From: Wietse Venema <wietse@porcupine.org>
Date: Thu, 16 Sep 2010 05:00:00 +0000 (-0500)
Subject: postfix-2.8-20100916
X-Git-Tag: v2.8.0-RC1~23
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ce34a3c9dcf79e810d0016e7363a316d8517b426;p=thirdparty%2Fpostfix.git

postfix-2.8-20100916
---

diff --git a/postfix/HISTORY b/postfix/HISTORY
index 918563b10..8b9509bbb 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -15996,4 +15996,16 @@ Apologies for any names omitted.
 20100915
 
 	Bugfix (introduced 20100914): missing precondition for
-	call-back notification.  File: postscreen/dnsblog.c.
+	call-back notification.  File: postscreen/postscreen_dnsbl.c.
+
+	Bugfix (introduced 20100914): the "postscreen_greet_wait"
+	delay speedup worked only for DNSBL listed sites.  File:
+	postscreen/postscreen_dnsbl.c.
+
+	Workaround: better handling of pregreeting spambots. The
+	postscreen built-in SMTP engine no longer sends a 220 banner
+	to a client that falls into the pregeet trap.  This eliminates
+	many "non-SMTP command" records in postscreen logging, as
+	the SMTP client and server no longer get out of sync.  It
+	also results in better logging of sender/recipient information.
+	file: postscreen/postscreen-smtpd.c.
diff --git a/postfix/README_FILES/POSTSCREEN_README b/postfix/README_FILES/POSTSCREEN_README
index a11a3d05c..6851341ea 100644
--- a/postfix/README_FILES/POSTSCREEN_README
+++ b/postfix/README_FILES/POSTSCREEN_README
@@ -423,19 +423,34 @@ mail:
  1. Comment out the "smtp inet ... smtpd" service in master.cf, including any
     "-o parameter=value" entries that follow.
 
+    /etc/postfix/master.cf:
+        #smtp      inet  n       -       n       -       -       smtpd
+        #    -o parameter=value ...
+
  2. Uncomment the new "smtpd pass ... smtpd" service in master.cf, and
     duplicate any "-o parameter=value" entries from the smtpd service that was
     commented out in step 1.
 
+    /etc/postfix/master.cf:
+        smtpd     pass  -       -       n       -       -       smtpd
+            -o parameter=value ...
+
  3. Uncomment the new "smtp inet ... postscreen" service in master.cf.
 
+    /etc/postfix/master.cf:
+        smtp      inet  n       -       n       -       1       postscreen
+
  4. Uncomment the new "dnsblog unix ... dnsblog" service in master.cf. This
     service does DNSBL lookups for postscreen(8) and logs results.
 
+    /etc/postfix/master.cf:
+        dnsblog   unix  -       -       n       -       0       dnsblog
+
  5. To enable DNSBL lookups, list some DNS blocklist sites in main.cf,
     separated by whitespace. Different sites can have different weights. For
     example:
 
+    /etc/postfix/main.cf:
         postscreen_dnsbl_threshold = 2
         postscreen_dnsbl_sites = zen.spamhaus.org*2 example.com*1 example.net*1
 
@@ -520,14 +535,29 @@ processes:
  1. Comment out the "smtp inet ... postscreen" service in master.cf, including
     any "-o parameter=value" entries that follow.
 
+    /etc/postfix/master.cf:
+        #smtp      inet  n       -       n       -       1       postscreen
+        #    -o parameter=value ...
+
  2. Comment out the "dnsblog unix ... dnsblog" service in master.cf.
 
+    /etc/postfix/master.cf:
+        #dnsblog   unix  -       -       n       -       0       dnsblog
+
  3. Comment out the "smtpd pass ... smtpd" service in master.cf, including any
     "-o parameter=value" entries that follow.
 
+    /etc/postfix/master.cf:
+        #smtpd     pass  -       -       n       -       -       smtpd
+        #    -o parameter=value ...
+
  4. Uncomment the "smtp inet ... smtpd" service in master.cf, including any "-
     o parameter=value" entries that follow.
 
