From: Wietse Venema Date: Sun, 20 Aug 2023 05:00:00 +0000 (-0500) Subject: postfix-3.9-20230820 X-Git-Tag: v3.9.0~46 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=999468c0ebd31d60616a4d0d513d6ae897433874;p=thirdparty%2Fpostfix.git postfix-3.9-20230820 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index f37f294c3..89cbcdbbd 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -27297,3 +27297,18 @@ Apologies for any names omitted. Documentation loose ends. Files: proto/postconf.proto, RELEASE_NOTES. + +20230815 + + Bugfix (bug introduced: 20140218): when opportunistic TLS fails + during or after the handshake, don't require that a probe + message has a minimum time-in-queue before falling back to + plaintext. Problem reported by Serg. File: smtp/smtp.h. + +20230820 + + Feature: smtp_sasl_password_result_delimiter, for the rare + case that the ":" character needs to be part of the username. + mantools/postlink, proto/postconf.proto, global/mail_params.h, + smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp_params.c, + smtp/smtp_sasl_glue.c. diff --git a/postfix/WISHLIST b/postfix/WISHLIST index 6fd70dce9..9f409b18b 100644 --- a/postfix/WISHLIST +++ b/postfix/WISHLIST @@ -6,6 +6,8 @@ Wish list: Disable -DSNAPSHOT and -DNONPROD in makedefs. + postfix-install should mention makedefs.out. + Deprecate permit_mx_backup. It is fundamentally incompatible with recipient address validation. There is no way to fix that: reject_unverified_recipient requires that the domain is reachable, diff --git a/postfix/html/lmtp.8.html b/postfix/html/lmtp.8.html index 4469e07d7..76c1ebe34 100644 --- a/postfix/html/lmtp.8.html +++ b/postfix/html/lmtp.8.html 
@@ -490,28 +490,34 @@ SMTP(8) SMTP(8) Whether or not to append the "AUTH=<>" option to the MAIL FROM command in SASL-authenticated SMTP sessions. + Available in Postfix version 3.9 and later: + + smtp_sasl_password_result_delimiter (:) + The delimiter between username and password in sasl_passwd_maps + lookup results. + STARTTLS SUPPORT CONTROLS - Detailed information about STARTTLS configuration may be found in the + Detailed information about STARTTLS configuration may be found in the TLS_README document. smtp_tls_security_level (empty) The default SMTP TLS security level for the Postfix SMTP client. smtp_sasl_tls_security_options ($smtp_sasl_security_options) - The SASL authentication security options that the Postfix SMTP + The SASL authentication security options that the Postfix SMTP client uses for TLS encrypted SMTP sessions. smtp_starttls_timeout (300s) - Time limit for Postfix SMTP client write and read operations + Time limit for Postfix SMTP client write and read operations during TLS startup and shutdown handshake procedures. smtp_tls_CAfile (empty) - A file containing CA certificates of root CAs trusted to sign - either remote SMTP server certificates or intermediate CA cer- + A file containing CA certificates of root CAs trusted to sign + either remote SMTP server certificates or intermediate CA cer- tificates. smtp_tls_CApath (empty) - Directory with PEM format Certification Authority certificates + Directory with PEM format Certification Authority certificates that the Postfix SMTP client uses to verify a remote SMTP server certificate. @@ -519,7 +525,7 @@ SMTP(8) SMTP(8) File with the Postfix SMTP client RSA certificate in PEM format. smtp_tls_mandatory_ciphers (medium) - The minimum TLS cipher grade that the Postfix SMTP client will + The minimum TLS cipher grade that the Postfix SMTP client will use with mandatory TLS encryption. smtp_tls_exclude_ciphers (empty) 
@@ -527,8 +533,8 @@ SMTP(8) SMTP(8) client cipher list at all TLS security levels. smtp_tls_mandatory_exclude_ciphers (empty) - Additional list of ciphers or cipher types to exclude from the - Postfix SMTP client cipher list at mandatory TLS security lev- + Additional list of ciphers or cipher types to exclude from the + Postfix SMTP client cipher list at mandatory TLS security lev- els. smtp_tls_dcert_file (empty) @@ -544,7 +550,7 @@ SMTP(8) SMTP(8) Enable additional Postfix SMTP client logging of TLS activity. smtp_tls_note_starttls_offer (no) - Log the hostname of a remote SMTP server that offers STARTTLS, + Log the hostname of a remote SMTP server that offers STARTTLS, when TLS is not already enabled for that server. smtp_tls_policy_maps (empty) @@ -553,14 +559,14 @@ SMTP(8) SMTP(8) fied, this overrides the obsolete smtp_tls_per_site parameter. smtp_tls_mandatory_protocols (see 'postconf -d' output) - TLS protocols that the Postfix SMTP client will use with manda- + TLS protocols that the Postfix SMTP client will use with manda- tory TLS encryption. smtp_tls_scert_verifydepth (9) The verification depth for remote SMTP server certificates. smtp_tls_secure_cert_match (nexthop, dot-nexthop) - How the Postfix SMTP client verifies the server certificate + How the Postfix SMTP client verifies the server certificate peername for the "secure" TLS security level. smtp_tls_session_cache_database (empty) 
@@ -568,16 +574,16 @@ SMTP(8) SMTP(8) session cache. smtp_tls_session_cache_timeout (3600s) - The expiration time of Postfix SMTP client TLS session cache + The expiration time of Postfix SMTP client TLS session cache information. smtp_tls_verify_cert_match (hostname) - How the Postfix SMTP client verifies the server certificate + How the Postfix SMTP client verifies the server certificate peername for the "verify" TLS security level. tls_daemon_random_bytes (32) - The number of pseudo-random bytes that an smtp(8) or smtpd(8) - process requests from the tlsmgr(8) server in order to seed its + The number of pseudo-random bytes that an smtp(8) or smtpd(8) + process requests from the tlsmgr(8) server in order to seed its internal pseudo random number generator (PRNG). tls_high_cipherlist (see 'postconf -d' output) @@ -587,7 +593,7 @@ SMTP(8) SMTP(8) The OpenSSL cipherlist for "medium" or higher grade ciphers. tls_null_cipherlist (eNULL:!aNULL) - The OpenSSL cipherlist for "NULL" grade ciphers that provide + The OpenSSL cipherlist for "NULL" grade ciphers that provide authentication without encryption. Available in in Postfix version 2.3..3.7: 
@@ -602,45 +608,45 @@ SMTP(8) SMTP(8) smtp_sasl_tls_verified_security_options ($smtp_sasl_tls_secu- rity_options) - The SASL authentication security options that the Postfix SMTP - client uses for TLS encrypted SMTP sessions with a verified + The SASL authentication security options that the Postfix SMTP + client uses for TLS encrypted SMTP sessions with a verified server certificate. Available in Postfix version 2.5 and later: smtp_tls_fingerprint_cert_match (empty) - List of acceptable remote SMTP server certificate fingerprints - for the "fingerprint" TLS security level (smtp_tls_secu- + List of acceptable remote SMTP server certificate fingerprints + for the "fingerprint" TLS security level (smtp_tls_secu- rity_level = fingerprint). smtp_tls_fingerprint_digest (see 'postconf -d' output) - The message digest algorithm used to construct remote SMTP + The message digest algorithm used to construct remote SMTP server certificate fingerprints. Available in Postfix version 2.6 and later: smtp_tls_protocols (see postconf -d output) - TLS protocols that the Postfix SMTP client will use with oppor- + TLS protocols that the Postfix SMTP client will use with oppor- tunistic TLS encryption. smtp_tls_ciphers (medium) - The minimum TLS cipher grade that the Postfix SMTP client will + The minimum TLS cipher grade that the Postfix SMTP client will use with opportunistic TLS encryption. smtp_tls_eccert_file (empty) - File with the Postfix SMTP client ECDSA certificate in PEM for- + File with the Postfix SMTP client ECDSA certificate in PEM for- mat. smtp_tls_eckey_file ($smtp_tls_eccert_file) - File with the Postfix SMTP client ECDSA private key in PEM for- + File with the Postfix SMTP client ECDSA private key in PEM for- mat. 
Available in Postfix version 2.7 and later: smtp_tls_block_early_mail_reply (no) - Try to detect a mail hijacking attack based on a TLS protocol - vulnerability (CVE-2009-3555), where an attacker prepends mali- - cious HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client + Try to detect a mail hijacking attack based on a TLS protocol + vulnerability (CVE-2009-3555), where an attacker prepends mali- + cious HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client TLS session. Available in Postfix version 2.8 and later: @@ -660,11 +666,11 @@ SMTP(8) SMTP(8) Available in Postfix version 2.11 and later: smtp_tls_trust_anchor_file (empty) - Zero or more PEM-format files with trust-anchor certificates + Zero or more PEM-format files with trust-anchor certificates and/or public keys. smtp_tls_force_insecure_host_tlsa_lookup (no) - Lookup the associated DANE TLSA RRset even when a hostname is + Lookup the associated DANE TLSA RRset even when a hostname is not an alias and its address records lie in an unsigned zone. tlsmgr_service_name (tlsmgr) @@ -673,14 +679,14 @@ SMTP(8) SMTP(8) Available in Postfix version 3.0 and later: smtp_tls_wrappermode (no) - Request that the Postfix SMTP client connects using the SUBMIS- + Request that the Postfix SMTP client connects using the SUBMIS- SIONS/SMTPS protocol instead of using the STARTTLS command. Available in Postfix version 3.1 and later: smtp_tls_dane_insecure_mx_policy (see 'postconf -d' output) - The TLS policy for MX hosts with "secure" TLSA records when the - nexthop destination security level is dane, but the MX record + The TLS policy for MX hosts with "secure" TLSA records when the + nexthop destination security level is dane, but the MX record was found via an "insecure" MX lookup. Available in Postfix version 3.2 and later: 
@@ -695,23 +701,23 @@ SMTP(8) SMTP(8) Try to make multiple deliveries per TLS-encrypted connection. smtp_tls_chain_files (empty) - List of one or more PEM files, each holding one or more private + List of one or more PEM files, each holding one or more private keys directly followed by a corresponding certificate chain. smtp_tls_servername (empty) - Optional name to send to the remote SMTP server in the TLS + Optional name to send to the remote SMTP server in the TLS Server Name Indication (SNI) extension. Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later: tls_fast_shutdown_enable (yes) - A workaround for implementations that hang Postfix while shut- + A workaround for implementations that hang Postfix while shut- ting down a TLS session, until Postfix times out. Available in Postfix version 3.8 and later: tls_ffdhe_auto_groups (see 'postconf -d' output) - The prioritized list of finite-field Diffie-Hellman ephemeral + The prioritized list of finite-field Diffie-Hellman ephemeral (FFDHE) key exchange groups supported by the Postfix SMTP client and server. 
@@ -721,50 +727,50 @@ SMTP(8) SMTP(8) Optional configuration file with baseline OpenSSL settings. tls_config_name (empty) - The application name passed by Postfix to OpenSSL library ini- + The application name passed by Postfix to OpenSSL library ini- tialization functions. Available in Postfix version 3.9 and later: smtp_tls_enable_rpk (no) - Request that remote SMTP servers send an RFC7250 raw public key + Request that remote SMTP servers send an RFC7250 raw public key instead of an X.509 certificate. OBSOLETE STARTTLS CONTROLS - The following configuration parameters exist for compatibility with - Postfix versions before 2.3. Support for these will be removed in a + The following configuration parameters exist for compatibility with + Postfix versions before 2.3. Support for these will be removed in a future release. smtp_use_tls (no) - Opportunistic mode: use TLS when a remote SMTP server announces + Opportunistic mode: use TLS when a remote SMTP server announces STARTTLS support, otherwise send the mail in the clear. smtp_enforce_tls (no) - Enforcement mode: require that remote SMTP servers use TLS + Enforcement mode: require that remote SMTP servers use TLS encryption, and never send mail in the clear. smtp_tls_enforce_peername (yes) - With mandatory TLS encryption, require that the remote SMTP - server hostname matches the information in the remote SMTP + With mandatory TLS encryption, require that the remote SMTP + server hostname matches the information in the remote SMTP server certificate. smtp_tls_per_site (empty) - Optional lookup tables with the Postfix SMTP client TLS usage - policy by next-hop destination and by remote SMTP server host- + Optional lookup tables with the Postfix SMTP client TLS usage + policy by next-hop destination and by remote SMTP server host- name. smtp_tls_cipherlist (empty) - Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS + Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS cipher list. 
RESOURCE AND RATE CONTROLS smtp_connect_timeout (30s) - The Postfix SMTP client time limit for completing a TCP connec- + The Postfix SMTP client time limit for completing a TCP connec- tion, or zero (use the operating system built-in time limit). smtp_helo_timeout (300s) - The Postfix SMTP client time limit for sending the HELO or EHLO - command, and for receiving the initial remote SMTP server + The Postfix SMTP client time limit for sending the HELO or EHLO + command, and for receiving the initial remote SMTP server response. lmtp_lhlo_timeout (300s) @@ -776,19 +782,19 @@ SMTP(8) SMTP(8) mand, and for receiving the remote SMTP server response. smtp_mail_timeout (300s) - The Postfix SMTP client time limit for sending the MAIL FROM + The Postfix SMTP client time limit for sending the MAIL FROM command, and for receiving the remote SMTP server response. smtp_rcpt_timeout (300s) - The Postfix SMTP client time limit for sending the SMTP RCPT TO + The Postfix SMTP client time limit for sending the SMTP RCPT TO command, and for receiving the remote SMTP server response. smtp_data_init_timeout (120s) - The Postfix SMTP client time limit for sending the SMTP DATA + The Postfix SMTP client time limit for sending the SMTP DATA command, and for receiving the remote SMTP server response. smtp_data_xfer_timeout (180s) - The Postfix SMTP client time limit for sending the SMTP message + The Postfix SMTP client time limit for sending the SMTP message content. smtp_data_done_timeout (600s) 
@@ -802,13 +808,13 @@ SMTP(8) SMTP(8) Available in Postfix version 2.1 and later: smtp_mx_address_limit (5) - The maximal number of MX (mail exchanger) IP addresses that can - result from Postfix SMTP client mail exchanger lookups, or zero + The maximal number of MX (mail exchanger) IP addresses that can + result from Postfix SMTP client mail exchanger lookups, or zero (no limit). smtp_mx_session_limit (2) - The maximal number of SMTP sessions per delivery request before - the Postfix SMTP client gives up or delivers to a fall-back + The maximal number of SMTP sessions per delivery request before + the Postfix SMTP client gives up or delivers to a fall-back relay host, or zero (no limit). smtp_rset_timeout (20s) @@ -818,17 +824,17 @@ SMTP(8) SMTP(8) Available in Postfix version 2.2 and earlier: lmtp_cache_connection (yes) - Keep Postfix LMTP client connections open for up to $max_idle + Keep Postfix LMTP client connections open for up to $max_idle seconds. Available in Postfix version 2.2 and later: smtp_connection_cache_destinations (empty) - Permanently enable SMTP connection caching for the specified + Permanently enable SMTP connection caching for the specified destinations. smtp_connection_cache_on_demand (yes) - Temporarily enable SMTP connection caching while a destination + Temporarily enable SMTP connection caching while a destination has a high volume of mail in the active queue. smtp_connection_reuse_time_limit (300s) 
@@ -842,23 +848,23 @@ SMTP(8) SMTP(8) Available in Postfix version 2.3 and later: connection_cache_protocol_timeout (5s) - Time limit for connection cache connect, send or receive opera- + Time limit for connection cache connect, send or receive opera- tions. Available in Postfix version 2.9 - 3.6: smtp_per_record_deadline (no) - Change the behavior of the smtp_*_timeout time limits, from a - time limit per read or write system call, to a time limit to - send or receive a complete record (an SMTP command line, SMTP - response line, SMTP message content line, or TLS protocol mes- + Change the behavior of the smtp_*_timeout time limits, from a + time limit per read or write system call, to a time limit to + send or receive a complete record (an SMTP command line, SMTP + response line, SMTP message content line, or TLS protocol mes- sage). Available in Postfix version 2.11 and later: smtp_connection_reuse_count_limit (0) - When SMTP connection caching is enabled, the number of times - that an SMTP session may be reused before it is closed, or zero + When SMTP connection caching is enabled, the number of times + that an SMTP session may be reused before it is closed, or zero (no limit). Available in Postfix version 3.4 and later: 
@@ -869,13 +875,13 @@ SMTP(8) SMTP(8) Available in Postfix version 3.7 and later: smtp_per_request_deadline (no) - Change the behavior of the smtp_*_timeout time limits, from a - time limit per plaintext or TLS read or write call, to a com- - bined time limit for sending a complete SMTP request and for + Change the behavior of the smtp_*_timeout time limits, from a + time limit per plaintext or TLS read or write call, to a com- + bined time limit for sending a complete SMTP request and for receiving a complete SMTP response. smtp_min_data_rate (500) - The minimum plaintext data transfer rate in bytes/second for + The minimum plaintext data transfer rate in bytes/second for DATA requests, when deadlines are enabled with smtp_per_request_deadline. 
@@ -883,54 +889,54 @@ SMTP(8) SMTP(8) transport_destination_concurrency_limit ($default_destination_concur- rency_limit) - A transport-specific override for the default_destination_con- + A transport-specific override for the default_destination_con- currency_limit parameter value, where transport is the master.cf name of the message delivery transport. transport_destination_recipient_limit ($default_destination_recipi- ent_limit) A transport-specific override for the default_destination_recip- - ient_limit parameter value, where transport is the master.cf + ient_limit parameter value, where transport is the master.cf name of the message delivery transport. SMTPUTF8 CONTROLS Preliminary SMTPUTF8 support is introduced with Postfix 3.0. smtputf8_enable (yes) - Enable preliminary SMTPUTF8 support for the protocols described + Enable preliminary SMTPUTF8 support for the protocols described in RFC 6531, RFC 6532, and RFC 6533. smtputf8_autodetect_classes (sendmail, verify) - Detect that a message requires SMTPUTF8 support for the speci- + Detect that a message requires SMTPUTF8 support for the speci- fied mail origin classes. Available in Postfix version 3.2 and later: enable_idna2003_compatibility (no) - Enable 'transitional' compatibility between IDNA2003 and - IDNA2008, when converting UTF-8 domain names to/from the ASCII + Enable 'transitional' compatibility between IDNA2003 and + IDNA2008, when converting UTF-8 domain names to/from the ASCII form that is used for DNS lookups. TROUBLE SHOOTING CONTROLS debug_peer_level (2) - The increment in verbose logging level when a nexthop destina- - tion, remote client or server name or network address matches a + The increment in verbose logging level when a nexthop destina- + tion, remote client or server name or network address matches a pattern given with the debug_peer_list parameter. 
debug_peer_list (empty) - Optional list of nexthop destination, remote client or server - name or network address patterns that, if matched, cause the - verbose logging level to increase by the amount specified in + Optional list of nexthop destination, remote client or server + name or network address patterns that, if matched, cause the + verbose logging level to increase by the amount specified in $debug_peer_level. error_notice_recipient (postmaster) - The recipient of postmaster notifications about mail delivery + The recipient of postmaster notifications about mail delivery problems that are caused by policy, resource, software or proto- col errors. internal_mail_filter_classes (empty) - What categories of Postfix-generated mail are subject to - before-queue content inspection by non_smtpd_milters, + What categories of Postfix-generated mail are subject to + before-queue content inspection by non_smtpd_milters, header_checks and body_checks. notify_classes (resource, software) 
@@ -938,46 +944,46 @@ SMTP(8) SMTP(8) MISCELLANEOUS CONTROLS best_mx_transport (empty) - Where the Postfix SMTP client should deliver mail when it + Where the Postfix SMTP client should deliver mail when it detects a "mail loops back to myself" error condition. config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and master.cf con- + The default location of the Postfix main.cf and master.cf con- figuration files. daemon_timeout (18000s) - How much time a Postfix daemon process may take to handle a + How much time a Postfix daemon process may take to handle a request before it is terminated by a built-in watchdog timer. delay_logging_resolution_limit (2) - The maximal number of digits after the decimal point when log- + The maximal number of digits after the decimal point when log- ging sub-second delay values. disable_dns_lookups (no) Disable DNS lookups in the Postfix SMTP and LMTP clients. inet_interfaces (all) - The local network interface addresses that this mail system + The local network interface addresses that this mail system receives mail on. inet_protocols (see 'postconf -d output') - The Internet protocols Postfix will attempt to use when making + The Internet protocols Postfix will attempt to use when making or accepting connections. ipc_timeout (3600s) - The time limit for sending or receiving information over an + The time limit for sending or receiving information over an internal communication channel. lmtp_assume_final (no) - When a remote LMTP server announces no DSN support, assume that - the server performs final delivery, and send "delivered" deliv- + When a remote LMTP server announces no DSN support, assume that + the server performs final delivery, and send "delivered" deliv- ery status notifications instead of "relayed". lmtp_tcp_port (24) The default TCP port that the Postfix LMTP client connects to. 
max_idle (100s) - The maximum amount of time that an idle Postfix daemon process + The maximum amount of time that an idle Postfix daemon process waits for an incoming connection before terminating voluntarily. max_use (100) @@ -991,21 +997,21 @@ SMTP(8) SMTP(8) The process name of a Postfix command or daemon process. proxy_interfaces (empty) - The remote network interface addresses that this mail system - receives mail on by way of a proxy or network address transla- + The remote network interface addresses that this mail system + receives mail on by way of a proxy or network address transla- tion unit. smtp_address_preference (any) The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP - client will try first, when a destination has IPv6 and IPv4 + client will try first, when a destination has IPv6 and IPv4 addresses with equal MX preference. smtp_bind_address (empty) - An optional numerical network address that the Postfix SMTP + An optional numerical network address that the Postfix SMTP client should bind to when making an IPv4 connection. smtp_bind_address6 (empty) - An optional numerical network address that the Postfix SMTP + An optional numerical network address that the Postfix SMTP client should bind to when making an IPv6 connection. smtp_helo_name ($myhostname) @@ -1025,7 +1031,7 @@ SMTP(8) SMTP(8) The syslog facility of Postfix logging. syslog_name (see 'postconf -d' output) - A prefix that is prepended to the process name in syslog + A prefix that is prepended to the process name in syslog records, so that, for example, "smtpd" becomes "prefix/smtpd". Available with Postfix 2.2 and earlier: 
@@ -1037,14 +1043,14 @@ SMTP(8) SMTP(8) Available with Postfix 2.3 and later: smtp_fallback_relay ($fallback_relay) - Optional list of relay destinations that will be used when an - SMTP destination is not found, or when delivery fails due to a + Optional list of relay destinations that will be used when an + SMTP destination is not found, or when delivery fails due to a non-permanent error. Available with Postfix 3.0 and later: smtp_address_verify_target (rcpt) - In the context of email address verification, the SMTP protocol + In the context of email address verification, the SMTP protocol stage that determines whether an email address is deliverable. Available with Postfix 3.1 and later: @@ -1066,7 +1072,7 @@ SMTP(8) SMTP(8) Available in Postfix 3.7 and later: smtp_bind_address_enforce (no) - Defer delivery when the Postfix SMTP client cannot apply the + Defer delivery when the Postfix SMTP client cannot apply the smtp_bind_address or smtp_bind_address6 setting. SEE ALSO diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 058d67214..0f895dcf1 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -5300,6 +5300,15 @@ to the remote host.

+ + +
lmtp_sasl_password_result_delimiter +(default: :)
+ +

The LMTP-specific version of the smtp_sasl_password_result_delimiter +configuration parameter. See there for details.

+ +
lmtp_sasl_path @@ -12395,6 +12404,9 @@ If no username:password entry is found, then the Postfix SMTP client will not attempt to authenticate to the remote host.

+

Use smtp_sasl_password_result_delimiter to specify an +alternative separator between username and password.

+

The Postfix SMTP client opens the lookup table before going to chroot jail, so you can leave the password file in /etc/postfix. @@ -12407,6 +12419,16 @@ until a match is found.

+ + +
smtp_sasl_password_result_delimiter +(default: :)
+ +

The delimiter between username and password in sasl_passwd_maps lookup +results. Specify one non-whitespace character that does not appear in +the username.

+ +
smtp_sasl_path diff --git a/postfix/html/smtp.8.html b/postfix/html/smtp.8.html index 4469e07d7..76c1ebe34 100644 --- a/postfix/html/smtp.8.html +++ b/postfix/html/smtp.8.html @@ -490,28 +490,34 @@ SMTP(8) SMTP(8) Whether or not to append the "AUTH=<>" option to the MAIL FROM command in SASL-authenticated SMTP sessions. + Available in Postfix version 3.9 and later: + + smtp_sasl_password_result_delimiter (:) + The delimiter between username and password in sasl_passwd_maps + lookup results. + STARTTLS SUPPORT CONTROLS - Detailed information about STARTTLS configuration may be found in the + Detailed information about STARTTLS configuration may be found in the TLS_README document. smtp_tls_security_level (empty) The default SMTP TLS security level for the Postfix SMTP client. smtp_sasl_tls_security_options ($smtp_sasl_security_options) - The SASL authentication security options that the Postfix SMTP + The SASL authentication security options that the Postfix SMTP client uses for TLS encrypted SMTP sessions. smtp_starttls_timeout (300s) - Time limit for Postfix SMTP client write and read operations + Time limit for Postfix SMTP client write and read operations during TLS startup and shutdown handshake procedures. smtp_tls_CAfile (empty) - A file containing CA certificates of root CAs trusted to sign - either remote SMTP server certificates or intermediate CA cer- + A file containing CA certificates of root CAs trusted to sign + either remote SMTP server certificates or intermediate CA cer- tificates. smtp_tls_CApath (empty) - Directory with PEM format Certification Authority certificates + Directory with PEM format Certification Authority certificates that the Postfix SMTP client uses to verify a remote SMTP server certificate. 
@@ -519,7 +525,7 @@ SMTP(8) SMTP(8) File with the Postfix SMTP client RSA certificate in PEM format. smtp_tls_mandatory_ciphers (medium) - The minimum TLS cipher grade that the Postfix SMTP client will + The minimum TLS cipher grade that the Postfix SMTP client will use with mandatory TLS encryption. smtp_tls_exclude_ciphers (empty) @@ -527,8 +533,8 @@ SMTP(8) SMTP(8) client cipher list at all TLS security levels. smtp_tls_mandatory_exclude_ciphers (empty) - Additional list of ciphers or cipher types to exclude from the - Postfix SMTP client cipher list at mandatory TLS security lev- + Additional list of ciphers or cipher types to exclude from the + Postfix SMTP client cipher list at mandatory TLS security lev- els. smtp_tls_dcert_file (empty) @@ -544,7 +550,7 @@ SMTP(8) SMTP(8) Enable additional Postfix SMTP client logging of TLS activity. smtp_tls_note_starttls_offer (no) - Log the hostname of a remote SMTP server that offers STARTTLS, + Log the hostname of a remote SMTP server that offers STARTTLS, when TLS is not already enabled for that server. smtp_tls_policy_maps (empty) @@ -553,14 +559,14 @@ SMTP(8) SMTP(8) fied, this overrides the obsolete smtp_tls_per_site parameter. smtp_tls_mandatory_protocols (see 'postconf -d' output) - TLS protocols that the Postfix SMTP client will use with manda- + TLS protocols that the Postfix SMTP client will use with manda- tory TLS encryption. smtp_tls_scert_verifydepth (9) The verification depth for remote SMTP server certificates. smtp_tls_secure_cert_match (nexthop, dot-nexthop) - How the Postfix SMTP client verifies the server certificate + How the Postfix SMTP client verifies the server certificate peername for the "secure" TLS security level. smtp_tls_session_cache_database (empty) 
@@ -568,16 +574,16 @@ SMTP(8) SMTP(8) session cache. smtp_tls_session_cache_timeout (3600s) - The expiration time of Postfix SMTP client TLS session cache + The expiration time of Postfix SMTP client TLS session cache information. smtp_tls_verify_cert_match (hostname) - How the Postfix SMTP client verifies the server certificate + How the Postfix SMTP client verifies the server certificate peername for the "verify" TLS security level. tls_daemon_random_bytes (32) - The number of pseudo-random bytes that an smtp(8) or smtpd(8) - process requests from the tlsmgr(8) server in order to seed its + The number of pseudo-random bytes that an smtp(8) or smtpd(8) + process requests from the tlsmgr(8) server in order to seed its internal pseudo random number generator (PRNG). tls_high_cipherlist (see 'postconf -d' output) @@ -587,7 +593,7 @@ SMTP(8) SMTP(8) The OpenSSL cipherlist for "medium" or higher grade ciphers. tls_null_cipherlist (eNULL:!aNULL) - The OpenSSL cipherlist for "NULL" grade ciphers that provide + The OpenSSL cipherlist for "NULL" grade ciphers that provide authentication without encryption. Available in in Postfix version 2.3..3.7: 
@@ -602,45 +608,45 @@ SMTP(8) SMTP(8) smtp_sasl_tls_verified_security_options ($smtp_sasl_tls_secu- rity_options) - The SASL authentication security options that the Postfix SMTP - client uses for TLS encrypted SMTP sessions with a verified + The SASL authentication security options that the Postfix SMTP + client uses for TLS encrypted SMTP sessions with a verified server certificate. Available in Postfix version 2.5 and later: smtp_tls_fingerprint_cert_match (empty) - List of acceptable remote SMTP server certificate fingerprints - for the "fingerprint" TLS security level (smtp_tls_secu- + List of acceptable remote SMTP server certificate fingerprints + for the "fingerprint" TLS security level (smtp_tls_secu- rity_level = fingerprint). smtp_tls_fingerprint_digest (see 'postconf -d' output) - The message digest algorithm used to construct remote SMTP + The message digest algorithm used to construct remote SMTP server certificate fingerprints. Available in Postfix version 2.6 and later: smtp_tls_protocols (see postconf -d output) - TLS protocols that the Postfix SMTP client will use with oppor- + TLS protocols that the Postfix SMTP client will use with oppor- tunistic TLS encryption. smtp_tls_ciphers (medium) - The minimum TLS cipher grade that the Postfix SMTP client will + The minimum TLS cipher grade that the Postfix SMTP client will use with opportunistic TLS encryption. smtp_tls_eccert_file (empty) - File with the Postfix SMTP client ECDSA certificate in PEM for- + File with the Postfix SMTP client ECDSA certificate in PEM for- mat. smtp_tls_eckey_file ($smtp_tls_eccert_file) - File with the Postfix SMTP client ECDSA private key in PEM for- + File with the Postfix SMTP client ECDSA private key in PEM for- mat. 
Available in Postfix version 2.7 and later: smtp_tls_block_early_mail_reply (no) - Try to detect a mail hijacking attack based on a TLS protocol - vulnerability (CVE-2009-3555), where an attacker prepends mali- - cious HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client + Try to detect a mail hijacking attack based on a TLS protocol + vulnerability (CVE-2009-3555), where an attacker prepends mali- + cious HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client TLS session. Available in Postfix version 2.8 and later: @@ -660,11 +666,11 @@ SMTP(8) SMTP(8) Available in Postfix version 2.11 and later: smtp_tls_trust_anchor_file (empty) - Zero or more PEM-format files with trust-anchor certificates + Zero or more PEM-format files with trust-anchor certificates and/or public keys. smtp_tls_force_insecure_host_tlsa_lookup (no) - Lookup the associated DANE TLSA RRset even when a hostname is + Lookup the associated DANE TLSA RRset even when a hostname is not an alias and its address records lie in an unsigned zone. tlsmgr_service_name (tlsmgr) @@ -673,14 +679,14 @@ SMTP(8) SMTP(8) Available in Postfix version 3.0 and later: smtp_tls_wrappermode (no) - Request that the Postfix SMTP client connects using the SUBMIS- + Request that the Postfix SMTP client connects using the SUBMIS- SIONS/SMTPS protocol instead of using the STARTTLS command. Available in Postfix version 3.1 and later: smtp_tls_dane_insecure_mx_policy (see 'postconf -d' output) - The TLS policy for MX hosts with "secure" TLSA records when the - nexthop destination security level is dane, but the MX record + The TLS policy for MX hosts with "secure" TLSA records when the + nexthop destination security level is dane, but the MX record was found via an "insecure" MX lookup. Available in Postfix version 3.2 and later: 
@@ -695,23 +701,23 @@ SMTP(8) SMTP(8) Try to make multiple deliveries per TLS-encrypted connection. smtp_tls_chain_files (empty) - List of one or more PEM files, each holding one or more private + List of one or more PEM files, each holding one or more private keys directly followed by a corresponding certificate chain. smtp_tls_servername (empty) - Optional name to send to the remote SMTP server in the TLS + Optional name to send to the remote SMTP server in the TLS Server Name Indication (SNI) extension. Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later: tls_fast_shutdown_enable (yes) - A workaround for implementations that hang Postfix while shut- + A workaround for implementations that hang Postfix while shut- ting down a TLS session, until Postfix times out. Available in Postfix version 3.8 and later: tls_ffdhe_auto_groups (see 'postconf -d' output) - The prioritized list of finite-field Diffie-Hellman ephemeral + The prioritized list of finite-field Diffie-Hellman ephemeral (FFDHE) key exchange groups supported by the Postfix SMTP client and server. 
@@ -721,50 +727,50 @@ SMTP(8) SMTP(8) Optional configuration file with baseline OpenSSL settings. tls_config_name (empty) - The application name passed by Postfix to OpenSSL library ini- + The application name passed by Postfix to OpenSSL library ini- tialization functions. Available in Postfix version 3.9 and later: smtp_tls_enable_rpk (no) - Request that remote SMTP servers send an RFC7250 raw public key + Request that remote SMTP servers send an RFC7250 raw public key instead of an X.509 certificate. OBSOLETE STARTTLS CONTROLS - The following configuration parameters exist for compatibility with - Postfix versions before 2.3. Support for these will be removed in a + The following configuration parameters exist for compatibility with + Postfix versions before 2.3. Support for these will be removed in a future release. smtp_use_tls (no) - Opportunistic mode: use TLS when a remote SMTP server announces + Opportunistic mode: use TLS when a remote SMTP server announces STARTTLS support, otherwise send the mail in the clear. smtp_enforce_tls (no) - Enforcement mode: require that remote SMTP servers use TLS + Enforcement mode: require that remote SMTP servers use TLS encryption, and never send mail in the clear. smtp_tls_enforce_peername (yes) - With mandatory TLS encryption, require that the remote SMTP - server hostname matches the information in the remote SMTP + With mandatory TLS encryption, require that the remote SMTP + server hostname matches the information in the remote SMTP server certificate. smtp_tls_per_site (empty) - Optional lookup tables with the Postfix SMTP client TLS usage - policy by next-hop destination and by remote SMTP server host- + Optional lookup tables with the Postfix SMTP client TLS usage + policy by next-hop destination and by remote SMTP server host- name. smtp_tls_cipherlist (empty) - Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS + Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS cipher list. 
RESOURCE AND RATE CONTROLS smtp_connect_timeout (30s) - The Postfix SMTP client time limit for completing a TCP connec- + The Postfix SMTP client time limit for completing a TCP connec- tion, or zero (use the operating system built-in time limit). smtp_helo_timeout (300s) - The Postfix SMTP client time limit for sending the HELO or EHLO - command, and for receiving the initial remote SMTP server + The Postfix SMTP client time limit for sending the HELO or EHLO + command, and for receiving the initial remote SMTP server response. lmtp_lhlo_timeout (300s) @@ -776,19 +782,19 @@ SMTP(8) SMTP(8) mand, and for receiving the remote SMTP server response. smtp_mail_timeout (300s) - The Postfix SMTP client time limit for sending the MAIL FROM + The Postfix SMTP client time limit for sending the MAIL FROM command, and for receiving the remote SMTP server response. smtp_rcpt_timeout (300s) - The Postfix SMTP client time limit for sending the SMTP RCPT TO + The Postfix SMTP client time limit for sending the SMTP RCPT TO command, and for receiving the remote SMTP server response. smtp_data_init_timeout (120s) - The Postfix SMTP client time limit for sending the SMTP DATA + The Postfix SMTP client time limit for sending the SMTP DATA command, and for receiving the remote SMTP server response. smtp_data_xfer_timeout (180s) - The Postfix SMTP client time limit for sending the SMTP message + The Postfix SMTP client time limit for sending the SMTP message content. smtp_data_done_timeout (600s) 
@@ -802,13 +808,13 @@ SMTP(8) SMTP(8) Available in Postfix version 2.1 and later: smtp_mx_address_limit (5) - The maximal number of MX (mail exchanger) IP addresses that can - result from Postfix SMTP client mail exchanger lookups, or zero + The maximal number of MX (mail exchanger) IP addresses that can + result from Postfix SMTP client mail exchanger lookups, or zero (no limit). smtp_mx_session_limit (2) - The maximal number of SMTP sessions per delivery request before - the Postfix SMTP client gives up or delivers to a fall-back + The maximal number of SMTP sessions per delivery request before + the Postfix SMTP client gives up or delivers to a fall-back relay host, or zero (no limit). smtp_rset_timeout (20s) @@ -818,17 +824,17 @@ SMTP(8) SMTP(8) Available in Postfix version 2.2 and earlier: lmtp_cache_connection (yes) - Keep Postfix LMTP client connections open for up to $max_idle + Keep Postfix LMTP client connections open for up to $max_idle seconds. Available in Postfix version 2.2 and later: smtp_connection_cache_destinations (empty) - Permanently enable SMTP connection caching for the specified + Permanently enable SMTP connection caching for the specified destinations. smtp_connection_cache_on_demand (yes) - Temporarily enable SMTP connection caching while a destination + Temporarily enable SMTP connection caching while a destination has a high volume of mail in the active queue. smtp_connection_reuse_time_limit (300s) 
@@ -842,23 +848,23 @@ SMTP(8) SMTP(8) Available in Postfix version 2.3 and later: connection_cache_protocol_timeout (5s) - Time limit for connection cache connect, send or receive opera- + Time limit for connection cache connect, send or receive opera- tions. Available in Postfix version 2.9 - 3.6: smtp_per_record_deadline (no) - Change the behavior of the smtp_*_timeout time limits, from a - time limit per read or write system call, to a time limit to - send or receive a complete record (an SMTP command line, SMTP - response line, SMTP message content line, or TLS protocol mes- + Change the behavior of the smtp_*_timeout time limits, from a + time limit per read or write system call, to a time limit to + send or receive a complete record (an SMTP command line, SMTP + response line, SMTP message content line, or TLS protocol mes- sage). Available in Postfix version 2.11 and later: smtp_connection_reuse_count_limit (0) - When SMTP connection caching is enabled, the number of times - that an SMTP session may be reused before it is closed, or zero + When SMTP connection caching is enabled, the number of times + that an SMTP session may be reused before it is closed, or zero (no limit). Available in Postfix version 3.4 and later: 
@@ -869,13 +875,13 @@ SMTP(8) SMTP(8) Available in Postfix version 3.7 and later: smtp_per_request_deadline (no) - Change the behavior of the smtp_*_timeout time limits, from a - time limit per plaintext or TLS read or write call, to a com- - bined time limit for sending a complete SMTP request and for + Change the behavior of the smtp_*_timeout time limits, from a + time limit per plaintext or TLS read or write call, to a com- + bined time limit for sending a complete SMTP request and for receiving a complete SMTP response. smtp_min_data_rate (500) - The minimum plaintext data transfer rate in bytes/second for + The minimum plaintext data transfer rate in bytes/second for DATA requests, when deadlines are enabled with smtp_per_request_deadline. 
@@ -883,54 +889,54 @@ SMTP(8) SMTP(8) transport_destination_concurrency_limit ($default_destination_concur- rency_limit) - A transport-specific override for the default_destination_con- + A transport-specific override for the default_destination_con- currency_limit parameter value, where transport is the master.cf name of the message delivery transport. transport_destination_recipient_limit ($default_destination_recipi- ent_limit) A transport-specific override for the default_destination_recip- - ient_limit parameter value, where transport is the master.cf + ient_limit parameter value, where transport is the master.cf name of the message delivery transport. SMTPUTF8 CONTROLS Preliminary SMTPUTF8 support is introduced with Postfix 3.0. smtputf8_enable (yes) - Enable preliminary SMTPUTF8 support for the protocols described + Enable preliminary SMTPUTF8 support for the protocols described in RFC 6531, RFC 6532, and RFC 6533. smtputf8_autodetect_classes (sendmail, verify) - Detect that a message requires SMTPUTF8 support for the speci- + Detect that a message requires SMTPUTF8 support for the speci- fied mail origin classes. Available in Postfix version 3.2 and later: enable_idna2003_compatibility (no) - Enable 'transitional' compatibility between IDNA2003 and - IDNA2008, when converting UTF-8 domain names to/from the ASCII + Enable 'transitional' compatibility between IDNA2003 and + IDNA2008, when converting UTF-8 domain names to/from the ASCII form that is used for DNS lookups. TROUBLE SHOOTING CONTROLS debug_peer_level (2) - The increment in verbose logging level when a nexthop destina- - tion, remote client or server name or network address matches a + The increment in verbose logging level when a nexthop destina- + tion, remote client or server name or network address matches a pattern given with the debug_peer_list parameter. 
debug_peer_list (empty) - Optional list of nexthop destination, remote client or server - name or network address patterns that, if matched, cause the - verbose logging level to increase by the amount specified in + Optional list of nexthop destination, remote client or server + name or network address patterns that, if matched, cause the + verbose logging level to increase by the amount specified in $debug_peer_level. error_notice_recipient (postmaster) - The recipient of postmaster notifications about mail delivery + The recipient of postmaster notifications about mail delivery problems that are caused by policy, resource, software or proto- col errors. internal_mail_filter_classes (empty) - What categories of Postfix-generated mail are subject to - before-queue content inspection by non_smtpd_milters, + What categories of Postfix-generated mail are subject to + before-queue content inspection by non_smtpd_milters, header_checks and body_checks. notify_classes (resource, software) 
@@ -938,46 +944,46 @@ SMTP(8) SMTP(8) MISCELLANEOUS CONTROLS best_mx_transport (empty) - Where the Postfix SMTP client should deliver mail when it + Where the Postfix SMTP client should deliver mail when it detects a "mail loops back to myself" error condition. config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and master.cf con- + The default location of the Postfix main.cf and master.cf con- figuration files. daemon_timeout (18000s) - How much time a Postfix daemon process may take to handle a + How much time a Postfix daemon process may take to handle a request before it is terminated by a built-in watchdog timer. delay_logging_resolution_limit (2) - The maximal number of digits after the decimal point when log- + The maximal number of digits after the decimal point when log- ging sub-second delay values. disable_dns_lookups (no) Disable DNS lookups in the Postfix SMTP and LMTP clients. inet_interfaces (all) - The local network interface addresses that this mail system + The local network interface addresses that this mail system receives mail on. inet_protocols (see 'postconf -d output') - The Internet protocols Postfix will attempt to use when making + The Internet protocols Postfix will attempt to use when making or accepting connections. ipc_timeout (3600s) - The time limit for sending or receiving information over an + The time limit for sending or receiving information over an internal communication channel. lmtp_assume_final (no) - When a remote LMTP server announces no DSN support, assume that - the server performs final delivery, and send "delivered" deliv- + When a remote LMTP server announces no DSN support, assume that + the server performs final delivery, and send "delivered" deliv- ery status notifications instead of "relayed". lmtp_tcp_port (24) The default TCP port that the Postfix LMTP client connects to. 
max_idle (100s) - The maximum amount of time that an idle Postfix daemon process + The maximum amount of time that an idle Postfix daemon process waits for an incoming connection before terminating voluntarily. max_use (100) @@ -991,21 +997,21 @@ SMTP(8) SMTP(8) The process name of a Postfix command or daemon process. proxy_interfaces (empty) - The remote network interface addresses that this mail system - receives mail on by way of a proxy or network address transla- + The remote network interface addresses that this mail system + receives mail on by way of a proxy or network address transla- tion unit. smtp_address_preference (any) The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP - client will try first, when a destination has IPv6 and IPv4 + client will try first, when a destination has IPv6 and IPv4 addresses with equal MX preference. smtp_bind_address (empty) - An optional numerical network address that the Postfix SMTP + An optional numerical network address that the Postfix SMTP client should bind to when making an IPv4 connection. smtp_bind_address6 (empty) - An optional numerical network address that the Postfix SMTP + An optional numerical network address that the Postfix SMTP client should bind to when making an IPv6 connection. smtp_helo_name ($myhostname) @@ -1025,7 +1031,7 @@ SMTP(8) SMTP(8) The syslog facility of Postfix logging. syslog_name (see 'postconf -d' output) - A prefix that is prepended to the process name in syslog + A prefix that is prepended to the process name in syslog records, so that, for example, "smtpd" becomes "prefix/smtpd". Available with Postfix 2.2 and earlier: 
@@ -1037,14 +1043,14 @@ SMTP(8) SMTP(8) Available with Postfix 2.3 and later: smtp_fallback_relay ($fallback_relay) - Optional list of relay destinations that will be used when an - SMTP destination is not found, or when delivery fails due to a + Optional list of relay destinations that will be used when an + SMTP destination is not found, or when delivery fails due to a non-permanent error. Available with Postfix 3.0 and later: smtp_address_verify_target (rcpt) - In the context of email address verification, the SMTP protocol + In the context of email address verification, the SMTP protocol stage that determines whether an email address is deliverable. Available with Postfix 3.1 and later: @@ -1066,7 +1072,7 @@ SMTP(8) SMTP(8) Available in Postfix 3.7 and later: smtp_bind_address_enforce (no) - Defer delivery when the Postfix SMTP client cannot apply the + Defer delivery when the Postfix SMTP client cannot apply the smtp_bind_address or smtp_bind_address6 setting. SEE ALSO diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index e373344ac..553d07411 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -3298,6 +3298,9 @@ Optional Postfix LMTP client lookup tables with one username:password entry per host or domain. If a remote host or domain has no username:password entry, then the Postfix LMTP client will not attempt to authenticate to the remote host. +.SH lmtp_sasl_password_result_delimiter (default: :) +The LMTP\-specific version of the smtp_sasl_password_result_delimiter +configuration parameter. See there for details. .SH lmtp_sasl_path (default: empty) Implementation\-specific information that is passed through to the SASL plug\-in implementation that is selected with 
@@ -7996,12 +7999,19 @@ lookup is done only when sender\-dependent authentication is enabled. If no username:password entry is found, then the Postfix SMTP client will not attempt to authenticate to the remote host. .PP +Use smtp_sasl_password_result_delimiter to specify an +alternative separator between username and password. +.PP The Postfix SMTP client opens the lookup table before going to chroot jail, so you can leave the password file in /etc/postfix. .PP Specify zero or more "type:name" lookup tables, separated by whitespace or comma. Tables will be searched in the specified order until a match is found. +.SH smtp_sasl_password_result_delimiter (default: :) +The delimiter between username and password in sasl_passwd_maps lookup +results. Specify one non\-whitespace character that does not appear in +the username. .SH smtp_sasl_path (default: empty) Implementation\-specific information that the Postfix SMTP client passes through to diff --git a/postfix/man/man8/smtp.8 b/postfix/man/man8/smtp.8 index 8d1994d43..e6442801d 100644 --- a/postfix/man/man8/smtp.8 +++ b/postfix/man/man8/smtp.8 @@ -464,6 +464,11 @@ Available in Postfix version 2.9 and later: .IP "\fBsmtp_send_dummy_mail_auth (no)\fR" Whether or not to append the "AUTH=<>" option to the MAIL FROM command in SASL\-authenticated SMTP sessions. +.PP +Available in Postfix version 3.9 and later: +.IP "\fBsmtp_sasl_password_result_delimiter (:)\fR" +The delimiter between username and password in sasl_passwd_maps lookup +results. .SH "STARTTLS SUPPORT CONTROLS" .na .nf diff --git a/postfix/mantools/dehtml b/postfix/mantools/dehtml index cc120de84..69f66b7b1 100755 --- a/postfix/mantools/dehtml +++ b/postfix/mantools/dehtml @@ -6,4 +6,4 @@ do /*) lynx -dump file://localhost$i;; *) lynx -dump file://localhost`pwd`/$i;; esac -done +done | grep -v 'file://localhost/' diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink index 279fea69d..59b2716ea 100755 --- a/postfix/mantools/postlink 
+++ b/postfix/mantools/postlink @@ -231,6 +231,8 @@ while (<>) { s;\blmtp_min_data_rate\b;$&;g; s;\blmtp_reply_filter\b;$&;g; s;\blmtp_sasl_password_maps\b;$&;g; + s;\bsmtp_sasl_password_result_delimiter\b;$&;g; + s;\blmtp_sasl_password_result_delimiter\b;$&;g; s;\blmtp_send_dummy_mail_auth\b;$&;g; s;\blmtp_balance_inet_protocols\b;$&;g; s;\blmtp_sender_dependent_authentication\b;$&;g; diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 071d61e1c..c47af13c3 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -4687,6 +4687,9 @@ If no username:password entry is found, then the Postfix SMTP client will not attempt to authenticate to the remote host.

+

Use smtp_sasl_password_result_delimiter to specify an +alternative separator between username and password.

+

The Postfix SMTP client opens the lookup table before going to chroot jail, so you can leave the password file in /etc/postfix. @@ -4698,6 +4701,17 @@ whitespace or comma. Tables will be searched in the specified order until a match is found.

+%PARAM lmtp_sasl_password_result_delimiter : + +

The LMTP-specific version of the smtp_sasl_password_result_delimiter +configuration parameter. See there for details.

+ +%PARAM smtp_sasl_password_result_delimiter : + +

The delimiter between username and password in sasl_passwd_maps lookup +results. Specify one non-whitespace character that does not appear in +the username.

+ %PARAM smtp_sasl_security_options noplaintext, noanonymous

Postfix SMTP client SASL security options; as of Postfix 2.3 diff --git a/postfix/proto/stop.double-history b/postfix/proto/stop.double-history index 40178180d..bec21dd74 100644 --- a/postfix/proto/stop.double-history +++ b/postfix/proto/stop.double-history @@ -62,3 +62,5 @@ proto proto aliases proto virtual proto ADDRESS_REWRITING_README html smtp smtp c smtp smtp h smtp smtp_params c smtp smtp_proto c smtp smtp_tls_policy c smtpd smtpd c smtpd smtpd_check c tls tls h tls tls_client c tls tls_dane c tls tls_fprint c + reported by Serg File smtp smtp h + smtp lmtp_params c smtp smtp c smtp smtp_params c diff --git a/postfix/proto/stop.spell-history b/postfix/proto/stop.spell-history index 09192073f..32ba965cc 100644 --- a/postfix/proto/stop.spell-history +++ b/postfix/proto/stop.spell-history @@ -59,3 +59,4 @@ refactored Fumiyasu SATOH INI +Serg diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index 028b6a2c6..1d964b496 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -1755,6 +1755,12 @@ extern bool var_smtp_sasl_enable; #define DEF_SMTP_SASL_PASSWD "" extern char *var_smtp_sasl_passwd; +#define VAR_SMTP_SASL_PASSWD_RES_DELIM "smtp_sasl_password_result_delimiter" +#define DEF_SMTP_SASL_PASSWD_RES_DELIM ":" +#define VAR_LMTP_SASL_PASSWD_RES_DELIM "lmtp_sasl_password_result_delimiter" +#define DEF_LMTP_SASL_PASSWD_RES_DELIM DEF_SMTP_SASL_PASSWD_RES_DELIM +extern char *var_smtp_sasl_passwd_res_delim; + #define VAR_SMTP_SASL_OPTS "smtp_sasl_security_options" #define DEF_SMTP_SASL_OPTS "noplaintext, noanonymous" extern char *var_smtp_sasl_opts; diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 559191da0..a62800c8e 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h 
@@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20230808" +#define MAIL_RELEASE_DATE "20230820" #define MAIL_VERSION_NUMBER "3.9" #ifdef SNAPSHOT diff --git a/postfix/src/smtp/lmtp_params.c b/postfix/src/smtp/lmtp_params.c index ed567e6ec..385c81ff4 100644 --- a/postfix/src/smtp/lmtp_params.c +++ b/postfix/src/smtp/lmtp_params.c @@ -4,6 +4,7 @@ VAR_BESTMX_TRANSP, DEF_BESTMX_TRANSP, &var_bestmx_transp, 0, 0, VAR_ERROR_RCPT, DEF_ERROR_RCPT, &var_error_rcpt, 1, 0, VAR_LMTP_SASL_PASSWD, DEF_LMTP_SASL_PASSWD, &var_smtp_sasl_passwd, 0, 0, + VAR_LMTP_SASL_PASSWD_RES_DELIM, DEF_LMTP_SASL_PASSWD_RES_DELIM, &var_smtp_sasl_passwd_res_delim, 1, 1, VAR_LMTP_SASL_OPTS, DEF_LMTP_SASL_OPTS, &var_smtp_sasl_opts, 0, 0, VAR_LMTP_SASL_PATH, DEF_LMTP_SASL_PATH, &var_smtp_sasl_path, 0, 0, #ifdef USE_TLS diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c index 2f93a79e7..6353766ee 100644 --- a/postfix/src/smtp/smtp.c +++ b/postfix/src/smtp/smtp.c @@ -432,6 +432,11 @@ /* .IP "\fBsmtp_send_dummy_mail_auth (no)\fR" /* Whether or not to append the "AUTH=<>" option to the MAIL /* FROM command in SASL-authenticated SMTP sessions. +/* .PP +/* Available in Postfix version 3.9 and later: +/* .IP "\fBsmtp_sasl_password_result_delimiter (:)\fR" +/* The delimiter between username and password in sasl_passwd_maps lookup +/* results. /* STARTTLS SUPPORT CONTROLS /* .ad /* .fi @@ -1025,6 +1030,7 @@ int var_smtp_never_ehlo; char *var_smtp_sasl_opts; char *var_smtp_sasl_path; char *var_smtp_sasl_passwd; +char *var_smtp_sasl_passwd_res_delim; bool var_smtp_sasl_enable; char *var_smtp_sasl_mechs; char *var_smtp_sasl_type; diff --git a/postfix/src/smtp/smtp.h b/postfix/src/smtp/smtp.h index 29e8efbd7..60c68f845 100644 --- a/postfix/src/smtp/smtp.h +++ b/postfix/src/smtp/smtp.h 
@@ -506,17 +506,19 @@ extern HBC_CALL_BACKS smtp_hbc_callbacks[]; (session->state->request->msg_stats.active_arrival.tv_sec - \ session->state->request->msg_stats.incoming_arrival.tv_sec) +#define TRACE_REQ_ONLY (DEL_REQ_TRACE_ONLY(state->request->flags)) + #define PLAINTEXT_FALLBACK_OK_AFTER_STARTTLS_FAILURE \ (session->tls_context == 0 \ && state->tls->level == TLS_LEV_MAY \ - && PREACTIVE_DELAY >= var_min_backoff_time \ + && (TRACE_REQ_ONLY || PREACTIVE_DELAY >= var_min_backoff_time) \ && !HAVE_SASL_CREDENTIALS) #define PLAINTEXT_FALLBACK_OK_AFTER_TLS_SESSION_FAILURE \ (session->tls_context != 0 \ && SMTP_RCPT_LEFT(state) > SMTP_RCPT_MARK_COUNT(state) \ && state->tls->level == TLS_LEV_MAY \ - && PREACTIVE_DELAY >= var_min_backoff_time \ + && (TRACE_REQ_ONLY || PREACTIVE_DELAY >= var_min_backoff_time) \ && !HAVE_SASL_CREDENTIALS) /* diff --git a/postfix/src/smtp/smtp_params.c b/postfix/src/smtp/smtp_params.c index b4fafbeb4..cebff9380 100644 --- a/postfix/src/smtp/smtp_params.c +++ b/postfix/src/smtp/smtp_params.c @@ -4,6 +4,7 @@ VAR_BESTMX_TRANSP, DEF_BESTMX_TRANSP, &var_bestmx_transp, 0, 0, VAR_ERROR_RCPT, DEF_ERROR_RCPT, &var_error_rcpt, 1, 0, VAR_SMTP_SASL_PASSWD, DEF_SMTP_SASL_PASSWD, &var_smtp_sasl_passwd, 0, 0, + VAR_SMTP_SASL_PASSWD_RES_DELIM, DEF_SMTP_SASL_PASSWD_RES_DELIM, &var_smtp_sasl_passwd_res_delim, 1, 1, VAR_SMTP_SASL_OPTS, DEF_SMTP_SASL_OPTS, &var_smtp_sasl_opts, 0, 0, VAR_SMTP_SASL_PATH, DEF_SMTP_SASL_PATH, &var_smtp_sasl_path, 0, 0, #ifdef USE_TLS diff --git a/postfix/src/smtp/smtp_sasl_glue.c b/postfix/src/smtp/smtp_sasl_glue.c index ef8e8c442..cce5ef754 100644 --- a/postfix/src/smtp/smtp_sasl_glue.c +++ b/postfix/src/smtp/smtp_sasl_glue.c 
@@ -200,7 +200,9 @@ int smtp_sasl_passwd_lookup(SMTP_SESSION *session) if (session->sasl_username) myfree(session->sasl_username); session->sasl_username = mystrdup(value); - passwd = split_at(session->sasl_username, ':'); + /* Historically, the delimiter may appear in the password. */ + passwd = split_at(session->sasl_username, + *var_smtp_sasl_passwd_res_delim); if (session->sasl_passwd) myfree(session->sasl_passwd); session->sasl_passwd = mystrdup(passwd ? passwd : "");
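Review bot: in the smtp.h hunk, the new `TRACE_REQ_ONLY` term in `PLAINTEXT_FALLBACK_OK_AFTER_STARTTLS_FAILURE` and `PLAINTEXT_FALLBACK_OK_AFTER_TLS_SESSION_FAILURE` has no comment saying why a trace-only request is exempt from the `PREACTIVE_DELAY >= var_min_backoff_time` wait; the rationale exists only in the HISTORY entry (a probe message should not need a minimum time-in-queue before plaintext fallback). Suggest a one-line comment above the `#define TRACE_REQ_ONLY` line, e.g. `/* Probe (trace-only) requests need not wait var_min_backoff_time before plaintext fallback. */`. Worth stating in that comment, too, that the other gates are unchanged: fallback still requires `state->tls->level == TLS_LEV_MAY` and `!HAVE_SASL_CREDENTIALS`, so the relaxation never sends SASL credentials over a plaintext session.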
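Review bot: in the smtp_sasl_glue.c hunk, the comment `/* Historically, the delimiter may appear in the password. */` reads as a remark about the past rather than a statement of the code's contract; what matters for the reader is that `split_at()` splits at the first occurrence of the delimiter, so the username must not contain it while the password may. Suggest rewording to something like `/* split_at() splits at the first delimiter, so the username must not contain it; the password may. */`. Also, `*var_smtp_sasl_passwd_res_delim` takes only the first character of the parameter value and silently relies on the `1, 1` min/max length bounds added to the table entries in smtp_params.c and lmtp_params.c to guarantee a single-character value; a comment pointing at that coupling would keep a future change to those bounds from turning a multi-character delimiter into a split on its first byte only. Note that the length bounds do not enforce the "non-whitespace" requirement stated in the postconf.proto text; if that matters, the check belongs next to this dereference.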