From: Wietse Venema Date: Sat, 15 Jan 2011 05:00:00 +0000 (-0500) Subject: postfix-2.8-20110115 X-Git-Tag: v2.8.0-RC1~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ee84c57d755145392858f5801af26be88efbc5c0;p=thirdparty%2Fpostfix.git postfix-2.8-20110115 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index 43f0b42b7..c2947e853 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -16441,3 +16441,19 @@ Apologies for any names omitted. that temporarily switch control to an external program such as tlsproxy, or perhaps a future policy plugin. Files: postscreen/postscreen_smtpd, postscreen/postscreen_starttls.c. + +20110113 + + Cleanup: ps_cache and psc_cache are now postscreen_cache. + There is no need for obscure name abbrevations. File: + src/global/mail_params.h. + +20110115 + + Workaround: malloc fuzz (safety margin for malloc requests). + Files: util/sys_defs.h, util/mymalloc.c. + + Cleanup: dnsblog_service_name and tlsproxy_service_name are + now configurable, in case someone needs this. Files: + global/mail_params.h, postscreen/postscreen.c, mantools/postlink, + proto/postconf.proto. diff --git a/postfix/README_FILES/OVERVIEW b/postfix/README_FILES/OVERVIEW index 95a3056b9..ee271e61b 100644 --- a/postfix/README_FILES/OVERVIEW +++ b/postfix/README_FILES/OVERVIEW 
@@ -366,12 +366,15 @@ queues. processes. Its purpose is to accept connections from the network and to decide what SMTP clients are allowed to talk to Postfix. According to the 2008 MessageLabs annual report, 81% of all email was spam, and 90% of that - was sent by botnets. While postscreen(8) keeps the zombies away, more smtpd - (8) processes remain available for legitimate clients. - - The postscreen(8) server is still evolving, and is likely to undergo - changes that break compatibility with earlier versions. For this reason the - postscreen(8) server is not installed with the stable Postfix release. + was sent by botnets; by 2010, those numbers were 92% and 95%, respectively. + While postscreen(8) keeps the zombies away, more smtpd(8) processes remain + available for legitimate clients. + + The postscreen(8) server is available with Postfix 2.8 and later. To keep + the implementation simple, postscreen(8) delegates DNS white/backlist + lookups to dnsblog(8) server processes, and delegates TLS encryption/ + decryption to tlsproxy(8) server processes. This delegation is invisible to + the remote SMTP client, and is not shown in the diagram below. zombie diff --git a/postfix/README_FILES/POSTSCREEN_README b/postfix/README_FILES/POSTSCREEN_README index 6e93ddff4..0f83617ae 100644 --- a/postfix/README_FILES/POSTSCREEN_README +++ b/postfix/README_FILES/POSTSCREEN_README @@ -473,6 +473,7 @@ postscreen(8) has been tested on FreeBSD [4-8], Linux 2.[4-6] and Solaris 9 systems. * Turning on postscreen(8) without blocking mail + * postscreen(8) TLS configuration * Blocking mail with postscreen(8) * Turning off postscreen(8) 
@@ -555,6 +556,23 @@ Notes: ("postfix stop; postfix start"). This is needed because the Postfix "pass" master service type did not work reliably on all systems. +ppoossttssccrreeeenn((88)) TTLLSS ccoonnffiigguurraattiioonn + +postscreen(8) TLS support is available for remote SMTP clients that aren't +whitelisted, including clients that need to renew their temporary whitelist +status. When a remote SMTP client requests TLS service, postscreen(8) invisibly +hands off the connection to a tlsproxy(8) process. Then, tlsproxy(8) encrypts +and decrypts the traffic between postscreen(8) and the remote SMTP client. One +tlsproxy(8) process can handle multiple SMTP sessions. The number of tlsproxy +(8) processes slowly increases with server load, but it should always be much +smaller than the number of postscreen(8) TLS sessions. + +TLS support for postscreen(8) and tlsproxy(8) uses the same parameters as with +smtpd(8). We recommend that you keep the relevant configuration parameters in +main.cf. If you must specify "-o smtpd_mumble=value" parameter overrides in +master.cf for a postscreen-protected smtpd(8) service, then you should specify +those same parameter overrides for the postscreen(8) and tlsproxy(8) services. + BBlloocckkiinngg mmaaiill wwiitthh ppoossttssccrreeeenn((88)) To use the postscreen(8) service to block mail, edit main.cf and specify one or diff --git a/postfix/WISHLIST b/postfix/WISHLIST index b11bcc083..7004a33b3 100644 --- a/postfix/WISHLIST +++ b/postfix/WISHLIST @@ -4,8 +4,6 @@ Wish list: Remove this file from the stable release. - Make tlsproxy_service and dnsblog_service configurable. - Things to do after the stable release: When does it pay off to send domains in the active queue diff --git a/postfix/html/OVERVIEW.html b/postfix/html/OVERVIEW.html index 689b340fb..adc415ee9 100644 --- a/postfix/html/OVERVIEW.html +++ b/postfix/html/OVERVIEW.html 
@@ -732,14 +732,17 @@ document. The verify(8) service is available with P smtpd(8) processes. Its purpose is to accept connections from the network and to decide what SMTP clients are allowed to talk to Postfix. According to the 2008 MessageLabs annual report, 81% of -all email was spam, and 90% of that was sent by botnets. While -postscreen(8) keeps the zombies away, more smtpd(8) processes remain -available for legitimate clients.

- -

The postscreen(8) server is still evolving, and is likely to -undergo changes that break compatibility with earlier versions. -For this reason the postscreen(8) server is not installed with the -stable Postfix release.

+all email was spam, and 90% of that was sent by botnets; by 2010, +those numbers were 92% and 95%, respectively. While postscreen(8) +keeps the zombies away, more smtpd(8) processes remain available +for legitimate clients.

+ +

The postscreen(8) server is available with Postfix 2.8 and +later. To keep the implementation simple, postscreen(8) delegates +DNS white/backlist lookups to dnsblog(8) server processes, and +delegates TLS encryption/decryption to tlsproxy(8) server processes. +This delegation is invisible to the remote SMTP client, and is not +shown in the diagram below.

diff --git a/postfix/html/POSTSCREEN_README.html b/postfix/html/POSTSCREEN_README.html index 11259a64a..6dd5799de 100644 --- a/postfix/html/POSTSCREEN_README.html +++ b/postfix/html/POSTSCREEN_README.html @@ -657,6 +657,8 @@ and Solaris 9 systems.

  • Turning on postscreen(8) without blocking mail +
  • postscreen(8) TLS configuration +
  • Blocking mail with postscreen(8)
  • Turning off postscreen(8) @@ -777,6 +779,27 @@ work reliably on all systems.

    +

    postscreen(8) TLS configuration

    + +

    postscreen(8) TLS support is available for remote SMTP clients +that aren't whitelisted, including clients that need to renew their +temporary whitelist status. When a remote SMTP client requests TLS +service, postscreen(8) invisibly hands off the connection to a +tlsproxy(8) process. Then, tlsproxy(8) encrypts and decrypts the +traffic between postscreen(8) and the remote SMTP client. One +tlsproxy(8) process can handle multiple SMTP sessions. The number +of tlsproxy(8) processes slowly increases with server load, but it +should always be much smaller than the number of postscreen(8) TLS +sessions.

    + +

    TLS support for postscreen(8) and tlsproxy(8) uses the same +parameters as with smtpd(8). We recommend that you keep the relevant +configuration parameters in main.cf. If you must specify "-o +smtpd_mumble=value" parameter overrides in master.cf for a +postscreen-protected smtpd(8) service, then you should specify those +same parameter overrides for the postscreen(8) and tlsproxy(8) +services.

    +

    Blocking mail with postscreen(8)

    To use the postscreen(8) service to block mail, edit main.cf and diff --git a/postfix/html/dnsblog.8.html b/postfix/html/dnsblog.8.html index 8306a6677..ab257ea38 100644 --- a/postfix/html/dnsblog.8.html +++ b/postfix/html/dnsblog.8.html @@ -7,24 +7,24 @@ DNSBLOG(8) DNSBLOG(8) NAME - dnsblog - Postfix DNS blocklist logger + dnsblog - Postfix DNS white/blacklist logger SYNOPSIS dnsblog [generic Postfix daemon options] DESCRIPTION - The dnsblog(8) server implements an ad-hoc DNS blocklist - lookup service that will eventually be replaced by an UDP - client that is built directly into the postscreen(8) - server. + The dnsblog(8) server implements an ad-hoc DNS + white/blacklist lookup service that will eventually be + replaced by an UDP client that is built directly into the + postscreen(8) server. With each connection, the dnsblog(8) server receives a DNS - blocklist domain name and an IP address. If the address is - listed under the DNS blocklist, the dnsblog(8) server logs - the match and replies with the query arguments plus a non- - zero status. Otherwise it replies with the query argu- - ments plus a zero status. Finally, The dnsblog(8) server - closes the connection. + white/blacklist domain name and an IP address. If the + address is listed under the DNS white/blacklist, the dns- + blog(8) server logs the match and replies with the query + arguments plus a non-zero status. Otherwise it replies + with the query arguments plus a zero status. Finally, The + dnsblog(8) server closes the connection. DIAGNOSTICS Problems and transactions are logged to syslogd(8). @@ -47,8 +47,8 @@ DNSBLOG(8) DNSBLOG(8) built-in watchdog timer. postscreen_dnsbl_sites (empty) - Optional list of DNS blocklist domains, filters and - weight factors. + Optional list of DNS white/blacklist domains, fil- + ters and weight factors. ipc_timeout (3600s) The time limit for sending or receiving information 
diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index d6f0e969f..cc3f97dc6 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -2597,6 +2597,17 @@ Example:

    This feature is available in Postfix 2.8.

    + + +
    dnsblog_service_name +(default: dnsblog)
    + +

    The name of the dnsblog(8) service entry in master.cf. This +service performs DNS white/blacklist lookups.

    + +

    This feature is available in Postfix 2.8 and later.

    + +
    dont_remove @@ -6805,7 +6816,7 @@ seconds.

    postscreen_cache_map -(default: btree:$data_directory/ps_cache)
    +(default: btree:$data_directory/postscreen_cache)

    Persistent storage for the postscreen(8) server decisions.

    @@ -6990,11 +7001,11 @@ the file is read).

    postscreen_dnsbl_sites (default: empty)
    -

    Optional list of DNS blocklist domains, filters and weight +

    Optional list of DNS white/blacklist domains, filters and weight factors. When the list is non-empty, the dnsblog(8) daemon will -query these domains with the IP addresses of non-whitelisted remote -SMTP clients, and postscreen(8) will update an SMTP client's DNSBL -score with each non-error reply.

    +query these domains with the IP addresses of remote SMTP clients, +and postscreen(8) will update an SMTP client's DNSBL score with +each non-error reply.

    Caution: when postscreen rejects mail, it replies with the DNSBL domain name. Use the postscreen_dnsbl_reply_map feature to hide @@ -15275,6 +15286,17 @@ further details.

    This feature is available in Postfix 2.8 and later.

    +
    + +
    tlsproxy_service_name +(default: tlsproxy)
    + +

    The name of the tlsproxy(8) service entry in master.cf. This +service performs plaintext <=> TLS ciphertext conversion.

    + +

    This feature is available in Postfix 2.8 and later.

    + +
    tlsproxy_tls_CAfile diff --git a/postfix/html/postfix-manuals.html b/postfix/html/postfix-manuals.html index d63c0671d..36cdfa5b2 100644 --- a/postfix/html/postfix-manuals.html +++ b/postfix/html/postfix-manuals.html @@ -184,6 +184,8 @@ the following convention:

  • discard(8), Postfix discard delivery agent +
  • dnsblog(8), DNS black/whitelist logger +
  • error(8), Postfix error delivery agent
  • flush(8), Postfix fast ETRN service diff --git a/postfix/html/postfix.1.html b/postfix/html/postfix.1.html index ad237fcf2..c4bb73a25 100644 --- a/postfix/html/postfix.1.html +++ b/postfix/html/postfix.1.html @@ -309,6 +309,7 @@ POSTFIX(1) POSTFIX(1) bounce(8), defer(8), trace(8), Delivery status reports cleanup(8), canonicalize and enqueue message discard(8), Postfix discard delivery agent + dnsblog(8), DNS black/whitelist logger error(8), Postfix error delivery agent flush(8), Postfix fast ETRN service local(8), Postfix local delivery agent diff --git a/postfix/html/postscreen.8.html b/postfix/html/postscreen.8.html index 20c2290f8..a26bf621a 100644 --- a/postfix/html/postscreen.8.html +++ b/postfix/html/postscreen.8.html 
@@ -131,45 +131,49 @@ POSTSCREEN(8) POSTSCREEN(8) remote SMTP client. BEFORE-GREETING TRIAGE + dnsblog_service_name (dnsblog) + The name of the dnsblog(8) service entry in mas- + ter.cf. + postscreen_access_list (permit_mynetworks) Permanent white/blacklist for remote SMTP client IP addresses; postscreen(8) searches this list immedi- ately after a remote SMTP client connects. postscreen_blacklist_action (ignore) - The action that postscreen(8) takes when an SMTP - client is permanently blacklisted with the + The action that postscreen(8) takes when an SMTP + client is permanently blacklisted with the postscreen_blacklist_networks parameter. postscreen_blacklist_networks (empty) Network addresses that are permanently blacklisted; - see the postscreen_blacklist_action parameter for + see the postscreen_blacklist_action parameter for possible actions. postscreen_dnsbl_action (ignore) - The action that postscreen(8) takes when an SMTP + The action that postscreen(8) takes when an SMTP client's combined DNSBL score is equal to or - greater than a threshold (as defined with the + greater than a threshold (as defined with the postscreen_dnsbl_sites and postscreen_dnsbl_thresh- old parameters). postscreen_dnsbl_reply_map (empty) - A mapping from actual DNSBL domain name which - includes a secret password, to the DNSBL domain + A mapping from actual DNSBL domain name which + includes a secret password, to the DNSBL domain name that postscreen will reply with when it rejects mail. postscreen_dnsbl_sites (empty) - Optional list of DNS blocklist domains, filters and - weight factors. + Optional list of DNS white/blacklist domains, fil- + ters and weight factors. postscreen_dnsbl_threshold (1) - The inclusive lower bound for blocking an SMTP + The inclusive lower bound for blocking an SMTP client, based on its combined DNSBL score as - defined with the postscreen_dnsbl_sites parameter. + defined with the postscreen_dnsbl_sites parameter. 
postscreen_greet_action (ignore) - The action that postscreen(8) takes when an SMTP + The action that postscreen(8) takes when an SMTP client speaks before its turn within the time spec- ified with the postscreen_greet_wait parameter. @@ -177,28 +181,28 @@ POSTSCREEN(8) POSTSCREEN(8) The text in the optional "220-text..." server response that postscreen(8) sends ahead of the real Postfix SMTP server's "220 text..." response, in an - attempt to confuse bad SMTP clients so that they + attempt to confuse bad SMTP clients so that they speak before their turn (pre-greet). postscreen_greet_wait (${stress?2}${stress:6}s) The amount of time that postscreen(8) will wait for - an SMTP client to send a command before its turn, - and for DNS blocklist lookup results to arrive - (default: up to 2 seconds under stress, up to 6 + an SMTP client to send a command before its turn, + and for DNS blocklist lookup results to arrive + (default: up to 2 seconds under stress, up to 6 seconds otherwise). AFTER-GREETING TRIAGE postscreen_bare_newline_action (ignore) - The action that postscreen(8) takes when an SMTP - client sends a bare newline character, that is, a + The action that postscreen(8) takes when an SMTP + client sends a bare newline character, that is, a newline not preceded by carriage return. postscreen_bare_newline_enable (no) - Enable "bare newline" SMTP protocol tests in the + Enable "bare newline" SMTP protocol tests in the postscreen(8) server. postscreen_disable_vrfy_command ($disable_vrfy_command) - Disable the SMTP VRFY command in the postscreen(8) + Disable the SMTP VRFY command in the postscreen(8) daemon. postscreen_forbidden_commands ($smtpd_forbidden_commands) 
@@ -206,111 +210,116 @@ POSTSCREEN(8) POSTSCREEN(8) siders in violation of the SMTP protocol. postscreen_helo_required ($smtpd_helo_required) - Require that a remote SMTP client sends HELO or + Require that a remote SMTP client sends HELO or EHLO before commencing a MAIL transaction. postscreen_non_smtp_command_action (drop) - The action that postscreen(8) takes when an SMTP - client sends non-SMTP commands as specified with + The action that postscreen(8) takes when an SMTP + client sends non-SMTP commands as specified with the postscreen_forbidden_commands parameter. postscreen_non_smtp_command_enable (no) - Enable "non-SMTP command" tests in the + Enable "non-SMTP command" tests in the postscreen(8) server. postscreen_pipelining_action (enforce) - The action that postscreen(8) takes when an SMTP - client sends multiple commands instead of sending - one command and waiting for the server to respond. + The action that postscreen(8) takes when an SMTP + client sends multiple commands instead of sending + one command and waiting for the server to respond. postscreen_pipelining_enable (no) - Enable "pipelining" SMTP protocol tests in the + Enable "pipelining" SMTP protocol tests in the postscreen(8) server. AFTER-TRIAGE CONTROLS smtpd_service_name (smtpd) - The internal service that postscreen(8) forwards + The internal service that postscreen(8) forwards allowed connections to. CACHE CONTROLS postscreen_cache_cleanup_interval (12h) - The amount of time between postscreen(8) cache + The amount of time between postscreen(8) cache cleanup runs. - postscreen_cache_map (btree:$data_directory/ps_cache) - Persistent storage for the postscreen(8) server + postscreen_cache_map (btree:$data_direc- + tory/postscreen_cache) + Persistent storage for the postscreen(8) server decisions. postscreen_cache_retention_time (7d) The amount of time that postscreen(8) will cache an - expired temporary whitelist entry before it is + expired temporary whitelist entry before it is removed. 
postscreen_bare_newline_ttl (30d) - The amount of time that postscreen(8) will use the + The amount of time that postscreen(8) will use the result from a successful "bare newline" SMTP proto- col test. postscreen_dnsbl_ttl (1h) - The amount of time that postscreen(8) will use the + The amount of time that postscreen(8) will use the result from a successful DNS blocklist test. postscreen_greet_ttl (1d) - The amount of time that postscreen(8) will use the + The amount of time that postscreen(8) will use the result from a successful PREGREET test. postscreen_non_smtp_command_ttl (30d) - The amount of time that postscreen(8) will use the - result from a successful "non_smtp_command" SMTP + The amount of time that postscreen(8) will use the + result from a successful "non_smtp_command" SMTP protocol test. postscreen_pipelining_ttl (30d) - The amount of time that postscreen(8) will use the + The amount of time that postscreen(8) will use the result from a successful "pipelining" SMTP protocol test. RESOURCE CONTROLS line_length_limit (2048) - Upon input, long lines are chopped up into pieces - of at most this length; upon delivery, long lines + Upon input, long lines are chopped up into pieces + of at most this length; upon delivery, long lines are reconstructed. postscreen_client_connection_count_limit ($smtpd_client_connection_count_limit) - How many simultaneous connections any client is + How many simultaneous connections any client is allowed to have with the postscreen(8) daemon. postscreen_command_count_limit (20) - The limit on the total number of commands per SMTP - session for postscreen(8)'s built-in SMTP protocol + The limit on the total number of commands per SMTP + session for postscreen(8)'s built-in SMTP protocol engine. postscreen_command_time_limit (${stress?10}${stress:300}s) - The command "read" time limit for postscreen(8)'s + The command "read" time limit for postscreen(8)'s built-in SMTP protocol engine. 
postscreen_post_queue_limit ($default_process_limit) - The number of clients that can be waiting for ser- + The number of clients that can be waiting for ser- vice from a real SMTP server process. postscreen_pre_queue_limit ($default_process_limit) - The number of non-whitelisted clients that can be - waiting for a decision whether they will receive + The number of non-whitelisted clients that can be + waiting for a decision whether they will receive service from a real SMTP server process. postscreen_watchdog_timeout (10s) - How much time a postscreen(8) process may take to - respond to an SMTP client command or to perform a + How much time a postscreen(8) process may take to + respond to an SMTP client command or to perform a cache operation before it is terminated by a built- in watchdog timer. STARTTLS CONTROLS postscreen_tls_security_level ($smtpd_tls_security_level) - The SMTP TLS security level for the postscreen(8) - server; when a non-empty value is specified, this + The SMTP TLS security level for the postscreen(8) + server; when a non-empty value is specified, this overrides the obsolete parameters postscreen_use_tls and postscreen_enforce_tls. + tlsproxy_service_name (tlsproxy) + The name of the tlsproxy(8) service entry in mas- + ter.cf. + OBSOLETE STARTTLS SUPPORT CONTROLS These parameters are supported for compatibility with smtpd(8) legacy parameters. @@ -371,7 +380,7 @@ POSTSCREEN(8) POSTSCREEN(8) SEE ALSO smtpd(8), Postfix SMTP server tlsproxy(8), Postfix TLS proxy server - dnsblog(8), temporary DNS helper + dnsblog(8), DNS black/whitelist logger syslogd(8), system logging README FILES diff --git a/postfix/man/man1/postfix.1 b/postfix/man/man1/postfix.1 index ac87b590f..95a313506 100644 --- a/postfix/man/man1/postfix.1 +++ b/postfix/man/man1/postfix.1 
@@ -267,6 +267,7 @@ anvil(8), Postfix connection/rate limiting bounce(8), defer(8), trace(8), Delivery status reports cleanup(8), canonicalize and enqueue message discard(8), Postfix discard delivery agent +dnsblog(8), DNS black/whitelist logger error(8), Postfix error delivery agent flush(8), Postfix fast ETRN service local(8), Postfix local delivery agent diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 4cc706928..9f4b1f693 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -1470,6 +1470,11 @@ disable_vrfy_command = no A debugging aid to artifically delay DNS responses. .PP This feature is available in Postfix 2.8. +.SH dnsblog_service_name (default: dnsblog) +The name of the \fBdnsblog\fR(8) service entry in master.cf. This +service performs DNS white/blacklist lookups. +.PP +This feature is available in Postfix 2.8 and later. .SH dont_remove (default: 0) Don't remove queue files and save them to the "saved" mail queue. This is a debugging aid. To inspect the envelope information and @@ -3855,7 +3860,7 @@ Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). .PP This feature is available in Postfix 2.8. -.SH postscreen_cache_map (default: btree:$data_directory/ps_cache) +.SH postscreen_cache_map (default: btree:$data_directory/postscreen_cache) Persistent storage for the \fBpostscreen\fR(8) server decisions. .PP This feature is available in Postfix 2.8. 
@@ -3970,11 +3975,11 @@ Example: .PP This feature is available in Postfix 2.8. .SH postscreen_dnsbl_sites (default: empty) -Optional list of DNS blocklist domains, filters and weight +Optional list of DNS white/blacklist domains, filters and weight factors. When the list is non-empty, the \fBdnsblog\fR(8) daemon will -query these domains with the IP addresses of non-whitelisted remote -SMTP clients, and \fBpostscreen\fR(8) will update an SMTP client's DNSBL -score with each non-error reply. +query these domains with the IP addresses of remote SMTP clients, +and \fBpostscreen\fR(8) will update an SMTP client's DNSBL score with +each non-error reply. .PP Caution: when postscreen rejects mail, it replies with the DNSBL domain name. Use the postscreen_dnsbl_reply_map feature to hide @@ -9777,6 +9782,11 @@ require that clients use TLS encryption. See smtpd_enforce_tls for further details. .PP This feature is available in Postfix 2.8 and later. +.SH tlsproxy_service_name (default: tlsproxy) +The name of the \fBtlsproxy\fR(8) service entry in master.cf. This +service performs plaintext <=> TLS ciphertext conversion. +.PP +This feature is available in Postfix 2.8 and later. .SH tlsproxy_tls_CAfile (default: $smtpd_tls_CAfile) A file containing (PEM format) CA certificates of root CAs trusted to sign either remote SMTP client certificates or intermediate diff --git a/postfix/man/man8/dnsblog.8 b/postfix/man/man8/dnsblog.8 index 2a361344c..358efa471 100644 --- a/postfix/man/man8/dnsblog.8 +++ b/postfix/man/man8/dnsblog.8 @@ -4,7 +4,7 @@ .SH NAME dnsblog \- -Postfix DNS blocklist logger +Postfix DNS white/blacklist logger .SH "SYNOPSIS" .na .nf 
@@ -12,18 +12,18 @@ Postfix DNS blocklist logger .SH DESCRIPTION .ad .fi -The \fBdnsblog\fR(8) server implements an ad-hoc DNS blocklist -lookup service that will eventually be replaced by an UDP -client that is built directly into the \fBpostscreen\fR(8) -server. +The \fBdnsblog\fR(8) server implements an ad-hoc DNS +white/blacklist lookup service that will eventually be +replaced by an UDP client that is built directly into the +\fBpostscreen\fR(8) server. With each connection, the \fBdnsblog\fR(8) server receives -a DNS blocklist domain name and an IP address. If the address -is listed under the DNS blocklist, the \fBdnsblog\fR(8) -server logs the match and replies with the query arguments -plus a non-zero status. Otherwise it replies with the query -arguments plus a zero status. Finally, The \fBdnsblog\fR(8) -server closes the connection. +a DNS white/blacklist domain name and an IP address. If the +address is listed under the DNS white/blacklist, the +\fBdnsblog\fR(8) server logs the match and replies with the +query arguments plus a non-zero status. Otherwise it replies +with the query arguments plus a zero status. Finally, The +\fBdnsblog\fR(8) server closes the connection. .SH DIAGNOSTICS .ad .fi @@ -47,7 +47,7 @@ configuration files. How much time a Postfix daemon process may take to handle a request before it is terminated by a built-in watchdog timer. .IP "\fBpostscreen_dnsbl_sites (empty)\fR" -Optional list of DNS blocklist domains, filters and weight +Optional list of DNS white/blacklist domains, filters and weight factors. .IP "\fBipc_timeout (3600s)\fR" The time limit for sending or receiving information over an internal diff --git a/postfix/man/man8/postscreen.8 b/postfix/man/man8/postscreen.8 index ee057c474..735e9a17b 100644 --- a/postfix/man/man8/postscreen.8 +++ b/postfix/man/man8/postscreen.8 
@@ -140,6 +140,8 @@ response to a remote SMTP client. .nf .ad .fi +.IP "\fBdnsblog_service_name (dnsblog)\fR" +The name of the \fBdnsblog\fR(8) service entry in master.cf. .IP "\fBpostscreen_access_list (permit_mynetworks)\fR" Permanent white/blacklist for remote SMTP client IP addresses; \fBpostscreen\fR(8) searches this list immediately after a remote SMTP @@ -161,7 +163,7 @@ A mapping from actual DNSBL domain name which includes a secret password, to the DNSBL domain name that postscreen will reply with when it rejects mail. .IP "\fBpostscreen_dnsbl_sites (empty)\fR" -Optional list of DNS blocklist domains, filters and weight +Optional list of DNS white/blacklist domains, filters and weight factors. .IP "\fBpostscreen_dnsbl_threshold (1)\fR" The inclusive lower bound for blocking an SMTP client, based on @@ -230,7 +232,7 @@ connections to. .fi .IP "\fBpostscreen_cache_cleanup_interval (12h)\fR" The amount of time between \fBpostscreen\fR(8) cache cleanup runs. -.IP "\fBpostscreen_cache_map (btree:$data_directory/ps_cache)\fR" +.IP "\fBpostscreen_cache_map (btree:$data_directory/postscreen_cache)\fR" Persistent storage for the \fBpostscreen\fR(8) server decisions. .IP "\fBpostscreen_cache_retention_time (7d)\fR" The amount of time that \fBpostscreen\fR(8) will cache an expired @@ -287,6 +289,8 @@ is terminated by a built-in watchdog timer. The SMTP TLS security level for the \fBpostscreen\fR(8) server; when a non-empty value is specified, this overrides the obsolete parameters postscreen_use_tls and postscreen_enforce_tls. +.IP "\fBtlsproxy_service_name (tlsproxy)\fR" +The name of the \fBtlsproxy\fR(8) service entry in master.cf. .SH "OBSOLETE STARTTLS SUPPORT CONTROLS" .na .nf @@ -341,7 +345,7 @@ records, so that "smtpd" becomes, for example, "postfix/smtpd". .nf smtpd(8), Postfix SMTP server tlsproxy(8), Postfix TLS proxy server -dnsblog(8), temporary DNS helper +dnsblog(8), DNS black/whitelist logger syslogd(8), system logging .SH "README FILES" .na 
diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink index 10f2376b9..b7110bf6f 100755 --- a/postfix/mantools/postlink +++ b/postfix/mantools/postlink @@ -921,6 +921,8 @@ while (<>) { s;\bpostscreen_command_count_limit\b;$&;g; s;\bpostscreen_com[-]*\n* *[]*mand_time_limit\b;$&;g; s;\bsmtpd_service_name\b;$&;g; + s;\bdnsblog_service_name\b;$&;g; + s;\btlsproxy_service_name\b;$&;g; s;\bpostscreen_bare_newline_enable\b;$&;g; s;\bpostscreen_bare_newline_action\b;$&;g; s;\bpostscreen_bare_newline_ttl\b;$&;g; diff --git a/postfix/proto/OVERVIEW.html b/postfix/proto/OVERVIEW.html index 062d460ab..a199c493e 100644 --- a/postfix/proto/OVERVIEW.html +++ b/postfix/proto/OVERVIEW.html @@ -732,14 +732,17 @@ document. The verify(8) service is available with Postfix version smtpd(8) processes. Its purpose is to accept connections from the network and to decide what SMTP clients are allowed to talk to Postfix. According to the 2008 MessageLabs annual report, 81% of -all email was spam, and 90% of that was sent by botnets. While -postscreen(8) keeps the zombies away, more smtpd(8) processes remain -available for legitimate clients.

    - -

    The postscreen(8) server is still evolving, and is likely to -undergo changes that break compatibility with earlier versions. -For this reason the postscreen(8) server is not installed with the -stable Postfix release.

    +all email was spam, and 90% of that was sent by botnets; by 2010, +those numbers were 92% and 95%, respectively. While postscreen(8) +keeps the zombies away, more smtpd(8) processes remain available +for legitimate clients.

    + +

    The postscreen(8) server is available with Postfix 2.8 and +later. To keep the implementation simple, postscreen(8) delegates +DNS white/backlist lookups to dnsblog(8) server processes, and +delegates TLS encryption/decryption to tlsproxy(8) server processes. +This delegation is invisible to the remote SMTP client, and is not +shown in the diagram below.

  • diff --git a/postfix/proto/POSTSCREEN_README.html b/postfix/proto/POSTSCREEN_README.html index b23070891..1386efd02 100644 --- a/postfix/proto/POSTSCREEN_README.html +++ b/postfix/proto/POSTSCREEN_README.html @@ -657,6 +657,8 @@ and Solaris 9 systems.

  • Turning on postscreen(8) without blocking mail +
  • postscreen(8) TLS configuration +
  • Blocking mail with postscreen(8)
  • Turning off postscreen(8) @@ -777,6 +779,27 @@ work reliably on all systems.

    +

    postscreen(8) TLS configuration

    + +

    postscreen(8) TLS support is available for remote SMTP clients +that aren't whitelisted, including clients that need to renew their +temporary whitelist status. When a remote SMTP client requests TLS +service, postscreen(8) invisibly hands off the connection to a +tlsproxy(8) process. Then, tlsproxy(8) encrypts and decrypts the +traffic between postscreen(8) and the remote SMTP client. One +tlsproxy(8) process can handle multiple SMTP sessions. The number +of tlsproxy(8) processes slowly increases with server load, but it +should always be much smaller than the number of postscreen(8) TLS +sessions.

    + +

    TLS support for postscreen(8) and tlsproxy(8) uses the same +parameters as with smtpd(8). We recommend that you keep the relevant +configuration parameters in main.cf. If you must specify "-o +smtpd_mumble=value" parameter overrides in master.cf for a +postscreen-protected smtpd(8) service, then you should specify those +same parameter overrides for the postscreen(8) and tlsproxy(8) +services.

    +

    Blocking mail with postscreen(8)

    To use the postscreen(8) service to block mail, edit main.cf and diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index e04ad3553..eea3a2892 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -12597,7 +12597,7 @@ inspection for DKIM-signed mail from known friendly domains.

    This feature is available in Postfix 2.7, and as an optional patch for Postfix 2.6.

    -%PARAM postscreen_cache_map btree:$data_directory/ps_cache +%PARAM postscreen_cache_map btree:$data_directory/postscreen_cache

    Persistent storage for the postscreen(8) server decisions.

    @@ -12690,11 +12690,11 @@ one-letter suffix that specifies the time unit).

    %PARAM postscreen_dnsbl_sites -

    Optional list of DNS blocklist domains, filters and weight +

    Optional list of DNS white/blacklist domains, filters and weight factors. When the list is non-empty, the dnsblog(8) daemon will -query these domains with the IP addresses of non-whitelisted remote -SMTP clients, and postscreen(8) will update an SMTP client's DNSBL -score with each non-error reply.

    +query these domains with the IP addresses of remote SMTP clients, +and postscreen(8) will update an SMTP client's DNSBL score with +each non-error reply.

    Caution: when postscreen rejects mail, it replies with the DNSBL domain name. Use the postscreen_dnsbl_reply_map feature to hide @@ -13975,3 +13975,18 @@ response. See smtpd_reject_footer for further details.

    See smtpd_command_filter for further details.

    This feature is available in Postfix 2.8 and later.

    + +%PARAM dnsblog_service_name dnsblog + +

    The name of the dnsblog(8) service entry in master.cf. This +service performs DNS white/blacklist lookups.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM tlsproxy_service_name tlsproxy + +

    The name of the tlsproxy(8) service entry in master.cf. This +service performs plaintext <=> TLS ciphertext conversion.

    + +

    This feature is available in Postfix 2.8 and later.

    + diff --git a/postfix/proto/stop b/postfix/proto/stop index 7fc657899..f0340a8ee 100644 --- a/postfix/proto/stop +++ b/postfix/proto/stop @@ -1144,3 +1144,12 @@ texthash ul whitelisted whitelists +=== proto/POSTSCREEN_README.html === +Amavisd +MUA +Mailserver +SpamAssassin +barracudacentral +bl +spamcop +tlsproxy diff --git a/postfix/src/dnsblog/dnsblog.c b/postfix/src/dnsblog/dnsblog.c index dd3ea7158..09cb18d37 100644 --- a/postfix/src/dnsblog/dnsblog.c +++ b/postfix/src/dnsblog/dnsblog.c @@ -2,22 +2,22 @@ /* NAME /* dnsblog 8 /* SUMMARY -/* Postfix DNS blocklist logger +/* Postfix DNS white/blacklist logger /* SYNOPSIS /* \fBdnsblog\fR [generic Postfix daemon options] /* DESCRIPTION -/* The \fBdnsblog\fR(8) server implements an ad-hoc DNS blocklist -/* lookup service that will eventually be replaced by an UDP -/* client that is built directly into the \fBpostscreen\fR(8) -/* server. +/* The \fBdnsblog\fR(8) server implements an ad-hoc DNS +/* white/blacklist lookup service that will eventually be +/* replaced by an UDP client that is built directly into the +/* \fBpostscreen\fR(8) server. /* /* With each connection, the \fBdnsblog\fR(8) server receives -/* a DNS blocklist domain name and an IP address. If the address -/* is listed under the DNS blocklist, the \fBdnsblog\fR(8) -/* server logs the match and replies with the query arguments -/* plus a non-zero status. Otherwise it replies with the query -/* arguments plus a zero status. Finally, The \fBdnsblog\fR(8) -/* server closes the connection. +/* a DNS white/blacklist domain name and an IP address. If the +/* address is listed under the DNS white/blacklist, the +/* \fBdnsblog\fR(8) server logs the match and replies with the +/* query arguments plus a non-zero status. Otherwise it replies +/* with the query arguments plus a zero status. Finally, The +/* \fBdnsblog\fR(8) server closes the connection. /* DIAGNOSTICS /* Problems and transactions are logged to \fBsyslogd\fR(8). /* CONFIGURATION PARAMETERS 
@@ -37,7 +37,7 @@ /* How much time a Postfix daemon process may take to handle a /* request before it is terminated by a built-in watchdog timer. /* .IP "\fBpostscreen_dnsbl_sites (empty)\fR" -/* Optional list of DNS blocklist domains, filters and weight +/* Optional list of DNS white/blacklist domains, filters and weight /* factors. /* .IP "\fBipc_timeout (3600s)\fR" /* The time limit for sending or receiving information over an internal diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index d7dda0048..61f914c06 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -3260,10 +3260,10 @@ extern char *var_multi_cntrl_cmds; * postscreen(8) */ #define VAR_PSC_CACHE_MAP "postscreen_cache_map" -#define DEF_PSC_CACHE_MAP "btree:$data_directory/psc_cache" +#define DEF_PSC_CACHE_MAP "btree:$data_directory/postscreen_cache" extern char *var_psc_cache_map; -#define VAR_SMTPD_SERVICE "smtpd_service" +#define VAR_SMTPD_SERVICE "smtpd_service_name" #define DEF_SMTPD_SERVICE "smtpd" extern char *var_smtpd_service; @@ -3445,10 +3445,18 @@ extern char *var_psc_cmd_filter; #define DEF_PSC_ACL PSC_ACL_NAME_WL_MYNETWORKS extern char *var_psc_acl; +#define VAR_DNSBLOG_SERVICE "dnsblog_service_name" +#define DEF_DNSBLOG_SERVICE MAIL_SERVICE_DNSBLOG +extern char *var_dnsblog_service; + #define VAR_DNSBLOG_DELAY "dnsblog_reply_delay" #define DEF_DNSBLOG_DELAY "0s" extern int var_dnsblog_delay; +#define VAR_TLSPROXY_SERVICE "tlsproxy_service_name" +#define DEF_TLSPROXY_SERVICE MAIL_SERVICE_TLSPROXY +extern char *var_tlsproxy_service; + #define VAR_TLSP_WATCHDOG "tlsproxy_watchdog_timeout" #define DEF_TLSP_WATCHDOG "10s" extern int var_tlsp_watchdog; diff --git a/postfix/src/global/mail_proto.h b/postfix/src/global/mail_proto.h index d33f0ccb4..529240662 100644 --- a/postfix/src/global/mail_proto.h +++ b/postfix/src/global/mail_proto.h 
@@ -32,8 +32,8 @@ #define MAIL_PROTO_QMQP "QMQP" /* - * Names of services: these are the names if INET ports, UNIX-domain sockets - * or FIFOs that a service listens on. + * Names of services: these are the names of the UNIX-domain socket or or + * FIFO that a service listens on. */ #define MAIL_SERVICE_BOUNCE "bounce" #define MAIL_SERVICE_CLEANUP "cleanup" @@ -58,6 +58,8 @@ #define MAIL_SERVICE_PROXYMAP "proxymap" #define MAIL_SERVICE_PROXYWRITE "proxywrite" #define MAIL_SERVICE_SCACHE "scache" +#define MAIL_SERVICE_DNSBLOG "dnsblog" +#define MAIL_SERVICE_TLSPROXY "tlsproxy" /* * Well-known socket or FIFO directories. The main difference is in file @@ -238,7 +240,7 @@ extern char *mail_pathname(const char *, const char *); #define MAIL_ATTR_DSN_ORCPT "dsn_orig_rcpt" /* dsn original recipient */ /* - * PROXY support. + * TLSPROXY support. */ #define MAIL_ATTR_REMOTE_ENDPT "remote_endpoint" /* name[addr]:port */ #define MAIL_ATTR_ROLE "role" /* requested role */ @@ -249,10 +251,10 @@ extern char *mail_pathname(const char *, const char *); #define MAIL_ATTR_ISSUER_CN "issuer_CN" #define MAIL_ATTR_PEER_FPT "peer_fingerprint" #define MAIL_ATTR_PEER_STATUS "peer_status" -#define MAIL_ATTR_CIPHER_PROTOCOL "cipher_protocol" +#define MAIL_ATTR_CIPHER_PROTOCOL "cipher_protocol" #define MAIL_ATTR_CIPHER_NAME "cipher_name" -#define MAIL_ATTR_CIPHER_USEBITS "cipher_usebits" -#define MAIL_ATTR_CIPHER_ALGBITS "cipher_algbits" +#define MAIL_ATTR_CIPHER_USEBITS "cipher_usebits" +#define MAIL_ATTR_CIPHER_ALGBITS "cipher_algbits" /* * SMTP reply footer support. diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index a12201f69..3fb73c2f9 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h 
@@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20110113" +#define MAIL_RELEASE_DATE "20110115" #define MAIL_VERSION_NUMBER "2.8" #ifdef SNAPSHOT diff --git a/postfix/src/postfix/postfix.c b/postfix/src/postfix/postfix.c index 1e5f2f7ff..c7b8c97ec 100644 --- a/postfix/src/postfix/postfix.c +++ b/postfix/src/postfix/postfix.c @@ -253,6 +253,7 @@ /* bounce(8), defer(8), trace(8), Delivery status reports /* cleanup(8), canonicalize and enqueue message /* discard(8), Postfix discard delivery agent +/* dnsblog(8), DNS black/whitelist logger /* error(8), Postfix error delivery agent /* flush(8), Postfix fast ETRN service /* local(8), Postfix local delivery agent diff --git a/postfix/src/postscreen/Makefile.in b/postfix/src/postscreen/Makefile.in index 2afc1da0c..0eead33d3 100644 --- a/postfix/src/postscreen/Makefile.in +++ b/postfix/src/postscreen/Makefile.in @@ -156,6 +156,7 @@ postscreen_dnsbl.o: ../../include/myaddrinfo.h postscreen_dnsbl.o: ../../include/mymalloc.h postscreen_dnsbl.o: ../../include/split_at.h postscreen_dnsbl.o: ../../include/string_list.h +postscreen_dnsbl.o: ../../include/stringops.h postscreen_dnsbl.o: ../../include/sys_defs.h postscreen_dnsbl.o: ../../include/valid_hostname.h postscreen_dnsbl.o: ../../include/vbuf.h diff --git a/postfix/src/postscreen/postscreen.c b/postfix/src/postscreen/postscreen.c index 7e97b329b..0e9d61807 100644 --- a/postfix/src/postscreen/postscreen.c +++ b/postfix/src/postscreen/postscreen.c @@ -120,6 +120,8 @@ /* BEFORE-GREETING TRIAGE /* .ad /* .fi +/* .IP "\fBdnsblog_service_name (dnsblog)\fR" +/* The name of the \fBdnsblog\fR(8) service entry in master.cf. /* .IP "\fBpostscreen_access_list (permit_mynetworks)\fR" /* Permanent white/blacklist for remote SMTP client IP addresses; /* \fBpostscreen\fR(8) searches this list immediately after a remote SMTP 
@@ -141,7 +143,7 @@ /* password, to the DNSBL domain name that postscreen will reply with /* when it rejects mail. /* .IP "\fBpostscreen_dnsbl_sites (empty)\fR" -/* Optional list of DNS blocklist domains, filters and weight +/* Optional list of DNS white/blacklist domains, filters and weight /* factors. /* .IP "\fBpostscreen_dnsbl_threshold (1)\fR" /* The inclusive lower bound for blocking an SMTP client, based on @@ -204,7 +206,7 @@ /* .fi /* .IP "\fBpostscreen_cache_cleanup_interval (12h)\fR" /* The amount of time between \fBpostscreen\fR(8) cache cleanup runs. -/* .IP "\fBpostscreen_cache_map (btree:$data_directory/ps_cache)\fR" +/* .IP "\fBpostscreen_cache_map (btree:$data_directory/postscreen_cache)\fR" /* Persistent storage for the \fBpostscreen\fR(8) server decisions. /* .IP "\fBpostscreen_cache_retention_time (7d)\fR" /* The amount of time that \fBpostscreen\fR(8) will cache an expired @@ -257,6 +259,8 @@ /* The SMTP TLS security level for the \fBpostscreen\fR(8) server; when /* a non-empty value is specified, this overrides the obsolete parameters /* postscreen_use_tls and postscreen_enforce_tls. +/* .IP "\fBtlsproxy_service_name (tlsproxy)\fR" +/* The name of the \fBtlsproxy\fR(8) service entry in master.cf. /* OBSOLETE STARTTLS SUPPORT CONTROLS /* .ad /* .fi @@ -303,7 +307,7 @@ /* SEE ALSO /* smtpd(8), Postfix SMTP server /* tlsproxy(8), Postfix TLS proxy server -/* dnsblog(8), temporary DNS helper +/* dnsblog(8), DNS black/whitelist logger /* syslogd(8), system logging /* README FILES /* .ad @@ -439,6 +443,9 @@ int var_psc_barlf_ttl; int var_psc_cmd_count; char *var_psc_cmd_time; +char *var_dnsblog_service; +char *var_tlsproxy_service; + char *var_smtpd_rej_footer; char *var_psc_rej_footer; 
@@ -1082,6 +1089,8 @@ int main(int argc, char **argv) VAR_PSC_DNSBL_REPLY, DEF_PSC_DNSBL_REPLY, &var_psc_dnsbl_reply, 0, 0, VAR_PSC_TLS_LEVEL, DEF_PSC_TLS_LEVEL, &var_psc_tls_level, 0, 0, VAR_PSC_CMD_FILTER, DEF_PSC_CMD_FILTER, &var_psc_cmd_filter, 0, 0, + VAR_DNSBLOG_SERVICE, DEF_DNSBLOG_SERVICE, &var_dnsblog_service, 1, 0, + VAR_TLSPROXY_SERVICE, DEF_TLSPROXY_SERVICE, &var_tlsproxy_service, 1, 0, 0, }; static const CONFIG_INT_TABLE int_table[] = { diff --git a/postfix/src/postscreen/postscreen_dnsbl.c b/postfix/src/postscreen/postscreen_dnsbl.c index 81085892d..f21b04efd 100644 --- a/postfix/src/postscreen/postscreen_dnsbl.c +++ b/postfix/src/postscreen/postscreen_dnsbl.c @@ -72,6 +72,7 @@ #include #include #include +#include /* Global library. */ @@ -82,8 +83,11 @@ #include -#define DNSBL_SERVICE "dnsblog" + /* + * Talking to the DNSBLOG service. + */ #define DNSBLOG_TIMEOUT 10 +static char *psc_dnsbl_service; /* * Per-DNSBL filters and weights. @@ -479,8 +483,9 @@ int psc_dnsbl_request(const char *client_addr, * implementation. */ for (ht = dnsbl_site_list; *ht; ht++) { - if ((fd = LOCAL_CONNECT("private/" DNSBL_SERVICE, NON_BLOCKING, 1)) < 0) { - msg_warn("%s: connect to " DNSBL_SERVICE " service: %m", myname); + if ((fd = LOCAL_CONNECT(psc_dnsbl_service, NON_BLOCKING, 1)) < 0) { + msg_warn("%s: connect to %s service: %m", + myname, psc_dnsbl_service); continue; } stream = vstream_fdopen(fd, O_RDWR); @@ -489,7 +494,8 @@ int psc_dnsbl_request(const char *client_addr, ATTR_TYPE_STR, MAIL_ATTR_ACT_CLIENT_ADDR, client_addr, ATTR_TYPE_END); if (vstream_fflush(stream) != 0) { - msg_warn("%s: error sending to " DNSBL_SERVICE " service: %m", myname); + msg_warn("%s: error sending to %s service: %m", + myname, psc_dnsbl_service); vstream_fclose(stream); continue; } 
@@ -514,6 +520,12 @@ void psc_dnsbl_init(void) if (dnsbl_site_cache != 0) msg_panic("%s: called more than once", myname); + /* + * pre-compute the DNSBLOG socket name. + */ + psc_dnsbl_service = concatenate(MAIL_CLASS_PRIVATE, "/", + var_dnsblog_service, (char *) 0); + /* * Prepare for quick iteration when sending out queries to all DNSBL * servers, and for quick lookup when a reply arrives from a specific diff --git a/postfix/src/postscreen/postscreen_starttls.c b/postfix/src/postscreen/postscreen_starttls.c index 9d8c12805..eb5d95a52 100644 --- a/postfix/src/postscreen/postscreen_starttls.c +++ b/postfix/src/postscreen/postscreen_starttls.c @@ -49,6 +49,7 @@ #include #include #include /* concatenate() */ +#include /* Global library. */ @@ -80,6 +81,8 @@ typedef struct { #define TLSPROXY_INIT_TIMEOUT 10 +static char *psc_tlsp_service = 0; + /* psc_starttls_finish - complete negotiation with TLS proxy */ static void psc_starttls_finish(int event, char *context) @@ -139,7 +142,7 @@ static void psc_starttls_finish(int event, char *context) */ msg_warn("%s sending file handle to %s service", event == EVENT_TIME ? "timeout" : "problem", - TLSPROXY_SERVICE); + psc_tlsp_service); event_disable_readwrite(vstream_fileno(tlsproxy_stream)); vstream_fclose(tlsproxy_stream); PSC_SEND_REPLY(smtp_state, 
@@ -184,16 +187,21 @@ void psc_starttls_open(PSC_STATE *smtp_state, EVENT_NOTIFY_FN resume_event) const char *myname = "psc_starttls_open"; PSC_STARTTLS *starttls_state; VSTREAM *tlsproxy_stream; - char *remote_endpt; int fd; + static VSTRING *remote_endpt = 0; + + if (psc_tlsp_service == 0) { + psc_tlsp_service = concatenate(MAIL_CLASS_PRIVATE "/", + var_tlsproxy_service, (char *) 0); + remote_endpt = vstring_alloc(20); + } /* * Connect to the tlsproxy(8) daemon. We report all errors * asynchronously, to avoid having to maintain multiple delivery paths. */ - if ((fd = LOCAL_CONNECT("private/" TLSPROXY_SERVICE, - NON_BLOCKING, 1)) < 0) { - msg_warn("connect to %s service: %m", TLSPROXY_SERVICE); + if ((fd = LOCAL_CONNECT(psc_tlsp_service, NON_BLOCKING, 1)) < 0) { + msg_warn("connect to %s service: %m", psc_tlsp_service); PSC_SEND_REPLY(smtp_state, "454 4.7.0 TLS not available due to local problem\r\n"); event_request_timer(resume_event, (char *) smtp_state, 0); 
@@ -215,16 +223,15 @@ void psc_starttls_open(PSC_STATE *smtp_state, EVENT_NOTIFY_FN resume_event) * simplify all the format strings throughout the program. */ tlsproxy_stream = vstream_fdopen(fd, O_RDWR); - remote_endpt = concatenate("[", smtp_state->smtp_client_addr, "]:", - smtp_state->smtp_client_port, (char *) 0); + vstring_sprintf(remote_endpt, "[%s]:%s", smtp_state->smtp_client_addr, + smtp_state->smtp_client_port); attr_print(tlsproxy_stream, ATTR_FLAG_NONE, - ATTR_TYPE_STR, MAIL_ATTR_REMOTE_ENDPT, remote_endpt, + ATTR_TYPE_STR, MAIL_ATTR_REMOTE_ENDPT, STR(remote_endpt), ATTR_TYPE_INT, MAIL_ATTR_FLAGS, TLS_PROXY_FLAG_ROLE_SERVER, ATTR_TYPE_INT, MAIL_ATTR_TIMEOUT, psc_normal_cmd_time_limit, ATTR_TYPE_END); - myfree(remote_endpt); if (vstream_fflush(tlsproxy_stream) != 0) { - msg_warn("error sending request to %s service: %m", TLSPROXY_SERVICE); + msg_warn("error sending request to %s service: %m", psc_tlsp_service); vstream_fclose(tlsproxy_stream); PSC_SEND_REPLY(smtp_state, "454 4.7.0 TLS not available due to local problem\r\n"); diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c index f9a525e08..3dd9367b9 100644 --- a/postfix/src/smtpd/smtpd.c +++ b/postfix/src/smtpd/smtpd.c @@ -1251,6 +1251,11 @@ char *var_unv_from_tf_act; int smtpd_proxy_opts; +#ifdef USE_TLSPROXY +char *var_tlsproxy_service; + +#endif + /* * Silly little macros. */ @@ -4165,9 +4170,9 @@ static int starttls_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv) #define PROXY_OPEN_FLAGS \ (TLS_PROXY_FLAG_ROLE_SERVER | TLS_PROXY_FLAG_SEND_CONTEXT) - state->tlsproxy = tls_proxy_open(PROXY_OPEN_FLAGS, state->client, - state->addr, state->port, - var_smtpd_tmout); + state->tlsproxy = tls_proxy_open(var_tlsproxy_service, PROXY_OPEN_FLAGS, + state->client, state->addr, + state->port, var_smtpd_tmout); if (state->tlsproxy == 0) { state->error_mask |= MAIL_ERROR_SOFTWARE; /* RFC 4954 Section 6. */ 
@@ -4374,9 +4379,10 @@ static void smtpd_proto(SMTPD_STATE *state) if (SMTPD_STAND_ALONE(state) == 0 && var_smtpd_tls_wrappermode) { #ifdef USE_TLSPROXY /* We garbage-collect the VSTREAM in smtpd_state_reset() */ - state->tlsproxy = tls_proxy_open(PROXY_OPEN_FLAGS, state->client, - state->addr, state->port, - var_smtpd_tmout); + state->tlsproxy = tls_proxy_open(var_tlsproxy_service, + PROXY_OPEN_FLAGS, + state->client, state->addr, + state->port, var_smtpd_tmout); if (state->tlsproxy == 0) { msg_warn("Wrapper-mode request dropped from %s for service %s." " TLS context initialization failed. For details see" @@ -5242,6 +5248,9 @@ int main(int argc, char **argv) VAR_UNV_RCPT_TF_ACT, DEF_UNV_RCPT_TF_ACT, &var_unv_rcpt_tf_act, 1, 0, VAR_UNV_FROM_TF_ACT, DEF_UNV_FROM_TF_ACT, &var_unv_from_tf_act, 1, 0, VAR_SMTPD_CMD_FILTER, DEF_SMTPD_CMD_FILTER, &var_smtpd_cmd_filter, 0, 0, +#ifdef USE_TLSPROXY + VAR_TLSPROXY_SERVICE, DEF_TLSPROXY_SERVICE, &var_tlsproxy_service, 1, 0, +#endif 0, }; static const CONFIG_RAW_TABLE raw_table[] = { diff --git a/postfix/src/tls/Makefile.in b/postfix/src/tls/Makefile.in index f47ae4ec6..1dbe1546b 100644 --- a/postfix/src/tls/Makefile.in +++ b/postfix/src/tls/Makefile.in @@ -206,6 +206,7 @@ tls_proxy_clnt.o: ../../include/argv.h tls_proxy_clnt.o: ../../include/attr.h tls_proxy_clnt.o: ../../include/connect.h tls_proxy_clnt.o: ../../include/iostuff.h +tls_proxy_clnt.o: ../../include/mail_params.h tls_proxy_clnt.o: ../../include/mail_proto.h tls_proxy_clnt.o: ../../include/msg.h tls_proxy_clnt.o: ../../include/mymalloc.h diff --git a/postfix/src/tls/tls_proxy.h b/postfix/src/tls/tls_proxy.h index fb8092323..e677c67ab 100644 --- a/postfix/src/tls/tls_proxy.h +++ b/postfix/src/tls/tls_proxy.h 
@@ -25,15 +25,13 @@ /* * External interface. */ -#define TLSPROXY_SERVICE "tlsproxy" - #define TLS_PROXY_FLAG_ROLE_SERVER (1<<0) /* request server role */ #define TLS_PROXY_FLAG_ROLE_CLIENT (1<<1) /* request client role */ #define TLS_PROXY_FLAG_SEND_CONTEXT (1<<2) /* send TLS context */ #ifdef USE_TLS -extern VSTREAM *tls_proxy_open(int, VSTREAM *, const char *, +extern VSTREAM *tls_proxy_open(const char *, int, VSTREAM *, const char *, const char *, int); extern TLS_SESS_STATE *tls_proxy_context_receive(VSTREAM *); extern void tls_proxy_context_free(TLS_SESS_STATE *); diff --git a/postfix/src/tls/tls_proxy_clnt.c b/postfix/src/tls/tls_proxy_clnt.c index a6877975d..cf7c32f3e 100644 --- a/postfix/src/tls/tls_proxy_clnt.c +++ b/postfix/src/tls/tls_proxy_clnt.c @@ -6,8 +6,9 @@ /* SYNOPSIS /* #include /* -/* VSTREAM *tls_proxy_open(flags, peer_stream, peer_addr, +/* VSTREAM *tls_proxy_open(service, flags, peer_stream, peer_addr, /* peer_port, timeout) +/* const char *service; /* int flags; /* VSTREAM *peer_stream; /* const char *peer_addr; @@ -47,6 +48,8 @@ /* was received with tls_proxy_context_receive(). /* /* Arguments: +/* .IP service +/* The (base) name of the tlsproxy service. /* .IP flags /* Bit-wise OR of: /* .RS @@ -91,11 +94,13 @@ #include #include #include -#include /* concatenate() */ +#include +#include /* Global library. */ #include +#include /* TLS library-specific. */ 
@@ -104,25 +109,39 @@ #define TLSPROXY_INIT_TIMEOUT 10 +/* SLMs. */ + +#define STR vstring_str + /* tls_proxy_open - open negotiations with TLS proxy */ -VSTREAM *tls_proxy_open(int flags, VSTREAM *peer_stream, - const char *peer_addr, - const char *peer_port, - int timeout) +VSTREAM *tls_proxy_open(const char *service, int flags, + VSTREAM *peer_stream, + const char *peer_addr, + const char *peer_port, + int timeout) { VSTREAM *tlsproxy_stream; - char *remote_endpt; int status; int fd; + static VSTRING *tlsproxy_service = 0; + static VSTRING *remote_endpt = 0; + + /* + * Initialize. + */ + if (tlsproxy_service == 0) { + tlsproxy_service = vstring_alloc(20); + remote_endpt = vstring_alloc(20); + } /* - * Connect to the tlsproxy(8) daemon. We report all errors - * asynchronously, to avoid having to maintain multiple delivery paths. + * Connect to the tlsproxy(8) daemon. */ - if ((fd = LOCAL_CONNECT("private/" TLSPROXY_SERVICE, BLOCKING, + vstring_sprintf(tlsproxy_service, "%s/%s", MAIL_CLASS_PRIVATE, service); + if ((fd = LOCAL_CONNECT(STR(tlsproxy_service), BLOCKING, TLSPROXY_INIT_TIMEOUT)) < 0) { - msg_warn("connect to %s service: %m", TLSPROXY_SERVICE); + msg_warn("connect to %s service: %m", STR(tlsproxy_service)); return (0); } 
@@ -134,16 +153,15 @@ VSTREAM *tls_proxy_open(int flags, VSTREAM *peer_stream, * simplify all the format strings throughout the program. */ tlsproxy_stream = vstream_fdopen(fd, O_RDWR); - remote_endpt = concatenate("[", peer_addr, "]:", - peer_port, (char *) 0); + vstring_sprintf(remote_endpt, "[%s]:%s", peer_addr, peer_port); attr_print(tlsproxy_stream, ATTR_FLAG_NONE, - ATTR_TYPE_STR, MAIL_ATTR_REMOTE_ENDPT, remote_endpt, + ATTR_TYPE_STR, MAIL_ATTR_REMOTE_ENDPT, STR(remote_endpt), ATTR_TYPE_INT, MAIL_ATTR_FLAGS, flags, ATTR_TYPE_INT, MAIL_ATTR_TIMEOUT, timeout, ATTR_TYPE_END); - myfree(remote_endpt); if (vstream_fflush(tlsproxy_stream) != 0) { - msg_warn("error sending request to %s service: %m", TLSPROXY_SERVICE); + msg_warn("error sending request to %s service: %m", + STR(tlsproxy_service)); vstream_fclose(tlsproxy_stream); return (0); } @@ -164,7 +182,7 @@ VSTREAM *tls_proxy_open(int flags, VSTREAM *peer_stream, * configuration error, or other causes). */ msg_warn("%s service role \"%s\" is not available", - TLSPROXY_SERVICE, + STR(tlsproxy_service), (flags & TLS_PROXY_FLAG_ROLE_SERVER) ? "server" : (flags & TLS_PROXY_FLAG_ROLE_CLIENT) ? "client" : "bogus role"); @@ -181,7 +199,8 @@ VSTREAM *tls_proxy_open(int flags, VSTREAM *peer_stream, /* * Some error: drop the TLS proxy stream. */ - msg_warn("sending file handle to %s service: %m", TLSPROXY_SERVICE); + msg_warn("sending file handle to %s service: %m", + STR(tlsproxy_service)); vstream_fclose(tlsproxy_stream); return (0); } @@ -197,7 +216,7 @@ TLS_SESS_STATE *tls_proxy_context_receive(VSTREAM *proxy_stream) tls_context = (TLS_SESS_STATE *) mymalloc(sizeof(*tls_context)); if (attr_scan(proxy_stream, ATTR_FLAG_STRICT, - ATTR_TYPE_FUNC, tls_proxy_context_scan, (char *) tls_context, + ATTR_TYPE_FUNC, tls_proxy_context_scan, (char *) tls_context, ATTR_TYPE_END) != 1) { tls_proxy_context_free(tls_context); return (0); 
@@ -208,7 +227,7 @@ TLS_SESS_STATE *tls_proxy_context_receive(VSTREAM *proxy_stream) /* tls_proxy_context_free - destroy object from tls_proxy_context_receive() */ -void tls_proxy_context_free(TLS_SESS_STATE *tls_context) +void tls_proxy_context_free(TLS_SESS_STATE *tls_context) { if (tls_context->peer_CN) myfree(tls_context->peer_CN); diff --git a/postfix/src/tlsproxy/tlsproxy.c b/postfix/src/tlsproxy/tlsproxy.c index f55cfe9f1..06dea0e95 100644 --- a/postfix/src/tlsproxy/tlsproxy.c +++ b/postfix/src/tlsproxy/tlsproxy.c @@ -849,7 +849,7 @@ static void tlsp_get_request_event(int event, char *context) msg_info("CONNECT %s %s", (req_flags & TLS_PROXY_FLAG_ROLE_SERVER) ? "from" : (req_flags & TLS_PROXY_FLAG_ROLE_CLIENT) ? "to" : - "(bogus direction)", state->remote_endpt); + "(bogus_direction)", state->remote_endpt); state->req_flags = req_flags; state->timeout = timeout + 10; /* XXX */ event_enable_read(plaintext_fd, tlsp_get_fd_event, (char *) state); diff --git a/postfix/src/util/dict_ht.c b/postfix/src/util/dict_ht.c index 32ad47c34..657f1fc38 100644 --- a/postfix/src/util/dict_ht.c +++ b/postfix/src/util/dict_ht.c @@ -74,6 +74,7 @@ static void dict_ht_update(DICT *dict, const char *name, const char *value) { DICT_HT *dict_ht = (DICT_HT *) dict; HTABLE_INFO *ht; + char *saved_value = mystrdup(value); /* * Optionally fold the key. @@ -89,7 +90,7 @@ static void dict_ht_update(DICT *dict, const char *name, const char *value) } else { ht = htable_enter(dict_ht->table, name, (char *) 0); } - ht->value = mystrdup(value); + ht->value = saved_value; } /* dict_ht_sequence - first/next iterator */ diff --git a/postfix/src/util/mymalloc.c b/postfix/src/util/mymalloc.c index 9e6221350..16df5cc54 100644 --- a/postfix/src/util/mymalloc.c +++ b/postfix/src/util/mymalloc.c 
@@ -154,6 +154,9 @@ char *mymalloc(ssize_t len) */ if (len < 1) msg_panic("mymalloc: requested length %ld", (long) len); +#ifdef MYMALLOC_FUZZ + len += MYMALLOC_FUZZ; +#endif if ((real_ptr = (MBLOCK *) malloc(SPACE_FOR(len))) == 0) msg_fatal("mymalloc: insufficient memory: %m"); CHECK_OUT_PTR(ptr, real_ptr, len); @@ -180,6 +183,9 @@ char *myrealloc(char *ptr, ssize_t len) */ if (len < 1) msg_panic("myrealloc: requested length %ld", (long) len); +#ifdef MYMALLOC_FUZZ + len += MYMALLOC_FUZZ; +#endif CHECK_IN_PTR(ptr, real_ptr, old_len, "myrealloc"); if ((real_ptr = (MBLOCK *) realloc((char *) real_ptr, SPACE_FOR(len))) == 0) msg_fatal("myrealloc: insufficient memory: %m"); diff --git a/postfix/src/util/sys_defs.h b/postfix/src/util/sys_defs.h index 93dc2a054..26fbace79 100644 --- a/postfix/src/util/sys_defs.h +++ b/postfix/src/util/sys_defs.h @@ -576,6 +576,7 @@ extern int opterr; #define BROKEN_AI_PASSIVE_NULL_HOST #define BROKEN_AI_NULL_SERVICE #define USE_SYSV_POLL +#define MYMALLOC_FUZZ 1 #endif #ifdef AIX4
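Review bot: typo in the paragraph added to proto/OVERVIEW.html: "DNS white/backlist lookups" should read "white/blacklist", matching the wording this same patch uses in postconf.proto and in the dnsblog.c manual text.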
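Review bot: two user-visible names in src/global/mail_params.h change with no compatibility path. VAR_SMTPD_SERVICE goes from "smtpd_service" to "smtpd_service_name", and DEF_PSC_CACHE_MAP goes from btree:$data_directory/psc_cache to btree:$data_directory/postscreen_cache. A main.cf that still sets the old parameter name will stop having any effect, and a site that relies on the default cache map will start from a new file and leave the old one behind in $data_directory. Both deserve an explicit upgrade note next to the rename.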
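Review bot: the rewritten comment above the MAIL_SERVICE_ names in src/global/mail_proto.h reads "the UNIX-domain socket or or FIFO"; drop the duplicated "or". In the same file, the MAIL_ATTR_CIPHER_PROTOCOL, MAIL_ATTR_CIPHER_USEBITS and MAIL_ATTR_CIPHER_ALGBITS lines change only in whitespace, which is easier to review as a separate cleanup than mixed into a functional change.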
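Review bot: the lazy initialization of psc_tlsp_service inside psc_starttls_open() in src/postscreen/postscreen_starttls.c is inconsistent with postscreen_dnsbl.c, which builds the equivalent dnsblog path once in psc_dnsbl_init(). The two calls also differ in form: `concatenate(MAIL_CLASS_PRIVATE "/", var_tlsproxy_service, (char *) 0)` here versus `concatenate(MAIL_CLASS_PRIVATE, "/", var_dnsblog_service, (char *) 0)` there. Pick one pattern for both. The hunk also uses STR(remote_endpt) without adding a definition the way tls_proxy_clnt.c adds `#define STR vstring_str`, so please confirm that an included header provides it. Finally, the msg_warn() calls now print the full private/ path where they used to print the bare service name, so "connect to %s service" changes its logged text; log matchers keyed on the old wording will need updating.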
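Review bot: missing validation of the new `service` argument in tls_proxy_open() in src/tls/tls_proxy_clnt.c. The function formats the socket path with `vstring_sprintf(tlsproxy_service, "%s/%s", MAIL_CLASS_PRIVATE, service)` and passes the result straight to LOCAL_CONNECT. The name is now configurable through tlsproxy_service_name, so a value containing "/" or ".." components would make the path point somewhere other than a socket directly under the private class directory. Reject such names where the parameter is read, or here before connecting. The same applies to the dnsblog path that postscreen_dnsbl.c builds from var_dnsblog_service.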
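Review bot: missing comment in dict_ht_update() in src/util/dict_ht.c. The mystrdup(value) call moves up into the declaration of saved_value, ahead of the key folding and the table update, but nothing says why the order matters. If the intent is to copy `value` before the existing entry is touched, for example because a caller may pass a pointer to the value already stored in the table, state that next to the declaration so a later cleanup does not move the copy back down.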
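Review bot: the added `len += MYMALLOC_FUZZ;` in mymalloc() and myrealloc() in src/util/mymalloc.c comes after the `len < 1` check but has no upper bound, so a request near the maximum ssize_t value overflows the signed length before SPACE_FOR(len) is evaluated. Consider rejecting lengths that cannot absorb the margin before adding it. In mymalloc() the padded value is also what reaches CHECK_OUT_PTR, so the recorded block length no longer equals what the caller requested. Neither these hunks nor the `#define MYMALLOC_FUZZ 1` added to sys_defs.h says which platform problem is being worked around. A short comment at the define would help, because a silent one-byte margin also hides one-byte overruns in callers that memory checkers would otherwise report.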