+    /etc/postfix/master.cf:
+        smtp      inet  n       -       n       -       -       smtpd
+            -o parameter=value ...
+
  5. Read the new configuration with "postfix reload".
 
 HHiissttoorriiccaall nnootteess aanndd ccrreeddiittss
@@ -538,13 +568,13 @@ in OpenBSD spamd, and in MailChannels Traffic Control.
 Wietse threw together a crude prototype with pregreet and dnsbl support in June
 2009, because he needed something new for a Mailserver conference presentation
 in July. Ralf Hildebrandt ran this code on several servers to collect real-
-world evidence. This version used the dnsblog(8) ad-hoc DNS client program.
+world statistics. This version used the dnsblog(8) ad-hoc DNS client program.
 
 Wietse needed new material for a LISA conference presentation in November 2010,
 so he added support for DNSBL weights and filters in August, followed by a
 major code rewrite, deep protocol tests, helo/sender/recipient logging, and
 stress-adaptive behavior in September. Ralf Hildebrandt ran this code on
-several servers to collect real-world evidence. This version still used the
-same delay for pregreet and DNBL tests, as well as the embarrassing dnsblog(8)
+several servers to collect real-world statistics. This version still used the
+same delay for pregreet and DNSBL tests, as well as the embarrassing dnsblog(8)
 ad-hoc DNS client.
 
diff --git a/postfix/html/POSTSCREEN_README.html b/postfix/html/POSTSCREEN_README.html
index 3843d51a0..d9734d344 100644
--- a/postfix/html/POSTSCREEN_README.html
+++ b/postfix/html/POSTSCREEN_README.html
@@ -585,22 +585,45 @@ without blocking mail: </p>
 in <a href="master.5.html">master.cf</a>, including any "<tt>-o parameter=value</tt>" entries
 that follow.  </p>
 
+<pre>
+/etc/postfix/<a href="master.5.html">master.cf</a>:
+    #smtp      inet  n       -       n       -       -       smtpd
+    #    -o parameter=value ...
+</pre>
+
 <li> <p> Uncomment the new "<tt>smtpd pass ... smtpd</tt>" service
 in <a href="master.5.html">master.cf</a>, and duplicate any "<tt>-o parameter=value</tt>" entries
 from the smtpd service that was commented out in step 1. </p>
 
+<pre>
+/etc/postfix/<a href="master.5.html">master.cf</a>:
+    smtpd     pass  -       -       n       -       -       smtpd
+        -o parameter=value ...
+</pre>
+
 <li> <p> Uncomment the new "<tt>smtp inet ... postscreen</tt>"
 service in <a href="master.5.html">master.cf</a>. </p>
 
+<pre>
+/etc/postfix/<a href="master.5.html">master.cf</a>:
+    smtp      inet  n       -       n       -       1       postscreen
+</pre>
+
 <li> <p> Uncomment the new "<tt>dnsblog  unix ... dnsblog</tt>"
 service in <a href="master.5.html">master.cf</a>.  This service does DNSBL lookups for <a href="postscreen.8.html">postscreen(8)</a>
 and logs results. </p>
 
+<pre>
+/etc/postfix/<a href="master.5.html">master.cf</a>:
+    dnsblog   unix  -       -       n       -       0       dnsblog
+</pre>
+
 <li> <p> To enable DNSBL lookups, list some DNS blocklist sites in
 <a href="postconf.5.html">main.cf</a>, separated by whitespace. Different sites can have different
 weights. For example:
 
 <pre>
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
     <a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a> = 2
     <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> = zen.spamhaus.org*2 example.com*1 example.net*1
 </pre>
@@ -714,17 +737,41 @@ SMTP server processes: </p>
 in <a href="master.5.html">master.cf</a>, including any "<tt>-o parameter=value</tt>" entries
 that follow. </p>
 
