From: Wietse Venema Date: Tue, 24 Jul 2007 05:00:00 +0000 (-0500) Subject: postfix-2.5-20070724 X-Git-Tag: v2.5.0-RC1~32 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d515a4e42cef9b796f67de2b970f1c1a78689021;p=thirdparty%2Fpostfix.git postfix-2.5-20070724 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index 2658c13d1..428674f5f 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -13634,8 +13634,16 @@ Apologies for any names omitted. pre-formatted message from file, and to handle replies other than the expected 2xx or 3xx. File: smtpstone/smtp-source.c. - Cleanup: streamlined Milter client error handling, so that - the (Postfix SMTP server's Milter client) does not get out - of sync with Milter applications after the (cleanup server's - Milter client) encounters some non-recoverable problem. - Files: milter/milter8.c, smtpd/smtpd.c. + Cleanup: Milter client error handling, so that the (Postfix + SMTP server's Milter client) does not get out of sync with + Milter applications after the (cleanup server's Milter + client) encounters some non-recoverable problem. Files: + milter/milter8.c, smtpd/smtpd.c. + +20070720 + + Support for RFC 4954 (SASL AUTH, updates RFC 2554, refines + some reply codes and introduces DSN enhanced status codes) + and RFC 3848 ("Received ... with ESMTPS?A? ...). Currently, + support for the latter is always on. Files: smtpd/smtpd.c, + smtpd/smtpd_sasl_proto.c, smtpd/smtpd_sasl_glue.c. diff --git a/postfix/README_FILES/SASL_README b/postfix/README_FILES/SASL_README index b10a6814d..62cc96c64 100644 --- a/postfix/README_FILES/SASL_README +++ b/postfix/README_FILES/SASL_README 
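Review bot: the rewritten Milter entry in the HISTORY hunk lost its verb when "streamlined" was dropped: "Cleanup: Milter client error handling, so that the (Postfix SMTP server's Milter client) does not get out of sync ..." now reads as a fragment; either keep the original "streamlined Milter client error handling" or write "Cleanup: Milter client error handling was streamlined so that ...". In the new 20070720 entry the quoted header fragment `("Received ... with ESMTPS?A? ...)` is missing its closing quote. The same entry says RFC 3848 support "is always on"; that changes the "with" token that smtpd(8) writes into Received: headers (ESMTPA, ESMTPS, ESMTPSA on authenticated or TLS sessions, per the RELEASE_NOTES text below), which is visible to anything that parses Received: headers, so it deserves a line under an incompatibility heading in RELEASE_NOTES, or a parameter to turn it off, rather than only "Currently ... always on". The entry also lists smtpd/smtpd.c, smtpd/smtpd_sasl_proto.c and smtpd/smtpd_sasl_glue.c, but the visible part of this diff touches only documentation and manual pages; make sure the code changes land in the same commit.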
@@ -12,19 +12,20 @@ considering. HHooww PPoossttffiixx uusseess SSAASSLL aauutthheennttiiccaattiioonn iinnffoorrmmaattiioonn -Postfix SASL support (RFC 2554) can be used to authenticate remote SMTP clients -to the Postfix SMTP server, and to authenticate the Postfix SMTP client to a -remote SMTP server. +Postfix SASL support (RFC 4954, formerly RFC 2554) can be used to authenticate +remote SMTP clients to the Postfix SMTP server, and to authenticate the Postfix +SMTP client to a remote SMTP server. -When receiving mail, Postfix logs the client-provided username, authentication -method, and sender address to the maillog file, and optionally grants mail -access via the permit_sasl_authenticated UCE restriction. +When receiving mail, the Postfix SMTP server logs the client-provided username, +authentication method, and sender address to the maillog file, and optionally +grants mail access via the permit_sasl_authenticated UCE restriction. -When sending mail, Postfix can look up the server hostname or destination -domain (the address right-hand part) in a Postfix SASL password table, and if a -username/password is found, it will use that username and password to -authenticate to the server. And as of version 2.3, Postfix can be configured to -search its SASL password table by the sender email address. +When sending mail, the Postfix SMTP client can look up the remote SMTP server +hostname or destination domain (the address right-hand part) in a SASL password +table, and if a username/password is found, it will use that username and +password to authenticate to the remote SMTP server. And as of version 2.3, +Postfix can be configured to search its SASL password table by the sender email +address. This document covers the following topics: 
@@ -137,12 +138,12 @@ will not find the SASL shared library: EEnnaabblliinngg SSAASSLL aauutthheennttiiccaattiioonn iinn tthhee PPoossttffiixx SSMMTTPP sseerrvveerr -In order to enable SASL support in the SMTP server: +In order to enable SASL support in the Postfix SMTP server: /etc/postfix/main.cf: smtpd_sasl_auth_enable = yes -In order to allow mail relaying by authenticated clients: +In order to allow mail relaying by authenticated remote SMTP clients: /etc/postfix/main.cf: smtpd_recipient_restrictions = @@ -171,7 +172,7 @@ DDoovveeccoott SSAASSLL ccoonnffiigguurraattiioonn ffo Dovecot SASL support is available in Postfix 2.3 and later. On the Postfix side you need to specify the location of the Dovecot authentication daemon socket. We use a pathname relative to the Postfix queue directory, so that it will work -whether or not Postfix runs chrooted: +whether or not the Postfix SMTP server runs chrooted: /etc/postfix/main.cf: smtpd_sasl_type = dovecot @@ -203,13 +204,14 @@ authentication server. CCyyrruuss SSAASSLL ccoonnffiigguurraattiioonn ffoorr tthhee PPoossttffiixx SSMMTTPP sseerrvveerr -You need to configure how the Cyrus SASL library should authenticate a client's -username and password. These settings must be stored in a separate -configuration file. +You need to configure how the Cyrus SASL library should authenticate a remote +SMTP client's username and password. These settings must be stored in a +separate configuration file. The name of the configuration file (default: smtpd.conf) will be constructed -from a value sent by Postfix to the Cyrus SASL library, which adds the suffix -.conf. The value is configured using one of the following variables: +from a value that the Postfix SMTP server sends to the Cyrus SASL library, +which adds the suffix .conf. The value is configured using one of the following +variables: /etc/postfix/main.cf: # Postfix 2.3 and later 
@@ -233,7 +235,7 @@ Note: some Cyrus SASL distributions look for the smtpd.conf file in /etc/sasl2. pwcheck_method: pwcheck IMPORTANT: pwcheck establishes a UNIX domain socket in /var/pwcheck and - waits for authentication requests. Postfix processes must have + waits for authentication requests. The Postfix SMTP server must have read+execute permission to this directory or authentication attempts will fail. @@ -256,9 +258,9 @@ Note: some Cyrus SASL distributions look for the smtpd.conf file in /etc/sasl2. a pam". IMPORTANT: saslauthd usually establishes a UNIX domain socket in /var/run/ - saslauthd and waits for authentication requests. Postfix processes must - have read+execute permission to this directory or authentication attempts - will fail. + saslauthd and waits for authentication requests. The Postfix SMTP server + must have read+execute permission to this directory or authentication + attempts will fail. Note: The directory where saslauthd puts the socket is configurable. See the command-line option "-m /path/to/socket" in the saslauthd --help @@ -284,9 +286,9 @@ Note: some Cyrus SASL distributions look for the smtpd.conf file in /etc/sasl2. some poorly-supported systems the saslpasswd command needs to be run multiple times before it stops complaining. The Postfix SMTP server needs read access to the sasldb file - you may have to play games with group - access permissions. With the OTP authentication mechanism, the SMTP server - also needs WRITE access to /etc/sasldb2 or /etc/sasldb (or the back end SQL - database, if used). + access permissions. With the OTP authentication mechanism, the Postfix SMTP + server also needs WRITE access to /etc/sasldb2 or /etc/sasldb (or the back + end SQL database, if used). IMPORTANT: To get sasldb running, make sure that you set the SASL domain (realm) to a fully qualified domain name. 
@@ -305,9 +307,10 @@ Note: some Cyrus SASL distributions look for the smtpd.conf file in /etc/sasl2. sasldblistusers (Cyrus SASL version 1.5.x) or sasldblistusers2 (Cyrus SASL version 2.1.x). - On the Postfix side, you can have only one realm per smtpd instance, and + On the Postfix side, you can have only one realm per smtpd(8) instance, and only the users belonging to that realm would be able to authenticate. The - Postfix variable smtpd_sasl_local_domain controls the realm used by smtpd: + Postfix variable smtpd_sasl_local_domain controls the realm used by smtpd + (8): /etc/postfix/main.cf: smtpd_sasl_local_domain = $myhostname @@ -316,9 +319,9 @@ IMPORTANT: The Cyrus SASL password verification services pwcheck and saslauthd can only support the plaintext mechanisms PLAIN or LOGIN. However, the Cyrus SASL library doesn't know this, and will happily advertise other authentication mechanisms that the SASL library implements, such as DIGEST-MD5. As a result, -if an SMTP client chooses any mechanism other than PLAIN or LOGIN while pwcheck -or saslauthd are used, authentication will fail. Thus you may need to limit the -list of mechanisms advertised by Postfix. +if a remote SMTP client chooses any mechanism other than PLAIN or LOGIN while +pwcheck or saslauthd are used, authentication will fail. Thus you may need to +limit the list of mechanisms advertised by the Postfix SMTP server. * With older Cyrus SASL versions you remove the corresponding library files from the SASL plug-in directory (and again whenever the system is updated). 
@@ -346,10 +349,12 @@ probably is not worth the trouble. TTeessttiinngg SSAASSLL aauutthheennttiiccaattiioonn iinn tthhee PPoossttffiixx SSMMTTPP sseerrvveerr -To test the server side, connect to the SMTP server, and you should be able to -have a conversation as shown below. Information sent by the client is shown in -bold font. +To test the server side, connect (for example, with telnet) to the Postfix SMTP +server port and you should be able to have a conversation as shown below. +Information sent by the client (that is, you) is shown in bold font. + $ tteellnneett sseerrvveerr..eexxaammppllee..ccoomm 2255 + . . . 220 server.example.com ESMTP Postfix EEHHLLOO cclliieenntt..eexxaammppllee..ccoomm 250-server.example.com 
@@ -389,20 +394,22 @@ whatever your mail_owner directive is set to): % su postfix -then run the resulting sample server and client in separate terminals. The -sample applications send log messages to the syslog facility auth. Check the -log to fix the problem or run strace / ktrace / truss on the server to see what -makes it unhappy. Repeat the previous step until you can successfully -authenticate with the sample client. Only then get back to Postfix. +then run the resulting sample Cyrus SASL server and client in separate +terminals. The sample applications send log messages to the syslog facility +auth. Check the log to fix the problem or run strace / ktrace / truss on the +server to see what makes it unhappy. Repeat the previous step until you can +successfully authenticate with the sample Cyrus SASL client. Only then get back +to Postfix. EEnnaabblliinngg SSAASSLL aauutthheennttiiccaattiioonn iinn tthhee PPoossttffiixx SSMMTTPP cclliieenntt Turn on client-side SASL authentication, and specify a table with per-host or -per-destination username and password information. Postfix first searches the -table for an entry with the server hostname; if no entry is found, then Postfix -searches the table for an entry with the next-hop destination. Usually, that is -the right-hand part of an email address, but it can also be the information -that is specified with the relayhost parameter or with a transport(5) table. +per-destination username and password information. The Postfix SMTP client +first searches the table for an entry with the remote SMTP server hostname; if +no entry is found, then the Postfix SMTP client searches the table for an entry +with the next-hop destination. Usually, that is the right-hand part of an email +address, but it can also be the information that is specified with the +relayhost parameter or with a transport(5) table. /etc/postfix/main.cf: smtp_sasl_auth_enable = yes 
@@ -415,8 +422,8 @@ that is specified with the relayhost parameter or with a transport(5) table. [mail.myisp.net] username:password [mail.myisp.net]:submission username:password -The Postfix SASL client password file is opened before the SMTP server enters -the optional chroot jail, so you can keep the file in /etc/postfix and set +The Postfix SMTP client opens the SASL client password file before entering the +optional chroot jail, so you can keep the file in /etc/postfix and set permissions read / write only for root to keep the username:password combinations away from other system users. 
@@ -434,26 +441,25 @@ the Postfix SASL password by sender before it searches by destination, specify: [mail.myisp.net] username:password [mail.myisp.net]:submission username:password -Note: some SMTP servers support PLAIN or LOGIN authentication only. By default, -the Postfix SMTP client does not use authentication methods that send plaintext -passwords, and defers delivery with the following error message: +Note: some remote SMTP servers support PLAIN or LOGIN authentication only. By +default, the Postfix SMTP client does not use authentication methods that send +plaintext passwords, and defers delivery with the following error message: "Authentication failed: cannot SASL authenticate to server". To enable plaintext authentication specify, for example: /etc/postfix/main.cf: smtp_sasl_security_options = noanonymous -Note: Some SMTP servers support authentication mechanisms that, although -available on the client system, may not in practice work or possess the -appropriate credentials to authenticate to the server. It is possible via the -smtp_sasl_mechanism_filter parameter to further restrict the list of server -mechanisms that the smtp(8) client will take into consideration: +Note: some remote SMTP servers announce authentication mechanisms that don't +actually work. It is possible via the smtp_sasl_mechanism_filter parameter to +restrict the list of server mechanisms that the Postfix SMTP client will take +into consideration: /etc/postfix/main.cf: smtp_sasl_mechanism_filter = !gssapi, !external, static:all -In the above example, Postfix will decline to use mechanisms that require -special infrastructure such as Kerberos or TLS. +In the above example, the Postfix SMTP client will decline to use mechanisms +that require special infrastructure such as Kerberos or TLS. The Postfix SMTP client is backwards compatible with SMTP servers that use the non-standard "AUTH=method..." syntax in response to the EHLO command; there is 
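Review bot: the new wording "some remote SMTP servers announce authentication mechanisms that don't actually work" drops the client-side case the old text covered ("although available on the client system, may not in practice work or possess the appropriate credentials"), and the example right below it, "smtp_sasl_mechanism_filter = !gssapi, !external, static:all", is exactly that case: the server's GSSAPI or EXTERNAL offer may be perfectly valid, but this client has no Kerberos ticket or client certificate to use it. Suggest "mechanisms that this client cannot complete, for example because it lacks the credentials or infrastructure they require" so the note still matches its own example. In the same hunk, the sentence that enables plaintext authentication with "smtp_sasl_security_options = noanonymous" could add that the username and password then cross the network in the clear unless the session is TLS-protected; the surrounding text already says these mechanisms "send plaintext passwords", so the caveat is implied but not stated.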
diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index 0227312f2..68a99aa56 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES @@ -17,6 +17,13 @@ Incompatibility with Postfix 2.3 and earlier If you upgrade from Postfix 2.3 or earlier, read RELEASE_NOTES-2.4 before proceeding. +Major changes with Postfix snapshot 20070724 +============================================ + +Not really major. Support for RFC 3848 (ESMTPS, ESMTPA, ESMTPSA +in Received: headers) and updated SASL support with reply codes and +enhanced (DSN) status codes as per RFC 4954. + Incompatibility with Postfix snapshot 20070614 ============================================== diff --git a/postfix/html/SASL_README.html b/postfix/html/SASL_README.html index 20c46a615..ea4a9f57a 100644 --- a/postfix/html/SASL_README.html +++ b/postfix/html/SASL_README.html @@ -28,19 +28,23 @@ Dovecot provides an alternative that may be worth considering.

How Postfix uses SASL authentication information

-

Postfix SASL support (RFC 2554) can be used to authenticate +

Postfix SASL support (RFC 4954, formerly RFC 2554) can be used +to authenticate remote SMTP clients to the Postfix SMTP server, and to authenticate the Postfix SMTP client to a remote SMTP server.

-

When receiving mail, Postfix logs the client-provided username, +

When receiving mail, the Postfix SMTP server logs the client-provided +username, authentication method, and sender address to the maillog file, and optionally grants mail access via the permit_sasl_authenticated UCE restriction.

-

When sending mail, Postfix can look up the server hostname or -destination domain (the address right-hand part) in a Postfix SASL password +

When sending mail, the Postfix SMTP client can look up the +remote SMTP server hostname or +destination domain (the address right-hand part) in a SASL password table, and if a username/password is found, it will use that username -and password to authenticate to the server. And as of version 2.3, +and password to authenticate to the remote SMTP server. And as of +version 2.3, Postfix can be configured to search its SASL password table by the sender email address.

@@ -224,7 +228,7 @@ otherwise ld.so will not find the SASL shared library:

Enabling SASL authentication in the Postfix SMTP server

-

In order to enable SASL support in the SMTP server:

+

In order to enable SASL support in the Postfix SMTP server:

@@ -233,7 +237,8 @@ SMTP server
 
-

In order to allow mail relaying by authenticated clients:

+

In order to allow mail relaying by authenticated remote SMTP +clients:

@@ -279,7 +284,7 @@ Postfix SMTP server
 the Postfix side you need to specify the location of the
 Dovecot authentication daemon socket. We use a pathname relative
 to the Postfix queue directory, so that it will work whether or not
-Postfix runs chrooted: 

+the Postfix SMTP server runs chrooted:

@@ -322,11 +327,13 @@ the Dovecot authentication server. 

SMTP server

You need to configure how the Cyrus SASL library should -authenticate a client's username and password. These settings must +authenticate a remote SMTP client's username and password. These +settings must be stored in a separate configuration file.

The name of the configuration file (default: smtpd.conf) will -be constructed from a value sent by Postfix to the Cyrus SASL +be constructed from a value that the Postfix SMTP server sends to +the Cyrus SASL library, which adds the suffix .conf. The value is configured using one of the following variables:

@@ -364,7 +371,7 @@ file in /etc/sasl2.

IMPORTANT: pwcheck establishes a UNIX domain socket in /var/pwcheck -and waits for authentication requests. Postfix processes must have +and waits for authentication requests. The Postfix SMTP server must have read+execute permission to this directory or authentication attempts will fail.

@@ -393,8 +400,8 @@ can authenticate against PAM and various other sources. To use PAM, start saslauthd with "-a pam".

IMPORTANT: saslauthd usually establishes a UNIX domain socket -in /var/run/saslauthd and waits for authentication requests. Postfix -processes must have read+execute permission to this directory or +in /var/run/saslauthd and waits for authentication requests. The Postfix +SMTP server must have read+execute permission to this directory or authentication attempts will fail.

Note: The directory where saslauthd puts the socket is configurable. @@ -429,7 +436,8 @@ software). On some poorly-supported systems the saslpasswd command needs to be run multiple times before it stops complaining. The Postfix SMTP server needs read access to the sasldb file - you may have to play games with group access permissions. With the OTP authentication mechanism, -the SMTP server also needs WRITE access to /etc/sasldb2 or /etc/sasldb +the Postfix SMTP server also needs WRITE access to /etc/sasldb2 or +/etc/sasldb (or the back end SQL database, if used).

IMPORTANT: To get sasldb running, make sure that you set the SASL @@ -456,10 +464,10 @@ domain (realm) to a fully qualified domain name.

in sasldb with sasldblistusers (Cyrus SASL version 1.5.x) or sasldblistusers2 (Cyrus SASL version 2.1.x).

-

On the Postfix side, you can have only one realm per smtpd +

On the Postfix side, you can have only one realm per smtpd(8) instance, and only the users belonging to that realm would be able to authenticate. The Postfix variable smtpd_sasl_local_domain controls the -realm used by smtpd:

+realm used by smtpd(8):

@@ -474,10 +482,11 @@ realm used by smtpd: 

and saslauthd can only support the plaintext mechanisms PLAIN or LOGIN. However, the Cyrus SASL library doesn't know this, and will happily advertise other authentication mechanisms that the SASL -library implements, such as DIGEST-MD5. As a result, if an SMTP +library implements, such as DIGEST-MD5. As a result, if a remote SMTP client chooses any mechanism other than PLAIN or LOGIN while pwcheck or saslauthd are used, authentication will fail. Thus you may need -to limit the list of mechanisms advertised by Postfix.

+to limit the list of mechanisms advertised by the Postfix SMTP +server.

    @@ -525,12 +534,15 @@ exercise. It probably is not worth the trouble.

    Testing SASL authentication in the Postfix SMTP server

    -

    To test the server side, connect to the SMTP server, and you should +

    To test the server side, connect (for example, with telnet) to the +Postfix SMTP server port and you should be able to have a conversation as shown below. Information sent by the -client is shown in bold font.

    +client (that is, you) is shown in bold font.

    +$ telnet server.example.com 25
    +. . .
     220 server.example.com ESMTP Postfix
     EHLO client.example.com
     250-server.example.com
    @@ -587,20 +599,22 @@ directive is set to): 

    -

    then run the resulting sample server and client in separate -terminals. The sample applications send log messages to the syslog +

    then run the resulting sample Cyrus SASL server and client in +separate terminals. The sample applications send log messages to +the syslog facility auth. Check the log to fix the problem or run strace / ktrace / truss on the server to see what makes it unhappy. Repeat the previous step until you can successfully authenticate with the -sample client. Only then get back to Postfix.

    +sample Cyrus SASL client. Only then get back to Postfix.

    Enabling SASL authentication in the Postfix SMTP client

    Turn on client-side SASL authentication, and specify a table with per-host or per-destination username and password information. -Postfix first searches the table for an entry with the server -hostname; if no entry is found, then Postfix searches the table for +The Postfix SMTP client first searches the table for an entry with +the remote SMTP server hostname; if no entry is found, then the +Postfix SMTP client searches the table for an entry with the next-hop destination. Usually, that is the right-hand part of an email address, but it can also be the information that is specified with the relayhost parameter or with a transport(5) @@ -621,8 +635,8 @@ table.

-

The Postfix SASL client password file is opened before the SMTP -server enters the optional chroot jail, so you can keep the file +

The Postfix SMTP client opens the SASL client password file +before entering the optional chroot jail, so you can keep the file in /etc/postfix and set permissions read / write only for root to keep the username:password combinations away from other system users.

@@ -646,7 +660,8 @@ before it searches by destination, specify:

-

Note: some SMTP servers support PLAIN or LOGIN authentication only. +

Note: some remote SMTP servers support PLAIN or LOGIN authentication +only. By default, the Postfix SMTP client does not use authentication methods that send plaintext passwords, and defers delivery with the following error message: "Authentication failed: cannot SASL @@ -660,12 +675,10 @@ for example:

-

Note: Some SMTP servers support authentication mechanisms that, -although available on the client system, may not in practice work or -possess the appropriate credentials to authenticate to the server. It -is possible via the smtp_sasl_mechanism_filter parameter to further -restrict the list of server mechanisms that the smtp(8) client will take -into consideration:

+

Note: some remote SMTP servers announce authentication mechanisms +that don't actually work. It is possible via the smtp_sasl_mechanism_filter +parameter to restrict the list of server mechanisms that the Postfix +SMTP client will take into consideration:

@@ -674,7 +687,8 @@ into consideration:  

-

In the above example, Postfix will decline to use mechanisms +

In the above example, the Postfix SMTP client will decline to +use mechanisms that require special infrastructure such as Kerberos or TLS.

The Postfix SMTP client is backwards compatible with SMTP diff --git a/postfix/html/lmtp.8.html b/postfix/html/lmtp.8.html index 482d3e236..26c6abba4 100644 --- a/postfix/html/lmtp.8.html +++ b/postfix/html/lmtp.8.html @@ -114,6 +114,7 @@ SMTP(8) SMTP(8) RFC 3207 (STARTTLS command) RFC 3461 (SMTP DSN Extension) RFC 3463 (Enhanced Status Codes) + RFC 4954 (AUTH command) DIAGNOSTICS Problems and transactions are logged to syslogd(8). Cor- diff --git a/postfix/html/smtp.8.html b/postfix/html/smtp.8.html index 482d3e236..26c6abba4 100644 --- a/postfix/html/smtp.8.html +++ b/postfix/html/smtp.8.html @@ -114,6 +114,7 @@ SMTP(8) SMTP(8) RFC 3207 (STARTTLS command) RFC 3461 (SMTP DSN Extension) RFC 3463 (Enhanced Status Codes) + RFC 4954 (AUTH command) DIAGNOSTICS Problems and transactions are logged to syslogd(8). Cor- diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html index 557a543c3..509224a17 100644 --- a/postfix/html/smtpd.8.html +++ b/postfix/html/smtpd.8.html @@ -54,6 +54,8 @@ SMTPD(8) SMTPD(8) RFC 3207 (STARTTLS command) RFC 3461 (SMTP DSN Extension) RFC 3463 (Enhanced Status Codes) + RFC 3848 (ESMTP Transmission Types) + RFC 4954 (AUTH command) DIAGNOSTICS Problems and transactions are logged to syslogd(8). diff --git a/postfix/man/man8/smtp.8 b/postfix/man/man8/smtp.8 index dd49319f5..a7390cd0f 100644 --- a/postfix/man/man8/smtp.8 +++ b/postfix/man/man8/smtp.8 @@ -108,6 +108,7 @@ RFC 2920 (SMTP Pipelining) RFC 3207 (STARTTLS command) RFC 3461 (SMTP DSN Extension) RFC 3463 (Enhanced Status Codes) +RFC 4954 (AUTH command) .SH DIAGNOSTICS .ad .fi diff --git a/postfix/man/man8/smtpd.8 b/postfix/man/man8/smtpd.8 index 09f917c2d..1f8606af7 100644 --- a/postfix/man/man8/smtpd.8 +++ b/postfix/man/man8/smtpd.8 @@ -57,6 +57,8 @@ RFC 2920 (SMTP Pipelining) RFC 3207 (STARTTLS command) RFC 3461 (SMTP DSN Extension) RFC 3463 (Enhanced Status Codes) +RFC 3848 (ESMTP Transmission Types) +RFC 4954 (AUTH command) .SH DIAGNOSTICS .ad .fi 
diff --git a/postfix/proto/SASL_README.html b/postfix/proto/SASL_README.html index 161ad058f..3839d813d 100644 --- a/postfix/proto/SASL_README.html +++ b/postfix/proto/SASL_README.html @@ -28,19 +28,23 @@ Dovecot provides an alternative that may be worth considering.

How Postfix uses SASL authentication information

-

Postfix SASL support (RFC 2554) can be used to authenticate +

Postfix SASL support (RFC 4954, formerly RFC 2554) can be used +to authenticate remote SMTP clients to the Postfix SMTP server, and to authenticate the Postfix SMTP client to a remote SMTP server.

-

When receiving mail, Postfix logs the client-provided username, +

When receiving mail, the Postfix SMTP server logs the client-provided +username, authentication method, and sender address to the maillog file, and optionally grants mail access via the permit_sasl_authenticated UCE restriction.

-

When sending mail, Postfix can look up the server hostname or -destination domain (the address right-hand part) in a Postfix SASL password +

When sending mail, the Postfix SMTP client can look up the +remote SMTP server hostname or +destination domain (the address right-hand part) in a SASL password table, and if a username/password is found, it will use that username -and password to authenticate to the server. And as of version 2.3, +and password to authenticate to the remote SMTP server. And as of +version 2.3, Postfix can be configured to search its SASL password table by the sender email address.

@@ -224,7 +228,7 @@ otherwise ld.so will not find the SASL shared library:

Enabling SASL authentication in the Postfix SMTP server

-

In order to enable SASL support in the SMTP server:

+

In order to enable SASL support in the Postfix SMTP server:

@@ -233,7 +237,8 @@ SMTP server
 
-

In order to allow mail relaying by authenticated clients:

+

In order to allow mail relaying by authenticated remote SMTP +clients:

@@ -279,7 +284,7 @@ Postfix SMTP server
 the Postfix side you need to specify the location of the
 Dovecot authentication daemon socket. We use a pathname relative
 to the Postfix queue directory, so that it will work whether or not
-Postfix runs chrooted: 

+the Postfix SMTP server runs chrooted:

@@ -322,11 +327,13 @@ the Dovecot authentication server. 

SMTP server

You need to configure how the Cyrus SASL library should -authenticate a client's username and password. These settings must +authenticate a remote SMTP client's username and password. These +settings must be stored in a separate configuration file.

The name of the configuration file (default: smtpd.conf) will -be constructed from a value sent by Postfix to the Cyrus SASL +be constructed from a value that the Postfix SMTP server sends to +the Cyrus SASL library, which adds the suffix .conf. The value is configured using one of the following variables:

@@ -364,7 +371,7 @@ file in /etc/sasl2.

IMPORTANT: pwcheck establishes a UNIX domain socket in /var/pwcheck -and waits for authentication requests. Postfix processes must have +and waits for authentication requests. The Postfix SMTP server must have read+execute permission to this directory or authentication attempts will fail.

@@ -393,8 +400,8 @@ can authenticate against PAM and various other sources. To use PAM, start saslauthd with "-a pam".

IMPORTANT: saslauthd usually establishes a UNIX domain socket -in /var/run/saslauthd and waits for authentication requests. Postfix -processes must have read+execute permission to this directory or +in /var/run/saslauthd and waits for authentication requests. The Postfix +SMTP server must have read+execute permission to this directory or authentication attempts will fail.

Note: The directory where saslauthd puts the socket is configurable. @@ -429,7 +436,8 @@ software). On some poorly-supported systems the saslpasswd command needs to be run multiple times before it stops complaining. The Postfix SMTP server needs read access to the sasldb file - you may have to play games with group access permissions. With the OTP authentication mechanism, -the SMTP server also needs WRITE access to /etc/sasldb2 or /etc/sasldb +the Postfix SMTP server also needs WRITE access to /etc/sasldb2 or +/etc/sasldb (or the back end SQL database, if used).

IMPORTANT: To get sasldb running, make sure that you set the SASL @@ -456,10 +464,10 @@ domain (realm) to a fully qualified domain name.

in sasldb with sasldblistusers (Cyrus SASL version 1.5.x) or sasldblistusers2 (Cyrus SASL version 2.1.x).

-

On the Postfix side, you can have only one realm per smtpd +

On the Postfix side, you can have only one realm per smtpd(8) instance, and only the users belonging to that realm would be able to authenticate. The Postfix variable smtpd_sasl_local_domain controls the -realm used by smtpd:

+realm used by smtpd(8):

@@ -474,10 +482,11 @@ realm used by smtpd: 

and saslauthd can only support the plaintext mechanisms PLAIN or LOGIN. However, the Cyrus SASL library doesn't know this, and will happily advertise other authentication mechanisms that the SASL -library implements, such as DIGEST-MD5. As a result, if an SMTP +library implements, such as DIGEST-MD5. As a result, if a remote SMTP client chooses any mechanism other than PLAIN or LOGIN while pwcheck or saslauthd are used, authentication will fail. Thus you may need -to limit the list of mechanisms advertised by Postfix.

+to limit the list of mechanisms advertised by the Postfix SMTP +server.

    @@ -525,12 +534,15 @@ exercise. It probably is not worth the trouble.

    Testing SASL authentication in the Postfix SMTP server

    -

    To test the server side, connect to the SMTP server, and you should +

    To test the server side, connect (for example, with telnet) to the +Postfix SMTP server port and you should be able to have a conversation as shown below. Information sent by the -client is shown in bold font.

    +client (that is, you) is shown in bold font.

    +$ telnet server.example.com 25
    +. . .
     220 server.example.com ESMTP Postfix
     EHLO client.example.com
     250-server.example.com
    @@ -587,20 +599,22 @@ directive is set to): 

    -

    then run the resulting sample server and client in separate -terminals. The sample applications send log messages to the syslog +

    then run the resulting sample Cyrus SASL server and client in +separate terminals. The sample applications send log messages to +the syslog facility auth. Check the log to fix the problem or run strace / ktrace / truss on the server to see what makes it unhappy. Repeat the previous step until you can successfully authenticate with the -sample client. Only then get back to Postfix.

    +sample Cyrus SASL client. Only then get back to Postfix.

    Enabling SASL authentication in the Postfix SMTP client

    Turn on client-side SASL authentication, and specify a table with per-host or per-destination username and password information. -Postfix first searches the table for an entry with the server -hostname; if no entry is found, then Postfix searches the table for +The Postfix SMTP client first searches the table for an entry with +the remote SMTP server hostname; if no entry is found, then the +Postfix SMTP client searches the table for an entry with the next-hop destination. Usually, that is the right-hand part of an email address, but it can also be the information that is specified with the relayhost parameter or with a transport(5) @@ -621,8 +635,8 @@ table.

-

The Postfix SASL client password file is opened before the SMTP -server enters the optional chroot jail, so you can keep the file +

The Postfix SMTP client opens the SASL client password file +before entering the optional chroot jail, so you can keep the file in /etc/postfix and set permissions read / write only for root to keep the username:password combinations away from other system users.
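Review bot: "set permissions read / write only for root" in the rewritten sentence is still vague for the one place this document tells readers how to protect stored credentials; state the owner and mode explicitly (owned by root, mode 0600, and not group or world readable), since the whole point of the paragraph is keeping the username:password pairs away from other system users.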

@@ -646,7 +660,8 @@ before it searches by destination, specify:

-

Note: some SMTP servers support PLAIN or LOGIN authentication only. +

Note: some remote SMTP servers support PLAIN or LOGIN authentication +only. By default, the Postfix SMTP client does not use authentication methods that send plaintext passwords, and defers delivery with the following error message: "Authentication failed: cannot SASL @@ -660,12 +675,10 @@ for example:

-

Note: Some SMTP servers support authentication mechanisms that, -although available on the client system, may not in practice work or -possess the appropriate credentials to authenticate to the server. It -is possible via the smtp_sasl_mechanism_filter parameter to further -restrict the list of server mechanisms that the smtp(8) client will take -into consideration:

+

Note: some remote SMTP servers announce authentication mechanisms +that don't actually work. It is possible via the smtp_sasl_mechanism_filter +parameter to restrict the list of server mechanisms that the Postfix +SMTP client will take into consideration:
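Review bot: the new wording "announce authentication mechanisms that don't actually work" drops the reason the removed text gave (a mechanism the client library offers but for which it lacks the credentials or infrastructure), which is exactly what smtp_sasl_mechanism_filter is for; keep a clause along the lines of "or that the Postfix SMTP client cannot use because it lacks the required credentials or infrastructure", so the Kerberos/TLS sentence in the following hunk has something to refer back to.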

@@ -674,7 +687,8 @@ into consideration:  

-

In the above example, Postfix will decline to use mechanisms +

In the above example, the Postfix SMTP client will decline to +use mechanisms that require special infrastructure such as Kerberos or TLS.

The Postfix SMTP client is backwards compatible with SMTP diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index a6a413364..770cebca4 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20070720" +#define MAIL_RELEASE_DATE "20070724" #define MAIL_VERSION_NUMBER "2.5" #ifdef SNAPSHOT diff --git a/postfix/src/milter/milter8.c b/postfix/src/milter/milter8.c index 2753d7c4b..8f1745ce7 100644 --- a/postfix/src/milter/milter8.c +++ b/postfix/src/milter/milter8.c @@ -442,15 +442,9 @@ static int milter8_conf_error(MILTER8 *milter) const char *reply; /* - * While reading the following, keep in mind that a client-side Milter - * socket is shared between the Postfix SMTP server and the cleanup - * server. The SMTP server reports only the SMTP events to the Milter. - * The cleanup server reports the headers and body to the Milter, and - * receives the header or body modification requests from the Milter. - * - * XXX When the cleanup server closes its end of the Milter socket after - * some local/remote configuration error, the SMTP server is left out of - * sync with the Milter. Sending an ABORT to the Milters will not restore + * XXX When the cleanup server closes its end of the Milter socket while + * editing a queue file, the SMTP server is left out of sync with the + * Milter. Sending an ABORT to the Milters will not restore * synchronization, because there may be any number of Milter replies * already in flight. Workaround: poison the socket and force the SMTP * server to abandon it. 
@@ -476,18 +470,12 @@ static int milter8_comm_error(MILTER8 *milter) const char *reply; /* - * While reading the following, keep in mind that a client-side Milter - * socket is shared between the Postfix SMTP server and the cleanup - * server. The SMTP server reports only the SMTP events to the Milter. - * The cleanup server reports the headers and body to the Milter, and - * receives the header or body modification requests from the Milter. - * - * XXX When the cleanup server closes its end of the Milter socket after - * some local or remote remote protocol error, the SMTP server is left - * out of sync with the Milter. Sending an ABORT to the Milters will not - * restore synchronization, because there may be any number of Milter - * replies already in flight. Workaround: poison the socket and force the - * SMTP server to abandon it. + * XXX When the cleanup server closes its end of the Milter socket while + * editing a queue file, the SMTP server is left out of sync with the + * Milter. Sending an ABORT to the Milters will not restore + * synchronization, because there may be any number of Milter replies + * already in flight. Workaround: poison the socket and force the SMTP + * server to abandon it. */ if (milter->fp != 0) { (void) shutdown(vstream_fileno(milter->fp), SHUT_RDWR); 
@@ -1009,26 +997,21 @@ static const char *milter8_event(MILTER8 *milter, int event, /* * Receive the reply or replies. * - * Intercept all loop exits so that we can do post body replacement + * Intercept all loop exits so that we can do post header/body edit * processing. * * XXX Bound the loop iteration count. * - * While reading the following, keep in mind that a client-side Milter - * socket is shared between the Postfix SMTP server and the cleanup - * server. The SMTP server reports only the SMTP events to the Milter. - * The cleanup server reports the headers and body to the Milter, and - * receives the header or body modification requests from the Milter. - * * In the end-of-body stage, the Milter may reply with one or more queue * file edit requests before it replies with its final decision: accept, - * reject, etc. After a local queue file edit error, do not close the - * Milter socket in the cleanup server. Instead skip all further Milter - * replies until the final decision. This way the Postfix SMTP server - * stays in sync with the Milter, and Postfix doesn't have to lose the - * ability to handle multiple deliveries within the same SMTP session. - * This requires that the Postfix SMTP server uses something other than - * CLEANUP_STAT_WRITE when it loses contact with the cleanup server. + * reject, etc. After a local queue file edit error (file too big, media + * write error), do not close the Milter socket in the cleanup server. + * Instead skip all further Milter replies until the final decision. This + * way the Postfix SMTP server stays in sync with the Milter, and Postfix + * doesn't have to lose the ability to handle multiple deliveries within + * the same SMTP session. This requires that the Postfix SMTP server uses + * something other than CLEANUP_STAT_WRITE when it loses contact with the + * cleanup server. */ #define IN_CONNECT_EVENT(e) ((e) == SMFIC_CONNECT || (e) == SMFIC_HELO) 
diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c index 701e8fe90..2f5abaf6a 100644 --- a/postfix/src/smtp/smtp.c +++ b/postfix/src/smtp/smtp.c @@ -94,6 +94,7 @@ /* RFC 3207 (STARTTLS command) /* RFC 3461 (SMTP DSN Extension) /* RFC 3463 (Enhanced Status Codes) +/* RFC 4954 (AUTH command) /* DIAGNOSTICS /* Problems and transactions are logged to \fBsyslogd\fR(8). /* Corrupted message files are marked so that the queue manager can diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c index 44d0246a9..71dec8edf 100644 --- a/postfix/src/smtpd/smtpd.c +++ b/postfix/src/smtpd/smtpd.c @@ -47,6 +47,8 @@ /* RFC 3207 (STARTTLS command) /* RFC 3461 (SMTP DSN Extension) /* RFC 3463 (Enhanced Status Codes) +/* RFC 3848 (ESMTP Transmission Types) +/* RFC 4954 (AUTH command) /* DIAGNOSTICS /* Problems and transactions are logged to \fBsyslogd\fR(8). /* @@ -2462,6 +2464,8 @@ static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv) int out_error; char **cpp; CLEANUP_STAT_DETAIL *detail; + const char *rfc3848_sess; + const char *rfc3848_auth; #ifdef USE_TLS VSTRING *peer_CN; @@ -2595,7 +2599,13 @@ static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv) out_fprintf(out_stream, REC_TYPE_NORM, "\t(No client certificate requested)"); } + /* RFC 3848 is defined for ESMTP only. */ + if (state->tls_context != 0 + && strcmp(state->protocol, MAIL_PROTO_ESMTP) == 0) + rfc3848_sess = "S"; + else #endif + rfc3848_sess = ""; #ifdef USE_SASL_AUTH if (var_smtpd_sasl_enable && var_smtpd_sasl_auth_hdr && state->sasl_username) { username = VSTRING_STRDUP(state->sasl_username); 
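Review bot: the `else` that falls across the `#endif` in `rfc3848_sess = "S"; else` / `#endif` / `rfc3848_sess = "";` is correct in both build configurations but easy to misread when scanning for the end of the `#ifdef USE_TLS` block; initialise `rfc3848_sess` (and `rfc3848_auth`) to `""` at the declarations added in the `@@ -2462` hunk and keep only the `= "S"` assignment inside the conditional block, so no statement has to straddle a preprocessor boundary.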
@@ -2604,23 +2614,31 @@ static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv) "\t(Authenticated sender: %s)", STR(username)); vstring_free(username); } + /* RFC 3848 is defined for ESMTP only. */ + if (var_smtpd_sasl_enable && state->sasl_username + && strcmp(state->protocol, MAIL_PROTO_ESMTP) == 0) + rfc3848_auth = "A"; + else #endif + rfc3848_auth = ""; if (state->rcpt_count == 1 && state->recipient) { out_fprintf(out_stream, REC_TYPE_NORM, - state->cleanup ? "\tby %s (%s) with %s id %s" : + state->cleanup ? "\tby %s (%s) with %s%s%s id %s" : "\tby %s (%s) with %s", var_myhostname, var_mail_name, - state->protocol, state->queue_id); + state->protocol, rfc3848_sess, + rfc3848_auth, state->queue_id); quote_822_local(state->buffer, state->recipient); out_fprintf(out_stream, REC_TYPE_NORM, "\tfor <%s>; %s", STR(state->buffer), mail_date(state->arrival_time.tv_sec)); } else { out_fprintf(out_stream, REC_TYPE_NORM, - state->cleanup ? "\tby %s (%s) with %s id %s;" : + state->cleanup ? "\tby %s (%s) with %s%s%s id %s;" : "\tby %s (%s) with %s;", var_myhostname, var_mail_name, - state->protocol, state->queue_id); + state->protocol, rfc3848_sess, + rfc3848_auth, state->queue_id); out_fprintf(out_stream, REC_TYPE_NORM, "\t%s", mail_date(state->arrival_time.tv_sec)); } 
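Review bot: the RFC 3848 markers are only appended in the `state->cleanup` format string (`"\tby %s (%s) with %s%s%s id %s"`); the fallback format `"\tby %s (%s) with %s"` used when there is no cleanup stream still records a bare protocol name, so messages written on that path lose the `S`/`A` annotation even though HISTORY says RFC 3848 support is always on. Either add `%s%s%s` to the fallback formats as well or leave a comment saying that path is intentionally unannotated. The extra arguments passed to the three-`%s` format are ignored, as they already were for `state->queue_id`.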
@@ -2760,20 +2778,19 @@ static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv) } /* - * XXX If we lost the cleanup server, the Postfix SMTP server will be out - * of sync with Milter applications. Sending an ABORT to the Milters is - * not sufficient to restore synchronization, because there may be any - * number of Milter replies already in flight. Destroying and recreating - * the Milters (and faking the connect and ehlo events) is too much - * trouble for testing and maintenance. Workaround: force the Postfix - * SMTP server to hang up with a 421 response in the rare case that the - * cleanup server breaks AND that the remote SMTP client continues the - * session after end-of-data. + * XXX If we lose the cleanup server while it is editing a queue file, + * the Postfix SMTP server will be out of sync with Milter applications. + * Sending an ABORT to the Milters is not sufficient to restore + * synchronization, because there may be any number of Milter replies + * already in flight. Destroying and recreating the Milters (and faking + * the connect and ehlo events) is too much trouble for testing and + * maintenance. Workaround: force the Postfix SMTP server to hang up with + * a 421 response in the rare case that the cleanup server breaks AND + * that the remote SMTP client continues the session after end-of-data. * * XXX Should use something other than CLEANUP_STAT_WRITE when we lose - * contact with the cleanup server. This requires internal changes to the - * mail_stream module; these may affect other mail_stream_service() users - * (qmqpd, sendmail, ...). + * contact with the cleanup server. This requires changes to the + * mail_stream module and its users (smtpd, qmqpd, perhaps sendmail). */ if (smtpd_milters != 0 && (state->err & CLEANUP_STAT_WRITE) != 0) state->access_denied = mystrdup("421 4.3.0 Mail system error"); 
@@ -3695,7 +3712,8 @@ static int starttls_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv) } if (smtpd_tls_ctx == 0) { state->error_mask |= MAIL_ERROR_SOFTWARE; - smtpd_chat_reply(state, "454 4.3.0 TLS not available due to local problem"); + /* RFC 4954 Section 6. */ + smtpd_chat_reply(state, "454 4.7.0 TLS not available due to local problem"); return (-1); } diff --git a/postfix/src/smtpd/smtpd_sasl_glue.c b/postfix/src/smtpd/smtpd_sasl_glue.c index 76f5bb9f1..fb87a83bf 100644 --- a/postfix/src/smtpd/smtpd_sasl_glue.c +++ b/postfix/src/smtpd/smtpd_sasl_glue.c @@ -258,11 +258,13 @@ int smtpd_sasl_authenticate(SMTPD_STATE *state, msg_warn("%s[%s]: SASL %s authentication failed: %s", state->name, state->addr, sasl_method, STR(state->sasl_reply)); - smtpd_chat_reply(state, "535 5.7.0 Error: authentication failed: %s", + /* RFC 4954 Section 6. */ + smtpd_chat_reply(state, "535 5.7.8 Error: authentication failed: %s", STR(state->sasl_reply)); return (-1); } - smtpd_chat_reply(state, "235 2.0.0 Authentication successful"); + /* RFC 4954 Section 6. */ + smtpd_chat_reply(state, "235 2.7.0 Authentication successful"); if ((sasl_username = xsasl_server_get_username(state->sasl_server)) == 0) msg_panic("cannot look up the authenticated SASL username"); state->sasl_username = mystrdup(sasl_username); diff --git a/postfix/src/smtpd/smtpd_sasl_proto.c b/postfix/src/smtpd/smtpd_sasl_proto.c index cef154027..8a930bebe 100644 --- a/postfix/src/smtpd/smtpd_sasl_proto.c +++ b/postfix/src/smtpd/smtpd_sasl_proto.c @@ -168,7 +168,8 @@ int smtpd_sasl_auth_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv) #ifdef USE_TLS if (state->tls_auth_only && !state->tls_context) { state->error_mask |= MAIL_ERROR_PROTOCOL; - smtpd_chat_reply(state, "538 5.7.0 Encryption required for requested authentication mechanism"); + /* RFC 4954, Section 4. */ + smtpd_chat_reply(state, "504 5.5.4 Encryption required for requested authentication mechanism"); return (-1); } #endif
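Review bot: the `/* RFC 4954 Section 6. */` comment on the starttls_cmd change is misleading, because this reply answers STARTTLS, not AUTH; RFC 3207 is the specification for that reply ("454 TLS not available due to temporary reason") and should be cited there, with RFC 3463 for the 4.7.0 enhanced status, so a later reader does not go looking for STARTTLS semantics in the AUTH RFC.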
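Review bot: replacing `538 5.7.0` with `504 5.5.4` in smtpd_sasl_auth_cmd follows RFC 4954 (Section 4 rejects a mechanism not offered in the EHLO response with 504, and Section 6 lists 538 as deprecated), but the new reply is only coherent if the server does not advertise any AUTH mechanism before STARTTLS when tls_auth_only is set; otherwise a client sees a mechanism announced and then refused as unrecognized. A one-line comment stating that assumption next to the new reply would help, and the reply text should stay as written since it is the only hint to the client that TLS is the remedy.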