_info("%s: addr %s not listed under domain %s", + msg_info("%s: addr %s not listed by domain %s", myname, addr, dnsbl_domain); } else { msg_warn("%s: lookup error for DNS query %s: %s", 
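Review bot: the cleanup_milter.c hunk gives Milter-added recipients default DSN handling, so a delivery failure for such a recipient now produces a bounce to the envelope sender, as the RELEASE_NOTES hunk documents; since a Milter may add recipients to mail from arbitrary, possibly forged senders, operators who use smfi_addrcpt for archive or quarantine copies should make sure that destination is reliably deliverable, otherwise a failing copy now turns into backscatter to third parties. The new call line also exceeds 80 columns once indented; wrapping the argument list would keep it within the column style of the surrounding code.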
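Review bot: the dnsblog.c change from "addr X blocked by domain Y as Z" to "addr X listed by domain Y as Z" is the right wording now that the same lookup serves whitelist domains, but it breaks any log-monitoring rule, fail2ban filter or SIEM parser keyed on "blocked by domain"; a line in RELEASE_NOTES next to the smfi_addrcpt incompatibility would warn log consumers, who depend on this text as an interface. The second hunk changes the verbose-only message from "not listed under domain" to "not listed by domain", which keeps the two messages parallel.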
diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index 7b10077e0..3c19cd302 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -1870,6 +1870,10 @@ extern int var_mailtool_compat; #define DEF_DAEMON_TIMEOUT "18000s" extern int var_daemon_timeout; +#define VAR_QMGR_DAEMON_TIMEOUT "qmgr_daemon_timeout" +#define DEF_QMGR_DAEMON_TIMEOUT "1000s" +extern int var_qmgr_daemon_timeout; + /* * How long an intra-mail command may take before we assume the mail system * is in deadlock (should never happen). @@ -1878,6 +1882,10 @@ extern int var_daemon_timeout; #define DEF_IPC_TIMEOUT "3600s" extern int var_ipc_timeout; +#define VAR_QMGR_IPC_TIMEOUT "qmgr_ipc_timeout" +#define DEF_QMGR_IPC_TIMEOUT "60s" +extern int var_qmgr_ipc_timeout; + /* * Time limit on intra-mail triggers. */ diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 8569f945f..1f9174338 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20101007" +#define MAIL_RELEASE_DATE "20101103" #define MAIL_VERSION_NUMBER "2.8" #ifdef SNAPSHOT diff --git a/postfix/src/oqmgr/qmgr.c b/postfix/src/oqmgr/qmgr.c index edff94dc8..c3911ebdf 100644 --- a/postfix/src/oqmgr/qmgr.c +++ b/postfix/src/oqmgr/qmgr.c 
@@ -253,7 +253,16 @@ /* limit > 1, a destination is a domain, otherwise it is a recipient. /* .IP "\fItransport\fB_destination_rate_delay $default_destination_rate_delay /* Idem, for delivery via the named message \fItransport\fR. -/* .SH MISCELLANEOUS CONTROLS +/* SAFETY CONTROLS +/* .ad +/* .fi +/* .IP "\fBqmgr_daemon_timeout (1000s)\fR" +/* How much time a Postfix queue manager process may take to handle +/* a request before it is terminated by a built-in watchdog timer. +/* .IP "\fBqmgr_ipc_timeout (60s)\fR" +/* The time limit for the queue manager to send or receive information +/* over an internal communication channel. +/* MISCELLANEOUS CONTROLS /* .ad /* .fi /* .IP "\fBconfig_directory (see 'postconf -d' output)\fR" @@ -268,9 +277,6 @@ /* .IP "\fBhelpful_warnings (yes)\fR" /* Log warnings about problematic configuration settings, and provide /* helpful suggestions. -/* .IP "\fBipc_timeout (3600s)\fR" -/* The time limit for sending or receiving information over an internal -/* communication channel. /* .IP "\fBprocess_id (read-only)\fR" /* The process ID of a Postfix command or daemon process. /* .IP "\fBprocess_name (read-only)\fR" @@ -376,6 +382,8 @@ int var_conc_cohort_limit; int var_conc_feedback_debug; int var_dest_rate_delay; char *var_def_filter_nexthop; +int var_qmgr_daemon_timeout; +int var_qmgr_ipc_timeout; static QMGR_SCAN *qmgr_scans[2]; 
@@ -584,8 +592,11 @@ static void qmgr_post_init(char *unused_name, char **unused_argv) * Left-over active queue entries are moved to the incoming queue because * the incoming queue has priority; moving left-overs to the deferred * queue could cause anomalous delays when "postfix reload/start" are - * issued often. + * issued often. Override the IPC timeout (default 3600s) so that the + * queue manager can reset a broken IPC channel before the watchdog timer + * goes off. */ + var_ipc_timeout = var_qmgr_ipc_timeout; var_use_limit = 0; var_idle_limit = 0; qmgr_move(MAIL_QUEUE_ACTIVE, MAIL_QUEUE_INCOMING, event_time()); @@ -617,6 +628,8 @@ int main(int argc, char **argv) VAR_XPORT_RETRY_TIME, DEF_XPORT_RETRY_TIME, &var_transport_retry_time, 1, 0, VAR_QMGR_CLOG_WARN_TIME, DEF_QMGR_CLOG_WARN_TIME, &var_qmgr_clog_warn_time, 0, 0, VAR_DEST_RATE_DELAY, DEF_DEST_RATE_DELAY, &var_dest_rate_delay, 0, 0, + VAR_QMGR_DAEMON_TIMEOUT, DEF_QMGR_DAEMON_TIMEOUT, &var_qmgr_daemon_timeout, 1, 0, + VAR_QMGR_IPC_TIMEOUT, DEF_QMGR_IPC_TIMEOUT, &var_qmgr_ipc_timeout, 1, 0, 0, }; static const CONFIG_INT_TABLE int_table[] = { @@ -658,5 +671,6 @@ int main(int argc, char **argv) MAIL_SERVER_LOOP, qmgr_loop, MAIL_SERVER_PRE_ACCEPT, pre_accept, MAIL_SERVER_SOLITARY, + MAIL_SERVER_WATCHDOG, &var_qmgr_daemon_timeout, 0); } diff --git a/postfix/src/postscreen/postscreen.c b/postfix/src/postscreen/postscreen.c index d3c270ebe..74a32f4e4 100644 --- a/postfix/src/postscreen/postscreen.c +++ b/postfix/src/postscreen/postscreen.c 
@@ -118,8 +118,8 @@ /* its combined DNSBL score as defined with the postscreen_dnsbl_sites /* parameter. /* .IP "\fBpostscreen_forbidden_commands ($smtpd_forbidden_commands)\fR" -/* List of commands that \fBpostscreen\fR(8) server considers in violation -/* of the SMTP protocol. +/* List of commands that the \fBpostscreen\fR(8) server considers in +/* violation of the SMTP protocol. /* .IP "\fBpostscreen_greet_action (ignore)\fR" /* The action that \fBpostscreen\fR(8) takes when an SMTP client speaks /* before its turn within the time specified with the postscreen_greet_wait diff --git a/postfix/src/postscreen/postscreen.h b/postfix/src/postscreen/postscreen.h index 374389a64..4470756b3 100644 --- a/postfix/src/postscreen/postscreen.h +++ b/postfix/src/postscreen/postscreen.h @@ -50,6 +50,7 @@ typedef struct { time_t dnsbl_stamp; /* dnsbl expiration time */ VSTRING *dnsbl_reply; /* dnsbl reject text */ int dnsbl_index; /* dnsbl request index */ + time_t penal_stamp; /* penalty expiration time */ /* Built-in SMTP protocol engine. */ time_t pipel_stamp; /* pipelining expiration time */ time_t nsmtp_stamp; /* non-smtp command expiration time */ @@ -97,6 +98,9 @@ typedef struct { #define PS_STATE_FLAGS_TODO_TO_PASS(todo_flags) ((todo_flags) >> 1) #define PS_STATE_FLAGS_TODO_TO_DONE(todo_flags) ((todo_flags) << 1) +#define PS_STATE_FLAG_PENAL_UPDATE (1<<6) /* save new penalty */ +#define PS_STATE_FLAG_PENAL_FAIL (1<<7) /* penalty is active */ + #define PS_STATE_FLAG_PREGR_FAIL (1<<8) /* failed pregreet test */ #define PS_STATE_FLAG_PREGR_PASS (1<<9) /* passed pregreet test */ #define PS_STATE_FLAG_PREGR_TODO (1<<10) /* pregreet test expired */ @@ -178,7 +182,7 @@ typedef struct { * Super-aggregates for all tests combined. */ #define PS_STATE_MASK_ANY_FAIL \ - (PS_STATE_FLAG_BLIST_FAIL | \ + (PS_STATE_FLAG_BLIST_FAIL | PS_STATE_FLAG_PENAL_FAIL | \ PS_STATE_MASK_EARLY_FAIL | PS_STATE_MASK_SMTPD_FAIL) #define PS_STATE_MASK_ANY_PASS \ 
@@ -191,7 +195,7 @@ typedef struct { (PS_STATE_MASK_ANY_TODO | PS_STATE_MASK_ANY_FAIL) #define PS_STATE_MASK_ANY_UPDATE \ - (PS_STATE_MASK_ANY_PASS) + (PS_STATE_MASK_ANY_PASS | PS_STATE_FLAG_PENAL_UPDATE) /* * See log_adhoc.c for discussion. @@ -391,6 +395,7 @@ extern int ps_dnsbl_request(const char *, void (*) (int, char *), char *); (dst)->dnsbl_stamp = PS_TIME_STAMP_INVALID; \ (dst)->pipel_stamp = PS_TIME_STAMP_INVALID; \ (dst)->barlf_stamp = PS_TIME_STAMP_INVALID; \ + (dst)->penal_stamp = PS_TIME_STAMP_INVALID; \ } while (0) #define PS_BEGIN_TESTS(state, name) do { \ (state)->test_name = (name); \ diff --git a/postfix/src/postscreen/postscreen_state.c b/postfix/src/postscreen/postscreen_state.c index 06a037fab..740c02454 100644 --- a/postfix/src/postscreen/postscreen_state.c +++ b/postfix/src/postscreen/postscreen_state.c @@ -62,7 +62,7 @@ /* port arguments are null-terminated strings with the remote /* SMTP client endpoint. The _reply members are set to /* polite "try again" SMTP replies. The protocol member is set -/* to "SMTP". +/* to "SMTP". /* /* The ps_stress variable is set to non-zero when /* ps_check_queue_length passes over a high-water mark. @@ -224,6 +224,9 @@ const char *ps_print_state_flags(int flags, const char *context) "HANGUP", PS_STATE_FLAG_HANGUP, "CACHE_EXPIRED", PS_STATE_FLAG_CACHE_EXPIRED, + "PENAL_UPDATE", PS_STATE_FLAG_PENAL_UPDATE, + "PENAL_FAIL", PS_STATE_FLAG_PENAL_FAIL, + "PREGR_FAIL", PS_STATE_FLAG_PREGR_FAIL, "PREGR_PASS", PS_STATE_FLAG_PREGR_PASS, "PREGR_TODO", PS_STATE_FLAG_PREGR_TODO, diff --git a/postfix/src/postscreen/postscreen_tests.c b/postfix/src/postscreen/postscreen_tests.c index 02b6965e5..7c7fdfe0b 100644 --- a/postfix/src/postscreen/postscreen_tests.c +++ b/postfix/src/postscreen/postscreen_tests.c 
@@ -30,7 +30,7 @@ /* DESCRIPTION /* The functions in this module overwrite the per-test expiration /* time stamps and all flags bits. Some functions are implemented -/* as unsafe macros, meaning they evaluate one ore more arguments +/* as unsafe macros, meaning they evaluate one or more arguments /* multiple times. /* /* PS_INIT_TESTS() is an unsafe macro that sets the per-test @@ -132,6 +132,7 @@ void ps_new_tests(PS_STATE *state) state->pipel_stamp = PS_TIME_STAMP_NEW; state->nsmtp_stamp = PS_TIME_STAMP_NEW; state->barlf_stamp = PS_TIME_STAMP_NEW; + state->penal_stamp = PS_TIME_STAMP_NEW; /* * Don't flag disabled tests as "todo", because there would be no way to @@ -155,11 +156,14 @@ void ps_parse_tests(PS_STATE *state, const char *stamp_str, time_t time_value) { + const char *myname = "ps_parse_tests"; unsigned long pregr_stamp; unsigned long dnsbl_stamp; unsigned long pipel_stamp; unsigned long nsmtp_stamp; unsigned long barlf_stamp; + unsigned long penal_stamp; + time_t penalty_left; /* * We don't know what tests have expired or have never passed. @@ -175,9 +179,9 @@ void ps_parse_tests(PS_STATE *state, * enabled tests, but the remote SMTP client has not yet passed all those * tests. */ - switch (sscanf(stamp_str, "%lu;%lu;%lu;%lu;%lu", + switch (sscanf(stamp_str, "%lu;%lu;%lu;%lu;%lu;%lu", &pregr_stamp, &dnsbl_stamp, &pipel_stamp, &nsmtp_stamp, - &barlf_stamp)) { + &barlf_stamp, &penal_stamp)) { case 0: pregr_stamp = PS_TIME_STAMP_DISABLED; case 1: @@ -188,6 +192,8 @@ void ps_parse_tests(PS_STATE *state, nsmtp_stamp = PS_TIME_STAMP_DISABLED; case 4: barlf_stamp = PS_TIME_STAMP_DISABLED; + case 5: + penal_stamp = PS_TIME_STAMP_DISABLED; default: break; } @@ -196,6 +202,7 @@ void ps_parse_tests(PS_STATE *state, state->pipel_stamp = pipel_stamp; state->nsmtp_stamp = nsmtp_stamp; state->barlf_stamp = barlf_stamp; + state->penal_stamp = penal_stamp; if (pregr_stamp == PS_TIME_STAMP_NEW || dnsbl_stamp == PS_TIME_STAMP_NEW 
@@ -253,6 +260,41 @@ void ps_parse_tests(PS_STATE *state, state->flags |= PS_STATE_FLAG_DNSBL_TODO; } #endif + + /* + * Apply unexpired penalty for past behavior. + * + * XXX Before we can drop connections, change this function to return + * success/fail, to inform the caller that the state object no longer + * exists. + */ +#ifdef NONPROD + if ((penalty_left = state->penal_stamp - event_time()) > 0) { + msg_info("PENALTY %ld for %s", + (long) penalty_left, state->smtp_client_addr); + PS_FAIL_SESSION_STATE(state, PS_STATE_FLAG_PENAL_FAIL); +#if 0 + switch (ps_penal_action) { + case PS_ACT_DROP: + PS_DROP_SESSION_STATE(state, + "421 4.3.2 Service currently unavailable\r\n"); + break; + case PS_ACT_ENFORCE: +#endif + PS_ENFORCE_SESSION_STATE(state, + "450 4.3.2 Service currently unavailable\r\n"); +#if 0 + break; + case PS_ACT_IGNORE: + PS_UNFAIL_SESSION_STATE(state, PS_STATE_FLAG_PENAL_FAIL); + break; + default: + msg_panic("%s: unknown penalty action value %d", + myname, ps_penal_action); + } +#endif + } +#endif /* NONPROD */ } /* ps_print_tests - print postscreen cache record */ 
@@ -267,6 +309,25 @@ char *ps_print_tests(VSTRING *buf, PS_STATE *state) if ((state->flags & PS_STATE_MASK_ANY_UPDATE) == 0) msg_panic("%s: attempt to save a no-update record", myname); + /* + * Don't record a client as "passed" while subject to penalty. Be sure to + * produce correct PASS OLD/NEW logging. + * + * XXX This needs to be refined - we should not reset the result of tests + * that were passed in previous sessions, otherwise a client may never + * pass a multi-stage test such as greylisting. One solution is to keep + * the original and updated time stamps around, and to save an updated + * time stamp only when the corresponding "pass" flag is raised. + */ +#ifdef NONPROD + if (state->flags & PS_STATE_FLAG_PENAL_FAIL) { + state->pregr_stamp = state->dnsbl_stamp = state->pipel_stamp = + state->nsmtp_stamp = state->barlf_stamp = + ((state->flags & PS_STATE_FLAG_NEW) ? + PS_TIME_STAMP_NEW : PS_TIME_STAMP_DISABLED); + } +#endif + /* * Give disabled tests a dummy time stamp so that we don't log a client * with "pass new" when some disabled test becomes enabled at some later @@ -283,12 +344,13 @@ char *ps_print_tests(VSTRING *buf, PS_STATE *state) if (var_ps_barlf_enable == 0 && state->barlf_stamp == PS_TIME_STAMP_NEW) state->barlf_stamp = PS_TIME_STAMP_DISABLED; - vstring_sprintf(buf, "%lu;%lu;%lu;%lu;%lu", + vstring_sprintf(buf, "%lu;%lu;%lu;%lu;%lu;%lu", (unsigned long) state->pregr_stamp, (unsigned long) state->dnsbl_stamp, (unsigned long) state->pipel_stamp, (unsigned long) state->nsmtp_stamp, - (unsigned long) state->barlf_stamp); + (unsigned long) state->barlf_stamp, + (unsigned long) state->penal_stamp); return (STR(buf)); } diff --git a/postfix/src/qmgr/qmgr.c b/postfix/src/qmgr/qmgr.c index d6d7fe541..a59bf5da0 100644 --- a/postfix/src/qmgr/qmgr.c +++ b/postfix/src/qmgr/qmgr.c 
@@ -299,6 +299,15 @@ /* limit > 1, a destination is a domain, otherwise it is a recipient. /* .IP "\fItransport\fB_destination_rate_delay $default_destination_rate_delay /* Idem, for delivery via the named message \fItransport\fR. +/* SAFETY CONTROLS +/* .ad +/* .fi +/* .IP "\fBqmgr_daemon_timeout (1000s)\fR" +/* How much time a Postfix queue manager process may take to handle +/* a request before it is terminated by a built-in watchdog timer. +/* .IP "\fBqmgr_ipc_timeout (60s)\fR" +/* The time limit for the queue manager to send or receive information +/* over an internal communication channel. /* MISCELLANEOUS CONTROLS /* .ad /* .fi @@ -314,9 +323,6 @@ /* .IP "\fBhelpful_warnings (yes)\fR" /* Log warnings about problematic configuration settings, and provide /* helpful suggestions. -/* .IP "\fBipc_timeout (3600s)\fR" -/* The time limit for sending or receiving information over an internal -/* communication channel. /* .IP "\fBprocess_id (read-only)\fR" /* The process ID of a Postfix command or daemon process. /* .IP "\fBprocess_name (read-only)\fR" @@ -436,6 +442,8 @@ int var_conc_cohort_limit; int var_conc_feedback_debug; int var_dest_rate_delay; char *var_def_filter_nexthop; +int var_qmgr_daemon_timeout; +int var_qmgr_ipc_timeout; static QMGR_SCAN *qmgr_scans[2]; @@ -651,8 +659,11 @@ static void qmgr_post_init(char *name, char **unused_argv) * Left-over active queue entries are moved to the incoming queue because * the incoming queue has priority; moving left-overs to the deferred * queue could cause anomalous delays when "postfix reload/start" are - * issued often. + * issued often. Override the IPC timeout (default 3600s) so that the + * queue manager can reset a broken IPC channel before the watchdog timer + * goes off. */ + var_ipc_timeout = var_qmgr_ipc_timeout; var_use_limit = 0; var_idle_limit = 0; qmgr_move(MAIL_QUEUE_ACTIVE, MAIL_QUEUE_INCOMING, event_time()); 
@@ -685,6 +696,8 @@ int main(int argc, char **argv) VAR_QMGR_CLOG_WARN_TIME, DEF_QMGR_CLOG_WARN_TIME, &var_qmgr_clog_warn_time, 0, 0, VAR_XPORT_REFILL_DELAY, DEF_XPORT_REFILL_DELAY, &var_xport_refill_delay, 1, 0, VAR_DEST_RATE_DELAY, DEF_DEST_RATE_DELAY, &var_dest_rate_delay, 0, 0, + VAR_QMGR_DAEMON_TIMEOUT, DEF_QMGR_DAEMON_TIMEOUT, &var_qmgr_daemon_timeout, 1, 0, + VAR_QMGR_IPC_TIMEOUT, DEF_QMGR_IPC_TIMEOUT, &var_qmgr_ipc_timeout, 1, 0, 0, }; static const CONFIG_INT_TABLE int_table[] = { @@ -733,5 +746,6 @@ int main(int argc, char **argv) MAIL_SERVER_LOOP, qmgr_loop, MAIL_SERVER_PRE_ACCEPT, pre_accept, MAIL_SERVER_SOLITARY, + MAIL_SERVER_WATCHDOG, &var_qmgr_daemon_timeout, 0); } diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c index 3f5a8c583..a013a6d82 100644 --- a/postfix/src/smtpd/smtpd_check.c +++ b/postfix/src/smtpd/smtpd_check.c @@ -3799,7 +3799,8 @@ static int generic_checks(SMTPD_STATE *state, ARGV *restrictions, name); else { cpp += 1; - if (state->helo_name) + if (state->helo_name + && valid_hostname(state->helo_name, DONT_GRIPE)) status = reject_rbl_domain(state, *cpp, state->helo_name, SMTPD_NAME_HELO); }
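Review bot: the cleanup_addr.c hunk drops the file-local `#define NO_DSN_ORCPT ((char *) 0)` and documents a new `cleanup_addr_bcc()` backwards-compatibility wrapper, but neither the wrapper nor the header that now has to export NO_DSN_ORCPT, NO_DSN_NOTIFY and DEF_DSN_NOTIFY appears in this diff, while the cleanup_milter.c hunk already calls `cleanup_addr_bcc_dsn(state, STR(int_rcpt_buf), NO_DSN_ORCPT, DEF_DSN_NOTIFY)`. Please include the cleanup.h change in the same commit so the milter call is known to compile, and wrap that call to stay within the 80-column layout used by the surrounding code.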
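Review bot: switching Milter-added recipients from DSN_NOTIFY_NEVER to DEF_DSN_NOTIFY in cleanup_add_rcpt() is a behaviour change that deserves a sentence in the function comment and in the Milter documentation: a recipient added with smfi_addrcpt that later fails delivery will now produce a non-delivery notification to the envelope sender instead of failing silently. For Milters that add recipients to inbound mail this matters, because the envelope sender of inbound mail is not trustworthy and such notifications can become backscatter; the docs should say which DSN behaviour applies so operators can judge the exposure.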
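Review bot: the dnsblog.c wording change from "addr X blocked by domain Y as Z" to "addr X listed by domain Y as Z" alters a log line that monitoring and log-parsing rules may match on; mention it in the release notes so operators can update their patterns, and note that the verbose-only "not listed by domain" line changed in the same way.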
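Review bot: in both oqmgr/qmgr.c and qmgr/qmgr.c, the new `var_ipc_timeout = var_qmgr_ipc_timeout;` in qmgr_post_init() only achieves its stated purpose (reset a broken IPC channel before the watchdog fires) while qmgr_ipc_timeout (60s) stays shorter than qmgr_daemon_timeout (1000s), and nothing checks that relationship once an operator edits main.cf; suggest a msg_warn or msg_fatal when var_qmgr_ipc_timeout >= var_qmgr_daemon_timeout. Also, the explanatory sentence was appended to the comment about moving left-over active-queue entries, which it has nothing to do with; give the assignment its own comment block. The two files carry identical hunks, so keep them in lock-step if either is revised.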
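Review bot: the new VAR_QMGR_DAEMON_TIMEOUT / VAR_QMGR_IPC_TIMEOUT definitions in mail_params.h are documented only in the qmgr.c and oqmgr/qmgr.c header comments (the new SAFETY CONTROLS section); the matching postconf(5) entries in proto/postconf.proto are not part of this diff and should be added so `postconf -d` users and the HTML docs see the same text.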
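Review bot: in postscreen.h, PS_STATE_FLAG_PENAL_UPDATE (1<<6) and PS_STATE_FLAG_PENAL_FAIL (1<<7) sit below the per-test FAIL/PASS/TODO triples that start at bit 8 and do not follow that three-bit layout, so they must never be passed through PS_STATE_FLAGS_TODO_TO_PASS()/_TO_DONE(); a comment saying so would help, and please confirm bits 6 and 7 are not already taken by the flags defined above this hunk (HANGUP and CACHE_EXPIRED appear just before the new entries in the ps_print_state_flags table). Also PS_STATE_MASK_ANY_UPDATE now includes PENAL_UPDATE, but no hunk in this diff ever raises that flag (the NONPROD code only sets PENAL_FAIL), so a new penalty stamp can never by itself trigger a cache write; either set the flag where a penalty is assigned or mark it as reserved.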
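Review bot: in ps_parse_tests(), `myname` and `penalty_left` are declared unconditionally but used only inside `#ifdef NONPROD`, which produces unused-variable warnings in production builds; move both declarations under the same #ifdef. The widening of sscanf to six `%lu` fields plus the added `case 5:` fall-through keeps old five-field cache records readable (penal_stamp becomes PS_TIME_STAMP_DISABLED), which is good; worth noting in the comment that ps_print_tests() now always writes the sixth field, so a downgrade to the previous snapshot leaves a trailing ";N" that the older five-field sscanf simply ignores.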
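Review bot: the NONPROD block in ps_print_tests() resets all five test stamps whenever PS_STATE_FLAG_PENAL_FAIL is set, so a penalised client loses the results of tests it passed in earlier sessions; the XXX comment acknowledges this, and since the code stays in the tree, the fix the comment sketches (keep original and updated stamps, save an updated stamp only when its pass flag is raised) should land before the ifdef is ever removed. Separately, the visible disabled-stamp fixup sequence ends with barlf_stamp and has no counterpart for penal_stamp, so in a build without NONPROD every record written carries the PS_TIME_STAMP_NEW that ps_new_tests() assigns in its sixth field; add the same PS_TIME_STAMP_DISABLED substitution for penal_stamp under `#ifndef NONPROD`.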
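Review bot: the reject_rhsbl_helo change in generic_checks() now silently skips the RHSBL lookup when the HELO name fails valid_hostname(); with DONT_GRIPE nothing is logged, which is right for production noise but leaves no trace under msg_verbose of why the restriction did not fire. Suggest a msg_verbose-guarded msg_info for the skipped case, and update the reject_rhsbl_helo text in proto/postconf.proto to state that HELO arguments that are not valid hostnames (address literals and the like) are not looked up.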