+<pre>
+/etc/postfix/<a href="master.5.html">master.cf</a>:
+    #smtp      inet  n       -       n       -       1       postscreen
+    #    -o parameter=value ...
+</pre>
+
 <li> <p> Comment out the "<tt>dnsblog  unix ... dnsblog</tt>" service
 in <a href="master.5.html">master.cf</a>.  </p>
 
+<pre>
+/etc/postfix/<a href="master.5.html">master.cf</a>:
+    #dnsblog   unix  -       -       n       -       0       dnsblog
+</pre>
+
 <li> <p> Comment out the "<tt>smtpd pass ... smtpd</tt>" service
 in <a href="master.5.html">master.cf</a>, including any "<tt>-o parameter=value</tt>" entries
 that follow. </p>
 
+<pre>
+/etc/postfix/<a href="master.5.html">master.cf</a>:
+    #smtpd     pass  -       -       n       -       -       smtpd
+    #    -o parameter=value ...
+</pre>
+
+
 <li> <p> Uncomment the "<tt>smtp  inet ... smtpd</tt>" service in
 <a href="master.5.html">master.cf</a>, including any "<tt>-o parameter=value</tt>" entries that
 follow.  </p>
 
+<pre>
+/etc/postfix/<a href="master.5.html">master.cf</a>:
+    smtp      inet  n       -       n       -       -       smtpd
+        -o parameter=value ...
+</pre>
+
 <li> <p> Read the new configuration with "<tt>postfix reload</tt>".
 </p>
 
@@ -739,7 +786,7 @@ Control.  </p>
 <p> Wietse threw together a crude prototype with pregreet and dnsbl
 support in June 2009, because he needed something new for a Mailserver
 conference presentation in July. Ralf Hildebrandt ran this code on
-several servers to collect real-world evidence. This version used
+several servers to collect real-world statistics. This version used
 the <a href="dnsblog.8.html">dnsblog(8)</a> ad-hoc DNS client program. </p>
 
 <p> Wietse needed new material for a LISA conference presentation
@@ -747,9 +794,9 @@ in November 2010, so he added support for DNSBL weights and filters
 in August, followed by a major code rewrite, deep protocol tests,
 helo/sender/recipient logging, and stress-adaptive behavior in
 September. Ralf Hildebrandt ran this code on several servers to
-collect real-world evidence. This version still used the same delay
-for pregreet and DNBL tests, as well as the embarrassing <a href="dnsblog.8.html">dnsblog(8)</a>
-ad-hoc DNS client.  </p>
+collect real-world statistics. This version still used the same
+delay for pregreet and DNSBL tests, as well as the embarrassing
+<a href="dnsblog.8.html">dnsblog(8)</a> ad-hoc DNS client.  </p>
 
 </body>
 
diff --git a/postfix/proto/POSTSCREEN_README.html b/postfix/proto/POSTSCREEN_README.html
index 036015f0d..a7cdd5367 100644
--- a/postfix/proto/POSTSCREEN_README.html
+++ b/postfix/proto/POSTSCREEN_README.html
@@ -585,22 +585,45 @@ without blocking mail: </p>
 in master.cf, including any "<tt>-o parameter=value</tt>" entries
 that follow.  </p>
 
+<pre>
+/etc/postfix/master.cf:
+    #smtp      inet  n       -       n       -       -       smtpd
+    #    -o parameter=value ...
+</pre>
+
 <li> <p> Uncomment the new "<tt>smtpd pass ... smtpd</tt>" service
 in master.cf, and duplicate any "<tt>-o parameter=value</tt>" entries
 from the smtpd service that was commented out in step 1. </p>
 
+<pre>
+/etc/postfix/master.cf:
+    smtpd     pass  -       -       n       -       -       smtpd
+        -o parameter=value ...
+</pre>
+
 <li> <p> Uncomment the new "<tt>smtp inet ... postscreen</tt>"
 service in master.cf. </p>
 
+<pre>
+/etc/postfix/master.cf:
+    smtp      inet  n       -       n       -       1       postscreen
+</pre>
+
 <li> <p> Uncomment the new "<tt>dnsblog  unix ... dnsblog</tt>"
 service in master.cf.  This service does DNSBL lookups for postscreen(8)
 and logs results. </p>
 
+<pre>
+/etc/postfix/master.cf:
+    dnsblog   unix  -       -       n       -       0       dnsblog
+</pre>
+
 <li> <p> To enable DNSBL lookups, list some DNS blocklist sites in
 main.cf, separated by whitespace. Different sites can have different
 weights. For example:
 
 <pre>
+/etc/postfix/main.cf:
     postscreen_dnsbl_threshold = 2
     postscreen_dnsbl_sites = zen.spamhaus.org*2 example.com*1 example.net*1
 </pre>
@@ -714,17 +737,41 @@ SMTP server processes: </p>
 in master.cf, including any "<tt>-o parameter=value</tt>" entries
 that follow. </p>
 
+<pre>
+/etc/postfix/master.cf:
+    #smtp      inet  n       -       n       -       1       postscreen
+    #    -o parameter=value ...
+</pre>
+
 <li> <p> Comment out the "<tt>dnsblog  unix ... dnsblog</tt>" service
 in master.cf.  </p>
 
+<pre>
+/etc/postfix/master.cf:
+    #dnsblog   unix  -       -       n       -       0       dnsblog
+</pre>
+
 <li> <p> Comment out the "<tt>smtpd pass ... smtpd</tt>" service
 in master.cf, including any "<tt>-o parameter=value</tt>" entries
 that follow. </p>
 
+<pre>
+/etc/postfix/master.cf:
+    #smtpd     pass  -       -       n       -       -       smtpd
+    #    -o parameter=value ...
+</pre>
+
+
 <li> <p> Uncomment the "<tt>smtp  inet ... smtpd</tt>" service in
 master.cf, including any "<tt>-o parameter=value</tt>" entries that
 follow.  </p>
 
+<pre>
+/etc/postfix/master.cf:
+    smtp      inet  n       -       n       -       -       smtpd
+        -o parameter=value ...
+</pre>
+
 <li> <p> Read the new configuration with "<tt>postfix reload</tt>".
 </p>
 
@@ -739,7 +786,7 @@ Control.  </p>
 <p> Wietse threw together a crude prototype with pregreet and dnsbl
 support in June 2009, because he needed something new for a Mailserver
 conference presentation in July. Ralf Hildebrandt ran this code on
-several servers to collect real-world evidence. This version used
+several servers to collect real-world statistics. This version used
 the dnsblog(8) ad-hoc DNS client program. </p>
 
 <p> Wietse needed new material for a LISA conference presentation
@@ -747,9 +794,9 @@ in November 2010, so he added support for DNSBL weights and filters
 in August, followed by a major code rewrite, deep protocol tests,
 helo/sender/recipient logging, and stress-adaptive behavior in
 September. Ralf Hildebrandt ran this code on several servers to
-collect real-world evidence. This version still used the same delay
-for pregreet and DNBL tests, as well as the embarrassing dnsblog(8)
-ad-hoc DNS client.  </p>
+collect real-world statistics. This version still used the same
+delay for pregreet and DNSBL tests, as well as the embarrassing
+dnsblog(8) ad-hoc DNS client.  </p>
 
 </body>
 
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index d065a2c6d..db92c6953 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20100915"
+#define MAIL_RELEASE_DATE	"20100916"
 #define MAIL_VERSION_NUMBER	"2.8"
 
 #ifdef SNAPSHOT
diff --git a/postfix/src/postscreen/postscreen_dnsbl.c b/postfix/src/postscreen/postscreen_dnsbl.c
index fffc6b49b..794a008dc 100644
--- a/postfix/src/postscreen/postscreen_dnsbl.c
+++ b/postfix/src/postscreen/postscreen_dnsbl.c
@@ -326,7 +326,6 @@ static void ps_dnsbl_receive(int event, char *context)
 		     ATTR_TYPE_STR, MAIL_ATTR_ACT_CLIENT_ADDR, reply_client,
 		     ATTR_TYPE_STR, MAIL_ATTR_RBL_ADDR, reply_addr,
 		     ATTR_TYPE_END) == 3
-	&& *STR(reply_addr) != 0
 	&& (score = (PS_DNSBL_SCORE *)
 	    htable_find(dnsbl_score_cache, STR(reply_client))) != 0) {
 
@@ -341,22 +340,25 @@ static void ps_dnsbl_receive(int event, char *context)
 	    msg_info("%s: client=\"%s\" score=%d domain=\"%s\" reply=\"%s\"",
 		     myname, STR(reply_client), score->total,
 		     STR(reply_dnsbl), STR(reply_addr));
-	head = (PS_DNSBL_HEAD *) htable_find(dnsbl_site_cache, STR(reply_dnsbl));
-	site = (head ? head->first : (PS_DNSBL_SITE *) 0);
-	for (reply_argv = 0; site != 0; site = site->next) {
-	    if (site->filter == 0
-		|| ps_dnsbl_match(site->filter, reply_argv ? reply_argv :
+	if (*STR(reply_addr) != 0) {
+	    head = (PS_DNSBL_HEAD *)
+		htable_find(dnsbl_site_cache, STR(reply_dnsbl));
+	    site = (head ? head->first : (PS_DNSBL_SITE *) 0);
+	    for (reply_argv = 0; site != 0; site = site->next) {
+		if (site->filter == 0
+		    || ps_dnsbl_match(site->filter, reply_argv ? reply_argv :
 			 (reply_argv = argv_split(STR(reply_addr), " ")))) {
-		score->dnsbl = head->safe_dnsbl;
-		score->total += site->weight;
-		if (msg_verbose > 1)
-		    msg_info("%s: filter=\"%s\" weight=%d score=%d",
-			     myname, site->filter ? site->filter : "null",
-			     site->weight, score->total);
+		    score->dnsbl = head->safe_dnsbl;
+		    score->total += site->weight;
+		    if (msg_verbose > 1)
+			msg_info("%s: filter=\"%s\" weight=%d score=%d",
+			       myname, site->filter ? site->filter : "null",
+				 site->weight, score->total);
+		}
 	    }
+	    if (reply_argv != 0)
+		argv_free(reply_argv);
 	}
-	if (reply_argv != 0)
-	    argv_free(reply_argv);
 
 	/*
 	 * Notify the requestor(s) that the result is ready to be picked up.
@@ -367,6 +369,7 @@ static void ps_dnsbl_receive(int event, char *context)
 	if (score->pending_lookups == 0)
 	    PS_CALL_BACK_NOTIFY(score, PS_NULL_EVENT);
     }
+    /* Here, score may be a null pointer. */
     vstream_fclose(stream);
 }
 
diff --git a/postfix/src/postscreen/postscreen_smtpd.c b/postfix/src/postscreen/postscreen_smtpd.c
index 281c41181..33955f0a3 100644
--- a/postfix/src/postscreen/postscreen_smtpd.c
+++ b/postfix/src/postscreen/postscreen_smtpd.c
@@ -830,9 +830,11 @@ void    ps_smtpd_tests(PS_STATE *state)
 		     PS_STATE_FLAG_BARLF_TODO);
 
     /*
-     * Send the SMTP banner.
+     * Send no SMTP banner to pregreeting clients. This eliminates a lot of
+     * "NON-SMTP COMMAND" events, and improves sender/recipient logging.
      */
-    if (PS_SEND_REPLY(state, ps_smtpd_greeting) != 0) {
+    if ((state->flags & PS_STATE_FLAG_PREGR_FAIL) == 0
+	&& PS_SEND_REPLY(state, ps_smtpd_greeting) != 0) {
 	ps_hangup_event(state);
 	return;
     }